Oracle complains about long identifier on simple operations.

Soo,

I’m going head first into the oracle db world. I was trying to create an spfile from the pfile and of course it didn’t work:

SQL> create spfile from pfile="/oracle/app/product/12.1.0/dbhome_1/dbs/initORCL.ora";
create spfile from pfile="/oracle/app/product/12.1.0/dbhome_1/dbs/initORCL.ora"
*
ERROR at line 1:
ORA-00972: identifier is too long

The reason is simple enough: you have to use single quotes instead of double quotes. Oracle treats double-quoted text as an identifier rather than a string literal, hence the error. But it took me a while to find this out, so here it is for all other beginners.

SQL> create spfile from pfile='/oracle/app/product/12.1.0/dbhome_1/dbs/initORCL.ora';

File created.

SQL>

Errors in mail.log from nagios check_ssmtp

I got my nagios server banned by fail2ban because of errors in the postfix mail.log log. I know that I can simply whitelist the nagios server but I prefer it working perfectly.

Checking the logs I could see this error repeating itself on each check:

Mar 25 13:01:13 xxx-123 postfix/smtpd[17065]: connect from nagios.example.com[1.2.3.4]
Mar 25 13:01:13 xxx-123 postfix/smtpd[17065]: improper command pipelining after QUIT from nagios.example.com[1.2.3.4]:
Mar 25 13:01:13 xxx-123 postfix/smtpd[17065]: disconnect from nagios.example.com[1.2.3.4]

Apparently postfix is picky about having extra input after a QUIT or DATA command, see details here.

It turns out that I haven’t updated nagios plugins in a while. Even if I kept nagios up-to-date the plugins were at 2.0.3. Updating to 2.1.1 fixed the issue and now I simply see a connect/disconnect in the postfix logs when nagios performs a check.
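To see which clients trip this postfix check, and to confirm the errors stop after the plugin upgrade, the log can be summarised per client. This is an added example, not from the original post; the function names are hypothetical and the second client in the sample log is constructed.

```shell
#!/bin/sh
# Added example: count "improper command pipelining" rejections per client,
# i.e. the log line that got the nagios server banned by fail2ban.

# Constructed sample in the format shown above (the second client is made up).
sample_log() {
cat <<'EOF'
Mar 25 13:01:13 xxx-123 postfix/smtpd[17065]: connect from nagios.example.com[1.2.3.4]
Mar 25 13:01:13 xxx-123 postfix/smtpd[17065]: improper command pipelining after QUIT from nagios.example.com[1.2.3.4]:
Mar 25 13:01:13 xxx-123 postfix/smtpd[17065]: disconnect from nagios.example.com[1.2.3.4]
Mar 25 13:06:13 xxx-123 postfix/smtpd[17102]: improper command pipelining after QUIT from nagios.example.com[1.2.3.4]:
Mar 25 13:07:40 xxx-123 postfix/smtpd[17110]: improper command pipelining after DATA from unknown[192.0.2.7]:
EOF
}

# pipelining_offenders [LOGFILE]
# Reads LOGFILE (or stdin) and prints "count client command", busiest first.
pipelining_offenders() {
    awk '/postfix\/smtpd\[[0-9]+\]: improper command pipelining after / {
        for (i = 1; i <= NF; i++)
            if ($i == "after") { cmd = $(i + 1); client = $(i + 3) }
        sub(/:$/, "", client)          # drop the trailing colon after host[ip]
        n[client " " cmd]++
    }
    END { for (k in n) print n[k], k }' "${1:--}" | sort -rn
}

# Stand-alone run over the constructed sample; on a real server pass the
# path of the mail log instead.
sample_log | pipelining_offenders
```

An empty result after the upgrade means the check no longer sends anything after QUIT.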

AIX git SSL woes

Oh joy and happiness I have to admin AIX boxes. One of the first things I hit was using git to clone some stuff from github erroring out with:

SSL certificate problem: unable to get local issuer certificate

Yep, simple problem: no SSL CA bundle on the system. You can use the bulldozer solution and either set:

export GIT_SSL_NO_VERIFY=true

or:

git config http.sslVerify false  (undo with: git config --unset http.sslVerify)

because who cares about MITM attacks especially to deployed software on production servers

Or you can actually fix the issue and install a CA bundle. I downloaded mine from the curl site, here: https://curl.haxx.se/docs/caextract.html

I downloaded the cacert.pem file and configured git to use it like this:

wget --no-check-certificate  https://curl.haxx.se/ca/cacert.pem -O /var/ssl/cacert.pem
git config --system  http.sslcainfo /var/ssl/cacert.pem

The --no-check-certificate is required because at this point wget has no way of checking the certificate either. If you want to ensure the validity of the file, download it from a working system and scp it to the remote problem server.
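One way to do the safer variant described above, as an added example that is not from the original post: check the bundle's SHA-256 against a value computed on a system with working TLS before pointing git at it. The function names are hypothetical and the expected hash is something you supply.

```shell
#!/bin/sh
# Added example: refuse to install a CA bundle unless it matches a hash
# obtained on a system that can verify TLS (assumption: the operator
# computes that hash there and passes it in).

# Print the SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Return 0 only if the file matches the expected hash and holds PEM certs.
verify_ca_bundle() {
    bundle=$1; expected=$2
    [ -s "$bundle" ] || { echo "missing or empty: $bundle" >&2; return 1; }
    actual=$(sha256_of "$bundle")
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch: got $actual" >&2
        return 1
    fi
    grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle" || {
        echo "no PEM certificates in $bundle" >&2; return 1; }
}

# Copy the bundle into place only after verification succeeds.
install_ca_bundle() {
    verify_ca_bundle "$1" "$2" || return 1
    cp "$1" "$3" && chmod 644 "$3"
}

# Usage on the AIX host (the hash is a placeholder, not a real value):
#   install_ca_bundle /tmp/cacert.pem <sha256-from-trusted-system> /var/ssl/cacert.pem \
#     && git config --system http.sslcainfo /var/ssl/cacert.pem
```

The same check works on a file fetched with --no-check-certificate, as long as the expected hash itself arrived over a channel you trust.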

Use Vagrant on Windows with Ansible under Cygwin

If for some reason you have to run Vagrant under Windows and plan on using Ansible, you will need a couple of wrappers.

ansible-playbook.bat has to be in the Windows PATH;

ansible-winpath-playbook.sh is called by ansible-playbook.bat to change paths from Windows style paths to *nix style paths that ansible under cygwin can understand.

Verify SMART details for members of an Intel RST RAID volume

Sooo,

Be it because of the BIOS update to a beta or because of my drives but my RAID10 keeps failing. I documented before how to repair such a broken array but I didn’t want to go ahead with it too many times as data corruption is only one step away. Knowing that at least one of the disks has some minor issues (mdadm kicked it out some time ago when the disks were running under linux) I decided to check SMART details and keep only two of the disks in RAID1. I was curious if one can read SMART details when the disks are still members of the Intel RST array. Since I had all the data off the disks it was safe to test.

I found out that the Intel SSD Toolbox shows SMART data for all disks in a system, not only SSDs and not only Intel. Look at Other Drives and scroll to the right as under Intel Solid-State Drives it shows the RAID volumes.

Intel RST RAID Non-RAID Disk after BIOS update

So, having nothing better to do and for no good reason I decided to update my workstation’s BIOS to the latest version released by Gigabyte. Since ignoring the “If it works don’t fix it” mantra is always a good idea. Beautiful, after update two of my disks from a four disk RAID10 array were showing as Non-RAID Disk. I had backups but shuffling 2TB+ of data is never fun.

Initial reports were all grim, the Intel RST BIOS does not allow repairing. Thankfully a good soul had already found the answer, source thread here, thank you adamsap.

Usual disclaimer: this worked for me, I have no guarantee it will work for you, and the method is not advertised as working and/or supported by Intel.

  1. Reset the volume (all disks) as non-member from the Intel BIOS. Ignore the warning that all data will be lost. The utility only touches the metadata related to RAID membership.
  2. Create a new array with all the same disks and be sure to use the same settings related to strip size, RAID type, etc. I was in luck since my array was still visible since some disks still were attached.
  3. Download TestDisk from http://www.cgsecurity.org. I used the Windows version since my Windows install was on a different disk. I never heard of this utility but it seems to be really, really useful at data recovery.
  4. Run TestDisk after reading the steps on their site. Be sure to read the documentation there to know what you are doing. In brief (so I’m sure you read the original docs) you have to: search for your partition(s) on the raid volume – if everything was recreated with the same settings it should find it quickly in a few seconds – and save the partition table.
  5. After the partition table is saved reboot.
  6. The array should be back with all the data.

I compared checksums for some of the data against backups and it turns out everything is back.

pfSense home router using the PC Engines APU1D4

My old home router based on a sandy bridge dual core celeron and a gigabyte motherboard got “stolen” by my wife to use as a desktop as her old laptop was getting pretty slow.

I ran Tomato for a while on a Cisco E3200 router but it wasn’t able to keep up with my home connection (300 down / 100 up). Even if the router has gigabit ports it was only able to NAT at ~100-150Mbit and OpenVPN was limited to around 10Mbit.

The decision came (due to what is available in my part of the world) to the Fitlet X or the PC Engines APU1D4.

The fitlet has 4 Intel LAN ports and a quad core AMD 1GHz CPU (two generations newer than the APU). This was really appealing as opposed to the APU’s dual core Bobcat and 3 Realtek based NICs.

Eventually I settled with the APU due to the two internal mini-pcie slots and being only half the cost of the Fitlet. (Consider that you have to buy RAM for the fitlet-x and that you don’t have any internal mini-pcie left, the only one is used by the FACET card with the 3 LANs)

I won’t go into detail about the build or do a full review as this has already been made. I will only go through the bits of information I had trouble finding before and after buying it.

  • Throughput: without heavy use (squid, snort, etc.) you should see 400-500 Mbit WAN->LAN (limited by the realtek NICs). I know Mbit is not a good measure of a router/firewall performance but this is what matters to me at home. I saw mentions of 600 Mbit. I was eager to deploy it so I didn’t do any testing so all I can say is that 300Mbit works fine without any strain.
  • OpenVPN: it does around 50Mbit for me using AES-CBC-128. This was really a tough one as I didn’t find any useful values before buying and it was important for me. It’s a bit disappointing but very usable. The Bobcat T40E doesn’t support AES-NI but as far as I found out from others it’s not really helping OpenVPN either. There is low hope that newer versions of OpenVPN will perform better. The Fitlet-X CPU should be 15% faster due to IPC gains on its newer core so you should see a bit more.
  • Temperature: it appears that ~60 deg. C in idle is normal. Coming from Intel CPUs this worried me at first but seems normal for this CPU
  • Wireless: if you go the pfSense route as I did get the Compex WLE200NX usually sold together with the APU. It’s atheros (best for pfSense) and what most pfSense developers using the APU have.
  • SSD: don’t buy the 16GB crap SSD that is offered together with this board. Get a cheap ADATA/whatever instead. It’s probably going to be 32GB and at least twice as fast
  • Case: important due to the solution PC Engines chose for cooling. Note that this case doesn’t offer space for a 2.5 SSD/HDD (even if one SATA port is onboard), additional USBs (even if headers are present) or for a second set of antennas (even if two mini-pcie devices can be installed)

Brightness keys on Linux Mint for Acer E3-111

Enabling brightness control is moderately easy (I’m pretty sure they worked out of the box on slackware).

Go to https://github.com/codingtony/acer-brightness-linux-acpi and follow the instructions. Change /etc/acpi/events/acer-tm-brightness-down and /etc/acpi/events/acer-tm-brightness-up with the correct events:

event=video/brightnessdown BRTDN 00000087 00000000

and

event=video/brightnessup BRTUP 00000086 00000000

Restart acpid and the shortcuts should start working.

Repairing a Husky Hunter after reversing batteries.

Ok, I did it. For the first time since I remember I inserted batteries wrongly and reversed polarity. And that in a device I’m pretty fond of, and I recently acquired: a Husky Hunter. It was only for a few seconds before I realized my mistake but it was enough, the computer was dead. I tried leaving it overnight with fresh batteries thinking that my mistake instantly depleted the onboard RAM battery (if it’s empty a Husky will just play dead until it gets a bit of charge). It didn’t work. Time to open it (again; the first time was for cleaning and inspection).

I was in luck, close to the battery compartment was a fuse. The multimeter quickly confirmed, it was interrupted. I began to hope that it did its job quick and the rest of the electronics would be fine.

I replaced it with (actually soldered alongside it) a 1 ohm resistor (didn’t have any 0 ohm around and I hope that the small wattage resistor will act as a fuse if I’m that stupid to repeat my mistake). It is not a proper repair, next time I order parts, I’ll be sure to order a new fuse with the correct rating. Happily the Husky is back to life.

Migrating Gerrit to Google OAuth from Google OpenID

I expect this post to be obsolete pretty soon, but for now I expect this will help you skip many of the issues and questions I had going forward with upgrading Gerrit and switching to Google OAuth from OpenID.

This post is not exhaustive, I trust that you are familiar with Gerrit if you’ve come so far. I am running a gerrit installation that was stuck at v2.10 as all our users used Google OpenID. With OpenID being retired in a few weeks it was imperative to find a solution and I really wanted to go with Google OAuth (so we don’t have to recreate/merge all our users by hand). The Gerrit developers bounced around the fixes up until the last minute (IMHO) as only 2.10.2 supports the gerrit-oauth-provider plugin out of the box without the need of cherry picked changes.

is required reading and fun to read and see how a thing like this can take a year of missed commits, approvals, etc. 🙂 Why gerrit refuses to have built in user management like any other half-sane web app around is beyond me but happily beyond the goal of this post too.

Let’s try to organize what you have to do in steps:

  1. Shut down gerrit and update to 2.10.2 or newer, see here.
  2. Clone the gerrit repository, checkout v2.10.2 (or same version as above) and build with buck. Use gerrit buck as they seem to differ from facebook buck, see gerrit build instructions.
  3. Clone gerrit-oauth-provider inside /plugins (per build.md instructions, those are supposed to be valid and at the time of writing this building stand-alone might or might not work) and build it with buck. Add gerrit-oauth-provider.jar in your site’s plugins/ folder.
  4. Create your google project by visiting the Google Developer Console and obtain api and client secrets, per documentation or wiki.
  5. After running java -jar gerrit.war init -d site/ to reconfigure, the client-secret is added to site/etc/secure.config, but for now it doesn’t work there; it has to be in gerrit.config under the plugin configuration.
  6. Trust the OpenID accounts by adding trustedOpenID=^.*$ to the [auth] section. See this issue.
  7. You must keep the same URL, otherwise automatic linking of OpenID<=>OAuth accounts doesn’t happen and you end up with new users that have to be merged (painfully, especially if you use mysql, as the documentation is limited to postgres).
  8. Pray, start gerrit, pray some more. Preferably to the Spaghetti Monster.

It might be that some steps are not actually needed because due to confusing or downright missing documentation I had to scour mailing lists, github issues, gerrit commit logs and try each setting one by one until I got it working. When everything worked as expected I refused to go back and check whether some particular step (like building in tree, the need for trustedOpenID, etc.) is actually needed or it was already deprecated.

I’m pretty sure there are better ways to spend those hours.