[files]
fileroot="."
filetypes="Type1,Type 2,Type3,Type4"
Note that there are no spaces around the commas.
What I would like to have happen is that I parse that using regular INIFile rules:
require_once 'Config.php';   // PEAR Config package
$config = new Config();
$configRoot =& $config->parseConfig($configFile, "IniFile");
if (PEAR::isError($configRoot)) {
    die($configRoot->getMessage());
}
$filesConfig =& $configRoot->getItem("section", "files");
$fileRoot = $filesConfig->getItem("directive", "fileroot")->getContent();
$fileTypes = $filesConfig->getItem("directive", "filetypes")->getContent();
(This isn't meant to be the best example of PHP code extant, only code that is able to elicit the bug I want to show.)
Type1,Type 2,Type3,Type4
Note that the spaces in "Type 2" are preserved. If I change the filetypes line to read
filetypes="Type1,○Type2,Type3,Type4"
Where "○" represents a space (ASCII 32), I get
Type 2,Type3,Type4
The first element has been lost! If, however, I type
filetypes="Type1○,Type 2,Type3,Type4"
(note that there are spaces in the "Type 2" entry, but the 2 abuts a comma, as does the capital T) I get:
Type1○,Type 2,Type3,Type4
The entire entry is there, including the space before the comma! (This is made clear by doing a
var_dump(split(",",$fileTypes))
and getting
array
  0 => string 'Type1' (length=5)
  1 => string 'Type 2' (length=6)
  2 => string 'Type3' (length=5)
  3 => string 'Type4' (length=5)
in the first case,
array
  0 => string 'Type 2' (length=6)
  1 => string 'Type3' (length=5)
  2 => string 'Type4' (length=5)
in the second, and
array
  0 => string 'Type1 ' (length=6)
  1 => string 'Type 2' (length=6)
  2 => string 'Type3' (length=5)
  3 => string 'Type4' (length=5)
in the third. (Formatting courtesy of xdebug).
This is an expansion on the 140 characters I spoke about on Twitter a little while ago. This is as much of the conversation as I can remember.
I just received a call from an "IT recruiter" (I don't remember who, and it doesn't matter who, really), who started off the conversation by breathlessly exclaiming:
"I need to speak to someone about a network problem."
Um, who is this?
"Is this the IT department? I need to speak to the IT manager."
Um, that would be me. Who are you trying to reach? Who are you?
"I'm so-and-so, this is the number that they forwarded me to."
Um, there is no "they", we have an auto-attendant. Who is this again?
"I got your number from J. Random Otherperson."
I don't know them, but OK. Who are you?
"I'm so-and-so, and I'm with an IT recruiting firm, and I wanted to know if blah blah you had any projects blah blah" (Yeah, I figured this out by now, but I wanted to let it play out.)
Hi, well, why did you give me this whole story instead of just coming out and saying it? I don't like being told stories to. To tell you the truth, we're not inclined to want to work with people who lie to us. I certainly don't like being told a whole cock-and-bull story to get my attention. Thank you very much. Good-bye. <click>
I hope it's not the same way in every sales arena.

So a few weeks back I had the pleasure of migrating a client's website from a shared web host + shared database host to a single VPS (virtual private server) where both the webserver and database server were on the same machine.
This consolidation is actually counter to the standard multi-tier architecture:
+----------------------+
| webserver |
| |
+----------------------+
+----------------------+
| database |
| server |
+----------------------+
In this case, we performed the consolidation because the shared database server that was available was horribly overburdened, and also the current application wasn't so much "architected" as much as "pieced together à la Frankenstein's monster" and wasn't uniformly careful with cleaning up its database connections, or even using database pooling (for .NET), so at times we'd see up to 4000 (!) separate connections attempting to be made to the database server.
While we were having awful problems with the database server, the technical staff at the hosting provider in question were helpful and responsive, even if they couldn't help us narrow down all the problems--some of which were caused, no doubt, by the client's own applications.
To tie in to the title, one of the big hangups came when we attempted to restore a MS SQL server backup of the original databases onto the local installation. One of the problems is that SQL server has a parallel notion of user IDs, namespaces (for tables and tablespaces and whatnot) and schemata (schemas), with some apparent overlap.
DISCLAIMER: I am not a SQL server database administrator (DBA) by any definition except by dint of having to manage a database on a single small server. Oracle, MySQL, PostgreSQL, these I can deal with, but SQL server? Not really.
So after restoring the databases, I found some standard permissions and ownership errors. And trying to just create a database user using the standard GUI method didn't work. (It never does. Why would anyone be surprised with this?). I found, however, that by dissecting the SQL that the create-a-user script uses, and modifying it ever so slightly, I could get things to work just my way. Perhaps this isn't the Microsoft way of doing things, and anyone who wants to disabuse me of my bad methodology should kindly step up and do so, as I am willing to learn.
The magic (line numbers inserted by me, actual databases and usernames modified, of course):
 1  USE [master]
 2  GO
 3  CREATE LOGIN [loginname] WITH PASSWORD=N'password', DEFAULT_DATABASE=[defaultdb], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
 4  GO
 5  USE [defaultdb]
 6  GO
 7  ALTER USER [loginname] WITH LOGIN=[loginname]
 8  GO
 9  USE [defaultdb]
10  GO
11  ALTER USER [loginname] WITH DEFAULT_SCHEMA=[schemaname]
12  GO
The key was that the loginname and the schemaname, even though they are the same text string, are totally independent, and needed to be assigned. But in line 3, the standard CREATE LOGIN creates a disabled user, and that broke the ALTER USER statements in lines 7 and 11. (Or at least, that's what my memory has.)
+-------------+       +---------------+
| web server  |       | database srvr |
| user 'user1'| ----> |               |
+-------------+       +---------------+
Now when the web page runs, it calls a script that connects as user 'root' from the webserver host.
+-------------+       +---------------+
| web server  |       | database srvr |
| user 'root' | ----> |               |
+-------------+       +---------------+
Presumably, if user 'root' can log in, it can create and grant privileges? Ah, not so! It turns out, you can, but if you're not careful when you first set up the permissions for root@'webserver', you end up with some permissions to do things and some NOT.
mysql> show grants;
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@webserverhost                                                                                                                                    |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'webserver' IDENTIFIED BY PASSWORD '*you think i will put this here??!!' WITH GRANT OPTION                                 |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON `mysql`.* TO 'root'@'webserverhost'        |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
mysql> grant all on *.* to root@'webserver' identified by 'xxxxxyyyy' with grant option
-> ;
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
[jbaltz@webhost] >mysql -u clover -pxxxxxyyyy -e 'show tables from newDataBase' -hDatabaseServer
+-----------------------+
| Tables_in_newDataBase |
+-----------------------+
| User                  |
+-----------------------+
...which gives me what I need.
-bash-3.2$ /usr/sbin/traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 64.233.169.103
traceroute to www.google.com (64.233.169.103), 30 hops max, 40 byte packets
 1  fw-gw.3phasecomputing.com (192.168.xxx.yyy)  0.673 ms  0.532 ms  0.511 ms
 2  98.113.45.1 (98.113.zzz.aaa)  5.012 ms  4.208 ms  4.495 ms
 3  G4-0-0-1955.LCR-09.NYCMNY.verizon-gni.net (130.81.137.34)  5.021 ms  5.199 ms  5.033 ms
 4  130.81.29.236 (130.81.29.236)  5.297 ms  5.569 ms  5.028 ms
 5  0.so-4-3-0.XL4.NYC4.ALTER.NET (152.63.10.29)  5.561 ms  5.464 ms  5.837 ms
 6  0.ge-5-1-0.BR3.NYC4.ALTER.NET (152.63.3.118)  7.157 ms  6.812 ms  6.638 ms
 7  te-10-2-0.edge2.NewYork2.level3.net (4.68.110.233)  14.080 ms  14.803 ms  13.822 ms
 8  vlan69.csw1.NewYork1.Level3.net (4.68.16.62)  19.441 ms  vlan79.csw2.NewYork1.Level3.net (4.68.16.126)  15.586 ms  vlan89.csw3.NewYork1.Level3.net (4.68.16.190)  24.895 ms
 9  ae-74-74.ebr4.NewYork1.Level3.net (4.69.134.117)  23.574 ms  ae-84-84.ebr4.NewYork1.Level3.net (4.69.134.121)  17.200 ms  ae-74-74.ebr4.NewYork1.Level3.net (4.69.134.117)  16.937 ms
10  ae-3.ebr4.Washington1.Level3.net (4.69.132.93)  24.887 ms  17.200 ms  18.345 ms
11  ae-94-94.csw4.Washington1.Level3.net (4.69.134.190)  20.201 ms  ae-63-63.csw1.Washington1.Level3.net (4.69.134.162)  15.321 ms  14.534 ms
12  ae-1-69.edge1.Washington1.Level3.net (4.68.17.16)  134.966 ms  13.450 ms  13.546 ms
13  GOOGLE-INC.edge1.Washington1.Level3.net (4.79.231.6)  13.812 ms  GOOGLE-INC.edge1.Washington1.Level3.net (4.79.228.38)  13.720 ms  GOOGLE-INC.edge1.Washington1.Level3.net (4.79.231.6)  14.268 ms
14  64.233.175.171 (64.233.175.171)  14.524 ms  64.233.175.169 (64.233.175.169)  14.088 ms  14.066 ms
15  216.239.49.149 (216.239.49.149)  16.987 ms  216.239.49.145 (216.239.49.145)  17.781 ms  216.239.49.149 (216.239.49.149)  17.519 ms
16  yo-in-f103.google.com (64.233.169.103)  14.319 ms  13.705 ms  14.092 ms
(2008-08-13 09:32:10) albaketapy@hotmail.com: Hey Jerry%20B.%20Altzman .....I cant upload my pics to msn for some reason! Hit me back up on http://xxxxxx.blogspot.com
$ grep -cri 'Hit me back up' *|grep -v '0$'
agnessopyby@hotmail.com/2008-08-11.032149-0400EDT.txt:1
albaketapy@hotmail.com/2008-08-13.093210-0400EDT.txt:1
annefogabem@hotmail.com/2008-08-11.103216-0400EDT.txt:1
elisecokaw@hotmail.com/2008-08-12.182304-0400EDT.txt:1
genevievenugimox@hotmail.com/2008-08-12.231241-0400EDT.txt:1
jennylevyv@hotmail.com/2008-08-13.032007-0400EDT.txt:1
lessielydoc@hotmail.com/2008-08-10.235141-0400EDT.txt:1
lorenanunecaz@hotmail.com/2008-08-12.204747-0400EDT.txt:1
nanettepusun@hotmail.com/2008-08-11.080932-0400EDT.txt:1
nanettepusun@hotmail.com/2008-08-13.070848-0400EDT.txt:1
phoebecytol@hotmail.com/2008-08-11.054531-0400EDT.txt:1
robertcopow@hotmail.com/2008-08-12.155737-0400EDT.txt:1
$ tracert -d www.jbaltz.com
Tracing route to www.jbaltz.com [74.208.29.13]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.xxx.yyy.zzz
  2     6 ms     4 ms     4 ms  98.113.aaa.bbb
  3    45 ms    45 ms    45 ms  74.208.29.13
Trace complete.
Hrm...1&1 is one hop from my firewall? Rockin’!
$ tracert -d mail.emailsrvr.com
Tracing route to mail.emailsrvr.com [207.97.245.100]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.xxx,yyy.zzz
  2     6 ms     5 ms     4 ms  98.113.aaa.bbb
  3    14 ms    14 ms    14 ms  207.97.245.100
Trace complete.
Yow! Of course, this is Windows traceroute. From a FreeBSD box, I get somewhat different results:
[jbaltz@iridium ~]$ traceroute -n www.jbaltz.com
traceroute to www.jbaltz.com (74.208.29.13), 64 hops max, 40 byte packets
 1  192.168.xxx.yyy  0.514 ms  0.359 ms  0.338 ms
 2  98.113.aaa.bbb  4.572 ms  5.229 ms  4.341 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
(18 more lines like this deleted...)
I thank you for the opportunity given to quote for the above and take pleasures in forwarding our resume in simple.Why am I ready for this project?
I am a Service Exporter. I must export service.I do Export My ability.I do it really happily. I am enjoying working with php. I am a Lecturer for php in local computer institute.
The posting went up at 2312 EST tonight. The posting said “send résumé in HTML or plain text” and it also said “must be able to read and follow directions”.
Email at 2355 LCL came in with a Word document attached.
43 minutes from FIRST POST to first clown. I beat my previous record.
Sigh. C’est la guerre.
Specifically, you're seeing:
%PIX-3-713119: Group = xxx.yyy.aaa.zzz, IP = xxx.yyy.aaa.zzz, PHASE 1 COMPLETED
%PIX-3-713902: QM FSM error (P2 struct &0x1c0bd30, mess id 0x4a08f6c8)!
%PIX-3-713902: Group = xxx.yyy.aaa.zzz, IP = xxx.yyy.aaa.zzz, Removing peer from correlator table failed, no match!
%PIX-4-113019: Group = xxx.yyy.aaa.zzz, Username = xxx.yyy.aaa.zzz, IP = xxx.yyy.aaa.zzz, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
A few things you need to know about the PIX and its IPSec VPN implementation.
quick auth hmac-md5 enc 3des group modp1024\
quick auth hmac-md5 enc 3des group none \
Just to get this out front, since some people who know me might think this is meant to be mocking of my correspondent: it most certainly is not in any way meant to be disparaging to anyone, only enlightening (I hope).
He starts with:
How do we protect our trunk from bad coders/commits without spending too much time in administration, merging, Etc. Most of the developers will be new to SVN. There will be at least a dozen developers, several with language and communication barriers. Our site is live and needs lots of bug fixes so quick response is needed as well as protection of the trunk against bad code.
This isn't really a 'subversion' question, strictly speaking, as it really is more of a 'process' question. You'd encounter much the same problems in ANY version control system you used.
We recently purchased an Intel SS4400-E network-attached storage (NAS) unit (yes, that link points to an SS4000, but that seems to be the only way the product is listed; ours identifies itself as a 4400 and this has caused me no end of trouble in discovering any information about the unit) and put some 500GB SATA drives in it to create a nice terabyte-sized RAID-10 array.
One of the nice things about this particular device is that it supports USB drives as well; you can hang a USB-drive (like the Western Digital MyBook) and the unit will (allegedly) serve it up either via NFS or CIFS shares. The idea is now I can take this big ol' USB drive, and instead of attaching it directly to a machine, I can make it “network attached” and can use it to back up the various and sundry Windows machines in the office.
It turns out that for our server, and FBSD 6.2, the machine would not reboot cleanly with the USB drive attached — it would hang at the BTX loader. This might be a known problem, maybe (?) related to ACPI, and is hopefully going to be fixed in 7.0
[jbaltz@aaa ~]$ ssh kr -l root
root@xxx.yyy.zzz's password:
Welcome to
_/_/_/ _/_/_/ _/_/_/ _/
_/ _/ _/ _/ _/_/_/_/ _/_/ _/ _/_/
_/ _/_/_/ _/_/ _/ _/ _/ _/_/
_/ _/ _/ _/ _/ _/ _/
_/_/_/ _/ _/_/_/ _/_/ _/_/ _/
Powered by FalconStor Software, Inc.
Copyright 2001-2006 by FalconStor.
All Rights Reserved.
http://www.falconstor.com
#
VFS: Can't find ext3 filesystem on dev sdf1.
VFS: Can't find an ext2 filesystem on dev sdf1.
XFS: unknown mount option [gid].
FAT: bogus number of reserved sectors
VFS: Can't find a valid FAT filesystem on dev sdf1.
usb-storage: device scan complete
So... I put the drive back on the machine, and a look at the /var/log/messages file showed me that the machine thought the USB disk was on /dev/sdf:
XFS: unknown mount option [gid].
FAT: invalid media value (0xf3)
VFS: Can't find a valid FAT filesystem on dev sdf.
# fdisk /dev/sdf

The number of cylinders for this disk is set to 60801.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/sdf: 255 heads, 63 sectors, 60801 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-60801, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-60801, default 60801):
Using default value 60801

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
WARNING: If you have created or modified any DOS 6.x
partitions, please see the fdisk manual page for additional
information.
Syncing disks.
# mkfs.xfs -f /dev/sdf1
meta-data=/dev/sdf1 isize=256 agcount=16, agsize=7631000 blks
= sectsz=512
data = bsize=4096 blocks=122096000, imaxpct=25
= sunit=0 swidth=0 blks, unwritten=1
naming =version 2 bsize=4096
log =internal log bsize=4096 blocks=32768, version=1
= sectsz=512 sunit=0 blks
realtime =none extsz=65536 blocks=0, rtextents=0
# mount /dev/sdf1 /nas/usbdisk1
# df -h
Filesystem Size Used Available Use% Mounted on
/dev/md0 248.7M 95.2M 140.6M 40% /
/dev/vbdi2 195.3M 152.0k 195.2M 0% /nas/NASDisk-00002
/dev/vbdi3 195.3M 260.0k 195.1M 0% /nas/NASDisk-00003
/dev/vbdi4 930.2G 183.6G 746.7G 20% /nas/NASDisk-00004
/dev/sdf1 465.6G 272.0k 465.6G 0% /nas/usbdisk1
[usbdisk1]
comment =
path = /nas/usbdisk1
max connections = 0
read only = no
browseable = yes
comment =
valid users = root,jbaltz,guest,
write list = jbaltz,
available = YES
nt acl support = no
# ls -dl /nas/usbdisk1
drwxr-xr-x 2 root root 8 Nov 27 22:46 /nas/usbdisk1
# chgrp nasgrp /nas/usbdisk1
# chmod g+w /nas/usbdisk1
jbaltz@cesium /home/jbaltz
$ net use z: \\\\krypton\\usbdisk1
The command completed successfully.

jbaltz@cesium /home/jbaltz
$ cd /cygdrive/z

jbaltz@cesium /cygdrive/z
$ df -h .
Filesystem  Size  Used Avail Use% Mounted on
z:          466G  272K  466G   1% /cygdrive/z

jbaltz@cesium /cygdrive/z
$ mkdir foo

jbaltz@cesium /cygdrive/z
$ cd foo

jbaltz@cesium /cygdrive/z/foo
$ cat > bar
hi there

jbaltz@cesium /cygdrive/z/foo
$ ls -l
total 1.0M
-rw-r--r-- 1 jbaltz None 9 Nov 27 23:20 bar
Note that my one little 9 byte file appears to take up 1 megabyte on disk!
However—mirabile dictu—I appear to be done! I still have a daunting task ahead of me: tightening up security somewhat. Yet, this problem seems to be now behind me.
For posterity, I should note that there is a wealth of interesting information and utilities in the /usr/local/ipstor directory tree.
If you’re using FreeBSD’s jail(8) mechanism (which, by the way, is similar to Solaris zones but not as fancy or as featureful), you might have occasionally seen this problem:
You’re inside the jail, and you’d like to ssh out, and you get:
[jbaltz@boron ~]$ sudo jexec -u jbaltz 1 bash
[jbaltz@xxx /]$ ssh localhost
socket: Protocol not supported
Host key verification failed.
[jbaltz@xxx /]$
...and you make ssh more verbose, and you see the following towards the end:
[root@xxx /]# ssh -v localhost
OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.7e-p1 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
...
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: read_passphrase: can't open /dev/tty: Device busy
Host key verification failed.
...the problem is probably that you’ve jexec(8)’d into the jail, instead of logging in. SSH expects to be able to attach to a tty, and when you connect in via jexec, you don’t create one:
[jbaltz@boron ~]$ sudo jexec 1 bash
[root@xxx /]# who
[root@xxx /]#
wupsie! The solution is to log into the jail “the regular way” via ssh:
[jbaltz@boron ~]$ ssh xxx
Password:
Last login: Thu Sep 20 14:54:04 2007 from xxx.3phasec
[jbaltz@xxx ~]$ ssh localhost
socket: Protocol not supported
The authenticity of host 'localhost (127.0.0.1)' can't be established.
DSA key fingerprint is b6:d7:47:4b:25:60:75:36:2e:30:22:2f:27:ba:67:27.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (DSA) to the list of known hosts.
Password:
Last login: Thu Sep 20 14:54:31 2007 from xxx.3phasec
[jbaltz@xxx ~]$
and voilà, it works!
So Catherine (partner-in-geek here at 3 Phase) and I went today to the Infosecurity New York trade show, which this year was co-located with ISC East. ISC is the International Security Conference & Expo: it's everything you wanted to see from electrical wiring to electronic door locks to barriers that pop up out of the ground to keep you from driving through to wireless speakers to (it seems) dozens of CCTV-over-IP solutions. It was all quite interesting, and it made sense to put infosecurity and physical security next to each other. All too often those of us in the computer field who worry about virtual security forget about the simple things we need to do to secure the data: keep it in a locked cabinet, behind a locked door, with limited access to the general public.
Another side-effect of this happy conflation is that the IT side tends to avoid the hardware issues that actually do affect clients, like power outages, so I actually got to see the very hard hardware side (finding the UPS and, just as important, battery salesmen and suppliers). However, the last time I went to Infosecurity NY, there were a number of other networking equipment (read: firewall) vendors there, and this year barely any. (No Juniper/Netscreen, no Cisco/PIX/ASA, no Foundry, just Fortigate from what I could find.)
A few years back—undoubtedly a sign that I’m getting older—I decided that I would go to trade shows to actually see what people are selling and what the near-state-of-the-art is, instead of just collecting swag. (Of course, there was some nice swag to be had, but I missed out on it.) By and large, the exhibitors were interested in selling appliance solutions for security folks: Barracuda Networks and StopSpamNow.com (I cannot remember offhand exactly who they were and don’t care to put a link in the blog for them) were just two of the anti-spam plug-ins. It seemed like there were well over half a dozen IDS vendors selling plug-in IDS (Intrusion Detection Systems) solutions, and this doesn't count the firewall vendors (Fortinet, e.g.) who provide integrated IDS in their firewall unit.
There were a few, proud, software solutions vendors—one that impressed me some was SafeBoot, who gives you a pre-boot authentication environment to decrypt the contents of a hard-drive (I imagine your anti-virus software vendor must have a good time with that!)
It was also gratifying to be able to speak occasionally to some of the engineers of products I currently use to find out that the features that were broken 18 months ago finally got fixed. Plus, if you push the salespeople enough, you can actually get them to do the unspeakable: compare themselves honestly against their competition. Things like:
Oh, you want to do <XXX>? Hrm, well, that’s not a feature we really specialized in...if you want that, you might want to talk to vendor <YYY> you’ll be more satisfied overall
Of course, being a trade show, some things still are bothersome:
So I have one client who just migrated from using Trixbox (née Asterisk@home) in a VMware VM as his telephony platform (along with a bunch of Grandstream SIP phones) to the newest version (2.2) running natively on the machine. (They were experiencing the things you'd expect by running a timing-based application from within VMware—bad sound quality, odd playback of audio files, etc.)
So we backed up the old data stores, installed Trixbox natively, and things went about as smoothly as you could expect.
One function that had never worked out of the box, for some reason, was call waiting: even though users would enter *70 to enable call waiting, for some reason the asterisk DB (an oldy moldy Berkeley DB database) wasn't taking the change.
The solution was to run the following from the asterisk console (asterisk -vr):
For each extension, execute the following command
database put CW <extension> ENABLED
...and that does the trick!
One of my clients had a major power failure at his (new!) data center the other week, and one of the side effects was that there was quite a bit of data corruption (on an ext3 filesystem). One thing we lost was the LDAP database (that we recovered from the LDAP slave) and one file that got lost was a MySQL relay log file for a MySQL "slave".
MySQL appears to use these "relay log" files as a buffer between reading from a master server and feeding into a slave—it's supposed to make things more resilient.
Of course, if you end up with a missing file, you end up with the following in your mysqld.log file (on Linux):
070304 22:24:43 [ERROR] Failed to open the relay log './<host>-relay-bin.000057' (relay_log_pos 494316200)
070304 22:24:43 [ERROR] Could not find target log during relay log initialization
This error will prevent you from starting up a slave, and will give you an error:
ERROR 1201 (HY000): Could not initialize master info structure; more error messages can be found in the MySQL error log
The solution that I found that finally worked was to:
Problem: you have a script that runs periodically (like from cron) and sometimes the time to complete is longer than the time in between invocations. You end up with multiple scripts running one on top of the other, and if the scripts are at all CPU-intensive, you can bring the machine grinding to a halt.
Solution: use a MUTEX (mutual exclusion) to prevent scripts from starting if one is active. Also use a timer in case one script terminates and doesn't clean up its Ps and Vs.
bash code:
The comments are pretty self-explanatory, but just in case, the idea of the code is thus:
Line 7: Define a file that will be the MUTEX for this program. It is unique to this program but shared across all invocations.
Lines 12-14: Check to see if the MUTEX exists. If it does, examine its contents—the contents are the time of the last invocation. If the time is “not too long ago” (I have it set here as one hour, but you can change that depending on your preferences.)
Lines 15-17: If the MUTEX exists, and is “old”, then delete the MUTEX file, and kill off any processes with our name to clean up any “hung” processes (and the next periodic run will start afresh).
Lines 18-20: If we are here, the MUTEX isn’t that old, so we just exit and wait for the next invocation.
Lines 21-23: Otherwise, there is no MUTEX here—either the old process exited normally or we cleared out a hung processes. In any case, create a new MUTEX with the current time.
Line 25: This “trap” statement is a bash directive that says “if this script terminates with exit codes 0, 1, 2, or 15, then perform the operation listed”, which, in this case, is to clean up the MUTEX itself.
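The scheme the lines above describe, written out as an added example (this is my own script, not the author's, so its line numbers do not match the ones referred to above): a lock file holds the PID and the time of the run that created it; a later run backs off if that lock is recent and its owner is still alive, and clears it if it is stale. The file name, the one-hour limit and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not the author's script): a cron-driven job guarded by a
# lock file ("MUTEX" in the post).  The lock file stores "<pid> <epoch-seconds>"
# of the run that created it.  LOCKFILE, MAX_AGE and all function names are
# this example's own.

LOCKFILE="${LOCKFILE:-/tmp/periodic-job.lock}"
MAX_AGE="${MAX_AGE:-3600}"    # one hour, as in the post; tune to taste

# lock_is_stale FILE MAX_AGE
# True (0) when the lock's owner process no longer exists, the contents are
# unreadable, or the lock is older than MAX_AGE seconds; false (1) when a
# live, recent run still holds it.
lock_is_stale() {
    file=$1; max_age=$2
    read -r pid stamp < "$file" || return 0        # empty/unreadable: stale
    case "$pid:$stamp" in
        *[!0-9:]* | :* | *:) return 0 ;;            # malformed contents: stale
    esac
    kill -0 "$pid" 2>/dev/null || return 0         # owner is gone: stale
    [ $(( $(date +%s) - stamp )) -gt "$max_age" ]  # too old: stale
}

# acquire_lock FILE MAX_AGE
# Returns 0 when this process now holds the lock, 1 when another recent,
# live invocation does (the caller should exit quietly and let cron retry).
acquire_lock() {
    file=$1; max_age=$2
    if [ -e "$file" ]; then
        lock_is_stale "$file" "$max_age" || return 1
        # A hung earlier run left its lock behind: drop it so this run starts
        # fresh.  (The post also kills leftover processes by name here; since
        # the lock records the owner's PID, checking that PID above makes a
        # name-based kill unnecessary.)
        rm -f "$file"
    fi
    printf '%s %s\n' "$$" "$(date +%s)" > "$file"
}

# release_lock FILE: remove the lock; the trap in main_job calls this.
release_lock() { rm -f "$1"; }

main_job() {
    acquire_lock "$LOCKFILE" "$MAX_AGE" || { echo "already running, exiting" >&2; exit 0; }
    # Remove the lock on exit (0) and on SIGHUP (1), SIGINT (2), SIGTERM (15):
    # the "trap ... 0 1 2 15" the post describes.
    trap 'release_lock "$LOCKFILE"' 0 1 2 15
    # ... the real periodic work goes here ...
    sleep 5
}

# Run the job only when invoked as:  sh periodic-job.sh run
case "${1:-}" in run) main_job ;; esac
```

The exists-then-create sequence in acquire_lock is not atomic: two runs starting in the same instant could both get past it. That is usually fine for a cron job that fires once a minute, but where it matters, create the lock with mkdir (which is atomic) or wrap the job in flock(1) instead.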
So it leaks out that Sun Microsystems is working on a Fortran replacement. It is supposed to take advantage of all the new multi-core chips being produced, moreso than the parallel extensions to F90/F95.
I don't like the name much, though. I think Sun should just take over the Fortran standards working group and call it Fortran 2010. (It will look pretty different from the Fortran 90 that I wrote my Ph.D. thesis work in; and sadly I can't even get Macsyma any more.)
In the grand tradition of saying “I don’t know what language they’ll be doing <X> in in 30 years, but it’ll be called <old name>”:
I don’t know what language LINPACK will be written in in 2025, but it will be called Fortran.
In this day and age, when you want to register a domain name (say, www.jbaltz.com), there is actually a two step process that goes on:
You register a domain name with a registrar, like GoDaddy or 1and1 or Network Solutions (10 years ago NetSol was the only game in town, but that is another story.) and they verify that no one else has that domain name, and they reserve it for you.
At the same time, they notify the TLD name server for your TLD with a list of the authoritative name servers for your newly-formed domain.
What? Wait? Come again? What’s all that? Let’s define a few terms:
To wit, for jbaltz.com, the records that the .com TLD name servers hold is:
jbaltz.com. 172800 IN NS ns27.1and1.com.
jbaltz.com. 172800 IN NS ns28.1and1.com.
which means that the internet hosts “ns27.1and1.com” and “ns28.1and1.com” will be able to answer the “who” and “where” questions about jbaltz.com. (The other numbers and codes are somewhat irrelevant to this discussion, although they are important.)
(Digression: A long time ago, there was actually semantic difference between “.com”, “.org” and “.net”, but nowadays the difference appears to be entirely nominal: people just scoop up the “.org” name or the “.net” name if the “.com” name is taken. There are a few TLDs that do maintain an entry-barrier other than money: “.edu” requires that you actually prove to them that you’re an educational institution, and I believe “.museum” has a similar requirement. Also, I believe other country-wide TLDs require proof of residency or something to register a website with them, with notable exceptions being Tuvalu “.tv” and Western Samoa “.ws” )
If you’re a typical website hosting with your provider (like 1and1, which is the hosting provider for this site), your hosting provider may act as your registrar (holding your name in the global namespace of .com and telling the TLD nameservers who is the nameserver for your domain) and act as the authoritative name server for the domain, but they do not have to do so. jbaltz.com is registered through MelbourneIT (née www.registerfree.com) but has its domain name service provided through 1and1. Many many other sites do that.
My client’s site was one of them.
He had registered his site through Network Solutions, but another site (his hosting provider) was the authoritative DNS for his domain. He was moving from one hosting provider to another, and in the interim it made sense to make Network Solutions his authoritative DNS, right? I mean, they already have his registration, and they have an easy web-based interface to set up the DNS entries that were needed. It seemed like the easiest way to have a smooth transition from one place to another.
Now, Network Solutions, oddly enough, does not make moving back to them for name service easy. You cannot set up all your various and sundry domain names (www.this.com, www2.this.com, mail directions) beforehand and then tell them “OK, we want NetSol to be the authoritative DNS for us, in addition to being our registrar.” Instead, you have to do it in two steps:
Going on behind the scenes several things are going on: NetSol is setting up its own servers to be equipped to answer questions about the new domain, and NetSol is informing the TLD nameservers that it is going to be authoritative for the new domain. The former process is generally pretty quick, and the latter process can be time-consuming. (You are typically told that it takes 24-48 hours, although in reality 6 hours is about how fast it works for .com.)
What has happened now? We moved the DNS back and NetSol did the following: it notified the TLD nameservers that it was now authoritative, but it did not actually configure its own name servers to answer questions!
I think you can see where this is headed.
Now, after the move, it turns out the TLD nameservers were updated, mirabile dictu, almost immediately. NetSol’s own nameservers, however, were not updated. Which means the following things happened:
A user out on The Vast Internet tried to find “www.jerrysclient.com”
The user’s ISP’s nameserver asked the global nameserver who was responsible for www.jerrysclient.com. The global TLD nameserver replied: “NetSol is”
;; ANSWER SECTION:
jerrysclient.com. 3699 IN NS NS15.WORLDNIC.com.
jerrysclient.com. 3699 IN NS NS16.WORLDNIC.com.
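A check for exactly the failure described here, as an added example that is not part of the original post: ask the TLD server which name servers it delegates the domain to, then ask each of those servers whether it actually answers authoritatively for the zone and whether its own NS set agrees with the parent's. The function names are this example's own, and the dig output it is tested against is constructed in the shape the post shows.

```shell
#!/bin/sh
# Added example, not from the original post: compare the delegation the TLD
# servers hold for a domain with what the delegated servers say, and flag
# servers that are delegated to but do not answer (a "lame" delegation, the
# NetSol situation above).  Function names are this example's own.

# ns_from_dig: read dig output on stdin, print the NS targets it contains,
# one per line, sorted.  Comment lines (";; ...") are skipped, so answer and
# authority sections are handled alike.
ns_from_dig() {
    awk '$1 !~ /^;/ && $4 == "NS" { print $5 }' | sort -u
}

# missing_from LIST_A LIST_B: entries of newline-separated LIST_A that do
# not appear in LIST_B, i.e. servers one side names and the other does not.
missing_from() {
    b=$(mktemp)
    printf '%s\n' "$2" | sed '/^$/d' > "$b"
    if [ -s "$b" ]; then
        printf '%s\n' "$1" | sed '/^$/d' | grep -vxF -f "$b" || true
    else
        printf '%s\n' "$1" | sed '/^$/d'
    fi
    rm -f "$b"
}

# answers_authoritatively NS DOMAIN: does NS set the "aa" flag on an SOA
# query for DOMAIN?  If not, the delegation to it is lame.  (Live query.)
answers_authoritatively() {
    dig +norecurse SOA "$2" "@$1" 2>/dev/null | grep -q '^;; flags:.* aa[ ;]'
}

# check_delegation DOMAIN [TLD_SERVER]: live check; needs dig and network.
check_delegation() {
    domain=$1; tld=${2:-a.gtld-servers.net}
    parent=$(dig +norecurse +noall +authority +answer NS "$domain" "@$tld" | ns_from_dig)
    if [ -z "$parent" ]; then
        echo "no delegation for $domain found at $tld" >&2
        return 1
    fi
    rc=0
    for ns in $parent; do
        if ! answers_authoritatively "$ns" "$domain"; then
            echo "LAME: $tld delegates $domain to $ns, which does not answer authoritatively"
            rc=1
            continue
        fi
        child=$(dig +norecurse +noall +answer NS "$domain" "@$ns" | ns_from_dig)
        for m in $(missing_from "$parent" "$child"); do
            echo "MISMATCH: $tld lists $m for $domain but $ns's own NS set does not"
            rc=1
        done
    done
    return $rc
}

# Usage:  sh check-delegation.sh run example.com [tld-server]
case "${1:-}" in run) check_delegation "$2" "${3:-}" ;; esac
```

Run it as `sh check-delegation.sh run yourdomain.com` while a move is in progress: a LAME line means the TLD has already been told about a server that is not yet ready to answer, which is the state the client's site sat in for about 20 hours. The two pure functions (ns_from_dig and missing_from) are what the report rests on and can be exercised offline.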
Calling up Network Solutions technical support (“For a painful experience, press 1. To be on interminable wait, press 2”—I’m sure that Scott Adams had this in mind when coming up with Dogbert’s tech support.) was less than useful: they tried at great length to convince me that I simply had to wait for this information to propagate through the internet. I replied that it, indeed, had propagated, and the ball was now in Network Solutions’s court, and could I pretty please speak to someone in their DNS services group (I thought about posting something inquisitive to NANOG but decided later that it would be more efficacious to just wait.) and of course, I was told, I could not, but that he could enter a ticket for me, and the problem, being NetSol’s, should “clear up in 2-3 hours, tops”. The president of the client firm spent several fruitless hours, getting escalated up a never-ending chain of bureaucrats until he finally just got fed up. After about 20 hours, NetSol finally got their act together, and the site finally came “back to Earth”.
And there was much rejoicing.
So last night (earlier this morning) I need to write an envelope. My handwriting is atrocious at 1 p.m., and it’s 12 hours worse at 1 a.m., so I turn to my word processor to do it for me.
On my current, new, laptop, I don’t have MS Office installed, but I do have OpenOffice 2, so I fire that up to see what it can do.
I find my way down to the envelopes composer, type in the addresses, and then try as I might, I cannot find the exact envelope orientation I need for my printer. I find one that, by all rights, should work, put an envelope in the feeder, and click print.
What happens next is that the envelope feeds through, then a plain piece of paper gets the envelope text—evidently, the envelopes are printed only after the main text (of which there is none). Two or three iterations of trying to get the right order (remember, it is 1 a.m.!) and I throw up my hands in despair. Why can’t it just take the envelope first?
I go to the other computer in the office, with MS Word 2007 installed, and go to the Envelopes wizard. It looks like the one I’ve used countless times since I started using it in Office 2000: I enter my addresses, select the correct envelope orientation, insert the envelope, and go. Time start to finish is about 2 minutes, including changing the default fonts for the envelopes. (I’m no fan of Arial, to be honest.)
It isn’t that OpenOffice does it so wrong, or can’t be convinced to do it right, it’s that Microsoft made it easy and straightforward to do it right—if I want the envelope to be attached to the document, I can have that, or I can just print it out by itself. (There’s a big “print” button there on the envelope wizard.)
Some things, believe it or not, Microsoft does right.
So one of my clients is building a dating website, and we need some playtesting of the profile gathering process. This is also so we can build up a corpus of profiles upon which we can ply our special sauce matching method.
So if you've got 10 minutes, browse to this page (yes, I know it's just to an IP address; don’t worry, it doesn’t take any real information that could be used against you), and provide some feedback as to the method of data gathering. (What did you think of the questions? Of the choices?)
Note that the user interface is not going to end up exactly as ugly as it is now. The interest is mostly about the questions, types, and order.
It’s not so often that I read something I so totally identify with, but Joel Spolsky’s recent article on “Phone Screening” really hit the nail on the head for me as well.
I’ve just gone through a hiring process recently for my own company—several times—and finally I have made a single hire, after having gone through at least 100 résumés over the course of months of recruiting. (In a previous position, I was also required to recruit for sysadmin positions, and was frequently called in to also do interviews on developer candidates, having made a reputation for myself of being able to shake out solid candidates from weak ones.)
Like Joel, I have found that the sheer number of applicants entering the funnel requires a winnowing process; mine has several steps:
where tables A and B had over a million rows; I’m just glad that that query was run on the test database, and not the production one...
In addition, I like to ask a few questions about the things we currently do. Usually I’ll take a problem that we just solved, and ask the candidate how he or she would have solved the same problem. (This is one of the best ways, I have found, of determining how a candidate actually thinks.) In addition, I’ll usually have the candidate write a small script just to see how fluent he or she is with the tools we use every day: this is mostly a follow-up to the “can he/she hit the ground running or splatting” question. Also, since the office we work in currently is small, it gives the candidate a good idea of where he or she would be working, and trying out the daily commute.
Phew! I've spent the entire week playing catch-up.
For the first time since August 2003, I took a short vacation with my family. Just a short trip to Connecticut to see Mystic Seaport, with a short trip up to Touro Synagogue in Newport, RI, and a trip back on a ferry from New London, CT to Orient Point, NY.
Digression: it really is a cool synagogue; it isn’t terribly large (our synagogue here in Brooklyn is about the same size, maybe a little larger, but it wasn't built in the 1700’s, and doesn’t have its balcony finished yet). Plus, they have a 500+ year old Torah scroll, given to them as a gift from the Jewish community of Amsterdam, that is displayed quite nicely in a glass case.
On Sunday night, I got a frantic call from a client who had just converted over to using CommuniGate Pro for their mail server. It appears that the stock spam filters it provides just don't cut the mustard. Luckily, one of my cohorts found a spamassassin conduit for CGP that appears to have stemmed the onslaught of unsolicited mail. Of course, once that was working, it uncovered yet another problem: some email from a qmail install on one arm of the firewall wasn't making it to the CGP machine on another arm. This is exacerbated by the fact that I have not yet set up separate bind views, and that NAT is in place to let external hosts reach the CGP machine, so the inside qmail host resolves the CGP machine to its public address and the connection never hairpins back in through the firewall. (The solution to that is to use qmail’s smtproutes to point at an internal address for the CGP machine.)
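What that smtproutes entry looks like, as an added illustration with made-up names and addresses rather than the client’s real configuration: the file is /var/qmail/control/smtproutes, one route per line in the form domain:relayhost[:port], with no comments, spaces, or blank lines.

```text
mail.example.com:192.168.10.25
.example.com:192.168.10.25
```

The first line delivers mail addressed to the CGP host itself to its inside (pre-NAT) address instead of the one the public MX record points at; the second, with its leading dot, does the same for every subdomain of example.com. The route bypasses the MX lookup entirely, so it works without split-horizon DNS, but it is a per-host patch: once the bind views are in place every inside host gets the right answer and this line can go away.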
Now I have to find the time to begin the architecture work for my most recent project, LTR.com, a new-and-improved dating website being started up by my acquaintance David Siegel, which I’ve put off all week...
whine whine whine
So I receive a request from one of my co-workers to do the following:
Please redirect
https://xxx.yyy.org/index.php?main_page=product_info&products_id=21
https://xxx.yyy.org/index.php?main_page=product_info&cPath=8&products_id=21
and
https://xxx.yyy.org/index.php?main_page=product_info&products_id=138
https://xxx.yyy.org/index.php?main_page=product_info&cPath=8&products_id=138
to http://www.zzz.com/abcdefgh/nnnnn.htm
“Ah”, I say, “time for mod_rewrite, Apache's answer to everything.”
Well, it’s not that simple, you see.
You might think a simple RewriteRule would suffice, rewriting the whole URL at once:
RewriteRule ^/index\.php\?main_page=product_info&products_id=21$ http://www.zzz.com/abcdefgh/nnnnn.htm [R]
But that won’t work, because the RewriteRule pattern is matched against the URL path only. In this case, the path is just /index.php, and we don’t want to rewrite THAT, because, well, there are other things on the site they’d still like to sell. Remember, the trick is to match on the stuff after the question mark, and that isn't visible to the RewriteRule pattern!
It is accessible, however, via the variable %{QUERY_STRING}. (This took me half an hour of looking and finding.) That is because the query part (that important stuff after the question mark) gets handled separately when the web server parses the request: the path names the resource, and whatever follows the question mark is input to that resource, which is expected to consume it and generate output (so, generally speaking, it isn’t a static page).
In this case, RewriteCond is the thing that does the trick. I have to chain four of them together to get them all to work, but the following did the trick:
RewriteCond %{QUERY_STRING} ^main_page=product_info&products_id=21$ [OR]
RewriteCond %{QUERY_STRING} ^main_page=product_info&cPath=8&products_id=21$ [OR]
RewriteCond %{QUERY_STRING} ^main_page=product_info&products_id=138$ [OR]
RewriteCond %{QUERY_STRING} ^main_page=product_info&cPath=8&products_id=138$
RewriteRule ^/index\.php http://www.zzz.com/abcdefgh/nnnnn.htm [R=permanent]
This appears to have done the trick, and now everyone is happier. One thing to watch: when the substitution contains no question mark, mod_rewrite appends the original query string to the redirect target, so the client actually lands on nnnnn.htm?main_page=product_info&products_id=21 rather than the bare URL. That is harmless here, but if the target is something that reads its query string it matters; a trailing ? on the substitution (or, on Apache 2.4 and later, the QSD flag) drops it. And since browsers cache permanent redirects, test with a plain [R] before switching to R=permanent.
OK, so it isn’t heavy wizardry, but it might be useful elsewhere.
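The same redirect tightened up, as an added example rather than the configuration from the original post: one condition covers all four query strings, the substitution ends in ? so the original query string is not carried along to the new site, and L stops rule processing once the redirect fires. It assumes server or virtual-host context; in a .htaccess file the pattern would be ^index\.php$ without the leading slash.

```apacheconf
RewriteEngine On

# Exact-match the four query strings the client asked about.
# cPath=8 is optional, products_id must be 21 or 138, nothing else allowed.
RewriteCond %{QUERY_STRING} ^main_page=product_info(&cPath=8)?&products_id=(21|138)$

# The trailing "?" discards the original query string; without it mod_rewrite
# appends it to the target. On Apache 2.4+ the QSD flag does the same job.
# Use R=302 while testing; browsers cache a 301.
RewriteRule ^/index\.php$ http://www.zzz.com/abcdefgh/nnnnn.htm? [R=301,L]
```

The anchors matter: without ^ and $ a query string such as main_page=product_info&products_id=2100 would also match, and the $ is also what keeps a tacked-on &foo=bar from changing which products get redirected.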
If you haven't tried the veotag service, give it a swing. Its secret sauce—making parts of a video searchable (so it isn’t just text tagging)—in addition to “marking up video”, is something really cool. It’s been picked up in Guy Kawasaki’s blog as well. (Guy is a multiple techie-author and big-time blogger, so this is a nice coup.)
I really didn't gush about it enough in the comments there; it's truly a cool service.
DISCLAIMER: I have no financial interest in Veotag (in case you were wondering), I’m just a satisfied user and benefit from the works some others have posted on the site.
After the past few days of multiple outages at one of my customer's LA datacenters, I got to learn a few things about the resiliency of popular packaged unix software. Read this all the way, since the very last step is the one that came up to bite me.
innd, the popular NNTP package, does not like it when it is shut down uncleanly, e.g. by a power failure. One of the popular messages you may receive is:
Server throttled File exists writing SMstore file — throttling
# /etc/init.d/innd restart
# /usr/lib/news/bin/ctlinnd renumber ''
So I get to my office this morning and find multiple calls from my customer who has a data center in LA. Evidently they still have power problems in LA this morning, because when I call up the NOC guy in our data center, he says that he’s been up for 48 hours dealing with this.
Still: where are your battery backups? Where are your diesel gensets?
Now I get to rebuild history files again, figure out why MySQL replication isn’t automatically reconnecting (I think I know why now, though, and it smells like pilot error...) and watch as the load on our master servers jumps well into the double-digits due to the inrush of MySQL replicants and file replications...
I wanted to title this something snide about co-location clowns again, but I won’t. At this hour, the anger won’t do any good. My apologies if this isn’t as coherent as it could be.
This evening, one of my client’s data centers had a major power outage. (No, they’re not in Queens, NYC.) I found out about it right after the Sabbath ended by a phone call from one of my client’s clients, whose own monitoring was going bananas—it happened in between the Saturday coverage’s most recent check and my first check post-Sabbath.
(Yes, they have UPSes...allegedly. No, I do not know why the UPSes did not kick in. We’re waiting to hear back from them for an RCA [root cause analysis] to determine what needs to be done.)
After a major outage, you learn a lot of things about your system:
Continue reading "Lessons learned after a major system crash" »
(Grr. I lost the first edit of this.)
Well, I managed to get Asterisk running up on my FreeBSD 6.1 machine. A few things I've learned along the way:
I suppose I should find someone whose voice is a little bit higher in tenor for better audibility, too.
All in all, though, setting up the entire thing without missteps probably only took about 5 or 6 hours all told, which would probably have been as long as it would have taken to iron out all the kinks if I had purchased a service directly from Verizon.
Next steps are to get Mark Shoulson an IP phone in his house, so he can feel like a real Grown Up Employee of 3 Phase...
I think this time it's the eMachines machine I purchased.
After
I haven't re-tried CentOS, but I am pretty sure that one of the half-dozen unrecorded changes I made did the trick.
Now, as for getting my Sipura SPA-921 phone to work correctly with Asterisk, that's for another entry...
So the other week I begin to put together the materiel necessary to build that Asterisk box I've been needing to build—it doesn't seem fit for a company whose motto is “industrial-strength computing” to have no real fancy VoIP/messaging system. This is all a grand experiment and learning experience for me, so I fully expect a few missteps along the way. I'm therefore taking this as an opportunity to make a few mistakes along the way.
Being partial as I am to the *BSD series of Unices, I decide to download the 2 ISOs for FreeBSD 6.1, burn them to CD and begin to install.
I must give an aside about the hardware. I'm trying to build this machine on the cheap, but I do want to have it follow at least some notion of “best practices”. Anything that is remotely server-like gets two disk drives in a RAID1 array, disk drives being the #1 thing in my experience to up and fail on you (#2 being power supplies and #3 being—of all things—ethernet cards!). I notice that the local Best Buy has eMachines (yeah, I know, low-end consumer grade stuff? But I've had only good experiences with eMachines to date, and the cost of being wrong here is only about $400) on sale, and 160GB disk drives too, so I walk into the one in Staten Island, plunk down my credit card, and come out with a new eMachines T3418, a spare 160GB drive (to sort-of match the one in there), and another 17" monitor. (You have to buy the monitor in order to get the rebate, but the monitor on my sons' computer is about 10 years old and due to die, and it was basically free after rebate, so why not?)
Continue reading "Centos vs. Freebsd 6.1 installation travails" »
My new printer arrived yesterday via Fedex ground, and by all appearances works fine. I packed the old one up in the box, called up UPS (it turns out for ARS packages there is no pickup fee to me — usually if I call them for a pickup, there is a pickup charge, but not for return packages! w00t) and they're coming tomorrow to cart away the carcass of my old system.
HP so far has done me right.
So yesterday my relatively new (3 months) HP Officejet 7210 all-in-one printer -- really a nice machine, comes with an ethernet interface so I could put it far away from any machine printing to it, and close to the phone jacks so it can be a good fax, flatbed scanner/copier, etc. -- decides to up and die on me, telling me that the color printer cartridge (that came with the machine!) is, all of the sudden, the incorrect cartridge for the printer.
Um, this is kind of déjà vu for me now, since my OfficeJet 4215 died a similar death back in March, which is what prompted me to spring the extra $200 on the fancier, better-dressed printer.
(Of course, it's not the $1000 laserjet machine, but I needed to buy a printer RIGHT THEN and that's what Staples had in stock that evening)
So, I go to HP's site looking for support on it, and lo and behold they give me instructions: remove and reinsert the cartridges. If that doesn't work, then “call support”. Calling in this case is using their 24/7 web-chat-support feature with someone (most likely in a timezone 12 hours from my own).
I can't complain about that, because the chat works, and the support guy helped answer my questions.
First I had to
Follow the steps below to power cycle your all-in-one:
1. Unplug the all-in-one from power and disconnect the connection port (USB).
2. Wait 30 seconds.
3. Plug in the power only.
4. Repeat steps 2-3 two more times.
5. On the third time after plugging the unit into power, reconnect the connection port from the all-in-one to your computer.
Oh well, so I jump through these hoops. (Reminds me of the old joke: how can you tell the field-service rep changing his tires on the side of the road? He's the one swapping tires in and out to see which one is flat.)
What I did not like was that part of the debugging process involves breaking into a new package of (expensive, ’natch) cartridges to try them out. But that's just me being cheap. With two new cartridges in the machine, my printer now reads:
After all of this, Mr. Tech Support declares:
xxxxxx: This shows the issue seems to be with the printer hardware
xxxxxx: Please let me know the serial number of the All-in-One
[my response]
xxxxxx: It appears that this device has experienced a hardware failure and I shall be glad to process the request for a printer replacement with your permission, free of cost, and you will receive the unit within 5 to 7 business days.
jerry altzman: that would be delightful
Well, raise my rent! They're going to ship me a new one. Of course, this item is a “collateral product”, and therefore
xxxxxx: However, the All-in-One is a collateral product, that is, you would be required to ship the defective All-in-One on receipt of the replacement. Therefore, you would be required to provide us the credit card information as security.
NOTE: do not provide the Credit Card information in this chat session
In cases where HP did not receive the defective part/unit within 30 calendar days of shipment of the exchange part/unit from you then you will be charged for the exchange part/unit.
Return instructions and pre-paid shipping label are included.
Today I received an interesting letter from "Domain Registry of America" telling me that the registration on a domain of mine "stefy72.com" is about to expire.
Well gee, that's odd; I've never registered a domain like that. Moreover, it has the stinky smell of a phishing site or some such. (This is the classic “domain slamming” pattern: a renewal-style notice from an outfit that is not your registrar of record, where the “renewal” you are asked to sign is really an authorization to transfer the name to them. The check is simple: look up the registrar of record in whois, and act only on renewal notices that come from that registrar.)
Well, my ad went up 3 weeks ago (or so) and I've received a somewhat tepid response. I'm not sure if it's my tepid prose or something else, but response this time was about 53 résumés received, of which 16 went immediately into the “clown” folder for not following directions.
Some of the people obviously missed the
Unix sysadmin for 15-20 hours a week in-office
part, and replied with things like:
I have a full time position, but am looking for extra work.
or
I currently working full time and I am seeking a part time opportunity.
The ad also said:
You must be able to think on your feet, and you must be able to read and follow directions.
(Extra emphasis added.)
Now, of course, I don't have that much of a problem with people who aren't qualified (yet) but I don't like people who simply don't read the advertisement well.
I'm still looking, in case anyone cares.
(19:09:30) xxxxxxxxxxx: PREPARE fo da Indians
(19:09:34) xxxxxxxxxxx: ROFL
which I had hoped to avoid by saying in my post "in-office", but alas, I probably should have said (in the great tradition of Craigslist postings in NYC) "NO ONE FROM OVERSEAS! IF YOU'RE NOT IN NYC, SORRY." Subtlety is lost in the classifieds...