Solved - Adito 0.9.1 Installation Woes 1

Posted by JD 11/20/2009 at 16:26

So, Adito/VPN doesn’t really like Linux. The installation goes better than expected on 32-bit Linux, but if you change any of the configuration settings, then have the admin web page reset the server, the system won’t come back up. This happens on both 64-bit and 32-bit Ubuntu 8.04.x in my experience.

Initially, I installed Adito on a 64-bit Ubuntu Server, but problems with the startup scripts and/or wrapper prevented it from working as far as I can tell. I never, never, never got Adito to work after a reboot on 64-bit Linux. I ended up installing a 32-bit VM under ESXi 4 and loading Adito there. The comments below are for 32-bit Linux, since it was clear that the 64-bit startup scripts/wrapper were beyond my ability to solve.

Even on the 32-bit Adito install, the system has never come back up after changing settings that require a reboot for me. NEVER without doing some extra work. After making any reboot-required changes, only the method outlined below has gotten a running Adito system again.

The Fix

I’ve tried a few methods (UTF-8 settings, hacked startup files, hacked config files, swapped versions of libwrapper crap), but only the following has actually worked. As root:

  1. cd /opt/adito (or whatever directory you used)
  2. Delete the conf/webserver.properties
  3. ant install
  4. Login through the web interface at http://host:28080
  5. Step through the install process keeping all the defaults from before. Only the SSL certificate/key will need to be reinstalled.
  6. Reboot and all is well.

I’ve not lost userIDs or policies or tunnel settings doing this.

At some point, I’ll need to figure out how to backup just the settings and DB, without grabbing the entire server image.

What’s the issue?

I can only guess, but I believe it is too much of a mix of java and supporting java tools. According to the blueprint going forward, they plan to swap ant for some other tool and remove libwrapper. Ant is used by all java development teams, so I doubt that really is the issue. libwrapper appears to be a lazy way to set configurations for java web applications. There seem to be incompatible versions shipped with Adito as well. The startup process is overly complex too.

/etc/init.d/adito points to /opt/adito/install/platforms/linux/adito which is overly complex and reads a config file /opt/adito/conf/wrapper.conf which figures out which specific version of wrapper to call in /opt/adito/install/platforms/linux/x86-64/wrapper with the appropriate options (more than 3 options for some reason)

/opt/adito/conf/wrapper.conf is rewritten with every run of ant, which means any time you have to modify it to make it work (UTF-8 character sets), then any use of ant will overwrite those settings. CRAP. There are ways to reset everything with ant or just reset parts. The problem is these resets aren’t explicit in the build.xml file – they are implicit. More crap.

Anyway, the levels of indirection are too complex and just make something that should be

java /opt/adito/lib/adito.war

into something really complex. Yes, I know it isn’t that simple, but it should be. That’s the point.
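One way to keep a copy of the conf directory before the rebuild steps above and then see exactly which files ant rewrote or which are now missing. This is an added example, not part of Adito or the original post; the snapshot directory under /root is a hypothetical location.

```shell
#!/bin/sh
# Added example: copy Adito's conf files before running ant, then list what
# ant rewrote so hand edits (e.g. UTF-8 settings) can be re-applied.

# snapshot_conf CONF_DIR SNAP_DIR: copy every regular file in CONF_DIR.
snapshot_conf() {
    conf=$1; snap=$2
    mkdir -p "$snap" || return 1
    chmod 700 "$snap"                 # conf files may hold secrets
    for f in "$conf"/*; do
        [ -f "$f" ] && cp -p "$f" "$snap/"
    done
    return 0
}

# changed_conf CONF_DIR SNAP_DIR: print "changed NAME" or "missing NAME"
# for each snapshotted file that differs from, or is absent in, CONF_DIR.
changed_conf() {
    conf=$1; snap=$2
    for s in "$snap"/*; do
        [ -f "$s" ] || continue
        name=$(basename "$s")
        if [ ! -f "$conf/$name" ]; then
            echo "missing $name"
        elif ! cmp -s "$s" "$conf/$name"; then
            echo "changed $name"
        fi
    done
}

# Typical use around the rebuild (conf path from the post, /root path assumed):
#   snapshot_conf /opt/adito/conf /root/adito-conf.before
#   cd /opt/adito && ant install
#   changed_conf /opt/adito/conf /root/adito-conf.before
#   diff -u /root/adito-conf.before/wrapper.conf /opt/adito/conf/wrapper.conf
```

Take the snapshot before deleting conf/webserver.properties so that file is captured as well.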

Update a few weeks later

So we’ve been using the VPN for a few weeks and everything is working well. Performance is good. There are a few things lacking that we’d really like to have, but they are beyond our expertise. Since I’m protecting internal web sites, we didn’t want to leverage LDAP authentication. We really want RADIUS authentication with x.509 certificate exchange. That isn’t a built-in option, so I’ve forced really, really long and complex passwords and don’t allow users to change their passwords to get into the VPN. Their LDAP passwords are still known only to them, it is just the VPN access which I demand use 60+ characters. I deliver the password to each of them in a KeePass database, further insisting they follow good password management and protection methods.

Deployment to the entire company happened a few months ago. We’ve had no issues and have placed all our applications behind this VPN.

Help Make This Data Better

As I review this post, I can see where it could be confusing. It isn’t particularly well written. Please let me know which parts are too confusing to be useful. Oddly, this is one of the most popular posts on this site.

ESXi 4 and Win7 Pro

Posted by JD 11/19/2009 at 15:55

Last week, I setup and configured a special desktop for the accounting system for the company. Basically, it is a Windows7 Pro desktop running under ESXi 4 that the folks responsible for accounting remote (RDP) into after connecting via VPN to the special network for it. We’re small and only a few people even need access – never more than 1 at a time.

It was fairly painless to setup, install Accounting, load Payroll CD, then validate remote VPN access (which is never trivial), then setup daily backup jobs. Of course, AV, automatic patches and nasty IE settings were configured too. Each daily backup set is about 250MB, which isn’t too bad, but more than I would have thought given the machine is idle most of the time and won’t be used more than 3 days a month. These backups are Microsoft VHD files using the built-in backup, which could be useful, but I’d rather have a complete VMDK, VDI, or Xen img file to restore.

Of course, it isn’t possible to connect to this VM without going through our VPN.

Next I need to perform a test restore to another machine under some virtualization tool that we use. Yeah, I know with the VHD, I can perform a restore someplace else, but with the VM-image file, I just point a hypervisor at it and go. Now that VirtualBox supports VMware VMDK files, this test really should be trivial. If it goes well, I’ll take my WinXP (MS-Office, Visio and other WinXP-only tools VM) and put it under a server-based VM too. It will be better to not travel with that stuff on my laptop anyway.

Linux and the Maytag Repairman

Posted by JD 11/16/2009 at 11:41

Linux compared to the Maytag Repairman

In summary, IT consultants don’t deploy Linux because deploying Windows gets them more customers and repeat business. Windows requires more IT support than Linux.

If you are a Linux consultant, you must have many more clients to make a living, which means more effort acquiring the clients.

With Linux systems, once they are deployed, they just work and continue to work. For many systems, even patches are handled automatically with no need for onsite support. The only reason to call your Linux consultant is to upgrade a system to a new release OR for a hardware failure.

I don’t know whether any of these statements are completely true, but there is some fact in each of them.

Geany A Lightweight IDE and Code Editor

Posted by JD 11/12/2009 at 07:37

Part of me has wished I had a fancy IDE like visual studio provides, but without the commercial license and heavy system resources. I usually find vim to be enough syntax highlighting and it is definitely light weight. Occasionally, jEdit or Notepad++ seems like the best compromise between small, fast and features.

This morning I found Geany. It feels like emacs without the memory requirements. It has tabbed files and function indexes. The view for each function or code block can be compressed/hidden easily.

Best of all, it doesn’t depend on either Gnome or KDE toolkits, so it doesn’t force specific desktop environment libraries to be loaded, reducing RAM requirements for half of us that use the other OE.

I hope my fellow Linux users find this code editor – mini-IDE useful.

Manage Your Google Data

Posted by JD 11/06/2009 at 08:50

You can manage your google data here https://www.google.com/dashboard/. This is good. I don’t really use all the google apps, but seeing all the searches I’ve made over the last few years and the trend data, was eye opening. I elected to wipe my data, then pause all future capture of that data.

What other data did the dashboard show? I have removed anything personally identifying below.

Account
  Name: xxxxxxx
  Nickname: xxxx
  Email addresses: xxxxxxx@gmail.com, yyyyyy@yyyyyyyy.yyy
  Requesting data for Account...
  Manage account
  Edit personal information
  Privacy and security help

Calendar
  Country United States
  Time zone (GMT-05:00) Eastern Time
  Requesting data for Calendar...
  Manage calendars
  Manage mobile devices
  Calendar privacy policy

Contacts
  Contacts 58 entries
  Requesting data for Contacts...
  Manage contacts

Docs
  Owned by me 1 document
    Most recent: Weight 2008 on Jun 6, 2006
  Opened by me 1 document
    Most recent: Weight 2008 on Jun 6, 2006
  Starred 1 document
    Most recent: Weight 2008 on Jun 6, 2006
  Requesting data for Docs...
  Manage documents
  Sharing documents

Finance
  11 securities in 1 portfolio:
  My Portfolio 11 securities
  Portfolio value: $0.00 at Nov 6, 2009
  Requesting data for Finance...
  Manage portfolios

Gmail
  Inbox 11 conversations
    Most recent: TTTTTTTTTTTTTTTTTTTTTTTT at 7:42 AM
  All mail 40 conversations
    Most recent: TTTTTTTTTTTTTTTTTTTTTTTT at 7:42 AM
  Sent mail 7 conversations
    Most recent: gmail test on Oct 11, 2009
  Spam 2 conversations
    Most recent: Ref: ssssssssssssssss on Oct 30, 2009
  Trash 25 conversations
    Most recent: New private message has arrived on Oct 18, 2009
  Requesting data for Gmail...
  Manage chat history
  Manage HTTPS settings
  Manage all Gmail settings
  Gmail privacy policy
  Privacy and security help

IGoogle
  Gadgets installed 10 gadgets
    Most recent: on Jan 24, 2008
  Tabs 1 tab
    Most recently added:
  Requesting data for IGoogle...
  Manage iGoogle settings
  iGoogle privacy policy

Profile
  About me 2 entries
  Name: xxxxx xxxxxx
  Profile URL: http://www.google.com/profiles/pppppppppppppppppppppp
  Requesting data for Profile...
  Edit profile
  Manage sharing of contact info
  About access and privacy of profiles

Talk
  Contacts 1 contact
  Sample Contact: zzzzzz@gmail.com
  Requesting data for Talk...
  About talk
  Talk privacy policy

Voice
  History 140 calls
  Placed calls 4 calls
  Trash 36 items
  Forwarding phones 2 phones
  Requesting data for Voice...
  Manage Greetings
  Manage Google Voice settings
  About privacy and security in Google Voice
  How voicemails are transcribed

Web History
  Web History: Disabled
  Requesting data for Web History...
  Remove items or clear Web History
  Web History help
  Web History privacy policy
  Web History privacy FAQ

Other products
  Google Maps

There was a list of 3rd party sites with access to this data too. I didn’t recall authorizing any of them. Data removed and future 3rd party access prevented.

Major kudos to google for allowing us to manage our data and privacy settings.

I did leave some of the private data out there for use. It isn’t important to me. Your internet use may tell others things that are better not shared. Suppose you search on a medical term because a friend tells you a story about his mother. That search term is saved and tied to your account. What happens if 5 yrs later you end up being medically diagnosed with that illness? Your insurance company may start legal discovery efforts, or just pay google for the data. Now they refuse to cover your treatment since it was a pre-existing condition. Even if you don’t care about this, you know someone who does. What if you search for foods that are bad for you or visit weight loss web sites for 5 years? Expect your insurance company and the govt to have access to this data. If it is stored, it will get out.

It should be noted that if you aren’t logged into your google account, the data captured doesn’t appear to be correlated with your account. That doesn’t mean it isn’t captured by your IP address or a google cookie, stored, and correlated. Further, you can’t manage the data with the dashboard. Google writes about this other data.

Today, google is a little less evil. Until they let me remove my data from other peoples’ accounts (contacts, phone calls, email addresses), I’ll still avoid using google with an expectation of privacy.

11/8: The Washington Post Security Fix guy has an article on this now too.

VMware All-Day Event Today

Posted by JD 11/05/2009 at 08:00

I’m off to the VMware event in a few minutes. It is probably more of the same. I did hear from a coworker that a 17 server VMware migration went well last night. I had nothing to do with it.

Look for me at the Georgia World Congress Center today. I’ll be wearing a dull green windbreaker if it is chilly.

If I learn something ground breaking, I’ll create a new post. Sadly, it will probably be more of the send us money and send NetApp money all-day-adware.

VMware and Windows7

Posted by JD 11/04/2009 at 12:46

VMware’s Client, which is used to manage VMware Servers, doesn’t like Windows7 … yet. A friend dropped me this link with instructions to get around the prob. He said it was a 64-bit Win7 issue.

I haven’t tried this, but I did try to use Microsoft’s built-in compatibility mode settings. No joy.

Host VMware ESXi 4.x – 64-bit
Client Win7 Pro 64-bit

On another front, here’s a link to instructions to upgrade ESXi 3.5 to 4.0 without migrating to a new machine. Ballsy, we all know, but sometimes, in a lab, the chance of failure doesn’t matter.

I can confirm these instructions worked for me.

Enjoy.

Why Not Use AntiVirus That You Already Bought?

Posted by JD 10/31/2009 at 17:01

If you have broadband internet service in the USA, chances are you already pay for commercial antivirus programs. AT&T, Verizon and Comcast all provide commercial AV with their broadband services. Here are the links:

Microsoft also has entered this market with a very competitive free download http://www.microsoft.com/Security_Essentials/. The reviews so far are good. I can’t recommend it myself; it needs time to prove it works. However, I have switched to using it since it came out of Beta. I don’t use Windows much, so my risk is very low.

In short, since you’re already paying for these commercial antivirus programs, why spend money on them again? Use the free versions that your ISP provides.

Typo Blog Front Page Stuck 1

Posted by JD 10/31/2009 at 09:47

So, a few of you may have noticed that the front page to this blog hadn’t been updated in about a week, then suddenly, there were a bunch of articles. RSS users didn’t see any issues. You really, really should use the RSS feed.

So, I searched around a little and didn’t find anything that worked. Eventually, I decided to drop into the IRC support area and asked my question:

<me> Typo 5.3 has stopped displaying recent articles on the main page.
[09:45] <neuro`> damn
[09:45] <me> RSS feeds are fine.
[09:45] <neuro`> remove the cached index.html manually
[09:46] <neuro`> then run rake sweep_cache
[09:46] <me> tmp/cache is empty.
[09:46] <neuro`> public/index.html
[09:47] <me> THANKS.

Then I did what he suggested and everything seems to be working again. Less than 2 min. There were about 10 people in the channel. Talk about support.

Simple Audio Playback Script

Posted by JD 10/31/2009 at 09:00

Below is a script that will playback a group of audio files in order, grouped by day. Suppose you have files named like this


File-1x01.mp3
...
File-1x12.mp3
File-2x01.mp3
...
File-2x10.mp3
File-3x01.mp3
...
File-3x10.mp3
...
File-7x10.mp3
File-8x01.mp3
...
File-8x10.mp3

and want to play group Yx1-6 followed by group Yx6-12 daily. If you just wanted to do this for 1 set of files, it would be easier to just use `at` to play them. But you might have 10-50 files like this and only want to worry about setting up playback once a month or so.

Here’s the bonehead shell script that I’m using to accomplish this.


#!/bin/sh
#
# Program to playback audio tapes in order
# based on day of the month - best to start on 1st.
#
# It isn't pretty, but it works assuming you want to cover
# half a lesson each day. The filenames look like this:
# File-8x10.mp3

MP=/usr/bin/mplayer
DIR=/Data/Audio/Session1
FILE_ROOT=File
DATE=`date "+%d"` # Returns the day of the month
ODD=`expr $DATE % 2`
START_GRP=`expr 1 + $DATE / 2` # pick a start date
ODD_START_NO="01 02 03 04 05 06"
EVEN_START_NO="06 07 08 09 10 11 12"
FILE_EXT=mp3

# Changing the 0 to a 1 will toggle which group of files to begin
if [ $ODD = "0" ] ; then
    START_NO=$ODD_START_NO
else
    START_NO=$EVEN_START_NO
fi

# Play each file of today's half lesson in order, reporting any gaps
for count in $START_NO; do
    afile="$DIR/$FILE_ROOT-${START_GRP}x$count.$FILE_EXT"
    if [ -f "$afile" ] ; then
        $MP "$afile"
    else
        echo " File missing: $afile"
    fi
done
exit;

So, it isn’t very pretty and it is dependent on starting the script on the first of the month. Since today happens to be Oct 31 and I just finished the first group, I tweaked the EVEN/ODD and date modulus to jump 1 day ahead tomorrow – Nov 1. It will fail when a month rolls over to the next month.

A fix to that problem would be to convert the date into a Julian day of the year, DOTY, and subtract off the current DOTY from the starting date. Check out date "+%j" for more on Julian dates. Of course, then it will break at the new year, so perhaps getting the number of seconds since epoch and performing calculations based on that would be even better? Even that method will break in 2038. At some point, the complexity outweighs the difficulty to implement.
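The seconds-since-epoch approach described above, sketched as an added example that is not part of the original script. It assumes GNU date (for -d) and a start date you supply; the 2009-10-31 value in the usage comment is a constructed sample, and the even/odd mapping counts from that start date rather than from the day of the month.

```shell
#!/bin/sh
# Added example: choose the day's files from whole days elapsed since a fixed
# start date, so month and year rollovers do not matter. Needs GNU date (-d).

DIR=/Data/Audio/Session1      # same layout as the original script
FILE_ROOT=File
FILE_EXT=mp3

# days_since START TODAY: whole days between two YYYY-MM-DD dates.
# Both are parsed as UTC midnight so DST changes cannot skew the count.
days_since() {
    start=$(date -u -d "$1" +%s) || return 1
    today=$(date -u -d "$2" +%s) || return 1
    echo $(( (today - start) / 86400 ))
}

# lesson_files START TODAY: print one file path per line for that day.
# Even elapsed days play 01-06 of a group, odd elapsed days play 06-12.
lesson_files() {
    elapsed=$(days_since "$1" "$2") || return 1
    [ "$elapsed" -ge 0 ] || { echo "start date is in the future" >&2; return 1; }
    group=$(( 1 + elapsed / 2 ))
    if [ $(( elapsed % 2 )) -eq 0 ]; then
        tracks="01 02 03 04 05 06"
    else
        tracks="06 07 08 09 10 11 12"
    fi
    for n in $tracks; do
        echo "$DIR/$FILE_ROOT-${group}x$n.$FILE_EXT"
    done
}

# Usage (constructed start date): feed each path to the player in turn.
#   lesson_files 2009-10-31 "$(date -u +%Y-%m-%d)" | while read -r f; do
#       [ -f "$f" ] && /usr/bin/mplayer "$f" || echo " File missing: $f"
#   done
```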

Lastly, we need to setup crontab to run the script, playing the file.


1 6 * * * /home/jp/bin/daily_audio.sh

Enjoy.