USB video playback on Sony Bravia TVs

By Mark Farver on December 23, 2012 9:00 AM | No Comments | No TrackBacks
I was trying to play a video from a USB stick on a Sony Bravia TV KDL-55EX500.  

The TV is a little picky about the video format.  I spent a few minutes figuring out what combination of resolution and video settings were needed to get full screen playback.  The TV seems to like MPEG-2 video and 1920x1088 resolution. The command-line for Linux's avconv command was this:

 
avconv -i input.mpg -f mpeg -target ntsc-dvd  -s 1920x1088 output.mpg

I also wanted to turn off the annoying "Bong" noise the TV makes in startup but couldn't find it anywhere in the settings menu. Turns out Sony added that option back in later firmware. If you upgrade the TVs firmware to the latest version you can turn it off.

Juniper JunOS USB partition table rescan

By Mark Farver on April 16, 2012 9:03 AM | No Comments | No TrackBacks
As an update to my upgrading Juniper EX switches from USB.  Upgrading from a USB thumb drive works well, but if you don't have one handy you might try to use another "dual use" mass storage device like a phone or Kindle.  Problem is the delay while that device initializes causes JunOS to fail to read the partition table.  You will have a /dev/da1 entry, but no /dev/da1s1:

umass1: Amazon Amazon Kindle, rev 2.00/1.00, addr 3
da1 at umass-sim1 bus 1 target 0 lun 0
da1:  Removable Direct Access SCSI-2 device
da1: 40.000MB/s transfers
da1: Attempt to query device size failed: NOT READY, Medium not present
(da1:umass-sim1:1:0:0): READ CAPACITY. CDB: 25 0 0 0 0 0 0 0 0 0
(da1:umass-sim1:1:0:0): CAM Status: SCSI Status Error
(da1:umass-sim1:1:0:0): SCSI Status: Check Condition
(da1:umass-sim1:1:0:0): UNIT ATTENTION asc:28,0
(da1:umass-sim1:1:0:0): Not ready to ready change, medium may have changed
(da1:umass-sim1:1:0:0): Retrying Command (per Sense Data)
The workaround seems to be to issue a "camcontrol rescan da1" to rescan the parition table.

This issue only shows up on some versions of Junos, and the camcontrol command is also only available on some versions of Junos. 

Disabling ip_conntrack to save memory, restore happiness

By Mark Farver on January 4, 2012 5:00 PM | No Comments | No TrackBacks
I found a new trick in iptables I wasn't aware of.  Turns out iptables tracks all connections, even ones that are not going to be NAT'd.  On a busy webserver or router this means iptables is wasting resources tracking connections when it should be just routing.

The raw table in iptables can be used to set a NOTRACK flag on a packet, and that packet will not traverse the ip_conntrack stuff.

So for a busy webserver, you could disable tracking for web connection states:
iptables -t raw -A PREROUTING -d <server IP> -p tcp --dport 80 -j NOTRACK
iptables -t raw -A PREROUTING -s <server IP> -p tcp --sport 80 -j NOTRACK

Or on a machine that is routing between several internal networks and also NATing external connections you could disable tracking for the internal to internal stuff.
iptables -t raw -A PREROUTING -s 172.16.0.0/16 -d 172.16.0.0/16 -j NOTRACK

On one of our core Linux routers the number of ip_conntrack entries dropped from an average of 65-70k down to about 2k. 

Upgrading Juniper EX series switches from USB.

By Mark Farver on December 6, 2011 12:35 PM | No Comments | No TrackBacks

This is for my notes. Generally I use this to upgrade the firmware of an EX4200 switch to the same JunOS version as the rest of a virtual chassis, BEFORE connecting the VC cables.  I'm doing this from memory, so if there are any mistakes let me know.

You will need to have access to a shell. The "root" user logs into shell automatically, other users should run "start shell"

From the shell run these commands:

 # mkdir /mnt/usb

Insert the USB stick (FAT32 formatted) into the port at the back of the switch. It should have the firmware on it, generally in a file named something like "jinstall-ex-10.3R3.4-domestic-signed.tgz"

 # mount -t msdosfs /dev/da1s1 /mnt/usb"

Note that tab completion works on Junos, to save some typing just enter the frist few characters of the filename and hit "tab"

 # cp /mnt/usb/jinstall-ex-10.3R3.4-domestic-signed.tgz /var/tmp

If the switch is running firmware older than 10.3 you should upgrade the loader too:

 # cp /mnt/usb/jloader-ex-3242-11.3I20110326_0802_hmerge-signed.tgz /var/tmp
 # umount /mnt/usb
 # cli
At the ">" cli prompt: If the firmware on the switch is older than 10.3 you will need to install the updated jloader 
 > request system software add /var/tmp/jloader-ex-3242-11.3I20110326_0802_hmerge-signed.tgz
then: 
 > request system software add /var/tmp/jinstall-ex-10.3R3.4-domestic-signed.tgz reboot

Dual IP stack for twice the love

By Mark Farver on July 24, 2011 10:59 AM | No Comments | No TrackBacks
Several weeks too late for world IPV6 day: My first directly connected dual stack router (no tunnel). In this case a Juniper MX-80 connected to TW Telecom.
mfarver@RTR2> ping 2001:470:1f0e:d23::1
16 bytes from 2001:470:1f0e:d23::1, icmp_seq=0 hlim=62 time=46.032 ms
16 bytes from 2001:470:1f0e:d23::1, icmp_seq=1 hlim=62 time=45.363 ms
16 bytes from 2001:470:1f0e:d23::1, icmp_seq=2 hlim=62 time=44.284 ms

LLDP: Your guide to the land of lost servers

By Mark Farver on July 21, 2011 8:29 PM | No Comments | No TrackBacks

We often use LLDP (Link Layer Discovery Protocol) to find out which switches are uplinked to other switches. Each switch sends identification packets to the opposing switch identifying its name and the power number it is broadcasting from.

Juniper EX Example

user@core1> show lldp neighbors    
Local Interface    Parent Interface    Chassis Id          Port info     System Name
ge-2/0/7.0         -                   00:26:f2:50:85:c0   47           data_sw1 
ge-2/0/14.0        ae15.0              00:26:f5:b1:3d:40   1            data_sw2 
ge-2/0/2.0         ae9.0               b4:39:d7:89:48:40   1            pub_sw1
ge-1/0/12.0        ae31.0              b4:39:d3:1a:2c:c0   1            pub_sw2 
ge-2/0/12.0        ae31.0              b4:39:d2:1a:2c:c0   2            pub_sw2

Makes it a little simpler to audit the wire maps. I wondered if it would be possible to have servers broadcast as well.

Turns out they can. RHEL6 ships with lldpd already ready to go. Just install the package and start the daemon. We are running CentOS 5 still, and I wasn’t able to find a recent package for that. Eventually I found a src RPM for lldpd 0.4.2 and just updated it. You can find the updated version here.

HP Procurve Example

SW2# show lldp info remote

 LLDP Remote Devices Information
  LocalPort | ChassisId                 PortId PortDescr SysName               
  --------- + ------------------------- ------ --------- ----------------------
  2         | 50 c5 8f b7 33 c0         36     vme.0     pub-sw1              
  19        | 78 2b cf 16 14 f0         78 ... eth2      cache-1.example.com
  20        | 78 2b cf 15 a0 2f         78 ... eth2      web-3.example.com
  21        | 78 2b cf 16 7c 24         78 ... eth2      web-2.example.com
  22        | 78 2b cf 15 bf 9e         78 ... eth2      web-1.example.com

You can query LLDP info manually as noted above, or you can get it via SNMP MIB: lldpRemoteSystemsData 1.0.8802.1.1.2.1.4. Interestingly it looks like you might be able to get remote IP information this way. The lldpd daemon also supports CDP for Cisco environments and a few other features that we don’t use. Windows hosts can broadcast the same data using the haneWIN LLDP Agent. Adding LLDP support is a simple add to your Puppet or Chef recipes, and makes a handy backup to manual wiremaps that your network team will appreciate.

With rainbows, black is the most worrisome color

By Mark Farver on June 27, 2011 12:36 PM | No Comments | No TrackBacks
This has been at the back of my mind for years now.  Every company I've worked with stored MD5 hashed credit card numbers in the DB so "search by CC number" works.  As far as I know no one has released a rainbow table of all of the common credit card number prefixes hashed, but its getting way too easy to do so.  33.1 billions hashes per second.... yikes.

http://blog.zorinaq.com/?e=42

Back of the envelope, this system could calculate hashes for all of the Mastercard or Visa prefixes in 20 days or so.. faster if it concentrates on the most common BIN numbers.  Discover cards would take less than a week.

So reconsider if you really need a "search by CC number" function.  If you do switch to a more computationally expensive hash.   Consider adding a site specific salt so an attacker needs to generate a unique set of tables for your site.

iftop: its tops...

By Mark Farver on May 28, 2011 7:10 PM | No Comments | No TrackBacks
New tool I just found today and am kinda disappointed I never noticed before: iftop.. it works exactly how you would expect.

We're watching you, little PDU

By Mark Farver on May 14, 2011 1:22 PM | No Comments | No TrackBacks

SNMP OID values for APC8941 PDUs we found useful when setting up Zenoss and cacti monitoring.

Total Volt Amps:
.1.3.6.1.4.1.318.1.1.12.1.18.0

Temperature (with optional AP9335T Temperature Sensor)
.1.3.6.1.4.1.318.1.1.26.10.2.2.1.8 in C

.1.3.6.1.4.1.318.1.1.26.10.2.2.1.7 in F

Relative Humidity (with optional AP9335TH Temp and Humidity Sensor):
.1.3.6.1.4.1.318.1.1.26.10.2.2.1.10

There are a bunch more things you can check, Temp status, breaker and power outlet status as well.  Make sure you get the latest PowerNet MIB form APC.
Continue reading We're watching you, little PDU.

Earth, Wind, Water and a Fire Alarm

By Mark Farver on April 29, 2011 12:58 AM | No Comments | No TrackBacks
Odd experience at our older colo facility:

We were onsite in the cage when the building fire alarms sounded. I did what most reasonable persons would: figured it was a false alarm but put down tools and walked out the front door.

The datacenter's technical staff had a little trouble.  They told us immediately that it was a test, and not to worry.  But usually tests involve technicians from the alarm company and there was no service trunks outside.  The techs continued to try to reach the facilities manager on the phone.  A gentleman turned up claiming to be the building owner, and said the fire department was on the way.  The fire department shows up, and the first question they ask is "What is this place?"  When we explained it was a datacenter they asked for further clarification.  In one of the most crowded datacenter corridors in the world, the fire department had no special training on dealing with datacenter fires, and didn't even know the buildings within their area.  The fire department leaves after a few minutes.  The alarm continues sounding for another 15 minutes before resetting on its own.

We later find out the issues was a false detect from an under floor smoke detector.  Seems that some additional training in reading the fire panel and when to evacuate the datacenter might be in order for the DC operator.  I was also a little surprised the fire department didn't inspect under the floor, or even walk around. 




Archives