Archive for the ‘computer geek stuff’ Category

Visit to ECMWF

Friday, April 12th, 2013

There was good news and bad news this week.

The bad news was that I won’t receive any funding support for the CISSP exam/course that I did which covered networks and telecoms, datacentre security, disaster recovery, software development and similar.

The good news was that yesterday I passed the smaller CompTIA Security+ exam, which cuts a year off the endorsement time period required for the CISSP. It’s only a minor achievement in light of the larger CISSP exam being a superset of the Security+ exam’s content (although it’s from a different vendor). A friend summed it up in a text message as “well done. It would have been HILARIOUS if a CISSP failed the Security+”.

Today I followed up on an invite to visit ECMWF, which is essentially a well funded EU wide organisation with a ~300 person branch facility in Reading, using supercomputing facilities for medium range weather forecasts.


The server rooms are restricted photography areas but the watercooled supercomputers are quite impressive in terms of heavy machined piping and reinforced floor to handle the weight. The operations monitoring room (again, photography restricted) looks like a miniature version of the military nuclear control facility in the 1980s movie ‘Wargames’. The photograph below is from the public video wall near the reception.

[Image: video_wall]

There’s obviously a lot of funding going on – there’s two datacentres of duplicated infrastructure equipment, large individual offices for staff (although office sharing is now coming in) but there’s also some tactful funding decisions evident such as not specifying the most expensive switch vendors for edge switches.

In the networking and security section I met my old work colleague, Oliver, and his co-worker Ahmed who is a CISSP and we had food at the local pub.


I enjoyed talking to Ahmed about his life experiences as he’d emigrated to the UK and I was interested in hearing what it had been like as I’d similar concerns about a potential move abroad. He’d also taken the CISSP for similar reasons to myself so it was easy to relate to his work experiences. Oliver was doing well and it was interesting to see what new technologies he’d been looking at as ECMWF appears to use quite a range of vendors. They’ve made different choices about key business software (Zimbra based rather than MS Exchange for mail) and also have a quite different network architecture. I’m not going to go into depth on what the setup is as it’s not my network and the culture on openness might be slightly different – we tend to openly publicise network design/service setup at the university more than non-educational institutions would (if someone wants to argue that this is good or bad I could probably write a whole article on the ethics and reasoning either way and what I’d choose in each situation).

Passed the exam

Wednesday, April 3rd, 2013

In case anyone is wondering, I passed the exam in the previous post. I finished in 3 hours 15 minutes which is a bit too fast – I think three people finished before me and I don’t think they passed – I only saw one of them and he was quite glum/stern looking after picking up his results so I left him alone and didn’t ask. The instructor had warned us that most people that finish earlier than 3 hours don’t pass so I did try to take my time to read the questions and to apply structure to answering the questions (for instance, is this a confidentiality, integrity, reliability or trivia question?) I took breaks roughly every 40-50 minutes. I found it pretty hard to concentrate for that long. I tried to use visualisation techniques to help concentrate – whenever I found myself daydreaming about a scenario that the exam question reminded me of, I imagined a box and put the thought in it to be opened after the exam. There were two questions out of 250 that I didn’t recognise as being from the ten domains, otherwise I was generally happy. I was pretty tense as I waited to collect the result, it was a big relief when I was handed it with a murmur of “congratulations”.

I had self funded the course as I had thought our training budget was used up (I had heard it was 19k split between 29 people) but this seems to be incorrect – with the merger of three IT related units at the university our requests for training funding are being handled differently and I’ve heard that at least two people are attending overseas conferences. Hence I’ve put in for retrospective partial funding for the course.

What next?

I’ve booked the Security+ exam for 11th April, which might seem odd having taken the CISSP which could be seen as a superset of the Security+ exam, but the CISSP endorsement process is going to take about 6 weeks, whereas the Security+ result is immediate and can be used as part of the CISSP endorsement process to prove you have the required experience. It’s a different vendor’s exam and smaller/cheaper. I’m currently scoring in the 85% area, I hope to have it up higher by the actual exam.

After that I’ll work on the LPI 201 and LPI 202 exams which make up the Linux Professional Institute LPIC-2 qualification. There was a special offer on for existing LPIC-1 certified candidates to receive exam vouchers with a practice exam, which I took, so I’ve the vouchers to use before the end of the year.

If I get the training costs partially or fully refunded for the CISSP course then I’ll probably spend part of the money on a small development network built from Raspberry Pi computers which I can then use for revision – they cost about £35 each and are about the size of an old audio cassette, and consume about 4-15 watts with no moving parts so they’re girlfriend friendly – you can have an entire network server infrastructure in a carry case without the house being full of whirring noises and without breaking the bank.

What are you aiming for?

Career wise there’s four main paths that I see

The Cisco skills are something I’ve beaten myself up over far too much – essentially I’ve worked with other people who are highly talented in the area but I feel I’ve neglected areas I’m strong in (system administration, general security) whilst trying to pursue areas I’m weak in (Cisco topics over CCENT level). I’ve felt quite frustrated with my progress when perhaps what I should have done is avoided the topic and worked on my core skills first to avoid the constant confidence knock. I need to give it another go but take it slow and methodically, mixing it in with personal development in the other areas.

All this talk of computer certifications is boring!

I will make the next post not about computer certifications, I promise.

 

Day before exam

Saturday, March 23rd, 2013

For the last week I’ve been on a training course for the CISSP, and I revised by self-study beforehand. The exam is tomorrow and I’ve been doing my last bits of revision, going over weaker areas.

I’m not going to stay up late or stress myself doing last minute cramming so will stop now – it’s a long exam and it’s best to be as calm as possible, I’ll be in bed early tonight.

I hit about 81.6% on the half size (125 questions) mock yesterday; when reviewing I can see I dropped 5 questions simply by rushing, 13 were mistakes I needed to brush up on. Today when we were going back over areas, the instructor reminded the class not to rush, staring straight at me to remind me. The statistics show that most candidates who leave before 3 hours are up fail. For a slightly odd reason, one person has to take the test today (they can’t move the appointment). At the time of writing they’ve been in there answering questions for 4.5 hours. I didn’t want to hang around outside for them to finish, just in case it was bad news.

The course has had a lot of people from different backgrounds. There’s a large mobile network/telecoms provider’s security team here, lots of Ministry of Defence IT security army members, one person from a large financial firm’s security team and a member of Interpol. I’m not top of the class (I believe someone is hitting 90%) and I haven’t been as obnoxious as to demand everyone’s scores but I think I might be somewhere in the top. I feel some empathy for the people without networking backgrounds as I can see how things like the network OSI model might be difficult to grasp if you haven’t studied it before or applied it in troubleshooting and planning.

Everyone has been quite friendly, I hope we meet up again. The bar is about to open so I’m going to have one drink with my fellow coursemates (not more than that) and then it’s our last evening meal.

If I pass tomorrow the score won’t be given – only failing results in a points out of 1000 message, and even then it’s not broken down by domain. I think everyone’s in the mood that we’re ready for the exam right now, and we just want to take it to get the moment of truth out of the way, but we have to wait for the booked slot tomorrow.

We’ve had a snowfall, there’s a layer of snow over everything and it’s still coming down in a light fashion, everything’s pretty peaceful outside.

CISSP training course

Tuesday, March 19th, 2013

I’m currently attending a CISSP training course and exam. The exam is on Sunday 24th. The training is 12 hours a day with evening self-study and accommodation on site.

“Wait, certification? Certifications suck!”

So in the IT industry there’s a (never ending) experience versus certification argument that certifications are worthless and that experience is better. I think experience is better however I don’t think it has to be one or the other. Certifications are good in certain scenarios:

  • When applying for a position, the HR team filtering resumes might not know the subject area well enough to equate your stated experience to the checklist of skills they’ve asked for. You might say this is an issue with the hiring mechanism, which is true, however during a downturn in the employment market you still need to pay the bills. Another example might be discovering that your dream employer also has an imperfect hiring process that filters in a similar way. My own experience of this near the start of my IT career was nearly overnight going from having no interview requests, to having two invitations (for two applications), after having passed the A+ and LPIC-1. This probably isn’t an issue for you later in your career if you’ve published papers or worked at a number of employments, but it might be an issue at the start or mid-career.
  • If you self learn a subject via experience, sometimes a certification training syllabus forces you to learn related areas that you would otherwise not encounter, and these new skills might come in handy when you least expect it – they force you out of your comfort zone. I’ve learnt a lot doing the ISEB Software Testing Foundation and the ITIL Foundation, both of which resulted in major changes (for the better) to how I think about things.
  • If you’re trying to slightly shift careers, the certification in the adjacent career path helps show the new employer that you do have knowledge in that subject area, to a roughly calculable minimum standard (for instance, a CCNA should be able to configure a vlan, an etherchannel – fairly predictable minimal skills)
  • It’s part of seeking to improve yourself, it shows Continual Professional Development and evidence of some kind of drive, such as a desire to learn.
  • When you feel like you’re doing nothing but firefighting at work, some measurable self development can be great for the morale/soul. Sometimes it really feels like progress.

Whilst it is possible to encounter mindless/obnoxious certification chasers they are, in my experience, fairly rare. If you’re sane about it I think you can fit certification study with your experience in a complementary way to improve your knowledge and the set of mental tools you have for dealing with issues.

“But commercial training is pointless, grab a book!”

As long as you do some self study first and use the course to fill in gaps in your understanding (to finish off your revision as it were) then I’d hope most modern professionals recognise the value (I’ve only encountered one exception) in instructor led training. Just in case, I’d briefly suggest that the forced coverage of areas that you’d otherwise struggle with or misunderstand by someone experienced in the topic pays off and additionally the lack of interruptions and focused revision makes it easy to learn.

If you self study to a good level, then attend a training course, then I think it’ll help you become (at the least) better than average in that area, and motivation to use your new skills gives you the resulting experience.

Hmm, tell me about the CISSP then?

The Certified Information Systems Security Professional (CISSP) is a security related certification aimed at (as examples) either junior managers heading up the career ladder towards corporate security managerial related posts, or security consultants. To explain the latter, companies hiring in a consultant normally want someone certified to a given standard (or famous for their work – demonstrating experience). As an example, if my existing employment hired in a consultant to assist the switch based networking side of our team, we’d probably request that they be a CCNA or above. Someone experienced and not certified would be capable but holding the CCNA immediately certifies them to a known minimum standard. Obviously this is a generalisation but it reduces the risk when hiring a contractor in to ensure they are certified.

Why are you doing it? Aren’t you in networking rather than security?

Firstly, the exam has 10 domains and I’ve covered quite a lot of the aspects of each domain over my various employments (I’ve been a jack of all trades in three positions now), I’ve also had an enthusiast interest outside of work in a number of them. As evidence, I’m doing quite well. Here’s my mock exam results last week (only 100 questions, but similar questions) before attending the course.

[Image: march]

So not perfect, but a potential pass, before seven days of commercial training.

Secondly, I’m looking at overseas employment. For an IT industry job application to Canada there is a route in that requires a job offer and a Labour Market Opinion (LMO) that states I’m not taking a position that a qualified Canadian has applied for. So what this means is either finding a specialist niche with a shortage of applicants, or finding a position in the absolute middle of nowhere (think, head north) that consequently has no Canadian applicants.

So I was looking for a specialist skill to market, the CISSP is one certification you see advertised by some of the security related consulting firms. For instance, stating that they have CISSP trained consultants for hire. There’s one such company that I’m actively tailoring an approach to.

So, you’re doing like a boot camp and then you’ll forget everything?

No, I really have done a lot of this before.

  • The software development domain I covered on my ISEB Software Testing Foundation
  • Security Operations domain I would call the day to day normal activities encountered in our team in our support and service deployment/development roles
  • Access Control I’ve covered some of when revising for the CompTIA Security+, although I haven’t taken that exam yet. It covers access models but also detective/reactive controls like IDS/IPS which I deployed during my time at the computer studies network at Gloscat.
  • Telecoms and Network Security I’d like to think is covered by my current position, but also the Cisco ICND1 and CompTIA Security+ covered aspects of this
  • Cryptography – lightly covered by the Security+ revision and my mild fascination with an RSA cryptography book some years ago which I read to death.

Although I’ve completed our first qualitative risk analysis for one of our services, I think my weaker areas are

  • Security Architecture and Design
  • Business Continuity and Disaster Recovery Planning
  • Corporate Governance/risk management
  • Legal, Regulations, Investigations and Compliance

For each one I know some detail, but need to improve. An automated analysis of my mock suggested the following priorities for revision:

[Image: swot-march]

 

“What is the exam like? I’ve heard of people doing the Comptia Network+ in less than 15 minutes, is this one easy?”

You’re allowed six hours for the exam, and the instructor states that if you leave in under 3 hours 30 minutes then you’ve probably not read the questions well enough. There are 250 questions, and yes they are multiple choice but they use metrics to pick questions that have previously been incorrectly answered by at least 1/4 of candidates.

“Whoa. That’s quite a while to sit still. Sounds interesting”

Yes, the advice we’ve had so far is

  • (try to) Get good sleep beforehand – staying up all night revising means you won’t be able to think straight for the length of the exam
  • Finish all the questions – leaving in a huff halfway through because you’ve ‘obviously failed’ led to one candidate, who was better than their self opinion, missing passing by a narrow margin. It’s thought that if they’d answered all the questions they would have confidently passed.
  • There’s four variations of the exam, some focus on certain areas more than others
  • 360 minutes and 250 questions means that you have to aim for a question per minute, a question every two minutes will be too long
  • Be very careful about going back and changing answers. 92% of people doing this exam apparently change an existing right answer to a wrong answer or an existing wrong answer to another wrong answer.

So they’re just teaching you to beat the exam and not teaching you the subject area?

No, I’ve just finished my second day’s training and we’ve really gone into good depth on each topic. The instructor is insisting on us learning the principles/theories behind subjects and keeps repeating that we are not to try to mindlessly memorise comparison tables and similar (such as a table comparing two technologies).

Who is the trainer? Some random person?

We’ve got an instructor whose employment history includes security consultancy for some massive companies and some national intelligence agencies. He comes with a bucketload of knowledge and a confident/engaging teaching style. I think he’s rather perceptive too as any time I’ve started to daydream I’ve swiftly found myself asked to read out a section of the book for the section being discussed.

I bet the students are certification chasers?

No, there’s some amazing credentials – some MSc level electrical engineers with 10+ years in IT, some lecturers with PhD level qualifications, some experienced armed forces IT security staff.

So you’ll pass this exam and then forget everything?

You have to earn Continuing Professional Education points each year after passing, which can be for attending industry events, passing exams, teaching classes and lots of other possibilities. There’s also a professional code of ethics to follow, which I’ve been making an effort to think about at work prior to the exam.

So the idea isn’t to pass the exam and then let it rot – you’re required to keep your skills in the area up to date.

I bet it’s teaching really simple stuff though?

No. I’m really glad I attended the training now. When I got the high mock exam score I wondered if I’d done the right thing (I had a nagging doubt that perhaps I could have self-trained and passed) but there’s so many background theories (or ways that various implementation models interrelate) that I wasn’t aware of. That is, there’s a lot of knowledge gaps being filled. I think it will be the difference between scraping a pass and knowing the subject area well.

I’d much rather know a subject area well than scrape a pass – depending on how self-critical you are, I think you risk low confidence in your skills, or otherwise feeling like a fraud if you scrape through an exam. I think I fit into the self-critical group, so I’m aiming for a good pass.

Was it expensive?

Yes. It includes all accommodation and food however, and the trainer is good.

And the taxpayer is paying via your workplace?

No, I’m paying. In the trainer’s own words “I don’t need to normally worry about the self-funded ones. They normally pay good attention”

You haven’t passed yet?

Exam is on Sunday!

MythTV on Centos 6

Monday, August 27th, 2012

Once in your life you should attempt to build mythtv, just to help you remember that once something complicated is working, never to touch it ever again. For some reason I’m doing my build on Centos 64bit (that has hardly any codecs prepackaged) as opposed to Debian that all the sane people are using. Warning: in terms of my methodology, it’s best not to copy anything I’m about to do on anything other than a home system you just want to work, as I’m not building rpms, I’m installing from source and even using cpan for the Perl dependencies. This is my first draft and I’m mainly putting it online so I can keep a log of what I’ve done and to reference it when asking people annoying questions about errors I’ve had.

If someone does take the work I’ve done here and writes a better guide (building rpms as you go – don’t just use some random repo) then let me know in the comments.

First install some libs and tools we’ll need at various stages


yum install gnutls-devel mysql mysql-devel perl-DBD-MySQL perl-ExtUtils-MakeMaker perl-IO-Socket-INET6 perl-IO-Socket-SSL libxml2 libxml2-devel python-lxml MySQL-python pulseaudio-libs-devel fftw-devel alsa-lib-devel avahi-compat-libdns_sd-devel gdb gsm gsm-devel opencv opencv-devel openjpeg openjpeg-devel speex speex-devel libtheora libtheora-devel libv4l-devel libv4l libvorbis libvorbis-devel bzip2-devel texi2html SDL SDL-devel taglib taglib-devel flac flac-devel perl-XML-Simple perl-XML-XPath perl-Image-Size perl-SOAP-Lite perl-JSON perl-DateTime perl-Test-Pod lsof -y

Let’s build yasm first


wget http://www.tortall.net/projects/yasm/releases/yasm-1.2.0.tar.gz
tar -zxf yasm-1.2.0.tar.gz
cd yasm-1.2.0
./configure --prefix=/usr/local
make -j3 && make install
cd ..

Then let’s build faac


wget http://downloads.sourceforge.net/faac/faac-1.28.tar.gz
tar -zxf faac-1.28.tar.gz
cd faac-1.28
./configure --prefix=/usr/local
vim ./common/mp4v2/mpeg4ip.h
# comment out line 126 with /* */
make -j3 && make install
cd ..

Now let’s build lame


wget http://downloads.sourceforge.net/project/lame/lame/3.99/lame-3.99.5.tar.gz
tar -zxf lame-3.99.5.tar.gz
cd lame-3.99.5
./configure --prefix=/usr/local
make -j3 && make install
cd ..

And then x264


# clone the x264 repository itself so that the cd below has a directory to enter
git clone git://git.videolan.org/x264.git
cd x264
# don't forget --enable-shared on the next bit
./configure --prefix=/usr/local --enable-shared
make -j3 && make install
cd ..

And we need qt, the normal centos version doesn’t have QTWebKit


wget http://releases.qt-project.org/qt4/source/qt-everywhere-opensource-src-4.8.2.tar.gz
tar -zxf qt-everywhere-opensource-src-4.8.2.tar.gz
cd qt-everywhere-opensource-src-4.8.2
./configure -fast -no-accessibility -qt-sql-mysql -no-sql-sqlite -no-sql-odbc -no-libtiff -no-libmng -nomake examples -nomake demos -no-nis -no-cups -no-phonon -no-svg
# this make takes a long time on the HP Microserver I'm using, best to leave it running and come back much later
make -j3 && make install
cd ..

Libvpx


wget http://webm.googlecode.com/files/libvpx-v1.1.0.tar.bz2
tar -jxf libvpx-v1.1.0.tar.bz2
cd libvpx-v1.1.0
./configure --enable-vp8 --enable-shared --prefix=/usr/local
make -j3 && make install
cd ..

xvid


wget http://downloads.xvid.org/downloads/xvidcore-1.3.2.tar.bz2
tar -jxf xvidcore-1.3.2.tar.bz2
cd xvidcore/build/generic
./configure --prefix=/usr/local
make -j3 && make install
# back up out of xvidcore/build/generic to the top-level build directory
cd ../../..

FIXME: Subtitle support


# EDIT libass wont compile so I had to disable it in ffmpeg
# wget http://fribidi.org/download/fribidi-0.10.9.tar.gz && tar -zxf fribidi-0.10.9.tar.gz && cd fribidi-0.10.9
# ./configure --prefix=/usr/local && make -j3 && make install
# cd ..
# wget http://libass.googlecode.com/files/libass-0.10.0.tar.gz
# tar -zxf libass-0.10.0.tar.gz
# cd libass-0.10.0
# ./configure --prefix=/usr/local && make -j3 && make install
#
# [...]
# In file included from ass_font.c:35:
# ass_shaper.h:33: error: expected declaration specifiers or ‘...’ before ‘FriBidiParType’
# ass_shaper.h:39: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘resolve_base_direction’
# [...]

FIXME: Libcelt audio codec support


# yum install celt051 celt051-devel
# more fail, despite this ffmpeg could never find it
# ERROR: libcelt not found

At this point I confess that I had been sat at the computer a long time and was starting to become a little tired with trying to compile dependencies for ffmpeg and fighting with obscure error messages so decided to build ffmpeg without libcelt and without anything else that complained from this point on, the aim being just to get the damn thing working. So at this point the following aren’t working in the ffmpeg build


libdxva2 enabled no [windows only]
libva enabled no
libvdpau enabled no
AVISynth enabled no [windows only]
frei0r enabled no
libaacplus enabled no
libass enabled no
libcaca enabled no
libcdio support no
libcelt enabled no
libdc1394 support no
libfdk-aac enabled no
libiec61883 support no
libilbc enabled no
libmodplug enabled no
libnut enabled no
libopencore-amrnb support no
libopencore-amrwb support no
libopus enabled no
librtmp enabled no
libschroedinger enabled no
libstagefright-h264 enabled no
libtwolame enabled no
libutvideo enabled no
libvo-aacenc support no
libvo-amrwbenc support no
libxavs enabled no
openal enabled no
makeinfo enabled no

So, FFmpeg next


git clone git://source.ffmpeg.org/ffmpeg.git ffmpeg
cd ffmpeg
./configure --disable-w32threads \
--enable-gpl \
--enable-version3 \
--enable-nonfree \
--enable-shared \
--enable-gray \
--enable-avresample \
--enable-vda \
--enable-vdpau \
--enable-bzlib \
--enable-fontconfig \
--enable-gnutls \
--enable-libfaac \
--enable-libfreetype \
--enable-libgsm \
--enable-libmp3lame \
--enable-libopencv \
--enable-libopenjpeg \
--enable-libpulse \
--enable-libspeex \
--enable-libtheora \
--enable-libv4l2 \
--enable-libvorbis \
--enable-libvpx \
--enable-libx264 \
--enable-libxvid \
--enable-openssl \
--enable-zlib \
--enable-pic \
--enable-sram
make -j3
# at this point if it doesn't fail after 30 seconds with some cryptic messages then you deserve a drink
# it will take a few minutes, about time to make a cup of tea
make install
cd ..

And then finally I crossed that other line of bad practice and messed around with cpan outside of my package manager’s control. If you’re doing this on your own home server then it’s your choice but best not to do this anywhere that matters if you can avoid it.


yum install perl-CPAN -y
cpan
cpan> install YAML
cpan> install HTTP::Request
cpan> install LWP::UserAgent
cpan> install Date::Manip
cpan> install Net::UPnP::QueryResponse
# this last one should be done by the above
# cpan> install Net::UPnP::ControlPoint
cpan> quit

FIXME: And then finally mythtv. ignore CEC and ASI support. I have some issues to fix here


# -O names the saved file so that the tar step below finds it
wget -O mythtv-0.25.2.tar.bz2 http://www.mythtv.org/download/mythtv/0.25.2
tar -jxf mythtv-0.25.2.tar.bz2
cd mythtv-0.25.2
# I had to give up with --enable-libx264 --enable-libmp3lame --enable-libfaac which all caused errors when making
#
# ./libavutil/libm.h:62: error: static declaration of ‘lrint’ follows non-static declaration
# ./libavutil/libm.h:76: error: static declaration of ‘round’ follows non-static declaration
#
# So sadly I just ended up with
./configure --prefix=/opt/mythtv --enable-nonfree --qmake=/usr/local/Trolltech/Qt-4.8.2/bin/qmake
make -j3 && make install
cd ..

If everything had gone right, this would have ended up with a mythtv install that’s only missing the following options, let me know if you can improve the steps in this guide to add more


libCEC device support no [/usr/include]
FireWire support no
ASI support no

# Sound Output Support
JACK support no
libfftw3 support no

# Video Output Support
xv support no
VDPAU support no
VAAPI support no
CrystalHD support no
OpenGL video no
libass subtitle support no

# Misc Features
OpenGL ES 2.0 no

# External Codec Options
xvid no
vpx no

After this it’s a case of

make -j3 && make install

And then the plugins


# -O names the saved file so that the tar step below finds it
wget -O mythplugins-0.25.2.tar.bz2 http://www.mythtv.org/download/plugins/0.25.2
tar -jxf mythplugins-0.25.2.tar.bz2
cd mythplugins-0.25.2
cpan
cpan> install DateTime::Format::ISO8601
cpan> quit
./configure --enable-all --prefix=/opt/mythtv --qmake=/usr/local/Trolltech/Qt-4.8.2/bin/qmake

Which leaves me with


MythNetvision requires the Python OAuth library (oauth)
Disabling MythNetvision due to missing dependencies.

Configuration settings:

qmake /usr/local/Trolltech/Qt-4.8.2/bin/qmake

MythArchive plugin will be built
MythBrowser plugin will be built
MythGallery plugin will be built
MythGame plugin will be built
MythMusic plugin will be built
MythNetvision plugin will not be built
MythNews plugin will be built
MythWeather plugin will be built
MythZoneMinder plugin will be built
OpenGL support will not be included in MythGallery
EXIF support will not be included in MythGallery
Dcraw support will not be included in MythGallery
libcdio support will not be included in MythMusic
FFTW v.3 support will be included in MythMusic

we then


make -j3 && make install

From this point onwards I’m borrowing heavily from http://www.mythtv.org/wiki/Installing_MythTV_on_Fedora with the odd change for Centos


adduser mythtv
passwd mythtv

Edit the firewall to allow traffic on port 80 and 443 from our network


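vim /etc/sysconfig/iptables
# add these above the final REJECT rule (rules are matched in order)
# -s is the home LAN: use your own private subnet, a public range here would admit outside hosts
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 443 -j ACCEPT
service iptables restart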
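An added example, not from the original post: a lint for rules like the two above, since one mistyped octet (129.168.1.0/24 in place of 192.168.1.0/24) turns a LAN-only rule into one that admits a public range. The function name and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Lint iptables rules (iptables-save or /etc/sysconfig/iptables format) on stdin.
# Prints "<verdict> <rule>" for every INPUT rule that ACCEPTs traffic to a --dport:
#   OK      source is loopback or RFC 1918 private space
#   PUBLIC  source is a routable, non-private range
#   ANY     no -s given, so the port is open to every address
lint_accept_sources() {
    awk '
    function is_private(cidr,   o) {
        sub(/\/.*/, "", cidr)                      # drop the prefix length
        if (split(cidr, o, ".") != 4) return 0
        if (o[1] == 10 || o[1] == 127) return 1
        if (o[1] == 192 && o[2] == 168) return 1
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
        return 0
    }
    $1 == "-A" && $2 == "INPUT" {
        src = ""; accept = 0; dport = 0
        for (i = 3; i <= NF; i++) {
            if (($i == "-s" || $i == "--source") && i < NF) src = $(i + 1)
            if ($i == "--dport") dport = 1
            if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
        }
        if (!accept || !dport) next
        verdict = (src == "") ? "ANY" : (is_private(src) ? "OK" : "PUBLIC")
        print verdict, $0
    }'
}

# Constructed sample: one correct LAN rule, one with a mistyped octet,
# one with no source restriction, and the closing REJECT.
sample_rules() {
cat <<'EOF'
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 129.168.1.0/24 --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

sample_rules | lint_accept_sources
```

On a live system the same function can read the active ruleset with `iptables-save | lint_accept_sources`.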

Setup mysql


yum install mysql-server
chkconfig --level 345 mysqld on
service mysqld start
# observe the dire warnings
/usr/bin/mysql_secure_installation
# when asked: set a mysql root password
# when asked: remove the anonymous user
# when asked: limit root user login to localhost
# when asked: remove test database
# when asked: reload tables
mysql -u root -p < mythtv-0.25.2/database/mc.sql
# on Centos the MySQL server configuration file is /etc/my.cnf
vim /etc/my.cnf
# recommended settings for mysql from http://www.mythtv.org/wiki/Installing_MythTV_on_Fedora
# (these go in the [mysqld] section)
key_buffer = 16M
table_cache = 128
sort_buffer_size = 2M
myisam_sort_buffer_size = 8M
query_cache_size = 16M

The setup program is an X application but I'm only interested in mythweb. I need a Linux workstation area for at home anyway, so I'll install KDE and I'll use nomachine to run the remote desktop instead of tunnelling X.


yum groupinstall "X Window System" "KDE Desktop"
wget http://64.34.173.142/download/3.5.0/Linux/nxnode-3.5.0-9.x86_64.rpm
wget http://64.34.173.142/download/3.5.0/Linux/FE/nxserver-3.5.0-11.x86_64.rpm
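# nxclient-3.5.0-7.x86_64.rpm also has to be downloaded before this step; its URL is not listed here
rpm -i nxserver-3.5.0-11.x86_64.rpm nxnode-3.5.0-9.x86_64.rpm nxclient-3.5.0-7.x86_64.rpm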
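The build steps above pull source archives and RPMs over plain HTTP (one set from a bare IP address) and install them as root. As an added example, not from the original post, this wrapper keeps a download only if it matches a SHA-256 digest pinned in advance; the function names are illustrative and the digest in the usage comment is a placeholder to be taken from the project's own release page.

```shell
#!/bin/sh
# Keep a downloaded file only if its SHA-256 matches a value pinned beforehand.

# Transport lives in one function so it can be swapped (curl, a local mirror).
fetch() {            # fetch <url> <outfile>
    wget -q -O "$2" "$1"
}

sha256_of() {        # print the lowercase hex SHA-256 of a file
    sha256sum "$1" | awk '{print $1}'
}

verify_sha256() {    # verify_sha256 <file> <expected-hex>; 0 on match, 2 on a malformed digest
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        ''|*[!0-9a-f]*) echo "digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest is not 64 hex characters" >&2; return 2; }
    [ "$(sha256_of "$1")" = "$expected" ]
}

fetch_verified() {   # fetch_verified <url> <expected-hex> <outfile>
    url=$1; want=$2; out=$3
    # Download to a temporary name so an unverified file never sits at the
    # path that the later tar or rpm step reads.
    tmp=$(mktemp "${out}.part.XXXXXX") || return 1
    if fetch "$url" "$tmp" && verify_sha256 "$tmp" "$want"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "REFUSED $url: download failed or digest mismatch" >&2
        return 1
    fi
}

# Usage (the digest is a placeholder, not a real value):
#   fetch_verified http://www.tortall.net/projects/yasm/releases/yasm-1.2.0.tar.gz \
#       "<pinned sha256 from the release page>" yasm-1.2.0.tar.gz \
#     && tar -zxf yasm-1.2.0.tar.gz
```

For the `.rpm` files, `rpm -K <file>` additionally checks the package's own digests and signature before `rpm -i` is run.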

Sadly at this point things come to a halt


$ /opt/mythtv/bin/mythtv-setup
/opt/mythtv/bin/mythtv-setup: error while loading shared libraries: libmythtv-0.25.so.0: cannot open shared object file: No such file or directory
$ ls /opt/mythtv/lib/libmythtv-0.25.so.0.25.0
/opt/mythtv/lib/libmythtv-0.25.so.0.25.0

It's probably obvious to someone who does more compiling and linking than I do (I do just about none normally). I decided to take a break from the computer at this point and go out for food, figured I'd hit publish so my mythtv using friends can have a giggle.

HP Microserver setup

Monday, August 27th, 2012

I managed to purchase one of the HP Microservers during the final few days of the £100 cashback offer. It cost about £216 delivered so the eventual cost will be £116 for a brand new HP Microserver, which is a great deal for a low wattage small form factor PC and although apparently some other people haven’t been so lucky, mine is one of the quiet ones.

I’ve put CentOS 6 on it, as HP support Red Hat on the hardware, which is essentially the same distribution minus branding. I took the stock hard drive out and mounted an oldish SSD in the top CD compartment of the box (I could have used a USB drive but I was going to sell the SSD otherwise), running a SATA cable up from the spare port on the motherboard. I used the 64-bit 6.3 netinstall media to do a bare-bones base install and it all went fine, with no hiccups at all.

I’m not doing anything unique or new here, but it may help someone so I’ll aim to expand this article as I get time, with the DNS, DHCP and Squid and similar config.

Firstly I added noatime and discard mount options to the SSD hard disk mount to turn on trim support and reduce disk access, then I added tmpfs ram disk mounts for the most written to areas of disk. For my home server I’m not too bothered about log retention so it doesn’t matter if /var/log contents are lost on reboot.


vim /etc/fstab
# add noatime and discard mount options to SSD mount, then add in
# ram based tmpfs partitions (mode 1777 keeps the sticky bit on the
# world-writable directories, so users can't remove each other's files):
tmpfs /var/log tmpfs size=128M,mode=0755 0 0
tmpfs /tmp tmpfs size=128M,mode=1777 0 0
tmpfs /var/tmp tmpfs size=128M,mode=1777 0 0

Next I want to check the system is patched and up to date, and I want to automate security updates. I don’t have to manually do security updates for my home network and as long as I only use the official repo I perceive from personal experience that the risks of disruption are low.


yum update
yum install yum-cron
chkconfig --levels 345 yum-cron on
service yum-cron start

Next I set the initial system time; we’ll configure ntpd to keep the clock in sync later. I actually sync to my workplace’s server because if that is inaccessible I need to find out why, but for everyday home use it’s best to pick a pool to spread your queries over rather than one individual location’s server, so I’ve used a pool in the given example.


yum install ntpdate
ntpdate uk.pool.ntp.org

Then let’s sort out temperature detection and similar, with reference to a blog post where someone worked out the workaround for an issue in the ipmi config:
http://bodgitandscarper.co.uk/centos/hp-microserver-remote-management-card/


echo "options ipmi_si type=kcs ports=0xca2" > /etc/modprobe.d/ipmi.conf
yum install ipmitool lm_sensors OpenIPMI
service ipmi start
chkconfig --levels 345 ipmi on
sensors-detect

I don’t have the remote management card so don’t believe I can do anything further with the above currently. Running ‘sensors’ now shows the temperature at least:

k10temp-pci-00c3
Adapter: PCI adapter
temp1: +37.2°C (high = +70.0°C, crit = +100.0°C)

Next I sort out basic tools, a compiler and editor settings all of which I’ll need later when setting up various network services.


# some tools we'll need
yum install vim man wget bind-utils mlocate -y

# and a compile environment which I'll need later
yum install gcc gcc-c++ automake make glibc-devel glibc-headers -y

# make our normal users process less important than the default
# for no real reason than I wanted to re-familiarise myself with the options to do this
vim /etc/security/limits.conf

# some sane editor settings I like, which I want to be the default for all users
wget -O /etc/vimrc http://gorwits.me.uk/data/files/vimrc

# set logrotate to rotate daily, expire logs after 2 weeks instead of 4, and to compress
vim /etc/logrotate.conf

For the home environment it would be nice if the power button turned off the box, so let’s get that working.


yum install -y acpid
/etc/init.d/acpid start
chkconfig --level 345 acpid on

Next we want to fix up some network services on the box. SSH is sane by default, except that I disable root login and create an unprivileged account as good practice. Replace $localusername with your chosen username.


vim /etc/ssh/sshd_config
# disable root ssh login: set "PermitRootLogin no"
adduser $localusername
passwd $localusername
service sshd reload

Turn on ntpd to keep the clock permanently in sync. ntp.conf by default has 3 ntp pools set up.


yum install ntp
chkconfig --levels 345 ntpd on
service ntpd start

It’s worth just tweaking /etc/hosts to add your server’s name and domain in case there’s an issue with name resolution and you still want services to work, for example:


127.0.0.1 localhost localhost.localdomain
192.168.3.3 myservername myservername.mydomain

I also switch selinux to be permissive rather than the default of enforcing whilst I’m building; it can be tested, the config adjusted and eventually switched to enforcing later.


vim /etc/selinux/config
# once done
setenforce 0
sestatus
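
One way to check the settings from the steps above against copies of the three files, as an added example rather than part of the original post: it flags world-writable tmpfs mounts without the sticky bit, reports the PermitRootLogin value sshd will actually apply, and notes when SELinux is still permissive. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit copies of /etc/fstab, /etc/ssh/sshd_config and
# /etc/selinux/config for the settings changed in the steps above.

# Print the mount point of each tmpfs entry whose mode= is world-writable
# without the sticky bit. A tmpfs with no mode= option defaults to 1777.
tmpfs_missing_sticky() {
    awk '
        /^[ \t]*#/ || NF < 4 || $3 != "tmpfs" { next }
        {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] !~ /^mode=[0-7]+$/) continue
                m = "000" substr(opt[i], 6)          # left-pad, then keep 4 digits
                m = substr(m, length(m) - 3)
                if (substr(m, 4, 1) ~ /[2367]/ && substr(m, 1, 1) !~ /[1357]/)
                    print $2
            }
        }
    ' "$1"
}

# Print the effective global PermitRootLogin value. sshd keeps the first value
# it reads for a keyword, and keywords are case-insensitive; anything after the
# first Match line is conditional, so scanning stops there.
sshd_root_login() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print the mode that the SELinux config file applies at the next boot.
selinux_config_mode() {
    awk -F= '
        /^[ \t]*SELINUX=/ { gsub(/[ \t\r]/, "", $2); mode = tolower($2) }
        END { print (mode == "" ? "unset" : mode) }
    ' "$1"
}

# audit_host FSTAB SSHD_CONFIG SELINUX_CONFIG
# Prints findings; the exit status is the number of FAIL lines.
audit_host() {
    fails=0
    for mp in $(tmpfs_missing_sticky "$1"); do
        echo "FAIL $mp: world-writable tmpfs without sticky bit (use mode=1777)"
        fails=$((fails + 1))
    done
    root=$(sshd_root_login "$2")
    if [ "$root" != "no" ]; then
        echo "FAIL sshd PermitRootLogin is '$root'"
        fails=$((fails + 1))
    fi
    se=$(selinux_config_mode "$3")
    [ "$se" = "enforcing" ] || echo "WARN SELinux boots as '$se', switch to enforcing once tested"
    return "$fails"
}

# Constructed sample files (not copied from a real host).
write_sample() {
    cat > "$1/fstab" <<'EOF'
/dev/sda1 / ext4 defaults,noatime,discard 1 1
tmpfs /var/log tmpfs size=128M,mode=0755 0 0
tmpfs /tmp tmpfs size=128M,mode=0777 0 0
tmpfs /var/tmp tmpfs size=128M,mode=1777 0 0
EOF
    cat > "$1/sshd_config" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
Match User backup
    PermitRootLogin yes
EOF
    cat > "$1/selinux" <<'EOF'
SELINUX=permissive
SELINUXTYPE=targeted
EOF
}

demo() {
    demo_dir=$(mktemp -d) || return 1
    write_sample "$demo_dir"
    audit_host "$demo_dir/fstab" "$demo_dir/sshd_config" "$demo_dir/selinux"
    demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}

demo || echo "findings: $?"
```

On a real host, pass the live paths: `audit_host /etc/fstab /etc/ssh/sshd_config /etc/selinux/config`.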

I haven’t yet done any of:

  • Upgraded the RAM to 8GB
  • Added a large capacity disk
  • Carried down the popular fan mod that makes the stock fan quieter
  • Fitted the almost as popular silent PSU mod
  • Fitted some sort of VFD/LCD in the 5 1/4 inch drive bay
  • Fitted the remote management card

I have a few services to configure, some of which are complete and I’ll upload the configuration for in case it saves anyone some time. I’m replacing a fair few services provided by my ISP/my ISP’s supplied router and also putting in services to practise coping with a higher latency, lower bandwidth and/or capped/per traffic charged connection, just as practice.

  • Set up a DNS caching resolver for my local network, that uses forwarders that aren’t my ISP’s (or Google’s).
    The former due to reliability issues on the weekends/evenings and the latter due to privacy concerns.
  • Set up NTP for my local network
  • Set up DHCP for my local network (that instructs my machines to use my DNS and NTP services)
  • [todo] a Squid 3.2 webcache
  • [todo] a mythweb front end for playing music and similar
  • [todo] a TFTP server for Cisco revision (uploading/downloading switch images and configs)

As stated, I’ll modify this post to add service details as I get time.

ICND2 revision

Monday, August 20th, 2012

It’s been quite a while since I did any Cisco revision for the CCNA exam, most of my work is server based but I spent today reminding myself of VLANS, VLAN trunking and similar, which is covered by the ICND2 exam as part of the CCNA.

I find it helps to learn if you can put the skills to practical use rather than just reading from a book so I built a network using an airgapped development network, pretending to be the network used by perhaps a site that has both an office environment, two server rooms and perhaps some sort of industrial sensor network or similar (environmental monitoring in an industrial greenhouse for instance).

Remember I’m a server admin and script writer, so not only is this quite simple work for someone who does any real Cisco work but there might be quite a few mistakes in what’s to follow – let me know if you spot any. It’s just to warm me back into the command syntax and similar.

So let’s plan it out: we’ll use 5 networks. One for out of band administration access to the switches, one for our manufacturing or other industrial sensor network, one for office workstations, one for wireless and one for the company servers. That keeps the broadcast domains fairly contained and logical to understand. We use the first address in the range, .1, for the routers since that makes more sense when you eventually move to IPv6, as the last address in the range, .254, would otherwise become a row of F’s in equivalent IPv6 numbering.

  • vlan 201 admin router 192.168.1.1/24
  • vlan 202 sensors router 192.168.2.1/24
  • vlan 203 workstations router 192.168.3.1/24
  • vlan 204 wireless router 192.168.4.1/24
  • vlan 205 servers router 192.168.5.1/24

We’ll use two Cisco 3750s to pretend to be our company core switches, because I don’t have anything bigger to play with. We’ll make one of them the VTP master and put the other switches in client mode so that we only have to put the vlans in in one place and all other devices will learn them automatically.

We’ll put redundant links between all the devices in case a cable gets damaged, but we’ll aggregate these links so the switches treat the two wires as one link in normal operation, which improves the throughput instead of having one cable of the pair disabled by Spanning Tree. The links will need to be in trunking mode to trunk the vlans.

We’ll use two Cisco 2960s as the edge switches, which is quite common.

We want ports for servers on the 3750s.

For the configuration I used ‘tmux’ on Linux, which is similar to ‘screen’. I create 2 windows then split each horizontally and vertically to create two 4 pane windows. I set up the 2960s in one and the 3750s in the other, and I used the two spare panes for disabling devices not involved in this work but on the dev network and for looking up commands and similar.

For diagnostics commands, things are pretty simple, I use


show cdp neigh
show vlan
show int status
show int trunk
(config)#do show cdp neigh

which gives you the checking information you need for nearly everything that’s about to follow.

So the network will look like


! learn from my mistake: clean all the devices and reload them before starting
! so that they all show up in cdp neigh, it makes remembering which wires
! go to which devices a lot simpler

! so on all devices we will do a common setup like:
Would you like to enter the initial configuration dialog? [yes/no]: no
Switch>enable
Switch#configure terminal
Switch(config)#enable secret enable
Switch(config)#hostname core1
core1(config)#line vty 0 15
core1(config-line)#login local
core1(config-line)#transport input ssh
core1(config)#ip domain-name examplecorp.com
core1(config)#crypto key generate rsa
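core1(config)#username foouser password foopass
! whoops, we can see the password, stop that
! (this only applies the reversible type 7 encoding; "username foouser secret foopass"
! stores a hash instead)
core1(config)#service password-encryption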
core1(config)#banner #
Foocorp core switch 1
#
core1(config)#banner login #
No unauthorised access
#
! for our own sanity, don't print log lines on top of
! what I'm trying to type
core1(config)#line console 0
core1(config-line)#logging synchronous

! other common setup might involve ntp servers, syslog servers
! and acls but the test network has no services on it currently
! so I didn't configure these

! So the first 3750 will become our primary core switch
! So it is the VTP server
core1(config)#vtp domain examplecorp
core1(config)#vtp password letmein
core1(config)#vtp version 2
core1(config)#vtp mode server

! bring up link to our edge switch
! (PAgP needs one end in desirable mode: two ends both left in auto
! never form the channel, so the core side initiates)
core1(config)#interface range Fa1/0/11-12
core1(config-if-range)#channel-group 1 mode desirable
core1(config-if-range)#switchport trunk encapsulation dot1q
core1(config-if-range)#switchport mode trunk
! and the other edge switch
core1(config)#interface range Fa1/0/9-10
core1(config-if-range)#channel-group 2 mode desirable
core1(config-if-range)#switchport trunk encapsulation dot1q
core1(config-if-range)#switchport mode trunk
! and the other main core switch
core1(config)#interface range Fa1/0/13-14
core1(config-if-range)#channel-group 3 mode desirable
core1(config-if-range)#switchport trunk encapsulation dot1q
core1(config-if-range)#switchport mode trunk

! on the other main core 3750...
Switch(config)#hostname core2
core2(config)#ip domain-name examplecorp.com
! we'll skip the other standard configuration and move on
! to what's specific to this switch
Switch(config)#vtp mode client
Device mode already VTP Client for VLANS.
Switch(config)#vtp domain examplecorp
Switch(config)#vtp password letmein
Switch(config)#do show vlan
[vlans 201-205 are visible]

! I switch to one of the 2960 edge switches here just to give
! things a name for cdp neigh output ease of identification

Switch#configure terminal
Switch(config)#hostname edge1
edge1(config)#ip domain-name examplecorp.com
edge1(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
edge1(config)#vtp domain examplecorp
edge1(config)#vtp password letmein

! config link to other edge switch
! (the 2960 only does 802.1Q, so it rejects the encapsulation line
! below; the 3750s need it)
edge1(config)#interface range Fa0/23-24
edge1(config-if-range)#channel-group 1 mode auto
edge1(config-if-range)#switchport trunk encapsulation dot1q
edge1(config-if-range)#switchport mode trunk

! ...and move back to the core switch

! (desirable rather than auto, so the channel forms whatever mode the far end uses)
core2(config)#interface range Fa1/0/9-10
core2(config-if-range)#channel-group 1 mode desirable
core2(config-if-range)#switchport trunk encapsulation dot1q
core2(config-if-range)#switchport mode trunk

core2(config)#interface range Fa1/0/11-12
core2(config-if-range)#channel-group 2 mode desirable
core2(config-if-range)#switchport trunk encapsulation dot1q
core2(config-if-range)#switchport mode trunk

core2(config)#interface range Fa1/0/13-14
core2(config-if-range)#channel-group 3 mode desirable
core2(config-if-range)#switchport trunk encapsulation dot1q
core2(config-if-range)#switchport mode trunk

! add access for servers in the imaginary server room
core2(config)#interface range Fa1/0/2-6
core2(config-if-range)#switchport access vlan 205

! ... and onto the next edge switch

Would you like to enter the initial configuration dialog? [yes/no]: no
Switch>enable
Switch#configure terminal
Switch(config)#hostname edge2
edge2(config)#ip domain-name examplecorp.com
edge2(config)#vtp mode client
Device mode already VTP CLIENT.
edge2(config)#vtp domain examplecorp

core1(config-if)#interface Fa1/0/2
core1(config-if)#switchport access vlan 201
core1(config-if)#interface vlan 201
core1(config-if)#ip address 192.168.1.1 255.255.255.0

core1(config)#interface port-channel 1
core1(config-if)#switchport trunk allowed vlan 201-205
core1(config-if)#interface range Fa1/0/11-12
core1(config-if-range)#switchport trunk encapsulation dot1q
core1(config-if-range)#switchport mode trunk

core1(config-if-range)#interface vlan 202
core1(config-if)#ip address 192.168.2.1 255.255.255.0
core1(config-if)#vlan 202
core1(config-vlan)#name sensors

core1(config-if)#interface vlan 203
core1(config-if)#ip address 192.168.3.1 255.255.255.0
core1(config-if)#vlan 203
core1(config-vlan)#name workstations

core1(config-if)#interface vlan 204
core1(config-if)#ip address 192.168.4.1 255.255.255.0
core1(config-if)#vlan 204
core1(config-vlan)#name wireless

core1(config-if)#interface vlan 205
core1(config-if)#ip address 192.168.5.1 255.255.255.0
core1(config-if)#vlan 205
core1(config-vlan)#name servers

! should now see 5 networks
core1(config-vlan)#do show ip int brief

! I missed naming one
core1(config)#vlan 201
core1(config-vlan)#name admin
core1(config)#interface range Fa1/0/3-7
core1(config-if-range)#switchport access vlan 205

! and add device access ports
! wireless and sensor networks
edge1(config)#interface range Fa0/2-6
edge1(config-if-range)#switchport access vlan 202
edge1(config)#interface Fa0/20
edge1(config-if)#switchport access vlan 204

! wireless and workstation networks
edge2(config)#interface range Fa0/2-6
edge2(config-if-range)#switchport access vlan 203
edge2(config-if)#interface Fa0/20
edge2(config-if)#switchport access vlan 204
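
An added example (not part of the original post) that lints a pasted IOS session like the one above for three things it touches: local users created with password instead of secret, trunks with no allowed-VLAN list, and vty lines not restricted to SSH. The sample session is constructed and abridged from the commands above; ios_lint and write_ios_sample are hypothetical names.

```shell
#!/bin/sh
# Added example: lint a pasted IOS configuration session.

# ios_lint FILE -> one finding per line, sorted. Interface names must be
# written the same way each time (no abbreviation matching is attempted).
ios_lint() {
    awk '
        # Only lines that begin with an IOS prompt, e.g. "core1(config-if)#".
        !match($0, /^[A-Za-z0-9_.-]+(\([a-z-]+\))?#[ \t]*/) { next }
        {
            cmd = substr($0, RLENGTH + 1); lc = tolower(cmd)
            host = substr($0, 1, RLENGTH); sub(/[(#].*/, "", host)
            split(cmd, r, /[ \t]+/); split(lc, w, /[ \t]+/)
        }
        w[1] == "interface" {            # remember which interface we are in
            ifc = lc; sub(/^interface[ \t]+(range[ \t]+)?/, "", ifc)
            gsub(/[ \t]/, "", ifc); cur[host] = ifc; vty[host] = 0; next
        }
        w[1] == "line" {                 # line console / line vty
            cur[host] = ""; vty[host] = (w[2] == "vty")
            if (vty[host]) seen[host] = 1
            next
        }
        lc ~ /^username[ \t]+[^ \t]+[ \t]+(.*[ \t])?password[ \t]/ {
            print host ": user " r[2] " is stored with \"password\" (reversible), use \"secret\""
        }
        vty[host] && lc ~ /^transport input/ {
            t = lc; sub(/^transport input[ \t]*/, "", t); tin[host] = t
        }
        cur[host] == "" { next }
        { key = host SUBSEP cur[host] }
        lc ~ /^switchport mode trunk/         { trunk[key] = 1 }
        lc ~ /^switchport trunk allowed vlan/ { allowed[key] = 1 }
        w[1] == "channel-group"               { grp[key] = w[2] }
        END {
            for (k in trunk) {
                split(k, p, SUBSEP)
                ok = (k in allowed)
                if (!ok && (k in grp)) {  # members inherit the port-channel list
                    pc = p[1] SUBSEP "port-channel" grp[k]
                    ok = (pc in allowed)
                }
                if (!ok) print p[1] ": trunk " p[2] " has no allowed-VLAN list, so it carries every VLAN"
            }
            for (h in seen)
                if (tin[h] != "ssh") print h ": vty lines are not limited to \"transport input ssh\""
        }
    ' "$1" | sort
}

# Constructed sample, abridged from the session above (not captured output).
write_ios_sample() {
    cat > "$1" <<'EOF'
! constructed sample session
core1(config)#username foouser password foopass
core1(config)#service password-encryption
core1(config)#line vty 0 15
core1(config-line)#login local
core1(config-line)#transport input ssh
core1(config-line)#interface range Fa1/0/11-12
core1(config-if-range)#channel-group 1 mode desirable
core1(config-if-range)#switchport trunk encapsulation dot1q
core1(config-if-range)#switchport mode trunk
core1(config-if-range)#interface range Fa1/0/13-14
core1(config-if-range)#channel-group 3 mode desirable
core1(config-if-range)#switchport trunk encapsulation dot1q
core1(config-if-range)#switchport mode trunk
core1(config-if-range)#interface port-channel 1
core1(config-if)#switchport trunk allowed vlan 201-205
edge1(config)#line vty 0 15
edge1(config-line)#login local
edge1(config-line)#interface range Fa0/23-24
edge1(config-if-range)#channel-group 1 mode auto
edge1(config-if-range)#switchport mode trunk
EOF
}

sample=$(mktemp) && write_ios_sample "$sample" && ios_lint "$sample"
rm -f "$sample"
```

On the sample it reports four findings: the foouser account, the core1 trunk on Fa1/0/13-14, the edge1 trunk, and the edge1 vty lines. The Fa1/0/11-12 trunk passes because its port-channel carries the 201-205 list.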

Signed up to iVPN

Monday, July 23rd, 2012

One of the issues with going freelance is that once I stop working for my main/former employer on a contract basis, I’ll lose access to some of their useful facilities that I take for granted. One of these facilities is the VPN, which allows me to securely create a tunnel between my computer and my employer’s VPN network, so if you’re sat in an internet cafe or other slightly untrustworthy network you can create an encrypted tunnel for all your traffic and you can access internal resources that have IP-based access control.

One of the use cases for VPN, as hinted at above, is to sidestep potential monitoring on your local network. If you’re a contractor at a business then you may have to sign a disclaimer that any traffic on their local network will be monitored and so if you’re negotiating your next employment or working with more than one business, you don’t want to accidentally disclose any information about one company to another via your monitored traffic.

Your ISP is also a potential source of data tampering or monitoring. The old phrase that “if you’ve got nothing to hide, then you’ve got nothing to worry about” doesn’t account for the fact that sometimes a large internet service provider isn’t trustworthy and at an individual level there are quite corruptible staff working everywhere, including (these are non internet related examples but the theory is the same) in your local police and bank. It’s worth visiting the main Information Commissioner’s Office site and reading the news stories when you have a spare afternoon.

So in this use case a VPN is providing an encrypted tunnel out of your immediate network. You still have risks on the network your traffic emerges from, but it’s a risk you can choose. You can choose which VPN provider to use – whereas your ISP may be limited to only one or two companies depending on your local area, you can choose when you want to use the VPN (such as only when doing a certain task) and your VPN provider will probably give you a choice of where you want your encrypted traffic to emerge (e.g. France, UK, USA).

Another use case might be to side step censorship on your local network, the classic case being the firewall that prevented mail to Scunthorpe council due to the swearword hidden in the name. Since the VPN traffic is encrypted, you can bypass the local network internet filtering.

Another use case is to avoid tracking when making politically sensitive comments online – an example I personally experienced was a user from another country with a restrictive regime. The user had made an offhand comment about their country’s President in a forum of the user’s fellow citizens (I read the post when shown, it didn’t seem offensive), and was then on the receiving end of a forum administrator who seemed adamant that he would be reporting them. In the west I would say that is ignorable, but this user was having to return in the holidays back to their home country, which I would describe as a bit more dangerous. Although behind a firewall, the user was on a static/public address, and since they could have had other traffic to destinations in that country (such as emails) there might have been some potential for a government to work out who it was via logs of intercepted traffic, depending on how much monitoring is being done and how much they care about forum comments. I’d like to think it’s highly unlikely but then I’m not the one returning to that country in the holidays and risking disappearing for a political comment.

In this case a VPN could be used, for instance to always post from a French endpoint when commenting on a specific forum, while using other endpoints for other browsing. There are other ways of tracking the user, so this is just one part of the precautions needed, but it is the part relevant to this blog post.

Lastly of course some VPN providers are based in countries with comparatively few copyright restrictions and so are used by people using Peer to Peer downloading software to circumvent copyright infringement detection (or rather, enforcement) since the provider will not honor cease and desist notices on copyrighted movies being downloaded. I’m not suggesting this is good or bad, just acknowledging that the scenario exists.

The problem is that if you want a VPN service provider for any of the examples, the users in the final example case are likely to be using the majority of the bandwidth so the service will be slow to use.

I took a look at iVPN [disclaimer: referral link] who specifically state that they aren’t competing with the other VPN providers on price and aren’t geared towards peer to peer filesharing. Their aim is to compete on performance and stability.

As a basic test I measured the connection with Speedtest.net both with my local ISP and via an iVPN client with the traffic exiting to a network in the UK, in order to measure the performance impact of the VPN setup itself rather than testing versus an endpoint in the USA and hence having the results affected by the physical distance itself.

                 via my ISP (UK)   via iVPN (UK)
Latency          40ms              65ms
Download speed   8.68 Mbps         6.61 Mbps
Upload speed     0.8 Mbps          0.73 Mbps

The download speed gets a slight hit but it’s still very usable and the other statistics are pretty good. You’re expecting some impact as the encryption itself will use up some of the bandwidth that would normally be used when sending data. The latency is due to the traffic going to the VPN provider, to the endpoint and then to the destination (and back again) rather than direct, but 65ms is fine.

My Linux workstation is currently in parts this week as I’m replacing some hardware, and probably will be until I can afford the parts next month, so I installed the client on a Windows desktop. iVPN provide multi platform clients and support multiple connection mechanisms, so it wouldn’t have been a problem to use the Linux machine. The installation was simple and I didn’t have to adjust any settings (I don’t mind configuring or troubleshooting networking but I prefer things that just work). Once the client was running it sits in the system tray and I can click it to select which endpoint destination I want traffic to emerge at and select connect. You can save your username/password on the machine so that you don’t have to enter it each time but iVPN give a technical warning suggesting against this as the password is findable by someone bad on your machine. I use KeePassX to store my password in an encrypted form and access it as needed. The only problem I’ve had at all is that Windows 7 UAC pops up a “hey are you sure you want to run this?” question when I fire up the Windows client but it’s just one mouse click and can be ignored.

I paid $100 for iVPN for one year. That’s about £60 which is going on to my business costs, less than £6 a month. There’s no bandwidth limit and the only limitation of interest to myself is one client at once from any one account. The service documentation looks good (in terms of technical and social issue understanding) and gives the impression of professionals that know what they’re talking about. I think it’s good value for money.

Early April

Tuesday, April 10th, 2012

Spent some more time improving my online presentation

In terms of code examples – I’ve done more work on the network inventory application, hopefully to get it to a state where it’s usable by people outside of my current employment – at the moment it’s still a bit specific to our environment, some features won’t make any sense to external users and I don’t want to add it to the public portfolio in that condition. Once it’s done it will expand my code examples and be a real in use business application rather than a demonstration.

In terms of technical writing – I’ve also released a minor roughly 28 page book onto github which is a series of programming tasks based around a single theme (more series of tasks on different themes will follow), I also really got my teeth stuck in to trying to solve the example problems myself this weekend. I’m going to add a few more chapters and with some polishing and proof reading, with the hope to turn it into a published book by the end of May just using a small Lulu.com run and ISBN. My other technical writing project is in assisting the Gummi LaTeX editor project, which has been going well (got mentioned in the release notes) but they’ve released a new version and I need to make time this week to run through tests and update documentation for it. A book on Ada arrived from the United States (£5 delivered! £50 if I were to buy in the UK) and although I gave it some effort this weekend I’ve not been able to get my first 200+ line program to compile in Ada yet so need to spend more time on it.

In terms of applying for Canada positions – I was feeling a bit down about the black hole that is seemingly anywhere I send my resume to in Canada, and at the lack of IT contact or mentor. I had an idea and on one of the small flash based online games I play I switched servers from the UK server for the game to the Canadian server. The server is full of all nationalities but on a hunch I did a (harmless) in-game attack on the first person from a group of people with a moose related name and before long was chatting with someone the same age as myself in the IT industry over there. I really didn’t think it would work but I’ve been able to chat to him each day and it’s my first Canadian IT contact. I wasn’t expecting it to work so that’s my minor win for the week.

He recommended signing up to www.workopolis.com which I’ve done, stating his friends in Alberta use the service. Alberta appears to have one of the lowest unemployment rates (oil industry driving the employment), Newfoundland the highest (which is a shame). The workopolis site can import all your work history from LinkedIn which is such a relief after some of the other more broken sites I’ve tried to register on. It also prompted me to re-write a lot of the descriptions I’ve got on LinkedIn and I’ll also re-write my resume this week to incorporate some of the better information.

In terms of applying for UK positions – I’ve been putting it off but today I visited two local employment agencies in my lunch hour and had a small chat, leaving with cards to set up a formal meeting. I’ve roughly 7 weeks remaining on PAC contract at the university. I’ve a few positions to chase up and will tackle them on Thursday (working tomorrow).

With the talk of changing the Canada immigration points based system to favour bilingual (French/English) speakers, and also to improve employability I tried out the Eurotalk USB based French Canadian lessons. Seemingly it’s not just that French Canadian has a different accent to French but that the occasional whole word is different. We don’t tend to have French Canadian exams over here, only French so it’s kind of awkward that in order to get a certification that the emigration system recognises I’d probably have to learn the ‘wrong’ type of French then re-train the undesirable accent and words when I get over there. Anyway, I’ll practise some more with it since I find the included word recognition games quite good fun, it seems like a good product.

Lastly I’ve spent a couple of weeks helping my girlfriend who had a large chunk of her arm cut out by surgeons and so has to be careful with it. It was an extra muscle that is fairly uncommon but causes pressure on the nerves. It’s rare enough that the surgeons were excited. There’s (slightly out of focus) pictures of the operation in the gallery section but I won’t directly link them as the pictures are not for the squeamish - you have been warned. The pictures show mid surgery with the arm opened up and the flesh being cut away. I find them hard to handle.

More Applications

Monday, March 26th, 2012

Applying for positions

Today I applied to four locations in Canada. The first application was to a recruitment agency in Nova Scotia, I thought having someone else helping with the job searching couldn’t hurt at all, and I don’t mind if the first year’s pay is slightly lower as a result of using an agency.

My second application was to put my resume online with one of the Canadian job search companies so that it would be found if an employer did a search for my skillset. Sadly it’s one of these sites where you upload your resume and then fill in all the details from your resume into various fields, all of which have had input restrictions placed on them by someone who didn’t test well enough. So my previous job title is too long, but also my first name wasn’t permitted to be my first name, and although my location had to be “County, Country” in a free text field, the latter was being checked silently against some sort of list of names so I found by trial and error that United Kingdom was not ok, UK was. I gave up trying to put in a phone number that would work from Canada as that also failed the input as being too long. When one of the input forms didn’t work at all I raised a polite bug ticket with their support address and then had to move on with the details only 60% complete.

I went through a list of all the universities in Nova Scotia and Saskatchewan and visited their sites, checking for IT related vacancies. Some of them look a little politically diverse internally (like Oxford) but only on a couple of the sites was I not able to find a central vacancies listing page. At one of these the location was still desirable so I approached their network manager directly with a query about future postings but this cold emailing is not something I’d want to do to more than one location as it would look too spammy. I do really need to make some IT contacts in Canada though, even if they don’t want to employ me directly they’ll have good information about the local job markets and upcoming opportunities.

Lastly I applied to a nationwide transport firm in Canada that was considering employing someone this year but the advert was currently speculative. My skills were a reasonable match but the description of the position was about one or two sentences long, so it was not yet solid.

Last week I sent a polite follow up email to a position I applied to in La Ronge at the start of March but it’s too soon to say if I didn’t get it. Even in the UK it can take a couple of months to get a response from certain large employers and some of the forums suggest that the experience in Canada is typically longer than in the UK.

I’m working at Oxford again this week but will do some more on Friday, putting my resume online with a few more Canadian job search engines (although some are restricted to only those currently legally able to work in Canada). I’ve been looking through the government sites too. It seems to take a long time.

Working on the Portfolio

I’ve done a fair amount of documentation now for the Gummi project but there’s still a lot of the user facing manual to go, such as how some of the more complex wizards and assisting tools work. It’s gone a little quiet from the other developers so I’m going to leave it a bit to ensure I don’t burn them out with questions and minor defect reports.

I did two days contracting last week for the university, a little of which was explaining how some things worked but only one item I found not documented, which I’ve corrected. I worked a little on the inventory, adding some javascript input validation as the user types on certain input forms that had been causing confusion. I have a lot of problems pushing to github on the work machine but I’m not sure of the source of the issue yet. The ssh key is valid and added to the project, I’ve approved it in GitHub’s new security features and I can ssh to the github test account. It complicates synchronising my github work at Oxford, at home and the svn system at work so I’ll have to fix it.

A bit of fun

The ultrasonic range addon sensor for my radar imitation project is only about £3 but is on its way via a literal slow boat from China, arriving in an expected 4-5 weeks. I might get a backup spare from somewhere in the UK. I’ve built up main radar housing components of the model and have some dirt cheap USB webcams on the way from ebay which I’ll take apart for the CCDs. Ebay had some micro bearings which are fantastic but I need a circular saw for small plastic holes – the holes being a little too big for a normal drill.

Making everything small enough to fit in a 1:35 scale vehicle is looking difficult. With the bearings, making things smaller makes them more expensive, but luckily micro electrical motors are cheap.