Category: IT Stuff


We are in the process of trialling GitLab CE but need to tweak/customise a few elements.

Our developers are configured with the “developer permission/role” which unfortunately means they cannot create new projects. To get around this, we created a user/bot with the relevant permissions and a custom HTML page which uses the API to create a new project based on the user input.

I am not familiar with the Ruby/Slim syntax and struggled to modify the new project page as desired. We use Google Tag Manager fairly extensively in our work, so decided it would probably be easiest to implement it throughout GitLab so that all our customisation could be ring-fenced within GTM.

Adding Google Tag Manager to GitLab was fairly straightforward: it meant adding two lines of code to

 sudo nano /opt/gitlab/embedded/service/gitlab-rails/app/views/layouts/_head.html.haml

Below the %head tag two %meta tags follow, and after them we insert our JavaScript tag:

- page_description brand_title unless page_description

- site_name = "GitLab"
%head{ prefix: "og: http://ogp.me/ns#" }
  %meta{ charset: "utf-8" }
  %meta{ 'http-equiv' => 'X-UA-Compatible', content: 'IE=edge' }

  :javascript
    (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.co$

I have truncated the JavaScript; please ensure you paste the full code (from between the <script> tags presented by Google Tag Manager). Please also note the importance of the whitespace at the start of each line in the .haml file: the :javascript line should be indented by 2 spaces and the line(s) following it by 4.

I had to issue a restart command to see the changes reflected in the front end:

sudo gitlab-ctl restart

That’s it!

Do note that your changes will likely be lost if/when you update GitLab.
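Because an upgrade overwrites _head.html.haml, the edit has to be repeated each time; the following Python script is an added example (not part of the original post or of GitLab) that re-applies it idempotently, inserting the :javascript filter directly after the leading %meta tags with the indentation rules described above. It assumes the Omnibus path used above as the default and reads the snippet from a file into which you have pasted the full code from Google Tag Manager's <script> tags.

```python
"""Idempotently insert a Google Tag Manager :javascript filter into GitLab's
_head.html.haml so the change can be re-applied after an upgrade overwrites it.
Example code, not from GitLab or the original post. The snippet itself is read
from a file (paste the full code from between GTM's <script> tags into it)."""
import shutil
import sys
from pathlib import Path

# Path the post edits on an Omnibus install (assumed default, override via argv).
HEAD_HAML = Path("/opt/gitlab/embedded/service/gitlab-rails/app/views/layouts/_head.html.haml")
MARKER = "googletagmanager.com"  # appears in the GTM loader; used as the "already done" check


def insert_gtm(haml: str, gtm_js: str) -> str:
    """Return `haml` with `gtm_js` added as a :javascript filter directly after the
    %meta tags that open %head. Returns the input unchanged if MARKER is present."""
    if MARKER in haml:
        return haml
    lines = haml.splitlines()
    head_idx = next((i for i, ln in enumerate(lines) if ln.lstrip().startswith("%head")), None)
    if head_idx is None:
        raise ValueError("no %head tag found")
    head_indent = len(lines[head_idx]) - len(lines[head_idx].lstrip())
    # Walk the %meta children immediately under %head; insert after the last one.
    insert_at, child_indent = head_idx + 1, None
    for i in range(head_idx + 1, len(lines)):
        line = lines[i]
        indent = len(line) - len(line.lstrip())
        if line.strip() and indent > head_indent and line.lstrip().startswith("%meta"):
            child_indent, insert_at = indent, i + 1
        else:
            break
    if child_indent is None:
        raise ValueError("no %meta children directly under %head")
    # HAML nests by indentation: ':javascript' sits at the children's depth (2 spaces
    # in the stock file) and every line of its body two spaces deeper (4 spaces).
    filter_pad = " " * child_indent
    body_pad = " " * (child_indent + 2)
    block = [filter_pad + ":javascript"]
    block += [body_pad + js_line.strip() for js_line in gtm_js.strip().splitlines()]
    return "\n".join(lines[:insert_at] + [""] + block + [""] + lines[insert_at:]) + "\n"


def apply(path: Path, gtm_js: str) -> bool:
    """Patch `path` in place, keeping a .bak copy. Returns True if the file changed."""
    original = path.read_text()
    updated = insert_gtm(original, gtm_js)
    if updated == original:
        return False
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(updated)
    return True


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: insert_gtm.py <file-with-gtm-snippet> [path-to-_head.html.haml]")
    snippet = Path(sys.argv[1]).read_text()
    target = Path(sys.argv[2]) if len(sys.argv) > 2 else HEAD_HAML
    if apply(target, snippet):
        print(f"inserted into {target}; run 'sudo gitlab-ctl restart' to apply")
    else:
        print("snippet already present, nothing to do")
```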

I hope we didn’t miss an obvious/easy/out-of-the-box mechanism for adding Google Tag Manager to GitLab?

After just spending a few hours trying to get RedGate SQL Monitor to monitor our Windows 2016 SQL Server in AWS, I thought I had better record the solution!

We already had a rule in place on the AWS firewall which should allow all traffic from our office so this was unlikely to be causing an issue.

We had enabled inbound rules in the Windows firewall for RPC/WMI, but to rule this out we disabled the firewall entirely (temporarily), which made no difference.

We tried connecting using both the IP address and the hostname, and tried the username as .\username, hostname\username and hostname.domain.name\username, receiving a variety of errors including:

Number: 0x80070776
Facility: Win32
Description: The object exporter specified was not found.

Number: 0x80070005
Facility: Win32
Description: Access is denied.

The end solution was adding a record to C:\windows\system32\drivers\etc\hosts with the public IP and hostname (not fully qualified). Then I was able to connect just fine using \\hostname\root\cimv2 with the username .\username.

It seems to be a NAT-related issue, despite the AWS server having a public IP.

Tools to run an IT Company

Inspired by https://www.bluegg.co.uk/writing/tools-to-run-a-design-agency, I felt it would be interesting to collate a list of the tools (i.e. hardware, software, services, etc.) that we use to run our business. I hope this will provide a good opportunity to share our feedback, review some of the tools, and address any gaps.

I’m starting with a simple list, but hope to follow up with some notes around each of the tools.

Hardware

Network:

  • Ubiquiti (UBNT) – UniFi Series
    • UniFi Switch 48 (USW48)
    • UniFi Security Gateway Pro (USG)
    • UniFi AP AC (UAP)

I have been fairly impressed with all the UniFi equipment. We do run the beta controller, so encounter occasional issues. We chose to deploy the EdgeRouter for clients as they’re easier to manage without the complications of the controller.

Servers:

  • 1U Custom Built SuperMicro Server (running ESX 6.5.0update1)
  • Synology Rackstation (Fileserver, SFTP and DVR)

I have built half a dozen SuperMicro ESX servers over the last X years and they’ve all fared really well, providing excellent value for money. We can afford to have 2 servers (hot/cold spare) for far cheaper than an Enterprise HP/DELL equivalent (providing us a quicker turnaround in the event of failure). The biggest problem is sourcing the parts in the UK.

Similarly, I have been using Synology NAS solutions for many years and have always been impressed. We use the unit to provide in-house storage/archiving, remote backup for clients, SFTP access and as a DVR for our Hikvision IP Cameras – the only drawback being that you do have to purchase additional Surveillance Station licenses.

Desktops/Workstations:

  • HP Elitebooks 8440p/8470p with Solid State Disks (SSD)
  • HP docking stations
  • Dual Acer v226hql 21.5″ monitors.

We normally pay around £100 for the laptops and £70ish for the monitors. We have a stash of 128GB SSDs which are plenty big enough. These laptops are far from “latest generation” but are built to last and perform surprisingly well (we do some fairly serious multi-tasking). So, for under £250/user, we have a pretty impressive setup.

Tablets / Android Devices:

  • Nexus 7 (for Android development/testing)
  • Clover Flex, Mobile, Mini and Station

Our Java/Android development is currently focused on the Clover till / ePOS, hence the Clover device. These are quite hard to get hold of (having to order from the US and use a special service to forward them to the UK). The Nexus tablets have the same screen size and resolution as the Clover Mobile / Mini so provide a great platform for testing/development at a fraction of the cost!

Digital Signage:

A great bit of free software I would highly recommend. We have upgraded to the Donor’s Edition and use it each and every day. Our office screens use Microsoft SQL Server Reporting Services (SSRS) to display dashboards with key metrics and essential data to run our business.

Printer:

  • Xerox Phaser 6121MFP-S

We don’t print a lot, but when we need it, this colour laser works great. The scan to e-mail with the automatic document feeder is a life saver.

The printer has lasted for longer than I can remember, and I’ve only had to top up the toners once! I will be looking to replace it with the Xerox WorkCentre 6515N when it runs out of toner next.

Security:

  • HikVision (multiple domes and bullets)
  • Yale Wireless Smart Alarm

The HikVision cameras are very reasonably priced and provide a great resolution/quality. As mentioned above, our Synology fileserver doubles up as a DVR.

The Yale Smart Alarm is ideal; each member of staff has a unique PIN to allow audit and there is no subscription/monthly fee.

Phones:

  • Cisco 7906
  • Cisco / Linksys SPA942

We pick these up from eBay for between £5 – £15 per unit. The 7906 has proved rock solid for years, but we are starting to need the additional lines and conferencing facility provided by the Linksys SPA942. Read on for information about our VOIP provider.

Other:

  • Flukso (Energy Monitoring)

I’m still looking for something better (capable of recording more channels) but until then this device is the best fit for our needs, allowing us to graph the usage of up to 3 channels. You can read a bit more about my home Flukso setup in an earlier blog entry: https://tickett.wordpress.com/2013/10/25/solar-kwh-meters-new-fuse-box-flukso/

Software/Services

Email/Sharepoint/Onedrive/Instant Messaging:

  • Office 365 – £45.60/user/year

We use Skype for instant messaging and Exchange for our individual and shared mailboxes, as well as Onedrive and Sharepoint for information and document storage.

Microsoft support is pretty terrible but, for the price, it’s a great service.

Version Control:

  • VisualSVN (subversion) – FOC
  • RedGate SQL Source Control – £59/user/year

If we were to set this up today, I suspect we would use Git over SVN, but we have our history and a number of integrations with other systems in place so will need a few good reasons before we jump ship.

RedGate SQL Source Control is a great tool to add SVN integration directly into Microsoft SQL Server Management Studio (SSMS).

Accounting:

  • Xero – £316.80/year

I honestly don’t know how we coped before Xero. At the end of the financial year two weeks were set aside for paperwork (and this was before we had any staff/payroll to take care of). Invoices would go unpaid for six months without being noticed and VAT returns were a nightmare.

We now have live bank feeds into Xero and can tell real-time who owes us what, as well as having a clear picture of where money is going to/coming from, and VAT returns are simply a click of a button. Worth every penny!

Support/Ticketing:

  • Solarwinds WebHelpDesk – £86/user/year

We have been using WebHelpDesk since before Solarwinds took over and, whilst it remains a handy tool, it has its limitations and becomes increasingly costly over time. A big part of the decision was based on the Microsoft SQL Server back-end, allowing us to easily pull data into our dashboard and reports.

Project Management:

  • Trialling Trello – FOC
  • Trialling Freedcamp – FOC

Holiday:

  • Timetastic – £6/user/year

Does what it says on the tin. We did trial Charlie HR, but the free service doesn’t include a holiday calendar (which in my eyes is essential).

Web hosting:

  • Amazon Web Services (AWS) – Roughly £600/year

We currently use S3 and EC2 with a single T2.Medium instance running Windows Server 2016 / SQL Server 2016. We use this to provide several in-house services as well as a number of client applications.

DNS:

  • Cloudflare – FOC

A great tool, never had any issues – and it’s free!

Phone/Broadband:

  • XLN – £620.88/year

We were previously using Claranet, but XLN offered a good introductory rate at our new premises, and we have never really had any issues. We have a block of 5 static IPs included in the price.

Password Storage:

  • Password Safe – FOC

We are actively looking for a new web based tool which will provide a better audit trail but not break the bank.

VOIP:

  • Tel2 – £180/year

We subscribe to the Cloud 10 plan which includes 2 local numbers, 5 sip trunks for simultaneous calls, 1100 minutes (including a large number of overseas) and unlimited extensions (as well as the usual voicemail, diversion, conferencing, hunt groups, etc).

We normally spend an additional £5 outside of our plan on mobile/premium rate calls.

A great service, easily configured on our Cisco/Linksys handsets.

Windows (Web) Application Development:

  • Visual Studio 2017 Community Edition – FOC
  • Android Development Studio – FOC

We have recently moved to VS2017 Community Edition and have only found a few smaller missing features from the Pro/Ultimate edition (i.e. intellitrace, code maps and references). Time will tell whether we move back to the paid for edition.

We are newer to Android/Java development. Android Studio seems to be a bit of a resource-hog/drain and getting virtual machines/emulators working seems incredibly temperamental – time will tell with this one.

Monitoring:

  • RedGate SQL Monitor – £185/server/year
  • NetXMS – FOC

We chose NetXMS as it allows Microsoft SQL Server to be used as the database back-end, which means we can easily pull data onto our dashboard and reports.

Remote Assistance:

  • ScreenConnect – £315/year (at current exchange rate… actual fee is $420/year)

After looking at GotoMeeting, Webex, JoinMe and several others, we chose ScreenConnect (I think it mainly came down to pricing when used with multiple users). The only feature it seems to lack is a telephone conferencing facility.

Cost Summary

I have only quoted ongoing costs/licence fees, not purchase prices or one-off fees. To recap, for ten users we’re roughly looking at:

£ 456.00 – Office 365 – £45.60/user/year
£ 590.00 – RedGate SQL Source Control – £59/user/year
£ 316.80 – Xero – £316.80/year
£ 860.00 – Solarwinds WebHelpDesk – £86/user/year
£ 60.00 – Timetastic – £6/user/year
£ 600.00 – Amazon Web Services (AWS) – Roughly £600/year
£ 620.88 – XLN – £620.88/year
£ 180.00 – Tel2 – £180/year
£ 185.00 – RedGate SQL Monitor – £185/server/year
£ 315.00 – ScreenConnect – £315/year (at current exchange rate… actual fee is $420/year)
£4,183.68 – Total

I suspect I have missed a few too, but I will aim to update with more comments around the products/services/costs, etc.

My company provides SQL DBA services and builds system integrations. We use various VPN clients to connect in to most company networks but have always had issues using integrated Windows (Active Directory) authentication with certain applications.

Launching an RDP session or browsing a network share works just fine, but if we want to connect SQL Server Management Studio to a server on the remote network using our domain credentials we have previously been stuck, leading us to deviate from (what I feel is) best practice and create SQL users.

When we build interfaces in Visual Studio they will normally run on client servers using Active Directory/domain service accounts. If we wanted to carry out any troubleshooting we could not accurately emulate the interface in Visual Studio (as the domain service account).

If our local machines were joined to the client domain we could either log on as the service account or run SSMS / VS as the network user, but otherwise we are out of luck…

…that was until we stumbled across the /netonly command line argument for runas.exe.

Apparently this whole time there has been a technique to launch an application using credentials which don’t exist locally or on the current/trusted domain! We now have some .bat files saved which launch our core applications using runas.exe with the /netonly argument. For example:

runas /netonly /user:remotedomain\remoteuser "C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\ManagementStudio\ssms.exe"

*EDIT* Furthermore, I’ve just stumbled across ShellRunAs, which integrates into Windows Explorer and gives you the right-click option to Run As (Netonly): https://docs.microsoft.com/en-us/sysinternals/downloads/shellrunas

I recently configured my Ubiquiti/UBNT UniFi wireless access point to use WPA Enterprise (wpaeap) and pointed RADIUS at my domain controller running Network Policy Server (NPS).

I could connect fine using my Android mobile but could not connect from my laptop. Logs in the Event Viewer indicated an authentication issue, but this was definitely not the case.

After lots of fiddling and googling I discovered that PEAP does not work with wildcard SSL certificates. I replaced the certificate with a server specific cert and voila.

Here’s an article which shows you where to change the certificate: https://cantechit.com/2015/07/10/windows-nap-as-radius-in-a-windows-7-server-2012-wireless-world/

I have recently switched my network configuration from two routed subnets:

192.168.0.0/24
192.168.5.0/24

to a single subnet:

192.168.0.0/21

I had hoped this would have little to no impact and be a seamless transition (how wrong I was). I have a mix of devices with both dynamic (DHCP) and static IP addresses. Those using DHCP didn’t cause much of an issue, but those configured with static addresses needed their subnet mask and default gateway changing (again, fairly straightforward).

The real issue arose when changing my vCenter Server Appliance (VCSA) network configuration. The obvious place to look (and the one several articles online pointed toward) was the configuration option inside the vSphere Web Client: System Configuration -> Nodes -> x -> Manage -> Settings -> Common -> Networking

Unfortunately the settings are greyed out with the message “IPv4 configuration for nic0 of this node cannot be edited post deployment.”

Other articles pointed toward the console (Alt-F2 option), the VMware Appliance Management Interface (VAMI) running on https://your-vc-hostname-or-ip:5480/ or SSH. Unfortunately I couldn’t log in to try any of these techniques:

Console -> Alt-F2: “Authentication failed; Invalid login or password.”
SSH: “Login incorrect”
VAMI: “Unable to authenticate user. Please try again”

This had me stumped for many hours. I was able to reset the root password (reset the VM, prevent the VCSA auto-booting by pressing any key when the GRUB bootloader appears, press p, enter the GRUB password (the default is vmware), press Enter, press e, append init=/bin/bash, press Enter, press b, then type passwd root) but still couldn’t log in using the new password. I think a few issues were at play here, but I eventually tracked it down to the password complexity requirement forcing the use of special characters, which were in turn being transposed by RDP / vSphere (" was becoming @ and £ was becoming #, etc.). Once I had figured out the password issue I was able to try the techniques again:

Console -> Alt-F2 -> Configure Management Network -> IP Configuration: nope, “Configure Management Network; Management network configuration not allowed”.

Next, SSH -> /opt/vmware/share/vami/vami_config_net: nope, lots of errors stating “ImportError: No module named libxml2mod”.

Finally, VAMI: again no joy, “Updating has been disabled”.

Eventually I decided to try the same technique I’d previously used to modify my Linux (CentOS) VMs.

I started an SSH session and modified /etc/sysconfig/network/routes (changing the default gateway from 192.168.0.1 to 192.168.5.1) and then /etc/sysconfig/network/ifcfg-eth0 (NETMASK='255.255.255.0' becomes NETMASK='255.255.248.0'). Rebooted and voila!
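As an added worked check (not part of the original post or of VMware's tooling), the following Python confirms that both old /24s fit inside the new /21, derives the NETMASK value written above, validates the gateway and any statically addressed hosts, and performs the two file edits on the SUSE-style /etc/sysconfig/network files named above. The static-host list and the file contents in the test are constructed; the addresses are those from the post.

```python
"""Plan the subnet consolidation described above (192.168.0.0/24 and
192.168.5.0/24 merged into 192.168.0.0/21) before editing ifcfg-eth0 and the
routes file by hand. Example code, not from the original post or VMware;
the static-host list in __main__ is constructed."""
import ipaddress
import re


def merge_plan(old_subnets, new_subnet, gateway, static_hosts):
    """Return (NETMASK string for the new subnet, list of problems found).

    Problems flagged: an old subnet not contained in the new one, a gateway
    outside the new subnet, and a statically addressed host that lies outside
    it or sits on its network/broadcast address."""
    new = ipaddress.ip_network(new_subnet)
    gw = ipaddress.ip_address(gateway)
    problems = []
    for s in old_subnets:
        old = ipaddress.ip_network(s)
        if not old.subnet_of(new):
            problems.append(f"{old} is not contained in {new}")
    if gw not in new:
        problems.append(f"gateway {gw} lies outside {new}")
    for name, addr in static_hosts.items():
        host = ipaddress.ip_address(addr)
        if host not in new:
            problems.append(f"{name} ({host}) lies outside {new}")
        elif host in (new.network_address, new.broadcast_address):
            problems.append(f"{name} ({host}) is the network or broadcast address of {new}")
    # ipaddress derives the dotted mask from the prefix: /21 -> 255.255.248.0
    return str(new.netmask), problems


def rewrite_ifcfg(text, netmask):
    """Replace the NETMASK= value in an ifcfg-* file body, preserving its quoting."""
    return re.sub(
        r"^(NETMASK=)(['\"]?)[\d.]+(['\"]?)",
        lambda m: f"{m.group(1)}{m.group(2)}{netmask}{m.group(3)}",
        text,
        flags=re.M,
    )


def rewrite_routes(text, gateway):
    """Replace the gateway on the 'default' line of a SUSE-style routes file
    (line format: 'default <gateway> - -')."""
    return re.sub(r"^(default\s+)\S+", lambda m: m.group(1) + gateway, text, flags=re.M)


if __name__ == "__main__":
    # Constructed example: the post's two subnets, new /21, new gateway and one static host.
    mask, problems = merge_plan(
        ["192.168.0.0/24", "192.168.5.0/24"], "192.168.0.0/21", "192.168.5.1",
        {"vcsa": "192.168.0.10"},
    )
    print("NETMASK to write:", mask)
    print("problems:", problems or "none")
    print(rewrite_ifcfg("NETMASK='255.255.255.0'\n", mask), end="")
    print(rewrite_routes("default 192.168.0.1 - -\n", "192.168.5.1"), end="")
```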

After moving from my home office to a real office I decided to downgrade my premium 80/20 business FTTC connection (from Claranet) to a residential 40/10 service from Sky.

Yesterday, the connection was changed over and I found myself with no internet. I initially thought it was because the PPPoE username and password needed updating (tail /var/log/messages was showing a CHAP authentication error message), but I don’t recall ever being sent a username/password. It was then I had a flashback to many years ago having to extract the details from a router/modem in order to use them in another device. A bit of googling backed this up, but also suggested the connection doesn’t use PPPoE but MPoA and was going to be even more challenging to set up: http://www.skyuser.co.uk/forum/sky-broadband-fibre-help/51550-ubiquiti-edgerouter-lite.html

But this article was written in 2013; surely someone has documented the process more recently? Fortunately, before starting the long-winded process I stumbled across another article: https://community.ubnt.com/t5/EdgeMAX/Sky-Fibre-DHCP-client-option-61/td-p/1172347. However, this seemed to point to needing a different modem (such as the Draytek Vigor 13) to achieve the MPoA connection.

Before I went and bought a new modem, I thought I’d try the BT Openreach/Huawei Echolife HG12. I deleted the PPPoE interface from the EdgeRouter and set the address on eth0 (connected to the modem) to DHCP. Still nothing… well, both of the previous articles did state the need to add the DHCP option send dhcp-client-identifier &quot;user|pass&quot;; so I guess it’s time to unbox the Sky router and do some packet sniffing?

I must be in luck… 2 weeks ago, a post suggested you no longer need to use logon credentials; passing anything in the dhcp-client-identifier will do the trick. The example given was:

 client-option "send dhcp-client-identifier &quot;bacons&quot;;"

So I gave it a try, but still no dice. Worth a reboot I guess? Power cycled the modem and voila, we have internet! Well, that was simpler than anticipated.

Further to several posts about Raspberry Pi Digital Signage driving our office screens (https://tickett.wordpress.com/2014/12/03/anonymous-authentication-sql-server-reporting-services/), we recently restructured SQL Server Reporting Services. We updated the html/javascript file the Pi looks at (which redirects to SSRS) but it continued to try and use the old path.

This was fixed by SSHing to the Pi and deleting the browser cache:

pi@raspberrypi ~ $ cd /home/pi/.cache/chromium/Default/Cache/
pi@raspberrypi ~/.cache/chromium/Default/Cache $ rm -R *
pi@raspberrypi ~/.cache/chromium/Default/Cache $ sudo reboot

I flashed five of these phones some six months ago with some difficulty (after trying different methods/firmware versions/network cables/switches etc. I finally got them all working), but unfortunately failed to record my findings! Time to resurrect the blog!

Last week I found myself with a few more Cisco CP-7906G IP phones to convert from old SCCP firmware to SIP. Rather than using the xml.conf method I chose to hard reset (I could remember that this is how I did it last time):

  • Hold the # key while powering on the phone (either by PoE or mains)
  • Once the red indicator on the handset starts flashing, release #
  • Key in 3491672850*#

As my FreePBX (Asterisk PBX) is running and has the firmware ready, I hoped everything would just work… Unfortunately not. All of the phones got stuck trying to pull term06.default.loads. I spent countless hours trying to figure out the problem, including:

  • Trying different DHCP servers (tftpd32, tftpd64, pumpkin & solarwinds TFTP server)
  • Trying different switches, network patch leads and even a direct connection between my laptop and the phones
  • Trying different IP ranges and network configurations

But still the phones repeatedly searched for term06.default.loads:

Dec 30 10:15:32 localhost in.tftpd[24929]: RRQ from 192.168.0.224 filename term06.default.loads
Dec 30 10:15:33 localhost in.tftpd[24950]: RRQ from 192.168.0.224 filename term06.default.loads
Dec 30 10:18:00 localhost in.tftpd[25093]: RRQ from 192.168.0.224 filename term06.default.loads
Dec 30 10:18:00 localhost in.tftpd[25094]: RRQ from 192.168.0.224 filename term06.default.loads
Dec 30 10:19:33 localhost in.tftpd[25151]: RRQ from 192.168.0.224 filename term06.default.loads
Dec 30 10:19:34 localhost in.tftpd[25152]: RRQ from 192.168.0.224 filename term06.default.loads

Eventually I decided to try a few different firmware versions “just in case”. Initially none worked (and they are hard to come by because I don’t have an active Cisco subscription and without one, you cannot download them directly from Cisco).

After almost giving up, I figured out that many of the firmware images I was previously unable to open (.cop or .cop.sgn) were in fact just zip files which can be opened in 7-Zip. I recall that when using the old technique to upgrade the firmware you need to start with a version around 8.5 and then slowly, incrementally patch. I didn’t think this was necessary with the “hard reset” technique, but found cmterm-7911_7906-sccp.8-5-2.cop.sgn and gave it a whirl:

Dec 30 10:44:41 localhost in.tftpd[26016]: RRQ from 192.168.0.245 filename term06.default.loads
Dec 30 10:44:42 localhost in.tftpd[26017]: RRQ from 192.168.0.245 filename jar11sccp.8-5-2TH1-9.sbn
Dec 30 10:44:49 localhost in.tftpd[26018]: RRQ from 192.168.0.245 filename cnu11.8-5-2TH1-9.sbn
Dec 30 10:44:51 localhost in.tftpd[26019]: RRQ from 192.168.0.245 filename apps11.8-5-2TH1-9.sbn
Dec 30 10:45:03 localhost in.tftpd[26024]: RRQ from 192.168.0.245 filename dsp11.8-5-2TH1-9.sbn
Dec 30 10:45:05 localhost in.tftpd[26025]: RRQ from 192.168.0.245 filename cvm11sccp.8-5-2TH1-9.sbn

Instantly the phone picked up term06.default.loads and proceeded to pick up the other files!

Once the phone booted, it clearly wasn’t going to register against my PBX (as it was still running SCCP firmware). So I placed the SIP firmware cmterm-7911_7906-sip.9-4-2SR1-1.cop.sgn back on the TFTP server. I carried out another hard reset and again the phone instantly picked up the new files:

Dec 30 11:01:20 localhost in.tftpd[26726]: RRQ from 192.168.0.224 filename term06.default.loads
Dec 30 11:01:21 localhost in.tftpd[26727]: RRQ from 192.168.0.224 filename jar11sip.9-4-2ES9.sbn
Dec 30 11:01:28 localhost in.tftpd[26729]: RRQ from 192.168.0.224 filename cnu11.9-4-2ES9.sbn
Dec 30 11:01:31 localhost in.tftpd[26730]: RRQ from 192.168.0.224 filename apps11.9-4-2ES9.sbn
Dec 30 11:01:44 localhost in.tftpd[26736]: RRQ from 192.168.0.224 filename dsp11.9-4-2ES9.sbn
Dec 30 11:01:46 localhost in.tftpd[26737]: RRQ from 192.168.0.224 filename cvm11sip.9-4-2ES9.sbn

I provisioned the phones in FreePBX but they seemed to get stuck in a cycle of registering/updating locale/rebooting. Fortunately I recalled having this issue previously and determined that the 7906 phones have a relatively short maximum password length, which the default FreePBX passwords exceed. I was able to confirm this by looking at the Asterisk log:

[root@localhost ~]# tail /var/log/asterisk/full
[2015-12-30 02:06:30] NOTICE[1915] chan_sip.c: Registration from '<sip:1006@192.168.0.195>' failed for '192.168.0.198:51838' - Wrong password
[2015-12-30 02:08:07] NOTICE[1915] chan_sip.c: Registration from '<sip:1006@192.168.0.195>' failed for '192.168.0.198:51978' - Wrong password
[2015-12-30 02:08:54] NOTICE[1915] chan_sip.c: Registration from '<sip:1006@192.168.0.195>' failed for '192.168.0.198:49878' - Wrong password

Once I changed the password and rebuilt the configs in Endpoint manager the phones registered straight away.

In conclusion, I think the bootloader on the phones needed to be upgraded to make them capable of loading the 9.x firmware. Flashing them with the 8.x firmware first upgraded the bootloader, and from there it was plain sailing! I have attached the two firmwares for reference.

As a side note: I have never had any luck using DHCP option 150 (in either pfSense or tftpd32). Entering an IP address in its normal format has definitely never worked (a Wireshark trace confirms this). I believe you’re supposed to use some hex format, but having tried several different formats I’ve still never managed to get it working. The preferable route seems to be DHCP option 66 (I believe this supports either a hostname or an IP). In tftpd32 you don’t actually need to configure this option; the built-in DHCP server automatically sets it to the hostname of the interface running the service.
