Category: System Administration

Finding Block ID

I upgraded my Fedora kernel to 5.1 and the secondary disk mounted to /var disappeared. I use the old-school device notation in fstab;  when a disk comes up with a different name, the partition fails to mount. I wanted to change fstab to use a UUID. But first I needed to find the UUID. Enter blkid

[root@linux123 ~]# blkid /dev/sdb1
/dev/sdb1: LABEL=”mnt-var” UUID=”50545e50-75c5-45q5-95b5-34f5456515d5″ TYPE=”ext4″ PARTUUID=”m50525d5-05″

The command output includes the device UUID which is used instead of the /dev/sdb# string.

#/dev/sdb1                                                                           /var ext4 nodev,nosuid 0 2
UUID=50545e50-75c5-45q5-95b5-34f5456515d5 /var ext4 nodev,nosuid 0 2

Rebooted and my partition mounted.

Using sed to insert lines into a file

I’ve used sed to replace file content — use a regex to replace the sendmail.cf line that routes mail directly with a smarthost directive

sed -i -e 's/^DS/DS\\\[mailTWB.example.com\\\]/' $strSendmailDirectory/etc/mail/sendmail.cf

But I’ve needed to prepend text to a file. Turns out sed acn do that. In fact, you can insert strings at any line number. Using “sed -i ‘5s;^;StringsToInsert\n;’ filename.xtn will insert “StringsToInsert\n” at line 5. To prepend text to a file, use “1s”

[lisa@fedora tmp]# cat test.txt;sed -i ‘5s;^;NewLine1\nNewLine2\n;’ test.txt;cat test.txt
Line 1
Line 2
Line 3
Line 4
Line 5
Line 6
**********
Line 1
Line 2
Line 3
Line 4
NewLine1
NewLine2
Line 5
Line 6
**********

 

I’ve also come across an oddity in the Win32 sed — the method I usually use to blow away everything after a newline for some reason blows away everything after the first line. Works fine on RHEL7 and Fedora29, so the quick solution is “run it from the Linux box”.

C:\temp>cat input.txt
line 1
line 2

line 3
line 4
line 5
C:\temp>sed -i ‘/^$/q’ input.txt&cat input.txt
line 1

Using ZoneMinder v1.32.3 With OpenHAB2

I documented a temporary fix to return ZM_PATH_ZMS and ZM_OPT_FRAME_SERVER through the ./api/configs/view/<KEYNAME>.json API so ZoneMinder 1.31.45 worked with the OpenHAB2 binding. Upon upgrading ZoneMinder to 1.32.3, the binding was no longer able to communicate with our ZoneMinder server.

In the OpenHAB2 log, errors indicated malformed JSON was received.

Caused by: com.google.gson.stream.MalformedJsonException: Use JsonReader.setLenient(true) to accept malformed JSON at line 1 column 7 path $
at com.google.gson.stream.JsonReader.syntaxError(JsonReader.java:1568) ~[?:?]
at com.google.gson.stream.JsonReader.checkLenient(JsonReader.java:1409) ~[?:?]
at com.google.gson.stream.JsonReader.doPeek(JsonReader.java:542) ~[?:?]
at com.google.gson.stream.JsonReader.peek(JsonReader.java:425) ~[?:?]
at com.google.gson.JsonParser.parse(JsonParser.java:60) ~[?:?]
at com.google.gson.JsonParser.parse(JsonParser.java:45) ~[?:?]
at name.eskildsen.zoneminder.jetty.JettyConnectionInfo.fetchDataAsJson(JettyConnectionInfo.java:352) ~[?:?]

Using a web browser to access <ZoneMinderURL>/zm/api/configs/view/ZM_PATH_ZMS.json, malformed JSON is returned.

Conf files are not updated when new packages are installed – an conf.rpmnew is created instead. The changes from the new config (zoneminder.conf.rpmnew) file need to be merged into the existing config file (zoneminder.conf). In our zm.conf file, I added:

ZM_DB_SSL_CA_CERT=
ZM_DB_SSL_CLIENT_KEY=
ZM_DB_SSL_CLIENT_CERT=

Reloading the page in my browser confirmed that the JSON response is valid.

When the ZoneMinder binding started, it successfully attached to our monitors and detected a motion alarm.

This does not negate the need for the original fix — config.php still needs to have the strcmp I added. When ZoneMinder is upgraded, /usr/bin/zmupdate.pl is run (I needed to run “/usr/bin/zmupdate.pl -f” to stop zmc from existing with return code 255), the values I added to the ZoneMinder Config table are removed — they need to be re-added.

 

Shadowing Remote Desktop Sessions – Windows 2016

You need the session ID of the console you want to remote control. How do you get this? Log into the server under your ID and run “query session” in a command prompt – the session ID is in the “ID” column. Yes there are a lot of ways to do this. Ask the person you want to remote control to run quser, add the ‘session ID’ column to task manager, etc.

I am e0082643, which makes my session ID 40.

The person who wants to control the session needs to run mstsc with the /shadow option. You need to run mstsc as a user that is an administrator on the target host.

Run: mstsc /v:hostname /shadow:# /control

e.g. mstsc /v:cwwapp1726.windstream.com /shadow:40 /control

The session being controlled will see a control request – click ‘yes’ and the session will be shadowed. Click ‘no’ and it won’t.

 

Microsoft Flow Usage Tracking Process Proposal

Assumptions: This proposal is predicated on having some reasonable way to download the Flow usage report that currently needs to be generated from the Flow admin page. Otherwise usage tracking is a manual process kicked off by logging into Flow admin site and downloading the CSV usage detail report.

This proposal is also predicated on the idea that our group is not-for-profit — we are not seeking to recoup O365 licensing cost through Flow usage billback.

Issue: Flow execution is “throttled” when usage exceeds the tenant limits. Per a response from a “Flow Staff” individual to ‘what actually happens when you exceed your allocated cycle limit’, “To clarify what is meant by throttling, flow run usage exceeding your tenant limits may be suspended at Flow’s discretion until the following billing cycle.”. While “at Flow’s discretion” is still vague, a tenant risks having Flow runs suspended when they exceed their allocated cycle limit.

Additional cycles can be purchased to continue Flow execution. As of 26 April 2019, an additional 50,000 runs costs 40$. We should ask Microsoft to clarify “Flow’s discretion”. Are enterprise customers able to have Flow execution continued and be billed for their overage? Do enterprise customers receive a short grace period during which time they can purchase additional execution cycles for upcoming months?

Farther complicating the issue, it is difficult for a manager to assess how many flow cycles are being executed by their subordinates. While Microsoft has added per-workflow usage statistics, even when workflows are maintained under shared spaces, individually checking each Team flow to determine how many times it has executed is cumbersome.

Solution: If we cannot purchase execution cycles after our limit has been reached, we will need to routinely track the number of cycles executed in our tenant to avoid both execution disruption and purchasing additional runs in months where we do not exceed our “free” cycle quota. To determine an appropriate alerting interval, we need to determine the time between identifying that our tenant is approaching its threshold and the activation of newly purchased cycles.

To create a financial incentive to maintain efficient Flow jobs, cycles should be billed back to the business units that are using Flow. Since each Office 365 license includes 2,000 Flow execution cycles, a BU is not charged when they are under their “free” allocation (i.e. # of O365 licensed users in the BU times 2,000). BUs may be charged at a rate of 0.0008$ per cycle over their “free” allocation (question: does this need to be rounded up to avoid fractional pennies? i.e. one cent per 1,250 cycles). In months were the Flow execution cycle limit in the tenant is exceeded, the BUs are charged. Many individuals do not use Flow so there are unused execution cycles. If we are under our tenant limit but a BU has exceeded their allocation, no additional money has been spent so no billback occurs. The BU owner would still be notified with a message that includes “due to low company-wide Flow usage, your overage does not incur any charge this month. This overage could result in a charge of up to {calculatedOverageCost} charged to your BU.”. The message will include the web link to help them understand who is using Flow in their organization.

We would develop a script to update a data table. This table will record each Flow user, the number of cycles used month to date, the number of cycles used during the previous month, the number of cycles used year to date, and the number of cycles used during the previous year. A web interface like https://msteams.windstream.com/usageReporting/index.php (which allows managers to view Teams usage of their sub-organization) would be created to provide visibility into the Flow usage data. We would also develop a script, run at the beginning of each month, that determines the BU for each Flow user, aggregates “previous month” Flow usage data per BU, calculates the total number of O365 licensed accounts per BU, calculates the BU’s cycle overage, notifies BU owners per the previous paragraph, and either initiates the billback process or produces the data which is needed to initiate the billback process.

I additionally suggest we create a “best practices” guide for using Flow. As an example, creating a workflow ‘perform some process every time our shared mailbox receives a message from BOB’ incurs a cycle execution every time the shared mailbox receives a message, regardless of the message source. When creating workflows triggered by e-mail messages, using a dedicated mailbox (research: can an O365 group mailbox be used as a trigger??) avoids non-trigger messages executing a Flow.

Did you know … you can redirect custom URLs to Microsoft Forms?

Microsoft Forms provides a simple framework for creating surveys and polls which can be distributed either to internal users or made publicly available. Including your Form URL in an a href tag is one way to avoid trying to communicate the super-long Form URL … but if you’re looking for a ‘pretty’ URL, something that can be included in print media or provided to someone verbally, you can redirect custom URLs to your Form URL.

Generally, hosting a forwarding URL requires a web server; but URL-shortening services should work. To use a web server, you’ll need to configure a site (or path from a site) to serve an HTTP redirect. I am using 302 (temporary) redirection instead of 301 (permanent redirection) in case I want to forward my custom URL to a different Form.

Apache config

Use the “Redirect” directive in your virtual host config:

<VirtualHost 10.1.2.3:80>
     ServerName customsite.example.com
     ServerAlias customsite.example.com customsite
     Redirect / https://forms.office.com/Pages/DesignPage.aspx#FormID=wbRnJe2w9UCu41....
</VirtualHost>

IIS Config

In the IIS management utility, navigate to your website and select “HTTP Redirect”.

Check the box to redirect requests and paste in your Forms URL. Check the box to redirect all requests to the exact destination.

When your site is accessed, the browser receives the HTTP redirect and displays your Form.

 

IIS Failed Request Tracing

I set up a PHP website with a really strange issue: site/path/index.php worked fine, but site/path threw a generic ‘something failed’ error. I added the suggested lines to web.config and got … another completely generic error.

You can enable Failed Request Tracing in the site to get a clearer picture of what is going on.

You’ll need to create a tracing rule that includes the return code you are seeing. Click “Add …” and create a rule that will capture the exception you are seeing. Once the rule is in place, reproduce the error in your browser. Click “View Trace Logs …” to open the location where the trace logs are stored.

On the local disk, you’ll get a web page with the exception information. Here, I’m seeing an error in ScriptModule-4.0. The ‘Request Details” tab contains more information.

My oddity seems to be related to .NET somehow … I don’t need CLR to manage code execution for my site, so the simple solution was to turn it off – edit the application pool and select “No Managed Code”.

Voila! My site loads using the default document.

 

SPO Guest Access Stops Working

I ran across an interesting issue today — Windstream’s got a really awesome SPO site for SD Project Management – tracking orders, equipment orders, 3rd party cabling installations, etc. The cool part about the site being hosted in SharePoint Online is that a customer can get set up as a federated partner and be granted access to see equipment readiness and installation scheduling within our system.

Guest access is an interesting concept – while I have an account in our tenant that is linked to my Active Directory account in our domain, you can also create links to accounts in other company’s directories. The guest account can then be set up to access our Azure resources – added to Azure groups, added to SharePoint Online groups, invited to join Teams.

A guest user had her computer replaced and could no longer access the site – SPO insisted that she was not a valid user. Looking in Azure AD, the account existed; the audit log even showed successful authentication events. I’m not sure if the computer replacement was a coincidence, the new computer had a different configuration, or if your browser stashes some information that allowed her to avoid authentication failures, but her guest account in our tenant was no longer working.

For companies that don’t have Azure AD, when an individual accepts guest account access … the guest account link in our tenant lists “Microsoft Account” as the source.

But when the company sets up Azure, the auth framework seems to get confused by the Azure AD account. Easy enough solution – we’ve got to delete the guest account that’s linked to their MS Account from Azure AD. Bonus step specific to SPO, a site administrator needs to use <site>/_layouts/15/people.aspx?MembershipGroupId=0 to delete the guest account from the SPO site.

 

Once the “Microsoft Account” guest account has been removed, the guest can be re-invited. They’ll step through the registration process again but the guest account will be linked up to their Azure AD account.

 Re-add the new guest account to whatever they were using & their access will be restored.