First bike ride of the year

Sunshine, blue skies, what more could anyone want? Eh, a little less wind and, WTF, 9 MARCH????

Three hours of dogged pedalling on the juggernaut (the Santos Travelmaster) resulted in the ride below.

Cycling holidays update

As of last week, all routes of the cycling holidays I have ridden so far are completely up to date again. The route of the 2008 cycling holiday has been completed, the 2013 one has been added, and all yearly summaries have been restored and/or improved where needed. A few summaries had not been carried over during the migration to Nikola.

I have given up on the diaries of the first two holidays; those will remain unfinished.

Fun with logrotate and wildcards

So a few months ago I found that freeradius on one of my machines was logging all transactions in a daily log file. After a few years this accumulated to a large number of files that started to gobble up too much disk space. Together with a colleague I created the following logrotate configuration:

/var/log/freeradius/radacct/*/detail-* {
        daily
        rotate 90
        compress
        notifempty
}

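Using wildcards with logrotate is asking for trouble, as the manual page warns, but we thought we knew better... The pattern detail-* also matches the files logrotate itself produces, so every rotated file was picked up again on a later run and given another .1.gz suffix. The result was a log directory containing loads of the following: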

server:/var/log/freeradius/radacct/host# ls -al
-rw------- 1 freerad freerad        0 2013-09-03 06:25 detail-20130902
-rw------- 1 freerad freerad        0 2013-09-05 06:25 detail-20130902.1.gz
-rw------- 1 freerad freerad        0 2013-09-07 06:25 detail-20130902.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-09-09 06:25 detail-20130902.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-09-11 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-09-13 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-09-15 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-09-17 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-09-19 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-09-21 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-09-23 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-09-25 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-09-27 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-09-29 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-01 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-03 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-05 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-07 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-09 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-11 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-13 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-15 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-17 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-19 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-21 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-23 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-25 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-27 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-29 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-10-31 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-02 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-04 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-06 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-08 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-10 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-12 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-14 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-16 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-18 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-20 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-22 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-24 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-26 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-28 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad        0 2013-11-30 06:25 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
-rw------- 1 freerad freerad 23219192 2013-09-02 21:47 detail-20130902.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz.1.gz
server:/var/log/freeradius/radacct/host#

Fixing logrotate is left for another time. But how do you get rid of all the 0 length files, and how do you rename the files that do have content to something useful? Most howtos suggest basename or Perl's rename, but none of them can handle what I call "recursive" file extensions. Here's what I came up with:

# Delete all 0 length files
server:/var/log/freeradius/radacct/host# find . -size 0 -delete
# Create a list of mv commands for all remaining files
server:/var/log/freeradius/radacct/192.168.59.6# ls *.gz | awk -F '.' '{ print "mv " $0 " " $1 ".1.gz" }' > commandfile
# Execute the commands (dot space commandfile executes all commands in
# commandfile, who knew?)
server:/var/log/freeradius/radacct/host# . commandfile
# And clean up after ourselves
server:/var/log/freeradius/radacct/host# rm commandfile
server:/var/log/freeradius/radacct/host#
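
A more defensive take on the cleanup above, as an added example that is not part of the original post: it plans the deletions and renames first, refuses to overwrite a file that still holds data, and counts how many gzip layers wrap the surviving content. The function names are hypothetical, and it is an assumption that each extra rotation may also have re-compressed the file.

```python
import gzip
import os
import re
from pathlib import Path

# A rotation appends ".<n>" and compression appends ".gz"; the runaway
# wildcard stacked that pair on the same file again and again.
CHAIN = re.compile(r"^(?P<base>.+?)(?P<chain>(?:\.\d+\.gz){2,})$")


def collapsed_name(name):
    """Return the name with the chain cut to its first ".<n>.gz", or None."""
    m = CHAIN.match(name)
    if m is None:
        return None
    first = re.match(r"\.\d+\.gz", m.group("chain")).group(0)
    return m.group("base") + first


def plan_cleanup(directory):
    """Inspect one directory and return (delete, rename, conflicts).

    Nothing on disk is changed. Symlinks and subdirectories are skipped.
    """
    files = sorted(p for p in Path(directory).iterdir()
                   if p.is_file() and not p.is_symlink())
    delete = [p for p in files if p.stat().st_size == 0]
    doomed = set(delete)
    rename, conflicts, claimed = [], [], set()
    for p in files:
        if p in doomed:
            continue
        new = collapsed_name(p.name)
        if new is None:
            continue
        target = p.with_name(new)
        # Never overwrite a file that still holds data, and never map two
        # sources onto one target.
        occupied = os.path.lexists(target) and target not in doomed
        if occupied or target in claimed:
            conflicts.append((p, target))
        else:
            claimed.add(target)
            rename.append((p, target))
    return delete, rename, conflicts


def apply_plan(delete, rename):
    """Carry out a plan: empty files go first so their names become free."""
    for p in delete:
        p.unlink()
    for src, dst in rename:
        src.rename(dst)


def gzip_layers(path, limit=100):
    """Count how many nested gzip streams wrap the content of path."""
    for depth in range(limit):
        with open(path, "rb") as fh:
            stream = fh
            for _ in range(depth):
                stream = gzip.GzipFile(fileobj=stream, mode="rb")
            # Only the first two bytes of each layer are needed (gzip magic).
            if stream.read(2) != b"\x1f\x8b":
                return depth
    return limit
```

Review the three lists from plan_cleanup() before calling apply_plan(); a result above 1 from gzip_layers() means the file has to be decompressed that many times to get the accounting data back.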

Wishlist

Note: this page is updated regularly, either because I have received something or because I have thought of something new. So check here before you buy anything ;-)

UPDATE 2024-02-13, edited

IPv6 firewalling on Cisco IOS

In a previous post I explained how to get native IPv6 working on a Cisco 877 ADSL modem/router.

In this post I'm going to try and set up the simplest possible firewall for IPv6, based on the example from SIXXS. Remember, if you're going to start using IPv6 properly, all your devices are reachable from the internet by default. This is usually a bad idea, so we need a firewall.

I'm going to assume you're not running any servers at home, you just want all traffic from the outside blocked. You also want traffic from your local network to be able to reach the Internet via IPv6 and receive answers back. But no more.

First we create an access list that blocks all unwanted traffic, but allows enough of the ICMP protocol for the Internet to function as intended. Real networks don't block all of the incoming ICMP traffic.

ipv6 access-list ipv6-internet-in
  remark Prevent spoofing
  deny ipv6 2A02:120:100F::/48 any log
  remark prevent ingress of all addresses except global unicast and multicast
  deny ipv6 ::/3 any log
  deny ipv6 4000::/2 any log
  deny ipv6 8000::/2 any log
  deny ipv6 C000::/3 any log
  deny ipv6 E000::/4 any log
  deny ipv6 F000::/5 any log
  deny ipv6 F800::/6 any log
  deny ipv6 FC00::/7 any log
  deny ipv6 FE00::/8 any log
  permit icmp any any time-exceeded
  permit icmp any any packet-too-big
  permit icmp any any echo-request
  permit icmp any any echo-reply
  deny ipv6 any any log
  !
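
One way to check that a set of deny prefixes really leaves only global unicast (2000::/3) and multicast (ff00::/8), as the remark in the access list intends. This is an added example, not part of the original post; the sample ACL text is constructed and deliberately leaves out one reserved block to show what a gap looks like, and the function names are hypothetical.

```python
import ipaddress
import re

# Space the remark in the access list wants to let through.
ALLOWED = [ipaddress.ip_network("2000::/3"),   # global unicast
           ipaddress.ip_network("ff00::/8")]   # multicast

# Constructed sample in IOS syntax; one reserved block is left out on purpose.
SAMPLE_ACL = """\
ipv6 access-list ipv6-internet-in
  deny ipv6 2A02:120:100F::/48 any log
  deny ipv6 ::/3 any log
  deny ipv6 8000::/2 any log
  deny ipv6 C000::/3 any log
  deny ipv6 E000::/4 any log
  deny ipv6 F000::/5 any log
  deny ipv6 F800::/6 any log
  deny ipv6 FC00::/7 any log
  deny ipv6 FE00::/8 any log
  deny ipv6 any any log
"""

DENY_SRC = re.compile(r"^\s*deny\s+ipv6\s+(\S+/\d+)\s+any\b", re.I | re.M)


def deny_prefixes(acl_text):
    """Source prefixes of every 'deny ipv6 <prefix> any' line."""
    return [ipaddress.ip_network(p) for p in DENY_SRC.findall(acl_text)]


def subtract(nets, hole):
    """Remove the address range `hole` from a list of networks."""
    out = []
    for net in nets:
        if hole.supernet_of(net):        # net lies entirely inside the hole
            continue
        if net.supernet_of(hole):        # hole is a strict part of net
            out.extend(net.address_exclude(hole))
        else:                            # disjoint
            out.append(net)
    return out


def uncovered(acl_text):
    """Source ranges outside ALLOWED that no prefix-based deny line matches."""
    remaining = [ipaddress.ip_network("::/0")]
    for net in ALLOWED + deny_prefixes(acl_text):
        remaining = subtract(remaining, net)
    return sorted(ipaddress.collapse_addresses(remaining))


def denied_inside_allowed(acl_text):
    """Deny prefixes that carve a piece out of the allowed space,
    such as the anti-spoofing entry for the site's own /48."""
    return [p for p in deny_prefixes(acl_text)
            if any(a.supernet_of(p) for a in ALLOWED)]


if __name__ == "__main__":
    print("not covered by a prefix deny:", uncovered(SAMPLE_ACL))
    print("denied inside allowed space:", denied_inside_allowed(SAMPLE_ACL))
```

A range reported by uncovered() is still dropped by the final deny ipv6 any any, except for the ICMP types that are permitted above it.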

Next it's time to define an inspection rule, so that outgoing traffic can poke holes on the incoming side for its replies.

ipv6 inspect name cbac-ipv6 tcp
ipv6 inspect name cbac-ipv6 udp
ipv6 inspect name cbac-ipv6 icmp
ipv6 inspect name cbac-ipv6 ftp

Finally we bind all that to the Dialer0 interface we used in the previous post and have a functioning firewall.

interface Dialer0
  ipv6 traffic-filter ipv6-internet-in in
  ipv6 inspect cbac-ipv6 out

Don't forget to block IPv6 access to the remote console (the vty lines) on your router!

ipv6 access-list ipv6-ssh-lockdown
  deny ipv6 any any log

line vty 0 4
  ipv6 access-class ipv6-ssh-lockdown in

And that's it! Finding an example as basic as this took me quite a while, with some stops and starts and some days of working without IPv6 without me noticing. If you want to run a web server, mail server or something else on IPv6, you need to add the appropriate lines to the "ipv6-internet-in" IPv6 access list. I'm leaving how to do that as an exercise for the reader ;-)

NYC2013

So it was that time of year again. A few days of New York City (New York) for work. Here's the result of the tourist-y part. Even more pictures of places around Manhattan, I even left the island properly for the first time. Well, apart from the train from/to JFK.

First a guided tour of Rockefeller Centre

Then on to "Top of the Rock", with a nice view of New York from a really high place. Much more enjoyable than Empire State Building, which I visited two years ago.

After that I took the cable car to Roosevelt Island, in the middle of the East River. A really calm and quiet place to visit on a Friday afternoon.

5th Avenue early evening, just after sunset.

Times Square late at night.

These last few photos have all been taken from the High Line, a really nice park on top of an old, unused, raised railroad. Really cool.

pysnmp cannot import asn1

Today I tried to use an old Python script to do something with SNMP. The script was importing some SNMP library using the following code:

from pysnmp import asn1, v2c, role

(this is basically from the snmpget example on the pysnmp website).

Installing python-pysnmp didn't work. There are a few versions of the pysnmp API available and apparently the code above assumes version 2 of the API, so we need to install python-pysnmp2:

ramdyne@host:~$ sudo apt-get install python-pysnmp2
xxx
ramdyne@host:~$ ./script.py
Traceback (most recent call last):
    File "./script.py", line 7, in <module>
        from pysnmp import asn1, v2c, role
ImportError: cannot import name asn1

Obviously that didn't work, but why? After a lot of investigating, it looks like the current Debian python-pysnmp2 package includes both versions 2 and 4 of the API and you need to explicitly choose which one you want to use before importing pysnmp in your python code.

Choosing the API version is done using an environment variable. You can do this in your commandline shell (like bash), but I prefer to do this explicitly in the script itself:

import os
# Select the API version before pysnmp is imported for the first time
os.environ['PYSNMP_API_VERSION'] = 'v2'
from pysnmp import asn1, v2c, role

(choosing version 4 of the API is left as an exercise for the reader.)

Worst SIP implementation of the moment

There must be something very wrong with the way the Siemens OpenScape Office PBX's SIP stack handles SIP error codes or the way people configure it by default.

Suppose you make a call and forget a digit somewhere in the middle. Your PSTN provider (or someone else) detects that the number is not quite sufficient and replies to your INVITE with an error message containing "SIP/2.0 484 Address Incomplete".

Normal SIP implementations send an error up the stack to the end user who then hears some kind of error code through their handset or some error code on the display of their phone. Is OpenScape doing that? Noooooooo.....

When OpenScape receives an error code other than "486 Busy" or "500 Internal Server Error", it sends out as many retry calls as it can, one after the other, until it hits the maximum number of simultaneous calls it has configured on the SIP trunk (even though these calls are not simultaneous).

If you're using the distribution between successful and failed calls to monitor the health of your platform, behaviour like this very quickly starts to trigger alarms that something is not quite right, especially when end users are absolutely convinced the number they dialled is correct. Hundreds of failed calls within a minute or two are not unusual in cases like this.
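
One way to keep such a retry storm from skewing a health metric, as an added example that is not part of the original post: group failures by trunk and called number, flag bursts, and count each burst as a single failed call. The record format, sample data, thresholds and function names are all constructed for illustration.

```python
from collections import defaultdict

# Per the post, OpenScape keeps retrying on error codes other than these two.
NO_RETRY = {486, 500}


def sample_records():
    """Constructed data: normal traffic plus one misdialled number."""
    lines = ["%d trunkB 0031%07d 200" % (1000 + 3 * i, i) for i in range(40)]
    lines.append("1050 trunkB 00310000099 486")
    # 150 retries of one incomplete number within 75 seconds
    lines += ["%d trunkA 003120555 484" % (1000 + i // 2) for i in range(150)]
    return lines


def parse_cdr(lines):
    """Parse constructed 'epoch trunk called status' records."""
    records = []
    for line in lines:
        ts, trunk, called, status = line.split()
        records.append((int(ts), trunk, called, int(status)))
    return records


def find_retry_storms(records, window=120, threshold=20):
    """Return {(trunk, called): failures} for every trunk that failed on the
    same number at least `threshold` times within `window` seconds."""
    failures = defaultdict(list)
    for ts, trunk, called, status in records:
        if status >= 400 and status not in NO_RETRY:
            failures[(trunk, called)].append(ts)
    storms = {}
    for key, stamps in failures.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            storms[key] = len(stamps)
    return storms


def failure_ratio(records, storms=()):
    """Failed calls divided by all calls; every retry-triggering failure
    that belongs to a storm is folded into one failed call."""
    total = failed = 0
    seen = set()
    for ts, trunk, called, status in records:
        key = (trunk, called)
        if status >= 400 and status not in NO_RETRY and key in storms:
            if key in seen:
                continue            # a retry of a call already counted
            seen.add(key)
        total += 1
        failed += status >= 400
    return failed / total


if __name__ == "__main__":
    recs = parse_cdr(sample_records())
    storms = find_retry_storms(recs)
    print(storms, failure_ratio(recs), failure_ratio(recs, storms))
```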

Keeping website sources safe

Last Friday I was thinking about making a backup of the nikola sources for my website. I have more than 12 years of blog posts in the archive now. While most of the contents are not worth much, there are some pieces I'd rather not lose.

Using normal backup procedures seemed boring, so I started thinking of other ways. Realising that most of the files were just basic text files, some kind of version control system seemed appropriate. Since I had no intention of running my own VCS server, Github seemed like a cool option, especially since it has private repositories.

So every time I update the site, the deploy step not only updates (using rsync) the webserver, it also calls on git to push the changes towards my private Github repository.

So for this post the procedure looked something like this (Edited for brevity and a little bit of obfuscation):

yyyyyyy@delphic:~/website/src/www.ramdyne.nl/src$ nikola new_post
Creating New Post
-----------------
Enter title: Keeping website sources safe
Scanning posts.....done!
Your post's text is at:  posts/keeping-website-sources-safe.rst
yyyyyyy@delphic:~/website/src/www.ramdyne.nl/src$ vi posts/keeping-website-sources-safe.rst
yyyyyyy@delphic:~/website/src/www.ramdyne.nl/src$ nikola build
Scanning posts.....done!
.  render_site:../output/categories/index.html
.  render_posts:cache/posts/keeping-website-sources-safe.html
.  render_indexes:../output/index.html
.  render_rss:../output/rss.xml
.  render_pages:../output/posts/keeping-website-sources-safe.html
.  render_tags:../output/categories/stack.xml
.  sitemap:../output/sitemap.xml
yyyyyyy@delphic:~/website/src/www.ramdyne.nl/src$ nikola deploy
Scanning posts.....done!
==> rsync -rav ../output/* ramdyne@xxxxxx.org:/home/zzzzzz/www/ramdyne.nl/www
Password:
sending incremental file list
index-20.html
index.html
rss.xml
sitemap.xml
posts/
posts/keeping-website-sources-safe.html

sent 526893 bytes  received 85809 bytes  136156.00 bytes/sec
total size is 18639132  speedup is 30.42
==> /home/yyyyyyy/website/src/www.ramdyne.nl/git-push-website-to-master.sh
[master fbadf78] Another commit by nikola deploy
 448 files changed, 2205 insertions(+), 998 deletions(-)
 create mode 100644 output/.htaccess
 rewrite output/assets/js/tag_cloud_data.json (78%)
 create mode 100644 output/categories/git.html
 create mode 100644 output/categories/git.xml
 create mode 100644 output/categories/github.html
 create mode 100644 output/categories/github.xml
 rewrite output/categories/website.xml (80%)
 create mode 100644 output/posts/keeping-website-sources-safe.html
 create mode 100644 src/cache/posts/keeping-website-sources-safe.html
 create mode 100644 src/posts/keeping-website-sources-safe.rst
Username for 'https://github.com': xxxxx
Password for 'https://xxxxx@github.com':
Counting objects: 890, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (459/459), done.
Writing objects: 100% (459/459), 129.89 KiB, done.
Total 459 (delta 444), reused 0 (delta 0)
To https://github.com/ramdyne/websites-ramdyne.nl.git
 3c519ad..fbadf85  master -> master
Successful deployment
yyyyyyyy@delphic:~/website/src/www.ramdyne.nl/src$

The eagle eyed viewers will have noticed a small script being used to do all the git steps:

yyyyyyyy@delphic:~/website/src/www.ramdyne.nl$ cat git-push-website-to-master.sh
#!/bin/sh
cd /home/yyyyyyy/website/src/www.ramdyne.nl/ || exit 1
/usr/bin/git add '*'
/usr/bin/git commit -m "Another commit by nikola deploy"
/usr/bin/git push origin master

The script (and the cd step in the script) are needed because of the way the nikola deploy steps work. You can't do cool stuff like cd in the deploy steps themselves, if I understood this post correctly.

Now I only need to find a way to not have a boring fixed commit message for every change ("Another commit by nikola deploy"), preferably it would say what had been last updated or something like that. Or just ask me for a commit message.

The folder structure I am using now for my website sources is a little different from the default nikola setup, so I can always stop keeping all changes to the nikola output. Keeping sources and output in git is kind of redundant, isn't it?

Nikola default (with site in ~/Documents/site):

~/
|- Documents/
    |-site/
        |-cache/
        |-files/
        |-galleries/
        |-listings/
        |-output/
        |-posts/
        |-stories/
        |-themes/
        |-conf.py

My current directory structure:

~/
|- Documents/
    |-site/
        |-output/
        |-src/
            |-cache/
            |-files/
            |-galleries/
            |-listings/
            |-posts/
            |-stories/
            |-themes/
            |-conf.py
        |-git-push-website-to-master.sh

Krautrock

A few weeks ago I bought a CD (yes, I still do that) called Deutsche Elektronische Musik 2, experimental German rock and electronic musik, 1971 - 83. Since then I have been on a binge, listening to as much Faust, Popol Vuh, Amon Duul II, etc. as possible.

Today I found a really nice 2 and a half hours long mix containing loads of Krautrock songs, all mixed together.

Funny, how I don't know many songs specifically, but a lot of songs I must have heard before, because I feel almost at home with them. Now for part 1, let's see if I can buy that somewhere...

Native IPv6 over PPPoA on Cisco IOS

(Update: this post was updated based on comments from my colleagues)

Here is a short howto on how to configure native IPv6 (so, no tunnel) on a PPP-based DSL line, without an underlying subnet or whatever. The modem/router we'll be using is a Cisco 877 on a Dutch DSL line (an unnamed ISP providing L3 connectivity).

It is assumed that IPv4 and the underlying ADSL is working normally. We'll be configuring things as a dual-stack system, with the Cisco handing out IPv6 addresses to clients. Remember, this is IPv6, so we will be needing a firewall as soon as everything works!

I have configured a VLAN interface for handling the LAN side of the router, but you could just as easily do this on a FastEthernet port. The Dialer0 interface is the dialer handling the PPP session.

ipv6 unicast-routing
ipv6 cef

interface Vlan1
 description LAN
 ipv6 address YOUR_IPV6_NET:SUBNET::/64 eui-64
 ipv6 enable

interface Dialer0
 ipv6 address autoconfig
 ipv6 enable

ipv6 route ::/0 Dialer0

If you received a /48 from your ISP, something like 2xxx:yyyy:zzzz::/48, then pick a subnet from this assignment. In my case I chose 100, but this could be anything. So my VLAN 1 config looks like this:

interface Vlan1
 description LAN
 ipv6 address 2xxx:yyyy:zzzz:100::/64 eui-64
 ipv6 enable

Note that on a Cisco 877 (or any other Cisco router) you could assign various subnets like this to each and every port, VLAN or WIFI interface you have available. This should give you loads of neat opportunities for micromanaging access between subnets on your LAN.

Nothing else is needed, unless you also want to hand out the IPv6 address of a DNS server; in that case you also need to add the following:

ipv6 dhcp pool DHCPv6
 dns-server DNS_SERVER_IPV6_ADDRESS
 domain-name YOUR_LOCAL_DOMAIN

interface Vlan1
 ipv6 nd managed-config-flag
 ipv6 dhcp server DHCPv6

Next time, firewalling.