Granting limited access to clustered OnTap via the System Manager gui

Although NetApp’s clustered OnTap was designed for secure multi-tenancy, the OnCommand System Manager GUI is currently unable to provide per-SVM access; you must do it via SSH. I need to be able to give my Windows admins access to configure the CIFS shares on our new cDOT system. They’re used to System Manager under 7-mode OnTap and cDOT’s System Manager adds quite a bit of extra stuff.

The storage system is connected to our Active Directory domain via the CIFS server in the SVM vs1. The domain tunnel can use this for authentication – just log in with “domain\username” in the GUI.

In order to log into System Manager, a user must be given the “admin” role on the “http” application. This allows them to see the GUI, but doesn’t give them access to the actual commands that System Manager is running. For that, we use the “ontapi” application. We configure a new role that gets readonly permissions on everything, but “all” access on just the cifs commands in the “vserver cifs share” directory of the API.

security login role create -vserver vs1 -role sharesadmin -cmddirname "vserver cifs share" -access all
security login role create -vserver vs1 -role sharesadmin -cmddirname DEFAULT -access readonly

Then we assign our Windows admins to the admin role in http and sharesadmin in ontapi:

security login create -vserver vs1 -role admin -application http -authmethod domain -user-or-group-name domain\user
security login create -vserver vs1 -role sharesadmin -application ontapi -authmethod domain -user-or-group-name domain\user
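How the two sharesadmin entries combine can be sketched as a longest-prefix lookup. This is an added illustration, not NetApp code or output: it assumes the most specific command-directory entry wins and that readonly permits only show commands, and the list of command paths checked is a constructed sample.

```python
# Added illustration (not NetApp code): simplified model of how the two
# sharesadmin entries combine. Assumes the most specific command-directory
# entry wins and that "readonly" permits only show commands.
SHARESADMIN = {
    "vserver cifs share": "all",
    "DEFAULT": "readonly",
}

def effective_access(role, command):
    """Return (access_level, matching_entry) for a command path."""
    words = command.split()
    # Longest directory prefix first; a subdirectory inherits from its parent.
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in role:
            return role[prefix], prefix
    # No explicit entry: fall back to DEFAULT, or no access if it is absent.
    return role.get("DEFAULT", "none"), "DEFAULT"

def is_allowed(role, command):
    """True if the role may run the command under this simplified model."""
    level, _ = effective_access(role, command)
    if level == "all":
        return True
    if level == "readonly":
        words = command.split()
        return bool(words) and words[-1] == "show"
    return False

def audit(role, commands):
    """Map each command to 'allow' or 'deny' under the role."""
    return {c: "allow" if is_allowed(role, c) else "deny" for c in commands}

# Constructed sample of command paths to check against the role.
SAMPLE = [
    "vserver cifs share create",
    "vserver cifs share access-control create",
    "vserver cifs share show",
    "vserver cifs modify",
    "vserver cifs show",
    "volume delete",
    "volume show",
]

if __name__ == "__main__":
    for cmd, verdict in audit(SHARESADMIN, SAMPLE).items():
        print(f"{verdict:5}  {cmd}")
```

Anything outside the “vserver cifs share” directory, including the rest of “vserver cifs”, falls through to the DEFAULT entry and stays read-only.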


Read AIPS / FITS tape without AIPS

We get occasional requests to read data from old DDS or Exabyte tapes. Since we long ago removed tape drives from individual workstations, we now only support a single shared tape reading machine. AIPS tapes have a pretty simple format — sequential files of FITS data — but you have to use a specific block size of 28800 to read the tape correctly.

We use a script that just reads all FITS files off the tape into the current directory. I finally got around to cleaning up that script yesterday and adding more safeties, etc. I’ve posted the result on my github page in the hopes that it’s useful to others.

read-fits-tape


Conference timer app (JS Timer) release 2.1

I’m happy to announce the latest release of my conference session timer app “JS Timer”. This release, version 2.1, is the version used at our latest conference.

You can get JS Timer 2.1 from Github.

Returning to this release are binary “App” versions for both Mac and Windows. The Mac version is built with MacGap1 and the Windows app is built with NW.js. The NW.js toolkit is huge compared to the MacGap project, so the Windows binary release is a much larger download. I’ve used NSIS to pack the NW.js release into a single compressed executable which reduces the size considerably and also produces a single convenient EXE file.

Finally, you can run JS Timer from the live web version.

We used this version successfully across a four-day conference, so I’m pretty sure I’ve flushed out all the bugs. If you find something wrong with it, please open an issue on Github.


FSR to LXC-200 via telnet server

So, after all the work I put into investigating the HTTP RPC method, it turns out that the LXC-200 supports running a telnet server on a user-selectable port which communicates directly with the serial port. Select “Remote Session Method: Telnet Server” and choose a TCP port to dedicate to the specific serial port. I’m using 81 for port 1, 82 for port 2, etc. Set the “Telnet Protocol” to “Raw” as well.

To use multiple ports on the LXC, we’re going to have to use the kludge of adding multiple IP devices to our FLEX project, each with its own TCP port. I’ll start by creating a device for port 81.

In the button action, configure an Inline IP command like so:

IP 'Aurora_LXC-200_1_Addr' INLINE "Hello World<0d>"

After saving and uploading the project to the FLEX, pressing the button spits out exactly the data we want from the serial port. Multiple presses continue sending the correct data; there seems to be no issue with reconnecting.

So, I can now use my Aurora LXC-200 as 3 remote serial ports for the FSR FLEX-LT system.

That was easy 🙂


FSR fun: Bit-banging HTTP POST

So, now that I have the Aurora LXC-200 RPC API figured out, I’m moving closer to my ultimate goal of having an FSR FLEX-LT use an LXC-200 as an expansion serial port. There’s just one problem: The FLEX doesn’t speak HTTP. It has the capability of communicating with IP devices, but just with raw bits – unlike the WACI, no protocol is implemented in its firmware. Well…. what’s a protocol, anyway, but a series of bits on the wire?

So, let’s come up with the most bare-bones version of an HTTP POST that we can. This technique is no stranger to anyone who’s ever used telnet to simulate an HTTP connection. We just want to make sure we make ours as stripped down as possible to preserve space in the FLEX’s memory; the FLEX is a small device compared to the WACI and every command we send to one of the LXC ports has to implement this POST inside its IP command. This is… unfortunate, but – hey – desperate times and all that.

We’ll start by using the ubiquitous ‘nc’ to test our series of bits. nc has the option to use ‘crlf’ to terminate lines, so that should work for our HTTP POST. We’ll create a file with our commands in it:

POST /rpc/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded

method=Serial_Send&param1=1&param2=nc+test&param3=10

And tell netcat to send this to our LXC device:

$ cat lxptest.nc | nc -v -c a.b.c.d 80

And voilà! Our lovely test string “nc test” is sent from the serial port. Watching the traffic with Wireshark, it doesn’t recognize the packets as proper HTTP, but the LXC is forgiving enough to honor the command.

Now, as I mentioned, every FSR command that sends data to an LXC port will need to implement this fake HTTP POST request. The easiest way to do this is to create a custom IP device with a single command “Serial send”. This command can be used via “Send Inline IP…” wherever we need it in our FLEX project; just replace the ‘param2’ bits with the data you want to send – properly URL encoded, of course.

Putting this all into an inline IP command looks like:

IP 'Aurora_LXC-200_1_Addr' INLINE "POST /rpc/ HTTP/1.1<0D 0A>Content-Type: application/x-www-form-urlencoded<0D 0A 0D 0A>method=Serial_Send&param1=1&param2=data&param3=10<0D 0A>"

…but running this command via a button press on the FLEX results in nothing but an empty TCP connection. The connection is started with a 3-way handshake and then torn down similarly, with no attempt at an HTTP command. *frowny* What’s going on here? Let’s change the device IP from the LXC to my desktop, run nc -l on port 8888 and press that button again. Same thing – an empty connection with no data sent. Let’s try something simpler. We’ll change the IP command to just

IP 'Aurora_LXC-200_1_Addr' INLINE "Hello world<0d>"

…and lo and behold, that works! We get “Hello world” spit out from our listening nc. So…. there’s something it doesn’t like about the HTTP data.

#include <swearword.h>

I guess I’ll have to keep increasing the complexity of the command until I find out what the problem is.


Scripting an Aurora LXC-200 from the command line

Aurora Multimedia produces a number of network-attached port expanders for their WACI line of A/V control systems. Among these is their LXC-200, which provides 3 RS-232 serial ports, 2 IR ports, 2 relays and 1 GPIO in a small, POE-powered chassis. See their page for more details.

All of their WACI devices provide an HTTP-RPC API for control. In my case, I want to use the LXC-200 as a general purpose network-attached serial output port. Eventually I’d like to find a way to use it with the FSR FLEX-LT control system but for now I just want to send some serial port output from a command line. The LXC and WACI documentation provide a list of the RPC calls, but the exact usage was a tad vague. So, time to fire up Wireshark and see how this puppy is used.

The WACI event manager has the ability to send serial output to a remote port on another WACI, so I create a simple test event and point it at the LXC. Trigger the event and watch the packets flow!

LXC packet capture

The URL used was http://address.of.waci.unit/rpc/

According to the Aurora RPC docs, param3 is a max wait time, in ms. I’m just going to leave it at 10 as I’m not sure what it’s waiting for, exactly.

So, let’s give curl a shot:

$ curl --data "method=Serial_Send&param1=1&param2=TestCURL&param3=10" "http://a.b.c.d/rpc/"
status=HTTP/1.1 200 OK
Connection: close

And, sure enough, the serial strings pop out the port. What if we want to send raw binary data via the serial port (for controlling, say, a Samsung EX-Link TV)? Well, the HTTP request is encoded with x-www-form-urlencoded, which is an old but still valid encoding mechanism. We just need to use the WACI syntax for sending binary data:

$ curl --data "method=Serial_Send&param1=1&param2=%08%22%00%00%00%02%d4&param3=10" "http://a.b.c.d/rpc/"

And the “Power On” command emerges from the serial port.
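The form encoding used here, and the bare-bones request from the bit-banging post, can be generated and checked in a few lines of Python. This is an added example, not code from the original posts; the function names are hypothetical, the host address is a constructed documentation address, and nothing is sent over the network.

```python
from urllib.parse import quote_plus, unquote_to_bytes

def serial_send_body(port, payload, wait_ms=10):
    """Form body for Serial_Send; payload is the raw bytes for the serial port."""
    # quote_plus leaves letters and digits alone, turns a space into '+' and
    # every other byte into %XX (upper-case hex, equivalent to lower-case),
    # so binary data survives x-www-form-urlencoded transport.
    return (f"method=Serial_Send&param1={port}"
            f"&param2={quote_plus(payload)}&param3={wait_ms}")

def payload_from_body(body):
    """Decode param2 back to bytes, as a check on what will reach the port."""
    fields = dict(pair.split("=", 1) for pair in body.split("&"))
    return unquote_to_bytes(fields["param2"].replace("+", " "))

def raw_post(body, host=None):
    """Request bytes as they go on the wire.

    host=None gives the bare-bones request from the nc test; with a host the
    Host and Content-Length headers are included, as curl does on its own.
    """
    lines = ["POST /rpc/ HTTP/1.1"]
    if host is not None:
        lines += [f"Host: {host}", f"Content-Length: {len(body)}"]
    lines.append("Content-Type: application/x-www-form-urlencoded")
    tail = "" if host is not None else "\r\n"  # the nc file ends with CRLF
    return ("\r\n".join(lines) + "\r\n\r\n" + body + tail).encode("ascii")

# Constructed samples: the EX-Link bytes from the curl example above and a
# documentation address standing in for the LXC-200.
POWER_ON = bytes.fromhex("082200000002d4")
LXC_HOST = "192.0.2.10"

if __name__ == "__main__":
    body = serial_send_body(1, POWER_ON)
    print(body)
    print(raw_post(body, LXC_HOST).decode("ascii"))
```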

Now, how to make the FSR talk HTTP…


Slides from my Monitoring talk at UVa-LSP

I’ve posted the slides from my Automated Systems Monitoring talk I gave at the recent UVa LSP conference. Slides are available with and without my presenter notes. This talk covered high-level concepts in automated systems monitoring as well as some considerations on environmental monitoring. Some bits focused on Nagios, but most should apply to any automated monitoring system.

Feel free to share these slides.

http://blogs.nrao.edu/jmalone/talks/


How to fix AIPS under OSX 10.11 ‘El Capitan’

The latest version of Mac OS X, code-named El Capitan, introduces a new feature called System Integrity Protection (SIP). SIP is designed to protect the core operating system files, as well as Apple-supplied applications, from tampering by malicious software. Unfortunately, as with most major OS changes, there is collateral damage in the form of application incompatibility.

NRAO’s classic data reduction software, AIPS, has been found to have one of these incompatibilities. AIPS is unable to start properly on systems running OSX 10.11 due to a change in how the DYLD_LIBRARY_PATH environment variable is treated. This variable used to tell the system’s dynamic linker to “look here for additional libraries.” This behavior has security implications and is, therefore, restricted under 10.11.

The workaround is to create symbolic links in one of the standard library paths to point to the necessary shared libraries for AIPS. I have created a shell script that will attempt to apply the workaround to a machine with AIPS installed on 10.11. To use it, you must first start bash (required – sorry CSH users) and then source your AIPS LOGIN.SH script so that this repair script knows where to find your AIPS installation. Here’s what it looks like when repairing my test system:

loonquawl:~ jmalone$ . /usr/local/aips/LOGIN.SH
loonquawl:~ jmalone$ ./fix_aips_elcap.sh

This script will attempt to configure an existing AIPS installation
to work properly under OS X 10.11 "El Capitan". You will be prompted
for your password so that several commands can be run as root.

Press enter to continue...

Password:

Three shared libraries were linked to /usr/local/lib. Your
installation should now be fixed to operate under OS X 10.11.

loonquawl:~ jmalone$

You must run this script as a user with administrative privileges, but do NOT run it as root or under sudo.

Download the script.

UPDATES:

2015-12-07: Detect (and fix) broken or out-of-date XQuartz installations


Atlona HDBaseT VGA/HDMI wall plate (AT-HDVS-TX-WP)

Part of my job entails the design and support of the audiovisual systems in 7 conference rooms in Charlottesville (as well as some support for those at other sites). Our rooms are used by a combination of internal staff and external visitors, so they have to “just work”. To that end, I’m always looking for reliable, flexible and inexpensive equipment to support our conference rooms. VGA is still a must-have, but we’re starting to see visitors with consumer-grade laptops who only have HDMI outputs. I’ve been using Extron’s DTP T UWP 232 D wall plate with excellent results, but for my latest room refit, I decided to try Atlona’s input wall plate, mostly based on my desire to try Atlona’s new AT-UHD-CLSO-824 8×2 matrix switcher.

I received the Atlona input plate yesterday and decided to look at it a bit today. I haven’t received the switcher yet (B&H doesn’t stock it so it’s drop-shipped from Atlona) so I asked myself – “Will this work with my Extron equipment?”

Sadly, the answer appears to be “No”. I connected the HDVS-TX-WP to an Extron MPS-602 switcher with “DTP” inputs and…. nothing. I have to say I’m disappointed. Even my Monoprice HDBaseT extender is compatible with the Extron gear. What gives?

And there are further disappointments with the rest of the unit. The USB service port is hidden inside the chassis, which requires removing a total of 11 screws! Or, at least, it should have been 11 — my unit was actually missing an internal screw:

HDVS-TX-WP with case removed.

Note the missing screw at the bottom-right. 🙁

 

So what else is worth noting about the AT-HDVS-TX-WP? Well, it has no support for a local power supply, meaning it must be powered by the HDBaseT receiver. Perhaps it’s the remote-power implementation that makes it incompatible with my Extron switcher — the world will never know. Also, there’s no (official) way to program or configure the unit without it being connected to a receiver that has the ability to send RS232 commands over the HDBaseT. I notice that it has an internal 5-pin connector that resembles a TTL serial port — I’ll have to see what my bus pirate thinks of that port later.

Anyway, once my Atlona matrix shows up I’ll get a chance to see how it functions. The config software seems to have the ability to disable HDCP on the HDMI input as well as set the EDID properly. We shall see.

To be continued…


Note: This review is to confirm interoperability only and does not represent an endorsement of any products or services by the National Radio Astronomy Observatory.


JS Timer 1.1 released

I’ve released an update to my JS Timer application. Version 1.1 of JS Timer adds a few new features:

  • Configurable labels for “Presentation” and “Q&A” sections – in case you want to call them something else
  • Auto-sizing of the clock widget — The clock widget will attempt to adjust to the window size when it changes

JS Timer can be obtained from my github page at https://github.com/48kRAM/jstimer/releases/tag/release1.1

If you notice any problems or write any patches, please open an issue on github.

Thanks!
