Monitoring SIP Peer in Asterisk

I’ve been experimenting with an external SIP provider for outbound and inbound calling.  Nothing groundbreaking about that; plenty of people use SIP providers rather than traditional landlines.  I recently had an issue with the SIP peer going into unreachable status in Asterisk.  After debugging with the provider I found it to be a weird ARP issue local to the Asterisk server.  The server thought that some of the provider’s IPs were local traffic and so the traffic wasn’t being passed to the default gateway.  Clearing the ARP cache and the IP route cache fixed that issue.

The issue got me thinking about how to monitor the status of the provider, so I set up a simple script that opens an ssh session to the asterisk server and looks for the status of that peer.  When the status is not “OK”, the output is printed and, through the magic of cron, is sent to me.

Here’s the script:

#!/bin/bash

ssh -i /root/.ssh/mykey phoneserver.braingia.org 'asterisk -x "sip show peers"' | grep <providername> | grep -v OK

The script initiates an ssh session using a private key.  The matching public key has already been placed in authorized_keys on the Asterisk server…  and yes, slap my hand for ssh’ing as root here;  I need to fix that.  On the server, the command asterisk -x "sip show peers" is executed against the running Asterisk instance.  That output is piped to grep for the <providername>, which is then piped to grep -v to exclude the “OK” lines, since I assume things are OK and only want to know when they’re not OK.

Admittedly, nothing groundbreaking about this simple one line script either!  But here it is nonetheless, in case anyone finds it useful for monitoring when a sip peer goes unreachable or lagged.
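One blind spot in the one-liner is worth knowing about: if the ssh session fails, or the peer line is missing from the output entirely, grep -v OK prints nothing, which looks exactly like a healthy peer.  The script below is an added example, not the script from the post: it reads the peer table once, treats an absent peer (or empty output) as a failure so the cron mail is never silent, and matches the status column specifically rather than the string OK anywhere on the line.  The peer name myprovider, the sample "sip show peers" output, and the ssh host and key path are all constructed for illustration.

```shell
#!/bin/sh
# Added example: check one SIP peer's status from "sip show peers" output,
# reporting a missing peer (or empty output) as a failure instead of silence.

# Constructed sample output, modelled on the column layout of Asterisk's
# "sip show peers"; the names and addresses are made up.
SAMPLE_PEERS='Name/username             Host                                    Dyn Forcerport Comedia    ACL Port     Status      Description
myprovider/1234567        203.0.113.10                                 Yes        Yes            5060     OK (23 ms)
1001/1001                 192.168.1.50                             D   Yes        Yes            5060     UNREACHABLE
1002/1002                 (Unspecified)                            D   Yes        Yes            0        Unmonitored
3 sip peers [Monitored: 1 online, 1 offline Unmonitored: 1 online, 0 offline]'

# fetch_peers HOST KEYFILE
# Pulls the live peer table over ssh.  Host and key path are placeholders;
# "-rx" is the explicit "connect to the running Asterisk and run this" form.
fetch_peers() {
    ssh -i "$2" "$1" 'asterisk -rx "sip show peers"'
}

# check_peer NAME PEER_TABLE
# Returns 0 silently when NAME's status column reads "OK (...)".
# Prints the offending line, or a not-found message, and returns 1 otherwise,
# so every failure mode, including "no data at all", produces output.
check_peer() {
    # Exact prefix match on "NAME/" so "myprovider" cannot match "notmyprovider".
    line=$(printf '%s\n' "$2" | awk -v prefix="$1/" 'index($0, prefix) == 1')
    if [ -z "$line" ]; then
        echo "peer $1: not present in 'sip show peers' output (ssh failure or peer removed?)"
        return 1
    fi
    # Asterisk prints a reachable peer as "OK (NN ms)".  Matching " OK (" rather
    # than a bare OK means an "OK" in the Description column cannot hide a failing
    # peer, and anything else (UNREACHABLE, LAGGED, UNKNOWN, Unmonitored) is reported.
    case "$line" in
        *" OK ("*) return 0 ;;
        *) echo "$line"; return 1 ;;
    esac
}

# Cron-friendly invocation against a live server (not run here):
#   check_peer myprovider "$(fetch_peers phoneserver.braingia.org /root/.ssh/mykey)"
```

This also makes it easy to stop using root for the check: put the public key in an unprivileged user's authorized_keys with a command="asterisk -rx 'sip show peers'",no-pty,no-port-forwarding prefix, so that key can only ever run that one command (the user still needs write access to Asterisk's control socket for -r to connect).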

Installing nftables on Debian 7.5

[Last Update: 8/11/2014 – Clean up some bits around the options to select.]

This article discusses installation of nftables, the new Linux firewall software, on a Debian 7.5 system.  Nftables is under very active development and therefore the installation steps may change by the time you view this article.  Specifically, the various prerequisites needed in order to build nftables will likely no longer be needed as the software matures, and more importantly, as packages for it become available.

Note: This article begins with a base of Debian 7.5.0 netinst with the SSH Server and Standard System Utilities installed.

There are two primary components involved in an nftables system:  The first component is the Linux kernel, which provides the underlying nftables core modules.  The second component is the administration program called nft.

Compiling a kernel

The Linux kernel that comes with Debian 7.5.0 is based on version

Before you can compile a kernel, you need to get a kernel.  As of this writing, the latest stable kernel is 3.15.  Retrieving it from kernel.org with the wget command looks like this (fetch the matching linux-3.15.tar.sign as well; kernel.org signs the uncompressed tarball, so unxz the archive and run gpg --verify against the .tar before you build from it):

wget https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.15.tar.xz

Then unpack the kernel source:

tar -xvf linux-3.15.tar.xz

You’ll now have a pristine kernel ready to be built.

Several packages are essential and some are helpful for compiling a kernel on Debian.  The package named kernel-package provides useful utilities for creating a Debian packaged kernel.  Kernel-package has several prerequisites but those are all installed when you select kernel-package for installation on the system.

The method shown in this article uses the menuconfig target to configure the kernel.  Other methods, such as the plain text-based make config, which prompts for every option in turn, are also available.  The menuconfig target requires the ncurses development headers (ncurses-devel on Red Hat-style systems); on Debian these are in the libncurses5-dev package and can be installed with this command (run as root):

apt-get install libncurses5-dev kernel-package

Note:  You may need to update the package list by running apt-get update prior to the packages becoming available for installation.

From within the linux-3.15 (or whatever version) directory, run:

make menuconfig

The options necessary within the kernel for nftables are found in the Networking support hierarchy.

Drill-down to the Networking support -> Networking options -> Network packet filtering framework (Netfilter).

Inside of the IP: Netfilter Configuration select IPv4 NAT.  Back up at the Network packet filtering framework menu, select IPv6 Netfilter Configuration and enable IPv6 NAT along with its sub-options of MASQUERADE target support and NPT target support.

Back at the Network packet filtering framework level, enter the Core Netfilter Configuration menu and enable Netfilter nf_tables support.  Doing so opens up several additional options.

Netfilter nf_tables mixed IPv4/IPv6 tables support
Netfilter nf_tables IPv6 exthdr module
Netfilter nf_tables meta module
Netfilter nf_tables conntrack module
Netfilter nf_tables rbtree set module
Netfilter nf_tables hash set module
Netfilter nf_tables counter module
Netfilter nf_tables log module
Netfilter nf_tables limit module
Netfilter nf_tables nat module
Netfilter nf_tables queue module
Netfilter nf_tables reject support
Netfilter x_tables over nf_tables module

Back in the Network packet filtering framework (Netfilter) level, select IP: Netfilter Configuration and find the IPv4 nf_tables support section and enable IPv4 nf_tables route chain support, IPv4 nf_tables nat chain support, and ARP nf_tables support.  Back at the Network packet filtering framework (Netfilter) level, select IPv6: Netfilter Configuration again and enable IPv6 nf_tables route chain support, and IPv6 nf_tables nat chain support.

Note: For the purposes of this article, all of the options will be selected as modules.

Finally, within the Network packet filtering framework (Netfilter) section, enable the Ethernet Bridge nf_tables support feature if you need this functionality.

Once your kernel configuration is complete, you can clean the source tree with the command:

 make-kpkg clean

Now it’s time to compile the kernel.  Depending on the speed of your system it may take several minutes to several hours.  If you have multiple processors, you can likely speed up the process by having make-kpkg use them.  This is accomplished by setting the CONCURRENCY_LEVEL environment variable.  Setting INSTALL_MOD_STRIP=1 alongside it strips debugging symbols from the modules as they are installed, which keeps the resulting package (and the initrd built from it) much smaller; that matters here because all of the netfilter options are built as modules.  For instance, on a system with two processors, the variables are set like this:

export CONCURRENCY_LEVEL=2
export INSTALL_MOD_STRIP=1

Alternately, specify all of it on the command line:

CONCURRENCY_LEVEL=2 INSTALL_MOD_STRIP=1 make-kpkg --initrd --revision=1 kernel_image

Note: On a dual processor quad core system the compile took about 30 minutes.

Once the kernel has been compiled, make-kpkg leaves the .deb in the parent directory of the kernel source tree.  Installation is accomplished (as root) with the command:

dpkg -i linux-image-<your_version_here>.deb

Rebooting the server brings up the shiny new kernel but the server isn’t quite ready to run nf_tables yet.  Prior to compiling the nft administration program, you can verify that the nf_tables module can load.  First, see if the module is already loaded:

lsmod | grep nf_tables

If there’s output then the module has already been loaded.  If not, then you can load the module with modprobe, as such:

modprobe nf_tables

Rerunning the lsmod command (lsmod | grep nf_tables) should give output now, similar to this:

nf_tables              37955  0
nfnetlink              12989  1 nf_tables

Compiling the nft Administration Program

The nft administration program enables control over the firewall, in much the same way that the iptables command controlled an iptables-based firewall.  The nft program depends on the libmnl and libnftnl libraries.  With the large amount of active development underway on nf_tables and related libraries, this tutorial shows how to get the latest copy using Git rather than attempting to install from a package or another method.

apt-get install autoconf2.13 libtool pkg-config flex bison libgmp-dev libreadline6-dev dblatex

Note that dblatex is only needed if you want PDF documentation, which I sometimes do.  Leaving dblatex off the previous apt-get command line saves a fair amount of disk space and keeps the set of installed packages (and therefore the patching surface) smaller.

The three repositories can be cloned into your current directory with the commands below.  Note that git:// is an unauthenticated, unencrypted transport; the same host also serves these repositories over https, which at least lets git verify the server’s certificate before you build and install code from the clone as root.

git clone git://git.netfilter.org/libmnl
git clone git://git.netfilter.org/libnftnl
git clone git://git.netfilter.org/nftables

Once the copies have been downloaded, the next step is to compile the software.  Both libmnl and libnftnl are prerequisites for compiling nftables, so those are compiled first.  Only the make install steps need root; the autogen, configure and make steps can (and preferably should) be run as an unprivileged user:

cd libmnl
./autogen.sh
./configure
make
make install

Now cd up one directory and into the libnftnl directory and compile it:

cd ../libnftnl
./autogen.sh
./configure
make
make install

Finally, compile nftables:

cd ../nftables
./autogen.sh
./configure
make
make install

With the nftables administration program compiled and installed you can now run nft commands!  Because make install placed libmnl and libnftnl under the default /usr/local prefix, the dynamic linker’s cache needs to be refreshed with ldconfig (run as root) before nft can find them; a reboot by itself does not do this.  I did both; a reboot didn’t fix it so running ldconfig as root was the next logical step.  Actually, that might have been the first logical step before rebooting, but that’s how it goes sometimes.

In any event, running the following command should do nothing (and that’s what we want right now):

nft list tables

If the command returns nothing at all, then nft is working fine.  You can create a table with the command:

nft add table filter

Now create a chain with the command:

nft add chain filter input { type filter hook input priority 0 \; }

Note that the space and backslash before the semicolon are necessary when entering the command from the command line: without the backslash the shell treats the semicolon as a command separator and nft never sees it, and the chain specification is then incomplete.

You can now run nft list tables and it will show:

table filter

Running the following command shows the contents of the table:

nft list table filter -a

The output will be:

table ip filter {
        chain input {
                type filter hook input priority 0;
        }
}

That’s it!  You now have nftables running. There are several good tutorials out there that deal with creating an nftables firewall once you’re at this point and I’m also updating my Linux Firewalls book to include coverage of nftables!  It’ll be out in the fall of 2014.
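As an added example that is not part of the original post or the nftables project’s documentation, here is what a first, minimal input-filtering ruleset for the kernel configured above looks like.  It is loaded as a file with nft -f; the path /etc/nftables.conf is an assumption, and each statement is annotated with the menuconfig option from the list above that it depends on.  Since a base chain with no policy accepts whatever nothing else matched, the final explicit drop is what actually closes the host.

```nft
# /etc/nftables.conf (path is an assumption; load with: nft -f /etc/nftables.conf)
#
# The empty test table created above already owns the "input" base chain, so
# remove it first or the load will collide with it:
#   nft delete chain filter input
#   nft delete table filter
#
# Test from the console, not over ssh: if the accept for port 22 below is
# missing or misordered, the remote session dies the moment the file loads.

table ip filter {
        chain input {
                type filter hook input priority 0;

                # Needs "Netfilter nf_tables conntrack module" (nft_ct).
                ct state established,related accept
                ct state invalid drop

                # Needs "Netfilter nf_tables meta module" (nft_meta) for the
                # interface match.
                iif lo accept

                # Payload matches are core nf_tables and need no extra module.
                tcp dport 22 accept
                icmp type echo-request accept

                # Needs "nf_tables counter module" and "nf_tables log module".
                # Logged drops show up in the kernel log with this prefix.
                counter log prefix "nft-input-drop: " drop
        }
}
```

After loading, nft list table filter should echo the ruleset back; if a statement fails with an unknown-expression error, the usual cause is that the corresponding nft_* module from the list above was not built or not loaded (check with lsmod | grep nft_).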

Update: Asterisk on Raspberry Pi

I had been successfully running Asterisk on a Raspberry Pi with an Obi110 interface to PSTN for about a year.  However, I recently switched back to a standard 1u rack mount server for the phone system.  The Raspberry Pi server was just fast enough to support asterisk with a SIP and PSTN outbound and several internal SIP clients but the SD card just wasn’t reliable enough.

Something, and I never found out what, was quite wonky with the SD card, the image, or the Raspberry Pi itself for this particular server.  At various times it would stop working and fail to boot properly after a power cycle.  Swapping out the SD card for a new one with the same image worked sometimes, but sometimes I had to swap out the entire Pi for another one.

I was already sending (just about) all logs towards a centralized log server to prevent writes on the box itself.  In order to increase reliability my next step was to add a USB hub and an external hard drive for the root filesystem, relying on the SD card for boot only.  However, at that point I figured I was only going to create a mess of wires without being fully assured of increasing reliability all that much.  Now there would be two more points of failure (the USB hub and the external drive), thereby making recovery all the more difficult.

I was quite happy with the performance of the Pi for this purpose.  I wonder aloud if something like the Intel Galileo would fare better, if one could get asterisk running on the primary flash.  Regardless, it was a successful experiment.

nft: error while loading shared libraries: libnftnl.so.0: cannot open shared object file: No such file or directory

After compiling nftables and attempting to run nft list tables I received the error:

nft: error while loading shared libraries: libnftnl.so.0: cannot open shared object file: No such file or directory

Turns out I needed to run ldconfig in order to fix the error.  I also rebooted prior to running ldconfig but probably didn’t need to.

svn to git without history

# Assumes a "gituser" account already exists; it has to be added manually.
# Create the bare repository that will be pushed to and cloned from.
mkdir /opt/git/newrepo.git
cd /opt/git/newrepo.git
git init --bare
cd /opt/git
chown -R gituser:gituser newrepo.git
cd ~
mkdir svnrepo-export
cd svnrepo-export
# svn export gives a clean tree with no .svn metadata; the trailing "."
# exports into this directory instead of a subdirectory named after the repo.
svn export <path-to-svn-repo> .
git init
git add .
git commit -m "initial commit"
git remote add origin gituser@localhost:/opt/git/newrepo.git
git push origin master
<move old real svn repo out of the way>
git clone gituser@localhost:/opt/git/newrepo.git <directory>

Perl to Python RSS Conversion

For quite some time, I’ve had my own personal homepage containing commonly used links, server status, subject lines of e-mails, and RSS news feeds.  Nothing exciting there.  The RSS feeds are retrieved by a program that runs every N minutes through cron and places the entries into a MySQL table.  Again, nothing exciting.  However, recently the Perl program that I’ve been using to retrieve the RSS has been consuming a bigger percentage of the available resources on the server.  More accurately, the server on which the RSS retriever is hosted is more heavily utilized now, so when the RSS parser runs it becomes noticeable on the server’s load average.

Of course, one way to solve it is to throw more hardware at it, like more CPU and RAM.  However, that would be too easy.  Instead I threw together a python program using feedparser just to see the difference in performance between the two for this purpose.  The results were surprising.  Python took about 2.8 seconds in real time and used significantly less system resources to do so.  Perl took ~11 seconds for the same feeds at roughly the same time.

I’m not writing this to be a knock against Perl; more likely the methods that I used to parse the RSS in Perl (and my general Perl programming skills?) are the issue.

Timings below.

Python:

real 0m2.868s
user 0m1.808s
sys 0m0.072s

Perl:

real 0m11.016s
user 0m4.108s
sys 0m0.144s

Windows Password Expiration

When writing books I typically find myself needing to use Windows servers in various forms.  However, I don’t need the password to expire.  I always forget how to disable that, erm, feature.  So here it is.  Nothing groundbreaking here, just me writing it down so I can find it later.

For local password expiration:

gpedit.msc

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy | Maximum Password Age

For domain password expiration:

The Group Policy tab is missing in Active Directory Users and Computers (ADUC), so I went about it like this (there’s probably a different way):

Open “Group Policy Management” from the Tools menu in Windows Server 2012.

Click on Default Domain Policy within the domain that you’re working on.  Ignore the warning, if it comes up.  Click on the Settings tab.  Drill down through Policies -> Windows Settings -> Security Settings -> Account Policies/Password Policy.  Right-click Maximum password age.  This will open Group Policy Management Editor.

Within Group Policy Management Editor:  Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.

Whew.

Possibly run gpupdate /force on clients.

Watch out that this doesn’t apply for domains:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;269236

The beauty of e-mail aliases and vanity domains

I use the braingia.org domain as my own personal domain (as you can see by visiting this site).  I also use it for e-mail.  When providing an e-mail address through an online form, I typically create an e-mail alias for that site.  Doing so enables me to track if that site sells my e-mail address or, as happened the last couple weeks, starts sending out a ton of advertising.  Just today I deleted two e-mail aliases because the sites have become more aggressive when trying to solicit their wares.  I won’t bother to mention the sites or companies; they did nothing wrong other than start sending out multiple e-mails per week.

Could I have unsubscribed?  Sure, probably, maybe?  It’s not clear that I would’ve received less garbage from them though and doing so would’ve required more time than simply deleting the e-mail aliases.

Lesson learned for me (and you):  Use e-mail aliases liberally when signing up for services or filling out forms.

Lesson learned for companies:  Stop sending so much junk mail.  You may really, really think that what you’re offering is important and, if you send just one more e-mail, I might come back to your site.  But get some self-control.  Sending out an e-mail every now and again is fine.  Sending multiple e-mails in the same week over the course of a couple weeks is too much.

iOS 7: First Impressions

After getting through some unexpected activation issues last night I spent some time with iOS 7 today and this evening.  First impression:  If this is the UI that Jony Ive designed then he should be fired and be sent to a deserted monochrome island.  There is simply not enough contrast for, well, anything in the UI. The tiles blend together and the new fonts don’t do anything to help the situation.

Everything seems to blend together, there’s no texture or feel for any of the buttons or any of the UI within apps.  It’s not even clear which way to slide to unlock – the arrow/slider is missing (or at least I can’t see it).  What is clear is that Apple has taken minimalist somewhat too far.  If this is an evolution in minimalist then I expect the next iteration will just be a blank white screen where you poke at the UI with the hope that it will do something.

For now, I’ve reverted back to iOS 6.  I’m sincerely hoping that this early beta doesn’t capture the true iOS 7 look and feel or user experience.  I hope I can write an update to this post later saying how wonderful iOS 7 is (and some of the features appear to be nice).  But for now, the UI needs fixing.  Tempted to file a bug about the UI…