Tuesday, July 5, 2016

Access ATAPI DVD writer on VMware ESXi 4.x Windows Guest VM

To access the physical DVD writer from a Windows guest VM, there is no alternative but to present it as a SCSI device.

IDE passthrough of the CD/DVD-ROM device did not seem promising at all in my tests across different ESXi 4.x boxes.

In the end, this is the way that got me through. You need the vSphere client open on a remote machine for monitoring and control, and a remote desktop session into the target Windows guest VM to check read/write access to the physical DVD drive.

In the remote vSphere client it is easy to add a new SCSI device for the physical DVD drive. Shut the Windows guest VM down before adding the new SCSI device.

Once the SCSI DVD device is added to the guest VM's profile, start the VM again to see whether the device is detected.

When you can log in to the Windows guest VM, go back to the vSphere client and click the CD/DVD-ROM device icon to connect it to the host's physical device. You should see the device's raw ID in the selection list. Once connected, the physical SCSI DVD drive should be ready for read and write operations on your Windows guest VM.


Wednesday, May 11, 2016

Practical way to tackle WiFi dropout and slow performance issue in OS X El Capitan

There have been a couple of occasions when I needed to upgrade Mac OS X, and chances are I have completely forgotten those tweaking tips and hope things will be resolved in the next version. WiFi connection tweaking is something I can be reminded of from the forums, and an explanation helps me remember what I should do every single time I upgrade OS X.

There are all kinds of threads about the WiFi dropout issue on OS X, and some suggest a standard procedure to get around it. For WiFi, Apple sticks to the standard Ethernet MTU of 1500 bytes. But is 1500 actually right for the network you are on?

With the WiFi connection up, run a ping test like this:

$
$
$ ping -D -s 1500 google.com
PING google.com (203.5.76.246): 1500 data bytes
ping: sendto: Message too long
ping: sendto: Message too long

Note:
Option -D sets the Don't Fragment bit, so the packet must be transmitted whole or not at all (the Linux equivalent is -M do)
Option -s 1500 sets the ICMP payload to 1500 bytes

The problem is that the IP and ICMP headers are added on top of that payload for every transmission, so a 1500-byte payload makes a 1528-byte datagram, larger than the 1500-byte interface MTU. With Don't Fragment set the kernel refuses to send it, and that is the 'Message too long' response.

To work out the right value, do the math:

MTU = largest unfragmented payload + overhead

What is the overhead? 28 bytes: 20 bytes for the IPv4 header and 8 bytes for the ICMP echo request header.

So the largest payload that fits in a single unfragmented packet is:

payload = MTU - 28 bytes

With the theoretical MTU of 1500, the payload allowed is

(1500 - 28) = 1472 bytes

But, is it practical? Let's test this.

To test this magic number, issue the following command in Terminal:

$
$
$ ping -D -s 1472 google.com
PING google.com (203.5.76.246): 1472 data bytes
1480 bytes from 203.5.76.246: icmp_seq=0 ttl=56 time=7.787 ms
1480 bytes from 203.5.76.246: icmp_seq=1 ttl=56 time=4.838 ms
1480 bytes from 203.5.76.246: icmp_seq=2 ttl=56 time=4.360 ms
1480 bytes from 203.5.76.246: icmp_seq=3 ttl=56 time=6.184 ms

Packets with a 1472-byte payload go through unfragmented, so the path MTU of this particular WiFi network is 1472 + 28 = 1500 bytes: the theoretical value happens to hold this time.

When the interface MTU is no larger than what the path actually carries, every packet travels whole instead of being fragmented, or, with the Don't Fragment bit set, silently dropped by a hop that cannot forward it; those black-holed packets are what show up as stalls and dropouts. Under good signal conditions the saving on fragmentation also helps throughput.

Bear in mind that the largest working payload differs between locations and wireless routers. Look for the largest payload that succeeds on every network you connect to, at home and at the office, by stepping the value down until the Don't Fragment ping works everywhere.

Enter the resulting MTU, that is the working payload plus 28 (not the payload itself), in System Preferences > Network > Advanced... > Hardware, with Configure set to Manually and MTU set to Custom. Hopefully it reduces the WiFi dropouts and improves the WiFi network speed.
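Stepping the payload down by hand gets tedious across several networks. The script below is an added example, not part of the original post: it binary-searches the largest Don't Fragment payload that a host answers and converts it to the MTU value to enter. It assumes the macOS ping flags used above (-D, -s, plus -t for a timeout) and a target that answers echo requests (google.com, as in the post); TARGET and RUN_PROBE are this script's own variables, not anything from OS X.

```bash
#!/bin/sh
# Added example (not from the original post): find the largest ICMP payload that
# crosses the path with Don't Fragment set, then derive the MTU for the Network
# preferences. Uses macOS ping flags (-D = DF bit, -s = payload bytes,
# -t = overall timeout in seconds); on Linux the probe would be
# "ping -M do -s SIZE -c 1 -w 2 HOST" instead.

TARGET="${TARGET:-google.com}"   # assumption: any host that answers echo requests

# One DF probe with payload $1; returns 0 on a reply, non-zero on
# "Message too long", "frag needed and DF set" or a timeout.
probe_payload() {
    ping -D -c 1 -t 2 -s "$1" "$TARGET" >/dev/null 2>&1
}

# Binary search for the largest payload in [lo, hi] that probe_payload accepts.
# Prints the payload; prints 0 and fails if even the lower bound is refused.
find_max_payload() {
    lo=$1
    hi=$2
    probe_payload "$lo" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe_payload "$mid"; then
            lo=$mid          # mid fits: the answer is mid or larger
        else
            hi=$((mid - 1))  # mid is too big
        fi
    done
    echo "$lo"
}

# 20-byte IPv4 header + 8-byte ICMP echo header sit on top of the payload.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Probe only when asked, so the functions can be sourced without network access.
if [ "${RUN_PROBE:-0}" = 1 ]; then
    payload=$(find_max_payload 1200 1500) || { echo "even a 1200-byte payload fails" >&2; exit 1; }
    echo "largest DF payload to $TARGET: $payload bytes"
    echo "MTU to set:                   $(payload_to_mtu "$payload") bytes"
fi
```

Run it with RUN_PROBE=1 on each network you use and take the smallest MTU it reports; that is the value that works everywhere.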












Thursday, April 21, 2016

Secure network daemons using TCP wrapper on Ubuntu

Many blog posts point out that a network daemon like sshd can be protected through two files, /etc/hosts.deny and /etc/hosts.allow.

What about httpd or nginx? They serve web clients on the network, yet TCP wrapper does not seem to restrict access to them.

TCP wrapper is only effective when the daemon itself is linked against the libwrap.so library (or is launched through tcpd from inetd). To check whether a daemon depends on libwrap.so, run:

$ ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib/.../libwrap.so.0 (0xb55a5000) 

sshd does link the TCP wrapper library, so it can be managed through /etc/hosts.deny and /etc/hosts.allow. Note that upstream OpenSSH removed libwrap support in 6.7, so on releases newer than Ubuntu 14.04 sshd no longer shows this dependency either; there you fall back to firewall rules or sshd's own controls (Match blocks, AllowUsers).

The ldd test shows no TCP wrapper dependency for httpd or nginx, which is why TCP wrapper has no effect on those two daemons even with matching entries in the two files. Restrict them with the firewall (ufw/iptables) or their own access controls (Apache Require ip, nginx allow/deny) instead.

Keep in mind: check the daemon's library dependencies before trying to secure it with TCP wrapper.
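To turn the ldd check into something you can run across a whole host, here is an added example (not from the original post) that walks the listening TCP sockets, resolves each process to its binary and reports whether it links libwrap. It assumes a Linux box with iproute2's ss and /proc; the admin network in the hosts.allow comment is a made-up 192.0.2.0/24, and RUN_AUDIT is just this script's own switch.

```bash
#!/bin/sh
# Added example (not from the original post): list every listening TCP daemon
# and say whether its executable links libwrap, i.e. whether hosts.allow and
# hosts.deny have any effect on it. Run as root to see other users' processes.
#
# Example policy for a daemon that does link libwrap (assumed admin network
# 192.0.2.0/24; hosts_access(5) takes net/mask pairs):
#   /etc/hosts.allow   sshd: 192.0.2.0/255.255.255.0
#   /etc/hosts.deny    sshd: ALL

# Is the binary at $1 linked against libwrap? 0 = yes, 1 = no.
links_libwrap() {
    ldd "$1" 2>/dev/null | grep -q 'libwrap\.so'
}

# Extract the pid=NNN values from one line of `ss -tlnp` output, one per line.
pids_from_ss_line() {
    printf '%s\n' "$1" | grep -o 'pid=[0-9][0-9]*' | cut -d= -f2 | sort -un
}

# Resolve a pid to the executable it is running.
exe_of_pid() {
    readlink -f "/proc/$1/exe" 2>/dev/null
}

# One report line per listening process: pid, binary, wrapper status.
audit_listeners() {
    ss -tlnp 2>/dev/null | tail -n +2 | while IFS= read -r line; do
        for pid in $(pids_from_ss_line "$line"); do
            exe=$(exe_of_pid "$pid")
            [ -n "$exe" ] || continue        # process gone, or not visible without root
            if links_libwrap "$exe"; then
                status="libwrap: yes  (hosts.allow/hosts.deny apply)"
            else
                status="libwrap: no   (use ufw/iptables or the daemon's own ACL)"
            fi
            printf '%-7s %-35s %s\n' "$pid" "$exe" "$status"
        done
    done | sort -u
}

if [ "${RUN_AUDIT:-0}" = 1 ]; then
    audit_listeners
fi
```

Run it as `sudo RUN_AUDIT=1 sh libwrap-audit.sh`; anything reported as "libwrap: no" needs a firewall rule or its own access control, because hosts.deny will never see its connections.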




Friday, April 15, 2016

Nginx php-fpm security.limit_extension issue

Something weird came up while tweaking the Nginx PHP-FPM configuration. The https URL suddenly went offline and the server log showed:
[error] 18292#0: *1 FastCGI sent in stderr: "Access to the script '/usr/share/nginx/html' has been denied (see security.limit_extensions)", client: x.x.x.x, server: localhost, request: "GET /index.php HTTP/1.1", host: "xxx.net"

People suggest turning security.limit_extensions off by setting it to an empty value, but that is a real security regression, not a fix: this setting is what stops PHP-FPM from executing a file whose name does not end in .php, which is exactly the protection needed against the well-known nginx pathinfo problem (an uploaded image.jpg with PHP inside being executed through a request for /image.jpg/foo.php). Leave it alone and fix the cause.

It turned out that one line in /etc/nginx/sites-enabled/default caused the error:
#
#
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
For a plain request like /index.php, $fastcgi_path_info is empty, so PATH_TRANSLATED becomes the bare document root, a directory with no .php extension, and that is exactly the path FPM refuses in the message above. Commenting the line out is fine, and the .php page also loads fine if it is changed to:

# Fix for missing params and blank php page display problems
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO          $fastcgi_path_info;
#fastcgi_param PATH_TRANSLATED    $document_root$fastcgi_path_info;
fastcgi_param PATH_TRANSLATED    $document_root$fastcgi_script_name;
Reload nginx and everything loads properly again. PATH_TRANSLATED is not required by PHP at all, and nginx's stock fastcgi_params does not set it, so simply dropping the line is the cleanest option.
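Since the tempting "fix" is to blank out security.limit_extensions, here is an added example (not from the original post) of a small lint for the two settings that decide whether FPM will run a file that is not named *.php: security.limit_extensions in the pool file and cgi.fix_pathinfo in php.ini. The /etc/php/7.0/fpm paths are assumptions for Ubuntu, and WEAK_POOL and SAFE_POOL are constructed fragments used only for the self-check.

```bash
#!/bin/sh
# Added example (not from the original post): flag a PHP-FPM pool that has
# security.limit_extensions blanked out, and report cgi.fix_pathinfo.
# Paths below are assumptions for Ubuntu's php7.0-fpm package.

# Value of the last active (uncommented) "key = value" line in an ini file.
# Prints "<unset>" when the key does not appear, so an absent key can be told
# apart from a key deliberately set to nothing.
ini_value() {
    key=$1
    file=$2
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    line=$(grep -E "^[[:space:]]*${pat}[[:space:]]*=" "$file" | tail -n 1)
    if [ -z "$line" ]; then
        echo '<unset>'
    else
        printf '%s\n' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^"//; s/"$//'
    fi
}

# security.limit_extensions: FPM's built-in default (.php) applies when unset;
# an empty value disables the check and lets FPM run any file nginx hands it.
# Returns 0 when the pool is safe, 1 when it is weak.
limit_extensions_ok() {
    v=$(ini_value security.limit_extensions "$1")
    [ "$v" != "" ]
}

# cgi.fix_pathinfo: 1 (PHP's default) makes FPM walk /a.jpg/x.php back to a.jpg,
# which is the half of the pathinfo problem that limit_extensions covers for.
# Prints the effective value (1 when unset).
fix_pathinfo_value() {
    v=$(ini_value cgi.fix_pathinfo "$1")
    [ "$v" = '<unset>' ] && v=1
    echo "$v"
}

# Constructed pool fragments for the self-check (not real configs).
WEAK_POOL='[www]
listen = /run/php/php7.0-fpm.sock
security.limit_extensions =
'
SAFE_POOL='[www]
listen = /run/php/php7.0-fpm.sock
;security.limit_extensions = .php .php3 .php4 .php5 .php7
'

# Report on real files when asked; POOL and PHPINI override the assumed paths.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    pool=${POOL:-/etc/php/7.0/fpm/pool.d/www.conf}
    ini=${PHPINI:-/etc/php/7.0/fpm/php.ini}
    if limit_extensions_ok "$pool"; then
        echo "ok:   security.limit_extensions is enforced in $pool"
    else
        echo "WEAK: security.limit_extensions is empty in $pool (FPM will run non-.php files)"
    fi
    echo "info: cgi.fix_pathinfo = $(fix_pathinfo_value "$ini") in $ini"
fi
```

Run it with RUN_CHECK=1 after every FPM change; a "WEAK" line means the PATH_TRANSLATED error above was papered over instead of fixed.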









Thursday, April 14, 2016

Adding Fail2Ban UFW Portscan Filter on Ubuntu

To cut down on port scans from bad bots around the world, Fail2Ban can be fed the UFW block log through a filter.

Assuming Fail2Ban is already in place, edit the jail configuration:
$ sudo nano /etc/fail2ban/jail.local

Add new section in jail.local:

[ufw-port-scan]

enabled   = true
ignoreip  = 127.0.0.1/8
port      = all
filter    = ufw-port-scan
banaction = ufw
logpath   = /var/log/ufw.log
maxretry  = 20

Two caveats before enabling this. Every blocked packet counts as a failure, including UDP and ICMP, whose source address is trivially forged, so anyone can get a third party banned from your host by spraying spoofed packets at a closed port; add your own resolvers, monitoring hosts and management networks to ignoreip (127.0.0.1/8 alone is not enough) and keep maxretry well above what a legitimate peer produces. Also, the default findtime of 600 seconds applies unless you set one, so 20 blocked packets within 10 minutes triggers the ban.

Create the filter as follows:
$ sudo nano /etc/fail2ban/filter.d/ufw-port-scan.conf

Add these lines to ufw-port-scan.conf (the <HOST> tag is mandatory: it is the capture group fail2ban uses to pull out the address to ban, and fail2ban rejects a failregex without it):
[Definition]
failregex = .*\[UFW BLOCK\] IN=.* SRC=<HOST>
ignoreregex =
Create the ban action config file as follows:

$ sudo nano /etc/fail2ban/action.d/ufw.conf

Add these lines to ufw.conf (<ip> is replaced by fail2ban with the banned address):


[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any
actionunban = ufw delete deny from <ip> to any

Have a service restart and it's good to go.
$ sudo service fail2ban restart

It's possible to test the regex against the real log as well:
$ fail2ban-regex /var/log/ufw.log '.*\[UFW BLOCK\] IN=.* SRC=<HOST>'

Then you might get some results back like these:

Running tests
=============

Use   failregex line : .*\[UFW BLOCK\] IN=.* SRC=<HOST>
Use         log file : /var/log/ufw.log.1


Results
=======

Failregex: 163 total
|-  #) [# of hits] regular expression
|   1) [163] .*\[UFW BLOCK\] IN=.* SRC=<HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [163] MONTH Day Hour:Minute:Second
`-

Lines: 163 lines, 0 ignored, 163 matched, 0 missed
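To see what maxretry=20 means on your own traffic before switching the jail on, the following added example (not from the original post) does the jail's counting by hand over UFW log lines: blocked packets per source, the sources that would trip a given threshold, and the distinct ports one source probed, which separates a scanner from a peer stuck on a single port. The lines in SAMPLE_LOG are constructed in UFW's kernel-log format, not taken from a real host; RUN_DEMO is this script's own switch.

```bash
#!/bin/sh
# Added example (not from the original post): do by hand what the ufw-port-scan
# jail does, over UFW log lines, so maxretry can be tuned against real traffic.
# SRC on a blocked packet is whatever the sender put there; for UDP and ICMP it
# is freely spoofable, which is why ignoreip matters.

# Constructed sample in UFW's kernel-log format (not from a real host):
# one source hitting four different ports, two other sources blocked once each.
SAMPLE_LOG='Apr 14 10:00:01 web kernel: [ 1201.100] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:ab:cd:ef:00:16:3e:12:34:56:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 14 10:00:02 web kernel: [ 1202.100] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:ab:cd:ef:00:16:3e:12:34:56:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54322 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 14 10:00:03 web kernel: [ 1203.100] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:ab:cd:ef:00:16:3e:12:34:56:08:00 SRC=203.0.113.99 DST=203.0.113.5 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=60
Apr 14 10:00:04 web kernel: [ 1204.100] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:ab:cd:ef:00:16:3e:12:34:56:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54323 PROTO=TCP SPT=40000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 14 10:00:05 web kernel: [ 1205.100] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:ab:cd:ef:00:16:3e:12:34:56:08:00 SRC=192.0.2.50 DST=203.0.113.5 LEN=70 TOS=0x00 PREC=0x00 TTL=57 ID=2 PROTO=UDP SPT=53 DPT=53 LEN=50
Apr 14 10:00:06 web kernel: [ 1206.100] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:ab:cd:ef:00:16:3e:12:34:56:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54324 PROTO=TCP SPT=40000 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0'

# Read log lines on stdin; print "count src" per blocked source, noisiest first.
blocked_sources() {
    grep '\[UFW BLOCK\]' | sed -n 's/.* SRC=\([0-9a-fA-F.:]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Sources whose count reaches $1, i.e. what the jail would ban at maxretry=$1.
sources_over() {
    blocked_sources | awk -v n="$1" '$1 >= n {print $2}'
}

# Distinct destination ports source $1 was blocked on, ascending, space separated.
# Many ports from one source is the scan signature; many hits on one port is
# usually a brute-forcer, or a legitimate peer you have blocked by mistake.
ports_probed_by() {
    grep "\[UFW BLOCK\].* SRC=$1 " | sed -n 's/.* DPT=\([0-9]*\).*/\1/p' \
        | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Demo on the constructed sample. For real data feed the log file instead,
# e.g.:  sources_over 20 < /var/log/ufw.log
if [ "${RUN_DEMO:-0}" = 1 ]; then
    echo "blocked packets per source:"
    printf '%s\n' "$SAMPLE_LOG" | blocked_sources
    echo "would be banned at maxretry=3: $(printf '%s\n' "$SAMPLE_LOG" | sources_over 3)"
    echo "ports probed by 198.51.100.7: $(printf '%s\n' "$SAMPLE_LOG" | ports_probed_by 198.51.100.7)"
fi
```

Source the file and run `sources_over 20 < /var/log/ufw.log` to see who the jail would have banned over the life of the log, then check the noisiest entries with ports_probed_by before trusting the threshold.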












Monday, April 11, 2016

Nginx PHP-FPM display blank page for .PHP file on Ubuntu

Setting up a new Nginx instance is not the fun most blog posts make it sound like when it serves a blank page right after start. That is annoying when you set things up from scratch.

First things first:

Check whether PHP-FPM is running:

$
$ ps aux | grep --color php-fpm
root      1898  0.0  1.8 209928 18992 ?        Ss   11:48   0:00 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
www-data  1900  0.0  0.6 210060  6660 ?        S    11:48   0:00 php-fpm: pool www
www-data  1901  0.0  0.5 210060  6088 ?        S    11:48   0:00 php-fpm: pool www


You may also notice that the pool processes are owned by some other user, like nginx or apache. Make sure the user/group in the php-fpm pool config match the user/group Nginx runs as, e.g. www-data/www-data, and that listen.owner/listen.group in the same file match as well, or nginx cannot open the FPM socket.

Default location of php-fpm 7.0 config file:

/etc/php/7.0/fpm/pool.d/www.conf

Default location of Nginx config file:
/etc/nginx/sites-available/default

Back to the question of why nginx displays a blank page. Let's take a look at the Nginx config file:

...
...
server {
        ...
        location ~ \.php$ {
                # Only pass scripts that really exist on disk; this is what stops a
                # request like /uploads/x.jpg/foo.php from running x.jpg as PHP.
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                # "microcache" must be declared with fastcgi_cache_path in the http block (elided above)
                fastcgi_cache  microcache;
                fastcgi_cache_key $scheme$host$request_uri$request_method;
                fastcgi_cache_valid 200 301 302 30s;
                fastcgi_cache_use_stale updating error timeout invalid_header http_500;
                fastcgi_pass_header Set-Cookie;
                fastcgi_pass_header Cookie;
                fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                # Fix for missing params and blank php page display problems:
                # fastcgi_params does not set SCRIPT_FILENAME, and without it FPM has nothing to run
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;

        }
}


The line "include fastcgi_params" pulls in /etc/nginx/fastcgi_params, which initialises a whole set of fastcgi_param variables, but not SCRIPT_FILENAME. Without SCRIPT_FILENAME, PHP-FPM is never told which script to run and answers with an empty body, hence the blank page.

Add SCRIPT_FILENAME back to the Nginx config and PHP executes again! PATH_TRANSLATED is optional; PHP does not need it. Alternatively, Debian and Ubuntu ship /etc/nginx/fastcgi.conf, which is fastcgi_params plus the SCRIPT_FILENAME line, so "include fastcgi.conf;" in place of "include fastcgi_params;" does the same job.

Ref: https://www.narga.net/avoid-nginx-wordpress-blank-page/







Thursday, January 7, 2016

Windows 10 Wi-Fi get disconnected intermittently


Having witnessed the rollout of Windows version 3, I'm still not a big fan, and now it has turned into version 10. For some reason I needed to start digging through Google searches to find something useful. The fact is that my friend's parents got into trouble using their Windows laptop at home, and they are not tech savvy enough to adapt to the new order set by Microsoft in the new year. After an upgrade to Windows 10, voilà! Nothing works! That's what you might expect. Well, fixing the problem would be easier than teaching them Linux or OS X from the ground up.

Having updated the Wi-Fi adapter driver provided by the manufacturer, the wireless connection seems to work for a while. And then things happen... Internet Explorer becomes unresponsive and shows an error about the network connection. The same happens with Microsoft Edge. It ends up with the wireless connection broken and not recovering in time; it actually remains broken until you do something. Most of the time the Wi-Fi hotspot needs to be connected again manually, which is a little beyond what the elderly would understand. They might just blame someone for not setting things up right.

To stay out of trouble, we need an all-year-round solution that cures this symptom automatically.

An active recovery process sounds good here. With a scheduled task triggered by a system event, it is possible to catch the disconnection and then launch a series of commands to recover the network connection behind the scenes. Grannies don't even want to see something fixing their trouble.

To create a task triggered when the network is disconnected, use Event ID 10001 (network disconnected) from the NetworkProfile operational log as the trigger.

Launch Task Scheduler: search for it in the Start menu or run taskschd.msc (the All Programs –> Accessories –> System Tools path is from Windows 7).

Click Action –> Create Task…
Give your task a name in the General tab and tick "Run with highest privileges", because netsh, arp -d and nbtstat need an elevated context. Then click Triggers, click New and choose "On an event" with these settings:

Log: Microsoft-Windows-NetworkProfile/Operational
Source: NetworkProfile
Event ID: 10001

Also make sure no network-connection condition is set on the Conditions tab, since you won't be connected when this fires.

Add the action in the Actions tab and click OK to finish the task. Of course, an action that pops up "It worked!" resolves nothing; the action has to be a batch script (or a PowerShell script) that fixes things up.

Someone came up with a solution to recover from network disconnection when Windows 8 was released, so it's not a new problem after all. I don't use Windows 8 myself, so I hadn't noticed the problem at all.

A possible batch script would be this:

@echo off
rem fixmywifi.bat: bounce the adapter and refresh addressing after a disconnect event.
rem Must run elevated (tick "Run with highest privileges" on the task).
rem Use the adapter name shown by: netsh interface show interface
netsh interface set interface name="Wi-Fi" admin=disabled
netsh interface set interface name="Wi-Fi" admin=enabled
ipconfig /release
ipconfig /renew
arp -d *
nbtstat -R
nbtstat -RR
ipconfig /flushdns
ipconfig /registerdns

Change the interface name to suit your setup. It can be "Wi-Fi", "Ethernet" or something else in particular; check your network adapter settings (or the output of netsh interface show interface) to see what it is called.

Call it "fixmywifi.bat" or "givemebackmynetwork.bat", point the task's action at the script file, and it will run in the background and try to recover the network connection whenever the disconnection event fires.













Embedded image in email via PHP Mail_mime

Ever tried to find the best way to include your favourite logo image in an email message in the hope that your recipients will actually see it?

It was quite confusing why the image would show up in one email client but not in others. One challenge is how to display an image correctly in a message for the MS Outlook client.

After reading the blog post in question, there are basically at least three ways to do so. Of course, we need to find a balance between compatibility across the various email clients and the overall size of the message to be sent.

A CID-embedded image (a.k.a. inline image) is the old-school way to include images or graphics in an HTML-formatted message. It increases the size of every email you send out, but it is by far the most compatible way to have the image displayed by desktop email clients and webmail services. The trade-off is the inconsistent rendering by the various email clients, which sometimes turns out ugly.

Example as below:



Friday, November 6, 2015

Install PHP 7 + mod_fcgid + opcache on Ubuntu 14.04



PHP 7 has become a hot topic recently, as it claims a running speed catching up with HHVM while requiring no big changes to source code, apart from the function calls deprecated or removed in the new release.

This is good news, as nowadays guest VMs for hosting tend to be slim in resources, i.e., 512 MB, 256 MB or less. Running a plain old build of Apache with default settings is going to slow everything down.

This is a quick guide for a fresh installation of a LAMP server with the newest PHP 7 engine on top of it. To keep response rates high under heavy concurrency you may want to run PHP as FastCGI processes instead of as an Apache module. Please check the steps below carefully; for goodness' sake, you might miss something along the way without the help of a cup of coffee, which is exactly my situation.

PHP 7 is now in the final stage before the official release, so source updates are happening more frequently than ever. As of the time of writing it is PHP 7.0.0 RC 6, and of course no one would like to miss that bit, even in a nightly build.



Here we start in Terminal app on Ubuntu 14.04:

Step 1:


Install the LAMP stack from the ground up:

$
$ sudo apt-get update && sudo apt-get install lamp-server^


Please mind the caret (^) at the end: it selects the lamp-server task rather than a package of that name.

This installs the packages for Apache 2, MySQL and PHP 5 (not PHP 7 yet; that comes in Step 3).

Step 2: (Optional)


You might want a newer Apache 2 than the 2.4.7 locked into the Ubuntu 14.04 LTS release, since LTS implies not only a stable build but also infrequent updates to its packages.

To upgrade Apache 2, add the PPA to Ubuntu's sources and let apt pull the newer packages (note that apt-get -f means "fix broken dependencies", not "force", so it is not the right tool here):

$
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:ondrej/apache2
$ sudo apt-get update && sudo apt-get install apache2
$

Step 3:
Obtain PHP 7 early release


This adds Zend's PHP 7 early-access repo. Two notes: it is an unsigned third-party repository of nightly builds, fine for a test box but not something to run on a production server; and "sudo echo ... >> file" does not work, because the redirect is performed by your own shell rather than by sudo, so pipe through tee instead:

$
$ echo "deb http://repos.zend.com/zend-server/early-access/php7/repos ubuntu/" | sudo tee -a /etc/apt/sources.list
$


To install the PHP 7 nightly build, issue the following command:

$
$ sudo apt-get update && sudo apt-get install php7-nightly
$


Once done, PHP 7 is installed under /usr/local/php7. Keep this path in mind when looking for anything related to the PHP configuration.

To load PHP 7 as an Apache module, first make sure Step 1 is done properly, then copy the module and its load file into the Apache 2 folders (this is optional for the rest of the guide, which runs PHP through mod_fcgid rather than mod_php):

$
$ sudo cp /usr/local/php7/libphp7.so /usr/lib/apache2/modules/
$ sudo cp /usr/local/php7/php7.load /etc/apache2/mods-available/
$



For an initial PHP configuration with OPcache, create a new php.ini at the following path:

/usr/local/php7/php.ini

Copy and paste the following parameters into php.ini:
max_execution_time=600
memory_limit=128M
; Never show errors to visitors, but keep logging them: with error_reporting=0
; and log_errors=0 a failing request leaves no trace at all. These are the
; php.ini-production defaults; error_log defaults to the SAPI's own log.
error_reporting=E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors=0
log_errors=1
user_ini.filename=
realpath_cache_size=2M
cgi.check_shebang_line=0
zend_extension=opcache.so
opcache.enable_cli=1
opcache.save_comments=0
opcache.fast_shutdown=1
; Re-stat scripts at most once a minute; on a box where deploys restart PHP
; anyway, validate_timestamps=0 saves the stat calls entirely.
opcache.validate_timestamps=1
opcache.revalidate_freq=60
opcache.use_cwd=1
opcache.max_accelerated_files=100000
opcache.max_wasted_percentage=5
opcache.memory_consumption=128
opcache.consistency_checks=0


Step 4:
Install mod_fcgid module


$
$ sudo apt-get install libapache2-mod-fcgid
$


Step 5:
Enable and disable relevant Apache modules


The default Apache build uses the event MPM. mod_fcgid itself works with any MPM; the point of switching is that the PHP 5 module forces the single-threaded prefork MPM, and once mod_php is out of the picture a threaded MPM such as worker (or event) handles concurrency far better. Before enabling a new MPM, disable the ones currently enabled.

One important thing here: disable the PHP 5 module entirely to avoid any conflict with the upcoming PHP 7. Apache cannot load both the PHP 5 and PHP 7 modules for the same .php file type, or it won't even start.

$
$ sudo a2dismod mpm_event
$ sudo a2dismod mpm_prefork
$ sudo a2enmod mpm_worker
$ sudo a2dismod php5
$


Step 6:
Enable SSL in Apache


Enable SSL module as follow:

$
$ sudo a2enmod ssl
$ sudo mkdir /etc/apache2/ssl
$

Prepare a self-signed certificate (good enough for testing; use a CA-issued certificate for anything reachable by the public):

$
$ sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
$

The key and certificate will be created and placed in your /etc/apache2/ssl directory.

Open the default SSL configuration file with root privileges now:

$
$ sudo nano /etc/apache2/sites-available/default-ssl.conf
$

Modify two lines to match the newly created certificate files:

        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key

And finally it may look like this:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [7-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

To activate SSL Virtual Host, please type:

$
$ sudo a2ensite default-ssl.conf
$


Step 7:
Add mod_fcgid related configurations


Go find the default configuration files for Apache, like

/etc/apache2/sites-enabled/000-default.conf

/etc/apache2/sites-enabled/default-ssl.conf

Edit each file with the following instructions.

Add the following configuration to the root directory section in the vhost block:

<IfModule mod_fcgid.c>
 # FCGID registers a handler named fcgid-script
 AddHandler fcgid-script .php
 Options +ExecCGI
 FcgidWrapper /usr/local/php7/bin/php-fcgid-wrapper
</IfModule>


Also, add the relevant settings outside the vhost block:

<IfModule mod_fcgid.c>
 # Context - server config
 FcgidMaxProcesses 150
 # Otherwise php output shall be buffered
 FcgidOutputBufferSize 0
</IfModule>


Step 8:
Add Wrapper script of php-cgi


Now create the wrapper script that mod_fcgid uses to launch php-cgi processes.

Script filename: php-fcgid-wrapper

#!/bin/sh
# Set desired PHP_FCGI_* environment variables.
# Example:
# PHP FastCGI processes exit after 500 requests by default.
PHP_FCGI_MAX_REQUESTS=10000
export PHP_FCGI_MAX_REQUESTS
# Replace with the path to your FastCGI-enabled PHP executable
exec /usr/local/php7/php-cgi


The wrapper script can live anywhere, as long as the FcgidWrapper directive in the Apache configuration points at it; here it is /usr/local/php7/bin/php-fcgid-wrapper.

Make the wrapper script executable with chmod:

$
$ sudo chmod +x /usr/local/php7/bin/php-fcgid-wrapper
$


Step 9:
Turn on Apache server


This is the final and most important step for all the configuration made so far:

$
$ sudo service apache2 restart
$

Step 10:
Testing


Open a browser locally and visit https://localhost to check that the SSL connection works.

Or create a simple phpinfo page to check that all parameters are set as desired (the redirect again has to happen as root, hence tee; remove the file afterwards, since phpinfo output hands anyone who finds it your full configuration):

$
$ echo '<?php phpinfo(); ?>' | sudo tee /var/www/html/test_me.php
$

PHP's performance has seemed to lag behind for a long time since the Facebook era began. The more aggressive might lean towards HHVM to accelerate things, yet a development team may meet new challenges in switching coding practice and in the risk of incompatibility with the official PHP release.



You go for PHP 7 because you need speed. Forgetting about compatibility and the performance trade-offs for a moment, let's test your apps with this brand new PHP engine!




Sunday, October 4, 2015

Fix Homebrew problems after upgrading Mac OS X from Mavericks to El Capitan, skipping Yosemite

I have been sticking with Mavericks (OS X 10.9.x) since its release, and now I'm skipping Yosemite and upgrading directly to the solid build of El Capitan (OS X 10.11). It's just a direct upgrade, and things seem to be working after a couple of reboots.

Well, we all know installed packages may not work at all. For instance, developer tools like Homebrew seem broken again.

As seen on GitHub, people have started collaborating to resolve this:

https://github.com/Homebrew/homebrew/issues/40519

Two things break: the ownership of the Homebrew directory /usr/local, which the OS upgrade resets, and the Xcode Command Line Tools, which it invalidates. brew update reports the latter like this:

xcrun: error: invalid active developer path (/Library/Developer/CommandLineTools), missing xcrun at: /Library/Developer/CommandLineTools/usr/bin/xcrun
xcrun: error: invalid active developer path (/Library/Developer/CommandLineTools), missing xcrun at: /Library/Developer/CommandLineTools/usr/bin/xcrun
Stashing your changes:
xcrun: error: invalid active developer path (/Library/Developer/CommandLineTools), missing xcrun at: /Library/Developer/CommandLineTools/usr/bin/xcrun
xcrun: error: invalid active developer path (/Library/Developer/CommandLineTools), missing xcrun at: /Library/Developer/CommandLineTools/usr/bin/xcrun
Error: Failure while executing: git stash save --include-untracked --quiet


So, fix the ownership of the Homebrew prefix first:

sudo chown -R $(whoami):admin /usr/local

On a second brew update another error appears:

Error: Failure while executing: git pull -q origin refs/heads/master:refs/remotes/origin/master.

After a major upgrade the Xcode Command Line Tools need to be reinstalled. The quickest way is to run "xcode-select --install" in Terminal and accept the prompt. Alternatively, install Xcode 7.0.1 from the App Store, open Xcode once to agree to the terms and conditions, and then:

Within Xcode, click the menu item:

[Xcode]->[Open Developer Tool]-> [More Developer Tools...]

This opens Apple's download page for developer tools.

Click to download and install the Command Line Tools package matching your OS version; on El Capitan that is:

Command Line Tools (OS X 10.11) for Xcode 7

Reopen Terminal and try brew update again; once more an error message shows up, but this time things get fixed by the second call of brew update. So, issue the update command twice to get it fixed and ready:

$brew update
#Error message...
$brew update
#It works this time...