Archive for the 'Technology' Category

Deploying Firefox and Thunderbird Policies to Prevent auto-updates and Tune Other Features

Long-time Firefox and Thunderbird user here. I’ve tried dozens and dozens of other browsers, including the much lauded Google Chrome, but always come back to Firefox. It’s just much faster, lighter on memory, 100x more feature rich, flexible and more secure than the alternatives. Chrome, by comparison, is slow, an extreme memory hog, has a questionable security model, and lacks any powerful features that I’ve come to use over the years.

I tend to run the latest “Developer” or “Nightly” editions of these tools, and by doing so, I agree to certain constraints (daily, enforced upgrades being one example), but with that sometimes comes product changes that cause new, undiscovered issues, breakage and undefined behavior.

My Thunderbird mail folders for example, go back 20 years and contain well over 200,000 archived and active emails. I’ve purged all of the garbage, junk, unnecessary emails as they come in, being a big proponent of Merlin Mann’s “Inbox Zero” methodology for almost 15 years, but it’s important that mail be available and accessible on-demand. Something that breaks my ability to read an IMAP folder or search across those folders and tags, would not be good.

Enter Policies!

With policies deployed, you can govern what behavior is turned on, off and supported by your Firefox browser or Thunderbird mail client. For Firefox, there’s an easy add-on called “Enterprise Policy Generator” written by Sören Hentzschel that I use to start off the policies I’m interested in. Here’s just a small sample of what’s available in the tool:

Two of the first items I turn off are the use of “Pocket” and the constant daily upgrade notices. I do upgrade frequently, but I make sure I back up my profile, add-ons and browser data before testing an upgrade, so I have a means to downgrade if the new version breaks my add-ons or use of the browser. To do that, you can create a policy that disables these with the EPG, or you can just create a policies.json and add the following to it:

{
    "policies": {
        "DisableAppUpdate": true
    }
}

This will stop the browser from requesting updates on a daily basis. There is a feature in Firefox under about:config called app.update.auto which can be set to “False”, but it doesn’t work. Likewise, blanking out the app.update.url in the same configuration pane does not work either. The only way to do this, is to deploy a policy that forbids it.

The policies.json file has to go into a specific directory in the application directory, not the user’s profile (where it could be altered or modified by each user). Here’s where those need to go:

On macOS

/Applications/Firefox Developer Edition.app/Contents/Resources/distribution

On Linux

If you’re using packages:

/usr/lib/firefox/distribution

If you’re using the tarball or nightly releases:

/opt/firefox/distribution

On Microsoft Windows

C:\Program Files\Firefox Developer Edition\distribution

The important part is that it lives in a new directory called distribution inside the same directory that holds the main Firefox data files. You’ll need to create this directory if it doesn’t already exist. For Thunderbird, the process is similar, just a slightly different directory:

On macOS:

/Applications/Thunderbird.app/Contents/Resources/distribution

or

/Applications/Thunderbird Daily.app/Contents/Resources/distribution

Follow the same model and paths you did with Firefox for Linux and Microsoft Windows.

You’ll know if you put the policies.json in the correct directory, if you close and relaunch your Firefox or Thunderbird client, go to Help -> About, and see the following, near the top of the About dialog:

Here is a copy of an expanded policies.json that I use on my production systems:

{
  "policies": {
    "DisableAppUpdate": true,
    "DisableFeedbackCommands": true,
    "DisableFirefoxStudies": true,
    "DisablePocket": true,
    "DisableSystemAddonUpdate": true,
    "DisableTelemetry": true,
    "ExtensionUpdate": false,
    "NetworkPrediction": true,
    "Preferences": {
      "browser.fixup.dns_first_for_single_words": true,
      "browser.tabs.warnOnClose": true
    },
    "PromptForDownloadLocation": true
  }
}

You can use this for both Firefox and Thunderbird.

If you want a full breakdown of every possible policy item, you can visit the Mozilla Policy Templates GitHub page for detailed explanations.

While we’re on the subject of Git, you might also want to investigate using Git to manage these policies and configurations, so you can easily deploy them across multiple machines that you use your browser or mail client in.
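
One way to script that deployment, as an added example that is not part of the original post: it copies a policies.json into the distribution directory and checks that neither the directory nor the file is group- or world-writable, since the policy only holds if ordinary users cannot edit it. The function names are made up for this sketch, and the full JSON syntax check assumes python3 is on the PATH (it is skipped otherwise).

```shell
#!/bin/sh
# Install a policies.json into an application's "distribution" directory and
# confirm that ordinary users cannot modify it afterwards.
# Function names are hypothetical; run as root (or an admin) on a real system.

# is_locked_down PATH: succeeds when PATH exists and carries neither the
# group-write nor the world-write permission bit.
is_locked_down() {
    [ -e "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]
}

# install_policies SRC APPDIR
# APPDIR is the directory that holds the main application files, for example
# /usr/lib/firefox or "/Applications/Thunderbird.app/Contents/Resources".
install_policies() {
    src=$1
    app_dir=$2
    dest_dir=$app_dir/distribution

    [ -f "$src" ] || { echo "missing policy file: $src" >&2; return 1; }
    [ -d "$app_dir" ] || { echo "no such application directory: $app_dir" >&2; return 1; }

    # Every setting has to sit under a top-level "policies" object.
    grep -q '"policies"[[:space:]]*:' "$src" ||
        { echo "no \"policies\" object in $src" >&2; return 1; }

    # Full syntax check when python3 is available: one stray comma makes the
    # whole file unparseable.
    if command -v python3 >/dev/null 2>&1; then
        python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$src" 2>/dev/null ||
            { echo "not valid JSON: $src" >&2; return 1; }
    fi

    mkdir -p "$dest_dir" && chmod 755 "$dest_dir" || return 1
    cp "$src" "$dest_dir/policies.json" && chmod 644 "$dest_dir/policies.json" || return 1

    # Re-check what actually landed on disk.
    for p in "$dest_dir" "$dest_dir/policies.json"; do
        is_locked_down "$p" || { echo "group/world-writable: $p" >&2; return 1; }
    done
    echo "installed $dest_dir/policies.json"
}

# Usage: sh deploy-policies.sh policies.json /usr/lib/firefox
if [ "$#" -eq 2 ]; then install_policies "$1" "$2"; fi
```

Running is_locked_down against the application directory itself is also worth doing, because a user who can write there can replace the whole distribution directory.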

Hope that helps. Good luck!

Converting SuperMicro BMC Sensor Temperatures from Celsius to Fahrenheit

If you’ve ever used a SuperMicro BMC before, you’ve no-doubt seen the temperatures section under Server Health => Sensor Readings. These are always expressed in Celsius, but sometimes you want to quickly convert those to Fahrenheit so you can compare them with other data/sensors.

Enter Tampermonkey! I’ve been using Tampermonkey under Firefox for the last few years to re-skin/re-theme Salesforce, Greenhouse and 1/2 dozen other sites I use, some of them in very extreme ways, adding features and functions that the parent site itself doesn’t have or support.

In this case, this is a very simple snippet that will parse the sensor table and convert the Celsius values to Fahrenheit for you, just by loading the page. The code is:

// ==UserScript==
// @name           SuperMicro Sensor Conversion
// @namespace      https://192.168.4.50/
// @description    Convert the SMC Sensor outputs to Fahrenheit vs. Celsius
// @include        /^https?://192.168.4.50/.*$/
// @author         setuid@gmail.com
// @version        1.00
// ==========================================================================
//
// ==/UserScript==


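'use strict';

// Give the BMC page time to render the sensor table before rewriting it.
setTimeout(() => {
    document.querySelectorAll('div[id="HtmlSensorTable"] > table > tbody > tr > td').forEach(node => {
        // Only rewrite cells that actually carry a Celsius reading.
        if (node.innerText.includes(' degrees C')) {
            const temp = node.innerText.match(/(\d+) \w+ \w/);
            // temp[1] is the captured number; convert it to Fahrenheit.
            const fah = (parseInt(temp[1], 10) * 9 / 5 + 32).toFixed(1);
            node.innerText = node.innerText.replace(/(.*?)(\d+) degrees C/, `$1 ${fah}° F`);
        }
    });
}, 500);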

I tuned that a little more, by adding the degree symbol, instead of the words ‘degrees’, which now looks like:

It could be refined even further, targeting the inner iframes that this table resides in, or converting to React, but this was a quick 30-minute hack to solve a specific need I had.

Note, you can also get these same temperature values programmatically, via the RedFish API, if your chassis is properly licensed to permit it.

My homelab gets VERY warm during the day when the gear is running at full tilt, so I picked up a Govee Temp/Humidity sensor [Amazon link, not a referral or affiliate link][Govee main website product link], and it’s been very enlightening, showing me more about the trends in my office than I had visibility into before.

Here’s the last week’s temps and humidity in my office/homelab:

The only downside, is I can’t figure out a way to automate pulling/exporting this data, so I can import it into my Prometheus server and graph it with Grafana. Of note: I just taught myself Prometheus + Grafana tonight while adding all of my servers + UPS into it for monitoring. The UPS took a bit more effort, as it’s only using SNMP. I’ll go into more detail on that in future blog posts.

After nearly 22 years together, I had to let my roommate Monk go.

At 12:45pm today, April 13th 2021, my long-time buddy Monk, my roommate for the last 22 years and many relocations, had to be put down. It was a really rough last couple of days, much more difficult than letting Dart go almost 10 years earlier.

His condition over his last days, really degraded quickly. He went from being a bit ‘stiff’ and difficult to walk over the last few months, to no longer being able to control the entire rear half of his body in his last day.

His last, full night together with us consisted of me picking him up to help him stagger to the litterbox only a few feet away in the bathroom, and holding him up while he urinated and defecated all over himself, and then cleaning him up in the tub right after.

I woke up a couple of hours later, to see him trying to drag himself by his front paws back into his padded bed on the floor, with urine leading back from there to the litterbox. He couldn’t muster enough energy to lift his head much, or even to chew his food or drink water.

His body was so limp, frail, it was hard to hold his weight up while he ate or went to the litterbox, without causing him pain, because he had no real muscle tone left to keep his own bones straight.

It was time, I couldn’t wait any longer, without causing him to really suffer even more than he was already suffering. He was in fantastic health for those 22 years, with the exception of those last few months. Many tests and prescription diet changes later, I couldn’t stop the slide of his health failures.

My life with Monk was a long, amazing life. I will remember every moment with razor sharp clarity. From his sharing baskets next to Dart through laying on my back while I slept, or curling up under my arm while I read.

His name was a perfect choice from the start of his life, straight through to the end. He was always watching, inspecting, learning, waiting his turn at the food, water or the window to watch the birds and big world outside.

I couldn’t quite get him to play fetch like Dart, or chase the laser dot as much as other cats, but he had his own, deeply introspective appeal. We’d spend hours together each week in our own “Zen”, just listening to the sounds of nothing, taking in the world, being active observers and participants.

He was the only cat that Seryn had known for her entire life, there before she was born, and there to the end of his days. He would watch her in the crib, curl up around her head when she would sleep, and make sure she was safe, much like a trusted family canine.

He spent some years with Dart, Cooper Coombs, Ashe and Tink. He’s been a friend to all who have met him. He was nothing short of the smartest, most introspective, calm, patient, Buddhist of cats I’ve ever owned.

As an albino cat, he had his share of weird health difficulties starting from the first day we adopted him. He was found by a coworker of my girlfriend at the time drinking antifreeze out of the driveway in the middle of winter. He was treated for frostbite and ever since then would never, ever allow anyone to touch his paws, because they were super-sensitive to touch. He suffered from cat acne later in life, weight gain and loss, gingivitis and several teeth surgically removed, many diet challenges and food allergies, several unexpected surgeries and many tests.

His lack of one of his canine teeth caused a unique “yarr! Pirate Face” as his lips got stuck on his teefs.

He was one-of-a-kind, unique, and the most intelligent, sweetest, friendly, cuddler of a roommate I could have ever asked for.

Monk, you will be missed. I can only hope, if there’s ever another place after this life, that you’ve found Dart in that place, and you’re happily playing Meow-co-Polo with him like you did for so many years.

HOWTO: Run Proxmox 6.3 under VMware ESXi with networked guest instances

One of my machines in my production homelab is an ESXi server, a long-toothed upgrade from the 5.x days.

I keep a lot of legacy VMs and copies of every version of Ubuntu, Fedora, Slackware, Debian, CentOS and hundreds of other VMs on it. It’s invaluable to be able to spin up a test machine on any OS, any capacity, within seconds.

Recently, the need to ramp up fast on Proxmox has come to the front of my priority list for work and specific customer needs. I don’t have spare, baremetal hardware to install Proxmox natively, so I have to spin it up under my existing VMware environment as a guest.

The problem here, is that running one hypervisor under another hypervisor as a guest, requires some specific preparations, so that the networking of the nested guest, will have its packets correctly and cleanly routed through the parent host’s physical network interfaces.

Read on for how to configure this in your own environment!

VMware ESXi

In VMware ESXi, there are a few settings that you need to adjust, to enable “Promiscuous Mode”, “Forged Transmits” and “MAC Changes”. These are found under the “VM Network” section of your ESXi web-ui:

Once you’ve made these changes, you need to restart your VMware host in order to enable them for newly-created VMs under that host.

VMware Workstation

If you’re running VMware Workstation instead of ESXi, you need to make sure your ‘vmnet’ devices in /dev/ have the correct permissions to permit enabling promiscuous mode. You can do that with a quick chmod 0777 /dev/vmnet* or you can adjust the VMware init script that creates these nodes. Normally these would be adjusted in ‘udev’ rules, but those rules are run before the VMware startup, so changes are overwritten by VMware’s own automation.

In /etc/init.d/vmware, make the following adjustment:

vmwareStartVmnet() {
   vmwareLoadModule $vnet
   "$BINDIR"/vmware-networks --start >> $VNETLIB_LOG 2>&1
   chmod 666 /dev/vmnet* # Add this line
}

Now that you have your host hypervisor configured to support nested guest hypervisors, let’s proceed with the Proxmox installation.

Download the most-recent Proxmox ISO image and create a new VM in your VMware environment (ESXi or Workstation). Make sure to give your newly created VM enough resources to be able to launch its own VMs. I created a VM with 32GB RAM and 2TB of storage, configured as a ZFS RAIDZ-3 array (5 x 400GB disks). That configuration looks like this:


Thoughts about cheating on Zwift


Let’s talk about cheating for a moment. There, I’ve said it. Throw the tomatoes, the Park wrench or the AppleTV remote at me. Save the criticism for the comment section!

I’m a huge data nerd. Many of you already know that. Having clean and correct data on Zwift, only helps us improve as athletes and riders.

I’ve put a LOT of thought into this over the last few years, and have had personal conversations with Eric, Steve Beckett, Jon and others about it, including sharing some of the ideas I’ve had to mitigate it. I’ve read the rants, the promoters, the detractors, all of it from all sides. So has Zwift HQ.

Forget streaming video of riders, or putting trainers on a platform with integrated scales or integrating weigh-in equipment into the bikes themselves. When you do that, you kill the enjoyment for others who can’t reach that echelon, but still want to “race” on Zwift. You’d be excluding people who might have the ability, but not the means.

So here’s my proposal, a draft that I’ve been cooking up for a few years, which hopes to not only help curb cheating, but also increase the adoption of Zwift in local centers, the LBS, as well as make sure you don’t constrain race events to KICKR or TacX Neo only events.

  1. Begin the distribution of Certified Zwift Engineers (aka “ZCE”). These would initially probably be the bike mechanic at your LBS to start with. They’re already there, they have the gear and they’re probably fixing your bike or adding equipment each season already. The ZCE would be able to train up on all aspects of Zwift, including app/game configuration, optimizing the experience for the end user. Oh, you have a Dell laptop with an integrated video card? Here’s some settings you can apply to make that work for you during crowded group events. They’d also be trained in how to configure and validate bike fit, power meters and sensors that tie back to the machine/device used to run Zwift. Having drop-outs? Here’s the tools to identify drop-outs and some workarounds that can help.

    This engages the LBS mechanics and the LBS itself to be a part of the growing Zwift ecosystem, not only just as an endpoint for bike upgrades and repair, but a full, end-to-end solution for building out a Zwift environment for the riders.

    Incentivizing those LBS mechanics to become ZCE then has the potential to ensure that more people come into the shop for bike fit, possible recommendations, upgrades, etc. I haven’t met a single bike mechanic who hates cycling. They do it because they have a passion for it, and they, like others, want to grow that passion. Who wouldn’t turn down the ability to learn something new and exciting about your passion?

  2. Those same LBS that have their mechanics certified as ZCE, can now brand their shop as “Zwift Certified Training Center”, and teach riders how to use Zwift (ala spin class? LBS Fondo?). Tactics, when to drain your power-up so you can pull the next one over that hill. Buying a trainer at Best Buy won’t have the same overall value as buying it at your Zwift Certified LBS, even if Best Buy has them for 10% cheaper.
  3. Those same LBS + ZCE, can now perform equipment certification and qualification. They can properly calibrate your Power Meter + trainer combination, regardless of what you’re using. Forget trusting Qalvin on your iOS device to calibrate your Quarq PM or trusting your Garmin Vector pedals to be accurate out of the box, let the ZCE at your LBS (ZBS?) handle that for you.

Trust, but verify, as we say in my field.

They can also do the weigh-in right there at the shop, after calibrating your gear. The output of that now-calibrated Zwift setup and weigh in, is a printed certificate of authenticity of your bike, trainer, gear and your own fitness.

A piece of paper, so what you say? But wait, there’s more. What can you do with that?

Printed ON that certificate, is a unique code, generated by Zwift itself (this service does not yet exist, and would have to be created, more on that in a moment). You would then be responsible for making sure that your gear is not “altered” before or during a race. Alterations like that can be detected (ZwiftPower + formerly ZADA have tools to do this already).

This unique code would be entered before you join a race event, either at the time you sign up, or right as the event starts. It would be entered much like we do for jersey promo codes today. This is your “Zwift Race Number” (ZRN? Too many TLAs yet?).

If your gear is found to be ‘suspect’, you are unable to qualify until you remediate your gear. Your ZRN is now locked, and you can’t use it to enter any ‘official’ race events until you address it. To do so, you get one free re-calibration at the ZBS, and they can unlock your ZRN for you, before further re-calibrations come at a cost.

So, what’s missing from this approach?

For starters, Zwift does not have the ability to generate these unique codes, nor any way to manage them in your user account record. Yet.

But the scaffolding to enter codes to unlock capabilities is already there. They’d have to design and build that framework, and work with partners to make sure it fits the needs of their own roadmap. It’s not something to be taken lightly, but neither is eSports or the growing community of cheaters who are going undetected.

They also don’t have a ‘Certification’ program, defined criteria, training modules or anything like that. That curriculum would have to be developed, tested and disseminated amongst the interested LBS/ZBS, training centers, bike mechanics and anyone else who wants to open up their own Zwift Certified Training Center.

But having the certification program begins to create a standard, that all trainers and eSports athletes have to begin to adhere to. It’s a great position for Zwift to be in right now, helping to define the standards and at the same time, increasing their market share by pushing eSports and ZCEs/ZRNs into the LBS.

You, as a potential eSports athlete, would now be held accountable for making sure your own gear is calibrated, your weight accurate and true, and that you manage that ZRN with all the power that comes with it.

As eSports moves up the ladder and starts adding purses for winning, and actual financial incentives, sponsorships, team selection criteria, it becomes more and more important to take steps like this.

So sure, throw your streaming camera up there, show people you’re really the 70kg your profile says you are, that’s fine. But if you want to compete in a race that has value, actual impact, financial incentives to win, then grab your trainer, bike and head to your local LBS, get weighed in, certified, and enter that ZRN the next time you want to join those events.

At some regular interval, or when you upgrade gear, bike, power meter, or the start of a new season, you go back to the LBS/ZBS, schedule an appointment for a bike tune-up, equipment review and re-certify with your new ZRN, ready to smash those Zwift Racing Event records online!

I think this has some real potential, by engaging the participating LBS’ to get onboard with certifying Zwift equipment, trainers, power meters, but also bringing them into the fold of eSports.

It’s very unlikely someone who has the intent to cheat, is going to take all the effort to get their ZRN at their local ZBS, take that gear home, and alter it to gain an advantage. If they do, there are checks-and-balances in place to DQ them, invalidate their ZRN until they go back and re-certify, and keep those events clean.

It also helps validate those riders who TRULY want to compete, and will make sure their gear is dialed in.

So let the cheaters go ahead and tinker with their gear, take the effort to certify and then falsify their gear and get DQ’d. They only do that to the embarrassment of themselves, not Zwift as a growing eSports platform.

Your thoughts? Let’s discuss.

HOWTO: Back up your Android device with native rsync

Recently, one of my Android devices stopped reading the memory card. Opening the device, the microSD card was so hot I couldn’t hold it in my hand. The battery on that corner of the device had started to swell slightly. I’ve used this device every day for 3+ years without any issues. Until this week.

I also use TitaniumBackup to back up my Android to this external memory card, but since the device can’t read the card, I can’t back it up to the card.

The card is fine, and works in my other devices, as well as being seen from the desktop. Other, blank microSD cards can’t be read in the device and similarly overheat within seconds. It’s bad.

Enter rsync, the Swiss-Army Knife of power, to back up my Android device!

Here’s how:


HOWTO: Purge Amazon Echo History with iMacros


This one is quick and easy… Have you ever wanted to go back into your Amazon Echo device and delete the history of all commands you asked Alexa to do for you? All the searches? All the weather requests?

Well, you can… manually from the mobile app, or from the Amazon Alexa Configuration page, but that can take hours, because each card you want to remove is a minimum of two taps or clicks.

But there’s an even easier way… iMacros!

Load up the iMacros browser extension (Chrome version) (Firefox version) and create a new macro. You can edit it ‘raw’, if you wish, but you want only these lines in your macro:

VERSION BUILD=8970419 RECORDER=FX
TAB T=1
URL GOTO=http://alexa.amazon.com/spa/index.html#cards
TAG POS=1 TYPE=BUTTON ATTR=TXT:More
TAG POS=1 TYPE=SPAN ATTR=TXT:Removecard

Now when you load up the Amazon Alexa Configuration page, you can just launch your macro from iMacros and play it in a loop to progressively delete each and every one of those cards in seconds.

I personally wiped out over 5,000 cards in under 2 minutes with this approach. It works great!

Comment below if you have any luck with it, or modify it in a way that becomes more useful to others.

HOWTO: Run multiple Zwift sessions on the same PC (Windows only)

Many people have asked me to write this up and I’m happy to be the first person to push Zwift this far with multiple, simultaneous sessions.

I can say with confidence that up to this point, I’m actually the only person who has this working correctly without overwriting or clobbering critical logs and data files. Others have tried some hacky methods, but they all result in instability and data loss (see “What does NOT work, and why” below).

I started this quest because I am working on a product design (“Secret Sauce” to be withheld in this HOWTO) that involves running multiple Zwift sessions on a single, 100% wireless PC, with the only wire being the single power cable to the wall. No USB cables, no video cables, no HDMI cables, no network cables.

Let’s get some general housekeeping out of the way first…


HOWTO: Fully automated Zwift login on Mac OS X

Quite a few riders on the Facebook Zwift Riders group have expressed an interest in this, so I decided to take a couple of hours, learn AppleScript and knock this out. Done! (if you’re on Windows, you want this other HOWTO instead)

What this code does, is allows you to create a single icon that will log you into Zwift, with no human interaction needed. It will put in your email, password, click the “Start Ride” button and away you go!

This also leverages the OS X Keychain to store your Zwift email address and password, so it’s secure, not leaked into the filesystem and is able to be called on by any other apps that might need it (ahem, like… Zwift itself!) :D

So here’s how to get it working…

First, we need to create a separate keychain to store the Zwift credentials. You could store them in the main keychain, but I’m a fan of credential separation, so let’s use that.


HOWTO: Enable Docker API through firewalld on CentOS 7.x (el7)

Playing more and more with Docker across multiple Linux distributions has taught me that not all Linux distributions are treated the same.

There’s a discord right now in the Linux community about systemd vs. SysV init. In our example, CentOS 7.x uses systemd, where all system services are spawned and started.

I am using this version of Linux to set up my own Docker lab host for tire-kicking, but it needs some tweaks.

I also wanted to see if I could use the Docker API from my Android phone, using DockerDroid, which (after configuring this) works famously!

Here’s what you need to do:

  1. Log into your CentOS machine and update to the most-current Docker version. The version shipped with CentOS 7 in the repo as I write this post, is “docker-1.3.2-4.el7.centos.x86_64”. You want to be using something more current, and 1.4 is the latest. To fetch that (and preserve your existing version), run the following:
    $ su -
    # cd /bin && mv /bin/docker /bin/docker.el7
    # wget https://get.docker.com/builds/Linux/x86_64/docker-latest -O docker
    # systemctl restart docker
    # exit
    $ 
    

    Now you should have a working Docker with the right version (current). You can verify that:

    $ sudo docker version
    Client version: 1.4.1
    Client API version: 1.16
    Go version (client): go1.3.3
    Git commit (client): 5bc2ff8
    OS/Arch (client): linux/amd64
    Server version: 1.4.1
    Server API version: 1.16
    Go version (server): go1.3.3
    Git commit (server): 5bc2ff8
  2. So far, so good! Now we need to make sure firewalld has a rule to permit this port to be exposed for external connections:
    $ sudo firewall-cmd --zone=public --add-port=4243/tcp --permanent
    $ sudo firewall-cmd --reload
    success
    

    You can verify that this new rule was added, by looking at /etc/firewalld/zones/public.xml, which should now have a line that looks like this:

    <port protocol="tcp" port="4243"/>
  3. Now let’s reconfigure Docker to expose the API to external client connections, by making sure the OPTIONS line in /etc/sysconfig/docker looks like this (note the portion in bold):
    OPTIONS=--selinux-enabled -H fd:// -H tcp://0.0.0.0:4243
    
  4. Restart the Docker service to enact the API on that port (if successful, you will not see any output):
    sudo systemctl restart docker
  5. To test the port locally, install telnet and then try telnet’ing to the port on localhost:
    $ sudo telnet localhost 4243
    Trying ::1...
    Connected to localhost.
    Escape character is '^]'.
    
    HTTP/1.1 400 Bad Request
    
    Connection closed by foreign host.

    All looks good so far!

  6. Lastly, install DockerDroid and configure it to talk to your server on this port:

    DockerDroid connecting to CentOS via API

  7. Now you should be able to use DockerDroid to navigate your Images, Containers and API.

    Good luck!
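
The OPTIONS line in step 3 publishes the Docker API on every interface without authentication, so anyone who can reach port 4243 can control the daemon. The added example below (not part of the original post) audits an OPTIONS line for that condition and shows a TLS-verified variant; the function name, verdict strings, certificate paths and client address are assumptions made for illustration.

```shell
#!/bin/sh
# Audit a Docker daemon OPTIONS line (as in /etc/sysconfig/docker) for an API
# listener reachable over TCP without TLS client verification.
# audit_docker_options and its verdict strings are hypothetical names.

# audit_docker_options "<OPTIONS line>"
# Prints a verdict and returns 0 (acceptable) or 1 (finding):
#   local-only      no tcp:// listener, or loopback only
#   tls-verified    non-loopback tcp:// listener together with --tlsverify
#   exposed-no-tls  non-loopback tcp:// listener without --tlsverify
audit_docker_options() {
    line=${1#OPTIONS=}
    line=${line#\"}; line=${line%\"}      # tolerate a quoted value
    line=${line#\'}; line=${line%\'}
    tlsverify=no
    exposed=no
    prev=
    set -f                                # no globbing while word-splitting
    for word in $line; do
        case $word in
            --tlsverify|--tlsverify=true) tlsverify=yes ;;
        esac
        # Collect the argument of -H / --host in either "flag value" or
        # "flag=value" form.
        host=
        case $word in
            -H=*|--host=*) host=${word#*=} ;;
            *) case $prev in -H|--host) host=$word ;; esac ;;
        esac
        case $host in
            tcp://127.*|tcp://localhost*|'tcp://[::1]'*) ;;   # loopback only
            tcp://*) exposed=yes ;;
        esac
        prev=$word
    done
    set +f
    if [ "$exposed" = no ]; then echo local-only; return 0; fi
    if [ "$tlsverify" = yes ]; then echo tls-verified; return 0; fi
    echo exposed-no-tls
    return 1
}

# The line from step 3, and a hardened variant. The certificate paths are
# constructed for this example; 2376 is the port conventionally used for the
# TLS-protected API.
page_line='OPTIONS=--selinux-enabled -H fd:// -H tcp://0.0.0.0:4243'
tls_line='OPTIONS=--selinux-enabled -H fd:// --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376'

for l in "$page_line" "$tls_line"; do
    verdict=$(audit_docker_options "$l") || :
    printf '%-15s %s\n' "$verdict" "$l"
done

# Companion firewalld rule that admits one client instead of the whole zone
# (192.0.2.10 is a documentation address standing in for the admin host):
#   firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.0.2.10/32" port port="2376" protocol="tcp" accept'
#   firewall-cmd --reload
```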
