How to Disable ipv6 in Ubuntu

You may not need or want ipv6 in your Ubuntu install. Here’s how to disable it *well*

Shell commands to run:

# create the long-life config file
echo "net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1" | sudo tee /etc/sysctl.d/99-my-disable-ipv6.conf

# ask the system to use it
sudo service procps reload

# check the result (should read "1"):
cat /proc/sys/net/ipv6/conf/all/disable_ipv6
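A slightly wider check than the cat above, added here and not part of the original post: it reads every per-interface disable_ipv6 file rather than only the "all" knob, so any interface that still has IPv6 enabled is listed by name. The directory argument exists only so the check can be exercised against a constructed tree; on a real host it defaults to /proc.

```sh
#!/bin/sh
# Walk every interface directory under the IPv6 conf tree and report any
# whose disable_ipv6 is not 1. "all" covers interfaces present when it was
# written and "default" covers new ones, so checking each per-interface file
# is the way to be sure nothing slipped through.
# Optional argument: the conf root (defaults to the real /proc path; it is
# parameterised only so the function can be tested against a fake tree).
check_ipv6_disabled() {
  root="${1:-/proc/sys/net/ipv6/conf}"
  rc=0
  for f in "$root"/*/disable_ipv6; do
    # an unmatched glob (no IPv6 conf tree at all) just falls through
    [ -r "$f" ] || continue
    v=$(cat "$f")
    if [ "$v" != "1" ]; then
      # the parent directory name is the interface name
      echo "$(basename "$(dirname "$f")"): disable_ipv6=$v"
      rc=1
    fi
  done
  return $rc
}

# Typical use after applying the sysctl file above:
# check_ipv6_disabled && echo "IPv6 is disabled on every interface"
```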

Some Cygwin Notes on installing Ansible in Cygwin on Windows

I wanted to install Ansible on Cygwin running in Windows. I also wanted to interact with AWS, so I needed to install boto. “six” just for kicks as well. Here’s what finally worked, along with some notes on the experience:

This step-by-step is valid on Windows Server 2012r2 machines as of 9/29/2017. It is the cleanest way of working with Cygwin that I’ve seen.

Install Cygwin
Download here:
Install to c:\cygwin64 for everything you have to specify a path for (use that for the source, it’s always fast, at least in the US)
Basic install, no additional packages
Add a shortcut to the desktop
– Shortcut points to mintty.exe, interestingly… never knew that
– C:\cygwin64\bin\mintty.exe -i /Cygwin-Terminal.ico -

Open up the Cygwin shell:
echo 'alias cyg-get="/cygdrive/c/cygwin64/setup-x86_64.exe -q -P"' >> ~/.bash_profile
– This makes it so installing more cygwin-specific packages is just like using apt-get, all from within Cygwin
– Doing it this way makes cygwin even more portable 🙂
Close and reopen the Cygwin shell
– To get that alias thing from above

Install all the dependencies using our nifty apt-get-like approach
– cyg-get cygwin32-gcc-g++,gcc-core,gcc-g++,git,libffi-devel,nano,openssl,openssl-devel,python-crypto,python2,python2-devel,python2-openssl,python2-pip,python2-setuptools,python2-devel,tree,wget,zip,make,openssh
– You have to use a comma-delimited list. Some internet blog posts use spaces…. Those don’t cut it

Use pip2 to install:
– pip2 install boto six ansible==1.9.4
— Running bdist_wheel for pynacl
— That takes forever… you have to just wait…. Forever

At this point, you should be all set. And… you should be able to copy-paste the cygwin64 folder into any other Windows machine and everything will “just work”

– This approach is the cleanest, most portable way to work with Cygwin. Really, it’s completely self-contained, not affecting anything else on the host… All things Ansible, boto, gcc, etc live entirely in that cygwin64 folder. Delete the folder; they’re all gone, as though they were never there.
– At the time of this writing, the world is kind of between Python 2.7 and Python 3.x. As such, this is a case where we have to explicitly say we want to install pip2 and python2.
– Note that the permissions and execution bits on files can kind of get scrubbed out when checking things out from GitHub (other vcs too?), so in the case of Ansible and boto, the hosts file and the ec2 file may need to have their execution bits updated after a checkout – hosts should not be executable; ec2 should be executable. It’s possible other .sh files you check out from, say, GitHub may need their execution bits changed as well

Installing ESXi on Unsupported Hardware

You have an old computer. You want to put ESXi on it. You get errors like stalling at “Initializing IOV”, “failed loading nfs41client”, or “No Network Adapters”. Here’s how I worked around all three of those.

“Initializing IOV”
– Means your hardware doesn’t support something. When ESXi is starting up press “tab” or “shift+o” to get to the boot command line options. Then simply put in a space followed by “noIOMMU” at the end of that line.
– from

During install or loading of the installer you see “failed loading nfs41client” or “failed loading nfs4lclient”… one of those two. And then you get a “No network adapters” at the end.
– Means you have some network card or chipset that’s not officially supported by the ESXi installer.
– Create a custom install image:
– I did this:
In Powershell:
– Install-Module -Name VMware.PowerCLI -Scope CurrentUser
– download this:
– run this to find what network card you have (mine was the Realtek 8168, mentioned here:
– run this: .\ESXi-Customizer-PS-v2.5.1.ps1 -v60 -vft -load net55-r8168,net51-r8169,net51-sky2
– Use rufus to create a bootable USB with the resulting ISO
– Install ESXi with that bootable USB (I had to use the “noIOMMU” additional boot option)

Hopefully it helps you 🙂

Self-Signed SSL Certs on Ubuntu and Apache2

Simple step-by-step on how to create a self-signed SSL cert in Ubuntu, and then some notes on how to use it (there are some specific mentions of Perforce Swarm, so just update things to reflect your own site name):

1. Enable SSL for Apache2
sudo a2enmod ssl
2. Create directory to save certificates
sudo mkdir /etc/apache2/ssl

3. Create the required certificates
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Note: Ensure the 'Common Name' you provide matches your Swarm server's FQDN exactly.

4. Follow the on screen prompts adding organization information as required.

5. Backup the current HTTP virtual host configuration:
cp /etc/apache2/sites-available/perforce-swarm-site.conf /etc/apache2/sites-available/perforce-swarm-site.conf.BAK

6. Edit the Apache site config file for the Swarm virtual host:
sudo nano /etc/apache2/sites-available/perforce-swarm-site.conf
We'll continue listening on port 80 for plain HTTP requests and on port 443 for HTTPS. See below, replacing SWARM-SERVER_HOSTNAME with the FQDN of your Swarm server.

ErrorLog "/var/log/apache2/swarm.error_log"
CustomLog "/var/log/apache2/swarm.access_log" common
DocumentRoot "/opt/perforce/swarm/public"

AllowOverride All
Require all granted

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

ErrorLog "/var/log/apache2/swarmssl.error_log"
CustomLog "/var/log/apache2/swarmssl.access_log" common
DocumentRoot "/opt/perforce/swarm/public"

AllowOverride All
Require all granted

Note: Please check with your security team to ensure the permissions provided in this setup are suitably restrictive for your environment.

7. Restart Apache to pick up the changes
sudo service apache2 restart
8. Now try your new HTTPS URL from a web browser.
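Added example, not from the original post: the step 3 openssl command done non-interactively and with a subjectAltName, plus a check that the certificate really is valid for the name. Browsers and most TLS clients now match the hostname against the SAN and ignore the Common Name, so a cert that only has the FQDN in its CN still gets rejected. The hostname swarm.example.com and the directory argument are illustration values, and -addext assumes OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# make_selfsigned DIR FQDN [DAYS]: writes DIR/apache.key and DIR/apache.crt
# with the FQDN in both the CN and a DNS subjectAltName, no prompts.
make_selfsigned() {
  dir="$1"; fqdn="$2"; days="${3:-365}"
  openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
    -keyout "$dir/apache.key" -out "$dir/apache.crt" \
    -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" 2>/dev/null || return 1
  # Apache reads the key as root at startup; nobody else needs it
  chmod 600 "$dir/apache.key"
}

# cert_matches_host CRT FQDN: returns 0 when the certificate is valid for FQDN.
# The cert is used as its own trust anchor here, which is the situation once
# it has been added to the system CA store as described further down.
cert_matches_host() {
  crt="$1"; fqdn="$2"
  openssl verify -CAfile "$crt" -verify_hostname "$fqdn" "$crt" >/dev/null 2>&1
}

# Example run (illustration paths and name, not the post's own):
#   make_selfsigned /etc/apache2/ssl swarm.example.com
#   cert_matches_host /etc/apache2/ssl/apache.crt swarm.example.com && echo "name OK"
#   cert_matches_host /etc/apache2/ssl/apache.crt other.example.com || echo "mismatch"
```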

Now, in Ubuntu, here's how to add that client-side certificate file you created above when you made the self-signed SSL cert (run all steps as the root user):

Given a CA certificate file foo.crt, follow these steps to install it on Ubuntu:

Create a directory for extra CA certificates in /usr/share/ca-certificates:
sudo mkdir /usr/share/ca-certificates/extra

Copy the CA .crt file to this directory:
sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
– I’d suggest renaming that .crt file to include the full domain name

Let Ubuntu add the .crt file’s path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf:
sudo dpkg-reconfigure ca-certificates

In case of a .pem file on Ubuntu, it must first be converted to a .crt file:
openssl x509 -in foo.pem -inform PEM -out foo.crt

You can redirect http traffic to https by adding the below to the end of the section on your server:
– Redirect / https://

From 2 great finds:

Can’t create a new datastore on ESXi 5.5 when using an existing disk

I got this error when trying to create a datastore on a local SSD I had just installed:

A specified parameter was not correct.

This blog post reported it’s a problem with having an existing MBR partition on the disk.

Apparently, VMFS5 doesn’t like that scenario. Usually, you’d have to manually delete the partition via some shell commands on the ESXi host. But, one of the comments mentioned they were able to create a VMFS3 partition first, and then upgrade it to VMFS5. Worked for me 🙂

2006 Honda Odyssey with misfires reported on cylinders 4 and 5 – started after a head gasket and timing belt replacement

Had to change out the head gasket, particularly on the bank with cylinders 4,5, and 6 (the front-most 3 cylinders). That process, while cumbersome, worked out fine. I had to get the front cylinder head machined, since it was low in one point by around 8 thousandths. Everything went back together relatively smoothly. Once done, the engine started up on the first try, and it ran smoothly.

And then, while making sure the coolant and other fluids were filled correctly, the engine died. It turned out that the auto tensioner pulley's bearings blew up, complete with ball bearings all over in the timing belt cover area. Luckily, the belt didn't break, but as best as I can tell it jumped one or more teeth.

After redoing the timing belt, complete with a timing belt kit – just do yourself and your car a favor and buy a timing belt kit – the engine started up, but it ran pretty rough. The codes reported misfires, especially in cylinders 4 and 5 (the front left and center cylinders when viewing the engine from the front of the car). However, it also reported random cylinder misfires. It also reported the bank 2 sensor 2 oxygen sensor heater circuit was bad somehow (this is the O2 sensor on the bottom of the front three-way-prewarm-catalytic converter… something like that).

I replaced the bank 2 sensor 2 oxygen sensor, but that didn't change anything. Then I started unplugging ignition coil plugs one at a time to see which cylinders were misfiring. Sure enough, it was cylinders 4 and 5. I got new spark plugs and new ignition coils (for all cylinders). That seemed to help a bit, but it was not all the way. The engine was still misfiring on cylinders 4 and 5 (wet spark plugs that smelled like fuel).

I did a compression test on cylinders 4 and 5 to see if the valves hit the pistons when the incident with the auto tensioner pulley happened. Compression was fine, 130psi or so. It's relatively easy to test this if you have the tool.

Then, I did the CKP sensor relearn procedure. That's the "CranKshaft Position" sensor. And it worked. No more misfires, and the engine idles smoothly now: no more rough idling, it now starts easily, and it doesn't almost die at idle.

I didn’t have a tool that would reset anything, so here’s what I did (based on what the Honda service manual outlined):

Started the engine in the driveway from cold, and ran it at 3000RPM until it got up to temperature. Drove it around in 2nd gear (automatic transmission), getting up to 2,500RPM and then letting it coast down to around 1,000RPM (keeping it in the same gear). I did this about 5 times in either 1st or 2nd gear. I then went on a larger road and ran it in 2nd gear up to 5,000RPM and then let it coast down to 3,000RPM (keeping it in 2nd gear). I did this around 3 times. Then, I found a spot to park it and turned it off, then turned the key to position II (not starting the engine) and let it sit like that for 30-40 seconds, then turned it off. Then, when I started the engine up, it idled notably more smoothly. And it's stayed that way. Further checks with a code reader showed no new codes being thrown, though the engine light is still on; I presume it will turn off after 100 miles or so (part of the buffer it needs to have so you can't cheat the smog check so easily).

I hope this helps.

Perforce Proxy – uses and notes

Here’s the lowdown on the Perforce Proxy (aka P4P):

– You can use *any* version of it. Just use whatever the most recent one is on

– It’s as simple as you might hope. Install it, make it run all the time, point it at your main perforce instance, and then have all your p4 clients just point at the proxy instead of the main perforce server.

– Yeah, having all the clients point at a p4 proxy instance instead of the main perforce server means you can lock down your perforce server better.

– The proxies cache all the big files and pass along all the commands from the client to the main perforce server. All the proxy does is make it so the main server doesn’t have to read and transfer the big files.

– If you run a p4 proxy on your own computer, it means your computer is storing all the versioned files locally, so when you switch between branches or streams, you don’t have to wait for the big files to transfer from the main perforce server. Yes, it’s great for VPN connections.

– You can’t point a p4 proxy at a p4 proxy 🙂 It says something about a version not being new enough, at least in my brief tests.

– P4 Proxy is easiest to install on Windows. Pretty no-brainer stuff. Really, the installer is an .msi that includes the p4 server and client. You can install just the proxy though, so no worries.

– P4 Proxy just uses disk space. CPU and memory is negligible.

– If you have people in all kinds of locations, just have them set up a p4 proxy instance in a relatively secure manner on their own computer (or if they’re fancy, in some VM in their own environment).

– If you go fancier than a P4 proxy, you're looking at setting up some perforce edge and read-or-whatever replicas. Just don't go there…. unless you're HUGE and you have people (not "person") in your dedicated IT infrastructure team.

Download it here:

How things get restored in Google Drive after a big delete

Imagine this:

– You have a Google Drive folder that’s receiving daily builds. This means the previous day’s build gets deleted.

– Then one day you delete the folder accidentally. You know Google Drive keeps backups of everything, so you just go in to your Google Drive trash, find the folder and then right-click > Restore.

Well, you get your stuff back, that’s for sure. All of it. All of the files that had ever been in that folder. Heh. And it takes a good several hours for them all to eventually show up, and they appear gradually over that time.

Now, how many people are syncing the folder? Hah. Full hard disks a-plenty. You kind of have to just sit there refreshing the web view of the folder, deleting all the old files.

Really, I’d recommend creating a new folder and selectively restoring the specific files you need. That should be a much faster solution. Now if you have apps or something pointed at the URL of the actual folder, then, well, you’ve got a long day ahead of you. Just keep deleting the files as they show up. It’ll work.

Robocopy can’t find the path when run via TeamCity Agent

You have a network share mapped as a drive and you want your TeamCity Agent to copy files to it when it’s done building. But it doesn’t work. Your users are fine (run “whoami” in TeamCity script and look at the output to make sure).

In the TeamCity build logs you’ll see something like this:
ERROR 3 (0x00000003) Getting File System Type of Destination

The annoying part is that it works just fine when you run it via the command prompt.

In short, the issue is likely that Robocopy, when launched by the TeamCity Agent service, doesn't run in the interactive user session, so even if you're logged in with the user under which the TeamCityAgent service is running, and you have the network drive mapped just fine, Robocopy won't be able to see it. So, you could put a "net use" command just before your robocopy command, but then you'd have to remove it again afterwards, which would be prone to failure… though maybe remove-then-add just before? Anyway, just point your robocopy command directly at the network share. That way, you only have to make sure your TeamCityAgent user has permissions on the network share.

l2tp support in Ubuntu 16

Here’s the best step-by-step:

L2TP / IPSEC VPN on Ubuntu 16.04

Here’s another step-by-step that had some mismatched text strings that kind of wrecked stuff:

Meraki doesn’t have much in the way of documentation on setting up the client VPN on Linux servers. They have something for a Linux distro running a GUI:

Here is something about getting the l2tp vpn client to work in a clean way on a Linux GUI. Again, not applicable for pure Linux servers though:

Here’s my step-by-step that works on a fresh Ubuntu 16 install and pointed at a Cisco Meraki MX64. It includes a means of keeping the connection alive by using the monit utility:

Install the packages we will need
You’ll have to sudo up to root to install all this stuff

apt-get update
apt-get install -y strongswan xl2tpd

Configure strongswan
Note: this “cat >…..” method replaces the file with the contents that follow. You can kind of script the whole config part that way

cat > /etc/ipsec.conf <

Configure the preshared key
Note: you could just edit the file instead, so we don't have the shared key sitting in a Google doc history.
In that case, just add a line in /etc/ipsec.secrets that says:
nano /etc/ipsec.secrets
: PSK "pskgoeshere"
You may have to redo the double-quotes… google docs tries to be helpful
And, yes, that colon at the beginning of the line is necessary

cat > /etc/ipsec.secrets < /etc/xl2tpd/xl2tpd.conf <
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

cat > /etc/ppp/options.l2tpd.client < ” > /var/run/xl2tpd/l2tp-control
Redo the double-quotes. Google docs screws these up bad

How to [un]format the Google Docs "Smart Quotes" italicized quotes

When this works you should see a new interface when you look at the local routing table
route -n
The first one resolves DNS; the second doesn’t
You should see something like this:

Notice the middle one, and in the right-most column it has "ppp0"…. That's what you want.
If you don’t see it, wait 5-10 seconds and check again, then rerun that above “echo…..” command again.

When this works, you should see another connection in ifconfig
You should see something like this:

Notice the “ppp0” connection. It’s not there until after you run that above “echo…..” command. This is the actual VPN connection

Set up a route so we actually use the VPN interface
A few steps here, and I’ll show things with what I actually saw
The goal is to set a route that sends all traffic destined for addresses through the VPN connection.

Get the IP address of the local VPN interface
You need to get the IP address listed right after “P-t-P” in the “ppp0” interface

Add the route
route add -net gw
This makes the OS send all network traffic destined for any IP that starts with “10.x.x.x” through the interface, which means it goes through the VPN tunnel and to the Meraki VPN server, which then routes it as needed.

Disconnect the VPN
echo "d meraki-vpn" > /var/run/xl2tpd/l2tp-control
ipsec down meraki-vpn

Connect the VPN
ipsec up meraki-vpn
echo "c meraki-vpn " > /var/run/xl2tpd/l2tp-control

Making sure the VPN connection stays active
Latest: monit seems to be a viable means of making sure the vpn connection is stable.

Install monit
apt install monit

Create a config file aimed at monitoring our VPN connection
nano /etc/monit/conf.d/monitor_vpn
In there use the following:
check network ppp0 with interface ppp0
start program = "/bin/bash -c '/p4proxy_bh/'"
stop program = "/bin/bash -c '/p4proxy_bh/'"
if failed link then restart

Create the referenced scripts
nano /p4proxy_bh/
ipsec up meraki-vpn
sleep 5
echo "c meraki-vpn " > /var/run/xl2tpd/l2tp-control
sleep 5
route add -net gw

nano /p4proxy_bh/
echo "d meraki-vpn" > /var/run/xl2tpd/l2tp-control
sleep 5
ipsec down meraki-vpn
sleep 5
route delete -net gw

What this does:
The first “ppp0” in that monit config file is actually the name of the monitor…you could name it anything (used with “monit start ppp0” to manually run the monitor)
It’s saying if there is no interface by the name of “ppp0”, as would be the case when the VPN connection is down, then “restart”… in monit terms, “restart” = run the “stop program” and then the “start program” specs. It then also sets the route, just in case.

Monit wakes up and runs all the configured monitors every 2 minutes

monit status
Shows the last result of each monitor
This worked to successfully and easily detect that the VPN tunnel interface was down and automatically restart it.
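Added check, not part of the original post, that turns the "route -n" inspection above into a script: it reports whether ppp0 is present and whether the 10.x subnet is actually routed through it, which is the state the monit monitor is meant to keep. The sample routing tables and their addresses are constructed for the example.

```sh
#!/bin/sh
# vpn_link_check NET [IFACE]: read `route -n` output on stdin and confirm
# both that the tunnel interface appears and that NET is routed through it.
# Exit status: 0 both present, 1 interface missing (tunnel down),
# 2 interface present but the "route add -net ..." step has not been done.
# Usage on a real client: route -n | vpn_link_check 10.0.0.0 ppp0
vpn_link_check() {
  net="$1"; iface="${2:-ppp0}"
  awk -v net="$net" -v iface="$iface" '
    # the "Kernel IP routing table" banner and the column header never
    # start with a digit, so only real route lines get past this
    $1 !~ /^[0-9]/ { next }
    # Iface is the last column; the P-t-P host route shows ppp0 there too
    $NF == iface { seen_iface = 1 }
    $1 == net && $NF == iface { seen_route = 1 }
    END {
      if (!seen_iface) { print "no " iface " in routing table: tunnel is down"; exit 1 }
      if (!seen_route) { print "no route for " net " via " iface; exit 2 }
      print "ok: " net " routed via " iface; exit 0
    }'
}

# Constructed sample of `route -n` on a client with the tunnel up and the
# 10.0.0.0/8 route added (addresses are made up for this example).
SAMPLE_UP='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.0.0.0        10.1.1.1        255.0.0.0       UG    0      0        0 ppp0
10.1.1.1        0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Same client right after the "echo c meraki-vpn" step, before "route add":
# ppp0 exists (only its P-t-P host route) but 10.x traffic still leaves via eth0.
SAMPLE_NOROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.1.1.1        0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Demo against the constructed samples (the `||` keeps a non-zero status
# from aborting a shell running with set -e).
printf '%s\n' "$SAMPLE_UP" | vpn_link_check 10.0.0.0 ppp0 || echo "  (exit status $?)"
printf '%s\n' "$SAMPLE_NOROUTE" | vpn_link_check 10.0.0.0 ppp0 || echo "  (exit status $?)"
```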

Biggest Fail
All the “meraki-vpn” strings refer to each other. Some guides had inconsistent string names. The “conn” name and the “[Lac]” had to use the same string, in this case “meraki-vpn”.
Google Docs changes double quotes to fancy italicized ones, and when copied and pasted into a Linux terminal, they are technically *not* double-quotes, so your commands fail in all kinds of fun and interesting ways. Disable it:
There is a package you can now install that makes l2tp stuff much easier on Ubuntu desktop-with-a-GUI, but that won’t really work on command-line-only servers.

Here’s a message seen in “journalctl -xe” when nothing happens when you try to start the l2tp part (the “echo c….” command):
Aug 23 09:42:09 vpntest charon[1296]: 02[NET] sending packet: from[4500] to xxxxxxxxxx[4500] (60 bytes)
Aug 23 09:42:14 vpntest xl2tpd[1702]: Maximum retries exceeded for tunnel 3074. Closing.
Aug 23 09:42:14 vpntest xl2tpd[1702]: Connection 0 closed to xxxxxxxxx, port 1701 (Timeout)
Aug 23 09:42:19 vpntest xl2tpd[1702]: Unable to deliver closing message for tunnel 3074. Destroying anyway.
Aug 23 09:42:38 vpntest charon[1296]: 15[IKE] sending keep alive to xxxxxxxxxxx[4500]

A reboot of the VPN server on the MX64 resolved this.

Helpful debugging commands to use on the client
journalctl -xe
“Charon” messages are from ipsec (strongswan)
“Xl2tpd” messages are from xl2tp

/usr/sbin/xl2tpd -D
Can show xl2tpd-specific things