Dynamically change title of FreeBSD terminal windows in SSH sessions

For a while I have been working on a FreeBSD 10 desktop, and one thing I missed from my Mac OS X Terminal was the ability to have the title bar of my terminal window change when I connect via SSH to a remote host. With a lot of SSH sessions open in different windows at the same time, it becomes difficult to know which server you are sending commands to. So I solved this little annoyance by creating this alias in the .cshrc script:

alias remote 'printf \\033]0\;\%s\\007 "\!^" && ssh "\!*"'

I’m using the urxvt terminal, but I guess the solution should work well on any other UNIX terminal emulator for X11 out there.

At the same time, I found it useful to replicate in the title bar the same info I have in the prompt, so I added the following lines to the same configuration file, under the section that (in the default FreeBSD setup) checks whether this is an interactive shell:

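if ($?prompt) then
  if ( $?TERM ) then
    # %{ ... %} wraps the OSC 0 window title sequence so tcsh does not count it in the prompt width
    set prompt="%{\033]0;%N@%m:%~\007%}%N@%m:%c3 %# "
  endif
endif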

(In bold the code I added).

Dynamically change title of Mac OS X Terminal in SSH sessions

I have been using Terminal.app since I started using Mac OS X several years ago. In general I feel pretty comfortable using it and I didn’t need to look for alternatives. Obviously, the command I run most often on the command line is the ssh(1) client, which I think is among the tools most used by Unix server administrators.

This terminal emulator offers a wide range of customizations, including the possibility to assign a custom title to each tab or window you open, but I’d like to make the name of the host I connect to appear as custom title automatically, as soon as I connect to it, then changing back after I disconnect to whatever it was before.

I thought it was a pretty trivial task to accomplish, but it turned out not to be as easy as I supposed. The best method I found is to create a simple shell script to manage this tricky operation. So I’m now posting the solution for anyone who might find it useful or could suggest a simpler approach… here it is:

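#!/bin/sh
# This script changes the current Terminal window title and starts
# an ssh session with the host indicated in the argument
if [ -n "$1" ] ; then
 # Remember the current custom title so it can be restored afterwards
 oldtitle=`arch -i386 osascript -e 'tell application "Terminal" to get custom title of front window'`
 # Keep only the host part of user@host
 newtitle=`echo "$1" | sed -e 's/.*\@\(.*\)/\1/'`
 # printf interprets the escapes the same way in every shell, unlike echo
 printf '\033]0;%s\007' "$newtitle"
 ssh "$1"
 printf '\033]0;%s\007' "$oldtitle"
else
 echo "ERROR: you must enter a valid host name as argument."
 printf '\033]0;Terminal\007'
fi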

If you save these lines in a file called ~/bin/remote and chmod it to 755, you can use the following command to connect to your SSH server:

% remote user@server.domain

The custom title of the current window will be set from the hostname part of the command argument before you connect, and will be set back to whatever it was after you disconnect from the SSH session. If, for some reason, the script exits before setting the title back, you only need to launch it without arguments, and it will set the name to the default “Terminal” title.

Broken board on HP LaserJet P2015

Several weeks ago our network printer started to show an odd behavior: a couple of minutes after each reboot the firmware was crashing, simply putting the printer offline. Any attempt to upgrade the firmware or reinstall it was useless, since the printer became unresponsive before the procedure was able to complete. A couple of days ago, I found this post: “HP Laserjet P2015 Error Lights (LED’s) Stuck On”.
It seems unbelievable, but putting the formatter board in an oven at about 180 degrees Celsius for 8-10 minutes solved the problem. This is because of the poor assembly by the manufacturer: the chip was not correctly soldered to the board!! Thanks to this simple procedure we saved about 220 Euros that the HP customer service would have charged us because the warranty period was over.

We have experienced a long sequence of troubles with poor quality server products from HP, but after this last minor issue, I think this has been actually the last object we’ll ever buy from HP.

Migration to VirtualBox hypervisor on FreeBSD

It’s a step to which I gave a lot of thought. Our primary virtualization server was feeling a bit “outdated”… it was started almost six years ago with Microsoft Virtual Server 2005 and then upgraded to the “R2” release, looking forward to the (at that time) promising technology code-named Viridian (now called “Hyper-V”). After Microsoft’s fall, I evaluated the CITRIX XenServer and VMware ESXi hypervisors, but the first one, based on Xen, was not able to virtualize Windows without support for Intel-VT or AMD-V in the host’s CPU, and our server was bought just a few months before these technologies came out. ESXi seemed the right choice for us, but I wasn’t able to get a test machine complying with all ESXi hardware requirements in a timely fashion. In the meantime I started looking at VirtualBox on FreeBSD… until a couple of weeks ago I did not consider it a viable solution to operate as a server-side headless emulator, but after some days of studying and testing I realized that it is actually a strong choice if you need a simple yet reliable hypervisor to consolidate a few non-FreeBSD servers!

Now we have a good virtualization host, on which both Windows guests and FreeBSD jails can run at the same time. With this move the last Windows Server host has gone from our server farm! 🙂

I’ll post some technical details about this migration as soon as possible.

Upgrade pfSense cluster to 2.0-RELEASE

During the weekend we migrated our main firewall system to the latest release of pfSense. Although we had spent some hours testing in a pilot environment, a couple of minor issues were encountered in the process, as outlined below.

We upgraded the main node first (as suggested by the “Redundant Firewalls Upgrade Guide”). Then the secondary node was not syncing immediately after its upgrade, because the old webConfigurator SSL certificate was not selected by default. Selecting the right certificate and rebooting the 2nd node solved the problem.

Some bits of the OpenVPN configuration (we have been running a couple of site-to-site VPNs) were not retained correctly: tun(4) interfaces disappeared in favour of the new “ovpns” interfaces, so a reassignment was needed. After a couple of clicks all was working again flawlessly.

A little more work is planned to polish the configuration (for example, the FTP proxy is now implemented in a different way, and there is no need to allow port TCP 21 to external WAN addresses), but all the main functions are here, and the performance of the webConfigurator interface seems to be drastically improved.
In conclusion, we are very satisfied by this new version, which we have been running in production since it was released a few weeks ago, for some customer’s new firewalls.

High availability of services with ZABBIX and DNS failover

This blog was born only for testing WordPress some years ago, thus there is no reason to maintain it, but from time to time I like to post here about some change I make in our infrastructure, or about some product or technology I discover to be interesting, more to remind me when I did or read something than to actually inform someone out there, so please excuse me for the fuzzy style of the contents!

Today I put into production a procedure to make inbound Internet traffic automatically fail over to a secondary ISP link, by using the well-tested ZABBIX monitoring platform.

Our primary NOC uses two independent and fully redundant links (two-node firewall, two routers, etc.) in order to access the Internet, and all production-grade services (DNS, mail, IM, web, etc.) are continuously accessible on the public IP addresses of both links.

Until today, when a connection failure occurred, all clients in our internal networks were immediately able to continue browsing by using the failover link, thanks to a simple source-based routing rule applied by our pfSense cluster, whereas clients from the Internet couldn’t access the services through the secondary path until the RRs in our DNS zones were manually changed to answer resolvers with the public IP address in the range of our secondary ISP.

I evaluated a couple of good external DNS failover services: Dynect Active Failover, DNS Made Easy’s service. The first was too expensive for our needs and the second was missing the ICMP ping check we wanted to use.
Then I gave the failover host support of the TinyDNS package for pfSense a try. It works pretty well, but it would need two public IPs (one from each ISP range) to publish the djbdns service for the dynamically updated zone, and at this time the range from our secondary provider is exhausted.

So came the idea to run the dynamic zone on the same DNS servers we use for our public zones, but who might update the RRs in a reliable way? I was pretty confident in the link failure detection of pfSense, which I still use to redirect outbound Internet traffic, but I didn’t like the idea of trusting any other link failure detection script or daemon running inside my network… until I had a flash: ZABBIX has been reliably notifying me of link failures and recoveries for several months by now. Maybe I could configure it to run the nsupdate(1) command against our primary DNS server each time such an event is triggered!

In fact it has been pretty trivial to configure a new custom media type “script” (named “nsupdate_HA”) and execute it as an “operation” from the action performed when the trigger “link failure” is generated, as shown in this screenshot.

From now on, the hostname of each server publishing a “mission-critical” service can be stored as a CNAME pointing to an A-type record in the ha.valsania.it zone, which is automatically set to the right available public IP address. I measured that the reaction time to a link state change is around 40 seconds: this will definitely make me sleep better at night!

Maybe it can be useful for someone to take a look at the simple shell script I wrote to accept input from ZABBIX, or maybe someone can suggest some improvements!
Three arguments are expected (the recipient, the subject and the body of the message), but we only read the 2nd to know what’s happening, in order to execute proper failover and failback actions.
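
The handler described above can be sketched as follows. This is an added example, not the author's script and not part of the original post: the zone, record, addresses, server name and key path are placeholders, and it assumes the ZABBIX action subject starts with the trigger status (PROBLEM or OK).

```sh
#!/bin/sh
# Added example (not the author's script): ZABBIX "script" media type
# handler that repoints one A record with nsupdate(1).
# Every value below is a placeholder/assumption.
ZONE="ha.example.com"            # stands in for the dynamic zone
RECORD="www.ha.example.com."     # hypothetical A record behind the CNAMEs
PRIMARY_IP="192.0.2.10"          # documentation address, primary ISP
SECONDARY_IP="198.51.100.10"     # documentation address, secondary ISP
TTL=30                           # short TTL so resolvers re-query quickly
DNS_SERVER="ns1.example.com"     # primary DNS server (placeholder)
KEYFILE="/usr/local/etc/nsupdate_HA.key"   # TSIG key file (hypothetical path)

# Map the alert subject ($2) to the address to publish.
# Assumption: the ZABBIX action subject starts with the trigger status.
# Only two literal prefixes are accepted; the subject text itself is never
# copied into the nsupdate batch.
pick_ip() {
    case "$1" in
        PROBLEM*) printf '%s\n' "$SECONDARY_IP" ;;   # failover
        OK*)      printf '%s\n' "$PRIMARY_IP" ;;     # failback
        *)        return 1 ;;
    esac
}

# Print the nsupdate batch that replaces the A record with address $1.
build_batch() {
    printf 'server %s\n' "$DNS_SERVER"
    printf 'zone %s\n' "$ZONE"
    printf 'update delete %s A\n' "$RECORD"
    printf 'update add %s %s A %s\n' "$RECORD" "$TTL" "$1"
    printf 'send\n'
}

# ZABBIX passes: $1 recipient, $2 subject, $3 body. Act only on that call shape.
if [ "$#" -eq 3 ]; then
    if ip=$(pick_ip "$2"); then
        build_batch "$ip" | nsupdate -k "$KEYFILE"
    else
        echo "nsupdate_HA: unrecognised subject, nothing changed" >&2
        exit 1
    fi
fi
```

On the DNS server, restricting the TSIG key to that single record (BIND's update-policy statement does this) limits what a compromised monitoring host could change in the zone.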

Corporate blogs upgraded to WP 3.0

After all single-instance WordPress blogs were upgraded in the past nights, today we have upgraded the WPMU blogs collection to the latest release of WordPress.
The most significant advantage of this major release is that the multi-user and the single-instance versions of WordPress have finally been merged. The upgrade process was divided into two steps: first, we checked on a dedicated WP 3.0 installation that all themes, plugins and WPMU plugins were working well with the new release, then the production instance of WPMU was definitively migrated. With a bit of care (read the post “Upgrading WordPress MU 2.9.2 to WordPress 3.0”), all worked well at the first shot, without any issue.

Even if WordPress is working pretty well for our publishing needs, I’m still committed to migrating all corporate blogs to Drupal as soon as possible, because its architecture is much cleaner than WP’s, and because it’s the foundation of several web apps we are deploying both for us and our customers. But I know that the time I’ll be able to allocate to this activity is less than what I need to work it out… 🙁

Corporate Subversion server

After a couple of days spent in studying and testing, today the first SVN server was put in the development stage. A test repository is available for anonymous checkout and ViewVC browsing at http://svn.valsania.it. Commit privilege is granted only to selected accounts, defined both in Active Directory and htpasswd file.

This first deployment still has some rough corners, but the main goals are targeted:

  • simple anywhere access to the repository both for read and write access (via WebDAV and ViewVC);
  • secure transmission of credentials and data (enforced SSL offloading was activated);
  • integrated authentication with corporate directory service (thanks to the auth_ldap Apache module).

During the next days I’ll be committed to putting this service in the hands of all the developers who have the potential to be involved in any sort of collaboration with our company in the future!

CommuniGate VoIP services

A lot of time has passed since my last post, a lot of work has been done, a lot of hours have been spent studying and testing new solutions to better serve the needs of our corporate IT environment and our customers’ ones.

One of the bigger improvements is about the oldest form of synchronous collaboration: phone calls! One week ago our CommuniGate system began to route all voice traffic in and out of my business. Stalker’s product is the last piece of software I tested to manage this type of communications (another good candidate was Asterisk) and it proved to be the better choice for businesses of all sizes, thanks to its right price and its amazing scalability and reliability, which let it serve five thousand as well as five users with the same high level of performance and functionality.

The wide range of transport and access protocols supported lets our users connect and keep in contact from almost any client software or device on any platform to any customer or partner who might rely on public or private communication system and network (e-mail, Jabber, GTalk, SIP, PSTN, …), so dramatically simplifying the administrative efforts to connect these entities.

A lot of aspects were involved in such evaluation, which I can’t describe here and now, but the results of our tests convinced us that, even if CommuniGate’s strong backgrounds in carrier’s field make it miss a lot of enterprise features at this time, it has all the requirements needed to fight and win in the enterprise market, first of all because of its rock-solid architecture, which makes it run and be supported on almost twenty different computer architectures!

wpDirAuth versions

I’ve just read the “wpDirAuth-Versionen” post written in Dutch by Damian, who wishes to have it published in English too. I do not know very much about Dutch or English, but I think he has done a great job for the WordPress community, since this plugin has a tremendous impact on the usage of WordPress in the business environment, and I’m glad to post a translation of his article here.

“wpDirAuth is a useful plugin to create WordPress user accounts connected to an LDAP directory service. Unfortunately Stephane Daury, the developer who built it, does not seem to be interested in or to have the time to maintain it, so the project page, the official WordPress plugin page, and even the Google groups wpdirauth-support and wpdirauth-dev have become stale. Despite this, the plugin still seems to be functional: Adam Yeraout published on wpdirauth-support the 1.3 release for WordPress 2.5 and newer, Andrew Valsania wrote a patch to fix a password-check bug on his blog and published the 1.4 release.

In order to bring this versioning chaos under control, since the project-trac without an Administrator has become unusable, I’ve created my personal SVN repository, which also contains a revision history at https://www.delta-phi.net/svn/wordpress/wpDirAuth/tags/. Obviously I can commit other patches to SVN, but if someone would take over this work I could give him/her a dump of the repository.

I’ll be glad if someone would publish the same post in English…”

Thank you so much for your work! I hope that someone will be interested in keeping this plugin working and improving it even more.