the myIT blog

sipXecs Backups to Amazon S3

I recently had a situation where there were around 20 servers that needed to be backed up. In sipXecs 4.6 here is how I tackled it (for those running 4.4 gpg seems to be an issue so I haven't pursued that).

1. Install the s3tools repo (the .repo file has to land in /etc/yum.repos.d/ for yum to pick it up in the next step):

wget -P /etc/yum.repos.d/ http://s3tools.org/repo/RHEL_6/s3tools.repo

2. Install s3cmd via yum:

yum install s3cmd

3. Once s3cmd is installed you need an Amazon S3 account and its Access Key ID and Secret Access Key, which you can find in the Amazon S3 portal under "security credentials". You will also need to create a bucket and a bucket policy.

4. Bucket policy: everyone's security needs differ. Here is a very basic one to get you started; as written it allows anyone to read the objects in the bucket, so it is only a starting point.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::alvin/*"
        }
    ]
}
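The starter policy above grants s3:GetObject to every AWS principal ("AWS": "*"), which is what makes it public. As an added example (not from the original post, and not sipXecs or s3cmd code), here is a shell script that writes a least-privilege replacement for the same bucket "alvin" and prefix "pbx1/", scoped to a single IAM user, together with a small check that flags a wildcard principal in any policy file before it is applied. The account ID 123456789012 and the user name pbx1-backup are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post or of s3cmd/sipXecs.
# Writes a least-privilege bucket policy for the post's example bucket
# "alvin" and prefix "pbx1/", then checks a policy file for a wildcard
# principal before it is applied. The account ID 123456789012 and the
# IAM user name pbx1-backup are placeholders.

write_backup_policy() {
    out="$1"
    account="${2:-123456789012}"      # placeholder AWS account ID
    cat > "$out" <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Pbx1BackupObjects",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::${account}:user/pbx1-backup" },
            "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ],
            "Resource": "arn:aws:s3:::alvin/pbx1/*"
        },
        {
            "Sid": "Pbx1BackupList",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::${account}:user/pbx1-backup" },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::alvin",
            "Condition": { "StringLike": { "s3:prefix": [ "pbx1/", "pbx1/*" ] } }
        }
    ]
}
EOF
}

# Returns 0 (and prints the offending fragment) when a policy grants to
# every AWS principal, which is what "Principal": {"AWS": "*"} in the
# starter policy does; returns 1 when no such grant is present.
# Whitespace is stripped first so formatting differences do not matter.
policy_has_wildcard_principal() {
    tr -d ' \t\n' < "$1" \
      | grep -o -e '"Principal":{"AWS":"\*"}' -e '"Principal":"\*"'
}

# Usage: write the policy, then refuse to apply it if the check trips.
if [ $# -eq 1 ]; then
    write_backup_policy "$1"
    if policy_has_wildcard_principal "$1"; then
        echo "refusing to apply $1: wildcard principal" >&2
        exit 1
    fi
fi
```

s3cmd sync needs s3:ListBucket on the bucket plus s3:PutObject (and s3:DeleteObject if you pass --delete-removed) on the prefix, which is what the two statements grant; GetObject is kept so the same user can pull a backup back down. Two caveats: the access test in s3cmd --configure lists all buckets, an account-level permission a bucket policy cannot grant, so with a policy this tight that test fails even though the sync itself works (grant s3:ListAllMyBuckets to the user in an IAM policy if you want the test to pass); and since the backup user can delete objects, enabling versioning on the bucket keeps a deleted or overwritten backup recoverable.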

5. Test and configure s3cmd with:

s3cmd --configure

When the test succeeds, choose the option to save the configuration so you can use it.

6. Once you have done this and the test works, you can create a local backup and try to sync it. Here is the basic command to sync the local backup directory to your bucket. We'll use the example bucket name "alvin" and, inside the bucket, a directory called "pbx1" for a particular system to send its backups to:

s3cmd sync -r /var/sipxdata/backup/local/ s3://alvin/pbx1/

Pay attention to 'sync -r'. This means sync recursively, so the next time the cron job runs it will sync whatever has changed. This also means that if you manually created a backup outside of the schedule and left it on the system, the cron job will pick up just the changes and sync those too. It will also sync (delete) anything that has been deleted, so it "should" prune itself based on the local number of backups (just mirroring what is local). When I ran it, it showed almost no RAM and 1.3% CPU, so it does not appear to be service impacting either.

7. Automate it with cron. Everyone has a different need, but since we are backing up to the local drive, figure out what you need to save and schedule that in sipXecs. Then automate the offsite backup based on that schedule. (For example, I have a system whose configuration needs to be backed up weekly, keeping the last 52 backups on board, locally on the sipx server. That's a year's worth. I schedule sipx to do the local backups on Friday morning at 2am, and I run a cron job every Friday at 3am to sync the local backup directory.) My basic config file is 80MB in this example, so that's 4.5GB of storage for a system (configuration only; everyone's size will differ). Storage at Amazon for 5GB costs around 1 cent per month, so it won't be pricey.

0 3 * * 6 s3cmd sync -r /var/sipxdata/backup/local/ s3://alvin/pbx1/

At minute zero of hour three on day six of each week, run this command...

Conclusion: This totally works, and while not for the faint of heart, the payoff is completely worthwhile from a cost perspective. I do strongly suggest saving your Amazon credentials in more than one secure place, because without them you can't get to your bucket to retrieve the data either. You can also have different Amazon S3 credentials for different systems, so the storage can be paid for using their credentials.

To figure out your storage costs, do a local backup, peek at the size, determine what your frequency and number of backups will be then launch the amazon storage calculator. I think my monthly cost was 1 cent for 50 weeks worth tallied up.

You do need to fix your access policy in S3 according to your security needs. My example is deliberately minimal so that anyone somewhat new to S3 can get a backup of their data done quickly, and then figure out how they want to construct policies, access keys, buckets, folders and the like.

Postlogue:

When you have one organization and multiple systems to configure like this, keep in mind that s3cmd has a corresponding config file; if someone wanted to take this up, it could be implemented and configured from within sipx as well. Using cron you can probably capture the results of the cron job, inspect them, and if you get an error or failure, feed it to the alarms group and have a notification sent via email. There are simply lots of options. Also keep in mind that if you installed s3cmd as root, you will find the config file, once you have created it, at /root/.s3cfg
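As an added example (not part of the original post, and not sipXecs or s3cmd code), here is one way to do what this paragraph describes: a wrapper that the cron entry runs instead of the bare s3cmd command. It logs every run, refuses to start if /root/.s3cfg is readable by anyone other than its owner (the file holds the secret access key), and mails an alert when s3cmd exits non-zero rather than letting the failure vanish into cron's output. It assumes s3cmd and /root/.s3cfg as in the post; the bucket path is the post's example and the alert address is a placeholder. Feeding a failure into the sipXecs alarms group is left as the author suggests; the mail(1) call is where that hook would go.

```shell
#!/bin/sh
# Added example, not part of the original post or of sipXecs: a wrapper
# for the cron job that logs each run, refuses to run with a readable
# .s3cfg (it holds the secret key) and reports failures by mail instead
# of losing them. Assumes s3cmd and /root/.s3cfg as in the post; the
# bucket path is the post's example and ALERT_MAIL is a placeholder.

BACKUP_DIR="${BACKUP_DIR:-/var/sipxdata/backup/local/}"
BUCKET_PATH="${BUCKET_PATH:-s3://alvin/pbx1/}"
S3CFG="${S3CFG:-/root/.s3cfg}"
S3CMD="${S3CMD:-s3cmd}"                            # overridable for dry runs
LOG_FILE="${LOG_FILE:-/var/log/sipx-s3-backup.log}"
ALERT_MAIL="${ALERT_MAIL:-pbxadmin@example.com}"   # placeholder address

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"
}

# The config file must exist and be readable by its owner only (mode 600
# or 400): in "ls -l" terms the group and other bits must all be "-".
check_cfg_perms() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

notify_failure() {
    msg="s3cmd sync of $BACKUP_DIR to $BUCKET_PATH failed with exit code $1 on $(hostname 2>/dev/null); see $LOG_FILE"
    log "ALERT: $msg"
    # mail(1) is only used when an address is set and the command exists;
    # this is the place to hand the failure to the sipXecs alarms group.
    if [ -n "$ALERT_MAIL" ] && command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$msg" | mail -s "sipXecs S3 backup FAILED" "$ALERT_MAIL"
    fi
}

# Exit codes: 0 synced, 2 bad config file permissions, 3 missing backup
# directory, anything else is s3cmd's own exit status.
run_sync() {
    if ! check_cfg_perms "$S3CFG"; then
        log "ERROR: $S3CFG missing or readable by others; refusing to run"
        return 2
    fi
    if [ ! -d "$BACKUP_DIR" ]; then
        log "ERROR: backup directory $BACKUP_DIR does not exist"
        return 3
    fi
    # --delete-removed makes the bucket mirror local deletions, so the
    # remote copy is pruned by the local retention count; without it
    # s3cmd never deletes remote objects.
    "$S3CMD" -c "$S3CFG" sync -r --delete-removed "$BACKUP_DIR" "$BUCKET_PATH" >> "$LOG_FILE" 2>&1
    rc=$?
    if [ "$rc" -eq 0 ]; then
        log "OK: synced $BACKUP_DIR to $BUCKET_PATH"
    else
        log "ERROR: s3cmd exited $rc"
        notify_failure "$rc"
    fi
    return "$rc"
}

# cron entry for a Friday 03:00 run (cron counts Sunday as 0, so Friday is 5):
#   0 3 * * 5 /usr/local/sbin/sipx-s3-backup.sh run
if [ "${1:-}" = "run" ]; then
    run_sync
    exit $?
fi
```

Two details worth knowing: s3cmd sync only deletes remote objects when given --delete-removed, so without it backups rotated out locally stay in the bucket and the storage bill grows; and cron numbers days of the week from Sunday = 0, so a Friday 3am run is 0 3 * * 5 (a 6 in that field fires on Saturday).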

Manually copying this file to multiple systems (ahem... replicate via mongo as an example) makes the process that much simpler.

My initial aim was just to get people looking at this. I found s3cmd to be painful until you get the syntax right. While not hard, it's unforgiving, and the error messages I got during the initial trial were useless for the most part.

Happy S3'ing!

sipXecs :: vlan how-to

Normally I don't post about things related to sipx unless they are directly related to sipx. 

For the past year or so I've taken a different approach to how I deploy sipx for what I would claim "obvious ease of use" reasons.

There are some caveats: when you don't control the firewall, the firewall vendor/admin needs to know how to deploy VLANs on their device. Some don't, which is something I had to wade through last year. After I did that, the vendor moved some equipment and there were dueling DHCP servers between the data and voice networks.

Lesson learned: try to force the outcome before deployment. Make the vendor ante up the talent to deploy their firewall so that the ethernet ports are all trunked.

So, here's the skinny: it's really a Linux thing.

First, copy the config file for the network interface (if you're not sure which interface it is, run ifconfig).

Ex: eth0

cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.2

Then edit out all but the first two lines of ifcfg-eth0. In ifcfg-eth0.2, change the name from "eth0" to "eth0.2" and on the next line add "VLAN=yes".

You will want to stop sipx services, then restart networking (service network restart). Assuming the interface comes up with no errors, start sipx services. Now make sure your switch where sipx is plugged in is VLAN2=tagged.

You will need to repeat the process with your gateways to make sure they are vlan2 tagged in their respective configs before changing the switch port from vlan2=untagged to vlan2=tagged. 

Now with your phones on the same VLAN (2), it's easy to move the server to whatever port you want. No more DHCP feuds either.
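The steps above, as an added example that is not part of the original post: a shell function that builds the tagged sub-interface file from an existing ifcfg file by key rather than by line position, and trims the parent down to the physical-link settings, which is the layout the RHEL/CentOS 6 network-scripts expect (DEVICE with the ".<id>" suffix plus VLAN=yes on the sub-interface, addressing moved off the parent). It assumes the usual /etc/sysconfig/network-scripts/ifcfg-<dev> files; the source path and VLAN id are arguments, and the original file is kept as ifcfg-<dev>.orig.

```shell
#!/bin/sh
# Added example, not from the original post: builds the tagged VLAN
# sub-interface file from an existing ifcfg file by key rather than by
# line position, and trims the parent down to the physical-link settings
# (the layout RHEL/CentOS 6 network-scripts expect). Assumes the usual
# /etc/sysconfig/network-scripts/ifcfg-<dev> layout; paths are arguments.
#
# Usage: make_vlan_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0 2
#        -> writes ifcfg-eth0.2, rewrites ifcfg-eth0, keeps ifcfg-eth0.orig
# Afterwards: stop sipx services, "service network restart", start them
# again, and switch the port to VLAN 2 tagged, as the post describes.

make_vlan_ifcfg() {
    src="$1"
    vid="$2"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    case "$vid" in
        ''|*[!0-9]*) echo "VLAN id must be numeric: $vid" >&2; return 1 ;;
    esac
    dev=$(sed -n 's/^DEVICE=//p' "$src" | tr -d '"' | head -n 1)
    [ -n "$dev" ] || { echo "no DEVICE= line in $src" >&2; return 1; }
    dst="${src}.${vid}"

    cp -p "$src" "${src}.orig"        # keep the untouched original

    # The VLAN file carries the addressing (IPADDR, NETMASK, GATEWAY,
    # BOOTPROTO, ONBOOT...). The MAC belongs to the parent, and DEVICE is
    # renamed with the ".<id>" suffix that tells the scripts which physical
    # interface to tag on.
    {
        grep -v -e '^DEVICE=' -e '^HWADDR=' -e '^VLAN=' "${src}.orig" || true
        printf 'DEVICE=%s.%s\nVLAN=yes\n' "$dev" "$vid"
    } > "$dst"

    # The parent keeps only what is needed to bring the physical link up
    # with no address of its own.
    {
        printf 'DEVICE=%s\n' "$dev"
        grep '^HWADDR=' "${src}.orig" || true
        printf 'ONBOOT=yes\nBOOTPROTO=none\n'
    } > "$src"
}

if [ $# -eq 2 ]; then
    make_vlan_ifcfg "$1" "$2"
fi
```

Run it once per server before touching the switch port, and do the same on the gateways' configs, so that nothing is left untagged when the port flips from untagged to tagged.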

Malware on a Wordpress site? Say it ain't so!

Recently my wife was trying to view a website for a local business and her Google toolbar stopped her cold. She emailed me from her office and asked my opinion. I said "don't go there".

Malware. Google says proceed at your own risk.

So cranking up a guest account on a chromebook I went to investigate. I can safely ignore these types of errors on this type of device. The worst thing that could happen is it takes me to an undesirable place. Both my home and work firewalls have snort and content filtering so I threw caution to the wind and dived in.

In looking at the source of the page it was some kind of page tracker, referencing someone's UA code for Google Analytics. The link source was "www.adultbiz.in". It was a wordpress site. Enough said. I see this kind of nonsense all the time. Why are you using an adult business firm (ahem, porn redirector domain) to help you track pages? 
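The check described above (reading the page source and spotting a script loaded from a host that has no business being there) can be automated. As an added example that is not part of the original post, here is a small sh/grep/sed script that lists every external host a page loads <script> code from and compares that list with an allowlist of hosts the site owner expects; the sample page and allowlist it ships with are constructed for the demo and reproduce the pattern the post describes (a Google Analytics loader next to an injected loader from a third-party host).

```shell
#!/bin/sh
# Added example, not part of the original post: lists the external hosts
# that a page loads <script> code from, so an unfamiliar host (the kind
# of tracker the post found) stands out, and compares that list with an
# allowlist of hosts the site owner expects. Pure sh + grep/sed; the
# sample page and allowlist below are constructed for the demo.

# Print one lowercase host per line for every <script ... src="..."> in
# the file. Lines are joined first so a tag split across lines is seen,
# and single quotes are normalised to double quotes for matching.
list_script_hosts() {
    tr '\n' ' ' < "$1" \
      | tr "'" '"' \
      | grep -oi '<script[^>]*>' \
      | grep -oi 'src="\(https\{0,1\}:\)\{0,1\}//[^/"]*' \
      | sed -e 's/^[Ss][Rr][Cc]="//' -e 's#^\(https\{0,1\}:\)\{0,1\}//##' \
      | tr 'A-Z' 'a-z' \
      | sort -u
}

# Print the script hosts that are not in the allowlist file (one host per
# line). Exit status is 0 when something unexpected was found, 1 when the
# page only loads scripts from allowed hosts.
find_unexpected_hosts() {
    list_script_hosts "$1" | grep -v -x -F -f "$2"
}

# Constructed sample page reproducing the pattern the post describes: a
# Google Analytics loader plus an injected loader from a third-party host
# (the UA code is a placeholder).
write_sample_page() {
    cat > "$1" <<'EOF'
<html><head><title>Local business</title>
<script type="text/javascript"
        src="https://www.google-analytics.com/ga.js"></script>
<script src='http://www.adultbiz.in/track.js?ua=UA-0000000-1'></script>
<script>var pageTracker = 1;</script>
</head><body><img src="http://cdn.example.com/logo.png"></body></html>
EOF
}

# Usage: scan-scripts.sh saved-page.html allowed-hosts.txt
if [ $# -eq 2 ]; then
    find_unexpected_hosts "$1" "$2"
fi
```

Save the page with wget or curl from a machine you don't mind exposing (the post's guest-account Chromebook approach), keep the allowlist to the handful of hosts you knowingly added (your analytics provider, your CDN), and anything else in the output is a plugin or theme to go and look at. Inline scripts with no src attribute are not covered by this check.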

Actually, those porn operators probably know a lot more about tracking pages than anyone else, but, it might not be good for every business. 

One of the reasons I like the newer sites (Tumbler, squarespace and the like), admittedly this is a basic Squarespace site I imported from Wordpress after coming to the realization the incessant security patches and quality and trustworthiness of plugins were JUST NOT WORTH IT, is that the framework is all very much hardened. It's both mobile friendly to users and admin, and very google friendly for analytics, webmaster tools and also to us Google Apps users (calendars, forms, etc.). 

Webmasters, especially WordPress webmasters, never want to hear this. It makes them dispensable. When my hosting application provider is also the "author" of the code that runs my site, and that same company is also scanning their framework to ensure it does not fail security checks and that the HTML it produces does not offend any sensibilities, it makes me worry less.

Of course, I can always inject some code of my own, but since my provider allows me to simply put in my analytics code and all my social network stuff, I don't have to include plugins that start redirecting our customers to "hardcore porn images of the latin persuasion".

If all I knew was WordPress, I guess I could add a security scanner plugin to scan my plugins. I wonder who poorly coded that though...

When an ITSP goes haywire...

Earlier this week, I got a lot of calls. A good standby ITSP went haywire. 

So they added 20 or 30 more POP locations in the US. Then their network got really weird and calls wouldn't complete with strange recordings.  

It hit one of my systems at work we use for testing. 

So, if you are searching our site (we saw a lot of search queries this week with this particular ITSP mentioned in our analytics), here's your cure:

Change your registration time to 180 seconds. Change your gateway to your closest city (i.e. use the netselect ping tool or something similar to compare them all), and also make sure your firewall and any shaping formulas you are using reference this by IP or hostname, whichever yours works by.

Make the change then ensure your registration hits the new city and has the right information in it.
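As an added example (not part of the original post), here is a small shell script for the "compare them all" step: it pings each candidate proxy and prints them fastest first, with unreachable ones last, so the registration can be pointed at the nearest POP. The host names used in the usage comment are placeholders, not the ITSP's real proxies, and PING_CMD is a variable so the ranking logic can be exercised without network access.

```shell
#!/bin/sh
# Added example, not from the original post: ranks a list of ITSP proxy
# hosts by average ping RTT so you can pick the nearest POP, the job the
# post suggests netselect for. PING_CMD is overridable so the ranking
# logic can be exercised without network access; the host names in the
# usage comment are placeholders, not the ITSP's real proxies.

PING_CMD="${PING_CMD:-ping -c 3 -q}"

# Read ping output on stdin and print the average RTT in ms from the
# summary line ("rtt min/avg/max/mdev = 10.1/12.3/15.0/2.0 ms" on Linux,
# "round-trip min/avg/max = ..." on BusyBox); prints "unreachable" when
# no summary line is present, i.e. every probe was lost.
avg_rtt() {
    avg=$(sed -n 's#.*min/avg/max[^=]*= *[0-9.]*/\([0-9.]*\)/.*#\1#p' | head -n 1)
    if [ -n "$avg" ]; then
        printf '%s\n' "$avg"
    else
        printf 'unreachable\n'
    fi
}

# Read host names from stdin (one per line), ping each, and print
# "<avg-ms> <host>" sorted fastest first, unreachable hosts at the end.
rank_proxies() {
    results=$(while read -r host; do
        [ -n "$host" ] || continue
        rtt=$($PING_CMD "$host" 2>/dev/null | avg_rtt)
        printf '%s %s\n' "$rtt" "$host"
    done)
    [ -n "$results" ] || return 0
    printf '%s\n' "$results" | grep -v '^unreachable' | sort -n -k1,1
    printf '%s\n' "$results" | grep '^unreachable' || true
}

# Usage (placeholder hosts):
#   printf 'sip-east.example.net\nsip-west.example.net\n' | rank-proxies.sh
if [ -t 0 ]; then
    echo "usage: printf 'host1\\nhost2\\n' | $0" >&2
else
    rank_proxies
fi
```

Once you have picked the winner, the post's remaining steps still apply: update the gateway, then confirm in the registration that the new city is the one answering.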

It's strange that they won't acknowledge they changed their proxy-to-proxy registration interval timer(s) from 1800 seconds (30 minutes) to 180 seconds (3 minutes). This was kind of a waste of time, and they should have blasted all of this out to the rest of us.

To Chromebook, or not to chromebook...

Here are our thoughts after a few weeks with a new chromebook... it was not for us

Our use case may be different but realize Chrome is not Android. 

  • Netflix. OK, not really a business app but still it didn't run for a couple of weeks because we were in developer mode (not). Eventually flipping back and forth between their stable/beta and developer channel brought us to a version where Netflix works. What happens with the next update?
  • When you download files you can't rename them before opening. i.e. A file named file.cfg won't open even though it is plain text. You can't rename the file. You have to upload it to Google Docs, then open it. It's somewhat laborious. If you could rename it, you could open it instead of dancing with it.
  • Occasionally we have the need to serially connect to ancillary network equipment. NO WAY we can do that with Chromebook, there is no USB to RS232 driver or app for that. So carry a second computer along... just for that.
  • As with the serial connection there is a need to telnet (or ssh). SSH can be achieved with a free app in the Chrome Webstore. But if you do not have an SSH server locally to connect to then telnet FROM, you're out of luck (again).
  • The device boots up fast! I'm not happy with the battery life, nowhere near advertised. When I shut my device off, then open the cover, the power light stays on. That bothers me, thinking the firmware has a bug and there is no apparent BIOS option to fiddle with settings.
  • When browsing and using it as a consumer device, the Chrome browser crashes using even the stable channel A LOT. That's a real timesucker.
  • They give you a lot of storage on some devices in Google Drive, but since you can't manipulate files locally a whole lot, they pretty much have to give you some storage that allows this. The bandwidth is still pretty much on you, and it still seems punitive and not efficient.

So although it has a keyboard and boots extremely fast, it is STILL a web browser, and one that crashes a lot! With only 6-8 pages open it simply shuts down, and restoring the pages doesn't log you back in to all of them. It seems it could be better, and it does not happen with Chrome at the same frequency on, "gasp", a Windows machine! The Chrome Webstore is sparse in comparison to Google's Play Store. Trying to shore up the OS by using even more impressive hardware makes no sense to us. Even as a sparse-function operating system, it's really rough around the edges.

As for the new Google Pixel... 1,300.00 dollars for a laptop with a touchscreen? It's STILL just a web browser in reality. It's a Chromebook, not a notebook, laptop or ultrabook.

The unanswered questions (for us) are:

  1. Is driver support for Linux or Windows for the hardware so we can fdisk  the SSD so we can actually use it for real work?
  2. Should we see if HP will take it back? (They did, no questions asked as soon as we started talking about the battery life)
  3. What the heck is Google thinking? They have mis-stepped badly with the Galaxy Nexus on Verizon and really jeopardized the Nexus moniker. Now they have multiple (at least 4) manufacturers of Chrome "blessed" devices and their experiences vary far too greatly.
  4. The new Chromebook Pixel is going to be available with a Verizon LTE subscription (limited monthly use) built in (one variant anyway). Why not release both models at the same time? Why not support some USB drivers for aircards (USB modems)?
  5. What the heck are they doing with Motorola Mobility? Motorola has yet to ship anything really impressive since the purchase. At the same time, Google hasn't had much luck in showing the value of the Motorola patent portfolio in court, and Apple has them on the ropes still. They should not have entered the stalking horse bid on the Nortel patents and should have actively pursued that portfolio purchase; they really miscalculated that one and it will cost them for years.

Maybe when ChromeOS grows up it will meet our needs. If all you need is basic consumer'ish stuff, it might suffice for you assuming they can stabilize the platform. Based on the basic browser functionality we doubt it will be very satisfying to consumers, at least for now. 

UPDATE - The small Samsung Chromebook heavily advertised for 249.00 is something we're fonder of than the last HP we sent back. We've also been testing with a Chromebox. In the meantime, we tried to use the Google (paid) policy to send a profile down to the device to do the following things:

  • Set the homepage
  • Start the browser in full screen mode
  • Start as guest account, no login required
  • Set a VLAN on the Ethernet interface (seems not possible in any way)

None of these would work. Google still has a LONG way to go.

It's also worth mentioning that the Samsung form factor is really cool, but it SUCKS because there is no mounting method for it (i.e. VESA, etc.). Again, not really sure if the Chrome guys are only baking halfway, or maybe they are just design geeks who don't manage any networks with devices, or how much Samsung pays attention to the details, but they are surely missing a lot of them on Chrome (so far).