FFmpeg and Azure Media Services

Today I was preparing some video material for upload onto the Azure Media Services portal. Since MXF format is not supported as source for Azure Media Services I did transcode it with ffmpeg. I uploaded the videos but every encode job would fail with this error


Encoding task
UserInput : File type or codec not supported.

I checked again and again:

  • mp4 container: supported
  • aac audio, various profiles: supported
  • h264 video, various profiles: supported

But every encode task would fail. It turns out that ffmpeg encodes video in a 4:2:2 bitplane format by default but Azure supports only 4:2:0. By adding the option
-pix_fmt yuv420p
the the ffmpeg command line Azure encodes the videos resulting without any issue

VMware Horizon View Linux Ubuntu LTSP Thinclient

Focus here is not how tho setup a LTSP infrastructure but how to build a LTSP image to be used as a thin client for VMware Horizon View. PXE, tftp NBD is not discussed here.

We use the standard LTSP setup process, since this is the fastest way to get up and running . You need also to download the vmware linux view client. Some steps could contain errors, but you can use this as a guideline. I used 12.04 LTS for the ltsp image and 14.04 for the server.

Many ideas and code borrowed here https://github.com/leschartreux/ltsp-vmview , thank you!

Download the latest x86 VMware View Client bundle for linux


ltsp-build-client --arch i386 --kiosk --skipimage --dist precise --chroot ltsp-vmview
chmod a+x VMware-Horizon-Client-xxxxx.x86.bundle
cp VMware-Horizon-Client-xxxxx.x86.bundle /opt/ltsp/ltsp-vmview/root/
ltsp-chroot --arch ltsp-vmview /root/VMware-Horizon-Client-xxxxx.x86.bundle

You should get an output similar to this one and I did choose those options:

Smart Card(The Smart Card component enables Smart Card device
redirection from your local computer to the remote desktop.) [yes]: no

Real-Time Audio-Video(The Real-Time Audio-Video component allows you
to use local computer's webcam or microphone on the remote desktop.)
[yes]: no

Client Drive Redirection (Tech Preview)(The Client Drive Redirection
component enables folder redirection from your local computer to the
remote desktop.) [no]:

USB Redirection(The USB component enables USB device redirection from
your local computer to the remote desktop.) [yes]:

Virtual Printing(The Virtual Printing component allows you to use
local or network printers from a remote desktop without requiring that
additional print drivers be installed in the remote desktop.) [yes]: no

The product is ready to be installed:
USB Redirection
PCoIP
Horizon Client

Proceed the with some additional packages and setup:


ltsp-chroot --arch ltsp-vmview apt-get install libxss1 openssl openssh-server hsetroot matchbox flashplugin-nonfree libv4l-0 libudev0 libv4l-0 libudev0 libudev0 dvsource libv4l-dev acpid --yes

ltsp-chroot --arch ltsp-vmview ln -s /usr/lib/vmware/view/usb/libssl.so.1.0.1 /lib/i386-linux-gnu/libssl.so.1.0.1
ltsp-chroot --arch ltsp-vmview ln -s /usr/lib/vmware/view/usb/libcrypto.so.1.0.1 /lib/i386-linux-gnu/libcrypto.so.1.0.1
ltsp-chroot --arch ltsp-vmview ln -s /lib/i386-linux-gnu/libexpat.so.1 /usr/local/lib
ltsp-chroot --arch ltsp-vmview adduser --disabled-password view
ltsp-chroot --arch ltsp-vmview adduser view audio
ltsp-chroot --arch ltsp-vmview adduser view pulse
ltsp-chroot --arch ltsp-vmview adduser view pulse-access

ltsp-chroot --arch ltsp-vmview mv /etc/rc2.d/S50vmware-USBArbitrator /etc/rc2.d/S90vmware-USBArbitrator
ltsp-chroot --arch ltsp-vmview mv /etc/rc2.d/S55vmware-view-USBD /etc/rc2.d/S99vmware-view-USBD

Now it’s time to create some files:

ltsp-chroot --arch ltsp-vmview vi /etc/vmware/.xinitrc

matchbox-window-manager &
xset s off         # don't activate screensaver
xset -dpms         # disable DPMS (Energy Star) features.
xset s noblank     # don't blank the video device
exec /usr/bin/vmware-view  --allmonitors -l -s https://brooker.fqdn -d LOGINDOMAIN
shutdown -h now

ltsp-chroot --arch ltsp-vmview vi /etc/lts.conf

[default]
XKBLAYOUT="de"
CONSOLE_KEYMAP="de"
SCREEN_02="vmview"
KEEP_SYSTEM_SERVICES="acpid upstart-socket-bridge"

ltsp-chroot --arch ltsp-vmview vi /usr/share/ltsp/screen.d/vmview

#!/bin/sh
#
# The following script works for LTSP5 and was tested in Ubuntu 9.10 (Karmic Koala) Linux.
# Original rdesktop script by James A. McQuillan,
# modified for LTSP5 by Colin Osterhout of SERRC (www.serrc.org).
# modified for VMWare View Open Client by
#   Mikael Fridh 
#
# This software is licensed under the Gnu General Public License.
# The full text of which can be found at http://www.LTSP.org/license.txt


PATH=/bin:$PATH; export PATH
. /usr/share/ltsp/screen-x-common

if [ -x /usr/share/ltsp/xinitrc ]; then
    xinitrc=/usr/share/ltsp/xinitrc
fi

mkdir /home/view/
cp /etc/vmware/.xinitrc /home/view/
chown -R view  /home/view/
su - view -c "xinit" >/dev/null

ltsp-chroot --arch ltsp-vmview chmod a+x /usr/share/ltsp/screen.d/vmview

ltsp-chroot --arch ltsp-vmview vi /etc/vmware/view-mandatory-config

view.kbdLayout="de"
view.sslVerificationMode="3"
view.autoConnectBroker="https://brooker.fqdn" 

Now build the image
ltsp-update-image ltsp-vmview
And you are ready to deploy

GitLab and Shibboleth

At work I was trying to integrate shibboleth with with gitlab, with lots of issues. I followed the guide https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/integration/shibboleth.md but it wouldn’t work:

 

422

Sign-in using shibboleth auth failed


Sign-in failed because name can’t be blank.

There are couple of steps you can take:

  • Try logging in using your email
  • Try logging in using your username
  • If you have forgotten your password, try recovering it using Password recovery

If none of the options work, try contacting the GitLab administrator.

 

What to do

Let’s start with the config file /etc/gitlab/gitlab.rb. If you have problems the first thing to do is enable debugging

gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
  {
    "name" => 'shibboleth',
        "args" => {
        "debug" => "true",
        "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
        "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
        "uid_field" => 'HTTP_EPPN',
        "name_field" => 'HTTP_CN',
        "info_fields" => { "email" => 'HTTP_MAIL'}
        }
  }
]

Don’t forget to run

sudo gitlab-ctl reconfigure

you should get a debug output in the browser where you should be able to see the parameters shibboleth is passing to gitlab. Those three are very important:

  • HTTP_EPPN
  • HTTP_CN
  • HTTP_MAIL

In my case the HTTP_CN was not populated, I have to check why with my shibboleth admin. I decided to use display name instead, so my config file looks like this one

gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
  {
    "name" => 'shibboleth',
        "args" => {
        "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
        "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
        "uid_field" => 'HTTP_EPPN',
        "name_field" => 'HTTP_DISPLAYNAME',
        "info_fields" => { "email" => 'HTTP_MAIL'}
        }
  }
]

Again run

sudo gitlab-ctl reconfigure

and then you should enable Displayname in you apache shibboleth configuration. To do so edit the /etc/shibboleth/attribute-map.xml file and add those lines before the closing tag.

<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
<Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>

restart shibboleth

sudo service shibdb restart

and it should work. If you are getting an error saying that the email is not withelisted, remove all domains restrictions for signup in the admin page.

The fact is you need all those three fields to be able to create an account in gitlab. Without name, mail and uid it will miserably fail

 

Windows 8.1 – Programmatically refresh the start menu

In the last days I was working on a VDI deployment with Horizon View and AppVolumes. I had the need to be able to programmatically refresh the Start Menu/Start Screen. The problem is that sometimes when an AppStack is mounted the start menu won’t display the shortcuts to the applications in the AppStack and a user can’t launch them form the start menu.

I execute this code via GP and this causes a refresh of the start menu, displaying all new links. Here is the downlodable RefreshStartMenu.exe application, use it at your own risk 😀

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;

namespace ConsoleApplication1
{

	class Program
	{
		private const int SHCNE_UPDATEDIR = 0x00001000;
		private const int SHCNF_IDLIST = 0x0000;
		private const int CSIDL_COMMON_STARTMENU = 0x0016;
		private const int CSIDL_STARTMENU = 0x000b;
		[DllImport("shell32.dll")]
		static extern void SHChangeNotify(int wEventId, int uFlags, IntPtr dwItem1, IntPtr dwItem2);
		[DllImport("shell32.dll")]
		static extern Int32 SHGetFolderLocation(IntPtr hwndOwner, Int32 nFolder, IntPtr hToken, UInt32 dwReserved, out IntPtr ppidl);

		static void Main(string[] args)
		{

			IntPtr pidlCSM;
			IntPtr pidlSM;

			SHGetFolderLocation(IntPtr.Zero, CSIDL_COMMON_STARTMENU, IntPtr.Zero, 0, out pidlCSM);
			SHChangeNotify(SHCNE_UPDATEDIR, SHCNF_IDLIST, pidlCSM, IntPtr.Zero);
			SHGetFolderLocation(IntPtr.Zero, CSIDL_STARTMENU, IntPtr.Zero, 0, out pidlSM);
			SHChangeNotify(SHCNE_UPDATEDIR, SHCNF_IDLIST, pidlSM, IntPtr.Zero);
		}
	}
}

OSX iCloud Contacts not syncing

In the last month I was plagued by a Addressbook problem on one of my macs. No matter what, only about 500 of my over 1000 contacts where syncing on my Mac Pro. I have tired many times to disable and re-enable the contacts, to export all the contacts on the only mac where my contacts were complete, empty the address book and reimporting the contacts, but with limited success. Some corrupt contact was blocking my Mac Pro form syncing.

The console messages where not really helpful ranging from a generic

[snippet id=”18″]

to a more usefull

[snippet id=”17″]

X-MS-OL-DESIGN was a starting clue so I exported again all contacts in vcf and opened the file in a text editor to find which ones had the X-MS-OL-DESIGN property. The idea was to edit them, and remove the offending property. But first I wanted to check if this was really the cause of my problems. So every time I found a contact with the X-MS-OL-DESIGN property I copied it into a secondary iCloud account that I created years ago and deleted it from my primary account. After removing all entries with the X-MS-OL-DESIGN property, I was able to sync all remaining contacts on the Mac Pro. Moreover, by moving the offending contacts to the secondary account, the offending property was gone, and I was able to move them back in the primary account and they where synced perfectly.

RDP fix for XP Clients connecting to new Windows releases – MS15-031 Freak

Some XP desktop can no longer connect via Remote Desktop to newer windows releases where the patch  MS15-031 (KB 3046049) was installed. I was able to restore connectivity by specifying a GPO setting.

Run gpedit.msc and find “Computer Configuration – Administrative templates – Network – SSL Configuration Settings – SSL Cipher Suite Order

Enable the setting and paste those values:

TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5

YMMV, try not to enable  SSL or TLS ciphers that are to weak for your environment.

Provisioning Adobe CS6 with Citrix PVS

Adobe CS6 on provisioned desktops resets the license and therefore users receive a notification asking them to start a trial. After you ensure you have a volume license, you can follow the procedure below to successfully deliver this application through Citrix Provisioning Services.

1. Install Adobe CS6 in a Read/Write enabled image (Standard image) by specifying the license code and the account ID.

2. Install Adobe Application Manager, Enterprise edition downloadable here and start it by selecting Serialization File. Select a folder containing the installation files for Adobe CS6, insert the required license and login with your account ID. It will generate two files: AdobeSerialization.exe and prov.xml

3. Copy files to a directory inside the machine, create a bat file to be run as a scheduled task at user login, containing:

AdobeSerialization.exe --tool=VolumeSerialize --stream --provfile=prov.xml

4. Perform other tasks if needed before shutting down the R/W image, promote it to production and TADA!

Alice ADSL – IPv6 in dualstack con router OpenBSD

Un progetto che da tanto volevo concludere. Da anni Alice offre la possibilità di ottenere una connessione PPPoE dualstack impostando il login adsl@alice6.it con password IPV6@alice6. Uno dei problemi riscontrati dalla connessione dualstack è l’aumento delle latenze in IPv4, come riscontrato da altri utenti vedi per esempio http://www.hwupgrade.it/forum/archive/index.php/t-2479031.html. Problema che ho potuto riscontrare di persona: in caso di connessione dualstack i ping sul famoso DNS di Google passano da 12-15ms a 24-28ms. Visto che Alice permette di avere più connessioni PPPoE attive contemporaneamente ho deciso di creare due connessioni PPPoE. Una per il classico IPv4 e una in dualstack di cui però utilizzo solo la parte IPv6.

incomincio con il definire le due connessioni PPPoE

/etc/hostname.pppoe0
[snippet id=”9″]

/etc/hostname.pppoe1
[snippet id=”10″]

Bisogna poi trasportare l’advertisement del prefisso IPv6 dall’interfaccia PPPoE alla scheda di rete interna, jme0 in questo caso,  per l’autoconfigurazione. Wide dhcpd sembra essere il tool adatto.

/etc/dhcp6c.conf[snippet id=”11″] e lanciare il demone:
/usr/local/sbin/dhcp6c -c /etc/dhcp6c.conf pppoe1

Come ultima cosa è necessario lanciare il demone responsabile dell’advertisement delle rotte e prefissi in modo che i clients presenti sulla rete possano ottenere un ip pubblico.

/usr/sbin/rtadvd jme0

Bisogna ricordarsi di configurare pf, in caso contrario si corre il rischio di lasciare come raggiungibili tutti gli IPv6 assegnati ai client dietro al router.

Test_your_IPv6_

Citrix PVS – 2012 R2 – Deduplication

Some buddy of mine is using PVS in a university to manage the students PC. They are serving the images out of raid mirrors of Intel DC S3500 SSDs to reduce the number of spindles installed on the Citrix PVS servers. It’s a cost efficient solution and since they don’t need to host the write cache, read optimised SSDs are best suited for this task.

Over time more and more images have been created for serving different hardware and use cases totaling  about 650 GB of used space on the SSD mirrors. Space started to run low so they decided to enable deduplication on the  2012 R2 PVS servers. Since there is almost no write activity on the disks, fear of write amplification caused by deduplication is not a real issue. The VDI optimised dedup was chosen even if there is no write activity, but due to the similarity of workloads and due to the fact that this way it’s possible to deduplicate also open files. No background deduplication is taking place and there is a single dedup schedule taking place during the night when images are  usually not served.

Space usage went down from 650 GB to 77 GB, impressive but expected, PVS images have great similarity also across different operating system versions. This setup is now in test phase and if no issues arise, deduplication will also be deployed in the remaining PVS servers.

dedup