Programming

Using Fullscreen Lightbox with Ghost

Posted on by Kenneth Ballard / 0 Comment

Add this code to the default.hbs file in your theme at the bottom before the {{ghost_foot}} helper. Don’t forget as well to include the fslightbox.js file. And to ensure the code is used only when needed, enclose both the line pulling in fslightbox.js and the below code block in the {{post}} helper.

// Lightbox: https://fslightbox.com/
// Adapted from: https://brightthemes.com/blog/ghost-image-lightbox
// Improved to make it so each gallery has its own lightbox
// unless the galleries are immediately adjacent to each other.

// Also removed using a lightbox for individual images since my
// current Ghost theme ("Edge") doesn't use a lightbox for
// individual images.

let galleries = document.querySelectorAll('.kg-gallery-card')
let galleryIdx = 0
let hasImages = false

let lastGallery = document
galleries.forEach(function (gallery)
{
    // Ghost has a limit of 9 images per gallery. So if two or more
    // galleries are placed one immediately after the other - no
    // other blocks between them - then treat the galleries as if
    // they are together.

    if(lastGallery.nextElementSibling != gallery)
        galleryIdx++

    lastGallery = gallery

    let images = gallery.querySelectorAll('img')
    images.forEach(function (image)
    {
        hasImages = true
        var wrapper = document.createElement('a')

        wrapper.setAttribute('data-no-swup', '')
        wrapper.setAttribute('data-fslightbox',
            'gallery_' + galleryIdx.toString())
        wrapper.setAttribute('href', image.src)
        wrapper.setAttribute('aria-label', 'Click for Lightbox')

        image.parentNode.insertBefore(wrapper,
            image.parentNode.firstChild)

        wrapper.appendChild(image)
    });
});

if(hasImages)
    refreshFsLightbox()
Docker/Plex

Migrating Plex from a VM to Docker

Posted on by Kenneth Ballard / 0 Comment

In a previous article, I described migrating Plex from one VM to another. In recently rebuilding my virtualization server, now called Cordelia, I decided against creating a VM for Plex. I have a few Docker containers running on it and decided to let Plex be another rather than constricting it to a set amount of memory and core count through a VM.

Migrating from a Plex VM to the Docker container is pretty straightforward. Just a few things to keep in mind. Along with creating a script you can run whenever there are server updates, since you can’t just… install a new version over the existing one like you could before.

Note: If you’re considering migrating Plex to Docker or running anything through Docker, make sure to install Docker CE from Docker’s repository. Don’t install the version of Docker from your distribution’s repositories. This will ensure you have the latest version – meaning also the latest security updates – and greatest compatibility.

I’ll also presume in this article that you know your way around a Linux setup, particularly the bash command line. You don’t need to be great with Docker containers, but some knowledge there will be helpful as well.

Backing up the server

First step is to back up the library on the original server. As root or an administrator, after stopping Plex Media Server:

cd /var/lib
sudo tar cvf plexmediaserver.tar plexmediaserver/
gzip plexmediaserver.tar

This should give you a .tar.gz backup of your Plex instance. I have a pretty large library – over 400 movies and specials, over 300 music albums, and 37 TV shows, most of which are complete series (and yes, I own physical copies or licenses to everything on it) – so my backup ended up being over 4GB. Compressed. Your mileage will vary.

My Plex server pulled from NFS shares on my NAS, so I made sure to also copy off the relevant fstab entries so I could restore them. Make note of however you have your media mounted to your Plex VM or physical server, the actual paths to the media. For example, on my Plex VM, I had the media mounted to these paths, meaning these paths are also what the Plex Docker container would be looking for:

  • /mnt/tv
  • /mnt/movies
  • /mnt/music

Transfer the backup file off the server somehow and shut it down.

Mount points

Here is where things get a little tricky. I think it best I just illustrate this using my directory mounts. To recap, these were the paths to the media I had with my Plex VM, meaning these are the paths the container will want:

  • /mnt/tv
  • /mnt/movies
  • /mnt/music

Paths work far different in containers compared to a virtual machine. When you install the Plex service on a virtual machine, it can see all paths it has permission to access.

Containers are a bit more isolated. This means you don’t have to worry about a container having access to more than you want it to, but it does mean you have to explicitly mount into the container whatever you want it to access.

There isn’t anything wrong, per se, with maintaining these mount points on the Docker host. It’s not like I’m going to have any other Docker containers using them. But I instead chose to consolidate those mount points under a subdirectory under /mnt on Cordelia:

  • /mnt/media/tv
  • /mnt/media/movies
  • /mnt/media/music

Why do this? It’s cleaner and means a simpler set of commands for creating the container.

Had I kept the same mount points as before – e.g., /mnt/tv, etc. – I would need a separate volume switch for each. Having everything under one subdirectory, though, means having just one volume switch that catches everything, as you’ll see in a little bit.

However you create the mount points, don’t forget to add them to your /etc/fstab file for your Docker host.

Your library

Now you’ll need another directory for your library files – i.e. the compressed archive you created above. Just find a suitable spot. You can even put it back at /var/lib/plexmediaserver if you want, following the restore commands in my previous Plex article. I have it on Cordelia’s NVMe drive.

Just remember that the archive you created above will create a directory called plexmediaserver when you extract it. And, obviously (hopefully), do NOT delete the archive until you confirm everything is working.

Creating/updating the Plex container

sudo docker stop plex
sudo docker rm plex

sudo docker pull plexinc/pms-docker

sudo docker run \
-d \
--name plex \
--network host \
-e TZ="America/Chicago" \
-v /path/to/plexmediaserver:/config \
-v /path/to/media:/mnt \
-h plexmedia \
plexinc/pms-docker

Copy and paste the above script into a shell file on your server – e.g. “update-plex.sh” – and give it proper permissions. Whenever Plex tells you there’s a new version available, just run the above script. Obviously (hopefully) the first time you run this, the commands to stop and remove the Plex container will print out errors because… the container doesn’t exist yet.

  • /path/to/plexmediaserver is the path where you extracted your backup archive
  • /path/to/media is, in my instance, the /mnt/media directory I mentioned above

If I had kept the separate mount points, I’d need individual -v switches for each path – e.g. -v /mnt/movies:/mnt/movies. Having all of them consolidated under /mnt/media, though, means I need just the one -v switch in the above script.

The latter volume mount is what ensures the Plex container has the same path for the library files. So when the library says the episodes for Game of Thrones, for example, are at /mnt/tv/Game of Thrones, it can still find them even though the Docker host has that path mounted as /mnt/media/tv/Game of Thrones.

After you create the container for the first time, you’ll want to interact with the container to make sure your mount points are set up properly:

sudo docker exec -it plex bash

Under /config you should see just one directory: Library. Under Library should be… everything else Plex will be looking for. And check your media mount point to make sure the directories there look as they did on your previous VM.

If any of the mount points don’t look right, you will need to massage the script above and re-run it to create a new container. Then just rinse and repeat with interacting with the container to validate the mount points.

Don’t forget to add the needed ports to your firewall: you must open 32400/TCP, and if you intend to use DLNA, you need to open 1900/UDP and 32469/TCP.

Making sure it all works

And lastly, of course, open one of your Plex clients and try playing something to verify everything works and that it doesn’t show the media item as “unavailable”. If anything is “unavailable”, you need to double-check your -v paths in your script. Use “Get Info” on the media item to see what path it’s trying to use to find it so you can double-check everything.

10Gb network upgrade

Troubleshooting 2.5Gb power over Ethernet

Posted on by Kenneth Ballard / 0 Comment

This quick post is for those with a 2.5Gb PoE device, such as a WiFi 6 access point, that either won’t run at 2.5GbE speeds at all or falls back to 1Gb or 100Mpbs after a short time.

On my home network I have several TP-Link devices. Relevant to this article is my EAP670 WiFi access point and TL-SG3210XHP-M2 2.5GbE PoE+ switch. And for some reason the EAP670 wouldn’t run faster than 100Mpbs.

Sound familiar?

Well there’s a simple solution I’m surprised I never thought of sooner: DON’T. USE. CAT5E! Don’t use Cat6 or Cat6A either.

To be sure your 2.5Gb PoE device will talk at 2.5GbE speed, use Cat7. When I switched out the Cat5E cable for Cat7, the access point had no problem staying at 2.5Gb. You might get away with Cat6A, but you’re better off using Cat7.

Cat5E will work fine for non-PoE 2.5GbE devices. But it won’t work for 2.5GbE POE. Again, use Cat7.

EAP670 connected at 2.5Gbps full duplex with PoE.
Capitalism/Economics

How employment actually works

Posted on by Kenneth Ballard / 0 Comment

Let’s talk about this image:

First, it is generally NOT true that workers at a business create value. Most workers, instead, transform existing materials with their labor into new products, or leverage existing products and materials to provide a service.

It’s only in the creative industries that employees actually create value, create something that didn’t previously exist in any form. I’m talking graphic design, web site and software development, photography, videography, architecture, etc. And in all those cases, the work product is also considered a “work made for hire” under copyright law, meaning it’s the intellectual property of the employer. And like in most every other line of work, the employees in creative industries aren’t using their own equipment.

As an example, I’m a professional software engineer. My employer provides everything I need to work: the computer (laptop, specifically), access to needed cloud services at their expense, software licenses, etc. The only thing I’m bringing to the table is my skill and expertise.

I am permanently work from home, so I do provide additional equipment for my own benefit: two 4K televisions I use as monitors (with needed adapters to connect to the laptop), mechanical keyboard, mouse, and work space. But those additions are divorced from the laptop my employer provided, so won’t change if I change employers.

In very, very few lines of work is an employee bringing anything more to the table than their skills, experience, and, where required, strength. The employer is providing everything else at their expense, not the employee’s expense: machinery and equipment, tools, materials, the space to do the work, additional personnel so the employee doesn’t need to do everything, etc. Before the employee even shows up to add their part to the equation, the employer has already sunk a lot of cost into production.

Yet the image above pretends the employer – the “capitalist” – isn’t putting anything into the production. Only taking. Whereas the reality is the “capitalist” is providing everything except what the employee is adding.

The easiest illustration of this is food service. Specifically those who are preparing the food.

The line cooks don’t provide the ingredients, and they didn’t purchase the equipment needed to cook and serve the food. The owners of the establishment provided that. Along with paying to have it all installed properly, paying for maintenance when required, replacements where necessary, cleaning equipment and supplies, the utility service (e.g. electricity, natural gas or liquid propane, water, etc.), insurance on the entire establishment and employees, and… pretty much everything else.

The employee just… shows up and does their job as agreed. Receiving for their time a paycheck.

Ethics/Fourth Amendment

The concept of basic principles is foreign to too many

Posted on by Kenneth Ballard / 0 Comment

This one’s a doozy. From r/AITA, “AITA for breaking into my MIL’s bedroom?

Throwaway cause some of my in-laws use reddit. We are pregnant with our rainbow baby and we couldn’t be happier. On Friday we had our 12 weeks sonogram and got plenty of pictures to take home.

My MIL and FIL came to visit so they could see them and, eventually, the pictures disappeared. I asked them for help to find them but they were just nowhere to be found. My MIL was pretty eager to leave and that didn’t sit well with me, after they left I couldn’t stop thinking about it.

So on Sunday we went to their place for lunch and, when I went to the bathroom, I went into their bedroom and found the pictures in her nightstand. I was fuming. We were planning to give each side of the family copies of the pictures and a framed one (and we told them), but of course she just wanted them all. I confronted her when I came back and she just said “she thought they were for her” which is clearly a lie (I asked them for help to find them for crying out loud, and was visibly upset).

It’s not the first time she pulls something like this and, while my husband defended me in front of them when she protested for my snooping, he then told me I’d crossed a line when I opened her drawers. I know it wasn’t the nicest thing to do, I regret having to stoop to her level but I was just so angry. So AITA?

Small Update: I had a talk with my husband, he apologized for “scolding” me and confessed that, ever since he was a boy, he’s been terrified of his mother’s meltdowns and does anything he can to avoid them, so my confrontation kind of triggered him. He also said that he’s realised that some things like me and our baby will always come first.

He’s willing to go to therapy to learn how to establish and maintain strong boundaries with his mom, so we’ll see how it goes. Thanks everyone for your kind opinions, even if you think I was TA (I know I was).

And unsurprisingly the result is NTA – Not the Asshole. There were some more reasonable heads in the group, though, labeling this as ESH – Everything Sucks Here. And that’s my verdict.

On the one hand, the MIL stole from her. And I want to make it abundantly and explicitly clear that I in no way defend the MIL’s actions, and nothing I say herein should be interpreted as defending, excusing, or condoning what the MIL did.

But the OP then violated MIL’s privacy by snooping around. Sure it was with the intent to recover stolen property, but that can’t justify her actions. Why not? Simple. What if she didn’t find them in the nightstand? Would she have searched the bedroom? How much of the bedroom did she search before finding them in the nightstand? Would she have searched the entire house if she didn’t find them in the bedroom?

Finding the pictures doesn’t retroactively justify the search. Let me repeat that for those in the back: finding the pictures does NOT retroactively justify the search!

It’d be one thing if the pictures were in plain sight – though the MIL was clearly smart enough to ensure they weren’t. That OP had to go searching in closed drawers to find them puts her squarely in the wrong. Again, finding the pictures doesn’t retroactively justify the search!

* * * * *

“Defending principles is extremely difficult. But necessary.”

I said those words about 7 years ago with regard to Brock Turner, or rather the aftermath of his criminal trial. And herein those words ring true once again.

When I posted the above to Facebook, the feedback was… far from supportive, to say the least. And the responses, much like the responses on the Reddit thread, all took much the same position that the theft not only justified the search, but that the OP would’ve been in the right to show up at the MIL’s house, knock on the door or even just break in, and search the entire house till she found what she was looking for. That your protection against unreasonable searches – which the OP engaged in – means only the government is so enjoined.

And anyone who believes such really needs to study up on tort law.

Yes the Fourth Amendment enjoins the government. But underpinning the rights protected by the Bill of Rights (not created by them as many assert) are base principles without which the rights wouldn’t be a valid concept. The Second Amendment comes from the basic principle of self defense, that the only legitimate violence is to counter the immediate and illegitimate violence of others. And the Fourth Amendment comes from the basic principle that a person’s home is their castle, in which they have a very reasonable expectation of privacy. Inviting someone into your home doesn’t mean the invitee can just… snoop around, regardless of their rationale.

Rights govern how the government interacts with the people, but principles govern how we interact with each other. Something enshrined in criminal and civil law.

As such, the Fourth Amendment aside, the theft doesn’t justify the search. Finding the photos in the MIL’s bedroom does not retroactively justify her actions. If her actions can’t be justified by not finding the property, finding them doesn’t automatically make her actions justified. Again, it all comes down to base principles.

Starting with the Golden Rule when I said this in several variations:

As I said, how would you like it if someone just searched your home on the mere *allegation* you took something from them, even knowing you’re completely innocent? Would you just stand by and let them do it? Or would you demand they leave and call the police if they refused?

I think we all know the answer. But! it’s also clear you also expect to be able to freely search someone else’s home on the mere allegation they took something of yours… That’s why you don’t want to acknowledge that the OP is in the wrong. How dare someone invade your privacy, but Lord forbid if someone doesn’t let you invade theirs, or dares to say you’re in the wrong for doing so…

And the person to whom I made that comment said this in reply:

This isn’t a random “someone.” This is the MIL with a history of similar behavior. Perhaps you would have like for the DIL to call the cops on MIL, and have her arrested and the property searched pursuant to that arrest and warrant?

To which I said this:

Doesn’t matter that it’s the MIL, and it doesn’t matter that MIL has a prior history of similar behavior. None of that justifies the DIL’s invasion of the MIL’s privacy.

Again, would you let your neighbor search your home on the mere allegation you stole something from them? And would you search your neighbor’s home on the mere allegation they stole something from you?

Going through the police should only be a last resort. But DIL would’ve been free to threaten to bring in the police if the MIL didn’t return what she reasonably believed she had, then actually reporting the theft to the police if she failed to return the photos. The threat of and actually filing a lawsuit is also an option.

Searching the home is not a viable option, though. What if the pictures weren’t in the bedroom? Would OP have been justified in searching the house for them? Or is only searching the bedroom reasonable merely because she was able to do so somewhat covertly?

That they ultimately were found there is immaterial in determining if OP was in the right since, again, that OP found the photos in the nightstand cannot be used to retroactively justify her actions. You have to look at her actions in the moment, not in hindsight.

Often, unfortunately, the only reasonable action when you’ve been wronged in some way – e.g. something was stolen from you – is to just walk away from it. In this instance, it would’ve been to request new copies of the sonogram and the other photos from the physician, and then just cut ties with the ILs or, at the least, make sure they never again step foot in their home.

Part of the problem we all have is this desire to see all wrongs righted. Which unto itself is perfectly fine. The devil is in the details.

Reality, though, paints a far more bleak picture. There is no righting the vast majority of wrongs. No closure for the wronged. No justice for the wrongdoer. Crimes go unsolved. Many murder victims and missing individuals are never found, or forever remain unidentified when remains are recovered. Meaning family of the missing and unidentified are left with unanswered questions.

But let’s pull back from the bleak and think of the more common ways that we are “wronged” by someone.

Easily the most common anymore is being ghosted, or disconnected or outright blocked by someone on social media, regardless of the reason. For some reason it’s common to take that as a personal affront, where the blocked individual sees it as if they were insulted to their face. And as with everything else, there are healthy and unhealthy ways to respond.

And when someone blocks you on a social media platform, the healthy thing to do, the only reasonable thing to do, in my opinion, is… just walk away from it. Accept it and move on. Don’t contact the person in any other way. And as much as you’d want closure – to know why you were blocked – just walk away from it. Leave it one of the many unanswered questions of life.

And in the above case… the sonogram and other pictures can be reprinted. And the OP can deny the ILs access to the OP’s home since she apparently has a pattern of suspect behavior.

But searching their home for the pictures was beyond unreasonable. And it’s disgusting that many readily defend her behavior.

Cordelia

Cordelia

Posted on by Kenneth Ballard / 0 Comment

Seems kind of odd that just a few months after writing about giving my virtualization server a 2TB NVMe drive that I’m now writing about it again. And this time, it’s a platform upgrade. So what gives?

With taking pretty much everything else on my home network to X99 I decided to fast-track an upgrade on my virtualization server as well.

In terms of performance, I’ve tended to lean on the side of more cores and threads over single-threaded performance. Given the VMs I typically had running at any given time, there wasn’t much point in going for single-thread performance over thread count. With this X99 upgrade, though, I’m getting both more threads and better single-thread performance.

My first dedicated virtualization server was a refurbished HP Z600 with dual Xeon E5520 processors. This provided, overall, 8 cores and 16 threads. It had 3 memory slots per processor that could take up to 48 GB RAM max. It’s now completely retired, and I’ll be figuring out what to do with it later.

About 5 years ago I replaced that with the dual-Opteron 6278. This gave me double the threads – 32 overall, 16 per processor – and a lot more memory capacity. The mainboard I chose could take 16GB RDIMMs or 8GB UDIMMs, maxing out 256GB or 128GB, respectively. As of this writing, I had 64GB (8x8GB) Registered ECC.

“Cordelia” is the name I gave this server after migrating it to Fedora Server with the NVMe installation to run VirtualBox and Docker CE.

Current specs

So to recap, here are the specifications before the upgrade:

CPU:2 x AMD Opteron 6278 – 16 cores, 16 threads each
CPU cooler:Noctua NH-U9DO A3
Mainboard:ASUS KGPE-D16
RAM:64GB (8x8GB) Registered ECC DDR3-1600
Storage:500GB Samsung 850 EVO M.2 SATA
Inland QN322 2TB QLC NVMe
OS:Fedora Linux with Docker CE and VirtualBox

Onward to X99

CPU:Intel Xeon E5-2697 v4 – 18 cores, 36 threads
CPU cooler:ThermalTake TH120
Mainboard:Machinist MR9S (buy on eBay)
RAM:256GB (8x32GB) Registered ECC DDR4-2400
GPU:Zotac GTX 1060 3GB

So DDR3-1600 to DDR4-2400. Dual CPU to single CPU with slightly more threads overall. Slightly lower clocks on the Xeon, but far newer platform. PCI-E 3.0. A lot more memory. And quad-channel!

Dual-CPU to single-CPU eliminates the NUMA node barrier and also reduces the server’s overall power consumption (dual 115W TDP vs single 140W TDP) – though adding in the GTX 1060 kind of offsets that.

Speaking of, while I am giving up onboard video for a dedicated video card, I’m actually not giving up much. Th eonboard video for the ASUS dual-Opteron board has only 8MB of VRAM. No, I didn’t make a typo. Only 8 megabytes. It works fine for a text console. Don’t try to use it for anything even remotely graphically intense.

I did consider the E5-2699 v4 (buy on eBay), which is 22-cores, 44 threads. But also about 3x the price on eBay. For just 4 cores and 8 threads more. I paid just 85 USD for the E5-2697 v4. And at the time I bought it, the E5-2699 v4 was going for 250 USD minimum. So no thanks.

An interesting addition to this server, though, is a Google Coral AI PCI-E module, which allowed me to migrate my home camera monitoring to Frigate. Which can do object detection instead of merely detecting motion. Which should vastly reduce how many false positives I get. While the Google Coral module isn’t required for Frigate, it’s highly, highly recommended. And to further aid Frigate’s functionality with hardware video decoding/encoding, I added a GTX 1060 I had laying around rather than just any graphics card.

I also had to change this over from Fedora to Ubuntu.

Fedora 38 was newly released when I first installed it. So new that Docker hadn’t been released for it. And was only released on April 26. So while I considered going with Fedora 37, which is what I was using prior to the migration, with the plan to eventually in-place upgrade it back to Fedora 38, I opted to install Ubuntu 22.04 LTS instead to get everything up and running sooner.

About the AIO and Micro Center’s error

Before the ThermalTake AIO, I had an NZXT M22 mounted to it. But the pump started making noise – likely due to coolant evaporation – and I needed to replace it. It was also… a week out of warranty, so I can’t RMA it.

So I went looking for a more-or-less direct replacement.

Micro Center had two options in stock: the ThermalTake MH120 and the CoolerMaster MasterLiquid ML120L. Both were listed on Micro Center’s website as supporting Intel 2011, 2011v3, and 2066 sockets. So I picked the MH120 since it was a little less expensive.

Only to discover when getting it home that there was no 2011v3 hardware included. And ThermalTake’s website does NOT list 2011v3 as one of the supported sockets.

But I was able to use the 2011v3 hardware from the NZXT M22 to mount this. And all indications are that it works fine. So the TH120 can support 2011v3. ThermalTake just is not including hardware for it. And the CoolerMaster cooler, though, does support 2011v3 out of the box according to their website.

And I went with the M22 initially as I just had it lying around unused. I didn’t have anything else readily available for 2011v3 that would fit into a 4U chassis. It was only a couple days into service that it started making noise.

Docker

Hands-off script for installing Apache Guacamole for Docker

Posted on by Kenneth Ballard / 0 Comment

So what’s different with this over other methods of setting up Apache Guacamole?

The main thing is it’s entirely hands-off. It’ll pull the images, set up the network, create the containers, initialize the MySQL database… Everything. Including generating secure random passwords for you using Random.org and writing those to the console for you to store off for later updates. (See sections below.) Just copy the script to a .sh file and run it.

And speaking of later updates, the script sets up the containers on their own network with static IPs assigned to each over using the “link” command. This allows for very easy updates down the line since the containers – especially the MySQL container – can be recreated onto the same IP address as before.

Change what you need to avoid conflicts with any existing Docker networks or if you want the main Guacamole container to be accessible on a different port. Hopefully you won’t need to extend out the 30-second wait for the MySQL container to initialize. Bear in mind as well that the gaucd container takes a few minutes to fully start up and its status to be “Healthy”.

Once everything is running, the default admin login (as of this writing) for the Guacamole web interface is guacadmin/guacadmin.

#!/bin/bash

echo Pulling latest Docker images.

sudo docker pull guacamole/guacamole
sudo docker pull guacamole/guacd
sudo docker pull mysql

echo Creating volumes for MySQL data

sudo docker volume create guac-mysql-data

echo Creating network the containers will use.

sudo docker network create \
--subnet=192.168.10.0/24 \
--gateway=192.168.10.1 \
guacamole-net

echo Contacting Random.org for new 16-character passwords for MySQL root and Guacamole users.

root_secure_password=$(curl -s "https://www.random.org/strings/?num=1&len=16&digits=on&upperalpha=on&loweralpha=on&unique=on&format=plain&rnd=new")
guac_secure_password=$(curl -s "https://www.random.org/strings/?num=1&len=16&digits=on&upperalpha=on&loweralpha=on&unique=on&format=plain&rnd=new")

sql_create="\
ALTER USER 'root'@'localhost' \
IDENTIFIED BY '$root_secure_password'; \
CREATE DATABASE guacamole_db; \
CREATE USER 'guacamole_user'@'%' \
IDENTIFIED BY '$guac_secure_password'; \
GRANT SELECT,INSERT,UPDATE,DELETE \
ON guacamole_db.* \
TO 'guacamole_user'@'%'; \
FLUSH PRIVILEGES;"

echo Creating MySQL container

sudo docker run -d \
--name guac-mysql \
-e MYSQL_ROOT_PASSWORD=$root_secure_password \
-v guac-mysql-data:/var/lib/mysql \
--network guacamole-net \
--ip 192.168.10.2 \
--restart unless-stopped \
mysql

echo Let\'s wait about 30 seconds for MySQL to completely start up before continuing.
sleep 30

echo Initializing MySQL database

sudo docker exec guac-mysql \
mysql --user=root --password=$root_secure_password -e "$sql_create"

sudo docker exec guac-mysql \
mysql --user=root --password=$root_secure_password \
--database=guacamole_db \
-e "$(sudo docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --mysql)"

echo Creating guacd container

sudo docker run -d \
--name guacd \
--network guacamole-net \
--ip 192.168.10.3 \
--restart unless-stopped \
guacamole/guacd

echo Creating main Guacamole container

sudo docker run -d \
--name guacamole \
--network guacamole-net \
--ip 192.168.10.4 \
--restart unless-stopped \
-e GUACD_HOSTNAME=192.168.10.3 \
-e MYSQL_HOSTNAME=192.168.10.2 \
-e MYSQL_DATABASE=guacamole_db \
-e MYSQL_USER=guacamole_user \
-e MYSQL_PASSWORD=$guac_secure_password \
-p 8080:8080 \
guacamole/guacamole

echo Done.

echo MySQL root password: $root_secure_password
echo MySQL guacamole_user password: $guac_secure_password

echo Store off these passwords as they will be needed for later container updates.

Update Guacamole containers

Just copy off this script and keep it on your server to update the container with the latest Guacamole images.

#!/bin/bash

read -s -p "MySQL Guacamole user password: " guac_secure_password
echo

sudo docker pull mysql
sudo docker pull guacamole/guacamole
sudo docker pull guacamole/guacd

sudo docker stop guacamole
sudo docker stop guacd
sudo docker stop guac-mysql

sudo docker rm guac-mysql
sudo docker rm guacd
sudo docker rm guacamole

sudo docker run -d \
--name guac-mysql \
-v guac-mysql-data:/var/lib/mysql \
--network guacamole-net \
--ip 192.168.10.2 \
--restart unless-stopped \
mysql

sudo docker run -d \
--name guacd \
--network guacamole-net \
--ip 192.168.10.3 \
--restart unless-stopped \
guacamole/guacd

sudo docker run -d \
--name guacamole \
--network guacamole-net \
--ip 192.168.10.4 \
--restart unless-stopped \
-e GUACD_HOSTNAME=192.168.10.3 \
-e MYSQL_HOSTNAME=192.168.10.2 \
-e MYSQL_DATABASE=guacamole_db \
-e MYSQL_USER=guacamole_user \
-e MYSQL_PASSWORD=$guac_secure_password \
-p 8080:8080 \
guacamole/guacamole
10Gb network upgrade

Goodbye, MikroTik

Posted on by Kenneth Ballard / 0 Comment
Build Log:

Four (4) years ago, I bought the MikroTik CRS317 after seeing it retailing for… around 300 USD. And it’s a great switch, so long as you use it as a switch. Later I also acquired a MikroTik CSS610. And I recently replaced both for switches from the TP-Link lineup.

A couple details pushed me to do this, but it mostly stems from the upgrade to Google Fiber’s 5Gb Internet service. Other choices made here were also about consolidating. Prior to this changeover, I had three switches in my network rack:

And I consolidated to two switches, both from TP-Link and manageable via the Omada Controller software:

TP-Link TL-SG3210XHP-M2

This switch replaced two in my network rack: the MikroTik CSS610 and BV-Tech POE-SW801. The latter is an 8-port 10/100 POE switch with a 100Mbps uplink. I bought it to support the security cameras I have, but never used all the ports on it.

The TP-Link TL-SG3210XHP-M2 has eight (8) 2.5GbE ports, all of which are Active POE+ enabled. This allows me to consolidate my security cameras and the TP-Link EAP670 wireless access point. Previously I had the EAP670 connected to the CRS317 via a TP-Link 10GbE RJ45 module and powered using its included DC power supply.

And being Active POE+ allows me to consolidate the couple Gigabit connections from the CSS610, putting me in a position to upgrade those connections to 2.5GbE. Since 2.5GbE runs across Cat5E without issue, it’s a drop-in upgrade.

One has already been upgraded as of this writing, that being the connection to my work laptop. My wife’s laptop is the other connection that will be upgraded.

I’ve considered swapping out the Gigabit switch on my living room rack for a 2.5GbE switch, but what’s connected to it isn’t really making me all that enthused about doing it. For the curious, all that’s connected is the uninterruptible power supply, mail server, and IP-KVM. And the only one that’s even slightly bandwidth intense is the latter, but it doesn’t saturate a GbE connection.

So this switch, though, means the wireless access point is powered from the TP-Link switch, removing a connection on the CRS317. My security cameras are as well, and if I expand my security camera setup more, I’ll add one of TP-Link’s Gigabit POE+ switches to the rack.

I’ve already swapped the stock fans with Noctua NF-A4x20 FLX fans as well. Omada is reporting a fan fault with it, but that’s merely due to the RPM of the Noctua fans being far lower compared to the stock fans. But that also means it’s practically inaudible from my office.

Note: I’m aware of a lot of negative reviews on this switch that indicate an… oddly short lifespan. And I’ll definitely be posting an update if this switch dies sooner rather than later. (Given the fan swap, I doubt TP-Link will honor the warranty.)

TP-Link TL-SX3008F

The CRS317 has 16 SFP+ ports. This is overkill for my home network. At the time I bought it, though, my only other option for reasonably-priced 10GbE was the MikroTik CRS305, which has only 4 SFP+ ports plus a Gigabit uplink port.

MikroTik wouldn’t introduce the 8-port CRS309 till later in 2019. And there really was no point in changing over to it at the time. After adding the aforementioned 2.5GbE switch to my rack, removing the connection for the EAP670, only six (6) ports were being used:

  1. Mira
  2. Amethyst
  3. Nasira
  4. Virtualization server
  5. Uplink from TL-SG3210XHP-M2
  6. Uplink to router

But most of the ports sitting dormant isn’t my reason for changing this out. Performance is the main reason here. The issue is either the 98DX8216 controller, or it is MikroTik’s SwitchOS.

Either way, my 5Gb Internet connection revealed the MikroTik’s limitations when it comes to its switching functions. After putting the TP-Link switch into service, I was finally able to get 5Gb from my desktop with other clients also connected to the switch.

And other random speed tests I’ve done since taking that screenshot have produced similar results. Even one taken in the middle of a Saturday afternoon.

So the MikroTik’s switching capability is a massive bottleneck. I could easily do 10Gb to Nasira, such as when I’m syncing my camera card dump folder (especially after the platform upgrade), but I’m typically the only one accessing it at any given time. But the speed test screenshot above shows that it chokes off when multiple clients are trying to tunnel through a single port – such as the one linking up to the router.

Now don’t get me wrong. The MikroTik CRS317 is a decent switch. And it was an inexpensive way to get 10GbE in a quiet package – especially if you change out the fans.

Its initial MSRP was about 400 USD, but you could easily find it for less. But MikroTik bumped that to 500 USD, with a lot of sellers making that the shelf price, making it difficult to recommend this switch when there are better options available at the same price point. Just as an immediate example, TP-Link has their own fanless 16-port 10GbE SFP+ switch for about 500 USD (as of this writing) – the TL-SX3016F – that, if similar to the TL-SX3008F, is likely to also perform much better.

There may be tweaks you can make in RouterOS – configuring it in “bridge mode” – to allow it to perform better. But the TP-Link switch is performing better out-of-the-box.

MikroTik started the trend of bringing 10GbE to the home lab in an inexpensive package that was also very quiet. Both with the CRS305 and CRS317. But competition at MikroTik’s price point revealed its weaknesses. To stay competitive, MikroTik should consider releasing a new switch to replace the CRS317 that performs much better.

Life/Logic/Politics

“Flesh Cult of Carnism”

Posted on by Kenneth Ballard / 0 Comment

“Flesh Cult of Carnism”? Tell me you’ve lost sight of reality without telling me you’ve lost sight of reality.

In all seriousness, manufacturing phrases like that means you really need to take a few miles worth of steps back and re-evaluate your psychological standing. This shows you’re so deep in your ideology, the Mariana’s Trench is like a crack in the pavement. Being vegan is one thing. But manufacturing phrases like this and posting propaganda like this to the Internet is more about re-justifying to yourself the choice to be vegan and shows a massive choice-supportive bias that is well beyond the point of delusion.

Get help.

OPNsense router

It’s final (for now) form

Posted on by Kenneth Ballard / 0 Comment
Build Log:

New specs:

The chassis and power supply were the previous of each in Mira before I upgraded to the beQuiet Dark Base 900 and EVGA 1000 G6. The former was to get more space for HDDs. The latter was because I upgraded to the RTX 3070 and needed additional PCI-E connectors but couldn’t find my original cable kit. The power supply is overkill for this use case, but at least it’s being put to use again.

I chose the Machinist mainboard after learning about it through the Craft Computing YouTube channel. Specifically the below video, which also made my decision on the CPU.

The mainboard supports everything you’d expect from an X99 mainboard, including “Above 4G decoding”. It does NOT support bifurcation, at least that I could find, but you might be able to mod the BIOS to include that – at your own risk, of course. So I’m not going to be buying another one of these for my NAS unless I need more than 64GB RAM for some reason.

But I will eventually buy one for upgrading my virtualization machine later this year since it supports up to 256GB RAM (8x32GB) and the E5-2699v4 (22 cores/44 threads), which will make for one hell of a home lab. I might even consolidate the NAS and virtualization together to one box. Not using TrueNAS SCALE’s virtualization, but putting TrueNAS in a VM, which would require going back to Proxmox since VirtualBox does not support PCI passthrough with version 7.

As mentioned previously, using ECC RAM isn’t required here, but it’ll help merely because of how much bandwidth will be going through this. Plus the price (at the time I bought it) was only 10 USD per stick on eBay brand new. So… why NOT use it?

So for now, this is the form this router will take. It’ll be interesting to see how long this will last, and I anticipate hopefully not needing to do any hardware changes on this unless there is some incompatibility with OPNsense. Which shouldn’t happen unless the FreeBSD developers go off their rocker and start removing support for older hardware from their operating system.

* * * * *

Update (2023-03-31):

Consider this kind of a lateral move. I pulled the MR9S board for the Machinist MR9A Pro MAX (buy it on eBay). It’s a slightly smaller motherboard with only four (4) DDR4 slots instead of 8, but still able to operate in quad-channel. The MR9S will be going into my virtualization server, so keep an eye out for that. (Update: Check that out here.)