The Airthings integration for HomeAssistant doesn't provide the status of the LED-ring in my Airthings Wave Plus. It does fetch the data I need though, and is required for this template.

Luckily Airthings have shared their thresholds, making it trivial to read data from Entities and making a new Entity for the LED-ring.

The template is pretty self-explanatory. Edit name of entities to match your installation.

A custom card could be created for changing the color of the ring-icon, but I haven't bothered.

Download the template-code here

Module 'CPUID' power on failed.

- Posted in VMware by

Even though the number of configured vCPUs in the VM wasn't changed nor excessive, a VM wouldn't cross-migrate (got an EVC error) hot.

After powering off the VM and migrating to another cluster, which was on the same EVC level, powering on the VM resulted in the error "Module 'CPUID' power on failed."

Inspecting the CPU Identification Mask settings (Edit Settings -> CPU > CPUID Mask -> Advanced) and resetting to default did not resolve the issue.

I assumed the VMX had some clues, and found multiple lines of cpuid-related flags:

[aners@derp:/vmfs/volumes/vsan:5..2]grep -i cpu *.vmx:

sched.cpu.units = "mhz"
cpuid.80000001.edx = "---- ---- ---0 ---- ---- ---- ---- ----"
cpuid.80000001.eax.amd = "---- ---- ---- ---- ---- ---- ---- ----"
cpuid.80000001.ebx.amd = "---- ---- ---- ---- ---- ---- ---- ----"
cpuid.80000001.ecx.amd = "---- ---- ---- ---- ---- ---- ---- ----"
cpuid.80000001.edx.amd = "---- ---- ---0 ---- ---- ---- ---- ----"
sched.cpu.latencySensitivity = "normal"

Removing all 'cpuid...'-lines from the VMX resolved the issue, the VM was now able to boot.

vSphere Remove snapshot task 0%, stuck?

- Posted in VMware by

When removing large snapshots, the task status is progressing towards 100%, or so it should be; sometimes it goes to 0% in the web UI and the user is left clueless.

Updating the web UI doesn't bring the current progress back. Luckyli the shell on the host can be used to retrieve the progress:

Chaining a few commands, will get the progress of the "Snapshot.remove"-task:

1) Get a list of all VMs and filter by the name of your VM: vim-cmd vmsvc/getallvms|grep -i garg|awk '{print $1}'

[root@virt58:/vmfs/volumes/vsan:5...2/4...9] vim-cmd vmsvc/getallvms|grep -i garg|awk '{print $1}'

The Vmid is returned, in this example 72

2) Verify the Vmid is in fact the VM you're interested in, fetch it's name: vim-cmd vmsvc/get.summary 72|grep name

[root@virt58:/vmfs/volumes/vsan:5...2/4...9] vim-cmd vmsvc/get.summary 72|grep name
name = "Gargoil",

3) Having verified the Vmid, get the running tasks: vim-cmd vmsvc/get.tasklist 72

(ManagedObjectReference) [

4) Copy the vim.Task identifier and get task_info, filter "state" and "progress": vim-cmd vimsvc/task_info haTask-72-vim.vm.Snapshot.remove-138283664|grep "state|progress"

   state = "running",
   progress = 86,

What the web UI failed to display, is that the "Snapshot.remove"-task is running and 86% complete, I guess this is why CLI is usually my favourite goto.

For more verbose output, remove the pipe to grep

When "Placement and Availability status" is "Unknown" for storage objects in vSAN, it can be as simple as an ISO mounted from another cluster. If so, simply unmount the ISO and return to the overview.

enter image description here

Consider the following scenario:

Wireguard (daemon) is running on a *:123/udp

Not always a great way out from a hotel network, since NTP is usually rate-limited - sometimes a great way out. Things change.

Instead of deciding on 1 service-port for Wireguard, having Wireguard transparently serve on more ports, seems like a good solution and does not require running multiple interfaces or services.

In the following example, iptables will translate requests coming in at port 8443/udp and redirect them to where Wireguard is actually listening; 123/udp

iptables -t nat -I PREROUTING -i ens160 -d -p udp -m multiport --dports 8443  -j REDIRECT --to-ports 123

Now connecting to :8443/udp (and still 123/udp, obviously) will access Wireguard, just that it's translated internally.

As always, change the arguments to fit your environment.

Creating a fifo-based ffmpeg service

- Posted in Linux by

I needed an encoder-service waiting to handle ffmpeg-workloads, and decided to use systemctl and a fifo pipe, so jobs could be queued without the need of RabbitMQ/other.

I'm aware of DLQ and fancy scaling, however this does the trick and hasn't failed for years.

1) Create script for initiating the fifo pipe, save it at /opt/

# pipe location

trap "rm -f $pipe" EXIT

# Initiate pipe
[[ -p $pipe ]] || mkfifo $pipe

while true; do
    exec 3<> $pipe
    read line < $pipe
    bash <<< "/opt/ $line"

2) Create your ffmpeg-worker, with your ffmpeg args, at /opt/

# Do ffmpeg stuff
/usr/bin/ffmpeg -y input.avi [yourargs] output.mp4

3) Create service file at /etc/systemd/system/ffmpeg-encoder.service:

Description=ffmpeg encoder service



3) Reload systemctl daemon: systemctl daemon-reload

4) Enable service: systemctl enable ffmpeg-encoder.service

Verify the service state with: systemctl status ffmpeg-encoder.service

Verifying service status programatially can be done by running:

systemctl is-active --quiet ffmpeg-encoder.service

where exitcode 0 is the active state of the service.

I also wrote a simple ffmpeg-log-parser for polling state via PHP, but that's for another post.

Wasabi API, polling active storage

- Posted in Uncategorized by

Programatically fetching your quota/active utilization, etc. from Wasabi ( is pretty straightforward with their API.

1) Create a user at with API-access

2) Create access keys for new subuser and assign permissions via policies. My user has the following policies assigned: WasabiReadOnlyAccess, WasabiViewAuditLogs, WasabiViewBillingAccess and WasabiViewEventNotifications

Query their API like so:

curl -H "Authorization: ACCESS-KEY:SECRET-KEY"

Note that no type of Authorization is set, no "Basic", "Digest", etc.

Getting this via jQuery is trivial, I've written a simple script for it you can try out.

Replace ACCESS-KEY and SECRETKEY on line 7 with your credentials.

For scaling a video with ffmpeg with a target of 1280px width or height, I use the following filters:

enter image description here

If the source width or height is less than 1280px, the original dimensions will be kept.

If the source width or height is larger than 1280px, the output is scaled to 1280px

Since scaling requires division by 2, the dimensions are calculated and ensured to add up

Change (both) '1280' to fit your output needs.

Escaping ruins the formatting, click here to get the source in plain text

Invalid configuration for device '0'.

- Posted in VMware by

One of my Veeam Backup Copy jobs failed for every VM in the job, reporting IO errors:

10/08/2023 08.29.02 :: Processing vSRX-18.3 Error: File does not exist. File: [vSRX-18.3.1D2023-08-09T020227_4DE4.vib]. Failed to open storage for read access. Storage: [vSRX-18.3.1D2023-08-09T020227_4DE4.vib]. Failed to restore file from local backup. VFS link: [summary.xml]. Target file: [MemFs://frontend::CDataTransferCommandSet::RestoreText_{13faea43-f648-4fee-8abb-630907bd1df7}]. CHMOD mask: [0]. Agent failed to process method {DataTransfer.RestoreText}. ...

The volume holding the VIBs, an external USB-drive forwarded to the Veeam guest within ESXi, was gone. Seemingly a failed drive.

VCSA failed to remove the USB Host device, with the error:

Invalid configuration for device '0'

Not being able to remove a missing device (the USB-controller), even when the VM is powered off, I had no choice but to manually delete it:

Simply remove the VM from the inventory - obviously not deleting it from VMFS.

Locating the device in the .VMX for the VM and removing the line from the configuration:

usb_xhci.autoConnect.device0 = "path:0/1/1/5 host:esxi7.rotteslottet.lan hostId:71 05 57 47 bf 16 10 d6-2c 0e 3c 7c 3f 11 9a f0 autoclean:1 deviceType:remote-host"

After trashing the failed drive, replacing it with a new one, and re-powering the USB-controller, I simply registered the VM via VCSA and started over with the local backup.

I wish it was possible to forcefully remove a virtual device via VCSA

Veeam suddenly failed backing up one of my VMs, a VM homed at a datastore with multiple other VMs - these VMs were backed up just fine.

My first thought was that the device backing the datastore, an old piece of spinning rust, was about to fail. The S.M.A.R.T.-info from ESXi was no help. Zero errors and a interesting runtime of 42 hours?

Retrying the backup didn't help. This single VM still failed to be backed up.

I tried booting of a live Ubuntu ISO to run fsck and found some bad sectors on the volume. Surely the physical drive will be replaced, but for now the backup can run without errors.


fsck arguments: -ccfky

ESXi version: 7.0.0, 16324942

VMFS version: 6

Veeam VBR version:

Encrypted storage container with LUKS

- Posted in Linux by

Create an encrypted container for storage with LUKS

Change the names and paths to reflect your environment and needs

1) Make sure cryptsetup is installed: sudo apt update && apt install cryptsetup -y

2) Create an empty file for the container: sudo dd if=/dev/zero bs=1M of=/path/to/lukscontainer count=10240 (I prefer using a flat file, instead of a device, for portability)

3) Create the LUKS volume within the flat file: sudo cryptsetup luksOpen /path/to/lukscontainer container_crypt

4) Create a filesystem within the LUKS volume: sudo mkfs.ext4 /dev/mapper/container_crypt

5) Create a mountpoint for the container: sudo mkdir -p /storage/container/

6) Mount the container in your newly created mountpoint: sudo mount /dev/mapper/container_crypt /storage/container/

To easily unmount and mount the container in the future, create 2 simple scripts:

#!/bin/sh /usr/bin/umount /dev/mapper/container_crypt /sbin/cryptsetup luksClose /dev/mapper/container_crypt

#!/bin/sh /sbin/cryptsetup luksOpen /path/to/lukscontainer container_crypt /usr/bin/mount /dev/mapper/container_crypt /storage/container/

(the editor in htmly isn't playing nice, insert linebreaks manually)

Make the scrips executable with chmod +x luks* and run them with ./

Make sure to upgrade your KDF to argon2id (default for latest version at the time of writing):

In case monitoring of vSRX/SRX-licensing isn't available from the official solutions from Juniper, one still might want to be in the know, before Junos stops pushing packets.

Managing a growing number of vSRX'es deployed around the world, I didn't want to manually check licenses. I had to make a quick'n'dirty solution. So I did.

The "solution" is rather simple; create a read-only user in Junos. Run a command via SSH, store the result and repeat. It has been a while, so you'd need some old repo's or rewrite some stuff.

Tested with versions:

php-cli 5.5.9
sed (GNU sed) 4.2.2

0) Create read-only users on each device (assuming 'readonlyuser' in this example) and replace 'SECRETPASSWORD' with your set password for 'readonlyuser'.

0.1) Connect to the devices with ssh to accept their keys. There might be a way to accomplish this blindly, however that is beyond the scope of this post.

1) Create a table for storing license data:

CREATE TABLE `vsrx-licenses` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `timestamp` int(12) DEFAULT NULL,
  `host` varchar(64) DEFAULT NULL,
  `expirationdate` varchar(10) DEFAULT NULL,
  `daystoexpire` int(3) DEFAULT NULL,
  PRIMARY KEY (`id`)

2) Create file parseXML.php in /home/derp/vsrx-fetch-license/

// Configure database connection
function connectToDatabase($database) {
  $link = mysql_connect("DBHOST","DBUSER","DBPASS");
  $db = mysql_select_db($database, $link);

// Define function to calc days to expire
function daysToExpire($expireDate) {
  $todaysDate = date("Y-m-j");
  $origin = new DateTime($todaysDate);
  $target = new DateTime($expireDate);
  $interval = $origin->diff($target);
  return $interval->format('%a');

// Execute magics
$timeNow = time();

$xmlFile = '/home/derp/vsrx-fetch-license/'.$argv[1];
$licenses = json_decode(json_encode((array) simplexml_load_file($xmlFile)), 1);
$licenseDetails = array_column($licenses, 'feature-summary');

$deviceNoExt = substr($argv[1], 0, -4);
$deviceClean = substr($deviceNoExt, 34);

// Clear existing count to reduce db-size, optional
#mysql_query("DELETE FROM `vsrx-licenses`");

foreach ($licenseDetails[0] as $element) {
    if ($element['licensed'] != 0 && isset($element['end-date'])) {
    $deviceEndDate = $element['end-date'];
    $deviceDaysToExpire = daysToExpire($deviceEndDate);

    mysql_query("INSERT INTO `vsrx-licenses`
    (id, timestamp, host, expirationdate, daystoexpire)
    VALUES (null, '$timeNow', '$deviceNoExt', '$deviceEndDate', '$deviceDaysToExpire')") or die(mysql_error());
        echo 'License for device '.$deviceNoExt.' expires: '.$deviceEndDate.'

3) Create file in /home/derp/vsrx-fetch-license/. Replace vsrx01.domain.tld ... with the hostnames of your devices

# Clear old logs
/bin/rm /home/derp/vsrx-fetch-license/*.xml
/usr/bin/php /home/derp/vsrx-fetch-license/wipeDB.php
vsrxDevices=("vsrx01.domain.tld" "vsrx02.domain.tld" "vsrx03.domain.tld")
echo "Fetching licenses..."
for device in ${vsrxDevices[@]}; do
  echo "Fetching license details for device $device"
  /home/derp/vsrx-fetch-license/ $device > /home/derp/vsrx-fetch-license/$device.xml
  /bin/sed -i -n '2,$p' /home/derp/vsrx-fetch-license/$device.xml
  /bin/sed -i -n '2,$p' /home/derp/vsrx-fetch-license/$device.xml
  /usr/bin/php /home/derp/vsrx-fetch-license/parseXML.php $device.xml
  echo "Napping for $napTime seconds..."
  sleep $napTime
echo "All done!"

4) Add execution to cron:

0 * * * * /bin/bash /home/derp/vsrx-fetch-license/ > /home/derp/vsrx-fetch-license/fetch.log 2>&1

5) Create file in /home/derp/vsrx-fetch-license/ and replace values.

#!/usr/bin/expect -f
set timeout 20000
match_max 100000
set vsrxhost [lindex $argv 0];
spawn ssh -o "StrictHostKeyChecking=no" readonlyuser@$vsrxhost "show system license usage |display xml|no-more"
expect "Password:"
expect "*>"
expect eof

If all goes well, the database is updated every hour. Each run takes around 5 minutes in my case. Check the logfile /home/derp/vsrx-fetch-license/fetch.log for details after the first run.

I've added a panel in Grafana:

Query is configured as follows:

SELECT host as "Hostname", FROM_UNIXTIME(timestamp-3600) as "Licens opdateret", expirationdate as "Udløbsdato", daystoexpire as "Dage til udløb"
FROM `vsrx-licenses`
ORDER BY daystoexpire asc

Good luck.

Juniper PoE software upgrade

- Posted in Juniper by

To upgrade the PoE controller software in the device, run the following command with your fpc-slot id:

request system firmware upgrade poe fpc-slot 0

To get the status of the upgrade, issue the following command for details:

root> show poe controller
Controller  Maximum   Power         Guard    Management   Status        Lldp
index       power     consumption   band                                Priority
   0**      124W      0.00W           0W                  DOWNLOAD_INIT Disabled


root> show poe controller
Controller  Maximum   Power         Guard    Management   Status        Lldp
index       power     consumption   band                                Priority
   0**      124W      0.00W           0W                  SW_DOWNLOAD(43%) Disabled

The download requires no network connectivity, as the sofware is stored on the device.

On my EX2300-C, the download progress went to a halt at 95%, I figured it was simply installing:

Controller  Maximum   Power         Guard    Management   Status        Lldp
index       power     consumption   band                                Priority
   0**      124W      0.00W           0W                  SW_DOWNLOAD(95%) Disabled

a few minutes later, the install process had ended:

Controller  Maximum   Power         Guard    Management   Status        Lldp
index       power     consumption   band                                Priority
   0        124W      0.00W           0W                  AT_MODE       Disabled

As per intructions; Please Reboot the system after Upgrade is complete

Wordpress installation

- Posted in Uncategorized by

Should you for some reason need to install a Wordpress-site, here are the basics:

1) Install packages, run:

apt install libapache2-mod-php apache2 php-gd php-mysql php-zip mariadb-server -y

2) Secure MariaDB, run:


and go through the wizard:

<Enter> to set password if empty
N for no Unix socket
Y to change root pass
Y to remove anonymous users
Y to disallow remote root login
Y to remove test db
Y to reload privilege table

3) Create a user, a database and set permissions

Connect to MariaDB, run:

mysql -uroot -p

Create a user, run:

CREATE USER 'wordpress'@'localhost' IDENTIFIED BY 'V3RY_S3CR3T_P4SSW0RD';

Create database, run:


Set permissions for database and user, run:

GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost';

Apply changes, run:


Exit from MariaDB, run:


4) Download latest version of Wordpress

cd /var/www/html/ && wget

5) Extract Wordpress archive

tar xzf latest.tar.gz

6) Move files from newly created "wordpress"-folder and delete it, including the default index.html from the Apache install

mv wordpress/* . && rm -rf wordpress/

7) Set permissions to Wordpress-install, if not already properly configured

chown -R www-data: /var/www/html/

Browse to the webserver and complete the installation wizard.

match-policies, icmp ping, port 2048

- Posted in Juniper by

Consider the following policy:

security {
    policies {
        from-zone untrust to-zone junos-host {
            policy pub-ping {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-ping;
                then {

Security policy details:

Policy: pub-ping, action-type: permit, State: enabled, Index: 20, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: untrust, To zone: junos-host
  Source addresses:
    any-ipv6: ::/0
  Destination addresses:
    any-ipv6(global): ::/0
  Application: junos-icmp-ping
    IP protocol: icmp, ALG: 0, Inactivity timeout: 60
      ICMP Information: type=8, code=0
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No

When using match-policies in Junos, a match for icmp ping is not found unless the source-port is 2048.


Example matching for source-port 2049 (or any other port):

spiderpig@vsrx-lab> show security match-policies from-zone untrust to-zone junos-host source-ip destination-ip source-port 2049 destination-port 1234 protocol icmp
Policy: deny-all, action-type: deny, State: enabled, Index: 19
  Policy Type: Configured
  Sequence number: 4
  From zone: untrust, To zone: junos-host
  Source addresses:
    any-ipv6: ::/0
  Destination addresses:
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No

The above result matches the last policy in the sequence, not the one permitting icmp ping


Example matching for source-port 2048:

spiderpig@vsrx-lab> show security match-policies from-zone untrust to-zone junos-host source-ip destination-ip source-port 2048 destination-port 1234 protocol icmp
Policy: pub-ping, action-type: permit, State: enabled, Index: 20
  Policy Type: Configured
  Sequence number: 1
  From zone: untrust, To zone: junos-host
  Source addresses:
    any-ipv6: ::/0
  Destination addresses:
    any-ipv6(global): ::/0
  Application: junos-icmp-ping
    IP protocol: icmp, ALG: 0, Inactivity timeout: 60
      ICMP Information: type=8, code=0
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No

The above example matches the policy permitting icmp ping.

Junos version: 18.3R1.9

When sending alerts from MegaRAID Storage Manager (MSM) fails, even though the SMTP-server configuration is correct and the network access is permitted, it might be due to what I believe is a bug in MSM.

I've seen this issue in servers with multiple NICs/servers having changes made to the pNICs after configuring MSM.

In short, the configuration utility does not bind to the correct IP-address/NIC when saving the configuration. This setting is nowhere to be seen in MSM, which is why it took me hours to figure out. To check and potentially fix the issue, do the following:

1) Open MSM and navigate to Tools > Monitor Configure Alerts

2) Make sure the settings for the SMTP-server are correct

3) Click Save Backup, store the file monitorconfig.xml on the Desktop and click "OK" to close the Configure Alerts-window

4) Edit monitorconfig.xml with Notepad or another text-editor

5) Find the <nic>-tag in the file and set it to the IP-address of the interface that should be used to access the SMTP-server

Example, see last line:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>

6) Save the file and return to MSM

7) Navigate to Tools > Monitor Configure Alerts

8) Click Load Backup, then Yes, select monitorconfig.xml and click OK

9) Navigate to Tools > Monitor Configure Alerts and test again

Note: The dialog may display "The test email could not be sent. Check the mail server settings and try again." - ignore this and check if the email is delivered within a few minutes.

I don't know the mechanism MSM uses for verifying the email is sent - more often than not, the error displays but the email is delivered anyway.

Versions tested:,,

Valheim beta is regularly updated, this goes for both server and client. The client is usually updated automatically via Steeam, however the dedicated server is not. When the versions mismatch, ie: the server is behind; clients can no longer connect to the server.

Updating the server to the latest beta is easy, yet manual. I've written a few scripts to take care of this process. It could be improved in many ways, but it works so why bother.

Note: This procedure requires steamcmd

1) Create a start-script for Valheim, mine is called and is placed with the binary:

export templdpath=$LD_LIBRARY_PATH
export SteamAppID=892970
echo "Starting server PRESS CTRL-C to exit"
./valheim_server.x86_64 -name "valheim" -port 12345 -nographics -batchmode -world "worldname>" -password "password" -public 1
export LD_LIBRARY_PATH=$templdpath

2) Start a screen named valheim by running screen -S valheim

3) Run to start the dedicated server and detach from the screen

4) Create a new script called with the following content:

echo "Sending Control+C to $VALSCREEN"
screen -S $VALSCREEN -X stuff $'�03'
echo "Sleeping 10 seconds, let Valheim server shut down..."
sleep 10
echo "Sleep done"
echo "Running update check and install..."
/bin/bash /home/aners/valheim/
echo "Update check and install complete, sleeping 5 seconds"
sleep 5
echo "Starting Valheim-server"
screen -S valheim -X stuff 'sh /home/aners/valheim/'`echo -ne '�15'`

5) Create a crontab for the script with a runtime of your chosing

Mine looks like this:

# m h  dom mon dow   command
0 5 * * * /bin/bash /home/aners/

Every morning, my Valheim server is stopped, updated and restarted.

First use the storcli binary to identify failed drives on each controller (sure, multiple instances of grep could be improved with regex)

./storcli /cALL/eALL/sALL show all|grep Failure|grep -vi predict

   Example output:

Status = Failure
/c0/e1/s5  Failure    46 -

  Start locating the failed drive:

./storcli /c0/e1/s5 start locate

  Example output:

CLI Version = 007.1017.0000.0000 May 10, 2019
Operating system = VMkernel 6.7.0
Controller = 0
Status = Success
Description = Start Drive Locate Succeeded.

   Stop locating the failed drive:

./storcli /c0/e1/s5 stop locate

  Example output:

CLI Version = 007.1017.0000.0000 May 10, 2019
Operating system = VMkernel 6.7.0
Controller = 0
Status = Success
Description = Stop Drive Locate Succeeded.

  To stop locate for all controllers, run the following command:

./storcli /cALL set activityforlocate=off

Run a DHCP-server in macOS Monterey (12.4)

- Posted in macOS by

1) Go to Network Preferences

2) Configure IP-address on the wired connection:

3) Edit a new file for the server-configuration, run sudo nano /etc/bootpd.plist and add:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
  <plist version="1.0">

Save the file by hitting Ctrl+X then typing y and then hit the enter-key

4) Start the DHCP-daemon: sudo /bin/launchctl load -w /System/Library/LaunchDaemons/bootps.plist  

5) Stop the DHCP-daemon: sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/bootps.plist

Use ovftool to deploy the image directly to the ESXi-host instead:

ovftool -dm=thick -ds=<DATASTORENAME> -n=<VMNAME> --net:"VM Network"="<VMNETWORKNAME>" "junos-media-vsrx-x86-64-vmdisk-18.2R1.9.scsi.ova" vi://[email protected]

Replace with your own settings

Enable IKE debug logging in Junos

- Posted in Juniper by

Enable IKE debug logging in Junos by configuring the following:

set security ike traceoptions file ike-debug
set security ike traceoptions file size 10m
set security ike traceoptions file files 2
set security ike traceoptions flag all
set security ike traceoptions level 15
set security ike traceoptions gateway-filter local-address remote-address

The log file is written to /var/log/ - disable the configuration when it's no longer needed, to not wear down the CF/SSD in the device.


request security ike debug-enable local remote


show security ike traceoptions


show security ike debug-status

Create a RAM-drive in Linux

- Posted in Linux by

Add the following line to /etc/fstab to create an 8 GB RAM-drive in Linux with tmpfs

tmpfs           /mnt/ramdisk tmpfs      defaults,size=8192M 0 0

Mount with sudo mount -a and use /mnt/ramdisk/

If a snapshot seems stuck, use the console to verify a task is actually running:

1) Run vim-cmd vmsvc/getallvms and note the relevant VM-ID 2) Run vim-cmd vmsvc/get.tasklist <VM-ID> and note the Task-id 3) Run vim-cmd vimsvc/task_info <Task-id> to get task status 4) Browse to the VMs location on the datastore and run watch -d 'ls -lut | grep -E "delta|flat|sesparse"' to monitor the process

Unmap VMFS using esxcli

- Posted in VMware by

First fetch a list of VMFS:

esxcli storage filesystem list

For VMFS' where unmapping is supported, run:

esxcli storage vmfs unmap --volume-label=<label> | --volume-uuid=<uid>  [--reclaim-unit=<blocks>]

Junos, save dump to pcap-file

- Posted in Juniper by

To save monitoring to a pcap-file in Junos, use the write-file argument:

monitor traffic interface ge-0/0/1.0 write-file test.pcap

The file will be saved in /cf/var/home/<userid>/test.pcap

To read back the file in the Junos CLI, use the read-file argument:

monitor traffic read-file test.pcap

ESXTOP xterm, for unsupported terminals

- Posted in VMware by

Set TERM to xterm, before running esxtop to get a usable output, when the terminal/tty is not supported; run the following command to do so:

TERM=xterm esxtop

Get Virtual Machine uptime, with vim-cmd

- Posted in VMware by

Run vim-cmd vmsvc/getallvms to get a list of VM IDs (pipe to grep -i to filter)

With the ID from the second column, use the following command to fetch the uptime (replace 12345 with your VMs ID)

vim-cmd vmsvc/get.summary 12345 |grep "uptimeSeconds"

ffmpeg, crop video

- Posted in ffmpeg by

Crop 8 seconds of a video, starting from 3 seconds, using the copy method (no reencode)

ffmpeg -i input.mp4 -ss 00:00:03 -t 00:00:08 -c copy output-crop.mp4

ffmpeg, rip audio from video

- Posted in ffmpeg by

Rip 3 seconds of audio from a video, starting from the 7 second mark:

ffmpeg -ss 7 -t 3.0 -i source.mp4 output.mp3

EX3400 boot loop, cannot find kernel

- Posted in Juniper by

EX3400 is boot looping. The kernel cannot be found, reinstall is required.

Power off the EX3400

1) Download the appropriate image for the device (ex: "junos-install-media-usb-arm-32-15.1X53-D59.4-limited.img.gz")

2) Extract the image

3) Write the extracted image to a USB-device using dd with bs=1m or bs=1M depending on version

4) Insert the USB-device and power on the EX3400

5) Hit 5 for [M]ore options and 5 again for [B]oot prompt

6) Run lsdev and confirm device disk1s1a exists

7) Run set currdev="disk1s1a"

8) Run include /boot/loader.rc to reboot the device

9) Wait for the installation to complete - be patient.

ESXi 6.5, switch to legacy USB-stack

- Posted in VMware by

Disable vmkusb module in ESXi 6.5 and switch to legacy stack:

esxcli system module set -m=vmkusb -e=FALSE

Reenable vmkusb:

esxcli system module set -m=vmkusb -e=TRUE

Either change requires rebooting of ESXi

Disable native driver and revert to sata-ahci:

esxcli system module set --enabled=false --module=vmw_ahci

Reenable native driver from sata-ahci:

esxcli system module set --enabled=true --module=vmw_ahci

Simple pyproxy TCP example

- Posted in Linux by

./ --tcp -s -d domain.tld:12345 -v

Script source-code: download here

Use wget and perl to reboot a Netgear ISP provided CPE/modem/router from comandline. Replace IP-address and 'REALPASSWORD' with your own settings

id=$(wget --quiet -O- --http-user admin --http-password password | perl -lne '/id=([0-9]+)/ && print $1'); wget --quiet --http-user admin --http-password REALPASSWORD --post-data 'buttonSelect=2'"$id"
openssl pkcs12 -inkey certificate.key -in certificate.pem -export -out certificate.pfx

Install the plugin for parsing Apache httpd config files:

sudo apt install python3-certbot-apache