Gigabyte GM-M7800S

在浏览创意礼品时发现一款技嘉和施华洛世奇的联手之作: Gigabyte GM-M7800S,镶了水晶的奢侈品鼠标。

我突然很想拥有一件这样的鼠标。或者更多件,至少给家人人手一件,己所欲,施于人。我是一个追求性价比的人,通常对奢侈品不热衷,为什么对这款鼠标情有独钟?我觉得很奇怪,仔细想了想,给自己列了这几点理由。

  1. 手头的几件鼠标用起来都不顺手。
  2. 鼠标本身是一分钱一分货。我不晓得技嘉花在鼠标硬件上的成本是多少,但要配得上施华洛世奇的水晶,不至于太抠吧?否则这个产品设计就太失败了。
  3. 质量上乘的鼠标如同实木家俬,是百年品质,一次投资。
  4. 经典款说不定还能升值。
  5. 有很强的实用性,跟普通奢侈品不能完全类同。

列了这么多,可能在别人看来纯属扯淡,我还是一个被奢侈品勾引的落入俗套者。不管这么多,我就想买它,可是,找不到哪里有卖?!

Change PHP directives in Magento

Today a Magento store owner asked me why he could not create a new attribute set based on an existing one. I took a look into his store and found out the existing attribute set has many custom attributes, which led to new attribute set creation would take more than 30 seconds. But 30 seconds is the default PHP max execution time, which is set in php.ini and has not been optimised for Magento backend operation.

My immediate reaction was changing the default value of max_execution_time to 120. I added a line in /etc/php-fpm.d/www.conf, where is my preferential place to set server wide PHP directives rather than /etc/php.ini.


php_admin_value[max_execution_time] = 120

After a while, I had another thought. I do not like to extend PHP max execution time for most of other websites on the same server. Even for the Magento store, longer execution time is only needed for the backend operations. So how can I specify different PHP directives for different websites? Particularly, how can I specify longer execution time or larger memory limit for Magento admin users?

My first idea was creating separate php-fpm (Yes, I am using php-fpm.) profiles for this purpose. However, I rejected this idea after 2 seconds, because:

  1. I do not like to create more PHP daemons into the valuable server memory.
  2. If Magento frontend and backend are on the same domain, I have no way to assign a corresponding daemon.

So, can I implement changing run-time PHP directives using a Magento module? Of course. I had a Magento module called Msdk (Magento SDK). I just need to add this feature to Msdk.

Firstly, I need to find a proper event to catch. The event should be dispatched only once per request, and earliest possible when it can distinguish frontend or adminhtml route. The earliest event is “controller_front_init_before” except some database events, which are not recommend to catch anyway. But “controller_front_init_before” can not distinguish frontend or adminhtml route, i.e. it can only be put into global section in config.xml. Following the event timeline, I find “frontend or adminhtml route” is the best event to catch.

Secondly, I put one “controller_front_init_before” event catching into frontend section and another into adminhtml section in config.xml of Msdk module.

Thirdly, write two observers in a Helper or a Model to apply PHP directives.

Lastly, modify system.xml to allow users to set PHP directives in Magento System Configuration.

It sounds complicated but actually not. I finished it in a couple of hours.

BTW, Msdk is one of my free modules. But I am not going to launch it now with only one new feature. Watch the space for updated news.

Cure fail2ban on FreePBX

不知从什么时候起,FreePBX 上的 fail2ban 不能启动了。amportal restart 时,其他项都是绿色的 OK,执行到最后是 fail2ban,两行:

Stopping fail2ban [Failed]
Starting fail2ban [Failed]

两个红色的 Failed 触目惊心。

看了看 /var/log/fail2ban.log,一头雾水。再说它不更新已经很久了,估计不能启动以后就没有更新。研究它的最后几行也不知对解决问题有没有帮助,总之我缺乏细看的耐心。问 Google 吧!有人说,

yum remove fail2ban
yum install fail2ban

就能重新工作了,就这么简单。一试,果然!

问题虽然解决,但我对 FreePBX 软件质量的印象分有所降低——“不明原因、重装解决问题”似乎是 Windows 的特症,怎么 CentOS 下的 FreePBX 也染上了?!

Sftp chroot howto

我之前在服务器上应用 Ftp chroot,那设置起来相对简单。但 Ftp service 不是服务器预装的,通常我会装 proftpd 或 vsftpd。

这次我想为什么不用服务器预装的 Sftp service?我有点钻了牛角尖—— Sftp 比 Ftp 好在哪?更安全?似乎这增加的安全性对我来说毫无意义。少占点硬盘空间?空余字节多着呢。总之,我想到了就想把它用起来。

首先新建一个用户组,sftponly,只要是这个组的用户 Sftp 登录后都会被 chroot。


groupadd sftponly

然后把需要 chroot 的用户都加到 sftponly 组


usermod -a -G sftponly user1

如果是新用户,则在创建的时候直接参组。


useradd -U -G sftponly -s /sbin/nologin -d /path/to/user1_home user1

然后要保证 /path/to/user1_home 这个目录及所有各级父目录的属主是 root,属性 755。user1 在他的 home directory 下是没有写权限的,不能由他自己创建文件或文件夹。这也容易理解,因为他被 chroot 以后,他的 home directory 看上去是系统根目录,普通用户当然不能在根目录这一级有写权限。这时需要 root 事先为 user1 创建好若干文件夹,如 /path/to/user1_home/documents、/path/to/user1_home/pictures,并将 documents、pictures 的属主指定为 user1。

然后我按网上的指点依样画瓢,在 /etc/ssh/sshd_config 里添加了这几行:


Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory %h

然后重启 sshd service


service sshd restart

理论上这时 user1 已经可以在 Sftp 登录是被 chroot,限定在他的 home directory。但是 user1 怎么都登录不了,碰到的错误是:

Connection closed by server with exitcode 1

原来,在我的 /etc/ssh/sshd_config 里有这么一行


Subsystem       sftp    /usr/libexec/openssh/sftp-server

这是服务器预装时的配置,可能不是所有的服务器都这样,但有一定的普遍性。

这说明,Sftp 子系统是由 /usr/libexec/openssh/sftp-server 支持的。而在被 chroot 的 user1 看来,是没有 /usr/libexec/openssh/sftp-server 这个文件的。怎么办?两个办法:

办法一:将那一行改为


Subsystem     sftp    internal-sftp

办法二:在 user1 的 home directory 下建一个副本 %h/usr/libexec/openssh/sftp-server,只是简单的文件拷贝。

 

Diving into Daigou

之前我说到代购不值得一做,但老婆说有空就做,反正闲着也是闲着。她的实干精神要远胜于我,就这一点我也要支持。

代购的包装材料如果零买的话,价格很高,我就想一次购进一批包装材料来降低成本。这不,我买了 36 卷封箱大胶带,48 mm X 150 m(号称),花了 £55,free shipping。折合 £1.02 / 100m。

Packaging tapes
Packaging tapes

而在 Poundland 花 £1 能买到 2 卷胶带,48mm X 30m。折合 £1.67 / 100m,这一下我节约了 38% 的成本。

Weigh packaging tape
Weigh packaging tape

这胶带看上去质量还行,肉厚 25mm,只是它芯的孔径是 50mm,不常见,我备有的 tape gun 还不匹配。单卷胶带有 291 克重,我虽然很想从淘宝上买,9 元人民币可以买到一卷 48mm X 170m 的胶带,但加上运费,不见得能便宜多少。但是国内可以略等于普通胶带的价格买到定制胶带(这样的胶带大约要订 83 卷),在英国定制就很贵了,以后还是值得考虑从国内采购的。

我还买了一堆泡沫包装膜,非常地占地,哎,为了节约成本带来这么多不便,不知是不是真捡着了便宜。

Bubble wrap
Bubble wrap

我还买了一批双层瓦楞纸箱,但是强度不够,属于失败的采购。在淘宝上的纸箱,410 X 280 X 215,特硬加厚五层BC瓦,约448g,才5.20 元,好诱惑,但不现实。

这么多包装材料,什么时候能用完呢?

5V2A adapter for IAD

前不久在淘宝上淘了一个华为 U-SYS IAD101H,准备用作 MGCP 语音网关。才 28 元人民币,运费 6 元,真的很便宜。

Huawei U-SYS IAD101H
Huawei U-SYS IAD101H

卖家说明自配变压器,是 5V2A 的电源。我加钱求卖家帮我配好变压器,但卖家不帮忙。因为语音网关还未转寄到我手上,所以我也没急着寻购 5V2A 变压器。今天无意中在我家电视机柜边上翻出一个孤零零的变压器,一看正好是 5V2A。我想了半天没想出它是哪个设备元配的变压器,先拿来用了再说。

5V2A adapter
5V2A adapter

Newbie’s experience in setting up an IPPBX

I classify myself as a newbie as I have been diving into Asterisk / FreePBX for only 3 months. I am not familiar with 95% parameters of my IPPBX, and I try to avoid touching those parameters. However I can proudly say I have gained enough experience in setting up an IPPBX for a commercial environment, and I want to share it with you.

Before I start, I have to make it clear what my goals are, so you know if my experience suits you.

Firstly, I do not have massive users, say less than 100. We did not use any PBX, but once we launch IPPBX, it must be working very stably.

Secondly, users should be able to pick up the calls in the office, at home or on the move. Myself is a typical user, who answer 1/3 calls in the office, 1/3 at home, 1/3 on the move.

Thirdly, I want to save every pence possible on this first IPPBX. There are many IPPBX with Asterisk preinstalled and probably optimised on the market, whose prices start from £150. However I think at £150 it is an entry level product and geared for a SOHO enviroment. If I hunt for a proper commercial Asterisk IPPBX, I should look for something above £300.  I am a fanatical DIYer and I believe business can take advantage of open source. Free open source allows business to do the same things other highly priced product can do, and sometimes does better. Of course the price of open source is the learning time. I spent £100 on the hardware (Bought from China directly. I evaluate it as £190 for similar hardware on the UK market), and 3 months in learning. A commercial Asterisk IPPBX with the equivalent capacity should be priced at £500 or so.

My 3 months’ learning only saved £400 which is a loss. Nevertheless, back to the topic – my gained experience in setting up an IPPBX.

I do not need to connect IPPBX to a physical analogue (POTS) or digital (ISDN) telephone line. If you do, and the more lines to connect, the more worthwhile to buy a commercial IPPBX with FXO or BRI ports built in. None of analogue/digital cards or ATA or ISDN gateways are cheap.

At the time of choosing a DIY IPPBX other than a commercial IPPBX, I was quite worrying about the stability. Now I can say software stability can be achieved by a newbie like me. But to make the whole system work reliably, I have to buy a decent hardware to run it on, and most importantly, a reliable network. My current ISP is horrible and due to be switched away in next month. It wasted me a lot of time debugging – barking at the wrong tree. I would not say “horrible” if I was only using their network browsing Internet. It looks like it can not afford VOIP traffic when it comes to host an IPPBX.

I set port forwarding on the NAT router where IPPBX is. I forwarded SIP bind port and RTP ports. I did not do everything at client side router. The SIP client should traverse a router not in my control.

I put NAT in Settings >> Asterisk SIP Settings to “route”, which instantly solved a lot of audio silence between various devices, i.e. high end SIP phone, entry level SIP phone, and several soft SIP phones installed on several Android based mobiles. I still can not understand the exact logical behavior of “yes”, “no”, “never”, “router” for NAT choice, but to me, “router” is the best choice.

I totally understand many people says SIP behind NAT is a nightmare. My IPPBX is behind a NAT router in the office, and if I am at home, my extension is behind another NAT router. This is the worst scenario. With FreePBX Distro and the above simple configuration, but without help of any third party modules, proxy, stun server, SER, the most difficult problem I encountered is one way audio on some devices / soft phones. It is always the caller can not hear voice from the callee, but the callee can.

Then I find enabling stun server on SIP client does not do anything good. Actually I find enabling Rport for signaling and media helps eliminating one way audio symptom if this choice is available. If your device does not have such a choice, but you have two devices at hand, you can dial out using one of them and transfer the call to the other one. This method makes both ends callees. So tricky. Do we really to do that? No. I have better way later on.

Missing codecs may cause audio silence, but it has nothing to do with one way audio. If a required codec is missing, both ends will be silent. I have a weird SIP trunk provider supplying 2 lines. Both lines have an external number (connecting PSTN) and an internal number (extension number on his SIP server). It turned out he enables different codecs for these 2 lines. And even on the same line, he enables different codecs for external number and internal number. It took me a long time before I realised it was a codec problem.

Although Android mobiles are widely available, it is worth buying SIP phones for office and home.  SIP phones can stay online much more stable than any of soft SIP phones on Android mobile. It may not be a fault of soft phones. They are restricted by Android power management. The advantage of Android devices is you can choose SIP apps to install. To get the best of both worlds, the best buy is an SIP desktop phone with Android OS.

Among SIP apps, I recommend Zoiper (most stable, and support IAX2), CSipSimple (support video calls with CSipSimple video plugin), Samsung Galaxy built in SIP client (may be best choice in power saving), in turn.

It is time to summarise how to tackle one way audio. I mentioned IAX2. Yes, for soft phone, use it as the first choice over SIP. (Sadly as a hardware, VOIP phone with IAX protocol are not widely available.) I am using Zoiper on the move. In the office, as it in the same subnet, SIP traversing is not a problem, so any SIP phones will do the job. At home, use a SIP phone which can enable Rport, or use Zoiper.

I tried to achieve a stable IPPBX without having to periodically reboot it, but I could not. The IPPBX runs into a hanging state every a few days. For example, all trunks / extensions are disconnected. Even “amportal restart” can not solve the problem. A daily reboot is a must. Just choose a quietest time and use crontab to reboot. My IPPBX reboots in 34 seconds, which means the uptime is 99.96%. Normally the IPPBX will not hang within a day. But I set a monitoring script anyway to monitor if all trunks / extensions lose connection, reboot the IPPBX immediately. It never happened so far.

I also find IPPBX daily rebooting is a usual practice. I have monitored two of my SIP trunk providers are rebooting their servers daily. I am going to test it on a third one. Besides, I will be very glad to see a future version of FreePBX can run without rebooting for years as Nginx, etc.

SIP requires very reliable network

我的 SIP 服务器 FreePBX 暂时还放在一个非常不可靠网络环境下,这在前文《FreePBX working with an unstable router》有提及,一有 SIP 不正常的风吹草动,我就成了惊弓之鸟。

今天早上我在家,发现 SIP 分机又出现单向语音的症状,测了多次,十次有九次是单向语音,主要是主叫方听不到对方声音。我在服务器上看来看去看不出原因,不管三七二十一,又重启了一次,仍没解决问题。

单向语音是 SIP 很常见的问题,在用 FreePBX 之初,我曾花大力气去解决,找到一套行之有效的办法。怎么今天又出现了老问题了?我一阵头疼。

我家的网络宽带路由器确实不太好,但一开始我没意识到是它的原因,因为浏览网页是正常的,再说 SIP 能注册,也能接通。我排查了很久,无意中将手机 Wi-Fi 连接关闭,用 3G 连接网络,手机的 SIP 客户端立刻就能双向语音,一切正常。我这才想到是网络宽带路由器的原因,把它重启了一遍,SIP 通话就正常了。

看来 SIP 对网络的要求非常高,而且是服务端、客户端双方的要求都很高。

FreePBX auto reboot

FreePBX 上线运行近一个月,被我观测到若干次所有 peers (包括 trunks 和 extensions)都失去连接的情形,但 FreePBX web 界面里还是显示 asterisk 正常绿色。

目前我无法判断这究竟是 FreePBX 的硬件问题,抑或是 FreePBX 的软件问题,还是参数配得不对。我也没找到什么现成的命令可以判断 asterisk 是否在正常工作。

好羡慕一些人说 FreePBX 几年都不用重启也跑得很稳定。我也不想经常重启我的 FreePBX,但我得面对现实的商业化环境。

现实是我们不是 24 小时工作,电话也不会 24 小时响个不停,但工作时间我们不能容忍 FreePBX 无缘无故停止响应。所以我做了两项调整:

  1. FreePBX 每天在伦敦时间 6AM 重启一次 OS,保证它有活力运行在大部分人的工作时间。
  2. 我还写了一个每分钟检测一次的小程序。如果检测到所有 peers 失去连接,就重启 OS。如果重启没有解决问题,则不再重启,这是为了不为非 FreePBX 自身的原因(比如说网络原因)陷入重启循环;当然,如果重启解决了问题,也不用重启了。

I almost forgot how to use Apache

我不用 Apache 很多年,几乎忘了该怎么完整地配一台 Apache server。最近上线了一台 FreePBX,我想加强 web server 的安全系数,要修改一些默认参数。因为对 FreePBX 还不是很了解,所以不敢贸然把它的 web server 用我喜欢的 Nginx 代替,只好沿用元配的 Apache,捣腾它的 conf 文件。

首先,我想弄个 VirtualHost,把 FreePBX admin 界面隐藏到不公开的 ServerName 上。我忘了在使用 name based virtual host 前要先使用 NameVirtualHost 先声明一下。


NameVirtualHost ip_address:port_number

其次,启用了 VirtualHost 以后,VirtualHost 之外的 main DocumentRoot 就不起作用了。我在 VirtualHost 之外定义了一个 DocumentRoot 并想当然地认为它是 default server (未经任何一个 VirtualHost 定义的 server)的 DocumentRoot。事实上,VirtualHost 的 default server 是由 _default_ 显式定义,或在 _default_ 缺失的情况下,第一个 VirtualHost 就是 default server。