Apr 15

Import Virtualbox Image Into Oracle VM

C:\Program Files\Oracle\VirtualBox>VBoxManage.exe showhdinfo c:\DATA\VirtualBox_VMs\fc18\fc18.vdi
UUID:                 3909d478-3ba5-4de5-bda1-65e802451aa0
Accessible:           yes
Logical size:         8192 MBytes
Current size on disk: 6192 MBytes
Type:                 normal (base)
Storage format:       VDI
Format variant:       dynamic default
In use by VMs:        fc18 (UUID: 5cc6b364-e935-4d00-a10a-da6aa3e1592f)
Location:             C:\DATA\VirtualBox_VMs\fc18\fc18.vdi

C:\DATA\VirtualBox_VMs\fc18>"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonehd fc18.vmdk fc18.img --format raw

- Run a FileZilla FTP server locally. Set up a user and a shared folder.
- Import the virtual disk in OVMM: ftp://anonymous:rr@/fc18/system.img
- Rename it appropriately, something like vmname_system.img.
- Create the VM and attach the disk image(s).


Apr 12

Display X After User Switch

Sometimes you find yourself having to redirect the X display to a different host but "ssh -X hostname" will not work since you had to switch users. For instance, you logged in to a host as root and afterwards ran "su - oracle".

Example:

$ ssh root@host1.domain.com -X
# echo $DISPLAY
localhost:10.0
# xauth list
host1.domain.com/unix:11  MIT-MAGIC-COOKIE-1  95e4b887f2f6d132897aedbbbe297309
host1.domain.com/unix:10  MIT-MAGIC-COOKIE-1  961e9e854127e3c70ff8804a5eb57f7e
# su - oracle
$ xauth add host1.domain.com/unix:10  MIT-MAGIC-COOKIE-1  961e9e854127e3c70ff8804a5eb57f7e
xauth:  creating new authority file /home/oracle/.Xauthority

Then trying xclock or xterm worked for me.  If you still have a problem also try:

$ export DISPLAY=localhost:10.0


Apr 06

Python Manipulating XML

A short script with descriptions for reading and manipulating XML.  It seems like the Python ElementTree module should be the easiest and best suited for XML manipulation.  However, I had a complicated XML structure with multiple namespaces and lxml handled it better.  ElementTree could only handle one namespace with its register function. In addition lxml has pretty_print, which might be useful, although in my case pretty_print did not work when I do inserts, even with the FAQ fix for remove_blank_text.

import lxml.etree as ET

f = open('config.xml','rb')
## http://lxml.de/FAQ.html#why-doesn-t-the-pretty-print-option-reformat-my-xml-output
#parser = ET.XMLParser(remove_blank_text=True)
#tree = ET.parse(f, parser)
tree = ET.parse(f)

#for element in tree.iter():
#    element.tail = None

root = tree.getroot()
namespace="http://xmlns.oracle.com/weblogic/domain"
servers = tree.findall('.//{%s}server' % namespace)

## Loop through the nodes we found
for server in servers:
  print("New SERVER node detected:")
  ## Iterate over a copy; removing from the live element while looping skips siblings
  for child in list(server):
    tag = child.tag
    val = child.text
    ## Remove any existing children
    if tag == "{http://xmlns.oracle.com/weblogic/domain}ssl":
      print("found server.ssl and will remove", end=" ")
      server.remove(child)
    if tag == "{http://xmlns.oracle.com/weblogic/domain}log":
      print("found server.log and will remove", end=" ")
      server.remove(child)
    if tag == "{http://xmlns.oracle.com/weblogic/domain}data-source":
      print("found server.data-source and will remove", end=" ")
      server.remove(child)
    print(tag, val)
  
  ## Add the 3 children we want 
  child = ET.Element("ssl")
  child.text=''
  server.insert(1,child)
  ##  xsi:nil has to be passed in {namespace-uri}name form; lxml rejects
  ##  an attribute name with a literal colon such as 'xsi:nil'
  gchild = ET.Element("hostname-verifier",attrib={'{http://www.w3.org/2001/XMLSchema-instance}nil':'true'})
  gchild.text=''
  child.insert(1,gchild)
  gchild = ET.Element("hostname-verification-ignored")
  gchild.text='true'
  child.insert(2,gchild)
  gchild = ET.Element("client-certificate-enforced")
  gchild.text='true'
  child.insert(3,gchild)
  gchild = ET.Element("two-way-ssl-enabled")
  gchild.text='false'
  child.insert(3,gchild)
  
  child = ET.Element("log")
  child.text=''
  server.insert(2,child)
  gchild = ET.Element("rotation-type")
  gchild.text='byTime'
  child.insert(1,gchild)
  gchild = ET.Element("number-of-files-limited")
  gchild.text='true'
  child.insert(2,gchild)
  gchild = ET.Element("rotate-log-on-startup")
  gchild.text='true'
  child.insert(3,gchild)
  
  child = ET.Element("data-source")
  child.text=''
  server.insert(3,child)
  gchild = ET.Element("data-source-log-file")
  gchild.text=''
  child.insert(1,gchild)
  ggchild = ET.Element("rotation-type")
  ggchild.text='byTime'
  gchild.insert(1,ggchild)
  ggchild = ET.Element("number-of-files-limited")
  ggchild.text='true'
  gchild.insert(2,ggchild)
  ggchild = ET.Element("rotate-log-on-startup")
  ggchild.text='true'
  gchild.insert(3,ggchild)

## Check out why pretty_print is not making newlines in new tags  
#print(ET.tostring(tree, pretty_print=True))
tree.write("wc-out.xml", pretty_print=True)


Feb 07

Curl command line downloads

If you need a command line download on Linux there are several options.  Wget for a simple download is a very good option but I prefer curl as I have had more success when dealing with logins, cookies and uploads than with wget.

Plus if you need to go further and integrate something with python or php the curl libraries are awesome.

Simple download:

$ curl -o myfile.iso "http://server.com/file.iso"

With login:

$ curl -o myfile.iso -u user:password "https://content.server.com/isos/file-x86_64-dvd.iso"
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
 Dload  Upload   Total   Spent    Left  Speed
 100 3509M  100 3509M    0     0  6204k      0  0:09:39  0:09:39 --:--:-- 7106k

** Note sometimes to get the correct download string you will need to log in to the site with your browser and copy the download location of the link.  Or in some cases actually initiate the download with the browser and then copy the link from the browser download window.

If you are after a more permanent web or scripted solution you can use curl to login and save the cookie.  Then subsequently download the file using the generated cookie.  This requires more experimentation with your particular site.

Login and save a cookie:

$ curl -c cookie.txt -u user:password https://secDownload.mybank.com/

List files:

$ curl -b cookie.txt -u user:password https://secDownload.mybank.com/

Upload a file:

$ curl -b cookie.txt --upload-file test.rrosso https://secDownload.mybank.com/

 

If you are behind corporate firewalls you might still be able to use curl.
Behind socks5 proxy:

$ curl --socks5 proxy.domain.com -U rrosso:pwd -c cookie2.txt -u site-user:pwd https://secDownload.mybank.com/    # login and save a cookie
$ curl --socks5 proxy.domain.com -U rrosso:pwd -b cookie2.txt -u site-user:pwd https://secDownload.mybank.com/    # list files using saved cookie
$ curl --socks5 proxy.domain.com -U rrosso:pwd -b cookie2.txt --upload-file test.rrosso https://secDownload.mybank.com

Behind squid proxy:

$ curl -x proxy.domain.com:3128 -U rrosso:pwd -o ARP08110610926072.txt_171317.RECVD -u site-user:pwd https://secDownload.mybank.com/ARP08110610926072.txt_171317.RECVD

$ curl -x proxy.domain.com:3128 -U rrosso:pwd -c cookie2.txt -u site-user:pwd https://secDownload.mybank.com
Virtual user site-user logged in.

$ curl -x proxy.domain.com:3128 -U rrosso:pwd -b cookie2.txt -u site-user:pwd https://secDownload.mybank.com
total 38
...

$ curl -x proxy.domain.com:3128 -U rrosso:pwd -b cookie2.txt -u site-user:pwd --upload-file rrosso-test https://secDownload.mybank.com


Feb 06

Customize a .deb package

In this case I had to fix some startup links in a Networker Debian package.  If I recall correctly it was after I had to use alien to create a .deb package from the vendor's rpm packages.

Package made with alien caused the following errors:

# dpkg -i lgtoclnt_7.5.1-2_amd64.deb
Selecting previously deselected package lgtoclnt.
(Reading database ... 22181 files and directories currently installed.)
Unpacking lgtoclnt (from lgtoclnt_7.5.1-2_amd64.deb) ...
Setting up lgtoclnt (7.5.1-2) ...
/bin/ln: creating symbolic link `/etc/init.d/rc2.d/S95networker': No such file or directory
/bin/ln: creating symbolic link `/etc/init.d/rc2.d/K05networker': No such file or directory
...
/bin/ln: creating symbolic link `/etc/init.d/rc5.d/K05networker': No such file or directory

Package info:

# dpkg --info lgtoclnt_7.5.1-2_amd64.deb
 new debian package, version 2.0.
...
 Package: lgtoclnt
 Version: 7.5.1-2
 Architecture: amd64
...
 Description: NetWorker Client
 EMC NetWorker protects the critical business data of more than 10,000
 enterprise customers worldwide by simplifying, centralizing, and automating
 backup and recovery operations across Unix, Windows, Linux and NetWare platforms
 in DAS, NAS, and SAN storage environments. Built upon an open, highly scalable
 client-server architecture, NetWorker reduces management overhead by providing
 "lights out" protection of storage assets in the largest corporate data centers
 and the smallest satellite branch offices.
 .
 (Converted from a rpm package by alien version 8.72.)

Uncompress with ar:

# ls
 lgtoclnt_7.5.1-2_amd64.deb

# ar vx lgtoclnt_7.5.1-2_amd64.deb
 x - debian-binary
 x - control.tar.gz
 x - data.tar.gz

Uncompress control file:

# tar xzpf control.tar.gz

Now make your changes to pre and post scripts.

Package control.tar.gz:

# tar czpf control.tar.gz control md5sums postinst postrm preinst prerm
# rm control md5sums postinst postrm preinst prerm

Package the .deb with ar:

# ar -r lgtoclnt_7.5.1-2_amd64.deb debian-binary control.tar.gz data.tar.gz
 ar: creating lgtoclnt_7.5.1-2_amd64.deb

Install:

# dpkg -i lgtoclnt_7.5.1-2_amd64.deb
 Selecting previously deselected package lgtoclnt.
 (Reading database ... 22181 files and directories currently installed.)
 Unpacking lgtoclnt (from lgtoclnt_7.5.1-2_amd64.deb) ...
 Setting up lgtoclnt (7.5.1-2) ...
 To install EMC HomeBase Agent run the below script as 'root' user:
 /opt/homebase-agent/setup-homebase.sh

Show installed package:

# aptitude show lgtoclnt
 Package: lgtoclnt
 New: yes
 State: installed
 Automatically installed: no
 Version: 7.5.1-2
 Priority: extra
 Section: alien
 Maintainer: root <root@bermuda>
 Uncompressed Size: 144M
 Description: NetWorker Client
 EMC NetWorker protects the critical business data of more than 10,000 enterprise customers worldwide by simplifying, centralizing, and
 automating backup and recovery operations across Unix, Windows, Linux and NetWare platforms in DAS, NAS, and SAN storage environments.
 Built upon an open, highly scalable client-server architecture, NetWorker reduces management overhead by providing "lights out"
 protection of storage assets in the largest corporate data centers and the smallest satellite branch offices.

(Converted from a rpm package by alien version 8.72.) (Updated postinst and postrm files to be dpkg friendly and start in runlevel 2 )
 (-- rrosso 10.21.09)

Although my goal was to fix the packaged version, you can also fix startup scripts on Debian and friends with update-rc.d. Example:

 root@clnt:/etc/init.d# touch testscript
# update-rc.d testscript defaults
 update-rc.d: warning: /etc/init.d/testscript missing LSB information
 update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
 Adding system startup for /etc/init.d/testscript ...
 /etc/rc0.d/K20testscript -> ../init.d/testscript
 /etc/rc1.d/K20testscript -> ../init.d/testscript
 /etc/rc6.d/K20testscript -> ../init.d/testscript
 /etc/rc2.d/S20testscript -> ../init.d/testscript
 /etc/rc3.d/S20testscript -> ../init.d/testscript
 /etc/rc4.d/S20testscript -> ../init.d/testscript
 /etc/rc5.d/S20testscript -> ../init.d/testscript

# update-rc.d -f testscript remove
 Removing any system startup links for /etc/init.d/testscript ...
 /etc/rc0.d/K20testscript
 /etc/rc1.d/K20testscript
 /etc/rc2.d/S20testscript
 /etc/rc3.d/S20testscript
 /etc/rc4.d/S20testscript
 /etc/rc5.d/S20testscript
 /etc/rc6.d/K20testscript


Feb 06

Setting up TCP Wrappers and local firewall on a remote host

If you use local firewall rules and TCP wrappers on a remote host where you might get locked out, with no easy way to get logged in again, here is a quick howto on playing it safe. The trick is to set up a couple of cron jobs to undo whatever you stuffed up.

I scheduled two 10 minute recurring jobs. Gives you 10 minute windows of configuring/testing before security resets.

Paranoid hint: Make sure you stay logged into the target host with an extra terminal somewhere else as well.

I could also have done /etc/init.d/iptables restart or service iptables restart to reset rules from cron. That would prevent you from having a wide open machine after the flush. But the downside of that is if you save rules that were broken, a restart will load your saved (broken) rules.

Set two cron jobs:

[root@uhz002192 dev]# crontab -l
*/10 * * * * cp /root/hosts.deny /etc/hosts.deny
*/10 * * * * /sbin/iptables --flush
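
A variant of the safety net above, as an added example rather than the post's own setup: cron restores a saved known-good ruleset with iptables-restore, which also puts chain policies back, instead of flushing to a wide-open host. The script path, file names, variables and function names are assumptions.

```shell
#!/bin/sh
# Added example (not the post's script). Hypothetical install path:
#   /root/scripts/fw-safety.sh
# Workflow:
#   1. /root/scripts/fw-safety.sh snapshot     (before changing anything)
#   2. crontab: */10 * * * * /root/scripts/fw-safety.sh rollback
#   3. tune hosts.allow / iptables, test from a second session
#   4. touch /root/fw.confirmed when it works, then remove the cron job
SNAPSHOT=${SNAPSHOT:-/root/iptables.known-good}   # ruleset that lets you in
CONFIRM=${CONFIRM:-/root/fw.confirmed}            # marker: new config accepted
DENY_GOOD=${DENY_GOOD:-/root/hosts.deny}          # safe copy, as in the post
DENY_LIVE=${DENY_LIVE:-/etc/hosts.deny}
SAVE_CMD=${SAVE_CMD:-/sbin/iptables-save}
RESTORE_CMD=${RESTORE_CMD:-/sbin/iptables-restore}

# Record the currently working ruleset. Returns 1 if nothing usable was saved.
snapshot() {
    ( umask 077; $SAVE_CMD > "$SNAPSHOT.tmp" ) || return 1
    # An empty dump would restore nothing; keep the previous snapshot instead.
    [ -s "$SNAPSHOT.tmp" ] || { rm -f "$SNAPSHOT.tmp"; return 1; }
    mv "$SNAPSHOT.tmp" "$SNAPSHOT" && rm -f "$CONFIRM"
}

# Put the known-good state back unless the change was confirmed.
# Returns 0 after a rollback, 1 when confirmed (nothing touched), 2 on error.
rollback_unless_confirmed() {
    [ -e "$CONFIRM" ] && return 1
    [ -s "$SNAPSHOT" ] || return 2
    # iptables-restore replaces the tables in the dump, policies included,
    # so a DROP policy set during testing is undone as well.
    $RESTORE_CMD < "$SNAPSHOT" || return 2
    cp "$DENY_GOOD" "$DENY_LIVE" || return 2
    return 0
}

case "${1:-}" in
    snapshot) snapshot ;;
    # "confirmed" (status 1) is a normal outcome for cron, not a failure
    rollback) rollback_unless_confirmed || [ "$?" -eq 1 ] ;;
esac
```

Because the snapshot is taken before any edit, a broken ruleset saved later with "service iptables save" cannot come back through the cron job.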

Tcp wrappers:

I made a copy of /etc/hosts.deny file in /root and then waited for the next cron run to test if the copy is really working as expected.

It looked good after cron ran.

# cat /etc/hosts.deny
#
...
#ALL: ALL

Now uncomment the ALL: ALL line in the real /etc/hosts.deny and start testing /etc/hosts.allow rules.

# more /etc/hosts.allow
...
# Host allowed to SSH
sshd: xx.xx.xx.xx

Test from non allowed and allowed host.

Feb 24 05:32:56 uhz002192 sshd[12346]: pam_unix(sshd:session): session opened for user rrosso by (uid=0)
Feb 24 05:33:43 uhz002192 sshd[12380]: refused connect from host.domain.com (::ffff:xx.xx.xx.xx)

Feb 24 05:34:34 uhz002192 sshd[12386]: Accepted password for rrosso from xx.xx.xx.xx port 37415 ssh2
Feb 24 05:34:34 uhz002192 sshd[12386]: pam_unix(sshd:session): session opened for user rrosso by (uid=0)

Now let's go tune the firewall rules...

List rules:


# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Saved rules in this file:

# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Delete unneeded rules:

# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT

Check (and test using something like nmap):

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Save the rules:

# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

Check stored rules:

# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Fri Feb 24 05:48:21 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [734:96465]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Feb 24 05:48:21 2012

Check running rules:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Delete the cron job(s) when working!


Feb 06

Virtualbox additions on Redhat

I use Virtualbox for a lot of desktop related projects.  Although it is not really the first choice for server related virtualization projects, sometimes you might just need to proof or test something quickly.  Here is what I did to enable the guest additions on a Redhat server running as a Virtualbox guest.

Note since I did not want to waste an entitlement license on RHN I installed packages from the DVD.  Yum can do a group install for the Development tools which would be easier.

Install some compile tools:

[root@localhost Server]# rpm -i glibc-headers-2.5-105.x86_64.rpm libstdc++-devel-4.1.2-54.el5.x86_64.rpm gcc-4.1.2-54.el5.x86_64.rpm gcc-c++-4.1.2-54.el5.x86_64.rpm glibc-devel-2.5-105.x86_64.rpm

Install kernel headers:

[root@localhost Server]# rpm -i kernel-devel-2.6.18-339.el5.x86_64.rpm kernel-headers-2.6.18-339.el5.x86_64.rpm

Install guest additions:

[root@localhost VBOXADDITIONS_4.2.6_82870]# ./VBoxLinuxAdditions.run
Building the main Guest Additions module
...

That was it and I could use copy/paste, better screen resolution and share files from the local host.


Feb 06

SSH Forced Commands

If for whatever reason you have to use root for SSH authorized-key access, you can at least severely restrict the commands that can be executed.

Create a wrapper script and make it executable.

# cat /root/scripts/sshwrapper.sh
#!/bin/sh
# Script: /root/scripts/sshwrapper.sh

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.
# Only exact matches below are run; everything else is refused.
case "$SSH_ORIGINAL_COMMAND" in
    "uname -r")
        uname -r
        ;;
    "lxc-version")
        lxc-version
        ;;
    "vserver-info")
        # SYSINFO is the vserver-info section that reports VS-API
        vserver-info - SYSINFO | grep VS-API
        ;;
    "lxc-ls")
        lxc-ls
        ;;
    "vserver-stat")
        vserver-stat
        ;;
    *)
        echo "Sorry. Only these commands are available to you:"
        echo "uname, lxc-version, vserver-info, lxc-ls, vserver-stat"
        exit 1
        ;;
esac

Tailor the key as follows:

# tail -1 /root/.ssh/authorized_keys
command="/root/scripts/sshwrapper.sh",no-port-forwarding,no-X11-forwarding,no-pty ssh-dss
...
ZkDBHoTWqskb4OXlWnV/ILBgn0HuWTPyjNS5ABjZRkxVvEeAXc= root@server.domain.com

Test:

# ssh ebsr12testdb uptime
Sorry. Only these commands are available to you:
uname, lxc-version, vserver-info, lxc-ls, vserver-stat

# ssh ebsr12testdb uname
Sorry. Only these commands are available to you:
uname, lxc-version, vserver-info, lxc-ls, vserver-stat

# ssh ebsr12testdb uname -r
2.6.18-194.32.1.el5

** Note another nice thing about this: the string matched in the wrapper does not have to be the command that runs. If the wrapper matched "uname" instead of "uname -r", the command it executes could still be whatever you choose. So we could allow "vmstat" in the wrapper while the command actually executed is "vmstat 1 100".
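
The aliasing idea from the note, as an added example that is not the post's wrapper: the client sends a short token and the wrapper runs a fixed command line that only it defines, logging anything else. The token names and the "sshwrapper" log tag are assumptions.

```shell
#!/bin/sh
# Added example: token-to-command table for an SSH forced command.

# resolve REQUEST: print the fixed command line for a known token, else return 1.
# The whole request string must equal a token, so "kernel; id", "kernel -a"
# or "vmstat 5" match nothing and are refused.
resolve() {
    case "$1" in
        kernel)  echo "uname -r" ;;
        vmstat)  echo "vmstat 1 100" ;;   # the example from the note
        lxc-ls)  echo "lxc-ls" ;;
        *)       return 1 ;;
    esac
}

# forced_command REQUEST: run the resolved command, or refuse and log.
forced_command() {
    cmd=$(resolve "$1") || {
        # Record what was asked for and from where (sshd sets SSH_CLIENT).
        logger -t sshwrapper "denied from ${SSH_CLIENT:-unknown}: $1" \
            2>/dev/null || true
        echo "Sorry. Only these commands are available to you:" >&2
        echo "kernel, vmstat, lxc-ls" >&2
        return 1
    }
    # $cmd comes only from the table above, never from the client, so
    # letting the shell split it into words here is safe.
    $cmd
}

# Under sshd (SSH_CONNECTION is set) act as the forced command. A login
# without a command leaves SSH_ORIGINAL_COMMAND unset and is refused too.
if [ -n "${SSH_CONNECTION:-}" ]; then
    forced_command "${SSH_ORIGINAL_COMMAND:-}"
fi
```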


Feb 04

Audio and video sync problems

When you watch a video and the audio is out of sync it can be pretty frustrating. Typically this happens with encoded videos where the audio and video streams are stored separately in the container. Sync issues are not typical in something like DV format where the audio is stored with each video frame.

If you just want to sync up while you are watching just use the VLC player. Depending on the version you could use hot keys. "J" and "K" worked for me. Some people mentioned Control-K and Control-L worked for them. Newer versions should have the Tools > Track Synchronization option which works awesome.

To permanently fix the problem is trickier. I am only writing about Linux solutions. There would of course be many Windows / Mac solutions also.

My video details:

$ avconv -i wl_oos.rmvb 2>&1 | grep -i stream
Stream #0.0: Audio: aac, 44100 Hz, stereo, s16, 128 kb/s
Stream #0.1: Video: rv40, yuv420p, 1280x692, 1097 kb/s, 23.98 fps, 23.98 tbr, 1k tbn, 1k tbc
Stream #0.2: Data: [0][0][0][0] / 0x0000

1. First I would recommend trying mplayer / mencoder just because it is pretty simple.

Use mplayer and adjust delay till it seems good. Then try to fix with mencoder:

$ mplayer -delay 1.2 wl_oos.rmvb
$ mencoder -delay 1.2 -oac copy -ovc copy wl_oos.rmvb -o wl_oos_fixed.rmvb

Depending on your audio and video codecs, the above might work for you. However, since I had AAC audio, the mencoder command above did not work for me. I had this error:

$ mencoder -delay 1.2 -oac copy -ovc copy wl_oos.rmvb -o wl_oos_fixed.rmvb
...
Audio format 0x4134504d is incompatible with '-oac copy', please try '-oac pcm' instead or use '-fafmttag' to override it

As shown below I also tried converting the audio while adjusting sync but not much luck.

$ mencoder -delay 1.2 -oac lavc -lavcopts acodec=ac3:abitrate=192 -ovc copy wl_oos.rmvb  -o wl_oos_fixed.rmvb

2. Next option would be to TRY ffmpeg / libav.

$ avconv -i wl_oos.rmvb -i wl_oos.rmvb 2>&1 | grep -i stream
Stream #0.0: Audio: aac, 44100 Hz, stereo, s16, 128 kb/s
Stream #0.1: Video: rv40, yuv420p, 1280x692, 1097 kb/s, 23.98 fps, 23.98 tbr, 1k tbn, 1k tbc
Stream #0.2: Data: [0][0][0][0] / 0x0000
Stream #1.0: Audio: aac, 44100 Hz, stereo, s16, 128 kb/s
Stream #1.1: Video: rv40, yuv420p, 1280x692, 1097 kb/s, 23.98 fps, 23.98 tbr, 1k tbn, 1k tbc
Stream #1.2: Data: [0][0][0][0] / 0x0000

You can try just keeping the codecs and converting to a new container like avi while introducing the offset at the same time. Note you need to use the input file twice with this technique and then map the audio and video from the two different inputs. This did not work that well for me either.

$ avconv -i wl_oos.rmvb -itsoffset 1.2 -i wl_oos.rmvb -map 0:1 -map 1:0 -acodec copy -vcodec copy wl_oos_fixed.avi

3. Finally the recipe that worked for me:

You might not need to convert, but since my video codec was rv40 I needed to make it something ffmpeg likes better as far as output.

1. Convert the video from rv40 to libx264 and the audio from aac to libvo_aacenc.

$ avconv -i wl_oos.rmvb wl_oos_fixed.mp4

2. Use avidemux open mp4, set video (copy), audio (copy), format mp4 and shift -1200ms. Save to wl_oos_fixed_av.mp4

** This worked for me. However, if you still have sync issues further into the file after fixing the beginning, you probably have Variable Bit Rate (VBR) and might need an entirely different approach, for instance splitting the audio and video and demuxing with tools, or stretching/squeezing the audio. There are several tools around, but ffmpeg should be able to do it with the -async or -vsync options.


Jan 14

Ssh login failure

Recently I had a problem logging into a server using ssh.  I setup the public key as usual as an authorized key on the server but kept seeing an "Agent admitted failure" message.

$ ssh server.domain.com
Agent admitted failure to sign using the key.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

The fix was to update the ssh-agent as follows:

$ ssh-add
Enter passphrase for /home/rrosso/.ssh/id_rsa:
Identity added: /home/rrosso/.ssh/id_rsa (/home/rrosso/.ssh/id_rsa)

$ ssh server.domain.com
Last login: Mon Jan 14 18:01:31 2013 from .hstntx.sbcglobal.net
