December 3rd, 2011
I purchased a Ubiquiti Unifi AP earlier this week and have been pretty impressed. The Unifi AP’s are super super cheap ($70 – 80), and the controller software is free. The UAP Mini’s, which have a shorter range / slower speed cost about $60, though it’s hard to find anywhere online that has them available. (Amusingly, I can only just barely buy a Cisco PoE injector for this amount.) These are enterprise class AP’s – they support 802.1q, multiple SSID’s, WPA enterprise, centralized management, etc. All of the current models are 2.4 GHz only; supposedly dual-band models will be released in the future.
They also support a captive portal, which is super easy to configure with either a static password, generated one-time-use vouchers, etc. This is the only part that actually depends on the controller service. So, if the controller is down (or inaccessible), everything will continue to work normally except guest access. This is pretty nice, as it lets you have a single controller for multiple sites, without having to worry too much about what happens if the sites are disconnected. I have screenshots of the guest policy and voucher interfaces below.
 
I do have a few small gripes / annoyances. Hopefully some of these will be addressed as the controller software becomes more mature. It looks like a long list – but I don’t think any of these would be deal-breakers in most small or medium sized environments.
- Limited to 4 SSID’s / VLAN’s on each AP.
This probably isn’t an issue in most environments, but it could be in some. As it is though, these AP’s are probably cheap enough that you could deploy additional AP’s to handle the additional VLAN’s and still end up spending way less than you would with Cisco, et al.
- Configuration changes take AP’s offline for short period
When I make a change on one of the SSID’s / VLAN’s, the AP goes into a provisioning mode for a minute or so. While this is occurring my wireless clients are disconnected. Not sure how this is handled in a multi-AP environment. My hope is that the provisioning would be staggered, so clients would be able to connect to another AP while the AP they were originally associated with is re-provisioned. If not, any configuration changes become events requiring downtime, which would be disappointing.
- No SNMP Support
SNMP is currently not supported in the controller software, or on the devices themselves. This isn’t a huge deal for me (it’s easier to monitor the bandwidth usage via the switchports), but I can imagine it would be super-nice to have in many environments. The controller software has some monitoring built in to it – the controller can send email alerts if an AP goes offline and can show usage graphs (see screenshot below).

- On Windows, controller software doesn’t use a service by default
When installed on Windows, the controller software doesn’t use a Windows service out of the box. There is an option in the software to install a service ( see this post on the Ubiquiti forum ). I’m not sure why this isn’t done by default though. I can’t imagine any instance where you would not want software like this to be a service.
- Only a single RADIUS Server can be Configured
Only one RADIUS server can be configured, with no failover. Cisco’s Aironet devices support configuring multiple redundant RADIUS servers. It would be nice to see this feature added. You could potentially use some kind of clustering or load balancing to still have redundancy though if you wanted. See screenshot of the SSID configuration interface below:

There are some other things that would be nice to have, like:
- Multiple guest policy profiles
Right now, you have one guest policy that is applied to all SSID’s that have the captive portal features enabled. It could be nice to have multiple guest profiles, though I admit I can’t come up with a common use-case.
- Standardized PoE
Ubiquiti uses a modified version of PoE. They do ship a PoE injector with their devices, but it would be annoying to have to use these if I had a large number of AP’s and already had a PoE capable switch. I’ve heard a UAP Pro mentioned on the Ubiquiti forums that sounds like it’ll use 802.3af.
- Gigabit
All of the Unifi AP’s currently offered (UAP, UAP Mini, UAP Long Range, and an external model) have a single 100 Mbps port. The 150 – 300 Mbps they claim to support with 802.11n is pretty useless with a 100 Mbps uplink.
I’ve heard of a UAP “Pro” mentioned on the Ubiquiti forums that will add a couple of these features (802.3af PoE, and gigabit interfaces).
Overall I love Unifi. If your environment can live with these annoyances, frankly I don’t see any reason why you would use anything other than Unifi.
The company I work for uses Ubiquiti AirOS devices for a short point to point connection. I also have set up Ubiquiti AirOS devices at the UNC Project in Malawi for point-to-point links there between satellite clinics. In both of these cases they perform fantastically.
I’m excited to see where Ubiquiti will go in the future – they have some really great products. Find more details on Unifi at Ubiquiti’s website.
Tags: ubiquiti Posted by Oliver in Other Technology Projects | 1 Comment »
July 17th, 2011
I recently changed my site-to-site VPN configuration. Previously, I had been running my remote OpenVPN endpoints on CentOS with Quagga and OpenVPN installed. Now that I have a couple Vyatta VM’s routing traffic on the internal network I’ve been wanting to use those as the VPN endpoints. This simplifies things a bit, and lets me remove Quagga from the two CentOS boxes. I’ve also been wanting to switch my OpenVPN to bridge mode as opposed to routed mode. OpenVPN doesn’t currently support IPv6. Using bridge mode allows me to configure the L3 aspects outside of OpenVPN.
Rather than bridging the OpenVPN interface directly to one of the VLAN’s on each end of the tunnel (which would result in broadcasts traversing the WAN, and hosts at both locations being on the same Layer 3 network, not desirable in this case), I’m not actually “bridging” the VPN tunnel interfaces to other interfaces. Instead, I created a bridge interface on each end of the connection with only the OpenVPN tunnel interface included in it. I assigned the IP addresses on the bridge interfaces. Here’s a diagram of how the interfaces are set up:

I hadn’t used OpenVPN on Vyatta before, or OpenVPN in bridged mode, so this was a little new for me. I generated a static key and copied it to all of the devices. I have the OSPF costs on my internal Vyatta routers set so that one is always preferred. (I also have that router preferred in VRRP, though this is unrelated to OpenVPN). The Vyatta VM’s aren’t directly connected to the Internet, so I have OpenVPN listening on an internal address instead. That internal address is then NAT’ed to a public IP on my edge router. Ignoring the edge router, here’s a simplified diagram of the tunnels:

Here is the configuration I used on the two Vyatta endpoints. The only OpenVPN feature I’m using that Vyatta doesn’t have a configuration option for is the compression. Thankfully, Vyatta lets you manually specify OpenVPN configuration that they don’t support with “openvpn-option”.
intra-rtr-1:
bridge br0 {
    address 172.16.5.1/30
    description "L3 IF for APT site to site VPN"
    hello-time 2
    ip {
        ospf {
            authentication {
                md5 {
                    key-id 1 {
                        md5-key myospfkey
                    }
                }
            }
            cost 51
            dead-interval 40
            hello-interval 10
            priority 1
            retransmit-interval 5
            transmit-delay 1
        }
    }
    max-age 20
    priority 0
    stp false
}
openvpn vtun0 {
    bridge-group {
        bridge br0
    }
    local-host 192.168.1.21
    local-port 1501
    mode site-to-site
    openvpn-option --comp-lzo
    protocol udp
    shared-secret-key-file /root/apt-rtr.secret
}
intra-rtr-2:
bridge br0 {
    address 172.16.6.1/30
    description "L3 IF for APT site to site VPN"
    hello-time 2
    ip {
        ospf {
            authentication {
                md5 {
                    key-id 1 {
                        md5-key myospfkey
                    }
                }
            }
            cost 49
            dead-interval 40
            hello-interval 10
            priority 1
            retransmit-interval 5
            transmit-delay 1
        }
    }
    max-age 20
    priority 0
    stp false
}
openvpn vtun0 {
    bridge-group {
        bridge br0
    }
    local-host 192.168.1.22
    local-port 1502
    mode site-to-site
    openvpn-option --comp-lzo
    protocol udp
    shared-secret-key-file /root/apt-rtr.secret
}
I’m still using DD-WRT on the endpoint in my apartment. I’ll soon be switching this over to Vyatta as well, but until then I’m relying on some somewhat messy methods of using OpenVPN. I don’t trust the OpenVPN setup that the DD-WRT web GUI uses (for one, they use NAT’ing in the site-to-site connection…which makes no sense whatsoever), so I have a shell script on an attached flash drive that runs the OpenVPN daemons. The included version of Quagga also does not work on DD-WRT (apparently they compiled it wrong), so I had to find an old statically compiled version. That’s what I’m using for OSPF on the DD-WRT box right now. For this new VPN setup, I just added a few lines to the shell script I already use for OpenVPN.
Anyway, here is the OpenVPN config on my DD-WRT router. It’s fairly simple. I actually have two separate OpenVPN daemons on the DD-WRT system. One that connects to each of my two internal Vyatta routers. The only thing different between them is the port that they connect to.
dev tap0
proto udp
remote my.vpn.endpoint 1501
resolv-retry infinite
nobind
secret intra-rtr.secret
comp-lzo
Here is the script I’m using on the DD-WRT router. It creates the bridge interfaces, and adds the OpenVPN interfaces to the bridge groups. It also assigns the IP’s on the bridge interfaces, starts Quagga, and starts the OpenVPN daemons. When starting the OpenVPN daemons, it also calls DD-WRT’s route down script, to make sure the NAT’ing that DD-WRT tries to do by default is removed from iptables.
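#!/bin/sh
# Create one persistent tap device per tunnel
openvpn --mktun --dev tap0
openvpn --mktun --dev tap1
# One bridge per tunnel, each containing only its own tap interface
brctl addbr br10
brctl addif br10 tap0
brctl addbr br11
brctl addif br11 tap1
ifconfig tap0 up
ifconfig tap1 up
# The /30 addresses go on the bridge interfaces, not on the taps
ifconfig br10 172.16.5.2 netmask 255.255.255.252
ifconfig br10 promisc
ifconfig br10 up
ifconfig br11 172.16.6.2 netmask 255.255.255.252
ifconfig br11 promisc
ifconfig br11 up
# Start Quagga: zebra first, then ospfd
zebra --daemon --config_file /jffs/opt/zebra.conf
ospfd --daemon --config_file /jffs/opt/ospfd.conf
# Stop DD-WRT's own openvpn process, run its route-down script to remove the
# default NAT rules, then start one daemon per tunnel
( sleep 2 ; killall openvpn ; /tmp/openvpncl/route-down.sh ;
  /jffs/opt/ovpn --config /jffs/opt/openvpn-intra-rtr-1.conf --daemon ) &
( sleep 3 ; killall openvpn ; /tmp/openvpncl/route-down.sh ;
  /jffs/opt/ovpn --config /jffs/opt/openvpn-intra-rtr-2.conf --daemon ) &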
Here’s the relevant OSPF configuration in Quagga on my DD-WRT router. Most of it’s fairly straightforward:
interface br10
 description L3 IF for site to site VPN - intra-rtr-1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 myospfkey
 ip ospf cost 51
!
interface br11
 description L3 IF for site to site VPN - intra-rtr-2
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 myospfkey
 ip ospf cost 49
!
router ospf
 ospf router-id 192.168.17.1
 network 192.168.5.0/24 area 0.0.0.0
 network 192.168.6.0/24 area 0.0.0.0
 network 192.168.16.0/21 area 0.0.0.0
 area 0.0.0.0 authentication message-digest
I haven’t fully set up IPv6 yet. I’m planning on waiting until I replace my DD-WRT router with Vyatta to set all of that up. The version of Quagga I found that would run on DD-WRT doesn’t support OSPFv3. Vyatta does though.
Tags: dd-wrt, linux, openvpn, vpn, vyatta Posted by Oliver in Other Technology Projects | 2 Comments »
July 13th, 2011
I use a pair of Vyatta VM’s to route between VLAN’s at home. One is running on ESXi, the other on VMware Server 2 (yeah, I really want to move that to ESXi, haven’t had time to move all of the services I’m running on the host onto VM’s). They are redundant: I use VRRP on the user and server facing VLAN’s and OSPF on the VLAN facing my Cisco 1720 that’s connected to the Internet. The VM running on ESXi is prioritized in OSPF and VRRP to make life simpler and troubleshooting easier.

I recently noticed how slow the performance was when accessing FTP and HTTP for one particular host. From outside, an FTP session to this particular host would average maybe 10 KB/s. One moderate size image hosted via HTTP on that host basically would not load because the connection was going so slow (1 KB / s in this case). Off and on, I noticed slow performance connecting to other hosts. For a while, I focused my troubleshooting on the host exhibiting most of the performance issues. Oddly enough though, when I failed everything over to the other Vyatta VM running on VMware server, the performance was much better. I was able to receive 40 – 50 KB / s with that FTP session. Connecting the host directly to the VLAN between my Cisco router and the Vyatta VM’s also resulted in much improved performance. Nothing obvious jumped out from tcpdump’s or logs on the Vyatta VM’s.
I started looking at what inconsistencies there were between the two VM’s, and between the interfaces on each VM. These VM’s originally were made from Vyatta’s OVF template. I must have added one additional NIC to each of them. Two of the NIC’s on the ESXi Vyatta instances were VMXNET, and the third was E1000. Eventually, after troubleshooting this issue for quite a while, I found this particular topic on the Vyatta forums. When I changed the two VMXNET interfaces to VMXNET3, all of the performance issues on the ESXi Vyatta instance went away. (The Vyatta instance running on VMware server still has the NIC’s on VMXNET and doesn’t appear to suffer performance-wise from it). From other posts in that topic, it sounds like this may be related to an issue with the open-vm-tools included in past versions of Vyatta, that hadn’t been fixed in the OVF yet.
Another post on the Vyatta forum linked to a VMware KB article. The KB article describes performance issues on Linux guests that forward traffic if “Large Receive Offload” is enabled. I’m not sure if this is related to the issues I was having or not. Currently, LRO is enabled on my ESXi Vyatta instance, and performance still seems OK. So, I’m guessing that must be a separate issue from the one I was having.
Tags: vmware, vyatta Posted by Oliver in Problem Solution | Comments Off
June 17th, 2011
I have my own root certificate authority that I use to sign my personal SSL certificates (for my Exchange server, other internal web servers, etc.) I’ve noticed that I’ve been getting warnings in Google Chrome, that the browser is unable to check the CRL (Certificate Revocation List). To my knowledge, the CRL is basically just a list of certificates that have been revoked, that is signed by the CA, and stored in some accessible location (like on a web server). These errors were confusing however, because I do have a CRL published where the SSL certs say it is, and the browser is able to fetch the CRL file stored there. Being the perfectionist that I am, I had to solve this problem.
After looking into file extensions, MIME types, making the location accessible from the Internet, I was looking through my OpenSSL configuration and came across this line:
default_crl_days= 365 # how long before next CRL
I had never generated a new CRL since I initially tested it when I set up all of my internal PKI stuff. (I have maybe 15 SSL certs, all of which are on systems I control, so I’ve never had a reason to revoke one for real). So, it was a couple years old at this point. I regenerated the CRL, published it at the right location, and cleared the cache in Chrome. After doing that, the CRL warning went away.
Not sure how I would have learned this had I not come across that line in the config. You learn something new every day.
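An added example (not part of the original post): a standard-library Python check that reads thisUpdate and nextUpdate from a published CRL and reports when it has gone stale, which is the condition described above. The sample CRL, its dates and the "Example Home CA" name are constructed for this example, and its signature bytes are dummy filler; the check reads the dates only and does not verify the signature.

```python
import base64
from datetime import datetime, timedelta, timezone

SEQUENCE, UTCTIME, GENTIME = 0x30, 0x17, 0x18


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                 # short form: this byte is the length
        length = first
    else:                            # long form: low 7 bits count the length bytes
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def parse_time(tag, value):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == UTCTIME:               # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def crl_update_times(data):
    """Return (thisUpdate, nextUpdate or None) from a DER or PEM encoded CRL."""
    if data.strip().startswith(b"-----BEGIN X509 CRL-----"):
        body = b"".join(l.strip() for l in data.splitlines()
                        if not l.startswith(b"-----"))
        data = base64.b64decode(body)
    tag, cert_list, _ = read_tlv(data, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER CertificateList")
    _, tbs, _ = read_tlv(cert_list, 0)
    # thisUpdate and nextUpdate are the only Time values at the top level of
    # TBSCertList; revocation dates sit deeper, inside revokedCertificates.
    times, pos = [], 0
    while pos < len(tbs):
        tag, value, pos = read_tlv(tbs, pos)
        if tag in (UTCTIME, GENTIME):
            times.append(parse_time(tag, value))
    if not times:
        raise ValueError("no thisUpdate field found")
    return times[0], (times[1] if len(times) > 1 else None)


def crl_status(data, now=None, warn_days=14):
    """Classify a CRL as ok, expiring-soon, expired or no-nextUpdate."""
    now = now or datetime.now(timezone.utc)
    _, next_update = crl_update_times(data)
    if next_update is None:
        return "no-nextUpdate"
    if now >= next_update:
        return "expired"
    if next_update - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"


def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def build_sample_crl(this_update, next_update):
    """Constructed v2 CRL with no revoked entries and a dummy signature."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010105")) + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Example Home CA"))
    issuer = _der(0x30, _der(0x31, cn))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer
               + _der(UTCTIME, this_update) + _der(UTCTIME, next_update))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 128))


def to_pem(der):
    return (b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(der)
            + b"-----END X509 CRL-----\n")


# Constructed sample: issued 2009-06-01 with a 365 day lifetime.
SAMPLE_CRL = build_sample_crl(b"090601000000Z", b"100601000000Z")

if __name__ == "__main__":
    print(crl_update_times(SAMPLE_CRL))
    print(crl_status(SAMPLE_CRL, datetime(2011, 6, 17, tzinfo=timezone.utc)))
```

Run against the real CRL file on a schedule, the "expiring-soon" result is the cue to regenerate and republish before clients start warning.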
Tags: ssl Posted by Oliver in Problem Solution | Comments Off
February 21st, 2011
Today I was wanting to set up an auto-reply for a group in Exchange. So, when someone sends a message to that group, all of the members of the group will receive the message, and the sender will receive an auto-response (so that they know I received the message).
Distribution groups aren’t actually email accounts, so rules and out of office messages can’t be configured for them. The best solution I found was to have a fake user account set up that receives the message, and then have that account forward the message to the appropriate distribution group.
Unfortunately, Exchange’s built-in “out of office” messages will only send an auto-reply once to each sender. In some scenarios (if it’s being used truly for someone being out of office), this behavior makes sense. In other situations though, it would be nice to send an auto-reply every time a message is received. So, instead, I had to create a rule that sends an automatic reply. This can’t be done with OWA. OWA doesn’t give you all of the rule options that the actual Outlook client does.
Still however, this wasn’t working for me. When I sent a message to the “fake” user account, I saw the mailtip in Outlook 2010 with the autoresponse message in it. However, I wasn’t actually receiving an auto-reply. I had forwarding turned on on the server. This was actually forwarding the message before the rules configured on the account saw the message. It worked as desired after changing the forwarding setting to deliver the message to the fake account’s mailbox as well as forward it on to the distribution group.
So, if you want to configure an auto-reply on a group (that always sends a reply for each message it receives):
- Create a fake user account with the email alias you want people to send the messages to
- Create a distribution group that contains the members who will receive messages sent to the fake user. If users from outside the Exchange organization will send messages to this group, make sure that non-authenticated users are allowed to send messages to this group.
- Under the recipient configuration in Exchange, set the fake user account to forward messages to the distribution group. This is configured under the “Delivery Option” properties on the “Mail Flow Settings” tab. Make sure to check the box that says “Deliver messages to both forwarding address and mailbox”.
- Log in to the fake user’s account with the full Outlook client. Create a rule that will apply to every message that is received. Choose “have server reply using a specific message” for the action.
One other thing to check if you’re having problems is to make sure that auto-replies are enabled for the Exchange organization. They may not be by default. In Exchange 2007 / 2010 this is configured under Organization Configuration -> Hub Transport -> Remote Domains. Right click on the * (default) remote domain and go to properties. The “Allow Automatic Replies” option is under the “Message Format” tab.
Oliver
Tags: exchange Posted by Oliver in Other Technology Projects | Comments Off
January 6th, 2011
One of the books I received as a gift this Christmas was Network Flow Analysis. It introduced me to a bundle of Netflow related tools I hadn’t worked with before, flow-tools. Previously, I have used nfdump. Perhaps it’s just because of how it was introduced to me, but nfdump seems to be better suited for ad-hoc monitoring, rather than continually running monitoring. Flow-tools on the other hand provides a handy script in /etc/init.d (at least on CentOS / Fedora). It’s easy to run it as a daemon. The only tricky part of the install process was finding the configuration file for the daemon. It is located at /etc/sysconfig/flow-capture in CentOS/Fedora, rather than in /etc/flow-tools/.
By simply running the daemon on a Linux server at a site, and pointing the Cisco router to export its Netflow data to the server, I can store a history of network connections. If we see an unusual period of heavy traffic, or a user complains about slow performance, we can go back and see what happened in each five minute increment. By allowing us to find what the culprit was after-the-fact, this makes it much easier to troubleshoot rare or transient network performance issues. Instead of guessing, or making excuses, this allows a network administrator to dig into the details and determine what was actually happening at a network level.
When combined with our Squid proxy server logs, we can determine what URL’s the user was visiting if it was web traffic causing the slow-down. Netflow will just show the destination IP and port the traffic was going to. In many cases, this isn’t enough to determine what actual website the user was visiting. If the user was downloading a large file, there’s a good chance it was hosted on a CDN (Content Delivery Network). In this case, the IP will belong to the CDN, its reverse DNS address will likely be related to the CDN, and browsing to that specific IP address in a web browser probably won’t give much in the way of clues. The proxy server log files can be searched for the specific IP, to determine what URL / website the user was actually accessing.
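An added example (not from the original post) of the lookup described above: given the destination IP and time window of a heavy flow, it pulls the matching requests out of a Squid access log and totals the bytes per client and URL. The log lines are constructed samples in Squid's native access.log format, and the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample lines, native format:
# time elapsed_ms client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1294300500.120    210 192.168.10.23 TCP_MISS/200 18344 GET http://www.example.org/index.html - DIRECT/198.51.100.7 text/html
1294300812.345 291500 192.168.10.23 TCP_MISS/200 48211734 GET http://cdn.example.net/music/album1.zip - DIRECT/203.0.113.50 application/zip
1294300830.001     95 192.168.10.40 TCP_HIT/200 5120 GET http://www.example.org/logo.png - NONE/- image/png
1294300990.800 150250 192.168.10.23 TCP_MISS/200 30111222 GET http://cdn.example.net/music/album2.zip - DIRECT/203.0.113.50 application/zip
1294302000.000   1200 192.168.10.51 TCP_MISS/200 90210 GET http://cdn.example.net/site.css - DIRECT/203.0.113.50 text/css
this line is truncated
"""


def parse_squid_line(line):
    """Parse one native-format line; return a dict, or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        end = float(fields[0])               # logged when the transfer finished
        elapsed = int(fields[1]) / 1000.0    # duration in milliseconds
        size = int(fields[4])
    except ValueError:
        return None
    # "DIRECT/203.0.113.50" -> "203.0.113.50"; cache hits log "NONE/-"
    peer = fields[8].partition("/")[2]
    return {"start": end - elapsed, "end": end, "client": fields[2],
            "bytes": size, "url": fields[6], "peer": peer}


def urls_for_flow(log_text, dst_ip, window_start, window_end):
    """Return [(client, url, bytes)] for requests that were fetched from
    dst_ip and overlap the window (epoch seconds), largest first."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None or rec["peer"] != dst_ip:
            continue
        # A long download overlaps the window even if it started before it,
        # so compare the whole transfer interval, not just the log timestamp.
        if rec["end"] < window_start or rec["start"] > window_end:
            continue
        totals[(rec["client"], rec["url"])] += rec["bytes"]
    rows = [(client, url, size) for (client, url), size in totals.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    # Five-minute flow interval 2011-01-06 08:00-08:05 UTC (constructed)
    for row in urls_for_flow(SAMPLE_LOG, "203.0.113.50", 1294300800, 1294301100):
        print(row)
```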
So far I’ve been pleased. From seeing a period of high bandwidth usage we were able to track down someone downloading a bunch of MP3’s (over the clinic’s slow and high latency satellite connection). A couple additions to the Squid configuration took care of that.
Tags: cisco, netflow Posted by Oliver in Other Technology Projects | Comments Off
November 14th, 2010
Recently, I noticed that the forwarding rule I set up on my Exchange 2010 account at an organization I help provide IT support wasn’t working. This was on a new Exchange install. I wasn’t that worried about it, nobody contacts me at that address anyway, but it annoyed me a little. Earlier this week I finally looked into it.
Apparently forwarding / redirects to external domain names is disabled by default in Exchange 2007 and 2010. I never really realized this before, I’ve used redirect rules before in Exchange, but not on a new install (that I manage) before. It seems like the Outlook client (or OWA) should be able to check for this, and give the user an error message when they try to create a forwarding rule that would be blocked by this setting.
To change this setting, open the Exchange Management Console, and drill down to the Organization Configuration -> Hub Transport. Under the Remote Domains tab, open the Default domain.
Then, on the format tab, check the “Allow automatic forward” box.
Alternatively, from the Exchange Management Shell (PowerShell rocks!), this will do the trick:
set-remotedomain -identity Default -AutoForwardEnabled $true
Tags: exchange, malawi Posted by Oliver in Problem Solution | Comments Off
November 2nd, 2010
I’ve recently started toying around with Amazon S3 for doing some remote backups. On Linux, I’ve been using S3 tools to access S3. I’ve been fairly impressed with S3 and S3 tools so far.
There are a few extra things beyond what the s3cmd program (included in S3 tools) does that would be useful for me. First, s3cmd will upload / download from S3 as fast as it can. If you are transferring a large file, this can be problematic as it will saturate your connection for some time. I was looking for an easy way to shape this traffic without doing traffic shaping at the network level (which could be tricky as S3 uses HTTP for transfers). I found trickle, a pretty neat little app that does traffic shaping in userland.
Second, the ability to resume a failed transfer would be nice. Last week I was in the middle of uploading a large file to S3 from the fairly limited speed connection I have here. With trickle, it was going to take about 24 hours to upload the whole file. Unfortunately, about 16 hours in to the transfer some bad storms here cut my connection off for a few minutes. It was rather frustrating to have to start that transfer back at the beginning again.
I researched it a little bit, and it looks like S3 doesn’t really provide a mechanism to resume interrupted transfers. The best way that I could think of to handle this and minimize the pain of a dropped connection is to split the larger archive into smaller pieces and upload them individually. By doing this, if you have to start the transfer over, you only have to re-transfer part of the file. I made my script split it into 20 MB pieces. At the 20 KB/s rate that trickle lets through, this would only take 17 minutes or so to re-upload. Splitting a file into smaller pieces reduces the amount of data that would have to be uploaded again if the connection is cut off.
I’ve put the scripts below. s3-up.sh will first create a tar.gz (compressed archive) of the files specified for upload, then split the tar.gz file into 20 MB chunks and upload it at 20 KB/s. s3-down.sh will download multiple files from S3, put them back together, and extract them. It will try to decrypt them using the currently configured password for s3cmd. You can specify a different decryption password (if you regularly change the encryption password you use for s3cmd for instance).
Feel free to tweak as needed. You’ll need to have s3cmd installed, along with trickle to use these scripts. If you are using CentOS, both of those are in the EPEL repository. I make absolutely no guarantees that these scripts will work for you. They have not been thoroughly tested. They are not intended to be relied upon in a production environment.
s3-up.sh:
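#!/bin/bash
# Usage: s3-up.sh "files to upload" base-name
DATE=$(date +%Y-%m-%d)
if [ -z "$1" ] || [ -z "$2" ]
then
    echo "Arguments: files to upload, base name of file"
else
    # mktemp -d creates a private, unpredictable directory instead of /tmp/$$
    TMP=$(mktemp -d) || exit 1
    # $1 is left unquoted on purpose so that it can list several paths
    tar -czf "$TMP/$2_$DATE.tar.gz" $1
    mkdir "$TMP/$2_$DATE"
    # 20 MB pieces with numeric suffixes (.00, .01, ...)
    split -d -b 20m "$TMP/$2_$DATE.tar.gz" "$TMP/$2_$DATE/$2_$DATE.tar.gz."
    # Upload encrypted (-e), limited to 20 KB/s by trickle
    trickle -s -u 20 s3cmd put -e --recursive "$TMP/$2_$DATE" s3://your-s3-bucket-name/backup/
fi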
s3-down.sh:
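#!/bin/bash
# Usage: s3-down.sh s3://bucket/path/* /absolute/extract/dir [password]
if [ -z "$1" ] || [ -z "$2" ]
then
    echo "Arguments: file to get, like s3://your-s3-bucket-name/backup/bak1/*, where to extract, optional password"
else
    # mktemp -d creates a private, unpredictable directory instead of /tmp/$$
    TMP=$(mktemp -d) || exit 1
    mkdir "$TMP/split"
    cd "$TMP/split" || exit 1
    s3cmd get "$1"
    if [ -n "$3" ]
    then
        # Decrypt each piece with the password given as the third argument
        for fn in "$TMP"/split/*
        do
            mv "$fn" "$fn-enc"
            # A passphrase on the command line is visible in the process list
            gpg -d --verbose --no-use-agent --batch --yes --passphrase "$3" -o "$fn" "$fn-enc"
            rm "$fn-enc"
        done
    fi
    # The numeric suffixes from split sort in upload order
    cat * > ../temp.tar.gz
    cd ..
    tar -xvzf temp.tar.gz -C "$2"
fi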
Tags: backup, linux, s3, script Posted by Oliver in Other Technology Projects | Comments Off
October 17th, 2010
We’ve recently started using Paymo to track our time and send invoices. So far I’ve been fairly impressed, it seems to do a good job.
We charge some of our customers a set amount per month that includes up to x hours of work during the month. It would be convenient for them to have a way to check to see how much time we’ve spent during the month (so they can keep track of how much time they have “left” for the month). Now that our time tracking is done in the cloud, I realized it would be possible to create a page that they could view this information on.
To keep things simple, I will just send our customers a link to view the monthly time for their project. I was a little worried about security though – the script receives the project ID number from the querystring. To keep someone from guessing the project ID for another customer’s project, I added a SHA1 hash onto the querystring. When I send a link out to a customer, I generate a SHA1 hash of the project ID concatenated with a secret key. The script then concatenates the project ID that it has received with the secret key, and checks that against the hash that is sent to it through the querystring. The actual link a customer would receive looks kind of like this: http://www.example.com/paymo-time.php?pid=12345&hashsig=aBigLongSHA1Hash
The trickiest part was probably getting the XPath parts right. The Paymo API sends XML data back after you make the request, so I use XPath (through PHP’s SimpleXML) to pull out the relevant parts. Basically, this script:
- Verifies that the hash is valid
- Authenticates to Paymo
- Pulls the list of billable tasks for the given project
- Pulls the amount of time spent on each of those tasks in the current calendar month
- Adds the time together and displays the total for the whole project
<?php
$project_id = $_GET['pid'];
$hashsig = $_GET['hashsig'];

$salt = "RandomStringOfCharacters";
// Strict comparison: a loose != compares numeric-looking strings as numbers
if (sha1($salt . $project_id) !== $hashsig) {
    die("Invalid Authentication Token");
}

$api_key = "–MyPaymoAPIKey–";
$api_username = "–MyPaymoUsername–";
$api_password = "–MyPaymoPassword–";

// First and last second of the current calendar month
$start = date("Y-m-d H:i:s", strtotime(date('m') . '/01/' . date('Y') . ' 00:00:00'));
$end = date("Y-m-d H:i:s", strtotime('-1 second', strtotime('+1 month', strtotime(date('m') . '/01/' . date('Y') . ' 00:00:00'))));

$auth_token = paymoAuth($api_key, $api_username, $api_password);

// All projects, including their task lists and tasks
$a1 = array(
    'api_key' => $api_key,
    'auth_token' => $auth_token,
    'include_task_lists' => 1,
    'include_tasks' => 1
);
$tasklist = paymoAPI("paymo.projects.getList", $a1);
// $project_id has passed the signature check above before it is used here
$project_name = $tasklist->xpath("/response/projects/project[@id=" . $project_id . "]/@name");
$project_name = $project_name[0];
$tasks = $tasklist->xpath("/response/projects/project[@id=" . $project_id . "]/task_lists/task_list/tasks/task[@billable=\"1\"]/@id");

// Add up the seconds tracked this month on each billable task
$time = 0;
foreach ($tasks as $task) {
    $a2 = array(
        'api_key' => $api_key,
        'auth_token' => $auth_token,
        'task_id' => (string) $task[0],
        'start' => $start,
        'end' => $end
    );
    $taskinfo = paymoAPI("paymo.entries.getTrackedTimeByTask", $a2);
    $tasktime = $taskinfo->xpath("/response/time/text()");
    $time += (int) $tasktime[0];
}

print "<h1>Monthly Time for " . htmlspecialchars((string) $project_name) . "</h1><br/>";
print "<b>" . date("F Y") . ": </b>";
// Format hours and minutes directly; date() would wrap totals of 24 hours or more
printf("%02d:%02d (HH:MM)", floor($time / 3600), floor(($time % 3600) / 60));

// Log in to Paymo and return the session token
function paymoAuth($api_key, $api_username, $api_password) {
    $args = array(
        'api_key' => $api_key,
        'username' => $api_username,
        'password' => $api_password
    );
    $auth_token = paymoAPI("paymo.auth.login", $args)->xpath('/response/token/text()');
    return $auth_token[0];
}

// Call one Paymo API method and return the parsed XML response
function paymoAPI($method, $args) {
    $base = "https://api.paymo.biz/service/" . $method . "?";
    $qs = "";
    foreach ($args as $key => $value) {
        $qs .= "$key=" . urlencode($value) . "&";
    }
    $url = $base . $qs;
    $result = file_get_contents($url);
    $xml_result = new SimpleXMLElement($result);
    return $xml_result;
}
?>
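An added example, not part of the original script and written in Python rather than PHP: the same signed-link scheme with the token computed as an HMAC (the standard construction for a keyed hash) and checked with a constant-time comparison. The key, the function names and the 12-digit limit on the project ID are assumptions of this example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for this example; a real key would be long and random.
SECRET_KEY = b"constructed-example-key-not-a-real-secret"
BASE_URL = "http://www.example.com/paymo-time.php"


def link_signature(project_id, key=SECRET_KEY):
    """Hex HMAC-SHA256 of the project ID under the secret key."""
    return hmac.new(key, project_id.encode("ascii"), hashlib.sha256).hexdigest()


def make_link(project_id, key=SECRET_KEY):
    """Build the link that is sent to the customer for one project."""
    pid = str(int(project_id))
    query = urlencode({"pid": pid, "hashsig": link_signature(pid, key)})
    return BASE_URL + "?" + query


def verify_link(url, key=SECRET_KEY):
    """Return the project ID as an int if the link is authentic, else None."""
    params = parse_qs(urlsplit(url).query)
    pids, sigs = params.get("pid", []), params.get("hashsig", [])
    # Exactly one value each: repeated parameters are rejected, not guessed at.
    if len(pids) != 1 or len(sigs) != 1:
        return None
    pid, sig = pids[0], sigs[0]
    # Digits only, so the value is safe to place in an XPath predicate later.
    if not re.fullmatch(r"[0-9]{1,12}", pid):
        return None
    expected = link_signature(pid, key)
    # compare_digest compares bytes in constant time, never as numbers.
    if not hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8")):
        return None
    return int(pid)


if __name__ == "__main__":
    link = make_link(12345)
    print(link)
    print(verify_link(link))                                     # 12345
    print(verify_link(link.replace("pid=12345", "pid=12346")))   # None
```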
Tags: paymo, php Posted by Oliver in Other Technology Projects | 2 Comments »
September 29th, 2010
Cloud computing has quickly taken off in the US, and is in large part changing the way organizations here use technology. What issues come up when the cloud computing model is used in less developed parts of the world?
Services such as Amazon AWS and Rackspace Cloud offer great computing and storage services at flexible prices. In addition, they allow users to take advantage of first class datacenters and connectivity. The reliability and ease of use that these services offer make them attractive to many organizations, including non-profits and university sponsored partnerships with locations spread across the world.
However, the limited connectivity options available in many parts of Africa (particularly where I visited in Malawi and Moshi, Tanzania) make utilizing cloud computing services difficult. Satellite based connections are typically quite reliable (as long as you have power). Their high latency and somewhat limited speeds however, effectively make them a long narrow road between you and your resources in the cloud. Local Internet service providers may provide faster speeds and slightly lower latency, but in my experience aren’t yet as reliable as they need to be. This will change in the future. More upstream providers will be available soon (see EASSy) and existing providers like SEACOM are becoming more reliable as the kinks are worked out.
For organizations in regions with limited connectivity, cloud computing is best used in situations where:
- The service is used mostly by people offsite, in the US, EU, etc, or
- The service uses little bandwidth, and will work with high-latency or unreliable connectivity
In the first situation, these services might include websites targeted at people in the US / EU (such as websites to encourage donations, raise awareness, or provide information to volunteers who will be traveling onsite). If data collected on the ground will need to be analyzed, or accessed by staff here in the US, cloud storage might be a viable option as well. Cloud computing systems like EC2 make it easy and inexpensive to temporarily use large amounts of computing resources to analyze data.
Everyday examples for the second situation are a little harder to come by. Cloud storage services can be effective for offsite backups, if the amount of data can be easily copied in bulk overnight. On a satellite connection with 512 kbps of upstream bandwidth, around 2.5 GB of data could be uploaded in a 12 hour period. That is likely large enough to back up a single day’s worth of data. It’s the initial full backup of everything, and a full restore from scratch that would pose the biggest issues.
If you’re in a situation like this and need help deciding what options are best for your site with limited connectivity, I’d love to help. We can also help tweak your network to make sure it allows your cloud computing service to perform optimally. Comment, give me a call, email me, or message me on Twitter if I can help in any way.
Tags: africa, cloud Posted by Oliver in Technology Examination | Comments Off