aws cp not working in cron

I just had a problem downloading some files from Amazon Web Services using the aws cp command. The script ran fine as the root user but did not when run in root's crontab. A normal copy command that took just seconds timed out with the error:

HTTPSConnectionPool(host='', port=443): Max retries exceeded with url: /bla.txt (Caused by ConnectTimeoutError(, 'Connection to timed out. (connect timeout=60)'))
Completed 1 part(s) with ... file(s) remaining

I came across Kris Jordan’s excellent tips and finally got the idea that it may be my proxy environment variables that were not getting accessed.

I fixed the issue by adding the environment variable directly in the script I was running.

export https_proxy=""
export http_proxy=""

Note: that is case sensitive, so use https_proxy/http_proxy and not HTTPS_PROXY/HTTP_PROXY.
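
One way to reproduce the failure without waiting for cron, as an added example that is not part of the original post: `run_like_cron` is a hypothetical helper that starts a command with only the variables crontab(5) documents, and `http://proxy.example:3128` is a constructed proxy URL.

```shell
#!/bin/sh
# Added example; helper name, job strings and proxy URL are constructed.

# run_like_cron CMD...: run CMD with only the variables cron provides
# (crontab(5): SHELL, HOME, LOGNAME and a short default PATH).
run_like_cron() {
    env -i SHELL=/bin/sh HOME="$HOME" LOGNAME="${LOGNAME:-$(id -un)}" \
        PATH=/usr/bin:/bin "$@"
}

# Stand-ins for the cron script: each reports the proxy it would use.
job_without_export='echo "proxy=${https_proxy:-none}"'
job_with_export='export https_proxy="http://proxy.example:3128"; echo "proxy=${https_proxy:-none}"'

# The interactive shell has the proxy set, for example from a login profile.
https_proxy="http://proxy.example:3128"; export https_proxy

show() {
    echo "interactive:      $(sh -c "$job_without_export")"
    echo "cron, no export:  $(run_like_cron sh -c "$job_without_export")"
    echo "cron, own export: $(run_like_cron sh -c "$job_with_export")"
}
show
```

Running the real script through `run_like_cron` shows the same timeout immediately, which confirms that the environment is the difference rather than the network.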

Posted in General | Leave a comment

Escaping XML with Sed

There are five XML characters that need to be escaped:

"   &quot;
'   &#39;
<   &lt;
>   &gt;
&   &amp;

And here is the solution ruakh provided over on Stack Overflow:

sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g; s/'"'"'/\&#39;/g'
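
An added example, not from the original post or the Stack Overflow answer, that wraps the command in a function and shows why the `&` substitution has to come first; it also removes the control characters that XML 1.0 cannot represent even when escaped. The function names and sample strings are constructed.

```shell
#!/bin/sh
# Added example; function names and sample strings are constructed.

# XML 1.0 has no representation for C0 control characters other than
# tab, LF and CR, so they are removed rather than escaped.
xml_strip_invalid() {
    tr -d '\000-\010\013\014\016-\037'
}

# '&' is replaced first: every later substitution introduces new
# ampersands, which must not be escaped a second time.
xml_escape() {
    xml_strip_invalid |
        sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g; s/'"'"'/\&#39;/g'
}

# Wrong order, for comparison only: '<' becomes '&lt;', then its '&' is
# escaped again and the reader sees the literal text "&lt;".
xml_escape_wrong_order() {
    sed 's/</\&lt;/g; s/&/\&amp;/g'
}

# Put untrusted text into an attribute value.
make_note() {
    printf '<note text="%s"/>\n' "$(printf '%s' "$1" | xml_escape)"
}

make_note 'AT&T <b>"5 > 3"</b> it'"'"'s'
printf '%s' 'a<b' | xml_escape_wrong_order; echo
```

The function is not idempotent: text that has already been escaped must not be passed through it again, or `&amp;` becomes `&amp;amp;`.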
Posted in General | Leave a comment


All the information is included

This is also released as a podcast on Hacker Public Radio and on the Internet Archive.

Over the years the image of the clock has been abstracted and stylized to a point where a long and a short line inside a circle, or even inside four dots on the ordinals, can be instantaneously recognized as a clock. This is perfectly fine if you already know how to read the analog clock but it makes no sense to use such a design as a teaching aid.


Stylized version of a clock


All the information is restored

As a teaching device, you need to make sure all the information that has been abstracted away has been put back.




The basic principle of the ccClock

  • The minute hand points at the minute dial
  • All the minutes are listed removing the need to know the 5 or 15 math table
  • The Clockwise direction is emphasized with arrows and text orientation.
  • The two per day rotation of the hour hand is described using a concentric spiral
  • The progression of day into night is indicated by recognizable icons of the rising and setting sun and moon
  • The written format is described in the traditional dial digits
  • The spoken form is described in speech balloons

The most important aspect of the clock face is that it is provided free of charge and released in such a way as to allow anyone to make improvements. Companies are free to use the design royalty free under the terms of the cc-by-sa license so long as their changes are also given back for the public good.

With this high quality pdf file, any parent or teacher can turn a cheap wall clock into a practical and useful teaching aid. Try and get a clock that has the three hands, preferably in a format that you can color the minute hand green. That will assist in relating the big hand to the minute dial and the small hand to the inner hour dial.


By using a second hand that has visible motion you can explain that:

Teaching Instructions

  1. Each time the second hand goes around the minute hand takes one step
  2. Each time the minute hand goes around the hour hand moves one piece of the pie
  3. The hour hand winds around the clock twice. From the night into the day and then into the night again
  4. There is a difference between what people write down and what they say.

All the other information they need is given in the clock itself.

Make a clock

  1. Acquire a cheap clock
  2. Print out the ccClock, or ccKlok
  3. Remove the clock face and hands
  4. Paste the ccClock face to the back
  5. Put back the hands and face
  6. Give to child

Alternatively you can print it out landscape and laminate. Cut out two cardboard or plastic hands and use a split pin to fix to the clock.

The original file (English, Dutch) can be opened in inkscape
Please contribute back to this project by commenting below.
Images used are Heraldic crescent by liftarn and Weather Symbols: Sun by nicubunu

Posted in General | Leave a comment

Citrix SSL Error 61 – “GlobalSign Root CA”

After a long period of not having issues with Citrix, this old chestnut popped up again.

You have not chosen to trust “GlobalSign Root CA”, the issuer of the server’s security certificate (SSL error 61)


I checked back and we had this one before way back in 2012. The problem is that the cert is not in the plugin directory that wfica uses. So the solution is to get it and put it in the correct place.

At the time Firefox had removed the option to export certificates but fortunately it has been restored.

Firefox F10 > Edit > Preferences > Advanced > Certificates > View Certificates

Scroll down and click on “GlobalSign Root CA” (under GlobalSign nv-sa), and then press Export.


Save it somewhere.


Then copy it into the correct directory.

sudo cp ~/tmp/cert/GlobalSignRootCA.crt /opt/Citrix/ICAClient/keystore/cacerts/

Posted in citrix | Leave a comment

I am trying to mount a cifs share, aka samba/smb/windows share, from a Debian server so I can access log files when needed. To do this automatically I create two mounts, one which is read only and is automatically mounted and another that is read/write which is not mounted. The /etc/fstab file looks a bit like this:

// /mnt/server-d cifs auto,ro,credentials=/root/.ssh/server.credentials,domain= 0 0
// /mnt/server-d-rw cifs noauto,rw,credentials=/root/.ssh/server.credentials,domain= 0 0

To mount all the drives with “auto” in the /etc/fstab file you can use the “-a, --all” option. From the man page: “Mount all filesystems (of the given types) mentioned in fstab (except for those whose line contains the noauto keyword). The filesystems are mounted following their order in fstab.”

However when I ran the command I get:

root@server:~# mount -a
mount: wrong fs type, bad option, bad superblock on //,
missing codepage or helper program, or other error
(for several filesystems (e.g. nfs, cifs) you might
need a /sbin/mount. helper program)

In some cases useful info is found in syslog - try
dmesg | tail or so.

Well it turns out that Debian is no longer shipping cifs as a default option. It can be added easily enough using the command:

root@server:~# aptitude install cifs-utils

Now mount -a works fine

root@server:~# mount -a
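
A check worth running on entries like these, as an added example that is not part of the original post: the credentials file holds the share password in clear text, so it must not be readable by group or others, and a `password=` option written into /etc/fstab is readable by every local user. `audit_cifs_fstab`, the share name and the sample files are constructed, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (Debian).

# audit_cifs_fstab FILE: report cifs entries that expose the share password.
# Prints one finding per line and returns 1 if there was any.
audit_cifs_fstab() {
    fstab=$1 found=0
    while read -r dev mnt type opts rest; do
        case $dev in ''|'#'*) continue ;; esac
        [ "$type" = cifs ] || continue
        cred=
        # Walk the comma-separated option list with globbing switched off.
        set -f; old_ifs=$IFS; IFS=,
        for o in $opts; do
            case $o in
                password=*|pass=*)
                    echo "$mnt: password is inline in fstab"; found=1 ;;
                credentials=*|cred=*) cred=${o#*=} ;;
            esac
        done
        IFS=$old_ifs; set +f
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "$mnt: credentials file missing"; found=1; continue
        fi
        # Any group or other permission bit exposes the stored password.
        mode=$(stat -c %a "$cred")
        case $mode in
            [0-7]00) ;;
            *) echo "$mnt: credentials file mode $mode, want 600"; found=1 ;;
        esac
    done < "$fstab"
    return "$found"
}

# Constructed sample: share name, paths and credentials are made up.
demo() {
    d=$(mktemp -d) || return 2
    printf 'username=loguser\npassword=constructed\n' > "$d/server.credentials"
    chmod 644 "$d/server.credentials"
    cat > "$d/fstab" <<EOF
//files.example/logs /mnt/server-d cifs auto,ro,credentials=$d/server.credentials 0 0
//files.example/logs /mnt/server-d-rw cifs noauto,rw,password=constructed 0 0
EOF
    audit_cifs_fstab "$d/fstab"
    status=$?
    rm -rf "$d"
    return "$status"
}

demo || true
```

On a real host the call is `audit_cifs_fstab /etc/fstab`, and the fix for a mode finding is `chmod 600` on the credentials file.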
Posted in General | Leave a comment

Adding SQLite as a datasource to SQLeo

An audio version of this post is available on Hacker Public Radio.

I have been looking for a tool that will graphically and programmatically track identifiers as they pass through systems. I could have done this in Inkscape after following the excellent tutorials on, however I also wanted to be able to describe the relationships programmatically.

This got me to thinking about graphical query builders for databases. The idea is to show each system as a table block and then draw lines between them to show how “Field_X” in “System_A” will map to “Field_Y” in “System_B”. Many of the proprietary and some free database solutions allow this type of view. However I also want to easily package the entire thing up, so that someone else could access it without needing to pay for or install any specialized software. That limited the choice of database to SQLite, which is small, supported on many platforms and is released into the Public Domain.

SQLite is an in-process library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine. The code for SQLite is in the public domain and is thus free for use for any purpose, commercial or private. SQLite is the most widely deployed database in the world with more applications than we can count, including several high-profile projects.

Please follow the instructions on the SQLite site for information on how you can install it on your system. For me on Fedora it’s simple to install via dnf/yum. You might also want to install some GUI managers if that’s your thing.

dnf install sqlite sqlitebrowser sqliteman

I created a small database for demonstration purposes, consisting of two tables and one field in each.

Next step is to download SQLeo Visual Query Builder which has support for a graphical query builder.

A powerful SQL tool to transform or reverse complex queries (generated by OBIEE, Microstrategy, Cognos, Hyperion, Pentaho …) into diagrams to ease visualization and analysis. A graphical query builder that permits to create complex SQL queries easily. The GUI with multi-connections supports virtually all JDBC drivers, including ODBC bridge, Oracle, MySQL, PostgreSQL, Firebird, HSQLDB, H2, CsvJdbc, SQLite. And top of that, everything is open-source!

SQLeo is a Java Tool and there is a limited version available on the web site which is limited to 3 tables per graph and 100 rows. Now as the program is released under the GPLv2.0, you could download the code and remove the restrictions. You can also support the project to the tune of €10 and you will get the full version ready to rock.

Unzip the file and enter the newly created directory, and run the program as follows:

java -Dfile.encoding=UTF-8 -jar SQLeoVQB.jar

One slightly confusing thing, and the reason for this post, is that I could not find support for SQLite listed in the list of databases to connect to. A quick search on the support forum and I found the question “Connection to SQLite DB”. I found the answer a bit cryptic until I read the manual related to JDBC Drivers, which told me how to add the sqlite library.

SQLeo uses a standard Java sqlite library that is released under the Apache Software License, Version 2.0. You can download it from the SQLite JDBC MVNRepository and save it into the same directory as SQLeo.

Right Click in the Metadata explorer window and select new driver.


Click “add library”

Enter the following information:
Name: SQLite JDBC
Driver: org.sqlite.JDBC
Example: jdbc:sqlite:~/yourdb.db


Next right click on the newly created driver and select “new datasource”


The name can be anything you like, but the url needs to start with jdbc:sqlite: and then the path to the sqlite database you created earlier. I selected auto-connect and pressed connect as well.


Now you can press the Query Designer button and drag the tables into the view. Once there you can then join up the fields.


That covers the graphical representation, and we can tackle the programmatic implementation by pressing the save button, which gives the structure as defined by SQL.

ON System_B.Field_Y = System_A.Field_X


So now I can check the SQL into git and have a nice image for adding to documentation any time I like.

Posted in General, Podcasts | Leave a comment

not a dynamic executable

I sometimes have issues running a 32bit program under Linux X64.

When you run ldd it reports that it’s not a dynamic executable

# ldd /usr/bin/snx
not a dynamic executable

However if you run file, you do see that it is.

# file /usr/bin/snx
/usr/bin/snx: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, stripped

You can confirm that you are running 64 bit Linux

# uname -i

To fix this you need to install 32 bit libraries. On Fedora you can install them using

dnf install /lib/

And on Debian

apt-get update
apt-get install lib32z1 lib32ncurses5 libstdc++5:i386

Worked for me.

Posted in General | Leave a comment

I was installing Oracle VirtualBox 5.0 as per

I ran into the following issue.

Stopping VirtualBox kernel modules [ OK ]
Uninstalling old VirtualBox DKMS kernel modulesError! There are no instances of module: vboxhost
5.0.4 located in the DKMS tree. [ OK ]
Trying to register the VirtualBox kernel modules using DKMS[ OK ]
Starting VirtualBox kernel modules [FAILED]
(modprobe vboxdrv failed. Please use ‘dmesg’ to find out why)

It took me ages to find the solution but it turned out to be that changing the kernel is not allowed by secure boot. Stands to reason I guess but it would have been nice if there was more information about that. I disabled secure boot and it works. Not ideal.

Posted in General | Leave a comment

CheckPoint SNX install instructions for major Linux distributions

I decided to do a round up of how to install the software needed on GNU/Linux to enable access through a CheckPoint firewall. My focus was on distributions whose ISO downloads supported UEFI boot, and hard disk encryption out of the box. This explains why Debian is not in this list. These requirements may not apply to you so feel free to add the instructions for your distro of choice to the comments below.

As of build 800007075 Checkpoint no longer supports using the Native Client on the command line. This prevents scripting logins, and also requires a heavy desktop when we were able to survive with a headless server. Access is still possible, but only via the “SSL Network Extender”. This is a major pain as it requires (from my experience) X server, Oracle Java, and the Firefox browser to run. Chrome gives this helpful message on the Java website:

The Chrome browser does not support NPAPI plug-ins and therefore will not run all Java content. Switch to a different browser (Firefox, Internet Explorer or Safari on Mac) to run the Java plug-in.

Despite all this, it still uses the native client but with the “unsupported” -Z option. Ah well.

With all the distributions I did the following:

  • downloaded the most prominent ISO on offer at the project's main page
  • used dd to transfer the image to usb stick
  • installed using full disk encryption
  • applied all the patch fixes
  • installed openssh-server.

Let me tell you now that your future is full of warnings like, This Connection is Untrusted, I understand the Risks, Add Exception, Confirm Security Exception, allow, allow remember, continue, run, allow, trust server, etc etc. I found it useful to browse to the Verify Java Version site in Firefox to verify that java is working.

You will also need to know the url, username and password for your own checkpoint login site. It should be something like.:

These instructions are going to be terse but the links provided should give you more information if needed.

Ubuntu 15.04 Vivid Vervet

We’re going to install a ppa to get java, change the root password and install some additional libraries that are needed to run checkpoint.

sudo su -
add-apt-repository -y ppa:webupd8team/java
apt-get update
apt-get install oracle-java9-installer libstdc++5:i386 libpam0g:i386 libx11-6:i386
java -version

Pressing connect will open an xterm window that downloads and runs the native client script. You will need to enter the root password you set earlier, sudo will not work.

Now finally try the Connect > Continue > Accept Key and you should get connected.

Linux Mint 17.2 “Rafaela”

Very similar to Ubuntu, we’re going to install a ppa to get java, change the root password and install some additional libraries that are needed to run checkpoint.

sudo su -
add-apt-repository -y ppa:webupd8team/java
apt-get update
apt-get install oracle-java9-installer libstdc++5:i386 libpam0g:i386 libx11-6:i386
java -version

Unlike Ubuntu however the install via the browser did not work for me. You will need to go to your own login site:

Then select Settings > Edit Native Applications Settings > Download installation for Linux

Open a terminal and then run the command from wherever you downloaded it.

# sh +x ~/Downloads/
Installation successfull

Now when you go back to the web site, your Connect button should work.

openSUSE 13.2

This is a distribution I haven’t used too much before but decided to give it a try. Again additional libraries were necessary to get snx to run. I also followed these instructions to install java.

zypper install  libX11-6-32bit libXau6-32bit libxcb1-32bit glibc-devel libstdc++-devel libstdc++48-devel linux-glibc-devel
rpm -ivh ./libstdc++33-3.3.3-29.2.i586.rpm

Then it was just a case of connecting to the website and pressing Connect

Fedora 22

We have covered installing under Fedora 21 before and the biggest problem was installing Oracle Java. Get the latest from and I copied it to /usr/local/src. You’ll need to adjust accordingly.

dnf update
dnf install libcanberra-gtk2.i686 pkgconfig.i686 /usr/local/src/jre-8u60-linux-x64.rpm
alternatives --install /usr/bin/java java /usr/java/latest/bin/java 200000
alternatives --install /usr/lib64/mozilla/plugins/ /usr/java/latest/lib/amd64/ 200000
alternatives --config java


I’m sorry if I haven’t covered your distribution in this round up. As I said at the beginning my requirements were pretty specific, but my time was limited. If you browse through the snx series here, you should be able to find out how you can get it running on your own distribution easily enough. This is what I had to do with openSUSE, for which I was a novice user. If not you can always drop me a line.

Having to run such a bloated and convoluted tool chain just to end up running the same application is very disappointing. I am also concerned that such an essential piece of business software is built using such old libraries, and that there is no 64 bit version.

I would like to hear if there is a way to get this plugin to run from the command line, or at least run without having a browser window open. If you have suggestions please comment below.

Posted in General, snx | 23 Comments

Stopping mplayer from displaying Album Art on Music or Podcasts

I use mplayer as my media player of choice. If it discovers embedded album art in the media files, it will display them as a popup window. To prevent this from happening you can use the switch -vo null which will tell it to ignore video output. For example:

mplayer -vo null /mnt/SANZA_KEN/PODCASTS/TuxJam_44.ogg

Posted in General | Leave a comment