Removing Rakuten TV/ SyncPlus Channels from 2017/ 2018 Samsung Smart TVs

I recently purchased a Samsung Smart TV and every time, every time my kids watched anything on it via Plex they would hit the “Exit” button on the remote and end-up with Rakuten TV / SyncPlus channels blaring out occasionally inappropriate content.

Thanks to this post I was able to remove these annoying channels/ adverts by performing the following steps:

  1. Press CH-LIST on the remote
  2. Press up on the remote and select “Edit Channels” then press OK on the remote
  3. Select “4001” and “4002”
  4. Press right on the remote and select “Delete” then press OK on the remote

Browse to an alternative source, that’s Rakuten TV gone, for good.

Why Samsung are including this annoying service with their new TVs is beyond me. As consumers we are already paying a premium for the brand, it would appear the cash extraction opportunities now just begin at time of purchase.

Content Filtering for Kid-safe Internet at Home via Pi-Hole and OpenDNS

Its worth noting that Pi-Hole can be deployed on an x86 or ARMHF (Raspberry Pi) Linux platform (i.e. no Windows deployments). That said, any device/ client type can *use* the service once deployed/ configured as outlined below.

If like me, you have young kids you’ll want to try and protect them from inappropriate content online. This is no easy feat, and there is no ‘silver bullet.’

I was already using OpenDNS Family Shield to provide DNS-based filtering via my Internet router (functionality integrated into modern ASUS routers, but you can manually set your DNS servers as outlined here) but this wasn’t sufficient when reviewing search engine results, especially image search results.

I started looking at web content filters such as Privoxy, SquidGaurd, E2Guardian etc. but when it came to HTTPS/ SSL filtering these all suffer from very limited capabilities or were complex to setup/ configure (requirement for custom CA certificates on devices for starters). As more and more of the Internet goes SSL-only this meant that using one of these options was, potentially, a “depreciating” solution.

I needed to find an effective way to filter content presented by search engines whilst maintaining the excellent block-list functionality that OpenDNS Family Shield provides.  Further reading led me to discover that popular search engines/ YouTub provide Safe Search/ Restricted Search-only URLs that have to be set/ configured using DNS CNAMEs – some links that will explain this in more detail (you can skip these if you are looking to configure this capability within PiHole):

Sadly, despite being requested multiple times, OpenDNS Family shield does not provide this functionality – interestingly this seems like a fairly simple capability to offer considering that DNS itself is the mechanism to force Safe Search. Enter Pi-Hole and dnsmasq.

PiHole is not a web content filter, it is an Ad blocker.

However, you can use the built-in dnsmasq service to force Safe Search URLs against popular search engines/ YouTube and continue to leverage DNS-based filtering such as OpenDNS Family shield. The two combined seem to provide a comfortable level of protection for my home network.

This guide assumes you have Docker installed/ running on Linux, this guide was tested on Ubuntu 17.10.

Docker Containers are immutable – i.e. if you delete the container its contents (including your configuration/ customisation) will be lost. We can use Docker volumes/ mount functionality to persist some data.

sudo mkdir /var/kvm/images/docker/pihole
sudo mkdir /var/kvm/images/docker/pihole/dnsmasq.d

Now create required dnsmasq configuration to force Safe Search (note most guides I found on this neglect to mention requirement to add regional Google URL, in the UK when browsing to www.google.com you redirect to www.google.co.uk):

sudo vi /var/kvm/images/docker/pihole/dnsmasq.d/05-restrict.conf

# YouTube Restricted
cname=www.youtube.com,restrict.youtube.com
cname=m.youtube.com,restrict.youtube.com
cname=youtubei.googleapis.com,restrict.youtube.com
cname=youtube.googleapis.com,restrict.youtube.com
cname=www.youtube-nocookie.com,restrict.youtube.com

# Google SafeSearch
cname=www.google.com,forcesafesearch.google.com
cname=www.google.co.uk,forcesafesearch.google.com

# Bing Family Filter
cname=www.bing.com,strict.bing.com

# DuckDuckGo
cname=www.duckduckgo.com,safe.duckduckgo.com
cname=duckduckgo.com,safe.duckduckgo.com

Now create the Docker Container, be sure to change your upstream DNS servers set using the DNS1/ DNS2 arguments and change WEBPASSWORD value. Also, note the host-file entries that are passed through to the Docker Container using the “–add-host” Docker run argument.

You can also set DNS1/ DNS2 to be the OpenDNS servers, as outlined here.

Finally, on Ubuntu I had to specify the LAN IP address of the Docker host for tcp/ udp port 53 port exposure. This is because Docker has a built-in DNS resolver. Be sure to change the script/ replace 192.168.0.7 with your Docker host IP address.

IP_LOOKUP="$(ip route get 8.8.8.8 | awk '{ print $NF; exit }')" # May not work for VPN / tun0
IPv6_LOOKUP="$(ip -6 route get 2001:4860:4860::8888 | awk '{ print $10; exit }')" # May not work for VPN / tun0
IP="${IP:-$IP_LOOKUP}" # use $IP, if set, otherwise IP_LOOKUP
IPv6="${IPv6:-$IPv6_LOOKUP}" # use $IPv6, if set, otherwise IP_LOOKUP

sudo docker run -d \
--name pihole \
-p 192.168.0.7:53:53/tcp -p 192.168.0.7:53:53/udp -p 8081:80 \
-v /var/kvm/images/docker/pihole/:/etc/pihole/ \
-v /var/kvm/images/docker/pihole/dnsmasq.d/:/etc/dnsmasq.d/ \
-e ServerIP="${IP}" \
-e ServerIPv6="${IPv6}" \
-e WEBPASSWORD={your password} \
-e DNS1=192.168.0.254 \
-e DNS2=192.168.0.254 \
--add-host=restrict.youtube.com:216.239.38.120 \
--add-host=restrictmoderate.youtube.com:216.239.38.119 \
--add-host=forcesafesearch.google.com:216.239.38.120 \
--add-host=strict.bing.com:204.79.197.220 \
--add-host=safe.duckduckgo.com:34.243.144.154 \
--restart=unless-stopped \
diginc/pi-hole:latest

You can now browse to http://<Docker Host IP>:8081, this should bring up the Pi-Hole Web Interface.

Finally, you’ll need to modify the DHCP configuration for your network to ensure that clients are provided with the IP address of the Docker host running Pi-Hole as their DNS server. I’ll state that you don’t *need* to use Pi-Hole to force Safe Search, any local DNS service that you can configure CNAME/ A-Records to override default IPs returned for Search Engines outlined in this post will do. You can then set the upstream DNS server(s) to be Open DNS Family Shield, or anything else. Pi-Hole provides the added benefit of Ad blocking, and my kids love clicking on Ads…

Getting Analogue Sound Working on Raspberry Pi 3B+ / Raspbian Stretch

I’ve been testing the Raspberry Pi 3B+ with Raspbian Stretch recently. I have a few older Raspberry Pi 3 devices around the house, but these are all running RasPlex and connected via HDMI to a TV – these devices have always worked perfectly (and impressively  well considering their cost) when playing high bit-rate 1080p video with lossless HD surround sound.

The same cannot be said for getting analogue audio working in Raspbian O/S- to say this has been a “journey of discovery” for something so simple would be an understatement. Out of the box I could not get Chromium, omxplayer or any applications to play sound via the Analogue audio jack.

Nevertheless, with some “tweaking” I now have analogue audio working across  Chromium, omxplayer and other applications. Instructions follow…

First we will set configuration in /boot/config.txt

# Force HDMI to operate in DVI mode
hdmi_drive=1
# Pretends all audio formats are *unsupported* by HDMI display, i.e. use analogue jack
hdmi_ignore_edid_audio=1
hdmi_force_edid_audio=0
# Force use of newer audio driver for RPi, not sure actually needed on stretch/ 3B+
audio_pwm_mode=2

With the above in-place, following a reboot, I had sound in omxplayer, but Chromium and other applications continued to be silent.

The final piece of the puzzle was to use the command below to set output to the Analogue jack:

# Force audio through analogue jack, needed for audio_pwm_mode=2 driver
amixer -c 0 cset numid=3 1

Next challenge, hardware acceleration for video in Chromium itself… this looks like a mess on Linux at the moment, so I am unlikely to sort this with a few config file changes!

Improving Raspberry Pi 3B+ Chromium Performance

I recently added a Raspberry Pi3B+ to my ever-increasing Raspberry Pi devices . I have a few of the Model 3’s running as RasPlex clients throughout the house. This new Pi was destined for a different purpose – trying to get the kids into coding!

I downloaded and deployed the March 2018 Raspbian OS, deployed it to an 8GB micro-SD card and fired the device up. I very, very quickly ran into performance issues when using Chromium, to the point of it crashing the Pi, and needing to pull the power to hard reset.

I’ve since dramatically improved this situation by extending the swap size, as below. Note that this solution will likely cause increased wear/ performance degradation over time on the SD card – at £6.00 for a 16GB card I am not too concerned.

# Modify the swap config
sudo vi /etc/dphys-swapfile

# Change the CONF_SWAPSIZE value to 1024, or greater if you have a larger SD card/ sufficnet space.
CONF_SWAPSIZE=1024

# Now save your changes and reboot the Pi
sudo reboot

Whilst not perfect, this has made the Pi 3B+ acceptable when using Chromium and multiple tabs.

Deploying Guacamole (and Duo MFA) via Docker Containers on Ubuntu

This guide replaces any previous guacamole docker deployment guides on cb-net and will be kept up-to-date as new releases emerge.

Updated: 22/01/18 : New Guacamole release 0.9.14

Use this guide to deploy a fresh/ new install of guacamole on Ubuntu using Docker containers, instructions include Docker CE installation, Duo MFA configuration (if wanted, can be skipped) and Guacamole/ pre-requisite container deployment to get you up and running. Scenarios:

  • No Docker, and want to use Duo MFA: follows sections one, two and three
  • No Docker, but don’t want to use Duo MFA: follow section one and three only
  • Already have Docker and want to use MFA: follow sections two and three only
  • Already have Docker and don’t want to use MFA: follow section three only

Continue reading “Deploying Guacamole (and Duo MFA) via Docker Containers on Ubuntu”

Increasing page width in the WordPress Theme Twenty Seventeen

As-per : https://www.vanilla-wp.org/twenty-seventeen-theme-full-width-wordpress/

You can increase the displayed page width in the Twenty Seventeen theme using the following “Additional CSS” (can be found under Customise > Additional CSS).

To modify the percentage of the screen that can be used change this percentage **only** – the other percentages affect padding/ borders etc and will affect how appears on smaller displays.

@media screen and (min-width: 48em) {
 .wrap {
 max-width: 70%;
 /* padding-left: 3em; */
 /* padding-right: 3em; */
 }
}

Full Additional  CSS to add to your site set to 70% width:

.wrap {
 /* margin-left: auto; */
 /* margin-right: auto; */
 max-width: 100%;
 /* padding-left: 2em; */
 /* padding-right: 2em; */
}
 
@media screen and (min-width: 48em) {
 .wrap {
 max-width: 70%;
 /* padding-left: 3em; */
 /* padding-right: 3em; */
 }
}
 
.page.page-one-column:not(.twentyseventeen-front-page) #primary {
 /*margin-left: auto;*/
 /*margin-right: auto;*/
 max-width: 100%;
}

@media screen and (min-width: 30em) {
 .page-one-column .panel-content .wrap
 {
 max-width: 100%;
 }
}

Using Docker Compose with MySQL/ WordPress

The following Docker Compose can be used to create persistent MySQL and WordPress instances, save the compose within its own directory on your Docker host and execute the project using the command:

docker-compose up -d

The WordPress environment will be available on http://<IP address of Docker Host>:8082 – published port can be changed by modification of the compose file.

Compose file – note you will need to provide secure MySQL and WordPress DB passwords:

version: '2'

services:
 wp-mysql:
 image: mysql:latest
 volumes:
 - wp_mysql:/var/lib/mysql
 ports:
 - "3306:3306"
 restart: always
 environment:
 MYSQL_ROOT_PASSWORD: "<mysql_root_password>"
 MYSQL_DATABASE: wordpress
 MYSQL_USER: wordpress
 MYSQL_PASSWORD: "<wordpressdb_password>"

wp-wordpress:
 depends_on:
 - wp-mysql
 image: wordpress:latest
 volumes:
 - wp_data:/var/www/html/wp-content
 ports:
 - "8082:80"
 restart: always
 environment:
 WORDPRESS_DB_HOST: wp-mysql:3306
 WORDPRESS_DB_USER: wordpress
 WORDPRESS_DB_PASSWORD: "<wordpressdb_password_as_above>"

volumes:
 wp_mysql:
 wp_data:

To stop the containers brought up by compose relating to this project:

docker-compose down

To stop the containers and cleanup volumes (thus losing data contained within them):

docker-compose down --volumes

Installing Docker CE on Ubuntu 16.04.3 LTS / 17.10

Use the commands below to install Docker CE and enable “br_netfilter” (bridge netfilter module) to ensure that ICC functions as expected on Ubuntu 16.04.3 LTS and 17.10:

# Install and configure Docker CE
sudo apt-get update
sudo apt-get install \
 linux-image-extra-$(uname -r) \
 linux-image-extra-virtual

sudo apt-get install \
 apt-transport-https \
 ca-certificates \
 curl \
 software-properties-common

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

sudo add-apt-repository \
 "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
 $(lsb_release -cs) \
 stable"

sudo apt-get update
sudo apt-get install docker-ce
sudo systemctl enable docker


# Enable br_netfilter/ iptables filtering on Docker bridge interfaces
sudo vi /etc/modules-load.d/bridge.conf:

   br_netfilter

sudo vi /etc/sysctl.d/bridge.conf:

   net.bridge.bridge-nf-call-ip6tables = 1
   net.bridge.bridge-nf-call-iptables = 1
   net.bridge.bridge-nf-call-arptables = 1

sudo sysctl net.bridge.bridge-nf-call-iptables=1
sudo sysctl net.bridge.bridge-nf-call-ip6tables=1
sudo sysctl net.bridge.bridge-nf-call-arptables=1

sudo systemctl restart docker

Docker Container Network Isolation

TL:DR: when testing Docker with “–icc=false” on Ubuntu Server 16.04.3 I found that br_netfilter was required but not configured by default. Even when enabled, I found that the Docker Host physical network was not protected against container breakout. Testing with IP Masquerade disabled addressed Docker Host physical network  security, however, with ICC and IP Masquerade disabled it was just as “easy” to manage the environment with “–iptables=false” and a firewall script.

I recently ran through an exercise where I was testing Docker Container Network Isolation in a lab environment – this involved reviewing the impact of disabling ICC, IP Masquerade and Docker’s interaction with IP tables itself. The scenarios I was trying to provide isolation for are as follows:

  • Docker Container access to Docker Containers within the same Docker network
  • Docker Container access to other Docker Containers in different Docker network
  • Docker Container access to Docker host
  • Docker Container access to Docker host physical network/ other hosts

Continue reading “Docker Container Network Isolation”

Alexa and Plex… so close!

TL:DR : The Alexa skill may well require a manual Port Forwarding rule/ Plex Media Server configured to playback music on the Echo device itself. FLAC content (at time of writing) will randomly stop mid-song, or at the end of a song but fail to progress to the next track. MP3 content does not exhibit this issue. Either use MP3 media, or don;t expect to play music via your Echo device (for now).

Update 13/01/18: Plex have released a statement on these issues, available here: https://forums.plex.tv/discussion/303556/update-on-playback-issues – in effect, the audio stream stopping issues should be fixed soon. The Need for NAT loopback/ hairpin is also being worked on.

Like “millions” of others over the Christmas period we obtained a generation 2 Echo device, with the (initial) sole purpose of replacing the DAB radio that struggles for reception in our kitchen.  Having set the device up I started looking at what integrations there were for devices/ services we consume at home – Plex is the centre of our home Television and Music entertainment, so this seemed like an obvious candidate. On paper the Alex Plex skill enables (amongst other things):

  • Control of RasPlex devices, playing video/ audio content on any device (all of our Plex clients are Raspberry Pi 3’s running RasPlex)
  • The ability to play music via the Echo device itself

The pre-requisites are fairly simple – your Plex Media server must be configured for “remote access,” and you have to install/ configure the Alex Plex “skill.”  I’ve been a long-term user of Plex on a variety of devices, so I knew remote access was in-place and working well. Sounds simple enough right…? Well, yes and no.

Enabling the skill was simple enough, but on instructing Alex to “ask Plex to play music by Incubus” I received a response stating that Alexa was “playing music by Incubus” but then silence. I tried this several times, all to no avail. RasPlex device control worked immediately, and I was able to play music without issue on these devices, instructing Alexa to “ask Plex to play music by Incubus on Kitchen TV” for example. Output from the Echo itself just would not work.

I headed to the Plex and Reddit/plex forums and sifted through a ton of similar issues. Eventually I got the damn thing playing music on the Echo itself by performing two changes:

  • Enabling “ASUS” Loopback NAT (changed from “Merlin”) on my Internet router
  • Configuring a manual Port Forwarding rule for Plex to port 34200/ configuring my plex server to use Port 32400 externally

Now I was presented with a further issue, music stopped “randomly” in the middle of a track. I could resume playback with a simple “Alexa, resume” command, but needless to say 30 – 60 seconds at a time, this got frustrating pretty quick. After a raft of testing I found that my older, MP3 based content would play through, without issue, but FLAC media would not. Again, trawling forums, I found others who had come to similar conclusions. Something appears to go wrong with transcoding media for the Echo. Workaround for now, use MP3 media or simply don’t use the Echo for music playback.