izy-idman-tools

1.0.21 • Public • Published

izy-idman-tools

Enterprise developer identity management solutions.

This product includes software developed by Inferno Nettverk A/S, Norway.

Overview and Legacy Apps

  • (legacy) taskraid (notes, etc) and new db_personidentity are utilized in the information bucket application
  • cptools
    • (legacy) db_personidentity
      • avatar
  • device manager
    • usage analytics (browsing)
    • trigger management
  • storage service
    • apps/storage/pkgdashboard:api/stream
    • cb_storagedata
    • supports generic storage solution for data

INSTALLATION

  • make sure dependencies are installed:

    • Node JS

    • NPM: If you are using npm (the Node.js package manager) always ensure that your npm is up-to-date by running

        npm update -g npm
      
    • Docker

  • run the following

      cd ~;npm install izy-idman-tools;mv node_modules/izy-idman-tools .;cd izy-idman-tools;
      npm install;
      docker build --rm -t izyidman .
    
  • update the paths

    • make the scripts available in your CLI environment by adding the tool directory to your PATH, i.e.

        /* put this in your shell rc file (~/.zshrc or ~/.bashrc) */
        export PS1="%d % : "
        export PATH=$PATH:~/izy-idman-tools;
      
    • add ~/izyware/izy-idman-tools to Docker -> Preferences... -> File Sharing.

The Izy Shell Tool

The shell runs inside a Docker container so that you can multitask across different user profiles.

Running the tool

izyshell.sh <userid> [hostport:guestport]
izyaws.sh <userid> s3 ls --profile eugene

The following directories are mounted inside the shell:

/izycommondir -> $IZYSHELL_COMMONDIR
/izyhostdir   -> $(pwd)

Working around networking issues

VPN Service

We recommend OpenVPN.

  • use the AWS Marketplace image "OpenVPN Access Server-2-8-5"

  • ssh in as user openvpnas with the instance .pem key

  • Admin Web UI as "openvpn" (customizable through the initialization script)

  • set password for openvpn

    sudo passwd openvpn

  • to download the config.ovpn for a particular user, log in to the client web interface as openvpn with that password:

      https://<ip>:943/
    
  • the administrative interface is at the URL below; restrict inbound access to port 943 in the instance security group to the addresses that need it rather than leaving the login page open to the internet:

      https://<ip>:943/admin
    

Using the openVPN Client in the IzyShell docker container

The OpenVPN client uses the /dev/net/tun device. With Docker 1.2 or later, pass:

--cap-add=NET_ADMIN
--device /dev/net/tun 

If you are using an earlier version you will have to run the container in privileged mode; --privileged grants every capability and all host devices, so prefer the two flags above wherever they work.
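The following is an added example, not the project's own izyshell.sh (whose contents are not shown on this page). It reconstructs the docker run line for the shell container from the pieces documented above: the izyidman image tag from the build step, the /izycommondir and /izyhostdir mounts, the optional hostport:guestport argument, and the NET_ADMIN capability plus /dev/net/tun for the OpenVPN case. Everything else is an assumption and is marked as such in the comments: that IZY_DEFAULT_USER carries the userid argument, that the working directory should be /izyhostdir, and that the published port is bound to 127.0.0.1 on the host.

```python
"""Least-privilege `docker run` line for the izyshell container (added example)."""
import os
import shlex

IMAGE = "izyidman"               # tag given to `docker build` in the installation steps
WORKDIR_IN_SHELL = "/izyhostdir"  # assumption: start the shell in the mounted host dir


def parse_port_mapping(spec):
    """Validate the optional 'hostport:guestport' argument of izyshell.sh."""
    host, sep, guest = spec.partition(":")
    if not sep or not host.isdigit() or not guest.isdigit():
        raise ValueError("expected hostport:guestport, got %r" % spec)
    hostport, guestport = int(host), int(guest)
    for p in (hostport, guestport):
        if not 1 <= p <= 65535:
            raise ValueError("port %d out of range in %r" % (p, spec))
    return hostport, guestport


def valid_port_mapping(spec):
    try:
        parse_port_mapping(spec)
        return True
    except ValueError:
        return False


def docker_run_argv(userid, port_mapping=None, vpn=False, env=None, cwd=None):
    """Build argv for the shell container.

    - IZYSHELL_COMMONDIR -> /izycommondir and cwd -> /izyhostdir, as documented.
    - IZY_DEFAULT_USER is set to the userid argument (assumption).
    - IZY_AUTHORIZATION_TOKEN is forwarded by name: `-e VAR` makes docker copy
      the host value, so the secret never appears on the command line.
    - The published port is bound to 127.0.0.1 on the host (assumption; drop
      the prefix if other machines must reach it).
    - Only with vpn=True are CAP_NET_ADMIN and /dev/net/tun added; that is all
      OpenVPN needs and far narrower than --privileged.
    """
    env = os.environ if env is None else env
    cwd = os.getcwd() if cwd is None else cwd
    commondir = env.get("IZYSHELL_COMMONDIR")
    if not commondir:
        raise KeyError("IZYSHELL_COMMONDIR must point at the host path for /izycommondir")
    argv = ["docker", "run", "--rm", "-it",
            "-e", "IZY_DEFAULT_USER=%s" % userid,
            "-v", "%s:/izycommondir" % commondir,
            "-v", "%s:%s" % (cwd, WORKDIR_IN_SHELL),
            "-w", WORKDIR_IN_SHELL]
    if env.get("IZY_AUTHORIZATION_TOKEN"):
        argv += ["-e", "IZY_AUTHORIZATION_TOKEN"]
    if port_mapping:
        hostport, guestport = parse_port_mapping(port_mapping)
        argv += ["-p", "127.0.0.1:%d:%d" % (hostport, guestport)]
    if vpn:
        argv += ["--cap-add=NET_ADMIN", "--device", "/dev/net/tun"]
    argv.append(IMAGE)
    return argv


def docker_run_line(*args, **kwargs):
    """Shell-quoted one-liner, e.g. for pasting or for a wrapper script."""
    return " ".join(shlex.quote(a) for a in docker_run_argv(*args, **kwargs))


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if a != "--vpn"]
    if not args:
        sys.exit("usage: izyshell.py <userid> [hostport:guestport] [--vpn]")
    print(docker_run_line(args[0], args[1] if len(args) > 1 else None,
                          vpn="--vpn" in sys.argv))
```

Run it as `python izyshell.py eugene 10001:10001 --vpn` to print the command; the token check only decides whether the `-e` flag is emitted, the value itself is read by docker from the process environment at exec time.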

To keep DNS working while the tunnel is up, the route to your DNS server must stay on the eth0 interface rather than being pulled into the tunnel. The helper scripts in the ~/vpn folder take care of this, so always use them:

~/vpn_connect.sh connectionfile.ovpn
OR
~/vpn_connect_socks.sh connectionfile.ovpn

~/vpn_disconnect.sh

The VPN server pushes the settings for the tunnel device; check the client output for the line that configures it, for example:

/sbin/ifconfig utun...

Then, on the container, check the routing table and the tun devices (utun is the macOS name; inside a Linux container the device is usually tun0):

ifconfig
netstat -rn

and make sure that the tun interface is receiving traffic.

Then try connecting to a known IP address without using the DNS:

nc -v myservice_ip myservice_port

Then test DNS:

cat /etc/resolv.conf 
host izyware.com
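Added example (not part of izy-idman-tools) that automates the DNS check above: it reads the resolvers from /etc/resolv.conf and asks the kernel, via `ip route get`, which interface each one would leave through. The rule it enforces is the page's own (every resolver must stay on eth0), so a resolver pushed by the VPN and deliberately routed via tun0 would fail it. The resolv.conf and route output below are constructed samples, not captures.

```python
"""Confirm that name resolution will not be pulled into the tunnel (added example)."""
import re
import subprocess

NAMESERVER = re.compile(r"^\s*nameserver\s+(\S+)")
ROUTE_DEV = re.compile(r"\bdev\s+(\S+)")


def nameservers(resolv_conf_text):
    """Resolver addresses listed in /etc/resolv.conf, in order."""
    found = []
    for line in resolv_conf_text.splitlines():
        m = NAMESERVER.match(line)
        if m:
            found.append(m.group(1))
    return found


def route_device(ip_route_get_output):
    """Outgoing interface named in `ip route get <addr>` output, or None."""
    m = ROUTE_DEV.search(ip_route_get_output)
    return m.group(1) if m else None


def dns_routes(resolv_conf_text, route_lookup, expected_dev="eth0"):
    """For each resolver: the interface the kernel would use and whether it is
    the expected one. route_lookup(ip) returns `ip route get ip` text; it is
    injected so the check can also run against captured output."""
    verdicts = {}
    for ns in nameservers(resolv_conf_text):
        dev = route_device(route_lookup(ns))
        verdicts[ns] = {"dev": dev, "ok": dev == expected_dev}
    return verdicts


def live_route_lookup(ip):
    """Ask the kernel inside the container (needs iproute2)."""
    return subprocess.run(["ip", "route", "get", ip],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample: one public resolver still on eth0, one pushed by the
# VPN that the tunnel has captured.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 8.8.8.8
nameserver 10.8.0.1
search example.internal
"""
SAMPLE_ROUTE_OUTPUT = {
    "8.8.8.8": "8.8.8.8 via 172.17.0.1 dev eth0 src 172.17.0.2 uid 0\n    cache\n",
    "10.8.0.1": "10.8.0.1 dev tun0 src 10.8.0.6 uid 0\n    cache\n",
}


def demo():
    """Run the check over the constructed samples."""
    return dns_routes(SAMPLE_RESOLV_CONF, SAMPLE_ROUTE_OUTPUT.__getitem__)


if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        for ns, v in dns_routes(fh.read(), live_route_lookup).items():
            print("%-16s dev=%-6s %s" % (ns, v["dev"], "ok" if v["ok"] else "NOT on eth0"))
```

Run it inside the izyshell container after vpn_connect.sh; any resolver reported as NOT on eth0 will stop working the moment the tunnel drops that route.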

OpenVPN supports tunnelling the client connection through a SOCKS proxy (the socks-proxy directive) and expects a SOCKS5 server. Note that OpenSSH's built-in SOCKS5 implementation (ssh -D) does not support UDP; pointing a UDP profile at it produces the following in the ssh debug output:

debug1: Connection to port __LOCALPORT__ forwarding to socks port 0 requested.
debug2: fd 6 setting TCP_NODELAY
debug2: fd 6 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: channel 2: new [dynamic-tcpip]
debug2: channel 2: pre_dynamic: have 0
debug2: channel 2: pre_dynamic: have 3
debug2: channel 2: decode socks5
debug2: channel 2: socks5 auth done
debug2: channel 2: pre_dynamic: need more
debug2: channel 2: pre_dynamic: have 0
debug2: channel 2: pre_dynamic: have 10
debug2: channel 2: decode socks5
debug2: channel 2: socks5 post auth
debug2: channel 2: only socks5 connect supported

A successful (CONNECT) request, by contrast, logs:

debug2: channel 8: dynamic request: socks5 host __IP__ port 443 command 1

The reason is that OpenSSH implements only the CONNECT command (SSH_SOCKS5_CONNECT in the source), not UDP ASSOCIATE, which is what a UDP tunnel needs. See RFC 1928 for details.
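Added example, not part of izy-idman-tools: a small SOCKS5 probe that sends a real CONNECT or UDP ASSOCIATE request to a proxy and classifies the answer, so you can tell before touching OpenVPN whether a given proxy will carry UDP. The stand-in server included for the offline demo is constructed to behave like the ssh -D listener whose debug log appears above: it completes the no-auth handshake, answers CONNECT with "succeeded", and simply hangs up on anything else (which is why the page's log ends at "only socks5 connect supported" with no reply). Against a real proxy, call probe() with its host and port.

```python
"""SOCKS5 probe: does a proxy honour UDP ASSOCIATE (RFC 1928, cmd 0x03)? Added example."""
import socket
import struct
import threading

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4 = 0x01
REPLY_NAMES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}
CLOSED = "connection closed without reply"


def _recv_exact(sock, n):
    """Read exactly n bytes; EOFError if the peer hangs up first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError
        buf += chunk
    return buf


def build_request(cmd, host="0.0.0.0", port=0):
    """VER CMD RSV ATYP DST.ADDR DST.PORT, IPv4 only. For UDP ASSOCIATE the
    address is the client's datagram source; 0.0.0.0:0 is allowed when unknown."""
    return (struct.pack("!BBBB", SOCKS_VERSION, cmd, 0x00, ATYP_IPV4)
            + socket.inet_aton(host) + struct.pack("!H", port))


def parse_reply(data):
    """(reply_code, bound_host, bound_port) from a 10-byte IPv4 reply."""
    if len(data) != 10 or data[0] != SOCKS_VERSION or data[3] != ATYP_IPV4:
        raise ValueError("malformed SOCKS5 reply: %r" % (data,))
    return data[1], socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0]


def probe(proxy_host, proxy_port, cmd, dst=("127.0.0.1", 443), timeout=5.0):
    """Greet with the no-auth method, send one command, classify the answer."""
    target = ("0.0.0.0", 0) if cmd == CMD_UDP_ASSOCIATE else dst
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))      # VER NMETHODS METHODS
        try:
            ver, method = _recv_exact(s, 2)
            if ver != SOCKS_VERSION or method != NO_AUTH:
                return "proxy rejected the no-auth method (%#04x)" % method
            s.sendall(build_request(cmd, *target))
            rep, _bnd_host, _bnd_port = parse_reply(_recv_exact(s, 10))
        except EOFError:
            return CLOSED                                    # what ssh -D does for non-CONNECT
        return REPLY_NAMES.get(rep, "unknown reply %#04x" % rep)


def _connect_only_server(listener):
    """Constructed stand-in for an `ssh -D` listener: no-auth greeting, CONNECT
    gets a 'succeeded' reply, any other command is dropped without a reply."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(5.0)
        nmethods = _recv_exact(conn, 2)[1]
        _recv_exact(conn, nmethods)
        conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
        req = _recv_exact(conn, 10)
        if req[1] != CMD_CONNECT:
            return                                           # "only socks5 connect supported"
        conn.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + bytes(6))


def demo():
    """Probe the stand-in with CONNECT and UDP ASSOCIATE; returns {name: verdict}."""
    verdicts = {}
    for cmd, name in ((CMD_CONNECT, "CONNECT"), (CMD_UDP_ASSOCIATE, "UDP ASSOCIATE")):
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        listener.settimeout(5.0)
        worker = threading.Thread(target=_connect_only_server, args=(listener,), daemon=True)
        worker.start()
        verdicts[name] = probe("127.0.0.1", listener.getsockname()[1], cmd)
        worker.join(5.0)
        listener.close()
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-14s -> %s" % (name, verdict))
```

A Dante instance with UDP enabled answers UDP ASSOCIATE with "succeeded" and a relay address; one with UDP disabled answers "command not supported"; ssh -D just closes the connection.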

To work around this, either switch the server to TCP (you would have to do the same to go through an HTTP proxy, since OpenVPN can only proxy TCP). To enable TCP on the OpenVPN server, set proto tcp in the server config, restart the service and check the log for errors:

/etc/openvpn/server.conf
service openvpn restart
service openvpn status
/var/log/syslog

As an alternative, use a SOCKS5 server that implements UDP ASSOCIATE. We recommend Dante:

git clone https://github.com/wernight/docker-dante
cd docker-dante
sudo docker build --rm -t izyidman_dante .

sudo docker run -d -p 1080:1080 izyidman_dante

This publishes the proxy on every host interface. Unless the Dante configuration requires client authentication, restrict it with a host firewall or bind it to a specific interface (-p <interface-ip>:1080:1080); an unauthenticated SOCKS server reachable by anyone is an open proxy.

Socks Service

We recommend the standard OpenSSH stack. The basic setup consists of an internet-accessible service (IAS) with TCP port $IZY_SOCKSSERVER_PORT on $IZY_SOCKSSERVER_IP open to the public.

The SOCKS service itself can run either on the IAS directly or on a third-party box (3B) inside your network that publishes it to the IAS through a reverse tunnel (hence the name double dipping, or DD). In both scenarios the clients connect to socks5://$IZY_SOCKSSERVER_IP:$IZY_SOCKSSERVER_PORT

For the DD scenario to work, you will need to:

  • on 3B, use SSH to set up a local SOCKS service
  • on 3B, use SSH remote port forwarding to publish that local SOCKS port on the IAS at $IZY_TCPACCESS_PORT.

IAS Setup and Issues

On the IAS, when a TCP port is forwarded (either locally or remotely), sshd by default listens for connections to the forwarded port only on the loopback address (localhost, 127.0.0.1). This means only programs running on the IAS itself can connect to the forwarded port. This is a security feature, since no authentication is applied to such connections. To override this behaviour, set GatewayPorts to yes:

vim /etc/ssh/sshd_config
set GatewayPorts to yes
sudo systemctl restart ssh.service

With GatewayPorts yes the forwarded SOCKS port is reachable by anyone who can reach the IAS, still with no authentication. Restrict $IZY_TCPACCESS_PORT in the IAS security group or host firewall to the client addresses that need it.

Sometimes there are also dangling sshd processes on the IAS still holding forwarding requests on $IZY_SOCKSSERVER_PORT (for example after a 3B tunnel dropped without closing cleanly); a new -R request for the same port then fails. Make sure they are cleared:

ssh -i $IZY_SOCKSSERVER_PEMFILE $IZY_SOCKSSERVER_SSHUSER@$IZY_SOCKSSERVER_IP
sudo lsof -i -P -n | grep $IZY_TCPACCESS_PORT

Find all of them and kill them (only the sshd processes holding that port).

On the IAS, confirm that the listener is bound to 0.0.0.0 (not 127.0.0.1):

    netstat -tupln | grep $IZY_TCPACCESS_PORT 
    0.0.0.0:19999 
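Added example, not part of izy-idman-tools, that turns the two IAS checks above into one script: it parses `ss -tlnp` or `netstat -tupln` output, reports whether the forwarded port is bound to a wildcard address or only to loopback, and lists the PIDs holding it so a stale sshd can be killed. The two listings embedded below are constructed samples (one in netstat format before GatewayPorts took effect, one in ss format after), not captures from a real host. Remember that wildcard binding is exactly what the DD setup needs, but it also means the unauthenticated SOCKS port is reachable from anywhere the IAS is.

```python
"""Who holds the forwarded port on the IAS, and on which interface? Added example."""
import re
import subprocess

ADDR_PORT = re.compile(r"^(?P<addr>\S+):(?P<port>\d+)$")
PID_PROG = re.compile(r"pid=(?P<pid>\d+)|(?P<pid2>\d+)/(?P<prog2>[^\s:]+)")
PROG_NAME = re.compile(r'\("(?P<name>[^"]+)"')
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def listeners_on_port(listing, port):
    """Listening sockets on `port` as [{"addr", "pid", "prog"}, ...].
    Accepts ss -tlnp and netstat -tupln output; the first addr:port token
    on a LISTEN row is the local address in both formats."""
    rows = []
    for line in listing.splitlines():
        if "LISTEN" not in line:
            continue
        local = None
        for tok in line.split():
            local = ADDR_PORT.match(tok)
            if local:
                break
        if not local or int(local.group("port")) != port:
            continue
        pid = prog = None
        m = PID_PROG.search(line)            # ss: pid=NNN   netstat: NNN/name
        if m:
            pid = int(m.group("pid") or m.group("pid2"))
            prog = m.group("prog2")
        n = PROG_NAME.search(line)           # ss: users:(("sshd",pid=...))
        if n:
            prog = n.group("name")
        rows.append({"addr": local.group("addr"), "pid": pid, "prog": prog})
    return rows


def assess(rows):
    """Exposure verdict for the forwarded port."""
    exposed = [r for r in rows if r["addr"] in WILDCARD]
    loopback = [r for r in rows if r["addr"] in LOOPBACK]
    return {
        "listening": bool(rows),
        "exposed": bool(exposed),
        "loopback_only": bool(rows) and not exposed and len(loopback) == len(rows),
        "pids": sorted({r["pid"] for r in rows if r["pid"] is not None}),
    }


def check_live(port):
    """Run ss on this host (run as root to see other users' PIDs)."""
    out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    return assess(listeners_on_port(out, port))


# Constructed samples, not real captures.
SAMPLE_NETSTAT_BEFORE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      611/sshd: /usr/sbin
tcp        0      0 127.0.0.1:19999         0.0.0.0:*               LISTEN      2345/sshd: ubuntu
"""
SAMPLE_SS_AFTER = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port   Process
LISTEN  0       128      0.0.0.0:19999         0.0.0.0:*           users:(("sshd",pid=2345,fd=9))
LISTEN  0       128      [::]:19999            [::]:*              users:(("sshd",pid=2345,fd=10))
LISTEN  0       128      0.0.0.0:22            0.0.0.0:*           users:(("sshd",pid=611,fd=3))
"""

if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 19999
    print(check_live(port))
```

If "exposed" is false after you set GatewayPorts, the listening sshd predates the restart or the 3B tunnel was opened before the change; kill the PIDs reported and reopen the tunnel.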

3B Setup and Issues

For the 3B, setting up a local SOCKS server is very easy. Most Unix and macOS systems come equipped with SSH. For example, to set up a local SOCKS server on a Mac:

System Preferences > Sharing > turn Remote Login on

/* Enable Socks Server on Local */
ssh -v -D $IZY_TCPACCESS_PORT -C -N $USER@localhost

Then "publish" the local port on the remote server:

    /* full background */
    ssh -v -N -f -R $IZY_TCPACCESS_PORT:localhost:$IZY_TCPACCESS_PORT -i $IZY_SOCKSSERVER_PEMFILE $IZY_SOCKSSERVER_SSHUSER@$IZY_SOCKSSERVER_IP
    
    /* Interactive console */
    ssh -v -g -R $IZY_TCPACCESS_PORT:localhost:$IZY_TCPACCESS_PORT -i $IZY_SOCKSSERVER_PEMFILE $IZY_SOCKSSERVER_SSHUSER@$IZY_SOCKSSERVER_IP

Environment variables to configure the CLI

Environment variables provide another way to specify configuration options and credentials, and can be useful for automation.

Precedence of options

Using a parameter on the CLI command line overrides the value from the corresponding environment variable. For IZY_AUTHORIZATION_TOKEN prefer the environment variable: command-line arguments are visible in process listings and end up in shell history.

Supported environment variables

  • IZYSHELL_COMMONDIR: Host path mapping to shell /izycommondir
  • IZY_DEFAULT_USER: Specifies an ID associated with a user or group.
  • IZY_AUTHORIZATION_TOKEN: Specifies the session key for the cloud access APIs.

Clipboard Access From the Docker Environment

MacOS

You can pipe stdout into the clipboard:

izyaws.sh eugene whoami | pbcopy

To copy the contents of a file:

pbcopy < mydata

To grab the contents of the clipboard:

pbpaste > mydata

Windows

replace pbcopy with clip (paste from PowerShell with Get-Clipboard).

Linux

replace pbcopy with xclip -selection clipboard and pbpaste with xclip -selection clipboard -o.

IzyVatar Management

Initial Setup/Restart checklist

  • LP

    • Make sure it is moved to the application folder. This is needed in order to automate from the commandline.
    • Activate
    • Create
      • Meet In
      • Meet Out
      • Phone Output
  • AHJ

    • Make sure it is moved to the application folder. This is needed in order to automate from the commandline.
    • Activate
    • Import profile. Or optionally create a new profile.
      • Phone Output > AUAudioFile Player > 10 Band HQ (1X max, progression towards bass - otherwise it will become the telephone effect), AUNewP (-233,8,ON), AUMultiBComp () > Volume (79, 2X) > PeakRMS > Meet In
      • Profile 2
      • Branch Out Meet Out with Low Volume for Smoke Tests

    Multi Band Compression

    10 Band HQ

  • System

    • Install latest nodeJs and izy-idman-tools

    • transfer the AI libraries

        mkdir -p ~/izyware/izy-idman-tools/id;
        rsync ....
        open ~/izyware/izy-idman-tools/id;
        /* switch Finder to columns view, create an alias for izyware and move the alias to the Desktop */
      
    • Make sure power settings are setup correctly post restart or crash

        sudo systemsetup -setcomputersleep Never 
      
    • System Preferences > Sounds

      • Check "Show volume in menu bar"
      • Set the input volume for internal Microphone to maximum
      • System Sound Default Output > Meet Out
      • System Sound Default Input > Meet In
      • Make sure the screen font and object sizes are large enough for side-by-side viewing and interaction.
    • Use data collection features to setup session and messaging.

  • SKP

    • Sign in using the *work account
    • Privacy > Only allow calls from contacts
    • AV > Mic > Meet Out
    • AV > Automatically Adjust Microphone Settings (Off)
    • AV > Noise Cancellation (Off)
    • AV > Automatically Adjust Settings (OFF)
    • AV > Speakers > Phone Output
    • Calling > Advanced > Answer Incoming Calls Automatically
    • Calling > Show call window when in background (yes)
  • OBS

    • Install OBS WebSockets

    • Pick "Only using Virtual Camera"

      • Default canvas resolution will be set to your screen resolution (1920x1080). Reduce that to 720p
    • Image customization: locate the placeholder image shipped with OBS and replace it with your own. Check the echoed path before the copy runs; it runs as root and overwrites the first match found.

        PLACEHOLDERIMAGEPATH=$(dirname "$(find / -iname placeholder.png 2>/dev/null | head -n 1)"); echo copying to $PLACEHOLDERIMAGEPATH; sudo cp placeholder.png "$PLACEHOLDERIMAGEPATH"; ls -l "$PLACEHOLDERIMAGEPATH";
      
    • profile basic01

      • Scene configuration
        • Scene > Sources > izyware/izy-idman-tools/id/...
        • Scene 2 > Sources > izyware/izy-idman-tools/id/...
        • For scene transitions use Fade.400ms
      • Source configuration:
        • Loop option is enabled
        • All the other options are disabled. In particular restart should be disabled, otherwise the switching will not work well.
  • ZM

    • Always signed in
    • Bookmark the personal room link
    • Always have chat window open
    • Settings > Share Screen > Window Size when sharing: Maintain current size
    • Settings > Share Screen > When I Share > ... : Show all options
    • Settings > Mic > Meet In
    • Settings > Speaker > Meet Out
    • Background
      • izyware/izy-idman-tools/id/...
  • Workstation

    • The scaffolding for the devices and for the user should be separate so they can be moved independently.
    • Use more modular pieces and replace long components with smaller attachable ones.
    • More space is required at the back for the screen.
    • A top bar and a cross bar are required for stability.
    • camera setup
      • external cameras are preferred to the phone camera
        • the camera angle is already set up, so it will not introduce stress into the system and needs no dismantling.
        • a computer's internal webcam cannot easily be tilted, mounted, or have its distance to the target adjusted.
        • the final angles and settings can be tested on an external subject before deployment
  • ubuntu

    • You will need ssh access

        /* find all the computers on network */
        /* the netgear web portal will show the registered machines with their ip */ 
        http://192.168.1.1/ (admin,password) 
        
        /* ssh into the box, then: */
        xinput list /* grab the ID of the buggy touchscreen, "Atmel maXTouch Digitizer" */
        xinput --disable <ID Here>
        
        /* contrast */
        xgamma -gamma 1.500
        /* brightness */
        xrandr --output LVDS-1 --brightness 1.1
        
        /* after some inactivity display brightness drops and we see the lines */
        
        to send keys and mouse to active app:
        xdotool type "Hello world"
        
      
        ; disable auto updates: https://linuxconfig.org/disable-automatic-updates-on-ubuntu-20-04-focal-fossa-linux
        
        ; TIP: list these by gsettings list-recursively | grep -i "suspend\|sleep"
      
        ; set desktop background to gray (note black will reflect off of screen)
        gsettings set org.gnome.desktop.background picture-options 'none'
        gsettings set org.gnome.desktop.background primary-color '#888888'
      
        
        ; at 5 minutes it turns off the screen.
        gsettings set org.gnome.desktop.lockdown disable-lock-screen 'true'
        gsettings set org.gnome.desktop.screensaver lock-enabled false
        ; wakelock issues: after 4 minutes the screen resolution degrades
        ; disable automatic brightness
        gsettings set org.gnome.settings-daemon.plugins.power ambient-enabled false
        ; Power Saving > Dim Screen When Inactive (Disable)
        gsettings set org.gnome.settings-daemon.plugins.power idle-dim false
        ; Power Saving > Blank Screen (Never)
        gsettings set org.gnome.desktop.session idle-delay 0
        ; Suspend & Power Button
        ; Disable Notification: "Computer will suspend very soon because of inactivity"
        gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-type 'nothing'
        gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-battery-type 'nothing'
      
  • control computer

    • phone input: computer microphone.
  • external webcams

    • disable microphone
  • samson microphone

    • lock the mic level to zero by taping it.
  • workcomputer

    • surgery
      • internal microphones and speakers.
      • wireless antenna
      • cover internal cam
      • cover all displays with black, otherwise they will cause glare on the tablet and its camera will pick it up
    • Settings
      • displays
        • brightness=minimal
        • automatically adjust brightness: No
        • True Tone: No
      • Battery
        • Power Adapter
          • Turn off display after = never
          • Prevent your Mac from automatically sleeping when display is off

Media Production Notes

  • safety measure

    • never try customizing or changing things during a live run; the audio feedback is what saves you.
    • audio feedback is critical as a last resort for disaster mitigation.
    • vicinity problem
      • a Faraday cage is not easy to set up; physically removing the wireless card ("wlanectomy") is the preferred method.
      • vicinity can be tracked using location services or Wi-Fi, so even devices without a GPS can be geo-tracked.
  • Sample effects supported

    • background noise cancellation
      • baby crying and making noise (check out the performance: mro from Bon Appétit)
    • when a surprise is introduced
      • still need things like smiling and waving hands (like when he brought the kid)
    • situational
      • more crowded and interactive sessions could use audio automation; for example, in a gaming situation a prerecorded dialog will work because it does not have to be coherent.
    • character development
      • shy personalities that are not outspoken come across as more friendly.
  • Testing

    • Start with a regular clear asset and debug synchronization issues
  • Color and Lighting

    • turn on color filters from OBS. NOTE: this needs to happen for ALL scenes. It is recommended that this is done at recording time.
  • Geometry

    • Use 720p frame size.
    • laptop: a head-to-frame ratio of 1/4-3/16 of the width and 1/2-1/3 of the height is the standard for laptop shooting.
    • external: a head-to-frame ratio of 1/8 of the width and 1/4-1/5 of the height is the standard for external camera shooting.
  • Animation

    • movement generation
      • mechanical devices (chair) create smoother animations and more predictable picture quality.
    • AI mesh detection currently detects the following human gestures.
      • Hello
      • GoodBye
      • Smile
      • Thinking
      • Scratch Face, Head
      • Look down
      • Look away
      • Get up and leave
      • Come in and Sit
      • Raise Hand
      • Wave to people
      • Look at camera
      • Point at camera
      • Hand Gestures

Smoke Tests

  • Audio: Dial into user, then on device play the AHJ audio
    • ZM > Settings > Test Audio: Should hit middle green bars
  • Video: Join an empty ZM session on Device
    • Turning off VC should show transparency (no OBS)
  • Full: Join empty ZM session on Device and play the AHJ audio
    • The sync loop should respond
    • The audio and images should fully work.

Automation

To list audio devices

npm run getaudiodevices

To test audio and microphone input, use input and microphone monitoring tool:

npm run inputmon

To pipe audio across devices, use

npm run source queryObject.deviceId -1 queryObject.address localhost:10001
npm run recieve queryObject.address localhost:10001 queryObject.id 1
npm run sendCommand queryObject.address localhost:10001 queryObject.cmd 'json:{"action":"focus","userid":17}'

To use camera broadcaster feature use

servers/ubuntu_<UID>/shell.sh;cd camera/;npm run dev;
servers/ubuntu_<UID>/shell.sh;pkill -f firefox;declare -x DISPLAY=":0";firefox "http://0.0.0.0:5000/#IP_UID:4444"

To sync OBS with audio input use

npm run audiosync queryObject.obs.address localhost:4444 queryObject.obs.password password 

A typical sequence

npm run shutdown
npm run startup
npm run playaudio queryObject.deviceName "Phone Output"
npm run audiosync queryObject.obs.address localhost:4444 queryObject.obs.password password

For dependencies:

  • Make sure that OBS is installed together with the obs-websocket plugin from https://github.com/Palakis/obs-websocket/releases

  • macOS users: naudiodon depends on node-gyp, which requires the command line tools to be installed, so make sure to run:

      xcode-select --install
    

Platform Considerations

  • We do not recommend the Apple M1 Family:
    • M1 family does not have display scaling to 1280x720 and will slow down the system.
    • Commandline automation for mixed architecture apps will fail.
    • OBS will require Rosetta: Rosetta enables Intel-based features to run on Apple Silicon Macs. Reopening applications after installation is required to start using Rosetta.

Camera Resolution

Most laptops ship with a 720p HD camera, so recorded video ends up at 1280x720. The "p" number is the vertical resolution, i.e. the number of horizontal lines of pixels in the image (not the horizontal resolution). HD refers to cameras with a standardized resolution of 720p or 1080p. A 720p HD camera therefore produces images of 1280 x 720 pixels (921,600 pixels, so a 720p HD camera is not technically a megapixel camera), and a 1080p HD camera produces 1920 x 1080 pixels, or about 2.1 megapixels. HD video uses a 16:9 aspect ratio (rather than 5:4 or 4:3), and the frame rate is standardized at 60, 50, 30 or 25 frames per second.

In contrast, smartphone cameras have much higher resolution and quality, and screen recordings can be several megapixels (e.g. 2000x3000).

As of 2021, the virtual camera provided by broadcasting software offers 1280x720 at 30 FPS.

External Resources

NOTE: for more details, visit https://izyware.com

Known Issues

  • SKP

    • does not respond to incoming requests while in the background
  • CLI

    • it should always be running and should automatically recycle after hours.
    • should support single audio interface stream data over high speed LAN for higher quality
      • simple tcp socket streaming to an input using the node audio lib
      • have a single interface in dashboard that shows all users and screens in one spot
  • Video

  • information bucket

    • add delete option for rawdata tokens (for removing accidental bad tasks)
    • add "pings" to information bucket under a bucket and rename it to "activity"
    • pings, capture, etc. should all be consumable from an analytics dashboard
      • can track across different devices (device id is 1 parameter)
    • device switch should be renamed to device actions (we had raw data before and customer feedback was negative)
  • camera broadcast tool

    • show username in foreground in white or show logo (so that it looks like Zoom)
      • use a background picture for this: gsettings get org.gnome.desktop.background picture-uri
    • wrap this in an npm script: pkill -f firefox;declare -x DISPLAY=":0";firefox "http://....."

ChangeLog

V5.6

  • 5600003: remove startvirtualcam from OBS cmdline
  • 5600002: implement audio mixer
  • 5600001: implement camera broadcast tool
    • improve frame speed rate

    • black background

      • white background will generate glare in dark room
    • disable password prompt and quietly stop

    • automatic login

    • build process

        rm ../camera.zip; zip -r ../camera.zip . -x .git/\* -x node_modules/\*
        servers/ubuntu_<USERID>/putfile.sh ../camera.zip .
        
        servers/ubuntu_<USERID>/shell.sh
        unzip -o camera.zip -d camera
      

V5.4

  • 540006: Add placeholder.png for customization
  • 540005: Put the focus back on the tab (not the newer ones) that has the switcher.
  • 540004: Allow search by memo field
  • 540003: Update tab labels
  • 540002: Disable client sync by default
    • unstable client connections will not disturb the application
  • 540001: Add memo to cliconfig.api

V5.3

  • 530020: Add description to cliconfig.api. remove set description from actions.
  • 530019: Update virtual shell prompt to use the mandatory fields id and description
    • This will guarantee that the prompt will always be user friendly
  • 530018: Add sessions and more robust connection recovery. Add more tests.
  • 530017: IzyVatar features
  • 530016: remember tabs on context switch
    • improves workflow efficiency
  • 530015: when switching update the snapshot and count updates
    • improves workflow efficiency
  • 530014: add reswitchBrowserContext and store contextSwitch Ids in the browser session
    • this will allow for implementation of quick context switching in the shells
  • 530013: implement add empty context
    • useful for starting a new session with new account
  • 530012: add device tracking for context switching
    • deviceswitch schema is introduced
  • 530011: add contextswitch functionality
  • 530010: add setdescription functionality
  • 530009: expose memo field in the inspect view
    • replaces cptools functionality
  • 530008: add izy-loadobject nodejs-require for locating the templates relative to __dirname.
  • 530007: add RAWDATA browsing and import organized by content bucket.
    • allows for aggregating view on devices and other areas.
  • 530006: create apps/devicemanager/5/dashboard and add support for "switching" using raw_tokendata.
    • replace legacy device management raw_tokendata management
    • replaces cptools functionality
    • improves device context capture using 'browsercontext_5' and referencing raw_tokendata_id
      • legacy cptools was done via the 'cptoolsuserid' cookie in cptools/pkgdashboard/admin.
  • 530005: Improve visualization for collaboration fields.
    • generates the link for the izyshell.sh and replaces the legacy cptools
  • 530004: Add support for AWS shell
  • 530003: Add support for IZY_DEFAULT_USER
  • 530002: pkgdashboard add support for aws_credentials. control access based on collaboration features.
  • 530001: clone "viewer/view" from "viewer/top" for compatibility with modern shells
  • include and add reference to Dockerfile in package

V5.2

  • implement action/cliconfig for izy-idman-tools
  • use IZY_AUTHORIZATION_TOKEN environment variable
  • add description field as the first step in adding identity context
  • link ~/izyware/izy-idman-tools/id/<>/Desktop to izyidman records
  • move izyidman/5/pkgdashboard to separate workspace

V5

  • izyshell.sh: add optional port mapping
  • desktopautomation: launch the fragile apps at the end of sequence
  • use require('os').homedir() for the shell root directory
  • izyaws: use $HOME/izyware/izy-idman-tools/id for root
  • add applescript modules for automation
  • add schema for vmuser
  • add IZYSHELL_COMMONDIR
  • izyaws: pass more parameters
  • add izyaws.sh
  • add NPM_TOKEN to bashrc
  • Add dante source code for reference.
  • Add support for tunneling UDP through socks
  • Add support for openVPN

Install

npm i izy-idman-tools

Version

1.0.21

License

MIT

Unpacked Size

641 kB

Total Files

25

Collaborators

  • alex.wong