LoneStar Overnight’s broken web page

I told them I’d give them 24 hours to respond. I actually gave them over a month. The only response was the automated “We’ve received your tech support email.” They have, to date, done jack all to fix any of the problems I alerted them to. So I’m going public.

To whom it may concern,

There are serious issues with the security of your public web site.

A search on Google and DuckDuckGo for “Lonestar Overnight” or “Lone Star Overnight” results in a list of links, the first of which points to www.lso.com. The rest point to various pages below www.lonestarovernight.com, all of which appear to be on the same server. However, the GoDaddy-signed SSL / TLS certificate installed on that server contains only the name “*.lso.com” and the SANs (“Subject Alternative Names”) “*.lso.com” and “lso.com”. There is no SAN for any lonestarovernight.com hostname.

A potential customer or user clicking on any of the www.lonestarovernight.com links would receive a message from their browser that the certificate does not match the hostname. This can cost you business, as customers look elsewhere, to a competitor whose web server is perceived to be “trustable”.

You’ve already lost business from anyone looking for “lonestarovernight.com”. BTW, your web page does not contain the words “Lone Star Overnight” anywhere. Obviously, like IBM, SGI, AT&T and other companies of decades past, you have pivoted to branding yourselves as “LSO”. You might communicate this to Amazon, in order to properly identify your service when they select you to perform delivery of their packages. At this time Amazon states that the courier is “Lone Star Overnight”.

The last is purely a marketing glitch; however, there are far more serious problems with your web site’s security.

You are using very weak, obsolete, encryption. This makes your customers vulnerable to man in the middle attacks.
You are still using 512-bit “export” grade encryption, and potentially vulnerable to the FREAK attack.
You ARE vulnerable to the POODLE attack.
You are still using SSL version 3.0, TLSv1.0 and TLSv1.1. All of which are considered obsolete.
You do NOT support the current TLSv1.2 standard.
You are using older, vulnerable RC4 cipher suites.
You do not support secure renegotiation.
You do not support Forward Secrecy.

I am a highly skilled Unix Systems Administrator for a Fortune 500 company. These are BASIC items. I identified most of them using the well-regarded, and free, SSL security scanning tool from Qualys Labs (qualys.com) to review your site, the results of which can be viewed here and here. To be clear: this is NOT an attempt to extort money from you or to sell you my services. IT Security is a highly specialized area of IT administration and I do not possess the knowledge, skills or interest to do it justice. I am contacting you as a concerned “customer”, who regularly receives Amazon deliveries facilitated by your service. If you don’t have an IT Security expert on your staff, I would highly recommend you get in touch with an IT security consultant who can assist you with auditing your systems’ security and developing a remediation plan.

If there is no response to this message within 24 hours, I will post it publicly on a number of social media sites, to warn other potential customers that they should not use your web site.

Also, the tracking number for my recent “same day delivery” given by Amazon does not work on your site. It doesn’t even give an error that it could not be found. It simply reloads the page. Someone should probably look into that glitch on your site as well. I’m probably not the only Amazon customer awaiting a delivery who is trying to track their package.

For the record, it appears they fixed the tracking number glitch. At least as of today I am able to get the status of the package I’m waiting for. While typing this, I heard a car door outside and my delivery was on my doorstep when I checked.

Uverse speed throttling

Large uploads on Uverse kill download bandwidth.

So it turns out if you’re uploading something on a Uverse connection, they kill your download bandwidth.

I had been poking around in iTunes, looking at the section of the store that shows what other members of your Apple Family have “purchased” (in quotes, because even “free” apps and music show up as “purchases”). The Wife had purchased several albums (or at least songs) that I would not have purchased myself, but wouldn’t mind having a copy, since we’d already paid for it. I clicked to download them (mostly songs from our high school days), then went to watch some YouTube videos. Normally we have enough bandwidth to handle this just fine, but the video kept stuttering (play for two seconds, pause for four seconds to download the next two seconds worth of video, play for two, pause for four for the next two seconds of playback download). I switched back to iTunes and saw that what should have taken about 3 seconds per song was predicting six MINUTES or more.
The Cisco ASA showed a lot of OUTGOING bandwidth being used, and very little incoming. Well that was odd. I wasn’t uploading anything that I knew of.

Speedtest showed my download speed to be 5Mbps and upload of about 77Kbps. WELL below normal.

So, drop to a terminal, run tcpdump and, lo and behold, lots of packets going out to Apple IP addresses. (I’m sure I could have found this out from ASDM, but I don’t know the interface well enough yet and I do know tcpdump.)

Turns out when I stuck the SD card from my camera into the iMac and told Photos to download 10GB worth of video I shot today, it dutifully did so, then began uploading that to iCloud. There doesn’t seem to be a setting to permit uploading photos, but not video. With a 12Mbps down / 1.5Mbps up Uverse connection, 10+GB is going to take a WHILE to upload (especially since it was only uploading at about 500Kbps).

It would seem Uverse will only let you use either upload or download at any given time, but not both. If they’re going to screw you like that, they could at least give you a reach around and let you do it at the same SPEED in either direction.

(Of course it’s possible the throttling of download speed is due to the TCP/HTTPS “ACK”s coming back from Apple signaling receipt of the upload packets and readiness for the next upload packet, but those shouldn’t take much bandwidth at all. Barely more than the TCP/IP header and a few bits of payload, I would think.)

Edit: As soon as I stopped (really, paused for one day) the “Photos” upload, my download bandwidth came roaring back: 15Mbps down (from a connection that is technically only supposed to be 12Mbps…) / 1.5Mbps up on speedtest.net and my iTunes downloads were completing in seconds.

I can’t stand “weight loss” entertainment shows

Extreme Weight Loss: How the most obese nation on earth makes itself feel good by publicly shaming the worst of us

I’m very glad the stack of routers and switches next to me is almost loud enough to drown out the TV. My wife is watching Extreme Weight Loss and I wanted to slap the “guest loser” about 30 seconds into it. (Cue sob story about how her entire family done her wrong when she was most vulnerable…)
Then they pulled the predictable and over-the-top “You’re exercising for the first time in 20 years. You’re sweaty, out of breath and straining like you’re giving birth again. Now while you strain against this weight, tell us why you’re mad at each member of your family. Great! You’re completely out of breath, drenched in sweat, face is completely red, you’re angry and crying. Now, tell us whom you’re the maddest at of all?” (Spoiler warning: she’s slightly less than pleased with herself. Bet you could have guessed that already, right?)

Oh, and the weight loss reveals, where the giant scale takes 10 seconds to “add up” how much the loser has lost this interval, piss me off. Especially when they start the “reveal”, explain what they weighed when they started, what they weighed at the last weigh in, how much they lost the first interval, how much they had to lose this time, and the overly dramatic “If you weigh less than XXX pounds today (pause) you’ve met your goal!” (because they, and the audience, can’t do math?) They step on, the scale takes 5 seconds to count down and…. ad break!
Break’s over. Let’s cover that entire conversation again. Now step on the scale and take 10 seconds to “add up” the weight…

They haven’t gotten to the part where they start discussing how close the “loser” is to having lost enough weight that the surgeon is comfortable performing the skin reduction surgery. As if the weight loss, and the chance for the surgery, actually goes away if they don’t hit that magic number by the end of the 1 hour episode.

I’d be far more interested in what the “losers” from the first season look like today. Did they maintain their magical transformations, or have half of them gone back to their original weight?

Back to this week’s episode: She’s already lost over 100 lbs, she’s down to 160-something and looks fantastic! But the narrator / trainer just said “But, she doesn’t look any different from when I last saw her three months ago in the Bahamas…” Are you kidding me? She hasn’t put on an ounce, looks great, “But she doesn’t look any different…” Fuck you. It’s not as if she’s 4 feet tall and 160-ish is fat or something. And then you weigh in and she’s lost another 11 lbs and is down to 150? You, Sir, are a DICK. Double douche-bag points to the show for having her go back to her parents, on camera, and confront them with the emotional reconciliation. Either they agreed to this when the producers contacted them and all the on-camera stuff is fake, or they didn’t and you just sandbagged them. People watch this shit and actually believe it’s real?

Just imagine how much I’d be frothing at the mouth if I wasn’t sitting next to noisy equipment and could actually hear it?

“New Features” alerts in software

In which I rant about software and web site “notifications” telling you about “new” features and permissions they want from you.

There’s a new trend in software development going around where apparently it’s very important that users know about all the wicked cool new features in this latest release, so when a user launches the program, every few seconds the program has to completely block interacting with it to pop up a dialog bubble pointing to the new button that was added to the UI telling you all about this new feature. (I’m looking at YOU, Evernote!)
Open program, click button to open a new document/card/note/workflow/whatever… NO! You have to read about how we’ve added “chat” to this program! (great, yet another “chat” program…). Click to close the stupid dialog bubble, start to type something in the new document, get three words in and BOOM! New dialog bubble! Not only have we added chat, but we’ve added a new button to, I don’t know, make “presentations” of your documents! Click to close dialog bubble, try to finish typing the sentence (and cursing as your thought process has already been disrupted twice) and BOOM! No, it’s really important you know about this completely useless feature!
Why would I want to make “slides” out of my notes? If I want to make a presentation, I’ll use a program designed for presentations… like, I don’t know, PowerPoint?

On a related note, web sites that do this drive me insane, especially on mobile devices. Click on something a friend has shared in Facebook. FB web browser opens, starts to load the site, BANG! “Site would like to know your location and / or send you notifications”. NO. Site loads some more, BOOM! “This site should really be viewed in our APP! Would you like to install the app and read it there?” NO. Loads some more, Blamo! Popup asking you to like / share the site with your friends, so they too can be asked for permission to send them push notifications, track their location and install an app, before reading the more and more marginally informative article.
Page FINALLY starts to become visible. You read the first paragraph and start to scroll down, but NO, the page is actually still loading all the useless menu bar graphics and advertising, and everything moves as it re-renders the new graphics, so instead of touching the text and pushing up to scroll, you just tapped an ad! Wait while the ad loads a completely NEW site, which starts playing a video with obnoxious audio.

Tip to my friends who see a cool video on a web site: if the video embedded in the site is on YouTube, just click the link to go to the YouTube page, then share THAT on FB. It will skip the clickbait site that didn’t actually say anything about the video. (Seriously: “He starts to talk about something boring. But when he gets going? I finished it to the end!” Yes, really, “finished it to the end”. I kid you not. But I digress…) That site had ONE paragraph, that said NOTHING about what the video was about, just that it was something really neat / moving that you just have to watch. OK, just share the damn video link and skip the useless clickbait site.

How not to “describe” your products on web sites

In which I go off on people who use the same item description on multiple online sales listings, each with a variety of features.

Cisco ASA5505-UL-BUN-K9 ASA 5505 Security Appliance vs Cisco ASA5505-50-BUN-K9 Asa 5505 Security Appliance vs Cisco ASA5505-SEC-BUN-K9 ASA 5500 Series Adaptive Security Router Appliance
Yeah, because I enjoy digging through Cisco’s web site to figure out which features are activated by a “UL-BUN-K9” vs a “50-BUN-K9” vs a “SEC-BUN-K9” license. I already have to know a little bit about Cisco to recognize that that string of characters refers to the IOS license version in the first place.

Seriously, if you’re going to sell this stuff on Amazon, don’t use the same description (of the hardware) for every one of them. That’s like putting up 5 different Toyota Corollas on a web site, each with a different VIN and price, but the same stock photo and describing them all as “A popular compact car” and leaving it to the potential buyer to decipher the VIN to find out what options each one has. “Let’s see, a ‘C’ in the 10th digit means it’s a 2012 model year, or maybe a 1982…”

Yes, I know. Someone will probably point out that if you’re shopping for Cisco equipment, you should probably be able to decipher the Cisco IOS license codes.

When default allow rules… don’t.

Now that I have a power supply for the Cisco ASA, I’m trying to get it up and running to sit at the edge of my home network, so I can pull the router to be part of my Cisco lab and it’s driving me crazy.
Its default config as set up by the ASDM setup wizard is supposed to permit all traffic from the “inside” (high security zone) to the “outside” (low security zone). That’s all fine and dandy, until the default NAT/PAT config, which LOOKS like it says “NAT / PAT all traffic from ‘inside’ to the ‘outside’ IP address”, doesn’t.

I don’t want to spend a lot of time learning the intricacies of the ASA OS right now. I’d rather spend it on IOS and working toward the CCENT / CCNA…

LinkedIn spam…

Hmm… two invitations from two different women to “connect” on LinkedIn in the last five minutes, both of them graduates of “The Masters College” in “Greater Los Angeles area”, both working for “Pro Logic Web Design”, both with the exact same work experience and positions held, both trying to sell “$149 web site designs”. I smell a spammer…

Adding my network to Cacti

Geeking with Cacti.

So, geeking out this evening, adding my entire home network infrastructure to Cacti, to track how it’s doing.
I’d already set up all my VMs, the Cisco router and Uverse gateway, and my two hosted servers at Rackspace and Linode months ago.
Tonight I added my ESXi server and both Cisco switches. Of course, not much to see on most of the switch ports, since the only port in use on one of them is the uplink to the other switch (which means the only traffic on that port is Cacti polling its SNMP daemon). But it’s interesting, nonetheless.
I’ll probably do the same on the Cisco lab I build for CCNA study.

Bach “Little” Fugue in G Minor, BWV 578 – Saxophone Quartet

The United States Army Field Band plays Bach’s “Little” Fugue in G Minor, BWV 578 – Saxophone Quartet

One of the most beautiful pieces of music I’ve ever heard, with a wonderful performance.

More Windows patching

More Win2k8 patching

Well it looks like that Win2k8 server successfully patched. Or at least got past the .NET Framework 3.5 patches that were hanging it up. Now I’m going through a series of .NET Framework 4.0 patches. Making snapshots every step of the way for quick rollback if it decides to throw a wobbly at any time.

Windows patching hell

A Unix sys admin struggling with patching Windows servers.

Never thought I’d end up babysitting MS Windows server patching and pulling my hair out as it takes an hour or more to install 100+ patches, reboot, 30 minutes “finalizing” the updates, declare it “failed” and 90 more minutes “reverting” the installs before rebooting again, wash, rinse, repeat, until you successfully tell it which patch NOT to install.
I’m a Unix admin for Pete’s sake. There’s a reason I don’t (normally) do Windows. The only time a Linux server takes so long to boot is when it’s running on bare metal that takes 30 minutes to POST and/or it has lots of LUNs assigned and it takes a while to sort them all out.
I was hoping to have this 2008 server to a state that I could start installing the software it needs by the end of the day.

FINALLY it finished reverting and rebooting. Luckily it didn’t back out 100+ updates. The only one left to install is the one troublesome update that should be done last, because it causes this problem if you don’t.

Nope, spoke too soon. Had it re-check for updates and it now says ALL of the updates from the last go round still need to be installed. But now I see there’s a second update that partners with the known one, so hopefully de-selecting that one as well will fix the issue.

(And in another in a list of firsts that came with this job: never thought I’d be adding a new “Windows” sub-category under the System Administration category of this blog.)

First day on the new job

WAY overdressed for my first day on the job. Khakis and a button-up shirt, sports coat and nice shoes. Boss showed up in Bermuda shorts and a polo, with sneakers. About the same way he dressed when I interviewed, but that was a Friday, so I had no way to judge just how casual was “casual” the rest of the week.

I think I’m going to like it here. I can run home during lunch to change clothes.

And I’ll see what a scrum looks like for the first time.
Worked with “agile” developers at the last job, but we didn’t take part in their scrums.

Quite a storm 

Wow, this storm stretches all the way across Texas, from Oklahoma to Mexico…


The Fort Worth Botanic Gardens, Memorial Day, 2015

Fort Worth Botanic Gardens, Memorial Day weekend, 2015, with Kem, Martin, Mandie and Lyla.

FWBG


IPv6 has come to Uverse

More than a year after my 3800HGV-B Uverse modem actually acknowledged that such a thing as “IPv6” existed, it appears it is actually making it available for use.
Now to see if I can get my Cisco router to play nice…

Uverse modem IPv6 configuration

The Spam Folder

Server-side vs. client-side spam filtering.

After my post about what causes mail to go to the spam folder, a reader asked:

So why did I have to tell my new computer and new email system a dozen times that Facebook posts of various types were not spam before I could get it to stop throwing them all in my spam folder?


Memorial Day – 2015

Remembering my grandfather this Memorial Day

It’s Monday, 25 May, 2015; Memorial Day here in the United States.
This is the day we remember those who gave their lives in service to our country.

Today, I remember my grandfather, Lt. Herbert David Edelstein.
He was a navigator aboard a B-17 bomber (no known nickname or nose art), 367th Bombardment Squadron – Heavy, 306th Bombardment Group (“The Reich Wreckers”, tail insignia “Triangle H”), 40th Combat Bombardment Wing, Heavy, 1st Bombardment Division, VIII Bomber Command.

367th Bombardment Squadron (Heavy) emblem

306th Bombardment Group, Heavy

1st Combat Bombardment Wing (Heavy)

VIII Bomber Command


Blog crashing browser

My own blog crashes my own browser.

Well that’s just lovely. My own blog is crashing my web browser. I can access the “admin” page (and thus make posts) just fine, but loading the main screen takes forever and eventually crashes that browser tab. This is a Linux box running an older Core 2 Duo CPU and 4 gigs of RAM. It should take more than a blog page to do that.
Suspicion so far falls on the cross-posting plugin that makes my blog posts appear on Facebook, Twitter, Google+, etc, and allows people visiting my blog to “share” posts on those services. Watching the Chrome developer tools while the page loads, it’s taking forever to pull up links to sites I’ve certainly never directly linked to, such as “bizographics.com”.
Oddly enough, some of the worst offenders are Google Syndication and Google Ad Services. I don’t run Google AdWords (or anything like it) on my blog…

What causes email to go to the spam folder?

A quick guide to some of the things ISPs look for to decide whether a message should go to the Inbox or the spam folder.

Recently a former colleague reached out to me on Linkedin to ask:

I have a question regarding email delivery. What cause emails to go into someone’s spam email box? I understand that there maybe(sic) filters that looks at the content to make that determination. I would think there are many other factors.

I replied:

Yes, there’s quite a number of things that can cause mail to go to the spam folder. The contents of the message are a big factor. Of course every ISP applies different rules, so what causes mail to go into the spam folder of a Yahoo! mailbox will differ from what matches the rules on Gmail, or Hotmail, etc. Some ISPs will allow certain mail through, but put it in the Spam folder that other ISPs would just reject outright when the sending mail server connects to send it.

Are you having a specific problem that you’re trying to solve?

He responded:

I don’t have a specific problem. Just interested in understanding how spam filtering works. Since I know an expert, why not ask directly.

Are there headers the ISPs look at to validate the email?

I wrote up a quick primer on some of the esoterica of spam filtering.
This is by no means comprehensive, and not guaranteed 100% accurate.


Ansible and Variables

A basic explanation of Ansible and a discussion of variable usage.

I’ve been talking about Ansible on Facebook lately and the other day a friend asked me about Ansible and variables. I gave her a quick explanation, then told her I’d do a more thorough writeup that would be easier to follow than my “stream of consciousness” explanation given in FB messages.
It occurred to me that I’m planning to do a “lunch and learn” on Ansible at work soon, and I could re-use the same material, so I’ll just post this publicly. I plan for this to be the first in a series on DevOps, integration, idempotency, configuration management and Ansible. So without further ado…

For those who have not seen my posts on Facebook, Ansible is a configuration management tool for provisioning, deploying and configuring servers and applications. It is one of a series of such tools that have come out in the last few years, such as Puppet, Chef and Saltstack. It is designed to be fast, easy to use, powerful, efficient and secure. It is serverless and agentless. It aims to be idempotent.

I can’t speak to Puppet, Chef or Saltstack as I’ve never used them.

Addressing these one at a time, not necessarily in the order presented above:

  • Secure: Everything is done through SSH tunnels. No passwords and no configuration files are ever sent over the network in the clear. Set up your SSH keys and you don’t have to worry about typing passwords either.
    There is no agent software running on the managed machines, so there’s no listening agent to attack.

  • Easy to use: “I wrote Ansible because none of the existing tools fit my brain. I wanted a tool that I could not use for 6 months, come back later, and still remember how it worked.” (Michael DeHaan, Ansible project founder)

  • Efficient: No agents, just SSH (or PowerShell with Windows, but I won’t get into that.) The only software required on the managed machine is an SSH daemon and Python.

  • Serverless and Agentless: As I’ve already mentioned, there’s no agent running on the managed server. If you can ssh into it and run Python, you’re good to go.
    There is no central server, full of manifests, menus, etc. You can run it from your desktop or laptop. Again, if you have Python, you’re good to go (Python has its own SSH client implementation.) Just make sure you back up your playbook and roles. Git is a great place for this!

  • Idempotency: This is one of the most important! It means you should be able to run your Ansible script against a managed host at any time, and not break it. If anything is not configured the way it is supposed to be, the Ansible script will put it back the way it should be. Shell scripts have to be written very carefully to detect if something doesn’t need to be done. It’s also notoriously difficult to modify files with shell scripts (unless you’re really good with tools like sed and awk, or perhaps Perl…)

Some vocabulary before we begin:

  • playbook: A file defining which hosts you want to manipulate and what roles you want to apply to those hosts, as well as what tasks you want to run.

  • roles: A defined list of tasks to be run when the role is called, as well as any files to be installed, templates to be applied, dependency information, etc.

  • inventory: A file listing every server you will manage with Ansible, and what groups they belong to. A host can belong to any number of groups, including none at all, and groups can be members of other groups.

  • host_vars & group_vars: Directories with files containing variables specific to certain hosts (host_vars) and host groups (group_vars). These variables are used in your tasks and roles.

Now, on with the discussion of variables. Here was Kathryn’s original question:

How do variables work with dependencies in roles? Meaning, if a role is dependent on another, can it access the variables of the other at run time?

I started to answer with an example we use at work: we have a “common” role that sets up some users with specific UIDs that we want on all our servers, and an “apache” role that depends on that common role (e.g. it needs the www user created by common). Kathryn further asked:

Okay, say “application” depends on “common” and “common” has default variables… would “application” pick up “common”‘s defaults?

Yes! For example, we have in our “common” role a task file which pushes out customized /etc/sudoers.d files, depending on what the server will do, what environment it will be in, etc. One of the tasks looks like this:

NOTE: the language used to write Ansible files, YAML, is whitespace sensitive. The leading spacing on every line matters, so if you copy these examples make sure the indentation survives intact.

  - name: Sudoers - push sudoers.d/hadoop_conf
    template: >
      src=sudoers_hadoop_conf.j2
      dest=/etc/sudoers.d/hadoop_conf
      owner=root
      group=root
      mode=0440
    when: hadoop_cluster is defined

Note the last line: “when: hadoop_cluster is defined”. “hadoop_cluster” is a variable. This variable isn’t actually defined in our role, but rather in the playbook, or in a host_var or group_var file. In this case we have a group_vars/all_hadoop file. Any task run on any server that is part of the “all_hadoop” group in the inventory will have the variables defined in this group_var file. This file contains:
# file: group_vars/all_hadoop

hadoop_cluster: true

In this case “hadoop_cluster” is defined, and has a value of “true”. Our task above doesn’t care about the value, only that the variable is defined at all. If I run the above task on the server “namenode1”, and “namenode1” is in a group called “all_hadoop” in my inventory file, it will inherit the variables in group_vars/all_hadoop; “hadoop_cluster” is therefore defined, so the task will be run.
Another role or task, which might be part of the “common” role or in a completely different role, will be able to access the same variable and act on it. That role / task might actually care about the value of the variable, and would be able to see that value. Or it might just care that the variable is defined.

Another example: I built a role for a set of servers at work. In our development environment we wanted to allow the developers actually writing the code for the applications to run on those servers to be able to use sudo to gain root access. I added another task to the same file as our Hadoop example above:
  - name: Sudoers - push sudoers.d/nova_conf
    template: >
      src=sudoers_project_conf.j2
      dest=/etc/sudoers.d/project_conf
      owner=root
      group=root
      mode=0440
    when: allow_project_sudo is defined

In our inventory, the development servers for this project are in a “dev_project” group, and there’s a group_vars/dev_project file that defines “allow_project_sudo”. We also have a “production_project” group in our inventory which contains the production servers for this project. The “allow_project_sudo” variable is NOT defined in group_vars/production_project, so that sudoers file is not pushed out.

Directly addressing Kathryn’s question about one role being able to call variables “defined” by another role (although I’ve already addressed the fact that roles don’t really “define” variables, they just access them), I have this task:
  - name: Build ssh key files
    assemble: >
      src={{ item.user }}_ssh_keys
      dest=/home/{{ item.user }}/.ssh/authorized_keys
      owner={{ item.user }}
      group={{ item.group }}
      mode=0600
      remote_src=false
      backup=yes
    with_items:
      - { user: 'projectuser', group: 'projectgroup' }
    when: allow_project_sudo is defined

Again, we look to see if “allow_project_sudo” is defined; if so, we build a .ssh/authorized_keys file for the user “projectuser”, allowing all those same devs to ssh into the server as that user. This task also includes the intriguing and useful “with_items”. This allows for a form of looping, such that it will actually perform this task for each item listed in the “with_items” block, redefining the “item.user” and “item.group” variables used in the src, dest, owner and group lines in the task.
We actually define two variables in our “with_items”. Each line in “with_items” is an “item”. In this case we have two variables (basically an associative array), and we can reference the key/value pairs in the array. “item.user” has the value “projectuser”. “item.group” has the value “projectgroup”. Thus our “assemble” becomes, on the first iteration of “with_items”:

  assemble: >
    src=projectuser_ssh_keys
    dest=/home/projectuser/.ssh/authorized_keys
    owner=projectuser
    group=projectgroup
    mode=0600
    remote_src=false
    backup=yes

This basically says “grab all the files (presumably ssh key files) in the directory “projectuser_ssh_keys” (stored inside a directory in our role) and build, on the managed host, a file called “authorized_keys” in the directory /home/projectuser/.ssh, make that file owned by projectuser:projectgroup, with -rw------- permissions. Oh, and back up the original file first, just in case.”
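To tie Kathryn’s question together end to end, here is a small, self-contained layout I put together for this post (an added example, not a copy of our work roles): an inventory with a dev and a production group, a group_vars file that exists only for dev, a “common” role with defaults, and an “application” role that depends on “common” and reads those defaults. Every host, group, user and file name is made up, the module arguments use YAML mapping style instead of the key=value form above, and it assumes a roles/application/files/projectuser_ssh_keys directory holding the public keys; the visudo validation on the sudoers template is my own addition.

```yaml
# file: inventory
[dev_project]
devapp1
devapp2

[production_project]
prodapp1

# file: group_vars/dev_project
# Defined only for the dev group. There is no such line for
# production_project, so every task guarded by
# "allow_project_sudo is defined" is skipped on prodapp1.
allow_project_sudo: true

# file: roles/common/defaults/main.yml
# Defaults live with the role; a role that depends on "common"
# sees them too, which is the answer to "would application pick
# up common's defaults?"
project_user: projectuser
project_group: projectgroup

# file: roles/common/tasks/main.yml
- name: Create the project group on every host
  group:
    name: "{{ project_group }}"

- name: Create the project user on every host
  user:
    name: "{{ project_user }}"
    group: "{{ project_group }}"

- name: Sudoers - push sudoers.d/project_conf only where sudo is allowed
  template:
    src: sudoers_project_conf.j2
    dest: /etc/sudoers.d/project_conf
    owner: root
    group: root
    mode: "0440"
    # Refuse to install a sudoers fragment that does not parse,
    # so a bad template cannot lock root out of sudo.
    validate: "visudo -cf %s"
  when: allow_project_sudo is defined

# file: roles/application/meta/main.yml
# Declares the dependency: "common" always runs first, and its
# defaults (project_user, project_group) are in scope below.
dependencies:
  - role: common

# file: roles/application/tasks/main.yml
- name: Make sure the .ssh directory exists for the project user
  file:
    path: "/home/{{ project_user }}/.ssh"
    state: directory
    owner: "{{ project_user }}"
    group: "{{ project_group }}"
    mode: "0700"
  when: allow_project_sudo is defined

- name: Build ssh key files for each project account
  assemble:
    # Directory of public key files shipped inside this role.
    src: "{{ item.user }}_ssh_keys"
    dest: "/home/{{ item.user }}/.ssh/authorized_keys"
    owner: "{{ item.user }}"
    group: "{{ item.group }}"
    mode: "0600"
    remote_src: no
    backup: yes
  with_items:
    # item.user / item.group come from common's defaults via the dependency.
    - { user: "{{ project_user }}", group: "{{ project_group }}" }
  when: allow_project_sudo is defined

# file: site.yml
- hosts: dev_project:production_project
  become: yes
  roles:
    - application   # pulls in "common" through meta/main.yml
```

Run it with `ansible-playbook -i inventory site.yml`: the user and group get created on all three hosts, while the sudoers fragment and authorized_keys file only land on devapp1 and devapp2.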

When you love without limits…

Best line I’ve heard all week:

When you love without limits, unconditionally,
when you love without fear,
then you shall be free.

Email message receipts

Dear Customer,

Expecting our secure message receipts to behave exactly like Outlook message receipts is just plain silly. Here’s a tip: our application is NOT OUTLOOK. No, receipts returned by our mail encryption system do not use Outlook-specific properties like "OutlookMessageClass". Since our receipt is just an email message, it’s up to Outlook to decide what message class it is. If it doesn’t set it to the same "class" as the return receipts generated BY Outlook, well, we have no control over that.

(Tip number 2: Yes, Outlook/Exchange dominate the business email market. However they do NOT define how email works. Please stop expecting everything on the Internet to conform to the Microsoft Way.)

Testing out Windows Live Writer

Just messing around with the Windows Live blog client.

Not really a big fan of MS freebie "non-commercial" tools, but Windows Live Mail is a big step up from Outlook Express. Just kind of curious how this works.

Dear Computer User,

Customer Support are not mind readers.

When emailing tech support about an issue with a user’s account, please keep in mind we don’t know who “Joan Smith” is. If you want us to do something for her email address, include her email address!

Oh, I’m sorry, did you need me to interpret that error message for you?

Dear Computer User,

When sending an error message to Tech Support, it’s generally helpful to say something about the message you are forwarding. We are not mind readers. Something like “I was doing X and clicked Y and this error message appeared” goes a long way to diagnosing the problem. While we’re at it, if the error message clearly says what the problem is, and it’s not something we can fix for you, but rather you need to fix for yourself, why waste our, and your, time?
To wit: forwarding us an email bounce message (and ONLY the bounce message!), when the bounce says:

The mail system

: host mail1.company.com[IP.AD.DR.ESS]
said: 550 5.1.1
: Recipient address
rejected: User unknown in virtual mailbox table (in reply to RCPT TO
command)

Says exactly what it means: User unknown. Forwarding this message to tech support of the sending mail server (without even saying why you’re sending it to them) is like dialing a phone number, getting a “number has been disconnected or is no longer in service” message, recording it, then dialing 411 and just playing the recording back to them. Expecting the operator at the phone company to figure out that what you REALLY meant was “Why is my friend not answering the phone?” is rather silly. Expecting them to give you an answer more informative than “that number is out of service” is only marginally less silly.

Regards,

Every Technical Support Representative on the planet

Office annoyances

Dear Coworker,

You have a private office. This office has a door. Please close said door when you’re going to use speaker phone for extended periods.

Info, please?

Dear Computer User,

Sending tickets to Support with a subject line of just “Help” (even when spelled correctly!) is not very helpful for the poor techs who are staring at a screen full of tickets, trying to prioritize which ones need immediate assistance and who can wait.

This falls in the “It’s broken. Fix it.” category. Help me help you.

Thank you,

Your friendly neighborhood support technician

Dear Computer User,

“Intranet Explorer”? Seriously?

Some details, maybe?

Dear Computer User,

Do you call your doctor and say “I don’t feel well”?
Do you call your mechanic and say “My car isn’t working right”?
Then why in God’s name do you email tech support and say “it isn’t working”? We can’t help you fix it if you don’t tell us WHAT is wrong.

More Geocaching

Heading out for an afternoon of geocaching with Kem.
We’re going to try to hit 10 caches in one day!

Mail and Network admins

I am so tired of dealing with mail and network admins who haven’t the slightest clue about DNS. I hate having to waste half an hour explaining PTR records to people who should already understand this basic stuff.

Swype

I got a new Android phone the other day (T-Mobile Vibrant / Samsung Galaxy S) that comes pre-installed with Swype. I’m not as fast or proficient as the guy in the demo videos yet, but it’s a hell of a lot faster than tapping.
Anyone else have it, and what do you think of it?

Manipulating maildirs at the filesystem level

Let’s hear it for being able to manipulate your mail directory structure at the file system level and still be able to access it through Thunderbird.

DJBDNS and IPv6

DJBDNS must run as two separate instances to bind to both an IPv4 and an IPv6 address.

Tip: When patching DJB’s “dnscache” for IPv6, you can’t just tell it to bind to both the IPv4 and IPv6 addresses. You will need to run two separate instances, one binding to the IPv4 address, one binding to the IPv6 address.
I haven’t checked, but I’m betting my tinydns instance is also not binding to both addresses and will have to be run as two separate instances as well.

The AT&T tech just finished installing the Uverse modem and I just completed the “registration”. First thing I did was hit speedtest.net of course.

Speed test

Not bad. Not bad at all, when I was quoted “12Mbps”. 10Mbps actual is pretty good.

Fixing Vmware virtual disks

Having hosed a Gentoo guest on a VMware ESXi host by filling the partition (which VMware really doesn’t like), then attempting to fix it by mounting the partition in another guest and fsck’ing it first, I got the error message “the parent virtual disk has been modified since the child was created” when I tried to boot the original Gentoo guest.
Googling pointed me to a nice post at Recovering VMware snapshot after parent changed.
Step two lists the following caveat:

“Look at the size of the snapshot virtual hard disk. If it is more than 2GB and you’re running a 32-bit OS, or it is more than the amount of memory that you have available, the following method will probably not work. You’re welcome to try though.”

I found this wasn’t an issue, as it appears (at least as of ESXi 4.x) VMware has separated the vmdk “header” and “data”, putting the “header” in the “hostname.vmdk” file and the actual data in “hostname-flat.vmdk”. The original vmdk is now only a couple of hundred bytes and easily edited in vi. Grabbing the CID from Gentoo.vmdk and setting parentCID in Gentoo000001.vmdk to match had me back up and running (at least to the point that I could boot the Gentoo guest from an Ubuntu ISO, access the file system and clean it up; I moved /home to a new partition, fixing the space issue).
Next time, I’ll just be smart and build all systems with LVM, then I can just add more physical extents when I need more space.
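To make the manual vi edit above repeatable and checkable, here is an added Python example (not from the post, and not a VMware tool) that parses the small text descriptor .vmdk files, reports whether a snapshot child’s parentCID still matches its parent’s CID, and rewrites the child to match. The two descriptors are constructed sample data: the CID values are made up, and only the commonly seen descriptor keys are used.

```python
"""Check and repair the CID chain between a VMware base disk and its snapshot child.

Added example. The descriptor text below is constructed; CIDs are invented.
"""
import re

# key=value lines of a descriptor; values may be quoted, keys may contain dots (ddb.*)
DESCRIPTOR_KV = re.compile(r'^\s*([A-Za-z][A-Za-z0-9.]*)\s*=\s*"?([^"]*)"?\s*$')

# Constructed base disk descriptor ("hostname.vmdk" in the post's terms).
PARENT_VMDK = """# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=a1b2c3d4
parentCID=ffffffff
createType="vmfs"

# Extent description
RW 4194304 VMFS "Gentoo-flat.vmdk"

# The Disk Data Base
#DDB
ddb.virtualHWVersion = "7"
"""

# Constructed snapshot descriptor whose parentCID no longer matches the base.
CHILD_VMDK = """# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=5e6f7a8b
parentCID=00000001
createType="vmfsSparse"
parentFileNameHint="Gentoo.vmdk"

# Extent description
RW 4194304 VMFSSPARSE "Gentoo-000001-delta.vmdk"
"""


def parse_descriptor(text: str) -> dict:
    """Return the key=value fields; comments, blank lines and extent lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DESCRIPTOR_KV.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_chain(parent_text: str, child_text: str) -> dict:
    """Does the child's parentCID match the parent's current CID?"""
    parent, child = parse_descriptor(parent_text), parse_descriptor(child_text)
    pcid, ccid = parent.get("CID"), child.get("parentCID")
    return {"parent_cid": pcid, "child_parent_cid": ccid,
            "consistent": pcid is not None and pcid == ccid}


def relink_child(parent_text: str, child_text: str) -> str:
    """Return the child descriptor with parentCID set to the parent's CID (the vi edit)."""
    cid = parse_descriptor(parent_text)["CID"]
    new_text, n = re.subn(r"^(parentCID\s*=\s*)\S+", r"\g<1>" + cid,
                          child_text, count=1, flags=re.M)
    if n != 1:
        raise ValueError("child descriptor has no parentCID line")
    return new_text


if __name__ == "__main__":
    print("before:", check_chain(PARENT_VMDK, CHILD_VMDK))
    fixed = relink_child(PARENT_VMDK, CHILD_VMDK)
    print("after: ", check_chain(PARENT_VMDK, fixed))
```

The mismatch is exactly what the error message in the post reports: the base disk was written to outside the snapshot chain, so its CID changed and the child still names the old one. Relinking only tells VMware to accept the chain again; it does not make the delta consistent with a base whose contents changed underneath it, which is why this is a recovery step (followed here by booting a rescue ISO and cleaning up) rather than a routine fix.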

Twitter Updates for 2009-11-22

  • Back from honeymoon, just opened wedding gifts. #

Powered by Twitter Tools

Google’s Holiday Gift: Free Wi-Fi at Airports

Cool. Now why couldn’t they have done this YESTERDAY, when it was useful to me?

Google’s Holiday Gift: Free Wi-Fi at Airports.

Twitter Updates for 2009-11-06

  • RT @feather802 Currently fulfilling my primary purpose in life: Cat Bed – We were doing that this morning, too. #

Twitter Updates for 2009-11-05

  • Rep. McCaul is an idiot making any such statements without more information. #FtHoodShootings #

Twitter Updates for 2009-11-03

  • RT @tomservo79 Marriage is a Lovecraftian ritual meant to summon Yogsothoth. Gay marriages are all about Cthulu. The divide is pretty clear. #
  • RT @choochoobear It might be a little longer before the drippy faucet in my tub is fixed. – I hear they have pills for that now. #

Twitter Updates for 2009-11-02

  • RT @nprpolitics Tech alert: The @nprtechteam is live-tweeting NPR.org's switch from Oracle to MySQL tonight. #
  • RT @BrentSpiner the only rolls I regret have complex carbs. — now there's an actor who knows where his bread is buttered. #
  • RT @martinbogo @strongbow Heh, and Mr. Spiner is looking a bit like you and me these days … – now be nice! #

Twitter Updates for 2009-10-31

  • Who wants a Google Wave invite? #

Twitter Updates for 2009-10-29

  • #tmh20 OK, get on with the zombie gag already. #
  • Obviously: there's a Black Lantern controlling them. #tmh20 #
  • #tmh20 don't break the 4th wall, guys! #
  • It's a 20 yo Mercedes. Hotwire the damn thing. #tmh20 #
  • I hope you have some sanitizer. #tmh20 #
  • Zombies and "your moma" cracks? #tmh20 #
  • He's eating cat and rat brains, not lamb and human brain. #tmh20 #
  • No! Don't let him get behind you! #tmh20 #

Seen on Facebook

“In a survey done several years ago George Barna asked American people if they pray and if they believe in God. The results were this, 97% of people pray only 92% of Americans believe in the existence of God. Did you catch that? More people pray than believe in God…”

I suspect only Christians, and to a lesser extent, Jews and Muslims would find anything odd about this. “Do you believe in God?” probably implies the “god” of Abraham to most folks.

Twitter Updates for 2009-10-23

  • reeeeeevertb! Ouch! Can barely understand what you're saying. #tmh19 #
  • I, for one, am glad zombies are replacing "vampires" as the chic horror meme #
  • That's just filled with AWESOME! RT @grantimahara YES! This is exactly the cake that I wanted!! RT @thinkgeek: http://bit.ly/2rvfXT #

Twitter Updates for 2009-10-22

  • Playing Farkle #
  • is seriously hooked on Facebook games. #

Twitter Updates for 2009-10-21

  • Dammit, I've been wanting to meet @choochoobear for a long time, he's going to be at a local con… ON MY WEDDING DAY! TANJ! #

Twitter Updates for 2009-10-20

  • Just finished addressing a bunch of wedding invitations. Now know more than I want to about MS Office mail merge. #

Whyreboot?

Nifty tool I just read about that tells you what will happen next time you reboot your Windows system. The idea being when you install an app that insists you must reboot to complete the install, this tool will tell you what’s going to happen.
Read about it here: http://blog.rootshell.be/2008/02/13/why-reboot/