Link:
https://dannyman.toldme.com/2016/02/09/tech-tip-self-documenting-config-files/
One of my personal “best practices” is to leave myself and my colleagues hints as to how to get the job done. Plenty of folks may be aware that they need to edit /etc/exports
to add a client to an NFS server. I would guess that the filename and convention is decades old, but who among us, even the full-time Unix guy, recalls that you then need to reload the nfs-kernel-server
process?
For example:
0-11:04 djh@fs0 ~$ head -7 /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# ***** HINT: After you edit this file, do: *****
# sudo service nfs-kernel-server reload
# ***** HINT: run the command on the previous line! *****
#
Feedback Welcome
Link:
https://dannyman.toldme.com/2016/02/13/bernie-sanders-vs-henry-kissinger/
I finally caught a Democratic Debate last night, thanks to a gracious wife who helped our son to bed. I’m a Sanders guy, I send him $25/mo. I recently read that he’s the only candidate who pays his interns, which I like for several reasons: economic opportunity for young folks, which our country needs, and my hunch is that someone getting the opportunity to earn a paycheck is going to have a little more earnestness than a more privileged kid who is taking the job to build a resume. Even more, it puts a price on one’s commitment: time is at a premium for me, but my $25/mo should cover two hours of intern labor. I feel a connection …
At the debate, I was a little disappointed in Bernie. Ask him a question, ask for details, and he’d pivot to any one of several talking points about how we need to regulate the banks, shut down the prisons, hand out tuition … he is an idealist but he is still a politician.
Oh no wait that was an earlier debate. Here’s my summary:
Hillary, I like her fine enough. She had to go ahead and congratulate herself for being in the Situation Room to get Osama killed. Who wouldn’t brag about that one? Then near the end she tried to paint Bernie as a guy who is all busy hating on Obama. Bernie had a good retort that is was Hillary who ran against him in 2008.
The weirdest part was when Bernie started going off about Henry Kissinger. The gist of it is that the man is a war criminal and pals with Clinton. Maybe he could goad her into defending a war criminal? She handled that deftly: she’ll take advice from anyone. I’m no Kissinger fan but that was one of several times when Bernie’s focus seemed more on the mid-20th century than the present day. I appreciate historical perspective, but I worry about the guy coming off as stuck in the past.
I found a good explanation on the Kissinger thing here at “The Intercept”. The gist of it is that yes, Kissinger is an impressively heinous character and a friend of Hillary Clinton, and that there is a larger issue, that Left or Right, there’s a little cabal of hawkish Neocon-leaning foreign policy advisors that make up the Washington Foreign Policy Establishment. Bernie has been dinged for not articulating his vision for foreign policy, but when he lights up on Kissinger, he’s using Kissinger as the bellwether poster child for the Foreign Policy Establishment. He’s essentially saying what he says on a lot of stuff: we can do better.
Dr Henry Kissinger
For what it is worth, here’s what Google responds to the query sanders foreign policy:
The test of a great and powerful nation is not how many wars it can engage in, but how it can resolve international conflicts in a peaceful manner. I will move away from a policy of unilateral military action and regime change, and toward a policy of emphasizing diplomacy, and ensuring the decision to go to war is a last resort.
“Diplomacy. Less war.”
Huh. How about clinton foreign policy:
As secretary of state, I worked to restore America’s leadership in the world. As president, defending our values and keeping us safe will be my top priority. That includes maintaining a cutting-edge military, strengthening our alliances, cultivating new partners, standing up to aggressors, defeating ISIS, and enforcing the Iran nuclear agreement.
“Keep us safe! More military! Defeat ISIS and watch our for Iran!”
Can I get some establishment consensus? Maybe jeb foreign policy:
Obama’s disengagement has contributed to growing threats to our national security, including radical Islamic terrorism, Iranian aggression, an emboldened Putin, and an assertive China. Adversaries do not fear us and allies do not trust us. I will rebuild America’s military, restore our credibility and leadership, and repair our broken alliances.
“Muslims! Iran! Russia! China! More military!”
It would seem that this isn’t about Bernie being stuck in the 20th Century. Bernie’s beef is that Washington is stuck in the late 20th Century. The same advice that got us in bed with the Shah of Iran, that stoked the revolution there, is the same advice that got us mired in Vietnam and armed Al Qaeda, is the same advice that later got us mired in Iraq, and it is this same advice that is likely to bite us in the future.
I think one could debate the merits of interventionism versus the blowback and unintended consequences. Okay, Kissinger is a bad guy: I get it. Bernie, what should we do different and how do you honestly figure it will play out? Americans are not naturally fond of interventionism, but it seems to have worked well enough for us most days. Most days, it is foreigners who pay the price. Foreigners … and our soldiers. In Vietnam it was The Draft and it seems that everyone in my parents’ generation carries some subtle emotional scar from that. Foreigners, soldiers, conscripts … on 9/11 it was office workers, police and firefighters. But we don’t talk about 9/11 as blowback for interventionism.
I don’t know the specifics, but one has to figure there could be some better ideas about how a powerful nation can lead the world toward the better, while shedding less blood. I click back to Google, and scroll through statement after statement from Sanders that sounds sane, rational and level-headed to me. A pastiche:
Indeed, Sanders said, “I supported the use of force in Afghanistan to hunt down the terrorists who attacked us.”
Sanders said the war with the terror organization, which released videos this week that threatened attacks in Washington and New York, “must be done primarily by Muslim nations with the strong support of their global partners.”
“The war against ISIS, a brutal and dangerous organization, cannot be won unless the Muslim nations which are most threatened — Saudi Arabia, Kuwait, Qatar, Turkey, Iran and Jordan — become fully engaged, including the use of ground troops,” Sanders said.
“It must be destroyed not just by the United States of America alone. In many respects, what ISIS wants is a clash of civilizations,” Sanders said.
“With the third largest military budget in the world and an army far larger than ISIS, the Saudi government must accept its full responsibility for stability in their own region of the world,” he added
But, Sanders added: “I oppose, at this point, a unilateral American no-fly zone in Syria, which could get us more deeply involved in that horrible civil war and lead to a never-ending U.S. entanglement in that region.”
“I fear very much that supporting questionable groups in Syria who will be outnumbered and outgunned by both ISIS and the Assad regime could open the door to the United States once again being dragged back into the quagmire of long-term military engagement,” he said.
In a later tweet, Sanders insisted, “We will not destroy ISIS by undermining the Constitution and our religious freedoms.”
From what I can see, Bernie articulates what sounds to me some reasonable ideas about foreign policy. Nations have to take care of their own regional problems. We should help out. But we can’t win what isn’t really our fight.
What does Clinton have on offer?
To support troops from Iraq and around the region, the U.S. should “immediately deploy the special operations force President Obama has already authorized and be prepared to deploy more as more Syrians get into the fight,” Clinton said.
On ABC, Clinton said: “We have to fight in the air, fight on the ground and fight them on the Internet. We have to do everything we can with our friends and partners around the world. That’s what we’ll hear from the president, to intensify the current strategy.”
Yet Clinton cynically told corporate executives at a 2011 State Department roundtable on investment opportunities in Iraq, “It’s time for the United States to start thinking of Iraq as a business opportunity.”
Oh Google, your algorithms seem to have a Socialist bias. At any rate, I feel better about where my sympathies lie.
Feedback Welcome
Link:
https://dannyman.toldme.com/2016/02/25/http-auth-ssl-load-balancer-401/
I wanted to share a clever load balancer config strategy I accidentally discovered. The use case is you want to make a web service available to clients on the Internet. Two things you’ll need are:
1) an authentication mechanism
2) encrypted transport (HTTPS)
You can wrap authentication around an arbitrary web app with HTTP auth. Easy and done.
For encrypted transport of web traffic, I now love sslmate is the greatest thing since sliced bread. Why?
1) Inexpensive SSL certs.
2) You order / install the certs from a command line.
3) They feed you the conf you probably need for your software.
4) Then you can put the auto-renew in cron.
So, for example, an nginx set up to answer on port 443, handle the SSL connection, do http auth, then proxy over to the actual service, running on port 12345:
server {
listen 443;
server_name example.com;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:12345;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
auth_basic "Restricted"; #For Basic Auth
auth_basic_user_file /etc/nginx/.htpasswd; #For Basic Auth
}
# Sample config from https://sslmate.com/help/buy
ssl on;
ssl_certificate_key /etc/sslmate/example.com.key;
ssl_certificate /etc/sslmate/example.com.chained.crt;
# Recommended security settings from https://wiki.mozilla.org/Security/Server_Side_TLS
# &c.
}
The clever load balancer config? The health check is to hit the server(s) in the pool, request / via HTTPS, and expect a 401 response. The load balancer doesn’t know the application password, so if you don’t let it in, you must be doing something right. If someone mucks with the server configuration and disables HTTP AUTH, then the load-balancer will get 200 on its health checks, regard success as an error, and “fail safe” by taking the server out of the pool, thus preventing people from accessing the site without a password.
Tell the load balancer that success is not an acceptable outcome
Feedback Welcome