A quick little snippet to check when an SSL certificate on a remote server is expiring:

1

openssl s_client -connect mail.example.com:25 | openssl x509 -noout -enddate

Works for any kind of SSL service, not just SMTP.

Jordan’s posted a comprehensive setup guide for OpenVPN with OpenLDAP on his blog. Looks like OpenVPN is a great way to set up a simple client VPN solution, and the cost is certainly a lot lower than solutions from Cisco.

Check it out.

Today marks the 10th Anniversary of the OpenSSH project, a 100% free implementation of the SSH protocol.

SSH is something we all take for granted now and it’s hard to imagine life without it. It certainly forms one of the most important tools in any computer system engineer’s toolbox, but we rarely give it much thought.

Kudos to the OpenSSH team for working so hard on this vital piece of infrastructure software.

As you may or may not know, I’m a big fan of both StackOverflow and ServerFault. I think the community moderated question-answer format is great, and I also envisioned many other niches in which this type of software could be used.

It was probably inevitable, but Fog Creek Software is now launching a SaaS service that lets you create your own similar sites, StackExchange:

Pricing starts at $129/mo for 1m page views. Given that each page is essentially a heavily-keyworded bit of content, it should be quite possible to make this kind of money back using targeted ads.

Version 1.0pre3 was released today with a rather massive overhaul of the codebase. Most notably, over 10,000 lines of code were removed as the dependency on the tlslite library was dropped in favor of using the native Python SSL bindings.

The complete release announcement from the bcfg2-dev mailing list:

In time for the long weekend, we’re pleased to announce the availability
of bcfg2-1.0pre3. This release has a number of large improvements over
the previous prerelease. We have switched to the in-python ssl module,
(which is included with 2.6, and available for 2.3-2.5), threaded the
server, improved many of the client tool drivers, added a server
performance profiling interface, greatly improved the Packages plugin
and many other things. (a high-level detailed summary follows) As
always, there are bugfixes and documentation updates as well.

This release has benefited greatly from a number of users who have done
heroic testing of some of the new features; this release includes a lot
of new code, and a lot less old code. We’ve been able to remove the
python ssl implementation we’ve been carrying for quite some time.

As always, this release is the result of the efforts of a number of
folks. Problems can be reported here, in trac or on irc.
-nld

Detailed Changes
* Server Core
Fix Pkgmgr virtual package target binding (Reported by TimL)
rework File Monitoring code/adapt to new server infrastructure
Fix updates for VCS plugins
New server performance interface
Provides scalable aggregate performance data for server operations
Report deprecated plugins, improve reporting for experimental plugins
Implement support for .genshi bundles in Bundler
Packages
Yum improvements and bugfixes
Support for multi-arch yum sources
Implement dependency resolver debugging
* Improve error handling
SGenshi: improve error handling
Schema update from TimL (related to the service schema change)
* SSL
We now use the ssl module included with python2.6 (this has been backported to 2.3-2.5)
Certificate-based authentication is supported
Implementation is backward compatible to 0.9.6 clients
strict cert auth, cert or password, or bootstrap (password once, then cert only) are supported
Clients now authenticate servers by commonName (not fingerprint)
Use of certifications require a CA to be used
** The server is now multithreaded

• Tool driver fixes
  APT.Remove: Split up package names properly
  Chkconfig patch from leggett
  Fix RcUpdate driver regressions
  Initial IPS (Opensolaris) driver
  Fix YUMng -r behavior
  Fix portage driver traceback (Resolves Ticket #649)
  YUMng: Fix for RHEL5 (patch from Tim Lazlo)
  YUMng: Fix version=auto for epoch-sensitive packages
  Update RcUpdate tool driver to catch all services
  Remove deprecated RPM and Yum drivers

• Snapshots
  Add extra/bad entry reporting
  Add revision to bcfg2-admin snapshots reports
  Remove ad-hoc error handling in favor of normal bcfg2-admin mode handling
  fix Statistics data location in importer
  ** minor cosmetic updates

• Other
  Add bash completion for bcfg2-admin
  Fix daemonize exit status
  Fix builds with the redhat specific rpm packaging
  lots of py 2to3 and pylint updates
  Fix py2.4 portability (try/except/finally is 2.5+) (Reported by Lisa Giacchetti)
  Include ignores for Pkgmgr updates (patch from zultron)
  Update bcfg2 manpage for multiple bundles
  bcfg2 client: remove agent support

• Bugfixes
  Fix fam tracebacks for Ticket #650
  Add support for probed groups in bcfg2-admin query (Resolves Ticket #647)
  Display diff in interactive mode (for Ticket #526)
  Fix fd leak caused by our use of the subprocess API
  Fix reversed options (Reported by Kamil Kisiel)
  Logging: Fix reconnect when using /dev/log
  Handle import errors in the help path (Resolves Ticket #653)
  Modify bcfg2-repo-validate to warn on xml duplicates (for Ticket #643)
  Metadata: fix default group assertion
  Fix exit in bcfg2-info

As for me, I’ve once again made available RPM packages for most major distributions at my openSUSE build service repository.

As of yet, they’re functionally untested so it’s possible there may be some dependencies missing. Please try to install them and report any problems.

Just came across this article on the BBC about a popular flight simulation site that was hacked. Apparently their only means of backup was to copy the data between their two servers. Unfortunately for them, the “hackers” got in to both servers and destroyed the data. Approximately 13 years worth of work that now cannot be recovered. While I feel sorry for the owners of the site and hope that they can get much of their information back through Archive.org or Google Cache, the whole thing could probably have been prevented with a small investment in to an offline backup strategy.

I’m talking about the Netgear ProSafe Gigabit Switch. The thing is an utter piece of garbage and has caused me no end of grief.

I bought one with the intent of using it to connect my workstation to my new OpenSolaris file server I’ve built. It certainly looked like an attractive package. Tiny footprint, low power, just enough ports for my small office, and Gigabit connectivity. Great, right?

That is, until I tried to use the damn thing. I’ve spent the last week trying numerous network adapters, OS’s, drivers, on my desktop. I’ve tried several different Intel gigabit network adapters, and the onboard Realtek adapter on my desktop. The Realtek connects at 100 mbps, while the Intel adapters can only muster a measly 10 mbps. It’s like being back in the early 90’s. What the heck? My OpenSolaris machine, which has another Realtek adapter, is able to connect at a full 1000 mbps, but only after negotiating away for a while with the switch. If I connect my machines directly together, they negotiate a 1000 mbps connection in under a second. Connecting them to the switch leads to 30 or 40 seconds of trying to figure some crap out.

And before someone suggests it, yes I’ve checked the cabling. I’ve tried something like 5 or 6 different ethernet cables, all CAT 5E, all of them tested with other equipment at the office. No dice.

Apparently I’m not alone.

Funny thing is, I borrowed a Netgear GS608, a similar product but in a shinier looking case, and it had the same fricking problem!

My recommendation is to avoid these products at all costs if you value your sanity.

I’ve started building Bcfg2 RPMs using openSUSE’s build service. They’re available for most popular RPM based distros from http://download.opensuse.org/repositories/home:/kisielk/

Currently I only have builds from the 1.0.0pre2 tarball available but I’m considering also uploading some SVN snapshots in the future.

I’ll also eventually be producing builds for deb based systems, once I figure that out.

I’m hoping this will eventually be incorporated “officially” in to the Bcfg2 project

Please note that the packages are currently largely untested in actual use since I don’t have virtual machines set up with most of these distros at this point. I’d welcome everyone to test them and report any problems to me either in #bcfg2 on irc.freenode.org or by email to kamil@kamilkisiel.net

I finally got fed up of not being able to read code in Terminal.app when it was being highlighted in Vim. It seems no matter what color scheme I used, there was always some text that I couldn’t see properly. This is mostly because Terminal.app renders red and blue too dark to be readable in many conditions if they are set on a black background.

I decided to bite the bullet and write my own Vim theme, which actually wasn’t that hard. It’s called enzmye and you can get it from vim.org. It currently doesn’t do anything fancy, but it’s readable under Terminal.app and that’s all I care about.

Feedback and improvements are appreciated. Make sure you follow the instructions for setting up your terminal.

Get it while it’s hot: http://trac.mcs.anl.gov/projects/bcfg2/wiki/Download

I also have an upcoming series of blog posts about managing systems with Bcfg2 in the works. Looks for it soon.