OpenSSH 10th Anniversary

Today marks the 10th Anniversary of the OpenSSH project, a 100% free implementation of the SSH protocol.

SSH is something we all take for granted now and it’s hard to imagine life without it. It certainly forms one of the most important tools in any computer system engineer’s toolbox, but we rarely give it much thought.

Kudos to the OpenSSH team for working so hard on this vital piece of infrastructure software.

Posted in Sysadmin

From the makers of StackOverflow and ServerFault: StackExchange

As you may or may not know, I’m a big fan of both StackOverflow and ServerFault. I think the community-moderated question-answer format is great, and I have also envisioned many other niches in which this type of software could be used.

It was probably inevitable, but Fog Creek Software is now launching a SaaS service that lets you create your own similar sites, StackExchange:
I want my StackExchange

Pricing starts at $129/mo for 1m page views. Given that each page is essentially a heavily-keyworded bit of content, it should be quite possible to make this kind of money back using targeted ads.

Posted in Internet

Bcfg2 1.0 pre3 now available

Version 1.0pre3 was released today with a rather massive overhaul of the codebase. Most notably, over 10,000 lines of code were removed as the dependency on the tlslite library was dropped in favor of using the native Python SSL bindings.

The complete release announcement from the bcfg2-dev mailing list:

In time for the long weekend, we’re pleased to announce the availability
of bcfg2-1.0pre3. This release has a number of large improvements over
the previous prerelease. We have switched to the in-python ssl module,
(which is included with 2.6, and available for 2.3-2.5), threaded the
server, improved many of the client tool drivers, added a server
performance profiling interface, greatly improved the Packages plugin
and many other things. (a high-level detailed summary follows) As
always, there are bugfixes and documentation updates as well.

This release has benefited greatly from a number of users who have done
heroic testing of some of the new features; this release includes a lot
of new code, and a lot less old code. We’ve been able to remove the
python ssl implementation we’ve been carrying for quite some time.

As always, this release is the result of the efforts of a number of
folks. Problems can be reported here, in trac or on irc.
-nld

Detailed Changes
* Server Core
** Fix Pkgmgr virtual package target binding (Reported by TimL)
** rework File Monitoring code/adapt to new server infrastructure
** Fix updates for VCS plugins
** New server performance interface
*** Provides scalable aggregate performance data for server operations
** Report deprecated plugins, improve reporting for experimental plugins
** Implement support for .genshi bundles in Bundler
** Packages
*** Yum improvements and bugfixes
*** Support for multi-arch yum sources
*** Implement dependency resolver debugging
*** Improve error handling
** SGenshi: improve error handling
** Schema update from TimL (related to the service schema change)
* SSL
** We now use the ssl module included with python2.6 (this has been backported to 2.3-2.5)
** Certificate-based authentication is supported
** Implementation is backward compatible to 0.9.6 clients
** strict cert auth, cert or password, or bootstrap (password once, then cert only) are supported
** Clients now authenticate servers by commonName (not fingerprint)
** Use of certifications require a CA to be used
** The server is now multithreaded

* Tool driver fixes
** APT.Remove: Split up package names properly
** Chkconfig patch from leggett
** Fix RcUpdate driver regressions
** Initial IPS (Opensolaris) driver
** Fix YUMng -r behavior
** Fix portage driver traceback (Resolves Ticket #649)
** YUMng: Fix for RHEL5 (patch from Tim Lazlo)
** YUMng: Fix version=auto for epoch-sensitive packages
** Update RcUpdate tool driver to catch all services
** Remove deprecated RPM and Yum drivers

* Snapshots
** Add extra/bad entry reporting
** Add revision to bcfg2-admin snapshots reports
** Remove ad-hoc error handling in favor of normal bcfg2-admin mode handling
** fix Statistics data location in importer
** minor cosmetic updates

* Other
** Add bash completion for bcfg2-admin
** Fix daemonize exit status
** Fix builds with the redhat specific rpm packaging
** lots of py 2to3 and pylint updates
** Fix py2.4 portability (try/except/finally is 2.5+) (Reported by Lisa Giacchetti)
** Include ignores for Pkgmgr updates (patch from zultron)
** Update bcfg2 manpage for multiple bundles
** bcfg2 client: remove agent support

* Bugfixes
** Fix fam tracebacks for Ticket #650
** Add support for probed groups in bcfg2-admin query (Resolves Ticket #647)
** Display diff in interactive mode (for Ticket #526)
** Fix fd leak caused by our use of the subprocess API
** Fix reversed options (Reported by Kamil Kisiel)
** Logging: Fix reconnect when using /dev/log
** Handle import errors in the help path (Resolves Ticket #653)
** Modify bcfg2-repo-validate to warn on xml duplicates (for Ticket #643)
** Metadata: fix default group assertion
** Fix exit in bcfg2-info

As for me, I’ve once again made available RPM packages for most major distributions at my openSUSE build service repository.

As of yet, they’re functionally untested so it’s possible there may be some dependencies missing. Please try to install them and report any problems.

Posted in Sysadmin

Offline backups are important

Just came across this article on the BBC about a popular flight simulation site that was hacked. Apparently their only means of backup was to copy the data between their two servers. Unfortunately for them, the “hackers” got into both servers and destroyed the data. Approximately 13 years’ worth of work now cannot be recovered. While I feel sorry for the owners of the site and hope that they can get much of their information back through Archive.org or Google Cache, the whole thing could probably have been prevented with a small investment in an offline backup strategy.

Posted in Sysadmin

Don’t buy a Netgear GS105!!!

I’m talking about the Netgear ProSafe Gigabit Switch. The thing is an utter piece of garbage and has caused me no end of grief.

I bought one with the intent of using it to connect my workstation to my new OpenSolaris file server I’ve built. It certainly looked like an attractive package. Tiny footprint, low power, just enough ports for my small office, and Gigabit connectivity. Great, right?

That is, until I tried to use the damn thing. I’ve spent the last week trying numerous network adapters, OS’s, drivers, on my desktop. I’ve tried several different Intel gigabit network adapters, and the onboard Realtek adapter on my desktop. The Realtek connects at 100 Mbps, while the Intel adapters can only muster a measly 10 Mbps. It’s like being back in the early 90’s. What the heck? My OpenSolaris machine, which has another Realtek adapter, is able to connect at a full 1000 Mbps, but only after negotiating away for a while with the switch. If I connect my machines directly together, they negotiate a 1000 Mbps connection in under a second. Connecting them to the switch leads to 30 or 40 seconds of trying to figure some crap out.

And before someone suggests it, yes I’ve checked the cabling. I’ve tried something like 5 or 6 different ethernet cables, all CAT 5E, all of them tested with other equipment at the office. No dice.

Apparently I’m not alone.

Funny thing is, I borrowed a Netgear GS608, a similar product but in a shinier looking case, and it had the same fricking problem!

My recommendation is to avoid these products at all costs if you value your sanity.

Posted in Hardware

Bcfg2 RPMs available from openSUSE build service

I’ve started building Bcfg2 RPMs using openSUSE’s build service. They’re available for most popular RPM based distros from http://download.opensuse.org/repositories/home:/kisielk/

Currently I only have builds from the 1.0.0pre2 tarball available but I’m considering also uploading some SVN snapshots in the future.

I’ll also eventually be producing builds for deb based systems, once I figure that out.

I’m hoping this will eventually be incorporated “officially” into the Bcfg2 project.

Please note that the packages are currently largely untested in actual use since I don’t have virtual machines set up with most of these distros at this point. I’d welcome everyone to test them and report any problems to me either in #bcfg2 on irc.freenode.org or by email to kamil@kamilkisiel.net

Posted in Sysadmin

enzyme.vim – A Terminal.app friendly color scheme

I finally got fed up of not being able to read code in Terminal.app when it was being highlighted in Vim. It seems no matter what color scheme I used, there was always some text that I couldn’t see properly. This is mostly because Terminal.app renders red and blue too dark to be readable in many conditions if they are set on a black background.

I decided to bite the bullet and write my own Vim theme, which actually wasn’t that hard. It’s called enzyme and you can get it from vim.org. It currently doesn’t do anything fancy, but it’s readable under Terminal.app and that’s all I care about.

Feedback and improvements are appreciated. Make sure you follow the instructions for setting up your terminal.

Posted in Programming

Bcfg2 0.9.6 Released!

Get it while it’s hot: http://trac.mcs.anl.gov/projects/bcfg2/wiki/Download

I also have an upcoming series of blog posts about managing systems with Bcfg2 in the works. Look for it soon.

Posted in Sysadmin

Bcfg2 0.9.6pre3 released

The 3rd prerelease of Bcfg2 0.9.6 is now available.

For those not in the know, Bcfg2 is a system that:

helps system administrators produce a consistent, reproducible, and verifiable description of their environment, and offers visualization and reporting tools to aid in day-to-day administrative tasks.

Basically it comes down to managing your system configurations from a central location and then pulling (or optionally, pushing) the configuration data down to each machine. This ensures your machines are in a known state, and eliminates the need to go around to each one and manually verify or copy configuration.

Other tools in this category include Puppet or CFEngine, but IMO Bcfg2 trumps either of those.

Check it out. If you have any questions, feel free to come to #bcfg2 on irc.freenode.net and someone can surely help you out.

Posted in Sysadmin

Connecting to a Cisco IPSEC VPN from Linux — without the Cisco client

So, let’s say your workplace uses a Cisco IPSEC VPN solution. Many places do. Let’s also say you at home have a Linux machine. Being the good Linux user that you are, you keep your system well patched and run a recent kernel release.

You download the Cisco VPN client — from your corporate website since, of course, Cisco would never make such a thing publicly downloadable... who does that anyway?

You extract the tarball, run the vpn_install script as instructed and BAM. The whole thing bombs! Why? Because your system is too cutting edge for the guys at Cisco to keep up (clearly!). So, your possible solutions are:

1. Dig through a bunch of random internet forums, searching for the right combination of patches and command incantations that will make the damn thing work on your particular OS and kernel version.
2. Ditch the piece of junk altogether and install something nicer.

So which should we do? Alright.. let’s go with option 1… just kidding, I mean 2.

Enter a wonderful piece of software called vpnc. Now, I’ll be the first to admit I don’t know much about how this particular piece of software works. And that’s the great thing. Getting the VPN connection up and going was just that simple. So here’s how:

1. I presume your company uses a PCF file alongside their Cisco VPN client. If not, you have to figure out how to enter the settings yourself. Download this .pcf file and put it somewhere, say ~/mycompany.pcf
2. Download http://svn.unix-ag.uni-kl.de/vpnc/trunk/pcf2vpnc
3. Install vpnc. If you use Ubuntu, this means aptitude install vpnc. Yes, that is all.
3. Run pcf2vpnc mycompany.pcf mycompany.conf
4. cp mycompany.conf /etc/vpnc/
5. sudo vpnc mycompany
6. There is no step 6!

Oh yeah, at some point you want to disconnect and go do something else other than work. For that use sudo vpnc-disconnect.

I tested this on Hardy Heron; results may vary between distributions.

When running pcf2vpnc you may receive the following message:

Can't exec "cisco-decrypt": No such file or directory at ./pcf2vpnc line 30.
cisco-decrypt not in search path,
adding passwords in obfuscated form



This just means that your VPN configuration will contain your password in obfuscated form instead of plaintext; it does not mean the conversion failed.

Update 2009/02/20:
Someone has posted a howto which can work for OS X as well: http://www.gdanko.net/vpnc.html

Update 2009/06/15:
If you receive an error message such as

vpnc: no response from target

you need to add the line

NAT Traversal Mode cisco-udp

to your mycompany.conf file.
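
Whichever form pcf2vpnc writes, mycompany.conf ends up holding the VPN credentials; the obfuscated form is what cisco-decrypt turns back into plaintext, so it needs the same protection. The shell function below is an added example, not part of the original post or of vpnc: it audits a generated profile before it is copied to /etc/vpnc/. The vpnc option names it greps for are assumed from vpnc's config format, and the sample profile and all its values are constructed.

```shell
# audit_vpnc_conf FILE
# Prints one finding per line; returns 0 if clean, 1 if permissions are too
# open, 2 if the file is missing.
audit_vpnc_conf() {
    conf=$1
    rc=0
    [ -f "$conf" ] || { echo "error: $conf not found"; return 2; }

    # The profile holds credentials: group and other need no access at all.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "perms: group/other bits are '$perms', run chmod 600"
        rc=1
    fi

    # Plaintext credentials (option names assumed from vpnc's config format).
    if grep -Eq '^(IPSec secret|Xauth password) ' "$conf"; then
        echo "secret: plaintext credential stored in file"
    fi
    # Obfuscated credentials, written when cisco-decrypt was not found.
    # Obfuscation is reversible, so the file needs the same protection.
    if grep -Eq '^(IPSec obfuscated secret|Xauth obfuscated password) ' "$conf"; then
        echo "secret: obfuscated credential stored in file"
    fi

    # Report the NAT traversal setting from the 2009/06/15 update.
    natt=$(sed -n 's/^NAT Traversal Mode //p' "$conf")
    echo "natt: ${natt:-not set}"
    return "$rc"
}

# Constructed sample profile; gateway, ID, secret and user are made up.
demo_dir=$(mktemp -d)
cat > "$demo_dir/mycompany.conf" <<'EOF'
IPSec gateway vpn.example.com
IPSec ID examplegroup
IPSec obfuscated secret 0123456789ABCDEF
Xauth username alice
EOF
chmod 644 "$demo_dir/mycompany.conf"
audit_vpnc_conf "$demo_dir/mycompany.conf" || echo "-> fix the findings above"
chmod 600 "$demo_dir/mycompany.conf"
audit_vpnc_conf "$demo_dir/mycompany.conf" && echo "-> ok to install"
rm -rf "$demo_dir"
```

Run it against the converted file before step 4; a profile that passes can be copied with cp -p so the 600 mode is preserved.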

Posted in Desktop