Chris' Laws of Oncall
I’ve spent almost twenty years in tech, almost all of that time in operations of some kind and carrying a pager. I have developed “Chris’ Laws of On-Call”, most of which will overlap with similar laws created consciously or unconsciously by anyone required to carry the weight of the pager.
Ansible Role for RHEL Atomic Host
This morning I was asked by a friend if I could share any Ansible roles we use at $WORK for our Red Hat Atomic Host servers. It was a relatively easy task to review and sanitize our configs - Atomic Hosts are so minimal, there’s almost nothing we have to do to configure them.
Statement of GPG Key Transition
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1,SHA512 Fri Dec 9 11:49:22 EST 2016 Statement of GPG Key Transition ------------------------------- In order to replace my older DSA-1024 key, I have set up a new OpenPGP key, and will be transitioning away from my old key. The old key will continue to be valid until 2017-06-01, but future correspondence should come to the new key. I would like the new key to be integrated into the web of trust.
Apache HTTPS configuration – June 2015
HTTPS is HTTP over TLS. It allows you to encrypt traffic to and from your web server, providing privacy and security for your clients. As of this writing, the world is moving ever closer to HTTPS everywhere: thanks to the Snowden documents, there’s been a big push for more privacy and security. Major companies like Google and Mozilla are securing traffic by default for all their applications. Cloudflare is offering free HTTPS encryption between clients and their servers.
Some Real-World Info on POODLE (CVE-2014-3566)
TL;DR: Remove SSLv3 - the impact is likely very small. We’ve now removed SSLv3 from about 1000 servers in our environment. So far, we’ve only had one issue - a script used to call an API started to fail. The issue was the ruby rest client > 1.7.0. (Yes, that’s greater-than.) Removing from Apache: SSLv3 is easy to remove in Apache. You probably want this in your ssl.conf (or whatever the equivalent is for your distro):
“Cloud-style” Docker Demo Container
Completed a first pass at a minimal “Cloud-style” Docker container. It’s sort of like an EC2 instance. You generate an ssh pem file, and pass the public key in as an environment variable at docker run:
sudo docker run -i -t -d -P \
  -e PUBKEY="$(cat ~/.ssh/my.pem.pub)" cloudbase
You end up with a CentOS container, and a user “clouduser” that has passwordless sudo rights. I think this would be a good way to get some folks interested in Docker - perhaps offering something like this as a playground/sandbox to build interest.
SSH In a Docker CentOS Container
However, more Google-ing turns up that Docker explicitly drops the audit-related capabilities that are required for this to work, causing an error to be returned to PAM. This means that it’s not ever going to work in a Docker container unless the Docker code is changed. That’s out of my hands, though.