Planet Redpill Linpro

13 December 2017

Redpill Linpro Sysadvent

Using ssh_config(5) and FoxyProxy for fun and profit

The other day, as I just had updated my workstation to Fedora 27, I realized maybe the Include statement in ssh_config(5) had been implemented. And indeed it had.

So it’s time to reorganize my ssh-config-generate script, FoxyProxy browser plugin for tunneling web traffic through ssh, and maybe even setting up ...

Wed 13 Dec 2017, 23:00

12 December 2017

Redpill Linpro Sysadvent

iPXE and automated provisioning

Provisioning of new servers can be a daunting experience. Back in the day it meant booting the machine from a CD or a DVD and making choices by hand. Automating the installation process makes it faster and less prone to human error.

Network installation helps the process, but you still ...

Tue 12 Dec 2017, 23:00

11 December 2017

Redpill Linpro Sysadvent

Care and feeding of SMTP honeypots

In parallel with an SSH/telnet honeypot, I’m also running an SMTP honeypot using INetSim. The SMTP honeypot is only one of many functions of INetSim; this article will cover the SMTP component only.

The SMTP part of INetSim has been configured with the following settings in inetsim.conf:

Mon 11 Dec 2017, 23:00

10 December 2017

Redpill Linpro Sysadvent

Allow backup sysadmins to gain access through a "Break the Glass"-solution

I want backup sysadmins to have login access to some systems, with said access rarely (if ever) used. To prevent abuse I’d like strong audit logging, logging that stands out from the rest of all the logging, logging that cannot be tampered with, and that can easily be followed up ...

Sun 10 Dec 2017, 23:00

09 December 2017

Redpill Linpro Sysadvent

Running Jekyll with Docker and OpenShift

OpenShift is currently en vogue in the company. The ease of use and scalability found in a container based system allows us to automate the build and deployment steps of containers through software like Kubernetes/OpenShift.

Jekyll

We have visited Jekyll in several previous blog posts. Our techblog and ...

Sat 09 Dec 2017, 23:00

08 December 2017

Redpill Linpro Sysadvent

A quick look at Thruk

Thruk comes natively with Naemon, and is a free and open source, full drop-in replacement web interface for Nagios, Icinga and Shinken. These are flexible tools for alerting us when something goes horribly wrong, and Thruk adds a few tricks for even better monitoring.

With this blog ...

Fri 08 Dec 2017, 23:00

07 December 2017

Redpill Linpro Sysadvent

Reduce disk bloat in PostgreSQL

Lately I have been working a bit with the monitoring platform Zabbix, and the instance in question is backed by the

Thu 07 Dec 2017, 23:00

06 December 2017

Redpill Linpro Sysadvent

fail2ban: To SSH and beyond

fail2ban is one of several tools designed to protect other services by blocking unwanted and possibly repeating activities. Its most common use case is probably protecting the SSH server from bruteforce attacks, where repeatedly failed login attempts will be generously rewarded with an iptables firewall ban or some other variant ...

Wed 06 Dec 2017, 23:00

05 December 2017

Redpill Linpro Sysadvent

Getting started with OpenShift – The OpenShift all-in-one cluster

OpenShift Container Platform (OCP) builds on Docker for container-technology and Kubernetes for orchestration of those containers. OpenShift solves the network annoyances in Kubernetes and adds features like authentication and authorization, multi-tenancy, source-to-image (S2I) and templating of applications.

To easily get started with OpenShift development, the OpenShift client (oc) ...

Tue 05 Dec 2017, 23:00

04 December 2017

Redpill Linpro Sysadvent

Fast and dirty RPMs

Everything was ready. The deploy should have been clean and fast. But then, the developers had added just another language module. Not a big thing, just something you could have pulled ...

Mon 04 Dec 2017, 23:00

03 December 2017

Redpill Linpro Sysadvent

Everyday Docker

The first time I successfully fired up a container I was pretty excited with the potential this tool had to make a lot of everyday tasks much easier. For example when I had a colleague ask for package xyz from EPEL/PPA made available from our internal mirrors, I could just ...

Sun 03 Dec 2017, 23:00

02 December 2017

Redpill Linpro Sysadvent

Varnish and misbehaving application servers

Sometimes you come across problems with websites that normal configuration does not address usefully. A case in point was a PHP-based application that from time to time returned a 302 to a login page instead of the front page, which is not optimal when you serve news articles.

Our solution ...

Sat 02 Dec 2017, 23:00

01 December 2017

Redpill Linpro Sysadvent

Using Ansible to change root passwords

While dropping root account passwords completely in favour of sudo is an option in many cases, we prefer keeping root passwords around for when we need direct console access. We keep these passwords in an encrypted password-store (we will write about this in a later blog post this season), and ...

Fri 01 Dec 2017, 23:00

Ingvar Hagelund

Dynamic DNS helper scripts

While dynamic DNS is a wonderful tool for automation and orchestration, tools for easy cleaning up and logging changes are needed. This post describes a couple of scripts that may help.

Read the rest of this post on Redpill Linpro SysAdvent Calendar.

by ingvar at Fri 01 Dec 2017, 12:44

30 November 2017

Redpill Linpro Sysadvent

Dynamic DNS helper scripts

While dynamic DNS is a wonderful tool for automation and orchestration, tools for easy cleaning up and logging changes are needed. This post describes a couple of scripts that may help.

...

Thu 30 Nov 2017, 23:00

29 November 2017

Redpill Linpro Sysadvent

Welcome to the third season of our SysAdvent Blog!

The staff at Redpill Linpro will this December again run an advent calendar with sysadmin-related content!

Our season three of the SysAdvent Calendar will kick off, as expected, on December 1st.

As with the original sysadvent blog, the article contents this year will range from containers and openshift to ...

Wed 29 Nov 2017, 23:00

14 November 2017

Magnus Hagander

PGConf.EU 2017 - time for the statistics

For anybody following this blog, you'll know I do this every year. PGConf.EU completed several weeks ago, and we have now collected the statistics, and I'd like to share some numbers.

Let me start with some statistics that are not based on the feedback, but instead based on the core contents of our registration database. I've had several people ask exactly how we count our attendees when we say it's the largest PGConf.EU ever, so here are the numbers:

Our total number of attendees registered was 437. This includes all regular attendees, speakers, training attendees, sponsor tickets and exhibitor only tickets. Of these 437 people, 12 never showed up. This was a mix of a couple of sponsor tickets and regular attendees, and 3 training attendees. This means we had 425 people actually present.

We don't take attendance each day. Right after the keynote on the first day there were just over 20 people who had not yet shown up, and by the end of the conference that number was down to 12. There were definitely fewer than 400 people who remained on a late Friday afternoon for the closing sessions, but at lunchtime the crowd was approximately the same size.

On top of the 437 registered attendees, we also had 5 further sponsor tickets that were never claimed. And we had another 59 people still on the waitlist, since we were unfortunately up against venue limits and were not able to sell all the requested tickets.

by nospam@hagander.net (Magnus Hagander) at Tue 14 Nov 2017, 20:56

27 October 2017

Ingvar Hagelund

copr packages of varnish-5.2, varnish-modules and miscellaneous vmods for el6 and el7

Some weeks ago, the Varnish Cache project released a new upstream version 5.2 of varnish cache. I have built a copr repo with varnish packages for el6 and el7 based on the fedora package, and a selection of matching vmods.

The following vmods are available:

Included in varnish-modules:
vmod-cookie
vmod-header
vmod-saintmode
vmod-softpurge
vmod-tcp
vmod-var
vmod-vsthrottle
vmod-xkey

Packaged separately:
vmod-geoip
vmod-basicauth
vmod-curl
vmod-digest
vmod-memcached
vmod-querystring
vmod-rfc6052
vmod-uuid

Please test and report bugs. If there is enough interest, I may consider pushing these to Fedora as well. Packages are available at https://copr.fedorainfracloud.org/coprs/ingvar/varnish52/

by ingvar at Fri 27 Oct 2017, 20:53

15 October 2017

Tore Anderson

IPv6 roaming in Sweden

I attended the Netnod Tech Meeting 2017 in Stockholm earlier this week. As I usually do when going abroad, I spent some time testing to what extent IPv6 works while roaming in the various PLMNs I have access to.

The previous posts in this series are:

Test results

Telia - MCCMNC 24001

Home PLMN      | Tech | IPV6 PDP context | IPV4V6 PDP context
Telenor Norway | 2G   | Fails            | IPv4-only connection
Telenor Norway | 3G   | Fails            | IPv4-only connection
Telenor Norway | 4G   | N/A (no service) | N/A (no service)

It would appear that Telenor Norway does not have a 4G roaming agreement with Telia. My phone was unable to register in Telia’s 4G network, at least.

In 3G and 2G coverage, I could register, but IPv6 did not work. Requesting dual stack connectivity would only yield IPv4. This is of course a quite acceptable outcome for the vast majority of users, as the Internet will ostensibly work just fine.

In all likelihood the IPv6 failures observed on 2G and 3G are due to Telenor Norway’s HLR removing the IPv6 capabilities from my subscriber profile before transmitting it to Telia’s vSGSN. This is done to forestall the possible IPv6-related failures described in RFC 7445 sections 3 and 6.

Presumably Telenor Norway will, at some point in the future, remove this IPv6 capability blacklisting for Telia, after having ascertained that Telia’s 2G/3G network does not have any issues with supporting the IPv6 PDP types.

3 - MCCMNC 24002

Home PLMN      | Tech | IPV6 PDP context | IPV4V6 PDP context
Telenor Norway | 3G   | Fails            | IPv4-only connection
Telenor Norway | 4G   | Works perfectly  | Works perfectly

In 4G coverage, IPv6 works perfectly. In 3G coverage, it fails - presumably due to the same IPv6 capability blacklisting as described above for Telia.

I did however notice at one point that if I connected a dual stack IPV4V6 PDP context while in 3’s 4G network, and then moved into an area that had only 3G coverage, IPv6 kept working perfectly. Thus it would appear that 3’s 3G network has no issues supporting visiting subscribers using IPv6.

Note that 3 does not operate a 2G network.

Tele2 - MCCMNC 24007

Home PLMN      | Tech | IPV6 PDP context | IPV4V6 PDP context
Telenor Norway | 3G   | Fails            | IPv4-only connection
Telenor Norway | 4G   | Works perfectly  | Works perfectly

Same results as for 3.

I did not get to test physically moving from 4G to 3G coverage. That said, I know for a fact that Tele2 provides IPv6 to their own mobile subscribers, so it seems like a safe bet to assume that their 3G network would support IPv6 just fine, if it hadn’t been for Telenor’s IPv6 capability blacklisting.

Telenor Sweden - MCCMNC 24008

Home PLMN      | Tech | IPV6 PDP context | IPV4V6 PDP context
Telenor Norway | 3G   | Works perfectly  | Works perfectly
Telenor Norway | 4G   | Works perfectly  | Works perfectly

Perfect score. It is perhaps not surprising that if a single Swedish operator would be fully «IPv6-approved», and therefore exempt from Telenor Norway’s IPv6 capability blacklisting, it would be their Swedish sister company Telenor Sweden.

It might also be worth noting that Telenor Sweden is the vPLMN my phone prefers to register in if I leave it in the default automatic mode. Therefore, for Telenor Norway subscribers, IPv6 Just Works while visiting Sweden - unless one manually fiddles around with the network settings.

Net4Mobility - MCCMNC 24024

Home PLMN      | Tech | IPV6 PDP context | IPV4V6 PDP context
Telenor Norway | 2G   | Works perfectly  | Works perfectly

Perfect score.

The Net4Mobility PLMN is, as far as I can understand, a joint venture between Tele2 and Telenor Sweden that provides shared 2G coverage for both of those providers. That is, if I lock my phone on to MCCMNC 24007 (Tele2) or 24008 (Telenor Sweden), it will nevertheless change to 24024 (Net4Mobility) if I also limit it to 2G only.

This means Net4Mobility is logically part of Telenor Sweden’s network, and thus it makes sense that it, like MCCMNC 24008, is exempt from Telenor Norway’s IPv6 capability blacklisting.

Sun 15 Oct 2017, 00:00

12 October 2017

Tore Anderson

IPv6 roaming in Czechia

I spent this weekend in Czechia. As I usually do when going abroad, I spent some time testing to what extent IPv6 works while roaming in the various PLMNs I have access to.

The previous posts in this series are:

Those posts contain some more technical background about the testing methodology, so I suggest you skim through them in order to better interpret the test results in this post.

Test results

T-Mobile - MCCMNC 23001

Home PLMN      | Tech | IPV6 PDP context | IPV4V6 PDP context
Telenor Norway | 2G   | Fails            | IPv4-only connection
Telenor Norway | 3G   | Fails            | IPv4-only connection
Telenor Norway | 4G   | Works perfectly  | Works perfectly

While in 2G and 3G coverage Telenor’s HLR/HSS blacklisting trick comes into play, blocking any kind of IPv6 usage. (See the IPv6 roaming in Belgium and Romania post for an explanation of what that trick is.)

These results do not necessarily mean that T-Mobile has a problem with supporting IPv6 on 2G and/or 3G. It could very well be that it is entirely due to Telenor’s HLR/HSS blacklisting, and that it would start working immediately if Telenor were to move T-Mobile to their IPv6 whitelist.

When in 4G coverage, IPv6-only and dual stack work perfectly. This is as expected, because the HLR/HSS blacklisting trick does not work on 4G.

O2 - MCCMNC 23002

Home PLMN      | Tech | IPV6 PDP context | IPV4V6 PDP context
Telenor Norway | 2G   | Fails            | IPv4-only connection
Telenor Norway | 3G   | Fails            | IPv4-only connection
Telenor Norway | 4G   | Works perfectly  | Works perfectly

Exactly the same results as T-Mobile. Telenor’s HLR/HSS IPv6 blacklisting in action.

Vodafone - MCCMNC 23003

Home PLMN      | Tech | IPV6 PDP context | IPV4V6 PDP context
Telenor Norway | 2G   | Works perfectly  | Works perfectly
Telenor Norway | 3G   | Works perfectly  | Works perfectly
Telenor Norway | 4G   | Works perfectly  | Works perfectly

Vodafone is the only Czech operator to get a perfect score. IPv6-only and dual stack connectivity always works, regardless of the technology used.

Thu 12 Oct 2017, 00:00

27 September 2017

Pontus Ullgren

Running Jolokia JVM Agent with Mule standalone runtime

Jolokia is a great way to monitor JVM applications and provides easy access to all the JMX goodies using simple JSON over HTTP. I would say that it has almost become the de facto standard when it comes to monitoring and managing Java applications.

While Jolokia does provide a specialized Mule agent, that agent does not allow us to expose the Jolokia interface over HTTPS (or to enable TLS client authentication). Both are supported by the Jolokia JVM Agent, which also works great with the Mule Server Runtime. In this blog post I give step-by-step instructions on how to start the Jolokia JVM Agent with the Mule runtime and enable HTTPS and basic authentication.

by Pontus Ullgren at Wed 27 Sep 2017, 08:00

15 August 2017

Magnus Hagander

ftp.postgresql.org is dead, long live ftp.postgresql.org

As Joe just announced, all ftp services at ftp.postgresql.org have been shut down.

That of course doesn't mean we're not serving files anymore. All the same things as before are still available through https. This change also has an effect on any user still accessing the repositories (yum and apt) using ftp.

There are multiple reasons for doing this. One is that ftp is an old protocol and in a lot of ways a pain to deal with when it comes to firewalling (both on the client and server side).

The bigger one is the general move towards encrypted internet. We stopped serving plaintext http some time ago for postgresql.org, moving everything to https. Closing down ftp and moving that over to https as well is another step of that plan.

There are still some other plaintext services around, and our plan is to get rid of all of them replacing them with secure equivalents.

by nospam@hagander.net (Magnus Hagander) at Tue 15 Aug 2017, 19:23

31 July 2017

Tore Anderson

Huawei ME906s-158 (a.k.a. HP lt4132): Linux and IPv6 support (or lack thereof)

I recently purchased a new laptop, an HP EliteBook 820 G4. When ordering, I was given the choice of two different LTE WWAN modems: the HP lt4120 and the HP lt4132. The former is a rebranded Foxconn T77W595, while the latter is a rebranded Huawei ME906s-158.

Both modems cost about the same and there were reports of people getting them both working under Linux, so it didn’t seem to matter much which of them I chose. I eventually decided on the lt4132, the primary reason being that its specifications clearly state that it supports IPv6. This made the lt4132 seem like the safe choice, as I was unable to easily confirm that the lt4120 supported IPv6.

I was wrong. I should have opted for the lt4120. Read on for the details.

Linux support

The lt4132 did not work out of the box with my preferred Linux distribution Fedora 26; ModemManager didn’t recognise it as a supported modem.

The modem was visible in the output from usb-devices, however:

T:  Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#=  3 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs=  3
P:  Vendor=03f0 ProdID=a31d Rev=01.02
S:  Manufacturer=HP
S:  Product=HP lt4132 LTE/HSPA+ 4G Module
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=2mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
I:  If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=06 Prot=00 Driver=cdc_ether
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=06 Prot=10 Driver=(none)
I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=(none)
I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=(none)
I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=(none)
I:  If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=(none)

The problem here is Cfg#= 2, indicating that the modem is in configuration 2. The Linux kernel selects configuration 2 by default, but that does not work with ModemManager. Configuration 3 (MBIM mode) is a much better choice.

Changing to configuration 3 is easy enough (the sysfs writes below need root). Note that it is essential to first deconfigure the device by selecting configuration 0 and wait a few milliseconds. Going directly from 2 to 3 does not work. Thus:

$ echo 0 > /sys/bus/usb/devices/1-3/bConfigurationValue
$ sleep 1
$ echo 3 > /sys/bus/usb/devices/1-3/bConfigurationValue

The 1-3 part might not be correct for your system. If it’s not, grep lt4132 /sys/bus/usb/devices/*/product will probably tell you what the correct sysfs device path is.

This made ModemManager recognise the modem. At this point I could run nmcli con add type gsm ifname '*' apn telenor.smart to make NetworkManager successfully establish a mobile data connection. Well, ostensibly - it still didn’t quite work. All the data traffic was being blackholed. This was solved by enabling the ndp_to_end USB quirk, like so:

$ echo Y > /sys/class/net/wwp0s20f0u3c3/cdc_ncm/ndp_to_end

In the future, the lt4132 will be better supported out of the box. It will not be necessary to manually deal with these settings; the upcoming version of usb_modeswitch will automatically select USB configuration 3, and a patch I wrote to automatically enable the ndp_to_end USB quirk will be part of the Linux kernel starting with version 4.13.

In the interim, however, it is easy enough to automate the application of these tweaks by using udev rules. Simply create a file called, e.g., /etc/udev/rules.d/hp-lt4132.rules and add the following three lines to it:

ACTION=="add|change", SUBSYSTEM=="usb", ATTR{idVendor}=="03f0", ATTR{idProduct}=="a31d", ATTR{bConfigurationValue}!="3", ATTR{bConfigurationValue}:="0"
ACTION=="add|change", SUBSYSTEM=="usb", ATTR{idVendor}=="03f0", ATTR{idProduct}=="a31d", ATTR{bConfigurationValue}!="3", RUN+="/bin/sh -c 'sleep 1; echo 3 > %S%p/bConfigurationValue'"
ACTION=="add|change", SUBSYSTEM=="net", ATTRS{idVendor}=="03f0", ATTRS{idProduct}=="a31d", ATTR{cdc_ncm/ndp_to_end}=="N", ATTR{cdc_ncm/ndp_to_end}:="Y"

That’s all it takes. (You will probably want to change the vendor/product IDs 03f0/a31d if you don’t have the same HP-branded flavour of the Huawei ME906s-158 I do, though.)

Lack of IPv6 support

The Huawei ME906s-158 product page clearly specifies that the modem supports IPv6. Turns out, this is a lie - or at best, extremely misleading.

When I attempted to establish an IPv6 mobile data connection, it would just fail:

$ mmcli -m 0 --simple-connect=apn=telenor.smart,ip-type=ipv6
error: couldn't connect the modem: 'GDBus.Error:org.freedesktop.libmbim.Error.Status.NoDeviceSupport: NoDeviceSupport'

Requesting dual-stack with ip-type=ipv4v6 instead would ostensibly succeed, but it would only yield an IPv4-only connection.

I also tried the modem under Windows 10. It was only able to get IPv4 connectivity there too, so it seems clear that this is a firmware issue. For the record, I’m on the latest firmware available from HP, version 11.617.13.00.00.

In order to figure out what was going on, I used the option serial port driver to interact with the modem’s AT command interface:

$ modprobe option
$ echo 03f0 a31d > /sys/bus/usb-serial/drivers/option1/new_id
$ cat /dev/ttyUSB0 &

The first thing to check is the output of the AT+CGDCONT=? command, a 3GPP-standardised test command which returns the supported PDP types (one line per type, with the type in the second comma-separated field):

$ echo $'AT+CGDCONT=?\r' > /dev/ttyUSB0
+CGDCONT: (0-11),"IP",,,(0-2),(0-3),(0,1),(0,1),(0-2),(0,1)

OK

This is a smoking gun: there should have been two more lines returned here, one with "IPV6" and another with "IPV4V6" in the second comma-separated field. This output is essentially the modem stating «I only support IPv4».

Huawei has published an extensive document that details all the various AT commands supported by the modem. One of these is AT^IPV6CAP, a Huawei proprietary command to «Query IPv6 Capability» (see page 281). The possible return codes and their meanings are documented as follows:

1 IPv4 only
2 IPv6 only
7 IPv4 only, IPv6 only and IPv4v6

So let’s see what it says:

$ echo $'AT^IPV6CAP?\r' > /dev/ttyUSB0
^IPV6CAP: 1

OK

This appears to confirm what the AT+CGDCONT=? command already told us, the modem is IPv4-only. However, the AT^IPV6CAP=? command did give me a little bit of hope:

$ echo $'AT^IPV6CAP=?\r' > /dev/ttyUSB0
^IPV6CAP: (1,2,7)

OK

I interpret this to mean that the modem actually does contain support for IPv6 and IPv4v6; only that it is currently in an IPv4-only operational mode. The question then becomes: how to change the operational mode to 7? I have no idea, unfortunately. It’s not AT^IPV6CAP=7, for what it’s worth.
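The two responses above can be checked mechanically. The following is an added example (not from the original post, nor Huawei's or HP's code): it parses the AT+CGDCONT=? test response into the set of supported PDP types, reads the AT^IPV6CAP? code, and reports whether the two agree. The transport is injected as a callable so the parser can be exercised against constructed responses; LT4132_RESPONSES reproduces what the post shows, while DUAL_STACK_RESPONSES is a hypothetical modem that advertises all three PDP types. The serial_transact helper for a real /dev/ttyUSB0 is an assumption (it relies on the option driver being bound as above and on root access) and is not exercised here.

```python
#!/usr/bin/env python3
"""Interpret a modem's PDP-type support from AT+CGDCONT=? and Huawei's AT^IPV6CAP?."""
import os
import re
import select

# Meanings of the ^IPV6CAP codes as quoted from Huawei's AT command document.
IPV6CAP_MEANING = {
    1: "IPv4 only",
    2: "IPv6 only",
    7: "IPv4 only, IPv6 only and IPv4v6",
}

# One +CGDCONT: line per supported PDP type; the type is the quoted second field.
_CGDCONT_LINE = re.compile(r'^\+CGDCONT:\s*\([^)]*\)\s*,\s*"([^"]+)"')


def parse_cgdcont_test(response):
    """Return the set of PDP types ("IP", "IPV6", "IPV4V6") listed in an AT+CGDCONT=? response."""
    types = set()
    for line in response.splitlines():
        m = _CGDCONT_LINE.match(line.strip())
        if m:
            types.add(m.group(1).upper())
    return types


def parse_ipv6cap(response):
    """Return the integer code from an AT^IPV6CAP? response, or None if there is none
    (the AT^IPV6CAP=? range response "(1,2,7)" deliberately does not parse as a code)."""
    m = re.search(r"\^IPV6CAP:\s*(\d+)\s*$", response, re.MULTILINE)
    return int(m.group(1)) if m else None


def probe_ipv6_support(transact):
    """transact(command) sends one AT command and returns the raw response text.
    Returns what the modem claims to support and whether the two answers agree."""
    pdp_types = parse_cgdcont_test(transact("AT+CGDCONT=?"))
    cap = parse_ipv6cap(transact("AT^IPV6CAP?"))
    ipv6_in_cgdcont = "IPV6" in pdp_types or "IPV4V6" in pdp_types
    # Code 1 means IPv4 only; anything else documented (2, 7) implies IPv6 support.
    consistent = cap is None or ((cap != 1) == ipv6_in_cgdcont)
    return {
        "pdp_types": sorted(pdp_types),
        "ipv6_in_cgdcont": ipv6_in_cgdcont,
        "ipv6cap": cap,
        "ipv6cap_meaning": IPV6CAP_MEANING.get(cap, "unknown"),
        "consistent": consistent,
    }


# Constructed responses (CRLF-terminated, as a modem sends them).
LT4132_RESPONSES = {  # what the post shows for the HP lt4132
    "AT+CGDCONT=?": '+CGDCONT: (0-11),"IP",,,(0-2),(0-3),(0,1),(0,1),(0-2),(0,1)\r\n\r\nOK\r\n',
    "AT^IPV6CAP?": "^IPV6CAP: 1\r\n\r\nOK\r\n",
}
DUAL_STACK_RESPONSES = {  # hypothetical modem with full IPv6 support
    "AT+CGDCONT=?": ('+CGDCONT: (0-11),"IP",,,(0-2),(0-3),(0,1),(0,1),(0-2),(0,1)\r\n'
                     '+CGDCONT: (0-11),"IPV6",,,(0-2),(0-3),(0,1),(0,1),(0-2),(0,1)\r\n'
                     '+CGDCONT: (0-11),"IPV4V6",,,(0-2),(0-3),(0,1),(0,1),(0-2),(0,1)\r\n'
                     "\r\nOK\r\n"),
    "AT^IPV6CAP?": "^IPV6CAP: 7\r\n\r\nOK\r\n",
}


def serial_transact(device="/dev/ttyUSB0", timeout=2.0):
    """Assumed real transport (not exercised here): write the command to the
    option-driver tty and read until a final OK/ERROR or the timeout. Needs root."""
    def transact(command):
        fd = os.open(device, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
        try:
            os.write(fd, (command + "\r").encode())
            buf = b""
            while not re.search(rb"\r\n(OK|ERROR)\r\n", buf):
                ready, _, _ = select.select([fd], [], [], timeout)
                if not ready:
                    break
                buf += os.read(fd, 4096)
            return buf.decode(errors="replace")
        finally:
            os.close(fd)
    return transact


if __name__ == "__main__":
    # Offline run against the constructed lt4132 responses.
    print(probe_ipv6_support(LT4132_RESPONSES.__getitem__))
```

Against the lt4132 responses the report lists only "IP", code 1 ("IPv4 only"), and marks the two answers as consistent, which is exactly the conclusion drawn above; a modem whose CGDCONT list and IPV6CAP code disagree would be flagged as inconsistent and worth a closer look.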

I eventually had to give up on making IPv6 work with this modem. Perhaps it will be fixed in a future firmware update, but until then my recommendation is clear: stay away from the Huawei ME906s-158 / HP lt4132 LTE modem!

Support tickets were opened with both HP and Huawei support about the issue, by the way. Despite several rounds of escalating their respective cases, none of them were able to figure out a solution. HP support eventually gave up on solving the case and shipped me a replacement HP lt4120 free of charge instead. That did the trick; it turns out the lt4120 supports IPv6 perfectly. I’ll have to commend HP for good customer support here; they obviously considered the lack of IPv6 support to be a real defect and did what was necessary to fix the problem in the most efficient manner.

Mon 31 Jul 2017, 00:00

30 July 2017

Tore Anderson

Update: GitHub Pages, Fastly, and IPv6

When I created this blog a couple of years ago, I was disappointed to find out that the GitHub Pages service (GHP) did not support IPv6. This was due to the fact that GHP’s CDN provider Fastly didn’t support IPv6.

To work around this problem I ended up inserting a dual-stacked HTTP proxy service in front of my (IPv4-only) GHP-hosted blog. While it was hardly ideal, it did the trick.

The other day I was pleasantly surprised to find out that I no longer need this hack: Fastly and GHP now do support IPv6! IPv6 appears to have been enabled for https://toreanderson.github.io and all other GHP sites without requiring explicit opt-in. Perfect!

When did it happen? Well, it seems Fastly announced IPv6 availability on the 31st of March (after having had it in limited beta since last summer). Assuming Twitter is a reliable indicator, IPv6 was enabled for GHP specifically sometime between the 10th of April and the 28th of May.

I was quite critical of Fastly in those old posts, so it’s only fair that I congratulate them now. Well done, Fastly - I’m very happy to see you get on the IPv6 bandwagon!

Sun 30 Jul 2017, 00:00

17 July 2017

Magnus Hagander

Setting owner at CREATE TABLE

When you create a table in PostgreSQL, it gets assigned default permissions and a default owner. We can alter the default privileges using the very useful ALTER DEFAULT PRIVILEGES command (a PostgreSQL extension to the standard). However, there isn't much we can do about the owner, which will get set to the role that is currently active. That is, it's the main login role, or another role if the user has run the SET ROLE command before creating the table.

A fairly common scenario that is not well handled here is when a number of end-users are expected to cooperate on the tables in a schema all the way, including being able to create and drop them. And this is a scenario that is not very well handled by the built-in role support, due to the ownership handling. Fortunately, this is something where we can once again use an event trigger to make the system do what we need.

by nospam@hagander.net (Magnus Hagander) at Mon 17 Jul 2017, 11:02

Jorge Enrique Barrera

vim – Goodbye to :set paste

I’ve been using vim as my editor of choice ever since I started learning Linux, and something that has been bothering me for a while is how vim handles pasting.

Say I want to paste a large bit of code into a terminal running vim. Before I do this I have to type:

:set paste

When everything is pasted, I turn it off with:

:set paste!

or:

:set nopaste

The command :set paste prevents vim from auto-indenting the code I’ve just pasted.

Luckily, as it most often goes, there is a solution. Why I haven’t bothered to actually find the answer till recently is a whole other matter.

As it turns out, my terminal of choice (which currently is rxvt-unicode) supports something called bracketed paste mode.

In short, when bracketed paste mode is set, pasted text is bracketed with control sequences so that the program can differentiate between pasted text and typed-in text.

Let’s say that I copied the text:

Hello World!

from another program. When I paste it into my terminal, if it supports bracketed paste mode, it actually sends the text:

\e[200~Hello World!\e[201~

Now the thing is to let vim know how to watch out for these control sequences, and tell it what to do. Paste the following code into your .vimrc:

let &t_SI .= "\<Esc>[?2004h"
let &t_EI .= "\<Esc>[?2004l"

inoremap <special> <expr> <Esc>[200~ XTermPasteBegin()

function! XTermPasteBegin()
set pastetoggle=<Esc>[201~
set paste
return ""
endfunction

And that should reduce your use of :set paste quite a bit!

by Jorge Enrique Barrera at Mon 17 Jul 2017, 09:00

19 June 2017

Pontus Ullgren

Running Mule with systemd

Most modern Linux distributions now use systemd as the init system. However, the official documentation for Mule Standalone Runtime currently (2017-06-19) only describes how to use the old SystemV init script style to run the Mule Standalone Runtime as a Unix daemon.

by Pontus Ullgren at Mon 19 Jun 2017, 06:15

10 June 2017

Jorge Enrique Barrera

SimpleHTTPServer with SSL

I’ve often used Python’s SimpleHTTPServer to simply share a directory with someone over a network, be it local or the Internet. In case you don’t know how it works, it’s simple. To start an HTTP server serving your current directory, type:

python -m SimpleHTTPServer

and the result:

jorge@applepie:~ $ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...

It listens on all IPv4 interfaces, and binds to the port you specify, which in my case is 8080. The person on the other side will then be able to access the files in the directory from the outside by going to http://server1.example.com:8080, provided that your machine has the hostname server1.example.com, and that you have the port 8080 forwarded to the IP of server1.

But what if you want to provide a secure connection, say over SSL? SimpleHTTPServer has no built in way of doing this.

But behold ssl, Python’s built in SSL-module!

To create a secure connection for your SimpleHTTPServer, first create a self signed certificate by running the following command (if you don’t have a proper SSL-certificate, that is). The private key goes to the .key file and the certificate to the .pem file; the script below expects both:

openssl req -x509 -newkey rsa:4096 -keyout server1.example.com.key -out server1.example.com.pem -days 365 -nodes

Now create a script named shttps.py that contains the following code:

#!/usr/bin/env python
# Python 2 script: BaseHTTPServer and SimpleHTTPServer were merged into
# http.server in Python 3.

import BaseHTTPServer, SimpleHTTPServer
import ssl

## Variables you can modify

bind_to_address = ''        # '' = all IPv4 interfaces, 'localhost' = loopback only
server_port = 8080
ssl_key_file = "/etc/ssl/certs/localcerts/server1.example.com.key"          # -keyout of the openssl command
ssl_certificate_file = "/etc/ssl/certs/localcerts/server1.example.com.pem"  # -out of the openssl command


## Don't modify anything below

# SimpleHTTPRequestHandler serves the current working directory, so run the
# script from the directory you want to share (and nothing more).
httpd = BaseHTTPServer.HTTPServer((bind_to_address, server_port), SimpleHTTPServer.SimpleHTTPRequestHandler)
# Wrap the listening socket; every accepted connection is then TLS.
httpd.socket = ssl.wrap_socket(httpd.socket, server_side=True,
                               keyfile=ssl_key_file,
                               certfile=ssl_certificate_file)
httpd.serve_forever()

The only thing that needs further explanation is the variable bind_to_address. Fill this in with the text localhost if you want it to only listen to 127.0.0.1. Leave it blank to have it listen to all IPv4 interfaces (0.0.0.0).

Now that the certificate and key is all in place, and the script has been created, make it executable with:

chmod +x shttps.py

Go to the folder you’d like to share the contents of, and run the script:

jorge@applepie:~ $ ls
foo/ shttps.py
jorge@applepie:~ $ cd foo
jorge@applepie:~/foo $ ls
hello.txt world.txt
jorge@applepie:~/foo $ ../shttps.py

This is the result when you visit https://server1.example.com:8080: because the certificate is self signed and there is no third party verification, the browser lists the site as insecure, but it should do the trick well enough for sharing files with others.

If you however do want a free SSL certificate for a more permanent setup, I suggest LetsEncrypt! Check out https://letsencrypt.org/getting-started/ for more information.
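The same server for Python 3, as an added example that is not part of the original post: SimpleHTTPServer lives in http.server there, and ssl.wrap_socket has given way to ssl.SSLContext. Compared with the Python 2 script above it serves an explicit directory rather than whatever the current working directory happens to be, refuses anything below TLS 1.2, keeps the private key outside the shared tree, and includes a client that verifies the server against the self-signed certificate (pinning it as the trust anchor). Certificate generation shells out to the openssl command from the post, so openssl must be on PATH; the hostname, port and file names are assumptions, and demo() is a loopback self-test on a temporary directory.

```python
#!/usr/bin/env python3
"""TLS file server for Python 3: http.server + ssl.SSLContext."""
import http.client
import http.server
import os
import shutil
import ssl
import subprocess
import tempfile
import threading
from functools import partial


def make_self_signed_cert(directory, hostname, days=365, bits=4096):
    """Key + self-signed certificate via openssl, as in the post's command.
    Returns (certfile, keyfile)."""
    keyfile = os.path.join(directory, hostname + ".key")
    certfile = os.path.join(directory, hostname + ".pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:%d" % bits,
         "-keyout", keyfile, "-out", certfile, "-days", str(days),
         "-nodes", "-subj", "/CN=" + hostname],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    os.chmod(keyfile, 0o600)  # private key is owner-readable only
    return certfile, keyfile


def build_server_context(certfile, keyfile):
    """Server-side context that refuses anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def make_server(directory, certfile, keyfile, bind_address="", port=8080):
    """HTTPServer that serves exactly `directory` (not the cwd), over TLS."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    httpd = http.server.HTTPServer((bind_address, port), handler)
    ctx = build_server_context(certfile, keyfile)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    return httpd


def fetch(host, port, path, cafile):
    """Client side: require a valid chain up to cafile (here the self-signed
    certificate itself, i.e. pinning). Returns (status, body)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the generated cert carries only a CN, no SAN
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def demo(bits=2048):
    """Loopback self-test: share a temp directory and fetch one file over TLS.
    Returns (status, body), or None when openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    root = tempfile.mkdtemp()
    try:
        share = os.path.join(root, "share")
        os.mkdir(share)
        with open(os.path.join(share, "hello.txt"), "w") as f:
            f.write("Hello World!\n")  # constructed sample file
        # Key and certificate live in root, outside the served tree.
        certfile, keyfile = make_self_signed_cert(root, "localhost", bits=bits)
        httpd = make_server(share, certfile, keyfile, "127.0.0.1", 0)  # port 0: any free port
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
        try:
            return fetch("127.0.0.1", httpd.server_address[1], "/hello.txt", certfile)
        finally:
            httpd.shutdown()
            httpd.server_close()
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

For real use, generate the certificate once, call make_server with the directory to share, a public bind address and port 8080, and hand the .pem to the people you share with so they can pass it to their client (curl --cacert, for instance) instead of clicking through the browser warning.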

by Jorge Enrique Barrera at Sat 10 Jun 2017, 22:39

08 June 2017

Redpill Linpro Techblog

Mulesoft Enterprise Standalone Runtime on Raspberry Pi 3 with docker

The Raspberry Pi 3 is the third generation Raspberry Pi. On it I will be installing the Mulesoft enterprise standalone runtime with the latest Java 8, running inside a Docker container. The instance will register itself with the Anypoint platform ...

Thu 08 Jun 2017, 22:00