cron.weekly issue #40: Ansible, OpenSSH, Checkup, TLS, Postfix & more!
August 7, 2016 - Mattias Geniar
Welcome to cron.weekly issue #40 for Sunday, August 7th, 2016.
A bit later than usual, but I was too busy recompiling kernels to better fight off F.Society hackers, tunnelling my TCP traffic over a UDP DNS interface while trying to circumvent rate limiting and at the same time mitigating an incoming SNMP amplification attack.
Or I fell asleep when I should’ve been writing the newsletter. Pick whichever story you prefer.
Either way, enjoy your Sunday read!
Podcast: Ansible with James Cammarata
I recorded a new podcast last week with James Cammarata, head of Ansible core engineering, to talk about the Ansible project.
We discuss how it’s used as a config management tool in both push and pull scenarios, and how Ansible can be used as a deployment tool and an orchestrator. We touch on the terminology, Red Hat’s acquisition, ideal use cases, how to get started with Ansible, Ansible vs. Puppet and so much more.
If you’re interested, go have a listen.
In honour of SysAdmin Day last week, here’s a set of stories that prove our heroic skills.
A good list of “devops tools” (what’s in a name, right) ranging from project management to source code & integration testing.
Lots of security improvements, easier jump-host configs (the new ProxyJump option), stronger Diffie-Hellman key exchange parameters and an “Include” directive for ssh_config files. That last one is going to make many config management folks happy: it’s much easier to integrate custom configs that way.
Sometimes I stop and think how much of a miracle it is that e-mail works at all: all the intermediate steps, the protocols, a thousand anti-spam filters, … So this was a fun read going back to the basics: the first e-mail sent over ARPANET, the concept of mailboxes, e-mail headers, … Recommended if you like e-mail protocols.
It’s a story from the GitLab team themselves, so probably biased, but the numbers are impressive: for large teams, you can save thousands of dollars by moving from GitHub to a self-hosted GitLab server. Many practical examples for both the many-users/few-repositories and the few-users/many-repositories scenarios.
Heads-up for network engineers and firewall fans: Google is experimenting with a new transport protocol built on top of UDP instead of TCP. If you see strange traffic to UDP port 443, it’s probably the QUIC protocol. Chrome falls back to ordinary TCP and TLS when UDP 443 is blocked, so filtering it is possible, but judging by the attention it gets, QUIC might be here to stay.
Tools & Projects
GitHub’s Online Schema Change for MySQL. This looks like a very powerful, no-downtime tool to help make schema changes in MySQL easier.
Terraform allows you to describe your infrastructure as code. It can describe which VMs you want and which cloud provider needs to run them. The 0.7 release introduces imports (of your existing infrastructure), external data sources (like Consul etc.) and new `terraform state` commands to inspect and manipulate the state of each resource.
Give it a URL, and it’ll show you how long it takes to connect, send the request and retrieve the reply (headers only). A useful little tool to help troubleshoot HTTP errors.
Minio is an object storage server built for cloud application developers and devops. It’s Amazon S3 compatible and written in Go. It is best suited for storing unstructured data such as photos, videos, log files, backups and container / VM images.
Stack Up is a simple deployment tool that performs a given set of commands on multiple hosts in parallel. It reads a Supfile, a YAML configuration file, which defines networks (groups of hosts), commands and targets.
fzf is a general-purpose command-line fuzzy finder.
Checkup does ‘simple uptime monitoring’: easy configs, cross-platform, and created by the same person who wrote the Caddy web server. Looks like a simple yet powerful uptime monitoring tool, you should check this one out!
Guides & Tutorials
How to deploy an Nginx reverse proxy with Let’s Encrypt and SNI support for serving multiple domains. The examples use Docker containers, which makes this a very practical example of how to set up a Docker container for a single service.
A couple of one-liners to help you create a self-signed certificate for testing purposes with OpenSSL.
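As an added example (not one of the linked one-liners), a shell function that builds a self-signed certificate the way current browsers want it: with a subjectAltName, since Chrome and Firefox ignore the CN. The host name, file names and 30-day validity are assumptions, and the extensions go through a small req config file so it also works on OpenSSL releases older than 1.1.1, which lack `-addext`:

```shell
#!/bin/sh
# Added example: a self-signed certificate for local testing that carries a
# subjectAltName, which is what browsers actually check (the CN is ignored).
# Host name, file names and the 30-day validity are assumptions.
set -eu

# make_selfsigned HOST KEYFILE CERTFILE
# 2048-bit RSA key plus a certificate for HOST, also valid for localhost and
# 127.0.0.1. The extensions go through a small req config file rather than
# -addext, so this works on OpenSSL releases older than 1.1.1 as well.
make_selfsigned() {
  host=$1; key=$2; crt=$3
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_leaf
prompt             = no
[dn]
CN = $host
[v3_leaf]
subjectAltName   = DNS:$host, DNS:localhost, IP:127.0.0.1
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$key" -out "$crt" -config "$cfg"
  rm -f "$cfg"
}

# cert_san CERTFILE: print the SAN entries, so you can see what was issued.
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# key_matches_cert KEYFILE CERTFILE: the classic sanity check before deploying
# a key/cert pair, comparing the RSA modulus of both. Exit status 0 on match.
key_matches_cert() {
  [ "$(openssl rsa -in "$1" -noout -modulus)" = \
    "$(openssl x509 -in "$2" -noout -modulus)" ]
}
```

Run `make_selfsigned test.local test.key test.crt`, then `cert_san test.crt` to confirm the names and `key_matches_cert test.key test.crt` before pointing a server at the pair. Add the certificate to the local trust store of the test client rather than switching off certificate verification there; the latter habit tends to survive into production.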
The Mozilla team has created a very good overview of what server-side TLS involves: compatibility, how forward secrecy works, OCSP stapling, HSTS (HTTP Strict Transport Security), HPKP (HTTP Public Key Pinning) and much more. If you’re interested in securing server-side applications, bookmark this. Treat HPKP with care, though: a pin set that doesn’t match the certificate you later deploy locks returning visitors out for the full max-age.
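Putting the guide’s server-side points together in one place, as an added example that is not taken from the Mozilla guide or from the Docker/Let’s Encrypt post above: an nginx server block for one domain (a second domain is simply a second block with its own `server_name` and certificate; SNI does the rest). The domain, the certbot-style certificate paths, the local resolver and the upstream address are assumptions, and the cipher list is a hand-picked forward-secrecy set rather than a copy of Mozilla’s generated profiles, which remain the reference:

```nginx
# Added example, not from the linked posts. Domain, certificate paths
# (certbot's default layout), resolver and upstream are assumptions.
server {
    listen 443 ssl http2;
    server_name www.example.com;   # SNI: nginx picks this block by the name in the ClientHello

    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    # Forward secrecy: only ECDHE key exchange with AEAD ciphers, TLS 1.2 only.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_session_timeout 1d;
    ssl_session_cache shared:TLS:10m;
    ssl_session_tickets off;      # nginx does not rotate ticket keys, which would undo forward secrecy

    # OCSP stapling: nginx fetches the OCSP response itself and sends it in the handshake,
    # so clients need not contact the CA. The resolver is needed to reach the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/chain.pem;
    resolver 127.0.0.1 valid=300s;

    # HSTS for one year; "always" adds the header on error responses too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://app:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Plain HTTP does nothing but redirect, so HSTS can take effect on first contact.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
```

Two deliberate omissions: `preload` is left out of the HSTS header because a submission to the browser preload lists is hard to undo, and HPKP is left out entirely, for the lock-out reason given above; if you do pin, pin with a tested backup key and a short max-age first. Check the result with `openssl s_client -connect www.example.com:443 -servername www.example.com -status`, which prints the stapled OCSP response along with the negotiated protocol and cipher.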
Many organisations use jumphosts or “bastion servers” that act as intermediates before you can SSH to other servers. They add an extra layer of access control and auditing. This post explains how to use them in your SSH configs.
A very practical explanation of how to deploy code (PHP, Ruby, Node, …) with Ansible. Unlike most config management tools, Ansible is well suited to orchestrating complex, multi-stage deployments.
Ever had an e-mail stuck in the Postfix queue? These steps let you resend the stuck messages to an alternative address, bypassing the original recipient.
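An added example that ties the OpenSSH 7.3 item above to this post (host names, user names and key paths are assumptions, not taken from either source): a `~/.ssh/config` that uses the new `Include` directive for drop-in snippets and `ProxyJump` for the bastion, with the `ProxyCommand` form that older clients still need:

```sshconfig
# ~/.ssh/config (added example, not from the linked posts; host names,
# user names and key paths are assumptions)

# OpenSSH 7.3+: pull in per-project snippets that config management drops in.
# Placed before any Host/Match block it applies unconditionally; inside a
# block it becomes conditional on that block matching.
Include ~/.ssh/config.d/*

# The bastion itself: reachable directly, with its own dedicated key.
Host bastion
    HostName bastion.example.com
    User jump
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes

# Internal hosts: the TCP connection is relayed through the bastion, but the
# SSH session to the target is end-to-end, so the bastion never sees plaintext
# and never needs the key for the internal hosts.
Host *.internal.example.com
    User admin
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519_internal
    IdentitiesOnly yes

# Equivalent for clients older than 7.3 (replace the ProxyJump line with this):
#   ProxyCommand ssh -W %h:%p bastion
```

`ssh web1.internal.example.com` then goes through the bastion with no per-command flags; `ssh -J bastion host` does the same ad hoc, and `ssh -G web1.internal.example.com` prints the effective configuration so you can confirm which block matched. Because ssh keeps the first value it obtains for each option, an `Include` placed before the `Host` blocks lets the included files override them, which is usually what you want for machine-managed snippets.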
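As an added example, not the linked post’s own script: the same procedure as shell functions. `stuck_queue_ids` parses `postqueue -p` output (the sample listing used for the check is constructed) and `resend_to` re-injects a message through `sendmail`; the recipient pattern and the alternative address are assumptions:

```shell
#!/bin/sh
# Added example, not the linked post's script. Finds the queue IDs of messages
# addressed to a given recipient in `postqueue -p` output, then resends each
# message to an alternative address. postcat, sendmail and postsuper are the
# standard Postfix commands; the sample input used to check the parser is
# constructed.
set -eu

# stuck_queue_ids RECIPIENT_REGEX  < output of `postqueue -p`
# Each message prints as a header line (queue ID, with a trailing * for
# active or ! for held, then size, arrival time, sender), optional indented
# "(reason)" lines for deferrals, and one indented line per recipient.
# Prints each matching queue ID once. Pass the pattern without backslashes
# (e.g. 'bob@old[.]example$'), since awk -v would interpret escapes.
stuck_queue_ids() {
  awk -v pat="$1" '
    /^[0-9A-Za-z]+[*!]?[ \t]+[0-9]+[ \t]/ { id = $1; sub(/[*!]$/, "", id); next }  # header
    /^[ \t]*\(/                           { next }                                  # deferral reason
    /^[ \t]+[^ \t]+@/                     { if ($1 ~ pat && !seen[id]++) print id } # recipient
  '
}

# resend_to QUEUE_ID NEW_RECIPIENT
# Hold the message so qmgr cannot deliver it meanwhile, re-inject headers and
# body (-bh: no envelope) through sendmail to the new recipient, and delete the
# original only once sendmail has accepted the copy.
resend_to() {
  id=$1; newrcpt=$2
  postsuper -h "$id"
  postcat -qbh "$id" | sendmail -i "$newrcpt" && postsuper -d "$id"
}

# redirect_stuck RECIPIENT_REGEX NEW_RECIPIENT: the whole procedure.
redirect_stuck() {
  postqueue -p | stuck_queue_ids "$1" | while read -r id; do
    resend_to "$id" "$2"
  done
}
```

`redirect_stuck 'bob@old[.]example$' bob@new.example` redirects every queued message for that recipient. The copy is re-injected with your own envelope sender, so add `-f` to the `sendmail` call if bounces must reach the original sender (`postcat -qe ID` shows the original envelope), and note that a held message that fails re-injection stays on hold until you `postsuper -H` it.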
Hardly anyone uses ed, ‘the original text editor’, anymore. This post gives a good overview of the ed text editor and highlights some of its strengths.
The ‘httpry’ tool captures HTTP traffic (live, or from a tcpdump capture file) and prints the requests in readable form. It only understands plaintext HTTP, so it is useless against TLS, but for traffic on port 80 it can be pretty useful.
A very nice talk from Patrick Debois (the ‘godfather’ of DevOps) on how our role is shifting. It introduces AWS Lambda (the “serverless” part) and the concept of “promises”.