Jun 1, 2024

Self Hosting With Wireguard and Docker

Hosting a service in your home or office can save you a few bucks and give you more control and privacy. The obvious problem with that is the lack of a public IP address or your ISP filtering inbound traffic. Even if you have a public IP, it might be dynamic and change regularly - and dynamic DNS isn’t always reliable or updated quickly. Wireguard to a tiny VM with a static public IP address...
Feb 20, 2022

Spring Actuator based gRPC Health Check

We use Spring Boot and gRPC on AWS ECS Fargate behind AWS Application Load Balancers. We wanted to allow the ALB to query Spring Actuator’s robust health checks. However, the default Tomcat Actuator interface adds substantial bloat to a microservice and requires a slightly more involved configuration listening on a second port. We decided to implement a gRPC service that allows the ALB to check the Actuator health. We’ve used the gRPC HealthGrpc interface for...
Feb 5, 2022

Encrypted ZFS on Linux

Motivation I’ve suffered a home file server with an overly complicated disk storage setup for a number of years: LUKS, MD RAID, and LVM with a caching setup on top of that. It’s mostly a toy used for non-critical backups, so it was fun to tinker with. However, I’ve suffered disk losses multiple times despite using supposedly decent quality NAS drives. The latest configuration was 3x3TB RAID5 and an 80GB SSD LVM write-back cache with...
Mar 22, 2020

Fedora on Dell XPS 15 9570 and 7590

Overview I’ve been thoroughly enjoying my XPS 9560 - outlined in my original guide - for two years now. However, with the bulk of my work as a Java software engineer, I do large compiles dozens of times per day. I’ve recently found myself wanting a bit more CPU and I/O horsepower than my i7-7700HQ and Toshiba XG5 could give me. As long as my wife doesn’t read this, I’ll also admit I wanted...
Feb 2, 2019

How to Save a Small Fortune by Buffering Less.

While working for a large client processing several petabytes of data per month, I had the opportunity to attack the primary ingest service with YourKit. This service is written in Scala and Java and runs on giant expensive AWS instances due mostly to the heap requirements, but also to keep plenty of CPU headroom as this client is performance-sensitive. The first thing I noticed was most of the heap usage was generated in one small...
Jan 26, 2019

gRPC Keepalives and Transport Closing Errors on AWS Network Load Balancers

tl;dr: Enable keepalives and permit without stream on both the client and server, and make sure the keepalive time matches between clients and servers. We’re using gRPC in containerized applications written in four languages on AWS Fargate. Our service location and load balancing method is currently a combination of DNS and AWS Network Load Balancers. We’ve been plagued by “transport is closing” errors with no obvious cause. Once this bubbled up from “annoyance” to “problem”, we dug in...
Dec 16, 2018

Mapping MySQL binary columns to UUIDs with jOOQ

Working on a project using MySQL and Java, I quickly found myself missing the more robust SQL and data types of PostgreSQL. :) With a conversion off the table, we needed a way to handle mapping MySQL binary(16) columns to Java UUIDs and back automatically. I was surprised not to find any ready-to-run examples out there and thought I should share our method of using a custom Converter configured in jooq-codegen-maven. Here’s our converter code:...
Jul 6, 2018

AWS Secrets Manager as a Hiera Backend

We use both Puppet and AWS extensively. Historically, we’ve managed secrets with eyaml and git. This allows version control and recovery of secrets, but requires the decryption key(s) to be stored on the same disk as the secrets. We’ve evaluated Hashicorp’s Vault as a secrets management solution. While it is robust and full of appealing features, it requires deploying and managing an infrastructure around it - especially if you want high availability. This isn’t a...
Jun 3, 2018

Fedora on Dell XPS 9360 and 9560

Note: This is an older guide for the XPS 9560 and 9360. For the 9570 and 7590 use our new XPS 7590 guide. I don’t travel for work much, but I travel enough that I need a semi-portable computer. For the last three years, I’ve lugged around a Dell Precision M6800. I’ve always found Precisions to be great laptops with exceptional Linux support. These are one of the few laptops that can still disable Optimus...
Apr 5, 2015

Multiple EC2 Network Interfaces on Red Hat / CentOS 7

If you’re not running Amazon Linux with the built-in network interface management tools, adding multiple ENIs on the same subnet can be a confusing experience. We use this sometimes to run multiple elastic IPs on separate network interfaces so we can bind to them separately. We worked through this with Amazon support recently and thought we should share a quick overview of how to do this on Red Hat / CentOS 7. 1. Force...
Mar 12, 2015

Drop An Index To Speed Up AdRotate Wordpress Plugin

We have a client that keeps encountering a tremendous load on their WordPress MySQL database despite a trivial amount of normal traffic on their blog and lots of tuning that eliminated most normal database access. We tracked this down to the AdRotate plugin, and specifically the tracking callbacks to the admin-ajax interface in WordPress. Each one of these callbacks runs a select query against the wp_adrotate_tracker table, and each was taking ~1.3 seconds to run....
Mar 7, 2015

Schedule EC2 Instance Start and Stop

If you use EC2 instances for tasks that only need to be performed during work hours, it can be challenging and annoying to manually start up and shut down instances when you need them. There are services that can handle this for you (Skeddly, Ylastic, etc.) but they cost money and are overkill for small companies that just need to manage a few (or a few dozen) instances. We recently had a client that had a...
Dec 31, 2014

OSSEC Rules for OpenVPN

We use OpenVPN and OSSEC together regularly. Unfortunately, OSSEC doesn’t do any useful interpretation of OpenVPN events out of the box. Instead, you’ll wade through a stream of event id 1002s in your email to see what’s going on with OpenVPN. We recently sat down and drafted a custom decoder and a few custom rules for one of our clients who graciously permitted us to share them with the public. The decoder is simple: a...
Oct 2, 2014

Replace Journald in Fedora or CentOS

Journald - a contentious subject in the Linux community. On one side, proponents tout advanced features and security. On the other, die-hard *nix users decry yet another move away from the simplicity of text files and towards the Windows way of obfuscated binary file based systems. After using journald (and systemd) for a couple of years under Fedora, we’re unconvinced despite being a user of journal signing in security-conscious applications. With Red Hat shipping journald...
May 11, 2014

Fedora Disk Encryption on Linode

For bleeding-edge non-production and experimental use, Fedora is a great choice of server distribution. For small non-enterprise deployments, Linode is our host of choice. As much as we’ve come to appreciate Linode, as Fox Mulder says: trust no one. This is especially true when no companies appear to be immune to the intrusions of the NSA. While nothing can absolutely prevent spying at that level, we can make it extremely challenging and much more likely...
Feb 6, 2014

Best Practical SSL Configuration

Updated: January 2019 with latest suggestions and revised commentary. Updated: May 2016 with new cipher suggestions and revised commentary. We routinely use SSL Labs to verify systems we’ve configured. It’s a great service to verify that an SSL configuration is reasonably secure. It scores a site in four different areas: Certificate, Protocol Support, Key Exchange, and Cipher Strength. A perfect score is theoretically possible, but isn’t practical because many client/OS combinations couldn’t connect to your site....
Feb 6, 2014

Frustrate SSH Scanners with Iptables GeoIP Blocking

Updated 2018: Still working! xt_geoip_dl is now available and handles Geolite2 database downloading, simplifying our script. In the rare situation that we need to run a system that has SSH exposed to the world, we always install something to monitor and block SSH attempts. On the low end, we use fail2ban or sshguard, but our preference is OSSEC - especially when protecting multiple systems. The noise generated by SSH scanning is highly annoying - particularly...
Dec 14, 2013

Disqus WordPress Import Hangs

We recently needed to migrate a large WordPress site’s comments to Disqus. Disqus offers two methods of importing comments: their plugin “export” function and a WXR import function. Unfortunately, neither worked for us. The WXR import process is horrible; if it fails processing it simply says “Error parsing import” instead of returning any useful information. The Disqus WordPress import simply hangs; the plugin would spin through its Ajax calls saying “Importing comments from post #X”...
Jul 21, 2013

Enable Elliptic Curve Diffie-Hellman (ECDHE) in Linux

With all the recent publicity regarding Internet spying, there has been a renewed interest in security and encryption. One oft-neglected feature of SSL is the ability to use a cipher suite with Diffie-Hellman key exchange that enables so-called perfect forward secrecy. The advantage of PFS is that even if your private key is compromised, recorded past traffic cannot be decrypted. The problem is that Diffie-Hellman algorithms are very slow. This can be offset to a large...
Mar 22, 2012

IPSEC VPN Between Amazon VPCs

This is the world’s only existing simple example of an Openswan / Libreswan VPN between two Amazon EC2 VPCs. At least it seems that way after many fruitless searches today. We recently needed to link a client’s two VPCs together using a VPN and decided to use Libreswan instead of OpenVPN. Since there’s a dearth of specific examples online, I’ve decided to document a very simple configuration for a working Libreswan VPN bridge between two...
Mar 4, 2012

Magento: Remove Search Results From Search Engines

Having your site’s search results indexed is a bad SEO practice. Here’s another simple Magento fix that I didn’t find clearly documented elsewhere. In fact, I found broken plugins that purport to accomplish this for you. In your local.xml, simply add the following to your section: NOINDEX,FOLLOW NOINDEX,FOLLOW
Sep 21, 2011

Magento: Google Checkout Button in Side Cart

I haven’t written any articles in a while, and thought I should write a quick one about a Magento ‘fix’ I needed to do today. Magento isn’t the cleanest and most straight-forward software to extend, so I usually find myself doing a quick search to see if anyone has already tackled whatever customization a customer is asking for. This time, I only found bad examples of how to do this. The best way to extend...
Aug 27, 2010

Tuning a Magento and Wordpress Website

We do a lot of web site tuning, and have been since before it became routine. A while back, we were asked to tune a Magento and WordPress installation running on a virtual machine at a budget host (see our warnings about that on our cloud providers page). We thought it might be useful to blog about an example experience to give some idea of what’s possible as well as provide some humor with...
Jul 25, 2010

Rackspace Cloud Hosting

After reciting the same facts and figures for numerous customers countless times (and no doubt forgetting something each time!), I’ve finally taken the time to put up a page dedicated to why we choose Rackspace Cloud hosting. I’m sure we’ll be improving upon it as time goes on, but I’m glad we finally have this information in one place since we deal with so many people trying to migrate to cloud hosting to reduce expenses....
Jul 7, 2009

OpenSolaris rpool sharing disks

We’ve been using OpenSolaris (and Solaris) more and more; the advantages in technical prowess outweigh the few advantages Linux has left in ease of use. One thing we’ve been frustrated with a couple of times is the apparent inability to create custom slice layouts on root disks during installation. We’re building a 16 drive, 16TB ZFS archival server, and we didn’t want to waste two drives (or cram two additional drives in the chassis)...
Jun 26, 2009

Migrating and filtering Subversion repositories

I’ve been tasked with merging one Subversion repository into another. The source repository is 35GB and the destination about 2GB. The source repository is bloated by the ritual inclusion of large directories of binary files that were wiped and re-added continually as well as branched and tagged hundreds of times. The goal is to eliminate these binaries and all history related to them in order to reduce the repository down to a much more manageable...
Feb 24, 2009

Fun with OpenSolaris snv_107 and Nvidia drivers

I’ve been eagerly awaiting an upgrade from OpenSolaris 2008.11 that would provide working WPA2 PSK for my laptop, as my laptop is the easiest system for operating system experimentation. I’ve heard stories of success with snv_107, so I decided to give it a shot. Somehow the upgrade from snv_101b to snv_107 was quirky - Xorg didn’t work and ‘pkg fix’ showed a large number of problems while crashing repeatedly. I decided a fresh installation...