Paul's Blog

The articles below are on various topics, though the majority are focused on some aspect of systems administration.

The Demise of Independent Computer Retailers · May 10, 2016

A recent thread in a local tech mailing list noted the impending closure of Pacific Solutions, an established computer retailer here in Portland. I was never a frequent customer—to get there I typically had to go out of my way—but the store had a knowledgeable staff and stocked industry-standard parts. I was saddened, though not surprised, at the news.

One contributor to the mail thread noted that back in the 1990s, there were quite a few independent computer retailers in and around Portland. “Then,” he wrote, “came Fry’s and Amazon.”

It’s true that small computer retailers have largely disappeared, but I don’t think that Fry’s and Amazon are the main culprits.


Re-index OS X Spotlight · May 4, 2016

Spotlight searches on my MacBook Pro running OS X 10.10.5 (Yosemite) were failing. Worse, the smart mailboxes in Apple Mail weren’t working. Without smart folders, it takes me a lot longer to navigate my inbox every morning.

The solution was to force OS X to re-index my hard drive.


National Weather Service Will Stop Screaming · April 11, 2016

In November 2014, I wondered why the National Weather Service still uses all upper-case letters in its forecasts.

That anachronism remaining from the days of teletype machines is now scheduled to come to an end next month. NWS will only scream in all caps to alert readers to very hazardous conditions.


My Favorite Narrator is a Dog · April 11, 2016

Whether or not it’s true that additional scenes were added to Suicide Squad to provide additional humor, I’m fairly convinced that the commercial success of films like The Martian, Guardians of the Galaxy, Deadpool, and The Avengers was in large part due to their good humor and jaunty tone.


Scripting a Keepalive for Adium · April 4, 2016

Our team at work uses a group chatroom on a daily basis, though sometimes an hour or more will pass between flurries of messages. The chats are hosted on the enterprise-level Skype for Business Server.

During those lulls, and without warning, my Mac instant-message application Adium will silently time out. One minute I’m connected, the next I’m not—but Adium offers no indication whatsoever of the change.

Once Adium is disconnected, I get no further messages even during the next message flurry. I’d say that ignorance is bliss, but I depend on that chatroom for information. Plus, my colleagues have a reasonable expectation that I’ll respond to their questions in a timely manner.

My temporary fix is a scripted keepalive.


Apache 'Require ldap-group' Limitation · March 17, 2016

The problem, briefly: Apache, configured to authenticate via LDAP and authorize access only to members of a certain group, would not authorize a new user account that was clearly a member of that group.

The solution, briefly: The new user account had its primary group identifier (GID) set to the authorized group, while all other users were auxiliary members. The new user account had to be given an explicit memberUid entry within the group’s LDAP definition.


My First Cloud-Init Scripts · March 4, 2016

I’ve been playing with OpenStack at work, getting ready for a pilot project that, if approved, will launch in a couple weeks. I hope to have more entries on OpenStack installation, configuration, and usage later. Today, however, I began experimenting with cloud-init scripting and customizing a stock OpenStack VM image.


Mozilla SSL Configuration Generator · January 15, 2016

The Mozilla SSL Configuration Generator is a very nice tool for anyone who’s responsible for configuring a web server for SSL operations. You simply tell the site what web server and OpenSSL version you have, and what range of client software you need to serve, and it gives you a working configuration snippet. Bravo!

Copying remote files while changing ownership · November 18, 2015

Someone at work encountered an interesting obstacle today. The problem was how to change ownership of files in transit to an NFS filesystem that squashed activity by user root. Solving it required a quirky shell one-liner that you may find interesting.


Site Overhaul · November 1, 2015

I’ve maintained this site since 2002, and it had essentially the same layout from 2004 until recently (November 2015). It was time to redo it.


IPMI tool function · September 28, 2015

In the vein of my post about an SSH login function I’ve added to my bash profile, here’s another profile function, this one for invoking ipmitool.


FQDN SSH login function · September 23, 2015

I don’t use unqualified hostnames for ssh logins. They’re too dependent on local context. The command ssh myhost leaves it up to the local DNS resolver to append a domain name to myhost, and too often the local DNS resolver is influenced by a DHCP server of unknown provenance.

On the other hand, laziness dictates that I reduce the amount of typing I do to log in, so the command ssh myhost.mysubdomain.mydomain isn’t a winner for me either.


Ethernet Device Names in CentOS 7 · January 7, 2015

I’ve got quite a few servers currently running CentOS 6 that will over the course of the coming months be upgraded to CentOS 7. One of the allures of Linux distributions in the Red Hat family—including CentOS and Fedora—is the kickstart feature, which allows you to automate highly customized installations.

One problem I’m encountering is the CentOS 7 default of using so-called predictable network interface names. No longer can you assume the presence of eth0; your first interface may be p5p1, eno1, or something wackier like enp4s0f0. This causes issues in kickstart files which refer to a specific interface.


oVirt Engine 3.4.4 Interoperability with Fedora 21 · December 19, 2014

At work, we maintain a cluster of a dozen hosts dedicated to running virtual machines. The cluster is managed by oVirt version 3.4.4. Version 3.5 is current, but for a variety of reasons we’re sticking with 3.4.4 for a while yet.

The cluster nodes and the oVirt Engine, essentially the cluster controller, currently run Fedora 19. The standard Fedora life cycle is that “Release X is supported until one month after the release of Release X+2.” Since Fedora 21 was released earlier this month, Fedora 19 is near the end of its life cycle.

So I thought it was time to try using Fedora 21 on a cluster node, the nodes being easier to update than the server running the Engine.

Getting Fedora 21 to work with Engine 3.4.4 took some work! The short version of the process is outlined below.


Dueling fail2ban and ipset timeouts · December 10, 2014

Quick background: Fail2ban scans system logs looking for entries that indicate network connections with malicious intent. When it finds enough such entries from a given IP address, it adds a firewall rule that blocks connections from that address for a given period of time.

In CentOS and Debian, Fail2ban is normally configured with a ban time of 600 seconds (10 minutes). That’s a safe default if you’re worried about locking yourself out of your system, but I don’t think it’s long enough to ward off persistent or obnoxious attackers.