Rolling out containers w/ Ansible

I’m not huge on containers, but I can see and appreciate their value in rolling things out fast for testing purposes. I have my own server(s) running here and there and I use Ansible for handling pretty much everything on them. Until not long ago, Docker containers were among the notable exceptions to that rule. But then I finally discovered the docker_container module. The only thing I was still missing was better handling of defining multiple containers.


NGINX Extended Security Update →

Netflix discovered three vulnerabilities in NGINX: CVE-2019-9511, CVE-2019-9513 and CVE-2019-9516. Both the current stable and mainline branches were patched and point releases were issued. As I mentioned in my NGINX Extended post, I was not going to work on the 1.14.x branch any more, with the exception of security updates. Canonical backported the patches to their nginx package with the following changelog:

  • SECURITY UPDATE: HTTP/2 Data Dribble issue
    debian/patches/CVE-2019-9511.patch: limited number of DATA frames in src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h, src/http/v2/ngx_http_v2_filter_module.c.
    – CVE-2019-9511
  • SECURITY UPDATE: HTTP/2 Resource Loop / Priority Shuffling issue
    debian/patches/CVE-2019-9513.patch: limited number of PRIORITY frames in src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
    – CVE-2019-9513
  • SECURITY UPDATE: HTTP/2 0-Length Headers Leak issue
    debian/patches/CVE-2019-9516.patch: reject zero length headers with PROTOCOL_ERROR in src/http/v2/ngx_http_v2.c.
    – CVE-2019-9516

I also took these patches and rebuilt my NGINX Extended version.

While I’m at it, it’s worth mentioning that there’s also a Docker container available with my NGINX version. The Dockerfile is available on GitHub and the image itself on Docker Hub. Internally it also uses my PPA to provide the package, so it has exactly the same version as the one provided there.

Panic’s Nova Text Editor Private Beta →

Picture by Panic from the Panic – Nova Private Beta

Panic’s Nova Text Editor entered private beta testing. I’m not exactly looking for a new text editor, but I’m watching this one closely. Two reasons: 1) it’s Panic and their software for Apple devices is absolutely awesome; 2) it’s going to be a native editor for macOS. Not some Electron app, but the real deal. I never got myself to use BBEdit and Coda looks a bit vintage these days, so I’m keeping my eye on this one.

Apple’s Convergence

Picture by Apple from the Apple Beta Software Program

There’s this craving out there in the industry. Imagine walking around with a super powerful device inside your pocket. You can do all sorts of cool things on it like browsing the Internet, taking amazing pictures, listening to music, downloading apps, documents and what not. Not that hard to imagine these days; most of the smartphones out there can do all of the above and then some. Most of them can and do replace multiple devices we needed in the not that distant past (Walkmans, iPods, calculators, cameras etc.). But the craving is still there. The common understanding is that these devices are so powerful nowadays that they could take on doing even more. Imagine — the last time, I promise! — walking around with a super powerful device inside your pocket. Imagine you get back home or arrive at the office, you take the device out of your pocket and you connect it to a big screen, a pointing device and a keyboard. All of a sudden, your pocket device has become your desktop device. Bam! 🤯


Farewell Joyent Public Cloud →

I was working for AT&T when I first learned about SmartOS. The reason was simple: I was in the UNIX/Solaris team, so I was more in “this world” back then. I found the concept of this new OS fascinating, and Bryan Cantrill’s amazing lightning talk only added to that. It was one of those moments when I felt that I was interested in the right things at the right time. To me SmartOS in many ways felt revolutionary and I still think that some of its concepts are ahead of the industry.


ZFS 0.8.0 →

My first encounter with ZFS happened on Solaris 10 running on some SPARC box. It felt very refreshing after SVM or, goodness me, VxVM. I became a fan instantly, as the overall simplicity in administration and promise of reliability were nowhere else to be found. Throughout the years I’ve been playing with it mainly on Illumos distros (OmniOS and SmartOS) and FreeBSD, but never got myself to entrust it fully on Linux.

While it appears that ZFS is still sort of persona non grata, at least in the Linux kernel, Canonical shipping it by default with Ubuntu helps a lot. Quite recently it also became apparent that the community behind ZFS on Linux is the largest and most active one. It also seems that both Illumos and FreeBSD (among others) are going to be syncing with/against it.

This release brings an impressive set of new features. I, for one, am most excited about native encryption and the ability to transfer raw encrypted snapshots.

Ansible 2.8.0 →

On the 16th of May a new major release of Ansible landed. For a very long time I was a proponent and happy user of SaltStack. I still have a soft spot for it and some formulas lying here and there. At some point, however, I gave Ansible a chance and, while it was not exactly trouble-free (I had quite a few habits from Salt), once it clicked, it stayed and is my number one automation tool, period.

It’s a huge release; so many things are mentioned in the release notes that it wouldn’t make sense to go through all of them here and now. That said, there’s one thing that I was really looking forward to: Python interpreter discovery. It’s surprising how annoying this one can be in a mixed distro/version environment. Finally no need for some hacky solutions! 🎉

NGINX Extended

UPDATE (April 26, 2019): this post has been updated to include latest changes made to the project. You can jump directly to it here →

I was lucky enough that relatively early in my career I bet on NGINX as my default HTTP server and essentially never looked back. Sure enough, I started by using it as a reverse proxy in front of Apache, but once it matured enough and I felt confident it could be trusted with essentially any HTTP-related task, I switched entirely. It was a long time ago and NGINX has made some tremendous progress since then. While its adoption hasn’t exceeded Apache’s so far, it has been in second place for quite some time now and is growing in numbers each month. I was always fond of it being so lightweight and I preferred using the FastCGI protocol instead of a native/built-in one, as was the case with Apache at that time.

The caveat is that, while it is an Open Source application, there are some functionalities that are available only to paying customers (NGINX Plus). I don’t mind this kind of business model. After all, this is a great application and I hope it will stay around for years to come, and the only way to achieve that goal is to keep it financially sustainable. On the other hand, I’m not able to afford the NGINX Plus subscription model (especially for a private use case like mine). Fortunately enough, there are some NGINX enthusiasts out there who are creating 3rd party modules for their favourite HTTP server. Quite a few of them.


Multipass 0.6.0 →

There are so many ways these days to start a local VM on the Mac that adding yet another one seems insane. And yet, Multipass from Canonical appeals to me the most. Especially when it’s just a quick check that I need to make — it’s as simple as two commands and voilà, it’s working and ready to roll.

With the new version I am really looking forward to the instance being started automatically by the multipass shell command — it’s safe to say that it was the only thing I was missing.

Please note that Multipass works solely with Ubuntu instances. It is cross-platform however and one can use it on Windows, macOS and Linux.

Rsyslog to Elasticsearch

Last time I mentioned that I was working on a central syslog. Part of the task was also the ability to easily go through the logs, preferably with some filtering and what not. The ELK stack is usually the first thing mentioned as a potential solution. Essentially the goal is to land your logs in Elasticsearch. The problem with both of these solutions is on the processing part. With Logstash things can go very wrong very quickly and there’s only a handful of things other than _grokparsefailure that can seriously put me into rage mode.
