ck's Weblog: Everything, Punched in the Face

Another Migration; Lessons Learned

Monday, November 20 2017

My 3-year AWS EC2 reservation expired last month, and I'm taking the opportunity to modernize some of my hosting (and move to the Ohio region).

RDS and SELinux

One of the big changes behind the scenes is following the advice I give everyone at work and allowing Amazon to manage my MariaDB database. I'd previously been running a local copy, connecting through a local socket, which was very fast and very secure. Pointing my PHP code at Amazon RDS didn't work, even though mysql was able to connect from the command line with the same credentials.

I learned that SELinux is configured by default to prevent web server processes from accessing network resources:

$ getsebool -a | grep httpd_can
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off

The httpd_can_network_connect_db line (shown above already set to on) is the one that needed to be changed to allow connections to RDS. You'll want to use the -P flag with setsebool to make the change persistent.
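The audit-then-fix flow described above, as an added example that is not part of the original post. It parses the "name --> on|off" format that getsebool prints, reports which of a required set of booleans are not on, and enables only those with setsebool -P. The SAMPLE_GETSEBOOL text is constructed so the functions run offline; on a real host, feed it the output of getsebool -a. Enabling only httpd_can_network_connect_db (database ports) rather than the broad httpd_can_network_connect keeps the web server's outbound network access as narrow as the app needs.

```shell
#!/bin/sh
# Added example: audit the SELinux httpd booleans a web app needs and
# persistently enable only the ones that are off.

# Constructed sample of `getsebool -a | grep httpd_can` output so this runs
# offline; on a host use "$(getsebool -a)" instead.
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off'

# sebool_value OUTPUT NAME: print on/off for NAME, or "missing" if absent.
sebool_value() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name { print $3; found = 1 }
        END { if (!found) print "missing" }'
}

# sebools_not_on OUTPUT NAME...: print "name=value" for each NAME that is
# not on. Returns 0 when every NAME is on, 1 otherwise.
sebools_not_on() {
    out=$1; shift
    rc=0
    for b in "$@"; do
        v=$(sebool_value "$out" "$b")
        if [ "$v" != on ]; then
            printf '%s=%s\n' "$b" "$v"
            rc=1
        fi
    done
    return $rc
}

# enable_sebools NAME...: turn each boolean on with -P so the change
# survives a reboot and a policy reload. DRY_RUN=1 only prints the commands.
enable_sebools() {
    for b in "$@"; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: setsebool -P $b on"
        else
            setsebool -P "$b" on
        fi
    done
}

# Usage on a host (commented out so the file runs offline). Only the narrow
# *_db boolean is requested; httpd_can_network_connect stays off.
#   missing=$(sebools_not_on "$(getsebool -a)" httpd_can_network_connect_db) \
#       || enable_sebools $(printf '%s\n' "$missing" | cut -d= -f1)
```

Run the audit from a deploy script or a config-management check rather than flipping booleans by hand; a boolean that is "missing" usually means the policy module on that host differs from what you expect, which is worth knowing before the app starts failing in production.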

IPv6

IPv6 is overdue. It's 2017, and I figured I should finally make it work. Amazon provides great documentation on migrating, but I'd missed the requirement to add a default IPv6 route through an internet gateway to my VPC's route table. That's critical.

New SSH keys

So long as I was being disruptive and reconfiguring things to use an entirely new set of resources, I dug into the state of the art in SSH. It seems that ed25519 is the preferred SSH key type. This blog post lays out the reasons for updating and provides good examples on how to generate keys with especially hard-to-crack passphrases.
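An added example of the key-generation side of this, not code from the post or from the article it links: a diceware-style passphrase generator with an entropy estimate, and a wrapper that creates an ed25519 key with extra KDF rounds. The embedded SAMPLE_WORDS list is a constructed 16-word stand-in for a real wordlist (assumed to live one word per line in a file named by $WORDLIST); rand_index, make_passphrase, passphrase_bits and new_ed25519_key are names chosen here.

```shell
#!/bin/sh
# Added example: random passphrase from a wordlist, its strength in bits,
# and an ed25519 key protected by it.

# Constructed 16-word stand-in so the functions run offline; a real list
# (e.g. a 7776-word diceware list) gives ~12.9 bits per word.
SAMPLE_WORDS='alpha bravo charlie delta echo foxtrot golf hotel
india juliet kilo lima mike november oscar papa'

# rand_index N: unbiased integer in [0, N) from /dev/urandom. Values above
# the largest multiple of N are rejected instead of taken modulo N, which
# would bias the low indices.
rand_index() {
    size=$1
    limit=$(( (4294967296 / size) * size ))
    while :; do
        n=$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')
        if [ "$n" -lt "$limit" ]; then
            echo $(( n % size ))
            return
        fi
    done
}

# make_passphrase COUNT WORDS: COUNT words drawn independently (with
# replacement) from the whitespace-separated WORDS, joined by spaces.
make_passphrase() {
    count=$1
    words=$2
    total=$(printf '%s\n' $words | wc -l | tr -d ' ')
    out=''
    i=0
    while [ "$i" -lt "$count" ]; do
        idx=$(rand_index "$total")
        word=$(printf '%s\n' $words | awk -v n=$((idx + 1)) 'NR == n')
        out="${out}${out:+ }${word}"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# passphrase_bits COUNT LISTSIZE: entropy of COUNT uniform draws from a
# LISTSIZE-word list, COUNT * log2(LISTSIZE), rounded to whole bits.
passphrase_bits() {
    awk -v n="$1" -v w="$2" 'BEGIN { printf "%.0f\n", n * log(w) / log(2) }'
}

# new_ed25519_key KEYFILE COMMENT: ed25519 key with 100 KDF rounds (-a),
# which slows offline guessing against the private key file. ssh-keygen
# prompts for the passphrase, so it never appears in argv or history.
new_ed25519_key() {
    ssh-keygen -t ed25519 -a 100 -f "$1" -C "$2"
}

# Example session (not run here; $WORDLIST is an assumed path):
#   pass=$(make_passphrase 6 "$(cat "$WORDLIST")")
#   echo "entropy: $(passphrase_bits 6 "$(wc -l < "$WORDLIST")") bits"
#   new_ed25519_key ~/.ssh/id_ed25519 "me@laptop-$(date +%Y-%m)"  # enter $pass at the prompt
```

Six words from a 7776-word list come out at about 78 bits, which is the level where the KDF rounds on the key file matter less than simply not leaking the file; the generator's rejection sampling is what keeps those 78 bits honest, since a plain modulo over a 32-bit draw skews toward the first few thousand words.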

Up Next

Now that I have all that working, I'm still looking at migrating a WordPress site into Elastic Beanstalk and rewriting all my PHP in JavaScript & Python in a new beautiful serverless model. As soon as I find the time...

Bash on Ubuntu on Windows

Thursday, March 23 2017

I've been playing with Bash on Ubuntu on Windows and it's pretty cool. Microsoft has written a shim layer to translate between Linux and Windows kernel API calls, so native Linux binaries can run within Windows.

A few tips for anyone getting started:

  1. Add umask 0022 (or even better, 0027) to your .bashrc -- the Ubuntu environment defaults to umask 0000 and that's not cool.
  2. Git can't interact with HTTPS repos. As far as I can tell, the Ubuntu maintainers have known it's broken for four years and have elected to continue shipping broken software as a way to protest OpenSSL using a different open source license. The recommended workaround appears to be to build your own package linked against a working crypto library. I don't like that.
  3. The version of awscli provided through apt is way out of date, but installing the current version with pip in a virtualenv works just fine.
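An added example for tips 1 and 3, not code from the original post: it shows what the default umask 0000 does to a freshly created file next to the recommended 0027, adds a umask line to an rc file without duplicating it on repeated runs, and isolates a current awscli in a virtualenv. mode_with_umask, ensure_umask_in_rc and install_awscli_venv are names chosen here.

```shell
#!/bin/sh
# Added example: see the effect of a permissive umask, and fix it idempotently.

# mode_with_umask UMASK: create a file with UMASK in effect and print its
# permission string (first 10 characters of ls -l, e.g. -rw-rw-rw-).
mode_with_umask() {
    dir=$(mktemp -d)
    ( umask "$1" && : > "$dir/probe" )
    ls -l "$dir/probe" | cut -c1-10
    rm -rf "$dir"
}

# ensure_umask_in_rc RCFILE UMASK: append "umask UMASK" unless RCFILE already
# sets one; prints the line that is (or now is) in effect. Safe to rerun.
ensure_umask_in_rc() {
    rc=$1; want=$2
    if [ -f "$rc" ] && grep -q '^umask ' "$rc"; then
        grep '^umask ' "$rc"
    else
        printf 'umask %s\n' "$want" >> "$rc"
        echo "umask $want"
    fi
}

# install_awscli_venv DIR: a current awscli from pip, isolated from the
# stale apt package (not invoked here; needs network and python3).
install_awscli_venv() {
    python3 -m venv "$1" && "$1/bin/pip" install --upgrade awscli
}

# Demo (WSL's default 0000 versus 0027):
#   mode_with_umask 0000      # -rw-rw-rw-  (world-writable)
#   mode_with_umask 0027      # -rw-r-----  (group read, no other access)
#   ensure_umask_in_rc ~/.bashrc 0027
```

With umask 0000 every file you create is world-writable, so anything else running under that environment can tamper with your scripts, keys and git checkouts; 0027 drops write for group and all access for others, which is the right default on a multi-purpose box.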

[Update] I shouldn't be surprised that the git issue has had a community fix for years.

Thanks Obama

Friday, January 20 2017

Seriously, thank you.

NBA Jam Glory Days

Thursday, August 11 2016

Back in 1995, I won a Nintendo Power contest for biggest blowout with the rookie team in NBA Jam: Tournament Edition on the Super Nintendo:

Nintendo Power volume 74 page 101

There was a fair bit of strategy and planning that went into my high score, since NBA Jam has a lot of (legal to use) options and codes that can be combined in interesting ways. I think it's finally safe to share my strategy:

Options:

  1. Time Speed: 1 (slowest/longest game)
  2. Drone Difficulty: 1 (easiest opponents)
  3. Hot Spots: On (making shots from randomly-placed circles gives 4-8 points)

Codes:

  1. Dunk from Anywhere (specifically, dunk from hot spots)
  2. Super Shoves (opponents always drop the ball when pushed)
  3. Prince Charles (secret players can't be injured, which otherwise slows you down)

With those in place, the game was pretty tedious. I'd run to the hot spot, dunk for extra points, then shove the opponent as soon as they received the inbound pass, pick up the ball, and dunk from the next hot spot. Sometimes I'd miss the shove and let the computer score quickly. Repeat until time expires.

Bonus trivia: the game's stats counters max out at 255.

Multi-Cloud Database Backups

Tuesday, August 9 2016

It's been two years since the last script and I've read the docs on how to use highlight.js, so I may as well share the new version of my database backups. This one encrypts the backups and keeps a copy in Google Drive as well as Amazon S3.

#!/bin/sh

PATH=${PATH}:${HOME}/bin
DATE=`date --iso-8601`
DAYOFWEEK=`date +%u`
TMPDIR=`mktemp -d`

S3_PATH='s3://<redacted>'

# Parent directory IDs for Google Drive.
DRIVE_NIGHTLY='<redacted>'
DRIVE_WEEKLY='<redacted>'

for DB in `mysql -ss -e 'SHOW DATABASES' | grep -v _schema`; do
        FILE=${TMPDIR}/${DB}-${DATE}.xz.gpg
        mysqldump --events ${DB} | xz - | gpg -r <redacted> --encrypt - > ${FILE}

        # Copy this backup to the clouds for durable external storage.
        aws s3 cp ${FILE} ${S3_PATH}/nightly/ > /dev/null
        gdrive upload --parent ${DRIVE_NIGHTLY} ${FILE} > /dev/null

        # If it's Sunday, do a weekly backup as well.
        if [ $DAYOFWEEK = 7 ]; then
                aws s3 cp ${FILE} ${S3_PATH}/weekly/ > /dev/null
                gdrive upload --parent ${DRIVE_WEEKLY} ${FILE} > /dev/null
        fi

        rm ${FILE}
done

rmdir ${TMPDIR}

# The S3 backups get cleaned out automatically by lifecycle scripts. Google
# Drive needs that to be done manually. Nightly backups have a two-week
# retention period.
DELETE_DATE=`date --rfc-3339='seconds' --date='2 weeks ago' | sed -e 's/ /T/'`
for ID in `gdrive list -q "'${DRIVE_NIGHTLY}' in parents and modifiedTime < '${DELETE_DATE}'" | tail -n +2 | awk '{print $1}'`; do
        gdrive delete ${ID} > /dev/null
done
# Weekly backups can stay around for a year.
DELETE_DATE=`date --rfc-3339='seconds' --date='1 year ago' | sed -e 's/ /T/'`
for ID in `gdrive list -q "'${DRIVE_WEEKLY}' in parents and modifiedTime < '${DELETE_DATE}'" | tail -n +2 | awk '{print $1}'`; do
        gdrive delete ${ID} > /dev/null
done
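One caveat with the dump line in the script above: a pipeline's exit status in POSIX sh is that of its last command, so if mysqldump fails (bad credentials, a database dropped between SHOW DATABASES and the dump), gpg still happily encrypts the empty or partial stream and the result gets uploaded and, two weeks later, rotates a good backup out. Here is an added example, not part of the post's script, of catching that without bash's pipefail while keeping the nice property that the plaintext dump never touches disk. Each stage records a non-zero exit in a marker file. DUMP_CMD, COMPRESS_CMD and ENCRYPT_CMD are assumed names, set here to constructed stand-ins (fake_dump and cat) so the function runs offline; the real values are noted in the comments.

```shell
#!/bin/sh
# Added example: detect failure of any stage of DUMP | COMPRESS | ENCRYPT
# in POSIX sh, which has no `set -o pipefail`.

# Real values would be along the lines of:
#   DUMP_CMD='mysqldump --events'
#   COMPRESS_CMD='xz -c'
#   ENCRYPT_CMD='gpg -r KEYID --encrypt'   # KEYID is a placeholder
# Constructed offline stand-ins:
fake_dump()         { echo "-- dump of $1"; }
fake_failing_dump() { echo "-- partial dump of $1"; return 3; }
DUMP_CMD=fake_dump
COMPRESS_CMD=cat
ENCRYPT_CMD=cat

# dump_pipeline NAME OUTFILE: run the three stages into OUTFILE. If any
# stage exits non-zero, its status is appended to a marker file (the
# pipeline's own status only reflects the last stage); the function then
# removes OUTFILE and returns 1 so a caller never uploads a bad backup.
dump_pipeline() {
    name=$1; out=$2
    marker=$(mktemp)
    { $DUMP_CMD "$name"  || echo "dump:$?"     >> "$marker"; } \
        | { $COMPRESS_CMD || echo "compress:$?" >> "$marker"; } \
        | { $ENCRYPT_CMD  || echo "encrypt:$?"  >> "$marker"; } > "$out"
    if [ -s "$marker" ]; then
        status=$(tr '\n' ' ' < "$marker")
        rm -f "$marker" "$out"
        echo "backup of $name failed ($status); $out discarded" >&2
        return 1
    fi
    rm -f "$marker"
}

# Usage (BUCKET is a placeholder; runs offline with the stand-ins above):
#   dump_pipeline mydb /tmp/mydb.xz.gpg \
#       && aws s3 cp /tmp/mydb.xz.gpg s3://BUCKET/nightly/
```

The marker is created by mktemp with mode 0600, and only exit codes go into it, so it leaks nothing about the dump. A partial dump that produced some output before failing is still rejected, because the check is on the recorded exit status rather than on the output file's size.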

Copyright © 2001-2018 Chris Kuehn