Tarus Balog : Review: System 76 Sable

April 18, 2015 05:24 PM

As you might guess, I am a big fan of all things open, and I tend to vote with my wallet. When the need arose to replace some iMacs in the office, I decided to check out the Sable systems offered by Linux-friendly vendor System 76.

System 76 was a sponsor at SCaLE this year (like OpenNMS) and they also sponsored the Bad Voltage Live event where they gave away a laptop and a server, so they already had my goodwill.

Back in 2008 I needed some machines for our training courses, so being an Apple fanboy at the time I bought iMacs. Outfitting training rooms can be problematic if you don’t do training full time because you usually end up with nice systems that you don’t use very often. Seems wasteful, so we decided to use them to run Bamboo and our unit tests for OpenNMS when they weren’t being used for training.

Seth noticed that it was taking those machines around 240 minutes to run the suite of tests versus 160 minutes for the newer iMacs we were using, and this was having a negative impact on development (almost everything we do relies on test driven development). Since we were running Ubuntu on the boxes anyway, I decided on a Linux alternative and chose System 76 for the first six replacement systems.

I like all-in-one systems for training since they tend to move around (we use the training room as a conference room when there are no classes). The all-in-one form factor makes them easy to carry. The Sables I ordered came with a 23.6 inch touch screen at 1080p, 3.1 GHz i7 processor, 16GB of RAM and a 500GB SSD for a total price of US$1731.

The ordering process went smoothly (there was one glitch when the original quote was for seven instead of six but it was quickly corrected). I placed the order on March 18th and they shipped a week later on the 25th.

They arrived in six boxes marked AIO PC:

System 76 boxes

I think AIO must be the manufacturer in China, but I couldn’t find a similar system on the web. One box had a smashed-in corner, so I opened it first, but it was packed well enough that the unit wasn’t damaged:

System 76 open box

I removed the packing and pulled the unit out. It was wrapped to protect the screen.

System 76 screen wrap

and the whole unit was covered in plastic wrap to prevent scratches.

System 76 plastic wrap

These units come with a power brick that is external to the system and I ordered them with a Logitech keyboard and mouse. These came in a separate box along with extra cables, etc., for expansion (unlike Apple products, you can actually work on these systems).

System 76 keyboard box

The hardest part about the whole process was figuring out how to turn the darn thing on. I finally found the switch on the back of the system on the lower right side (as you face it). I felt kind of stupid and yes, I even read the little pamphlet that came with it. Perhaps they should add an IKEA-like drawing with the little dude pointing to the switch.

It booted right up into Ubuntu 14.10, and all I had to do was create an account and set the IP address. Ben was then able to get in and deploy our Bamboo image and we were up and running in no time.

System 76 screen

While we still have some iMacs being used, the Sables have, so far, proven to be a solid replacement. I haven’t really used them as a desktop, yet, but they can run our test suite in a little over an hour which is almost a four-fold increase.

System 76 in a line

While Apple doesn’t offer a 24-inch iMac anymore, the 21-inch version with similar processor, RAM and SSD is US$2399, or quite a premium. The Sable is not nearly as thin or stylish as the iMac, but it is a nice looking machine and after struggling this week to correctly replace the hard drive in a late 2009 iMac I appreciate the fact that I can work on these if I need to, and the extra cables shipped with it even encourage me to do so.

And that’s what open is all about.

Mark Turner : Former Obama Pilot: TWA Flight 800 was shot down, here’s why – NY Daily News

April 17, 2015 04:44 PM

I’m glad I’m not the only one.

Was TWA Flight 800 shot out of the sky? As a former pilot, that is a question I get asked about all the time.

I’m no conspiracy theorist, but let’s be clear: Yes. I say it was. And I believe the FBI covered it up.

There are many reasons to disbelieve the official explanation of what happened to TWA 800 almost 19 years ago, on July 17, 1996, off the South Shore of Long Island. There’s hardly an airline pilot among the hundreds I know who buys the official explanation — that it was a fuel-tank explosion — offered by the National Transportation Safety Board some four years later.

Lots can go wrong with an airplane. Engines can fail; they can catch fire. Devices can malfunction. Pilots make errors.

But jets do not explode in midair.

via Former Obama Pilot: TWA Flight 800 was shot down, here's why – NY Daily News.

Mark Turner : Obama to Remove Cuba From State Sponsor of Terror List – ABC News

April 15, 2015 01:59 AM

Obama removes Cuba from the terror sponsor list. I wonder if Raul Castro will remove America from Cuba’s terror sponsor list?

The terror designation has been a stain on Cuba’s pride and a major stumbling block for efforts to mend ties between Washington and Havana. In a message to Congress, Obama said the government of Cuba "has not provided any support for international terrorism" over the last six months. He also told lawmakers that Cuba "has provided assurances that it will not support acts of international terrorism in the future."

via Obama to Remove Cuba From State Sponsor of Terror List – ABC News.

Alan Porter : tar + netcat = very fast copy

April 13, 2015 10:50 PM

I reformatted a hard disk this weekend. In the process, I needed to copy a bunch of files from one machine to the other. Since both of these machines were smaller embedded devices, neither one of them had very capable CPUs. So I wanted to copy all of the files without compression or encryption.

Normally, I would use "rsync -avz --delete --progress user@other:/remote/path/ /local/path/", but this does both compression (-z) and encryption (via rsync-over-ssh).

Here’s what I ended up with. It did not disappoint.

Step 1 – On the machine being restored:

box1$ netcat -l -p 2020 | tar --numeric-owner -xvf -

Step 2 – On the machine with the backup:

box2$ tar --numeric-owner -cvf - . | netcat -w3 box1 2020

(Run this from inside the directory being copied: the trailing "." tells tar what to archive, and without a path tar has nothing to send.)
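A self-contained check to pair with the two steps above, added here and not part of the original post: the stream carries no integrity protection and the listener accepts the first connection it receives, so after the copy compare sha256 manifests of both trees. A local pipe stands in for the netcat pair so it runs offline; the function names and demo directories are assumed.

```shell
#!/bin/sh
# Added example, not from the original post. A tar | netcat copy carries no
# integrity check and the listener takes whatever the first connection sends,
# so after the transfer this compares sha256 manifests of the two trees.
# Function names and the demo directories are constructed for illustration.
set -eu

# Sorted sha256 manifest of every regular file below a directory, with paths
# relative to that directory so sender and receiver manifests are comparable.
manifest() {
    (
        cd "$1"
        find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
            sha256sum "$f"
        done
    )
}

# Return 0 when the two trees carry identical files, 1 otherwise.
verify_copy() {
    if [ "$(manifest "$1")" = "$(manifest "$2")" ]; then
        return 0
    fi
    echo "MISMATCH: $1 and $2 differ" >&2
    return 1
}

# The two halves of the post's transfer, which need a network:
#   receiver: netcat -l -p 2020 | tar --numeric-owner -xvf -
#   sender:   tar --numeric-owner -cvf - . | netcat -w3 box1 2020
# For a self-contained run a plain pipe stands in for the netcat pair.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/etc" "$work/dst"
    printf 'hello\n' > "$work/src/etc/motd"
    printf 'alpha\nbeta\n' > "$work/src/etc/hosts.bak"

    tar --numeric-owner -C "$work/src" -cf - . \
        | tar --numeric-owner -C "$work/dst" -xf -
    verify_copy "$work/src" "$work/dst"
    echo "copy verified"

    # A file that exists only on the receiving side must be detected.
    printf 'junk' > "$work/dst/etc/injected.html"
    if verify_copy "$work/src" "$work/dst" 2>/dev/null; then
        rm -rf "$work"
        echo "injected file not detected"
        return 1
    fi
    rm -rf "$work"
    echo "ok"
}

demo
```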

Mark Hinkle : Presentation – Crash Course Cloud 2.0

April 13, 2015 06:29 PM

Presentation on the current state of cloud computing and the role that open source, containers and microservices are playing in the cloud.

Presented to Florida Linux Users Exchange on April 9th, 2015


Warren Myers : keep your wordpress installs up-to-date

April 13, 2015 03:59 PM

I run several websites on my server – nothing heavy, just some various vhosts for Apache.

Many (but not all) of them run WordPress.

At some unknown point (and I haven’t kept the crap that was being used around), over 100,000 files were uploaded to the root directory of one of the websites (the only one, apparently, I did not have cron’d to keep up-to-date with the latest-and-greatest version of WordPress) – most of these were random-named HTML or JavaScript files. Sometime late Thursday night / early Friday morning of last week, some number of those were triggered which launched a DDoS (distributed denial-of-service) attack against a hosting company in England.

After a relatively short period of time (on the order of a couple hours at most), this otherwise-low-traffic site generated 48MB in Apache httpd logs (normal for a given day is on the order of a few dozen to couple hundred kilobytes).

My hosting provider, with no warning, “locked” my server, and sent me an administrative message with the following cryptic email:

Your server with the above-mentioned IP address has carried out an attack on another server on the Internet.

This has placed a considerable strain on network resources and, as a result, a segment of our network has been adversely affected.

Your server has therefore been deactivated as a precautionary measure.

A corresponding log history is attached at the end of this email.

10:00:21.645887 14:da:e9:b3:97:dc > 28:c0:da:46:26:0d, ethertype IPv4 (0x0800), length 1514: 176.9.40.74 > 85.233.160.139: ip-proto-17
10:00:21.646166 14:da:e9:b3:97:dc > 28:c0:da:46:26:0d, ethertype IPv4 (0x0800), length 1514: 176.9.40.74 > 85.233.160.139: ip-proto-17
10:00:21.649166 14:da:e9:b3:97:dc > 28:c0:da:46:26:0d, ethertype IPv4 (0x0800), length 1514: 176.9.40.74 > 85.233.160.139: ip-proto-17
10:00:21.649416 14:da:e9:b3:97:dc > 28:c0:da:46:26:0d, ethertype IPv4 (0x0800), length 1514: 176.9.40.74 > 85.233.160.139: ip-proto-17
10:00:21.649421 14:da:e9:b3:97:dc > 28:c0:da:46:26:0d, ethertype IPv4 (0x0800), length 1514: 176.9.40.74.54988 > 85.233.160.139.8888: UDP, length 8192

Gee, thanks, hosting company – that was informative.

After several hours of back-and-forth with their support group, I was finally able to get a rescue boot environment enabled, a KVM session to that environment, and could start diagnosing the problem(s). First, of course, were the normal checks of dmesg, /var/log/messages, and the like. Then there was running dig to find out who was being attacked (which is how I found the target IP belonged to a hosting provider in the UK). Nothing. I was also Googling similar error messages, and finally found a clue (though cannot recall where) that malicious JavaScript can cause messages like those provided to me to be trapped by external logging systems.

This led me to look in /var/log/httpd instead of just /var/log. And there is where I found the unusual log file for my LUG’s website here in Kentucky – bglug-access_log was 48 megabytes. And bglug-error_log was 4.3 MB. As I mentioned above, a typical access_log for that site is closer to ~100 KB.

Opening the ginormous log file showed a host of HTTP 200 response codes for things that looked nothing like WordPress files (things like “qdlrdi-casio-parliament-90treaty.html”). There shouldn’t be HTTP 200 (OK) response codes for non-WordPress files, because it’s a WordPress-powered website.

Running a file listing to screen failed (in the rescue boot environment) – but doing an ls -l > files.out, and then a wc -l files.out showed over 105,000 files in the root directory of the BGLUG website.

To get my server back up and online as quickly as possible, I edited the Apache vhosts.conf and disabled the Blue Grass Linux User Group site and contacted my hosting company as to what the root cause of the issue was, and what I had done to fix it (both needed for them to reenable my system).

After getting the server back online normally, I was able to clear-out all the junk that had been transparently uploaded into the LUG’s site.

One of the biggest annoyances of the whole process (after not having been given any warning from my hosting provider, but just a summary disconnect) was that permissions on the directory for the website were “correct” to have disallowed uploading random junk to the server:
drwxr-xr-x 6 bglug apache 5611520 Apr 11 13:24 bglug

The user bglug had not been compromised (it hasn’t even logged-in in a few months) – and neither was the apache group (which, of course, cannot login, but still).

Apparently, some part of the version of WordPress the site was running (or a plugin) was compromised, and allowed a malicious attacker to upload junk to the server, and spawn this DDoS on my server.

Moral of the story? Keep all your software up-to-date, and monitor your logs for suspicious activity – not sure monitoring would’ve done me good in this case, but it’s a Good Practice™ anyway.
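Two checks, added here rather than taken from the post, that mechanise the triage described above: one scans an Apache access log for 200 responses to .html or .js files sitting directly in the document root (the random-named files the post found) and to PHP files under wp-content/uploads, the other counts files in the document root that are not part of a standard WordPress top level. The log lines, addresses, file names and function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: two checks that would have
# surfaced the incident described above from the access log and the
# document root. The sample log lines and file names below are constructed
# (203.0.113.x and 198.51.100.x are documentation addresses).
set -eu

SAMPLE_LOG='203.0.113.5 - - [10/Apr/2015:03:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2015:03:12:02 +0000] "GET /wp-content/themes/twentyfifteen/style.css HTTP/1.1" 200 820 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2015:03:12:07 +0000] "GET /qdlrdi-casio-parliament-90treaty.html HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2015:03:12:09 +0000] "GET /b7xk-marmot-tender.html HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2015:03:12:11 +0000] "GET /b7xk-marmot-tender.html?r=1 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2015:03:12:15 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2015:03:12:20 +0000] "GET /missing-page.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2015:03:12:22 +0000] "POST /wp-content/uploads/2015/04/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"'

# Read an Apache combined log on stdin and print "count path", most frequent
# first, for every 200 response to (a) an .html or .js file directly in the
# document root, which a stock WordPress install does not serve (readme.html
# excepted), or (b) a .php file under wp-content/uploads, where no code belongs.
suspicious_hits() {
    awk '
        $9 == 200 {
            path = $7
            sub(/\?.*/, "", path)        # drop the query string
            if ((path ~ /^\/[^\/]+\.(html|js)$/ && path != "/readme.html") ||
                path ~ /^\/wp-content\/uploads\/.*\.php$/) {
                count[path]++
            }
        }
        END { for (p in count) print count[p], p }
    ' | sort -rn
}

sample_suspicious() {
    printf '%s\n' "$SAMPLE_LOG" | suspicious_hits
}

# List regular files directly in a document root that are not part of the
# standard WordPress top level (index.php, wp-*.php, xmlrpc.php, readme.html,
# license.txt, .htaccess). A healthy site lists nothing; the post's site
# would have listed over 100,000 entries.
stray_files() {
    find "$1" -maxdepth 1 -type f \
        ! -name 'index.php' ! -name 'wp-*.php' ! -name 'xmlrpc.php' \
        ! -name 'readme.html' ! -name 'license.txt' ! -name '.htaccess' \
        -print | LC_ALL=C sort
}

# Build a constructed document root with three planted files and count them.
demo_stray_count() {
    root=$(mktemp -d)
    for f in index.php wp-login.php wp-config.php xmlrpc.php readme.html \
             qdlrdi-casio-parliament-90treaty.html b7xk-marmot-tender.html 9f2a.js; do
        : > "$root/$f"
    done
    stray_files "$root" | wc -l | tr -d ' '
    rm -rf "$root"
}

sample_suspicious
echo "stray files in constructed docroot: $(demo_stray_count)"
```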

Mark Turner : Flexing the muscle of my electric vehicle

April 12, 2015 02:59 PM

Our Ford Focus Electric

There are many days when I’m driving my electric vehicle (EV) that I’m focused on economy. I will try hard to accelerate smoothly, drive at the speed limit (or sometimes more slowly), and brake as gradually as I can. The reward is high efficiency driving, saving as much money as I can.

Yesterday was not one of those days! Having many different events to attend, stretched from one end of the city to the other, I decided to flex my EV’s muscles. On our Time Of Use (TOU) plan, weekend electricity is super-cheap, so why not have a little fun?

As I drove down 401 yesterday, I sensed the guy behind me was becoming annoyed with my efficient driving. He shifted over a lane in an attempt to pass me. Not only are EVs cheap to drive, they also have a ton of torque just ready and waiting. I let the guy pass but caught up with him at the next light, where we both were lined up.

You think my EV is slow? I mentally challenged him. Watch this!

The light turned green and I gave my EV a goose I normally never give it. It shot so far ahead that I was laughing, a smooth rocket ride right up to the speed limit. Only the motorcycle in front of me took off faster (there are some things an EV can’t catch). At the next light the guy’s expression had changed from disdain to one of wonder. Take that!

I’m sure I could easily burn rubber in the Ford Focus Electric (the poor man’s Tesla) if I chose to. Haven’t tried that because I don’t want to wear down its special low-resistance tires. While I will continue to stretch the range of my EV in my everyday driving it’s good to have some fun with it every now and then!

Mark Turner : AON Hewitt thinks people are costs

April 12, 2015 12:29 AM

Here’s AON Hewitt’s page describing its Dependent Verification Services. I’d hate to be one of those “costly, ineligible dependents” that naively believe they have some sort of right to healthcare or something.

Bean-counters

Aon Hewitt’s Plan-Smart® and Plan-Guard® dependent eligibility solutions help companies verify that eligible dependents maintain access to anticipated benefits and costly, ineligible dependents are removed from coverage as quickly as possible. Plan-Smart performs a complete audit of an enrolled dependent population. Plan-Guard’s ongoing dependent verification services preserve the integrity of the benefit plans on an ongoing basis and protect the results of the comprehensive audit.

Employees’ dependents drive up to 70 percent of a company’s health care costs, but in extreme cases, as many as 15 percent of dependents may actually be ineligible for coverage because of age, marital status or failure to qualify as a legal dependent. Carrying all those extra people can add thousands—if not millions—to your annual benefit costs. Verifying dependent eligibility, however, can be time-consuming and complicated for your HR staff.

Aon Hewitt’s Dependent Verification Services can verify the eligibility of your employees’ dependents, eliminating that potentially tedious task from your HR staff’s responsibilities. Our knowledgeable and experienced benefit professionals ensure a smooth verification process and measurable results. Working with Aon Hewitt enables you to manage eligibility issues in a more objective environment, which helps mitigate potential participant concerns about sharing sensitive, personal information with their employer.

With Aon Hewitt’s Dependent Verification Services, you can:

Reduce future dependent health care costs
Improve employee understanding of what’s driving health care costs
Reduce compliance risk under Sarbanes-Oxley, ERISA and DOL guidelines

Our Dependent Verification Services can be customized with options such as one-time or periodic verification, full population or random sample of plan participants or an initial amnesty period that allows employees to voluntarily drop ineligible dependents.

A wide variety of companies have used Aon Hewitt’s Dependent Verification Services to verify eligibility among active, inactive, retiree and COBRA populations. With an average reduction in the number of eligible dependents of 8 percent for the initial audit and two to three times that percentage on an ongoing basis, the resulting cost savings are substantial.

Mark Turner : Dependent Verification programs are a stupid idea

April 11, 2015 10:52 PM

Many employers are implementing audits of those employees using their company’s health insurance to verify that the dependents claimed are eligible to receive health insurance benefits. I think this is … well, evil.

Sez the Pittsburgh Post:

Employers like the audits because they are often able to help save on health care costs overnight without reducing benefit levels for employees. One in-depth study by the University of Colorado showed the return on investment for its own audit was 13 to 1, in the first year.

But employees targeted by the audits aren’t always fans.

“It creates a lot of anxiety,” said Richard Kolodziejski, legislative affairs director of the Minnesota Association of Professional Employees, whose 13,000-member union is now in the middle of a 130,000-employee audit covering all of the state’s employees.

Or as the Physicians for a National Health Program says:

Many employers have instituted dependent verification programs in order to ferret out this fraud. Is this really what we want to be doing?

It seems ironic that at a time in our history when theoretically we are attempting to enroll as many individuals as possible in health insurance programs, we are pushing a program designed to disenroll individuals currently covered as dependents when they are not technically entitled to such coverage.

We are expanding yet more administrative excesses which are resulting in the opposite of our policy goals. That is, we are increasing the numbers of uninsured through application of these dependent verification programs.

Wouldn’t it be far simpler to have a system that automatically covers everyone, regardless of dependency status or any other criteria? Instead of advancing policies that make health care coverage a crime, shouldn’t we make health care a right for all?

It would be one thing if employers offered first class insurance programs but gone are the days where one’s employer picked up the lion’s share of healthcare costs. Today’s reality is one of high deductibles and spiraling out-of-pocket charges. Forcing employees who are already footing most of their own healthcare bill to cough up extensive paperwork proving the dependents they claim are actually who they say they are is petty and distrustful.

And what if Joe Employee’s sick five-year-old kid is found to be ineligible for coverage? Can anything good come from kicking the kid off health insurance? The kid is going to be SOL and how do you think Joe is going to feel about working there any longer?

Is there anything more evil than a company that would deny a kid healthcare just to save a few bucks? At a time when we should be getting more people health care coverage, why are so many employers focused on kicking more people off of it?

There is plenty of obscene cost to be trimmed from what passes for this country’s healthcare. Going after kids wouldn’t be the first approach I would take. Dependent verification is a stupid idea being sold to employers by healthcare companies that are only looking to make a buck. As Freakonomics says,

The next time you’re counting up all the reasons why employer-based healthcare insurance is a bad idea, you can include this one, too.

Mark Turner : Lessons learned from a month of EV ownership — Technology Musings — Medium

April 10, 2015 08:34 PM

Good advice from a new EV driver.

I’ve lusted after a Tesla since they debuted, thought seriously about getting a Nissan Leaf too, but it was after I took a test ride in a BMW i3 that I found a perfect happy medium. I picked one up last month and learned plenty in the short time I’ve been driving it. If you’ve ever wondered what it’s like to live with an electric vehicle (EV), here’s a list of things I’ve learned since taking the plunge.

via Lessons learned from a month of EV ownership — Technology Musings — Medium.

Mark Turner : Silent running

April 10, 2015 04:57 PM

I’ve driven an electric car for about 5 months now and discovered a curious effect: Electric cars are invisible to wildlife. Several times I’ve driven right up on a bird, cat, or squirrel standing in the road and they only move when I’m within a split second of hitting them. You would think that just the sight of an approaching vehicle would be enough to send them scurrying but this does not appear to be the case. Critters apparently depend on the noise of vehicles for detection the same way many people do.

Not all people have trouble spotting electric cars. I drive our EV to and from my job on a college campus (NCSU’s Centennial Campus). Every day I pass students walking right near the road, often heads down and staring at their smartphones. Not once have any of these students stepped off into the road in front of me. I think it helps that bicycles are a popular mode of travel here as it may condition pedestrians not to rely on their hearing.

The only time I was concerned was a few weeks ago as I was passing the state school for the blind. A blind gentleman was on the Pullen Park side of Ashe Avenue and seemed confused as I was driving by. He was on the other side of the road from me so there was no immediate danger of him stepping into the road. Even so, I wonder what our blind citizens think of electric vehicles, as silent as they are.

Mark Turner : Baltimore Police used secret technology to track cellphones in thousands of cases – Baltimore Sun

April 09, 2015 08:43 PM

"In Baltimore, they’ve been using this since 2007, and it’s only been in the last several months that defense attorneys have learned enough to start asking questions," he said. "Our entire judicial system and constitution is set up to avoid a ‘just trust us’ system where the use of invasive surveillance gear is secret."

via Baltimore Police used secret technology to track cellphones in thousands of cases – Baltimore Sun.

Mark Turner : Drip drip drip

April 09, 2015 05:49 PM

I was showering this morning when I realized that the water pressure isn’t what it used to be. There is no cut-off valve for the shower (or at least, any accessible valve), so I began to wonder what might account for the weak water. It’s true that a pipe from our water heater busted last fall but that was fixed up better than new by our ace plumber, Allen Baker. There was no other water running in the house at the time, so what is left?

Then it hit me (an idea, not the water). Last year, we were on the end of Tonsler Drive and the end of the water line. When the new Oakwood North subdivision went in, it extended this water line. I didn’t notice any drop in pressure initially since the homes were only slowly becoming occupied. Now that the neighborhood is almost built out there are now a lot of morning showers competing for the same water pressure.

It reminded me of the scene from There Will Be Blood: the new neighbors are drinking my milkshake!

Warren Myers : the loss of the shared social experience

April 08, 2015 12:28 PM

On a recent trip I met up with an old friend and his wife for dinner. As conversation progressed, I mentioned my wife and I have been watching M*A*S*H on Netflix. Waxing nostalgic for a moment, he told me that his parents let him stay up to watch the series finale in 1983.

And then he said something that I found fascinating: “you know, there’s nothing like that today – there’s no shared social experience you can expect to talk about the next day with your coworkers, friends, etc.”

And it’s true – sure, there are local shared experiences (NCAA games, etc), but there is nothing in today’s society that brings us all to the same place (even separately) like TV did in the pre-streaming and -DVR era.

There used to be top-rated programs that you could reasonably expect that a high percentage of your coworkers watched (M*A*S*H, The Cosby Show, ER, Friends, Cheers, All in the Family, Family Matters, etc). There still are highly-rated programs – but they’re very very different from what they used to be. Some of this, of course, comes from the rise of cable networks’ programming efforts (The Sopranos, Mythbusters, Mad Men, Breaking Bad, Game of Thrones, Stargate SG1, The Walking Dead, Switched at Birth, Secret Life of the American Teenager, Outlander, and more). Some of this comes from the efforts of streaming providers (House of Cards, Orange is the new Black, Farmed and Dangerous, etc). And there are still great shows on broadcast TV (Once Upon a time, CSI, Person of Interest, etc). But they’re different than what they used to be.

Not different merely because of better acting (sometimes it’s worse), better writing (same critique applies), better filming (Revolution – I’m looking at you as the antiexample of good filming, and why you got canceled after just two seasons), better marketing, or better special effects.

But mostly they’re different because we, as a culture, have decided we do not want to be tied to an arbitrary time-table dictated to us by the Powers That Be™ at The Networks™. With the rise in un-tie-ability given to consumers, first with VCRs, then VCR+, then TiVo, and now DVRs and streaming options everywhere, even though we’ve been getting bilked on film time (an “hour long” program in the early 80s was 48-49 minutes of screen time, today it’s ~42 minutes – that’s a huge amount of added advertising time) from our programs, we have ways of compressing and massaging our watching to our personal schedules. Can’t be home in time to catch insert-name-of-series-here? No problem! It’ll be on Hulu or Amazon Prime tomorrow, or your DVR will catch it for you. Or it’ll be on Netflix in a few months.

And if you get it on Amazon Prime or Netflix, there’ll be no ads. Hulu may have a few, but they’re still shorter than what was shown on ABC the night before.

It used to be that the Superbowl was a major sporting event at the beginning of each year when the culmination of 17 weeks of regular season play, and a few playoff games, showed us just who was the best football team out there.

No more.

Now the Superbowl is a chance to see new commercials from scores of companies – each of whom has spent millions just to get the ad on TV, let alone film it – and maybe catch a little bit of a game on the side. (Unless you happen to care about the Seattle Seahawks – but I digress.)

Before widespread adoption of TV, the shared social experience would’ve had to have surrounded radio programs (perhaps The Lone Ranger, or Orson Welles’ production of The War of the Worlds).

And prior to widespread radio, what shared social experiences did society (not just little pockets) have? Gladiatorial combat in ancient Rome? The Olympic Games?

Which really means that shared social experiences a la the M*A*S*H finale are an historical aberration – something that came to be less than a century ago, and which lasted less than a century. Something as fleeting as the reign of clipper ships in transport, from a grand historical perspective.

And maybe that’s a Good Thing™ – society being drawn together over common experiences isn’t, necessarily, bad: but is it necessarily good? That’s the question that has been bugging me these last couple weeks – and which probably will for some time to come.

What say you – is it a loss, a gain, or just a fact that these shared social experiences are no more?

Tarus Balog : ♫ To Be Thick as a Brick ♫

April 07, 2015 04:44 PM

In keeping with the musical theme this week, I thought it would be cool to post about a little bit of OpenNMS “bling” now featured at the Chatham County Public Library in Pittsboro, NC.

OpenNMS Brick

We like to both talk about OpenNMS as well as support the local community, so when I found out that the library was raising money by selling personalized bricks, I thought it would be cool to get one.

OpenNMS Brick

We also have one to be installed at the Tesla Museum. I’m going to have to take a road trip to get a picture of that one, or see if Jeremy Garcia will drive over when it is open and take one for us.

Mark Turner : My first long-distance EV trip

April 07, 2015 01:44 AM

Too close for comfort!

Over the past week I’ve made several trips to visit my seriously ill friend Scott Greenough out at UNC Hospital. I don’t always have the option of taking our Kia Sorento, so I often top off the juice in our Ford Focus Electric and hit the road.

Driving an EV longer distances requires one to do a little math, particularly if one is unsure a charging station can be found at the destination. I figured with my top range of about 75 miles, I would have more than enough to get there. The PlugShare app showed a ChargePoint charging station in the parking deck across from the hospital, so I figured I would be good to go.

I drove it in the Kia the first night and spent a little time beforehand walking around the parking decks in search of the charger. Walking through all three decks, checking every corner, I failed to find any charger. On the PlugShare app, no one had ever checked in at this station. The only thing worse than not knowing where a charger is is thinking that you know where it is and it not being there!

I drove the Focus there the second night, knowing there was no charger but thinking I might get lucky and find a regular outlet with which to charge. To my disbelief, there was no conduit anywhere to be found in the parking deck save the row right next to the attendant booth and handicap parking. No way could I plug in and use that. Instead of taking home a full charge and cruising at highway speeds, I wound up limping home, driving well below the speed limit and hoping I wasn’t too much of a hazard. It turns out I made it out and back successfully on one charge: a 66-mile round trip. Whew!

The second trip out there I did things a little differently. I didn’t have enough in reserve and, thinking I might economize by taking Highway 54 rather than I-40, I peeled off the interstate at Apex. While it’s true that driving around 50 MPH is more economical than driving 70 on I-40, the backroads are also not as direct. I wound up driving more miles and losing energy with frequent stops at traffic lights. I arrived home on electric fumes, with only 5 miles left on the batteries. Lesson learned: wind drag at highway speeds might sap an EV’s economy but a direct course beats a roundabout one.

Buddy, can you spare some electrons?

Friday night was the night I got wise. An EV owner has a rental business about a 5 minute walk behind the hospital parking decks. I found his charging station on PlugShare and was delighted to be able to not only fully charge my car but to avoid paying for parking at the deck. My trip home was at highway speeds with 22 miles to spare. Success!

Knowing I could get home either way, I decided to economize on Saturday. My trip out to Chapel Hill was done around 60 MPH. To my surprise, I was not alone at driving this speed. I didn’t stand out at all. My efforts paid off when I rolled up to the hospital deck with 50 miles of capacity left (down from 80 at the start). This allowed me to get home worry-free at highway speeds again. Saving on the front end of the trip gave me more flexibility for the return trip.

A big help with the EV on longer trips is the navigation system. The system asks if you’ll be charging at your destination. By answering yes, the car computes the range you will have left once you get there (displayed as the “surplus”). This lets you employ your range-saving tricks as you go, knowing what you’ll have left once you get there. As long as your surplus value remains positive, you know you’ll be able to get back home.

Bottom line? Longer-range EV trips can be done. I’ve gained confidence in how to stretch my EV’s range, and how to calculate my odds of returning without an emergency charge. It opens up the Triangle for exploring in my electric vehicle. In a future post I’ll tell you what I’ve learned about the Triangle and EVs. Happy driving!

Mark Turner : Why skeptics think a South Carolina sailor lied about being lost at sea for 66 days – The Washington Post

April 05, 2015 11:23 PM

This guy is a liar and a nutcase to boot.

It’s rare that a man is lost at sea and returns home looking even healthier than before he disappeared.

But that’s exactly what skeptics of Louis Jordan have pointed out as they question the 37-year-old’s miraculous account of surviving 66 days adrift in the Atlantic Ocean.

via Why skeptics think a South Carolina sailor lied about being lost at sea for 66 days – The Washington Post.

Tarus Balog : ♫ The Lunatic is on My Web ♫

April 04, 2015 04:08 PM

The TL;DR of it is that I needed to create a new forum called OpenNMS Connect. This will be a place for OpenNMS Meridian users (especially those that don’t purchase support) to ask questions. I tried a number of different applications until I decided to take a chance on a project called Luna. So far I’ve been happy.

When I first started my quest for forum software a couple of months ago, I did what most geeks do and did a search for it. I found a very helpful Wikipedia page (‘natch).

After dismissing the non-open source options, I started looking at the programming language. Now I know I really shouldn’t be a PHP snob (this blog is presented using PHP software) but having been burned in the past with security issues my first inclination is to avoid it.

Now the guys in the office are trying to get me to think all “agile-ly” and so I need a “user story”. For any forum we use it has to support LDAP, for which the story could be “User must be able to access forum using directory services” or better yet “Admin needs a central way of controlling forum access”. We implement LDAP via the FreeIPA project, and it will just be so much easier if we can add and remove people from a particular group and just have it work.

The first project I looked at was Discourse. I was especially interested in a hosted version if I could tie it into our IPA instance. Discourse is kind of the “new hotness” at the moment, but I didn’t see an easy way to implement LDAP. There is a Single Sign On (SSO) option but it would require writing our own authentication page, and it wouldn’t work if we hosted it with them anyway.

The next project that caught my eye was the eXo Platform. It’s written in Java (as is OpenNMS) and it seems to have a ton of features. Perhaps too many. In any case I put the team on it and asked them to get it working with LDAP.

They succeeded in getting LDAP authentication to work, but then hit a ton of other snags. The authenticated users couldn’t access the default /portal/intranet site no matter how often we tweaked the permissions. They could reach the /portal/meridian site but we couldn’t figure out how to change the default portal. And in all cases we couldn’t get the top menu bar to load with an LDAP user which meant you couldn’t log out, etc.

On Friday I decided to see what I could do about it. Friday was a long day.

eXo is one of those companies that produces an open source version of their software as well as a paid version. My three readers know how I feel about that business model, and it made it kind of frustrating to figure out things since I couldn’t tell if the documentation would actually work on the “community” version. Also, to access the forums you need to register, which gets you a couple of spam-y e-mails trying to sell you on their paid version. Not too obnoxious and I can understand why they do it, but it was a little annoying.

It can also be hard to administer. A lot of the configuration is buried in .war files. For example, in order to set the default portal above, you have to unpack portal.war, change it and repack it. In playing around with the system, I decided that while the LDAP authentication is nice, the platform itself is way overkill for what we need. It is huge and on our system took several minutes to start up and would often spike the load with limited users.

So I spent a lot of time looking for alternatives. Unfortunately, the only option I found that had easy to understand LDAP integration was phpBB. When I mentioned that to the team, Jeff threw up in his mouth a little and I wasn’t too happy about that choice either. I don’t have the same prejudices as some, but I felt that its style was a little dated and there have been some serious security issues in the past associated with it.

But for grins I installed phpBB anyway. It was rather easy to do, which made me happy, but then I noticed that it was not easy to make the forum itself private. Another user story is that “Admin requires that only authorized users see the forum”. You can make certain parts of phpBB private, but I kind of wanted the same thing as eXo – an initial log in screen you have to use before accessing the site.

Then it dawned on me that we could just put it in a directory by itself in the web root, say /forum, and then make a pretty splash page on the site with a link to it. Apache LDAP authentication is something we already figured out and knew worked, and I could just require a valid login to access /forum.

This caused another lightbulb to go off. If we are going to do it that way, then why not just put any forum we like behind an LDAP authenticated directory?

The downside would be that users would need to create a forum-specific user if they wanted to add content, but on the upside they could choose their own usernames, thus obfuscating their identities for people who work at sensitive organizations. Thus we could have an LDAP user tied to, say, obama@whitehouse.gov and their forum name could be something totally different, like “Hot Cocoa”.

Yes, I know it is dressing up a bug as a feature, but to me it did seem useful.
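For the record, here is the shape of the Apache piece of that plan. This is an added example written for this page, not configuration from the post or from the OpenNMS project; the hostname ipa.example.com, the base DN dc=example,dc=com, the bind account apache-bind, the group forum-users and the paths are all assumed placeholders. It uses mod_authnz_ldap against a FreeIPA directory and gates /forum on membership in one IPA group, which is what makes the “add and remove people from a group and have it just work” story true.

```apache
# Added example, not from the original post. Apache 2.4 + mod_authnz_ldap
# in front of /forum, authenticating against FreeIPA. All names are assumed.
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Talk to IPA over LDAPS only and verify its certificate against the IPA CA,
# otherwise every forum login hands the user's password to whoever answers on 636.
LDAPTrustedGlobalCert CA_BASE64 /etc/ipa/ca.crt
LDAPVerifyServerCert On

<Directory "/var/www/html/forum">
    # Basic auth sends the password with every request; only serve this over TLS.
    SSLRequireSSL

    AuthType Basic
    AuthName "OpenNMS Connect"
    AuthBasicProvider ldap

    # Users live under cn=users,cn=accounts in IPA; the login name is the uid attribute.
    AuthLDAPURL "ldaps://ipa.example.com/cn=users,cn=accounts,dc=example,dc=com?uid?sub?(objectClass=posixAccount)"

    # A read-only IPA "system account" used to search for the user before the
    # user's own bind. The password is read from a root-only script rather than
    # sitting in httpd.conf (AuthLDAPBindPassword exec: needs httpd 2.4.5+).
    AuthLDAPBindDN "uid=apache-bind,cn=sysaccounts,cn=etc,dc=example,dc=com"
    AuthLDAPBindPassword "exec:/etc/httpd/ldap-bind-pass.sh"

    # Access is decided by group membership, not just by having a valid account.
    # IPA groups carry full member DNs in the "member" attribute, so removing a
    # user from forum-users in IPA locks them out of /forum on the next request.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=forum-users,cn=groups,cn=accounts,dc=example,dc=com
</Directory>
```

Two things worth knowing before relying on the pseudonym idea above. Apache records the authenticated LDAP login in its access log (the %u field of the common log format), so a forum name like “Hot Cocoa” hides the directory identity from other forum users, not from whoever can read the web server's logs. And the group check here is done by Apache; the forum software behind it still has its own accounts, so disabling someone only in the forum does not stop them from reaching it, and disabling them only in IPA does not delete what they posted.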

Then I thought, hey, let’s revisit Discourse. That turned out to be harder than it would seem.

Well, the only way to install Discourse on CentOS is as a Docker container, and at the moment it doesn’t seem to work.

The first time I tried to install it, it died complaining about lack of access to an SMTP server. Nowhere in the instructions did it say you had to modify the app.yml and put in a valid mail server. In any case, I did that and restarted the install.

At one point during the install process I get this:

-- 0:  unicorn (4.8.3) from
/var/www/discourse/vendor/bundle/ruby/2.0.0/specifications/unicorn-4.8.3.gemspec
Bundle complete! 92 Gemfile dependencies, 189 gems now installed.
Gems in the group development were not installed.
Bundled gems are installed into ./vendor/bundle.

I, [2015-04-04T04:49:47.161747 #38]  INFO -- : > cd /var/www/discourse
&& su discourse -c 'bundle exec rake db:migrate'
2015-04-04 04:49:55 UTC [339-1] discourse@discourse ERROR:  relation "users" does not exist at character 323
2015-04-04 04:49:55 UTC [339-2] discourse@discourse STATEMENT:      SELECT a.attname, format_type(a.atttypid, a.atttypmod),	                     pg_get_expr(d.adbin, d.adrelid), a.attnotnull, a.atttypid, a.atttypmod
	                FROM pg_attribute a LEFT JOIN pg_attrdef d
	                  ON a.attrelid = d.adrelid AND a.attnum = d.adnum
	               WHERE a.attrelid = '"users"'::regclass
	                 AND a.attnum > 0 AND NOT a.attisdropped
	               ORDER BY a.attnum

which a Google search says to ignore, but then a little while later the install fails with:

FAILED
--------------------
RuntimeError: cd /var/www/discourse && su discourse -c 'bundle exec rake db:migrate' failed with return #
Location of failure: /pups/lib/pups/exec_command.rb:105:in `spawn' exec failed with the params {"cd"=>"$home", "hook"=>"bundle_exec", "cmd"=>["su discourse -c 'bundle install --deployment --verbose --without test --without development'", "su discourse -c 'bundle exec rake db:migrate'", "su discourse -c 'bundle exec rake assets:precompile'"]}
68a9a49f29ad74d9ab042bcaadfb06e02ff526104fefd82039eae1588bbb6e43
FAILED TO BOOTSTRAP

on which Google is much less helpful. No matter what I did I couldn’t get past it.

This kind of brings up an issue I have with Docker. Now let’s get this out of the way: I am jealous of the Docker project. We’ve been around for 15 years and gotten little notice whereas they have become huge in a short time. It would be nice if, say, I could get up to four readers on my blog.

But I really, really, really hated how hidden this whole process was. You install software on your system and then load “magic bits” from the Internet and hope it works. I think this is great on an intranet when you need to deploy lots of the same things, but without developing it internally first it was a little scary. When it doesn’t work it is incredibly hard to diagnose. Because the app wouldn’t build I couldn’t play with the database or really do anything, so I just uninstalled and reinstalled numerous times to try to fix this.

Plus, by running in a container, we would then need to modify nginx to use our LDAP configuration and that seems to be much harder than with Apache. I didn’t think it would be easy to just forward requests to the Docker instance, but since I couldn’t get it to work I’ll never know.

By this time I said, screw it, reinstalled phpBB and went home. It’s now about 8pm and I’ve been at it 11 hours.

Well, I have a mild form of OCD, or maybe it’s just being a geek, but I couldn’t let it rest. So early this morning (as in soon after midnight) I discovered a project called Luna (an active project from the aforementioned Wikipedia page).

Luna is the next iteration of the ModernBB project, which in turn is a fork of FluxBB. It’s simple, does almost everything I could want, and was incredibly easy to install. No Docker containers, no large Java app, just some PHP that you drop in your web root. Plus the web UI is built on Bootstrap just like OpenNMS.

In about an hour I had it running, had changed the style to match our color palette, and fixed an issue where jquery wasn’t getting loaded by copying it down as a local file.

OpenNMS Luna Website

The downside is that it isn’t production yet. I installed 0.7 and earlier this morning they released 0.8. Jesse fixed an issue with the internal mail system and I have a couple of more issues that I’d like to see fixed, but overall I’m very happy with it. They are aiming to release 1.0 on 13 April.

And I really like their attitude and philosophy. They are self-funded and I love Yannick’s tag line of “You Can Do Anything.”

To help that I sent them 100€. (grin)

Anyway, sorry for the long post. I’ll let you know how it goes.

Mark Turner : Still some fight

April 04, 2015 02:36 AM

Still some fight
Mark Turner, April 2, 2015

I suppose I should offer a disclaimer to let you know that I’m not the official family spokesperson or anything of the sort. I’m just one of several co-authors here. I am not a doctor, nor do I play one on TV. I’m just a close friend of Scott who knows a lot of people care about him. I want to let you know what seems to me to be going on.

I am in a bit of a conundrum here as I have two somewhat conflicting beliefs:
1. Scott is getting the best care he possibly can by being at UNC.
2. Scott is improving, in spite of what his caregivers say.

After spending time with him over the last few nights, I can say he seems much better than he did last week. His mind is sharp, his speech is clearer and stronger, he’s closer to his normal color, and his strength has grown from even the day before. I don’t think Scott is exaggerating much when he calls the “IV IG” he’s been getting “miraculous.” It’s really helped his body boost his platelet count and he is noticeably more active.

Scott is certainly not out of the woods and faces an uphill climb. His kidney numbers from yesterday are discouraging, certainly, but I have a glimmer of hope that his recent improvement might carry over to his kidneys. He gets more lab work done Friday and Saturday. Let’s hope for the best!

Comments

Scott, Hang in there. You can & will beat this.
—Bob LeBrun, April 3, 2015

Mark, I am really glad that you posted this, not only because it makes me happy, but I’ve also seen an improvement over the last three nights. I’ve been taking comfort that, wondering if I’m crazy or just seeing what I want to see. But I’ll keep hoping and praying for him.
—Julia Trimmer, April 3, 2015

Scott – Lisa and the Family are thinking of you and praying for your recovery. Hang tough and keep up the fight.
Thanks for the updates Mark.
—Patrick Johnston, April 3, 2015

Hang Tough Scott. Your DBD teammates would like to offer our help if there’s anything that needs to be done around your house, or other errands/projects, etc that we could possibly help out with. Let us know…
CONN
—Allan Shang, April 3, 2015

Thank you Mark
I’m in agreement with his improving situation with the conflict on kidney and liver numbers. I think he needs to remain at chapel hill for a while longer to make a more complete determination of his situation. Shout out to you, Jeff and Mandy for all that you three have done for Scott and Erin.

Angels in our backyard.
Bless you
Scott’s brother , Wayne
—Wayne Greenough, April 3, 2015

Mark – thanks for the encouraging update.
Scott – we all want you to keep fighting – You got this bro!
—Greg Newman, April 3, 2015

Good Deal on the IV IG ! Managing 2ndary infections is key when battling a major illness. Carolyn had IG injections after each of her Chemo sessions and it doubled her white cell count when it would have been halved or worse.
—Mike Harris, April 3, 2015

We love you brother…stay strong and keep fighting!
—Todd Pollock, April 3, 2015

No disclaimer necessary. You’re a wonderful friend to dedicate time to keeping Scott’s family and friend network informed. For those of us not close by, we are watching HERE for news on Scott’s condition, your efforts are our lifeline to Scott. He has friends…brothers here in Connecticut who he grew up with who are very concerned, please pass to Scott we are here for him praying for his recovery.
Thank you Mark, for what you’re doing.
—Bill Moryto, April 3, 2015

Stay Strong Scott! Those two beauties need to see your smile & hear your laughter every day!
—Suzanne Ballou Rowell, April 3, 2015

Keep up the fight Scott! Miracles are all around us every day! Sending more love and prayers!
—Heather Dubian, April 3, 2015

My family is sending Prayers for you and your family. Get better Scott…
—dave calverley, April 3, 2015

So sad to hear this tonight! Wishing Scotty and Family all the best! All my years of playing Hockey, I truly enjoyed the time together. Such a positive and fun loving guy! Keep up the fight Scott!! Our thoughts and prayers are with everyone there! Miss you bud!
—Bryan Cox, April 3, 2015

Awesome update! Win the battle Scotty G!
—Brian Allen, April 2, 2015

Come on Scotty – do it. Fight like a mother f*cker. We all love you.
—Jen, April 2, 2015

Prayers for you and wishes for a speedy recovery!!! Love, your cousin Stef
—stefanie, April 2, 2015

Mark Turner : Scott is fighting for his life

April 04, 2015 02:23 AM

I was asked to remove my posts from Scott’s CaringBridge site so I decided to repost them here for anyone wishing to continue reading updates about him.

Scott is fighting for his life

Mark Turner, April 2, 2015
Scott has been in the hospital since mid March with terminal liver failure and is fighting for his life. He and his wife Erin have asked me to set up this CaringBridge site for friends and well-wishers to keep up with his progress.

Comments

Hey old buddy… Please hang in there and fight hard. We love you.
—Jonathan Chapman, April 2, 2015

You’re in our thoughts Scott. Stay strong friend!
—Russ Constantine, April 2, 2015

Sending massive amounts of healing energy your way, Scott.
—Barbara Gilly, April 2, 2015

Just read Michael Beaulieu’s message informing us of your condition. I was shocked, to say the least, but I have great faith that God will listen to our prayers, therefore I am thinking that He will grant you full recovery. Just don’t give up and keep trucking…don’t forget to pray though, that is the key to success. I am sending you my get well prayers. All our love from the Raymond’s family, in Connecticut.
—Charleen Raymond, April 2, 2015

Thinking of you playing that guitar and singing Johnny Cash my friend. Praying hard for you and the girls.
Sending tons of strength your way.
—Canady Thomas, April 2, 2015

Hang in there buddy. Wishing you all the best.
—Mike Marks, April 2, 2015

Prayers for you Scott, and to your family. May God Bless you all.
—Lisa Raffia, April 2, 2015

Sending you strength and prayers to you, Erin, and family. You have two beautiful girls that love you. Fight for them!!
—Jennifer Lantry, April 2, 2015

So much love, prayers and strength being sent to you! Keep fighting!
—Heather Dubian, April 2, 2015

Praying…so hard. Fight Scott. Fight.
—Kathleen, April 2, 2015

Dude! What’re you doing??!! Get better!!!
Positive vibes for you and your wife.
—Annette Houle, April 2, 2015

The Beaulieu’s are praying for you – love you like a brother!
—Michael Beaulieu, April 2, 2015

Mark, thanks so much for setting this up! I am really glad to see it and I think Scott needs to know how many people love him. There are a lot of Scotty fans out there!
—Julia Trimmer, April 2, 2015

Thinking about you and your family Scott! I know with all the love and support of your friends and family you will make a quick recovery. Please let us know if there is anything we can do!
—Beth Marshall, April 2, 2015

Prayers to Scott, Erin and family. Always have great memories of Fermi hockey.
—Peter Smith, April 2, 2015

Praying for you Scott. So sorry to hear this news and believing for a miracle!
—Wayne Sombric, April 2, 2015

Sending love and prayers your way!
—Chrystal Ingersoll, April 2, 2015

Sending love and prayers to you!
—Allison Fuller Pike, April 2, 2015

Tarus Balog : OpenNMS on Bad Voltage

April 02, 2015 09:10 PM

I had to go back through my notes, but I first met Jono Bacon on April 12th, 2008 at a LugRadio Live show in San Francisco. Jeremy Garcia, the founder of LinuxQuestions.org, I didn’t meet until this year’s SCaLE conference, but I had been following that site since at least 2009 (or at least that’s the oldest e-mail I still have from it). Those two guys make up half of the team behind the Bad Voltage podcast.

The other half consists of Stuart “No Fruit in Beer” Langridge and Bryan “Puffy Nipples” Lunduke, both nicknames earned at SCaLE (where they did their first live show). Stuart, the more social and less-sickly of the pair, joined us for a few drinks one evening during the conference, but I have yet to meet Bryan face to face.

Which is probably a good thing, because the few seconds I saw said face on a Google hangout this week, well, it wasn’t pretty. Ebola is nothing to joke about so I shall leave it at that, but let’s just say he was under the weather.

I was on the Hangout because the guys asked me to come on Bad Voltage. The first time I was invited was a couple of weeks ago when the taping was on a Thursday. I couldn’t make that one, so considering the history of this crew I was a little suspicious when they asked me to chat on April Fool’s Day.

Of course, this is when I found out that Bryan was deathly ill and wouldn’t be joining us, and even my thick brain can detect a pattern. Dodges me at SCaLE even with the promise of free booze. Ditches me during the one time I’m on his show. I know when I’m not wanted.

The string of “coincidences” continued during the taping when Jono’s app crashed a few minutes into our chat. In 38 shows it had never happened before and so we had to start over, and the guys were good sports and laughed at all the right moments as I repeated my stories. April Fool’s Day is also my wedding anniversary, so they got a small slice of what it is to live with me and have to suffer through my stories over and over (she’s stuck with me for 22+ years so I guess that is one miracle for her sainthood, two to go).

Anyway, after the technical glitches were sorted and Bryan was done snubbing me, I thought the chat went pretty well. It’s hard for me to fit anything into ~10 minutes and I left stuff out that I would have liked to say, but I hope it gets people interested in OpenNMS. In any case, even without my bit (or should I say especially without my bit) the show is always entertaining and you should check it out. You’ll get the occasional F-bomb and sometimes references to moose genitalia, but overall it is pretty safe for work.

Anyhoo – check it out and let me know what you think:

Bad Voltage 1×39: Ambitious but Rubbish

Mark Turner : Scott Greenough is gravely ill

April 02, 2015 04:46 PM

Scott Greenough

I have been preoccupied for over a week as my close friend Scott Greenough has been battling for his life. He’s in the hospital now with terminal liver failure and everyone is concerned that he might not make it.

I set up a Caring Bridge site for Scott last night for his friends and loved ones to share their thoughts and follow his progress. You can check it out here.

Please keep him in your thoughts and prayers!

Update: I have created a separate blog for updates on Scott. See the Scott Greenough page.

Tarus Balog : OpenNMS at POSSCON, 14-15 April

April 01, 2015 04:23 PM

#NotAprilFools

I love the fact that with the possible exception of OSCON (which has blacklisted me as a speaker for some reason), the main open source conferences all tend to be grassroots, regional affairs. I love going to them and find them to be much better than the commercial and corporate shows.

One I have never been able to attend is POSSCON. Although only one state away, my schedule has not worked out to allow me to go. I’ve heard a number of good things about it, so this year I was determined to attend and The OpenNMS Group is even a gold sponsor.

We will have a booth where you can come by and see the new OpenNMS shiny, and I will be giving a talk on the first day about switching to the Linux Desktop, and on the second day there will be a workshop on using OpenNMS.

Hope to see you there.

Warren Myers : please reply at top

April 01, 2015 02:00 PM

There is a constant war over top-repliers, bottom-repliers, and inline-repliers.

If you’re replying to an email, reply at the top. Unless there is some overarching need to reply inline (hint – it is very very rare).

Bottom-replying makes me have to reread all the crap that has been left from previous messages before I get to what you wrote – what a phenomenal waste of time*!

Just reply at the top. Like every sane person does.

Please.


*Yes, you should also trim whatever you don’t need when you reply – but that’s another story.

Mark Turner : Google Fiber introduces Dialup Mode

April 01, 2015 10:37 AM

Google Fiber wants to slow things down a bit, so they’ve added Dialup Mode to Google Fiber.

Happy April 1st!

Mark Turner : Daylight Saving Time for Electricity

March 31, 2015 01:59 PM

Today (or maybe tomorrow? I’m still not sure) is the day that the hours change for those of us on Duke Energy Progress’s Time Of Use (TOU) electric billing plans. When you’re a grid-tied solar electricity provider like we are, Duke puts you on a TOU plan so that you are encouraged to use most of your electricity off-peak. The change in electric season is like Daylight Saving Time for our electric bills.

Peak hours in winter are from 6 AM to 1 PM and from 4 PM to 9 PM. Summer peak hours are from 10 AM to 9 PM. This means we can run our dryer or charge our electric car in the morning, rather than hold off until after 9 PM, which is a good thing.

I made a handy chart to help keep track of these schedules but haven’t shared it yet since I want to incorporate suggestions that Kelly made. Hopefully I’ll get it posted soon.

Mark Hinkle : OpenSource.com – Open source and DevOps aren’t mandatory, but neither is survival

March 31, 2015 02:28 AM

I recently wrote an article for OpenSource.com: Open source and DevOps aren’t mandatory, but neither is survival. This article is part of the Easy DevOps column coordinated by Greg Dekoenigsberg, VP of Community at Ansible. Share your stories and advice that helps to make DevOps practical—along with the tools, processes, culture, successes and glorious/inglorious failures from your experience—by contacting us at devops-stories@redhat.com.


Tarus Balog : OpenNMS at Fifteen

March 30, 2015 12:14 PM

It was fifteen years ago today that the OpenNMS Project was registered on Sourceforge.

OpenNMS Sourceforge Summary

The project itself was started sometime in 1999, but I wasn’t around then as I didn’t get involved until 2001. I’ve been told that it started in July of that year, but since an open source project really doesn’t exist until something gets shared, it seems that March 30, 2000, is as good a day as any to mark the birth of OpenNMS.

I went poking around on the site and wasn’t able to find the very first thing posted there. I believe it was a mockup of an administration console using the Java Swing toolkit that never actually made it into the product. While I believe the code is still in there somewhere, in switching from CVS to SVN to git, dates do get a little corrupted and I couldn’t find it.

Anniversaries don’t really mean that much in practical terms. In moving from Sunday, March 29th, to Monday, March 30th there was no substantial change in OpenNMS at all. But it does lend itself to a bit of reflection, and fifteen years is a lot of time on which to reflect.

While I have been working on OpenNMS most of my professional career, I didn’t start it. People much smarter than me did, and that has pretty much been the story of my life. My only true talent is getting intelligent and creative people to work with me, and the rest of my career is just basking in their reflected glory. In 2002, the original founders decided to stop working on the project, but I saw its potential and was able to become its maintainer.

My original plan was to simply remain a company of one and provide consulting services around OpenNMS. That didn’t work out so well, as I soon realized that it could be much bigger than one person. In September of 2004, The OpenNMS Group was born in part to ensure that the OpenNMS platform would always be around. We wanted to build something amazing, and this was reflected in our goal “to make OpenNMS the de facto management platform of choice.”

Being pretty much a group of technical people, we didn’t know we were doing things wrong. For a business plan we chose “Spend less money than you earn.” For a mission statement we liked “Help Customers – Have Fun – Make Money”. I put forth my two desires that OpenNMS should never suck and that OpenNMS should always be free software. We just took it from there.

This is not to say that we haven’t met with frustration. Gartner likes to diagram companies on two axes: “Vision” and “Ability to Execute that Vision”. We have a lot of vision, but our business model doesn’t give us a lot of resources to execute that vision quickly.

In order to change this, I spent a lot of time in Silicon Valley looking for an investor. Silicon Valley is pretty much the center of the technology industry, and one would assume that they would know the best way to run a technology based business. But I was pretty much told that you can’t be anyone unless you work in the Valley, you’re too old, and most importantly, you are doing it wrong.

There seems to be a formula they like out there. You raise a bunch of money. You hire as many people as fast as you can. You get as many users as possible and you hope that some larger company will buy you out. They call this an “exit strategy”, and this is supposed to be the focus of the business. Once you “exit” you can do it all again.

The problem, as I see it, is that a lot of companies have to exit before they get bought out. They run out of money, the investors run out of interest or patience, and then they just shutter the endeavor. Sure, you have your prominent billion dollar acquisitions, but in the scheme of things they are a very, very small percentage.

Plus, I’m already doing what I love to do. I really don’t want to do anything else. My chosen field, network management, is huge and I can always find something interesting in it, such as figuring out the best way to deal with the Internet of Things.

Sure, I believe that there are companies out there that would complement what we do. Ones that have the capital to help OpenNMS grow in a way that doesn’t go against our corporate culture. And while our involvement with such a company would probably be through an acquisition, I don’t see that as much as an “exit” as an evolution. I wouldn’t do the deal if I didn’t think I’d want to continue to work on the project, so I wouldn’t be going anywhere.

I see this post has become more about the business side of OpenNMS than the project itself, but I felt it was important to think about how our business philosophy permeates the project. Thus I thought it was serendipitous that Ben sent me a link to an article about an alternative to the “exit strategy” called the “exist strategy”.

The Nishiyama Onsen Keiunkan is the world’s oldest business. It is a hot springs hotel in Japan that was founded in 705 and has been run by fifty-two generations of the same family. They have survived and even thrived for 1300+ years by having a relentless focus on their customers. Even though they have only 40 rooms, by any measure you have to call their undertaking a success.

I think there is a huge problem with the tech industry’s focus on the exit. It’s such a short term goal. I expect the goal we set for OpenNMS to take the rest of my life and maybe some time after that. By focusing on an exit the people who usually end up paying for it are your customers, and that just doesn’t strike me as a way to run a business. I’m certain that if the Nishiyama Onsen Keiunkan had focused on growth over service they would have died out a long time ago. Heck, even the company that started OpenNMS closed its doors in 2004. When they weren’t moving fast enough toward their goal for the investors, they did what today we would call “a pivot” and it didn’t work out, even though that’s what anyone in the Valley would have said was the right decision.

Look, I don’t want to come across as some sort of holier than thou “money is evil” kind of person. I run a business, not a charity. But as a businessman, and not a gambler, I truly believe that our best chance at financial success is to find a way for us to deliver the best value we can to our customers. Period. That’s our focus, and any type of “exit” is way down on the list. Heck, the current management team at The OpenNMS Group is ten years older than the rest of the guys, and we’ve even thought of selling the business to them when we wish to retire. Not sure we can do it 52 times, but that is one form of exit that is still in line with an “exist strategy”.

And that’s the thought I want to take into the next fifteen years of OpenNMS. We have a covenant with our users and they have paid us back in kind with their support. This has resulted in a number of other impressive numbers. The OpenNMS Group has prospered for more than a decade. We are getting ready for our tenth OpenNMS Developers Conference, Dev-Jam. We’ve had almost the same number of OpenNMS User Conferences, the next one is in September and hosted by the independent OpenNMS Foundation.

We still have quite a few years to go to match the numbers of the Nishiyama Onsen Keiunkan, but I think that focusing on an “exist strategy” is the way to go. We still have the greatest team of people ever assembled to work on a software project, and while the faces and names have changed over the years, I still feel like I’m standing on the shoulders of giants.

And the view is great from up here.

Mark Turner : Southern again

March 27, 2015 09:27 PM

The family and I were spending a few hours trekking around Raven Rock State Park yesterday when we encountered three senior citizens who were obviously NC natives. They had made their way down the steep stairway to the base of Raven Rock and were looking for someone to take their picture.

“I’ll be happy to take y’alls picture,” I said as they handed me their iPhone. “Y’all just stand together right there.” I snapped two photos of them and grinned as I handed their phone back to them.

When we had climbed the stairs and were out of earshot, Hallie gave me a quizzical look and said, “you were totally Southern back there!”

“Well, that’s how I was raised!” I said as I shrugged and laughed. It doesn’t occur to me that that’s not how I act all the time. I see good country folks and can’t help but slip back into my Southern accent.

I guess the South our kids are growing up in is different than the one I grew up in. I suppose that’s a good thing, them being around people from different backgrounds. Even so, I sure hope I never forget where I am from, and how to speak properly with the good folks who’ve called North Carolina home far longer than I have.

Warren Myers : ifttt & box drive my desktop backgrounds … with a little cron happiness

March 26, 2015 06:15 PM

I love that OS X lets me change my background on a schedule (I use every 30 minutes now).

But I don’t like having to find pictures to populate my desktop menagerie with.

Enter completely SFW backgrounds via RSS feeds!

Using IFTTT, I watch for new items from a variety of daily photo feeds, and upload the new items to a folder in my Box account. I have that folder set to be the source for my desktop backgrounds, and bingo bango we have automated new images coming to enjoy!

The recipe I’m using is available for you to grab here. (I have several running, but you can use any RSS feed you’d like.)

Also, to ensure I don’t end up with duplicate images (eg from the Bing images feed), I have the following running as a cron job (thanks to Unix.SE for helping me figure it out):

md5 -r * | sort | awk 'BEGIN{lasthash = ""} $1 == lasthash {print $2} {lasthash = $1}' | xargs rm

That script removes any files with duplicate MD5 sums from the folder I keep the images in (note – you should put the actual path to your folder in your cron job).
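As an added example (not the post’s own cron one-liner), here is the same deduplication step written as a small Python script. It keeps the first copy of each image in sorted filename order and removes the rest, which is what the awk pipeline does, but it also copes with filenames containing spaces, offers a dry run so you can see what would be deleted, and hashes with SHA-256 instead of MD5 (a deliberate swap; for duplicate detection either works). The FOLDER path and the make_sample_folder() helper are assumptions for demonstration, not anything IFTTT or Box provide.

```python
"""Remove duplicate images from a folder by content hash.

Added example, not the original post's cron job. FOLDER is an assumed path;
point it at the directory your IFTTT/Box recipe fills. make_sample_folder()
builds a constructed test folder so the script can be exercised offline.
"""
import hashlib
import os
import sys
import tempfile
from typing import Dict, List

FOLDER = os.path.expanduser("~/Box Sync/Backgrounds")  # assumed path


def file_digest(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file's contents, read in chunks so large images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def list_files(folder: str) -> List[str]:
    """Sorted basenames of the regular files in folder."""
    return sorted(n for n in os.listdir(folder)
                  if os.path.isfile(os.path.join(folder, n)))


def find_duplicates(folder: str) -> Dict[str, List[str]]:
    """Map digest -> paths sharing that digest; only groups with >1 file kept.
    Paths are visited in sorted name order, so paths[0] is the copy we keep."""
    by_digest: Dict[str, List[str]] = {}
    for name in list_files(folder):
        path = os.path.join(folder, name)
        by_digest.setdefault(file_digest(path), []).append(path)
    return {d: paths for d, paths in by_digest.items() if len(paths) > 1}


def remove_duplicates(folder: str, dry_run: bool = False) -> List[str]:
    """Delete every copy after the first in each group.
    Returns the paths removed (or, with dry_run=True, that would be removed)."""
    removed: List[str] = []
    for paths in find_duplicates(folder).values():
        for extra in paths[1:]:
            if not dry_run:
                os.remove(extra)
            removed.append(extra)
    return removed


def make_sample_folder() -> str:
    """Constructed sample: two identical files and one distinct file."""
    folder = tempfile.mkdtemp(prefix="backgrounds-")
    for name, data in [("a.jpg", b"same bytes"),
                       ("b copy.jpg", b"same bytes"),
                       ("c.jpg", b"other bytes")]:
        with open(os.path.join(folder, name), "wb") as f:
            f.write(data)
    return folder


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    target = args[0] if args else FOLDER
    for p in remove_duplicates(target, dry_run="--dry-run" in sys.argv):
        print("removed", p)
```

Run it from cron with the real folder as the argument (for example `python3 dedupe.py "/path/to/Backgrounds"`), and try `--dry-run` once first to confirm it only picks the copies you expect.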

Eric Christensen : For discussion: Orphaned package in Fedora

March 26, 2015 03:38 PM

The Fedora Security Team (FST) has uncovered an interesting problem.  Many packages in Fedora aren’t being actively maintained, meaning they are unofficially orphaned.  This is likely not a problem for most of them, since at least some of these packages will happily sit there and be well behaved.  The ones we worry about are the ones that pick up CVEs along the way, warning of unscrupulous behaviour.

The FST has been plugging away at trying to help maintainers update their packages when security flaws are known to exist.  So far we’ve almost hit the 250 bug level.  Unfortunately we forced a policy that still isn’t perfect.  What do you do with a package that is no longer supported and has a known vulnerability in it?  Unless you can recruit someone to adopt the package, the only responsible choice you have is to retire the package and remove it from the repositories.

This, of course, leads to other problems, specifically that someone has that package installed without knowing that the package is no longer supported, let alone that it contains a security vulnerability.  This morning, during the FST meeting, we discussed the problem a bit and I had an idea that I’ll share here in hopes of starting a discussion.

The Idea

Create a file containing all the packages that have been retired from a repository and perhaps a short reason for why this package has been retired.  Then have yum/dnf consume this information regularly and notify the user/admin when a package that is installed is added to this list.  This allows the system admin to become aware of the unsupported nature of the package and allows them to make a decision as to whether or not to keep the package on the system.

Okay, discuss…
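To make the proposal concrete, here is an added example of the client side of that idea, written for this post and not anything Fedora, yum or dnf actually ship. It assumes the retired-package list is a plain-text file with one `name<TAB>reason` entry per line (that format is an assumption), reads the installed package set from `rpm -qa`, and reports any overlap; RETIRED_LIST_SAMPLE and the fallback package names are constructed data so the script runs on a non-RPM host too.

```python
"""Warn when an installed package appears on a retired-packages list.

Added example for the FST proposal above, not an existing Fedora tool.
Assumptions: the list is plain text, one package per line as
name<TAB>reason (blank lines and '#' comments ignored); installed packages
come from `rpm -qa`, or are passed in directly for testing.
"""
import subprocess
from typing import Dict, Iterable, List, Tuple

# Constructed sample of what a published retired-packages list might contain.
RETIRED_LIST_SAMPLE = """\
# constructed sample (name<TAB>reason)
oldlib\tunmaintained; open CVE with no fix available
abandoned-tool\tupstream dead, retired by FST
fine-package\tretired: superseded by fine-package2
"""


def parse_retired_list(text: str) -> Dict[str, str]:
    """Map package name -> retirement reason; malformed lines are skipped."""
    retired: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, reason = line.partition("\t")
        if name.strip():
            retired[name.strip()] = reason.strip() or "no reason given"
    return retired


def installed_package_names() -> List[str]:
    """Installed package names via rpm (works on Fedora/RHEL hosts only)."""
    out = subprocess.run(["rpm", "-qa", "--queryformat", "%{NAME}\n"],
                         capture_output=True, text=True, check=True).stdout
    return sorted(set(out.split()))


def find_retired_installed(installed: Iterable[str],
                           retired: Dict[str, str]) -> List[Tuple[str, str]]:
    """(name, reason) for every installed package that is on the retired list."""
    return sorted((name, retired[name])
                  for name in set(installed) if name in retired)


def format_report(hits: List[Tuple[str, str]]) -> str:
    """Human-readable notice in the spirit of a yum/dnf post-transaction hint."""
    if not hits:
        return "No installed packages appear on the retired list."
    lines = ["WARNING: %d installed package(s) have been retired:" % len(hits)]
    for name, reason in hits:
        lines.append("  %-20s %s" % (name, reason))
    lines.append("Consider removing them or finding a maintained replacement.")
    return "\n".join(lines)


if __name__ == "__main__":
    retired = parse_retired_list(RETIRED_LIST_SAMPLE)
    try:
        installed = installed_package_names()
    except (OSError, subprocess.CalledProcessError):
        # constructed fallback so the demo runs where rpm is absent
        installed = ["oldlib", "bash", "fine-package2"]
    print(format_report(find_retired_installed(installed, retired)))
```

In practice the list would be fetched alongside repository metadata and the check run after each transaction, which is the point where the admin can still decide whether to keep the package.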


Eric Christensen : A change in thinking…

March 26, 2015 02:32 AM

When I entered the information security world in late 2001 I received training on communications technologies that included a significant interest in confidentiality.  Obviously the rest of the trifecta, integrity and availability, were also important but maintaining communications security was king.

Now, almost fifteen years later, I’m still focused on the trifecta with confidentiality coming out with a strong lead.  But my goals have changed.  While confidentiality is an important piece of the puzzle, for privacy and other reasons, I feel it should no longer be king with my work and writing.

Over the coming weeks I plan to focus on the availability of data.  And not just whether or not a file is on a server somewhere but diving into the heart of the availability problem.  File format standards, flexibility of the data to be used with accessibility tools, ability to translate the words into other languages to ease sharing, and the ability to move the information to other forms of media to improve access are all topics I want to cover.

I’m largely writing this as a reminder of ideas I want to research and discuss but I hope this gets other people thinking about their own works.  If you have a great idea don’t you want to make it easier for other people to consume your thoughts and be able to build on them?  Unfortunately the solution isn’t simple and I suspect much will be written over time about the topic.  Hopefully we’ll have a solution soon before that StarWriter file you have stored on a 5.25″ floppy drive is no longer readable.


Scott Schulz : The Martian by Andy Weir

March 22, 2015 01:02 PM

I am about 90% through Andy Weir's The Martian book, and I gotta say, this is one fantastic read.

Written in large part as log entries by an astronaut named Mark Watney, it is different enough from the average SF (Sci-Fi) work in that regard alone, but then Andy includes enough geekery to really make things interesting. I won't go into any more detail, but if you are a geek (check), who is into spaceflight (check), and Mars exploration (check), then this is one book you need to read.

And better yet, they are nearly complete with the filming of the movie (starring Matt Damon as Mark Watney, for those of you who care about such things), so that should be out later this year.

The Martian by Andy Weir

Amazon Link: http://amzn.com/0553418025

Mark Turner : NSA and spyware

March 21, 2015 03:45 PM

NSA planting spyware on a Cisco router


The photo that disturbed Cisco so much, the one showing the NSA tampering with a Cisco router, actually does not concern me as much as previous reports of NSA spying. The photo shows NSA doing what it should be doing, going after the bad guys. They have a specific router going to a specific customer and they’re using good old-fashioned hard work to gain their access. I can only assume that the target of this investigation is worthy of such attention and its targeting has been duly legally authorized.

The other thing this photo shows me is that NSA opted to plant its spyware using physical means rather than network means. If NSA has some sort of super-secret backdoor into Cisco firmware it certainly isn’t apparent from this photograph.

Cisco can of course decide it wants to make it difficult for these NSA operations to succeed and that’s the company’s prerogative. Certainly this photograph can cause the company’s customers to question Cisco’s security and can hurt its business. Even so, if NSA wants to load its firmware on boxes one by one and hands-on in a legally-authorized pursuit of a true intelligence target, I suppose I’m ok with that.

Mark Turner : Cisco Shipping Hardware To Bogus Addresses To Throw Off NSA Intercept-And-Implant Efforts | Techdirt

March 21, 2015 03:30 PM

Cisco became an inadvertent (and very unwilling) co-star in the NSA Antics: Snowden Edition when its logo was splashed across the web by a leaked document detailing the agency’s interception of outbound US networking hardware in order to insert surveillance backdoors.

It moved quickly to mitigate the damage, sending a letter to the President asking him and his administration to institute some safeguards and limitations to protect US tech companies from the NSA’s backdoor plans. To date, there has been no direct response. So, Cisco has decided to handle the problem itself.

via Cisco Shipping Hardware To Bogus Addresses To Throw Off NSA Intercept-And-Implant Efforts | Techdirt.

Mark Turner : New Hampshire legislatures kill fourth graders’ bill and dreams.

March 19, 2015 11:40 PM

What assholes.

Last Thursday, fourth graders from Hampton Falls, New Hampshire visited their state legislature to observe a bit of democracy in action. The children had previously proposed House Bill 373, establishing the Red Tail Hawk as the New Hampshire State Raptor, as part of a civics lesson in how bills become laws. Their measure had already sailed out of the Environmental and Agriculture Committee. Now the young students gathered in the House galley to watch their bill pass its next hurdle.

via New Hampshire legislatures kill fourth graders' bill and dreams..

Mark Hinkle : Presentation – Linux Collab Summit – Cloud 2.0: Containers, Microservices and Cloud Hybridization

March 19, 2015 01:09 PM

Presented at Linux Collaboration Summit 2015 in Santa Rosa, CA on February 20th, 2015.

Abstract:

In a very short time cloud computing has become a major factor in the way we deliver infrastructure and services, and we have quickly breezed through the ideas of hosted cloud and orchestration. This talk will focus on the next evolution of cloud: containers (like Docker), microservices (the way Netflix runs their cloud) and hybridization (applications running on Mesos across Kubernetes clusters in both private and public clouds).

[Sometimes the embed didn’t work so you can also view the presentation here.]

Cloud 2.0: Containers, Microservices and Cloud Hybridization, from Mark Hinkle: //www.slideshare.net/socializedsoftware/2015-linux-collaboration-summit-cloud-20-containers-microservices-and-cloud-hybridization

Mark Turner : A handsome exhibit

March 18, 2015 01:57 PM

It would make a cool art project to cast the hands of people who work in various vocations and display them together.

Mark Turner : Hand modeling

March 18, 2015 01:47 PM

Over the past few weeks I’ve gotten a taste of what life must be like for a hand model. Well, except for the fame and money part, of course.

I bought a lifecasting starter kit for my birthday. The problem of having a January birthday is that one’s skin is rarely in good shape from the bone-dry winter air. I’d been waiting a while for the cracks in my knuckles to heal. When they finally did, I managed to slice my right index finger when I was repairing the dishwasher last weekend. Fingertip injuries take a surprisingly long time to heal!

Ever since the dishwasher injury I’ve been overly careful with my hands, paranoid that I’ll cut myself again and have to delay casting my hand another week or more. On the other … hand (sorry, couldn’t resist), it’s been a good realization that the perfect body is a myth. We all have flaws that we conveniently overlook.

Perhaps it’s more realistic for me to cast my hand as it typically is: covered in cuts, grease, or ink; with blisters born from bicycling, yard work, or guitar-playing. Perhaps my nails will be worn down or torn from prying open computers or flattened by a misdirected hammer blow. This would be the most realistic depiction of my hands.

One of life’s secrets is learning to wear one’s scars as badges of honor.

Mark Turner : Google View

March 18, 2015 10:13 AM

Sitting in the dentist’s chair, enduring the agony of another teeth cleaning yesterday, I thought of the perfect use for the Google Fiber system coming to Raleigh.

I was being forced to watch Time Warner Cable’s News14 channel in front of me and thinking about how TWC’s local news model works. It didn’t take many minutes of watching the video (thankfully without audio, as the suction hose was often going) to realize how boilerplate it is. The TWC guys have an establishing shot, then zoom in on something dumb like police lights reflecting off the stolen car, then move on to another thing. It was obvious that the video doesn’t really tell the story – in fact, it is repetitive and dull. I could choose not to look up between rinses and feel like I didn’t really miss anything.

Then I thought about Capital Broadcasting, and how many broadcasters are able to do what they do because they ponied up decades ago for broadcast licenses and expensive studios. TWC didn’t have to compete for a license – they have all the bandwidth they need. They’re able to do what they do because most people’s television now gets routed through a coaxial cable. There is no need to build a transmitter anymore.

But TV habits are quickly changing, as I’ve written about before. People aren’t watching TV on TVs anymore. Increasingly, people watch their shows on devices, hooked to the Internet.

I thought about how Little Raleigh Radio tries harder to tell the story of Raleigh. I read earlier yesterday how Google Fiber gives free broadband to community organizations. There’s an opportunity here!

To be continued…

Warren Myers : seems i’m not the only one who thinks apple could make cars

March 16, 2015 01:55 PM

Dallas News ran a story recently on Apple being positioned to be a car maker.

Their reasoning:

  1. Cash (~$180B)
  2. It’s “ultimately” mobile
  3. They have “car guys” already
  4. Strong retail network
  5. They’re already global

I think it more likely they’d buy an existing manufacturer, and then Apple-ify them – but the arguments are strong that an Apple Car will be here sooner rather than later.

Mark Turner : Google Fiber: Kansas City offers Charlotte ‘Digital Divide’ lessons | The Charlotte Observer The Charlotte Observer

March 16, 2015 01:39 PM

CharO talks about Google Fiber and the Digital Divide

In a past job in Kansas City, Julie Porter was part of an intense, door-to-door campaign to get residents in economically challenged, mostly minority neighborhoods to sign up for Google’s high-speed Internet service.

Community organizers didn’t want residents in these areas to face an even wider Digital Divide.

Now the head of a Charlotte housing agency, Porter has urged local leaders here to get an early start encouraging residents to embrace broadband service, long before Google Fiber makes its planned Charlotte debut.

“It was just very, very challenging,” said Porter, president of the Charlotte-Mecklenburg Housing Partnership, of the Kansas City situation. “I wanted to make sure that Charlotte didn’t have the same experience.”

via Google Fiber: Kansas City offers Charlotte ‘Digital Divide’ lessons | The Charlotte Observer The Charlotte Observer.

Magnus Hedemark : State of the Nerd Report

March 14, 2015 08:55 PM

I’ve never really consistently given this personal blog of mine much love. Instead, I’ve tried to support larger soapboxes from which to either share my own stories or coordinate and recruit for others.

I’ve done a good bit of writing over the last couple of years for Red Hat, and now for Bronto. I had a piece on OpenSource.com that got a good bit of traction. But most of my writing for the last four months has been going into Autism Daily Newscast.

ADNewscast reached out to me last December through social media and asked if I might like to contribute a guest article from the perspective of an Autistic professional to help others like me to get started in their careers. I submitted the article, and it was well-received, so they asked if I’d like to write another.

Next thing you know, I’d become a Staff Writer, and was in charge of the weekly Careers column. I don’t always know what I’m going to write about next, but it’s been good for me to knock out an article every week and to get into the habit of writing regularly.

Then last week my Editor in Chief asked if I’d like to take on a larger role with the site and join the team of Editors. I did accept that role, and it’s proving to be a rewarding one.

I am autistic. This is not something that was known to me or the people around me for most of my life. But I know it now. And so much of the mysteries of my life make sense now. How come people sometimes say I talk too much? Or too little? How come I sometimes don’t know when to shut up? Or sometimes I can’t speak at all? Why, during periods of prolonged stress (often over really petty things) do I hide in a dark, quiet place and just silently decompress? Why do I have a long trail of broken but intense friendships smoldering in my wake? Most of these mysteries have now been answered with that new fundamental understanding of my self.

I’ve since been “out” about it more. I’ve made my needs known. I’ve engaged in self-advocacy, because those who claim to speak for people like me are often not themselves autistic. The largest Autism advocacy groups that you can think of have no legitimacy. So now I have to face people who dismiss me as being “too high functioning to understand their child’s needs”.

Thirty years ago, I was your autistic child. I was the kid that quietly read the dictionary from cover to cover, and then moved on to the encyclopedia. I was the kid who had memorized the taxonomic classification of every fish species in the public aquarium. I was the kid who would “spaz” (melt down) or simply and quietly shut down when things got to be too tough. I was the kid who was always being told “look me in the eye”, even (especially) when it seemed impossible for me to do so.

I know what it means to be that autistic kid, even if I didn’t know that I was autistic at the time. I’m very comfortable in knowing that I’m in a stronger position to advocate for autism than the parents who have never walked a mile in my own shoes.

As such, I’ve largely been disengaged from tech geekery at home for awhile. I’m getting more and more plugged in to the community of my peers, finding my voice, getting more comfortable with the knowledge that I am different and I do need and deserve some understanding in order to better succeed in this world.

And I’m not going to fight this just for myself; I’m going to fight it so my autistic daughter, who I understand better than Autism Speaks ever will, can enjoy a better chance of success when it’s time for her to live as an adult in this world that will never understand her.


Mark Turner : The magically-filling fuel tank

March 14, 2015 02:00 PM

Earlier this week I got to experience a phenomenon very unique to electric vehicles.

I was driving out of the parking deck at work on a warm day that had started much cooler. Batteries are sensitive to temperature and provide less power when it’s cooler. My electric car had dialed back its expected range on my cooler morning commute and kept it there as my car waited in the cool parking deck for me to get off of work.

As I drove out at the end of the day, the car’s thermometer rose briskly as it went from the cool parking deck to the warm afternoon air. I watched in amusement as my car’s range began increasing as I drove! It was like someone was adding fuel to my tank! I gained 20 miles of range on a six-mile drive.

Only in an electric car can one drive somewhere and actually get an increase in range!

Mark Turner : Book idea: Malcom McLean

March 13, 2015 05:24 PM

I became fascinated yesterday by a relatively unsung North Carolina hero, Malcom McLean. It’s not much of a stretch to say McLean more or less revolutionized world trade with his invention of the standardized shipping container. Not bad for a truck driver from Maxton, NC who only had a high school education.

Someone ought to tell his story.

Mark Turner : LTE on Skip Stam

March 13, 2015 05:19 PM

I sent this to the N&O regarding Rep. Paul “Skip” Stam’s apparent reversal of support for redistricting reform.

It is disappointing to see Rep. Paul “Skip” Stam, once a champion of redistricting reform, backing a bill that quite plainly gerrymanders the Wake County Commission. We the voters lose again.

My original version called Stam “long a champion,” but it appears his days of championing redistricting reform are over. I hope one version or another makes it to print.

Tarus Balog : Minnesota Twins and Dev Jam

March 13, 2015 04:48 PM

Just got our stack o’ Twins tickets for this year’s OpenNMS Dev Jam.

It’s become something of a tradition, and we’re back in left field so maybe the Twins will win.

Even Ulf gets to go:

I’ll be opening up Dev Jam registration in April so be sure to save the dates.

Tarus Balog : Free OpenNMS Workshop in Berlin – 30 March 2015

March 12, 2015 07:50 PM

If you happen to speak German and can get to Berlin on March 30th, Ronny Trommer will be giving a day long workshop on OpenNMS.

No promises, but afterward there will probably be beer.

Jesse Morgan : Yak Shaving: VMWare Update Edition.

March 12, 2015 07:44 PM

  1. Review nessus report, see Samba needs patching.
  2. Patch Samba.
  3. While retesting, I notice ESX has a patch that needs implementing.
  4. Find out they released 6.0 today. Rather than upgrading to 5.5.1 then 6.0, I look into upgrading directly to 6.0
  5. While looking to implement that I research updatemanager, which I can’t use since I don’t have a windows server to install it on.
  6. So I look at doing it manually, and find out that I need to upgrade vcenter first, since vcenter can’t manage esx hosts that are a higher version.
  7. I find https://www.youtube.com/watch?v=QXOkUVhIOA8 which seems to be exactly what I need.
  8. Spend half an hour looking for OVA file similar to what was used for 5.5. It does not exist.
  9. identify vcenter appliance download for 6.0. Download 3 gig ISO. Not an exact match, but close.
  10. mount ISO locally. Setup file says “vCenter Server Appliance installer cannot run on Linux. It must be run on Windows.”
  11. Spend half an hour searching for the friggen OVA.
  12. Someone clues me in that “vcsa/vmware-vcsa” on the iso is actually the OVA file. Copy that from readonly ISO to local disk, rename it as vmware-vsca-6.0.ova
  13. go to vcenter server web client, navigate to datastore.
  14. See coworker set off alarms on one datastore for being overused. Need to look into that later.
  15. Find out that I need to install a browser plugin to upload a friggen file to their web interface.
  16. Download plugin, install it.
  17. plugin doesn’t appear, realize that it installed in the wrong place.
  18. research how to uninstall the stupid plugin, then reinstall it to the right place. Still doesn’t show.
  19. Someone suggests using OVAtool. I don’t even remember what that does or if it’ll even help me. I don’t know if it works on linux, if I can install it on my workstation, or where to even find it.
  20. restart chrome; lose half of my tabs when the second window doesn’t reappear. plugin still doesn’t work.

Day two:

  1. retry chrome plugin, it fails to be detected again.
  2. research to find out that the plugin interface that VMware uses is deprecated, and their plugin only works with archaic versions of chrome
  3. Give up, load windows VM
  4. download the *deprecated* vsphere client for windows
  5. attempt to install vsphere. Installer disappears.
  6. try reinstalling, receive error that installer is in progress, then fails, then receive another failure message regarding .net 3.5
  7. installer refuses to run because an installer is already running.
  8. reboot windows
  9. run installer, installer disappears. Task manager shows background process “windows modules installer worker” using 99% of my disk bandwidth. maybe it’s still working?
  10. after 10 minutes, installer reappears. entire install takes 25 minutes.
  11. Upload OVA to datastore1 so it can be deployed.
  12. Attempt to deploy the OVA template through the web interface. Notified that “The CLient Integration Plugin must be installed to enable OVF functionality.”  (note OVA and OVF are interchangeable at this point.)
  13. Unable to COPY said text from web interface because hell, why not. Text is not selectable; maybe it’s an image?
  14. Attempt to create a new virtual machine from OVA template. Datastores inaccessible.
  15. Attempt to deploy OVA from windows client. Am unable to deploy from datastore (i.e. I must reupload 1.8 gig file again).
  16. Upload template, click through menus and get a brand new “fill in the blank” screen that I don’t recall seeing before. Attempt to fill it out to the best of my ability.
  17. Start Appliance, fails due to password needing to be reset. Web interface does not respond.
  18. After 20 minutes of digging, I delete it.
  19. start over, leaving the form empty.
  20. Similar Message: “Root password is not set. vmdir.password is not set; aborting installation.” Web interface does not respond.
  21. review my notes from the 5.5 install.
  22. dry run installation of 5.5 OVA file;  existing form has 5 fields.; Hostname is the only one really required.
  23. 6.0 OVA has 46 fields; It is unclear how many are required. Perhaps all of them.
    1. if host network mode is set to DHCP, ip address and host network prefix are not required. Default gateway, dns servers, and host identity don’t state if they are required.
    2. SSO Configuration talks about a directory password for replication partner. Is this the 5.5 instance I’m planning to mirror? I don’t think so- I’m pretending this is a stand-alone instance so I can follow the migration video later, which presumes the new instance is already installed but not configured. Setting temporary password for administrator.
    3. leaving the rest of the SSO configuration default
    4. leave database config set to Embedded.
    5. Setting root password in System Configuration (which is different than the Administrator account password set 3 steps ago).
    6. Leaving upgrade configuration blank.
    7. Leave networking properties blank
  24. After finally getting the vcenter 6.0.0 installed, it turns out 6.0.0 no longer uses port 5480, as seen in the first video, which was the only one that came up when searching for upgrades yesterday.
  25. Because, why would the upgrade process from 5.1 to 5.5 be the same as 5.5 to 6.0, right?
  26. Start searching again, find this video which appears to cover what I need.
  27. I install the vmware client integration plugin from the ISO I downloaded previously on the windows VM (which is nearly out of space at this point).
  28. run upgrader from ISO.
  29. Walk through all the options and get to step 4 before getting the message: “vCenterServer FQDN vcenter.foo.com does not match DNS servers “localhost.localdom,localhost” and ip addresses “192.168.2.220” from VC certificate. Examine the VC certificate and make sure it is valid and point to vCenter Server FQDN.”
  30. Which if I’m reading correctly, means that before I can upgrade, I have to install a properly signed certificate on 5.5 for…. I’m gonna guess the :5480 interface, which may be a totally different cert than the one for :9443.
  31. research and find that I can circumvent this by setting the cert regeneration flag in the :5480 interface and rebooting vcenter.
  32. try the upgrade tool again
  33. realize 3 seconds after clicking OK that I just started a process of unknown length at 2pm on a friday.
  34. process finishes at 3pm, warns me that my license is about to expire for vcenter(!)
  35. re-enter license, am told it is no longer valid.
  36. panic as I realize our license is for vcenter 5, not vcenter 6.
  37. research and am told that it’s a simple upgrade procedure in the vmware portal to get a new license key for 6.0
  38. go through motions, import new key, everything is awesome.

I owe a tremendous debt of gratitude towards the guys in #VMware on freenode. Without their assistance, I’d probably be under my desk sobbing right now.

MONDAY: I’ll continue by upgrading the esx hosts. I’m sure it’ll go smoothly.

Eric Christensen : Postfix Encryption

March 12, 2015 05:09 PM

I’ve been tinkering with the encryption options in Postfix for a while.  Encryption between clients and their SMTP server and between SMTP servers is necessary to protect the to, from, and subject fields, along with the rest of the header, of an email.  The body of the message is also protected but it’s always better to utilize PGP or S/MIME cryptography to provide end-to-end protection; encryption between clients and SMTP servers doesn’t provide this.

As rolled out now, encryption between SMTP servers is opportunistic encryption and is generally not required.  While doing a review of my mail log I seem to be receiving most personal mail via some encrypted circuit while much of the mail coming out of listservs, like Yahoo! Groups, is not negotiating encryption on connect.  I’ve also noticed that some email providers actually run their incoming email through an external service, I suspect for spam control, before accepting the message into their servers.  Some of these spam services don’t support encryption making it difficult to protect mail in transit.

Postfix documentation is pretty decent.  The project seems to document most settings but sometimes they don’t actually put the entire picture together.  Encryption is one of those things where a complete picture is difficult to put together just by looking at a single page of documentation.

Postfix’s documentation on TLS is fairly complete.  What they miss on that page, forward secrecy, must be found elsewhere.  Until last night I had missed that second page, and I have now fixed my configuration to include what I consider acceptable settings.

Here’s what I’ve got:

main.cf

### TLS
# enable opportunistic TLS support in the SMTP server
smtpd_tls_security_level = may
smtpd_tls_eecdh_grade = ultra
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.key
smtpd_tls_CAfile = /etc/pki/tls/certs/mail-bundle.crt
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
tls_random_source = dev:/dev/urandom
#TLS Client
smtp_tls_security_level = may
# smtp_tls_eecdh_grade = ultra
# (not a Postfix parameter: the client follows the server's curve choice, so
#  this line only produces an "unused parameter" warning)
smtp_tls_loglevel = 1
smtp_tls_cert_file = /etc/pki/tls/certs/mail.crt
smtp_tls_key_file = /etc/pki/tls/private/mail.key
smtp_tls_CAfile = /etc/pki/tls/certs/mail-bundle.crt

master.cf

submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous

Those familiar with setting up TLS in Apache will notice a few differences here.  We haven’t defined ciphers or SSL protocols.  This is because this is opportunistic encryption.  We’re just happy if encryption happens, even using EXPORT ciphers, since the alternative is plaintext.  In a more controlled setting you could define the ciphers and protocols and enforce their use.  Until encryption becomes the norm on the Internet (and why shouldn’t it be?) I’ll have to stick with just begging for encrypted connections.

It should also be noted that client-to-SMTP server connections are forced to be encrypted in master.cf as seen in the submission portion.  This was a quick and dirty way of forcing encryption on the client side while allowing opportunistic encryption on the public (port 25) side.

It should be noted that ECC keys can be used with Postfix, which forces good ciphers and protocols, but most email servers have RSA keys established so problems could arise from that.  Dual keys can always be used to take advantage of both ECC and RSA.

As SSLLabs is for testing your web server’s encryption settings, so is CheckTLS for checking your SMTP encryption settings.  These tools are free and should be part of your regular security check of your infrastructure.
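The mail-log review mentioned above is easy to automate, and with opportunistic TLS it is worth knowing not just which peers never negotiate encryption but which ones negotiate something that barely counts, such as SSLv3 or an EXPORT cipher. The following is an added example, not from this post or the Postfix project: it pairs each smtpd "connect from" with its "disconnect from" by process ID, records the "TLS connection established" line in between if there is one, and tallies the result. SAMPLE_LOG is constructed in the format postfix/smtpd writes; the hostnames and 192.0.2.x addresses are documentation values, not real peers.

```python
"""Summarise inbound SMTP sessions from a Postfix log by TLS outcome.

Added example, not part of the original post or of Postfix. SAMPLE_LOG is
constructed in the format postfix/smtpd writes; feed report() the contents of
/var/log/maillog (or `journalctl -u postfix`) to run it on a real server.
"""
import re
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
Mar 12 10:00:01 mail postfix/smtpd[1234]: connect from mx.example.com[192.0.2.10]
Mar 12 10:00:01 mail postfix/smtpd[1234]: Anonymous TLS connection established from mx.example.com[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 12 10:00:03 mail postfix/smtpd[1234]: disconnect from mx.example.com[192.0.2.10]
Mar 12 10:01:10 mail postfix/smtpd[1235]: connect from list.example.net[192.0.2.20]
Mar 12 10:01:12 mail postfix/smtpd[1235]: disconnect from list.example.net[192.0.2.20]
Mar 12 10:02:00 mail postfix/smtpd[1236]: connect from old.example.org[192.0.2.30]
Mar 12 10:02:00 mail postfix/smtpd[1236]: Anonymous TLS connection established from old.example.org[192.0.2.30]: SSLv3 with cipher EXP-RC4-MD5 (40/128 bits)
Mar 12 10:02:01 mail postfix/smtpd[1236]: disconnect from old.example.org[192.0.2.30]
"""

CONNECT_RE = re.compile(r"postfix/smtpd\[(\d+)\]: connect from (\S+)")
TLS_RE = re.compile(
    r"postfix/smtpd\[(\d+)\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established from (\S+): (\S+) with cipher (\S+)")
DISCONNECT_RE = re.compile(r"postfix/smtpd\[(\d+)\]: disconnect from (\S+)")

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}


def parse_sessions(log_text: str) -> List[dict]:
    """Pair 'connect from' with 'disconnect from' by smtpd PID and keep the
    (protocol, cipher) negotiated in between, or None for plaintext."""
    open_sessions: Dict[str, dict] = {}
    sessions: List[dict] = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            open_sessions[m.group(1)] = {"peer": m.group(2), "tls": None}
            continue
        m = TLS_RE.search(line)
        if m and m.group(1) in open_sessions:
            open_sessions[m.group(1)]["tls"] = (m.group(3), m.group(4))
            continue
        m = DISCONNECT_RE.search(line)
        if m and m.group(1) in open_sessions:
            sessions.append(open_sessions.pop(m.group(1)))
    return sessions


def classify(session: dict) -> str:
    """'plaintext' when no TLS was negotiated; 'weak' for SSLv2/SSLv3 or for
    export, RC4, NULL, anonymous-DH or single-DES ciphers; otherwise 'ok'."""
    if session["tls"] is None:
        return "plaintext"
    proto, cipher = session["tls"]
    weak_cipher = (cipher.startswith("EXP-")
                   or any(tag in cipher for tag in ("RC4", "NULL", "ADH"))
                   or re.search(r"(^|-)DES-CBC-SHA$", cipher) is not None)
    return "weak" if proto in WEAK_PROTOCOLS or weak_cipher else "ok"


def report(log_text: str) -> dict:
    """Counts by class and protocol, plus the peers that deserve a look."""
    sessions = parse_sessions(log_text)
    classes = [classify(s) for s in sessions]
    return {
        "total": len(sessions),
        "counts": dict(Counter(classes)),
        "protocols": dict(Counter(s["tls"][0] for s in sessions if s["tls"])),
        "plaintext_peers": sorted(s["peer"] for s, c in zip(sessions, classes)
                                  if c == "plaintext"),
        "weak_peers": sorted(s["peer"] for s, c in zip(sessions, classes)
                             if c == "weak"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

Peers in plaintext_peers are the ones a stricter smtpd_tls_security_level would start rejecting, so this list is the thing to check before moving from "may" to anything mandatory; weak_peers shows what "we're just happy if encryption happens" actually buys you from a given sender.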