<p>Annvix (<a href="https://annvix.com/">https://annvix.com/</a>)</p>
<h1>Rethinking Risk in Vulnerability Management</h1>
<p>Vincent Danen, 2024-02-06 13:20 (-07:00)</p>
<p>I’ve had the opportunity to write a few blogs and articles on one of my
favourite topics: vulnerability management. In particular, the thinking on
risk in this space. What’s acceptable risk? What isn’t?</p>
<p>You can get into the details on the variety of articles published in the
last month. As an overview, <a href="https://thenewstack.io/we-need-to-rethink-risk-in-vulnerability-management/">We Need to Rethink Risk in Vulnerability
Management</a>
is a good place to start. It links to the articles but I’ll note them here
as well:</p>
<ul>
<li><a href="https://www.redhat.com/en/blog/patch-management-needs-a-revolution-part-1">Patch management needs a revolution, part 1: Surveying cybersecurity’s lineage</a></li>
<li><a href="https://www.redhat.com/en/blog/patch-management-needs-a-revolution-part-2">Patch management needs a revolution, part 2: The flood of vulnerabilities</a></li>
<li><a href="https://www.redhat.com/en/blog/patch-management-needs-a-revolution-part-3">Patch management needs a revolution, part 3: Vulnerability scores and
the concept of trust</a></li>
<li><a href="https://www.redhat.com/en/blog/patch-management-needs-a-revolution-part-4">Patch management needs a revolution, part 4: Sane patching is safe
patching is selective patching</a></li>
<li><a href="https://www.redhat.com/en/blog/patch-management-needs-a-revolution-part-5">Patch management needs a revolution, part 5: How open source and
transparency can force positive change</a></li>
</ul>
<p>Here’s the bottom line. We need to have a serious conversation about the
<span class="caps">TCO</span> (Total Cost of Ownership) when it comes to software. Installing and
testing security fixes isn’t “free”. You might get the fix as part of your
purchase or subscription, but if it’s even remotely complicated, you need
staff, time and money to install, test, and deploy these things.</p>
<p>But what’s the end goal? No one buys software to fix security issues.
They buy software to grow and expand their business, to be useful. So the
“zero known vulnerabilities” goal is a faulty goal because it doesn’t align
to the business need you have (probably to make money). You don’t <em>make</em>
money installing patches, you <em>spend</em> it.</p>
<p>In order to make money you need a trusted brand and an intact reputation.
Breaches and significant cybersecurity events can damage both of those, not
to mention the cost spent to do the cleanup (which is excessive, just ask
<a href="https://www.ibm.com/reports/data-breach"><span class="caps">IBM</span>’s Cost of a Breach report</a>).
Preventing these is a good goal.</p>
<p><span class="dquo">“</span>Zero known vulnerabilities” does not advance that goal. Verizon tells us
that exploitation of software vulnerabilities accounts for only a single-digit percentage of events. Don’t believe
me? Look at the <a href="https://www.verizon.com/business/resources/reports/dbir/2023/results-and-analysis-intro/#:~:text=the%20presence%20of%20the%20Exploit%20vuln%20action%20has%20kept%20stable%20in%20incidents%20and%20is%20actually%20less%20prominent%20in%20breaches%2C%20dropping%20from%207%25%20to%205%25">Data Breach Investigations
Report</a>
that Verizon puts out. I trust their analysis.</p>
<p>So if “zero known vulnerabilities” isn’t a business goal, it isn’t a
significant driver to breaches, and it’s prohibitively expensive, then I have
to ask: Why do we keep demanding this, like it’s some kind of measure of success?</p>
<p>It’s not.</p>
<p>You can fix every single vulnerability and <em>still</em> see data breaches and
other significant cybersecurity events trend up, annually. That means
<em>we’re focused on the wrong thing</em>.</p>
<p>We have to put corporate dollars to work on the things that actually move
the needle here. We need sophisticated tools to minimize phishing,
spoofing, and other forms of social engineering (in other words, solve the
“human element”). Even training is a step in the right direction but I
think there are enough tools out there to solve these <em>despite</em> humans
doing what humans do. And invest in automation to look for
misconfigurations that lead to compromise (<a href="https://www.theregister.com/2020/08/03/leaky_s3_buckets/">S3 leaky
buckets</a>,
anyone?). Catch misconfigurations when they happen and reduce your exposure.</p>
<p>This is a topic I’m passionate about because I believe we are collectively
investing billions per year, globally, in an area we shouldn’t. Which
means there are billions <em>not</em> being invested where it can make a difference.</p>
<p>It’s like investing in bad stock. Someone told us it was good once, we see
it continue to decline, we’re losing money hand over fist, but the <a href="https://en.wikipedia.org/wiki/Sunk_cost#Fallacy_effect">sunk
cost fallacy</a> has
kicked in and we’re <em>determined</em> that one day it’ll recover. Even worse, we
keep buying it, thinking it’ll recover — rather than investing somewhere
better with a proven track record. Honestly, this is where I think
advances in <span class="caps">AI</span> will be able to help us as well (I think of Clippy warning
us not to click odd links that show up in email).</p>
<p>We’re capable of doing better. We should just do it.</p>
<h1>15 years at Red Hat</h1>
<p>Vincent Danen, 2024-02-02 10:30 (-07:00)</p>
<p><img alt="Image" src="https://annvix.com/images/15-years.jpeg" /></p>
<p>It’s been a fantastic 15 years at Red Hat as of today. Started as a Senior
Software Engineer on a very small team focused on incident response for two
products (<span class="caps">RHEL</span> and JBoss <span class="caps">EAP</span>) to end up leading a large organization
focused on a significant number of products and services with the scope to
handle incident response, compliance and certifications, secure development
efforts, and supply chain infrastructure.</p>
<p>We’ve not just grown significantly in the number of people, but also scope
and responsibility. It has been a <strong>crazy</strong> journey over the last 15 years.
When I look at who I was as a person 15 years ago compared to today… that
change is just as transformational as the organizational changes have been.
I can take credit for one, and hope that I made a good difference with the other!</p>
<p>Here’s to the next many years with Red Hat Product Security. Not sure how
much sleeve we have left to roll up because we’ve been rolling up sleeves
for a long time. Maybe we don’t need sleeves anymore because this is just
what we do. We dig in and get it done.</p>
<p>So while it’s my anniversary, I really want to give a shoutout to my team.
I work with some of the best people in the industry who truly give so much
of themselves to Red Hat, to Product Security and to our customers. We try
to do as much of the hard work as we can to keep our customers safe and
able to focus on the things that truly matter to them. That’s the whole
point. We’re successful when our customers are successful (and safe). We’ve
never stopped and we’re not going to. So I raise my 🍷 to the fine folks in
Product Security who’ve rolled up their sleeves and in some cases ripped
them off to do what we need to get done. You all make me <strong>so</strong> proud!</p>
<h1>2023: A Retrospective</h1>
<p>Vincent Danen, 2023-12-26 13:00 (-07:00)</p>
<p><img alt="Image" src="https://annvix.com/images/stuart.png" /></p>
<p>It’s the end of 2023 and, as is my custom, I always read my <a href="https://annvix.com/blog/2022-a-retrospective">retrospective</a> from
the prior year. And… umm… 2023 was <em>not</em> better than 2022. Well, in some
ways perhaps but in many ways it was not what I was hoping it would be. But,
I’m resolved to look on the bright side of things!</p>
<p>On the positive side, travel experiences this year were vastly better than
last year. And I was able to go to a few places this year for work. I was
in Boston in March, Virginia in April (first time there), Vancouver (for
<span class="caps">OSS</span> Summit) and Boston (for Red Hat Summit) in May, Jasper Alberta in
September (for holidays, we love Jasper!) as well as Raleigh, the
Netherlands in October (for Summit Connect <span class="caps">NL</span>) and then also Raleigh and
Boston (October was brutal!) and finally Chicago in November (for OpenShift
Commons/Kubecon, first time there as well). All in all, it was busy,
particularly Sept-Nov as it felt like between trips I was only home for a
few days before having to head back to the airport.</p>
<p>The upside (and apologies to my wife) was that I missed a lot of the home
renovations we did. We gutted the upstairs of our home and redid
everything except the kitchen (which we’d redone a few years ago). Really
pleased with how it turned out, less pleased that it took five months to
complete. That said, I’m glad we did it and so the wait was ultimately
worth it.</p>
<p>We also had to take care of my mother-in-law for two months. My father-in-law
was in the hospital for “day surgery” on his ankle and we anticipated it
lasting a week (after all, who believes doctors?). He was in hospital and
rehab for <em>four months</em>! Unfortunately, due to the renovation schedule and the
loss of use of the upstairs, my mother-in-law had to go to her sister after
those two months so we could get things moving. It actually turned out well as
her sister didn’t have stairs in her home and we realized (too late) that the
stairs were wrecking her hip and giving her a lot of pain (including one trip
to the hospital).</p>
<p>Unlike our trip to Jasper last year, this year was <em>perfect</em> and was an
awesome time to wind down and relax. I think it was our best trip to
Jasper ever and was so relaxing. Which was good because we came home at
the end of the week and on Sunday I was flying to Raleigh and starting a
<em>lot</em> of travel. That said, the trip to the Netherlands was awesome as
I’ve not been there in over 30 years and was able to reconnect with cousins
and aunts and uncles on both sides of the family that I’d not seen for
decades. One of my cousins took us to the <a href="https://www.goudacheese-experience.com/">Gouda Cheese
Experience</a> and I highly recommend
it. A museum for cheese is an odd idea but it was fascinating!</p>
<p>I also did quite well this year in the exercise department, trying to get a bit
more active. I find exercising so incredibly boring, however, that I do it
while playing video games. Well, two in particular. Nioh and Nioh 2. I’ve
put a ridiculous amount of time into these games and have probably played them
more than any other games (300 hours and attained level 340 in Nioh, 570 hours
and attained level 750 in Nioh 2). I also had a daily activity streak that hit
238 days (thanks for tracking Apple Watch!) but sadly that streak got ruined
when I got <span class="caps">COVID</span> for the third, maybe fourth, time in November. I still have a
lingering cough as I write this. It was actually pretty bad this time.</p>
<p>Speaking of health, my wife’s health is really great (aside from me giving her
<span class="caps">COVID</span>). The blood, iron and ferritin counts are all up and good so she’s
energetic and able to do whatever she wants. Of course it does require a lot
of supplements but whatever, she’s feeling really great which was a huge plus
this year.</p>
<p>My daughter also moved out this year (hence the renovations). Is this a good
thing or bad thing? I suppose it depends on whether she’s reading this or not
;) I’ll say it’s neither good nor bad. I definitely miss having her around
all the time, but it’s so awesome to see what she’s doing on her own and
overcoming her own fears of even being able to do it on her own. She’s doing
amazing! I couldn’t be prouder of her. I do miss her cat though. I need to
visit them both more often!</p>
<p>With her cat leaving, that left Ted alone. I think he appreciated the
peace and quiet though, but that didn’t last long. My wife got a ragdoll
kitten that we named Stuart. He’s very similar in attitude to my
daughter’s cat (poor Ted, he will always be someone’s chicken nugget to
chew on!) but he’s a pretty awesome cat and so soft. Great addition to the
family this year.</p>
<p>From a work perspective, this was an interesting year. It was tough, due to
all of the personal things going on (renovations are highly disruptive and
having my mother-in-law here for two months was as well) so by the time we
went to Jasper I really needed the break. The beginning of the year was marred
by drama at work that made me less enthusiastic and probably quite a bit
grumpier than usual. Thankfully that was resolved and right now I’m really
pumped for next year. That said, it feels riskier to be in the
technology/security space right now as evidenced by the <span class="caps">SEC</span> going after the
SolarWinds <span class="caps">CISO</span> personally. A lot of those responsible for security programs
are feeling that pressure and uncertainty — it doesn’t feel as “fun” as it
used to with stuff like that hanging over our heads. Yet, while not always “fun”
necessarily, there are plenty of things that make the job rewarding.</p>
<p>Finally, I started our <span class="caps">ALDE</span> (Advanced Leadership Development Experience)
program this year which I’d put off for a few years since doing <span class="caps">ALDP</span> back
in 2018. Thus far it’s been great. Getting more input from my boss, from
my coach, from my staff, from indirect staff has been challenging and
rewarding. Lots of areas to work on to become a better version of myself,
so I’ve spent quite a bit of time reflecting on how I can change. 2024
will be a very different year for me in terms of how I lead, based on that
reflection and inputs, and some actions I’ve put into place already. I’m
looking forward to it. I think it will be good for me and the team.</p>
<p>Speaking of the team, I can’t help but think how awesome they are. Not just my
staff — they’re pretty good — but the entire organization. Truly blessed to
be working with some of the brightest minds in the industry! These guys and
gals really give me the juice to get up each day and work, even when things are
crappy. Huge shoutout to Red Hat Product Security. You all are amazing people.</p>
<p>Christmas this year was pretty awesome as well. All healthy, all good.
Great times with family and friends. The weather was definitely odd…
this time last year we had a cold streak in the -30°C range, this year we’re
at or above 0°C most days. This week we even got up to 5°C… pretty much
shorts and t-shirt weather for us Albertans! Also got very into puzzles
over Christmas. My wife got us advent calendar puzzles which was fun and
it started a bit of an obsession now, so we ordered a few other puzzles to
put together. It was great to end the year so nice. Merry belated
Christmas and happy new year to everyone!</p>
<p>No new tattoos this year. The downside of running out of room I suppose.
Seriously considering neck-tatts but my wife isn’t a fan of my chosen design
(the Alien dual mouth on my throat… she’s threatening no more kisses). Oh
well, maybe not ;)</p>
<h2 id="books-read">Books read</h2>
<p>I do a fair bit of reading, but if I’m honest I stopped reading almost
anything non-fiction since the <span class="caps">COVID</span>-19 pandemic started. This year I
wanted to get back into reading more than just fiction (while still
continuing to read fiction as that’s part of my go-to-sleep ritual). So to
hold myself accountable to that goal I’ve been tracking which books I’ve
read this year.</p>
<ul>
<li>Knife of Dreams, Robert Jordan</li>
<li><span class="caps">HBR</span>’s Emotional Intelligence Series: Confidence</li>
<li>The Gathering Storm, Robert Jordan <span class="amp">&</span> Brandon Sanderson</li>
<li>The Coaching Habit, Michael Bungay Stanier</li>
<li>Darksword Trilogy 1: Forging the Darksword, Margaret Weis <span class="amp">&</span> Tracy Hickman</li>
<li>Towers of Midnight, Robert Jordan <span class="amp">&</span> Brandon Sanderson</li>
<li>A Memory of Light, Robert Jordan <span class="amp">&</span> Brandon Sanderson</li>
<li>Darksword Trilogy 2: Doom of the Darksword, Margaret Weis <span class="amp">&</span> Tracy Hickman</li>
<li>Sandworm, Andy Greenberg</li>
<li>Under the Radar, Robert Young <span class="amp">&</span> Wendy Goldman Rohm</li>
<li>Darksword Trilogy 3: Triumph of the Darksword, Margaret Weis <span class="amp">&</span> Tracy Hickman</li>
<li>The Devil’s Diadem, Sarah Douglass</li>
<li>The Axis Trilogy 1: Battle Axe, Sarah Douglass</li>
<li>The Axis Trilogy 2: Enchanter, Sarah Douglass</li>
<li>The New Testament in Modern English, J.B. Phillips</li>
<li>The New King James Bible (just the Old Testament)</li>
</ul>
<h1>Productivity improvements with Obsidian, OmniFocus and Johnny Decimal</h1>
<p>Vincent Danen, 2023-12-09 17:02 (-07:00)</p>
<p>I’ve been using <span class="caps">GTD</span> (<a href="https://gettingthingsdone.com/">Getting Things Done</a>)
as a methodology for how I work for a number of years. I revisit the
systems I use occasionally, particularly when I don’t feel they’re working
out for me or my needs have changed. And lately one of the biggest
challenges I have is that I’m actually quite good at <em>taking</em> notes, but I’m
not as good at <em>finding</em> the notes I took.</p>
<p>And as time goes on, I’ve found I have more places to store things (documents
of various types, email, and so on) and while they can all be categorized
similarly, I never really bothered. Previously I had focused on how to
organize things like OmniFocus (for tasks) versus organizing <em>everything</em>
in a similar way. In other words, I would spend the time to organize a
system versus having a system to coherently organize all the data across
the systems I use.</p>
<p>As a point of reference, these are all the “storage buckets” I use for data
(whether for work or personal):</p>
<ul>
<li><a href="https://www.omnigroup.com/omnifocus/">OmniFocus</a> for tracking tasks</li>
<li><a href="https://c-command.com/eaglefiler/">EagleFiler</a> for private
out-of-the-cloud document storage that I want to retain (think tax
documents, receipts, PDFs, etc)</li>
<li>Mac’s Finder for things I download and presumably some might make it to
EagleFiler (but I’ll admit I’m not very consistent here!)</li>
<li><a href="https://obsidian.md/">Obsidian</a> for taking markdown notes (as a
reference, I’ve gone through a number of systems here, including
EagleFiler to store <span class="caps">RTF</span> notes,
Joplin, Inkdrop, Quiver, and finally settling on Obsidian earlier this year)</li>
<li>Gmail for email</li>
<li>Google Drive for documents that are shared with others (family or
co-workers) and other cloud storage</li>
<li>Apple Notes for quick, short-lived notes (such as the hotel room number I
happen to be staying in or copy/paste references); I may rely on this
less now that I can sync Obsidian to mobile devices</li>
</ul>
<p>And because this data can be used on the desktop system at home, or the
work laptop or personal laptop, in addition to my iPad and iPhone, these
systems as much as possible need to be synced. Since I don’t trust cloud
services more than I need to, I try to sync as much of this via git as
possible and locally host my own <a href="https://about.gitea.com/">Gitea</a>
instance. I store my EagleFiler storage and Obsidian data in git and use
it to synchronize across my devices.</p>
<p>I’ll briefly describe how to sync Obsidian to iOS devices, which has its
own client, and then discuss a recent way I’ve found to categorize data
across disparate systems and applications.</p>
<h2 id="syncing-obsidian-to-ipad-andor-iphone">Syncing Obsidian to iPad and/or iPhone</h2>
<p>My ecosystem is entirely Apple-based, so I use Obsidian on my Mac and I use
both the iPhone and iPad, and it would be hugely beneficial to have the
data in Obsidian available to me on both devices.</p>
<p>I followed <a href="https://meganesulli.com/blog/sync-obsidian-vault-iphone-ipad/">this tutorial on syncing Obsidian vaults to iPhone or iPad</a>
and it worked like a champ. I use <a href="https://workingcopy.app/">Working Copy</a>
to get the git repository on my device and link it to the Obsidian vault,
meaning that I have access to notes and documents, at least those in
Obsidian, while on the go or I can use the iPad to take meeting notes
without obscuring a screen while having a meeting on Google Meet or Zoom or whatever.</p>
<p>The only downside is Working Copy has a cost if you want to use it with
Obsidian. I don’t mind though; I’ve had a lot of situations where all I
had with me was my phone and I needed to reference something in my notes
which were not available. From a productivity perspective, it’s a small
price to pay.</p>
<h2 id="categorization-using-johnny-decimal">Categorization using Johnny Decimal</h2>
<p>I randomly stumbled across a podcast, <a href="https://learnomnifocus.com/tutorial/2022-11-17-omnifocus-obsidian-workflows-with-leah-ferguson/">OmniFocus + Obsidian Workflows with Leah Ferguson</a>
discussing how to integrate OmniFocus with Obsidian. I thought this would
be an interesting way to enhance my usage of both tools, since I already
use them both, perhaps with a bit of automation (I don’t use Apple
Shortcuts as much as I probably could).</p>
<p>The podcast was great, but not because of the Obsidian and OmniFocus
integration — while helpful, the introduction to <a href="https://johnnydecimal.com/">Johnny Decimal</a>
was vastly more important and started me down a journey of trying to become
even more productive. Making the data easier to find was what struck me
most when I was listening to Leah describe her use of those systems. After
all, if I’m going to spend the time keeping something, what is it for if
not to easily find it when I need it?</p>
<p>I won’t go into all the specifics of how I organized things, but I’ll give
you some details to get the idea. The essential premise is to start broad,
with no more than 10 categories, and then you narrow the aperture as you go
further. For me, I made sure I only numbered three levels deep; anything
further than that just is un-numbered folders or files that I try to give
coherent names to.</p>
<p>At the top level I have:</p>
<ul>
<li>00 Meta</li>
<li>10 Personal</li>
<li>20 Learning</li>
<li>30 Professional</li>
<li>40 Reference</li>
</ul>
<p>I haven’t found a need to have more than these high-level groups.</p>
<h3 id="00-meta">00 Meta</h3>
<p><code>00 Meta</code> is for all the random metadata that just needs a place to live. In
Obsidian I have:</p>
<ul>
<li>00 Meta<ul>
<li>01 Inbox</li>
<li>02 Templates</li>
<li>03 Resources</li>
<li>04 <span class="caps">SOP</span></li>
</ul>
</li>
</ul>
<p><code>04 SOP</code> is a special “Standard Operating Procedures” folder where I
document things like this system. <code>01 Inbox</code> is the standard Obsidian
inbox for new files that haven’t been categorized. <code>02 Templates</code> are for
the templates I use in Obsidian, such as the weekly template where I put
notes of my schedule for the week. <code>03 Resources</code> are for all the
attachments (PDFs, graphics, etc) that are inserted into Obsidian documents.</p>
<p>In Gmail I use this a bit differently and have <code>00 Meta</code> as a label with
these nested sub-labels:</p>
<ul>
<li><span class="caps">ACTION</span></li>
<li><span class="caps">EVENTS</span></li>
<li><span class="caps">FOLLOWUP</span></li>
<li><span class="caps">IMPORTANT</span></li>
<li><span class="caps">WAITINGFOR</span></li>
</ul>
<p>The <code>ACTION</code> label should probably be used less as I work to get those
actions into OmniFocus. This would be easier if
<a href="https://mimestream.com/">Mimestream</a> (my email client) had a way to expose
email links to itself rather than to the Gmail web UI, so right now it’s
just easier to label things than to manually copy the Gmail link and create
a new task.</p>
<p>The <code>00 Meta</code> category isn’t really used anywhere other than Obsidian.</p>
<h3 id="10-personal">10 Personal</h3>
<p>This is for life stuff. I don’t have a lot of sub-categories here (I
wonder if that’s worth exploring further!), but right now I have:</p>
<ul>
<li>11 Christcity</li>
<li>12 People</li>
<li>14 Blog</li>
<li>15 Health</li>
<li>19 Financial<ul>
<li>19.01 Receipts</li>
<li>19.02 Investing</li>
<li>19.03 Compensation</li>
</ul>
</li>
</ul>
<p>You might notice a few things here. First, I don’t use all the numbers and
skip a few. I’m trying to stay consistent across categories that have
overlap; for instance there are financial and people notes/documents/etc
for both Personal and Professional, so I try to keep that number consistent.</p>
<p>In this case I use <code>11 Christcity</code> for things related to church, whether it
be my duties as a District Pastor or marriage counsellor. This label
exists in my personal Gmail as well. <code>14 Blog</code> is where I can draft new
blog posts for this site (great thing that they both use markdown!), and
<code>19 Financial</code> has a few sub-categories such as <code>19.01 Receipts</code> where I’ll
keep receipts for purchases and <code>19.02 Investing</code> where I keep
investment-related information. These also have Gmail labels and folders
in EagleFiler.</p>
<p>The point here is that things that are relevant to a system should be
present there, things that aren’t relevant to a system should not. For
example, if I wrote more on this blog and wanted to schedule things, I
might have <code>14 Blog</code> as a project in OmniFocus (I don’t, so I don’t). I
might have church-related tasks to do so <code>11 Christcity</code> definitely shows
up in OmniFocus as well. <code>15 Health</code> isn’t needed in Gmail, so I won’t
create a label for it, but I use it in EagleFiler for scans of health tests
and other documents, and in Obsidian for any notes I want to keep from a
doctor’s visit or similar.</p>
<p>I would recommend against creating all of these labels/folders for every
single system unless you need them, just to avoid clutter.</p>
<h3 id="20-learning">20 Learning</h3>
<p>The <code>20 Learning</code> category is for stuff I have learned or that I want to
learn. I use this on every system and have only two categories:</p>
<ul>
<li>21 Leadership<ul>
<li>21.03 Management Training</li>
</ul>
</li>
<li>22 Technical Notes</li>
</ul>
<p>These are for notes I might take from a class or articles I’ve downloaded
that are specifically related to learning. To be honest, I’m not yet sold
on <code>22 Technical Notes</code> as these feel more like they belong somewhere in
<code>40 Reference</code> but for now, I’m keeping it as-is.</p>
<p>I have other sub-categories under <code>21 Leadership</code> for some leadership
courses I take at work, where I collect observations, documents, and so forth.</p>
<h3 id="30-professional">30 Professional</h3>
<p>This is the busiest category and requires a lot of attention to make sure
it stays orderly. I take an insane amount of notes in meetings, and I have
a lot of meetings, which means I have a lot of documents. I also have a
lot of work-related areas that require even more documents. This section
has parts in all systems; again, not every single sub-category is needed in
every system, so not every system has them all. The below is curated, but
should illustrate how I’m using it:</p>
<ul>
<li>31 Career<ul>
<li>31.01 Mentoring</li>
<li>31.02 Mentors</li>
</ul>
</li>
<li>32 People<ul>
<li>32.01 Boss</li>
<li>32.02 Peers</li>
<li>32.03 Staff</li>
</ul>
</li>
<li>33 Public<ul>
<li>33.01 Papers</li>
<li>33.02 Presentations</li>
</ul>
</li>
<li>34 Red Hat<ul>
<li>34.01 Weekly Notes</li>
<li>34.02 Travel</li>
</ul>
</li>
<li>35 Product Security<ul>
<li>35.01 Organization</li>
<li>35.09 Escalations</li>
</ul>
</li>
<li>37 External<ul>
<li>37.01 Customers</li>
<li>37.04 Boards</li>
</ul>
</li>
<li>38 Projects</li>
<li>39 Financial<ul>
<li>39.01 Receipts<ul>
<li>Travel<ul>
<li><em><span class="caps">YYYYMM</span> <span class="caps">DESTINATION</span></em></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<p>You get the idea. Effectively, I take meeting notes when I meet with
people, and those notes live under <code>32 People</code>. For the people I meet with
sporadically, it’s a single file under their name. For the people I meet
with often, their name is a folder, with a year-dated file for those notes
(so if “Bob Young” worked for me, I would have this year’s meeting notes
for him in <code>32 People/32.03 Staff/Bob Young/2023 Bob Young</code>).</p>
<p>For customers and partners, those notes are named after the company name.
For folks I mentor or am mentored by, they live in a file named after them
in <code>31 Career/31.01 Mentoring</code>, etc. I try to keep a <span class="caps">PDF</span> copy of
presentations I give in <code>33.02 Presentations</code> in EagleFiler and they’re
organized that way in Google Drive for the original presentation. The
<a href="https://arstechnica.com/gadgets/2023/11/google-drive-is-investigating-sync-issues-as-users-complain-of-lost-files/">recent debacle</a>
of files being deleted from Google Drive reassures me that I’m not insane
for keeping a local copy.</p>
<p>Interestingly, in the last few weeks since I started using this system, I’m
actually remembering the Johnny Decimal number which means it’s really easy
to find things. I know that if I’m looking for information on Bob, I can
look for “32.03” almost anywhere and find him. I might have work-related
documents about Bob in a folder living beneath <code>32.03 Staff</code> on Google
Drive; any tasks I’ve given to Bob and am waiting on would live in a
similarly named project in OmniFocus; and emails from Bob automatically get
labeled <code>32.03 Staff/Bob Young</code> in Gmail. This makes anything
related to Bob, or people in general, super easy to find.</p>
<p>For compliance purposes, I keep all the receipts that get emailed to me
(Uber, flights, etc.) so I arrange those by destination just to keep things
orderly. So my last trip to Boston has receipts in <code>39 Financial/39.01
Receipts/Travel/202310 Boston</code>.</p>
<h3 id="40-reference">40 Reference</h3>
<p>Finally, the <code>40 Reference</code> category is just a place for me to dump notes
or copies of interesting things that I may want to use or refer to at some
point in the future.</p>
<ul>
<li>41 Books</li>
<li>42 Online</li>
<li>43 Papers</li>
<li>44 Images</li>
</ul>
<p>I haven’t really gotten into sub-categories here yet because I’m still
sorting things out. As I move things into these buckets, I’ll see if
common themes or topics occur that require further categorization.</p>
<h2 id="conclusion">Conclusion</h2>
<p>I started this journey about two weeks ago and it took quite a while,
slowly picking at and cleaning up all the various places of stashing stuff,
across a number of different systems and devices. I also wanted to ensure
that I could do this consistently, whether it was work-related or personal,
so I invested in cleaning up my personal documents as well, not just those
related to work. And, if I’m honest, I still have a ways to go (at some
point I just created an Uncategorized folder that stored everything I
hadn’t yet sorted and will slowly go through that, deleting what I no
longer need or care about, and moving around those things that I do). In
many respects, this is likely to be my “Christmas project” this year, so I
can start 2024 feeling very organized and tidy.</p>
<p>It’s astonishing how much data I’ve collected and a number of things
(notes, files, etc.) that I did organize can probably be deleted as well…
not everything has to be hung onto forever! I’m a bit of a digital packrat
and blame my mom for that (being technologically illiterate, she’s
definitely a physical items packrat). Regardless, having one consistent
method to organize all systems has had a number of distinct advantages that
are already making me more productive:</p>
<ul>
<li>I am starting to remember the numbers so content is easier to find</li>
<li>I don’t have to guess how I organized things depending on which system
I’m currently using, which reduces a lot of mental energy</li>
<li>Things just feel tidier!</li>
</ul>
<p>All that to say, it was a fairly hefty lift with all of the “technical
debt” I was carrying. And while my method might not work exactly for you,
hopefully by sharing I’ve given some ideas that may make you a wee bit more
productive as well. It’s about the consistent application of a method
across all tools and storage mechanisms that I find to be more important
than the tools themselves. I know well enough that tools come and go, but
the method to keep you sane should stay the same!</p>
<p>This blog doesn’t have comments, so hit me up on Twitter if you have any
thoughts or comments you’d like to share with me, or even recommendations.
I’m always trying to make myself more efficient and manage my systems vs
letting them manage me.</p>
<h2>OpenShift Commons Chicago 2023</h2>
<p>Published 2023-11-27 by Vincent Danen.</p>
<p><img alt="Image" src="https://annvix.com/images/more_in_common.webp" /></p>
<p>I had the opportunity to speak at the recent <a href="https://commons.openshift.org/gatherings/kubecon-24-nov-12/">OpenShift Commons in
Chicago</a>, an event that coincided with Kubecon in Chicago a few weeks back. I
spoke about the <a href="https://www.youtube.com/watch?v=3S855TdwhH4">Evolution of risk management in
software</a>, which is a more
recent talk that I’ve given a few times; the first time was at the Summit
Connect <span class="caps">NL</span> in September.</p>
<p>A few technical difficulties aside, this was a great talk that resonated
quite well with the audience, and I appreciate that later in the day and
even when I was strolling around Kubecon the next day I got a lot of
comments and discussions about it.</p>
<p>The basic premise is that patching everything is outdated and expensive,
and while we’ve elevated and evolved our thinking about risk <em>a lot</em> over
the last 20 years, for some reason we’ve not really changed our thinking
when it comes to patches — and that can come at a significant cost.</p>
<p>I hope you find it interesting and useful! I’ve been working on a blog
post that goes with it and has a lot more detail than I can give in a talk,
but it turns out it’s a bit too long to publish as-is on the redhat.com
web site, so it’ll likely be a 6-part blog series. I hope to be able to
share that with you all soon.</p>
<h2>Relocated to GitHub pages</h2>
<p>Published 2023-11-26 by Vincent Danen.</p>
<p>This is both a test and awareness. I’ve moved the site from PythonAnywhere
to GitHub Pages because I’m cheap and it’s a static site, so it doesn’t
need to be on PythonAnywhere anymore. I changed the theme at the same time
to make it a bit more readable. There’s some cleanup to be done (I don’t
even know how many times I’ve migrated this content from one site to
another), but I’m pretty keen on this Elegant theme for Pelican right now.
I’m also super keen on the low maintenance burden — static sites are
definitely the way to go when you have better things to do with your time!</p>
<h2>Red Hat Summit 2023</h2>
<p>Published 2023-06-04 by Vincent Danen.</p>
<p><img alt="Image" src="https://annvix.com/images/2023-rh-summit.png" /></p>
<p>I had the opportunity to attend Red Hat Summit 2023 in Boston, <span class="caps">MA</span>, which you can <a href="https://reg.experiences.redhat.com/flow/redhat/sum23/regVirtual/login">watch on demand</a>. Unlike the <span class="caps">OSS</span> Summit, this was a 14h door-to-door trip, there and back, due to delays (typically 12h door-to-door). However, the annoyance in travel was more than made up for by the energy of the Summit.</p>
<p>This was probably the best Red Hat Summit I’ve attended. Unlike last year, which was more executive-focused and smaller, this one was a lot bigger, a lot busier, and was absolutely buzzing! After <span class="caps">COVID</span> and so many years of not having an in-person Summit, everyone was happy to be there, energized, talking, and excited. Beyond that, the product announcements this year were really exciting, things like Ansible Lightspeed, Trusted Application Platform, Developer Hub and Service Interconnect, to name a few. You can get the lowdown on all the announcements from the <a href="https://www.redhat.com/en/about/red-hat-summit-newsroom">Red Hat Summit 2023 Newsroom</a>, which has a bunch of links to the different announcements.</p>
<p>This was the first Summit where I was on the keynote stage giving a quick demo about Red Hat Trusted Application Platform with my friend, and overly experienced presenter, Burr Sutter. It was gratifying to hear later how well received this demo was! You can <a href="https://youtu.be/0LCmCkwRcOE?t=3565">watch our demo on YouTube</a> starting at 59:25 which has Ashesh’s preamble and setup first then the demo.</p>
<p>While there I was again invited to be on theCube and talked about <a href="https://www.youtube.com/watch?v=cvpmNeFvDo8">Trusted Application Pipeline, supply chain security, open source security, SBOMs and more</a>. (Try to ignore the clicking, I’m going to have to get them to mic me up on the side where I have less earrings in the future!)</p>
<p>It was also great to connect with Red Hatters I’ve never met in person or those I’ve not been able to meet for some time (and those I was hanging with at the <span class="caps">OSS</span> Summit two weeks prior!). It was an excellent event, very busy, very exhausting, but at the same time very energizing as well.</p>
<h2>OSS Summit 2023</h2>
<p>Published 2023-05-13 (updated 2023-08-20) by Vincent Danen.</p>
<p><img alt="Image" src="https://annvix.com/images/LF-Event-Logo-_OSS-NA-V-White-01-1.png" /></p>
<p>I had the opportunity to attend the <a href="https://events.linuxfoundation.org/open-source-summit-north-america/"><span class="caps">OSS</span> Summit 2023</a> in Vancouver, <span class="caps">BC</span>. Probably the easiest conference I’ve ever attended, travel-wise, as it was about three hours door-to-door. Contrast that to Red Hat Summit in Boston, which is about 12 hours door-to-door.</p>
<p>The conference was great, I believe there were about 2,000 people in person. It was awesome to catch up with some folks I’ve not seen in a while (even ran into someone from <span class="caps">SUSE</span> who worked at Mandriva when I did; last time we met had to be around 16 years ago in Paris!). Unfortunately I didn’t get to attend too many talks, although I did attend a few at the OpenSSF day. My schedule was too busy and I was too busy talking with customers and partners.</p>
<p>I also had a few other obligations. I gave Red Hat’s keynote, which is typically given by Chris Wright, Red Hat’s <span class="caps">CTO</span>, but he was in Europe for something else and couldn’t make it. While not my first keynote ever, it was the largest stage thus far. Presumably it was well-received given some of the feedback I’ve gotten and you can <a href="https://www.youtube.com/watch?v=3cgU6M0oXMQ">watch the keynote here</a>.</p>
<p>I also did an <a href="https://www.youtube.com/watch?v=gMMBNLoEn5Y">interview with theCube</a> which was great. We talked about security and open source (what else?!) and it was a lot of fun. A great conversation, thanks for having me on!</p>
<p>Finally, I was on the <a href="https://softwareengineeringdaily.com/2023/07/05/trusted-software-supply-chain/">Software Engineering Daily
podcast</a>
talking about all kinds of things from secure software, secure supply
chain, to open source in general.</p>
<p>All in all it was a great week and it was good to catch up with and reconnect with some folks I’ve not seen in a while.</p>
<p><span class="caps">EDIT</span>: Added the link to the <a href="https://www.youtube.com/watch?v=3cgU6M0oXMQ">keynote</a> and the <a href="https://softwareengineeringdaily.com/2023/07/05/trusted-software-supply-chain/">podcast</a>.</p>
<h2>SBOMs, CVEs, CVSS and more</h2>
<p>Published 2023-04-07 by Vincent Danen.</p>
<p>There have been a few neat opportunities to write and discuss a variety of
topics over the last few weeks, and those pieces have now been published. The most recent
is a blog post I co-authored with Tracy Ragan at
<a href="https://www.deployhub.com/">DeployHub</a> entitled <a href="https://openssf.org/blog/2023/04/06/sboms-so-far-so-good-so-what/">SBOMs, So Far, So Good, So What?</a>,
where we take a look at the concerning trend of everyone talking about what
a good <span class="caps">SBOM</span> (Software Bill of Materials) should be, but very little about how
to consume it, or what you do once you’ve got it. Actually, I was
discussing the topic with my wife and, amusingly, we had watched Conan the
Destroyer a few weeks ago and she said: “Grab it, and take it!” to which I
responded: “Once you’ve got it, what do you do with it?” — I didn’t think
that was the most appropriate way to title the blog post though.</p>
<p>For those who’ve never seen Conan the Destroyer, here’s a <a href="https://www.youtube.com/watch?v=WPkhh5JytYE">clip of the
scene</a> although it doesn’t
have her followup of “once you’ve got him, what do you do with him?” 🤣</p>
<p>In other news, I was featured in the latest Red Hat Security Detail
episode, <a href="https://www.youtube.com/watch?v=oSyEGkX6sX0"><span class="caps">CVE</span> and <span class="caps">CVSS</span> explained | Security
Detail</a> that I had gone to
Raleigh, <span class="caps">NC</span> last year to film. I thought it turned out pretty well, and is
me (again) talking about a risk-based approach to vulnerability management
vs the old-school (and ineffective) check-box-based security. There’s a
companion article entitled <a href="https://www.redhat.com/en/topics/security/what-is-cve?sc_cid=7013a0000034s1WAAQ">What is a
<span class="caps">CVE</span>?</a>
to go along with the video.</p>
<p>Finally, I had a co-worker who is from Eastern Canada who was in town for a
day and he has this thing on LinkedIn called “Todd Talks” so we did two
videos for that. The first is again talking about vulnerability management
in my kitchen: <a href="https://www.linkedin.com/feed/update/urn:li:activity:7043935762429403136/?utm_source=share&utm_medium=member_desktop">Todd Talks security
1</a>
and the second <a href="https://www.linkedin.com/feed/update/urn:li:activity:7046704024363921408/?utm_source=share&utm_medium=member_desktop">Todd Talks security
2</a>
where we talk about risk profiles and vulnerability scoring.</p>
<p>These aren’t things I would necessarily be comfortable doing in the past,
but I’m leaning into them because there’s some really good messaging that
needs to go out. So hopefully these inspire some new thinking about how we
fix vulnerabilities, and when, while also keeping the conversation going.
When I talk to customers 1:1 and explain this, they understand… fixing
all vulnerabilities isn’t scalable or effective, and the numbers bear that
out (see the <a href="https://www.redhat.com/en/resources/product-security-risk-report-2022">2022 Product Security Risk
Report</a>
particularly when it comes to known exploitation). We could spend a lot of
time fixing things that don’t matter, or we can spend time fixing what
truly matters, responding quickly when it starts to matter, and focus
engineering and operational effort on things that actually provide value.</p>
<p>There’s a lot to talk about there, and a lot of old-school thinking that
needs to be changed. Let the conversation continue!</p>
<h2>Joplin server on TrueNAS Scale</h2>
<p>Published 2023-03-05 by Vincent Danen.</p>
<p>I’m an avid note taker and have migrated through a series of different
tools to take notes, some proprietary and some open source. I’ve gone
through Quiver, Inkdrop, Agenda, and recently I migrated everything to
Joplin. But I wanted to be able to sync my notes between devices and I
didn’t want it anywhere accessible to the public. Since I run TrueNAS
Scale at home, and there’s a TrueCharts application for the beta Joplin
Server… I figured it was worth a shot.</p>
<p>It worked great, and I’ve been syncing the Joplin client on my desktop to
the TrueNAS-based Joplin Server for some time, but without <span class="caps">HTTPS</span>. That
wasn’t really an issue, since the server was only reachable on my home network and
the notes are encrypted, but I was having trouble getting Joplin on my
iPad to work, and from what I’d read, syncing over <span class="caps">HTTPS</span> rather than
<span class="caps">HTTP</span> was the way to resolve it.</p>
<p>It took a bit of time and effort: I had to change the TrueNAS Scale system from
a single <span class="caps">IP</span> assigned via <span class="caps">DHCP</span> to a static <span class="caps">IP</span> with an alias, bind all the
Kubernetes applications to the second <span class="caps">IP</span> address, and set up another
wildcard Let’s Encrypt certificate to work with Traefik (which I also
installed as an application). Now I can connect to Joplin Server and my
PiHole application via <span class="caps">HTTPS</span>, each on its own dedicated subdomain. It’s
actually quite slick.</p>
<p>My main reason for noting this here is that I have a terrible memory
(hence the long journey through a number of note-taking applications!) and
I wanted to reference this YouTube video: <a href="https://www.youtube.com/watch?v=QSMgfz5zrxo">Secure <span class="caps">HTTPS</span> for all your TrueNAS Scale Apps (traefik)</a>,
which was an amazing help and got me through the setup pretty quickly.</p>
<p>I find some of the application configuration to be quite overwhelming, so
I’m noting here the most important pieces to remember when configuring an
application to use Traefik as its ingress.</p>
<p>Under <strong>Networking and Services</strong> you want to set the “Service Type” to
<code>ClusterIP (Do Not Expose Ports)</code>. Traefik is your ingress
service, so the application should only be exposed to the internal Kubernetes network, not directly on a host port.</p>
<p>Under <strong>Ingress</strong> you want to tick <code>Enable Ingress</code> under the “Main
Ingress” section. You’ll need to add a Host and give it a HostName to
reach the application on (e.g. <code>joplin.subdomain.mynetwork.com</code>; in
this example I’d have a Let’s Encrypt wildcard certificate for
<code>*.subdomain.mynetwork.com</code>). You need to add a Path, but it will
typically just be <code>/</code>.</p>
<p>Under <strong><span class="caps">TLS</span> Settings</strong> you want to add a Certificate Host, which will have the
same hostname as your main ingress host above
(joplin.subdomain.mynetwork.com). In the “Use TrueNAS <span class="caps">SCALE</span> Certificate
(Deprecated)” field you want to select your wildcard Let’s Encrypt certificate.
Not sure why it’s labelled “deprecated” because it works (maybe it goes
away in the future?).</p>
<p>The rest can pretty much be left alone. So even though Joplin Server
listens on port 22300, after doing the above you can connect on port 443 of the
wildcard domain, using <span class="caps">HTTPS</span>, and synchronize just fine.</p>
<p>Obnoxiously, the iPad client is throwing a different error now:</p>
<div class="highlight"><pre><span></span>Last error: Error: Error 404 Not Found: Invalid origin:
http://joplin.subdomain.mynetwork.com:443
</pre></div>
<p>This error makes no sense as I have the Joplin Server <span class="caps">URL</span> in the iPad
client set to https://, not http:// … so something to figure out later I suppose.</p>
<p>At any rate, I didn’t get it precisely where I wanted it, but now it has
full end-to-end encryption and I can configure PiHole over <span class="caps">TLS</span> which always
makes me happier.</p>
<h2>OpenSSF spotlight</h2>
<p>Published 2023-02-15 by Vincent Danen.</p>
<p>Recently I had the opportunity to be interviewed as a member of the OpenSSF
governing board. In fact, I’m not sure I mentioned this here before…
I’ve been an observer on the board for all of 2022 and at the beginning of
2023 I joined the governing board as a member to represent Red Hat and bring my own
extensive experience in open source software, and security, to the table.
The interview “<a href="https://openssf.org/blog/2023/02/14/spotlight-on-openssf-board-member-vincent-danen-vice-president-of-product-security-red-hat/">Spotlight on OpenSSF Board Member: Vincent Danen, Vice President of Product
Security, Red Hat</a>”
was a lot of fun to do and hopefully interesting to people!</p>
<p>At the end of the day, you can’t do this kind of work without tying it to
something that you value. For me that’s people. Sure, the model of open
source is interesting and awesome, the software produced is amazing, but I
think where a lot of folks suffer from short-sightedness is the focus on
the software itself, not what you can actually <em>do</em> with it and the impact
it has on society. How quickly we have leapt forward with technology
parallels how society has evolved from a humanitarian perspective (and I’d
really like to separate that from a <em>philosophical</em> or <em>ideological</em>
perspective because I’m not convinced we’ve progressed in those areas, to
be honest… but that’s a topic for another day!).</p>
<p>Anyways, hope you find the interview interesting. Would be keen to get
some thoughts on it — do you feel the same? Different? Sadly no comments
on the new blog, but you can always reply <a href="https://twitter.com/vdanen/status/1625570396002189318">on
Twitter</a>.</p>
<h2>2022: A Retrospective</h2>
<p>Published 2022-12-28 by Vincent Danen.</p>
<p><img alt="Image" src="https://annvix.com/images/hand-tatt.png" /></p>
<p>Well, here we are at the end of 2022 and frankly, I’m hoping 2023 will be better. Is it just me or do things seem to continue getting worse? The economic uncertainty, war, inept governments, broken medical systems, intolerance <em>across the board</em>, and everyone seeming angry about everything… this year has been a challenging one to remain positive. And that’s just anecdotal. Apologies for starting this off on such a sour note but I had such high hopes for 2022 that were quite quickly dashed and… well, the world just feels like it’s circling the toilet.</p>
<p>What a lovely way to start this blog post!</p>
<p>But there have been some good upsides as well. I wrote a lot more this year, which meant there was more content on this site, even if a lot of it is just pointers to other publications, such as the recent post on <a href="https://opensource.com/article/22/12/tools-open-source-vulnerability-management">opensource.com</a>, the article for <a href="https://research.redhat.com/blog/article/when-is-it-secure-enough-vulnerability-research-and-the-future-of-vulnerability-management/">Red Hat Research Quarterly</a>, the <a href="https://www.redhat.com/en/blog/do-all-vulnerabilities-really-matter">Red Hat blog on vulnerability management</a> and also on <a href="https://www.redhat.com/en/blog/curated-tested-and-supported-how-enterprise-vendors-mitigate-open-source-supply-chain-risk">supply chain risks</a>, so there was a reasonable amount of writing done. Also I was interviewed on <a href="https://zerobytesgiven.com/episodes/season_one/vincent_danen/">ZeroBytesGiven</a> and <a href="https://www.youtube.com/watch?v=PjXrwx5HOvM">SiliconAngle</a>, both of which were a lot of fun.</p>
<p>At the beginning of the year I joined the <a href="https://openssf.org/">OpenSSF</a> governing board as an observer and at the end of the year I took on the responsibility of representing Red Hat on the board instead of Chris Wright, which is a great privilege and honor. I’m looking forward to representing Red Hat and the open source communities there.</p>
<p>Things have been pretty good at work this year. Red Hat is weathering the economic conditions fairly well and while it impacted us by having to slow down hiring, it could have been worse like it’s been with some other companies. We had a fair bit of turnover and really saw the effects of the so-called Great Resignation, but we’ve gotten some pretty incredible people to take those spots so I feel pretty good about it. The team has been charging <em>hard</em> this year, getting a lot done. If you read the <a href="https://www.redhat.com/en/blog/channel/security">Red Hat security blog</a> there’s quite a few articles written by folks on the team about all the incredible work that’s been done this year. It hasn’t been without its challenges, and I’m really proud of the team and all they’ve accomplished.</p>
<p>It was nice to get back to seeing people in person again this year. After a few years of not traveling (which I didn’t mind!) I had actually started to miss it. The first trip this year was pretty nerve-wracking due to lingering <span class="caps">COVID</span> concerns, the stupid Arrive-<span class="caps">CAN</span> app, chaos at airports… It was good to start traveling so as to see people in person again, but the travel experience itself was truly painful at times. This year I went to Singapore for the first time, Boston a few times, Raleigh a few times, Denver for the first time, and Lake Tahoe for the Linux Foundation Member Summit, a first for both the event and the location. Being in all of these places was great… getting there, or getting home, left much to be desired. On my way to Boston I had to spend a night in the Pearson airport because, after sitting on the plane for an hour to leave for Boston, there was no ground crew to wheel us back from the terminal, and when all the planes emptied, all of the available hotel rooms nearby were booked solid. So many planes delayed, so many times running for planes that I didn’t need to run to, because they were also delayed. I took my first WestJet/Delta flights in years and I’ll never do that again… delays on the way to California, missed the flight to Reno, stayed in a hotel in <span class="caps">LA</span>, was booked on two separate flights from <span class="caps">LAX</span> (a morning flight to Salt Lake City and an evening direct to Reno), every time I tried to board the system freaked out because of the evening flight they didn’t take me off of… and then when leaving and it was time to check in, my flight from Reno to <span class="caps">LA</span> had disappeared and I was cordially invited to check in for my flight from <span class="caps">LAX</span> home — with nothing to get me to <span class="caps">LAX</span>! 🤬</p>
<p>About 50% of the trips were reasonably good, even though they had delays, but the other 50% were really quite stressful. Still, it was nice to see people in person and it was really nice to get to Red Hat’s <span class="caps">HQ</span> in Raleigh again.</p>
<p>I feel bad for those who got stuck over the holidays, and those who are still stuck as I write this, as we’ve had more airport insanity than we’ve had for some time and at such a large scale as well. I’m not keen yet to go on holidays somewhere I can’t drive to, such as when we went to Jasper this summer for a week which turned into two nights because of the <a href="https://www.youtube.com/watch?v=AjmyJazNFsA">Chetamon Wildfire</a> that took out power to the townsite (and hence our cabin). We made the right decision to leave after being without power for about 6h as it turned into a number of days without power.</p>
<p>Speaking of disappointing holidays, revamping this blog over Christmas was probably the only highlight. My daughter was sick with a stomach bug, my wife’s uncle died on Boxing Day, and my mother-in-law went into the hospital Christmas Day with heart issues that we’re hopeful the doctors are sorting out, although we expect her to be there for a few more days yet. Post-Christmas has been spent doing a lot of fretting and going to and from the hospital or to visit my father-in-law to make sure he’s not too lonely. Tragically, my daughter’s boyfriend’s mother passed away a week before Christmas as well, under some rather sad circumstances.</p>
<p>Not quite the way I had wanted to end this year but at this point I can only consider it to be the icing on the cake of a truly terrible year.</p>
<p>The worst for me, however, was my wife’s health this year. It’s been another challenging year and a revisit of <a href="https://annvix.com/blog/2018-a-retrospective-resilience">2018</a>. Most of the year she’s been feeling poorly, and we’re a bit stuck on how to make her body properly absorb iron because it seems as though it isn’t. She’s been on iron pills for the last number of years, and I suspect that stress is a major trigger to <em>something</em> in her body not working as it should. At the beginning of this year we started the work to sell the acreage her parents lived on and move them into an assisted living facility that’s located a little closer, and a significant amount of that effort was done by my wife. In fact, she quit her job so she could focus on it, and that’s when she started feeling poorly, almost — but not quite — as bad as in 2018 which, looking back, was likely triggered by other stressful family events. We finally managed to get her a series of iron infusions this summer and her numbers were good, but she got her iron and hemoglobin levels tested three months after the infusion and the iron is low again, while the hemoglobin is still high. But that will only last for so long with no iron to help produce red blood cells, so I expect she’ll need another infusion soon. Unless some of the help our naturopath is giving us works; we’re trying different and additional iron now, along with a few other things, so we’ll see in a month whether those iron levels have gone up.</p>
<p>All in all, from a work perspective, this was an incredibly challenging yet rewarding year. From a personal perspective, it was an incredibly challenging and not so awesome year. In fact, it’s been probably one of the toughest since I started writing these retrospectives. Yet, we soldier on and take the good days and the bad as they come. Next year will undoubtedly come with its own challenges, although I’m optimistic that we’ll finally get things sorted out with respect to my wife’s health. So we put our trust in God and pick ourselves up when we get knocked down.</p>
<p>One of my favourite proverbs is Proverbs 24:16: “<em>For a righteous man may fall seven times and rise again, But the wicked shall fall by calamity.</em>” It’s also a Japanese proverb: “七転び八起き” or “<em>Fall down seven times, stand up eight.</em>”</p>
<p>I guess there’s a reason I got this tattooed on my hands a few years ago. Sometimes it just comes down to reminding yourself that, no matter how tough things get, we always get to choose. We can choose to lie down and feel sorry for ourselves, we can choose destructive paths that just end up making things worse, or we can choose to get up, dust ourselves off, embrace hope, and move forward.</p>
<p><strong><span class="caps">UPDATE</span></strong>: my mother-in-law was only in the hospital for a week and got out before New Year’s, which was great. She seems to be doing much better now on updated medication, and had some really great nurses and doctors while there, so definitely answered prayers.</p>
<p><strong>… And a pelican in a pear tree</strong> (2022-12-22, Vincent Danen, <a href="https://annvix.com/blog/and-a-pelican-in-a-pear-tree">annvix.com/blog/and-a-pelican-in-a-pear-tree</a>)</p>
<p><img alt="Image" src="https://annvix.com/images/pelican-logo.png" /></p>
<p>For a number of years, since getting more and more into management, I’ve
had less time to do any real programming. So a highlight of the year, for
the first few years at least, was to take time during the Christmas break
to do some work, mostly on this blog and for a few other odd projects. In 2016 I
wrote the platform for this site in Flask, migrating from WordPress (I
think? It’s been so long I can’t remember!). At the time I was doing a lot
of work with Flask for work, building a dashboard for our vulnerability
management and incident response processes.</p>
<p>However, in 2018 the demands on my time at work shifted from programming to leading, so the amount of code I was able to write became significantly less. And for the last few years it has been nearly non-existent.</p>
<p>As I talk to customers and others about the risk of updating software and
why an enterprise Linux vendor like Red Hat performs backporting of patches
(and why our customers love it), I often use this blog as an example.
<em>Every time</em> I try to update python modules or dependencies, things
ultimately break.</p>
<p>Well, it had been two years since I did anything with the Flask application that powered this site. So a few days ago I spent the day upgrading Flask and its dependencies, which included a deprecated Flask-Security module (so I upgraded to Flask-Security-Too) and a whole host of dependencies. After an entire day’s worth of effort, the site ran but I couldn’t log in. There were some issues with the <span class="caps">CSRF</span> handling, where the tokens weren’t matching, and after quite a few hours trying to figure it out I just gave up. The example I’d been using all year with customers had just become very real. I had updated my dependencies like a good security professional and a whole lot of nothing worked (well, the site worked but there was no ability to add new content, such as this blog post, which for me is a bit of a big deal).</p>
<p>The next day, yesterday, I was ready to roll up my sleeves and dive in
again when it struck me that the old site had a lot of fancy things I had
implemented because I was using it for work. Well, that old work dashboard
is long gone and I’m no longer really working with Flask at all — my
programming these days tends to be quick and dirty scripts to solve small
problems. So I spent some time thinking, to figure out what I really needed
from this site.</p>
<p>Do I need comments? Well not really, most of them are spam. Do I need a
login? Probably not, I’m the only author here. Do I need something that
looks slick? It’d be nice, but not necessary. So rather than diving into
why Flask-Security-Too had become my number one enemy, I started looking
for static site generators and stumbled on <a href="https://docs.getpelican.com/en/latest/index.html">Pelican</a>.</p>
<p>Pelican is a pretty slick static site generator that uses <span class="caps">RST</span> or Markdown as source content. Pretty quickly I realized that the content here was probably what was most interesting to people, not all the other fancy-shmancy features that I had added. So I decided to focus on the content, in particular old articles I’d written (that still get a ridiculous number of hits for things that are so old!) and the blog posts.</p>
<p>Within a few hours I’d written a quick and dirty script to iterate through the MySQL database and output a number of Markdown files for both articles and blog posts, set up Pelican, and troubleshot it quite a bit, as I wanted the links to blog posts and other pages to be consistent with the old site.</p>
<p>The look and feel is ok, it’s not exactly what I wanted but it’ll do for
now and I may monkey around with it later. But the maintenance is
effectively zero. I don’t need all the fancy modules since it’s not an
interactive site. With it being 100% static, a lot of concerns about old
python modules, updating code when it breaks, and so forth is just plain
old <em>gone</em>.</p>
<p>It feels rather refreshing! And this is the first post written for this new site. And with three days to Christmas, I’m humming the <a href="https://www.youtube.com/watch?v=9QPQI5QUs74">twelve days of Christmas</a> but there’s no partridge around here… there’s a Pelican in my pear tree ;)</p>
<p><strong>A new generation of tools for open source vulnerability management</strong> (2022-12-18, Vincent Danen, <a href="https://annvix.com/blog/a-new-generation-of-tools-for-open-source-vulnerability-management">annvix.com/blog/a-new-generation-of-tools-for-open-source-vulnerability-management</a>)</p>
<p><img alt="Image" src="https://annvix.com/images/cloud_tools_hardware.png" /></p>
<p>I recently wrote for opensource.com on <a href="https://opensource.com/article/22/12/tools-open-source-vulnerability-management">A new generation of tools for open source vulnerability management</a> (the above image is credited to opensource.com).</p>
<p>This is my first article written there and while the article itself tends to be vendor-agnostic, this truly is an article about the Red Hat Product Security team’s use of tooling for vulnerability management and the evolution of the same. We went from no tools, to command-line tools that manipulated Bugzilla, to a monolithic web-based tool (that also manipulated Bugzilla), to a suite of discrete tools to handle vulnerability management with a proper database and proper front-end tools. The reliance on Bugzilla was historical and we’re really looking forward to getting rid of it as our “database” because it never should have been one.</p>
<p>But you iterate and learn, and the thing I’m most excited about is that these tools are now being developed in the open and can benefit others, which none of the earlier tools with their reliance on our modified Bugzilla could do. So if you’re interested in vulnerability response tooling, I’d encourage you to read the above article, check out the linked GitHub repos (noted below for convenience) and see if there is something you can use or contribute to!</p>
<ul>
<li><a href="https://github.com/RedHatProductSecurity/component-registry">Component Registry</a>: which is used to store all of the component information across any number of products and services</li>
<li><a href="https://github.com/RedHatProductSecurity/osidb"><span class="caps">OSIDB</span></a>: the Open Security Issue Database, is the database to store all vulnerability data</li>
<li><a href="https://github.com/RedHatProductSecurity/openlcs">OpenLCS</a>: the Open License and Crypto Scanner, is the tool to obtain license and cryptography information from shipped components</li>
</ul>
<p><strong>Interview: When is it secure enough?</strong> (2022-12-05, Vincent Danen, <a href="https://annvix.com/blog/interview-when-is-it-secure-enough">annvix.com/blog/interview-when-is-it-secure-enough</a>)</p>
<p><img alt="Image" src="https://annvix.com/images/RHRQNov2022_cover.png" /></p>
<p>I had the awesome opportunity to interview professor Daniel Gruss and one of his PhD students, Martin Schwarzl, a while back and the article recently was published in the Red Hat Research Quarterly magazine. For those who don’t know, Daniel was one of the folks behind the discovery of the <a href="https://www.redhat.com/en/blog/what-are-meltdown-and-spectre-heres-what-you-need-know">Spectre and Meltdown hardware flaws</a> made public in 2018.</p>
<p>It was an honour to be able to chat with them both about security in software and hardware and the research they have been and continue to do. You can read <a href="https://research.redhat.com/blog/article/when-is-it-secure-enough-vulnerability-research-and-the-future-of-vulnerability-management/">When is it secure enough? Vulnerability research and the future of vulnerability management</a>.</p>
<p><strong>ZeroBytesGiven podcast appearance</strong> (2022-11-22, Vincent Danen, <a href="https://annvix.com/blog/zerobytesgiven-podcast-appearance">annvix.com/blog/zerobytesgiven-podcast-appearance</a>)</p>
<p><img alt="Image" src="https://annvix.com/images/0b-given-small.png" /></p>
<p>I did an <a href="https://zerobytesgiven.com/episodes/season_one/vincent_danen/">ad-hoc interview</a> with Eddie Knight over at Sonatype during the Linux Foundation Member Summit, for his podcast ZeroBytesGiven. It was a lot of fun and I got to talk about some supply chain concerns and even dig into the little-known history of how we did security at Mandriva back in the day.</p>
<p><strong>Risk-based vulnerability management</strong> (2022-11-15, Vincent Danen, <a href="https://annvix.com/blog/risk-based-vulnerability-management">annvix.com/blog/risk-based-vulnerability-management</a>)</p>
<p><img alt="Image" src="https://annvix.com/images/cves-on-fire.png" /></p>
<p>For much of this year I’ve been advocating for a risk-based vulnerability management approach, rather than the “industry standard” checkbox-based approach. I’ve been talking to customers, both directly and at various events (such as Red Hat Summit in Boston, Red Hat Summit Connect in Dallas, directly with customers in Singapore, and virtually with customers). A few weeks ago I also published on the Red Hat Security blog: <a href="https://www.redhat.com/en/blog/do-all-vulnerabilities-really-matter">Do all vulnerabilities really matter?</a></p>
<p>The gratifying thing is that I’m not alone! Earlier this week I saw this article: <a href="https://www.darkreading.com/vulnerabilities-threats/why-cve-management-as-a-primary-strategy-doesn-t-work">Why <span class="caps">CVE</span> Management as a Primary Strategy Doesn’t Work</a> which nicely dovetails with what I’ve been talking about, and a few months ago there was <a href="https://www.darkreading.com/application-security/open-source-software-bugs--attackability">Only 3% of Open Source Software Bugs Are Actually Attackable, Researchers Say</a>.</p>
<p>Given there is such a low exploitation rate, and also given there is such a high vulnerability rate that continues to grow YoY, one has to step back and ask oneself: do all of these matter? Do we need to update all of them? The answer is, generally, “no” yet it’s a little more nuanced. Sometimes it’s hard to know which vulnerabilities will turn into something that we care about. Yet there are some metrics we can look at.</p>
<p>For instance, in the <a href="https://www.redhat.com/en/resources/product-security-risk-report-detail#section-5">2021 Red Hat Product Security Risk Report</a> we started reporting on known exploits and the data was enlightening. For example, there was a 10% exploitation rate of Critical-rated vulnerabilities, a 2.5% exploitation rate of Important-rated vulnerabilities, and the numbers kept dropping… 1.7% for Moderate-rated and 0% for Low-rated. Now, as time goes on those may edge a bit higher for Critical and Important vulnerabilities — after all, we know that there are ancient vulnerabilities that are exploited years after they’re made public (which is why patching these things is so critical!). But few are exploited immediately. So if we focus on those most likely to be exploited, and where a successful exploit would have the most damaging impact, focusing on fast fixing (and patching!) of Critical and Important (or High, as some call them) vulnerabilities makes the most sense.</p>
<p>But that’s a really tiny number, overall. Again, using the 2021 Red Hat Product Security Risk Report, there were 293 Critical and Important vulnerabilities, versus 1303 vulnerabilities rated Moderate and Low. Fixing and patching 293 is a lot easier, for both producer and consumer, than fixing all 1596. And these are just vulnerabilities that affect a shipping Red Hat product.</p>
<p>We can do a bit of correlation here with data available from <span class="caps">NVD</span>. I had wanted to use the allitems.csv from <span class="caps">MITRE</span> and import it into SQLite, but it seems… well, it seems that the <span class="caps">CSV</span> file likes to have differing numbers of columns, which breaks an easy import. Hopefully future APIs will help, or <span class="caps">MITRE</span> will offer <span class="caps">JSON</span>-format files like <span class="caps">NVD</span> does. The APIs available from <span class="caps">NVD</span> won’t help get these statistics either, so I downloaded each of the <span class="caps">JSON</span> feed files. And then, because I don’t get to nerd out and write much python these days, I created <a href="https://github.com/vdanen/nvd-cve">nvd-cve on GitHub</a>, which will let me play around with some of the data.</p>
<p>The important thing to recognize is that, as per the <span class="caps">NVD</span> data, there has been steady growth in CVEs the last few years (big surprise!). 2021 had 10% YoY growth with a total of 20078 CVEs and thus far in 2022 we’re at greater than 8% YoY with a total of 21733 CVEs published on <span class="caps">NVD</span> to-date. That’s a <strong>lot</strong> of CVEs to fix!</p>
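The kind of tally described above, as an added example that is not the nvd-cve project’s own code: it counts CVEs per publication year, computes the YoY growth, and splits each year into the Critical/High set the post argues should be fixed first versus the rest. It assumes the layout of the NVD 1.1 JSON feeds (a <code>CVE_Items</code> list with <code>cve.CVE_data_meta.ID</code>, <code>publishedDate</code> and <code>impact.baseMetricV3.cvssV3.baseSeverity</code>); the feed content itself is constructed sample data, not real NVD entries.

```python
"""Tally NVD-feed-style CVE records by year and severity (added example)."""
import json
from collections import Counter
from typing import Optional

# Severities the post argues deserve fast fixing (Red Hat's Critical/Important
# correspond to NVD's CRITICAL/HIGH).
FOCUS = {"CRITICAL", "HIGH"}


def _record(cve_id: str, published: str, severity: Optional[str]) -> dict:
    """Build one record shaped like an NVD 1.1 JSON-feed item (constructed data).

    severity=None mimics an entry that carries no CVSS v3 metric at all.
    """
    rec = {"cve": {"CVE_data_meta": {"ID": cve_id}},
           "publishedDate": published, "impact": {}}
    if severity is not None:
        rec["impact"]["baseMetricV3"] = {"cvssV3": {"baseSeverity": severity}}
    return rec


# Constructed sample feed: made-up IDs, not real NVD entries. CVE-2021-0005
# appears twice, as a CVE can when the yearly and "modified" feeds are loaded
# together, so the loader must de-duplicate by ID.
SAMPLE_FEED = json.dumps({"CVE_data_type": "CVE", "CVE_Items": [
    _record("CVE-2020-0001", "2020-03-01T10:15Z", "HIGH"),
    _record("CVE-2020-0002", "2020-05-11T14:15Z", "LOW"),
    _record("CVE-2020-0003", "2020-08-20T18:15Z", "MEDIUM"),
    _record("CVE-2020-0004", "2020-11-02T09:15Z", None),
    _record("CVE-2021-0001", "2021-01-04T15:15Z", "CRITICAL"),
    _record("CVE-2021-0002", "2021-02-17T12:15Z", "HIGH"),
    _record("CVE-2021-0003", "2021-04-08T16:15Z", "MEDIUM"),
    _record("CVE-2021-0004", "2021-07-22T11:15Z", "MEDIUM"),
    _record("CVE-2021-0005", "2021-10-13T20:15Z", "LOW"),
    _record("CVE-2021-0005", "2021-10-13T20:15Z", "LOW"),
    _record("CVE-2022-0001", "2022-01-10T13:15Z", "CRITICAL"),
    _record("CVE-2022-0002", "2022-03-03T17:15Z", "HIGH"),
    _record("CVE-2022-0003", "2022-05-19T10:15Z", "MEDIUM"),
    _record("CVE-2022-0004", "2022-06-30T08:15Z", "MEDIUM"),
    _record("CVE-2022-0005", "2022-09-14T19:15Z", "MEDIUM"),
    _record("CVE-2022-0006", "2022-11-28T21:15Z", "LOW"),
]})


def load_items(feed_text: str) -> list:
    """Parse a feed into {id, year, severity} dicts, one per unique CVE ID.

    Entries without a CVSS v3 metric are kept and marked UNSCORED rather than
    dropped, so the yearly totals still match what was published.
    """
    seen, items = set(), []
    for rec in json.loads(feed_text)["CVE_Items"]:
        cve_id = rec["cve"]["CVE_data_meta"]["ID"]
        if cve_id in seen:
            continue
        seen.add(cve_id)
        severity = (rec.get("impact", {}).get("baseMetricV3", {})
                    .get("cvssV3", {}).get("baseSeverity", "UNSCORED"))
        items.append({"id": cve_id, "year": int(rec["publishedDate"][:4]),
                      "severity": severity})
    return items


def counts_by_year(items: list) -> dict:
    """CVEs published per year, ordered by year."""
    return dict(sorted(Counter(i["year"] for i in items).items()))


def yoy_growth(counts: dict) -> dict:
    """Percent change against the previous year, for each year with a predecessor."""
    years = sorted(counts)
    return {cur: round((counts[cur] - counts[prev]) / counts[prev] * 100, 1)
            for prev, cur in zip(years, years[1:]) if counts[prev]}


def severity_split(items: list, year: int) -> dict:
    """Divide one year's CVEs into the focus set (CRITICAL/HIGH), the rest, and unscored."""
    by_sev = Counter(i["severity"] for i in items if i["year"] == year)
    focus = sum(n for s, n in by_sev.items() if s in FOCUS)
    unscored = by_sev.get("UNSCORED", 0)
    return {"focus": focus, "rest": sum(by_sev.values()) - focus - unscored,
            "unscored": unscored}


def focus_list(items: list, year: int) -> list:
    """IDs a risk-based programme would fix first for the given year."""
    return sorted(i["id"] for i in items
                  if i["year"] == year and i["severity"] in FOCUS)


if __name__ == "__main__":
    items = load_items(SAMPLE_FEED)
    counts = counts_by_year(items)
    growth = yoy_growth(counts)
    for year, total in counts.items():
        split = severity_split(items, year)
        print(f"{year}: {total} CVEs, YoY {growth.get(year, 0.0):+.1f}%, "
              f"focus {split['focus']} / rest {split['rest']} / unscored {split['unscored']}")
        print("  fix first:", ", ".join(focus_list(items, year)) or "-")
```

Pointing <code>load_items</code> at a real yearly feed file gives the same per-year and per-severity breakdown the post quotes from NVD.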
<p>Vendors can try to keep up, at considerable expense in terms of time and energy. That’s a lot of patches to produce, and the picture is incomplete. For example, this probably under-represents the number of vulnerabilities in open source because a lot of projects don’t bother with getting CVEs assigned or don’t know they fixed a security issue. We know this <strong>vastly</strong> under-represents proprietary software because they often don’t bother labeling Low or Moderate (Medium) vulnerabilities as vulnerabilities and will either fix them silently or ignore them. Having talked with a number of proprietary PSIRTs, I know this for fact. And why not? It’s not as though anyone will find out, for the most part. The beautiful transparency of open source allows for everything to be shown — warts and all. We can’t hide it and we don’t want to hide it, which is great news for consumers. If a vendor doesn’t apply a fix, but you know there’s a vulnerability and it concerns you, you have the option to mitigate. As they say, knowledge is power!</p>
<p>Unfortunately with proprietary software, you don’t have this knowledge and so don’t have the power to mitigate on your own. That’s a benefit of open source, even though sometimes it makes things look uglier. You can assess the risk in what you know — it’s not possible to assess the risk in what you don’t.</p>
<p>So where does that leave us? Well, I’ve been working with open source for over 20 years so I’m obviously biased towards it. With open source, you’re not going to get all the fixes. And honestly, you don’t <strong>want</strong> all the fixes. It’s too expensive to test and patch for every single vulnerability discovered. With that number going up, the cost will go up too. Most people didn’t start using open source to patch all the things… they got into open source because it provided value and increased the speed to delivery of whatever it is they’re building <strong>on top of</strong> that open source. Yet, even though you won’t get all the fixes, you do get all the information, and can mitigate on your own if you feel so inclined. That’s a benefit you don’t get with proprietary software and one we shouldn’t quickly forget.</p>
<p>Yet at the end of the day, no one wants to deal with <span class="caps">CVE</span> lists in the thousands where most of those vulnerabilities don’t matter and honestly, whether you care to admit it or not, a lot of vulnerabilities out there aren’t even on your little (or big!) list. So why not do the sensible thing, set the list aside, and focus on the <strong>risk</strong> of these vulnerabilities. Critical and Important issues are most likely to be exploited, so concentrate there. If a Moderate issue does get exploited (the risk of which is quite low and the risk of it causing significant damage even lower) then look to the vendor for a fix. Typically they’ll do the right thing and provide the fix without you having to ask. That’s because most vendors truly do want to protect their customers yet, at the end of the day, the software you’re using isn’t being used because it has no known vulnerabilities… it’s being used to create value for you as a customer, and most likely your own customers further downstream.</p>
<p>Now, to be clear, I do work for a software vendor and while the thoughts above are my own, they align with our approach. We focus on the risky software that could potentially pose a threat to our customers. You may also be interested in reading <a href="https://access.redhat.com/security/vulnerability-management">An Open Approach to Vulnerability Management</a> which we updated a month or so ago with more information on exploitable vulnerabilities.</p>
<p>Also, I took my first shot at some home-grown photo manipulation for fun. The explosion came from <a href="https://www.freepnglogos.com/pics/explosion">freepnglogos.com</a> and the <span class="caps">CVE</span> screenshot is from the <span class="caps">NVD</span> site. It’s not really a checklist of CVEs to fix but you should get the drift… I really would enjoy watching those lists burn ;)</p>
<p><strong>Controlling software supply chain security will require new tools, automation and vigilance</strong> (2022-02-18, Vincent Danen, <a href="https://annvix.com/blog/controlling-software-supply-chain-security-will-require-new-tools-automation-and-vigilance">annvix.com/blog/controlling-software-supply-chain-security-will-require-new-tools-automation-and-vigilance</a>)</p>
<p><img alt="Image" src="https://annvix.com/images/redhat.png" /></p>
<p>Recently I had the opportunity to join a few other Red Hatters to talk about software supply chains with SiliconAngle. They did a writeup “<a href="https://siliconangle.com/2022/02/15/controlling-software-supply-chain-security-will-require-new-tools-automation-and-vigilance-softwaresupplychain/">Controlling software supply chain security will require new tools, automation and vigilance</a>” that was great and included the full series of videos.</p>
<p>The interview I did with Luke Hinds can also be seen on YouTube: <a href="https://www.youtube.com/watch?v=PjXrwx5HOvM">Vincent Danen and Luke Hinds, Red Hat | Managing Risk In The Digital Supply Chain</a>.</p>
<p>It was a lot of fun to talk about; this is one of my favourite topics.</p>
<p><strong>Curated, tested and supported: How enterprise vendors mitigate open source supply chain risk</strong> (2022-02-01, Vincent Danen, <a href="https://annvix.com/blog/curated-tested-and-supported-how-enterprise-vendors-mitigate-open-source-supply-chain-risk">annvix.com/blog/curated-tested-and-supported-how-enterprise-vendors-mitigate-open-source-supply-chain-risk</a>)</p>
<p><img alt="Image" src="https://annvix.com/images/redhat.png" /></p>
<p>Published on the Red Hat blog, noting here that <a href="https://www.redhat.com/en/blog/curated-tested-and-supported-how-enterprise-vendors-mitigate-open-source-supply-chain-risk">Curated, tested and supported: How enterprise vendors mitigate open source supply chain risk</a> was posted yesterday. It’s an article that talks about supply chain risk and associated costs — after all, no software is truly “free” (which is why we prefer the term open source to free software). So where is that cost paid? The article explores that.</p>
<p>It also has a <a href="https://www.youtube.com/watch?v=iTUSCXNUvVE">video interview on open source and security</a> I did with the fine folks at RedMonk last December.</p>
<p>I also got to use my “water treatment facility” analogy that I’ve been using internally at Red Hat for nearly a year now about what a supply chain looks like and the parallels between what we do for software being akin to what a water treatment facility does for, well, water. The similarities are striking and ironic, given a few weeks after starting to use the analogy, the <a href="https://www.cnn.com/2021/02/10/us/florida-water-poison-cyber/index.html">Florida water treatment hack</a> was a thing.</p>
<p>Hopefully you find the topic as interesting as I do!</p>
<p><strong>2021: A Retrospective</strong> (2022-01-03, Vincent Danen, <a href="https://annvix.com/blog/2021-a-retrospective">annvix.com/blog/2021-a-retrospective</a>)</p>
<p><img alt="Image" src="https://annvix.com/images/IMG_5726.png" /></p>
<p>I think, like many people, I did not expect to be writing this at the end of 2021 and still be in the <span class="caps">COVID</span>-19 pandemic. Simply to get it out of the way because <span class="caps">COVID</span> certainly wasn’t the most exciting thing this year, the entire family got <span class="caps">COVID</span> in the summer. It wasn’t pleasant, but I’ve had worse. Interestingly, that was when I had the flu in Boston shortly after Spectre/Meltdown was public. Oh how our perceptions of working with sickness have changed in that short period of time. Some good (let’s keep the hygiene up people!) and some bad (really really tired of masks and restrictions!).</p>
<p>Anyways, I had considered not writing this year and even considered taking the blog down in its entirety… but by the looks of things, people still visit and find some useful information here (maybe not these retrospectives, which are largely for myself) so I’ll keep it around. Maybe I’ll retool it to be a static-only site given my time to write any code these days is slim to none. And maybe I’ll post more too (yes, I know I’ve said that multiple times before!).</p>
<p>Speaking of code, I’ve written some python code this year to do a little digging into the Google APIs, digging into calendar and mail data (such as how much time I spent in meetings, etc.). A few months after writing that, Google added a feature to the calendar to tell you just that, so it feels like a bit of wasted effort but it was enjoyable nonetheless. For the rest, most of the “code” I’ve written this year has been formulas in Google Spreadsheets. Not quite as fun as python.</p>
<p>From a work perspective, this was a busy year. Maybe the busiest, although I think I say that every year. With the SolarWinds news at the beginning of the year we spent a lot of time and effort making sure our handling of the supply chain was good, and investing in making it more resilient. That was top of mind for most of the year and we got quite involved there. Of course there was the Executive Order around cybersecurity and that certainly caused some work to make sure we could meet those expectations, particularly around the Software Bill of Materials (SBOMs), which I will state is quite disappointing when I read some of the expectations around SBOMs. Many, particularly in the <span class="caps">US</span> government, seem to think the <span class="caps">SBOM</span> is a silver bullet for proper vulnerability management. It’s certainly a part of the puzzle and required information, but not the panacea they seem to think, and I strenuously object to the notion that an <span class="caps">SBOM</span> should have up to date vulnerability information contained within it. It simply doesn’t make sense. The <span class="caps">SBOM</span> is a list of ingredients; there are other ways of determining and correlating whether those ingredients are bad or, in a food services analogy, in need of recall. You don’t print recall information on the packaging of your product. So there is work to be done there and hopefully we, collectively, get this right or we’ll be producing and consuming SBOMs hourly (which, for a product like Red Hat Enterprise Linux, will be massive and wasteful to transfer and generate).</p>
<p>Also this year we were able to add a number of new members to our awesome Product Security team. I can’t stress enough how thankful and grateful I am for every member of the team. Truly a top-notch crew. Included were two new members to my direct staff, both of which were some of the best hires I ever managed. From a personnel perspective, feeling really great being surrounded and supported by some amazing people.</p>
<p>Additionally, I was promoted to Vice President of Product Security this year, which is a great recognition to the team (we’ve only ever had a Senior Director in the past). So while this is nice for myself, I really see this as a promotion for the team and I’m so proud of them for it.</p>
<p>From a personal perspective, the year was both exciting and boring. We went to the mountains again this year, which is something we like to do each year, and it was amazing. It felt really good to get away, even if it wasn’t as far as we wanted (we had planned to go to Scotland in 2020 so we’re still looking forward to that one day… maybe 2023? Fingers crossed!). But for the rest it was the same old “new normal” of being home bodies. Which I don’t mind, to be honest, but I am definitely feeling itchy about wanting to travel again. In fact, last night I was watching <span class="caps">XXX</span> (the Vin Diesel movie) and seeing the Czech countryside and Prague really made me miss Brno, so I’m definitely looking forward to being able to go again, hopefully sooner rather than later!</p>
<p>I believe I’ve mentioned before that my wife and I are marriage counselors. We’ve, sadly, been quite busy this year. There was some pre-marital counselling, which is always fun, but a lot more of what we call “crisis” counselling this year… about three times as much as last year even, which is probably the most counselling we’ve ever done. So that was exhausting but rewarding for the most part. They didn’t all have happy endings, but most of them did.</p>
<p>My wife also changed jobs this year. She had been working for the top-rated French bakery for the last 5 years but the owner closed it down. Interestingly, when my wife served her notice that’s when she found out they were closing, so she was there from beginning to end. My waistline will probably thank me although I’m sad because I enjoyed those every-Friday treats from the bakery. She’s now working at a not-for-profit operated by our church, in our own community, which is really cool.</p>
<p>As I noted in my retrospective for 2021, we lost my best furry buddy, Whiskeyjack, earlier this year. But we got ourselves (and by “we” I mean my wife) a new little guy, a British Shorthair, named Ted. So we have two cats now: my daughter’s Herbert and my wife’s Ted. The great thing is, for the first time in probably 30+ years, I’m no longer responsible for doing the kitty litter. He’s a great companion, even if he does like to sleep between our pillows at night… which was cute when he was small, but at a year old he’s now bigger than Herbert, who’s a year older than him. He might get to over 15lbs (probably closer to 20lbs the way my wife feeds him!), so a big cat sleeping by my head… Well, I preferred Whiskeyjack (who was by no means small) sleeping at my feet!</p>
<p>I’m writing this with one day left of my two weeks of <span class="caps">PTO</span> at the end of the year. While it’s been a great time off, despite the obligatory Christmas cold, I’m stoked for 2022. I’m hoping that <span class="caps">COVID</span>-19 will become either nothing or something we just deal with, without all of the extras. I’m hoping to travel again this year; there are so many people in various locations that I’m looking forward to visiting again and connecting with – that has probably been the hardest thing about this pandemic, not being able to connect with co-workers in person. There is nothing like breaking bread with the people you depend on. And I’m looking forward to seeing what we can do in the security world – the team here at Red Hat have been working so hard, internally and externally, on doing the right thing not just for our customers but for the industry as a whole.</p>
<p>2021 was an interesting, but fulfilling, year. I changed who I reported to, which is always interesting. I think, even in the short term, it will be better for Product Security’s position within Red Hat so even though I was sad to change which organization Product Security sat in, I think this is the best thing moving forward. The year closed out with a lot of analyst briefings about open source supply chain security, which is new to me. I even did a talk at Red Hat <span class="caps">NEXT</span>, virtually, and I’m hoping to be able to do these in person soon. I might even come to enjoy them ;)</p>
<p><strong>Linux and Cloud Native Security: Red Hat’s Perspective</strong> (2021-11-07, Vincent Danen, <a href="https://annvix.com/blog/linux-and-cloud-native-security-red-hats-perspective">annvix.com/blog/linux-and-cloud-native-security-red-hats-perspective</a>)</p>
<p>I was recently interviewed by my friend Jack Wallen at the New Stack about Linux and cloud native security. This was part of a series they did with a few others.</p>
<p><a href="https://thenewstack.io/linux-and-cloud-native-security-red-hats-perspective/">Linux and Cloud Native Security: Red Hat’s Perspective</a></p>
<p>2020: A Retrospective (2021-03-06T21:00:00-07:00, Vincent Danen, tag:annvix.com,2021-03-06:/blog/2020-a-retrospective)</p>
<p><img alt="Image" src="https://annvix.com/images/jack-2020.png" /></p>
<p>It’s taken me some time to even get to the place where I wanted to stop and think about 2020. We’re just over 2 months into 2021 and I’ve been thinking about writing this since December, but between being plain old tired (physically and mentally) and being busy, every time the thought of writing this came up I shied away, finding some excuse or another not to write it.</p>
<p>But 2020 was too much of a year to <em>not</em> write about it and this will be the fifth year that I look back on a former year and reflect on it. Before it is too far in the rear view mirror… well, here we are.</p>
<p>2020 started off like any other recent year for me. In the first 9 weeks I was in Boston twice and Raleigh once. The pace was similar to prior years, until I was in Raleigh the first week of March for the <span class="caps">FIRST</span> <span class="caps">PSIRT</span> <span class="caps">TC</span> and I remember being in the hotel room in the evenings, watching the news as more cases of <span class="caps">COVID</span>-19 were appearing in North America and I distinctly remember: am I going to be able to make it home before they close the border? I ended up getting home two weeks before the border between the <span class="caps">US</span> and Canada was closed. After that, we went nowhere (like most everyone else). The staff trip I was planning to host in Toronto in April was cancelled. My wife and I were planning to visit Scotland - cancelled.</p>
<p>For most people, 2020 was when they started working from home full time. Not an issue for me, I’ve been working out of my home for 20 years — not a big deal. What I found strange that I did not expect, was not traveling anymore. When I first started having to travel more for work, I didn’t particularly enjoy it. Immensely useful and I appreciated and valued meeting people in person and getting things done. The value I got out of travel was great but the travel itself wasn’t a highlight. Oddly enough, I think I started enjoying it without even realizing it. The first 6 months were weird — I liked being at home with the family, but I missed the travel (heck, I even missed the flights, which I never thought I would miss!).</p>
<p>It was June before I put away my luggage and backpack, which I never put away due to the frequency of travel. I think it wasn’t until then that I thought we’d be in this for the long haul.</p>
<p>To this point, I wasn’t really worried about myself or my family (aside from my parents and in-laws). I’m fairly healthy, pretty hygiene conscious to begin with, and I have my faith to rest on. So in that respect, <span class="caps">COVID</span> was more of a nuisance to me personally than anything else. The part where I struggled was with the people in my Product Security team — a team who is dispersed around the globe. When things weren’t bad here in Canada but were terrible in Spain, where I have some associates, I was concerned. Every time news of new outbreaks, new lockdowns, new and terrible events around the world came up I was concerned for and praying for those I am responsible for in those countries.</p>
<p>As a result, towards the end of the year, it felt that <span class="caps">COVID</span> was sucking the life out of me. Again, not due to concerns for me or my family, but because of my concern for the team. That is probably the worst thing because while I feel responsibility for these people, there’s very little that I could do outside of work flexibility to accommodate their circumstances.</p>
<p>Throw in general unrest around the world from “mostly peaceful protests” that burned down the livelihoods of innocent people to political issues… the so-called “doom scrolling” of 2020 was a real thing. Of course, this added to the stress as well.</p>
<p>Then throw in the impact of lockdowns to the mental health and livelihoods of people. I remember distinctly talking with my wife as we were going into our first lockdown that, impacts to the economy aside, the toll this would take on people unable to work or support their families or even get out to burn off some steam, was going to be high. We’re marriage counsellors in our church so this was a real concern for us because it did not bode well for families or marriages. What would we be seeing? What would the fallout truly be?</p>
<p>Sadly, we’ve seen and counselled a number of people for whom 2020 was the straw that broke the camel’s back. The number of separations and divorces, where forced proximity brought things to the surface that caused rupture, was high. We’ve seen people happily married for over a decade (or so we thought), split up. We saw someone leave their spouse and children without even telling them before they were already 300km away. Not personally, but in our province, we’ve seen men commit suicide because they could no longer take care of their families, kids commit suicide because they were out of school and the isolation was too much. We’ve seen substance abuse get out of control, which meant overdoses at a scale we’d not seen before.</p>
<p>While 2020 brought out the absolute worst in a lot of people, we’ve also seen it bring some beautiful things. We got to do premarital counselling for two wonderful couples. We were able to bring couples together that were buckling under the strain of everything 2020 brought. We’ve seen kindness for neighbours, people helping out others who couldn’t help themselves. If it wasn’t for those beautiful things to balance out the ugly…</p>
<p>Circumstances like these really bring out what’s under the surface. These are times when our character is put in the crucible. I love this analogy; when precious metal is put in the crucible and the heat is turned up, the impurities always rise to the surface. They’re visible to see. Those inner parts that make us who we are come out — and we all have impurities. How we handle them I think speaks to inner strength and character. Do we manage and get rid of the impurities as they come out when under extreme heat, or do we hang on to them and when things cool down they once more become a part of us?</p>
<p>I’m not by nature a patient person. This has bubbled to the surface a lot in 2020. I have been frustrated, angry, annoyed. But when those emotions or impurities come up, I try to manage them and not keep them. My hope and prayer for myself is, by the grace of God, I continue to become a better husband, father, manager, counsellor, pastor and friend.</p>
<p>Just before Christmas we thought we were going to lose my best fuzzy friend: Whiskeyjack, my faithful companion pictured above. He was quite sick and losing a lot of weight and we’d seen this before in the other Maine Coons we had. Thankfully he turned a corner and, while not 100% and still quite thin, we made it to mid-January of this year. Unfortunately we did have to put him down then. Silly as it sounds, I’m happy that 2020 didn’t claim him. It’s claimed enough. </p>
<p>I’m also grateful for my team — 2020 was a year of intense pressure and we stayed the course and accomplished <em>a lot</em>, despite what was going on in our lives personally. If anyone in Product Security is reading this, you already know how grateful I am for each and every one of you but it bears repeating: thank you! We accomplished a lot in the most trying of circumstances!</p>
<p>Who knows what the future brings. At this point we’re well into 2021 and there’s hope on the horizon. Vaccines are slowly being made available and I hope that things continue to become more and more normal. I look forward to being able to travel again. I look forward to visiting offices and thanking people in person. I look forward to breathing free. I look forward to less doom-scrolling and more happy news.</p>
<p>2020 is one year in our journey. 2021 may not be a lot better but perhaps the night is coming to a close and dawn is on the horizon. The night always seems darkest before the dawn, so here’s to hope that the near future — if not fully realized in 2021 — will be bright!</p>
<p>Upgrading FreeNAS to TrueNAS Core (2020-12-22T18:00:00-07:00, Vincent Danen, tag:annvix.com,2020-12-22:/blog/upgrading-freenas-to-truenas-core)</p>
<p><img alt="Image" src="https://annvix.com/images/truenas.png" /></p>
<p>Given it’s the holidays and that’s when I tend to have time and energy to poke around the house, I decided to upgrade my FreeNAS box to the newer TrueNAS 12 release. The upgrade itself went without a hitch; simply switching from the FreeNAS 11 train to the TrueNAS 12 train was sufficient. However, when everything came back, none of my jails started. I have three jails that are used daily: plex, gitea, and inkdrop (which runs a CouchDB server for the Inkdrop note-taking tool <a href="https://annvix.com/blog/inkdrop-with-couchdb-on-freenas">I’ve detailed before</a>).</p>
<p>Noting this here as a follow-up: my earlier blog post about <a href="https://annvix.com/blog/updating-iocage-jails-in-freenas">updating iocage jails in FreeNAS</a> was helpful but insufficient. It might have been sufficient on any day other than today though…</p>
<p>Trying to start the jails in the TrueNAS <span class="caps">UI</span> yielded no real information as to why the jails weren’t starting, so off to the trusty command line:</p>
<div class="highlight"><pre><span></span><span class="gh">#</span> sudo iocage start inkdrop
No default gateway found for ipv6.
<span class="k">*</span> Starting inkdrop
inkdrop devfs_ruleset 7 does not exist! - Not starting jail
</pre></div>
<p>Still not overly helpful, but some poking around led me to <a href="https://github.com/iocage/iocage/issues/1140">this issue on GitHub</a> that described the problem I was having. You could edit the <code>config.json</code> file directly, but iocage lets you use tooling for this as well.</p>
<div class="highlight"><pre><span></span><span class="cp"># sudo iocage get all inkdrop|grep dev</span>
<span class="n">allow_mount_devfs</span><span class="o">:</span><span class="mi">0</span>
<span class="n">devfs_ruleset</span><span class="o">:</span><span class="mi">7</span>
<span class="n">min_dyn_devfs_ruleset</span><span class="o">:</span><span class="mi">1000</span>
<span class="n">mount_devfs</span><span class="o">:</span><span class="mi">1</span>
<span class="cp"># sudo iocage set devfs_ruleset=4 inkdrop</span>
<span class="n">devfs_ruleset</span><span class="o">:</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="mi">4</span>
</pre></div>
<p>Here we set the devfs_ruleset to 4. Why 4? No idea, that’s what the GitHub issue noted to set it to. Also note that these were incremental; my plex server had a devfs_ruleset value of 5, gitea was 6, and inkdrop was 7 (incidentally the order in which they were created). I set all of them to 4. Now the jail starts:</p>
<div class="highlight"><pre><span></span><span class="gh">#</span> sudo iocage start inkdrop
No default gateway found for ipv6.
<span class="k">*</span> Starting inkdrop
+ Started OK
+ Using devfs_ruleset: 1001 (iocage generated default)
+ Configuring VNET OK
+ Using IP options: vnet
+ Starting services OK
+ Executing poststart OK
+ DHCP Address: 192.168.1.82/23
</pre></div>
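<p>As an added check, not code from this post or from iocage/TrueNAS: a small POSIX sh script that parses the two outputs used above (<code>iocage get all &lt;jail&gt;</code> and FreeBSD’s <code>devfs rule showsets</code>) to find jails whose configured <code>devfs_ruleset</code> no longer exists on the host, and prints the <code>iocage set</code> command that would repoint it. Ruleset 4 is <code>devfsrules_jail</code> in FreeBSD’s stock <code>/etc/defaults/devfs.rules</code>, which is why it is a sensible target; the successful start above shows iocage then generating its own ruleset (1001, above <code>min_dyn_devfs_ruleset</code>) at start time, but the configured value still has to name a ruleset that exists. The sample configs and ruleset listing in the script are constructed to mimic the post’s output, and the <code>ruleset_of</code>, <code>ruleset_exists</code> and <code>check_jail</code> names are my own. Note that the failure mode here is the safe one: a jail pointing at a ruleset that does not exist refuses to start rather than coming up with a devfs that hides nothing.</p>

```shell
#!/bin/sh
# Added example, not code from the original post or from iocage/TrueNAS.
# Given the text of `iocage get all <jail>` and of `devfs rule showsets`,
# report whether the jail's devfs_ruleset still exists on the host and
# print the `iocage set` command that would repoint it. All sample data
# below is constructed to mimic the output shown in the post.

# Pull the devfs_ruleset value out of `iocage get all` output. iocage prints
# "key:value" with no space after the colon, so split on ':' and trim.
ruleset_of() {
    printf '%s\n' "$1" | awk -F: '$1 == "devfs_ruleset" { gsub(/[ \t\r]/, "", $2); print $2; exit }'
}

# Succeed if ruleset number $1 appears in the `devfs rule showsets` listing $2
# (one ruleset number per line; -x keeps "1" from matching "1001").
ruleset_exists() {
    printf '%s\n' "$2" | grep -qx "$1"
}

# Verdict for one jail: prints a line and returns 0 (ok), 1 (ruleset missing)
# or 2 (no devfs_ruleset in the config). $4 is the ruleset to fall back to;
# 4 is devfsrules_jail in FreeBSD's stock /etc/defaults/devfs.rules.
check_jail() {
    jail=$1; config=$2; sets=$3; fallback=${4:-4}
    rs=$(ruleset_of "$config")
    if [ -z "$rs" ]; then
        echo "$jail: no devfs_ruleset in config"
        return 2
    fi
    if ruleset_exists "$rs" "$sets"; then
        echo "$jail: devfs_ruleset $rs exists, ok"
        return 0
    fi
    echo "$jail: devfs_ruleset $rs missing -> iocage set devfs_ruleset=$fallback $jail"
    return 1
}

# Constructed sample data: the inkdrop config as shown in the post (still on
# the stale ruleset 7), a gitea config already repointed to 4, and a host whose
# devfs rulesets stop at 4 (the incremental 5/6/7 rulesets are gone).
INKDROP_CONFIG='allow_mount_devfs:0
devfs_ruleset:7
min_dyn_devfs_ruleset:1000
mount_devfs:1'
GITEA_CONFIG='allow_mount_devfs:0
devfs_ruleset:4
min_dyn_devfs_ruleset:1000
mount_devfs:1'
HOST_SETS='1
2
3
4'

# On a real host you would feed in live output instead, e.g.
#   check_jail inkdrop "$(iocage get all inkdrop)" "$(devfs rule showsets)"
for j in inkdrop gitea; do
    case $j in
        inkdrop) cfg=$INKDROP_CONFIG ;;
        gitea)   cfg=$GITEA_CONFIG ;;
    esac
    check_jail "$j" "$cfg" "$HOST_SETS" || :   # keep going; status is informational here
done
```

<p>The script only prints the remediation command rather than running it, so you can review which jails are affected before changing any configuration; once a jail has been repointed, <code>iocage start</code> should give the output shown above.</p>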
<p>Now that the jail started, I pulled in the FreeBSD 12.2-<span class="caps">RELEASE</span> with <code>iocage fetch</code>. And following the previous instructions I had outlined, I wanted to do the upgrade. Which <em>would</em> have worked, except that the FreeBSD folks appear to be monkeying around with their git repos today! Since I wanted to get this all done today rather than wait, I decided to do some more digging.</p>
<p>The upgrade error:</p>
<div class="highlight"><pre><span></span><span class="err">#</span><span class="w"> </span><span class="nx">sudo</span><span class="w"> </span><span class="nx">iocage</span><span class="w"> </span><span class="nx">upgrade</span><span class="w"> </span><span class="nx">inkdrop</span><span class="w"> </span><span class="o">-</span><span class="nx">r</span><span class="w"> </span><span class="m m-Double">12.2</span><span class="o">-</span><span class="nx">RELEASE</span>
<span class="nx">Traceback</span><span class="w"> </span><span class="p">(</span><span class="nx">most</span><span class="w"> </span><span class="nx">recent</span><span class="w"> </span><span class="nx">call</span><span class="w"> </span><span class="nx">last</span><span class="p">):</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/bin/iocage"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">10</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="p"><</span><span class="nx">module</span><span class="p">></span>
<span class="w"> </span><span class="nx">sys</span><span class="p">.</span><span class="nx">exit</span><span class="p">(</span><span class="nx">cli</span><span class="p">())</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/lib/python3.8/site-packages/click/core.py"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">764</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">__call__</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kp">self</span><span class="p">.</span><span class="nx">main</span><span class="p">(</span><span class="o">*</span><span class="nx">args</span><span class="p">,</span><span class="w"> </span><span class="o">**</span><span class="nx">kwargs</span><span class="p">)</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/lib/python3.8/site-packages/click/core.py"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">717</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">main</span>
<span class="w"> </span><span class="nx">rv</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="kp">self</span><span class="p">.</span><span class="nx">invoke</span><span class="p">(</span><span class="nx">ctx</span><span class="p">)</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/lib/python3.8/site-packages/click/core.py"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">1137</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">invoke</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">_process_result</span><span class="p">(</span><span class="nx">sub_ctx</span><span class="p">.</span><span class="nx">command</span><span class="p">.</span><span class="nx">invoke</span><span class="p">(</span><span class="nx">sub_ctx</span><span class="p">))</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/lib/python3.8/site-packages/click/core.py"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">956</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">invoke</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">ctx</span><span class="p">.</span><span class="nx">invoke</span><span class="p">(</span><span class="kp">self</span><span class="p">.</span><span class="nx">callback</span><span class="p">,</span><span class="w"> </span><span class="o">**</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">params</span><span class="p">)</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/lib/python3.8/site-packages/click/core.py"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">555</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">invoke</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">callback</span><span class="p">(</span><span class="o">*</span><span class="nx">args</span><span class="p">,</span><span class="w"> </span><span class="o">**</span><span class="nx">kwargs</span><span class="p">)</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/lib/python3.8/site-packages/iocage_cli/upgrade.py"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">40</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">cli</span>
<span class="w"> </span><span class="nx">ioc</span><span class="p">.</span><span class="nx">IOCage</span><span class="p">(</span><span class="nx">jail</span><span class="p">=</span><span class="nx">jail</span><span class="p">,</span><span class="w"> </span><span class="nx">skip_jails</span><span class="p">=</span><span class="nx">skip_jails</span><span class="p">).</span><span class="nx">upgrade</span><span class="p">(</span><span class="nx">release</span><span class="p">)</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/lib/python3.8/site-packages/iocage_lib/iocage.py"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">2070</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">upgrade</span>
<span class="w"> </span><span class="nx">new_release</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">ioc_upgrade</span><span class="p">.</span><span class="nx">IOCUpgrade</span><span class="p">(</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/lib/python3.8/site-packages/iocage_lib/ioc_upgrade.py"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">112</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">upgrade_jail</span>
<span class="w"> </span><span class="nx">with</span><span class="w"> </span><span class="nx">urllib</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">urlopen</span><span class="p">(</span><span class="nx">f</span><span class="p">)</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="nx">fbsd_update</span><span class="p">:</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/lib/python3.8/urllib/request.py"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">222</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">urlopen</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">opener</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span><span class="w"> </span><span class="nx">data</span><span class="p">,</span><span class="w"> </span><span class="nx">timeout</span><span class="p">)</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/lib/python3.8/urllib/request.py"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">531</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">open</span>
<span class="w"> </span><span class="nx">response</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">meth</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span><span class="w"> </span><span class="nx">response</span><span class="p">)</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/lib/python3.8/urllib/request.py"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">640</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">http_response</span>
<span class="w"> </span><span class="nx">response</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="kp">self</span><span class="p">.</span><span class="nx">parent</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/lib/python3.8/urllib/request.py"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">569</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">error</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kp">self</span><span class="p">.</span><span class="nx">_call_chain</span><span class="p">(</span><span class="o">*</span><span class="nx">args</span><span class="p">)</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/lib/python3.8/urllib/request.py"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">502</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">_call_chain</span>
<span class="w"> </span><span class="nx">result</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">func</span><span class="p">(</span><span class="o">*</span><span class="nx">args</span><span class="p">)</span>
<span class="w"> </span><span class="nx">File</span><span class="w"> </span><span class="s">"/usr/local/lib/python3.8/urllib/request.py"</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="mi">649</span><span class="p">,</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">http_error_default</span>
<span class="w"> </span><span class="nx">raise</span><span class="w"> </span><span class="nx">HTTPError</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">full_url</span><span class="p">,</span><span class="w"> </span><span class="nx">code</span><span class="p">,</span><span class="w"> </span><span class="nx">msg</span><span class="p">,</span><span class="w"> </span><span class="nx">hdrs</span><span class="p">,</span><span class="w"> </span><span class="nx">fp</span><span class="p">)</span>
<span class="nx">urllib</span><span class="p">.</span><span class="nx">error</span><span class="p">.</span><span class="nx">HTTPError</span><span class="p">:</span><span class="w"> </span><span class="nx">HTTP</span><span class="w"> </span><span class="nx">Error</span><span class="w"> </span><span class="mi">404</span><span class="p">:</span><span class="w"> </span><span class="nx">Not</span><span class="w"> </span><span class="nx">Found</span>
</pre></div>
<p>The patch I applied, based on <a href="https://github.com/iocage/iocage/issues/1237">this issue in GitHub detailing the same problem</a>:</p>
<div class="highlight"><pre><span></span><span class="err">#</span><span class="w"> </span><span class="nx">diff</span><span class="w"> </span><span class="o">-</span><span class="nx">uN</span><span class="w"> </span><span class="nx">ioc_upgrade</span><span class="p">.</span><span class="nx">py</span><span class="w"> </span><span class="o">/</span><span class="nx">usr</span><span class="o">/</span><span class="nx">local</span><span class="o">/</span><span class="nx">lib</span><span class="o">/</span><span class="nx">python3</span><span class="m m-Double">.8</span><span class="o">/</span><span class="nx">site</span><span class="o">-</span><span class="nx">packages</span><span class="o">/</span><span class="nx">iocage_lib</span><span class="o">/</span><span class="nx">ioc_upgrade</span><span class="p">.</span><span class="nx">py</span>
<span class="o">---</span><span class="w"> </span><span class="nx">ioc_upgrade</span><span class="p">.</span><span class="nx">py</span><span class="w"> </span><span class="mi">2020</span><span class="o">-</span><span class="mi">12</span><span class="o">-</span><span class="mi">22</span><span class="w"> </span><span class="mi">11</span><span class="p">:</span><span class="mi">45</span><span class="p">:</span><span class="m m-Double">17.715773034</span><span class="w"> </span><span class="o">-</span><span class="mi">0700</span>
<span class="o">+++</span><span class="w"> </span><span class="o">/</span><span class="nx">usr</span><span class="o">/</span><span class="nx">local</span><span class="o">/</span><span class="nx">lib</span><span class="o">/</span><span class="nx">python3</span><span class="m m-Double">.8</span><span class="o">/</span><span class="nx">site</span><span class="o">-</span><span class="nx">packages</span><span class="o">/</span><span class="nx">iocage_lib</span><span class="o">/</span><span class="nx">ioc_upgrade</span><span class="p">.</span><span class="nx">py</span><span class="w"> </span><span class="mi">2020</span><span class="o">-</span><span class="mi">12</span><span class="o">-</span><span class="mi">22</span><span class="w"> </span><span class="mi">11</span><span class="p">:</span><span class="mi">45</span><span class="p">:</span><span class="m m-Double">58.144014593</span><span class="w"> </span><span class="o">-</span><span class="mi">0700</span>
<span class="err">@@</span><span class="w"> </span><span class="o">-</span><span class="mi">104</span><span class="p">,</span><span class="mi">6</span><span class="w"> </span><span class="o">+</span><span class="mi">104</span><span class="p">,</span><span class="mi">8</span><span class="w"> </span><span class="err">@@</span>
<span class="w"> </span><span class="nx">f</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="nx">https</span><span class="p">:</span><span class="c1">//raw.githubusercontent.com/freebsd/freebsd' \</span>
<span class="w"> </span><span class="nx">f</span><span class="err">'</span><span class="o">/</span><span class="nx">release</span><span class="o">/</span><span class="p">{</span><span class="nx">f_rel</span><span class="p">}</span><span class="o">/</span><span class="nx">usr</span><span class="p">.</span><span class="nx">sbin</span><span class="o">/</span><span class="nx">freebsd</span><span class="o">-</span><span class="nx">update</span><span class="o">/</span><span class="nx">freebsd</span><span class="o">-</span><span class="nx">update</span><span class="p">.</span><span class="nx">sh</span><span class="err">'</span>
<span class="o">+</span><span class="w"> </span><span class="nx">f</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="nx">https</span><span class="p">:</span><span class="c1">//raw.githubusercontent.com/freebsd/freebsd/master/usr.sbin/freebsd-update/freebsd-update.sh'</span>
<span class="o">+</span>
<span class="w"> </span><span class="nx">tmp</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">None</span>
<span class="w"> </span><span class="nx">try</span><span class="p">:</span>
<span class="w"> </span><span class="nx">tmp</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">tempfile</span><span class="p">.</span><span class="nx">NamedTemporaryFile</span><span class="p">(</span><span class="nx">delete</span><span class="p">=</span><span class="nx">False</span><span class="p">)</span>
</pre></div>
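<p>Review bot: the added line in this hunk hard-codes the <code>master</code> branch, so the <code>freebsd-update.sh</code> that iocage fetches into a temporary file at line 104 onwards no longer corresponds to the release being upgraded to (12.2-RELEASE here) and will change whenever master moves; pin it to a release tag or a specific commit of that file instead. The two original assignment lines are kept as context and then immediately overwritten by the new <code>f = ...</code>, which leaves a dead assignment and, within this hunk, an unused <code>f_rel</code>; remove them as <code>-</code> lines rather than shadowing them. Since the traceback shows this URL going straight into <code>urllib.request.urlopen(f)</code> at line 112, the change also deserves a comment citing the GitHub issue so it is reverted once the <code>release/{f_rel}</code> path works again.</p>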
<p>Now performing the upgrade worked:</p>
<div class="highlight"><pre><span></span><span class="c1"># sudo iocage upgrade inkdrop -r 12.2-RELEASE</span>
<span class="n">src</span><span class="w"> </span><span class="n">component</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">installed</span><span class="p">,</span><span class="w"> </span><span class="n">skipped</span>
<span class="n">Looking</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">update</span><span class="o">.</span><span class="n">FreeBSD</span><span class="o">.</span><span class="n">org</span><span class="w"> </span><span class="n">mirrors</span><span class="o">...</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="n">mirrors</span><span class="w"> </span><span class="n">found</span><span class="o">.</span>
<span class="n">Fetching</span><span class="w"> </span><span class="n">metadata</span><span class="w"> </span><span class="n">signature</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="mf">11.3</span><span class="o">-</span><span class="n">RELEASE</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">update2</span><span class="o">.</span><span class="n">freebsd</span><span class="o">.</span><span class="n">org</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="o">.</span>
<span class="n">Fetching</span><span class="w"> </span><span class="n">metadata</span><span class="w"> </span><span class="n">index</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="o">.</span>
<span class="n">Fetching</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">metadata</span><span class="w"> </span><span class="n">files</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="o">.</span>
<span class="n">Inspecting</span><span class="w"> </span><span class="n">system</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="o">.</span>
<span class="n">The</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">components</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">FreeBSD</span><span class="w"> </span><span class="n">seem</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">installed</span><span class="p">:</span>
<span class="n">world</span><span class="o">/</span><span class="n">base</span><span class="w"> </span><span class="n">world</span><span class="o">/</span><span class="n">doc</span><span class="w"> </span><span class="n">world</span><span class="o">/</span><span class="n">lib32</span>
<span class="n">The</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">components</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">FreeBSD</span><span class="w"> </span><span class="n">do</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">seem</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">installed</span><span class="p">:</span>
<span class="n">world</span><span class="o">/</span><span class="n">base</span><span class="o">-</span><span class="n">dbg</span><span class="w"> </span><span class="n">world</span><span class="o">/</span><span class="n">lib32</span><span class="o">-</span><span class="n">dbg</span>
<span class="n">Does</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">look</span><span class="w"> </span><span class="n">reasonable</span><span class="w"> </span><span class="p">(</span><span class="n">y</span><span class="o">/</span><span class="n">n</span><span class="p">)</span><span class="err">?</span><span class="w"> </span><span class="n">y</span>
<span class="o">...</span>
<span class="n">Completing</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">upgrade</span><span class="w"> </span><span class="n">requires</span><span class="w"> </span><span class="n">removing</span><span class="w"> </span><span class="n">old</span><span class="w"> </span><span class="n">shared</span><span class="w"> </span><span class="n">object</span><span class="w"> </span><span class="n">files</span><span class="o">.</span>
<span class="n">Please</span><span class="w"> </span><span class="n">rebuild</span><span class="w"> </span><span class="n">all</span><span class="w"> </span><span class="n">installed</span><span class="w"> </span><span class="mi">3</span><span class="n">rd</span><span class="w"> </span><span class="n">party</span><span class="w"> </span><span class="n">software</span><span class="w"> </span><span class="p">(</span><span class="n">e</span><span class="o">.</span><span class="n">g</span><span class="o">.</span><span class="p">,</span><span class="w"> </span><span class="n">programs</span>
<span class="n">installed</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">ports</span><span class="w"> </span><span class="n">tree</span><span class="p">)</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">then</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="s2">"/tmp/tmp723gk2ae install"</span>
<span class="n">again</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">finish</span><span class="w"> </span><span class="n">installing</span><span class="w"> </span><span class="n">updates</span><span class="o">.</span>
<span class="n">src</span><span class="w"> </span><span class="n">component</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">installed</span><span class="p">,</span><span class="w"> </span><span class="n">skipped</span>
<span class="n">Installing</span><span class="w"> </span><span class="n">updates</span><span class="o">...</span><span class="n">rmdir</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">storage</span><span class="o">/</span><span class="n">iocage</span><span class="o">/</span><span class="n">jails</span><span class="o">/</span><span class="n">inkdrop</span><span class="o">/</span><span class="n">root</span><span class="o">//</span><span class="k">var</span><span class="o">/</span><span class="n">db</span><span class="o">/</span><span class="n">etcupdate</span><span class="o">/</span><span class="n">current</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">openssl</span><span class="o">/</span><span class="n">man</span><span class="o">/</span><span class="n">en</span><span class="o">.</span><span class="n">ISO8859</span><span class="o">-</span><span class="mi">1</span><span class="p">:</span><span class="w"> </span><span class="n">Directory</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">empty</span>
<span class="n">rmdir</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">storage</span><span class="o">/</span><span class="n">iocage</span><span class="o">/</span><span class="n">jails</span><span class="o">/</span><span class="n">inkdrop</span><span class="o">/</span><span class="n">root</span><span class="o">//</span><span class="k">var</span><span class="o">/</span><span class="n">db</span><span class="o">/</span><span class="n">etcupdate</span><span class="o">/</span><span class="n">current</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">openssl</span><span class="o">/</span><span class="n">man</span><span class="p">:</span><span class="w"> </span><span class="n">Directory</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">empty</span>
<span class="n">rmdir</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">storage</span><span class="o">/</span><span class="n">iocage</span><span class="o">/</span><span class="n">jails</span><span class="o">/</span><span class="n">inkdrop</span><span class="o">/</span><span class="n">root</span><span class="o">//</span><span class="k">var</span><span class="o">/</span><span class="n">db</span><span class="o">/</span><span class="n">etcupdate</span><span class="o">/</span><span class="n">current</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">openssl</span><span class="p">:</span><span class="w"> </span><span class="n">Directory</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">empty</span>
<span class="n">rmdir</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">storage</span><span class="o">/</span><span class="n">iocage</span><span class="o">/</span><span class="n">jails</span><span class="o">/</span><span class="n">inkdrop</span><span class="o">/</span><span class="n">root</span><span class="o">//</span><span class="k">var</span><span class="o">/</span><span class="n">db</span><span class="o">/</span><span class="n">etcupdate</span><span class="o">/</span><span class="n">current</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">man</span><span class="o">/</span><span class="n">en</span><span class="o">.</span><span class="n">UTF</span><span class="o">-</span><span class="mi">8</span><span class="p">:</span><span class="w"> </span><span class="n">Directory</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">empty</span>
<span class="n">rmdir</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">storage</span><span class="o">/</span><span class="n">iocage</span><span class="o">/</span><span class="n">jails</span><span class="o">/</span><span class="n">inkdrop</span><span class="o">/</span><span class="n">root</span><span class="o">//</span><span class="k">var</span><span class="o">/</span><span class="n">db</span><span class="o">/</span><span class="n">etcupdate</span><span class="o">/</span><span class="n">current</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">man</span><span class="o">/</span><span class="n">en</span><span class="o">.</span><span class="n">ISO8859</span><span class="o">-</span><span class="mi">1</span><span class="p">:</span><span class="w"> </span><span class="n">Directory</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">empty</span>
<span class="n">rmdir</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">storage</span><span class="o">/</span><span class="n">iocage</span><span class="o">/</span><span class="n">jails</span><span class="o">/</span><span class="n">inkdrop</span><span class="o">/</span><span class="n">root</span><span class="o">//</span><span class="k">var</span><span class="o">/</span><span class="n">db</span><span class="o">/</span><span class="n">etcupdate</span><span class="o">/</span><span class="n">current</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">man</span><span class="p">:</span><span class="w"> </span><span class="n">Directory</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">empty</span>
<span class="w"> </span><span class="n">done</span><span class="o">.</span>
<span class="n">inkdrop</span><span class="w"> </span><span class="n">successfully</span><span class="w"> </span><span class="n">upgraded</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="mf">11.3</span><span class="o">-</span><span class="n">RELEASE</span><span class="o">-</span><span class="n">p14</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="mf">12.2</span><span class="o">-</span><span class="n">RELEASE</span><span class="o">-</span><span class="n">p2</span><span class="o">!</span>
</pre></div>
<p>Now that the upgrade was completed (which took a bit), time to log into the jail and upgrade its packages. The base system is already at 12.2 at this point; what is left is the third-party software that the upgrade output asked to have rebuilt:</p>
<div class="highlight"><pre><span></span><span class="err">#</span><span class="w"> </span><span class="nx">sudo</span><span class="w"> </span><span class="nx">iocage</span><span class="w"> </span><span class="nx">console</span><span class="w"> </span><span class="nx">inkdrop</span>
<span class="nx">Password</span><span class="p">:</span>
<span class="nx">Last</span><span class="w"> </span><span class="nx">login</span><span class="p">:</span><span class="w"> </span><span class="nx">Tue</span><span class="w"> </span><span class="nx">Dec</span><span class="w"> </span><span class="mi">22</span><span class="w"> </span><span class="mi">11</span><span class="p">:</span><span class="mi">24</span><span class="p">:</span><span class="mi">12</span><span class="w"> </span><span class="nx">on</span><span class="w"> </span><span class="nx">pts</span><span class="o">/</span><span class="mi">0</span>
<span class="nx">FreeBSD</span><span class="w"> </span><span class="m m-Double">12.2</span><span class="o">-</span><span class="nx">RELEASE</span><span class="o">-</span><span class="nx">p2</span><span class="w"> </span><span class="mi">663</span><span class="nx">e6b09467</span><span class="p">(</span><span class="nx">HEAD</span><span class="p">)</span><span class="w"> </span><span class="nx">TRUENAS</span>
<span class="nx">Welcome</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">FreeBSD</span><span class="p">!</span>
<span class="o">...</span>
<span class="nx">root</span><span class="err">@</span><span class="nx">inkdrop</span><span class="p">:</span><span class="o">~</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="nx">pkg</span><span class="w"> </span><span class="nx">update</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="nx">pkg</span><span class="w"> </span><span class="nx">upgrade</span>
<span class="nx">Updating</span><span class="w"> </span><span class="nx">FreeBSD</span><span class="w"> </span><span class="nx">repository</span><span class="w"> </span><span class="nx">catalogue</span><span class="o">...</span>
<span class="nx">FreeBSD</span><span class="w"> </span><span class="nx">repository</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="nx">up</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">date</span><span class="p">.</span>
<span class="nx">All</span><span class="w"> </span><span class="nx">repositories</span><span class="w"> </span><span class="nx">are</span><span class="w"> </span><span class="nx">up</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">date</span><span class="p">.</span>
<span class="nx">Updating</span><span class="w"> </span><span class="nx">FreeBSD</span><span class="w"> </span><span class="nx">repository</span><span class="w"> </span><span class="nx">catalogue</span><span class="o">...</span>
<span class="nx">FreeBSD</span><span class="w"> </span><span class="nx">repository</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="nx">up</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">date</span><span class="p">.</span>
<span class="nx">All</span><span class="w"> </span><span class="nx">repositories</span><span class="w"> </span><span class="nx">are</span><span class="w"> </span><span class="nx">up</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">date</span><span class="p">.</span>
<span class="nx">Checking</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">upgrades</span><span class="w"> </span><span class="p">(</span><span class="mi">77</span><span class="w"> </span><span class="nx">candidates</span><span class="p">):</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span>
<span class="nx">Processing</span><span class="w"> </span><span class="nx">candidates</span><span class="w"> </span><span class="p">(</span><span class="mi">77</span><span class="w"> </span><span class="nx">candidates</span><span class="p">):</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span>
<span class="nx">The</span><span class="w"> </span><span class="nx">following</span><span class="w"> </span><span class="mi">77</span><span class="w"> </span><span class="kn">package</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span><span class="w"> </span><span class="nx">will</span><span class="w"> </span><span class="nx">be</span><span class="w"> </span><span class="nx">affected</span><span class="w"> </span><span class="p">(</span><span class="nx">of</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="nx">checked</span><span class="p">):</span>
<span class="o">...</span><span class="p">.</span>
</pre></div>
<p>Seems to be working well! The web <span class="caps">UI</span> now shows the inkdrop jail running 12.2-<span class="caps">RELEASE</span>-p2, which is what I wanted. One caveat: the FreeBSD handbook’s advice after a major version upgrade is <code>pkg-static upgrade -f</code>, which forces every package to be reinstalled against the new release rather than relying on <code>pkg</code> to notice which ones need it (and <code>pkg-static</code> keeps working even if the shared objects <code>pkg</code> itself was linked against were just removed). Rinse and repeat for the other two jails, both of which worked just as well. All in all, upgrading the jails took longer than upgrading from FreeNAS to TrueNAS.</p>
<p>So far so good! I still have to upgrade the <span class="caps">ZFS</span> pools, and FreeNAS (sorry, TrueNAS… will take some getting used to) also supports being an OpenVPN server which is something I’ve missed since I switched from pfSense to the Unifi <span class="caps">USG</span>. I’ll have to fiddle with that later on.</p>
<p>If it wasn’t for the (hopefully transient) changes to the FreeBSD git repos, it likely would all have been fine. Judging by the GitHub issues, if I had done this last weekend it probably wouldn’t have been an issue. If you do opt to do as I did, make sure you have a backup and take snapshots of your jails first so you can roll back if you have any problems (which, as I’m typing this, I realize would have been a good idea that I neglected to do myself…). I’ll be fiddling with this new TrueNAS release over the next few days, but so far it seems pretty good.</p>
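<p>The snapshot-first routine recommended above, as an added example that is not code from the original post: a POSIX shell wrapper that takes an <code>iocage snapshot</code> of a jail, runs <code>iocage upgrade</code>, reinstalls every package with <code>pkg-static upgrade -f</code> (the upgrade output asked for all third-party software to be rebuilt), and rolls back to the snapshot if the upgrade fails or the jail doesn’t report the target release afterwards. The jail name <code>inkdrop</code> and the target <code>12.2-RELEASE</code> come from the post; the <code>IOCAGE</code> variable, the snapshot naming scheme and the <code>same_branch</code> check are my own assumptions, and the exact spelling of the iocage options should be checked against the iocage version shipped with your TrueNAS release.</p>

```sh
#!/bin/sh
# Added example, not code from the original post: snapshot an iocage jail,
# upgrade it to a new release, reinstall its packages, and roll back if the
# upgrade fails. Assumes the iocage CLI (get/stop/start/snapshot/rollback/
# upgrade/exec) is on PATH; IOCAGE can be pointed at a stand-in for testing.
set -eu

IOCAGE="${IOCAGE:-iocage}"

# Snapshot name recording the release being left behind, so that
# `iocage snaplist JAIL` later makes it obvious which snapshot predates the
# upgrade. The naming scheme is an assumption, not an iocage convention.
snap_name() {
    # $1 = release currently installed, $2 = timestamp (YYYYmmddTHHMM)
    printf 'pre-upgrade-%s-%s\n' "$1" "$2"
}

# Release the jail currently reports, e.g. 11.3-RELEASE-p14.
jail_release() {
    "$IOCAGE" get release "$1"
}

# True when two release strings share a major.minor branch; the
# -RELEASE-pN suffix is ignored (12.2-RELEASE-p2 matches 12.2-RELEASE).
same_branch() {
    [ "${1%%-*}" = "${2%%-*}" ]
}

# Upgrade jail $1 to release $2 behind a snapshot. On a failed upgrade, or if
# the jail does not report the target branch afterwards, roll back and
# restart the jail on its old release.
upgrade_jail() {
    jail=$1
    target=$2
    stamp=$(date +%Y%m%dT%H%M)
    before=$(jail_release "$jail")
    snap=$(snap_name "$before" "$stamp")

    "$IOCAGE" stop "$jail"
    "$IOCAGE" snapshot -n "$snap" "$jail"

    if "$IOCAGE" upgrade -r "$target" "$jail" \
        && same_branch "$(jail_release "$jail")" "$target"; then
        "$IOCAGE" start "$jail"
        # The upgrade asked for all 3rd-party software to be rebuilt:
        # `pkg upgrade -f` reinstalls every package rather than relying on
        # pkg to detect which ones changed, and pkg-static keeps working
        # even though old shared objects pkg was linked against are gone.
        # `--` stops iocage from parsing the pkg flags as its own options.
        "$IOCAGE" exec "$jail" -- sh -c 'pkg-static update && pkg-static upgrade -f -y'
        echo "$jail upgraded from $before to $(jail_release "$jail"); snapshot $snap kept"
        return 0
    fi

    echo "upgrade of $jail to $target failed; rolling back to $snap" >&2
    "$IOCAGE" stop "$jail" || true      # tolerate an already-stopped jail
    "$IOCAGE" rollback -n "$snap" "$jail"
    "$IOCAGE" start "$jail"
    return 1
}

# Usage: sh upgrade-jail.sh JAIL RELEASE   (e.g. inkdrop 12.2-RELEASE)
if [ "$#" -eq 2 ]; then
    upgrade_jail "$1" "$2"
fi
```

<p>Run it on the TrueNAS host, where the post runs <code>iocage</code> under <code>sudo</code>, as <code>sudo sh upgrade-jail.sh inkdrop 12.2-RELEASE</code>. The snapshot is deliberately left in place on success; <code>iocage snaplist inkdrop</code> shows it and <code>iocage snapremove -n NAME inkdrop</code> drops it once you are satisfied the jail is healthy on the new release.</p>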
<p>Also don’t forget to revert the changes to <code>ioc_upgrade.py</code> when you’re done!</p>
COVID-19 in Edmonton (Vincent Danen, 2020-11-07T19:00:00-07:00, tag:annvix.com,2020-11-07:/blog/covid-19-in-edmonton)
<p><img alt="Image" src="https://annvix.com/images/covid.png" /></p>
<p>While the Alberta government has some excellent visualizations about <a href="https://www.alberta.ca/stats/covid-19-alberta-statistics.htm"><span class="caps">COVID</span>-19 statistics in Alberta</a>, I felt there was a little too much missing. The province is quite transparent and you can export the data in <span class="caps">CSV</span>. Since these days most of my “technical work” is dorking around in spreadsheets, I fiddled with the data a bit. It’s not quite to my liking because the data isn’t complete. For example, it doesn’t tell you when a person with <span class="caps">COVID</span> was diagnosed and when they recovered, so we can’t see the average time to recovery, etc.</p>
<p>I was more interested in my own city, so I sliced out the data to focus on Edmonton. The chart below is ok and is updated whenever I update it (which depends on when I get around to it and when their data set is updated). Unfortunately, due to how they publish, I can’t automate it like I wanted to.</p>
<p>I may fiddle a bit with some Python to do some more interesting digging with the data, but I’m not sure how much further I can get with the limited data available.</p>
<iframe width="800" height="400" src="https://docs.google.com/spreadsheets/d/e/2PACX-1vTgEcbfFybU-6kL0BqmEkWjk243CYxAOQuOSdlt_QfepYYvz3_F7aQX14nC11NW03fF5jDUSIfXO9YT/pubchart?oid=1566877020&format=interactive"></iframe>
<p>If the above looks shifty embedded here, you can also look at <a href="https://docs.google.com/spreadsheets/d/e/2PACX-1vTgEcbfFybU-6kL0BqmEkWjk243CYxAOQuOSdlt_QfepYYvz3_F7aQX14nC11NW03fF5jDUSIfXO9YT/pubchart?oid=1566877020&format=interactive">the sheet in its own window</a>.
All I know is it’s not getting better and folks need to exercise a bit more communal responsibility. As the Premier and Chief Medical Officer of Health have said numerous times, <span class="caps">COVID</span>-19 isn’t something to be afraid of, but it is something to respect. Alberta did a great job over the summer and I expect it lulled us into a false sense of security which is why we’re seeing things get worse. Having said that, our numbers are not insanely high like other places around the world, for which I’m grateful.</p>
<p>Hoping everyone is staying safe, practicing communal responsibility, and staying healthy!</p>
Interview about CVSS (Vincent Danen, 2020-06-09T18:00:00-06:00, tag:annvix.com,2020-06-09:/blog/interview-about-cvss)
<p>I was recently interviewed by my friend Jack Wallen (whom I’ve known for 20 years, as he actually coerced me to start writing for TechRepublic <em>ages</em> ago!). It was about a topic near and dear to my heart: <span class="caps">CVSS</span> (the Common Vulnerability Scoring System). With the explosion of security scanning vendors, particularly around containers, the reliance on and misunderstanding of <span class="caps">CVSS</span> have been a thorn in my side.</p>
<p>I don’t often blog about challenges at work or in the security industry, but I had considered writing about <span class="caps">CVSS</span> and some deficiencies around it (I may yet still do so). When Jack reached out to Red Hat to be interviewed, I jumped at the opportunity because it’s an important topic and because I could trust Jack not to twist or sensationalize what I had to say. =)</p>
<p>This is an important topic, irrespective of who is talking about it. There is <em>so much</em> wrong with the way <span class="caps">CVSS</span> is being used today.</p>
<p><a href="https://thenewstack.io/cvss-struggles-to-remain-viable-in-the-era-of-cloud-native-computing/"><span class="caps">CVSS</span> Struggles to Remain Viable in the Era of Cloud Native Computing</a></p>An Unexpected Journey2020-05-09T04:00:00-06:002020-05-09T04:00:00-06:00Vincent Danentag:annvix.com,2020-05-09:/blog/an-unexpected-journey<p><img alt="Image" src="https://annvix.com/images/Hobbit_RECT.jpg" /></p>
<p>Yesterday we had someone at our home to look at replacing the front and back doors. The rep for the company was exceptionally personable and we probably spent more time with him than the simple transaction of selecting and ordering new doors for our home warranted, but my wife and I are “people” people so we enjoyed the conversation and engaged with this young man. He told us about his life: how he came to Canada by way of Israel and originally from Russia, how his first main job here was actually working in immigration to make it easier for people to come to Canada than it was for him (a bit of a shocker in how long it took and how much it cost, to be honest), and how he rather randomly ended up as a rep for a door and window installer. It was rather fascinating to learn more about how he got here, how he viewed Canada coming from both Israel and Russia, and how he feels his life is improved living here (another reminder of why I’m a grateful Canadian!).</p>
<p>What was interesting though was last night, after my daughter’s new super-energized kitten (Herbert) went to bed and I could enjoy a glass of wine in peace without our new feline Edward Scissorhands taking to my legs, I began to think about my own career journey and what got me here and, as I’m sure many folks randomly do every once in a while, I stalked myself online to get a sense of history that I wouldn’t normally think about or remember without prompting. Apparently I am so full of “today” stuff that I forgot about the “what got me here” stuff.</p>
<p>It started with a search for <a href="https://en.wikipedia.org/w/index.php?cirrusUserTesting=glent_m0&search=vincent+danen&title=Special%3ASearch&go=Go&ns0=1">my name</a> and <a href="https://en.wikipedia.org/wiki/Security-focused_operating_system#Annvix">Annvix</a> on wikipedia. Not a lot there, but it did remind me that I had devoted 5 years of my life to a security-focused Linux distribution based on Mandriva, the last version of which was released over 12 years ago. I actually had no idea that it had been reviewed on <a href="https://www.linux.com/news/annvix-stable-secure-no-frills-server-distro/">linux.com</a> probably a few months after the last stable release and a few months before I decided to call it quits with my last commit on April 10 2008 to 3.1-<span class="caps">CURRENT</span> (last stable release was 3.0-<span class="caps">RELEASE</span> on Feb 3 2008), so it was interesting to find a review on it over a decade later.</p>
<p>(I think one of the Sun Fire X4100 machines in my rack still has Annvix installed on it and I bet if I fired it up it would boot… with no idea of what the passwords might be!)</p>
<p>Some of the other references on wikipedia were to articles I had written for TechRepublic. When I looked, there were <a href="https://www.techrepublic.com/search/?q=%22vincent+danen%22">28 pages consisting of 286 results</a>, with articles from Feb 2000 to June 2011, mostly Linux-related but the last few years had a bunch of Mac-related articles as well. Looking through the list of things I wrote about was a definite trip down memory lane, as I used my writing for TechRepublic as an excuse to learn about new software so that I could write about it. Anything that looked interesting merited a review or how-to.</p>
<p>Coinciding with that, I also stumbled across a <a href="http://lxer.com/module/newswire/view/9986/index.html">joint Debian, Mandrakesoft, Red Hat, and <span class="caps">SUSE</span> response to a Forrester Research report</a> that claimed Microsoft Windows was more secure than Linux, which was also noted in a <a href="https://www.computerworld.com/article/2563965/linux-vendors-claim-forrester-report-favored-microsoft.html">ComputerWorld article</a>, back in 2004. Sadly, <a href="https://www.google.com/search?q=%22Is+Linux+more+Secure+than+Windows%3F%22+2004&oq=%22Is+Linux+more+Secure+than+Windows%3F%22+2004">despite looking</a>, I couldn’t find the original report, just a number of articles discussing it. The Forrester Research site only appears to retain reports back to 2006, otherwise I would link to the original report.</p>
<p>Never would have guessed in 2004, when I co-wrote that statement with Mark Cox at Red Hat, that he would end up being my boss 5 years later when I left Mandriva for Red Hat in 2009.</p>
<p>In fact, when I started writing for TechRepublic, I was a volunteer packager for Linux-Mandrake (at the time) — akin to a Fedora contributor today. I quit my job (in bill collections) and started my own consulting company, predominantly writing for TechRepublic and a few other sites, and it was that period of volunteering and writing that got me the gig at Mandrakesoft, as a documentation writer and packager (by invitation; I never applied for a job). It wasn’t until about a year later that I started doing the security work at Mandrakesoft, preparing updates for users of Linux-Mandrake to correct the (then-rare) security vulnerabilities in our products. At this point in time I had pretty much zero security skills and, as security in software slowly came to the fore, emerging as something we really needed to pay attention to, I did all of my learning on the job.</p>
<p>It’s worth pointing out that, at Mandrakesoft, I was the sole member of our security team for most of that time. We didn’t have an incident response process or tools to handle security updates. Much of what we did was modelled after what Red Hat was doing (we started using <span class="caps">CVE</span> names shortly after Red Hat did, our errata (<span class="caps">MDKSA</span>) was similar to Red Hat’s <span class="caps">RHSA</span>, etc.). I built the program and everything around it. Unlike Red Hat, where we have Engineering write patches and build software, Release Engineering release the software to customers, and <span class="caps">QE</span> quality test it, the entire process was handled and driven by one person: I found out about the issues, backported the patches, tested the packages, and used my own self-written toolchain to publish the advisories.</p>
<p>Fast forward seven years of running and managing the small security team (<span class="caps">PSIRT</span>, but we didn’t call it such back then) at Mandriva (formerly Mandrakesoft), and I made the leap to join Red Hat in February 2009 as a Senior Software Engineer in the Security Response Team (now known as Product Security).</p>
<p>At Red Hat, for the first 5 years I spent my time doing vulnerability analysis before becoming a manager in late 2014, where I remained as a manager (of a few different functions in Product Security) until late 2017 when I assumed the leadership of our entire Product Security team.</p>
<p>It was in 1998 when I was first introduced to and started to use Linux, 22 years ago. Half of my life has been spent working on open source and being part of the open source ecosystem. I’ve ended up in a position that I didn’t even dream was possible 22 years ago and, if I’m honest, wasn’t anything I ever aspired to. This wasn’t even a proverbial twinkle in my eye.</p>
<p>So why write a blog post about this? Well, like my new friend who will be installing doors in my home in a few months, I’ve had a very interesting and rather unorthodox career journey. Grit, hard work, getting involved and putting in the extra mile (or ten) got me to where I am today. Yes, unorthodox. Yes, unbelievable.</p>
<p>In today’s world where we have a huge cybersecurity skills shortage, I don’t think my story is unique. At least, I hope it isn’t. And, if it is, it needs to not be unique. There are a number of people who found their way into security by means of “accident”, “happenstance”, or “divine intervention” (I attribute it to the latter). I get frustrated when I see people on Twitter who are smart and begging for a chance to get into the security field being sidelined by a lack of certifications or training. If I could hire you all I would! I believe security is something you can train and teach, if you have sufficient technical proficiency and, most importantly, an insatiable curiosity to understand and break things, or what I call “the spark”. I learned security on the job. When I started at Mandrakesoft, it wasn’t with security certifications and experience. I learned on the job because someone suckered me into the “one to two updates a month” job of taking on security updates. If I had a team to support me and teach me, maybe things would have moved faster. Who knows? The point is that we, as security practitioners who are looking for people to hire, have to accept the fact that there is more work than there are “qualified” people. And that’s ok! Because there are a lot of curious and smart people out there without degrees and CISSPs and other certifications that we can <em>teach</em> and grow into amazing security people.</p>
<p>And if their career journey is unexpected because someone took a chance on them, I say good for the company willing to take that chance. After all, my career journey was entirely unexpected and turned out better than I could have expected. I suspect the same will be said of many in the next 22 years.</p>
<p>(As a side note, in high school, my plan was to become a fantasy author. Then my dad introduced me to the <span class="caps">BBS</span> scene and I discovered a new world where I found what I would ultimately devote my life to fighting against. Interestingly, the sole reason I looked at Linux in the first place was to run my <span class="caps">BBS</span>!)</p>
<p><strong>Inkdrop with CouchDB on FreeNAS</strong> (Vincent Danen, 2020-02-23; tag:annvix.com,2020-02-23:/blog/inkdrop-with-couchdb-on-freenas)</p>
<p><img alt="Image" src="https://annvix.com/images/inkdrop.png" /></p>
<p>I have a terrible memory, which means that I rely on a lot of tools and methodologies (like <span class="caps">GTD</span>, Getting Things Done) to help me track things. This also means that I have a lot of different tools, and I regularly re-evaluate and change them if something new can meet my ever-changing needs.</p>
<p>For the last two years I’ve been using <a href="https://happenapps.com/">Quiver</a> to categorize and keep notes. These are notes for myself of people, projects, interesting things, escalations, etc. These are also notes on nearly every meeting I attend. For obvious reasons, these are sensitive and need to be kept under my own control. Prior to Quiver, I was using <a href="https://c-command.com/eaglefiler/">EagleFiler</a> (incidentally, I still use EagleFiler, just not for note keeping — it’s a great way to organize and collect files).</p>
<p>While Quiver worked quite well, it has limitations. As I try to do more work from my iPad rather than my laptop, the companion Quiver iOS app was showing its limitations. I could share the notes via my own internal WebDAV server, but it was read-only. That is great if I only want a reference, but to fully move to my iPad for the “normal day to day” stuff I needed something where I could review and edit notes.</p>
<p>I recently came across <a href="https://inkdrop.app/">Inkdrop</a> which is a note-taking application similar to Quiver with a more robust set of features, including iOS applications that will edit, and a better way of synchronizing those notes. While Inkdrop does provide a server to store the data (which is no good for me since I want to retain full control of my data), it does allow you to use a local CouchDB server. It also has a subscription of $5/mo which, if it can do what I need it to do, is worth it to me (particularly with the travel I’ve been doing of late).</p>
<p>The big things for me were standing up a CouchDB server (never played with it before) and being able to convert my Quiver library into a format that Inkdrop can use. Fortunately, both Quiver and Inkdrop use <span class="caps">JSON</span> files for the metadata so with a little bit of elbow grease I figured I could make it work. This post covers a few things: standing up the CouchDB server, getting Inkdrop to sync to it, and finally converting the data I already had in Quiver (nearly 1800 notes).</p>
<h2 id="couchdb-in-a-freenas-jail">CouchDB in a FreeNAS jail<a class="headerlink" href="#couchdb-in-a-freenas-jail" title="Permanent link"> </a></h2>
<p>The first step was to create the FreeNAS jail in which I was going to run CouchDB. This needed to be reachable only on my local network, not from the internet, and it needed to use <span class="caps">HTTPS</span>. I created a new jail named <code>inkdrop</code> in the FreeNAS web <span class="caps">UI</span>. Once that was done, I logged into the FreeNAS server, entered the jail, bootstrapped the <code>pkg</code> tool, and installed what I needed for CouchDB:</p>
<div class="highlight"><pre><span></span>$<span class="w"> </span>sudo<span class="w"> </span>iocage<span class="w"> </span>console<span class="w"> </span>inkdrop
<span class="c1"># pkg</span>
<span class="c1"># pkg install couchdb2 curl</span>
<span class="c1"># cd /usr/local/etc/couchdb2</span>
<span class="c1"># vi local.ini</span>
</pre></div>
<p>At this point we need to give the admin user a password by adding it under the <code>[admins]</code> section of <em>local.ini</em> (for example <code>admin = passwd</code>). CouchDB replaces the plaintext value with a PBKDF2 hash the next time it starts, so it is worth looking at the file again after the first start to confirm that happened. Leave the <code>[chttpd]</code> <code>bind_address</code> at <code>127.0.0.1</code>: only the nginx proxy set up below should be reachable from the network, and CouchDB itself should answer on loopback only. There are other files to edit as well:</p>
<div class="highlight"><pre><span></span># vi vm.args
</pre></div>
<p>In <em>vm.args</em>, change the <code>-setcookie</code> value from its default. This is the Erlang distribution cookie, which is effectively a shared secret: any node that knows it and can reach the Erlang ports can join the node, so it should be a long random value rather than the one every CouchDB install ships with.</p>
<div class="highlight"><pre><span></span># vi /etc/rc.conf
</pre></div>
<p>In <em>rc.conf</em> set <code>couchdb2_enable</code> to <strong><span class="caps">YES</span></strong>. Now we can start the service and initialize our database. The database will be named <code>inkdrop</code> and the admin user’s password is <strong>passwd</strong> in the following examples (substitute your own). The three underscore-prefixed databases are CouchDB’s system databases, which have to be created by hand on a single-node install:</p>
<div class="highlight"><pre><span></span><span class="cp"># service couchdb2 start</span>
<span class="cp"># curl -X PUT http:</span><span class="c1">//admin:passwd@127.0.0.1:5984/_users</span>
<span class="cp"># curl -X PUT http:</span><span class="c1">//admin:passwd@127.0.0.1:5984/_replicator</span>
<span class="cp"># curl -X PUT http:</span><span class="c1">//admin:passwd@127.0.0.1:5984/_global_changes</span>
<span class="cp"># curl -X PUT http:</span><span class="c1">//admin:passwd@127.0.0.1:5984/inkdrop</span>
</pre></div>
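<p>Because the two things that actually protect this install are the admin password and CouchDB staying on loopback, here is a small added check of my own (not code from the post or from CouchDB) that reads a <em>local.ini</em> and flags an unhashed admin password, a non-loopback <code>bind_address</code>, and anonymous access left enabled. It also re-creates CouchDB 2.x’s <code>-pbkdf2-&lt;key&gt;,&lt;salt&gt;,&lt;iterations&gt;</code> admin hash format (PBKDF2-HMAC-SHA1, 20-byte key, hex salt, 10 iterations by default, as I read it from CouchDB; confirm against a line your own server hashed) so you can verify a hashed entry or pre-hash one instead of leaving the password in the clear until the next restart. The <code>SAMPLE_LOCAL_INI</code> is constructed for the example.</p>

```python
"""Check a CouchDB 2.x local.ini for the settings this setup depends on.

Added example, not code from the original post or from CouchDB.  It reads
the [admins], [chttpd] and [couch_httpd_auth] sections, flags admin
passwords that are still plaintext, and re-implements the format CouchDB
uses for hashed admin passwords so an existing line can be verified or a
hash generated ahead of time.  SAMPLE_LOCAL_INI is constructed for the
example, not taken from a real server.
"""
import binascii
import configparser
import hashlib
import hmac
import os

# Constructed sample: admin still plaintext, CouchDB bound to all
# interfaces, and anonymous requests accepted.
SAMPLE_LOCAL_INI = """
[chttpd]
port = 5984
bind_address = 0.0.0.0

[couch_httpd_auth]
require_valid_user = false

[admins]
admin = passwd
"""

PREFIX = "-pbkdf2-"


def couchdb_pbkdf2(password, salt_hex=None, iterations=10):
    """Return an [admins] value in CouchDB's '-pbkdf2-<key>,<salt>,<iterations>' form.

    CouchDB derives a 20-byte key with PBKDF2-HMAC-SHA1, using the hex-encoded
    salt string itself as the salt bytes and [couch_httpd_auth] iterations
    (10 unless raised) as the count.  Assumed format; verify against a line
    your own server hashed.
    """
    if salt_hex is None:
        salt_hex = binascii.hexlify(os.urandom(16)).decode()
    key = hashlib.pbkdf2_hmac("sha1", password.encode(), salt_hex.encode(), iterations, 20)
    return "%s%s,%s,%d" % (PREFIX, binascii.hexlify(key).decode(), salt_hex, iterations)


def verify_admin(stored, password):
    """True if password matches a hashed [admins] value (plaintext never matches)."""
    if not stored.startswith(PREFIX):
        return False
    _key, salt_hex, iterations = stored[len(PREFIX):].split(",")
    candidate = couchdb_pbkdf2(password, salt_hex, int(iterations))
    return hmac.compare_digest(candidate, stored)


def lint_local_ini(text):
    """Return a list of findings about the settings that matter for this setup."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    bind = cfg.get("chttpd", "bind_address", fallback="127.0.0.1")
    if bind not in ("127.0.0.1", "::1"):
        findings.append("chttpd bind_address is %s: keep CouchDB on loopback and expose only the nginx proxy" % bind)
    admins = cfg.items("admins") if cfg.has_section("admins") else []
    if not admins:
        findings.append("no [admins] entry: CouchDB is in admin party mode, every request is an admin")
    for user, value in admins:
        if not value.startswith(PREFIX):
            findings.append("[admins] %s is plaintext: CouchDB hashes it on next start, restart and re-check" % user)
    if not cfg.getboolean("couch_httpd_auth", "require_valid_user", fallback=False):
        findings.append("require_valid_user is false: unauthenticated requests are accepted as anonymous")
    return findings


if __name__ == "__main__":
    for finding in lint_local_ini(SAMPLE_LOCAL_INI):
        print("-", finding)
    print("pre-hashed admin line:", couchdb_pbkdf2("passwd"))
```

<p>Run it against <em>/usr/local/etc/couchdb2/local.ini</em> inside the jail after the first start; an empty finding list is what you want before pointing nginx at it.</p>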
<h2 id="install-nginx-as-the-couchdb-proxy">Install nginx as the CouchDB proxy<a class="headerlink" href="#install-nginx-as-the-couchdb-proxy" title="Permanent link"> </a></h2>
<p>The next step is to put nginx in front of CouchDB as a <span class="caps">TLS</span>-terminating proxy, so that clients talk <span class="caps">HTTPS</span> to nginx rather than plain <span class="caps">HTTP</span> to CouchDB.</p>
<div class="highlight"><pre><span></span># pkg install nginx
# cd /usr/local/etc/nginx
# vi nginx.conf
</pre></div>
<p>At this point you want to follow the <a href="https://docs.inkdrop.app/manual/synchronizing-in-the-cloud/#how-to-set-up-your-own-sync-server">Inkdrop instructions for setting up your own sync server</a>. That should get nginx nicely configured. The next step is to issue a Let’s Encrypt certificate inside the FreeNAS jail. I’ve blogged about this in the past, with <a href="https://annvix.com/blog/using-letsencrypt-on-freenas">Using LetsEncrypt on FreeNAS</a> and <a href="https://annvix.com/blog/using-letsencrypt-with-plex">Using LetsEncrypt with Plex</a>, so I won’t go into a lot of detail, but will simply note the commands used. Two caveats: <code>CF_Key</code> is the Cloudflare global API key, which can do anything to the account, and acme.sh saves it in <em>/root/.acme.sh/account.conf</em> so it can renew later, so a scoped API token (acme.sh accepts one via <code>CF_Token</code> together with <code>CF_Account_ID</code> and <code>CF_Zone_ID</code>) limits the damage if the jail is ever compromised. Also, renewals rewrite the two <span class="caps">PEM</span> files but nginx only reads them at start, so register a reload with acme.sh’s <code>--reloadcmd</code> option once nginx is running, otherwise the renewed certificate is not served until nginx is restarted:</p>
<div class="highlight"><pre><span></span><span class="c1"># pkg install git</span>
<span class="c1"># cd /root</span>
<span class="c1"># git clone https://github.com/Neilpang/acme.sh.git</span>
<span class="c1"># cd acme.sh</span>
<span class="c1"># ./acme.sh --install</span>
<span class="c1"># cd /root/.acme.sh</span>
<span class="c1"># export CF_Key="api_key"</span>
<span class="c1"># export CF_Email="email_addr"</span>
<span class="c1"># ./acme.sh --issue --dns dns_cf -d inkdrop.hostname --fullchain-file /usr/local/etc/nginx/fullchain.pem --key-file /usr/local/etc/nginx/privkey.pem</span>
<span class="c1"># crontab -l</span>
<span class="mi">12</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="s2">"/root/.acme.sh"</span><span class="o">/</span><span class="n">acme</span><span class="o">.</span><span class="n">sh</span><span class="w"> </span><span class="o">--</span><span class="n">cron</span><span class="w"> </span><span class="o">--</span><span class="n">home</span><span class="w"> </span><span class="s2">"/root/.acme.sh"</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="nb nb-Type">null</span>
</pre></div>
<p>With our <span class="caps">TLS</span> certificate set up and the cron job in place, we can start nginx and test that we can reach CouchDB over <span class="caps">HTTPS</span>. Connect using the hostname the certificate was issued for (<code>inkdrop.hostname</code>, from the acme.sh step) rather than 127.0.0.1, otherwise curl will refuse the connection with a hostname mismatch; don’t paper over that with <code>-k</code>, since that disables the very check the proxy exists to provide. The first request is unauthenticated and must be rejected; the second uses the admin credentials:</p>
<div class="highlight"><pre><span></span># vi /etc/rc.conf
# service nginx start
# curl https://inkdrop.hostname:6984/_all_dbs
{"error":"unauthorized","reason":"You are not a server admin."}
# curl https://admin:passwd@inkdrop.hostname:6984/_all_dbs
["_global_changes","_replicator","_users","inkdrop"]
</pre></div>
<p>The <em>rc.conf</em> edit sets <code>nginx_enable</code> to <strong><span class="caps">YES</span></strong> so nginx comes back when the jail restarts.</p>
<p>If you intend to use Inkdrop on your mobile device, you now need to create the mobile design document as per <a href="https://docs.inkdrop.app/manual/synchronizing-in-the-cloud/#support-mobile-sync">Inkdrop’s mobile sync documentation</a>. Two details matter in the command: the document has to be written to <code>/inkdrop/_design/mobile</code> (a <code>PUT</code> on <code>/inkdrop</code> itself is a request to create the database and ignores the body), and the <code>file:</code> string inside the filter has to be escaped so the shell’s single quotes don’t swallow it. The filter keeps <code>file:</code> (attachment) documents out of the mobile sync:</p>
<div class="highlight"><pre><span></span># curl -X PUT https://admin:passwd@inkdrop.hostname:6984/inkdrop/_design/mobile \
    -H 'Content-Type: application/json' \
    -d '{ "_id": "_design/mobile", "filters": { "sync": "function (doc) { return doc._id.indexOf(\"file:\") === -1 }" } }'
</pre></div>
<h2 id="mobile-sync">Mobile Sync<a class="headerlink" href="#mobile-sync" title="Permanent link"> </a></h2>
<p>At this point you should have a fully functional CouchDB running behind nginx in a FreeNAS jail. Now you can point Inkdrop to your server for syncing. You can set this up to be accessible from anywhere, or you can leave it accessible only internally. That’s the way I chose to do it since you can edit documents while disconnected and it will sync back to the server when the client is able to connect. This allows for complete privacy by not making it available outside of your own network, but makes it portable enough that you can take your notes with you so you can add and edit as you’re out and about.</p>
<p>The only thing that would make this even better for me would be for Inkdrop to have <span class="caps">PIN</span> or TouchID/FaceID protection on the mobile device.</p>
<h2 id="converting-from-quiver-to-inkdrop">Converting from Quiver to Inkdrop<a class="headerlink" href="#converting-from-quiver-to-inkdrop" title="Permanent link"> </a></h2>
<p>Now if you’re like me and you’ve used Quiver in the past, there is good news! You <em>can</em> convert from Quiver to Inkdrop. I had to scratch my own itch here as there was no conversion tool available. Thankfully, Quiver uses <span class="caps">JSON</span> files that can be parsed and, for Inkdrop, I can talk directly to the CouchDB server. Because of this I could see the content/format of what I had in Quiver, and what Inkdrop expected in CouchDB. It wasn’t terribly difficult to figure out, just took a bit of trial and error. </p>
<p>My script for the conversion is available on GitHub: <a href="https://github.com/vdanen/quiver-to-inkdrop">quiver-to-inkdrop</a>.</p>
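<p>As an added illustration of the mapping the script does (my own example, not the quiver-to-inkdrop code linked above): the Quiver side follows its on-disk layout as I understand it, a <em>&lt;name&gt;.qvnotebook</em> directory with a <em>meta.json</em> plus one <em>&lt;uuid&gt;.qvnote</em> directory per note holding <em>meta.json</em> (title, uuid, tags, <code>created_at</code>/<code>updated_at</code> in seconds) and <em>content.json</em> (cells of type markdown, text or code). The Inkdrop side (the <code>book:</code>/<code>note:</code>/<code>tag:</code> id prefixes, the field names, millisecond timestamps) is my reading of documents Inkdrop writes itself and is an assumption here: compare against a note your own client created before bulk-loading anything. The input is a constructed in-memory notebook rather than files on disk.</p>

```python
"""Turn a Quiver notebook into CouchDB documents shaped the way Inkdrop expects.

Added example, not the quiver-to-inkdrop script linked above.  Quiver's
layout (qvnotebook/meta.json, qvnote/meta.json + content.json) is as I
understand it; the Inkdrop document fields are assumed and should be
checked against a note the Inkdrop client wrote into the database.
"""
import json
import secrets
import time

# Constructed input standing in for the files on disk: path -> JSON text.
SAMPLE_NOTEBOOK = {
    "Work.qvnotebook/meta.json": json.dumps({"name": "Work", "uuid": "3F2A0000"}),
    "Work.qvnotebook/1111-AAAA.qvnote/meta.json": json.dumps({
        "title": "Escalation notes", "uuid": "1111-AAAA", "tags": ["incident", "sev1"],
        "created_at": 1582400000, "updated_at": 1582486400}),
    "Work.qvnotebook/1111-AAAA.qvnote/content.json": json.dumps({
        "title": "Escalation notes",
        "cells": [
            {"type": "markdown", "data": "# Timeline\n\nPaged at 03:10."},
            {"type": "code", "language": "sh", "data": "grep -c denied /var/log/auth.log"},
            {"type": "text", "data": "<p>Closed after rotation of the leaked key.</p>"},
        ]}),
}


def new_id(prefix):
    """Inkdrop-style id: prefix plus 16 hex characters (length assumed)."""
    return prefix + secrets.token_hex(8)


def cells_to_markdown(cells):
    """Flatten Quiver cells into one Markdown body: code cells become fences,
    text (HTML) cells pass through since Markdown allows inline HTML."""
    parts = []
    for cell in cells:
        if cell["type"] == "code":
            parts.append("```%s\n%s\n```" % (cell.get("language", ""), cell["data"]))
        else:
            parts.append(cell["data"])
    return "\n\n".join(parts)


def convert_notebook(files, now_ms=None):
    """Return (book, notes, tags) dicts ready to POST to /inkdrop/_bulk_docs."""
    now_ms = now_ms or int(time.time() * 1000)
    root = next(p for p in files if p.endswith(".qvnotebook/meta.json"))
    book_meta = json.loads(files[root])
    book = {"_id": new_id("book:"), "name": book_meta["name"],
            "parentBookId": None, "createdAt": now_ms, "updatedAt": now_ms}
    tag_docs = {}   # tag name -> tag document, created on first use
    notes = []
    for path in files:
        if not path.endswith(".qvnote/meta.json"):
            continue
        meta = json.loads(files[path])
        content = json.loads(files[path.replace("meta.json", "content.json")])
        tag_ids = []
        for name in meta.get("tags", []):
            if name not in tag_docs:
                tag_docs[name] = {"_id": new_id("tag:"), "name": name,
                                  "createdAt": now_ms, "updatedAt": now_ms}
            tag_ids.append(tag_docs[name]["_id"])
        notes.append({
            "_id": new_id("note:"),
            "doctype": "markdown",
            "bookId": book["_id"],
            "title": meta.get("title") or content.get("title", ""),
            "body": cells_to_markdown(content["cells"]),
            "tags": tag_ids,
            "status": "none",
            "createdAt": meta["created_at"] * 1000,   # Quiver seconds -> ms
            "updatedAt": meta["updated_at"] * 1000,
        })
    return book, notes, list(tag_docs.values())


if __name__ == "__main__":
    book, notes, tags = convert_notebook(SAMPLE_NOTEBOOK)
    print(json.dumps({"docs": [book] + tags + notes}, indent=2))
```

<p>The printed <code>{"docs": [...]}</code> body is the shape CouchDB’s <code>POST /inkdrop/_bulk_docs</code> takes, sent with the admin credentials over the nginx proxy. On a real library, do a dry run into a scratch database first: if the field names don’t match what the client expects, Inkdrop will simply not show the notes, and it is much easier to delete a scratch database than to pick stray documents out of the live one.</p>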
<p>This was a nice amusement for me, to be honest. I always enjoy playing with new software, something I don’t get to do as often as I used to (when I wrote for TechRepublic years ago I was playing with new things all the time). Everything here aside from FreeNAS was new for me and I’d never played with CouchDB before, and I always enjoy doing a bit of Python and hacking things to make them work. Hopefully there is something interesting or useful here for others to use as well!</p>
<p><strong>Updating iocage jails in FreeNAS</strong> (Vincent Danen, 2020-02-17; tag:annvix.com,2020-02-17:/blog/updating-iocage-jails-in-freenas)</p>
<p><img alt="Image" src="https://annvix.com/images/freenas.jpg" /></p>
<p>I’ve been running FreeNAS as a file and application server for quite a while and love it. The FreeBSD jails are awesome for running applications like Plex or gitea in isolation. Recently the base FreeBSD 11.2-<span class="caps">RELEASE</span> went end of life and 11.3-<span class="caps">RELEASE</span> was the new stable version (actually, it went <span class="caps">EOL</span> last October but I only realized it the other day). Updates for packages can still be done within the jails, but upgrading the base jail can’t be done from within the jail itself.</p>
<p>Instructions are around on how to do it, however I like blogging things that I know I’ll be coming back to, and “consumer 1” for this blog is me. If you’re looking for a quick tutorial on how to upgrade the base jail on FreeNAS, then this may be of use to you. Undoubtedly it will be useful to future me.</p>
<p>Unfortunately, as of the current FreeNAS 11.3-<span class="caps">RELEASE</span> this cannot be done in the <span class="caps">GUI</span>, so we need to resort to the shell. Open a console or ssh into your FreeNAS server as an account with sudo privileges, and get a list of jails:</p>
<div class="highlight"><pre><span></span><span class="c">$ sudo iocage list</span>
<span class="c">Password:</span>
<span class="nb">+-----+-------------+-------+--------------+------+</span>
<span class="c">| JID | NAME | STATE | RELEASE | IP4 |</span>
<span class="nb">+</span><span class="c">=====</span><span class="nb">+</span><span class="c">=============</span><span class="nb">+</span><span class="c">=======</span><span class="nb">+</span><span class="c">==============</span><span class="nb">+</span><span class="c">======</span><span class="nb">+</span>
<span class="c">| 2 | gitea | up | 11</span><span class="nt">.</span><span class="c">2</span><span class="nb">-</span><span class="c">RELEASE | DHCP |</span>
<span class="nb">+-----+-------------+-------+--------------+------+</span>
<span class="c">| 3 | inkdrop | up | 11</span><span class="nt">.</span><span class="c">3</span><span class="nb">-</span><span class="c">RELEASE | DHCP |</span>
<span class="nb">+-----+-------------+-------+--------------+------+</span>
<span class="c">| </span><span class="nb">-</span><span class="c"> | openproject | down | 11</span><span class="nt">.</span><span class="c">2</span><span class="nb">-</span><span class="c">RELEASE | DHCP |</span>
<span class="nb">+-----+-------------+-------+--------------+------+</span>
<span class="c">| 1 | plex | up | 11</span><span class="nt">.</span><span class="c">2</span><span class="nb">-</span><span class="c">RELEASE | DHCP |</span>
<span class="nb">+-----+-------------+-------+--------------+------+</span>
</pre></div>
<p>On my system, the plex, gitea, and openproject jails were created quite some time ago and are running the 11.2-<span class="caps">RELEASE</span> version of FreeBSD, which is past end of life. The inkdrop jail was created recently from the 11.3-<span class="caps">RELEASE</span> template. We’ll upgrade the openproject jail first since that one means less to me than plex or gitea.</p>
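<p>With four jails you can eyeball the table; with more of them it helps to have something that reads <code>iocage list</code> for you. Here is a small added helper of my own (not from the post, not part of iocage) that parses the table <code>iocage list</code> prints and reports the jails whose release is end of life or behind the release you intend to upgrade to. The table text is a constructed copy of the one above and the <span class="caps">EOL</span> set is filled in by hand for the example; take the real list from FreeBSD’s security page.</p>

```python
"""Flag iocage jails that still run an end-of-life FreeBSD release.

Added example, not from the post or from iocage.  It parses the table that
`iocage list` prints and compares each jail's RELEASE against a set of
releases known to be EOL and against the target release.  The table text
and the EOL set are constructed for the example.
"""
import re

# Constructed copy of the table shown in the post.
SAMPLE_LIST = """\
+-----+-------------+-------+--------------+------+
| JID | NAME        | STATE | RELEASE      | IP4  |
+=====+=============+=======+==============+======+
| 2   | gitea       | up    | 11.2-RELEASE | DHCP |
+-----+-------------+-------+--------------+------+
| 3   | inkdrop     | up    | 11.3-RELEASE | DHCP |
+-----+-------------+-------+--------------+------+
| -   | openproject | down  | 11.2-RELEASE | DHCP |
+-----+-------------+-------+--------------+------+
| 1   | plex        | up    | 11.2-RELEASE | DHCP |
+-----+-------------+-------+--------------+------+
"""

# 11.2-RELEASE went EOL at the end of October 2019, as the update warning says.
EOL_RELEASES = {"11.2-RELEASE"}


def parse_iocage_list(text):
    """Return one dict per jail, keyed by the header columns (JID, NAME, ...)."""
    rows = [line for line in text.splitlines() if line.startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    jails = []
    for line in rows[1:]:
        cells = [c.strip() for c in line.strip("|").split("|")]
        jails.append(dict(zip(header, cells)))
    return jails


def release_tuple(release):
    """'11.2-RELEASE-p15' -> (11, 2) for ordering; the patch level is ignored."""
    m = re.match(r"(\d+)\.(\d+)", release)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def jails_needing_upgrade(text, eol=EOL_RELEASES, target="11.3-RELEASE"):
    """Names of jails whose release is EOL or older than target, in list order.

    A trailing '-pN' patch suffix (as shown by `iocage update`) is stripped
    before the comparison so 11.2-RELEASE-p15 still matches 11.2-RELEASE."""
    names = []
    for jail in parse_iocage_list(text):
        release = re.sub(r"-p\d+$", "", jail["RELEASE"])
        if release in eol or release_tuple(release) < release_tuple(target):
            names.append(jail["NAME"])
    return names


if __name__ == "__main__":
    for name in jails_needing_upgrade(SAMPLE_LIST):
        print("needs upgrade:", name)
```

<p>Pipe the real output in (<code>sudo iocage list | python3 check_jails.py</code> after swapping <code>SAMPLE_LIST</code> for <code>sys.stdin.read()</code>) and run it again after the upgrades; it should come back empty.</p>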
<p>The first step is to make sure it is at the latest patch release:</p>
<div class="highlight"><pre><span></span><span class="o">$</span><span class="w"> </span><span class="n">sudo</span><span class="w"> </span><span class="n">iocage</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">openproject</span>
<span class="n">Snapshot</span><span class="p">:</span><span class="w"> </span><span class="n">storage</span><span class="o">/</span><span class="n">iocage</span><span class="o">/</span><span class="n">jails</span><span class="o">/</span><span class="n">openproject</span><span class="err">@</span><span class="n">ioc_update_11</span><span class="o">.</span><span class="mi">2</span><span class="o">-</span><span class="n">RELEASE</span><span class="o">-</span><span class="n">p15_2020</span><span class="o">-</span><span class="mi">02</span><span class="o">-</span><span class="mi">16</span><span class="n">_08</span><span class="o">-</span><span class="mi">14</span><span class="o">-</span><span class="mi">35</span><span class="w"> </span><span class="n">created</span><span class="o">.</span>
<span class="n">Updating</span><span class="w"> </span><span class="n">jail</span><span class="o">...</span>
<span class="o">*</span><span class="w"> </span><span class="n">Updating</span><span class="w"> </span><span class="n">openproject</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">latest</span><span class="w"> </span><span class="n">patch</span><span class="w"> </span><span class="n">level</span><span class="o">...</span>
<span class="n">src</span><span class="w"> </span><span class="n">component</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">installed</span><span class="p">,</span><span class="w"> </span><span class="n">skipped</span>
<span class="n">Looking</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">update</span><span class="o">.</span><span class="n">FreeBSD</span><span class="o">.</span><span class="n">org</span><span class="w"> </span><span class="n">mirrors</span><span class="o">...</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="n">mirrors</span><span class="w"> </span><span class="n">found</span><span class="o">.</span>
<span class="n">Fetching</span><span class="w"> </span><span class="n">metadata</span><span class="w"> </span><span class="n">signature</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="mf">11.2</span><span class="o">-</span><span class="n">RELEASE</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">update4</span><span class="o">.</span><span class="n">freebsd</span><span class="o">.</span><span class="n">org</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="o">.</span>
<span class="n">Fetching</span><span class="w"> </span><span class="n">metadata</span><span class="w"> </span><span class="n">index</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="o">.</span>
<span class="n">Inspecting</span><span class="w"> </span><span class="n">system</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="o">.</span>
<span class="n">Preparing</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">download</span><span class="w"> </span><span class="n">files</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="o">.</span>
<span class="n">No</span><span class="w"> </span><span class="n">updates</span><span class="w"> </span><span class="n">needed</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">system</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="mf">11.2</span><span class="o">-</span><span class="n">RELEASE</span><span class="o">-</span><span class="n">p15</span><span class="o">.</span>
<span class="n">WARNING</span><span class="p">:</span><span class="w"> </span><span class="n">FreeBSD</span><span class="w"> </span><span class="mf">11.2</span><span class="o">-</span><span class="n">RELEASE</span><span class="w"> </span><span class="n">HAS</span><span class="w"> </span><span class="n">PASSED</span><span class="w"> </span><span class="n">ITS</span><span class="w"> </span><span class="n">END</span><span class="o">-</span><span class="n">OF</span><span class="o">-</span><span class="n">LIFE</span><span class="w"> </span><span class="n">DATE</span><span class="o">.</span>
<span class="n">Any</span><span class="w"> </span><span class="n">security</span><span class="w"> </span><span class="n">issues</span><span class="w"> </span><span class="n">discovered</span><span class="w"> </span><span class="n">after</span><span class="w"> </span><span class="n">Wed</span><span class="w"> </span><span class="n">Oct</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="mi">18</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="w"> </span><span class="n">MDT</span><span class="w"> </span><span class="mi">2019</span>
<span class="n">will</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">have</span><span class="w"> </span><span class="n">been</span><span class="w"> </span><span class="n">corrected</span><span class="o">.</span>
<span class="n">src</span><span class="w"> </span><span class="n">component</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">installed</span><span class="p">,</span><span class="w"> </span><span class="n">skipped</span>
<span class="n">No</span><span class="w"> </span><span class="n">updates</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">available</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">install</span><span class="o">.</span>
<span class="n">Run</span><span class="w"> </span><span class="s1">'/tmp/tmpqduc4ubh fetch'</span><span class="w"> </span><span class="n">first</span><span class="o">.</span>
</pre></div>
<p>This first update created a snapshot before doing anything else (the <code>Snapshot: ... created.</code> line at the top of the output), so that is iocage’s normal behaviour rather than something I triggered by accident. Either way, it’s a good idea to make sure you have a current snapshot before going any further. You can check whether that is the case:</p>
<div class="highlight"><pre><span></span><span class="c">$ sudo iocage snaplist openproject</span>
<span class="nb">+------------------------------------------------------+-----------------------+-------+-------+</span>
<span class="c">| NAME | CREATED | RSIZE | USED |</span>
<span class="nb">+</span><span class="c">======================================================</span><span class="nb">+</span><span class="c">=======================</span><span class="nb">+</span><span class="c">=======</span><span class="nb">+</span><span class="c">=======</span><span class="nb">+</span>
<span class="c">| ioc_update_11</span><span class="nt">.</span><span class="c">2</span><span class="nb">-</span><span class="c">RELEASE</span><span class="nb">-</span><span class="c">p4 | Sat Feb 15 10:23 2020 | 184K | 120K |</span>
<span class="nb">+------------------------------------------------------+-----------------------+-------+-------+</span>
<span class="c">| ioc_update_11</span><span class="nt">.</span><span class="c">2</span><span class="nb">-</span><span class="c">RELEASE</span><span class="nb">-</span><span class="c">p4/root | Sat Feb 15 10:23 2020 | 2</span><span class="nt">.</span><span class="c">61G | 11</span><span class="nt">.</span><span class="c">5M |</span>
<span class="nb">+------------------------------------------------------+-----------------------+-------+-------+</span>
<span class="c">| ioc_update_11</span><span class="nt">.</span><span class="c">2</span><span class="nb">-</span><span class="c">RELEASE</span><span class="nb">-</span><span class="c">p15_2020</span><span class="nb">-</span><span class="c">02</span><span class="nb">-</span><span class="c">16_08</span><span class="nb">-</span><span class="c">14</span><span class="nb">-</span><span class="c">35 | Sun Feb 16 8:14 2020 | 192K | 120K |</span>
<span class="nb">+------------------------------------------------------+-----------------------+-------+-------+</span>
<span class="c">| ioc_update_11</span><span class="nt">.</span><span class="c">2</span><span class="nb">-</span><span class="c">RELEASE</span><span class="nb">-</span><span class="c">p15_2020</span><span class="nb">-</span><span class="c">02</span><span class="nb">-</span><span class="c">16_08</span><span class="nb">-</span><span class="c">14</span><span class="nb">-</span><span class="c">35/root | Sun Feb 16 8:14 2020 | 2</span><span class="nt">.</span><span class="c">67G | 1</span><span class="nt">.</span><span class="c">44M |</span>
<span class="nb">+------------------------------------------------------+-----------------------+-------+-------+</span>
</pre></div>
<p>If you do see that your snapshots are out of date, you can create one using <code>sudo iocage snapshot openproject</code>. The upgrade also appears to create a snapshot of its own, but I personally wouldn’t rely on the good will of computers and would create a snapshot anyway.</p>
<p>The snapshots look current so we’ll go ahead and do the upgrade to the new version. This will take about 10 minutes and may interactively ask you to do things like merge or edit configuration files. I note this not because it asked me for any of the three systems I upgraded, but because I had read elsewhere that it could happen.</p>
<p>The output below is trimmed but you should get a sense of what to expect. You need to specify the version to upgrade to (<code>11.3-RELEASE</code>) and the jail name (<code>openproject</code> in this case). When you’re shown the components that appear to be installed or not, and are asked whether it looks reasonable, answer <code>y</code> to continue (to be honest, I have no idea, but it seemed reasonable enough to me!).</p>
<div class="highlight"><pre><span></span><span class="o">$</span><span class="w"> </span><span class="n">sudo</span><span class="w"> </span><span class="n">iocage</span><span class="w"> </span><span class="n">upgrade</span><span class="w"> </span><span class="o">-</span><span class="n">r</span><span class="w"> </span><span class="mf">11.3</span><span class="o">-</span><span class="n">RELEASE</span><span class="w"> </span><span class="n">openproject</span>
<span class="n">src</span><span class="w"> </span><span class="n">component</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">installed</span><span class="p">,</span><span class="w"> </span><span class="n">skipped</span>
<span class="n">Looking</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">update</span><span class="o">.</span><span class="n">FreeBSD</span><span class="o">.</span><span class="n">org</span><span class="w"> </span><span class="n">mirrors</span><span class="o">...</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="n">mirrors</span><span class="w"> </span><span class="n">found</span><span class="o">.</span>
<span class="n">Fetching</span><span class="w"> </span><span class="n">metadata</span><span class="w"> </span><span class="n">signature</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="mf">11.2</span><span class="o">-</span><span class="n">RELEASE</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">update1</span><span class="o">.</span><span class="n">freebsd</span><span class="o">.</span><span class="n">org</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="o">.</span>
<span class="n">Fetching</span><span class="w"> </span><span class="n">metadata</span><span class="w"> </span><span class="n">index</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="o">.</span>
<span class="n">Fetching</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">metadata</span><span class="w"> </span><span class="n">files</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="o">.</span>
<span class="n">Inspecting</span><span class="w"> </span><span class="n">system</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="o">.</span>
<span class="n">The</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">components</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">FreeBSD</span><span class="w"> </span><span class="n">seem</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">installed</span><span class="p">:</span>
<span class="n">world</span><span class="o">/</span><span class="n">base</span><span class="w"> </span><span class="n">world</span><span class="o">/</span><span class="n">doc</span><span class="w"> </span><span class="n">world</span><span class="o">/</span><span class="n">lib32</span>
The following components of FreeBSD do not seem to be installed:
world/base-dbg world/lib32-dbg
Does this look reasonable (y/n)? y
Fetching metadata signature for 11.3-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.
[...]
To install the downloaded upgrades, run "/tmp/tmp7yqr2bxf install".
src component not installed, skipped
Installing updates...
Kernel updates have been installed. Please reboot and run
"/tmp/tmp7yqr2bxf install" again to finish installing updates.
src component not installed, skipped
Installing updates... done.
openproject successfully upgraded from 11.2-RELEASE-p15 to 11.3-RELEASE-p6!
</pre></div>
<p>When this is done, enter the jail using <code>sudo iocage console openproject</code> and run <code>pkg update &amp;&amp; pkg upgrade</code> to upgrade all of the packages inside.</p>
<p>At this point you can use <code>sudo iocage list</code> to verify the release is as expected as well, or use the web <span class="caps">UI</span> to verify. That’s pretty much all there is to it. Everything should work properly. I successfully did this with all three jails with a minimum of fuss.</p>
<h1 id="2019-a-retrospective-grit">2019: A Retrospective - Grit</h1>
<p>Vincent Danen, 2020-01-02T18:00:00-07:00, tag:annvix.com,2020-01-02:/blog/2019-a-retrospective-grit</p>
<p><img alt="Image" src="https://annvix.com/images/grit-success-workthrough-it.jpg" /></p>
<p>I’ve enjoyed reading (and writing) these annual retrospectives. This will be the fourth that I’ve written. There are two recurring themes I read from the past retrospectives: <em>tough</em> and <em>hope</em>. Life is tough — be that in work or personal life. But there is hope. Every year I look back and see how much was painful and hard and yet, at the end of each year, I see the accomplishments. The things that made <em>tough</em> worth it. The things that make me hopeful come the next time I write one of these.</p>
<p>2019 was no different.</p>
<p>It seems like every year I say this was the toughest year. Then the next year I say “no, <em>this</em> was the toughest year!” Will I say the same thing again? Probably! What I’m coming to see is that as we grow and look back and experience new things, it’s always harder. As we move forward, as we accomplish more, there is more adversity to conquer. There is more growth to experience. There is always <em>more</em> that we strive for and in that striving comes cost and sacrifice.</p>
<p>So what can we say about this year? We’ll start on the work side of things. When I look at what was accomplished at work, I’m honestly blown away. This was my first year of really feeling settled in the role I unexpectedly found myself in just over a year ago. Last year was hard because I felt like I was treading water just figuring out how to lead the team — no training, no instruction, just expectations. It’s like learning anything new: riding a bike or surfing. There was a lot of unsteady riding, a lot of figuring out how to keep balance. I remember teaching my daughter how to ride a bike — there was a helmet, training wheels, a bike her size. As she grew more confident the training wheels came off but those first few “solo” rides saw me running behind her hanging on to the bike to keep it balanced. And then she was riding free, all on her own using her own muscles and her own skill.</p>
<p>2018 was like a kid learning to ride an adult bike with no training wheels, no helmet, and no parent hanging on to the back to keep me upright.</p>
<p>2019 was not mastering the ride, but remaining upright more often than not, catching my balance, falling and dusting myself off and getting back on and riding for all I was worth.</p>
<p>For me it isn’t about how much I stayed balanced on the bike, pedalling like a crazy person. It was about how many times I fell off the bike and chose to get back on and keep going. It’s for that reason that my word for this year is <em>grit</em>. Because without a huge dose of grit I don’t think I would have gotten back on the bike as many times as I did, or gone as far on it as I had.</p>
<p>I can’t get into all the details of what I accomplished at work, but suffice it to say there was a lot! I hope my team, who had the opportunity to live through and hopefully experience the benefits of those things, would agree that we did a lot in 2019 that we’d never done before and there was a lot of change made. A lot of “back to basics” to reset some things, some pivoting, some chasing of new things that have profound impact on not just us but our customers.</p>
<p>Looking back I feel really good about what was accomplished this year, even if there were some mishaps. I also feel good about finishing <span class="caps">ALDP</span> (Advanced Leadership Development Program), which consumed a lot of time and effort for the first 6 months of the year. Graduating that program was, to me, a huge benefit. Not for my career, although there is that, but for me personally. I learned a lot about myself through that program that I might not have learned otherwise. When you’re stretched to the point where you’re ready to snap — yet stay held together — you learn a lot about what your capacity is, about the load you can bear… even if just for a time (and I certainly wouldn’t recommend doing it for a prolonged period of time!). One of the things I appreciate about Red Hat is the investment in people — growing and stretching leaders in hugely positive ways so that we can take what we learn to then grow and stretch those we are responsible for. Our whole point as leaders is to grow and build people, so programs like this are amazing.</p>
<p>Midway through the year we got our new “parents in blue” and I don’t have much to say about that aside from it made things feel different and challenging at a meta level. The day-to-day didn’t change, at least not for me or my team, but the feeling of no longer being masters of our own destiny was there. Whether this is an accurate statement or just a feeling remains to be seen… I’m well aware that feelings are often wrong so, as they say, the proof is in the pudding. I did get a chance to meet with the <span class="caps">IBM</span> <span class="caps">PSIRT</span> in person which was cool and I think they’re a great crew. We’ll see what that means for the future.</p>
<p>On the personal side of things…. well, life continues to be messy. The health challenges my wife was facing last October are unfortunately back again and we still have no answers. But now we recognize the symptoms and can manage them even if we don’t yet know the underlying cause. Hopefully we will have answers soon this time around. Honestly, the last year with her has been a gift because I know that without God’s intervention she would have died a year ago. It is a bona fide miracle that she was around this year, and I’m immensely grateful for it.</p>
<p>My daughter became an adult this year which has proven to be interesting. All the things the father of a daughter knows is coming are here now — she is her own person and making her own way in the world. I only hope I did a good enough job! She’s shown a lot of grit this year in her own way and while she didn’t do everything the way I would have or wanted her to (makes sense, she is her own person), she’s done pretty good. Especially the last few months of her schooling, I’ve seen her adapt to the new realities of adulthood and I couldn’t be prouder. 2020 will be a good year for her, I think, as she’s getting out the gate well and really wants to do well.</p>
<p>She’s even reading David Allen’s <span class="caps">GTD</span> book which is pretty astonishing =)</p>
<p>Finally, I’ve done far too much traveling this year. Again. I’ve been to <span class="caps">NC</span> twice, Boston three times, Atlanta, Victoria, to the Czech, Israel, and Australia. I actually obtained status with Air Canada which is a bit mind blowing. 2020 is shaping up to be more of the same. The nice thing about having an adult child is that my wife will be able to come with me on some of these trips.</p>
<p>All in all, 2019 was hard — lots of challenges, lots of new things, and a <em>lot</em> of blood, sweat, and tears. But here at the beginning of 2020, I’m grateful because through adversity you find where your true strength lies. And when you’ve found it, and you know it exists, it is something you can always lean on and it will always serve you.</p>
<p>On a final note, years ago I read the 7 Habits of Highly Effective People by Stephen Covey. I cannot recommend this book enough. One of the main things I pulled from that book was to create a set of personal guiding principles, a personal mission statement, that serves as a compass for everything you do. I cannot stress enough how invaluable an exercise like this is. Every circumstance, choice and decision has to stand the test of alignment to that compass. When you have a thousand things coming at you a thousand different ways, having that compass to steer you to your True North is beyond valuable — it’s absolutely critical.</p>
<p>I created the personal mission statement, and then because I’m both a nerd and a Christian, I aligned them to verses from the Bible because I knew that if they were the <em>right</em> things to have, I would find substance to support them in the Bible. I’ve had this for years and I’m not sure whether I shared it before. I’ll share it now as an example of what is my personal mission statement and, perhaps, this may inspire some to figure out what their own compass is.</p>
<ul>
<li>Jesus Christ is first in all things</li>
<li>Seek and merit divine help</li>
<li>Never compromise honesty or integrity</li>
<li>Facilitate the success of those who work with me</li>
<li>Listen twice as much as I speak</li>
<li>Money is my servant, not my master</li>
<li>Be generous with my time and money to those in need</li>
<li>Take an honest interest in the people around me</li>
<li>Always believe the best in and about others</li>
<li>Be courageous in the face of obstacles</li>
<li>Never give up</li>
<li>With God’s help, be the best husband and father that I can be</li>
<li>Maintain discipline and properly manage my time</li>
<li>Control my emotions, never let them control me</li>
</ul>
<p>Cheers, and my hope and prayer is that everyone who reads this has an <em>amazing</em> 2020 of learning, growing, and developing!</p>
<h1 id="replacing-pfsense-with-a-unifi-security-gateway">Replacing pfSense with a Unifi Security Gateway</h1>
<p>Vincent Danen, 2019-12-25T15:00:00-07:00, tag:annvix.com,2019-12-25:/blog/replacing-pfsense-with-a-unifi-security-gateway</p>
<p><img alt="Image" src="https://annvix.com/images/usg-pro4-hero-mobile-01-2x.png" /></p>
<p>I’ve had a Unifi Security Gateway for over a year now but never had the time or patience to make it work properly. Turns out my <span class="caps">ISP</span> <em>really</em> likes to cache <span class="caps">MAC</span> addresses, so getting the <span class="caps">USG</span> to present the pfSense <span class="caps">MAC</span> address solved the problem pretty quickly. The rest of my gear is all Unifi (48 port switch, 3 APs, Cloud Key Gen 2, 4 video cameras) and I love it. Probably the most reliable network gear I have.</p>
<p>The configuration of the <span class="caps">USG</span> is a bit of a <span class="caps">PITA</span> though and finding information is hard because they have <em>so much</em> networking gear out there and it seems they’re all configured in different ways.</p>
<p>This post will share the two important things I needed: first, how to change the <span class="caps">MAC</span> address for the <span class="caps">WAN1</span> port and secondly, restoring similar behaviour to pfSense’s pfBlockerNG utility which blocks all ad-serving systems by replacing their <span class="caps">IP</span> address with 0.0.0.0. Reading a page on macworld.com this morning on my phone made me really sad because of all the ads. I do some surfing outside my home network, rarely… mostly I notice that the weather network app has ads when I’m <em>not</em> home that aren’t present when I <em>am</em> home. But loading that page this morning was an intolerable regression from what I’m accustomed to.</p>
<h2 id="custom-mac-address">Custom <span class="caps">MAC</span> address<a class="headerlink" href="#custom-mac-address" title="Permanent link"> </a></h2>
<p>This is what I needed to do to get my <span class="caps">USG</span> to even talk to the internet and this is what stumped me the few times I had tried before. I probably would have figured it out sooner if I’d had more time and/or patience. At any rate, you need to create a <code>/usr/lib/unifi/data/sites/default/config.gateway.json</code> file with contents similar to the following (assuming you’re using the Cloud Key; if you run the controller software on a different system you’ll have to find the right spot):</p>
<div class="highlight"><pre><span></span>{
    "interfaces": {
        "ethernet": {
            "eth2": {
                "mac": "00:00:00:00:00:00"
            }
        }
    }
}
</pre></div>
<p>Change that <span class="caps">MAC</span> address to whatever you need it to be. Depending on the port, <code>eth2</code> may not be correct. On my <span class="caps">USG</span> 4 Pro, eth2 is the <span class="caps">WAN1</span> port which is what is connected to my cable modem. eth0 is <span class="caps">LAN1</span>. Note that this <code>config.gateway.json</code> file goes on the Cloud Key and once there you need to force-provision the <span class="caps">USG</span> and it will get copied over to it.</p>
<p>You can ssh into the <span class="caps">USG</span> and double-check by grepping for that interface:</p>
<div class="highlight"><pre><span></span>admin@ubnt:/config/user-data$ ip addr|grep -A2 eth2:
4: eth2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue state UP
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 1.1.1.1/22 brd 255.255.255.255 scope global eth2
</pre></div>
<p>If it shows your external <span class="caps">IP</span> (1.1.1.1 in the above) and the right <span class="caps">MAC</span> address (00:00:00:00:00:00 in the above) then you’re good.</p>
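<p>A quick way to confirm that the force-provision actually took, added here as an example and not something from the post or from Ubiquiti: the script below pulls the <span class="caps">MAC</span> for an interface out of <code>ip addr</code> output and out of <code>config.gateway.json</code> and compares the two. Both inputs are passed in as text so the check can be run against captured output; on the gateway you would feed it <code>"$(ip addr)"</code> and the contents of the JSON file. The function names are hypothetical and the sample values are constructed (the MACs are placeholders); only the interface name <code>eth2</code> follows the post.</p>

```shell
#!/bin/sh
# Added example, not from the post: compare the MAC the USG presents on an
# interface with the one configured for it in config.gateway.json.
# Sample inputs below are constructed; function names are hypothetical.

# Print the link-layer address of interface $2 from "ip addr" output in $1.
iface_mac() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $0 ~ ("^[0-9]+: " ifc ":")    { inblock = 1; next }
        /^[0-9]+: /                   { inblock = 0 }
        inblock && $1 == "link/ether" { print tolower($2); exit }'
}

# Print the "mac" value configured for interface $2 in the config.gateway.json
# text in $1. The file has the flat interfaces/ethernet/<iface>/mac layout from
# the post, so a line scan is enough (there is no JSON tool on the USG).
json_mac() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        index($0, "\"" ifc "\"") { inblock = 1; next }
        inblock && /"mac"/ {
            sub(/.*"mac"[^"]*"/, ""); sub(/".*/, ""); print tolower($0); exit }'
}

# Return 0 when the configured and the live MAC agree, 1 otherwise
# (also 1 when either side is missing, so a typo in the JSON is not a pass).
mac_check() {  # $1: ip addr output, $2: config.gateway.json text, $3: iface
    want=$(json_mac "$2" "$3")
    have=$(iface_mac "$1" "$3")
    [ -n "$want" ] && [ -n "$have" ] && [ "$want" = "$have" ]
}

# Constructed sample data mirroring the post's layout (placeholder MACs).
SAMPLE_JSON='{
    "interfaces": {
        "ethernet": {
            "eth2": {
                "mac": "02:00:00:AA:BB:CC"
            }
        }
    }
}'
SAMPLE_IP_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:00:00:11:22:33 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:00:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff
    inet 1.1.1.1/22 brd 255.255.255.255 scope global eth2'

if mac_check "$SAMPLE_IP_ADDR" "$SAMPLE_JSON" eth2; then
    echo "eth2 MAC matches config.gateway.json"
else
    echo "eth2 MAC does NOT match config.gateway.json; re-provision the USG" >&2
fi
```

<p>The comparison is case-insensitive because the controller writes whatever case you typed into the JSON while <code>ip</code> prints lower case; a mismatch after provisioning usually means the file is in the wrong place for your controller or the provision has not been pushed yet.</p>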
<h2 id="pfblockerng-like-ad-blocking">pfBlockerNG-like ad blocking<a class="headerlink" href="#pfblockerng-like-ad-blocking" title="Permanent link"> </a></h2>
<p>This one is easy enough and the credit comes from this article: <a href="https://medium.com/server-guides/how-to-integrate-ad-blocking-using-a-unifi-usg-a165dc2233c1">How to integrate ad blocking using a Unifi <span class="caps">USG</span></a>.</p>
<p>You can get the instructions from there, but the <code>update-adblock-dnsmasq.sh</code> script I’ll include below has been updated to suit me better. For one, the original uses an old <span class="caps">URL</span> for the block list. Secondly, I don’t like the idea of calling out to the internet with curl as root, so I changed that. Finally, I also made sure it validates the dnsmasq configuration before it restarts.</p>
<div class="highlight"><pre><span></span>#!/bin/bash
#
# original writeup: https://medium.com/server-guides/how-to-integrate-ad-blocking-using-a-unifi-usg-a165dc2233c1
#
# note this script needs to run as root, but that doesn't mean everything
# has to run as root
if [ "$(whoami)" != "root" ]; then
    echo "Script must be run as root"
    exit 1
fi
ad_list_url="https://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&amp;showintro=0&amp;mimetype=plaintext"
# The IP address below should point to the IP of your router or to 0.0.0.0
pixelserv_ip="0.0.0.0"
ad_file="/etc/dnsmasq.d/dnsmasq.adlist.conf"
# the download runs as nobody into a temp file that nobody owns; the temp
# file is removed on exit whether or not the update succeeds
temp_ad_file=$(su -c "mktemp /tmp/nobody.XXXXXX" nobody)
if [ -z "${temp_ad_file}" ]; then
    echo "Could not create a temporary file"
    exit 1
fi
trap 'rm -f "${temp_ad_file}"' EXIT
# curl -f fails on HTTP errors and the -s test rejects an empty file, so a
# failed download is never installed as an (empty) block list
if sudo -u nobody curl -fsS -o "${temp_ad_file}" "${ad_list_url}" &amp;&amp; [ -s "${temp_ad_file}" ]; then
    # point the blocked names at pixelserv_ip and drop the entries that
    # are not to be blocked
    sed -i -e "s/127\.0\.0\.1/${pixelserv_ip}/" \
        -e '/googleadservices\.com/d' \
        -e '/doubleclick\.net/d' \
        -e '/awin1\.com/d' "${temp_ad_file}"
    cp -f "${temp_ad_file}" "${ad_file}"
    chmod 644 "${ad_file}"
else
    echo "Error building the ad list, please try again."
    exit 1
fi
# before restarting, test the validation so we can remove the ad file if
# it's going to cause problems
if dnsmasq --test &gt;/dev/null 2&gt;&amp;1; then
    /etc/init.d/dnsmasq force-reload
else
    rm -f "${ad_file}"
    echo "Removing ad configuration due to validation errors"
    exit 1
fi
</pre></div>
<p>As the article notes, this should be placed in <code>/config/user-data/</code> where you can run it the first time using <code>sudo sh -x update-adblock-dnsmasq.sh</code> so you can see what it does and if it spits out any errors. When that’s done, I added it to root’s crontab: <code>sudo crontab -e</code>.</p>
<div class="highlight"><pre><span></span>admin@ubnt:/config/user-data$ sudo crontab -l
0 */24 * * * /opt/unifi/ips/bin/getsig.sh
56 4 * * 6 /config/user-data/update-adblock-dnsmasq.sh
</pre></div>
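<p>One thing the script above does not do, and what follows is an added example rather than part of the post’s script or the original writeup: it trusts whatever the upstream list returns and installs it as dnsmasq configuration with root privileges. <code>dnsmasq --test</code> catches syntax errors, but a syntactically valid list that happened to carry other directives (a <code>conf-file=</code> line, say) would pass it. The functions below, whose names are hypothetical and which run over a constructed sample list, keep only well-formed <code>address=/domain/ip</code> lines, apply the same sink-address rewrite and the same three deletions as the post’s script, and refuse to install an empty result:</p>

```shell
#!/bin/sh
# Added example, not part of the post's script: sanitise a dnsmasq-format
# block list before it is dropped into /etc/dnsmasq.d. Only well-formed
# "address=/<domain>/<ip>" lines survive, so any other dnsmasq directive in
# the downloaded text never reaches the resolver's configuration.
# The sample list below is constructed; the function names are hypothetical.

# Rewrite the sink address and keep only address= lines with a plausible
# hostname and a dotted-quad IP. $1: downloaded list, $2: sink IP (0.0.0.0 in
# the post). The three domains dropped are the ones the post's script deletes.
sanitize_adlist() {
    sed -e "s/127\.0\.0\.1/$2/" "$1" \
    | grep -E '^address=/[A-Za-z0-9._-]+/[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
    | grep -Ev 'googleadservices\.com|doubleclick\.net|awin1\.com'
}

# Count the address= entries in a sanitised list; zero means the download
# or the filter went wrong and nothing should be installed.
adlist_entries() {
    grep -c '^address=/' "$1"
}

# Install $1 as $2 only when it still carries entries, so a bad download
# cannot silently replace a working block list with an empty one.
install_adlist() {
    if [ "$(adlist_entries "$1")" -gt 0 ]; then
        cp -f "$1" "$2" && chmod 644 "$2"
    else
        echo "refusing to install an empty block list" >&2
        return 1
    fi
}

# Constructed sample of what an upstream list might return, including two
# lines that a plain "replace 127.0.0.1" rewrite would pass straight through.
SAMPLE_LIST='# block list (constructed sample)
address=/ads.example.com/127.0.0.1
address=/tracker.example.net/127.0.0.1
address=/stats.doubleclick.net/127.0.0.1
conf-file=/tmp/not-a-block-list.conf
address=/bad host/127.0.0.1
address=/metrics.example.org/127.0.0.1'

demo() {
    raw=$(mktemp) && clean=$(mktemp) && target=$(mktemp)
    printf '%s\n' "$SAMPLE_LIST" > "$raw"
    sanitize_adlist "$raw" 0.0.0.0 > "$clean"
    cat "$clean"
    install_adlist "$clean" "$target" && echo "installed $(adlist_entries "$target") entries"
    rm -f "$raw" "$clean" "$target"
}
demo
```

<p>On the sample list this leaves three entries: the comment, the <code>conf-file=</code> line and the entry with a space in its name are dropped by the pattern, and the doubleclick entry by the same deletion the post’s script makes. Slotting <code>sanitize_adlist</code> between the download and the <code>cp</code> in the post’s script, with the <code>dnsmasq --test</code> step kept as the last line of defence, is the only change needed to use it there.</p>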
<p>The final question is why change from pfSense to <span class="caps">USG</span>? Honestly, I <em>love</em> pfSense. It is one of the best firewalls out there and arguably better than the <span class="caps">USG</span>. But the <span class="caps">USG</span> ties in so nicely with the <span class="caps">UI</span> and dashboards with the rest of my Unifi gear. With the <span class="caps">USG</span> I can get deep packet inspection and threat monitoring and it’s all in one spot. Yeah, I can get a lot of the same with pfSense but it’s disjointed and as I’m getting, ahem, older and with much less time on my hands (as is evident from the fact that I really only blog around Christmas and my other times off!) I don’t want to fiddle as much. My fiddle time is reserved for <span class="caps">LEGO</span> these days =) </p>
<p>Not firewalls.</p>
<p>However, now that I have this thing working more or less the way that I want to, I’m sure I’ll be making more time to fiddle… at least in the next week and a half! Hopefully this is helpful to others thinking about either switching or standing up a <span class="caps">USG</span> of their own.</p>
<h1 id="replaced-gpg-key-2019">Replaced GPG key (2019)</h1>
<p>Vincent Danen, 2019-11-18T05:00:00-07:00, tag:annvix.com,2019-11-18:/blog/replaced-gpg-key-2019</p>
<p>I recently got another YubiKey and, due to poor handling of the old key (I can’t load it onto the new card), I’ve generated a new key. I’ve revoked my old 2017 key (key id <code>0xBD51CB9670DF9DE7</code>) and replaced it with my new key (key id <code>0xDAE4D06F77191ACD</code>).</p>
<p>My new key …</p><p>I recently got another yubikey and due to poor handling of the old key (can’t load it onto the new card) I’ve generated a new key. I’ve revoked my old 2017 key (key id <code>0xBD51CB9670DF9DE7</code>) and replaced with my new key (key id <code>0xDAE4D06F77191ACD</code>)</p>
<p>My new key’s fingerprint is:</p>
<div class="highlight"><pre><span></span>AD05 74F1 0BC3 E41D 3D8E 78FD DAE4 D06F 7719 1ACD
</pre></div>
<p>and it is signed with the old (revoked) key. You can download the key directly <a href="https://annvix.com/static/vdanen.asc">from me</a> or <a href="https://keys.openpgp.org/search?q=vdanen%40annvix.com">from keys.openpgp.org</a>.</p>What Makes Red Hat Enterprise Linux So Secure (Video)2019-10-03T16:00:00-06:002019-10-03T16:00:00-06:00Vincent Danentag:annvix.com,2019-10-03:/blog/what-makes-red-hat-enterprise-linux-so-secure-video<p><img alt="Image" src="https://annvix.com/images/redhat.png" /></p>
<p>I had a great opportunity this summer to be interviewed by <a href="https://www.telecomtv.com/">TelecomTV</a>. It feels a little weird to post this here since I don’t typically “self-promote” in any way, however this was a neat experience and I think the points are good. If you’ve been looking at my blog for any length of time you know I don’t typically write directly about the things I do at Red Hat, but since this was made for public consumption anyways…</p>
<p>Hope you will find it interesting!</p>
<iframe width="560" height="315" src="https://www.youtube.com/embed/Nv26sRatRPw" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>Moving from python 2 to python 32019-09-01T21:00:00-06:002019-09-01T21:00:00-06:00Vincent Danentag:annvix.com,2019-09-01:/blog/moving-from-python-2-to-python-3<p><img alt="Image" src="https://annvix.com/images/python-logo2x.png" /></p>
<p>With my move to PythonAnywhere a few weeks back, I got my Flask-based applications up and running quite easily (I have two, this blog and another application). Then I had a bit of a heart attack on Friday realizing that Python 2 will be <span class="caps">EOL</span> at the end of the year. I guess I’ve been hiding under a rock and far too busy with my other work — I’ve not done much coding in a few years now. At any rate, this caused a bit of a late-night panic for me so I spent Saturday thinking I would start converting both applications to Python 3.</p>
<p>To my surprise, I completed both on Saturday as well. I was expecting to have to refactor and potentially rewrite more than I did, so come Saturday night I was more than pleased to realize that both were done and working as expected. There weren’t even a lot of things that needed to be changed so if I’m being honest, more time was spent refactoring code to silence pylint warnings than actually getting things to work with Python 3.7. There were obvious things like using <code>print('foo')</code> instead of <code>print 'foo'</code> and I found the <a href="http://python-future.org/compatible_idioms.html#compatible-idioms">Cheat Sheet: Writing Python 2-3 compatible code</a> to be exceptionally helpful.</p>
<p>This is a list of all I really needed to change:</p>
<ul>
<li><code>print 'foo'</code> to <code>print('foo')</code></li>
<li><code>urllib.urlencode()</code> to <code>urllib.parse.urlencode()</code></li>
<li>needing to <span class="caps">UTF</span>-8 encode a string before using hashlib on it, so <code>hashlib.md5(self.email.lower()).hexdigest()</code> becomes <code>hashlib.md5(self.email.lower().encode('utf-8')).hexdigest()</code></li>
<li><code>ConfigParser</code> became <code>configparser</code></li>
<li>sgmllib is gone, so someone helpfully made sgmllib3k, which will work for now, but I’ll likely need to find a solution for the future since it won’t be maintained</li>
<li><code>unicode()</code> to <code>str()</code></li>
<li>and using BeautifulSoup4 rather than BeautifulSoup</li>
</ul>
<p>All in all, it was relatively painless and there wasn’t a lot that needed to be changed.</p>
<p>There are probably a ton of little scripts that need to be updated, especially for the print changes, but this gives me some peace knowing it’s not going to be that difficult to change existing Python 2 scripts to Python 3. For some reason I figured this would be a terrible thing to have to do (like the stories I’ve heard about Perl 5 to 6). Turns out it was not bad at all.</p>
<p>I was looking at doing things like <code>'Some {} to print'.format(thing)</code> vs using <code>'Some %s to print' % thing</code> but after some poking around and looking in particular at <a href="https://stackoverflow.com/questions/5082452/string-formatting-vs-format">this StackOverflow question</a> I figured that some things still work and are better left alone. I’m sure there are a ton of optimizations and things I can do to make my code better now that it’s running on Python 3, but that’s stuff I can do in the future be it another Saturday spent hacking on some code or over Christmas holidays.</p>Moved to PythonAnywhere2019-08-12T02:00:00-06:002019-08-12T02:00:00-06:00Vincent Danentag:annvix.com,2019-08-12:/blog/moved-to-python-anywhere<p><img alt="Image" src="https://annvix.com/images/logo-234x35.png" /></p>
<p>Just a quick note that I’ve moved my blog from Liquid Web (which used to be WiredTree) since I didn’t really need a full blown <span class="caps">VPS</span> anymore. I was looking at a number of different solutions to host this blog, given it’s python-based and, after a lot of reading and reviews, I settled on PythonAnywhere and so far I’m pretty happy. Between CloudFlare for <span class="caps">DNS</span> and PythonAnywhere to do the actual hosting we’ll see how it goes for the next month and if all is good… well, I’ll save a pile of money each month which is always a good thing. =)</p>2018: A Retrospective - Resilience2018-12-28T12:00:00-07:002018-12-28T12:00:00-07:00Vincent Danentag:annvix.com,2018-12-28:/blog/2018-a-retrospective-resilience<p><img alt="Image" src="https://annvix.com/images/apple-on-tree.jpeg" /></p>
<p>As I sit here taking my first real break of the year, suffering with fever, chills and a ridiculously stuffy nose that has lasted since before the holidays began, I turn once again to a retrospective of 2018 after reading the <a href="https://annvix.com/blog/2017-a-retrospective">one I wrote last year</a>. Once again, life provided no shortage of “interesting things” this year and since I appear to be doing this on an annual basis (and enjoying looking back), why break with a new(ish) tradition?</p>
<p>If I had to define this last year with a word it would be <em>resilience</em>.</p>
<p>I have a couple other choice words for 2018. Crazy. Insane. Busy. Challenging. Frustrating. Stressful. The list could go on, but I don’t like any of those words because they just define the period in time. I like <em>resilience</em> because it defines <em>me</em>. How I handled all of those other choice words is summed up in this one.</p>
<p>2018 was going to be a challenging year, without a doubt. I knew that towards the end of last year when I found out I would be leading the Red Hat Product Security team, at least on an interim basis. I started 2018 as the interim Director of the team and the only things in my favour were experience and a crap-ton of tenacity and determination. It was not a given thing that I would remain in this role (I did not know if I wanted it, or if it wanted me). Before taking this role I had spoken with my new manager once for about five minutes, three years prior. He was a new unknown. My new peers were entirely unknown. Would I like working with them? I have this thing about working relationships, so knowing the answer to this question was important for me. Thankfully, they’re all awesome, a really great group of people. My new boss is fantastic and I really enjoy working for him. But this was a great unknown for me given I had reported to my predecessor for 9 years; he was an amazing boss and it was a distinct honour to work for him. I’d changed roles a few times in Product Security in the last few years but my manager was my single constant throughout that time.</p>
<p>At any rate, I also went with some friends from our church and my family to take a 2.5 week tour of Israel, Egypt and Jordan which was awesome. It was time off but I think I “worked” harder on that trip than I do at work (at least insofar as the walking is concerned!). Shortly after we came back, it was to the permanency of my role within Red Hat Product Security.</p>
<p>Which kicked off a whole new level of responsibility and ownership for a team that I have had the amazing privilege of working with for almost a decade. There was a ton to learn, a whole world of “stuff” that I never had to think about before. The weight of this responsibility settled on my shoulders and I think it actually settled pretty well. At least it felt <em>comfortable</em>. Hard to describe, honestly, but I never felt overwhelmed. Out of my depth at times, certainly. There were days that the “imposter syndrome” felt very very real. And this year I pushed harder, worked harder, worked longer, than I ever had before in the past. And while there were weeks that felt really rough and were really draining, I didn’t ever feel empty or drained. I think the sheer challenge in and of itself energized me.</p>
<p>Suffice it to say, from a work perspective, this was a very busy, very challenging, but very <em>fulfilling</em> year. I found how to be resilient and adapt to the change and come out of it at the end of the year better than I went into it.</p>
<p>On the personal side, things this year were also tough. There were some really significant medical things to deal with, from a family member suffering with depression, to another with acute pancreatitis, to another with a bleed in the brain, and finally to my own wife who by the doctors’ accounts really shouldn’t be celebrating Christmas with us this year (but who, by the grace of God, is!). Thankfully all of these are either resolved or looking so much better, but this was a real personal strain on me this year, while at the same time trying to lead my amazing team and grow into the role I thought I would have had a lot more time to prepare for.</p>
<p>Either one of these personal or professional scenarios on its own is pretty tough. When you throw both of them together, it’s been one heck of a year. But here I sit, writing this at the end of the year, looking back on all of these challenges and feeling no worse for it. (I do actually feel worse right now having gotten my daughter’s cold.)</p>
<p>I was having a conversation with some other leaders in Red Hat earlier this month as part of the <span class="caps">ALDP</span> (Advanced Leadership Development Program) that I am in, and we were talking about resiliency. Resilience was defined as: <em>how quickly and effectively you are able to take steps that are positive and moving forward in the face of adversity or challenges</em>. Without that conversation and that definition, I probably wouldn’t have defined 2018 by <em>resilience</em>. However when I look back over the last year, it simply must be defined that way.</p>
<p>What’s the purpose behind sharing this? Well, I’ve learned that resilience isn’t necessarily something that you’re born with and it can certainly be learned. Like a muscle exercised over time you can grow your resilience. I look at 2018 as setting me up to handle the challenges I’m sure to be facing ahead (without pointing to the big… ummm… “purple elephant” in the room). This muscle has been exercised a lot this year. With the perspective of time and distance, I can honestly say that it is stronger now (and was probably stronger than I thought to begin with). I imagine this is true for most of those reading this if you’re honest with yourself. None of us thinks we can do it until we’re put into a position where we have no choice <em>but</em> to do it. The amazing adaptability of humans will never cease to amaze me.</p>
<p>One thing I’ve realized is that the world is much more volatile and the pace of change is increasing. We all <em>need</em> to be more resilient in this volatile, uncertain and ever-changing environment. Heraclitus, a Greek philosopher, once said, “Change is the only constant.” How true this is. Jesus, in Matt 6:34 said, “Therefore do not worry about tomorrow, for tomorrow will worry about itself. Each day has enough trouble of its own.” This too is absolutely true.</p>
<p>We can paralyze ourselves with what-ifs. All we can really do is take care of today and prepare for tomorrow. Worrying and stressing about it, or what it might bring, does us no good. Doing the best that you can <em>today</em> is all anyone can ever ask and honestly it’s all you can deliver. You can’t deliver tomorrow today, so why worry about it? Show up at your best today and worry about tomorrow, well, tomorrow.</p>
<p>Finally, I think a lot of what kept me going through everything this year boils down to a number of factors. First and foremost is my relationship with Jesus. I am simply no good without Him. Secondly, the faith and support of my amazing wife who put up with a 390% increase in travel this year compared to last year, not to mention a 50% increase in time spent working. I am simply no good without her. And finally to my amazing team, who put up with me for more hours a week than they probably should have had to and who do such a stellar job and, for the most part, make my job pretty straightforward. I could not do what I do without them.</p>
<p>I said last year that I would blog more. That didn’t happen, unfortunately. I make no promises for next year… we’ll see what happens. I hope everyone had an amazing Christmas with friends and family, as well as a safe and prosperous New Year!</p>Using LetsEncrypt with Plex2018-12-24T10:00:00-07:002018-12-24T10:00:00-07:00Vincent Danentag:annvix.com,2018-12-24:/blog/using-letsencrypt-with-plex<p><img alt="Image" src="https://annvix.com/images/plex-plex.png" /></p>
<p>The other day I blogged about using LetsEncrypt with FreeNAS. There were another two things around the house that I wanted to have proper <span class="caps">SSL</span> certificates on: my Plex server and the Unifi Controller. The latter looks like far too much effort to go through, but I did get it up and running for Plex pretty quickly this morning. Since I also used the same CloudFlare-based <span class="caps">API</span> updates for <span class="caps">DNS</span>, this one goes through a bit more detail than the previous post simply because I had to go through it again and could capture the steps along the way.</p>
<p>One thing to keep in mind is that my Plex server runs in an iocage jail on FreeNAS so if you’re running Plex on Linux it will look a bit different since this is FreeBSD-based. One notable thing is that md5sum, which I needed to use, is apparently not something that FreeBSD provides by default (who knew?) so you’ll need to <code>pkg install coreutils</code> and use gmd5sum if you happen to be using FreeBSD (on most Linux distros you simply get md5sum as part of the base install).</p>
<p>The first step is to install the acme.sh client that will obtain the LetsEncrypt certificates. We’ll check it out from git since I prefer to read shell scripts before I run them, particularly when doing so as root.</p>
<div class="highlight"><pre><span></span># cd /root
# git clone https://github.com/Neilpang/acme.sh.git
# cd acme.sh
# ./acme.sh --install
</pre></div>
<p>You now want to exit the shell or reload the environment to pick up the environment that the installer set up. At this point you’ll also want to get your CloudFlare <span class="caps">API</span> key. Below we’ll assume the hostname for the Plex server is “plex.hostname.com”. Once you’ve reloaded your environment (logging out and back in works):</p>
<div class="highlight"><pre><span></span><span class="c1"># export CF_KEY="[API key from CloudFlare]"</span>
<span class="c1"># export CF_Email="[CloudFlare login email address]"</span>
<span class="c1"># cd /root/.acme.sh</span>
<span class="c1"># ./acme.sh --issue --dns dns_cf -d plex.hostname.com</span>
</pre></div>
<p>This will take a little over two minutes to run. Once it has completed, if it is successful, your certificates will be in <code>/root/.acme.sh/plex.hostname.com/</code>. Also note that these commands are not run in the git repo we checked out; you can remove that repo if you want to, you won’t use it again unless you want to keep the acme.sh script up to date. The directory to run the script is <code>/root/.acme.sh</code> (note the initial dot in the directory name).</p>
<p>The next step is to create a <span class="caps">PKCS</span> #12 certificate file, an archive format that stores the server certificate, private key, and any intermediate certificates in a single, passphrase-protected binary file. These files usually have a p12 or pfx extension, however Plex seems to prefer pkfx. We will use openssl to combine the files that acme.sh produced into one file for Plex to use. Since the file is encrypted, we need to give openssl a passphrase, which we will tell Plex about later. In this example, the passphrase is “foo”.</p>
<div class="highlight"><pre><span></span><span class="c1"># openssl pkcs12 -export -out plex-certificate.pkfx \</span>
<span class="w"> </span><span class="o">-</span><span class="n">inkey</span><span class="w"> </span><span class="n">plex</span><span class="o">.</span><span class="n">hostname</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">key</span><span class="w"> </span>\
<span class="w"> </span><span class="o">-</span><span class="ow">in</span><span class="w"> </span><span class="n">plex</span><span class="o">.</span><span class="n">hostname</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">cer</span><span class="w"> </span>\
<span class="w"> </span><span class="o">-</span><span class="n">certfile</span><span class="w"> </span><span class="n">fullchain</span><span class="o">.</span><span class="n">cer</span><span class="w"> </span>\
<span class="w"> </span><span class="o">-</span><span class="n">passout</span><span class="w"> </span><span class="k">pass</span><span class="p">:</span><span class="n">foo</span>
</pre></div>
<p>This will create a <code>plex-certificate.pkfx</code> file in the current directory. I moved this file to <code>/usr/local/etc/</code> although you can put it anywhere that the Plex server will be able to get at. Next, go to the Plex web <span class="caps">UI</span> and navigate to <em>Settings</em> -> <em>Server</em> -> <em>Network</em> and then click <em>Show Advanced</em>. You will be able to enter the following values as per our example above:</p>
<ul>
<li>Custom certificate location: <strong>/usr/local/etc/plex-certificate.pkfx</strong></li>
<li>Custom certificate encryption key: <strong>foo</strong> (the password)</li>
<li>Custom certificate domain: <strong>https://plex.hostname.com:32400</strong></li>
</ul>
<p>I would also suggest keeping <em>Secure connections</em> to Preferred, at least for now, to ensure you don’t get locked out if something goes wrong.</p>
<p>At this point, you should be able to navigate to your Plex web <span class="caps">UI</span> using <span class="caps">HTTPS</span> rather than <span class="caps">HTTP</span>. You shouldn’t have to restart the Plex server. If all works well and you get no errors or insecure warnings in your web browser, we can then turn to automating certificate renewals.</p>
<p>The acme.sh install put an entry into cron which runs daily:</p>
<div class="highlight"><pre><span></span><span class="mf">16</span><span class="w"> </span><span class="mf">0</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="s">"/root/.acme.sh"</span><span class="o">/</span><span class="n">acme</span><span class="mf">.</span><span class="n">sh</span><span class="w"> </span><span class="o">--</span><span class="n">cron</span><span class="w"> </span><span class="o">--</span><span class="n">home</span><span class="w"> </span><span class="s">"/root/.acme.sh"</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">null</span>
</pre></div>
<p>We want to change this because we have to create the <span class="caps">PKCS</span> #12 file out of the acme.sh output. We’ll create a wrapper that will run the above command and if we find any changes, will create the needed certificate file, put it in place, and restart the Plex server. Because we’re using CloudFlare and doing updates via the <span class="caps">API</span> key (which acme.sh dutifully stored for us as part of the configuration information for this host), this will be a very simple script to write.</p>
<p>You can call the script whatever you like and put it wherever you like, I created <code>/root/update-plex-cert.sh</code> with the following contents:</p>
<div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal"> 1</span>
<span class="normal"> 2</span>
<span class="normal"> 3</span>
<span class="normal"> 4</span>
<span class="normal"> 5</span>
<span class="normal"> 6</span>
<span class="normal"> 7</span>
<span class="normal"> 8</span>
<span class="normal"> 9</span>
<span class="normal">10</span>
<span class="normal">11</span>
<span class="normal">12</span>
<span class="normal">13</span>
<span class="normal">14</span>
<span class="normal">15</span>
<span class="normal">16</span>
<span class="normal">17</span>
<span class="normal">18</span>
<span class="normal">19</span>
<span class="normal">20</span>
<span class="normal">21</span>
<span class="normal">22</span>
<span class="normal">23</span>
<span class="normal">24</span>
<span class="normal">25</span>
<span class="normal">26</span></pre></div></td><td class="code"><div><pre><span></span><span class="ch">#!/bin/sh</span>
<span class="nv">HOST</span><span class="o">=</span><span class="s2">"plex.hostname.com"</span>
<span class="nv">ACMEHOME</span><span class="o">=</span>/root/.acme.sh
<span class="nv">CERTDIR</span><span class="o">=</span><span class="si">${</span><span class="nv">ACMEHOME</span><span class="si">}</span>/<span class="si">${</span><span class="nv">HOST</span><span class="si">}</span>/
<span class="nv">CERTPASS</span><span class="o">=</span><span class="s2">"foo"</span>
<span class="nv">DESTDIR</span><span class="o">=</span><span class="s2">"/usr/local/etc/"</span>
<span class="nv">PKFXFILE</span><span class="o">=</span><span class="s2">"plex-certificate.pkfx"</span>
<span class="nv">TMPFILE</span><span class="o">=</span><span class="k">$(</span>mktemp<span class="k">)</span>
gmd5sum<span class="w"> </span><span class="si">${</span><span class="nv">CERTDIR</span><span class="si">}</span>/<span class="si">${</span><span class="nv">HOST</span><span class="si">}</span>.cer<span class="w"> </span>><span class="si">${</span><span class="nv">TMPFILE</span><span class="si">}</span>
<span class="si">${</span><span class="nv">ACMEHOME</span><span class="si">}</span>/acme.sh<span class="w"> </span>--cron<span class="w"> </span>--home<span class="w"> </span><span class="si">${</span><span class="nv">ACMEHOME</span><span class="si">}</span>
gmd5sum<span class="w"> </span>-c<span class="w"> </span><span class="si">${</span><span class="nv">TMPFILE</span><span class="si">}</span>
<span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="s2">"</span><span class="nv">$?</span><span class="s2">"</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s2">"0"</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="c1"># nothing has changed</span>
<span class="w"> </span>rm<span class="w"> </span>-f<span class="w"> </span><span class="si">${</span><span class="nv">TMPFILE</span><span class="si">}</span>
<span class="w"> </span><span class="nb">exit</span><span class="w"> </span><span class="m">0</span>
<span class="k">fi</span>
openssl<span class="w"> </span>pkcs12<span class="w"> </span>-export<span class="w"> </span>-out<span class="w"> </span><span class="si">${</span><span class="nv">DESTDIR</span><span class="si">}</span>/<span class="si">${</span><span class="nv">PKFXFILE</span><span class="si">}</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span>-inkey<span class="w"> </span><span class="si">${</span><span class="nv">CERTDIR</span><span class="si">}</span>/<span class="si">${</span><span class="nv">HOST</span><span class="si">}</span>.key<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>-in<span class="w"> </span><span class="si">${</span><span class="nv">CERTDIR</span><span class="si">}</span>/<span class="si">${</span><span class="nv">HOST</span><span class="si">}</span>.cer<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>-certfile<span class="w"> </span><span class="si">${</span><span class="nv">CERTDIR</span><span class="si">}</span>/fullchain.cer<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>-passout<span class="w"> </span>pass:<span class="si">${</span><span class="nv">CERTPASS</span><span class="si">}</span>
chmod<span class="w"> </span><span class="m">644</span><span class="w"> </span><span class="si">${</span><span class="nv">DESTDIR</span><span class="si">}</span>/<span class="si">${</span><span class="nv">PKFXFILE</span><span class="si">}</span>
rm<span class="w"> </span>-f<span class="w"> </span><span class="si">${</span><span class="nv">TMPFILE</span><span class="si">}</span>
service<span class="w"> </span>plexmediaserver_plexpass<span class="w"> </span>restart
</pre></div></td></tr></table></div>
<p>Once the script is saved, make it executable and then edit the crontab entry to point to the new script. You may need to tweak a few things for your operating system: on FreeBSD the script uses <code>gmd5sum</code>, but on Linux you’d use <code>md5sum</code>, and the service name likely needs to change to match your Plex media server’s service.</p>
<div class="highlight"><pre><span></span><span class="gh">#</span> chmod 700 /root/update-plex-cert.sh
<span class="gh">#</span> crontab -e
<span class="gh">#</span> crontab -l
16 0 <span class="gs">* *</span> * /root/update-plex-cert.sh > /dev/null
</pre></div>
<p>That’s it! You can give it a try to see how it would work by modifying the script to force the update by using:</p>
<div class="highlight"><pre><span></span><span class="cp">${</span><span class="n">ACMEHOME</span><span class="cp">}</span>/acme.sh<span class="w"> </span>--cron<span class="w"> </span>--force<span class="w"> </span>--home<span class="w"> </span><span class="cp">${</span><span class="n">ACMEHOME</span><span class="cp">}</span>
</pre></div>
<p>and running the script (using <code>sh -x /root/update-plex-cert.sh</code> is a great way to see what it is doing). You should see it obtain a new certificate and everything that follows. Restart your browser and connect to the Plex web <span class="caps">UI</span>, examine the certificate details and you should see a later date than the first time you did it. If that works, be sure to remove <code>--force</code> or you’ll be updating the certificate every day.</p>
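<p>The wrapper above trusts whatever acme.sh left on disk and restarts Plex straight away. What follows is an added example, not code from the post or from the acme.sh project, that breaks the same flow into checkable functions and adds the checks worth having before a bundle is swapped in: the certificate’s SHA-256 fingerprint (rather than a file checksum) decides whether anything changed, the private key is confirmed to match the certificate, the new PKCS #12 file is verified with its passphrase before it replaces the old one, and the bundle is written under a restrictive umask. It assumes a POSIX sh and openssl, and uses a constructed self-signed certificate in a temporary directory as a stand-in for the acme.sh output directory; the <code>hook</code> argument is a placeholder for a wrapper around <code>acme.sh --cron</code>. The hostname plex.hostname.com and the passphrase foo are the post’s placeholders.</p>

```shell
#!/bin/sh
# Added example (not from the post or acme.sh): verify-then-swap logic for a
# Plex PKCS #12 bundle. Assumes POSIX sh + openssl; runs fully offline.
set -eu

# Stand-in for acme.sh output: a constructed self-signed key/cert pair named the
# way acme.sh names its files (<host>.key, <host>.cer, fullchain.cer).
make_fake_acme_output() {
    fdir=$1; fhost=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$fdir/$fhost.key" \
        -out "$fdir/$fhost.cer" -days 90 -subj "/CN=$fhost" >/dev/null 2>&1
    cp "$fdir/$fhost.cer" "$fdir/fullchain.cer"   # no intermediates in this stand-in
}

# SHA-256 fingerprint of the leaf certificate: a change here means a real renewal
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True when the public key in certificate $1 matches private key $2;
# comparing public keys works for RSA and EC keys alike.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# True when certificate $1 is still valid for at least $2 more days
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Build bundle $3 from $1/$2.* with passphrase $4; the umask keeps it owner-only
build_pkcs12() {
    ( umask 077
      openssl pkcs12 -export -out "$3" -inkey "$1/$2.key" -in "$1/$2.cer" \
          -certfile "$1/fullchain.cer" -passout "pass:$4" )
}

# True when bundle $1 parses and its MAC verifies with passphrase $2
verify_pkcs12() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# Run the renew hook ($5, called with dir and host), then rebuild the bundle only
# if the certificate changed and every check passes.
# Returns 0 = bundle replaced (restart Plex), 1 = unchanged, 2 = key/cert
# mismatch, 3 = new bundle failed verification (old bundle left untouched).
refresh_bundle_if_changed() {
    dir=$1; host=$2; bundle=$3; pass=$4; hook=$5
    before=$(cert_fingerprint "$dir/$host.cer")
    "$hook" "$dir" "$host"
    after=$(cert_fingerprint "$dir/$host.cer")
    [ "$before" != "$after" ] || return 1
    key_matches_cert "$dir/$host.cer" "$dir/$host.key" || return 2
    build_pkcs12 "$dir" "$host" "$bundle.new" "$pass"
    if ! verify_pkcs12 "$bundle.new" "$pass"; then
        rm -f "$bundle.new"; return 3
    fi
    mv "$bundle.new" "$bundle"   # atomic replace: a good bundle is never half-written
}

# Demo with the post's placeholder host and passphrase in a scratch directory
demo() {
    work=$(mktemp -d)
    make_fake_acme_output "$work" plex.hostname.com
    build_pkcs12 "$work" plex.hostname.com "$work/plex-certificate.pkfx" foo
    if refresh_bundle_if_changed "$work" plex.hostname.com \
            "$work/plex-certificate.pkfx" foo make_fake_acme_output; then
        echo "certificate changed and bundle verified: restart Plex"
    else
        echo "no restart needed (status $?)"
    fi
    rm -rf "$work"
}
demo
```

<p>In the real cron wrapper the hook would run <code>acme.sh --cron</code> and the caller would restart Plex only on status 0, so a failed renewal or a corrupt bundle leaves the working certificate in place. The post’s script makes the bundle world-readable with <code>chmod 644</code> because Plex runs as its own user; a tighter option is to <code>chown</code> the file to that user and keep it at mode 600, or 640 with Plex’s group.</p>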
<p>All told, this is pretty straightforward and hopefully helpful to someone out there (including future-me).</p>Using LetsEncrypt on FreeNAS2018-12-22T11:00:00-07:002018-12-22T11:00:00-07:00Vincent Danentag:annvix.com,2018-12-22:/blog/using-letsencrypt-on-freenas<p><img alt="Image" src="https://annvix.com/images/freenas.jpg" /></p>
<p>Last week my LetsEncrypt certificate expired on FreeNAS, which effectively locked me out of the FreeNAS <span class="caps">UI</span> when using Chrome (my default browser). Thinking perhaps that I had forgotten something during my upgrade to FreeNAS 11.2, I set out to figure out what the problem was, only to realize two things: one, I hadn’t set up a cron job to renew it and two, I didn’t blog about it.</p>
<p>Usually I write blogs primarily for my benefit on these things so that I can go back and look at some of the things I’ve done. So this is an attempt to repair that and record information for future-me, although perhaps it will be helpful for some of you as well.</p>
<p>To start with, I use CloudFlare for <span class="caps">DNS</span> for the domain I use at home. For the moment let’s assume I use <code>annvix.com</code> for home, and we’ll also assume that the hostname for my FreeNAS server is <code>freenas.annvix.com</code> (obviously, neither is true).</p>
<p>The first step is to install the <a href="https://github.com/Neilpang/acme.sh">acme.sh</a> client on the FreeNAS server. You could go through a bunch of hoops by installing it in a dedicated jail, etc. but I opted not to. Instead I have it installed as the root user on my FreeNAS server and it ends up in <code>/root/.acme.sh/</code>. Second, install the <a href="https://github.com/danb35/deploy-freenas">deploy-freenas</a> python script; it ends up as <code>/root/deploy_freenas.py</code>. Create the config file as described, mine lives in <code>/root/.deploy_config</code>.</p>
<p>The <a href="https://github.com/Neilpang/acme.sh/tree/master/dnsapi">instructions for using acme.sh with CloudFlare</a> are pretty simple; I’m not going to repeat them here. I chose to use CloudFlare because it’s free and has an <span class="caps">API</span> which makes this all very simple and very transparent.</p>
<p>The end result is you should have a config file in <code>/root/.acme.sh/freenas.annvix.com/freenas.annvix.com.conf</code> and the only thing really to point out is that you want it to contain this:</p>
<div class="highlight"><pre><span></span><span class="n">Le_ReloadCmd</span><span class="o">=</span><span class="s1">'/root/deploy_freenas.py --config /root/.deploy_config'</span>
</pre></div>
<p>That reload command will automatically update the FreeNAS web <span class="caps">UI</span> with the new certificate. Note that it doesn’t remove certificates, so you might want to manually prune them every once in a while in the FreeNAS web <span class="caps">UI</span>.</p>
<p>Finally, and this is the big part that I missed, you want to enable a cronjob to run this every day. This should be done via the web <span class="caps">UI</span>: navigate to <em>Tasks</em>, then <em>Cron Jobs</em>, and add a new daily task that runs:</p>
<div class="highlight"><pre><span></span>/root/.acme.sh/acme.sh --cron --home /root/.acme.sh
</pre></div>
<p>I’ll know in March whether or not it works, but I’m pretty sure it will. You should be able to see the certificate listed in the web <span class="caps">UI</span> in <em>System</em> then <em>Certificates</em>. This is also where you’ll want to prune any old certificates.</p>
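<p>The two things that silently go wrong with this setup are a reload command that never fires (the renewal succeeds but the web UI keeps serving the old certificate) and a renewal that never runs. The following is an added check script, not code from this post, from acme.sh or from deploy-freenas. It assumes the paths and the example host name used above, and it parses the plain <code>KEY='value'</code> form of the <code>.conf</code> file shown above; newer acme.sh releases may store the reload command base64-encoded, which this parser does not decode.</p>

```shell
#!/bin/sh
# Added check script (not part of the post, acme.sh or deploy-freenas).
# Verifies that the acme.sh domain config carries a runnable reload command
# and that the certificate the FreeNAS web UI serves is not close to expiry.
# Paths mirror the post; DOMAIN is the post's example host name.
set -eu

ACME_HOME=/root/.acme.sh
DOMAIN=freenas.annvix.com                 # example name from the post (assumption)
CONF="$ACME_HOME/$DOMAIN/$DOMAIN.conf"

# Print the reload command stored in an acme.sh domain .conf file.
# acme.sh writes KEY='value' lines; strip the surrounding single quotes.
acme_reload_cmd() {
    raw=$(sed -n 's/^Le_ReloadCmd=//p' "$1")
    raw=${raw#\'}
    printf '%s\n' "${raw%\'}"
}

# Succeed (and echo the command) only if Le_ReloadCmd is set and its first
# word is an executable file, i.e. the deploy script can actually run.
check_reload_cmd() {
    cmd=$(acme_reload_cmd "$1")
    if [ -z "$cmd" ]; then
        echo "no Le_ReloadCmd in $1" >&2
        return 1
    fi
    script=${cmd%% *}
    if [ ! -x "$script" ]; then
        echo "reload script $script is missing or not executable" >&2
        return 1
    fi
    printf '%s\n' "$cmd"
}

# Succeed if the certificate served on host:443 is still valid for at least
# $2 more days. openssl's -checkend takes seconds and exits non-zero when the
# certificate expires inside that window, so no date arithmetic is needed.
cert_valid_for_days() {
    host=$1
    days=$2
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -checkend $((days * 86400)) >/dev/null
}

# Live check when run on the FreeNAS box; does nothing elsewhere.
if [ -f "$CONF" ]; then
    check_reload_cmd "$CONF"
    if cert_valid_for_days "$DOMAIN" 30; then
        echo "$DOMAIN: certificate valid for at least 30 more days"
    else
        echo "$DOMAIN: certificate expires within 30 days; check the cron job" >&2
    fi
fi
```

<p>Running this from the same daily cron job (or a second one) turns the "I'll know in March" wait into an early warning: the script exits non-zero as soon as the reload command is broken or the certificate is inside the 30-day renewal window, which is when acme.sh should already have replaced it.</p>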
<p>Next I’m going to look at how to use LetsEncrypt with Plex since I hate seeing the “Not Secure” label whenever I go to the Plex <span class="caps">UI</span>. This time I’ll be sure to blog about it.</p>
<p>Migrate plex from a warden jail to an iocage jail (Vincent Danen, 2018-11-04)</p>
<p><img alt="Image" src="https://annvix.com/images/plex.png" /></p>
<p>I’ve been running FreeNAS 11.2 beta for a while (currently on 11.2-<span class="caps">RC1</span>). I’ve got a bunch of media on it from when I started running FreeNAS 9 (home videos, music, etc.) and I’ve not taken the step to migrate the old warden-based jails to the newer iocage jails. This meant that my Plex jail was not listed in the web <span class="caps">UI</span>. I could get into the jail using <code>jexec</code> but couldn’t really configure it or use the web <span class="caps">UI</span> to control it. This was sufficient to apply Plex upgrades and other things that I needed to do, from within the jail, which was all <span class="caps">CLI</span>-based.</p>
<p>Amongst other fiddling today, I decided to create a new jail in the FreeNAS web <span class="caps">UI</span> and try to migrate the old jail to a new one. It had to take 10 minutes or less or I wasn’t interested (I didn’t want to fight with it on a Sunday!). I was pleasantly surprised: it took maybe 15 minutes including testing. But I had prepared the old jail a long time ago in that I had all of the media and data files in storage volumes outside of the jail.</p>
<p>I have one pool named “storage” and within this pool I have two datasets: “plex” and “plex_media”. The first contains all the media files for Plex, the second has all the data files (basically <code>/usr/local/plexdata</code>). This meant that all configuration data for Plex existed outside of the jail. If you have these local to the jail, you’ll want to create a dataset, stop the Plex server, mount the dataset in the jail, and copy the data files over. Plex respects symlinks so it works out pretty well (you’ll see what I mean in a moment). I had <code>plex</code> mounted in the jail at <code>/media</code> and <code>plex_media</code> mounted in the jail at <code>/plex_media</code>.</p>
<p>Creating the new jail involved very little “special sauce”. When I created the jail, I added similar mount points as those described above to the jail. I also made sure before I started the new jail to stop the Plex server running in the old jail since having two Plex servers accessing the same metadata at the same time would probably cause issues.</p>
<p>I did this using (in the old jail):</p>
<div class="highlight"><pre><span></span><span class="gh">#</span> service plexmediaserver stop
<span class="gh">#</span> sysrc plexmediaserver_enable=NO
</pre></div>
<p>Note, you can see where those datasets are mounted in the jail using <code>mount</code> on the FreeNAS host:</p>
<div class="highlight"><pre><span></span>/mnt/storage/plex on /mnt/iocage/jails/plex/root/media (nullfs, local)
/mnt/storage/plex_media on /mnt/iocage/jails/plex/root/plex_media (nullfs, local)
</pre></div>
<p>In the new jail, which was pristine, I did the following:</p>
<div class="highlight"><pre><span></span><span class="n">root</span><span class="err">@</span><span class="n">plex</span><span class="p">:</span><span class="o">~</span><span class="w"> </span><span class="c1"># pkg upgrade</span>
<span class="n">The</span><span class="w"> </span><span class="n">package</span><span class="w"> </span><span class="n">management</span><span class="w"> </span><span class="k">tool</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">yet</span><span class="w"> </span><span class="n">installed</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">system</span><span class="o">.</span>
<span class="n">Do</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">want</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">fetch</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">install</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">now</span><span class="err">?</span><span class="w"> </span><span class="p">[</span><span class="n">y</span><span class="o">/</span><span class="n">N</span><span class="p">]:</span><span class="w"> </span><span class="n">y</span>
<span class="n">Bootstrapping</span><span class="w"> </span><span class="n">pkg</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">pkg</span><span class="o">+</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">pkg</span><span class="o">.</span><span class="n">FreeBSD</span><span class="o">.</span><span class="n">org</span><span class="o">/</span><span class="n">FreeBSD</span><span class="p">:</span><span class="mi">11</span><span class="p">:</span><span class="n">amd64</span><span class="o">/</span><span class="n">quarterly</span><span class="p">,</span><span class="w"> </span><span class="n">please</span><span class="w"> </span><span class="n">wait</span><span class="o">...</span>
<span class="n">Verifying</span><span class="w"> </span><span class="n">signature</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">trusted</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="n">pkg</span><span class="o">.</span><span class="n">freebsd</span><span class="o">.</span><span class="n">org</span><span class="o">.</span><span class="mf">2013102301.</span><span class="o">..</span><span class="w"> </span><span class="n">done</span>
<span class="p">[</span><span class="n">plex</span><span class="p">]</span><span class="w"> </span><span class="n">Installing</span><span class="w"> </span><span class="n">pkg</span><span class="o">-</span><span class="mf">1.10</span><span class="o">.</span><span class="mi">5</span><span class="n">_5</span><span class="o">...</span>
<span class="p">[</span><span class="n">plex</span><span class="p">]</span><span class="w"> </span><span class="n">Extracting</span><span class="w"> </span><span class="n">pkg</span><span class="o">-</span><span class="mf">1.10</span><span class="o">.</span><span class="mi">5</span><span class="n">_5</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span>
<span class="n">Updating</span><span class="w"> </span><span class="n">FreeBSD</span><span class="w"> </span><span class="n">repository</span><span class="w"> </span><span class="n">catalogue</span><span class="o">...</span>
<span class="n">pkg</span><span class="p">:</span><span class="w"> </span><span class="n">Repository</span><span class="w"> </span><span class="n">FreeBSD</span><span class="w"> </span><span class="nb">load</span><span class="w"> </span><span class="n">error</span><span class="p">:</span><span class="w"> </span><span class="n">access</span><span class="w"> </span><span class="n">repo</span><span class="w"> </span><span class="n">file</span><span class="p">(</span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">db</span><span class="o">/</span><span class="n">pkg</span><span class="o">/</span><span class="n">repo</span><span class="o">-</span><span class="n">FreeBSD</span><span class="o">.</span><span class="n">sqlite</span><span class="p">)</span><span class="w"> </span><span class="n">failed</span><span class="p">:</span><span class="w"> </span><span class="n">No</span><span class="w"> </span><span class="n">such</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="n">directory</span>
<span class="p">[</span><span class="n">plex</span><span class="p">]</span><span class="w"> </span><span class="n">Fetching</span><span class="w"> </span><span class="n">meta</span><span class="o">.</span><span class="n">txz</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span><span class="w"> </span><span class="mi">944</span><span class="w"> </span><span class="n">B</span><span class="w"> </span><span class="mf">0.9</span><span class="n">kB</span><span class="o">/</span><span class="n">s</span><span class="w"> </span><span class="mi">00</span><span class="p">:</span><span class="mi">01</span>
<span class="p">[</span><span class="n">plex</span><span class="p">]</span><span class="w"> </span><span class="n">Fetching</span><span class="w"> </span><span class="n">packagesite</span><span class="o">.</span><span class="n">txz</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span><span class="w"> </span><span class="mi">6</span><span class="w"> </span><span class="n">MiB</span><span class="w"> </span><span class="mf">2.2</span><span class="n">MB</span><span class="o">/</span><span class="n">s</span><span class="w"> </span><span class="mi">00</span><span class="p">:</span><span class="mi">03</span>
<span class="n">Processing</span><span class="w"> </span><span class="n">entries</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span>
<span class="n">FreeBSD</span><span class="w"> </span><span class="n">repository</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="n">completed</span><span class="o">.</span><span class="w"> </span><span class="mi">32468</span><span class="w"> </span><span class="n">packages</span><span class="w"> </span><span class="n">processed</span><span class="o">.</span>
<span class="n">All</span><span class="w"> </span><span class="n">repositories</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">date</span><span class="o">.</span>
<span class="n">Updating</span><span class="w"> </span><span class="n">database</span><span class="w"> </span><span class="n">digests</span><span class="w"> </span><span class="n">format</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span>
<span class="n">Checking</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">upgrades</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="w"> </span><span class="n">candidates</span><span class="p">):</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span>
<span class="n">Processing</span><span class="w"> </span><span class="n">candidates</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="w"> </span><span class="n">candidates</span><span class="p">):</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span>
<span class="n">Checking</span><span class="w"> </span><span class="n">integrity</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="w"> </span><span class="p">(</span><span class="mi">0</span><span class="w"> </span><span class="n">conflicting</span><span class="p">)</span>
<span class="n">Your</span><span class="w"> </span><span class="n">packages</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">date</span><span class="o">.</span>
<span class="n">root</span><span class="err">@</span><span class="n">plex</span><span class="p">:</span><span class="o">~</span><span class="w"> </span><span class="c1"># pkg upgrade</span>
<span class="n">Updating</span><span class="w"> </span><span class="n">FreeBSD</span><span class="w"> </span><span class="n">repository</span><span class="w"> </span><span class="n">catalogue</span><span class="o">...</span>
<span class="n">FreeBSD</span><span class="w"> </span><span class="n">repository</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">date</span><span class="o">.</span>
<span class="n">All</span><span class="w"> </span><span class="n">repositories</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">date</span><span class="o">.</span>
<span class="n">Checking</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">upgrades</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="w"> </span><span class="n">candidates</span><span class="p">):</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span>
<span class="n">Processing</span><span class="w"> </span><span class="n">candidates</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="w"> </span><span class="n">candidates</span><span class="p">):</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span>
<span class="n">Checking</span><span class="w"> </span><span class="n">integrity</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="w"> </span><span class="p">(</span><span class="mi">0</span><span class="w"> </span><span class="n">conflicting</span><span class="p">)</span>
<span class="n">Your</span><span class="w"> </span><span class="n">packages</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">date</span><span class="o">.</span>
<span class="n">root</span><span class="err">@</span><span class="n">plex</span><span class="p">:</span><span class="o">~</span><span class="w"> </span><span class="c1"># pkg install multimedia/plexmediaserver</span>
<span class="n">Updating</span><span class="w"> </span><span class="n">FreeBSD</span><span class="w"> </span><span class="n">repository</span><span class="w"> </span><span class="n">catalogue</span><span class="o">...</span>
<span class="n">FreeBSD</span><span class="w"> </span><span class="n">repository</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">date</span><span class="o">.</span>
<span class="n">All</span><span class="w"> </span><span class="n">repositories</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">date</span><span class="o">.</span>
<span class="n">The</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="n">package</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">affected</span><span class="w"> </span><span class="p">(</span><span class="n">of</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="n">checked</span><span class="p">):</span>
<span class="n">New</span><span class="w"> </span><span class="n">packages</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">INSTALLED</span><span class="p">:</span>
<span class="w"> </span><span class="n">plexmediaserver</span><span class="p">:</span><span class="w"> </span><span class="mf">1.13</span><span class="o">.</span><span class="mf">8.5395</span>
<span class="w"> </span><span class="n">compat9x</span><span class="o">-</span><span class="n">amd64</span><span class="p">:</span><span class="w"> </span><span class="mf">9.3</span><span class="o">.</span><span class="mf">903000.20170608</span>
<span class="w"> </span><span class="n">compat10x</span><span class="o">-</span><span class="n">amd64</span><span class="p">:</span><span class="w"> </span><span class="mf">10.3</span><span class="o">.</span><span class="mf">1003000.20170608</span>
<span class="n">Number</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">packages</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">installed</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span>
<span class="n">The</span><span class="w"> </span><span class="n">process</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">require</span><span class="w"> </span><span class="mi">200</span><span class="w"> </span><span class="n">MiB</span><span class="w"> </span><span class="n">more</span><span class="w"> </span><span class="n">space</span><span class="o">.</span>
<span class="mi">71</span><span class="w"> </span><span class="n">MiB</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">downloaded</span><span class="o">.</span>
<span class="n">Proceed</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">action</span><span class="err">?</span><span class="w"> </span><span class="p">[</span><span class="n">y</span><span class="o">/</span><span class="n">N</span><span class="p">]:</span><span class="w"> </span><span class="n">y</span>
<span class="p">[</span><span class="n">plex</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="mi">1</span><span class="o">/</span><span class="mi">3</span><span class="p">]</span><span class="w"> </span><span class="n">Fetching</span><span class="w"> </span><span class="n">plexmediaserver</span><span class="o">-</span><span class="mf">1.13</span><span class="o">.</span><span class="mf">8.5395</span><span class="o">.</span><span class="n">txz</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span><span class="w"> </span><span class="mi">66</span><span class="w"> </span><span class="n">MiB</span><span class="w"> </span><span class="mf">7.7</span><span class="n">MB</span><span class="o">/</span><span class="n">s</span><span class="w"> </span><span class="mi">00</span><span class="p">:</span><span class="mi">09</span>
<span class="p">[</span><span class="n">plex</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="mi">2</span><span class="o">/</span><span class="mi">3</span><span class="p">]</span><span class="w"> </span><span class="n">Fetching</span><span class="w"> </span><span class="n">compat9x</span><span class="o">-</span><span class="n">amd64</span><span class="o">-</span><span class="mf">9.3</span><span class="o">.</span><span class="mf">903000.20170608</span><span class="o">.</span><span class="n">txz</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="n">MiB</span><span class="w"> </span><span class="mf">1.5</span><span class="n">MB</span><span class="o">/</span><span class="n">s</span><span class="w"> </span><span class="mi">00</span><span class="p">:</span><span class="mi">02</span>
<span class="p">[</span><span class="n">plex</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="mi">3</span><span class="o">/</span><span class="mi">3</span><span class="p">]</span><span class="w"> </span><span class="n">Fetching</span><span class="w"> </span><span class="n">compat10x</span><span class="o">-</span><span class="n">amd64</span><span class="o">-</span><span class="mf">10.3</span><span class="o">.</span><span class="mf">1003000.20170608</span><span class="o">.</span><span class="n">txz</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="n">MiB</span><span class="w"> </span><span class="mf">1.2</span><span class="n">MB</span><span class="o">/</span><span class="n">s</span><span class="w"> </span><span class="mi">00</span><span class="p">:</span><span class="mi">02</span>
<span class="n">Checking</span><span class="w"> </span><span class="n">integrity</span><span class="o">...</span><span class="w"> </span><span class="n">done</span><span class="w"> </span><span class="p">(</span><span class="mi">0</span><span class="w"> </span><span class="n">conflicting</span><span class="p">)</span>
<span class="p">[</span><span class="n">plex</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="mi">1</span><span class="o">/</span><span class="mi">3</span><span class="p">]</span><span class="w"> </span><span class="n">Installing</span><span class="w"> </span><span class="n">compat10x</span><span class="o">-</span><span class="n">amd64</span><span class="o">-</span><span class="mf">10.3</span><span class="o">.</span><span class="mf">1003000.20170608</span><span class="o">...</span>
<span class="p">[</span><span class="n">plex</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="mi">1</span><span class="o">/</span><span class="mi">3</span><span class="p">]</span><span class="w"> </span><span class="n">Extracting</span><span class="w"> </span><span class="n">compat10x</span><span class="o">-</span><span class="n">amd64</span><span class="o">-</span><span class="mf">10.3</span><span class="o">.</span><span class="mf">1003000.20170608</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span>
<span class="p">[</span><span class="n">plex</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="mi">2</span><span class="o">/</span><span class="mi">3</span><span class="p">]</span><span class="w"> </span><span class="n">Installing</span><span class="w"> </span><span class="n">compat9x</span><span class="o">-</span><span class="n">amd64</span><span class="o">-</span><span class="mf">9.3</span><span class="o">.</span><span class="mf">903000.20170608</span><span class="o">...</span>
<span class="p">[</span><span class="n">plex</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="mi">2</span><span class="o">/</span><span class="mi">3</span><span class="p">]</span><span class="w"> </span><span class="n">Extracting</span><span class="w"> </span><span class="n">compat9x</span><span class="o">-</span><span class="n">amd64</span><span class="o">-</span><span class="mf">9.3</span><span class="o">.</span><span class="mf">903000.20170608</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span>
<span class="p">[</span><span class="n">plex</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="mi">3</span><span class="o">/</span><span class="mi">3</span><span class="p">]</span><span class="w"> </span><span class="n">Installing</span><span class="w"> </span><span class="n">plexmediaserver</span><span class="o">-</span><span class="mf">1.13</span><span class="o">.</span><span class="mf">8.5395</span><span class="o">...</span>
<span class="o">===></span><span class="w"> </span><span class="n">Creating</span><span class="w"> </span><span class="n">groups</span><span class="o">.</span>
<span class="n">Creating</span><span class="w"> </span><span class="n">group</span><span class="w"> </span><span class="s1">'plex'</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">gid</span><span class="w"> </span><span class="s1">'972'</span><span class="o">.</span>
<span class="o">===></span><span class="w"> </span><span class="n">Creating</span><span class="w"> </span><span class="n">users</span>
<span class="n">Creating</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="s1">'plex'</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">uid</span><span class="w"> </span><span class="s1">'972'</span><span class="o">.</span>
<span class="p">[</span><span class="n">plex</span><span class="p">]</span><span class="w"> </span><span class="p">[</span><span class="mi">3</span><span class="o">/</span><span class="mi">3</span><span class="p">]</span><span class="w"> </span><span class="n">Extracting</span><span class="w"> </span><span class="n">plexmediaserver</span><span class="o">-</span><span class="mf">1.13</span><span class="o">.</span><span class="mf">8.5395</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="o">%</span>
<span class="n">Message</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">plexmediaserver</span><span class="o">-</span><span class="mf">1.13</span><span class="o">.</span><span class="mf">8.5395</span><span class="p">:</span>
<span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span>
<span class="n">multimedia</span><span class="o">/</span><span class="n">plexmediaserver</span><span class="w"> </span><span class="n">includes</span><span class="w"> </span><span class="n">an</span><span class="w"> </span><span class="n">RC</span><span class="w"> </span><span class="n">script</span><span class="p">:</span>
<span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">rc</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">plexmediaserver</span>
<span class="n">TO</span><span class="w"> </span><span class="n">START</span><span class="w"> </span><span class="n">PLEXMEDIASERVER</span><span class="w"> </span><span class="n">ON</span><span class="w"> </span><span class="n">BOOT</span><span class="p">:</span>
<span class="n">sysrc</span><span class="w"> </span><span class="n">plexmediaserver_enable</span><span class="o">=</span><span class="n">YES</span>
<span class="n">START</span><span class="w"> </span><span class="n">MANUALLY</span><span class="p">:</span>
<span class="n">service</span><span class="w"> </span><span class="n">plexmediaserver</span><span class="w"> </span><span class="n">start</span>
<span class="n">Once</span><span class="w"> </span><span class="n">started</span><span class="p">,</span><span class="w"> </span><span class="n">visit</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">following</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">configure</span><span class="p">:</span>
<span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">32400</span><span class="o">/</span><span class="n">web</span>
<span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">*</span>
<span class="n">root</span><span class="err">@</span><span class="n">plex</span><span class="p">:</span><span class="o">~</span><span class="w"> </span><span class="c1"># sysrc plexmediaserver_enable=YES</span>
<span class="n">plexmediaserver_enable</span><span class="p">:</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="n">YES</span>
<span class="n">root</span><span class="err">@</span><span class="n">plex</span><span class="p">:</span><span class="o">~</span><span class="w"> </span><span class="c1"># cd /usr/local</span>
<span class="n">root</span><span class="err">@</span><span class="n">plex</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="w"> </span><span class="c1"># mv plexdata plexdata.org</span>
<span class="n">root</span><span class="err">@</span><span class="n">plex</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="w"> </span><span class="c1"># ln -s /plex_media plexdata</span>
<span class="n">root</span><span class="err">@</span><span class="n">plex</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="w"> </span><span class="c1"># service plexmediaserver start</span>
</pre></div>
<p>I kept the old <code>plexdata</code> directory just as a precaution; you could easily delete it.</p>
<p>After this I grabbed the <span class="caps">MAC</span> address of the jail so that I could update my static <span class="caps">DHCP</span> mapping to give it the <span class="caps">IP</span> address of the old jail:</p>
<div class="highlight"><pre>root@plex:/usr/local # ifconfig|grep ether
	ether 02:ff:60:14:fa:0a
</pre></div>
<p>After updating the <span class="caps">DHCP</span> server and flushing the <span class="caps">ARP</span> cache, I restarted the jail using the web <span class="caps">UI</span>. After that, Plex was running properly with all of the old media, at the old web address, available to Google Chromecast and my mobile devices, etc.</p>
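<p>As an added check, not part of the original post, the following POSIX sh script verifies the state the steps above leave behind: that <code>plexdata</code> is a symlink to the media dataset with the renamed original still beside it, that the <code>rc.conf</code> setting <code>sysrc</code> wrote is really <code>YES</code>, and that the MAC pulled from <code>ifconfig</code> matches the one recorded in the static DHCP reservation. The paths <code>/usr/local</code> and <code>/plex_media</code> come from the session above; <code>/etc/rc.conf</code> as the file <code>sysrc</code> writes inside the jail is an assumption, and the function-based checks take every path as an argument so they also run against constructed fixtures.</p>

```shell
#!/bin/sh
# Post-migration sanity checks for the Plex jail (added example, not from the
# original post). Assumes the layout used in the post: media dataset mounted at
# /plex_media, /usr/local/plexdata symlinked to it, service enabled via sysrc.
# Every path is passed in as an argument so the checks work on fixtures too.

# 1. $prefix/plexdata must be a symlink whose target is an existing directory
#    (an absolute target, as in "ln -s /plex_media plexdata"), and the renamed
#    original plexdata.org must still be there as the fallback copy.
plexdata_link_ok() {
    prefix=$1                                  # e.g. /usr/local
    target=$(readlink "$prefix/plexdata" 2>/dev/null) || return 1
    [ -n "$target" ] && [ -d "$target" ] && [ -d "$prefix/plexdata.org" ]
}

# 2. sysrc writes KEY="YES" into rc.conf. Accept quoted or bare YES, skip
#    commented-out lines, and honour the last assignment if the key repeats.
rc_enabled() {
    rcfile=$1
    key=$2
    val=$(sed -n "s/^[[:space:]]*${key}=\(.*\)$/\1/p" "$rcfile" | tail -n 1 | tr -d '"')
    [ "$val" = "YES" ]
}

# 3. Pull the jail's MAC out of saved ifconfig output (the "ether" line),
#    which is the value the static DHCP mapping has to carry.
ether_of() {
    awk '/^[[:space:]]*ether[[:space:]]/ { print $2; exit }' "$1"
}

# 4. Compare the live MAC with the one in the DHCP reservation, ignoring case;
#    a mismatch means the new jail will not receive the old jail's IP address.
mac_matches() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$a" = "$b" ]
}

# Stand-alone use inside the jail: "sh check_plex.sh --live" (script name is
# hypothetical). /etc/rc.conf is assumed to be where sysrc wrote the setting.
if [ "${1:-}" = "--live" ]; then
    plexdata_link_ok /usr/local || { echo "plexdata symlink or backup missing"; exit 1; }
    rc_enabled /etc/rc.conf plexmediaserver_enable || { echo "service not enabled"; exit 1; }
    ifconfig > /tmp/ifconfig.out
    echo "jail MAC for the DHCP reservation: $(ether_of /tmp/ifconfig.out)"
fi
```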
<p>I know you can run Plex as a plugin but I like running it in a jail as you get a bit more control over it and don’t typically have to wait too long for Plex server upgrades.</p>
<p>The last step is to remove the old warden jail. I’ll likely wait a few days before I do that to ensure the new jail is working properly. In the meantime, with the new <span class="caps">DHCP</span> map and the Plex server disabled in the old jail, it shouldn’t be running and interfering with anything.</p>
<p>This was actually a lot easier than I had expected! This is the second migration of Plex I’ve done and the first was so painful I didn’t want to try again, but this one was really easy (granted the first was from a macOS server to FreeNAS so there was a bit more effort, but it completely hosed all of my metadata so it was like starting from scratch). At any rate, I know a lot of people in the FreeNAS community that use Plex were having difficulty with migrating jails so I thought I would quickly write this up for anyone who might still need it (keeping in mind that 11.2 is still technically a beta product although it’s worked pretty well for me thus far, your mileage may vary). For the record, it took me longer to write this than to do the actual upgrade!</p>
<p>The next step is to set up another jail to play with OpenProject and possibly move my GitHub setup from a separate machine here at home onto the FreeNAS server (those are likely Christmas shutdown projects though).</p>
<p>Enjoy!</p>
Stonecutters
2018-08-15T04:00:00-06:00
Vincent Danen
tag:annvix.com,2018-08-15:/blog/stonecutters
<p><img alt="Image" src="https://annvix.com/images/stonecutters.jpg" /></p>
<p>Have you heard the parable of the stonecutters?</p>
<p>This is one of my favourite parables/stories because it speaks of purpose and passion in a very simple-to-understand way. If you’ve not heard the parable before, let me relay it briefly. There are three stonecutters doing the same back-breaking, tedious, difficult work of cutting stone. This is not an easy job. There’s no air conditioning. There are no power tools. There is simply you, a chisel, and stone. Imagine the effort, the heat… the day-after-day effort of doing the same thing, over and over again.</p>
<p>One day a traveler comes down the road and sees these three men, working away cutting stone. He asks the first man what it is that he is doing and the man replies that he is cutting stone. The traveler moves on to the second man and asks the same question and the man replies that he is building a wall. Finally, he moves on to the third man and asks him the same question to which the third man replies, “I’m building a cathedral.”</p>
<p>Each man is doing the same work, putting in the same effort. The first man is clearly there for the sake of the job — he does what he needs to do to collect the money he is going to be paid. This man had a <em>job</em>.</p>
<p>The second man sees a little further than the work itself. While he’s not laying the stone in the wall, he knows the purpose for which he works. He knows what his work contributes to. This man had a <em>career</em>.</p>
<p>The third man, however, saw beyond the work of his hands and even where the stone he was cutting would be laid. He saw the big picture, he saw the end result. This man, although he was doing the same work as the others, had been inspired with a vision. This man had a <em>calling</em>.</p>
<p>I imagine each man also had a different response to the work. When all you see is the stone, with no idea of its place, perhaps the finished product doesn’t matter so much. After all, you’re given the dimensions, you know how big to make the pieces, but what happens after that doesn’t really matter. I expect this man wasn’t so precise in the work he was doing. Maybe he took shortcuts just to get the job done quicker. Maybe it didn’t matter to him if a cut wasn’t perfect or the size was slightly off. After all, what difference did it make? He was simply there to do a job.</p>
<p>The second probably took a little more pride in his work. After all, he knew someone else after him would take the stone he cut and would fit it into the wall. Maybe his measurements were more precise, the cuts smoother to ensure the pieces fit together. He knew what the stone was for and he knew they would have to fit well together. Perhaps he took a bit more care to roughen the edges of the stone so the grout would hold the pieces together better. At any rate, he knew the project, the work, was bigger than just the stone he was cutting in the moment and I imagine his effort rose with that belief.</p>
<p>The third man, however, looked at his work in an entirely different light. This man knew he was doing more than just cutting stone, knew he was contributing to something grander than just a wall. This man I imagine putting in the time and effort to make sure the stone was cut to perfection… every piece just <em>so</em>. Whether this stone he was cutting would be used for a wall or a buttress or the floor, it didn’t matter. He cut it to exact dimensions, he ensured each piece was beautiful. He wasn’t building a simple building or a road, he was building something grand and majestic and he put in the time, patience, effort, and all of his skill because he knew he was contributing to something great, something that would survive him, something that would benefit many people and be admired by them. I imagine this man put his heart and soul into it and would accept nothing less than precision because what he was helping make would be incredible — beyond what one man could make himself. He was a part of it, he contributed to it, his pieces helped make this cathedral a masterpiece.</p>
<p>This story came to my mind as I was watching my garage get constructed this week. The first crew that came in to pour the cement were an interesting bunch. They showed up to do the work, usually late. They came and dug out where the concrete pad would sit one day. Two days later they framed it. The next day they poured the concrete. A week and a half later they came and dug out the sidewalk in the backyard, which was meant to be 3’ across yet they used a 6’ skid steer to dig out the path. And tore the lawn to pieces while they did it. Then tore up the driveway so badly that they needed to replace the gravel. And left a pile of dirt that still needs to be removed.</p>
<p>They framed up the sidewalk and apron to the garage four days ago. They were meant to have the concrete done before the garage was framed. They guaranteed they would be here yesterday, the day the framing was to start.</p>
<p>One could arguably say they were doing the job they were paid to do. But they were careless. They didn’t respect the property they were on. They left nails in the alley, empty water bottles and orange peels on my deck, nails in the yard. This crew was the first man. They did their job, technically (I do, after all, have concrete in place). Because they chose an expedient way to do the work, they ended up having to replace the gravel on a perfectly good driveway; I imagine that ate into their profits due to the cost of the gravel and the time to lay it out.</p>
<p>The framing crew, however, are a different class. They were here this morning before I was even awake and had the side walls framed by the time I realized they were here. They worked fast, but with precision. They knew what needed to be done and in what order, and they did it well. When I knew the framing was going to happen yesterday, I expected the frame alone to be done. Yet the walls, trusses, and roof are complete. Obviously there is siding, drywall, insulation, electrical, and much more that needs to be done but these four fellows measured twice and cut once, worked together to get this raised, and at the end of the day I was very much impressed.</p>
<p>Oh, I should also mention that they did it in 35C weather and in poor air quality conditions due to wildfires a province over (you can taste the smoke on the air and feel the irritants in your eyes). And after a long day in these conditions? Before they even drank any of the ice water I brought out for them as they were packing up, they cleaned the workplace so it was spotless. Picked up the garbage, moved discarded pieces out of the way. They left the site cleaner than they found it.</p>
<p>The way these two crews approached their work was vastly different. They both had jobs to do and arguably they both did it. One at additional cost (someone’s going to pay for the lawn they tore up!) and one being methodical, precise, and diligent. The first crew did their job. The second crew, perhaps they recognized this as their career and were willing to do the exceptional work. I don’t know for certain if they think building homes or garages is their calling, but their approach to the work stands in stark contrast to the first crew. To one I’m <em>grateful</em> they did their job, although I certainly would have liked it to be better, but to the second I’m <em>pleased</em> with their work. Would I recommend the first crew? Probably not. The second? Absolutely.</p>
<p>If you’ve made it this far you’re probably wondering what the point is. Maybe you see it already, maybe not. It does make me wonder if we simply show up to do the job, one <em>thing</em>, at a time. Or are we taking this work and using it to hone our craft, to become increasingly <em>better</em> so that we can see the vision, the cathedral, built through our efforts and labour? Do we see the <em>purpose</em> to our work, the change to the world we strive to make?</p>
<p>Connecting purpose to the work is important. Purpose is what allows you to see the big picture, the vision for the work being done, no matter what role you play in the process. Without that purpose, without that vision, you never see beyond the task at hand which means missing the grandeur of what is being built. In fact it robs you of that connection to the bigger picture — it robs you of inspiration, it robs you of ownership, it robs you of feeling that you are a part of something bigger than you are.</p>
<p>We are all a part of something bigger than we are. The whole is always greater than the sum of its parts.</p>
Pictures of Israel
2018-06-01T22:00:00-06:00
Vincent Danen
tag:annvix.com,2018-06-01:/blog/pictures-of-israel
<p><img alt="Image" src="https://annvix.com/images/41784128904_e496ddb419_z.jpg" /></p>
<p>Finally I got the pictures of Israel up. Apologies once again for those who have been waiting… I didn’t intend for it to take this long, but they are up now!</p>
<p>Favourite places in Israel were the Garden of Gethsemane, Masada, Shiloh (who wouldn’t want to stand basically where the Ark of the Covenant rested?!? plus the budding almond trees were beautiful) and Tel Dan.</p>
<p>Enjoy!</p>
<p><a href="https://www.flickr.com/photos/wulfheart/albums/72157694371595062">Israel 2018 album on Flickr</a></p>
Pictures of Jordan
2018-05-05T12:00:00-06:00
Vincent Danen
tag:annvix.com,2018-05-05:/blog/pictures-of-jordan
<p><img alt="Image" src="https://annvix.com/images/jordan.png" /></p>
<p>Apologies for this taking so long… I know there are quite a few people who have been after me to post the pictures. Unfortunately due to time constraints I have skipped to the <em>end</em> of the trip to post pictures from Jordan (since there are less than those of Israel). One of my favourite places on the trip was Petra, so the bulk of the pictures are from there. This is, of course, just a small sampling of the better pictures.</p>
<p>Enjoy, and I hope not to take as long to get the pictures of Israel up (apologies again to those who really want to see those pics, you’ll have to wait a wee bit longer...)</p>
<p><a href="https://www.flickr.com/photos/wulfheart/albums/72157694730348621">Jordan 2018 album on Flickr</a></p>
Pictures of Egypt
2018-03-18T16:00:00-06:00
Vincent Danen
tag:annvix.com,2018-03-18:/blog/pictures-of-egypt
<p><img alt="Image" src="https://annvix.com/images/pyramids.png" /></p>
<p>There are far too many pictures taken of my recent trip, but since I’m being (graciously!) hounded by friends I figured I’d note when some of them were available so I’ve gotten the first few up, just of the Egypt part. The Israel part will take longer though as that is where the bulk of the trip was. I think these ones are a good sampling of the many pictures I took. I hope you enjoy!</p>
<p>As an aside, standing on the pyramids was pretty darn amazing, something I had never expected to do in my life. And the pictures of the cave church really don’t do justice to how amazing it was.</p>
<p>One downside of the trip is that I forgot the battery charger for my Nikon so took more pictures on my iPhone than I would have if I knew I could charge the battery for the Nikon. Miraculously, the battery did not die and made it to the end of the trip although that was because I was pretty disciplined with saving it for the scenic pictures.</p>
<p><a href="https://www.flickr.com/photos/wulfheart/albums/72157694634244345">Egypt 2018 album on Flickr</a></p>
Pilgrimage to Egypt, Israel, Jordan
2018-03-03T14:00:00-07:00
Vincent Danen
tag:annvix.com,2018-03-03:/blog/pilgrimage-to-egypt-israel-jordan
<p><img alt="Image" src="https://annvix.com/images/petra.png" /></p>
<p>During the last half of this past February I took a trip with my family and members of our church on a tour of the “land of the Bible” (Egypt, Israel, and Jordan). This was a 15 day trip that took us to and through five countries on four continents. It was a whirlwind trip… super busy, amazing in a lot of ways, and offered a lot of opportunities for quiet reflection. This post is the first of two, I think... there simply isn’t space to record both the places we went and the thoughts I had about them, so this one will focus on the trip itself and all the places we went. The next post, hopefully in the next week or two, will share some of those thoughts and reflections.</p>
<p>We left Edmonton on February 14 heading to Toronto, then Munich, then to Cairo. We landed in Cairo on Feb 15 and went straight from the airport to the Nile river where we boarded a boat to have dinner on the Nile itself. Given it was pretty late by the time we got on there, we didn’t see much of Cairo other than that the Nile is a hopping place at night… plenty of river boats with food and music. Sadly I did not see any crocodiles, just some stray cats and dogs along the shore. And a donkey. After our trip along the river for an hour or so, we got back on the bus and headed to our hotel.</p>
<p>Interestingly, my eye must be very tuned to Shadowman. I saw him briefly on a building while in the bus… what are the odds of seeing him in Cairo? It must have been a partner company as he was alongside a Dell and <span class="caps">HP</span> logo if I remember correctly. Anyways, it went by too fast to snap a pic, but it was neat to see nonetheless.</p>
<p>The next day we woke up to a view of the pyramids from the hotel room which was pretty amazing. We then went to the pyramids and the sphinx. At first it was pretty hard to see... the pollution in Cairo is insane. It is apparently <a href="https://earthdata.nasa.gov/user-resources/sensing-our-planet/a-black-cloud-over-cairo">one of the most polluted cities on the planet</a>. My wife even developed what we called the “Cairo cough”... it lingered until a day or two after we left. Anyways, the pyramid was amazing. To think that people, thousands of years ago, built these magnificent things makes me think again of the power of unity — people banded together, with one vision, can accomplish fantastic things!</p>
<p>We then made our way to the Cairo Museum which was neat (lots of artifacts, mummies, old things). Honestly if not for the pictures I wouldn’t remember much… the fatigue hit <em>hard</em> while there and it was hard just to remain vertical. After the museum, we drove up to the <a href="http://www.amusingplanet.com/2013/09/the-cave-church-of-zabbaleen-in-cairo.html">cave church of the Zabbaleen</a> which is one of the most beautiful places I’ve ever been. The trip getting to and from the church, conversely, is one of the most depressing things I’ve ever seen. You need to drive through an area inhabited largely by Coptic Christians who collect garbage. Given Egypt is a Muslim-majority country, these Coptic Christians have a hard go of it to begin with, but the living conditions (to this Canadian) are somewhat horrific. Yet, for all that, finding a happier group of people might be a challenge! The people were friendly, happy, and very interested in this group of 18 Canadians who travelled up to their church. The church itself, carved out of the rock, was amazing. The stone carvings in and around the church were beautiful. The pyramids were cool, don’t get me wrong, but this church was breath-taking. In our short time in Egypt, this was my highlight. The trip up and down to this beautiful place was challenging and offered the sort of perspective that I think a lot of people in North America, at least, could benefit from. It was a sobering ride.</p>
<p>After this, we headed to the airport again to fly up to Sharm El Sheikh where we spent the night at a resort hotel and the morning along the Red Sea enjoying the beach and nice weather. In the afternoon we got on the bus and drove to Nuweiba where we spent the night and planned to climb what they believe was Mount Sinai (up to Saint Catherine’s Monastery). The intent was to go at 3am to watch the sunrise at the top of the mountain but due to poor weather, most of us opted out since it would make the climb challenging. And given the smell of camel I experienced at the pyramids I was unwilling to deal with a camel ride up the mountain. A few of the group did, though, and they said it was amazing. The rest of us caught up on sleep and enjoyed a morning on the beach.</p>
<p>When the mountain climbers got back (and showered!) from Mount Sinai, we drove to the Egypt/Israel border, crossed, and headed to Eilat where we went to <a href="https://www.coralworld.co.il/en/">Coral World</a> and the Underwater Observatory. This was a pretty cool place seeing a bunch of fish and other marine critters. It was also the first place we visited in Israel, and I can tell you that the contrast between Egypt and Israel is dramatic. Where Egypt, for the most part (especially Cairo) was dirty, full of garbage, chaotic, and horribly smelly, Eilat was clean, smelled great, and people actually paid attention to traffic laws.</p>
<p>We spent the night in Eilat then drove to <a href="http://www.parktimna.co.il/en/">Timna Park</a> where we got to see a life-size replica of the Tabernacle of Moses. This was really neat because standing in something that was built to the specifications noted in the Bible was quite different than seeing a picture or model. We also went to Solomon’s Pillars here, which were amazing. I’ll update this article in the next week or so with a link to pictures so you can see them. After this we drove through <a href="https://en.wikipedia.org/wiki/Makhtesh_Ramon">Makhtesh Ramon</a> where a meteor caused a great crater in the Negev. I thought it would be more exciting, but it just looked like the rest of the desert other than we had to drive up, then down, through it, then up again. Taking some pics from the observation point was pretty neat. I spotted no Kryptonians. We then continued driving up to Tel-Aviv where we spent the night.</p>
<p>The next day we picked up the last 8 people who were just joining us for the Israel/Jordan part of the trip (the Egypt part was an optional extension to the tour). Now we were 22 people and we drove up to <a href="https://en.wikipedia.org/wiki/Caesarea_Maritima">Caesarea Maritima</a> where we saw ruins of the ancient city, the theatre, the hippodrome and the aqueduct. Then we drove up to Mount Carmel which was exciting to me as I love the story of Elijah and the priests of Baal (1 Kings 18). We headed back to Tel-Aviv for the night.</p>
<p>On Wednesday (Feb 21) we headed out to Shiloh, where the Tabernacle of Moses had been. This was a really neat moment and place because as I was standing there I realized I was in the very place where the Ark of the Covenant actually resided… literally on the spot where it sat on the ground. This was not something I would have ever thought I would be able to do in my lifetime, so it was quite profound for me. But that was just the beginning of profound moments for me that day... this was probably the most personally reflective day of the trip because after this we headed into Jerusalem where we went to the Mount of Olives, the Garden of Gethsemane, Golgotha (Skull Hill), and to the Garden Tomb. Each of these locations was quite solemn for us as this is where Jesus spent that last night before heading to the Cross, dying, being buried in the tomb, and then rising from the grave. The opportunity to take communion at the Garden Tomb was an experience I can’t even describe. Suffice it to say, this was probably the most memorable part of the trip for me.</p>
<p>After this we went to <a href="https://en.wikipedia.org/wiki/Zedekiah%27s_Cave">Zedekiah’s Cave</a> which was pretty cool, and the Pool of Bethesda which was neat because it proved to be real when many had thought it wasn’t (because they hadn’t excavated it yet). It also had a cool church with amazing acoustics; one of the young ladies in the group can really sing and in this church it sounded <em>amazing</em>. This would be a great place for some good Gregorian Chants! Then from there we went into the old city bazaar where we could do some shopping. Honestly, we were in for a few minutes and I wanted out… it was crazy, busy, congested, and hard to breathe. I could live my life without going into a bazaar like that again! I’ll take the open-air kind or the farmer’s markets we have at home. We then went to the Tower of David for a neat <a href="https://www.tod.org.il/en/">sound and light show</a>. After this, back to the hotel in Tel-Aviv.</p>
<p>On Thursday, we went to the <a href="https://en.wikipedia.org/wiki/City_of_David">City of David</a> which is the entrance to Hezekiah’s Tunnel (or the <a href="https://en.wikipedia.org/wiki/Siloam_tunnel">Siloam Tunnel</a>). This tunnel has you going through water, but there’s a shorter (and drier) side tunnel you can take which some of us who didn’t feel like getting hip-deep in the water opted to take. We then took a shuttle to the Dung Gate so we didn’t have to walk so far (I will have you know that each day we walked on average 10km!) and while we waited for our bus we watched a bunch of Bar Mitzvahs that were heading to the Western Wall. These were really fun to watch! (These guys know how to have a good time!). We then went to the <a href="http://allaboutjerusalem.com/attraction/jerusalem-archaeological-park-davidson-center">Davidson Archeological Centre</a>, spotted the fake Tomb of David (great for tourists I guess?), and then visited the Upper Room where Jesus and the disciples had the Last Supper. We then visited the Western Wall, which was an interesting up-close view of traditional Judaism, and went underneath it in the <a href="https://english.thekotel.org/western_wall_sites/core_excavations/about/">Kotel Excavations</a> which was really neat to see all that is below the temple mount. When we made our way out, we saw what remains of <a href="http://www.jpost.com/Israel/Nehemiahs-wall-uncovered">Nehemiah’s Wall</a> which was really neat as well.</p>
<p>One note about Nehemiah’s Wall… according to Nehemiah 6:15, they built the wall around Jerusalem in 52 days. 52 days! Now it says they worked on it day and night, but you don’t really grasp what those walls looked like by just reading about it. Seeing it in person… that was an impressive feat! Like the pyramids, it made me think about that power of vision and people united. The things that can be accomplished by a team of people, united, working together, is amazing. For someone who leads a team of people, this was a very reflective moment for me… what kinds of things can we, as professional teams, accomplish together if we put ourselves out of the way and collaborated to build and do important things? Visiting the remnants of this wall really made me think about work and the upcoming year.</p>
<p>After the Wall we went back to the hotel in Jerusalem. The next day, Friday, we drove out to <a href="https://en.wikipedia.org/wiki/Masada">Masada</a> which was incredibly cool. Masada is a mountain fortress built by Herod the Great and it has an amazing view and is fairly well preserved considering it’s over 2000 years old. From Masada we went to En Gedi, where David hid from king Saul who was hunting him (neat water springs) and the Qumran Caves where they found the Dead Sea Scrolls. Then we went down to the Dead Sea itself (on the Israel side) but it was pretty much a gong-show with tourists and locals all over the place, super muddy, and just plain chaotic. A few folks went into the Dead Sea (my daughter included) and floated, covered themselves in mud, etc. My daughter says this was one of her most favourite parts of the trip. After this we headed into Bethlehem to spend the night.</p>
<p>Saturday morning we got up and went to the Shepherd’s Fields in Bethlehem, which is where they say the angels appeared to the shepherds. It’s plausible, but I don’t know if it’s the exact field or not. Doesn’t really matter, it was neat to see and think about that time in history. We then drove to <a href="https://en.wikipedia.org/wiki/Tel_Megiddo">Megiddo</a> which is on the edge of the Jezreel Valley. The neat thing about this place is that the Jezreel Valley is also known as Armageddon, or where the end-time battle will be fought according to the book of Revelation. There is debate as to whether it is symbolic or literal… we’ll leave the theology alone but suffice it to say, it was an interesting place to be! From there we went to the <a href="http://www.land-of-the-bible.com/Gideons_Spring">Gideon Springs</a> which is a really pretty place, and then to <a href="http://www.nazarethvillage.com/">Nazareth Village</a> which is a neat little place that recreates what things would have looked like in Nazareth 2000 years ago. We saw an old wine press, an old olive press, some very interested-in-humans sheep, a woman who spun wool into thread and was making a blanket, an old tomb, old synagogue, etc. It was really neat. Nazareth does not look like that anymore! Here in Edmonton we have a place called Fort Edmonton Park that recreates what it looked like for the settlers here.. this was the same kind of idea. From there we went to the <a href="https://en.wikipedia.org/wiki/Mount_Precipice">Mount of the Precipice</a> where Jesus announced himself as Messiah and the crowd tried to push him off the cliff. The view from up here was stunning… you could see the countryside and the Valley of Jezreel for miles in all directions. Got some really neat pictures up here. No one tried to leap off, thankfully. After this we headed to Tiberias on the Sea of Galilee where we spent the night.</p>
<p>Sunday we got up and drove north through the <a href="https://en.wikipedia.org/wiki/Golan_Heights">Golan Heights</a> which was beautiful on our way to Tel Dan. This place was amazing! We got to see the old city gates and an old altar, and then found the place where <a href="https://bible.org/seriespage/9-tel-dan-worshipping-altar-convenience">Jeroboam had built an altar to God</a> and told the people that if it was too much effort to go to Jerusalem to sacrifice to God, they could do it there (a big no-no you can read about in 1 Kings 12). We also saw a Canaanite gate that they call <a href="https://www.haaretz.com/4-000-year-old-abraham-s-gate-reopened-to-public-after-painstaking-restoration-work-1.5089039">Abraham’s Gate</a> which they estimate is 4000 years old. This was incredible to see! After that we went to the Sea of Galilee and took a boat ride on it, looked at the Boat Museum where we saw the remains of an excavated fishing boat that is 2000 years old (they call it the <a href="https://en.wikipedia.org/wiki/Sea_of_Galilee_Boat">Ancient Galilee Boat</a> or the Jesus Boat). After this we went to <a href="https://en.wikipedia.org/wiki/Church_of_the_Primacy_of_Saint_Peter">Saint Peter’s Primacy</a> where they figure he was when he became the first pope of the church (only Catholics think this of course). After this we went to the ruins of Capernaum, then to the Jordan River baptism site (this place amused me because the Jordan River is <em>not</em> clean, yet they sell Holy Water from the Jordan that is as crystal clear as… tap water… hmmm… perhaps Purified Water from the Jordan River?). Finally we went back to the hotel in Tiberias.</p>
<p>On Monday, Feb 26, we travelled to the Israel/Jordan border and crossed into Jordan. We went to the ruins of Gadara, which was one of the cities of the Decapolis. I have fallen in love with ruins… ghost towns with so many stories to tell! The basalt theatre ruins were really neat to see. From there we went to <a href="https://en.wikipedia.org/wiki/Jerash">Jerash</a>, another of the Decapolis (Decapolis was a group of ten cities in the ancient Roman Empire) which are better preserved than Gadara and also exceptionally cool to see. We then drove to Amman and saw the <a href="https://en.wikipedia.org/wiki/Amman_Citadel">Amman Citadel</a>, in the ancient home of the Ammonite people. We spent the night in Amman (not at the Citadel). Amman is an interesting city… whereas the rest of Jordan that we saw was dirty with lots of garbage lying around, Amman is a mix of “modern big city” they are keeping clean and “old city” that looks rough like other parts of Jordan. I was surprised by how modern parts of it were, given what I had seen to that point.</p>
<p>On Tuesday we drove out to <a href="https://en.wikipedia.org/wiki/Petra">Petra</a> which was one of my favourite parts of the trip. Petra is absolutely breathtaking! Too bad it’s ruined by so many peddlers of cheap wares that get really obnoxious and in your face. Some merchants were respectful enough, but a lot were downright rude and constantly in your face which made it hard to really enjoy it. I think I spent more time walking in the long entry to get to and from Petra just because it was quieter and the rock formations are amazing. After Petra we headed to the Dead Sea on the Jordan side and spent the night there.</p>
<p>On Wednesday we spent the morning at the Dead Sea which was much nicer and cleaner than on the Israel side (maybe because this hotel resort was right on the beach, and private, so they had incentive to keep it clean). We then headed out to <a href="https://en.wikipedia.org/wiki/Mount_Nebo">Mount Nebo</a> where Moses got a look at the Promised Land before he died. The view from up here is stunning! After that we crossed the border back into Israel and drove through <a href="https://en.wikipedia.org/wiki/Jericho">Jericho</a>, a city that is 11,000 years old (I was impressed with the Canaanite Gate at 4000 years!). We saw a sycamore tree, the one they call the <a href="http://shalomholytours.com/the-sycamore-tree/">Zacchaeus Tree</a>. I didn’t know what this kind of tree looked like even though I’ve known the story of Zacchaeus since I was a little kid, so that was neat to see. Finally we went to the <a href="https://en.wikipedia.org/wiki/Valley_of_Elah">Valley of Elah</a> where David fought Goliath, but it was too dark to really see much. This was on our way back to Tel-Aviv and the hotel we would spend too few hours sleeping in since we had to get up at 03:00 in order to leave for the airport at 04:00.</p>
<p>So Thursday was up at 03:00 (or 18:00 on Wednesday, Edmonton time) and from there we flew to Frankfurt, then to Toronto, then home. By the time we walked in our home on Thursday it was 22:00, or 28 hours after we had woken up to head home. None of us got much sleep on the flight so we were pretty bagged when we got home on March 1.</p>
<p>Some final thoughts. If you’ve made it this far, you no doubt are thinking that this wasn’t much of a “vacation” because it was really busy most days and you’d be right! We knew going into it that this was going to be busy… busier than work or school in terms of time (every day was, for the most part, leave the hotel at or around 8am and return at or around 7pm). Then there was all the walking. And hours in the bus. When my family takes a vacation we enjoy a leisurely pace and visit a handful of places during the day and take time at each place. But this was a once in a lifetime trip and given what we were going to see, we thought it worth it. At our normal pace, we would have required five trips of two weeks or would have had to stay two or three months to see it all.</p>
<p>And what we got to see was incredible. This was my first time to the Middle East, even though I’ve been reading about what I visited almost my entire life. It was exceptionally cool to see all the places and things, although I take the “this is the site of X” with a grain of salt… some of it is proven historically, some of it is just based on tradition. Either way, if we weren’t at the exact place, we were near it, which was enough for me.</p>
<p>So while it wasn’t a relaxing vacation in the traditional sense, it was an awesome experience. And it was a much-needed mental break from work and computers and security (although it wasn’t all entirely avoided!). And I’ve walked away with some new insights that I think will help me in the future, both on a practical and theological level. I’ve got a new appreciation for the culture and country of Canada, and have a new interest in the history of Israel <em>after</em> the events of the Bible as our local tour guide Angelina was great in sharing some of the more recent history of the places we were going.</p>
<p>Finally, I’d like to thank my good friend Mario who was our <a href="https://www.facebook.com/guriontourcanada">tour guide</a> (you can see some of his pictures from the trip on <a href="https://www.instagram.com/explore/tags/guriontour/">Instagram</a>). I wouldn’t have wanted to go with anyone else… he did an amazing job and I know it was stressful.</p>
<p>I’ll get some pictures up on Flickr in the next few days… there are about 1000 pictures to go through and clean up, but I’ll get a few up there soon! I’ll also write about some of the thoughts I had from a few of these places… most of this post just described the trip and not what I thought about in a lot of these places. To be honest, I’m still reflecting and thinking about things and still putting the pieces together… so much was crammed into such a small amount of time. Even writing this was helpful as it helped me remember some of the things we did, so while this may be interesting for some of you it’s mostly to help me remember the trip!</p>
<h2>Open Source is 20; Let’s Wander Down Memory Lane</h2>
<p>Published and updated 2018-02-11T00:45:00-07:00 by Vincent Danen (tag:annvix.com,2018-02-11:/blog/open-source-is-20-lets-wander-down-memory-lane)</p>
<p><img alt="Image" src="https://annvix.com/images/Mandriva_family_tree_11-06.png" /></p>
<p>I’m a week behind as the 20th anniversary of “Open Source” was a week ago. Back on February 3, 1998 the term “Open Source” was coined as a result of the decision of <a href="http://www.zdnet.com/article/netscape-offers-up-browser-source-code-for-free/">Netscape Communications Corp to give away the source code to its Netscape Navigator browser</a> earlier on January 23, 1998. Red Hat has a nice recap of what happened then in its <a href="https://www.redhat.com/en/blog/20th-anniversary-open-source">Celebrating the 20th anniversary of open source</a> blog post; ZDNet has another great writeup entitled <a href="http://www.zdnet.com/article/open-source-turns-20">Open source is 20: How it changed programming and business forever</a>.</p>
<p>My purpose in writing about this amazing milestone is mostly to wax nostalgic. I remember when Navigator’s source code was released. At that time I was in the collections industry bouncing around between being a collector and a sysadmin at one of the collection agencies I worked at then. Actually, as hateful of a job as that was, I’m grateful for it because it introduced me to <span class="caps">HP</span>-<span class="caps">UX</span>, which piqued my interest in operating systems other than <span class="caps">DOS</span> or Windows. In fact, it was when I was working at the first collection agency where I did sysadmin work that I picked up my first non-Microsoft operating system to play with at home (<span class="caps">OS</span>/2 Warp 4).</p>
<p>My first foray into Linux was trying out Slackware (I don’t remember which version, I just remember borrowing a bunch of floppies from a friend to try it). I also remember trying out Yggdrasil, and I’m pretty sure that one was on <span class="caps">CD</span>. Neither of them at that time (probably mid-90s) was very attractive to me. Using an already installed and configured <span class="caps">HP</span>-<span class="caps">UX</span> system at work was one thing, installing Linux back then was not very user-friendly for someone getting into *nix for the first time.</p>
<p>My first Linux install that really took was Red Hat Linux 5.0. <span class="caps">OS</span>/2 was my day-to-day system, but Linux was interesting to me for a variety of reasons. This was back when the term “free software” was used; “Open Source” was yet to come. I remember it being pretty ugly compared to <span class="caps">OS</span>/2 and I remember fighting with it, trying to make my <span class="caps">SCSI</span> <span class="caps">CD</span>-Writer work. I also remember my wife being annoyed that I spent so much time tinkering with garbage hardware (since I scrounged up anything I could) and fiddling with something that equally fascinated and frustrated me.</p>
<p>I was a <span class="caps">BBS</span> enthusiast, having run a <span class="caps">BBS</span> from high school, originally on <span class="caps">DOS</span> and then under <span class="caps">OS</span>/2 (which was <em>amazing</em> for running a <span class="caps">BBS</span> and being able to use it while others were dialled in). I moved through a bunch of different <span class="caps">BBS</span> software (Maximus/2, Renegade, Telegard… I’m actually shocked I remember some of these names so many years later!) and ended up using software called <span class="caps">BBBS</span>. It should be noted that during my <span class="caps">BBS</span> days I ran two different Fido-style networks (one for sysops and one for fantasy topics), wrote documentation for a number of different <span class="caps">BBS</span>-related utilities, wrote some utilities of my own, and was generally very much involved in the <span class="caps">BBS</span> “tools” community. When I started using <span class="caps">BBBS</span> I also <a href="https://www.bbbs.net/sysop.html">took over the documentation</a> and ran a documentation project on my Freezer Burn web site back then (more on Freezer Burn in a moment).</p>
<p>At any rate, <span class="caps">BBBS</span>/2 under <span class="caps">OS</span>/2 worked great until <span class="caps">IBM</span> decided to muck up a few fixpacks and I had a lot of trouble with <span class="caps">OS</span>/2 running my <span class="caps">BBS</span>. Thankfully, I had some exposure to Linux, and <span class="caps">BBBS</span> had their <span class="caps">BBBS</span>/Li version that ran on Linux. So I had an option to get my <span class="caps">BBS</span> running on a different, hopefully more stable, operating system than <span class="caps">OS</span>/2. The problem was I had only half-heartedly tinkered with Linux before and if I was going to do this I really needed to learn it. At that time, Linux-Mandrake 5.3 was my operating system of choice and I dove into learning it while trying to keep my <span class="caps">BBS</span> running and still doing my work as a collector (I made a conscious choice to fully remove <span class="caps">OS</span>/2 and replace it with Linux — no fallback and no choice but to learn by doing). And since I needed some utilities for my board that were not provided by Linux-Mandrake, I started getting involved in the community by providing fixes, patches, documentation updates, and new <span class="caps">RPM</span> packages, and that’s where things really got weird: within months I was writing Linux-related articles for a number of web sites like Tech Republic, trying to evangelize Linux locally and through my Freezer Burn web site, started my own consulting company, and eventually was asked to work for MandrakeSoft (which I started to do in 2000).</p>
<p>The local evangelism didn’t work out well, although I did meet some interesting like-minded people locally as a result. The “general packager and documentation” role turned into docs and “the odd security fix” so that Chmouel (our then security packager) could focus more on kernel work. I was assured it wouldn’t take much time (which was largely true, for about a year). And the rest, as they say, is history. There was soon enough no more time to work on documentation <em>and</em> security, so security took precedence and I was a one-man security team for Mandriva for many years until I got a few people able to help. Fun fact: the entire security build and release system for Mandriva ran in my basement, built and written entirely by me. Another fun fact: the entire release system for advisories and package uploads, urpmi metadata updates, etc. was done by a series of commandline <span class="caps">PHP</span> scripts (I did mention earlier that I didn’t write in C, right?). Say what you want, but the original scripts that I started with were written in Perl and the <span class="caps">PHP</span> rewrite was about 2x as fast and much easier for me to work on (because while working for MandrakeSoft I also did a lot of web design and hosting, so I spent a lot of time working in <span class="caps">PHP</span>).</p>
<p>Here’s the real kicker: Open Source allowed me to fork Mandriva, reduce it and change it into Annvix because I wanted something with a greater security focus. It gave me the opportunity to learn and spend a significant number of years building my own community, reusing the work others had done, and giving away the changes I had made to that work — to everyone who was interested. I couldn’t have done that with any other operating system at the time, and the learning opportunities it afforded me were invaluable. Without Open Source, that sort of thing would not have been possible.</p>
<p>Eventually, after 9 years at Mandriva I left to come to Red Hat and celebrated 9 years here when Open Source celebrated its 20th anniversary. Even the shift and growth in Open Source in the last 9 years amazes me. When I joined Red Hat, <span class="caps">RHEL6</span> was in beta and the current release was <span class="caps">RHEL</span> 5.3. Things that I take for granted now, like OpenStack and OpenShift, containers… these things didn’t exist.</p>
<p>I look back and see that out of the 20 years of Open Source, I’ve spent 18 of them working directly for Open Source companies… companies that devoted all they had to benefit from and contribute to Open Source. One didn’t make it, despite being an excellent distro and having some amazing co-workers (many of whom, thankfully, are now also at Red Hat!), and one did. I remember the shock and pride when we were able to say we were <a href="http://www.businessinsider.com/its-official-red-hat-becomes-the-first-1-billion-open-source-company-2012-3">the first $1B Open Source company</a> in 2012. Four years later in 2016 we were <a href="http://www.zdnet.com/article/red-hat-becomes-first-2b-open-source-company/">the first $2B Open Source company</a>. While there are many companies that bet on Open Source and failed, there are many that succeeded — but those are not the only success stories of Open Source. The fact that companies like <span class="caps">IBM</span> and Microsoft embrace Open Source today is a testament to the work that the Open Source community has done in 20 years.</p>
<p>The fact that non-tech companies like WalMart and other retailers not only use Open Source but create it is amazing. The fact that home stereo systems, TVs, cell phones, and much of the technology we take for granted today would not exist without Open Source really makes me grateful that I am able to be a part of this epic journey.</p>
<p>In fact, I honestly don’t know what I would be doing today if it wasn’t for Open Source. My mind can’t even fathom its absence.</p>
<h2>2017: A Retrospective</h2>
<p>Published and updated 2017-12-30T15:00:00-07:00 by Vincent Danen (tag:annvix.com,2017-12-30:/blog/2017-a-retrospective)</p>
<p><img alt="Image" src="https://annvix.com/images/2017-eyeball.jpg" /></p>
<p>Last year <a href="https://annvix.com/blog/2016-a-retrospective">I wrote a retrospective</a> and it was interesting to read it at the end of this year so I’ve decided to do it again. What can I say about 2017?</p>
<p>From a work perspective, this was a crazy year. The vulnerabilities we had to deal with this year were pretty significant, things like Blueborne and <span class="caps">KRACKS</span> and others that created a lot of work for the team. To say it was a painful year would be an understatement, to be honest. We put our <a href="https://access.redhat.com/blogs/766093/posts/2950971">Customer Security Awareness</a> (CSAw) process to work more times than I would like.</p>
<p>Aside from that, just the goings-on (that didn’t affect Red Hat) were simply painful to watch. The Equifax breach was bad. Really, really bad. And watching how it was handled was distressing. Thankfully we did not have to deal with that Struts2 vulnerability. And there were other data breaches that were bad as well — the news that the Yahoo! breach was even worse than originally reported, Uber having paid off the miscreants that ran off with their data… there were others and if we thought 2016 was bad, I think 2017 took the cake and 2018 will be even worse. IdentityForce has a <a href="https://www.identityforce.com/blog/2017-data-breaches">list of the 2017 data breaches</a> that you can read. 2018 will be interesting in that these breaches will be painful <em>and</em> expensive, thanks to the European <span class="caps">GDPR</span> (<a href="https://en.wikipedia.org/wiki/General_Data_Protection_Regulation">General Data Protection Regulation</a>) which I think is ultimately a good thing even though it will make life miserable for the people who need to be compliant.</p>
<p>On the personal side, this was another year of growth. Personally, within the area of work, there were more responsibilities and more people to be responsible for. It was a challenging year of new responsibilities. Very little code was written in 2017, probably the least amount of code I’ve written in the last 15 years or so. Except the last two days — I spent the last two days taking the time to finally get this site updated; you should notice the differences. They’re subtle, but I think they give it a nice level of polish and the entire look is a little simpler. I’ve not had the opportunity all year to spend this much time fiddling with code and it was nice (even if most of it was <span class="caps">HTML</span>, it was still fun work). I think the days of putting my head down and losing myself for hours at a time writing Python code are behind me, which makes me a little sad.</p>
<p>One of the hats I wear is that of a District Pastor for Christcity church, which is effectively nothing more than being a shepherd (or leader) for a small flock (our church has seven districts in and around the city and my wife and I are in charge of one). This means we’re available to help those in need, pray for people, provide guidance and counsel, and just be available for people. We visit sick people in the hospital as well, and this year we had to deal with our first death as District Pastors. It was even harder as this wonderful woman who passed worked with us when we used to teach at the women’s prison years ago. She was an amazing woman, very gentle and quiet, and a good friend to my wife and me. My wife used to take her to cancer treatment appointments, we’d visit with her, helped her move when her apartment got to be too much for her to handle, and so on. It was tough to watch her go from a woman full of life and energy to a shadow of herself. We were fortunate enough to visit her a few days before she died, although that was a difficult visit to make. We’ve lost people in the past and this certainly was not our first funeral, but this was different because she was in our spiritual charge. Barb, you will be missed. Thank you for who you were and it was a distinct honour and privilege to be able to know you and count you as a good friend.</p>
<p>Unfortunately, I didn’t really get much time to blog this past year. I had hoped to write more. I also didn’t have much time for podcasting either… this was a busy year. How much time I will have for either next year is a huge unknown.</p>
<p>2017 was a tough year, but overall it was good. I feel like a lot of the change and challenges in 2016 prepared me for 2017, which in turn prepares me for 2018. I think 2018 is going to be another year of growth and change. There are a lot of professional challenges that need to be taken on and I’m glad I work with some amazing people that get to share in the work with me. There is much yet to be done!</p>
<h2>Working Remotely</h2>
<p>Published and updated 2017-09-30T20:00:00-06:00 by Vincent Danen (tag:annvix.com,2017-09-30:/blog/working-remotely)</p>
<p><img alt="Image" src="https://annvix.com/images/busy-1972122_1280.jpg" /></p>
<p>I’ve read a few articles lately about working from home and some best practices for working remotely, and other topical guidance around the subject of working from home. I always find these articles fascinating because I want to see if there’s something I am missing or doing wrong. Maybe there’s a way I can boost my own productivity. Some insight. <em>Something</em>.</p>
<p>Inevitably I finish the article, sigh, and carry on. The suggestions they make are sometimes silly, and sometimes they are no-brainers. And since I’ve not written on this blog for a while, I figured I would write about what my day as a remote worker looks like. It may also be useful for friends and family to realize that just because I’m home, it doesn’t necessarily mean I’m available. Sometimes I think people figure I don’t work and can drop anything whenever <em>they</em> like. (I wish!)</p>
<p>So, as a preamble, I’ve worked from home since 2000. It’s not something I’ve done for a few weeks or months or even years. I’ve been working from home for about 17 years now, and as a result I think I’ve developed an allergy to working in the office. I find it very, very difficult to work from an office these days. I do have to work from an office maybe once or twice a year (usually in a different country though!). The benefits of meeting some of my coworkers and associates outweigh the temporary discomfort of putting jeans on and working in an office, so I do want to state up front that when working from an office is required, I usually don’t mind… probably because it doesn’t happen too often. =)</p>
<p>If I could sum up working from home in one word it would be <strong>discipline</strong>. This is absolutely the 100% most useful skill you need (and can develop) to work remotely from home. Every time I read articles on this topic, however, they don’t call it out specifically. They give you ideas and routines to adopt, but they don’t tell you that in order to adhere to these things you need to be <strong>disciplined</strong> to be successful. Tools and tricks are helpful, but they are easy to work around. So from here on out, every topic has one underlying premise: you must have, or you must develop, discipline in order to be successful and performant when working from home.</p>
<p>That being said, let’s go through some of the things that are usually suggested for remote workers and I’ll share my thoughts.</p>
<h2 id="getting-dressed-for-work">Getting Dressed for Work</h2>
<p>Most of these sites tell you that you need to get dressed for work, even if work is at home. I suppose this is because we’ve conditioned ourselves that “dressing for success” is a requirement, but I expect it’s more basic than that. Just get out of bed! Do <em>not</em> work in your bed. Beds are meant for sleeping in, and the same reasoning behind going to bed to sleep rather than play games or read or watch YouTube goes here: if you turn your bed into something other than a place to sleep, your brain won’t properly shut down when you get into bed. You’re conditioning your brain to think of your bed no differently than your couch or your desk — places where sleeping is generally a bad idea. Well, for most people. This doesn’t seem to be the case with my wife who can watch YouTube, roll over, and be out. This is not the case for me.</p>
<p>So, having said that, here’s my perspective. I am a gloriously unapologetic pajama-wearing person. My “pajamas”, mind you, usually consist of a t-shirt and pajama pants, so I’m semi-dressed: I just don’t put on jeans. Ok, maybe this is <span class="caps">TMI</span> but the conventional suggestion of “dressing for work” doesn’t cut it for me (and while I may mow the lawn in pajama pants, I’ve certainly never showed up to an office in pajama pants). Sitting long hours behind a computer makes me desire to be comfortable. Pajama pants are <em>comfy</em> and so I wear them. I do get dressed when I need to go somewhere though… the idea of being stranded on the side of the road in pajama pants is a little horrifying. But from home, why not? This is one of the perks from working from home. Big thing is getting out of bed and moving to a working space. Oh, just don’t wear the pajamas you sleep in during the day, at the very least put on your “daytime” pajamas and set aside your “nighttime” pajamas.</p>
<h2 id="designated-work-space">Designated Work Space</h2>
<p>Most people/articles suggest you have a designated work space. I couldn’t agree more. If you live alone, I suppose it could be just about anywhere that isn’t your bed. If you don’t, I would strongly suggest a space with a door. A different or dedicated room devoted to all things work so that when you’re in it, you know you’re working (and just as importantly, others know you are working). Maybe it’s the psychological aspect of it, but being in a separate dedicated “office” (with a door) is a great way to maintain focus. I actually don’t ever close my door. My daughter or my wife can wander in as they please. They know that when my headset is on, chances are if they walk too far in someone will spot them via a video chat so that’s enough of a deterrent. But they know when I’m in here, I’m (usually) working. And more importantly, <em>I</em> know when I’m down here that I’m working. It’s a way to set that boundary between work and home. Which leads to the next point.</p>
<h2 id="maintain-worklife-balance">Maintain Work/Life Balance</h2>
<p>This is probably one of the hardest things to do, because one of the great benefits of working from home is that you can take care of personal things while also dealing with work things. But, without the aforementioned <em>discipline</em> you can find yourself doing more personal things than work things and this can be an easy trap to fall into, particularly if you’re new to remote work. For me, having a set of firm understandings with myself and with those around me really helps. So here’s my list of required things for making sure that I can maintain that work/life balance.</p>
<h3 id="set-a-start-time-and-stick-to-it">Set a start time and stick to it</h3>
<p>I get up every morning at 6:30 and start at 8:00 on the nose. There are odd days when I need to get up earlier, but I never get up later. This 1.5 hours before I start working gives me a lot of time to get started and alert without starting my work day 10 minutes after I roll out of bed (been there, did that for many years). This gives me ample opportunity to use what could have been a commute to get myself oriented for the day. I’m not a breakfast person, so this involves some coffee, some time spent reading the Bible, some time spent in prayer, and some time spent exercising. Skipping this routine usually means I’m not at my best. Whatever your routine needs to be, set out enough time before you start so that your work time is highly productive time (some people go for meditation, go for a swim, play with your kids, whatever it is that gets your blood moving and your mind alert). I don’t know about you, but 10 minutes after I get out of bed I don’t even register my own name so starting to work at that time, and trying to be performant, doesn’t really happen and that first hour of work would be spent simply waking up and not being very effective. Also note that I am <em>not</em> a morning person so when I started doing this it took a huge amount of discipline and not a little internal complaining, but it has been well worth it.</p>
<h3 id="set-boundaries">Set boundaries</h3>
<p>This is of huge importance. My family knows that my working at home isn’t because we’re independently wealthy and that the work done here actually pays the bills. They also know that without the job, we don’t eat, which makes it rather important. They also know that if I can get the work done, I have more time for them in the evenings. Making this understanding clear, they treat me, at home, as though I were in the office. They don’t sneak around like little church mice so as not to disturb me, but they know to keep their disturbances to a minimum. I am, however, always available if they need it and no one gets barked at if they do interrupt me with good reason. I also try (and mostly fail) to step away from the computer and get out of the office for a break every hour or so (either to grab coffee or water, etc.) and they grab me at those times if they need to. The big point here is to make sure that those significant people in your life know that if they interrupt you when you’re working you will be distracted. Those interruptions are costly, and tend to get paid for with “over time” and that simply robs everyone of quality time later. I am not someone who wants to be thinking about work for 16 hours a day because of constant interruptions.</p>
<p>They say it takes you, on average, about 10 minutes to get “into the zone” when you’re doing creative work. When you’re in the zone and interrupted, not only does it cost you the time of the interruption (say, 5 minutes) but it also costs you another 10 minutes to get back to where you were before. If you get two 5 minute interruptions every hour, you’re only doing 30 minutes of efficient work every hour. That is not what I would consider performant. Forbes has an interesting article called <a href="https://www.forbes.com/sites/markmurphy/2016/10/30/interruptions-at-work-are-killing-your-productivity/#45a746a01689">Interruptions At Work Are Killing Your Productivity</a> that is worth a read on this topic. Suffice it to say, if you want to feel good about (and maintain) an 8 hour workday, you want to minimize those interruptions.</p>
<h3 id="time-away-from-work">Time away from work<a class="headerlink" href="#time-away-from-work" title="Permanent link"> </a></h3>
<p>Another important aspect to working at home is to make time for other activities away from work. This is where having a separate workspace is useful, but sometimes it also means being intentional about how tethered to work you’re going to be. I used to get work email going to my phone, along with the wonderful dings to remind me that someone wanted something from me. This doesn’t help! Now, while I can still check work mail on my phone if I want, it no longer alerts me in any way (not even visually). I can still be reached easily enough in an emergency (a voice call, text message, etc.) but I don’t let mail alert me when I’m away from my desk. While not everyone can do this if they’re on call or have certain obligations, being binged about things that I really don’t need to care about at this point in time can be a real distraction in what should be downtime.</p>
<p>Also, given you’re working at home and not in an office with its implicit social environment, you need to take time to get around people (unless you hate people, in which case ignore this advice). I love hanging out with my family and I have plenty of home projects to do so there is no shortage of things to do outside of work. I’m not a big bar/club/coffee person, so am not one to go out to social environments like that. For me, I spend quite a bit of my time at my church and with my church family and that meets my social needs and gets me hanging out with people. I really value these times because they get me out of my work environment and keep me away from that ever-present temptation of work around the corner (which is literally the case for a remote worker). They also keep me centred and keep me focused on the important things in life and keep my priorities in perspective.</p>
<p>In conclusion, working remotely is a huge benefit to me, to my family, and to Red Hat as well. I find I’m more productive since I’ve managed to minimize interruptions from home (still working on managing those from work, but at least you can ignore an <span class="caps">IRC</span> ping a little easier than someone walking into your office!). And if I can be more productive at home in those regular working hours, it means that time spent away from work can be had without thinking about work... if the internet isn’t on fire, that is. Remote work can be exceptionally rewarding, but for it to be effective for both you <em>and</em> your employer, some care has to be taken to do it well so that you can reap the benefits, and your employer can as well.</p>
<p>I enjoy reading articles about working remotely, and see the value in them given so many more people are working remotely now than when I started. They’ve not really taught this old dog any new tricks, but for those new to this working from home game, or for those struggling with it, take some time to hunt them down (I won’t list any, but there are a lot), read the advice and instead of overhauling everything at once, go for those incremental and impactful changes, and consistently seek to improve yourself. Remember, it boils down to one thing: <em>discipline</em>.</p>Red Hat Container Health Index2017-05-02T14:00:00-06:002017-05-02T14:00:00-06:00Vincent Danentag:annvix.com,2017-05-02:/blog/red-hat-container-health-index<p><img alt="Image" src="https://annvix.com/images/rhsummit.png" /></p>
<p>Today is the first day of Red Hat Summit 2017, this year in Boston. I’m not there, but am thoroughly enjoying watching the keynotes and other interviews via <a href="https://www.redhat.com/en/summit/2017?intcmp=701600000012CyGAAU">TheCube on Summit</a>. One of the big things that we’ve been working on for a while that was announced today is the Container Health Index within our <a href="https://access.redhat.com/containers">Red Hat Container Catalog</a>. I’m not going to go into detail here as I’ve already done that via a blog post in the Red Hat Customer Portal entitled <a href="https://access.redhat.com/blogs/product-security/posts/container-security-scoring">Security Scoring and Grading for Containers and Images</a>.</p>
<p>You can also read the <a href="https://investors.redhat.com/news-and-events/press-releases/2017/05-02-2017-143054640">press release</a> for more information as well.</p>
<p>This is pretty exciting because it’s great to see the realization of all this effort between a <em>lot</em> of people across a <em>lot</em> of teams. Kudos to the many fine folks who put a lot of blood, sweat and tears into this!</p>Virtualized Linux guest in FreeNAS 9.10 using iohyve2017-03-24T16:00:00-06:002017-03-24T16:00:00-06:00Vincent Danentag:annvix.com,2017-03-24:/blog/virtualized-linux-guest-in-freenas-9-10-using-iohyve<p><img alt="Image" src="https://annvix.com/images/freenas.jpg" />During the day I’m a manager of one of the greatest security teams on the planet (in my biased estimation), but at night (and random times throughout the day), I’m a sysadmin tinkerer. There’s just something about goofing off with operating systems that appeals to me; this is likely what caused me to devote five years of my life to working on Annvix back in the day.</p>
<p>I’ve been running a local <a href="https://www.freeipa.org/page/Main_Page"><span class="caps">IPA</span></a> install for quite a few years, but because you really need <span class="caps">IPA</span> to run on its own dedicated system (and given I have enough machines running in this house) I’ve been using <span class="caps">KVM</span> to handle the virtualization of an <span class="caps">IPA</span> server. <span class="caps">IPA</span> is really cool and allowed me to discard my homegrown <span class="caps">LDAP</span>+Kerberos setup for something with some enterprise gusto to manage authentication, identification, and authorization policies for my home network (insert obligatory comment about overkill here). I started using <span class="caps">IPA</span> on CentOS 6 and a year ago moved both guest and host to CentOS 7 which is working pretty well other than, for some odd reason, python is randomly segfaulting at times. I don’t know what the cause is, I’ve filed abrt reports, and it’s a concern when the language that your system updater is based on decides to start crashing before installing updates or, even worse, during the installation of updates and making a mess of things (this does <em>not</em> make <span class="caps">RPM</span> happy!). The oddest thing is that none of the other CentOS 7 systems (on bare metal) exhibit this behaviour.</p>
<p>The other problem is if my <span class="caps">IPA</span> server decides to tip over, I don’t have a failover setup (again this being at home). So while I was thinking about the best way to stand up another <span class="caps">IPA</span> server as a replicating slave to then promote it to the master and migrate away from whatever is causing all these nasty segfaults, I was reminded by FreeNAS that an update was available for it, and I started thinking about jails and whether they would run Linux. After starting down the rabbit trail, I found out about <a href="https://github.com/pr1ntf/iohyve">iohyve</a> which is a FreeBSD (what FreeNAS is based on) <a href="https://en.wikipedia.org/wiki/Bhyve">bhyve</a> manager. Bhyve is a hypervisor that runs on FreeBSD, basically like <span class="caps">KVM</span> (which I’ve been using) or OpenVZ (which I’ve used with <span class="caps">VPS</span> hosting), or Xen.</p>
<p>So bhyve is for FreeBSD what <span class="caps">KVM</span> is for Linux. And this is where the sysadmin/tinkerer/geek in me thinks “cool” and away disappears a weekend.</p>
<p>For the purposes of this post/tutorial, you need to be running FreeNAS 9.10 (you can probably do this easily enough with FreeBSD, but I’ve not tried). There is also documentation on <a href="https://doc.freenas.org/9.10/jails.html#using-iohyve">Using iohyve</a>.</p>
<p>From your FreeNAS system you need to know your ethernet interface name (in the web <span class="caps">UI</span> go to <strong>Network -> Network Interfaces</strong>, in my case <em>em0</em>) and the storage pool name (<strong>Storage -> Volumes</strong>, in my case the pool is named <em>storage</em>). The actual setup of iohyve needs to be done as root over <span class="caps">SSH</span>, so you’ll need that running as well.</p>
<p>As root, we need to create the environment iohyve requires. I used the following commands to create the pool for its use:</p>
<div class="highlight"><pre><span></span><span class="cp"># iohyve setup pool=storage kmod=1 net=em0</span>
<span class="n">Setting</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">iohyve</span><span class="w"> </span><span class="n">pool</span><span class="p">...</span>
<span class="n">On</span><span class="w"> </span><span class="n">FreeNAS</span><span class="w"> </span><span class="n">installation</span><span class="p">.</span>
<span class="n">Checking</span><span class="w"> </span><span class="n">for</span><span class="w"> </span><span class="n">symbolic</span><span class="w"> </span><span class="n">link</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="o">/</span><span class="n">iohyve</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">iohyve</span><span class="p">...</span>
<span class="n">Symbolic</span><span class="w"> </span><span class="n">link</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="o">/</span><span class="n">iohyve</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="o">/</span><span class="n">mnt</span><span class="o">/</span><span class="n">iohyve</span><span class="w"> </span><span class="n">successfully</span><span class="w"> </span><span class="n">created</span><span class="p">.</span>
<span class="n">Loading</span><span class="w"> </span><span class="n">kernel</span><span class="w"> </span><span class="n">modules</span><span class="p">...</span>
<span class="n">bridge0</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="n">already</span><span class="w"> </span><span class="n">enabled</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">machine</span><span class="p">...</span>
<span class="n">Setting</span><span class="w"> </span><span class="n">up</span><span class="w"> </span><span class="n">correct</span><span class="w"> </span><span class="n">sysctl</span><span class="w"> </span><span class="n">value</span><span class="p">...</span>
<span class="n">net</span><span class="p">.</span><span class="n">link</span><span class="p">.</span><span class="n">tap</span><span class="p">.</span><span class="n">up_on_open</span><span class="o">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">-></span><span class="w"> </span><span class="mi">1</span>
</pre></div>
<p>This tells iohyve to install the required <span class="caps">ZFS</span> datasets and kernel modules. We use <code>kmod=1</code> to tell iohyve to load the required kernel module, <code>pool=storage</code> tells it which pool to use for files (in this case, <em>storage</em>) and <code>net=em0</code> sets up the network bridge to this interface (iohyve can only be bound to a single interface). You can use multiple pools for iohyve, however I only have one pool on the system.</p>
<p>Next, you need to create a few tunables in FreeNAS. Heading back to the web <span class="caps">UI</span>, go to <strong>System -> Tunables</strong> and create the following two tunables:</p>
<ul>
<li>variable: <strong>iohyve_enable</strong>, values: <strong><span class="caps">YES</span></strong>, type: <strong>rc_conf</strong></li>
<li>variable: <strong>iohyve_flags</strong>, values: <strong>kmod=1 net=em0</strong>, type: <strong>rc_conf</strong></li>
</ul>
<p>The <strong>iohyve_enable</strong> variable tells FreeNAS to load iohyve support at boot, and the <strong>iohyve_flags</strong> are the same kmod and net options we used when setting up iohyve initially.</p>
<p>The next step is to download an <span class="caps">ISO</span> image for iohyve to use for installing a virtual machine. In my case, I want to run CentOS 7. There are plenty of <a href="http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1611.iso">mirrors</a> to choose from for the minimal <span class="caps">ISO</span> which is probably what you want since you can install any specific software required using yum after it’s installed.</p>
<div class="highlight"><pre><span></span><span class="gh">#</span> iohyve fetch http://centos.mirror.iweb.ca/7/isos/x86_64/CentOS-7-x86_64-Minimal-1611.iso
Fetching http://centos.mirror.iweb.ca/7/isos/x86_64/CentOS-7-x86_64-Minimal-1611.iso...
/iohyve/ISO/CentOS-7-x86_64-Minimal-1611.iso/C100% of 680 MB 9 MBps 01m08s
</pre></div>
<p>You need to use iohyve to fetch the <span class="caps">ISO</span> image (somewhat annoyingly) so you can’t just copy an existing <span class="caps">ISO</span> over (although I believe you can do a fetch over <span class="caps">NFS</span> or provide it locally via <span class="caps">HTTP</span> from another system on your network).</p>
<p>Once you have the <span class="caps">ISO</span> downloaded, you can configure a new virtual machine. Check to make sure you have the <span class="caps">ISO</span> available:</p>
<div class="highlight"><pre><span></span><span class="gh">#</span> iohyve isolist
Listing ISO's...
CentOS-7-x86_64-Minimal-1611.iso
</pre></div>
<p>Then, to create the machine with <span class="caps">20GB</span> of space (the same size as my existing <span class="caps">KVM</span> machine for <span class="caps">IPA</span>, which is more than enough):</p>
<div class="highlight"><pre><span></span># iohyve create ipa-slave 20G
Creating ipa-slave...
# iohyve list
Guest VMM? Running rcboot? Description
ipa-slave NO NO NO Sun Mar 12 16:39:10 MDT 2017
</pre></div>
<p>Now you can configure the specifics of the machine:</p>
<div class="highlight"><pre><span></span><span class="c1"># iohyve set ipa-slave ram=1G cpu=1 os=custom loader=grub-bhyve</span>
<span class="n">Setting</span><span class="w"> </span><span class="n">ipa</span><span class="o">-</span><span class="n">slave</span><span class="w"> </span><span class="n">ram</span><span class="o">=</span><span class="mi">1</span><span class="n">G</span><span class="o">...</span>
<span class="n">Setting</span><span class="w"> </span><span class="n">ipa</span><span class="o">-</span><span class="n">slave</span><span class="w"> </span><span class="n">cpu</span><span class="o">=</span><span class="mf">1.</span><span class="o">..</span>
<span class="n">Setting</span><span class="w"> </span><span class="n">ipa</span><span class="o">-</span><span class="n">slave</span><span class="w"> </span><span class="n">os</span><span class="o">=</span><span class="n">cuscom</span><span class="o">...</span>
<span class="n">Setting</span><span class="w"> </span><span class="n">ipa</span><span class="o">-</span><span class="n">slave</span><span class="w"> </span><span class="n">loader</span><span class="o">=</span><span class="n">grub</span><span class="o">-</span><span class="n">bhyve</span><span class="o">...</span>
</pre></div>
<p>This sets my virtual machine to have <span class="caps">1GB</span> of <span class="caps">RAM</span>, use one virtual <span class="caps">CPU</span>, use the “custom” operating system type (we need this later, even though we will be using CentOS 7), and uses the grub-bhyve loader which is required by Linux guests. The <a href="https://github.com/pr1ntf/iohyve/wiki">iohyve wiki</a> has more details on operating system types and which values to use depending on which Linux operating system you intend to install.</p>
<p>When using a CentOS 7 guest, iohyve currently cannot boot from an <span class="caps">XFS</span> partition (which is the default), and due to the limitations of the commandline installer, we can’t tell Anaconda to use something other than <span class="caps">XFS</span>. Another thing I found, with some trial and error, is you want to use traditional partitions and not the <span class="caps">LVM</span>-based partition scheme (so plan out your filesystem in advance to ensure you have enough size!). This is the main reason for using the “custom” operating system type. We’ll fix that later.</p>
<p>To work around this, we’ll use a simple kickstart file to get us to a minimal working system from which we can install the rest of what we want.</p>
<p>In order to make grub boot and use the kickstart file, you need to edit <code>/iohyve/ipa-slave/grub.cfg</code> so it looks like:</p>
<div class="highlight"><pre><span></span>linux (cd0)/isolinux/vmlinuz inst.ks=http://somewhere.internal/ks.cfg
initrd (cd0)/isolinux/initrd.img
boot
</pre></div>
<p>and the <code>ks.cfg</code> file would look something like (see the <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html">documentation</a> for more info):</p>
<div class="highlight"><pre><span></span><span class="cp">#version=RHEL7</span>
<span class="cp"># System authorization information</span>
<span class="n">auth</span><span class="w"> </span><span class="o">--</span><span class="n">enableshadow</span><span class="w"> </span><span class="o">--</span><span class="n">passalgo</span><span class="o">=</span><span class="n">sha512</span>
<span class="cp"># Use CDROM installation media</span>
<span class="n">cdrom</span>
<span class="cp"># Use text install</span>
<span class="n">text</span>
<span class="cp"># Run the Setup Agent on first boot</span>
<span class="n">firstboot</span><span class="w"> </span><span class="o">--</span><span class="n">enable</span>
<span class="n">ignoredisk</span><span class="w"> </span><span class="o">--</span><span class="n">only</span><span class="o">-</span><span class="n">use</span><span class="o">=</span><span class="n">sda</span>
<span class="cp"># Keyboard layouts</span>
<span class="n">keyboard</span><span class="w"> </span><span class="o">--</span><span class="n">vckeymap</span><span class="o">=</span><span class="n">us</span><span class="w"> </span><span class="o">--</span><span class="n">xlayouts</span><span class="o">=</span><span class="err">'</span><span class="n">us</span><span class="err">'</span>
<span class="cp"># System language</span>
<span class="n">lang</span><span class="w"> </span><span class="n">en_US</span><span class="p">.</span><span class="n">UTF</span><span class="mi">-8</span>
<span class="cp"># Network information</span>
<span class="n">network</span><span class="w"> </span><span class="o">--</span><span class="n">bootproto</span><span class="o">=</span><span class="k">static</span><span class="w"> </span><span class="o">--</span><span class="n">device</span><span class="o">=</span><span class="n">eth0</span><span class="w"> </span><span class="o">--</span><span class="n">gateway</span><span class="o">=</span><span class="mf">192.168.1.1</span><span class="w"> </span><span class="o">--</span><span class="n">ip</span><span class="o">=</span><span class="mf">192.168.1.16</span><span class="w"> </span><span class="o">--</span><span class="n">nameserver</span><span class="o">=</span><span class="mf">192.168.1.1</span><span class="w"> </span><span class="o">--</span><span class="n">netmask</span><span class="o">=</span><span class="mf">255.255.255.0</span><span class="w"> </span><span class="o">--</span><span class="n">noipv6</span><span class="w"> </span><span class="o">--</span><span class="n">activate</span>
<span class="n">network</span><span class="w"> </span><span class="o">--</span><span class="n">hostname</span><span class="o">=</span><span class="n">ipa</span><span class="o">-</span><span class="n">slave</span><span class="p">.</span><span class="n">mydomain</span><span class="p">.</span><span class="n">com</span>
<span class="cp"># Root password</span>
<span class="n">rootpw</span><span class="w"> </span><span class="o">--</span><span class="n">iscrypted</span><span class="w"> </span><span class="n">$6$</span><span class="o">/</span><span class="n">GdEAa2DwhlmU</span><span class="p">.</span><span class="n">Vr$R</span><span class="o">/</span><span class="n">L</span><span class="p">.</span><span class="n">fEc6QwtFiTMLd04HR1SuS7NrsdA</span><span class="p">.</span><span class="n">NuQyQ17RbBk8p37oGD</span><span class="o">/</span><span class="n">hVvRIOw0v5x6pSC6uU4NigueNmEXvQ8pzo0</span>
<span class="cp"># System services</span>
<span class="n">services</span><span class="w"> </span><span class="o">--</span><span class="n">enabled</span><span class="o">=</span><span class="s">"chronyd"</span>
<span class="cp"># System timezone</span>
<span class="n">timezone</span><span class="w"> </span><span class="n">America</span><span class="o">/</span><span class="n">Edmonton</span><span class="w"> </span><span class="o">--</span><span class="n">isUtc</span><span class="w"> </span><span class="o">--</span><span class="n">ntpservers</span><span class="o">=</span><span class="n">ntp</span><span class="p">.</span><span class="n">mydomain</span><span class="p">.</span><span class="n">com</span>
<span class="cp"># System bootloader configuration</span>
<span class="n">bootloader</span><span class="w"> </span><span class="o">--</span><span class="n">location</span><span class="o">=</span><span class="n">mbr</span><span class="w"> </span><span class="o">--</span><span class="n">boot</span><span class="o">-</span><span class="n">drive</span><span class="o">=</span><span class="n">sda</span>
<span class="cp"># Partition clearing information</span>
<span class="n">clearpart</span><span class="w"> </span><span class="o">--</span><span class="n">drives</span><span class="o">=</span><span class="n">sda</span><span class="w"> </span><span class="o">--</span><span class="n">all</span>
<span class="cp"># Disk partitioning information</span>
<span class="n">autopart</span><span class="w"> </span><span class="o">--</span><span class="n">type</span><span class="o">=</span><span class="n">plain</span><span class="w"> </span><span class="o">--</span><span class="n">fstype</span><span class="o">=</span><span class="s">"ext4"</span>
<span class="nf">%packages</span>
<span class="n">chrony</span>
<span class="nf">%end</span>
<span class="nf">%addon</span><span class="w"> </span><span class="n">com_redhat_kdump</span><span class="w"> </span><span class="o">--</span><span class="n">disable</span><span class="w"> </span><span class="o">--</span><span class="n">reserve</span><span class="o">-</span><span class="n">mb</span><span class="o">=</span><span class="err">'</span><span class="k">auto</span><span class="err">'</span>
<span class="nf">%end</span>
</pre></div>
<p>Before starting the installation, make sure you can retrieve that file with something like curl. Next, start the installation:</p>
<div class="highlight"><pre><span></span><span class="gh">#</span> iohyve isolist
Listing ISO's...
CentOS-7-x86_64-Minimal-1611.iso
<span class="gh">#</span> iohyve install ipa-slave CentOS-7-x86_64-Minimal-1611.iso
Installing ipa-slave...
GRUB Process does not run in background....
If your terminal appears to be hanging, check iohyve console ipa-slave in second terminal to complete GRUB process...
</pre></div>
<p>From another terminal, ssh into your FreeNAS server again in order to connect to the serial console by using:</p>
<div class="highlight"><pre><span></span><span class="gh">#</span> iohyve console ipa-slave
Starting console on ipa-slave...
~~. to escape console [uses cu(1) for console]
Connected
...
Starting installer, one moment...
anaconda 21.48.22.93-1 for CentOS Linux 7 started.
<span class="k">*</span> installation log files are stored in /tmp during the installation
<span class="k">*</span> shell is available on TTY2
<span class="k">*</span> when reporting a bug add logs from /tmp as separate text/plain attachments
14:21:39 Not asking for VNC because of an automated install
14:21:39 Not asking for VNC because text mode was explicitly asked for in kickstart
Starting automated install..
...
</pre></div>
<p>Now sit back while it automatically installs. This will be quite the minimal install, however it will get you up and running with an ext4-based system that iohyve can boot up, and from there you can install individual packages or package groups.</p>
<p>When the install is complete, you will see something like this on the console:</p>
<div class="highlight"><pre><span></span>[ OK ] Started Restore /run/initramfs.
[ OK ] Reached target Shutdown.
dracut Warning: Killing all remaining processes
Rebooting.
[ 819.859124] Restarting system.
</pre></div>
<p>However, it’s not actually restarting the system. Switch back to the other console and you will see:</p>
<div class="highlight"><pre><span></span>Unhandled ps2 keyboard command 0xf6
# iohyve list
Guest VMM? Running rcboot? Description
ipa-slave YES NO NO Sun Mar 12 16:39:10 MDT 2017
</pre></div>
<p>As you can see from the <code>list</code> command, the virtual machine is not running even though it said it was restarting. In order to start the machine, you must use:</p>
<div class="highlight"><pre><span></span><span class="err">#</span><span class="w"> </span><span class="n">iohyve</span><span class="w"> </span><span class="k">start</span><span class="w"> </span><span class="n">ipa</span><span class="o">-</span><span class="n">slave</span>
<span class="n">Starting</span><span class="w"> </span><span class="n">ipa</span><span class="o">-</span><span class="n">slave</span><span class="p">...</span><span class="w"> </span><span class="p">(</span><span class="n">Takes</span><span class="w"> </span><span class="mi">15</span><span class="w"> </span><span class="n">seconds</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">FreeBSD</span><span class="w"> </span><span class="n">guests</span><span class="p">)</span>
<span class="o">[</span><span class="n">root@heimdall</span><span class="o">]</span><span class="w"> </span><span class="o">~</span><span class="err">#</span><span class="w"> </span><span class="n">GRUB</span><span class="w"> </span><span class="n">Process</span><span class="w"> </span><span class="n">does</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">background</span><span class="p">....</span>
<span class="k">If</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">terminal</span><span class="w"> </span><span class="n">appears</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">hanging</span><span class="p">,</span><span class="w"> </span><span class="k">check</span><span class="w"> </span><span class="n">iohyve</span><span class="w"> </span><span class="n">console</span><span class="w"> </span><span class="n">ipa</span><span class="o">-</span><span class="n">slave</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="k">second</span><span class="w"> </span><span class="n">terminal</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">complete</span><span class="w"> </span><span class="n">GRUB</span><span class="w"> </span><span class="n">process</span><span class="p">...</span>
</pre></div>
<p>Now switch back to the original console (that you’ve not disconnected) and you will see the system booting. I had some difficulty with dracut-initqueue warning about incessant timeouts, so it took some time for the system to boot and even then I ended up in a rescue shell.</p>
<p>As annoying as this is, it’s not too terribly difficult to solve although I hate how hackish it needs to be. The root of the problem <em>seems</em> to be that dracut wants to connect to this kickstart file before the network is up. So we need to do some chroot shenanigans and fix the initramfs:</p>
<div class="highlight"><pre><span></span><span class="gh">#</span> mkdir /mnt
<span class="gh">#</span> mount /dev/sda3 /mnt
<span class="gh">#</span> mount /dev/sda1 /mnt/boot
<span class="gh">#</span> chroot /mnt
<span class="gh">#</span> cd /boot
<span class="gh">#</span> cp initramfs-3.10.0-514.el7.x86_64.img initramfs-3.10.0-514.el7.x86_64.img.bak
<span class="gh">#</span> dracut -f /boot/initramfs-3.10.0-514.el7.x86_64.img 3.10.0-514.el7.x86_64
<span class="gh">#</span> ls -al initramfs*
-rw------- 1 root root 45180381 Mar 14 08:24 initramfs-0-rescue-715baff9360a47a89af2ddbc55b9f0cf.img
-rw------- 1 root root 44766225 Mar 14 09:26 initramfs-3.10.0-514.el7.x86_64.img
-rw------- 1 root root 17437682 Mar 14 09:25 initramfs-3.10.0-514.el7.x86_64.img.bak
</pre></div>
<p>Judging by the difference in size between the rescue image, the newly created image, and the previous one that was copied, this is a pretty strong indication that something is missing.</p>
<p>Also, there are a few more steps to do before we can get CentOS 7 booted properly. The first is to edit <code>/iohyve/ipa-slave/grub.cfg</code> and remove the kickstart reference. I’m not 100% sure this is required after we perform the next action, but after a lot of beard-tugging (and to spare you the same) I’m suggesting you remove it. Also, you need to set the operating system type back to CentOS 7:</p>
<div class="highlight"><pre><span></span># iohyve set ipa-slave os=centos7
Setting ipa-slave os=centos7...
</pre></div>
<p>If you’ve stopped the virtual machine, great, if it’s still waiting for network timeouts, you can forcibly stop it with <code>iohyve destroy ipa-slave</code> and then we can use <code>iohyve start ipa-slave</code> to start it back up again (this from the session not attached to the console, of course).</p>
<p>Now on the console, you should be able to watch the virtual machine boot and arrive at a login prompt.</p>
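<p>As an added example (not code from the original post), the following POSIX shell helpers check a kickstart file against the constraints found above (ext4 rather than the default XFS, plain partitions rather than LVM, and a hashed rather than plaintext <code>rootpw</code>, since anyone on the network can fetch the file over plain HTTP) and print the <code>grub.cfg</code> with or without the <code>inst.ks=</code> reference. The kickstart URL is the post’s placeholder; the sample kickstart lines are constructed for the demo.</p>

```shell
#!/bin/sh
# Added example, not part of the original post: lint a kickstart file for the
# constraints that bit the CentOS 7 guest under iohyve (default XFS does not
# boot with grub-bhyve, LVM layouts did not boot, and the file is served over
# plain HTTP so only a hashed root password belongs in it), and print the
# grub.cfg for the install and post-install cases. Sample kickstart content
# below is constructed for the demo; the URL is the post's placeholder.

# Print the lines for /iohyve/<guest>/grub.cfg. With a kickstart URL the
# installer boots unattended; with no argument the inst.ks= reference is
# dropped, which is the post-install edit described above.
grub_cfg() {
    if [ -n "$1" ]; then
        printf 'linux (cd0)/isolinux/vmlinuz inst.ks=%s\n' "$1"
    else
        printf 'linux (cd0)/isolinux/vmlinuz\n'
    fi
    printf 'initrd (cd0)/isolinux/initrd.img\n'
    printf 'boot\n'
}

# Lint a kickstart file: one line per problem on stdout, return value is the
# number of problems (0 means it matches the layout that booted).
ks_lint() {
    ks="$1"
    issues=0
    if grep -q '^autopart' "$ks"; then
        # CentOS 7 autopart defaults to XFS unless --fstype is given.
        if ! grep '^autopart' "$ks" | grep -Eq 'fstype="?ext4'; then
            echo "autopart: add --fstype=\"ext4\" (default XFS does not boot)"
            issues=$((issues + 1))
        fi
        if grep '^autopart' "$ks" | grep -Eq -- '--type=(lvm|thinp)'; then
            echo "autopart: use --type=plain instead of an LVM layout"
            issues=$((issues + 1))
        fi
    fi
    # Explicit partition lines: no XFS filesystems and no LVM objects.
    if grep -Eq '^(part|partition|logvol)[[:space:]].*fstype="?xfs' "$ks"; then
        echo "part/logvol: an XFS filesystem is requested"
        issues=$((issues + 1))
    fi
    if grep -Eq '^(volgroup|logvol)[[:space:]]' "$ks"; then
        echo "volgroup/logvol: LVM layout will not boot here"
        issues=$((issues + 1))
    fi
    # Anyone on the LAN can fetch the kickstart over HTTP, so the root
    # password must be stored as a hash (--iscrypted), never in plaintext.
    if grep '^rootpw' "$ks" | grep -vq -- '--iscrypted'; then
        echo "rootpw: plaintext password in an HTTP-served kickstart"
        issues=$((issues + 1))
    fi
    return "$issues"
}

# Write a constructed kickstart to $1: "good" mirrors the layout used above,
# "stock" is what a default CentOS 7 install would have written.
write_sample_ks() {
    case "$2" in
    good)
        printf '%s\n' \
            '#version=RHEL7' \
            'auth --enableshadow --passalgo=sha512' \
            'cdrom' \
            'text' \
            'ignoredisk --only-use=sda' \
            'rootpw --iscrypted $6$EXAMPLE.SALT$EXAMPLE.HASH.PLACEHOLDER' \
            'bootloader --location=mbr --boot-drive=sda' \
            'clearpart --drives=sda --all' \
            'autopart --type=plain --fstype="ext4"' \
            '%packages' 'chrony' '%end' > "$1"
        ;;
    stock)
        printf '%s\n' \
            '#version=RHEL7' \
            'cdrom' \
            'text' \
            'rootpw --plaintext changeme' \
            'autopart --type=lvm' \
            '%packages' '@core' '%end' > "$1"
        ;;
    esac
}

main() {
    dir=$(mktemp -d)
    write_sample_ks "$dir/ks.cfg" good
    write_sample_ks "$dir/stock.cfg" stock
    echo "== grub.cfg for the unattended install"
    grub_cfg http://somewhere.internal/ks.cfg
    for f in ks.cfg stock.cfg; do
        echo "== linting $f"
        ks_lint "$dir/$f" || echo "$? problem(s) found"
    done
    rm -rf "$dir"
}
main
```

Running it lints the constructed "good" file cleanly and reports three problems for the stock layout (missing ext4, LVM autopart, plaintext root password).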
<p>Once you login, you probably want to install a few other things given we opted for the minimal install:</p>
<div class="highlight"><pre><span></span><span class="c1"># yum update -y</span>
<span class="c1"># yum install net-tools vim-enhanced zsh ipa-server</span>
<span class="c1"># systemctl status sshd</span>
</pre></div>
<p>The last is to make sure that sshd is running so you can ssh in and carry on (at least for me, an 80x25 console is pretty darn tiny). I also prefer the enhanced vim, and having tools like ipaddr and ifconfig are just plain old handy, and of course the whole point of this exercise was to set this up as an <span class="caps">IPA</span> server.</p>
<p>Finally, once you verify you can ssh into the server, disconnect from the console by typing the tilde and <span class="caps">CTRL</span>-D (so <code>~ + CTRL-D</code>).</p>
<p>To finish up, let’s give the virtual machine a decent description and tell it to start at boot:</p>
<div class="highlight"><pre><span></span># iohyve set ipa-slave description="IPA Slave server"
Setting ipa-slave description=IPA Slave server...
# iohyve set ipa-slave boot=1
Setting ipa-slave boot=1...
# iohyve list
Guest VMM? Running rcboot? Description
ipa-slave YES YES YES IPA Slave server
</pre></div>
<p>At this point, you can make a backup or snapshot of the virtual machine (which is one of the first things I wanted to do after all of the effort of figuring out the above!):</p>
<div class="highlight"><pre><span></span># iohyve snap ipa-slave@base-install-20170314
Taking snapshot ipa-slave@base-install-20170314
# iohyve snaplist
ipa-slave@base-install-20170314
</pre></div>
<p>Currently there doesn’t seem to be a way to remove snapshots.</p>
<p>I haven’t played with it enough to know whether or not the performance is better than <span class="caps">KVM</span> on Linux, but I enjoyed fiddling with this to get it figured out and working. Hopefully this is helpful to others; there have been quite a few references to the desire to run CentOS 7 on FreeNAS using iohyve, but even the upstream site indicates it is currently not possible (although according to <a href="https://github.com/pr1ntf/iohyve/issues/224#issuecomment-274279896">this comment</a>, it’s on the roadmap). With a bit of fiddling, it <em>is</em> possible.</p>
<p>The next step now is to figure out how to get an <span class="caps">IPA</span> replication slave set up, because the documentation is <em>not</em> intuitive at all and setting up a replicated slave is about the only way to migrate <span class="caps">IPA</span> from one machine to another. Wish me luck, and I hope this is helpful to people interested in running CentOS 7 with iohyve.</p>Replaced GPG Key2017-02-12T16:00:00-07:002017-02-12T16:00:00-07:00Vincent Danentag:annvix.com,2017-02-12:/blog/replaced-gpg-key<p>Quick note to indicate that I’ve revoked my old <span class="caps">GPG</span> key (key id <code>0x94BE833CE8B86CAB</code>) and replaced it with my new one (key id <code>0xBD51CB9670DF9DE7</code>). My new key’s fingerprint is:</p>
<div class="highlight"><pre><span></span>1810 81E8 178E 4692 03F6 BFD0 BD51 CB96 70DF 9DE7
</pre></div>
<p>and it is signed with the old (revoked) key. You can download the key directly <a href="https://annvix.com/vdanen.asc">from me</a> or <a href="http://pgp.mit.edu/pks/lookup?search=vdanen&op=index">from pgp.mit.edu</a> which is where you can also see the old key is revoked.</p>Figuring out GPG, SSH and U2F with YubiKey 42017-02-11T15:00:00-07:002017-02-11T15:00:00-07:00Vincent Danentag:annvix.com,2017-02-11:/blog/figuring-out-gpg-ssh-and-u2f-with-yubikey-4<p><img alt="Image" src="https://annvix.com/images/yubikey.jpg" /></p>
<p>You know your wife is a keeper when she gets you a YubiKey 4 for your birthday! I was really excited about this YubiKey because of its support
for storing your <span class="caps">GPG</span> private keys and also for an <span class="caps">SSH</span> private key, in addition to the <span class="caps">U2F</span> (Universal 2nd Factor) support. I’ve been using
earlier versions of the YubiKey for <span class="caps">OTP</span> (one-time password) and <span class="caps">U2F</span>, but the new version was especially interesting to me because of the <span class="caps">GPG</span> support.</p>
<p>Plus it’s a new toy to tinker with, and I like nerdy little things like this.</p>
<p>When I got it, it was easy enough to associate it with the accounts I previously had my <span class="caps">U2F</span>-only YubiKey associated with and also others I previously had not and probably should have.</p>
<p>However, when it came to getting this set up for GnuPG I ran into some interesting things. First off, I used this <a href="https://github.com/drduh/YubiKey-Guide">YubiKey
Guide</a> to get things set up (this is a great guide). I did it on my Fedora laptop because from what I
read it seemed that using Linux for the setup would be easier.</p>
<p>That guide is pretty Debian-specific when it comes to the software install, so on Fedora you want to use:</p>
<div class="highlight"><pre><span></span>$ sudo dnf install ykpers libyubikey gnupg2 gnupg2-smime pcsc-lite pcsc-lite-ccid
</pre></div>
<p>Creating the new key on the laptop was easy enough with the instructions provided but I ran into problems writing the keys to the YubiKey. I could
program the card as root, but as the user that generated the key I was unable to write the keys. With a bit more hunting around, I found another
blog post about using the <a href="http://stafwag.github.io/blog/blog/2015/06/16/using-yubikey-neo-as-gpg-smartcard-for-ssh-authentication/">YubiKey Neo as a <span class="caps">GPG</span> Smartcard for <span class="caps">SSH</span> Authentication</a> and realized I needed to give myself access to write to the card via udev.</p>
<p>Editing the <code>/usr/lib/udev/rules.d/69-yubikey.rules</code> file to add myself as an owner of the device did the trick and now it looks like:</p>
<div class="highlight"><pre><span></span>ACTION!="add|change", GOTO="yubico_end"
# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.
# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \
    OWNER="[me]", ENV{ID_SECURITY_TOKEN}="1"
LABEL="yubico_end"
</pre></div>
<p>Then reloading the configuration using:</p>
<div class="highlight"><pre><span></span>$ sudo udevadm control --reload
$ sudo udevadm trigger
</pre></div>
<p>Now I could finish with the original tutorial and get the keys written to the card. Success!</p>
<p>Or so I thought. Once this was done, the <span class="caps">U2F</span> logins were no longer working. Plugging the YubiKey into my mac and trying to use it as the
second factor with some of the sites it previously worked with was no longer possible.</p>
<p>Given this was already a few hours of work, I went off to eat dinner and watch a show with the family. When that was done, as often happens when
you give your mind something else to think about, it occurred to me that the command in the original tutorial about changing the mode of the YubiKey might have had something to do with it. The original tutorial indicates that to configure the YubiKey you needed to do:</p>
<div class="highlight"><pre><span></span>$<span class="w"> </span>ykpersonalize<span class="w"> </span>-m82
</pre></div>
<p>Checking out the manpage, it seems that this mode of 82 sets:</p>
<ul>
<li>MODE_FLAG_EJECT (which is the 80)</li>
<li><span class="caps">OTP</span>/<span class="caps">CCID</span> composite device (which is the 2)</li>
</ul>
<p>I guess earlier YubiKeys did not enable <span class="caps">CCID</span> which is what we need for <span class="caps">GPG</span> support. But guess what’s missing? Right, the <span class="caps">U2F</span> support. We need mode 6, which is for <span class="caps">OTP</span>/<span class="caps">CCID</span>/<span class="caps">U2F</span>. So running:</p>
<div class="highlight"><pre><span></span>$<span class="w"> </span>ykpersonalize<span class="w"> </span>-m86
</pre></div>
<p>fixed the problem and now <span class="caps">U2F</span> works again (as does <span class="caps">GPG</span>).</p>
<p>The next problem I had was that, while <span class="caps">GPG</span> worked fine on my Fedora laptop, when I tried to do <code>gpg2 --list-secret-keys</code> on my mac, it was telling me there were no secret keys. Using <code>gpg2 --card-status</code> or <code>gpg2 --card-edit</code> worked fine, and they even showed those card slots occupied.</p>
<p>What the heck?!?</p>
<p>Well, it turns out <span class="caps">GPG</span> 2.1 uses a different format for storing key information that <span class="caps">GPG</span> 1.x and 2.0 don’t support or understand. And MacGPG2 for the mac is currently providing 2.0.30 which didn’t understand this stuff. And it turns out that fink (which I use for all the extra Linux-like commands and updated <span class="caps">CLI</span> tools that I like) did not provide GnuPG 2.1. As a result I switched from fink to HomeBrew because it provides GnuPG 2.1, which I found from <a href="https://www.rempe.us/blog/yubikey-gnupg-2-1-and-ssh/">Yubikey, GnuPG 2.1 Modern, and <span class="caps">SSH</span> on macOS</a>.</p>
<p>There’s still some work to be done to clean a few things up. I need to publish my new <span class="caps">GPG</span> key once I’m confident with it, have signed it with
my existing key, and have revoked the old key. Then I need to put the new <span class="caps">SSH</span> pubkey on the critical servers where I want the higher security.</p>
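<p>Both the key replacement note above (a fingerprint plus old and new key IDs) and the transition planned here rest on one check: a key ID someone quotes must be the trailing hex digits of the full fingerprint, and the fingerprint is what you actually compare. The POSIX shell functions below are an added example, not code from either post and not part of GnuPG; they normalise a fingerprint as <code>gpg --fingerprint</code> prints it, derive the long key ID from it, and confirm that a stated ID (8 or 16 digits, with or without <code>0x</code>) matches. The function names are my own; the sample values in the comments are the fingerprint and key IDs from the replacement note.</p>

```shell
#!/bin/sh
# Added example (not from the post, not part of GnuPG): relate an OpenPGP
# fingerprint to the key IDs derived from it. Function names are assumptions.

# normalize_fpr FPR
# Prints the fingerprint as 40 upper-case hex digits with spaces removed
# (the grouped form "gpg --fingerprint" prints is accepted); returns 1 if malformed.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# long_keyid FPR
# The 64-bit "long" key ID is simply the last 16 hex digits of the fingerprint.
long_keyid() {
    fpr=$(normalize_fpr "$1") || return 1
    printf '0x%s\n' "$(printf '%s' "$fpr" | tail -c 16)"
}

# fpr_matches_keyid FPR KEYID
# Returns 0 if KEYID (8- or 16-digit, optional 0x prefix) is the tail of FPR,
# 1 if it is not, and 2 if either argument is malformed.
fpr_matches_keyid() {
    fpr=$(normalize_fpr "$1") || return 2
    id=$(printf '%s' "$2" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    case "$id" in
        *[!0-9A-F]*) return 2 ;;
    esac
    n=${#id}
    [ "$n" -eq 8 ] || [ "$n" -eq 16 ] || return 2
    if [ "$(printf '%s' "$fpr" | tail -c "$n")" = "$id" ]; then
        return 0
    fi
    return 1
}

# Usage with the values quoted in the "Replaced GPG Key" note:
#   long_keyid '1810 81E8 178E 4692 03F6 BFD0 BD51 CB96 70DF 9DE7'
#   fpr_matches_keyid '1810 81E8 178E 4692 03F6 BFD0 BD51 CB96 70DF 9DE7' 0xBD51CB9670DF9DE7 && echo "new key id matches"
#   fpr_matches_keyid '1810 81E8 178E 4692 03F6 BFD0 BD51 CB96 70DF 9DE7' 0x94BE833CE8B86CAB || echo "old key id does not"
```

<p>A short ID is only the last 32 bits of the fingerprint, so a different key with the same short ID is cheap to produce; when telling people which key to trust, quote the full fingerprint and have them compare all 40 digits rather than the ID alone, which is what the replacement note does.</p>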
<p>Most of what I had to do to get this set up was already out there (thank you, citizens of the internet!), but there were a few gotchas that others may
stumble on, and I couldn’t easily find any answers (maybe I’m the only one that tripped over the ykpersonalize step, or maybe most people use these for <span class="caps">GPG</span>/<span class="caps">SSH</span> and not also <span class="caps">U2F</span>, I have no idea). Hopefully this will be helpful for anyone stuck in the same boat.</p>
<p>Quick notes on some macOS-specific things:</p>
<p>I’m a MailMate user (awesome email client) but the suggestion of using a command-line pinentry program causes it to crash because it can’t get input from anywhere. You want to <code>brew install pinentry-mac</code> first, and then use that as the pinentry program for the gpg-agent. My <code>~/.gnupg/gpg-agent.conf</code> file now looks like this:</p>
<div class="highlight"><pre><span></span>enable-ssh-support
use-standard-socket
pinentry-program /usr/local/bin/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200
</pre></div>
<p>You will also want to uninstall MacGPG2 if you have it installed. You can re-install it if you want, as it does have some nice tools, but if you do be sure to select “Customize” on the installer and de-select “GPGMail” and “MacGPG2” (basically install “GPGServices”, “GPGKeychain”, and “GPGPreferences” only). I don’t know if the GPGMail plugin will work with GnuPG 2.1 (I don’t use Apple Mail and MailMate doesn’t need it) so maybe you don’t need to remove it (and I can’t be bothered to find out).</p>
<p>As a final note, I had this working fine with two macs and my Fedora laptop, but when I tried it on another mac a day or two later it did not want to work. I finally figured out that it was because when I started fiddling with this, on the first two macs I had gnupg 2.1.17 but on the other mac it pulled the new version (2.1.18) from homebrew. This new version does not play well with the YubiKey. I filed <a href="https://github.com/Homebrew/homebrew-versions/issues/1522">this bug</a> against homebrew but then after some more digging I found it was actually <a href="https://bugs.gnupg.org/gnupg/issue2933">this upstream bug</a> so hopefully 2.1.19 will fix the problem. I note it here only because it had me scratching my head for a few days going through my setups wondering if I had done something wrong on the last mac. Once I installed 2.1.17 on that one, everything worked peachy. Talk about wacky timing!</p>
<p>Thanks Ang for this awesome birthday present! =)</p>
<p><strong><span class="caps">EDIT</span></strong>: see <a href="https://annvix.com/blog/replaced-gpg-key">Replaced <span class="caps">GPG</span> Key</a> for details on the new key.</p>2016: A Retrospective2016-12-30T14:00:00-07:002016-12-30T14:00:00-07:00Vincent Danentag:annvix.com,2016-12-30:/blog/2016-a-retrospective<p><img alt="Image" src="https://annvix.com/images/open-bible.jpg" /></p>
<p>I’ve been spending a lot of time thinking about this past year and all of its challenges and accomplishments, the moments of growth and clarity, the opportunities taken and the opportunities missed. I’m not one to get deeply personal in public, and won’t get into a lot of the nitty gritty as I write this, but the end of a year is an opportunity to look back and do some self-reflection. I’m a firm believer that if you don’t know where you came from, you’ll have no idea where you’re going. I’ve come to learn that <em>perspective</em> is key in a lot of things.</p>
<p>This has been a very interesting year for me, personally, and for my family. There has been a lot of stretching and a lot of growth. There have been some hard times and some <em>really</em> hard times, but there have been some awesome times as well. The security industry is probably going to note 2016 as the year of “the suck” (for a lot of really valid reasons!) and it would be easy for me to get sucked into the same doom-and-gloom point of view, especially when I consider all of the personal stuff this year brought. But I am an eternal optimist (although I’ve not always been so) and so I don’t look at 2016 as “the suck” but “the stretching”.</p>
<p>From a work perspective, this year has been challenging. At Red Hat we have been doing a <em>lot</em> of stuff, and within Product Security we have had a lot on our plate. The growth of branded high-visibility flaws has been a real challenge to manage. And manage it we did, sometimes not as well as we would have liked or hoped, but in the end we accomplished what we set out to. There were some really big projects (and a lot of little ones) that kept us busy with the aim of streamlining, enhancing, and strengthening the work that we do. This was incredibly challenging and I can honestly say that I don’t think I’ve worked harder in my life than I have this year. This was a period of significant growth for me personally as well, and a lot of personality quirks needed to be dealt with. I absolutely need to thank the folks I work with for being some of the most awesome people on the planet. I have peers that are amazing and the folks that report to me… well, I would not want to work with anyone else. You guys blow my mind and you know who you are. If any of you wander across this and read it, know that I highly value each and every one of you!</p>
<p>I had the opportunity to go to the Czech Republic twice this year and meet with most of my guys and this is something I thoroughly enjoyed. I’m not a big fan of travel and it’s quite the hike to get there, but again, I get to hang out with some awesome people and work on some amazing things. Hopefully I have the opportunity to head back again soon as I really enjoyed spending time with these guys and weekly video chats just don’t cut it.</p>
<p>So work this year was <em>hard</em> but in the end, I’m glad it was hard. Strength through adversity and all that jazz right? Growing and learning. I’ve read a ridiculous number of management books this year and try to put these things into practice and with it comes a lot of uncomfortable self-examination. Things that are easy to ignore or overlook when you’re doing purely technical work (which I don’t anymore, in fact I don’t seem to be doing much hands-on technical stuff at all anymore). These are, however, a critical mirror when you’re dealing with people.</p>
<p>I also retired as the “<span class="caps">IT</span> guy” from the church this year which I’ve been doing on a regular basis for the last five years and an irregular as-needed basis for the five or so prior to. That was a huge change as well, but allowed me to focus on more important things like my work with Red Hat, my family, my work as a marriage counsellor and district pastor. Ultimately it gave me back a lot of time, so while that was a very hard decision to make, I’m glad for it.</p>
<p>On a non-work front, thirteen months ago we “adopted” a 17 year old and had her come and live with us. Her story is hers to tell, so I’m not going to get into the how or why she became part of the family, but suffice it to say this was one of those situations where God was clearly at work. Having a 17 year old come and live in our home (our daughter was 14 when she moved in) was one heck of a challenge. Everything was turned upside down as we adjusted to living with not just another person, but one we were responsible for and who needed us. And when I look back over the last thirteen months, I realize we needed her as well. Obviously not in the same ways, but she brought things to our home and our lives that caused us to stretch and grow. We live and think a certain way and our ways were not her ways and so there was a bit of a “culture clash” that caused all of us to grow and develop that under-used skill called <em>perspective</em>. She moved out a few days ago (she’s 18 now) to make a go of life as an adult on her own (she calls it “adulting”). And while this is sad, it’s also exciting. I’m excited to see what she does with her life. I’m excited to see if those late night conversations made a difference. I’m excited to see what comes of the foundational changes and opportunities God has given her, and He’s given her plenty of both.</p>
<p>In 2015, God gave us a young lady to take care of but in 2016 He gave us a forever daughter and I’m immensely grateful for it.</p>
<p>Also this year I’ve been thinking a lot about my faith and service to Jesus Christ and what that means on not just a personal level, but a practical one as well. I’ve had the opportunity to speak at church on a variety of occasions in the last few years and I felt led to share some of that outside the confines of the church walls. And that’s where the podcasts come in. I have no idea where they will go or what will happen with them, but I’m making and taking the time to speak to those who are interested in listening and whatever God wants to do with it is up to Him. I’ve written about my faith here and there in this blog, but now I’m going to speak about it as well. I don’t plan on a particular cadence, but as things come up with counselling or things that I read, I’ll be taking the time to talk about it, not just write about it. I think this is especially important in our day where a lot of Christians are going off the rails and are doing and saying things that are not in line with the Bible we profess to believe says to say or do. I don’t think a lot of people who call themselves Christians read their “instruction manual” and find themselves in places they were never meant to go. So my hope is to bring some clarity to that confusion as well.</p>
<p>So, fair warning, if you’re not interested in the Bible, you probably want to avoid the podcasts. =)</p>
<p>I could go on… so much has happened this year. It has literally been a crazy year and looking back on it I’m amazed at just how much got jam-packed into 365 days. It seems like such a small amount (it’s only 2.5% of my life or 5% of my productive adult life). Some people I know can’t wait for 2016 to be over and done with (hang on! it ends tomorrow!) with almost a superstitious zeal that writing a 7 instead of a 6 will make everything magically better. 2017 will come with its own challenges and opportunities for growth — of that I am certain. Looking back on 2016… I’m grateful for the challenges and the opportunities. I am not the same man on Dec 30 as I was on Jan 1 and for that I am thankful. Zechariah 4:10 tells us not to despise the day of small beginnings, and if your beginnings seemed small in 2016, know that often they are the essential building blocks, foundation stones, to greater things in the future. We all start off small but we almost never end that way if we are committed to the growth process.</p>
<p>God bless and Happy New Year!</p>Using GitLab CI to deploy to remote host over ssh2016-12-08T18:00:00-07:002016-12-08T18:00:00-07:00Vincent Danentag:annvix.com,2016-12-08:/blog/using-gitlab-ci-to-deploy-to-remote-host-over-ssh<p><img alt="Image" src="https://annvix.com/images/gitlab.png" /></p>
<p>I’ve been using GitLab for a while now and I really like it. I can’t objectively say whether it’s better than GitHub or not (I have a few projects on GitHub but I rarely make any changes to them and even more rarely use the web <span class="caps">UI</span>), but one of the things I appreciate about GitLab is the fact that I can run my own copy of it and store my own stuff in it. I also use it every day for work and at home so am much more familiar with it than GitHub.</p>
<p>Recently I’ve been playing with the <span class="caps">CI</span> aspect of GitLab. I’ve used Jenkins to handle “<span class="caps">CI</span> duties” in the past, and GitLab and Jenkins work quite well together, but I wanted to play around with GitLab’s built-in <span class="caps">CI</span> because of how tightly integrated it is (and since I run a small GitLab here at home, I can use the same system for my runners and don’t have to worry about setting up Jenkins).</p>
<p>I found it quite easy to set up, although there are a few things to be aware of and I wanted to note them here, partly so that if I need to do it again in the future it’ll be easy for me to refer to.</p>
<p>Create the user to run the service:</p>
<div class="highlight"><pre><span></span># groupadd -g 2001 otter
# useradd -u 2001 -g 2001 -d /srv/www/otter -s /bin/bash otter
# chmod 0711 /srv/www/otter
</pre></div>
<p>The above creates the “otter” user and group which will run the service and makes <em>/srv/www/otter</em> traversable, since we will check out the git repository (as user otter) and it will live in <em>/srv/www/otter/otter/</em>:</p>
<div class="highlight"><pre><span></span># su - otter
$ mkdir otter
$ cd otter
$ git clone https://[gitlab-url]/otter.git
</pre></div>
<p>This project is public so there is no need for authentication. If you had a private project you could still authenticate over <span class="caps">HTTPS</span> by creating a <em>~/.netrc</em> file that looks like this:</p>
<div class="highlight"><pre><span></span>machine [gitlab-host]
login [gitlab-user]
password [password]
</pre></div>
<p>After this I added the otter user to <em>/etc/sudoers</em> to be able to restart the otter.service but that didn’t work out so well. When I used the following in <em>.gitlab-ci.yml</em>:</p>
<div class="highlight"><pre><span></span>  script:
    - ssh -t otter@production.host "cd otter && git pull && sudo /bin/systemctl restart otter.service"
</pre></div>
<p>Because the <span class="caps">CI</span> job does not allocate a pseudo-terminal, which sudo on this host ultimately requires (even though we set up the private key without a password), the deployment failed. This means that while we can deploy the new code by calling <strong>git pull</strong>, we cannot restart the gunicorn daemon that is serving the content. A work-around is to set up a cron job that runs every minute and looks for a specific file, since our ssh call can easily do something like <strong>touch /srv/www/otter/otter.restart</strong> after the git pull. So editing <em>/etc/crontab</em> and adding:</p>
<div class="highlight"><pre><span></span>* * * * * root test -f /srv/www/otter/otter.restart && /bin/systemctl restart otter.service && rm -f /srv/www/otter/otter.restart
</pre></div>
<p>does the trick. This is actually a bit nicer than trying to use sudo: it is still only root that can restart the service, and because <em>/srv/www/otter</em> is writable only by the otter user and sits outside the git repository, nothing other than a root or otter process can create the file. This removes the need to change anything in <em>/etc/sudoers</em> or give this user any special permissions. The downside is that it adds an entry to <em>/var/log/cron</em> every minute; change the schedule to whatever you want (e.g. use “*/5” to check every 5 minutes if preferred).</p>
<p>To use this, the <em>.gitlab-ci.yml</em> file was updated to:</p>
<div class="highlight"><pre><span></span>  script:
    - ssh -t otter@production.host "cd otter && git pull && touch /srv/www/otter/otter.restart"
</pre></div>
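<p>The crontab one-liner above does the job, but because it runs as root on a file a less-privileged account creates, it is worth spelling out what should be checked before acting on that file. The script below is an added example, not code from the post or from the otter project: it is the same trigger-file check as a small POSIX shell script with two additions a practitioner would want. The trigger must be a regular file (not a symlink) owned by the deploy user, and it is removed <em>before</em> the restart runs so a restart that fails does not fire again every minute. The paths and service name follow the post; the function names, the <code>TRIGGER_*</code> and <code>SERVICE</code> variables, the <code>--run</code> flag and the suggested script location are my assumptions.</p>

```shell
#!/bin/sh
# Added example (not from the post): cron-side handler for the deploy
# restart trigger. Paths follow the post; names and variables are assumptions.

TRIGGER_FILE="${TRIGGER_FILE:-/srv/www/otter/otter.restart}"
TRIGGER_OWNER="${TRIGGER_OWNER:-otter}"
SERVICE="${SERVICE:-otter.service}"

# check_trigger FILE OWNER
#   0: FILE is a regular, non-symlink file owned by OWNER
#   1: FILE does not exist (nothing to do this minute)
#   2: FILE exists but is not a plain file or has the wrong owner (ignored)
check_trigger() {
    f="$1"; want="$2"
    if [ ! -e "$f" ] && [ ! -L "$f" ]; then
        return 1
    fi
    # Refuse symlinks and anything that is not a regular file: root must not
    # act on a path that merely points somewhere in the deploy directory.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "trigger $f is not a regular file, ignoring" >&2
        return 2
    fi
    owner=$(ls -ld "$f" | awk '{print $3}')
    if [ "$owner" != "$want" ]; then
        echo "trigger $f owned by $owner, expected $want, ignoring" >&2
        return 2
    fi
    return 0
}

# handle_trigger FILE OWNER CMD [ARGS...]
# Runs CMD only when check_trigger accepts FILE. The trigger is removed
# before CMD runs, so a failing restart cannot loop every minute; the next
# deploy simply creates the file again.
handle_trigger() {
    f="$1"; want="$2"; shift 2
    rc=0
    check_trigger "$f" "$want" || rc=$?
    [ "$rc" -eq 0 ] || return "$rc"
    rm -f "$f" || return 3
    "$@"
}

# Assumed cron entry (as root), with this file saved as /usr/local/sbin/otter-restart-check:
#   * * * * * root /usr/local/sbin/otter-restart-check --run
case "${1:-}" in
    --run) handle_trigger "$TRIGGER_FILE" "$TRIGGER_OWNER" systemctl restart "$SERVICE" ;;
esac
```

<p>The ownership check is belt-and-braces given that <em>/srv/www/otter</em> is writable only by otter, but it costs nothing and makes the intent explicit if the directory permissions ever drift; removing the trigger first also means a broken service is restarted once per deploy rather than once per minute until someone notices.</p>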
<p>Obviously there are other considerations that can and should be done here. For instance, if you have database changes, the above isn’t sufficient for an automatic deployment so a script to make changes to the database as part of the deployment would probably be good. This could be an external script or something that your systemd initscript handles, or the web application itself. One thought that comes to mind is to use a table in the database for configuration information and store a version in the database that can be compared and if less than what the script expects, automatically perform the migration at start. (Note to self, I should implement this…)</p>
<p>For reference, the full <em>.gitlab-ci.yml</em> file looks like:</p>
<div class="highlight"><pre><span></span><span class="n">image</span><span class="o">:</span><span class="w"> </span><span class="n">centos</span><span class="o">:</span><span class="mi">7</span>
<span class="n">stages</span><span class="o">:</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">test</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">deploy</span>
<span class="n">before_script</span><span class="o">:</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">yum</span><span class="w"> </span><span class="n">install</span><span class="w"> </span><span class="n">which</span><span class="w"> </span><span class="o">-</span><span class="n">y</span>
<span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">install</span><span class="w"> </span><span class="n">ssh</span><span class="o">-</span><span class="n">agent</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">not</span><span class="w"> </span><span class="n">already</span><span class="w"> </span><span class="n">installed</span><span class="o">,</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">required</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">docker</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="s1">'which ssh-agent || ( yum install openssh-clients -y )'</span>
<span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">run</span><span class="w"> </span><span class="n">ssh</span><span class="o">-</span><span class="n">agent</span><span class="w"> </span><span class="o">(</span><span class="n">inside</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">build</span><span class="w"> </span><span class="n">environment</span><span class="o">)</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nf">eval</span><span class="w"> </span><span class="n">$</span><span class="o">(</span><span class="n">ssh</span><span class="o">-</span><span class="n">agent</span><span class="w"> </span><span class="o">-</span><span class="n">s</span><span class="o">)</span>
<span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">add</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">ssh</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">stored</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">SSH_PRIVATE_KEY</span><span class="w"> </span><span class="n">variable</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">agent</span><span class="w"> </span><span class="n">store</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">ssh</span><span class="o">-</span><span class="n">add</span><span class="w"> </span><span class="o"><(</span><span class="n">echo</span><span class="w"> </span><span class="s2">"$SSH_PRIVATE_KEY"</span><span class="o">)</span>
<span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">docker</span><span class="w"> </span><span class="n">builds</span><span class="w"> </span><span class="n">disable</span><span class="w"> </span><span class="n">host</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">checking</span><span class="w"> </span><span class="n">although</span><span class="w"> </span><span class="k">this</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">lead</span><span class="w"> </span><span class="n">to</span>
<span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">mitm</span><span class="w"> </span><span class="n">attacks</span><span class="o">;</span><span class="w"> </span><span class="n">only</span><span class="w"> </span><span class="n">use</span><span class="w"> </span><span class="k">this</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">docker</span><span class="w"> </span><span class="n">or</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">overwrite</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">host</span>
<span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">ssh</span><span class="w"> </span><span class="n">config</span><span class="o">!</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">mkdir</span><span class="w"> </span><span class="o">-</span><span class="n">p</span><span class="w"> </span><span class="o">~/.</span><span class="n">ssh</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="s1">'[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'</span>
<span class="n">test</span><span class="o">:</span>
<span class="w"> </span><span class="n">stage</span><span class="o">:</span><span class="w"> </span><span class="n">test</span>
<span class="w"> </span><span class="n">script</span><span class="o">:</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">yum</span><span class="w"> </span><span class="n">update</span><span class="w"> </span><span class="o">-</span><span class="n">y</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">yum</span><span class="w"> </span><span class="n">install</span><span class="w"> </span><span class="n">https</span><span class="o">://</span><span class="n">dl</span><span class="o">.</span><span class="na">fedoraproject</span><span class="o">.</span><span class="na">org</span><span class="sr">/pub/epel/</span><span class="n">epel</span><span class="o">-</span><span class="n">release</span><span class="o">-</span><span class="n">latest</span><span class="o">-</span><span class="mi">7</span><span class="o">.</span><span class="na">noarch</span><span class="o">.</span><span class="na">rpm</span><span class="w"> </span><span class="o">-</span><span class="n">y</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">yum</span><span class="w"> </span><span class="n">install</span><span class="w"> </span><span class="n">mariadb</span><span class="o">-</span><span class="n">devel</span><span class="w"> </span><span class="n">mariadb</span><span class="o">-</span><span class="n">server</span><span class="w"> </span><span class="n">python</span><span class="o">-</span><span class="n">virtualenv</span><span class="w"> </span><span class="n">python</span><span class="o">-</span><span class="n">pip</span><span class="w"> </span><span class="n">gcc</span><span class="w"> </span><span class="n">gcc</span><span class="o">-</span><span class="n">c</span><span class="o">++</span><span class="w"> </span><span class="n">freetype</span><span class="o">-</span><span class="n">devel</span><span class="w"> </span><span class="n">libpng</span><span class="o">-</span><span class="n">devel</span><span class="w"> </span><span class="n">python</span><span class="o">-</span><span class="n">requests</span><span class="w"> </span><span class="n">MySQL</span><span class="o">-</span><span class="n">python</span><span class="w"> </span><span class="n">mailx</span><span class="w"> </span><span class="n">python</span><span class="o">-</span><span class="n">simplejson</span><span class="w"> </span><span class="n">vim</span><span class="w"> </span><span class="n">httpd</span><span class="w"> </span><span class="n">mod_wsgi</span><span class="w"> </span><span class="o">-</span><span class="n">y</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">sh</span><span class="w"> </span><span class="n">setup</span><span class="o">.</span><span class="na">sh</span>
<span class="n">production</span><span class="o">:</span>
<span class="w"> </span><span class="n">stage</span><span class="o">:</span><span class="w"> </span><span class="n">deploy</span>
<span class="w"> </span><span class="n">script</span><span class="o">:</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">ssh</span><span class="w"> </span><span class="o">-</span><span class="n">t</span><span class="w"> </span><span class="n">otter</span><span class="err">@</span><span class="n">production</span><span class="o">.</span><span class="na">host</span><span class="w"> </span><span class="s2">"cd otter && git pull && touch /srv/www/otter/otter.restart"</span>
<span class="w"> </span><span class="n">only</span><span class="o">:</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">master</span>
<span class="w"> </span><span class="n">environment</span><span class="o">:</span><span class="w"> </span><span class="n">production</span>
</pre></div>
<p>The key is handled using a project variable in GitLab which can be set by going to the project in question, clicking the gear icon and selecting “Variables”. You want to add a variable named <strong>SSH_PRIVATE_KEY</strong> with the contents of a private key you generate for this purpose (not one you use for anything else). The corresponding public key would be added to the <em>~/.ssh/authorized_keys</em> file for, in this case, the otter user on “production.host”. Since the private key lives in the CI system, it is worth restricting it in <em>authorized_keys</em> with a <strong>from=</strong> and/or <strong>command=</strong> option so that a leaked variable buys only the deploy step rather than a general shell as otter (with a forced command the “cd otter &amp;&amp; git pull &amp;&amp; touch …” moves into that option and the CI job just runs <strong>ssh otter@production.host</strong>). You can read more about <a href="https://docs.gitlab.com/ce/ci/variables/README.html" target="_blank">GitLab variables</a>.</p>
<p>Finally, and I mention this because I found using systemd’s initscripts a little bit painful at first (especially with mod_uwsgi, which is why I opted to use gunicorn and mod_proxy instead, see <a href="https://annvix.com/blog/current-progress-of-new-blog-platform">my earlier blog post about this</a> for more details), I leave you with the service scripts. There are two scripts in question, the <em>otter.socket</em> and the <em>otter.service</em> scripts.</p>
<p><em>otter.socket</em> sets up the listeners, a Unix socket for the local proxy and a TCP port. Note that <strong>0.0.0.0:5000</strong> binds every interface, so if only the local mod_proxy needs the TCP listener, <strong>127.0.0.1:5000</strong> keeps gunicorn from being reachable directly from the network:</p>
<div class="highlight"><pre><span></span><span class="k">[Unit]</span>
<span class="na">Description</span><span class="o">=</span><span class="s">otter socket</span>
<span class="k">[Socket]</span>
<span class="na">ListenStream</span><span class="o">=</span><span class="s">/run/otter/socket</span>
<span class="na">ListenStream</span><span class="o">=</span><span class="s">0.0.0.0:5000</span>
<span class="k">[Install]</span>
<span class="na">WantedBy</span><span class="o">=</span><span class="s">sockets.target</span>
</pre></div>
<p>and <em>otter.service</em> runs the gunicorn service:</p>
<div class="highlight"><pre><span></span><span class="k">[Unit]</span>
<span class="na">Description</span><span class="o">=</span><span class="s">otter daemon</span>
<span class="na">Requires</span><span class="o">=</span><span class="s">otter.socket</span>
<span class="na">After</span><span class="o">=</span><span class="s">network.target</span>
<span class="k">[Service]</span>
<span class="na">PIDFile</span><span class="o">=</span><span class="s">/run/otter/pid</span>
<span class="na">User</span><span class="o">=</span><span class="s">otter</span>
<span class="na">Group</span><span class="o">=</span><span class="s">otter</span>
<span class="na">WorkingDirectory</span><span class="o">=</span><span class="s">/srv/www/otter/otter</span>
<span class="na">ExecStart</span><span class="o">=</span><span class="s">/srv/www/otter/otter/flask/bin/gunicorn --pid /run/otter/pid --access-logfile /srv/www/otter/otter.log app:app</span>
<span class="na">ExecReload</span><span class="o">=</span><span class="s">/bin/kill -s HUP $MAINPID</span>
<span class="na">ExecStop</span><span class="o">=</span><span class="s">/bin/kill -s TERM $MAINPID</span>
<span class="na">PrivateTmp</span><span class="o">=</span><span class="s">true</span>
<span class="k">[Install]</span>
<span class="na">WantedBy</span><span class="o">=</span><span class="s">multi-user.target</span>
</pre></div>
<p>These files need to live in <em>/etc/systemd/system/</em> and are enabled using:</p>
<div class="highlight"><pre><span></span># systemctl enable otter.socket
# systemctl enable otter.service
</pre></div>
<p>I also have a <em>/etc/tmpfiles.d/otter.conf</em> for the socket file:</p>
<div class="highlight"><pre><span></span>d /run/otter 0755 otter otter -
</pre></div>
<p>This can be set up without a reboot using:</p>
<div class="highlight"><pre><span></span># systemd-tmpfiles --create
</pre></div>
<p>You’d want to do that before starting the services for the first time.</p>
<p>Hopefully this is helpful for someone who is interested in running a Flask application as a service under systemd with some <span class="caps">CI</span> integration using GitLab. It covers a little bit more than just using GitLab <span class="caps">CI</span> to deploy remotely, although all the pieces are tied together and it seemed odd to focus on the one part of the picture without giving some details on the rest to make things work. One thing I did consider is making the systemd services user services so that the otter user could run <strong>systemctl restart otter.service</strong> itself, but I didn’t really get around to it and it didn’t really matter to me (perhaps something to fiddle with in the future).</p>
<p>I’d love any feedback or ideas for improvement. This is all pretty new to me yet so undoubtedly there are ways these can be implemented better, but this works and I felt like sharing. =)</p>
<p><strong>Countdown to SHA1-based HTTPS Doom</strong> (Vincent Danen, 2016-11-22, /blog/countdown-to-sha1-based-https-doom)</p>
<p>So it’s been noted in a few places that 2017 is the year that <span class="caps">SHA1</span> for <span class="caps">HTTPS</span> is doomed. Microsoft has deprecated <span class="caps">SHA1</span> in <a href="https://blogs.windows.com/msedgedev/2016/04/29/sha1-deprecation-roadmap/">Edge and Internet Explorer</a> browsers and in February 2017 will be blocking them entirely. Google is doing the same thing <a href="https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html">with Chrome</a> starting January 2017, as is <a href="https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/">Firefox</a>.</p>
<p>Most sites today don’t use <span class="caps">SHA1</span>-based <span class="caps">SSL</span> certificates (which is good) and there are sites you can go to in order to easily check if your public web site is using one, such as <a href="https://shaaaaaaaaaaaaa.com/">shaaaaaaaaaaaaa.com</a>, but what about internal services? You can’t really point an external web site to an internal resource.</p>
<p>There are a few sites out there that explain how to do it, but as I had to poke at a few things internally myself I figured it was worth sharing the simple script I wrote to check. Cut-n-paste the following into something like sha1checker.sh and run it. It will tell you if you’re using a <span class="caps">SHA1</span>-based certificate or, if not, tell you what is used (hopefully “sha256WithRSAEncryption”). Note that it inspects only the leaf certificate the server sends; a <span class="caps">SHA1</span>-signed intermediate in the chain trips the same browser checks, so if the leaf is clean also look at the rest of the chain from <strong>openssl s_client -showcerts</strong>:</p>
<pre>
#!/bin/sh
# Report the signature algorithm of the certificate a host serves.
site="${1}"
port="${2:-443}"
if [ -z "${site}" ]; then
    echo "usage: $0 host [port]"
    exit 2
fi
# -servername sends SNI so a virtual host returns its own certificate rather
# than the server default; -noout keeps the PEM out of the output; sort -u
# collapses the two identical "Signature Algorithm" lines that x509 -text prints
algo="$(openssl s_client -connect "${site}:${port}" -servername "${site}" &lt;/dev/null 2>/dev/null \
    | openssl x509 -noout -text | grep 'Signature Algorithm' | sort -u)"
if [ -z "${algo}" ]; then
    echo "Unable to load certificate! Invalid hostname (${site}) or port (${port})"
    exit 1
fi
# -i also catches ecdsa-with-SHA1; plain "if grep -q" is POSIX (no "==" bashism)
if echo "${algo}" | grep -qi sha1; then
    echo "Vulnerable, using SHA1"
else
    echo "Not vulnerable"
    echo "${algo}"
fi
</pre>
<p>It’s easy enough to run:</p>
<pre>
$ sh sha1checker.sh annvix.com 443
Not vulnerable
    Signature Algorithm: sha256WithRSAEncryption
</pre>
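<p>The shell script depends on whatever openssl build a machine ships, which is what bites on macOS. As an added example (not part of the original post, and not the author’s tooling), the Python below reads the signature algorithm straight out of the certificate’s DER structure using only the standard library: the outer Certificate SEQUENCE holds tbsCertificate, the signatureAlgorithm AlgorithmIdentifier, and the signature, so the OID of interest is the first element of the second SEQUENCE. The function names, the OID table and the constructed sample certificates are mine; <strong>check_host</strong> runs the same check against a live server with SNI.</p>

```python
"""Report the signature algorithm of a TLS certificate without the openssl CLI.

Added example, not part of the original post: it walks the outer ASN.1/DER
structure of the certificate itself, so it needs only the standard library and
does not depend on which openssl build a machine ships."""
import socket
import ssl

# Signature algorithm OIDs a practitioner is likely to meet; the SHA-1 based
# ones are what browsers start rejecting in 2017.
SIG_ALGOS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn DER OID content bytes into dotted notation (base-128 arcs)."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the arc
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)

def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)  # skip tbsCertificate
    tag, alg, _ = _read_tlv(body, pos)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def classify(der):
    """Return (algorithm name, uses_sha1); an unknown OID is returned unflagged."""
    oid = signature_oid(der)
    return SIG_ALGOS.get(oid, (oid, False))

def check_host(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a host serves (with SNI) and classify it.

    The ssl module hands back only the leaf; intermediates in the chain need
    a separate look (openssl s_client -showcerts)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we want the algorithm even from a broken cert
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify(tls.getpeercert(binary_form=True))

# --- constructed sample input ---------------------------------------------
# A minimal DER skeleton with the shape of a certificate: the tbsCertificate is
# a placeholder INTEGER and the signature a placeholder BIT STRING.  It is NOT
# a real, signed certificate; only the outer structure matters to the parser.
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths suffice here

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += bytes(chunk)
    return bytes(out)

def fake_cert(sig_oid):
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x02, b"\x01") + alg_id + _tlv(0x03, b"\x00\xab"))

if __name__ == "__main__":
    print(classify(fake_cert("1.2.840.113549.1.1.5")))   # ('sha1WithRSAEncryption', True)
    print(classify(fake_cert("1.2.840.113549.1.1.11")))  # ('sha256WithRSAEncryption', False)
```

<p>Calling <strong>check_host("annvix.com")</strong> returns the same tuple for a live server. Verification is switched off on purpose so that an expired or mis-named certificate can still be classified; do not reuse that context for anything that actually needs to trust the peer.</p>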
<p>The script is probably not perfect (it seems to wig out with the version of openssl provided with macOS unless you’re using a version supplied with Fink, but it works well on Linux). Now is probably a good time to check this stuff out before you end up locked out of some essential web services come January.</p>
<p><strong>From There to Here (But Not Back Again) - 15 years of Red Hat Product Security</strong> (Vincent Danen, 2016-10-24, /blog/from-there-to-here-but-not-back-again)</p>
<p><img alt="Image" src="https://annvix.com/images/shadowman-tattoo.png" /></p>
<p>This year we celebrated 15 years of Red Hat Product Security. I’ve not been with Red Hat that long, but I’ve been doing product security work for longer (slightly over a year longer). I was asked to write a little something to stroll down memory lane with the inter-webs. That post is not this post. =) You can read the details on the Red Hat Security Blog:</p>
<p><a href="https://access.redhat.com/blogs/766093/posts/2712261" target="_blank">From There to Here (But Not Back Again)</a></p>
<p>You can also read my boss’ recollections as well which are quite interesting too:</p>
<p><a href="https://access.redhat.com/blogs/766093/posts/2695561" target="_blank">Happy 15th Birthday Red Hat Product Security</a></p>Periodic security reviews (and a bit of a rant)2016-10-01T12:00:00-06:002016-10-01T12:00:00-06:00Vincent Danentag:annvix.com,2016-10-01:/blog/periodic-security-reviews-and-a-bit-of-a-rant<p><img alt="Image" src="https://annvix.com/images/security-review.jpg" /></p>
<p>Today marks one month that my “work time” is 100% devoted to Red Hat; last month I “retired” from any of the <span class="caps">IT</span>/web work for my church that I’ve been doing for the last 12 or so years. It’s been an interesting month being able to spend …</p><p><img alt="Image" src="https://annvix.com/images/security-review.jpg" /></p>
<p>Today marks one month that my “work time” is 100% devoted to Red Hat; last month I “retired” from any of the <span class="caps">IT</span>/web work for my church that I’ve been doing for the last 12 or so years. It’s been an interesting month being able to spend time on things that I want to spend on outside of regular Red Hat work hours. =) My rediscovered and available time has been spent fiddling around the house dealing with things I never really had time to get to in quite a while, and some on computer-related things that I’ve wanted to do but never had the time to do. One of the things on this long todo list was to do some “security reviews” of passwords and related things (<span class="caps">GPG</span> keys, <span class="caps">SSH</span> keys, etc.).</p>
<p>This review became a bit more pressing for two reasons: macOS Sierra ships with a version of OpenSSH that does not use <span class="caps">DSA</span> keys by default, and a former client of mine phoned me two weeks ago because they were phished for $150k and he was looking for help. The latter reminded me that it’s good to review the landscape every once in a while and keep up to date with changes, the former was the impetus to actually do something about it.</p>
<p>Because of the <span class="caps">DSA</span> key change, and because (to my chagrin) I still used such a key for a few hosts, I decided to do some cleanup of my <span class="caps">SSH</span> keys first. To maintain compatibility with some older hosts that may not support newer key types like <span class="caps">ECDSA</span>, I opted to create a new 2048 bit <span class="caps">RSA</span> key for use:</p>
<pre>
$ ssh-keygen -t rsa -b 2048 -C "user@host"
</pre>
<p>Then the real fun began when I had to remember where the old keys were being used and updating them. I had a half-dozen <span class="caps">SSH</span> keys of various types (<span class="caps">DSA</span>, 1024 bit <span class="caps">RSA</span>, 2048 bit <span class="caps">RSA</span>) and decided to consolidate things and cleanup my ~/.ssh/known_hosts and ~/.ssh/config files as well. I started primarily with making a clean ~/.ssh directory and backing up the old one so I can still keep it for those hosts I’m likely to have missed.</p>
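<p>The hard part of that cleanup is finding every <em>authorized_keys</em> file that still lists a <span class="caps">DSA</span> or short <span class="caps">RSA</span> key. The following is an added example, not the post’s own tooling: it decodes each public key blob (the <span class="caps">SSH</span> wire format, a length-prefixed type string followed by the key’s integers) and flags ssh-dss keys and ssh-rsa keys under 2048 bits, so it can be pointed at any host’s <em>authorized_keys</em> without ssh-keygen being installed there. Function names and the sample file are mine; the keys in the sample are constructed, not real.</p>

```python
"""Audit an OpenSSH authorized_keys file for the key types the post retires:
ssh-dss, and ssh-rsa below 2048 bits.

Added example, not part of the original post.  It decodes the public key blob
itself (the RFC 4253 wire format), so it runs with the standard library alone
and needs no ssh-keygen on the box being audited."""
import base64
import struct

MIN_RSA_BITS = 2048
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def _read_string(blob, pos):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length

def _mpint_bits(blob, pos):
    """Read an mpint and return (bit length, next pos); the 0x00 sign pad is ignored."""
    raw, pos = _read_string(blob, pos)
    return int.from_bytes(raw, "big").bit_length(), pos

def key_info(line):
    """Return (key_type, bits, weak, comment) for one authorized_keys line, or
    None for blank and comment lines.  Leading options such as from="..." are
    skipped by looking for the first field that names a key type (a quoted
    option containing a word that starts with 'ssh-' would confuse this)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            key_type, b64, comment = field, fields[i + 1], " ".join(fields[i + 2:])
            break
    else:
        raise ValueError("no key found on line: %r" % line)
    blob = base64.b64decode(b64)
    wire_type, pos = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("type %s does not match blob %r" % (key_type, wire_type))
    if key_type == "ssh-rsa":  # blob: type, e, n
        _, pos = _mpint_bits(blob, pos)
        bits, _ = _mpint_bits(blob, pos)
        return key_type, bits, bits < MIN_RSA_BITS, comment
    if key_type == "ssh-dss":  # blob: type, p, q, g, y; disabled by default since OpenSSH 7.0
        bits, _ = _mpint_bits(blob, pos)
        return key_type, bits, True, comment
    if key_type.startswith("ecdsa-sha2-nistp"):
        return key_type, int(key_type[len("ecdsa-sha2-nistp"):]), False, comment
    if key_type == "ssh-ed25519":
        return key_type, 256, False, comment
    return key_type, 0, False, comment  # unknown type: report it, do not judge it

def weak_keys(text):
    """Every key in an authorized_keys file that should be replaced."""
    infos = (key_info(line) for line in text.splitlines())
    return [k for k in infos if k is not None and k[2]]

# --- constructed sample input (not real keys: only the wire format and the
# modulus sizes matter to the audit) -----------------------------------------
def _string(b):
    return struct.pack(">I", len(b)) + b

def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # keep the number positive, as the mpint encoding requires
        raw = b"\x00" + raw
    return _string(raw)

def make_line(key_type, *parts, comment="test", options=""):
    blob = _string(key_type.encode()) + b"".join(parts)
    return "%s%s %s %s" % (options, key_type, base64.b64encode(blob).decode(), comment)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    make_line("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1), comment="old-laptop"),
    make_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1), comment="otter-deploy",
              options='from="10.0.0.0/8" '),
    make_line("ssh-dss", _mpint((1 << 1023) | 1), _mpint((1 << 159) | 1), _mpint(2),
              _mpint(3), comment="ancient"),
    make_line("ssh-ed25519", _string(b"\x11" * 32), comment="new-key"),
])

if __name__ == "__main__":
    for key_type, bits, _weak, comment in weak_keys(SAMPLE_AUTHORIZED_KEYS):
        print("replace %s: %s, %d bits" % (comment, key_type, bits))
```

<p>Run against a real file with <strong>weak_keys(open("/home/otter/.ssh/authorized_keys").read())</strong>; the comment field is usually the only thing that tells you which laptop or job a key belongs to, which is exactly the information the cleanup needs.</p>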
<p>As a side note, when you upgrade to macOS Sierra it overwrites /etc/ssh/sshd_config and /etc/ssh/ssh_config so I had to make changes there with respect to Kerberos authentication. The options are the same; basically you want to set <b>GSSAPIAuthentication yes</b> in both config files.</p>
<p>Double-checked my <span class="caps">GPG</span> key and it’s a 3072 bit <span class="caps">RSA</span> key, so doing alright there.</p>
<p>The next step in the coming days is to update passwords on some sites where it’s not been changed in a long time. I use 1Password (you could use any password manager you like) so I have distinct and unique passwords on each site, but some of them are a bit weaker than I would like. One nice feature of 1Password is the “Security Audit” section that lists passwords that are weak, duplicates, and then those that have not been changed in a while (broken down in 3+ years old, 1-3 years old, and 6-12 months old). Thankfully the weak password count is fairly low, but the 3+ year old list is a bit higher.</p>
<p>Some people recommend changing passwords often, but I disagree with this. For instance, whenever you change your password you introduce some risk (is the site currently compromised? are you? is there someone listening on the wire as you make the change?) so there are some instances where it makes sense, but if you’re rotating passwords every 3 months or so I have to wonder what the point is (and point out that you’re actually increasing risk when you do). So use a good password or passphrase, make sure they are different for each site (so a compromise of one doesn’t compromise you on another, etc.). Having said that, it’s good to change passwords every once in a while. The security policy of the site may have changed — maybe when you first signed up they kept passwords in plaintext for some insane reason, and in a later software update they started storing it properly, or maybe they used to store the password as a weak <span class="caps">MD5</span> hash and have since moved to a stronger <span class="caps">SHA256</span> (or, better still, a dedicated password hash such as bcrypt or <span class="caps">PBKDF2</span>). The point is, even though your password may have been strong, you don’t know how they have stored it on the remote side and in a lot of these cases, you’re at their mercy even if you use a good password.</p>
<p>Of course, you can almost always tell if the remote end has bad security policies by doing the “forgotten password” request… if they send you your password, you might want to move on from that site entirely (a server should not be able to send you your password in plaintext!).</p>
<p>Finally, if the sites you use offer two-factor authentication (sometimes called two-step authentication) I do recommend using it. Sometimes it’s a pain, but (as in the case of this former client) using two-factor authentication would have kept someone from accessing his email account and convincing his bank to wire a <i>lot</i> of money out of the country. The idiocy of the bank aside, this is a pretty costly reminder that some really smart people can do some really creative things to steal a buck, and some other (equally smart or not nearly as smart, you decide) people can get suckered. How that bank handled that situation was <i>beyond</i> ridiculous, which sort of drives home the point that ultimately it’s up to you to be your own advocate and first line of defence. Good passwords, good security “know how”, and just plain old being smart (don’t click random links in email, people!) are really the best things you can do to save yourself a lot of grief.</p>
<p>And while there is a balance between security and convenience, with some things (like 1Password) you can get a measure of both. And education… education is important. We as humans are really good at learning about the things that matter to us… healthy eating, responsible money management, and so on… we need to drive home the message that security is important and it starts with the individual and their computing habits. As security professionals, we almost need these horror stories to shock people into action but it seems like when the horror stories come in rapid succession, we tend to filter them out. These things becoming “normal” is not ok. Humans tend to minimize how awful something is unless it happens to them. And sometimes we need bad things to happen more than once to really drive it home.</p>
<p>As an illustration, a neighbour had a drive die and the last time this happened a few years ago I helped him get sorted out with a backup system and made it quite clear how important it was by sharing my own experiences. However, over time, the backups happened less and now those pictures, financial information, and other things are… poof… gone. He’s an example of being bit, perhaps not hard enough the first time, but hopefully hard enough <i>this</i> time. I’ve been bit once (hard!) and I would gladly pay the cost of multiple redundant backups than deal with that kind of data loss again. I suspect this time he will too.</p>
<p>While that isn’t really security-related, per se, I think it’s probably something that people can appreciate due to their own experiences — when it comes to some of the damage that comes from security breaches or information theft, I don’t want people to have those experiences! So while we can’t fully control what information we provide to a site that may or may not get exposed, we can certainly try to reduce the damage and we should. I’ve spoken to homeschool groups about exactly this and I was probably more shocked overall than they were! They were shocked at all the naughty stuff that can happen and I was shocked that they didn’t know even the half of it.</p>
<p>I could keep going (maybe I should, maybe a multitude of voices shouting from the rooftops that this stuff is actually serious will make a difference), but I’ll stop here. Suffice it to say that while I think there is a great, and growing, responsibility on site owners to protect their customers and users, the sad reality is these things are based on software written by humans and humans make mistakes. I’ve been doing security response work for over 15 years now and while certain things become better, other things are horribly, <i>horribly</i> broken (don’t even get me started on IoT!) and we have a lot to do to fix them and educate the coders of the future on how <i>not</i> to write these things.</p>
<p>And since there will always be users, we need to educate them so that they know the risks and how best to minimize them. We can try, and often succeed, in keeping users safe, but it only takes one crack in the armor and then it becomes a matter of minimizing damage and the user who has prepared for this (because it <i>will</i> happen) will be much better off than the user that didn’t or, even worse, didn’t even realize it was possible.</p>
<p><strong>Consumer Christianity</strong> (Vincent Danen, 2016-09-11, /blog/consumer-christianity)</p>
<p><img alt="Image" src="https://annvix.com/images/food-man-person-eating.jpg" /></p>
<p>Today we held a “Ministry Fair” at the church that serves to highlight the many ministries within our church as a way to highlight the sorts of things we do and also to allow others to volunteer and serve in particular areas where we have need. As I stood at my station, I began to think about the church and why I, with my family, attend and serve… and it caused some interesting reflection that I wanted to share here.</p>
<p>It is my firm belief that one of the biggest problems within the church today is that it has become an institution that seeks to change God for the sake of people, rather than to change people for the sake of God. It has become “seeker friendly” and so much so that the gospel of Jesus Christ has been watered down to the point that it is indistinguishable from real Biblical truth. It isn’t hard to see… turn around and look at what many churches today preach, teach, and “sell” to people who come in the doors. Instead of calling people to serve God, the church starts to serve the individual. Instead of the church calling individuals to serve the body (which is the church and members of the Christian community, and also all mankind), it seeks to become more palatable to the masses.</p>
<p>In the words of Dietrich Bonhoeffer:</p>
<blockquote>
“Cheap grace is the preaching of forgiveness without requiring repentance, baptism without church discipline, Communion without confession, absolution without personal confession. Cheap grace is grace without discipleship, grace without the cross, grace without Jesus Christ, living and incarnate.”
</blockquote>
<p>How did we get to this point? The church used to be something that people gave their lives for (and, in many parts of the world, still do) but here in North America we equate the church to nothing more than a drive-through fast food joint. We have become a McDonalds for the soul. A Subway for the spirit. To me, the obvious answer is that churches want more people, and I believe most have good intentions here. The more folks who come through the doors, the more people who will have that encounter with Jesus and ultimately start down the road of relationship with Him that leads to eternal life. Sure, some churches are thinking that more people mean more finances and they are financially driven although I don’t think this is most churches (undoubtedly there are more than a few that would fall into this kind of motivation).</p>
<p>The question I have for these churches that are willing to water down the message to get more people in the door is: what do you do with them once you have them? If your lure to get people into the church is to preach messages about how much God loves you (He does) and how much He wants to bless you (He does), and how much it’s all about <i>you</i> (it isn’t really) then what do you do about the flip-side of the gospel that is just as important, if not more so? If you spend all your time talking about these things and then toss in a message about repentance, about obedience, self-sacrifice, loving your neighbour like yourself, putting God first above all things… if you don’t preach these things as part of the “whole package” then the people you brought in with the “it’s all about you, baby” message will vote with their feet and walk because this new message isn’t what drew them in to begin with. So what are the chances these things will reach the pulpit? Probably little chance because the fear will be that you’ve changed the menu and you’ve changed what they came for with something they need, but don’t really want. We can’t be “bait and switch” churches because that doesn’t work and deceives people.</p>
<p>So what are we left with? Starting off as peddlers of cheap grace and staying that way. Or we can preach a full gospel and stay true to it, showing integrity and honesty and deceiving no one.</p>
<p>I believe this is a real fear in a lot of churches today. If they start preaching a <i>full</i> gospel, who is going to stick around to hear it? Sure some will, but for those who came to the church because it met <i>their</i> needs, when those needs are no longer met, they’ll leave.</p>
<p>This is the essence of consumer Christianity. Thomas C. Reeves, in his book <i>The Empty Church</i>, said:</p>
<blockquote>
“Christianity in modern America … tends to be easy, upbeat, convenient, and compatible. It does not require self-sacrifice, discipline, humility, an otherworldly outlook, a zeal for souls, a fear as well as love of God. There is little guilt and no punishment, and the payoff in heaven is virtually certain. What we now have might best be labeled ‘Consumer Christianity.’ The cost is low and customer satisfaction seems guaranteed.”
</blockquote>
<p>But this isn’t the way the church was supposed to operate and as a Christian, this isn’t how we’re supposed to view the church. There are two main points here: the first is that the church has to stop catering to people and be what it was actually meant to be, what God designed it to be. The second is that people have to stop looking at church as something that caters to their needs and making it all about their wants and desires. I believe that if the second happens, the first will also. But some churches just need to make the decision that, even if it means people leaving, they will preach a full gospel truth — not watered down, not manipulated, and certainly not absent. Why? Because Jesus asked us to make disciples, not patrons.</p>
<p>For Christians, the church was not meant to serve our needs. We were meant to serve the church, to be obedient to the call of God. In Luke 9:23-34 (<span class="caps">TLB</span>), Jesus says:</p>
<blockquote>
Then he said to all, “Anyone who wants to follow me must put aside his own desires and conveniences and carry his cross with him every day and keep close to me! Whoever loses his life for my sake will save it, but whoever insists on keeping his life will lose it;
</blockquote>
<p>We need to understand that sometimes we won’t get what we want. We need to understand that sometimes the pastor will preach a message that digs a little deep and makes us uncomfortable and that it isn’t a license to leave to find somewhere else that preaches something a little softer. We need to be ok with change and that sometimes people will rub us the wrong way and instead of looking for the exit, realize that we have a place here and maybe, just maybe, this is a good opportunity for growth. The church is called the Body of Christ and we don’t get to define what that looks like. God calls us, and has designed us, to be a part of one body. In 1 Corinthians 12 the Bible talks about the body and how we are necessary parts of it, and in Colossians 1:18a the Bible tells us that Jesus is the head of the body:</p>
<blockquote>
He is the Head of the body made up of his people—that is, his Church—which he began
</blockquote>
<p>So we see that it’s not up to us to determine whether or not we belong, whether or not we should leave, whether or not it meets our needs. Instead, we need to know that we <i>do</i> belong, we should only leave if the Lord directs us elsewhere (after all, He places us where He wishes), and we need to start thinking about meeting the needs of others rather than just being in it for ourselves.</p>
<p>My wife and I have been attending Christcity (started back when it was Bethesda Christian Fellowship) for about 18 years now. We have seen pastors move on to other churches, we have seen many friends leave for a variety of reasons, and we have seen people who have remained loyal to that body of believers much longer than we have. In fact, today we honoured the retirement of our Treasurer who has served faithfully for 46 years. I can honestly say that remaining this long has not been without its challenges! Some of the people who have moved on have been very dear friends and it would have been so easy to leave with them.</p>
<p>Except that my wife and I understood and acknowledged that God planted us in that church 18 years ago and we don’t have the option of leaving until He says so. This isn’t about loyalty to one pastor, or even one building. It’s about loyalty to the God who said “this is where you belong” and understanding that God commands blessing when we remain in unity (Psalm 133).</p>
<p>And so we have, and God has rewarded us immensely for remaining faithful to the place God has called us. But even more than that, we don’t come to the church as consumers, we come to the church as contributors. When we come as contributors, yes, we consume, but we also take part.</p>
<p>This can easily be compared to the open source ecosystem. There are many consumers of open source (in fact, a whole lot of what you use today, whether you realize it or not, is effectively consumed open source software, be it your phone, <span class="caps">TV</span>, router… heck, even your toaster). There are, comparatively, few contributors. And yet the contributors to open source will tell you, time and time again, that contributing to open source makes all the difference and there is great satisfaction to be had. In fact, I’d say that open source contributors believe “it is better to give than to receive” because they know they will receive so much more than they contributed, because they are able to reap the fruit of the labours of others who, like themselves, contributed to something that was bigger than just “me”.</p>
<p>This is what the church is meant to be. We are meant to be partakers, to partner with God and the church He designed. We are meant to serve. We are meant to walk alongside our brothers and sisters in Christ. We are meant to be active parts of the body. And we are meant to be loyal and committed to the body, in the same way two people are committed in marriage. I find the imagery of Christ and His Bride so potent because Jesus has made commitment to the church in the same way a husband does to his bride, and the church is meant to have that same level of commitment to her Husband. And we, in turn, are meant to have the same level of commitment to both the Bride (church) as members of the body, and to the Husband (Jesus) as the Bride.</p>
<p>I’ll wrap this post up with Acts 20:28-35 (<span class="caps">TLB</span>) as a warning for both those who lead the church and for those who are a part of the church:</p>
<blockquote>
“And now beware! Be sure that you feed and shepherd God’s flock—his church, purchased with his blood—for the Holy Spirit is holding you responsible as overseers. I know full well that after I leave you, false teachers, like vicious wolves, will appear among you, not sparing the flock. Some of you yourselves will distort the truth in order to draw a following. Watch out! Remember the three years I was with you—my constant watchcare over you night and day and my many tears for you.
“And now I entrust you to God and his care and to his wonderful words that are able to build your faith and give you all the inheritance of those who are set apart for himself.
“I have never been hungry for money or fine clothing— you know that these hands of mine worked to pay my own way and even to supply the needs of those who were with me. And I was a constant example to you in helping the poor; for I remembered the words of the Lord Jesus, ‘It is more blessed to give than to receive.’”
</blockquote>
<p><b>Replacing a FreeNAS drive</b> (Vincent Danen, 2016-08-10T17:00:00-06:00)</p>
<p><img alt="Image" src="https://annvix.com/images/freenas.jpg" /></p>
<p>I was on holidays a few weeks ago and decided to replace an aging Mac Pro that I had been using as a Plex server with a new FreeNAS box, since I could run a jail with Plex. So I used the four <span class="caps">3TB</span> <span class="caps">WD</span> Red drives in the Mac Pro with another two new similar drives to construct a new FreeNAS box.</p>
<p>Of course, the problem with those four drives I used as a base was that they were already four years old, but since they still seemed to be working well enough and it would save me about $600, why not?</p>
<p>As it turns out, yesterday FreeNAS helpfully told me that one of the drives was failing. I’m not a stranger to systems administration, having done it for the better part of 20 years, and I’m certainly not a stranger to replacing failed drives, but… FreeNAS (based on FreeBSD) is a bit different than what I’m used to (I’m a Linux guy, I can deal with <code>mdadm</code> and others no problem). Couple this with the fact that I’m using <span class="caps">ZFS</span> in a <span class="caps">RAIDZ2</span> configuration and… this is all new to me, thus this entry. If nothing else, it gives me something to refer down the line but hopefully it is found useful by others as well.</p>
<p>I’m using FreeNAS 9.10.1 and while the error alert and emails are nice, they don’t give me much to go on. Especially when the web <span class="caps">UI</span> tells me that the zpool is degraded but doesn’t actually tell me which drive has the problems. When you navigate to <b>Storage</b> - <b>Volumes</b> - [mount point] - <b>View Volumes</b> you can select the volume name (in my case it is “storage”) by clicking on it and at the bottom of the page you will see three new icons, the last of which is <b>Volume Status</b>. Here you can see the physical device that has failed, in my case with a <span class="caps">DEGRADED</span> status. You can also view this information from the commandline:</p>
<pre>
[root@heimdall] ~# zpool status storage
  pool: storage
 state: DEGRADED
status: One or more devices has experienced an unrecoverable error.  An
        attempt was made to correct the error.  Applications are unaffected.
action: Determine if the device needs to be replaced, and clear the errors
        using 'zpool clear' or replace the device with 'zpool replace'.
   see: http://illumos.org/msg/ZFS-8000-9P
  scan: none requested
config:

        NAME                                            STATE     READ WRITE CKSUM
        storage                                         DEGRADED     0     0     0
          raidz2-0                                      DEGRADED     0     0     0
            gptid/ebcc2eb3-4be5-11e6-9152-3497f634fc9c  ONLINE       0     0     0
            gptid/ed05b1c9-4be5-11e6-9152-3497f634fc9c  ONLINE       0     0     0
            gptid/edc30220-4be5-11e6-9152-3497f634fc9c  ONLINE       0     0     0
            gptid/ee870fb3-4be5-11e6-9152-3497f634fc9c  DEGRADED     0     0    40  too many errors
            gptid/ef3cebfa-4be5-11e6-9152-3497f634fc9c  ONLINE       0     0     0
            gptid/effda85e-4be5-11e6-9152-3497f634fc9c  ONLINE       0     0     0

errors: No known data errors
</pre>
<p>So from the above I can see that my <b>storage</b> zpool is in a degraded state and it tells me that the device <code>gptid/ee870fb3-4be5-11e6-9152-3497f634fc9c</code> is the culprit. That isn’t a drive identifier and I can’t see in the zpool manpage a way to make it show me the device. So I have to use a different command and since I have the gptid, I can weed out the things I don’t care about:</p>
<pre>
[root@heimdall] ~# glabel status | grep ee870fb3
gptid/ee870fb3-4be5-11e6-9152-3497f634fc9c N/A ada2p2
</pre>
<p>This is helpful! So I know that the device that is degraded and has too many errors is /dev/ada2. Checking this out with smartctl shows me no useful information — it has not failed any <span class="caps">SMART</span> tests. I even ran long and short <span class="caps">SMART</span> tests after the fact, in a different machine, to see if it was actually dying and smartctl tells me that both tests completed without error. But, given the age of the drive, it’s probably due for a replacement anyway.</p>
<p>When you’re pulling the drive, unless you’ve labelled the drives physically, you’ll need to identify them by serial number. The smartctl tool can show you this, or you can use camcontrol:</p>
<pre>
[root@heimdall] ~# camcontrol identify ada2|grep serial
serial number WD-WMC1T0421516
</pre>
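<p>The three lookups above (the leaf vdevs from <code>zpool status</code>, the gptid-to-partition map from <code>glabel status</code>, and the partition-to-disk naming) can be joined up in a few lines. The script below is an added example, not part of the original post or of FreeNAS: it parses constructed copies of the two outputs (the gptids and partition names are placeholders) and reports every vdev that is not ONLINE or carries a non-zero error counter, together with the <code>/dev</code> disk it maps to. It goes slightly beyond the post by also flagging error counters on vdevs that ZFS still lists as ONLINE, which is the case where the <code>zpool clear</code> path from the status message applies.</p>

```python
"""Map the vdevs that zpool status flags to FreeBSD disk names.

Added example, not part of the original post.  The sample outputs below are
constructed to match the shape FreeNAS 9.10 prints; gptids are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a trimmed `zpool status` with one vdev past the
# checksum-error threshold and one ONLINE vdev that has counted write errors.
ZPOOL_STATUS = """\
  pool: storage
 state: DEGRADED
config:

        NAME                                            STATE     READ WRITE CKSUM
        storage                                         DEGRADED     0     0     0
          raidz2-0                                      DEGRADED     0     0     0
            gptid/ebcc2eb3-4be5-11e6-9152-3497f634fc9c  ONLINE       0     0     0
            gptid/ee870fb3-4be5-11e6-9152-3497f634fc9c  DEGRADED     0     0    40  too many errors
            gptid/ef3cebfa-4be5-11e6-9152-3497f634fc9c  ONLINE       0     2     0

errors: No known data errors
"""

# Constructed sample: `glabel status`, which maps each GPT label to its partition.
GLABEL_STATUS = """\
                                      Name  Status  Components
gptid/ebcc2eb3-4be5-11e6-9152-3497f634fc9c     N/A  ada0p2
gptid/ee870fb3-4be5-11e6-9152-3497f634fc9c     N/A  ada2p2
gptid/ef3cebfa-4be5-11e6-9152-3497f634fc9c     N/A  ada4p2
"""

# Leaf vdev line: label, state, three error counters, optional trailing note.
VDEV_RE = re.compile(r"^\s*(gptid/\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+(.*\S))?\s*$")
# glabel line: label, status column, component (partition) name.
GLABEL_RE = re.compile(r"^\s*(gptid/\S+)\s+\S+\s+(\S+)\s*$")
# FreeBSD partition names look like ada2p2: disk "ada2", partition 2.
PARTITION_RE = re.compile(r"^([a-z]+\d+)p\d+$")


@dataclass
class Vdev:
    gptid: str
    state: str
    read: int
    write: int
    cksum: int
    note: str
    partition: Optional[str]
    disk: Optional[str]

    def needs_attention(self) -> bool:
        """True when ZFS reports a non-ONLINE state or any error counter."""
        return self.state != "ONLINE" or (self.read + self.write + self.cksum) > 0


def parse_glabel(text: str) -> Dict[str, str]:
    """Return {gptid: partition} from `glabel status` output."""
    labels: Dict[str, str] = {}
    for line in text.splitlines():
        m = GLABEL_RE.match(line)
        if m:
            labels[m.group(1)] = m.group(2)
    return labels


def disk_for_partition(partition: Optional[str]) -> Optional[str]:
    """Strip the partition suffix: ada2p2 -> ada2 (unknown shapes pass through)."""
    if partition is None:
        return None
    m = PARTITION_RE.match(partition)
    return m.group(1) if m else partition


def parse_zpool(text: str, labels: Dict[str, str]) -> List[Vdev]:
    """Return every leaf vdev in `zpool status` output, resolved to a disk."""
    vdevs: List[Vdev] = []
    for line in text.splitlines():
        m = VDEV_RE.match(line)
        if not m:
            continue
        gptid, state, rd, wr, ck, note = m.groups()
        partition = labels.get(gptid)  # None when glabel does not know the label
        vdevs.append(Vdev(gptid, state, int(rd), int(wr), int(ck),
                          note or "", partition, disk_for_partition(partition)))
    return vdevs


def suspect_disks(zpool_out: str, glabel_out: str) -> List[Vdev]:
    """Vdevs that are degraded or have counted errors, with their disk names."""
    labels = parse_glabel(glabel_out)
    return [v for v in parse_zpool(zpool_out, labels) if v.needs_attention()]


if __name__ == "__main__":
    for v in suspect_disks(ZPOOL_STATUS, GLABEL_STATUS):
        print(f"{v.gptid} {v.state} R/W/C={v.read}/{v.write}/{v.cksum} "
              f"-> /dev/{v.disk} ({v.note or 'no note'})")
```

<p>On the real box, feed the two functions the live output of <code>zpool status storage</code> and <code>glabel status</code>; the serial number you need for the physical pull still comes from <code>camcontrol identify</code> as shown above.</p>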
<p>The <a href="https://doc.freenas.org/9.10/freenas_storage.html#replacing-a-failed-drive">FreeNAS documentation will tell you how to replace a failed drive</a>. Effectively, you just need to power off the system, pull the failed drive and replace it with a new drive and reboot. Once you have done this, navigate back and find the <span class="caps">OFFLINE</span> disk (it will be the one with a series of numbers rather than a device name) and click the <b>Replace</b> button and select the new device (should be the only one on the list). Since this drive is entirely new and unpartitioned, you’ll need to force the replacement. After that, it’s just a matter of sitting back while the volume performs the resilver operation.</p>
<p>If you’re using an encrypted volume (I’m not) you have a few more steps to take that the documentation describes.</p>
<p>When you’ve done this, you’ll be able to see the estimate of how long it will take to resilver with the zpool command:</p>
<pre>
[root@heimdall] ~# zpool status -v storage
  pool: storage
 state: ONLINE
status: One or more devices is currently being resilvered.  The pool will
        continue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
  scan: resilver in progress since Wed Aug 10 23:20:19 2016
        41.4G scanned out of 4.55T at 392M/s, 3h20m to go
        6.89G resilvered, 0.89% done
config:

        NAME                                            STATE     READ WRITE CKSUM
        storage                                         ONLINE       0     0     0
          raidz2-0                                      ONLINE       0     0     0
            gptid/ebcc2eb3-4be5-11e6-9152-3497f634fc9c  ONLINE       0     0     0
            gptid/ed05b1c9-4be5-11e6-9152-3497f634fc9c  ONLINE       0     0     0
            gptid/edc30220-4be5-11e6-9152-3497f634fc9c  ONLINE       0     0     0
            gptid/42ea0574-5f83-11e6-aa4a-3497f634fc9c  ONLINE       0     0     0  (resilvering)
            gptid/ef3cebfa-4be5-11e6-9152-3497f634fc9c  ONLINE       0     0     0
            gptid/effda85e-4be5-11e6-9152-3497f634fc9c  ONLINE       0     0     0

errors: No known data errors
</pre>
<p>In my case, it took over 3 hours. I just went to bed and when I got up, it was back online and in good state. Really really easy. Thank you FreeNAS!</p>
<p><b>Current progress of new blog platform</b> (Vincent Danen, 2016-08-05T16:00:00-06:00)</p>
<p>I’ve not had much time in the past week to work on the blog platform due to getting back to work after two weeks off. So that means future enhancements to the blog will take a bit longer.</p>
<p>I managed to implement a fairly basic commenting system that works well, so at least now you can offer your thoughts and comments on blog posts. The one thing that’s really missing before I redirect the old linsec.ca site to here is searching. I think search capabilities are quite important. Flask can do this with Whooshalchemy, which would be awesome except I opted to use Peewee (which we use at work in a few places, so it helps me learn it better) rather than SQLAlchemy. It also looks like you can do full text search quite easily if you were using SQLite but alas, I’m using MySQL on the backend.</p>
<p>So it looks like the next step is to write something that uses Whoosh for searching, but also integrates with Peewee (in a way that Flask-WhooshAlchemy would). I might look into writing something quick-n-dirty from scratch, or I might poke at Flask-WhooshAlchemy and see if there might be a future Flask-WhooshPeewee… you never know!</p>
<p>If someone on the interwebs has figured this out already though, I would be really keen on hearing what you have to say!</p>
<p>Another issue that currently bothers me a little bit is the <span class="caps">UWSGI</span> integration. Because I’m using mod_proxy_uwsgi and running this site as a <span class="caps">UWSGI</span> application, I have a systemd unit file to run it, which looks like this:</p>
<pre>
[Unit]
Description=annvix.com flask uwsgi server
[Service]
Type=forking
WorkingDirectory=/mysite/flask
ExecStart=/usr/bin/bash -c 'cd /mysite/flask; source flask/bin/activate; /mysite/flask/flask/bin/uwsgi --ini /mysite/flask/annvix.ini'
RuntimeDirectory=/mysite/flask
Restart=always
[Install]
WantedBy=multi-user.target
</pre>
<p>But whenever I run <code>systemctl start annvix-flask</code>, it sits for a <i>long</i> time before releasing to the console and <code>systemctl status</code> shows it as “activating”:</p>
<pre>
# systemctl status annvix-flask
● annvix-flask.service - annvix.com flask uwsgi server
   Loaded: loaded (/etc/systemd/system/annvix-flask.service; disabled; vendor preset: disabled)
   Active: activating (start) since Fri 2016-08-05 17:01:55 MDT; 13s ago
  Control: 31128 (bash)
   CGroup: /system.slice/annvix-flask.service
           ├─31128 /usr/bin/bash -c cd /mysite/flask; source flask/bin/activate; /mysite/flask/flask/bin/uwsgi --ini /mysite/flask/annvix.ini
           ├─31133 /mysite/flask/flask/bin/uwsgi --ini /mysite/flask/annvix.ini
           └─31141 /mysite/flask/flask/bin/uwsgi --ini /mysite/flask/annvix.ini

Aug 05 17:01:55 vps.annvix.com bash[31128]: [uWSGI] getting INI configuration from /mysite/flask/annvix.ini
</pre>
<p>Nothing that I’ve read explains why this might be the case. It works, the site is obviously running, but systemd thinks it’s still activating and when it finally releases it’s saying it has timed out. This is a cheap plea to smart folks that may have the answer (although if I do figure out why it’s doing this, I’ll be sure to use the new commenting feature to share the answer).</p>
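<p>One explanation for the long “activating” state, added here as an example and not something from the original post: <code>Type=forking</code> tells systemd that the process started by <code>ExecStart</code> will fork and exit, and systemd only treats the service as started once that first process exits. Here <code>bash -c</code> runs uwsgi in the foreground, so the shell never exits and systemd keeps waiting until its start timeout fires, which is exactly the “activating” followed by a timeout that the status above shows. A unit that calls the virtualenv’s uwsgi binary directly as a simple service avoids the wait. The paths are the ones from the unit above; <code>After=network.target</code> is an assumption. <code>RuntimeDirectory=</code> takes a directory name relative to <code>/run</code> rather than an absolute path, so that line is dropped.</p>

```ini
[Unit]
Description=annvix.com flask uwsgi server
After=network.target

[Service]
# uwsgi runs in the foreground, so let systemd track that process directly
# instead of waiting (Type=forking) for a parent that never exits.
Type=simple
WorkingDirectory=/mysite/flask
# Run the virtualenv's uwsgi binary directly; no shell wrapper or `source activate`.
ExecStart=/mysite/flask/flask/bin/uwsgi --ini /mysite/flask/annvix.ini
Restart=always

[Install]
WantedBy=multi-user.target
```

<p>Two things to carry into <code>annvix.ini</code> when the shell wrapper goes away: if the application relied on the activated environment, set uWSGI’s <code>virtualenv = /mysite/flask/flask</code> option there instead; and since uWSGI reloads rather than exits on SIGTERM by default, add <code>die-on-term = true</code> so that <code>systemctl stop</code> actually stops it.</p>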
<p>Any takers?</p>
<p><b>Welcome to the new journey</b> (Vincent Danen, 2016-07-22T11:00:00-06:00)</p>
<p>This is the first post on my new blogging platform that I’ve written from scratch using Flask and Python. I’ve been using Drupal to host annvix.com for quite some time (mostly for consulting client information) and have used WordPress for years on linsec.ca. To be quite honest, I’m tired of Drupal, Wordpress, and <span class="caps">PHP</span> in general so I set out to try something new. I have been using Flask at work now for some applications and am <b>really</b> enjoying web applications written in Python using the Flask framework. I’m not a <span class="caps">PHP</span> expert by any means, but <span class="caps">PHP</span> lost its appeal for me many years ago when I got around to learning Python and now… Well, I just really don’t want to do anything in <span class="caps">PHP</span> anymore.</p>
<p>I’m also tired of updating Wordpress and Drupal and having to install poorly maintained and insecure modules in order to use that fraction of functionality that I want. I was working on a redesign of my church’s web site, written in Python, and decided to do the same for myself. So this is the fruit of that.</p>
<p>It’s by no means perfect and it has a lot of things missing (i.e. no comment support yet). I’m ok with the odd error 500 and things that go oops because it gives me a chance to learn and play with things outside of work, something that has been sorely lacking for quite some time. It also lets me play with things that I wouldn’t be doing in a work context, like fiddling with the Twitter and Flickr APIs and some other things that aren’t really required when you’re working on CVEs or OpenSCAP or internal dashboards, etc.</p>
<p>I’ve also taken this opportunity to migrate content from the linsec.ca blog to here (all of the documentation, which was previously on Mediawiki, has already been done… the blog entries themselves go back quite a few years so I’ll get around to going pre-2013 as I get to it). I guess this is the “great consolidation” of content into one place with one platform that I get to write from scratch.</p>
<p>So, apologies in advance if this is a bit rough around the edges. =)</p>
<p>As well, I won’t be restricting myself on what content I produce. Previous blogs and articles have been pretty much strictly tech-related, but while that’s still very interesting and important to me, my faith is even more important and that’s where a lot of my conversations these days lead so why not talk about it in an open forum? There are so many misconceptions about what true Christianity is, and so many people I talk to that have preconceived notions about “religion” and “faith” that, while my aim here is not to convert anyone, perhaps I can use this platform to at least educate or enlighten people. Instead of believing something without critically thinking about or considering it (the very same accusations typically tossed at Christians), maybe get to understand or know it a little bit better. This seems to be a fundamental flaw in society today. We all want to be understood but take very little time to bother to understand. This isn’t just my complaint in regards to Christianity, this is my complaint when it comes to Linux (how many people never give it a chance because they <b>assume</b> they know what it is and what it can and cannot due without ever even trying it?). This is the complaint that Muslims have when the majority assumes all Muslims are extremists. This is the complaint that members of the <span class="caps">LGBTQ</span> community have when many assume they are deviants. This is the complaint teenagers have when parents assume they understand what their kids are going through without even bothering to talk to them and actually listen to them. The list goes on.</p>
<p>This isn’t something specific to Christianity, or to “religion”. This affects all walks of life. And if you don’t take the time to try to understand, you’ll miss what the real truth is, and you’ll miss all kinds of opportunities. So, moving forward, I will attempt to do that for anyone who cares to understand what true discipleship looks like, and what James refers to as “true religion” which I firmly believe many so-called “Christians” today have either forgotten, or never learned to begin with.</p>
<p>(As an aside, this is the reason why I will not be syndicating content to Fedora Planet like I had with my old blog and as the content will vary widely from just Linux and would thus be inappropriate for Fedora Planet)</p>
<p>Let the journey begin!</p>
<p><b>Adding Dash support to Komodo IDE</b> (Vincent Danen, 2016-02-24T22:00:00-07:00)</p>
<p>I’ve recently found and become a fan of the <a href="https://kapeli.com/dash">Dash</a> documentation browser for <span class="caps">OS</span> X. It has some neat integration with some applications, like Sublime Text and PyCharm (both of which I use), but not for Komodo <span class="caps">IDE</span> (which I also use). So this post is to show how easy it is to integrate the two.</p>
<p>Dash uses a <span class="caps">URL</span> scheme of <code>dash://[query]</code> that makes it really easy to tie into any application that can call out to such URLs. You can use this <span class="caps">URL</span> scheme pretty much anywhere. For instance, if you wanted to search for “os.getpid” (a Python function) you could type:</p>
<pre>
$ open dash://python2:os.getpid
</pre>
<p>on the commandline in the Terminal and it will open Dash, searching in the Python docset, for this function. We will make use of that capability in our Komodo <span class="caps">IDE</span> toolbox.</p>
<p>The first step is to create a new toolbox item of the type “Command”. The only things we need to do here are give it a name (like “dash lookup”), set the command to “open dash://%W” and check off “Do not open output pane” (since there won’t be any output). Finally, on the “Key Binding” tab, assign a new key binding; I chose <span class="caps">CTRL</span>-H since that mimics what Sublime Text uses.</p>
<p><img src="/static/uploads/komodo-toolbox.jpg" alt="komodo-toolbox" width="502" height="600" class="img-responsive" /></p>
<p>Now when your cursor is on a function or item in your Python code, or if you highlight something (this is represented by the “%W” in the command), hitting <span class="caps">CTRL</span>-H will open Dash and display search results.</p>
<p>If, however, you’re like me, you probably have a lot of docsets installed in Dash and probably don’t want to search all of them when you’re working on your code. If you’re working on Python, which is what I pretty much exclusively write code in, you wouldn’t want search results for bash or git commands to show up.</p>
<p>Dash has this nice way of allowing you to restrict what docsets are searched based on what the former foreground application was (or the application that triggered the search). So in our case, we want to restrict what we search in Dash when we launch it from Komodo. When you click on the magnifying glass icon next to the search field in Dash, the following search profile editor pops up:</p>
<p><img src="/static/uploads/dash-search.jpg" alt="dash-search" width="637" height="475" class="img-responsive" /></p>
<p>In this case, I created a new search profile called “Komodo” and ensured that it’s active only when Komodo becomes active. And then we can add which docsets to search. In this case, I only want to search the Flask, Jinja, and Python 2 docsets as well as the Python Format Strings cheatsheet. This allows me to search for things that are relevant to what I use Komodo for.</p>
<p>You can have as many search profiles as you like; you could define one for Sublime Text depending on what you use it for, you can define one for the Terminal (the aforementioned shell and git docsets would be a good candidate for searching from there), and so on.</p>
<p>As an aside, because I find this useful also, if you want to search for something in Dash from the commandline, you could create this script to do that:</p>
<pre>
$ cat ~/bin/dash
#!/bin/sh
# Launch Dash with the query given on the command line.
if [ -z "${1}" ]; then
  echo "I need an argument to launch dash with" >&2
  exit 1
fi
# Join all arguments into one query so the URL reaches open(1) as a single argument.
open "dash://$*"
</pre>
<p>Dash pretty much just wants a single argument for the most part so something like:</p>
<pre>
$ dash "vagrant suspend"
</pre>
<p>only shows you search results for “vagrant”. In this case you could type “vagrant:suspend” to have it search for the “suspend” command in the “vagrant” docset alone.</p>
<p>Dash is pretty neat and I’m enjoying using it as an easy reference tool. Using it has tidied up my browser window and I feel more productive with it and I really like how easy it is to summon it from almost any program that I’m using.</p>
<p><b>Bye Bye Mediawiki</b> (Vincent Danen, 2016-01-16T22:08:00-07:00)</p>
<p>Just a quick note to say that I’ve shifted things around and have put most of the mediawiki content on as pages on the blog. This way I don’t have to worry about updating both mediawiki and wordpress. I’m getting older and have less interest in patching things unnecessarily, so I’ve moved all of that information over. As a result, all of the old Annvix content is now gone as well. I figure this is ok since it’s been 8 years since I stopped working on it and while the information was neat as a curiosity, that was about it.</p>
<p>I can’t guarantee that I’ll write more blog entries, though. I can guarantee that I’ll have a wee bit more time to myself not having to update mediawiki. =)</p>
<p>Most of the old links should still work; if any don’t please leave a comment and I’ll put a redirect in place. All of the content moved (some of it probably didn’t have to). The main stuff that didn’t were the Annvix bits, and old book and software reviews (seriously, who wants to read a review on Komodo <span class="caps">IDE</span> 1.0 nowadays?).</p>
<p>Oh, and Happy New Year!</p>
<p><b>Serial console support in Grub2</b> (Vincent Danen, 2015-08-16T16:03:00-06:00)</p>
<p>This is another one of those “just so I don’t forget” posts. I’m working towards migrating from <span class="caps">IPA</span> in a <span class="caps">KVM</span>-based virtual machine running CentOS 6 to one running CentOS 7 and the way of making serial consoles work in 7 is different than it was in 6 because CentOS 7 (and thus <span class="caps">RHEL7</span>) use Grub2.</p>
<p>Instead of editing /boot/grub.cfg, you need to edit /etc/default/grub and add:</p>
<pre>
GRUB_TERMINAL="serial"
GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200"
</pre>
<p>The above will enable Grub output to the serial console. Next, change the GRUB_CMDLINE_LINUX variable to the following so you can use “virsh console” to connect to the guest:</p>
<pre>
GRUB_CMDLINE_LINUX="rhgb quiet console=tty0 console=ttyS0,115200"
</pre>
<p>Once you have saved the file, you need to recreate the grub.cfg file with grub2-mkconfig:</p>
<pre>
# grub2-mkconfig -o /boot/grub2/grub.cfg
</pre>
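<p>The edits above can be applied as one idempotent transformation of <code>/etc/default/grub</code>. The script below is an added example and not from the original post: it sets the two serial variables and, going a step beyond the post, keeps whatever is already in <code>GRUB_CMDLINE_LINUX</code> (a stock CentOS 7 install typically carries <code>crashkernel=auto</code> and <code>rd.lvm.lv=</code> entries there) while ensuring that exactly one <code>console=tty0 console=ttyS0,115200</code> pair lands at the end. The sample file content and the function names are assumptions. Running it twice produces the same text, so it is safe to re-run before <code>grub2-mkconfig</code>.</p>

```python
"""Enable a serial console in /etc/default/grub without clobbering it.

Added example, not part of the original post.  The helper names and the
sample file content are assumptions; the settings are the ones the post adds.
"""
import re

SERIAL_SETTINGS = {
    "GRUB_TERMINAL": "serial",
    "GRUB_SERIAL_COMMAND": "serial --unit=0 --speed=115200",
}
# Order matters: the last console= entry becomes /dev/console.
CONSOLE_ARGS = ["console=tty0", "console=ttyS0,115200"]

# Constructed sample of a stock CentOS 7 /etc/default/grub.
SAMPLE = """\
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
"""


def _set_var(text: str, name: str, value: str) -> str:
    """Replace NAME=... in place if present, otherwise append it."""
    line = f'{name}="{value}"'
    pattern = re.compile(rf"^{re.escape(name)}=.*$", re.MULTILINE)
    if pattern.search(text):
        # A callable replacement keeps backslashes in value literal.
        return pattern.sub(lambda _m: line, text)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + line + "\n"


def _get_var(text: str, name: str) -> str:
    """Return the value of NAME (quotes stripped), or "" if it is not set."""
    m = re.search(rf'^{re.escape(name)}="?(.*?)"?$', text, re.MULTILINE)
    return m.group(1) if m else ""


def enable_serial_console(text: str) -> str:
    """Return the grub defaults text with the serial console settings applied."""
    for name, value in SERIAL_SETTINGS.items():
        text = _set_var(text, name, value)
    args = _get_var(text, "GRUB_CMDLINE_LINUX").split()
    # Drop any existing console= entries so ours land last, in order, exactly once.
    args = [a for a in args if not a.startswith("console=")]
    args.extend(CONSOLE_ARGS)
    return _set_var(text, "GRUB_CMDLINE_LINUX", " ".join(args))


if __name__ == "__main__":
    print(enable_serial_console(SAMPLE), end="")
```

<p>To apply it for real, read the file, pass the text through <code>enable_serial_console</code>, write it back, and then run <code>grub2-mkconfig</code> as above.</p>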
<p>Now, reboot the system and you should be able to use “virsh console [<span class="caps">VMNAME</span>]” to have a serial console to the guest.</p>
<p><b>Getting started with firewalld</b> (Vincent Danen, 2015-08-15T20:00:00-06:00)</p>
<p>I’m mostly writing this for my own reference as I spent a bunch of time figuring this out while I was on holidays with some serious oVirt misadventures and didn’t document any of what I did, so since I had to reinstall CentOS 7, I’m stuck doing this all over again.</p>
<p>Effectively I’m migrating from CentOS 6 to CentOS 7 and trying to take advantage of the new way of doing things. I could easily switch things to use /etc/sysconfig/iptables (that I can handle pretty much in my sleep) but it feels a bit like cheating, so I want to figure out firewalld which is to me a totally alien way of handling my firewall rules.</p>
<p>Suffice it to say that there may be better ways of doing this (and, to you the reader, probably far better tutorials), but this is how I went about it. This is on a CentOS 7.1 system.</p>
<p>The first thing is to make sure firewalld is running and enabled so that it comes back up on boot. It should be the default, but it never hurts to check:</p>
<pre>
[root@thor dhcp]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; <b>enabled</b>)
Active: <b>active</b> (running) since Sat 2015-08-15 18:21:30 MDT; 18min ago
Main PID: 745 (firewalld)
...
</pre>
<p>Ok, it’s active and enabled (in particular pay attention to the enabled bit that is bolded above) so on a reboot it will come up. firewalld has this concept of <a href="https://fedoraproject.org/wiki/FirewallD#Which_zones_are_available.3F">zones</a>, so you can set certain ethernet interfaces to be assigned to a particular zone. The default zone is public, but as this is an internal <span class="caps">DNS</span>/<span class="caps">DHCP</span>/web server for my <span class="caps">LAN</span>, I want to set it to the internal zone:</p>
<pre>
[root@thor dhcp]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@thor dhcp]# firewall-cmd --set-default-zone=internal
success
</pre>
<p>I also want to make sure that the one ethernet interface on this machine, enp2s0 (so long eth0!) is assigned the same zone. I believe this would happen by default, but it doesn’t hurt to be explicit:</p>
<pre>
[root@thor dhcp]# firewall-cmd --zone=internal --change-interface=enp2s0 --permanent
success
</pre>
<p>Now we can see how this zone is configured:</p>
<pre>
[root@thor dhcp]# firewall-cmd --zone=internal --list-all
internal (default, active)
interfaces: enp2s0
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
</pre>
<p>Not a lot there right now and it’s definitely set up to be a workstation, not a server. You can see the available list of services that come pre-defined (they are <span class="caps">XML</span> files in /usr/lib/firewalld/services) by using:</p>
<pre>
[root@thor dhcp]# firewall-cmd --get-services
</pre>
<p>If you want to examine any of the listed services, just look at the <span class="caps">XML</span> file. For instance, /usr/lib/firewalld/services/dns.xml looks like:</p>
<pre>
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>DNS</short>
<description>The Domain Name System (DNS) is used to provide and request host and domain names. Enable this option, if you plan to provide a domain name service (e.g. with bind).</description>
<port protocol="tcp" port="53"/>
<port protocol="udp" port="53"/>
</service>
</pre>
<p>Pretty straightforward. When adding new services or rules, firewalld applies them to the running (runtime) configuration only: they take effect immediately but are gone after the next <code>--reload</code>, service restart or reboot. You need to use the <code>--permanent</code> option to, well, make them permanent, which writes them to the saved configuration under /etc/firewalld instead; a permanent change does not touch the running rules until you reload, so either run each command both with and without <code>--permanent</code> or reload once after the batch, as below. Since this server is going to do <span class="caps">DNS</span>/<span class="caps">DHCP</span>/<span class="caps">HTTP</span>/<span class="caps">HTTPS</span> we need to do:</p>
<pre>
[root@thor dhcp]# firewall-cmd --permanent --zone=internal --add-service=http
success
[root@thor dhcp]# firewall-cmd --permanent --zone=internal --add-service=https
success
[root@thor dhcp]# firewall-cmd --permanent --zone=internal --add-service=dns
success
[root@thor dhcp]# firewall-cmd --permanent --zone=internal --add-service=dhcp
success
[root@thor dhcp]# firewall-cmd --reload
success
[root@thor dhcp]# firewall-cmd --zone=internal --list-all
internal (default, active)
interfaces: enp2s0
sources:
services: dhcp dhcpv6-client dns http https ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
</pre>
<p>In the above we added four services: <span class="caps">HTTP</span>, <span class="caps">HTTPS</span>, <span class="caps">DNS</span>, and <span class="caps">DHCP</span>. We then reloaded the rules (so as to apply them) and then listed the internal zone where we can now see our new services are enabled.</p>
<p>If you want to enable a service for which no default service definition exists, you can create one in /etc/firewalld/services/ as an <span class="caps">XML</span> file (copy a similar one from /usr/lib/firewalld/services/ and adjust for your service). If you’re using SELinux, be sure to run <code>restorecon -Rv /etc/firewalld</code> and make sure the <span class="caps">XML</span> file has 0640 permissions and is owned root:root.</p>
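<p>Copying and hand-editing a stock definition works, but it helps to know what firewalld will accept in one. The following is an added example, not code from this post or from firewalld itself: a small Python helper that parses a service definition into its (protocol, port) pairs, rejecting protocols firewalld does not support and ports outside 1 to 65535 or inverted ranges, and renders a new definition for a service such as apcupsd. The dns.xml embedded in it is a constructed copy of the one shown above; the apcupsd description is an assumption for the example.</p>

```python
"""Parse and generate firewalld service definitions, the XML files that live in
/usr/lib/firewalld/services (stock) and /etc/firewalld/services (local)."""
import os
import xml.etree.ElementTree as ET

PROTOCOLS = ("tcp", "udp", "sctp", "dccp")

# Constructed copy of the stock dns.xml shown above, used as sample input.
DNS_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>DNS</short>
  <description>The Domain Name System (DNS) is used to provide and request host and domain names.</description>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
</service>
"""


def _check_port(spec):
    """Accept '53' or a 'low-high' range, each end in 1..65535."""
    low, _, high = spec.partition("-")
    for n in (low, high or low):
        if not (n.isdigit() and 1 <= int(n) <= 65535):
            raise ValueError("bad port specification %r" % spec)
    if high and int(low) > int(high):
        raise ValueError("inverted port range %r" % spec)


def service_ports(xml_text):
    """Return the set of (protocol, port) pairs a service definition opens."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service definition (root <%s>)" % root.tag)
    ports = set()
    for elem in root.findall("port"):
        proto, spec = elem.get("protocol"), elem.get("port")
        if proto not in PROTOCOLS or spec is None:
            raise ValueError("bad <port> element: %s" % ET.tostring(elem, encoding="unicode"))
        _check_port(spec)
        ports.add((proto, spec))
    return ports


def service_xml(short, description, ports):
    """Render a definition suitable for /etc/firewalld/services/<name>.xml."""
    for proto, spec in ports:
        if proto not in PROTOCOLS:
            raise ValueError("unsupported protocol %r" % proto)
        _check_port(str(spec))
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for proto, spec in sorted((p, str(s)) for p, s in ports):
        ET.SubElement(root, "port", protocol=proto, port=spec)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def write_service(path, xml_text):
    """Create the file 0640 (as the post recommends) and refuse to clobber an
    existing definition; on SELinux hosts run restorecon on it afterwards."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(xml_text)


if __name__ == "__main__":
    # apcupsd's NIS port, the service the post opens by hand with --add-port below
    print(service_xml("apcupsd", "apcupsd network information server (assumed description)",
                      [("tcp", 3551)]), end="")
```

<p>Write the output to /etc/firewalld/services/apcupsd.xml as root, run <code>firewall-cmd --reload</code> so firewalld picks up the new definition, and <code>--add-service=apcupsd</code> will then work like any stock service.</p>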
<p>Instead of making a new service, however, you can simply add ports to the configuration which might be easier. For instance, if I wanted to expose apcupsd but didn’t want to make a service I might do:</p>
<pre>
[root@thor dhcp]# firewall-cmd --zone=internal --add-port=3551/udp --permanent
success
[root@thor dhcp]# firewall-cmd --zone=internal --add-port=3551/tcp --permanent
success
[root@thor dhcp]# firewall-cmd --reload
success
[root@thor dhcp]# firewall-cmd --zone=internal --list-all
internal (default, active)
interfaces: enp2s0
sources:
services: dhcp dhcpv6-client dns http https ipp-client mdns samba-client ssh
ports: 3551/udp 3551/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
</pre>
<p>For further reading, I recommend:</p>
<ul>
<li> <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html"><span class="caps">RHEL</span> 7 Security Guide: Using Firewalls</a></li>
<li> <a href="http://www.certdepot.net/rhel7-get-started-firewalld/"><span class="caps">RHEL7</span>: How to get started with Firewalld</a></li>
</ul>
<p>In brief, managing the firewall is a little bit annoying to do this way compared to the old way of “vim /etc/sysconfig/iptables; service iptables restart” but I can understand why it’s done this way now. It’s quite modular and adaptable and allows you to make temporary changes to the firewall easily without having to know iptables commands. There are a lot of commands, and since firewalls tend not to be things you tinker with often, they may not be overly memorable (thus deciding to write this after my second time of doing it in as many weeks as I didn’t remember a darn thing).</p>Tell me your secrets2015-08-15T17:00:00-06:002015-08-15T17:00:00-06:00Vincent Danentag:annvix.com,2015-08-15:/blog/tell-me-your-secrets<iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/qr_peAIQU8k?rel=0" frameborder="0" allowfullscreen></iframe>
<p>It was a long day; my daughter got back from youth camp this afternoon, I got home from being in Raleigh at 2am, and we’re all beat. So we had some fun with the cat.</p>
<p>And now I just need to share it so I never forget. =)</p>Blocking ad networks with named2015-08-01T14:04:00-06:002015-08-01T14:04:00-06:00Vincent Danentag:annvix.com,2015-08-01:/blog/blocking-ad-networks-with-named<p>I’ve meant to do this for ages, so on my first day of my “staycation”, despite vowing to myself that I wouldn’t look at a computer screen this week (hey, it’s not actually the technical start of my week off is it?), I fiddled this morning with <span class="caps">BIND</span> to try and avoid seeing ads on my devices. While AdBlock works great on my browsers, that doesn’t transfer well to mobile devices and apps with built-in advertising, etc.</p>
<p>Unless you’re running your own <span class="caps">BIND</span> <span class="caps">DNS</span> server at home, you won’t be able to do this. Even with named running on your home network (as it is on mine), it only covers every device if you also block all outbound <span class="caps">DNS</span> at the firewall except from the named server itself; otherwise any device or app that talks to an outside resolver directly never sees the rewritten answers. I do this, which forces every machine on the network to use my <span class="caps">DNS</span> server, and that server in turn only forwards to OpenDNS. Without that restriction this won’t really work for you (at least not in the way that I’ve done it).</p>
<p>So this assumes some knowledge of <span class="caps">BIND</span> and networking. This is not so much a tutorial on how to configure <span class="caps">BIND</span> as it is some quick tips and shared info on what I did this morning.</p>
<p>First you need to setup a master zone. Mine looks like this:</p>
<pre>
zone "rpz.linsec.ca" {
type master;
file "master/rpz.linsec.ca.zone";
};
</pre>
<p><b><span class="caps">NOTE</span>:</b> You may also need the following in your <code>options</code> section, but I’m not 100% sure as it was there before:</p>
<pre>
response-policy {
zone "rpz.linsec.ca";
};
</pre>
<p>As with the zones for my local network, named treats whatever is in this file as authoritative, but it is the response-policy statement that turns it into a policy zone: named consults it before answering a client and rewrites any answer whose name matches one of its records, so without that statement the zone is merely authoritative for rpz.linsec.ca itself and nothing is blocked. A record of the form <code>name IN CNAME .</code> is the <span class="caps">RPZ</span> action that returns NXDOMAIN for that name. As an aside, you can use this to block entire domains (like youtube or facebook if you have kids at home staring at screens all day…); add both <code>example.com</code> and <code>*.example.com</code> records, since a name-based rule matches either the exact name or, with a wildcard, everything beneath it.</p>
<p>I then wrote a script which pulls data from <a href="http://mvpshostsnews.blogspot.ca/"><span class="caps">MVPS</span> Hosts</a>. Their data is meant to be put into a hosts file, but that means it would only work on a single machine and I’m trying to solve a multi-machine/mobile issue, not just a single computer. The script takes my rpz.linsec.ca.zone file, mashes in data from <span class="caps">MVPS</span> Hosts and creates a new file that we will use:</p>
<pre>
#!/bin/bash
# Rebuild the ad-blocking RPZ zone from the MVPS hosts list. Everything above
# the ";START ADHOSTS" marker in the zone file is kept; the rest is regenerated.
# Needs curl and dos2unix.
set -u
input=$(mktemp /tmp/mvps.hosts.XXXXXX)
output=$(mktemp /tmp/rpz.linsec.ca.zone.XXXXXX)
source="/etc/named/rpz.linsec.ca.zone"
trap 'rm -f "${input}" "${output}"' EXIT
# The SOA serial line in the zone looks like "2015080101 ; serial"
serial=$(grep serial "${source}" | awk '{print $1}')
n_serial="$(date +%Y%m%d)01"
if [ -z "${serial}" ]; then
    echo "no serial line found in ${source}" >&2
    exit 1
fi
# -f: an HTTP error leaves the file empty instead of filling it with an error page
curl -sf http://winhelp2002.mvps.org/hosts.txt >"${input}" || exit 1
dos2unix -o "${input}" >/dev/null 2>&1
# Refuse to replace the zone with a truncated download
lines=$(wc -l "${input}" | awk '{print $1}')
if [ "${lines}" -lt 10000 ]; then
    exit 1
fi
# Copy the hand-maintained part of the zone, up to the marker
cat "${source}" | while IFS= read -r line; do
    if [ "${line}" == ";START ADHOSTS" ]; then
        break
    fi
    echo "${line}" >>"${output}"
done
echo "" >>"${output}"
echo ";START ADHOSTS" >>"${output}"
# hosts.txt lines are "0.0.0.0 hostname"; "CNAME ." is the RPZ NXDOMAIN action
grep -v '^#' "${input}" | awk 'NF >= 2 {print $2}' | sort -u | while IFS= read -r hostname; do
    if [ "${hostname}" != "localhost" ]; then
        echo "${hostname} IN CNAME ." >>"${output}"
    fi
done
echo ";END ADHOSTS" >>"${output}"
# Replace the serial on its own line only, not every occurrence of the number.
# Two runs on the same day produce the same serial, so slaves would not
# transfer the second change; bump it by hand in that case.
sed -i "/serial/s/${serial}/${n_serial}/" "${output}"
cp -f "${output}" "${source}"
</pre>
<p>Note that you need curl and dos2unix installed. Everything else is fairly standard. The <span class="caps">MVPS</span> Hosts file seems to be updated monthly, so this is something you could add to a monthly cronjob or just run manually every once in a while; either way, tell named to reload the zone afterwards (<code>rndc reload rpz.linsec.ca</code>) or the new records will not take effect until named is next restarted. So far it seems to work pretty well over here. I had initially thought about writing something in python, but bash is just so much faster (for me).</p>
<p>Also, if you put things in your zone file before the “;<span class="caps">START</span> <span class="caps">ADHOSTS</span>” line they’ll be retained, so if you do want to block specific domains (you may want to block iadsdk.apple.com and qwapi.com if you don’t want to see iOS iAd ads) you still can, and take advantage of the <span class="caps">MVPS</span> Hosts list (if someone has a better list, I would love to see it).</p>
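<p>Since the idea was originally to do this in Python, here is that version as an added example (it is not the script above and not part of the post): it keeps everything above the “;<span class="caps">START</span> <span class="caps">ADHOSTS</span>” marker, rebuilds the blocklist below it, and handles the two things the shell version leaves to chance. Every hostname is lower-cased, de-duplicated and validated before it becomes an owner name, because a bad record can make named reject the whole zone file at load time (and with it every block rule), and the <span class="caps">SOA</span> serial is always increased, so running it twice in one day does not leave secondaries with a stale copy. The hosts lines and the zone header embedded in it are constructed sample input; the <span class="caps">SOA</span> and <span class="caps">NS</span> names are assumptions.</p>

```python
"""Build the RPZ blocklist zone from a hosts-format list, validating names and
always increasing the SOA serial."""
import re
from datetime import date

# Constructed sample of the hosts.txt format ("0.0.0.0 name [# comment]").
HOSTS_TXT = """# MVPS-style header comment
0.0.0.0 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET  # mixed case and a trailing comment
0.0.0.0 ads.example.com
0.0.0.0 bad_host.example
"""

# Constructed stand-in for the hand-maintained top of rpz.linsec.ca.zone
# (SOA/NS names assumed); the block below the marker is stale and gets rebuilt.
ZONE_HEADER = """$TTL 300
@ IN SOA ns.rpz.linsec.ca. hostmaster.rpz.linsec.ca. (
    2015080101 ; serial
    3600 900 604800 300 )
  IN NS ns.rpz.linsec.ca.
iadsdk.apple.com IN CNAME .
;START ADHOSTS
stale.example IN CNAME .
;END ADHOSTS
"""

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
SERIAL = re.compile(r"^\s*(\d+)\s*;\s*serial", re.M)
SKIP = {"localhost", "localhost.localdomain", "broadcasthost", "local"}


def valid_hostname(name):
    """Only legal DNS labels may become owner names in the zone."""
    return 0 < len(name) <= 253 and all(LABEL.match(label) for label in name.split("."))


def blocked_hostnames(hosts_text):
    """Unique, lower-cased hostnames from a hosts file, in first-seen order."""
    seen, names = set(), []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:  # a hosts line may list several names after the address
            name = name.lower().rstrip(".")
            if name in SKIP or name in seen or not valid_hostname(name):
                continue
            seen.add(name)
            names.append(name)
    return names


def next_serial(old, ymd=None):
    """YYYYMMDD01 for the given day (default today) unless the zone already
    carries a serial at least that large; then old + 1, so secondaries see an
    increase even on a second run in the same day."""
    ymd = ymd or date.today().strftime("%Y%m%d")
    candidate = int(ymd + "01")
    return candidate if candidate > old else old + 1


def build_zone(zone_text, hosts_text, ymd=None):
    """Return (new zone text, new serial). Everything above ;START ADHOSTS is
    kept verbatim apart from the serial; the blocklist below it is rebuilt."""
    head = zone_text.split(";START ADHOSTS", 1)[0]
    m = SERIAL.search(head)
    if not m:
        raise ValueError("no '<number> ; serial' line in zone header")
    serial = next_serial(int(m.group(1)), ymd)
    head = head[:m.start(1)] + str(serial) + head[m.end(1):]
    lines = [head.rstrip("\n"), "", ";START ADHOSTS"]
    # Owner names are relative to the zone origin; CNAME "." is RPZ's NXDOMAIN action.
    lines += ["%s IN CNAME ." % h for h in blocked_hostnames(hosts_text)]
    lines.append(";END ADHOSTS")
    return "\n".join(lines) + "\n", serial


if __name__ == "__main__":
    text, serial = build_zone(ZONE_HEADER, HOSTS_TXT)
    print(text, end="")
```

<p>To use it for real, read the current zone file and the downloaded hosts.txt into the two strings, write the result back over the zone file, and reload the zone with rndc as above.</p>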
<p>I hope this helps someone else out. Comments for improvement are welcome, this was a pretty quick-and-dirty script that, I’ll admit, does a few things oddly.</p>Our Response to the Majesty of God2015-06-14T08:27:00-06:002015-06-14T08:27:00-06:00Vincent Danentag:annvix.com,2015-06-14:/blog/our-response-to-the-majesty-of-god<p>The following is the transcript of what I spoke on at a Tuesday night at Christcity. A few people missed it and wanted to know what I spoke about, so I’m sharing it here. For those reading who may not “get it”, this was delivered to Christians. This isn’t a message to anyone else. There are a lot of “Christians” out there who were told a lie: That becoming a Christian is all about reserving a seat in Heaven and having God do “stuff” for you. That is part of it, absolutely, but that’s not the main thrust (or even really a large part) of what Christianity is about. That lie makes Christianity all about <b>you</b> (a selfish thing) when the reality is Christianity is all about <b>Jesus Christ</b> (a selfless thing).</p>
<p>I hope that this really encourages Christians to continue walking the path that Jesus set before us.</p>
<p><b>May 5, 2015:</b></p>
<p>I had initially wanted to speak about the awesome majesty of our God, as it is something that has been burning in my heart for months now. I believe God wants us to fully understand the greatness of who our King is, and He has been speaking this to us, as a church, through recent sermons and the exhortations of people like Julia and Don in the past weeks. I could certainly say much of the same tonight, but I want to speak about how we serve this majestic King and Lord, and how we express our love to Him.</p>
<p>The Bible says in John 14:15 (<span class="caps">AMP</span>):</p>
<blockquote>“If you [really] love Me, you will keep (obey) My commands.”</blockquote>
<p>And in John 14:21 (<span class="caps">AMP</span>):</p>
<blockquote>“The person who has My commands and keeps them is the one who [really] loves Me; and whoever [really] loves Me will be loved by My Father, and I [too] will love him and will show (reveal, manifest) Myself to him. [I will let Myself be clearly seen by him and make Myself real to him.]”</blockquote>
<p>So the question then becomes: do we love Him? Because Jesus clearly says that there is exactly one expression of love towards Him: to obey His commandments. Pop Christianity today would make God a common thing, one priority among many and that it’s ok to choose other things over God. This can be in many areas of our lives: time, talent, and finances (or tithes). Everything falls under these main areas. Every day we have many options of how to prioritize our time, how and where we use our God-given abilities and talents, and what we spend our money on. The world gives us many options on what to devote these things to.</p>
<p>These are important things to consider for three reasons. The first is that it all comes down to directing them towards one of two people: do we use these things for our God, or for ourselves?</p>
<p>The second is that these are all things given to us, and the Bible calls us stewards or managers of the things God has given us. So if we believe these things are given to us, by God, and we are stewards of them, then they don’t belong to us and we are not owners but simply managers. So I ask you: How is our stewardship?</p>
<p>Lastly, do we use these things in the light of Eternity, knowing that our existence on this planet is the blink of an eye or a drop in the ocean, and also keeping in mind that it is the only blink that counts and it is the single drop that defines what the rest of the ocean looks like?</p>
<p>These are sobering thoughts indeed. We need to understand that it isn’t just what we say that matters. God considers our words, our actions, and our motives. All three need to line up. The Bible has some very interesting things to say:</p>
<p>Jeremiah 17:10 <span class="caps">NLT</span>-<span class="caps">SE</span>:</p>
<blockquote>“But I, the <span class="caps">LORD</span>, search all hearts and examine secret motives. I give all people their due rewards, according to what their actions deserve.”</blockquote>
<p>James 2:14–17 <span class="caps">NLT</span>-<span class="caps">SE</span>:</p>
<blockquote>“What good is it, dear brothers and sisters, if you say you have faith but don’t show it by your actions? Can that kind of faith save anyone? Suppose you see a brother or sister who has no food or clothing, and you say, “Good-bye and have a good day; stay warm and eat well” —but then you don’t give that person any food or clothing. What good does that do?
So you see, faith by itself isn’t enough. Unless it produces good deeds, it is dead and useless.”</blockquote>
<p>Titus 1:16 <span class="caps">HCSB</span>:</p>
<blockquote>“They profess to know God, but they deny Him by their works. They are detestable, disobedient, and disqualified for any good work.”</blockquote>
<p>1 John 3:16–18 <span class="caps">HCSB</span>:</p>
<blockquote>“This is how we have come to know love: He laid down His life for us. We should also lay down our lives for our brothers. If anyone has this world’s goods and sees his brother in need but closes his eyes to his need—how can God’s love reside in him?
Little children, we must not love with word or speech, but with truth and action.”</blockquote>
<p>This is just a sampling of what the Bible says about our actions and motives. God demonstrated His love to us by His actions: He sent His only Son, who had existed with Him for eternity, to earth, to teach us and then bear the full weight of God’s wrath against sin, God’s wrath that belonged to each of us. He interrupted a relationship that had existed for Eternity <i>before</i> us, so that He could have a relationship in Eternity <i>with</i> us. God did this for you, and He did this for me.</p>
<p>If we understand that God loves us this much, then it’s not too much of a stretch to suggest that we owe God a debt we can never repay. The great thing is that we don’t have to repay it! God did not set out a number of homeless people we needed to feed, or a number of people we needed to bring to church, or a number of times we needed to read the Bible. He didn’t give us a set of rules to keep, He gave us a lifestyle to live and a Saviour to accept as our own and devote our entire being to.</p>
<p>Galatians 2:20 (<span class="caps">NKJV</span>) says:</p>
<blockquote>“I have been crucified with Christ; it is no longer I who live, but Christ lives in me; and the life which I now live in the flesh I live by faith in the Son of God, who loved me and gave Himself for me.”</blockquote>
<p>This lifestyle includes loving God fully, which we’ve seen is demonstrated by keeping His commandments. This is the lifestyle. This new life we’ve received in Christ is not about us. The old life, the sinful life, was about us. This new life is all about Christ. We are second to Him.</p>
<p>If we believe this, if we believe the Bible, if we believe the Truth that the Holy Spirit, the Spirit of Truth, places into our hearts and haven’t hardened ourselves to Him, then we know that coming to church is not a chore, or a duty, or something common. We have the privilege of being in the Presence of the King of kings! The Uncreated God of the universe desires the privilege of spending time with us in His House! Giving our tithes in a Biblical way is easy. If we believe that we are stewards of that money and God has given it to us then we should never look at it as giving 10% back to God. We should always look at it as God graciously giving us the 90% to do with as we want or need and that 10% returned is simply a way to tangibly demonstrate our gratitude and thankfulness for the rest, and our obedience to His commands. Proper tithing proves our obedience to God and don’t think for a second that God doesn’t know how to count! Giving less demonstrates that we still put ourselves first.</p>
<p>If our time is likewise a gift from God, then we need to use it in a way that glorifies Him and advances eternity. Do we show God gratitude for the time He has given us by “tithing” back our time and helping our “neighbour” (meaning everyone)? Do we show God gratitude for the Church He has given to us and pour our time into it – not just for ourselves, but for others? We need to realize that we don’t just come to church for our own benefit, but when we place ourselves here with a proper attitude of humility and reverence before God, He can use us to bless others around us. And most importantly, when we come to church, we need to view it for what it really is: we are entering the Presence of Almighty God and ministering to Him. Our praise, thanksgiving, worship, and prayers are our ministry before the Throne of God.</p>
<p>I challenge you tonight to be like David and Isaiah, every day, and see what God does with you.</p>
<p>Psalms 51:10 (<span class="caps">NKJV</span>) says:</p>
<blockquote>“Create in me a clean heart, O God, And renew a steadfast spirit within me.”</blockquote>
<p>And Isaiah 6:8 (<span class="caps">NKJV</span>) says:</p>
<blockquote>“Also I heard the voice of the Lord, saying: “Whom shall I send, And who will go for Us?” Then I said, “Here am I! Send me.””</blockquote>
<p>Do we have the courage to stand and say the same?</p>Custom Email Notifications in GitLab2015-01-07T10:44:00-07:002015-01-07T10:44:00-07:00Vincent Danentag:annvix.com,2015-01-07:/blog/custom-email-notifications-in-gitlab<p>I started playing around with GitLab last month in order to get to know it better and, while I like it well enough, the one thing that drove me nuts was the email that it sent out alerting of changes. My old git setup used the wonderful <a href="http://www.icir.org/robin/git-notifier/">git-notifier</a> script to send out emails and I <i>much</i> prefer the format it used to the format GitLab uses. Unfortunately, at that time, without ponying up for the enterprise edition it didn’t look feasible to change without some serious work that I didn’t have the time or effort to invest.</p>
<p>Yesterday I was looking at the latest version (7.6.2) and noticed the community edition support for <a href="http://doc.gitlab.com/ce/hooks/custom_hooks.html">custom hooks</a>. After upgrading, I fiddled with it and git-notifier to try to make the two work well together. With a little elbow-grease (git-notifier works well with straight git repos or gitolite) I got it to work, although it is a bit of a nuisance because, with regular git or gitolite, you can get some information from the repo exposed via the calling scripts and environment that does not seem to be present in GitLab.</p>
<p>If you follow the instructions on the custom hooks document referenced above, you’ll end up with something along the lines of /var/opt/gitlab/git-data/repositories/<group>/<project>.git/custom_hooks (in my case it is /srv/git-data/repositories/<group>/<project>.git/custom_hooks). In this directory (which must be owned git:git, including all its contents) lives a post-receive script which looks like:</p>
<pre>
#!/bin/bash
# post-receive: pass the ref updates git supplies to git-notifier, along with
# the repository details GitLab does not export in the hook's environment.
# (pushd/popd are bash builtins, hence #!/bin/bash rather than /bin/sh.)
repo_name="mygroup/myrepo"
base_dir="/srv/git-data/repositories"
git_host="gitlab.myhost.com"
send_from="mailer@myhost.com"
send_to="commits@myhost.com"
pushd "${base_dir}/${repo_name}.git" >/dev/null 2>&1 || exit 1
# ssh:// URLs take the path after a slash; "host:path" is only valid in the scp-like form
/srv/git-hooks/git-notifier "$@" --link="http://${git_host}/${repo_name}/commit/%s" --sender="${send_from}" \
    --mailinglist="${send_to}" --repouri="ssh://git@${git_host}/${repo_name}.git" --emailprefix="[git/%r]"
popd >/dev/null 2>&1
</pre>
<p>I have git-notifier in a directory called /srv/git-hooks and it’s owned root:root and mode 0755. This will tell git-notifier to send an email to the $send_to address, from the $send_from address, and defines a few things like the repository itself and the host (all things that would normally be exposed via the environment in a git or gitolite setup but are lacking with GitLab). But this can be used as a template and the only thing you should have to change is the value of $repo_name (everything else can be the same unless you need to define them differently per-repo or per-group).</p>
<p>The downside to this is that you need shell access to set it up, which may prove troublesome for larger installations or shared environments. For a personal or work environment this is probably an ok requirement. Make sure that you disable the “Emails on push” service for the repository in GitLab or you’ll get both the stock GitLab commitdiff email and git-notifier’s email.</p>
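<p>The repository name does not actually have to be hard-coded per repo. git changes into the repository directory before running any hook (see githooks(5)), so a hook can work the name out from its own working directory, and the ref updates themselves arrive on the hook’s standard input as “old-sha new-sha refname” lines. The following is an added example (not the post’s script and not part of git-notifier or GitLab) showing both pieces in Python: it parses those lines, classifies each update as a branch or tag being created, deleted or updated, and derives “group/project” from the path under base_dir. The base directory and the sample ref lines are constructed for the example, and it assumes GitLab’s hook wrapper has not changed the working directory before calling custom_hooks.</p>

```python
"""Helpers for a GitLab custom post-receive hook: parse the ref updates git
writes to the hook's stdin and derive the repository name from the directory
git runs the hook in (githooks(5): hooks run from $GIT_DIR in a bare repo)."""
import os
import re
import sys

ZERO_SHA = "0" * 40  # git's "no object" id: old for a new ref, new for a deleted one
SHA_RE = re.compile(r"[0-9a-f]{40}")


def parse_ref_updates(lines):
    """Turn post-receive stdin lines ("<old> <new> <refname>") into dicts."""
    updates = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split()
        if len(parts) != 3 or not (SHA_RE.fullmatch(parts[0]) and SHA_RE.fullmatch(parts[1])):
            raise ValueError("malformed post-receive line: %r" % raw)
        old, new, ref = parts
        if old == ZERO_SHA:
            action = "create"
        elif new == ZERO_SHA:
            action = "delete"
        else:
            action = "update"
        if ref.startswith("refs/heads/"):
            kind, short = "branch", ref[len("refs/heads/"):]
        elif ref.startswith("refs/tags/"):
            kind, short = "tag", ref[len("refs/tags/"):]
        else:
            kind, short = "other", ref
        updates.append({"old": old, "new": new, "ref": ref, "short": short,
                        "kind": kind, "action": action})
    return updates


def repo_name_from_dir(repo_dir, base_dir):
    """'/srv/git-data/repositories/mygroup/myrepo.git' -> 'mygroup/myrepo'."""
    repo_dir, base_dir = os.path.realpath(repo_dir), os.path.realpath(base_dir)
    rel = os.path.relpath(repo_dir, base_dir)
    if rel == os.curdir or rel.split(os.sep)[0] == os.pardir:
        raise ValueError("%s is not a repository under %s" % (repo_dir, base_dir))
    if not rel.endswith(".git"):
        raise ValueError("not a bare repository directory: %s" % repo_dir)
    return rel[:-len(".git")].replace(os.sep, "/")


def summarize(lines, repo_dir, base_dir="/srv/git-data/repositories"):
    """One line per ref update, prefixed like the post's [git/<repo>] subjects.
    base_dir is the assumed GitLab repositories directory from the post."""
    name = repo_name_from_dir(repo_dir, base_dir)
    return ["[git/%s] %s %s %s %s..%s" % (name, u["action"], u["kind"], u["short"],
                                           u["old"][:7], u["new"][:7])
            for u in parse_ref_updates(lines)]


if __name__ == "__main__":
    # As a hook: git has already chdir'ed into the bare repository.
    for line in summarize(sys.stdin, os.getcwd()):
        print(line)
```

<p>Dropped into custom_hooks as post-receive it prints one summary line per pushed ref; the same two functions give a notifier everything the post had to hard-code in repo_name.</p>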
<p>I’m extremely grateful for those who contributed this support to GitLab as it means I spent a lot less time dorking around with this than I would have had I done it all myself, and while it was a bit of a nuisance to setup, it works quite well and I’m back to getting my old style of email notifications which are much more useful (for one thing, GitLab seems to have an upper size limit and if that is exceeded it sends no mail at all, whereas git-notifier will send you a list of changed files without the actual diff… a much more useful and meaningful email than sending nothing at all (if you look at git-notifier’s changelog you’ll see that was contributed by me in version 0.3-18, almost 2.5 years ago… that’s how long I’ve been using git-notifier)).</p>
<p>I wish I could contribute some sane code back to git-notifier to support GitLab, but without GitLab exposing things like the repository name or committer name to the environment I don’t think it would be possible unless I’ve missed something non-obvious.</p>SSL Certificate Verification failure with fink’s Python 2.7.92015-01-06T23:50:00-07:002015-01-06T23:50:00-07:00Vincent Danentag:annvix.com,2015-01-06:/blog/ssl-certificate-verification-failure-with-finks-python-2-7-9<p><a href="https://www.python.org/downloads/release/python-279/">Python 2.7.9 was released</a> nearly a month ago and with it came some <span class="caps">SSL</span>-related changes: it backported the Python 3.4 ssl module and now validates <span class="caps">HTTPS</span> certificates by default, against the <span class="caps">CA</span> store known to the OpenSSL it was built with. The latter can cause some problems with home-grown <span class="caps">CA</span>s, however. On Mac <span class="caps">OS</span> X, the system <span class="caps">CA</span> certificate store is in the Keychain Access application, which isn’t exposed to commandline tools like Python. This will cause <span class="caps">HTTPS</span> certificate validation to fail because Python doesn’t know anything about the <span class="caps">CA</span> certificate used to sign the certificate being used by a <span class="caps">HTTPS</span> server.</p>
<p>If you’re using the system OpenSSL, supposedly you can export the <span class="caps">CA</span>’s of interest to the /System/Library/OpenSSL/cert.pem file (untested). I use fink and fink’s OpenSSL does not seem to use this directory. Instead it uses /sw/etc/ssl/ and if you install fink’s ca-bundle package you will have a stock /sw/etc/ssl/certs/ca-bundle.crt file which presumably works with some applications. This file can be replaced with an updated <span class="caps">CA</span> bundle containing the <span class="caps">CA</span> certificate that is used to sign the service(s) you want to connect to.</p>
<p>However, replacing that file is not enough. If you upgrade to Python 2.7.9 in fink and make that change, you will still see this annoying error:</p>
<pre>
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
</pre>
<p>when attempting to connect to a site using a certificate signed by a non-stock <span class="caps">CA</span>. Note that prior to 2.7.9, Python did not do this <span class="caps">CA</span> validation so you would not see this error until upgrading to 2.7.9.</p>
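<p>What changed is not that Python grew a certificate store of its own, but that it now verifies by default, using whatever the OpenSSL it was built against knows about. Where that is can be asked rather than guessed, and a single program can be pointed at a bundle without replacing the one every other tool uses. The following is an added example, not from the post: it reports the default <span class="caps">CA</span> file and directory (and the SSL_CERT_FILE / SSL_CERT_DIR variables that override them for one process), builds a context that keeps chain and hostname verification on while loading a bundle of your choice, and fails loudly if the bundle path is wrong instead of silently verifying nothing. It is written for Python 3 (the ssl calls it uses exist in 2.7.9 as well); the <span class="caps">URL</span> and bundle path are taken from the command line and environment rather than assumed.</p>

```python
"""Where Python's ssl module looks for CA certificates, and how to point one
program at a custom bundle without replacing the system-wide one."""
import os
import ssl
import urllib.request


def ca_search_locations():
    """Default CA file/dir of the OpenSSL this interpreter was built against,
    plus the environment variables that override them for a single process."""
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.openssl_cafile,          # normally <OPENSSLDIR>/cert.pem
        "capath": paths.openssl_capath,          # normally <OPENSSLDIR>/certs
        "cafile_env": paths.openssl_cafile_env,  # "SSL_CERT_FILE"
        "capath_env": paths.openssl_capath_env,  # "SSL_CERT_DIR"
        "cafile_exists": bool(paths.openssl_cafile and os.path.exists(paths.openssl_cafile)),
    }


def verifying_context(cafile=None):
    """A client context with chain and hostname verification on. With cafile
    the given bundle is used instead of the defaults, for this context only;
    a wrong path raises FileNotFoundError rather than quietly verifying nothing."""
    ctx = ssl.create_default_context(cafile=cafile)
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("verification is unexpectedly disabled")
    return ctx


def fetch_status(url, cafile=None, timeout=10):
    """HTTP status for url; an untrusted chain raises ssl.SSLCertVerificationError
    (the CERTIFICATE_VERIFY_FAILED error from the post) instead of returning."""
    with urllib.request.urlopen(url, context=verifying_context(cafile), timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    import sys
    for key, value in sorted(ca_search_locations().items()):
        print("%-14s %s" % (key, value))
    # e.g. CA_BUNDLE=/sw/etc/ssl/certs/ca-bundle.crt python3 cacheck.py https://host/
    if len(sys.argv) > 1:
        print(fetch_status(sys.argv[1], cafile=os.environ.get("CA_BUNDLE")))
```

<p>Run it with no arguments to see where your interpreter looks (on a fink system the cafile entry is the /sw/etc/ssl/cert.pem path the symlink below creates); with a <span class="caps">URL</span> and CA_BUNDLE set in the environment it checks one site against your bundle without touching cert.pem at all.</p>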
<p>The fix is quite simple. OpenSSL’s compiled-in default <span class="caps">CA</span> file is cert.pem in its configuration directory (/sw/etc/ssl for fink’s build), and that is where Python’s ssl module looks when no <span class="caps">CA</span> file is given explicitly. So put your new ca-bundle.crt file in place as noted above, and then, as root, symlink it to /sw/etc/ssl/cert.pem:</p>
<pre>
# cd /sw/etc/ssl
# ln -s certs/ca-bundle.crt cert.pem
</pre>
<p>Now when using Python 2.7.9 (on a fink-using system) you will be able to connect to those sites and avoid the “certificate verify failed” error noted above.</p>Merry Christmas 2014!2014-12-23T08:00:00-07:002014-12-23T08:00:00-07:00Vincent Danentag:annvix.com,2014-12-23:/blog/merry-christmas-2014<p>I just wanted to wish everyone a Merry Christmas and Happy New Year, from my family to yours. My wife found the most awesome card for my teammates at work and it is just too good not to share with everyone — for those who are programmers or into <span class="caps">IT</span>, this is perhaps one of the most fitting cards for our industry. =)</p>
<p>God bless you all and my prayer for each and every person reading this is that this year has been good, but that next year will be even better!</p>
<p><center><img class="img-responsive" src="/static/uploads/atleasttheywork.jpg" /></center></p>
Bible Study 2014-11-16 2014-11-19T20:00:00-07:00 Vincent Danen tag:annvix.com,2014-11-19:/blog/bible-study-2014-11-16
<p>We’ve started a Bible study at the church so I’m going to just share some of the thoughts and scriptures that we look at each week. This is our first week and the topic was <i>What does it mean to be a Christian?</i> The first thing we looked at was the Apostles Creed and the Nicene Creed, both of which <a href="http://linsec.ca/blog/2014/09/11/christian-statements-of-faith/">we’ve looked at here before</a>. I’m going to include the scripture we looked at and add emphasis to them, so when you see anything in bold those were the key phrases in the text we were looking at.</p>
<blockquote>“Therefore, when many of His disciples heard this, they said, “<b>This teaching is hard!</b> Who can accept it?”
Jesus, knowing in Himself that <b>His disciples</b> were complaining about this, asked them, “<b>Does this offend you?</b> Then what if you were to observe the Son of Man ascending to <b>where He was before</b>? The Spirit is the One who gives life. The flesh doesn’t help at all. The words that I have spoken to you are spirit and are life. But there are some among you who don’t believe.” (For Jesus knew from the beginning those who would not believe and the one who would betray Him.) He said, “This is why I told you that no one can come to Me unless it is granted to him by the Father.”
<b>From that moment many of His disciples turned back and no longer accompanied Him</b>. Therefore Jesus said to the Twelve, “You don’t want to go away too, do you?”
Simon Peter answered, “Lord, who will we go to? You have the words of eternal life. We have come to believe and know that You are the Holy One of God!””
(John 6:60–69 <span class="caps">HCSB</span> (emphasis mine))</blockquote>
<p>This passage in John took place shortly after Jesus fed the 5000 (John 6:1). After Jesus did a miracle and fed their bodies (their flesh, their natural and material hungers), they wanted to make Him their king, in an aim to displace the Roman authority that ruled over the Jews (John 6:15). The Jews at that time viewed Messiah as one who would come and free them from the tyranny of the Romans; they thought He would be a <i>political</i> authority rather than a <i>spiritual</i> authority. Jesus left them when He realized what it was they wanted to do because He did not come to set up an earthly kingdom — that wasn’t the point of His coming.</p>
<p>In this passage, the reference to “His disciples” is not to the 12 who would later be the apostles. Jesus, to that time, had many disciples — people who followed Him and wanted to learn what He was teaching. When these disciples, and the 5000 men (and probably at least another 5000 women and children) finally caught up to Him again, Jesus recognized they were looking for the food He could provide to their bodies more than the food He could provide for their spirits. He called them out on it in John 6:26-27 and He followed this with the “hard teaching” which Jesus gave, indicating that He was the bread of life and that He had come down from heaven and described His mission to humankind (eternal life). These people didn’t want to hear any of this, they simply wanted a free meal and someone who would provide for them materially. So His words offended them and many deserted Him.</p>
<p>Unfortunately, this is what a lot of Christians in North America do today: we sell Jesus as a provider of free lunches (“He will bless you!” or “Your life will be so good!” and so on) and yet we never mention the <i>cost</i> of what it is to follow Jesus. It would serve some Christians well to pay attention to this… Jesus didn’t sell Himself cheap, and He didn’t chase after those who left. Jesus laid it out for them straight, and they found the teaching hard because it wasn’t what they were looking for and they didn’t understand.</p>
<p><span class="caps">C.S.</span> Lewis defines Christianity as this, in his book “Mere Christianity”:</p>
<blockquote>“Now the whole offer which Christianity makes is this: that we can, if we let God have His way, come to share in the life of Christ. If we do, we shall then be sharing a life which was begotten, not made, which always existed and always will exist. Christ is the Son of God. If we share in this kind of life we also shall be sons of God. We shall love the Father as He does and the Holy Ghost will arise in us. He came to this world and became a man in order to spread to other men the kind of life He has — by what I call “good infection.” Every Christian is to become a little Christ. The whole purpose of becoming a Christian is simply nothing else.”</blockquote>
<p>While “Christian” does not necessarily mean “little Christ”, I find it works quite well. Truthfully, a number of commentators agree that “Christian” most likely started off as a derogatory term that would mean “follower of Christ” or “slave of Christ”, both of which are not at all derogatory and really quite apt descriptions. At any rate, our next few passages set out the call to be like (to imitate) Christ — in a sense to become “little Christs”. In fact, Paul states:</p>
<blockquote>“Therefore I urge you to <b>imitate me</b>.”
(1 Corinthians 4:16 <span class="caps">HCSB</span> (emphasis mine))</blockquote>
<blockquote>“<b>Imitate me</b>, as I also <b>imitate Christ</b>.”
(1 Corinthians 11:1 <span class="caps">HCSB</span> (emphasis mine))</blockquote>
<p>The Greek word <i>exakoloutheo</i> means to follow out, to obey, or yield to. Paul is urging the Corinthian church to imitate him as he imitates Christ, or to follow him as he follows Christ. We as Christians are called to live a life of imitation (of Christ), to be true disciples who see and do what our teacher shows us and asks of us. Jesus is the standard that we set before us, which is why it pains me (and should pain all true Christians) to see people who claim to bear the name of Christ acting in ways He never acted or saying things that He would never say. I suppose this could be because they are unfamiliar with what Jesus asks of us, or with how He would act in a given situation. While all of this is clearly found in the Bible, too many people think the Bible unnecessary and don’t bother to even crack open the book. This is why Paul made the following statement:</p>
<blockquote>“Remind them of these things, charging them before God <b>not to fight about words</b>; this is in no way profitable and leads to the ruin of the hearers. Be diligent to <b>present yourself <i>approved</i> to God</b>, a worker who doesn’t need to be ashamed, <b>correctly teaching</b> the word of truth. But avoid irreverent, empty speech, for this will produce an even greater measure of godlessness. And their word will spread like gangrene; Hymenaeus and Philetus are among them. They have <b>deviated from the truth</b>, saying that the resurrection has already taken place, and are overturning the faith of some. Nevertheless, God’s solid foundation stands firm, having this inscription:
The Lord knows those who are His, and <b>Everyone who names the name of the Lord must turn away from unrighteousness</b>.”
(2 Timothy 2:14–19 <span class="caps">HCSB</span> (emphasis mine))</blockquote>
<p>The King James says:</p>
<blockquote>“<b>Study</b> to shew thyself approved unto God, a workman that needeth not to be ashamed, rightly dividing <b>the word of truth</b>.”
(2 Timothy 2:15 <span class="caps">KJV</span> (emphasis mine))</blockquote>
<p>Paul is talking about studying the Word of God, the result of which is approval from God. This is the only way that God can trust us to know His Will and it is the only way that we can imitate Christ: by reading the Bible to see what it is that we are to imitate. Paul doesn’t call us to just imitate random people; he calls us to imitate people who themselves are imitating Christ — the end result is that we too will imitate Christ. The other point here is that we need to study so as to prevent ourselves from being led astray and also preventing ourselves from leading <i>others</i> astray. There is a great responsibility and accountability on those who teach the Word of God, so I fear for those who profess to teach “the Word of God” and don’t read or study it. They are certainly not approved to God! And they are those of whom Paul also speaks:</p>
<blockquote>“But I fear that, as the serpent <b>deceived</b> Eve by his cunning, <b>your minds may be <i>seduced</i> from a complete and pure devotion to Christ</b>. For if a person comes and preaches <b>another Jesus</b>, whom we did not preach, or you receive a <b>different spirit</b>, which you had not received, or a <b>different gospel</b>, which you had not accepted, you <b>put up with it</b> splendidly!”
(2 Corinthians 11:3–4 <span class="caps">HCSB</span> (emphasis mine))</blockquote>
<p>Paul clearly warns against false teachers who teach a different Jesus than the resurrected Jesus the apostles teach, or a different gospel than the gospel of Christ Jesus. In an almost mocking/sarcastic tone he says “You put up with it <i>splendidly</i>!”, as if they never even questioned it or compared it to what they had already been taught and knew. Deceptive teaching is a very real danger — it was then, and it still is today.</p>
<blockquote>“I am amazed that you are <b>so quickly</b> turning away from Him who called you by the grace of Christ and are <b>turning to a different gospel</b>— not that there is another gospel, but there are some who are troubling you and want to <b>change the good news</b> about the Messiah. <b>But even if we or an <i>angel from heaven</i> should preach to you a gospel other than what we have preached to you, a curse be on him!</b> As we have said before, I now say again: If anyone preaches to you a gospel contrary to what you received, a curse be on him!”
(Galatians 1:6–9 <span class="caps">HCSB</span> (emphasis mine))</blockquote>
<p>What is most disturbing about the above passage that Paul writes to the Galatians is that this very same thing is evident today. We have major religions today that were delivered by “an angel from heaven”: Mormonism and Islam. In Mormonism, the angel “Moroni” delivered the plates of the Book of Mormon to Joseph Smith and while the Book of Mormon claims that the Gospel is true, it was corrupted (something which has not been proven scientifically despite many critical attempts to do so). So while Mormons are to read the Bible, the Book of Mormon is considered superior, as Joseph Smith said: “I told the brethren that the Book of Mormon was the most correct of any book on earth, and the keystone of our religion, and a man would get nearer to God by abiding by its precepts, than by any other book.”<sup><a href="#fn1" id="ref1">1</a></sup>. This book was delivered by an angel and taught a different gospel!</p>
<p>Interestingly, the same is true of Islam, for Muhammad claimed that the Quran was delivered to him by the angel Gabriel<sup><a href="#fn2" id="ref2">2</a></sup>. The similarities between Islam and Mormonism are far more than just that they were delivered to their respective prophets by angels. One other similarity is they both claim that the Bible (or more specifically the Gospel and the Torah) were, in their “uncorrupted” form, the Word of God and both the Quran and the Book of Mormon are further/final revelations of God to earth (see Surat ‘Āli `Imrān 3:3<sup><a href="#fn3" id="ref3">3</a></sup> and the <span class="caps">LDS</span> web site topic on the Bible<sup><a href="#fn4" id="ref4">4</a></sup>).</p>
<p>Finally, to wrap up, our final scripture which also talks about deceptive teachings:</p>
<blockquote>“If anyone teaches <b>other doctrine</b> and <b>does not agree</b> with the sound teaching of our Lord Jesus Christ and with the <b>teaching that promotes godliness</b>, he is conceited, understanding nothing, but has a sick interest in <b>disputes and arguments over words</b>. From these come envy, quarreling, slander, evil suspicions, and constant disagreement among people whose minds are depraved and deprived of the truth, <b>who imagine that godliness is a way to material gain</b>.”
(1 Timothy 6:3–5 <span class="caps">HCSB</span> (emphasis mine))</blockquote>
<p>While the point of the Bible study was not to poke at other religions, they were used as examples as to why it is so important to study and know the Bible so that when these other doctrines and “gospels” come about, or even when preachers are preaching from the pulpit, Christians who have the Word of God written on their hearts will know the truth. The hope is that we will recognize the lack of truth in others, but also recognize any lack of truth in our own words and actions which contradict the example Jesus set before us to follow.</p>
<p><small>
<ul>
<li><sup id="fn1">1.</sup> <a href="https://www.lds.org/scriptures/bofm/introduction">Book of Mormon: Introduction</a></li>
<li><sup id="fn2">2.</sup> <a href="http://www.islamreligion.com/articles/2652/viewall/">The Story of the Quran (part 1 of 4): God’s Final Revelation</a></li>
<li><sup id="fn3">3.</sup> <a href="http://quran.com/3/1-5">Surat ‘Āli `Imrān 3:1-5</a></li>
<li><sup id="fn4">4.</sup> <a href="https://www.lds.org/topics/bible?lang=eng"><span class="caps">LDS</span>: Bible</a></li>
</ul>
</small></p>
Using Romans 14 to improperly defend “Christian freedom” 2014-11-01T23:00:00-06:00 Vincent Danen tag:annvix.com,2014-11-01:/blog/using-romans-14-to-improperly-defend-christian-freedom
<p>Full disclosure: I have not and will not participate in Halloween, and I personally do not believe that Christians should. And while this posting talks about Halloween, it’s not <i>about</i> Halloween itself. It’s about misinterpreting scripture to suit your own desires.</p>
<p>The scripture in question is Romans 14:</p>
<blockquote>“Receive one who is weak in the faith, but not to disputes over doubtful things. For one believes he may eat all things, but he who is weak eats only vegetables. Let not him who eats despise him who does not eat, and let not him who does not eat judge him who eats; for God has received him. Who are you to judge another’s servant? To his own master he stands or falls. Indeed, he will be made to stand, for God is able to make him stand.
One person esteems one day above another; another esteems every day alike. Let each be fully convinced in his own mind. He who observes the day, observes it to the Lord; and he who does not observe the day, to the Lord he does not observe it. He who eats, eats to the Lord, for he gives God thanks; and he who does not eat, to the Lord he does not eat, and gives God thanks. For none of us lives to himself, and no one dies to himself. For if we live, we live to the Lord; and if we die, we die to the Lord. Therefore, whether we live or die, we are the Lord’s. For to this end Christ died and rose and lived again, that He might be Lord of both the dead and the living. But why do you judge your brother? Or why do you show contempt for your brother? For we shall all stand before the judgment seat of Christ. For it is written: “As I live, says the <span class="caps">LORD</span>, Every knee shall bow to Me, And every tongue shall confess to God.”
So then each of us shall give account of himself to God.”
(Romans 14:1–12 <span class="caps">NKJV</span>)</blockquote>
<p>This scripture was quoted in reference to a Christian handing out candy at Halloween, and why they believe it’s acceptable. To them, Halloween is not about celebrating darkness and witchcraft, it’s about celebrating children and candy. They are interpreting the scripture above to say “it’s fine for me to participate in Halloween because I get to interact with my neighbours, as a Christian I can hand out the best candy with the biggest smile on my face and don’t judge me because I choose to do so (“eat all things”) whereas you refrain from participating in Halloween (“only eat vegetables”) and I have the freedom in Christ do so because I’m doing it for the kids”.</p>
<p>The problem with that kind of thinking (paraphrased above) is that it doesn’t account for the context of the scripture quoted. Paul isn’t talking about certain tastes in food (“I like beef and you like chicken — don’t judge me for liking beef!”). He’s not even referring to the Jewish custom of not eating certain foods (such as pork). Rather, he’s talking about food sacrificed to idols. The food in question was for sale on the market after it had been sacrificed to idols, and people would buy it from the market, knowing its origin, take it home and eat it. Some Christians thought that the very act of eating this food that had previously been sacrificed to idols meant they were partaking in idolatry (which is something that Christians would very much want to avoid). For some Christians, this was a very real problem and they would not want to be seen as being partakers in the practice, while others looked at it for what it was: food to be eaten. Give thanks to God for the food, and eat, regardless of where it came from.</p>
<p>There is a definite problem with using this scripture to back the practice of Christians partaking in Halloween, and it’s very much the “apples vs oranges” problem.</p>
<p>Primarily, you cannot compare the act of handing out candy in the same light as eating food sacrificed to idols. They are two very different stages in a somewhat similar process. Rather, you need to compare eating this kind of food to eating the candy procured through Halloween activities. So the question of eating meat versus eating vegetables is the same as whether or not you should eat candy given to you that someone <i>else</i> obtained while out trick-or-treating versus refusing to eat it (because of the association to Halloween). In other words, if my neighbour comes over the day after Halloween and offers me some of the candy they collected the night before, I have to ask myself this: Does eating this candy make me a participator in the festivities or not?</p>
<p>Now, the act of handing out candy to children or taking your children out to collect candy from others can’t be compared in the same way. If we look at participation in Halloween as the sensitive issue today, then the sensitive issue when Romans 14 was written is the sacrificing to idols. Perhaps it would be better to compare the <i>participation</i> in either activity rather than the participation in one to the end result of the other. Paul never compared the sacrificing of food to idols with the eating of this food. For a Christian it would be a no-brainer: You don’t sacrifice anything to idols. So the <i>participation</i> is not the focus because the answer is an unequivocal <b><span class="caps">NO</span></b>. Should that not be the same with this holiday originating in paganism and celebrated as the third most important day for Satanists today according to the Satanic Bible<sup><a href="#fn1" id="ref1">1</a></sup>?</p>
<p>The question of whether or not to partake of the treats obtained by <i>others</i> who participated in Halloween should be the “freedom” that Christians need to think about and can use Romans 14 as a frame of reference. You cannot use Romans 14 for the question of participation. Instead, you should be using what Paul wrote to the Corinthians:</p>
<blockquote>“Do not be unequally yoked together with unbelievers. For what fellowship has righteousness with lawlessness? <b>And what communion has light with darkness? And what accord has Christ with Belial?</b> Or what part has a believer with an unbeliever? And what agreement has the temple of God with idols? For you are the temple of the living God. As God has said: “I will dwell in them And walk among them. I will be their God, And they shall be My people.””
(2 Corinthians 6:14–16 <span class="caps">NKJV</span> (emphasis mine))</blockquote>
<p>I think this passage of scripture is the more appropriate question with some very definite answers. There is nothing remotely Christian about Halloween and lame attempts to “Christianize” it to things like “Harvest Festival” are silly and were previously done — in fact, the Catholic Church tried to Christianize Samhain to Halloween (or All Hallow’s Eve) in the first place<sup><a href="#fn2" id="ref2">2</a></sup>. Personally, I think they should have left well enough alone, like we should today.</p>
<p>Participating in Samhain<sup><a href="#fn3" id="ref3">3</a></sup> is something that, in my opinion, no Christian should be a part of. In the same way that I don’t think Christian missionaries in India celebrate Diwali, or Christians in Muslim countries celebrate Ramadan, I don’t believe that cultural observances are an excuse to participate in something that is clearly not Christian. And, to stem the comments of Easter and Christmas being “originally based in pagan holidays” I’d like to point out the obvious difference: Christmas is about celebrating the birth of our Lord Jesus Christ and Easter is about celebrating His death, burial and resurrection. Regardless of what other holidays they may coincide with, there is an obvious meaning to the Christian that <i>is</i> based on Christ. The use of Christmas trees may be a point of contention with some, but I believe that falls under the freedoms we have in Christ. The significance of the holiday is something very important to a Christian to celebrate.</p>
<p>I would also point out that those of other faiths such as Hindus and Muslims don’t celebrate Christmas just because they live in Canada, so I think that “cultural observances” is a pretty weak excuse to participate in something that, unlike Christmas and Easter, has absolutely nothing to do with God nor glorifies God in the slightest.</p>
<p>The main point of this article is not about Christians participating in Halloween. As I stated before, I’m not one to judge. I have many Christian friends who participate and I don’t think any less of them. I’m also not out to defend my right <i>not</i> to partake. The point of this posting was to dispel the faulty logic behind using Romans 14 as a prop to say that it’s ok. All of us have to account for our thoughts and actions and only God is judge, not me, nor any other Christian. But if you are going to participate, just do it without trying to build a defence on scriptures that contextually cannot be used. For further in Romans 14 it states:</p>
<blockquote>“So then each of us shall give account of himself to God. Therefore let us not judge one another anymore, but rather resolve this, not to put a stumbling block or a cause to fall in our brother’s way.
I know and am convinced by the Lord Jesus that there is nothing unclean of itself; but to him who considers anything to be unclean, to him it is unclean. Yet if your brother is grieved because of your food, you are no longer walking in love. Do not destroy with your food the one for whom Christ died.”
(Romans 14:12–15 <span class="caps">NKJV</span>)</blockquote>
<p>Each of us will give an account, and we should be considering others as well as ourselves. Here Paul is stating that if a Christian brother or sister is grieved by your desire to eat food sacrificed to idols then don’t do it and so become a stumbling block to them. I say this to those who advertise the fact they are participating in Halloween and defending their “right” to participate. Rather, if you want to participate in Halloween don’t make a big deal of it — just do it. I don’t make a big deal of the fact that I don’t, yet to anyone who asks I will let them know my belief. In the same way, why make a big deal of the fact that you do, and then go on to justify it as well?</p>
<p>Ultimately, it is up to you. I don’t at all believe that participating in Halloween affects salvation in any way or that it makes you a “worse Christian” than if you didn’t. However, as Christians we should really be thinking long and hard about what James wrote:</p>
<blockquote>“You adulterers! Don’t you realize that friendship with the world makes you an enemy of God? I say it again: If you want to be a friend of the world, you make yourself an enemy of God.”
(James 4:4 <span class="caps">NLT</span>)</blockquote>
<p><small>
<ul>
<li><sup id="fn1">1.</sup> <a href="http://en.wikipedia.org/wiki/Satanic_holidays">http://en.wikipedia.org/wiki/Satanic_holidays</a></li>
<li><sup id="fn2">2.</sup> <a href="http://www.catholicculture.org/culture/liturgicalyear/overviews/months/10_2.cfm">http://www.catholicculture.org/culture/liturgicalyear/overviews/months/10_2.cfm</a></li>
<li><sup id="fn3">3.</sup> <a href="http://inventors.about.com/od/sstartinventions/a/Samhain.htm">http://inventors.about.com/od/sstartinventions/a/Samhain.htm</a></li>
</ul>
</small></p>
<p><small>Scripture quotes taken from the Holy Bible, New King James Version (<span class="caps">NKJV</span>) Copyright © 1982 by Thomas Nelson, Inc. and
the Holy Bible, New Living Translation (<span class="caps">NLT</span>) copyright © 1996, 2004, 2007 by Tyndale House Foundation. Used by permission of Tyndale House Publishers Inc., Carol Stream, Illinois 60188. All rights reserved.</small></p>
Religion and Relationship 2014-10-26T15:19:00-06:00 Vincent Danen tag:annvix.com,2014-10-26:/blog/religion-and-relationship
<p>Whenever I hear (non-Christians) talk about Christianity it’s always about “religion” and how they’re “not into religion.” When they make statements like this, I know that they have not heard the real gospel of Jesus Christ, nor do they understand what Christianity is all about. When people talk about how they hate “organized religion” and then lump Christianity (in the broad sense) in the same category, they miss what Jesus said. Don’t miss the context and the audience to whom Jesus is speaking when He says:</p>
<blockquote>“Brood of vipers! How can you, being evil, speak good things? For out of the abundance of the heart the mouth speaks.”
(Matthew 12:34 <span class="caps">NKJV</span>)</blockquote>
<p>Jesus also says to the religious leaders the following in this second passage:</p>
<blockquote>“Serpents, brood of vipers! How can you escape the condemnation of hell?”
(Matthew 23:33 <span class="caps">NKJV</span>)</blockquote>
<p>Clearly Jesus is condemning their “form of religion” in the same way God did with the Israelites in the Old Testament:</p>
<blockquote>“Therefore the Lord said: “Inasmuch as these people draw near with their mouths And honor Me with their lips, But have removed their hearts far from Me, And their fear toward Me is taught by the commandment of men,”
(Isaiah 29:13 <span class="caps">NKJV</span>)</blockquote>
<p>This scripture is also referenced by Jesus in Matthew 15. The context is important in how Jesus quotes this, and in what He is trying to tell His disciples (those to whom the name “Christian” is later given):</p>
<blockquote>“Then the scribes and Pharisees who were from Jerusalem came to Jesus, saying, “Why do Your disciples transgress the tradition of the elders? For they do not wash their hands when they eat bread.”
He answered and said to them, “Why do you also transgress the commandment of God because of your tradition? For God commanded, saying, “Honor your father and your mother’; and, ‘He who curses father or mother, let him be put to death.’ But you say, “Whoever says to his father or mother, ‘Whatever profit you might have received from me is a gift to God”— then he need not honor his father or mother.’ Thus you have made the commandment of God of no effect by your tradition. Hypocrites! Well did Isaiah prophesy about you, saying: “These people draw near to Me with their mouth, And honor Me with their lips, But their heart is far from Me. And in vain they worship Me, Teaching as doctrines the commandments of men.’ ”
When He had called the multitude to Himself, He said to them, “Hear and understand: Not what goes into the mouth defiles a man; but what comes out of the mouth, this defiles a man.”
Then His disciples came and said to Him, “Do You know that the Pharisees were offended when they heard this saying?”
But He answered and said, “Every plant which My heavenly Father has not planted will be uprooted. Let them alone. They are blind leaders of the blind. And if the blind leads the blind, both will fall into a ditch.””
(Matthew 15:1–14 <span class="caps">NKJV</span>)</blockquote>
<p>The Pharisees and the scribes were the leaders of the Jewish religion of the day. These are the people who took the Mosaic Law (the Laws of Moses) and turned them into the <a href="http://www.jewfaq.org/613.htm">Mitzvot</a>, a list of 613 commandments. Keep in mind that God gave the people ten commandments on Mount Sinai (see Exodus 20 and Deuteronomy 5). It was upon these ten commandments that the law was based (in Leviticus) when God gave specific direction to the people. What most people don’t realize is that God was giving laws for both spirituality/morality, as well as the “laws of the land” (similar to how we have built-in moral laws, yet we also have the laws of our justice systems, such as adhering to speed limits). God was establishing His covenant people in terms of both their spiritual lives and their natural lives. Given that the Israelites were a people bound in slavery and had no laws of their own, other than the laws of Egypt (their slave masters), God needed to establish the natural/judicial laws to which the <i>nation</i> of Israel would adhere — similar to those that a King would establish for his people (and in the strictest sense, until the time of King Saul, Israel was a theocracy with God as their sole king).</p>
<p>However, what the Pharisees had done was take those judicial and spiritual laws to a whole new extreme (thus the 613 commandments) and this was the burden to the people. Jesus took the ten commandments and distilled them down to two essential laws:</p>
<blockquote>“Then one of the scribes came, and having heard them reasoning together, perceiving that He had answered them well, asked Him, “Which is the first commandment of all?”
Jesus answered him, “The first of all the commandments is: ‘Hear, O Israel, the <span class="caps">LORD</span> our God, the <span class="caps">LORD</span> is one. And you shall love the <span class="caps">LORD</span> your God with all your heart, with all your soul, with all your mind, and with all your strength.’ This is the first commandment. And the second, like it, is this: “You shall love your neighbor as yourself.’ There is no other commandment greater than these.”
So the scribe said to Him, “Well said, Teacher. You have spoken the truth, for there is one God, and there is no other but He. And to love Him with all the heart, with all the understanding, with all the soul, and with all the strength, and to love one’s neighbor as oneself, is more than all the whole burnt offerings and sacrifices.”
Now when Jesus saw that he answered wisely, He said to him, “You are not far from the kingdom of God.” But after that no one dared question Him.”
(Mark 12:28–34 <span class="caps">NKJV</span>)</blockquote>
<p>In fact, Jesus was also referring to the burden of religion when He said:</p>
<blockquote>“Come to Me, all you who labor and are heavy laden, and I will give you rest. Take My yoke upon you and learn from Me, for I am gentle and lowly in heart, and you will find rest for your souls. For My yoke is easy and My burden is light.”
(Matthew 11:28–30 <span class="caps">NKJV</span>)</blockquote>
<p>In other words, Christianity can be summed up in two commands:</p>
<ul>
<li>Perfect love for God</li>
<li>Proper love for man</li>
</ul>
<p>How can ten commandments be expanded to 613, and then distilled down to two? Being that I’m not Jewish, and that the Mitzvot is not in the Bible (and, likewise, considering Jesus’ opinion concerning the weight of the burden the religious leaders were putting on people), I am only concerned with the ten commandments (see Exodus 20:2-17). When you read the ten commandments it is easy to see that:</p>
<ul>
<li>Thou shalt have no other gods before me (perfect love for God puts nothing before Him)</li>
<li>Thou shalt not make for yourself an idol (likewise, nothing comes before God)</li>
<li>Thou shalt not take the name of the Lord thy God in vain (using the Lord’s name as a curse is not showing Him love)</li>
<li>Remember the Sabbath, to keep it holy (loving God means taking the time to develop a relationship with Him)</li>
<li>Honor thy father and mother (proper love for people means honoring them, particularly those God has placed in authority over you, such as parents)</li>
<li>Thou shalt not kill (people don’t kill people they love)</li>
<li>Thou shalt not commit adultery (this is the ultimate betrayal, or dishonor, of the spouse that you love)</li>
<li>Thou shalt not steal (people don’t steal from people they love)</li>
<li>Thou shalt not bear false witness against thy neighbour (people don’t lie to, or about, people they love)</li>
<li>Thou shalt not covet what belongs to your neighbour (material possessions or spouse, it doesn’t matter; those things that belong to other people belong to them)</li>
</ul>
<p>So, rightfully, the ten commandments can be distilled down to two, as Jesus did. When Jesus condemned the religious leaders, He spoke these words:</p>
<blockquote>“Woe to you, scribes and Pharisees, hypocrites! For you are like whitewashed tombs which indeed appear beautiful outwardly, but inside are full of dead men’s bones and all uncleanness. Even so you also outwardly appear righteous to men, but inside you are full of hypocrisy and lawlessness.”
(Matthew 23:27–28 <span class="caps">NKJV</span>)</blockquote>
<p>These words were spoken to them because they were concerned more with the <i>acts</i> of men than with the <i>hearts</i> of men. To them, it was works of righteousness, more so than a humble heart, that God desired. They put on masks (thus being called “hypocrites”) so that they looked good on the outside, when on the inside they were more concerned with themselves and their positions of power than they were with actually obeying God. It is for this reason that, when Saul did what looked good as opposed to what God commanded, Samuel said:</p>
<blockquote>“So Samuel said: “Has the <span class="caps">LORD</span> as great delight in burnt offerings and sacrifices, As in obeying the voice of the <span class="caps">LORD</span>? Behold, to obey is better than sacrifice, And to heed than the fat of rams.”
(1 Samuel 15:22 <span class="caps">NKJV</span>)</blockquote>
<p>I think it’s safe to say, given all of the above and given how Jesus reacts to the Pharisees and religious leaders of His day, that God is not interested in religion (as many define it today — a set of rules you must live by). Well known is John 3:16, which describes God’s love for all humanity in sending His Son to be the sacrifice for our sins (<i>sin</i> is defined as our disobedience and rebellion against God and His character, which are shown through His commands):</p>
<blockquote>“For God so loved the world that He gave His only begotten Son, that whoever believes in Him should not perish but have everlasting life. For God did not send His Son into the world to condemn the world, but that the world through Him might be saved.”
(John 3:16–17 <span class="caps">NKJV</span>)</blockquote>
<blockquote>“In this is love, not that we loved God, but that He loved us and sent His Son to be the propitiation for our sins.”
(1 John 4:10 <span class="caps">NKJV</span>)</blockquote>
<p>Many times in the Bible, God is referred to as the Father… not just as the Father of Jesus, but our Father as well:</p>
<blockquote>“If you then, being evil, know how to give good gifts to your children, how much more will <b><i>your Father</i></b> who is in heaven give good things to those who ask Him!”
(Matthew 7:11 <span class="caps">NKJV</span> (emphasis mine))</blockquote>
<p>This is the heart of God. He is a Father to the fatherless (Psalm 68:5) and He is a Father to all. The whole point of sending Jesus Christ to earth to die for us was to bridge the divide between God and man that our disobedience and rebellion caused.</p>
<p>But even more than this, consider Jesus — He is a part of the triune God, and the Father asks Him to come to earth to walk among us and teach us (to reveal the heart and will of God to us), and He is willing to do it. He shows not only His obedience to God (with whom He has had a relationship for all eternity), but His love for us. What other King would step off His throne to die for those who are meant to serve and worship Him? What God would abandon divinity to become mortal flesh and then die, not for friends, not for anyone deserving, not for anyone who’s earned it — not <i>despite</i> us but <i>for</i> us? Only Jesus Christ would do this, and He did it for <i>us</i>, so that we could have a relationship with God the Father, as He has had for eternity. In fact, before being arrested and ultimately sent to the cross, Jesus prayed:</p>
<blockquote>“I do not pray for these alone, but also for those who will believe in Me through their word; that they all may be one, as You, Father, are in Me, and I in You; that they also may be one in Us, that the world may believe that You sent Me. And the glory which You gave Me I have given them, that they may be one just as We are one: I in them, and You in Me; that they may be made perfect in one, and that the world may know that You have sent Me, and have loved them as You have loved Me.”
(John 17:20–23 <span class="caps">NKJV</span>)</blockquote>
<p>The desire here is for the Father to have a relationship with us in the same way that Jesus does. He says (paraphrased): “Father, You are in Me, and I am in You, and my prayer is for them to be one in Us, and that the glory You gave to Me I have in turn given to them so that they can be united together as one in the same way that We are united together as One.” You cannot get any closer than to be united (which is to form a unit or a whole; a picture of this is the marriage covenant). This is the closeness of the relationship Jesus desires with us — so much so that in the Bible He is often referred to as the bridegroom and we (the church) as the bride. Even in the Old Testament, God referred to the people of Israel as His wife (one such reference is Isaiah 54, another is the book of Hosea).</p>
<p>To bring this to a close, it’s clear to me that if Jesus condemned the forms/burdens of religion that the Pharisees practiced, then it is not something that we should be engaging in (this is not, however, a license to “do whatever you want” because, while Jesus condemned this, He also instructs us to live holy and righteous before God (or, to put it another way, He expects us to be obedient children to God the Father)). Christianity was not meant to suck the life out of people making them do “stuff”, nor was it meant to be a burden we carried alone. John 10:10 says that Christ came to give us abundant life. It is also clear that Jesus would not step down from His throne to give His life for people He didn’t care about and that His death for us was the highest expression of love that He could give us, and that God even asking Him to do so was the highest expression of love that God could give (after all, would we give up our children for random strangers we cared nothing for and who hated us?). Would you do that for anything less than the hope of a relationship with the ones you gave so much for, and an intense desire to have that relationship in the first place?</p>
<p>Further, if God simply wanted our obedience, He could have made us with no free will or capacity for choice. For God to have a true and genuine relationship with us, He had to create us with free will and offer us the choice: love Me or reject Me. Just as children demonstrate love and honor to their parents by obeying them, we as children do the same to our heavenly Father. If I <i>make</i> my daughter do what I want and don’t give her a choice, her “obedience” does not demonstrate love; it just shows good programming. It is in the <i>choosing</i> that we demonstrate love, so God had to create us with free will and the capacity for choice in order to have a genuine relationship with us.</p>
<p>Finally, the word “religion” is not a dirty word as we have made it. Almost 200 years ago <a href="http://webstersdictionary1828.com/Home?word=Religion">Webster defined religion</a> as:</p>
<blockquote>1. <i>religion</i> in its most comprehensive sense, includes a belief in the being and perfections of God, in the revelation of his will to man, in man’s obligation to obey his commands, in a state of reward and punishment, and in man’s accountableness to God; and also true godliness or piety of life, with the practice of all moral duties. It therefore comprehends theology, as a system of doctrines or principles, as well as practical piety; for the practice of moral duties without a belief in a divine lawgiver, and without reference to his will or commands, is not religion</blockquote>
<p>Which I think is a pretty reasonable and accurate explanation for what religion is. In other words, when we seek to define our position in relation to Almighty God we must ask ourselves:</p>
<ul>
<li>Who? God the Father, His Son Jesus Christ, the Holy Spirit, and man</li>
<li>What? Obedience to His commands</li>
<li>Where? Everywhere</li>
<li>When? Now!</li>
<li>Why? Relationship</li>
<li>How? Religion</li>
</ul>
<p><b>Theological Terms</b> (Vincent Danen, 2014-09-22T17:00:00-06:00, tag:annvix.com,2014-09-22:/blog/theological-terms)</p>
<p>Recently I wrote about <a href="/blog/christian-statements-of-faith">Christian Statements of Faith</a>, which talks about the foundational pillars of Christianity — those things that make Christianity what it is. In this posting, I want to explain some theological terms that every Christian should know (sadly, if you ask most Christians what these terms mean you likely won’t get a very good response). These terms and what they mean are most probably foreign to those who know nothing about Christianity (beyond what non-Christians describe, which is grossly inaccurate).</p>
<p>So what, exactly, does “redemption” mean? Or “justification”? Or “sanctification”? These are big words that are core to the belief of any Christian. I am going to define them in brief and give a scripture reference for each; the interested reader can follow the links to definitions in Baker’s Evangelical Dictionary of Biblical Theology which will explain these words in depth (looking at original Hebrew and Greek words with their meanings, further commentary and other scripture references — I highly encourage taking the time to read it).</p>
<p>These words, and the meaning behind them, are fundamental to understanding the Christian message and worldview.</p>
<p><b><em>Gospel</em></b> means “Good News” or “Glad Tidings” and refers to the message of salvation and new life offered in and by Jesus Christ. To the Christian, being cleansed of your sins and having the assurance of eternal life in the presence of God is indeed good news!<sup><a href="#fn1" id="ref1">1</a></sup></p>
<blockquote>“<span class="caps">AND</span> <span class="caps">NOW</span> let me remind you [since it seems to have escaped you], brethren, of the Gospel (the glad tidings of salvation) which I proclaimed to you, which you welcomed and accepted and upon which your faith rests, And by which you are saved, if you hold fast and keep firmly what I preached to you, unless you believed at first without effect and all for nothing. For I passed on to you first of all what I also had received, that Christ (the Messiah, the Anointed One) died for our sins in accordance with [what] the Scriptures [foretold], That He was buried, that He arose on the third day as the Scriptures foretold, And [also] that He appeared to Cephas (Peter), then to the Twelve. Then later He showed Himself to more than five hundred brethren at one time, the majority of whom are still alive, but some have fallen asleep [in death]. Afterward He was seen by James, then by all the apostles (the special messengers), And last of all He appeared to me also, as to one prematurely and born dead [no better than an unperfected fetus among living men].”
(1 Corinthians 15:1–8 <span class="caps">AMP</span>)</blockquote>
<p><b><em>Salvation</em></b> means “rescue, set free, deliverance, escape, wholeness, healing, and safety”. When we receive salvation, we are released from the bondage of sin and are no longer slaves to the sinful nature that each human being is born with.<sup><a href="#fn2" id="ref2">2</a></sup></p>
<blockquote>“For God so greatly loved and dearly prized the world that He [even] gave up His only begotten (unique) Son, so that whoever believes in (trusts in, clings to, relies on) Him shall not perish (come to destruction, be lost) but have eternal (everlasting) life. For God did not send the Son into the world in order to judge (to reject, to condemn, to pass sentence on) the world, but that the world might find salvation and be made safe and sound through Him.”
(John 3:16–17 <span class="caps">AMP</span>)</blockquote>
<p><b><em>Repentance</em></b> means a complete change of direction in a person’s life (for example, you are travelling north, then you turn around and travel south in the opposite direction). It is a complete change of the mind, will and emotions away from sin and towards God.<sup><a href="#fn3" id="ref3">3</a></sup></p>
<blockquote>“Let the wicked forsake his way and the unrighteous man his thoughts; and let him return to the Lord, and He will have love, pity, and mercy for him, and to our God, for He will multiply to him His abundant pardon.”
(Isaiah 55:7 <span class="caps">AMP</span>)</blockquote>
<p><b><em>Redemption</em></b> is the means by which salvation is achieved, by the payment of a ransom. It literally means “to buy” and signifies the act of purchase in the market (in particular the slave market). For a Christian, we are redeemed, or have received redemption, from being slaves to sin and through the purchase of ourselves with the precious blood of Jesus Christ on the cross. He paid <i>our</i> debt to God for <i>our</i> sins on <i>our</i> behalf. The death we deserved as sinners before a Holy and Righteous God, Jesus took upon Himself and died in our place.<sup><a href="#fn4" id="ref4">4</a></sup></p>
<blockquote>“In Whom we have our redemption through His blood, [which means] the forgiveness of our sins.”
(Colossians 1:14 <span class="caps">AMP</span>)</blockquote>
<p><b><em>Atonement</em></b> is the term used to sum up the entire saving work of Christ, the offering of a redemptive sacrifice for the sin of man. Atonement is God’s action — His work, not man’s. Man cannot provide atonement for sin, only God can. Jesus Christ died the death that every person on the planet deserved and through this act of complete surrender, God’s divine justice was satisfied and the wrath of God against sin was appeased. This satisfaction concerning sin is called <em>propitiation</em>.<sup><a href="#fn5" id="ref5">5</a></sup></p>
<blockquote>“He went once for all into the [Holy of] Holies [of heaven], not by virtue of the blood of goats and calves [by which to make reconciliation between God and man], but His own blood, having found and secured a complete redemption (an everlasting release for us). For if [the mere] sprinkling of unholy and defiled persons with blood of goats and bulls and with the ashes of a burnt heifer is sufficient for the purification of the body, How much more surely shall the blood of Christ, Who by virtue of [His] eternal Spirit [His own preexistent divine personality] has offered Himself as an unblemished sacrifice to God, purify our consciences from dead works and lifeless observances to serve the [ever] living God?”
(Hebrews 9:12–14 <span class="caps">AMP</span>)</blockquote>
<p><b><em>Justified</em></b> means “to declare or pronounce righteous” (as my pastor likes to say, “just as if I’d never sinned”). Justification is the act of God removing the guilt, condemnation, and the penalty of sin from the believer and placing His own standard of righteousness on them. This is not something that man can obtain on his own. It’s similar to being acquitted of a crime, but goes much further because as sinners we are guilty — in other words, we are guilty and deserve the penalty of sin, but God not only doesn’t punish us for it, He removes the stain of it from us so completely that it’s as if it was never there.<sup><a href="#fn6" id="ref6">6</a></sup></p>
<blockquote>“[And He did it in order] that we might be justified by His grace (by His favor, wholly undeserved), [that we might be acknowledged and counted as conformed to the divine will in purpose, thought, and action], and that we might become heirs of eternal life according to [our] hope.”
(Titus 3:7 <span class="caps">AMP</span>)</blockquote>
<p><b><em>Faith</em></b>, in the theological context, means “firm persuasion, belief, conviction, reliance, and complete trust in God alone for salvation”. I like how Noah Webster’s American Dictionary of the English Language (1828) describes it (one of the twelve definitions it has): “<i>3. In theology, the assent of the mind or understanding to the truth of what God has revealed. Simple belief of the scriptures, of the being and perfections of God, and of the existence, character and doctrines of Christ, founded on the testimony of the sacred writers, is called historical or speculative faith; a faith little distinguished from the belief of the existence and achievements of Alexander or of Cesar.</i>”<sup><a href="#fn7" id="ref7">7</a></sup></p>
<blockquote>“But without faith it is impossible to please and be satisfactory to Him. For whoever would come near to God must [necessarily] believe that God exists and that He is the rewarder of those who earnestly and diligently seek Him [out].”
(Hebrews 11:6 <span class="caps">AMP</span>)</blockquote>
<p><b><em>Grace</em></b> is the undeserved kindness of God or the “unmerited favour” of God. It is favour that cannot be purchased, gained or earned — it is 100% the gift of God, and can only be given by God. This kindness of God came to the world in the form of Jesus Christ who died for us to make us righteous before God. And as a gift, it can be accepted or rejected. The Christian accepts this gift of God, the non-Christian rejects it.<sup><a href="#fn8" id="ref8">8</a></sup></p>
<blockquote>“For it is by free grace (God’s unmerited favor) that you are saved (delivered from judgment and made partakers of Christ’s salvation) through [your] faith. And this [salvation] is not of yourselves [of your own doing, it came not through your own striving], but it is the gift of God; Not because of works [not the fulfillment of the Law’s demands], lest any man should boast. [It is not the result of what anyone can possibly do, so no one can pride himself in it or take glory to himself.]”
(Ephesians 2:8–9 <span class="caps">AMP</span>)</blockquote>
<p><b><em>Adoption</em></b> means to be placed as a son or daughter into a family, as an actual member of the family with all of the responsibilities and benefits of the family being adopted into. When God says that we have been adopted as sons, it is not to be a part of the family of God as second-class citizens but as heirs to all of the promises of God.<sup><a href="#fn9" id="ref9">9</a></sup></p>
<blockquote>“To purchase the freedom of (to ransom, to redeem, to atone for) those who were subject to the Law, that we might be adopted and have sonship conferred upon us [and be recognized as God’s sons]. And because you [really] are [His] sons, God has sent the [Holy] Spirit of His Son into our hearts, crying, Abba (Father)! Father! Therefore, you are no longer a slave (bond servant) but a son; and if a son, then [it follows that you are] an heir by the aid of God, through Christ.”
(Galatians 4:5–7 <span class="caps">AMP</span>)</blockquote>
<p><b><em>Sanctification</em></b> means “to make holy” or “holiness”. This is where we get the word “saint” from (“saint” is <em>hagios</em> in Greek, meaning “a sanctified one”, from the Greek <em>hagiasmos</em> or “holiness”, which is the Greek word translated “sanctification”). Another way to look at this is that to be sanctified, or holy, is when a person lives according to God’s design and purpose.<sup><a href="#fn10" id="ref10">10</a></sup></p>
<blockquote>“to open their eyes, in order to turn them from darkness to light, and from the power of Satan to God, that they may receive forgiveness of sins and an inheritance among those who are sanctified by faith in Me.’”
(Acts 26:18 <span class="caps">NKJV</span>)</blockquote>
<p>There are, of course, many other terms that could be defined, but I think that these are the most important “pillars” of what it means to be a Christian. The meanings of these words are at the heart of Christian “language”: they describe what we believe and show their use and context. They also illustrate the Christian worldview, to some degree, because they help to provide clarity on how we view the world.</p>
<p>Every person has their own worldview — the lens through which they view the world. Whether you are Christian, Atheist, Muslim, Hindu, whatever… you have a worldview and there are certain words used to describe that worldview. In the Christian context, these words are supremely important because they convey certain imagery in a powerful way. A Christian shouldn’t be tossing these words around without knowing what they mean.</p>
<p>For instance, when a Christian says “I have been redeemed” or a song’s lyrics talk about redemption, we should know what we are saying or singing. Without a full understanding of the word, it’s just words. As with any words, it’s the meaning behind them that gives them depth, that gives them purpose. Saying “I have been redeemed” means nothing if you don’t know that it paints a picture of our state as slaves to sin, as hopeless captives, without any possibility of rescue in and of ourselves, but that it is only by the price Jesus paid on the cross that we have been taken from the pit of slavery, never to look back. We have been bought with a price, the blood of Jesus on the cross, so saying “I have been redeemed” should bring to mind the work of Jesus on the cross, the steep price He paid in the suffering, pain, and torture He endured for my sake and for yours. Knowing the state we were in, and the high price paid, should bring us to deep gratitude and thankfulness, knowing that there is no rescue, no <i>thing</i>, that we could ever possibly do to purchase our own freedom or place us in right standing before an infinite, holy, and righteous God. The picture behind the simple statement “I have been redeemed” is rich and potent, yet without an understanding of the word itself, it is minimized to nothing more than a “religious catch-phrase”, which robs us of the precious meaning and majesty behind it.</p>
<hr />
<p><small>
<ul>
<li><sup id="fn1">1.</sup> Defined: <a href="http://www.biblestudytools.com/dictionaries/bakers-evangelical-dictionary/gospel.html">Gospel</a>.</li>
<li><sup id="fn2">2.</sup> Defined: <a href="http://www.biblestudytools.com/dictionaries/bakers-evangelical-dictionary/salvation.html">Salvation</a>.</li>
<li><sup id="fn3">3.</sup> Defined: <a href="http://www.biblestudytools.com/dictionaries/bakers-evangelical-dictionary/repentance.html">Repentance</a>.</li>
<li><sup id="fn4">4.</sup> Defined: <a href="http://www.biblestudytools.com/dictionaries/bakers-evangelical-dictionary/redeem-redemption.html">Redemption, Redeem</a>.</li>
<li><sup id="fn5">5.</sup> Defined: <a href="http://www.biblestudytools.com/dictionaries/bakers-evangelical-dictionary/atonement.html">Atonement</a>.</li>
<li><sup id="fn6">6.</sup> Defined: <a href="http://www.biblestudytools.com/dictionaries/bakers-evangelical-dictionary/justification.html">Justified, Justification</a>.</li>
<li><sup id="fn7">7.</sup> Defined: <a href="http://www.biblestudytools.com/dictionaries/bakers-evangelical-dictionary/faith.html">Faith</a>.</li>
<li><sup id="fn8">8.</sup> Defined: <a href="http://www.biblestudytools.com/dictionaries/bakers-evangelical-dictionary/grace.html">Grace</a>.</li>
<li><sup id="fn9">9.</sup> Defined: <a href="http://www.biblestudytools.com/dictionaries/bakers-evangelical-dictionary/adoption.html">Adoption</a>.</li>
<li><sup id="fn10">10.</sup> Defined: <a href="http://www.biblestudytools.com/dictionaries/bakers-evangelical-dictionary/sanctification.html">Sanctification</a>.</li>
</ul>
</small></p>
<p><small>Scripture quotes taken from the Amplified Bible (<span class="caps">AMP</span>) copyright © 1954, 1958, 1962, 1964, 1965, 1987 by The Lockman Foundation, and The Holy Bible, New King James Version (<span class="caps">NKJV</span>) Copyright © 1982 by Thomas Nelson, Inc.</small></p>
<p><b>Christian Statements of Faith</b> (Vincent Danen, 2014-09-11T22:35:00-06:00, tag:annvix.com,2014-09-11:/blog/christian-statements-of-faith)</p>
<p>In the course of my studies I’ve come to realize that a lot of people have no idea what Christianity really means — even people who profess to be Christian really don’t understand what it means, and this is the real disappointment, as the North American church has done a fantastic job of conforming the gospel to our culture when we should be aiming to conform our culture to the gospel (in other words, if we try to conform Truth, we end up with a twisted view of the truth or an outright lie). In a later posting I’ll tackle the issue of truth (what it is and why it matters); suffice it to say for now that I believe truth is not subjective, as relativism claims.</p>
<p>To begin to understand the origin of Christianity, you need to understand the orthodoxy of Christianity (the theories, doctrines, and practices that defined Christianity in the early church and are the pillars of Christian theology today). These statements or creeds are inviolate — they are the foundations of Christianity and without them you may have something that <em>resembles</em> Christianity, but really <em>isn’t</em> Christianity. There are two statements of faith that define Christianity: the Apostles’ Creed and the Nicene Creed.</p>
<p><b>The Apostles’ Creed</b></p>
<blockquote>
1. I believe in God the Father almighty, creator of heaven and earth.
2. I believe in Jesus Christ, his only Son, our Lord.
3. He was conceived by the power of the Holy Spirit and born of the Virgin Mary.
4. Under Pontius Pilate, He was crucified, died, and was buried.
5. He descended to the dead. On the third day he rose again.
6. He ascended into heaven and is seated at the right hand of the Father.
7. He will come again to judge the living and the dead.
8. I believe in the Holy Spirit,
9. the holy catholic Church, the communion of saints,
10. the forgiveness of sins,
11. the resurrection of the body,
12. and the life everlasting.
Amen.
</blockquote>
<p>Note: I’m not Catholic, and this doesn’t mean “Catholic Church” in the sense that we understand it today (it is not to be confused with the “Catholic Church” as an organized religion). It comes from the Greek words <em>kata</em> (with respect to) and <em>holos</em> (whole), so the meaning of “catholic” in this statement is the universal (<em>katholikos</em>) church (or, to put it into our language today, “the holy world-wide united Christian church” (again, not to be confused with the “United Church” as an organized religion today)).</p>
<p><b>The Nicene Creed</b></p>
<blockquote>
We believe in one God, the Father Almighty, maker of heaven and earth, and of all things visible and invisible.
And in one Lord Jesus Christ, the only begotten Son of God, begotten of his Father before all worlds, God of God, Light of Light, very God of very God, begotten, not made, being of one substance with the Father; by whom all things were made; who for us and for our salvation came down from heaven, and was incarnate by the Holy Spirit of the Virgin Mary, and was made man; and was crucified also for us under Pontius Pilate; he suffered and was buried; and the third day he rose again according to the Scriptures, and ascended into heaven, and is seated at the right hand of the Father; and he shall come again, with glory, to judge both the living and the dead; whose kingdom shall have no end.
And I believe in the Holy Spirit, the Lord, and giver of life, who proceeds from the Father and the Son; who with the Father and the Son together is worshipped and glorified; who spoke by the prophets; and we believe in the one holy catholic and apostolic church; we acknowledge one baptism for the forgiveness of sins; and we look for the resurrection of the dead, and the life of the world to come.
</blockquote>
<p>Note that the Nicene Creed was initially written in 325 <span class="caps">AD</span> at the first council of Nicea, and expanded (and slightly re-arranged) at the first council of Constantinople in 381 <span class="caps">AD</span>. This creed was considered the Symbol of Faith.</p>
<p>Both of these creeds are foundational to Christianity. To take away or change any of these statements removes the foundational material of the faith and fundamentally changes the faith to something that is like Christianity, but is not, in fact, Christianity. For instance, Jehovah’s Witnesses, despite having a similar Bible and similar beliefs, are not Christian — they deny the triune nature of God and deny that Jesus is God, both of which are foundational truths to the Christian belief. Therefore a Jehovah’s Witness cannot (and will not) claim to be Christian, because the foundations of the Jehovah’s Witness faith are drastically and fundamentally different (not meaning to pick on Jehovah’s Witnesses here, but they are probably the closest almost-but-definitely-not-Christian faith I can think of).</p>
<p>I want to reiterate what I noted above about the “catholic church” because I think it’s very important to note, particularly for readers that are not Christian and don’t understand the denominational differences that various churches have. I like the way that Charles Colson and Harold Fickett explain it in their book “The Faith”<sup><a href="#fn1" id="ref1">1</a></sup>:</p>
<blockquote>
The Church is <i>one</i> because all true Christians, while we participate in different confessing congregations, are part of one body. That body is <i>holy</i> because its essential nature is found in Christ. The Church is <i>catholic</i> because it is universal, which is what <i>catholic</i> means — the Church is open to everyone. Finally, the Church is <i>apostolic</i>, which means that its teachings are those of the apostles. We have not invented a religion. We are part of the faith God revealed.
</blockquote>
<p>Finally, and perhaps most important to me, these are <em>my</em> statements of faith.</p>
<p><small>
<ul>
<li> <sup id="fn1">1. Charles W. Colson, Harold Fickett, <i>The Faith</i> (Grand Rapids, Michigan: Zondervan, 2008), 157-158.</li>
</ul>
</small></p>Christianity2014-09-09T17:59:00-06:002014-09-09T17:59:00-06:00Vincent Danentag:annvix.com,2014-09-09:/blog/christianity<p>I’ve had to rearrange the layout of the blog to accommodate some new postings that will be showing up here in the future. As an aside, my apologies to those who visit and see that I have been sadly lacking in any kind of content on the site. I will be making a distinct effort to rectify this moving forward, although perhaps not in the way that most might expect.</p>
<p>Since May I have been engaging in theological studies through my church’s off-campus theology program (<a href="http://christcity.com/training/CTI">Christcity Theological Institute</a> for anyone curious). The material we have been going through has been exceptional and between a crazy amount of work and my studies I’ve not had much time for posting random things. I haven’t had time to do extra-curricular mucking around with random computer things like I used to, so there isn’t as much to write about as a result.</p>
<p>However, as I’ve gone through these theological materials (and others), I realize I do have something worth writing about, but it stands apart from the typical content that has been published here for years. To that end, I opted to keep my thoughts and writings about Christianity and my faith from the front page of the site — purely to keep the tech focus on the site. Since I don’t feel like maintaining a second blog and don’t want to come across as a “Bible thumper” or have anyone feel like I’m attempting to shove my faith down their throat, I’ve intentionally set these pieces out of “simple sight”. They are perfectly visible in all respects beyond not being on the front page, as I have a feeling these posts may be quite lengthy. They will be syndicated to my Facebook and Google+ pages, as well as my Twitter feed. Anyone who haunts those will find that these posts are no real surprise given what I tend to tweet/post (again, rather infrequently as I don’t have much time for social media these days either).</p>
<p>Please understand that this is by no means an attempt to “hide my faith” as, if that were the aim, I could simply not post these things to begin with. Also understand that comments have always been moderated on this site, and will continue to be, so that isn’t new. I am more than happy for questions or reasonable comments, but will likely ignore flames or other questionable comments — I’m not here to pick fights and won’t respond to any in kind. You’re free to believe what you like, and you’re free to read what you like (and the same holds true for myself). If you don’t like what I write, simply don’t read it. If you’re curious or have genuine questions, I will certainly welcome them and try to answer as best I can.</p>
<p>This is a journey for understanding. I have always been a Christian (although not always a very good one!) and I have always had a firmness to my faith, but these studies answer more questions than I had thought to ask (and I will admit that, growing up, this was the adoption of my parents’ faith; this is now beyond the shadow of a doubt <em>my</em> faith). However, as I study, Christianity makes sense and in the light of other religions and philosophies in the world, it makes the <em>most</em> sense. Future postings will have examples of what I mean by this.</p>
<p>Also note that I am not a “religious person” and don’t believe in following rules for their own sake. Yes, the orthodoxy of Christianity is religious, in that there is a set of doctrines and beliefs but that is merely the shape of the box. What is inside the box is vastly different, and is not defined by strict adherence to rules/regulations/laws. Yes, these things exist and they do so for a purpose, but the fundamental premise and ideology behind the Bible is simple: it’s a love story about relationships. Relationship with God the Father, Jesus the Son, and the Holy Spirit. Relationships with each other. I believe that “religion” and the same adherence to rules/regulations/laws are things that have contributed to atrocities committed in the past in the name of God, but were not done in the spirit of what the Bible teaches and so can no more be attributed to God than cars running children over can be attributed to automobile manufacturers, or that murderers can be attributed to law makers. I will get more into all of this in later posts, however. </p>
<p>Finally, for those whom this may offend: I’m not sorry, it’s not on the frontpage, and just don’t read it if you don’t like it or disagree with it. Don’t feel like you need to post to “convert” me as my aim in posting is not to “convert” you. To those who want to read, I encourage you to use the <span class="caps">RSS</span> feed to be made aware of when new postings are out. For those concerned these will hit Planet Fedora, don’t worry about it. They won’t.</p>
<blockquote>
“I’m convinced that most men don’t know what they believe, rather, they only know what they wish to believe. How many people blame God for man’s atrocities, but wouldn’t dream of imprisoning a mother for her son’s crime?”
– Criss Jami
</blockquote>
<p>This is my way of knowing not only what I believe, but <em>why</em> I believe it. And not just “knowing” but <em>knowing</em>. Why would I want to believe in something that is false or that, when you dig past the surface, doesn’t make sense? It concerns me how many people condemn Christianity but know nothing about it, or those who believe in it but have never asked themselves why they do. Similarly, people shouldn’t condemn the Muslim faith without bothering to know anything more than what media presents, while at the same time Muslims should be questioning and looking into their own faith (although this is admittedly difficult due to Sharia Law — this, in itself, should be causing them to question!). Even many Darwinists (or Naturalists, or Atheists) never bother to understand the views they implicitly oppose and, if I may be so bold, often don’t look logically at their own worldview and philosophy to know what it is they are even professing to believe in.</p>
<p>This is my way of articulating, both to myself and to others who care to take the same journey, or are already on it, why it is that I believe what I believe and that it isn’t some mindless, blind devotion to a dead religion, but a logical and reasonable walk of faith. I’m not concerned about taking this journey — after all, if I’m wrong then I want, and need, to know it. It’s not enough for me to be a “good person” or to be a “pew warmer” on a Sunday, get some warm fuzzies and feel good about myself and then be, as James 1:22 says, merely a hearer of the word and not a doer of the word and in the end, simply deceiving myself.</p>
<p>Every Christian should be unafraid to take an honest look at the faith, we are in fact instructed to study and learn and understand the Bible and our faith:</p>
<blockquote>
“Study and be eager and do your utmost to present yourself to God approved (tested by trial), a workman who has no cause to be ashamed, correctly analyzing and accurately dividing [rightly handling and skillfully teaching] the Word of Truth.”
(2 Timothy 2:15 <span class="caps">AMP</span>)
</blockquote>
<p>Finally:</p>
<blockquote>
“But in your hearts revere Christ as Lord. Always be prepared to give an answer to everyone who asks you to give the reason for the hope that you have. But do this with gentleness and respect, keeping a clear conscience, so that those who speak maliciously against your good behavior in Christ may be ashamed of their slander.”
(1 Peter 3:15–16 <span class="caps">TNIV</span>)
</blockquote>
<p>How can you give an answer for something you do not understand? As far as I am concerned, these two scriptures indicate that God wants us to know what we believe and why we believe it. Why? So that, if we fully understand, we will live our lives according to that understanding — not simply paying lip-service to a philosophy or good idea, but actually living our lives in such a way that our belief is seen in how we act, not just in what we say. A <em>true</em> belief is something that does not change to suit us. We change to suit it.</p>
<p>We, as Christians, are called to be agents of change to the world. How can we possibly change anything if we don’t <em>really</em> believe that what we believe is <em>really</em> real?* Just look around and you’ll see how poorly we preach the true gospel of Jesus Christ in North America.</p>
<p><small>* (Yes, this statement is taken from the Truth Project because I couldn’t possibly articulate it better)</small></p>Heartbleed2014-04-12T13:00:00-06:002014-04-12T13:00:00-06:00Vincent Danentag:annvix.com,2014-04-12:/blog/heartbleed<p>I’ve refrained from posting or saying anything about Heartbleed all week because I didn’t want to add to any sensationalism and hype, and I’ve also been too busy actually dealing with it (as opposed to simply talking about it or running around with hands waving in the air like a mad man). Now that the dust has settled a bit, I just want to link to some sites that I think are good to keep handy as we see this play out. I don’t need to talk about the flaw itself as all you need to do is google “heartbleed” and you’ll get all the info you want; certainly more than I can provide here (although you will have to distill the sensational from the facts).</p>
<p>So, the sites:</p>
<ul>
<li> <a href="https://zmap.io/heartbleed/">Heartbleed Bug Health Report</a>; they’re keeping it up to date, but it’s essentially a “top 1000 still-vulnerable sites” list
<li> <a href="http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/">Mashable’s Heartbleed Hit List</a> which has a list of some of the bigger sites/services that were (or were not) affected and whether they still are; when I looked this morning it was last updated as of last night so presumably they’re keeping it fairly up to date
<li> <a href="http://www.digitaltrends.com/mobile/heartbleed-bug-apps-affected-list/#!DLTZK">DigitalTrends Mobile app list</a> which has a list of vulnerable/not-vulnerable mobile apps
<li> <a href="http://heartbleed.com/">The Heartbleed site</a> which is being kept up to date with regards to linking to various advisories
</ul>
<p>Some of these sites (and the apps that use such sites) have been fixed this week. There is speculation that this has been known for a while which means the “window of opportunity” may be much bigger than was initially thought. Some of the numbers being tossed around are pretty gross exaggerations though (one I saw was “66% of the internet vulnerable!”) so you have to take things with a grain of salt. The best advice is to look at the sites you use and if they have fixed the flaw (and were previously vulnerable) and recommend you do something (like changing your password), strongly consider doing as they suggest — <b><span class="caps">PROVIDED</span> <span class="caps">THEY</span> <span class="caps">HAVE</span> <span class="caps">ALREADY</span> <span class="caps">FIXED</span> <span class="caps">THE</span> <span class="caps">FLAW</span></b>! Sorry for the caps but I talked to some people yesterday who had rushed to change their password and when I asked them if the site in question was fixed already, they gave me a blank stare.</p>
<p>It does you <span class="caps">NO</span> good to change your password to a site that is <span class="caps">STILL</span> vulnerable. You will only have to change it again.</p>
<p>Anyways, look at the sites noted above, breathe, and keep in mind that changing passwords occasionally is a good thing. Maybe now is the time to start using something like LastPass, 1Password, KeePass, or something similar and having it generate pure random nonsense for a password, knowing that you can use this tool/service to remember it for you (although, arguably, this whole situation makes me quite happy that I use 1Password (an app on my computer) instead of a service).</p>
<p>My last point on this is that people need to upgrade if they’re using an affected version of OpenSSL. If you are, and your operating system provides it (which is the case with Red Hat Enterprise Linux and Fedora, among many others) then you really should be updating to the packages provided. It’s not a question of whether you should or shouldn’t — you should. Period. This has been a crazy week and a lot of crazy things have happened and this is a really really bad thing <span class="caps">IF</span> you’re affected. So if you are (as in you’re running Red Hat Enterprise Linux 6.5 or a current Fedora, etc.) then you really need to update <span class="caps">ASAP</span>. And then you need to assess your next steps (changing passwords on vulnerable (and now fixed) services, revoking and reissuing certificates if you feel it necessary, etc.).</p>
<p>Anyways, that’s all I have to say about Heartbleed. It will be interesting to see what the next few weeks will be like as we continue to get a bigger picture of what’s happened here, how, and to whom. And to see what damage has been done, and who responded appropriately and when. For instance, if there were a site or service I was using and as of today (being Saturday, and this thing exploded on Monday) it was still <span class="caps">NOT</span> fixed, I don’t think I would be using that site/service anymore. To put it into perspective, Red Hat had updates out late Monday for Red Hat Enterprise Linux 6.5 and the other affected products early Tuesday morning (my time). Everything was available to customers in under 24hrs. It’s not hard to install — “yum update” and reboot (to make sure everything is covered). So for a site to be still affected by this now? There’s really no excuse as far as I’m concerned.</p>
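<p>An added example, not code from the original post: a small POSIX shell script for the “update and restart” step above. Installing the fixed package replaces the library on disk, but any daemon that was already running (the web server, the mail server, your VPN) keeps the old, vulnerable copy mapped in memory until it is restarted, which is the reason for the reboot advice. The script reports the installed OpenSSL package and then lists the processes that still map a deleted libssl/libcrypto, so you can restart exactly those instead of assuming a reboot covered everything. It assumes a Linux <code>/proc</code> (readable for every process when run as root), an RPM-based distribution, and that the vendor changelog mentions the heartbeat fix; the PIDs in the demo come from a constructed <code>/proc</code>-style tree, not from a real system.</p>

```shell
#!/bin/sh
# Added example (not code from the original post). After "yum update" of
# openssl, any long-running daemon keeps the OLD libssl mapped until it is
# restarted; that is why the post suggests a reboot. This script lists the
# processes that still map a deleted libssl/libcrypto so they can be
# restarted individually instead.
# Assumptions: Linux /proc (run as root to see every process), rpm-based
# distribution, and a vendor changelog that mentions the heartbeat fix.

# Print PIDs (one per line) whose maps reference a deleted libssl/libcrypto.
# $1 is the proc directory (default /proc); it is a parameter so the scan
# can be exercised against a constructed tree.
stale_ssl_pids() {
    proc_dir="${1:-/proc}"
    for maps in "$proc_dir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -E 'lib(ssl|crypto)[^ ]* \(deleted\)' "$maps" >/dev/null 2>&1; then
            pid="${maps#"$proc_dir"/}"
            echo "${pid%/maps}"
        fi
    done
}

# Number of such processes; 0 means nothing is still running the old code.
stale_ssl_count() {
    stale_ssl_pids "$1" | wc -l | tr -d ' '
}

# Package-level view: what is installed, and whether its changelog mentions
# the heartbeat fix. Compare the version against your vendor's advisory.
report_openssl_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q openssl
        rpm -q --changelog openssl | grep -i heartbeat | head -n 3
    else
        echo "rpm not found; check your package manager's openssl version"
    fi
}

# Constructed /proc-style tree used by the demo (not a real system):
# PID 1234 still maps the deleted library, PID 5678 maps the live copy.
demo_with_constructed_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/proc/1234" "$tmp/proc/5678"
    printf '7f3a r-xp 00000000 08:01 101 /usr/lib64/libssl.so.1.0.1e (deleted)\n' \
        > "$tmp/proc/1234/maps"
    printf '7f3b r-xp 00000000 08:01 102 /usr/lib64/libssl.so.1.0.1e\n' \
        > "$tmp/proc/5678/maps"
    stale_ssl_pids "$tmp/proc"
    rm -rf "$tmp"
}

# Usage: sh stale_ssl.sh --scan   (live check, as root, after updating)
#        sh stale_ssl.sh          (runs the constructed demo)
if [ "${1:-}" = "--scan" ]; then
    report_openssl_package
    echo "Processes still mapping a deleted libssl/libcrypto (restart these):"
    stale_ssl_pids
else
    demo_with_constructed_tree
fi
```

<p>A non-empty list from <code>--scan</code> after the update means those services are still serving with the vulnerable library; restart them (or reboot, as the post says) before treating the host as fixed, and only then move on to reissuing certificates and changing passwords.</p>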
<p>Finally, just to note that I did get some minor press coverage (so this is more vanity than useful), <a href="http://www.linuxinsider.com/story/FOSS-Community-Hustles-to-Fix-Gaping-Heartbleed-Flaw-80263.html">LinuxInsider reported on Heartbleed</a> and my name is noted, although my answers to the questions must have been less than exciting as there wasn’t too much noted there other than where Red Hat customers could go for more info. =)</p>
<p>And to finish off, the obligatory xkcd:</p>
<p><center><img class="img-responsive" src="http://imgs.xkcd.com/comics/heartbleed_explanation.png"></center></p>20 years of tattoo collecting2014-02-01T13:00:00-07:002014-02-01T13:00:00-07:00Vincent Danentag:annvix.com,2014-02-01:/blog/20-years-of-tattoo-collecting<p>So this year I’m going to be 38, which means that I’ve been collecting tattoos for 20 years. The biggest “rush” of ink has been in the last 5-6 years as I’ve actually been able to afford it, whereas before it was getting a piece done whenever I could spare a few hundred dollars (which wasn’t often) and it also meant the pieces were smaller. The challenge with the sleeves was that we had to merge these things together to make it look a bit cohesive. I think, considering I have maybe 2-3hrs left to finish the right arm, that we’ve managed this pretty well. I want to sincerely thank Jared Phair of <a href="http://crimsonempiretattoo.com/" target="_new">Crimson Empire</a> for the <i>amazing</i> work he has done on both sleeves. He’s done a fantastic job with everything I’ve thrown at him. And now I’ve thrown my wife at him and Angela’s tattoo is looking amazing as well.</p>
<p>I invite everyone who’s interested to look at <a href="http://www.flickr.com/photos/wulfheart/sets/72157594268514726/">my tattoo set</a> on Flickr, and <a href="http://www.flickr.com/photos/wulfheart/sets/72157640395814043/">Angela’s tattoo set</a> on Flickr. There you will see all of the pictures. I did want to embed two pictures in my post, however, as I think they are quite amusing to compare.</p>
<p>This is today:</p>
<p><img class="img-responsive" src="http://farm6.staticflickr.com/5530/12256159604_7b141a472a.jpg"></p>
<p>This is about 15 years ago (1999):</p>
<p><img class="img-responsive" src="http://farm8.staticflickr.com/7329/12255681075_059691cc8f.jpg"></p>
<p>A lot has changed in 15 years!!</p>Angela’s First2014-01-31T08:00:00-07:002014-01-31T08:00:00-07:00Vincent Danentag:annvix.com,2014-01-31:/blog/angela-s-first<p>I’ve been collecting tattoos for 20 years. In that time, Angela has never gotten a tattoo. Her sisters and her brother all have, but she was the last of the great holdouts. I’m pleased to announce that as of January 29th, that is no longer the case! Angela has lost her tattoo virginity. And I couldn’t be prouder. =)</p>
<p>For one, she handled it like a trooper. She went for 5.5hrs without a break for her first tattoo. 5.5hrs. I know a lot of guys, with a lot of tattoos themselves, that can’t hack that. Heck, yesterday I was in for 5.5hrs and that last half hour was pretty bad. She says she could have kept going. I believe her… I came home like a wuss last night after my 5.5hrs, she came home and was just hungry.</p>
<p>So I’d like to publicly state that those who mocked and jested and said she couldn’t do it (there were quite a few, most predominantly some family whom I am happy to say are properly shamed because she <i>smoked</i> any of their sessions and in one fell swoop may have surpassed most of them in sheer ink volume) were so completely and utterly wrong that I chuckle whenever I think about it. I knew she could do it, because my wife is tough — except when I’m around so as to play me, I’m sure.</p>
<p>Anyways, that is much more exciting than what I did yesterday (I also did 5.5hrs, and my second sleeve is almost complete!). Pictures of both to come shortly. And pictures of my last session too. <sigh></p>
<p><center><img class="img-responsive" src="http://farm6.staticflickr.com/5524/12236649194_74ece7accd.jpg"></center></p>
<p><center><img class="img-responsive" src="http://farm4.staticflickr.com/3709/12236234835_4da783ab4d.jpg"></center></p>Email Tagging2014-01-23T22:00:00-07:002014-01-23T22:00:00-07:00Vincent Danentag:annvix.com,2014-01-23:/blog/email-tagging<p>The last 6-8 months have been pretty hectic for me, both at work and with other “real life” stuff and I’ve noticed, as a result, that my email handling has really suffered. I can’t even say it’s <i>begun</i> to suffer because it’s entirely snowballed to the point where my inbox is insane.</p>
<p>The other day Lifehacker noted Andreas Klinger’s blog posting on <a href="http://klinger.io/post/71640845938/dont-drown-in-email-how-to-use-gmail-more">Don’t drown in email! How to use Gmail more efficiently.</a> It was a good read and got me thinking. Unfortunately, I don’t use the Gmail web interface and I doubt that its use of stars and exclamation marks will really work across email clients. I want something that’s easy enough to use.</p>
<p>Recently I’ve been using <a href="http://freron.com/">MailMate</a> and it has a nice way of treating Gmail labels like <span class="caps">IMAP</span> keywords so that you can tag emails, in MailMate, and have them labelled in Gmail. The nice thing with this, unlike other non-Gmail normal <span class="caps">IMAP</span> providers is that you can tag a message and then delete it, and it will show up in the “folder” corresponding to that label.</p>
<p>So I created the following labels (in Gmail) and tags (in other <span class="caps">IMAP</span> accounts.. yes, I have a few scattered abroad):</p>
<ul>
<li> @<span class="caps">ACTION</span>: for things that need to be done or responded to
<li> @<span class="caps">IMPORTANT</span>: for really important things that need to be done or responded to <span class="caps">ASAP</span> (like today)
<li> @<span class="caps">WAITING</span>: for things I’m waiting on or expect a reply on, essentially things I’m waiting on a person for (needs to be reviewed weekly)
<li> @<span class="caps">FOLLOWUP</span>: for things I need to follow up on (such as things I’ve delegated, also needs to be reviewed weekly)
<li> @<span class="caps">EVENTS</span>: for upcoming events or trips, just so they are easily found
</ul>
<p>I’m not sure how @<span class="caps">WAITING</span> and @<span class="caps">FOLLOWUP</span> will be treated differently. For now, I’m going to try it this way and see if I use one more than the other.</p>
<p>So my goal is to look in the @<span class="caps">ACTION</span> folder (on the regular <span class="caps">IMAP</span> accounts, I have a smart mailbox in MailMate named after these keywords so that regardless of whether I’m using Gmail or not I get the same behaviour on all email accounts) once a day and deal with quick things, and try to empty out every week.</p>
<p>The @<span class="caps">IMPORTANT</span> stuff will need to be dealt with daily. That’s going to be the hard one. But I’m going to have to set a time (like 3pm or something) where I have to clear this folder out.</p>
<p>The rest, with the exception of @<span class="caps">EVENTS</span> (which should be cleared out after any said events), should be reviewed at the beginning of each week. Before I used to do reviews on Friday, but that seems odd to me now as I’ll be emailing a bunch of folks right before the weekend when they probably don’t want to hear from me. Better to catch them (hopefully!) fresh and chipper on a Monday.</p>
<p>So I’ve cleaned out two out of my four emails. They were the easiest two of the four. Inbox-zero for them both. My work and primary personal accounts are two different stories, however, and will probably require some time this weekend to do.</p>
<p>I have many friends who have, quite literally, thousands of emails in their inbox. How they manage to stay sane is beyond me. Maybe if I can get a system that works and I can do consistently (that is my biggest challenge… taking those few seconds to just deal with things) then I can share it with them and they’ll maybe realize what a crippling thing it is to have such horrendously large inboxes (and why it feels like their email is so slow.. seriously, I cannot make this make sense to them!).</p>
<p>Any other tips from anyone out there on how to manage your email, or perhaps what clever things you do to manage your email? Keep in mind that for my work I can quite easily get a few hundred emails in a day, so email is a very important and severely irritating part of my life.</p>40 day social media fast2014-01-06T18:11:00-07:002014-01-06T18:11:00-07:00Vincent Danentag:annvix.com,2014-01-06:/blog/40-day-social-media-fast<p>Being sick this Christmas season with a cold and a middle ear infection caused me to spend more time than I normally would have on Twitter and Facebook because it was a complete time-killer and I didn’t have energy for anything productive. In fact, my one goal for this week and a half off of work was to clean my office and as I sit here typing this, I’m taking sad glances around me, to see that my one measly little goal didn’t get accomplished. Which is frustrating and annoying.</p>
<p>I suspect if I had spent less time just wasting time (heck, even sleep would have been more productive), my office would be clean and I’d be feeling good about myself, until at least next week when it would become less-than-tidy again.</p>
<p>Obviously blaming social media here is silly, but it did get me to thinking about how much time I spend on these two sites (I have never attempted to measure it), and what I actually get out of the multiple-times-a-day visits. There’s an extremely low “news value” from these sites, and I’m not as interested in what is going on in the lives of friends and family as I perhaps once thought I might be. In fact, when I really think about it, I realize that they are a complete, utter, and absolute waste of time. I seriously have better things to do with my time.</p>
<p>I’ve always liked the lyric “wasting time like it was free” (from a Godsmack song) because there is a definite cost to my time. If I look at what I charge people for my consultancy work, and if I applied that value to the time I spend on something that doesn’t actually bring me any pleasure or money (which, I must add, is a very important thing — if reading Facebook or Twitter was anything more than a “I’m sitting on the toilet and need something quick to read” or “I’m bored so will aimlessly wander around on social media sites”, then I would not be making this decision or writing this blog post).</p>
<p>Strangely enough, I find more value on Google+ because it’s all tech-related things that show up the odd time I go on there. I am going to put Google+ into the fast however.</p>
<p>So I’m going to fast from Facebook, Twitter, and Google+. I’ve already removed the apps from my phone (which is the only time I really look at them). And I think I’m going to close my Linkedin account because I get absolutely <i>zero</i> value from that and all the Linkedin endorsements and buddy requests and so on just annoy me. I mean, as an example, there is a wonderful woman whose daughter we took in for a few months as a friend/buddy/whatever on Linkedin and we know each other, but she doesn’t really know the work that I do (other than it’s computer-related). So for her to endorse me for my Ruby programming skills is a bit odd — for one, I can say with 98% certainty that she has no idea what Ruby is other than it must be a geek thing, I’m a geek-ish person, so I must have the skill, right? Secondly, I don’t have any Ruby skills so… yeah.. don’t endorse me for Ruby. Now I doubt she thought one day that she would endorse me for a bunch of random crap, but Linkedin did helpfully suggest that maybe she’d like to endorse me for random crap? And so she did… probably because she was bored or thought it had some value for me (it doesn’t).</p>
<p>Facebook and Twitter just irritate me, Linkedin actually cheeses me right off.</p>
<p>Anyways, I’m going to fast from these social media sites for 40 days. After that, we’ll see. Maybe I’ll find I didn’t miss them at all and shut them down permanently. Maybe I’ll be desperate to know what’s been going on the last 40 days and will binge and spend a whole hour or so feasting my eyes with nonsense.</p>
<p>Will I miss hearing about friends who love their kids one day and hate them the next? Will I miss hearing about the seemingly constant misadventures of family when it comes to dating? Or dieting? Will I miss people who whine and complain about their crap lives? When Facebook was new and a novelty, I thought that sort of thing was amusing. Now I just find it sort of sad.</p>
<p>Postings from my blog will still get auto-posted to Facebook and Twitter. But if you intend to comment on them, you may want to do so here and not via either social media site as I won’t see the response. Also, there’s a few <span class="caps">RSS</span> feeds on my Facebook, but I have no idea how to configure the app to disable them, and it’s just my blog and opensource.com (highly recommended!) anyways, so I’ll leave those intact.</p>
<p>So February 15th is the day I either return to social media or … don’t. Right now, I’m betting on the latter. All social expression will be made here on my blog. Or Flickr. I intend to spend some time getting some photos I’ve been meaning to get up there so as to share (some great pics of our trip to Jasper and the Columbian Ice Fields last summer are my top priority).</p>MailMate keyboard shortcuts and Gmail archive handling2013-12-28T16:00:00-07:002013-12-28T16:00:00-07:00Vincent Danentag:annvix.com,2013-12-28:/blog/mailmate-keyboard-shortcuts-and-gmail-archive-handling<p>So, playing around with MailMate I’ve found you can create keyboard shortcuts. It comes with a standard keyboard shortcut list, one for Postbox (a Thunderbird-based email client), and Gmail. My main need here is to map “delete” to “Archive message” because MailMate, unlike Apple’s Mail, does not seem to have a setting to turn “delete” into “archive”. So when I hit the delete key, my message goes to the trash, rather than just removing the label of the current mailbox (so if it’s in the Inbox, remove the “Inbox” label, which removes it from the mailbox but keeps it in Gmail’s “All Mail”).</p>
<p>First things first, we need to create our new keybinding list. To do this, copy the Standard.plist from <b>/Applications/MailMate.app/Contents/Resources/KeyBindings</b> (to reveal this in the Finder, right-click the MailMate application icon and select “Show Package Contents”). This is where you’ll find the three keybinding plist files: Gmail, Postbox, and Standard.</p>
<p>Create the directory to store the new keybinding file:</p>
<pre>
% cd ~/Library/Application\ Support/MailMate
% mkdir -p Resources/KeyBindings
% cp /Applications/MailMate.app/Contents/Resources/KeyBindings/Standard.plist Resources/KeyBindings/Mutt.plist
</pre>
<p>This creates a new plist file called Mutt.plist. You can edit this file with any text editor. I suggest copying one of the existing plist files as it will have some of the commands you may already want in there with the funky characters like the down arrow, etc.</p>
<p>The important one (to me) is this:</p>
<pre>
"\UF728" = "deleteMessage:";
</pre>
<p>I don’t want that backspace key to delete the message. You can use the “archive” command here, which will remove it from the mailbox (and remove its label) but this also puts it into a new “[Gmail]/Archive” folder. This folder doesn’t exist normally. So while it does accomplish what I want (remove it from the specified mailbox without actually permanently deleting the message), it does it in a wonky way.</p>
<p>Ahh, this leads to more Gmail-related things. Writing blog posts while working through issues is so much fun. =)</p>
<p>The problem here is that I imported these from Apple Mail rather than creating them as new accounts. In the <a href="http://updates.mailmate-app.com/release_notes">1.7.1 release notes</a> we see:</p>
<ul>
<li>New: Changed default behavior for new Gmail accounts. 1. “[Gmail]/All Mail” is subscribed. 2. Default archive mailbox is “[Gmail]/All Mail”. Existing accounts are not affected.</li>
</ul>
<p>Interesting. So when I go to edit the <span class="caps">IMAP</span> account, I see that these are not subscribed. So this gets us more like Apple Mail, which also downloads the All Mail folder (some people have an issue with this… I never have, I kinda like that it’s all downloaded). So I had “All Mail”, “Important”, and “Starred” unsubscribed. The “Important” one can remain unsubscribed as that’s what Gmail thinks is important, not me. All Mail is subscribed to, and so is Starred. MailMate has nice smart mailboxes so you don’t need to have the Starred one (it has a default smart mailbox called “Flagged” which shows you flagged messages in each mailbox… unfortunately, with three email accounts handled by MailMate, having three “<span class="caps">INBOX</span>” smart folders means I can’t zero in on one specific account; the Starred mailbox will let me do that).</p>
<p>The other thing I noticed in the 1.7.1 release notes is this:</p>
<ul>
<li>New: Changed default behavior for new Gmail accounts. 1. “[Gmail]/All Mail” is subscribed. 2. Default archive mailbox is “[Gmail]/All Mail”. Existing accounts are not affected.</li>
</ul>
<p>The nice thing is that it seems when you subscribe to “[Gmail]/All Mail”, the default archive mailbox is changed as well (so if you archive messages, it goes to All Mail rather than Archive).</p>
<p>So now we can get back to our keyboard shortcuts. As noted above, we can now change the “deleteMessage” command to “archive” and have it do what we want:</p>
<pre>
"\UF728" = "archive:";
</pre>
<p>Now, because it is useful to be able to permanently delete stuff, we can have something like “^d” or some such to permanently delete:</p>
<pre>
"^d" = "deleteMessage:";
</pre>
<p>Anyways, calling this “Mutt” keybindings is a bit of a misnomer because they’re not default mutt keybindings (although some of them are for <i>my</i> mutt setup), but here’s my Mutt.plist:</p>
<pre>
"\UF728" = "archive:"; // ⌦ (forward-delete)
"\U007F" = "archive:"; // delete
"^d" = "deleteMessage:"; // CTRL-D
" " = "scrollPageDown:"; // Space (alternatively it can be bound to scrollPageDownOrNextUnreadMessage:)
"$ " = "scrollPageUp:"; // Shift-space
"\U000A" = "openMessages:"; // Return
"\U000D" = "openMessages:"; // Enter
"m" = "newMessage:";
"r" = "replySender:";
"G" = "replyAll:"; // group reply
"R" = "replyList:"; // list reply
"f" = "forwardMessage:";
"F" = "toggleFlag:"; // flag-message
"/" = "mailboxSearch:";
"^/" = "searchAllMessages:";
"~e" = "expandThread:"; // OPT-E
</pre>
<p>This is just my “starting” list. I’ll be tweaking it as I get used to MailMate more. So far, so good…</p>
<p>More information is found in the MailMate <a href="http://manual.mailmate-app.com/custom_key_bindings">Custom key bindings</a> section of the online manual.</p>
<p><b><span class="caps">EDIT</span></b>: I removed the bits about the custom keybindings not overriding the Standard.plist keybindings as, poking around further, I realized that you need to restart MailMate in order for it to pick up the new keybindings and that was why it did not appear to be working correctly.</p>Mavericks Mail is Apple’s worst Mail yet2013-12-28T15:00:00-07:002013-12-28T15:00:00-07:00Vincent Danentag:annvix.com,2013-12-28:/blog/mavericks-mail-is-apples-worst-mail-yet<p>To begin with, I <i>liked</i> Apple Mail in Mountain Lion (and Lion also). I’ve been using Apple Mail for a while now for my personal email on my mac, and mutt for my work email on my Fedora box. It works well, and I’ve gotten used to using …</p><p>To begin with, I <i>liked</i> Apple Mail in Mountain Lion (and Lion also). I’ve been using Apple Mail for a while now for my personal email on my mac, and mutt for my work email on my Fedora box. It works well, and I’ve gotten used to using a <span class="caps">GUI</span> for my personal email and like it.</p>
<p>But then Mavericks came out and everything changed. Seriously… how do you release a complete and utter <span class="caps">CRAP</span> email client in 10.9.0, have an update to fix Gmail, then have more Gmail-related fixes in 10.9.1 and it <i><span class="caps">STILL</span></i> is complete and utter crap? Mountain Lion’s Mail worked just peachy with Gmail. This? This … does not.</p>
<p>Before anyone yacks about Gmail itself… been using Google Apps for years, love it, not changing. Period. I’d rather change email clients. Which, in fact, looking at my mail this morning (after having been replying/deleting/etc mail on my phone the last two days), I see all the messages I’ve deleted still showing as new on my computer, despite having been deleted days ago. Seriously? Even telling it to sync/refresh/get new mail doesn’t make those deleted messages (that are most definitely <i>gone</i> on the web <span class="caps">UI</span>) disappear. The fix? Restarting Mail. Sorry… that doesn’t cut it. I’m not restarting my desktop mail client every time I manipulate a mailbox on my phone.</p>
<p>So I’ve been playing this morning with <a href="http://freron.com/">MailMate</a> which looks intriguing. So far I’m liking it. A few things I want to note so that I don’t forget when setting it up on the other system:</p>
<p>Some font settings can be changed in the preferences. The mail headers text cannot, but a quick trip to the Terminal fixes it and makes it easier for me to read:</p>
<pre>
% defaults write com.freron.MailMate MmHeadersViewFontName -string "Verdana"
% defaults write com.freron.MailMate MmHeadersViewFontSize -float 14
</pre>
<p>This one changes the “on [date] so and so wrote:” string to “On 12/23/2013, at 9:59 <span class="caps">AM</span>, So and So wrote:” (slightly different from the default):</p>
<pre>
% defaults write com.freron.MailMate MmReplyWroteString -string 'On %m/%d/%Y, at %k:%M %p, ${from.name:${from.address}} wrote:'
</pre>
<p>All of the other settings are largely set in the Preferences. Some esoteric things are not configurable in the Preferences, so checking the Help for “Hidden Preferences” and “Low-Level Customization” will let you tweak things even further.</p>
<p>The only downside that I’ve found so far is that it does not support Kerberos authentication (<span class="caps">GSSAPI</span>) and I can’t find a way to have threads expanded by default. The lack of <span class="caps">GSSAPI</span> isn’t a deal-breaker (although it sure would be nice), but the thread expansion issue is pretty annoying. The only thing I found is that holding <span class="caps">OPTION</span> while clicking the thread triangle or the right arrow key will expand the thread (<span class="caps">OPTION</span>+<span class="caps">LEFT</span>-<span class="caps">ARROW</span> to collapse the thread, but it’s a bit wonky and not great as you need to be on the first message in the thread to expand/collapse the entire thread).</p>
<p>Digging into it, it looks fairly powerful. It’s a bit steeply priced for a mail client ($<span class="caps">50USD</span>) but since I’m in my email all the time… maybe it’s worth it? Will need to keep digging/playing during this trial period to see if it’s worth the price.</p>
<p>I could always wait to see if Apple fixes their sh*t, but at this point I’m so annoyed that maybe this has pushed me to find something better. Not quite how I wanted to spend my holidays but… meh. I don’t get the opportunity to poke around with new things too often, so this is a bit of a refresher.</p>Merry Christmas!2013-12-24T15:48:00-07:002013-12-24T15:48:00-07:00Vincent Danentag:annvix.com,2013-12-24:/blog/merry-christmas<p>Merry Christmas to all my friends, family, co-workers, partners-in-crime, and just generally everyone else out there. I share a wonderful eCard with you all. May it bring you much joy and laughter.</p>
<p>God bless the faithful!</p>Merry Christmas 2013!2013-12-24T15:00:00-07:002013-12-24T15:00:00-07:00Vincent Danentag:annvix.com,2013-12-24:/blog/merry-christmas-2013<p>Merry Christmas to all my friends, family, co-workers, partners-in-crime, and just generally everyone else out there. I share a wonderful eCard with you all. May it bring you much joy and laughter.</p>
<p>God bless the faithful!</p>
Git patch workflow2013-12-24T11:14:00-07:002013-12-24T11:14:00-07:00Vincent Danentag:annvix.com,2013-12-24:/blog/git-patch-workflow<p>Probably most people who use git know about patch management and whatnot, so I’m writing this largely for myself as I keep forgetting (mostly because I don’t have to do it very often).</p>
<p>Some code that I’m working on has a development branch which I’m working …</p><p>Probably most people who use git know about patch management and whatnot, so I’m writing this largely for myself as I keep forgetting (mostly because I don’t have to do it very often).</p>
<p>Some code that I’m working on has a development branch which I’m working on while other fixes are being made to the master branch. This is great, except for the fact that I need to apply any changes made to master to the development branch as well (we’ll call it “feat/X”). And since I’m the only one working on feat/X, but others add fixes or necessary changes to master, I need to apply those changes. Some changes will apply clean, others need to be modified due to one part that is receiving a major overhaul.</p>
<p>There is probably a better way to do this and if so, please do let me know in the comments. Even though I use git almost daily, I am by no means a power user and would love more “insider tips”.</p>
<p>So I have my working copy, and I need it to know about both branches. By default, if you clone the repository you’ll just be on the master branch. So in this case I would have to <code>git checkout feat/X</code>. Once I do that, I will see:</p>
<pre>
% git branch
* feat/X
master
</pre>
<p>So do a <code>git checkout master</code> to switch back to the master branch. From here we can make a series of patches that represent code changes made to master after feat/X was branched:</p>
<pre>
% git format-patch feat/X
</pre>
<p>The first time you do this, all the patches will be new. But as you move along, you’ll continue to see these patches show up so it’s useful to keep them kicking around so you know which are new. You’ll see patches in the format “0001-The-commit-text.patch” and “0002-Other-commit-text.patch”.</p>
<p>I move the patches out of the way (I have horrid file management, so I just <code>mv *patch ~/</code>). Then <code>git checkout feat/X</code> to switch to the feat/X branch. Now we apply the patches one-by-one:</p>
<pre>
% git am <0001-The-commit-text.patch
</pre>
<p>If the patch is successful, you can do the same to the next. If not, however, you need to fiddle with things a bit. You’ll see an error like this:</p>
<pre>
% git am <~/0001-The-commit-text.patch
Applying: The commit text
error: patch failed: something/else.py:559
error: something/else.py: patch does not apply
Patch failed at 0001 The commit text
The copy of the patch that failed is found in:
/home/vdanen/my-git-repo/.git/rebase-apply/patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
</pre>
<p>You can run <code>git am --abort</code> which will revert the commit attempt, to allow you to manually apply the patch and commit. You can also use <code>git am --skip</code> to do the same. I suspect if you fed git something like <code>git am <~/*patch</code> these commands would mean different things (abort the session versus skip the one patch) but if you’re doing one patch at a time they both do the same thing.</p>
<p>You can also check the log output with <code>git log master..HEAD --stat</code> which will show that our branch contains the update, along with the appropriate author information (might be you, might be me, might be someone else). I tend to skip the log bit and just apply one patch at a time. Rinse and repeat.</p>
<p>Finally, if you don’t move your patches like I did, you can use <code>git clean</code> to remove the patches from your working directory. Use ‘-n’ first though, so it runs in dry-run mode.</p>
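<p>The loop above (format-patch on master, then <code>git am</code> one patch at a time, aborting when one does not apply) as a runnable script. This is an added example, not code from the post or from Ry’s tutorial: it builds a throwaway repository in a temp directory, with the post’s branch names master and feat/X but made-up file names and commit messages, and it needs the git binary on the PATH.</p>

```python
import os
import pathlib
import subprocess
import tempfile

# Added example, not code from the original post: the post's format-patch /
# git am loop, automated so that the first patch that does not apply triggers
# `git am --abort` and leaves the branch clean. It builds a throwaway repo in a
# temp dir; the branch names master and feat/X are the post's, the file names
# and commit messages are made up here. Needs the git binary on PATH.

GIT_ENV = {
    **os.environ,
    "GIT_AUTHOR_NAME": "example", "GIT_AUTHOR_EMAIL": "example@example.invalid",
    "GIT_COMMITTER_NAME": "example", "GIT_COMMITTER_EMAIL": "example@example.invalid",
    "GIT_CONFIG_GLOBAL": os.devnull, "GIT_CONFIG_NOSYSTEM": "1",  # ignore user config
}


def git(repo, *args, check=True):
    """Run one git command inside repo and return the CompletedProcess."""
    return subprocess.run(["git", "-C", str(repo), *args], env=GIT_ENV,
                          capture_output=True, text=True, check=check)


def commit_file(repo, name, content, message):
    (repo / name).write_text(content)
    git(repo, "add", name)
    git(repo, "commit", "-q", "-m", message)


def make_demo_repo():
    """master and feat/X diverge: feat/X overhauls else.py while master gets
    one harmless fix and one fix inside the overhauled code."""
    repo = pathlib.Path(tempfile.mkdtemp(prefix="patchflow-"))
    git(repo, "init", "-q")
    git(repo, "symbolic-ref", "HEAD", "refs/heads/master")
    commit_file(repo, "README", "hello\n", "Initial commit")
    commit_file(repo, "else.py", "def f():\n    return 1\n", "Add else.py")
    git(repo, "checkout", "-q", "-b", "feat/X")
    commit_file(repo, "else.py", "class F:\n    def run(self):\n        return 1\n",
                "Overhaul else.py")
    git(repo, "checkout", "-q", "master")
    commit_file(repo, "README", "hello world\n", "Fix README wording")
    commit_file(repo, "else.py", "def f():\n    return 2\n", "Fix return value")
    return repo


def apply_master_patches(repo, patch_dir=None):
    """git format-patch on master, then git am each patch on feat/X in order.
    Returns [(patch file name, "applied" | "failed")]; stops at the first
    failure after `git am --abort`, which is where the post says to step in
    by hand."""
    patch_dir = pathlib.Path(patch_dir or tempfile.mkdtemp(prefix="patches-"))
    git(repo, "checkout", "-q", "master")
    git(repo, "format-patch", "-o", str(patch_dir), "feat/X")
    git(repo, "checkout", "-q", "feat/X")
    results = []
    for patch in sorted(patch_dir.glob("*.patch")):
        done = git(repo, "am", "-q", str(patch), check=False)
        if done.returncode == 0:
            results.append((patch.name, "applied"))
            continue
        git(repo, "am", "--abort")          # drop the half-applied state
        results.append((patch.name, "failed"))
        break
    return results


def log_subjects(repo, rev_range="master..HEAD"):
    """Commit subjects the post checks with `git log master..HEAD --stat`."""
    return git(repo, "log", "--format=%s", rev_range).stdout.splitlines()
```

With the demo repository, the README fix applies and the else.py fix fails because feat/X rewrote the lines the patch expects, which is exactly the “patch does not apply” case shown above.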
<p>Like I indicated earlier, there are probably simpler ways to do this, but this works for me. I got all of this from <a href="http://rypress.com/tutorials/git/patch-workflows.html">Ry’s Git Tutorial on Patch Workflows</a>. Excellent tutorial.</p>Adventures in AppleRAID2013-12-07T21:00:00-07:002013-12-07T21:00:00-07:00Vincent Danentag:annvix.com,2013-12-07:/blog/adventures-in-appleraid<p>Actually, it’s not much of an adventure so much as a reminder. I’m used to doing software <span class="caps">RAID</span> on Linux with mdadm and am fully comfortable with the commandline tools — in fact, I prefer them to any <span class="caps">GUI</span> tools that may or may not be out there (for …</p><p>Actually, it’s not much of an adventure so much as a reminder. I’m used to doing software <span class="caps">RAID</span> on Linux with mdadm and am fully comfortable with the commandline tools — in fact, I prefer them to any <span class="caps">GUI</span> tools that may or may not be out there (for example, if I were to have a choice of using mdadm on the commandline versus using Anaconda to setup a <span class="caps">RAID</span> array, I would take the commandline).</p>
<p>Anyways, I use Apple’s software <span class="caps">RAID</span> on <span class="caps">OS</span> X as well. With mdadm I’m fully confident. With Apple <span class="caps">RAID</span> I’m not as much, primarily because I’ve not had the opportunity to put it through its paces, and also because Disk Utility is absolutely horrendous for dealing with setting the <span class="caps">RAID</span> arrays up.</p>
<p>Anyways, I was unlucky enough in mid-2012 to buy a few of those Seagate drives that chirped. Harmless, once I realized the drives were not going to die, but annoying nonetheless. Suffice it to say, I’ve gotten used to it. Anyways, <span class="caps">3TB</span> drives are $<span class="caps">130CAD</span> apiece now which is pretty cheap, and these drives have been running for the last year and a half pretty much non-stop. Between price, requiring some larger drives as offline archives (to which use I can put these chirpy drives), and really feeling like I should test the Apple <span class="caps">RAID</span> (last test I believe was in 10.7 and now the system is running 10.9), I figured it was a good time to give it a go.</p>
<p>Simple procedure: shut down the computer, pull out one drive, pop in a new drive, fire it back up. Because I have a <span class="caps">RAID0</span>+1 (so three <span class="caps">RAID</span> arrays, two <span class="caps">RAID</span> mirrors and one <span class="caps">RAID</span> stripe), I could pull two drives, one from each mirror array, and rebuild two at a time but I prefer to be cautious.</p>
<p>Upon bootup I get the “you’ve inserted an uninitialized disk” notice (to which I tell it to ignore the drive), get a happy degraded <span class="caps">RAID</span> warning from SMARTReporter, and am ready to get it back up and running. The required commands are surprisingly simple:</p>
<pre>
% <b>sudo diskutil list</b>
Password:
/dev/disk0
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *512.1 GB disk0
1: EFI EFI 209.7 MB disk0s1
2: Apple_HFS fenris 511.3 GB disk0s2
3: Apple_Boot Recovery HD 650.0 MB disk0s3
<b>/dev/disk1
#: TYPE NAME SIZE IDENTIFIER
0: *3.0 TB disk1</b>
/dev/disk2
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *3.0 TB disk2
1: EFI EFI 209.7 MB disk2s1
2: Apple_RAID 3.0 TB disk2s2
3: Apple_Boot Boot OS X 134.2 MB disk2s3
/dev/disk3
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *3.0 TB disk3
1: EFI EFI 209.7 MB disk3s1
2: Apple_RAID 3.0 TB disk3s2
3: Apple_Boot Boot OS X 134.2 MB disk3s3
/dev/disk4
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *3.0 TB disk4
1: EFI EFI 209.7 MB disk4s1
2: Apple_RAID 3.0 TB disk4s2
3: Apple_Boot Boot OS X 134.2 MB disk4s3
/dev/disk5
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *3.0 TB disk5
1: EFI EFI 209.7 MB disk5s1
2: Apple_HFS G-DRIVE 3.0 TB disk5s2
/dev/disk6
#: TYPE NAME SIZE IDENTIFIER
0: Apple_HFS Stuff *6.0 TB disk6
</pre>
<p>In this case, we’ve removed the first physical drive in the Mac Pro’s four bays (I have an <span class="caps">SSD</span> as a boot device in there as disk0), so it’s disk1 we’re interested in. Make a note of the disk identifier (the one with no partitions on it).</p>
<p>Next we want to see what our <span class="caps">RAID</span> information looks like because we need to know which array this drive needs to be added to, and we need to know the unique identifier (<span class="caps">UUID</span>) of the <span class="caps">RAID</span> array:</p>
<pre>
% <b>sudo diskutil appleraid list</b>
AppleRAID sets (3 found)
===============================================================================
Name: Stuff_1
Unique ID: A50AAB2A-D2DE-44DD-BAF0-7577072C5937
Type: Mirror
Status: Online
Size: 3.0 TB (3000248958976 Bytes)
Rebuild: automatic
Device Node: -
-------------------------------------------------------------------------------
# DevNode UUID Status Size
-------------------------------------------------------------------------------
0 disk2s2 3BF8BC8C-CE09-447C-8A86-ED51E8515C3E Online 3000248958976
1 disk3s2 A117C08C-B375-469C-A654-EAA902E5A317 Online 3000248958976
===============================================================================
===============================================================================
Name: Stuff
Unique ID: F2429656-695B-4F8C-B870-B7334DC3340D
Type: Stripe
Status: Online
Size: 6.0 TB (6000497786880 Bytes)
Rebuild: manual
Device Node: disk6
-------------------------------------------------------------------------------
# DevNode UUID Status Size
-------------------------------------------------------------------------------
0 -none- C96F3052-8EBD-45D5-9A25-29EE23957CA9 Online 3000248893440
1 -none- A50AAB2A-D2DE-44DD-BAF0-7577072C5937 Online 3000248893440
===============================================================================
===============================================================================
Name: Stuff_2
Unique ID: <b>C96F3052-8EBD-45D5-9A25-29EE23957CA9</b>
Type: Mirror
Status: <b>Degraded</b>
Size: 3.0 TB (3000248958976 Bytes)
Rebuild: automatic
Device Node: -
-------------------------------------------------------------------------------
# DevNode UUID Status Size
-------------------------------------------------------------------------------
<b>- -none- F3921C5D-0B94-4264-9619-0291A5147F4E Missing/Damaged</b>
1 disk4s2 12511D3B-A21C-4BB7-B68B-DAA5E2AC0277 Online 3000248958976
===============================================================================
</pre>
<p>There are a few bits of info here. The first is the uuid of our <span class="caps">RAID</span> mirror that is in a degraded state (the <span class="caps">RAID</span> volume name is Stuff_2, above, with the uuid noted below the name). The second bit of information we need is the uuid of the <i>failed</i> drive (in this case, the drive I removed). We will need to remove this missing device from the array after we add the new one.</p>
<pre>
% <b>sudo diskutil appleraid add member disk1 C96F3052-8EBD-45D5-9A25-29EE23957CA9</b>
Started RAID operation
Unmounting disk
Repartitioning disk1 so it can be in a RAID set
Unmounting disk
Creating the partition map
Adding disk1s2 to the RAID Set
Finished RAID operation
% <b>sudo diskutil appleraid list</b>
AppleRAID sets (3 found)
===============================================================================
Name: Stuff_1
Unique ID: A50AAB2A-D2DE-44DD-BAF0-7577072C5937
Type: Mirror
Status: Online
Size: 3.0 TB (3000248958976 Bytes)
Rebuild: automatic
Device Node: -
-------------------------------------------------------------------------------
# DevNode UUID Status Size
-------------------------------------------------------------------------------
0 disk2s2 3BF8BC8C-CE09-447C-8A86-ED51E8515C3E Online 3000248958976
1 disk3s2 A117C08C-B375-469C-A654-EAA902E5A317 Online 3000248958976
===============================================================================
===============================================================================
Name: Stuff
Unique ID: F2429656-695B-4F8C-B870-B7334DC3340D
Type: Stripe
Status: Online
Size: 6.0 TB (6000497786880 Bytes)
Rebuild: manual
Device Node: disk6
-------------------------------------------------------------------------------
# DevNode UUID Status Size
-------------------------------------------------------------------------------
0 -none- C96F3052-8EBD-45D5-9A25-29EE23957CA9 Online 3000248893440
1 -none- A50AAB2A-D2DE-44DD-BAF0-7577072C5937 Online 3000248893440
===============================================================================
===============================================================================
Name: Stuff_2
Unique ID: C96F3052-8EBD-45D5-9A25-29EE23957CA9
Type: Mirror
Status: Degraded
Size: 3.0 TB (3000248958976 Bytes)
Rebuild: automatic
Device Node: -
-------------------------------------------------------------------------------
# DevNode UUID Status Size
-------------------------------------------------------------------------------
- -none- F3921C5D-0B94-4264-9619-0291A5147F4E Missing/Damaged
1 disk4s2 12511D3B-A21C-4BB7-B68B-DAA5E2AC0277 Online 3000248958976
<b>2 disk1s2 6A381F4D-759C-4CFB-BB38-1EA22C7D58B8 0% (Rebuilding)3000248958976</b>
===============================================================================
</pre>
<p>Or, <b>sudo diskutil appleraid add member disk# [uuid-of-raid]</b>.</p>
<p>As you can see from the above, we added the new drive (disk1) to the <span class="caps">RAID</span> array named Stuff_2. After we did so, we performed another list operation, and you can see three drives associated with that array — one is online, one is missing, and one is rebuilding. Now we need to remove the missing one as we won’t be adding it back:</p>
<pre>
% <b>sudo diskutil appleraid remove F3921C5D-0B94-4264-9619-0291A5147F4E C96F3052-8EBD-45D5-9A25-29EE23957CA9</b>
Started RAID operation
Removing disk from RAID
Finished RAID operation
</pre>
<p>Or, <b>sudo diskutil appleraid remove [uuid-of-failed-drive] [uuid-of-raid]</b>.</p>
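<p>Reading the degraded set’s uuid and the missing member’s uuid out of the listing by eye is fine for one array; for a monitoring check it is worth parsing. The following is an added example, not code from the post or from Apple: it parses the text <code>diskutil appleraid list</code> prints, reports any set that is not Online, and spells out the add/remove commands from above without running them. The function names are mine; the sample input is the post’s own listing, abridged to two of its three sets.</p>

```python
import re
from dataclasses import dataclass, field

# Added example, not code from the original post: parse the text that
# `diskutil appleraid list` prints, flag sets that are not Online and spell
# out the add/remove commands the post runs for a degraded mirror.

@dataclass
class Member:
    devnode: str          # "disk4s2", or "-none-" for a missing/virtual member
    uuid: str
    status: str           # "Online", "Missing/Damaged", "0% (Rebuilding)", ...

@dataclass
class RaidSet:
    name: str
    uuid: str = ""
    kind: str = ""        # Mirror / Stripe / Concat
    status: str = ""
    members: list = field(default_factory=list)

UUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
# member rows: "<#> <devnode> <uuid> <status...> [<size in bytes>]"; the size
# is absent for a missing member and glued to the status for a rebuilding one
MEMBER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(" + UUID + r")\s+(.+?)\s*(?:\d{9,})?$")

def parse_appleraid_list(text):
    """Return RaidSet objects in the order diskutil printed them."""
    sets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            current = RaidSet(name=line.split(":", 1)[1].strip())
            sets.append(current)
        elif current is None:
            continue
        elif line.startswith("Unique ID:"):
            current.uuid = line.split(":", 1)[1].strip()
        elif line.startswith("Type:"):
            current.kind = line.split(":", 1)[1].strip()
        elif line.startswith("Status:"):
            current.status = line.split(":", 1)[1].strip()
        else:
            m = MEMBER_RE.match(line)
            if m:
                current.members.append(Member(m.group(2), m.group(3), m.group(4)))
    return sets

def degraded_sets(sets):
    """Anything that is not plain Online deserves a look (Degraded, Offline...)."""
    return [s for s in sets if s.status != "Online"]

def repair_commands(raid_set, replacement_disk):
    """The post's two steps, in its order: add the blank disk to the set, then
    drop every member diskutil reports as missing. Only the plan is returned;
    nothing here runs diskutil."""
    cmds = [f"sudo diskutil appleraid add member {replacement_disk} {raid_set.uuid}"]
    for m in raid_set.members:
        if m.status.startswith("Missing"):
            cmds.append(f"sudo diskutil appleraid remove {m.uuid} {raid_set.uuid}")
    return cmds

# Sample input: the post's own listing, abridged to two of its three sets.
SAMPLE = """\
AppleRAID sets (2 found)
===============================================================================
Name: Stuff
Unique ID: F2429656-695B-4F8C-B870-B7334DC3340D
Type: Stripe
Status: Online
Size: 6.0 TB (6000497786880 Bytes)
Rebuild: manual
Device Node: disk6
-------------------------------------------------------------------------------
# DevNode UUID Status Size
-------------------------------------------------------------------------------
0 -none- C96F3052-8EBD-45D5-9A25-29EE23957CA9 Online 3000248893440
1 -none- A50AAB2A-D2DE-44DD-BAF0-7577072C5937 Online 3000248893440
===============================================================================
===============================================================================
Name: Stuff_2
Unique ID: C96F3052-8EBD-45D5-9A25-29EE23957CA9
Type: Mirror
Status: Degraded
Size: 3.0 TB (3000248958976 Bytes)
Rebuild: automatic
Device Node: -
-------------------------------------------------------------------------------
# DevNode UUID Status Size
-------------------------------------------------------------------------------
- -none- F3921C5D-0B94-4264-9619-0291A5147F4E Missing/Damaged
1 disk4s2 12511D3B-A21C-4BB7-B68B-DAA5E2AC0277 Online 3000248958976
===============================================================================
"""
```

Feed it the real output with <code>subprocess.run(["diskutil", "appleraid", "list"], capture_output=True, text=True).stdout</code> and you get the same two commands the post typed, plus a cheap “is any set not Online?” check for a cron job.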
<p>And that’s it. Honestly, it took me longer to type this out than it did to rebuild the <span class="caps">RAID</span> array. Sadly, in that time it’s only progressed to 3% rebuilt. The downside of such large drives is the reconstruction time is a little ridiculous. Anyways, once you’ve run these commands in Terminal, if you were to fire up Disk Utility, you’d see a nice little <span class="caps">GUI</span> progress bar that, for me, indicates it will take 4hrs to rebuild.</p>
<p>Honestly, for anyone who has fought with Disk Utility to manage anything <span class="caps">RAID</span> in <span class="caps">OS</span> X, you’ll appreciate how simple the diskutil commandline tool makes things.</p>Git commits on xkcd2013-11-27T14:00:00-07:002013-11-27T14:00:00-07:00Vincent Danentag:annvix.com,2013-11-27:/blog/git-commits-on-xkcd<p><center><img src="http://imgs.xkcd.com/comics/git_commit.png"></center></p>
<p>I’ve had no time to do any coding lately, which makes me sad, but when I did have time and was doing lots of commits in short periods of time, I definitely felt like doing this. Many many times.</p>Last tattoo session pics2013-10-31T23:21:00-06:002013-10-31T23:21:00-06:00Vincent Danentag:annvix.com,2013-10-31:/blog/last-tattoo-session-pics<p>Today I got more work done on my sleeve, but I’d neglected to post (and even take!) pictures of the next-to-last session. So if you look at Flickr you’ll see the last bits I got done (the flaming cross and re-darkening the tribal Jesus), but not the stuff …</p><p>Today I got more work done on my sleeve, but I’d neglected to post (and even take!) pictures of the next-to-last session. So if you look at Flickr you’ll see the last bits I got done (the flaming cross and re-darkening the tribal Jesus), but not the stuff before that (which actually consisted of two sessions). I’m so bad for that.</p>
<p>Anyways, the pics don’t really do it justice as it’s a hard thing to take pictures of, but Ang tried. =) Pictures of Jesus’ hands holding a thawing heart are now on Flickr. This is probably my favourite but boy did it feel… interesting. I wondered why I had never felt a certain kind of pain before and after I looked at it I realized he had gone about an inch higher towards the armpit on the inner arm. That definitely explains it! Lots of crazy detail in this one, and some really cool shapes with bright yellow/orange/red colors that also use a lot of negative space.</p>
<p>You can view the slideshow starting here:</p>
<p><a href="http://www.flickr.com/photos/wulfheart/10609282436/in/set-72157594268514726/">http://www.flickr.com/photos/wulfheart/10609282436/in/set-72157594268514726/</a></p>
<p>I was in for a bit and the sleeve from the elbow down is now fully done. Pics to come (I promise!) when the swelling has reduced as we did a bunch of grey-wash stuff but with the inflamed/red natural “I’m angry!” skin tone it doesn’t look like it will eventually, so probably next week I’ll put pics up.</p>
<p>Sorry to those who were waiting to see this. This stuff was all done last year. =(</p>Some changes…2013-10-10T15:37:00-06:002013-10-10T15:37:00-06:00Vincent Danentag:annvix.com,2013-10-10:/blog/some-changes<p>The blog needed an updated look. I think I kinda like this new look. Much cleaner and sharper.</p>
<p>I think I’m going to be doing more “life” blogging from this point forward. The tech stuff is important, but so is “real life”. So there should be more stuff of …</p><p>The blog needed an updated look. I think I kinda like this new look. Much cleaner and sharper.</p>
<p>I think I’m going to be doing more “life” blogging from this point forward. The tech stuff is important, but so is “real life”. So there should be more stuff of the Life category going forwards. That stuff I don’t think gets syndicated to Fedora Planet, so if this makes it there I’ll have to change that as I don’t want to clutter the ‘Planet up with non-tech stuff.</p>
<p>That’s my kid’s eyeball up there, <span class="caps">BTW</span>. You can see part of the kitchen in it. I need to buy my own macro lens (thanks, Jenny, for letting me borrow yours all the time!).</p>Dealing with a Sea of Backlog2013-10-10T13:45:00-06:002013-10-10T13:45:00-06:00Vincent Danentag:annvix.com,2013-10-10:/blog/dealing-with-a-sea-of-backlog<p>I saw this on Facebook today and, thankfully, it’s also on their blog. I’ve always liked the idea of “Inbox Zero” and have even gotten my inbox to zero a few times since I started (mostly)-seriously using <span class="caps">GTD</span>. Sadly, I’m not there anymore due to how …</p><p>I saw this on Facebook today and, thankfully, it’s also on their blog. I’ve always liked the idea of “Inbox Zero” and have even gotten my inbox to zero a few times since I started (mostly)-seriously using <span class="caps">GTD</span>. Sadly, I’m not there anymore due to how crazy work has been the last few months, but I’m thankful that I’m not <i>this</i> guy. It’s a good read:</p>
<p><a href="http://www.gtdtimes.com/2013/10/04/dealing-with-a-sea-of-backlog/" target="_blank">Dealing with a Sea of Backlog</a> (via the <span class="caps">GTD</span> Times blog)</p>
<blockquote>This smart, savvy executive had no idea how to effectively use a tool through which major business decisions were being made. He had no email pending or reference folders set up, and he had stored every saved email in his inbox. As a result, he had more than 87,000 emails, spanning over 14 years, sitting as an amorphous pile of stress in his inbox.</blockquote>
<p>Amorphous pile of stress indeed.</p>
<p>I do have a few other mailboxes (mostly mailing lists) that I need to apply the “Inbox Zero” principle to.</p>
<p>I also know plenty of people that could seriously learn about filters and deleting email. I’ve got friends that have as many emails in their inbox as this guy does (the idea is to keep everything in the inbox and use no other folders… I suppose they think it’s clever and makes it easy to find stuff, I call it insanity). Actually, oddly enough, most of the people I know outside of work do this.</p>
<p>Anyways, interesting read for those of you unnecessarily drowning in a multi-thousand-count inbox.</p>Review of O’Reilly’s Learning Python, 5th Edition2013-08-24T20:00:00-06:002013-08-24T20:00:00-06:00Vincent Danentag:annvix.com,2013-08-24:/blog/review-of-oreillys-learning-python-5th-edition<p><img alt="Image" src="https://annvix.com/images/learning-python.jpg" /></p>
<p>I’ve been programming in Python for a few years now (I can pretty much mark the beginning because of starting at Red Hat). Since picking it up, I’ve fallen in love with the language and have a few books on the subject. One of the most indispensable books …</p><p><img alt="Image" src="https://annvix.com/images/learning-python.jpg" /></p>
<p>I’ve been programming in Python for a few years now (I can pretty much mark the beginning because of starting at Red Hat). Since picking it up, I’ve fallen in love with the language and have a few books on the subject. One of the most indispensable books I have is Learning Python 3rd Edition published by O’Reilly. Recently I received a copy of the 5th Edition for review.</p>
<p>My first reaction was that it was no mere book, but a tome. The 3rd Edition was no slouch, weighing in at 700 pages, but the 5th Edition is a hefty 1540 pages, over twice the size! This edition was released in June 2013 (<span class="caps">ISBN</span> 978-1-449-35573-9); the previous edition that I owned (the 3rd) was published in October 2007. This new edition was updated to cover Python versions 3.3 and 2.7 (the 4th Edition covered 2.6 and 3.0/3.1, so I imagine it too had a hefty size increase over the 3rd Edition).</p>
<p>Before I go further with the review I have to note that Learning Python 3rd Edition is nearly always on my desk. I referenced that book all the time. With the number of alternatives out there (searching on the internet or looking at other books that I have, such as Programming Python, the Python Cookbook, and Python in a Nutshell), this is the one book I used all the time. It is worn, crinkled, dirty, and probably sticky in a few spots as well. However, I’m not one to read books like this from front to back — I use them as reference material for areas that interest me or I need help with (or I need to brush up on).</p>
<p>The first section of the book, “Getting Started”, goes into the basics of Python: what it is, what it’s used for, how to use it, why you would use it, and so forth. The 5th Edition expands on this, particularly in regard to version 3.3 and its new options in Windows. This is all the really basic stuff, explained quite well and great for those interested in getting into Python without a lot of knowledge of the language. Those more experienced with Python will likely skip this section for the most part, but there are some good bits in here.</p>
<p>The second section of the book, “Types and Operations”, gets to the meat of writing code. This is the section that talks about Python object types (lists, dictionaries, tuples), how Python handles numbers, dynamic typing, manipulating and using strings, and handling file operations. One thing I noticed immediately is that the section dealing with numbers is greatly expanded from the 3rd Edition and this is largely due to the changes of how these are handled in Python 2.x vs 3.x. It is in this chapter that you begin to see why the book is so hefty — instead of focusing on just one major version of the language, it provides the necessary information for both 2.x and 3.x and the differences between the two. Because Python 2.x is still so widely used, it would have been impossible to ignore it unless they decided to write two books, one for each major version. The section on handling strings has likewise been expanded, enhanced, and re-organized with quite a bit of extra content. Again, quite a bit of this is due to the coverage of both Python 2.x and 3.x.</p>
<p>The third section of the book, “Statements and Syntax”, gets into the fundamentals of handling your code: typical statements (if/elif/else, variable assignments, loop handling, creating functions, namespaces, module handling, and exception handling). Here again a lot of content is devoted to the differences between 2.x and 3.x, and even between different versions of 2.x. There is a lot of content here — chapters devoted to topics about looping, if statements, iteration and comprehension, the 2.x print statement versus the 3.x print function, and even how to generate documentation for your code using PyDoc. For those learning Python, and even for those who choose to use this book as a reference, this section will be greatly used.</p>
<p>Perhaps one of the most significantly changed sections between the two editions of Learning Python (again, noting that I’ve never looked at the 4th Edition so I don’t know how significant a change it is between the 4th and 5th editions) is that what was “Functions” in the 3rd edition is now “Functions and Generators” in the 5th Edition. There is a significant overhaul between the two: where before “Scopes and Arguments” were a single chapter, we now have two chapters, one devoted to each topic; the 33 page chapter has turned into 67 pages spanning two chapters. It also goes into great detail about generator functions and expressions (something I have yet to fully explore). Suffice it to say, there is a good 45 pages of new content here that will prove interesting to read (list comprehension, generators, etc.).</p>
<p>The fifth section, “Modules and Packages”, likewise contains greatly expanded content covering the use of modules, how to create them, why (and how) you should use them, the differences between importing and reloading modules, full coverage of Python 3.3 namespace packages, problems you can encounter with module use, and so forth. It talks about the features common to both major versions of Python, and has sections that are more specific, such as how byte code is handled (.pyc in versions prior to 3.2 and the <code>__pycache__</code> directory in 3.2+) and namespace packages that were introduced in 3.3 (which also shows the differences between regular packages and namespace packages). This once again shows the level of detail the book provides for users of any version of Python.</p>
<p>Section six is all about Object-Oriented Programming and classes, and gives great detail and examples on topics such as polymorphism, classes and subclasses, object handling, operator overloading, and more.</p>
<p>Section seven goes into the how’s and why’s of exceptions and how to use them to write good error-handling in your code. This is the last section that appears in both editions, although (as with every other section), this one is greatly expanded.</p>
<p>The new section in the 5th Edition, compared to the 3rd, is the “Advanced Topics” section and its five chapters. This section goes into unicode and byte strings — an area that has seen a lot of changes between Python 2.x and 3.x, as well as managed attributes, decorators for functions and classes, metaclasses and the differences between them.</p>
<p>Obviously I’ve not yet read the entire book and chances are I never will. Most of these programming books I never do read end-to-end, but I do use them as functional references and to learn new things from (pretty much the entire “Advanced Topics” section is new to me), as well as to brush up on older things. From the parts I’ve read, and the comparisons I’ve made to the 3rd edition, this is most definitely a worthwhile “upgrade”. One thing I appreciate as well is the consistent back-and-forth regarding Python 2.x versus 3.x. As a Python coder who has never yet touched Python 3.x, this book will help me understand the subtle, and sometimes not-so-subtle, nuances between both major versions — when the time comes (aka: when the time is available). As such, this book is valuable to me now (writing code in Python 2.x) and will be valuable to me in the future.</p>
<p>I certainly appreciate the expanded content, as it’s already twigged a few things in my mind about the code I’ve written so far, and has given me some new ideas on how to handle certain issues or improve performance/handling of my code. This is both good and dangerous! Having said that, this is most definitely a book worth getting for any Python programmer who either is new to the language or is a veteran of the language — the first will appreciate the no-nonsense easy-to-understand approach to introducing both the basics and some quite advanced topics, while the latter will appreciate it as a reference book or to expand on their understanding of certain topics. For myself, I’m somewhere in the middle of the two and this book is introducing me to a lot of stuff I do not yet know, and is a very handy reference for the stuff that I do know (and need reminders of every once in a while).</p>
<p>I’ve highly recommended the 3rd edition of this book to anyone asking about good books on Python, and the 5th Edition is no different. I highly recommend this book to anyone who wants more than just a passing understanding of Python.</p>
<p>And as a replacement for my well-worn and well-loved 3rd Edition, I know this book will see much use from me.</p>
<p><strong>Real-world SSD vs HDD: cvs2svn speed</strong> (Vincent Danen, 2013-08-20T09:03:00-06:00, /blog/real-world-ssd-vs-hdd-cvs2svn-speed)</p>
<p>This just absolutely blew my mind so I figured I’d post a quick note about it. I have to convert a <span class="caps">CVS</span> repository to <span class="caps">SVN</span> and this is a big repository, over 33k commits to it spanning a decade. In my trial runs, using cvs2svn resulted in it taking just shy of 11.5hrs to complete, on the <span class="caps">HDD</span> (I have an <span class="caps">SSD</span> in my workstation for everything and a <span class="caps">2TB</span> <span class="caps">HDD</span> for storage and scratch space which is where I was running the conversion). Moving the original raw <span class="caps">CVS</span> repository into a temporary directory on the <span class="caps">SSD</span> and running cvs2svn from there (reading from and writing to the <span class="caps">SSD</span>) resulted in 19 minutes.</p>
<p>Come again?!?</p>
<p>That’s right… 19 <i>minutes</i>. Moving from the <span class="caps">HDD</span> to an <span class="caps">SSD</span> dropped the conversion from 11.5hrs to 19 <i>minutes</i>. I expected a speed-up, but I did not expect it to be this drastic. It makes me wonder how much faster having my Fedora mirror on an <span class="caps">SSD</span> would be when doing rq imports. There I have the MySQL database on the <span class="caps">SSD</span>, but all the rpms are being read/unpacked on the large <span class="caps">HDD</span>. Importing can be slow, given the size of Fedora (queries to the database are really fast).</p>
<p>Unfortunately, my Fedora/CentOS mirror is almost <span class="caps">800GB</span> and that would be a very expensive purchase. This makes me sad.</p>
<p><strong>Setting up a Drobo 5N</strong> (Vincent Danen, 2013-06-26T22:12:00-06:00, /blog/setting-up-a-drobo-5n)</p>
<p>There’s something about <span class="caps">NAS</span> units that makes me happy. Tiny little boxes full of storage and ripe for mucking with since for the most part they run Linux make me all warm and fuzzy and just generally put me in a good mood. Probably because I’m a bit of a digital packrat, so I like having gobs of storage space.</p>
<p>I’ve played with different <span class="caps">NAS</span> units over the years: the D-Link <span class="caps">DNS</span>-323 was a favourite for a while due to its high hackability, and I’ve used the Iomega Storcenter ix2-200 (it’s not awful, but not great). I did some consulting for a friend’s company earlier this year and set up a <span class="caps">QNAP</span> for them for off-site backups, and when the backup box at my mom’s died I picked up a <span class="caps">QNAP</span> for myself (I like these QNAPs; very familiar md-based <span class="caps">RAID</span> and really quite feature-rich, easier to muck about in than the <span class="caps">DNS</span>-323, I found). The same friend also had two Drobo units at his office, connected via <span class="caps">FW800</span> to a Mac Mini (so two big storage volumes). When I first popped in, one of the units had a failed drive that needed replacing, and within the following 2-3mos, another drive in each unit had died. Zero data loss in both cases, which impressed me.</p>
<p>After taking the backup box from my mom’s that I replaced with the <span class="caps">QNAP</span>, I played a bit with FreeNAS (I’ve never played with <span class="caps">ZFS</span> before so it seemed like a good excuse). I like FreeNAS — those guys did some excellent work on it, but after doing a bunch of reading I’m glad I went with the <span class="caps">QNAP</span> at my mom’s rather than building a new FreeNAS-based box to put there. And it didn’t seem like the right fit for what I wanted at home (lots of storage with a small footprint, low power usage, and not necessarily having all the bells and whistles that I didn’t need). As a result, I did some reading up on the Drobo 5N which sounded like a perfect fit, and having played with those other two Drobo units, it seemed like it could be exactly what I was looking for.</p>
<p>The Drobo 5N is a <span class="caps">NAS</span> unit (so it only takes power and ethernet as far as “peripherals” go). It’s a Linux-based system as well, which meant I could poke around and make it do interesting things. I also like that it can take an mSATA <span class="caps">SSD</span> for a caching accelerator, making writing to the device much faster. I also really like that I can hot-swap the drives easily. No downtime, no data loss, what’s not to like?</p>
<p>So yesterday I picked one up and loaded it with five drives and a <span class="caps">128GB</span> <span class="caps">SSD</span>.</p>
<p>I’ll dispense with the typical “unboxing” that you tend to find, and get right down to making it more usable. Out of the box, the Drobo does <span class="caps">SMB</span>/<span class="caps">CIFS</span> and <span class="caps">AFP</span>, so it works well for <span class="caps">OS</span> X and Windows. <span class="caps">NFS</span> is available through the <a href="https://sites.google.com/a/droboports.com/www/">DroboPorts</a> site, but after fiddling with it for a bit (and it might just be a quirk of this version or I did something wrong), I wasn’t able to write to the shares (only read), so I instead went with using <span class="caps">CIFS</span> to mount this thing from Linux instead. When a new version of <span class="caps">NFS</span> is available for it maybe I’ll try it again. For now, <span class="caps">CIFS</span> works pretty nicely.</p>
<p>My first steps to make this thing a bit more usable:</p>
<p>Install <a href="https://sites.google.com/a/droboports.com/www/app-repository/openssh-6-1">openssh</a>. This will allow you to log remotely into the Drobo unit. A few things to note: 1) you will need to copy the openssh.tgz to the DroboApps share and then reboot, at which point openssh will get installed and will start, 2) any users defined will by default have access via ssh to the Drobo, 3) root has access with the default password “root” (please please please change this <span class="caps">ASAP</span>!), 4) the defined administrator user’s username is Admin, not admin.</p>
<p>Once you have openssh installed and can ssh into the box, you can install <a href="https://sites.google.com/a/droboports.com/www/app-repository/sudo-1-8-5p3">sudo</a>. You’ll need to install it as root (or as Admin, and then login as root and chown everything to root). The app instructions indicate to set up a sudo group, etc. but unless you have more than one user it’s probably unnecessary. You can simply edit the sudoers file to give your Admin user sudo access, or a chosen other user (say, joe or mary).</p>
<p>These two I find pretty much critical to install, but some other essential apps to add would be rsync, vim, curl, and nfs (assuming you can make the latter work better than I could). Other nice apps that are available include git and openvpn. You can even install apache and mysql on this thing if you were so inclined (as well as php, python, ruby, etc.).</p>
<p>Because none of these will be in your $<span class="caps">PATH</span>, you’ll need to follow these <a href="https://sites.google.com/a/droboports.com/www/using-command-line-apps">instructions</a> on how to get these things in your $<span class="caps">PATH</span> if you want to use them easily when you ssh in.</p>
<p>Once you’ve done all of this, the final steps would be to 1) change the root password if you have not already done so, 2) copy an ssh public key to the drobo and make sure it works for password-less authentication, 3) turn off password-based authentication to the Drobo via editing /mnt/DroboFS/Shares/DroboApps/openssh/etc/sshd_config.</p>
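<p>Steps 2 and 3 above are the ones that lock you out if done in the wrong order, so here is an added example (not code from the post or from DroboPorts) that rewrites the sshd_config directives idempotently and only disables password logins after a key-only login has been tried. The file path is the one quoted above; the directive values are this example's choices, and sshd has to be restarted afterwards for them to take effect.</p>

```python
#!/usr/bin/env python3
"""Added example, not the post's or DroboPorts' code. Usage:
  hardenssh.py check <drobo-host> <user> <private-key>   (from the workstation)
  hardenssh.py apply [sshd_config path]                   (on the Drobo)"""
import re
import subprocess
import sys

# Path quoted in the post; the directive values below are this example's choices.
DROBO_SSHD_CONFIG = "/mnt/DroboFS/Shares/DroboApps/openssh/etc/sshd_config"

# PasswordAuthentication and ChallengeResponseAuthentication are the two
# password-style methods; PubkeyAuthentication stays on for the copied key.
HARDENED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PubkeyAuthentication": "yes",
}
# OpenSSH's compiled-in defaults for those keywords.
DEFAULTS = {keyword: "yes" for keyword in HARDENED}

# Constructed sample resembling a stock sshd_config with password logins on.
SAMPLE_CONFIG = """# sshd_config (constructed sample)
Port 22
#PubkeyAuthentication yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
"""

# 'Keyword value' with an optional leading '#', single value token only.
DIRECTIVE_RE = re.compile(r"^\s*(#\s*)?([A-Za-z]+)\s+(\S+)\s*$")


def _directive(line):
    """Return (commented, keyword, value) for a directive line, else None."""
    m = DIRECTIVE_RE.match(line)
    return (m.group(1) is not None, m.group(2), m.group(3)) if m else None


def effective_setting(text, keyword):
    """Value sshd would use: first active occurrence wins (sshd ignores later
    duplicates), otherwise the default. Keywords are case-insensitive."""
    for line in text.splitlines():
        parsed = _directive(line)
        if parsed and not parsed[0] and parsed[1].lower() == keyword.lower():
            return parsed[2]
    return DEFAULTS.get(keyword)


def harden_sshd_config(text):
    """Rewrite text so each HARDENED keyword appears exactly once, active, with
    the wanted value: the first occurrence (active or commented out) is replaced
    in place, later duplicates dropped, missing keywords appended. Idempotent."""
    wanted = {keyword.lower(): keyword for keyword in HARDENED}
    seen = set()
    out = []
    for line in text.splitlines():
        parsed = _directive(line)
        if parsed and parsed[1].lower() in wanted:
            keyword = wanted[parsed[1].lower()]
            if keyword not in seen:
                out.append("%s %s" % (keyword, HARDENED[keyword]))
                seen.add(keyword)
            continue
        out.append(line)
    for keyword in HARDENED:
        if keyword not in seen:
            out.append("%s %s" % (keyword, HARDENED[keyword]))
    return "\n".join(out) + "\n"


def key_login_works(host, user, key_path):
    """Try a login that may only use the key. BatchMode=yes stops ssh from ever
    prompting, so a non-zero exit really means the key is not accepted yet,
    which is exactly when password logins must stay enabled."""
    cmd = ["ssh", "-i", key_path, "-o", "BatchMode=yes",
           "-o", "PasswordAuthentication=no",
           "-o", "ChallengeResponseAuthentication=no",
           "%s@%s" % (user, host), "true"]
    return subprocess.call(cmd) == 0


if __name__ == "__main__":
    if sys.argv[1:2] == ["check"]:
        host, user, key = sys.argv[2:5]
        sys.exit(0 if key_login_works(host, user, key) else "key-only login failed")
    path = sys.argv[2] if len(sys.argv) > 2 else DROBO_SSHD_CONFIG
    with open(path) as fh:
        hardened = harden_sshd_config(fh.read())
    with open(path, "w") as fh:
        fh.write(hardened)
    print("wrote %s; restart sshd for it to take effect" % path)
```

<p>Run the <code>check</code> step from the workstation against the Drobo first, and only then <code>apply</code> on the Drobo itself.</p>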
<p>All in all, I’m pleased with this unit. I loaded it with 2x4TB, 2x3TB, and 1x1.5TB (the latter simply because I pulled it from a de-commissioned box and didn’t want to waste the drive), and it gave me <span class="caps">10TB</span> of usable space, which is pretty good. In this configuration it will tolerate one dead drive. The data on here isn’t critical enough for me to enable the dual-drive-fail mode (which would drop the usable space to just upwards of <span class="caps">6TB</span>; I care more about the space than the redundancy for what’s going to be stored on it).</p>
<p>Out of all the various consumer <span class="caps">NAS</span> boxes I’ve used, the Drobo is by far the most simplistic. But what it does, it does extremely well. The <span class="caps">QNAP</span> is my second choice. But since my Linux boxen take care of all the other extras that these things provide, the Drobo 5N and its more simplistic interface/feature-set really met my needs.</p>
<p><strong>Of bugzilla, python, fetchmail, and procmail</strong> (Vincent Danen, 2013-06-08T14:31:00-06:00, /blog/of-bugzilla-python-fetchmail-and-procmail)</p>
<p>I’ve been working with bugzilla for years: at Mandriva I was the primary bugzilla care-taker for a few years, and now with Red Hat I do a lot of work on some internal tools that interface with bugzilla and that enhance and direct the workflow of day-to-day work (being that we work with bugzilla all the time). I also run my own bugzilla instance a) so I can keep up to date with the goings-on of bugzilla and b) so I can track various things in some of the scripts I write and other stuff. One thing that I do is also use it as a way of logging issues that may come up with the various bits of web hosting that I do.</p>
<p>So what I needed was a way to take incoming emails generated by lfd (my primary concern right now is high load average warnings; I wanted to log them to bugzilla so that if I’m unavailable my dad could also see them (he helps maintain the server and hosts a bunch of his stuff there as well) and perhaps deal with them or at the very least if he wanted/needed to comment on them he could do so via bugzilla, and I can also make note of resolutions or causes, etc.). Yes, I’m turning bugzilla into a poor man’s “<span class="caps">RT</span>” ticketing system (I have no interest in setting something like that up, I’m already using bugzilla, and this is the best place for me to stuff these sorts of notes). I’ve tried the email_in.pl method and while it works, it only works if you have a specific format so you can assign it to the right component and product — not something that will work with these lfd-generated emails.</p>
<p>Being that a lot of the work that I’ve been doing has to do with using python and xmlrpc to manipulate bugs in the Red Hat bugzilla, it seemed like a reasonable approach to take to deal with my own bug mangling. The problem is that these emails were being sent to root, which in turn forwards directly to me. I also wanted to keep a copy of those mails in my own mailbox in case bugzilla, or anything in between, did something funky, so I opted to do a few things:</p>
<ul>
<li> use a gmail filter to forward those emails to another email account specifically for bugzilla mails
<li> setup fetchmail to pull (via pop3) those emails
<li> setup procmail to filter those emails and send them to a helper script
<li> write a helper script that will then call the <a href="https://fedorahosted.org/python-bugzilla">python-bugzilla</a> tool to file the bug
</ul>
<p>The first step was easy. Fetchmail was pretty easy too (although it’s been a few years). Procmail was easy, particularly now since I’m only concerned with one particular type of email and my gmail filter is quite specific. The helper script was initially a shell script that was going to call the bugzilla script but I quickly found limitations to that, particularly since lfd’s email also has a few attachments and I was having issues with getting it to file the bugs properly. So instead of using uudeview and a shell script, I opted to write something in python.</p>
<p>Instead of procmail feeding uudeview and then feeding my script, I made use of some of the features of python that allow for manipulating email messages (something I’ve never done before). I also found that passing stdin to the python script was somehow also passing stdin to python-bugzilla when I was calling it, which was causing all kinds of grief.</p>
<p>So with this script I learned all kinds of new things: how to manipulate an email message in python and reduce an email with attachments to a message body with individual attachments as objects and how to use subprocess (yes, I’m still using the commands stuff by and large, but that was really problematic with stdin being persistent).</p>
<p>All in all it works quite well. However, I do still have one problem that I’ve not yet licked, and that is with binary files. I’m not sure where the issue is coming from, but for some reason when I call python-bugzilla myself, in a shell, and feed it the file to attach to the bug it works fine — however, when I call it from my script (so no shell), it uses the <code>--file</code> argument as the name of the file and wants stdin as the contents of the file. This is all fine and dandy, but somewhere along the line something is rendering that binary file (was testing with a jpeg) into text and when it’s attached to the bug it has the right mime type, but the contents are wrong and no image is displayed. So, dear lazy web, if there are any python folks out there who want to look at my script and tell me what I’m doing wrong, I’d be much obliged…. =)</p>
<p>Anyways, since no post like this is really any good without the files involved, what follows is the script (process-mail) and the .procmailrc file (which is pretty bare bones and doesn’t filter much of anything):</p>
<pre>
# .procmailrc
#
HOME="/home/mailer"
SHELL=/bin/sh
VERBOSE=off
LOGFILE=$HOME/.procmail/procmail.log
# inserts a blank line between log entries
LOG="
"
:0
*^content-Type:
{
:0fw
| /usr/bin/python $HOME/bin/process-mail
}
</pre>
<p><br /></p>
<p>All this does is call the process-mail script. It will/may eventually filter on subject and sender if I find that unwanted emails are triggering new bugs. For the moment I don’t particularly care.</p>
<p>And the process-mail python script:</p>
<pre>
#!/usr/bin/env python
import commands
import email
import os
import subprocess
import sys
import tempfile

# email comes from stdin due to procmail
raw_msg = sys.stdin.readlines()
log = open(os.environ['HOME'] + '/tmp/bugzilla-email.log', 'a')
bz_prog = '/usr/bin/bugzilla'
bz_dest = '--bugzilla=https://bugzilla.annvix.com/xmlrpc.cgi'

# spool the raw message to a temp file so the email module can parse it
directory = tempfile.mkdtemp()
f = tempfile.NamedTemporaryFile(delete=False)
f.write(''.join(raw_msg))
f.close()

# split the message into the text body and individual attachment files
msg = email.message_from_file(open(f.name))
attachments = {}
for part in msg.walk():
    a_payload = part.get_payload()
    a_name = part.get_filename()
    a_type = part.get_content_type()
    if a_name is None and a_type == 'text/plain':
        email_body = part.get_payload()
    elif a_name is not None:
        tf_name = '%s/%s' % (directory, a_name)
        tf_file = open(tf_name, 'wb')
        tf_file.write(a_payload)
        tf_file.close()
        attachments[a_name] = a_type
os.unlink(f.name)

email_to = msg['to']
email_from = msg['from']
email_sub = msg['subject']
log.write('Email received from %s to %s with subject "%s"\n' % (email_from, email_to, email_sub))

# file the bug; python-bugzilla prints the new bug id on stdout
cmd = [bz_prog, bz_dest, 'new', '-i', '-p', 'Web Hosting', '-v', 'none', '-c', 'Availability', '-s', email_sub, '-l', email_body]
bug = subprocess.Popen(cmd, stdout=subprocess.PIPE).communicate()[0]
if bug != '':
    log.write('Filed bug %s\n' % bug)
    if len(attachments) > 0:
        for x in attachments:
            attachment = os.path.join(directory, x)
            log.write('Found attachment: %s\n' % attachment)
            cmd = [bz_prog, bz_dest, 'attach', '--file=%s' % x, '--type=%s' % attachments[x], '--desc=mail attachment: %s' % x, bug.strip('\n')]
            if 'text' in attachments[x]:
                a_file = open(attachment, 'r')
            else:
                # this does not work.. attaching a jpg results in mangled text and I'm not sure why...
                a_file = open(attachment, 'rb')
            # the attachment contents are fed to python-bugzilla on stdin
            foo = subprocess.Popen(cmd, stdin=a_file, stdout=subprocess.PIPE).communicate()[0]
            a_file.close()
            if foo != '':
                log.write(foo + '\n')
else:
    log.write('Failed to attach bug to bugzilla!\n')
log.close()
sys.exit(0)
</pre>
<p><br /></p>
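<p>The mangled jpeg comes from <code>get_payload()</code> handing back the attachment as it sits in the mail, i.e. still base64 text, which the script then writes to disk verbatim; <code>get_payload(decode=True)</code> undoes the Content-Transfer-Encoding and returns the real bytes (the parameter exists in Python 2’s email module as well). The following added example, which is not part of the original post, shows both behaviours on a constructed message with a text body, a binary attachment and a text attachment, using Python 3 and only the standard library.</p>

```python
#!/usr/bin/env python3
"""Added example (not the post's code): why the jpeg came out mangled and how
to extract attachments correctly with the email package (Python 3)."""
import email
import email.policy
from email.message import EmailMessage

# Constructed sample standing in for an lfd alert attachment: a fake JPEG
# header, a full 0..255 byte ramp (so it is definitely not text), a trailer.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + bytes(range(256)) + b"\xff\xd9"


def build_sample_message():
    """Build the kind of MIME mail the post's script reads from stdin."""
    msg = EmailMessage()
    msg["From"] = "lfd@example.invalid"
    msg["To"] = "bugzilla-mail@example.invalid"
    msg["Subject"] = "lfd: High 5 minute load average alert (constructed)"
    msg.set_content("Load average 7.12 exceeded the configured threshold.\n")
    # binary data is base64-encoded on the wire by the email package
    msg.add_attachment(FAKE_JPEG, maintype="image", subtype="jpeg",
                       filename="load.jpg")
    # ASCII text stays 7bit, which is why text attachments "just worked"
    msg.add_attachment("top - 13:37:00 up 3 days\n", subtype="plain",
                       filename="top.txt")
    return msg.as_bytes()


def extract_parts(raw):
    """Return (body_text, {filename: (content_type, bytes)}).
    decode=True reverses the Content-Transfer-Encoding, so a base64 image
    comes back as image bytes instead of base64 text."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body = None
    attachments = {}
    for part in msg.walk():
        if part.is_multipart():
            continue  # container, not content
        name = part.get_filename()
        if name is None and part.get_content_type() == "text/plain":
            if body is None:
                body = part.get_content()
        elif name is not None:
            attachments[name] = (part.get_content_type(),
                                 part.get_payload(decode=True))
    return body, attachments


def undecoded_payload(raw, filename):
    """What the post's script wrote to disk: get_payload() without decode=True
    returns the transfer-encoded text, not the file contents."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.walk():
        if part.get_filename() == filename:
            return part.get_payload()
    return None


if __name__ == "__main__":
    raw = build_sample_message()
    body, parts = extract_parts(raw)
    print("body:", body.strip())
    for name, (ctype, data) in parts.items():
        print("%s (%s): %d bytes, starts %r" % (name, ctype, len(data), data[:4]))
    print("undecoded jpeg starts:", repr(undecoded_payload(raw, "load.jpg")[:16]))
```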
<p>I’m not sure why this isn’t working for binary attachments though… it’s probably something simple, but I’ve not had a chance to figure out what the problem is. Dear lazy web…. any advice? =)</p>
<p><strong>Converting subversion to git redux</strong> (Vincent Danen, 2013-04-27T17:00:00-06:00, /blog/converting-subversion-to-git-redux)</p>
<p>I know I’ve written about this in the past (<a href="/blog/figuring-this-git-thing-out">here</a> and <a href="/blog/dissecting-part-of-a-subversion-repo-to-git">here</a>), but I needed to do another conversion the other day that was similar, yet different. Previous posts talked about pulling parts of a subversion repository into a git repo — effectively taking one svn repo apart into multiple git repos. This time I just needed to do a straight conversion, however I needed to exclude one single directory from ever being a part of the history of the repo.</p>
<p>Since this was a fairly important repo to convert, I did a few trial runs first and ended up scripting it since there isn’t just a single command to do what I needed. Essentially, we are doing a git clone from a subversion repository (a standard one with trunk/, tags/, branches/ this time), but excluding one directory (we’ll call it private). I also wanted to convert the svn branches to tags since that’s effectively what they were. Also, since the git repository was not local, and for the sake of expediency I didn’t want to tar something up and email it, we’re taking our converted-and-cleaned-up new git repo, changing the upstream, and then pushing the whole thing to a remote bare repository.</p>
<p>Ready? (Note: a few lines are manually wrapped with ‘\’ below)</p>
<pre>
#!/bin/bash
WORKDIR="/srv/svn2git/git"
REMOTE="git+ssh://remote.git.host/myrepo.git"
mkdir -p ${WORKDIR}
pushd ${WORKDIR}
# clone from svn with the standard layout, never importing trunk/private
git svn clone https://remote.svn.host/repos/myrepo --no-metadata \
  -A /srv/svn2git/authors-transform.txt --stdlayout \
  --ignore-paths="^trunk/private" ${WORKDIR}/from-svn
cd from-svn
git init --bare ../bare.git
cd ../bare.git
git symbolic-ref HEAD refs/heads/trunk
cd ../from-svn
# push the svn-tracking refs into the bare repo as real branches
git remote add bare ../bare.git
git config remote.bare.push 'refs/remotes/*:refs/heads/*'
git push bare
cd ../bare.git
git branch -m trunk master
# the svn branches were effectively releases, so turn them into tags
for x in branch_one branch_two branch_three; do
  git tag "${x}" refs/heads/${x}
  git branch -D ${x}
done
cd ..
git clone bare.git myrepo
cd myrepo
git remote rm origin
git remote add origin ${REMOTE}
git config remote.origin.push 'refs/remotes/*:refs/heads/*'
git config branch.master.remote origin
git config branch.master.merge refs/heads/master
git push --set-upstream origin master
</pre>
<p>And that is all there was to it. The svn authors file was created by using:</p>
<pre>
$ svn log -q | awk -F '|' '/^r/ {sub("^ ", "", $2); sub(" $", "", $2); \
print $2" = "$2" <"$2">"}' | sort -u > authors-transform.txt
</pre>
<p>in the existing copy of the subversion repository that I had (and then mangling it to suit my needs, particularly changing it to add the committers’ real names and email addresses as well).</p>
<p><strong>Bye bye Google Reader</strong> (Vincent Danen, 2013-03-13T20:26:00-06:00, /blog/bye-bye-google-reader)</p>
<p>This really makes me sad: <a href="http://googlereader.blogspot.com.au/2013/03/powering-down-google-reader.html">http://googlereader.blogspot.com.au/2013/03/powering-down-google-reader.html</a>.</p>
<p>Does anyone know of a similar service? I’ve gotten so used to using Google Reader (not the web interface, but the actual syncing and being able to connect to the account with all my various <span class="caps">RSS</span> readers whether I’m on my phone or the desktop or the laptop and be able to just pick up where I left off).</p>
<p>I get that Google needs to sunset things that don’t make sense, but it would be nice if they could maybe let the code go so others can setup their own implementations that’s basically compatible with all the Google Reader-friendly <span class="caps">RSS</span> readers out there.</p>
<p>Or they could just get rid of Orkut…</p>
<p><strong>More work on the right sleeve</strong> (Vincent Danen, 2013-02-08T10:00:00-07:00, /blog/more-work-on-the-right-sleeve)</p>
<p><center><a href="http://www.flickr.com/photos/wulfheart/8455501893/"><img src="http://farm9.staticflickr.com/8251/8455501893_63b37359db.jpg" width="375" height="500"></a></center></p>
<p>Spent a few hours last night laying some of the groundwork for getting more of the second sleeve done.</p>
<p>This was re-lining and darkening of my existing cross, and I think the flames look pretty darn sweet.</p>
<p>This is re-lining and darkening of my tribal Jesus, and fixing the J (the ticks it used to have were too thick, making it look odd):</p>
<p><center><a href="http://www.flickr.com/photos/wulfheart/8455511809/" title="Re-lined tribal Jesus by Wulfheart, on Flickr"><img src="http://farm9.staticflickr.com/8231/8455511809_aee5a0571f.jpg" width="268" height="500" alt="Re-lined tribal Jesus"></a></center></p>
<p>And as I looked at my Flickr album, I realized I never took any pics of the work done last year. =( Since I can’t take those pics on my own, I’ll have to get Ang to take some tonight.</p>
<p>The next step will be finishing filling in the forearm, and then I need to get the concept for the top done, which will include re-working the flaming skull I got 19 years ago. Looking forward to getting the sleeve finished this year!</p>I’m FedUp with Fedora!2013-02-03T00:19:00-07:002013-02-03T00:19:00-07:00Vincent Danentag:annvix.com,2013-02-03:/blog/im-fedup-with-fedora<p>Sorry, couldn’t resist. =)</p>
<p>So normally I do my updates from one version of Fedora to the next using yum, in particular the <a href="https://fedoraproject.org/wiki/Upgrading_Fedora_using_yum">Upgrading Fedora using yum</a> guide. Usually it works pretty well. I didn’t really have much good experience with PreUpgrade the few times I tried it, so I wanted to give <a href="https://fedoraproject.org/wiki/FedUp">FedUp</a> a try.</p>
<p>In my Parallels Fedora 17 <span class="caps">VM</span> it worked amazingly well. So I decided to try it on my laptop, which is also running Fedora 17. I think it makes sense to do a little bit of house-keeping before running it though, and the FedUp page doesn’t mention any of this (perhaps it’s no longer needed?). Anyway, a few steps:</p>
<ul>
<li><code>yum install rpmconf; rpmconf -a</code> (review any .rpmnew/.rpmsave files, merge changes as required)</li>
<li><code>find /etc /var -name '*?.rpm?*'</code> (find any other old .rpmnew/.rpmsave files)</li>
<li><code>yum install yum-utils; package-cleanup --leaves</code> (review and remove any unused packages, not all will be removable)</li>
<li><code>package-cleanup --orphans</code> (find and remove any orphan packages no longer in the repositories)</li>
</ul>
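<p>The <code>find</code> one-liner above only lists leftover files; before an upgrade it is also useful to know which of them actually differ from the live config and which can simply be deleted. The script below is an added example, not code from the original post or from Fedora: it walks the given directories for <code>.rpmnew</code>/<code>.rpmsave</code>/<code>.rpmorig</code> files, compares each with the file it shadows, and reports DIFFERS, IDENTICAL or MISSING. The function names and the sample tree built by <code>demo_tree</code> are constructed for the example.</p>

```shell
#!/bin/sh
# Added example (not from the original post): triage leftover .rpmnew/.rpmsave/.rpmorig
# files so that only the ones that really differ from the live file need a manual merge.
# Usage: find_rpm_leftovers DIR...   -> one line per leftover: "<STATUS> <leftover> <live>"

find_rpm_leftovers() {
    # Match the three suffixes rpm leaves behind after a config conflict.
    find "$@" -type f \( -name '*.rpmnew' -o -name '*.rpmsave' -o -name '*.rpmorig' \) 2>/dev/null |
    sort |
    while IFS= read -r leftover; do
        live="${leftover%.rpm*}"          # strip the .rpmnew/.rpmsave/.rpmorig suffix
        if [ ! -e "$live" ]; then
            status="MISSING"              # the live file is gone; the leftover is all that remains
        elif cmp -s "$leftover" "$live"; then
            status="IDENTICAL"            # same content: the leftover can be removed
        else
            status="DIFFERS"              # content differs: review and merge by hand
        fi
        printf '%s %s %s\n' "$status" "$leftover" "$live"
    done
}

# count_rpm_leftovers DIR... -> number of leftover files found under DIR...
count_rpm_leftovers() {
    find_rpm_leftovers "$@" | wc -l | tr -d ' '
}

# demo_tree builds a constructed sample tree (an assumption for the example, not real
# system files) in a temp directory and prints its path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/app"
    printf 'key=1\n' > "$d/etc/app/app.conf"
    printf 'key=2\n' > "$d/etc/app/app.conf.rpmnew"      # packaged default changed
    printf 'old=1\n' > "$d/etc/app/other.conf.rpmsave"   # live file was removed
    printf 'same\n'  > "$d/etc/app/same.conf"
    printf 'same\n'  > "$d/etc/app/same.conf.rpmsave"    # identical copy, safe to delete
    printf '%s\n' "$d"
}

# Stand-alone run: triage the sample tree, then clean it up.
if [ "${RPM_LEFTOVER_DEMO:-1}" = "1" ]; then
    tree=$(demo_tree)
    find_rpm_leftovers "$tree"
    rm -rf "$tree"
fi
```

<p>On a real system you would call <code>find_rpm_leftovers /etc /var</code> as root; lines marked IDENTICAL can be deleted outright, and only the DIFFERS lines need the <code>rpmconf</code>-style merge described in the list above.</p>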
<p>Now you can run FedUp:</p>
<ul>
<li><code>yum install fedup</code></li>
<li><code>fedup-cli --network 18 --debuglog /root/fedupdebug.log</code></li>
</ul>
<p>If this completes without error (check the log), you can reboot. In the <span class="caps">GRUB</span> menu you’ll see a “System Upgrade” entry. When that’s done, it’ll reboot into Fedora 18.</p>
<p>The wiki page talks about upgrading <span class="caps">GRUB2</span> since you’ll be booting from Fedora 17’s <span class="caps">GRUB2</span>. If you’ve got a <span class="caps">BIOS</span>-based system, you can use the <a href="https://fedoraproject.org/wiki/GRUB_2#Updating_GRUB_2_configuration_on_BIOS_systems">Updating <span class="caps">GRUB2</span> configuration on <span class="caps">BIOS</span> systems</a> instructions. For those using <span class="caps">UEFI</span>, instructions are on the same page.</p>
<p>You may also want to run <code>package-cleanup --orphans</code> after you do the upgrade as well, just to get rid of any other leftovers. The only issue I discovered so far with the upgrade is that Google Chrome didn’t work out-of-the-box. However, doing a <code>yum remove google-chrome-stable; yum install google-chrome</code> got that sorted out (although it did install the unstable version; the stable version had issues with missing libraries and wouldn’t load).</p>
<p>All in all, upgrading from Fedora 17 to 18 went a heck of a lot smoother than a fresh install did. I also got to see what the new <span class="caps">GDM</span>/<span class="caps">GNOME</span> looks like (quite nice, actually, although I think I’ll give <span class="caps">MATE</span> a try on the laptop as well because, while <span class="caps">GNOME3</span> is pretty, I definitely preferred <span class="caps">GNOME2</span>).</p>
<p>Good job, Fedora-folks! Now I just have to upgrade my main workstation, but I think I’m going to play on the laptop for a bit before taking that step. Just in case I find any other gotchas.</p>Systemd article on wiki2013-02-02T10:05:00-07:002013-02-02T10:05:00-07:00Vincent Danentag:annvix.com,2013-02-02:/blog/systemd-article-on-wiki<p>In light of my recent (mis-)adventures with Fedora 18 installation in VMware Fusion and the need to figure out some systemd stuff, I’ve started writing a hints/tip-sheet type entry on my wiki: <a href="/systemd">Systemd</a>. Far from complete yet, but I’m going to use it to document some hints, tricks, light-bulb moments, and comparisons to SysV-init tools (chkconfig, service). I’m no stranger to alternative boot/service management systems, and it does make me chuckle that people complained about Annvix using runit to manage the init system. I definitely appreciate the work that has gone into Systemd (having done a similar thing myself for Annvix, although obviously not anywhere near the scale/scope of Systemd!), so I do want to learn it as opposed to using old scripts as a crutch interface to the new stuff. So as I stumble across various bits of useful info, I’ll be adding them to that wiki article if anyone else is interested in checking it out (or perhaps giving me tips… like how the heck do I actually get gettys to run in graphical.target!! I want a working <span class="caps">CTRL</span>-<span class="caps">ALT</span>-F2/F3 to log in at the console please!!).</p>