Signs you are doing IT wrong

  1. You still use FTP
  2. You use SFTP
  3. You have a single server hosting 1 website, MySQL, and PHP. It has 4+ GB of RAM and you only have ~2,000 visitors a day.
  4. You log in as root
  5. You don’t use version control
  6. You use a control panel for servers to which you have SSH access
  7. It takes you over an hour to migrate 1 website
  8. Your DNS TTL records are over 10 minutes
  9. Your SQL server is not accessible over SSL/TLS
  10. You use mod_php instead of reverse proxying to php-fpm
  11. You develop for the web on Windows
  12. You chmod 777
  13. You use modules/plugins that require chmod 777
  14. You have no backups
  15. You host multiple websites on one server (internal-only websites excluded)
  16. You SSH with passwords
  17. You reuse passwords
  18. You don’t read books
  19. You don’t attend conferences
  20. You attend more than 6 conferences a year
  21. You use Skype for communication
  22. You make a separate mobile site
  23. You add more RAM to fix your memory leaks
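Several items on the list (4, 12, 13 and 16) are visible in configuration files and file modes, so they can be checked mechanically rather than by memory. The script below is an added example, not part of the original post: it audits an sshd_config and a web root, using a constructed, deliberately weak fixture so it runs offline. On a real host, point it at /etc/ssh/sshd_config and your document root instead.

```shell
#!/bin/sh
# Added example (not from the original post): check a host against a few of the
# list items that are visible in configuration files. Every path is a parameter,
# so the checks run against a constructed fixture as well as a real host.

# Effective value of an sshd_config keyword: the last uncommented occurrence wins.
# Assumption: no "Match" blocks, which would scope the directive.
sshd_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 | awk '{print tolower($2)}'
}

# Item 16: passes only if password logins are explicitly off.
# sshd defaults to "yes" when the directive is absent, so absent counts as a fail.
check_ssh_password_auth() {
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ]
}

# Item 4: passes only if root cannot log in over SSH at all.
# The default differs between OpenSSH releases, so absent also counts as a fail.
check_ssh_root_login() {
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ]
}

# Items 12/13: number of world-writable files and directories under a tree,
# ignoring symlinks and sticky directories such as /tmp.
count_world_writable() {
    find "$1" -perm -0002 ! -type l ! -perm -1000 | wc -l | tr -d ' '
}

# Constructed fixture: an intentionally weak sshd_config and a chmod 777 upload
# directory, so the script runs offline. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
# constructed sample configuration, weak on purpose
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    mkdir -p "$dir/www/uploads"
    : > "$dir/www/index.php"
    chmod 755 "$dir/www" && chmod 644 "$dir/www/index.php"
    chmod 777 "$dir/www/uploads"
    echo "$dir"
}

# Run every check, print one line per item, return the number of failures.
run_audit() {
    cfg=$1; tree=$2; fails=0
    if check_ssh_password_auth "$cfg"; then echo "ok   sshd: password authentication disabled"
    else echo "FAIL sshd: passwords accepted (item 16)"; fails=$((fails + 1)); fi
    if check_ssh_root_login "$cfg"; then echo "ok   sshd: root login disabled"
    else echo "FAIL sshd: root login permitted (item 4)"; fails=$((fails + 1)); fi
    ww=$(count_world_writable "$tree")
    if [ "$ww" -eq 0 ]; then echo "ok   no world-writable paths under $tree"
    else echo "FAIL $ww world-writable path(s) under $tree (items 12/13)"; fails=$((fails + 1)); fi
    return $fails
}

# Stand-alone run against the constructed fixture; all three checks fail there.
fixture=$(make_fixture)
run_audit "$fixture/sshd_config" "$fixture/www" || echo "$? check(s) failed"
rm -rf "$fixture"
```

The checks deliberately treat a missing directive as a failure: an sshd_config that never mentions PasswordAuthentication is relying on a default that changes between releases, which is exactly the kind of thing the list is about.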

Iced coffee is the best

I am not a very big fan of hot drinks, but I enjoy drinking a cup/glass/thermos/pot/gallon of coffee. I drink even more of it when my taste buds dance around and say, “Wow! That was some good, quality coffee!” A few weeks ago I set out to find a better way to make my favorite drink – iced coffee. In my opinion, the best way to buy coffee is in whole bean form. I tend to buy a brand that is roasted in my region – supporting the local economy – that also tastes good. I store the bag of whole beans in my freezer and the ground beans in a small coffee can in my refrigerator.

At first, I tried pouring hot coffee over frozen coffee cubes, then added my refrigerated creamer. This lasted for a few weeks, but I could not notice a huge difference in taste between water ice cubes and coffee ice cubes.

Secondly, I tried cold brewing coffee – placing ground coffee beans in cold water in the refrigerator overnight. This only resulted in weak, flavorless coffee.

Next, I tried hot brewing coffee, pouring it into a container, and letting it sit in the refrigerator overnight. This seems to be the best option so far. I still get to keep my 1.5 tbsp ratio of coffee beans to resulting liquid, and the ice cubes do not melt when the coffee is poured over them. I think I will stick to this option for now.

My IoT device history

The internet of things (IoT) is getting pretty saturated with devices, most of which are either smart watches or activity trackers. Smart watches do not appeal to me, as I have a very nasty habit of destroying the clock face of my watches. Last November, I was able to get a Vivosmart from Garmin for $60 plus tax and shipping. It was great – it did step tracking, allowed for notifications, and allowed me to dismiss calls and see texts. My brother-in-law also received one as a gift a few months later (he preferred it over the Fitbit, which did less and cost more).

A month ago we both noticed the pixels disappearing on the Garmin Vivosmart display. I was able to submit a warranty request through their website quite painlessly, and they offered to upgrade me to a Garmin Vivosmart HR! Of course I took the upgrade offer and paid the shipping for the old device to be sent back. My brother-in-law had a completely different experience. The website at first said his Garmin Vivosmart was out of warranty (even though it was newer than mine), then it eventually – a day later – said it was in warranty. He was given the option to replace the Garmin Vivosmart with a non-HR model, but they gave him a shipping label. It is quite odd that we both had different experiences within a few days of submitting our warranty requests.

I recently received the newer model after waiting out the RMA process, and I am quite impressed. At first, the font was too skinny and hard to read, but all I had to do was upgrade to the latest firmware and it was fixed. One neat feature that was added (besides the obvious HR function) was the ability to see the weather – up to a 4 day forecast. Two new goal trackers were also added – a stair counter and a strenuous activity counter. The plain Garmin Vivosmart’s battery lasted over a week. I haven’t depleted the new model all the way, but I am assuming it will last 4-5 days depending on my use.

Provisioning VMs with cloud init

One of the easiest ways to deploy a virtual machine in oVirt is to first install the OS and then turn it into a template. This allows you to copy that template to deploy new instances. One mundane task after a new template is copied to a new instance is logging in, changing the IP, setting the hostname, setting up Puppet, running Puppet, etc. cloud-init is the tool designed to fix that mundane process by allowing those steps to be automated. oVirt/RHEV (as well as OpenStack, AWS, and others) allow you to pass in user data, which is then supplied to cloud-init after the template is copied over and turned on. This allows for scripting on the new VM – easing deployment.

For my environment, I wanted a CentOS 7 template. To have that, I must first install CentOS on a new VM and seal it (Windows calls this Sysprep). Before I seal it, I must install cloud-init and any other tools I might use for deployment – such as Puppet. The steps to obtain just that are in the full post.
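The user data that oVirt hands to cloud-init on first boot is what replaces the logging in, IP change, hostname and Puppet steps listed above. The cloud-config below is an added example, not the post's own: it assumes a template with cloud-init and puppet-agent already installed (as the post describes), and the hostname, addresses, puppet server name, interface name eth0, the /opt/puppetlabs path and the SSH key are placeholders to replace for your environment.

```yaml
#cloud-config
# Added example user data for a sealed CentOS 7 template with cloud-init and
# puppet-agent preinstalled. All names, addresses and the key are placeholders.
hostname: web01
fqdn: web01.example.internal
manage_etc_hosts: true

# No password logins and no root logins: provision an admin user with a key.
ssh_pwauth: false
disable_root: true
users:
  - name: admin
    groups: wheel
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    shell: /bin/bash
    lock_passwd: true
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3PLACEHOLDERKEY admin@workstation

# Static address written as an ifcfg file, which is what CentOS 7 reads
# (assumes the VM's first NIC shows up as eth0).
write_files:
  - path: /etc/sysconfig/network-scripts/ifcfg-eth0
    permissions: '0644'
    content: |
      DEVICE=eth0
      BOOTPROTO=none
      ONBOOT=yes
      IPADDR=10.0.0.50
      PREFIX=24
      GATEWAY=10.0.0.1
      DNS1=10.0.0.10
  # Point the agent at the master so the first run requests a certificate
  # under the VM's own name.
  - path: /etc/puppetlabs/puppet/puppet.conf
    permissions: '0644'
    content: |
      [main]
      server = puppet.example.internal
      certname = web01.example.internal
      environment = production

# Runs last: apply the network change, enable the agent, do the first run
# (path assumes the puppetlabs repository packages).
runcmd:
  - systemctl restart network
  - systemctl enable puppet
  - /opt/puppetlabs/bin/puppet agent --test --waitforcert 60
```

cloud-init processes write_files and users before runcmd, so the network script and puppet.conf exist by the time the agent runs. The ssh_pwauth and disable_root settings also cover items 4 and 16 of the checklist at the top of this page, so every VM cut from the template starts out without password or root SSH access.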


Securing PWM

In last week’s post we set up PWM insecurely. In this post, we are going to lock it down and install mysql to store the reset questions. This guide assumes you have this CentOS 7 server publicly accessible with ports 80 and 443 available to the entire world. First, we will need to install mysql, set up a database, and add a user to that database. To do that, we need to edit our manifest.pp and append the following:

 # Install MariaDB, set the root password and drop the anonymous/test accounts.
 class { '::mysql::server':
     root_password           => 'My4cc0unt$$password!',
     remove_default_accounts => true,
     package_name            => 'mariadb-server',
     package_ensure          => 'installed',
     service_name            => 'mariadb',
 }

 # Database and user for PWM (grants on pwm.* are created by the defined type).
 mysql::db { 'pwm':
     user     => 'pwm',
     password => 'pwm_passworD2!', # Can't do a password hash here :(
 }

 # Installs the MySQL/MariaDB JDBC connector package.
 class { 'mysql::bindings':
     java_enable => true,
 }

 # Make the connector visible to the PWM webapp in Tomcat.
 file { '/opt/tomcat8/pwm/lib/mysql-connector-java.jar':
     ensure  => link,
     target  => '/usr/share/java/mysql-connector-java.jar',
     require => Class['mysql::bindings'],
 }

We will also need to install additional modules.

Password management portal for end users

We in IT have heard it often: the #1 request coming into help desk ticket systems is password resets, account lockouts, and the like. PWM is a password reset web application written in Java for use with LDAP directories. You can configure it to work with Active Directory, OpenLDAP, FreeIPA, and others. There are already a handful of good tutorials on how to set up PWM (I think of this one in particular); however, I want to demonstrate the puppet apply command in this tutorial.


This guide assumes you have an Active Directory server with TLS set up (required to change passwords), which is beyond the scope of this post; a CentOS 7 instance which can communicate with the Active Directory server; and an environment without a puppet master/server. The end manifest can be uploaded to a master and used that way.


Avoiding Catastrophic Failure

You may have already heard the news about Delta Airlines’ catastrophic failure. Ars Technica reports the true cause of the failure: routine maintenance of the power generators. Housing your entire infrastructure in only one datacenter may be a little presumptuous, or high on the bragging scale, but it is not the best method. The blame is often placed on the IT personnel when computer systems go down, but in this case the error is shared: there was a maintenance individual who did not spot the potential for a fire, there is the building planning committee that placed the power sources too close together, there is the IT budgeting team that did not have an off-site solution, and there is the CTO misinformed about the infrastructure needs of a worldwide company. A catastrophic failure is anything that damages a company’s reputation.

I can understand the single point of failure: it is often found in SMB/non-profit environments. The chance of that single point actually failing is marginal at best, which causes it to be overlooked many times over, as some will hope they never encounter that scenario. Budgetary constraints are often the first road block, the second being the time to implement, the third being the internal security practices around customer data, and the fourth being that the time to restore after a catastrophic failure is less than 24 hours; these also minimize the single point of failure in our minds. We so often minimize the single point of failure that it slips from the #1 concern to #100 on the “do someday” list.

We live in the best computer age right now. Catastrophic failures can be avoided. Here are a few ways to prevent catastrophic failures.


Common problems with Web Developers configuring LAMP/LEMP

I am a SysAdmin who likes to code. I would say I know a fair amount about web development, but I do not understand it the way a web developer understands it. I think the reverse is true as well: web developers know how to set up a LAMP/LEMP stack, but they do not understand it as well as a SysAdmin might.

To be a successful SysAdmin, you need to relearn your field every 3-5 years. New versions of software come out, and new OSes, new features, new methods, and new ideas come out every several months. It takes somebody dedicated to reading news blogs and mailing lists and following the appropriate people on social media to keep up with the rapid trends. Web developers do not have that time to dedicate to operations work. They only need infrastructure to work for their project, and it doesn’t matter how well tuned the software is: if it works, that is all they need. Below are some common pitfalls I see with web developers.

The future without Microsoft Office products

I recently submitted a proposal to remove Microsoft Office from my network and switch to Google Apps for Work and LibreOffice. This would incur a cost savings of ~$17.50 per user per month (GAFW $5 plan versus Office 2016 Professional Plus, Corporate, Open License, License Only). Some may argue that there are better license options with Microsoft and that the $508 per user per 2 years (with the open license; source: ) is not a fair estimation; however, it is not fair to compare a stagnant version of Office with the always-updated version of GAFW or LibreOffice.

Refreshing Ruby Knowledge

I see a trend in system administration tasks moving toward the Ruby programming language. Yes, you can still code in Perl, Python, Shell, etc., but Ruby seems to be growing in popularity as a choice of scripting language. It should be – it is certainly easier to type and it has a big community to go with it. I was first introduced to Ruby in 2009, and immediately after learning Ruby, I learned Ruby on Rails. At the time, Rails and the MVC model were too advanced for me, so I never used my knowledge. Mostly because Rails had many “does this automatically so you do not need to include it in your code” features, it was difficult for a beginner.

Now nearly 7 years later, I am taking Ruby off my virtual bookshelf and blowing the bugs off of it and refreshing my knowledge – this time leaving Rails out of the picture. So far I am liking plain Ruby. Below are some resources I have used to sharpen my Ruby skills.


Bonus: Setting up the exercism client on Fedora 24

The exercism client is written in Go. Go can fetch and install other Go programs as long as you have a Go workspace set up. To do that, we will issue the following commands:

# To install go
sudo dnf install golang

# To set up the workspace
mkdir -p ~/gocode/{bin,src,pkg}
echo 'export GOPATH=$HOME/gocode' >> ~/.profile
echo 'export PATH=$PATH:$GOROOT/bin:$GOPATH/bin' >> ~/.profile
source ~/.profile

Those commands will set up the Go workspace and allow you to issue the next command: go get -u