Category Archives: Tidbits

Signs you are doing IT wrong

  1. You still use FTP
  2. You use SFTP
  3. You have a single server hosting 1 website, MySQL, and PHP. It has 4+ GB of RAM and you only have ~2,000 visitors a day.
  4. You log in as root
  5. You don’t use version control
  6. You use a control panel for servers to which you have SSH access
  7. It takes you over an hour to migrate 1 website
  8. Your DNS TTLs are over 10 minutes
  9. Your SQL server is not accessible over SSL/TLS
  10. You use mod_php instead of reverse proxying to php-fpm
  11. You develop for the web on Windows
  12. You chmod 777
  13. You use modules/plugins that require chmod 777
  14. You have no backups
  15. You host multiple websites on one server (internal-only websites excluded)
  16. You SSH with passwords
  17. You reuse passwords
  18. You don’t read books
  19. You don’t attend conferences
  20. You attend more than 6 conferences a year
  21. You use Skype for communication
  22. You make a separate mobile site
  23. You add more RAM to fix your memory leaks
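Three of the signs in the list above (root login over SSH, SSH with passwords, chmod 777) can be checked mechanically. The script below is an added example, not code from the original post; it assumes OpenSSH 7.0+ defaults for any directive the config does not set, and it does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post: audit a host for three of the
# "doing IT wrong" signs. Assumes OpenSSH 7.0+ defaults for unset directives.

# audit_sshd FILE -> prints each finding; returns 0 when clean, 1 otherwise.
# sshd honours the first occurrence of a directive, so stop at the first match.
# Match blocks are not evaluated here (assumption: none override these).
audit_sshd() {
    file="$1"; rc=0
    root=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$file")
    pass=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$file")
    [ -n "$root" ] || root="prohibit-password"   # OpenSSH 7.0+ default (assumed)
    [ -n "$pass" ] || pass="yes"                 # OpenSSH default
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '$root' (want: no; log in as a user and sudo)"; rc=1
    fi
    if [ "$pass" != "no" ]; then
        echo "PasswordAuthentication is '$pass' (want: no; use keys)"; rc=1
    fi
    return $rc
}

# find_world_writable DIR -> lists files and directories under DIR that anyone
# can write to (chmod 777 and friends). Symlinks always show 777 and sticky
# directories such as /tmp are world-writable by design, so both are skipped.
find_world_writable() {
    find "$1" -xdev ! -type l -perm -0002 ! \( -type d -perm -1000 \) 2>/dev/null
}

# Usage on a live host:
#   audit_sshd /etc/ssh/sshd_config
#   find_world_writable /var/www
```

Run `audit_sshd` against `/etc/ssh/sshd_config` and `find_world_writable` against your web root; a plugin that "requires chmod 777" shows up in the second list as soon as it is installed.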

Iced coffee is the best

I am not a very big fan of hot drinks, but I enjoy drinking a cup/glass/thermos/pot/gallon of coffee. I especially drink more of it when my taste buds dance around and say, “Wow! That was some good, quality coffee!” A few weeks ago I set out to find a better way to make my favorite drink – iced coffee. In my opinion, the best method of procuring coffee is in whole bean form. I tend to buy a brand that is roasted in my region – supporting the local economy – that also tastes good. I store the whole bean bag in my freezer and the ground beans in a small coffee can in my refrigerator.

At first, I tried pouring hot coffee over frozen coffee cubes, then added my refrigerated creamer. This lasted for a few weeks, but I couldn’t notice a huge difference in taste between water ice cubes and coffee ice cubes.

Second, I tried cold brewing coffee – placing ground coffee in cold water in the refrigerator overnight. This only resulted in weak, flavorless coffee.

Next, I tried hot brewing coffee, pouring it into a container, and letting it sit in the refrigerator overnight. This seems to be the best option so far. I still get to keep my 1.5 tbsp ratio of coffee grounds to resulting liquid. The ice cubes do not melt when the coffee is poured over them. I think I will stick to this option for now.

Provisioning VMs with cloud init

One of the easiest ways to deploy a virtual machine in oVirt is to install the OS first and then turn the VM into a template, which you can copy to deploy new instances. The mundane part comes after a template is copied to a new instance: logging in, changing the IP, setting the hostname, setting up Puppet, running Puppet, and so on. cloud-init is the tool designed to remove that mundane process by automating those steps. oVirt/RHEV (as well as OpenStack, AWS, and others) let you pass in user data, which is handed to cloud-init after the template is copied and the new VM is powered on. This allows scripting on the new VM and eases deployment.

For my environment, I wanted a CentOS 7 template. To have that, I must first install CentOS on a new VM and seal it (Windows calls this Sysprep). Before I seal it, I must install cloud-init and any other tools I might use for deployment – such as puppet. Here are the steps to obtain just that:

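The user data that cloud-init consumes on the clone's first boot can cover every manual step listed above. The script below is an added example, not code from the original post: it renders a cloud-config for a clone of the sealed CentOS 7 template and checks the one detail that silently breaks it (the first line must be exactly `#cloud-config`). Assumptions not from the post: the clone's NIC is `eth0`, Puppet 4+ lives under `/opt/puppetlabs` and `/etc/puppetlabs`, and the puppet server name is passed in.

```shell
#!/bin/sh
# Added example, not from the original post: render the user-data that
# oVirt/RHEV (or OpenStack, AWS) hands to cloud-init on the first boot of a
# clone of the sealed CentOS 7 template: hostname, static IP, puppet.conf,
# then a puppet run. Assumptions not from the post: NIC eth0, Puppet 4+ paths,
# and a puppet server name supplied by the caller.

# render_user_data FQDN IPV4/PREFIX GATEWAY PUPPET_SERVER -> cloud-config on stdout
render_user_data() {
    fqdn="$1"; cidr="$2"; gw="$3"; server="$4"
    cat <<EOF
#cloud-config
hostname: ${fqdn%%.*}
fqdn: ${fqdn}
manage_etc_hosts: true
# The clone must not keep the template's root/password access.
disable_root: true
ssh_pwauth: false
write_files:
  - path: /etc/sysconfig/network-scripts/ifcfg-eth0
    content: |
      DEVICE=eth0
      BOOTPROTO=none
      ONBOOT=yes
      IPADDR=${cidr%/*}
      PREFIX=${cidr#*/}
      GATEWAY=${gw}
  - path: /etc/puppetlabs/puppet/puppet.conf
    content: |
      [main]
      server = ${server}
      certname = ${fqdn}
runcmd:
  - [ systemctl, restart, network ]
  - [ /opt/puppetlabs/bin/puppet, agent, --test ]
EOF
}

# user_data_ok FILE -> true only if cloud-init will treat FILE as cloud-config.
# Anything else on the first line makes cloud-init log it as unhandled
# user-data and apply nothing, with no error visible from the hypervisor side.
user_data_ok() {
    [ "$(head -n 1 "$1")" = "#cloud-config" ]
}

# Usage:
#   render_user_data web01.example.internal 10.0.0.20/24 10.0.0.1 puppet.example.internal > user-data
#   user_data_ok user-data && echo "paste user-data into the VM's cloud-init custom script field"
```

The rendered file goes into the VM's cloud-init user data field (in oVirt, under the Initial Run tab) before the clone is started; `puppet agent --test` then does the remaining configuration on first boot.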

Securing PWM

In last week’s post we set up PWM insecurely. In this post, we are going to lock it down and install MariaDB (through the Puppet mysql module) to store the reset questions. This guide assumes you have this CentOS 7 server publicly accessible with ports 80 and 443 open to the entire world. First, we will need to install MariaDB, set up a database, and add a user to that database. To do that, we need to edit our manifest.pp and append the following:

 class { '::mysql::server':
     root_password           => 'My4cc0unt$$password!',
     remove_default_accounts => true,
     package_name            => 'mariadb-server',
     package_ensure          => 'installed',
     service_name            => 'mariadb',
 }

 mysql::db { 'pwm':
     user     => 'pwm',
     password => 'pwm_passworD2!', # Can't do a password hash here :(
     host     => 'localhost',      # the module default; PWM runs on this box, so no remote grant
 }

 class { 'mysql::bindings':
     java_enable => true,           # installs the JDBC driver package PWM needs
 }

 file { '/opt/tomcat8/pwm/lib/mysql-connector-java.jar':
     ensure  => link,
     target  => '/usr/share/java/mysql-connector-java.jar',
     require => Class['mysql::bindings'],
 }
We will also need to install additional modules:
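With only 80 and 443 meant to be reachable from the world, it is worth confirming that the MariaDB instance the manifest installs (and Tomcat itself) listens only where intended. The check below is an added example, not code from the original post; it goes beyond the MariaDB case by taking an allowlist of ports and flagging any other listener bound to a non-loopback address. It parses `ss -ltn` output, shown here on constructed sample lines.

```shell
#!/bin/sh
# Added example, not from the original post: flag listeners that are reachable
# from outside the host and are not on the expected public ports. Reads the
# output of `ss -ltn` (header optional) on stdin.

# audit_listeners "22 80 443" < ss-output -> prints offenders, returns 1 if any
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # ss -ltn columns: State Recv-Q Send-Q Local:Port Peer:Port
        $1 == "LISTEN" {
            local = $4
            m = split(local, parts, ":")
            port = parts[m]
            addr = substr(local, 1, length(local) - length(port) - 1)
            # loopback-only sockets are fine; * / 0.0.0.0 / :: / [::] are not
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (!(port in ok)) { print "unexpected public listener " local; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Usage on the PWM host:
#   ss -ltn | audit_listeners "22 80 443"
```

The Puppet mysql module's default my.cnf sets `bind-address = 127.0.0.1`, so MariaDB should pass; a Tomcat connector left on 8080 will not, and that is exactly the kind of thing this post is about closing off.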

Password management portal for end users

We in IT have heard it often, the #1 request coming into help desk ticket systems is password resets, account lockouts, and the like. PWM is a password reset web application written in Java for use with LDAP directories. You can configure it to work with Active Directory, OpenLDAP, FreeIPA, and others. There are already a handful of good tutorials on how to set up PWM (I think of this one in particular); however, I want to demonstrate the puppet apply command in this tutorial.


This guide assumes you have an Active Directory server with TLS set up (to change passwords) which is beyond the scope of this post. It also assumes you have a CentOS 7 instance which can communicate to the Active Directory server. It also assumes this is in an environment without a puppet master/server. The end manifest can be uploaded to a master and used that way.


Avoiding Catastrophic Failure

You may have already heard the news about Delta Airlines’ catastrophic failure. Ars Technica reports the true cause of the failure – routine maintenance of the power generators. It may sound presumptuous, or a little boastful, to say so, but housing your entire infrastructure in a single datacenter is not the best method. The blame is often placed on the IT personnel when computer systems go down, but in this case the error is shared. There was a maintenance individual who did not spot the potential for a fire, there is the building planning committee that placed the power sources too close together, there is the IT budgeting team that did not have an off-site solution, and there is the CTO misinformed about the infrastructure needs of a worldwide company. A catastrophic failure is anything that damages a company’s reputation.

I can understand the single point of failure – it is common in SMB/non-profit environments. The odds of that single point actually failing seem marginal at best, so it gets overlooked time and again, with some simply hoping the scenario never arrives. Budgetary constraints are the first roadblock; the second is the time to implement; the third is the internal security practices around customer data; and the fourth is that the time to restore after a catastrophic failure is under 24 hours – these also minimize the single point of failure in our minds. We so often minimize it that it slides from the #1 concern to #100 on the “do someday” list.

We live in the best computer age right now. Catastrophic failures can be avoided. Here are a few ways to prevent catastrophic failures.


The future without Microsoft Office products 

I recently submitted a proposal to remove Microsoft Office from my network and switch to Google Apps for Work and LibreOffice. This would yield a cost saving of ~$17.50 per user per month (GAFW $5 plan versus Office 2016 Professional Plus, Corporate, Open License, License Only). Some may argue that there are better license options with Microsoft and that $508 per user per 2 years (with the open license; source:) is not a fair estimate; however, it is also not fair to compare a stagnant version of Office against the always-updated GAFW or LibreOffice.

Why I went with Puppet over other CMEs

Configuration management engines (CMEs) have increased in popularity over the past several years. When I evaluated the potential options, I needed one that was free of charge, worked on Mac and Windows, and was easy to set up and use. At the time, only Chef, CFEngine, and Puppet had Windows clients, so I tested them all. Puppet came out the victor for several reasons:

Access Samba shares from Chromebook

Chromebooks are cloud focused. Many Chromebooks come with very limited storage in the hope that you will store everything in the cloud. While this is a great habit to practice, in all reality, how likely are you to store 2 TB of data in the cloud? Not many cloud providers even offer plans for that much storage.

Cloud computing cost analysis

Having a server in the cloud scared me at first. It wasn’t that being in a multi-tenant environment posed the possibility of others gaining access to my code/files – it was the cost that scared me. Not knowing whether I was getting the best deal always plagued my mind. Since electricity, A/C, and hardware maintenance were never factored into my budgets, it was hard to justify a server in the cloud when on-premise appeared to be so cheap.


Wayfinding with RPi

A few years ago I was tasked with looking at solutions for digital, static wayfinding. While there are some cool solutions available now for free with minimal setup, none of these were available to me. We were locked in with a digital signage company that charged $7,000/year for generating 640×480 graphics from events that showed up in our Exchange 2007 calendar.

The jump to Exchange 2010/2013 was dependent on our vendor upgrading their software to support the newer EWS protocol instead of the older protocols. This was a classic case of vendor lock-in, which is a horrible state to be in. Maintaining legacy software to keep an outdated system running should be avoided like the plague.

After taking a trip to Google HQ in Mountain View, CA (back when they did tours), I was encouraged by the motto they plastered all over the buildings: “the most complex problems are rarely solved with blunt force objects.” What also intrigued me was their form of digital wayfinding: an e-ink display with a wireless antenna that showed all of its circuitry – definitely made in house. Once the Raspberry Pi was released, this allowed me to formulate my own configuration.

After about a week of coding, I was able to make RPi-wayfinding. It is a simple PHP website that pulls in information from Exchange 2007+ (using EWS), a Google Calendar, or Planning Center Online Resources and displays it at 1920×1080. This setup has been running smoothly for close to 3 years.

Linux, nginx, MySQL 5.7, and PHP 7 (LEMP) on AWS with free SSL

A stack is a group of software that creates a foundation to build upon. The LEMP stack is a web software stack which allows for delivering web applications. It is one of the most common of the web stacks to deliver a PHP application. LEMP uses a Linux kernel, Nginx for the webserver, MySQL or MariaDB for the database, and PHP for the scripting language.

Nearly all GNU/Linux distributions use the same steps to install the required packages. There is too little change between Ubuntu versions to warrant separate posts titled “LEMP on Ubuntu 14.04” and “LEMP on Ubuntu 16.04”, as they would contain the exact same instructions. There are a few oddities on the Amazon Linux AMI in getting Let’s Encrypt working on a t2.nano (1 vCPU, 512 MB RAM) instance, which I will cover here.


Blame as a service (BlaaS)

Today I am pleased to announce a new offering – Blame as a Service (BlaaS).

With the ever-increasing number of SaaS offerings and cloud providers boasting high resiliency and low downtime, there will still be the inevitable glitch or hiccup, usually right when a CEO is looking at your team’s area of responsibility. With the recent passing of Murphy’s Law in IEEE, this has become more frequent in day-to-day operations.

BlaaS takes the blame for your incompetence by providing you with simple, easy-to-use templates that you can share with your CEO. These templates shift the blame from your choice of SaaS onto your BlaaS application, making you the hero and us the bad guy.

BlaaS has already saved several Developers from embarrassment and System Administrators from potential job loss and it can help you too!

The greatest story ever told

The greatest story ever told is how an Almighty God came down to earth, lived a perfect life, and offered Himself as a sacrifice for the sins of the whole world (past, present, and future). This is what the Easter weekend represents. There is a penalty for sin which must be paid. Jesus paid that penalty with his life. Those that confess that Jesus took their place and put their trust in Him will receive a pardon from sin, peace with God, and a prepared home in heaven.

Because God is so righteous, He cannot have unrighteousness near Him.

Because God is so holy, sin cannot come before Him.

Because I can be biased, I am unrighteous.

Because I am human, I have sinned.

Because God is so merciful, He provided a scapegoat to take my place.

Because God is loving, He placed my unrighteousness and sin upon Himself and died on the cross.

Because God is gracious, He offers a pardon to all those who trust in Him.

WiFi Captive Portal

A captive portal is a piece of software that prompts for user interaction before allowing a client to reach the internet or other resources on the network. It is a combination of a firewall and a web server. In this tutorial, I will explain how to create an open WiFi network with one. Before deploying an open WiFi network, you may want to consult a lawyer about the legality of and restrictions on running one. You can also review what lawyers have said here and here.

When a device first joins a network, it sends an HTTP request to a known probe URL and expects a specific answer: Android’s generate_204 probe expects a 204, while Apple’s and Microsoft’s probes expect a 200 with a known body. If the answer matches, the device assumes it has unrestricted internet access. A captive portal prompt appears when you intercept that first HTTP request and answer it with an HTTP 302 redirect to the portal page of your choice instead.

To set up a captive portal on a Raspberry Pi, you will need a wired network connection (I will refer to this as the WAN or uplink) and a wireless adapter which you can put into AP mode (such as one based on the Ralink RT5372 or RT5370). A server with two NICs would also suffice if you want to do this on a wired LAN instead.


UPDATE 2/15/2017: If you get the too many redirects error, look at the hotspot.localnet nginx configuration. It could be that the dollar signs $ are not present. The below block is what the location / block should look like in the hotspot.localnet virtual host.

     location / {
         # The variables must keep their dollar signs ($uri, $uri/), and the
         # fallback is a URI, so it begins with a slash.
         try_files $uri $uri/ /index.php?$args;
     }
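The probe-and-redirect mechanism described above has two halves: the client's connectivity probe, and the firewall rule that makes the Pi answer it with the portal instead of the real site. The script below is an added example, not code from the original post. Assumptions not from the post: Android's probe URL, `wlan0` as the AP interface, `eth0` as the uplink, `10.0.0.1` as the portal host, and dnsmasq on the Pi answering the clients' DNS.

```shell
#!/bin/sh
# Added example, not from the original post: (1) reproduce the connectivity
# probe a client sends when it joins a network and classify the answer;
# (2) the iptables rules that make a Raspberry Pi answer that probe with a
# redirect for clients it has not authenticated yet. Assumptions not from the
# post: Android's probe URL, wlan0 = AP side, eth0 = uplink, 10.0.0.1 = portal.

PROBE_URL="http://connectivitycheck.gstatic.com/generate_204"

# classify_probe STATUS REDIRECT_URL -> online | captive <url-or-dash> | offline
classify_probe() {
    status="$1"; redirect="${2:--}"
    case "$status" in
        204)                 echo online ;;              # expected answer: no interception
        301|302|303|307|308) echo "captive $redirect" ;; # the probe was rewritten with a redirect
        200)                 echo "captive -" ;;         # a page was substituted without redirecting
        *)                   echo offline ;;             # 000 = no connection, 5xx = broken upstream
    esac
}

# probe -> run the real probe with curl (needs network). curl reports the
# status code and, for a 3xx answer, the Location target it would follow.
probe() {
    set -- $(curl -s -o /dev/null --max-time 5 -w '%{http_code} %{redirect_url}' "$PROBE_URL")
    classify_probe "${1:-000}" "${2:-}"
}

# portal_rules AP_IF WAN_IF PORTAL_IP -> install the firewall rules (run as root)
portal_rules() {
    ap="$1"; wan="$2"; portal="$3"
    # Every HTTP request from the AP side lands on the portal web server on this
    # host, so the client's probe receives the 302 instead of the real answer.
    iptables -t nat -A PREROUTING -i "$ap" -p tcp --dport 80 -j DNAT --to-destination "$portal:80"
    # Clients that are later authorised are masqueraded out of the uplink.
    iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
    iptables -A FORWARD -i "$wan" -o "$ap" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Default: nothing from the AP side is forwarded. HTTPS cannot be redirected,
    # so it simply fails until the client has passed the portal.
    iptables -A FORWARD -i "$ap" -o "$wan" -j DROP
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# allow_client AP_IF WAN_IF MAC -> what the portal calls once the client has
# accepted the terms: skip the DNAT and the DROP for that client's MAC. The
# rules are inserted at the top, so they take precedence over the defaults.
allow_client() {
    ap="$1"; wan="$2"; mac="$3"
    iptables -t nat -I PREROUTING -i "$ap" -m mac --mac-source "$mac" -j ACCEPT
    iptables -I FORWARD -i "$ap" -o "$wan" -m mac --mac-source "$mac" -j ACCEPT
}

# Usage (as root on the Pi):
#   portal_rules wlan0 eth0 10.0.0.1
#   allow_client wlan0 eth0 b8:27:eb:12:34:56   # after the user clicks through
# From a client: probe   -> "captive http://10.0.0.1/..." before, "online" after
```

Running `probe` from a laptop on the open network is the quickest way to confirm the redirect is working; a result of `offline` rather than `captive` usually means the DNAT rule never matched (wrong interface name) or DNS is not answering, so the client never got as far as sending the HTTP request.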
