Scripting ssh master connections
At End Point, security is a top priority. We just phased out the last of the 1024-bit keys for all of our employees—those of us in ops roles that have keys lots of places had done so a long while back. Similarly, since we’ll tend to have several sessions open for a long while, a number of us will use ssh-agent’s -c (confirm) option. That forces a prompt for confirmation of each request the agent gets. It can get a little annoying (especially since it takes the focus over to one monitor, even if I’m working on the other) but it combats SSH socket hijacking when we have the agent forwarded to remote servers.
Working on server migrations is where it gets really annoying. I like to write little repeatable scripts that I can tweak and re-run as needed. They’re usually simple little things, starting with a bunch of rsync’s or pipe-over-ssh’s for pg_dump or any other data we need to move across. With any more than a couple of those ssh connections in there, repeatedly hitting the confirm button gets irritating fast. And if a large transfer takes a while, I’ll go off to do something else, later getting an unexpected confirmation box when I’m not thinking about the running script. …
ssh sysadmin
Provisioning a Development Environment with Packer, Part 2
In my previous post on provisioning a development environment with Packer I walked through getting a server set up with an operating system installed. This post focuses on setting up Ansible so that I can configure my development environment just the way I like it. Packer supports many different methods for provisioning. After playing with some of them, I decided that Ansible was a good mix of simplicity and functionality.
A Packer provisioner is simply a configuration template that is added to the JSON configuration file. The “provisioners” section of the configuration file takes an array of JSON objects, which means that you aren’t stuck with just one kind of provisioner. For example, you could run some shell scripts using the shell provisioner, then upload some files using the File Uploads provisioner, followed by your devops tool of choice (Puppet, Salt, Chef, or Ansible). You can even roll your own provisioner if desired. Here’s an example provisioner setup for the shell provisioner:
{
  "variables": {...},
  "builders": [...],
  "provisioners": [
    {
      "type": "shell",
      "inline": [ "echo foo" ]
    }
  ]
}
Sudo …
ansible devops environment tools
Setup Rails Environment with PostgreSQL on Apple Mac OS X
Setting up Rails on Mac OS X so that you can run a Rails application is a tedious process, and it can be a roadblock for newcomers. Here I have listed the steps to get a Rails application running with a PostgreSQL database on Mac OS X.
1. Rails
Before installing Rails, we need a couple of things installed on Mac OS X.
Ruby
Luckily, Mac OS X comes with Ruby preinstalled.
$ ruby -v
ruby 2.0.0p247 (2013-06-27 revision 41674) [universal.x86_64-darwin13]
Xcode and Command Line Tools
Install Xcode from the Mac App Store. Xcode contains some system libraries that are required for Rails.
To install the Command Line Tools, open Xcode -> Xcode (menu bar) -> Preferences -> Downloads -> Install ‘Command Line Tools’
Homebrew
Gems are installed with ‘gem’, and Homebrew installs the native libraries those gems depend on. Homebrew makes our life easier by handling those dependencies for us during installation.
$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Note: Xcode already comes bundled with gcc, but install gcc using Homebrew if you face any gcc problems while installing Rails.
$ brew tap homebrew/dupes
$ brew install apple-gcc42
$ sudo ln -s /usr/local/bin/gcc-4.2 …
mac postgres rails tls
Restrict IMAP account access to one (or more) IP address
If you need an extra layer of security on your mail server and know in advance who is going to access an IMAP account and from where (that is, from which IP addresses), then the following trick could be the perfect solution for you.
To use this feature you need Dovecot 2.x or later; then just add a comma-separated list of addresses/subnets to the last field of your Dovecot passwd-file:
user:{plain}password::::::allow_nets=192.168.0.0/24,10.0.0.1,2001:abcd:abcd::0:0/80
After a quick reload, Dovecot will start to enforce the new setting.
An additional neat aspect is that, from an attacker’s perspective, the error returned is the same as the one returned for a wrong password, which makes it practically impossible to discover that this extra protection is in place.
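To make the allow_nets behaviour concrete, here is a small added example (not code from the post, and not Dovecot’s own code) that parses passwd-file lines in the layout shown above, checks a client address against the allowed networks with Python’s ipaddress module, and returns the same plain failure for a wrong password, an unknown user and a disallowed source address, mirroring the indistinguishable error the post describes. The users, passwords and networks are constructed sample data; only the {plain} password scheme is handled.

```python
import hmac
import ipaddress

# Constructed sample passwd-file contents (not from a real server). The layout is
# Dovecot's passwd-file format: user:password:uid:gid:gecos:home:shell:extra_fields,
# with allow_nets carried in the last field exactly as the post shows.
SAMPLE_PASSWD_FILE = """\
alice:{plain}s3cret::::::allow_nets=192.168.0.0/24,10.0.0.1,2001:abcd:abcd::0:0/80
bob:{plain}hunter2::::::
"""


def parse_allow_nets(value):
    """Turn 'a.b.c.d/24,x.y.z.w,...' into ip_network objects (bare hosts become /32 or /128)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def parse_passwd_file(text):
    """Parse passwd-file lines into {user: {"password": ..., "allow_nets": ...}}."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        # maxsplit=7 keeps the colons of an IPv6 network in the extra field intact.
        fields = line.split(":", 7)
        fields += [""] * (8 - len(fields))
        user, password, extra = fields[0], fields[1], fields[7]
        # Only the {plain} scheme is handled in this example.
        if password.startswith("{plain}"):
            password = password[len("{plain}"):]
        allow_nets = None
        for token in extra.split():
            if token.startswith("allow_nets="):
                allow_nets = parse_allow_nets(token[len("allow_nets="):])
        users[user] = {"password": password, "allow_nets": allow_nets}
    return users


def authenticate(users, username, password, client_ip):
    """Return True only if the user exists, the password matches and the client IP is
    inside one of the allow_nets entries (or the account has no allow_nets at all).

    Every failure path returns the same plain False: as with Dovecot, the caller
    cannot tell a wrong password from a disallowed source address.
    """
    entry = users.get(username)
    if entry is None:
        return False
    if not hmac.compare_digest(entry["password"].encode(), password.encode()):
        return False
    if entry["allow_nets"] is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    # ip_network.__contains__ is False across address families, so an IPv4 client
    # never matches an IPv6 network and vice versa.
    return any(ip in net for net in entry["allow_nets"])


USERS = parse_passwd_file(SAMPLE_PASSWD_FILE)

if __name__ == "__main__":
    for user, pw, ip in [("alice", "s3cret", "192.168.0.42"),
                         ("alice", "s3cret", "203.0.113.9"),
                         ("alice", "wrong", "192.168.0.42")]:
        status = "OK" if authenticate(USERS, user, pw, ip) else "auth failed"
        print(f"{user} from {ip}: {status}")
```

When run, the first login succeeds and the other two print the identical "auth failed", which is the point: a client outside the allowed networks learns nothing it would not also learn from a mistyped password.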
Stay safe out there!
email iptables security
Bucardo, and Coping with Unicode
Given the recent DBD::Pg 3.0.0 release, with its improved Unicode support, it seemed like a good time to work on a Bucardo bug we’ve wanted fixed for a while. Although Bucardo will replicate Unicode data without a problem, it runs into difficulties when table or column names in the database include non-ASCII characters. Teaching Bucardo to handle Unicode names has been an interesting exercise.
Without information about its encoding, string data at its heart is meaningless. Programs that exchange string information without paying attention to the encoding end up with problems exactly like that described in the bug, with nonsense characters all over. Further, it’s impossible even to compare two different strings reliably. So not only would Bucardo’s logs and program output contain junk data, Bucardo would simply fail to find database objects that clearly existed, because it would end up querying for the wrong object name, or the keys of the hashes it uses internally would be meaningless. Even communication between different Bucardo processes needs to be decoded correctly. The recent DBD::Pg 3.0.0 release takes care of decoding strings sent from PostgreSQL, but other inputs, such as …
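The failure mode described above (junk in the logs, and lookups that miss objects which clearly exist) comes down to decoding the same bytes under the wrong assumption. This added example, written in Python rather than Bucardo’s Perl and not taken from the project, uses a constructed table name to show both halves: the mojibake you get by decoding UTF-8 bytes as Latin-1, and how the resulting string no longer matches the key the program holds for that table. The catalog contents and the name "café" are made up for the example.

```python
# Constructed example: a table name with a non-ASCII character, as the UTF-8 bytes a
# PostgreSQL server with a UTF8 database encoding would send over the wire.
TABLE_NAME = "café"
WIRE_BYTES = TABLE_NAME.encode("utf-8")  # b'caf\xc3\xa9'

# The program's own view of the schema, keyed by properly decoded names (constructed).
CATALOG = {"café": {"schema": "public", "columns": ["id", "montant"]}}


def decode_name(raw, encoding):
    """Decode bytes received from the server using the encoding the program *assumes*."""
    return raw.decode(encoding)


def find_table(catalog, raw, encoding):
    """Look a received table name up in the catalog after decoding it.

    With the right encoding this finds the entry; with the wrong one the decoded
    string is a different sequence of code points and the lookup silently misses.
    """
    return catalog.get(decode_name(raw, encoding))


def names_match(raw_a, enc_a, raw_b, enc_b):
    """Compare two names only after each is decoded with its own encoding.

    The same logical name arrives as different byte strings from a UTF-8 and a
    Latin-1 source, so comparing raw bytes says "different" for equal names.
    """
    return decode_name(raw_a, enc_a) == decode_name(raw_b, enc_b)


if __name__ == "__main__":
    print("decoded as utf-8  :", decode_name(WIRE_BYTES, "utf-8"))
    print("decoded as latin-1:", decode_name(WIRE_BYTES, "latin-1"))
    print("lookup (utf-8)    :", find_table(CATALOG, WIRE_BYTES, "utf-8") is not None)
    print("lookup (latin-1)  :", find_table(CATALOG, WIRE_BYTES, "latin-1") is not None)
```

The same name encoded as Latin-1 is the single byte b'caf\xe9'; comparing that byte string to the UTF-8 bytes says the names differ, while names_match, which decodes each side first, says they are the same. That is the reason every input to the program, not just the database connection, has to be decoded consistently.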
bucardo perl postgres replication unicode
Provisioning a Development Environment with Packer, Part 1
I recently needed to reconstruct an old development environment for a project I worked on over a year ago. The codebase had aged a little and I needed old versions of just about everything from the OS and database to Ruby and Rails. My preferred method for creating a development environment is to set up a small virtual machine (VM) that mimics the production environment as closely as possible.
Introducing Packer
I have been hearing a lot of buzz lately about Packer and wanted to give it a shot for setting up my environment. Packer is a small command line tool written in the increasingly popular Go programming language. It serves three primary purposes:
- Building a machine based on a set of configuration parameters
- Running a provisioner to set up the machine with a desired set of software and settings
- Performing any post processing instructions on that machine
Packer is really simple to install and I would refer you to their great documentation to get it set up. Once set up, you will have the packer command at your disposal. To build a new machine, all you need to do is call:
packer build my_machine.json
The file my_machine.json can be any JSON file and contains all the …
devops environment tools
Implementing Background Fetch in iOS 7
With iOS 7 out and gaining market share, the great features it introduced are becoming available to more and more users.
One such new feature is a set of so-called “background modes”.
States the application can be in, in iOS
To explain this new set of modes, let me first give you a really quick intro to the states an app can be in.
In iOS, at a given point in time, an app can be in one of the following states:
Not running
There is no process for the app in the system.
Inactive
The app is running in the foreground but currently is not receiving any events. (It may be executing other code though.) An app usually stays in this state only briefly as it transitions to a different state.
Active
The application is running and is receiving user input. The main user interface is visible on the display.
Background
The application is running. It’s not receiving user input. Its code is being executed but it will be switched to the suspended state very soon by the system.
Suspended
The app remains in memory, but it’s not being executed. It remains dormant until the user chooses to activate it again or the system switches it back to the background state to allow it to process certain kinds of data.
Background modes …
ios
Interchange table hacking
Interchange has a powerful but terribly obscure table administration tool called the Table Editor. You can create, update, and delete rows, and even upload whole spreadsheets of data, but the Table Editor isn’t the most flexible thing in the world, so sometimes it just flat-out refuses to do what you want.
So you trick it.
A client wanted to upload data to a table that had a single-column primary key (serial), but also had a unique three-column key that was only used in the upload process (because the uploaded data was intended to replace rows with identical three-column combinations). Example:
In the table:
code: 243
field1: AAA
field2: BBB
field3: CCC
data-fields: ...
In the spreadsheet:
field1 field2 field3 data-fields...
AAA BBB CCC ...
In the database definition for this table, I had to add a secondary key definition for Interchange’s use:
Database my_table COMPOSITE_KEY field1 field2 field3
in addition to the original key:
Database my_table KEY code
Here’s the problem this presents: when you add a COMPOSITE_KEY to a table, the Table Editor refuses to show the per-row checkboxes that allow you to delete rows. I thought I might have to write a custom admin …
interchange