Our Blog

SELinux Local Policy Modules

By Jon Jensen
May 11, 2012

If you don’t want to use SELinux, fair enough. But I find many system administrators would like to use it but get flustered at the first problem it causes, and disable it. That’s unfortunate, because often it’s simple to customize SELinux policy by creating what’s known as a local policy module. That way you allow the actions you need while retaining the added security SELinux brings to the system as a whole.

A few years ago my co-worker Adam Vollrath wrote an article on this same subject for Red Hat Enterprise Linux (RHEL) 5, and went into more detail on SELinux file contexts, booleans, etc. I recently went through the process of building an SELinux local policy module on RHEL 6 and RHEL 7 mail servers and found a few differences and want to document some of the details here. This applies to RHEL 5, RHEL 6, and RHEL 7, and near relatives CentOS, Scientific Linux, et al.

When under pressure …

If you’re tempted to disable SELinux, consider leaving it on, but in “permissive” mode. That will leave it running but stop it from blocking disallowed actions until you have time to deal with them properly. It’s as simple as:

setenforce 0

That will last until you reboot, unless otherwise …

Three Things: Rails, JOIN tip, and Responsiveness

By Steph Skardal
May 11, 2012

Here’s another entry in my Three Things series, where I share a few small tips I’ve picked up lately.

1. Rails and Dramas

Sometimes I think that since Rails allows you write code efficiently, [a few] members of the Rails community have time to overdramatize incidents that otherwise would go relatively unnoticed :) Someone with a good sense of humor created this website to track these dramas. While it’s probably a waste of time to get caught up on the personal aspects of the drama, some of the dramas have interesting technical aspects which are fiercely defended.

2. JOIN with concat

Recently I needed to perform a JOIN on a partial string match in MySQL. After some investigation, I found that I had use the CONCAT method in a conditional (in an implicit inner JOIN), which looked like this:

SELECT * FROM products p, related_items ri WHERE concat(p.sku, '%') = ri.id

In modern MVC frameworks with ORMs, databases are typically not designed to include data associations in this manner. However, in this situation, data returned from a third party service in a non-MVC, ORM-less application was only a substring of the original data. There may be alternative ways to perform this type of …

UTOSC Recap

By Josh Tolley
May 10, 2012

I spent three days last week attending the Utah Open Source Conference, in company with Josh Ausborne and Jon Jensen. Since End Point is a “distributed company”, I’d never met Josh Ausborne before, and was glad to spend a few days helping and learning from him as we demonstrated the Liquid Galaxy he has already written about.

This time around, the conference schedule struck me as being particularly oriented toward front-end web development. The talks were chosen based on a vote taken on the conference website, so apparently that’s what everyone wanted, but front-end stuff is not generally my cup of tea. That fact notwithstanding, I found plenty to appeal to my particular interests, and a number of talks I didn’t make it to but wished I had.

I delivered two talks during the conference, the first on database constraints, and the second on Google Earth and the Liquid Galaxy as they apply to geospatial visualization (slides here and here, respectively). Though I couldn’t get past the feeling that my constraints talk dragged quite a bit, it was well received. Where possible I kept it as database-agnostic as possible, but no talk on the subject would be complete without mentioning …

Inherit an application by rewriting the test suite

By Brian Buchalter
May 8, 2012

One of my first tasks at End Point was to inherit a production application from the lead developer who was no longer going to be involved. It was a fairly complex domain model and had passed through many developers’ hands on a tight client budget. Adding to the challenge was the absence of any active development; it’s difficult to “own” an application which you’re not able to make changes to or work with users directly. Moreover, we had a short amount of time; the current developer was leaving in just 30 days. I needed to choose an effective strategy to understand and document the system on a budget.

Taking Responsibility

At the time I was reading Robert C. Martin’s The Clean Coder, which makes a case for the importance of taking responsibility as a “Professional Software Developer”. He defines responsibility for code in the broadest of terms.

Drawing from the Hippocratic oath may seem arrogant, but what better source is there? And, indeed, doesn’t it make sense that the first responsibility, and first goal, of an aspiring professional is to use his or her powers for good?

From there he continues to expound in his declarative style about how to do no harm to the function and …

Monitoring many Postgres files at once with tail_n_mail

By Greg Sabino Mullane
May 8, 2012

This post discusses version 1.25.0 of tail_n_mail, which can be downloaded at https://bucardo.org/tail_n_mail/

One of our clients recently had one of their Postgres servers crash. In technical terms, it issued a PANIC because it tried to commit a transaction that had already been committed. We are using tail_n_mail for this client, and while we got notified six ways to Sunday about the server being down (from Nagios, tail_n_mail, and other systems), I was curious as to why the actual PANIC had not gotten picked up by tail_n_mail and mailed out to us.

The tail_n_mail program at its simplest is a Perl script that greps through log files, finds items of interest, and mails them out. It does quite a bit more than that, of course, including normalizing SQL, figuring out which log files to scan, and analyzing the data on the fly. This particular client of ours consolidates all of their logs to some central logging boxes via rsyslog. For the host in question that issued the PANIC, we had two tail_n_mail config files that looked like this:

## Config file for the tail_n_mail program
## This file is automatically updated
## Last updated: Fri Apr 27 18:00:01 2012
MAILSUBJECT: Groucho …

Problem with Cisco VPN on Ubuntu 12.04

By Szymon Lipiński
May 7, 2012

A couple of days ago I had to change my notebook. I installed Ubuntu 12.04 on the new one, while on the previous one there was Ubuntu 11.10. There were no problems with copying all the files from the old to the new machine, including GPG and SSH keys. Everything went smoothly and I could connect to all the machines I needed.

The only problem was with VPN. While working for one of our clients, I need to connect to their VPN. On the old machine I did that through the Network Manager. Nothing easier, I went to the Network Manager, chose the Export option and saved all the settings to a file. I copied the file to the new computer and loaded it into the Network Manager.

The file loaded correctly. I could switch the VPN on. It said everything works. But in fact it didn’t. The message was “VPN is connected”, I could switch it on and off, but I couldn’t access any of the client’s resources available from my previous notebook.

The first thing I checked was the content of /etc/resolv.conf on both computers. The file without connecting to VPN looked like this on both computers:

$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 127.0.0.1

When I connected to the VPN the files on …

End Point at the Utah Open Source Conference

By Josh Ausborne
May 5, 2012

End Point had a table at the Utah Open Source Conference at Utah Valley University this week. We implemented a “mini Liquid Galaxy” system for the event, and it was a big hit. Most of the other sponsors were offering services or recruiting, but End Point offered a physical item which people could touch and engage with. This allowed us to present our product and services to people, as well as make contact with people who may be interested in joining our team.

Numerous people were really excited about the Liquid Galaxy. The most common thing that people did first when they started using it was to look for their own homes, but they quickly moved onto other areas that contained more 3D building content. They asked questions about the practical application of the system, as well how well it would play games. Multiple other people asked about the ability to build video walls with the system. One of the biggest things that people found interesting about the hardware was the 3D mouse from 3Dconnexion. It took some visitors a while to get the hang of it, but others picked it up quickly and found themselves really liking the way it interacts.

The mini LG consisted of a headless head node, …

Instance Variable Collision with ActsAsTaggableOn

By Brian Gadoury
May 3, 2012

As developers, a lot of what we do is essentially problem solving. Sometimes it’s a problem of how to implement a specific feature. Sometimes it’s a problem with a specific feature. Last week, I ran into a case of the latter in some relatively mature code in the Rails app I was working on.

I was getting a sporadic exception while trying to save an instance of my StoredFile model. I encountered the problem while implementing a pretty trivial boolean field in my model, while I was playing around with it in the rails console. This is where it gets a little weird.

The exception message:

#<NoMethodError: undefined method 'uniq' for "":String>
#Backtrace:
... acts-as-taggable-on-2.2.2/lib/acts_as_taggable_on/acts_as_taggable_on/<b>core.rb</b>:264:in 'block in save_tags'
...rest of backtrace...

Note that none of my work was related to my model’s use of acts_as_taggable_on. I looked briefly at line 264 and its cohorts in core.rb, but nothing jumped out as “a giant, obvious bug in acts-as-taggable-on” (which I wouldn’t expect.) Also, the actual error is a bit suspicious. I love duck typing (and ducks) as much as anyone, but it’s pretty rare to see …