Posts

Showing posts from 2015

Docker Appliance as Linux Service RPM

Docker provides a convenient way to package entire applications into runnable containers. OTOH in the data center we use RPM packages to deliver software and configuration to our servers.

This wrapper builds a bridge between Docker appliances and Linux services by packaging a Docker image as a Linux service into an RPM package.

The resulting Linux service can simply be used like any other Linux service, for example start the service with service schlomo start.

See the GitHub repo at https://github.com/ImmobilienScout24/docker-service-rpm for code and more details and please let me know if you find this useful.

Signet Ring = Early 2 Factor Authentication

I recently met somebody who had a signet ring and suddenly realized that this is a very early form of 2-factor-authentication (2FA):

Signet Ring                                 | 2FA
Unique                                      | Unique
Difficult to copy                           | Supposedly impossible to copy
Seal proves personal involvement of bearer  | 2FA token proves personal interaction of owner

The main difference is of course that 2FA is commonly available to everybody who needs it while signet rings were and remain a special feature. But it is still nice to know that the basic idea is several thousand years old.

Cloud Exit Strategy

As ImmobilienScout24 moves to the cloud a recurring topic is the question about the exit strategy. An exit strategy is a plan for migrating away from the cloud, or at least from the chosen cloud vendor.

Opinions range from "why would I need one?" to "how can we not have one?" with a heavy impact on our cloud strategy and how we do things in the cloud.

When talking about exit scenarios it is worth distinguishing between a forced and a voluntary exit. A forced exit happens due to external factors that don't leave you any choice when to go. A voluntary exit happens at your own choice, both when and how.

Why would one be forced to have an exit strategy? Simply because running a business on cloud services carries other types of risks compared to running a business in your own data center:

- Cloud accounts can be disabled for alleged violation of terms
- Cloud accounts can be terminated
- There are no guaranteed prices. Running costs can explode as a result of a new pricing mo…

DevOps Berlin Meetup 2015-07

Is Amazon good for DevOps? Maybe yes, maybe no. But for sure the new Berlin office is good for a Berlin DevOps Meetup.

Jonathan Weiss gave a short overview over the engineering departments found here: AWS OpsWorks, AWS Solution Architects, Amazon EC2, Machine Learning.

Michael Ducy (Global Partner Evangelist at Chef Software) talked about DevOps and told the usual story. Michael used goats and silos as a metaphor and built his talk from the famous goat and silo problem. He sees the "IT manufacturing process" as silos (read History of Silos for more about that) and DevOps minded people as goats: multi-purpose, versatile, smart and stubborn at reaching their goals.
The attendees of the DevOps event probably did not need much convincing, but the talk was nevertheless very entertaining. Michael has an MBA and also gave some useful insights into how organisations evolve into silos and how organisational "kingdoms" develop.

The talk is available as video: 15min from Jan 2…

ImmobilienScout24 Social Day at the GRIPS Theater

Today I went to the GRIPS Theater (English) instead of the office. Once a year ImmobilienScout24 donates the work force to social projects, called Social Day. I used the opportunity to catch a glimpse behind the stage. The theater in turn got a workshop from us about their web site and social media channels.

But first we watched a very nice children's show (Ein Fest bei Baba Dengiz) about a German guy who learned respect for foreigners - from another German with Turkish background. The show was well adapted to the school-age audience.

The theater follows a somewhat unusual concept and places the stage in the middle of the audience:
This was my first visit to the GRIPS Theater, but not the last. Besides a rich children programme the theater also offers shows for adults and is most famously known for the show Linie 1.

Meetup Marathon

This week was my Meetup Marathon:

- Microservices Meetup Berlin about Software Memories and Simulated Machines by William Louth.
- Berlin DevOps about Scaling Logstash: A Collection of War Stories by Pere Urbon-Bayes and "Continuous development with Nix" by Rok Garbas. Sadly there was no time for the traditional fish bowl discussion.
- AWS User Group Meetup about STUPS tools & components platform by Henning Jacobs and Distributed Log Refinement Discussion by Christian Kniep.

Software Memories and Simulated Machines was above my head. Scaling Logstash made me wonder how many engineers you actually need to run that "properly". Nix is something we hopefully don't need; Rok actually said that if you package everything you don't need it.
STUPS is the "Cloud Ops" stack from Zalando, nicely published on GitHub:
The STUPS platform is a set of tools and components to provide a convenient and audit-compliant Platform-as-a-Service (PaaS) for multiple autonomous tea…

OpenTechSummit 2015

Yesterday was the first OpenTechSummit in Berlin, a new conference that came partially in place of the LinuxTag. The conference squeezed a large amount of talks into a single day. The talks were either 10 or 20 minutes long and covered many non-technical topics related to open knowledge or open technology.

One thing impressed me especially: All day long there were workshops for children and youth. While some kids took their first steps in coding, others came to work together on advanced programming or hardware projects.
The date (a German state holiday) made sure that children had time to attend; many IT people came together with their children. The organizers were actually surprised by the large number of children who registered for a free kids ticket.

I gave my "DevOps, Agile and Open Source at ImmobilienScout24" talk and put up some ImmobilienScout24 posters for our sponsoring.

Better Package Than Copy

Today I realized that for me it is easier to create a small package than to copy a single file.

The example is glabels-schlomo, a Debian package I created just now to store extra gLabels templates for the label sheets that I use at home. The motivation was that I spent half an hour looking through old backups to find a template definition that I had not copied over when I reinstalled my desktop.

Creating the package took another half an hour and now I can be sure that I won't forget to copy that file again. And I will also have the template definition at work in case I need to print a sheet of labels there.

If you also feel that packaging is better than copying then feel free to use this package as a template for your own stuff. It contains a Makefile and uses git-dch to automatically build a DEB release from the git commits.

WARNING is a waste of my time

How many log levels do you know? How many log levels are actually useful? At Relax and Recover we had an interesting discussion about the use of the WARNING log level.

I suddenly realized that in a world of automation, I need only two log levels:
ERROR and everything else. ERROR means that I as a human should take action. Everything else is irrelevant for me.

So far for the user side. As a programmer the choice of log level is sometimes much more difficult. As a programmer I might not want to decide for the user if some problem is an ERROR or not. The obvious solution is to issue a WARNING in an attempt to shed the responsibility of making a decision.

But in an automated world that does not help me as an admin to run the software better. WARNINGS for most cases only create extra manual work because somebody needs to go and check some log file and decide if there actually is a problem. I would rather have the software make that decision and I would be happy to fix or readjust the softw…

Exploring Academia

Last week I attended the Multikonferenz Software Engineering & Management 2015 in Dresden hosted by the Gesellschaft für Informatik:

My topic was Test Driven Development, but I had to rework my original talk to fit into 20 minutes and to be much less technical. As a result I created a completely new fast paced talk which draws a story line from DevOps over Test Driven Infrastructure Development into Risk Mitigation:

SE 2015 DevOps Risk Mitigation - Test Driven Infrastructure from Schlomo Schapiro

The conference is very different from the tech conferences I usually attend. First, I really was the only person in a T-Shirt :-/. Second, I apparently was invited as the "practitioner" while everybody else was there to talk about academic research, mostly in the form of a bachelor or master thesis.

As much as the topics were interesting, as little was there anything even remotely related to my "practical" work :-(

I still find it interesting to better combine the diff…

A Nice Day at CeBIT 2015

After many years of abstinence I went back to visit the CeBIT today. And actually enjoyed it a lot. It is funny to see how everything is new but nothing changed. From the oversized booths of the big players like IBM and Microsoft to the tiny stalls of Asian bank note counting machine vendors. From the large and somewhat empty government-IT-oriented booths to meeting old acquaintances and friends. But there are also several notable new things to see: For example Huawei shows itself being an important global player with a huge booth next to IBM. I managed only to visit a third of the exhibition but it was more than I could absorb in a single day. Nevertheless, my mission was accomplished with giving a talk about “Open Source, Agile and DevOps at ImmobilienScout24”. The talk is much more high-level than my usual talks and tries to give a walk-through overview. There were about 60-80 people attending my talk and the questions showed that the topic was relevant for the audience. So maybe giv…

Injecting a Layer of Automation

Relax and Recover is the leading Open Source solution for automated Linux disaster recovery. It was once the pride of my work and is now totally irrelevant at my current job at ImmobilienScout24.

Why? Simply because at ImmobilienScout24 we invest our time into automating the setup of our servers instead of investing into the ability to automatically recover a manually configured system. Sounds simple, but this is actually a large amount of work and not done in a few days. However, if you persist and manage to achieve the goal the rewards are much bigger: Don't be afraid of trouble; based on our automation we can be sure to reinstall our servers in a very short time.

The following idea can help to bridge the gap if you cannot simply automate all your systems but still want to have a simplified backup and disaster recovery solution:

Inject a layer of automation under the running system.
The provisioning and configuration of the automation layer should be of course fully automated. Th…

mod_remoteip backport for Apache HTTPD 2.2

Apache HTTPD 2.4 has a very useful new feature for large deployments: Replacing the remote IP of a request from a request header, e.g. set by a load balancer or reverse proxy. Users of Apache HTTPD 2.2 as found on RHEL6 can now use the backport found on https://github.com/ImmobilienScout24/mod_remoteip-httpd22.

I pulled this backport together from various sources found on the Internet and "it seems to work". Working with C code (which I did not do for 14 years!) taught me again the value of test driven development and modern programming languages. Unfortunately I still can't explain a change like this without a lot of thinking:
You can easily build an RPM from the code on GitHub. The commit history shows the steps I had to undertake to get there. Configuration is as simple as this:


LoadModule remoteip_module modules/mod_remoteip.so
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.100.15.33

with the result that a reverse proxy on 10.100.15.33 can set the X-Forwarded-…

Simplified DEB Repository

2 years ago I wrote about creating a repository for DEB packages with the help of reprepro. And since then I have suffered from the complexity of the process and cumbersome reprepro usage:

- Complicated to add support for new Ubuntu versions, which happens every 6 months
- Need to specifically handle new architectures
- I actually don't need most of the features that reprepro supports, e.g. managing multiple repos in one or package staging

This week I realized that there is a much simpler solution for my needs: apt-ftparchive. This tool creates a trivial repo with just enough information to make apt happy. For my purposes that is enough. All that I want from a DEB repo is actually:

- Work well with 50-500 packages
- Easy to add new Debian/Ubuntu/Raspbian versions or architectures
- Simple enough for me to understand
- GPG signatures

It turns out that the trivial repo format is enough for that; it makes it even simpler to add new distro versions because the repo does not contain any information about the di…

Ubuntu Guest Session Lockdown

The guest session is a very important feature of Ubuntu Linux. It makes it very simple to give other people temporary computer or Internet access without compromising the permanent users of the computer.

Unfortunately the separation is not perfect: the guest user can actually modify critical configuration settings on the computer and even access the files of the other users, if they don't take precautions.

The following scripts and files help to lock down the guest session so that no harm can be done.

How It Works

The guest session is actually a feature of the LightDM Display Manager that is used in Ubuntu and in Xubuntu. The guest session is enabled by default.
When a user chooses a guest session the following happens: LightDM uses the /usr/sbin/guest-account script to set up a temporary guest account. The home directory is created in memory (via tmpfs) and can occupy at most half the RAM of the computer.
Optionally, /etc/guest-session/prefs.sh is included as root to further custo…

No Site VPN for Cloud Data Centers

A site to site VPN is the standard solution for connecting several physical data center locations. Going to the Cloud, the first idea that comes to mind is to also connect the Cloud "data center" with a site VPN to the existing physical data centers. All Cloud providers offer such a feature.

But is such a VPN infrastructure also a "good idea"? Will it help us or hinder us in the future?

I actually believe that for having many data centers a site VPN infrastructure is a dangerous tool. On the good side it is very convenient to have and to set up and it simplifies a lot of things. On the other side it is also very easy to build a world-wide mesh of dependencies where a VPN failure can severely inhibit data center operations or even take down services. It also lures everybody into creating undocumented backend connections between services.

The core problem is in my opinion one of scale. Having a small number (3 to 5) of locations is fundamentally different from having …

PPD - Pimp your Printer Driver

I recently got myself a new printer, the HP Officejet Pro X476dw. A very nice and powerful machine, it can not only print double sided but also scan, copy and send faxes.

And of course it has very good Linux support, thanks to the HP Linux Printing and Imaging Open Source project. On my Ubuntu 14.10 desktop everything is already included to use the printer.

However, the first printouts were very disappointing. They looked coarse and ugly, much worse than prints from my old HP LaserJet 6 printer. After overcoming the initial shock I realized that only prints from my Ubuntu desktop were bad while prints over Google Cloud Print were crisp and good looking.

So obviously something has to be wrong with the printer driver on Ubuntu!

After some debugging I was able to trace this down to the fact that by default CUPS converts the print job to 300 dpi PostScript before giving it to the hp driver, as it shows in the CUPS logs:

D [Job 261] Printer make and model: HP HP Officejet Pro X476dw MFP D …

Comparing Amazon Linux

Since ImmobilienScout24 decided to migrate to a public cloud I have been busy looking at various cloud offerings in detail. Amazon Web Services (AWS) has a special feature which is interesting: Amazon Linux is a fully supported, "RHEL like", RPM-based Linux distribution.

While not being a true Red Hat Enterprise Linux clone like CentOS or Scientific Linux (which is the standard OS for the ImmobilienScout24 data centers), it is derived from some Fedora version and comes with a nice choice of current software. To me it feels like "RHEL +" because so far all our internal stuff worked well but a lot of software packages are much newer than on RHEL 6 or RHEL 7. The 2014.09 release updated a lot of components to very recent versions.

On the other hand, we also found packages missing from Amazon Linux, most notably desktop-file-utils. This package is required to install Oracle Java RPMs. I found a thread about this on the AWS Forums and added a request for desktop-file-…