Certbot on Amazon Linux without using Yum – Fix [Errno 2] No such file or directory May 18, 2019

So let’s say you’re running an aging version of Amazon Linux and don’t want to blow up your system by wedging in yum repos from distributions that aren’t quite in line with the CentOS derived Amazon Linux.
Instructions on the web call on users to use Fedora or RHEL yum repos for CentOS users; but on Amazon Linux, you’re kind of twice-removed.

So long-story short, here’s some fodder for those who want the benefits of LetsEncrypt without the fluff of a repo.

My instructions will be for Apache/HTTPD, but you’ll see the key linch-pin item below.

First, start by downloading Certbot by hand:

cd /usr/local/bin
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

cd /usr/local/bin

wget https://dl.eff.org/certbot-auto

chmod a+x certbot-auto

Second, back up your Apache HTTPD configuration:

tar -czvf /root/httpd-backup.tar.gz /etc/httpd

1	tar -czvf /root/httpd-backup.tar.gz /etc/httpd

Third, test certbot-auto and let it ‘bootstrap’ dependencies:
** An error is likely here**

./certbot-auto --debug
Bootstrapping dependencies for Amazon... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: priorities, upgrade-helper
amzn-main                                                                                                                                                                                     | 2.1 kB  00:00:00
amzn-updates                                                                                                                                                                                  | 2.5 kB  00:00:00
1066 packages excluded due to repository priority protections
Package 1:openssl-1.0.2k-16.150.amzn1.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.2k-16.150.amzn1.x86_64 already installed and latest version
Package system-rpm-config-9.0.3-42.28.amzn1.noarch already installed and latest version
Package ca-certificates-2018.2.22-65.1.20.amzn1.noarch already installed and latest version
Resolving Dependencies
... (ETC ETC)...

./certbot-auto --debug

Bootstrapping dependencies for Amazon... (you can skip this with --no-bootstrap)

yum is /usr/bin/yum

yum is hashed (/usr/bin/yum)

Loaded plugins: priorities, upgrade-helper

amzn-main | 2.1 kB 00:00:00

amzn-updates | 2.5 kB 00:00:00

1066 packages excluded due to repository priority protections

Package 1:openssl-1.0.2k-16.150.amzn1.x86_64 already installed and latest version

Package 1:openssl-devel-1.0.2k-16.150.amzn1.x86_64 already installed and latest version

Package system-rpm-config-9.0.3-42.28.amzn1.noarch already installed and latest version

Package ca-certificates-2018.2.22-65.1.20.amzn1.noarch already installed and latest version

Resolving Dependencies

... (ETC ETC)...

Error from certbot – “creating virtual environment” gives an error: “No such file or directory”:
After running the command above – you may see this error after it installs the dependencies for certbot:

Creating virtual environment...
Traceback (most recent call last):
File "", line 27, in
File "", line 19, in create_venv
File "/usr/lib64/python2.7/subprocess.py", line 185, in check_call
retcode = call(*popenargs, **kwargs)
File "/usr/lib64/python2.7/subprocess.py", line 172, in call
return Popen(*popenargs, **kwargs).wait()
File "/usr/lib64/python2.7/subprocess.py", line 394, in __init__
errread, errwrite)
File "/usr/lib64/python2.7/subprocess.py", line 1047, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory

Creating virtual environment...

Traceback (most recent call last):

File "", line 27, in

File "", line 19, in create_venv

File "/usr/lib64/python2.7/subprocess.py", line 185, in check_call

retcode = call(*popenargs, **kwargs)

File "/usr/lib64/python2.7/subprocess.py", line 172, in call

return Popen(*popenargs, **kwargs).wait()

File "/usr/lib64/python2.7/subprocess.py", line 394, in __init__

errread, errwrite)

File "/usr/lib64/python2.7/subprocess.py", line 1047, in _execute_child

raise child_exception

OSError: [Errno 2] No such file or directory

After some searching, I’ve found that this is really easy to solve!

To fix, upgrade pip and REMOVE virtualenv:

1. pip-2.7 install --upgrade pip
// Note: You might need to change the 2.7 to your python version
2. pip uninstall virtualenv
// note: when you do the upgrade, you'll see normal 'pip' is now in your path
// No need to do pip-<version>
3. pip uninstall virtualenv

1. pip-2.7 install --upgrade pip

// Note: You might need to change the 2.7 to your python version

2. pip uninstall virtualenv

// note: when you do the upgrade, you'll see normal 'pip' is now in your path

// No need to do pip-<version>

3. pip uninstall virtualenv

Now you’ll see that certbot works like a champ!

certbot-auto --debug --test --apache
Bootstrapping dependencies for Amazon... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: priorities, upgrade-helper
1066 packages excluded due to repository priority protections
Package gcc-4.8.5-1.22.amzn1.noarch already installed and latest version
Package augeas-libs-1.0.0-5.7.amzn1.x86_64 already installed and latest version
Package 1:openssl-1.0.2k-16.150.amzn1.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.2k-16.150.amzn1.x86_64 already installed and latest version
Package libffi-devel-3.0.13-16.5.amzn1.x86_64 already installed and latest version
Package system-rpm-config-9.0.3-42.28.amzn1.noarch already installed and latest version
Package ca-certificates-2018.2.22-65.1.20.amzn1.noarch already installed and latest version
Package python27-devel-2.7.16-1.125.amzn1.x86_64 already installed and latest version
Package python27-virtualenv-15.1.0-1.14.amzn1.noarch already installed and latest version
Package python27-tools-2.7.16-1.125.amzn1.x86_64 already installed and latest version
Package python27-pip-9.0.3-1.26.amzn1.noarch already installed and latest version
Nothing to do
Creating virtual environment...
Installing Python packages...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
(ETC ETC ETC...)

certbot-auto --debug --test --apache

Bootstrapping dependencies for Amazon... (you can skip this with --no-bootstrap)

yum is /usr/bin/yum

yum is hashed (/usr/bin/yum)

Loaded plugins: priorities, upgrade-helper

1066 packages excluded due to repository priority protections

Package gcc-4.8.5-1.22.amzn1.noarch already installed and latest version

Package augeas-libs-1.0.0-5.7.amzn1.x86_64 already installed and latest version

Package 1:openssl-1.0.2k-16.150.amzn1.x86_64 already installed and latest version

Package 1:openssl-devel-1.0.2k-16.150.amzn1.x86_64 already installed and latest version

Package libffi-devel-3.0.13-16.5.amzn1.x86_64 already installed and latest version

Package system-rpm-config-9.0.3-42.28.amzn1.noarch already installed and latest version

Package ca-certificates-2018.2.22-65.1.20.amzn1.noarch already installed and latest version

Package python27-devel-2.7.16-1.125.amzn1.x86_64 already installed and latest version

Package python27-virtualenv-15.1.0-1.14.amzn1.noarch already installed and latest version

Package python27-tools-2.7.16-1.125.amzn1.x86_64 already installed and latest version

Package python27-pip-9.0.3-1.26.amzn1.noarch already installed and latest version

Nothing to do

Creating virtual environment...

Installing Python packages...

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator apache, Installer apache

(ETC ETC ETC...)

Once you’ve established a working test configuration with certbot – you should see a LetsEncrypt test certificate on your site, it’s time to run the real command without the --test flag.

certbot-auto --debug --apache

If all goes well, you’ll have a completely valid and proper SSL certificate for free via LetsEncrypt!

I won’t cover the automation aspect as there are already endless write-ups on how to do that.

No Comments

Tags: certbot

Categories: apache servers

Using _.intersection for deep many to many filter June 26, 2015

Sometime you might find yourself needing a fast way to do a complex match on property from an array of objects under a property (confused?)

Let’s say I have a collection of objects as such:

[{
    id: 1,
    name: 'Item 1',
    groups: [{
        id: 1,
        name: 'Group 1'
    }, {
        id: 2,
        name: 'Group 2',
    }]
}, {    
    id: 1,
    name: 'Item 1',
    groups: [{
        id: 2,
        name: 'Group 1'
    }, {
        id: 3,
        name: 'Group 2',
    }]
}, {
    id: 1,
    name: 'Item 1',
    groups: [{
        id: 1,
        name: 'Group 1'
    }, {
        id: 4,
        name: 'Group 2',
    }]
}]

[{

id: 1,

groups: [{

id: 1,

}, {

id: 2,

}]

}, {

id: 1,

groups: [{

id: 2,

}, {

id: 3,

}]

}, {

id: 1,

groups: [{

id: 1,

}, {

id: 4,

}]

I want to have a fast way to get all items that are in group ID: 1 OR 2. The transverse can be just as useful, items NOT in groups with ID of 1 OR 2.

UnderscoreJS’s intersection method in conjunction with _.pluck can make short work of this task.

Here’s an example (in Typescript) for the given array of objects as above (array of objects, with property of ‘groups’, which is an array of group objects)

    public itemsInGroups = (groups: Array<any>, inverse = false) : Array<Item> => {

        return _.filter(this.worklog.consumed, function(i) {

            var itemGroups = _.pluck(i.groups, 'id');

            if (inverse) {
                return (_.intersection(groups, itemGroups).length == 0);
            }
            return (_.intersection(groups, itemGroups).length > 0);
        });
    };

public itemsInGroups = (groups: Array<any>, inverse = false) : Array<Item> => {

return _.filter(this.worklog.consumed, function(i) {

var itemGroups = _.pluck(i.groups, 'id');

if (inverse) {

return (_.intersection(groups, itemGroups).length == 0);

}

return (_.intersection(groups, itemGroups).length > 0);

});

};

The key here is the _.filter declaration within the Typescript method wrapper.

No Comments

Categories: programming

PHP Interface rant June 15, 2015

This isn’t my first rant about interfaces (which are finally receiving a due adjustment).

I haven’t tested it, but don’t believe I’ve seen anything pertaining to interface inheritance, look at the following use case for example, which fails in current PHP 5.6:

interface foo {
  public function bar(BarValueInterface $v);
}

class BarValueObject implements BarValueInterface {
  // etc.
}

interface subFoo extends foo {
  public function bar(BarValueObject $vo); // NOPE! Can't do it :(
}

interface foo {

public function bar(BarValueInterface $v);

}

class BarValueObject implements BarValueInterface {

// etc.

}

interface subFoo extends foo {

public function bar(BarValueObject $vo); // NOPE! Can't do it :(

}

There are some benefits to doing this, however as you can be implicit with the interface while supporting explicit behavior in other areas.

No Comments

Categories: php rant

How to show us your company is immature. June 9, 2015

I’ve seen ‘Sentry‘ pop up a few times – it’s a neat SaaS that ails the pains of logging and monitoring for development level logging. It’s pretty neat, has a spot for business for sure.

Here’s the problem and I touched base on this a while ago – your business WILL be judged on it’s class. (As in ‘classy person’).

Want my business’s money? Be more eloquent.

Remember, not everyone with a pocketbook is looking to trust critical data and infrastructure decisions on a company that thinks unnecessary words are professional enough for their home page slogan.

I can swear like a fish some days, but I maintain professional behavior to those outside my ‘circle’; there’s a song and dance you need to do for B2B and government relationship to open up the coffers for you. (This ain’t it).

No Comments

Categories: rant Uncategorized

Laravel/Lumen vs Symfony/Silex a corporate perspective May 30, 2015

YAPFC. Yet Another PHP Framework Comparison. I’m judging Silex and Lumen through their bigger brothers, Symfony 2 and Laravel 5.

After doing some extensive research, re-evaluating the PHP framework atmosphere, two frameworks and their respective “mini-me” counterparts seem to rule the seas.

In this post I’m simply sharing my opinion of Laravel and Symfony and their lighter-weight counterparts: Lumen and Silex. Drawing from my 15 years as a PHP developer, 10 as a professional (aka: full time employed) I am drawing from my perspective as a small business owner who does contract work and a government employee.

The winner is (for this developer): Symfony / Silex.

Let’s just start: I’m resting my laurels on Silex. (and Symfony).

As a business owner, it’s my job to choose the best balance between productivity and production for my clients. As leader of a development team, my concerns are pretty much the same, but I have to answer for more than being my own boss on the side. These are my points as to why I feel confident saying this (right now).

Quick note: Laravel is a very nice framework – if LTS was offered and there was a demonstrated history of design stability, my vote would be different.

1. Longevity.

Symfony offers LTS (long term support) for it’s versions, it’s corporation backed and has THE following of experienced developers doing their thing. This is extremely important to know, because that means the rug won’t be pulled out from under you from version to version. There’s a highly structured process in place for dealing with upgrades and notifying of BC breaks. Silex absolutely benefits from this.

Laravel on the other hand is more of a one-man show than Symfony. In my travels, I examined the version history of Laravel and Symfony, and I found that Laravel was simply too volatile for adopting into the environments that I work in. For lack of a better phrase, cutting edge in Laravel at times have clobbered those who chose to jump in with both feet at a more frequent cycle than Symfony. Lumen will have the same woes.

(Re-read that: at a more frequent cycle, PROGRESS has a cost – but there needs to be a methodical approach for enterprise environments to feel comfortable).

Not quite ready (http://www.reddit.com/r/PHP/comments/1eld2t/why_would_anyone_choose_laravel_over_symfony_or/)

2. Opinionated

Lumen is easy to set up – because it’s opinionated. Opinions in my world mean you’re harder to “slip stream” into a code base refactor. Can you gut it and make it your own? Yes. But that’s just as much work as starting with something without an opinion, right?

Silex is barely opinionated. Almost no training wheels, which makes it more hostile for inexperienced developers.

That’s it!

Really, those are the things that rub me the wrong way. I think Laravel/Lumen have a lower learning curve (due to opinion) and you truly can get off the ground faster with Lumen in my opinion. However, these frameworks largely do the same thing.

This is a somewhat painful decision

I honestly like Laravel/Lumen a bit better in regards to learning them quickly. Laracasts are a true contribution to the community – not just bettering the cause of Laravel.

I think in a few years, Laravel will become the big kid on the block that it deserves to be – but right now there’s too many warning flags going off regarding API stability and decision making.

Somewhat painful?

Yes! Laravel and lumen ship with Eloquent out of the box. It uses the active record paradigm and AR can’t hold a candle to a data mapper pattern in terms of protecting yourself from your dependencies.

This really rubbed me the wrong way because it’s like giving a loaded gun to an inexperienced developer (or team). I expected a better ORM architecture for a framework for artisans.

I realize I can ignore it, and use Doctrine – but really, they should not have coupled an ORM from the get go. It’s a “crack factor” for the framework in my opinion.

2 Comments

Categories: php programming

Commando style: triage dashboard May 20, 2015

If you’re working on a foreign system, or one that doesn’t have the bells and whistles that make you feel at home, sometimes you need to improvise tools on the spot by chaining together commands, etc.

This little one-snip serves as a “dashboard” approach for quickly assessing consumption,

DIVIDER="======================================" \
watch -n 2 -d \
"vmstat -d && \
echo $DIVIDER && \
df -hT && \
echo $DIVIDER && \
top -b -n 1 |head -n 15"

DIVIDER="======================================" \

watch -n 2 -d \

"vmstat -d && \

echo $DIVIDER && \

df -hT && \

echo $DIVIDER && \

top -b -n 1 |head -n 15"

Every 2.0s: vmstat -d && echo  && df -hT && echo  && top -b -n 1 |head -n 15                                                                                                          Mon Apr 13 20:05:39 2015

disk- ------------reads------------ ------------writes----------- -----IO------
       total merged sectors      ms  total merged sectors      ms    cur    sec
xvda  171468   1536 3785177  165124 4205092 1660144 125678640 11980920      0   2810
loop0      0      0       0       0      0      0       0       0      0      0
loop1      0      0       0       0      0      0       0       0      0      0
loop2      0      0       0       0      0      0       0       0      0      0
loop3      0      0       0       0      0      0       0       0      0      0
loop4      0      0       0       0      0      0       0       0      0      0
loop5      0      0       0       0      0      0       0       0      0      0
loop6      0      0       0       0      0      0       0       0      0      0
loop7      0      0       0       0      0      0       0       0      0      0
dm-0  354486      0 3469926   15188  62628      0 4110088  307268      0     17

Filesystem     Type      Size  Used Avail Use% Mounted on
/dev/xvda1     ext4       30G   13G   17G  43% /
devtmpfs       devtmpfs  2.0G   92K  2.0G   1% /dev
tmpfs          tmpfs     2.0G     0  2.0G   0% /dev/shm

top - 20:05:39 up 6 days, 11:32,  2 users,  load average: 0.01, 0.02, 0.05
Tasks: 115 total,   1 running, 114 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.3%us,  0.1%sy,  0.0%ni, 99.5%id,  0.2%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   4050724k total,  3895464k used,   155260k free,   163288k buffers
Swap:        0k total,        0k used,        0k free,   850944k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
    1 root      20   0 19600 1556 1244 S  0.0  0.0   0:01.34 init
    2 root      20   0     0    0    0 S  0.0  0.0   0:00.01 kthreadd
    3 root      20   0     0    0    0 S  0.0  0.0   0:01.82 ksoftirqd/0
    5 root       0 -20     0    0    0 S  0.0  0.0   0:00.00 kworker/0:0H
    7 root      20   0     0    0    0 S  0.0  0.0   0:14.77 rcu_sched
    8 root      20   0     0    0    0 S  0.0  0.0   0:00.00 rcu_bh
    9 root      RT   0     0    0    0 S  0.0  0.0   0:02.02 migration/0
   10 root      RT   0     0    0    0 S  0.0  0.0   0:03.61 migration/1

Every 2.0s: vmstat -d && echo && df -hT && echo && top -b -n 1 |head -n 15 Mon Apr 13 20:05:39 2015

disk- ------------reads------------ ------------writes----------- -----IO------

total merged sectors ms total merged sectors ms cur sec

xvda 171468 1536 3785177 165124 4205092 1660144 125678640 11980920 0 2810

loop0 0 0 0 0 0 0 0 0 0 0

loop1 0 0 0 0 0 0 0 0 0 0

loop2 0 0 0 0 0 0 0 0 0 0

loop3 0 0 0 0 0 0 0 0 0 0

loop4 0 0 0 0 0 0 0 0 0 0

loop5 0 0 0 0 0 0 0 0 0 0

loop6 0 0 0 0 0 0 0 0 0 0

loop7 0 0 0 0 0 0 0 0 0 0

dm-0 354486 0 3469926 15188 62628 0 4110088 307268 0 17

Filesystem Type Size Used Avail Use% Mounted on

/dev/xvda1 ext4 30G 13G 17G 43% /

devtmpfs devtmpfs 2.0G 92K 2.0G 1% /dev

tmpfs tmpfs 2.0G 0 2.0G 0% /dev/shm

top - 20:05:39 up 6 days, 11:32, 2 users, load average: 0.01, 0.02, 0.05

Tasks: 115 total, 1 running, 114 sleeping, 0 stopped, 0 zombie

Cpu(s): 0.3%us, 0.1%sy, 0.0%ni, 99.5%id, 0.2%wa, 0.0%hi, 0.0%si, 0.0%st

Mem: 4050724k total, 3895464k used, 155260k free, 163288k buffers

Swap: 0k total, 0k used, 0k free, 850944k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND

1 root 20 0 19600 1556 1244 S 0.0 0.0 0:01.34 init

2 root 20 0 0 0 0 S 0.0 0.0 0:00.01 kthreadd

3 root 20 0 0 0 0 S 0.0 0.0 0:01.82 ksoftirqd/0

5 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H

7 root 20 0 0 0 0 S 0.0 0.0 0:14.77 rcu_sched

8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcu_bh

9 root RT 0 0 0 0 S 0.0 0.0 0:02.02 migration/0

10 root RT 0 0 0 0 S 0.0 0.0 0:03.61 migration/1

No Comments

Categories: servers tools

iptables list – a helpful ~/.bashrc alias May 10, 2015

I grow tired of asking iptables to give me my line numbers for insert/deletes, and sometimes, I just want it to “cut to the chase” and give me numbers.

Toss this into your ~/.bashrc for making life easier:

alias ipt-ls='iptables -L -n --line-num -v'

1	alias ipt-ls='iptables -L -n --line-num -v'

then run source ~/.bashrc to reload.

Output sample:

Chain fail2ban-SSH (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1    24217 1846K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)

num pkts bytes target prot opt in out source destination

1 24217 1846K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Voila! Now you’ve got counters (helpful for debugging btw), numeric IP’s and line numbers at your fingertips!

No Comments

Categories: servers

Worthy of Distribution: Angularjs patterns April 29, 2015

Feel like you’ve gotten ‘over the hump’ on getting AngularJS to do what you want? Check out the video below to help save yourself from being overly analytical for your project structuring and avoiding common pitfalls (and general javascript pitfalls) for moving on to the “next level” for AngularJS development.

No Comments

Categories: angularjs programming

A PHP bug – really? (custom session handlers) April 18, 2015

It’s not often I ramble about PHP, since it’s my bread and butter. But after perusing the RFC notes to get up to speed on the PHP 7 pipeline, I found this: https://wiki.php.net/rfc/session.user.return-value

That bug has been around for how long? I’m amazed folks with pitchforks haven’t come out on that one sooner. I myself have suffered great pains dealing custom session handlers for this exact bug. Shame shame! (At least it’s getting fixed)

/rant

No Comments

Categories: php programming rant

PHP 7 Roundup – implicit ‘array to string’ conversion April 15, 2015

Feast your eyes upon this: https://wiki.php.net/rfc/array-to-string

If you’ve been in the trenches for a long time, chances are you’ve been bitten more than enough by the implicit array to string conversion as such:

$z = [1,2,3]; echo $z; // Array

1	$z = [1,2,3]; echo $z; // Array

It will now look like this in PHP 7: Catchable fatal error: Array to string conversion

No Comments

Categories: php programming

PHP 7 Roundup: Chainable ternary awesomeness. April 12, 2015

Feast your eyes on this: https://wiki.php.net/rfc/isset_ternary

This eliminates quite a bit of ‘noise’ and ‘fluff’ use in any display logic, it’s a new ternary operator that allows you to quickly set a default without doing the isset() dance.

This has a limited affect if you use a templating engine like Twig, but it’s still very nice if you have to do some quick and dirty default setting at the code level for display.

No Comments

Categories: php programming

A better way to give Logstash permissions to your logs

So you’re ready to rock out Logstash to ship your logs – there’s one little headache: You still need to give it access to your files. Chances are, you want “all of the files!”

The internet will (at the moment) instruct you to use “setfacl”, or various chown/chmod techniques or even add logstash to various groups.

READ THIS TECHNIQUE FIRST!

Why setfacl won’t work

Logrotate can be scripted, but sudo-io (sudo logging) can’t. There are other exceptions where logs not managed by logrotate don’t persist setfacl settings.

Why chmod/chown and adding “logstash” to groups its a bad idea

You’re making too many exceptions, and relinquishing flexibility to give access to the logs in a normal basis. (meaning, not using something like setfacl, but instead normal linux groups)

Then what works best?

It’s so clean and tidy: either through mount –bind or bindfs.
Feast your eyes on this:

mount --bind /var/log /srv/logstash-data
mount -o remount,ro,uid=123,gid=123 /srv/logstash-data

1 2	mount --bind /var/log /srv/logstash-data mount -o remount,ro,uid=123,gid=123 /srv/logstash-data

OR (in the case of ext4)

bindfs -u logstash -g nogroup -p 0000,u=rD /var/log /srv/logstash-data

1	bindfs -u logstash -g nogroup -p 0000,u=rD /var/log /srv/logstash-data

You’re given a tidy ‘ro’ binding of the /var/log dir ONLY readable by the logstash reader.

I hope this helps those who want to ship “all of the things!” – this is a good separation of concerns for managing logstash access.

‘bindfs’ is available in the default Debian repos as well!

No Comments

Categories: Uncategorized

How to use PHPUnit installed by composer in PHPStorm April 5, 2015

Ever wonder how to properly use those packages installed from the require-dev section of composer.json?

Ideally you’d integrate them with your IDE, or perhaps set up your system path to access it via vendor\bin\phpunit – If you use PHPUnit, take a quick look at this on how to properly set up PHPUnit in PHPStorm on a per-project basis (because not all projects use the same PHPUnit version).;

No Comments

Categories: php phpunit programming tools

PHP 7 Roundup: RETURN TYPES! March 27, 2015

Many years ago (in 2011) I wrote “interfaces are worthless“. For the most part they have remained mostly worthless for me as typically a superclass of sorts has proven to be a better solution for taxonomy and enforcing the exact typing rules I have criticized interfaces in PHP for in the past.

Feast your eyes on this: https://wiki.php.net/rfc/scalar_type_hints_v5 – not enough for you? ok, how about THIS! https://wiki.php.net/rfc/return_types

PHP 7 is shaping up to be a pretty awesome release. FINALLY. RETURN TYPES. INTERFACES. JOY.

No Comments

Categories: php programming rant

Composer and getting to vendor/bin March 22, 2015

Want to stop typing ‘vendor\bin\toolname’ to access tools like PHPUnit, phpcs, etc when installed through composer?

It’s a simple process really – merely add “vendor\bin” into your PATH variable and profit! (as long as you’re running the command from the project root).

No Comments

Categories: php programming tools

Ionic – Things I wish I knew out of the gate March 18, 2015

Cordova is a gamechanger. Ionic framework (and ngCordova) are game changers to the Cordova scene. However, I have already learned two very painful lessons as a beginner into the bowels of Cordova-tech:

Avoid ionic-generator

While yeoman generators can be helpful, the ionic-generator simply imposes too much junk into your workflow. It shouldn’t be a surprise to those familiar with the generators.

“ionic run <platform> -lc”

Words cannot express how upset I was after much searching and suffering with launching emulators that livereload (‘-l’) comes OUT OF THE BOX with ionic-cli. Their ‘getting started’ documentation has nothing on this (as of this writing)!

Avoid ‘../’ (relative paths) in ANYTHING

Unless you want to mess around with building, you will end up biting yourself eventually when testing. For example, when you test with the ‘serve’ functionality, everything is served over HTTP.

You can end up biting yourself when you use relative paths in regards to css, js or angular template files, e.g.:

.state('tab', {
    url: "/tab",
    abstract: true,
    templateUrl: "../templates/tabs.html" // DONT DO THIS.
    templateUrl: "templates/tabs.html" // DO THIS.
})

.state('tab', {

url: "/tab",

abstract: true,

templateUrl: "../templates/tabs.html" // DONT DO THIS.

templateUrl: "templates/tabs.html" // DO THIS.

})

http://foo.bar.com/../file.js is the same as http://foo.bar.com/file.js
file://www_app/../file.js is NOT the same as file://file.js

The problems manifest themselves when you run on your device, the protocols turn into file:// and aren’t protected from the browser fail-safe’s.

$stateProvider: ‘cache: false’

$state.go('foo', {}, {reload: true} does no good, you need to specify this extra property in your state definition in order to reload the controller.

No Comments

Categories: Ionic

AngularJS modals: anything NOT angular-ui-bootstrap March 17, 2015

I have grown warmly toward the semantic ui offerings. However, when dealing with a fledgling framework that doesn’t have an active port for angularJS, some things can be frustrating since you sometimes have to re-implement boilerplate calls that are already bundled in with the angular-ui-bootstrap project.

One of the bigger pain in the butt areas is the modal dialog. Specifically, wrapping a non-angularjs variant to support controllers, etc. There is a (nearly) silver bullet for your woes, take a look at the pain free abstraction called ‘angular-modal-service’ github.com/dwmkerr/angular-modal-service

By simply adding this into your project you can get many levels of complexity for a modal dialog in WHATEVER FLAVOR YOU WANT. Take a look, it’s been a life saver for me!

No Comments

Categories: angularjs

PHPCS custom standards and PHPStorm integration March 9, 2015

At about 6 minutes long, I threw together this screencast to show a method to involve your custom PHP CodeSniffer standards into your project workflow when using Composer. Essentially it covers the convenience of putting your standards into a Composer package and adding a wrapper to ‘extend’ the PHPCS shell/batch script to automatically detect your custom standards without having to install them system-wide in your development environment. *Best viewed in full screen*

No Comments

Categories: php programming tools

Securing Elasticsearch – Part 1 May 28, 2014

The most frequently asked question for ElasticSearch and security is “how do I require login”?

Once you’ve answered and implemented the answer to that question; a larger, truly more troublesome issue looms. The same principals used to secure ElasticSearch; typically a proxy fronted by Apache/nginx use various auth techniques. If you know what you’re doing, you have different endpoints in that proxy for controlling who can do GET/POST/DELETE requests, possibly pre-determining the index and type.

If you REALLY know what you’re doing, you’ll be far more concerned over the payload.

While reading through the documentation, I was surprised; no, SHOCKED to see that ElasticSearch ships with a security flaw as severe as remote code execution as an intentional feature through the dynamic scripting component of a body payload for ES.

If you’re responsible for running ElasticSearch servers…

You must examine how queries are sent into the server. If your web developers are sending near-verbatim DSL queries to ElasticSearch without any further filtration except auth and index constriction, please read this.

A malicious person could modify the payload directly to read files directly off of your filesystem and serve them up in ES.

The article contains a proof of concept (POC) link – simply download and modify the file and point it to your ES server and see if you’re vulnerable.

I think in most cases, dynamic remote scripting isn’t a big deal to turn off. So I’d strongly suggest following the advice on this page: script.disable_dynamic: true

Stay tuned for Part 2 of a more obsessive approach to securing ElasticSearch for use on public search interfaces.

2 Comments

Categories: nosql security servers

angular-ui-router – IE8 and nested states April 16, 2014

Just a quick tip, If you still have to maintain compatibility with IE8 (< AngularJS 1.3) – and you’re using angular-ui-router for nested views, the documentation for nesting states says you should use “<ui-view />” for your template for an abstract parent state:

Remember: Abstract states still need their own <ui-view/> for their children to plug into. So if you are using an abstract state just to prepend a url, set resolves/data, or run an onEnter/Exit function, then you’ll additionally need to set template: "<ui-view/>".

The problem is, IE8 doesn’t like “<ui-view />” – so instead, (I’d suggest this anyways), use:

<div ui-view=""></div>

1	<div ui-view=""></div>

2 Comments

Categories: angularjs Design programming purdy

Tales of an IT Nobody

devbox:~$ iptables -A OUTPUT -j DROP

Certbot on Amazon Linux without using Yum – Fix [Errno 2] No such file or directory May 18, 2019

Using _.intersection for deep many to many filter June 26, 2015

PHP Interface rant June 15, 2015

How to show us your company is immature. June 9, 2015

Laravel/Lumen vs Symfony/Silex a corporate perspective May 30, 2015

The winner is (for this developer): Symfony / Silex.

1. Longevity.

2. Opinionated

That’s it!

This is a somewhat painful decision

Somewhat painful?

Commando style: triage dashboard May 20, 2015

iptables list – a helpful ~/.bashrc alias May 10, 2015

Worthy of Distribution: Angularjs patterns April 29, 2015

A PHP bug – really? (custom session handlers) April 18, 2015

PHP 7 Roundup – implicit ‘array to string’ conversion April 15, 2015

PHP 7 Roundup: Chainable ternary awesomeness. April 12, 2015

A better way to give Logstash permissions to your logs

Why setfacl won’t work

Why chmod/chown and adding “logstash” to groups its a bad idea

Then what works best?

How to use PHPUnit installed by composer in PHPStorm April 5, 2015

PHP 7 Roundup: RETURN TYPES! March 27, 2015

Composer and getting to vendor/bin March 22, 2015

Ionic – Things I wish I knew out of the gate March 18, 2015

Avoid ionic-generator

“ionic run <platform> -lc”

Avoid ‘../’ (relative paths) in ANYTHING

$stateProvider: ‘cache: false’

AngularJS modals: anything NOT angular-ui-bootstrap March 17, 2015

PHPCS custom standards and PHPStorm integration March 9, 2015

Securing Elasticsearch – Part 1 May 28, 2014

If you’re responsible for running ElasticSearch servers…

angular-ui-router – IE8 and nested states April 16, 2014

Links

FLAIR

Categories

Archives