New tutorialinux guide: Getting Started with Linux Containers (LXC)

A while back, I did a YouTube series on Linux Containers (LXC). If you are (or want to be) a sysadmin or software developer, you need to know about Linux Containers, and understand how to use them. I’ve just written a ~45-page guide to getting started with this useful skill — check it out here! For those of you that want more details (or a link to the original playlist), read on:

Read more

Today I Learned: Migrating from sqlite to Postgres is easy with Sequel

I spent some time migrating an application from sqlite3 to Postgres today, and wanted to write down a few notes for next time. Here they are!

Read more

Today I Learned: ZFS send/receive is Like rsync, but Developed by a Much More Evolved Species

If you use ZFS, you already know that it completely knocks the socks off of other filesystems. It prevents and corrects data corruption, gives you incredible flexibility, and basically gives you everything you could ever want from a filesystem. If you use OpenZFS on several systems already, you probably know about the ‘send’ and ‘receive’ commands to do incremental transfer of snapshots between systems.

Here’s a great video on ZFS send and receive, which goes much deeper than most videos into how send and receive are implemented, along with some clever ideas for use cases where send/receive can really save you a lot of time and pain.

Because being able to mimic $50,000 enterprise filesystem replication on your home NAS or your little ‘friends-and-family’ WordPress hosting server is pretty effing cool.

Read more

Sysadmin Links, February (jk March) 2016

It’s been a really long time since the last batch of sysadmin links, so it’s time to get started again. Lots of great stuff to share from the last few months.


Enjoy!

HTTP Strict Transport Security

I’m excited for this post, because I get to introduce one of my best friends (and favorite coworkers) to the tutorialinux horde. I’ve been working with Christian in some form or another for several years now. We met while working at a startup in 2012, where he is the lead developer, and have worked on several projects since then. Although right now he gets paid mostly for programming work, he’s a longtime sysadmin and has been a huge influence on my growing taste for using FreeBSD systems in production.

You know those people who seem to have started in IT when they were still in diapers? That’s Christian. It’s my pleasure to welcome him as a contributor to tutorialinux. He’s got some fantastic stuff to share, and a huge amount of real-world experience to back up everything he teaches.

Lately, Christian and I have become a bit obsessed with encryption and HTTPS (going to far as to write a mini e-book about it, teaching people to set up TLS on their websites). Can you blame us? With the recent Internet security scares and the enormous push for TLS by organizations like Firefox, Tor, Google, Let’s Encrypt, and others, it’s definitely at the forefront of many system administrators’ and developers’ minds.

In these conversations about website security and HTTPS, you’ll often hear people talk about HTTP Strict Transport Security (HSTS for short). But what exactly is HTTP Strict Transport Security? How does it work? And how can you set it up in a few simple steps?

You’re about to find out.

Read more

32c3 Video: Analysis of Red Star, the North Korean OS

Did you know that Kim Jong Un, the glorious, fearless, and immaculately rotund leader of North Korea, loves Mac OS X (and possibly Madonna)? If not, you’ll want to check out this video about Red Star OS, the operating system which the North Korean government has put together for their citizens.

Read more

Protecting Your Website With HTTPS (SSL/TLS)

I’ve just released the first tutorialinux ebook. For those of you who want a sneak-peek, this post is basically a command-line-instructions only version of the practical content from the e-book. These instructions will get you a working configuration for serving HTTPS traffic to your website visitors.

Disclaimer: This post leaves out most of the background, theory, explanations, security and performance tuning, and additional considerations like backups, security, etc. All of this extra content is found in the e-book. If you want to support tutorialinux, buying the e-book is a great way to ensure that there’s a constant stream of new content coming out on YouTube and this website.

Okay, that being said, let’s get started!

If you’re a sysadmin, chances are that you feel strongly about the adoption of widespread encryption. Advertising companies, governments, and criminals are trying to track and record every move you and your website visitors make, every interest you show, and every thought you hint at. People are finally beginning to fight back by encrypting web traffic, even for pages that don’t absolutely require it, such as login or payment pages.

In this post, I’ll show you how.

Read more

How to Choose a Career in IT

Most aspiring tech people make a critical mistake when evaluating ideas for a career. They approach the problem from a 30,000-foot view, saying to themselves, “I might like a career in finance.” Then, they try to work out a more detailed niche, before making plans for getting there. This can work sometimes, but if you find yourself getting stuck in this high-level thinking, perhaps a more practical approach is right for you.

Read more

How to Get Into a Programming Career

I was just talking to a friend about programming. She’s interested for all kinds of reasons, not the least of which is that she’s read all about how ‘programming is the future’ and that tech people make tons of money.

We talked about some things that I thought would be useful to share more openly — so here it is: my advice for getting into programming, System Administration, or any other technology path.

Read more

32c3 Video: Capability-Based Security

System Administration and programming are becoming more and more entwined with each passing year. If you’re not programming yet (or don’t view the scripting/configuration-management you do as programming), my hunch is that you will be, soon.

There were a few talks at 32c3 about different methods for securing applications on Linux and Unix. You’ve probably heard of several, like AppArmor, SELinux. Capsicum is an interesting solution for FreeBSD; its basics are explained well in this video (although the video is really about another technology).

We’re definitely still at the very beginning stages of running untrusted code safely on our machines. It’s kludgy, breaks common applications, and works cleanly for only a few very specific use-cases at the moment. One of the problems is that applications really aren’t written with containment in mind — a lot of security problems require the cooperation of developers to really work smoothly. For example, your web browser needs to read and write files ANYWHERE on your filesystem (for opening local HTML and saving files from the Web). Even if web browsers had no other features, this would make them difficult to effectively contain.

CloudABI looks like it’s a big step forward in this space. It’s a way to limit what software can do once it’s running on your system; a sort of ‘restricted execution environment.’ CloudABI has three huge features, along with many great small ones):

  • Capsicum is always turned on.
  • Applications are forced to behave (no global namespaces, no hardcoded filepaths). Dependency injection is enforced.
  • Implementations/Ports for NetBSD + Linux.

This talk gives you a good idea of how it works on both a theoretical and a practical level. Even if you never write applications that comply with an environment like CloudABI or mechanisms like Capsicum/SELinux/AppArmor/etc., this talk is an interesting introduction to the thoughts behind how to contain applications, write safer/less-exploitable applications, and otherwise improve Operating System security.