Category Archives: Show Notes

Admin Admin Podcast #075 Show Notes – Highly Available Updates

In this show we read your feedback, we answer your questions and talk about what we’ve been up to!

Want to join the community talking about this podcast on Telegram? Join us!

Al’s back!

Jerry has been subcontracting freelance work out to other people, and talks a bit about how and why he started doing that. He also talks about how he’s using Selenium to sign up for free train Wi-Fi: he records the sign-up flow with the Selenium IDE Firefox add-on and replays it in a headless browser with selenium-side-runner.

Al asks how to update systems after a security incident on his email system. Jon mentions a Firefox add-on which watches for page changes (he credits the find to Steve Gibson, but couldn’t locate the one Steve mentioned and found this one instead: check4change). Jon describes an Ansible playbook for running apt upgrades, but notes that it doesn’t reboot the hosts when a reboot is required. Jerry also mentions Unattended Upgrades and yum-cron.
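An added example, not the playbook Jon describes, of closing the gap he mentions: apply the pending upgrades, then reboot a host only when the OS has flagged that it needs one. On Debian/Ubuntu that flag is the file /var/run/reboot-required; the second play extends the same idea to the yum family (the piece yum-cron leaves undone) using needs-restarting from yum-utils. The inventory group names debian_servers and rhel_servers and the timeouts are assumptions for the example.

```yaml
---
# Added example, not the playbook from the show.
# Assumed inventory groups: debian_servers, rhel_servers.
- name: Upgrade Debian/Ubuntu hosts and reboot only if the OS asks for it
  hosts: debian_servers
  become: true
  serial: 1                       # one host at a time, so a bad kernel cannot take the whole group down
  tasks:
    - name: Refresh the package index and apply every pending upgrade
      apt:
        update_cache: true
        cache_valid_time: 3600
        upgrade: dist
        autoremove: true

    - name: Debian/Ubuntu create this file when an upgrade needs a reboot
      stat:
        path: /var/run/reboot-required
      register: reboot_flag

    - name: Reboot and wait for SSH to come back (reboot module, Ansible 2.7+)
      reboot:
        msg: "Rebooting after package upgrade"
        reboot_timeout: 600
      when: reboot_flag.stat.exists

- name: Same idea for the yum family
  hosts: rhel_servers
  become: true
  serial: 1
  tasks:
    - name: Apply every pending update
      yum:
        name: "*"
        state: latest

    - name: needs-restarting lives in yum-utils
      yum:
        name: yum-utils
        state: present

    - name: needs-restarting -r exits 1 when a reboot is required, 0 when it is not
      command: needs-restarting -r
      register: needs_reboot
      changed_when: false
      failed_when: needs_reboot.rc not in [0, 1]

    - name: Reboot only when needs-restarting said so
      reboot:
        reboot_timeout: 600
      when: needs_reboot.rc == 1
```

The stat/needs-restarting checks are what turn a blind "upgrade everything" run into one that actually leaves the hosts on the patched kernel; serial: 1 keeps a broken reboot from taking a whole group down at once.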

Jon refers to an Ansible playbook he’s written for FortiGate firewall policies (not endorsed for use by his employer – use at your own risk!) and describes change management boards. Jerry mentions that you can convert an XLS to a CSV, and that Ansible can read CSV files.

Jon also mentions that he’s learning to use Terraform for IaaS (Infrastructure as a Service – basically Azure/AWS). He wrote a blog post about how he got started with Terraform on Azure, and mentions a talk by HashiCorp and Red Hat on how Ansible and Terraform can work together. Jerry explains how you can chain the output of Terraform into an Ansible run.
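An added example of the chaining Jerry describes (not Jerry’s or Jon’s code): one playbook runs terraform apply, reads terraform output -json, and registers the addresses Terraform returns as an in-memory inventory group that a second play then configures. The Terraform directory infra and the output names web_public_ips (a list) and ssh_user (a string) are assumed for the example; any Terraform configuration with equivalent outputs will do.

```yaml
---
# Added example, not code from the show.
# Assumes ./infra holds a Terraform configuration with outputs web_public_ips (list) and ssh_user (string).
- name: Apply Terraform and collect its outputs
  hosts: localhost
  gather_facts: false
  tasks:
    - name: terraform apply without prompting
      command: terraform apply -auto-approve -input=false
      args:
        chdir: infra
      register: tf_apply
      changed_when: "'0 added, 0 changed, 0 destroyed' not in tf_apply.stdout"

    - name: Read every output as JSON (the point where Terraform hands over to Ansible)
      command: terraform output -json
      args:
        chdir: infra
      register: tf_out
      changed_when: false

    - name: Parse the JSON once; each output is {"value": ..., "type": ..., "sensitive": ...}
      set_fact:
        tf: "{{ tf_out.stdout | from_json }}"

    - name: Put each new VM into an in-memory group for the next play
      add_host:
        name: "{{ item }}"
        groups: tf_web
        ansible_user: "{{ tf.ssh_user.value }}"
        # accept-new (OpenSSH 7.6+) tolerates the first contact only; pre-seed known_hosts for real use
        ansible_ssh_common_args: "-o StrictHostKeyChecking=accept-new"
      loop: "{{ tf.web_public_ips.value }}"

- name: Configure the freshly created hosts
  hosts: tf_web
  become: true
  gather_facts: false             # SSH may not be up yet, so do not gather facts until we have waited
  tasks:
    - name: Wait for SSH on the new instances
      wait_for_connection:
        delay: 10
        timeout: 300

    - name: Now gather facts
      setup:

    - name: Install a web server
      apt:
        name: apache2
        state: present
        update_cache: true
```

The add_host task is where Terraform state meets Ansible inventory; everything after it is an ordinary play. The host-key policy is the part to think about: accept-new only makes the first connection trust-on-first-use, so for anything beyond a lab, seed known_hosts out of band (for example from the instance’s console log) rather than trusting whatever answers on port 22.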

Al talks about The Phoenix Project as an audiobook, and asks for recommendations on further audiobooks to listen to. Jon recommends the “#CauseAScene Podcast”.

We then answer a question from a member of the Admin Admin Podcast community about High Availability:

The scenario is a CentOS 7 guest VM on a single ESXi host (no vCenter/HA) located at the customer site.

Users connect to a friendly URL via a web browser, which is mapped via an A record to a static IP within the customer’s block of IPs associated with their broadband.

The solution works well but has several single points of failure, as it’s a single CentOS 7 server running on a non-HA ESXi host, not to mention the reliance on the customer’s Internet connection.

If I wanted to make this highly available, either on site or via AWS/Azure, how would you go about it whilst also keeping it secure?

Main Components

  • Apache Web Server
  • PHP Code – Customer Bespoke Internal Website
  • MySQL/MariaDB – Database

How would you go about breaking these up into individual VMs? i.e. multiple web servers and separate PHP and database servers.

I would imagine you would then also require a front-end load balancer or reverse proxy.

Is this something you might look at using Docker for, and how would this impact database state and backups to ensure no data is lost?

We discuss feedback we received by email:

Hi chaps

In a recent episode you asked for feedback, so I thought I would drop a quick line to say that I enjoy listening to the show and look forward to it every other month. 60-90 minutes is about the right length and I think having a topic each time (e.g. IPv6) works well.

I can’t think of anything to offer for improvements – just more of the same please!

Cheers

Jon replied:

Are there any subjects you want us to cover in the next few episodes?

To which the response was:

Anything to do with Ansible or AWS would be of interest to me, as I use Ansible for all my servers and I’d like to get into AWS as it’s becoming something that clients are asking about.

Based on this email, we briefly discuss how Azure and AWS networking differs from physical networking.

We also discuss another piece of email feedback (trimmed on the podcast, but reproduced in full here):

Hi guys !

I just finished listening to episode 73 where Jon talked about the difficulties he had with certbot and some exotic architecture.

Here at work, we also had to figure out a way to secure many websites, hosted on various kinds of servers, and running on a variety of operating systems.

The best solution we came up with is to use nginx as a reverse proxy. That proxy handles the TLS part, and it’s the only place our certificates are located. It exposes the .well-known directory and redirects traffic to the proper servers. If we need to add or remove ciphers for security reasons, all of our websites are protected at once.

We also have a wildcard certificate for our company’s domain. I’ll take frenchguy.ch as an example. This cert is actually valid for two domains: frenchguy.ch and *.frenchguy.ch

Each time we need a new subdomain, we create it in our DNS and point it to the reverse proxy. We can then forward traffic to whatever server we want inside our network, even exotic ones.

This has many advantages:

  • there is only one place where the certs need to be stored – easy to back up, no need to run around the network when it’s time to renew the certs;
  • the cert is a wildcard, so we can have as many subdomains as we want;
  • the only server exposed to the Internet is the reverse proxy, not the actual web servers;
  • the traffic can be forwarded to old servers that do not support the new TLS protocols, or have old vulnerable ciphers – yes, I’m talking about you, IIS!;
  • the traffic is forwarded over HTTP, so we can reduce the load on the web servers;
  • there is no need to modify the actual web server; in particular, no need to expose the .well-known directory;
  • servers can be moved around, migrated from one architecture to another, etc. without having to bother about certificates or encryption.

That’s how we did it at work. It works like a charm for us, but that doesn’t mean it’s the only way to do it. If someone has another way to solve that problem I’d be glad to hear it!

Thanks for the great show, it’s always a pleasure to listen to.

Yannick
a.k.a. The frenchguy from Switzerland
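An added example of the layout Yannick describes, written as an Ansible play that drops the nginx vhosts onto the proxy (this is not Yannick’s configuration): every site gets a port-80 server block that serves ACME HTTP-01 challenges from the proxy itself and redirects everything else to HTTPS, and a port-443 block that terminates TLS with the one wildcard certificate and proxies plain HTTP to the inside server. The hostnames, backend addresses, certificate paths, the /var/www/acme webroot and the reverse_proxy inventory group are all assumptions for the example.

```yaml
---
# Added example, not Yannick's configuration. All names and paths below are assumed.
- name: Reverse proxy with central TLS termination
  hosts: reverse_proxy
  become: true
  vars:
    proxied_sites:
      - { name: app.frenchguy.ch,        backend: "http://10.0.0.12:80" }
      - { name: legacy-iis.frenchguy.ch, backend: "http://10.0.0.20:80" }   # old server, never exposed directly
    cert_file: /etc/ssl/frenchguy.ch/fullchain.pem      # the single wildcard cert (frenchguy.ch, *.frenchguy.ch)
    key_file: /etc/ssl/frenchguy.ch/privkey.pem
  tasks:
    - name: One vhost file per site
      copy:
        dest: "/etc/nginx/sites-available/{{ item.name }}.conf"
        mode: "0644"
        content: |
          # Port 80: ACME HTTP-01 challenges are answered here, on the proxy; everything else goes to HTTPS
          server {
              listen 80;
              server_name {{ item.name }};
              location /.well-known/acme-challenge/ { root /var/www/acme; }
              location / { return 301 https://$host$request_uri; }
          }
          # Port 443: TLS lives only here; the backend never sees a certificate
          server {
              listen 443 ssl http2;
              server_name {{ item.name }};
              ssl_certificate     {{ cert_file }};
              ssl_certificate_key {{ key_file }};
              ssl_protocols TLSv1.2;               # change the protocol/cipher policy here and every site gets it
              ssl_prefer_server_ciphers on;
              add_header Strict-Transport-Security "max-age=31536000" always;
              location / {
                  proxy_pass {{ item.backend }};   # plain HTTP to the inside server
                  proxy_set_header Host              $host;
                  proxy_set_header X-Real-IP         $remote_addr;
                  proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
                  proxy_set_header X-Forwarded-Proto https;   # the app only sees HTTP; this tells it the client used TLS
              }
          }
      loop: "{{ proxied_sites }}"
      notify: reload nginx

    - name: Enable the vhosts
      file:
        src: "/etc/nginx/sites-available/{{ item.name }}.conf"
        dest: "/etc/nginx/sites-enabled/{{ item.name }}.conf"
        state: link
      loop: "{{ proxied_sites }}"
      notify: reload nginx

    - name: Refuse to reload a broken configuration
      command: nginx -t
      changed_when: false

  handlers:
    - name: reload nginx
      service:
        name: nginx
        state: reloaded
```

Because the backend only ever sees plain HTTP, X-Forwarded-Proto is what tells the application that the client used HTTPS; without it, most frameworks generate http:// redirects and will not mark session cookies Secure. The nginx -t task runs before the handler fires, so a typo in a vhost fails the play instead of taking every site down with a bad reload. If the wildcard comes from Let’s Encrypt it is issued via the DNS-01 challenge; the /.well-known path here serves HTTP-01 for any per-host certificates.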

We thank Dave Lee (@thelovebug) for our audio production and our Patreons for their support, and we mention OggCamp (get your tickets now!) – we all plan to be there. Hope to see you there!

Admin Admin Podcast #074 Show Notes – Devops is not a dirty word

Sadly, we’ve no Al this time, it’s just Jon and Jerry.

Want to join the community talking about this podcast on Telegram? Join us!

In this episode, we talk about:

  • Options for how to change your Windows password without logging into a Windows machine
  • What Active Directory “is” – it isn’t open-source LDAP and Kerberos, but Microsoft’s implementation of those open protocols.
  • We want to do more Q&A – email us!
  • We talk about TDD and Infrastructure as Code
    • InSpec
    • RSpec
    • Noted that you sometimes need to mock connections to external services, and that it isn’t always possible, e.g. mocking a connection to an IRC server.
  • Mentioned IRC, SMTP, CI/CD, Vagrant
  • DevOps is a Buzzword (so was Cloud!) but it isn’t a dirty word!
    • Jon and Jerry disagree on terminology! Jon thinks DevOps is a culture, not tooling. Jerry thinks you can talk about DevOps tooling, because the tools didn’t exist, or weren’t in mainstream use, a few years ago.
    • Config Management Tools are mentioned (things like Ansible, Chef, Puppet, Salt and more…)
    • Jon talks about the siloing that happens in large enterprises, and then explains how DevOps aims to change that behaviour.
    • We talk about multi-disciplinary teams, and how the team members in those teams don’t lose their own unique skills. We talk about how Infrastructure as Code massively supports that requirement.
    • Jon mentions Smoke Tests, Jerry mentions Disposable Infrastructure. Jon mentions Geek Code, Failing Fast, chaos monkey and Game Days.
    • We mention change management rituals (including ITSM toolsets), why “don’t push to prod on a Friday” isn’t a good idea (in certain cases), and GitOps.
  • Synchronising between a “Live” and “Dev” WordPress environment – audience, we need your help! 🙂
    • Mentioned LAMP Stack and Restic
    • Taking Database Dump and manipulating the resulting data.
    • Suggested using an Ansible playbook, or MySQL views. Neither is suitable right now!
  • Mentioned OggCamp – and that they’re looking for talk submissions for the scheduled track at the moment.
  • Mentioned FossTalk Live

Admin Admin Podcast #073 Show Notes – This ain’t your pa’s Co-Lo Service

IPv4/IPv6 Questions following the previous episode
– Can you have dual stack?
– Dual-stack hosts prefer IPv6 when it is available, so a rogue IPv6 router advertisement on an otherwise IPv4-only network can be used as an attack vector (MITM) – https://www.virusbulletin.com/blog/2013/08/researchers-demonstrate-how-ipv6-can-easily-be-used-perform-mitm-attacks/
– Why do IPv6?
– How does peering work?
– Discuss mDNS

MVC (Model, View, Controller) explained, briefly, while talking about Laravel (a PHP web framework).
– Test Driven Development briefly explained – https://en.wikipedia.org/wiki/Test-driven_development
– Behaviour Driven Development briefly explained – https://en.wikipedia.org/wiki/Behavior-driven_development
Cucumber, InSpec, RSpec, Travis CI and Selenium mentioned

Certbot
– Issue with Let’s Encrypt’s TLS-SNI validation method (since disabled by Let’s Encrypt), which was resolved by upgrading Certbot so it could use another challenge type
– Talked about common issues with Certbot

Mentioned Travis CI again, and CircleCI

Talking about iptables firewalls and how that experience has been applied to a MikroTik firewall. Also mentioned generic firewall policies – https://jon.sprig.gs/blog/post/1019

Discussed replacing Microsoft Small Business Server (SBS) – what your options are in the cloud (Azure, AWS).

Mentioned Cryptography Video on DH Key Exchange – https://www.youtube.com/watch?v=YEBfamv-_do

Talked about at home backup solutions – Jerry recommends Restic – https://restic.net/

Talked about setting up KVM on Linux

If you want to talk to other members of the community, contact the hosts or support the show, please go to adminadminpodcast.co.uk

Admin Admin Podcast #072 Show Notes – Tunnels and Tools

Al was debugging VPN Tunnels

Jon was playing with IPv6

Hurricane Electric IPv6 Gateway on Raspbian for Raspberry Pi

Jerry was playing with SaltStack and building a LAMP stack from scratch using Ansible

iptables flow diagram

install UFW on CentOS (It’s in EPEL)

Podcasts mentioned in the show:

Other “things” mentioned in the wrap-up

Monitoring Weekly Newsletter, FossTalk Live, OggCamp

Admin Admin Podcast #071 Show Notes – Little CRUDdy clouds

What have we been up to:

Other things we mention:

CRUD (create/read/update/delete data)

Links to other podcast we mention:

Patreon Link 

Admin Admin Podcast #070 Show Notes – A game of two halves

We have an interview with VM (Vicky) Brasseur about:

Al and Jon mention Freenode Live event (although it’s now past us by!)

The website Al mentions about how to Renew SSL Cert on windows without generating a new private key.

Jon discusses an IPSec talk which he then wrote up on his own Blog with more details.

Jon also talked about a scam where someone was paid $15 to hook a box up to their router, which then captured all the traffic on their network.

Mark (from The Binary Times podcast) emailed in to suggest using a toner tester when trying to trace cables.


Admin Admin Podcast #069 Show Notes – Message received, decoded and understood

Things Mentioned in the Podcast:

Live Oggcamp show
National Cyber Security Centre 
JumpCloud
Vault by HashiCorp
Exchange TLS email
Office 365 deadline day
Amazon Simple Email Service
Mail-tester.com
tcpdump101.com and regex101.com
Renew SSL Cert on windows 
lnav Log Viewer

New Podcast we mention..

Bug Report
Linux Lads
Ubuntu Security Podcast
Tales Of The Unattested
The Binary Times
Hollywood Outlaws


Admin Admin Podcast #68 Show Notes – Live from OggCamp 2018

Thank you Joe Ressington for recording and producing the show!

Talks mentioned in the show:
Load Balancing 101 & Building a Linux Load Balancer
Plumbing for non-plumbers
Matrix, the year to date
rst2pdf: Use a text editor, make a 
Technologists of the World Unite. You have nothing to lose but your bosses!
Morality and Ethics – Caring is Everything

Other things mentioned in the show:

https://www.openshift.com/

Admin Admin Podcast #67 Shownotes – It’s all about the VPNs!

Storage Replica
Kanban 
Mind mapping
Mike Tech Show

Different types of VPNs:

Admin Admin Podcast #65 Show Notes – Learning to accept failure

This is the episode of the Iron Sysadmin podcast we discussed in the show

Windows Admin Center is the new way to manage servers in Windows Server 2016.

tldr command

Tiny Tiny RSS

Jon’s Learning List!

Mailing List: DevOps’ish: devopsish.com
Mailing List: Andy Bounds Tuesday Tip: andybounds.com
Mailing List: Security Newsletter: securitynewsletter.co
Mailing List: Awesome Self Hosting: selfhosted.libhunt.com
Mailing List: Servers for Hackers: serversforhackers.com
Mailing List: The Hustle: thehustle.co
Mailing List: Versioning: versioning.substack.com
Mailing List: Cron Weekly: cronweekly.com
Mailing List: DevOps Weekly: devopsweekly.com
Mailing List: Monitoring Weekly: http://weekly.monitoring.love
Mailing List: Raspberry Pi Weekly: https://www.raspberrypi.org/weekly
Mailing List: SRE Weekly: sreweekly.com
RSS: Free Tech Books: http://www.freetechbooks.com/rss
Slack: HangOps: hangops.slack.com
Slack: All Day Devops: alldaydevops.slack.com
Slack: Manchester Tech: mcrtech.slack.com

Al’s List

Mailing List: THE WORD FROM GOSTEV – you need to sign up to the Veeam forum to get the weekly digest.
Podcast: Minimalist
Podcast: brendon.com

Admin Admin Podcast #64 Show Notes – Enter the Matrix

    • Enabling TLS 1.2 and disabling TLS 1.1, TLS 1.0, SSL 3.0 and SSL 2.0.
      • Test which SSL/TLS versions your server supports – SSL Labs
      • Enable/disable TLS versions on Windows via a GUI – IIS Crypto
    • Immutable Infrastructures – CoreOS
      • CoreOS is a Linux distribution whose configuration is completely described in YAML
      • Kubernetes – learnt a bit more about it by actually installing it (Kubespray); trying to do it in an “air-gapped” environment proved hard work
      • Kubespray works by bootstrapping Python onto the CoreOS nodes so that it can use Ansible.
      • Doing Immutable Infrastructure with deb packages?
      • Docker
      • Terraform
        • Plan & Apply stage
        • Providers talk to cloud provider APIs
      • Lab with PXE Booting using Ansible
    • Highly available network appliances on OpenStack
      • allowed_address_pairs – 0.0.0.0/1 and 128.0.0.0/1
      • Virtual MAC address shared between the HA members, which means adding an extra allowed_address_pairs entry per virtual MAC address
      • Ansible with Jinja2 to build the allowed_address_pairs variable
    • Ansible 2.5 is out
      • with_subelements has been deprecated – it still works, but the documentation now refers to loop and lookup plugins
      • Loops can have names now
      • The roles: section can be replaced by include_role tasks
      • Ansible Galaxy roles don’t need to be the files from galaxy.ansible.com – you can use Git repos.
    • Matrix.org / riot.im
      • Bridges to Telegram and others
      • Matrix.org runs bridges to IRC, Slack and Gitter and host some bots and plugins.
      • Other bridges are in-place (e.g. t2bot.io) and you can host your own.
      • French Government to use Matrix as their inter-government communication system
      • Synapse (Matrix.org homeserver) federates between all the other Synapse servers, and updates the servers when they all come back online. Demo at matrix.org.
    • Email about Postlayer (email and spam filtering) being discontinued
      • Replaced by FuseMail
      • Discussed open source options (no conclusion)
    • Bullet journal revisited
      • Monthly too often – weekly…
  • Audio Production by Dave Lee @thebugcast
  • Fosstalk Live
  • Glasgow Podcrawl
  • Oggcamp
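For the OpenStack allowed_address_pairs item in the #64 notes above, an added example (not the playbook from the show) of building the pairs with a loop and applying them with the os_port module: one ip_address/mac_address entry per combination of prefix and virtual MAC, using the two /1 prefixes mentioned in the show. The cloud name, the port and network names and the VRRP-style virtual MAC are assumptions for the example.

```yaml
---
# Added example, not the playbook from the show. Cloud, port and network names are assumed.
- name: Allow the HA pair to carry any IPv4 address and the shared virtual MAC
  hosts: localhost
  gather_facts: false
  vars:
    # Per the show: two /1 prefixes instead of a single 0.0.0.0/0, together covering all of IPv4
    ha_prefixes:
      - 0.0.0.0/1
      - 128.0.0.0/1
    # Assumed VRRP-style virtual MAC (00:00:5e:00:01:<VRID>); take the real ones from the appliance
    virtual_macs:
      - "00:00:5e:00:01:0a"
    # Data-plane ports of both HA members (assumed names); the management ports are deliberately not listed
    ha_ports:
      - fw-a-eth1
      - fw-b-eth1
  tasks:
    - name: Build one {ip_address, mac_address} entry per (prefix, virtual MAC) pair
      set_fact:
        allowed_pairs: "{{ (allowed_pairs | default([])) + [{'ip_address': item.0, 'mac_address': item.1}] }}"
      loop: "{{ ha_prefixes | product(virtual_macs) | list }}"

    - name: Show what will be applied
      debug:
        var: allowed_pairs

    - name: Apply the pairs to each HA member's data-plane port
      os_port:
        cloud: mycloud                      # entry in clouds.yaml (assumed)
        state: present
        name: "{{ item }}"
        network: ha-dataplane               # assumed network name
        allowed_address_pairs: "{{ allowed_pairs }}"
      loop: "{{ ha_ports }}"
```

Two /1 prefixes let the port send and receive traffic for any IPv4 address, which is exactly what a firewall or load balancer in the middle of the path needs, but it also switches off Neutron’s anti-spoofing protection for that port. Apply them only to the appliance’s data-plane ports, as the ha_ports list does here, and leave every other port on the network with its default restrictions.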