GitHub and animated gifs…

For our n0r1skcom/echo DockerHub image we wanted to add a gif (see above) with console output to the corresponding GitHub project README.

But that wasn’t as easy as we had thought, because GitHub caches images through atmos/camo, and that causes problems with bigger gifs…

So we had to disable image caching via the HTTP headers of the source image. But these images live in our WordPress media library, and we didn’t want to disable image caching in general.

The solution for us was to configure the serving web server (in our case Apache) to set caching/expiry headers via a LocationMatch directive with a suitable regex.
The regex matches only images whose filename starts with “nocache_”, so every other uploaded image is left untouched.

Apache configuration sample
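An Apache configuration of the kind described above, added here as an example and not the post’s own sample; the WordPress upload path /wp-content/uploads/ and a loaded mod_headers are assumptions:

```apache
# Added example (not the post's own config). Assumes the standard WordPress
# upload path /wp-content/uploads/ and that mod_headers is loaded.
# Only files whose basename starts with "nocache_" get the no-cache headers;
# every other upload keeps the server's normal caching behaviour.
<LocationMatch "^/wp-content/uploads/.*/nocache_[^/]+$">
    Header set Cache-Control "no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "0"
</LocationMatch>
```

Verify with `curl -sI https://your-host/wp-content/uploads/2017/05/nocache_demo.gif` that Cache-Control is set, and with a normally named image that it is not.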

OpenSSH on IBM i (AS400) – some hints

Preface

I was asked to repost this article from our old wiki. So here it is – with the content back from 2011. If I find some time I’ll post how to restrict ssh access to users with a predefined group profile. Or better, let me know if you are interested in it 🙂

Prerequisites

Install the Portable App Solutions Environment (i5/OS PASE), which is shipped as i5/OS option 33.

Installation

Install IBM Portable Utilities for i5/OS (*BASE) and OpenSSH, OpenSSL, zlib Libs (Opt 1) from your i5/OS installation media in drive OPTxx.

Setup

For setup, use CL (Command Language) commands or the built-in terminal to change the configuration files.

Config file location

After the first call of WRKLNK, the DETAIL and DSPOPT parameters do not have to be specified anymore. If you are more familiar with vi, use these commands…

(Auto)start ssh daemon

From V6.1 on, the daemon is started with an integrated CL command. System-wide key files are generated at the first start!!! Autostart can be d

At V5.4 there is some more work to be done, as QSECOFR or as a user that meets the following prerequisites…

  • The userid that starts the daemon must have *ALLOBJ special authority
  • The userid that starts the daemon must be 8 or fewer characters long
  • Before starting sshd for the first time, you need to generate host keys by starting a PASE shell (STRQSH or CALL QP2TERM)

Start the sshd daemon within the same job…

or in a new job using PASE shell

or in a new job using CL

For autostart, contact your AS400 sysadmin to plan a job scheduler entry (WRKJOBSCDE) under the QSECOFR profile, to be sure that everything will run.

Stopping sshd

From V6.1 and following use…

In V5.4 you may find the running job and ‘kill’ it…

and stop the job using option 4 (End) for the job with the function PGM-sshd. If more than one job is listed, there are active connections to your system.

Enable public key authentication

Uncomment the following lines in the sshd_config file.

Generate keys and exchange them per user, as on any other Linux/Unix based system. Be aware that public key authentication will not work if public (write) authority is set on certain directories or files … just read on.

Nice hints

Check this before connecting via ssh to the AS400

  • The userid that is connecting must be 8 or fewer characters long
  • For public key authentication, verify the permissions on the userid’s directories and files
  • The userid’s home directory must not have public write authority (chmod go-w /home/myuserid)
  • The userid’s /home/myuserid/.ssh directory and /home/myuserid/.ssh/authorized_keys file must not have any group or public authorities (chmod go-rwx /home/myuserid/.ssh and chmod go-rwx /home/myuserid/.ssh/authorized_keys)
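A pre-flight script for the checklist above, added here as an example and not part of the original post; it runs in a PASE shell or any POSIX sh, and the user name and home directory passed to it are illustrative assumptions:

```shell
#!/bin/sh
# Added example (not from the original post): check the conditions listed
# above before trying public key login on IBM i (or any sshd with StrictModes).
# Print the group+other part of the ls -l mode string of PATH,
# e.g. "------" for mode 0700 or "r-xr-x" for mode 0755.
mode_bits() {
    ls -ld "$1" | cut -c5-10
}
# check_ssh_user USER [HOME]: report every violated condition; return 0 only
# if the profile name and all permission checks are fine.
check_ssh_user() {
    user=$1
    home=${2:-/home/$user}
    rc=0
    # sshd on IBM i only accepts profile names of 8 or fewer characters.
    if [ "${#user}" -gt 8 ]; then
        echo "FAIL: user name '$user' is longer than 8 characters"
        rc=1
    fi
    if [ ! -d "$home" ]; then
        echo "FAIL: home directory $home does not exist"
        return 1
    fi
    # Home may stay readable, but group/other must not be able to write to it.
    case $(mode_bits "$home") in
        *w*) echo "FAIL: $home is group/world writable (chmod go-w $home)"; rc=1 ;;
    esac
    # .ssh and authorized_keys must carry no group/other permissions at all.
    for p in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "FAIL: $p is missing"; rc=1; continue; }
        if [ "$(mode_bits "$p")" != "------" ]; then
            echo "FAIL: $p has group/other permissions (chmod go-rwx $p)"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $user meets the public key authentication requirements"
    return "$rc"
}
# Run directly as: sh check_ssh_user.sh myuserid
if [ -n "${1:-}" ]; then
    check_ssh_user "$1"
fi
```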

Once connected, you will be at a PASE for i command line.

Restrictions on ssh, sftp or scp in PASE shell

The PASE shell (STRQSH or CALL QP2TERM) is not a true TTY device. This can cause problems when trying to use ssh, sftp or scp within one of these sessions. Try this as a workaround:

  • For ssh: use the -T option so that no tty is allocated when connecting
  • For sftp and scp: use the ssh-agent utility and public key authentication to avoid sftp and scp prompting for passwords or passphrases

References and Links

IBM Redbooks on this topic
Another straight forward guide
Using chroot to restrict jail access to specific directories
Some security considerations

ACS – Run SQL Scripts – Saving result data to .csv and other

In my last post about ACS 1.1.7.0 I mentioned that it is the first really suitable version for developers. Now I want to share another nice to know…

While IBM support tells us how to Save Result Data to .csv or .xls Files Using Run SQL Scripts in iSeries Navigator, in ACS the feature is grayed out.

Just add these two lines to the AcsConfig.properties file to enable saving results:

Quality of service…

Most of the time when we try to look at some new software we catch some bugs, have compatibility problems and so on.

Let me give an example:
We work with an Ubuntu Desktop in a virtual environment and wanted to upgrade it to the newest 17.04 release because our main working tool (terminator) crashed every once in a while, leaving you sitting there without your already opened ssh sessions to many servers or with open vi’s with configuration files / script code / …
Upgrading wasn’t the problem – we used the software updater and everything was fine. Until our monitoring software (zabbix) wrote us an e-mail about a problem with our configuration management agent (puppet) – and BAM, there was the first problem…
So I wanted to install a new puppet agent via the puppet debian repositories -> actually no debian package for ubuntu 17.04…
Next problem -> the upgrade also removed the old puppet package which included facter -> so our monitoring reported a backup problem, because our backup script uses facter variables… the backup works but the monitoring part doesn’t…

That’s only one single example, but especially when it comes to docker, which is really a great enhancement for IT in general, there are bugs and errors (not only in docker itself) everywhere.

So, getting a system up and running with quality is really hard work with lots of testing, searching, reading & implementing.

For me, my part is to raise quality by trying to get any system to a certain standard which includes backup / monitoring / configuration management & scripts for automation. I think these are four of the many important things when developing new systems.

WordPress SSL (https) and Reverse Proxy (Nginx, Apache httpd)

As you can see, this blog is accessible through SSL (https) encryption only. Normally this is not a huge problem, but WordPress is a little bit clunky when it comes to a setup that also includes a reverse proxy.

General

The following text sums up several pages that can be found on the internet but often lack information. This WordPress blog that you are currently reading is running on an Apache httpd on localhost. In front of it, there is a second Apache httpd which acts as reverse proxy for different tasks. One of these tasks is to offload SSL (https) encryption.

WordPress installation

In the described setup you should first install the WordPress software on http (port 80) without SSL. If you enable SSL at this time chances are good that you end up in a redirect loop.

Configure SSL (https)

On the reverse proxy configure SSL as usual, but be aware that you have to set RequestHeader set X-Forwarded-Proto "https" inside the SSL virtual host! This is important, as otherwise the URLs generated by WordPress will be http links and you will get browser warnings later. Do not force a permanent redirect from http to https at this point, or you will not be able to install the WordPress plugin that takes care of your URLs.

After you have enabled basic https support, install the WordPress extension SSL Insecure Content Fixer and configure it to use the X-Forwarded-Proto header. Afterwards you have to modify wp-config.php to reflect these settings. If you want to use Jetpack, you also have to specify SERVER_PORT, otherwise you will receive an error message on wordpress.com during the configuration of your social media connections (There was an error retrieving your site settings.). You also have to force SSL for the admin area.

Hopefully this will help some people out there to get this up and running. If this config does not help you, leave a comment!

-M

Apache http reverse proxy config
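A reverse proxy configuration of the kind described above, added here as an example and not the blog’s own config; the host name, certificate paths and the backend address 127.0.0.1:8080 are assumptions:

```apache
# Added example (not the blog's own config). Assumes the WordPress backend
# listens on 127.0.0.1:8080 only, and that mod_ssl, mod_headers, mod_proxy
# and mod_proxy_http are loaded.

# Plain http stays reachable during installation (no forced redirect yet).
<VirtualHost *:80>
    ServerName blog.example.com
    # Set the header unconditionally, so a client cannot smuggle
    # "X-Forwarded-Proto: https" into a plain http request.
    RequestHeader set X-Forwarded-Proto "http"
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

<VirtualHost *:443>
    ServerName blog.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/blog.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/blog.example.com.key
    # The backend only speaks http; this header tells WordPress (via the
    # SSL Insecure Content Fixer plugin) that the client connection is https,
    # so generated links use https and no mixed-content warnings appear.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Because WordPress trusts X-Forwarded-Proto, the backend httpd must be bound to localhost (Listen 127.0.0.1:8080) so that nobody can reach it without going through the proxy that sets the header.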

Nginx reverse proxy

We don’t use Nginx at the moment, but it should work in the same manner. Just be sure that the X-Forwarded-Proto header is passed by the reverse proxy to the backend.

WordPress wp-config.php

Okay, Houston, we’ve had a problem here.


This quote perfectly reflects the essence of what makes our job as DevOps thrilling. Sometimes it’s like on Apollo 13. You are writing an e-mail and just one second later the master caution is triggered and you have no idea what happened. And for me that is the moment where our job gets out of the often boring daily business and the engineer within us awakens. We literally take our slide rules and we do what we can do best, as Einstein said: “Scientists investigate that which already is; Engineers create that which has never been.”

Therefore on this blog I will write about all that technology and engineer stuff that surrounds me like a satellite and about things that I am interested in. And sometimes that will be sarcastic. Have fun and follow up!

ACS 1.1.7.0 – First suitable version for developement and end-user

When ACS (IBM i Access Client Solutions) version 1.1.6.2 introduced additional support to restrict functions using Application Administration (see also May Dawn’s post), I felt happy to get a real tool to limit the usage of ACS functions for end users.
We no longer worry 🙂 about end users being able to find the AcsConfig.properties file and enabling all components by commenting out com.ibm.iaccess.ExcludeComps (see the GettingStarted Guide).

ACS Version 1.1.7.0 and Application Administration restriction message
ACS Version 1.1.7.0 – restrict functions in Application Administration and new Database management features like Schema

But together with the new features like Schema – the database management interface – and some improvements in Run SQL Scripts, we were able to provide a real alternative to Windows 10 users, who so far had to use the slow IBM Navigator for i web tools (to be supported).

Hello IBM i (AS400) community

I will write what drives me (crazy) as IBM i SysAdmin. Transforming a grown AS400 system to a well managed, fully integrated and virtualized Power System running i5/OS remains exciting.

If you understand the following IBM i abbreviations and trademarks – stay tuned! ACS, PowerVM, HMC, SVC, V5000, Navigator for i, Admin Server, PASE, PowerHA, BRMS, RDi, VIOS, LPAR, …

Hello IT World!

This is our “next generation” blog – hopefully it survives a little longer than the last ones. 😀

Mario & I (Bernhard) will try (once again) to let the world know a little about what is going on in our IT world. We’ll try to write something about Docker / LoadBalancing / OpenSource and so on…

It would be nice if you follow us – stay tuned!