Blog | Luis Cacho

Understanding the Compliance Operator

Tue, 16 Aug 2022 00:00:00 +0000

Table of Contents

Compliance studies a company’s security processes. It details their security at a moment in time and compares it to a specific set of regulatory requirements. These requirements come in the form of legislation, industry regulations, or standards created from best practices.

Every company can protect its data accordingly if they follow Compliance frameworks and have quality security in place. To have proper protection, companies must understand that Compliance is not the same thing as security. However, security is a big part of Compliance.

Becoming secure and compliant means securing information assets, preventing damage, protecting it, eliminating potential attack vectors and decreasing the system’s attack surface.

Compliance Operator Introduction

The Compliance Operator was released in OpenShift Container Platform v4.6, and allows OpenShift Container Platform administrators describe the desired compliance state of a cluster and provides them with an overview of gaps and ways to remediate them. The Compliance Operator assesses compliance of both the Kubernetes API resources of OpenShift Container Platform, as well as the nodes running the cluster. The Compliance Operator uses OpenSCAP, a NIST-certified tool, to scan and enforce security policies provided by the content.¹

The Compliance Operator is available for Red Hat Enterprise Linux CoreOS (RHCOS) deployments only.

To secure your OpenShift cluster, it is necessary to consider both; platform (Kubernetes/OpenShift API) and host OS (RHCOS) perspectives, because Kubernetes is composed of control plane machines (master) and worker machines (node), then the Kubernetes services such as API Server, etcd, or controller manager run on the control plane to manage the workloads on the worker machines.

Platform and Host Perspective

The basic approach to perform hardening in a RHCOS host is described in the documentation and it is based in the RHEL 8 Security Hardening. For instance, the hardening consists in validate if the file has appropriately restrictive file permissions, if the file ownership is appropriately set, if required systemd services or processes are launched with appropriate arguments or parameters in the configuration, or if the appropriate kernel parameters are set. Then, hardening the control plane is specific to the Kubernetes services and includes the control plane components or the master configuration files. It should validate if the API server has started with restrictive arguments regarding allowing specific admission plug-ins, enabling audit logging, applying etcd server and peer configurations, and restricting RBAC, among others. For clusters that use RHCOS, updating or upgrading are designed to become automatic events from the central control plane, because OpenShift completely controls the systems and services that run on each machine, including the operating system itself through the Machine Config Operator.

Why Compliance Operator?

Why is the Compliance Operator needed to validate the hardening and apply changes in the configuration of the operating system and the platform? The Compliance Operator is defined as follows:

The Compliance Operator lets OpenShift Container Platform administrators describe the required compliance state of a cluster and provides them with an overview of gaps and ways to remediate them. The Compliance Operator assesses compliance of both the Kubernetes API resources of OpenShift Container Platform, as well as the nodes running the cluster. The Compliance Operator uses OpenSCAP, a NIST-certified tool, to scan and enforce security policies provided by the content.¹

In other words, the Compliance Operator checks the host and the platform to detect gaps in compliance by specifying profiles for scan and creates summary reports about security compliance so that you will be able to find if there is any configuration that violates the policy in the cluster. The reports also show which remediations are applied, so you can choose if you want to apply the recommended configuration by hand, step-by-step, or automatically. In short, the whole process goes like this: choosing a profile for scanning, specifying the scan settings, then initiating the scan, and generating the reports.

Compliance Operator Overview

The Compliance Operator leverages OpenSCAP, a NIST-certified tool, to scan and enforce security policies, and the security policies for the compliance checks are derived through SCAP content and built from the community-based ComplianceAsCode/content project. A bundle of security policies, or profiles created by default when the operator is installed and profiles scheduled include NIST 800-53 Moderate (FedRAMP), Australian Cyber Security Centre (ACSC) Essential Eight, CIS OpenShift Benchmark, and others, so far. You can also create or tailor your own profiles so that you can pick the rules you want to run other than the profiles provided by default.

How can I implement Compliance Operator in my cluster?

First of all, you will need to install the Compliance Operator, for that, you can follow the documentation steps

Great, the Operator is installed and functional, now lets check how to create, run and evaluate a compliance scan.

References:

https://docs.openshift.com/container-platform/4.8/security/compliance_operator/compliance-operator-understanding.html ↩︎ ↩︎

Gitkraken Ambassador

Mon, 09 Aug 2021 00:00:00 +0000

Table of Contents

Hello again,

I’m happy to announce that I’m participating in the GitKraken Ambassador program.

For me, it is a joy that the GitKraken team trusts me for this work.

GitKraken Ambassador

I have been a GitKraken advocate even before they launched this program. I always recommend it to all my friends and colleges because I have loved it since the first time I used it, back in 2018.

Now, I’m being named Ambassador to actively promote it in community events, meetings with other Ambassadors, beta-testing of new functionality, etc. Also, I will create some post showing/explaining how I use GitKraken in my job, that is A LOT.

For joining the GitKraken Ambassador team, I received:

Free GitKraken Pro Account ($79 value)
Ambassador Starter Kit: Stickers, Swag & Resources
Access to a private Ambassador Slack Channel
Exclusive Ambassador Content & early access to beta features
Access to GitKraken Product Team to share feedback and get exclusive insight

GitKraken Ambassador Starter Kit

What is GitKraken?

Let’s start defining what is GitKraken for me and how I use it.

GitKraken provides me the easiest, safest, and most powerful way to interact/work with:

Git
GitHub
GitLab,
and more Source Code Management (VCS)

becoming the best complement to manage your source code.

As an Infrastructure consultant, I contribute to Ansible playbooks/roles, Terraform provisioning, Kubernetes/OpenShift manifests, Documentation, and more, but my profile is not necessary as a Developer. I consider myself more a DevOps Practitioner where, from my perspective, I write code for Infrastructure in a declarative way; that being said, my workflow is slightly different from a Developer.

That means I usually do all my code in VSCode. Sometimes I commit using the terminal and sometimes using the Kraken. Once I’m ready to push my changes, I switch to GitKraken to review that I’m in the correct branch/tree/tag, if there are no conflicts, etc. and, then I do push/merge it in a collaborative way and keeping the order that the project requires and that I want to show. That personal workflow always helped me to avoid mistakes in my job.

What I like

GitKraken has a pretty neat interface where it is easy to find all I need for that git workflow.

GitKraken Interface
Multiple git profiles support

GitKraken Profiles 1/2

GitKraken Profiles 2/2
Easy drag and drop Pull-Request/Merge-Request integration

GitKraken Drag & Drop Pull Request

What I don’t like

Sometimes, when my computer has high resources usage, like when I’m running some containers/virtual machines, GitKraken produces a slow down for a bit like some other GUI’s.

Wrapping Up

So, starting today, I’m going to generate content related to Git/Gitkraken, and to achieve this, I will write about how I integrate GitKraken into my daily work.

If you want to start using GitKraken, you can download the Kraken and try it by yourself! Furthermore, I recommend to use my referral code when you sign in.

Happy coding!

Podman remote client on MacOS using Vagrant

Tue, 23 Feb 2021 00:00:00 +0000

Table of Contents

Introduction

Podman is a daemonless, open-source, Linux native tool designed to make it easy to find, run, build, share and deploy applications using Open Containers Initiative (OCI) Containers and Container Images.

That been said, the core of podman only runs in Linux! To use podman on macOS, we need to implement the remote client to manage container using a Linux as a backend.

Brief Architecture

The remote client uses a client-server model. We need Podman installed on a Linux VM that also has the SSH daemon running. On our MacOS, when you execute a Podman command:

Podman connects to the server via SSH.
It then connects to the Podman service by using systemd socket activation.
The Podman commands are executed on the Linux VM.
From the client’s point of view, it seems like Podman runs locally.

Installation

Install podman on MacOS

To install podman remote client on MacOS, we use Homebrew

$ brew install podman

Create a new ssh-keys on MacOS

We will need to connect via ssh to our vagrant VM, in order to do it passwordless, we will create a ssh-key, the commands for that are:

$ ssh-keygen -t rsa -b 4096 -C "podman+vagrant"
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/<USERNAME>/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/<USERNAME>/.ssh/id_rsa.
Your public key has been saved in /Users/<USERNAME>/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+pGx7Wcn9WdfRYKJrcdMiKEIPKFRW1lQ1MXP/8i0PLA podman+vagrant
The key's randomart image is:
+---[RSA 4096]----+
| ....=B+. ooo ..|
| . ++. ..+oo.+ |
| o .. o +oo =|
| .o+ |
| S ..|
| . = . . o|
| . + . B oo|
| . o E X o|
| . .+.= o.|
+----[SHA256]-----+

cat /Users/<USERNAME>/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1y ... O3JH8w== podman+vagrant

Create a vagrant VM

We will use a Virtual Machine based on Fedora 33,

To create the specified Vagrantfile, we need to follow the next steps:

$ mkdir my-fedora && cd my-fedora

$ echo "Vagrant.configure("2") do |config|
 config.vm.box = "generic/fedora33"
 config.vm.hostname = "my-fedora"
 config.vm.provider "virtualbox" do |v|
 v.memory = 1024
 v.cpus = 1
 end
end" >> Vagrantfile

Implementation

At this moment we have:

Podman installed
A ssh-key with no password created
A VM created with vagrant

Let’s start our implementation

Copy ssh-key from MacOS to Linux VM

We use the ssh-copy-id command, and it will ask us for the vagrant user password. The default one is: vagrant

$ ssh-copy-id -i id_rsa.pub vagrant@127.0.0.1 -p 2222

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
vagrant@127.0.0.1's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh -p '2222' 'vagrant@127.0.0.1'"
and check to make sure that only the key(s) you wanted were added.

You can verify connectivity with the command:

$ ssh vagrant@127.0.0.1 -p 2222
Last login: Tue Feb 23 07:33:45 2021 from 10.0.2.5
[vagrant@my-fedora ~]$

Configure the Linux VM

On this step we will:

Install the podman package and dependencies
Enable the podman service
Enable the sshd service

Installing podman

sudo dnf --enablerepo=updates-testing install podman libvarlink-util libvarlink

Enableling the podman service

We can enable and start the service permanently, using the following commands:

$ systemctl --user enable --now podman

Also, we will need to enable linger for this user in order for the socket to work when the user is not logged in.

sudo loginctl enable-linger $USER

You can verify that the socket is listening with a simple Podman command.

$ podman --remote info

Enableling the sshd service

In order for the client to communicate with the server you need to enable and start the SSH daemon on the Linux VM:

$ sudo systemctl enable --now sshd

Using the client

The first step in using the Podman remote client is to configure a connection. To do that, we need can add a connection by using the podman system connection add command.

$ podman system connection add <CONNECTION-NAME> ssh://vagrant@127.0.0.1:2222 --identity <SSH-KEY>
$ podman system connection add my-fedora ssh://vagrant@127.0.0.1:2222 --identity ~/.ssh/id_rsa.pub

We can verify that the connection is in place with the command:

$ podman system connection list
Name Identity URI
my-fedora* ~/.ssh/id_rsa.pub ssh://vagrant@127.0.0.1:2222/run/user/1000/podman/podman.sock

Now we can test the connection with the command:

$ podman info
host:
 arch: amd64
 buildahVersion: 1.18.0
 cgroupManager: systemd
 cgroupVersion: v2
 conmon:
 package: conmon-2.0.21-3.fc33.x86_64
 path: /usr/bin/conmon
 version: 'conmon version 2.0.21, commit: 0f53fb68333bdead5fe4dc5175703e22cf9882ab'
 cpus: 1
 distribution:
 distribution: fedora
 version: "33"
 eventLogger: journald
 hostname: my-fedora
 ...

Also, you can start running podman commands as you run them in docker:

$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE

Next steps

At this point we have installed everything that we need to start using podman on our MacOS, but podman only work if the Linux VM is up & running, otherwise you will receive an error similar to this:

$ podman images
Error: Cannot connect to the Podman socket, make sure there is a Podman REST API service running.: failed to create sshClient:
Connection to bastion host (ssh://vagrant@127.0.0.1:2222/run/user/1000/podman/podman.sock) failed.: dial tcp 127.0.0.1:2222: connect: connection refused

To avoid that behavior, what I implement is an automator workflow, here are the steps:

Get the vagrant VM id, to do that run:

$ vagrant global-status
id name provider state directory
--------------------------------------------------------------------------
894d683 my-fedora virtualbox running ~/vms/my-fedora

The above shows information about all known Vagrant environments
on this machine. This data is cached and may not be completely
up-to-date (use "vagrant global-status --prune" to prune invalid
entries). To interact with any of the machines, you can go to that
directory and run Vagrant, or you can use the ID directly with
Vagrant commands from any directory. For example:
"vagrant destroy 1a2b3c4d"

As you can see we are interested on get the id column, for this example: 894d683

Now, we need to open Automator, go to Launchpad -> search -> type automator, do click on the Automator Application

Launchpad + Automator

Then, we need to write an automator application, for this example I choose a workflow that it will run the command vagrant up <VM-ID>

$ vagrant up 894d683
Bringing machine 'my-fedora' up with 'virtualbox' provider...
==> default: Checking if box 'generic/fedora33' version '3.2.0' is up to date...
==> default: A newer version of the box 'generic/fedora33' for provider 'virtualbox' is
==> default: available! You currently have version '3.2.0'. The latest is version
==> default: '3.2.6'. Run `vagrant box update` to update.
==> default: Clearing any previously set forwarded ports...
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
 default: Adapter 1: nat
==> default: Forwarding ports...
 default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Running 'pre-boot' VM customizations...
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
 default: SSH address: 127.0.0.1:2222
 default: SSH username: vagrant
 default: SSH auth method: private key
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
==> default: Setting hostname...
==> default: Machine already provisioned. Run `vagrant provision` or use the `--provision`
==> default: flag to force provisioning. Provisioners marked to run always will still run.

Automator Workflow

Save the Workflow and remember the location where you save it.
The final step is to add the workflow to our login items. Go to Systems Preferences -> Users & Groups -> Login Items and add the application that you save on the previous step.

Login Items Menu

And that is all, you will have a fully working podman command on your MacOS.

References:

Podman MacOS and windows install ¹
Detailed podman installation on MacOS ²
Automator Configuration ³

My journey to become CKA and CKAD

Thu, 26 Nov 2020 00:00:00 +0000

Hi, people that read me!

I usually don’t write about my achievements. Still, I’m proud of what I did, and in this post I want to share my journey to that back in July I passed two essential certifications for me, the CKA (Certified Kubernetes Administrator) and the CKAD (Certified Kubernetes Application Developer). Those certs are important to me because one of my professional goals is to apply all my knowledge as an SRE (Site Reliabilty Engineer), so I’m putting all my effort to get trained and gain experience as I believe that Kubernetes is and will continue to be widely used by the industry I want to be part of that.

I put a lot of hours/practice on my study lately, but my journey started probably 3 years ago, or even more time (don’t remember exacly). Still, I remember that I become interested when I was talking with my friends @yazpik and @tonyskapunk about the new stuff that is comming on tech, by that time they were running a Kubernetes Meetup at the Castle and I started to assist to each meetup.

Being honest, at the begginning, I barely understand all the concepts and projects that the speakers were talking about but once I started to get involved reading blog posts, practicing (Yeah I did the ‘Kubernetes the Hard way’ on minikube), also began to follow and test other exciting projects like Rancher. So after a while, I started to understand better what the speaker was trying to communicate. And that helps me a lot to understand not only the basics but some good projects that work in conjunction with Kubernetes.

With all the meetings that were held on Rackspace I get involved and I wanted to keep learning more so, I decided to assist to Kubecon North America 2018 that was held on Seattle, and I like to think that this set of conferences opened my mind for all the Kubernetes environment, and I feel that I need to keep learning even more about this awesome technology, that keeps me motivated to get my certifications too, in a nutshell I feel inspired about the conferences, the comunity, everything and I want to be part of it.

Talking about community, in that kubecon I met with some Latin-American friends that were interested in Kubernetes like @domix, @marKox,both from México, and @EdduMelendez from Peru, that from their trenches they are trying to grow the Kubernetes community on Spanish.

Mexicanos in Kubecon 2018

But returning to my certifications path, after a while I decided that I will have the certs by the end on this year, so back in March I get more serious studying and purchased the excellent course Certified Kubernetes Administrator (CKA) with Practice Tests a course by Mumshad Mannambeth that I highly recommend to reinforce the theory and also, becasue includes exercises similar to the exam that you can practice.

Once I feelt confident in me and my knowledge I get my coupon to present the CKA exam, and I passed!

My CKA Certification

I need tell you, it wasn’t easy, mostly because you need to be careful with the time/value of the questions and you need to weigh to reach the passing score, for this exam it was 74%.

Of course after I get the CKA certitification, I was super happy but on my train of thoughts, I keep thinking that I can use the CKA study as leverage to get the CKAD.

I already have the fundamentals of a CKA and just need some extra study to complement the CKAD curriculum, so I got commited (my wife too), and right away I got my CKAD exam coupon and I scheduled the test 2 weeks appart after I decided to get the cert (That’s 3 weeks appart after I took the CKA exam).

My approach works, I passed the CKAD certification!

My CKAD Certification

Now that I’m certified on Kubernetes I will look to be more involved in Cloud Native initiatives on my company, to apply the knowledge that I already have on current or new projects, and as always keep learning!

Backing Up a Ruckus Switch Config

Sat, 21 Nov 2020 00:00:00 +0000

I want to do some changes on my home network to improve the performance, so I will implement VLANs on my network. But before I do that I want to document how to perform a backup of my Ruckus ICX 7150 Switch.

In a past post I mentioned how to enable ssh and web cofiguration on the Ruckus switch, so my first attemtp was to download the configuration file from the web interface but unfortunately it is not possible to do it, there is not an option for that. What I did is go to the documentation and found the copy command but I need a TFTP server to be able to download the backup file.

Let’s start!

Install a TFTP server - This is easy will depend on your Operative System, for my is an ArchLinux laptop.
```
yay -Sy atftp
```
The configuration file for atftp is /etc/conf.d/atftpd

Next step, is login on your Ruckus switch and perform the copy command:

ssh <USER>@<SWITCH-IP>
copy running-config tftp <TFTP-SERVER-IP> myconfig.cfg

#In my case is:
ssh ruckus@192.168.50.5
copy running-config tftp 192.168.50.4 myconfig.cfg

Verify that the file is on your TFTP server, by default, the configured directory for atftp is /srv/atftp/ so you should go that location and verify that the generated file is created.
```
cd /srv/atftp
ls -la
```

That’s all, you can restore your switch configuration if needed.

Bye!

Using the Ansible Stat Module on a Loop

Sun, 12 Apr 2020 00:00:00 +0000

Table of Contents

Using the Ansible stat module on a loop

Hi again, it’s been a while since I wrote something on this blog. This time I was working on a Ansible playbook and I get this:

Problem

I want to verify if a file exists. Depending on the registered output I want to perform some other actions. On my specific use case, I want to use in in conjunct with the file module to define the state on my next task.

graph TD; A(Stat over file) --> B{Does the file exists?}; B -->|Yes| C[state: file]; B -->|No| D[state: touch];

Solution

Here is the solution that worked for me, using loops, loop_control,and jinja2 filters.

- name: Stat over the files
 stat:
 path: "{{ my_loop }}"
 loop:
 - /etc/cron.allow
 - /etc/at.allow
 loop_control:
 loop_var: my_loop
 register: my_stat_var

- name: Create a file if not exists
 file:
 path: "{{ item.my_loop }}"
 owner: root
 group: root
 mode: og-rwx
 state: "{{ 'file' if item.stat.exists else 'touch' }}"
 loop: "{{ my_stat_var.results }}"

Basically, I’m using the new loop syntax to iterate over all the files that I want to check.

In order to avoid some warnings about the loop using item I implement the loop_control and loop_var syntax to control the loop behavior and on this specific case, instead of using the word item I will substitute it with the one that I define as my loop_var in this case is called my_loop (Remember this, I will use it on the next task).

I’m registering the result of the stat task on a variable, for this case is my_stat_var

Here is an example of the output, when the 2 files do not exists:

ok: [instance-amazon2] => {
 "my_loop": {
 "changed": false,
 "msg": "All items completed",
 "results": [
 {
 "ansible_loop_var": "my_loop",
 "at_cron_restricted_touch": "/etc/cron.allow",
 "changed": false,
 "failed": false,
 "invocation": {
 "module_args": {
 "checksum_algorithm": "sha1",
 "follow": false,
 "get_attributes": true,
 "get_checksum": true,
 "get_md5": false,
 "get_mime": true,
 "path": "/etc/cron.allow"
 }
 },
 "stat": {
 "exists": false
 }
 },
 {
 "ansible_loop_var": "my_loop",
 "at_cron_restricted_touch": "/etc/at.allow",
 "changed": false,
 "failed": false,
 "invocation": {
 "module_args": {
 "checksum_algorithm": "sha1",
 "follow": false,
 "get_attributes": true,
 "get_checksum": true,
 "get_md5": false,
 "get_mime": true,
 "path": "/etc/at.allow"
 }
 },
 "stat": {
 "exists": false
 }
 }
 ]
 }
}

On the next task I access the results of the registered variable my_stat_var using, according to the previous output, I need to use the results variable to access it and gives me 2 arrays (each one for each file)

Also, I extract the path from the same variable my_stat_var.results but as it is part of a loop, I will access it using item.my_loop as on the the second task loop I’m not using a loop_control, also I can access it using item.item but I prefer the first syntax. In case you implement a loop_control on you can access it as my_second_loop.my_loop

Also, I extract if the file exists with the variable item.stat.exists but I’m putting that on a jinja2 filter, that way it will evaluate and set the correct option on the state

# When the file exists
state: file
# When the file does not exists
state: touch

This behavior also brings idempotency to your task, because:

If the files does not exists on the first iteration it will be created and,
The next time you run the tasks as the files already exists it will works as a stat and will return the current state of path.

That is all for now. See you soon!

Gestion de History

Tue, 03 Dec 2019 00:00:00 +0000

Table of Contents

El archivo de logs histórico (history) tiene varias opciones que podemos cambiar para tener un mejor control del mismo. Aquí vamos a ver algunas opciones para el control y gestión del fichero del log histórico (history).

Mostrar la fecha y hora de cuando escribimos comandos

Para mostrar la fecha y hora en el formato que requieras puedes agregas las lineas siguientes:

export HISTTIMEFORMAT='- %F %T - '

Control del tamaño del archivo de logs histórico

Tenemos dos variables de entorno para ello, HISTSIZE y HISTFILESIZE, que indican el tamaño del fichero, por ejemplo:

HISTSIZE=1000
HISTFILESIZE=1000

Con esto hacemos que el tamaño máximo del fichero de logs histórico sea de 1000 comandos o líneas.

Si ponemos el tamaño de la variable HISTSIZE a cero hacemos que no se guarde nada en el archivo de logs histórico

export HISTSIZE=0

Control de duplicados en el histórico

En el log histórico se van guardando TODOS los comandos que se van introduciendo aunque repitamos 20 veces el mismo comando, se guardará 20 veces, lo cual es en ocasiones una perdida de espacio. Por lo que podemos usar la variable HISTCONTROL para hacer 2 cosas:

Eliminar los duplicados consecutivos con ignoredups.
Eliminar los duplicados sean o no consecutivos con erasedups.

HISTCONTROL=ignoredups
HISTCONTROL=erasedups

Path para guardar el archivo de logs histórico

Por defecto el histórico se guarda en ~/.bash_history pero podemos indicar donde guardarlo con la variable HISTFILE.

HISTFILE=~/.bitacora.

Un truco muy bueno cuando en un mismo servidor entran varios administradores que se pasan a root y poder controlar y guardar que hace cada uno es: Guardar un archivo de logs histórico por cada uno de ellos. Lo puedes hacer de la siguiente forma:

HISTSIZE=5000
HISTFILESIZE=5000
HISTFILE=/root/.bash_hist-$(who am i | awk '{print $1}';exit)

Con esto se guardará en el home de del usuario root un archivo de logs histórico por cada uno de los usuarios que se hayan pasado a root. El tamaño se puede ampliar o reducir a gusto. También podemos poner que ignore duplicados.

Todas estas variables debemos ponerlas en un archivo donde se activen al arranque que puede ser ~/.bashrc.

Espero les sea útilidad.

😄

Docker Login the Right Way

Wed, 15 May 2019 00:00:00 +0000

Table of Contents

Hi again!

It is been a while since I wrote something here, as always, there is no much time for a hobby.

I’ve been working for a while with docker, not a production level, but for some applications that I use at work. And since the Docker Hub Data breach I put more atention on the security of my data/credentials, so I investigate a little about and found this official repository https://github.com/docker/docker-credential-helpers/ from Docker where are the supported credential helpers.

Credential Store

Docker keeps our credentials saved on a JSON file located on ~/.docker/config.json, but unfortunatelly credentials are just encrypted on base64, here is an articule/video where there is an explanation for the why it is a bad idea to just use base64 encryption.

The following is a diagram on how a plain text storage works:

Plain Text Storage

Here is an example on how ~/.docker/config.json looks like when is using plain text credentials:

cat ~/.docker/config.json
{
 "auths": {
 "https://index.docker.io/v1/": {
 "auth": "azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo="
 },
 "quay.io": {
 "auth": "azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo="
 }
 },
 "HttpHeaders": {
 "User-Agent": "Docker-Client/18.09.6 (linux)"
 }
}

After a successful docker login command, Docker stores a base64 encoded string from the concatenation of the username, a colon, and the password and associates this string to the registry the user is logging into:

$ echo azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo= | base64 -d -
luiscachog:supersecretpassword

A docker logout command removes the entry from the JSON file for the given registry:

$ docker logout quay.io
Remove login credentials for quay.io

$ cat ~/.docker/config.json
{
 "auths": {
 "https://index.docker.io/v1/": {
 "auth": "azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo="
 }
 },
 "HttpHeaders": {
 "User-Agent": "Docker-Client/18.09.6 (linux)"
 }
}

Docker Credential Helpers

Since docker version 1.11 implements support from an external credential store for registry authentication. That means we can use a native keychain of the OS. Using an external store is more secure than storing on a “plain text” Docker configuration file.

Secure Storage

In order to use a external credential store, we need a program to interact with.

The actual list of “official” Docker Credential Helper is:

docker-credential-osxkeychain: Provides a helper to use the OS X keychain as credentials store.
docker-credential-secretservice: Provides a helper to use the D-Bus secret service as credentials store.
docker-credential-wincred: Provides a helper to use Windows credentials manager as store.
docker-credential-pass: Provides a helper to use pass as credentials store.

docker-credential-secret service

On this post we will explore the docker-credential-secretservice and how to configure it.

We need to download and install the helper. You can find the lastest release on https://github.com/docker/docker-credential-helpers/releases. Download it, extract it and make it executable.

wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.2/docker-credential-secretservice-v0.6.2-amd64.tar.gz
tar -xf docker-credential-secretservice-v0.6.2-amd64.tar.gz
chmod +x docker-credential-secretservice
sudo mv docker-credential-secretservice /usr/local/bin/

Then, we need to specify the credential store in the file ~/.docker/config.json to tell docker to use it. The value must be the one after the prefix docker-credential-. In this case:
```
{
 "credsStore": "secretservice"
}
```
To facilite the configuration and do not make mistakes, you can run:
```
sed -i '0,/{/s/{/{\n\t"credsStore": "secretservice",/' ~/.docker/config.json
```

From now we are uning an external store, so if you are currently logged in, you must run docker logout to remove the credentials from the file and run docker login tostart using the new ones.

Let me know how this works for you.

References:

Docker Credential Helpers repository¹
Docker Credential Store Documentation²
Slides about this topic ³

Bulk Delete Rackspace Cloud Files data via API

Wed, 13 Feb 2019 00:00:00 +0000

Sometimes it is necessary to delete all the content of the Cloud Files containers, however, the API does not have a proper method to delete the data and the containers on the same API call. Also, accoring to the documentation, you can only delete empty containers.

So, in cases where you need to delete the data and the containers at the same time, you should follow the next steps:

Download Turbolift, I know it is an old tool.

git clone https://github.com/cloudnull/turbolift
cd turbolift

In order to get and isolated installation, we are going to create a Python Virtual Environment (virtualenv)
```
mkvirtualenv turbolift
workon turbolift
```
Install the tool
```
pip install turbolift
```

Now, prior to start to play with the API calls, we need to grab some data to authenticate with the API:

Variable	Definition
USERNAME	This is the Rackspace Public Cloud username
APIKEY	This is your API-KEY
REGION	This is the Region where the Cloud Files are located (dfw, ord, iad, lon, hkg)
TOKEN	The TOKEN is generated after you get authenticated
ENDPOINT	This ENDPOINT is given also after you get authenticated

Next step, we are going to use cURL, to perform all the API calls:

First of all, get the TOKEN:

USERNAME=YOUR-USERNAME
APIKEY=YOUR-APIKEY
TOKEN=$(curl -s -XPOST https://identity.api.rackspacecloud.com/v2.0/tokens \
 -d'{"auth":{"RAX-KSKEY:apiKeyCredentials":{"username":"'$USERNAME'","apiKey":"'$APIKEY'"}}}' \
 -H"Content-type:application/json" | jq '.access.token.id' | tr -d "\"")

Next step, get the ENDPOINT:

ENDPOINT=$(curl -s -XPOST https://identity.api.rackspacecloud.com/v2.0/tokens \
 -d'{"auth":{"RAX-KSKEY:apiKeyCredentials":{"username":"'$CL_USERNAME'","apiKey":"'$APIKEY'"}}}' \
 -H"Content-type:application/json" | jq '.access.serviceCatalog[] | select((.name=="cloudFiles") or (.name=="cloudFilesCDN")) | {name} + .
 endpoints[] | .publicURL' | tr -d "\"" | grep -v cdn | grep -i $REGION)

In this case we are skipping all te CDN endpoints, but you can add them if is necessary.

With all the collected data, next step is use turbolift to delete the Cloud Files container and their data. To do it, I use a for-loop:

for i in $(curl -s -H "X-Auth-Token: $TOKEN" $ENDPOINT); do turbolift -u $USERNAME -a $APIKEY --os-rax-auth $REGION delete -c $i ; done

Now, you have all the Data and Cloud Files containers deleted on one region.

😄

Configure SSH on a Ruckus Switch

Tue, 20 Nov 2018 00:00:00 +0000

I just have a Ruckus ICX 7150 Switch on my home and I’m trying to get access under ssh and web, to easy configuration and security instead of use telnet. So, I logged in using telnet and then run the following commands to configure a username/password and begin to receive petitions over port 22(ssh) and port 443(https). Let’s begin!

We will connect via telnet to the switch.
```
telnet SWITCH_IP
```

Once we are on the Switch CLI as a optional step, we can configure an IP on the switch.

device> enable
device# configure terminal
device(config)# ip address IP_ADDRESS/CIDR
device(config)# ip default-gateway IP_GATEWAY

Now, the next steps are for generate a SSL certificate, a username/password, activate password to login and enable thw web access and ssh access.

device(config)# crypto-ssl certificate generate
device(config)# username USERNAME password PASSWORD
device(config)# aaa authentication login default local
device(config)# aaa authentication web-server default local

It may take several minutes to generate the certificate key. After that, save the configuration.
```
device(config)# write memory
```

Now you are able to login on your switch using ssh or web.

References:

Blog with ruckus commands ¹

Ruckus ICX7150-C12P – Initial Configuration ↩︎

Set a hugo blog on Kubernetes

Mon, 18 Jun 2018 00:00:00 +0000

Table of Contents

Overview

Since last year I been trying to become an SRE (Site Reliability Engineer), so I been involved with some emerging technologies, like ansible, docker and on this time with kubernetes.

This time, I will try to explain how I containerized my blog using:

Architecture

So, I take some ideas from here and I modify them and adapt the architecture described to my options.

The principal changes that I made are:

My Kubernetes cluster is running on 2 cloud server on Rackspace Public Cloud
The container registry that I’m using is Quay
Rackspace Public Cloud does not support a Kubernetes LoadBalancer service automatically, so I simulate that behavior adding a Cloud Load Balancer manually after the Kubernetes service provide me the port.

Architecture

Containerized

I use Hugo to deploy my blog, I used to do it as mentioned on this previous post (In Spanish).

Now, as a part of containerize the blog it make sense to me to create two stages as described here:

The first stage is a defined build environment containing all required build tools (hugo, pygments) and the source of the website (Git repository).
The second stage is the build artifact (HTML and assets), from the first stage and a webserver to serve the artifact over HTTP.

Dockerfile

Here is the Dockerfile that containerize the blog:

FROM ubuntu:latest as STAGEONE

# install hugo
ENV HUGO_VERSION=0.41
ADD https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_${HUGO_VERSION}_Linux-64bit.tar.gz /tmp/
RUN tar -xf /tmp/hugo_${HUGO_VERSION}_Linux-64bit.tar.gz -C /usr/local/bin/

# install syntax highlighting
RUN apt-get update
RUN apt-get install -y python3-pygments

# build site
COPY source /source
RUN hugo --source=/source/ --destination=/public/

FROM nginx:stable-alpine
RUN apk --update add curl bash
RUN rm /etc/nginx/conf.d/default.conf
COPY modules/nginx.luiscachog.io.conf /etc/nginx/conf.d/luiscachog.io.conf
COPY --from=STAGEONE /public/ /usr/share/nginx/html/
EXPOSE 80 443

MAINTAINER Luis Cacho <luiscachog@gmail.com>

First Stage

Fetch the lastest Ubuntu image and name as STAGEONE
Install the last available hugo version from source.
Install pygments library to use it for highlighting.
Build the site with hugo and the output is set on /public as a build artifact.

Second Stage

Fetch the lastest stable nginx alpine image.
Update the image and install some utilities.
Delete the default nginx configuration file.
Copy the configuration files needed from the repository root directory.
Copy the build artifact /public from the previous stage (STAGEONE)

My First Contribution to OpenStack project

Thu, 15 Mar 2018 00:00:00 +0000

I been working since last year using Ansible for fun and to trying to get prepared to become a DevOps, so I found an excelent OpenStack project called ARA Records Ansible.

Ansible Logo

ARA Logo

Basically it is a project from the OpenStack community that makes it easier to understand and troubleshoot your Ansible roles and playbooks. If you want more information, please refer to the Documentation Page.

Anyhow, I just found a little bug on the Ansible Role to install ARA ansible-role-ara on Debian based distros and just send the patch to fix it.

Here is the link to my contribution.

And, as I am proud of my first commit on a big project here is the screenshot too:

My First OpenStack Contribution

I feel happy and motivated to still learn about this Open-Source project and a lot more.

😄

Deployment de un sitio estatico con Hugo y Git Hooks

Mon, 05 Mar 2018 00:00:00 +0000

Table of Contents

Motivación

Estoy intentando escribir un poco más en mi blog, ya que noté que muchas veces no lo hacia muy a menudo por que al llegar a la consola de administración de Wordpress, habia que dar bastantes clicks para llegar al menu de “Posts”, además de que cada vez que entraba había un plugin diferente que actualizar, y verificar que nada se rompiera con las nuevas actualizaciónes, en pocas palabras hay que darle bastante mantenimiento a un sitio con Wordpress, y además de eso había que dedicarse a escribir el post.

Otra razón por lo que opté hacer el cambio de plataforma, es que al estar tratando de convertirme en DevOps, es necesario, desde mi punto de vista; tratar automatizar/scriptear la mayoria de tus tareas que realizas día a día, y con Hugo considero que se puede realizar este objetivo también.

Consideraciones

Una vez que decidí migrarme de Wordpress, el siguiente paso era decidir a que plataforma mudarme. De entrada la plataforma que queria probar era un Static Site Generator, aqui otro link de por que usar un Static Site Generator.

Partiendo de lo anterior, las opciones que me parecieron interesantes fueron:

Cada una de las opciones tiene diferentes caracteristicas, que no vamos a discutir en este post, sin embargo las carteristicas que me convencieron de usar Hugo por encima de las otras alternativas fueron:

Consta solamente de un binario, que comparado con las otras posibilidades hay que instalar todo un ambiente de desarrollo/producción.
Es bastante rápido.
Es Multi-plataforma
Tiene diversos temas

Instruciones

Consideraciones técnicas

El ambiente consta de:

1 servidor productivo donde esta instalado hugo, git y un servidor web (apache o nginx) , haremos todos los deployments usando el usuario admin, ojo que no es el usuario root.
1 servidor/equipo de desarrollo, de igual forma que cuenta con hugo y git, en mi caso, es mi computadora personal y mi usuario es luiscachog.
1 cuenta de github.com

Autenticación mediante llaves SSH

El primer paso es realizar el intercambio de llaves SSH entre el equipo de desarrollo y el equipo productivo. Para ello seguimos los siguientes pasos:

Generar la llave SSH, tendrás que contestar algunas preguntas, entre las cuales está si quieres ponerle un password, a lo cual deberas dejarlo en blanco para que no te pida contraseña.
```
luiscachog@dev-server:~$ ssh-keygen
```

Copiar la llave SSH hacia el equipo productivo:

luiscachog@dev-server:~$ ssh-copy-id admin@IP_servidor_productivo

Verificar que te puedas conectar desde tu servidor de desarrollo, con tu usuario al servidor productivo, con el usuario que realizará los deployments.
```
luiscachog@dev-server:~$ ssh admin@162.125.2.30 hostname
```
En este caso, debera de mostrarte el hostname del servidor productivo sin pedirte el password.

Configuración sitio con Hugo

El siguiente paso es configurar nuestro ambiente de desarrollo con Hugo y Git.

Para instalar ambos en Ubuntu o derivados debes de ejecutar:
```
luiscachog@dev-server:~$ sudo apt install hugo git
```
Para tener la version más actualizada de hugo puedes seguir los pasos descritos en este link

Vamos a crear un directorio de trabajo para nuestro sitio estatico

luiscachog@dev-server:~$ mkdir ~/sites
luiscachog@dev-server:~$ cd ~/sites

Crearemos un nuevo sitio usando el comando hugo

luiscachog@dev-server:~$ hugo new site luiscachog.io
Congratulations! Your new Hugo site is created in /home/luiscachog/sites/luiscachog.io.

Just a few more steps and you're ready to go:

1.- Download a theme into the same-named folder.
 Choose a theme from https://themes.gohugo.io/, or
 create your own with the "hugo new theme <THEMENAME>" command.
2.- Perhaps you want to add some content. You can add single files
 with "hugo new <SECTIONNAME>/<FILENAME>.<FORMAT>".
3.- Start the built-in live server via "hugo server".

Visit https://gohugo.io/ for quickstart guide and full documentation.

Cuando termine de correr el comando se podra apreciar los siguientes directorios y archivos

luiscachog@dev-server:~$ cd luiscachog.io
luiscachog@dev-server:~$ ls
archetypes config.toml content data layouts static themes
luiscachog@dev-server:~$ tree
.
├── archetypes
│   └── default.md
├── config.toml
├── content
├── data
├── layouts
├── static
└── themes

6 directories, 2 files

El siguiente paso es agregar un tema, puedes encontrar uno que te guste en https://themes.gohugo.io/
```
git init
git submodule add https://github.com/budparr/gohugo-theme-ananke.git themes/ananke

# Edit your config.toml configuration file
# and add the new theme.

echo 'theme = "ananke"' >> config.toml
```
Como recomendación adicional en este paso, puedes realizar un fork del tema que te guste en github para poder realizar modificaciones y proponer cambios al mismo, contribuyendo de esa forma a su desarrollo, para hacerlo, sigue los pasos:
1. Realizar un fork del tema, sigue esta guia para hacerlo.
2. Al realizar el fork, tendras en tus repositorios de github el tema que quieras, por lo que tendras que ejecutar los mismos comandos del punto anterior, pero el repositorio del tema apuntara a tu usario en github
```
git init
git submodule add https://github.com/luiscachog/gohugo-theme-ananke.git themes/ananke
# Edit your config.toml configuration file
# and add the new theme.

echo 'theme = "ananke"' >> config.toml
```
Vamos a crear un post de prueba para verificar que todo esta funcionando correctamente
```
hugo new posts/my-first-post.md
echo "Hola Mundo" >> content/posts/my-first-post.md
```
El comando anterior creara un archivo en la ruta content/posts/my-first-post.md, y el contenido será:
```
---
title: "My First Post"
date: 2018-02-28T12:02:38-06:00
draft: true
---
Hola Mundo!!!
```
Finalmente, probaremos que nuestro sitio estatico con nuestro post se muestren de manera local, en nuestro servidor de desarrollo. Cabe mencionar, que por defecto el comando ‘hugo server’ no mostrará los posts que tengan la opción ‘draft: true’, por ello se agrega la bandera -D
```
luiscachog@dev-server:~$ hugo server -D
```

Configuración del repositorio Git en el servidor de desarrollo 1ra parte

En el paso pasado, realizamos la inicialización del repositorio dentro del directorio del sitio estatico:

luiscachog@dev-server:~$ pwd
/home/luiscachog/sites/luiscachog.io
luiscachog@dev-server:~$ git status
On branch master

Initial commit

Changes to be committed:
 (use "git rm --cached <file>..." to unstage)

 new file: .gitmodules
 new file: themes/ananke

Untracked files:
 (use "git add <file>..." to include in what will be committed)

 archetypes/
 config.toml
 content/
 themes/ananke/

Ahora, para tener el repositorio publico, tenemos que crear el repositorio en github.com y configurarlo como un repositorio remoto

luiscachog@dev-server:~$ git add *
luiscachog@dev-server:~$ git commit -m "First commit"
luiscachog@dev-server:~$ git remote add origin https://github.com/luiscachog/luiscachog.io
luiscachog@dev-server:~$ git push -u origin master

Configuración del repositorio Git en el servidor productivo

Para poder ocupar los hooks de git es necesario hacer una primera copia inicial del repositorio en el que vamos a trabajar, con la particularidad de que el repositorio clonado debe ser del tipo bare.

En nuestro servidor productivo haremos:

admin@prod-server:~$ mkdir sites
admin@prod-server:~$ cd sites
admin@prod-server:~$ git clone --bare https://github.com/luiscachog/luiscachog.io luiscachog.io.git

Configuración del hook

Ya que tenemos nuestro repositorio tipo bare en el servidor productivo vamos a crear el script que mandará a llamar el hook de git.
```
admin@prod-server:~$ cd sites/luiscachog.io.git/hooks
admin@prod-server:~$ vim post-update
```

Y agregamos algo asi:

#!/bin/bash

GIT_REPO=$HOME/luiscachog.io.git
WORKING_DIRECTORY=/var/www/vhosts/luiscachog.io/working_hugo
PUBLIC_WWW=/var/www/vhosts/luiscachog.io/public_html
BACKUP_WWW=/var/www/vhosts/luiscachog.io/backup_html
MY_DOMAIN=luiscachog.io

set -e

rm -rf $WORKING_DIRECTORY
rsync -aqz $PUBLIC_WWW/ $BACKUP_WWW
trap "echo 'A problem occurred. Reverting to backup.'; rsync -aqz --del $BACKUP_WWW/ $PUBLIC_WWW; rm -rf $WORKING_DIRECTORY" EXIT

git clone $GIT_REPO $WORKING_DIRECTORY
mkdir -p $WORKING_DIRECTORY/themes
rm -rf $PUBLIC_WWW/*
/home/admin/bin/hugo -v -s $WORKING_DIRECTORY -d $PUBLIC_WWW -b "http://${MY_DOMAIN}"
trap - EXIT

Damos permisos de ejecución al script

admin@prod-server:~$ chmod +x post-update

Probamos que nuestro script funcione adecuadamente:

admin@prod-server:~$ ~/sites/luiscachog.io.git/hooks/post-update

Cloning into '/var/www/vhosts/luiscachog.io/working_hugo'...
done.
0 draft content
0 future content
4 pages created
0 paginator pages created
0 tags created
1 categories created
in 26 ms

Podras verificar tu nuevo post en la URL de su sitio:
```
http://production_domain_or_IP
```

Configuración del repositorio Git en el servidor de desarrollo 2da parte

Una vez tenemos configurado nuestro repositorio en el servidor de producción, procedemos a agregarlo como repositorio remoto en nuestro servidor de desarrollo

luiscachog@dev-server:~$ cd /home/luiscachog/sites/luiscachog.io
luiscachog@dev-server:~$ git remote add prod admin@IP_servidor_productivo:luiscachog.io
luiscachog@dev-server:~$ git ls-remote prod
d1b0b73528ab3117170ef74e133d0194dd2bc88a HEAD
d1b0b73528ab3117170ef74e133d0194dd2bc88a refs/heads/master

Puedes verificar los repositorios remotos con el comando:

luiscachog@dev-server:~$ git remote -v
origin git@github.com:luiscachog/luiscachog.io.git (fetch)
origin git@github.com:luiscachog/luiscachog.io.git (push)
prod admin@IP_servidor_productivo:luiscachog.io.git (fetch)
prod admin@IP_servidor_productivo:luiscachog.io.git (push)

Ahora cada vez que realizemos un push hacia el remote llamado ‘prod’ se llamara la función del hook.

luiscachog@dev-server:~$ cd /home/luiscachog/sites/luiscachog.io
luiscachog@dev-server:~$ hugo new posts/Testing-Deployment.md
luiscachog@dev-server:~$ echo "Deployment Test" >> content/posts/Testing-Deployment.md
luiscachog@dev-server:~$ git add *
luiscachog@dev-server:~$ git commit -m 'Deployment test with git hooks'

Este es el comando que hace la magia:

luiscachog@dev-server:~$ git push prod master
Counting objects: 3, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 310 bytes | 0 bytes/s, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Cloning into '/var/www/vhosts/luiscachog.io/working_hugo'...
remote: done.
remote: Cloning into '/var/www/vhosts/luiscachog.io/working_hugo/themes/hugo-future-imperfect'...
remote: INFO 2018/03/01 03:12:34 Using config file: /var/www/vhosts/luiscachog.io/working_hugo/config.toml
remote: Building sites … INFO 2018/03/01 03:12:34 syncing static files to /var/www/vhosts/luiscachog.io/public_html/
remote:
remote: | EN
remote: +------------------+----+
remote: Pages | 10
remote: Paginator pages | 0
remote: Non-page files | 0
remote: Static files | 3
remote: Processed images | 0
remote: Aliases | 1
remote: Sitemaps | 1
remote: Cleaned | 0
remote:
remote: Total in 44 ms
To admin@IP_servidor_productivo:luiscachog.io.git
 d5b0671..cvc4dee master -> master

Listo ya podemos probar nuestro sitio

http://luiscachog.io

Con esto el siguiente paso que realizare es hacer el deployment de mi servidor para el blog usando Ansible.

Nos Vemos!!!

References: Digital Ocean blog post ¹

Digital Ocean ↩︎

Improve WD MyCloud performance

Fri, 16 Feb 2018 00:00:00 +0000

I’ve just noticed that my NAS a Western Digital My Cloud EX2 is going slower, so I decided to investigate about what can I do to improve its performance.

I assume that you already configure ssh on your NAS device. If is not configured you can follow the next instructions: https://support-en.wd.com/app/answers/detailweb/a_id/12861

Stop Indexing Services

/etc/init.d/wdmcserver stop
/etc/init.d/wdphotodbmerger stop

To do it forever, you should create the cronjob as:

crontab -e

And add the following lines:

@reboot /bin/sh /etc/init.d/wdmcserverd stop
@reboot /bin/sh /etc/init.d/wdphotodbmerger stop

References:

Western Digital knowledge base link¹

How to enable SSH (Secure Shell) on a My Cloud EX2 device ↩︎

OSI Model Cheat Sheet

Wed, 13 Sep 2017 00:00:00 +0000

If anyone need a good OSI Model cheat sheet, as me:

OSI Model diagram

WordPress with Let's Encrypt SSL Certificate on a Load Balancer

Sun, 03 Sep 2017 00:00:00 +0000

Hi again,

As many of you know a lot of “Production” applications need to be configured to provide High Availability. With that in mind, a best practice architecture to your application is to add a Load Balancer as a front end who distribute your traffic between your application nodes, as you can appreciate on the next image:

HA Load Balancer diagram

SSL Offloading

In this case, my “Production” application is my blog, and I will install a SSL Certificate on the Cloud Load Balancer(CLB) to offloading the encryption/decryption to the CLB instead of doing it on the webserver. That way your webservers uses port 80 (HTTP), as always, and you serve your content trought port 443(HTTPS).

SSL-Offloading diagram

Here are the what I use to configure my WordPress with SSL Certificate:

SSL Certificate issued using Let’s Encrypt
A Client of Let’s Encrypt called acme
A Cloud Load Balancer
A WordPress installation

Step 1: Install acme.sh client

There is a lot of ACME clients supported by Let’s Encrypt, the most popular is Certbot. However, I prefer to use acme.sh.

Let’s install it:

git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
# Create a data home directory
sudo mkdir -p /opt/acme/data
# Actual command to install it
bash acme.sh --install --home /opt/acme --config-home /opt/acme/data --certhome /opt/acme/data/ssl-certs --accountemail your@email.com

Step 2: Issue SSL Certificate

Once acme.sh is installed, we proceed to issue our first SSL Certificate:

/opt/acme/acme.sh --issue -d example.com -w /var/www/vhosts/example.com/public_html
[Mon Aug 25 06:04:07 UTC 2017] Creating domain key
[Mon Aug 25 06:04:07 UTC 2017] The domain key is here: /opt/acme/data/ssl-certs/example.com/example.com.key
[Mon Aug 25 06:04:07 UTC 2017] Single domain='example.com'
[Mon Aug 25 06:04:07 UTC 2017] Getting domain auth token for each domain
[Mon Aug 25 06:04:07 UTC 2017] Getting webroot for domain='example.com'
[Mon Aug 25 06:04:07 UTC 2017] Getting new-authz for domain='example.com'
[Mon Aug 25 06:04:08 UTC 2017] The new-authz request is ok.
[Mon Aug 25 06:04:08 UTC 2017] Verifying:example.com
[Mon Aug 25 06:04:11 UTC 2017] Success
[Mon Aug 25 06:04:11 UTC 2017] Verify finished, start to sign.
[Mon Aug 25 06:04:11 UTC 2017] Cert success.
-----BEGIN CERTIFICATE-----
MIIE/zCCA+egAwIBAgISA2AIs/G8gWjkRkNOUb7zmqh1MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA4MjgwNTA0MDBaFw0x
NzExMjYwNTA0MDBaMBkxFzAVBgNVBAMTDmNvb2tpZWxhYnMubmV0MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo8/4fXH0dOHcSlyXpsBoULhwQYkz4m0J
MegRHU2mhyy/jfKWM6KHDxHpFWUFajLJ/ORE4uncvjmRYeSVBxgv2R2cYoZyKd6v
txT+Cdj3jD9fBfDerfdfsdfsd6Y6mlr6Im61afKsFXIgLsprBpK22JU6HOz+0Fdo
lan09aaF8zLPtVzdfJw9MU55K7nzerxO8j4ro2lve0PHExkMIBCrXey50wcuqQRY
hwkbbXsm+wTES7TCn3tooSzFq6ore3JrSckxhFQ96EOea0s9CgYnw4d9rU/b3jyK
bFCILEJK64vgFHx0qvd0hBJFJG/HUtAXAVrFQjjlZlCmCMbnee1UTQIDAQABo4IC
DjCCAgowDgYDVR0pasoasoasogWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBR2KRpXKKgTorwfXpo44wgKyFUl
QzAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRj
MGEwLgYIKwYBBQUHMAASdTdddHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5v
cmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5v
cmcvMBkGA1UdEQQSMBCCDmNvb2tpZWxhYnMubmV0MIH+BgNVHSAEgfYwgfMwCAYG
Z4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0cDovL2Nw
cy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBDZXJ0aWZp
Y2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBhcnRpZXMg
YW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0ZSBQb2xp
Y3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3NpdG9yeS8w
DQYJKoZIhvcNAQELBQADggEBAFVGs82tzyVER6U0x7p/Q+6xplDFd6ap/dVX9G6i
eRPf4ayGykPSH9J3ewu398LOQd3DE93oWbqc7PfEC40Z5HqvCEY3fl9auep99/IF
rwhf36J7PXvEsPrUB6pxNFSBw9WX366Z1MP8qoIzm3XYEpp2D/SPniWY5+eQ42Pj
WNxxVksA4kFUF9wgKcrsCNTm0X8GZj5HUXC1OwtlopY2w42QrAMGwz1jM4nxv5Mc
Jim+nT0zmJUhAdQi8ocDjAl2PvcfdgfmkMr9IWH3al/GJSKy3a9Cq+BaIsIUYi6E
8M8Mj+00ONNn1folm9aVn+FW5fVCaxYN32ir8PnoTWkOXK8=
-----END CERTIFICATE-----
[Mon Aug 25 06:04:11 UTC 2017] Your cert is in /opt/acme/data/ssl-certs/example.com/example.com.cer
[Mon Aug 25 06:04:11 UTC 2017] Your cert key is in /opt/acme/data/ssl-certs/example.com/example.com.key
[Mon Aug 25 06:04:11 UTC 2017] The intermediate CA cert is in /opt/acme/data/ssl-certs/example.com/ca.cer
[Mon Aug 25 06:04:11 UTC 2017] And the full chain certs is there: /opt/acme/data/ssl-certs/example.com/fullchain.cer

Where the explained options are:

-issue: Issue a new certificate

-d (-domain) : Specifies a domain, used to issue, renew or revoke, etc.

-w (-webroot) : Specifies the web root folder for web root mode. This is the DocumentRoot where your site is hosted and it is necessary to verify it by Let’s Encrypt.

Step 3: Install SSL Certificate on Cloud Load Balancer

So, at this moment we have our SSL Certificate, Private Key, and Intermediate CA Certificate ready to install on our Cloud Load Balancer (CLB)

Your cert is in /opt/acme/data/ssl-certs/example.com/example.com.cer
Your cert key is in /opt/acme/data/ssl-certs/example.com/example.com.key
The intermediate CA cert is in /opt/acme/data/ssl-certs/example.com/ca.cer

So we should go to https://login.rackspace.com -> Rackspace Cloud -> Networking -> Cloud Load Balancers:

Rackspace Portal - Cloud Loud Balancer

Then, to Optional Features and Enable/Configure on “Secure Traffic SSL”

Rackspace Portal - Cloud Loud Balancer

Finally, we add our SSL Certificate, Private Key, and Intermediate CA Certificate to the CLB and save the configuration:

Rackspace Portal - Cloud Loud Balancer

Step 4: Configure WordPress

We are almost done, at this time we already have configured our SSL on the CLB to provide WordPress over HTTPS, however, WordPress is still with HTTP, so we need to reconfigure our WordPress with SSL.

Database queries

First of all, we should update the links from http to https; we are going to do it directly on the database doing the following queries:

Change all instances of example.com to your own. If you have the www as part of your WordPress Address(URL) in the WordPress Settings, add the ‘www’.

Also, if you have a custom table prefix in the WordPress database, something other than the default ‘wp_’, then you must change all the instances of ‘wp_’ to your own table prefix.

Update any embedded attachments/img that use http:This one updates the src attributes that use double quotes:

UPDATE `wp_posts` SET post_content = REPLACE(post_content, 'src=\"http://example.com', \
'src=\"https://example.com') WHERE post_content LIKE '%src=\"http://example.com%';

This one takes care of any src attributes that use single quotes:

UPDATE `wp_posts` SET post_content = REPLACE(post_content, 'src=\'http://example.com', \
'src=\'https://example.com') WHERE post_content LIKE '%src=\'http://example.com%';

Update any hard-coded URLs for links.This one updates the URL for href attributes that use double quotes:

UPDATE `wp_posts` SET post_content = REPLACE(post_content, 'href=\"http://example.com', \
'href=\"https://example.com') WHERE post_content LIKE '%href=\"http://example.com%';

This one updates the URL for href attributes that use single quotes:

UPDATE `wp_posts` SET post_content = REPLACE(post_content, 'href=\'http://example.com', \
'href=\'https://example.com') WHERE post_content LIKE '%href=\'http://example.com%';

Update any “pinged” links:

UPDATE `wp_posts` SET pinged = REPLACE(pinged, 'http://example.com', \
'https://example.com') WHERE pinged LIKE '%http://example.com%';

This step is just a confirmation step to make sure that there are no remaining http URLs for your site in the wp_posts table, except the GUID URLs.

You must replace WP_DB_NAME, near the beginning of the query, with the name of your database.

This will confirm that nowhere in the wp_posts table is there a remaining http URL, outside of the GUID column. This ignores URLs in the GUID column.

This query only searches; it does not replace anything, nor make any changes. So, this is safe to run. It’s a safe and quick way to check the wp_posts table while ignoring the guid column.

This SQL query should return an empty set. That would mean that it found no http URLs for your site. (This is all just 1 query. It’s 1 very, very long line.)

Remember to replace WP_DB_NAME, near the beginning of the query, with the name of your database.

```sql
SELECT * FROM `WP_DB_NAME`.`wp_posts` WHERE (CONVERT(`ID` USING utf8) LIKE \
'%%http://example.com%%' OR CONVERT(`post_author` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_date` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_date_gmt` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_content` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_title` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_excerpt` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_status` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`comment_status` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`ping_status` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_password` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_name` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`to_ping` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`pinged` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_modified` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_modified_gmt` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_content_filtered` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_parent` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`menu_order` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_type` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_mime_type` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`comment_count` USING utf8) LIKE '%%http://example.com%%');
```

Now, we move to the wp_comments table. This changes any comment author URLs that point to the http version of your site. This is in case you’ve ever replied to a comment while your URL was pointing to http.
```
UPDATE `wp_comments` SET comment_author_url = REPLACE(comment_author_url, \
'http://example.com', 'https://example.com') WHERE comment_author_url \
LIKE '%http://example.com%';
```

This updates the content of the comments on your site. If there are any links in the comments that are linking to an http URL on your site, they will be updated to https.

UPDATE `wp_comments` SET comment_content = REPLACE(comment_content, 'http://example.com', \
'https://example.com') WHERE comment_content LIKE '%http://example.com%';

Now we move to the wp_postmeta table. This takes care of any custom post meta that points to the http version of your site.

UPDATE `wp_postmeta` SET `meta_value` = REPLACE(meta_value, 'http://example.com', \
'https://example.com') WHERE meta_value LIKE '%http://example.com%';

Now we move to the wp_options table. Update the WordPress Address (URL) and Site Address (URL).

For the WordPress Address URL, you may have to modify example.com. If you have WordPress installed in some other directory, then modify this according to your own WordPress URL. For example, some people have WordPress installed in a subdirectory named “blog”, and so their WordPress Address would be https://example.com/blog.
```
UPDATE `wp_options` SET `option_value` = "https://example.com" \
WHERE `wp_options`.`option_name` = 'siteurl';
```
This one will update the Site Address URL (this is the home page of your site):
```
UPDATE `wp_options` SET `option_value` = "https://example.com" \
WHERE `wp_options`.`option_name` = 'home';
```

WordPress Control Panel

Besides, with run the queries directly on the database, we can update, or verify, the blog URLs, by going to Settings > General

And updating your WordPress Address (URL) and Site Address (URL) address fields.

WordPress - Change URL

WordPress Config File

Finally, we should add the following line to our wp_config.php file

$_SERVER['HTTPS']='on';

Now, you have configured WordPress with Let’s Encrypt SSL Certificate on a Load Balancer.

Build a Dynamic DNS Client with Rackspace API

Mon, 11 Apr 2016 00:00:00 +0000

This time I’ve want to create a homemade Server with my Raspberry Pi2 and publish it using my own sub-domain, the main problem is that the ISP provide me an dynamic IP and we should ensure that if my IP address change the sub-domain record should point to the new IP.

The instructions assume that you:

Have a domain
Have already changed your NS records to point to dns1.stabletransit.com and dns2.stabletransit.com.

You should download the latest version of rsdns from github

cd ~/bin/
git clone https://github.com/linickx/rsdns.git

Go to your Rackspace portal https://login.rackspace.com/ and grab your Username & API key (It’s under “Your Account” -> “Account Settings” -> “API Key”)
Create a configuration file for rsdns (~/.rsdns_config) with your settings.
```
#!/bin/bash
RSUSER=lcacho
RSAPIKEY=1234567890
RSPATH=~/bin/rsdns/
```
You need your domain created on Rackspace(It’s under “Networking” -> “Cloud DNS” -> “Create Domain”) if you don’t have your domain created you are able to created using rsdns:
```
./rsdns-domain.sh -d www.luiscachog.io -e lcacho@luisachog.io
```
Once you have a domain setup you need to create an A record. To create the A record you going to need an IP address, you can use http://icanhazip.com to get your actual current IP. Again to create a record you are able to do it from Rackspace panel (It’s under “Networking” -> “Cloud DNS” -> YOUR_DOMAIN -> “Add Record”) or you can use rsdns:
```
./rsdns-a.sh -n dynamic-host.luiscachog.io -i 123.123.123.123 -t 3600
```
In the above the TTL is set to 1hr (3600 secs), this is so that DNS caches do not keep the record too long. That’s all the pre-work done, now lets get your dynamic host setup!
The script to update your a record is rsdns-dc.sh, and you run it like this:
```
./rsdns-dc.sh -n dynamic-host.luiscachog.io
```
The script uses icanhazip to get your current IP, it then update the A record with it.

I never switch off my router so I have create a created a cronjob to run that script every 2 hours, plus the 1hr TTL should mean that the record is roughly in sync with my IP without making unnecessary requests

I use CentOS, so I can simply drop the following file called rsdns-dc into /etc/cron.d/ with this…

vim /etc/cron.d/rsdns-dc
* */2 * * * lcacho /home/lcacho/bin/rsdns/rsdns-dc.sh -n dynamic-host.luiscachog.io &>/dev/null

Now we are done! Private Dynamic DNS on your own zone using the Rackspace API.

Spamassassin Error: cannot create user preferences file //.spamassassin/user_prefs: Permission denied on VestaCP - CentOS

Wed, 08 Apr 2015 00:00:00 +0000

When you configure spamassassin on VestaCP (CentOS) sometimes you might have some problems with the autolearn feature and also with the bayes plugin of spamassassin.

The error looks like:

more /var/log/maillog

Apr 5 00:31:00 vestaserver01 spamd[1353]: spamd: connection from localhost [127.0.0.1] at port 37022
Apr 5 00:31:00 vestaserver01 spamd[1353]: spamd: setuid to nobody succeeded
Apr 5 00:31:00 vestaserver01 spamd[1353]: spamd: creating default_prefs: //.spamassassin/user_prefs
Apr 5 00:31:00 vestaserver01 spamd[1353]: config: cannot create user preferences file //.spamassassin/user_prefs: No such file or directory
Apr 5 00:31:00 vestaserver01 spamd[1353]: spamd: failed to create readable default_prefs: //.spamassassin/user_prefs
Apr 5 00:31:00 vestaserver01 spamd[1353]: spamd: checking message &lt;5520C87B.8020009@example.com&gt; for nobody:99
Apr 5 00:31:00 vestaserver01 spamd[1353]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile
/.spamassassin/bayes.lock.vestaserver01.example.com.1353 for /.spamassassin/bayes.lock: No such file or directory
Apr 5 00:31:00 vestaserver01 spamd[1353]: spamd: clean message (-1.0/5.0) for nobody:99 in 0.2 seconds, 3138 bytes.
Apr 5 00:31:00 vestaserver01 spamd[1353]: spamd: result: . 0 - ALL_TRUSTED,HTML_MESSAGE scantime=0.2,size=3138,user=nobody,uid=999,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=37022,mid=&lt;5520C87B.8020009@example.com&gt;,autolearn=unavailable

Basically the error are the permissions on: //.spamassassin/user_prefs

To fix it follow the next steps:

Create the user spamd, in order to avoid to run spamassassin with the user nobody:

groupadd -g 1001 spamd
useradd -u 1001 -g spamd -s /sbin/nologin -d /var/lib/spamassassin spamd
mkdir /var/lib/spamassassin
chown spamd:spamd /var/lib/spamassassin</pre>

Edit the file /etc/exim/exim.conf.

vi /etc/exim/exim.conf

Change the line:

spam = nobody:true/defer_ok

spam = spamd:true/defer_ok

Restart exim an spamassassin

/etc/init.d/exim restart
/etc/init.d/spamassassin restart

After that verify that the files bayes_seen, bayes_toks and user_prefs exists on the spamd home (In this case /var/lib/spamassassin)

pwd
/var/lib/spamassassin
ls -la
total 40
drwxr-xr-x 3 spamd spamd 4096 Apr 7 17:58 .
drwxr-xr-x 36 root root 4096 Feb 25 00:56 ..
-rw------- 1 spamd spamd 12288 Apr 2 21:34 bayes_seen
-rw------- 1 spamd spamd 12288 Apr 2 17:34 bayes_toks
-rw-r--r-- 1 spamd spamd 1869 Apr 1 17:18 user_prefs

Done!

SFTP Jailed

Tue, 31 Mar 2015 00:00:00 +0000

To configure your server to use a jailed user on SFTP you should do:

Edit the sshd_config file

We need to comment the following line:

Subsystem sftp /usr/libexec/openssh/sftp-server

And add the uncomment line, your modification will be same as:

# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Also, at the end of the file we should to add the next lines:

Match Group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp

After save all the changes, we must restart the sshd daemon

service sshd restart

Add sftponly group

groupadd sftponly

Add jailed user and add to sftponly group

useradd -m USERNAME
passwd USERNAME
usermod -aG sftponly,apache USERNAME

IMPORTANT: Create directory and establish correct permissions

chown root:root /home/USERNAME
chmod 755 /home/USERNAME
mkdir /home/USERNAME/TEST.DOMAIN.COM
chown apache:apache /home/USERNAME/TEST.DOMAIN.COM
chmod 775 /home/USERNAME/TEST.DOMAIN.COM
mkdir /var/www/vhost/TEST.DOMAIN.COM
chown apache:apache /var/www/vhost/TEST.DOMAIN.COM
chmod 775 /var/www/vhost/TEST.DOMAIN.COM

Note: If you have any connection problem please double check the permissions on the folders and check the logs on /var/log/secure

tail -f /var/log/secure

Mount DocumentRoot path on jailed user home directory

mount -o bind,noatime /var/www/vhost/TEST.DOMAIN.COM/ /home/USERNAME/TEST.DOMAIN.COM

Make the mount point permanent, editing the fstab file:
```
vi /etc/fstab
```
Add the mount point at the end of the file:
```
/var/www/vhost/TEST.DOMAIN.COM/ /home/USERNAME/TEST.DOMAIN.COM none bind,noatime 0 0
```
Save and exit
Test connection:
```
sftp SERVERIP
```

View sources IP's in Apache Logs behind a Load Balancer

Fri, 13 Feb 2015 00:00:00 +0000

When you use the Rackspace Cloud Load Balancers, it is common that the IP logged in Apache is the Private IP (ServiceNet) from the Cloud Load Balancer, however, we can fix that.

We can view sources IP’s in Apache Logs doing some changes on Apache configuration file and also on the vhosts configuration files.

On your Apache configuration file, you should to find the line:

LogFormat "%h %l %u %t \"%r\" %&gt;s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Modified to:

LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %&gt;s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

And also, on your vhosts configuration files you should to change the “combined” LogFormat definition will then be called in a “CustomLog” entry specific to your VirtualHost configuration. Here is an example VirtualHost definition to show you what I’m referring to:

ServerAdmin webmaster@example.com
DocumentRoot /var/www/html/example.com
ServerName example.com
ErrorLog logs/example.com-error_log
CustomLog logs/example.com-access_log combined

After adding the X-Forwarded-For definition to the LogFormat definition, you can restart Apache and view the logs to notice the difference. If all is done properly, you will see an actual public IP in the first field of your logs instead of the Cloud Load Balancer IP.

Yosemite stuck on boot process

Thu, 08 Jan 2015 00:00:00 +0000

Sometimes, I’m having problems with my Mac, when it’s sleep (hibernate) and I tried to “wake up” the Mac doesn’t start, and it shows me a Black Screen. So, I’ve rebooted and after that it is stuck on the boot process.

So, I’ve found these solution to avoid that Yosemite stuck on the boot process:

A. Enter to Single-user or verbose mode

Shutdown the Mac
Press the power button to start the computer
Immediately press and hold the Command Key and either of the following

* the "s" key for single-user mode (Command-S)
* the "v" key for verbose mode (Command-V)

B. When you login on the Mac, you should run the following commands:

```shell
/sbin/mount -uw /
rm -rf /System/Library/Caches/*
rm /private/var/db/BootCache.playlsit
reboot
```

After the reboot, your Mac will boot as always.

🙂

How to Update a ThemeForest Theme with the Envato WordPress Toolkit

Mon, 10 Nov 2014 00:00:00 +0000

I’ve purchased some themes on ThemeForest.com because they’re great. So this time I want to write about “How to Update ThemeForest Themes with the Envato WordPress Toolkit”.

First of all, Envato WordPress Toolkit it is very similar to a WordPress plugin. The installation it is the only difference. So I will explain how install the “plugin” and how to use in order to get the last update from your theme.

Envato WordPress Toolkit is NOT available on WordPress Repositories, so you will to download from Github. https://github.com/envato/envato-wordpress-toolkit
After you download the .ZIP file, you should be able to install from the WordPress Plugin Manager. Or you could upload the envato-wordpress-toolkit folder to the /wp-content/plugins/ directory.
Activate the Plugin from the WordPress Plugin Manager.
You will need to generate an API key from your Themeforest account.
1. In order to get your API key from Themeforest, you should login to themeforest.com, go to your dashboard and click on My Settings The API Keys screen allows you to generate a free API key.
Generate Envato API Key
Once the API connection has been established you will see a list of themes that can be auto installed. If you don’t see any themes and are certain you’ve done everything correct, there is a good chance the theme author has not updated their theme to be available for auto install and update. If that’s the case, please contact the theme author and ask them to update their theme’s information.

Envato Theme Autoupdate

This “plugin” very helpful to get your themes updated. I hope works for you as well as with me.

MySQL reset root password

Wed, 30 Jul 2014 00:00:00 +0000

Hello,

This time I share with you the faster and more secure method to reset the root password of MySQL.

This method is faster because the downtime is between 1 or 2 seconds (MySQL restart time) and it is more secure because the mysqld is not started without grants on the tables.

The steps are:

Create text file /var/lib/mysql/mysql-init with the sintaxis to reset the password for user root:

vim /var/lib/mysql/mysql-init

SET PASSWORD FOR 'root'@'localhost' = PASSWORD('new_password');

Add under the [mysqld] stanza on the file /etc/my.cnf:
```
init-file=/var/lib/mysql/mysql-init
```
Restart the mysqld service:
```
service mysqld restart
```
Remove the init-file line from /etc/my.cnf
Remove /var/lib/mysql/mysql-init
```
rm /var/lib/mysql/mysql-init
```

And after that, you can access again to your mysql instance.

😄

MySQL without password

Tue, 15 Apr 2014 00:00:00 +0000

The common form to log in to MySQL server, is running a mysql command with your login credentials and server’s IP address as arguments. For example:

mysql -u $MYSQL_ROOT -p$MYSQL_PASS

However, besides the inconvenience of typing extra arguments, using plain-text login credentials in a command line like above is really not a secure way to access a MySQL server.

MySQL offers a way for you to log in to MySQL server without password, by using an external MySQL configuration file. In Linux, there are two different kinds of MySQL configuration files:

/etc/my.cnf and
~/.my.conf

While any system-wide MySQL configuration is defined in /etc/my.cnf, any user-specific MySQL configuration is stored in ~/.my.cnf. You can leverage ~/.my.cnf, to define your MySQL login credential in the file.

vim ~/.my.cnf

We put our MySQL user in the configuration file:

[client]
user=root
password=$PASSWORD_ROOT

Make sure to have the configuration file readable to you only.

chmod 0600 ~/.my.cnf

Once ~/.my.cnf is created, simply typing mysql command will let you log in to the MySQL server as root, and you no longer need to provide login password separately.

mysql

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 14787
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

I'm a Racker

Mon, 31 Mar 2014 00:00:00 +0000

Since January 6th I working on Rackspace, the Open Cloud Company, so I’m a Racker almost 3 months ago and I’m loving every minute of it.

Rackspace - Kickoff

Everything stared on November 2013 when a Technical Recruiter contact me and started a proceess with some long tough interviews, ability tests, paperwork, etc; I have accepted a position as a Linux System Administrator I in the LATAM Team for Rackspace, so, I got to work for one of the most dynamic, fanatic, and fun tech companies in the world!

So, I was very excited, nervous, happy, all together.

The Castle

Since I came to The Castle, everything was wonderful, I have met nice, friendly, smart and fanatical people, like @SugarBear, a Rackspace Ambassador of Culture, or Graham Weston, Rackspace’s Chairman and Co-Funder. I met them at the Rookie Orientation (a.k.a Rookie’O), where I spend time with other Rookies learning about Rackspace history, culture and future plans.

On the Rookie’O, I was surprised and admired with all the energy that is transmitted between the new Rackers, it was awesome!

And I was inspired by the Rackspace Core Values:

Fanatical Support® in all we do.
Results first, substance over flash.
Committed to Greatness
Full Disclosure and Transparency
Passion for our Work
Treat fellow Rackers like Friends and Family

Which from my point of view I can applied to my personal life, and having great results.

Also is very comfortable to have a Coffe Shop, a soda machine or microwaves inside the Castle. It is pretty nice!

In general the first week in Rackspace, on the Rookie’O, I was a great experience, I can say that is one of my best experiences in my life.

Rackspace - Rookie O

Rackspace - Fanatical Jacket

Rackspace - Fuel station

Rackspace - Slide

Rackspace - Coffee Shop

My Goals

This is a new big challenge, because means:

Relocation in other country, specifically in San Antonio, TX, USA.
Leave my family in Mexico City, that means that I see my parents only for Skype or FaceTime :).
Know other culture, the “American” culture, with the Breakfast Tacos or Tex-Mex food (I really hate the Tex-Mex food yiack!) or the Lunch at noon, people do not always says “Good morning” and some details that I don’t understand but here is common.
Improve my skills in other language (English) event though I’m in the Rackspace LATAM team all the communications like emails or meetings are in English, so, it is very important for my job.
And the most important challenge for me is still learn about Linux, get my Red Hat Certifications, do my best at job and take advantage of this great opportunity. All of that to try to be a DevOps Engineer

Rackspace - LATAM Section

Rackspace - My Desk

I will be working on, providing Fanatical Support for our customers, resolving LATAM customer issues with Linux and working with remote teams from all around the world.

Summarizing, I’m a happy Racker 🙂

Blog | Luis Cacho

Understanding the Compliance Operator

Compliance Operator Introduction

Why Compliance Operator?

How can I implement Compliance Operator in my cluster?

Gitkraken Ambassador

GitKraken Ambassador

What is GitKraken?

What I like

What I don’t like

Wrapping Up

Podman remote client on MacOS using Vagrant

Introduction

Brief Architecture

Installation

Install podman on MacOS

Create a new ssh-keys on MacOS

Create a vagrant VM

Implementation

Copy ssh-key from MacOS to Linux VM

Configure the Linux VM

Installing podman

Enableling the podman service

Enableling the sshd service

Using the client

Next steps

My journey to become CKA and CKAD

Backing Up a Ruckus Switch Config

Using the Ansible Stat Module on a Loop

Using the Ansible stat module on a loop

Problem

Solution

Gestion de History

Mostrar la fecha y hora de cuando escribimos comandos

Control del tamaño del archivo de logs histórico

Control de duplicados en el histórico

Path para guardar el archivo de logs histórico

Docker Login the Right Way

Docker Login the right Way

Credential Store

Docker Credential Helpers

docker-credential-secret service

Bulk Delete Rackspace Cloud Files data via API

Configure SSH on a Ruckus Switch

Set a hugo blog on Kubernetes

Overview

Architecture

Containerized

Dockerfile

First Stage

Second Stage

My First Contribution to OpenStack project

Deployment de un sitio estatico con Hugo y Git Hooks

Motivación

Consideraciones

Instruciones

Consideraciones técnicas

Autenticación mediante llaves SSH

Configuración sitio con Hugo

Configuración del repositorio Git en el servidor de desarrollo 1ra parte

Configuración del repositorio Git en el servidor productivo

Configuración del hook

Configuración del repositorio Git en el servidor de desarrollo 2da parte

Improve WD MyCloud performance

Stop Indexing Services

OSI Model Cheat Sheet

WordPress with Let's Encrypt SSL Certificate on a Load Balancer

SSL Offloading

Step 1: Install acme.sh client

Step 2: Issue SSL Certificate

Step 3: Install SSL Certificate on Cloud Load Balancer

Step 4: Configure WordPress

Database queries

WordPress Control Panel

WordPress Config File

Build a Dynamic DNS Client with Rackspace API

Spamassassin Error: cannot create user preferences file //.spamassassin/user_prefs: Permission denied on VestaCP - CentOS

SFTP Jailed

View sources IP's in Apache Logs behind a Load Balancer

Yosemite stuck on boot process