Posted by Scott Laird
Wed, 13 Jul 2005 02:11:30 GMT
I’ve spent most of the past two days working on a little project at work that needs the ability to generate Java JKS keystore files (compatible with the Java keytool program) containing X.509 certificates signed by a private certificate authority.
If you think that sounds simple, then you’ve obviously never worked with X.509.
This turns out to be astoundingly difficult, largely because X.509 is insane. It doesn’t help that Sun’s keytool program is missing a lot of functionality–if you want to rename keys or extract the private keys from the keystore file, then you’ll need to resort to coding it in Java. It’s also really hard to find usable certificate authority software. I’ve been looking for at least 8 years for a complete open-source corporate CA! There are lots of partial solutions out there, but none of the ones that I’ve used have actually been able to solve all of the problems that I’ve needed solved. I’ve always fallen back on scripting openssl directly, and that always requires a day or so of digging through OpenSSL documentation to find the right incantations to get it to work.
In the end, all I needed to do was run openssl 3 times per key generated (make key, sign key, convert to PKCS#12), then run a bit of Java code out of Jetty to convert the PKCS#12 key to a format that keytool can read. Don’t ask why I had to drag Jetty into the picture–that’s like requiring Apache in order to get your version control software to compile or something–it just doesn’t make any sense. Sigh.
For future reference, here are a few useful references:
Posted in Computer Security, Computer System Administration, Work | Tags cryptography, openssl, rant, x509 | 4 comments
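The three OpenSSL steps named in the post above (make key, sign key, convert to PKCS#12), as an added example that is not the author's script. It uses Ruby's OpenSSL bindings in place of the openssl command line; the CA name, host name, alias and password are constructed, and the JKS conversion step is not covered.

```ruby
require "openssl"

# Certificate skeleton: X.509 v3 with a one-hour validity (demo value).
def new_cert(subject, issuer, public_key, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                     # the value 2 encodes X.509 v3
  cert.serial = serial
  cert.subject = subject
  cert.issuer = issuer
  cert.public_key = public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert
end

# Attach [name, value, critical] extensions, resolved against the issuer.
def add_exts(cert, issuer_cert, exts)
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert, cert)
  exts.each { |n, v, crit| cert.add_extension(ef.create_extension(n, v, crit)) }
end

# Self-signed private CA (constructed name).
def make_ca(name = "/CN=Example Private CA")
  key = OpenSSL::PKey::RSA.new(2048)
  dn = OpenSSL::X509::Name.parse(name)
  cert = new_cert(dn, dn, key.public_key, 1)
  add_exts(cert, cert, [["basicConstraints", "CA:TRUE", true],
                        ["keyUsage", "keyCertSign,cRLSign", true]])
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Steps 1 and 2: make a key, then sign a certificate for it with the CA key.
def issue_leaf(ca_key, ca_cert, host, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  dn = OpenSSL::X509::Name.parse("/CN=#{host}")
  cert = new_cert(dn, ca_cert.subject, key.public_key, serial)
  add_exts(cert, ca_cert, [["basicConstraints", "CA:FALSE", true],
                           ["keyUsage", "digitalSignature,keyEncipherment", true],
                           ["extendedKeyUsage", "serverAuth", false],
                           ["subjectAltName", "DNS:#{host}", false]])
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Step 3: private key, leaf certificate and CA chain in one PKCS#12 blob.
def bundle_pkcs12(password, alias_name, key, cert, ca_cert)
  OpenSSL::PKCS12.create(password, alias_name, key, cert, [ca_cert]).to_der
end

# True when the certificate names the CA as issuer and its signature checks out.
def issued_by?(cert, ca_cert)
  cert.issuer.to_s == ca_cert.subject.to_s && cert.verify(ca_cert.public_key)
end

if $PROGRAM_NAME == __FILE__
  ca_key, ca_cert = make_ca
  key, cert = issue_leaf(ca_key, ca_cert, "app01.example.internal", 2)
  der = bundle_pkcs12("changeit", "app01", key, cert, ca_cert)
  puts "PKCS#12 bundle: #{der.bytesize} bytes, issued_by CA: #{issued_by?(cert, ca_cert)}"
end
```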
Posted by Scott Laird
Thu, 14 Apr 2005 21:59:54 GMT
The Rails app that I was working on a couple weeks ago for work is finally complete and in the hands of users. A couple higher-priority tasks kept me from getting back to it until yesterday, and the final push towards release was fantastically ugly.
For legacy reasons, I need two of my app’s controllers to use HTTP basic authentication, not form-based authentication. HTTP authentication with Rails isn’t well documented, but the “teenage mutant ninja hero coders” have an example that works just fine with webrick. Unfortunately, it completely fails with Apache for reasons that weren’t particularly clear. It’s fairly well-known that Apache blocks CGIs from seeing HTTP authentication headers, but none of the workarounds that should have worked with Apache 1.3 (mod_rewrite, fastcgi, etc) actually worked.
In the end, I ended up upgrading to Apache 2 with FastCGI, and it worked flawlessly. Er, except the CGI variable that I was looking for went from being called HTTP_AUTHORIZATION to Authorization, so I had to tweak application.rb a bit.
Posted in Ruby, Work | Tags fastcgi, rails, ruby, rubyonrails, work | no comments
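The variable-name problem described in the post above, as an added example that is not the author's application.rb: a framework-independent helper that looks for the Basic credentials under both names the post mentions and rejects malformed headers. The method names, user name and password are constructed.

```ruby
require "digest"

# Names under which the server may expose the header, per the post above.
AUTH_ENV_KEYS = %w[HTTP_AUTHORIZATION Authorization].freeze

# Returns [user, password] from a Basic header, or nil when the header is
# absent, uses another scheme, is not valid base64, or lacks a colon.
def basic_credentials(env)
  header = AUTH_ENV_KEYS.map { |k| env[k] }.compact.first
  return nil unless header
  scheme, payload = header.split(" ", 2)
  return nil unless scheme&.casecmp?("Basic") && payload
  decoded = payload.strip.unpack1("m0")   # strict base64, raises on junk
  user, pass = decoded.split(":", 2)      # the password may contain colons
  pass.nil? ? nil : [user, pass]
rescue ArgumentError
  nil
end

# Compare fixed-length digests without an early exit, so the comparison
# time does not depend on how many leading characters match.
def secure_equal?(a, b)
  da = Digest::SHA256.digest(a).bytes
  db = Digest::SHA256.digest(b).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True only when both the user name and the password match.
def authorized?(env, expected_user, expected_pass)
  creds = basic_credentials(env)
  return false unless creds
  user_ok = secure_equal?(creds[0], expected_user)
  pass_ok = secure_equal?(creds[1], expected_pass)
  user_ok & pass_ok                       # evaluate both, no short circuit
end

if $PROGRAM_NAME == __FILE__
  token = ["scott:s3cret:with:colons"].pack("m0")   # constructed sample
  [{ "HTTP_AUTHORIZATION" => "Basic #{token}" },    # name seen before the upgrade
   { "Authorization" => "Basic #{token}" },         # name seen after the upgrade
   { "Authorization" => "Basic !!!not-base64" },
   {}].each do |env|
    puts "#{env.inspect} -> #{authorized?(env, 'scott', 's3cret:with:colons')}"
  end
end
```

A request that fails the check should get a 401 response with a `WWW-Authenticate: Basic` challenge, and Basic credentials are only encoded, not encrypted, so the controllers belong behind TLS.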
Posted by Scott Laird
Thu, 31 Mar 2005 01:48:38 GMT
My little Rails project at work is starting to wind down finally. I’ve been heads-down on this thing for almost a week, but it seems to be worth it–I have a nice UI around my database, along with a clean schema to replace the hacked-up one from the previous design. I have 8 models, 9 controllers, and 40-some views. Including tests and documentation, I currently have *90* files open in xemacs, a personal record.
Of the 4 days I’ve spent on this, at least one full day was lost to bugs in Rails that I had to find workarounds for. Probably another day was spent searching for examples and documentation on specific Rails features and generally learning how the system fits together. The remaining two days were divided between database/code design (there are some weird controller issues for this application) and HTML design. It’s been years since I last threw together anything more complex than a Movable Type theme, so my web-design skills were years out of date.
All things considered, 4 days doesn’t strike me as amazingly fast for this project, but I doubt that I could have been much faster using any other framework. The big thing that’s impressed me with Rails is the amount of polish that I’ve been able to put into this in a very small amount of time–things like pagination and live searching were nearly trivial to implement. With a bit of practice, I suspect that I could churn out similarly-complex applications in a little over a day, and that would be just astounding.
Posted in Ruby, Work | Tags rails, ruby, rubyonrails, work | no comments
Posted by Scott Laird
Sat, 19 Mar 2005 00:25:36 GMT
Paul Graham seems to be this decade’s most vocal Lisp hacker, constantly spitting out new essays on assorted topics. Today’s essay is on how to spend your time in college. He dishes out a fair bit of useful advice, including bits like this:
If you want to work at a cool little company or research lab, you’ll do better to learn Ruby on Linux.
Heh. That is *so* me. Cool little company, writing Ruby on Linux.
Later on he talks about open-source projects, and how starting your own project to scratch some sort of itch is a great way to gain useful (and marketable) experience:
For example, I stumbled on a good algorithm for spam filtering because I wanted to stop getting spam. Now what I wish I had was a mail reader that somehow prevented my inbox from filling up. I tend to use my inbox as a todo list. But that’s like using a screwdriver to open bottles; what one really wants is a bottle opener.
I find this kind of hilarious, because as everyone knows, Ruby is best known for writing to-do list software.
Having said that, I’d love to see what Graham can spit out on the to-do list front. I could certainly use something better than my inbox or post-it notes, but none of the other alternatives that I’ve tried have really stuck with me. I really need to finish reading Getting Things Done.
Posted in Work | Tags college, essay, paulgraham | 3 comments
Posted by Scott Laird
Tue, 08 Mar 2005 00:31:13 GMT
Today’s weather for Seattle, WA:
60°F, mostly cloudy
Today’s weather for my office:
72°F, light rain.
For the fourth time in the last two years, the air conditioner hiding above my office’s suspended ceiling is dripping, sending a stream of water onto the floor of my office. Fortunately, my current office layout doesn’t have any critical hardware setting underneath the leak.
The really annoying thing is that the leak seems to follow me–my previous office had the same problem, and it was in a completely different building.
Posted in Work | Tags broken, office, seattle | no comments
Posted by Scott Laird
Fri, 22 Oct 2004 21:43:31 GMT
One of the things about startups is that you tend to outgrow office space fairly rapidly. At Internap, I think I had 5 different offices in my first two years, and my current job hasn’t been far behind–we moved into office number 4 last week, just in time for my 2-year anniversary. This is the first time that we’ve been in our own space, though. The previous places were all in Regus’s temporary office space in the Bank of America Tower in Seattle–the tallest building in town, and a pinnacle of impersonal 1980’s corporate architecture. It’s full of lawyers and bank workers. I’m glad to be out.
The corporate website hasn’t been updated with the address of our new office, so I won’t mention it here, but it’s a nice art-deco building from the late ’20s. We have a floor to ourselves, and room to spread out. It feels like home, which Regus never did.
The combination of the move and a couple big projects at work have kept me from blogging much over the past few weeks. Hopefully the next few months will be more productive on both fronts, now that we’re settled in at work and back into the normal flow of work.
Posted in Work | Tags office, seattle, work | no comments
Posted by Scott Laird
Fri, 09 Jul 2004 18:01:52 GMT
I’ve been a full-time professional computer guy now for at least 12 years, and I’ve had paying jobs doing computer support back to 1988. So, it’s not very often that I can say “I did something completely new” today. Sure, things change, I grow professionally, and I take on new responsibilities, but the old mundane stuff is still old and mundane. Except today.
We have a pile of Dell PowerEdge 350 1U servers sitting around the office that we bought for testing and demo purposes a couple years ago. I hate the things–they’re unexpandable, they boot slowly, the front panel is basically a layer of vinyl over a bare circuit board, they use a PCI video card that pops out of its slot every other time you move the system, and they use a bunch of dinky little screws that are too small for reasonable screwdrivers. We’ve had to have Dell replace hardware on about half of the ones that we’ve bought. So anyway, we had to ship one a few weeks ago in what I’ll be charitable and call an “unapproved shipping container,” and USPS returned it a bit the worse for wear. Like, the rack ears were bent back against the case, the CPU heat sink was sliding around the inside of the case, and the hard drives had popped out of their retaining clips. Amazingly enough, it still boots, but we’d be insane to ever trust the system again. So, it sat collecting dust on one end of my desk for a few weeks, until we found ourselves needing another test system.
So, a few minutes ago, I finally re-assembled the system. When I went to put the cover on it, I discovered that the cover didn’t fit–the hard drive carriers had popped out of their little retaining clips, and the back end of the carriers was popping up far enough to keep the case from closing. The clips are really just metal pegs welded to the bottom of the case, but 3 of the 4 of them were visibly crooked, and neither drive would fit.
No problem. I know how to bend sheet metal. So, today, after 16 years of working on computers, I finally got to use a hammer as a computer repair tool. It worked, too–the pins bent, the drives fit, the lid went on, and the system is up and running in the test rack, where it’ll remain far away from any mission-critical work for the rest of its life.
Posted in Work | Tags broken, hammer, hardware | no comments
Posted by Scott Laird
Mon, 24 May 2004 00:40:07 GMT
The whole funeral thing has thrown me off stride a bit at work, and I discovered that I’d left a few things undone that needed to be done before I’m planning on being into the office tomorrow. So I headed into the office for an hour or so this afternoon.
Of course, it’s never quite that easy. I brought Gabe with me to the office, and he’s busy asking me about everything on my desk, and I’d made it 5 minutes down the road before I realized that my laptop was still sitting at home. Then, when I got to the office, I realized that I’d lost my office keys somewhere (they’re probably under the bed in my parents’ guest room), so I had to get the security guard to let me in. Amazingly enough, I was able to get in and get work done.
The fun thing about big office buildings is that they never run the air conditioning on the weekends. As I mentioned once or twice before, I share an office with a rackload of Cisco gear, including a Catalyst 6500, a 7505, a 7200, and a bunch of smaller stuff. I’d realized that it gets hot in here before, but never quite how hot–it was at least 95° in here when I walked in. It was sweltering. Ten minutes after walking in, I asked the 7200 what temperature it was reading, and it claimed that it was 96° F at the inlet. Since it’s in an open rack, that’s probably not that far from the truth.
Posted in Work | Tags weekend, work | no comments
Posted by Scott Laird
Sat, 03 Jan 2004 13:47:10 GMT
<rant on>This has been killing me for about a year: I hate my parking garage at work. They find new ways to irritate me about every other week. I tend to work late hours, leaving work after 7:00 at night. The problem is that my garage closes for the night at 7:00. Since I pay for parking monthly, I have an access card to get me into the garage, but once or twice per month I manage to leave it at home, or in my car, and inevitably I find myself locked out. Half of the time, I can just wait around for someone else to show up with an access card and follow them in, but I hate having to do that. I mean, they obviously have a pile of customers that leave between 7:00 and 8:00 PM, but they don’t seem to think that it’d pay for them to stay open any later.
Even when I have my card, it sucks. This garage valet-parks everyone’s car, which is okay during the day, but it sucks at night. This is an ancient, dark, ugly building on the edge of Pioneer square (read: not a great neighborhood), and they tend to hide my car at night. So, I have to run up and down the stairs and figure out which dark cranny they hid my car in. It’s usually in the bottom corner, slalomed between building support posts, occasionally blocked in by someone else’s car. On Veteran’s Day, it was even better–the garage was closed, but half of the offices downtown were open. It wasn’t that bad parking in the morning, but at 6:00 when I picked up my car, the entire building was pitch black, and I had to run up 5 flights of stairs in the dark, using my cell phone for light. By the time I got to my car, I could only see car-sized objects 2 feet in front of me–it was DARK, and phones don’t make the best flashlights.
Like I said, the garage closes at 7:00. Usually. I’ve been locked out a handful of times by 6:55 or so, even by their punch-clock inside. Now, if you can actually catch them there, the staff’s okay, but the place just doesn’t work for people who work late nights. And find me a programmer who doesn’t work late every now and then?
So, tonight, what did they do? They left my lights on. I finished some server work around 8:15, walked the three blocks to my garage, got in, found the car, and nothing. The dash lights barely glowed at all. It wouldn’t even pretend to turn over. There’s no one around to jump me at 8:30 on a Friday, and I can’t push-start my car uphill, so I’m screwed. I’m on the bus right now; I’ll figure out how to get my car back later.
At least the bus stop is close to work, and there’s a direct run to the park-and-ride closest to my house.
Posted in Work | Tags parking, rants, seattle | no comments
Posted by Scott Laird
Tue, 30 Dec 2003 00:26:48 GMT
Heh. As part of a joke, someone here used the term “remote rebranding” as sort of an analog of “remote reboot” support in an appliance. I love it–think about it–Marketing decides that they don’t like the product name or color, so the product repaints itself on the fly.
Posted in Work | no comments
Posted by Scott Laird
Tue, 11 Nov 2003 19:18:54 GMT
Work needed a headshot of my boss for something, so I dragged my camera (and assorted accessories) to the office today. Of course, I forgot that it was Veterans’ Day, so my parking garage is closed, which really just means that I needed my access card to get in and there were no valets, but I had to lug my big camera/laptop bag (LowePro Stealth Reporter 650 AW, nice bag, but it gets heavy), a light stand, umbrella, and a couple foamcore sheets down the dark stairs in the garage and then a couple blocks uphill to the office. At least the lower entrance to the building wasn’t locked; it usually is on “major” holidays.
All things considered, the photos could have gone better–we were in a hurry, and it’s a pain to get consistent lighting with multiple 550EXes with the D60. It may actually be impossible to get consistent lighting with the D60 and Canon’s E-TTL, but Canon’s wireless multi-flash feature doesn’t work in manual mode. In the end, I had around 20 shots with 2-3 keepers, but nothing spectacular. This is my favorite of the set; it could use a bit more photoshop work to get rid of reflections in the window, and if I was really serious about it I’d probably re-shoot with less contrast, but it gets the idea across.

Posted in Photography, Work | 1 comment
Posted by Scott Laird
Fri, 24 Oct 2003 18:35:19 GMT
Amazing–a book on role-based access control. Enhanced security models like RBAC and MAC have been making their way into Unix and Linux for years, but I still haven’t found a good introduction to either model. Maybe this is finally it. The Linux Journal reviews it:
A good overview of implementing RBAC in the enterprise for students as well as corporate-level decision makers. [Linux Journal]
Amazon has it for $79, or £55 from amazon.co.uk.
Interestingly enough, the UK Amazon has an ebook on HIPAA and RBAC that I didn’t see when searching on amazon.com. That’s strange because HIPAA is a US thing, not a UK thing. I’m not particularly interested in HIPAA, though, and I prefer paper books.
Posted in Books, Computer Security, Computer System Administration, Work | Tags books, rbac, security | 1 comment
Posted by Scott Laird
Wed, 15 Oct 2003 20:54:00 GMT
I’ve been a Unix sysadmin for years, professionally since 1994 or 1995, but my current job is more programming and embedded design than traditional system administration. Since we’re just a small startup, there really isn’t anyone here working on the servers unless things break. When I started, I asked my boss “how much time should I spend as a sysadmin working on our servers” and the answer was “as little as possible.” So I did. When things broke, I fixed them, and when we needed a new box internally for something, I set it up, but that’s pretty much it. Someone else, yet to be hired, will be the sysadmin.
That is, until last week, when we finally broke down and decided that we needed to fix a bunch of things, including printing, LDAP, and Samba. So, I had 3 days in the schedule for sysadmin work, but LDAP ended up taking most of a week to get straightened out. Even though things worked correctly in testing, they didn’t quite work right in production. Plus, I had to wait until after 6:00 or so to work on production systems, and I needed to be in the office at 8:30 or so to verify that things weren’t broken when people showed up. It was a pain, and everything took longer than it was supposed to.
At my previous job, stuff like this was still irritating, but actually rolling things out in production tended to go very smoothly. That’s because we (a) could clone the production environment to produce an accurate test environment and (b) once the test environment worked, we could merge the changes made back onto the production environment.
Of course, we don’t have any of that here, at least not for IT servers. We do have that for our product, but that’s not strictly relevant here. The way that Internap did it was wonderful, but I don’t think it scales down far enough–it’s great with 700 servers, and probably even with 70 servers, but with 7 it’s probably overkill.
Testing is absolutely one place that system administration can learn something from programming. No matter what you think about XP, it’s obvious that automated unit tests are a major win for program reliability. I’ve never worked any place that put any thought at all into automated system testing (outside of a few things like DNS and ping tests), but it seems obvious that it’s a good thing. Or, rather, once the tests exist, running them would be a good thing. Actually creating tests (and a testing framework) is, as always, a pain.
This is one of the things that I want to fix with the server management stuff that I’m slowly working on. Smaller servers are (obviously) easier to test than bigger servers, because the number of weird interactions is lower, and the server’s function is much more obvious.
If anyone has a good source of 27 hour days, let me know.
Posted in Computer System Administration, Work
Posted by Scott Laird
Fri, 03 Oct 2003 18:20:28 GMT
My build server died yesterday. I was working along, minding my own business, when I smelled smoke in my office. A bit of olfactory detective work led me to my build server, which currently sits between a couple bookshelves behind my desk. I killed the power and discovered that the video card in the box had died, leaving a crater along the edge of the card and a big pile of soot on the motherboard.

Gotta love technology.
Posted in Work | no comments
Posted by Scott Laird
Sat, 27 Sep 2003 00:44:34 GMT
We’re starting to get to the point at work where communication between developers is getting difficult. So, I’ve spent about half of today working on getting a wiki working, along with a weblog. I’d really like to have a single, integrated wikilog, but I can’t really find a suitable one. So, a bit of hacking, and I have a wiki that does RSS and a web log that can link WikiWords to the wiki. It’s not perfect, but it’s good enough for now.
Now, all we need is content, and to train people to use it.
Posted in Work | no comments