Category Archives: Admin

Do We Trust Cloud Storage For Privacy?

With more generous offerings from cloud storage providers – up to 50GB free – cloud storage is a tempting alternative for storing some of our data. I have some data which I really do not want to lose. I already have it stored on several devices, however an additional copy in the cloud could help. But how much can I trust cloud providers to keep my data private, even from their own employees? Not that I have something super secret, but somehow I do not like the idea that some bored sysadmin will be browsing my family photos, or that the provider will use my photos for some machine learning algorithms.

Main providers like Dropbox and Google do use some encryption, however they control the encryption keys, so they can theoretically access your data at any time and in the worst case provide it to third parties, like government agencies. From what I have seen looking around, only a few providers like Mega or SpiderOak offer privacy by design – which means all encryption is done on the client and they should not have any access to your keys (zero knowledge). However, how much can we trust that their implementation is flawless or that there are no intentional back-doors left? There were some concerns about Mega security a couple of years ago, but no major issues have appeared since then.

So rather than trusting those guys fully, why not take an additional step and also encrypt our data before sending it to the cloud? Additional encryption will not cost us much CPU time on current hardware (from tests – 11% of one core of an old AMD CPU) and will not slow down transfers, because they are limited by Internet connection bandwidth anyway. And on Linux we have quite a few quality encryption tools like gpg or openssl, which can be relatively easily integrated into our backup/restore chains. In the rest of this article I’ll describe my PoC shell script, which backs up and restores a whole directory to MEGA, while providing additional encryption and decryption on the client side.

Media Server For Music And Audio-Books

Having recently updated my mobile to a 4G device (but still staying on Android), I thought that it was about time to make my audio collection available outside of my home network. At home I use a samba share, which is quite fine for most uses, however enabling access from the internet required a bit more effort. In the following article I’d like to describe the options I’ve been looking at, and the final solution.

Simple Web Applications Deployment via Git

Git is not only a great version control tool, but can also be easily used for web application deployment to testing or production environments. For more complex projects some continuous integration (CI) tools/services (like Jenkins) can be more appropriate, but for smaller projects we can do just fine with Git, SSH and a simple script installed as a git hook. Below is the scenario I’m using for one Python Flask web application.

OpenShift Experiences

PaaS is happily buzzing in the Cloud and it seems to be the hottest topic in infrastructure services today, so I decided to test OpenShift – the PaaS offering from Red Hat. A couple of reasons make this platform interesting – firstly it’s an open source solution, so we can use it to build our own private solution, secondly on the public service we get 3 gears (Linux containers with predefined configuration) for free forever, so it’s easy to experiment with this platform. As a sample project we will create a very simple Python Flask web application with MongoDB.

Check UPnP port mapping on your router

Most modern SOHO routers (like my Asus) support the UPnP IGDP or NAT-PMP protocols to enable hosts on the local network to open and map incoming (from WAN) ports on the router. While these two are different protocols with different origins, they both serve the same purpose, so often they are enabled by a single option in your router configuration (like in my Asus – there is only one option ‘Enable UPnP’, but in fact it enables both protocols).

This automatic incoming port management is very convenient, however it can cause some security problems in your local network. Because normally neither UPnP nor NAT-PMP is authenticated, the whole local subnet is basically trusted, which means that any program (including malware) can open an incoming port as it needs. More detailed description about potential UPnP issues is for instance here.

Tunneling SSH through Restrictive HTTPS Proxy

In one of my past articles I’ve described how to use the HTTP CONNECT method to tunnel other protocols through a proxy. It worked for me for various protocols (mainly email access via IMAP and SMTP), but recently it stopped working for the SSH protocol. After some investigation I’ve found that the proxy is checking what protocol it is tunnelling and expects it to be SSL/TLS. If it is anything else, the proxy closes the connection with an error. It still worked for mail protocols, because they were already wrapped in SSL. But to still be able to use SSH through the proxy a more sophisticated setup was needed – tunnelling SSH through the SSL protocol, which is then tunnelled via the HTTPS proxy (HTTP CONNECT method). Below I describe a setup which works for me.

Running Oracle VM Template for DB 12c in XenServer

As many may know, Oracle VM Server is based on the Xen hypervisor, so it’s possible to run VMs prepared for Oracle VM on other Xen based solutions like XenServer or OCP. The main difference is the management of VMs – Oracle VM is using xm, while recent XenServer is using the newer xapi stack. But paravirtualized Linux kernels can run easily on both.

Oracle provides VM templates for many of its key products – like, for instance, the new Oracle 12c database. In this article we will show how to run the Oracle 12c Database VM template on XenServer 6.2.

Accessing Oracle from Python (with proper unicode support)

It’s not obvious how to set it up right, so I’m putting some notes here:

Installation is described here.
A few comments:

  • ORACLE_HOME is needed just for installation
  • If you add the client library path to /etc/ld.so.conf.d/oracle.conf and run ldconfig, you don’t need to export a modified LD_LIBRARY_PATH
  • Once you have installed the Oracle client library and set the environment, you can also install cx_Oracle via pip install cx_Oracle

The crucial step not mentioned in the installation guide is to set the NLS_LANG environment variable – it has to be in the environment of the Python program that uses cx_Oracle. So for instance for Flask+SQLAlchemy you can have:

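import os
# Set NLS_LANG before the first Oracle connection is opened, so the client library picks it up
if app.config.get('SQLALCHEMY_DATABASE_URI').startswith("oracle"):
    os.environ['NLS_LANG'] = 'AMERICAN_AMERICA.AL32UTF8'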

Without this variable the Oracle client uses 7-bit ASCII! So any unicode character will raise a “UnicodeEncodeError: ‘ascii’ codec can’t encode character” error.

Simple statistics from nginx access logs

I required some simple statistics (selected page visits per day) from web-server logs. I looked at some web log analyzer packages like AWStats, but they looked like overkill in my case – I’d probably have spent more time trying to make one work than putting together a small script. So here it is – a simple bash script that takes all available access logs (by default on Debian nginx uses logrotate to rotate logs daily and keeps 52 daily logs; old logs are gzipped) and calculates page visits for a certain request pattern.