At work we’ve written some monitoring and alerting software. We’ve also automated releases and we wanted to take it to the next level so that the instant there was a new release, we’d deployed to production. This automated releasing of software upon a new release is called Continuous Deployment, or “CD” for short. This post documents the simple yet effective approach we took to achieve CD using just 20 lines of bash.

The 20 lines of bash

Super impatient? I got you. This code will mean a lot more if you read the post below, but I know a lot of engineers want more copypasta and less preachy blog posts:

#!/usr/bin/env bash

# Checks for local version (current) and then remote version on GH (latest)
# and if they're not the same, run update script
#
# uses lasttversion:  https://github.com/dvershinin/lastversion

current=$(cd /root/cht-monitoring;/usr/bin/git describe --tags)
latest=$(/usr/local/bin/lastversion https://github.com/medic/cht-watchdog)

update(){
	cd /root/cht-monitoring
	git fetch
	git -c advice.detachedHead=false checkout "$latest"
	/root/down-up.sh	
}

announce(){
	/usr/bin/curl -sX POST --data-urlencode "payload={\"channel\": \"#channel-name-here\", \"username\": \"upgrade-bot\", \"text\": \"Watchdog has been updated from "$current" to "$latest". Check it out at https://WATCHDOG-URL-HERE\", \"icon_emoji\": \":dog:\"}" https://hooks.slack.com/services/-SECRET-TOKEN-HERE-
}


if [ ! "$current" = "$latest" ];then
	$(update)
	$(announce)
	echo "New version found, upgraded from $current to $latest"
else
	echo "No new version found, staying on $current."
fi

Why use CD?

There’s been a lot written about CD, like this quote:

Engineering teams can push code changes to the main branch and quickly see it being used in production, often within minutes. This approach to software development [allows] continuous value delivery to end users.

– rando GitHub blog post

I’ll add to this and say, as an engineer, it’s also extremely gratifying to have a pull request get merged and then minutes later see a public announcement in Slack that a new release has just automatically gone live. There’s no waiting even to do the release manually yourself, it’s just done for you, every time, all the time! Often when engineers are bogged down by a lengthy release process and slow customer adoption where it can take weeks or months (or years?!) to see their code go live, CD is the antidote to the poison of slowness.

Tools Used

The script uses just one custom binary, but otherwise leans on some pretty bog standard tools:

• git – Since our app is in a local checked out git repository, we can use trivially find out what version is running locally with git describe --tags
  
• curl – We use curl to do the POST to slack using their webhook API. It’s dead simple and requires just a bearer token
  
• lastversion – I found this when searching for an easy and reliable way to resolve what the latest release is for our product. It’s on GitHub and it just made my day! It solved the exact problem I had perfectly and it really Does One Thing Well (well, admittedly also downloads)
  
• down-up.sh – this is the cheating part of this solution ;) This is an external bash script that makes it easy tokeep track of which docker compose files we’re using. Every time we create a new compose file, we add it to the compose down and compose up calls in the script. This ensures we don’t exclude one by accident. It’s just two lines which are something like:
  
  docker compose -f docker-compose.yml -f ../docker-compose-extra.yml down
docker compose -f docker-compose.yml -f ../docker-compose-extra.yml up --remove-orphans -d
  
  
• Inside the repository itself, we’ve hooked up Semantic Release which automatically cuts a new release based on Semantic Versioning (aka “SemVer”)

New release process

With all the tools in place, here’s how we cut a new release, assuming we’re on version 1.10.0:

1. An engineer will open a pull request (PR) with some code changes.
2. The PR will be reviewed by another engineer and any feedback will be addressed.
3. Once approved, the PR is merged to main with an appropriate commit message.
4. A release is automatically created: A fix commit will release version 1.10.1. A feat (feature) commit will release version 1.11.0. A commit citing BREAKING CHANGE will release version 2.0.0
5. Every 5 minutes a cronjob runs on the production server to compare the current local version verses the latest version on GitHub
6. If a new version is found, git is run to check out the latest code
7. The down-up.sh script is called to restart the docker services. We even support updates to compose files citing a newer tag of a docker image in which case docker downloads new releases of upstream. Easy-peasy!
8. A curl command is run to make a POST to the Slack API so an announcement is made in our team’s public channel:

I’ve had a 3d printer for a about 8 months now. It’s been fun to download STLs from the internet and print them. We’ve done articulated snakes and planetary gear prints. It is really amazing to print something in one go that you can move and spin around. Amazeballs!

The kids have printed up little castles and and little knickknacks the designed in TinkerCAD. This has been fun, but I was always bothered that I didn’t know a “real” design program that was also open source. Really that left FreeCAD. I did a tutorial or two on-line which were pretty great. I understood “parametric” and “fully constrained” finally \o/. But, it was time consuming to learn, and I was impatient. I printed up a laptop holder I found online. Time went on.

Recently I got some new mini servers (I’ll save the setup and install story for another blog post) and I wanted to mount them to the wall. I knew this would be pretty trivial to design a custom bracket if I’d learned FreeCAD well enough, but I still hadn’t.

I just decided to go for it, use TinkerCAD even though it was proprietary and online. Not ideal, but I got what I wanted! I made a two left and right brackets that held two mini servers against a plywood board. Perfect!

The point of this blog post is to let other folks know that they should just go for it – don’t let the tools slow you down. Once you see the power of creating something from nothing, and a physical something (not just software), you’ll see how empowering and inspiring it is!

I will say, you won’t get it right on your first try. I already knew this from some earlier prototyping I’d done, so I was ready for the 4 or 5 prints that failed before the final one succeeded. Don’t get flustered when, even after measuring twice before you cut print, that it’s still wrong!

So, here’s what I made:

What you see here are two “L” type brackets that each can hold the corners of two mini servers. Note the hole through the cross brace that allows you to screw in the top screw (the first draft totally lacked this and it was nigh impossible to mount). These are of course rotated up in how you’d mount them, and in a terrible position to print.

While these held the servers pretty well in place, there was still a chance they could tip forward off the wall, so I made a toolless top bracket to match. The nice thing is that you can screw this in as one piece, and the slide off the bracket from the screw mount. Some very light sanding was needed to ensure the two pieces slide together with just the right of amount of friction (showing two of them side by side, but only used one):

And here they are in situ:

If you have little servers and you want the STL, here’s the file and here’s the TinkerCAD link (which may go away b/c I’m not a fan of cloud services).

I hope if you’re thinking about designing your first part from scratch, you go for it!!

I was taking a flight and wanted to play Boggle while onboard. I looked for a simple “show me a Boggle board” app for my phone, and only found ones of dubious quality, ad laden ones or ones that were something like “play a boggle-like game with friends (account required, has ads, is not boggle)”.

Eventually I gave up when I found this great website that generates .png images of Boggle boards. Even better, I could do a bunch of curl calls (with a 5 second sleep in-between, to be nice) to download a BUNCH of boards. Then I could use ImageMagick’s montage to stitch them all together in a 2×4 layout, which printed out nicely. montage -tile 2x4 -mode concatenate *.png output.png to be exact ;) With 4 or 5 pages printed out, I cut out each board, stapled together and made for the perfect Offline Boggle Booklet. Worked great!

However, on the flight I was thinking that it’d be pretty easy to write a bit of JavaScript and bang out a board that worked well offline. Further, I realized that CSS supports transformations, like transform: rotate(90deg)that could even mimic the rotated dice like the site above I referenced. Indeed, by the end of the flight I had all the hard parts worked out. This was mostly me working offline without Stack Exchange to remember this or that. Special thanks to xuth.net for post the source to the perl app which gave me some good ideas on how to write this!

After landing, and doing some refining, I’m happy to present Offline Boggle Boards. Load up the web page before you take off and you’re good to go! Also, for you coder types, pull requests welcome!

Intro

While the venerable Matt Rude has a great write up on compiling the latest SKS server for Ubuntu 18.04, using the one that ships with Ubuntu 18.04 is considerably easier. Given I just did this for work, this blog post has already been 99% written – handy!

The prerequisite for this guide is that you have root on an Ubuntu 18.04 server with a static, public IP address.

Hardening

This is out of scope for this guide, but you should secure your server. I recommend only allowing SSH with public keys, no passwords. If possible, only allow SSH from your subnet, or from behind a VPN/firewall. Only open the ports to the internet for the keyserver (11371) and SSH (22) if you must. Keep your software up to date – consider turning on automatic updates for security releases.

Initial install

Given that there’s a native Ubuntu SKS package, this one command gets you a LOT. All your config files are put in place, your user is created, a cronjob is added and there’s no compiling from source. While compiling is nice for knowing exactly what code you’re runnig, it’s slower and more laborious to get set up.

Run this as root:

apt-get update
apt-get -y install sks gnupg wget apache2 xz-utils


Configure Apache

Apache functions as a reverse HTTP proxy for the SKS HTTP interface, and so binds to the SKS HTTP port (11371) only on the public IP addresses.

Create the file /etc/apache2/sites-available/100-keyserver.conf with the following contents. Be sure to update the SERVER_IP_HERE to be the real IP:

#######################################
# Configuration for SKS reverse proxy #
#######################################

Listen SERVER_IP_HERE:11371
<VirtualHost *:11371>
    <Proxy *>
            Order deny,allow
            Allow from all
    </Proxy>
    ProxyPass / http://127.0.0.1:11371/
    ProxyPassReverse / http://127.0.0.1:11371/
    ProxyVia On
    SetEnv proxy-nokeepalive 1
</VirtualHost>

Run the following commands as root to set up apache with the new vhost and enable the right config. The last command should yield no errors:

a2enmod proxy
a2enmod proxy_http
a2enmod proxy_balancer
a2enmod lbmethod_byrequests
a2ensite 100-keyserver.pch.net.conf
systemctl restart apache2
systemctl status apache2


Configure SKS

As everything was prepped for you with the apt-get install sks call from above, you only have to define server_contact: and hostname:in the /etc/sks/sksconf file. The contact should be your PGP key ID. Mine is 0xA105C2764BF2C4CB, for example. The hostname is the FQDN for your server.

Initialize the SKS Database

Run the following commands to download a recent dump of the SKS database, decompress it, update permissions and import it. This puts less of a load on other SKS servers as we won’t need to synchronize much when we come online.

When running sks-build.sh, select the ”normalbuild” option. This loads all keys into the database, unlike the ”fastbuild” option, which uses the key dump files as a basis over which to operate, but loads the keys much faster. The bunzip2 and load process will take **several hours to complete**.

Run this as root:


mkdir -p /var/lib/sks/dump/
cd /var/lib/sks/dump/
wget -e robots=off -r --no-parent https://mirror.cyberbits.eu/sks/dump
mv mirror.cyberbits.eu/sks/dump/*pgp .
cd /usr/lib/sks/
./sks_build.sh
chown -R debian-sks:debian-sks /var/lib/sks
systemctl enable sks


Note: The source of the key dump for our installation is http://keys.niif.hu/keydump/. However, a key dump may be obtained from any up-to-date SKS key server, since each is a mirror of all the others. Key dumps from public key servers are listed on sks-keyserver’s wiki on GitHub. If required, any of the sources listed on this page may be used to obtain the key dump.

If you need to rebuild the database from a fresh download for some reason, be sure to fully delete the DB file with rm -rf /var/lib/sks/DB first.

Membership File

For your keyserver to be known by others and have it’s keys be up to date via synchronizatoin, you need to contact the keyserver operators so they they list you in their membership file. That way when you list them, the servers will not not error out.

The format of /var/lib/sks/membership is simply KEYSERVER_URL PORT

After you create it, ensure it can be read by SKS:

chown -R debian-sks:debian-sks /etc/sks/memberships

Start and Test

Start your server with systemctl start sks. That’s it! You’re done.

Monitor the log files for any problems during startup and testing: tail -f /var/log/syslog. As well, check the output of systemctl status sks.

To test, open a browser window to http://YOUR_SERVER:11371. Search for a few different keys to verify that key information is being retrieved correctly.

Check the SKS stats page to verify the number of keys loaded: http://YOUR_SERVER:11371/pks/lookup?op=stats

If you have peered with other servers, verify that it is showing up properly in the pool.

I’ll keep this short and sweet: When I read the headline, “EFF sues to kill FOSTA, calling it ‘unconstitutional Internet censorship law'”, I realized how proud I am to support the Electronic Frontier Foundation (EFF) in the form of annual donations. They are an awesome group doing amazing things. Further, my financial support will not wane now that the Tax Cuts and Jobs Act has been passed.

With the direction the current administration is going with human rights and health care, and with the Supreme Court switching up a justice, now, more than ever, is the time to support the causes you believe in. Do you what you can!

As part of putting some good hardware to use, I taught a class on how to use SSH Keys the other week. As this was the first time I taught this class, it took a good long while to do the prep for it. I figured it’d take 6 hours (3 sessions @ 2hr), but I think I ended up putting in closer to 15 hours. There’s still room for improvement!

The slides are available (PDF), as is the video (below). I hope to redo this class so that it’s a generic “learn about SSH Keys” which then could be open to the general public. That said, I’m really glad to see we’re up to 16 containers and the load average is only at 0.37 right now ;)

PS – I know, I know, those are not VMs, they’re actually containers!

After buying USB-C power adapter that didn’t work out, I’d been on the hunt for a replacement. After getting a Chromebook for video chats and music (and curiosity :) which has USB-C charging, I had an extra need for cheap, portable chargers and other simple USB-C accessories.

All these devices were tested on either my ASUS Chromebook Flip C101PA-DB02 or my Dell XPS 13 9350 or both.

What I really wanted was to plug a single cord into my laptop and have it work with my external webcam, external speakers, external 4k monitor @60Hz, external wireless headset and USB3 gigabit NIC. In the end, for stability, I ended up going with two cables: one for power and DisplayPort and one USB3.0 for my USB3.0 hub with everything else. My laptop not crashing makes me be totally OK with the two cables ;)

First up is a good, small travel charger with USB-C and USBA ports. It delivers the full 45W so it’ll work nicely with your MacBook and Dell XPS 13. It’ll work with your MacBook Pro, but not at the full rate as the stock charger. It’s the Yojock YKJ USB-C PD Charger with 45W:

After that, if you want a charger that’ll work at home (read: no folding plug), then this charger with attached cable is quite small and cheap. It’s the Nekteck 45W USB-C charger. It only has USB-C and, beware, my XPS 13 9350 says it’s only delivering 40W, but I’ve had no problems with it keeping my laptop charged even when it’s powering an external 4k monitor, running 4 containers, a full IDE and twenty odd tabs in FireFox.

Then, in the non-power-adapter accessories:

• This Plugable USB-C -> HDMI cable has worked well for a 4k monitor, but limited to 30Hz (source isn’t HDMI 2.0)
• Not a USB-C device per se., I’ve liked being able to easily switch USB inputs to my fancy speakers with RIJER 2 Input USB Switcher.
• If you want to power your laptop (of any wattage) AND have 4k output at 60Hz, then I highly recommend this StarTech USB-C -> DisplayPort adapter with USB-C PD (Power Delivery).
• If you want 4k output at 60Hz, but don’t need to charge your laptop, then this VicTsing USB-C -> DisplayPort adapter is great.
• If you do a lot of domestic flying where they don’t always have outlets, or simply want to power you laptop on the go, I’ve been really happy with the performance, price and weight of the ZeroLemon JuiceBox 20100mAh 45W Battery. It’s the cheapest battery I found that can charge at 45W (and not blow up ;).
• While I tested the HDMI and it worked at 4k @30hz from my ChromeBook, I use this RayCue USB-C Hub with 2xUSB3, 1xHDMI and 1xUSB-C PD with out the HDMI. Cheap and works well!
• Also not a USB-C device, but great to have upstream, is this super solid USB3.0 Hub by Anker. It’s the Anker 10 Port 60W Data Hub with 7 USB 3.0 Ports and 3 PowerIQ Charging Ports.
• Last on the list, also ALSO not USB-C ;) is this awesome USB3 Gigabite ethernet connector. Works on a mac (with driver download) and works on ubuntu (without driver download!!) and I get 100MB+/sec copy speed on my LAN.

These items I don’t recommend as they didn’t work as advertised with my ubuntu laptop;

• ONCHOICE USB-C Hub
• Cable Matters USB C Multiport Adapter (USB C Dock with USB C to DisplayPort 4K 60Hz), 2x USB 2.0, Fast Ethernet, and 60W PD. This crashed my laptop multiple times and the ethernet was slower than when I plugged in a USB2.0 ethernet NIC to itself. The DisplayPort and USB-C PD did work.

To be clear, I am gathering the referral kickbacks from Amazon on these links, but I do use these products and wasn’t paid for the positive review.

If you have questions, feel free to contact me or ask in the comments!

I’m testing out using two of these cute, cheap security cameras:

It’s the v2 of the WyzeCam and it’s only $25 shipped.

While they’re easy to set up, there doesn’t seem to be a way to turn off the mics on them. Here’s the config screen for a camera on the android app as of version 1.2.76 on Apr 26, 2018:

So what’s a hacker to do? Open it up and remove the mic, of course ;)

2019/01/10 Update – At this point in the post, I should let you know that we’re about to permanently remove your camera microphone. As well, there’s a chance you can rip off the antenna cable, effectively bricking your camera.  Only one reader has reported any problems, but as with all DIY modifications, proceed at your own risk and happy hacking!

2018/05/08 Update! – If you just yank off the mic there’s a LOT less disassembly. I had two more cams come through, so I made a video of the whole thing. 10 minutes or less! Otherwise, read on below for old, solder method.

Old Solder method – I was too impatient to take all the step by step photos, but the only tricky part was getting the two plastic plates off after the initial two outer screws. My advise: it takes more force than you think!

You have to fully disassemble the camera to be able to solder out the mic. There were 5 or 6 screws, two ribbon cables and an antenna, speaker and camera power lead that all needed to be taken apart.

Here’s a before and after picture:

After re-assembling both cameras everything still works – w00t! Here’s to hardwired audio privacy, as it should be.