24 October 2019
Recently I upgraded from Ubuntu 19.04 to 19.10. The upgrade was uneventful except for Chromium losing all my saved passwords and personal HTTPS certificates. The main cause of the issue is the new Chromium packaging: as of 19.10 Chromium uses snap packaging instead of deb. You can read the rationale behind the change on the Ubuntu blog.
As a result, on first invocation $HOME/.config/chromium is copied into $HOME/snap/chromium/.config/chromium.
Unfortunately that is not sufficient, as you end up with the following error message
[23083:23264:1024/150717.374528:ERROR:token_service_table.cc(140)] Failed to decrypt token for service AccountId-19854958475897323
The solution is to run
snap connect chromium:password-manager-service
Thanks to this post for providing the solution.
As far as personal HTTPS certificates are concerned, your best course of action is to either export them prior to the upgrade or, if you don’t have that option, download the latest Chromium build, then export the cert and reimport it into your new shiny Chromium :-).
If you are curious which config directory Chromium is using, you can enter the following URL
chrome://version
09 March 2017
Recently at Fastly we have been gradually turning off TLS v1.0 and v1.1 support due to the PCI mandate to deprecate them. You can read about the deprecation policy here.
We also recently received a couple of reports from customers about some Android 4.x users not being able to access some of these endpoints. During the investigation I found the following SSLLabs issue
https://github.com/ssllabs/ssllabs-scan/issues/258
which had a pointer to this post about different vendors packaging a version of Google Chrome as their own built-in browser
http://www.quirksmode.org/blog/archives/2015/02/chrome_continue.html
Unfortunately it appears that some vendors, notably Samsung, standardized on a version of Chrome which did not have TLS v1.2 support, e.g. Chrome 28. The Can I Use site has a nice table of TLS v1.2 support
http://caniuse.com/#search=tls%201.2
This is clearly a major hassle, as it may force you to keep TLS 1.0/1.1 around for longer than you’d like or to educate users to install the latest Google Chrome from the Play Store. To get a better understanding of what the experience may look like, I tested it on my Android 4.2 tablet, and this is what it looks like
This is what the built-in browser capabilities are
Unfortunately this will result in a very nasty error that says secure connection cannot be established
Same device with Google Chrome installed passes the capability test with flying colors
11 May 2016
My children like to play Minecraft, and they often like to play with their friends and cousins who are remote. To do so in the past I would set up my laptop at the house, set up port forwarding on the router, etc. This would often not work, as the router would not accept the changes, my laptop firewall was on, etc. Instead I decided to shift all this to the cloud. In this particular example I will be using Google Cloud Engine since it allows you to have persistent disks. To minimize costs I will automate creation and destruction of the Minecraft server(s) using Hashicorp’s Terraform.
All the Terraform templates and files can be found in this GitHub repo
https://github.com/vvuksan/terraform-playground
You will need to sign up for a Google Cloud account. You may also optionally buy a domain name from a registrar so that you don’t need to enter IP addresses in your Minecraft client. If you do so, rename dns.tf.disabled to dns.tf and change this section
variable "domain_name" {
  description = "Domain Name"
  default     = "change_to_the_domain_name_you_bought.xyz"
}
As described in the README, this set of templates will create a persistent disk where you will store your gameplay and spin up a Minecraft server just for the time being. When you want to play you will need to type
make create
and when you are done playing you will type
make destroy
The cost of this should be minimal. In the TF template I’m setting a persistent disk size of 10 GB (change that in main.tf if you need to). That will cost you approximately $0.40 per month. On top of it you’d be paying for the g1.small instance cost, which is about $0.02 per hour. You can certainly opt for a faster instance by adjusting the instance size in the main.tf file. Also, if you are using DNS there will be DNS query costs, but those should be minimal.
Have fun.
10 May 2016
I was working with a customer trying to configure Fastly’s Log Streaming and ship logs to their Rsyslog server. Fastly supports sending Syslog over TLS; however, it appeared that the TLS handshake was not succeeding, as we would end up with gibberish in the logs, e.g.
May 3 13:22:08 192.168.0.10 #001#000#000M#033#000#020#023#000#001#000#000#016log.domain.com#000#002#000#005#001#000#000#000#000
I looked over a number of different guides with no luck. After trying a number of different things I ended up with the following configuration. This was tested on RSyslog 7 and 8.
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/openandclick.log
kern.*                          -/var/log/kern.log
mail.*                          -/var/log/mail.log

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*

# Setup disk assisted queues
$WorkDirectory /var/log/spool # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

#RsyslogGnuTLS
# CA certificate store. Uses generic Debian/Ubuntu CA store
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
$DefaultNetstreamDriverCertFile /etc/letsencrypt/archive/log.domain.com/fullchain1.pem
$DefaultNetstreamDriverKeyFile /etc/letsencrypt/archive/log.domain.com/privkey1.pem
$DefaultNetstreamDriver gtls

module(load="imtcp" streamdriver.mode="1" streamdriver.authmode="anon")
input(type="imtcp" port="5144" name="tcp-tls")
It will use the TLS certificate from /etc/letsencrypt and listen for TLS connections on port 5144. There is no client authentication, i.e. authmode=anon, so any client that can reach the port can send logs. If you want to authenticate clients you will need to change authmode to e.g.
streamdriver.authMode="name" streamdriver.permittedpeer=["test1.example.net", "test.example.net"]
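The gibberish line quoted earlier in this post is consistent with a TLS ClientHello written out by a listener that is not doing TLS: the length-prefixed server name is still readable in it. The following added example (not part of the original post) scans stored log lines for that pattern; it assumes rsyslog's default control-character escaping of `#` plus three octal digits, and the function names and the second sample line are constructed for illustration.

```python
import re

# Constructed input: the garbled line quoted in this post plus one ordinary syslog line.
SAMPLE_LINES = [
    "May 3 13:22:08 192.168.0.10 #001#000#000M#033#000#020#023#000#001#000#000"
    "#016log.domain.com#000#002#000#005#001#000#000#000#000",
    "May 3 13:22:09 192.168.0.10 sshd[812]: Accepted publickey for deploy",
]

ESCAPE = re.compile(r"#([0-3][0-7]{2})")   # assumed rsyslog default: '#' + 3 octal digits
HOSTNAME = re.compile(rb"[A-Za-z0-9.-]+")


def decode_escapes(text):
    """Turn #ooo control-character escapes back into the raw bytes received."""
    out, pos = bytearray(), 0
    for m in ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1", "replace")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += text[pos:].encode("latin-1", "replace")
    return bytes(out)


def find_sni_candidate(raw):
    """Return a hostname that follows its own 2-byte big-endian length, as in an SNI entry."""
    for i in range(len(raw) - 2):
        n = int.from_bytes(raw[i:i + 2], "big")
        name = raw[i + 2:i + 2 + n]
        if 4 <= n <= 253 and len(name) == n and b"." in name and HOSTNAME.fullmatch(name):
            return name.decode("ascii")
    return None


def classify(line):
    """Label a stored line: TLS bytes on a plaintext input, other binary data, or text."""
    sni = find_sni_candidate(decode_escapes(line))
    if sni:
        return ("tls-on-plaintext", sni)
    if len(ESCAPE.findall(line)) >= 8:
        return ("binary-unknown", None)
    return ("text", None)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), "<-", line[:40])
```

A hit on the first label means a client is speaking TLS to an input that is not configured for it, so the port and stream driver settings on both sides are the first thing to compare.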
03 May 2016
Ubuntu 16.04 Xenial comes with Ganglia Web Frontend 3.6.1 included; however, it doesn’t pull in all the dependencies. If you get an error like this
Sorry, you do not have access to this resource. "); } try { $dwoo = new Dwoo($conf['dwoo_compiled_dir'], $conf['dwoo_cache_dir']); } catch (Exception $e) { print "
you are missing Mod PHP and the PHP7-XML module. To correct that you need to execute the following commands
sudo apt-get install libapache2-mod-php7.0 php7.0-xml ; sudo /etc/init.d/apache2 restart
If you don’t have the Ganglia web frontend enabled, all you need to do is type
sudo ln -s /etc/ganglia-webfrontend/apache.conf /etc/apache2/sites-enabled/001-ganglia.conf
sudo /etc/init.d/apache2 restart