Friday, 15 August 2014

OpenVPN version 2.3.2: using new easyrsa mechanism for multiple users

  1. Server setup
     1. ./easyrsa init-pki   (don't do this twice!)
     2. ./easyrsa build-ca
  2. User key and cert signing request, on a completely separate machine
     1. ./easyrsa init-pki   (don't do this twice!)
     2. ./easyrsa gen-req myuser
  3. Server signs the user cert request
     1. ./easyrsa import-req myuser.req myuser
     2. ./easyrsa sign-req client myuser

Generate your server key and cert in a similar manner to a user.

Any client with a signed cert may connect to the server. There is no record of the client cert on the server itself; since the server signed the user cert, that is authority enough to validate the user cert.

A "revocation file" is created on the server only if a user cert needs to be revoked; this revocation file disallows that user from connecting. If no users need to be revoked, nothing needs to be done, and nothing about the users needs to exist on the server side.

https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
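The two claims above (a signed cert validates against the CA alone, and only a published revocation list excludes a revoked one) as an added demo that is not the page's easyrsa commands: it builds a throwaway CA with the plain openssl CLI, which is assumed to be installed; all names and the config are constructed.

```shell
#!/bin/sh
# Added demo, not the easyrsa flow from the post: a throwaway openssl CA.
# Assumes the `openssl` CLI is installed; names and config are constructed.
set -e
W=$(mktemp -d); cd "$W"
mkdir ca; touch ca/index.txt; echo 01 > ca/serial; echo 01 > ca/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo
[ demo ]
dir              = ./ca
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
new_certs_dir    = $dir
certificate      = ./ca.crt
private_key      = ./ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = pol
[ pol ]
commonName       = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
# 1. Server: create the CA (what easyrsa build-ca does).
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj /CN=demo-ca -keyout ca.key -out ca.crt 2>/dev/null
# 2. Client machine: the key never leaves it; only the request is sent.
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
  -subj /CN=myuser -keyout myuser.key -out myuser.req 2>/dev/null
# 3. Server: sign the request (what easyrsa sign-req client does).
openssl ca -batch -config ca.cnf -in myuser.req -out myuser.crt 2>/dev/null
# Validation needs only ca.crt: the CA signature is the authority.
verify_client() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }
# Revocation: publish a CRL; consulting it is what excludes the user.
openssl ca -config ca.cnf -revoke myuser.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
cat ca.crt crl.pem > ca_and_crl.pem
verify_with_crl() { openssl verify -crl_check -CAfile ca_and_crl.pem "$1" >/dev/null 2>&1; }
verify_client myuser.crt && echo "still valid when the CRL is not checked"
verify_with_crl myuser.crt || echo "rejected once the CRL is consulted"
```

The second verify is the one an OpenVPN server does once a CRL is configured; without it the revoked cert still validates.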

Wednesday, 6 August 2014

Very fast editing over sshfs

Update: this can cause some of your ssh sessions to hang, so be aware of that.

Add this to your ~/.ssh/config:

Host myserver.mydomain.com
  ControlMaster auto
  ControlPath /tmp/%r@%h:%p


Then, say you have root access via your ssh pub key

mkdir tmp001
sshfs -o uid=1000 root@myserver.mydomain.com:/var/www tmp001

Now the files in tmp001 map to your remote /var/www directory. Access to them goes through an ssh session whose control socket is kept in your /tmp directory, i.e. all interactions are multiplexed over the same ssh session.

To see the control socket in /tmp, if you opened the sshfs session within the last 10 minutes:

find /tmp -mmin -10 -ls

Friday, 1 August 2014

AWS cli: rework EBS volume on AMI launch: switch to SSD, "delete on termination" to true

aws ec2 run-instances \
    --image-id ami-aaaaaa \
    --instance-type hi1.4xlarge \
    --security-group-ids sg-eeeeeeee \
    --subnet-id subnet-cccccccc \
    --block-device-mappings '[
        {"DeviceName":"/dev/sdb","VirtualName":"ephemeral0"},
        {"DeviceName":"/dev/sdc","VirtualName":"ephemeral1"},
        {"DeviceName":"/dev/sdd","Ebs":{"SnapshotId":"snap-6","VolumeType":"gp2","DeleteOnTermination":true}}
    ]' \
    --region us-east-1

Note: DeleteOnTermination is a JSON boolean (true), not the string "true"; the CLI's parameter validation rejects the string.

Switch to high IOPS (io1 with provisioned IOPS):

aws ec2 run-instances \
    --image-id ami-aaaaaa \
    --instance-type hi1.4xlarge \
    --security-group-ids sg-eeeeeeee \
    --subnet-id subnet-cccccccc \
    --block-device-mappings '[
        {"DeviceName":"/dev/sdb","VirtualName":"ephemeral0"},
        {"DeviceName":"/dev/sdc","VirtualName":"ephemeral1"},
        {"DeviceName":"/dev/sdd","Ebs":{"SnapshotId":"snap-6","VolumeType":"io1","Iops":4000,"DeleteOnTermination":true}}
    ]' \
    --region us-east-1
