25 Aug 2016

Planet Grep

Xavier Mertens: [SANS ISC Diary] Example of Targeted Attack Through a Proxy PAC File

I published the following diary on isc.sans.org: "Example of Targeted Attack Through a Proxy PAC File".

Yesterday, I discovered a nice example of a targeted attack against a Brazilian bank. It started with an email sample like this … [Read more]

[The post [SANS ISC Diary] Example of Targeted Attack Through a Proxy PAC File has been first published on /dev/random]

25 Aug 2016 6:44am GMT

23 Aug 2016


Xavier Mertens: [SANS ISC Diary] Voice Message Notifications Deliver Ransomware

I published the following diary on isc.sans.org: "Voice Message Notifications Deliver Ransomware".

Bad guys need to constantly find new ways to lure their victims. Billing notifications were very common for a while, but not everyone in a company works with such documents. Which type of notification do they all have in common? Everybody has a phone number, and with modern communication channels ("Unified Communications") like Microsoft Lync or Cisco, everybody can receive a mail with a voice mail notification. Even residential systems can deliver voice message notifications…[Read more]

[The post [SANS ISC Diary] Voice Message Notifications Deliver Ransomware has been first published on /dev/random]

23 Aug 2016 12:38pm GMT

Dries Buytaert: Drupal 8.2, now with more outside-in

Over the weekend, Drupal 8.2 beta was released. One of the reasons why I'm so excited about this release is that it ships with "more outside-in". In an "outside-in experience", you can click anything on the page, edit its configuration in place without having to navigate to the administration back end, and watch it take effect immediately. This kind of on-the-fly editorial experience could be a game changer for Drupal's usability.

When I last discussed turning Drupal outside-in, we were still in the conceptual stages, with mockups illustrating the concepts. Since then, those designs have gone through multiple rounds of feedback from Drupal's usability team and a round of user testing led by Cheppers. This study identified some issues and provided some insights which were incorporated into subsequent designs.

Two policy changes we introduced in Drupal 8 - semantic versioning and experimental modules - have fundamentally changed Drupal's innovation model starting with Drupal 8. I should write a longer blog post about this, but the net result of those two changes is ongoing improvements with an easy upgrade path. In this case, it enabled us to add outside-in experiences to Drupal 8.2 instead of having to wait for Drupal 9. The authoring experience improvements we made in Drupal 8 are well-received, but that doesn't mean we are done. It's exciting that we can move much faster on making Drupal easier to use.

In-place block configuration

As you can see from the image below, Drupal 8.2 adds the ability to trigger "Edit" mode, which currently highlights all blocks on the page. Clicking on one - in this case, the block with the site's name - pops out a new tray or sidebar. A content creator can change the site name directly from the tray, without having to navigate through Drupal's administrative interface to theme settings as they would have to in Drupal 7 and Drupal 8.1.

Editing the site name using outside-in

Making adjustments to menus

In the second image, the pattern is applied to a menu block. You can make adjustments to the menu right from the new tray instead of having to navigate to the back end. Here the content creator changes the order of the menu links (moving "About us" after "Contact") and toggles the "Team" menu item from hidden to visible.

Editing the menu using outside-in

In-context block placement

In Drupal 8.1 and prior, placing a new block on the page required navigating away from your front end into the administrative back end and noting the available regions. Once you discover where to go to add a block, which can in itself be a challenge, you'll have to learn about the different regions, and some trial and error might be required to place a block exactly where you want it to go.

Starting in Drupal 8.2, content creators can now just click "Place block" without navigating to a different page and knowing about available regions ahead of time. Clicking "Place block" will highlight the different possible locations for a block to be placed in.

Placing a block using outside-in

Next steps

These improvements are currently tagged "experimental". This means that anyone who downloads Drupal 8.2 can test these changes and provide feedback. It also means that we aren't quite satisfied with these changes yet and that you should expect to see this functionality improve between now and 8.2.0's release, and even after the Drupal 8.2.0 release.

As you probably noticed, things still look pretty raw in places; as an example, the forms in the tray are exposing too many visual details. There is more work to do to bring this functionality to the level of the designs. We're focused on improving that, as well as the underlying architecture and accessibility. Once we feel good about how it all works and looks, we'll remove the experimental label.

We deliberately postponed most of the design work to focus on introducing the fundamental concepts and patterns. That was an important first step. We wanted to enable Drupal developers to start experimenting with the outside-in pattern in Drupal 8.2. As part of that, we'll have to determine how this new pattern will apply broadly to Drupal core and the many contributed modules that would leverage it. Our hope is that once the outside-in work is stable and no longer experimental, it will trickle down to every Drupal module. At that point we can all work together, in parallel, on making Drupal much easier to use.

Users have proven time and again in usability studies to be extremely "preview-driven", so the ability to make quick configuration changes right from their front end, without becoming an expert in Drupal's information architecture, could be revolutionary for Drupal.

If you'd like to help get these features to stable release faster, please join us in the outside-in roadmap issue.

Thank you

I'd also like to thank everyone who contributed to these features and reviewed them, including Bojhan, yoroy, pwolanin, andrewmacpherson, gtamas, petycomp, zsofimajor, SKAUGHT, nod_, effulgentsia, Wim Leers, catch, alexpott, and xjm.

And finally, a special thank you to Acquia's outside-in team for driving most of the design and implementation: tkoleary, webchick, tedbow, Gábor Hojtsy, tim.plunkett, and drpal.

Acquia's outside-in team celebrating that the outside-in patch was committed to Drupal 8.2 beta. Go team!

23 Aug 2016 7:10am GMT

22 Aug 2016


Claudio Ramirez: Post-it: PROXIMUS_AUTO_FON and TelenetWifree (Belgium) from GNU/Linux (or Windows 7)


Update 20160818: added Proximus RADIUS server.

The Belgian ISPs Proximus and Telenet both provide access to a network of hotspots. A nice recent addition is the use of alternative SSIDs for "automatic" connections instead of a captive portal where you log in through a webpage. Sadly, their support pages provide next to no information to make a safe connection to these hotspots.

Proximus is a terrible offender. According to their support page, on a PC only Windows 8.1 is supported. Linux, OSX *and* Windows 8 (!) or 7 users are kindly encouraged to use the open wifi connection and log in through the captive portal. Oh, and no certificate information is given for Windows 8.1 either. That's pretty silly, as they use EAP-TTLS. Here is the setup to connect from whatever OS you use (terminology from gnome-network-manager):

Security: WPA2 Enterprise
Authentication: Tunneled TLS (TTLS)
Anonymous identity: what_ever_you_wish_here@proximusfon.be
Certificate: GlobalSign Root CA (in Debian/Ubuntu in /usr/share/ca-certificates/mozilla/)
Inner Authentication: MSCHAPv2
Username: your_fon_username_here@proximusfon.be
Password: your_password_here
RADIUS server certificate (optional): radius.isp.belgacom.be

Telenet's support page is slightly better (not a fake Windows 8.1 restriction), but pretty useless as well with no certificate information whatsoever. Here is the information needed to use TelenetWifree using PEAP:

SSID: TelenetWifree
Security: WPA2 Enterprise
Authentication: Protected EAP (PEAP)
Anonymous identity: what_ever_you_wish_here@telenet.be
Certificate: GlobalSign Root CA (in Debian/Ubuntu in /usr/share/ca-certificates/mozilla/)
Inner Authentication: MSCHAPv2
Username: your_fon_username_here@telenet.be
Password: your_password_here
RADIUS server certificate (optional): authentic.telenet.be
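The same two profiles as wpa_supplicant network blocks, as an added example that is not part of the original post. The function refuses to emit a profile unless both a CA certificate and a RADIUS server name are given, because without server validation the inner MSCHAPv2 credentials are offered to any access point that broadcasts the SSID; the GlobalSign_Root_CA.crt file name is an assumption (the post only gives the directory), and domain_suffix_match is wpa_supplicant's equivalent of the GUI's "RADIUS server certificate" field.

```shell
#!/bin/sh
# Added example (not from the original post): print a wpa_supplicant
# network block equivalent to the gnome-network-manager settings above.
# The block is only emitted when the RADIUS server certificate is pinned
# to a CA *and* a server name; otherwise the MSCHAPv2 inner credentials
# would be handed to any AP that announces the SSID.

# Assumed file name; the post only names the directory.
CA_FILE=/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt

# eap_network_block METHOD SSID ANON_ID IDENTITY CA_FILE SERVER_NAME
# METHOD is TTLS (Proximus) or PEAP (Telenet). Prints the block on stdout;
# returns 1 and prints nothing when CA_FILE or SERVER_NAME is empty.
eap_network_block() {
    method=$1; ssid=$2; anon=$3; ident=$4; ca=$5; server=$6
    case "$method" in
        TTLS|PEAP) ;;
        *) echo "unsupported EAP method: $method" >&2; return 1 ;;
    esac
    if [ -z "$ca" ] || [ -z "$server" ]; then
        echo "refusing $ssid: CA certificate and RADIUS server name are both required" >&2
        return 1
    fi
    # The password is left as a placeholder on purpose: fill it in by hand
    # rather than passing secrets on the command line.
    cat <<EOF
network={
    ssid="$ssid"
    key_mgmt=WPA-EAP
    eap=$method
    anonymous_identity="$anon"
    identity="$ident"
    password="your_password_here"
    ca_cert="$ca"
    domain_suffix_match="$server"
    phase2="auth=MSCHAPV2"
}
EOF
}

# Proximus (EAP-TTLS) and Telenet (PEAP), with the values from the post.
eap_network_block TTLS PROXIMUS_AUTO_FON what_ever_you_wish_here@proximusfon.be \
    your_fon_username_here@proximusfon.be "$CA_FILE" radius.isp.belgacom.be
eap_network_block PEAP TelenetWifree what_ever_you_wish_here@telenet.be \
    your_fon_username_here@telenet.be "$CA_FILE" authentic.telenet.be
```

Append the printed blocks to /etc/wpa_supplicant/wpa_supplicant.conf (or feed them to nmcli) and keep the file readable by root only, since it holds the password.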

If you're interested, screenshots of the relevant parts of the wireshark trace are attached here:


Filed under: Uncategorized Tagged: GNU/Linux, Lazy support, proximus, PROXIMUS_AUTO_PHONE, telenet, TelenetWifree, Windows 7

22 Aug 2016 10:37pm GMT

Claudio Ramirez: Vim as a Perl 6 editor

If you're a Vim user you probably use it for almost everything. Out of the box, Perl 6 support is rather limited. That's why many people use editors like Atom for Perl 6 code.

What if, with a few plugins, you could configure Vim to be a great Perl 6 editor? I made the following notes while configuring Vim on my main machine running Ubuntu 16.04. The instructions should be trivially easy to port to other distributions or operating systems. Skip the applicable steps if you already have a working Vim setup (i.e. do not overwrite your .vimrc file).

I maintain my Vim plugins using pathogen, as it allows me to directly use git clones from GitHub. This is especially important for plugins in rapid development.
(If your .vim directory is a git repository, replace 'git clone' in the commands by 'git submodule add'.)

Basic vim Setup

Install vim with scripting support and pathogen. Create the directory where the plugins will live:
$ sudo apt-get install vim-nox vim-pathogen && mkdir -p ~/.vim/bundle

$ vim-addons install pathogen

Create a minimal .vimrc in your $HOME, with at least this configuration (enabling pathogen). Lines commencing with " are comments:

"Enable extra features (e.g. when run systemwide). Must be before pathogen
set nocompatible

"Enable pathogen
execute pathogen#infect()
"Enable syntax highlighting
syntax on
"Enable indenting
filetype plugin indent on

Additionally I use these settings (the complete .vimrc is linked at the end):

"Set line wrapping
set wrap
set linebreak
set nolist
set formatoptions+=l

"Enable 256 colours
set t_Co=256

"Set auto indenting
set autoindent

"Smart tabbing
set expandtab
set smarttab
set sw=4 " number of spaces for indenting
set ts=4 " show \t as 4 spaces and treat 4 spaces as \t when deleting

"Set title of xterm
set title

" Highlight search terms
set hlsearch

"Strip trailing whitespace for certain type of files
autocmd BufWritePre *.{erb,md,pl,pl6,pm,pm6,pp,rb,t,xml,yaml,go} :%s/\s\+$//e

"Override tab espace for specific languages
autocmd Filetype ruby,puppet setlocal ts=2 sw=2

"Jump to the last position when reopening a file
au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") |
\ exe "normal! g'\"" | endif

"Add a coloured right margin for recent vim releases
if v:version >= 703
set colorcolumn=80
endif

"Ubuntu suggestions
set showcmd " Show (partial) command in status line.
set showmatch " Show matching brackets.
set ignorecase " Do case insensitive matching
set smartcase " Do smart case matching
set incsearch " Incremental search
set autowrite " Automatically save before commands like :next and :make
set hidden " Hide buffers when they are abandoned
set mouse=v " Enable mouse usage in visual mode

Install plugins

vim-perl for syntax highlighting:

$ git clone https://github.com/vim-perl/vim-perl.git ~/.vim/bundle/vim-perl


vim-airline and themes for a status bar:
$ git clone https://github.com/vim-airline/vim-airline.git ~/.vim/bundle/vim-airline
$ git clone https://github.com/vim-airline/vim-airline-themes.git ~/.vim/bundle/vim-airline-themes
In vim type :Helptags

In Ubuntu the 'fonts-powerline' package (sudo apt-get install fonts-powerline) installs fonts that enable nice glyphs in the statusbar (e.g. a line effect instead of '>', see the screenshot at https://github.com/vim-airline/vim-airline/wiki/Screenshots).

Add this to .vimrc for airline (the complete .vimrc is attached):
"airline statusbar
set laststatus=2
set ttimeoutlen=50
let g:airline#extensions#tabline#enabled = 1
let g:airline_theme='luna'
"In order to see the powerline fonts, adapt the font of your terminal
"In Gnome Terminal: "use custom font" in the profile. I use Monospace regular.
let g:airline_powerline_fonts = 1


Tabular for aligning text (e.g. blocks):
$ git clone https://github.com/godlygeek/tabular.git ~/.vim/bundle/tabular
In vim type :Helptags

vim-fugitive for Git integration:
$ git clone https://github.com/tpope/vim-fugitive.git ~/.vim/bundle/vim-fugitive
In vim type :Helptags

vim-markdown for markdown syntax support (e.g. the README.md of your module):
$ git clone https://github.com/plasticboy/vim-markdown.git ~/.vim/bundle/vim-markdown
In vim type :Helptags

Add this to .vimrc for markdown if you don't want folding (the complete .vimrc is attached):
"markdown support
let g:vim_markdown_folding_disabled=1

syntastic-perl6 for Perl 6 syntax checking support. I wrote this plugin to add Perl 6 syntax checking support to syntastic, the leading vim syntax checking plugin. See the 'Call for Testers/Announcement' here. Instructions can be found in the repo, but I'll paste them here for your convenience:

You need to install syntastic to use this plugin.
$ git clone https://github.com/scrooloose/syntastic.git ~/.vim/bundle/syntastic
$ git clone https://github.com/nxadm/syntastic-perl6.git ~/.vim/bundle/syntastic-perl6

Type ":Helptags" in Vim to generate Help Tags.

Syntastic and syntastic-perl6 vimrc configuration (comments start with "):

"airline statusbar integration if installed. De-comment if installed
"set laststatus=2
"set ttimeoutlen=50
"let g:airline#extensions#tabline#enabled = 1
"let g:airline_theme='luna'
"In order to see the powerline fonts, adapt the font of your terminal
"In Gnome Terminal: "use custom font" in the profile. I use Monospace regular.
"let g:airline_powerline_fonts = 1

"syntastic syntax checking
let g:syntastic_always_populate_loc_list = 1
let g:syntastic_auto_loc_list = 1
let g:syntastic_check_on_open = 1
let g:syntastic_check_on_wq = 0
set statusline+=%#warningmsg#
set statusline+=%{SyntasticStatuslineFlag()}
set statusline+=%*
"Perl 6 support
"Optional comma separated list of quoted paths to be included to -I
"let g:syntastic_perl6_lib_path = [ '/home/user/Code/some_project/lib', 'lib' ]
"Optional perl6 binary (defaults to perl6)
"let g:syntastic_perl6_interpreter = '/home/claudio/tmp/perl6'
"Register the checker provided by this plugin
let g:syntastic_perl6_checkers = [ 'perl6latest']
"Enable the perl6latest checker
let g:syntastic_enable_perl6latest_checker = 1


YouCompleteMe for fuzzy search autocomplete:

$ git clone https://github.com/Valloric/YouCompleteMe.git ~/.vim/bundle/YouCompleteMe

Read the YouCompleteMe documentation for the dependencies for your OS and for the switches for additional non-fuzzy support for additional languages like C/C++, Go and so on. If you just want fuzzy complete support for Perl 6, the default is ok. If someone is looking for a nice project, a native Perl6 autocompleter for YouCompleteMe (instead of the fuzzy one) would be a great addition. You can install YouCompleteMe like this:
$ cd ~/.vim/bundle/YouCompleteMe && ./install.py


That's it. I hope my notes are useful to someone. The complete .vimrc can be found here.

Filed under: Uncategorized Tagged: Perl, perl6, vim

22 Aug 2016 8:49am GMT

20 Aug 2016


Claudio Ramirez: Please test: first release of syntastic-perl6, a vim syntax checker

I think that Perl 6, as a fairly new language, needs good tooling not only to attract new programmers but also to make the job of Perl 6 programmers more enjoyable. If you've worked with an IDE before, you certainly agree that syntax checking is one of those things that we take for granted. Syntastic-perl6 is a plugin that adds Perl 6 syntax checking in Vim using Syntastic. Syntastic is the leading Vim plugin for syntax checking. It supports many programming languages.

If the plugin proves to be useful, I plan on a parallel track for Perl 6 support in Vim. On one hand, this plugin will track the latest Perl 6 Rakudo releases (while staying as backwards compatible as possible) and be the first to receive new functionality. On the other hand, once this plugin is well-tested and feature complete, it will hopefully be added to the main syntastic repo (it has its own branch upstream already) in order to provide out-of-the-box support for Perl 6.

So, what do we need to get there? We need testers and users, so they can make this plugin better by:

The plugin, with installation instructions, is on its GitHub repo at syntastic-perl6. With a vim module manager like pathogen you can directly use a clone of the repo.

Keep me posted!

Filed under: Uncategorized Tagged: Perl, perl6, vim

20 Aug 2016 9:16pm GMT

19 Aug 2016


Xavier Mertens: [SANS ISC Diary] Data Classification For the Masses

I published the following diary on isc.sans.org: "Data Classification For the Masses".

Data classification isn't a brand new topic. International organizations and the military have been doing "data classification" for a long time. It can be defined as:

"A set of processes and tools to help the organization to know what data are used, how they are protected and what access levels are implemented"

Military's levels are well known: Top Secret, Secret, Confidential, Restricted, Unclassified.

But organizations are free to implement their own scheme, and there are variations. NATO uses: Cosmic Top Secret (CTS), NATO Secret (NS), NATO Confidential (NC) and NATO Restricted (NR). EU institutions use: EU Top Secret, EU Secret, EU Confidential, EU Restricted. The most important thing is to have the right classification for your business… [Read more]

[The post [SANS ISC Diary] Data Classification For the Masses has been first published on /dev/random]

19 Aug 2016 6:31am GMT

17 Aug 2016


Claudio Ramirez: Split one flac (+ cue) file into separate tracks (update: including embedded cue files)


You may have backed up your music CDs as a single flac file instead of one file per track. If you need to split the CD flac, do this:

Install the needed software:

$ sudo apt-get install cuetools shntool

Split the album flac file into separate tracks:

$ cuebreakpoints sample.cue | shnsplit -o flac sample.flac

Copy the flac tags (if present):

$ cuetag sample.cue split-track*.flac

The full howto can be found here (aidanjm).

Update (April 18th, 2009):
In case the cue file is not a separate file, but included in the flac file itself do this as the first step:

$ metaflac --show-tag=CUESHEET sample.flac | grep -v ^CUESHEET > sample.cue

(NB: The regular syntax is "metaflac --export-cuesheet-to=sample.cue sample.flac"; however, the cue sheet is often embedded in a tag instead of the CUESHEET block.)

Posted in Uncategorized Tagged: flac, GNU/Linux, music

17 Aug 2016 10:49pm GMT

16 Aug 2016


Mattias Geniar: TCP vulnerability in Linux kernels pre 4.7: CVE-2016-5696

The post TCP vulnerability in Linux kernels pre 4.7: CVE-2016-5696 appeared first on ma.ttias.be.

This is a very interesting vulnerability in the TCP stack of Linux kernels older than 4.7. The bad news: there are a lot of systems online running those kernel versions. The bug/vulnerability is as follows.

Red Hat Product Security has been made aware of an important issue in the Linux kernel's implementation of challenge ACKs as specified in RFC 5961. An attacker which knows a connection's client IP, server IP and server port can abuse the challenge ACK mechanism to determine the accuracy of a normally 'blind' attack on the client or server.

Successful exploitation of this flaw could allow a remote attacker to inject or control a TCP stream's contents in a connection between a Linux device and its connected client/server.

* This does NOT mean that cryptographic information is exposed.
* This is not a Man in the Middle (MITM) attack.
[oss-security] CVE-2016-5389: linux kernel -- challange ack information leak

In short: a successful attack could hijack a TCP session and facilitate a man-in-the-middle attack and allow the attacker to inject data, i.e. altering the content on websites, modifying responses from webservers, ...

This Stack Overflow post explains it very well.

The hard part of taking over a TCP connection is to guess the source port of the client and the current sequence number.

The global rate limit for sending Challenge ACKs (100/s in Linux) introduced together with Challenge ACK (RFC5961) makes it possible in the first step to guess a source port used by the client's connection and in the next step to guess the sequence number. The main idea is to open a connection to the server and send with the source of the attacker as many RST packets with the wrong sequence mixed with a few spoofed packets.

By counting how many Challenge ACKs get returned to the attacker and by knowing the rate limit one can infer how many of the spoofed packets resulted in a Challenge ACK to the spoofed client and thus how many of the guesses were correct. This way one can quickly narrow down which values of port and sequence are correct. This attack can be done within a few seconds.

And of course the attacker needs to be able to spoof the IP address of the client, which is not true in all environments. It might be possible in local networks (depending on the security measures) but ISPs will often block IP spoofing when done from the usual DSL/cable/mobile accounts.

TCP "off-path" Attack (CVE-2016-5696)

For RHEL (and CentOS derivatives), the following OSes are affected.


While it's no permanent fix, the following config will make it a lot harder to abuse this vulnerability.

$ sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999

And make it permanent so it persists on reboot:

$ echo "net.ipv4.tcp_challenge_ack_limit=999999999" >> /etc/sysctl.d/net.ipv4.tcp_challenge_ack_limit.conf

While the attack isn't actually prevented, it is damn hard to reach the ACK limits.
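A small POSIX shell check, added here and not part of the original post, that decides from the kernel version and the current net.ipv4.tcp_challenge_ack_limit whether a host runs a pre-4.7 kernel and whether the sysctl from the post is already in place. The threshold of 1,000,000 ACKs/s for calling the limit "hardened" is this example's own assumption.

```shell
#!/bin/sh
# Added example, not the post's own code: is this host affected by
# CVE-2016-5696 (kernel older than 4.7) and has the challenge-ACK limit
# from the post already been raised? The decision functions take their
# inputs as arguments so they can be checked against constructed values;
# "check" mode reads the live system.

# kernel_pre_47 VERSION : true when VERSION (as printed by uname -r,
# e.g. 3.10.0-327.el7.x86_64) is older than 4.7, the first fixed release.
kernel_pre_47() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}      # keep leading digits only ("10.0-327" -> 10)
    minor=${minor:-0}
    case $major in ''|*[!0-9]*) return 2 ;; esac   # unparsable version
    [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 7 ]; }
}

# challenge_ack_limit_hardened LIMIT : true when the per-second limit is so
# high that counting challenge ACKs no longer gives a usable side channel.
# 1,000,000/s is this example's assumed threshold; the post sets 999999999
# and the kernel default was 100.
challenge_ack_limit_hardened() {
    case $1 in ''|*[!0-9]*) return 2 ;; esac
    [ "$1" -ge 1000000 ]
}

# check_host VERSION LIMIT : prints a verdict; returns 0 when no action is
# needed and 1 when the sysctl from the post should be applied.
check_host() {
    if ! kernel_pre_47 "$1"; then
        echo "kernel $1: not affected (4.7 or newer)"
        return 0
    fi
    if challenge_ack_limit_hardened "$2"; then
        echo "kernel $1: affected, mitigation in place (tcp_challenge_ack_limit=$2)"
        return 0
    fi
    echo "kernel $1: affected, tcp_challenge_ack_limit=$2 -> run:" \
         "sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999"
    return 1
}

main() {
    limit=$(cat /proc/sys/net/ipv4/tcp_challenge_ack_limit 2>/dev/null || echo unknown)
    check_host "$(uname -r)" "$limit"
}

# Evaluate the live host only when invoked as: sh check_ack.sh check
case "${1-}" in check) main ;; esac
```

The exit status of "check" mode is 1 when the mitigation is missing, so it can be dropped into a fleet-wide audit loop.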

Further reading:


16 Aug 2016 10:13am GMT

Dries Buytaert: Drupal goes to Rio


As the 2016 Summer Olympics in Rio de Janeiro enters its second and final week, it's worth noting that the last time I blogged about Drupal and the Olympics was way back in 2008 when I called attention to the fact that Nike was running its sponsorship site on Drupal 6 and using Drupal's multilingual capabilities to deliver their message in 13 languages.

While watching some track and field events on television, I also spent a lot of time on my laptop with the NBC Olympics website. It is a site that has run on Drupal for several years, and this year I noticed they took it up a notch and did a redesign to enhance the overall visitor experience.

Last week NBC issued a news release that it has streamed over one billion minutes of sports via their site so far. That's a massive number!

I take pride in knowing that an event as far-reaching as the Olympics is being delivered digitally to a massive audience by Drupal. In fact, some of the biggest sporting leagues around the globe run their websites off of Drupal, including NASCAR, the NBA, NFL, MLS, and NCAA. Massive events like the Super Bowl, Kentucky Derby, and the Olympics run on Drupal, making it the chosen platform for global athletic organizations.


Update on August 24: This week, the NBC Sports Group issued a press release stating that the Rio 2016 Olympics was the most successful media event in history! Digital coverage across NBCOlympics.com and the NBC Sports app set records, with 3.3 billion total streaming minutes, 2.71 billion live streaming minutes, and 100 million unique users. According to the announcement, live streaming minutes for the Rio games nearly doubled that of all Olympic games combined, and digital coverage amassed 29 percent more unique users than the London Olympics four years prior. Drupal was proud to be a part of the largest digital sporting event in history. Looking forward to breaking more records in the years to come!

16 Aug 2016 7:05am GMT

12 Aug 2016


Mattias Geniar: youtube-dl: download audio-only files from YouTube on Mac

The post youtube-dl: download audio-only files from YouTube on Mac appeared first on ma.ttias.be.

I may or may not have become addicted to a particular video on YouTube, and I wanted to download the MP3 for offline use.

(Whether it's allowed or not is up for debate, knowing copyright laws it probably depends per country.)

Luckily, I remember I featured a YouTube downloader once in cron.weekly issue #23 that I could use for this.

So, a couple of simple steps on Mac to download the MP3 from any YouTube video. All further commands assume the Brew package manager is installed on your Mac.

$ brew install ffmpeg youtube-dl

To download and convert to MP3:

$ youtube-dl --extract-audio --audio-format mp3 --prefer-ffmpeg https://www.youtube.com/watch?v=3UOtF4J9wpo
 3UOtF4J9wpo: Downloading webpage
 3UOtF4J9wpo: Downloading video info webpage
 3UOtF4J9wpo: Extracting video information
 3UOtF4J9wpo: Downloading MPD manifest
[download] 100% of 58.05MiB
[ffmpeg] Destination: 3UOtF4J9wpo.mp3

Deleting original file 3UOtF4J9wpo.webm

And bingo, all that remains is the MP3!


12 Aug 2016 8:30pm GMT

Frank Goossens: Music from Our Tube; Lianne La Havas singing a Little Prayer

Burt Bacharach! Aretha Franklin! Dionne Warwick! My Best Friends Wedding (with the lobster gloves)! And now also Lianne La Havas, live, solo with the public singing background-vocals. Goosebumps!


12 Aug 2016 3:02pm GMT

11 Aug 2016


Mattias Geniar: Mark a varnish backend as healthy, sick or automatic via CLI

The post Mark a varnish backend as healthy, sick or automatic via CLI appeared first on ma.ttias.be.

This is a useful little command for when you want to perform maintenance on a Varnish installation and want to dynamically mark backends as healthy or sick via the command line, without restarting or reloading varnish.

See varnish backend health status

To see all backends, there are 2 methods: a debug output and a normalized output.

$ varnishadm -S /etc/varnish/secret -T localhost:6082 backend.list
Backend name                   Refs   Admin      Probe
backend1(,,80)        1      probe      Sick 0/4
fallback(,,80)      12     probe      Healthy (no probe)

$ varnishadm -S /etc/varnish/secret -T localhost:6082 debug.health
Backend backend1 is Sick
Current states  good:  0 threshold:  2 window:  4
Average responsetime of good probes: 0.000000
Oldest                                                    Newest
---------------------------------------------------------------- Happy

The backend.list shows all backends, even those without a probe (= healthcheck) configured.

The debug.health command will show in-depth statistics on the varnish probes that are being executed, including the IPv4 connect state, whether a send/receive has worked and if the response code was HTTP/200.

For instance, a healthy backend will be shown like this, with each state of the check (IPv4, send, receive & HTTP response code) on a separate line.

$ varnishadm -S /etc/varnish/secret -T localhost:6082 debug.health
Backend backend1 is Healthy
Current states  good:  5 threshold:  4 window:  5
Average responsetime of good probes: 0.014626
Oldest                                                    Newest
4444444444444444444444444444444444444444444444444444444444444444 Good IPv4

Now, to change backend statuses.

Mark a varnish backend as healthy or sick

In order to mark a particular backend as sick or healthy, thus overriding the probe, you can do so like this.

$ varnishadm -S /etc/varnish/secret -T localhost:6082 backend.set_health backend1 healthy

The above command will mark the backend named backend1 as healthy. Likewise, you can mark a backend as sick to prevent it from getting traffic.

$ varnishadm -S /etc/varnish/secret -T localhost:6082 backend.set_health backend1 sick

If you have multiple Varnish backends and they're configured in a director to load balance traffic, all traffic should gracefully be sent to the other backend(s). (see the examples in mattiasgeniar/varnish-4.0-configuration-templates)

If you mark a backend explicitly as sick, the backend.list output changes and the admin column removes the 'probe' and marks it as 'sick' explicitly, indicating it was changed via CLI.

$ varnishadm -S /etc/varnish/secret -T localhost:6082 backend.list
Backend name                   Refs   Admin      Probe
backend1(,,80)        1      sick       Sick 0/4
fallback(,,80)      12     probe      Healthy (no probe)

You can also change it back to let Varnish decide the backend health.

Mark the backend as 'varnish managed', let probes decide the health

To let Varnish decide the health itself, using its probes, mark the backend as auto again:

$ varnishadm -S /etc/varnish/secret -T localhost:6082 backend.set_health backend1 auto

So to summarise: the backend.set_health command in varnishadm allows you to manipulate the health state of Varnish backends, overriding the result of a probe.

Useful when you're trying to gracefully update several backend servers, by marking backends as sick one by one without waiting for the probes to discover that backends are sick. This method allows you to do things gracefully before the update.
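An added example, not from the post: a shell filter over backend.list output that lists every backend whose Admin column is not "probe", i.e. whose health was pinned via backend.set_health, plus the riskier subset forced healthy while the probe reports Sick. Running it after maintenance catches backends somebody forgot to set back to auto. The sample listing is constructed in the format the post shows; the varnishadm flags are the post's.

```shell
#!/bin/sh
# Added example (not from the post): report backends whose health has been
# pinned by an operator instead of being decided by their probe.

# Constructed sample in the backend.list format shown in the post.
SAMPLE_BACKEND_LIST='Backend name                   Refs   Admin      Probe
backend1(,,80)        1      sick       Sick 0/4
backend2(,,80)        3      healthy    Sick 0/4
fallback(,,80)      12     probe      Healthy (no probe)'

# overridden_backends : reads backend.list output on stdin and prints
# "<name> <admin> <probe state>" for every backend not under probe control
# (Admin column != probe). The header line (NR == 1) is skipped and the
# "(,,80)" address suffix is stripped from the name.
overridden_backends() {
    awk 'NR > 1 && $3 != "probe" { sub(/\(.*$/, "", $1); print $1, $3, $4 }'
}

# forced_healthy_but_sick : the dangerous subset, admin=healthy while the
# probe says Sick. Traffic is sent to a backend the probe knows is broken.
forced_healthy_but_sick() {
    awk 'NR > 1 && $3 == "healthy" && $4 == "Sick" { sub(/\(.*$/, "", $1); print $1 }'
}

# live : the same query as in the post against the running Varnish.
live() {
    varnishadm -S /etc/varnish/secret -T localhost:6082 backend.list
}

case "${1-}" in
    live) live | overridden_backends ;;
    *)    printf '%s\n' "$SAMPLE_BACKEND_LIST" | overridden_backends ;;
esac
```

Invoke it with the "live" argument on a Varnish host; without arguments it runs over the constructed sample.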


11 Aug 2016 7:30pm GMT

09 Aug 2016


Mattias Geniar: zsh: slow startup for new terminals

The post zsh: slow startup for new terminals appeared first on ma.ttias.be.

I couldn't quite put my finger on the why, but I was experiencing slower and slower startups of my terminal when using zsh (combined with the oh-my-zsh extension).

In my case, this was because of a rather long history file that gets loaded whenever you start a new terminal.

$  wc -l ~/.zsh_history
   10005 /Users/mattias/.zsh_history

Turns out, loading over 10k lines worth of shell history whenever you launch a new shell is hard for a computer.

This was my fix:

$ cp ~/.zsh_history ~/.zsh_history.1
$ echo '' > ~/.zsh_history

I had to use echo because the shortcut that would normally work on Bash didn't work here;

$ > ~/.zsh_history

Either way, that stopped zsh from starting slowly for me.


09 Aug 2016 8:30pm GMT

Mattias Geniar: Docker Cheat Sheet

The post Docker Cheat Sheet appeared first on ma.ttias.be.

An interesting Docker cheat sheet just got posted on the @Docker Twitter account that's worth sharing. Because it got linked to a strange domain (pdf.investintech.com, really?) I'll mirror it here -- I feel the original link will one day go down.


Alternative links:

Good stuff Docker, thanks for sharing!


09 Aug 2016 4:23pm GMT

08 Aug 2016


Mattias Geniar: Awk trick: show lines longer than X characters

The post Awk trick: show lines longer than X characters appeared first on ma.ttias.be.

Here's a quick little awk trick to have in your arsenal: if you want to search through a bunch of files, but only want to show the lines that exceed X amount of characters, you can use awk's built-in length check.

For instance:

$ awk 'length > 350'
$ awk 'length < 50' 

If you combine this with a grep, you can do things like "show me all the lines that match TXT and that exceed 100 characters in length".

$ grep 'TXT' * | awk 'length > 100'

Super useful to quickly skim through a bunch of logs or text-files.


08 Aug 2016 8:30pm GMT