Compiling Ruby Enterprise Edition on Solaris 10
Posted by Sam
I wanted to try out Phusion's Ruby Enterprise Edition and hopefully Phusion's Passenger. From what I've read I know they are a pretty Linux centric pair of developers so I wasn't surprised at all that their Ruby Enterprise Edition installer didn't actually install on Solaris 10 despite using gnu tools. Fortunately, it was pretty easy to bypass their installer and compile it like I would with MRI. Here's a quick rundown of what I did to get it compiled.
Here's what I did to get Ruby Enterprise Edition compiled on Solaris 10. This assumes you are using gcc from Blastwave.
bash-3.00# wget http://rubyforge.org/frs/download.php/38084/ruby-enterprise-1.8.6-20080507.tar.gz
bash-3.00# gtar xvf ruby-enterprise-1.8.6-20080507.tar.gz
bash-3.00# cd ruby-enterprise-1.8.6-20080507/source
bash-3.00# ./configure --with-openssl-dir=/opt/csw --with-readline-dir=/opt/csw \
--with-iconv-dir=/opt/csw --prefix=/opt/rubyenterprise
bash-3.00# make
bash-3.00# make install
That's all there is to it. I wish Phusion wasn't so Linux centric. I'm going to try and get mod_rails or passenger or whatever it's called this week compiled next, but I don't think it's going to go quite so easy.
Tags: ruby
Images Belong in the Database
Posted by Sam
Logical Reasons
The more web programming and system administration I do the more I'm convinced that images and other forms of uploaded content belong in the database. I've pretty strongly suspected this for many a years but it's becoming more and more clear that this is just how things need to be. There are many reasons. Some are technical and some are logical, but all signs point to loading images in the database. Below are just a couple.
I'll start with the logical reason first and then get to the technical reasons. Logically all other forms of dynamic content will reside in the database yet programmer after programmer insists on putting images and other uploaded content on the filesystem. Now you've got some content in the database and it's tied to content on the filesystem. Suddenly the nice clean line is broken. You've blurred the lines on who does what and where it goes. What usually happens is programmers forget to clean up after themselves so files references are deleted in the database but still exist on the file system. You know why this happens? Because you shouldn't have put it there in the first place. Repeat after me - dynamic content in the database and application files in the filesystem. Got it?
Technical Reasons
So know that we've got the logical reasons behind us what are some of the technical reasons? For starters your database(s) will always be in sync. That's what they are meant to do. That's what they have to do. Your database(s) have to be synchronized. Your site depends on it. It doesn't matter if it's a simple site with a single database server or a huge site with a dozen database servers. You have to keep your database servers in sync. And databases are good at it. It's much much easier to scale out database servers than file servers. Having all your dynamic content in the database keeps everything in sync.
Some people will wrongly argue that having files in the database will cause slowdowns. To that I say....um maybe, but only if you're doing it wrong. Databases are very fast and have excellent caching but it's highly likely that multiple web servers can server images straight from disk faster than a database. Well that's great, but images still belong in the database. And in this case you can have your cake and eat it too. Check out this article about caching images on the file system with Rails. Hrm, one extra line of code lets you cache your image on the file system. Doesn't seem to bad to me. Elegant, simple and lightning fast.
The Reason for the Rant
Time after time I'm responsible for deploying other people's crappy software. They invariably come up with some stupid solution that lets them click the checkbox that says their product will work on a load balancer, but they neglect to tell you upfront what ridiculous hoops you have to jump through to get it work. The most recent product is called Ektron. I can't say what it's like to work with from a programming stand point but from an admin stand point it's a nightmare. Instead of loading the images in the database like they should they instead force you to share out files and do this dumb little virtual directory linking to the other servers. It's just annoying and not even close to elegant, but then I have yet to see a CMS system that is so I wasn't surprised. Thankfully the Ruby on Rails team understands what it takes to scale apps and they provide you with a nice foundation. If only the rest of the world would catch up.
Tags: rubyonrails web rant
The 5 Minute Guide to Securing Solaris
Posted by Sam
Disclaimer
This is a super quick guide to securing a Solaris server. It's not in depth and I highly recommend taking a deeper look at the technologies that are used.
Install Solaris Security Toolkit (formerly called JASS)
- Download Solaris Security Toolkit
- install and run
# pkgadd -d . SUNWjass
# /opt/SUNWjass/bin
# ./jass-execute secure.driver
A ton of stuff will scroll by. If you need remote access be sure to edit the tcp wrappers allow file otherwise you'll be locked out of the box. Also, if you remotely log in to SSH as root you'll need to allow root access and restart SSH. I always double check that I can remotely log in before closing the current console.
Links for Solaris Security Toolkit
Activate BSM Auditing
Auditing will let you watch as little or as much as you want on your box. It's also zone aware so you can see exactly what's going on in a specific zone. Here's a quick run through on how to turn it on and what I'm monitoring on my boxes. Keep in mind if you have a busy box these settings can produce some very large logs and slow down your system. Take a look at the links to learn exactly what these settings do and then decide how much logging you need.
- Edit /etc/security/audit_control so that it looks like this:
dir:/var/audit
flags:lo,ex,ad,pc,fm,fw,-fc,-fd,-fr
minfree:10
naflags:lo,ex,ad - Edit /etc/security/audit_startup so it looks like this:
/usr/bin/echo "Starting BSM services."
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -setpolicy +argv,arge
/usr/sbin/auditconfig -setpolicy +zonename
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
- Run the bsmconv script
/etc/security/bsmconf - Add the following line to the crontab
0 0 * * * /usr/sbin/audit -n - Reboot and check out your newly created logs in /var/audit
Links for BSM Auditing
Showing Blastwave Packages with Upgrades Available
Posted by Sam
I love love love Blastwave. I couldn't imagine using Solaris without it. One of the annoying things though is if you want to see if newer packages are available you have to wade through every package that they have. And they have a lot. So here is a super simple one liner for showing just the packages that need to be upgraded.
pkg-get -c | grep -v "Not installed" | grep -v SAME | \
mailx -s "Blastwave Updates" yourname@example.com
And since you are probably using Solaris Zones here is a simple script that will look in all non-global zones and email out a report. Currently this sends one email per zone but that could easily be changed to send one email per physical box.
#!/usr/bin/sh
for zone in `/usr/sbin/zoneadm list | /usr/bin/grep -v global`; do
zlogin $zone "/opt/csw/bin/pkg-get -c | \
/usr/bin/grep -v \"Not installed\" | \
/usr/bin/grep -v SAME | \
/usr/bin/mailx -s \"Blastwave Updates for $zone\" yourname@example.com"
done
The Initial release of ZoneMan
Posted by Sam
I've been wanting to switch from BIND to PowerDNS for a while now but I haven't been able to find any admin tools that worked the way I wanted them to. This is the problem when you can write software. It seems that hardly anything is just right. Since PowerDNS can use a SQL back-end it seems that everybody wants to create a web admin which is fine for lots of things. One of the things I'm working on now is something I like to call Agile Systems Administration. If nobody has coined the term to date I'm coining it now. Basically I'm looking for ways to automate whatever I can. Since I deploy a LOT of sites DNS was an obvious choice to start automating.
This is where ZoneMan comes into play. It's a command line tool that works with MySQL, PostgreSQL or any other database that Rails works with. The usage is pretty simple. Here's an example of adding a new record.
$ ./zoneman add_record example.com www.example.com A 10.1.1.1
That's it. To break out what we just did. add_record is the command. Example.com is the domain that you are adding the record to. www.example.com is the record itself. 'A' is the record type. And lastly '10.1.1.1' is where the record is pointing to. Using that example you can see how easy it is to script new site setups from the DNS perspective. You can wrap that command in a bash script and make it even shorter.
example.com has been created
The initial release is already hosted at RubyForge. It's very rough and untested. I've also set up a project page on this site. If you have suggestions feel free to leave them in the comments. I hope to make this a very useful tool for managing PowerDNS. Enjoy.