Alex N. Jose

Updating CA root certificate bundle on Synology

Alex N. Jose — Thu, 20 Jan 2022 00:07:23 GMT

I ran into the issue of my Synology NAS not being able to pull from my local Docker registry:

docker: Error response from daemon: Get "https://redacted-local-hostname.net/v2/": x509: certificate has expired or is not yet valid

Turns out my Synology hasn't been picking up the latest CA root certificates. I could verify that this is the issue by running curl

curl -I https://alexnj.com  
curl: (60) SSL certificate problem: certificate has expired  
More details here: https://curl.haxx.se/docs/sslcerts.html  
...

Fixing this turned out rather easy. The commands below download the up-to-date root certificates from curl.se, in PEM format. We move it to the place where Synology keeps the CA-certificate bundle, overwriting it. We create a backup of the origin CA-certificate bundle, with a .backup extension, just in case you'd want to revert for any reason.

cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.backup  
wget --no-check-certificate https://curl.se/ca/cacert.pem  
mv cacert.pem /etc/ssl/certs/ca-certificates.crt

After this, the same curl command started succeeding. However, Docker was still throwing the same error — meaning it didn't pick up the updated root certificates. Solution? Let's try restarting the Synology Docker daemon:

synoservice --restart pkgctl-Docker

That took care of it. If you run into the same issue with your Synology, hope this helps!

Useful Docker commands

Alex N. Jose — Sun, 26 Jul 2020 18:40:03 GMT

Debug a stopped container, or open a shell into one

Since Docker doesn't allow a container's entrypoint being modified, we need to create a new container on the same image, and modify entrypoint to be a shell. One can use the command below to shell into a Docker image to examine contents, or to debug the image.

docker run -it --entrypoint sh node:10-alpine

Replace the image name, node:10-alpine with the correct image name. Shell here is sh, which is available in Alpine images, but you can change it with any other command as well.

Fix for wrong domain suffix for local devices in USG networks

Alex N. Jose — Sun, 19 May 2019 18:06:57 GMT

If you have the issue of your devices (especially Macs) picking up the wrong domain suffix during DHCP with your Ubiquity USG gateways, the issue is with USG's implementation.

USG remembers the preferred DNS hostname of local devices as they negotiate DHCP, and records it in its /etc/hosts file. When clients change their preferred name, USG doesn't seem to respect it, and continues to vendor the previously cached name from hosts file.

To fix this:
1. Login to your USG gateway via SSH
2. Open its /etc/hosts file and remove all the cached entries.
3. Reboot USG gateway and force your clients to reconnect and acquire new DHCP leases.

Enable mouse-wheel scroll on tmux with iTerm2

Alex N. Jose — Wed, 27 Mar 2019 17:56:12 GMT

The trick is to enable mouse support. Add the following line to ~/.tmux.conf:

setw -g mouse on

LetsEncrypt+Docker to issue certificates against DNS challenge

Alex N. Jose — Fri, 08 Feb 2019 19:19:09 GMT

Running LetsEncrypt in Docker is the best way to ensure DNS plugins are available, regardless of your platform.

First, create two folders conf and lib in the current folder. We'll setup these as two-way shares between Docker container and host, and use to get certificates once the steps are complete.

sudo docker run -it \  
  --rm --name certbot \
  --mount src="$(pwd)/conf",target=/etc/letsencrypt,type=bind \
  --mount src="$(pwd)/lib",target=/var/lib/letsencrypt,type=bind  \
  certbot/certbot certonly --manual \
  --preferred-challenges dns

Create two-way shares between Docker host and container

Alex N. Jose — Wed, 06 Feb 2019 19:47:47 GMT

If you are using Docker volumes to copy files over to a container and would like to have two-way sharing (i.e., container changes to reflect on host folder), here's the docker-compose syntax to be used:

volumes:  
  shared:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: "/home/alexnj/projects/test/shared"

services:  
  web:
    build: .
    command: npm run start
    volumes:
      - shared:/app/shared

Install telegraf on Raspbian Lite

Alex N. Jose — Sat, 19 Jan 2019 00:29:52 GMT

First add InfluxDB repository:

curl -sL https://repos.influxdata.com/influxdb.key | sudo apt-key add -
source /etc/os-release
test $VERSION_ID = "7" && echo "deb https://repos.influxdata.com/debian wheezy stable" | sudo tee /etc/apt/sources.list.d/influxdb.list
test $VERSION_ID = "8" && echo "deb https://repos.influxdata.com/debian jessie stable" | sudo tee /etc/apt/sources.list.d/influxdb.list
test $VERSION_ID = "9" && echo "deb https://repos.influxdata.com/debian stretch stable" | sudo tee /etc/apt/sources.list.d/influxdb.list

Followed by installing Telegraf service:

sudo apt-get update 
sudo apt-get install telegraf
sudo service telegraf start

Avoiding require('../../../relative/path') hell in Node.js

Alex N. Jose — Sat, 02 Jun 2018 01:54:09 GMT

A frequent problem that you might run into in your Node.js application is requiring your local dependencies using a relative path notation. I.e., similar to require('../../../config/app'). This can soon become confusing, error prone and a huge productivity loss trying to hit the right level of directory structure.

The most elegant way that I have come across so far is an npm package module-alias.

With the package installed, I can then configure aliases like @app and @root that makes local dependency locations manageable and much more pleasant to interact with.

To configure, install the package as usual:

npm i module-alias --save

As the first line of your program entrypoint, i.e, index.js or server.js, register the package:

require('module-alias/register')

Aliases are defined in package.json, as follows:

  "_moduleAliases": {
    "@app": "./src",
    "@root": "."
  },

This setup now allows you to refer to your local dependencies as:

const userRoutes = require('@app/routes/user')

// or using import
import User from '@app/models/User'

That works for your server-side application. What about client? Fortunately, this package can also be used with Webpack, which allows use of alias via its resolve configuration. An example configuration webpack.config.js snippet is below:

const packageJson = require('./package.json')

let webpackConfig = {  
  // ...
  resolve: {
    alias: packageJson._moduleAliases
  },
  // ...
}

This pulls in the same alias definitions from package.json. From that point, you can refer to client-side dependencies also with the same @app/path/to/file syntax.

If you are using less-loader with Webpack resolver, the syntax for @imports are as below example (Note the preceding ~, which enables less-loader version 4 and above to resolve using Webpack's resolver):

@import (reference) "~@app/styles/mixins/buttons.less";

Hope that helps. If you are aware of a better pattern, please share via comments below.

Fix for OSX 10.11+ losing Wifi speed after sleep

Alex N. Jose — Tue, 23 Jan 2018 01:33:08 GMT

If your Wifi connection is going slow after a deep sleep after OSX 10.11 upgrade, fix is to disable "Wake for network access" in Energy Saver settings.

Uncheck "Wake for Wi-Fi network access" and reboot. Sleep shouldn't reduce the Wifi speed.

Configuring IPTables to allow traffic to Parse with fail2ban

Alex N. Jose — Thu, 04 May 2017 15:02:23 GMT

If you have fail2ban installed to protect your server, run the following:

iptables -A IN_public_allow -p tcp -m tcp --dport 1337 -j ACCEPT

Once you test the configuration, make the ruleset permanent by:

service iptables save

Install Fail2Ban on Ubuntu and CentOS

Alex N. Jose — Wed, 03 May 2017 05:11:18 GMT

Ubuntu

Install Fail2Ban.

sudo apt-get update  
sudo apt-get install fail2ban

Review configuration at /etc/fail2ban/jail.conf to see if you want to modify any default values.

Create a local jail config as below:

vim /etc/fail2ban/jail.local

with the following contents:

[ssh-iptables]

enabled  = true  
filter   = sshd  
action   = iptables[name=SSH, port=ssh, protocol=tcp]  
logpath  = /var/log/secure  
maxretry = 5

Start Fail2Ban service:

sudo service fail2ban start

To see which IPs are blocked:

iptables -L -n

CentOS

Install Fail2Ban.

yum install epel-release  
yum install fail2ban

Review configuration at /etc/fail2ban/jail.conf to see if you want to modify any default values.

Create a local jail config as below:

vim /etc/fail2ban/jail.local

with the following contents:

[ssh-iptables]

enabled  = true  
filter   = sshd  
action   = iptables[name=SSH, port=ssh, protocol=tcp]  
logpath  = /var/log/secure  
maxretry = 5

Start Fail2Ban service:

chkconfig --level 23 fail2ban on  
service fail2ban start

To see which IPs are blocked:

iptables -L -n

Keeping Docker container time in sync with host on OSX

Alex N. Jose — Thu, 23 Mar 2017 01:17:52 GMT

Docker containers on your Mac can get their time skewed over the time your Mac sleeps and wakes up. This happens because Docker doesn't sync container time with host hardware clock on wake up. This can be a nag when you are dealing with an API server like Amazon S3, which requires requests to be signed with time and a very short expiry.

Fortunately, the fix isn't that hard with the sleepwatcher brew.

brew install sleepwatcher  
brew services start sleepwatcher  
echo /usr/local/bin/docker run --rm --privileged \  
    node:argon hwclock -s > ~/.wakeup
chmod +x ~/.wakeup

What does this do? Using sleepwatcher, schedule a forced hwclock -s sync in containers each time the Mac wakes up from sleep. Here I'm using node:argon as my OS name. Be sure to replace that with the OS image you are using.

Ember: Using RESTAdapter with a nested API endpoint to POST a new record

Alex N. Jose — Sun, 05 Mar 2017 12:29:31 GMT

Problem statement:
1. You are using Ember Data and have two models, say Blog and Post where Post has defined a DS.belongsTo('Blog') relationship.
2. Your API endpoint is nested, i.e., the endpoint to create a post is taking a POST request to /blog/:blogId/posts.
3. You are using RESTAdapter

The correct solution is to create an adapter override at app/adapters/post.js with the appropriate method to provide the correct endpoint URL. See the sample below:

import ApplicationAdapter from './application';

export default ApplicationAdapter.extend({  
    urlForCreateRecord(modelName, snapshot) {
        let blogID = snapshot.belongsTo('blog').id;
        return `/${this.namespace}/blogs/${blogID}/posts`;
    }
});

Here we are using the snapshot object to get the parent model and its ID to construct the URL. This is about the minimal override I could find, compared to overriding the complete createRecord, for example. Hope it helps!

Using multiple SSH identities with Git

Alex N. Jose — Thu, 24 Nov 2016 18:20:05 GMT

Starting with version 2.10, Git allows the SSH command used for a single repo to be configured within the repository configuration.

Within the repo, run:

git config core.sshCommand "ssh -i ~/.ssh/id_rsa.github.alexnjose -F /dev/null"

For initial clone of the repo, you can make use of the GIT_SSH_COMMAND environment variable:

GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa.github.alexnjose -F /dev/null" \  
    git clone git@github.com:alexnj/dotfiles.git

Self-hosting a Continuous Integration server using Drone.

Alex N. Jose — Tue, 01 Nov 2016 09:20:58 GMT

This article will help you setup a self-hosted continuous integration and delivery server using Drone.

What you'll need:

A DigitalOcean account.
A GitHub or BitBucket account. For this article's purpose I'm going to assume your code is on GitHub.

Once this setup is complete, you will be able to import your projects into the newly setup CI server and have it automatically build and deploy your commits.

1. Create and configure a DigitalOcean droplet.

Use the DigitalOcean UI to create an Ubuntu 14.04 droplet. For demonstration purposes, I'm going to use the smallest instance available. For real life use cases, depending on the size and computation needs of your builds, feel free to pick a more configured box.

Make sure to check the SSH Keys section and provide your local development box's public SSH key (id_rsa.pub contents) to DigitalOcean so you can login without a password for root. The password-less login is only a preference here, but is highly recommended for added security.

Through the rest of the article, I will be referring to the public IP address of this droplet as DROPLET_IP. Anytime you see this, replace it with the public IP of your droplet.

ssh root@DROPLET_IP

PS: Please follow the guide at https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04 to setup more swap memory on the droplet. This will help you run more sizable builds and keep it from running out of memory during builds.

2. Install Docker

Drone ships as a single Docker image. We need to enable Docker support on the droplet first to install Drone. Start by updating your box:

sudo apt-get update  
sudo apt-get -y upgrade

Add docker repository key to apt-key for package verification:

sudo apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D

Add the docker repository to Apt sources:

echo "deb https://apt.dockerproject.org/repo ubuntu-trusty main" | sudo tee /etc/apt/sources.list.d/docker.list

Update the repository with the new addition:

sudo apt-get update

Finally, download and install docker:

sudo apt-get -y install docker-engine

3. Setup an Application ID on GitHub.

Drone needs an application ID registered with one of the supported code hosting providers to be able to integrate and execute builds. For more information, read Remote Drivers on Drone Wiki.

For the purpose of this article, I'm going to use GitHub.

Go to GitHub's Settings > OAuth applications and provide a name for your CI server, the publicly accessible URL and an authorization callback URL. The most important one here is the Authorization callback URL. Make sure you provide http://${ip-or-hostname-of-droplet}/authorize as the URL here.

Once the application is created, note down the Client ID and Client Secret parameters of the application. We'll need it in the next step.

4. Install Drone.

Drone ships as a single binary file and is distributed as a minimalist 20 MB Docker image. Download the official Drone image from DockerHub:

sudo docker pull drone/drone:0.4

Create a /etc/drone/dronerc file. Docker will use this file to load environment variables from disk.

mkdir /etc/drone  
vim /etc/drone/dronerc

Please note these variables should never be quoted. Use the Client ID and Client Secret from the previous step here. Enter the following, by replacing with appropriate values:

REMOTE_DRIVER=github  
REMOTE_CONFIG=https://github.com?client_id=....&client_secret=....

Create and run the Drone Container:

sudo docker run \  
    --volume /var/lib/drone:/var/lib/drone \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    --env-file /etc/drone/dronerc \
    --restart=always \
    --publish=80:8000 \
    --detach=true \
    --name=drone \
    drone/drone:0.4

At this point, if you direct your browser to the IP/host name of your droplet, you should be able to see Drone running and ready to setup your first project. Congratulations!