So Ubuntu are now starting to collect “telemetry data”. It’s an opt-out “feature” (but not 100%), but this is a bad move.
Maybe time to start evaluating other distros, because it’s a slippery slope that WILL only mine more and more data with every release; and ultimately it will antagonize compliance requirements for EXPLOINSIGHTS Inc., which are already difficult enough to manage.
Server Updates
Updating critical software is something not to be taken lightly. It’s nerve-wracking when your business operations rely upon such systems.
What has helped EXPLOINSIGHTS Inc. (EI) sleep better at night is the extensive use of unprivileged containers or so-called virtual machines. Most of the EI support software is installed on unprivileged LXC containers, which is a standard component of the Ubuntu 16.04 Linux distribution.
Today was a typical day for EI: an update to a major release of Nextcloud. This critical software houses EI’s data and is the hub for data sharing with customers and stakeholders. If this upgrade goes wrong, my customers can’t download their files. #Embarrassing – or maybe even worse; loss of critical data? To make it more enjoyable, I am not in the office today – so the update has to be performed remotely via secure SSH. That’s an excellent recipe for high stress…normally.
So how did EI mitigate this update risk? With the following simple command entered at the host machine terminal via secure SSH access (i.e. WITHOUT SuperUser privileges!):
LXC snapshot NC pre-13-upgrade
That’s it. Painless. Super-safe (no Superuser rights!). Blindingly fast. Very efficient. And this creates a full working snapshot of the EI current cloud configuration – files, links, settings, SSL-certs, SQL database, apache2 configs – absolutely everything needed to completely restore the setup should the upgrade process break something critical.
Breaking this command down:
- LXC – this is the command we issue to fire up the Ubuntu LXC/LXD virtual machine management hypervisor, followed by three parameters:
- snapshot – tells LXC to take a full working snapshot of the running instance;
- NC – the name of the EI container that runs the Nextcloud instance – the one we want to backup;
- pre-13-upgrade – a name assigned to the snapshot (easy to remember).
Yes, it’s that simple. After that, the Nextcloud upgrade process was initiated…and as it happens, everything went smoothly, so the snapshot was NOT actually needed to recover the pre-version-13 upgrade – but it will be kept for a while just to make sure there are no bugs waiting in the shadows. Here’s the new EI cloud instance:
If a major problem arises, then the following command entered at the same terminal, again as a non-SuperUser, restores the entire pre-version 13 instance:
LXC restore NC pre-13-upgrade
#NoWorries 🙂
This restore command overwrites the current instance with the pre-upgraded and fully functioning snapshot. The only risk is losing files/links created since completing the upgrade process – way better than a total rebuild.
LXC makes it so convenient to update major platforms. The entire process was fast, safe; easy. And because all the work is performed in non-SuperUser unprivileged mode, it comes with the confidence of knowing you can’t accidentally break an important part of the core system on the way. It’s so good, it’s almost boring – but only almost.
Checkout using LXC to run your small business support software, it’s better than prescription-grade sleeping tablets for helping you with the upgrade process! Official documents are here. And there’s a ton of useful tutorials to get you started – Google is your friend.
OpenVPN Server
EXPLOINSIGHTS now has its own VPN service. As expected, the transfer speeds are much slower then when in the main office or on a trusted network:
But it is at least operational as a beta-service today, and the speeds are more than adequate for simple file transfers/emails. This provides me with greater end to end data protection as and when I connect via hotels/airports/coffee-houses etc.
I know the service is working because this blog entry is made via the VPN network, and it shows my IP location as being:
And I am not physically near Kingsport now, just as the VPN service should so indicate.
And it works great on my Android devices too:
For the techies: I tried installing this in an LXC container but failed, with all kinds of permission errors that I could not fix, so the service is installed on a completely separate device for now. I would be grateful for some pointers from anyone on how to overcome the permission-issues of openvpn installation on an unprivileged LXC container. 🙂
Managing Power Cuts
Well it’s not as if power cuts are a new thing. But I had to learn this before I was ready of course:
- Router resets itself after a power-cut. No surprises there;
- Ubuntu LXC containers assign a new MACVLAN address when you launch a new container from an old one (like after major changes, or a make-over, as I have done a few times now);
- If containers have a new MACVLAN, they won’t connect to your static assigned LAN IP’s after a power-cut, but they won’t drop a current router LAN connection beforehand even if the MACVLAN MAC ID changes. In other words, unless you remember to do this at the time of creating a new container, you have a surprise coming the next time the router reboots;
- ..After said power-cut, if your public-IP facing server is one that had a new MAC ID assigned then your your public-IP facing server suddenly has no port 80 and 443 traffic, as the router is sending it to the OLD fixed LAN IP;
- You go to access a site (say this blog…), and nothing works!
NET RESULT –> Everything goes down and it requires a little groping-in-the-dark to find out what happened.
- My fault. I should reset my connections when I launched new containers. Better yet, I might even one day soon learn to use the non-MACVLAN network connector so I don’t have to bother that anymore, but that’s a job for another day.
- Dumb-luck bonus: my SSH is tunneled directly to my host machine, not the LXC containers, and the MAC address of my hardware at least has not changed – so I could at least log back in via SSH to the LXC host after the router had power restored. That made it easy to see my new LAN IP addresses so I could make correct assignments to the router for forwarding ports from WAN to LAN; and to the haproxy server for routing to the LAN servers. So the tip here is – if you elect to use MACVLAN, always SSH into the LXC host, not the LXC container. 🙂
So today’s admin work: reset static LAN IP’s to the LXC containers that have new MAC ID’s via MACVLAN setting and forward ports to the new IP address of the haproxy public-ip facing proxy server. And all this was after power was restored, which in itself was more groping in the dark… 🙂
Tip: you can find/verify MAC ID from this command:
lxc info container_name
And, also today…after that self-inflicted fiasco, I ordered an uninterruptible power supply for my modem and router as power-cuts clearly have the potential to catch me flat-footed again. 🙂
New Office Capability
Part of my NIST-800-171 Implementation and Compliance Plan:
I now have a portal to an “OnlyOffice” document office server to create and edit Office documents ONLINE. The “OnlyOffice” document server is linked to the EXPLOINSIGHTS Nextcloud file storage server so I can create and store documents that are stored at my work office, all via HTTPS connection of course:
And of course I can share directly from the server, using two-factor authentication with expiring links:
#MakingProgress
But I have work to do on the SSL side, not that this is “terrible”, but I know it can be better. This is the system at launch (1-Feb-2018). Watch this space…
UPDATE 6th Feb 2018 – FIXED SSL cert (via web-server configuration):
I could probably beef up the other parameters, but I reduce my audience a little: older browsers might not be able to handle my already tight configuration. So this is it for a while, until I learn of a reason to spend more time on this. 🙂
2FA – WordPress
WordPress fans FYI. This plugin:-
- Two-Factor Authentication for WordPress using the Android/iPhone/Blackberry app as One Time Password generator.
WORKS with the release of WordPress 4.9.2, even though the plugin records say it’s “untested” with this version of WP. 🙂
#JustSayin