Recent posts

Script for generating STIR/SHAKEN certificates (including self-signed)

March 25, 2024

While working on my company’s implemenation of STIR/SHAKEN, I ran into a very basic issue – how do I easily create test self-signed SHAKEN certificates?

While I did find a couple of posts on how to do this, I wanted a nice script that would accomplish the following:

Generate either a self-signed certificate or a key/CSR pair for use with an official certificate authority
Allow easy passing of the certificate subject information (Country, State, Locality, etc.)
Create certificate filenames with a unique identifier, to prevent name collisions (by default, the identifier is a UNIX timestamp)

Below is the script I came up with:

#!/usr/bin/env bash set -e # Set default values for variables BUILD_DIR="/tmp/stir-shaken" CA_DIR="${BUILD_DIR}/ca" SP_DIR="${BUILD_DIR}/sp" SP_CREATED_FILES_LIST="${SP_DIR}/stir_shaken_files.txt" IDENTIFIER=$(date +%s) DEBUG_MODE=0 SELF_SIGNED=0 CERT_COUNTRY="" CERT_STATE="" CERT_LOCALITY="" CERT_ORG="" CERT_OU="" CERT_CN="SHAKEN" # Default, 5 years. SP_PRIVKEY_EXPIRY_DAYS=${SP_PRIVKEY_EXPIRY_DAYS:-1825} # Default, 1 year. SP_PUBKEY_EXPIRY_DAYS=${SP_PUBKEY_EXPIRY_DAYS:-366} usage() { echo cat << EOF Usage: ${0} [-b BUILD_DIR] [-i IDENTIFIER] [-d] [-h] [-s] <CERT_COUNTRY> <CERT_STATE> <CERT_LOCALITY> <CERT_ORG> <CERT_OU> [CERT_CN] Arguments: -h : Show this help message -s : Generate self-signed certificate -i IDENTIFIER : Unique Key/Cert/CSR identifier (default: current timestamp) -d : Enable debug mode -b BUILD_DIR : Build directory (default: ${BUILD_DIR}) CERT_COUNTRY : Required. Certificate subject country CERT_STATE : Required. Certificate subject state CERT_LOCALITY : Required. Certificate subject locality CERT_ORG : Required. Certificate subject organization CERT_OU : Required. Certificate subject organizational unit CERT_CN : Certificate subject common name (default: SHAKEN) Environment overrides: SP_PRIVKEY_EXPIRY_DAYS: Default: ${SP_PRIVKEY_EXPIRY_DAYS} SP_PUBKEY_EXPIRY_DAYS: Default: ${SP_PUBKEY_EXPIRY_DAYS} EOF exit 1 } log() { echo "$1" } log_debug() { if [[ ${DEBUG_MODE} -eq 1 ]]; then echo "$1" fi } log_error() { echo "$1" >&2 } validate_cert_info() { if [[ -z "${CERT_COUNTRY}" || -z "${CERT_STATE}" || -z "${CERT_LOCALITY}" || -z "${CERT_ORG}" || -z "${CERT_OU}" || -z "${CERT_CN}" ]]; then echo log_error "ERROR: Incomplete certificate subject information." log_error "Please provide all of the following: CERT_COUNTRY, CERT_STATE, CERT_LOCALITY, CERT_ORG, CERT_OU" echo usage fi } make_build_dir() { log "Cleaning old certs" rm -rf "${BUILD_DIR}" mkdir -p "${BUILD_DIR}" } create_sp_key() { log "Creating SP key" local sp_key="stir_shaken_sp_key_${IDENTIFIER}.pem" mkdir -p "${SP_DIR}" cd "${SP_DIR}" openssl ecparam -noout -name prime256v1 -genkey -out ${sp_key} } create_self_signed_certs() { log "Creating CA certificate and key" local sp_key="stir_shaken_sp_key_${IDENTIFIER}.pem" local sp_csr="stir_shaken_sp_csr_${IDENTIFIER}.pem" local sp_cert="stir_shaken_sp_cert_${IDENTIFIER}.pem" local ca_key="stir_shaken_ca_key.pem" local ca_cert="stir_shaken_ca_cert.pem" mkdir -p "${CA_DIR}" cd "${CA_DIR}" openssl ecparam -noout -name prime256v1 -genkey -out ${ca_key} openssl req -x509 -new -nodes -key ${ca_key} -sha256 -days ${SP_PRIVKEY_EXPIRY_DAYS} -subj "/O=${CERT_ORG}/CN=${CERT_CN}" -out ${ca_cert} cd "${SP_DIR}" log "Configuring TNAuthList" cat >TNAuthList.conf << EOF asn1=SEQUENCE:tn_auth_list [tn_auth_list] field1=EXP:0,IA5:1001 EOF openssl asn1parse -genconf TNAuthList.conf -out TNAuthList.der cat >openssl.conf << EOF [ req ] distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] commonName = "${CERT_CN}" [ v3_req ] EOF od -An -t x1 -w TNAuthList.der | sed -e 's/ /:/g' -e 's/^/1.3.6.1.5.5.7.1.26=DER/' >> openssl.conf log "Creating SP certificate" openssl req -new -nodes -key ${sp_key} -keyform PEM -subj "/C=${CERT_COUNTRY}/ST=${CERT_STATE}/L=${CERT_LOCALITY}/O=${CERT_ORG}/OU=${CERT_OU}/CN=${CERT_CN}" -sha256 -config openssl.conf -out ${sp_csr} log "Signing SP certificate" openssl x509 -req -in ${sp_csr} -CA "${CA_DIR}/${ca_cert}" -CAkey "${CA_DIR}/${ca_key}" -CAcreateserial -days ${SP_PUBKEY_EXPIRY_DAYS} -sha256 -extfile openssl.conf -extensions v3_req -out ${sp_cert} log "Verifying CA certificate" if [[ ${DEBUG_MODE} -eq 1 ]]; then openssl x509 -in "${CA_DIR}/${ca_cert}" -text -noout else openssl x509 -in "${CA_DIR}/${ca_cert}" -noout > /dev/null 2>&1 fi if [[ $? -ne 0 ]]; then echo log_error "ERROR: CA certificate verification failed." echo exit 1 fi log "Verifying SP certificate" if [[ ${DEBUG_MODE} -eq 1 ]]; then openssl x509 -in "${SP_DIR}/${sp_cert}" -text -noout else openssl x509 -in "${SP_DIR}/${sp_cert}" -noout > /dev/null 2>&1 fi if [[ $? -ne 0 ]]; then echo log_error "ERROR: SP certificate verification failed." echo exit 1 fi log "Setting proper permissions on generated files" chmod 600 "${CA_DIR}/${ca_key}" "${SP_DIR}/${sp_key}" chmod 644 "${CA_DIR}/${ca_cert}" "${SP_DIR}/${sp_csr}" "${SP_DIR}/${sp_cert}" echo "Key: ${SP_DIR}/${sp_key}" > "${SP_CREATED_FILES_LIST}" echo "Certificate: ${SP_DIR}/${sp_cert}" >> "${SP_CREATED_FILES_LIST}" log "Self-signed STIR/SHAKEN certificate generated successfully!" log "Key: ${SP_DIR}/${sp_key}" log "Certificate: ${SP_DIR}/${sp_cert}" log "Created files list written to: ${SP_CREATED_FILES_LIST}" } create_csr() { log "Creating CSR for SP certificate" local sp_key="stir_shaken_sp_key_${IDENTIFIER}.pem" local sp_csr="stir_shaken_sp_csr_${IDENTIFIER}.pem" openssl req -new -nodes -key ${sp_key} -keyform PEM -subj "/C=${CERT_COUNTRY}/ST=${CERT_STATE}/L=${CERT_LOCALITY}/O=${CERT_ORG}/OU=${CERT_OU}/CN=${CERT_CN}" -sha256 -out ${sp_csr} log "Verifying CSR" if [[ ${DEBUG_MODE} -eq 1 ]]; then openssl req -in "${SP_DIR}/${sp_csr}" -text -noout else openssl req -in "${SP_DIR}/${sp_csr}" -noout > /dev/null 2>&1 fi if [[ $? -ne 0 ]]; then echo log_error "ERROR: CSR verification failed." echo exit 1 fi log "Setting proper permissions on generated files" chmod 600 "${SP_DIR}/${sp_key}" chmod 644 "${SP_DIR}/${sp_csr}" echo "Key: ${SP_DIR}/${sp_key}" > "${SP_CREATED_FILES_LIST}" echo "CSR: ${SP_DIR}/${sp_csr}" >> "${SP_CREATED_FILES_LIST}" log "STIR/SHAKEN CSR generated successfully!" log "Key: ${SP_DIR}/${sp_key}" log "CSR: ${SP_DIR}/${sp_csr}" log "Created files list written to: ${SP_CREATED_FILES_LIST}" } # Process script arguments while getopts ":b:i:dhs" opt; do case ${opt} in h) usage;; s) SELF_SIGNED=1;; i) IDENTIFIER="${OPTARG}";; d) DEBUG_MODE=1;; b) BUILD_DIR="${OPTARG}";; \?) log_error "Invalid option -${OPTARG}"; usage;; esac done shift $((OPTIND -1)) # Set certificate subject information from positional arguments CERT_COUNTRY="${1:-$CERT_COUNTRY}" CERT_STATE="${2:-$CERT_STATE}" CERT_LOCALITY="${3:-$CERT_LOCALITY}" CERT_ORG="${4:-$CERT_ORG}" CERT_OU="${5:-$CERT_OU}" CERT_CN="${6:-$CERT_CN}" validate_cert_info make_build_dir create_sp_key if [[ ${SELF_SIGNED} -eq 1 ]]; then create_self_signed_certs else create_csr fi

Credit to the original source posts, here and here.

FreeSWITCH Dbh 'fetch' convenience functions for Lua

July 1, 2020

freeswitch.Dbh is the method I’ve chosen for connecting to a database via a Lua script in FreeSWITCH.

The interface is simple to use, and provides all the basics needed to communicate with a database via a configured ODBC driver.

One thing I found lacking, however, were ‘fetch’ type helper functions, that:

Returned a multi-row result in a table of tables
Returned a single-row result in a table
Returned a single-row, single-column result directly.

Below are the helper functions I came up with. You might also be able to extend the dbh object directly with methods – I just chose to pass the dbh object into a standalone function call.

--[[ Wrapper for freeswitch.Dbh to fetch results into an indexed table of assocative tables. ]] function db_fetch(dbh, sql) local rows = {} dbh:query(sql, function(data) local row = {} for col, val in pairs(data) do row[col] = val end table.insert(rows, row) end) return rows end --[[ Convenience function to return only the first row of a result. ]] function db_fetch_one(dbh, sql) return db_fetch(dbh, sql)[1] end --[[ Convenience function to return a single result. ]] function db_result(dbh, sql) local row = db_fetch_one(dbh, sql) if row then local _, val = next(row) return val end end

Pacemaker NFSv4 resource agent for Debian

June 5, 2020

If you’re interested in running an NFSv4-only server in a Pacemaker cluster on Debian, you’ll probably find the default nfsserver RA in the Debian-packaged resource agents to be lacking.

It suffers from serveral issues:

The default behavior is to use the NFS init script to handle starting/stopping/monitoring the NFS server. This is broken in the monitor case as the service is reported as active even if it’s been killed.
Starting/stopping the service is dog slow. I’d venture to say at least half of the total cluster failover time in my setup with the default RA was consumed by starting/stopping the NFS daemon and all the related v2/v3 services.

So if you’re willing to go with NFSv4 only, here’s a much better approach:

Follow the Debian NFS server setup, including the adjustments under NFSv4 only.
Drop the below RA in a valid path for Pacemaker to find it, and make it executable.
Configure your resource(s).

CAVEATS:

Does not work for v2/v3, and will not manage any of the services that are v2/v3 only.
Only tested on Debian Buster, YMMV.

#!/bin/sh # nfsserver # # Description: Manages NFS server as OCF resource # by hxinwei@gmail.com # NFSv4-only modifications by thehunmonkgroup at gmail dot com # License: GNU General Public License v2 (GPLv2) and later if [ -n "$OCF_DEBUG_LIBRARY" ]; then . $OCF_DEBUG_LIBRARY else : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat} . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs fi if is_redhat_based; then . ${OCF_FUNCTIONS_DIR}/nfsserver-redhat.sh fi DEFAULT_RPCPIPEFS_DIR="/var/lib/nfs/rpc_pipefs" nfsserver_meta_data() { cat <<END <?xml version="1.0"?> <!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd"> <resource-agent name="nfsserver"> <version>1.0</version> <longdesc lang="en"> Nfsserver helps one to manage the Linux nfs server as a failover-able resource in Linux-HA. It depends on Linux specific NFS implementation details, so is considered not portable to other platforms yet. </longdesc> <shortdesc lang="en">Manages an NFS server</shortdesc> <parameters> <parameter name="nfs_ip" unique="0" required="0"> <longdesc lang="en"> Comma separated list of floating IP addresses used to access the nfs service </longdesc> <shortdesc lang="en"> IP addresses. </shortdesc> <content type="string"/> </parameter> <parameter name="nfs_shared_infodir" unique="0" required="0"> <longdesc lang="en"> The nfsserver resource agent will save nfs related information in this specific directory. And this directory must be able to fail-over before nfsserver itself. </longdesc> <shortdesc lang="en"> Directory to store nfs server related information. </shortdesc> <content type="string" default="" /> </parameter> <parameter name="rpcpipefs_dir" unique="0" required="0"> <longdesc lang="en"> The mount point for the sunrpc file system. Default is $DEFAULT_RPCPIPEFS_DIR. This script will mount (bind) nfs_shared_infodir on /var/lib/nfs/ (cannot be changed), and this script will mount the sunrpc file system on $DEFAULT_RPCPIPEFS_DIR (default, can be changed by this parameter). If you want to move only rpc_pipefs/ (e.g. to keep rpc_pipefs/ local) from default, please set this value. </longdesc> <shortdesc lang="en"> The mount point for the sunrpc file system. </shortdesc> <content type="string" default="$DEFAULT_RPCPIPEFS_DIR" /> </parameter> </parameters> <actions> <action name="start" timeout="40s" /> <action name="stop" timeout="20s" /> <action name="monitor" depth="0" timeout="20s" interval="10s" /> <action name="meta-data" timeout="5s" /> <action name="validate-all" timeout="30s" /> </actions> </resource-agent> END return $OCF_SUCCESS } nfsserver_usage() { cat <<END usage: $0 {start|stop|monitor|status|validate-all|meta-data} END } if [ $# -ne 1 ]; then nfsserver_usage exit $OCF_ERR_ARGS fi case $__OCF_ACTION in meta-data) nfsserver_meta_data exit $OCF_SUCCESS ;; usage|help) nfsserver_usage exit $OCF_SUCCESS ;; *) ;; esac fp="$OCF_RESKEY_nfs_shared_infodir" : ${OCF_RESKEY_rpcpipefs_dir="$DEFAULT_RPCPIPEFS_DIR"} OCF_RESKEY_rpcpipefs_dir=${OCF_RESKEY_rpcpipefs_dir%/} ## # wrapper for init script and systemd calls. ## nfs_exec() { local cmd=$1 local svc=$2 if ! echo $svc | grep -q "\."; then svc="${svc}.service" fi systemctl $cmd $svc } nfsserver_systemd_monitor() { local threads_num local rc nfs_exec is-active nfs-server rc=$? # Now systemctl is-active can't detect the failure of kernel process like nfsd. # So, if the return value of systemctl is-active is 0, check the threads number # to make sure the process is running really. # /proc/fs/nfsd/threads has the numbers of the nfsd threads. if [ $rc -eq 0 ]; then threads_num=`cat /proc/fs/nfsd/threads 2>/dev/null` if [ $? -eq 0 ]; then if [ $threads_num -gt 0 ]; then return $OCF_SUCCESS else return 3 fi else return $OCF_ERR_GENERIC fi fi return $rc } nfsserver_monitor () { local fn fn=`mktemp` nfsserver_systemd_monitor > $fn 2>&1 rc=$? ocf_log debug "$(cat $fn)" rm -f $fn #Adapte LSB status code to OCF return code if [ $rc -eq 0 ]; then return $rc elif [ $rc -eq 3 ] || [ $rc -eq $OCF_NOT_RUNNING ]; then return $OCF_NOT_RUNNING else return $OCF_ERR_GENERIC fi } prepare_directory () { if [ -z "$fp" ]; then return fi [ -d "$OCF_RESKEY_rpcpipefs_dir" ] || mkdir -p $OCF_RESKEY_rpcpipefs_dir [ -d "$fp/v4recovery" ] || mkdir -p $fp/v4recovery [ -f "$fp/etab" ] || touch "$fp/etab" [ -f "$fp/xtab" ] || touch "$fp/xtab" [ -f "$fp/rmtab" ] || touch "$fp/rmtab" } is_bound () { if mount | grep -q "on $1 type"; then return 0 fi return 1 } bind_tree () { if [ -z "$fp" ]; then return fi [ -d "$fp" ] || mkdir -p $fp if is_bound /var/lib/nfs; then ocf_log debug "$fp is already bound to /var/lib/nfs" return 0 fi if nfs_exec status var-lib-nfs-rpc_pipefs.mount > /dev/null 2>&1; then ocf_log debug "/var/lib/nfs/rpc_pipefs already mounted. Unmounting in preparation to bind mount nfs dir" systemctl stop var-lib-nfs-rpc_pipefs.mount fi mount --bind $fp /var/lib/nfs } unbind_tree () { local i=1 while `mount | grep -q " on $OCF_RESKEY_rpcpipefs_dir "` && [ "$i" -le 10 ]; do ocf_log info "Stop: umount ($i/10 attempts)" umount -t rpc_pipefs $OCF_RESKEY_rpcpipefs_dir sleep 1 i=$((i + 1)) done if is_bound /var/lib/nfs; then umount /var/lib/nfs fi } binary_status() { local binary=$1 local pid pid=$(pgrep ${binary}) case $? in 0) echo "$pid" return $OCF_SUCCESS;; 1) return $OCF_NOT_RUNNING;; *) return $OCF_ERR_GENERIC;; esac } terminate() { local pids local i=0 while : ; do pids=$(binary_status $1) [ -z "$pids" ] && return 0 kill $pids sleep 1 i=$((i + 1)) [ $i -gt 3 ] && return 1 done } killkill() { local pids local i=0 while : ; do pids=$(binary_status $1) [ -z "$pids" ] && return 0 kill -9 $pids sleep 1 i=$((i + 1)) [ $i -gt 3 ] && return 1 done } stop_process() { local process=$1 ocf_log info "Stopping $process" if terminate $process; then ocf_log debug "$process is stopped" else if killkill $process; then ocf_log debug "$process is stopped" else ocf_log debug "Failed to stop $process" return 1 fi fi return 0 } nfsserver_start () { local rc; local fn if nfsserver_monitor; then ocf_log debug "NFS server is already started" return $OCF_SUCCESS fi bind_tree prepare_directory if ! `mount | grep -q " on $OCF_RESKEY_rpcpipefs_dir "`; then mount -t rpc_pipefs sunrpc $OCF_RESKEY_rpcpipefs_dir fi ocf_log info "Starting NFS server ..." # mounts /proc/fs/nfsd for us lsmod | grep -q nfsd if [ $? -ne 0 ]; then modprobe nfsd fi fn=`mktemp` nfs_exec start nfs-server > $fn 2>&1 rc=$? ocf_log debug "$(cat $fn)" rm -f $fn if [ $rc -ne 0 ]; then ocf_exit_reason "Failed to start NFS server" return $rc fi tfn="/proc/fs/nfsd/threads" if [ ! -f "$tfn" ] || [ "$(cat $tfn)" -le "0" ]; then ocf_exit_reason "Failed to start NFS server: /proc/fs/nfsd/threads" return $OCF_ERR_GENERIC fi ocf_log info "NFS server started" return $OCF_SUCCESS } nfsserver_stop () { local fn ocf_log info "Stopping NFS server ..." fn=`mktemp` nfs_exec stop nfs-server > $fn 2>&1 rc=$? ocf_log debug "$(cat $fn)" rm -f $fn if [ $rc -ne 0 ]; then ocf_exit_reason "Failed to stop NFS server" return $rc fi ocf_log info "Stop: threads" tfn="/proc/fs/nfsd/threads" while [ -f "$tfn" ] && [ "$(cat $tfn)" -gt "0" ]; do ocf_log err "NFS server failed to stop: /proc/fs/nfsd/threads" sleep 1 done nfs_exec stop rpc-gssd > /dev/null 2>&1 ocf_log info "Stop: rpc-gssd" unbind_tree ocf_log info "NFS server stopped" return 0 } nfsserver_validate () { if [ -n "$OCF_RESKEY_CRM_meta_clone" ] && [ -n "$OCF_RESKEY_nfs_shared_infodir" ]; then ocf_exit_reason "This RA does not support clone mode when a shared info directory is in use." exit $OCF_ERR_CONFIGURED fi return $OCF_SUCCESS } nfsserver_validate case $__OCF_ACTION in start) nfsserver_start ;; stop) nfsserver_stop ;; monitor) nfsserver_monitor ;; validate-all) exit $OCF_SUCCESS ;; *) nfsserver_usage exit $OCF_ERR_UNIMPLEMENTED ;; esac

Fencing/STONITH IAM configuration on Google Cloud Platform (GCP)

May 24, 2020

UPDATE 2024-01-28: The fence_gce agent now additionally requires the compute.zoneOperations.list permission in the list.instances IAM role. I have updated the code to reflect this change.

Having spent the better part of a day figuring this out, I thought it might be nice to save others some time.

My specific need was to configure STONITH for a Pacemaker cluster deployed on Google Cloud Platform, using fence_gce.

By far the trickiest part was figuring out Google’s extremely robust permissions system to meet this case in the most secure manner. The goal: to allow each node in a two-node cluster to fence the other node (by reset or poweroff), while restricting each node to only be able to fence its peer, and nothing else.

Below I’ll post some psuedo-code that should give you an idea about how to execute this for your particular needs. I deployed this solution using Terraform, but the concepts should be easily adaptable to other use cases.

In a nutshell:

Create two custom IAM Roles (I called them fencing and list.instances):
- fencing: permissions to reset or stop a server and get access to its state
- list.instances: Permissions to list the available instances in a project (this was a small security sacrific, I’d prefer that a node can’t see other nodes this way, but the fencing agent seems to require it, and as of this writing, there’s no clean way on GCP to restrict the nodes listed via the API)
For each instance in a cluster, create a Service Account, and configure the instance run as that service account, granting all the default scopes and the ‘compute-rw’ scope’
At the project level, add an IAM policy binding that binds all the instance service accounts to the list.instances role.
At the instance level, add an IAM policy binding that binds the fencing role to the instance service account for the instance that will fence the instance in question. For example, if you have data1 and data2 instances Then for the data1 instance you’ll bind data2’s service account to the fencing role, and vice-versa. This allows each node to fence its peer, but to have no other permissions for fencing, not even for itself.

Psuedo-code:

########################################### # IAM ROLES ########################################### resource "google_project_iam_custom_role" "fencing" { role_id = "fencing" title = "Fencing" permissions = [ # Allows instance status to be queried. "compute.instances.get", # HARD reset: immediate reset, not an orderly shutdown. "compute.instances.reset", # SOFT poweroff: Orderly shutdown at the OS level, with a 3 minute timeout # until a hard poweroff. "compute.instances.stop", # NOTE: As of this writing, GCP has no HARD poweroff API call. ] } resource "google_project_iam_custom_role" "list-instances" { role_id = "list.instances" title = "List instances" permissions = [ # All of these permissions are necessary for listing servers on a project. "compute.instances.list", "compute.zones.list", "compute.zoneOperations.get", "compute.zoneOperations.list", ] } ########################################### # IAM SERVICE ACCOUNTS ########################################### resource "google_service_account" "data1" { account_id = "data1" display_name = "data1" } resource "google_service_account" "data2" { account_id = "data2" display_name = "data2" } ########################################### # ATTACHING SERVICE ACCOUNT TO INSTANCE ########################################### resource "google_compute_instance" "data" { name = var.hostname # Other stuff... service_account { # Serivce account for this instance. email = "${var.hostname}@${var.project}.iam.gserviceaccount.com" scopes = [ # Custom service accounts don't include the default permissions unless # they are explicitly granted. # TODO: Get rid of these when # https://github.com/terraform-providers/terraform-provider-google/issues/1943 # is fixed. "https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring.write", "https://www.googleapis.com/auth/pubsub", "https://www.googleapis.com/auth/service.management.readonly", "https://www.googleapis.com/auth/servicecontrol", "https://www.googleapis.com/auth/trace.append", #"default", "compute-rw", ] } } ########################################### # IAM INSTANCE-LEVEL BINDINGS ########################################### locals { # NOTE: This expects no more than two data servers per region. fencing_peer = var.hostname == "data1" ? "data2" : "data1" } resource "google_compute_instance_iam_binding" "fencing" { zone = var.zone instance_name = google_compute_instance.data.name role = "projects/${var.project}/roles/fencing" members = [ # Access to this instance's peer to allow fencing this instance. "serviceAccount:${local.fencing_peer}@${var.project}.iam.gserviceaccount.com", ] } ########################################### # IAM PROJECT-LEVEL BINDINGS ########################################### resource "google_project_iam_member" "list-instances" { project = var.project role = "projects/${var.project}/roles/list.instances" # Access for this instance to list other instances. member = "serviceAccount:${var.hostname}@${var.project}.iam.gserviceaccount.com" } # Not strictly necessary, but adding a custom service account to the # instance removes this, and it's nice to have. resource "google_project_iam_member" "log-writer" { project = var.project role = "roles/logging.logWriter" member = "serviceAccount:${var.hostname}@${var.project}.iam.gserviceaccount.com" }

Bash script to play a sound file every X seconds

February 2, 2019

As part of my continued efforts to improve awareness of my physical body while I’m hacking away at a keyboard, I got the idea that it would be nice if a pleasant sound played every X seconds to remind me stop slouching, relax, etc.

I wanted it to be simple, easy to start and stop, and easy to configure both the time interval between plays and the file being played.

Finding nothing of that ilk in some quick Google searches, I present the below for your usage and hopefully increased awareness :)

Run without arguments for the help.

#!/usr/bin/env bash progname=$(basename ${0}) command=${1} default_seconds="60" default_volume="1" default_filepath="${HOME}/attention.wav" usage() { echo " Usage: attention.sh start [seconds] [file] [volume] attention.sh stop [file] Simple bash script to play a file every X seconds. The 'stop' command is simply a convenience function if the script was put in a background job, eg. '${progname} start &'. seconds: Optional, play file every N seconds, defaults to ${default_seconds}. Can also be set via the ATTENTION_SECONDS environment variable. file: Optional, file to play, defaults to ${default_filepath} for the start action, and no file for the stop action. For the start action, can also be set via the ATTENTION_FILEPATH environment variable. volume: Optional, play file at specified relative volume. Less than 1 decreases, greater than 1 increases, defaults to ${default_volume}. Can also be set via the ATTENTION_VOLUME environment variable. CAVEATS: The sox 'play' binary must be installed and in your PATH, it will play the sound through the default audio device. For PulseAudio users, it is recommended to install the 'libsox-fmt-pulse' package as well, to prevent issues with sox/PulseAudio integration. " } if [ "$(which play)" = "" ]; then echo "ERROR: no 'play' binary found" echo usage exit 1 fi if [ $# -lt 1 ]; then usage exit 1 fi if [ "${command}" = "start" ]; then if [ $# -gt 3 ]; then usage exit 1 fi if [ -n "${2}" ]; then seconds="${2}" else seconds="${ATTENTION_SECONDS:-${default_seconds}}" fi if [ -n "${3}" ]; then filepath="${3}" else filepath="${ATTENTION_FILEPATH:-${default_filepath}}" fi if [ -n "${4}" ]; then volume="${4}" else volume="${ATTENTION_VOLUME:-${default_volume}}" fi elif [ "${command}" = "stop" ]; then if [ $# -gt 2 ]; then usage exit 1 fi if [ -n "${2}" ]; then filepath="${2}" fi fi log() { message="${1}" echo "${message}" logger "${message}" } start() { log "Playing ${filepath} every ${seconds} seconds, volume: ${volume}" while true; do sleep ${seconds} play -q --volume ${volume} ${filepath} 2> /dev/null done } stop() { log "Stopping ${progname}" if [ -n "${filepath}" ]; then play -q "${filepath}" & fi pkill -f -9 ${progname} } case ${command} in start) start ;; stop) stop ;; *) usage exit 1 ;; esac

Debian start a ramdisk on boot

March 13, 2017

I run some servers that use a ramdisk to increase performance for recording audio files. Since ramdisks evaporate on a reboot, and I have services that depend on the ramdisk to operate properly, I needed a way to:

Automatically create the ramdisk on boot
Ensure it’s set up prior to the services that depend on it
Perform cleanup on the ramdisk when the server is shut down

The set of scripts below accomplish this nicely by leveraging systemd. Here’s a quick rundown of what each does:

ramdisk: The script is written as a System V init script, and would be placed at /etc/init/ramdisk. Does the work of:
- Creating the ramdisk
- Calling an optionally configured script to perform cleanup prior to tearing down the ramdisk
customize: This is an optional file to override the default settings of the first script. Place it at /etc/default/ramdisk with any customizations you like.
ramdisk.service: systemd service file that calls the start/stop functions of ramdisk. Place this anywhere systemd recognizes service scripts, and run systemctl daemon-reload.

The nice thing about this setup through systemd is that any other systemd services that depend on the ramdisk being set up can simply include this in their service description:

Requires=ramdisk.service
After=ramdisk.service

ICE/CBP regulations summary for domestic travelers

February 28, 2017

The election of Donald Trump has roused me from my political slumber, to be sure…

I’m trying to stay informed, and also signed up for the excellent Daily Action alerts, which keeps me plugged in to things I can do every day to make my voice heard.

Today’s alert was in reference to ICE/CBP’s request to see the ID of all passengers on a US domestic flight.

According to the expert cited in that article, it’s highly unlikely that these authorities have a legal right to demand you produce ID under these circumstances.

So today my little action of resistance was to print up a convenient half-page summary of the regulations the expert referred to in that article. Two copies per page, should be small enough to fold up and fit in a wallet, purse, or back pocket.

I’ll be carrying mine around, at least for awhile, to remind myself that I don’t want to live in a police state.

HUGE DISCLAIMER:

What I’m sharing is for informational purposes only. I’m not an attorney, and did not deeply vet this information, but simply looked up the US codes referenced in the article and made them a bit easier to carry around.

FreeSWITCH Kickstart, an automated server configuration tool

April 6, 2016

Project background

Several years ago I began the journey to better systematize my server management workflow. At the time I was managing over 20 server instances, almost entirely ‘by hand’, meaning I did things like keeping checklists for the steps to rebuild critical servers, running software updates on each individually, etc. Then, I finally took the time to research server configuration management software, selected Salt as my tool, and completely re-oriented my relationship to dealing with software updates, new server builds, etc.

Managing a server this way means that you don’t change anything about the server directly, but instead write code that makes the changes for you. While this does involve a learning curve (it’s almost always faster to just run a command straight from the command line than write code to run the command for you), the benefits of this approach far outweigh the costs in the long run:

Automatically rebuild any server from scratch: As long as you have data backups, it’s no longer a big deal if your server tanks. Rebuilding becomes a glorified version of rebooting your computer when it’s acting weird
Consistency in dev -> staging -> production environments: You can be much more sure that the server you’re doing development on is consistent with the server that will run in production. With tools like Vagrant, combined with server configuration management, you can run virtually the identical server on your laptop that you do for your customers.
Clear documentation: This cannot be underestimated. The exact steps to re-create your mission critical infrastructure is written in code, which means both certainty about how it works, and ease of transfer of this knowledge to other maintainers.

Even though this approach is well known by hard core sysadmins, I suspect many people who could profit from it still have not taken the leap, either through ignorance or the barrier of the learning curve.

Fast forward to last year, and I’m working on CircleAnywhere, an online group meditation platform, using FreeSWITCH for some of the video conferencing portions. Naturally the server, being mission-critical to the project, was built using a Salt configuration for all the reasons mentioned above. It was a fair amount of work to hammer out the deployment, and it occurred to me that a lot of the heavy lifting I had done was the same heavy lifting that anyone rolling out a new FreeSWITCH server (whether for local development or in production) had to do. So I decided to do just a little bit more work, and repackage my efforts for the good of others. :)

FreeSWITCH Kickstart

Thus was born FreeSWITCH Kickstart, a Vagrant/Salt configuration for automatically deploying a FreeSWITCH server for either development or production. Installation locally via Vagrant or remotely involves only a few simple steps (the most difficult of which is acquiring valid SSL certificates for production builds).

The project strives to provide these three things:

An easy way to get up and running with a local FreeSWITCH development environment
A sane/convenient starting point for rolling a production server.
A nice starter template for admins who want their FreeSWITCH server under Salt server configuration management.

A ton of stuff is done automagically for you – even if you don’t like/need it all, it’s still an awesome way to get going!

I’ve written up a fairly comprehensive features list, so you know what you’re getting.

I hope the community will benefit from this work, and doubly hope that others will offer refinements on this first effort. My intention is to maintain this project for the FreeSWITCH community, keeping it up to date with the installation procedure for the latest code and recommended operating system. If anyone would like to join me in maintainership of the project, I would certainly welcome it. :)

Jester, FreeSWITCH, Lua, and my quest for an awesome scripting toolkit

January 20, 2016

Back in 2010, in collaboration with Star2Star Communications, I wrote a Lua scripting library for FreeSWITCH called Jester. Its most marketable highlight was a profile that offered a complete drop-in replacement for Asterisk’s Comedian Mail.

My deeper motivation for writing it was to try and bring some sanity and consistency to the process of implementing more advanced voice workflows. This motiviation arose from my own experience of the mishmash of dialplan XML and one-off Lua scripts that still to this day forms the foundation of my first major VoIP system. I began to believe that there must be a better way – if the goal was to do any number of fairly common things, like grab data from a database, send an email, talk to a webservice – can’t we basically standardize those into reusable units? So, Jester…

Fast forward to 2016, and my toolkit, through almost complete lack of maintenance, had become legacy code. In addition, the years had revealed both the strengths and weaknesses of my original efforts, and I wanted to do something about it.

In the last few weeks, I took the first big steps to revive and reshape Jester for a new and improved release. A lot of the hard work is now done:

Updated the entire codebase to be compatible with all 5.x versions of Lua, which means it will now run on anything from the terrifically old FreeSWITCH 1.0.7 to the very latest code.
Complete refactoring/update of the user documentation, now available online and nicely formatted.
Preserved the original Asterisk Comedian Mail replica, so it can still be used as a drop in replacement for those moving from Asterisk to FreeSWITCH
Good progress on handling some of the original architectural issues

Going forward, I’d love to get some other people on board with the project, particularly those interested in helping to turn Jester into a solid, well-used library for the land beyond the dialplan. I think the biggest reason for the initial flaws was that I didn’t have any other eyes on my designs.

Please do contact me if you’re interested in teaming up.

New release of Luchia, Lua API for CouchDB

December 31, 2015

Many years ago, I wrote Luchia, a Lua API for Apache CouchDB.

The library worked great, and had fair unit/integration test coverage, but after many years it was no longer compatible with the newer versions of Lua.

So, I took a few days recently to revive it and roll an updated release. It’s now compatible with Lua versions 5.1, 5.2, and 5.3, and also sports 100% unit test coverage.

Installation via LuaRocks, Lua’s package manager, is a breeze, just do:

luarocks install luchia

You can check out a summary and API usage in the online documentation.

Happy Luchia’ing. :)