Making Modular CloudFormation with Includes
When the YAML format for CloudFormation was launched in September 2016, many users knew it was only a matter of time until the commonly used pattern of including multiple YAML files into a single file made its way into CloudFormation. On March 28, 2017, AWS did exactly that by launching the AWS::Include Transform, albeit with a surprising lack of fanfare.

Using AWS Athena to Query CloudTrail Logs
One of the first things which came to mind when AWS announced AWS Athena at re:Invent 2016 was querying CloudTrail logs. Over the course of the past month I had intended to set this up, but current needs dictated I had to do it quickly. When I went looking at JSON imports for Hive/Presto, I was quite confused. Of course, as a trusty technologist, I went to Google. Much to my surprise, no one had published an article about using Athena to do this; I was only able to locate EMR-based posts which used a custom SerDe to support the nested CloudTrail format.

NTP Peerstats Status Word Secret Decoder Ring
The Peer Status Word is a multi-byte disaster which represents things to NTP. This post explains how to make use of the peerstats file.

Using Your Mac's Screen Remotely Without People Watching
Long since the property of Apple Remote Desktop Enterprise, the ability to remote into your computer without leaving the screen on for all to see has finally shown up, but it's in 10.7 only.

New Site

Adding VMNet's in VMWare Fusion 4
With the release of VMWare Fusion 4 (and its CONTINUED lack of a GUI for the network manager), I bring you the instructions on how to add networks to VMWare Fusion 4.

Security in the 'Cloud'
As many of you know, I am a very big proponent of using the cloud with high automation. At my job we do this in a big way. However, one question always comes to mind: if you share your servers with other physical machines, how can one guarantee security?
IPv6 Redux

IPv6

Puppet Continuous Integration
Puppet is an amazing configuration management system, as I have previously written, but one downfall is that no system exists where you check in code, it runs, and if it fails, it alerts.

Cron Job to Ensure Your Puppet Clients Stay Happy

Adding VMNet's in VMWare Fusion 3
This problem has come up a couple of times and I figured out how to do it. It isn't a pretty thing to do, but it works.

How to Upgrade a Cisco Pix 515 With Serial Failover From 6.3 -> 8.0
Well, it sounds simple, doesn't it? Cisco says you reload the OS, make a couple of changes and voila, you have a working Pix 515 running the latest and greatest code (which, by the way, is the same code the ASAs run, and those cost quite a bit more). Well, not so fast.
First of all, make sure you meet the requirements for running anything over 6.3. This means a 515 or higher Pix (I do not recommend the 515 but the 515e as the minimum, as the newer code is much heavier and the Pentium II in the 515 is slower). Also, you need to have enough room on your flash. If you don't use the god-forsaken Pix Device Manager (which by all accounts no one ever should) you are fine. Finally, you need RAM. Luckily, as long as you are not covered by SmartNet, feel free to crack open your Pix to reveal its true nature: it runs an Intel motherboard and PC-100 RAM. It supports a maximum of 256 MB (2x128 MB) and RAM is cheap, so go for it and upgrade it to the max. One caveat is that you MUST run an unrestricted license to support 256 MB of RAM. I was able to upgrade a restricted version (as 128 MB is the minimum), but I soon found its flash chip was fried and bought a replacement 515e off the used market.
OK, so you pass the prerequisites. Now what to do? Well, you need two separate OS images: a 7.2 image and an 8.0 or greater image. You cannot skip the middle step; the 7.2 boot is what converts your 6.3 config, and you go to 8.0 from there. They are available on Cisco's website for registered users. Also, if you are doing stateful failover, make sure you have a free Ethernet interface or sub-interface for the state replication link (which I haven't done yet).
Now on to the procedure. Cisco's website is a little fuzzy on how to do this on a pair of failover 515s, so this is where this post will be of most use to you. This is certainly a maintenance-window activity: doing it incorrectly (for example, letting both units come up active with the same addresses) will cause ARP conflicts and other awfulness.
First, BACK UP YOUR CONFIG! (not that this has to be said). Then disconnect the serial failover cable between the two Pixes. Start the upgrade on the primary Pix (the one with the primary end of the serial cable). Upgrade from 6.3 to 7.2 via: copy tftp: flash:. When it boots into 7.2 the Pix will start complaining about rewriting rules as it converts the old config; this is OK for now. Once you are at the prompt, write your config and reboot again. From here you can go to 8.0 via: copy tftp: flash:image.bin
Reboot the Pix again and you will be in 8.0. You may get some warnings about stateful failover (how to solve that hopefully coming later). Any other warnings should be looked at and confirmed as OK or fixed; errors must be fixed at this point as well. Now comes the tricky part. For every interface which has a standby IP associated, re-enter the ip address line without the standby IP. Also make sure ALL failover lines are gone. Save your config, and now it's time to move to the second Pix.
This time the upgrade starts off a bit differently. Make sure the serial cable is disconnected (as it already should be) and write erase. You want a blank config for this. Reload and do the same 6.3 -> 7.2 (don't bother saving the config this time) and then 7.2 -> 8.0. At this point write erase again to be sure it's a clean Pix. Power off the secondary Pix and connect the serial cable on both ends.
Now, back on the primary, put the standby additions back on your ip address lines (yes, you have to type it all out again) and write your config. Now do a show failover. It should report that the partner is powered off, which is correct at this point. Finally, in configure mode, type "failover" on the primary Pix. Boot up your secondary Pix, go into configure mode and type "failover". Magically, "show failover" should show the pair up and the config replicating over the serial link to the blank standby unit.
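As an added worked example (not part of the original post), here is the whole procedure above as it would be typed on the two consoles. The hostname, the TFTP server 192.0.2.50, the image filenames and the interface addresses are constructed for illustration; the commands are the ones the post names, plus boot system, dir, show version and a show running-config filter as checks. Comment lines start with "!" and are not typed.

```text
! ===== Primary unit, running 6.3, serial failover cable UNPLUGGED =====
! Back up the 6.3 config to the TFTP server before touching anything
pix# write net 192.0.2.50:pix-primary-6.3.cfg

! 6.3 -> 7.2
pix# copy tftp://192.0.2.50/pix722.bin flash:
pix# reload
! 7.2 boots and converts the 6.3 config. Expect warnings about
! rewritten rules; read them, then save the converted config.
pix# write memory
pix# reload

! 7.2 -> 8.0
pix# copy tftp://192.0.2.50/pix804.bin flash:image.bin
pix# configure terminal
! More than one image can now sit on flash; pin the one to boot
pix(config)# boot system flash:/image.bin
pix(config)# exit
pix# write memory
pix# reload

! Now on 8.0. Strip failover and the standby addresses so this unit
! runs alone and does not look for a peer.
pix# show version
pix# configure terminal
pix(config)# no failover
pix(config)# interface Ethernet0
pix(config-if)# ip address 203.0.113.2 255.255.255.0
! (previous line was: ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3)
pix(config-if)# interface Ethernet1
pix(config-if)# ip address 10.0.0.1 255.255.255.0
! (previous line was: ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2)
pix(config-if)# exit
pix(config)# exit
! Check: no failover lines may remain
pix# show running-config | include failover
pix# write memory

! ===== Secondary unit, cable still UNPLUGGED, start from a blank config =====
pix# write erase
pix# reload
pix# copy tftp://192.0.2.50/pix722.bin flash:
pix# reload
pix# copy tftp://192.0.2.50/pix804.bin flash:image.bin
pix# configure terminal
pix(config)# boot system flash:/image.bin
pix(config)# exit
pix# reload
! Erase again so the standby comes up clean; if dir shows a leftover
! 7.2 image file, delete it so the blank unit cannot boot the old code.
pix# dir flash:
pix# write erase
! Power the secondary OFF, then connect the serial failover cable at both ends.

! ===== Primary unit again =====
pix# configure terminal
pix(config)# interface Ethernet0
pix(config-if)# ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
pix(config-if)# interface Ethernet1
pix(config-if)# ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
pix(config-if)# exit
pix(config)# exit
pix# write memory
! Should report the other unit as powered off
pix# show failover
pix# configure terminal
pix(config)# failover
pix(config)# exit

! ===== Secondary unit: power on, then on its console =====
pix# configure terminal
pix(config)# failover
pix(config)# exit

! ===== Primary unit: confirm the pair and the replication =====
pix# show failover
pix# show version
```

Two checks worth doing before you declare victory: show version on both units must report the same 8.0 image and the memory you expect, and show running-config on the secondary must match the primary once replication finishes. TFTP moves both the image and your backed-up config in cleartext, so keep the TFTP server on a management segment and take it down when you are done.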
Once everything is up and good, you have upgraded from 6.3 -> 8.0 and now have almost all the features of an ASA. This is a very worthwhile activity, as it gives you a huge bump in features and ease of use. Once I get stateful failover working on a subinterface/trunk, I will post how to finish off the job. However, do heed Cisco's warnings: doing stateful failover over a data-bearing interface is NOT supported. It will not NAT, and it will blow away your ACLs and every reference to that interface. Just don't try it.
I hope this helps your upgrade go smoother than ours did (it's only a mild concussion, the doctor says, from hitting our heads against the wall so much).
Dance Puppets, DANCE!
What an odd title. What does it have to do with puppets and system administration? Well, in fact there is a program called Puppet. What is Puppet? Puppet is a client/server software system put out by Reductive Labs which allows for simplistic management of *nix systems (OS X included).

Where Has the Time Gone...

Why Linux?
Linux is now rapidly becoming the operating system of choice in many core areas of business. It is transforming information technology in many exciting ways, being used in products ranging from cell phones and PDAs to cars and mainframe computers. In addition to being cost-effective, it is constantly being updated and refined with the latest technologies. As Linux gains greater acceptance in today's Information and Communication Technology, more and more companies are supporting Linux in both application and hardware compatibility.

Restricting Login in Linux
When we talk about forcing a user to log off, what we're really talking about is time restrictions on certain accounts' system access and services. The easiest way I've found to implement time restrictions is by using software called Linux-PAM.

Clustering in VMware
Ever wonder if you could try playing with clustering, but without all the expense? Well, you are in luck. It is pretty simple to do.