System administration is a special are of IT. It also has a special place in my heart. It is an interesting mixture of all the other disciplines, both common across the whole industry, and at the same time unique for each person, company, and geographical location. When I have something to say or share about system administration, I use this category.
I thought I did. Especially after all the hours spent with Ansible. Turns out I don’t. I have a very limited understanding of the YAML format. How do I know that, you ask? Well, that’s because I am reading the YAML specification now.
Holy Molly that’s an interesting format! Much recommended weekend reading.
VimGolf – a quick and fun way to learn Vim text editor. There is a whole lot of different challenges for all levels – from novice to expert – that will test your knowledge of Vim trickery.
You can also review the solutions provided by other people, from shortest to the most readable.
Today, while upgrading some of my Ansible roles I’ve hit the problem. Some of the newer roles require Ansible 2.0. My Amazon AMI machine that runs the playbooks was still on version 1.9. EPEL repository doesn’t seem to have the newer Ansible version yet. Gladly, Google brough in this StackOverflow thread, which suggested installing Ansible with pip, not with yum. This helped a lot:
rpm -e ansible pip install ansible
It actually brought in Ansible v2.2 (see also Ansible v2.1), which is even better.
Here is a handy blog post that shows how to simplify the installation and running of the Amazon AWS command line commands, using Docker. With the Dockerfile like this:
FROM python:2.7 ENV AWS_DEFAULT_REGION='[your region]' ENV AWS_ACCESS_KEY_ID='[your access key id]' ENV AWS_SECRET_ACCESS_KEY='[your secret]' RUN pip install awscli CMD /bin/bash
One can build the image and run the container as follows:
$ docker build -t gnschenker/awscli $ docker push gnschenker/awscli:latest $ docker run -it --rm -e AWS_DEFAULT_REGION='[your region]' -e AWS_ACCESS_KEY_ID='[your access ID]' -e AWS_SECRET_ACCESS_KEY='[your access key]' gnschenker/awscli:latest
Obviously, DO NOT hardcode your Amazon AWS credentials into an image, which will be publicly available through DockerHub.
Once the AWS CLI works for you, you can add the command to your bash aliases, to make things even easier.
Here are a couple of interesting articles from the last few days on Slashdot.
First, comes in a very non-surprising survey saying that “40 percent of organizations store admin passwords in Word documents“. Judging from my personal experiences in different companies, I’d say this number is much higher if you extend the Word documents to Excel spreadsheets and plain text files. I think pretty much every single company I’ve worked at used such common files for admin password storage (at least at some point).
“Why or why?!!!”, the security concerned among you might scream. Well, I think there are two reasons for this. The first one is that password management is complicated. There are tools that help with this, but even those are rarely easy to use. Storing the passwords in a secure, encrypted storage is one thing. But, how do you share them with just the right people? How do you trust the tool? What happens if the file gets corrupted, the software updates, the license expires, or the master password is lost? The risk of losing admin access to all your equipment and accounts is scary. On top of that, there is the issue of changing passwords (especially when people leave the company) – not a simple job if you have a variety of accounts (hardware, software, services, etc) and a lot of people who have a varying degree of access. Or automation scripts that need access to perform large scale operations. Personally, I don’t think this problem has been solved yet.
The second reason is in this other Slashdot post – “Sad Reality: It’s Cheaper To Get Hacked Than Build Strong IT Defenses“. This is very true as well. A simple firewall and a strong password policy is often more than enough for many organizations. The risks of compromise are low. In those cases where it does happen, you’d often get some script kiddie consequence like a Bitcoin mining app or affiliate links spread across your website. Both are quite easy to detect and fix. Is it worth investing hundreds of thousands in equipment and personnel to prevent this? For many companies it is not.
The fact of the matter is that a lot of people don’t really care about security or privacy on the personal level, and that then translates into the organizational mentality as well.
Just think about people leaving in all those high crime areas. Some of them think the risk is worth it – maybe then can make more money there or have a more exciting life. Some of them simply can’t afford to move anywhere. That’s very similar to the digital security, I think. Some don’t care and prefer to run the risk, saving the money on protection. Some simply can’t afford to have a decent level of security.