How to secure a Go application with seccomp

Spoiler alert: This will only work on Linux, since seccomp is a feature of the Linux kernel. With seccomp you can limit the kernel syscalls a program can use, and you can do that from the program itself. The good news is that it’s dead simple to do this from Go! The ingredients For Go we need libseccomp-golang. Then we also need the C libs.

Trojan Horse in a Bash Script

Yes, you heard right. But you might ask yourself why? Good question! Sometimes you might want to send a script to a customer just so that they can execute it. But this script might need an interpreter that is not already pre-installed on the target system or not even pre-packaged for that platform. That’s where you need a Trojan Horse. In this case the Trojan Horse is a Bash script that comes with two payloads.

"Dynamic web pages without Javascript" by Tim Bell

Yesterday I noticed a great presentation by Tim Bell with the title Dynamic web pages without Javascript, which was given at PyCon AU 2018. He gives an introduction to creating dynamic web applications with intercooler.js and even mentions django-intercoolerjs, my little Django wrapper, at some point. Go check it out if you are interested in creating dynamic web applications without fiddling with JavaScript too much.

Batteries are evil

I had an expanding battery some days ago, up to the point where the battery deformed the frame of the laptop. Dell support was really stellar and replaced the battery the next day. One of the benefits, if you are working for SUSE. But I started to dig into the topic and now I’m convinced to buy a new fire extinguisher. Why? Well, if a lithium-ion battery starts to burn, the fire doesn’t need oxygen.

Salt and openSUSE

If you haven’t been living under a rock, you’ve certainly noticed that Salt is one of the hot topics within openSUSE and SUSE. It is used in many of the major openSUSE projects, like DeepSea for managing and automating Ceph deployments, in Kubic to provision Kubernetes clusters, or the newly announced Spacewalk fork Uyuni to manage your whole IT infrastructure. Therefore I think it’s time to take a closer look at how Salt itself is being packaged and shipped and how you might collaborate.

Ultima VIII on Linux

Don’t you miss the good old games sometimes? Okay, opinions diverge when it comes to exactly this Ultima. Ultima 8 is indeed much different from the previous Ultima titles in the saga, which reached its peak with Ultima 7. Don’t get me wrong, the story is still awesome and you can dive into a world with great depth. But with the Avatar walking around alone, all the jumping and the very different fight system, Ultima 8 was simply too different for most of the fans.

We want openSUSE on DigitalOcean - The results

Two months ago I started this survey and the results are finally here. Many thanks to all who took the time to send this in. All of this is based on 66 answers. All of the answers were mandatory with one possible answer, apart from the last two, which were multiple choice and completely optional. Are you already a DO customer? Are you an openSUSE user? Are you using other cloud hosting providers because of their openSUSE support?

ssht moved to OBS

Yesterday I set up an OBS repository for ssht. ssht allows you to directly connect to a running tmux session on a remote host via ssh. So if you are using openSUSE (Leap or Tumbleweed), Fedora, CentOS or RedHat you can finally make use of this instead of building the package yourself. The easiest way is to just search for ssht at software.opensuse.org. Then you can pick the distro you’ve installed and choose to download the package directly, or you can add the repo with the 1-click installer.

openSUSE Conference 2017 - My Highlights

This has been my first openSUSE Conference and it has been great. Thanks to all the organizers and supporters! My Highlights I have to admit that I lost track of openSUSE and SUSE about ten years ago and I was really surprised to see such a mature and compelling ecosystem. Yes, the ecosystem is the most compelling thing to me. Don’t get me wrong, openSUSE and SLES are great Linux distributions, but the ecosystem is what elevates this above all the others!

IOError - decoder jpeg not available 🐞

This is one of the blog posts that is addressing the future me but might also be useful for you too. You might have gotten this error because you are using PIL or Pillow in a Python project. IOError - decoder jpeg not available - I had this error out of the blue and was a bit confused. Nothing in the virtualenv had been changed, dependencies were still in place and I couldn’t find anything missing.

Service Locator Pattern in Python?

The service locator pattern is a design pattern used in software development to encapsulate the processes involved in obtaining a service with a strong abstraction layer. This pattern uses a central registry known as the “service locator”, which on request returns the information necessary to perform a certain task. Source: Wikipedia I’ve noticed that a lot of PHP frameworks have been eagerly adopting new patterns like service locators recently. I wasn’t really happy to see that, because service locators introduce another abstraction layer, which adds complexity and moves dependencies away from the source.

HTTPS with Nginx, Let's Encrypt and acmetool

There is really no reason not to use valid HTTPS certificates anymore. Let’s Encrypt is easy to use and free. So without further ado, here is how your setup could look with Nginx and acmetool. acmetool is a Go program that can handle all your Let’s Encrypt related tasks without messing with your configs. But keep in mind that Let’s Encrypt offers domain validation. So Let’s Encrypt makes sure, that you are the one that controls e.

Off the Grid as a Digital Nomad

Being a Digital Nomad has a lot of benefits, but there are also some major downsides. Not having permanent access to the energy grid is one of them. Plugging your laptop or smartphone into the next outlet might not always be possible. Heck, there might not even be an outlet. I’m in Spain right now and Spain has surprisingly decent network coverage. But roaming around in a camper often leads you to remote places.

Django, Localized Decimal-Fields, and our beloved Internet Explorer

Current versions of Internet Explorer aren’t as bad as they used to be. Some even claim that Safari is the new IE. We usually don’t have to optimize for a particular browser very often. If it works in Firefox and Chrome, the others are just fine. But one thing that didn’t work for one of our customers (yes, he sadly uses Internet Explorer exclusively) was the localization of DecimalField. So instead of a comma, which is the decimal separator in Germany and many other countries, IE would only allow a dot.

Letting Django know about your HTTPS proxy

If you are running a Django application behind a proxy, Django cannot automatically know if encryption is used. This can cause problems e.g. with redirects. Django, not knowing it should use HTTPS, redirects to http://example.com/foobar/ and this might cause a series of other problems. But Django is awesome and you can let Django know if encryption is used or not. In this example I’m using Nginx. In your proxy settings you’ll have to set a header for X-Forwarded-Proto with the current $scheme.

Two seconds, then kill it with fire!

In this example I’m setting a time limit for code execution. If the execution takes too long, the TimeoutException is raised and we can proceed with the rest of the program.

Django Channels - a game changer

Do you remember the good old days, when everything was stateless and there was, at least most of the time, a response for every request? Those times are gone. Nowadays we want rich, interactive web applications that not only respond instantly without reloading the entire website, but also push changes directly to the browser and send notifications. Let’s admit it, Django started to look old and busted. If you wanted to use WebSockets e.

Improved backups with rsync and ZFS

Today backups saved someone’s bacon again. A customer messaged me and asked if I could restore a file from yesterday. Luckily this is a piece of cake (just like it should be). Our production systems are not yet using ZFS and this will definitely change in the future. But our backup systems are using ZFS extensively. No matter how backups are performed on-site, the backups are transferred to the backup systems via rsync.

ssht - a shortcut right into your tmux session

ssht is not exactly new, but I’ve never blogged about it and it’s a really handy timesaver. If you are working on the terminal a lot, there is a big chance that you are using tmux. tmux allows you to have multiple windows and panes in one shell - locally and remotely. Now ssht allows you to ssh to a remote computer and directly connect to a running tmux session.

CI with drone.io and your own images

I’ve been evaluating drone.io since yesterday and I’m quite impressed with the integration and simplicity. You can use drone as SaaS or install it on your own hardware. It’s really easy. Drone comes with batteries included. After setting up OAuth with your repository system (e.g. Gitlab in our case), you are good to go. You can just select the project from a list and then you are asked to place a .

Nginx has no TLSv1.2!???

Which is of course not true. Setting ssl_protocols to ssl_protocols TLSv1 TLSv1.1 TLSv1.2; will activate TLSv1, v1.1 and v1.2. So why am I writing this? The documentation clearly states that ssl_protocols can be set in the context of http and server. Which is true. But you can set ssl_protocols only once per port. Sadly this is not mentioned in the documentation. I don’t know if Nginx stops after the first definition or takes the last definition, but that was exactly my problem.

Quick&Dirty: PlantUML watchdog

We’ve been using PlantUML in the past to outline dependencies and relations between classes or to simply get the relations in databases right. There is a nice Confluence plugin and several editors available that let you edit your PlantUML file in the browser and show the generated graph image right beside it. That is neat, but I prefer my own computer and I like vim. But re-running the command to generate the image every 10 seconds manually is tedious.

Three months of elementary OS

Three months ago I installed elementary OS on my Dell XPS 13. The sputnik edition. The XPS 13 is my main workstation that follows me everywhere I go – so this is more or less like a full switch to elementary for me. Previously I’ve been using Ubuntu GNOME on the XPS, which is an official flavour of Ubuntu, featuring the GNOME desktop environment. But I’m also using Kubuntu from time to time and vanilla Ubuntu with Unity nearly every day on an iMac.

SuperGenPass implemented in Go

Last year I started a port of SuperGenPass in Go. After my initial release Mathias Gumz totally dominated the project and made huge improvements. gosgp was born – a command-line application to generate passwords for domains (or any other string you enter). Since I’m still using SuperGenPass for many passwords, gosgp is something I install frequently on my Linux boxes. Recently a new MacBook found its way into my bag and I had to compile gosgp again for OS X.

Turn the Bootstrap carousel with FancyBox

This is more or less a reminder for me. With this little gist, the Bootstrap carousel and FancyBox2 are working hand in hand when it comes to browsing images. Normally those two don’t care for each other – but it would be much nicer, if the carousel would display the next set of images, when one of them was loaded in the FancyBox modal. Well, these few lines of code make it possible:

Is Freya released yet?

Once upon a time there was a website called Is Freya released yet, which is no longer needed. Why? Because the Beta 1 of elementary OS has been released and it looks awesome. So IFRY is no longer needed, but I’d like to publish some numbers here: 99,783 unique visitors with 581,546 total requests in roughly two months. Nearly 9,700 visitors a day. Most of the visitors already run Linux (52,336), but 19,408 visitors used Windows.

What does the IoT and your laptop have in common?

Do you still remember Cuttlefish? With this neat application your computer becomes aware of its surroundings and can react to a switch of the wifi network, a plugged-in USB device, and so on. These would be the triggers. What makes Cuttlefish so very useful are the reactions you can combine this with. E.g. I’m turning the phone in my home office off whenever I’m not at home. Makes sense, doesn’t it? And there is plenty more you can do.

docker, OwnCloud and Sqlite

I’ve been playing more with docker recently and decided to deploy OwnCloud with it. Turns out it is not so easy to find a Dockerfile for OwnCloud that actually works flawlessly. One thing that strikes me is the fact that most people tend to forget the config folder. Once you want to update your OwnCloud container, you really need the config from that folder. Otherwise your database config is lost and you’ll have to reconfigure everything.

LXC-Backup

Attention: This blog post is from 2014, but still seems to get a lot of attention. Many things have changed. LXD has been released and there is ZFS support in LXC, which is far superior to this method. I’ll post an update soon. If you are using Linux containers for deployment, you might want to back up a whole container instead of just the application data. This comes with a downside.

Who am I?

Jochen Breuer Father of two. Founder, CEO and Head of Cloud Development at dajool.com, a start-up in Germany that develops solutions for mobile and web in pretty much all areas. Skills Over ten years of experience in programming with various languages and frameworks. First Linux distribution came on 5 ¼ floppy discs and was a RedHat Linux. Almost six years of experience in project and personnel management. Agile and pragmatic team-worker.

Cup-Recipe For (Django) Python Deployment Part 3 - Deployment

Happy New Year Happy new year everyone! I hope you could spend a nice time with your family and friends. I’m very sorry that the third part took me so long. The end of the year is always a tough time, but this year was especially busy. We had a lot of work over at dajool and I needed to take some time off during the holidays to relax a bit.

Cup-Recipe For (Django) Python Deployment Part 2 - Detailed Overview

Detailed Overview The last part outlined the bigger picture of the setup. Now we’ll get a bit more into the details. reprepro You’ll get several benefits from using reprepro: Security With a GPG key at hand you will be able to sign the packages. Your client systems (meaning the web servers) will check these signatures from the repository server during installation. Also, but this has nothing to do with reprepro directly, deb packages (can) contain checksums within the packages for each file included.

Cup-Recipe For (Django) Python Deployment - Or How To Make Your Admin Happy

What To Expect In this short series I will explain how to deploy applications with deb packages – but without the usual pain involved. My focus will be deb, because we are using Ubuntu LTS nearly everywhere at dajool. With a few sidenotes from me and a few google searches from you, you’ll quickly adapt this to RPM (and perhaps soon FreeBSD). You will be free from any vendor lock-in and you will have the freedom to deploy anywhere: Your own servers, the cloud and even your customer’s data center.

How to json serialize form errors in Django

This is really ugly and you will absolutely need it if you’d like to json serialize form errors in Django. Why? Because you’d like to reply to an AJAX request and just pass through the errors your form has generated. simplejson itself is not able to serialize the ErrorDict. But the ErrorDict itself is not the problem - the proxy objects within the ErrorDict are the problem. Those proxy objects represent a string (unicode here) and will be cast whenever needed.

Juno with WSGI

Just a quick note on the wonderful Juno framework, which I’ve been using for a small project. Sadly the documentation isn’t quite clear when it comes to deployment with mod_wsgi. At least I had some head scratching while reading through the documentation and had to figure out how to do it. This is what you find in the documentation: ** WSGI Notes ** Since mod_wsgi requires a function named 'application', you would need to put Juno in 'wsgi' mode and call run() like so: config('mode', 'wsgi') application = run() Those functions will make more sense later.

Mail Comments or How Comments Suck Less

Recently I’ve been thinking about an alternative to the widespread way of commenting on blogs or websites in general. Nowadays nearly everyone (including me) has a blog and writes uber-important stuff to the world. That’s nice and fine, but since we have web 2.0 we need to let others comment on the stuff we write. This way we get a communication where everyone can participate - and I think that is the really important thing here.