Hey there!


My Game of Thrones finale review

Lots of people are pretty vocal about this long expected thing – so here are my few bits:

I did not like it. Not so much as people giving it 1 star on IMDB, I would probably give 3 or 4. There were many goods things in S08 – mostly visuals, CGI in late episodes, acting, music… I liked all these, but the script, that’s where main problem was.

Internet is full of better versions that would be so much more fun to watch, would be far more exciting and people would probably love them, even if they had much darker ending than what D&D did, but ultimately they all share similar problem – there is no way they would fit into one 6 episodes long season.

That’s in my opinion the main reason why this whole season was so bad. Not only because D&D are rather less than average writers compared to GRRM, but mostly because it was nearly impossible to come with a proper story for the finale in so short time.

So why do I blame them? Because they didn’t have to make it this short. It was their decision. HBO wanted 10 seasons. Fans wanted 10 seasons. D&D wanted Star Wars. They were tired of GoT I understand that, so why they didn’t let someone else, who is better than them to finish it? I guess because of personal greed. Having someone else finish project they started just didn’t seem right from their point of view.

So they decided to sacrifice everything they were working for. The complex and mysterious story of Jon Snow, who turned out to be someone else than everyone was thinking – screw it, who cares. Dark and evil Night King with possibly exciting story behind, full of secrets that people wanted to reveal, screw him, no time. Plot armors and fights that made no sense? Who cares, no time to think about this.

They literraly rushed the show to ruins. Long and slow build-up of complex story that is quickly killed by couple of moves and scenes that made no sense whatsoever and didn’t fit in the theme of previous episodes.

https://pbs.twimg.com/media/Dl7RFziWwAAuhtu.jpg




How to disable spotlight on MacOS

So, few weeks after having this MacBook Air with horrid screen, I figured out that there is a small issue with RAM. 2 tasks permanently eating 2GB of RAM, effectively reducing 8GB of RAM this machine has, to only 6GB (which sadly isn’t enough these days, especially not for a power user, who wants to use Firefox and also some other programs – Mozilla expects that firefox is all you need, so it deliberately uses all free RAM you have :)).

The problem was with these 2:

  • Kernel task – obviously a kernel, but why does it need 1GB? I need to figure that out later
  • mdm_store – process belonging to “spotlight” which is some searching / suggestion feature I will never use

So I found some information about spotlight and people who wanted to disable to protect privacy. While I completely don’t care about that, I do care about my RAM, so here is how you can kill it permanently. Open a terminal and put there:

Here we go, 1GB of RAM back for use!




Why I hate wireless

There is this new ongoing trend, forced by Apple and companies that follow Apple, that everything must be wireless. Your headphones, your charger, phone, everything. No more cables.

Sure this is a step forward, no more cables, sounds really cool – but is the technology we have now ready for it? I don’t think so, for multiple reasons:

Batteries

Everything that is wireless must have a battery inside, otherwise it will not operate since it needs power. Can we create batteries that are eco-friendly and last forever? Nope.

For each wireless gadget we need to create a battery, which is actively harming environment, the battery adds to complexity and weight of the item and it is soon (within 5 years) going to wear out and whole thing becomes unusable. Not a big deal for large corporations like Apple that wish their consumers renewed (buy new) gadgets every year or two. The battery waste (old batteries) are also not very eco-friendly.

Energy efficiency

Wireless charging is least efficient charging that was ever invented. Not that typical charging was efficient, even that is wasting lot of energy, from total energy produced by power plant that is taken by a charger, only few percent is actual energy stored in a battery. But it’s even worse with wireless, the charger consumes huge amount of power just to store tiny amount of it in battery and it’s extremely slow.

 

These 2 things combined make wireless one of most disastrous innovation from ecological point of view – just image what would happen if everyone switched to wireless gadgets, the vast amount of used batteries and energy overhead from wireless charging would put huge impact on environment. Wireless may be a future, but technology is not yet there to use it in eco-friendly manner.




Optimizing Ansible for high performance

So, I have made a custom Ansible setup for more than 4000 servers in 12 different countries across the planet, and that gave me some insight into how to make it perform better.

First of all, sadly Ansible doesn’t yet support “proxy / caching servers” as in servers that you could use to execute playbook through. You can configure SSH proxy server, but that won’t help with performance. Only way to execute playbook from another server is to install Ansible there as well, sync the playbooks somehow and execute from this host.

Anyway, now for the performance hacks.

Redis caching

Major boost in performance. Simply install redis server on same host as Ansible and put this to configuration of ansible:

This will put all facts of every server you connect to into redis cache and next time you execute anything on that server (within 1 day), ansible will not gather facts again, but it would take them from redis cache.

Pipelining

Minor boost. But slightly helps:

Multithreading

Major boost, but not very stable, often causes troubles. Putting more than 20 makes Ansible quite unstable.

Example config

This config works pretty well to me:

 




How to install mdadm to XenServer 7

Based on https://discussions.citrix.com/topic/378478-xenserver-7-raid1-mdadm-after-install-running-system/

This post is basically just a backup of that forum post in case it become dead link




Letsencrypt kung-fu

Let’s encrypt CLI client is by far the most shittiest software ever invented, there is probably no doubt about it, but sadly, it’s the only interface that is supported, and unless you want to pay money for SSL certificate you need to live with that.

First of all – yes, their client (without asking or telling you) WILL run sudo and WILL use root and most likely WILL install garbage on your server that you don’t want to have there. If you never used letsencrypt client before, run it on testing VM first, before it desecrates your favorite web server with random garbage you don’t want there.

The letsencrypt client is written for dumb people, and it is based on undocumented black magic that I will try to uncover here a bit. The client basically works with a component called “certbot” which is a software that run on your server and does something to prove that you really own the domains for which you want to generate your SSL certificate. Because letsencrypt staff doesn’t want to bother you with technicalities they created this crap of a software to deal with them for you, in their own way, like it or not. It uses so called ACME (Automatic Certificate Management Environment) protocol to verify that you are owner. This thing is not a rocket science, and in a nutshell all it does is publish some data used to prove your ownership through your webserver, usually located on webroot/.well_known, their counter-party server will try to locate these by accessing your.domain/.well_known and in order to make it possible to verify your domain without modifications to your webserver, all you need to do is to create a central webroot and then make a symlink from all domain webroots to this one (just ln -s /var/www/letsencryptshite/.well_known /var/www/your.uber.tld/.well_known).

Once you do that, always pass these 2 parameters to their “software”:

I also strongly recommend you to maintain a comma separated list of all domains for which you want to get your certificate and store it somewhere like /etc/letsencrypt/domains because you will need to provide this list very often.

Now a little cheat sheet:

Renewing all domains

This can even be in your cron

You may need to restart / reload your web server after doing this, since the certificate will be overwritten, and Apache seems to be caching it somehow.

Adding or remove a domain and regenerate certificate

Modify your /etc/letsencrypt/domains list and run

Common locations:

/etc/letsencrypt – root of this thing’s config

/etc/letsencrypt/live – symlinks to current certificates, that’s where you can find chains for your domains

Example apache config that uses letsencrypt cert

 




Why SPF doesn’t solve anything in regards of e-mail spoofing

If you ever thought that having an SPF record would effectively prevent anyone from spoofing a delivery of e-mail from your domain, you were terribly wrong. It wouldn’t. This whole “sender policy framework” is built on top of flawed ancient SMTP protocol that never was designed with slightest security in mind.

Majority of all e-mail clients will display value stored in “From” of e-mail header as a sender of your e-mail. That is exactly the “sender” that SPF doesn’t check. SPF is checking the “envelope sender” which is something entirely else, and sadly, almost never displayed anywhere in e-mail clients.

Basically, delivering an e-mail on behalf of anyone that would pass SPF is as easy as spoofing the From in the mail header and sending this from a mail server that has its own IP in its own SPF record.

This 3rd domain would be a part of “envelope sender” which is however not visible anywhere in the mail client (unless you open original source) and SPF check would check against this domain. The spoofed domain that would be visible in mail client wouldn’t be checked anywhere though and most of users would be easily tricked by this.

There are ways to make this harder to do, such as implementing DMARC policies or DKIM, but again, most of regular users would easily be tricked. Nobody cares if e-mail was digitally signed or not, unless you explicitly tell them to do that.

As of now there is only one working protection when it comes to e-mails and that is: DO NOT TRUST THEM. Whatever e-mail you received, from whoever, may be a fake. Even GPG signature could be a fake if someone steals the private key of victim somehow. So yes, if someone is asking you for money in e-mail, or whatever else, better call them, or meet them in person. It can save you lot of troubles.




Gentoo quick setup (for advanced gentoo users)

  • May 8, 2016
  • Linux

This is an excerpt from gentoo handbook containing only the stuff that really matters, with no extra stuff:

Prepare your disks

Do I need to explain how? 🙂 if yes, this is not for you

Mount them

Prepare stage3

Chroot

Emerge setup

Kernel

Initramfs

Pick one

Filesystems

Just edit /etc/fstab

Networking

Grub

 




systemd cheat sheet

Services overview and unit files

The available unit files can be seen in /usr/lib/systemd/system/ and /etc/systemd/system/

Start / stop

Checking status

By default it should be possible to view the output of every unit using journal – journalctl

Enable / disable service

Power management

Modifying system

  • /usr/lib/systemd/system/: units provided by installed packages
  • /etc/systemd/system/: units installed by the system administrator

When you modify the unit file, you always need to run:

See https://wiki.archlinux.org/index.php/systemd for more information




New blog

Heya, I have decided to move from blogger to my own blog for couple of reasons. The biggest one was that blogger doesn’t support custom code formatters and I often need that when I am posting source codes.

I also got my own domain now 🙂

The contents of previous blog were imported back here and I will post new stuff here only.

Thank you for using my blog, I hope you will find it useful!