cat ~/blog

I occasionally write about projects that I’m working on or things that I’m playing with. Like almost everyone who maintains a technical blog, I don’t have nearly enough time to care and feed for it. However, I do try to write articles with technical merit. Since this takes a lot of time and effort, I only find myself publishing a few articles each year. Lately, I’ve been working with the talented folks at the Red Hat Enable Sysadmin blog to publish some beginner-friendly articles about sysadmin topics.

Automated OS Qualification with Ansible

Dec 1 2020

Upgrading thousands of servers is challenging and filled with uncertainty. This article describes how we leveraged Ansible at Datto to build automation that increases confidence in our upgrade process. This was a project that I personally championed, designed a technical solution for, and then led my team through implementation. The article can be found on the Datto Engineering Blog.

Using Ansible to interact with web endpoints

Oct 7 2020

I love finding unique ways to leverage Ansible, and interacting with web endpoints directly from playbooks is probably one of my favorite tricks. Read about it in this article that I wrote for the Red Hat Enable SysAdmin blog. The article can be found here.

5 ways to harden a new system with Ansible

Sep 22 2020

Continuing on the Ansible theme, this is a quick article that I wrote for Red Hat Enable SysAdmin with some simple suggestions for building an initial hardening playbook for your systems. It can be found here.

Choosing between Ansible's copy and template modules

Aug 6 2020

Choosing between copying static files and using templates can be a bit confusing to someone who is brand new to Ansible. This is an article that I wrote for the Red Hat Enable SysAdmin blog to help clarify this choice for the beginner. It can be found here.

Sysadmin careers: How sysadmins can pay it forward

Jul 15 2020

Taking a break from technical topics, this is an article that I wrote for the Red Hat Enable SysAdmin blog about paying it forward to the SysAdmin who will inevitably replace you someday. I normally don’t write a lot of non-technical content, but this was a fairly satisfying article to put together. It can be found here.

Building, saving, and loading container images with Ansible

Jul 7 2020

Continuing on the Ansible theme, this is an article that I wrote for the Red Hat Enable SysAdmin blog about performing basic container image management using Ansible. It can be found here.

Deploying a static website with Ansible

Jun 30 2020

This is an article that I wrote for the Red Hat Enable SysAdmin blog as a beginner’s introduction to Ansible. I’ve found that deploying a simple, static website is one of the easiest and most useful end-to-end exercises that someone new to Ansible can pick up. It can be found here.

Five best practices for administering remote systems

Apr 21 2020

This is an article that I wrote for the Red Hat Enable SysAdmin blog with some basic tips for managing remote systems. While most of these can be considered “common sense” suggestions, it’s always good to ensure that you have a grasp on the fundamentals of remote system management. It can be found here.

Keepalived and high availability: Advanced topics

Apr 1 2020

This is the final article in a three part series that I wrote for Red Hat Enable SysAdmin about using Keepalived to build HA systems. This article includes a discussion of advanced Keepalived features, such as process and script tracking. It can be found here.

Setting up a Linux cluster with Keepalived: Basic configuration

Mar 25 2020

This is the second article in a three part series that I wrote for Red Hat Enable SysAdmin about using Keepalived to build HA systems. I introduce the reader to Keepalived configuration basics and demonstrate how to set up a simple failover cluster. It can be found here.

Automating Vault and Consul Template Management

Mar 18 2020

One of my favorite projects at Datto was architecting and implementing our Vault environment. This article discusses some of the harder problems that we solved, including how to make Vault work within our Puppet environment. The article can be found on the Datto Engineering Blog.

Using Keepalived for managing simple failover in clusters

Mar 18 2020

This is the first article in a three part series that I wrote for Red Hat Enable SysAdmin about using Keepalived to build HA systems. This introduction covers VRRP and Keepalived fundamentals. It can be found here.

Connect an Asterisk system to the public switched telephone network

Jan 23 2020

This is the final article in a six part series that I wrote for Red Hat Enable Sysadmin about Asterisk and VoIP. This article covers the Asterisk configuration necessary to connect to the public phone network. It can be found here.

How to configure an Asterisk dialplan for intra-office calling

Jan 21 2020

This is the fifth article in a six part series that I wrote for Red Hat Enable Sysadmin about Asterisk and VoIP. This article describes how to configure the Asterisk dialplan to support calling within an office environment. It can be found here.

How to configure a SIP endpoint for intra-office calling

Jan 16 2020

This is the fourth article in a six part series that I wrote for Red Hat Enable Sysadmin about Asterisk and VoIP. This article walks through configuring Asterisk and registering softphones. It can be found here.

How to install Asterisk on Linux

Jan 14 2020

This is the third article in a six part series that I wrote for Red Hat Enable Sysadmin about Asterisk and VoIP. This article covers the installation of Asterisk on RHEL-based distributions. It can be found here.

An introduction to Asterisk

Jan 9 2020

This is the second article in a six part series that I wrote for Red Hat Enable Sysadmin about Asterisk and VoIP. This article covers the basics of Asterisk architecture and configuration. It can be found here.

An introduction to VoIP for sysadmins

Jan 7 2020

This is the first article in a six part series that I wrote for Red Hat Enable Sysadmin about Asterisk and VoIP. This article discusses VoIP protocols and fundamentals. It can be found here.

A sysadmin's guide to troubleshooting VLANs

Nov 28 2019

This is the final article in a three part series that I wrote for Red Hat Enable Sysadmin about VLANs. It can be found here.

How to configure a VLAN in Linux

Nov 21 2019

This is the second in a three part series that I wrote for Red Hat Enable Sysadmin about VLANs. It can be found here.

Packet sniffer basics for network troubleshooting

Nov 19 2019

This is an article about packet sniffing fundamentals with tcpdump that I wrote for Red Hat Enable Sysadmin about VLANs. It can be found here.

VLANs for sysadmins: The basics

Nov 14 2019

This is the first in a three part series that I wrote for Red Hat Enable Sysadmin about VLANs. It can be found here.

A beginner's guide to network troubleshooting in Linux

Sep 24 2019

This is an article that I wrote for Red Hat Enable Sysadmin about basic network troubleshooting in Linux. It can be found here.

Using Vault as a CA for Graylog

Feb 25 2019

Overview

Graylog is a pretty sweet log management solution that allows you to quickly get up and running with centralized log collection and analysis. One common way to get your logs into Graylog is to use Filebeat, which can be further secured using TLS. Graylog even includes a handy Collector Sidecar for handling configuration. Vault is an excellent secrets management tool created by Hashicorp. It includes the ability to easily set up a public key infrastructure, right out of the box.

Monitoring VMware with Icinga

Nov 29 2018

One of my coworkers and I have been working on building a monitoring environment using Icinga, and I began to consider some options for monitoring the VMware environments that we support. PowerCLI is great for programmatically interacting with VMware environments, and PowerShell for Linux removes the barrier for integrating PowerShell and PowerCLI scripts in a Linux monitoring environment. My goal was to run our check scripts directly on one of our Icinga masters, without the need for a separate Windows satellite that would only be used for running scripts.

Connecting to systemd-nspawn SSH containers in Ansible

Aug 3 2018

I’ve recently been working on using Ansible to deploy some test services, one of which is an open source IAM server called Gluu. Gluu is unique in that it runs in a systemd-nspawn container. Management and installation of Gluu requires dropping into the container namespace using /sbin/gluu-serverd-3.1.3 login. While this is all well and good for manual configuration, it makes it a bit tricky to deploy using automation. There’s no real official support in Ansible for systemd containers, although there was some discussion on this pull request.

Persistent Password SSH on AWS AMIs

Feb 14 2017

If you use AWS EC2, you’re definitely familiar with the concept of using a key pair for SSH authentication. Recently, I had a use case that required password SSH login. I set PasswordAuthentication yes in /etc/ssh/sshd_config and created an AMI, but was surprised to discover that PasswordAuthentication no quickly reappeared in my sshd_config when launching an image from the AMI. I spent some time troubleshooting this (more than I care to admit, to be honest), and eventually found that most AMIs use cloud-init to accomplish their provisioning steps.

Deploying certificate-based SSH with Ansible

Dec 25 2016

A few months ago, I read “Scalable and secure access with SSH” by Marlon Dutra on the Facebook Engineering blog. It’s an informative look into how an organization of Facebook’s size is able to keep authentication manageable across a very large, dynamic, and scalable environment without a single point of failure. If you haven’t read the article, do that before reading mine. Otherwise, nothing below is going to make any sense.

A Packet Look at Cisco FabricPath

Nov 6 2016

Spanning-tree protocol was one of the first network control plane protocols that I learned about back in my Intro to Routing and Switching class during college. At the time, it seemed pretty obvious: network loops are bad at layer 2, and should be indiscriminately avoided in an effort to prevent broadcast storms. However, real-life networks really aren’t that simple, as any data center engineer will gladly tell you. Specifically, modern data centers face a few important issues:

Flannels n sh*t is Making my WiFi Slow

Jul 24 2016

I’ve recently been working on renewing the Certified Wireless Network Administrator (CWNA) certification. The CWNA focuses on a deep, technical, and vendor-agnostic understanding of the foundational principles underlying 802.11 WLANs. One day, in between flipping through flash cards, I decided to take a look at the wireless traffic in my own home environment. I was interested to see quite a few Request to Send/Clear to Send (RTS/CTS) exchanges on the same channel as mine, so I decided to dig a bit deeper to “diagnose” the issue.

Peer Routing and VLT with Dell FTOS Switches

May 26 2016

I recently wrapped up a Dell networking deployment consisting of both Dell S-series switches running the Force10 Operating System (FTOS) and N-series switches running the Dell Network Operating System (DNOS). Both boasted straightforward configuration and were pleasant to work with. The FTOS switches in particular offered a powerful and Dell-recommended feature called Peer Routing that could be used in conjunction with the Virtual Link Trunking (VLT) capabilities. VLT is similar to Cisco’s Virtual Port Channel (vPC) feature, and allows for a single port channel to be multihomed to two Dell FTOS switches.

Path MTU Discovery

Mar 20 2016

The maximum transmission unit (MTU) is the largest packet that can be transmitted on a link. It naturally follows that the MTU of a given path is the smallest MTU that would be experienced along any given hop on a packet’s journey to its destination. While many of us have become accustomed to the default Ethernet LAN MTU of 1500 bytes, different transmission technologies may have a more constrained MTU. With IPv4, a host didn’t necessarily have to know the MTU of a given path.

Neighbor Discovery

Sep 27 2015

The next topic that we’ll be covering is fairly straightforward (allowing for a quick article and providing some forward momentum on this blog series). Neighbor discovery is a crucial element of host communication on a local network. While it’s not a particularly complex topic, it is a fundamental IPv6 networking concept that should be understood by any administrator of an IPv6 network. This article will build on our previous discussion of Stateless Autoconfiguration in some ways, and it is recommended that you read that article first.

Stateless Autoconfiguration

Aug 22 2015

A packet series about IPv6

If you perform nearly any role in the information technology world, you’re no doubt familiar with the issue of IPv4 exhaustion and the challenges of IPv6 adoption. While it doesn’t mean that every business, small and large, will be renumbering their entire networks anytime soon, it does mean that every IT professional should have a familiarity (I’d argue comfortability) with this new addressing scheme that will be directing our packets to and from their destinations in the future.

Pockethernet: A review of the net admin Swiss Army Knife

Mar 2 2015

About a year ago, I decided to fund a nifty project called Pockethernet on IndieGoGo. With the product being marketed as “The Swiss Army knife for network administrators,” I was really looking forward to the final product being released sometime in July of 2014. When the team started missing target dates due to various setbacks, I shrugged it off as the business learning experience of a few hard working guys, and I largely forgot about it.

Hacking VoIP: Decrypting SDES Protected SRTP Phone Calls

Jun 22 2014

VoIP security is a fairly complex topic, rife with acronyms, competing solutions, and enough implementation challenges to make any administrator pull their hair out. The Session Description Protocol Security Descriptions (SDES) provide one method for exchanging the keys that are used to encrypt RTP media. Essentially, SDES allows for key exchange within the SDP portion of a SIP packet. Remember that SDP provides parameters, such as media encoding, for a connection. Also remember that SIP is usually unencrypted by default.

Voice and XMPP: Integrating Asterisk with ejabberd

Apr 2 2014

My current home voice system consists of an Asterisk virtual machine, two Cisco 7940 IP Phones running SIP firmware, and a Google Voice number that is handled by Asterisk. Clearly, I was lacking in the home telephony department, so I decided to try finding some neat things to do with my setup. That’s when I decided to learn about XMPP, unified communications, presence, synergy, communications enabled business practices, agile, methodologies, eXtreme programm…Oops, my bad.

Upgrading Cisco 7940 Firmware to SIP

Feb 28 2014

So, you picked up a few cheap Cisco 7940s on eBay with the hopes of using SIP and Asterisk, but you don’t really feel like using Call Manager Express (mainly because you don’t want to drop more money on a router). You Google around for firmware upgrade instructions, only to find that the vast majority of “tutorials” are completely unhelpful, wrong, or missing some critical component of the process. Yeah, I did that too.

Getting around paid in-flight Wi-Fi

Sep 2 2013

Note: The following article is theoretical and based on lab testing. I do not condone or suggest that you attempt to bypass filtering mechanisms for paid Wi-Fi access. This is merely an academic exercise performed in a lab setting. I was flying back to New York recently, and my flight (like most) had a paid Wi-Fi access option. Naturally, as a student with an interest in wireless networking, I started to wonder if there was a way to bypass the payment option and get some free access.

Book and Cert Review: Certified Wireless Network Administrator

Jul 29 2013

I used to hate 802.11. Wireless networking was some form of black magic that broke often, was impossible to troubleshoot, and made me convinced that everything should be hardwired if a reliable connection was desired. I found that others shared my sentiments toward WLANs, and complaining about some broken wireless device was a frequent occurrence among my peers. Overall, wireless networking was this mystical creature that I could never quite understand, troubleshoot, or control.