HARTWORK BLOG
Free Software, Music, Chinese Chess
Contents © 2021 Sebastian Pipping - Powered by Nikola
CVE-2013-0340 "BILLION LAUGHS" FIXED IN EXPAT 2.4.0
2021-05-23 19:47

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.4.0 and follow-up release 2.4.1 have both been released earlier today. Release 2.4.0 fixes long known security issue CVE-2013-0340 by adding protection against so-called Billion Laughs Attacks, a form of denial of service against applications accepting XML input, in all known variations, including recent flavor Parameter Laughs.

I first became interested in detecting Billion Laughs Attacks back in 2008, 13 years ago, already in context of Expat at the time, but on top of it rather than from the inside, and long before I joined maintaining Expat in July 2016. In 2017 the topic got back on my radar, and by 2020 I eventually decided to make the topic a personal priority. In an e-mail conversation with Nick Wellnhofer in June 2020, Nick wrote:

> I came to the conclusion that the most sensible check is to make
> sure that the total size of the output in bytes doesn't exceed the
> input size by a certain factor

I was doubtful at first, digested it for multiple days, and then I was sure that he was right. Nick's conclusion became the foundation of my implementation for protection in Expat. That factor between input and output bytes is what the term "amplification" is about, that you will find used throughout the documentation.

Besides this security fix, there is the usual bunch of fixes and improvements in tooling, documentation, and the two build systems. For more details, please check out the change log.

If you maintain Expat packaging _or_ a bundled copy of Expat _or_ a pinned version of Expat somewhere, please update to 2.4.1. Thank you!

Sebastian Pipping
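The input/output factor quoted above, sketched as an added example that is not Expat's code: a toy entity expander counts the bytes read from the document ("direct") and the bytes pulled in by entity replacement ("indirect") and stops as soon as (direct + indirect) / direct exceeds a limit. The entity tables, the limit of 100, the activation threshold of 1024 bytes and all names are constructed for this illustration.

```python
"""Toy model of an input/output amplification limit (added example, not Expat's code)."""
import re

ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")


class AmplificationLimitExceeded(Exception):
    def __init__(self, acct):
        super().__init__(f"amplification {acct.amplification():.1f} "
                         f"({acct.direct} direct, {acct.indirect} indirect bytes)")
        self.direct = acct.direct
        self.indirect = acct.indirect


class Accountant:
    """Counts bytes read from the document (direct) and from entity replacement (indirect)."""

    def __init__(self, max_amplification=100.0, activation_threshold=1024):
        self.max_amplification = max_amplification
        self.activation_threshold = activation_threshold
        self.direct = 0
        self.indirect = 0

    def amplification(self):
        return (self.direct + self.indirect) / self.direct if self.direct else 1.0

    def add(self, nbytes, direct):
        if direct:
            self.direct += nbytes
        else:
            self.indirect += nbytes
        total = self.direct + self.indirect
        # Below the threshold nothing is rejected, so small documents with a few
        # legitimate entities never trip the limit.
        if total > self.activation_threshold and self.amplification() > self.max_amplification:
            raise AmplificationLimitExceeded(self)


def expand(text, entities, acct, _active=()):
    """Replace &name; references, charging every replacement text to the accountant."""
    out, pos = [], 0
    for match in ENTITY_REF.finditer(text):
        out.append(text[pos:match.start()])
        name = match.group(1)
        if name in _active:
            raise ValueError(f"recursive entity reference: {name}")
        if name not in entities:
            raise ValueError(f"undefined entity: {name}")
        replacement = entities[name]
        # Charged before descending, so the abort happens before output piles up.
        acct.add(len(replacement.encode("utf-8")), direct=False)
        out.append(expand(replacement, entities, acct, _active + (name,)))
        pos = match.end()
    out.append(text[pos:])
    return "".join(out)


def parse(body, entities, **limits):
    """Expand body; declarations plus body count as the document's direct bytes."""
    acct = Accountant(**limits)
    declared = sum(len(name) + len(value.encode("utf-8")) for name, value in entities.items())
    acct.add(declared + len(body.encode("utf-8")), direct=True)
    return expand(body, entities, acct), acct


# Constructed sample inputs.
BENIGN_ENTITIES = {"co": "Example Corp", "sig": "Regards, &co;"}
BENIGN_BODY = "<note>&sig; and &co;</note>"

# Six nesting levels with ten references each: one million characters if expanded in full.
NESTED_ENTITIES = {"l0": "x" * 10}
for level in range(1, 6):
    NESTED_ENTITIES[f"l{level}"] = f"&l{level - 1};" * 10
NESTED_BODY = "&l5;"

if __name__ == "__main__":
    text, acct = parse(BENIGN_BODY, BENIGN_ENTITIES)
    print("benign:", text, f"amplification {acct.amplification():.2f}")
    try:
        parse(NESTED_BODY, NESTED_ENTITIES)
    except AmplificationLimitExceeded as exc:
        print("nested: rejected,", exc)
```

In Expat itself the two knobs are set through `XML_SetBillionLaughsAttackProtectionMaximumAmplification` and `XML_SetBillionLaughsAttackProtectionActivationThreshold`, both introduced with release 2.4.0.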
CVE-2021-3541 "PARAMETER LAUGHS" FIXED IN LIBXML2 2.9.11
2021-05-13 17:41

In context of my work on protection against Billion Laughs Attacks for libexpat, I played with the existing protection of libxml2 against those attacks. As an unintended byproduct, that led me to finding a bypass of that protection, a new vulnerability in libxml2 prior to 2.9.11 that I call PARAMETER LAUGHS; it has been assigned CVE number CVE-2021-3541 and is known as libxml2 issue 228 upstream.

Parameter Laughs is based upon well-known ideas from the Billion Laughs Attack — both use nested entities to amplify a small payload of a few hundred bytes up to gigabytes of content to process and hence waste loads of RAM, CPU time, or both — but in contrast Parameter Laughs…

* uses parameter entities (syntax %entity; with %) rather than general entities (syntax &entity; with &) and
* uses delayed interpretation to effectively sneak use of parameter entities into the so-called "internal subset" of the XML document (the "here" in ) where undisguised parameter entities are not allowed, with regard to the XML specification.

What do I mean by "delayed interpretation"? Let us declare a parameter entity like this:

%pe_1;">

Now during replacement of reference %pe_2; text % is turned into % and hence %pe_1; becomes %pe_1;. That triggers two new rounds of replacement for %pe_1; _after_ %pe_2; has been fully replaced — there you have the delay (and the exponential growth).

Here is what Parameter Laughs looks like as a complete XML document (added 2021-05-25):

2021-03-26 19:14

This interview is part of the series Frag ein Klischee by hyperbole, along with many other exciting interviews.

EXPAT 2.3.0 HAS BEEN RELEASED
2021-03-25 16:06

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.3.0 has been released earlier today. Simplified, this release brings…

* bugfixes,
* improvements to both build systems, and
* improvements to xmlwf usability.

For more details, please check out the changelog.

With this release, the combination of continuous integration and Clang's sanitizers — in Expat's case AddressSanitizer ("ASan"), LeakSanitizer ("LeakSan") and UndefinedBehaviorSanitizer ("UBSan") — proved invaluable once more by preventing the introduction of new bugs into the code base. It was interesting to see in particular, how Clang 11 found an issue that Clang 9 was still blind to; so updating the toolchain paid off.

Let me take the occasion of one bugfix in 2.3.0 related to function XML_ParseBuffer for a reminder that using XML_ParseBuffer over XML_Parse can reduce your application's memory footprint by up to a factor of 2, because you no longer keep the same data in two buffers — one outside of Expat and one inside. With XML_ParseBuffer those two buffers become one.

I have taken the close releases of two C libraries — first uriparser 0.9.5 about a week ago and now libexpat 2.3.0 — for a reason to research answers to my own open questions about bumping linker arguments -version-info C:R:A properly in every situation. That led to finding a simpler, more human-friendly algorithm, and also building a free interactive web-tool served at https://verbump.de/ to make that topic more approachable to the community.

I still see many old, buggy, vulnerable copies of Expat on the Internet: anything unpatched before 2.2.8 is documented vulnerable, in particular. If you maintain Expat packaging _or_ a bundled copy of Expat _or_ a pinned version of Expat somewhere, please update to 2.3.0. Thank you!

Sebastian Pipping

URIPARSER 0.9.5 RELEASED
2021-03-19 01:21

A few hours ago uriparser 0.9.5 has been released. Version 0.9.5 comes with improvements to the build system and one key bugfix that affects both resolution of URI references and normalization of URIs. For more details please check the change log.

Last but not least: If you maintain uriparser packaging or a bundled version of uriparser somewhere, please update to 0.9.5 — thank you!

NEVER MIS-BUMP A .SO VERSION AGAIN
2021-03-15 19:25

> TL;DR — I built a free interactive web-tool
> and also found an alternative, more human-friendly algorithm.

For every software release that involves a shared library you have to consider bumping the -version-info C:R:A part of your linker arguments so that your libxyz.so.1.2.3 numbers match the semantic changes you did since the previous release. Finding the correct new set of numbers can be a bit tricky. The current best place for how to bump them properly is probably section 7.3 Updating library version information of the GNU Libtool documentation. Ignoring the details, you'll be given this very structure:

* Start with version information of ‘0:0:0’ for each Libtool library.
*
* If .
* If .
* If .
* If .

It took me a while to figure out what I'd need to do when _multiple_ of those ifs apply: what they give you is an _algorithm_ to follow step by step — it involves _state_ and that state is carried from one step to the next. While that algorithm is precise, it is a lot better suited to machines than humans. One reason is that — with multiple steps and state involved — there is quite some chance for the result to turn out wrong. Does it have to be that complicated?

In this post I would like to offer two things:

* A SIMPLER ALGORITHM that doesn't involve state or pen and paper.
* A WEB-TOOL to play with things interactively.

A STATELESS ALGORITHM

So let's get rid of the overlapping ifs and state and move to exclusive else if instead. The stateless algorithm is this:

* IF it's the FIRST RELEASE EVER go with -version-info 0:0:0.
* ELSE IF you HAVEN'T MADE ANY CHANGES to the source code but still need to do a re-release, keep the version info untouched and re-use the same values.
* ELSE IF you have made BACKWARDS-INCOMPATIBLE CHANGES to the API — removed or changed something existing — bump applying +1/=0/=0: -version-info C:R:A becomes -version-info
* ELSE IF you have ONLY ADDED to the public API and are sure of backwards compatibility bump applying +1/=0/+1: -version-info C:R:A becomes -version-info
* ELSE bump applying +0/+1/+0: -version-info C:R:A becomes -version-info C:. Thank you!
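
The stateless rules above, as an added Python example (not the code behind the author's web-tool): `bump_stateless` applies the +1/=0 operations named in the list, and `bump_stepwise` runs the carry-the-state procedure as summarized here from section 7.3 of the GNU Libtool manual, so the two can be compared over every combination of changes. The function and flag names are hypothetical, and the file-name mapping (current - age).age.revision assumes libtool's Linux/ELF behaviour.

```python
"""Stateless -version-info bump, cross-checked against the step-by-step procedure."""
from itertools import product


def parse_version_info(text):
    """Parse 'C:R:A' into a tuple of ints; age may never exceed current."""
    parts = text.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected C:R:A, got {text!r}")
    current, revision, age = (int(p) for p in parts)
    if age > current:
        raise ValueError("age must not be greater than current")
    return current, revision, age


def bump_stateless(prev, source_changed, added, removed_or_changed):
    """Exclusive if/elif chain from the post; prev is None for the first release ever."""
    if prev is None:
        return (0, 0, 0)
    current, revision, age = prev
    if not (source_changed or added or removed_or_changed):
        return (current, revision, age)        # re-release, nothing changed
    if removed_or_changed:
        return (current + 1, 0, 0)             # +1/=0/=0
    if added:
        return (current + 1, 0, age + 1)       # +1/=0/+1
    return (current, revision + 1, age)        # +0/+1/+0


def bump_stepwise(prev, source_changed, added, removed_or_changed):
    """Every step is evaluated in order, each working on the previous step's result."""
    if prev is None:
        return (0, 0, 0)
    current, revision, age = prev
    if source_changed:
        revision += 1
    if added or removed_or_changed:
        current += 1
        revision = 0
    if added:
        age += 1
    if removed_or_changed:
        age = 0
    return (current, revision, age)


def linux_file_suffix(version_info):
    """Suffix after 'libxyz.so.' that libtool derives from C:R:A on Linux/ELF."""
    current, revision, age = version_info
    return f"{current - age}.{age}.{revision}"


def stateless_matches_stepwise(max_current=4, max_revision=3):
    """Exhaustively compare both procedures for small C:R:A and all change flags."""
    for current in range(max_current):
        for revision, age in product(range(max_revision), range(current + 1)):
            for flags in product((False, True), repeat=3):
                prev = (current, revision, age)
                if bump_stateless(prev, *flags) != bump_stepwise(prev, *flags):
                    return False
    return bump_stateless(None, False, False, False) == bump_stepwise(None, False, False, False)


if __name__ == "__main__":
    prev = parse_version_info("3:3:2")         # libxyz.so.1.2.3
    for label, flags in [("incompatible", (True, False, True)),
                         ("only added", (True, True, False)),
                         ("other change", (True, False, False))]:
        new = bump_stateless(prev, *flags)
        print(f"{label:13} -> {':'.join(map(str, new))}  libxyz.so.{linux_file_suffix(new)}")
    print("matches step-by-step procedure:", stateless_matches_stepwise())
```

The first number of the file suffix, current - age, only moves on the backwards-incompatible branch, which is why consumers linked against the old library keep loading the new one after the other two kinds of bump.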

For a clickable preview: Enough version bumping for today.

DAN NORTH IS WRONG ABOUT THE PURPOSE OF TESTING / THE ACTUAL PURPOSE OF SOFTWARE TESTING
2021-03-09 19:45

I'll make it quick.

You probably know Dan North as the inventor of behavior-driven development and as a frequent speaker. In a talk in March 2019 he stated that the goal of testing is…

> to increase confidence for stakeholders through evidence.
>
> _Daniel Terhorst-North, 2019_

Let's ignore that testing cannot prove absence of bugs and hence cannot provide _true_ evidence. The core of the statement — "to increase confidence for stakeholders" — is my concern. He explains that stakeholders is everyone whose life is touched by the software — so he is interpreting that term broadly, which is fine. With no emphasis on increasing confidence over simply providing or establishing confidence, things boil down to merely: confidence.

Confidence with the product and the code base sure is of use to the stakeholders but… is confidence really the key effect of testing, is it the _purpose_? What if we take testing away? Let's imagine for a moment we have no testing — none at all. Please ask yourself, without testing:

* Can we add new members to the team and have them find the things they broke, themselves?
* Can we change the software with low risk, can we update third party dependencies?
* Can we move fast and _not_ break things?
* Can we rest assured that the bugs we fixed yesterday are not coming back as regressions tomorrow?

What I would like to suggest is the following:

THE POINT OF SOFTWARE TESTING IS THIS:

> to enable the team to change the software,
> to reduce the risk of changes, and
> to retain development velocity over time
> by uncovering issues before they do damage.
>
> _Sebastian Pipping, 2021_

To reduce this further: the goal of testing is to:

* Enable change
* Reduce risk
* Retain velocity
* Prevent damage

_That_'s the purpose of testing. Thank you.

Disagree? Drop me a mail at sebastian@pipping.org.

PS: That talk from March 2019 is "BDD Is Not About Testing" by Dan North at Beauty in Code 2019.

REPLACING ANSIBLE WITH SALT-SSH
2020-10-22 11:07

FIRST, WHERE AM I COMING FROM WITH ANSIBLE?

There is this machine (or "box") that I used to manage using Ansible until recently. I wanted configuration management on that box so that if ever disk or VM or the entire hosting provider would go away, I would have a magic button to start a rebuild from nothing, grab a coffee, and have things work the same again. I wanted Ansible for that task because it's fairly easy and approachable, requires nothing but working SSH access from the host system, and is written in Python. Unlike Puppet, Chef, CFEngine and SaltStack — or so I thought.

Over time using Ansible I noticed that when I made changes to a playbook I was repeatedly facing the same challenge: Either I run the whole playbook and wait for many de-facto no-op tasks _or_ I invest in annotation with tags, save some runtime but need to deal with the shortcomings that tags have in Ansible.

TAGS IN ANSIBLE: WHAT SHORTCOMINGS?

Tags in Ansible have two problems that bug me. First, you'll need to manually propagate the same tag to all dependency tasks, especially those referenced in when-conditionals or else you'll run into undefined-variable issues because the task due to register that variable has not been executed. So that's something I would have to take good care of, manually.

Secondly, tags and loops do not work well together in Ansible. What I _would like to do_ is use the iteration item as a tag like this:

    - hosts: all
      tasks:
        - name: Add Docker users
          user:
            name: "{{ item }}"
            groups: docker
            append: yes
          loop:
            - ssl-reverse-proxy
            - example1-org
            - example2-net
          tags:
            # NOTE: Does not work!
            #       Gets you: ERROR! 'item' is undefined
            - "{{ item }}"

Unfortunately, this gets me ERROR! 'item' is undefined because tags do not support loops like that in Ansible. I can address this problem by

* a) having two verbatim copies of that list,
* b) extracting and re-using a variable, or
* c) making use of YAML references.

A version using YAML references could look like this:

    - hosts: all
      tasks:
        - name: Add Docker users
          user:
            name: "{{ item }}"
            groups: docker
            append: yes
          loop: &users
            - ssl-reverse-proxy
            - example1-org
            - example2-net
          tags: *users

More importantly though, I'll also need to be okay with _the whole loop being run_ if I ask for _any_ of those tags now, which means additional runtime for no value. I didn't feel like I wanted to deal with these shortcomings of tags most of the time so instead I started to work on other tasks while the whole playbook was running, and got back to it when there were results.

It was hard to accept one other thing though: When I ran the playbook two times in a row, for the second run Ansible would take about 4 minutes to do nothing but confirming that all the work was already done. Why? Would I have to accept that it was that slow?

WHEN ANSIBLE IS SLOW, HOW FAST CAN I GET IT TO BE?

So I started looking for ways to improve Ansible speed, and SSH pipelining, disabling fact gathering, and Mitogen helped but wouldn't get runtime below 3 minutes, so I was not very happy. On a sidenote Mitogen doesn't support Ansible >=2.10 as of this writing so that boost in speed would come at the cost of being stuck with Ansible 2.9 in the past for longer, which is not ideal either. So I accepted 3 minutes as the minimum runtime of that particular playbook at that time. And started wondering about looking elsewhere.

CAN SALT BE USED LIKE ANSIBLE?

Maybe Salt had some way without all those minions, masters, daemons, agents that seemed like a given to me when I last had a few bits to do with SaltStack at a previous job a few years ago. To my delight, I did find salt-ssh this time. salt-ssh was introduced with the release of Salt 0.17.0 on 2013-09-26, it's not actually new. So I was trying to answer the question:

> Can I port my existing Ansible playbook to salt-ssh, will it be fun
> and work well, and will it be faster than 3 minutes for when it
> doesn't actually need to do anything?

A SUMMARY OF MY EXISTING ANSIBLE PLAYBOOK

For some context, what is that playbook of mine doing anyway? For an almost complete high-level summary (if you're interested):

* Configure sshd, an SSH pubkey, restart the service as needed
* Install Docker from a dedicated repository, having it running and enabled, install docker-compose
* Configured firewalld to be friends with Docker
* Create a specific Docker network for a Caddy-based SSL reverse proxy to talk to website containers
* Configures and activates dnf-automatic so that it updates packages by itself, restarts outdated services and reboots the VM when tracer detects need to
* Adjusts systemd-resolved config to no longer expose LLMNR port 5355 to the world without need to
* Closes port 9000 to the world previously exposed by the cockpit service
* Makes sure that ${HOME}/.local/bin is in $PATH for all users
* Downgrade cgroup to v1 for Docker by adjusting the kernel command line and re-creating the GRUB config for the change to have actual effect
* Install some tools for manual inspections, e.g. htop, tmux and ncdu
* Create some bare Git repositories to host off-GitHub website content
* Clone some Git repositories containing docker-compose website projects and keep them up to date with upstream
* Spin up multiple docker-compose based service and have them do rebuilds and restarts whenever their underlying Git clone changed
* Set machine hostname

It's not very different from this playbook actually, just a bit bigger.

FIRST STEPS AND PAINS WITH SALT-SSH

I started making my way through the official Agentless Salt: Get Started Tutorial and got stuck rather quickly. I wanted execution as an unprivileged user but despite obeying the tutorial in detail I ran into errors about not being able to write to /var/cache/ — for good reasons — like these:

    # salt-ssh '*' test.ping
    Unable to render roster file: Traceback (most recent call last):
    PermissionError: Permission denied: '/var/cache/salt/master/roots/mtime_map'

And while the docs used absolute paths like /home/vagrant/salt-ssh/ everywhere, I wanted relative paths that would work with a Git repository cloned anywhere in the file system hierarchy. Not to mention that log_file needs to be ssh_log_file in the tutorial.

So with all of that figured out after a while, this MINIMAL SETUP satisfied all of my needs: execution as an unprivileged user, relative paths with the help of root_dir: ., significantly less noisy output through state_output_diff: True, and a place to start adding playbook-like things to. For a bird's eye view:

    # tree
    .
    ├── master
    ├── pillar
    │   ├── data.sls
    │   └── top.sls
    ├── roster
    ├── salt
    │   └── setup.sls
    └── Saltfile

In more detail, looking into these files:

File Saltfile:

    salt-ssh:
      roster_file: ./roster
      config_dir: .
      ssh_log_file: ./log.txt

File master:

    root_dir: .
    cachedir: ./cachedir
    file_roots:
      base:
        - ./salt
    pillar_roots:
      base:
        - ./pillar
    state_output_diff: True

File roster:

    host1:
      host: host1.tld
      user: root
    host2:
      host: host2.tld
      user: root

File pillar/top.sls:

    base:
      '*':
        - data

With that as a base I can now port the playbook over in a new file salt/setup.sls.

For example, let's adjust the Open SSH server config to know my public key (that I'll store at salt/ssh/files/authorized-keys-root.txt), to disable password-based log-in (to protect against brute-force log-in attempts) and be sure that the server makes use of the adjusted configuration:

    ssh-daemon:
      # Set SSH public keys for root
      ssh_auth.present:
        - user: root
        - source: salt://ssh/files/authorized-keys-root.txt
      # Disable password-based log-ins to SSH
      file.keyvalue:
        - name: /etc/ssh/sshd_config
        - key: PasswordAuthentication
        - value: "no"
        - separator: " "
        - uncomment: "#"
        - require:
          - ssh_auth: ssh-daemon
      # Restart sshd service to apply changes in configuration
      service.running:
        - name: sshd
        - reload: True
        - watch:
          - file: ssh-daemon

That state file was made with Fedora 32 in mind, by the way.

With that local setup we can now run commands like:

    # salt-ssh '*' test.ping
    # salt-ssh '*' grains.items
    # salt-ssh '*' state.apply setup test=True
    # salt-ssh '*' state.apply setup

It took me maybe one and a half days to port the whole playbook to salt-ssh and be confident with the result. What did it get me?

* (What I first believed to be a) significant reduction of runtime: Down from 3-4 minutes with Ansible to about 1 minute with salt-ssh… but I'll get to why these numbers are misleading, below
* A high-level language leveraging YAML with idempotency in mind, just like with Ansible
* Being able to stay agentless: No minions, no masters, just SSH
* More flexibility (but also some duty) with regard to state dependencies and order of execution
* Being able to use Jinja templating right in the playbook (or "Salt state file") unlike with Ansible
* Experience with a new tool to add to my DevOps toolbox

Only _after_ porting to SaltStack it became clear that some badly-written parts of the original Ansible playbook were a big contributing factor to its excessive runtime. For instance, the playbook was using module package with a loop…

    - hosts: all
      tasks:
        - name: Install distro packages
          package:
            name: "{{ item }}"
            state: present
          loop:
            # NOTE: Bad idea, very slow
            - git
            - htop
            - ncdu

…rather than a list of names:

    - hosts: all
      tasks:
        - name: Install distro packages
          package:
            name:
              # NOTE: Better, a lot faster
              - git
              - htop
              - ncdu
            state: present

With as many as 20 packages to check for, this single loop alone contributed heavily to the initial 4 minutes runtime with Ansible for when there was not actually anything left to do. In a fair comparison with a _well-written playbook_, Ansible and salt-ssh exhibit close to identical runtime for me now.

Still, after having used both Ansible and SaltStack I think it's fair to say that I consider myself a salt-ssh convert by now. I do hope that SaltStack gets better at fixing bugs in the future. All the hiccups and limitations I ran into with version 3001.1 were related to features that I'd consider mainstream enough that I shouldn't even have seen them, given the size of the community. Things I ran into include:

* #29142 — Limitation: Same function twice per state
* #35592 — Limitation: Allow multiple when function is different
* #49273 — Bug: Parallelization is sequential with requisites
* #53664 — Bug: getstarted/ssh/connect.html is incomplete
* #57778 — Bug: pkgrepo.managed always reported as "changed"
* #54449 — Bug: Issues with installing python3-docker

I hope those are not a sign of structural issues with SaltStack. VMware bought SaltStack in September 2020 so I'm hoping that it turns out for the best. I'm happy to help out with pull requests once I'm convinced that I won't be wasting my time.

For more about using salt-ssh to replace Ansible, maybe Duncan Mac-Vicar P.'s article "Using Salt like Ansible" is of interest to you.

That's enough Salt for me today. Did I miss anything? Please let me know.

Best, Sebastian
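
A follow-up check for the ssh-daemon state in this post, as an added example (not part of the original post and not Salt code): sshd uses the first value it obtains for a keyword, Match blocks can override it per connection, and Include lines pull in other files, so one edited line does not by itself prove that password log-ins are off. The function names and the sample configurations in the comments and tests are constructed; the parser is a simplified model of sshd_config syntax.

```python
"""Which PasswordAuthentication value would sshd use? (simplified, added example)"""


def split_directive(raw):
    """Return (keyword_lowercase, argument), or None for blank and comment lines."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    # sshd_config accepts both "Keyword value" and "Keyword=value".
    head, sep, tail = line.partition("=")
    if sep and len(head.split()) == 1:
        keyword, arg = head.strip(), tail.strip()
    else:
        fields = line.split(None, 1)
        keyword = fields[0]
        arg = fields[1].strip() if len(fields) > 1 else ""
    return keyword.lower(), arg.strip('"')


def effective_setting(config_text, key="PasswordAuthentication", default="yes"):
    """Report the global value of key plus anything that could still override it."""
    wanted = key.lower()
    result = {"value": default, "line": None, "notes": []}
    in_match = False
    for number, raw in enumerate(config_text.splitlines(), start=1):
        directive = split_directive(raw)
        if directive is None:
            continue
        keyword, arg = directive
        if keyword == "match":
            in_match = True                      # applies until the next Match or EOF
        elif keyword == "include":
            if not in_match and result["line"] is None:
                result["notes"].append(
                    f"line {number}: Include {arg} is read before {key} is set "
                    f"in this file; inspect those files")
        elif keyword == wanted:
            if in_match:
                result["notes"].append(
                    f"line {number}: Match block sets {key} {arg} for some connections")
            elif result["line"] is None:
                result["value"], result["line"] = arg, number   # first value wins
            else:
                result["notes"].append(
                    f"line {number}: {key} {arg} is ignored, line {result['line']} came first")
    return result


def password_logins_disabled(config_text):
    """True only if the global value is 'no' and nothing was flagged for review."""
    result = effective_setting(config_text)
    return result["value"].lower() == "no" and not result["notes"]


if __name__ == "__main__":
    # Constructed sample: the edited line sits below an older, conflicting one.
    sample = (
        "PasswordAuthentication yes\n"
        "PermitRootLogin prohibit-password\n"
        "PasswordAuthentication no\n"
    )
    report = effective_setting(sample)
    print(report["value"], report["line"])
    for note in report["notes"]:
        print(" ", note)
```

On a live host `sshd -T` prints the effective configuration and remains the authoritative check; the parser above is for reviewing a file before it is deployed.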

EXPAT 2.2.10 HAS BEEN RELEASED
2020-10-03 23:03

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.2.10 has been released earlier today. This release fixes undefined behavior from pointer arithmetic with NULL pointers, fixes reads to uninitialized variables uncovered by Cppcheck 2.0, adds documentation on exit codes to the man page of command-line tool xmlwf, brings a pile of improvements to Expat's CMake build system, and more. For details, please check out the changelog.

If you maintain Expat packaging _or_ a bundled copy of Expat _or_ a pinned version of Expat somewhere, please update to 2.2.10. Thank you!

Sebastian Pipping

URIPARSER 0.9.4 RELEASED
2020-05-31 18:41

A few minutes ago uriparser 0.9.4 has been released. Version 0.9.4 comes with a number of minor improvements to the build system and four new functions — uriMakeOwner and uriMakeOwnerMm — that make UriUri instances independent of the original URI string. For more details please check the change log.

Last but not least: If you maintain uriparser packaging or a bundled version of uriparser somewhere, please update to 0.9.4. Thank you!