Tuesday, August 04, 2020

Homemade (and grown!) English-style pickled onions

English-style pickled onions in malt vinegar are an acquired taste, but I have firmly acquired it.

I picked, prepared, and pickled the onions in the space of one day. The onions were Barletta type (they have early maturity and are naturally small in size) and I used this recipe. I haven't eaten one yet (they need to mature for a few weeks) so I can't vouch that either of these things are net positives!




Monday, August 03, 2020

PowerShell and passing command-line arguments to external scripts

I like PowerShell a lot, but occasionally you run into something that seems mind-bendingly over-engineered. The simple act of calling an external script and passing command-line arguments to it is one of those things.

To avoid wasting any more of your time, here is the best way I have found to do it.

I will call the following Python script my_script.py from PowerShell, which simply prints out the arguments passed to Python:

import sys

# Print the index and value of every argument Python received
for i in range(len(sys.argv)):
    print("my_script args: " + str(i) + ": " + str(sys.argv[i]))

The script is called from PowerShell by putting the Python command-line arguments into an array and passing them to the external script using the Splat operator.

# Put Python command-line arguments into an array
$cmd_args = @("c:\temp\my_script.py", "-f", "c:\myfile.txt", "-t", "5")

# Call the Python executable, supplying arguments using the Splat operator
& python.exe @cmd_args

Which produces the expected output:

my_script args: 0: c:\temp\my_script.py
my_script args: 1: -f
my_script args: 2: c:\myfile.txt
my_script args: 3: -t
my_script args: 4: 5


Splunk and the self-signed certificate on port 8089

I'm writing this post after finding a solution to this problem. Pieces of the solution were scattered around the web but I didn't find them all in one place.

Problem

Splunk's ports when accessed using SSL/TLS are by default protected with a self-signed certificate. Many Enterprises are beginning to scan for these cases and flagging them for remediation so that the encrypted communications are protected by a certificate signed by the Enterprise itself.

Using an alternate certificate for the Splunk web UI (port 8000 by default) is well-documented but I did not feel that it was documented well for the management port (port 8089 by default).

Solution

The solution has a few steps:
  1. Generate a Certificate Signing Request (CSR) and private key.
  2. Use the CSR to obtain a signed certificate from a Certificate Authority (CA)
  3. Obtain the Root CA certificate chain for the organization that provided the signed certificate
  4. Combine outputs of steps 1-3 as required by Splunk
  5. Configure Splunk to use the items in step 4
  6. Restart Splunk
Before going further, consider whether you need the management port to be enabled for Universal Forwarders (UF). It is not required for forwarder management from the web UI, nor for deployment apps. It is required for API or CLI communication with the UF. If you don't use these features then you can simply disable the port by putting the following in server.conf and restarting the UF.

[httpServer]
disableDefaultPort = true

However, if you want to leave the port open and protect it with your own certificate then read on.

And, unless you have changed the default configuration, Splunk KV stores on the same server will also be protected by the configuration applied in this post.

Step 1: Generate a Certificate Signing Request (CSR) and private key.


These steps will leave you with a CSR stored in server_conf.csr and a private key in server_conf.key

Linux

openssl req -out server_conf.csr -new -newkey rsa:2048 -keyout server_conf.key

Windows

REM SPLUNK_HOME is the root of your Splunk Enterprise installation
set SPLUNK_HOME="C:\Program Files\Splunk"

REM TMP will hold the generated private key and CSR files
set TMP=C:\TEMP

REM Generate the private key for the certificate.
%SPLUNK_HOME%\bin\splunk cmd openssl genrsa -des3 -out %TMP%\server_conf.key 2048

REM Generate the CSR request file
%SPLUNK_HOME%\bin\splunk cmd openssl req -new -key %TMP%\server_conf.key -out %TMP%\server_conf.csr

You should leave this step with two outputs:
  • CSR file
  • Private key

Step 2: Use the CSR to obtain a signed certificate from a Certificate Authority (CA)

Step 3: Obtain the Root CA certificate chain for the organization that provided the signed certificate


The method to accomplish Step 2 and 3 will vary by CA, but you will normally need to provide your CSR file as part of the process.

You should leave these steps with:
  • CA-signed certificate provided by your CA
  • Root CA and Intermediate CA certificates provided by your CA

Step 4: Combine outputs of steps 1-3 as required by Splunk

All of the files you have created so far are plaintext files. They need to be combined in specific ways:
  • Root CA and Intermediate CA certificates combined into a single file (example: server_conf_root.pem)
  • CA-signed certificate and private key (example: server_conf.pem)
By "combined", I literally mean to copy and paste the contents of the files you received into a single file, one after the other. The example filenames above will be used in subsequent steps.

Store the files in a location accessible by your Splunk installation that will not be affected by upgrades. For example, you may choose to create a directory like $SPLUNK_HOME/etc/auth/mycerts, giving you these files:
  • $SPLUNK_HOME/etc/auth/mycerts/server_conf_root.pem
  • $SPLUNK_HOME/etc/auth/mycerts/server_conf.pem

Step 5: Configure Splunk to use the items in step 4

Modify your server.conf file to include these attributes:

[sslConfig]
enableSplunkdSSL = true
serverCert = /opt/splunk/etc/auth/mycerts/server_conf.pem
sslRootCAPath = /opt/splunk/etc/auth/mycerts/server_conf_root.pem
sslPassword = <key password entered during CSR creation>

Note that, when you restart Splunk in a subsequent step, the sslPassword value will be replaced with a hash of the value by Splunk. As long as everything is working you do not need to worry about it.

Step 6: Restart Splunk

This step hopefully does not need any elaboration!

After the restart, you can use a browser to access the management port (e.g. https://splunk.mycompany.com:8089) and confirm that it is using your CA-signed certificate using the browser's certificate inspection functionality.

Unless you have changed the default configuration, Splunk KV stores on the same server will also be protected by the configuration applied in this post.
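
Before the restart in Step 6 it is worth checking that the two files built in Step 4 are consistent with each other. The script below is an added example, not part of the original post or of Splunk: it walks Steps 1-4 with a throwaway CA and constructed names, then checks that the certificate and private key in server_conf.pem are a pair and that the certificate validates against server_conf_root.pem. The SPLUNK_KEY_PASS variable name and the demo file names other than the two from Step 4 are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for the Step 4 files before restarting Splunk.
# The key passphrase is read from the SPLUNK_KEY_PASS environment variable (an
# assumed name), so it never appears on a command line.

# $1 = server_conf.pem. Succeeds if its certificate and private key are a pair;
# returns 2 if either cannot be read (for example, a wrong passphrase).
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$1" -passin env:SPLUNK_KEY_PASS -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# $1 = server_conf.pem, $2 = server_conf_root.pem. Succeeds if the chain validates.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build constructed sample files in directory $1 by following Steps 1-4, with a
# throwaway CA standing in for the enterprise CA.
make_demo_files() {
    local d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        'prompt = no' '[dn]' 'CN = Demo Root CA' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf"
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # Step 1: CSR plus passphrase-protected private key
    openssl req -new -config "$d/demo.cnf" -subj "/CN=splunk.mycompany.com" \
        -newkey rsa:2048 -passout env:SPLUNK_KEY_PASS \
        -keyout "$d/server_conf.key" -out "$d/server_conf.csr" 2>/dev/null
    # Steps 2-3: the CA signs the CSR and supplies its own certificate
    openssl x509 -req -in "$d/server_conf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
    # Step 4: combine by concatenation
    cat "$d/server.crt" "$d/server_conf.key" > "$d/server_conf.pem"
    cp "$d/ca.pem" "$d/server_conf_root.pem"
    # A deliberately broken bundle: right certificate, wrong private key (the CA's)
    cat "$d/server.crt" "$d/ca.key" > "$d/mismatched.pem"
}

export SPLUNK_KEY_PASS='constructed-demo-passphrase'
demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
cert_matches_key "$demo_dir/server_conf.pem" && echo "certificate and key match"
chain_verifies "$demo_dir/server_conf.pem" "$demo_dir/server_conf_root.pem" \
    && echo "chain verifies against server_conf_root.pem"
cert_matches_key "$demo_dir/mismatched.pem" || echo "mismatched bundle rejected"
rm -rf "$demo_dir"
```

Against real files, export SPLUNK_KEY_PASS and call the two functions on the server_conf.pem and server_conf_root.pem stored under $SPLUNK_HOME/etc/auth/mycerts. After the restart, `openssl s_client -connect splunk.mycompany.com:8089 -CAfile server_conf_root.pem` is a command-line alternative to the browser check.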

Wednesday, June 17, 2020

Real estate and the 5-year outlook

One thing about the real estate industry.

If you were to ask them today what the housing market will be like in 5 or 10 years' time, they may hum and haw about pros and cons but tell you that there's no way of knowing what conditions will be like in 5 years' time.

However, I have never - ever - heard a standard real estate agent say that now is not a good time to buy a house.

So, really, they do know what the market will be like in 5 years' time: it will be a great time to buy or sell a house.

Monday, May 25, 2020

While politicians regain control of the COVID-19 narrative, a void...

Like a lot of people, I'm confused by the apparent lack of a roadmap for COVID-19 recovery in society. Newspapers float a lot of ideas, but it's increasingly hard to tell which have serious intent behind them and which are just the napkin scribblings of career jockeys that find the notion of recovering through methodical, nose-to-the-grind diligence and hard work increasingly boring and tedious.

At first I perceived this to be an issue with our leaders and a lack of planning or vision. After all, most leaders simply look at what other people are doing and copy it within their own fiefdom. And there's no-one to copy in this situation. But, lately, I'm becoming convinced that this recent void is intentional.

I think what we are seeing is a weeks-long transition from a strategy led by medical advice based on data, testing, and targets, focused solely on virus case management, to one that is led by politicians who are accountable for the longer-term health of the economy on which all other goods (including the healthcare system) depend.

I think it has become increasingly apparent that we can't afford to have the recovery led solely by medical advice. It seemed prudent at the beginning when there was so little information about how the virus would spread, but it's now emerging that their concerns are very solitary and, really, the models were overly pessimistic. This mirrors the public's own reaction - very cautious at the beginning, but increasingly relaxed as they see no or very little impact within their sphere and are emboldened by each inconsequential, tentative step outside The Village.

What we are doing in lockdown isn't "scientific". It's likely good advice, and the advice comes from scientists, but it's not science because it has never been tried before, there are too many variables, and there is a strong cultural component to outcomes. There's no "if you do X then Y will happen". It's a hypothesis that we can't afford to complete controlled tests on at the scale required. Scientists aren't elected, and they don't have to consider the broad variety of concerns that politicians do, yet politicians are the ones that will take fire when the results take too long to materialize.

So, I think what we may be seeing is a void while the deckchairs are reorganized and the politicians regain control of the narrative. I don't think it's a coincidence that we are seeing exposés in the international media of politicians that didn't follow their own advice. Months ago they'd have been expected to resign, but now they are defended. They're just like everyone else, wanting to get on with their lives. Soon, I think we'll start seeing things that go against the medical advice given out weeks ago. We can't afford to follow it. And hopefully people will forget what that advice was... and as long as new cases don't start to surge in any significant way, they will.

This is the way it should be.




Thursday, April 16, 2020

Learning to get along with COVID-19 (and possibly take a selfie with it)

Everything I'm seeing tells me that we've painted ourselves into a corner on COVID-19.

To encourage people to take the short-term lockdown seriously, a significant number of people have been put into a panic about the virus. To be sure, it is to be taken seriously, but perhaps not this seriously as long as you are following the rules of social distancing.

The people who are dying in Canada from COVID-19 are dying during a lockdown with many precautions in place, and with full access to ICUs and ventilators. They are not dying because of unavailable critical care. There is no shortage of ICUs and ventilators because of actions taken so far to divert resources to deal with the epidemic - in fact there is a significant excess.

This is good news, but it's only good news for a short period of time. At some point, it begins to look like a misallocation of resources during a time of economic collapse.

So, once we are confident in our ability to consistently help those that can be helped, excess resources need to be reallocated where they will be more likely to save lives. Such as resuming cancer consultations, pre-emptive surgeries, and similar things that have been deprioritized and put on hold. Putting people back to work is also effective medicine where the unemployed condition involves over-eating, alcohol or drug abuse, depression, and other grotty things that fall under the banner of "idle hands syndrome".

Without a vaccine and/or some other anti-viral therapy that is discovered to improve survival rates, that percentage of susceptible people would still die with or without a lockdown. But without a lockdown, or with a relaxed lockdown, it's now going to be seen by some as the government's fault to some extent if lockdowns are relaxed and people suffer, as they inevitably will.

Unless seasonal weather changes things. Hopefully, but hopefully not - because, if true, then come June it becomes the southern hemisphere's turn to deal with this.

We don't know if you become immune after you've caught it once, and if we suspect that you are then we don't know for how long... but hopes pinned on a vaccine are high.

We don't have the means to know broadly whether someone has already caught it and acquired some immunity.

But, it sounds like mutation of this particular type of virus is a red herring as far as vaccination goes.

Like many others, I can see a way that life gradually returns to normal by gradual easing of the lockdown. I don't know how businesses that were marginally surviving at full capacity would survive at half-capacity. Live events and restaurants that normally need to fill 90% of seats may not survive filling 50% of seats. Airlines won't. Transit won't. But it's better than nothing and perhaps government programs can compensate in part where they are currently compensating in full, which is still a net benefit. At some point it has to end in full because we can't afford to do otherwise, and this is independent of whether or not there is a vaccine.

Even with all sensible measures in place, this doesn't stop a certain % of susceptible people from meeting an early death as restrictions are relaxed, nor does it help governments that have taken full responsibility for the lockdown absolve themselves in the public eye of responsibility for outcomes.

To be clear, I would not hold the government responsible because (a) I don't see any of this as the government's fault and (b) I see relaxing the lockdown as soon as possible as an absolute necessity and accept that mistakes will be made. If that's evil then it is a necessary evil. But that's just me and people that think like me. Click-bait media (most mainstream media) would hold them accountable; political opponents would; and undoubtedly would reddit. Even if those factions didn't believe the government was responsible in their heart, they would still blame and provide encouragement to those looking for a scapegoat.

Here's one communication point that would set the stage: start emphasizing now that the goal is not to prevent everyone from being afflicted by COVID-19, but to ensure that we have all necessary resources available to assist when someone does catch it and needs attention. That has always been the goal, but it is not at all clear.

Proof? Grocery workers, transit workers, and nurses refusing work or agitating over work that they believe means "it's only a matter of time" until they acquire COVID-19. Well, it's only a matter of time until all of us catch it.

The concern about kids catching this ("...and she has 2 kids at home!") seems particularly misplaced. I'm sure someone has a link they can send me of one child that has died from it. That is beside the point, but it's also part of the irrational hysteria that cohabits with the rational hysteria around COVID-19.

The people I have most affinity toward during these times are those special epidemiologists who say that we can't just be listening to medical professionals on this issue. These people are out there. Medical professionals are not elected and have no accountability to keep society functioning. Nor do the media. Scientists go where their scientific specialty leads them and the media are starved for revenue, with attention being a proxy for revenue. Both have had an overweight say in public policy on this issue until now. Medical professionals very clearly have valuable advice to impart, but we also need the equivalent of "engineers" that are going to put that scientific knowledge to effective use (and I mean real engineers - not software ones).

And with the production pipeline shut down this year, there will be very few new Hollywood movies next year.

Dark skies ahead, but hopefully warmer weather.

Thursday, March 19, 2020

Have some self-control: COVID-19 subsidies are for the people that really, really need them

In semi-lockdown like most other people due to COVID-19, I'm a bit disappointed to see people who can well afford to maintain their lifestyle for the time being trying to apply pressure via social media or elsewhere to get free benefits such as cheaper electricity, increased Internet caps, and other similar things.

Some of these people are even people I know to be on fixed-income. Times like these are when fixed-income is a blessing rather than a curse. Imagine that: someone else is responsible for making sure you get paid when they themselves may be losing!

The impact to the economy of this lockdown will be incredible. I would not be surprised to see a "pandemic tax" come out of this, and for good reason. Subsidies are for the people who will suffer extreme hardship.

The role of anyone who can still afford to pay their bills for the time being is to continue to pay them as promised for the services they chose, and be glad that they are in a position to do that.

And why not donate any money you are saving from driving less, taking fewer transit trips to work, or buying fewer coffees or take-out meals to a local charity that will help people in your community who will soon begin to struggle?