Sunday, July 18, 2021

"Healthy in moderation" is an exclusive statement

It occurred to me the other day that if your diet is mostly made up of things that "can be part of a healthy lifestyle" then you must have a very unhealthy diet indeed.

How quickly the ways to listen to music have changed: Luka Bloom, etc.

I recently went to look up an artist to whom I listened quite enthusiastically when I was in University, but to whom I haven't listened in some time.

I don't like to bucket musicians into genres because, whether true or not, I secretly suspect that they hate it. But, Luka Bloom was the artist I went to look up, and he would fall roughly into the "Irish folk singer-songwriter" genre. I first heard Mr. Bloom on one of those Windham Hill collections that were popular in the 1990s, and went on to admire his back catalogue.

I was happy to find that he was still active and had released some new material. But, I could not believe that it was not on Spotify.

I pretty much listen to everything on Spotify now. I have muscles that have memorized how to listen to music in any given situation and they have only been fully-trained on Spotify.

Back in the day, I was one of those people who amassed stacks and stacks of CDs organized into multitudes of CD towers. As time went on and I moved from place to place, it got to the point where I didn't get them out of the moving boxes anymore, and they stayed in storage.

Initially, the reason they stayed in situ was because I had converted the purchased CDs into MP3 files as soon as I added them to my collection. Over time, the CDs had mostly been for display. For many years, I listened to most of my music digitally using the Squeezebox line of digital music players, many of which were scattered around the house. Squeezebox eventually got discontinued, though I still have a number in use.

But, then came Spotify. In most cases, it became easier to listen to all of my music - purchased or not - through Spotify.

So, coming back to Luka Bloom, I was surprised to find that he'd made an executive decision to not release his latest music on Spotify and to make it available only on his website, where all of the money goes directly to the people that made the whole package possible.

I fully respect and agree with this decision. I don't understand how great artists with loyal but modest followings manage to make any money off the platform. It seems optimized for superstars with millions of plays each month. Beyond just respecting this decision, I like it a lot. But it nonetheless threw me a curveball: I've mostly forgotten how to listen to MP3 files that I own in all the places I listen to Spotify.

I've figured it out, of course, and found a way to make it accessible wherever I am - I'm one of those technical people - but the point is that there must be many people out there who have no idea how to listen to music that's not on Spotify (or Apple Music, YouTube Music, etc.), and people who risk their visibility and income by not using that platform may be shut out of an audience altogether.

Regardless, I bought the albums blind. Another moment of discomfort occurred when I couldn't actually listen to them before I bought them. I used to visit record stores regularly and buy albums unheard, but now it feels like a huge risk even as I spend less money than ever on music.

Anyway, the albums are great and I highly recommend them:

On music in general, I still follow the general approach to paying for music that I wrote about in HMV Canada bankruptcy and thinking about digital music and Spotify streaming, which is:
  • Spotify is a discovery and convenience tool, not a replacement for buying music.
  • I still buy a fair amount of music, but it is mostly digital now, via iTunes.
  • After I've purchased music, I still tend to listen to it on Spotify for convenience.
    • In my mind, that supports the artists twice (to the extent that you can call Spotify streams "support").
  • During the pandemic, I bought a number of concert livestreams to support artists I like.
I have bought only one physical CD this year: Steven Wilson - The Future Bites

Here's one from the new Luka Bloom album:





Tuesday, August 04, 2020

Homemade (and grown!) English-style pickled onions

English-style pickled onions in malt vinegar are an acquired taste, but I have firmly acquired it.

I picked, prepared, and pickled the onions in the space of one day. The onions were Barletta type (they have early maturity and are naturally small in size) and I used this recipe. I haven't eaten one yet (they need to mature for a few weeks) so I can't vouch that either of these things are net positives!




Monday, August 03, 2020

PowerShell and passing command-line arguments to external scripts

I like PowerShell a lot, but occasionally you run into something that seems mind-bendingly over-engineered. The simple act of calling an external script and passing command-line arguments to it is one of those things.

To avoid wasting any more of your time, here is the best way I have found to do it.

I will call the following Python script my_script.py from PowerShell, which simply prints out the arguments passed to Python:

import sys

# Print each argument with its index; index 0 is the script path
for i in range(len(sys.argv)):
    print("my_script args: " + str(i) + ": " + str(sys.argv[i]))

The script is called from PowerShell by putting the Python command-line arguments into an array and passing them to the external script using the Splat operator.

# Put Python command-line arguments into an array
$cmd_args = @("c:\temp\my_script.py", "-f", "c:\myfile.txt", "-t", "5")

# Call the Python executable, supplying arguments using the Splat operator
& python.exe @cmd_args

Which produces the expected output:

my_script args: 0: c:\temp\my_script.py
my_script args: 1: -f
my_script args: 2: c:\myfile.txt
my_script args: 3: -t
my_script args: 4: 5


Splunk and the self-signed certificate on port 8089

I'm writing this post after finding a solution to this problem. Pieces of the solution were scattered around the web but I didn't find them all in one place.

Problem

Splunk's ports, when accessed using SSL/TLS, are protected by default with a self-signed certificate. Many enterprises are beginning to scan for these cases and flag them for remediation so that the encrypted communications are protected by a certificate signed by the enterprise itself.

Using an alternate certificate for the Splunk web UI (port 8000 by default) is well-documented but I did not feel that it was documented well for the management port (port 8089 by default).

Solution

The solution has a few steps:
  1. Generate a Certificate Signing Request (CSR) and private key.
  2. Use the CSR to obtain a signed certificate from a Certificate Authority (CA).
  3. Obtain the Root CA certificate chain for the organization that provided the signed certificate.
  4. Combine outputs of steps 1-3 as required by Splunk.
  5. Configure Splunk to use the items in step 4
  6. Restart Splunk
Before going further, consider whether you need the management port to be enabled for Universal Forwarders (UF). It is not required for forwarder management from the web UI, nor for deployment apps. It is required for API or CLI communication with the UF. If you don't use these features then you can simply disable the port by putting the following in server.conf and restarting the UF.

[httpServer]
disableDefaultPort = true

However, if you want to leave the port open and protect it with your own certificate then read on.

And, unless you have changed the default configuration, Splunk KV stores on the same server will also be protected by the configuration applied in this post.

Step 1: Generate a Certificate Signing Request (CSR) and private key.


These steps will leave you with a CSR stored in server_conf.csr and a private key in server_conf.key

Linux

openssl req -out server_conf.csr -new -newkey rsa:2048 -keyout server_conf.key

Windows

REM SPLUNK_HOME is the root of your Splunk Enterprise installation
set SPLUNK_HOME="C:\Program Files\Splunk"

REM TMP will hold the generated private key and CSR files
set TMP=C:\TEMP

REM Generate the private key for the certificate.
%SPLUNK_HOME%\bin\splunk cmd openssl genrsa -des3 -out %TMP%\server_conf.key 2048

REM Generate the CSR request file
%SPLUNK_HOME%\bin\splunk cmd openssl req -new -key %TMP%\server_conf.key -out %TMP%\server_conf.csr

You should leave this step with two outputs:
  • CSR file
  • Private key

Step 2: Use the CSR to obtain a signed certificate from a Certificate Authority (CA)

Step 3: Obtain the Root CA certificate chain for the organization that provided the signed certificate


The method to accomplish Steps 2 and 3 will vary by CA, but you will normally need to provide your CSR file as part of the process.

You should leave these steps with:
  • CA-signed certificate provided by your CA
  • Root CA and Intermediate CA certificates provided by your CA

Step 4: Combine outputs of steps 1-3 as required by Splunk

All of the files you have created so far are plaintext files. They need to be combined in specific ways:
  • Root CA and Intermediate CA certificates combined into a single file (example: server_conf_root.pem)
  • CA-signed certificate and private key (example: server_conf.pem)
By "combined", I literally mean to copy and paste the contents of the files you received into a single file, one after the other. The example filenames above will be used in subsequent steps.

Store the files in a location accessible by your Splunk installation that will not be affected by upgrades. For example, you may choose to create a directory like $SPLUNK_HOME/etc/auth/mycerts, giving you these files:
  • $SPLUNK_HOME/etc/auth/mycerts/server_conf_root.pem
  • $SPLUNK_HOME/etc/auth/mycerts/server_conf.pem
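
A pre-flight check for the two bundles from Step 4, added here as an example (it is not part of the original post or Splunk's own tooling): it confirms each file holds the expected PEM blocks, in the order the post lists them, and writes the key-bearing bundle with owner-only permissions. The function names and the placeholder PEM bodies are constructed for illustration.

```python
import os
import re
import tempfile

# Matches one PEM block and captures its label, e.g. "CERTIFICATE".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_labels(text):
    """Return the labels of all PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_server_pem(text):
    """Problems with the certificate-plus-key bundle (server_conf.pem)."""
    labels, problems = pem_labels(text), []
    if "CERTIFICATE REQUEST" in labels:
        problems.append("contains the CSR; paste the signed certificate instead")
    if not labels or labels[0] != "CERTIFICATE":
        problems.append("signed certificate must be the first block")
    if sum(label in KEY_LABELS for label in labels) != 1:
        problems.append("expected exactly one private key block")
    return problems

def check_root_pem(text):
    """Problems with the CA chain bundle (server_conf_root.pem)."""
    labels = pem_labels(text)
    if not labels:
        return ["no certificates found"]
    return [f"unexpected block: {lab}" for lab in labels if lab != "CERTIFICATE"]

def write_private(path, text):
    """Create the bundle readable only by its owner, since it holds the key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)

def fake_pem(label):
    """Constructed placeholder block; the body is not real key material."""
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

if __name__ == "__main__":
    bundle = fake_pem("CERTIFICATE") + fake_pem("RSA PRIVATE KEY")
    print("server_conf.pem problems:", check_server_pem(bundle))
    path = os.path.join(tempfile.mkdtemp(), "server_conf.pem")
    write_private(path, bundle)
    print(path, oct(os.stat(path).st_mode & 0o777))
```

This checks structure only; it does not verify that the private key matches the certificate or that the chain validates. The 0o600 mode applies when the file is newly created, so an existing file keeps whatever permissions it already had.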

Step 5: Configure Splunk to use the items in step 4

Modify your server.conf file to include these attributes:

[sslConfig]
enableSplunkdSSL = true
serverCert = /opt/splunk/etc/auth/mycerts/server_conf.pem
sslRootCAPath = /opt/splunk/etc/auth/mycerts/server_conf_root.pem
sslPassword = <key password entered during CSR creation>

Note that, when you restart Splunk in a subsequent step, the sslPassword value will be replaced with a hash of the value by Splunk. As long as everything is working you do not need to worry about it.

Step 6: Restart Splunk

This step hopefully does not need any elaboration!

After the restart, you can use a browser to access the management port (i.e. https://splunk.mycompany.com:8089) and confirm that it is using your CA-signed certificate using the browser's certificate inspection functionality.

Unless you have changed the default configuration, Splunk KV stores on the same server will also be protected by the configuration applied in this post.

Wednesday, June 17, 2020

Real estate and the 5-year outlook

One thing about the real estate industry.

If you were to ask them today what the housing market will be like in 5 or 10 years' time, they may hum and haw about pros and cons but tell you that there's no way of knowing what conditions will be like in 5 years' time.

However, I have never - ever - heard a standard real estate agent say that now is not a good time to buy a house.

So, really, they do know what the market will be like in 5 years' time: it will be a great time to buy or sell a house.

Monday, May 25, 2020

While politicians regain control of the COVID-19 narrative, a void...

Like a lot of people, I'm confused by the apparent lack of a roadmap for COVID-19 recovery in society. Newspapers float a lot of ideas, but it's increasingly hard to tell which have serious intent behind them and which are just the napkin scribblings of career jockeys that find the notion of recovering through methodical, nose-to-the-grind diligence and hard work increasingly boring and tedious.

At first I perceived this to be an issue with our leaders and a lack of planning or vision. After all, most leaders simply look at what other people are doing and copy it within their own fiefdom. And there's no-one to copy in this situation. But, lately, I'm becoming convinced that this recent void is intentional.

I think what we are seeing is a weeks-long transition from a strategy led by medical advice based on data, testing, and targets, focused solely on virus case management, to one that is led by politicians who are accountable for the longer-term health of the economy on which all other goods (including the healthcare system) depend.

I think it has become increasingly apparent that we can't afford to have the recovery led solely by medical advice. It seemed prudent at the beginning when there was so little information about how the virus would spread, but it's now emerging that their concerns are very solitary and, really, the models were overly pessimistic. This mirrors the public's own reaction - very cautious at the beginning, but increasingly relaxed as they see no or very little impact within their sphere and are emboldened by each inconsequential, tentative step outside The Village.

What we are doing in lockdown isn't "scientific". It's likely good advice, and the advice comes from scientists, but it's not science because it has never been tried before, there are too many variables, and there is a strong cultural component to outcomes. There's no "if you do X then Y will happen". It's a hypothesis that we can't afford to complete controlled tests on at the scale required. Scientists aren't elected, and they don't have to consider the broad variety of concerns that politicians do, yet politicians are the ones that will take fire when the results take too long to materialize.

So, I think what we may be seeing is a void while the deckchairs are reorganized and the politicians regain control of the narrative. I don't think it's a coincidence that we are seeing exposés in the international media of politicians that didn't follow their own advice. Months ago they'd have been expected to resign, but now they are defended. They're just like everyone else, wanting to get on with their lives. Soon, I think we'll start seeing things that go against the medical advice given out weeks ago. We can't afford to follow it. And hopefully people will forget what that advice was... and as long as new cases don't start to surge in any significant way, they will.

This is the way it should be.