Using a 'quasi'-disposable VM for UpdateVM in Qubes

In Qubes, dom0 is updated via an 'UpdateVM', which is responsible for downloading any new packages on dom0's behalf (dom0 has no network access of its own; it only verifies and installs what the UpdateVM fetches).

Typically the UpdateVM is your sys-firewall or any other VM you've chosen (it's configurable under Global Settings in the Qubes Manager, or with qubes-prefs from the command line).

Virus scanning your Qubes VMs and Templates with ClamAV

Here's a simple script to iterate over your VMs (and, optionally, your templates) and run clamscan inside each of them.

For templates we scan the full root filesystem /, whereas for AppVMs we just scan the writable directory /rw (an AppVM's root filesystem is its template's, so its persistent private data under /rw is the only part that is really its own).

The script starts any VM it needs to, remembers which ones it started, and afterwards shuts down only those VMs, leaving the ones that were already running untouched.
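The control flow described above, as an added Python example; this is not the post's script (which is not reproduced on this page). It assumes the Qubes 4.x dom0 tools qvm-ls, qvm-start, qvm-run and qvm-shutdown, that clamav is installed in the templates concerned, and takes an injectable `run` callable so the start/remember/shut-down bookkeeping can be exercised without a Qubes system. The exclude list and the `Running`/`Halted` state strings are assumptions about the qvm-ls output.

```python
"""Scan Qubes VMs and templates with clamscan, starting (and later stopping)
only the qubes that were not already running.

Added example, not the author's script. Assumes the Qubes 4.x dom0 CLI:
  qvm-ls --raw-data --fields NAME,CLASS,STATE  -> "name|AppVM|Running" lines
  qvm-start / qvm-shutdown --wait / qvm-run --pass-io
The `run` callable is injectable (argv -> (returncode, stdout)) so the logic
can be driven by a fake in tests.
"""
import subprocess
import sys

# clamscan exit codes: 0 = clean, 1 = something found, 2 = error
CLAMSCAN_FOUND = 1
STATUS = {0: "clean", 1: "findings", 2: "clamscan error", None: "could not start"}


def run_cmd(argv):
    """Run a dom0 command and return (returncode, stdout)."""
    p = subprocess.run(argv, capture_output=True, text=True)
    return p.returncode, p.stdout


def list_qubes(run):
    """Return [(name, klass, state)] parsed from qvm-ls raw output (assumed format)."""
    rc, out = run(["qvm-ls", "--raw-data", "--fields", "NAME,CLASS,STATE"])
    if rc != 0:
        raise RuntimeError("qvm-ls failed")
    rows = []
    for line in out.splitlines():
        parts = line.strip().split("|")
        if len(parts) == 3:
            rows.append(tuple(parts))
    return rows


def scan_path(klass):
    """Templates get a full scan; an AppVM only owns its private data under /rw."""
    if klass == "TemplateVM":
        return "/"
    if klass == "AppVM":
        return "/rw"
    return None  # skip dom0 (AdminVM), DispVMs, StandaloneVMs, ...


def scan_all(run, include_templates=True, exclude=("sys-net", "sys-usb")):
    """Scan every eligible qube; returns {name: clamscan exit code or None}.

    sys-net/sys-usb are excluded by default: they face untrusted hardware and
    usually have no clamav. Only qubes this function started are shut down
    afterwards; qubes that were already running are left running.
    """
    results = {}
    for name, klass, state in list_qubes(run):
        path = scan_path(klass)
        if path is None or name in exclude:
            continue
        if klass == "TemplateVM" and not include_templates:
            continue
        started_here = False
        if state != "Running":
            rc, _ = run(["qvm-start", name])
            if rc != 0:
                results[name] = None  # record the failure and move on
                continue
            started_here = True  # remember so we shut it down again below
        try:
            # --pass-io brings clamscan's report back to dom0 and (assumed)
            # propagates its exit code; -i lists only infected files.
            rc, out = run(["qvm-run", "--pass-io", name, f"clamscan -r -i {path}"])
            results[name] = rc
            if rc == CLAMSCAN_FOUND:
                sys.stderr.write(f"{name}: clamscan reported findings\n{out}\n")
        finally:
            if started_here:
                run(["qvm-shutdown", "--wait", name])
    return results


if __name__ == "__main__":
    for vm, code in sorted(scan_all(run_cmd).items()):
        print(f"{vm}: {STATUS.get(code, 'unknown')}")
```

Run it in dom0 as `python3 qubes-clamscan.py`. One caveat to keep in mind: clamscan runs inside each qube, so its verdict is only as good as that qube's own userland, and a compromised AppVM can hide files from it. The Qubes-idiomatic alternative is to attach the qube's private volume to a disposable VM (qvm-block) and scan it from there, rather than mounting untrusted filesystems in dom0.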

There are a couple of caveats to this approach:

Migrating a Vagrant VM into Qubes as StandaloneVM

I had a Vagrant VM on my other laptop that I wanted to convert into a Qubes StandaloneVM (a qube with its own root disk, rather than an AppVM based on a template).

The disk was thinly provisioned at 40GB, but only about 1.3GB was actually in use inside the guest.

The Vagrant VM's underlying disk was a .vmdk. A lot of guides online talk about compacting VDIs, but I couldn't compact the VMDK directly; I had to convert it first.

Here's how I got it into Qubes.

Terraform remote state and errors about AWS_DEFAULT_REGION

This may be obvious to others, but it wasn't to me.

I was setting up Terraform remote state storage (to an s3 bucket) like so:

terraform remote config -backend=s3 \
           -backend-config="bucket=mig5-terraform-state" \

I kept getting this error from the above:

Failed to read state: Error initializing remote driver 's3': missing 'region' configuration or AWS_DEFAULT_REGION environment variable

This worked, of course:

Deploying and managing Autoscaled Drupal applications at AWS with Terraform, Packer and Fabric

As part of a prototype/experiment for a customer, I decided to 'eat my own dogfood' and put this site onto an autoscale cluster at AWS.

In doing so, I wanted to manage my infrastructure using Terraform (an infrastructure provisioning tool). In addition, since autoscaling requires a base image (AMI) capable of hosting the site, I wanted to build the AMI using Packer. Furthermore, I wanted to use Puppet to configure the AMI that Packer builds.

'Nice to have' goals

I had a few other goals also in mind:

Nagios script for VMware memory balloon size

I couldn't find a Nagios plugin for checking the VMware 'memory balloon' percentage, after observing a server that, due to hypervisor issues, was ballooning too much. For more on that subject, you can read about it here.

So here's a script to do it.
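An added Python example of such a check, not the post's own script (which is not reproduced on this page). It assumes a Linux guest with VMware Tools or open-vm-tools installed, so that `vmware-toolbox-cmd stat balloon` prints the balloon size as e.g. "512 MB", reads the guest's RAM size from /proc/meminfo, and reports the balloon as a percentage of guest memory against warning/critical thresholds using the standard Nagios exit codes and perfdata format. The default thresholds are placeholders.

```python
"""Nagios check: VMware memory balloon size as a percentage of guest RAM.

Added example, not the post's plugin. Assumes `vmware-toolbox-cmd stat balloon`
prints "<n> MB" and that /proc/meminfo carries a MemTotal line in kB.
Usage: check_vmware_balloon.py [warn_pct] [crit_pct]
"""
import re
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes


def parse_balloon_mb(text):
    """Parse vmware-toolbox-cmd output such as '512 MB' into an int number of MB."""
    m = re.match(r"\s*(\d+)\s*MB", text)
    if not m:
        raise ValueError(f"unexpected balloon output: {text!r}")
    return int(m.group(1))


def parse_meminfo_total_mb(text):
    """Extract MemTotal (kB) from /proc/meminfo contents and return it in MB."""
    m = re.search(r"^MemTotal:\s+(\d+)\s+kB", text, re.MULTILINE)
    if not m:
        raise ValueError("MemTotal not found in /proc/meminfo")
    return int(m.group(1)) // 1024


def evaluate(balloon_mb, total_mb, warn_pct, crit_pct):
    """Return (exit_code, status_line) for the given balloon size.

    The status line follows the Nagios convention: 'LABEL STATE - text | perfdata',
    with thresholds in perfdata expressed in the same unit as the value (percent).
    """
    if total_mb <= 0:
        return UNKNOWN, "BALLOON UNKNOWN - guest memory size is zero"
    pct = 100.0 * balloon_mb / total_mb
    perf = (f"balloon_pct={pct:.1f}%;{warn_pct};{crit_pct};0;100 "
            f"balloon={balloon_mb}MB;;;0;{total_mb}")
    if pct >= crit_pct:
        state, label = CRITICAL, "CRITICAL"
    elif pct >= warn_pct:
        state, label = WARNING, "WARNING"
    else:
        state, label = OK, "OK"
    return state, (f"BALLOON {label} - {balloon_mb} MB of {total_mb} MB "
                   f"({pct:.1f}%) ballooned | {perf}")


def main(argv):
    warn = float(argv[1]) if len(argv) > 1 else 10.0  # placeholder defaults
    crit = float(argv[2]) if len(argv) > 2 else 25.0
    try:
        out = subprocess.run(["vmware-toolbox-cmd", "stat", "balloon"],
                             capture_output=True, text=True, check=True).stdout
        with open("/proc/meminfo") as f:
            total = parse_meminfo_total_mb(f.read())
        code, line = evaluate(parse_balloon_mb(out), total, warn, crit)
    except Exception as exc:  # tools missing, parse failure: report UNKNOWN, never OK
        code, line = UNKNOWN, f"BALLOON UNKNOWN - {exc}"
    print(line)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Any failure to obtain a reading exits UNKNOWN rather than OK, so a host without the tools installed shows up in Nagios instead of silently passing.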

Source based load-balancing in HAproxy based on X-Forwarded-For header

We had some application servers behind an active/passive HAproxy load balancer pair (using keepalived to arbitrate the IP on failover).

We needed to put a WAF product in front of the HAproxy pair (e.g. Sucuri's CloudProxy or CloudFlare). It might seem odd to put a reverse proxy in front of an HAproxy pair (yo dawg, I heard you like proxies), but we need to do some funky extra munging of URLs and the like via HAproxy configuration rules, which upstream providers can't account for. The catch is that once the WAF is in front, every request reaches HAproxy from the WAF's addresses rather than the client's, so balancing on the TCP source address no longer spreads clients across the application servers; the original client address survives only in the X-Forwarded-For header the WAF adds.
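The weak and corrected configurations side by side, as an added example rather than the post's own config. It assumes the WAF's published egress ranges are 192.0.2.0/24 and 198.51.100.0/24 (placeholders) and two application servers at 10.0.0.11 and 10.0.0.12 (also placeholders).

```haproxy
# Added example, not the post's configuration. Placeholder addresses throughout.

frontend www
    bind *:80
    mode http
    # Only the WAF should be able to reach us. Anyone who can hit HAproxy
    # directly bypasses the WAF, and could also forge X-Forwarded-For to
    # steer themselves onto a backend of their choosing.
    acl from_waf src 192.0.2.0/24 198.51.100.0/24
    http-request deny unless from_waf
    default_backend app

# What we had: 'balance source' hashes the TCP source address. Behind a WAF
# every request arrives from a handful of WAF addresses, so almost all traffic
# hashes to the same server and the balancing collapses.
#backend app
#    mode http
#    balance source
#    server app1 10.0.0.11:8080 check
#    server app2 10.0.0.12:8080 check

# What we want: hash on the client address the WAF supplies in X-Forwarded-For.
backend app
    mode http
    balance hdr(X-Forwarded-For)
    # Consistent hashing keeps most clients pinned to the same server when a
    # backend goes up or down, instead of reshuffling everyone.
    hash-type consistent
    # If the header is absent, HAproxy falls back to round-robin for that
    # request rather than failing it.
    server app1 10.0.0.11:8080 check
    server app2 10.0.0.12:8080 check
```

Because the backend choice is a pure hash of the header there is no per-client state to replicate between the active and passive HAproxy nodes; after a keepalived failover the passive node computes the same hash and sends each client to the same server. The `deny unless from_waf` rule is what makes the header trustworthy: only the WAF's hops may set it, so a client cannot pick its own backend or pollute logs by sending its own X-Forwarded-For.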

mig5 in another BetterCloud article about communication and I.T

As a separate piece from the previous three-part series, I was featured in another BetterCloud article about elevating the perception of I.T teams in the wider parts of organisations.

This builds again on my belief that the combination of communication and the right toolsets makes all the difference.

Interview with BetterCloud about I.T and communication

I was one of three professionals recently interviewed by BetterCloud for a series on blending the art of effective communication into I.T (with a focus on communicating with people in less-technical roles). This includes not just supporting end-users but communicating 'upwards' to C-level management, trying to get budget buy-in for a project, and so on.

The series covers tips on how to do this effectively, as well as some pitfalls to avoid.