my first opensource release : check_fortiadc

Sometimes, things don’t work out the way you plan.

I have wanted to contribute to opensource software for a long time, after all, I have been using it for many years now, and sometimes it just seems right to give back. But while I am good at quite a few things, I am not a developer, so you won’t be seeing beautiful bits of C from my hand anytime soon. (It’s on the list of things I want to learn).

However, recently the company I work for started using a previously unknown bit of kit (for us anyway). We do quite a lot with Fortigate firewalls, but this was our first go at the FortiADC loadbalancer. I got to try my hand at it, and after a few days of tinkering with it, we had a solid setup for a customer.

As part of any proper setup, you want to monitor whatever you use, and when dealing with Fortinet devices, you want to definitely monitor things like licenses. You do not want them to expire after all!

So, after looking high and low for a Nagios / Check_mk plugin for FortiADC, and not finding any, I decided to write one myself. I had to teach myself Python for it while writing it, great fun!

So, I present you with:

things KLM does that kind of baffle me

KLM is sometimes a baffling airliner.

The first time I stepped on board of a KLM aircraft ( age 7, 31 years ago, a DC-10 to Hamburg ), it set in motion my undying love for aviation. I – seriously – love to fly. I sometimes joke I am most comfortable at 35,000 feet zooming along at a good 900 km / hour. (depending on wind).

KLM – as the country flag carrier – has been a very solid factor in all that. Whenever I fly, it’s usually KLM, mostly because it has a vast network that pretty much takes me from my own backyard ( the airport is a 40 minute drive ) to anywhere in the world.

I might not have racked up as many frequent flyer miles as a lot of people ( or even as many as my girlfriend, who flies a lot on business and to visit friends ), but I have a solid accumulation, and in general, there is not a year that goes by without at least 4 flights, 2 of which intercontinental. It used to be more when my girlfriend still lived in Vienna. (I would say a good 16 flights at its peak).

Because we are a traveling couple, and love to visit Japan amongst many other countries, we got ourselves Privium. Privium is a quick-border passing service at Schiphol; it works based on an iris-scan. You get a special card to use the special privium border control gates, and it also gives you access to the speed-lanes ( the lanes commonly reserved for businessclass travellers) in the common sections of the airport. Privium also has a very lovely lounge which provides a nice place to camp out for a while, and have something to eat. But best of all: you get to not stand in line for passport control and central security check. (and we all know how busy those lines can get, right?).

On top of this you get priority parking ( though some of the services depend on which level of privium to subscribe to ) at P1 and P2, discounts here and there, and businessclass check-in at airlines that are cooperating with privium.

And here we get to today’s source of bafflement. KLM – despite Schiphol being its home port – does not cooperate in privium. THE airline a privium user is most likely to use the most! I can not wrap my brain around how this could be. Clearly the privium user is the type of user KLM would want to service, the one that pays extra for speedy access, because they are a frequent flyer.

It is a strange world we live in.


US senator voicing “concerns” about apple touch ID.

A US senator wrote a letter to Apple CEO Tim Cook, voicing concerns about the security and privacy aspects of this new technology.

Unfortunately, the letter also reads as one big “we have grave concerns that the government will not be able to access this fingerprint data”.

The senator starts off like a good (oxymoron) politician, citing concerns about the security and privacy of this technology, but then goes on to ask Cook to explain under what type of data this fingerprint data would fall, and therefore if it would be something they would have to hand over to law enforcement officials. Tipping the old hand quite obviously there, one would say.

Normally, you could easily yell “conspiracy theory!”, shrug, and move on with your lives. However: there is a wide range of devices on the market today, sporting fingerprint ID sensors, like laptops from well known brands, that did not have to divulge such information, and were not targeted by a senator with ‘concerns’.

That raises the following conclusions, for your consideration:

      Said devices are easily penetrated by law enforcement, and fingerprint data snatched
      Said technology is so clunky and useless, it will never adopt mainstream use, and therefore will not be a threat to a nosey government
      Apple made something which is reasonably expected to become very popular, very wide spread in use, and is also bloody secure and will therefore seriously thwart the efforts of an extremely nosey and voyeuristic USA government. Not just inside the USA, but also in everything every honest, law abiding citizen of every one of their so-called ‘allies’ does.

The evil in ‘do not be evil’ google

The words “do not be evil” have been linked to Google for a while now, and have reached near mythical proportions now with some of its users. But how much of this is true?

One would argue, successfully, that google must absolutely not be evil, since these very words were immortalized in its IPO. However, such reasoning would have one flaw:

They have shareholders now.

Perhaps when google started out, it truly was guided by wonderful guidelines like that, many companies do. Personally, I always strive to be as honest and transparent as possible, but as a private person, I can do that. A publicly traded company like google cannot. It has shareholders. Shareholders are in it for one thing only: making a profit, and as much as possible of that profit. There is no “for the greater good of mankind” in stocks.

Now, a lot of you will grab a torch and pitchfork, (There is an app for that) and demand proof.

Okay, here are some examples that I plucked from a number of users at (commonly known as ADN by its users):

  • when removing my unused google+ account, It also – without warning – deleted my YouTube account with all its videos.
  • when I wanted to upload a new video to my company’s YouTube channel, it first demanded and forced me to create a google+ account
  • Now, we all know google+ is google’s third or something attempt at building a social network. Personally, all I hear or see about it is messages on Facebook or ADN saying: I created a google+ account for some reason. Followed by a message a month or so later: I deleted my google+ account.

    But seriously, forcing people to create an account there, and deleting their stuff on other sections of the platform if you delete the account? That is pretty evil. It is safe to say that google’s latest attempt to do something akin to a social network is failing too. Most accounts are idle, and those that are not are few and far between. All I hear is that there is zero interaction and zero community feeling. (Something that comes by the bucketload on

    What is next? My google enterprise (which just got a very unexpected, inconsiderate, and hefty price increase) account will get wiped out if I don’t want to use a google+ account?

    Google, even more than apple, is the most rampant example of vendor lock-in I have witnessed in the industry so far. An apple device without iCloud will function just fine. An android device? Not so much.

    So, is google evil? Yes, increasingly so. They have no choice, their shareholders demand that of them. You see an almost similar thing happening at apple after Jobs. Jobs was fascinatingly good at keeping shareholders at bay, in order to build a monumentally good product ecosystem. He just about got away with everything, simply because the figures showed he was right. Now, you slowly see shareholders’ demands for higher profits creep in in the little things. And this is worrying. Shareholders don’t know what makes a company like that successful, and they should not get too much say in the development processes. Companies like apple and google need a Jobs who can stick to his core principles and damn the consequences. Shareholders – despite what they might say – do not have the best interest of the company, its products, its customers at heart. It’s all about how much profit they can make. And if that is by dissolving the company, they will do that in a heartbeat.

    Samsung Continues to Poke Fun at Apple Fans in Super Bowl Ad

    A nice post from MacRumors points out that Samsung continues to poke fun at Apple users, who stand in line to get a newly launched product.

    Now, as a dutch person, I am blissfully oblivious to the Super Bowl, but one thing I do know is:

    Super Bowl ads do not come cheap

    So, Samsung thinks people are wrong for being dedicated to a certain brand other than theirs (Apple, no surprises so far). And wants to use advertising to ‘convert’ such people to purchasing the ‘right’ choice. (their product). Nothing shocking so far.

    So, they have spent millions ( from what I’ve learned, Super Bowl Ads really do not come cheap) on an ad, in which they alienate their prospective customers, by – basically – calling them idiots. Now, I am not one to complain when a big corporation pisses away its money. But seriously. Did you even pay attention in marketing school? Never, ever, ever, piss off people you want as your customer.

    For people who buy Apple stuff, your products are probably just not interesting enough. From my own personal experience with Samsung: apple hardware is a hell of a lot better quality. If I spend money, I don’t mind spending more money, if I get a better product. Apple delivers. Every damn time.

    Not that I would personally stand in line for it.

    The only thing the iPad might be lacking

    I, like many others, like the iPad. I don’t own one, and never have, because as much as I love my iPhone, I don’t like one simple thing:

    – it’s got no separation for users

    Separation for users, while a common thing on computers, including OS X, is very uncommon on phones and tablets. On phones like the iPhone this is entirely justifiable because phones in general have only one intended user. It’s a PIM, or personal information device. Computers are very much the opposite, where more than one user frequently accesses the same computer both in a work or a home setting.

    Enter the tablet. The tablet seems to fit right between those two groups, but one thing is for sure: a tablet is often shared amongst people in a household.

    Now comes the issue of user separation: my girlfriend and I both have email accounts, Facebook and twitter accounts, etc, that we would like to access on a tablet we would share. We also both have iPhones and Macs. But neither of us has any interest or business in the other’s email or Facebook, and the mentioned apps are not built to support more than one user for the most part, anyway.

    Now, one might argue that we could just choose not to use email, Facebook, twitter, and what not, on the tablet, and this is possible. However, how much sense does it make to purchase a device for about € 499, and then be utterly limited in its use? And no, buying two would simply be wasteful.

    So, one seemingly innocent feature, would probably open up a whole new piece of the market. I know it would for us. I imagine tablet manufacturers would much rather sell everyone in the household his or her own tablet. But in cases like this it’s not about making the most money, but just doing what’s right. You’re probably not going to lose sales over it. Some households will still buy more than one tablet, simply because the demand is high enough to justify such a purchase.

    Steve Jobs : 1955 – 2011

    In memoriam, Steve Jobs, 1955 – 2011

    Apple has used the following text on more than one occasion, and I think it sums up Steve Jobs like few other texts could:

    Here’s to the crazy one. The misfit. The rebel. The troublemaker. The round peg in the square holes. The one who see things differently. He was not fond of rules. And he had no respect for the status quo. You can quote him, disagree with him, glorify or vilify him. About the only thing you can’t do is ignore him. Because he changed things. He pushed the human race forward. And while some may see him as the crazy one, we see genius. Because the people who are crazy enough to think they can change the world, are the ones who do.

    – Apple Inc.

    My friend Marjolein also sums it up quite beautifully in her blogpost.

    Crouching lion, hidden UNIX

    One of the many things I like about Mac OS X (Server) is the fact it’s a pure-bred UNIX. It’s even certified as such. Not to mention that the Director of Unix Technology at Apple is the person who at one point started the FreeBSD project: Jordan K. Hubbard. (I love FreeBSD, so I’m very appreciative of Jordan’s work)

    Another reason I like OS X as much as I do, is because literally anything can be done from the command-line, something a Unix nerd like myself thoroughly loves to do. But, OS X has advanced features like Access Control Lists and all that fancy stuff, so sometimes it can be a bit of a learning curve to find out how exactly OS X does things compared to other members of the Unix family.

    Now, I mentioned ACLs. When you do something rather simple like ‘ls -la’ on /Groups, you get this:

    server:Groups username$ ls -la
    total 0
    drwxr-xr-x+  6 root  wheel   204 Aug  7 21:57 .
    drwxr-xr-x  33 root  wheel  1190 Aug 17 09:29 ..
    -rwxr-xr-x   1 root  wheel     0 Jul 27 21:29 .localized
    drwxrwx---+  5 root  admin   170 Aug 13 12:37 group1
    drwxrwx---+  2 root  admin    68 Aug  7 21:57 group2
    drwxrwx---+  2 root  admin    68 Jul 27 21:47 workgroup

    Which is nice enough, but what if I wanted to see the real permissions, including the ACLs? There’s a switch for that:

    ls -lae

    Which produces the following output:

    total 0
    drwxr-xr-x+  6 root  wheel   204 Aug  7 21:57 .
     0: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
    drwxr-xr-x  33 root  wheel  1190 Aug 17 09:29 ..
    -rwxr-xr-x   1 root  wheel     0 Jul 27 21:29 .localized
    drwxrwx---+  5 root  admin   170 Aug 13 12:37 group1
     0: group:group1 allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
     1: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
    drwxrwx---+  2 root  admin    68 Aug  7 21:57 group2
     0: group:group2 allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
     1: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
    drwxrwx---+  2 root  admin    68 Jul 27 21:47 workgroup
     0: 839AE424-BBF3-442E-BAD6-C8B5E8B596F5 allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
     1: user:_spotlight inherited allow list,search,file_inherit,directory_inherit

    It might be a bit daunting to read through, but heck if it doesn’t show you exactly what you need to see. It’s really easy seeing ACLs on Mac OS X with ls!

    In case you’re wondering, the ‘839AE424-BBF3-442E-BAD6-C8B5E8B596F5’ part corresponds to a UserID in OpenDirectory/LDAP.
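Reading that output by eye gets tedious on a big share, so here is a small filter for it, as an added example that is not part of the original post. It flags allow entries that grant writesecurity or chown (rights that let the holder change the ACL or the owner) and principals that ls printed as a raw UUID; the sample listing is a trimmed copy of the output above and the reason labels are made up for this example.

```shell
#!/bin/sh
# Added example: flag ACL entries in `ls -lae` output that deserve review.
# Output: one tab-separated line per finding: <name> <principal> <reason>

audit_acl() {
    awk '
    # ACL entry, e.g. " 0: group:group1 allow list,add_file,..."
    /^[ \t]*[0-9]+: / {
        principal = $2; kind = ""; rights = ""
        # "inherited" may sit between the principal and allow/deny
        for (i = 3; i < NF; i++)
            if ($i == "allow" || $i == "deny") { kind = $i; rights = $(i + 1); break }
        if (kind != "allow") next
        # Principal printed as a raw UUID instead of a user:/group: name
        if (length(principal) == 36 && principal ~ /^[0-9A-Fa-f-]+$/ &&
            split(principal, parts, "-") == 5)
            print name "\t" principal "\t" "uuid-principal"
        # Rights that allow changing the ACL or the owner
        n = split(rights, r, ",")
        for (j = 1; j <= n; j++)
            if (r[j] == "writesecurity" || r[j] == "chown")
                print name "\t" principal "\t" "can-" r[j]
        next
    }
    # Ordinary listing line: remember the file name (field 9 onward)
    NF >= 9 {
        name = $9
        for (i = 10; i <= NF; i++) name = name " " $i
    }
    '
}

# Constructed sample: a trimmed copy of the listing shown in the post.
sample_listing() {
    cat <<'EOF'
total 0
drwxr-xr-x+  6 root  wheel   204 Aug  7 21:57 .
 0: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
drwxrwx---+  5 root  admin   170 Aug 13 12:37 group1
 0: group:group1 allow list,add_file,search,delete,readsecurity,writesecurity,chown,file_inherit
 1: user:_spotlight inherited allow list,search,file_inherit,directory_inherit
drwxrwx---+  2 root  admin    68 Jul 27 21:47 workgroup
 0: 839AE424-BBF3-442E-BAD6-C8B5E8B596F5 allow list,add_file,writesecurity,chown,file_inherit
EOF
}

sample_listing | audit_acl
```

On a real server, pipe the live listing in instead: `ls -lae /Groups | audit_acl`.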

    daemontools on redhat enterprise 6.0

    So, for a project I needed to get something running in order to ensure memcached would keep on running. The (for me) natural choice for this was daemontools (0.76 at time of writing).

    There are a couple of things you have to pay attention to, in order to get this going on RHEL 6. (and I suppose many other Linux distros)

    Phase 1 – get the source and compile it

    get the source tarball here (note: this might not be the current version anymore!) and download it to /usr/local/src

    • unpack it with tar -zvxf daemontools-0.76.tar.gz and cd into admin/daemontools-0.76.
    • edit src/conf-cc and add ‘-include /usr/include/errno.h’ at the end of the line. (anywhere is fine, really)
    • run package/install

    this should give you the needed files in /command and an existing /service

    Phase 2 – fixing startup

    Daemontools requires a somewhat different approach to starting up than you might be used to. ( the most common way being /etc/init.d/<name>, and using chkconfig to influence when it starts). Daemontools should be started on boot, and init must be told to restart it when it dies. This ensures continued operation. The installer you ran in phase 1, took care of this by adding a line in /etc/inittab, but that’s an old method, and for the sake of continued operation (and working straight away) we’ll use the new method:

    • Remove the added line from /etc/inittab.
    • cd /etc/init
    • create a new file called svscan.conf, and put the following contents in:
    start on runlevel [345]
    # have init restart svscanboot if it ever dies
    respawn
    exec /command/svscanboot

    Now, tell init it should re-read its configuration, and then start svscanboot:

    • initctl reload-configuration
    • initctl start svscan

    if you check now, you should see a happily running svscan, and daemontools is ready to kick some:

    2676 ?        Ss     0:00 /bin/sh /command/svscanboot
    2678 ?        S      0:00  \_ svscan /service

    Enjoy! I hope this little post was helpful.
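With svscan running, the memcached service itself still needs a service directory. The script below is an added example, not part of the original post: it builds one with a run script that drops root via daemontools' setuidgid and binds memcached to loopback only. The "memcached" account, the 64 MB / port 11211 settings and the /var/svc staging path are assumptions.

```shell
#!/bin/sh
# Added example: build a daemontools service directory for memcached.
# Assumptions: a "memcached" system account exists, memcached is on PATH,
# and the directory is staged (e.g. under /var/svc) before linking it in.

make_memcached_service() {
    svc="$1"                       # e.g. /var/svc/memcached (hypothetical)
    mkdir -p "$svc/log/main" || return 1

    # Main run script: supervise restarts whatever this execs when it exits.
    cat > "$svc/run" <<'EOF'
#!/bin/sh
exec 2>&1
# Drop root before starting; listen on loopback only.
exec /command/setuidgid memcached memcached -m 64 -l 127.0.0.1 -p 11211
EOF

    # Log run script: multilog writes timestamped, rotated logs to ./main.
    cat > "$svc/log/run" <<'EOF'
#!/bin/sh
exec /command/setuidgid memcached /command/multilog t ./main
EOF

    chmod 755 "$svc/run" "$svc/log/run"
}

# Run as root once the directory is complete: give the log directory to the
# unprivileged account, then link the service in so svscan starts it.
activate_memcached_service() {
    svc="$1"
    chown memcached "$svc/log/main" &&
    ln -s "$svc" /service/memcached
}

# Usage (as root):
#   make_memcached_service /var/svc/memcached
#   activate_memcached_service /var/svc/memcached
#   /command/svstat /service/memcached
```

Staging the directory elsewhere and symlinking it last means svscan never sees a half-written service.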