madduck's Planet LCA posts


Splitting puppetd from puppetmaster

My relationship with Puppet is one of love and hate. I am forced to use it simply because there is no better tool around, but I hate it in so many ways that I don’t even want to start to enumerate (hint: most have to do with Ruby, actually).

Today I decided to put an end to one thing that has been driving me insane: the fact that puppetd (the client) and puppetmasterd (the server) use the same working directory, /var/lib/puppet. Since I consider, and would like to treat, the machine on which puppetmasterd is running as just another puppet client, I was running into funky issues related to SSL certificate confusion, obscure errors, and SSL revocation horrors.

The following hence assumes that you have installed or are planning to install puppetd on the machine running your puppetmaster, and that you have two fully-qualified domain names for the machine. For instance, I run puppetmaster on vera.madduck.net, and puppetmaster.madduck.net is an alias for the same machine. I’ll use these names in the following as examples.

The following may be Debian-specific, as I am solely using the puppet and puppetmaster packages for my experimentation and verification. Your mileage may vary, but the concept should be the same.

  1. Stop everything:

    /etc/init.d/puppetmaster stop
    /etc/init.d/puppet stop

    (also verify that you have not instructed cron to restart these services)

  2. Rename the working directory:

    mv /var/lib/puppet /var/lib/puppetmaster

    and amend /etc/puppet/puppet.conf accordingly:

    [main]
    # …
    vardir=/var/lib/puppetmaster
    ssldir=$vardir/ssl
    # …

    [puppetmasterd]
    certname=puppetmaster.madduck.net
    # …

    I am doing this in [main], planning to override it for puppetd later, because puppetd is the only program that makes sense to separate from the rest. Since only the puppetmaster needs a special certificate name, that is set specifically in the [puppetmasterd] section.

    If you use apache2 or nginx in front of your puppetmasters, make sure to amend the SSL file locations in the virtual host definition and restart (!) the service.

    You can verify that the configuration has been amended by making sure that there is no output from the following command:

    # puppetmasterd --genconfig | grep -q '/var/lib/puppet/' && echo SOMETHING IS WRONG
    
    
  3. Now restart puppetmaster:

    /etc/init.d/puppetmaster start

    and verify that it starts.

    If your puppetmaster previously ran under a different name, it will create itself a new certificate and sign it.

    Since the client will get its own working directory (and thus a new SSL certificate), you want to remove all records of the old certificate:

    # puppetca --list --all
    + puppetmaster.madduck.net
    + vera.madduck.net
    # puppetca --clean vera.madduck.net
    
    
  4. Change the configuration file to tell puppetd about its working directory:

    [puppetd]
    server=puppetmaster.madduck.net
    vardir=/var/lib/puppet
    ssldir=$vardir/ssl
    # …

    This you can verify with the following command, which should not print anything:

    # puppetd --genconfig | grep -q '/var/lib/puppet[^/]' && echo SOMETHING IS WRONG
    
    
  5. Now install puppet, or (re)start it if it’s already installed:

    # /etc/init.d/puppet stop
    # puppetd --no-daemonize --onetime --verbose --waitforcert 30 &
    info: Creating a new SSL key for vera.madduck.net
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for vera.madduck.net
    
    
    # puppetca --list
    vera.madduck.net
    # puppetca --sign vera.madduck.net
    notice: Signed certificate request for vera.madduck.net
    notice: Removing file Puppet::SSL::CertificateRequest vera.madduck.net at '/var/lib/puppetmaster/ssl/ca/requests/vera.madduck.net.pem'
    
    
    # fg
    info: Caching certificate for vera.madduck.net
    info: Caching certificate_revocation_list for ca
    […]
    
    
    # puppetca --list --all
    + puppetmaster.madduck.net
    + vera.madduck.net
    
    
    # /etc/init.d/puppet start
    
    

    Do yourself the favour and check that it’s all working.

  6. Optionally, you can now clean up the client stuff in the server’s working directory, for instance like this (it worked for me, but this is the sledgehammer approach: after taking a backup, it deletes from /var/lib/puppetmaster every file whose relative path also exists in the new client directory /var/lib/puppet):

    # /etc/init.d/puppetmaster stop
    # cd /var/lib/puppetmaster
    # tar -cf /tmp/puppetmaster.workingdir-backup.tar .
    # find ../puppet -type f -printf '%P\n' | xargs rm
    # /etc/init.d/puppetmaster start
    
    
  7. If you stopped cron before (and your puppet recipes have not since restarted it):

    /etc/init.d/cron start
    
    

All done. I wish puppet, or at least Debian’s puppet packages, would do this by default. Please let me know if the above conversion works for you. Then I might start working on an automated migration.
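As an added example (not code from the post or from Puppet), a small Python checker for the result of the steps above: it parses a puppet.conf the way Puppet resolves it, with a program’s own section overriding [main] and $vardir references expanded, then reports which of vardir, ssldir and certname puppetd and puppetmasterd would still share. The two configuration texts are constructed to mirror the before and after states, the FQDN vera.madduck.net is taken from the post, and certname is assumed to default to the host’s FQDN when unset.

```python
import re

# Constructed puppet.conf as it should look after steps 2 and 4 above.
SPLIT_CONF = """
[main]
vardir=/var/lib/puppetmaster
ssldir=$vardir/ssl
[puppetmasterd]
certname=puppetmaster.madduck.net
[puppetd]
server=puppetmaster.madduck.net
vardir=/var/lib/puppet
ssldir=$vardir/ssl
"""

# Constructed starting point: client and master share /var/lib/puppet.
SHARED_CONF = """
[main]
vardir=/var/lib/puppet
ssldir=$vardir/ssl
[puppetd]
server=puppetmaster.madduck.net
"""

def parse_conf(text):
    """Return {section: {key: raw_value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections

def effective_settings(sections, program, fqdn):
    """Settings as `program` sees them: [main], then its own section, then $name expanded."""
    merged = {"certname": fqdn}  # assumption: certname defaults to the FQDN
    merged.update(sections.get("main", {}))
    merged.update(sections.get(program, {}))
    def expand(value, depth=0):
        if depth > 10:  # e.g. vardir=$vardir would otherwise recurse forever
            raise ValueError("interpolation loop in " + value)
        return re.sub(r"\$(\w+)",
                      lambda m: expand(merged.get(m.group(1), ""), depth + 1),
                      value)
    return {key: expand(val) for key, val in merged.items()}

def check_split(text, fqdn):
    """Settings puppetd and puppetmasterd would still share; [] means split."""
    sections = parse_conf(text)
    client = effective_settings(sections, "puppetd", fqdn)
    master = effective_settings(sections, "puppetmasterd", fqdn)
    return [f"{key} shared by both daemons: {client.get(key)}"
            for key in ("vardir", "ssldir", "certname")
            if client.get(key) == master.get(key)]
```

Running check_split(SHARED_CONF, "vera.madduck.net") lists all three shared settings, while the split configuration returns an empty list.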

NP: Genesis: Selling England by the Pound

Posted Thu 11 Mar 2010 18:59:21 CET Tags: puppet ruby

ACTA leak: no surprises about transparency blockers

The most common criticism of the Anti-Counterfeiting Trade Agreement (ACTA) is the lack of transparency. Before the nations disclose the terms of the agreement under negotiation, we are unable to gain an idea of the big picture, let alone voice our opinions and push for changes. Our politicians don’t want us to know. We rely on leaked documents for our information. This is backwards in a world where a state should represent its people. This smells foul to me.

There are undoubtedly some good reasons for the treaty, and if we can contain worldwide, large-scale trade of counterfeited goods and medicine, then that would be a net benefit to us all. However, we must not allow certain governments to succumb to the pressure of (commercially-motivated) lobbyists, to pass that pressure on to other nations by using trade as leverage, and to slash our freedom as if it were an inconvenient obstacle in their way.

Only if the terms under negotiation become publicly available, and the public is given a voice, can we help our governments enter an agreement that is in the interest of their people rather than a threat to us.

It is hardly surprising that the USA, a totally capitalist nation, is the strongest opponent of transparency, because the public might delay or even prevent the treaty. Nor was I surprised to see South Korea and Germany in the list of supporters of secrecy. It is interesting to see that the leaders of Singapore, Belgium, Portugal, and Denmark also seem to believe that these negotiations should be withheld from the public. Does anyone know about Switzerland?

I tip my hat to New Zealand, Canada, Australia, Netherlands, Sweden, Finland, Ireland, Hungary, Poland, Estonia, and Austria for their support of transparency.

Posted Fri 26 Feb 2010 08:01:16 CET Tags: acta copyright freedom intellectual-property ip leaks politics privacy transparency us

Charge advertisers for the last mile

ISPs fight a raging war over net neutrality because their infrastructure cannot keep up with the increasing demand (or rather supply) of content. Therefore, ISPs want to charge the users premiums if they wish to use certain services on the Net. For instance, since videos are usually large in size, one would have to purchase e.g. the “platinum package” to be able to access video hosting sites. It would be a serious loss of freedom if they won, and the Internet would never be the same.

Let’s turn that idea around: since sites that use advertising make money off every visitor, they are really the ones that should pay the ISPs so that they can improve their infrastructure. The same applies to sites that make money off visitors in other ways.

At the moment, users pay to access the network (which is like paying a taxi to get to the market), so that they can visit sites where advertisers make money showing ads to the visitor, which might actually lead them to pay a manufacturer for a product — the end user pays twice, and the advertisers take in money, leeching off the ISPs’ investment in their infrastructure.

I think that the advertiser and not the consumer should pay the ISP to keep the infrastructure afloat — improve it even. The manufacturer should then pay the advertisers for displaying the ad, and the user consumes if s/he chooses to — and everyone only pays once, for services they want. This will help improve competition among providers, which should always be the goal.

If my ISP started recording the volume of HTTP traffic I produce for each target site, charged the targets appropriately (they could start with a couple at first), and gave me free connectivity in turn, I’d be quite happy. The ISP wouldn’t have to look at the contents at all for that.

I don’t yet know what to do if the target sites choose not to pay up. ISPs could block them, or throttle or deprioritise traffic, but either of those might simply lead to an exodus of users, just like “premiums” would.

As usual, this just needs to be done by many ISPs in concert. Are you listening?

Posted Sat 20 Feb 2010 23:02:56 CET Tags: competition idea internet isps net-neutrality taxis

Making money off ethics

The coffee place around the corner from where Penny and I lived for the past two months — Caffé Mode — offers to make your food using free-range eggs for NZ$1. Free-range eggs are more expensive than normal ones, but the price difference is not one dollar. Therefore, the cafe makes a profit every time a customer makes the right choice.

I went in this morning to ask them about it, and the guy taking my coffee order admitted stalemate. When I suggested that the cafe should use free-range eggs exclusively, he agreed. Let’s hope that he lets those making that decision know, and that the cafe soon stops making money on ethical choices.

Posted Sat 20 Feb 2010 12:05:32 CET Tags: eggs ethics free-range wellington

Thank you, Catalyst!

Tomorrow, Penny and I head off back home, and two months of living in NZ come to an end. (did you hear that, pleaserobme.com?)

Maybe I’ll find the time to write about my impressions of living on this side of the planet, and being immersed in Kiwi culture while going after my daily routine and trying to work as much as I could. But there is one thing that should not wait:

Thank you, Catalyst IT for giving us workspaces! For the better part of 6 weeks, you gave us our own room, monitors, keyboards, mice, and connectivity. And more than that: you welcomed us, let us participate in sessions, invited us to your parties, received our parcels, sent out letters, and generally provided us with a great environment to work. This was certainly well above what we had dreamed of.

At times, I was forced to stay into the middle of the night — 12 hours time difference with Europe is not always easy — and spent waking hours in your building alone. Thank you for your trust!

Catalyst is a fully New Zealand-owned company that delivers critical open source business systems to some of NZ’s largest organisations, and to organisations worldwide. Catalyst was also a major enabler of LCA2010, and a sponsor of Kiwi Foo Camp, both events that I had the privilege to attend.

Let me know when you’re in my part of the world. ;)

NP: The Mamaku Project: Karekare

Posted Thu 18 Feb 2010 06:15:58 CET Tags: catalyst hospitality life penny

ACTA documents leaked

Shortly after I wrote my last article about ACTA and the lack of transparency, I was delighted to find out that a report of the recent negotiations in Mexico has been leaked. I find it a bit disconcerting that our politicians, who are theoretically supposed to represent our interests, are writing documents that can “leak” to the public, when they should have been available to the public from the start.

The document and the cover page are available for direct download.

Michael Geist has a first analysis:

A brief report from the European Commission authored by Pedro Velasco Martins (an EU negotiator) on the most recent round of ACTA negotiations in Guadalajara, Mexico has leaked, providing new information on the substance of the talks, how countries are addressing the transparency concerns, and plans for future negotiations. (read more…)

NP: Dimmer: Degrees of Existence

Posted Wed 17 Feb 2010 23:55:42 CET Tags: acta copyright eu freedom intellectual-property ip leaks politics privacy transparency

Privacy discussion mailing list

Dear lazyweb: I am in search of a mailing list for discussion on matters related to digital identity and privacy in the information age. Unfortunately, my (limited) searching has not unveiled results, mostly because many mailing lists have “privacy agreements” or some such, polluting the results with pointers to those.

If you know of such a list, or you don’t but are interested in the topic, don’t hesitate to drop me a line. I will then either let you know when my search has been successful, or subscribe you once I have created a list to fill the void.

NP: Sola Rosa: Solarized

Posted Wed 17 Feb 2010 02:04:03 CET Tags: identity information-age lazyweb mailinglist privacy

ACTA: less knowledge means less resistance

Right now, your government is probably engaged in the discussion of the Anti-Counterfeiting Trade Agreement (ACTA). You are likely not aware of that because your government has been actively keeping these negotiations and details surrounding them secret.

Your government does not want you to know about a treaty that has far-reaching negative effects on your freedom, as well as your basic human rights. If you did know, you might speak up and make it difficult for the drivers of ACTA to smoothly push their interests past you.

The red light should light up in your head right now!

The goals of the “trade agreement” that is being negotiated are multifarious, but essentially seem to centre around challenges related to intellectual property, and copyright in the digital age, even though it is sometimes claimed that the agreement serves primarily to contain trade of fake Prada bags and Rolex watches.

In reality, ACTA is about content producers like movie studios, who try everything to prevent you from copying their work without paying for it — even if you cannot actually purchase the work, because of e.g. technical measures designed to prevent certain people from legally obtaining content, or simply because the media companies are greedy and consider it PR-savvy to delay the release of a given work in certain countries until after people have had a chance to pay a lot of money to the cinemas.

In theory, a creative work goes out of copyright 50 or 75 years after its author died, depending on whether the creativity can be attributed to a person or a corporation, respectively. Therefore, 50 or 75 years after creation, it gets increasingly hard to monetise a work that has not been reinvented in that period of time.

Sounds plausible to you and me, but this sort of stuff frightens companies like Disney, who seem powerful enough to simply have the law changed. That is not how things should work.

The media producers are failing to control the Internet, and hence they want to turn it into something more like cable TV, which they do know how to control.

ACTA aims to make copyright infringement a criminal offence.

ACTA wants to make it possible for a government to cut you off the Internet because someone thinks you did something bad — they don’t actually have to prove it though, accusation is enough. Similar efforts have already failed all over the world, e.g. in France and New Zealand. That’s a sign, not a reason to try again.

ACTA wants to set in stone that you have absolutely no rights when you cross borders. This is largely already the case — border officials can pretty much do with you whatever they want — now it’s supposed to be made official, and legally binding.

ACTA will create a culture of surveillance and suspicion.

ACTA is designed to break the Internet, among other things.

But worst of all: I am just speculating because we are not supposed to know the details.

The best current source of information on ACTA seems to be Canadian law professor Dr. Michael Geist, who has been collecting content and linking to articles consistently since the ACTA negotiations commenced 2–3 years ago. The Electronic Frontier Foundation also has comprehensive resources available.

It’s even more important today than before to put an end to this secrecy. Don’t let your government enter secret agreements that affect you and your life, refusing to talk to you about it beforehand, and probably refusing all responsibility afterwards. Talk to your politicians and ask questions that cannot be answered with stock replies.

If you have specific contact addresses for politicians, please let me know so I can add them.

Colin Jackson helped me with this article at Kiwi Foo Camp. He also takes issue with the secrecy around ACTA.

Posted Sat 13 Feb 2010 01:02:14 CET Tags: acta copyright eu freedom intellectual-property ip kiwifoocamp politics transparency

Baffling Exchange

I found out yesterday that my university’s Microsoft Exchange Server account stopped forwarding my mail on 8 December 2009. As a result, mail accumulated there and remained unseen.

Dear examiners, paper authors, supervisors, sponsors, participants, and peers who responded to my calls and cries related to my PhD thesis. I am terribly sorry that you were subjected to this. You replied usually within a few days, but I still sent you reminder after reminder in the weeks to follow. You must have thought that I was a real dork. Please forgive me. I really appreciate your patience!

I filed a ticket with my university’s IT service provider, which got closed the next day with “it should now work again”. That wasn’t going to cut it for me, so I reopened the ticket, asking for an explanation. Next, I received an apology with a bit of speculation.

After a bit of research, it seems that the reason was to be found in the “inconsistency” of being an external staff member (i.e. an e-mail address outside of the Active Directory domain), but still having an account on the server.

On 8 December 2009, the server was upgraded with a service pack. This caused Exchange to go a little manic on the housekeeping. After all, why would anyone ever want to forward their e-mail elsewhere, and still have an account?

Well, I certainly don’t want an account, and yet I have to have one: Microsoft has bought its way into the university and spread its germs everywhere, so I need credentials to be able to access shared files, print, browse the library, or search the phone book.

However, UL’s Outlook Web Access instance does not let users of decent browsers search their mailboxes (a “premium feature” reserved for users of Internet Exploder), does not let one manipulate more than a page-full of e-mails at a time, bounce messages, or do many of the other operations that make dealing with large amounts of e-mail possible; and because Exchange mail — if it doesn’t get lost in the first place — sucks in so many other ways, I certainly prefer my mail to be handled by a real mail server with a proper mail filter (writeup in progress).

Maybe the Exchange service pack was simply designed to get rid of outcasts like me who don’t buy into the low-quality Microsoft vendor lock-in? We’ll never know, thanks to the proprietary nature of their software (and the fact that the university service provider apparently does not keep logs of changes).

NP: AC/DC: Back in Black

Posted Tue 09 Feb 2010 22:10:19 CET Tags: crap email exchange microsoft ul

Sign me up to social networking!

I do not like it when people tell Web 2.0 sites to send me invitation e-mail. I won’t enumerate the reasons here. But there is one reason why I don’t like you passing on my address to those sites, and it is the subject of this article:

Contrary to popular belief, the Web 2.0 is not a money-printing machine. It’s a long road until you can actually generate real money with user content. Therefore, some shady sites are probably selling contact details to advertisers to make ends meet while hoping for the big cashflow.

I don’t have any data to back this up, and I want to change that:

Please tell all your Web 2.0 sites to send me an invitation! Please use an address in the signmeup.madduck.net domain for that, and make sure to include the domain name of the service to which you sign me up before the @ symbol. Also append a hyphen/dash and a random, short string. More on that in just a sec.

For instance, if you are one of those people who believe in letting everyone know where you are (and have been) at any point in time, tell Foursquare to send an invitation to:

foursquare.com-ponies@signmeup.madduck.net

The reason for the random, short string (“ponies”) is simply so that I can later cross-check that an address receiving spam actually went through a social networking site — I intend to catalogue the invitation messages.

Thank you for your time. Keep in mind: the more, the merrier. I’ll make sure to report back on the outcome of this little experiment right here, so watch this space.

NP: Billy Joel: Cold Spring Harbor

Posted Tue 09 Feb 2010 02:45:22 CET Tags: social-networking spam web20