Sunday, April 4, 2021

Reviewing the past decade

Over the past decade, LittleDragonInc has been a personal portfolio that has the outward appearance of a small company's website. 

Putting on rose colored glasses:
  • This portfolio has used in many contexts with satisfactory returns.
  • Indirectly through work, I have fulfilled my initial curiosities of how development, and operations might be carried out in "real world" environments.
Taking off said glasses:
  • The false sense of confidence, and complacency was detrimental in my interview preparations.
  • To the best of my approximation, the portfolio demonstrated herein, such as shown here did not positively impact my most recent job search.
On the content of this blog going forward:

Journaling was helpful in keeping me aligned during the initial trajectory of my career. I don't think the personal posts have been useful even for myself in recent years. This current post is to provide closure on that particular arc.

Saturday, May 30, 2020

Notice of ceasing contractual obligations.

It is a opportune time to announce that after ten years of operations, Little Dragon Inc (LDI) has finally (in early 2020) winded down all previously entered contractual activities. The decision had been made to discontinue offering the services to new external parties many years ago. The final party that LDI was providing services to decided to shutter its business a few months before the shutdowns of 2020.

The business model that we have employed involved offering to eliminate our customers hosting, and online advertising expenses. By providing a free hosting service, it was a easy proposition for the customer:  Expand their online presence, reducing their hosting expenses down to zero, free advertising/brand management across popular services (reaching over 100k clicks per month), and free ongoing first world labor/support during non business hours.

It may be shocking to learn then, that that division of LDI has been in the red for the past ten years. After the initial introspection on revenues, and debts ten years ago; it dawned clear as day that the near zero income generated (both present, and future expected) was going to be significantly outweighed by the costs to support our operating expenses. (rent, utilities, the scholarship benefits to the unpaid help involved.)

However, through our core principle of reducing sales to a minimal, we could avoid having to waste time negotiating fees, and integrating with payment vendors. We could keep internal costs low by utilizing extreme cost savings measures. The technical side of this was hosted on free cloud services. The losses from debt burdening were just the layman's exercise to practice theoretical finance. A slightly profitable arrangement was achieved if the debt burdening wasn't in place.

Wednesday, December 11, 2019

Wildcard SSL Certs


# Manual steps for root CA creation, and signing of application certificates

# apt-get install libnss3-tools

CERT_NAME=ldi.lan
CA_NAME=LDI


MY_CN='*.ldi.lan'    # Common name
MY_O=ldi    # Organization
MY_C=US    # Country
MY_ST=Some    # State
MY_L=Where    # Locale

# create root ca keys, and cert
openssl req \
    -new \
    -newkey rsa:4096 \
    -days 365 \
    -nodes \
    -x509 \
    -subj "/C=${MY_C}/ST=${MY_ST}/L=${MY_L}/O=${MY_O}/CN=${MY_CN}" \
    -keyout ${CA_NAME}.key \
    -out ${CA_NAME}.crt

# provide user signing request key, to create signing request
openssl genrsa -out ${CERT_NAME}.key 2048
openssl req \
    -new \
    -nodes \
    -subj "/C=${MY_C}/ST=${MY_ST}/L=${MY_L}/O=${MY_O}/CN=${MY_CN}" \
    -addext "subjectAltName = DNS:${MY_CN}" \
    -key ${CERT_NAME}.key \
    -out ${CERT_NAME}.csr

# create app cert from cs, root ca, and ca key
openssl x509 -req -in ${CERT_NAME}.csr -CA ${CA_NAME}.crt -CAkey ${CA_NAME}.key -CAcreateserial \
-req -extfile <(printf "subjectAltName=DNS:${MY_CN}") \
-out ${CERT_NAME}.crt -days 1825 -sha256 

# import root CA cert to OS host, or through browser
sudo cp ${CA_NAME}.pem /usr/local/share/ca-certificates/${CA_NAME}.crt
sudo update-ca-certificates 

# import root CA  to chrome:
certutil -d sql:$HOME/.pki/nssdb -A -n 'name' -i ./${CA_NAME}.crt -t TCP,TCP,TCP 

# import app cert to chrome, when not using root CA:
certutil -d sql:$HOME/.pki/nssdb -A -n 'name' -i ./${CERT_NAME} -t P,P,P

Saturday, January 13, 2018

Proxmox postmortem

A list of failures:

  • No reliable monitoring of server, and equipment.
  • Using an USB drive as main primary drive.
  • Not backing up said USB drive.
  • Not backing up said drive when disk symptoms occurred. (I/O issues were a hint that disk failures are imminent.)
  • Not having automated deployment process.
  • Having data behind (possibly?) a single point of failure. If recovery of data is possible, will have to be postponed for a while.

Last week, I noticed that my basement server was down. I attempted to reboot to no avail. Plugging in a monitor, I noticed that the boot up disk had issues. By chance, I plugged in the USB disk into another slot, and the server booted up the OS with the proper output.

Mission accomplished. /s

I was (innocently) happy at the easy resolution, and went to my basement computer to kick off some patches on the server, and encountered my disk encryption prompt. [1]

After logging into my client computer, I SSH'd to my server and manually kicked off an update. The update ran for a while, and ended up with the disk in a read only state. At this point, I was likely screwed regardless, and won't go into further details. (as I don't know how to migrate good partitions onto a new bootable disk; though it seems to be a worthwhile endeavor)

There are a few problems, including not having backups of my primary disk. A better approach would have been automating the full deployment process. There was no version control in any step of the image deployment, and installation processes. 

These issues will be corrected in the near future.

2018 Resolutions

I think my approach towards productivity and personal growth has taken a backseat to the turbulence of 2017.

Technology:

  • Automate all of my deployments. I've experienced encounters where not relying on automation has led to pain points. Automation, at least with the experience that I have, will not eliminate pain points, but make life smoother.
  • Gain experience in technical areas that I have less experience with. 
  • See post after this one - Proxmox postmortem. 

Productivity:
  • If I am able to keep my head above the water (this is metaphor, where air is free time), I want to advance my skills outside of work and school.

Organization
  • I have rebased my office back in the same room as I did in undergrad. I've accumulated some nice equipment, and experience which I hope to rely heavily on for success in my coursework.
  • It seems this new workplace environment, and regulations have been of positive impact. I have a better appreciation for organization.

Saturday, September 16, 2017

September 16, 2017 - Hosting downtime incident

This is the writeup for the temporary downtime of an remote domain pointing to an app engine instance through 170820 to 170916

I transferred a domain from Gsuite to Google Domains earlier last month, but have encountered a few hiccups. It may be possible that DNS records were not selected to be migrated during the transfer, so the domain was inaccessible for a period for at least a few weeks.

This issue was noticed on September 15 during an infrequent site maintenance. It was observed that the domain and its respective subdomains were inaccessible. Investigations led to the observation of missing DNS records. Recovering the records back was simple and resolved the issues.

Satisfied with the results, I closed out the Gsuite Trial account and attempted to add the domain as an alias domain to LDI. Verification of the MX records was taking over 24 hours, but I was prepared to wait for the full 72 hours. 

Later in the day, I happened to noticed that the naked domain on the recovered site was failing to resolve. The naked custom domain had somehow been removed from the App Engine console. This should have been an easy fix, but attempting to add it back kept throwing a few errors in the UI: "There is an operation pending for this application. Please wait and try again." Another item of note, which was not blocking, was Google's recent addition to App Engine for automatic SSL management alleviates needs for solutions such as LetsEncrypt. But the certificate generation for this domain was not completing in any reasonable fashion. I choose to fall back to my LetsEncrypt certs for the subdomain during the investigation. There were few other even less descriptive warnings or small bugs where subdomains (and not the naked domain) would be auto added even if I did not complete the prompts.

These are a very vague issues, but due to personal urgency, I attempted a few steps to resolve.
  • Create a synthetic record to foward from the naked domain to the subdomain.
  • Creating a new duplicated application, and associate the naked and subdomain as custom domains.
  • Canceling the MX record verification, considering an official comment about incompatibility with hosting and processing email on the same domain. 
  • Wait out this error, and hope for some batch process, etc to be resolved out. 
  • Set up the site at another host.
I tried first three options to no further results. The synthetic record mapping had the most potential, but would not properly allow SSL certificates to be forwarded from the subdomain.  I felt that since a few hours had past since investigating this issue, and having exhausted my options, I had to fall back to the last option.

As a temporary resort, I migrated the static portions of the website to Github pages and set up custom domains there. Github currently does not seem to support secure web pages on custom domains, and led to unsightly ~"This connection is not secure", and ~"This website is using insecure practices" warnings to be shown by web browsers. Adding free cloudflare DNS, SSL plan resolved the insecure warnings. Interestingly domain, MX, text record verification from Google to Cloudflare was significantly faster than verification from Google to its own DNS servers. 

This failure has come at a critical time as I have been starting to apply to other opportunities. Having others accessing prominent links to a non existing webpage hurts my outreach efforts. For over six years, LDI has never encountered a known outage of this scope and duration, and it is deeply regrettable. In the future this may be mitigated through a few simple scripts for monitoring.

Monday, August 21, 2017