Blog von Slagwerks

Heroku + Refinery + SSL

Say you’re hosting a Refinery CMS site on Heroku, and would like to rewrite all admin access to use Heroku’s free piggyback SSL.

Say also that you have a few different environments, accessible via your own domain (http://mysite-dev.mydomain.com). The following in your application controller seems to do the trick:
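A minimal sketch of the idea, with the redirect logic pulled out into a plain method so it reads outside of Rails (the mysite.heroku.com host and the /refinery path prefix are placeholders for your own):

```ruby
# Hedged sketch: Heroku's piggyback SSL is only valid for
# yourapp.heroku.com, not a custom domain, so admin requests get
# bounced onto that host over https.
SSL_HOST = "mysite.heroku.com"  # placeholder

# Returns the https URL to redirect to, or nil when no redirect is needed.
def admin_ssl_redirect(path, already_ssl)
  return nil if already_ssl                  # request is already on SSL
  return nil unless path =~ %r{\A/refinery}  # only force SSL for admin paths
  "https://#{SSL_HOST}#{path}"
end
```

In the app, a before_filter on ApplicationController would call this with request.path and request.ssl? and redirect_to any non-nil result.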

Tip for New Sinatra Deployers

If you get the error undefined method `application' for Sinatra:Module and your config.ru includes the line run Sinatra.application, try changing that to run Sinatra::Application and it should actually work.
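For reference, a minimal config.ru for a classic-style Sinatra app with the corrected constant (the required file name here is a placeholder):

```ruby
# config.ru -- rackup file for a classic-style Sinatra app.
# Sinatra 1.0 dropped Sinatra.application; the class to run is
# Sinatra::Application.
require 'my_app'   # placeholder: the file defining your routes

run Sinatra::Application
```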

(via http://www.sinatrarb.com/one-oh-faq)

Does 201 CMR 17 Apply to VOIP?

Background: looking at going to a Voice Over IP phone system at work. Wondering if Massachusetts’ new law about information security applies.

Why it might not: a potential (MA based) vendor we’re talking to says

We’ve not been asked this before about 201 CMR 17 Compliance and I don’t particularly think it applies to our VoIP, or VoIP in general

Why it might: Section 17.04 qualifies the applicability of the rule to

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include…a security system covering its computers, including any wireless system

Like just about any business, we definitely transmit personal information over our phone system, so I think the technical / legal question is whether an electronic phone system of the type in question is covered under the “its computers” phrase.

Stepping back from the legal to the practical, however, it seems fair to expect reasonable information security from our communications systems, including VOIP. At least in its intent, I think that’s what 201 CMR 17 is after. VOIP is still new enough that I suspect many prospective customers (like us!) aren’t quite sure what constitutes a reasonably secure installation, though we sense that there are all kinds of potential attack vectors not present in POTS.

Ruby & NoSQL @ Vermonster

Update: Vermonster has a nice recap, chock full of code & explanations.

A fine time was had the other night in the offices of Boston’s Vermonster, when a few Vermonsters generously helped some folks from Boston.rb get up to speed on the use of some NoSQL projects from Ruby.

Up until now, I’ve been a little leery of NoSQL. Probably due to painful past experience with ZODB failing to keep up with moderate loads, and reading too many Philip Greenspun essays at an impressionable age. Happily, it appears that the projects collected under the NoSQL banner can actually walk and chew gum at the same time, without rendering your data unreasonably inconsistent.

The whole question of the Consistency of one’s data is addressed by the CAP theorem, which I understand to roughly say

Consistency, Availability, Partition tolerance: pick (at most) two, particularly under certain challenging conditions such as running Google or Amazon.

Even if you aren’t running something quite that big, there seem to be some situations where you’d want to think about this stuff – for example, running an app on Google’s App Engine (right? Haven’t yet myself.) Plus, all the cool kids are into it.

We worked with the locally-written Riak (looks like it’s the topic of the April Boston.rb meeting!) and with CouchDB. Both are ridiculously easy to get running locally, have Ruby client libraries, and are powered mainly by Erlang, with JavaScript Map/Reduce. For the latter, we used the couch_potato library, which seems to do a nice job of writing your JavaScript for you in the most common cases.

We wrapped the evening up with a coding challenge. My brain was fried & I gave up 2/3rds of the way through, but still had a blast & learned plenty. As a side benefit, beyond the exposure to NoSQL, my state-of-the-art-circa-2008 Ruby habits got challenged by working with RSpec, 1.9.1, and RVM, all of which should prove handy for future things.

Big ups to Vermonster for hosting, feeding, and educating us. They are good guys, skilled teachers, and have excellent taste in beverages.

Snow Leopard Still a Mixed Bag

I’ve been trying out Mac OS 10.6 a.k.a. Snow Leopard for a few weeks now. For the most part it looks and acts… just like Leopard! Still, I have run into the following annoyances:

  • Doesn’t really want to do more than one thing if you only have 1 GB RAM, very noticeably worse than Tiger in this regard (never ran Leopard much on only 1 GB). If the 64-bitness is to blame, I guess the OS & basic apps are carrying more 64-bit ints than I would have thought.
  • Doesn’t work with our older b/g Airport Extreme. Says it’s on the wireless network, but doesn’t configure TCP/IP settings – this is after much experimenting with various Airport settings. Search for ‘snow leopard wireless’ for a variety of related complaints.
  • Doesn’t work with the Citrix XenApp web plugin. To be fair, this seems to be due to Citrix expecting Java 1.5 to be installed, which is kind of lame. Workarounds are reported on the internets, but then you’re managing your own Java installation, which seems to be one of the most vulnerability-plagued pieces of OS X.

My conclusion, as of 10.6.2: no reason to upgrade from Leopard, unless you’ve bought brand-new hardware that requires SL.

Latest 201 CMR 17 Hotness

You could be excused for having missed the news, but the 201 CMR 17 that was just about to go into effect over a year ago… is now just about to go into effect!

Some tidbits:

Fortunately, there doesn’t seem to be anything particularly unreasonable in the requirements, so organizations following good data security procedures shouldn’t have to do much work (if any) to be compliant.

Testing Backups

I’m putting together our backup testing plan, and marveling at the suggestions in Preston’s Backup and Recovery. Here’s my paraphrase:

  • restore many single files
  • restore older versions of files
  • restore entire drive / filesystem, compare to original (same size? etc.)
  • recreate entire system
  • pretend a given backup volume is bad, use alternate
  • restore without touching backup server (as if it were destroyed)
  • include database restores, inc. database at different point in time
  • dream up painful scenarios with pessimists, test for those regularly

To actually do these tests, he suggests making a list & randomly picking a subset to test on a monthly basis.
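That random-subset scheme is easy to sketch, assuming the catalog lives in a plain list (seeding the draw by month is my own addition, so a given month’s picks are reproducible):

```ruby
# Sketch of the suggestion: keep the full list of restore tests,
# and each month randomly pick a few to actually perform.
RESTORE_TESTS = [
  "restore many single files",
  "restore older versions of files",
  "restore entire filesystem, compare to original",
  "recreate entire system",
  "pretend a given backup volume is bad, use alternate",
  "restore without touching backup server",
  "restore database at a different point in time",
]

# Seed the RNG with the month (e.g. 201003) so everyone draws the
# same subset for that month.
def monthly_tests(tests, count, month)
  tests.sample(count, random: Random.new(month))
end
```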

Fun, huh? Beats holding the bag when your organization’s vital data goes missing.

Python Script for Importing Maildirs to Gmail

In fact the script in question should also work for mboxes and for other SMTP servers, but maildir-to-gmail was the problem I was trying to solve.

The most promising starting point was an old script by Mark Lyon. After a little rejiggering so I could see what error was coming back from Google, I made a couple more tweaks to use TLS & to take the user’s password.

If anyone’s interested in what seemed to me a strange hoop to hop through before connecting, check the src.

Considering How to Reliably Jam Stuff Into FileMaker From the Web

I’m sure I’m not the only person with this situation:

1. FileMaker database sitting behind a firewall (though similar issues would pertain for other internal databases / services)
2. Website hosted elsewhere (i.e. other side of firewall)
3. Need to get data from #2 to #1 reliably and securely

Up until today, I’ve only had one instance of #2 in this situation. I dealt with it by storing data collected on the website (which happened to be written in Rails) in a database on the web server, and then running a periodic PHP script on the FileMaker server that connects to the Rails app via phpactiveresource, pulls in pending data, and inserts it into FileMaker via its PHP API.

That instance was such a roaring success that the requests have been pouring in for more of the same. Some of the new requests will be handled by a site running PHP, so I’ve got a bit of rewiring to do – I can’t see any sense in getting the data from the PHP app into something the Active Resource client can talk to.

Stepping back and looking at the bigger picture, issues here include:

  • the connection from the website to the FileMaker server could be down, so data collected by the website needs to be stored until it can be confirmed to have made it to FileMaker.
  • it would be nice for this to happen in a timely fashion
  • multiple technologies on the web side (PHP & Ruby) are going to be collecting data to be submitted to FileMaker, so it’d be nice if the transfer machinery can be agnostic and just accept JSON or XML or something.

Sounds like a problem for a queue system, huh? So my current plan is to run a beanstalkd instance on the webserver, deposit JSON-encoded data into it from the web sites, and run workers that write to FileMaker using the Ruby FM API. I have no experience with beanstalkd, but a bit of googling suggests that it hits a nice point in terms of simplicity to configure & run, maturity, light weight, and ease of access from PHP & Ruby.
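The plan reduces to a small sketch. The queue calls below are left as comments so the snippet runs standalone; they assume the beanstalk-client gem’s Pool API, and write_to_filemaker is a hypothetical stand-in for the Ruby FM layer:

```ruby
require 'json'

# Producer side: anything that can emit JSON can enqueue work, which
# keeps the machinery agnostic between the PHP and Ruby sites.
def encode_job(table, fields)
  JSON.generate("table" => table, "fields" => fields)
end

# Worker side: decode a job body back into something the FileMaker
# writer can use.
def decode_job(body)
  data = JSON.parse(body)
  [data.fetch("table"), data.fetch("fields")]
end

# The worker loop itself, roughly (beanstalk-client gem, assumed API):
#   pool = Beanstalk::Pool.new(['localhost:11300'])
#   loop do
#     job = pool.reserve
#     table, fields = decode_job(job.body)
#     write_to_filemaker(table, fields)  # hypothetical Ruby FM API call
#     job.delete  # delete only after a confirmed write, so nothing is lost
#   end
```

Deleting the job only after the FileMaker write succeeds is what covers the “connection could be down” case: an unfinished job goes back on the queue.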

A further benefit of working in beanstalkd is that, based on a quick perusal of the recommended Rails integration, it should be really easy to break Observers out to async code, thus making my Rails apps snappier.

Any advice to the contrary is of course welcome. I’ll try to remember to update y’all on how this turns out.

Custom Flickr Sidebar via Wget, Cron & PHP

The new site launched with a sidebar that shows two random photos from our Flickr account, using their JavaScript widget. This was a great way to get things going, but now we’ve developed slightly more involved needs and I’ve had to come up with a custom solution.

Getting the list of photos

You need a Flickr API key, which is quick & easy to get. Then wget & cron to get ‘em:

    wget --quiet 'http://api.flickr.com/services/rest/?method=flickr.photos.search&api_key=YOUR_API_KEY&user_id=YOUR_USER_ID&tags=website&per_page=500' -O photos.xml

Note that this includes a tags argument. The thing that pushed me to switch the workflow was the desire to be able to upload photos to our Flickr account that don’t necessarily fit into the sidebar format, such as panoramics. To handle this, everything that belongs on the website gets the tag website, and we only fetch those. We’ve also talked about just getting landscape-oriented photos, but haven’t implemented that.

I’m running this daily, which is plenty often to update the available photo list. I believe this gets the newest 500, which seems more than adequate, particularly since we don’t have close to 500 photos yet.

Parsing the list & generating the HTML

PHP5’s SimpleXML is pretty nice – here’s what we’re doing:

    try {
      $xml = new SimpleXMLElement(file_get_contents('photos.xml'));
      $number_of_photos = count($xml->photos->photo);
      $displayed_photos = array();
      array_push(
        $displayed_photos,
        $xml->photos->photo[rand(0, $number_of_photos - 1)]);
      array_push(
        $displayed_photos,
        $xml->photos->photo[rand(0, $number_of_photos - 1)]);
      foreach ($displayed_photos as $photo) { ?>
      <div>
    <?php
        print "<a href=\"http://www.flickr.com/photos/8562013@N07/" .
          $photo['id'] . "\"><img src=\"http://farm" . $photo['farm'] .
          ".static.flickr.com/" . $photo['server'] . "/" . $photo['id'] . "_" .
          $photo['secret'] . "_m.jpg\" alt=\"" . $photo['title'] . "\" /></a>";
    ?>
      </div>
    <?php
      }
    } catch (Exception $e) {
      error_log("flickr badge had some troubles: " .
        $e->getMessage());
    }

This snippet takes my laptop less than 1/20th of a second to run from the command line, which suits me fine. The actual code sits in page.tpl.php.

Flickr’s API docs, in particular the API Explorer, were awful handy in figuring this all out.