Disable/Enable GlobalProtect on OS X

Sometimes I need to download big ISOs or other large files onto my work laptop, but GlobalProtect forces me to do so via the VPN. In order to speed things up and use my local network connection, I need to disable the VPN, but I cannot do so due to restrictions (it asks for a ticket ID).

Anything’s possible in Unix, so here’s how you force it:

If this is against IT policy at your company, don’t blame me ūüôā .

Here’s a script you can use to make this easy to toggle:

Get nameservers from resolv.conf with Ruby

I’m a big user of Chef, but was bummed when I couldn’t find any resolver information in Ohai data. I needed to make some changes to an nginx config to use resolver, but wanted to use the resolver that’s already on the host (since nginx doesn’t inherit that for dynamic backends). Anyway, after a lot of doc reading that led me nowhere, I dug into the source of resolv.rb, and tried about 100 different things until I found something that worked:

This will give you an array of all your nameservers in resolv.conf, like:

In Chef, you can easily iterate over this and use as needed. If you want just the nameservers (without the ports), then you can use:

I hope that helps!

Run multiple ssh commands in parallel with GNU Parallel

Every true sysadmin has been in this predicament — “I need to run this command on a bunch of machines.” The typical approach is to create a for loop, and run the command serially. This works well, but if a) you have tons of hosts, or b) the command takes a while to run on each machine, you may be looking for something a bit more efficient.

Here’s an example that gets a list of hosts using aws-cli, and restarts httpd on them. In your case, update the command and key path as needed.

Elasticsearch cluster administration notes

If a replica shard is in an INITIALIZATION state and the primary shard is healthy, then the shard is being replicated from the primary to the replica. You can use the cat API to get this state:

Now, we have no clue from this view what progress has been made, if any. ¬†On large shards, it may even look like things are frozen. ¬†How do we gain insight into what is happening? ¬†Well, thankfully, there’s a status page which is called like so:


Queue size reached


To increase your queue size, you can add the following to elasticsearch.yml. ¬†Replace “bulk” and “search” with the appropriate thread pool name, along with a reasonable value. ¬†You can find the list of those at¬†http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-threadpool.html .



Installing OpenVZ templates in Proxmox

Promox has built-in support for installing templates, but they’re pretty outdated and not well-maintained. ¬†openvz.org, on the other hand, regularly updates their templates, and has a wide selection to choose from.

In order to make these templates available for use in Proxmox, it’s simple. ¬†Get the links for the templates you’d like from the link above, and download them like:

All of the links were placed together with one wget command, but you could also do a wget for each template.

You will now see the templates in your local storage. ¬†Note that if you use alternate storage (e.g. GlusterFS), you’ll need to update the template path above accordingly.

IMAP Append – Message contains bare newlines

The Cyrus IMAP server (which is used by FastMail, FYI), is pretty picky when it comes to enforcing RFCs.  When performing a recent email migration (from Zoho, which is less picky), I got a boatload of errors along the way.

With each of my messages as individual files (downloaded as “RFC822” in raw IMAP speak), the following cleaned it up:

Although you can use sed as well, the command is not the prettiest due to the way it works with lines.

To be more thorough, this is what I ultimately placed in my PHP-based migration script:


Create multiple Proxmox containers via script

There are times when I need to create a number of OpenVZ containers in Proxmox at once, which would take way too long via the user interface.  There are a number of ways to accomplish this programmatically, but the most straightforward (assuming you have root access) is via  pvectl .

Below is an example script which creates identical containers.  Adjust the container IDs to ones that are available, as well as any other parameters you need.  If you need more advanced options, the man page can be found at https://pve.proxmox.com/wiki/Pvectl_manual .

Your output will be something like:



rsync to multiple hosts in parallel



Enable XHProf for WordPress


You’ll now need to have this module loaded in PHP; this varies depending on which handler you use:

cd into wp-content/plugins

In wp-config.php:

In your admin dashboard, enable “WP XHProf Profiler” from the plugins section.

You will have “Profiler output” links at the very bottom of your page that’ll show you¬†XHProf output.

Migrating from one Chef server to another

It happens — you’re on a server that just can’t be upgraded any further, and you need more resources. ¬†Or, you need to backup a Chef server. ¬†Or, you need to setup a QA instance. ¬†Or, you need to finally migrate from Chef 10 to Chef 11. ¬†Or, you have one of many other possible reasons, but you need to be able to stand up a new Chef instance, and not have to do a ton of work. ¬†If any of that applies to you, then this post is for you.

In the case where you’re migrating from one Chef server to another (i.e., the old one is going bye-bye), it would be very helpful to have your Chef server be CNAMEd (e.g. chef.company.com -> vm101.iad.company.com) or behind a load balancer/proxy where you can change targets easily. ¬†That way, you won’t need to update the client configs, and it’ll be an easy swap. ¬†Everything should “just work” ‚ĄĘ.

First, we’ll make a copy of your knife.rb:

Now, we’ll need to get access to your new Chef server via knife. ¬†You can do so by logging in as admin, and regenerating and saving a new private key. ¬†You can also create a new user here instead of using admin, but I advise against this, as any user you create will conflict with users of the same name from the old server. ¬†Yes, that means that if you’ve been using ‘admin’ as the main user, you may run into problems (but let’s just hope that you’ve been using per-person accounts).

Now, we’ll update your current knife.rb to¬†reflect the new node information in it:

It wouldn’t hurt to check that you have access to the new node by doing a¬† knife user list¬†.

Now, we’ll need to download all of the data from the “old” Chef server. ¬†To do so, we’ll be using the nifty ‘knife backup‘ plugin. ¬†To get it installed on OS X, I did:

Now, to finally back things up, we’ll do:

Note that the argument after -D is the destination directory where all of the Chef data will go; this directory will automatically be created for you. ¬†The argument of -c tells knife which config file to use; we’ll, of course, be using the “old” server here. ¬†Also, if you only need to backup a certain set of data from your Chef server (e.g. only users and environments), you can specify that. ¬†See the knife backup documentation for details.

Now that we have all the data we need, we’ll need to push it up to the new server. ¬†This works much the same as the export:

I left off the -c here because knife.rb is the default config file.

Once everything has been restored, your original user in Chef will now be available (you can verify this via the Chef Server UI).  The amazing thing is that your keys have not changed, and can be used as-is.  Chef Server keeps track of your public keys, so all of your private keys for all nodes/clients are still good.

This, now, is where you update your knife.rb to reflect your original user settings. ¬†If you’re running behind a load balancer/proxy, you can simply use your original config as-is after replacing¬†the old¬†server with the new one. ¬†If you’re doing the CNAME/A record route, you can do the same once DNS has propagated. ¬†Otherwise, you can overwrite your new config with your old one, and edit it to reflect the new server’s URL.

If your nodes are pointing to the wrong server in their client.rb, you can use knife ssh with sed to find/replace the server URLs.

If you’ll be accessing multiple Chef servers frequently enough, I highly recommend looking at the knife block plugin. ¬†That way, you can switch between different configurations with ease, including those for Berkshelf.