git push deploy to docker

I am quite happy with the setup we have now reached for the automated deployment of our server applications. Everyone on the team can now deploy a current version of the applications via Jenkins.

To get there, over the last months we packaged the various existing artifacts (war, jar) into Docker images, created docker-compose configurations for the different installation environments (test, production, internal, …), and finally set up git repositories with hooks that trigger the deployment on a push.

I think I will talk more about this in one of the next podcast episodes of Donau Tech Radio and maybe also write a blog article.

keep ssh-agent for sudo

I am working a lot via ssh on different Linux servers. For authentication on those I always use an ssh key. I am also tunneling my ssh key for git to those servers because I often need to work with git repositories there (containing configuration files for example).

Of course I also need those ssh keys when I am working with sudo, and last week I had to make this work on a new server again. The trick is to add the following line to the /etc/sudoers file:

Defaults env_keep+=SSH_AUTH_SOCK

This keeps the SSH_AUTH_SOCK environment variable around while in the sudo context, so sudo git will work with my credentials.

Requiring a client certificate

If you want to secure your web site you can configure your apache2 server to require a client certificate. You do this by adding the following options to the SSL host configuration:

SSLCACertificateFile /etc/ssl/private/CAcert.pem

SSLVerifyClient require
SSLVerifyDepth 10

To create a client certificate use the following commands:

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr

The created client.csr file has to be signed by your CA with the following command:

openssl x509 -req -days 365 -CA private/CAcert.pem -CAkey private/CAkey.pem -CAcreateserial -in client.csr -out client.crt

To create a PKCS#12 document from the client private key and the signed certificate:

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

The client.p12 file has to be imported into a browser to access your server.
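
The steps above, run non-interactively against a throwaway CA, followed by the checks worth making before client.p12 is handed to a browser. This is an added example, not the author's own script; the CA and client subjects, the 2048-bit key size, the 30-day CA lifetime and the password example-only are constructed values for illustration.

```shell
#!/bin/sh
# Added example: client-certificate procedure against a throwaway CA.
# Subjects, lifetimes and the password are constructed sample values.

# build_client_bundle DIR: creates CA, client key, CSR, signed certificate
# and client.p12 inside DIR. Returns 0 only if every step succeeds.
build_client_bundle() {
    dir=$1
    mkdir -p "$dir/private" || return 1
    (
        cd "$dir" || exit 1
        # Throwaway CA standing in for private/CAcert.pem and private/CAkey.pem.
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Example Test CA" \
            -keyout private/CAkey.pem -out private/CAcert.pem 2>/dev/null || exit 1
        # Client key and CSR; -subj replaces the interactive prompts.
        openssl genrsa -out client.key 2048 2>/dev/null || exit 1
        chmod 600 client.key private/CAkey.pem
        openssl req -new -key client.key -subj "/CN=example-client" \
            -out client.csr || exit 1
        # The CA signs the CSR.
        openssl x509 -req -days 365 -CA private/CAcert.pem \
            -CAkey private/CAkey.pem -CAcreateserial \
            -in client.csr -out client.crt 2>/dev/null || exit 1
        # Bundle key and certificate for import into a browser.
        openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
            -out client.p12 -passout pass:example-only || exit 1
    )
}

# check_client_bundle DIR: returns 0 only if all three checks pass.
check_client_bundle() {
    dir=$1
    # 1. The certificate chains to the CA named in SSLCACertificateFile.
    openssl verify -CAfile "$dir/private/CAcert.pem" "$dir/client.crt" \
        >/dev/null 2>&1 || return 1
    # 2. Certificate and private key belong together (same RSA modulus).
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/client.crt") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$dir/client.key" 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ] || return 1
    # 3. The PKCS#12 file opens with its password and holds the certificate.
    openssl pkcs12 -in "$dir/client.p12" -passin pass:example-only -nokeys \
        2>/dev/null | grep -q 'BEGIN CERTIFICATE' || return 1
}
```

Call build_client_bundle with an empty working directory, then check_client_bundle on the same directory; a non-zero status from the second call means the bundle should not be distributed.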

new debian mail server

Today I finished the setup of my new mail server. Based on the recently released Sarge 3.1 I used the following configuration:

Of course the web interface and the IMAP server are only accessible through a secure connection.

All the packages used for this configuration can be found in the debian repositories and were easy to install with apt-get. The configuration of the components was not too hard, though there were some tricky things (I never thought it could be complicated to get apache2 running in secure mode only – see).

Maybe I’ll write a short HOWTO about it.