West Windsor-Plainsboro Regional School District, New Jersey, Eases Pressure on Students, While Baring an Ethnic Divide between Asian-American and (sic) Americans

New Jersey School District Eases Pressure on Students, Baring an Ethnic Divide; Kyle Spencer; In The New York Times (NYT); 2015-12-25.

tl;dr → Divided by immigration in the proxy of observable regional origin & named by their race, those doing well in the system want more of it; those not succeeding want a different system. School district administrators try to <quote>avoid becoming another Palo Alto</quote>.  The stewards & stakeholders debate the pros & cons, with emotion & emphasis in public spheres as school policy is modified in situ.  Student population & individual behavior, feelings & attitudes are not surveyed; with the understanding that all is compos mentis therein.

Original Sources

Letter to the Community; Dr. David Aderhold; West Windsor-Plainsboro (WW-P) Regional School District; 2015-10 (undated in the text, dated on the filename); 16 pages.

Mentions
  • There will be change.
    The changes are outlined.
  • Core Values
  • Whole Child, Every Child
    <snide>what bright & colorful names!</snide>

    • Whole Child, Every Child!
    • No Student Left Behind!
    • The Race to the Top!
    • Headstart (the grandaddy of them all!)
  • Mission Statement
    <quote>The mission of the WW-P school district is to “develop passionate, confident, lifelong learners.”</quote>
  • Association for Supervision and Curriculum Development (ASCD)
    • Whole Child Initiative
      • started 2007
  • Whole Child Tenets
    large longish sentences with mission statement gravitas, embedding the adjectives:

    • healthy
    • safe
    • engaged
    • supported
    • challenged
  • Six Competencies Framework
    1. Collaborative Team Member
    2. Effective Communicator
    3. Globally Aware, Active, Responsible Student/Citizen
    4. Information Literate Researcher
    5. Innovative and Practical Problem Solver
    6. Self‐Directed Learner.
  • Quoted, cited
    in order of appearance

  • Programs & Practices
    The changes already made, the changes yet to occur.
    selected; see pages 6-15.

    • 1:1 Learning Initiative, uses Chromebooks
      (snippet reading, animations, videos, multiple choice tests; mouse & keyboard work; ho hum)
    • No midterm, final exams; continuous & constant grading.
    • Option II; a State of New Jersey program for credit granted for activities performed outside of school.
  • Argot
    • assessments (grading); somehow different than testing.
    • Basic Skills
    • Common Assessments
    • eduspeak
    • excessive stress
    • external program review
    • parental overrides
    • social-emotional development
    • stakeholders

Mentions

  • <quote>face the prospect of becoming another Palo Alto, Calif., where outsize stress on teenage students is believed to have contributed to two clusters of suicides in the last six years.</quote>, attributed to David Aderhold in verbal statements at a meeting.
  • West Windsor-Plainsboro Regional School District, N.J.
    • is “near” Princeton, N.J. whatever that means in a state the size of New Jersey.
    • <quote>about 10 minutes from Princeton and an hour and a half from New York City</quote>
    • Abbreviation: WW-P
    • Two cities
      • West Windsor
      • Plainsboro
  • <quote>At a packed meeting of the school district’s Board of Education held shortly before the winter break, a middle school cafeteria was filled with parents, with Asian-Americans sitting on one side and white families on the other.</quote>; unclear if Kyle Spencer, the reporter, witnessed this, experienced this, or was told of this by others.

Categorization

Apparently due to the Kyle Spencer, the reporter, and the editorial staff of The New York Times (NYT).

Categories of Persons
  • Asian-American
    euphemism to characterize 0th generation (at least, the parents)

    • Chinese
    • Indian
    • Korean.
  • white (lower case)
    Everyone else.
Evidences
  • <quote>Both Asian-American and white families say the tension between the two groups has grown steadily over the past few years, as the number of Asian families has risen</quote>
  • <quote>The district has become increasingly popular with immigrant families from China, India and Korea. This year, 65 percent of its students are Asian-American, compared with 44 percent in 2007. Many of them are the first in their families born in the United States.</quote>

Who

  • David Aderhold
    • Ed.D.
    • superintendent, West Windsor-Plainsboro (WW-P) Regional School District, NJ.
    • tenure
      • 2.5 years as superintendent
      • 7 in WW-P
  • Catherine Foley
    • parent; son, daughter; ages circa elementary school, middle school.
    • former president, Parent Teacher Student Association (PTA)
  • Mike Jia
    • <quote>Asian-American professional</quote>; cited as exemplar of the genre.
    • parent, no further details.
    • moved to WW-P after 2005.
  • Helen Yin
    • (represented as) Chinese; i.e. born in Chengdu, CN
    • a parent; kindergarten, 8th grade
    • something about “pursuing” a masters degree in chemistry
      [still working on it?  she didn't finish it & has abandoned the quest?]
  • Karen Sue
    • (represented as) Chinese-American; i.e. born in the U.S.
    • parent; 5th, 8th graders

Quoted

Not Interviewed

  • David Aderhold
    lots of quotes about what he has said in public fora; but (apparently?) he was not actually interviewed for the piece; nor were any school district press relations personnel at all.

Referenced

Actualities

Via: backfill.

Notes on the Operation of Kerberos: Increasing Ticket Lifetime (beyond the default)

Following

Ticket Lifetime

The ticket lifetime is the minimum of the following values:

  • max_life in kdc.conf on the KDC.
  • ticket_lifetime in krb5.conf on the client.
  • maxlife for the user principal user/REALM@REALM.
  • maxlife for the service principal krbtgt/REALM@REALM.
  • requested lifetime in the ticket request.
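As an added illustration of that minimum-of-all-limits rule (this is not the author's code), the following Python parses the duration forms seen on this page, pulls the limits out of `getprinc` output, and reports which knob actually caps the ticket. The kdc.conf values used in `page_scenario()` are assumptions, since kdc.conf is not shown here.

```python
import re

# Seconds per unit for the duration syntax of krb5.conf, kdc.conf and kadmin
# ("24h", "7d", "125hour", "750hour", "1d 12h").
UNIT_SECONDS = {
    "s": 1, "sec": 1, "second": 1, "seconds": 1, "m": 60, "min": 60,
    "minute": 60, "minutes": 60, "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400, "w": 604800, "week": 604800,
}


def parse_duration(text):
    """Convert a krb5 duration to seconds.

    Accepts the getprinc display form ("5 days 05:00:00"), plain "HH:MM:SS",
    a bare number of seconds and unit-suffixed forms ("24h", "1d 12h").
    """
    text = text.strip()
    m = re.fullmatch(r"(?:(\d+)\s+days?\s+)?(\d+):(\d+):(\d+)", text)
    if m:
        days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
        return days * 86400 + hours * 3600 + minutes * 60 + seconds
    if text.isdigit():
        return int(text)
    if not re.fullmatch(r"(?:\d+\s*[A-Za-z]+\s*)+", text):
        raise ValueError("unrecognised krb5 duration: %r" % text)
    total = 0
    for number, unit in re.findall(r"(\d+)\s*([A-Za-z]+)", text):
        if unit.lower() not in UNIT_SECONDS:
            raise ValueError("unknown duration unit %r in %r" % (unit, text))
        total += int(number) * UNIT_SECONDS[unit.lower()]
    return total


def parse_getprinc(output):
    """Pull the two lifetime limits out of `kadmin: getprinc <principal>` output."""
    limits = {}
    for line in output.splitlines():
        if line.startswith("Maximum ticket life:"):
            limits["maxlife"] = parse_duration(line.split(":", 1)[1])
        elif line.startswith("Maximum renewable life:"):
            limits["maxrenewlife"] = parse_duration(line.split(":", 1)[1])
    return limits


# The five knobs, in the page's order, for the ticket life and the renewable life.
KNOBS = {
    False: ("kdc.conf max_life", "krb5.conf ticket_lifetime",
            "user principal maxlife", "krbtgt principal maxlife",
            "requested lifetime"),
    True: ("kdc.conf max_renewable_life", "krb5.conf renew_lifetime",
           "user principal maxrenewlife", "krbtgt principal maxrenewlife",
           "requested renewable lifetime"),
}


def effective_life(kdc, client, user, tgt, requested=None, renewable=False):
    """Return (seconds the ticket actually gets, names of every knob imposing it).

    None means a knob is not configured (the KDC default applies) and is
    skipped.  With renewable=True a result of 0 means "not renewable".
    """
    limits = dict(zip(KNOBS[renewable], (kdc, client, user, tgt, requested)))
    present = {name: secs for name, secs in limits.items() if secs is not None}
    low = min(present.values())
    return low, sorted(name for name, secs in present.items() if secs == low)


# Constructed sample input, trimmed to the relevant getprinc lines: the user
# principal at its defaults, krbtgt after `modprinc -maxlife 125hour
# -maxrenewlife 750hour`.
USER_GETPRINC = """\
Principal: wbaker@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
"""
TGT_GETPRINC = """\
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Maximum ticket life: 5 days 05:00:00
Maximum renewable life: 31 days 06:00:00
"""


def page_scenario():
    """Raise only the krbtgt limits and see which knobs still win.

    kdc.conf max_life=24h and max_renewable_life=7d are assumed (the page does
    not show kdc.conf); the krb5.conf values are the specimen's 24h and 7d.
    """
    user, tgt = parse_getprinc(USER_GETPRINC), parse_getprinc(TGT_GETPRINC)
    life = effective_life(parse_duration("24h"), parse_duration("24h"),
                          user["maxlife"], tgt["maxlife"])
    renew = effective_life(parse_duration("7d"), parse_duration("7d"),
                           user["maxrenewlife"], tgt["maxrenewlife"],
                           renewable=True)
    return life, renew
```

Raising the krbtgt principal alone leaves the ticket at one day and still not renewable: the user principal's `maxlife`/`maxrenewlife` and the client's `ticket_lifetime` have to move too.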

Actualities

There is no indication whether a principal is renewable or not. You just have to “know.”

$ kadmin -p wbaker/admin
Couldn't open log file /var/log/kadmind.log: Permission denied
Authenticating as principal wbaker/admin with password.
Password for wbaker/admin@EXAMPLE.COM: 

kadmin:  getprinc wbaker
Principal: wbaker@EXAMPLE.COM
Expiration date: [never]
Last password change: Sun Nov 29 12:40:11 PST 2015
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Sun Nov 29 12:40:11 PST 2015 (wbaker/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, camellia256-cts-cmac, no salt
Key: vno 1, camellia128-cts-cmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: [none]

kadmin:  modprinc +allow_renewable wbaker

kadmin:  getprinc krbtgt/EXAMPLE.COM
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Sat Nov 28 18:05:08 PST 2015 (db_creation@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 9
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, camellia256-cts-cmac, no salt
Key: vno 1, camellia128-cts-cmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
Key: vno 1, des-cbc-crc, no salt
MKey: vno 1
Attributes:
Policy: [none]

modprinc -maxlife 125hour -maxrenewlife 750hour  krbtgt/EXAMPLE.COM
modprinc +allow_renewable  krbtgt/EXAMPLE.COM

kadmin:  getprinc krbtgt/EMERSON.BAKER.ORG
Principal: krbtgt/EMERSON.BAKER.ORG@EMERSON.BAKER.ORG
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 5 days 05:00:00
Maximum renewable life: 31 days 06:00:00
Last modified: Sun Dec 20 19:17:29 PST 2015 (wbaker/admin@EMERSON.BAKER.ORG)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 9
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, camellia256-cts-cmac, no salt
Key: vno 1, camellia128-cts-cmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
Key: vno 1, des-cbc-crc, no salt
MKey: vno 1
Attributes:
Policy: [none]

Folklore

The krb5-auth-dialog for GNOME

Configuration

Seems pretty self-configuring, within the limitations

  • Launch on logon … a GNOME dialog somewhere (not on the Settings center)
    gnome-session-properties

Folklore

Packages

$ rpm -q krb5-auth-dialog
krb5-auth-dialog-3.14.0-1.fc21.x86_64
$ rpm -q krb5-auth-dialog
krb5-auth-dialog-3.2.1-7.fc20.x86_64
$ rpm -q krb5-auth-dialog
krb5-auth-dialog-3.2.1-7.fc19.x86_64

Actualities


Also: problems with the certificate on honk.sigxcpu.org are noted.

honk.sigxcpu.org | This Connection is Untrusted

Nothing says “The Web is Misconfigured” quite like a low-level security protocol failure notice from a free software distribution shop: krb5-auth-dialog



Explanation

The Certificate Authority is CAcert

  • Which is not trusted by Firefox
    • for a variety of historical reasons
  • At least because
    • the root certificate uses MD5 (md5WithRSAEncryption)
    • whereas the host certificate signed by that issuer uses SHA-2 (sha256WithRSAEncryption)

Remediation

If you want to install the CAcert Root Certificate … it’s work, and risky, with the MD5 on the root, and all.

Actualities

$ openssl s_client -showcerts -connect honk.sigxcpu.org:443
CONNECTED(00000003)
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=honk.sigxcpu.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
 1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
Server certificate
subject=/CN=honk.sigxcpu.org
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
No client certificate CA names sent
---
SSL handshake has read 4465 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 25CE690DDD33CB1CA47F3860484C79E5F16173F2564D640552E16D907E1DF86E
    Session-ID-ctx: 
    Master-Key: CFCD36C29D1004673F807021C06253D418BB213E62E45D48DA71BF7C07B8899EFEF0A677D328E8A180C9D607F9DE8B7F
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1451065956
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed

$ openssl x509 -in cacert_root.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: Mar 30 12:29:49 2003 GMT
            Not After : Mar 29 12:29:49 2033 GMT
        Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
            X509v3 Authority Key Identifier: 
                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
                DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
                serial:00

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:https://www.cacert.org/revoke.crl

            Netscape CA Revocation Url: 

https://www.cacert.org/revoke.crl

            Netscape CA Policy Url: 

http://www.cacert.org/index.php?id=10

            Netscape Comment: 
                To get your own certificate for FREE head over to http://www.cacert.org
    Signature Algorithm: md5WithRSAEncryption
wbaker:wbaker@vast [wbaker wheel users mock bakers source yahoo bakerfamily cameras android] [l2 u0002 ssh] [F19 Schrödingers_Cat]
~/sandbox/cacert.org
$ openssl x509 -in honk.sigxcpu.org_host.crt  -CA cacert_root.crt -noout -text
Getting CA Private Key
unable to load CA Private Key
139828100306848:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
wbaker:wbaker@vast [wbaker wheel users mock bakers source yahoo bakerfamily cameras android] [l2 u0002 ssh] [F19 Schrödingers_Cat]
~/sandbox/cacert.org
$ openssl x509 -in honk.sigxcpu.org_host.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1015545 (0xf7ef9)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: Sep  4 18:45:22 2014 GMT
            Not After : Sep  3 18:45:22 2016 GMT
        Subject: CN=honk.sigxcpu.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access: 
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name: 
                DNS:honk.sigxcpu.org, othername:<unsupported>, DNS:honk6.sigxcpu.org, othername:<unsupported>, DNS:www.sigxcpu.org, othername:<unsupported>, DNS:sigxcpu.org, othername:<unsupported>, DNS:honk.dyn.sigxcpu.org, othername:<unsupported>, DNS:hupe.sigxcpu.org, othername:<unsupported>, DNS:imap.sigxcpu.org, othername:<unsupported>, DNS:smtp.sigxcpu.org, othername:<unsupported>, DNS:git.sigxcpu.org, othername:<unsupported>, DNS:wiki.sigxcpu.org, othername:<unsupported>, DNS:caldav.sigxcpu.org, othername:<unsupported>, DNS:carddav.sigxcpu.org, othername:<unsupported>, DNS:lists.sigxcpu.org, othername:<unsupported>
    Signature Algorithm: sha256WithRSAEncryption

Continued, refined & summarized: Bringing up Kerberized NFSv4 on Fedora 16 through Fedora 23

Finally from

Recipe

On client.example.com

  • Establish /etc/krb5.conf with the appropriate default realm and realm-to-DNS associations
    • sudo mv /etc/krb5.conf /etc/krb5.conf.orig
    • sudo install -m 444 krb5.conf /etc/.
  • sudo kadmin -p wbaker/admin
    This will ask for the administrative principal’s password
    The sudo is required because you’ll be writing into /etc/krb5.keytab

    • Host Principals
      typically you’ll need multiple principals for all the aliases to the host

      • Create the new host principals for the client hostname, all possible names
        addprinc -randkey host/client.example.com@EXAMPLE.COM
        addprinc -randkey host/interface.client.example.com@EXAMPLE.COM
      • Add the new host principals to the system keytab on the host
        ktadd host/client.example.com
        ktadd host/interface.client.example.com
    • NFS Principal
      typically only one principal is needed

      • Create the new NFS principal for the client hostname
        addprinc -randkey nfs/interface.client.example.com@EXAMPLE.COM
      • Add the new NFS principal to the system keytab on the host
        ktadd nfs/interface.client.example.com
  • If you are on “older” Fedora, then see the subrecipe for deleting the keytab entries pertaining to unusable encryption algorithms See SOLVED
    • Fix up /etc/krb5.keytab, removing the unusable algorithms
      • sudo ktutil
        • Read rkt /etc/krb5.keytab
        • Use list to show the available algorithms
        • Use list -e to exhibit the unsupported algorithms
          the command will abort/crash/stop-abruptly upon encountering an unsupported algorithm (number).  Delete that entry. Rinse.  Repeat.
        • Use delent to remove the entries with unusable encryption algorithms
        • Write wkt /etc/krb5.NEWtab to a new file
          Be sure to write the updated keytab to a NEW file and move that into place; do not attempt to update the existing keytab (there is no update/overwrite operation in wkt).
      • sudo mv /etc/krb5.NEWtab /etc/krb5.keytab
    • Ensure that /etc/idmapd.conf has the relevant entries:
      • Domain
        e.g. Domain = DEPARTMENT.EXAMPLE.COM
      • Local-Realms (may need to be a comma-list)
        e.g. Local-Realms = DEPARTMENT.EXAMPLE.COM,EXAMPLE.COM
  • Enable and start the Secure NFS client service:
    systemctl enable nfs-secure.service
    systemctl start nfs-secure.service
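The ktutil subrecipe above is easy to get wrong by hand, because ktutil renumbers the remaining slots after every delent. As an added helper (not from the page or from MIT Kerberos), this Python reads the output of `list` and of `list -e`, including a `list -e` that stopped short at an entry libkrb5 could not name, and emits the delent commands for one pass in descending slot order. The set of usable enctypes and the sample listings are constructed assumptions.

```python
import re

# One entry of `ktutil: list` ("slot KVNO Principal") or `ktutil: list -e`
# (the same, followed by the enctype in parentheses).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)(?:\s+\((.+?)\))?\s*$")


def parse_listing(output):
    """Parse ktutil list output into {slot: (kvno, principal, enctype or None)}."""
    entries = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            slot, kvno, principal, enctype = m.groups()
            entries[int(slot)] = (int(kvno), principal, enctype)
    return entries


def plan_delent(list_output, list_e_output, supported):
    """Decide which slots one ktutil pass should delete.

    Returns (slots in descending order, truncated).  Descending because ktutil
    renumbers the remaining slots after every delent, so deleting from the top
    keeps the lower numbers valid.  `truncated` is True when `list -e` stopped
    before naming every slot: the first unnamed slot is the entry libkrb5 could
    not handle, it is queued for deletion, and another pass over the new keytab
    is needed afterwards (the page's "rinse, repeat").
    """
    slots = sorted(parse_listing(list_output))
    named = parse_listing(list_e_output)
    doomed, truncated = [], False
    for slot in slots:
        if slot not in named or named[slot][2] is None:
            doomed.append(slot)
            truncated = True
            break
        if named[slot][2] not in supported:
            doomed.append(slot)
    return sorted(doomed, reverse=True), truncated


def ktutil_script(keytab, new_keytab, slots):
    """ktutil commands for one pass; the result goes to a NEW file, as the page insists."""
    lines = ["rkt %s" % keytab]
    lines += ["delent %d" % slot for slot in slots]
    lines += ["wkt %s" % new_keytab, "quit"]
    return "\n".join(lines)


# Enctypes assumed usable on the "older" Fedora client (an assumption: check
# the kernel's rpcsec_gss and libkrb5 on the host in question).
SUPPORTED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
             "des3-cbc-sha1", "arcfour-hmac"}

# Constructed sample listings (not captured from a real host).  `list` names
# every slot; this `list -e` stopped after slot 4, at the first camellia key.
LIST_OUTPUT = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/client.example.com@EXAMPLE.COM
   2    2 host/client.example.com@EXAMPLE.COM
   3    2 host/client.example.com@EXAMPLE.COM
   4    2 host/client.example.com@EXAMPLE.COM
   5    2 host/client.example.com@EXAMPLE.COM
   6    2 host/client.example.com@EXAMPLE.COM
   7    2 nfs/client.example.com@EXAMPLE.COM
   8    2 nfs/client.example.com@EXAMPLE.COM
"""
LIST_E_TRUNCATED = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2    2 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3    2 host/client.example.com@EXAMPLE.COM (des3-cbc-sha1)
   4    2 host/client.example.com@EXAMPLE.COM (arcfour-hmac)
"""
# The same keytab listed by a libkrb5 that can at least name every enctype.
LIST_E_COMPLETE = LIST_E_TRUNCATED + """\
   5    2 host/client.example.com@EXAMPLE.COM (camellia256-cts-cmac)
   6    2 host/client.example.com@EXAMPLE.COM (camellia128-cts-cmac)
   7    2 nfs/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   8    2 nfs/client.example.com@EXAMPLE.COM (des-cbc-crc)
"""
```

Feed the returned script to `sudo ktutil` and then `mv` the new file into place, as in the recipe; repeat until `plan_delent` reports `truncated == False` and an empty slot list.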

On server.example.com

  • Kerberos Configuration
    • Create /etc/krb5.conf, as above
  • Kerberos Principals
    • Create the host principal keys, as above.
    • If necessary, remove unsupported algorithms, as above.
  • Enable and start the Secure NFS services (client and server)
    systemctl enable nfs-secure.service nfs-secure-server.service
    systemctl start nfs-secure-server.service
  • Exporting volumes in /etc/exports
    Export the relevant volumes with appropriate security scheme

    • sec=sys (avoid)
    • sec=krb5
    • sec=krb5i
    • sec=krb5p (use)

Specimen krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 # kdc = FILE:/var/log/krb5kdc.log
 # admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
}

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

References

Suzan Russaw is Dispossessed in the Land of Dreams, which is Palo Alto | The New Republic

Dispossessed in the Land of Dreams; Monica Potts; In The New Republic; 2015-12-13.
Teaser: Those left behind by Silicon Valley’s technology boom struggle to stay in the place they call home.
Monica Potts is a fellow with the New America Asset Building program.

Monica Potts is a writer based in Washington, D.C., and a fellow with the New America Foundation Asset Building Program. She writes about a variety of subjects, including poverty, politics, and culture. Her work has appeared in The American Prospect, New York magazine, Vogue.com, The New York Times, The Daily Beast, The Trace, and Democracy: A Journal of Ideas. She is also a PostBourgie alum.

tl;dr → Suzan Russaw now has an apartment for “a year” commencing circa 2015-11.
tl;dr → Beltway reporter breezes into town, weaves a discursive tale alternating between one person’s heartwrenching slow-moving personal disaster and small-town aspirations towards cuddly remediation, intractable government social policy & reality. Eats, shoots, leaves. Dripping with the sanctimony of the age, and with helpful animated interactive HTML5 maps of the area for the East Coast audience who won’t understand what “east side of the city” means.  Map oriented against the mute totemic icons for the campuses of Google, Microsoft, Stanford.  Conflates San Francisco, Palo Alto, East Palo Alto.  Most source materials are 2013-2014; television, newspaper articles & City Council minutes & staff reports.

Mentions

Quoted

  • Emily Farber, social worker
    • at an unspecified senior citizens center in Palo Alto
    • Supports Suzan Russaw
  • Julia Lang
    • social worker
    • supporting Suzan Russaw
  • Steve Levy, director of the Center for Continuing Study of the California Economy in Palo Alto.
  • Hope Nakamura
    • a legal aid attorney
    • lives in Palo Alto.
  • Nick Selby

Exemplar

  • Suzan Russaw, James Russaw, a married couple
    • James Russaw died 2014-02-17.
  • Suzan Russaw
    • Circa 2015-08?
    • Pays $810 a month, the amount determined to be affordable for her income.
    • The amount $1,100/month equals 80 percent of her income from [her] trust and her widow’s benefits from Social Security.
  • Wishes to live in Palo Alto.
    Does not wish to live elsewhere where it is “too bland, charming, suburban”
    <quote>The only downside for Suzan was that it was in Santa Clara, another charmingly bland suburban enclave in the South Bay, a half hour south of Palo Alto and a world away for Suzan. “It’s out of my comfort zone, but that’s OK!” Suzan Russaw told [Monica Potts].</quote>

Biography

<quote>

Suzan was born in 1945. Her father worked at what was then the Lockheed Corporation, and her mother had been raised by a wealthy family in Oak Park, Illinois. Her family called her Suzi. Though she grew up in nearby Saratoga—and spent some time in school in Switzerland—she distinctly remembers coming with her mother to visit Palo Alto, with its downtown theaters and streets named after poets. Palo Alto more than any other place formed the landscape of her childhood. “It was a little artsy-craftsy university town—you find charming towns are university towns.”
Like many women of her day, Suzan didn’t graduate from college. When she was 24, after her last stay in Switzerland, she moved to Mountain View, the town on Palo Alto’s eastern border that is now home to Google and LinkedIn. She was living off a small trust her family had set up for her when she met James at a barbecue their apartment manager threw to foster neighborliness among his tenants. James had grown up in a sharecropping family in Georgia, moved west during World War II, and was more than 17 years her senior, handsome and gentlemanly. Suzan thought: “I can learn something from him.” They were an interracial couple in the late 1960s, which was unusual, though she says her family didn’t mind. It was also an interclass marriage, and it moved Suzan down the income ladder.
For years, James and Suzan lived together, unmarried. They bought a house on University Avenue, just north of the county line and blocks from downtown Palo Alto, in 1979, and four years later had their only daughter, Nancy. It was the area’s ghetto, and the only source of affordable housing for many years. It was also the center of violence in the region, and, in 1992, was the murder capital of the country.
They never had much money. For most of their marriage, James ran a small recycling company and Suzan acted as his bookkeeper, secretary, and housewife. They refused to apply for most government assistance, even as homeless elders. “My husband and I had never been on welfare or food stamps,” she told me. “Even to this day.”

</quote>

General

Demographics

  • Palo Alto (city), California; QuickFacts; At the United States Census Bureau, revised continually, last updated 2015-12-02.
    • Data from various sources.
    • People QuickFacts, median household income, 2009-2013
      • Palo Alto: $121,465
      • California: $61,094
    • Used as the source for the statement (n.b. the QuickFacts figure is median household income, not per capita income)
      <quote> In part, that’s because Palo Alto, a technology boomtown that boasts a per capita income well over twice the average for California, has almost no shelter space:</quote>

Legal

Cultural

  • Frederick Jackson Turner; Frontier Thesis, a speech at the Chicago World’s Fair, 1893-07-12.
    • quoted from a guide published in 1837 for migrants headed for the Western frontiers of Ohio, Indiana, and Wisconsin:
      “Another wave rolls on. The men of capital and enterprise come. The ‘settler’ is ready to sell out and take the advantage of the rise of property, push farther into the interior, and become himself a man of capital and enterprise in turn.”
    • Turner wrote: “The American energy will continually demand a wider field for its exercise. But never again will such gifts of free land offer themselves.”

Referenced

In archaeological order, more recent works on top, older works below.

2015

2014

2013

Undated

[SOLVED] Continuing the Bringup of Kerberized NFSv4 on Fedora 16 through Fedora 23

Continued from bringing up Kerberized NFSv4 on Fedora 16 through Fedora 23
Onward as continued, refined & summarized.

tl;dr

  • To make Fedora 17 clients “work,” one must remove nfs host keys encrypted with
    • camellia128-cts-cmac
    • camellia256-cts-cmac
  • To make Fedora 18 servers “work,” one must remove nfs host keys encrypted with
    • camellia128-cts-cmac
    • camellia256-cts-cmac

Also

  • Ensure that /etc/idmapd.conf has appropriate definitions for
    • Domain = the DNS domain of the NFS client’s address
    • Local-Realms = the Domain plus any sibling or ancestor realms, as a comma-separated list

Configuration

Release    Packages
Fedora 16  krb5-libs-1.9.4-3.fc16.i686
           krb5-workstation-1.9.4-3.fc16.i686
           nfs-utils-1.2.5-8.fc16.i686
Fedora 17  krb5-libs-1.10.2-6.fc17.i686
           krb5-workstation-1.10.2-6.fc17.i686
           nfs-utils-1.2.6-5.fc17.i686
Fedora 18  krb5-libs-1.10.3-17.fc18.i686
           krb5-workstation-1.10.3-17.fc18.i686
           nfs-utils-1.2.7-6.fc18.i686
Fedora 19  krb5-libs-1.11.3-24.fc19.x86_64
           krb5-workstation-1.11.3-24.fc19.x86_64
           nfs-utils-1.2.8-6.3.fc19.x86_64
Fedora 20  krb5-libs-1.11.5-19.fc20.x86_64
           krb5-workstation-1.11.5-19.fc20.x86_64
           nfs-utils-1.3.0-2.4.fc20.x86_64
Fedora 21  krb5-libs-1.12.2-15.fc21.x86_64
           krb5-workstation-1.12.2-15.fc21.x86_64
           nfs-utils-1.3.1-6.3.fc21.x86_64
Fedora 22  krb5-libs-1.13.1-3.fc22.x86_64
           nfs-utils (some version)
Fedora 23  krb5-libs-1.13.2-13.fc23.x86_64
           krb5-workstation-1.13.2-13.fc23.x86_64
           nfs-utils-1.3.3-1.rc1.fc23.x86_64

References

Configuration

The following definitions are quoted from the MIT Kerberos documentation on encryption types (krb5.conf [libdefaults] settings).

allow_weak_crypto
defaults to false starting with krb5-1.8. When false, removes single-DES enctypes (and other weak enctypes) from permitted_enctypes, default_tkt_enctypes, and default_tgs_enctypes. Do not set this to true unless the use of weak enctypes is an acceptable risk for your environment and the weak enctypes are required for backward compatibility.
permitted_enctypes
controls the set of enctypes that a service will accept as session keys.
default_tkt_enctypes
controls the default set of enctypes that the Kerberos client library requests when making an AS-REQ. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded.
default_tgs_enctypes
controls the default set of enctypes that the Kerberos client library requests when making a TGS-REQ. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded.

The following per-realm setting in kdc.conf affects the generation of long-term keys.

supported_enctypes
controls the default set of enctype-salttype pairs that kadmind will use for generating long-term keys, either randomly or from passwords.
enctype                    weak?    krb5
des-cbc-crc                weak     all
des-cbc-md4                weak     all
des-cbc-md5                weak     all
des3-cbc-sha1              notyet   >=1.1
arcfour-hmac               notyet   >=1.3
arcfour-hmac-exp           weak     >=1.3
aes128-cts-hmac-sha1-96    notyet   >=1.3
aes256-cts-hmac-sha1-96    notyet   >=1.3
camellia128-cts-cmac       notyet   >=1.9
camellia256-cts-cmac       notyet   >=1.9

The Changing Digital Landscape: Where Things are Heading | Pew Research Center


The Changing Digital Landscape: Where Things are Heading; (Pew Research Center); Presented at Tencent Media Summit, Beijing, China; 2015-11-12; 36 slides.

Contents

  • Three (3) digital revolutions have changed the news
  • State of the digital news media 2015
  • Six (6) impacts on news and the media
  • Five (5) trends for the future

Mentions

Three (3) digital revolutions have changed the news

  1. Internet
  2. Mobile Connectivity
  3. Social Networking / Social Media

State of the digital news media 2015

  • ABC & CBS improved in 2014
  • NBC declined in 2014
  • Mobile crossover occurred
  • Digital Advertising grows
  • Mobile (Digital) Advertising grows
  • Digital News uses display (banner) advertisements
  • Video Advertising grows
  • 61% of (digital advertising) revenue, industry-wide, accrues to five companies
    1. Google
    2. Facebook
    3. Microsoft
    4. Yahoo
    5. AOL
  • Facebook leads mobile revenue

Six (6) impacts on news and the media

  1. Mobile majority, factoids recited
  2. Mobile and Social Go Together, trendoids are recited
  3. Facebook Now Rivals Legacy News Sources (TV, national & local)
  4. There are Clear Generational Divides
    • Millennials (age 18-34) → Facebook over Local TV
    • Generation X → not shown
    • Baby Boomers (age 51-68) → Local TV over Facebook
  5. Digital Video and Radio News on the Rise.
  6. Consumers are a Part of the Process
    • User-Generated Content (UGC)
    • The Internet is defined as
      • one-to-one
      • many-to-many
      • [not one-to-many; broadcasts, portals, "the" home page]

Five (5) trends for the future

The Internet of Things (IoT) of 2025 is the 4th Revolution

  1. Screens and data will be almost everywhere
    • Lots of screens → All Ads, All The Time & on Every Available Surface
    • All Audiences are Measured
  2. Augmented reality will bring media and data into real life
    • location awareness
    • Selling Opportunities, Always Be Selling.
    • Privacy will be gone
  3. Virtual reality will become immersive and compelling
    • Product Placement → All Ads, All The Time & on Every Available Surface
    • Personalized
    • Distractions
  4. Alerts will become pervasive and people will regulate their media streams more aggressively
    • Stress → Fear Of Missing Out (FOMO)
    • Expect aggressive management of alerts (mod way down; high bar to disturb the consumer)
  5. Smart agents and machines enabled by “artificial intelligence” will work alongside people as their assistants and “media concierges”
    • the robots will be self-aware
    • they will be actually useful & actionable, not an IT headache

Via: backfill.

Juniper’s ScreenOS source code base was hacked, backdoors were installed, code was deployed everywhere, for years

Important Announcement about ScreenOS®; Bob Worrall (Juniper); 2015-12-17.
Bob Worrall is Senior Vice President & Chief Information Officer, Juniper.

<quote>During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen® devices and to decrypt VPN connections. Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.</quote>

Mentions

  • patches
  • Affected
    • ScreenOS 6.2.0r15 through 6.2.0r18
      released “in” 2008.
    • ScreenOS 6.3.0r12 through 6.3.0r20.
      released “in” 2009.
  • Not Affected (per Juniper)
    • SRX
    • Junos
  • Effect
    • Remote administrator access
      • SSH
      • Telnet
    • VPN decryption; the announcement says only that a knowledgeable attacker could “decrypt VPN connections,” not how

Folklore

  • In place since 2012.
    • source: a tweet
  • The compromise in place since 2008.
    • source: The Register, speculation.

Promotions

in archaeological order; derivative effluent on top, more original work below.

Via: backfill.

Actualities

Philips Closes Down the Hue IoT Ecosystem – No More 3rd Party Hardware

Recommendation:

Avoid

Friends of Hue – Update; Hue Developer Program, Philips.

<quote>As part of this program, last week, we started deployment of the 1.11 software for both versions of the Philips Hue bridge (version 01029624). Alongside big feature updates to our group and scene APIs (which you can read about here <snip/>) we introduced a change which stops untested products being able to join the Philips Hue bridge.</quote>

Does Philips block bulbs of other manufacturers since the latest firmware update?; Hue Developer Program, Philips.
Mentions

Promotions

In archaeological order, derivatives on top, more original opinements below.

Vendors

Blocked: at least

  • Cree
  • General Electric (GE)
  • Osram

Products

Lockin: at least

  • Bloom
  • Friends of Hue
  • Hue
  • LightStrips

Previously

Via: backfill.

Actualities

Bringing up Kerberized NFSv4 on Fedora 16 through Fedora 23

Onward as Continuing the Bringup of Kerberized NFSv4 on Fedora 16 through Fedora 23.

tl;dr

  • Works with limitations (but see SOLVED in the continuation);
    the success recipe seems to require
    • krb5-workstation-1.11 or later.
    • nfs-utils-1.3 or later.
  • NFS server; workable Fedora 18-21 (Fedora 22 & Fedora 23 → unclear; since SOLVED).
  • NFS client; prior to Fedora 20 → Does. Not. Work. (versionitis); since SOLVED.
Release    Packages                                Server                   Client
                                                   mount     idmap          mount         idmap
Fedora 16  krb5-libs-1.9.4-3.fc16.i686             Unknown   Unknown        FAIL→SOLVED   FAIL→SOLVED
           krb5-workstation-1.9.4-3.fc16.i686
           nfs-utils-1.2.5-8.fc16.i686
Fedora 17  krb5-libs-1.10.2-6.fc17.i686            Unknown   Unknown        FAIL→SOLVED   FAIL→SOLVED
           krb5-workstation-1.10.2-6.fc17.i686
           nfs-utils-1.2.6-5.fc17.i686
Fedora 18  krb5-libs-1.10.3-17.fc18.i686           Success   FAIL→SOLVED    FAIL→SOLVED   FAIL→SOLVED
           krb5-workstation-1.10.3-17.fc18.i686
           nfs-utils-1.2.7-6.fc18.i686
Fedora 19  krb5-libs-1.11.3-24.fc19.x86_64         Success   Success        Success       FAIL→SOLVED
           krb5-workstation-1.11.3-24.fc19.x86_64
           nfs-utils-1.2.8-6.3.fc19.x86_64
Fedora 20  krb5-libs-1.11.5-19.fc20.x86_64         Success   Success        Success       Success
           krb5-workstation-1.11.5-19.fc20.x86_64
           nfs-utils-1.3.0-2.4.fc20.x86_64
Fedora 21  krb5-libs-1.12.2-15.fc21.x86_64         Unknown   Unknown        Success       Success
           krb5-workstation-1.12.2-15.fc21.x86_64
           nfs-utils-1.3.1-6.3.fc21.x86_64
Fedora 22  Unknown                                 Unknown   Unknown        Unknown       Unknown
Fedora 23  krb5-libs-1.13.2-13.fc23.x86_64         Unknown   Unknown        Success       Success
           krb5-workstation-1.13.2-13.fc23.x86_64
           nfs-utils-1.3.3-1.rc1.fc23.x86_64

FAIL→SOLVED: failed at the time of writing, resolved in the continuation.

Maybe

It could be that there is still some ill-understood iptables, ip6tables, firewalld, idmapd or other configuration that’s needed. There’s a lot of moving parts here and the default values may not be sufficient to make the system work. Most underlying error conditions surface only as something generic; e.g.

  • graceful fallback to sub-optimal operation; e.g. all_squash to nfsnobody
  • Permission denied.
  • Operation not permitted.
  • I/O Error.

Expectations

  • Fedora 19 or beyond
    kernel 3.10 seems to be a dividing line for gssproxy
  • Kerberos Key Distribution Center (KDC) Server
    defined and available on the LAN somewhere
  • NFSv4
  • Use sec=krb5p NFS exports & mounts
  • Kerberos service principals for
    • all NFS servers must authenticate to the NFS clients & Users.
      Use ktadd to establish /etc/krb5.keytab
    • all NFS client hosts must authenticate to the NFS server
      Use ktadd to establish /etc/krb5.keytab
    • all Users must authenticate to the NFS server prior to use of the NFS-served volumes.
      Via:

      • Kerberized login
      • Manual kinit; see below.

Amplification

Not otherwise stated in the documentation,
e.g. for remote ssh sessions which do not have access to the main credential repository:

  • all NFS servers must authenticate to the NFS clients & Users.
    Use ktadd to establish /etc/krb5.keytab
  • all NFS client hosts must authenticate to the NFS server
    Use ktadd to establish /etc/krb5.keytab
  • all Users must authenticate to the NFS server prior to use of the NFS-served volumes.

So, to access NFS, the user must have a Kerberos ticket; headless users require special treatment.

GOTCHA!

WATCHOUT – there are version-level incompatibilities between nearby versions that make Kerberos very, very brittle; whereas the validity lifetime of encryption and message-digest algorithms is but a few years, the deployment lifetime of these Fedora systems is measured in (half-)decades. The current theory is that this has to do with the encryption types present in /etc/krb5.conf and in the keytabs (see SOLVED in the continuation). For example the following “won’t work.”

  • mounting a Fedora 18 server from a Fedora 21 client via a Fedora 23 KDC.
  • mounting a Fedora 18 server from a Fedora 18 client via a Fedora 23 KDC.
  • mounting a Fedora 20 server from a Fedora 16 client via a Fedora 23 KDC.

Each fails in its own unique way; very buggy.

Success

  • mounting Fedora 18 server from a Fedora 20 client via a Fedora 23 KDC.
  • mounting Fedora 20 server from a Fedora 20 client via a Fedora 23 KDC.
  • mounting Fedora 20 server from a Fedora 21 client via a Fedora 23 KDC.

The narrow window…

Operable

Apparently kerberos prior to version 1.11 and/or nfs-utils 1.3 – Does. Not. Work.

  • at all? → unclear.
  • in the NFSv4 use case → verified.

Recipe

On client.example.com

  • Establish /etc/krb5.conf with the appropriate default realm and realm-to-DNS associations
    • sudo mv /etc/krb5.conf /etc/krb5.conf.orig
    • sudo install -m 444 krb5.conf /etc/.
  • sudo kadmin -p wbaker/admin
    See addendum & update in the Updated Recipe
    This will ask for the administrative principal’s password
    The sudo is required because you’ll be writing into /etc/krb5.keytab

    • Create the new NFS principal for the client hostname, here client.example.com
      addprinc -randkey nfs/client.example.com@EXAMPLE.COM
      (a $(hostname) substitution is not expanded at the kadmin: prompt; type the literal hostname, or pass the command from the shell with kadmin -q)
    • Add the new NFS principal to the system keytab on the host
      ktadd nfs/client.example.com
  • If you are on “older” Fedora, then see the subrecipe for deleting the keytab entries pertaining to unusable encryption algorithms; see SOLVED
    • Fixup /etc/krb5.keytab, removing the unusable algorithms
      • sudo ktutil
        • rkt /etc/krb5.keytab (read the keytab)
        • delent the slots holding the unusable encryption types (highest slot number first; ktutil renumbers the remaining slots after each deletion)
        • wkt /etc/krb5.NEWtab (write to a new file)
      • sudo mv /etc/krb5.NEWtab /etc/krb5.keytab
    • Ensure that /etc/idmapd.conf has relevant
      • Domain
        e.g. Domain = DEPARTMENT.EXAMPLE.COM
      • Local-Realms (may need to be a comma-list)
        e.g. Local-Realms = DEPARTMENT.EXAMPLE.COM,EXAMPLE.COM
  • Enable and start the Secure NFS client service
    systemctl enable nfs-secure.service
    systemctl start nfs-secure.service
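For the keytab fix-up (the ktutil subrecipe above and the [SOLVED] tl;dr of the continuation, which both remove the camellia entries), here is an added example, not the original post’s own commands, that turns `klist -e -k` output into a ktutil command stream. The klist sample, hostname and realm are constructed; the only assumption is MIT krb5’s klist layout (KVNO, principal, enctype in parentheses). ktutil slots are numbered in keytab order and renumbered after every delent, so the deletions are emitted highest slot first.

```shell
#!/bin/sh
# Added example: build a ktutil script that deletes every keytab entry whose
# enctype matches a pattern (here "camellia"). Not from the original post.
# Assumes MIT krb5 `klist -e -k` output: "KVNO principal (enctype)" lines.

# Constructed sample of `klist -e -k /etc/krb5.keytab` (not a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 nfs/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 nfs/client.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 nfs/client.example.com@EXAMPLE.COM (arcfour-hmac)
   2 nfs/client.example.com@EXAMPLE.COM (camellia256-cts-cmac)
   2 nfs/client.example.com@EXAMPLE.COM (camellia128-cts-cmac)'

# slots_to_delete KLIST_OUTPUT PATTERN
# Print the 1-based ktutil slot numbers whose enctype matches PATTERN,
# highest first, because ktutil renumbers slots after each delent.
slots_to_delete() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /^ *[0-9]+ / { slot++; if ($0 ~ "\\(" pat) print slot }
    ' | sort -rn
}

# ktutil_script KEYTAB KLIST_OUTPUT PATTERN NEWKEYTAB
# Emit the ktutil commands: read the keytab, delete the matching slots,
# write the survivors to a new file (the recipe then mv's it into place).
ktutil_script() {
    printf 'rkt %s\n' "$1"
    for s in $(slots_to_delete "$2" "$3"); do
        printf 'delent %s\n' "$s"
    done
    printf 'wkt %s\nquit\n' "$4"
}

# Standalone run: show what would be fed to ktutil for the sample keytab.
ktutil_script /etc/krb5.keytab "$SAMPLE_KLIST" camellia /etc/krb5.NEWtab
```

On a real host, feed the stream to ktutil (`ktutil_script /etc/krb5.keytab "$(sudo klist -e -k /etc/krb5.keytab)" camellia /etc/krb5.NEWtab | sudo ktutil`), then `sudo mv /etc/krb5.NEWtab /etc/krb5.keytab` and confirm with `klist -e -k` that only the intended enctypes remain. The cleaner alternative is to never write the unusable enctypes in the first place: kadmin’s `ktadd -e aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal nfs/client.example.com` restricts the enctypes, at the cost of re-randomizing the key (the kvno is bumped).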

On server.example.com

  • Enable and start the Secure NFS server service
    systemctl enable nfs-secure-server.service
    systemctl start nfs-secure-server.service
  • Export the relevant volumes with appropriate security scheme
    • sec=sys (avoid)
    • sec=krb5
    • sec=krb5i
    • sec=krb5p (use)

Specimen krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 # kdc = FILE:/var/log/krb5kdc.log
 # admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
}

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

References

  • Bug 1232984; rpc-gssd & gssproxy: NFS machine credentials not saved & user unable to access NFS /home; Red Hat Bugzilla; 2015-07-17 → 2015-10-18.
    tl;dr → describes the symptoms, was never acted upon.
  • Features/gss-proxy for Fedora 19, circa 2013-05-14.
  • gss-proxy for NFS; In Their Wiki
  • Jason Garman; Kerberos: The Definitive Guide, O’Reilly Media; 2003-09-05; 274 pages; kindle: $16, paper: $3+SHT.
    tl;dr → covers history & theory and implementations: MIT, Heimdal, Microsoft Active Directory.

Folklore

  • gssproxy was introduced circa Fedora 19 to replace rpc-gssd.

Exhibition

Of the OID path for Kerberos v5

The path 1.2.840.113554.1.2.2 is the Kerberos V5 GSS-API mechanism OID; it appears in the gssproxy messages below as { 1 2 840 113554 1 2 2 }.

Of the admonishment around RPCSEC_GSS from exports(5)

RPCSEC_GSS security

You may use the special strings “gss/krb5”, “gss/krb5i”, or “gss/krb5p” to restrict access to clients using rpcsec_gss security. However, this syntax is deprecated; on linux kernels since 2.6.23, you should instead use the “sec=” export option:

sec=
The sec= option, followed by a colon-delimited list of security flavors, restricts the export to clients using those flavors. Available security flavors include
  • sys (the default: no cryptographic security),
  • krb5 (authentication only),
  • krb5i (integrity protection), and
  • krb5p (privacy protection).

For the purposes of security flavor negotiation, order counts: preferred flavors should be listed first. The order of the sec= option with respect to the other options does not matter, unless you want some options to be enforced differently depending on flavor. In that case you may include multiple sec= options, and following options will be enforced only for access using flavors listed in the immediately preceding sec= option. The only options that are permitted to vary in this way are

  • ro,
  • rw,
  • no_root_squash,
  • root_squash, and
  • all_squash.
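Applying that rule by hand is error-prone once an export line carries more than one sec= list, so here is a small parser, added as an example (not part of exports(5) nor of the original post), that resolves which option binds to which flavor for one export line. The sample line, its path and its hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve per-flavor export options per the exports(5) rule
# quoted above. Options after a "sec=" list bind only to those flavors;
# options before any "sec=" bind to every flavor ("*"); options that
# exports(5) does not allow to vary (anything other than ro, rw,
# root_squash, no_root_squash, all_squash) are reported as global ("*").
# Not from the original post; handles one export line at a time.

# Constructed sample line (path and client pattern are illustrative):
# krb5p/krb5i clients get rw, sys clients get ro + all_squash, sync is global.
SAMPLE_EXPORT='/local *.example.com(sec=krb5p:krb5i,rw,sync,sec=sys,ro,all_squash)'

# export_options_by_flavor EXPORT_LINE
# Print one "flavor option" pair per line.
export_options_by_flavor() {
    printf '%s\n' "$1" | awk '
    {
        vary["ro"] = vary["rw"] = vary["root_squash"] = 1
        vary["no_root_squash"] = vary["all_squash"] = 1
        s = $0
        sub(/^[^(]*\(/, "", s)            # drop path, client and opening "("
        sub(/\)[^)]*$/, "", s)            # drop closing ")" and anything after
        n = split(s, opt, ",")
        cur = "*"                         # flavors the following options bind to
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^sec=/) {       # new flavor list, e.g. sec=krb5p:krb5i
                cur = substr(opt[i], 5)
                gsub(":", " ", cur)
                continue
            }
            if (!(opt[i] in vary)) {      # cannot vary by flavor: global
                print "*", opt[i]
                continue
            }
            m = split(cur, fl, " ")
            for (j = 1; j <= m; j++) print fl[j], opt[i]
        }
    }'
}

# Standalone run: show the binding for the sample line.
export_options_by_flavor "$SAMPLE_EXPORT"
```

The practical use is to check an /etc/exports line before `exportfs -rva`: if a `sys` flavor ends up bound to `rw` when the intent was krb5p-only write access, the sec= lists are in the wrong order.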

Actualities

Exhibition of success in mounting with krb5p but failure to actually getattr or access any files:

$ sudo mount -v -t nfs4 -o sec=krb5p nfs-server.example.com:/local /tmp/u
<no error>

$ tail -1 /proc/mounts
nfs-server.example.com:/local /tmp/u nfs4 rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp6,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=2001:db8::223:26ff:fe5c:ddeb,local_lock=none,addr=2001:DB8::20d:5ff:fe04:de11 0 0

$ ls -ld /tmp/u
ls: cannot access /tmp/u: Permission denied

Messages in syslog indicating that the [domain_realm] stanza of /etc/krb5.conf is not correctly defined.  This manifests in files accessed (created) on the server being accessed (created) with nfsnobody:nfsnobody.

Dec  1 13:03:05 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:03:16 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:03:16 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:03:18 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:03:36 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:10:59 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:10:59 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:14:55 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:14:58 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:15:01 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:15:08 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:34:09 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:34:09 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:34:12 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Dec  1 13:35:31 moist gssproxy: gssproxy[5035]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found

Exhibition of /etc/exports with the modern sec=krb5p

$ cat /etc/exports
# require kerberos
#
# [server]
# systemctl start nfs-secure-server.service
#
# [client]
# systemctl start nfs-secure.service
# mount -v -t nfs4 -o sec=krb5p server.example.com:/local /tmp/t
#
# n.b. with kerberos, any host that can supply an appropriate principal can mount
#
/local *.example.com(rw,sync,sec=krb5p)
<eof>

$ sudo exportfs -rva
exporting *.example.com:/local

Bringing up PostgreSQL on Fedora 23

Goals

  • PostgreSQL v9.4.5
  • Fedora 23
  • SELinux in enforcing mode
  • With a different data partition; PGDATA=/data/pgsql/storage

Recipe

  • Create the new storage area as
    sudo mkdir -p /data/pgsql/storage
    sudo chown -R postgres:postgres /data/pgsql
    sudo chmod -R g+ws /data/pgsql
    (the account the Fedora package creates is postgres, not postgresql; initdb later tightens the storage directory itself to 0700)
  • Modify SELinux to the appropriate labels
    sudo semanage fcontext -a -t postgresql_db_t "/data/pgsql/storage(/.*)?"
    sudo restorecon -R /data/pgsql/storage
    (if the service fails to start after initdb, re-run the restorecon; see Actualities, where the freshly initialized files carried etc_runtime_t)
  • Create /etc/systemd/system/postgresql.service as
    .include /lib/systemd/system/postgresql.service
    [Service]
    Environment=PGDATA=/data/pgsql/storage
  • Initialize the database as
    sudo -u postgres initdb -D /data/pgsql/storage
  • Enable & start the database
    sudo systemctl enable postgresql.service
    sudo systemctl start postgresql.service
  • Create the initial (database) user base
    sudo -u postgres createuser --no-superuser --no-createrole --no-createdb wbaker
    sudo -u postgres createuser --no-superuser --no-createrole --no-createdb apache
    sudo -u postgres createuser --no-superuser --no-createrole --no-createdb koji

    Then, as postgres in psql, give them databases:

    create database wbaker owner wbaker;
    create database koji owner koji;
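initdb finishes with a warning that “trust” authentication is enabled for local connections (see Actualities below), which means any local account can connect as any database role, postgres included. An added example, not part of the original recipe, that audits a pg_hba.conf for that and two related weak rules; the sample file is constructed to look like what initdb writes plus one sane rule and one deliberately bad one.

```shell
#!/bin/sh
# Added example: audit a pg_hba.conf for weak authentication rules.
# Not from the original post. Assumes the stock layout initdb writes:
#   TYPE  DATABASE  USER  [ADDRESS]  METHOD  [OPTIONS]
# local rules have no ADDRESS field; the split "IP-address IP-mask"
# address form is not handled.

# Constructed sample: the three "trust" lines initdb writes by default,
# one sane md5 rule, and one rule open to the world with cleartext passwords.
SAMPLE_HBA='# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             ::1/128                 trust
host    koji            koji            10.0.0.0/8              md5
host    all             all             0.0.0.0/0               password'

# hba_audit HBA_TEXT
# Print "<reason>: <rule>" for each weak rule; exit 1 if any, 0 if clean.
hba_audit() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 ~ /^#/ { next }                  # blanks and comments
        {
            type = $1
            method = (type == "local") ? $4 : $5        # local rules lack ADDRESS
            if (method == "trust") {
                print "trust, no authentication at all: " $0; bad++
            }
            if (method == "password") {
                print "cleartext password on the wire: " $0; bad++
            }
            if (type == "host" && ($4 == "0.0.0.0/0" || $4 == "::/0")) {
                print "rule open to every address: " $0; bad++
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Standalone run against the sample (it is expected to find five problems).
hba_audit "$SAMPLE_HBA" || printf 'pg_hba.conf has weak rules\n'
```

To avoid fixing this after the fact, pass `--auth-local=peer --auth-host=md5` to initdb (both are initdb options in 9.4; `--data-checksums` is worth adding at the same time, since the output above shows checksums disabled): peer lets the `sudo -u postgres` / `sudo -u koji` style of local login work without a password while host logins need the md5-stored password, which also resolves the Folklore ambiguity below about what pg_hba.conf must say once postgres has a password.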

Configuration

With PGDATA=/data/pgsql/storage the configuration lives in the data directory:

  • /data/pgsql/storage/pg_hba.conf
  • /data/pgsql/storage/pg_ident.conf
  • /data/pgsql/storage/postgresql.conf
  • /data/pgsql/storage/postgresql.auto.conf
  • /data/pgsql/storage/postmaster.opts

Packages

$ rpm -q -a | grep ^post | sort
postgis-2.1.8-2.fc23.x86_64
postgresql-9.4.5-1.fc23.x86_64
postgresql-contrib-9.4.5-1.fc23.x86_64
postgresql-devel-9.4.5-1.fc23.x86_64
postgresql-docs-9.4.5-1.fc23.x86_64
postgresql-ip4r-2.0.2-7.fc23.x86_64
postgresql-libs-9.4.5-1.fc23.x86_64
postgresql-server-9.4.5-1.fc23.x86_64

Folklore

  • Default user for user postgres; John R. Pierce; In PostgreSQL Bugs, a mailing list; 2011-04-01.
    tl;dr → gives the bringup recipe; is ambiguous about plaintext contra md5 encoding of passwords & how they are established.

    sudo -u postgres psql
    postgres=> alter user postgres password 'apassword';
    postgres=> -- n.b. CREATEUSER is a deprecated alias for SUPERUSER; CREATEROLE is the lesser privilege
    postgres=> create user someusername createdb createuser password 'somepassword';
    postgres=> create database someusername owner someusername;
    postgres=> \q

    Ambiguous: how to modify pg_hba.conf to account for the new password on the default user postgres. (In PostgreSQL 9.4 the password is stored md5-hashed, password_encryption defaulting to on; the matching pg_hba.conf method is md5, not trust.)

  • SELinux Policy for PostgreSQL Data Directory; Some dude using the self-asserted identity token brock; In Some Blog; 2010-03-29.
    tl;dr → old, circa PostgreSQL v8.4; suggests using chcon ad hoc and manually.

References

  • Documentation PostgreSQL v9.4; In PostgreSQL Wiki
  • PostgreSQL, in Fedora Project
    tl;dr → general upgrade recipe; does cover systemd, postgresql.conf changing PGDATA, PGHOME
  • Move PGDATA Fedora 17, In PostgreSQL Wiki
    Subheading: Moving PGDATA to a directory below /home in Fedora 17, 18 or 19.
    tl;dr → recipe

    • with semanage fcontext
    • semi-manual edit of PGDATA
      • from /usr/lib/systemd/system/postgresql.service
      • into /etc/systemd/system/postgresql.service
  • PostgreSQL Changing Database Location; In Configuration Examples of Red Hat Enterprise Linux 6
    tl;dr → recipe

    • with semanage fcontext
    • still references SysV initscripts.

Actualities

$ sudo -u postgres initdb -D /data/pgsql/storage
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /data/pgsql/storage ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting dynamic shared memory implementation ... posix
creating configuration files ... ok
creating template1 database in /data/pgsql/storage/base/1 ... ok
initializing pg_authid ... ok
initializing dependencies ... ok
creating system views ... ok
loading system objects' descriptions ... ok
creating collations ... ok
creating conversions ... ok
creating dictionaries ... ok
setting privileges on built-in objects ... ok
creating information schema ... ok
loading PL/pgSQL server-side language ... ok
vacuuming database template1 ... ok
copying template1 to template0 ... ok
copying template1 to postgres ... ok
syncing data to disk ... ok

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.

Success. You can now start the database server using:

    postgres -D /data/pgsql/storage
or
    pg_ctl -D /data/pgsql/storage -l logfile start
$ sudo systemctl enable postgresql.service
Created symlink from /etc/systemd/system/multi-user.target.wants/postgresql.service to /etc/systemd/system/postgresql.service.
$ sudo systemctl start postgresql.service
Job for postgresql.service failed because the control process exited with error code. See "systemctl status postgresql.service" and "journalctl -xe" for details.
$ sudo restorecon -v -v -R /data/pgsql/storage
restorecon reset /data/pgsql/storage context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_snapshots context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_ident.conf context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_dynshmem context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/postgresql.auto.conf context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_hba.conf context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_replslot context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_clog context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_clog/0000 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_notify context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/pg_notify/0000 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/13085 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12973 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12980 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12831_fsm context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12990 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12975 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12831 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12967 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12974 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12971 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/pg_internal.init context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:postgresql_db_t:s0
restorecon reset /data/pgsql/storage/global/12833 context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:
<snip/>
$ sudo systemctl start postgresql.service
<no output>
$ systemctl status postgresql.service
● postgresql.service - PostgreSQL database server
   Loaded: loaded (/etc/systemd/system/postgresql.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2015-12-05 11:31:13 PST; 10s ago
  Process: 4966 ExecStart=/usr/libexec/postgresql-ctl start -D ${PGDATA} -s -w -t ${PGSTARTTIMEOUT} (code=exited, status=0/SUCCESS)
  Process: 4962 ExecStartPre=/usr/libexec/postgresql-check-db-dir %N (code=exited, status=0/SUCCESS)
 Main PID: 4969 (postgres)
   CGroup: /system.slice/postgresql.service
           ├─4969 /usr/bin/postgres -D /data/pgsql/storage
           ├─4972 postgres: logger process   
           ├─4974 postgres: checkpointer process   
           ├─4975 postgres: writer process   
           ├─4976 postgres: wal writer process   
           ├─4977 postgres: autovacuum launcher process   
           └─4978 postgres: stats collector process

Automatic Empty Zones (including RFC 1918 prefixes) transition between BIND v9.8 and BIND v9.9

References

Standards

  • RFC 1918; Address Allocation for Private Internets; 1996-02.
  • RFC 4193; Unique Local IPv6 Unicast Addresses; 2005-11.
  • RFC 5737; IPv4 Address Blocks Reserved for Documentation; 2010-01.
  • RFC 6598; IANA-Reserved IPv4 Prefix for Shared Address Space; 2012-04.

Interesting

The two zones pertaining to the unknown address and the localhost address of IPv6 are each considered individually and separately as a zone:

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA

To amplify: there is no containing zone that is expected to hold both of these names.

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA

Exhibitions

As of BIND v9.9, the following empty zones may be produced:

10.IN-ADDR.ARPA
16.172.IN-ADDR.ARPA
17.172.IN-ADDR.ARPA
18.172.IN-ADDR.ARPA
19.172.IN-ADDR.ARPA
20.172.IN-ADDR.ARPA
21.172.IN-ADDR.ARPA
22.172.IN-ADDR.ARPA
23.172.IN-ADDR.ARPA
24.172.IN-ADDR.ARPA
25.172.IN-ADDR.ARPA
26.172.IN-ADDR.ARPA
27.172.IN-ADDR.ARPA
28.172.IN-ADDR.ARPA
29.172.IN-ADDR.ARPA
30.172.IN-ADDR.ARPA
31.172.IN-ADDR.ARPA
168.192.IN-ADDR.ARPA
100.51.198.IN-ADDR.ARPA
113.0.203.IN-ADDR.ARPA
8.B.D.0.1.0.0.2.IP6.ARPA

Earlier versions produced empty zones for the following:

0.IN-ADDR.ARPA
127.IN-ADDR.ARPA
254.169.IN-ADDR.ARPA
2.0.192.IN-ADDR.ARPA
100.51.198.IN-ADDR.ARPA
113.0.203.IN-ADDR.ARPA
255.255.255.255.IN-ADDR.ARPA
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
8.B.D.0.1.0.0.2.IP6.ARPA
D.F.IP6.ARPA
8.E.F.IP6.ARPA
9.E.F.IP6.ARPA
A.E.F.IP6.ARPA
B.E.F.IP6.ARPA
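An added example, not from this page or from BIND, in Python: it derives these empty-zone names from their address prefixes (so 172.16.0.0/12 expands to the sixteen zones 16.172 through 31.172.IN-ADDR.ARPA, and fe80::/10 to the four 8.E.F through B.E.F.IP6.ARPA zones) and then reports which listed zone would absorb a given reverse lookup, which is what decides whether a PTR query for a private address is answered locally or leaks upstream. The two zone lists are exactly the ones given above; the RFC 6598 block 100.64.0.0/10 from the references is included only to show that it expands to 64 zones.

```python
import ipaddress

def reverse_zones(prefix):
    """Reverse-DNS zone names covering `prefix`, one per label-aligned subnet.
    A prefix that is not aligned to an octet (IPv4) or nibble (IPv6) label boundary
    expands to several zones: 172.16.0.0/12 becomes 16.172 ... 31.172.IN-ADDR.ARPA."""
    net = ipaddress.ip_network(prefix, strict=True)
    bits_per_label = 8 if net.version == 4 else 4
    aligned = -(-net.prefixlen // bits_per_label) * bits_per_label  # round up to a label
    labels = aligned // bits_per_label
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        parts = sub.network_address.reverse_pointer.split(".")  # e.g. 0.0.16.172.in-addr.arpa
        host, suffix = parts[:-2], parts[-2:]                   # least-significant label first
        zones.append(".".join(host[len(host) - labels:] + suffix).upper())
    return zones

# Prefixes behind the two zone lists given on this page (BIND v9.9 and the earlier versions).
BIND_99_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                    "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"]
BIND_98_PREFIXES = ["0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
                    "198.51.100.0/24", "203.0.113.0/24", "255.255.255.255/32",
                    "::/128", "::1/128", "2001:db8::/32", "fd00::/8", "fe80::/10"]
BIND_99_EMPTY_ZONES = [z for p in BIND_99_PREFIXES for z in reverse_zones(p)]
BIND_98_EMPTY_ZONES = [z for p in BIND_98_PREFIXES for z in reverse_zones(p)]

def covering_empty_zone(address, zones):
    """Most specific zone in `zones` containing the PTR name for `address`, or None when
    no empty zone absorbs the query and the resolver would forward it upstream."""
    name = ipaddress.ip_address(address).reverse_pointer.upper().split(".")
    best = None
    for zone in zones:
        zl = zone.split(".")
        if name[-len(zl):] == zl and (best is None or len(zl) > len(best.split("."))):
            best = zone
    return best

if __name__ == "__main__":
    for p in ["172.16.0.0/12", "fe80::/10", "100.64.0.0/10"]:
        z = reverse_zones(p)
        print(f"{p}: {len(z)} zone(s), first {z[0]}, last {z[-1]}")
    for a in ["192.168.1.1", "127.0.0.1", "2001:db8::1", "8.8.8.8"]:
        print(a, "v9.9:", covering_empty_zone(a, BIND_99_EMPTY_ZONES),
              "earlier:", covering_empty_zone(a, BIND_98_EMPTY_ZONES))
```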

Building Microservice Architectures | Neal Ford, ThoughtWorks

Neal Ford (ThoughtWorks); Building Microservice Architectures; In Some Venue; 2014; 80 slides.

tl;dr → Enterprise Service Bus (ESB) rides again, but with Agile, Conway, Java, JSON, HTTP, REST, CI/CD & DevOps!

Original Sources

Sam Newman; Building Microservices: Designing Fine-Grained Systems; O’Reilly Media; preview edition; WHEN?; 102 pages; free sample (final edition); 25 pages; Amazon: kindle: $31, paper: $42+SHT; O’Reilly: pdf: $43, paper: $50+SHT.

Mentions

  • Conway’s Law
    • Definition: “organizations which design systems … are constrained to produce designs which are copies of the communication structures of these organizations,” as stated in the slides.
    • Melvin Conway
    • Jimi Wales Wiki.
    • Respect it: everyone must obey The Law, whether you like it or not.
      • Inverse Conway Maneuver → assemble teams around the desired architecture; the architecture will develop itself.
      • Domain Isomorphism
      • Architecture Isomorphism
  • Coupling
    • is bad
    • Efferent vs Afferent, from medical terminology
      • Efferent → conducting away (from the center)
      • Afferent → conducting towards the center
    • Efferent Coupling is tolerable at low levels
      Fancy-speak: independent non-coordinating
  • CAP Theorem
    Choose at most two

    • Consistency
    • Availability
    • Partition Tolerance
  • Prefer BASE over ACID
    • BASE
      • Basic Availability
      • Soft-State
      • Eventual Consistency
    • ACID
      • Atomic
      • Consistent
      • Isolated
      • Durable
  • Prefer Choreography-over-Orchestration
  • Have Consumer-Driven Contracts;
  • Prefer REST-over-SOAP
    • RPC over REST is good
    • RPC over SOAP is bad
  • DevOps is good.
  • Service-Oriented Architecture (SOA)
    • is different somehow
    • is (was) J2EE, the aircraft carrier approach
    • Enterprise Service Bus (ESB), hub-and-spoke
  • Claim: Microservice is the first architectural style developed post-Continuous Delivery.
  • Something vague about “smart endpoints, dumb pipes”
  • Something vague about allowing multiple languages
    “embrace polyglot solutions where sensible”
    in practice: Java servers (Jetty), HTTP as IPC, JSON wire format, no-SQL, no-schema, CI/CD, DevOps
  • Databases
    • Bad → Monolithic & ACID
    • Good → Lots of uncoordinated, decentralized, small, application-specific databases & hope; let BASE carry the day.
  • Something vague about decentralized governance
    Claimed <quote>Enterprise architects suffer from less pressure to make the correct choice(s) in microservice architectures.</quote>
    In practice: it’s hard to go wrong with Java/JSON/HTTP/noSQL/noschema/CI/CD/DevOps
  • Prefer: to rewrite instead of maintain
    This has got to be somewhat controversial, but isn’t amplified in any way.
  • Scope: stay small, 10-100 LOC per function; a function is now called “a service”
    This has got to be somewhat controversial, but isn’t amplified in any way [one has to marshal up an HTTP-scale network call just to get access to 10-100 LOC "over there"?  Orly?  Sounds slow ... and brittle.]
  • Theory
    • no theory
      • find “a balance”
      • do “what feels right”
    • U R DOIN IT RONG → No, we’re not, it feels right & good. Go away. You’re not the boss of me.
    • Partitions
      • Domain
      • Organization
      • Transaction
      • other.
  • Taxonomy
    • Components → deployed
    • Features → released (enabled)
    • Applications → implement routing
      • to deployed Components
      • with released Features.
    • There are no other sorts of applications.
  • Cascading Failure
    • Avoid it
    • Metaphors to slideware about
      • timeouts
      • circuit breakers
      • bulkheads
      • [firewalls?]

Nostrums

Slides 39-80.

  • Return queries optimized for ranking & aggregation rather than for display [sure, but why?]
  • Prefer timely but partial results over slow & complete results [ahem, when appropriate]
  • Command and Query Responsibility Segregation (CQRS)
    • Query Model
    • Command Model
  • Design for Failure
  • Graceful Degradation
  • Use Monitoring
    • bad → multipane ssh terminal
    • good → Logstash+Kibana
  • Testing on Production
    • Synthetic transactions
    • Isotopes
    • Correlated (Unique) Identifiers
      a.k.a. unique order numbers
  • Service Templates, Microsoft
    • VM & (J)VM Concepts
    • A set of VMs deployed together
  • Software Configuration Management (SCM) → you will use git (you will avoid subversion)
    • lots of little repositories
    • only organized & integrated at build time → good luck!
  • Object-Relational Mapping (ORM)
    • Sooner or later you have to persist something in a real database
    • Spring
  • Testing Theory
    • Taxonomy
      • Unit Solitary
      • Unit Sociable
      • Integration
      • Boundary (Interface)
      • Component
      • Contract
      • End-to-End
    • Tooling
      • Shim
  • CI/CD & DevOps
    • Staging mustn’t diverge from Production
    • One change at a time
    • Two copies of prod: Blue & Green

Referenced

Roughly in order of appearance

Tooling

Via: backfill.

AMD Catalyst is no longer supported at RPM Fusion after Fedora 21, not for Fedora 22 or Fedora 23

Availability

Documentation

AMD Radeon Software Crimson Edition Linux 15.11 Proprietary Graphics Driver Release Notes

  • Fedora is not mentioned
  • Declared support
    • Red Hat Enterprise Linux Suite 7.2, 7.1, 7.0, 6.7, 6.6, 6.5
    • Ubuntu 12.04.4 LTS, 14.04.2, 14.04.3, 15.04, 15.10
    • SUSE® Linux Enterprise 11 SP3, 12
    • OpenSuSE 13.1
  • Linux kernel 2.6 or above (up to 3.19)
    i.e. not after 3.19 and definitely not the 4.x series
  • Xorg/Xserver 7.4 and above (up to 1.17)

<quote>

Before attempting to install the AMD Radeon Software Crimson Edition Linux 15.11 Proprietary Graphics Driver, the following software must be installed:

  • Xorg/Xserver 7.4 and above (up to 1.17)
  • Linux kernel 2.6 or above (up to 3.19)
  • glibc version 2.2 or 2.3
  • POSIX Shared Memory (/dev/shm) support is required for 3D applications

</quote>

Folklore

Phoronix

  • What The Radeon “Crimson” Control Center Looks Like On Linux;

    Michael Larabel; in His Blog entitled Phoronix; 2015-11-24.
    tl;dr → reports success on Ubuntu 15.10

    • Renaming
      • Crimson Linux Driver
      • Radeon
      • AMDCCCLE (AMD Catalyst Control Center Linux Edition)
        becomes
        AMDRCCLE (AMD Radeon Control Center Linux Edition)
    • fglrx 15.30

RPMFusion

from rpmfusion-users@rpmfusion.org

From: Dario Castellarin, 2015-11-23
Afaik Catalyst has not been dropped for lack of interest, but because it doesn’t support the newer versions of kernel and xorg that Fedora ships, and it’s generally speaking a huge PITA to support. If you have a Fury card, open source support has been published recently and it should land in kernel 4.5, but you can already build your own from git, if you’re in a hurry…

From: Stephen Adler, 2015-11-23.
Guys,
I bought a Radeon Fury card and I would like to get it running with the latest fedora dist. It seems like the catalyst support has been dropped for lack of interest. Is this true? If so, is there any hope of seeing the support come back? I may offer some package maintenance cycles depending on how much time it would take. Or is the open source support for the Radeon cards sufficient and thus the reason interest in the proprietary ATI driver has dropped?
Thanks. Steve.

On the reception and detection of pseudo-profound bullshit | Pennycook, Cheyne, Barr, Koehler, Fugelsang

Gordon Pennycook, James Allan Cheyne, Nathaniel Barr, Derek J. Koehler, Jonathan A. Fugelsang; On the reception and detection of pseudo-profound bullshit; In Judgment and Decision Making, Vol. 10, No. 6, 2015-11, pp. 549–563

Abstract

Although bullshit is common in everyday life and has attracted attention from philosophers, its reception (critical or ingenuous) has not, to our knowledge, been subject to empirical investigation. Here we focus on pseudo-profound bullshit, which consists of seemingly impressive assertions that are presented as true and meaningful but are actually vacuous. We presented participants with bullshit statements consisting of buzzwords randomly organized into statements with syntactic structure but no discernible meaning (e.g., “Wholeness quiets infinite phenomena”). Across multiple studies, the propensity to judge bullshit statements as profound was associated with a variety of conceptually relevant variables (e.g., intuitive cognitive style, supernatural belief). Parallel associations were less evident among profundity judgments for more conventionally profound (e.g., “A wet person does not fear the rain”) or mundane (e.g., “Newborn babies require constant attention”) statements. These results support the idea that some people are more receptive to this type of bullshit and that detecting it is not merely a matter of indiscriminate skepticism but rather a discernment of deceptive vagueness in otherwise impressive sounding claims. Our results also suggest that a bias toward accepting statements as true may be an important component of pseudo-profound bullshit receptivity.

Sources

Bringing up MySQL (MariaDB) v10.0 on Fedora 23 on an Intel NUC

Components

Configuration

Non-Standard Storage Area

Prepare the new storage area.

$ cat > mysql.semanage << EOF
fcontext -a -t mysqld_db_t "/data/mysql/storage(/.*)?"
EOF
$ sudo semanage -i ./mysql.semanage
$ sudo restorecon -v -v -R /data/mysql
restorecon reset /data/mysql context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /data/mysql/selinux context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /data/mysql/storage context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:mysqld_db_t:s0
restorecon reset /data/mysql/tmp context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /data/mysql/tmp/mysql.semanage context unconfined_u:object_r:etc_runtime_t:s0->unconfined_u:object_r:default_t:s0

validate…

$ cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.

/data/mysql/storage(/.*)?    system_u:object_r:mysqld_db_t:s0

Configure the new storage area in either /etc/my.cnf or /etc/my.cnf.d/mariadb-server.cnf.

$ cat /etc/my.cnf /etc/my.cnf.d/mariadb-server.cnf
<snip/>
[mysqld]
datadir=/data/mysql/storage
<snip/>

SSL Authentication & Authorization

# ssl-cipher is defaulted
ssl-ca = /etc/pki/emerson/databasists/all.crt
# ssl-capath = unused
ssl-cert = /etc/pki/mysql/server.crt
ssl-key = /etc/pki/mysql/server.key

Bringup

$ mysqladmin -u root password a574e703-e87a-4013-8a54-179cfed91809
$ mysql -u root -h localhost -p
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.0.21-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create user wbaker;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'wbaker'@'%'
->    REQUIRE
->        ISSUER '/C=US/ST=California/L=Palo Alto/O=Baker/OU=Emerson/CN=Baker Emerson Database Authority 1'
-> AND SUBJECT '/C=US/ST=California/L=Palo Alto/O=Baker/OU=Emerson/CN=wbaker/emailAddress=wbaker@emerson.baker.org';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> show grants for wbaker@'%';
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for wbaker@%                                                                                                                                                                                                                                                |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'wbaker'@'%' REQUIRE ISSUER '/C=US/ST=California/L=Palo Alto/O=Baker/OU=Emerson/CN=Baker Emerson Database Authority 1' SUBJECT '/C=US/ST=California/L=Palo Alto/O=Baker/OU=Emerson/CN=wbaker/emailAddress=wbaker@emerson.baker.org' |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
MariaDB [(none)]>

Validation

MariaDB [(none)]> show global variables like '%ssl%'; 
+---------------+--------------------------------------+
| Variable_name | Value                                |
+---------------+--------------------------------------+
| have_openssl  | YES                                  |
| have_ssl      | DISABLED                             |
| ssl_ca        | /etc/pki/emerson/databasists/all.crt |
| ssl_capath    |                                      |
| ssl_cert      | /etc/pki/mysql/server.crt            |
| ssl_cipher    |                                      |
| ssl_crl       |                                      |
| ssl_crlpath   |                                      |
| ssl_key       | /etc/pki/mysql/server.key            |
+---------------+--------------------------------------+
9 rows in set (0.00 sec)

If have_ssl is DISABLED then the server is compiled with SSL support (have_openssl is YES), but SSL was not enabled at startup. This can occur (silently) if the server key files are specified in the configuration but are not readable by the mysql user (e.g. they are owned by, and/or only readable by, root).

$ find /etc/pki/mysql -ls
398268    4 drwxr-xr-x   2 root     root         4096 Nov 25 12:23 /etc/pki/mysql
398270    4 -r--r--r--   1 mysql    mysql        1736 Nov 25 12:22 /etc/pki/mysql/server.crt
398271    4 -r--------   1 mysql    mysql        1679 Nov 25 12:23 /etc/pki/mysql/server.key

$ ls -alsZ /etc/pki/mysql
total 16
4 drwxr-xr-x.  2 root  root  unconfined_u:object_r:cert_t:s0 4096 Nov 25 12:23 .
4 drwxr-xr-x. 12 root  root  system_u:object_r:cert_t:s0     4096 Nov 25 12:26 ..
4 -r--r--r--.  1 mysql mysql system_u:object_r:cert_t:s0     1736 Nov 25 12:22 server.crt
4 -r--------.  1 mysql mysql system_u:object_r:cert_t:s0     1679 Nov 25 12:23 server.key
$ mysql -h perfect
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.0.21-MariaDB MariaDB Server

Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> status;
--------------
mysql  Ver 15.1 Distrib 5.5.39-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:		3
Current database:	
Current user:		wbaker@vast.sanguine.emerson.baker.org
SSL:			Cipher in use is DHE-RSA-AES256-SHA
Current pager:		less
Using outfile:		''
Using delimiter:	;
Server:			MariaDB
Server version:		10.0.21-MariaDB MariaDB Server
Protocol version:	10
Connection:		perfect via TCP/IP
Server characterset:	latin1
Db     characterset:	latin1
Client characterset:	utf8
Conn.  characterset:	utf8
TCP port:		3306
Uptime:			8 sec

Threads: 1  Questions: 5  Slow queries: 0  Opens: 0  Flush tables: 1  Open tables: 63  Queries per second avg: 0.625
--------------

MariaDB [(none)]> 

SSL not supported via localhost

A reminder: the use of SSL is not supported via localhost (the Unix domain socket). The hostname localhost is treated specially and is interpreted to mean the Unix domain socket. The use of SSL for identification (and for security) therefore is only available via TCP.
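An added example, not from this page or from MariaDB, in Python: a preflight that parses the SSL variables table from the Validation section above and applies the checks the text names, namely whether each configured file is readable by the mysql user (the silent cause of have_ssl DISABLED), whether the private key is readable only by its owner, and whether the SELinux type is the cert_t the listing shows. The mysql uid/gid and the listing for all.crt are constructed stand-ins; the table and the /etc/pki/mysql listing are the page's own values.

```python
import stat
from dataclasses import dataclass

# Constructed stand-ins for the service account; on a real host take them from /etc/passwd.
MYSQL_UID, MYSQL_GID = 27, 27

@dataclass
class FileInfo:
    """What `find -ls` and `ls -Z` report for one file, reduced to the fields that matter."""
    path: str
    uid: int
    gid: int
    mode: int                     # permission bits only, e.g. 0o400
    selinux_type: str = "cert_t"

def readable_by(info, uid, gids):
    """Discretionary read check in the order the kernel applies it: owner, group, other."""
    if uid == 0:
        return True
    if info.uid == uid:
        return bool(info.mode & stat.S_IRUSR)
    if info.gid in gids:
        return bool(info.mode & stat.S_IRGRP)
    return bool(info.mode & stat.S_IROTH)

def parse_ssl_variables(table):
    """Turn the ASCII table printed by SHOW GLOBAL VARIABLES LIKE '%ssl%' into a dict."""
    out = {}
    for line in table.splitlines():
        if not line.startswith("|") or line.startswith("| Variable_name"):
            continue              # borders, header row and the "N rows in set" trailer
        name, value = (c.strip() for c in line.strip("|").split("|", 1))
        out[name] = value
    return out

def diagnose(variables, files, uid=MYSQL_UID, gids=frozenset({MYSQL_GID})):
    """Explain have_ssl=DISABLED as the text does: SSL is compiled in (have_openssl=YES) but a
    configured file cannot be read by the mysql user. Also flags a private key that group or
    other can read, and an SELinux type other than the cert_t shown in the listing."""
    findings = []
    if variables.get("have_openssl") != "YES":
        return ["server was built without SSL support; the file checks do not apply"]
    for var in ("ssl_ca", "ssl_cert", "ssl_key"):
        path = variables.get(var, "")
        if not path:
            findings.append(f"{var} is not set")
            continue
        info = files.get(path)
        if info is None:
            findings.append(f"{var}={path} does not exist")
            continue
        if not readable_by(info, uid, gids):
            findings.append(f"{var}={path} is not readable by uid {uid}; have_ssl will be DISABLED")
        if var == "ssl_key" and info.mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{var}={path} is readable by group/other; a private key should be 0400")
        if info.selinux_type != "cert_t":
            findings.append(f"{var}={path} has SELinux type {info.selinux_type}; listing shows cert_t")
    if variables.get("have_ssl") == "DISABLED" and not findings:
        findings.append("have_ssl is DISABLED although every configured file is readable; read the mysqld error log")
    return findings

# The table from the Validation section above (abridged), reproduced as constructed input.
SSL_TABLE = """\
+---------------+--------------------------------------+
| Variable_name | Value                                |
+---------------+--------------------------------------+
| have_openssl  | YES                                  |
| have_ssl      | DISABLED                             |
| ssl_ca        | /etc/pki/emerson/databasists/all.crt |
| ssl_capath    |                                      |
| ssl_cert      | /etc/pki/mysql/server.crt            |
| ssl_key       | /etc/pki/mysql/server.key            |
+---------------+--------------------------------------+
9 rows in set (0.00 sec)
"""

# The /etc/pki/mysql listing from the page; all.crt is not listed there, so a root-owned,
# world-readable CA bundle is assumed.
FILES_OK = {f.path: f for f in [
    FileInfo("/etc/pki/emerson/databasists/all.crt", 0, 0, 0o444),
    FileInfo("/etc/pki/mysql/server.crt", MYSQL_UID, MYSQL_GID, 0o444),
    FileInfo("/etc/pki/mysql/server.key", MYSQL_UID, MYSQL_GID, 0o400),
]}
# The failure the text describes: the key left owned by, and readable only by, root.
FILES_ROOT_KEY = {**FILES_OK,
                  "/etc/pki/mysql/server.key": FileInfo("/etc/pki/mysql/server.key", 0, 0, 0o400)}

if __name__ == "__main__":
    variables = parse_ssl_variables(SSL_TABLE)
    for label, files in (("as listed", FILES_OK), ("root-owned key", FILES_ROOT_KEY)):
        print(label, "->", diagnose(variables, files) or "no findings")
```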

References

  • SSL System Variables; In MariaDB Documentation; 2013-06?
    • If the server supports SSL connections, will be set to YES, otherwise will be set to NO.
    • If set to DISABLED, the server was compiled with SSL support, but was not started with SSL support (see the mysqld options). See also have_openssl.
  • mysqld Options (full list); In MariaDB Documentation; circa 2010-09.
  • SELinux and MySQL; Jeremy Smyth (Oracle); In Their Blog; 2013-03-22.
  • MySQL Changing Database Location, Configuration Examples; Documentation for Red Hat Enterprise Linux 6.

Actualities

$ df -h
Filesystem                 Size  Used Avail Use% Mounted on
devtmpfs                   7.8G     0  7.8G   0% /dev
tmpfs                      7.9G     0  7.9G   0% /dev/shm
tmpfs                      7.9G  1.1M  7.9G   1% /run
tmpfs                      7.9G     0  7.9G   0% /sys/fs/cgroup
/dev/mapper/perfect-root    24G  1.7G   22G   8% /
tmpfs                      7.9G  4.0K  7.9G   1% /tmp
/dev/sdb1                  477M   98M  351M  22% /boot
/dev/mapper/perfect-home   4.7G   22M  4.5G   1% /home
/dev/mapper/perfect-var     48G  568M   45G   2% /var
/dev/mapper/perfect-local  137G   60M  130G   1% /local
/dev/mapper/bulk-data      1.8T   68M  1.7T   1% /data

$ sudo dnf install -y mariadb-server
Last metadata expiration check performed 2:30:35 ago on Wed Nov 25 08:28:20 2015.
Dependencies resolved.
=========================================================================================================
 Package                   Arch            Version                      Repository                  Size
=========================================================================================================
Installing:
 mariadb                   x86_64          1:10.0.21-1.fc23             collected-by-file          6.0 M
 mariadb-common            x86_64          1:10.0.21-1.fc23             collected-by-file           74 k
 mariadb-config            x86_64          1:10.0.21-1.fc23             collected-by-file           25 k
 mariadb-errmsg            x86_64          1:10.0.21-1.fc23             collected-by-file          199 k
 mariadb-libs              x86_64          1:10.0.21-1.fc23             collected-by-file          637 k
 mariadb-server            x86_64          1:10.0.21-1.fc23             collected-by-file           18 M
 perl-DBD-MySQL            x86_64          4.033-1.fc23                 collected-by-file          153 k
 perl-DBI                  x86_64          1.633-6.fc23                 collected-by-file          727 k
 perl-Math-BigInt          noarch          1.9997-349.fc23              collected-by-file          188 k

Transaction Summary
=========================================================================================================
Install  9 Packages

Total size: 26 M
Installed size: 132 M
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : mariadb-config-1:10.0.21-1.fc23.x86_64                                               1/9 
  Installing  : mariadb-common-1:10.0.21-1.fc23.x86_64                                               2/9 
  Installing  : mariadb-errmsg-1:10.0.21-1.fc23.x86_64                                               3/9 
  Installing  : mariadb-libs-1:10.0.21-1.fc23.x86_64                                                 4/9 
  Installing  : mariadb-1:10.0.21-1.fc23.x86_64                                                      5/9 
  Installing  : perl-Math-BigInt-1.9997-349.fc23.noarch                                              6/9 
  Installing  : perl-DBI-1.633-6.fc23.x86_64                                                         7/9 
  Installing  : perl-DBD-MySQL-4.033-1.fc23.x86_64                                                   8/9 
  Installing  : mariadb-server-1:10.0.21-1.fc23.x86_64                                               9/9 
  Verifying   : mariadb-server-1:10.0.21-1.fc23.x86_64                                               1/9 
  Verifying   : mariadb-config-1:10.0.21-1.fc23.x86_64                                               2/9 
  Verifying   : perl-DBD-MySQL-4.033-1.fc23.x86_64                                                   3/9 
  Verifying   : perl-DBI-1.633-6.fc23.x86_64                                                         4/9 
  Verifying   : mariadb-common-1:10.0.21-1.fc23.x86_64                                               5/9 
  Verifying   : mariadb-errmsg-1:10.0.21-1.fc23.x86_64                                               6/9 
  Verifying   : perl-Math-BigInt-1.9997-349.fc23.noarch                                              7/9 
  Verifying   : mariadb-libs-1:10.0.21-1.fc23.x86_64                                                 8/9 
  Verifying   : mariadb-1:10.0.21-1.fc23.x86_64                                                      9/9 

Installed:
  mariadb.x86_64 1:10.0.21-1.fc23                     mariadb-common.x86_64 1:10.0.21-1.fc23            
  mariadb-config.x86_64 1:10.0.21-1.fc23              mariadb-errmsg.x86_64 1:10.0.21-1.fc23            
  mariadb-libs.x86_64 1:10.0.21-1.fc23                mariadb-server.x86_64 1:10.0.21-1.fc23            
  perl-DBD-MySQL.x86_64 4.033-1.fc23                  perl-DBI.x86_64 1.633-6.fc23                      
  perl-Math-BigInt.noarch 1.9997-349.fc23            

Complete!