I'll be giving my "Stealing the Best Ideas from DevOps" talk at BayLISA next week. Location will be in Palo Alto (exact location is in flux, RSVP for updates). Hope to see you there!

More info and RSVP here: https://www.meetup.com/BayLISA/events/237776292/

Posted by Tom Limoncelli in Speaking

The NYC DevOps meetup is trying something new in February: Tiny Talks. Tiny talks are short, 5-10 minute talks usually presented by members. They can be basically any topic related to DevOps. The idea is to encourage local members to present at meetings.

We'll be doing this for our first time at the February 21, 2017 NYCDevOps meetup. You are encouraged to sign up here (though we won't be strict if you show up with a presentation.)

From the website:

Tiny talks are 5-10 minute talks on any DevOps-related topic. We want to encourage everyone to submit a proposal. NYCDevOps is a community that shares. Tiny Talks don't have to be polished or fancy. These are short talks, making it easy for beginners and experienced people alike. We hope to have 3-4 presentations.

If you think you can't give a talk, here's a formula to start you off: (1) Use a title like: "In the last 6 months something I learned about X was Y". (2) Create 1-3 slides about what you learned. (3) The talk only has to be a few minutes long... Q&A will fill the rest of the time. For example, "In the last 6 months I learned that TerraForm breaks in [situation], here's why."

We'll have time for 2-3 Tiny Talks, so speaking slots will be first come first serve.

Hope to see you there!

Remember to RSVP!

Posted by Tom Limoncelli in NYCDevOps

I'll be the speaker at the February meeting of NYCDevOps. I'll be presenting my talk "Stealing the Best Ideas from DevOps: A Guide for Sysadmins without Developers". If you didn't see me give this talk at Usenix LISA, you can catch it here.


Please RSVP. Seating is limited.

Posted by Tom Limoncelli in Speaking

I'll be the speaker at the NYC DevOps meetup meeting. https://www.meetup.com/nycdevops/events/237543220/

Posted by Tom Limoncelli in AppearancesArchive

I am pleased to announce that the 7th Annual Cascadia IT conference Registration is open at https://www.casitconf.org/casitconf17/register-now/.

This year's conference features tutorials on Git, Reusable Infrastructures, Time Management (based on my book), AWS, and Advanced Communication Strategies along with several talks and a keynote by Corey Quinn.

Cascadia IT Conference will be held on March 10-11 in Seattle WA.


Posted by Tom Limoncelli in Conferences

LOPSA-NJ is starting regular meetings in Montclair, NJ. They've asked me to be the speaker at their first meeting. I'm honored to be asked (oh... and I live 5 miles away, so it is difficult to turn down).

I'll be giving my talk, "Stealing Best Ideas from DevOps: A Guide for Sysadmins without Developers".

I look forward to this new group being a big success!

Come join us!

Posted by Tom Limoncelli

Today I learned that you can't copy a Mac application's plist by just copying the file. However, you can export the plist and import it on a new machine:

Step 1: Exit the app.

To make sure the file is stable.

Step 2: Export the plist data:

$ defaults export info.colloquy ~/info.colloquy.backup

To know the name of the plist (info.colloquy in this example) look in ~/Library/Preferences. Use the filename but strip off the .plist suffix. If an app has multiple plists, (I assume you need to) do each of them individually.

Step 3: Copy the backup file to the new machine

I like to either copy it to Dropbox and wait for it to sync on the other machine, or scp it to my VPS and then scp it down to the new machine.

Step 4: Import the plist data:

$ defaults import info.colloquy ~/info.colloquy.backup

Step 5: Start the app and make sure it worked.

Because we're adults and we check our work.

Posted by Tom Limoncelli in Technical Tips

I have two accounts on GitHub: Personal and work. How do I access both from the same computer without getting them confused? I have two different ssh keys and use .ssh/config to do the right thing. Some bash aliases also help.


Why is it important to me that I keep these two accounts separate?

First, certain repos can only be accessed from one account or the other. Public repos can be accessed from either, but private repos are not so lucky.

Second, I want the commit logs for different projects to reflect whether I am "Tom the person" or "Tom the employee". My work-related repos shouldn't be littered with my personal email address. It is ugly and, more importantly, it would mean that someone searching for my commits would have to do two searches: one for each of my names. (My username is different at my work account, "tlimoncelli" vs. "tal"... how could I expect a coworker to know that?)

Lastly, when I contribute to a third-party project it is a very intentional decision whether I am contributing as a StackOverflow employee or as myself. I want bug reports and other notifications sent to one email address or the other depending on the situation. Also, this future-proofs things so that when I change jobs (no current plans, BTW), I'll stop receiving notifications from projects that I'm involved in for work-related reasons.

What doesn't work?

You can't upload the same SSH public key to two GitHub accounts. GitHub uses the key to determine which account you are accessing, so they must be unique. If you were able to upload the same key to both accounts, GitHub would have to guess your intention for each repo, and that guess would often be wrong. You can upload multiple keys to each account, but there may not be overlapping keys between the accounts.

I could simply decide that one machine will be only for work, and will have SSH keys associated with my work account. I would then have a different machine that I'd only use for personal stuff, and it would have an SSH key that is only associated with my personal account. However, expecting me to carry around 2 laptops is silly. That isn't to say that some companies shouldn't adopt such a policy, especially ones that have higher security requirements, but that's not my situation.

What do I do?

I set up a fake hostname in .ssh/config to indicate which SSH key to use.

Here's an example:

git clone git@home-github.com:StackExchange/httpunit.git
git clone git@work-github.com:StackExchange/httpunit.git
              ^^^^^^^^^^^^^^^ What??? That's not a thing!

There is no such thing as home-github.com or work-github.com. However, if you look at my .ssh/config file you'll find a "Host" entry that sets the actual hostname and sets a bunch of parameters, including which SSH key to use:

# Personal GitHub account:
Host home-github.com
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_ed25519-homegithub
  PreferredAuthentications publickey
  PasswordAuthentication no
  IdentitiesOnly yes

# Work GitHub account:
Host work-github.com
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_ed25519-workgithub
  PreferredAuthentications publickey
  PasswordAuthentication no
  IdentitiesOnly yes

On any machine where I use git, I simply make sure that the IdentityFile filename points to the appropriate key.

When someone gives me an SSH-based Git URL, I manually doctor the hostname by adding the "home-" or "work-" prefix. After that, everything just works.

If I forget to edit the hostname, I have defaults set so that it uses my work key. Originally I set it up so that using the undoctored hostname fails. That way I'd get an error and remember to doctor the hostname. However, I found that this interfered with systems (usually install scripts) that didn't let me edit the hostname.

Things like go get are unaffected by this system since they use anonymous HTTP, not Git.

Setting the user.email correctly

The other problem I had was properly configuring git user.name and user.email. My global ~/.gitconfig file sets user.name because I am always Tom Limoncelli. However, I leave user.email unset in that file to force me to set it per-repo.

I've set up Bash aliases to let me easily set the email address:

alias gitmeHome='git config user.email [email protected]'
alias gitmeWork='git config user.email [email protected]'

After I do "git clone", I need to remember to cd into that repo and run either gitmeHome or gitmeWork. If I forget, I get this nice reminder:

$ git commit filename
[master 5667341] yes
 Committer: Tom Limoncelli <[email protected]>
Your name and email address were configured automatically based
on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly:

    git config --global user.name "Your Name"
    git config --global user.email [email protected]

After doing this, you may fix the identity used for this commit with:

    git commit --amend --reset-author

 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 dirname/filename

With the bash aliases, setting user.email is hassle-free.
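The hostname doctoring and the per-repo user.email step described above can be combined into one helper. This is an added example, not code from the original post: the function names doctor_git_url, email_for and clone_as and the example.com addresses are hypothetical placeholders, and it assumes the home-github.com and work-github.com Host entries from the ~/.ssh/config shown earlier.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and e-mail
# addresses are hypothetical; the Host aliases are the ones in ~/.ssh/config.

# doctor_git_url ACCOUNT URL
# Prints URL with github.com replaced by ACCOUNT-github.com.
doctor_git_url() (
  account=$1 url=$2
  case $account in
    home|work) ;;
    *) echo "account must be home or work" >&2; exit 2 ;;
  esac
  case $url in
    git@github.com:*)        # scp-like form: git@github.com:owner/repo.git
      printf 'git@%s-github.com:%s\n' "$account" "${url#git@github.com:}" ;;
    ssh://git@github.com/*)  # URL form: ssh://git@github.com/owner/repo.git
      printf 'ssh://git@%s-github.com/%s\n' "$account" "${url#ssh://git@github.com/}" ;;
    git@home-github.com:*|git@work-github.com:*)
      echo "URL already uses an alias: $url" >&2; exit 3 ;;
    *)                       # https:// URLs and other hosts never use these keys
      echo "not an SSH GitHub URL: $url" >&2; exit 4 ;;
  esac
)

# email_for ACCOUNT
# Prints the commit address for that account (constructed placeholders).
email_for() (
  case $1 in
    home) echo "home-address@example.com" ;;
    work) echo "work-address@example.com" ;;
    *) exit 2 ;;
  esac
)

# clone_as ACCOUNT URL [DIR]
# Clones through the alias, then writes user.email into the new repo's
# .git/config so the first commit already carries the right identity.
clone_as() (
  account=$1 url=$2
  doctored=$(doctor_git_url "$account" "$url") || exit $?
  dir=${3:-$(basename "$url" .git)}
  git clone "$doctored" "$dir" || exit $?
  git -C "$dir" config user.email "$(email_for "$account")"
)
```

Sourced from a shell profile, `clone_as work git@github.com:StackExchange/httpunit.git` clones with the work key and sets the work address in one step.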

One more thing.

I've found it greatly simplifies my life to have the exact same ~/.ssh/config and ~/.gitconfig file on all my machines.

Manually adding a new Host entry to ~/.ssh/config on the proper machines is a pain. It is easier to copy the entire master file (which I keep in git, of course). If a particular machine doesn't need that Host entry, who cares? Either I won't use it, or it will fail if I do use it. My Host entries are carefully constructed so that they work if the right keys are on the machine, and fail otherwise.

Having the same ~/.gitconfig on all my machines is a little more tricky. It contains the settings that are the same everywhere. Overrides are set in the repo-specific .git/config file. As you saw above, a setting like user.email is critical, so I have no default in the global file; thus the per-repo setting is required.

Posted by Tom Limoncelli in Technical Tips

RIP John Boris

John was active in the LOPSA community. I saw him at nearly every LOPSA-NJ meeting, where he was active in planning and hosting the meetings. He was also on the board of LOPSA (national) where he will be greatly missed.

John was also a football coach at the school where he worked in the IT department. It was very clear that his coaching skills were something he applied everywhere, including his helpfulness and mentoring at LOPSA.

I had a feeling that when I hugged him at the end of the January LOPSA meeting it might be the last time I saw him. He was recovering from bypass surgery and was looking worn. He was chipper and friendly as always. He was a good guy. Easy to get along with. He kept LOPSA-NJ and many other projects going.

John Boris passed away last night.

I'll miss him.


Info about his service:

  • Friday Jan 20th
  • Visitation: 1030am to noon
  • Memorial Mass: noon
  • St Joseph the Worker Parish,
  • St Aloysius Church, 37 W Hadden Ave, Oaklyn, NJ 08107

In lieu of flowers donations can be made to Camden Catholic high school football program, Cherry Hill, NJ c/o Nick Strom.

Posted by Tom Limoncelli in LOPSA

My coworker did a bang-up job on this blog post. It explains a lot about how DNS works, how the Dyn DDOS attack worked (we missed it because we don't use Dyn), and the changes we made so that we'll avoid similar attacks when they come.

How Stack Overflow plans to survive the next DNS attack

Posted by Tom Limoncelli in Stack Exchange, Inc.
