<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Posts | The End of the Tunnel</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/</link><atom:link href="https://development--vigilant-hodgkin-644b1e.netlify.com/post/index.xml" rel="self" type="application/rss+xml"/><description>Posts</description><generator>Source Themes Academic (https://sourcethemes.com/academic/)</generator><language>en-us</language><copyright>© 2019 Derek Murawsky</copyright><image><url>https://development--vigilant-hodgkin-644b1e.netlify.com/img/icon-32.png</url><title>Posts</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/</link></image><item><title>Rebuilding the Homestead’s DNS with Consul, DNSMasq, and Ansible</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/rebuilding-homestead-dns/</link><pubDate>Wed, 29 Aug 2018 12:05:52 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/rebuilding-homestead-dns/</guid><description>
&lt;p&gt;My friend Jason recently posted an update on his blog over at &lt;a href=&#34;https://peaksandprotocols.com/home-network-dns-infrastructure/&#34; target=&#34;_blank&#34;&gt;Peaks and Protocols&lt;/a&gt; about redoing his home network’s DNS setup. This reminded me that I really needed to do an update on my own recent DNS rebuild, which was based around &lt;a href=&#34;https://www.hashicorp.com/&#34; target=&#34;_blank&#34;&gt;Hashicorp&lt;/a&gt;‘s &lt;a href=&#34;https://www.consul.io/&#34; target=&#34;_blank&#34;&gt;Consul&lt;/a&gt;, &lt;a href=&#34;http://www.thekelleys.org.uk/dnsmasq/doc.html&#34; target=&#34;_blank&#34;&gt;DNSMasq&lt;/a&gt; and &lt;a href=&#34;https://www.ansible.com/&#34; target=&#34;_blank&#34;&gt;Ansible&lt;/a&gt; running on some &lt;a href=&#34;https://www.raspberrypi.org/&#34; target=&#34;_blank&#34;&gt;Raspberry Pi 3&lt;/a&gt;s. Overkill? Probably. But if you can’t have fun with your home network, what’s the point? On to the setup…&lt;/p&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/homenet.png&#34; &gt;
&lt;img src=&#34;images/homenet.png&#34; alt=&#34;&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;h2 id=&#34;consul&#34;&gt;Consul&lt;/h2&gt;
&lt;p&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/consul-logo.png&#34; &gt;
&lt;img src=&#34;images/consul-logo.png&#34; alt=&#34;&#34; width=&#34;100&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
Consul started life as a distributed service locator and key-value store. It has grown significantly over the years and is now becoming a full-fledged service mesh. It allows any server to register and provide one or multiple services, with simple config files or API calls. Further, Consul supports the idea of multiple locations natively and even has health checks. This means it will give you your local, healthy service endpoint.&lt;/p&gt;
&lt;p&gt;One of the main reasons I chose Consul is because it makes itself available via DNS as the .consul domain. Want to know where your git server is? dig git.service.consul. Your documentation hosted on a webserver somewhere? dig docs.service.consul. This makes finding a service you have running somewhere trivial, and means never having to update a DNS zone file again.&lt;/p&gt;
&lt;p&gt;Another reason, which I’m not using yet, is that it has a solid key-value store. This is great for storing configuration settings for distributed applications. There are a ton of tools that take advantage of this, and even provide dynamic reloading capabilities to the app when a key is changed in Consul.&lt;/p&gt;
&lt;h2 id=&#34;dnsmasq&#34;&gt;DNSMasq&lt;/h2&gt;
&lt;p&gt;In order to take advantage of Consul’s DNS features you need a DNS server that can point to Consul for just that domain, while passing through all other traffic to a normal DNS resolver. I chose DNSMasq for this because it is simple and well understood. There were some security issues with it last year, but they have since been addressed. I may migrate to &lt;a href=&#34;https://nlnetlabs.nl/projects/unbound/about/&#34; target=&#34;_blank&#34;&gt;unbound&lt;/a&gt; in the long run, but DNSMasq is fine for my use cases.&lt;/p&gt;
&lt;h2 id=&#34;ansible-putting-it-all-together&#34;&gt;Ansible &amp;amp; Putting it All Together&lt;/h2&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/ansible-logo.png&#34; &gt;
&lt;img src=&#34;images/ansible-logo.png&#34; alt=&#34;&#34; width=&#34;100&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;p&gt;Ansible is the glue that makes sure I can redo this config easily should something happen to the Pis. It is a configuration management system that just works, with minimal extra craziness. I could go on for days about Ansible, and probably should write a dozen posts on it alone, but there’s so much out there already that I don’t feel the need. Bottom line is, this is the tool that sets up Consul and DNSMasq for me, and ensures that I can reset everything to a known working state in the event of configuration drift.&lt;/p&gt;
&lt;p&gt;I used several modules to help get this project running quickly.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;https://github.com/idealista/consul-role&#34; target=&#34;_blank&#34;&gt;idealista-consul-role&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://github.com/Oefenweb/ansible-dnsmasq&#34; target=&#34;_blank&#34;&gt;oefenweb.dnsmasq&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://github.com/geerlingguy/ansible-role-ntp&#34; target=&#34;_blank&#34;&gt;geerlingguy.ntp&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I ended up having to change some of the roles around to suit the Raspberry Pi environment, but otherwise it was fairly easy. I created my own baseline role which updates and upgrades and installs some packages, including python and its tools. This base role also creates a user account for me and Ansible itself. The first time I ran it, I had to pass parameters to log in as the default Raspbian user, but after that it can run using the Ansible user instead.&lt;/p&gt;
&lt;pre&gt;&lt;code class=&#34;language-yaml&#34;&gt;- name: Update Apt and Upgrade Packages
  apt:
    update_cache: yes
    cache_valid_time: 3600
    name: &amp;quot;*&amp;quot;
    state: latest
  tags:
    - packages
- name: Install Baseline Apps
  apt:
    name: &amp;quot;{{ packages }}&amp;quot;
    state: present
  vars:
    packages:
      - python
      - python-pip
      - python3
      - python3-pip
      - virtualenv
      - python3-virtualenv
      - python-pip
      - dnsutils
  tags:
    - packages
- name: Install pi base python packages
  pip:
    name: &amp;quot;{{ packages }}&amp;quot;
    state: present
  vars:
    packages:
      - python-consul
      - hvac
- name: Create Ansible management user
  user:
    name: ansible
    comment: Ansible system user
    group: admin
    state: present
- name: Create dmurawsky user
  user:
    name: dmurawsky
    comment: Derek Murawsky
    group: admin
    state: present
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;For my group_vars, I created a DNS.yml file with the needed variables for consul and DNSMasq.&lt;/p&gt;
&lt;pre&gt;&lt;code class=&#34;language-yaml&#34;&gt;# Consul Configuration
consul_version: 1.2.2
#consul_package: consul_1.2.2_linux_arm.zip
consul_server: true
consul_agent: true
consul_ui: true
consul_server_nodes:
  - 192.168.1.2
  - 192.168.1.3
# Services #
consul_agent_services: true
consul_services_register:
  # Register NTP in consul
  - name: ntp
    port: 123
    tags:
      - udp
  - name: dns
    port: 53
    tags:
      - udp
# Hashicorp Vault
vault_version: 0.10.4
vault_pkg: vault_{{ vault_version }}_linux_arm.zip
vault_pkg_sum: 384e47720cdc72317d3b8c98d58e6c8c719ff3aaeeb71b147a6f5f7a529ca21b
# DNSMasq
dnsmasq_dnsmasq_conf:
  - |
    port=53
    bind-interfaces
    server=8.8.8.8
    server=8.8.4.4
dnsmasq_dnsmasq_d_files_present:
  cache:
    - |
      domain-needed
      bogus-priv
      no-hosts
      dns-forward-max=150
      cache-size=1000
      neg-ttl=3600
      no-poll
      no-resolv
  consul:
    - |
      server=/consul/127.0.0.1#8600
  homestead-murawsky-net:
    - address=/usg.homestead.murawsky.net/192.168.1.1
    - address=/ns1.homestead.murawsky.net/192.168.1.2
    - address=/ns2.homestead.murawsky.net/192.168.1.3
# NTP
ntp_enabled: true
ntp_manage_config: true
ntp_area: &#39;us&#39;
# Pool hostnames need a dot after the index: 0.us.pool.ntp.org, 1.us.pool.ntp.org, ...
ntp_servers:
  - &amp;quot;0.{{ ntp_area }}.pool.ntp.org iburst&amp;quot;
  - &amp;quot;1.{{ ntp_area }}.pool.ntp.org iburst&amp;quot;
  - &amp;quot;2.{{ ntp_area }}.pool.ntp.org iburst&amp;quot;
  - &amp;quot;3.{{ ntp_area }}.pool.ntp.org iburst&amp;quot;
ntp_timezone: America/New_York
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;And finally, the simple site.yml file.&lt;/p&gt;
&lt;pre&gt;&lt;code class=&#34;language-yaml&#34;&gt;- name: Configure System Baselines
  hosts: all
  roles:
    - { role: baseline, tags: [&#39;baseline&#39;]}
- name: Configure DNS hosts
  hosts: dns
  roles:
    - { role: ntp, tags: [&#39;ntp&#39;] }
    - { role: dnsmasq, tags: [&#39;dnsmasq&#39;] }
    - { role: consul, tags: [&#39;consul&#39;] }
    - { role: hashivault, tags: [&#39;hashivault&#39;] }
&lt;/code&gt;&lt;/pre&gt;
&lt;h2 id=&#34;results&#34;&gt;Results&lt;/h2&gt;
&lt;p&gt;DNS resolution worked perfectly out of the gate as expected, but what about Consul?&lt;/p&gt;
&lt;p&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/consul-screenshot.png&#34; &gt;
&lt;img src=&#34;images/consul-screenshot.png&#34; alt=&#34;&#34; width=&#34;600&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
Brilliant! Sure, the services that I have loaded are pretty simple and don’t really benefit from a service locator, but they’re examples of what is possible. Now I can register any new service by loading the consul agent onto the server and simply adding a definition file in the appropriate folder! This should make future expansion of services much easier.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; I currently have two consul servers. This is bad and not highly available. I have to get one more consul server online. Debating between another Pi or putting it on the home server.&lt;/p&gt;
&lt;h2 id=&#34;future-plans&#34;&gt;Future Plans&lt;/h2&gt;
&lt;p&gt;You’ll notice there’s no real security around the deployment above either. That needs to be fixed in terms of Consul ACLs, Vault, and password/key management for user accounts. There’s also a cool tool called &lt;a href=&#34;https://pi-hole.net/&#34; target=&#34;_blank&#34;&gt;pi-hole&lt;/a&gt; which is a DNS-level ad blocker that I want to integrate into my environment. I also plan on setting up Docker on my home server in the not too distant future to make it easier to host some fun services like &lt;a href=&#34;https://prometheus.io/&#34; target=&#34;_blank&#34;&gt;Prometheus&lt;/a&gt;, &lt;a href=&#34;https://grafana.com/&#34; target=&#34;_blank&#34;&gt;Grafana&lt;/a&gt;, &lt;a href=&#34;https://www.home-assistant.io/&#34; target=&#34;_blank&#34;&gt;HomeAssistant&lt;/a&gt;, and some other cool tools. I’ll also have to extend the network to my barn as the office is moving out there. Lastly, I want to build a portable lab that I can take with me when doing demos or presentations at local user groups.&lt;/p&gt;</description></item><item><title>Homestead Network Upgrades</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/homestead-network-upgrades/</link><pubDate>Sun, 22 Oct 2017 12:05:33 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/homestead-network-upgrades/</guid><description>&lt;p&gt;Despite coming from the networking side of IT, I tend to use regular consumer-grade equipment at home. It typically just works, and I’m not looking for extreme reliability or features. I’ve been using hardware from Linksys, Netgear, and the other consumer network vendors for at least the last 10 years. Sometimes, though, things happen that make you reevaluate your previous life choices…&lt;/p&gt;
&lt;p&gt;For me, that thing was an email that I received from Verizon saying my router was infected with malware. Since I always take basic precautions like changing the default password and locking down external ports, I was a bit surprised. Turns out, there was a vulnerability in the firmware that had gone unpatched for months… In hindsight, I should not have been that surprised. At all. I thought I had purchased a flagship router that would be supported for at least a few years, but it didn’t look like any more patches were coming. Ever. I looked into trusty old &lt;a href=&#34;http://www.dd-wrt.com/&#34; target=&#34;_blank&#34;&gt;DD-WRT&lt;/a&gt; figuring that I could flash the router and at least get another year out of it, but apparently the R7000 has some performance issues with DD-WRT.&lt;/p&gt;
&lt;p&gt;After having issues like this a few times with generic consumer grade stuff over the years, no matter the vendor, I decided enough was enough. I researched available options in the enterprise hardware space (way too expensive and time consuming to set up), looked at open source alternatives (cheap, but time consuming, and not well integrated), and even looked at the more pro-level offerings from consumer manufacturers (underwhelming). After a few days, I decided on and purchased some &lt;a href=&#34;https://www.ubnt.com/&#34; target=&#34;_blank&#34;&gt;Ubiquiti&lt;/a&gt; hardware based on the many good reviews and a few personal recommendations from networking folks I respect.&lt;/p&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/ubiquiti-logo.png&#34; &gt;
&lt;img src=&#34;images/ubiquiti-logo.png&#34; alt=&#34;&#34; width=&#34;150&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;p&gt;Ubiquiti’s hardware is solid stuff, performance-wise, and they have a very good reputation. The hardware is what I would call “Enterprise Lite”, meaning it’s not Cisco, but it’s perfect for small to medium businesses who just want things to work. Additionally, the &lt;a href=&#34;https://unifi-sdn.ubnt.com/&#34; target=&#34;_blank&#34;&gt;Unifi configuration system&lt;/a&gt; and dashboard is excellent, taking a significant configuration and support burden off of me.&lt;/p&gt;
&lt;p&gt;The initial hardware purchase was:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;https://www.ubnt.com/unifi-routing/unifi-security-gateway-pro-4/&#34; target=&#34;_blank&#34;&gt;Unifi Security Gateway Pro&lt;/a&gt; (&lt;a href=&#34;https://www.amazon.com/gp/product/B019PBEI5W&#34; target=&#34;_blank&#34;&gt;Amazon&lt;/a&gt;)- I definitely went overkill here. The &lt;a href=&#34;https://www.amazon.com/Ubiquiti-Unifi-Security-Gateway-USG/dp/B00LV8YZLK/&#34; target=&#34;_blank&#34;&gt;entry model USG&lt;/a&gt; is capable of routing gigabit at near wirespeed. However, I decided that I liked the extra ports for a few future projects, like the barn office.&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://www.ubnt.com/unifi-switching/unifi-switch-8/&#34; target=&#34;_blank&#34;&gt;Unifi Switch 8, 60 Watt&lt;/a&gt; (&lt;a href=&#34;https://www.amazon.com/gp/product/B01MU3WUX1&#34; target=&#34;_blank&#34;&gt;Amazon&lt;/a&gt;)- Since the new network was not an all-in-one setup, I needed something to power the other devices around the house. This managed switch provided a lot more than just that, though. The VLANs will come in handy when we set up the home office.&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://www.ubnt.com/unifi/unifi-ap-ac-pro/&#34; target=&#34;_blank&#34;&gt;Unifi AP AC Pro&lt;/a&gt; (&lt;a href=&#34;https://www.amazon.com/gp/product/B015PRO512&#34; target=&#34;_blank&#34;&gt;Amazon&lt;/a&gt;)- Another bit of overkill for home use, but this one was easier to justify than the firewall. Simply put, it has more power, and I need that given the 2′ thick stone walls in the farmhouse.&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://www.ubnt.com/unifi/unifi-cloud-key/&#34; target=&#34;_blank&#34;&gt;Unifi Cloud Key&lt;/a&gt; (&lt;a href=&#34;https://www.amazon.com/gp/product/B017T2QB22&#34; target=&#34;_blank&#34;&gt;Amazon&lt;/a&gt;)- Though not strictly necessary, the Cloud Key allows you to run your network controller app on dedicated hardware. It can also be linked to the Unifi cloud portal allowing for a very convenient and secure hybrid cloud management platform.&lt;/li&gt;
&lt;/ul&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/murawsky-homestead-physical.png&#34; &gt;
&lt;img src=&#34;images/murawsky-homestead-physical.png&#34; alt=&#34;&#34; width=&#34;300&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;p&gt;The hardware wasn’t cheap, but surprisingly, it wasn’t much more than I paid for the R7000 two years ago. If I had chosen the regular USG, the price difference would have been negligible.&lt;/p&gt;
&lt;p&gt;As for the setup, it was easier than I thought. I racked the USG Pro, plugged in the switch, then the cloud key. Thankfully I had already run the line to the wireless AP so that was easy. I also threw in a Raspberry Pi server for fun. It took about 10 minutes to patch everything together. But what about the configuration?&lt;/p&gt;
&lt;p&gt;Well, thanks to the Unifi software on the Cloud Key, I was able to “adopt” the other devices and have them configured in no time at all. My basic single-VLAN setup was ready to go out of the box. All totaled, I had the network up and running in 20 minutes. Time vs the R7000? Maybe an extra 10 minutes.&lt;/p&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/unifi-dash.png&#34; &gt;
&lt;img src=&#34;images/unifi-dash.png&#34; alt=&#34;&#34; width=&#34;600&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;p&gt;What has it been like living with “Enterprise Lite” hardware at home? Fantastic. Having a useful dashboard that I can glance at to see the status of the home network is a perk I didn’t think I would care about, but I’ve used it several times already. The speed is true gigabit on wired, the wireless coverage is solid, and we don’t have random drops in connectivity anymore. And as for patches… I’ve already had two patches come through for the stack. It’s a simple matter of hitting the upgrade button for the device, or setting up auto-upgrade. As far as I’m concerned, I’m never going back to consumer gear again.&lt;/p&gt;</description></item><item><title>Saving the Jeep</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/saving-the-jeep/</link><pubDate>Mon, 31 Jul 2017 12:05:19 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/saving-the-jeep/</guid><description>&lt;p&gt;There has been a 1979 Jeep CJ-7 in my family for nearly 40 years now. My Great-Uncle bought it new from the dealer, and it passed to my father, then my mother, and now to me. The Jeep has many fond memories associated with it. I can still remember the first time I rode in it, with my uncle taking dad and me to the cabin. I remember when both my mom and dad were separately teaching me to drive and made me promise not to tell the other. I remember when, on one particular lesson, mom drove the Jeep off a steep embankment and I had to calm her down and get it out. Countless stories are wrapped up in that hunk of metal; precious memories that I wouldn’t trade for the world.&lt;/p&gt;
&lt;p&gt;Unfortunately life gets in the way sometimes. Dad passed away many years ago, and the Jeep became an occasional driver. Mom got sick a few years ago, and the Jeep was semi-permanently garaged. Recently, Mom passed after a long battle with cancer, and now the Jeep belongs to me. I don’t know much about cars, but I know keeping a vehicle in an unconditioned space for several years is bad for it. So what to do?&lt;/p&gt;
&lt;p&gt;I’m a fan of a show called &lt;a href=&#34;http://www.thesurvivalpodcast.com/&#34; target=&#34;_blank&#34;&gt;The Survival Podcast&lt;/a&gt; (TSP). In it, Jack Spirko, a renaissance prepper-cum-duck-farmer, talks about dozens of topics ranging from stocking a larder to bitcoin’s implications on the global economy. It’s a fantastically interesting show. TSP also has something called an &lt;a href=&#34;http://www.thesurvivalpodcast.com/about-tspc/meet-the-expert-council&#34; target=&#34;_blank&#34;&gt;Expert Council&lt;/a&gt;, comprised of subject matter experts from fields across the spectrum. One in particular stood out: &lt;a href=&#34;https://humblemechanic.com/&#34; target=&#34;_blank&#34;&gt;Charles Sanville, the Humble Mechanic&lt;/a&gt;. I thought if anyone could help and offer guidance, he could. So I sent the following email to Jack.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Question for:&lt;/strong&gt; Charles Sanville&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Question:&lt;/strong&gt; What should I do for an inherited 1979 CJ-7 that’s been garaged for the last 5 years and had some odd modifications done to it? It currently doesn’t run, but I’d like to keep it, and learn the basics of car maintenance and “restoration”.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Background:&lt;/strong&gt;
My great-uncle bought an odd CJ-7 new in 1979 from the dealer. It has&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;A straight 6, automatic transmission (I think AMC 232?)&lt;/li&gt;
&lt;li&gt;Power steering&lt;/li&gt;
&lt;li&gt;Manual brakes&lt;/li&gt;
&lt;li&gt;All-time 4-wheel drive (Quadra-Trac, which makes the jeep really squirrely at speed).&lt;/li&gt;
&lt;li&gt;Less than 20,000 original miles&lt;/li&gt;
&lt;li&gt;Almost no rust&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Over the years, it passed on from my great-uncle, to my father, then my mother. It’s a family heirloom at this point, and I have many fond memories of going camping, hiking, and to our family’s cabin in upstate NY. Heck, I even learned to drive in it! I really want to keep this vehicle for weekend/occasional driving, camping, and because it’s all I have left of my family at this point. I’d love for my son to learn to drive in it some day.&lt;/p&gt;
&lt;p&gt;There are a few known issues with the vehicle:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;My dad didn’t believe in modern emissions regulations and pulled most of those components. There are hoses that terminate in a bolt and hose clamp. The Jeep ran after these modifications, but I’d like to get it back to “normal” running mode so that it doesn’t potentially mess up the engine.&lt;/li&gt;
&lt;li&gt;Some of the control knobs inside come off.&lt;/li&gt;
&lt;li&gt;All four whitewalls are flat and don’t appear to hold air.&lt;/li&gt;
&lt;li&gt;The spare tire was side-mounted so a rear wooden cargo-box could be added. That box is now falling apart. Should I rebuild it or try to restore the spare tire to the rear?&lt;/li&gt;
&lt;li&gt;It’s in a garage in upstate NY, and I need to get it hauled to my garage in PA.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I’m an IT Architect/engineer who used to build a lot of sets for theater, so I’m competent with tools and woodworking, but I have almost no experience with cars. I’ve changed oil a few times and that’s about it.&lt;/p&gt;
&lt;p&gt;How do you get started with something like this? How do you figure out what was removed from the engine? Is a car this old worth restoring, or am I letting my sentimentality get in the way?
Any insight or advice you could provide would be greatly appreciated.
Sincerely,
-Derek M, in PA.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;I sent it in wondering if the question was too specific for a followup on the show, but I figured it was worth a shot. A few weeks went by and no answer came, so I thought I’d have to figure it out on my own. Then, to my surprise, I heard my question on the air&amp;hellip;&lt;/p&gt;
&lt;p&gt;This is the start of a new series, documenting my Family’s 1979 CJ-7. Stay tuned for updates.&lt;/p&gt;</description></item><item><title>The Great Cleanup – Chicken Coop Restoration Part 2</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/chicken-coop-restoration-part-2/</link><pubDate>Sat, 04 Mar 2017 11:38:48 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/chicken-coop-restoration-part-2/</guid><description>&lt;p&gt;Welcome to Part 2 of the Coop Restoration series. In this post, I’ll go over the cleanup that I did this past weekend. The coop started out in rough shape. There were rolls of old insulation, mouse nests, mold… It had been used as a storage space for transient garbage for years. Below are some pictures after I pulled out the worst of the insulation. You can see some of the nest in the back left corner behind the cabinets and dog crate.&lt;/p&gt;
&lt;p&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/IMG_20170220_195635.jpg&#34; &gt;
&lt;img src=&#34;images/IMG_20170220_195635.jpg&#34; alt=&#34;&#34; width=&#34;250&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/IMG_20170220_195645.jpg&#34; &gt;
&lt;img src=&#34;images/IMG_20170220_195645.jpg&#34; alt=&#34;&#34; width=&#34;250&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/IMG_20170220_195641.jpg&#34; &gt;
&lt;img src=&#34;images/IMG_20170220_195641.jpg&#34; alt=&#34;&#34; width=&#34;250&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;Once the big items were moved, sorted, and mostly thrown in the garbage, I did a preliminary sweep up. Turns out that half of the coop has unfinished hardwood floors! Bonus! After inspecting the chicken wire, I saw lots of rust, holes, and filth. There was no way to clean and reinforce it, so off it came. I also pulled off the old roosts and low panels as well.&lt;/p&gt;
&lt;p&gt;I debated pulling out the old flooring and walls, but there’s only so much I can do in two weeks. The plan right now will be to disinfect them thoroughly, and lay some washable &lt;a href=&#34;http://www.homedepot.com/p/EUCATILE-32-sq-ft-96-in-x-48-in-Hardboard-Thrifty-White-Tile-Board-HDDPTW48/205995949&#34; target=&#34;_blank&#34;&gt;hardboard over them&lt;/a&gt;. This is the same material that I’ll be using for the lower two feet of wall as it’s easily cleanable and a great draft blocker.&lt;/p&gt;
&lt;p&gt;After another sweep up, and vacuum, the place looked a lot better. The door was in pretty good shape, so that got left in place. I may have to pull it in the long run, though, as it currently swings inward and the wife and I are thinking about deep litter, but that’s an easy change at a later date.&lt;/p&gt;
&lt;p&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/IMG_20170226_151548.jpg&#34; &gt;
&lt;img src=&#34;images/IMG_20170226_151548.jpg&#34; alt=&#34;&#34; width=&#34;250&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/IMG_20170225_124810.jpg&#34; &gt;
&lt;img src=&#34;images/IMG_20170225_124810.jpg&#34; alt=&#34;&#34; width=&#34;250&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/IMG_20170225_124814.jpg&#34; &gt;
&lt;img src=&#34;images/IMG_20170225_124814.jpg&#34; alt=&#34;&#34; width=&#34;250&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;Next up, in part 3: Framing and Re-Chicken-Wiring the coop!&lt;/p&gt;</description></item><item><title>To Export the Unexportable Key</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/export-unexportable-key/</link><pubDate>Wed, 01 Mar 2017 11:59:53 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/export-unexportable-key/</guid><description>
&lt;p&gt;Every now and then, you have to export a certificate in Windows, and someone forgot to check that little box to let you be able to do it… What is an enterprising SysAdmin to do? Enter &lt;a href=&#34;http://blog.gentilkiwi.com/mimikatz&#34; target=&#34;_blank&#34;&gt;Mimikatz&lt;/a&gt; (&lt;a href=&#34;https://github.com/gentilkiwi/mimikatz&#34; target=&#34;_blank&#34;&gt;source&lt;/a&gt;), a tool that lets you patch the Windows crypto api and do several cool (and frightening) things. The process is very simple.&lt;/p&gt;
&lt;h2 id=&#34;to-export-an-unexportable-private-key&#34;&gt;To Export an Unexportable Private Key:&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;Create a temp directory&lt;/li&gt;
&lt;li&gt;Download the latest version of &lt;a href=&#34;https://github.com/gentilkiwi/mimikatz/releases/tag/2.1.0-20170227&#34; target=&#34;_blank&#34;&gt;Mimikatz&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Extract the appropriate version (32 or 64 bit) to the temp directory&lt;/li&gt;
&lt;li&gt;Open an admin command prompt&lt;/li&gt;
&lt;li&gt;Change to the temp directory&lt;/li&gt;
&lt;li&gt;Run &lt;code&gt;mimikatz&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Type &lt;code&gt;crypto::capi&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;And finally type &lt;code&gt;crypto::certificates /export&lt;/code&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;You’ll see all of the certificates in the MY store exported into the temp directory in pfx format. The default password is mimikatz. Want another cert store? Perhaps, the computer store? Simply run &lt;code&gt;crypto::certificates /export /systemstore:LOCAL_MACHINE&lt;/code&gt;. Check out the &lt;a href=&#34;https://github.com/gentilkiwi/mimikatz/wiki&#34; target=&#34;_blank&#34;&gt;GitHub wiki&lt;/a&gt; for documentation on this and other cool features of this powerful tool.&lt;/p&gt;</description></item><item><title>Chicken Coop Restoration Part 1</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/chicken-coop-restoration-part-1/</link><pubDate>Tue, 28 Feb 2017 10:41:14 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/chicken-coop-restoration-part-1/</guid><description>
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/homestead.png&#34; &gt;
&lt;img src=&#34;images/homestead.png&#34; alt=&#34;&#34; width=&#34;250&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;p&gt;One of the wonderful things about our homestead is that we inherited several outbuildings. We have a large post-and-beam barn (40 x 60), equipment shed (16 x 24), storage shed (14 x 24 + lean-to), and a rather large chicken coop turned racing pigeon coop (14 x 24). Yes, you read that right. The previous owners really loved their racing pigeons and converted a perfectly good chicken coop into a palatial (for a pigeon) loft! Unfortunately, the barn is the only structure in good shape, having been rebuilt by the previous owner. The rest of the outbuildings are in various states of disrepair.&lt;/p&gt;
&lt;p&gt;Since we’re starting the new year off with a focus on sustainability, it’s time to look at our outbuildings and restore them to their former glory! Or at least, to a usable state. The first project will be to rebuild the chicken coop and get some birds in!&lt;/p&gt;
&lt;h2 id=&#34;about-the-chicken-coop&#34;&gt;About the Chicken Coop&lt;/h2&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/coop-external.jpg&#34; &gt;
&lt;img src=&#34;images/coop-external.jpg&#34; alt=&#34;External view of coop&#34; width=&#34;600&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;p&gt;The Coop is a semi-insulated structure, elevated on piers, with a door on the short end closest to the house. It has several windows along the south wall, electricity, and a freeze-proof yard hydrant, and is in desperate need of a paint job amongst other things. Inside, there are two large rooms separated by a wall. Each of those rooms has a wired off coop area and an open area. The previous owners must really have loved their racing pigeons to build such a large structure for them!&lt;/p&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/coop-current.png&#34; &gt;
&lt;img src=&#34;images/coop-current.png&#34; alt=&#34;Current layout of coop&#34; width=&#34;600&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;h2 id=&#34;plan-for-the-chicken-coop&#34;&gt;Plan for the Chicken Coop&lt;/h2&gt;
&lt;p&gt;In addition to the basic cleanup of the building, the goal for the coop project is to make it able to hold a brooder in two weeks. As part of that, we want to do three main things: extend the interior coop wall to include the exterior chicken door, create removable roosting space, and build exterior-accessible nesting boxes.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;By extending just one section of the coop to include the exterior chicken door, we can keep more room for storage of supplies for the birds and other critters. If we end up running more birds than this space allows, I can always extend the entire wall.&lt;/li&gt;
&lt;li&gt;The roost space will be angled and removable. When brooding chicks, the roost will come out and the hover-brooder will go in the corner.&lt;/li&gt;
&lt;li&gt;Finally, having nesting boxes that we can access without having to go into the coop itself is just easier in the long run. I would very much like to have &lt;a href=&#34;https://bestnestbox.com/collections/all-of-our-products/products/large-front-rollaway-or-rear-rollaway-community-nest-box-reversible&#34; target=&#34;_blank&#34;&gt;roll-out nesting boxes&lt;/a&gt;, but they tend to be expensive and we already have enough expenses rehabbing the coop this year.&lt;/li&gt;
&lt;/ol&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/coop-planned.png&#34; &gt;
&lt;img src=&#34;images/coop-planned.png&#34; alt=&#34;&#34; width=&#34;600&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;p&gt;So, what do you think?&lt;/p&gt;
&lt;p&gt;Next Up, in part 2: The Great Cleanup!&lt;/p&gt;</description></item><item><title>My First Wine Kit – Winexpert World Vineyard Chilean Malbec</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/my-first-wine-kit/</link><pubDate>Mon, 21 Nov 2016 10:26:19 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/my-first-wine-kit/</guid><description>
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/ready-to-go.jpg&#34; &gt;
&lt;img src=&#34;images/ready-to-go.jpg&#34; alt=&#34;&#34; width=&#34;225&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;p&gt;I’ve brewed beer about a half a dozen times over the last few years. It’s not a hobby that I’m particularly active in, but I do enjoy it once in a while. I’ve made ciders and ales a few times, even going as far as to make a Trippel once. The only thing I’ve bombed was a batch of mead which, for some reason, refused to ferment. Ah well, it was college. I blame distractions. Anyway, I thought it would be good to keep a journal of some of these activities. So here goes, my first foray into wine making: &lt;a href=&#34;http://www.winexpert.com/wine?brand[]=533&amp;amp;keywords=Chilean%20Malbec&amp;amp;v=list&amp;amp;p=details&#34; target=&#34;_blank&#34;&gt;The Winexpert World Vineyard Chilean Malbec&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id=&#34;day-1-customer-appreciation-day-nov-20-2016&#34;&gt;Day 1 – Customer Appreciation Day (Nov 20, 2016)&lt;/h2&gt;
&lt;p&gt;It was Customer Appreciation Day at my local homebrew store, &lt;a href=&#34;http://www.keystonehomebrew.com/&#34; target=&#34;_blank&#34;&gt;Keystone Homebrew&lt;/a&gt;, so my wife, son, and I went down to see what they had. Aside from a bouncy-castle, crepe truck, and lots of samples, they had a great selection of wine kits. My wife, being a wine person, was really interested. However, she didn’t think it would be easy to do. Originally, we were going to get a 1 gallon demo kit to try out the whole process, but thanks to a very helpful sales guy, we realized just how simple the kit process was. We walked out with two kits: The &lt;a href=&#34;http://www.winexpert.com/wine?brand[]=536&amp;amp;keywords=Dessert%20Wine&amp;amp;v=list&amp;amp;p=details&#34; target=&#34;_blank&#34;&gt;Winexpert Speciale Dessert Wine&lt;/a&gt; and the &lt;a href=&#34;http://www.winexpert.com/wine?brand[]=533&amp;amp;keywords=Chilean%20Malbec&amp;amp;v=list&amp;amp;p=details&#34; target=&#34;_blank&#34;&gt;Winexpert World Vineyard Chilean Malbec&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/both-kits.jpg&#34; &gt;
&lt;img src=&#34;images/both-kits.jpg&#34; alt=&#34;&#34; width=&#34;600&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
After reading the directions for both kits, I decided to start with the Malbec. Both were surprisingly simple, but the Malbec had one less step. We cleaned our equipment, hydrated the bentonite, poured the concentrate in, topped it up with bottled water, tested, and otherwise got the kit ready. The OG was 1.092-94, which is right where the directions said it should be. The kit is happily hanging out in the utility closet now. T-Minus 5-7 days to racking!&lt;/p&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/malbec-wine-kit.jpg&#34; &gt;
&lt;img src=&#34;images/malbec-wine-kit.jpg&#34; alt=&#34;&#34; width=&#34;600&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;</description></item><item><title>Authorized_Keys in Active Directory</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/authorized_keys-in-active-directory/</link><pubDate>Sat, 21 Nov 2015 17:09:02 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/authorized_keys-in-active-directory/</guid><description>
&lt;p&gt;Now that we are implementing more Linux systems, I’m noticing some of the pain points of keeping certain things in sync. A big annoyance, for example, is keeping our infrastructure and users’ SSH keys in sync across all of our machines. There are several methods currently available, but I had issues with each. I’ve listed the two main methods below.&lt;/p&gt;
&lt;h2 id=&#34;via-configuration-management&#34;&gt;Via Configuration Management&lt;/h2&gt;
&lt;p&gt;A very DevOpsy way of tackling the problem would be to use a configuration management system like Chef to keep the files updated. In fact, there are &lt;a href=&#34;https://www.chef.io/blog/2014/07/10/managing-users-and-ssh-keys-in-a-hybrid-world/&#34; target=&#34;_blank&#34;&gt;several examples&lt;/a&gt; of &lt;a href=&#34;https://forge.puppetlabs.com/tags/authorized-keys&#34; target=&#34;_blank&#34;&gt;this solution&lt;/a&gt; out there already. However, this seems a bit counter-intuitive to me. Why keep user account and related information in a config management system instead of a directory service? This is probably my Windows World bias, but &lt;a href=&#34;https://jumpcloud.com/blog/why-user-management-in-chef-and-puppet-is-a-mistake/&#34; target=&#34;_blank&#34;&gt;there are others that agree&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id=&#34;via-scripts-dedicated-systems&#34;&gt;Via Scripts/Dedicated Systems&lt;/h2&gt;
&lt;p&gt;From simple &lt;a href=&#34;https://github.com/bronson/sshkeys&#34; target=&#34;_blank&#34;&gt;shell scripts&lt;/a&gt;, to &lt;a href=&#34;https://github.com/cloudtools/ssh-cert-authority&#34; target=&#34;_blank&#34;&gt;complex&lt;/a&gt; &lt;a href=&#34;http://sshkeybox.com/&#34; target=&#34;_blank&#34;&gt;systems&lt;/a&gt;, there are many ways to keep this data in sync. The simplest would appear to be setting up NFS and pointing all users’ home directories there… But then you have to keep those NFS servers in sync and backed up across multiple sites, which can be problematic at scale.&lt;/p&gt;
&lt;h2 id=&#34;our-solution-ad-ldap-storage-of-ssh-keys&#34;&gt;Our Solution – AD/LDAP storage of SSH keys&lt;/h2&gt;
&lt;p&gt;To be up front, this was not my idea. There are many other folks who have &lt;a href=&#34;https://github.com/AndriiGrytsenko/openssh-ldap-publickey&#34; target=&#34;_blank&#34;&gt;implemented&lt;/a&gt; &lt;a href=&#34;https://code.google.com/p/openssh-lpk/&#34; target=&#34;_blank&#34;&gt;similar&lt;/a&gt; &lt;a href=&#34;http://itdavid.blogspot.com/2013/11/howto-configure-openssh-to-fetch-public.html&#34; target=&#34;_blank&#34;&gt;solutions&lt;/a&gt;. We are using this method specifically because we have a robust AD infrastructure with all of our Linux authentication going through AD already (a post on this is soon to come). It probably doesn’t make sense for a group that already has a solid solution in, say, Chef or Puppet. For us, it did, and this is how we built it.&lt;/p&gt;
&lt;p&gt;First, we had to extend the Active Directory schema. This is not something for the faint of heart, but is also not something to be afraid of. I followed the procedure listed &lt;a href=&#34;https://www.balabit.com/sites/default/files/documents/scb-latest-guides/en/scb-guide-admin/html/proc-scenario-usermapping.html&#34; target=&#34;_blank&#34;&gt;here&lt;/a&gt; (after backing things up) and had everything ready to go in about 15 minutes. A note on the procedure: you do not need to use ADSIEdit to manage the custom attribute afterwards. Just open AD Users and Computers and switch to the advanced view mode. Each item will then have an “attributes” tab in its properties page.&lt;/p&gt;
&lt;p&gt;Once the schema was extended, the fun began. OpenSSH supports a config variable called “AuthorizedKeysCommand”. This allows us to call an arbitrary script to pull the user’s authorized_keys file. This &lt;a href=&#34;http://serverfault.com/questions/653792/ssh-key-authentication-using-ldap&#34; target=&#34;_blank&#34;&gt;serverfault post&lt;/a&gt; got me going on creating a custom command, but the output of sed wasn’t clean enough. I whipped up the following script in Perl to get everything working nicely. It binds to AD using a username and password and then pulls all sshPublicKey values from the specified user account.&lt;/p&gt;
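&lt;pre&gt;&lt;code class=&#34;language-perl&#34;&gt;#!/usr/bin/perl
# Gets authorized keys from LDAP. Cleaner and supports any number of ssh keys, within reason.
# Requires Net::LDAP.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $BINDDN     = &amp;quot;cn=service account,dc=example,dc=com&amp;quot;;
my $BINDPW     = &amp;quot;Password&amp;quot;;
my $SEARCHBASE = &amp;quot;dc=example,dc=com&amp;quot;;
my $SERVER     = &amp;quot;domain or ip&amp;quot;;

# sshd passes the login name as the first argument.
my $user = shift @ARGV;
die &amp;quot;usage: $0 username\n&amp;quot; unless defined $user and length $user;

# Escape the name so it cannot alter the LDAP filter.
my $SearchFor = &amp;quot;(samaccountname=&amp;quot; . escape_filter_value($user) . &amp;quot;)&amp;quot;;

my $ldap = Net::LDAP-&amp;gt;new( $SERVER ) or die &amp;quot;$@&amp;quot;;
my $msg = $ldap-&amp;gt;bind( $BINDDN, password =&amp;gt; $BINDPW );
die $msg-&amp;gt;error if $msg-&amp;gt;code;

my $result = $ldap-&amp;gt;search( base   =&amp;gt; $SEARCHBASE,
                            filter =&amp;gt; $SearchFor,
                            attrs  =&amp;gt; [&#39;sshPublicKey&#39;],
                          );
die $result-&amp;gt;error if $result-&amp;gt;code;

# Print every sshPublicKey value, one per line, as sshd expects.
while (my $entry = $result-&amp;gt;shift_entry) {
    foreach ($entry-&amp;gt;get_value(&#39;sshPublicKey&#39;)) {
        print $_, &amp;quot;\n&amp;quot;;
    }
}
$ldap-&amp;gt;unbind;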
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;Once the script is created, it can be called by adding “AuthorizedKeysCommand /path/to/script” to the sshd_config file. I also had to set the script to run as root by using the “AuthorizedKeysCommandUser root” command.&lt;/p&gt;
&lt;h2 id=&#34;next-steps&#34;&gt;Next Steps&lt;/h2&gt;
&lt;p&gt;I want to improve this script in a few ways long-term…&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Since all of our Linux systems are part of our domain, there should be a way to have them bind to LDAP by using the machine’s Kerberos ticket. I don’t like using a username and password, but didn’t have the time to get the Kerberos bind working reliably.&lt;/li&gt;
&lt;li&gt;On the security front, this should be a TLS bind. No reason to have the data going over the wire in cleartext.&lt;/li&gt;
&lt;li&gt;The script should not have to run as root…&lt;/li&gt;
&lt;li&gt;Cache the authorized_keys file on a per-user basis. We have a very robust AD infrastructure, but there is always a concern that it could become unavailable. The system’s resiliency would be greatly increased if it could cache the authorized_keys locally on a per-user basis, where sshd would normally look for it.&lt;/li&gt;
&lt;li&gt;Error Handling and Logging. It’s not fun, but it’s important. I wanted to get this solution out quickly, but it should be able to log to standard sources and handle some edge cases.&lt;/li&gt;
&lt;li&gt;Since the above is a lot of work, perhaps I can just improve a project like &lt;a href=&#34;https://github.com/jirutka/ssh-ldap-pubkey&#34; target=&#34;_blank&#34;&gt;ssh-ldap-pubkey&lt;/a&gt; to support Kerberos.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;external-links&#34;&gt;External Links&lt;/h2&gt;
&lt;p&gt;I found the following links quite helpful in generating this solution.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;http://serverfault.com/questions/653792/ssh-key-authentication-using-ldap&#34; target=&#34;_blank&#34;&gt;http://serverfault.com/questions/653792/ssh-key-authentication-using-ldap&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://www.balabit.com/sites/default/files/documents/scb-latest-guides/en/scb-guide-admin/html/proc-scenario-usermapping.html&#34; target=&#34;_blank&#34;&gt;https://www.balabit.com/sites/default/files/documents/scb-latest-guides/en/scb-guide-admin/html/proc-scenario-usermapping.html&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://github.com/jirutka/ssh-ldap-pubkey&#34; target=&#34;_blank&#34;&gt;https://github.com/jirutka/ssh-ldap-pubkey&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>Flexible Email Alerts for Logstash</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/flexible-email-alerts-for-logstash/</link><pubDate>Fri, 13 Nov 2015 17:00:47 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/flexible-email-alerts-for-logstash/</guid><description>
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/logstash-logo.png&#34; &gt;
&lt;img src=&#34;images/logstash-logo.png&#34; alt=&#34;&#34; width=&#34;100&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;p&gt;My company currently does a lot of its debug logging via email&amp;hellip; This means that every time an unhandled exception occurs in production, qa, uat, or integration, we get an email. Thank goodness for custom email rules and single instance storage in Exchange. &lt;a href=&#34;http://farisnt.blogspot.com/2014/09/exchange-2010-2013-server-single.html&#34; target=&#34;_blank&#34;&gt;Oh wait&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;I have been a proponent of &lt;a href=&#34;https://www.elastic.co/products/logstash&#34; target=&#34;_blank&#34;&gt;Logstash&lt;/a&gt; and the &lt;a href=&#34;https://www.elastic.co/webinars/introduction-elk-stack&#34; target=&#34;_blank&#34;&gt;ELK stack&lt;/a&gt; for quite a while now. It is a wonderfully flexible framework for centralizing, enriching, and viewing log data. This past week, I built a proof of concept for management and they loved it. However, many folks wanted to know how we could send out emails from the logging system. I pointed them at the &lt;a href=&#34;https://www.elastic.co/guide/en/logstash/current/plugins-outputs-email.html&#34; target=&#34;_blank&#34;&gt;Logstash email output plugin&lt;/a&gt;, but they weren’t convinced. They wanted to see some flexible routing capabilities that could be leveraged in any config file, for any log type. Thankfully, this was pretty easy to accomplish.&lt;/p&gt;
&lt;p&gt;Below I present a simple tag- and field-based config for email notifications.&lt;/p&gt;
&lt;p&gt;&lt;div class=&#34;highlight&#34;&gt;&lt;pre style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4&#34;&gt;&lt;code class=&#34;language-plaintext&#34; data-lang=&#34;plaintext&#34;&gt;# This config is designed to flexibly send out email notifications
# It *requires* certain fields to work
# Create a tag &amp;#34;SendEmailAlert&amp;#34;
# Required field emailAlert_to - the email address to send to
# Required field emailAlert_subject - The subject of the email
# Required field emailAlert_body - The body, defaults to %message
#
output {
if &amp;#34;SendEmailAlert&amp;#34; in [tags] {
email {
address =&amp;gt; &amp;#34;smtp.XXXXX.org&amp;#34;
username =&amp;gt; &amp;#34;XXXXX&amp;#34;
password =&amp;gt; &amp;#34;XXXXX&amp;#34;
via =&amp;gt; &amp;#34;smtp&amp;#34;
from =&amp;gt; &amp;#34;logstash.alert@XXXXXX.com&amp;#34;
to =&amp;gt; &amp;#34;%{emailAlert_to}&amp;#34;
subject =&amp;gt; &amp;#34;%{emailAlert_subject}&amp;#34;
body =&amp;gt; &amp;#34;%{emailAlert_body}&amp;#34;
}
}
} &lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
As the comments indicate, all you need to do is tag a message with “SendEmailAlert” and add the appropriate fields and voila: flexible email notifications. In order to use it, a simple mutate is all that is needed.&lt;/p&gt;
&lt;p&gt;&lt;div class=&#34;highlight&#34;&gt;&lt;pre style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4&#34;&gt;&lt;code class=&#34;language-plaintext&#34; data-lang=&#34;plaintext&#34;&gt;mutate {
add_tag =&amp;gt; [&amp;#34;SendEmailAlert&amp;#34;]
add_field =&amp;gt; {
&amp;#34;emailAlert_to&amp;#34; =&amp;gt; &amp;#34;user@XXXXX.com&amp;#34;
&amp;#34;emailAlert_subject&amp;#34; =&amp;gt; &amp;#34;Test Alert&amp;#34;
&amp;#34;emailAlert_body&amp;#34; =&amp;gt; &amp;#34;%{message}&amp;#34;
}
}&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
We could easily extend it further, but this has been fine for our POC thus far. We have also implemented similar notifications for Hipchat and PagerDuty.&lt;/p&gt;</description></item><item><title>What to do with an old Christmas tree farm?</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/what-to-do-with-a-christmas-tree-farm/</link><pubDate>Wed, 21 Oct 2015 16:42:36 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/what-to-do-with-a-christmas-tree-farm/</guid><description>
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/christmas-trees-dense.jpg&#34; data-caption=&#34;It&amp;rsquo;s dark in there&amp;hellip;&#34;&gt;
&lt;img src=&#34;images/christmas-trees-dense.jpg&#34; alt=&#34;&#34; width=&#34;100&#34; &gt;&lt;/a&gt;
&lt;figcaption&gt;
It&amp;rsquo;s dark in there&amp;hellip;
&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;As the missus and I sit and talk about our new homestead and the directions that we are thinking about taking it, one problem keeps coming up: the old Christmas tree stand. You see, dear reader, our homestead used to be a Christmas tree farm back in the 80s. Unfortunately, the previous owners decided not to keep the farm going and let the trees grow up. On the surface this may not appear to be an issue, that is, until you consider planting densities.&lt;/p&gt;
&lt;p&gt;Normal pine tree stands are planted at about 400-500 trees per acre. This allows for them to grow straight and healthy. Stands like that can be used for lumber and wood pulp and can net a good amount of money when they mature. However, Christmas tree farms are planted at 1,000 – 1,500 trees per acre. This is no problem if trees are kept small and regularly trimmed… Unfortunately, that’s not the case here. Our stand is dense. It’s dark in there. This level of density leads to really unhealthy trees, and from the research I’ve been doing, it appears that there is not much that can be done.&lt;/p&gt;
&lt;p&gt;It seems that our options are limited to the following:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Leave it be – The trees will keep growing, and will start dying off. This will likely result in a bad situation for both domestic and wild animals, not to mention the lack of productivity of that patch of the homestead.&lt;/li&gt;
&lt;li&gt;Selective thinning – This would involve getting a lumber/pulp company in to selectively harvest every other row of trees. This may not be an option because of the density. You can’t really get equipment in there. That means it might just be me with a chainsaw.&lt;/li&gt;
&lt;li&gt;Harvest the whole thing – This is the option that I really don’t like, but seems to be the best all around. It would net some cash from the sale of the wood and would allow us to plant a new, healthy, forest and silvopasture using permaculture principles. The main problem here would be handling the stumps and the time it would take for a new forest to establish itself.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In case anyone is interested, I’ve also compiled a few links on the topic.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Contending with Overgrown Christmas Trees – &lt;a href=&#34;http://blogs.oregonstate.edu/treetopics/2014/03/10/contending-overgrown-christmas-trees/&#34; target=&#34;_blank&#34;&gt;http://blogs.oregonstate.edu/treetopics/2014/03/10/contending-overgrown-christmas-trees/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Reddit Discussion on the topic – &lt;a href=&#34;https://www.reddit.com/r/forestry/comments/3gsdi3/harvesting_a_30_yearold_abandoned_christmas_tree/&#34; target=&#34;_blank&#34;&gt;https://www.reddit.com/r/forestry/comments/3gsdi3/harvesting_a_30_yearold_abandoned_christmas_tree/&lt;/a&gt;
&lt;br /&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;And here are some additional photos:&lt;/p&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/christmas-trees-1.jpg&#34; data-caption=&#34;The stand is pretty tall&#34;&gt;
&lt;img src=&#34;images/christmas-trees-1.jpg&#34; alt=&#34;&#34; width=&#34;100&#34; &gt;&lt;/a&gt;
&lt;figcaption&gt;
The stand is pretty tall
&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/christmas-trees-2.jpg&#34; data-caption=&#34;Unhealthy&#34;&gt;
&lt;img src=&#34;images/christmas-trees-2.jpg&#34; alt=&#34;&#34; width=&#34;100&#34; &gt;&lt;/a&gt;
&lt;figcaption&gt;
Unhealthy
&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/christmas-trees-3.jpg&#34; data-caption=&#34;Unhealthy&#34;&gt;
&lt;img src=&#34;images/christmas-trees-3.jpg&#34; alt=&#34;&#34; width=&#34;100&#34; &gt;&lt;/a&gt;
&lt;figcaption&gt;
Unhealthy
&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/christmas-trees-dense.jpg&#34; data-caption=&#34;It&amp;rsquo;s dark in there&amp;hellip;&#34;&gt;
&lt;img src=&#34;images/christmas-trees-dense.jpg&#34; alt=&#34;&#34; width=&#34;100&#34; &gt;&lt;/a&gt;
&lt;figcaption&gt;
It&amp;rsquo;s dark in there&amp;hellip;
&lt;/figcaption&gt;
&lt;/figure&gt;</description></item><item><title>Finding a Home(stead)</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/finding-a-homestead/</link><pubDate>Sun, 12 Jul 2015 16:38:51 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/finding-a-homestead/</guid><description>
&lt;p&gt;Finding a place to call your own is quite a step in life. To me, it means you’re ready to settle in, put down some roots, and potentially create a legacy. After discussing various options with my wife, we decided now would be a good time to consider buying a home. I thought I would document the reasons for the move for posterity’s sake.&lt;/p&gt;
&lt;h2 id=&#34;investment&#34;&gt;Investment&lt;/h2&gt;
&lt;p&gt;The thing that started us down this path was a simple realization: we pay a lot out in rent, and it would be really nice to “invest” that money instead. My wife and I currently live in a nice townhouse, in a good planned development near Princeton, NJ. Though we live within our means, we still pay out quite a bit for rent. For that, we get three bedrooms (really one bedroom and two offices), access to a pool, and lots of restrictions (including a no-charcoal-grill policy).&lt;/p&gt;
&lt;p&gt;At the time, it made sense for us to move in to the development and not worry about anything. We could concentrate on paying off our debts, saving money, and helping my mother sell her old home in Queens, NY. Now that we’re done with all of that, though, it’s time to move on. Although many don’t consider a home an investment, putting equity in our pocket is certainly better than having it leave the family entirely.&lt;/p&gt;
&lt;h2 id=&#34;healthy-self-sufficient-lifestyle&#34;&gt;Healthy, Self-Sufficient Lifestyle&lt;/h2&gt;
&lt;p&gt;My wife and I have recently started to adopt a “healthy lifestyle”. For us, that means eating more natural foods with fewer carbs and processed junk. The first thing we realized after making these changes was that the cost of high-quality food adds up quickly. The next thing we noticed was that we really did feel a lot better, so the premium was worth it.&lt;/p&gt;
&lt;p&gt;Aside from food, we spend a lot of time commuting. Currently, my wife is commuting two hours, one way, by public transit, daily. This just isn’t healthy for so many reasons. I am in a better position, commuting a little over an hour one-way, by car, twice a day, but this takes quite a toll on us in many ways.&lt;/p&gt;
&lt;p&gt;First, we don’t eat until 8:30-9:00 PM most nights. When you go to bed at 10 PM, this is a really bad thing. Second, we don’t have time for each other. Having an hour, two if you’re lucky, to catch up with your significant other is a terrible way to live a life. I love my wife, it’s why I married her! Finally, we don’t have time for our hobbies. My wife is a bit luckier in this regard as her hobby, knitting, is portable. I have taken to listening to podcasts on my commute as no one wants to listen to a table saw going at 9:30PM.&lt;/p&gt;
&lt;h2 id=&#34;a-base-of-operations-with-a-sense-of-permanence&#34;&gt;A Base of Operations with a Sense of Permanence&lt;/h2&gt;
&lt;p&gt;Living in a development has taught me two things: I love having someone else mow the lawn / shovel snow, and I hate not having a back yard to do projects in. Even with two offices, there’s no place for a shop, garden, or sheep. Yes, you read that right: sheep.&lt;/p&gt;
&lt;p&gt;My wife is a knitter and she loves her hobby. She wants sheep, and I want her to be happy, so we need a place for sheep. My hobby is woodworking and building things. I’ve always been limited to a corner of a garage or basement, when I’ve been lucky enough to have a place at all. So room for a shop is a must for me. Finally there’s the garden. We had one in the past, and it was a wonderful experience. Now that we are focusing on healthier eating, what better way to get the best produce at the best prices than to grow it ourselves?&lt;/p&gt;
&lt;p&gt;So on to the home search!&lt;/p&gt;</description></item><item><title>Searching for Superfish using PowerShell</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/searching-for-superfish/</link><pubDate>Thu, 19 Feb 2015 16:34:26 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/searching-for-superfish/</guid><description>&lt;p&gt;Lenovo installed a piece of software that could arguably be called malware or spyware. Superfish, as &lt;a href=&#34;http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/&#34; target=&#34;_blank&#34;&gt;this article&lt;/a&gt; indicates, installs a self-signed root certificate that is authoritative for everything. I wanted to be sure that this issue wasn’t present on any of our Lenovo systems, so I turned to PowerShell to help.&lt;/p&gt;
&lt;p&gt;I found a copy of the certificate on Robert David Graham’s GitHub &lt;a href=&#34;https://github.com/robertdavidgraham/pemcrack/blob/master/test.pem&#34; target=&#34;_blank&#34;&gt;here&lt;/a&gt;. I pulled the thumbprint from the cert which appears to be: c864484869d41d2b0d32319c5a62f9315aaf2cbd&lt;/p&gt;
&lt;p&gt;Now, some simple PowerShell code will let you run through your local certificate store and see if you have it installed.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4&#34;&gt;&lt;code class=&#34;language-Powershell&#34; data-lang=&#34;Powershell&#34;&gt;Get-ChildItem -Recurse cert&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;:&lt;/span&gt;\LocalMachine\ |where {$_.Thumbprint &lt;span style=&#34;color:#f92672&#34;&gt;-eq&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;c864484869d41d2b0d32319c5a62f9315aaf2cbd&amp;#34;&lt;/span&gt;}&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;p&gt;You could just as easily replace the get-childitem with “Remove-Item -Path cert:\LocalMachine\root\c864484869d41d2b0d32319c5a62f9315aaf2cbd”, but I wanted to make sure the key wasn’t installed somewhere else.&lt;/p&gt;
&lt;p&gt;Now, to take it a step further, I use the AD cmdlets and some more simple PowerShell to search all my systems for it.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4&#34;&gt;&lt;code class=&#34;language-Powershell&#34; data-lang=&#34;Powershell&#34;&gt;Import-Module ActiveDirectory
$Cred = Get-Credential
$Computers = Get-ADComputer -Filter {enabled &lt;span style=&#34;color:#f92672&#34;&gt;-eq&lt;/span&gt; $true} | select Name
&lt;span style=&#34;color:#66d9ef&#34;&gt;foreach&lt;/span&gt; ($Computer &lt;span style=&#34;color:#66d9ef&#34;&gt;in&lt;/span&gt; $Computers) {
&lt;span style=&#34;color:#66d9ef&#34;&gt;try&lt;/span&gt;{
&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt;(test-connection -Count 1 -ComputerName $Computer.Name){
write-output (invoke-command -ComputerName $Computer.Name -Credential $Cred -ScriptBlock {Get-ChildItem -Recurse cert&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;:&lt;/span&gt;\LocalMachine\ |where {$_.Thumbprint &lt;span style=&#34;color:#f92672&#34;&gt;-eq&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;c864484869d41d2b0d32319c5a62f9315aaf2cbd&amp;#34;&lt;/span&gt;}})
}
}&lt;span style=&#34;color:#66d9ef&#34;&gt;catch&lt;/span&gt;{
Write-Error (&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;There was an issue connecting to computer $($Computer.Name) : &amp;#34;&lt;/span&gt; + $_.Exception)
}
}&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;p&gt;Is it perfect? No. But it gets the job done in relatively short order.&lt;/p&gt;</description></item><item><title>A Hundred Domains and SHA-1 Deprecation</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/hundred-domains-sha1-deprication/</link><pubDate>Wed, 17 Sep 2014 16:27:17 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/hundred-domains-sha1-deprication/</guid><description>&lt;p&gt;Apparently I’ve been living under a rock for a while, because I didn’t know that SHA-1 was being phased out in the immediate future. Thank you, GoDaddy, for notifying me with a month and change to spare. As it turns out, Google will no longer be trusting certain SHA-1 signed SSL certificates with the release of Chrome 39, which is set for November. For details, see the following links.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html&#34; target=&#34;_blank&#34;&gt;Gradually Sunsetting SHA-1&lt;/a&gt; (Google)&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx&#34; target=&#34;_blank&#34;&gt;SHA1 Deprecation Policy&lt;/a&gt; (Microsoft)&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/&#34; target=&#34;_blank&#34;&gt;Phasing out Certificates with 1024-bit RSA Keys&lt;/a&gt; (Mozilla)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Due to the fact that our clients often purchase their own SSL certificates, we have no internal records to check what algorithm was used to sign the certificates in use. So now we get to audit slightly over 100 domains to check and see what signature algorithm is in use. We could browse to each domain manually and take a look at their certificate but that would just take way too long. There were some web based tools around that could do it, but they also only worked on one site at a time.&lt;/p&gt;
&lt;p&gt;So, instead, I looked to PowerShell to see what could be done… Unfortunately, there was no native cmdlet to do anything like this! I did find a module that had a lot of great PKI-related functionality, the &lt;a href=&#34;https://pspki.codeplex.com/wikipage?title=Test-WebServerSSL&#34; target=&#34;_blank&#34;&gt;Public Key Infrastructure PowerShell&lt;/a&gt; module, but it, too, didn’t have the much-needed signature algorithm. However, it did provide a very robust base on which to build. Below is the solution I came up with.&lt;/p&gt;
&lt;p&gt;&lt;div class=&#34;highlight&#34;&gt;&lt;pre style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4&#34;&gt;&lt;code class=&#34;language-Powershell&#34; data-lang=&#34;Powershell&#34;&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;function&lt;/span&gt; get-SSLSigningAlgorithm {
[&lt;span style=&#34;color:#66d9ef&#34;&gt;CmdletBinding&lt;/span&gt;()]
&lt;span style=&#34;color:#66d9ef&#34;&gt;param&lt;/span&gt;(
[&lt;span style=&#34;color:#66d9ef&#34;&gt;Parameter&lt;/span&gt;(&lt;span style=&#34;color:#66d9ef&#34;&gt;Mandatory&lt;/span&gt; = $true, &lt;span style=&#34;color:#66d9ef&#34;&gt;ValueFromPipeline&lt;/span&gt; = $true, &lt;span style=&#34;color:#66d9ef&#34;&gt;Position&lt;/span&gt; = 0)]
&lt;span style=&#34;color:#66d9ef&#34;&gt;[string]&lt;/span&gt;$URL,
[&lt;span style=&#34;color:#66d9ef&#34;&gt;Parameter&lt;/span&gt;(&lt;span style=&#34;color:#66d9ef&#34;&gt;Position&lt;/span&gt; = 1)]
[&lt;span style=&#34;color:#66d9ef&#34;&gt;ValidateRange&lt;/span&gt;(1,65535)]
&lt;span style=&#34;color:#66d9ef&#34;&gt;[int]&lt;/span&gt;$Port = 443,
[&lt;span style=&#34;color:#66d9ef&#34;&gt;Parameter&lt;/span&gt;(&lt;span style=&#34;color:#66d9ef&#34;&gt;Position&lt;/span&gt; = 2)]
&lt;span style=&#34;color:#66d9ef&#34;&gt;[Net.WebProxy]&lt;/span&gt;$Proxy,
[&lt;span style=&#34;color:#66d9ef&#34;&gt;Parameter&lt;/span&gt;(&lt;span style=&#34;color:#66d9ef&#34;&gt;Position&lt;/span&gt; = 3)]
&lt;span style=&#34;color:#66d9ef&#34;&gt;[int]&lt;/span&gt;$Timeout = 15000,
&lt;span style=&#34;color:#66d9ef&#34;&gt;[switch]&lt;/span&gt;$UseUserContext
)
$ConnectString = &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;https://$url`:$port&amp;#34;&lt;/span&gt;
$WebRequest = &lt;span style=&#34;color:#66d9ef&#34;&gt;[Net.WebRequest]&lt;/span&gt;::Create($ConnectString)
$WebRequest.Proxy = $Proxy
$WebRequest.Credentials = $null
$WebRequest.Timeout = $Timeout
$WebRequest.AllowAutoRedirect = $true
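# Accept any certificate so that expired, self-signed or untrusted certificates can still be inspected.
# Note: this callback is process-wide and stays in effect for the rest of the PowerShell session.
&lt;span style=&#34;color:#66d9ef&#34;&gt;[Net.ServicePointManager]&lt;/span&gt;::ServerCertificateValidationCallback = {$true}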
&lt;span style=&#34;color:#66d9ef&#34;&gt;try&lt;/span&gt; {$Response = $WebRequest.GetResponse()}
&lt;span style=&#34;color:#66d9ef&#34;&gt;catch&lt;/span&gt; {}
&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ($WebRequest.ServicePoint.Certificate &lt;span style=&#34;color:#f92672&#34;&gt;-ne&lt;/span&gt; $null) {
$Cert = &lt;span style=&#34;color:#66d9ef&#34;&gt;[Security.Cryptography.X509Certificates.X509Certificate2]&lt;/span&gt;$WebRequest.ServicePoint.Certificate.Handle
# Emit the algorithm name to the pipeline so the caller can capture it (for example, into a CSV).
Write-Output $Cert.SignatureAlgorithm.FriendlyName
} &lt;span style=&#34;color:#66d9ef&#34;&gt;else&lt;/span&gt; {
Write-Error $Error[0]
}
}&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
I’ll create a CSV of the domains that I need to check, and iterate over them in a for-each loop. That function will be used within the loop to check the sites, and the output will go into another CSV. We’ll use that to plan our re-keying.&lt;/p&gt;</description></item><item><title>Hide Disabled AD Accounts from the GAL using Powershell</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/hide-disabled-accounts-from-gal/</link><pubDate>Mon, 08 Sep 2014 16:23:48 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/hide-disabled-accounts-from-gal/</guid><description>&lt;p&gt;Our account decommission process involves disabling a user and moving them to a “Disabled Domain Accounts” OU. Well, it turns out that our previous admin never actually hid these mailboxes from the Global Address List (GAL), so many of our offshore partners have still been sending emails to them. I decided to start cleaning this up a bit today with the following:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4&#34;&gt;&lt;code class=&#34;language-Powershell&#34; data-lang=&#34;Powershell&#34;&gt;Search-ADAccount -SearchBase &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;ou=Disabled Domain Accounts,dc=example,dc=local&amp;#34;&lt;/span&gt; -AccountDisabled -UsersOnly |Set-ADUser &lt;span style=&#34;color:#f92672&#34;&gt;-Replace&lt;/span&gt; @{msExchHideFromAddressLists=$true}&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;p&gt;Another simple bit of PowerShell. The first command searches within the disabled account OU, and looks for disabled user accounts only. That output is piped into the second command which replaces the Exchange attribute that hides that account from the GAL.&lt;/p&gt;</description></item><item><title>How to clear all Workstation DNS caches from PowerShell</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/clear-dns-caches-powershell/</link><pubDate>Thu, 04 Sep 2014 16:20:07 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/clear-dns-caches-powershell/</guid><description>&lt;p&gt;I recently found myself in need of the ability to clear the DNS cache of all the laptops in my company. I found a very powerful and simple way to do so and thought I would share.&lt;/p&gt;
&lt;pre&gt;&lt;code class=&#34;language-powershell&#34;&gt;$c = Get-ADComputer -Filter {operatingsystem -notlike &amp;quot;*server*&amp;quot; }
Invoke-Command -cn $c.name -SCRIPT { ipconfig /flushdns }
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;The first line queries Active Directory for all computers that are not servers. The second line simply invokes the normal Windows command “ipconfig /flushdns” on all computers.&lt;/p&gt;
&lt;p&gt;This technique could be used to run any command across all workstations. Very powerful, and dangerous. Use at your own risk!&lt;/p&gt;</description></item><item><title>Expired Ad Users and Powershell</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/expired-ad-users-and-powershell/</link><pubDate>Mon, 02 Jun 2014 16:14:25 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/expired-ad-users-and-powershell/</guid><description>
&lt;h2 id=&#34;the-setup&#34;&gt;The Setup&lt;/h2&gt;
&lt;p&gt;I came into the office today and was bombarded with users not being able to access our TFS server. Now, before I get too far into this story, you have to understand: Technically I’m only responsible for client-facing infrastructure. However, over the years I’ve started wearing more of a devops hat because, apparently, I’m quite good at it. That means TFS is now largely my problem. Funny how that works, eh? Anyway, back to TFS.&lt;/p&gt;
&lt;p&gt;There were a few odd things about this issue: the oddest being that some of our off-shore developers were having no problems and others just couldn’t get in. The users with issues also couldn’t access the web portal. We (at least me) hadn’t made any changes to TFS in about a month, so I started to investigate.&lt;/p&gt;
&lt;p&gt;After a brief panic about SharePoint not being installed properly (Hey, I didn’t set up this system, I’m just its current keeper) I managed to trace the issue to network logons. Thank you Security log! Wait, what’s this? Turns out many, many users recently had their accounts marked as expired… Turns out we just implemented mandatory password rotation and guess what? Today – 90 days was the day that a large batch of offshore development accounts were created! So now I had to reset credentials on 35+ accounts, and I’ll be damned if I’m going to do that manually!&lt;/p&gt;
&lt;p&gt;Enter PowerShell!&lt;/p&gt;
&lt;h2 id=&#34;list-all-accounts-in-an-ou-that-have-expired-passwords&#34;&gt;List all accounts in an OU that have expired passwords&lt;/h2&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4&#34;&gt;&lt;code class=&#34;language-Powershell&#34; data-lang=&#34;Powershell&#34;&gt;Get-ADUser -searchbase &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;ou=contractors,dc=example,dc=com&amp;#34;&lt;/span&gt; -filter {Enabled &lt;span style=&#34;color:#f92672&#34;&gt;-eq&lt;/span&gt; $True} -Prop PasswordExpired | Where {$_.PasswordExpired } |select-object -property SAMAccountName,Name,PasswordExpired |format-table&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;h3 id=&#34;get-aduser&#34;&gt;Get-ADUser&lt;/h3&gt;
&lt;p&gt;SearchBase tells the Get-ADUser command to limit the search to a specific OU. This is very handy since I only have admin access to the one OU anyway. I filtered only for enabled accounts since trying to filter on PasswordExpired here didn’t work for some reason. I also explicitly called out the PasswordExpired property. This output was piped to the Where-Object cmdlet.&lt;/p&gt;
&lt;h3 id=&#34;where-object&#34;&gt;Where-Object&lt;/h3&gt;
&lt;p&gt;This was where I filtered on the current object group. Since passwordExpired is a bool, no fanciness needed here. Then I piped the output to Select-Object.&lt;/p&gt;
&lt;h3 id=&#34;select-object&#34;&gt;Select-Object&lt;/h3&gt;
&lt;p&gt;I only cared about some specific data for the output. I used this to select the properties I needed. Finally, I piped to Format-Table to make everything display nicely.&lt;/p&gt;
&lt;h2 id=&#34;reset-passwords-for-accounts-in-an-ou-with-expired-passwords&#34;&gt;Reset passwords for accounts in an OU with expired passwords&lt;/h2&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4&#34;&gt;&lt;code class=&#34;language-Powershell&#34; data-lang=&#34;Powershell&#34;&gt;Get-ADUser -searchbase &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;ou=contractors,dc=example,dc=com&amp;#34;&lt;/span&gt; -filter {Enabled &lt;span style=&#34;color:#f92672&#34;&gt;-eq&lt;/span&gt; $True} -Prop PasswordExpired | Where {$_.PasswordExpired } | &lt;span style=&#34;color:#66d9ef&#34;&gt;ForEach&lt;/span&gt;-Object {Set-ADAccountPassword -Identity $_.SAMAccountName -NewPassword (ConvertTo-SecureString -AsPlainText &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Changeme1&amp;#34;&lt;/span&gt; -Force) }&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;h3 id=&#34;get-aduser-where-object&#34;&gt;Get-ADUser &amp;amp; Where-Object&lt;/h3&gt;
&lt;p&gt;These are the same as in the section above. We are filtering for enabled accounts in the contractors OU. This was piped to one of my favorite commands on earth: ForEach-Object.&lt;/p&gt;
&lt;h3 id=&#34;foreach-object&#34;&gt;ForEach-Object&lt;/h3&gt;
&lt;p&gt;This is, hands down, one of the handiest commands in PowerShell. Or any language for that matter. In this particular instance, we are running the Set-ADAccountPassword cmdlet for each object that we pass in. We pass the object’s SAMAccountName as the identity. We then create a new secure string password and pass that to -NewPassword. Then you hit enter and the magic runs!&lt;/p&gt;</description></item><item><title>Permaethos Pdc</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/permaethos-pdc/</link><pubDate>Fri, 23 May 2014 16:10:31 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/permaethos-pdc/</guid><description>&lt;p&gt;&lt;a href=&#34;https://www.linkedin.com/in/jackspirko&#34; target=&#34;_blank&#34;&gt;Jack Spirko&lt;/a&gt;, of &lt;a href=&#34;http://www.thesurvivalpodcast.com/&#34; target=&#34;_blank&#34;&gt;The Survival Podcast&lt;/a&gt; fame, is a visionary in many ways. His most recent endeavor is a little project called &lt;a href=&#34;http://permaethos.com/&#34; target=&#34;_blank&#34;&gt;PermaEthos&lt;/a&gt;, which aims to create a worldwide network of farms based on Permaculture Principles and Libertarian Ideals. As part of this effort, Jack and his team will be putting on an online PDC at the first PermaEthos farm. Needless to say, the wife and I are taking a PDC!&lt;/p&gt;
&lt;p&gt;For more information on the PermaEthos model, and how it came to be, listen to &lt;a href=&#34;http://www.thesurvivalpodcast.com/permaethos-model-3-0&#34; target=&#34;_blank&#34;&gt;Episode 1335 The PermaEthos Model 3.0&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;As part of this, I created a profile over at &lt;a href=&#34;http://permacultureglobal.com/&#34; target=&#34;_blank&#34;&gt;Permaculture Global&lt;/a&gt; to help track what I’ve done. If you’re on that network, feel free to connect with me!
&lt;a href=&#34;http://permacultureglobal.com/users/11929-derek-murawsky&#34; target=&#34;_blank&#34;&gt;Direct Link to Profile on Permaculture Global&lt;/a&gt;&lt;/p&gt;</description></item><item><title>Learning to Cook</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/learning-to-cook/</link><pubDate>Mon, 18 Nov 2013 15:48:40 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/learning-to-cook/</guid><description>&lt;p&gt;A friend asked me at lunch today: “How do I learn to cook?” Since this question seems to come up a lot in my life, I figured I would write a post on the topic so I could easily answer the next person.&lt;/p&gt;
&lt;p&gt;I am passionate about cooking. I learned to cook from my mother at a very young age. She would always encourage me to help cut the vegetables, or stir the soup. Some of my earliest memories are of helping out in the kitchen (the others are of taking things, usually expensive, apart). For me, cooking developed naturally as I absorbed what my mother taught me. When I hit college, I started collecting cookbooks trying to improve on my skills in earnest. However, I quickly became disappointed in what the average cookbook had to teach.&lt;/p&gt;
&lt;p&gt;You see, the problem with most cookbooks is that they are just recipe collections. Sure, some good ones will give you a few brief pointers on how to knead bread, or broil a steak, but most are just a list of recipes that throw terms at the reader that they might not be familiar with. “Saute one cup of chicken, diced into one inch cubes”. What’s a saute? What’s a dice? What temperature? What pan? Do I cover it?&lt;/p&gt;
&lt;p&gt;Most folks think that they know the vocab, and throw the recipe together in a way that makes sense to them. This usually results in an edible meal that roughly approximates the recipe, so most people leave it at that. Presto! We’re cooking now! Never mind the fact that our ragu is now more of a vegetable stew and our bread is completely crumbly without any of that nice chewy texture we were looking for… Cooking not only throws an entirely new vocabulary at you, it also throws you a new grammar and syntax, which most books don’t even touch on. By following the average cookbook, we are merely parroting back what we are reading and failing to understand why we’re doing any of it. This isn’t how you learn.&lt;/p&gt;
&lt;p&gt;So how would I recommend you learn to cook? Learn the vocab, learn the grammar, and learn the syntax.&lt;/p&gt;
&lt;p&gt;The vocab is basic, and fairly easy. It’s not like you are becoming a doctor and need to learn Latin. To take our earlier example, sauteing involves cooking meat in a pan with oil while braising uses some other water based liquid. Most folks at home braise meats unintentionally when they cover their frying pans. &lt;a href=&#34;http://www.amazon.com/gp/product/0470421355/&#34; target=&#34;_blank&#34;&gt;The Professional Chef&lt;/a&gt; and &lt;a href=&#34;http://www.amazon.com/gp/product/1579121659/&#34; target=&#34;_blank&#34;&gt;Jacques Pépin’s Complete Techniques&lt;/a&gt; do a great job of going over the vocabulary of cooking, while illustrating it with both recipes and pictures.&lt;/p&gt;
&lt;p&gt;Grammar is a bit more tricky. The rules are hinted at, and even discussed at a high level, in &lt;a href=&#34;http://www.amazon.com/gp/product/0470421355/&#34; target=&#34;_blank&#34;&gt;The Professional Chef&lt;/a&gt;. However, pick up a copy of &lt;a href=&#34;http://www.amazon.com/gp/product/1416571728/&#34; target=&#34;_blank&#34;&gt;Ratio: The Simple Codes Behind the Craft of Everyday Cooking&lt;/a&gt; and you will really get a feeling for the power of culinary grammar. For a full review of Ratio, &lt;a href=&#34;http://www.theendofthetunnel.org/2011/01/05/ratio-the-simple-codes-behind-the-craft-of-everyday-cooking/&#34; target=&#34;_blank&#34;&gt;see this article I wrote a while back&lt;/a&gt;. To summarize it, though, imagine knowing the base ratio for a cake and then being able to make any cake you can imagine. Then imagine changing the ratio of the exact same ingredients and coming out with a scone instead. This is the power of culinary ratios. They free you from recipes and let your imagination take flight.&lt;/p&gt;
&lt;p&gt;Finally comes syntax, and this is one of the harder things to learn. Syntax, in the cooking world, is the fingerprint of a particular cuisine. More accurately, it is the flavorprint of a particular cuisine. What makes American BBQ unique when compared to, say, Vietnamese BBQ? If you look at the recipes, you will notice that it is all in the specific ingredients and flavoring agents that are available to each culture. Unfortunately though, no-one, to my knowledge, has written a good book on the flavor prints of the world. The only way to learn syntax is by reviewing recipe collections on specific cuisines, looking at the ingredients in ethnic markets, and analysing the flavors when you eat out at a restaurant that specializes in that type of cuisine. It may not be easy to learn syntax, but it can be fun and filling!&lt;/p&gt;
&lt;p&gt;Since this is an article on learning to cook, I want to share my favorite cooking show as well. &lt;a href=&#34;http://www.foodnetwork.com/good-eats/index.html&#34; target=&#34;_blank&#34;&gt;Good Eats&lt;/a&gt; is a fantastic show by the mad scientist of the culinary world, &lt;a href=&#34;http://altonbrown.com/&#34; target=&#34;_blank&#34;&gt;Alton Brown&lt;/a&gt;. It gives great examples of all of the above material and does so in a fascinating, highly entertaining way. Truth be told, Good Eats was one of the reasons I started looking into the whys and wherefores of the cooking world. You can pick up the DVDs of the show on &lt;a href=&#34;http://www.amazon.com/s/?_encoding=UTF8&amp;amp;camp=1789&amp;amp;creative=390957&amp;amp;keywords=good%20eats&amp;amp;linkCode=ur2&amp;amp;qid=1384803970&amp;amp;rh=n%3A2625373011%2Cp_n_format_browse-bin%3A2650304011%2Ck%3Agood%20eats&amp;amp;rnid=2941120011&amp;amp;tag=theendofthetu-20&#34; target=&#34;_blank&#34;&gt;Amazon&lt;/a&gt;, and I’m sure you can find episodes streaming online if you look on the search engine of your choice.&lt;/p&gt;
&lt;p&gt;Was this article helpful? Did you find it interesting or disagree with it? Please post in the comments below!&lt;/p&gt;
&lt;p&gt;Edited to add: Turns out there are a few cheatsheets floating around on flavor profiles. &lt;a href=&#34;http://cookfearless.com/a-cheat-sheet-to-flavor-profiles/&#34; target=&#34;_blank&#34;&gt;Have a look&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Character</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/character/</link><pubDate>Tue, 13 Aug 2013 15:27:20 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/character/</guid><description>&lt;p&gt;When you look at dishonesty as a social disease, things get very interesting. I always believed that “The true test of a man’s character is what he does when no one is watching” (John Wooden), but perhaps there’s more to it than that. Character is also standing up for what you believe in the face of social pressure. Tricky double-edged sword, that is. However, it is worth careful consideration. This article gives some great food for thought along these lines.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;http://www.artofmanliness.com/2013/08/12/what-strengthens-and-weakens-our-integrity-part-iii-how-to-stop-the-spread-of-the-immorality-virus/&#34; target=&#34;_blank&#34;&gt;Art Of Manliness - What Strengthens and Weakens Our Integrity – Part III: How to Stop the Spread of the Immorality Virus&lt;/a&gt;&lt;/p&gt;</description></item><item><title>Monitoring and Caching Dns</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/monitoring-and-caching-dns/</link><pubDate>Thu, 20 Jun 2013 15:18:48 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/monitoring-and-caching-dns/</guid><description>
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/rabbit-hole-150.jpg&#34; &gt;
&lt;img src=&#34;images/rabbit-hole-150.jpg&#34; alt=&#34;&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;p&gt;Had an interesting issue today. One of the production systems suddenly went dark, and we found out about it from the client. This is never a good way to start a Thursday. It turns out that the client was having DNS issues and the domain was no longer valid. Relatively simple fix, crisis averted…&lt;/p&gt;
&lt;p&gt;But why didn’t the monitoring system pick it up?&lt;/p&gt;
&lt;p&gt;We use &lt;a href=&#34;Dotcom-Monitor&#34; target=&#34;_blank&#34;&gt;Dotcom-Monitor&lt;/a&gt; to check each of our sites on a regular basis. The monitor actually logs in to each website to verify functionality. What in the DNS world could cause this issue in such a scenario? How about a caching nameserver? Turns out, to limit the stress on their nameserver, Dotcom Monitor set up a standard caching nameserver that keeps a record in cache until the record expires. So even though DNS was no longer working for this site, the monitor thought everything was A-OK.&lt;/p&gt;
&lt;p&gt;What can we do to fix this issue? Not much unfortunately. Dotcom Monitor will have to implement a change in their infrastructure which will likely increase the load on their DNS servers significantly. Since that’s not likely, it looks like I’ll have to build a service into our internal monitor (&lt;a href=&#34;http://www.zabbix.com/&#34; target=&#34;_blank&#34;&gt;Zabbix&lt;/a&gt; based) to check for the domain against the SOA for it.&lt;/p&gt;</description></item><item><title>Page Speed Score Wordpress</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/page-speed-score-wordpress/</link><pubDate>Wed, 12 Jun 2013 15:11:52 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/page-speed-score-wordpress/</guid><description>
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/screenshot.jpg&#34; &gt;
&lt;img src=&#34;images/screenshot.jpg&#34; alt=&#34;&#34; width=&#34;250&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;p&gt;After configuring W3 Total Cache and playing around with Google’s free PageSpeed Insights tool, I was able to increase The End of the Tunnel’s score from 49 to 96! This is impressive to me because this site currently runs on the basic DreamHost shared environment plan. No dedicated servers, no fancy configurations, just good cache management. Fantastic!&lt;/p&gt;</description></item><item><title>Flush Dns Cache for Single Domain</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/flush-dns-cache-for-single-domain/</link><pubDate>Tue, 11 Jun 2013 15:05:15 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/flush-dns-cache-for-single-domain/</guid><description>&lt;p&gt;I was working on the site today and ran into an issue: Our caching DNS server (Windows 2008) was holding on to the old webserver’s IP. This wasn’t a problem for me locally as I used the old hosts file trick to point to the new server. However, this meant I couldn’t show other folks the site until either the cache was completely flushed or the record expired.&lt;/p&gt;
&lt;p&gt;A little googling later, and I found this little command from &lt;a href=&#34;ServerFault&#34; target=&#34;_blank&#34;&gt;ServerFault&lt;/a&gt;.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4&#34;&gt;&lt;code class=&#34;language-shell&#34; data-lang=&#34;shell&#34;&gt;dnscmd dnsserver.local /NodeDelete ..Cache whatever.com &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;/Tree&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;[&lt;/span&gt;/f&lt;span style=&#34;color:#f92672&#34;&gt;]&lt;/span&gt;
/tree Specifies to delete all of the child records.
/f Executes the command without asking &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; confirmation.&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;p&gt;This allows you to clear just a small portion of the cache, as you define it. Pretty handy!&lt;/p&gt;</description></item><item><title>Of Floors and Friends</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/of-floors-and-friends/</link><pubDate>Tue, 05 Jun 2012 14:59:57 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/of-floors-and-friends/</guid><description>&lt;p&gt;This past week, several of my friends and I went to the cabin to do some much needed renovations. I will be documenting these renovations over the next few posts and will link them here when finished.&lt;/p&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/img_1217.jpg&#34; data-caption=&#34;Four of the five key players in this tale of triumph.&#34;&gt;
&lt;img src=&#34;images/img_1217.jpg&#34; alt=&#34;&#34; &gt;&lt;/a&gt;
&lt;figcaption&gt;
Four of the five key players in this tale of triumph.
&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;ul&gt;
&lt;li&gt;Putting up a Storage Shed&lt;/li&gt;
&lt;li&gt;Living Room Demolition&lt;/li&gt;
&lt;li&gt;Jacking up the Cabin&lt;/li&gt;
&lt;li&gt;Foundation Work&lt;/li&gt;
&lt;li&gt;New Living Room floor&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>Ratio Book Review</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/ratio-book-review/</link><pubDate>Wed, 05 Jan 2011 14:31:51 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/ratio-book-review/</guid><description>&lt;p&gt;Originally posted on the &lt;a href=&#34;http://zombiehunters.org/forum/viewtopic.php?f=11&amp;amp;t=74669&amp;amp;p=1638686#p1638686&#34; target=&#34;_blank&#34;&gt;Zombie Squad&lt;/a&gt; Forum on Wed Jan 05, 2011 1:02 am&lt;/p&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/ratio-cover.jpg&#34; data-caption=&#34;Ratio: The Simple Codes Behind the Craft of Everyday Cooking, by Michael Ruhlman&#34;&gt;
&lt;img src=&#34;images/ratio-cover.jpg&#34; alt=&#34;Cover of Ratio book&#34; width=&#34;150&#34; &gt;&lt;/a&gt;
&lt;figcaption&gt;
Ratio: The Simple Codes Behind the Craft of Everyday Cooking, by Michael Ruhlman
&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;I’ve been cooking for most of my life, even though my definition of cooking has changed considerably over the years. When I was young, cooking meant helping my mother in the kitchen with whatever she would let me do. It started out with holding a spoon here and there, to stirring the pots, to actually cutting up the veggies. Cooking was listening to what my mother told me to do, and following her instructions closely. As I grew, cooking became more complicated. I found cook books and cooking shows, which opened up an entirely new world! All of a sudden I had recipes to follow instead of just my mother’s words of wisdom. This evolution continued as I learned to “customize” recipes. Take a little from one recipe, a little from another, maybe change up some spices here and there… This led to some culinary triumphs, like the oddly delicious scrambled pancake, and many culinary failures; pancakes should never have tendrils. The evolution continued as I realized there were different techniques for cooking. I purchased the Culinary Institute of America’s &lt;a href=&#34;https://www.amazon.com/Professional-Chef-Culinary-Institute-America/dp/0470421355/&#34; target=&#34;_blank&#34;&gt;The Professional Chef&lt;/a&gt; and worked my way through bits and pieces of it to broaden my horizons and skill base. I watched shows like &lt;a href=&#34;http://www.altonbrown.com/&#34; target=&#34;_blank&#34;&gt;Alton Brown&lt;/a&gt;‘s &lt;a href=&#34;http://www.foodnetwork.com/good-eats/index.html&#34; target=&#34;_blank&#34;&gt;Good Eats&lt;/a&gt; and began learning how ingredients actually worked together. I started to see the patterns in recipes and come up with some of my own. But I was still basing my culinary work on existing recipes in one way or another.&lt;/p&gt;
&lt;p&gt;Then I came across a list of &lt;a href=&#34;http://online.wsj.com/article/SB10001424052748704107204575039311414125360.html?mod=WSJ_Opinion_TOPRightCarousel&#34; target=&#34;_blank&#34;&gt;Alton Brown’s favorite cook books&lt;/a&gt;. Some of the items on the list were familiar, the first one was my mother’s culinary bible &lt;a href=&#34;http://www.amazon.com/gp/product/0743246268&#34; target=&#34;_blank&#34;&gt;The Joy of Cooking&lt;/a&gt;. Others were just plain intriguing, like this book called Ratio. Math? In cooking? My inner engineer just had to know more…&lt;/p&gt;
&lt;p&gt;Eventually, Ratio was ordered, made its way into my mailbox, my book pile, and my hands. Let me start by saying that Ratio is not a cookbook in the classic sense: it does not contain a list of recipes. In fact, Ratio has only a handful of recipes in the whole book. Ratio is, as its title suggests, about ratios. More specifically, it is about the fundamental ratios that exist in the world of cooking. Why is this important? Allow me to quote from the first paragraph of Ratio. “When you know a culinary ratio, it’s not like knowing a single recipe, it’s instantly knowing a thousand.” Ratio is primordial culinary power, pure and simple.&lt;/p&gt;
&lt;p&gt;Ratio’s author, Michael Ruhlman, gives each ratio its own chapter, where he discusses some of the nuances of the ratio. In the bread section, for example, he details kneading, yeasts, and a few ways to expand on the basic ratio. Each chapter then has some example recipes using the ratio, and a few final notes. Every section of this unassuming little tome is packed with useful information. Even its cover is a useful chart of the continuum of dough, from bread to crepes. Ratio is a true eye-opener. Want to bake bread? Five parts flour to three parts water. Salt and yeast are encouraged, but optional. Five to three and you will have bread. All bread, of any kind, starts with this simple ratio. Want pie dough? 3:2:1 flour, fat, water. Crepes? 1:1:.5 Liquid, Egg, Flour. Stocks? 3:2 Water, Bones. Mayonnaise, not the clunky, bland store-bought mayo, but deliciously creamy and flavorful mayonnaise? 20:1+1 Oil, liquid, yolk. Ratio is the culinary world at its simplest and most elegant.&lt;/p&gt;
&lt;p&gt;Ratio by itself won’t do the average person much good, I suppose. You have to have an appreciation for cooking and a desire to understand why it works the way it does. If you like your TV dinners lukewarm, Ratio is not for you. If, on the other hand, you want to learn the most fundamental parts of actual cooking, if you want to expand your horizons past simple recipes, if you want to grow as a cook and not just be a follower, Ratio may well be your path to enlightenment.&lt;/p&gt;</description></item><item><title>Review of the September 19th, 2009 Appleseed Shoot in Saratoga Springs, NY</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/review-of-appleseed-shoot-sept-19th/</link><pubDate>Mon, 21 Sep 2009 17:08:51 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/review-of-appleseed-shoot-sept-19th/</guid><description>&lt;p&gt;Originally posted on the &lt;a href=&#34;http://zombiehunters.org/forum/viewtopic.php?p=1079588&amp;amp;sid=2243713d58c9c16f7417a1e430359723#p1079588&#34; target=&#34;_blank&#34;&gt;Zombie Squad Forum&lt;/a&gt; on Mon Sep 21, 2009 3:39 pm&lt;/p&gt;
&lt;p&gt;“Shooters, Your 2 minute preparation period has begun!”&lt;/p&gt;
&lt;p&gt;The chill from the night is still in the air as I lay down on an old carpet remnant and examine my loaned Ruger &lt;sup&gt;10&lt;/sup&gt;&amp;frasl;&lt;sub&gt;22&lt;/sub&gt;. Chamber flag out, wrap the sling around my arm “hasty” and lie down… The sun shines at a shallow angle and warms me. It also creates some glare in the tech-100 sights. I focus on the target and dry fire a few times. Wait, this isn’t right. I remember the training from earlier: align the sights, create the sight picture, control my breathing, focus on the front sight, get into the shooter’s bubble, squeeze the trigger, and follow through… I run it all through my head. So much to internalize!&lt;/p&gt;
&lt;p&gt;“Shooters, your two minute preparation period has ended. Load!”&lt;/p&gt;
&lt;p&gt;Two minutes up already! I take the rotary magazine and insert it into the &lt;sup&gt;10&lt;/sup&gt;&amp;frasl;&lt;sub&gt;22&lt;/sub&gt;. I hear the soft click of it locking into place and I rack the bolt. Thoughts run around in my mind, I try to calm myself and get back into my natural point of aim and the shooter’s bubble… Shimmy to the left, shimmy to the right… my hand steadies as if by magic. Ah, there it is!&lt;/p&gt;
&lt;p&gt;The line boss gives the final command, “Fire!”, and the line erupts with dozens of little snaps of 22 and the occasional loud bang of a larger caliber. I turn the safety off and squeeze the trigger. My Ruger mews to life, sending its tiny .22lr down range at the target. I call the shot, low and to the left. The smell of gunpowder hangs in the air throughout the day…&lt;/p&gt;
&lt;p&gt;All totaled, we launched 716 rounds of ammunition down range over the course of two days. Two folks were awarded a rifleman patch that weekend. Though I was not one of them, my shooting improved significantly, going from a 120 to a 180. Using my own rifle, it will be even higher. I’ve learned what to practice, how to practice, why to practice. I want to become a Rifleman. I want to teach others. This is only the beginning. I think I just woke up.&lt;/p&gt;
&lt;p&gt;The morning commute to Appleseed
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/enroute-to-shoot.jpg&#34; &gt;
&lt;img src=&#34;images/enroute-to-shoot.jpg&#34; alt=&#34;Beautiful hills of Saratoga, NY&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;Teaching the group
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/teaching-the-group.jpg&#34; &gt;
&lt;img src=&#34;images/teaching-the-group.jpg&#34; alt=&#34;Group gathering on the line for instruction&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;Proper sitting position
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/proper-sitting-position.jpg&#34; &gt;
&lt;img src=&#34;images/proper-sitting-position.jpg&#34; alt=&#34;Instructor demonstrates proper sitting position&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;Proper standing position
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/proper-standing-position.jpg&#34; &gt;
&lt;img src=&#34;images/proper-standing-position.jpg&#34; alt=&#34;Instructor demonstrates proper standing position&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;Battle scars
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/battle-scars.jpg&#34; &gt;
&lt;img src=&#34;images/battle-scars.jpg&#34; alt=&#34;Hot brass can cause battle scars&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;And the sun shone down…
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/the-sun-is-bright.jpg&#34; &gt;
&lt;img src=&#34;images/the-sun-is-bright.jpg&#34; alt=&#34;The sun was very bright&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;If an &lt;a href=&#34;https://appleseedinfo.org/&#34; target=&#34;_blank&#34;&gt;Appleseed shoot&lt;/a&gt; comes around your area, go. You won’t regret it. This group and these events get the official seal of awesomeness.&lt;/p&gt;</description></item><item><title>Wiggys Ftrss Review</title><link>https://development--vigilant-hodgkin-644b1e.netlify.com/post/wiggys-ftrss-review/</link><pubDate>Wed, 04 Feb 2009 15:33:20 -0400</pubDate><guid>https://development--vigilant-hodgkin-644b1e.netlify.com/post/wiggys-ftrss-review/</guid><description>
&lt;p&gt;Updates at the bottom of this post.&lt;/p&gt;
&lt;h2 id=&#34;overview&#34;&gt;Overview&lt;/h2&gt;
&lt;p&gt;&lt;a href=&#34;http://www.wiggys.com/&#34; target=&#34;_blank&#34;&gt;Wiggy’s&lt;/a&gt; makes a line of top notch synthetic sleeping bags right here in the good old US of A. They carry a &lt;a href=&#34;https://www.wiggys.com/wiggys-guarantee/&#34; target=&#34;_blank&#34;&gt;lifetime warranty&lt;/a&gt;, keep their warranty even after machine washing, and don’t appear to lose their loft when compressed. All bags come with a compression sack and Lamilite pillow. A particularly nice feature is that you can combine two bags into the Flexible Temperature Range Sleep System, or FTRSS.&lt;/p&gt;
&lt;p&gt;Wiggy’s uses an insulation called &lt;a href=&#34;https://www.wiggys.com/why-lamilite&#34; target=&#34;_blank&#34;&gt;Lamilite&lt;/a&gt;. Lamilite is their proprietary blend of “a 5.5 denier continuous filament fiber which has been coated with a silicone finish”. &lt;a href=&#34;http://www.backpacking.net/sleeping.html#wiggy01&#34; target=&#34;_blank&#34;&gt;It has been reported&lt;/a&gt; by &lt;a href=&#34;http://www.freezedryguy.com/articles/wiggys.sleeping.bag.html#Anchor-MEMORANDUM-49575&#34; target=&#34;_blank&#34;&gt;many users&lt;/a&gt; to provide considerable warmth when wet, however it is heavier than some other synthetics available and doesn’t compress as well.&lt;/p&gt;
&lt;h2 id=&#34;overbag-https-www-wiggys-com-specials-ftrss-overbag-mummy-style-sleeping-bag&#34;&gt;&lt;a href=&#34;https://www.wiggys.com/specials/ftrss-overbag-mummy-style-sleeping-bag/&#34; target=&#34;_blank&#34;&gt;Overbag&lt;/a&gt;&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;The Overbag is a +35 degrees F rated mummy style bag. It is available in four sizes; 33 inches wide in the torso and 82 inches long (regular regular) (weight 2 lbs.), 36 inches wide and 82 inches long (regular wide body) (weight 2 lbs.), 33 inches wide and 92 inches long (long regular) (weight 2 lbs.), and 36 inches wide and 92 inches long (long wide body) (weight 3 lbs.). Please note the larger size for the Overbag, so it will fit comfortably over any of the other bags when the FTRSS is created. Also note that a larger roomier bag is necessary for warm weather use.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/overbag-all-colors.jpg&#34; &gt;
&lt;img src=&#34;images/overbag-all-colors.jpg&#34; alt=&#34;All overbag color options&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;p&gt;Price is $190 (Additional 20% discount as of 2/2/09)
Available in Black, Purple, Olive Drab, and Blue. Mine is Black.&lt;/p&gt;
&lt;h2 id=&#34;super-light-https-www-wiggys-com-specials-super-light-mummy-style-sleeping-bag&#34;&gt;&lt;a href=&#34;https://www.wiggys.com/specials/super-light-mummy-style-sleeping-bag/&#34; target=&#34;_blank&#34;&gt;Super Light&lt;/a&gt;&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;The Super Light is a 0 degree F rated mummy style bag. It is available in four sizes; 31 inches wide in the torso and 80 inches long (regular regular) (weight is 4 lbs.), 34 inches wide and 80 inches long (regular wide body) (weight is 4 lbs.), 31 inches wide and 90 inches long (long regular) (weight 4 lbs.), and 34 inches wide and 90 inches long (long wide body) (weight 5 lbs.).
When the Overbag is added to the Super Light the temperature rating becomes -40 degrees F. When both bags are combined you have the Super Light FTRSS.
The Super Lt. has proven to be our most popular bag, both with the Armed Forces and Civilian markets.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/super-light-mummy.jpg&#34; &gt;
&lt;img src=&#34;images/super-light-mummy.jpg&#34; alt=&#34;All super-light core bag color options&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;p&gt;Price is $218.00 (Additional 20% discount as of 2/2/09)
Available in Purple, Black, and Olive Drab. Mine is Olive Drab&lt;/p&gt;
&lt;h2 id=&#34;photos&#34;&gt;Photos&lt;/h2&gt;
&lt;p&gt;My core bag, a Wiggy’s Super Light. Laid out in all its wrinkled glory.
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/wiggys-laid-out.jpg&#34; &gt;
&lt;img src=&#34;images/wiggys-laid-out.jpg&#34; alt=&#34;Wiggy&amp;#39;s main bag laid out&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;Wiggy’s. Made in the USA.
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/wiggys-made-in-america.jpg&#34; &gt;
&lt;img src=&#34;images/wiggys-made-in-america.jpg&#34; alt=&#34;Wiggy&amp;#39;s made in america label&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;Overbag, over the core bag.
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/overbag-over-core.jpg&#34; &gt;
&lt;img src=&#34;images/overbag-over-core.jpg&#34; alt=&#34;Overbag on top of main bag&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;The two bags nested, but not attached.
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/two-bags-nested.jpg&#34; &gt;
&lt;img src=&#34;images/two-bags-nested.jpg&#34; alt=&#34;Two bags nested into each-other&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;Showing the Overbag’s draft tube.
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/overbag-draft-tube.jpg&#34; &gt;
&lt;img src=&#34;images/overbag-draft-tube.jpg&#34; alt=&#34;Draft tube inside overbag&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;Starting the zippering process. You can see how beefy the zippers are here.
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/starting-the-zip.jpg&#34; &gt;
&lt;img src=&#34;images/starting-the-zip.jpg&#34; alt=&#34;Starting to zip the bags together&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;The two bags are now joined and I’m trying to give a semblance of scale. That’s a LMF Spork in my hand.
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/lmf-spork-for-scale.jpg&#34; &gt;
&lt;img src=&#34;images/lmf-spork-for-scale.jpg&#34; alt=&#34;LMF Spork inside bags for scale&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;FTRSS Laid out. It’s Beefy.
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/ftrss-laid-out.jpg&#34; &gt;
&lt;img src=&#34;images/ftrss-laid-out.jpg&#34; alt=&#34;The complete FTRSS laid out&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;That’s me holding up the bag. I’m 6’6″ tall, 250 lbs, and about 2′ broad at the shoulders. The door behind me is a standard height door. I was trying to hold the bag off the floor and failing. These bags in Large/Wide are Huge!
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/me-holding-bag.jpg&#34; &gt;
&lt;img src=&#34;images/me-holding-bag.jpg&#34; alt=&#34;Me holding the opened bag&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;p&gt;FTRSS all Packed up into one compression sack. No, it’s not very tiny.
&lt;figure&gt;
&lt;a data-fancybox=&#34;&#34; href=&#34;images/all-packed-up.jpg&#34; &gt;
&lt;img src=&#34;images/all-packed-up.jpg&#34; alt=&#34;The complete FTRSS packed up&#34; &gt;&lt;/a&gt;
&lt;/figure&gt;
&lt;/p&gt;
&lt;h2 id=&#34;comments-on-the-system&#34;&gt;Comments on the system&lt;/h2&gt;
&lt;p&gt;What can I say? I like the system so far and recommend it to anyone who needs a single good bag or a great sleep system. Packing the FTRSS can be challenging as it’s actually two sleeping bags, but if you’re going cold weather camping this is a lifesaver. I’ve used the Overbag extensively during this past summer. It works as both a blanket and a sleeping bag with only one real downside: The extra zippers inside can get annoying. I’ve only had a chance to test the Super Light a few times and never down to 0. It is a very comfortable bag and definitely kept me extra toasty down to 20 which is the coldest I’ve gone out with it.
I’m going to test the FTRSS during the &lt;a href=&#34;http://zombiehunters.org/forum/viewtopic.php?f=38&amp;amp;t=37166&amp;amp;st=0&amp;amp;sk=t&amp;amp;sd=a&#34; target=&#34;_blank&#34;&gt;NNY09WCT&lt;/a&gt; this year in the Adirondacks. Last year I used a cheap zero bag inside another zero bag and still needed a blanket.&lt;/p&gt;
&lt;h2 id=&#34;test-results-added-feb-27-2009&#34;&gt;Test Results: (added Feb 27, 2009)&lt;/h2&gt;
&lt;p&gt;It didn’t get nearly as cold on this year’s winter trip, only around 0. I wish I had thought to take the FTRSS apart and just use the 0 bag for the trip. Ah well, maybe later this month… Here are my observations:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The Wiggy’s FTRSS did not cut it by itself in a Hennessey Hammock. The insulation got severely compacted underneath me and my backside started to get cold after 10 minutes. This was what I expected to happen, but it was worth doing and knowing. In order to use this setup to bug out, you’ll need the Hennessey &lt;a href=&#34;http://hennessyhammock.com/catalogue.html#Anchor-ACCESSORIES-49575&#34; target=&#34;_blank&#34;&gt;winter kit&lt;/a&gt; to add more insulation under you.&lt;/li&gt;
&lt;li&gt;Night one was spent on a bed made of two wool blankets and a &lt;a href=&#34;http://www.thermarest.com/product_detail.aspx?pID=43&amp;amp;cID=1&#34; target=&#34;_blank&#34;&gt;Z-lite&lt;/a&gt; from Thermarest. I was completely comfortable temperature wise with no cold spots. In fact, I was overheating a bit.&lt;/li&gt;
&lt;li&gt;Night two was spent on an &lt;a href=&#34;http://www.outdoorresearch.com/site/downmats.html&#34; target=&#34;_blank&#34;&gt;Exped DownMat&lt;/a&gt;&amp;hellip; I had the best night’s sleep of my camping career that night. The FTRSS was nice and toasty (again almost too warm) and the DownMat provided incredible comfort and insulation. Many thanks to WoodsWalker for suggesting this thing. It’s amazing.&lt;/li&gt;
&lt;li&gt;My one complaint on the system is how the hood draws closed. It takes a bit of messing around to get the hoods to draw closed properly and sometimes the overbag’s hood gets lost. Not a big deal once you get the hang of it, though. Always keep the overbag’s hood slightly drawn. Once you’re in for the night, pull the inner bag drawstring first, then finish closing the overbag up.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Finally, there’s one feature I forgot to mention on all Wiggy’s bags. If you need to get out of the bag in a hurry, just give the zipper a yank upwards. It unlocks the zipper and you can get out of your bag in less than two seconds. Takes a bit of practice but it works very well.&lt;/p&gt;</description></item></channel></rss>