Upgrade to Ubuntu 16.04 Breaks PHP 5

[crit] 1505#1505: *14 connect() to unix:/var/run/php5-fpm.sock failed (2: No such file or directory) while connecting to upstream
Ubuntu 16.04 removes PHP 5, pushing everyone to 7. If you really need to have 5, you can add it back (https://askubuntu.com/questions/756181/installing-php-5-6-on-xenial-16-04) but it’s probably best to move to 7.
PHP 7 is the default for 16.04, so sudo apt-get install php will do the trick.

Read-Only Filesystem after Upgrading to Ubuntu 16.04

I panicked for a moment, not that it’s a big deal (backups, and backups of backups) but I still didn’t really want to dick with it. Apparently the UUID had changed (or something, I dunno, I didn’t really look much into it) but all that was necessary was to get the UUID of the disk (blkid), remount to rw (mount -o remount, rw /), and then edit /etc/fstab to reflect the correct UUID. Once that’s done, reboot, and all seems well.

Change IP Address of FOG Server

It’s not as easy as one might think. Obviously you have to change the IP assigned to the network interface, and then change what the web server is listening on, but there are tons of references to the IP in the FOG database that you have to change too. I dumped the database out to a .sql file, did a find/replace on it, and then imported my .sql file.

There is probably more. I’m changing the IP on one soon, and I’ll report back here with any other steps I may have forgotten.

Johnny I hardly Knew Ye

Except Johnny is Server 2003, and I knew it a long fucking time. Too long. Go to hell, Johnny.

Server 2k3 EOL

Like many, I still have a ton of 2k3 boxes in production (including one exposed to the world). Legacy applications are the bain of my existence.

completed with 87

“HttpSetServiceConfiguration completed with 87.”


Super helpful Microsoft.

Trying to set a url acl so somebody can bind a port. It’s on Server 2003, so I had to install the support tools to make httpcfg.exe available. I’ve been beating my head against the wall just long enough for the white paint to start to stain with my blood. The word completed might make one thing that the command was successful, but of course that is not the case.

It finally dawned on me that I had typed http://+:1234, and I didn’t follow up 1234 with a forward slash.

Perhaps, instead of “HttpSetServiceConfiguration completed with 87,” we could say something like “Hey, you dumb shit, your command DID NOT COMPLETE because you fucked something up.”

Or something.

fail2ban for wordpress!

There are botnets out there that just scan the Internet for wordpress sites, and then try to dictionary attack the login page. WP fail2ban is an awesome plugin that will write the unsuccessful login attempts to your syslog.

Installation is easy.

Install the plugin.
Activate the plugin.
Copy wordpress.conf to /etc/fail2ban/filters.d (default on Ubuntu, ymmv)
add the following to the end of jail.conf (or jail.local)


enabled = true
filter = wordpress
logpath = /var/log/auth.log
port = http,https
bantime = 604800
findtime = 86400
maxretry = 5

Then just sudo service fail2ban restart and you’re all set.

Yay Compliance


NO. Just…fucking no.

I thing the days of “but our shitty app needs this” being a valid excuse are long gone. I have been been witness to reversible encryption biting a client in the ass, and it was not pretty.

Leave Default Group Policies alone, leave them alone!!!!!!!!

What was that guys name?  Chris something?  Yeah…


Anyways, if you saw the way I live you probably wouldn’t know this, but I really like to have things organized.

This includes group policies!

I create new policies for EVERYTHING, and they get the shit tested out of them before they get put into production.  Some policies have version numbers or dates stamped into the names as well.

You don’t put shit in ANY default policy.  If I work with you and I catch you doing it, I’ll kick you in the nuts.  I’ve cleaned up quite a few messes stemming from that.

This was inspired by someone on reddit:

Kitten meat is tasty.



If you’re going to disable ipv6, then FFS do it the right way!


FOG Snapins with batch files because I’m old

I like FOG

I’ve mentioned before that I really like FOG, it’s a great solution for reimaging that doesn’t have much of a price tag associated with it, aside from the hardware, and the time to learn it.

FOG uses “snapins” for application deployment.  A snapin is associated with a host machine, and then can be deployed when the machine is imaged, or redeployed when necessary.  Basic snapin configuration is fairly simple, you can upload your snapin file (typically an MSI or an executable binary) and specify flags for it, and in the case of an MSI you can specify commands to be run before the snapin (ie msiexec) with flags for that command as well.

Needing more

Sometimes, however, that is not enough; we use an application from Atlassian called HipChat for most of our internal one-on-one and group messaging needs, and quite a few of our legacy users were still using an old Adobe Air based client, which as of last week is no longer supported, and users attempting to login would receive a message notifying them of such.  I had been putting off pushing out the new native Windows client because it still has some bugs (some features don’t work if the message is pushed via API, spell check isn’t currently working, sometimes it doesn’t let you go idle and therefore the feature to send you an SMS notification if you get a message while idle didn’t work) and, most annoyingly, it installs only for the user that was running the installation, which in a corporate environment is kind of a pain in the ass.  During a one off installation it wasn’t a big deal to move some short cuts around so that all users could see, but that was an additional consideration when setting up one massive push.

A tiny bit of manual configuration for FOG

In a situation where something extra is needed, I almost always fall back on my old friend, the batch file.

I like to keep things separate, so while my batch file can live in the snapins folder just fine (/opt/fog/snapins) I like to keep the extra stuff in a new folder (ie /opt/fog/applications).  Your new folder needs to be readable via samba by all users. Anything that I call from one of the batch files lives here in applications, and in the case of something that gets updated a lot (ie HipChat, java, etc) I keep them named generic (HipChat.msi) instead of whatever the default is (HipChat.Win32.super.long.version.number.msi) so that I can drop a new version in place without having to make changes to my snapin.

Snapin configuration

For snapin configuration itself, all I do is upload the batch file, and for flags I usually put ” >c:\productname_install.log” so that I can have something to fall back on for troubleshooting, as the local FOG log isn’t very helpful and clears itself constantly.

The batch file

I wanted my batch file to uninstall the previous version, if applicable, install the new version, kill the process off (because as soon as it is installed, even in quite mode, it fires up hipchat as the user performing the installation, which in the case of a remote installation gives the user a notification that a window in the background wants their attention) and then copies shortcuts over to the all users start menu and desktop.

:: Uninstall the old version of HipChat
wmic product where name="HipChat" call uninstall
:: Install the new version of HipChat
pushd \\\applications
copy HipChat.msi c:\
msiexec /i c:\HipChat.msi /qn
:: Kill off the hipchat process
taskkill -im hipchat.exe /f
:: Copy the shortcuts over to all users
copy HipChat.lnk "c:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\"
copy HipChat.lnk c:\users\public\desktop\
:: Clean up
del c:\HipChat.msi


It works!  It did exactly what we needed it to do.

*Note we are still running on FOG 0.32, I have some new hardware becoming available soon and will be doing a total rebuild, which I will document here.