Force Rsync Command via SSH but Allow Any Directory

Recently, I needed to sync several directories on a backup / fail-over server with the same directories on a production server. Rsync over SSH takes care of this, but if you want to tighten security, you must use the “command” restriction in the SSH authorized_keys file — This restricts the authenticated key to running a single command, with a specific set of arguments. For example, let’s look at a typical command that might be run from a backup server to rsync daily database dumps:

Continue reading

Adding the nginx-plus Repository to apt-mirror and Puppet


Nginx Inc. provides access to the nginx-plus package and repository using SSL certificates. Their instructions cover the configuration of apt for Ubuntu, but for people using apt-mirror and Puppet to manage their internal servers, additional custom configurations are required.

The standard apt configuration for nginx-plus might look like this:

The connection to the nginx-plus repository must be made using HTTPS and authentication is handled by client certificates. As provided, apt-mirror is not able to manage SSL certificates, so two sections in the apt-mirror script must be modified. The %config_variables array defines the settings read from its configuration files. We will add the ‘certificate’, ‘private_key’, and ‘ca_certificate’ settings to the array.

Continue reading

Remove MultiArch / i386 in Ubuntu with Puppet

Here’s a little snippet I use to remove multiarch / i386 support from Ubuntu with Puppet.

Continue reading

Multiple MongoDB Instances with Ubuntu’s Upstart

Recently a client asked me to setup multiple instances of MongoDB on a Linux Ubuntu server. Ubuntu does not use standard /etc/init.d/ scripts, instead it uses upstart, an event-based replacement for the /sbin/init daemon, that handles starting of tasks and services during boot, stopping them during shutdown and supervising them while the system is running. Upstart uses it’s own limited syntax to describe a service or task. I tried launching several processes from a single upstart config, but upstart could not track the service properly. Instead, I broke-up the upstart script into two — one master to define the instances, and another to start each one independently.

Continue reading

Shell Script to Route Multiple Public/Private Interfaces

If you have a server with multiple interfaces – either public and/or private – your routing table might look something like this:

This example shows one private interface with IP, two public interfaces with IPs and, and a default route to This means that any traffic to/from an IP outside the interface’s subnets is sent to — and this is where problems occur (and probably why you’re reading this article). ;-)

Continue reading