Force Rsync Command via SSH but Allow Any Directory

Recently, I needed to sync several directories on a backup / fail-over server with the same directories on a production server. Rsync over SSH takes care of this, but if you want to tighten security, you must use the “command” restriction in the SSH authorized_keys file — This restricts the authenticated key to running a single command, with a specific set of arguments. For example, let’s look at a typical command that might be run from a backup server to rsync daily database dumps:

Continue reading

Adding the nginx-plus Repository to apt-mirror and Puppet


Nginx Inc. provides access to the nginx-plus package and repository using SSL certificates. Their instructions include the configuration of apt for Ubuntu, but for people using apt-mirror and Puppet to manage their internal servers, additional custom configurations are required.

The standard apt configuration for nginx-plus might look like this:

The connection to the nginx-plus repository must be made using HTTPS and authentication is handled by client certificates. As provided, apt-mirror is not able to manage SSL certificates, so two sections in the apt-mirror script must be modified. The %config_variables array defines the settings read from its configuration files. We will add the ‘certificate’, ‘private_key’, and ‘ca_certificate’ settings to the array.

Continue reading

Remove MultiArch / i386 in Ubuntu with Puppet

Here’s a little snippet I use to remove multiarch / i386 support from Ubuntu with Puppet.

Continue reading

Multiple MongoDB Instances with Ubuntu’s Upstart

Recently a client asked me to setup multiple instances of MongoDB on a Linux Ubuntu server. Ubuntu does not use standard /etc/init.d/ scripts, instead it uses upstart, an event-based replacement for the /sbin/init daemon, that handles starting of tasks and services during boot, stopping them during shutdown and supervising them while the system is running. Upstart uses it’s own limited syntax to describe a service or task. I tried launching several processes from a single upstart config, but upstart could not track the service properly. Instead, I broke-up the upstart script into two — one master to define the instances, and another to start each one independently.

Continue reading

Shell Script to Route Multiple Public/Private Interfaces

If you have a server with multiple interfaces – either public and/or private – your routing table might look something like this:

This example shows one private interface with IP, two public interfaces with IPs and, and a default route to This means that any traffic to/from an IP outside the interface’s subnets is sent to — and this is where problems occur (and probably why you’re reading this article). ;-)

Continue reading

Optimize Images to Save Bandwidth and Speed Page Load

A few weeks ago I mentioned the script from GitHub to optimize images, and how I had modified it to keep (or discard) the EXIF / XMP information. Making sure images are as small as possible is important to save bandwidth and improve page load times (and google rank), so I think it’s worth discussing my image optimization process in more detail.

Continue reading optimize script for jpeg, png, and gif

To improve page load times (and Google ranking), you should make sure all jpeg, png, and gif files are properly optimized. Instead of writing my own script for jpegtran, pngcrush, and gifsicle, I used Mike Brittain’s script on GitHub. It works great, though I did have to modify it to change the “jpegtran -copy” parameter it uses — I need to keep the EXIF on larger files, and strip it from thumbnails. I posted the diff on the GitHub Issues page.

Update 2012-12-31 : In case Mike doesn’t merge my diff, with the addition of the --copy=[all|comments|none] command-line argument (see my comment bellow for more info), you can download the patched script here instead.

Continue reading

Enable Autocomplete for root on Mac OS X

Are you frustrated by the lack of autocomplete in root’s shell on Mac OS X? I’ve tried a few different solutions, and the easiest / simplest I found is to create an /etc/inputrc file (chown root:wheel and chmod 644) with the following text.

The /etc/inputrc file is used by readline — the input-related library used by bash and most other shells. GNU’s readline init file syntax page documents all the available settings, and Gerard Beekmans Linux initrc file page shows a common initrc for Linux.

Continue reading

Autossh Startup Script for Multiple Tunnels

When an encrypted VPN is not available, the next best solution is usually port-forwarding one or more port(s) through an SSH tunnel. The down-side of SSH is that by itself it cannot maintain a persistent connection — network issues may force the tunnel to stop responding, or even drop completely. Autossh is a small front-end for SSH that can monitor the connection, and restart the tunnel if it drops or stops responding. I found that the startup scripts available for autossh on the internet were a little too basic for my needs — I wanted autossh to start multiple connections, and to start/stop each one individually if I needed — so I wrote my own.

Continue reading

WordPress OS Disk Cache Report, Prime and Flush

I wrote a bash script this morning to report the size of WordPress cache folders, the number of files they contain, read each file to prime the OS disk cache, and optionally flush the OS disk cache as well. This might be a script you could execute to email a daily/weekly report of cache folder sizes, or perhaps execute during/after booting a server to prime the OS disk cache, or even on a regular schedule to make sure the OS cache is always primed. The script also has a “flush” argument to sync and drop the OS disk cache, which isn’t very useful (to me) except to see the difference in speed between a clean and primed cache (about 11s vs 0.4s for all websites on my server).

Continue reading