Felt motivated….

Made some changes to old cringeworthy pages I’ve not touched in years, laughed at the old servers, might delete later 😀

The Servers page updates were good laugh, who said Moore’s Law didn’t apply any more? My alarm clock now has more computing power than they did.

I’ve also cleared all the dead / old links from the sidebar and put in more current ones. I’d add my Github page if it wasn’t empty.

Oh and why are people still hitting my RPM packages pages? They’ve been gone for years and like disco and Big Brother they’re not coming back.

Is this thing still on?

Holy hell, I remembered I had this thing.  I literally hadn’t posted here for over half a decade. Too busy with work, my better half and Skyrim / Eve Online / Witcher. etc etc.

To be honest I am certain as death and taxes that long form blogging is fairly dead, so I’ve not missed it.  “Social media” has changed a ton since 2011 and who can be arsed with serious discursive blog posts when you can simply quickie-shitpost on Twitter and Reddit instead?

Instant messaging? Oh that’s gone, I even switched off my Jabber service ages back, uninstalled Pidgin because honestly I can be contacted by anyone I care about via Facebook/Slack/Steam/LinkedIn – I don’t need / want MSN/ICQ/AIM/Jabber and friends anymore, too much redundant, obsolete clutter

So yeah don’t expect lengthy updates or diatribes here often. Most don’t care – they’re here for the occasional techie post / howto.

Which reminds me: I’m devops these days. I’m done with traditional systems admin and it’s going the way of “operator” accounts and COBOL outside of banks. I’m getting too old for that shit and I sleep through those dead-of-night phone calls

If someone wants me to get up at some ungodly hour to hand-fix some broken infrastructure I’ve got some bad news for them:

You’re doing it wrong.  Infrastructure as code is the way to go, and track that with revision control. Most of your breakage is because someone is cowboying it, poorly.

This site’s just been migrated off an ancient CentOS 5  Rackspace VM (originally a 512mb Slicehost box)  to AWS EC2 using purely CloudFormation and Ansible roles/plays. I can (and have) recreated the whole shebang with a couple of commands. The only tinkering is around the security groups/network ACLs around IPv6 (since backported into code)

Hell even the database migrations were done in Ansible (yeah yeah I know about AWS DMS too, shaddap)

It’s the best thing I’ve done for my personal infrastructure in ages because I actually know how it’s configured , can rebuild/migrate as I need to and still have time to do other things rather than slave away in vim in an SSH session  😀

…and it runs reliably (touch wood.)

Moving domain registrars – NoDaddy Day

My domains are currently registered with GoDaddy, which seemed like a good idea at the time but given the company’s and their CEO Bob Parsons’ blatant disregard for customers, common decency, ethics and acceptable business practices I’m moving them en-masse to different registrars.

As for why? Let me count the reasons:

  1. GoDaddy Faces Boycott over SOPA support (Goodbye a free Internet, hello online feudalism. Don’t believe their attempts at backtracking, merely an ill-considered public relations move that’s fooling noone)
  2. CEO Shot Female Elephant, Not Bull (Bob Parsons, CEO – thinks it’s perfectly fine to hunt elephants for sport, fails to CYA. Welcome to the 18th century Bob)
  3. SOPA debate puts GoDaddy in hot water over domain transfers (GoDaddy limiting outbound domain transfers – either you simply don’t have the capacity or you’re outright dodgy dealing IMO)
  4. Need I say more about their cringe-worthy advertising and “Go Daddy Girls”?

As I host my own DNS services (Motto: “If you want it done right, do it yourself – including screwups”) I expect little to no downtime.

For folks unfamiliar with the proposed legislation (and if you’re a savvy user in the US and don’t – why not!) go and read about it right now! Do you want commercial enterprises and government flodging complaints and taking down lawful domains/content with impunity and no legal recourse? Stifling innovation and competition by allowing said bodies to simply muzzle online ideas that don’t suit their worldview?

Not I. So on the 29th (if not earlier) I’ll be participating in the great exodus from GoDaddy to a registrar that actually cares for the state of the global Internet.

For reference, here’s some info on the bills in question:

Seriously – in comparison Steven “I’m not bought by the Australian Christian Lobby, really!” Conroy’s Australian internet filter is positively mild 🙁


A response to Danny Nalliah

(Non-technical post: Fedora folks can skip this if they like, I just feel the need to rant as this offends me deeply)

Context: My city of Brisbane, Australia is currently experiencing the worst floods in the region since 1974; Outlying areas and regional towns and cities are cut off and practically underwater. 9 have died and 72 people unaccounted for in Toowoomba, about 1hr outside of Brisbane.

This evangelical preacher, Pastor Daniel Nalliah of “Catch The Fire” Church believes this is his God’s wrath for an ex-Prime Minister asking the state of Israel to participate in the Nuclear Non-Proliferation Treaty)

Here’s my response: Originally sent as a comment, but posted here for posterity (and because I suspect Pastor Nalliah has the moral courage to approve comments not matching his own viewpoints)

As a Brisbanite currently preparing for the worst of these floods I take extreme offense to this post and the ignorant, spiteful rhetoric you appear to espouse.

To blame natural disasters affecting hundreds of thousands of people on a politician’s failure to back your *political* belief of choice is utterly vile and as un-Christian as a person of sound mind can conceive.

I (as a practicing Zen Buddhist amenable to the core beliefs of other faiths) have been under the impression that Christ and his followers showed compassion to their brothers and sisters, especially in times of hardship? Am I mistaken? Is compassion in your church only applicable to those who follow your beliefs in lock-step fashion?

If you are truly a Christian (or a decent human being of any ethical / moral character irrespective of believe or lack thereof) then you’ll recant your comments and apologize to the people of Brisbane.

If you truly believe in your heart that the people of Brisbane deserve to suffer because a former Prime Minister’s reasonable call for a government to disengage from creation / proliferation of weaponry capable of killing millons – then frankly I pity you and consider you a poor excuse for a human being with no place in providing ethical and moral guidance to anyone and may your God have mercy on *you*.

While I doubt that this comment will be posted to your site at all (as I’m not preaching to the choir :-)) I would be sincerely interested in a considered response. I will also be posting it to my own blog for the consideration of others, even if you fail to publish it.


Michael Fleming

Pardon the disruption..

Due to a lost / corrupted GPG keyring and passphrase I’ve had to issue a new RPM signing key for my ThatFlemingGent repository. I’m fixing the breakage now and I can’t say I’m too pleased, it’s a pain in the proverbial nether regions I (and users!) can do without.

On the topic of packaging – the observant have noticed I didn’t do an F13 branch anyway – I simply don’t have the time and frankly my own hackish scripts can’t keep up with the pace anymore, so I’m scaling back to maintaining my Fedora/EPEL packages and my own RHEL/CentOS package set – the latter mainly as I use CentOS 5 on my infrastructure and I/others still want the Courier IMAP packages, or so AWStats tells me 🙂

I have however done a LOT of work on modules for the Puppet configuration management system, mainly as part of my daily work – 69 in total (not-so-gentlemen start your entendres) some of which I may extend / put up for public use (with permission) and help my fellow sysadmins.  Puppet is in both Fedora and EPEL (and fairly current too – I’m waiting for 2.6.0 to hit stable as it will fix some problems in my work environment *hint*)

Oh, and a “dear lazyweb” to finish – having worked extensively with PostgreSQL for the last 10 months I’ve become something of a fan and looking to move off my MySQL instances (which don’t perform as well) – any suggestions for a good PostgreSQL backend blog/CMS?

(I know Drupal already and it’s not my preference; Django-based stuff is out too through painful experience. Rails? Perhaps with a good mod_passenger package?)

Going dark…

Don’t be alarmed, I’ve not been compromised 🙂

In support of the Open Internet / No Clean Feed initiatives fighting proposed mandatory Internet filtering here in Australia, I’m “turning the lights out” on my site until the 29th.

The Great Australian Internet Blackout site (http://www.internetblackout.com.au) has more info – support us if you can, on and offline.

Keeping afloat in a binary ocean


One of my pet peeves as a guy who likes to say his piece online is the number of really interesting and useful technologies / ideas completely ruined by lazy attempts at marketing by even lazier “salesmen” and marketers.

Look at email – DKIM/SPF/DNSBLs/greylisting just to keep the signal to a sane level. I don’t accept IM’s from contacts not already vetted and authed, I’d be flooded..

Social media is no different, alas. I have accounts on both Twitter and Identi.ca and the former attracts enough bot followers that I routinely clean them out (no for the nth time I don’t want to see Britney naked; we’ve all seen it and we’re still paying for the eyebleach. Cheers)

Getting it right takes only a little  effort. Lauren Cochrane, an old colleague of mine who now works for the RSPCA nails this on the head – you need to balance your “brand” with being human ; don’t fail the Turing test.

While it’s easy to write up a bot to spruik a message cheaply and efficiently (especially to services with a free, public API like Twitter or Laconica, although thankfully identi.ca/Laconica aren’t as badly affected) it’s a huge turnoff for a lot of people and ineffective – the sign of laziness / ignorance in my rarely humble opinion. If your product / “brand” has real worth then it should be very easy to talk about it earnestly and openly and give it a bit more depth – Lauren cites commenting and relaying information relating to your interests, even a few pics here and there just to assure your community you don’t end in .sh 🙂

Be interesting, discuss useful ideas, show you’re the real deal and they’ll come – something that F/OSS communities are also very good at. Are you reading me via Fedora Planet? See the posts above and below mine? These are great examples – a potpourri of diverse people, places and posts not essentially directly free software or Fedora related. The community works well and brings in more people simply because it has this depth, it’s not strictly dry technical talk.

If you can’t do that with your product / “brand”, then go buy a sandwich board / billboard we can choose to ignore if we want to while we go about our business. There’s enough noise in traditional advertising without adding to it here, there’s no need to force a broken old model on a medium built in an essentially polar-opposite fashion.

Other stuff:

I seem to have a spam dry run – for the first time since I started using email (1994, I’m a relative newbie) I have 0 spam in my junk folder. Either I have achieved some sort of email enlightenment, my setup is too hardcore for current spammer tricks or something is horribly wrong. The irony is that my secondary MX has no greylisting or spam filtering on it yet – just when you think you’ve seen it all something can still surprise you.

As heretical as it sounds I may have to lay off the caffeine, as my poor old brain doesn’t seem to cope well (beware the wired sysadmin!) plus for some reason instant coffee makes me sleepy (hey, that’s not meant to happen! Stimulants anyone?) Fortunately I dislike anything that I haven’t ground myself or at least been beans recently.

Any suggestions for good quality green tea are welcomed 🙂

Another closed protocol failure…

It looks like the Microsoft Windows Live Messenger Service protocol servers are unresponsive tonight (http login still works) – I’ve got some friends from old workplaces and other Windows hold-outs using it, so I still have an active account.

If you haven’t convinced friends/loved ones/co-workers to switch over to a decentralised, completely free and open protocol like XMPP, now is a good time! I’ll be making some gentle suggestions to the abovementioned holdouts 🙂

Fedora has a slew of options for all the common desktop managers as well as the console (I look after mcabber for instance) and there’s excellent options for your Mac / Windows friends in Pidgin, PSI, Pandion et. al

At least with the XMPP network one downed service doesn’t bring down the  whole house, especially with cluster-aware servers such as ejabberd freely available and plenty of open, public services around.

Getting a PowerDNS recursor up and going, fast!

This post is another one of my “quick and dirty” service tutorials

This time, I’ll cover getting a recursive DNS service up and going, using the PowerDNS recursor package. Traditionally Red Hat/Fedora users would opt for BIND (with or without the old “caching-nameserver” package of old) but I like to be a little different. Plus:

  • PowerDNS has an excellent security record (was not affected by the Kaminsky DNS vulnerability)
  • It’s small and does only the job it’s intended for in the traditional small-tool UNIX philosophy (Authoritative DNS is the job of it’s “bigger brother” PowerDNS package)
  • It’s fast and very easy to configure (compare to djbdns for example, which is neither)

Installing the software

For Fedora users, it’s in the Everything repository so you can just install the package as below. Red Hat Enterprise Linux  / CentOS et. al will need to  add the EPEL repository first

To install, simply

yum install pdns-recursor

.. which will install the package and it’s dependencies (just lua and boost if you’re on a fairly fresh install)


It only needs a single configuration file in /etc/pdns-recursor/recursor.conf., so open it in your preferred editor

As it uses key = value pairs, it’s very easy to follow, well commented and the defaults are quite sensible.

Firstly, for security, change the “allow-from” to match your local subnets – this determines which address blocks our server will permit and answer recursive queries for.


If  you have local authoritative zones (especially private internal DNS) you may want to set forward-zones to tell the recursor to query those servers for domains

#format is zonename=dns.server.ip

forward-zones = internal.example.com=

If  you have a number of zones to forward queries for, you can use the forward-zones-file directive, which should point to a file containing the key-value pairs as above

By default, PowerDNS will listen on all interfaces but in practice will still prefer an explicit interface to listen on, so setting a local address via local-address is generally a good idea, especially if you’re multi-homed. It takes multiple addresses or even 🙂

# Listen on localhost and my NIC IP

local-address =,

For spotting common issues I like to have a little logging, but not much, so I set it to send common errors to syslog


For most uses, that’s all you need! Start the server via service pdns-recursor start and test it via dig/host

[mfleming@qbert ~]$ dig a www.thatfleminggent.com @

; <<>> DiG 9.5.1-P3-RedHat-9.5.1-3.P3.fc10 <<>> a www.thatfleminggent.com @
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6559
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;www.thatfleminggent.com.    IN    A

www.thatfleminggent.com. 2044    IN    A

;; Query time: 4 msec
;; WHEN: Sun Aug  9 14:19:19 2009
;; MSG SIZE  rcvd: 57

Oh, and before anyone asks: see the 3rd answer in the FAQ regarding presence/absence of Authority records in dig etc. output. It’s a feature, not a bug!

A little more advanced..

If you have IPv6 enabled networks and want to make best use of v6-enabled services, tell the recursor to look up AAAA records too (it’s not on by default, as it’s a little slower):


You can also send queries out over IPv6 using the query-local-address6 directive eg:


If you’re security conscious and don’t want any bogus records coming from g/TLDs that isn’t glue/delegations, use the delegation-only directive:



Keeping it simple isn’t stupid

GeoIP / IPv6

As an IPv6 enthusiast/proponent/fanboy I was really happy to see Maxmind finally put up a free-as-in-beer IPv6 GeoIP database[1]. Now to find some applications that will make good use of this data… 🙂

(Don’t worry, I’ll pull it into EPEL/Fedora GeoIP packages either way. It’s not a huge file)

Keeping it simple isn’t stupid, no sir!

I’ve worked with configurations in a variety of baroque formats, not limited to but including your common XML formats, Perl scripts (thank you cleanfeed/amavisd), python (ta maradns!), something that may be Erlang (ejabberd), lua (prosody) and have developed a fondess for the simple simpicity of a key = value pair config.

This is especially useful when you’re in a bind with a relatively unfamiliar piece of software, as I was this morning. The last thing you want to be faced with when you’re under the gun and need something working Right Now is some app developer’s bizarro idea of a sane config file, so keeping them simple and sensible is a huge plus – app developers take note, resist the urge to be too clever 😀

Say what you will about the old Windows .ini file, at least you know what you had to do with it

(The less said about the prank-gone-wrong that is registry hives the better and I’m glad UNIX vendors never took that particular drug :-))

PS. The application was qpidd from the AMQP stack, for reference and both it’s manuals – and Red Hat’s MRG Guides – helped immensely. Microbrews all around!

[1] http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz