S4E6: "Be a Rancher, Not a Vet"


Log
Recorded (UTC)        Aired (UTC)           Editor
2019-05-02 02:14:53   2019-05-13 04:10:34   "Edita"

Verification
Format   SHA256
MP3      3a7db17b9807115912cdf25774510e3556008661c378d798d51d6962feff5988
OGG      77ba96228f81115acfce87b36b061a69b21fb4575be3adc7804d96e86b2c8b31

Paden couldn’t join us, so Jthan and I talk about enterprise desktop fleet management.

Just the Tip

  • Paden’s tip was postponed to next episode (because he wasn’t able to join us), so Jthan and I talk about Nginx optimization/quick Nginx performance improvements.
    • Caching
      • Good for lots of responses.
      • Nginx was primarily and initially designed to be a caching reverse proxy, so there are a lot of resources available on it.
      • Caching technical details can be found in RFC 7234.
    • Gzip compression
      • Good for large responses.
      • The Nginx configuration details can be found here.
      • You can find more details about HTTP gzip (de)compression in RFC 2616 § 3.5.
    • It’s important to really understand location block handling.
      • And test them too! (Nginx also has a built-in configuration validation – nginx -t.)
    • There are also a lot more tricks you can do that we don’t go into.
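As an added example (not from the episode, and not a configuration either of us runs), here is a single reverse-proxy vhost that exercises the three points above: a response cache, gzip limited to responses where it pays off, and location blocks whose precedence is spelled out. The upstream address, paths, server name and zone names are placeholders.

```nginx
# Added example, not from the show. All names and paths are placeholders.

# Cache storage: 10 MB of keys in shared memory, up to 1 GB on disk,
# entries not touched for 60 minutes are evicted.
proxy_cache_path /var/cache/nginx/app levels=1:2 keys_zone=app_cache:10m
                 max_size=1g inactive=60m use_temp_path=off;

upstream app_backend {
    server 127.0.0.1:8080;          # placeholder backend
}

# Compression: large, text-like responses only. Already-compressed types
# (images, archives) only burn CPU, and tiny responses cost more than they save.
gzip            on;
gzip_comp_level 5;
gzip_min_length 1024;               # bytes
gzip_vary       on;                 # emit Vary: Accept-Encoding so caches key per encoding
gzip_proxied    any;
gzip_types      text/plain text/css application/json application/javascript
                application/xml image/svg+xml;
# Caveat: compressing a TLS response that mixes user-controlled input with a
# secret (e.g. a CSRF token) exposes the BREACH side channel; keep gzip off
# for such dynamic pages and compress static assets only.

server {
    listen 80;
    server_name example.com;        # placeholder

    # Location precedence, most to least specific:
    #   1. exact "=" match
    #   2. longest prefix match carrying "^~" (regexes are then skipped)
    #   3. first matching regex ("~" / "~*") in file order
    #   4. longest plain prefix match
    # So /static/app.js is served by the "^~ /static/" block, not by the
    # regex block below it, even though the regex also matches ".js".

    location = /healthz {
        access_log off;
        return 200 "ok\n";
    }

    location ^~ /static/ {
        root /srv/app;              # placeholder
        expires 7d;
        add_header Cache-Control "public";
    }

    location ~* \.(?:js|css|png)$ {
        # Reached for e.g. /assets/logo.png, which no "^~" prefix claims.
        root /srv/app;
        expires 1d;
    }

    location /api/ {
        proxy_pass http://app_backend;
        proxy_cache app_cache;
        proxy_cache_valid 200 301 302 10m;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout updating;
        proxy_cache_lock on;        # one upstream fetch per missing key, not a stampede
        # Never serve one user's authenticated response to another (RFC 7234 § 3):
        proxy_cache_bypass $http_authorization;
        proxy_no_cache     $http_authorization;
        add_header X-Cache-Status $upstream_cache_status;
    }

    location / {
        proxy_pass http://app_backend;
    }
}
```

Validate with nginx -t before reloading; it catches syntax errors and a missing cache directory but not precedence mistakes, so also request a few representative URLs and read the X-Cache-Status header (MISS, HIT, BYPASS, STALE) to confirm that each path lands in the block you intended.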

Notes

Starts at 26m48s.

I was drinking Guinness Extra Stout. Jthan was drinking Hogback rye whiskey.

  • Managing enterprise desktop/workstation fleets.
    • Network performance is the most important component to managing enterprise workstations.
      • Your addressing (CIDR) suffix has to be large enough and (if using IPv6) your prefix has to be properly handled (ideally with SLAAC).
      • Cross-site bridging and routing need to be properly set up.
      • Traffic flow/throughput needs to be managed.
    • We didn’t mention it on-air, but VLANing is great for security benefits and department segregation.
    • Hardware profiling/specification.
      • Thin clients, hybrid clients, and “fat” clients.
        • Thin clients are awesome for this, assuming you can use them in their relevant roles.
      • Fat clients are almost never ideal. If anything, hybrid clients are where you’d want to go with this in the event of momentary network outage.
      • Prime takeaway of hardware decision-making is your data should be managed centrally.
    • PXE and/or especially iPXE is fantastic for hybrid and fat clients.
    • Inventory management/asset tracking is also very important.
      • Ideally this should be managed with QR codes or barcodes and a scanner for quick inventory management, but it should be tied to something in the hardware serial numbers as well so configuration management can access these and hook into your inventory management.
    • Needs/role segregation.
      • Jthan doesn’t know “cattle, not pets” is a thing.
      • It’s key to remember that sometimes you have different “livestock”, depending on the role/department that machine serves within your organization.
    • Centralized user identity management/authentication.
      • Active Directory is ideal for pure-Windows environments. Pure LDAP is ideal for Linux/*NIX-like environments (see our FreeIPA episode, S2E10 and episode S3E1 as well!). Kerberos for mixed-platform environments (though every major platform should work well enough in an AD environment, with various levels of pain and agony).

15 Clams

In this segment, Jthan shares with you a little slice of life. The title is a reference to this video. (2m16s in)

Starts at 47m25s.

Jthan revisits S4E5 thanks to a conversation he had with Nosbig.

Jthan ponders how to best manage simultaneous multi-destination backups.

Nosbig performs a local borg backup archive, and then rsyncs his borg repository to a remote location. Jthan worries about bad snapshot propagation. Borg has a verification feature, and rsync is unlikely to corrupt in transfer, but Jthan (and I) agree that ultimately it’s probably better to just have different destinations and create fresh snapshots in each.

Errata

  • Paden was at IBM Tech University and due to hotel networks being terrible was unable to join us.
  • The law on home distilling is murky at best and can vary from state to state. But there is one thing clear: I was absolutely wrong and you need a license to home distill beverage alcohol, no matter what quantity (admittedly, the license is easy to get).
  • Vault developers don’t like it being reverse-proxied – at least in the past (although it is perfectly possible, and possible to do well, and something I do).

Music

Music Credits
Track   Title             Artist    Copyright/License
Intro   Another Reality   Delirix   CC-BY-ND 3.0
Outro   Slave Racer       Savvier   CC-BY-ND 3.0
(All music is royalty-free, properly licensed for use, used under fair use, or public domain.)
