Switching SSH keys between Heroku accounts

At times, I have to switch between a few different Heroku accounts. Apart from having to login again, the other annoyance is having the right SSH key active. If you don’t have the right SSH key active, (i.e. if the SSH auth agent has more than one key added to it, or if it has no keys at all), you’ll see errors that look like:

Your key with fingerprint: ... is not authorized to access <application-name>.
fatal: the remote end hung up unexpectedly

The proper solution for this involves configuring them in the SSH configuration files (~/.ssh/config or /etc/ssh/ssh_config). [See this article or ssh_config manpage for details]

But I’m loath to maintain all that configuration just for the sake of occasionally switching between accounts. Here’s what I usually do instead:

Clear any active identities (removing all ambiguity about which SSH key should be picked up for auth)
$ ssh-add -D
$ ssh-add -D
ssh-add key for the account
$ ssh-add ~/.ssh/an_account_key
$ ssh-add ~/.ssh/an_account_key
Push to Heroku
$ git push heroku-remote master
$ git push heroku-remote master

Of course, this assumes that the key is already associated with your Heroku account. If you haven’t, you can do that (after heroku login) with:

$ heroku keys:add ~/.ssh/an_account_key

Note: On Linux, if you’re on GNOME, the gnome-keyring-daemon keeps adding keys back to the auth agent as you keep trying to remove them with ssh-add -D. So, it’ll look like the command is not working. The solution is to disable the damn thing (Google for it). I find the daemon annoying for the popups it keeps throwing at me, so personally, I’d be glad to see it gone.

While I use this technique mostly with Heroku, this is useful for any situations involving SSH and multiple keys. It’s useful when switching between SSH accounts, or switching between GitHub accounts (or other Git accounts), and in general, anything involving switching SSH keys for SSH auth. Of course, if you find yourself switching between the same set of accounts (keys) frequently, consider configuring them using ssh_config.

[PS: This post is based on one of my SO answers: http://stackoverflow.com/questions/13752908/managing-multiple-ssh-keys-on-heroku/13876622#13876622]

Capture HTTPS traffic from Java applications with Fiddler

Fiddler usually works out of the box, with a few exceptions. One of those exceptions is capturing traffic from a JVM.

To capture plain HTTP traffic from a JVM, you can configure Fiddler as the proxy by setting these VM args:

-DproxySet=true
-DproxyHost=127.0.0.1
-DproxyPort=8888

[Note: Fiddler proxies at port 8888 by default]

Capturing HTTPS traffic (of course, to view it unencrypted in Fiddler), is slightly more involved. Here’s how to do that.

1. Export Fiddler’s Root Certificate

Click on Tools -> Fiddler Options… to open the Fiddler Options dialog.

Switch to the HTTPS tab, and click on Export Root Certificate to Desktop.

This will generate the file: FiddlerRoot.cer on your Desktop.

2. Create a JVM Keystore using this certificate

This step will require Administrator privileges (since keytool doesn’t seem to work without elevating privileges). So, open command prompt as Administrator, by right clicking on the Command Prompt icon, and clicking on Run as administrator.

Run the following command (replacing <JAVA_HOME> with absolute path to the JDK/JRE that you’re interested in capturing traffic from):

<JDK_Home>\bin\keytool.exe -import -file C:\Users\<Username>\Desktop\FiddlerRoot.cer -keystore FiddlerKeystore -alias Fiddler

This will prompt you to enter a password. Remember the password, as it’s required for the next step.

Once a password is entered, this’ll create a file called FiddlerKeyStore. Remember the path to this file, as we’ll be using it in the next step. You can, of course, move it to a more convenient location and use that path.

3. Start the JVM with Fiddler as the proxy, and the Keystore you just created as a Trust Store

Essentially, we’re asking the JVM to use Fiddler as the proxy, and to trust the keys in the Keystore we just created. Here’re the VM args to configure your Keystore as the Trust Store:

-Djavax.net.ssl.trustStore=<path\to\FiddlerKeystore>
-Djavax.net.ssl.trustStorePassword=<Keystore Password>

So, in effect, these are the VM args you’ll need:

-DproxySet=true
-DproxyHost=127.0.0.1
-DproxyPort=8888
-Djavax.net.ssl.trustStore=<path\to\FiddlerKeystore>
-Djavax.net.ssl.trustStorePassword=<Keystore Password>

That’s about it. Now, launch Fiddler, and launch your JVM (your Java application). Fiddler will start showing all HTTPS (and HTTP) traffic from the JVM in plaintext.

Setting up VM args in an IDE

If you’re using IntelliJ or Eclipse for development, you can set VM args in the Run Configuration dialogs. Here’s what they look like with the VM args populated:

Here’s the IntelliJ Run Configuration dialog with the VM args populated:

And here’s the Eclipse Run Configuration dialog with the VM args populated:

[PS: This post is based on one of my SO answers: http://stackoverflow.com/questions/8549749/how-to-capture-https-with-fiddler-in-java/8588914#8588914]

Take control of your Heroku Git repository

Have you ever wished to have a finer control over your Heroku git repository? There’s a neat little Heroku plugin that gives you just that: heroku-repo.

Around the first release of my current project, things were happening in a frenzy. There were plenty of last minute fixes, and each of them would get built and pushed to our staging instance. On occasions, when people couldn’t wait for the build to finish (wasn’t a particularly long build though), or when the build was a bit flaky, they’d push directly to the Heroku staging repo. At some point, Heroku started rejecting our pushes, because it’s git tree had diverged from ours. It wasn’t nice, but we resorted to doing force pushes to the Heroku git repo from then on.

Once the release frenzy was over, I started investigating the issue. I started by trying to get a local clone of the Heroku repo, to see if I’d find something there, but it kept timing out. I opened a shell on the staging instance and tried searching for a repo somewhere there, but in vain. Heroku doesn’t host the repo from there. I had pretty much decided to blow up the staging app and recreate it, when I found this plugin.

It’s a plugin for the Heroku toolbelt that, in a sense, gives you raw access to the git repo that your Heroku application uses. Using this, I managed to download the git repo locally, which took quite a while because the repo had grown to some insane size (was a few hundred MBs, nearing a GB). Digging into the repo, I found a huge pack file that was causing all the issues. I suspected it to be because of a huge binary accidentally checked in by a team member, but my git-fu isn’t really good enough to say for sure. Running a gc on the repo using the plugin didn’t really help. So, I was still left with having to blow up and recreate the staging app.

I thought it’d be nice if I could just reset the Heroku git repo, and start over instead of having to recreate the app (and then add all the addons to it, which was a bit of a hassle since there were paid addons and I’d have to contact the instance owner to re-enable them). So, to figure out where the repo is hosted and how the plugin manages access it, I went through the plugin source code. Turns out, the repo is hosted on S3, and Heroku toolbelt exposes the S3 URL to it’s plugins. Better yet, the plugin itself had an undocumented command to reset and upload an empty git repo back to S3 🙂

This is pretty amazing. I can now start over with a clean repo in case my Heroku repo is messed up for any reason. On top of that, I can now deploy an entirely new app into my Heroku instance without leaving any dangling commits (not that it’s a common usecase, or even a useful one). See this protip for details: https://coderwall.com/p/okrlzg.

To install the plugin, do:

$ heroku plugins:install https://github.com/lstoll/heroku-repo.git

Here’s a few commands that I found useful:

Download the Git repo as an archive (useful when you can’t clone from Heroku)

      $ heroku repo:download -a appname

GC the repo (on Heroku)

      $ heroku repo:gc -a appname

Reset the repo and upload an empty repo

      $ heroku repo:reset -a appname

The plugin has a few more useful commands. Do check it out on GitHub: https://github.com/lstoll/heroku-repo. Also, I’d recommend going through it’s source code to see how it works. I thought it was pretty neat.

Missing ldconfig and /etc/sudoers

I was trying to upgrade my Ubuntu installation to 12.10 (Quantal Quetzal), and the update manager (Muon) kept failing with error messages like:

dpkg: warning: 'ldconfig' not found in PATH or not executable.
dpkg: warning: 'start-stop-daemon' not found in PATH or not executable.
dpkg: error: 2 expected programs not found in PATH or not executable.
Note: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.

which ldconfig as root returned /sbin/ldconfig, and of course, root‘s $PATH had /sbin in it, so, couldn’t think of a reason why the updates were failing. But a bit a googling led me to the sudoers file (/etc/sudoers)

Muon, and in turn apt-get, use sudo for installing stuff. And sudo starts with an empty/default ENV, if it’s either been compiled with –with-secure-path, or if env_reset has been set in the sudoers file. In my case, env_reset was set in the sudoers file, so, sudo‘s ENV didn’t have /sbin in it. In case of env_reset, you should provide a secure_path, which’s the $PATH that any sudoed process would use. So, after the fix, my /etc/sudoers looks like:

Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

In case you’re seeing the error, but don’t have env_reset set in your sudoers file, then it’s likely that your version of sudo was compiled with -with-secure-path. To see the options that your version of sudo was compiled with:

$ cat /usr/share/doc/sudo/OPTIONS

Ruby 1.9.3 segfault in OSX Lion due to OpenSSL

I just set-up my new MacBook Pro, running OSX Lion (10.7.3), for Rails development. Installed rvm, installed Ruby 1.9.3 using rvm and did a gem install rails -v 3.2.3. Everything went fine, until I tried to create a new rails app.

rails new <app_name> would create the app structure, but would then fail with a segfault in http.rb. Here’s what the stacktrace looked like:
... run bundle install /Users/CodeMangler/.rvm/rubies/ruby-1.9.3-p125/lib/ruby/1.9.1/net/http.rb:799: [BUG] Segmentation fault ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-darwin11.3.0]

— Control frame information ———————————————–
c:0038 p:—- s:0217 b:0217 l:000216 d:000216 CFUNC :connect
c:0037 p:0011 s:0214 b:0214 l:001570 d:000213 BLOCK /Users/CodeMangler/.rvm/rubies/ruby-1.9.3-p125/lib/ruby/1.9.1/net/http.rb:799
…

So, the failure was while doing a bundle install at the end of creating a new rails application, which’s new in rails (to me anyway. It’s been a while since I last looked into rails).
Googling for ruby segfault in http.rb pointed towards issues with OpenSSL. Then I found this post that describes how to fix the issue: http://www.rojotek.com/blog/2012/01/20/how-to-get-openssl-in-ruby-1-9-3-working-on-osx-10-7-fixing-the-segmentation-fault-with-ruby-openssl/

It tuns out, you’ve to install the openssl package for rvm, and then, while installing ruby, point it to use this version of OpenSSL.

To quote steps from the post:

$ rvm pkg install openssl $ rvm remove 1.9.3 # uninstall the existing version, if you've installed one $ rvm install 1.9.3 --with-openssl-dir=$rvm_path/usr --with-gcc=clang

Do that, and you should be all set. I tried creating a new rails app after that, and it went through just fine. Also, from googling, it appears that if it’s a segfault in http.rb, it’s most likely due to OpenSSL.

Tabby – the missing tab switcher for eclipse

My job for the past few years primarily involved developing eclipse based applications, and so, I’ve had to use eclipse full-time for quite some time. My pet peeve with eclipse has always been it’s usability. It’s not particularly keyboard friendly (not the same as having a gazillion keyboard shortcuts, which eclipse has plenty of), and the UI is just plain clunky. One thing that particularly annoyed me at some point was, not being able to conveniently switch between open tabs (editors, views), like you can with most other IDEs and text editors. Before you say it, I know there’s a Ctrl+F6 that brings up a quick switcher for editor tabs, but come on, it’s not even close to what I’d like it to be. And no, reassigning it to Ctrl+Tab just doesn’t cut it.

So, I went ahead and wrote tab switcher for eclipse sometime last year. Never really released it though, since there was always that one little feature I could add before it was “done”, and I never had the time for it. Regardless, I’ve been using it for some time, and it works just the way I like it. If you ever missed having a decent tab switcher for eclipse, try this one out.

Screenshot

Tabby Screenshot

Default Key Bindings

Ctrl+Tab – Cycles through the list of open editors and views
Ctrl+Shift+Tab – Cycles through the list of open editors and views, in reverse
Esc – Switches focus to the last active editor. Useful when you’re navigating through views and would like to quickly get back to editing.

Installation

The update site for the plugin is currently hosted at: http://dharampal.in/projects/tabby/updatesite

To install:

Open eclipse
Go to Help -> Install New Software…
Copy the update site URL and paste it in the dialog that shows up
Follow the dialog to finish installation

You can also download the update site as an archive from here: http://dharampal.in/projects/tabby/tabby-1.0.1.zip [30KB]

You can grab the sources from GitHub here: https://github.com/CodeMangler/Tabby

Subtext

Subtext is a visual programming language where you express the application logic in a tabular fashion. I’m not gonna try to explain Subtext in this post. You can find out more from its homepage: http://subtextual.org/.

I learned about Subtext nearly 2 months back. It sounded interesting, but all I could find on the site were 2 screencasts and a bunch of papers. Apparently, it’s still a research project and the prototype used in the screencast isn’t publicly available yet. I was a little disappointed, and almost forgot about it until today.

Today, someone posted this link on programming reddit where someone had posted a link to the the page where Jonathan Edwards (Subtext creator) has posted a link to the prototype used in the demo! (hmm.. that was just 3 indirections 😀 but still, here’s a direct link to the download if all that confused you: http://subtextual.org/subtext2.zip ) Yay! Finally, something for me to dabble with 🙂 And guess what, it’s even got the sources! 🙂

I’m not expecting much from the prototype (not yet). Good if it’s mature enough for me to go beyond the hello worldish programs. Even otherwise, I’m happy just to play around 🙂

Scatterbrain

Semi-organized collection of thoughts, notes and anything else I feel like writing about

Menu

Category Archives: Software