menu

Category: How-To Guides

The How-To Guides category is for posts that explain how to fix an issue, configure a device or a piece of software, or make something work.

Posted on by Arnon Erba in How-To Guides

On Windows and macOS, Stata can be configured to check for updates automatically with the set update_query command. However, there are a few drawbacks to this approach.

For one, this feature isn’t present on the Linux version of Stata. For two, this command doesn’t actually update Stata — it just enables update notifications. Stata will still need to be manually updated by someone with the permission to do so.

If you’re running Stata on a standalone Linux server or an HPC cluster, you may be interested in having Stata update itself without any user interaction. This is especially useful if Stata users do not have permission to update the software themselves, as is often the case on shared Linux systems.

We can enable true automatic updates with a cron job and a Stata batch mode hack:

0 0 * * 0 echo 'update all' | /usr/local/stata16/stata > /dev/null

Adding this line to root’s crontab will cause the update all command to be run every Sunday at 12am. Standard output is piped to /dev/null to prevent cron from sending unnecessary emails.

As always, think carefully before enabling automatic updates for mission-critical pieces of software. However, this approach can save time over updating Stata manually.

Posted on by Arnon Erba in How-To Guides

Ubuntu has been using update-motd as a MOTD (Message of the Day) generator for several years. Some of the default messages — such as the number of available security patches — can be helpful, but not everyone likes being greeted by a barrage of text every time they log in to their server. In this article, we’ll explore how to adjust, disable, or replace the dynamic MOTD in Ubuntu.

Before You Begin

If you’d rather work with update-motd than turn it off, detailed documentation for changing its output is available in the man page for update-motd. Essentially, the dynamic MOTD is generated by a collection of executable scripts found in the /etc/update-motd.d/ directory. These scripts can be updated, removed, or reordered, and new scripts can be added.

Disabling the Dynamic MOTD

While Ubuntu does not provide a straightforward way to remove update-motd, it’s possible to disable it by adjusting a few PAM options. Two lines, found in both /etc/pam.d/login and /etc/pam.d/sshd, cause update-motd to run on login:

session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

Commenting out these lines in both files will prevent the pam_motd.so module from being loaded and will disable the dynamic MOTD.

Bonus Section: Enabling a Static MOTD

If you still want a message printed to the console on login, you can fall back to a static MOTD. Per the man page for sshd_config, OpenSSH can easily be configured to display a static MOTD:

PrintMotd
Specifies whether sshd should print /etc/motd when a user logs in interactively. (On some systems it is also printed by the shell, /etc/profile, or equivalent.) The default is “yes”.

Ubuntu disables this option by default and incorporates /etc/motd into its dynamic generator, but we can re-enable the option to make /etc/motd work again. Add or uncomment the following line in /etc/ssh/sshd_config and restart the OpenSSH daemon to have OpenSSH print /etc/motd on login:

PrintMotd yes

Sources

Posted on by Arnon Erba in How-To Guides

(Editor’s note: This post has been updated since publication to fix broken links.)

If you have a recent business-class Dell PC with TPM version 1.2, you may be able to upgrade it to TPM version 2.0. Several Dell models are capable of switching between TPM version 1.2 and 2.0 provided a few conditions are met.

Prerequisites

First, your PC must support switching to TPM 2.0. Most supported models are listed in the “Compatible Systems” section of the instructions for the Dell TPM 2.0 Firmware Update Utility itself. If you can’t find your system in that list, there’s a good chance it isn’t supported by this process.

Second, your PC should be configured in UEFI Boot Mode instead of Legacy Boot Mode. Switching boot modes generally requires a reinstallation of Windows, so it’s best to choose UEFI from the start.

Finally, while optional, it’s recommended that you update your BIOS to the latest version. You can get your serial number by running wmic bios get serialnumber from within PowerShell or Command Prompt. Then, you can provide this serial number to the Dell support website to find the latest drivers and downloads for your PC.

Once you’re ready, you can clear the TPM and run the firmware update utility. However, since Windows will automatically take ownership of a fresh TPM after a reboot by default, we have to take some additional steps to make sure the TPM stays deprovisioned throughout the upgrade process.

Step-By-Step Instructions

  1. First, launch a PowerShell window with administrative privileges. Then, run the following command to disable TPM auto-provisioning (we’ll turn it back on later):
    PS C:\> Disable-TpmAutoProvisioning 
  2. Next, reboot, and enter the BIOS settings. Navigate to “Security > TPM 1.2/2.0 Security”. If the TPM is turned off or disabled, enable it. Otherwise, click the “Clear” checkbox and select “Yes” to clear the TPM settings.
  3. Then, boot back to Windows, and download the TPM 2.0 Firmware Update Utility. Run the package, which will trigger a reboot similar to a BIOS update.
  4. When your PC boots back up, run the following command in another elevated PowerShell window:
    PS C:\> Enable-TpmAutoProvisioning 
  5. Reboot your PC again so that Windows can automatically provision the TPM. While you’re rebooting, you can take this opportunity to enter the BIOS and ensure that Secure Boot is enabled (Legacy Option ROMs under “General > Advanced Boot Options” must be disabled first).
  6. Finally, check tpm.msc or the Windows Security app to ensure that your TPM is active and provisioned.

References

Posted on by Arnon Erba in How-To Guides

(Editor’s note: This post has been updated since publication.)

Introduction

Let’s Encrypt has steadily improved since its public debut in late 2015. Certbot, the most popular Let’s Encrypt client, is available for a wide variety of Linux distributions, making it easy to integrate Let’s Encrypt with many common web server configurations. However, because of this broad support, and because Certbot offers many internal options, there are several different ways to integrate Certbot with Nginx.

If you run Certbot with the --nginx flag, it will automatically make whatever changes are necessary to your Nginx configuration to enable SSL/TLS for your website. On the other hand, if you’d prefer to handle the Nginx configuration separately, you can run Certbot with the --webroot flag. In this mode, Certbot will still fetch a certificate, but it’s up to you to integrate it with Nginx.

Once you’ve obtained certificates from Let’s Encrypt, you’ll need to set up a method to automatically renew them, since they expire after just 90 days. On Ubuntu 18.04, the “certbot” package from the Ubuntu repositories includes an automatic renewal framework right out of the box. However, you’ll also need to reload your web server so it can actually serve the renewed certificates. The packaged renewal scripts on Ubuntu won’t restart Nginx unless you used the --nginx flag to request certificates in the first place. If you’re using --webroot or some other method, there’s an additional important step to take.

Automatically Restarting Nginx

On Ubuntu 18.04, Certbot comes with two automated methods for renewing certificates: a cron job, located at /etc/cron.d/certbot, and a systemd timer. The cron job is set to run every 12 hours but only takes effect if systemd is not active. Instead, the systemd timer (visible in the output of systemctl list-timers) works in tandem with the certbot systemd service to handle certificate renewals.

Instead of modifying the cron job or the systemd service, we can change Certbot’s renewal behavior by editing a config file. Add the following line to /etc/letsencrypt/cli.ini:

deploy-hook = systemctl reload nginx

This will cause Certbot to reload Nginx after it renews a certificate. With the deploy-hook option, Certbot will only reload Nginx when a certificate is actually renewed, not every time the Certbot renewal check runs. Ed: A previous version of this post recommended using renew-hook instead. This option has been superseded by deploy-hook.

You can verify that your changes are working by running certbot renew --dry-run. This will not renew any certificates but will tell you if your deploy-hook command is being picked up by Certbot.

A Little Background Information

If you’re new to Let’s Encrypt, and you’re wondering why you need to automatically renew your certificates and restart your web server when you get new ones, it’s a good thing you’re here. While “traditional” SSL/TLS certificates are manually requested and can be valid for up to two years, certificates from Let’s Encrypt are only valid for 90 days. In their blog post, the Let’s Encrypt team explains their reasoning behind such short certificate lifetimes: they limit the time period for damage to be caused by stolen keys or mis-issued certificates, and they heavily encourage automation, which is key to the success of the Let’s Encrypt model.

This means that you’re going to need to automatically renew your certificates in order to take full advantage of Let’s Encrypt. Fortunately, since this is how Let’s Encrypt is designed to work, auto-renewal functionality is built directly into Certbot, the recommended ACME client for Let’s Encrypt.

A slightly less obvious question is why you’d want to automatically restart your web server as well. The answer is simple: web servers, such as Apache or Nginx, don’t read your SSL/TLS certificates directly from disk every time they need them. Instead, they load them into memory along with the rest of the web server configuration. This is great, and perfectly normal, since reading the certificates from disk would be horribly inefficient. However, it means that updating (or renewing) a certificate with Let’s Encrypt won’t directly change the certificate that Apache/Nginx serves when a page is requested. Instead, the web server must be restarted in order to load the new certificate into memory.

Sources

Posted on by Arnon Erba in How-To Guides

Julia, the fast-moving and popular open source programming language for scientific computing, allows for the usage of multiple BLAS implementations. Pre-built Julia binaries ship with OpenBLAS due to licensing restrictions surrounding the Intel Math Kernel Library, but by building Julia from source you can replace OpenBLAS with a free copy of MKL obtained from Intel’s Yum or Apt repositories. As of the time of writing, there are instructions for this process on the Julia GitHub repository.

Determining the BLAS Vendor

Regardless of which BLAS implementation you choose, it is nice to check that Julia is actually using the one you want, especially if you are building Julia from source. In recent versions of Julia, you can run the following two commands in the Julia REPL to find your BLAS vendor:

julia> using LinearAlgebra
julia> LinearAlgebra.BLAS.vendor()

The second command should output a string indicating which BLAS implementation your Julia installation is currently built with.

Posted on by Arnon Erba in How-To Guides

As a blogger, getting your content in front of as many people as possible is crucial to growing your reader base. One way to broaden your reach is to take advantage of Apple News as a publishing platform so that iOS users can easily discover your content. Fortunately, getting an established blog on Apple News takes nothing but an Apple ID and a little patience.

Two Ways to Publish

Apple News offers two different formats for displaying your content in the News app. If you have some extra time, you can publish your articles in Apple News Format, which allows you to create a custom visual theme and gives you access to more advanced features like analytics. There are third-party Apple News Format plugins available for popular content management systems such as WordPress and Drupal, and you can find the instructions for setting up Apple News Format in the News Publisher documentation.

However, if you’re in a hurry, you can simply add an RSS or Atom feed to your Apple News account. We’ll be covering that method in this post. If you’re using WordPress, you can take advantage of its built-in RSS and Atom feeds for this tutorial.

Publishing Using an RSS/Atom Feed

Adding a blog to Apple News with just an RSS or Atom feed can be accomplished in a few quick steps:

  1. First, head to the Apple News sign-up portal. The sign-up process for a News Publisher account is handled through iCloud, so you’ll need an Apple ID for this step.
  2. Next, enter your publisher information. Apple News requires a name, email address, and mailing address to proceed.
  3. After setting up your personal News Publisher account, you’ll be able set up a “channel” for your blog. This is separated from the previous step, and requires you to provide a phone number.
  4. Next, you can break off and set up Apple News Format, or you can skip directly to adding an RSS/Atom feed. You can even add multiple feeds if you have different streams of content.
  5. Once you add your feed, Apple News will ask if you want to upload branding for your channel. Apple has clear guidelines for this optional branding in the News Publisher documentation, but you can skip this step too if you’re short on time.

Finally, your new News channel containing your blog’s feed will be submitted to Apple for review. The waiting period can vary, and it took about three weeks for Apple to approve the Atom feed for my blog. You’ll get an email from Apple if your submission is approved, and you should be able to find your channel in the News app immediately.