A typical yak shaving session
Someone recently asked what yak shaving means and, because I am a professional at this pastime, I figured I would share my most recent excursion in the field.
As a reminder, "yak shaving" describes an (anti-)pattern by which you engage in more and more (possibly useless) tasks that lead you further and further away from your original objective.
The path I took through the yak herd is this:
1. I wondered if I could use my home network to experiment with another VPN software (e.g. Wireguard instead of IPsec)
2. then I tried Tailscale because I heard good things about it, and they have an interesting approach to open source
3. I wasn't happy with that, so I tried an IPv6 tunnel
4. that broke after a few minutes, so I went on to try deploying Wireguard with Puppet, which involved reviewing about 4 different Puppet modules
5. while I was there, I might as well share those findings with the community, so I published that as a blog post
6. someone else mentioned that Nebula (from Slack) is a thing, but after investigation, it's not well packaged in Debian, so I didn't test it, but added it to the blog post
7. now that I had found the right Puppet module, I tried to deploy it with Puppet's g10k, which requires me to input a checksum
8. I got lazy and figured that if I put in the wrong checksum, it would tell me what the right checksum was, but it didn't: instead it silently succeeded where it should have failed, which seemed really bad
9. then I looked upstream for such a bug report and saw that the Debian package was many versions behind and, because I'm on the Golang packaging team, I figured I would just do the upgrade myself
10. then there were problems with the Debian-specific patch trying to disable network tests, so I rewrote the patch
11. ... but ended up realizing basically all tests require the network, so I just disabled the build-time tests
12. ... but then tried to re-add them to Debian CI instead, which didn't work
At that point, I had given up, after shaving a 12th yak. Thankfully, a kind soul provided a working test suite and I was able to roll back all those parentheses and test the g10k package and confirm it works (and checks the checksums).
You'll also notice the work is not complete at all. I still need to:
- make a full mesh between all nodes, probably with exported resources
- have IP addresses in DNS so I don't need to remember them
- hook up Prometheus into Puppet to monitor all nodes
- deploy this at work (torproject.org), replacing the IPsec module I was originally trying to publish
Also notice the 8th yak, above, which might be a security issue. I wasn't able to confirm it, because g10k does some pretty aggressive caching, and I could "reproduce" it only in the sense that the checksum wasn't checked if the module already existed in the cache. So it might have just been that I had actually already deployed the module before adding the checksum... but I still had that distressing sentiment:
<anarcat> there's a huge yak breathing down my neck with "CVE" written in large red letters on the side
<anarcat> i'm trying to ignore it, it stinks like hell
Hopefully it's nothing to worry about. Right? Riiight.
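To make that cache-versus-checksum failure mode concrete, here is an added example (written for this post, not g10k's code and not the author's): a toy module cache in Python. The "naive" variant verifies the checksum only when it downloads and fills the cache, so a module that was first deployed with no checksum is later served from the cache even when the checksum given afterwards is wrong. The "verifying" variant keys cache entries by content hash and checks the expected checksum on every fetch. Module names, archive bytes and the downloader are constructed placeholders.

```python
import hashlib

# Constructed sample "module archive" standing in for a tarball that a
# deployment tool would download from a module registry. Hypothetical data.
GOOD_ARCHIVE = b"puppet-wireguard-module-v1.0.0 (constructed sample archive)"
WRONG_SHA256 = "0" * 64  # a deliberately wrong checksum, as in the post


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class NaiveCache:
    """Flawed pattern: the checksum is verified only when the cache is
    populated. A later request that hits the cache by name is served
    without comparing it against the checksum the caller now expects."""

    def __init__(self):
        self.store = {}  # module name -> archive bytes

    def fetch(self, name, download, expected_sha256=None):
        if name in self.store:
            return self.store[name]  # cache hit: expected_sha256 is ignored
        data = download()
        if expected_sha256 is not None and sha256_hex(data) != expected_sha256:
            raise ValueError(f"checksum mismatch for {name}")
        self.store[name] = data
        return data


class VerifyingCache:
    """Fixed pattern: cache entries are keyed by content hash, and the
    expected checksum is compared on every fetch, cache hit or not, so a
    module cached before a checksum was configured cannot slip through."""

    def __init__(self):
        self.store = {}  # sha256 hex digest -> archive bytes

    def fetch(self, name, download, expected_sha256=None):
        data = None
        if expected_sha256 is not None:
            data = self.store.get(expected_sha256)
        if data is None:
            data = download()
        actual = sha256_hex(data)
        if expected_sha256 is not None and actual != expected_sha256:
            raise ValueError(
                f"checksum mismatch for {name}: expected {expected_sha256}, got {actual}"
            )
        self.store[actual] = data
        return data


def run_scenario(cache):
    """Replays the sequence from the post: deploy the module once without a
    checksum, then deploy again with a wrong checksum. Returns 'accepted' if
    the second deploy silently succeeds and 'rejected' if it fails."""
    download = lambda: GOOD_ARCHIVE  # constructed downloader, always succeeds
    cache.fetch("wireguard", download)  # first deploy, no checksum configured
    try:
        cache.fetch("wireguard", download, WRONG_SHA256)
        return "accepted"
    except ValueError:
        return "rejected"


def correct_checksum_still_works():
    """Sanity check: the verifying cache serves a module whose checksum matches."""
    cache = VerifyingCache()
    good = sha256_hex(GOOD_ARCHIVE)
    first = cache.fetch("wireguard", lambda: GOOD_ARCHIVE, good)
    # Second fetch is a cache hit on the content hash; no download needed.
    second = cache.fetch("wireguard", lambda: b"never called", good)
    return first == GOOD_ARCHIVE and second == GOOD_ARCHIVE


if __name__ == "__main__":
    print("naive cache, wrong checksum after earlier deploy:", run_scenario(NaiveCache()))
    print("verifying cache, wrong checksum after earlier deploy:", run_scenario(VerifyingCache()))
    print("verifying cache, correct checksum:", correct_checksum_still_works())
```

The practical check this suggests when auditing any tool that caches downloaded artifacts: populate the cache once without a checksum, then run again with a deliberately wrong one, and confirm the second run fails. If it succeeds, the checksum is only protecting the first download, not every deploy.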
Oh. And obviously, writing this blog post is the sugar on top, the one last yak that is self-documented here.