SELinux - not supported?


#1

Hi Chef Users:

My initial NTP cookbook failed on a fresh RHEL 5.7 install because the new config file had the wrong selinux context.

{code}
$ ls -Z /var/lib/chef/etc/ntp.conf.chef-20111222165615 /etc/ntp.conf
-rw-r–r-- root root user_u:object_r:tmp_t:s0 /etc/ntp.conf
-rw-r–r-- root root user_u:object_r:var_lib_t:s0 /var/lib/chef/etc/ntp.conf.chef-20111222165615
{code}

Okay, no problem. I’ll just add the file context like I did with Puppet:

{code}
seluser => “user_u”,
selrole => “object_r”,
seltype => “var_lib_t”,
{code}

Oh, but wait, it seems there’s no such support in Chef. Is that so? All I can find are various open tickets such as:
http://tickets.opscode.com/browse/COOK-759
http://tickets.opscode.com/browse/COOK-347
http://tickets.opscode.com/browse/CHEF-1890

The current cookbook says only this, “users are recommended to set SELinux to permissive mode, or disabled completely.”

I’m surprised and disappointed that this is the case. Is there really no one using SeLinux under Chef? Or is there a secret I’m not yet in on?

Thanks,

Peter


Peter Burkholder | Sr. System Administrator (consultant)
AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 20049
pburkholder@aarp.org | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
For optimal efficiency, I check email at 2-hour intervals during the workday
(except when on-call). Please use IM or phone to contact me for urgent matters


#2

On Thu, Dec 22, 2011 at 2:33 PM, Burkholder, Peter PBurkholder@aarp.org wrote:

Oh, but wait, it seems there’s no such support in Chef. Is that so? All I can find are various open tickets such as:
http://tickets.opscode.com/browse/COOK-759
http://tickets.opscode.com/browse/COOK-347
http://tickets.opscode.com/browse/CHEF-1890

The current cookbook says only this, “users are recommended to set SELinux to permissive mode, or disabled completely.”

I’m surprised and disappointed that this is the case. Is there really no one using SeLinux under Chef? Or is there a secret I’m not yet in on?

I’m not aware of anyone using SELinux with Chef or asking for it
really. I’d attribute this to the smaller install base of rhel (and
clones) versus the larger debian/ubuntu contingent using Chef.

Might be worth filing a ticket so people can +1 it at least - maybe
someone will take up the challenge :slight_smile:

Matthew Kent | http://magoazul.com


#3

My experience matches Matthews, and I come from an all rhel shop
On Dec 22, 2011 6:21 PM, “Matthew Kent” mkent+chef-users@magoazul.com
wrote:

On Thu, Dec 22, 2011 at 2:33 PM, Burkholder, Peter PBurkholder@aarp.org
wrote:

Oh, but wait, it seems there’s no such support in Chef. Is that so?
All I can find are various open tickets such as:
http://tickets.opscode.com/browse/COOK-759
http://tickets.opscode.com/browse/COOK-347
http://tickets.opscode.com/browse/CHEF-1890

The current cookbook says only this, “users are recommended to set
SELinux to permissive mode, or disabled completely.”

I’m surprised and disappointed that this is the case. Is there really
no one using SeLinux under Chef? Or is there a secret I’m not yet in on?

I’m not aware of anyone using SELinux with Chef or asking for it
really. I’d attribute this to the smaller install base of rhel (and
clones) versus the larger debian/ubuntu contingent using Chef.

Might be worth filing a ticket so people can +1 it at least - maybe
someone will take up the challenge :slight_smile:

Matthew Kent | http://magoazul.com


#4

On 22 December 2011 22:33, Burkholder, Peter PBurkholder@aarp.org wrote:

Okay, no problem. I’ll just add the file context like I did with Puppet:

{code}
seluser => “user_u”,
selrole => “object_r”,
seltype => “var_lib_t”,
{code}

Oh, but wait, it seems there’s no such support in Chef. Is that so? All I can find are various open tickets such as:
http://tickets.opscode.com/browse/COOK-759
http://tickets.opscode.com/browse/COOK-347
http://tickets.opscode.com/browse/CHEF-1890

I would mirror the statements made by Matthew, and add that some of
the reason behind support for AppArmor (Ubuntu et al) being easier to
implement is due to it being path-based.

Drop the right support into /etc and you’re pretty much done. Very
easy to accomplish.

As soon as you move to label-based approaches such as SELinux things
become significantly more complicated at pretty much every layer, from
filesystems on upward :wink:

I’m sure the sentiment that “Patches are welcome!” would apply here…


#5

On Thu, Dec 22, 2011 at 5:21 PM, Matthew Kent
mkent+chef-users@magoazul.com wrote:

On Thu, Dec 22, 2011 at 2:33 PM, Burkholder, Peter PBurkholder@aarp.org wrote:
I’m not aware of anyone using SELinux with Chef or asking for it
really. I’d attribute this to the smaller install base of rhel (and
clones) versus the larger debian/ubuntu contingent using Chef.

Might be worth filing a ticket so people can +1 it at least - maybe
someone will take up the challenge :slight_smile:

Also agreed. We’re a RHEL shop and only haven’t hit this yet because
we haven’t gotten to it. Have to get Chef fully rolled out so we can
get some actual consistency across the environment. Then we’ll look at
going from permissive to enforcing mode. I doubt it’ll be pretty when
the time comes, but it is coming.

KC


#6

i second this statement. I do agree that chef install base on rhel/centos
is relatively smaller than the debian/ubuntu, but its decently big.
ThoughtWorks internally runs on centos, and most of our client too runs on
rhel or centos or amazon linux. Although as of now theres hardly any
support for selinux in chef , but we should definitely plan for it, bring
security context inside file base class. Sean was already working on it, i
had tested the initial versions, but some how we lost the tempo. But i
guess time has come to revive the effort…

and we should definitely discourage disabling selinux (unless some other
alternative like AppArmor is in place)

my 2 cents

On Fri, Dec 23, 2011 at 4:51 AM, Matthew Kent <mkent+chef-users@magoazul.com

wrote:

On Thu, Dec 22, 2011 at 2:33 PM, Burkholder, Peter PBurkholder@aarp.org
wrote:

Oh, but wait, it seems there’s no such support in Chef. Is that so?
All I can find are various open tickets such as:
http://tickets.opscode.com/browse/COOK-759
http://tickets.opscode.com/browse/COOK-347
http://tickets.opscode.com/browse/CHEF-1890

The current cookbook says only this, “users are recommended to set
SELinux to permissive mode, or disabled completely.”

I’m surprised and disappointed that this is the case. Is there really
no one using SeLinux under Chef? Or is there a secret I’m not yet in on?

I’m not aware of anyone using SELinux with Chef or asking for it
really. I’d attribute this to the smaller install base of rhel (and
clones) versus the larger debian/ubuntu contingent using Chef.

Might be worth filing a ticket so people can +1 it at least - maybe
someone will take up the challenge :slight_smile:

Matthew Kent | http://magoazul.com


#7

On Fri, Dec 23, 2011 at 12:21 AM, Matthew Kent
mkent+chef-users@magoazul.com wrote:

On Thu, Dec 22, 2011 at 2:33 PM, Burkholder, Peter PBurkholder@aarp.org wrote:

Oh, but wait, it seems there’s no such support in Chef. Is that so? All I can find are various open tickets such as:
http://tickets.opscode.com/browse/COOK-759
http://tickets.opscode.com/browse/COOK-347
http://tickets.opscode.com/browse/CHEF-1890

The current cookbook says only this, “users are recommended to set SELinux to permissive mode, or disabled completely.”

I’m surprised and disappointed that this is the case. Is there really no one using SeLinux under Chef? Or is there a secret I’m not yet in on?

I’m not aware of anyone using SELinux with Chef or asking for it
really. I’d attribute this to the smaller install base of rhel (and
clones) versus the larger debian/ubuntu contingent using Chef.

Ditto for FreeBSD, and other “nice” OS.
I think it’s natural that Opscode as a company, and the larger
community that provides patches and new cookbook, focuses on what is
needed by a majority of users.
Great stuff usually comes out of people having a need, and the drive
to make it happen.

That said, and pardon me a little advertising.

There are a few consulting companies that will gladly develop and
provide any additional feature that a company needs; that goes for
enterprise software, and doubly so for distributions that are
typically used in environments with special requirements, as often is
the case with SELinux.
The end result may be delivered as open or closed source.
My company is one such; there are others on the mailing list; and you
can talk to Adam Jacob to see what Opscode professional services can
do for you.

A small suggestion: if you think you don’t have the budget for that,
but you care enough to devolve some of your time, you could start a
"bounty" program where all interested parties can chip in a little
money. And then go and find someone to do the work.

Andrea


#8

I’ll snip the feedback (and thanks so much for that), and reframe the question in terms of “What would you do?” when you see your options as the following:

  1. Set SELinux to ‘permissive’ instead of ‘enforcing’
  • Not really and option here, as we’ve been running RHEL with SELinux in enforcing mode for at least four years, and we tout it as being part of our defense-in-depth strategy
  1. Abandon Chef try again with Puppet as our configuration management system
    [This section is not open for comments]

  2. Use/Adapt Chef to provide the SELInux support we need:

3.1) Wait until the project provides selinux file context in the file resource

3.2) Add the patches to provide this, either doing so myself or paying someone to do so.
– I don’t know if we have the budget to do this
– I don’t know if I have the time, with my rusty Ruby skills, to do this very well myself

3.3) Work around the lack of SELinux support by using Ruby or Shell blocks in the code to set file context appropriately, even if it’s not done idempotently.

Clearly, 3.2 is right answer, but even that is fraught, as then we’d be using our own build of Chef until the new code is pulled into the project.

Any further thoughts out there?

-Peter

Peter Burkholder | Sr. System Administrator (consultant)
AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 20049
pburkholder@aarp.org | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
For optimal efficiency, I check email at 2-hour intervals during the workday
(except when on-call). Please use IM or phone to contact me for urgent matters


#9

I would think that 3.3 would be easy and could be idempotent. You can
write execute blocks with only_if that will test the context before
doing a chcon.

On Fri, Dec 23, 2011 at 10:11 AM, Burkholder, Peter
PBurkholder@aarp.org wrote:

I’ll snip the feedback (and thanks so much for that), and reframe the question in terms of “What would you do?” when you see your options as the following:

  1. Set SELinux to ‘permissive’ instead of ‘enforcing’
  • Not really and option here, as we’ve been running RHEL with SELinux in enforcing mode for at least four years, and we tout it as being part of our defense-in-depth strategy
  1. Abandon Chef try again with Puppet as our configuration management system
    [This section is not open for comments]

  2. Use/Adapt Chef to provide the SELInux support we need:

3.1) Wait until the project provides selinux file context in the file resource

3.2) Add the patches to provide this, either doing so myself or paying someone to do so.
– I don’t know if we have the budget to do this
– I don’t know if I have the time, with my rusty Ruby skills, to do this very well myself

3.3) Work around the lack of SELinux support by using Ruby or Shell blocks in the code to set file context appropriately, even if it’s not done idempotently.

Clearly, 3.2 is right answer, but even that is fraught, as then we’d be using our own build of Chef until the new code is pulled into the project.

Any further thoughts out there?

-Peter

Peter Burkholder | Sr. System Administrator (consultant)
AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 20049
pburkholder@aarp.org | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
For optimal efficiency, I check email at 2-hour intervals during the workday
(except when on-call). Please use IM or phone to contact me for urgent matters


#10

Ohai Chefs!

We have an issue at tickets.opscode.com for this topic:

http://tickets.opscode.com/browse/COOK-759

This ticket covers:

  • Setting enforcing/permissive/disabled based on an attribute
  • Installing selinux Ruby library bindings
  • Managing security contexts for Chef resources.

These features should be added to our existing “selinux” cookbook,
which currently only had recipes that set the local policy to
enforcing, permissive or disabled, respectively.

On Thu, Dec 22, 2011 at 3:33 PM, Burkholder, Peter PBurkholder@aarp.org wrote:

Hi Chef Users:

My initial NTP cookbook failed on a fresh RHEL 5.7 install because the new config file had the wrong selinux context.

{code}
$ ls -Z /var/lib/chef/etc/ntp.conf.chef-20111222165615 /etc/ntp.conf
-rw-r–r-- root root user_u:object_r:tmp_t:s0 /etc/ntp.conf
-rw-r–r-- root root user_u:object_r:var_lib_t:s0 /var/lib/chef/etc/ntp.conf.chef-20111222165615
{code}

Okay, no problem. I’ll just add the file context like I did with Puppet:

{code}
seluser => “user_u”,
selrole => “object_r”,
seltype => “var_lib_t”,
{code}

Oh, but wait, it seems there’s no such support in Chef. Is that so? All I can find are various open tickets such as:
http://tickets.opscode.com/browse/COOK-759
http://tickets.opscode.com/browse/COOK-347
http://tickets.opscode.com/browse/CHEF-1890

The current cookbook says only this, “users are recommended to set SELinux to permissive mode, or disabled completely.”

I’m surprised and disappointed that this is the case. Is there really no one using SeLinux under Chef? Or is there a secret I’m not yet in on?

Thanks,

Peter


Peter Burkholder | Sr. System Administrator (consultant)
AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 20049
pburkholder@aarp.org | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
For optimal efficiency, I check email at 2-hour intervals during the workday
(except when on-call). Please use IM or phone to contact me for urgent matters


Opscode, Inc
Joshua Timberman, Technical Program Manager
IRC, Skype, Twitter, Github: jtimberman


#11

Hi Peter,
I have experimental SELinux monkey patches for File and Directory
resources here:


It tries to guess sane defaults by examining the default context for
the directory a file would be written to, and provides a way to
override it via the selinux_label attribute. Right now you have to
pass the whole label in as a text string instead of in parts.
Please feel free to test them!
Note that you’ll need to install libselinux-ruby as a system
prerequisite before running Chef, since there’s no way to get the
package installed via Chef because of the order Chef loads code.
-s
On Fri, Dec 23, 2011 at 11:22 AM, Joshua Timberman joshua@opscode.com wrote:

Ohai Chefs!

We have an issue at tickets.opscode.com for this topic:

http://tickets.opscode.com/browse/COOK-759

This ticket covers:

  • Setting enforcing/permissive/disabled based on an attribute
  • Installing selinux Ruby library bindings
  • Managing security contexts for Chef resources.

These features should be added to our existing “selinux” cookbook,
which currently only had recipes that set the local policy to
enforcing, permissive or disabled, respectively.

On Thu, Dec 22, 2011 at 3:33 PM, Burkholder, Peter PBurkholder@aarp.org wrote:

Hi Chef Users:

My initial NTP cookbook failed on a fresh RHEL 5.7 install because the new config file had the wrong selinux context.

{code}
$ ls -Z /var/lib/chef/etc/ntp.conf.chef-20111222165615 /etc/ntp.conf
-rw-r–r-- root root user_u:object_r:tmp_t:s0 /etc/ntp.conf
-rw-r–r-- root root user_u:object_r:var_lib_t:s0 /var/lib/chef/etc/ntp.conf.chef-20111222165615
{code}

Okay, no problem. I’ll just add the file context like I did with Puppet:

{code}
seluser => “user_u”,
selrole => “object_r”,
seltype => “var_lib_t”,
{code}

Oh, but wait, it seems there’s no such support in Chef. Is that so? All I can find are various open tickets such as:
http://tickets.opscode.com/browse/COOK-759
http://tickets.opscode.com/browse/COOK-347
http://tickets.opscode.com/browse/CHEF-1890

The current cookbook says only this, “users are recommended to set SELinux to permissive mode, or disabled completely.”

I’m surprised and disappointed that this is the case. Is there really no one using SeLinux under Chef? Or is there a secret I’m not yet in on?

Thanks,

Peter


Peter Burkholder | Sr. System Administrator (consultant)
AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 20049
pburkholder@aarp.org | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
For optimal efficiency, I check email at 2-hour intervals during the workday
(except when on-call). Please use IM or phone to contact me for urgent matters


Opscode, Inc
Joshua Timberman, Technical Program Manager
IRC, Skype, Twitter, Github: jtimberman


#12

Thanks for the patch, Sean. I’ll give this a try and see what happens.

Is there any attendant RSpec or other test code that goes with this?

Thanks,

Peter
On Dec 23, 2011, at 12:07 PM, Sean OMeara wrote:

Hi Peter,
I have experimental SELinux monkey patches for File and Directory
resources here:
https://github.com/someara/cookbooks/tree/selinux-monkeys
It tries to guess sane defaults by examining the default context for
the directory a file would be written to, and provides a way to
override it via the selinux_label attribute. Right now you have to
pass the whole label in as a text string instead of in parts.
Please feel free to test them!
Note that you’ll need to install libselinux-ruby as a system
prerequisite before running Chef, since there’s no way to get the
package installed via Chef because of the order Chef loads code.
-s
On Fri, Dec 23, 2011 at 11:22 AM, Joshua Timberman joshua@opscode.com wrote:

Ohai Chefs!

We have an issue at tickets.opscode.com for this topic:

http://tickets.opscode.com/browse/COOK-759

This ticket covers:

  • Setting enforcing/permissive/disabled based on an attribute
  • Installing selinux Ruby library bindings
  • Managing security contexts for Chef resources.

These features should be added to our existing “selinux” cookbook,
which currently only had recipes that set the local policy to
enforcing, permissive or disabled, respectively.

On Thu, Dec 22, 2011 at 3:33 PM, Burkholder, Peter PBurkholder@aarp.org wrote:

Hi Chef Users:

My initial NTP cookbook failed on a fresh RHEL 5.7 install because the new config file had the wrong selinux context.

{code}
$ ls -Z /var/lib/chef/etc/ntp.conf.chef-20111222165615 /etc/ntp.conf
-rw-r–r-- root root user_u:object_r:tmp_t:s0 /etc/ntp.conf
-rw-r–r-- root root user_u:object_r:var_lib_t:s0 /var/lib/chef/etc/ntp.conf.chef-20111222165615
{code}

Okay, no problem. I’ll just add the file context like I did with Puppet:

{code}
seluser => “user_u”,
selrole => “object_r”,
seltype => “var_lib_t”,
{code}

Oh, but wait, it seems there’s no such support in Chef. Is that so? All I can find are various open tickets such as:
http://tickets.opscode.com/browse/COOK-759
http://tickets.opscode.com/browse/COOK-347
http://tickets.opscode.com/browse/CHEF-1890

The current cookbook says only this, “users are recommended to set SELinux to permissive mode, or disabled completely.”

I’m surprised and disappointed that this is the case. Is there really no one using SeLinux under Chef? Or is there a secret I’m not yet in on?

Thanks,

Peter


Peter Burkholder | Sr. System Administrator (consultant)
AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 20049
pburkholder@aarp.org | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
For optimal efficiency, I check email at 2-hour intervals during the workday
(except when on-call). Please use IM or phone to contact me for urgent matters


Opscode, Inc
Joshua Timberman, Technical Program Manager
IRC, Skype, Twitter, Github: jtimberman


Peter Burkholder | Sr. System Administrator (consultant)
AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 20049
pburkholder@aarp.org | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
For optimal efficiency, I check email at 2-hour intervals during the workday
(except when on-call). Please use IM or phone to contact me for urgent matters


#13

Also with 3.3 you could workaround by creating script resource with
chcon in it and notifying this resource from template/file resource.
Thus you will change context only when file/template changed.

On Fri, 23 Dec 2011 10:11:04 -0500, Burkholder, Peter wrote:

I’ll snip the feedback (and thanks so much for that), and reframe the
question in terms of “What would you do?” when you see your options
as
the following:

  1. Set SELinux to ‘permissive’ instead of ‘enforcing’
  • Not really and option here, as we’ve been running RHEL with SELinux
    in enforcing mode for at least four years, and we tout it as being
    part of our defense-in-depth strategy
  1. Abandon Chef try again with Puppet as our configuration management
    system
    [This section is not open for comments]

  2. Use/Adapt Chef to provide the SELInux support we need:

3.1) Wait until the project provides selinux file context in the file
resource

3.2) Add the patches to provide this, either doing so myself or
paying someone to do so.
– I don’t know if we have the budget to do this
– I don’t know if I have the time, with my rusty Ruby skills, to do
this very well myself

3.3) Work around the lack of SELinux support by using Ruby or Shell
blocks in the code to set file context appropriately, even if it’s
not
done idempotently.

Clearly, 3.2 is right answer, but even that is fraught, as then
we’d be using our own build of Chef until the new code is pulled into
the project.

Any further thoughts out there?

-Peter

Peter Burkholder | Sr. System Administrator (consultant)
AARP | Digital Strategy & Operations | 601 E Street NW | Washington,
DC 20049
pburkholder@aarp.org | aim: peterbtech | w: 202-434-3530 | c:
202-344-7129
For optimal efficiency, I check email at 2-hour intervals during the
workday
(except when on-call). Please use IM or phone to contact me for
urgent matters


#14

No RSpec yet… It’s just a first attempt at raw functionality.

Also, the libselinux-ruby binding from system packages will only work
if you’re a system ruby. If you’re running in RVM or omnibus you’ll
need to compile the library against the appropriate ruby libs.

-s

On Fri, Dec 23, 2011 at 12:30 PM, Burkholder, Peter
PBurkholder@aarp.org wrote:

Thanks for the patch, Sean. I’ll give this a try and see what happens.

Is there any attendant RSpec or other test code that goes with this?

Thanks,

Peter
On Dec 23, 2011, at 12:07 PM, Sean OMeara wrote:

Hi Peter,
I have experimental SELinux monkey patches for File and Directory
resources here:
https://github.com/someara/cookbooks/tree/selinux-monkeys
It tries to guess sane defaults by examining the default context for
the directory a file would be written to, and provides a way to
override it via the selinux_label attribute. Right now you have to
pass the whole label in as a text string instead of in parts.
Please feel free to test them!
Note that you’ll need to install libselinux-ruby as a system
prerequisite before running Chef, since there’s no way to get the
package installed via Chef because of the order Chef loads code.
-s
On Fri, Dec 23, 2011 at 11:22 AM, Joshua Timberman joshua@opscode.com wrote:

Ohai Chefs!

We have an issue at tickets.opscode.com for this topic:

http://tickets.opscode.com/browse/COOK-759

This ticket covers:

  • Setting enforcing/permissive/disabled based on an attribute
  • Installing selinux Ruby library bindings
  • Managing security contexts for Chef resources.

These features should be added to our existing “selinux” cookbook,
which currently only had recipes that set the local policy to
enforcing, permissive or disabled, respectively.

On Thu, Dec 22, 2011 at 3:33 PM, Burkholder, Peter PBurkholder@aarp.org wrote:

Hi Chef Users:

My initial NTP cookbook failed on a fresh RHEL 5.7 install because the new config file had the wrong selinux context.

{code}
$ ls -Z /var/lib/chef/etc/ntp.conf.chef-20111222165615 /etc/ntp.conf
-rw-r–r-- root root user_u:object_r:tmp_t:s0 /etc/ntp.conf
-rw-r–r-- root root user_u:object_r:var_lib_t:s0 /var/lib/chef/etc/ntp.conf.chef-20111222165615
{code}

Okay, no problem. I’ll just add the file context like I did with Puppet:

{code}
seluser => “user_u”,
selrole => “object_r”,
seltype => “var_lib_t”,
{code}

Oh, but wait, it seems there’s no such support in Chef. Is that so? All I can find are various open tickets such as:
http://tickets.opscode.com/browse/COOK-759
http://tickets.opscode.com/browse/COOK-347
http://tickets.opscode.com/browse/CHEF-1890

The current cookbook says only this, “users are recommended to set SELinux to permissive mode, or disabled completely.”

I’m surprised and disappointed that this is the case. Is there really no one using SeLinux under Chef? Or is there a secret I’m not yet in on?

Thanks,

Peter


Peter Burkholder | Sr. System Administrator (consultant)
AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 20049
pburkholder@aarp.org | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
For optimal efficiency, I check email at 2-hour intervals during the workday
(except when on-call). Please use IM or phone to contact me for urgent matters


Opscode, Inc
Joshua Timberman, Technical Program Manager
IRC, Skype, Twitter, Github: jtimberman


Peter Burkholder | Sr. System Administrator (consultant)
AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 20049
pburkholder@aarp.org | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
For optimal efficiency, I check email at 2-hour intervals during the workday
(except when on-call). Please use IM or phone to contact me for urgent matters