Tuesday, May 14, 2019

PHP MySQL (MariaDB) in AWS Micro with Amazon Linux 2

Introduction

This shows how to migrate your webserver from Amazon Linux to Amazon Linux 2. The initial Amazon Linux setup guides are here and here, but they're very old and I've included the necessary bits for first-timers below.

If you don't already have an AWS account

You can start with a free account. To sign up, you just provide: email, password, billing info, enter a captcha, and they auto-dial your home phone and get you to enter a PIN.

After you receive your confirmation email, you need to sign in to the AWS Management Console

But what if someone keylogs your AWS password? Because AWS bills by usage, a stolen account password means open-ended liability. Enable multi-factor authentication on the root user at aws.amazon.com/mfa (a hardware token can be purchased from onlinenoram.gemalto.com), and then stop using the root user for day-to-day work: create an IAM user for yourself and keep the root credentials for billing only.

Instance & Region

The initial free offering was a t1.micro, and there was only one eastern US region (Northern Virginia). When you launch an EC2 instance you have to choose a region, and within it an availability zone.

The current free offering is a t2.micro. But you have to consider the unlimited option and the t3 alternatives. For reference, I ran a LAMP stack with peaks of 200 users per day with the t1.micro with no noticeable lag. For this application, the on-demand total cost is USD $14.40/mo for the t1.micro instance and $1.22 for the EBS.

The key difference between t1.micro and t2.micro is the way the CPU bursting happens. It is not possible to predict or control the performance of t1.micro. With the T2 instance types, you can accumulate points that can be redeemed within 24 hours to get predictable performance. During a burst, when you run out of credits it falls back to the Baseline CPU Performance. (cloudacademy.com)
T2 standard was misunderstood due to its CPU throttling over baseline. Amazon introduced T2 unlimited as a way to overcome the CPU throttling with a pay for credit mechanism. The new introduction – T3, is a T2 unlimited with some subtle variations. (cloudsqueeze.ai)
t1.micro:  0.6 GiB, 1 vCPUs,                    poor network,     $0.0200/hour 
t2.micro:  1.0 GiB, 1 vCPUs (for 2h 24m burst), moderate network, $0.0116/hour 
t3.micro:  1.0 GiB, 2 vCPUs (for 2h 24m burst), moderate network, $0.0104/hour 
t3a.micro: 1.0 GiB, 2 vCPUs (for 2h 24m burst), moderate network, $0.0094/hour
(ec2instances.info)

t2.micro: 1 vCPUs, Baseline per vCPU = 10%
t3.micro: 2 vCPUs, Baseline per vCPU = 10%
(amazon.com)

Note that "1 vCPUs for a 2h 24m burst" is the same as "10% of 1 vCPU in a 24 hour period", and that t3.micro is effectively 20% of a vCPU. There is a good explanation at roberttisdale.com. On a t2.micro, you're constantly earning enough credits to drive the CPU at 10%. If your server load is a constant 10%, then you never earn any extra and never burst. If your customer demand is a constant 11% then your server is capped at 10% and your users have to wait.

The micro instance provides different levels of CPU resources at different times (up to 2 ECUs). By comparison, the m1.small instance type provides 1 ECU at all times. The following figure illustrates the difference. (archive.org)

They don't explicitly say, but the figure suggests that the t1.micro background level should be ~20% of an ECU in order to not have peaks throttled. So it's not clear if a t2 is weaker than a t1, but a t3 is certainly stronger than t1.

CPU credits on a running instance do not expire. For T3 and T3a, the CPU credit balance persists for seven days after an instance stops. For T2, the CPU credit balance does not persist between instance stops and starts. (amazon.com)
In standard mode, if the instance is running low on accrued credits, performance is gradually lowered to the baseline performance level. In unlimited mode, the instance can run at higher CPU utilization for a flat additional rate per vCPU-hour. T3 and T3a instances are launched as unlimited by default. T2 instances are launched as standard by default. (amazon.com)
T3 uses Intel Xeon processors and provides 30% price performance over T2. T3a uses AMD EPYC processors and provides 10% price performance over T3. (amazon.com)

concurrencylabs.com has a very extensive article explaining the price, latency and service difference between different regions.

May 3rd, 2019

On-Demand Linux:

US East (Ohio)       t3a.micro $0.0094/hr = $82/yr
                      t3.micro $0.0104/hr = $91/yr
US East (N.Virginia) t3a.micro $0.0094/hr = $82/yr
                      t3.micro $0.0104/hr = $91/yr
Canada (Central)     t3a.micro (not available)
                      t3.micro $0.0116/hr = $102/yr
(amazon.com)

Reserved Linux, standard 3-year term, partial upfront:

US East (Ohio)       t3a.micro $49.00 + $1.39/mo = $33/yr
                      t3.micro $55.00 + $1.53/mo = $37/yr
US East (N.Virginia) t3a.micro $49.00 + $1.39/mo = $33/yr 
                      t3.micro $55.00 + $1.53/mo = $37/yr
Canada (Central)     t3a.micro (not available)
                      t3.micro $61.00 + $1.68/mo = $40/yr
                      
(amazon.com)

Note that I don't consider the EBS region difference cost because as described above it is only 8% of my total cost. Also, T3a is the better deal but I'm willing to pay the extra $3/yr to be hosted in Canada.

Therefore for a personal LAMP stack in eastern Canada that doesn't generate income you should use T3 in standard mode in Canada (Central) aka Montreal.

Concepts

If you're new to AWS, you'll also need to get familiar with these concepts.

Amazon EBS volumes are off-instance storage that persists independently from the life of an instance. ... can be attached to a running Amazon EC2 instance and exposed as a device within the instance. (aws.amazon.com/ebs)
An Elastic IP address is associated with your account not a particular instance, and you control that address until you choose to explicitly release it. Unlike traditional static IP addresses, however, Elastic IP addresses allow you to mask instance or Availability Zone failures by programmatically remapping your public IP addresses to any instance in your account. (aws.amazon.com/ec2)

This means that you don't want to "terminate" the instance, because with "Delete on Termination" set (the default for the root volume) that also deletes its EBS volume. Instead you stop/start the EC2 instance. But each stop/start assigns a new public IP (a plain reboot keeps it), so allocate an Elastic IP, associate it with the instance, and point DNS at that.

New t3.micro Instance

At first I tried "64-bit (Arm)", but that was only available in a1.medium and larger. Also, you have to select the region in the top-bar before using the "Launch Instance" wizard.

AWS Management Console
In the top-bar, select "Canada (Central)" in the Region drop-down.
In the top-bar, select "Services" > "EC2"
In the side-bar, select "EC2 Dashboard"
Click the "Launch Instance" button

Amazon Linux 2 AMI (HVM), SSD Volume Type
64-bit (x86)
Select
t3.micro

Next: Configure Instance Details

 Number of instances: (default) 1
 Purchasing option: (default) [unchecked] Request Spot instances
 Network: (default) VPC
 Subnet: (default) No preference
 Auto-assign Public IP: (default) Use subnet setting (Enable)
 Placement group: (default) [unchecked] Add instance to placement group
 Capacity Reservation: (default) Open
 IAM role: (default) None
 CPU options: (default) [unchecked] Specify CPU options
 Shutdown behavior: (default) Stop  
 Enable termination protection: [checked] Protect against accidental termination
 Monitoring: (default) [unchecked] Enable CloudWatch detailed monitoring
 EBS-optimized instance: (mandatory) [checked] Launch as EBS-optimized instance
 Tenancy: (default) Shared  
 T2/T3 Unlimited: [unchecked] Enable

 Note that termination protection just prevents you from accidentally trashing 
 your instance when you just meant to power it off. And that by not allowing
 unlimited, you are not exposed to increased costs due to increased CPU.

Next: Add Storage

 Size (GiB): (default) 8
 Volume Type: (default) General Purpose SSD (gp2)
 Delete on Termination: (default) [checked]

Next: Add Tags

 (none)

Next: Configure Security Group

 Name: VPC-WebServerSecurityGroup
 Description: VPC-WebServerSecurityGroup

 SSH   TCP  22 1.2.3.4/32
 HTTP  TCP  80 0.0.0.0/0, ::/0
 HTTPS TCP 443 0.0.0.0/0, ::/0

 Note: we need 22 since that's in the default SSHD config,
 but we'll restrict to IP and later will change the port.

Review and Launch
Launch
Choose an existing key pair // if you don't have one, see below
WebServerKey 
Acknowledge
Launch Instances

If you've never created an EC2 instance before, you'll need to create a keypair like this:

 # continue
 - create a new key pair
 - name: WebServerKey
 # create and download your key pair 
 // this is WebServerKey.pem that you will use later with putty

After that, navigate to the EC2 dashboard where you can see the instance starting up.

Left-click the blank instance name and give it something meaningful.

In the Description tab below your new instance, take note of its Public IP.

Basic SSH

Clone your existing putty config but use the new IP and port 22. Connect to your instance with putty.

If you've never connected to an EC2 instance before and you just created WebServerKey.pem above, then you'll need to do the following.

If you're on windows, download putty.

The WebServerKey.pem key won't work with putty, you have to convert it. Download puttygen.

puttygen
 conversions > import key > WebServerKey.pem
 key passphrase: INVENT_A_STRONG_PASSWORD
 confirm passphrase: STRONG_PASSWORD_AGAIN
 save private key > WebServerKey.ppk
 exit

You now have an encrypted .ppk version of your plaintext .pem key. I'd suggest deleting, encrypting, or storing the .pem on a thumb drive.

Use putty to connect:

session.saved_sessions: amazon
session.host: YOUR_PUBLIC_DNS_FROM_ABOVE
session.port: 22
session.type: SSH
window.lines_of_scrollback: 2000
window.colours.use_system_colours: checked
connection.data.auto-login_username: ec2-user
connection.ssh.auth.private_key_file_for_authentication: WebServerKey.ppk

Session > Save
then double-click: amazon
- verify the host key fingerprint before accepting it: the instance's console output (Get System Log in the instance's Actions menu) prints the host key fingerprints at first boot, and PuTTY caches the key so this prompt only appears once
- enter your .ppk passphrase

You're in! Now let's make it bullet proof.

Harden SSH

sudo yum -y update

That will probably pickup a bunch of updates.

Next make a copy of the config we're about to modify. We'll download it as a local backup later.

mkdir /tmp/org
sudo cp /etc/ssh/sshd_config /tmp/org
sudo chmod 644 /tmp/org/sshd_config

Now we'll harden the SSHD config.

sudo vi /etc/ssh/sshd_config

Ensure the following are in place.

# change the port to the custom SSH port from your security group
# this makes it a little bit harder for people to attack you as they
# now have to scan all ports to discover which is your SSH port
# (allow the same port in the security group BEFORE sshd is restarted,
# and if SELinux is enforcing on your box the new port must also be
# labelled ssh_port_t, or sshd will fail to bind it)
Port 12345

# Protocol 1 was removed in OpenSSH 7.4, which is what Amazon Linux 2
# ships, so "Protocol 2" and "RhostsRSAAuthentication no" are no longer
# needed; if you leave them in, sshd only logs a "Deprecated option"
# warning for each
#Protocol 2
#RhostsRSAAuthentication no

# change this to no, we never want root access over SSH
PermitRootLogin no

# explicitly disable weak authentication systems
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes

# EC2 uses keys for remote access
PasswordAuthentication no
PermitEmptyPasswords no

# Explicitly disable Kerberos Authentication
KerberosAuthentication no

# Explicitly disable GSSAPI Authentication
GSSAPIAuthentication no

# explicitly disable x11 forwarding, we will never connect with a gui
X11Forwarding no

Before rebooting, syntax-check the file (sshd -t) because a typo here locks you out, and add the custom port to the security group while port 22 is still open. Then reboot: this picks up the SSHD changes and anything from the yum update that needs one (a plain restart of the sshd service would do for the config alone).

sudo shutdown -r now

In the AWS Console, once you have confirmed that a fresh putty session on the custom port works, remove the temporary port 22 entry from your security group so that you just have something like this.

VPC-WebServerSecurityGroup
 HTTP             TCP    80 0.0.0.0/0
 HTTP             TCP    80 ::/0
 HTTPS            TCP   443 0.0.0.0/0
 HTTPS            TCP   443 ::/0
 Custom TCP Rule  TCP 12345 1.2.3.4/32

Re-connect with putty using the custom port if you haven't already. Note that a reboot keeps the public IP; it is a stop/start that assigns a new one, unless you have attached an Elastic IP.
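As an added example (not part of the original post), here is a small POSIX shell script that applies the directives above to a copy of sshd_config and checks that they are actually in effect. sshd honours the first uncommented occurrence of a keyword, so simply appending lines at the bottom can silently lose to an earlier setting; the script rewrites existing active lines in place and appends only when none exists, then runs sshd's own syntax check before anything is restarted. It assumes the stock Amazon Linux 2 file (no active Match blocks), GNU userland, the post's placeholder port 12345, and it only touches the live file when SSHD_CONFIG and SSH_PORT are given in the environment. Protocol and RhostsRSAAuthentication are left out deliberately because OpenSSH 7.4 treats them as deprecated.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the sshd hardening
# directives to a config file and verify they are in effect. Assumptions:
# stock Amazon Linux 2 sshd_config (no active Match blocks), GNU userland,
# and the post's placeholder port 12345.
set -eu

# Directives to enforce. Protocol/RhostsRSAAuthentication are omitted on
# purpose: OpenSSH 7.4 (Amazon Linux 2) dropped protocol 1 and only logs
# "Deprecated option" for them.
HARDENING='PermitRootLogin no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no'

# effective_value FILE KEY: print the value sshd would use, i.e. the FIRST
# uncommented occurrence of KEY (keywords are case-insensitive).
effective_value() {
  awk -v k="$2" 'BEGIN { lk = tolower(k) }
    $0 !~ /^[[:space:]]*#/ && tolower($1) == lk { print $2; exit }' "$1"
}

# set_directive FILE KEY VALUE: rewrite every active line for KEY in place
# (so no earlier line can win) and append the directive only if none exists.
# Writing through "cat >" keeps the file's owner and 0600 mode.
set_directive() {
  tmp=$(mktemp)
  awk -v k="$2" -v v="$3" 'BEGIN { lk = tolower(k); found = 0 }
    $0 !~ /^[[:space:]]*#/ && tolower($1) == lk { print k " " v; found = 1; next }
    { print }
    END { if (!found) print k " " v }' "$1" > "$tmp"
  cat "$tmp" > "$1"
  rm -f "$tmp"
}

# harden_sshd_config FILE PORT: apply all directives plus the custom port.
harden_sshd_config() {
  while read -r key value; do
    [ -n "$key" ] || continue
    set_directive "$1" "$key" "$value"
  done <<EOF
$HARDENING
EOF
  set_directive "$1" Port "$2"
}

# verify_sshd_config FILE PORT: succeed only if every directive is effective.
verify_sshd_config() {
  status=0
  while read -r key want; do
    [ -n "$key" ] || continue
    got=$(effective_value "$1" "$key")
    if [ "$got" != "$want" ]; then
      echo "FAIL: $key is '${got:-unset}', expected '$want'" >&2
      status=1
    fi
  done <<EOF
$HARDENING
Port $2
EOF
  [ "$status" -eq 0 ] && echo "OK: all hardening directives are effective in $1"
  return "$status"
}

# Live run, only when both variables are given:
#   sudo env SSHD_CONFIG=/etc/ssh/sshd_config SSH_PORT=12345 sh harden-sshd.sh
if [ -n "${SSHD_CONFIG:-}" ] && [ -n "${SSH_PORT:-}" ]; then
  cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%s)"   # rollback copy
  harden_sshd_config "$SSHD_CONFIG" "$SSH_PORT"
  verify_sshd_config "$SSHD_CONFIG" "$SSH_PORT"
  sshd -t -f "$SSHD_CONFIG"      # syntax check BEFORE any restart or reboot
  # SELinux (if enforcing) only knows port 22 as ssh_port_t
  if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = Enforcing ]; then
    semanage port -a -t ssh_port_t -p tcp "$SSH_PORT" \
      || semanage port -m -t ssh_port_t -p tcp "$SSH_PORT"
  fi
  echo "Next: allow TCP $SSH_PORT in the security group, then: systemctl restart sshd"
  echo "Open a NEW session on port $SSH_PORT before removing the port 22 rule."
fi
```

Run it as sudo env SSHD_CONFIG=/etc/ssh/sshd_config SSH_PORT=12345 sh harden-sshd.sh, allow the port in the security group, restart sshd, and only drop the port 22 rule after a new session on 12345 has succeeded. The functions can also be sourced and pointed at a scratch copy of the file to see what they would change.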

No Lighttpd

Note that in the previous posts I used the Lighttpd webserver but packages from Amazon Linux 1 aren't available on Amazon Linux 2.

Here's what happens if you try the old packages.

Don't do this:

$ sudo yum -y install lighttpd lighttpd-fastcgi
No package lighttpd available.
No package lighttpd-fastcgi available.

$ sudo yum -y install mysql mysql-server
No package mysql-server available.
Package mariadb.x86_64 1:5.5.60-1.amzn2 will be installed

$ sudo yum -y install php-cli php-mysql php-mbstring php-xml
Package php-mysql is obsoleted by php-mysqlnd, trying to install php-mysqlnd-5.4.16-45.amzn2.0.6.x86_64 instead

Install LAMP

First, have a look at the default users and groups on your system.

sudo cat /etc/passwd
sudo cat /etc/group

I make a local backup of these for my records.

Tutorial: Install a LAMP Web Server on Amazon Linux 2

Apache web server
PHP 7.2
MariaDB (a community-developed fork of MySQL)
Amazon Linux 2 

The above doesn't include SSL (Tutorial: Configure Apache Web Server on Amazon Linux 2 to Use SSL/TLS) or the [php-mbstring php-xml] extensions that I require.

Here's the whole package that I use:

sudo amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2
sudo yum install -y httpd mariadb-server
sudo yum install -y mod_ssl
sudo yum install -y php-mbstring php-xml

Result:

Installing php-pdo, php-mysqlnd, php-fpm, php-cli, php-json, mariadb
      
===============================================================================
 Package                         Arch                    Version               
===============================================================================
Installing:
 mariadb                         x86_64                  3:10.2.10-2.amzn2.0.3 
 php-cli                         x86_64                  7.2.16-1.amzn2.0.1    
 php-fpm                         x86_64                  7.2.16-1.amzn2.0.1    
 php-json                        x86_64                  7.2.16-1.amzn2.0.1    
 php-mysqlnd                     x86_64                  7.2.16-1.amzn2.0.1    
 php-pdo                         x86_64                  7.2.16-1.amzn2.0.1    
Installing for dependencies:
 mariadb-common                  x86_64                  3:10.2.10-2.amzn2.0.3 
 mariadb-config                  x86_64                  3:10.2.10-2.amzn2.0.3 
 php-common                      x86_64                  7.2.16-1.amzn2.0.1    
Updating for dependencies:
 mariadb-libs                    x86_64                  3:10.2.10-2.amzn2.0.3 

  Installing : php-json-7.2.16-1.amzn2.0.1.x86_64          
  Installing : php-common-7.2.16-1.amzn2.0.1.x86_64        
  Installing : php-pdo-7.2.16-1.amzn2.0.1.x86_64           
  Installing : 3:mariadb-config-10.2.10-2.amzn2.0.3.x86_64 
  Installing : 3:mariadb-common-10.2.10-2.amzn2.0.3.x86_64 
  Updating   : 3:mariadb-libs-10.2.10-2.amzn2.0.3.x86_64   
  Installing : 3:mariadb-10.2.10-2.amzn2.0.3.x86_64        
  Installing : php-mysqlnd-7.2.16-1.amzn2.0.1.x86_64       
  Installing : php-cli-7.2.16-1.amzn2.0.1.x86_64           
  Installing : php-fpm-7.2.16-1.amzn2.0.1.x86_64           

Installed:
  mariadb.x86_64 3:10.2.10-2.amzn2.0.3     
  php-cli.x86_64 0:7.2.16-1.amzn2.0.1  
  php-fpm.x86_64 0:7.2.16-1.amzn2.0.1  
  php-json.x86_64 0:7.2.16-1.amzn2.0.1
  php-mysqlnd.x86_64 0:7.2.16-1.amzn2.0.1  
  php-pdo.x86_64 0:7.2.16-1.amzn2.0.1

Dependency Installed:
  mariadb-common.x86_64 3:10.2.10-2.amzn2.0.3          
  mariadb-config.x86_64 3:10.2.10-2.amzn2.0.3          
  php-common.x86_64 0:7.2.16-1.amzn2.0.1

Dependency Updated:
  mariadb-libs.x86_64 3:10.2.10-2.amzn2.0.3

========================================================================================
 Package                                      Arch                Version               
========================================================================================
Installing:
 httpd                                        x86_64              2.4.39-1.amzn2.0.1    
 mariadb-server                               x86_64              3:10.2.10-2.amzn2.0.3 
Installing for dependencies:
 apr                                          x86_64              1.6.3-5.amzn2.0.2     
 apr-util                                     x86_64              1.6.1-5.amzn2.0.2     
 apr-util-bdb                                 x86_64              1.6.1-5.amzn2.0.2     
 bison                                        x86_64              3.0.4-6.amzn2.0.2     
 generic-logos-httpd                          noarch              18.0.0-4.amzn2        
 httpd-filesystem                             noarch              2.4.39-1.amzn2.0.1    
 httpd-tools                                  x86_64              2.4.39-1.amzn2.0.1    
 jemalloc                                     x86_64              3.6.0-1.amzn2.0.1     
 m4                                           x86_64              1.4.16-10.amzn2.0.2   
 mailcap                                      noarch              2.1.41-2.amzn2        
 mariadb-backup                               x86_64              3:10.2.10-2.amzn2.0.3 
 mariadb-cracklib-password-check              x86_64              3:10.2.10-2.amzn2.0.3 
 mariadb-errmsg                               x86_64              3:10.2.10-2.amzn2.0.3 
 mariadb-gssapi-server                        x86_64              3:10.2.10-2.amzn2.0.3 
 mariadb-rocksdb-engine                       x86_64              3:10.2.10-2.amzn2.0.3 
 mariadb-server-utils                         x86_64              3:10.2.10-2.amzn2.0.3 
 mariadb-tokudb-engine                        x86_64              3:10.2.10-2.amzn2.0.3 
 mod_http2                                    x86_64              1.14.1-1.amzn2        
 perl-Compress-Raw-Bzip2                      x86_64              2.061-3.amzn2.0.2     
 perl-Compress-Raw-Zlib                       x86_64              1:2.061-4.amzn2.0.2   
 perl-DBD-MySQL                               x86_64              4.023-6.amzn2         
 perl-DBI                                     x86_64              1.627-4.amzn2.0.2     
 perl-Data-Dumper                             x86_64              2.145-3.amzn2.0.2     
 perl-IO-Compress                             noarch              2.061-2.amzn2         
 perl-Net-Daemon                              noarch              0.48-5.amzn2          
 perl-PlRPC                                   noarch              0.2020-14.amzn2       

  Installing : apr-1.6.3-5.amzn2.0.2.x86_64                                
  Installing : apr-util-bdb-1.6.1-5.amzn2.0.2.x86_64                       
  Installing : apr-util-1.6.1-5.amzn2.0.2.x86_64                           
  Installing : perl-Data-Dumper-2.145-3.amzn2.0.2.x86_64                   
  Installing : httpd-tools-2.4.39-1.amzn2.0.1.x86_64                       
  Installing : jemalloc-3.6.0-1.amzn2.0.1.x86_64                           
  Installing : m4-1.4.16-10.amzn2.0.2.x86_64                               
  Installing : bison-3.0.4-6.amzn2.0.2.x86_64                              
  Installing : perl-Net-Daemon-0.48-5.amzn2.noarch                         
  Installing : 3:mariadb-errmsg-10.2.10-2.amzn2.0.3.x86_64                 
  Installing : httpd-filesystem-2.4.39-1.amzn2.0.1.noarch                  
  Installing : perl-Compress-Raw-Bzip2-2.061-3.amzn2.0.2.x86_64            
  Installing : generic-logos-httpd-18.0.0-4.amzn2.noarch                   
  Installing : mailcap-2.1.41-2.amzn2.noarch                               
  Installing : mod_http2-1.14.1-1.amzn2.x86_64                             
  Installing : httpd-2.4.39-1.amzn2.0.1.x86_64                             
  Installing : 1:perl-Compress-Raw-Zlib-2.061-4.amzn2.0.2.x86_64           
  Installing : perl-IO-Compress-2.061-2.amzn2.noarch                       
  Installing : perl-PlRPC-0.2020-14.amzn2.noarch                           
  Installing : perl-DBI-1.627-4.amzn2.0.2.x86_64                           
  Installing : perl-DBD-MySQL-4.023-6.amzn2.x86_64                         
  Installing : 3:mariadb-backup-10.2.10-2.amzn2.0.3.x86_64                 
  Installing : 3:mariadb-tokudb-engine-10.2.10-2.amzn2.0.3.x86_64          
  Installing : 3:mariadb-rocksdb-engine-10.2.10-2.amzn2.0.3.x86_64         
  Installing : 3:mariadb-cracklib-password-check-10.2.10-2.amzn2.0.3.x86_64
  Installing : 3:mariadb-gssapi-server-10.2.10-2.amzn2.0.3.x86_64          
  Installing : 3:mariadb-server-10.2.10-2.amzn2.0.3.x86_64                 
  Installing : 3:mariadb-server-utils-10.2.10-2.amzn2.0.3.x86_64           

Installed:
  httpd.x86_64 0:2.4.39-1.amzn2.0.1                                       
  mariadb-server.x86_64 3:10.2.10-2.amzn2.0.3

Dependency Installed:
  apr.x86_64 0:1.6.3-5.amzn2.0.2                                          
  apr-util.x86_64 0:1.6.1-5.amzn2.0.2
  apr-util-bdb.x86_64 0:1.6.1-5.amzn2.0.2                                  
  bison.x86_64 0:3.0.4-6.amzn2.0.2
  generic-logos-httpd.noarch 0:18.0.0-4.amzn2                             
  httpd-filesystem.noarch 0:2.4.39-1.amzn2.0.1
  httpd-tools.x86_64 0:2.4.39-1.amzn2.0.1                                 
  jemalloc.x86_64 0:3.6.0-1.amzn2.0.1
  m4.x86_64 0:1.4.16-10.amzn2.0.2                                         
  mailcap.noarch 0:2.1.41-2.amzn2
  mariadb-backup.x86_64 3:10.2.10-2.amzn2.0.3                             
  mariadb-cracklib-password-check.x86_64 3:10.2.10-2.amzn2.0.3
  mariadb-errmsg.x86_64 3:10.2.10-2.amzn2.0.3                             
  mariadb-gssapi-server.x86_64 3:10.2.10-2.amzn2.0.3
  mariadb-rocksdb-engine.x86_64 3:10.2.10-2.amzn2.0.3                     
  mariadb-server-utils.x86_64 3:10.2.10-2.amzn2.0.3
  mariadb-tokudb-engine.x86_64 3:10.2.10-2.amzn2.0.3                      
  mod_http2.x86_64 0:1.14.1-1.amzn2
  perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.amzn2.0.2                      
  perl-Compress-Raw-Zlib.x86_64 1:2.061-4.amzn2.0.2
  perl-DBD-MySQL.x86_64 0:4.023-6.amzn2                                   
  perl-DBI.x86_64 0:1.627-4.amzn2.0.2
  perl-Data-Dumper.x86_64 0:2.145-3.amzn2.0.2                             
  perl-IO-Compress.noarch 0:2.061-2.amzn2
  perl-Net-Daemon.noarch 0:0.48-5.amzn2                                   
  perl-PlRPC.noarch 0:0.2020-14.amzn2

========================================================================================
 Package                           Arch                           Version               
========================================================================================
Installing:
 mod_ssl                           x86_64                         1:2.4.39-1.amzn2.0.1  
Installing for dependencies:
 libtalloc                         x86_64                         2.1.13-1.amzn2        
 sscg                              x86_64                         2.3.3-2.amzn2.0.1     

  Installing : libtalloc-2.1.13-1.amzn2.x86_64     
  Installing : sscg-2.3.3-2.amzn2.0.1.x86_64       
  Installing : 1:mod_ssl-2.4.39-1.amzn2.0.1.x86_64 

Installed:
  mod_ssl.x86_64 1:2.4.39-1.amzn2.0.1

Dependency Installed:
  libtalloc.x86_64 0:2.1.13-1.amzn2                                             
  sscg.x86_64 0:2.3.3-2.amzn2.0.1

============================================================================
 Package                        Arch                     Version            
============================================================================
Installing:
 php-mbstring                   x86_64                   7.2.16-1.amzn2.0.1 
 php-xml                        x86_64                   7.2.16-1.amzn2.0.1 
Installing for dependencies:
 libxslt                        x86_64                   1.1.28-5.amzn2.0.2 
 oniguruma                      x86_64                   5.9.6-1.amzn2      

  Installing : oniguruma-5.9.6-1.amzn2.x86_64           
  Installing : libxslt-1.1.28-5.amzn2.0.2.x86_64        
  Installing : php-xml-7.2.16-1.amzn2.0.1.x86_64        
  Installing : php-mbstring-7.2.16-1.amzn2.0.1.x86_64   

Installed:
  php-mbstring.x86_64 0:7.2.16-1.amzn2.0.1                                       
  php-xml.x86_64 0:7.2.16-1.amzn2.0.1

Dependency Installed:
  libxslt.x86_64 0:1.1.28-5.amzn2.0.2                                           
  oniguruma.x86_64 0:5.9.6-1.amzn2

Now look again to see what new users and groups have been added.

sudo cat /etc/passwd
sudo cat /etc/group

New entries:

apache
nginx
mysql

Also, get a local backup of all the config files we're about to modify.

sudo cp /etc/httpd/conf/httpd.conf /tmp/org
sudo cp /etc/httpd/conf.d/ssl.conf /tmp/org
sudo cp /etc/httpd/conf.modules.d/00-mpm.conf /tmp/org
sudo cp /etc/my.cnf /tmp/org
sudo cp /etc/php.ini /tmp/org

Then use something like WinSCP to copy these to local.

WinSCP 4.3.5 (an old release; a current one has the same dialog)
Installation package
winscp435setup.exe > agree with defaults

Host: 1.2.3.4
Port: 12345
User: ec2-user
Password: [blank]
Private key file: WebServerKey.ppk
File protocol: SFTP (don't allow scp fallback)
> save > login > [enter the key passphrase when prompted]

After the copy delete the temp files.

sudo rm -rf /tmp/org

Setup and harden Apache

Start the Apache web server.

sudo systemctl start httpd

Note, in the following, apache may fail to start because of bad config. In that case you will get an error like "Job for httpd.service failed because the control process exited with error code." To see the actual error, issue the status command (or, to catch syntax errors before restarting at all, run apachectl configtest).

systemctl status httpd.service

Configure the Apache web server to start at each system boot.

sudo systemctl enable httpd

Add ec2-user to the apache group.

sudo usermod -a -G apache ec2-user

Close your terminal and log back in to pick up the group change, then issue these commands so that ec2-user and future members of the apache group can modify the web content.

sudo chown -R ec2-user:apache /var/www
sudo chmod 2775 /var/www && find /var/www -type d -exec sudo chmod 2775 {} \;
find /var/www -type f -exec sudo chmod 0664 {} \;

In a browser go to the IP of your EC2 instance, i.e. http://1.2.3.4/ to view the Apache test page. Use the browser to inspect the response and see that etag and version info are exposed.

Response Headers:
 Accept-Ranges: bytes
 Connection: Upgrade, Keep-Alive
 Content-Length: 3630
 Content-Type: text/html; charset=UTF-8
 Date: Sun, 05 May 2019 16:50:47 GMT
 ETag: "e2e-585b840220000"
 Keep-Alive: timeout=5, max=100
 Last-Modified: Thu, 04 Apr 2019 18:08:00 GMT
 Server: Apache/2.4.39 () OpenSSL/1.0.2k-fips
 Upgrade: h2,h2c

We don't want that. Also note the HTTP/2 error in your logs:

sudo cat /var/log/httpd/error_log
[http2:warn] [pid 3358] AH10034: The mpm module (prefork.c) is not supported by 
mod_http2. The mpm determines how things are processed in your server. HTTP/2 has 
more demands in this regard and the currently selected mpm will just not do. This is an 
advisory warning. Your server will continue to work, but the HTTP/2 protocol will be 
inactive.

You can additionally verify that your test page doesn't support HTTP/2 by entering your public IP at http2.pro.

Also observe that your current Server MPM is prefork:

httpd -V
Server version: Apache/2.4.39 ()
...
Server MPM:     prefork
  threaded:     no

We'll harden apache and resolve these issues as follows.

For reasoning see geekflare, vaulted.io, stackoverflow.com.

Note that I've added AllowOverrideList to completely disable htaccess.

Note that since the remaining Options command doesn't include Indexes, that means directory listing is forbidden.

Note that ProxyErrorOverride was added to resolve what appears to be a bug in the default config of apache/php. See howtoforge.com and stackoverflow.com for details. Here is what happens in the default config:

example.com/fake.php ->
 Browser output: "File not found."
 Error.log: [proxy_fcgi:error] [client] AH01071: Got error 'Primary script unknown\n'
example.com/fake.html -> default 404 page
example.com/fake/fake.php -> default 404 page

The problem here is that if you specify a custom error document it won't be used for a 404 of *.php in the root folder, because the error is produced by php-fpm rather than by apache. ProxyErrorOverride makes apache replace the backend's error response with its own ErrorDocument, which resolves this.

sudo vi /etc/httpd/conf/httpd.conf

Delete the existing <Directory "/var/www/html"> node.
Delete the existing <Directory "/var/www/cgi-bin"> node, and comment out the
ScriptAlias /cgi-bin/ line that goes with it (we have no CGI).
And make the following edits:

<Directory />
    AllowOverride none
    AllowOverrideList none
    Require all denied

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"

    Header unset Etag
    FileETag None
    
    RewriteEngine On
    RewriteCond %{SERVER_PROTOCOL} ^HTTP/0\.9$
    RewriteRule ^ - [F]
    RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.0$
    RewriteRule ^ - [F]
</Directory>
...
<Directory "/var/www">
    Options FollowSymLinks
    Require all granted
    ProxyErrorOverride on
</Directory>
...
<Location "/">
  <LimitExcept OPTIONS GET HEAD POST>
    Require all denied
  </LimitExcept>
</Location>
...
ServerTokens Prod
ServerSignature Off
TraceEnable off
Timeout 60

Three caveats on the above. First, inside LimitExcept use the Apache 2.4 form "Require all denied" as shown; the 2.2 form "Deny from all" only works on 2.4 because mod_access_compat is loaded, and mixing it with Require is a known source of surprises. Second, mod_rewrite does not inherit per-directory rules into a child <Directory> section unless that section says "RewriteOptions Inherit", so if the HTTP/1.0 check further down does not return 403, add that line to the /var/www section; also note that some older monitoring tools and proxies still speak HTTP/1.0, so watch the access log after enabling the block. Third, browsers have since dropped the XSS auditor that X-XSS-Protection controlled, and the blocking mode was itself abused for cross-site leaks, so on a current build send "0" or leave the header out.

Then remove the unused CGI directory:

rmdir /var/www/cgi-bin

sudo vi /etc/httpd/conf.modules.d/00-mpm.conf

Change this:

LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_event_module modules/mod_mpm_event.so

To this:

#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_event_module modules/mod_mpm_event.so

Restart apache.

sudo systemctl restart httpd

Observe that your Server MPM is now event/threaded:

httpd -V
Server version: Apache/2.4.39 ()
...
Server MPM:     event
  threaded:     yes (fixed thread count)

Observe that your error log now shows a successful mpm notice

sudo cat /var/log/httpd/error_log
[mpm_event:notice] [pid 30266:tid 139623658481856] AH00489: 
 Apache/2.4.39 () OpenSSL/1.0.2k-fips configured 
 -- resuming normal operations

Observe that your public IP at http2.pro now indicates HTTP/2 is supported.

Reload your public IP in the browser, and observe that the etag and version are removed. And that X-Frame and X-XSS are added. You may need to CTRL+F5.

Response Headers:
 Accept-Ranges: bytes
 Connection: Upgrade, Keep-Alive
 Content-Length: 3630
 Content-Type: text/html; charset=UTF-8
 Date: Sun, 05 May 2019 16:59:46 GMT
 Keep-Alive: timeout=5, max=100
 Last-Modified: Thu, 04 Apr 2019 18:08:00 GMT
 Server: Apache
 Upgrade: h2,h2c
 X-Frame-Options: SAMEORIGIN
 X-XSS-Protection: 1; mode=block

To convince yourself that HTTP/0.9 and HTTP/1.0 are blocked, temporarily add a third RewriteCond/RewriteRule pair matching ^HTTP/1\.1$, save, restart apache and refresh your test page. You'll get the forbidden response instead. Remove the extra pair again afterwards.

To convince yourself that only OPTIONS GET HEAD POST are permitted, remove GET from LimitExcept and save and restart apache and refresh your test page. You'll get the forbidden response instead.

To convince yourself that directory listing is disabled, add a folder and file and attempt to visit the folder. You'll get the forbidden response instead.

Confirm that apache doesn't run as root. The ps command should display one process running as root (which allows apache to listen on port 80) and the rest as the apache user.

ps -ef |grep http

Confirm that everything except the web content files are owned by root.

sudo ls -la /etc/httpd
sudo ls -la /var/log/httpd
sudo ls -la /usr/lib64/httpd
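As an added example (not code from the original post), the following shell script automates the checks just walked through by hand: it audits an httpd.conf for the hardening directives (ServerTokens, ServerSignature, TraceEnable, AllowOverrideList, no Indexes, no ScriptAlias, no 2.2-style access directives), and it audits a captured response, i.e. the output of curl -sI, for the leaks the config removes (Server version, ETag) and the headers it adds (X-Frame-Options, cookie flags). It assumes GNU grep/awk and the post's placeholder address 1.2.3.4; the file and host names are the post's, the script and its function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an httpd.conf and a
# captured HTTP response against the hardening above. Assumes GNU grep/awk
# and the post's placeholder address 1.2.3.4.
#   sh audit-httpd.sh /etc/httpd/conf/httpd.conf      # config checks
#   curl -sI http://1.2.3.4/ | sh audit-httpd.sh -    # header checks
set -eu

# active FILE REGEX: true if an uncommented line in FILE starts with REGEX
active() { grep -Eiq "^[[:space:]]*$2" "$1"; }

# audit_httpd_conf FILE: print one line per check, return 0 only if all pass.
audit_httpd_conf() {
  fails=0
  # directives that must be present with these values
  for want in 'ServerTokens[[:space:]]+Prod' 'ServerSignature[[:space:]]+Off' \
              'TraceEnable[[:space:]]+off' 'AllowOverrideList[[:space:]]+none'; do
    if active "$1" "$want"; then echo "ok   $want"
    else echo "FAIL missing: $want"; fails=$((fails + 1)); fi
  done
  # lines that must NOT be active: directory listing, CGI, and the Apache 2.2
  # access syntax that only works through mod_access_compat
  for bad in 'Options[^#]*[[:space:]][+]?Indexes' 'ScriptAlias' \
             '(Order|Allow from|Deny from)'; do
    if active "$1" "$bad"; then echo "FAIL active line matches: $bad"; fails=$((fails + 1))
    else echo "ok   no $bad"; fi
  done
  return $((fails > 0))
}

# audit_headers: read raw response headers on stdin, check the leaks the
# post's config removes (Server version, ETag) and the headers it adds.
audit_headers() {
  tr -d '\r' | awk '
    { n = tolower($1); sub(/:$/, "", n) }          # lower-cased header name
    n == "server"          { server = $0; sub(/^[^:]*:[ \t]*/, "", server) }
    n == "etag"            { etag = 1 }
    n == "x-frame-options" { xfo = 1 }
    n == "set-cookie"      { cookies++; v = tolower($0)
                             if (v !~ /httponly/ || v !~ /secure/) badcookie++ }
    END {
      fails = 0
      if (server ~ /\//) { print "FAIL Server leaks a version: " server; fails++ }
      else                 print "ok   Server: " server
      if (etag)          { print "FAIL ETag is still sent"; fails++ }
      else                 print "ok   no ETag"
      if (!xfo)          { print "FAIL X-Frame-Options missing"; fails++ }
      else                 print "ok   X-Frame-Options set"
      if (badcookie)     { print "FAIL " badcookie " Set-Cookie without HttpOnly+Secure"; fails++ }
      else if (cookies)    print "ok   every Set-Cookie has HttpOnly and Secure"
      exit (fails > 0)
    }'
}

# Entry point (does nothing when the file is sourced without arguments).
case "${1:-}" in
  -)  audit_headers ;;
  ?*) audit_httpd_conf "$1" ;;
esac
```

Run the config audit after every edit of httpd.conf and the header audit against both http:// and https:// once SSL is up; the cookie check only means something on a page that actually sets a cookie, so point it at a PHP page that starts a session rather than at the static test page.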

We must define domain mappings via virtualhost.conf. But the first VirtualHost defined also acts as the default server for any Host header that matches no ServerName, so let's adapt the default html to explicitly indicate those as invalid.

mv /var/www/html /var/www/_invalid
vi /var/www/_invalid/index.html
i
invalid
[esc]:wq

For this to work you must change:

sudo vi /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"

To:

DocumentRoot "/var/www/_invalid"

Note that all *.conf in the /conf.d/ are picked up at the end of the /etc/httpd/conf/httpd.conf via:

IncludeOptional conf.d/*.conf

So, create the following:

sudo vi /etc/httpd/conf.d/virtualhost.conf
<VirtualHost *:80>
  ServerName invalid
  DocumentRoot /var/www/_invalid
</VirtualHost>
<VirtualHost *:80>
  ServerName example.com
  DocumentRoot /var/www/example.com
</VirtualHost>
<VirtualHost *:80>
  ServerName another.com
  DocumentRoot /var/www/another.com
</VirtualHost>

For this to work the DocumentRoot paths must exist.

mkdir /var/www/example.com
vi /var/www/example.com/index.html
i
example
[esc]:wq

mkdir /var/www/another.com
vi /var/www/another.com/index.html
i
another
[esc]:wq

Restart apache so the new virtual hosts take effect.

sudo systemctl restart httpd

If your local box is Windows, you can edit your hosts file so that a test domain maps to the IP of your AWS box.

C:\Windows\System32\drivers\etc\hosts

1.2.3.4 example.com
1.2.3.4 www.example.com
1.2.3.4 another.com
1.2.3.4 www.another.com
1.2.3.4 fake.com

You should get the following results in your browser:

1.2.3.4          contents of /var/www/_invalid/index.html
fake.com         contents of /var/www/_invalid/index.html
example.com      contents of /var/www/example.com/index.html
www.example.com  error 404
another.com      contents of /var/www/another.com/index.html 
www.another.com  error 404

I want to always strip away the www, but we'll do that after we've set up SSL.

SSL

In this setup I'm using one cert from LetsEncrypt with SubjectAltNames for each domain.

I think that the install of mod_ssl created a key and self-signed cert at the default paths from /etc/httpd/conf.d/ssl.conf

sudo ls -la /etc/pki/tls/certs/localhost.crt
-rw-r--r-- root root /etc/pki/tls/certs/localhost.crt

sudo ls -la /etc/pki/tls/private/localhost.key
-rw------- root root /etc/pki/tls/private/localhost.key

Migrate the cert and key from the existing server. Replace the contents of the existing .crt and .key file on your new server.

sudo vi /etc/pki/tls/certs/localhost.crt
 -----BEGIN CERTIFICATE-----
 ...
 -----END CERTIFICATE-----

sudo vi /etc/pki/tls/private/localhost.key
 -----BEGIN PRIVATE KEY-----
 ...
 -----END PRIVATE KEY-----

The default config allows a wide range of crypto. There is no reason to support anything but the modern algorithms that work with your certificate.

Note that the OpenSSL terms don't match the TLS specification. You can find a map at openssl.org. And the definition of the SSLCipherSuite directive is at apache.org.

sudo vi /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
  SSLEngine on
  SSLProtocol -ALL +TLSv1.2
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>

Now append to your virtual hosts file. I would like to just add the ServerName and DocumentRoot. In fact this works because it gets the SSL settings from the _default_ entry in ssl.conf, but your phpinfo $_SERVER['SERVER_PORT'] will report 80 and $_SERVER['HTTPS'] will be undefined because the SSL directives weren't explicitly in your VirtualHost. See a similar issue on serverfault.com. For this reason, I've duplicated the full SSL config in each VirtualHost.

sudo vi /etc/httpd/conf.d/virtualhost.conf
<VirtualHost *:443>
  ServerName example.com
  DocumentRoot /var/www/example.com
  SSLEngine on
  SSLProtocol -ALL +TLSv1.2
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
sudo systemctl restart httpd

Now you should be able to access both of the following urls. We'll set this up with LetsEncrypt auto-renewal later.

http://example.com/index.html
https://example.com/index.html

Rewrites

For SSL sites, I only want urls of the form https://example.com/index.html, which means redirecting www and http. For non-SSL sites, I only need to redirect the www. I liked the suggestion of simonecarletti.com but to use that outside a virtualhost, you need all your destinations to be SSL.

Here's a scenario where you have example.com as SSL and another.com without SSL. Also, I've added custom 404 handlers for both.

sudo vi /etc/httpd/conf.d/virtualhost.conf
<VirtualHost *:80>
  ServerName invalid
  DocumentRoot /var/www/_invalid
  ErrorDocument 404 /index.html
</VirtualHost>

<VirtualHost *:80>
  ServerName another.com
  ServerAlias www.another.com
  DocumentRoot /var/www/another.com
  ErrorDocument 404 /index.html

  RewriteEngine On
  RewriteCond %{HTTP_HOST} ^www\. [NC]
  RewriteRule ^/(.*) http://another.com/$1 [R=301,L,NE]
</VirtualHost>

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /var/www/example.com

  RewriteEngine On
  RewriteRule ^/(.*) https://example.com/$1 [R=301,L,NE]
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /var/www/example.com
  ErrorDocument 404 /index.html

  SSLEngine on
  SSLProtocol -ALL +TLSv1.2
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

  RewriteEngine On
  RewriteCond %{HTTP_HOST} ^www\. [NC]
  RewriteRule ^/(.*) https://example.com/$1 [R=301,L,NE]
</VirtualHost>
sudo systemctl restart httpd

Now you should have the following behaviour:

1.2.3.4 -> index.html
1.2.3.4/blah -> error page
fake.com -> index.html
fake.com/blah -> error page

another.com -> index.html
www.another.com -> another.com -> index.html
another.com/blah -> error page

http://example.com -> https://example.com
https://www.example.com -> https://example.com
http://www.example.com/index.html?one=two#three -> https://example.com/index.html?one=two#three
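Added example (not the author's code): a small audit of the finished virtualhost.conf for the two properties this section relies on, namely that every *:443 VirtualHost carries its own SSL directives instead of inheriting them from _default_ in ssl.conf (and enables no legacy protocol version), and that the plain-HTTP VirtualHost of an SSL site redirects to https. Both config samples are constructed from the page's own examples.

```python
"""Audit virtualhost.conf: each *:443 block must carry its own SSL directives and
enable no legacy protocol; the *:80 block of an SSL site must redirect to https.
Added example, not the author's code; the config samples are constructed."""
import re

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # versions Apache's "all" keyword would enable
REQUIRED = ("SSLEngine", "SSLProtocol", "SSLCipherSuite",
            "SSLCertificateFile", "SSLCertificateKeyFile")

# the page's final config, trimmed to the SSL site
GOOD_CONF = """
<VirtualHost *:80>
  ServerName example.com
  DocumentRoot /var/www/example.com
  RewriteEngine On
  RewriteRule ^/(.*) https://example.com/$1 [R=301,L,NE]
</VirtualHost>
<VirtualHost *:443>
  ServerName example.com
  DocumentRoot /var/www/example.com
  SSLEngine on
  SSLProtocol -ALL +TLSv1.2
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""

# the tempting "just ServerName and DocumentRoot" variant, with a permissive SSLProtocol
INHERITED_CONF = """
<VirtualHost *:80>
  ServerName example.com
  DocumentRoot /var/www/example.com
</VirtualHost>
<VirtualHost *:443>
  ServerName example.com
  DocumentRoot /var/www/example.com
  SSLProtocol all -SSLv3
</VirtualHost>
"""


def parse_vhosts(text):
    """Split the config into blocks: [{'port': '443', 'directives': [(name, value), ...]}]."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = re.match(r"<VirtualHost\s+\S+:(\d+)>", line)
        if start:
            current = {"port": start.group(1), "directives": []}
        elif line == "</VirtualHost>" and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None:
            name, _, value = line.partition(" ")
            current["directives"].append((name, value.strip()))
    return vhosts


def values(vhost, name):
    return [v for n, v in vhost["directives"] if n == name]


def legacy_protocols_enabled(protocol_value):
    """Evaluate an SSLProtocol value such as '-ALL +TLSv1.2' or 'all -SSLv3'."""
    tokens = protocol_value.split()
    enabled = {t.lstrip("+") for t in tokens if not t.startswith("-")}
    disabled = {t.lstrip("-") for t in tokens if t.startswith("-")}
    if any(t.lower() == "all" for t in enabled):
        return LEGACY - disabled  # 'all' switches on every version not explicitly removed
    return enabled & LEGACY


def audit(text):
    """Return human-readable findings; an empty list means the config passes."""
    vhosts = parse_vhosts(text)
    findings, ssl_sites = [], set()
    for vh in vhosts:
        if vh["port"] != "443":
            continue
        name = (values(vh, "ServerName") or ["?"])[0]
        ssl_sites.add(name)
        for directive in REQUIRED:
            if not values(vh, directive):
                findings.append(f"{name}:443 lacks {directive} (would inherit from _default_)")
        for proto in values(vh, "SSLProtocol"):
            for bad in sorted(legacy_protocols_enabled(proto)):
                findings.append(f"{name}:443 enables {bad}")
    for vh in vhosts:
        if vh["port"] != "80":
            continue
        name = (values(vh, "ServerName") or ["?"])[0]
        targets = [r.split()[1] for r in values(vh, "RewriteRule") if len(r.split()) > 1]
        if name in ssl_sites and not any(t.startswith("https://") for t in targets):
            findings.append(f"{name}:80 does not redirect to https")
    return findings
```

Running audit(GOOD_CONF) returns no findings, while audit(INHERITED_CONF) reports the four missing SSL directives, the TLSv1 and TLSv1.1 versions that "all -SSLv3" leaves enabled, and the missing redirect.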

PHP Config

sudo vi /etc/php.ini
; php.ini comments start with ; (PHP 7 no longer accepts # comments in ini files)
; It looks like this is the default now, so this may be unnecessary.
cgi.fix_pathinfo = 1

; I use short tags
short_open_tag = On

; Simpler logs
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT

; decrease max post size so you don't waste time on bogus payloads
; this also limits the size of attack packets and reduces the risk of overflow
post_max_size = 1M

; http://tympanus.net/codrops/2009/08/31/solving-php-mysql-utf-8-issues/
; UTF8
[mbstring]
mbstring.language = Neutral
mbstring.internal_encoding = UTF-8
mbstring.encoding_translation = Off
mbstring.http_input = auto
mbstring.http_output = UTF-8
mbstring.detect_order = auto
mbstring.substitute_character = none
default_charset = UTF-8

Restart php.

sudo systemctl restart php-fpm

Create a test php page.

vi /var/www/example.com/test.php
hello <? echo "world"; ?> <?php echo " again"; ?>

You should be able to see this at http://example.com/test.php
It should say: hello world again

Create a phpinfo page, view it, and save it to pdf for future reference.

vi /var/www/example.com/phpinfo.php
<? phpinfo(); ?>

Afterwards delete it because it contains sensitive information.

rm /var/www/example.com/phpinfo.php

Setup and harden DB

Configure the db server to start at each system boot.

sudo systemctl enable mariadb

Secure the database server. Its default config is for development and test.

sudo systemctl start mariadb
sudo mysql_secure_installation
[enter]   # existing root mysql password is blank
Y         # yes set a root mysql password
password  # choose a password
password  # enter it again
Y         # remove anonymous users
Y         # disallow root login remotely
Y         # remove the test db
Y         # reload privilege tables now

The default config listens to the network.

# this shows that it is listening
sudo netstat -tap | grep mysql
sudo vi /etc/my.cnf
# ensure you already have this line
symbolic-links=0

# append this line to the [mysqld] block to disable TCP/IP listening
skip-networking

# append these to the [mysqld] block to set utf8 as your default
character-set-server=utf8
collation-server=utf8_general_ci

# I forget why I append this line to the [mysqld] block
skip-external-locking

Restart MySQL for the settings to take effect and look at netstat again to see that it's no longer listening.

sudo systemctl restart mariadb
sudo netstat -tap | grep mysql

Here is the full list of port uses. Note that nothing is on port 22 (the standard SSH port).

sudo lsof -i -P
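Added example (not from the post): the expected state after skip-networking, encoded as a check that parses netstat -plnt output and reports every TCP listener bound to a non-loopback address on a port we did not intend to expose. The netstat text is constructed, and the SSH port 2222 is a placeholder for whatever non-default port the server actually uses.

```python
"""Check netstat -plnt output for listeners reachable from the network that are
not on the planned ports. Added example; the sample text is constructed and the
SSH port 2222 is a placeholder."""

# constructed sample in the column layout of `sudo netstat -plnt`, before skip-networking
BEFORE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1300/mysqld
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      1400/php-fpm
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      900/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      1234/httpd
"""
# the same box after restarting mariadb with skip-networking: the mysqld line is gone
AFTER = "\n".join(l for l in BEFORE.splitlines() if "mysqld" not in l) + "\n"

LOOPBACK = ("127.", "::1")
EXPECTED_PORTS = {80, 443, 2222}  # http, https and the non-default ssh port (placeholder)


def parse_listeners(text):
    """Return (program, bind address, port) for every LISTEN line."""
    found = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7 or not cols[0].startswith("tcp") or cols[5] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        program = cols[6].partition("/")[2] or cols[6]  # "1234/httpd" -> "httpd"
        found.append((program, addr, int(port)))
    return found


def ports_in_use(text):
    return {port for _, _, port in parse_listeners(text)}


def unexpected_listeners(text, allowed_ports=EXPECTED_PORTS):
    """Listeners not bound to loopback whose port is not in the allowed set."""
    return [(p, a, port) for p, a, port in parse_listeners(text)
            if not a.startswith(LOOPBACK) and port not in allowed_ports]
```

Before the change, unexpected_listeners(BEFORE) names mysqld on 0.0.0.0:3306; afterwards the list is empty and 22 is not among ports_in_use(AFTER).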

Note that even with all that utf8 config, you still need to explicitly select utf8 in PHP after constructing your mysqli object, like this: $db->set_charset('utf8'); otherwise $db->character_set_name() returns latin1 instead of utf8.

We will now create all the databases that we wish to migrate. If you don't remember which databases you created, you can use show databases; in mysql on your live box.

mysql -u root -p 
password

SELECT User, Host, Password FROM mysql.user;
-- no passwords in the returned list should be blank

SELECT * FROM mysql.db;
-- empty result means the anonymous access to test tables has been deleted

CREATE DATABASE db1name CHARACTER SET utf8;
CREATE USER 'db1user'@'localhost' IDENTIFIED BY 'db1password';
GRANT ALL PRIVILEGES ON db1name.* TO 'db1user'@'localhost';

CREATE DATABASE db2name CHARACTER SET utf8;
CREATE USER 'db2user'@'localhost' IDENTIFIED BY 'db2password';
GRANT ALL PRIVILEGES ON db2name.* TO 'db2user'@'localhost';

exit

Next you must migrate all your database contents with commands like the following.

Old box:

mysqldump --user=db1user --password=db1password --skip-lock-tables --databases db1name > /tmp/db1name.sql

New box:

mysql -D db1name -u db1user -p
db1password
source /tmp/db1name.sql
exit

Be sure to delete the SQL from the /tmp folder once you're done.

Migrate Content

Next you must migrate all your webserver files.

Old box:

/var/www/lighttpd/example.com/
/var/www/lighttpd/another.com/

New box:

/var/www/example.com/
/var/www/another.com/

Once your files are uploaded, you'll need to create any symlinks that exist on your source server.

Old box:

sudo find /var/www/lighttpd -type f | sort > /tmp/files1.txt
sudo find /var/www/lighttpd -type l | sort > /tmp/links1.txt

Create necessary symlinks on the new box.

New box:

sudo find /var/www -type f | sort > /tmp/files2.txt
sudo find /var/www -type l | sort > /tmp/links2.txt

Diff the outputs to confirm the migration was identical.

Backup Initial Config

Get a local backup of the modified files.

mkdir /tmp/org
sudo cp /etc/ssh/sshd_config /tmp/org
sudo chmod 644 /tmp/org/sshd_config
sudo cp /etc/httpd/conf/httpd.conf /tmp/org
sudo cp /etc/httpd/conf.d/ssl.conf /tmp/org
sudo cp /etc/httpd/conf.modules.d/00-mpm.conf /tmp/org
sudo cp /etc/my.cnf /tmp/org
sudo cp /etc/php.ini /tmp/org

Then use WinSCP to copy these to local and delete the temp files.

sudo rm -rf /tmp/org

Go Live

Restart your new box to ensure all the settings take effect. Edit your hosts file to test the new server before swapping your elastic IP. You can't move an elastic IP across regions, so I created a new one in the new region, assigned it, then updated my DNS records at my domain registrar to point to the new IP.

Once the DNS has fully propagated you are now live and can shutdown and archive the old box.

Local Backup

You really should set up AMI backups, but it's not unreasonable to want a local copy of the data as well. I always have a local copy of the source code, but I want a way to fetch nightly backups of the database. You can achieve that by hosting an encrypted dump of the db at a randomly named folder and getting your local machine to fetch it each night.

Choose a web location for the backup.

mkdir /var/www/example.com/randomFolderName/

Create the backup script.

sudo mkdir /backup
sudo chown ec2-user:ec2-user /backup
vi /backup/go.sh
#!/bin/sh

# call this script with no arguments to create an encrypted dump of all your databases
# call this script with a file name as the only argument to decrypt that file
#
# here's how to set up a cron job to call this script nightly
# this example runs on the 5th minute of the 4th hour each day, i.e. 4:05am
# watch out, that's the time of the server, which may not be your local time
# stdout and stderr of the cronjob will be appended to /backup/chron.log
# (the redirections must be in this order; "2>&1 >> file" sends stderr to cron mail instead)
#
# crontab -e
# 5 4 * * * /backup/go.sh >> /backup/chron.log 2>&1

# work in the backup folder no matter where cron started us, so the
# "already exists" check and the temporary folder both land in /backup
cd /backup || exit 1

if [ "$1" = "" ]; then

  today=`date +%Y_%m_%d`
  if [ -e "$today" -o -e "$today.dat" ]; then
    echo "$today already exists"
    exit
  fi
  echo `date`
  mkdir "$today"

  # dump each database; note the passwords are visible in the process list while mysqldump runs
  mysqldump --user=user1 --password=password1 --skip-lock-tables --databases database1 > "./$today/database1_$today.sql"
  mysqldump --user=user2 --password=password2 --skip-lock-tables --databases database2 > "./$today/database2_$today.sql"

  # archive and encrypt (des3 is a legacy cipher and -k also exposes the password in the process list),
  # then replace last night's file in the web folder chosen above
  tar czf - "$today" | openssl des3 -salt -k password | dd of="$today.dat"
  rm -rf "$today"
  rm -f /var/www/example.com/randomFolderName/*
  mv "$today.dat" /var/www/example.com/randomFolderName/
  echo "finished"

elif [ -f "$1" ]; then

  # decrypt and unpack a previously created .dat file into the current folder
  dd if="$1" | openssl des3 -d -k password | tar xzf -

else

  echo "$1 doesn't exist"

fi

chmod 700 /backup/go.sh

Create the cronjob.

crontab -e
5 4 * * * /backup/go.sh >> /backup/chron.log 2>&1

Windows Scheduler

To get a Windows box to automatically wake up each night and download your backup, you can use the Windows Task Scheduler and the Background Intelligent Transfer Service (BITS).

First create a local bat file that will fetch your backup from the web.

bitsadmin /TRANSFER jobname /DOWNLOAD http://site1.com/randomFolderName/%DATE:~6,4%_%DATE:~3,2%_%DATE:~0,2%.dat C:\Backups\%DATE:~6,4%_%DATE:~3,2%_%DATE:~0,2%.dat

Next, schedule a task to wake the computer and run the script. I'm assuming that your computer is configured to automatically go back to sleep after an idle period.

Start > Control Panel > Administrative Tools > Task Scheduler

[right sidebar] > Create Task

General
 Name: Fetch Database
 [checked] Run with highest privileges

Triggers
 New
  Daily
  Start: 2am (some time shortly after your web backup becomes available)
 Ok

Actions
 New
  Action: Start a program
  Program/script: C:\Backups\fetch.bat (or whatever you named the above script) 
 Ok

Conditions
 [checked] Wake the computer to run this task
 
Ok

Your task now appears in the "Active Tasks" list in the Task Scheduler.

Alarms

It's a good idea to setup some AWS alarms to let you know when your systems are operating outside their expected range. Basic Monitoring metrics (at five-minute frequency) for Amazon EC2 instances and EBS volumes are free of charge.

In the AWS Console, on your new instance:

[right-click] EC2 Instance > CloudWatch Monitoring > Add/Edit Alarms > Create Alarm

[checked] send a notification to: your contact info
Whenever: Average of CPU Utilization
Is: >= 40 Percent
For at least 1 consecutive period of 5 minutes

Create Alarm > Close

I've only exceeded that CPU range when there was a bug in my code and php was stuck in a loop.

[right-click] EC2 Instance > CloudWatch Monitoring > Add/Edit Alarms > Create Alarm

[checked] send a notification to: your contact info
Whenever: Average of Network Out
Is: >= 150000 Bytes
For at least 1 consecutive period of 6 hours

Create Alarm > Close

I've only exceeded that Network range when re-imaging a box or when I was under attack.

It's fairly easy to adjust the alarms to your system after it's been running for a few days as the alarms console shows you a graph of each and the red line after which the alarm would fire.

You probably also want a billing alarm.

[top-bar] Services > Billing > Billing preferences 
 > [check] Receive Billing Alerts > Save preferences
 > Manage billing alerts
 (note that billing alerts appear in the N.Virginia region, 
 regardless of where you have your instances)
[side-bar] Billing > Create Alarm > EstimatedCharges > ...

AMI Backups

The AMI is your best backup option. This is a snapshot of your disk and your instance details (micro, etc). From the AMI you can launch a new box and move over your IP in a few minutes. Ideally you'll create an AMI from your instance and take snapshots of your instance every 24 hours and keep the last week and perhaps a few older copies. We'll want to configure the creation of these snapshots to happen automatically.

We'll setup nightly Amazon EBS Snapshots of our instance. They can later be used as the basis for an AMI.

Something has to issue the nightly command, and that something must contain an unprotected copy of the credential that allows the snapshot to occur. First we'll create a constrained credential to reduce the risk of its exposure, then we'll piggyback on our existing local database backup script to kick off the Amazon snapshot. Your server is probably more likely to be attacked than your devbox.

IAM Credential

In the AWS Console, select IAM. If you haven't used this yet, you'll have zero groups, users and roles. First we'll create a group that can create snapshots and then we'll create a user and assign them that group. The backup script will connect as this user.

Groups
Create New Group
 Group Name: snapshot
 Continue
 Policy Generator
 Select
   Effect: Allow
   AWS Service: Amazon EC2
   Actions: Create Snapshot
            Delete Snapshot
            Describe Snapshots
   ARN: *
   Add Statement
  Continue
 Continue
Create Group

Users
Create New Users  
 User Name 1: snapshot
 [checked] generate an access key for each user
 Create
 Download Credentials
 Close Window

Users
 snapshot
  Groups > Add User to Groups > snapshot > Add to Groups

Snapshot

We'll use the following command from the AWS API Reference.

ec2-create-snapshot volume_id -d "Nightly Backup"

To find your volume_id, go to the AWS Console, select EC2, select Volumes from the sidebar, scroll right to the Attachment Information column which will show your WebServer instance, then scroll left and record the Volume ID.

First we have to setup the tools.

Download and unzip the latest tools. I used these. The latest link will be posted here. No install is required.

You have to have Java installed.

Run the following commands from a DOS console to create your first snapshot.

SET JAVA_HOME=C:\Program Files (x86)\Java\jre1.8.0_191
SET PATH=%PATH%;%JAVA_HOME%\bin

SET EC2_HOME=C:\Amazon\ec2-api-tools-1.7.5.1
SET PATH=%PATH%;%EC2_HOME%\bin

SET AWS_ACCESS_KEY=AAAAAAAAAAAAAAAAAAAA
SET AWS_SECRET_KEY=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
SET EC2_URL=https://ec2.ca-central-1.amazonaws.com

ec2-create-snapshot vol-11111111 -d "Nightly Backup"

Run the following command to show existing snapshots.

ec2-describe-snapshots

You can filter that to only show the snapshots of a particular volume.

ec2-describe-snapshots --filter "volume-id=vol-11111111"

You can further restrict that to only show the snapshots of a particular volume that are tagged as "Nightly Backup", thus avoiding any ones you created manually.

ec2-describe-snapshots --filter "volume-id=vol-11111111" --filter "description=Nightly Backup"

Here's a windows script to create a snapshot and delete old nightly backup snapshots from a particular volume. You can call this from the script that you already setup to run nightly.

@echo off

SET JAVA_HOME=C:\Program Files (x86)\Java\jre1.8.0_191
SET PATH=%PATH%;%JAVA_HOME%\bin

SET EC2_HOME=C:\Amazon\ec2-api-tools-1.7.5.1
SET PATH=%PATH%;%EC2_HOME%\bin

SET AWS_ACCESS_KEY=AAAAAAAAAAAAAAAAAAAA
SET AWS_SECRET_KEY=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
SET EC2_URL=https://ec2.ca-central-1.amazonaws.com

SET EC2_VOLUME=vol-22222222

REM  This command lists all snapshots:
REM
REM  ec2-describe-snapshots
REM  
REM  SNAPSHOT        snap-11111111   vol-22222222    completed       2014-04-12T20:29:58+0000        100%    333333333333    8       Nightly Backup
REM  SNAPSHOT        snap-11111111   vol-22222222    completed       2014-04-12T20:29:58+0000        100%    333333333333    8       Nightly Backup
REM  SNAPSHOT        snap-11111111   vol-22222222    completed       2014-04-12T20:29:58+0000        100%    333333333333    8       Created by CreateImage(i-44444444) for ami-55555555 from vol-22222222
REM  SNAPSHOT        snap-11111111   vol-33333333    completed       2014-04-12T20:29:58+0000        100%    333333333333    8       Nightly Backup
REM
REM  This command lists only snapshots:
REM  - from the given volume
REM  - with the nightly backup tag
REM  - sorted from oldest to newest, http://ss64.com/nt/sort.html
REM  - note that whitespace above is actually a tab character so it counts as one space
REM 
REM  ec2-describe-snapshots --filter "volume-id=vol-22222222" --filter "description=Nightly Backup" | sort /R /+49

echo List interesting snapshots:
call ec2-describe-snapshots --filter "volume-id=%EC2_VOLUME%" --filter "description=Nightly Backup" | sort /R /+49

REM  This loop finds the selected snapshots that are older than 7 days:
REM  usebackq - use `` to delimit the command to be executed so that it can contain ""
REM  skip=7   - skip the first 7 rows, so we keep a week's worth of backups
REM  tokens=2 - select the 2nd column, delimited by spaces
REM  note: that the | must be escaped as ^|

echo Delete old snapshots:
FOR /F "usebackq skip=7 tokens=2" %%G IN (`ec2-describe-snapshots --filter "volume-id=%EC2_VOLUME%" --filter "description=Nightly Backup" ^| sort /R /+49`) DO (
  echo Delete %%G
  call ec2-delete-snapshot %%G
)

REM  Create the snapshot after we delete old snapshots so that our list won't contain any
REM  pending entries that would mess up our assumptions about the position of the date at /+49

echo Create a snapshot:
call ec2-create-snapshot %EC2_VOLUME% -d "Nightly Backup"
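The retention logic of the batch script above, reimplemented as an added example (not the author's code): parse ec2-describe-snapshots output, keep the newest seven completed "Nightly Backup" snapshots of one volume, and return the rest for deletion. Sorting on the parsed start time replaces the column-position sort, and pending snapshots are reported separately instead of being counted against the quota. All snapshot, volume, instance and owner ids and the dates in the sample are placeholders.

```python
"""Select old nightly snapshots for deletion from ec2-describe-snapshots output.
Added example, not the batch script's code; every id and date below is a placeholder."""
from datetime import datetime

KEEP = 7  # a week's worth, as in the batch script


def _row(snap, vol, state, day, desc):
    """Build one line in the tab-separated layout shown in the batch file's comments."""
    return "\t".join(("SNAPSHOT", snap, vol, state, f"2019-05-{day:02d}T04:05:00+0000",
                      "100%" if state == "completed" else "35%", "333333333333", "8", desc))


# constructed sample: nine nightly snapshots listed out of order, one still pending,
# one nightly snapshot of a different volume, and one created by CreateImage
SAMPLE = "\n".join(
    [_row(f"snap-{d:08d}", "vol-22222222", "completed", d, "Nightly Backup")
     for d in (3, 1, 9, 5, 7, 2, 8, 4, 6)]
    + [_row("snap-00000010", "vol-22222222", "pending", 10, "Nightly Backup"),
       _row("snap-00000011", "vol-33333333", "completed", 9, "Nightly Backup"),
       _row("snap-00000012", "vol-22222222", "completed", 9,
            "Created by CreateImage(i-44444444) for ami-55555555 from vol-22222222")])


def parse_snapshots(text):
    """Return one dict per SNAPSHOT line; any other output lines are ignored."""
    rows = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) < 9 or f[0] != "SNAPSHOT":
            continue
        rows.append({"id": f[1], "volume": f[2], "state": f[3],
                     "started": datetime.strptime(f[4], "%Y-%m-%dT%H:%M:%S%z"),
                     "description": f[8]})
    return rows


def snapshots_to_delete(text, volume, description="Nightly Backup", keep=KEEP):
    """Return (ids to delete, ids still pending) for the given volume and description."""
    nightly = [r for r in parse_snapshots(text)
               if r["volume"] == volume and r["description"] == description]
    pending = [r["id"] for r in nightly if r["state"] != "completed"]
    newest_first = sorted((r for r in nightly if r["state"] == "completed"),
                          key=lambda r: r["started"], reverse=True)
    return [r["id"] for r in newest_first[keep:]], pending


if __name__ == "__main__":
    old, pending = snapshots_to_delete(SAMPLE, "vol-22222222")
    for snap in old:
        print(f"ec2-delete-snapshot {snap}")  # the command the batch file would issue
    for snap in pending:
        print(f"skipping {snap}: still pending")
```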

Let's Encrypt

My original setup with lighttpd is here, and I've just done the minimum to get that working on Amazon Linux 2 with Apache. There is probably an easier official way at this point, but I didn't experiment.

On the source box:

cd /tmp
sudo tar -zcvf letsencrypt.tar.gz /etc/letsencrypt
sudo tar -zcvf certbot.tar.gz /etc/lighttpd/ssl

On the destination box:

cd /tmp

sudo tar -xvzf letsencrypt.tar.gz
rm letsencrypt.tar.gz
sudo mv /tmp/etc/letsencrypt /etc

sudo tar -xvzf certbot.tar.gz
rm certbot.tar.gz
sudo mv /tmp/etc/lighttpd/ssl /etc/httpd/certbot
sudo rm -f /etc/httpd/certbot/intermediate.pem
sudo rm -f /etc/httpd/certbot/ssl.pem

On the source box:

rm -f /tmp/letsencrypt.tar.gz
rm -f /tmp/certbot.tar.gz 

On the destination box:

sudo vi /etc/httpd/certbot/certbot-renew
#!/bin/sh

echo certbot-renew $(date)
/etc/httpd/certbot/certbot-auto renew --debug --quiet --post-hook "/etc/httpd/certbot/certbot-deploy"

sudo vi /etc/httpd/certbot/certbot-deploy
#!/bin/sh

echo certbot-deploy $(date)

cp /etc/letsencrypt/live/holtstrom.com/cert.pem /etc/pki/tls/certs/localhost.crt
cp /etc/letsencrypt/live/holtstrom.com/privkey.pem /etc/pki/tls/private/localhost.key
cp /etc/letsencrypt/live/holtstrom.com/chain.pem /etc/pki/tls/certs/server-chain.crt

systemctl restart httpd

sudo vi /etc/httpd/conf.d/ssl.conf
# uncomment this line
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

sudo vi /etc/httpd/conf.d/virtualhost.conf
# add this line to each ssl block
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

# test the deploy
sudo /etc/httpd/certbot/certbot-deploy

# observe good permission and ownership
sudo ls -la /etc/pki/tls/certs/localhost.crt
-rw-r--r-- 1 root root

sudo ls -la /etc/pki/tls/private/localhost.key
-rw------- 1 root root

sudo ls -la /etc/pki/tls/certs/server-chain.crt
-rw-r--r-- 1 root root

# test the renew
sudo /etc/httpd/certbot/certbot-renew

# it failed, so try to replace with updated script
sudo rm -f /etc/httpd/certbot/certbot-auto
cd /etc/httpd/certbot
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x certbot-auto

# try again
sudo /etc/httpd/certbot/certbot-renew

# still failure
# found advice here

# hack it
sudo vi /etc/httpd/certbot/certbot-auto

# replace this
elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then

# with this
elif grep -i "Amazon Linux" /etc/issue > /dev/null 2>&1 || \
    grep 'cpe:.*:amazon_linux:2' /etc/os-release > /dev/null 2>&1; then

# try again
sudo /etc/httpd/certbot/certbot-renew

# successful output doesn't look like much, you can remove the --quiet
# to see that it doesn't attempt renewal because the certs aren't due yet
certbot-renew Wed May 15 03:14:58 UTC 2019
yum is /bin/yum
yum is hashed (/bin/yum)
Package 1:openssl-1.0.2k-16.amzn2.1.1.x86_64 already installed and latest version
Package ca-certificates-2018.2.22-70.0.amzn2.noarch already installed and latest version
Package python-devel-2.7.14-58.amzn2.0.4.x86_64 already installed and latest version
Package 1:mod_ssl-2.4.39-1.amzn2.0.1.x86_64 already installed and latest version

# set up the cronjob
sudo crontab -e

38 3 * * * /etc/httpd/certbot/certbot-renew >> /etc/httpd/certbot/chron.log 2>&1

Reminders

# restart apache
sudo systemctl restart httpd

# find out why apache failed to start
systemctl status httpd.service

# restart php
sudo systemctl restart php-fpm

# php error logs
sudo cat /var/log/php-fpm/www-error.log

# see your full list of servers
sudo netstat -plnt

# watch the db log
sudo tail -n 200 -f /var/log/mariadb/mariadb.log

# see what's actually going over the wire
sudo tcpdump port 80 -A | strings

aws

Sunday, February 10, 2019

Global Warming

After a conversation with a friend, I intend to investigate the following three topics:

    Is it true that in 10k years we had a global temp delta of ~3.5 deg C?
    Do we know why global temp change has happened in the past?
    What (if anything) makes it different this time?

And as a meta-investigation:

    Discover if what I consider to be "reasonable convincing answers" others consider to be "unreasonable unconvincing claims", and if possible why.
    Discover if the answers are easy to find to test my belief that many people are intentionally uninformed.

Therefore rather than constructing an argument in a direction, I'll list sources in the order I find them and my interpretations of them.


ice core chart goes here


XKCD - Earth Temperature Timeline - Sep 12, 2016


Phys.ORG - Cooling or warming climate? - Aug 11, 2014


Phys.ORG - 30 years of above-average temperatures - Feb 26, 2015

Tuesday, January 1, 2019

Beer in Ottawa

Ordered By Preference:

Daniel O'Connell's Irish Pub
Bar Laurel
Tooth and Nail Brewing Company
Pubwells Restaurant
The Wood On Wellington
The Hintonburg Public House
Vimy Brewing Company
Bar Robo
Elmdale Oyster House & Tavern
Mill St. Brew Pub
The Carleton
Orange Monkey Bar & Billiards

Not Pub-Crawled Yet:

The Third
10Fourteen
Royal Oak
Bar Lupulus
Foolish Chicken
The Soca Kitchen
Beyond the Pale Brewing Company
Happy Goat Coffee Co.
Pub Italia
Heart & Crown
The Wellington Gastropub
Clocktower Brew Pub
Westboro Barley Mow
Churchills
Whispers Pub & Eatery
Bowman's Bar & Grill
Quinn's
House of TARG
The Belmont

Friday, December 28, 2018

CBC Radio Archive (Part4)

Decoding the resistance to climate change (important)

CBC Radio, Ideas, September 2017, Part1, Part2

"No one wanted to pay attention to the implications of a world four degrees warmer… It's too horrendous to think about. And no one talked about it. Then a few scientists said let's have a conference and actually talk about it. They held this conference in Oxford and I went along. As the conference started, there was a kind of suppressed emotional intensity, except in the coffee breaks. It was then that I would buttonhole a couple of scientists and say: 'Well, you know we're speculating about this. But what do you really think is the situation?' And one of them just looked at me and said: 'We're f--ked.'" – Clive Hamilton

The art of crime fiction & what it says about human nature

CBC Radio, Ideas, September 2017

To begin a new season of The Enright Files, we take a look at the art of crime fiction and what it says about the ills of society, life on the margins and the stormy heart of human nature.
- Henning Mankell, the late Swedish author of the Kurt Wallander detective series.
- Howard Engel, the Canadian author of the Benny Cooperman detective series.
- P. D. James, the late English author of the Adam Dalgleish detective series.
- Louise Penny, the Canadian author of the Armand Gamache detective series.

Canada's original promise: Still waiting to be realized

CBC Radio, Ideas, June 2017

Roberta Jamieson believes Canada is at a make-or-break moment where it has a chance to recast its historically troubled relationship with First Nations for the next 150 years. She sees the hope for that renewal in the very moment of contact between settler Europeans and her ancestors.

Fighting at the table: Conflict as successful integration (important)

CBC Radio, Ideas, June 2017

Sociologist Aladin El-Mafaalani sees anti-immigrant cries to build walls, and hate-fuelled politics counter-intuitively: a sign that integration is working. Conflict, he argues in his talk delivered in Berlin, is the necessary consequence of new arrivals at a metaphoric dinner table. The more people taking their place at the table, the more jostling and arguments there inevitably will be. While conflict can of course lead to violence, or even war, conflict in and of itself is neutral. It's simply a necessary stage of maturing societies. And those which have no conflict tend to be top-down authoritarian states which coerce their populations into obedience.

What happens when we stop asking questions: Why India must be secular (important)

CBC Radio, Ideas, June 2017

Political scientist Neera Chandhoke makes a heartfelt argument for a secular India at a talk delivered in Mumbai. Against the growing tide of Hindu nationalism and India's history of inter-religious strife, she draws on Western and Indian thinkers to make the case for diversity — not simply a social nicety, but as a condition for civilization itself. According to Neera, diversity means that a society is continually questioning itself. Those that don't embrace diversity cease to grow and eventually ossify. Yet Neera isn't against religious worldviews. In her vision of a secular state, all religions have a legitimate place. Because all religions seek the truth, none can fully lay claim to having all of it, and therefore there is space left for all: "The opposite of secularism is not communalism. It is theocracy".

The new tribe of Israel: The immigrant underclass (important)

CBC Radio, Ideas, June 2017

Anthropologist Galia Sabar has devoted her professional life to what she calls the "new tribe" of Israel: Jewish-African and non-Jewish labour migrants, asylum seekers, and refugees. Galia believes that Israel must be vigilant about its security. But it also has a moral duty, as a state established for Jews persecuted as the ultimate "other", to be humane and welcoming to the disadvantaged.

Eyes on the back of our heads: Recovering a multicultural South Africa (important)

CBC Radio, Ideas, June 2017

Journalist and activist Sisonke Msimang speaks at a former prison complex in Johannesburg which once held Mahatma Gandhi and Nelson Mandela. The setting is apt: Sisonke believes that post-apartheid South Africa has become imprisoned by its own past — a past which whites cannot recall and which blacks cannot forget. With both a mischievous sense of humour and sharp historical analyses, she pulls down the old binarism of black versus white to make way for a truly multicultural South Africa, one that welcomes other African migrants as it embraces its own racially diverse past.

Go with the flow: Using nature to help fight climate change

CBC Radio, Ideas, June 2017

Since the 1990s, the Netherlands has been looking at softer approaches to help fight climate change, mainly by using the forces of nature. The Room for the River project involves 30 different interventions along the major rivers flowing through the Netherlands, and is essentially a flood control project that allows rivers to flood, instead of forcing the water to go where it wouldn't naturally go.

Building Tension

CBC Radio, Ideas, June 2017

When to tear down and when to preserve buildings in our city cores was the topic of a discussion held in Halifax at the recent annual meeting of the International Council on Monuments and Sites.

Policing (important)

CBC Radio, Ideas, June 2017, Part1, Part2

CBC Radio One in partnership with the Munk School of Global Affairs at the University of Toronto, considers what it means to police and be policed in these complex and anxious times.

Counter-terrorism, fighting cybercrime, policing highly diverse societies: Can the police do it all? Should the police do it all? Do the police want to do it all?

Interesting perspective from Inspector Shawna Coxon, Toronto Police Service, and member of the TPS Transformational Task Force.

Distant Future Warnings: The challenges of communicating with eternity

CBC Radio, Ideas, June 2017

Radioactive waste and toxic mining byproducts will remain deadly for thousands of years – maybe forever. Generations in the distant future will need to know about the places this stuff is buried, and to stay away. Deep in the arsenic-contaminated underground at Giant Mine near Yellowknife, contributor Garth Mullins wonders how we can warn the distant future. Is it even possible to send messages that can outlast governments, languages, cultures, nations – maybe even humans?

Newfoundland Jam: Shakespeare's "As You Like It"

CBC Radio, Ideas, June 2017

The way Shakespeare's plays sounded in his own time, on his own stage, wasn't quite the way they sound today — the accent, the way words were pronounced, was different then. Today we're used to a kind of standard "British" pronunciation, and veerings into Canadian and American accents work too: Shakespeare, and what he's trying to share with us about human nature, generally gets through.

Ben Crystal: artistic director, Passion in Practice theatre company, Original Pronunciation specialist.

Lady and Lord Macbeth on trial: guilty or bewitched?

CBC Radio, Ideas, June 2017

What in fact might happen in a modern Canadian courtroom if the Macbeths were put on trial? Let's assume there's already been a trial, and they've been found guilty. Now of course, in the great legal tradition, there has to be an appeal. On the bench, three Supreme Court justices — Russell Brown, Andromache Karakatsanis, and the chief justice, Beverley McLachlin. And the star witness, former leader of the Liberal Party of Canada Bob Rae.

Orchids: A Love Story

CBC Radio, Ideas, June 2017

Wily, deceptive, manipulating: get ready to travel between history and science, how we humans think about orchids and who they really are in nature among themselves. A celebration of all things orchid with contributing producer Marilyn Powell.

The 2017 Killam Prize (important)

CBC Radio, Ideas, June 2017

John Borrows (Social Sciences) — John Borrows holds the Canada Research Chair in Indigenous law at the University of Victoria where he teaches constitutional, Indigenous, and environmental law. He is Anishinaabe and a member of the Chippewas of the Nawash First Nation in Ontario, where he grew up on the family farm east of the reserve. Over the decades, his work has had a major influence on the broader recognition of Indigenous legal systems and legal rights within Canada.

Molly Shoichet (Engineering) — Molly Shoichet holds the Canada Research Chair in Tissue Engineering and is Professor of Chemical Engineering & Applied Chemistry, Chemistry and Biomaterials & Biomedical Engineering at the University of Toronto. Her innovations in designing hydrogels promise to have a major impact on cancer research, spinal cord rehabilitation, and restoring lost vision.

Thomas Hurka (Humanities) — Thomas Hurka is the distinguished chair in philosophical studies at the University of Toronto. His main area of research is moral and political philosophy, zeroing in on normative ethical theory. He is interested in understanding what makes a 'good life.' Knowledge, achievement and friendship play strong roles in that understanding.

W. Ford Doolittle (Natural Sciences) — W. Ford Doolittle is professor emeritus in the department of biochemistry and molecular biology at Dalhousie University. He's also been awarded the Herzberg Gold Medal for science and engineering, which is Canada's highest honour. His work in molecular genetics includes the study of lateral gene transfer, a key driver of microbial evolution and the proposition of an alternative "web of life" theory. He jokes that his revived enthusiasm for philosophy means that he's now 'practicing philosophy without a license.'

Dr. Julio Montaner (Health Sciences) — Dr. Julio Montaner is the Director of the British Columbia Centre for Excellence in HIV/AIDS. Originally from Argentina, he immigrated to Canada more than 30 years ago and his innovations in HIV/AIDS treatment helped save millions of lives. He is a strong advocate of 'treatment as prevention' as well as safe injection sites and needle exchange programs.

Fail Better: What baseball can teach us about failure and community

CBC Radio, Ideas, June 2017

Baseball may have inspired more books than any other sport -- but none quite like philosopher Mark Kingwell's recently published, Fail Better: Why Baseball Matters. It's the first book-length philosophical meditation on what has been called America's national pastime. Paul Kennedy takes him out to a ballgame, and discusses everything from RBIs, to the metaphysics of failure, and how Kingwell borrowed the title for his baseball book from a work by Samuel Beckett.

The Challenge of Words: What is the future of literary writing in the digital age?

CBC Radio, Ideas, June 2017

In our hyperfast, overcaffeinated, 140-character, social-media-blasted, Facebook-overloaded age, there are still people writing serious books. The novel -- an art form that's centuries old -- still has the capacity to hold our attention from subway commute to library chair. But we tell ourselves we're in a different era now. What's to become of serious writing in the digital age? From the 2016 Stratford Festival, a discussion featuring writers Shani Mootoo, Charles Foran and Monia Mazigh.

Subversive thoughts for an infantile age (important)

CBC Radio, Ideas, October 2015

Paul Kennedy talks with philosopher Susan Neiman about her new book Why Grow Up? Subversive Thoughts for an Infantile Age. Neiman believes that "Having failed to create societies that our young want to grow up into, we idealize the stages of youth."

Nine minutes that changed the world

CBC Radio, Ideas, May 2017

In 1876, the poet Stéphane Mallarmé published a poem entitled The Afternoon of a Faun. He doubted anyone could set it to music successfully. But composer Claude Debussy did exactly that. The resulting music -- Prelude to the Afternoon of a Faun -- runs only about nine minutes long, but it helped give birth to the modern era as we know it. It's more than just a famous piece of music. It stands at the beginning of the world we still live in. It's a guide, in sound, to the political, social, moral and geopolitical changes that ended the nineteenth and created the twentieth century. And it remains an existential and culturally shape-shifting work of art that offers us clues into who we are today. Contributor Robert Harris and Tafelmusik's Ivars Taurins bring us inside the spellbinding magic of Debussy's imagining.

Bringing up furbaby: The evolution from family pet to pet family (important)

CBC Radio, Ideas, May 2017

There are now more pets than children in North American homes, and lavish dog beds and catnip mice are taking the place of bassinets and rattles. Is this turn from traditional to furry families simply a passing fad, or a response to the stresses of modern life?

History Derailed: Understanding the messy Middle East (important)

CBC Radio, Ideas, May 2017

The Arab Spring was supposed to be a turning point for the Arab Middle East. And it was. But history appears to have taken a wrong turn. Again. American journalist Robert F. Worth joins Paul Kennedy in conversation about his book, A Rage for Order: The Middle East in Turmoil, from Tahrir Square to ISIS.

Robert F. Worth is a former correspondent for The New York Times. The travels he undertook in Egypt, Libya, Syria -- and elsewhere -- make up a journey into an idea of the Arab world itself. Not into the revolutionary promises of the 2010 Arab Spring. But into the sobering, and tragic narrative that took shape just a year later.

Does public broadcasting have a future?

CBC Radio, Ideas, May 2017

It seems the idea of public service journalism is under fire everywhere. So three major public broadcasters came together to talk about their collective future at a forum held in Toronto by the Canadian Journalism Foundation: Jennifer McGuire, General Manager and Editor-in-Chief of CBC News, James Harding, Director of News and Current Affairs of the BBC, and Michael Oreskes, Senior Vice-President of News and Editorial Director of NPR. The discussion was moderated by Simon Houpt of The Globe and Mail.

Ideas from the Trenches - The problem of bad referendums (important)

CBC Radio, Ideas, May 2017

From Brexit to Turkey, the use of referendums is on the rise around the world. They're seen as a way of getting politicians and experts out of the way to let 'the people' decide on major policy decisions, and making democracy work more directly. Leah Trueblood is a PhD student at Oxford University. She warns that ill-conceived referendums are actually dangerous for democracies.

Jason Brennan — professor of Strategy, Economics, Ethics, and Public Policy at Georgetown University and author of Against Democracy and The Ethics of Voting.

The Myth of Victory (important)

CBC Radio, Ideas, May 2017

Some people argue that World War One was just the opening act for the Second World War, and perhaps World War Three is just around the corner. And what about wars of ideology? The Soviet Union doesn't seem to be dead yet, and nor is Communism. Even if we defeat ISIS, does that mean the idea of an Islamic state is finished? Stephen Toope, Janice Stein and Hugh Segal in conversation from the Stratford Festival.

How art shapes history

CBC Radio, Ideas, May 2017

Toronto CBC Radio host Matt Galloway talks with architect Sir David Adjaye, visual artist Christi Belcourt, author Junot Díaz and filmmaker Paul Gross. The group met onstage at Toronto's Massey Hall as part of the Creative Minds series, produced in partnership with CBC, the Art Gallery of Ontario, the Banff Centre and Massey Hall. Their focus: current global politics and how art shapes our understanding of place, history and progress.

Why "Buffyworld" still matters

CBC Radio, Ideas, May 2017

It's been 20 years since a midriff-baring California cheerleader leapt onto our television screens and became a riveting woman warrior — slaying vampires, demons and monsters. Her fantastical enemies were subversive metaphors for a corrupt and authoritarian culture. Today, Buffy the Vampire Slayer remains the most-studied show in television history. IDEAS producer Mary O'Connell revisits the legacy of "Buffyworld".

The program's prevailing messages: life can be hell, so expect it. In a society that medicates sadness and quirks of temperament, Buffy the Vampire Slayer asks us to consider emotional pain as a part of being human. And to be alive to the dangers, and joys, around us — and inside us. It invites us to be engaged, to strive towards good. It does not leave apathy as an option. In the words of British theatre critic Ian Shuttleworth, it's a "program more relevant today than ever".

How a 900-year-old Arabic tale inspired the Enlightenment (important)

CBC Radio, Ideas, May 2017

Our contemporary values and ideals are generally seen as the product of the Enlightenment. Individual rights, independent thinking, empiricism and rationalism are traced to the debates and discussions held by the great European thinkers of the 17th and 18th centuries: Locke, Rousseau, Voltaire, and Kant among others. But these thinkers owe a debt to a figure from 12th century Spain: a philosopher-physician named Ibn Tufayl who wrote a story called Hayy ibn Yaqzan -- which may be the most important story you've never heard.

The Munk Debates on the decline and fall of the liberal international order (important)

CBC Radio, Ideas, May 2017

For decades, global affairs have been moulded by ideas about the mutual benefits of an interdependent world. But the pillars of liberal internationalism are cracking under the rise of nationalist politics and other challenges. Is this the beginning of the end of the liberal international order? In a head-to-head Munk Debate, historian Niall Ferguson says Yes, the old order is collapsing, while commentator Fareed Zakaria argues No, there's life yet in liberal ideals.

The Enright Files: fifty years after the Six-Day War (important)

CBC Radio, Ideas, May 2017

That pivotal 1967 conflict that shaped so much of Israel's subsequent history has become known as the Six-Day War, but the outcome was effectively decided in the first 45 minutes. On the morning of June 5th, two Israeli squadrons of jet fighters destroyed hundreds of Egyptian aircraft as they sat on the ground. Less than a week later, the war was over.

According to historian Tom Segev, it was a Pyrrhic victory. In the decades that followed, Israel faced more wars, two Intifadas and countless missile attacks and suicide bombings. What has not happened has been a resolution to the plight of hundreds of thousands of Palestinians living in the occupied territories. A two-state solution seems as distant as ever.

- Tom Segev, Israeli historian.
- Michael Oren, Israeli historian and politician.
- Margaret MacMillan, Canadian historian.
- David Shulman, Israeli academic and peace activist.
- David Grossman, acclaimed Israeli novelist.

Don't shoot the messenger: The value of whistleblowing (important)

CBC Radio, Ideas, April 2017

Recorded at Ryerson University's Centre for Free Expression, Paul Kennedy hosts a panel on why whistleblowers are vital to the public interest...and how their exposure of wrongdoing can ultimately be helpful, even to their workplace. Investigator Sandy Boucher, international expert Anna Myers, and Canadian advocate David Hutton join forces to explain why they believe whistleblowers should be heard and protected.

Chernobyl Remembered

CBC Radio, Ideas, Part1, Part2, April 2007

The accident at Chernobyl remains the worst nuclear accident in history, worse even than what happened in Fukushima. Thirty-one people died as an immediate consequence, and a great many more were treated for radiation poisoning, but what is less well understood are the long-term consequences: who is sick today, more than 30 years later, as a result of Chernobyl? Around Chernobyl itself there's a 30 km zone, where no one is supposed to live, and nothing should be harvested. But many have returned to the zone, and many others are marked forever by their time there 31 years ago.

The Motorcycle is Yourself

CBC Radio, Ideas, December 2014

Robert Pirsig's Zen and the Art of Motorcycle Maintenance has been called the most widely read book of philosophy ever written. Forty years after its publication, contributor Tim Wilson revisits an extraordinary interview he did with its author, for still vital advice on how to live.

The rise of the extreme right in France (important)

CBC Radio, Ideas, Part1, Part2, Part3, April 2017

The French go to the polls April 23 to begin the selection of their next president. In the volatile world of French politics, the stakes seem higher than ever, as National Front leader Marine Le Pen is poised to make history. After decades in the political wilderness, the extreme right just might pull off an upset. She's promised to take France out of Europe and to end immigration, as per her motto: "One community, one culture, one language".

Francois Picard, host of Debate and The World This Week on the Paris-based TV network France 24.

Nonna Mayer is research director at the Centre for European Studies at Sciences Po in Paris. She's written extensively about the roots of right-wing politics in France.

Jeremy Ghez -- professor of economics and international affairs at the Hautes Etudes de Commerce in Paris, Director of the HEC Centre for Geopolitics.

Jean-Yves Camus -- political analyst at the French Institute for International and Strategic Affairs (IRIS) and director of the Observatory for Radical Politics, author of Far-Right Politics in Europe.

Pierre Larti, from the extreme right youth political action group Génération Identitaire.

Lucile Schmid, president of the non-profit Foundation for Political Ecology, former diplomat and politician.

The Rise of the Anti-Establishment: Where do we go from here? (important)

CBC Radio, Ideas, April 2017

"It is a deep tragedy, bordering on calamity, that we have come to this point," says Robert Reich of the Trump presidency. In a lecture at the University of British Columbia, followed by an interview with Paul Kennedy, the former U.S. Secretary of Labor and Professor of Public Policy at University of California at Berkeley details how understanding the circumstances that led to the election of Donald Trump can help shape a new democratic political sensibility.

Globalized Anger: The Enlightenment's Unwanted Child (important)

CBC Radio, Ideas, April 2017

Trumpism. Hindu nationalism. ISIS. Chinese expansionism. People everywhere seem fed up with the status quo, and their anger and intolerance are finding political expression. But why? Pankaj Mishra believes that the current unrest isn't about any so-called "clash of civilizations" between the enlightened and unenlightened. He thinks the globalized anger is the legitimate offspring of the Enlightenment itself. He speaks with Paul Kennedy about his provocative book, The Age of Anger: A History of the Present.

Islamist Persistence: The rise and reality of political Islam (important)

CBC Radio, Ideas, Part 1, Part 2, April 2017

It's a provocative argument among Islamic Scholars: was Islam founded on political principles? Is the rise of Islamism, after the Arab Spring, a natural evolution in Muslim-dominated countries? Many would say no. But author Shadi Hamid, an American Muslim and self-described liberal, says the rise of Islamist parties is inevitable. He also argues that mainstream Islamist parties that gain power through democratic, free elections should not be de-legitimized by secular liberals in the West and the Middle East.

Ireland 1916: how 800 years of British rule led to violent rebellion

CBC Radio, Ideas, April 2017

On Easter Monday, April 24, 1916, the streets of Dublin were transformed into a war zone. About 1,200 Irish rebels rose up against 20,000 British troops in a doomed attempt to throw off centuries of British colonial rule. The Easter Rising may have failed in that moment, but the brutality of the British response so disgusted and angered the people of Ireland that Irish independence became inevitable. On this edition of The Enright Files, we revisit some highlights of a two-hour special commemorating the 100th anniversary of the Easter Rising last year.

The Return of History: Your Questions

CBC Radio, Ideas, April 2017

Jennifer Welsh's 2016 CBC Massey Lectures: The Return of History is a stunning tour-de-force survey of the world we live in. Francis Fukuyama made his ill-fated proposal that history had ended in 1989. As communism was collapsing it looked like Western liberal democracy was here to stay. Fukuyama argued that no new or better political system could possibly emerge, and that peace and international stability were definitely here to stay. Well, we know how that worked out. Jennifer Welsh's elegant essays explored what went wrong with those expectations, and why.

Saving Syria: Keeping war-torn culture alive

CBC Radio, Ideas, March 2017

Destruction and displacement -- that's the story of Syria today. Paul Kennedy talks with three Syrians who believe in other Syrias, with stories about love, and laughter, and the smells of jasmine and tarragon. Maamoun Abdulkarim risks his life rescuing stolen ancient artefacts. Ghada Alatrash translates the work of poets still coping with life in Syria. And journalist Alia Malek writes about the history of Syria through the story of her family. Each talks about the responsibility they feel toward saving the Syria they know, and their fears that those stories might soon disappear.

Return of the Michif Boy: Confronting Métis trauma (important)

CBC Radio, Ideas, March 2017

PhD student Jesse Thistle was once a high school drop-out who spent more than a decade in and out of homeless shelters, consumed by drug and alcohol addiction. By reconnecting with his birth mother and spending time with his Métis elders he came to understand the effects of intergenerational trauma. His award-winning historical research shines a light on the struggles and the resilience of Métis 'road-side allowance' communities in northern Saskatchewan.

Expletive Repeated: Why swearing matters

CBC Radio, Ideas, March 2017

Profanity was once considered rude and crude — a linguistic last resort. Not so these days. Younger generations use swearing as everyday slang, and academics study it as an ever-evolving form of creative and cultural expression. Cognitive scientist, linguist, and author Benjamin K. Bergen (What the F: What Swearing Reveals About Our Language, Our Brains, and Ourselves) explains why cursing is so %$#* fascinating. Also featured: writer Roxana Robinson, who traces the subversive path of a sexist slur against women, and performer/activist Jess Thom explains what it's like to live with coprolalia — involuntarily swearing out loud.

The Rise of the Extreme Right in The Netherlands (important)

CBC Radio, Ideas, Part 1 (The Night Watch), Part 2 (The Immigrants), March 2017

In 1642, Rembrandt painted a masterpiece featuring Dutch men preparing for military duty at the height of the war of independence from Spain. It's an icon of democracy in The Netherlands, the reminder of a founding moment in history, of the values of tolerance and nationhood. But now, approaching this year's national elections, the Netherlands -- like many countries -- is experiencing an explosion of right-wing populism, fueled by the anti-immigrant rhetoric of Geert Wilders. And the nation is torn.

Rabin Baldewsingh came to The Netherlands as a 13-year-old, a Hindu from the Dutch colony of Surinam in South America. Today he's Deputy Mayor of The Hague, responsible for Social Affairs and Integration. It's an immigrant story with a happy ending, but it's not a track most new immigrants might be able to follow -- the Dutch are struggling with a rise of right-wing, anti-immigrant sentiment on the eve of national elections.

How Existentialist and Conservative Philosophers Think About Freedom (important)

CBC Radio, Ideas, March 2017

While the study of philosophy may seem more peripheral to everyday culture than ever in the 21st Century, the past hundred years saw a proliferation of schools of philosophical thought. None had the popular reach of existentialism, and few had greater impact on politics and debates on social issues than the various branches of conservatism - in many ways, the opposite of existentialism. On this month's edition of The Enright Files, conversations about, and with, existentialist and conservative philosophers.

- Sarah Bakewell, author of At the Existentialist Café: Freedom, Being and Apricot Cocktails.
- Claire Messud, acclaimed novelist and author of a New York Review of Books article on Albert Camus.
- Roger Scruton, English conservative philosopher and author of more than 30 books.

Beyond the Huddled Masses (important)

CBC Radio, Ideas, February 2017

From the 2016 Stratford Festival, a discussion with three fighters for human rights, three people whose families arrived on the shores of North America with next to nothing. Today, all three are deeply involved in fighting for human rights around the world.

Flora Terah works for women's rights in Canada and elsewhere; she was a political activist in Kenya before her son was murdered in retribution.

Harold Hongju Koh is professor of law at Yale and has worked as an advisor to the State Department -- his parents were refugees from North Korea.

Payam Akhavan and his family were refugees from Iran. He's worked extensively with the United Nations and as a UN prosecutor at The Hague; now he teaches law at McGill. He's also this year's CBC Massey lecturer.

Downloading Decision: Could machines make better decisions for us? (important)

CBC Radio, Ideas, February 2017

Humans like to let others make decisions for them. But what happens when those decisions are made by machines or artificial intelligence? Can we trust them to make the right choices? Contributor Scott Lilwall explores how we might program robots to make ethical choices. Assuming, of course, we can ever figure out just how humans make those same choices.

Sir Peter Gluckman on the proper role of science (important)

CBC Radio, Ideas, February 2017

The Harper government muzzled scientists. Donald Trump's administration is now doing the same. But a better relationship between science and government is possible. Sir Peter Gluckman is the Chief Science Advisor to the Prime Minister of New Zealand. This episode draws on a conversation he had with host Paul Kennedy and a talk he gave, organized by the Canadian Science Policy Centre and hosted by the Institute for Science, Society and Policy at the University of Ottawa. His point: science's proper role is to help decision-makers make scientifically-informed decisions.

From Tolerance to Tyranny (important)

CBC Radio, Ideas, January 2015

Christians, Muslims and Jews lived together in relative harmony in medieval Spain. Then the Spanish Inquisition came along with its use of terror and racism, turning a pluralistic society into a police state. Writer Erna Paris first explored this history for IDEAS in 1995. In a new take, she calls what happened in Spain "a cautionary tale for today."

Wachtel On The Arts - Phyllis Lambert (important)

CBC Radio, Ideas, February 2017

Eleanor Wachtel speaks to Canadian architectural activist, Phyllis Lambert, in celebration of her exceptional career on her 90th birthday. Phyllis Lambert's deep commitment to architecture and the city has won her international renown. In 2014, she received the Golden Lion for Lifetime Achievement at the Venice Architectural Biennale.

Back in the 1950s, Lambert became deeply involved in the construction of New York's landmark Seagram Building designed by Mies van der Rohe. It's often called a turning-point for modern architecture, a moment when social responsibility, beauty and truth counted for more than egotism or commercial interests.

The Marriage of True Minds

CBC Radio, Ideas, Part 1, Part 2, February 2017

More than thirty years ago, Paul Kennedy prepared a series that celebrated famous intellectual marriages. These relationships were consummated at various times, from the early Middle Ages to the late-twentieth century. We revisit that classic series from a more contemporary perspective, and wonder what might be learned, and what could be lost from looking for lessons from relationships in the past.

Surviving Post-Capitalism: Coping, hoping, doping & shopping (important)

CBC Radio, Ideas, February 2017

The signs are troubling: the ever-widening chasm between the ultra-rich and everyone else. Mass protests. Political upheaval and social division. It looks as though the rocky marriage between capitalism and democracy is doomed, at least according to Wolfgang Streeck, who directs the Max Planck Institute for the Study of Societies in Cologne, Germany, where he is also a professor of sociology. In conversation with Paul Kennedy about his book How Will Capitalism End?, he makes the unnerving case that capitalism is now at a point where it cannot survive itself.

The Challenge of Peace (important)

CBC Radio, Ideas, February 2017

We have the best communications in history, except for the kind that matters — nations and states understanding each other. What values might we agree on? What ideas about society do we have in common? Has there been progress of any sort? Jennifer Welsh, Paul Heinbecker, Peter Boehm, Arne Kislenko and Daniel Eayrs in conversation from the Stratford Festival.

"Peace" is a tricky concept — everyone agrees that war is a bad idea, but when someone lays siege to you, it's hard not to resort to conflict. We'd all like to have peace, but in an unequal world, where resources are finite and unequally distributed, it's hard to see how conflict can be avoided, and how peace can be maintained.

The Enright Files on humanizing Canada's penal system (important)

CBC Radio, Ideas, February 2017

Politicians and governments call it getting tough on crime, part of a law and order agenda. A government focus on victim rights, longer sentences and stripping away services and programs meant to improve the lives -- and life chances -- of inmates, has left Canada's penal system much more equipped to punish than to rehabilitate offenders.

The result is overcrowded, violent jails and penitentiaries. Mentally ill prisoners are often placed in solitary confinement instead of receiving the treatment they need. Minorities are vastly over-represented, particularly Indigenous and black people.

Howard Sapers, Reverend Carol Finlay, Kate Johnson, Sister Elaine MacInnes, and Marianne Vollan, the Director General of Correctional Services of Norway.

Ecology of Sound: Hildegard Westerkamp

CBC Radio, Ideas, February 2017

Paul Kennedy joins sound ecologist Hildegard Westerkamp on a sound-walk through Vancouver's downtown eastside, and explores how opening our ears to our surroundings can open our minds.

After Guantanamo: Dennis Edney on defending Omar Khadr (important)

CBC Radio, Ideas, February 2017

In 2002, a 15-year-old boy was caught by American forces in Afghanistan after a firefight, and imprisoned in Guantanamo for the next 13 years. The boy was Omar Khadr, and his then little-known lawyer was Dennis Edney from Edmonton. From the Stratford Festival, Dennis Edney talks with Paul Kennedy about a life-changing experience that contains a challenge for us all.

"In all the years I went to Guantanamo, he was always chained to the floor. And so I saw my job as trying to keep him alive, and I talked to him about hope. And I used to keep pointing to the steel door and I said 'behind that door is light.'"

Media in the Age of Terrorism: Mohamed Fahmy (important)

CBC Radio, Ideas, January 2017

For 438 days, Mohamed Fahmy was locked away in an Egyptian jail, including solitary confinement in the brutal Scorpion wing of Cairo's Tora Prison, living side-by-side with members of the Muslim Brotherhood, al-Qaeda and ISIS. He was accused of being a terrorist, when in fact, he was simply being a journalist. The Egyptian-Canadian's arrest, trials and eventual release in 2015, garnered international attention.

The importance of being ethical with Dr. Janet Rossant (important)

CBC Radio, Ideas, January 2017

Dr. Janet Rossant argues that recent revolutions in genetic medicine demand comparable advances in our understanding of the underlying morality and ethics. "How do we draw the line between fixing a terrible disease and enhancing the human condition?"

After spending years studying the genetic development of mouse and human embryos, Dr. Rossant paved the way for important new possibilities in medical science -- particularly in the area of stem cell therapy. Much of this research was conducted at the Hospital for Sick Children, in Toronto. She is now President and Chief Scientist for the Gairdner Foundation. We hear highlights from her 2016 Henry G. Friesen Lecture, in Ottawa, as well as an interview with Paul Kennedy.

The Causes and Consequences of Brexit: Timothy Garton Ash (important)

CBC Radio, Ideas, January 2017

The election of Donald Trump. Brexit. The turn towards the hard right across Europe. We're in a new era, according to celebrated historian and political writer, Timothy Garton Ash. One in which populist, anger-fueled movements are gathering increasing momentum, not only in the West but throughout the world.

"Let me immediately put my cards on the table, and tell you where I stand on this question of Brexit. I said the day after the referendum that the best day of my political life was the 9th of November 1989 with the fall of the Berlin Wall. And the worst day of my political life was the 23rd of June 2016 [Brexit vote]."

Reconciliation Before Reconciliation with Dr. Tracey Lindberg

CBC Radio, Ideas, January 2017

Dr. Tracey Lindberg explores the importance of reconciliation with self, with community, and with Indigenous peoples in advance of reconciliation with Canada.

The truth about "post-truth" (important)

CBC Radio, Ideas, January 2017

The election of Donald Trump has ignited talk that we're now living in a "post-truth" era. But are we? Where does the idea that the truth no longer exists come from? Or the notion that the truth doesn't matter anymore? Host Paul Kennedy talks to thinkers who argue that the story began years earlier, with a kind of collective identity crisis: authoritarianism can become attractive when you no longer remember who you are.

"'Post-truth' is often understood as involving people's emotions rather than their critical abilities to make distinctions. And I think that might be true, but I think it's important to keep in mind that emotion and truth are not two different things. Emotion has to do with what we care about and truths have to do with things that are the case. The two have to work together." -- Kathleen Higgins

Wachtel On The Arts - John Neumeier

CBC Radio, Ideas, January 2017

John Neumeier has been at the cutting edge of dance for more than fifty years. When he was studying English Literature and Theatre at university in Milwaukee, the head of the drama department recognized his talent and connected him with modern dance pioneer Sybil Shearer in Chicago. Before long, John Neumeier was studying at the Royal Ballet Company in London, England. There, another chance encounter landed him a contract at the Stuttgart Ballet, led by the influential John Cranko. At the age of 27, and very much to his surprise, John Neumeier was invited to become the artistic director of the Frankfurt Ballet. Then, in 1973, scarcely 30 years old, he became Artistic Director of the Hamburg Ballet. And he's been there ever since.

Screened Off: The dangers of an insular web

CBC Radio, Ideas, January 2017

Corporate control, and the "tyranny of the popular." Fake news, filter bubbles, and apps as "walled gardens." Have we lost a free and democratic internet? And did we do this to ourselves? Sue Gardner, formerly of the Wikimedia Foundation, writer Hossein Derakhshan, and Brodie Fenlon of CBC Digital News join Paul Kennedy onstage at Ryerson University's Centre for Free Expression, in Toronto.

The Enright Files - Ideas to make a better world (important)

CBC Radio, Ideas, January 2017

Many of the things we take for granted in Canada -- universal health care, public pensions, a five-day work week -- were once considered utopian pipe dreams. The same is true of a lot of current ideas to make a better world and improve our quality of life: they endure ridicule and pushback until some brave souls flout conventional wisdom and try them out. This month on The Enright Files, ideas to improve our communities, our countries and our quality of life.

Rutger Bregman, the author of Utopia for Realists: The Case for a Universal Basic Income, Open Borders, and a 15-Hour Workweek.

Janette Sadik-Khan, the former Transportation Commissioner for New York City and the co-author of Street Fight: Handbook for an Urban Revolution.

Pasi Sahlberg, the Director General of the Centre for International Mobility and Cooperation in Helsinki and the author of Finnish Lessons: What Can the World Learn from Educational Change in Finland?

Karyn McCluskey, the Director of the Violence Reduction Unit of the Glasgow police.

The 2016 Sobey Art Award

CBC Radio, Ideas, Part 1, Part 2, December 2016

Over two shows, IDEAS profiles the five regional finalists: from the West Coast & Yukon: Jeremy Shaw; Prairies and the North: Brenda Draney; Ontario: Charles Stankievech; Quebec: Hajra Waheed; The Atlantic: William Robinson.

Reflections on Global Affairs: Is the world really falling apart? (important)

CBC Radio, Ideas, December 2016

The news has been bleak: Brexit, populism, terrorism and an America divided. The war in Syria continues to rage and the number of refugees and other migrants world-wide is soaring. Then there's economic inequality and a host of other big concerns. It's tempting to think that everything is falling apart. But is that really true? IDEAS, in partnership with the Munk School of Global Affairs at the University of Toronto, reflects upon the state of the world along with a razor-sharp panel.

Michael Blake, Professor of Philosophy, Public Policy, and Governance at the University of Washington; Randall Hansen, Director of the Centre of European, Russian & Eurasian Studies at the Munk School of Global Affairs and Professor of Political Science; Janice Stein, the Founding Director of the Munk School of Global Affairs and an internationally renowned expert on international conflict and global governance; and moderator Stephen Toope, Director of the Munk School of Global Affairs, take the global view in a time of disruption and change.

Seed Banks: Re-sowing paradise

CBC Radio, Ideas, December 2016

For their potential to be awakened hundreds -- if not thousands -- of years later, seeds have captured our imagination. Seeds that have been entombed with Egyptian mummies, seeds that have sat dormant in mud banks for a generation, seeds that have been tucked into 18th century letters -- all sit expectantly for humans to rediscover them and bring them back to life.

While individuals have always saved seeds, with global warming and with so many plant species now threatened, seed banks have become a strategy to preserve biodiversity. Seed banks might be low-tech operations run out of an individual's home, or high-tech facilities dug into the Norwegian permafrost. The orientation of these collections might vary (a seed "bank" or a seed "sanctuary") but the impulse is the same -- to guard these potentially vibrant objects against extinction.

The Sea Women

CBC Radio, Ideas, October 2007

South Korea's "sea women" have been harvesting commercial treasures from the ocean floor since the 4th century. With only a few tools and fishing baskets slung over their shoulders, these sunburnt and wrinkled grandmothers can dive up to 20 metres on a single breath. Their dives mix dexterity, desire and death. Vancouver writer and broadcaster Gloria Chang returns to the country of her birth for an intimate portrayal of these cultural icons and to unravel a matriarchal mystery: Why do only women take to the waters?

Writing in worried times: GG Award winners share their anxieties

CBC Radio, Ideas, December 2016

They may be successful writers, but that doesn't mean the 2016 Governor General's Literary Award winners are immune from worry about the world around us. Five authors share some brand new work on that theme, and explain how they grapple with the cultural issues that make them most anxious.

Steven Heighton is a novelist and poet based in Kingston, Ontario. Martine Leavitt is an Alberta-born fiction writer living in Vermont. Bill Waiser is a historian in Saskatoon. Madeleine Thien is a Montreal fiction writer. Colleen Murphy is a playwright based in Toronto.

Cracking our moral code: How we decide what's right and wrong

CBC Radio, Ideas, December 2016

We all have a moral code -- a clear sense of what is right and what is wrong. But the reasons why we make certain decisions can quickly get fuzzy. Producer John Chipman explores why some people stick to their moral codes more stringently than others, and delves into the latest neuroimaging research to find out what it can tell us about what guides our moral decisions.

Decoding Death: The science and significance of near death experiences (debunk)

CBC Radio, Ideas, December 2016

People have reported "near death experiences", or NDEs, over centuries and across cultures. The nature of them has historically been the territory of religion and philosophy. But now science has staked its claim in the discussion. And the questions are profound: where is consciousness produced, in the brain, or somewhere else? Can consciousness continue to exist even after the heart and brain have stopped working? Contributor Ashley Walters explores the science and the meaning of near death experiences.

The Enright Files on William Shakespeare & James Joyce

CBC Radio, Ideas, December 2016

On the 400th anniversary of Shakespeare's death, Stratford Festival veterans Colm Feore and Seana McKenna talked to Michael Enright to describe what Shakespeare demands of his actors, how his characters embody the essential qualities of humanity, and why, despite the barrier of Elizabethan language, Shakespeare in the 21st century is more relevant than ever.

One hundred years ago -- on December 29, 1916 -- James Joyce published his first novel, A Portrait of the Artist as a Young Man. Michael Enright talks to Irish politician and Joyce scholar Senator David Norris, Irish cultural historian and Joyce scholar Declan Kiberd, and Canadian professor of literature and Joyce scholar Jennifer Levine.

Rear View Mirror: Has the future ever looked like the past?

CBC Radio, Ideas, December 2016

Why does history matter? The conventional reason we're given is that in order to comprehend the future, we need to know the past, that there are lessons in history -- that the mistakes of the past can teach us what to avoid in the future, that unbridled political power leads to dictatorship, that war is a bad way to settle things. But does the past really have anything to teach us -- has the future ever looked like the past?

Bob Rae, Margaret MacMillan, Karin Wells.

The dangerous game: Gamergate and the "alt-right" (important)

CBC Radio, Ideas, November 2016

Emma Vossen's love of gaming started when she was a kid growing up in small-town Ontario. Now as a PhD candidate at the University of Waterloo Games Institute, she looks to gamer culture as a microcosm of how sexism is seeded and replicated within broader society, and she draws connections between gamer culture and the rise of the political extreme right.

Kishonna Gray -- visiting scholar and associate professor at MIT and founder of the Critical Gaming Lab at Eastern Kentucky University. She's also the author of Race, Gender, and Deviance in Xbox Live.

"All of a sudden it became completely normalized that the king of all Internet trolls [Donald Trump] became the president." -- Anita Sarkeesian, director of Feminist Frequency, a non-profit organization exploring the representations of women in pop culture.

Jennifer Jensen -- York University professor of pedagogy and technology, and director of the Institute for Research on Digital Learning. She is also the president of the Canadian Games Studies Association.

Is That All There Is? Exploring the meaning & future of science (important)

CBC Radio, Ideas, November 2016

Science helps us understand ourselves and our own place in the cosmos. But how far does the math take us? And what do science and the humanities tell us when we look at the same questions from different points of view? From the Stratford Festival, a discussion between physicist Neil Turok, science writer Margaret Wertheim and philosopher Mark Kingwell.

"We've seen these incredible advances in our basic knowledge of the universe, at the same time the discipline itself is in a crisis. So what's the crisis? Essentially nothing new has been predicted in fundamental physics for three decades" -- Neil Turok, Perimeter Institute for Theoretical Physics in Waterloo.

The Matter of Meat: A history of pros and cons

CBC Radio, Ideas, November 2016

Eating meat: some say we've evolved to do it. It's in our DNA. It's how we got our big brains. Yet others, as far back as Pythagoras, have argued that eating meat is bad for our bodies, cruel to animals, and toxic to the planet. Now -- perhaps more than ever -- when it comes to the matter of meat, clear-cut answers can be hard to come by. Kevin Ball serves up the arguments.

The Tedium is the Message

CBC Radio, Ideas, November 2016

It's never been easier to banish the feeling of boredom -- at least for a moment. But some fear our weapons of mass distraction could lead to an epidemic of ennui and ADD. Contributor Peter Mitton examines boredom and discovers a little-understood universal state of mind. From its obvious downsides and unexpected upsides, to its evolutionary origins and the way it's shaping our future.

The uncertain future of journalism and why it matters

CBC Radio, Ideas, November 2016

Whether it's radio, television, print or online, anyone who works in journalism can feel the ground shifting under their feet. The business model of news has been radically disrupted by the Internet age, and yet, the mandate of journalism remains the same: to uncover and report the truth and hold power to account. In this month's edition of The Enright Files, Michael Enright explores the mandate of journalism and how to maintain the integrity and craft even while it faces an uncertain future.

Wachtel on the Arts - Ai Weiwei (important)

CBC Radio, Ideas, November 2016

Chinese artist Ai Weiwei has been called "the most powerful artist in the world" and "a contemporary icon of resistance." He's reached an almost unprecedented level of international fame, both for his powerful work and his tough political criticism. He talks to Eleanor Wachtel about his beautiful and subversive art and about his fight for freedom and democracy in China.

Together with volunteers he gathered through the Internet, Ai Weiwei went town to town and door to door in Sichuan, talking to the families of the children who had been killed. Then he published their names, birthdays, and other information on his website. This is what ultimately led to his arrest and detention.

Nominating Leonard Cohen for a Nobel Prize

CBC Radio, Ideas, November 2016

In the fall of 2013, we broadcast several programs celebrating Paul Kennedy's 15 years as host of IDEAS. Nominating Leonard Cohen for a Nobel Prize was one of the episodes we revisited. This lively open forum was recorded at the 2005 Blue Metropolis Literary Festival in Montreal. Panelists include critic, Ed Palumbo; poet, translator and broadcaster, Michel Garneau; jazz singer, Karen Young; and poet George Elliot Clarke.

Saturday, August 11, 2018

Stratford Year 14

Stratford

We decided to stay at an Airbnb again. Same building as last year, but different owner. We had a mashup of three different babysitters this time, which wasn't very pleasant. And we had a visit from Jana, which was nice. Libby enjoyed trundling around town with us, especially the ice cream.

Thursday evening we saw Ideal Husband at the Avon, which I didn't like at first, but it grew on me and had a strong ending. Friday evening we saw Paradise Lost at the Studio, and it was great, but a little too raw at the end. Saturday morning, I went to a CBC Ideas panel at the Studio. That was lots of fun. They even took one of my questions. Saturday evening we saw The Tempest at the Festival Theatre. It was good, but The Tempest isn't one of my favourites.
