Apptainer Signatures | CIQ Webinar

I had the pleasure of participating in my first CIQ webinar today! Check it out if you'd like to learn a bit about Apptainer's support for cryptographic signatures, using well-established PGP infrastructure and paradigms.

I hope you'll join us for our next session! We're live every Thursday at 11:00 Pacific time, streaming to YouTube and LinkedIn.

Migrating to LDAP PAM Pass Through Auth

The Research Computing authentication path is more complex than I'd like.

  • We start with pam_sss which, of course, authenticates against sssd.

  • Because we have users from multiple home institutions, both internal and external, sssd is configured with multiple domains.

  • Two of our configured domains authenticate against Duo and Active Directory. To support this we run two discrete instances of the Duo authentication proxy, one for each domain.

  • The Duo authentication proxy can present either an LDAP or RADIUS interface. We went with RADIUS. So sssd is configured with auth_provider = proxy, with a discrete pam stack for each domain. This pam stack uses pam_radius to authenticate against the correct Duo authentication proxy.

  • The relevant Duo authentication proxy then performs AD authentication to the relevant authoritative domain and, on success, performs Duo authentication for second factor.

All of this technically works, and has been working for some time. However, we've increasingly been hitting a bug in sssd's proxy authentication provider, which manifests as sssd losing track of how many of its proxy authentication children are actually busy.

The problem

[sssd[be[]]] [dp_attach_req] (0x0400): Number of active DP request: 32

sssd maintains a number of pre-forked children for performing this proxy authentication. This defaults to 10 and is configurable per domain as proxy_max_children. Somewhere in sssd a bug exists that either prevents these children from being reaped properly or fails to decrement the active count when they finish. Once the "Number of active DP request" exceeds proxy_max_children, sssd will no longer perform authentication for the affected domain.

We have reported this issue to Red Hat, but 8 months on and we still don't have a fix. Meanwhile, I'm interested in simplifying our authentication path, hopefully removing the proxy authentication provider from our configuration in the process, and making sssd optional for authentication in our environment.
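As an added illustration (this is not code from the original post or from sssd), the check below scans backend log lines for the counter quoted above and reports, per domain, the peak value, whether it crossed proxy_max_children, the first line where it did, and whether the counter ever decreased in the window, the last being the leak signature described. The sample log lines, the domain names ucb and csu, and the timestamped line prefix are constructed for the example.

```python
import re

# The backend log line quoted above. The domain inside be[...] is empty in the
# page's copy; sssd normally prints the domain name there.
DP_ACTIVE_RE = re.compile(
    r"be\[(?P<domain>[^\]]*)\]+\s+\[dp_attach_req\] \(0x0400\): "
    r"Number of active DP request: (?P<active>\d+)"
)

DEFAULT_PROXY_MAX_CHILDREN = 10  # sssd's default for proxy_max_children


def scan_dp_requests(lines, limits=None, default_limit=DEFAULT_PROXY_MAX_CHILDREN):
    """Follow the 'Number of active DP request' counter per domain.

    limits maps a domain name to its configured proxy_max_children. For each
    domain the result records the peak value seen, whether the peak exceeded
    the limit (the point at which sssd stops authenticating for the domain),
    the first line where that happened, and whether the counter ever
    decreased in the window: a counter that only climbs is the leak signature.
    """
    limits = limits or {}
    state = {}
    for line in lines:
        m = DP_ACTIVE_RE.search(line)
        if not m:
            continue
        domain = m.group("domain") or "<unnamed>"
        active = int(m.group("active"))
        s = state.setdefault(domain, {
            "limit": limits.get(domain, default_limit),
            "peak": 0, "last": None, "exceeded": False,
            "first_exceeded": None, "monotonic": True,
        })
        if s["last"] is not None and active < s["last"]:
            s["monotonic"] = False
        s["last"] = active
        s["peak"] = max(s["peak"], active)
        if active > s["limit"] and not s["exceeded"]:
            s["exceeded"] = True
            s["first_exceeded"] = line.strip()
    return state


def stuck_domains(lines, **kw):
    """Domains whose counter both exceeded proxy_max_children and never drained."""
    return sorted(d for d, s in scan_dp_requests(lines, **kw).items()
                  if s["exceeded"] and s["monotonic"])


# Constructed sample: a healthy domain whose counter rises and falls, and a
# leaking one whose counter only climbs past the default limit of 10.
SAMPLE_LOG = [
    "(2022-05-10 10:03:11): [be[csu]] [dp_attach_req] (0x0400): Number of active DP request: 1",
    "(2022-05-10 10:03:11): [be[csu]] [dp_attach_req] (0x0400): Number of active DP request: 2",
    "(2022-05-10 10:03:12): [be[csu]] [dp_attach_req] (0x0400): Number of active DP request: 1",
] + [
    "[sssd[be[ucb]]] [dp_attach_req] (0x0400): Number of active DP request: %d" % n
    for n in range(1, 13)
]

if __name__ == "__main__":
    for domain, s in scan_dp_requests(SAMPLE_LOG).items():
        print(domain, "peak", s["peak"],
              "EXCEEDED" if s["exceeded"] else "ok",
              "never drained" if s["monotonic"] else "drains")
    print("stuck:", stuck_domains(SAMPLE_LOG))  # stuck: ['ucb']
```

Pass limits={"domain": N} for any domain whose sssd.conf overrides proxy_max_children; the monotonic flag is deliberately strict (one decrease clears it), so run it over a window long enough to cover a quiet period.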

Our solution

We use 389 Directory Server as our local LDAP server. 389 ships with the ability to proxy authentication through PAM. A previous generation of the RC LDAP server used this, but only in a way that supported a single authentication path. With some research and experimentation, however, we have managed to configure our instance with a different proxy authentication path for each of our child domains.

First we simply activate the PAM Pass Through Auth plugin by setting nsslapd-pluginEnabled: on in its existing entry under cn=plugins,cn=config; the directory server has to be restarted for the change to take effect.

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: betxnpreoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamIDMapMethod: RDN
pamIDAttr: uid
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: PAM pass through authentication plugin

The authentication specifics (pamService, pamFilter, and so on) can be set directly on the plugin entry if a single configuration expresses the desired behavior. The plugin also supports multiple simultaneous configurations as child entries beneath it, each with its own distinct RDN; a bind is handled by the first child whose pamFilter matches the bound entry. Two of these settings carry the security weight here: pamSecure: TRUE refuses to proxy a bind that did not arrive over TLS, so the password is never forwarded from a cleartext connection, and pamFallback: FALSE means a failed PAM authentication is not retried against the entry's own userPassword, so a stale directory password cannot bypass Duo.

dn: PAM,cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: pamConfig
objectClass: top
cn: PAM
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamIDMapMethod: RDN ENTRY
pamIDAttr: uid
pamFallback: FALSE
pamSecure: TRUE
pamService: curc-twofactor-duo
pamFilter: (&(objectClass=posixAccount)(!(homeDirectory=/home/*@*)))

dn: PAM,cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: pamConfig
objectClass: top
cn: PAM
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamIDMapMethod: RDN ENTRY
pamIDAttr: uid
pamFallback: FALSE
pamSecure: TRUE
pamService: csu
pamFilter: (&(objectClass=posixAccount)(homeDirectory=/home/*

Our two sets of users are authenticated using different PAM stacks, as before. Only now this proxy authentication is happening within the LDAP server, rather than within sssd. This may seem like a small difference, but there are multiple benefits:

  • The proxy configuration exists, and need only be maintained, within the LDAP server. It does not require every login node to run sssd with a complex, multi-tiered PAM stack.

  • The LDAP "PAM Pass Through Auth" plugin does not have the same bug as the sssd proxy authentication method, bypassing our immediate problem.

  • Applications that do not support PAM authentication, such as XDMoD, Foreman, and Grafana, can now be configured with simple LDAP authentication, and need not know anything of the complexity of authenticating our multiple domains.

For now I'm differentiating our different user types based on the name of their home directory, because it happens to include the relevant domain suffix. In the future we expect to update usernames in the directory to match and would then likely update this configuration to use uid.
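Since a user who matches neither pamFilter is never seen by the plugin at all, and so binds with the directory's own userPassword rather than through Duo, it is worth checking that the filters partition the user base exactly. The script below is an added example, not part of the original post or of 389 Directory Server: a minimal evaluator for the filter subset used here, run over constructed entries. The second filter is assumed to be the complement of the first, since the page's copy of it is cut off, and the sample uids and home directories are invented.

```python
import re


def _parse(filt, i):
    """Recursive-descent parser for the RFC 4515 subset used on this page:
    (&...), (|...), (!...) and attr=value with '*' wildcards. Values may not
    contain ')' (no escape handling)."""
    if filt[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, filt))
    i += 1
    op = filt[i]
    if op in "&|":
        i += 1
        kids = []
        while filt[i] == "(":
            node, i = _parse(filt, i)
            kids.append(node)
        if filt[i] != ")":
            raise ValueError("expected ')' at offset %d in %r" % (i, filt))
        return (op, kids), i + 1
    if op == "!":
        node, i = _parse(filt, i + 1)
        if filt[i] != ")":
            raise ValueError("expected ')' at offset %d in %r" % (i, filt))
        return ("!", node), i + 1
    j = filt.index(")", i)  # ValueError if the filter is truncated
    attr, sep, value = filt[i:j].partition("=")
    if not sep:
        raise ValueError("unsupported filter item %r" % filt[i:j])
    return ("=", attr.lower(), value), j + 1


def parse_filter(text):
    """Parse a complete filter string; a truncated filter raises ValueError."""
    try:
        node, end = _parse(text, 0)
    except IndexError:
        raise ValueError("truncated filter: %r" % text)
    if end != len(text):
        raise ValueError("trailing data after filter: %r" % text[end:])
    return node


def filter_is_valid(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def _matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1], entry)
    _, attr, pattern = node
    # '*' is the only wildcard. Matching is case-insensitive throughout, a
    # simplification of the per-attribute matching rules a real server applies.
    rx = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return any(re.match(rx, v, re.IGNORECASE) for v in entry.get(attr, []))


# The two pamConfig children from the page, keyed by pamService. The second
# pamFilter is cut off in the page's copy and is ASSUMED here to be the
# exact complement of the first.
PAM_CONFIGS = [
    {"pamService": "curc-twofactor-duo",
     "pamFilter": "(&(objectClass=posixAccount)(!(homeDirectory=/home/*@*)))"},
    {"pamService": "csu",
     "pamFilter": "(&(objectClass=posixAccount)(homeDirectory=/home/*@*))"},  # assumed
]

# Deliberately broken variant: without the negation, every user whose home
# directory carries a domain suffix matches both stacks.
OVERLAPPING_CONFIGS = [
    {"pamService": "curc-twofactor-duo", "pamFilter": "(objectClass=posixAccount)"},
    PAM_CONFIGS[1],
]


def matching_services(entry, configs=PAM_CONFIGS):
    """pamService of every config whose pamFilter matches the entry, in order."""
    e = {k.lower(): v for k, v in entry.items()}
    return [c["pamService"] for c in configs if _matches(parse_filter(c["pamFilter"]), e)]


def check_partition(entries, configs=PAM_CONFIGS):
    """Return (unmatched, ambiguous): uids the plugin never sees (their binds
    fall through to plain userPassword authentication) and uids matched by
    more than one config."""
    unmatched, ambiguous = [], []
    for entry in entries:
        uid = {k.lower(): v for k, v in entry.items()}.get("uid", ["?"])[0]
        hits = matching_services(entry, configs)
        if not hits:
            unmatched.append(uid)
        elif len(hits) > 1:
            ambiguous.append(uid)
    return unmatched, ambiguous


# Constructed entries: a UCB user, a CSU user (the domain suffix in the home
# directory is invented), and a service account that is not a posixAccount.
SAMPLE_ENTRIES = [
    {"uid": ["jsmith"], "objectClass": ["top", "posixAccount", "inetOrgPerson"],
     "homeDirectory": ["/home/jsmith"]},
    {"uid": ["jdoe"], "objectClass": ["top", "posixAccount", "inetOrgPerson"],
     "homeDirectory": ["/home/jdoe@colostate.edu"]},
    {"uid": ["svc-grafana"], "objectClass": ["top", "inetOrgPerson"],
     "homeDirectory": ["/nonexistent"]},
]
```

Run check_partition over an export of the People subtree (one dict per entry, attribute name to list of values); any uid in the unmatched list has a password-only path into the directory, and any in the ambiguous list is authenticated by whichever config the plugin happens to evaluate first.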

Cleaning up a few remaining issues

However, when I first tied this back into sssd, I DOS'd our LDAP server.

debug_level = 3

description = CU Boulder Research Computing
id_provider = ldap
auth_provider = ldap
chpass_provider = none

enumerate = false
entry_cache_timeout = 300

ldap_id_use_start_tls = True
ldap_tls_reqcert = allow
ldap_uri = ldap://
ldap_search_base = dc=rc,dc=int,dc=colorado,dc=edu
ldap_user_search_base = ou=UCB,ou=People,dc=rc,dc=int,dc=colorado,dc=edu
ldap_group_search_base = ou=UCB,ou=Groups,dc=rc,dc=int,dc=colorado,dc=edu

One caution on this configuration: ldap_id_use_start_tls = True is what satisfies the plugin's pamSecure: TRUE requirement, since the bind carries a password that the directory forwards on to Duo and AD; but ldap_tls_reqcert = allow lets sssd proceed even when the server certificate is invalid or unverifiable, which removes the protection against an impersonating server. demand is the safer value once the certificate chain is in place.

This seemed simple enough: when I would try to authenticate using this configuration, I would enter my password as usual and then respond to a Duo "push." But the authentication never cleared in sssd, and I would keep receiving Duo pushes until I stopped sssd. This despite the fact that I could authenticate with ldapsearch as expected.

$ ldapsearch -LLL -x -ZZ -D uid=[redacted],ou=UCB,ou=People,dc=rc,dc=int,dc=colorado,dc=edu -W '(uid=[redacted])' dn
Enter LDAP Password:
dn: uid=[redacted],ou=UCB,ou=People,dc=rc,dc=int,dc=colorado,dc=edu

I eventually discovered that sssd has a six-second default timeout for "calls to synchronous LDAP APIs," including BIND. This timeout is entirely reasonable--even generous--for operations that have no manual intervention component. But when a BIND includes the time to send a notification to a phone, unlock the phone, and acknowledge the notification in an app, it is easy to exceed. sssd gives up and tries again, prompting a new push that won't be delivered until the first is addressed; each retry restarts the clock on a push that cannot yet be acknowledged, so the timeouts chain indefinitely.

Thankfully, this timeout is also configurable as ldap_opt_timeout in the relevant sssd domain section. I went with ldap_opt_timeout = 90, which is likely longer than anyone will need.

There is still the matter of the fact that this DOS'd the LDAP server, however. I suspect I had exhausted the number of directory server threads with pending, long-living (due to manual intervention required / timeout) BIND requests.

The number of threads Directory Server uses to handle simultaneous connections affects the performance of the server. For example, if all threads are busy handling time-consuming tasks (such as add operations), new incoming connections are queued until a free thread can process the request.

Red Hat suggests that nsslapd-threadnumber should be 32 for an eight-CPU system like ours, so for now I simply raised it from 16 to that recommendation. If we continue to experience thread exhaustion in real-world use, we can always increase the number of threads again. Raising the thread count only raises the ceiling, though: any client able to attempt binds against these users can hold a thread for as long as a Duo push stays unanswered, which is worth bearing in mind when deciding what can reach the LDAP server.

digging into BeeGFS striping

I did some work today figuring out how BeeGFS actually writes its data to disk. I shudder to think that we’d actually use this knowledge; but I still found it interesting, so I want to share.

First, I created a simple striped file in the rcops allocation.

[root@boss2 rcops]# beegfs-ctl --createfile testfile --numtargets=2 --storagepoolid=2
Operation succeeded.

This file will stripe across two targets (chosen by BeeGFS at random) and is using the default 1M chunksize for the rcops storage pool. You can see this with beegfs-ctl --getentryinfo.

[root@boss2 rcops]# beegfs-ctl --getentryinfo /mnt/beegfs/rcops/testfile --verbose
EntryID: 9-5F7E8E87-1
Metadata buddy group: 1
Current primary metadata node: bmds1 [ID: 1]
Stripe pattern details:
+ Type: RAID0
+ Chunksize: 1M
+ Number of storage targets: desired: 2; actual: 2
+ Storage targets:
  + 826 @ boss1 [ID: 1]
  + 834 @ boss2 [ID: 2]
Chunk path: uF4240/5BED/E/0-5BEDEB51-1/9-5F7E8E87-1
Dentry path: 50/4/0-5BEDEB51-1/

I write an easily-recognized dataset to the file: 1M of A, then 1M of B, and so on.

[root@boss2 rcops]# python -c 'import sys; sys.stdout.write("A"*(1024*1024))' >>testfile
[root@boss2 rcops]# python -c 'import sys; sys.stdout.write("B"*(1024*1024))' >>testfile
[root@boss2 rcops]# python -c 'import sys; sys.stdout.write("C"*(1024*1024))' >>testfile
[root@boss2 rcops]# python -c 'import sys; sys.stdout.write("D"*(1024*1024))' >>testfile

This gives me a 4M file, precisely 1024*1024*4=4194304 bytes.

[root@boss2 rcops]# du --bytes --apparent-size testfile
4194304     testfile

Those two chunk files, as identified by beegfs-ctl --getentryinfo, are at /data/boss207/rcops/storage/chunks/uF4240/5BED/E/0-5BEDEB51-1/9-5F7E8E87-1 and /data/boss106/rcops/chunks/uF4240/5BED/E/0-5BEDEB51-1/9-5F7E8E87-1: the same chunk path under each target’s chunks directory. (boss106/rcops doesn’t have a storage directory as part of an experiment to see how difficult it would be to remove them. I guess we never put it back.) The boss1 target, 826, is first in the list, so that’s where the file starts.

[root@boss1 ~]# dd if=/data/boss106/rcops/chunks/uF4240/5BED/E/0-5BEDEB51-1/9-5F7E8E87-1 bs=1 count=5 status=none

If we skip 1M (1024*1024 bytes) we see that this is exactly where the file changes to C.

[root@boss1 ~]# dd if=/data/boss106/rcops/chunks/uF4240/5BED/E/0-5BEDEB51-1/9-5F7E8E87-1 bs=1 skip=$(((1024 * 1024))) count=5 status=none

We can confirm that the boundary falls precisely there by stepping back a couple of bytes.

[root@boss1 ~]# dd if=/data/boss106/rcops/chunks/uF4240/5BED/E/0-5BEDEB51-1/9-5F7E8E87-1 bs=1 skip=$(((1024 * 1024)-2)) count=5 status=none

Cool. So we’ve found the end of the first chunk (made of A) and the start of the third chunk (made of C). That means the second and fourth chunks are over in 834. Which they are.

[root@boss2 rcops]# dd if=/data/boss207/rcops/storage/chunks/uF4240/5BED/E/0-5BEDEB51-1/9-5F7E8E87-1 bs=1 count=5 status=none
[root@boss2 rcops]# dd if=/data/boss207/rcops/storage/chunks/uF4240/5BED/E/0-5BEDEB51-1/9-5F7E8E87-1 bs=1 count=5 skip=$(((1024*1024-2))) status=none

So, in theory, if we wanted to bypass BeeGFS and re-construct files from their chunks, we could do that. It sounds like a nightmare, but we could do it. In a worst-case scenario.
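The reconstruction the paragraph describes, as an added example (not from the original post or from BeeGFS): the RAID0 layout shown by --getentryinfo reduces to interleaving the targets’ chunk files chunksize bytes at a time in target order, the only subtlety being the short tail chunk when the file size is not a multiple of the chunksize. stripe() reproduces the layout of the page’s 4M A/B/C/D file, reassemble() inverts it, and peek() mirrors the dd checks above; the sample data and the temporary chunk file paths are constructed.

```python
import os
import tempfile

CHUNKSIZE = 1024 * 1024  # the rcops pool default reported by beegfs-ctl --getentryinfo


def stripe(data, ntargets, chunksize=CHUNKSIZE):
    """Lay a file out the way the RAID0 pattern above does: chunk k of the
    file (chunksize bytes, the last one possibly shorter) is appended to the
    chunk file of target k % ntargets. Returns one bytes object per target,
    in the order of the 'Storage targets' list from --getentryinfo."""
    parts = [bytearray() for _ in range(ntargets)]
    for k, off in enumerate(range(0, len(data), chunksize)):
        parts[k % ntargets] += data[off:off + chunksize]
    return [bytes(p) for p in parts]


def reassemble(chunk_files, chunksize=CHUNKSIZE):
    """Inverse of stripe(): walk the targets in order, taking chunksize bytes
    from each in turn, until a target yields a short (or empty) chunk, which
    can only be the file's tail. Later targets never hold more chunks than
    earlier ones, so stopping there loses nothing."""
    if not chunk_files:
        return b""
    out = bytearray()
    offsets = [0] * len(chunk_files)
    while True:
        for t, blob in enumerate(chunk_files):
            piece = blob[offsets[t]:offsets[t] + chunksize]
            out += piece
            offsets[t] += len(piece)
            if len(piece) < chunksize:
                return bytes(out)


def reassemble_from_paths(chunk_paths, chunksize=CHUNKSIZE):
    """Read each target's chunk file (the same relative chunk path under every
    target's chunks directory, as on the page) and reassemble the file."""
    blobs = []
    for path in chunk_paths:
        with open(path, "rb") as f:
            blobs.append(f.read())
    return reassemble(blobs, chunksize)


def peek(blob, skip, count=5):
    """Equivalent of 'dd bs=1 skip=<skip> count=<count>' on a chunk file."""
    return blob[skip:skip + count]


# Constructed sample matching the page: 1M of A, then B, C, D.
SAMPLE = b"".join(bytes([c]) * CHUNKSIZE for c in b"ABCD")

if __name__ == "__main__":
    t826, t834 = stripe(SAMPLE, 2)
    print(peek(t826, 0), peek(t826, CHUNKSIZE - 2))  # b'AAAAA' b'AACCC'
    print(peek(t834, 0), peek(t834, CHUNKSIZE - 2))  # b'BBBBB' b'BBDDD'
    # Round-trip through chunk files on disk, the way a recovery would run.
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for target, blob in (("826", t826), ("834", t834)):
            p = os.path.join(d, target, "9-5F7E8E87-1")  # hypothetical layout
            os.makedirs(os.path.dirname(p))
            with open(p, "wb") as f:
                f.write(blob)
            paths.append(p)
        print(reassemble_from_paths(paths) == SAMPLE)  # True
```

For a real recovery the inputs are the target order and chunksize from --getentryinfo and the chunk path under each target; a mismatch in target order shows up immediately as the wrong byte at the first chunk boundary, which is exactly what the dd checks above verify.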

It’s this kind of transparency and inspectability that still makes me really like BeeGFS, despite everything we’ve been through with it.

Wireguard on Raspberry Pi OS

Recently I fell victim to an attack on a security vulnerability in SaltStack that left much of my homelab infected with cryptominers. When I rebuilt the environment I found myself in the market for a VPN solution.

I have used OpenVPN for a little while, but I found it inconvenient enough to set up and use that I only used it when absolutely necessary to bridge between otherwise private networks.

But I had been hearing good things about WireGuard, so I performed a test deployment. First between two disparate servers. Then on a workstation. Then another. Each time the software deployed easily and remained reliably available, particularly in contrast to the unreliability I had become accustomed to with the Cisco VPN I use for work.

So I came to the last system in my network: a first-generation Raspberry Pi B+. WireGuard isn't available in the Raspberry Pi OS (née Raspbian) repository, but I found articles describing how to install the packages from either Debian backports or unstable. I generally avoid mixing distributions, but I followed the directions as proof of concept.

The base wireguard package installed successfully, and little surprise: it is a DKMS package, after all. However, binaries from wireguard-tools immediately segfaulted. (I expect this is because the CPU in the first-generation B+ isn't supported by Debian: Debian's armhf port targets ARMv7, while the B+'s BCM2835 is ARMv6, which is why Raspberry Pi OS builds its own armhf packages.)

But then I realized that APT makes source repositories as accessible as binary repositories, and compiling my own WireGuard packages on the target itself would worry me less as well:

First add the Debian Buster backports repository, including its signing key. Note that apt-key is deprecated on newer releases, where the key belongs in a keyring file referenced by a signed-by= option in the sources entry instead. (You can verify the key fingerprint at

sudo apt-key adv --keyserver --recv-keys 0x80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE
echo 'deb-src buster-backports main' | sudo tee /etc/apt/sources.list.d/backports.list
sudo apt update

Install the devscripts package (so we can use debuild to build the WireGuard packages) and any build dependencies for WireGuard itself.

sudo apt install devscripts
sudo apt build-dep wireguard

Finally, download, build, and install WireGuard.

apt source wireguard
(cd wireguard-*; debuild -us -uc)
sudo apt install ./wireguard_*.deb ./wireguard-tools_*.deb

At this point you should have a fully functional WireGuard deployment, with working wireguard-tools binaries.

Ōkami | Game Older

Issun must die

Jonathon was finally left with no excuse to not play Ōkami, when Cam joined the crew, Steam library in tow. Like the game, we spend a lot of time hanging out and talking too much.

Media used

  • Ōkami OST

  • "Harushiden," halc,

Games mentioned

  • Ōkami

  • Myst (series)

  • Death Stranding

  • Spyro the Dragon

  • The Witness

  • Viewtiful Joe

  • God Hand

  • Vanquish

  • Metal Gear Rising: Revengeance

  • The Legend of Zelda: Ocarina of Time

  • The Legend of Zelda: Twilight Princess

  • Bayonetta

  • Nier: Automata

  • Snake Pass

  • Crash Bandicoot

  • Katamari Damacy

  • Chibi-Robo!

Other references

sprint backlog - 18 February 2020

Research Computing team goals for the period 18 February - 3 March, 2020. If you have any questions or comments please contact

Intro to Python workshop

Research Computing is presenting its regular Intro to Python course.

RCAMP portal testing framework

The RC Account Management Portal (RCAMP) handles account requests and group membership in the RC environment. In order to help us better update and develop the portal and its dependencies we are rebuilding and enhancing its automated test infrastructure.

Internal training for upcoming CC* hybrid cloud environment

RC is developing a hybrid "cloud" environment with support from the NSF Campus Cyberinfrastructure (CC*) program. Development of this environment is ongoing; but our team is also taking this time to learn more about Amazon EC2 and OpenStack virtual machines in order to better support our users when the platform is ready.

Better staff access to fail2ban on login nodes

RC login nodes are protected from brute-force attacks using fail2ban: if a login node sees a sequence of login failures from the same source, that source is "banned" from all login node access for a period of time. During a training, however, when such authentication failures are common from multiple people in the same room, it is inconvenient to wait for the ban to expire. RC system administrators have the ability to cancel such a ban, but they are not usually present at trainings. To better support this use case, we will be delegating the ability to cancel such bans to the rest of the RC team.

PetaLibrary monthly status reports

A monthly email status report is sent out to PetaLibrary allocation owners and contacts; but this report has fallen out of date, and has not been updated to reflect changes in the PetaLibrary infrastructure. We are updating this reporting script so that all PetaLibrary allocations are reported, irrespective of their deployment location.

Updated MPI in rebuilt Core Software

Our efforts to update our core software stack are ongoing, with our next goal being to install up-to-date Intel MPI and OpenMPI.

RC trainings review

Finally, to better plan future RC trainings and other user support activities, we are reviewing the trainings, office hours, and consults that we've supported in CY2019.

God in your own image

You can safely assume you’ve created God in your own image when it turns out that God hates all the same people you do.

~ Anne Lamott quoting her “priest friend Tom” in Bird by Bird

an open letter to the TED team

Some time back I was talking with church leadership about possible opportunities for me to serve the church, including potential calling to leadership. At the time I insisted that theological differences between myself and the church disqualified me.

I still believe I have important theological differences with the church, even if only in my own questioning and theological formation; but I have felt a weight of consideration ever since, and I believe that the Spirit is provoking me to action. What that means I do not yet know, but I decided that, at the very least, I could formally put my name in for consideration by the church, and leave it to the church, rather than my own preemption, to disqualify me.

After applying I was asked to schedule a 30-minute conversation with the church's trustees, elders, and deacons (TED) team. As part of the conversation, I will be expected to share responses to the following questions:

Please share a brief statement (3-5 minutes) about your faith in Christ and how your personal relationship began and continues.

I have been raised in the church my entire life, my father a Christian Rock Band Jesus Hippie and my mother proselytized by him early in their relationship. I didn't appreciate the full impact of my upbringing until adulthood; but my father always had an earnest heart for God, and my mother a love for everyone around her. I grew up assuming these characteristics, and I am so thankful that they are encoded so deeply in who I am.

As a family we attended a Church of the Nazarene; but I also exclusively attended a small private school, kindergarten through high school, run by a fundamentalist Baptist church, followed by four years at a Nazarene university. Church has been embedded in virtually every aspect of my life for as long as I can remember; and more than that, a pervasively diverse church context means that I have always had to acknowledge and consider different, conflicting, and often opposing views of God and the scripture, even within Christianity.

This much pervasive access to church can make the experience of God somewhat mundane; so it wasn't until somewhere in my teens that I really felt God alive in my life. It's somewhat cliché, but I attended a weekend cursillo retreat run by local Methodist churches as part of The Upper Room ministries. I shouldn't have needed it--I had exactly the same kind of example at home already--but it was there that I first recognized the difference between assumptively "going to church" and living a life that is transformed by the Spirit and oriented toward God. I continued to work (and speak) at the retreat for years after, and my entire family attended successively afterward.

The next notable impact to my faith came as a result of my wife and I living for three and a half years in the Kingdom of Saudi Arabia. Though we were only there professionally, the facts of being a Christian in the nation of Islam cannot be avoided--and why should they? There our understanding of God and Christ was deepened through comparison and contrast with the people around us. We met several strong Christians, largely among the students, and gathered to worship in our homes (eventually our home specifically) every week.

We have worshiped almost exclusively at Presbyterian churches since returning to the States, first at Redeemer Presbyterian in New York and now at First Pres in Boulder, an extension of our existing desire to challenge our own theological background and assumptions through comparison and contrast.

What is currently going on in your life spiritually? What is God teaching you? What growth are you experiencing?

Frankly, this is something going on in my life spiritually: I am trying to be ever more open to the leading of the Spirit, particularly where I habitually resist Him. For example: when we were first asked to open our home to our church in Saudi Arabia, I literally said, "OK; as long as I'm not expected to lead." Of course, it was scarcely a year later that I was preparing scripture readings, selecting songs for us to sing together, and distributing communion, after our previous leaders graduated from their respective academic programs and returned home.

I love theology, and I try to not let my esoteric interests get in the way of ministry and community. Most recently I have been reading the work of David Bentley Hart. I finished his defense of universal salvation "That All Shall Be Saved" and found it a profound challenge to what might be the last vestiges of my fundamentalist assumptions about hell; but I am currently re-reading the New Testament with his defense in mind to better discern my assumptions about scripture from my actual reading of it. After and during that I am also reading his defense of theism: "The Experience of God."

More personally, the Spirit is convicting me regarding how I respond to disagreement in my marriage. I say this here only because my comments so far have been largely academic, and I don't want to imply that the Spirit doesn't affect me more intimately as well; but, while I'm open to discussing such things, I tend to wait for them to be asked explicitly as well.

How did you come to be a part of First Pres? What experiences have you had as a part of our church family? What excites you about the future?

We came to Boulder largely chasing my wife's family (in Greeley) and the church family that we had had in Saudi: themselves largely from the Boulder area. When we surveyed the churches in the area we found mostly a certain type of closed conservatism, a certain type of loose liberalism, or a certain type of seeker congregation: none of these seemed to fulfill our expectations to be challenged toward growth in the faith. But we found First Pres, supported by our previous experiences at Redeemer, and encouraged by what we heard in sermon recordings online. We attended and, in our first services we encountered academic theology (led by Carl); passionate tradition (bagpipes); and earnest community (in coffee with Erik).

We showed up to Family Small Groups without prior arrangement; and, though there was no group for us to join on the spot, our children were cared for and we were told to enjoy the evening together.

At First Pres I feel at home, in a way that I have not felt since I left my childhood church.

How do you seek to discern God's will for you personally? How might you discern God's will in a group setting?

I seek God's will for me personally through prayer and study; but I cannot ignore the transforming work of the Spirit in my life as well. I can scarcely believe my life, and I am excited by the prospect of even deeper relationship with God.

In a group setting, if my self-assessment is accurate, I have a tendency and aptitude for listening to all perspectives and helping to bring parties to at least a common understanding. I consider what is said long after a group meeting, and often follow-up off-cycle to ask questions or assert possibilities. I pray, but more generally I believe that I feel the Spirit leading throughout the day, and I hope that I would be able to discern that leading in a more formal group as well.

Perhaps more technically, I argue. And I hope that that is not understood as argumentative; but I try what I believe to be Truth by presenting it for scrutiny. I am strong in my beliefs, but I am also quick to abandon my own misunderstandings. When I argue, I argue from scripture and (where it is a help and not a distraction) well-established shared belief.

I was also pointed to the Essential Tenets of ECO [1]; and it is here that I am afraid I will have the most trouble. As above, I don't intend to be argumentative; but I also do not want to conceal anything, so I will do my best to enumerate my concerns here.

I want to be clear: I do not begrudge ECO or First Pres these essential tenets. I recognize the importance of common doctrine, and I value the diversity of Christianity as expressed in the diversity among congregations: that diversity does not necessarily need to be expressed within each congregation. Still, First Pres is my home; and if I am to serve here, I have to be honest about what I believe as well.

Regarding "God’s Word: The Authority for Our Confession"

I have serious concerns regarding the common definition of the Word of God. Even today, Carl preached in his sermon that God's word is incarnate, proclaimed, and written; but the essential tenets omit acknowledgement of God's word as proclaimed altogether.

I further fear, and have for many years, that the veneration of the so-called "written Word of God" is a form of idolatry: the Bible serves as an image of God's Word, and its worship (in everything but name) is troubling to me. More strictly, I consider the scripture a testament to the Word of God, not the Word itself (as opposed to Christ, the Word Incarnate.)

I do acknowledge, as Paul taught Timothy, that "All Scripture is breathed out by God and profitable for teaching, for reproof, for correction, and for training in righteousness, that the man of God may be complete, equipped for every good work." But I'll still point out that Paul certainly was not talking about the gospels, the revelation, or much less the epistles (particularly that he was contemporaneously writing), but "the sacred writings" that Timothy had been acquainted with "from childhood." This is not to say that the Christian scriptures are not themselves "Breathed out by God," and I have faith in the work of the Spirit in preserving the Scripture through church tradition and study; but I believe the true nature of the scripture is more complex than is often exhorted in such essential tenets, and the true nature of the Word of God more complex still.

We confess that God alone is Lord of the conscience, but this freedom is for the purpose of allowing us to be subject always and primarily to God’s Word.

We are happy to confess ourselves captive to the Word of God

Perhaps there is some scriptural basis for this imagery that I am missing; but without it I am troubled by this imagery. Life in Christ is denotatively freedom; we are not captives, but heirs, ransomed from sin and death. I do not deny that "the Spirit will never prompt our conscience to conclusions that are at odds with the Scriptures that He has inspired"--perhaps this is an unnecessary complaint; but the heart with which we approach the Word matters to me, and I find it important to recognize that the Spirit changes our desires to be those of God; we are not captive to the Word, but freed by it.

Regarding "secondary authority"

[W]e affirm the secondary authority of the following ECO Confessional Standards as faithful expositions of the Word of God: Nicene Creed, Apostles’ Creed, Heidelberg Catechism, Westminster Confession, Westminster Shorter Catechism, Westminster Larger Catechism and the Theological Declaration of Barmen.

I don't know how I missed this before; but this greatly expands the scope of the so-called "essential" tenets. I have studied some of these; but certainly not all, and I would be loath to assumptively confirm their authority in my theology, or my adherence to them, without further study (and given the differences raised by the primarily-stated essential tenets, I can only expect there would be further differences in a greater body of confessions).

regarding "Trinity and Incarnation: The Two Central Christian Mysteries"

I have strong, fundamental concerns regarding the doctrine of the Trinity.

But first let me be clear: I believe in God, non-contingent, transcendent, Father and creator of all. I believe that Jesus, the Christ, is the incarnate Word of God, one with the Father, in the Father and in whom the Father is. I believe in the Holy Spirit, the paraclete, the helper and advocate, who comes in the name of Christ and is sent by the Father, the Spirit of Christ and, thus, the Father.

But there is a great deal of distance between that and bold claims about God as having a fundamentally "trinitarian" nature. This is not quite idolatry; but it is seeking to define God by our experience of him, where he is more accurately transcendent. God has revealed himself frequently through social terms, but it is eisegesis to read this as emphatically trinitarian. God did not direct Israel, for example, to worship "God the Creator; God the Fire of the Bush; and God the Pillar of Cloud"; but God. And if God did not direct worship to a plurality, but a unity God, then we should not break from that direction.

And what of the Word of God? Surely the Word of God is God, as John proclaimed. But if Christ is one part of a trinity God, then surely the Word is a person of God, existing before "the Word became flesh and dwelt among us." So perhaps the trinity is more accurately "the Father, the Word, and the Spirit"?

But I am particularly troubled by extra-Biblical habits I have observed recently of praying to individual "members of the trinity"; we are to pray to God, the Father, as Christ did and directed us to.

affirmed by all Christians everywhere

This is simply not true: there have been many Christians that have had different interpretations and understandings of the being of Christ. I may not agree with them, but to ignore them is distracting and disingenuous.

like us in having both a human soul and a human body

This anthropology isn't Biblical, so far as I can tell. Maybe it is technically true to say that Christ had a human soul; but this statement does not mean what a western mind will infer from it. God did not make a human body and then put a human soul into it; man became a living soul when God breathed into it. As such, to say that Christ is "like us in every way but sin" but then say that he has a "human soul" is both nonsensical and contradictory.

Regarding "God’s grace in Christ"

Our desires are no longer trustworthy guides to goodness, and what seems natural to us no longer corresponds to God’s design.

I hope that these tenets do not mean to indicate that we who are alive in the Spirit are unable to discern good. "We have received [...] the Spirit who is from God, that we might understand the things freely given us by God. And we impart this in words not taught by human wisdom but taught by the Spirit, interpreting spiritual truths to those who are spiritual." It is the promise of life in the Spirit that our hearts are turned towards the things of God; that our desires are made trustworthy, being those of the Spirit.

Jesus takes our place both in bearing the weight of condemnation against our sin on the cross

I require further study here; but I believe this to be incorrect theology. Christ did not "bear the weight of [presumably God's] condemnation against our sin"; instead, his death paid the ransom to free us from our slavery to death.

Regarding "Election for salvation and service"

I am thankful that ECO does not, at least here, go so far as to proclaim limited atonement an essential tenet. (Perhaps it does implicitly by extension through one of the "secondary" authorities.) But I must say that the language of atonement does not appear, to me, to be concerned with eternal salvation or the church in general, but of specifically the work of the Spirit in Israel in the church age. "Israel failed to obtain what it was seeking. The elect obtained it, but the rest were hardened." But later "a partial hardening has come upon Israel, until the fullness of the Gentiles has come in. And in this way all Israel will be saved."

"just as you were at one time disobedient to God but now have received mercy because of their disobedience, so they too have now been disobedient in order that by the mercy shown to you they also may now receive mercy. For God has consigned all to disobedience, that he may have mercy on all."

Therefore I hold that, at the very least, the concept of election as expressed by Paul does not reflect eternal salvation, or its absence; but the work of God in the lives of some for the age towards an ultimately redemptive purpose for all.

One last thing: Paul explicitly doesn't use the word "elect" to refer to Gentiles; only Israel.

Regarding "Living in obedience to the Word of God"

I note here only to claim this commandment as expressed:

pursue truth, even when such pursuit is costly, and defend truth when it is challenged, recognizing that truth is in order to goodness and that its preservation matters;