Posts by Year


Use a GPG smartcard with Thunderbird. Part 1: setup GnuPG

14 minute read

I use a Free Software Foundation Europe fellowship GPG smartcard for my email encryption and package signing. While FSFE doesn’t provide the smartcard anymore it’s still available at

gpg smartcard readers

I moved to a Thinkpad w541 with coreboot running Debian GNU/Linux and FreeBSD so I needed to set up my email encryption on Thunderbird again.

It took me more time to reconfigure it again - as usual - so I decided to take notes this time and create a blog post about it. As this might be useful for somebody else … or me in the future :-)

The setup is executed on Debian GNU/Linux 12 (bookworm) with the FSFE fellowship GPG smartcard, but the setup for other Linux distributes, FreeBSD or other smartcards is very similar.


Running OpenBSD as an UEFI virtual machine (on a Raspberry Pi)

9 minute read

I started to migrate all the services that I use on my internal network to my Raspberry Pi 4 cluster. I migrated my FreeBSD jails to BastileBSD on a virtual machine running on a Raspberry Pi. See my blog post on how to migrate from ezjail to BastilleBSD.


Running FreeBSD as a virtual machine with UEFI on ARM64 came to the point that it just works. I have to use QEMU with u-boot to get FreeBSD up and running on the Raspberry Pi as a virtual machine with older FreeBSD versions:

But with the latest versions of FreeBSD ( not sure when it started to work, but it works on FreeBSD 14) you can run FreeBSD as a virtual machine on ARM64 with UEFI just like on x86 on GNU/Linux with KVM.

UEFI on KVM is in general provided by the open-source tianocore project.

I didn’t find much information on how to run OpenBSD with UEFI on x86 or ARM64.

OpenBSD 7.4

So I decided to write a blog post about it, in the hope that this information might be useful to somebody else. First I tried to download the OpenBSD 7.4 ISO image and boot it as a virtual machine on KVM (x86). But the iso image failed to boot on a virtual with UEFI enabled. It looks like the ISO image only supports a legacy BIOS.

ARM64 doesn’t support a “legacy BIOS”. The ARM64 download page for OpenBSD 7.4 doesn’t even have an ISO image, but there is an install-<version>.img image available. So I tried to boot this image on one of my Raspberry Pi systems and this worked. I had more trouble getting NetBSD working as a virtual machine on the Raspberry Pi but this might be a topic for another blog post :-)

You’ll find my journey with my installation instructions below.

Back to top ↑


Getting started with GitLab-CE. Part 1: Installation

12 minute read

CI/CD Platform Overview

When you want or need to use CI/CD you have a lot of CI/CD platforms where you can choose from. As with most “tools”, the tool is less important. What (which flow, best practices, security benchmarks, etc) and how you implement it, is what matters.

One of the most commonly used options is Jenkins.

I used and still use Jenkins and created a jenkins build workstation to build software and test in my homelab a couple of years back.


Jenkins started as Hudson at Sun Microsystem(RIP). Hudson is one of the many open-source projects that were started at Sun and killed by Oracle. Jenkins continued as the open-source fork of Hudson.

Jenkins has evolved. If you need to do more complex things you probably end up creating a lot of groovy scripts, nothing wrong with groovy. But as with a lot of discussions about programming, the ecosystem (who is using it, which libraries are available, etc) is important.

Groovy isn’t that commonly used in and known in the system administration ecosystem so this is probably something you need to learn if you’re coming for the system administrator world ( as I do, so I learnt the basics of Groovy this way ).

The other option is to implement CI/CD using the commonly used source hosting platforms; GitHub and GitLab.


Migrate from ezjail to BastilleBSD part 2: Migrate the Jails

6 minute read

How to migrate Jails from ezjail to BastilleBSD


In my previous blog post, I reviewed BastilleBSD. In this post, we go through the required steps to migrate the Jails from ezjail to BastilleBSD.

ezjail test Jail

To test the Jail migration, we’ll first create a test Jail with ezjail. This test Jail will migrate to a BastilleBSD Jail.

Create the test ezjail Jail

We use the ezjail-admin create staftestje001 'vtnet0|<ip>' command to create the test Jail.


Migrate from ezjail to BastilleBSD part 1: BastilleBSD exploration

11 minute read

Introduction to BastilleBSD

What are “containers”?

Chroot, Jails, containers, zones, LXC, Docker

I use FreeBSD on my home network to serve services like email, git, fileserver, etc. For some other services, I use k3s with GNU/Linux application containers.

The FreeBSD services run as Jails. For those who aren’t familiar with FreeBSD Jails. Jails started the whole concept of “containers”.

FreeBSD Jails inspired Sun Microsystems to create Solaris zones.

If you want to know more about the history of FreeBSD Jails, Solaris zones and containers on Un!x systems in general and the challenges to run containers securely I recommend the video;

“Papers We Love: Jails and Solaris Zones by Bryan Cantrill”

Papers We Love: Jails and Solaris Zones by Bryan Cantrill

Sun took containers to the next level with Solaris zones , allowing a fine-grade CPU and memory allocation.

On GNU/Linux LXC was the most popular container framework. …Till Docker came along.

Application vs system containers


Build a 3-node Kubernetes cluster home lab in minutes: The movie.

1 minute read

I use the lightweight Kubernetes K3s on a 3-node Raspberry Pi 4 cluster.

And created a few ansible to provision the virtual machines with cloud image with cloud-init and deploy k3s on it.

I updated the roles below to be compatible with the latest Debian release: Debian 12 bookworm.

I created a movie to demonstrate how you can setup a kubernetes homelab in few minutes.

Deploy k3s on vms

The latest version 1.1.0 is available at:

Have fun!


Ansible roles: qemu_img 2.2.0 & cloud_localds 2.1.1 Released

less than 1 minute read

Time again to make some releases of 2 of the ansible roles I maintain.

This time none of the commits are created by me :-)

Thanks to for your contributions!

Have fun!

qemu_img 2.2.0

stafwag.qemu_img 2.2.0 is available at:




Build a 3-node Kubernetes cluster home lab in 5 minutes (*)

1 minute read

Tux with pi's

I use the lightweight Kubernetes K3s on a 3-node Raspberry Pi 4 cluster. I wrote a few blog posts on how the Raspberry Pi’s are installed.

I run K3s on virtual machines.

Why virtual machines?

Virtual makes it easier to redeploy or to bring a system down and up if your want to test something.

Another reason is that I also run FreeBSD virtual machines on the Raspberry Pis.

I use Debian GNU/Linux as the Operating system with KVM/libvirt as the hypervisor.

I use Ansible to set up the cluster in an automated way. Got finality the time to clean up the code a bit and release it on Github:


Ansible role: delegated_vm_install 1.1.0 released

4 minute read


I use KVM and cloud-init to provision virtual machines on my home network. I migrated all my services to Raspberry PIs running GNU/Linux and FreeBSD to save power.

I first wanted to use terraform, but the libvirt terraform provider wasn’t compatible with arm64 (at least at that time).

So I started to create a few ansible roles to provision the virtual machines.

delegated_vm_install is a wrapper around these roles to provision the virtual machine in a delegated way. It allows you to specify the Linux/libvirt KVM host as part of the virtual machine definition.


delegated_vm_install 1.1.0

  • update_ssh_known_hosts directive added
    • update_ssh_known_hosts directive added to allow to update the ssh host key after the virtual machine is installed.
    • Documentation updated
    • Debug code added

Have fun!

Back to top ↑


Create a custom ArchLinux boot image with linux-lts and OpenZFS support

2 minute read


I use ArchLinux on my desktop workstation. For the root filesystem, I use btrfs with luks disk encryption and wrote a blog post about it.

My important data is on OpenZFS.

I’ll migrate my desktop to ArchLinux with OpenZFS in RAIDZ configuration as the root filesystem.

To make installation easier I decide to create a custom ArchLinux boot image with linux-lts and OpenZFS support.

You’ll find my journey to create the boot iso below. All action are execute on a ArchLinux host system (already using OpenZFS)


Ansible role: delegated_vm_install 1.0.0 released

3 minute read


I use KVM and cloud-init to provision virtual machines on my home network and wrote a few articles about it.

on my blog on how to use cloud images with cloud-init on a “non-cloud” environment.

I created an Ansible role: ansible-role-virt_install_vm for it.

This role works great, but I wanted to have the possibility to provision the virtual machine in a delegated way.

For this reason I create the ansible role delegated_vm_install.

Delegated_vm_install 1.0.0 is available at:

Have fun!


Debian bullseye on the RPI 4: golden image

9 minute read


In my last blog post, we set up Debian bullseye with full disk encryption on a Raspberry PI 4.

I use 3 three Raspberry PI’s to run K3s and a few FreeBSD virtual machines. For the FreeBSD virtual machines I still use QEMU:, I still need to test if we can use KVM/libvirt with the UEFI improvements in FreeBSD 13.1. But that might be another blog post :-)

As need I the same installation at least three times, I decided to create a “golden image” with the most important tools.


Debian bullseye on the RPI 4 with full disk encryption.

19 minute read

Updated @ Sun Jul 17 07:51:58 PM CEST 2022: Added blkid section UUID cryptroot. Changed dropbear port to 2222.


I use a few Raspberry PI’s 4 to run virtual machines and k3s.

I was using the Manjaro Linux with full disk encryption but I’ll switch to Debian GNU/Linux, the main reason is that libvirt is currently broken on archlinuxarm.

You’ll find my journey to get Debian GNU/Linux bullseye up and running on the Raspberry PI with full disk encryption below.


How to install coreboot on a Lenovo x230

9 minute read


I already use coreboot on my Lenovo W500 with FreeBSD. I bought a Lenovo x230 for a nice price I decide to install coreboot on it. After reading a lot of online documentation. I decided to install the skulls coreboot distribution on it. The skulls project has nice documentation on how to install it.

To replace the BIOS with coreboot you will need to disassemble the laptop and use a clip on the BIOS chip to install it.

Back to top ↑


Ansible role: package_update v2.0.2

1 minute read


Keeping your software up-to-date is an important task in System Administration. Not only for security reasons but also to roll out bug fixes to your systems.

As always we should try to automate this process as much as possible.

Ansible has a package module to install packages in a generic way. It supports most Un*x platforms (GNU/Linux, BSD, …). But it doesn’t allow you to update all packages.

For this reason, I created an Ansible role: package update.

Package update enables you to update all packages on most Linux distributions and the BSD operating systems. It can also update the running jails on FreeBSD.

Version 2.0.2 is available at

Version 2.0.2:


  • Always update the apt cache on Debian based distributions.

Have fun!


Use unbound as an DNS-over-TLS resolver and authoritative dns server v2.0.0

4 minute read


In previous blog posts, I described howto setup stubby as a DNS-over-TLS resolver. I used stubby on my laptop(s) and unbound on my internal network.

I migrated to unbound last year and created a docker container for it. Unbound is a popular DNS resolver, it’s less known that you can also use it as an authoritative DNS server.

This work was based on Debian Buster, I migrated the container to Debian Bullseye reorganize it a bit to make it easier to store the zones configuration outside the container like a configmap or persistent volume on Kubernetes.

Version 2.0.0 is available at

Version 2.0.0:


  • Updated the base image to debian:bullseye.
  • Updated to be able to run outside the container.
  • Removed the zones.conf generation from the entrypoint
  • Start the container as the unbound user
  • Updated to logging.conf
  • Set the pidfile /tmp/
  • Added remote-control.conf
  • Updated the documentation


Ansible role: virt_install_vm 1.0.0 released

2 minute read


I wrote a few articles:

on my blog on how to use cloud images with cloud-init on a “non-cloud” environment.

I finally took the time to create an Ansible role for it. You’ll find the below.

Virt_install_vm 1.0.0 is available at:

Have fun!


Manjaro on the RPI4 with full disk encryption and remote unlock

13 minute read

pi cluster

Last year I got a raspberry pi 4 to play with and installed Manjaro on it.

The main reason I went with Manjaro was that the ArchLinux Arm image/tgz for the Raspberry Pi 4 was still 32 bits, or you needed to create-your-own kernel.

But started to like Manjaro Linux, it provided a stable base with regular updates. This year I upgraded my setup with 2 additional Raspberry Pi 4 to provide clustering for my k3s (Kubernetes) setup. I used virtual machines on the Raspberry Pi to host the k3s nodes. Also because want to the Pi for other tasks and virtual machines makes it easier to split the resources. It’s also an “abstraction layer” if you want to combine the cluster with other ARM64 systems in the future.

I always (try to) to full disk encryption, when you have multiple nodes it’s important to be able to unlock the encryption remotely.


Update your bootloader on FreeBSD 13 when you upgrade your zroot pool…

2 minute read

boot failed

One of the nice new features of FreeBSD 13 is OpenZFS 2.0. OpenZFS 2.0 comes with zstd compression support. Zstd compression can have compression ratios similar to gzip with less CPU usage.

For my backups, I copy the most import data - /etc/, /home, … - first locally to a ZFS dataset. This data gets synced to a backup server. This local ZFS dataset was compressed with gzip, after upgrading the zroot pool and setting zstd as the compress method. FreeBSD failed to boot with the error message:

ZFS: unsupported feature: org.freebsd:zstd
ZFS: pool zroot is not supported
gptzfsboot: failed to mount default pool zroot

As this might help people with the same issue, I decided to create a blog post about it.


How to run a FreeBSD Virtual Machine on the RPI4 with QEMU. Part 2: Network, Install from cdrom, startup

10 minute read

rpi4 with disk

In my last blog post, we set up a FreeBSD virtual machine with QEMU. I switched from the EDK2 (UEFI) firmware to U-boot, the EDK2 firmware had issues with multiple CPU’s in the virtual machines.

In this blog post, we’ll continue with the Network setup, install the virtual machine from a CDROM image and how to start the virtual machine during the PI start-up.


How to run a FreeBSD Virtual Machine on the RPI4 with QEMU. Part 1: QEMU setup

2 minute read


I got a Raspberry PI 4 a couple of months back and started it use it to run virtual machines.

This works great for GNU/Linux distributions but FreeBSD as a virtual machine didn’t work for me. When I tried to install FreeBSD or import a virtual machine image, FreeBSD wasn’t able to mount the root filesystem and ended with an “error 19”.

On the FreeBSD wiki, there are a few articles on how to use ARM64 FreeBSD with QEMU directly.

You find my journey of getting a FreeBSD Virtual Machine below.

I use Manjaro on my Raspberry PI, but the same setup will work with other GNU/Linux distributions.


OpenVAS on Kali GNU/Linux Part 1: How to install OpenVAS

6 minute read


OpenVAS is an opensource security scanner it started as a fork of Nessus which went from an opensource project to a closed source scanner.

I always prefer opensource software, for security tools, I even prefer it more… It nice to see/audit where the security data comes from, instead of the “magic” that is used by the close source software.

To scan for missing patches on your systems there are faster/better tools available that can be integrated into your build pipeline more easily. But OpenVAS is still a very nice network security scanner. Relying on one security tool is also not a “best security practice”.

Kali GNU/Linux has become the default Linux distribution for security auditing pen testing, it’s nice to have OpenVAS installed on your Kali GNU/Linux setup. If you just want to have OpenVAS available there is also a (virtual) appliance available from the OpenVAS developers ( Greenbone ).

You’ll find my journey to install OpenVAS on Kali GNU/Linux.


Best wishes 2021!

less than 1 minute read


$ sudo -i
# find / -name "*covid*" -exec rm -rf {} \;
# find / -name "*corona*" -exec rm -rf {} \;
# pkill -9 covid19
# pkill -9 corona
# reboot

Have fun!

Back to top ↑


32 bits (still) matters!

6 minute read

updated @ Mon Nov 16 08:16:30 PM CET 2020: Corrected the version when OPNsense dropped 32 bits support.

FreeBSD on alix

I used OPNsense on my pcengines Alix 2d13 firewall.

The Alix 2d13 is a nice motherboard with a Geode CPU 32 bits x86 CPU.

I migrated to OPNsense after pfSense dropped support for 32 bits. Unfortunately, OPNsense also dropped support for 32 bits CPUs in the 19.1.7 release 20.7 release. I decided to install FreeBSD on my Alix to use it as my firewall.

To make it possible to reinstall my Alix firewall, I installed FreeBSD on my Raspberry Pi 2 to use it as my firewall during the installation of FreeBSD on my Alix.

You’ll find my journey to install FreeBSD my an Alix firewall below.


Use a raspberry-pi 2 as a firewall with FreeBSD

10 minute read

Updated @ Mon Nov 16 08:16:30 PM CET 2020: Corrected the version when OPNsense dropped 32 bits support.


I was using OPNsense on my pcengines alix firewall and was quite happy with it.

The alix 2d13 is a nice motherboard with a Geode CPU, it has a 32 bits x86 instruction set. I migrated to OPNsense from pfSense when pfSense dropped 32 bits support.

Unfortunately, OPNsense also dropped support for 32 bits CPU’s in the 19.1.7 release 20.7 release. I decided to install FreeBSD on the alix to use it as my firewall. But I need a temporary firewall solution so I can install FreeBSD on my alix board. I have a Raspberry PI 2 that I wasn’t using.

You’ll find my journey to use my RPI2 as my firewall below.


Open Hardware PowerPC notebook

less than 1 minute read

PowerPC Notebook

powerpc noetbook

I prefer RISC as a CPU architecture over CISC. RISC is a simpler design that should deliver more CPU performance with fewer transistors and is more power-efficient. We have to recognize that Intel and AMD have made great progress in increasing the performance and efficiency of the x86 CISC architecture.

But the x86 architecture comes with a FreeDOM cost, Intel has the Intel Management Engine and closed Proprietary software is required to initialize the components. The same can be said about AMD; AMD has the AMD Platform Security Processor and binary blobs are required.

Power is currently the most powerful alternative that doesn’t require binary blobs; this is not only great for free/open source activists. A truly open-source firmware that can be reviewed / audited is also for nice security reasons.


Keep zfs running on the Raspberry PI

less than 1 minute read

I got a Raspberry PI 4 to play with and installed Manjaro GNU/Linux on it.

I use OpenZFS on my PI. The latest kernel update broke zfs on my PI due to a License conflict, the solution is to disable PREEMPT in the kernel config. This BUG was already resolved with OpenZFS with the main Linux kernel tree at least on X86_64/AMD64, not sure why the kernel on the raspberry pi is still affected.

I was looking for an excuse to build a custom kernel for my Pi anyway :-). I cloned the default manjaro RPI4 kernel and disabled PREEMPT in the kernel config.

The package is available at: This package also doesn’t update /boot/config.txt and /boot/cmdline.txt to not overwrite custom settings.

Have fun!


Howto use cloud images on the Raspberry PI 4

7 minute read

I got a Raspberry PI 4 to play with and installed Manjaro GNU/Linux on it.

I wanted to verify how usable the latest PI is for desktop and home server usage.

  • For desktop usage, it is “usable”.

    For video playback in the browser, I recommend disabling 60fps ( and keep the video playback to 720p. Please note that if you want to use it for Netflix you will need Widevine for the DRM content. As far as I know, there isn’t an ARM64 version available. An ARM32 version exists but I didn’t try (yet).

  • For (home) server usage ARM64 or AArch64 is getting more usable.

    Cloud providers are also offering ARM64 based systems. A container-based workload - like Docker, LXC, FreeBSD jails etc - is probably better suited for a small device like the Raspberry PI. Virtual machines are still important for server usage so let see how the PI4 can handle it.

Most GNU/Linux distributions RedHat, Centos, Ubuntu, Debian are offering cloud images for ARM64. To configure these images you’ll need cloud-init.

I already wrote a blog post on howto cloud-init for KVM/libvirt on GNU/Linux: Howto use centos cloud images with cloud-init on KVM/libvirtd. Let see if we can get it working on ARM64.


Manjaro on the RPI4 with full disk encryption

13 minute read

The Raspberry PI has become more and more powerful in the recent years, maybe too powerful to be a “maker board”. The higher CPU power and availability of more memory - up to 8GB - makes it more suitable for home server usage.

The latest firmware (EEPROM) enables booting from a USB device. To enable USB boot the EEPROM on the raspberry needs to be updated to the latest version and the bootloader that comes with the operating system - the start*.elf, etc files on the boot filesystem - needs to support it.

I always try to use filesystem encryption. You’ll find my journey to install GNU/Linux on an encrypted filesystem below.

64 Bits operating systems

The Raspberry PI 4 has a 64 bits CPU, the default operating system - Raspberry Pi OS (previously called Raspbian) - for the Rasberry PI is still 32 bits to take full advantage of the 64bits CPU a 64 bits operating system is required.

You’ll find an overview GNU/Linux distributions for RPI4 below.


Using SmartCardHsm with GnuPG

4 minute read


When you want to store your GnuPG private key(s) on a smartcard, you have a few options like the Yubikey, NitroKey GPG compatible cards, or the OpenPGP. The advantage of these cards is that they support GnuPG directly. The disadvantage is that they can only store 1 or a few keys.

Another option is SmartCardHSM, NitroKey HSM is based on SmartCardHsm and should be compatible. The newer versions support 4k RSA encryption keys and can store up 19 RSA 4k keys. The older version is limited to 2k RSA keys. I still have the older version. The advantage is that you can store multiple keys on the card. To use it for GPG encryption you’ll need to set up a gpg-agent with gnupg-pkcs11-scd.


Setup a certificate authority with SmartCardHSM

13 minute read

SmartCardHSM on Kali In this blog post, we will set up a CA authority with SmartCardHSM.

When you to create internal certificate authority for internal services it’s important to protect the private key. When somebody with bad intentions gets access to the private key(s) of the signing certificate authorities, it can be used to issue new certificates. This would enable the man in the middle attacks.


Lookat 2.0.1 released

less than 1 minute read

lookat 2.0.1

“lookat” (or “bekijk” in Dutch) is a program to view text files and manual pages. It is designed to be more user-friendly than more conventional text viewers such as less. And supports colored manpages.

Lookat 2.0.1 is the latest stable release of Lookat/Bekijk.


  • BUGFIX: corrected screen refresh code. To handle non-utf8 terminals correctly.
  • BUGFIX: ensure that menus are initialized before using them.
  • BUGFIX: corrected type menu handling.
  • BUGFIX: failed to open type enabled extentions from the commandline.


Use unbound as an DNS-over-TLS resolver and authoritative dns server

2 minute read


In previous blog posts, I described howto setup stubby as an DNS-over-TLS resolver. I used stubby on my laptop(s) and unbound on my internal network.

But I’m migrating away from stubby in favour of unbound.

Unbound is a popular DNS resolver, it’s less known that you can also use it as an authoritative DNS server.

I created a docker container that can serve both purposes, although you can use the same logic without docker.

It’s available at


CGIpaf at GNU Savannah

less than 1 minute read

GNU Savannah

The CGIpaf project has a new home at GNU savannah:

The source code was - and is still also hosted - on GitHub.

There are a few reasons for the move;

  • I was looking for an easy way to store binary releases. Binary releases aren’t supported by GitHub. There might be a solution for this at GitLab but scp to upload a release is more convenient.
  • GitHub is becoming too dominant.
  • I prefer a solution that is based on Free Software.
  • I was already using GNU savannah for another project lookat.

Have fun


Lookat 2.0.0 released

less than 1 minute read

lookat 2.0.0

Lookat 2.0.0 is the latest stable release of Lookat/Bekijk the userfriendly file browser/viewer.


  • utf8 support
  • default color scheme has been updated
  • improved error handeling
  • Macos 10.7+ support

Back to top ↑


Migrate from octopress to jekyll

2 minute read

octopress_logo I migrated my blog from Octopress to Jekyll. The primary reason is that octopress isn’t maintained any more. I’m sure its great theme will live on in a lot of projects.

I like static webpage creators, they allow you to create nice websites without the need to have any code on the remote website. Anything that runs code has the possibility to be cracked, having a static website limit the attack vectors. You still need to protect the upload of the website and the system(s) that hosts your site of course.


OPNsense upgrade failed: Out of inodes

7 minute read

opnsense with no inodes

I use OPNsense as my firewall on a Pcengines Alix.

The primary reason is to have a firewall that will be always up-to-update, unlike most commercial customer grade firewalls that are only supported for a few years. Having a firewall that runs opensource software - it’s based on FreeBSD - also make it easier to review and to verify that there are no back doors.

When I tried to upgrade it to the latest release - 19.1.7 - the upgrade failed because the filesystem ran out of inodes. There is already a topic about this at the OPNsense forum and a fix available for the upcoming nano OPNsense images.


Building Your Own Docker Base Images (Part 3: Yum)

3 minute read


In my previous two posts (1, 2 ), we created Docker Debian and Arch-based images from scratch for the i386 architecture.

In this blog post - last one in this series - we’ll do the same for yum based distributions like CentOS and Fedora.

Building your own Docker base images isn’t difficult and let you trust your distribution Gpg signing keys instead of the docker hub. As explained in the first blog post. The mkimage scripts in the contrib directory of the Moby project git repository is a good place to start if you want to build own docker images.


Building your own docker images (Part2: Arch GNU/Linux & Co)

2 minute read

In my previous post, we started with creating Debian based docker images from scratch for the i386 architecture.

In this blog post, we’ll create Arch GNU/Linux based images.

Arch GNU/Linux

Arch Linux stopped supporting i386 systems. When you want to run Archlinux on an i386 system there is a community maintained Archlinux32 project and the Free software version Parabola GNU/Linux-libre.

For the arm architecture, there is Archlinux Arm project that I used.


Howto use centos cloud images with cloud-init on KVM/libvirtd

6 minute read

Images versus unattended setup


Unattended setup

In a traditional environment, systems are installed from a CDROM. The configuration is executed by the system administrator through the installer. This soon becomes a borning and unpractical task when we need to set up a lot of systems also it is important that systems are configured in same - and hopefully correct - way.

In a traditional environment, this can be automated by booting via BOOTP/PXE boot and configured is by a system that “feeds” the installer. Examples are:


How to install libreboot on a ThinkPad W500

12 minute read

w500 and pi

I got a Lenovo Thinkpad W500 from for a nice price.

Actually, I got it a couple of months back but I didn’t have time to play with it and it took some time to get some parts from Aliexpress.

The Thinkpad W500 is probably the most powerful system that is compatible with Libreboot, it has a nice high-resolution display with a 1920 x 1200 resolution which is even a higher screen resolution than the Full HD resolution used on most new laptops today.


Keep in mind that the core duo CPU does not get microcode updates from Intel for [spectre and meltdown]( There is no solution (currently) for spectre 3a - Rogue System Register Read - CVE-2018-3640 and Spectre 4 - Speculative Store Bypass CVE-2018-3639 without a microcode update.

Binary blobs are bad. Having a closed source binary-only piece of software on your system is not only unacceptable for Free Software activists it also makes it more difficult to review what it really does and makes it more difficult to review it for security concerns.

Having your system vulnerable is also a bad thing of course. Can’t wait to get a computer system with an open CPU architecture like RISC-V.



Setting up OpenStack-Ansible All-In-One on a Centos 7 system

6 minute read


Openstack is a nice platform to deploy an Infrastructure as a service and is a collection of projects but it can be a bit difficult to setup. The documentation is really great if you want to setup openstack by hand and there are a few openstack distributions that makes it easier to install it.

Ansible is a very nice tool for system automatisation and is one that’s easier to learn.


Wouldn’t be nice if we could make the openstack installation easier with ansible? That’s exactly what Openstack-Ansible does.

In this blog post we’ll setup “an all-in-one” openstack installation on Centos 7. The installer will install openstack into lxc containers and it’s nice way to learn how openstack works and how to operate it.


Back to top ↑


DNS Privacy with Stubby (Part 1 GNU/Linux)

9 minute read

** Installing and configuring an encrypted dns server is straightforward, there is no reason to use an unencrypted dns service. **

DNS is not secure or private

DNS traffic is insecure and runs over UDP port 53 (TCP for zone transfers ) unecrypted by default.

This make your unencrypted DNS traffic a privacy risk and a security risk:

  • anyone that is able to sniff your network traffic can collect a lot information from your leaking DNS traffic.
  • with a DNS spoofing attack an attacker can trick you let go to malicious website or try to intercept your email traffic.

Encrypt your dns traffic

Encrypting your network traffic is always a good idea for privacy and security reasons - ** we encrypt, because we can! ** - . More information about dns privacy can be found at

On this site you’ll find also the DNS Privacy Daemon - Stubby that let’s you send your DNS request over TLS to an alternative DNS provider. You should use a DNS provider that you trust and has a no logging policy. quad9, cloudflare and google dns are well-known alternative dns providers. At you can find a few other options.

You’ll find my journey to setup Stubby on a few operation systems I use (or I’m force to use) below …



Migrate a windows vmware virtual machine to Linux KVM

6 minute read

Linux KVM is getting more and more useable for desktop virtualization thanks to the the virtio and QXL/SPICE drivers.

Most Linux distributes have the virtio & QXL drivers you might need to install the spice-vdagent.

On Windows you can download and install the virtio and QXL drivers.

Using the virtio drivers will improve your guest system performance and your virtualization experience.


32 bits matters!

1 minute read


pfsense 2.3

My firewall is a pcengines alix.

It was running pfsense and was quite happy about it. Pfsense dropped support for 32 bits in their pfsense 2.4 release.

This would left me with a unsupported firewall which was one of the reasons to use pfsense instead of a closed source commercial router.

I could have moved to a new firewall like the pcengines apu but there is no reason to replace hardware that works fine.

The nice thing about opensource software is that we’ve options to choose from if software doesn’t match your usecase we’ve other options to choose from.



How to start DLM monitoring on a VDSL line in Belgium

less than 1 minute read

In Belgium/Flanders we have two main internet line providers;

  • telenet the cablenet network provider.
  • proximus is the telephone network provider.

On telephone network there are alternative internet providers but they use the network of proximus.

I switched my internet connection from ADSL to VDSL and switched to a new provider ( edpnet). The internet speed was below the expectations and my modem reported errors on the line. After fixing the internal phone cabbeling in my appartment I wanted the retrigger the DLM monitoring.

The process is explained in the this post at

To start the DLM monitoring in Belgium you need to call 0800 22 424 and type in your line number. If you don’t have a proximus phone number the line number is not the same as your phone number. To get your line number you need to connect an analog phone to our line and call 1924 this will read aloud your line number.

** Have fun **


High screen resolution on a KVM virtual machine with QXL

4 minute read

When you create an new virtual KVM virtual system the video ram is limited to 16MB by default to use a higer screen resolution you need to increase the video ram. The available resolution reported by the virtual screen may also not include the resolution that you want to utilize.

You’ll find my journey to enable higher screen resolutions in my KVM (qemu) virtual systems below.


Postfix smarthost with authentication

1 minute read


I used the relay host of my internet provider but this was causing issues since my email was getting mark as SPAM in gmail.
It was already on my to-do list to move my outgoing mail to my mail provider also to make it easier to move to another ISP or to implement SPF but was not on the top of my to-do list.
My email provider requires authentication, so I needed to reconfigure postfix in my FreeBSD mail jail to use a relay host with authentication.


Update your CPU microcode on Arch Linux

10 minute read

Meltdown & spectre

With Meldown, Spectre Variant 1 and Spectre Variant 2 out in the wild there is a lot of confusing going about updating microcode.

There is a “Spectre & Meltdown Checker” available at

Usage is very easy just clone the git repository and run the script.


Microcode isn’t uploaded to the CPU but loaded during the boot strap of the CPU. Normally the BIOS upload the microcode to the CPU but this can also be done by the by the bootloader, or the operating system kernel.

Back to top ↑


model-m tux update…

less than 1 minute read


I own a Unicomp model-m keyboard. The keyboard has a nice key feel but it has windows super key(s).

I don’t use super key(s), and would prefer to have a keyboard without it. But when it has super keys I’d rather have it without the windows logo on it so it was time to replace them with the tux version


20 core Dual Processor jenkins build workstation

1 minute read


My jenkins builds are taking too long mainly due the lack of memory. I mainly use jenkins to verify that my software work on different operation systems (GNU/Linux distributions / *BSD / Solaris).

Looking for a solution that is still affordable I ended up with building a dual Xeon workstation. CPU and memory comes from



Bacula on FreeBSD (part 2 Bacula Catalog over SSL )

25 minute read


In my previous post, I setup on my PostgresSQL FreeBSD jail, In this post we continue with the bacaula server.

In this post we will continue with the database connection (Catalog) we’ll go the extra mile 1,609344 km and encrypt the catalog connection with ssl. Why? We encrypt.. because we can!

Bacula Components

  • Bacula Director
    The Bacula Director is daemon that runs in the backgroud that control all backup operations.

  • Bacula Console
    The Bacula console is an administrator program that allows an system administrator to control the Bacula director.

  • Bacula File
    The Bacula File is a backup client install on the backup client.

  • Bacula Storage
    The backup media.

  • Catalog
    The Catalog is the index of the backups. Bacula supports three types of index databases mySQL ( mariaDB), PostgreSQL and SQLite

  • Bacula monitor
    A Bacula monitor service is a program that allows the system administrator to cerify the status of the bacula Directors, Bacula File Daemons and Bacula Storage Daemons.

Bacula Server


Bacula on FreeBSD (part 1 PostgresSQL in a jail)

9 minute read

I do take backups; my current solution are couple of shell script wrapper around dump/zfs send/btrfs send/rsync which is a mess. So decided give bacula a try

I use ezjail to manage my FreeBSD jails. PostgresSQL is my favorite database and will use this database as the backend for bacula and will use this database as the backend for bacula. I want to move all my databases to 1 FreeBSD jail this should make the easier to create reliable database backup in the further. For this reason we’ll setup 2 FreeBSD jails 1 for the database and 1 for bacula.

You’ll find my journey of installing PostgreSQL on a FreeBSD jail. In another blog post we will continue with the installation of bacula.


Install Parabola GNU/Linux on an Encrypted btrfs logical volume

14 minute read


I finally found time to complete the installation of my Libreboot laptop

I decided to give Parabola GNU/Linux a try as my daily driver to get a fully Free Software Laptop/tablet.

Download the Parabola GNU/Linux iso and boot it

After Parabola GNU/Linux is booted verify that you have internet access if the network card is support and dhcp is enabled on you network you should get a network address.


How to install libreboot on a ThinkPad X60

13 minute read

I got a ThinkPad x60 (tablet version) from to install libreboot on it.
I tried to compile libreboot on Debian and Parabola GNU/Linux but both failed, compling Libreboot on Trisquel 7 works fine so I’ll use Trisquel to replace the BIOS with libreboot.
I’m not sure that I’ll use Trisquel 7 as my daily driver since it is a bit outdated… I might go with Debian Strech without the non-free repositories to get a fully Free Software Laptop/tablet. I’ll need to replace the Intel wifi adapter since this requires non-free firmware.
You’ll find a small howto install libreboot on a Thinkpad X60 below.


Build Libreboot

The latest version of libreboot isn’t available via a binary distribution so I decided to build it from source.

Back to top ↑


Install Arch on an encrypted btrfs partition

13 minute read


I’m preparing to move my workstation to arch linux Before I’ll install it on my physical workstation I did the installation on a virtual machine. I’ll use btrfs as the filesystem during the installation. btrfs is a nice filesystem but it had some serious dataloss issue with RAID5/RAID6 recently.

btrfs might not stable enough for a production environment but it has some nice features like snapshots, send/recieve, compression etc. I use zfs for my important date anyway.


Thunderbird: Importing s/mime certificate failed

3 minute read


On you get a list of free s/mime certificate.

I ordered a free 30 days certificate at globalsign:

The import of the pkcs12 failed in Thunderbird with the message: “The PKCS #12 operation failed for unknown reasons.”

Searching the internet didn’t provide a solution. To debug this issue I started to extract the private / certificate from the pkcs12 file provided by globalsign and creating a new one.

To execute this command I use an encrypted luks volume.

Create a new pkcs12 file

Back to top ↑


Lookat 1.4.4 released

less than 1 minute read

Lookat 1.4.4 is the latest stable release of Lookat/Bekijk the userfriendly file browser/viewer.


Running Docker on ARM

22 minute read


I own an odroid u3 that I used for my media center with xbmc while I like the performance of the Exynos4412 CPU but the drivers for the Mali GPU aren’t opensource.

I like ARM but unfortunatelly a lot of the ARM soc’s have no opensource drivers for the GPU

The manufacturer of the odroid u3 - hardkernel - provides ubuntu 14.04 images with xbmc and mali support. It isn’t possible to get the newer of version of xbmc - now kodi - running, or I didn’t succeed withit. I’ll look for another solution for my media server needs this might be my raspberry pi 1 model B+ that is laying around doing nothing running openelec


Like I said I like the performance of the ordoid U3 that why I installed archLinuxArm to play with Docker. I could have sticked with Ubuntu 14.04 but with Arch Linux I get more up-to-date software.

The installion was pretty straightforward even the docker installation was the same as on a x86 platform.

Since we are using docker on arm we have to build our own docker base images instead of using the docker registery. I have security concerns about installtion and using unsigned non-verified software anyway. If you build your own image it possible to audit/verify the build process.


Rataplan becomes a watchdog

less than 1 minute read

My NAS runs on FreeBSD I’m quiet happy with it. It’s named after the dog rataplan from the Lucky Luke comic

However transferring large data files to it causes the network to hang. The realtek network interface had issues with freebsd from the beginning. On the screen and in syslog the entry “re0: watchdog timeout” is printed.

Most FreeBSD people recommends to use Intel nics, I ordered a new Intel nic at After the installation of the new NIC the network seems to be stable again.


Openvas 7: adding credentials failed

less than 1 minute read

I’m creating a new openvas 7 system running centos 7 as a KVM instance.

The installation went fine but it was impossible to create new credentials.

I had a similar issue with my openvas 6 installation, this was resolved by creating the /etc/openvas/gnupg directory and creating the key openvasmd --create-credentials-encryption-key

But on my openvas 7 installation a creation of the encryption key was slooooow. As always Good Randomness is important for creating keys. So I decided to install haveged to get more randomness and hopefully this would speed up key creation.

[root@localhost ~]# yum install haveged

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * atomic:
 * base:
 * extras:
 * updates:
Package already installed and latest version
Nothing to do
[root@localhost ~]# 
[root@localhost ~]# systemct list-unit-files --type=service | grep haveged
-bash: systemct: command not found
[root@localhost ~]# systemctl list-unit-files --type=service | grep haveged
haveged.service                             disabled
[root@localhost ~]# systemctl enable haveged
ln -s '/usr/lib/systemd/system/haveged.service' '/etc/systemd/system/'
[root@localhost ~]# systemctl start haveged
[root@localhost ~]# 

The key creation took a only sec.

[root@localhost ~]# openvasmd --create-credentials-encryption-key
Key creation succeeded.
[root@localhost ~]# 

Adding new credentials works like a charm now.

Happy hacking!


Run google chrome inside a fedora docker container over ssh

less than 1 minute read

Update (Mon Jun 8 2015): Running google-chrome inside a docker container isn't stable for me. I switched back to LXC to run google-chrome which seems to be more stable.

Created a docker image to start a docker container with chrome. Destroying the container each time that you start a browser is a easy way to get rid of your cookies and browser history.

Back to top ↑


lxc templates in Fedora 20

9 minute read

I’m a big fan of containers and used them a lot on Solaris and jails on Freebsd. Containers/jails are the fastest way to spinup an new system and the easiest way to isolate services.

As always with virtualization you’ve to careful with sharing systems or containers that doesn’t below to the same customer or service on the same physical machine since you’re never sure which traces are left behind in the memory etc.

Linux containers are getting more popular since the release of docker

When I tried to create a few containers on Fedora 20, the first attempt (a debian container) wasn’t an success.

On a newly create debian container networking didn’t work.


Size matters, but …

less than 1 minute read

dell2713 Size matters, but … resolution and image quality are as import.

Since I was diagnosed with diabetes I have eyes issues things are getting better recently but I still needs glasses for reading etc.

My “no smoking” Piggy Bank was fat enough for some “eye candy”. I bought a Dell UltraSharp U2713HM a 27 inch WQHD (2560x1440) IPS display.

Compared to the others screens I used to work with the image quality is amazing and the higher resolution give so much more space.

Dell 2713HM images

Back to top ↑


bash saved my day

less than 1 minute read

I was creating an ugly quick-and-dirty script to setup the squid cache_dir automatically with puppet based on the diskspace and memory available.

When you are developing you sometimes forget to create backups and push it to git, and mistakes are around the corner.

Lucky bash saved my day!

$ ./  > 
-bash: ./ /bin/bash: bad interpreter: Text file busy
$ vi 


yum update on fedora 19 and zfs on linux

2 minute read


I use zfs on linux on fedora now.

The installation was pretty straightforward but after the installation of zfs yum update failed.

[root@vicky etc]# yum update -y
Loaded plugins: langpacks, refresh-packagekit
Repository google-chrome is listed more than once in the configuration
fedora/19/x86_64/metalink                                                                                                                                                                   |  33 kB  00:00:00     
fedora                                                                                                                                                                                      | 4.2 kB  00:00:00     
fedora-chromium-stable                                                                                                                                                                      | 3.4 kB  00:00:00     
google-chrome                                                                                                                                                                               |  951 B  00:00:00     
rpmfusion-free                                                                                                                                                                              | 3.3 kB  00:00:00     
rpmfusion-free-updates                                                                                                                                                                      | 3.3 kB  00:00:00     
rpmfusion-nonfree                                                                                                                                                                           | 3.3 kB  00:00:00     
rpmfusion-nonfree-updates                                                                                                                                                                   | 3.3 kB  00:00:00     
updates/19/x86_64/metalink                                                                                                                                                                  |  30 kB  00:00:00     
updates                                                                                                                                                                                     | 4.4 kB  00:00:00     
zfs                                                                                                                                                                                         | 2.9 kB  00:00:00     
(1/6): fedora-chromium-stable/19/x86_64/primary_db                                                                                                                                          |  20 kB  00:00:00     
(2/6): zfs/19/x86_64/primary_db                                                                                                                                                             | 6.7 kB  00:00:00     
(3/6): updates/19/x86_64/group_gz                                                                                                                                                           | 385 kB  00:00:02     
(4/6): fedora/19/x86_64/group_gz                                                                                                                                                            | 384 kB  00:00:06     
(5/6): updates/19/x86_64/primary_db                                                                                                                                                         | 8.8 MB  00:01:53     
(6/6): fedora/19/x86_64/primary_db                                                                                                                                                          |  17 MB  00:03:34     
(1/10): google-chrome/primary                                                                                                                                                               | 1.9 kB  00:00:00     
(2/10): rpmfusion-free-updates/19/x86_64/primary_db                                                                                                                                         | 217 kB  00:00:01     
(3/10): rpmfusion-nonfree/19/x86_64/primary_db                                                                                                                                              | 149 kB  00:00:00     
(4/10): rpmfusion-free/19/x86_64/primary_db                                                                                                                                                 | 440 kB  00:00:03     
(5/10): rpmfusion-nonfree-updates/19/x86_64/primary_db                                                                              b                                                       |  97 kB  00:00:00     
(6/10): rpmfusion-nonfree-updates/19/x86_64/group_gz                                                                                                                                        |  990 B  00:00:05     
(7/10): rpmfusion-nonfree/19/x86_64/group_gz                                                                                                                                                |  993 B  00:00:07     
(8/10): rpmfusion-free/19/x86_64/group_gz                                                                                                                                                   | 1.6 kB  00:00:07     
(9/10): rpmfusion-free-updates/19/x86_64/group_gz                                                                                                                                           | 1.6 kB  00:00:07     
(10/10): updates/19/x86_64/updateinfo                                                                                                                                                       | 861 kB  00:00:09     
google-chrome                                                                                                                                                                                                  3/3
Resolving Dependencies
--> Running transaction check
---> Package dkms.noarch 0: will be updated
--> Processing Dependency: dkms = for package: zfs-dkms-0.6.2-1.fc19.noarch
---> Package dkms.noarch 0: will be an update
--> Finished Dependency Resolution
Error: Package: zfs-dkms-0.6.2-1.fc19.noarch (@zfs)
           Requires: dkms =
           Removing: dkms- (@zfs)
               dkms =
           Updated By: dkms- (updates)
               dkms =
           Available: dkms- (fedora)
               dkms =
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
[root@vicky etc]# 

On another fedora system yum update worked fine, after reviewing the differences in the yum configuration it seems that yum-plugin-priorities wasn’t installed on my box. After installing yum-plugin-priorities

[root@vicky etc]# yum install yum-plugin-priorities
Loaded plugins: langpacks, refresh-packagekit
Repository google-chrome is listed more than once in the configuration
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-priorities.noarch 0:1.1.31-18.fc19 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package                                                     Arch                                         Version                                              Repository                                     Size
 yum-plugin-priorities                                       noarch                                       1.1.31-18.fc19                                       updates                                        22 k

Transaction Summary
Install  1 Package

Total download size: 22 k
Installed size: 28 k
Is this ok [y/d/N]: y
Downloading packages:
yum-plugin-priorities-1.1.31-18.fc19.noarch.rpm                                                                                                                                             |  22 kB  00:00:01     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : yum-plugin-priorities-1.1.31-18.fc19.noarch                                                                                                                                                     1/1 
  Verifying  : yum-plugin-priorities-1.1.31-18.fc19.noarch                                                                                                                                                     1/1 

  yum-plugin-priorities.noarch 0:1.1.31-18.fc19                                                                                                                                                                    

[root@vicky etc]# 

And make sure that the zfs has the priority

[root@localhost etc]# cat yum.repos.d/zfs.repo
name=ZFS of Linux for Fedora $releasever
Requires:       yum-plugin-priorities

name=ZFS of Linux for Fedora $releasever - Source
[root@vicky etc]# 

yum update works again.

[root@vicky etc]# yum update -y
Loaded plugins: langpacks, priorities, refresh-packagekit
Repository google-chrome is listed more than once in the configuration
2 packages excluded due to repository priority protections
No packages marked for update
[root@vicky etc]# 


Running kindle on GNU/Linux with wine

less than 1 minute read


I enjoy reading ebooks during my train trip to work on my nexus 7.

At home I prefer to read on my monitor since this is bigger.

Most of the time I use epub or pdf for reading, I bought a kindle version of a book from amazon assuming that I could read with amazon cloud reader at home.

Unfortunately this books is not compatible with cloud reader.

Proprietary_formats should be avoid, lesson learned (again).

To read my book at home I decided to give the windows version of kindle on wine a try

The installation was pretty straightforward on Fedora 19.

  • Install wine
[root@vicky ~]# yum install wine
Loaded plugins: langpacks, refresh-packagekit

  • Download Kindle for Window xp

Download it from:

  • Run the installer
[swagemakers@vicky ~]$ wine ~/Downloads/KindleForPC-installer.exe 
  • Create kindle startup script
wine $HOME/.wine/drive_c/Program\ Files\ \(x86\)/Amazon/Kindle/Kindle.exe &

Happy reading


It’s better to only read ebooks in an open format


Ide is still alive…

less than 1 minute read


The dvd drive in my sun blade 1500 workstation broke down. I use this system acausally for some development, it's always handy to have a big endian system at hand.

The dvd drive was still handy to load another operating system on it.
The dvd drive has an ide interface which are hard to get these days…


I found a ide to sata convertor and a new dvd drive with a sata interface at conrad. This should convert the sata interface to an ide interface without any driver and works with any operating system.

Well let's put this to a test on a sparc system with solaris :-)


The installation was pretty straightforward, luckily the dvd rom drive has a plastic back since the converter touches the back of the dvd rom drive.


After a quick test it seems to work like a charm. I might install opensxce on it.

It seems to be the only option to run an opensolaris ancestor on sparc hardware.


yum install lookat

less than 1 minute read

“yum install lookat” works on Fedora now ;-)

Thanks Christopher!

[staf@vicky ~]$ sudo yum install lookat
[sudo] password for staf: 
Loaded plugins: langpacks, presto, refresh-packagekit, security
Repository google-chrome is listed more than once in the configuration
Resolving Dependencies
--> Running transaction check
---> Package lookat.x86_64 0:1.4.2-1.fc18 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package                                 Arch                                    Version                                         Repository                                Size
 lookat                                  x86_64                                  1.4.2-1.fc18                                    updates                                   55 k

Transaction Summary
Install  1 Package

Total download size: 55 k
Installed size: 118 k
Is this ok [y/N]: y
Downloading Packages:
lookat-1.4.2-1.fc18.x86_64.rpm                                                                                                                           |  55 kB  00:00:00     
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : lookat-1.4.2-1.fc18.x86_64                                                                                                                                   1/1 
  Verifying  : lookat-1.4.2-1.fc18.x86_64                                                                                                                                   1/1 

  lookat.x86_64 0:1.4.2-1.fc18                                                                                                                                                  

[staf@vicky ~]$ 


CGIpaf uploaded to github

less than 1 minute read

I finally converted the cgipaf cvs repository to github.

I used cvs2git It took a bit longer than expected.

My first attempt didn’t had the release tags right.

Adding --retain-conflicting-attic-files to cvs2git resolved this issue.

You’ll find how I did it it below.


Freebsd 9.1 jails with Qjail

4 minute read

I’m using ezjail now.

The reason for this is that the port is marked as RESTRICTED. Since it seems to be a fork from ezjail without respecting the copyright and license


I’m adding more services to my freebsd system

I’m coming from the solaris world where it’s a common practice to run services in separated containers for security reasons.

On FreeBSD there are jails to isolate services and improve security.

At first I didn’t like jails the way the freebsd handbook describes it requires a buildworld which takes a long time on my system with a AMD C-60 CPU.

Lucky Qjail makes the deployment a lot easier.

Back to top ↑


Running Freebsd 9.0 on Asus C60M1-i motherboard

less than 1 minute read


As my file and backup system pluto died i’m building a new one.

This system will run Freebsd mainly for the ZFS filesystem.

The motherbord will be a Asus C60M1-I. The cpu may not have not enough horsepower for deplucation at full speed but it has 6 sata ports which is not common on a mini ITX motherbord. I will reuse my old harddrives and add or replace them when I need more storage.

The freebsd 9.0 installation with ZFS root went well but the network adapter a Realtek 8111F isn’t supported by Freebsd 9.0. After checking google I found this on the freebsd-net mailinglist.

The realtek f8111F is supported in the latest driver code, after rebuilding my kernel the network adapter works fine. Very useful on a NAS ;-)


RIP: pluto

less than 1 minute read

RIP After 10 year, my fileserver pluto died. Pluto was a AMD64 had 1GB RAM and 4 too loud samsung drives (160GB).

( 1 minute silence …. )

I take backups of course ;-) I already ordered the parts to build a new pluto.

Pluto still hosted some CSV repositorties like CGIpaf. But it’s time to move the source to a safer place. This will be github.

I also decided to create a blog and I wanted something that integrated well with github. Octopress seems to be the most logical choose. It’s written in ruby which is a nice bonus.

Back to top ↑