Use a GPG smartcard with Thunderbird. Part 3: Setup Thunderbird

September 10, 2024 5 minute read

In previous blog posts, we discussed setting up a GPG smartcard on GNU/Linux and FreeBSD.

In this blog post, we will configure Thunderbird to work with an external smartcard reader and our GPG-compatible smartcard.

Before Thunderbird 78, if you wanted to use OpenPGP email encryption, you had to use a third-party add-on such as https://enigmail.net/.

Thunderbird’s recent versions natively support OpenPGP. The Enigmail addon for Thunderbird has been discontinued. See: https://enigmail.net/index.php/en/home/news.

I didn’t find good documentation on how to set up Thunderbird with a GnuPG smartcard when I moved to a new coreboot laptop, so this was the reason I created this blog post series.

New release Ansible role stafwag.ntpd, and clean up Ansible roles

August 25, 2024 2 minute read

I made some time to give some love to my own projects and spent some time rewriting the Ansible role stafwag.ntpd and cleaning up some other Ansible roles.

There is some work ongoing for some other Ansible roles/projects, but this might be a topic for some other blog post(s) ;-)

stafwag.ntpd

An ansible role to configure ntpd/chrony/systemd-timesyncd.

This might be controversial, but I decided to add support for chrony and systemd-timesyncd. Ntpd is still supported and the default on the BSDs ( FreeBSD, NetBSD, OpenBSD).

It’s possible to switch from the ntp implementation by using the ntpd.provider directive.

The Ansible role stafwag.ntpd v2.0.0 is available at:

• https://github.com/stafwag/ansible-role-ntpd
• https://galaxy.ansible.com/ui/standalone/roles/stafwag/ntpd/

Release notes

V2.0.0

• Added support for chrony and systemd-timesyncd on GNU/Linux
  • systemd-timesynced is the default on Debian GNU/Linux 12+ and Archlinux
  • ntpd is the default on all operating systems (BSDs, Solaris) and Debian GNU/Linux 10 and 11
  • chrony is the default on all other GNU/Linux distributes
  • For ntpd hash as the input for the role.
  • Updated README
  • CleanUp

Use a GPG smart card with Thunderbird. Part 2: setup GnuPG on FreeBSD

July 28, 2024 19 minute read

Updated @ Mon Sep 2 07:55:20 PM CEST 2024: Added devfs section
Updated @ Wed Sep 4 07:48:56 PM CEST 2024 : Corrected gpg-agent.conf

I use FreeBSD and GNU/Linux.

In a previous blog post, we set up GnuPG with smartcard support on Debian GNU/Linux.

In this blog post, we’ll install and configure GnuPG with smartcard support on FreeBSD.

The GNU/Linux blog post provides more details about GnuPG, so it might be useful for the FreeBSD users to read it first.

Likewise, Linux users are welcome to read this blog post if they’re interested in how it’s done on FreeBSD ;-)

Use a GPG smartcard with Thunderbird. Part 1: setup GnuPG

April 21, 2024 14 minute read

I use a Free Software Foundation Europe fellowship GPG smartcard for my email encryption and package signing. While FSFE doesn’t provide the smartcard anymore it’s still available at www.floss-shop.de.

I moved to a Thinkpad w541 with coreboot running Debian GNU/Linux and FreeBSD so I needed to set up my email encryption on Thunderbird again.

It took me more time to reconfigure it again - as usual - so I decided to take notes this time and create a blog post about it. As this might be useful for somebody else … or me in the future :-)

The setup is executed on Debian GNU/Linux 12 (bookworm) with the FSFE fellowship GPG smartcard, but the setup for other Linux distributes, FreeBSD or other smartcards is very similar.

Running OpenBSD as an UEFI virtual machine (on a Raspberry Pi)

February 25, 2024 9 minute read

I started to migrate all the services that I use on my internal network to my Raspberry Pi 4 cluster. I migrated my FreeBSD jails to BastileBSD on a virtual machine running on a Raspberry Pi. See my blog post on how to migrate from ezjail to BastilleBSD. https://stafwag.github.io/blog/blog/2023/09/10/migrate-from-ezjail-to-bastille-part1-introduction-to-bastillebsd/

Running FreeBSD as a virtual machine with UEFI on ARM64 came to the point that it just works. I have to use QEMU with u-boot to get FreeBSD up and running on the Raspberry Pi as a virtual machine with older FreeBSD versions: https://stafwag.github.io/blog/blog/2021/03/14/howto_run_freebsd_as_vm_on_pi/.

But with the latest versions of FreeBSD ( not sure when it started to work, but it works on FreeBSD 14) you can run FreeBSD as a virtual machine on ARM64 with UEFI just like on x86 on GNU/Linux with KVM.

UEFI on KVM is in general provided by the open-source tianocore project.

I didn’t find much information on how to run OpenBSD with UEFI on x86 or ARM64.

So I decided to write a blog post about it, in the hope that this information might be useful to somebody else. First I tried to download the OpenBSD 7.4 ISO image and boot it as a virtual machine on KVM (x86). But the iso image failed to boot on a virtual with UEFI enabled. It looks like the ISO image only supports a legacy BIOS.

ARM64 doesn’t support a “legacy BIOS”. The ARM64 download page for OpenBSD 7.4 doesn’t even have an ISO image, but there is an install-<version>.img image available. So I tried to boot this image on one of my Raspberry Pi systems and this worked. I had more trouble getting NetBSD working as a virtual machine on the Raspberry Pi but this might be a topic for another blog post :-)

You’ll find my journey with my installation instructions below.

Best wishes 2024!

January 2, 2024 less than 1 minute read

Getting started with GitLab-CE. Part 2: User accounts, SSH access

November 26, 2023 5 minute read

In my previous blog post, we installed GitLab-CE and did some post configuration. In this blog post, we’ll continue to create user accounts and set up SSH to the git repository.

In the next blog posts will add code to GitLab and set up GitLab runners on different Operating systems.

Getting started with GitLab-CE. Part 1: Installation

November 15, 2023 12 minute read

CI/CD Platform Overview

When you want or need to use CI/CD you have a lot of CI/CD platforms where you can choose from. As with most “tools”, the tool is less important. What (which flow, best practices, security benchmarks, etc) and how you implement it, is what matters.

One of the most commonly used options is Jenkins.

I used and still use Jenkins and created a jenkins build workstation to build software and test in my homelab a couple of years back.

Jenkins started as Hudson at Sun Microsystem(RIP). Hudson is one of the many open-source projects that were started at Sun and killed by Oracle. Jenkins continued as the open-source fork of Hudson.

Jenkins has evolved. If you need to do more complex things you probably end up creating a lot of groovy scripts, nothing wrong with groovy. But as with a lot of discussions about programming, the ecosystem (who is using it, which libraries are available, etc) is important.

Groovy isn’t that commonly used in and known in the system administration ecosystem so this is probably something you need to learn if you’re coming for the system administrator world ( as I do, so I learnt the basics of Groovy this way ).

The other option is to implement CI/CD using the commonly used source hosting platforms; GitHub and GitLab.

• On GitHub we have GitHub Actions.
• On GitLab there is GitLab CI/CD.

Migrate from ezjail to BastilleBSD part 1: BastilleBSD exploration

September 10, 2023 11 minute read

Introduction to BastilleBSD

What are “containers”?

Chroot, Jails, containers, zones, LXC, Docker

I use FreeBSD on my home network to serve services like email, git, fileserver, etc. For some other services, I use k3s with GNU/Linux application containers.

The FreeBSD services run as Jails. For those who aren’t familiar with FreeBSD Jails. Jails started the whole concept of “containers”.

FreeBSD Jails inspired Sun Microsystems to create Solaris zones.

If you want to know more about the history of FreeBSD Jails, Solaris zones and containers on Un!x systems in general and the challenges to run containers securely I recommend the video;

“Papers We Love: Jails and Solaris Zones by Bryan Cantrill”

Sun took containers to the next level with Solaris zones , allowing a fine-grade CPU and memory allocation.

On GNU/Linux LXC was the most popular container framework. …Till Docker came along.

Application vs system containers

Build a 3-node Kubernetes cluster home lab in minutes: The movie.

July 21, 2023 1 minute read

I use the lightweight Kubernetes K3s on a 3-node Raspberry Pi 4 cluster.

And created a few ansible to provision the virtual machines with cloud image with cloud-init and deploy k3s on it.

I updated the roles below to be compatible with the latest Debian release: Debian 12 bookworm.

I created a movie to demonstrate how you can setup a kubernetes homelab in few minutes.

The latest version 1.1.0 is available at: https://github.com/stafwag/ansible-k3s-on-vms

Have fun!

Build a 3-node Kubernetes cluster home lab in 5 minutes (*)

April 4, 2023 1 minute read

I use the lightweight Kubernetes K3s on a 3-node Raspberry Pi 4 cluster. I wrote a few blog posts on how the Raspberry Pi’s are installed.

I run K3s on virtual machines.

Why virtual machines?

Virtual makes it easier to redeploy or to bring a system down and up if your want to test something.

Another reason is that I also run FreeBSD virtual machines on the Raspberry Pis.

I use Debian GNU/Linux as the Operating system with KVM/libvirt as the hypervisor.

I use Ansible to set up the cluster in an automated way. Got finality the time to clean up the code a bit and release it on Github: https://github.com/stafwag/ansible-k3s-on-vms

Best wishes 2023!

January 1, 2023 less than 1 minute read

Create a custom ArchLinux boot image with linux-lts and OpenZFS support

December 21, 2022 2 minute read

I use ArchLinux on my desktop workstation. For the root filesystem, I use btrfs with luks disk encryption and wrote a blog post about it.

https://stafwag.github.io/blog/blog/2016/08/30/arch-on-an-encrypted-btrfs-partition/.

My important data is on OpenZFS.

I’ll migrate my desktop to ArchLinux with OpenZFS in RAIDZ configuration as the root filesystem.

To make installation easier I decide to create a custom ArchLinux boot image with linux-lts and OpenZFS support.

You’ll find my journey to create the boot iso below. All action are execute on a ArchLinux host system (already using OpenZFS)

Debian bullseye on the RPI 4: golden image

July 24, 2022 9 minute read

In my last blog post, we set up Debian bullseye with full disk encryption on a Raspberry PI 4.

I use 3 three Raspberry PI’s to run K3s and a few FreeBSD virtual machines. For the FreeBSD virtual machines I still use QEMU: https://stafwag.github.io/blog/blog/2021/03/14/howto_run_freebsd_as_vm_on_pi/, I still need to test if we can use KVM/libvirt with the UEFI improvements in FreeBSD 13.1. But that might be another blog post :-)

As need I the same installation at least three times, I decided to create a “golden image” with the most important tools.

Debian bullseye on the RPI 4 with full disk encryption.

July 3, 2022 19 minute read

Updated @ Sun Jul 17 07:51:58 PM CEST 2022: Added blkid section UUID cryptroot. Changed dropbear port to 2222.

I use a few Raspberry PI’s 4 to run virtual machines and k3s.

I was using the Manjaro Linux with full disk encryption but I’ll switch to Debian GNU/Linux, the main reason is that libvirt is currently broken on archlinuxarm.

You’ll find my journey to get Debian GNU/Linux bullseye up and running on the Raspberry PI with full disk encryption below.

How to install coreboot on a Lenovo x230

January 21, 2022 9 minute read

I already use coreboot on my Lenovo W500 with FreeBSD. I bought a Lenovo x230 for a nice price I decide to install coreboot on it. After reading a lot of online documentation. I decided to install the skulls coreboot distribution on it. The skulls project has nice documentation on how to install it.

To replace the BIOS with coreboot you will need to disassemble the laptop and use a clip on the BIOS chip to install it.

Best wishes 2022!

January 2, 2022 less than 1 minute read

Ansible role: package_update v2.0.2

October 31, 2021 1 minute read

Keeping your software up-to-date is an important task in System Administration. Not only for security reasons but also to roll out bug fixes to your systems.

As always we should try to automate this process as much as possible.

Ansible has a package module to install packages in a generic way. It supports most Un*x platforms (GNU/Linux, BSD, …). But it doesn’t allow you to update all packages.

For this reason, I created an Ansible role: package update.

Package update enables you to update all packages on most Linux distributions and the BSD operating systems. It can also update the running jails on FreeBSD.

Version 2.0.2 is available at

• Github: https://github.com/stafwag/ansible-role-package_update.
• Ansible galaxy: https://galaxy.ansible.com/stafwag/package_update

Version 2.0.2:

Changelog:

• Always update the apt cache on Debian based distributions.

Have fun!

Use unbound as an DNS-over-TLS resolver and authoritative dns server v2.0.0

October 17, 2021 4 minute read

In previous blog posts, I described howto setup stubby as a DNS-over-TLS resolver. I used stubby on my laptop(s) and unbound on my internal network.

I migrated to unbound last year and created a docker container for it. Unbound is a popular DNS resolver, it’s less known that you can also use it as an authoritative DNS server.

This work was based on Debian Buster, I migrated the container to Debian Bullseye reorganize it a bit to make it easier to store the zones configuration outside the container like a configmap or persistent volume on Kubernetes.

Version 2.0.0 is available at https://github.com/stafwag/docker-stafwag-unbound.

Version 2.0.0:

Changelog:

• Updated the base image to debian:bullseye.
• Updated create_zone_config.sh to be able to run outside the container.
• Removed the zones.conf generation from the entrypoint
• Start the container as the unbound user
• Updated to logging.conf
• Set the pidfile /tmp/unbound.pid
• Added remote-control.conf
• Updated the documentation

Best wishes 2021!

January 1, 2021 less than 1 minute read

$ sudo -i
# find / -name "*covid*" -exec rm -rf {} \;
# find / -name "*corona*" -exec rm -rf {} \;
# pkill -9 covid19
# pkill -9 corona
# reboot

Have fun!

Open Hardware PowerPC notebook

August 9, 2020 less than 1 minute read

PowerPC Notebook

I prefer RISC as a CPU architecture over CISC. RISC is a simpler design that should deliver more CPU performance with fewer transistors and is more power-efficient. We have to recognize that Intel and AMD have made great progress in increasing the performance and efficiency of the x86 CISC architecture.

But the x86 architecture comes with a FreeDOM cost, Intel has the Intel Management Engine and closed Proprietary software is required to initialize the components. The same can be said about AMD; AMD has the AMD Platform Security Processor and binary blobs are required.

Power is currently the most powerful alternative that doesn’t require binary blobs; this is not only great for free/open source activists. A truly open-source firmware that can be reviewed / audited is also for nice security reasons.

Keep zfs running on the Raspberry PI

August 3, 2020 less than 1 minute read

I got a Raspberry PI 4 to play with and installed Manjaro GNU/Linux on it.

I use OpenZFS on my PI. The latest kernel update broke zfs on my PI due to a License conflict, the solution is to disable PREEMPT in the kernel config. This BUG was already resolved with OpenZFS with the main Linux kernel tree at least on X86_64/AMD64, not sure why the kernel on the raspberry pi is still affected.

I was looking for an excuse to build a custom kernel for my Pi anyway :-). I cloned the default manjaro RPI4 kernel and disabled PREEMPT in the kernel config.

The package is available at: https://gitlab.com/stafwag/manjaro-linux-rpi4-nopreempt. This package also doesn’t update /boot/config.txt and /boot/cmdline.txt to not overwrite custom settings.

Have fun!

Howto use centos cloud images with cloud-init on KVM/libvirtd

March 3, 2019 6 minute read

Images versus unattended setup

Old-school

Unattended setup

In a traditional environment, systems are installed from a CDROM. The configuration is executed by the system administrator through the installer. This soon becomes a borning and unpractical task when we need to set up a lot of systems also it is important that systems are configured in same - and hopefully correct - way.

In a traditional environment, this can be automated by booting via BOOTP/PXE boot and configured is by a system that “feeds” the installer. Examples are:

• [Solaris Jumpstart](https://en.wikipedia.org/wiki/JumpStart_(Solaris)
• Redhat Kickstart
• DebianInstaller Preseed
• Suse Autoyast
• …

Setting up OpenStack-Ansible All-In-One on a Centos 7 system

January 21, 2019 6 minute read

Openstack is a nice platform to deploy an Infrastructure as a service and is a collection of projects but it can be a bit difficult to setup. The documentation is really great if you want to setup openstack by hand and there are a few openstack distributions that makes it easier to install it.

Ansible is a very nice tool for system automatisation and is one that’s easier to learn.

Wouldn’t be nice if we could make the openstack installation easier with ansible? That’s exactly what Openstack-Ansible does.

In this blog post we’ll setup “an all-in-one” openstack installation on Centos 7. The installer will install openstack into lxc containers and it’s nice way to learn how openstack works and how to operate it.

Preparation

DNS Privacy with Stubby (Part 1 GNU/Linux)

September 9, 2018 9 minute read

** Installing and configuring an encrypted dns server is straightforward, there is no reason to use an unencrypted dns service. **

DNS is not secure or private

DNS traffic is insecure and runs over UDP port 53 (TCP for zone transfers ) unecrypted by default.

This make your unencrypted DNS traffic a privacy risk and a security risk:

• anyone that is able to sniff your network traffic can collect a lot information from your leaking DNS traffic.
• with a DNS spoofing attack an attacker can trick you let go to malicious website or try to intercept your email traffic.

Encrypt your dns traffic

Encrypting your network traffic is always a good idea for privacy and security reasons - ** we encrypt, because we can! ** - . More information about dns privacy can be found at https://dnsprivacy.org/

On this site you’ll find also the DNS Privacy Daemon - Stubby that let’s you send your DNS request over TLS to an alternative DNS provider. You should use a DNS provider that you trust and has a no logging policy. quad9, cloudflare and google dns are well-known alternative dns providers. At https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers you can find a few other options.

You’ll find my journey to setup Stubby on a few operation systems I use (or I’m force to use) below …

GNU/Linux

Migrate a windows vmware virtual machine to Linux KVM

July 1, 2018 6 minute read

Linux KVM is getting more and more useable for desktop virtualization thanks to the the virtio and QXL/SPICE drivers.

Most Linux distributes have the virtio & QXL drivers you might need to install the spice-vdagent.

On Windows you can download and install the virtio and QXL drivers.

Using the virtio drivers will improve your guest system performance and your virtualization experience.

Nested virtualization in KVM

June 4, 2018 5 minute read

KVM

Kernel-based Virtual Machine (KVM) has become the defacto hypervisor on GNU/Linux systems it works with great performance as it utilizes the CPU virtualization extensions Inetl VT-x or AMD-V). KVM doesn’t emulate hardware but uses QEMU for this.

Nested Virtual guest

It’s possible to use nested virtualization this make it possible to run a hypervisor inside a KVM virtual machine.

High screen resolution on a KVM virtual machine with QXL

April 22, 2018 4 minute read

When you create an new virtual KVM virtual system the video ram is limited to 16MB by default to use a higer screen resolution you need to increase the video ram. The available resolution reported by the virtual screen may also not include the resolution that you want to utilize.

You’ll find my journey to enable higher screen resolutions in my KVM (qemu) virtual systems below.

Update your CPU microcode on Arch Linux

February 10, 2018 10 minute read

Meltdown & spectre

With Meldown https://nvd.nist.gov/vuln/detail/CVE-2017-5754, Spectre Variant 1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753 and Spectre Variant 2 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753 out in the wild there is a lot of confusing going about updating microcode.

There is a “Spectre & Meltdown Checker” available at https://github.com/speed47/spectre-meltdown-checker

Usage is very easy just clone the git repository and run the script.

Microcode

Microcode isn’t uploaded to the CPU but loaded during the boot strap of the CPU. Normally the BIOS upload the microcode to the CPU but this can also be done by the by the bootloader, or the operating system kernel.

model-m tux update…

October 20, 2017 less than 1 minute read

I own a Unicomp model-m keyboard. The keyboard has a nice key feel but it has windows super key(s).

I don’t use super key(s), and would prefer to have a keyboard without it. But when it has super keys I’d rather have it without the windows logo on it so it was time to replace them with the tux version

20 core Dual Processor jenkins build workstation

September 16, 2017 1 minute read

My jenkins builds are taking too long mainly due the lack of memory. I mainly use jenkins to verify that my software work on different operation systems (GNU/Linux distributions / *BSD / Solaris).

Looking for a solution that is still affordable I ended up with building a dual Xeon workstation. CPU and memory comes from www.ebay.be

Run google chrome inside a fedora docker container over ssh

May 12, 2015 less than 1 minute read

Update (Mon Jun 8 2015): Running google-chrome inside a docker container isn't stable for me. I switched back to LXC to run google-chrome which seems to be more stable.

Created a docker image to start a docker container with chrome. Destroying the container each time that you start a browser is a easy way to get rid of your cookies and browser history.

lxc templates in Fedora 20

June 9, 2014 9 minute read

I’m a big fan of containers and used them a lot on Solaris and jails on Freebsd. Containers/jails are the fastest way to spinup an new system and the easiest way to isolate services.

As always with virtualization you’ve to careful with sharing systems or containers that doesn’t below to the same customer or service on the same physical machine since you’re never sure which traces are left behind in the memory etc.

Linux containers are getting more popular since the release of docker

When I tried to create a few containers on Fedora 20, the first attempt (a debian container) wasn’t an success.

On a newly create debian container networking didn’t work.

zfs on Fedora 20

January 14, 2014 7 minute read

With Fedora 20 being released a few weeks ago and no official zfsonlinux support for Fedora 20. It time to get zfs on linux working on Fedora 20.

Zfs on linux 2.6.2 required a custom DKMS package. Lucky the patches that were required for zfs on linux are already integrated into Fedora: http://negativo17.org/dkms-patches-for-zfs-on-linux-merged/

So lets try to build the rpm packages for Fedora 20 from the source.

yum update on fedora 19 and zfs on linux

October 13, 2013 2 minute read

I use zfs on linux on fedora now.

The installation was pretty straightforward but after the installation of zfs yum update failed.

[root@vicky etc]# yum update -y
Loaded plugins: langpacks, refresh-packagekit
Repository google-chrome is listed more than once in the configuration
fedora/19/x86_64/metalink                                                                                                                                                                   |  33 kB  00:00:00     
fedora                                                                                                                                                                                      | 4.2 kB  00:00:00     
fedora-chromium-stable                                                                                                                                                                      | 3.4 kB  00:00:00     
google-chrome                                                                                                                                                                               |  951 B  00:00:00     
rpmfusion-free                                                                                                                                                                              | 3.3 kB  00:00:00     
rpmfusion-free-updates                                                                                                                                                                      | 3.3 kB  00:00:00     
rpmfusion-nonfree                                                                                                                                                                           | 3.3 kB  00:00:00     
rpmfusion-nonfree-updates                                                                                                                                                                   | 3.3 kB  00:00:00     
updates/19/x86_64/metalink                                                                                                                                                                  |  30 kB  00:00:00     
updates                                                                                                                                                                                     | 4.4 kB  00:00:00     
zfs                                                                                                                                                                                         | 2.9 kB  00:00:00     
(1/6): fedora-chromium-stable/19/x86_64/primary_db                                                                                                                                          |  20 kB  00:00:00     
(2/6): zfs/19/x86_64/primary_db                                                                                                                                                             | 6.7 kB  00:00:00     
(3/6): updates/19/x86_64/group_gz                                                                                                                                                           | 385 kB  00:00:02     
(4/6): fedora/19/x86_64/group_gz                                                                                                                                                            | 384 kB  00:00:06     
(5/6): updates/19/x86_64/primary_db                                                                                                                                                         | 8.8 MB  00:01:53     
(6/6): fedora/19/x86_64/primary_db                                                                                                                                                          |  17 MB  00:03:34     
(1/10): google-chrome/primary                                                                                                                                                               | 1.9 kB  00:00:00     
(2/10): rpmfusion-free-updates/19/x86_64/primary_db                                                                                                                                         | 217 kB  00:00:01     
(3/10): rpmfusion-nonfree/19/x86_64/primary_db                                                                                                                                              | 149 kB  00:00:00     
(4/10): rpmfusion-free/19/x86_64/primary_db                                                                                                                                                 | 440 kB  00:00:03     
(5/10): rpmfusion-nonfree-updates/19/x86_64/primary_db                                                                              b                                                       |  97 kB  00:00:00     
(6/10): rpmfusion-nonfree-updates/19/x86_64/group_gz                                                                                                                                        |  990 B  00:00:05     
(7/10): rpmfusion-nonfree/19/x86_64/group_gz                                                                                                                                                |  993 B  00:00:07     
(8/10): rpmfusion-free/19/x86_64/group_gz                                                                                                                                                   | 1.6 kB  00:00:07     
(9/10): rpmfusion-free-updates/19/x86_64/group_gz                                                                                                                                           | 1.6 kB  00:00:07     
(10/10): updates/19/x86_64/updateinfo                                                                                                                                                       | 861 kB  00:00:09     
google-chrome                                                                                                                                                                                                  3/3
Resolving Dependencies
--> Running transaction check
---> Package dkms.noarch 0:2.2.0.3-14.zfs1.fc19 will be updated
--> Processing Dependency: dkms = 2.2.0.3-14.zfs1.fc19 for package: zfs-dkms-0.6.2-1.fc19.noarch
---> Package dkms.noarch 0:2.2.0.3-17.fc19 will be an update
--> Finished Dependency Resolution
Error: Package: zfs-dkms-0.6.2-1.fc19.noarch (@zfs)
           Requires: dkms = 2.2.0.3-14.zfs1.fc19
           Removing: dkms-2.2.0.3-14.zfs1.fc19.noarch (@zfs)
               dkms = 2.2.0.3-14.zfs1.fc19
           Updated By: dkms-2.2.0.3-17.fc19.noarch (updates)
               dkms = 2.2.0.3-17.fc19
           Available: dkms-2.2.0.3-5.fc19.noarch (fedora)
               dkms = 2.2.0.3-5.fc19
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
[root@vicky etc]# 

On another fedora system yum update worked fine, after reviewing the differences in the yum configuration it seems that yum-plugin-priorities wasn’t installed on my box. After installing yum-plugin-priorities

[root@vicky etc]# yum install yum-plugin-priorities
Loaded plugins: langpacks, refresh-packagekit
Repository google-chrome is listed more than once in the configuration
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-priorities.noarch 0:1.1.31-18.fc19 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
 Package                                                     Arch                                         Version                                              Repository                                     Size
===================================================================================================================================================================================================================
Installing:
 yum-plugin-priorities                                       noarch                                       1.1.31-18.fc19                                       updates                                        22 k

Transaction Summary
===================================================================================================================================================================================================================
Install  1 Package

Total download size: 22 k
Installed size: 28 k
Is this ok [y/d/N]: y
Downloading packages:
yum-plugin-priorities-1.1.31-18.fc19.noarch.rpm                                                                                                                                             |  22 kB  00:00:01     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : yum-plugin-priorities-1.1.31-18.fc19.noarch                                                                                                                                                     1/1 
  Verifying  : yum-plugin-priorities-1.1.31-18.fc19.noarch                                                                                                                                                     1/1 

Installed:
  yum-plugin-priorities.noarch 0:1.1.31-18.fc19                                                                                                                                                                    

Complete!
[root@vicky etc]# 

And make sure that the zfs has the priority

[root@localhost etc]# cat yum.repos.d/zfs.repo
[zfs]
name=ZFS of Linux for Fedora $releasever
baseurl=http://archive.zfsonlinux.org/fedora/$releasever/$basearch/
enabled=1
priority=1
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
Requires:       yum-plugin-priorities

[zfs-source]
name=ZFS of Linux for Fedora $releasever - Source
baseurl=http://archive.zfsonlinux.org/fedora/$releasever/SRPMS/
enabled=0
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
[root@vicky etc]# 

yum update works again.

[root@vicky etc]# yum update -y
Loaded plugins: langpacks, priorities, refresh-packagekit
Repository google-chrome is listed more than once in the configuration
2 packages excluded due to repository priority protections
No packages marked for update
[root@vicky etc]# 

Running kindle on GNU/Linux with wine

September 8, 2013 less than 1 minute read

I enjoy reading ebooks during my train trip to work on my nexus 7.

At home I prefer to read on my monitor since this is bigger.

Most of the time I use epub or pdf for reading, I bought a kindle version of a book from amazon assuming that I could read with amazon cloud reader at home.

Unfortunately this books is not compatible with cloud reader.

Proprietary_formats should be avoid, lesson learned (again).

To read my book at home I decided to give the windows version of kindle on wine a try

The installation was pretty straightforward on Fedora 19.

• Install wine

[root@vicky ~]# yum install wine
Loaded plugins: langpacks, refresh-packagekit

• Download Kindle for Window xp

Download it from: http://www.amazon.com/gp/feature.html/ref=kcp_pc_ln_ar?docId=1000426311

• Run the installer

[swagemakers@vicky ~]$ wine ~/Downloads/KindleForPC-installer.exe 

• Create kindle startup script

wine $HOME/.wine/drive_c/Program\ Files\ \(x86\)/Amazon/Kindle/Kindle.exe &

Happy reading

but

It’s better to only read ebooks in an open format

Use a GPG smartcard with Thunderbird. Part 3: Setup Thunderbird

September 10, 2024 5 minute read

In previous blog posts, we discussed setting up a GPG smartcard on GNU/Linux and FreeBSD.

In this blog post, we will configure Thunderbird to work with an external smartcard reader and our GPG-compatible smartcard.

Before Thunderbird 78, if you wanted to use OpenPGP email encryption, you had to use a third-party add-on such as https://enigmail.net/.

Thunderbird’s recent versions natively support OpenPGP. The Enigmail addon for Thunderbird has been discontinued. See: https://enigmail.net/index.php/en/home/news.

I didn’t find good documentation on how to set up Thunderbird with a GnuPG smartcard when I moved to a new coreboot laptop, so this was the reason I created this blog post series.

New release Ansible role stafwag.ntpd, and clean up Ansible roles

August 25, 2024 2 minute read

I made some time to give some love to my own projects and spent some time rewriting the Ansible role stafwag.ntpd and cleaning up some other Ansible roles.

There is some work ongoing for some other Ansible roles/projects, but this might be a topic for some other blog post(s) ;-)

stafwag.ntpd

An ansible role to configure ntpd/chrony/systemd-timesyncd.

This might be controversial, but I decided to add support for chrony and systemd-timesyncd. Ntpd is still supported and the default on the BSDs ( FreeBSD, NetBSD, OpenBSD).

It’s possible to switch from the ntp implementation by using the ntpd.provider directive.

The Ansible role stafwag.ntpd v2.0.0 is available at:

• https://github.com/stafwag/ansible-role-ntpd
• https://galaxy.ansible.com/ui/standalone/roles/stafwag/ntpd/

Release notes

V2.0.0

• Added support for chrony and systemd-timesyncd on GNU/Linux
  • systemd-timesynced is the default on Debian GNU/Linux 12+ and Archlinux
  • ntpd is the default on all operating systems (BSDs, Solaris) and Debian GNU/Linux 10 and 11
  • chrony is the default on all other GNU/Linux distributes
  • For ntpd hash as the input for the role.
  • Updated README
  • CleanUp

Use a GPG smart card with Thunderbird. Part 2: setup GnuPG on FreeBSD

July 28, 2024 19 minute read

Updated @ Mon Sep 2 07:55:20 PM CEST 2024: Added devfs section
Updated @ Wed Sep 4 07:48:56 PM CEST 2024 : Corrected gpg-agent.conf

I use FreeBSD and GNU/Linux.

In a previous blog post, we set up GnuPG with smartcard support on Debian GNU/Linux.

In this blog post, we’ll install and configure GnuPG with smartcard support on FreeBSD.

The GNU/Linux blog post provides more details about GnuPG, so it might be useful for the FreeBSD users to read it first.

Likewise, Linux users are welcome to read this blog post if they’re interested in how it’s done on FreeBSD ;-)

Best wishes 2024!

January 2, 2024 less than 1 minute read

Migrate from ezjail to BastilleBSD part 2: Migrate the Jails

September 17, 2023 6 minute read

How to migrate Jails from ezjail to BastilleBSD

In my previous blog post, I reviewed BastilleBSD. In this post, we go through the required steps to migrate the Jails from ezjail to BastilleBSD.

ezjail test Jail

To test the Jail migration, we’ll first create a test Jail with ezjail. This test Jail will migrate to a BastilleBSD Jail.

Create the test ezjail Jail

We use the ezjail-admin create staftestje001 'vtnet0|<ip>' command to create the test Jail.

Migrate from ezjail to BastilleBSD part 1: BastilleBSD exploration

September 10, 2023 11 minute read

Introduction to BastilleBSD

What are “containers”?

Chroot, Jails, containers, zones, LXC, Docker

I use FreeBSD on my home network to serve services like email, git, fileserver, etc. For some other services, I use k3s with GNU/Linux application containers.

The FreeBSD services run as Jails. For those who aren’t familiar with FreeBSD Jails. Jails started the whole concept of “containers”.

FreeBSD Jails inspired Sun Microsystems to create Solaris zones.

If you want to know more about the history of FreeBSD Jails, Solaris zones and containers on Un!x systems in general and the challenges to run containers securely I recommend the video;

“Papers We Love: Jails and Solaris Zones by Bryan Cantrill”

Sun took containers to the next level with Solaris zones , allowing a fine-grade CPU and memory allocation.

On GNU/Linux LXC was the most popular container framework. …Till Docker came along.

Application vs system containers

Best wishes 2023!

January 1, 2023 less than 1 minute read

Best wishes 2022!

January 2, 2022 less than 1 minute read

Ansible role: package_update v2.0.2

October 31, 2021 1 minute read

Keeping your software up-to-date is an important task in System Administration. Not only for security reasons but also to roll out bug fixes to your systems.

As always we should try to automate this process as much as possible.

Ansible has a package module to install packages in a generic way. It supports most Un*x platforms (GNU/Linux, BSD, …). But it doesn’t allow you to update all packages.

For this reason, I created an Ansible role: package update.

Package update enables you to update all packages on most Linux distributions and the BSD operating systems. It can also update the running jails on FreeBSD.

Version 2.0.2 is available at

• Github: https://github.com/stafwag/ansible-role-package_update.
• Ansible galaxy: https://galaxy.ansible.com/stafwag/package_update

Version 2.0.2:

Changelog:

• Always update the apt cache on Debian based distributions.

Have fun!

Update your bootloader on FreeBSD 13 when you upgrade your zroot pool…

May 9, 2021 2 minute read

One of the nice new features of FreeBSD 13 is OpenZFS 2.0. OpenZFS 2.0 comes with zstd compression support. Zstd compression can have compression ratios similar to gzip with less CPU usage.

For my backups, I copy the most import data - /etc/, /home, … - first locally to a ZFS dataset. This data gets synced to a backup server. This local ZFS dataset was compressed with gzip, after upgrading the zroot pool and setting zstd as the compress method. FreeBSD failed to boot with the error message:

ZFS: unsupported feature: org.freebsd:zstd
ZFS: pool zroot is not supported
gptzfsboot: failed to mount default pool zroot

As this might help people with the same issue, I decided to create a blog post about it.

How to run a FreeBSD Virtual Machine on the RPI4 with QEMU. Part 2: Network, Install from cdrom, startup

March 28, 2021 10 minute read

In my last blog post, we set up a FreeBSD virtual machine with QEMU. I switched from the EDK2 (UEFI) firmware to U-boot, the EDK2 firmware had issues with multiple CPU’s in the virtual machines.

In this blog post, we’ll continue with the Network setup, install the virtual machine from a CDROM image and how to start the virtual machine during the PI start-up.

How to run a FreeBSD Virtual Machine on the RPI4 with QEMU. Part 1: QEMU setup

March 14, 2021 2 minute read

I got a Raspberry PI 4 a couple of months back and started it use it to run virtual machines.

This works great for GNU/Linux distributions but FreeBSD as a virtual machine didn’t work for me. When I tried to install FreeBSD or import a virtual machine image, FreeBSD wasn’t able to mount the root filesystem and ended with an “error 19”.

On the FreeBSD wiki, there are a few articles on how to use ARM64 FreeBSD with QEMU directly.

You find my journey of getting a FreeBSD Virtual Machine below.

I use Manjaro on my Raspberry PI, but the same setup will work with other GNU/Linux distributions.

Best wishes 2021!

January 1, 2021 less than 1 minute read

$ sudo -i
# find / -name "*covid*" -exec rm -rf {} \;
# find / -name "*corona*" -exec rm -rf {} \;
# pkill -9 covid19
# pkill -9 corona
# reboot

Have fun!

32 bits (still) matters!

November 15, 2020 6 minute read

updated @ Mon Nov 16 08:16:30 PM CET 2020: Corrected the version when OPNsense dropped 32 bits support.

I used OPNsense on my pcengines Alix 2d13 firewall.

The Alix 2d13 is a nice motherboard with a Geode CPU 32 bits x86 CPU.

I migrated to OPNsense after pfSense dropped support for 32 bits. Unfortunately, OPNsense also dropped support for 32 bits CPUs in the 19.1.7 release 20.7 release. I decided to install FreeBSD on my Alix to use it as my firewall.

To make it possible to reinstall my Alix firewall, I installed FreeBSD on my Raspberry Pi 2 to use it as my firewall during the installation of FreeBSD on my Alix.

You’ll find my journey to install FreeBSD my an Alix firewall below.

Upgrade FreeBSD on a Raspberry Pi 2

November 1, 2020 4 minute read

I recently installed FreeBSD on my raspberry-pi 2 to use it as my firewall.

The FreeBSD version that I installed was a FreeBSD 12.2 Pre-Release. FreeBSD 12.2 has been released this week.

ARM is a Tier-2 on FreeBSD. This means that freebsd-update doesn’t work on a Raspberry Pi.

Freebsd-update wouldn’t work on a Pre-Release anyway. So I was looking for a way to update my Raspberry Pi to FreeBSD 12.2.

Use a raspberry-pi 2 as a firewall with FreeBSD

October 25, 2020 10 minute read

Updated @ Mon Nov 16 08:16:30 PM CET 2020: Corrected the version when OPNsense dropped 32 bits support.

I was using OPNsense on my pcengines alix firewall and was quite happy with it.

The alix 2d13 is a nice motherboard with a Geode CPU, it has a 32 bits x86 instruction set. I migrated to OPNsense from pfSense when pfSense dropped 32 bits support.

Unfortunately, OPNsense also dropped support for 32 bits CPU’s in the 19.1.7 release 20.7 release. I decided to install FreeBSD on the alix to use it as my firewall. But I need a temporary firewall solution so I can install FreeBSD on my alix board. I have a Raspberry PI 2 that I wasn’t using.

You’ll find my journey to use my RPI2 as my firewall below.

Switch from Libreboot to coreboot

October 17, 2019 11 minute read

I use(d) Libreboot on my Lenovo W500. And it works fine… but I want to install FreeBSD on it. The GRUB payload Libreboot uses by default isn’t compatible with the FreeBSD bootloader. It is possible to boot FreeBSD from GRUB or try to recompile Libreboot with the SeaBIOS payload. …But I just wanted to play with coreboot, to be honest :-)

Prepare

OPNsense upgrade failed: Out of inodes

May 21, 2019 7 minute read

I use OPNsense as my firewall on a Pcengines Alix.

The primary reason is to have a firewall that will be always up-to-update, unlike most commercial customer grade firewalls that are only supported for a few years. Having a firewall that runs opensource software - it’s based on FreeBSD - also make it easier to review and to verify that there are no back doors.

When I tried to upgrade it to the latest release - 19.1.7 - the upgrade failed because the filesystem ran out of inodes. There is already a topic about this at the OPNsense forum and a fix available for the upcoming nano OPNsense images.

How to configure DNS-over-TLS on OPNsense

December 9, 2018 2 minute read

DNS-over-TLS

In my previous blog posts we configured Stubby on GNU/Linux and FreeBSD.

In this blog article we’ll configure DNS-over-TLS with Unbound on OPNsense. Both Stubby and Unbound are written by NLnet.

DNS Privacy with Stubby (Part 2 FreeBSD)

October 7, 2018 8 minute read

FreeBSD

In my previous blog article we install on GNU/Linux which is my main desktop operation system. My NAS and the services that are required to be always running are on FreeBSD.

In this arcticle we will setup Stubby - the DNS Privacy Daemon - on FreeBSD.

Postfix smarthost with authentication

March 4, 2018 1 minute read

I used the relay host of my internet provider but this was causing issues since my email was getting mark as SPAM in gmail.
 
It was already on my to-do list to move my outgoing mail to my mail provider also to make it easier to move to another ISP or to implement SPF but was not on the top of my to-do list.
 
My email provider requires authentication, so I needed to reconfigure postfix in my FreeBSD mail jail to use a relay host with authentication.

Bacula on FreeBSD (Part 3 storage setup)

December 27, 2017 3 minute read

I finally got the time to continue with my bacula backup setup. See my previous posts about the start of my bacula setup.

• bacula on freebsd_part 1
• bacula on freebsd part 2

Storage setup

I created a new zfs pool “bigpool” with some old harddisks I probably need to replace them with bigger harddisk in the further.

Bacula on FreeBSD (part 2 Bacula Catalog over SSL )

September 9, 2017 25 minute read

In my previous post, I setup on my PostgresSQL FreeBSD jail, In this post we continue with the bacaula server.

In this post we will continue with the database connection (Catalog) we’ll go the extra mile 1,609344 km and encrypt the catalog connection with ssl. Why? We encrypt.. because we can!

Bacula Components

• Bacula Director
  The Bacula Director is daemon that runs in the backgroud that control all backup operations.

• Bacula Console
  The Bacula console is an administrator program that allows an system administrator to control the Bacula director.

• Bacula File
  The Bacula File is a backup client install on the backup client.

• Bacula Storage
  The backup media.

• Catalog
  The Catalog is the index of the backups. Bacula supports three types of index databases mySQL ( mariaDB), PostgreSQL and SQLite

• Bacula monitor
  A Bacula monitor service is a program that allows the system administrator to cerify the status of the bacula Directors, Bacula File Daemons and Bacula Storage Daemons.

Bacula Server

Bacula on FreeBSD (part 1 PostgresSQL in a jail)

August 6, 2017 9 minute read

I do take backups; my current solution are couple of shell script wrapper around dump/zfs send/btrfs send/rsync which is a mess. So decided give bacula a try

I use ezjail to manage my FreeBSD jails. PostgresSQL is my favorite database and will use this database as the backend for bacula and will use this database as the backend for bacula. I want to move all my databases to 1 FreeBSD jail this should make the easier to create reliable database backup in the further. For this reason we’ll setup 2 FreeBSD jails 1 for the database and 1 for bacula.

You’ll find my journey of installing PostgreSQL on a FreeBSD jail. In another blog post we will continue with the installation of bacula.

Rataplan becomes a watchdog

September 5, 2015 less than 1 minute read

My NAS runs on FreeBSD I’m quiet happy with it. It’s named after the dog rataplan from the Lucky Luke comic

However transferring large data files to it causes the network to hang. The realtek network interface had issues with freebsd from the beginning. On the screen and in syslog the entry “re0: watchdog timeout” is printed.

Most FreeBSD people recommends to use Intel nics, I ordered a new Intel nic at dx.com. After the installation of the new NIC the network seems to be stable again.

Using squid to cache FreeBSD packages

June 23, 2015 5 minute read

PKGNG config

I manage a few FreeBSD jails behind a squid proxy. pkgng is configured to use the proxy:

CGIpaf 1.3.4 Released

November 23, 2014 less than 1 minute read

CGIpaf 1.3.4 has been released

lxc templates in Fedora 20

June 9, 2014 9 minute read

I’m a big fan of containers and used them a lot on Solaris and jails on Freebsd. Containers/jails are the fastest way to spinup an new system and the easiest way to isolate services.

As always with virtualization you’ve to careful with sharing systems or containers that doesn’t below to the same customer or service on the same physical machine since you’re never sure which traces are left behind in the memory etc.

Linux containers are getting more popular since the release of docker

When I tried to create a few containers on Fedora 20, the first attempt (a debian container) wasn’t an success.

On a newly create debian container networking didn’t work.

CGIpaf 1.3.4pre1 released

September 15, 2013 less than 1 minute read

This is the first pre-release of CGIpaf 1.3.4.

Migrating from Qjail to ezjail

April 10, 2013 7 minute read

I was using qjail on my freebsd system but I’m migrating to ezjail.

The reason for this is that the port is marked as RESTRICTED. Since it seems to be a fork from ezjail without respecting the copyright and license https://lists.freebsd.org/pipermail/freebsd-jail/2013-March/002149.html.

Freebsd 9.1 jails with Qjail

February 16, 2013 4 minute read

I’m using ezjail now.

The reason for this is that the port is marked as RESTRICTED. Since it seems to be a fork from ezjail without respecting the copyright and license https://lists.freebsd.org/pipermail/freebsd-jail/2013-March/002149.html.

</strong>

I’m adding more services to my freebsd system

I’m coming from the solaris world where it’s a common practice to run services in separated containers for security reasons.

On FreeBSD there are jails to isolate services and improve security.

At first I didn’t like jails the way the freebsd handbook describes it requires a buildworld which takes a long time on my system with a AMD C-60 CPU.

Lucky Qjail makes the deployment a lot easier.

Running Freebsd 9.0 on Asus C60M1-i motherboard

December 16, 2012 less than 1 minute read

As my file and backup system pluto died i’m building a new one.

This system will run Freebsd mainly for the ZFS filesystem.

The motherbord will be a Asus C60M1-I. The cpu may not have not enough horsepower for deplucation at full speed but it has 6 sata ports which is not common on a mini ITX motherbord. I will reuse my old harddrives and add or replace them when I need more storage.

The freebsd 9.0 installation with ZFS root went well but the network adapter a Realtek 8111F isn’t supported by Freebsd 9.0. After checking google I found this on the freebsd-net mailinglist.

The realtek f8111F is supported in the latest driver code, after rebuilding my kernel the network adapter works fine. Very useful on a NAS ;-)

Use a GPG smartcard with Thunderbird. Part 3: Setup Thunderbird

September 10, 2024 5 minute read

In previous blog posts, we discussed setting up a GPG smartcard on GNU/Linux and FreeBSD.

In this blog post, we will configure Thunderbird to work with an external smartcard reader and our GPG-compatible smartcard.

Before Thunderbird 78, if you wanted to use OpenPGP email encryption, you had to use a third-party add-on such as https://enigmail.net/.

Thunderbird’s recent versions natively support OpenPGP. The Enigmail addon for Thunderbird has been discontinued. See: https://enigmail.net/index.php/en/home/news.

I didn’t find good documentation on how to set up Thunderbird with a GnuPG smartcard when I moved to a new coreboot laptop, so this was the reason I created this blog post series.

Use a GPG smart card with Thunderbird. Part 2: setup GnuPG on FreeBSD

July 28, 2024 19 minute read

Updated @ Mon Sep 2 07:55:20 PM CEST 2024: Added devfs section
Updated @ Wed Sep 4 07:48:56 PM CEST 2024 : Corrected gpg-agent.conf

I use FreeBSD and GNU/Linux.

In a previous blog post, we set up GnuPG with smartcard support on Debian GNU/Linux.

In this blog post, we’ll install and configure GnuPG with smartcard support on FreeBSD.

The GNU/Linux blog post provides more details about GnuPG, so it might be useful for the FreeBSD users to read it first.

Likewise, Linux users are welcome to read this blog post if they’re interested in how it’s done on FreeBSD ;-)

Use a GPG smartcard with Thunderbird. Part 1: setup GnuPG

April 21, 2024 14 minute read

I use a Free Software Foundation Europe fellowship GPG smartcard for my email encryption and package signing. While FSFE doesn’t provide the smartcard anymore it’s still available at www.floss-shop.de.

I moved to a Thinkpad w541 with coreboot running Debian GNU/Linux and FreeBSD so I needed to set up my email encryption on Thunderbird again.

It took me more time to reconfigure it again - as usual - so I decided to take notes this time and create a blog post about it. As this might be useful for somebody else … or me in the future :-)

The setup is executed on Debian GNU/Linux 12 (bookworm) with the FSFE fellowship GPG smartcard, but the setup for other Linux distributes, FreeBSD or other smartcards is very similar.

Migrate from ezjail to BastilleBSD part 1: BastilleBSD exploration

September 10, 2023 11 minute read

Introduction to BastilleBSD

What are “containers”?

Chroot, Jails, containers, zones, LXC, Docker

I use FreeBSD on my home network to serve services like email, git, fileserver, etc. For some other services, I use k3s with GNU/Linux application containers.

The FreeBSD services run as Jails. For those who aren’t familiar with FreeBSD Jails. Jails started the whole concept of “containers”.

FreeBSD Jails inspired Sun Microsystems to create Solaris zones.

If you want to know more about the history of FreeBSD Jails, Solaris zones and containers on Un!x systems in general and the challenges to run containers securely I recommend the video;

“Papers We Love: Jails and Solaris Zones by Bryan Cantrill”

Sun took containers to the next level with Solaris zones , allowing a fine-grade CPU and memory allocation.

On GNU/Linux LXC was the most popular container framework. …Till Docker came along.

Application vs system containers

Debian bullseye on the RPI 4 with full disk encryption.

July 3, 2022 19 minute read

Updated @ Sun Jul 17 07:51:58 PM CEST 2022: Added blkid section UUID cryptroot. Changed dropbear port to 2222.

I use a few Raspberry PI’s 4 to run virtual machines and k3s.

I was using the Manjaro Linux with full disk encryption but I’ll switch to Debian GNU/Linux, the main reason is that libvirt is currently broken on archlinuxarm.

You’ll find my journey to get Debian GNU/Linux bullseye up and running on the Raspberry PI with full disk encryption below.

Manjaro on the RPI4 with full disk encryption and remote unlock

August 8, 2021 13 minute read

Last year I got a raspberry pi 4 to play with and installed Manjaro on it.

The main reason I went with Manjaro was that the ArchLinux Arm image/tgz for the Raspberry Pi 4 was still 32 bits, or you needed to create-your-own kernel.

But started to like Manjaro Linux, it provided a stable base with regular updates. This year I upgraded my setup with 2 additional Raspberry Pi 4 to provide clustering for my k3s (Kubernetes) setup. I used virtual machines on the Raspberry Pi to host the k3s nodes. Also because want to the Pi for other tasks and virtual machines makes it easier to split the resources. It’s also an “abstraction layer” if you want to combine the cluster with other ARM64 systems in the future.

I always (try to) to full disk encryption, when you have multiple nodes it’s important to be able to unlock the encryption remotely.

OpenVAS on Kali GNU/Linux Part 2: First scan

March 7, 2021 4 minute read

In my previous blog post, I described how to install OpenVAS, in this blog post we will configure and execute a security scan with OpenVAS.

OpenVAS documentation is available on the OpenVAS developer website Greenbone: https://docs.greenbone.net/

Logon to the Greenbone Manager assistend at https://127.0.0.1:9392.

OpenVAS on Kali GNU/Linux Part 1: How to install OpenVAS

February 28, 2021 6 minute read

OpenVAS is an opensource security scanner it started as a fork of Nessus which went from an opensource project to a closed source scanner.

I always prefer opensource software, for security tools, I even prefer it more… It nice to see/audit where the security data comes from, instead of the “magic” that is used by the close source software.

To scan for missing patches on your systems there are faster/better tools available that can be integrated into your build pipeline more easily. But OpenVAS is still a very nice network security scanner. Relying on one security tool is also not a “best security practice”.

Kali GNU/Linux has become the default Linux distribution for security auditing pen testing, it’s nice to have OpenVAS installed on your Kali GNU/Linux setup. If you just want to have OpenVAS available there is also a (virtual) appliance available from the OpenVAS developers ( Greenbone ).

You’ll find my journey to install OpenVAS on Kali GNU/Linux.

Manjaro on the RPI4 with full disk encryption

July 12, 2020 13 minute read

The Raspberry PI has become more and more powerful in the recent years, maybe too powerful to be a “maker board”. The higher CPU power and availability of more memory - up to 8GB - makes it more suitable for home server usage.

The latest firmware (EEPROM) enables booting from a USB device. To enable USB boot the EEPROM on the raspberry needs to be updated to the latest version and the bootloader that comes with the operating system - the start*.elf, etc files on the boot filesystem - needs to support it.

I always try to use filesystem encryption. You’ll find my journey to install GNU/Linux on an encrypted filesystem below.

64 Bits operating systems

The Raspberry PI 4 has a 64 bits CPU, the default operating system - Raspberry Pi OS (previously called Raspbian) - for the Rasberry PI is still 32 bits to take full advantage of the 64bits CPU a 64 bits operating system is required.

You’ll find an overview GNU/Linux distributions for RPI4 below.

Using SmartCardHsm with GnuPG

May 2, 2020 4 minute read

When you want to store your GnuPG private key(s) on a smartcard, you have a few options like the Yubikey, NitroKey GPG compatible cards, or the OpenPGP. The advantage of these cards is that they support GnuPG directly. The disadvantage is that they can only store 1 or a few keys.

Another option is SmartCardHSM, NitroKey HSM is based on SmartCardHsm and should be compatible. The newer versions support 4k RSA encryption keys and can store up 19 RSA 4k keys. The older version is limited to 2k RSA keys. I still have the older version. The advantage is that you can store multiple keys on the card. To use it for GPG encryption you’ll need to set up a gpg-agent with gnupg-pkcs11-scd.

Setup a certificate authority with SmartCardHSM

April 29, 2020 13 minute read

In this blog post, we will set up a CA authority with SmartCardHSM.

When you to create internal certificate authority for internal services it’s important to protect the private key. When somebody with bad intentions gets access to the private key(s) of the signing certificate authorities, it can be used to issue new certificates. This would enable the man in the middle attacks.

building your own docker base images (Part 1: Debian GNU/Linux & Co)

April 22, 2019 7 minute read

I was using docker on an Odroid U3, but my Odroid stopped working. I switched to another system that is i386 only.

You’ll find my journey to build docker images for i386 below.

Reasons to build your own docker images

If you want to use docker you can start with docker images on the docker registry. There are several reasons to build your own base images.

How to configure DNS-over-TLS on OPNsense

December 9, 2018 2 minute read

DNS-over-TLS

In my previous blog posts we configured Stubby on GNU/Linux and FreeBSD.

In this blog article we’ll configure DNS-over-TLS with Unbound on OPNsense. Both Stubby and Unbound are written by NLnet.

DNS Privacy with Stubby (Part 2 FreeBSD)

October 7, 2018 8 minute read

FreeBSD

In my previous blog article we install on GNU/Linux which is my main desktop operation system. My NAS and the services that are required to be always running are on FreeBSD.

In this arcticle we will setup Stubby - the DNS Privacy Daemon - on FreeBSD.

DNS Privacy with Stubby (Part 1 GNU/Linux)

September 9, 2018 9 minute read

** Installing and configuring an encrypted dns server is straightforward, there is no reason to use an unencrypted dns service. **

DNS is not secure or private

DNS traffic is insecure and runs over UDP port 53 (TCP for zone transfers ) unecrypted by default.

This make your unencrypted DNS traffic a privacy risk and a security risk:

• anyone that is able to sniff your network traffic can collect a lot information from your leaking DNS traffic.
• with a DNS spoofing attack an attacker can trick you let go to malicious website or try to intercept your email traffic.

Encrypt your dns traffic

Encrypting your network traffic is always a good idea for privacy and security reasons - ** we encrypt, because we can! ** - . More information about dns privacy can be found at https://dnsprivacy.org/

On this site you’ll find also the DNS Privacy Daemon - Stubby that let’s you send your DNS request over TLS to an alternative DNS provider. You should use a DNS provider that you trust and has a no logging policy. quad9, cloudflare and google dns are well-known alternative dns providers. At https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers you can find a few other options.

You’ll find my journey to setup Stubby on a few operation systems I use (or I’m force to use) below …

GNU/Linux

Update your CPU microcode on Arch Linux

February 10, 2018 10 minute read

Meltdown & spectre

With Meldown https://nvd.nist.gov/vuln/detail/CVE-2017-5754, Spectre Variant 1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753 and Spectre Variant 2 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753 out in the wild there is a lot of confusing going about updating microcode.

There is a “Spectre & Meltdown Checker” available at https://github.com/speed47/spectre-meltdown-checker

Usage is very easy just clone the git repository and run the script.

Microcode

Microcode isn’t uploaded to the CPU but loaded during the boot strap of the CPU. Normally the BIOS upload the microcode to the CPU but this can also be done by the by the bootloader, or the operating system kernel.

Thunderbird: Importing s/mime certificate failed

January 17, 2016 3 minute read

On http://kb.mozillazine.org/Getting_an_SMIME_certificate you get a list of free s/mime certificate.

I ordered a free 30 days certificate at globalsign: https://www.globalsign.com/en/personalsign/trial/

The import of the pkcs12 failed in Thunderbird with the message: “The PKCS #12 operation failed for unknown reasons.”

Searching the internet didn’t provide a solution. To debug this issue I started to extract the private / certificate from the pkcs12 file provided by globalsign and creating a new one.

To execute this command I use an encrypted luks volume.

Create a new pkcs12 file

Protecting your SSH keys with SmartCard-HSM

December 5, 2015 3 minute read

I use a yubi key for my ssh authentication. But I’ve other ssh keys for my remote services so wanted something that allows me to take a backup of my keys see this post for more information on to backup/restore a SmartCard-HSM

Starting to protect my private keys with SmartCard-Hsm

November 21, 2015 15 minute read

I still have too many private keys on a local filesystem, I started to use the yubikey neo for my ssh authentication. Mainly because the nice formfactor of the yubikey.

For my other private keys/data I was looking for something cheeper since I need to have a backup of my secured data so I bought a few Smartcard-HSM smartcards they cost 16 € each while a yubi-key neo cost 54 € at amazon.de

Using YubiKey Neo as gpg smartcard for SSH authentication

June 16, 2015 13 minute read

I purchased a Yubi NEO I’ll use it to hold my Luks password and for ssh authentication instead of the password authentication that I still use.

You’ll find my journey to get the smartcard interface working with ssh on a fedora 22 system below;

Openvas 7: adding credentials failed

May 14, 2015 less than 1 minute read

I’m creating a new openvas 7 system running centos 7 as a KVM instance.

The installation went fine but it was impossible to create new credentials.

I had a similar issue with my openvas 6 installation, this was resolved by creating the /etc/openvas/gnupg directory and creating the key openvasmd --create-credentials-encryption-key

But on my openvas 7 installation a creation of the encryption key was slooooow. As always Good Randomness is important for creating keys. So I decided to install haveged to get more randomness and hopefully this would speed up key creation.

[root@localhost ~]# yum install haveged

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * atomic: www6.atomicorp.com
 * base: centos.cu.be
 * extras: centos.cu.be
 * updates: centos.cu.be
Package haveged-1.9.1-2.el7.art.x86_64 already installed and latest version
Nothing to do
[root@localhost ~]# 
[root@localhost ~]# systemct list-unit-files --type=service | grep haveged
-bash: systemct: command not found
[root@localhost ~]# systemctl list-unit-files --type=service | grep haveged
haveged.service                             disabled
[root@localhost ~]# systemctl enable haveged
ln -s '/usr/lib/systemd/system/haveged.service' '/etc/systemd/system/multi-user.target.wants/haveged.service'
[root@localhost ~]# systemctl start haveged
[root@localhost ~]# 

The key creation took a only sec.

[root@localhost ~]# openvasmd --create-credentials-encryption-key
Key creation succeeded.
[root@localhost ~]# 

Adding new credentials works like a charm now.

Happy hacking!

Running OpenBSD as an UEFI virtual machine (on a Raspberry Pi)

February 25, 2024 9 minute read

I started to migrate all the services that I use on my internal network to my Raspberry Pi 4 cluster. I migrated my FreeBSD jails to BastileBSD on a virtual machine running on a Raspberry Pi. See my blog post on how to migrate from ezjail to BastilleBSD. https://stafwag.github.io/blog/blog/2023/09/10/migrate-from-ezjail-to-bastille-part1-introduction-to-bastillebsd/

Running FreeBSD as a virtual machine with UEFI on ARM64 came to the point that it just works. I have to use QEMU with u-boot to get FreeBSD up and running on the Raspberry Pi as a virtual machine with older FreeBSD versions: https://stafwag.github.io/blog/blog/2021/03/14/howto_run_freebsd_as_vm_on_pi/.

But with the latest versions of FreeBSD ( not sure when it started to work, but it works on FreeBSD 14) you can run FreeBSD as a virtual machine on ARM64 with UEFI just like on x86 on GNU/Linux with KVM.

UEFI on KVM is in general provided by the open-source tianocore project.

I didn’t find much information on how to run OpenBSD with UEFI on x86 or ARM64.

So I decided to write a blog post about it, in the hope that this information might be useful to somebody else. First I tried to download the OpenBSD 7.4 ISO image and boot it as a virtual machine on KVM (x86). But the iso image failed to boot on a virtual with UEFI enabled. It looks like the ISO image only supports a legacy BIOS.

ARM64 doesn’t support a “legacy BIOS”. The ARM64 download page for OpenBSD 7.4 doesn’t even have an ISO image, but there is an install-<version>.img image available. So I tried to boot this image on one of my Raspberry Pi systems and this worked. I had more trouble getting NetBSD working as a virtual machine on the Raspberry Pi but this might be a topic for another blog post :-)

You’ll find my journey with my installation instructions below.

Migrate from ezjail to BastilleBSD part 2: Migrate the Jails

September 17, 2023 6 minute read

How to migrate Jails from ezjail to BastilleBSD

In my previous blog post, I reviewed BastilleBSD. In this post, we go through the required steps to migrate the Jails from ezjail to BastilleBSD.

ezjail test Jail

To test the Jail migration, we’ll first create a test Jail with ezjail. This test Jail will migrate to a BastilleBSD Jail.

Create the test ezjail Jail

We use the ezjail-admin create staftestje001 'vtnet0|<ip>' command to create the test Jail.

Migrate from ezjail to BastilleBSD part 1: BastilleBSD exploration

September 10, 2023 11 minute read

Introduction to BastilleBSD

What are “containers”?

Chroot, Jails, containers, zones, LXC, Docker

I use FreeBSD on my home network to serve services like email, git, fileserver, etc. For some other services, I use k3s with GNU/Linux application containers.

The FreeBSD services run as Jails. For those who aren’t familiar with FreeBSD Jails. Jails started the whole concept of “containers”.

FreeBSD Jails inspired Sun Microsystems to create Solaris zones.

If you want to know more about the history of FreeBSD Jails, Solaris zones and containers on Un!x systems in general and the challenges to run containers securely I recommend the video;

“Papers We Love: Jails and Solaris Zones by Bryan Cantrill”

Sun took containers to the next level with Solaris zones , allowing a fine-grade CPU and memory allocation.

On GNU/Linux LXC was the most popular container framework. …Till Docker came along.

Application vs system containers

Build a 3-node Kubernetes cluster home lab in 5 minutes (*)

April 4, 2023 1 minute read

I use the lightweight Kubernetes K3s on a 3-node Raspberry Pi 4 cluster. I wrote a few blog posts on how the Raspberry Pi’s are installed.

I run K3s on virtual machines.

Why virtual machines?

Virtual makes it easier to redeploy or to bring a system down and up if your want to test something.

Another reason is that I also run FreeBSD virtual machines on the Raspberry Pis.

I use Debian GNU/Linux as the Operating system with KVM/libvirt as the hypervisor.

I use Ansible to set up the cluster in an automated way. Got finality the time to clean up the code a bit and release it on Github: https://github.com/stafwag/ansible-k3s-on-vms

Manjaro on the RPI4 with full disk encryption and remote unlock

August 8, 2021 13 minute read

Last year I got a raspberry pi 4 to play with and installed Manjaro on it.

The main reason I went with Manjaro was that the ArchLinux Arm image/tgz for the Raspberry Pi 4 was still 32 bits, or you needed to create-your-own kernel.

But started to like Manjaro Linux, it provided a stable base with regular updates. This year I upgraded my setup with 2 additional Raspberry Pi 4 to provide clustering for my k3s (Kubernetes) setup. I used virtual machines on the Raspberry Pi to host the k3s nodes. Also because want to the Pi for other tasks and virtual machines makes it easier to split the resources. It’s also an “abstraction layer” if you want to combine the cluster with other ARM64 systems in the future.

I always (try to) to full disk encryption, when you have multiple nodes it’s important to be able to unlock the encryption remotely.

How to run a FreeBSD Virtual Machine on the RPI4 with QEMU. Part 2: Network, Install from cdrom, startup

March 28, 2021 10 minute read

In my last blog post, we set up a FreeBSD virtual machine with QEMU. I switched from the EDK2 (UEFI) firmware to U-boot, the EDK2 firmware had issues with multiple CPU’s in the virtual machines.

In this blog post, we’ll continue with the Network setup, install the virtual machine from a CDROM image and how to start the virtual machine during the PI start-up.

How to run a FreeBSD Virtual Machine on the RPI4 with QEMU. Part 1: QEMU setup

March 14, 2021 2 minute read

I got a Raspberry PI 4 a couple of months back and started it use it to run virtual machines.

This works great for GNU/Linux distributions but FreeBSD as a virtual machine didn’t work for me. When I tried to install FreeBSD or import a virtual machine image, FreeBSD wasn’t able to mount the root filesystem and ended with an “error 19”.

On the FreeBSD wiki, there are a few articles on how to use ARM64 FreeBSD with QEMU directly.

You find my journey of getting a FreeBSD Virtual Machine below.

I use Manjaro on my Raspberry PI, but the same setup will work with other GNU/Linux distributions.

Best wishes 2021!

January 1, 2021 less than 1 minute read

$ sudo -i
# find / -name "*covid*" -exec rm -rf {} \;
# find / -name "*corona*" -exec rm -rf {} \;
# pkill -9 covid19
# pkill -9 corona
# reboot

Have fun!

32 bits (still) matters!

November 15, 2020 6 minute read

updated @ Mon Nov 16 08:16:30 PM CET 2020: Corrected the version when OPNsense dropped 32 bits support.

I used OPNsense on my pcengines Alix 2d13 firewall.

The Alix 2d13 is a nice motherboard with a Geode CPU 32 bits x86 CPU.

I migrated to OPNsense after pfSense dropped support for 32 bits. Unfortunately, OPNsense also dropped support for 32 bits CPUs in the 19.1.7 release 20.7 release. I decided to install FreeBSD on my Alix to use it as my firewall.

To make it possible to reinstall my Alix firewall, I installed FreeBSD on my Raspberry Pi 2 to use it as my firewall during the installation of FreeBSD on my Alix.

You’ll find my journey to install FreeBSD my an Alix firewall below.

Upgrade FreeBSD on a Raspberry Pi 2

November 1, 2020 4 minute read

I recently installed FreeBSD on my raspberry-pi 2 to use it as my firewall.

The FreeBSD version that I installed was a FreeBSD 12.2 Pre-Release. FreeBSD 12.2 has been released this week.

ARM is a Tier-2 on FreeBSD. This means that freebsd-update doesn’t work on a Raspberry Pi.

Freebsd-update wouldn’t work on a Pre-Release anyway. So I was looking for a way to update my Raspberry Pi to FreeBSD 12.2.

Use a raspberry-pi 2 as a firewall with FreeBSD

October 25, 2020 10 minute read

Updated @ Mon Nov 16 08:16:30 PM CET 2020: Corrected the version when OPNsense dropped 32 bits support.

I was using OPNsense on my pcengines alix firewall and was quite happy with it.

The alix 2d13 is a nice motherboard with a Geode CPU, it has a 32 bits x86 instruction set. I migrated to OPNsense from pfSense when pfSense dropped 32 bits support.

Unfortunately, OPNsense also dropped support for 32 bits CPU’s in the 19.1.7 release 20.7 release. I decided to install FreeBSD on the alix to use it as my firewall. But I need a temporary firewall solution so I can install FreeBSD on my alix board. I have a Raspberry PI 2 that I wasn’t using.

You’ll find my journey to use my RPI2 as my firewall below.

Keep zfs running on the Raspberry PI

August 3, 2020 less than 1 minute read

I got a Raspberry PI 4 to play with and installed Manjaro GNU/Linux on it.

I use OpenZFS on my PI. The latest kernel update broke zfs on my PI due to a License conflict, the solution is to disable PREEMPT in the kernel config. This BUG was already resolved with OpenZFS with the main Linux kernel tree at least on X86_64/AMD64, not sure why the kernel on the raspberry pi is still affected.

I was looking for an excuse to build a custom kernel for my Pi anyway :-). I cloned the default manjaro RPI4 kernel and disabled PREEMPT in the kernel config.

The package is available at: https://gitlab.com/stafwag/manjaro-linux-rpi4-nopreempt. This package also doesn’t update /boot/config.txt and /boot/cmdline.txt to not overwrite custom settings.

Have fun!

Howto use cloud images on the Raspberry PI 4

July 23, 2020 7 minute read

I got a Raspberry PI 4 to play with and installed Manjaro GNU/Linux on it.

I wanted to verify how usable the latest PI is for desktop and home server usage.

• For desktop usage, it is “usable”.

  For video playback in the browser, I recommend disabling 60fps (https://greasyfork.org/en/scripts/23329-disable-youtube-60-fps-force-30-fps) and keep the video playback to 720p. Please note that if you want to use it for Netflix you will need Widevine for the DRM content. As far as I know, there isn’t an ARM64 version available. An ARM32 version exists but I didn’t try (yet).

• For (home) server usage ARM64 or AArch64 is getting more usable.

  Cloud providers are also offering ARM64 based systems. A container-based workload - like Docker, LXC, FreeBSD jails etc - is probably better suited for a small device like the Raspberry PI. Virtual machines are still important for server usage so let see how the PI4 can handle it.

Most GNU/Linux distributions RedHat, Centos, Ubuntu, Debian are offering cloud images for ARM64. To configure these images you’ll need cloud-init.

I already wrote a blog post on howto cloud-init for KVM/libvirt on GNU/Linux: Howto use centos cloud images with cloud-init on KVM/libvirtd. Let see if we can get it working on ARM64.

Manjaro on the RPI4 with full disk encryption

July 12, 2020 13 minute read

The Raspberry PI has become more and more powerful in the recent years, maybe too powerful to be a “maker board”. The higher CPU power and availability of more memory - up to 8GB - makes it more suitable for home server usage.

The latest firmware (EEPROM) enables booting from a USB device. To enable USB boot the EEPROM on the raspberry needs to be updated to the latest version and the bootloader that comes with the operating system - the start*.elf, etc files on the boot filesystem - needs to support it.

I always try to use filesystem encryption. You’ll find my journey to install GNU/Linux on an encrypted filesystem below.

64 Bits operating systems

The Raspberry PI 4 has a 64 bits CPU, the default operating system - Raspberry Pi OS (previously called Raspbian) - for the Rasberry PI is still 32 bits to take full advantage of the 64bits CPU a 64 bits operating system is required.

You’ll find an overview GNU/Linux distributions for RPI4 below.

Use a GPG smartcard with Thunderbird. Part 3: Setup Thunderbird

September 10, 2024 5 minute read

In previous blog posts, we discussed setting up a GPG smartcard on GNU/Linux and FreeBSD.

In this blog post, we will configure Thunderbird to work with an external smartcard reader and our GPG-compatible smartcard.

Before Thunderbird 78, if you wanted to use OpenPGP email encryption, you had to use a third-party add-on such as https://enigmail.net/.

Thunderbird’s recent versions natively support OpenPGP. The Enigmail addon for Thunderbird has been discontinued. See: https://enigmail.net/index.php/en/home/news.

I didn’t find good documentation on how to set up Thunderbird with a GnuPG smartcard when I moved to a new coreboot laptop, so this was the reason I created this blog post series.

Use a GPG smartcard with Thunderbird. Part 1: setup GnuPG

April 21, 2024 14 minute read

I use a Free Software Foundation Europe fellowship GPG smartcard for my email encryption and package signing. While FSFE doesn’t provide the smartcard anymore it’s still available at www.floss-shop.de.

I moved to a Thinkpad w541 with coreboot running Debian GNU/Linux and FreeBSD so I needed to set up my email encryption on Thunderbird again.

It took me more time to reconfigure it again - as usual - so I decided to take notes this time and create a blog post about it. As this might be useful for somebody else … or me in the future :-)

The setup is executed on Debian GNU/Linux 12 (bookworm) with the FSFE fellowship GPG smartcard, but the setup for other Linux distributes, FreeBSD or other smartcards is very similar.

Build a 3-node Kubernetes cluster home lab in minutes: The movie.

July 21, 2023 1 minute read

I use the lightweight Kubernetes K3s on a 3-node Raspberry Pi 4 cluster.

And created a few ansible to provision the virtual machines with cloud image with cloud-init and deploy k3s on it.

I updated the roles below to be compatible with the latest Debian release: Debian 12 bookworm.

I created a movie to demonstrate how you can setup a kubernetes homelab in few minutes.

The latest version 1.1.0 is available at: https://github.com/stafwag/ansible-k3s-on-vms

Have fun!

Debian bullseye on the RPI 4: golden image

July 24, 2022 9 minute read

In my last blog post, we set up Debian bullseye with full disk encryption on a Raspberry PI 4.

I use 3 three Raspberry PI’s to run K3s and a few FreeBSD virtual machines. For the FreeBSD virtual machines I still use QEMU: https://stafwag.github.io/blog/blog/2021/03/14/howto_run_freebsd_as_vm_on_pi/, I still need to test if we can use KVM/libvirt with the UEFI improvements in FreeBSD 13.1. But that might be another blog post :-)

As need I the same installation at least three times, I decided to create a “golden image” with the most important tools.

Debian bullseye on the RPI 4 with full disk encryption.

July 3, 2022 19 minute read

Updated @ Sun Jul 17 07:51:58 PM CEST 2022: Added blkid section UUID cryptroot. Changed dropbear port to 2222.

I use a few Raspberry PI’s 4 to run virtual machines and k3s.

I was using the Manjaro Linux with full disk encryption but I’ll switch to Debian GNU/Linux, the main reason is that libvirt is currently broken on archlinuxarm.

You’ll find my journey to get Debian GNU/Linux bullseye up and running on the Raspberry PI with full disk encryption below.

Use unbound as an DNS-over-TLS resolver and authoritative dns server v2.0.0

October 17, 2021 4 minute read

In previous blog posts, I described howto setup stubby as a DNS-over-TLS resolver. I used stubby on my laptop(s) and unbound on my internal network.

I migrated to unbound last year and created a docker container for it. Unbound is a popular DNS resolver, it’s less known that you can also use it as an authoritative DNS server.

This work was based on Debian Buster, I migrated the container to Debian Bullseye reorganize it a bit to make it easier to store the zones configuration outside the container like a configmap or persistent volume on Kubernetes.

Version 2.0.0 is available at https://github.com/stafwag/docker-stafwag-unbound.

Version 2.0.0:

Changelog:

• Updated the base image to debian:bullseye.
• Updated create_zone_config.sh to be able to run outside the container.
• Removed the zones.conf generation from the entrypoint
• Start the container as the unbound user
• Updated to logging.conf
• Set the pidfile /tmp/unbound.pid
• Added remote-control.conf
• Updated the documentation

Switch from Libreboot to coreboot

October 17, 2019 11 minute read

I use(d) Libreboot on my Lenovo W500. And it works fine… but I want to install FreeBSD on it. The GRUB payload Libreboot uses by default isn’t compatible with the FreeBSD bootloader. It is possible to boot FreeBSD from GRUB or try to recompile Libreboot with the SeaBIOS payload. …But I just wanted to play with coreboot, to be honest :-)

Prepare

building your own docker base images (Part 1: Debian GNU/Linux & Co)

April 22, 2019 7 minute read

I was using docker on an Odroid U3, but my Odroid stopped working. I switched to another system that is i386 only.

You’ll find my journey to build docker images for i386 below.

Reasons to build your own docker images

If you want to use docker you can start with docker images on the docker registry. There are several reasons to build your own base images.

Howto use centos cloud images with cloud-init on KVM/libvirtd

March 3, 2019 6 minute read

Images versus unattended setup

Old-school

Unattended setup

In a traditional environment, systems are installed from a CDROM. The configuration is executed by the system administrator through the installer. This soon becomes a borning and unpractical task when we need to set up a lot of systems also it is important that systems are configured in same - and hopefully correct - way.

In a traditional environment, this can be automated by booting via BOOTP/PXE boot and configured is by a system that “feeds” the installer. Examples are:

• [Solaris Jumpstart](https://en.wikipedia.org/wiki/JumpStart_(Solaris)
• Redhat Kickstart
• DebianInstaller Preseed
• Suse Autoyast
• …

How to install libreboot on a ThinkPad X60

February 11, 2017 13 minute read

 
I got a ThinkPad x60 (tablet version) from ebay.be to install libreboot on it.
 
I tried to compile libreboot on Debian and Parabola GNU/Linux but both failed, compling Libreboot on Trisquel 7 works fine so I’ll use Trisquel to replace the BIOS with libreboot.
 
I’m not sure that I’ll use Trisquel 7 as my daily driver since it is a bit outdated… I might go with Debian Strech without the non-free repositories to get a fully Free Software Laptop/tablet. I’ll need to replace the Intel wifi adapter since this requires non-free firmware.
 
You’ll find a small howto install libreboot on a Thinkpad X60 below.
 

Build Libreboot

The latest version of libreboot isn’t available via a binary distribution so I decided to build it from source.

lxc templates in Fedora 20

June 9, 2014 9 minute read

I’m a big fan of containers and used them a lot on Solaris and jails on Freebsd. Containers/jails are the fastest way to spinup an new system and the easiest way to isolate services.

As always with virtualization you’ve to careful with sharing systems or containers that doesn’t below to the same customer or service on the same physical machine since you’re never sure which traces are left behind in the memory etc.

Linux containers are getting more popular since the release of docker

When I tried to create a few containers on Fedora 20, the first attempt (a debian container) wasn’t an success.

On a newly create debian container networking didn’t work.

fedora 19 boottime on an intel core i7 4770 with a Samsung 840 Pro Series 256GB ssd

September 1, 2013 1 minute read

I installed fedora 19 on my new pc mainly to play with ovirt which seems to be easier to install on fedora than on Debian.

Don’t worry I still have a debian system at hand…

The boot time on a ssd is fast:

Lookat 2.0.1 released

April 23, 2020 less than 1 minute read

“lookat” (or “bekijk” in Dutch) is a program to view text files and manual pages. It is designed to be more user-friendly than more conventional text viewers such as less. And supports colored manpages.

Lookat 2.0.1 is the latest stable release of Lookat/Bekijk.

ChangeLog

• BUGFIX: corrected screen refresh code. To handle non-utf8 terminals correctly.
• BUGFIX: ensure that menus are initialized before using them.
• BUGFIX: corrected type menu handling.
• BUGFIX: failed to open type enabled extentions from the commandline.

Lookat 2.0.0 released

March 1, 2020 less than 1 minute read

Lookat 2.0.0 is the latest stable release of Lookat/Bekijk the userfriendly file browser/viewer.

ChangeLog

• utf8 support
• default color scheme has been updated
• improved error handeling
• Macos 10.7+ support

Lookat utf8 branch created

January 5, 2020 less than 1 minute read

I finally made some time work on utf8 support in Lookat (the most requested feature), it is still a work in progress… It’s available at:

• https://git.savannah.nongnu.org/cgit/lookat.git/log/?h=utf8

Have fun!

Lookat 1.4.4 released

December 28, 2015 less than 1 minute read

Lookat 1.4.4 is the latest stable release of Lookat/Bekijk the userfriendly file browser/viewer.

Lookat 1.4.4rc2 Released

October 17, 2015 less than 1 minute read

Lookat 1.4.4rc2 is the second release candicate of Lookat 1.4.4

lookat 1.4.4rc1 released

July 21, 2015 less than 1 minute read

It is a national holiday in Belgium so I have some time to code again.

Lookat 1.4.4rc1 is the first release candicate of Lookat 1.4.4

Lookat 1.4.3 released

August 18, 2013 less than 1 minute read

I’m pleased to anounce that Lookat/Bekijk 1.4.3 has been released.

This new stable version will compile correctly with LLVM/clang.

The new stable version 1.4.3 is available at http://www.wagemakers.be/english/programs/lookat Or at the Git repository at GNU savannah http://git.savannah.gnu.org/cgit/lookat.git

Have fun...

yum install lookat

May 25, 2013 less than 1 minute read

“yum install lookat” works on Fedora now ;-)

Thanks Christopher!

[staf@vicky ~]$ sudo yum install lookat
[sudo] password for staf: 
Loaded plugins: langpacks, presto, refresh-packagekit, security
Repository google-chrome is listed more than once in the configuration
Resolving Dependencies
--> Running transaction check
---> Package lookat.x86_64 0:1.4.2-1.fc18 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================
 Package                                 Arch                                    Version                                         Repository                                Size
================================================================================================================================================================================
Installing:
 lookat                                  x86_64                                  1.4.2-1.fc18                                    updates                                   55 k

Transaction Summary
================================================================================================================================================================================
Install  1 Package

Total download size: 55 k
Installed size: 118 k
Is this ok [y/N]: y
Downloading Packages:
lookat-1.4.2-1.fc18.x86_64.rpm                                                                                                                           |  55 kB  00:00:00     
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : lookat-1.4.2-1.fc18.x86_64                                                                                                                                   1/1 
  Verifying  : lookat-1.4.2-1.fc18.x86_64                                                                                                                                   1/1 

Installed:
  lookat.x86_64 0:1.4.2-1.fc18                                                                                                                                                  

Complete!
[staf@vicky ~]$ 

lookat/bekijk has landed in fedora

May 12, 2013 less than 1 minute read

Thanks to Christopher Meng

Lookat has landed in Fedora.

https://admin.fedoraproject.org/pkgdb/acls/name/lookat

Lookat/Bekijk 1.4.3rc1 released

April 27, 2013 less than 1 minute read

Trying to release more often…

The first release candicate of lookat 1.4.3 has been released.

Lookat/Bekijk 1.4.2 released

December 12, 2012 less than 1 minute read

Finaly a long overdue release of Lookat / Bekijk the userfriendly file browser.

The new stable version 1.4.2 is available at the http://www.wagemakers.be/english/programs/lookat

Or at the Git repository at GNU savannah http://git.savannah.gnu.org/cgit/lookat.git

1.4.2 is a maintenance release. When there are more than 24 hours in a day I’ll start with the long waited utf-8 support ;-)

New release Ansible role stafwag.ntpd, and clean up Ansible roles

August 25, 2024 2 minute read

I made some time to give some love to my own projects and spent some time rewriting the Ansible role stafwag.ntpd and cleaning up some other Ansible roles.

There is some work ongoing for some other Ansible roles/projects, but this might be a topic for some other blog post(s) ;-)

stafwag.ntpd

An ansible role to configure ntpd/chrony/systemd-timesyncd.

This might be controversial, but I decided to add support for chrony and systemd-timesyncd. Ntpd is still supported and the default on the BSDs ( FreeBSD, NetBSD, OpenBSD).

It’s possible to switch from the ntp implementation by using the ntpd.provider directive.

The Ansible role stafwag.ntpd v2.0.0 is available at:

• https://github.com/stafwag/ansible-role-ntpd
• https://galaxy.ansible.com/ui/standalone/roles/stafwag/ntpd/

Release notes

V2.0.0

• Added support for chrony and systemd-timesyncd on GNU/Linux
  • systemd-timesynced is the default on Debian GNU/Linux 12+ and Archlinux
  • ntpd is the default on all operating systems (BSDs, Solaris) and Debian GNU/Linux 10 and 11
  • chrony is the default on all other GNU/Linux distributes
  • For ntpd hash as the input for the role.
  • Updated README
  • CleanUp

Build a 3-node Kubernetes cluster home lab in minutes: The movie.

July 21, 2023 1 minute read

I use the lightweight Kubernetes K3s on a 3-node Raspberry Pi 4 cluster.

And created a few ansible to provision the virtual machines with cloud image with cloud-init and deploy k3s on it.

I updated the roles below to be compatible with the latest Debian release: Debian 12 bookworm.

I created a movie to demonstrate how you can setup a kubernetes homelab in few minutes.

The latest version 1.1.0 is available at: https://github.com/stafwag/ansible-k3s-on-vms

Have fun!

Ansible roles: qemu_img 2.2.0 & cloud_localds 2.1.1 Released

June 25, 2023 less than 1 minute read

Time again to make some releases of 2 of the ansible roles I maintain.

This time none of the commits are created by me :-)

Thanks to https://github.com/fazlerabbi37 for your contributions!

Have fun!

qemu_img 2.2.0

stafwag.qemu_img 2.2.0 is available at: https://github.com/stafwag/ansible-role-qemu_img

Changelog

• remote_src directive
  • remote_src added this allows copying the source image from a remote host. Thanks to https://github.com/fazlerabbi37

Build a 3-node Kubernetes cluster home lab in 5 minutes (*)

April 4, 2023 1 minute read

I use the lightweight Kubernetes K3s on a 3-node Raspberry Pi 4 cluster. I wrote a few blog posts on how the Raspberry Pi’s are installed.

I run K3s on virtual machines.

Why virtual machines?

Virtual makes it easier to redeploy or to bring a system down and up if your want to test something.

Another reason is that I also run FreeBSD virtual machines on the Raspberry Pis.

I use Debian GNU/Linux as the Operating system with KVM/libvirt as the hypervisor.

I use Ansible to set up the cluster in an automated way. Got finality the time to clean up the code a bit and release it on Github: https://github.com/stafwag/ansible-k3s-on-vms

Ansible role: users 1.2.0 released

March 6, 2023 6 minute read

The Ansible role stafwag.users is available at: https://github.com/stafwag/ansible-role-users

This release implements a shell parameters to define shell for an user. See the github issue for more details.

ChangeLog

shell parameter

• shell parameter added

Have fun!

Ansible role: delegated_vm_install 1.1.0 released

January 29, 2023 4 minute read

I use KVM and cloud-init to provision virtual machines on my home network. I migrated all my services to Raspberry PIs running GNU/Linux and FreeBSD to save power.

I first wanted to use terraform, but the libvirt terraform provider wasn’t compatible with arm64 (at least at that time).

So I started to create a few ansible roles to provision the virtual machines.

delegated_vm_install is a wrapper around these roles to provision the virtual machine in a delegated way. It allows you to specify the Linux/libvirt KVM host as part of the virtual machine definition.

Changelog

delegated_vm_install 1.1.0

• update_ssh_known_hosts directive added
  • update_ssh_known_hosts directive added to allow to update the ssh host key after the virtual machine is installed.
  • Documentation updated
  • Debug code added

Have fun!

Ansible role: users 1.1.0 released

November 10, 2022 3 minute read

The Ansible role stafwag.users is available at: https://github.com/stafwag/ansible-role-users

ChangeLog

lineinfile ‘create’ directive added

• create directive added.
• Update dir_mode perm to ‘0700’ to be compatible with newer ansible versions.
• Use string for perm mode to be compatible with newer ansible versions documentation updated

Have fun!

Ansible role: delegated_vm_install 1.0.0 released

October 16, 2022 3 minute read

I use KVM and cloud-init to provision virtual machines on my home network and wrote a few articles about it.

• Howto use centos cloud images with cloud-init on KVM/libvirtd
• Howto use cloud images on the Raspberry PI 4

on my blog on how to use cloud images with cloud-init on a “non-cloud” environment.

I created an Ansible role: ansible-role-virt_install_vm for it.

This role works great, but I wanted to have the possibility to provision the virtual machine in a delegated way.

For this reason I create the ansible role delegated_vm_install.

Delegated_vm_install 1.0.0 is available at: https://github.com/stafwag/ansible-role-delegated_vm_install

Have fun!

Ansible role: package_update v2.0.2

October 31, 2021 1 minute read

Keeping your software up-to-date is an important task in System Administration. Not only for security reasons but also to roll out bug fixes to your systems.

As always we should try to automate this process as much as possible.

Ansible has a package module to install packages in a generic way. It supports most Un*x platforms (GNU/Linux, BSD, …). But it doesn’t allow you to update all packages.

For this reason, I created an Ansible role: package update.

Package update enables you to update all packages on most Linux distributions and the BSD operating systems. It can also update the running jails on FreeBSD.

Version 2.0.2 is available at

• Github: https://github.com/stafwag/ansible-role-package_update.
• Ansible galaxy: https://galaxy.ansible.com/stafwag/package_update

Version 2.0.2:

Changelog:

• Always update the apt cache on Debian based distributions.

Have fun!

Ansible role: virt_install_vm 1.0.0 released

September 19, 2021 2 minute read

I wrote a few articles:

• Howto use centos cloud images with cloud-init on KVM/libvirtd
• Howto use cloud images on the Raspberry PI 4

on my blog on how to use cloud images with cloud-init on a “non-cloud” environment.

I finally took the time to create an Ansible role for it. You’ll find the READE.md below.

Virt_install_vm 1.0.0 is available at: https://github.com/stafwag/ansible-role-virt_install_vm

Have fun!

Setting up OpenStack-Ansible All-In-One on a Centos 7 system

January 21, 2019 6 minute read

Openstack is a nice platform to deploy an Infrastructure as a service and is a collection of projects but it can be a bit difficult to setup. The documentation is really great if you want to setup openstack by hand and there are a few openstack distributions that makes it easier to install it.

Ansible is a very nice tool for system automatisation and is one that’s easier to learn.

Wouldn’t be nice if we could make the openstack installation easier with ansible? That’s exactly what Openstack-Ansible does.

In this blog post we’ll setup “an all-in-one” openstack installation on Centos 7. The installer will install openstack into lxc containers and it’s nice way to learn how openstack works and how to operate it.

Preparation

Building Your Own Docker Base Images (Part 3: Yum)

May 12, 2019 3 minute read

In my previous two posts (1, 2 ), we created Docker Debian and Arch-based images from scratch for the i386 architecture.

In this blog post - last one in this series - we’ll do the same for yum based distributions like CentOS and Fedora.

Building your own Docker base images isn’t difficult and let you trust your distribution Gpg signing keys instead of the docker hub. As explained in the first blog post. The mkimage scripts in the contrib directory of the Moby project git repository is a good place to start if you want to build own docker images.

Using YubiKey Neo as gpg smartcard for SSH authentication

June 16, 2015 13 minute read

I purchased a Yubi NEO I’ll use it to hold my Luks password and for ssh authentication instead of the password authentication that I still use.

You’ll find my journey to get the smartcard interface working with ssh on a fedora 22 system below;

Run google chrome inside a fedora docker container over ssh

May 12, 2015 less than 1 minute read

Update (Mon Jun 8 2015): Running google-chrome inside a docker container isn't stable for me. I switched back to LXC to run google-chrome which seems to be more stable.

Created a docker image to start a docker container with chrome. Destroying the container each time that you start a browser is a easy way to get rid of your cookies and browser history.

lxc templates in Fedora 20

June 9, 2014 9 minute read

I’m a big fan of containers and used them a lot on Solaris and jails on Freebsd. Containers/jails are the fastest way to spinup an new system and the easiest way to isolate services.

As always with virtualization you’ve to careful with sharing systems or containers that doesn’t below to the same customer or service on the same physical machine since you’re never sure which traces are left behind in the memory etc.

Linux containers are getting more popular since the release of docker

When I tried to create a few containers on Fedora 20, the first attempt (a debian container) wasn’t an success.

On a newly create debian container networking didn’t work.

zfs on Fedora 20

January 14, 2014 7 minute read

With Fedora 20 being released a few weeks ago and no official zfsonlinux support for Fedora 20. It time to get zfs on linux working on Fedora 20.

Zfs on linux 2.6.2 required a custom DKMS package. Lucky the patches that were required for zfs on linux are already integrated into Fedora: http://negativo17.org/dkms-patches-for-zfs-on-linux-merged/

So lets try to build the rpm packages for Fedora 20 from the source.

yum update on fedora 19 and zfs on linux

October 13, 2013 2 minute read

I use zfs on linux on fedora now.

The installation was pretty straightforward but after the installation of zfs yum update failed.

[root@vicky etc]# yum update -y
Loaded plugins: langpacks, refresh-packagekit
Repository google-chrome is listed more than once in the configuration
fedora/19/x86_64/metalink                                                                                                                                                                   |  33 kB  00:00:00     
fedora                                                                                                                                                                                      | 4.2 kB  00:00:00     
fedora-chromium-stable                                                                                                                                                                      | 3.4 kB  00:00:00     
google-chrome                                                                                                                                                                               |  951 B  00:00:00     
rpmfusion-free                                                                                                                                                                              | 3.3 kB  00:00:00     
rpmfusion-free-updates                                                                                                                                                                      | 3.3 kB  00:00:00     
rpmfusion-nonfree                                                                                                                                                                           | 3.3 kB  00:00:00     
rpmfusion-nonfree-updates                                                                                                                                                                   | 3.3 kB  00:00:00     
updates/19/x86_64/metalink                                                                                                                                                                  |  30 kB  00:00:00     
updates                                                                                                                                                                                     | 4.4 kB  00:00:00     
zfs                                                                                                                                                                                         | 2.9 kB  00:00:00     
(1/6): fedora-chromium-stable/19/x86_64/primary_db                                                                                                                                          |  20 kB  00:00:00     
(2/6): zfs/19/x86_64/primary_db                                                                                                                                                             | 6.7 kB  00:00:00     
(3/6): updates/19/x86_64/group_gz                                                                                                                                                           | 385 kB  00:00:02     
(4/6): fedora/19/x86_64/group_gz                                                                                                                                                            | 384 kB  00:00:06     
(5/6): updates/19/x86_64/primary_db                                                                                                                                                         | 8.8 MB  00:01:53     
(6/6): fedora/19/x86_64/primary_db                                                                                                                                                          |  17 MB  00:03:34     
(1/10): google-chrome/primary                                                                                                                                                               | 1.9 kB  00:00:00     
(2/10): rpmfusion-free-updates/19/x86_64/primary_db                                                                                                                                         | 217 kB  00:00:01     
(3/10): rpmfusion-nonfree/19/x86_64/primary_db                                                                                                                                              | 149 kB  00:00:00     
(4/10): rpmfusion-free/19/x86_64/primary_db                                                                                                                                                 | 440 kB  00:00:03     
(5/10): rpmfusion-nonfree-updates/19/x86_64/primary_db                                                                              b                                                       |  97 kB  00:00:00     
(6/10): rpmfusion-nonfree-updates/19/x86_64/group_gz                                                                                                                                        |  990 B  00:00:05     
(7/10): rpmfusion-nonfree/19/x86_64/group_gz                                                                                                                                                |  993 B  00:00:07     
(8/10): rpmfusion-free/19/x86_64/group_gz                                                                                                                                                   | 1.6 kB  00:00:07     
(9/10): rpmfusion-free-updates/19/x86_64/group_gz                                                                                                                                           | 1.6 kB  00:00:07     
(10/10): updates/19/x86_64/updateinfo                                                                                                                                                       | 861 kB  00:00:09     
google-chrome                                                                                                                                                                                                  3/3
Resolving Dependencies
--> Running transaction check
---> Package dkms.noarch 0:2.2.0.3-14.zfs1.fc19 will be updated
--> Processing Dependency: dkms = 2.2.0.3-14.zfs1.fc19 for package: zfs-dkms-0.6.2-1.fc19.noarch
---> Package dkms.noarch 0:2.2.0.3-17.fc19 will be an update
--> Finished Dependency Resolution
Error: Package: zfs-dkms-0.6.2-1.fc19.noarch (@zfs)
           Requires: dkms = 2.2.0.3-14.zfs1.fc19
           Removing: dkms-2.2.0.3-14.zfs1.fc19.noarch (@zfs)
               dkms = 2.2.0.3-14.zfs1.fc19
           Updated By: dkms-2.2.0.3-17.fc19.noarch (updates)
               dkms = 2.2.0.3-17.fc19
           Available: dkms-2.2.0.3-5.fc19.noarch (fedora)
               dkms = 2.2.0.3-5.fc19
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
[root@vicky etc]# 

On another fedora system yum update worked fine, after reviewing the differences in the yum configuration it seems that yum-plugin-priorities wasn’t installed on my box. After installing yum-plugin-priorities

[root@vicky etc]# yum install yum-plugin-priorities
Loaded plugins: langpacks, refresh-packagekit
Repository google-chrome is listed more than once in the configuration
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-priorities.noarch 0:1.1.31-18.fc19 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
 Package                                                     Arch                                         Version                                              Repository                                     Size
===================================================================================================================================================================================================================
Installing:
 yum-plugin-priorities                                       noarch                                       1.1.31-18.fc19                                       updates                                        22 k

Transaction Summary
===================================================================================================================================================================================================================
Install  1 Package

Total download size: 22 k
Installed size: 28 k
Is this ok [y/d/N]: y
Downloading packages:
yum-plugin-priorities-1.1.31-18.fc19.noarch.rpm                                                                                                                                             |  22 kB  00:00:01     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : yum-plugin-priorities-1.1.31-18.fc19.noarch                                                                                                                                                     1/1 
  Verifying  : yum-plugin-priorities-1.1.31-18.fc19.noarch                                                                                                                                                     1/1 

Installed:
  yum-plugin-priorities.noarch 0:1.1.31-18.fc19                                                                                                                                                                    

Complete!
[root@vicky etc]# 

And make sure that the zfs has the priority

[root@localhost etc]# cat yum.repos.d/zfs.repo
[zfs]
name=ZFS of Linux for Fedora $releasever
baseurl=http://archive.zfsonlinux.org/fedora/$releasever/$basearch/
enabled=1
priority=1
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
Requires:       yum-plugin-priorities

[zfs-source]
name=ZFS of Linux for Fedora $releasever - Source
baseurl=http://archive.zfsonlinux.org/fedora/$releasever/SRPMS/
enabled=0
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
[root@vicky etc]# 

yum update works again.

[root@vicky etc]# yum update -y
Loaded plugins: langpacks, priorities, refresh-packagekit
Repository google-chrome is listed more than once in the configuration
2 packages excluded due to repository priority protections
No packages marked for update
[root@vicky etc]# 

Running kindle on GNU/Linux with wine

September 8, 2013 less than 1 minute read

I enjoy reading ebooks during my train trip to work on my nexus 7.

At home I prefer to read on my monitor since this is bigger.

Most of the time I use epub or pdf for reading, I bought a kindle version of a book from amazon assuming that I could read with amazon cloud reader at home.

Unfortunately this books is not compatible with cloud reader.

Proprietary_formats should be avoid, lesson learned (again).

To read my book at home I decided to give the windows version of kindle on wine a try

The installation was pretty straightforward on Fedora 19.

• Install wine

[root@vicky ~]# yum install wine
Loaded plugins: langpacks, refresh-packagekit

• Download Kindle for Window xp

Download it from: http://www.amazon.com/gp/feature.html/ref=kcp_pc_ln_ar?docId=1000426311

• Run the installer

[swagemakers@vicky ~]$ wine ~/Downloads/KindleForPC-installer.exe 

• Create kindle startup script

wine $HOME/.wine/drive_c/Program\ Files\ \(x86\)/Amazon/Kindle/Kindle.exe &

Happy reading

but

It’s better to only read ebooks in an open format

fedora 19 boottime on an intel core i7 4770 with a Samsung 840 Pro Series 256GB ssd

September 1, 2013 1 minute read

I installed fedora 19 on my new pc mainly to play with ovirt which seems to be easier to install on fedora than on Debian.

Don’t worry I still have a debian system at hand…

The boot time on a ssd is fast:

yum install lookat

May 25, 2013 less than 1 minute read

“yum install lookat” works on Fedora now ;-)

Thanks Christopher!

[staf@vicky ~]$ sudo yum install lookat
[sudo] password for staf: 
Loaded plugins: langpacks, presto, refresh-packagekit, security
Repository google-chrome is listed more than once in the configuration
Resolving Dependencies
--> Running transaction check
---> Package lookat.x86_64 0:1.4.2-1.fc18 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================
 Package                                 Arch                                    Version                                         Repository                                Size
================================================================================================================================================================================
Installing:
 lookat                                  x86_64                                  1.4.2-1.fc18                                    updates                                   55 k

Transaction Summary
================================================================================================================================================================================
Install  1 Package

Total download size: 55 k
Installed size: 118 k
Is this ok [y/N]: y
Downloading Packages:
lookat-1.4.2-1.fc18.x86_64.rpm                                                                                                                           |  55 kB  00:00:00     
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : lookat-1.4.2-1.fc18.x86_64                                                                                                                                   1/1 
  Verifying  : lookat-1.4.2-1.fc18.x86_64                                                                                                                                   1/1 

Installed:
  lookat.x86_64 0:1.4.2-1.fc18                                                                                                                                                  

Complete!
[staf@vicky ~]$ 

lookat/bekijk has landed in fedora

May 12, 2013 less than 1 minute read

Thanks to Christopher Meng

Lookat has landed in Fedora.

https://admin.fedoraproject.org/pkgdb/acls/name/lookat

Use unbound as an DNS-over-TLS resolver and authoritative dns server v2.0.0

October 17, 2021 4 minute read

In previous blog posts, I described howto setup stubby as a DNS-over-TLS resolver. I used stubby on my laptop(s) and unbound on my internal network.

I migrated to unbound last year and created a docker container for it. Unbound is a popular DNS resolver, it’s less known that you can also use it as an authoritative DNS server.

This work was based on Debian Buster, I migrated the container to Debian Bullseye reorganize it a bit to make it easier to store the zones configuration outside the container like a configmap or persistent volume on Kubernetes.

Version 2.0.0 is available at https://github.com/stafwag/docker-stafwag-unbound.

Version 2.0.0:

Changelog:

• Updated the base image to debian:bullseye.
• Updated create_zone_config.sh to be able to run outside the container.
• Removed the zones.conf generation from the entrypoint
• Start the container as the unbound user
• Updated to logging.conf
• Set the pidfile /tmp/unbound.pid
• Added remote-control.conf
• Updated the documentation

Use unbound as an DNS-over-TLS resolver and authoritative dns server

March 22, 2020 2 minute read

In previous blog posts, I described howto setup stubby as an DNS-over-TLS resolver. I used stubby on my laptop(s) and unbound on my internal network.

But I’m migrating away from stubby in favour of unbound.

Unbound is a popular DNS resolver, it’s less known that you can also use it as an authoritative DNS server.

I created a docker container that can serve both purposes, although you can use the same logic without docker.

It’s available at https://github.com/stafwag/docker-stafwag-unbound.

Building Your Own Docker Base Images (Part 3: Yum)

May 12, 2019 3 minute read

In my previous two posts (1, 2 ), we created Docker Debian and Arch-based images from scratch for the i386 architecture.

In this blog post - last one in this series - we’ll do the same for yum based distributions like CentOS and Fedora.

Building your own Docker base images isn’t difficult and let you trust your distribution Gpg signing keys instead of the docker hub. As explained in the first blog post. The mkimage scripts in the contrib directory of the Moby project git repository is a good place to start if you want to build own docker images.

Building your own docker images (Part2: Arch GNU/Linux & Co)

May 5, 2019 2 minute read

In my previous post, we started with creating Debian based docker images from scratch for the i386 architecture.

In this blog post, we’ll create Arch GNU/Linux based images.

Arch GNU/Linux

Arch Linux stopped supporting i386 systems. When you want to run Archlinux on an i386 system there is a community maintained Archlinux32 project and the Free software version Parabola GNU/Linux-libre.

For the arm architecture, there is Archlinux Arm project that I used.

building your own docker base images (Part 1: Debian GNU/Linux & Co)

April 22, 2019 7 minute read

I was using docker on an Odroid U3, but my Odroid stopped working. I switched to another system that is i386 only.

You’ll find my journey to build docker images for i386 below.

Reasons to build your own docker images

If you want to use docker you can start with docker images on the docker registry. There are several reasons to build your own base images.

Jenkins build with 20 Cores

September 30, 2017 less than 1 minute read

I finally got the time to try out my jenkins build on my new 20 Core Dual Processor Jenkins Build Workstation

I’m able to run all test on multiple operation systems now. I still need to review this setup and perhaps move some tests to docker instead of the virtual machines to save some memory. …but this jenkins setup was configured before docker was a thing.

Have fun

Running Docker on ARM

December 26, 2015 22 minute read

I own an odroid u3 that I used for my media center with xbmc while I like the performance of the Exynos4412 CPU but the drivers for the Mali GPU aren’t opensource.

I like ARM but unfortunatelly a lot of the ARM soc’s have no opensource drivers for the GPU

The manufacturer of the odroid u3 - hardkernel - provides ubuntu 14.04 images with xbmc and mali support. It isn’t possible to get the newer of version of xbmc - now kodi - running, or I didn’t succeed withit. I’ll look for another solution for my media server needs this might be my raspberry pi 1 model B+ that is laying around doing nothing running openelec

Like I said I like the performance of the ordoid U3 that why I installed archLinuxArm to play with Docker. I could have sticked with Ubuntu 14.04 but with Arch Linux I get more up-to-date software.

The installion was pretty straightforward even the docker installation was the same as on a x86 platform.

Since we are using docker on arm we have to build our own docker base images instead of using the docker registery. I have security concerns about installtion and using unsigned non-verified software anyway. If you build your own image it possible to audit/verify the build process.

Run google chrome inside a fedora docker container over ssh

May 12, 2015 less than 1 minute read

Update (Mon Jun 8 2015): Running google-chrome inside a docker container isn't stable for me. I switched back to LXC to run google-chrome which seems to be more stable.

Created a docker image to start a docker container with chrome. Destroying the container each time that you start a browser is a easy way to get rid of your cookies and browser history.

lxc templates in Fedora 20

June 9, 2014 9 minute read

I’m a big fan of containers and used them a lot on Solaris and jails on Freebsd. Containers/jails are the fastest way to spinup an new system and the easiest way to isolate services.

As always with virtualization you’ve to careful with sharing systems or containers that doesn’t below to the same customer or service on the same physical machine since you’re never sure which traces are left behind in the memory etc.

Linux containers are getting more popular since the release of docker

When I tried to create a few containers on Fedora 20, the first attempt (a debian container) wasn’t an success.

On a newly create debian container networking didn’t work.

Getting started with GitLab-CE. Part 2: User accounts, SSH access

November 26, 2023 5 minute read

In my previous blog post, we installed GitLab-CE and did some post configuration. In this blog post, we’ll continue to create user accounts and set up SSH to the git repository.

In the next blog posts will add code to GitLab and set up GitLab runners on different Operating systems.

Getting started with GitLab-CE. Part 1: Installation

November 15, 2023 12 minute read

CI/CD Platform Overview

When you want or need to use CI/CD you have a lot of CI/CD platforms where you can choose from. As with most “tools”, the tool is less important. What (which flow, best practices, security benchmarks, etc) and how you implement it, is what matters.

One of the most commonly used options is Jenkins.

I used and still use Jenkins and created a jenkins build workstation to build software and test in my homelab a couple of years back.

Jenkins started as Hudson at Sun Microsystem(RIP). Hudson is one of the many open-source projects that were started at Sun and killed by Oracle. Jenkins continued as the open-source fork of Hudson.

Jenkins has evolved. If you need to do more complex things you probably end up creating a lot of groovy scripts, nothing wrong with groovy. But as with a lot of discussions about programming, the ecosystem (who is using it, which libraries are available, etc) is important.

Groovy isn’t that commonly used in and known in the system administration ecosystem so this is probably something you need to learn if you’re coming for the system administrator world ( as I do, so I learnt the basics of Groovy this way ).

The other option is to implement CI/CD using the commonly used source hosting platforms; GitHub and GitLab.

• On GitHub we have GitHub Actions.
• On GitLab there is GitLab CI/CD.

bash saved my day

October 20, 2013 less than 1 minute read

I was creating an ugly quick-and-dirty script to setup the squid cache_dir automatically with puppet based on the diskspace and memory available.

When you are developing you sometimes forget to create backups and push it to git, and mistakes are around the corner.

Lucky bash saved my day!

$ ./create_cache_entries.sh  > create_cache_entries.sh 
-bash: ./create_cache_entries.sh: /bin/bash: bad interpreter: Text file busy
$ vi create_cache_entries.sh 

Lookat/Bekijk 1.4.3rc1 released

April 27, 2013 less than 1 minute read

Trying to release more often…

The first release candicate of lookat 1.4.3 has been released.

CGIpaf uploaded to github

March 16, 2013 less than 1 minute read

I finally converted the cgipaf cvs repository to github.

I used cvs2git It took a bit longer than expected.

My first attempt didn’t had the release tags right.

Adding --retain-conflicting-attic-files to cvs2git resolved this issue.

You’ll find how I did it it below.

Lookat/Bekijk 1.4.2 released

December 12, 2012 less than 1 minute read

Finaly a long overdue release of Lookat / Bekijk the userfriendly file browser.

The new stable version 1.4.2 is available at the http://www.wagemakers.be/english/programs/lookat

Or at the Git repository at GNU savannah http://git.savannah.gnu.org/cgit/lookat.git

1.4.2 is a maintenance release. When there are more than 24 hours in a day I’ll start with the long waited utf-8 support ;-)

RIP: pluto

December 11, 2012 less than 1 minute read

After 10 year, my fileserver pluto died. Pluto was a AMD64 had 1GB RAM and 4 too loud samsung drives (160GB).

( 1 minute silence …. )

I take backups of course ;-) I already ordered the parts to build a new pluto.

Pluto still hosted some CSV repositorties like CGIpaf. But it’s time to move the source to a safer place. This will be github.

I also decided to create a blog and I wanted something that integrated well with github. Octopress seems to be the most logical choose. It’s written in ruby which is a nice bonus.

Migrate from ezjail to BastilleBSD part 1: BastilleBSD exploration

September 10, 2023 11 minute read

Introduction to BastilleBSD

What are “containers”?

Chroot, Jails, containers, zones, LXC, Docker

I use FreeBSD on my home network to serve services like email, git, fileserver, etc. For some other services, I use k3s with GNU/Linux application containers.

The FreeBSD services run as Jails. For those who aren’t familiar with FreeBSD Jails. Jails started the whole concept of “containers”.

FreeBSD Jails inspired Sun Microsystems to create Solaris zones.

If you want to know more about the history of FreeBSD Jails, Solaris zones and containers on Un!x systems in general and the challenges to run containers securely I recommend the video;

“Papers We Love: Jails and Solaris Zones by Bryan Cantrill”

Sun took containers to the next level with Solaris zones , allowing a fine-grade CPU and memory allocation.

On GNU/Linux LXC was the most popular container framework. …Till Docker came along.

Application vs system containers

Best wishes 2023!

January 1, 2023 less than 1 minute read

20 core Dual Processor jenkins build workstation

September 16, 2017 1 minute read

My jenkins builds are taking too long mainly due the lack of memory. I mainly use jenkins to verify that my software work on different operation systems (GNU/Linux distributions / *BSD / Solaris).

Looking for a solution that is still affordable I ended up with building a dual Xeon workstation. CPU and memory comes from www.ebay.be

lxc templates in Fedora 20

June 9, 2014 9 minute read

I’m a big fan of containers and used them a lot on Solaris and jails on Freebsd. Containers/jails are the fastest way to spinup an new system and the easiest way to isolate services.

As always with virtualization you’ve to careful with sharing systems or containers that doesn’t below to the same customer or service on the same physical machine since you’re never sure which traces are left behind in the memory etc.

Linux containers are getting more popular since the release of docker

When I tried to create a few containers on Fedora 20, the first attempt (a debian container) wasn’t an success.

On a newly create debian container networking didn’t work.

Ide is still alive…

August 10, 2013 less than 1 minute read

The dvd drive in my sun blade 1500 workstation broke down. I use this system acausally for some development, it's always handy to have a big endian system at hand.

The dvd drive was still handy to load another operating system on it.
The dvd drive has an ide interface which are hard to get these days…

I found a ide to sata convertor and a new dvd drive with a sata interface at conrad. This should convert the sata interface to an ide interface without any driver and works with any operating system.

Well let's put this to a test on a sparc system with solaris :-)

The installation was pretty straightforward, luckily the dvd rom drive has a plastic back since the converter touches the back of the dvd rom drive.

After a quick test it seems to work like a charm. I might install opensxce on it.

It seems to be the only option to run an opensolaris ancestor on sparc hardware.

Freebsd 9.1 jails with Qjail

February 16, 2013 4 minute read

I’m using ezjail now.

The reason for this is that the port is marked as RESTRICTED. Since it seems to be a fork from ezjail without respecting the copyright and license https://lists.freebsd.org/pipermail/freebsd-jail/2013-March/002149.html.

</strong>

I’m adding more services to my freebsd system

I’m coming from the solaris world where it’s a common practice to run services in separated containers for security reasons.

On FreeBSD there are jails to isolate services and improve security.

At first I didn’t like jails the way the freebsd handbook describes it requires a buildworld which takes a long time on my system with a AMD C-60 CPU.

Lucky Qjail makes the deployment a lot easier.

New release Ansible role stafwag.ntpd, and clean up Ansible roles

August 25, 2024 2 minute read

I made some time to give some love to my own projects and spent some time rewriting the Ansible role stafwag.ntpd and cleaning up some other Ansible roles.

There is some work ongoing for some other Ansible roles/projects, but this might be a topic for some other blog post(s) ;-)

stafwag.ntpd

An ansible role to configure ntpd/chrony/systemd-timesyncd.

This might be controversial, but I decided to add support for chrony and systemd-timesyncd. Ntpd is still supported and the default on the BSDs ( FreeBSD, NetBSD, OpenBSD).

It’s possible to switch from the ntp implementation by using the ntpd.provider directive.

The Ansible role stafwag.ntpd v2.0.0 is available at:

• https://github.com/stafwag/ansible-role-ntpd
• https://galaxy.ansible.com/ui/standalone/roles/stafwag/ntpd/

Release notes

V2.0.0

• Added support for chrony and systemd-timesyncd on GNU/Linux
  • systemd-timesynced is the default on Debian GNU/Linux 12+ and Archlinux
  • ntpd is the default on all operating systems (BSDs, Solaris) and Debian GNU/Linux 10 and 11
  • chrony is the default on all other GNU/Linux distributes
  • For ntpd hash as the input for the role.
  • Updated README
  • CleanUp

Ansible role: package_update v2.0.2

October 31, 2021 1 minute read

Keeping your software up-to-date is an important task in System Administration. Not only for security reasons but also to roll out bug fixes to your systems.

As always we should try to automate this process as much as possible.

Ansible has a package module to install packages in a generic way. It supports most Un*x platforms (GNU/Linux, BSD, …). But it doesn’t allow you to update all packages.

For this reason, I created an Ansible role: package update.

Package update enables you to update all packages on most Linux distributions and the BSD operating systems. It can also update the running jails on FreeBSD.

Version 2.0.2 is available at

• Github: https://github.com/stafwag/ansible-role-package_update.
• Ansible galaxy: https://galaxy.ansible.com/stafwag/package_update

Version 2.0.2:

Changelog:

• Always update the apt cache on Debian based distributions.

Have fun!

Lookat 1.4.4 released

December 28, 2015 less than 1 minute read

Lookat 1.4.4 is the latest stable release of Lookat/Bekijk the userfriendly file browser/viewer.

Lookat 1.4.4rc2 Released

October 17, 2015 less than 1 minute read

Lookat 1.4.4rc2 is the second release candicate of Lookat 1.4.4

CGIpaf 1.3.4 Released

November 23, 2014 less than 1 minute read

CGIpaf 1.3.4 has been released

CGIpaf 1.3.4pre1 released

September 15, 2013 less than 1 minute read

This is the first pre-release of CGIpaf 1.3.4.

Running OpenBSD as an UEFI virtual machine (on a Raspberry Pi)

February 25, 2024 9 minute read

I started to migrate all the services that I use on my internal network to my Raspberry Pi 4 cluster. I migrated my FreeBSD jails to BastileBSD on a virtual machine running on a Raspberry Pi. See my blog post on how to migrate from ezjail to BastilleBSD. https://stafwag.github.io/blog/blog/2023/09/10/migrate-from-ezjail-to-bastille-part1-introduction-to-bastillebsd/

Running FreeBSD as a virtual machine with UEFI on ARM64 came to the point that it just works. I have to use QEMU with u-boot to get FreeBSD up and running on the Raspberry Pi as a virtual machine with older FreeBSD versions: https://stafwag.github.io/blog/blog/2021/03/14/howto_run_freebsd_as_vm_on_pi/.

But with the latest versions of FreeBSD ( not sure when it started to work, but it works on FreeBSD 14) you can run FreeBSD as a virtual machine on ARM64 with UEFI just like on x86 on GNU/Linux with KVM.

UEFI on KVM is in general provided by the open-source tianocore project.

I didn’t find much information on how to run OpenBSD with UEFI on x86 or ARM64.

So I decided to write a blog post about it, in the hope that this information might be useful to somebody else. First I tried to download the OpenBSD 7.4 ISO image and boot it as a virtual machine on KVM (x86). But the iso image failed to boot on a virtual with UEFI enabled. It looks like the ISO image only supports a legacy BIOS.

ARM64 doesn’t support a “legacy BIOS”. The ARM64 download page for OpenBSD 7.4 doesn’t even have an ISO image, but there is an install-<version>.img image available. So I tried to boot this image on one of my Raspberry Pi systems and this worked. I had more trouble getting NetBSD working as a virtual machine on the Raspberry Pi but this might be a topic for another blog post :-)

You’ll find my journey with my installation instructions below.

Debian bullseye on the RPI 4 with full disk encryption.

July 3, 2022 19 minute read

Updated @ Sun Jul 17 07:51:58 PM CEST 2022: Added blkid section UUID cryptroot. Changed dropbear port to 2222.

I use a few Raspberry PI’s 4 to run virtual machines and k3s.

I was using the Manjaro Linux with full disk encryption but I’ll switch to Debian GNU/Linux, the main reason is that libvirt is currently broken on archlinuxarm.

You’ll find my journey to get Debian GNU/Linux bullseye up and running on the Raspberry PI with full disk encryption below.

Migrate a windows vmware virtual machine to Linux KVM

July 1, 2018 6 minute read

Linux KVM is getting more and more useable for desktop virtualization thanks to the the virtio and QXL/SPICE drivers.

Most Linux distributes have the virtio & QXL drivers you might need to install the spice-vdagent.

On Windows you can download and install the virtio and QXL drivers.

Using the virtio drivers will improve your guest system performance and your virtualization experience.

Nested virtualization in KVM

June 4, 2018 5 minute read

KVM

Kernel-based Virtual Machine (KVM) has become the defacto hypervisor on GNU/Linux systems it works with great performance as it utilizes the CPU virtualization extensions Inetl VT-x or AMD-V). KVM doesn’t emulate hardware but uses QEMU for this.

Nested Virtual guest

It’s possible to use nested virtualization this make it possible to run a hypervisor inside a KVM virtual machine.

High screen resolution on a KVM virtual machine with QXL

April 22, 2018 4 minute read

When you create an new virtual KVM virtual system the video ram is limited to 16MB by default to use a higer screen resolution you need to increase the video ram. The available resolution reported by the virtual screen may also not include the resolution that you want to utilize.

You’ll find my journey to enable higher screen resolutions in my KVM (qemu) virtual systems below.

Openvas 7: adding credentials failed

May 14, 2015 less than 1 minute read

I’m creating a new openvas 7 system running centos 7 as a KVM instance.

The installation went fine but it was impossible to create new credentials.

I had a similar issue with my openvas 6 installation, this was resolved by creating the /etc/openvas/gnupg directory and creating the key openvasmd --create-credentials-encryption-key

But on my openvas 7 installation a creation of the encryption key was slooooow. As always Good Randomness is important for creating keys. So I decided to install haveged to get more randomness and hopefully this would speed up key creation.

[root@localhost ~]# yum install haveged

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * atomic: www6.atomicorp.com
 * base: centos.cu.be
 * extras: centos.cu.be
 * updates: centos.cu.be
Package haveged-1.9.1-2.el7.art.x86_64 already installed and latest version
Nothing to do
[root@localhost ~]# 
[root@localhost ~]# systemct list-unit-files --type=service | grep haveged
-bash: systemct: command not found
[root@localhost ~]# systemctl list-unit-files --type=service | grep haveged
haveged.service                             disabled
[root@localhost ~]# systemctl enable haveged
ln -s '/usr/lib/systemd/system/haveged.service' '/etc/systemd/system/multi-user.target.wants/haveged.service'
[root@localhost ~]# systemctl start haveged
[root@localhost ~]# 

The key creation took a only sec.

[root@localhost ~]# openvasmd --create-credentials-encryption-key
Key creation succeeded.
[root@localhost ~]# 

Adding new credentials works like a charm now.

Happy hacking!

Use a GPG smartcard with Thunderbird. Part 3: Setup Thunderbird

September 10, 2024 5 minute read

In previous blog posts, we discussed setting up a GPG smartcard on GNU/Linux and FreeBSD.

In this blog post, we will configure Thunderbird to work with an external smartcard reader and our GPG-compatible smartcard.

Before Thunderbird 78, if you wanted to use OpenPGP email encryption, you had to use a third-party add-on such as https://enigmail.net/.

Thunderbird’s recent versions natively support OpenPGP. The Enigmail addon for Thunderbird has been discontinued. See: https://enigmail.net/index.php/en/home/news.

I didn’t find good documentation on how to set up Thunderbird with a GnuPG smartcard when I moved to a new coreboot laptop, so this was the reason I created this blog post series.

Getting started with GitLab-CE. Part 1: Installation

November 15, 2023 12 minute read

CI/CD Platform Overview

When you want or need to use CI/CD you have a lot of CI/CD platforms where you can choose from. As with most “tools”, the tool is less important. What (which flow, best practices, security benchmarks, etc) and how you implement it, is what matters.

One of the most commonly used options is Jenkins.

I used and still use Jenkins and created a jenkins build workstation to build software and test in my homelab a couple of years back.

Jenkins started as Hudson at Sun Microsystem(RIP). Hudson is one of the many open-source projects that were started at Sun and killed by Oracle. Jenkins continued as the open-source fork of Hudson.

Jenkins has evolved. If you need to do more complex things you probably end up creating a lot of groovy scripts, nothing wrong with groovy. But as with a lot of discussions about programming, the ecosystem (who is using it, which libraries are available, etc) is important.

Groovy isn’t that commonly used in and known in the system administration ecosystem so this is probably something you need to learn if you’re coming for the system administrator world ( as I do, so I learnt the basics of Groovy this way ).

The other option is to implement CI/CD using the commonly used source hosting platforms; GitHub and GitLab.

• On GitHub we have GitHub Actions.
• On GitLab there is GitLab CI/CD.

Using SmartCardHsm with GnuPG

May 2, 2020 4 minute read

When you want to store your GnuPG private key(s) on a smartcard, you have a few options like the Yubikey, NitroKey GPG compatible cards, or the OpenPGP. The advantage of these cards is that they support GnuPG directly. The disadvantage is that they can only store 1 or a few keys.

Another option is SmartCardHSM, NitroKey HSM is based on SmartCardHsm and should be compatible. The newer versions support 4k RSA encryption keys and can store up 19 RSA 4k keys. The older version is limited to 2k RSA keys. I still have the older version. The advantage is that you can store multiple keys on the card. To use it for GPG encryption you’ll need to set up a gpg-agent with gnupg-pkcs11-scd.

Setup a certificate authority with SmartCardHSM

April 29, 2020 13 minute read

In this blog post, we will set up a CA authority with SmartCardHSM.

When you to create internal certificate authority for internal services it’s important to protect the private key. When somebody with bad intentions gets access to the private key(s) of the signing certificate authorities, it can be used to issue new certificates. This would enable the man in the middle attacks.

Protecting your SSH keys with SmartCard-HSM

December 5, 2015 3 minute read

I use a yubi key for my ssh authentication. But I’ve other ssh keys for my remote services so wanted something that allows me to take a backup of my keys see this post for more information on to backup/restore a SmartCard-HSM

Starting to protect my private keys with SmartCard-Hsm

November 21, 2015 15 minute read

I still have too many private keys on a local filesystem, I started to use the yubikey neo for my ssh authentication. Mainly because the nice formfactor of the yubikey.

For my other private keys/data I was looking for something cheeper since I need to have a backup of my secured data so I bought a few Smartcard-HSM smartcards they cost 16 € each while a yubi-key neo cost 54 € at amazon.de

Create a custom ArchLinux boot image with linux-lts and OpenZFS support

December 21, 2022 2 minute read

I use ArchLinux on my desktop workstation. For the root filesystem, I use btrfs with luks disk encryption and wrote a blog post about it.

https://stafwag.github.io/blog/blog/2016/08/30/arch-on-an-encrypted-btrfs-partition/.

My important data is on OpenZFS.

I’ll migrate my desktop to ArchLinux with OpenZFS in RAIDZ configuration as the root filesystem.

To make installation easier I decide to create a custom ArchLinux boot image with linux-lts and OpenZFS support.

You’ll find my journey to create the boot iso below. All action are execute on a ArchLinux host system (already using OpenZFS)

Debian bullseye on the RPI 4 with full disk encryption.

July 3, 2022 19 minute read

Updated @ Sun Jul 17 07:51:58 PM CEST 2022: Added blkid section UUID cryptroot. Changed dropbear port to 2222.

I use a few Raspberry PI’s 4 to run virtual machines and k3s.

I was using the Manjaro Linux with full disk encryption but I’ll switch to Debian GNU/Linux, the main reason is that libvirt is currently broken on archlinuxarm.

You’ll find my journey to get Debian GNU/Linux bullseye up and running on the Raspberry PI with full disk encryption below.

Manjaro on the RPI4 with full disk encryption and remote unlock

August 8, 2021 13 minute read

Last year I got a raspberry pi 4 to play with and installed Manjaro on it.

The main reason I went with Manjaro was that the ArchLinux Arm image/tgz for the Raspberry Pi 4 was still 32 bits, or you needed to create-your-own kernel.

But started to like Manjaro Linux, it provided a stable base with regular updates. This year I upgraded my setup with 2 additional Raspberry Pi 4 to provide clustering for my k3s (Kubernetes) setup. I used virtual machines on the Raspberry Pi to host the k3s nodes. Also because want to the Pi for other tasks and virtual machines makes it easier to split the resources. It’s also an “abstraction layer” if you want to combine the cluster with other ARM64 systems in the future.

I always (try to) to full disk encryption, when you have multiple nodes it’s important to be able to unlock the encryption remotely.

Manjaro on the RPI4 with full disk encryption

July 12, 2020 13 minute read

The Raspberry PI has become more and more powerful in the recent years, maybe too powerful to be a “maker board”. The higher CPU power and availability of more memory - up to 8GB - makes it more suitable for home server usage.

The latest firmware (EEPROM) enables booting from a USB device. To enable USB boot the EEPROM on the raspberry needs to be updated to the latest version and the bootloader that comes with the operating system - the start*.elf, etc files on the boot filesystem - needs to support it.

I always try to use filesystem encryption. You’ll find my journey to install GNU/Linux on an encrypted filesystem below.

64 Bits operating systems

The Raspberry PI 4 has a 64 bits CPU, the default operating system - Raspberry Pi OS (previously called Raspbian) - for the Rasberry PI is still 32 bits to take full advantage of the 64bits CPU a 64 bits operating system is required.

You’ll find an overview GNU/Linux distributions for RPI4 below.

Building your own docker images (Part2: Arch GNU/Linux & Co)

May 5, 2019 2 minute read

In my previous post, we started with creating Debian based docker images from scratch for the i386 architecture.

In this blog post, we’ll create Arch GNU/Linux based images.

Arch GNU/Linux

Arch Linux stopped supporting i386 systems. When you want to run Archlinux on an i386 system there is a community maintained Archlinux32 project and the Free software version Parabola GNU/Linux-libre.

For the arm architecture, there is Archlinux Arm project that I used.

Install Arch on an encrypted btrfs partition

August 30, 2016 13 minute read

I’m preparing to move my workstation to arch linux Before I’ll install it on my physical workstation I did the installation on a virtual machine. I’ll use btrfs as the filesystem during the installation. btrfs is a nice filesystem but it had some serious dataloss issue with RAID5/RAID6 recently.

btrfs might not stable enough for a production environment but it has some nice features like snapshots, send/recieve, compression etc. I use zfs for my important date anyway.

Debian bullseye on the RPI 4: golden image

July 24, 2022 9 minute read

In my last blog post, we set up Debian bullseye with full disk encryption on a Raspberry PI 4.

I use 3 three Raspberry PI’s to run K3s and a few FreeBSD virtual machines. For the FreeBSD virtual machines I still use QEMU: https://stafwag.github.io/blog/blog/2021/03/14/howto_run_freebsd_as_vm_on_pi/, I still need to test if we can use KVM/libvirt with the UEFI improvements in FreeBSD 13.1. But that might be another blog post :-)

As need I the same installation at least three times, I decided to create a “golden image” with the most important tools.

Debian bullseye on the RPI 4 with full disk encryption.

July 3, 2022 19 minute read

Updated @ Sun Jul 17 07:51:58 PM CEST 2022: Added blkid section UUID cryptroot. Changed dropbear port to 2222.

I use a few Raspberry PI’s 4 to run virtual machines and k3s.

I was using the Manjaro Linux with full disk encryption but I’ll switch to Debian GNU/Linux, the main reason is that libvirt is currently broken on archlinuxarm.

You’ll find my journey to get Debian GNU/Linux bullseye up and running on the Raspberry PI with full disk encryption below.

How to run a FreeBSD Virtual Machine on the RPI4 with QEMU. Part 2: Network, Install from cdrom, startup

March 28, 2021 10 minute read

In my last blog post, we set up a FreeBSD virtual machine with QEMU. I switched from the EDK2 (UEFI) firmware to U-boot, the EDK2 firmware had issues with multiple CPU’s in the virtual machines.

In this blog post, we’ll continue with the Network setup, install the virtual machine from a CDROM image and how to start the virtual machine during the PI start-up.

How to run a FreeBSD Virtual Machine on the RPI4 with QEMU. Part 1: QEMU setup

March 14, 2021 2 minute read

I got a Raspberry PI 4 a couple of months back and started it use it to run virtual machines.

This works great for GNU/Linux distributions but FreeBSD as a virtual machine didn’t work for me. When I tried to install FreeBSD or import a virtual machine image, FreeBSD wasn’t able to mount the root filesystem and ended with an “error 19”.

On the FreeBSD wiki, there are a few articles on how to use ARM64 FreeBSD with QEMU directly.

You find my journey of getting a FreeBSD Virtual Machine below.

I use Manjaro on my Raspberry PI, but the same setup will work with other GNU/Linux distributions.

Upgrade FreeBSD on a Raspberry Pi 2

November 1, 2020 4 minute read

I recently installed FreeBSD on my raspberry-pi 2 to use it as my firewall.

The FreeBSD version that I installed was a FreeBSD 12.2 Pre-Release. FreeBSD 12.2 has been released this week.

ARM is a Tier-2 on FreeBSD. This means that freebsd-update doesn’t work on a Raspberry Pi.

Freebsd-update wouldn’t work on a Pre-Release anyway. So I was looking for a way to update my Raspberry Pi to FreeBSD 12.2.

Use a raspberry-pi 2 as a firewall with FreeBSD

October 25, 2020 10 minute read

Updated @ Mon Nov 16 08:16:30 PM CET 2020: Corrected the version when OPNsense dropped 32 bits support.

I was using OPNsense on my pcengines alix firewall and was quite happy with it.

The alix 2d13 is a nice motherboard with a Geode CPU, it has a 32 bits x86 instruction set. I migrated to OPNsense from pfSense when pfSense dropped 32 bits support.

Unfortunately, OPNsense also dropped support for 32 bits CPU’s in the 19.1.7 release 20.7 release. I decided to install FreeBSD on the alix to use it as my firewall. But I need a temporary firewall solution so I can install FreeBSD on my alix board. I have a Raspberry PI 2 that I wasn’t using.

You’ll find my journey to use my RPI2 as my firewall below.

CGIpaf at GNU Savannah

March 18, 2020 less than 1 minute read

The CGIpaf project has a new home at GNU savannah: https://savannah.nongnu.org/projects/cgipaf/

The source code was - and is still also hosted - on GitHub.

There are a few reasons for the move;

• I was looking for an easy way to store binary releases. Binary releases aren’t supported by GitHub. There might be a solution for this at GitLab but scp to upload a release is more convenient.
• GitHub is becoming too dominant.
• I prefer a solution that is based on Free Software.
• I was already using GNU savannah for another project lookat.

Have fun

CGIpaf 1.3.5 Released

April 13, 2016 less than 1 minute read

CGIpaf 1.3.5 has been released

CGIpaf 1.3.4 Released

November 23, 2014 less than 1 minute read

CGIpaf 1.3.4 has been released

CGIpaf 1.3.4pre1 released

September 15, 2013 less than 1 minute read

This is the first pre-release of CGIpaf 1.3.4.

CGIpaf uploaded to github

March 16, 2013 less than 1 minute read

I finally converted the cgipaf cvs repository to github.

I used cvs2git It took a bit longer than expected.

My first attempt didn’t had the release tags right.

Adding --retain-conflicting-attic-files to cvs2git resolved this issue.

You’ll find how I did it it below.

Ansible role: package_update v2.0.2

October 31, 2021 1 minute read

Keeping your software up-to-date is an important task in System Administration. Not only for security reasons but also to roll out bug fixes to your systems.

As always we should try to automate this process as much as possible.

Ansible has a package module to install packages in a generic way. It supports most Un*x platforms (GNU/Linux, BSD, …). But it doesn’t allow you to update all packages.

For this reason, I created an Ansible role: package update.

Package update enables you to update all packages on most Linux distributions and the BSD operating systems. It can also update the running jails on FreeBSD.

Version 2.0.2 is available at

• Github: https://github.com/stafwag/ansible-role-package_update.
• Ansible galaxy: https://galaxy.ansible.com/stafwag/package_update

Version 2.0.2:

Changelog:

• Always update the apt cache on Debian based distributions.

Have fun!

20 core Dual Processor jenkins build workstation

September 16, 2017 1 minute read

My jenkins builds are taking too long mainly due the lack of memory. I mainly use jenkins to verify that my software work on different operation systems (GNU/Linux distributions / *BSD / Solaris).

Looking for a solution that is still affordable I ended up with building a dual Xeon workstation. CPU and memory comes from www.ebay.be

CGIpaf 1.3.5 Released

April 13, 2016 less than 1 minute read

CGIpaf 1.3.5 has been released

CGIpaf 1.3.4 Released

November 23, 2014 less than 1 minute read

CGIpaf 1.3.4 has been released

CGIpaf 1.3.4pre1 released

September 15, 2013 less than 1 minute read

This is the first pre-release of CGIpaf 1.3.4.

Migrate from ezjail to BastilleBSD part 1: BastilleBSD exploration

September 10, 2023 11 minute read

Introduction to BastilleBSD

What are “containers”?

Chroot, Jails, containers, zones, LXC, Docker

I use FreeBSD on my home network to serve services like email, git, fileserver, etc. For some other services, I use k3s with GNU/Linux application containers.

The FreeBSD services run as Jails. For those who aren’t familiar with FreeBSD Jails. Jails started the whole concept of “containers”.

FreeBSD Jails inspired Sun Microsystems to create Solaris zones.

If you want to know more about the history of FreeBSD Jails, Solaris zones and containers on Un!x systems in general and the challenges to run containers securely I recommend the video;

“Papers We Love: Jails and Solaris Zones by Bryan Cantrill”

Sun took containers to the next level with Solaris zones , allowing a fine-grade CPU and memory allocation.

On GNU/Linux LXC was the most popular container framework. …Till Docker came along.

Application vs system containers

Create a custom ArchLinux boot image with linux-lts and OpenZFS support

December 21, 2022 2 minute read

I use ArchLinux on my desktop workstation. For the root filesystem, I use btrfs with luks disk encryption and wrote a blog post about it.

https://stafwag.github.io/blog/blog/2016/08/30/arch-on-an-encrypted-btrfs-partition/.

My important data is on OpenZFS.

I’ll migrate my desktop to ArchLinux with OpenZFS in RAIDZ configuration as the root filesystem.

To make installation easier I decide to create a custom ArchLinux boot image with linux-lts and OpenZFS support.

You’ll find my journey to create the boot iso below. All action are execute on a ArchLinux host system (already using OpenZFS)

Keep zfs running on the Raspberry PI

August 3, 2020 less than 1 minute read

I got a Raspberry PI 4 to play with and installed Manjaro GNU/Linux on it.

I use OpenZFS on my PI. The latest kernel update broke zfs on my PI due to a License conflict, the solution is to disable PREEMPT in the kernel config. This BUG was already resolved with OpenZFS with the main Linux kernel tree at least on X86_64/AMD64, not sure why the kernel on the raspberry pi is still affected.

I was looking for an excuse to build a custom kernel for my Pi anyway :-). I cloned the default manjaro RPI4 kernel and disabled PREEMPT in the kernel config.

The package is available at: https://gitlab.com/stafwag/manjaro-linux-rpi4-nopreempt. This package also doesn’t update /boot/config.txt and /boot/cmdline.txt to not overwrite custom settings.

Have fun!

zfs on Fedora 20

January 14, 2014 7 minute read

With Fedora 20 being released a few weeks ago and no official zfsonlinux support for Fedora 20. It time to get zfs on linux working on Fedora 20.

Zfs on linux 2.6.2 required a custom DKMS package. Lucky the patches that were required for zfs on linux are already integrated into Fedora: http://negativo17.org/dkms-patches-for-zfs-on-linux-merged/

So lets try to build the rpm packages for Fedora 20 from the source.

yum update on fedora 19 and zfs on linux

October 13, 2013 2 minute read

I use zfs on linux on fedora now.

The installation was pretty straightforward but after the installation of zfs yum update failed.

[root@vicky etc]# yum update -y
Loaded plugins: langpacks, refresh-packagekit
Repository google-chrome is listed more than once in the configuration
fedora/19/x86_64/metalink                                                                                                                                                                   |  33 kB  00:00:00     
fedora                                                                                                                                                                                      | 4.2 kB  00:00:00     
fedora-chromium-stable                                                                                                                                                                      | 3.4 kB  00:00:00     
google-chrome                                                                                                                                                                               |  951 B  00:00:00     
rpmfusion-free                                                                                                                                                                              | 3.3 kB  00:00:00     
rpmfusion-free-updates                                                                                                                                                                      | 3.3 kB  00:00:00     
rpmfusion-nonfree                                                                                                                                                                           | 3.3 kB  00:00:00     
rpmfusion-nonfree-updates                                                                                                                                                                   | 3.3 kB  00:00:00     
updates/19/x86_64/metalink                                                                                                                                                                  |  30 kB  00:00:00     
updates                                                                                                                                                                                     | 4.4 kB  00:00:00     
zfs                                                                                                                                                                                         | 2.9 kB  00:00:00     
(1/6): fedora-chromium-stable/19/x86_64/primary_db                                                                                                                                          |  20 kB  00:00:00     
(2/6): zfs/19/x86_64/primary_db                                                                                                                                                             | 6.7 kB  00:00:00     
(3/6): updates/19/x86_64/group_gz                                                                                                                                                           | 385 kB  00:00:02     
(4/6): fedora/19/x86_64/group_gz                                                                                                                                                            | 384 kB  00:00:06     
(5/6): updates/19/x86_64/primary_db                                                                                                                                                         | 8.8 MB  00:01:53     
(6/6): fedora/19/x86_64/primary_db                                                                                                                                                          |  17 MB  00:03:34     
(1/10): google-chrome/primary                                                                                                                                                               | 1.9 kB  00:00:00     
(2/10): rpmfusion-free-updates/19/x86_64/primary_db                                                                                                                                         | 217 kB  00:00:01     
(3/10): rpmfusion-nonfree/19/x86_64/primary_db                                                                                                                                              | 149 kB  00:00:00     
(4/10): rpmfusion-free/19/x86_64/primary_db                                                                                                                                                 | 440 kB  00:00:03     
(5/10): rpmfusion-nonfree-updates/19/x86_64/primary_db                                                                              b                                                       |  97 kB  00:00:00     
(6/10): rpmfusion-nonfree-updates/19/x86_64/group_gz                                                                                                                                        |  990 B  00:00:05     
(7/10): rpmfusion-nonfree/19/x86_64/group_gz                                                                                                                                                |  993 B  00:00:07     
(8/10): rpmfusion-free/19/x86_64/group_gz                                                                                                                                                   | 1.6 kB  00:00:07     
(9/10): rpmfusion-free-updates/19/x86_64/group_gz                                                                                                                                           | 1.6 kB  00:00:07     
(10/10): updates/19/x86_64/updateinfo                                                                                                                                                       | 861 kB  00:00:09     
google-chrome                                                                                                                                                                                                  3/3
Resolving Dependencies
--> Running transaction check
---> Package dkms.noarch 0:2.2.0.3-14.zfs1.fc19 will be updated
--> Processing Dependency: dkms = 2.2.0.3-14.zfs1.fc19 for package: zfs-dkms-0.6.2-1.fc19.noarch
---> Package dkms.noarch 0:2.2.0.3-17.fc19 will be an update
--> Finished Dependency Resolution
Error: Package: zfs-dkms-0.6.2-1.fc19.noarch (@zfs)
           Requires: dkms = 2.2.0.3-14.zfs1.fc19
           Removing: dkms-2.2.0.3-14.zfs1.fc19.noarch (@zfs)
               dkms = 2.2.0.3-14.zfs1.fc19
           Updated By: dkms-2.2.0.3-17.fc19.noarch (updates)
               dkms = 2.2.0.3-17.fc19
           Available: dkms-2.2.0.3-5.fc19.noarch (fedora)
               dkms = 2.2.0.3-5.fc19
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
[root@vicky etc]# 

On another fedora system yum update worked fine, after reviewing the differences in the yum configuration it seems that yum-plugin-priorities wasn’t installed on my box. After installing yum-plugin-priorities

[root@vicky etc]# yum install yum-plugin-priorities
Loaded plugins: langpacks, refresh-packagekit
Repository google-chrome is listed more than once in the configuration
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-priorities.noarch 0:1.1.31-18.fc19 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
 Package                                                     Arch                                         Version                                              Repository                                     Size
===================================================================================================================================================================================================================
Installing:
 yum-plugin-priorities                                       noarch                                       1.1.31-18.fc19                                       updates                                        22 k

Transaction Summary
===================================================================================================================================================================================================================
Install  1 Package

Total download size: 22 k
Installed size: 28 k
Is this ok [y/d/N]: y
Downloading packages:
yum-plugin-priorities-1.1.31-18.fc19.noarch.rpm                                                                                                                                             |  22 kB  00:00:01     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : yum-plugin-priorities-1.1.31-18.fc19.noarch                                                                                                                                                     1/1 
  Verifying  : yum-plugin-priorities-1.1.31-18.fc19.noarch                                                                                                                                                     1/1 

Installed:
  yum-plugin-priorities.noarch 0:1.1.31-18.fc19                                                                                                                                                                    

Complete!
[root@vicky etc]# 

And make sure that the zfs has the priority

[root@localhost etc]# cat yum.repos.d/zfs.repo
[zfs]
name=ZFS of Linux for Fedora $releasever
baseurl=http://archive.zfsonlinux.org/fedora/$releasever/$basearch/
enabled=1
priority=1
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
Requires:       yum-plugin-priorities

[zfs-source]
name=ZFS of Linux for Fedora $releasever - Source
baseurl=http://archive.zfsonlinux.org/fedora/$releasever/SRPMS/
enabled=0
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
[root@vicky etc]# 

yum update works again.

[root@vicky etc]# yum update -y
Loaded plugins: langpacks, priorities, refresh-packagekit
Repository google-chrome is listed more than once in the configuration
2 packages excluded due to repository priority protections
No packages marked for update
[root@vicky etc]# 

Migrate from ezjail to BastilleBSD part 1: BastilleBSD exploration

September 10, 2023 11 minute read

Introduction to BastilleBSD

What are “containers”?

Chroot, Jails, containers, zones, LXC, Docker

I use FreeBSD on my home network to serve services like email, git, fileserver, etc. For some other services, I use k3s with GNU/Linux application containers.

The FreeBSD services run as Jails. For those who aren’t familiar with FreeBSD Jails. Jails started the whole concept of “containers”.

FreeBSD Jails inspired Sun Microsystems to create Solaris zones.

If you want to know more about the history of FreeBSD Jails, Solaris zones and containers on Un!x systems in general and the challenges to run containers securely I recommend the video;

“Papers We Love: Jails and Solaris Zones by Bryan Cantrill”

Sun took containers to the next level with Solaris zones , allowing a fine-grade CPU and memory allocation.

On GNU/Linux LXC was the most popular container framework. …Till Docker came along.

Application vs system containers

Building Your Own Docker Base Images (Part 3: Yum)

May 12, 2019 3 minute read

In my previous two posts (1, 2 ), we created Docker Debian and Arch-based images from scratch for the i386 architecture.

In this blog post - last one in this series - we’ll do the same for yum based distributions like CentOS and Fedora.

Building your own Docker base images isn’t difficult and let you trust your distribution Gpg signing keys instead of the docker hub. As explained in the first blog post. The mkimage scripts in the contrib directory of the Moby project git repository is a good place to start if you want to build own docker images.

Building your own docker images (Part2: Arch GNU/Linux & Co)

May 5, 2019 2 minute read

In my previous post, we started with creating Debian based docker images from scratch for the i386 architecture.

In this blog post, we’ll create Arch GNU/Linux based images.

Arch GNU/Linux

Arch Linux stopped supporting i386 systems. When you want to run Archlinux on an i386 system there is a community maintained Archlinux32 project and the Free software version Parabola GNU/Linux-libre.

For the arm architecture, there is Archlinux Arm project that I used.

Run google chrome inside a fedora docker container over ssh

May 12, 2015 less than 1 minute read

Update (Mon Jun 8 2015): Running google-chrome inside a docker container isn't stable for me. I switched back to LXC to run google-chrome which seems to be more stable.

Created a docker image to start a docker container with chrome. Destroying the container each time that you start a browser is a easy way to get rid of your cookies and browser history.

lxc templates in Fedora 20

June 9, 2014 9 minute read

I’m a big fan of containers and used them a lot on Solaris and jails on Freebsd. Containers/jails are the fastest way to spinup an new system and the easiest way to isolate services.

As always with virtualization you’ve to careful with sharing systems or containers that doesn’t below to the same customer or service on the same physical machine since you’re never sure which traces are left behind in the memory etc.

Linux containers are getting more popular since the release of docker

When I tried to create a few containers on Fedora 20, the first attempt (a debian container) wasn’t an success.

On a newly create debian container networking didn’t work.

Use a GPG smartcard with Thunderbird. Part 3: Setup Thunderbird

September 10, 2024 5 minute read

In previous blog posts, we discussed setting up a GPG smartcard on GNU/Linux and FreeBSD.

In this blog post, we will configure Thunderbird to work with an external smartcard reader and our GPG-compatible smartcard.

Before Thunderbird 78, if you wanted to use OpenPGP email encryption, you had to use a third-party add-on such as https://enigmail.net/.

Thunderbird’s recent versions natively support OpenPGP. The Enigmail addon for Thunderbird has been discontinued. See: https://enigmail.net/index.php/en/home/news.

I didn’t find good documentation on how to set up Thunderbird with a GnuPG smartcard when I moved to a new coreboot laptop, so this was the reason I created this blog post series.

Use a GPG smart card with Thunderbird. Part 2: setup GnuPG on FreeBSD

July 28, 2024 19 minute read

Updated @ Mon Sep 2 07:55:20 PM CEST 2024: Added devfs section
Updated @ Wed Sep 4 07:48:56 PM CEST 2024 : Corrected gpg-agent.conf

I use FreeBSD and GNU/Linux.

In a previous blog post, we set up GnuPG with smartcard support on Debian GNU/Linux.

In this blog post, we’ll install and configure GnuPG with smartcard support on FreeBSD.

The GNU/Linux blog post provides more details about GnuPG, so it might be useful for the FreeBSD users to read it first.

Likewise, Linux users are welcome to read this blog post if they’re interested in how it’s done on FreeBSD ;-)

Use a GPG smartcard with Thunderbird. Part 1: setup GnuPG

April 21, 2024 14 minute read

I use a Free Software Foundation Europe fellowship GPG smartcard for my email encryption and package signing. While FSFE doesn’t provide the smartcard anymore it’s still available at www.floss-shop.de.

I moved to a Thinkpad w541 with coreboot running Debian GNU/Linux and FreeBSD so I needed to set up my email encryption on Thunderbird again.

It took me more time to reconfigure it again - as usual - so I decided to take notes this time and create a blog post about it. As this might be useful for somebody else … or me in the future :-)

The setup is executed on Debian GNU/Linux 12 (bookworm) with the FSFE fellowship GPG smartcard, but the setup for other Linux distributes, FreeBSD or other smartcards is very similar.

Using SmartCardHsm with GnuPG

May 2, 2020 4 minute read

When you want to store your GnuPG private key(s) on a smartcard, you have a few options like the Yubikey, NitroKey GPG compatible cards, or the OpenPGP. The advantage of these cards is that they support GnuPG directly. The disadvantage is that they can only store 1 or a few keys.

Another option is SmartCardHSM, NitroKey HSM is based on SmartCardHsm and should be compatible. The newer versions support 4k RSA encryption keys and can store up 19 RSA 4k keys. The older version is limited to 2k RSA keys. I still have the older version. The advantage is that you can store multiple keys on the card. To use it for GPG encryption you’ll need to set up a gpg-agent with gnupg-pkcs11-scd.

Using YubiKey Neo as gpg smartcard for SSH authentication

June 16, 2015 13 minute read

I purchased a Yubi NEO I’ll use it to hold my Luks password and for ssh authentication instead of the password authentication that I still use.

You’ll find my journey to get the smartcard interface working with ssh on a fedora 22 system below;

32 bits (still) matters!

November 15, 2020 6 minute read

updated @ Mon Nov 16 08:16:30 PM CET 2020: Corrected the version when OPNsense dropped 32 bits support.

I used OPNsense on my pcengines Alix 2d13 firewall.

The Alix 2d13 is a nice motherboard with a Geode CPU 32 bits x86 CPU.

I migrated to OPNsense after pfSense dropped support for 32 bits. Unfortunately, OPNsense also dropped support for 32 bits CPUs in the 19.1.7 release 20.7 release. I decided to install FreeBSD on my Alix to use it as my firewall.

To make it possible to reinstall my Alix firewall, I installed FreeBSD on my Raspberry Pi 2 to use it as my firewall during the installation of FreeBSD on my Alix.

You’ll find my journey to install FreeBSD my an Alix firewall below.

Use a raspberry-pi 2 as a firewall with FreeBSD

October 25, 2020 10 minute read

Updated @ Mon Nov 16 08:16:30 PM CET 2020: Corrected the version when OPNsense dropped 32 bits support.

I was using OPNsense on my pcengines alix firewall and was quite happy with it.

The alix 2d13 is a nice motherboard with a Geode CPU, it has a 32 bits x86 instruction set. I migrated to OPNsense from pfSense when pfSense dropped 32 bits support.

Unfortunately, OPNsense also dropped support for 32 bits CPU’s in the 19.1.7 release 20.7 release. I decided to install FreeBSD on the alix to use it as my firewall. But I need a temporary firewall solution so I can install FreeBSD on my alix board. I have a Raspberry PI 2 that I wasn’t using.

You’ll find my journey to use my RPI2 as my firewall below.

OPNsense upgrade failed: Out of inodes

May 21, 2019 7 minute read

I use OPNsense as my firewall on a Pcengines Alix.

The primary reason is to have a firewall that will be always up-to-update, unlike most commercial customer grade firewalls that are only supported for a few years. Having a firewall that runs opensource software - it’s based on FreeBSD - also make it easier to review and to verify that there are no back doors.

When I tried to upgrade it to the latest release - 19.1.7 - the upgrade failed because the filesystem ran out of inodes. There is already a topic about this at the OPNsense forum and a fix available for the upcoming nano OPNsense images.

How to configure DNS-over-TLS on OPNsense

December 9, 2018 2 minute read

DNS-over-TLS

In my previous blog posts we configured Stubby on GNU/Linux and FreeBSD.

In this blog article we’ll configure DNS-over-TLS with Unbound on OPNsense. Both Stubby and Unbound are written by NLnet.

32 bits matters!

May 11, 2018 1 minute read

pfsense 2.3

My firewall is a pcengines alix.

It was running pfsense and was quite happy about it. Pfsense dropped support for 32 bits in their pfsense 2.4 release.

This would left me with a unsupported firewall which was one of the reasons to use pfsense instead of a closed source commercial router.

I could have moved to a new firewall like the pcengines apu but there is no reason to replace hardware that works fine.

The nice thing about opensource software is that we’ve options to choose from if software doesn’t match your usecase we’ve other options to choose from.

OPNsense

Use unbound as an DNS-over-TLS resolver and authoritative dns server v2.0.0

October 17, 2021 4 minute read

In previous blog posts, I described howto setup stubby as a DNS-over-TLS resolver. I used stubby on my laptop(s) and unbound on my internal network.

I migrated to unbound last year and created a docker container for it. Unbound is a popular DNS resolver, it’s less known that you can also use it as an authoritative DNS server.

This work was based on Debian Buster, I migrated the container to Debian Bullseye reorganize it a bit to make it easier to store the zones configuration outside the container like a configmap or persistent volume on Kubernetes.

Version 2.0.0 is available at https://github.com/stafwag/docker-stafwag-unbound.

Version 2.0.0:

Changelog:

• Updated the base image to debian:bullseye.
• Updated create_zone_config.sh to be able to run outside the container.
• Removed the zones.conf generation from the entrypoint
• Start the container as the unbound user
• Updated to logging.conf
• Set the pidfile /tmp/unbound.pid
• Added remote-control.conf
• Updated the documentation

Use unbound as an DNS-over-TLS resolver and authoritative dns server

March 22, 2020 2 minute read

In previous blog posts, I described howto setup stubby as an DNS-over-TLS resolver. I used stubby on my laptop(s) and unbound on my internal network.

But I’m migrating away from stubby in favour of unbound.

Unbound is a popular DNS resolver, it’s less known that you can also use it as an authoritative DNS server.

I created a docker container that can serve both purposes, although you can use the same logic without docker.

It’s available at https://github.com/stafwag/docker-stafwag-unbound.

How to configure DNS-over-TLS on OPNsense

December 9, 2018 2 minute read

DNS-over-TLS

In my previous blog posts we configured Stubby on GNU/Linux and FreeBSD.

In this blog article we’ll configure DNS-over-TLS with Unbound on OPNsense. Both Stubby and Unbound are written by NLnet.

DNS Privacy with Stubby (Part 2 FreeBSD)

October 7, 2018 8 minute read

FreeBSD

In my previous blog article we install on GNU/Linux which is my main desktop operation system. My NAS and the services that are required to be always running are on FreeBSD.

In this arcticle we will setup Stubby - the DNS Privacy Daemon - on FreeBSD.

DNS Privacy with Stubby (Part 1 GNU/Linux)

September 9, 2018 9 minute read

** Installing and configuring an encrypted dns server is straightforward, there is no reason to use an unencrypted dns service. **

DNS is not secure or private

DNS traffic is insecure and runs over UDP port 53 (TCP for zone transfers ) unecrypted by default.

This make your unencrypted DNS traffic a privacy risk and a security risk:

• anyone that is able to sniff your network traffic can collect a lot information from your leaking DNS traffic.
• with a DNS spoofing attack an attacker can trick you let go to malicious website or try to intercept your email traffic.

Encrypt your dns traffic

Encrypting your network traffic is always a good idea for privacy and security reasons - ** we encrypt, because we can! ** - . More information about dns privacy can be found at https://dnsprivacy.org/

On this site you’ll find also the DNS Privacy Daemon - Stubby that let’s you send your DNS request over TLS to an alternative DNS provider. You should use a DNS provider that you trust and has a no logging policy. quad9, cloudflare and google dns are well-known alternative dns providers. At https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers you can find a few other options.

You’ll find my journey to setup Stubby on a few operation systems I use (or I’m force to use) below …

GNU/Linux

Best wishes 2024!

January 2, 2024 less than 1 minute read

Best wishes 2023!

January 1, 2023 less than 1 minute read

How to install coreboot on a Lenovo x230

January 21, 2022 9 minute read

I already use coreboot on my Lenovo W500 with FreeBSD. I bought a Lenovo x230 for a nice price I decide to install coreboot on it. After reading a lot of online documentation. I decided to install the skulls coreboot distribution on it. The skulls project has nice documentation on how to install it.

To replace the BIOS with coreboot you will need to disassemble the laptop and use a clip on the BIOS chip to install it.

Switch from Libreboot to coreboot

October 17, 2019 11 minute read

I use(d) Libreboot on my Lenovo W500. And it works fine… but I want to install FreeBSD on it. The GRUB payload Libreboot uses by default isn’t compatible with the FreeBSD bootloader. It is possible to boot FreeBSD from GRUB or try to recompile Libreboot with the SeaBIOS payload. …But I just wanted to play with coreboot, to be honest :-)

Prepare

How to install libreboot on a ThinkPad W500

February 10, 2019 12 minute read

I got a Lenovo Thinkpad W500 from www.2dehands.be for a nice price.

Actually, I got it a couple of months back but I didn’t have time to play with it and it took some time to get some parts from Aliexpress.

The Thinkpad W500 is probably the most powerful system that is compatible with Libreboot, it has a nice high-resolution display with a 1920 x 1200 resolution which is even a higher screen resolution than the Full HD resolution used on most new laptops today.

Security

Keep in mind that the core duo CPU does not get microcode updates from Intel for [spectre and meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability). There is no solution (currently) for spectre 3a - Rogue System Register Read - CVE-2018-3640 and Spectre 4 - Speculative Store Bypass CVE-2018-3639 without a microcode update.

Binary blobs are bad. Having a closed source binary-only piece of software on your system is not only unacceptable for Free Software activists it also makes it more difficult to review what it really does and makes it more difficult to review it for security concerns.

Having your system vulnerable is also a bad thing of course. Can’t wait to get a computer system with an open CPU architecture like RISC-V.

Preparation

Debian bullseye on the RPI 4: golden image

July 24, 2022 9 minute read

In my last blog post, we set up Debian bullseye with full disk encryption on a Raspberry PI 4.

I use 3 three Raspberry PI’s to run K3s and a few FreeBSD virtual machines. For the FreeBSD virtual machines I still use QEMU: https://stafwag.github.io/blog/blog/2021/03/14/howto_run_freebsd_as_vm_on_pi/, I still need to test if we can use KVM/libvirt with the UEFI improvements in FreeBSD 13.1. But that might be another blog post :-)

As need I the same installation at least three times, I decided to create a “golden image” with the most important tools.

Debian bullseye on the RPI 4 with full disk encryption.

July 3, 2022 19 minute read

Updated @ Sun Jul 17 07:51:58 PM CEST 2022: Added blkid section UUID cryptroot. Changed dropbear port to 2222.

I use a few Raspberry PI’s 4 to run virtual machines and k3s.

I was using the Manjaro Linux with full disk encryption but I’ll switch to Debian GNU/Linux, the main reason is that libvirt is currently broken on archlinuxarm.

You’ll find my journey to get Debian GNU/Linux bullseye up and running on the Raspberry PI with full disk encryption below.

How to install coreboot on a Lenovo x230

January 21, 2022 9 minute read

I already use coreboot on my Lenovo W500 with FreeBSD. I bought a Lenovo x230 for a nice price I decide to install coreboot on it. After reading a lot of online documentation. I decided to install the skulls coreboot distribution on it. The skulls project has nice documentation on how to install it.

To replace the BIOS with coreboot you will need to disassemble the laptop and use a clip on the BIOS chip to install it.

Best wishes 2022!

January 2, 2022 less than 1 minute read

How to install libreboot on a ThinkPad W500

February 10, 2019 12 minute read

I got a Lenovo Thinkpad W500 from www.2dehands.be for a nice price.

Actually, I got it a couple of months back but I didn’t have time to play with it and it took some time to get some parts from Aliexpress.

The Thinkpad W500 is probably the most powerful system that is compatible with Libreboot, it has a nice high-resolution display with a 1920 x 1200 resolution which is even a higher screen resolution than the Full HD resolution used on most new laptops today.

Security

Keep in mind that the core duo CPU does not get microcode updates from Intel for [spectre and meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability). There is no solution (currently) for spectre 3a - Rogue System Register Read - CVE-2018-3640 and Spectre 4 - Speculative Store Bypass CVE-2018-3639 without a microcode update.

Binary blobs are bad. Having a closed source binary-only piece of software on your system is not only unacceptable for Free Software activists it also makes it more difficult to review what it really does and makes it more difficult to review it for security concerns.

Having your system vulnerable is also a bad thing of course. Can’t wait to get a computer system with an open CPU architecture like RISC-V.

Preparation

Ansible role: delegated_vm_install 1.1.0 released

January 29, 2023 4 minute read

I use KVM and cloud-init to provision virtual machines on my home network. I migrated all my services to Raspberry PIs running GNU/Linux and FreeBSD to save power.

I first wanted to use terraform, but the libvirt terraform provider wasn’t compatible with arm64 (at least at that time).

So I started to create a few ansible roles to provision the virtual machines.

delegated_vm_install is a wrapper around these roles to provision the virtual machine in a delegated way. It allows you to specify the Linux/libvirt KVM host as part of the virtual machine definition.

Changelog

delegated_vm_install 1.1.0

• update_ssh_known_hosts directive added
  • update_ssh_known_hosts directive added to allow to update the ssh host key after the virtual machine is installed.
  • Documentation updated
  • Debug code added

Have fun!

Ansible role: delegated_vm_install 1.0.0 released

October 16, 2022 3 minute read

I use KVM and cloud-init to provision virtual machines on my home network and wrote a few articles about it.

• Howto use centos cloud images with cloud-init on KVM/libvirtd
• Howto use cloud images on the Raspberry PI 4

on my blog on how to use cloud images with cloud-init on a “non-cloud” environment.

I created an Ansible role: ansible-role-virt_install_vm for it.

This role works great, but I wanted to have the possibility to provision the virtual machine in a delegated way.

For this reason I create the ansible role delegated_vm_install.

Delegated_vm_install 1.0.0 is available at: https://github.com/stafwag/ansible-role-delegated_vm_install

Have fun!

Ansible role: virt_install_vm 1.0.0 released