gyptazy - DevOps, Coding, Networking and BSD!

Blog

Vagrant, Virtualization and Apple Silicon on ARM64 in 2023 (2023-03-25):
Many DevOps engineers used Vagrant together with VirtualBox in their default setups to quickly spawn new VMs. However, when switching from AMD64 (Intel architecture) to Apple Silicon (M1/M2/M3), the lack of supported tools broke many workflows. Currently there is an ARM64 build of VirtualBox, but it does not support ARM64 guests at all. This makes it necessary to switch to other alternatives. VMware Fusion: one solution is a free copy (for personal use) of VMware Fusion for macOS, which also supports ARM64-based guests. This alternative to VirtualBox supports all Apple Silicon Macs and even runs on the newest macOS, which makes it a pretty good replacement for VirtualBox. However, we still need Vagrant and a dedicated plugin (vagrant-vmware-desktop) for the VMware platform provider. This plugin supports VMware Workstation, VMware Desktop and VMware Fusion. Vagrant can still be installed in the same ways .... [read more]

Password Rotation Policy Nowadays (2023-02-08):
Unfortunately, many companies still have security policies that require end users to change their passwords frequently. What first sounds like a good idea can quickly result in worse security; I often call this security by obscurity. So, why is password rotation a bad idea nowadays? First, let us have a look at the past before the year 2000, when users had really short passwords of fewer than 10 characters. Many dynamic websites (e.g. free mailers, etc.) at that time enforced a password length of 6-10 characters and did not accept any special characters. As a result, well-known passwords like abc123, 12345678, gyptazy2000, gyptazy89, etc. emerged, where users created easy-to-guess combinations of names, birthdates, etc. With more compute power, brute-force attacks became easier. As a result, passwords got longer and included further special characters. Within the first iteration, many special characters like .... [read more]

Ansible Packet Filter Module for BSD Systems (2023-01-17):
My new Ansible module pf allows managing BSD's packet filter (pf, used as a firewall), which is compatible with FreeBSD, OpenBSD, etc. In dry_run mode the generated rule set file is validated and printed within Ansible's meta output (JSON). Rule sets can be loaded by filter (e.g. filter, options or nat) and tested in dry_run mode. In addition, the module provides basic service management for starting, stopping and restarting pf.

  - name: Test a rule set
    pf:
      action: reload
      config: /etc/pf.conf
      dry_run: True

  - name: Load only NAT rules set
    pf:
      action: reload
      config: /etc/pf.conf
      filter: nat

  - name: Flush PF rules
    pf:
      action: reload
      config: /etc/pf.conf

  - name: Start PF
    pf:
      action: restart
      config: /etc/pf.conf

Resources: Initial upload: initial upload of pf (packet filter) PR: PR#5857 .... [read more]

Plutono – A Grafana 7.5 Fork Under The Apache 2.0 License (2023-01-10):
Plutono is an interactive visualization web application that provides graphs, charts and also alerts. It is a fork of Grafana 7.5, maintained by credativ GmbH (NetApp GmbH) under the Apache 2.0 license, and the fork is limited to maintenance and security updates. In 2021, Grafana switched the licensing of its core products from the Apache License 2.0 to the more restrictive AGPL v3 (Affero General Public License) in an attempt to balance the values of open source with its monetization strategy. As this license switch might impact several users, the Plutono project was initiated and comes with several other tools like Vali (as an alternative to Loki) and Valitail. Plutono: Plutono brings further possibilities to query, visualize, alert on and understand your metrics no matter where they are stored. Explore, create and exchange dashboards with your team: * Visualize: Fast and flexible client-side graphs with a multitude of .... [read more]

Released Monkey Switcher V1.2 (2022-11-19):
Monkey Switcher has just been released in V1.2. Switch your Bluetooth-capable devices like Magic Keyboard 2, Trackpad, AirPods, etc. between multiple Macs (e.g. personal and business) with a single click on macOS. This can be especially helpful to avoid connecting your wired USB-C to Lightning cable to your Magic Keyboard to establish a pairing session with another Mac, and it may speed up your workflow. However, this must initially be done on all Macs where you want to use this app, so that the device is a known and authorized Bluetooth device there. This application ships amd64 and arm64 binaries of blueutil. Running the application is a toggle: when the Bluetooth device is connected it gets disconnected, and if the device is currently disconnected it gets connected. This can be combined across multiple Macs that the Bluetooth device should connect to. Monkey Switcher is fully open source. You can .... [read more]

Garden Linux with Firecracker Support (2022-10-07):
Garden Linux now comes with Firecracker (microVM) images for running heavy workloads. You may also find some more information on Firecracker in my last post. Thanks to nkraetzschmar for adding Firecracker support within the Garden Linux feature system. In addition, the PyTest pipeline needed further adjustments as well as a new IAAS type to perform tests on microVMs. With my PR feat(pytest): Add Firecracker IAAS for PyTest #1318 I recently added further support for Firecracker images as a new IAAS platform type. The new IAAS takes care of all image- and network-related adjustments to fit the requirements of PyTest's RemoteClient object. Creating a Garden Linux Firecracker image: creating a Firecracker image is as easy as building regular images and can simply be accomplished by running:

  # Production image
  make firecracker
  # Dev image (autologin, etc.)
  make firecracker-dev

This creates the kernel and filesystem image artifacts: * kernel image: firecracker_dev-amd64-today-0ee7682b.vmlinux * .... [read more]

Garden Linux with SELinux Support (2022-09-01):
While Garden Linux has been running with SELinux all the time, it finally supports running SELinux in enforcing mode. Within the last few weeks I made several adjustments to make sure we could switch from permissive mode to enforcing mode. By pushing the last commit, the gardenlinux-selinux-module gets reactivated together with the patched refpolicy package within the Garden Linux build pipeline. All related packages are now available in the Garden Linux repositories. Unfortunately, I had many issues with Debian Testing's refpolicy package, which was a show stopper for several services, including casual bash usage after login or systemd-resolved start-ups (see also bug #1012755). Further bug reports and messages did not lead to any solution. Even getting in touch with some people directly at DebConf 2022 did not yield a solution. Thanks to chrinorse for getting in touch with others at DebConf 2022. Therefore, I consider .... [read more]

Garden Linux with macOS Build Support (2022-06-23):
Finally, my Garden Linux PR feature(build): Add support for macOS #1013 got merged, which allows building Garden Linux images on macOS regardless of the underlying hardware architecture (Intel and Apple Silicon are both supported). As a result, no further Linux virtual machines are needed to create artifacts. This is a big step forward in usability for all macOS users and also speeds up the whole local build process. Update: With PR Add support for macOS and CentOS (Stream) in startvm #1027 you may also directly run the created images on macOS. .... [read more]

Monitorix behind Nginx reverse proxy (2022-05-13):
Monitorix is a versatile, open-source and lightweight system monitoring tool that covers a wide array of services and system resources. Originally written for production Linux/UNIX servers, its simplicity and small size also make it suitable for embedded devices. Monitorix is still a solid choice, but running it in a current setup raises one issue: exposing its own HTTP service directly is often not desirable, so placing it behind a reverse proxy like Nginx is the usual solution. Managing this setup across multiple systems, however, requires additional configuration. The Nginx sub_filter function makes this simple, because it rewrites the paths in Monitorix's HTML so that each monitored host can be served under its own prefix. The following snippet shows this approach:

  location /ns01/ {
      proxy_pass http://ns01.gyptazy.ch:8080/;
      proxy_redirect default;
      sub_filter_once off;
      sub_filter '/monitorix-cgi/' '/ns01/monitorix-cgi/';
      sub_filter '/imgs/' '/ns01/imgs/';
      sub_filter '/monitorix/imgs/' '/ns01/imgs/';
      sub_filter 'monitorixico.png' '/ns01/monitorix/monitorix/monitorixico.png';
      sub_filter 'logo_bot.png' 'monitorix/logo_bot.png';
      sub_filter 'logo_top.png' 'monitorix/logo_top.png';
      proxy_buffering off;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP .... [read more]

Garden Linux – A CoreOS Replacement (2022-05-05):
Garden Linux is a Debian GNU/Linux derivative that aims to provide small and auditable Linux images for most cloud providers (e.g. Ali, AWS, Azure, GCP, etc.) and bare-metal systems. Garden Linux is the best Linux for Gardener nodes to improve your cloud platform and replaces the legacy and discontinued CoreOS system. Garden Linux offers great possibilities for customization, provides a great feature set to fit your needs and is fully open source (MIT licensed). Through this feature set it is possible to build Garden Linux with different features (options) like CIS, FedRAMP, ReadOnly mode, etc. In addition, all features allow full customization to fit the operator's needs. By default, Garden Linux already provides an awesome stack of features like:

  * Repeatable and auditable builds
  * Great test framework (PyTest based)
  * Purely systemd based (network, fstab, etc.)
  * Aiming to always integrate the latest LTS kernel
  * Dracut .... [read more]
