Linux Disk Encryption - Remote Unlocking at boot
If you have an encrypted root partition, unlocking it usually requires access to the console to enter the passphrase. Even if the root partition is unencrypted and your sensitive data lives on a separate encrypted partition that you mount manually once SSH is available, you still have to start the dependent services after that manual mount. There are a number of remote unlocking tools (luksrku, mandos, tang/clevis) which attempt to solve this problem by having a service running on a trusted network provide the decryption key....
Kubernetes Authentication with OIDC
This post describes how to configure a Kubernetes cluster to authenticate users via OpenID Connect, and how to configure the kubectl client to match. We’ll be using microk8s as the Kubernetes distribution and Google as the OIDC provider. Configuring OIDC Provider (Google) Before we can configure Kubernetes to authenticate against an OIDC provider, we need to configure one and obtain the following pieces of information: Issuer URL, Client ID, Client Secret. To do this in Google, take the following steps:...
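The two halves of the setup the excerpt describes (telling the API server which issuer and client ID to trust, then giving kubectl the matching credentials) as an added shell example; this is not code from the original post. The API server flags are the standard kube-apiserver OIDC flags; the microk8s args file path in the comment, the issuer/client values and the `oidc:` username prefix are assumptions, and the post does not say which username claim or prefix the author chose.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed: microk8s keeps kube-apiserver flags one per line in
# /var/snap/microk8s/current/args/kube-apiserver and must be restarted
# (e.g. "sudo snap restart microk8s") after the file changes.
set -eu

# configure_apiserver_oidc ARGS_FILE ISSUER_URL CLIENT_ID
# Appends the OIDC flags to the kube-apiserver args file.
configure_apiserver_oidc() {
  args_file=$1; issuer=$2; client_id=$3

  # kube-apiserver only accepts an https issuer; an http issuer would let
  # an on-path attacker serve its own discovery document and signing keys.
  case $issuer in
    https://*) ;;
    *) echo "refusing non-https issuer: $issuer" >&2; return 1 ;;
  esac

  # Never append the flags twice: duplicated flags confuse later edits.
  if grep -q -- '--oidc-issuer-url' "$args_file" 2>/dev/null; then
    echo "OIDC already configured in $args_file" >&2
    return 1
  fi

  # --oidc-username-claim=email maps the token's email to the k8s username.
  # --oidc-username-prefix keeps OIDC users from colliding with built-in
  # users and service accounts (RBAC bindings then name "oidc:alice@example.com").
  cat >> "$args_file" <<EOF
--oidc-issuer-url=$issuer
--oidc-client-id=$client_id
--oidc-username-claim=email
--oidc-username-prefix=oidc:
EOF
}

# kubectl_oidc_user USER ISSUER_URL CLIENT_ID CLIENT_SECRET ID_TOKEN REFRESH_TOKEN
# Stores the OIDC credentials in the kubeconfig; kubectl refreshes the id-token
# with the refresh-token when it expires. Tokens land in ~/.kube/config in
# clear text, so protect that file like a private key.
kubectl_oidc_user() {
  kubectl config set-credentials "$1" \
    --auth-provider=oidc \
    --auth-provider-arg=idp-issuer-url="$2" \
    --auth-provider-arg=client-id="$3" \
    --auth-provider-arg=client-secret="$4" \
    --auth-provider-arg=id-token="$5" \
    --auth-provider-arg=refresh-token="$6"
}

# Usage (values are placeholders, run on the microk8s node as root):
#   configure_apiserver_oidc /var/snap/microk8s/current/args/kube-apiserver \
#     https://accounts.google.com 1234.apps.googleusercontent.com
#   kubectl_oidc_user alice https://accounts.google.com \
#     1234.apps.googleusercontent.com "$CLIENT_SECRET" "$ID_TOKEN" "$REFRESH_TOKEN"
```

After restarting the API server, a quick check is `kubectl --user alice get pods`: a `401` means the token was rejected by the API server (wrong issuer, client ID or expired token), while a `403` means authentication worked and only an RBAC binding for `oidc:<email>` is missing.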
SSH-Agent on Windows & WSL2
There is a lot of advice out there on the best way to share SSH credentials and an SSH agent connection between Windows and WSL. This is complicated even more by the different SSH agent communication protocols on the Windows side (e.g. OpenSSH vs Pageant). Frankly the situation is a bit of a mess. For me, I have the following requirements: Be able to access the same SSH agent from all my SSH clients, be that Windows or Linux (WSL2)....
LISA 17
I was lucky enough to be able to attend LISA 2017 in San Francisco. As usual, this conference is absolutely fantastic and jam-packed full of useful content. Sunday to Tuesday is dedicated to the Training Program. Then Wednesday sees the start of the Conference Program, which continues until Friday.
Defending against the dark arts
Linux performance monitoring with BPF
Troubleshooting performance issues in PostgreSQL
Security in Automation
UX Design and Education for effective monitoring tools...
UEFI Network Boot
UEFI Boot has been supported on Dell PowerEdge servers since Generation 11 (~2010). But network booting via a PXE ROM to provision an OS is not a well known and established procedure, so I’ve been lazy and always placed my Dell PowerEdge servers in Legacy BIOS mode. Recently I was struggling with an R730 not accepting keyboard input on the PXELINUX menu, which felt like an issue with “Legacy USB emulation” not being enabled in the BIOS, but I couldn’t find any such setting....
Spectrum Scale UK User Group Meeting 2016
I attended my second Spectrum Scale User Group meeting. It was amazing to see how much feedback IBM had taken on board from 2015 and how directly it has influenced the product. It was also very useful to see how other users are solving their problems using GPFS. All the slides from the conference are online; the rest of this post picks out some specific areas I found particularly interesting and how they could apply to the University of Bristol....
GPFS User Group Meeting 2015
The following post contains my notes from the GPFS User Group meeting in York.
Keynote: Doris Conti, Director, Spectrum Scale (GPFS) and HPC SW Product Development
Doris’ keynote started the day with a theme that continued throughout the day: IBM are encouraging their users to get in touch with developers to help steer the direction of GPFS. They are also looking for customers to join Beta programs for various components of GPFS....
Replacing Foreman's web SSL certificate
Foreman does a great job of providing SSL support out-of-the-box; it does this by using the SSL certificates generated by your Puppet CA. Unless your users' web browsers all trust the Puppet CA (unlikely), any human user of Foreman is going to get SSL warnings. Replacing Foreman's SSL certificate with one signed by a CA that browsers trust by default requires some care for two reasons: Components other than humans using web browsers also need to validate the Foreman server....
Bootstrapping a Puppet master
Puppet masters can be complex beasts with multiple components, and they are often managed by themselves. There are multiple reasons why you might want to bootstrap a new puppetmaster without depending on your existing one (development, DR, etc.). In my environment, the puppetmaster is managed with a combination of the following modules: theforeman/puppet, theforeman/foreman, theforeman/foreman_proxy, puppetlabs/puppetdb. Getting to a position where our puppetmaster wrapper class can be applied using puppet apply takes some care....
GPFS License Designation - Incorrect required license field
GPFS 3.3 introduced license designations for both client and server nodes. So after upgrading a cluster from GPFS 3.2, you are required to designate licenses with the mmchlicense command. I recently upgraded a GPFS cluster from 3.2 to 3.5 which contained 6 servers and 393 clients. Unfortunately mmlslicense does not agree with me and has determined it requires 396 server licenses and 7 client licenses.
Summary information
---------------------
Number of nodes defined in the cluster: 403
Number of nodes with server license designation: 0
Number of nodes with client license designation: 0
Number of nodes still requiring server license designation: 396
Number of nodes still requiring client license designation: 7
Even using mmchnode --client did not demote the client....