Tagged "Sysadmin"

Patching a Debian package locally: Nextcloud, DWM and the focus lost

If you use a window manager that switches focus automatically (like dwm) and the Nextcloud client, you are surely annoyed by the Nextcloud window disappearing on focus loss “feature” (with no knob to switch it off). Apparently, the developers decided that This Is The Right Way®.

With the power of The Source Code, we can change that!

Proxmox LXC, Systemd, and Linux Capabilities

Debian in LXC/Proxmox works flawlessly, except for some systemd utility daemons. Instead of disabling those services, we can leverage Linux capabilities to achieve the same results.

Winbox on WINE: network namespaces for MAC-Telnet

Winbox, the MikroTik RouterOS management application, uses a proprietary link-layer protocol to discover and connect to RouterOS appliances. It’s useful when you have a router with a bad/unknown network configuration.

Let’s see how we can use it on Linux and WINE.

RAID5, URE and the probability

So you may have heard that RAID5 is doomed due to this “URE”.

What does it mean? Is it true? Let’s find out.
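The “RAID5 is doomed” argument rests on one simple model: during a rebuild every bit on the surviving disks must be read, and each read bit fails independently with the vendor's URE rate (typically quoted as 1 error per 10^14 bits read). The following added example, which is not code from the original post, works that model through so the numbers behind the claim can be checked; the 4 × 4 TB array and the two URE rates are constructed inputs, and the independence assumption is the model's, not a fact about real disks (errors cluster by sector, so this is an upper-bound style estimate).

```python
"""RAID5 rebuild vs. unrecoverable read errors (URE): the back-of-the-envelope model.

Added worked example (not from the original post). Assumption: every bit read
during a rebuild fails independently with probability `ure_rate` (the per-bit
URE figure from a disk datasheet, e.g. 1e-14). Real errors are clustered per
sector, so this model overstates the risk somewhat; it is the model the
"RAID5 is doomed" argument uses, which is exactly why it is worth computing.
"""
import math

BITS_PER_BYTE = 8
TB = 10**12          # disk vendors sell decimal terabytes
TIB = 2**40          # filesystems report binary tebibytes; mixing them skews results


def raid5_rebuild_read_bits(disk_count: int, disk_bytes: int) -> int:
    """Bits that must be read to rebuild one failed disk in an N-disk RAID5.

    The N-1 surviving disks are read in full to recompute the lost member.
    """
    if disk_count < 3:
        raise ValueError("RAID5 needs at least 3 disks")
    if disk_bytes <= 0:
        raise ValueError("disk_bytes must be positive")
    return (disk_count - 1) * disk_bytes * BITS_PER_BYTE


def expected_ure_count(data_bits: int, ure_rate: float) -> float:
    """Mean number of UREs while reading data_bits (Bernoulli trials: n * p)."""
    return data_bits * ure_rate


def p_rebuild_hits_ure(data_bits: int, ure_rate: float) -> float:
    """P(at least one URE while reading data_bits) = 1 - (1 - p)^n.

    Computed as -expm1(n * log1p(-p)): with p ~ 1e-14, evaluating 1 - p
    directly in a double loses two significant digits of p, so the naive
    formula is both slow (huge exponent) and imprecise.
    """
    if data_bits < 0:
        raise ValueError("data_bits must be non-negative")
    if not 0.0 <= ure_rate < 1.0:
        raise ValueError("ure_rate must be in [0, 1)")
    return -math.expm1(data_bits * math.log1p(-ure_rate))


def rebuild_risk_table(disk_bytes: int, ure_rate: float, disk_counts=(3, 4, 6, 8)):
    """(disks, expected UREs, P(rebuild reads at least one URE)) per array size."""
    rows = []
    for n in disk_counts:
        bits = raid5_rebuild_read_bits(n, disk_bytes)
        rows.append((n, expected_ure_count(bits, ure_rate), p_rebuild_hits_ure(bits, ure_rate)))
    return rows


if __name__ == "__main__":
    # Constructed scenario: consumer 4 TB disks at the datasheet 1e-14 URE,
    # compared with an enterprise-class 1e-15 figure.
    for rate in (1e-14, 1e-15):
        print(f"URE rate {rate:g} per bit, 4 TB disks")
        for disks, expected, prob in rebuild_risk_table(4 * TB, rate):
            print(f"  {disks} disks: expect {expected:.3f} UREs, P(>=1 URE) = {prob:.1%}")
```

With four 4 TB disks at 10^-14 the model says a rebuild reads 9.6 × 10^13 bits, expects about 0.96 UREs and hits at least one with probability ≈ 62%; at 10^-15 the same array drops to ≈ 9%. Whether a real disk behaves like that independent-bit model is the question the post asks, and the answer decides whether the scary number means anything.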

K3s, ZFS, cgroups v2

Unfortunately, after the migration from ext4 to ZFS, I discovered that k3s was crashing due to the missing support for overlayfs in ZFS.

Migrate Linux (home)server to ZFS

Recently I moved my home server to a (refurbished) Dell Optiplex 7050. The previous PC was on ext4, and I decided to try ZFS without reinstalling it.

ovf-export, open-source tool for exporting libvirt domains as OVF/OVA

Today I’m releasing ovf-export, a tool for exporting libvirt domains as OVF/OVA, as open-source. Generated packages follow the OVF 1.0 standard so that you can use them with VirtualBox, VMware Workstation/Player, and others.

Revoke active GitLab sessions for all users

If you have a self-hosted version of GitLab, you may need to revoke all active sessions for all users (for example, to force a password change when using an external authenticator like LDAP or OAuth2).

My opinion on DoH/DoT

I don’t have a strong opinion on everything. However, in the case of DoH-vs-DoT-vs-DNS, I have a very strong opinion.

And it’s that DoH is harmful and unnecessary. In this post, I’ll explain why.

Windows API - Information disclosure / covert channel

I use open-source software every day. And I try to contribute as much as I can.

However, sometimes weird things happen when writing OSS code. Like finding a security bug in a closed source software.

Full-disk encryption and remote unlock

Do you know that you can unlock your full-disk encrypted GNU/Linux PC remotely? Cool, isn’t it? You can directly use SSH to type the password and unlock your PC.

Let’s ask ourselves: is it secure?

Hide KVM/QEMU in Windows 10 guest

Recently I was preparing a Windows 10 VM (in a Proxmox/KVM/QEMU environment) with the specific need to spoof some hardware IDs and evade a VM detection.

Protect Kubernetes Dashboard using oauth2-proxy and Keycloak

Kubernetes Dashboard is an excellent web client for Kubernetes clusters. Even if I prefer locally installed clients (kubectl and k9s are enough for me :-D), a web UI is handy when you have a random group of users (developers?) and you don’t want to give them access to the API server, or you don’t want to force them to install and configure a Kubernetes client only to open the logs of some pod once a week.

Debian 10, Cloud-init and static IP addresses

Over the last two days I was preparing a virtual environment for some tests on MariaDB replication. I was determined to use the very same settings as the production machine I was simulating: Debian 10, Docker, MariaDB 10.4. I use Terraform for these tests, and it works pretty well with the libvirt provider.

DoS (and possible MITM) in Cisco VPN 3000 Concentrator

TL;DR: the Cisco VPN 3000 Concentrator has a bug that allows you to cause a DoS (and maybe a MITM) by sending the wrong netmask in IPsec phase 2. You need valid credentials. Apparently there is no workaround or fix. It’s EOL, so you may want to replace it :-)

Iomega ix2-200, Debian and iSCSI

I recovered an old Iomega ix2-200 from the dust of my apartment, hoping to use it as a storage NAS for backups with burp. I can’t use NFS (or at least, it would be unsafe), so I was looking for an iSCSI export. The ix2-200 was advertised as iSCSI-enabled, however the performance was very bad and the box was freezing literally every night.

JWT or not?

In a recent web portal project, made with Python and Angular, I faced the Hamletic doubt: should I use the standard pseudorandom generation of session tokens, or should I use a JWT?

Simple policy based routing in practice

Sometimes the network setup isn't the one you find in a textbook. Policy-based routing is a mechanism to choose a route based on a policy (which can be anything, from the current time to the kind of packet/frame).

Using fogproject to deploy Windows 10 images

Although the web is full of pages about fogproject and Windows 10, there are many different things you need to do to make fog deploy a Windows 10 image in a fully automated way (without your physical intervention). This is my guide, just in case.