Virtues

Fri, 31 Oct 2025 09:24:31 -0400

The modern corporate state exhorts us and twists the idea of virtue. We’re surrounded by companies that speak of values and ideals.

What is virtue?

Etymologically, virtue comes from Latin, “virtus”, which is moral strength or excellence. It’s root, in turn, is “vir” or man. In the Roman sense, virtue describes the characteristics of manliness. I’m going to skip the post-modern apology here and trust that the reader understands the differences that have come over the past two thousand years and simply leave virtue as traits that are deemed morally good.

Values, in contrast, are what we invest in personally. Being a Tarheel fan is a value to me. Virtues may be a subset of values, but values are broader and individualistic and reflect what we believe is important. Virtues are objective, where values are subjective and rooted in feelings. This may explain why we see “values” discussed much more than virtues in modern society.

Classically, the principal virtues are Prudence, Temperance, Wisdom, and Justice. Christians would add Faith, Hope, and Love to this list.

Eudaimonia

Eudaimonia is a Greek word translating to the state of good spirit or (I prefer) “flourishing”. In the works of Aristotle, eudaimonia was the term for the highest human good. Eudaimonia for a tree might be to provide shade, fruit, or places for birds to nest. For a human being it likewise rests in this concept of philosophical integrity with one’s purpose.

The concepts of Eudaimonia and virtues if one believes that human flourishing is represented in moral behavior. The ancients also had the concept of Zeal - latin “zelus” and Greek “zēlos”, meaning ardor or emulation. Zeal implies a passionate pursuit or jealousy today, but originally it meant to take as a model. Julius Caesar was said to have gazed at a statue of Alexander and felt this zeal - saying, “what have I done with my life in comparison?”

Strategy vs Tactics

Wed, 15 Oct 2025 20:30:47 -0400

In my research on John Boyd, I came across a discussion of Strategy and Tactics that is worth revisiting as it applies to IT leadership.

Tactics involve our plans around the known and controlled, strategy is our plans around the unknown and uncontrolled.

Tactics adress things that we understand and control. For example, I know that my team has a certain number of vacation days left and that there are X-many working days remaining in the year. I will develop a tactic around the use of vacation days. This is a really good example, because we can imagine a variety of tactics that are all valid. For instance, I can choose to deny vacation or to take a laise faire approach. This tactic might not be popular or respect the people I work with, but at the same time we can imagine an extreme case that demands “all hands on deck” where this might be appropriate. A more conciliatory tactic might be to proactively work to make sure that everyone has a chance to use their vacation days.

Strategy is focused on things we don’t understand or don’t control. A major software supplier will release an update and our IT team has to think through requirements to buy compute today. If that supplier isn’t publishing details, we may not know the appropriate hardware. Our strategy might be estimate and then massively overbuild or to provide for an easy upgrade path. Alternately, our strategy might be to wait for the official release and only purchase servers when the requirements are known. At the same time the hardware saga is playing out, we might also be concerned about the upgrade strategy. Enterprise software is typically customized to some extent and new releases have to have those customizations ported. We also need to get data from the old system to the new system. Again, we’re limited by what we don’t know but we might develop a strategy around enumerating and documenting customizations and backing up data.

Focus

I find that these concepts help explain roles and the types of leeway we provide employees.

An individual contributor is mostly going to focus on working through a tactical plan. The Toyota Production System has a concept that the guy turning the wrench has a say in how a job is accomplished, and that ethos carries through to IT. These folks need to understand the tactical problem, the approach, and understand how to innovate within that window.

Managers recieve strategy and develop tactical plans. Managers have a broader view of where the “known unkmown” is and help their team navigate in that structure. They typically have experience in the environment and can set objectives, develop an approach to achieving that objective, and coach the team on techniques that might be helpful.

Directors and VPs typically work at the level of strategy. They might look at business objectives like a sales approach and targets. Directors typically develop strategic concepts with VPs supplying the ultimate direction. Grand Strategy deals with direction and alliances and is mostly reserved for the executive suite and Boards of Directors.

The Role of Risk

Based on my understanding of Nassim Taleb, I characterize risk as “within normal” and outlier risk. An example of normal risk is the risk of a given part being non-functional on delivery. For example, if I order a thousand SFPs (fiber connectors) then I might expect a certain percentage to be bad and make allowances. AI represents extraordinary risk, in the sense that the parameters and variations seen in the past twenty years might suddenly no longer apply. In 2024, we experienced a series of heavy storms followed by a hurricane. In short order, the foothills and mountains near my home received almost a meter of rain. No one had that on their bingo card.

Risk maps into a discussion of strategy and tactics.

Grand Strategic risks are the most difficult to characterize and backstop. Company leadership has to understand larger trends - such as how AI will impact our business - as well as the potential for complete disruption happening from an unexpected source a la COVID.

Strategic risks deal with unknowns, so a strategy has to feel out those unknowns and be prepared to quickly adapt. Napoleon would divide forces on a broad scale to obfuscate objectives while providing support for each group. His subordinates followed a “plan with branches” that contained general concepts on how to exploit situations that may occur. The American Civil War generals Jackson and Sherman both used similar concepts to manuever into positions that threatened multiple objectives, which forced opposing groups into difficult decisions and allowed them to exploit opportunities.

In a similar way, IT strategy should use OODA-based approaches to empower subordinates down to the individual contributor to adapt to resistance, re-orient, and quickly exploit opportunities by updating tactics. In fact, one thing seen in the military examples is that speed and manuever are critical weapons and that speed is prohibitively difficult in heavily heirarchical organizations. Speed is accomplished through trust, which takes time and purposeful investment to create. Speed is executed through devolving decisions and crisp communication, things that I think are best build on Boyd’s OODA framework. Distributing decision making doesn’t distribute accountability however, and leaders who expect results have to invest heavily in relationships long before the bell rings.

Tactical risk is the most practical risk. What if FedEx doesn’t deliver the part in time? What if this change results in an outage? Tactical risk is handled by those closest to the action. Common responses to tactical risks include spares, backups, and redundancy. Just thinking about tactical risks however, it’s impossible to eliminate failure. Simple math or a monte carlo run will demonstrate that even redundant components with low failure rates will - eventually - both fail at the same time. Part of the tactical response then is to enumerate and communicate those risks and to develop contingencies to minimize downtime.

Google, in their SRE book, has a rule-of-thumb that “adding a 9” (that is, going from 99.9% uptime to 99.99%) doubles costs. I don’t know that is true, but it’s true enough. It’s therefore important to understand when the cost of adding one more nine exceeds the business cost of extended outage.

Takeaways

Tactics deal with knowns, Strategy with unknowns
Tactics address risk through redundancy
OODA techniques are a useful way to quickly address “facts on the ground”
Strategic risks can be addressed through a plan with branches.
Recognize that speed and maneuever are a strategic asset (maybe the most important).

Running GNS3 on Proxmox VE

Wed, 08 Oct 2025 10:00:18 -0500

I’m running GNS3 on Proxmox. GNS3 on ESXi is fairly straight forward, but there are some tweaks needed to support Proxmox.

Disk Format

Proxmox virtualization is Qemu-based and the GNS3 VM is distributed for VirtualBox, VMWare Workstation, VMWare ESXi, and Hyper-V. I’ve worked around that by running GNS3 in VMWare Workstation, but I’ve run into some issues with Workstation causing my machine to “freeze” so I got interested in moving the GNS3 VM to my virtualization host. A little poking around found that other people have been successful with this and provided some ideas.

How to run GNS3 VM on Proxmox VE

Nothing stands still, so before we get into instructions I’ll date this article. This was originally written in January, 2023, and updated in October, 2025.

The first step is to download the VMware ESXi GNS3 VM.
The downloaded file is a ZIP, which expands out to an OVA. OVA is really just another ZIP, so expanding that out gives you two VMDK virtual disks, a manifest(MF) file and an OVF file. The OVF provides information about the virtual hardware environment and the manifest has the hashes of all the files in the OVA. We’re only interested in the two VMDK files (GNS3_VM-disk1.vmdk and GNS3_VM-disk2.vmdk). You can expand these out using most file managers of via the command line.

    tar xvf GNS3_VM.ova

Upload the VMDK files to Proxmox. In the root home directory, I created an import subdirectory for the files. This is very easy to do with Filezilla or from the command line.

    # sftp brent@server
    sftp> cd import
    sftp> put GNS3_VM-disk1.vmdk
    sftp> put GNS3_VM-disk2.vmdk

Create a new Qemu VM in Proxmox by clicking the “Create VM” button in the upper right of the management page.
You can accept the defaults on the General tab. Under OS, steup the VM without any media.
Accept defaults on the System tab and Disks tab. I set my VM to use 4 processors (2 sockets, 2 cores each) and set the default memory to 16GB. I didn’t see a lot of guidance on this, so that was a SWAG. Note the ID (105 in my case).
After the VM is created, select the VM, go to the Hardware section, and select the disk. Click Detach and then Remove from the menu bar.
Import the VMDK disks into Proxmox. SSH into the host and use the qm command to convert the disk to QCOW2 format and import it for use. Change the machine ID (105 is my GNS3 VM) and make sure the VMDK file name matches before running the command below.

    root@pve:~/import# qm importdisk 105 GNS3_VM-disk1.vmdk local-lvm -format qcow2
    importing disk 'GNS3_VM-disk1.vmdk' to VM 105 ...
    Logical volume "vm-105-disk-0" created.
    transferred 0.0 B of 19.5 GiB (0.00%)
    transferred 200.0 MiB of 19.5 GiB (1.00%)
    transferred 400.0 MiB of 19.5 GiB (2.00%)
    ...

Attach the QCOW2 images to your VM using the Add button.
Go to the Proxmox admin page, select the VM, select options, and set the boot order. Double-click the boot Order line and a window will appear to allow you to drag the disk into the correct order. Disk1, the smaller of the two images, should be enabled and the boot drive.
You can also use another tweak: Go into Hardware and double-clicked the Network Device to put the device into a VLAN by setting the tag.
Start the VM. GNS3 started up in the correct VLAN and grabbed a DHCP address. Opening a console, the boot screen of the VM shows the IP address assigned. Accessing this address from a browser will provide the GNS3 web console. You can also use this address in the GNS3 front-end to identify the back-end server.

Shell Setup

Tue, 07 Oct 2025 10:43:06 -0400

A shell is a tool used to execute commands in an operating systems. We most commonly think about shells as graphical (GUI) or command-line (text user interface or “TUI”), although I suppose you could imagine a spoken interface or mixed reality interface. In the context of “Linux”, it’s used mostly to refer to the specific TUI environment in use. Most Linux distributions ship with the Bourne shell (“sh”) and BASH (Bourne again Shell). Here I’m describing my preferred setup for that environment.

Fish

I prefer fish (friendly interactive shell), which does a better job of suggesting syntax. The commands below show installation in a Debian distrobution. chsh is “change shell” and which provides the full path to the executable.

sudo apt install fish chsh -s $(which fish)

Starship

I also enjoy a snazzier presentation of the command line, similar to the Powerline style. For that I use Starship. Starship uses a font that has symbols built in to give a more graphical presentation, so you’ll need to download a nerd font. I’m currently using Overpass.

Install Starship:

curl -sS https://starship.rs/install.sh | sh and add a line to ~/.bashrc to start it with bash. Why bother, since we switched to fish above? Mostly a mental hangup, but there are times you get dropped back to a bash shell and I like it to be pretty. eval “$(starship init bash)”

Setup Starship for Fish by adding a line to ~/.config/fish/config.fish

starship init fish | source

Finally, the default Starship scheme is pretty pedestrian. It can be customized to your hearts content, but a good set of examples are available and easily selectable. I use the catppuccin-powerline preset.

starship preset catppuccin-powerline -o ~/.config/starship.toml

Proxmox

Mon, 06 Oct 2025 21:24:58 -0400

Proxmox Virtual Edition (PVE)

PVE is a hypervisor that supports LXC containers and full virtual machines. It’s comparable to VMWare ESXi. The comparison fits across the board. There’s a Proxmox DataCenter Manager that’s similar to VMWare Cloud Director (VCD), and it supports a similar set of features such as high availability failover.

The current version is 9 (as of 10/25), but my experience has been poor when attempting to upgrade. As a result I recommend v8 for the time being. I also recommend running Proxmox Backup - the closest VMWare comparable might be Zerto.

I’ve been using PVE for a several years and I’ve been pretty pleased with it. I run a virtualization server at home for a few reasons. VMs have been a way to break apps out into seperate environments, making self-hosting easier. Second, I support virtual environments and wanted to use my home network to get hands-on time.

Originally, I used a free version of VMWare but VMWare was purchased by Broadcom. They halted the free version for a while and haven’t proven to be transparent in their approach to licensing, plus the server hardware I was using died, so it made sense to explore alternatives. Proxmox VE had a lot of the capabilities, plus the Linux underpinnings were much more obvious (which supported another direction I was heading). The PVE environment has been mostly good and I’ve never had an issue that I couldn’t recover from (similar to what you’d expect running ESXi).

Environment seutp

Post-install

Switches server to “no-subscription”
removes nag
Disables HA
prompts for reboots after updates
Run “update” or create cron job bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/misc/post-pve-install.sh)"

kernel clean

Keeps current and n-1 kernels

bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/misc/kernel-clean.sh)"

BassT23 Updater

updates host and all VMs and LXcs
Detects OS and supports various package managers (apt, dnf, pacman, apk)
Can be configured to take snapshot or backup before updating bash -c "$(curl -s https://raw.githubusercontent.com/BassT23/Proxmox/master/install.sh)

Host Backup

saves config files to speed reinstallation bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/misc/host-backup.sh)"

CPU Governor Allows selection of CPU scaling governor. In Enterprise settings, moving to “performance” will give more consistent results. In homelabs, use powersave or schedutil (adjusts dynamically with demand). bash -c "$(wget -qLO - https://github.com/tteck/Proxmox/raw/main/misc/scaling-governor.sh)"

Helper scripts

There’s a community that creates scripts to build VMs and LXCs to enable easy setup of popular applications. The scripts cover popular applications including Pi-Hole, Homeassistant, and Homarr. At last check, there were almost 400 supported applications!

Use caution here because the scripts are presented as easy “pipe to bash” commands that should be run from PVE root. The scripts can be downloaded and reviewed or just viewed on Github. Before running a foreign script on your server, it would be advisable to review the script!

Command line notes

Here are some basic command line notes for working with PVE. Version pveversion Node Status pvesh get /nodes/<id>/status

Cluster

Cluster Status pvecm status|nodes|quorum corosync-cmapctl Join a cluster pvecm add|delnode <ip|hostname> Change the quorum number pvecm expected <count>

Networking

Network specifics are configured in /etc/network/interfaces. Details about the environment can be seen from the command line. What the IP? ip a List bridges brctl show List FW rules iptables -L -n

Manage VMs

Managing VMs from the command line can be a good deal easier than using the gui. I’ve found it’s convenient to have a default Ubuntu server ready and turned off. This can then be cloned and configured.

List VMs qm list Interacting with VMs qm start|stop|shutdown|destroy <id> Create a VM qm create <id> --name <name> --memory <size> --net0 <virtio|bridge=vmbrX> --cores <#> --sockets <#> --virtio0 local:<storage>:<size> Clone a VM qm clone <source-id> <new-id> --name <name> Interacting with Snapshots qm snapshot|rollback <id> <snapshot-name> Interacting with Backup vzdump <id> --compress <type> --storage<id> vzrestore <file> <id>

Storage

List storage pvesh get/storage List Storage details pvesh get/storage/<id> Create pvesh create /storage --storage <id> --type <type> --content <type> --path <path> Delete pvesh delete /storage/<id> Change datastore password - I used this once because I changed the root password for PBS. That password was used to map a datastore into PVE, where it was no longer accessible. This allowed the map settings to be updated. root@pve2:~# pvesm set backup --password Enter Password: *******

Lost password

Proxmox allows the administrator to attach to a VM using lxc-attach. The session is logged in as root.

lxc-attach -n <id>

This is extremely useful - for instance, it could be used to reset a lost administrator password using the passwd command!

Proxmox Backup Server

PBS has saved my bacon several times. It’s a “must” when running PVE because it’s an easy way to backup VMs.

Follow a 3-2-1 strategy for backups - at least 3 copies, at least two media types, at least one offline. The original data is the first copy and PBS is the second as long as the PBS VM sits on a seperate server. I recommend Backblaze as a third offsite copy.

You should absolutely review the files that are being backed up to make sure that they include all of the correct files.

It’s also a rule, call it Brent’s Law of DR, that untested disaster recovery never works. You should do a test restore periodically. This might be restoring just a sample file, or restoring an entire VM. Testing the restore process ensures both that the backup is really working and that you remember the steps necessary to invoke a restore.

PBS Setup

Setting up PBS is about as difficult as setting up PVE. If you did the one, the other will not be a problem. The documentation is good, but takes some time to read so here’s a quick walkthrough of the actions you’ll need to take.

Download and install PBS on a new machine. I’m using an old NUC with a 5TB drive. Download the image and throw it on Ventoy! This is an easy and obvious setup, so I won’t walk you through clicking “next”.

Danger!

Don’t install PBS on the PVE it’s backing up! If your Virtual enviroment fails, you don’t want it to take backups with it! If you don’t have a suitable old PC, consider a 1L PC based on the modern Celeron.
When the process is complete, you can administer PBS from https://BACKUPSERVER:8007. Login as root and the password you chose during setup.
Setup a Datastore on PBS. “Add Datastore” is found under Datastore on the Proxmox menu. This will make a local path available for backup use.

Setup Pruning to keep the latest backups. This setup mostly comes down to the crossing point of your budget, paranoia, and available space. You can specify the number of backups to keep over various timeframes, such as days, weeks, months, and years. I backup weekly and want to keep a couple backups, but I also keep monthlys as well in case I realize later that I need a restore.
Get the “fingerprint” using the big “show Fingerprint” button on the dashboard.

PVE Setup to use PBS

Back in the PVE environment, go to the server view and select DataCenter > Storage.
Click Add and choose Proxmox Backup Server from the drop-down menu.
Give the backup server an ID and enter in it’s IP address. Use root@pam as the username, the password you set on PBS and then supply the datastore setup in Step 3 above. Here’s where you’ll need to paste in the fingerprint from PBS. This is also the place where you can fiddle with retention and encryption if needed.

Setup Backups

The simple way to backup a VM at this point is just to select a VM and choose “Backup”. No one remembers to do backups though, so the key is to have them happen automatically.

Still under Datacenter, choose backup and Add.
To backup all VMs from all PVE instances weekly, use the following settings:

Node –All –
Storage pbs
Schedule sun 01:00
Selection: Include selected VMs or All
Send email: Always
Send email to: you@yourdomain.tld
Mode: Stop

At this point, weekly backups should start flowing in. PBS will deduplicate and make very efficient use of space, so even a 4TB backup drive has been fine for me.

Restore a file

Restores are conducted from the PVE admin screen (http://your-pve-server:8006).

Under the Server View Datacenter heading, go to the target server and select the Proxmox Backup Server storage. Mine is called pbs in the screenshot. Because it’s attached to the datacenter, that storage shows up under every server. It’s the same thing, so for file recovery just pick a server to work through.
Pick the backup that has the file you’d like to restore. Depending on the backup policy you specified, there will be several copies over a period of time. If you’re restoring because you borked the config last week, for instance, you may need to go back two weeks to find a working copy.
Once you’ve found your target, select File Restore. I know, kind of obvious.
This opens a file viewer that lets you burrow into directories to find your file. Once selected, choose the Download button to get the file.

Restore a VM

Under the Server View Datacenter heading, go to the target server and select the Proxmox Backup Server storage. Mine is called pbs in the screenshot. Because it’s attached to the datacenter, that storage shows up under every server and so I’m selecting the one under the server that I want to restore to.
Pick the backup you’d like to restore. Again, there will probably be several copies.
Once you’ve found your target, select Restore.
When you restore, you can select the target PVE instance, the storage on that PVE you want to use, and the VM ID.

You can restore it to the existing server, using the existing VM ID, and overwrite the current copy. You can also choose to restore it to a different ID so that there’s a second copy. That could be useful if you’re trying to clone a setup.

Final Notes

The process of setting this up isn’t too confusing. I find the Proxmox interface takes a little time to develop an intuitive feel, but it’s consistent and mades sense.

Distro run-down

Wed, 01 Oct 2025 20:01:46 -0400

Distro run-down

This article summarizes my experiences and organizes my thoughts around Linux as of late 2025. There are a lot of Linux distributions and I haven’t tried to survey the field completely. In the past I’ve tried a wider sample, but for the most part I’m currently interested in either Debian-based or immutable ,modern distributions that support tiling. It’s also important that the distribution support my hardware (such as my multi-monitor setup and printer) and standard software.

Ubuntu or Mint

Both Ubuntu and Mint are Debian-based, which is the environment I’m most familiar with. They’re both pretty standard, reliable, and support all my hardware. They are boring in a good way and thus the yardstick to compare anything else against.

Why not run one of these choices all the time? Mint uses Cinnamon as it’s desktop, and Cinnamon doesn’t (yet) run on Wayland and only supports the crudest tiling. Wayland is the modern display environment and I want to make sure that I’m spending time learning the current technologies. Tiling works really well with my workflow. There are Ubuntu versions that support Gnome or KDE, both of which use Wayland and have tiling plugins. My experience with those plugins is that they’re not bad.

These are not immutable distributions, so they tend to accumulate cruft from past decisions and show age over time. Both have become more opinionated about packaging and security, which creates situations where I have to work around the peculiarities of the environment (for instance, to load Python libraries). The software I use is supported in native (DEB) packaging and works well.

Pop-OS!

(Pop-OS!)[https://system76.com/pop/?srsltid=AfmBOoqbM-J1jVk7iEygYlQ5k4bHjmR0hJbYIQK43a5l4zblIEVkEH1c] 24.04 LTS utilizes an actively developed rust-based Wayland desktop called COSMIC. COSMIC has a lot of potential and recently moved from a seventh alpha to Beta. I think the COSMIC version of tiling is the most developed and most thought out approach and works really well with my workstyle. Pop is debian-based and supports the software and hardware I use well.

COSMIC is still a work-in-progress. The Cosmic store install Enpass via Flatpak by default, and that version doesn’t tie in to Firefox well. If you’re using Enpass with Cosmic, install the app version from the website. I use back-to-back desks and switch between them - it seems to only support one keyboard and mouse at a time. The Cosmic Beta also has some rough spots and I had to reboot once where the desktop wouldn’t accept focus. That seems to be rare and I’m hoping that the splinters are sanded down quickly. Where Ubuntu tends to freeze a system with each release, Pop-OS has some rolling sensibilities that keep it aggressively updated in between official releases.

Bluefin and Aurora

(Bluefin)[https://projectbluefin.io/] and (Aurora)[https://getaurora.dev/en] are immutable distros. This flavor of immutability comes from booting an OCI image with only /home writable. Software is installed in the user environment using Homebrew or Flatpak, and the operating system is upgraded semi-monolithically (changed bits are downloaded and overlaid on the existing image, but it’s functionally an all-in image replacement).

I love the concept! For purposes of functionality, the KDE (Aurora) and Gnome (Bluefin) versions are fungible. I found the system to be rock-solid and I came to see the software installation process as practical. For the most part, these images allow the user to focus on the work and not on the system. They both check off boxes as modern, Wayland-based, and support tiling (as much as KDE and Gnome do). I appreciate the isolation and organization provided by a reliance on Flatpak and an assumption of contianer usage. If I was going to build a machine for Mom, I’d want it to be Chrome-OS like in terms of support and these images are the closest to that experience.

That said, the cost is that it’s difficult to get a customer Brother printer driver installed. Python is supported via devcontainer, which I found a little bespoke but functional. There’s also a push to support AI in a very specific way - via Ramallama and podman desktop. In both cases, these approaches worked but felt forced. One of my primary goals is to use my home environment to learn things to apply at work. Devcontainer wasn’t a big bump, but it was a special case that I don’t expect to use professionally. In the case of AI, I bought a fancy graphics card specifically to play around with self-hosted models and most of the work there is being done in Ollama. I spent a lot of time trying to understand how others used Ollama and translate that into the Bluefin approach. I ended up taking one more stab at immutable in the form of Bluefin. Bluefin is an opinionated “spin” of Silverblue, still using Gnome. It’s aimed more at the cloud-native developer crowd, but the operation of Bluefin is very much like Silverblue.

Enpass as a Flatpak doesn’t seem to integrate with the Firefox plug-in. While giving Bluefin a shot, I tried installing Enpass within ostree.

cd /etc/yum.repos.d/
sudo wget https://yum.enpass.io/enpass-yum.repo
sudo rpm-ostree  install enpass

That worked and fixed the Enpass problem!

Nix

Nix offers a different vision of immutable computing. Nix has a great vision - you can specify the state of your computer in one file, and basically compile that file into a finished computer. This allows you to setup the OS and the installed applications. I think there’s a lot of good ideas there, especially in terms of cloud computing and CI/CD delivery.

That said, a serious dive into Nix-os reveals some real gaps in the current implementation. The core “nix” language has been extended through flakes. Don’t know what a flake is? Good luck finding documentation. If you have a programming background, you may make more headway on Nix. I’ve found it to be slow going.

Without using flakes, there’s not a good way to specify pulling in things like fonts from shared folders, dot (settings) files, and managing flatpaks. I really buy into the vision of a fully specified environment, but Nix seems to be an incomplete implementation at this stage.

Ultimately, I came to see Nix-OS as almost but not fully baked. There are also periodic stories about personality issues within the community that leave me wondering if I can rely on the Nix eco-system. As a side-note - I also seriously looked at Snowflake, which attempts to address some of the rough edges in Nix. It’s still Alpha today, but has promise. I’ll keep an eye on it.

Omarchy

Just to get this out of the way . . . btw, I use Arch. Omarchy is a very personallized distribution of Arch using Hyprland and built along the ideas of David Heinemeier Hansson (dhh). Hyprland is a Wayland-based update of i3 - a keyboard-oriented tiling user interface.

I’m concerned that Arch is going to be a big learning cul-de-sac, but I’ve been able to do a tremendous amount without having to dig into Arch-specific issues. Software installation is setup to “just work” via the Omarchy menu system and has been golden. Most of the system configuration is done in dot files using NeoVim. Text files don’t bother me. I’m a “nano” guy, but I’ve been doing okay enough with NeoVim that I haven’t tried to change it.

Omarchy defaults to Chrome, but I was able to install Firefox and switch it to be the default browser. Other software works great - even Enpass which is becoming my litmus test. Printing just worked. Navigation requires a little commitment to learning the most-common keyboard commands, but they’re starting to commit to muscle memory (in fact, I’ve updated Pop to use the core set for consistency).

Omarchy delivers on the concept of a workstation that’s built for work. The jury is out about Hyprland - mostly because I’m trying to give Cosmic some space to develop. I’ve warmed a little more to the interface everytime I use it and don’t have any specific tricks that I’ve needed to develop to adapt the system.

Non-Linux Honorable Mentions

Haiku isn’t a Linux operating system at all, but an open-source descendant of BeOS. It’s a single-user systems and software support is hit and miss, however there’s a dev version of Firefox (IceWeasel) available now. More and more software is available via the web (self-hosted or in the cloud), so that gives a lot of room for Haiku to be used. File sharing and network printeres aren’t things that I’ve figured out, and it doesn’t check some other boxes (tiling, wayland) and is hard to run on bare metal. It’s a beautiful system worth keeping an eye on.

Redox comes from a set of developers that overlap with Pop-OS! Where COSMIC rustifies the desktop, Redox is an attempt to create a ground-up operating system using Rust. In fact, COSMIC is used as the DE on top of the base OS. It’s an amazing vision with lots of promise, but the current system isn’t ready for daily driving. Web support is meh and there’s not a lot of Redox software available. Is this a successor to Linux or BSD? There’s good bones, but not a lot of flesh to judge from at this point.

Ventoy

Ventoy is an open source project that allows you to copy your ISOs onto a single drive and presents a menu that let’s you choose which to boot. Ventoy can even be used to boot a virtual disk and there’s a network version that prompts after PXE-boot. Ventoy is easy to setup on USB. Download from the site and there is an included executable called Ventoy2Disk that will setup your drive.

Home Assistant Device Recovery

Sat, 18 May 2024 15:09:11 -0400

The problem

Spectrum was in my neighborhood, extending their cable network finally. Bear in mind that Spectrum (Charter in those days) promised this “soon” when I first moved in.

So, anyway, 24 years later they were installing conduit, nicked a power line, and shut down the neighborhood. As much as I’m griping about others, this story is really about personal stupidity. I setup a bunch of Shelly plugs to work with Home Assistant and didn’t lock down their IPs.

Is this, really a problem?

Yes, it is.

Devices are added to Home Assistant under settings > devices and then choosing the Add Device button. The Device settings records the MAC, but the IP isn’t shown anywhere in Home Assistant that I could find. For completeness, yes, I googled it as well. I guess I assumed that the discovery was via MAC, but after the Spectrum reboot my devices all got new addresses from DHCP and all my buttons were broken.

One way to recover would be to rediscover all the devices and subsequently rebuild all my dashboards and integrations. I’d prefer not to do that. I didn’t label devices before, nor did I write down the original IPs, so that process sounds like work. I had one device that I did have an IP for so I tried to change the IP back and was able to verify that using the original IP will fix the integration.

I need a map

I was able to find my original IPs in the Home Assistant container config files. From the container host, I used docker to access the host as shown below. -i is for interactive and -t is for a terminal, with homeassistant being the container name (found via “docker ps”).

sudo docker exec -i -t homeassitant bash

In the container, navigate to /config/.storage and view the core.device_registry file.

cd .storage
cat core.device_registry

The registry is formatted in JSON, but a little searching will turn up the obvious sections that map IPs to MACs (snippet below).

“configuration_url”: “http://192.168.1.222”, “connections”: [ [ “mac”, “d4:d4:da:01:02:03” ] ]

Resetting IPs

To fix the situation, I did what I should have done the first time. I locked down the IPs. One way would be to set a static IP, but I want to manage this in DHCP.

I’m using PFSense for DHCP, so after logging into PFSense I navigated to Services>DHCP Server. At the bottom of the page, under “DHCP Static Mappings” I clicked the button and filled in the IP and MAC on the next page. Saving the mapping is the obvious last step. Setting a DHCP record doesn’t change the device. To get it to move to the new IP, you’ll need to restart it. One way would be to unplug the device (probably the easy way). Another way - my method - was to go to Status > DHCP Leases in PFSense and query the MAC to get it’s current IP. Shelly devices have a web interface, so navigating to the device provides a reboot button under settings. When the device reboots, the integration in Home Assistant will be working!

Turning off Evolution Alarm Notify

Sun, 24 Mar 2024 16:35:20 -0400

Ridding Yourself of Annoying Calendar Pop-ups on Linux

Gnome will prompt for email accounts, and then tie in alerts from your calendar. These come in as pop-up windows. If you liked these in Outlook, you’ll be pleased with the Linux implementation.

I didn’t like these reminders in Outlook. I feel that too many programs are competing for my attention and that pop-ups in general are a drain on my concentration. I understand the thought and I understand that it’s useful for some, just not for me.

These days, I have a couple of 4k displays and really like tiling desktops (I’m currently using Ubuntu Gnome with the Forge extension). These pop-ups are doubly annoying in this context because they occupy a slice of screen and completely disrupt what I’m working with.

What doesn’t work

Uninstalling Evolution doesn’t work.

The next obvious solution would be to turn off the notifications. In Gnome, opening the control panel shows a notifications tab where you can turn OFF Evolution Alarm Notify.

This doesn’t work. The reminders keep popping up. This is a bug that goes back several years.

Removing the calendar file used by Evolution Alarm Nofiy does not work. In the past, EAN would simply re-create the file at next boot. That bug seems to be fixed and I’ve verified that the calendar file is NOT recreated, however EAN is still popping up.

rm ~/.local/share/evolution/calendar/system/calendar.ics

What seems to work (April ‘24)

Add the following line to /etc/xdg/autostart/org.gnome.Evolution-alarm-notify.desktop:

NotShowIn=Gnome;

Adding a user to Ubuntu

Mon, 26 Feb 2024 20:56:43 -0500

I built an Ubuntu server for work and then had to add a group of co-workers. I always need to lookup this up, so hopefully my notes will help you!

Adding a user

Adding a user to Linux is simple enough. The bash command is useradd. For a user bstewart, the commend is shown below.

sudo useradd bstewart

Set password

One the user is created, they have to be assigned an initial password. This is done with the passwd command, which will then prompt for the new password twice (to confirm).

sudo passwd bstewart

The passwd command can be used by the user later - without sudo - to change their initial password.

Create a Home Directory

The last step to to instatiate a home directory.

sudo mkhomedir_helper bstewart

Github setup

Sun, 25 Feb 2024 14:47:54 -0500

Recently I had to rebuild my desktop. Backups were my friend, and recreating my rig and loading files went without a hitch. My git directory restored, but I needed to reconnect them to Github. I decided to start with fresh pulls, so I renamed git to oldgit and pulled down my repos (including the one that’s used for this website).

Once setup, Github is easy to use, but I always forget how to set it up and have to rediscover the process. Hopefully, this quick step-by-step will help you avoid that difficulty (and will help me the next time I need to do it)!

Cloning the repo

In this case, my repos already exist. I started by cloning from github to have a clean current copy. I’m using this website as an example.

git clone https://github.com/brentstewart/nextpertise.git

Setting

Next I created a personal token. I clicked my user icon (my smiling face) in the upper right hand corner of the Github site and chose Settings (near the bottom). In the settings menu, choose <Developer settings> at the bottom. This gets you to a menu that let’s you chose Personal access tokens. I use classic tokens - the “fine grained” option allows for permisssions and would be more appropriate if there was a team of people maintaining this site.

At this point, it’s as simple as clicking Generate new token and then copying the text string down for later use.

Git Access to Github

You can test the new setup with an ssh to Github. You should be prompted for your Github username and then a password. Use the token from above for the password.

ssh -T git@github.com
Hi brentstewart! You've successfully authenticated, but GitHub does not provide shell access.

Credentials can be saved (so you aren’t prompted with each interaction).

    git config --global credential.helper store

Danger

This cute command saves your creds to disk in plain text. Be careful!

Once the token is setup, push and pull commands should work without forcing your to reauthenticate. A typical workflow of syncing to git might be:

git add .
git commit -m "Another commit"
git push

Biz card

Wed, 25 Oct 2023 21:14:12 -0400

One of the guys on Jupiter Broadcasting spoke about a curl-able business card and I thought, “Gotta try it”.

A little searching led me to an example - the card of Bryan Jenks. I used Bryan’s work as a template. Here’s what my finished version looks like.

The basic concept is simple enough - put a slug of text on a web server and anyone can curl it. Following Bryan’s example, I’m using console escape codes to provide color. Here’s a few I find useful.

Table: Console escape codes
Esc	Effect	Esc	Color
[0m	Plain text	[30m	Black
[1m	bold	[31m	Red
[2m	dim	[32m	Green
[4m	underscore	[33m	Gold
[5m	blink	[34m	Blue
[7m	reverse	[35m	Magenta
		[36m	Cyan
		[37m	White

You’ll notice from the screen shot that I was able to test this with Hugo’s built-in server. I want to deploy this publicly though, so I went to bit.ly and took the long URL http://nextpertise.net/business_card.text and shortened it to bit.ly/brentbizcard.

The hardest part of this short project was getting the spacing to work out. There’s no magic, just testing, adjusting, and retesting. Not the most useful project, but it has a certain geek-cred. To access the card, just use curl.

curl -sL http://bit.ly/brentbizcard

JiraReport

Sat, 21 Oct 2023 11:47:23 -0400

I recently had a lot of fun building a quick program to pull data from Jira Cloud and produce Word reports. I’ve shared jirareport at Github if you are curious. If you use Jira, this may be of interest (although most folks who use Jira are well beyond my meager abilities).

Even if you don’t use Jira, this was an interesting experience. It was a fairly simple re-introduction to Python, something that I’ve tried to get started in on-and-off over the years. Seeing it work though was a huge feeling of empowerment and encourgagement, something I hope you are able to experience (whatever cloud resource you need to use).

Using my tools

My project contains two Python 3 programs - jirareport and lsFields. To run these programs, you’ll need the following information:

Jira Cloud URL (like https://yourcompany.atlassian.com)
Your Jira username (like me@mycompany.com)
Your Jira API Key.

If you don’t have an API key already

In Jira, click your picture in the upper right and choose manage account
In the profile page, choose the Security tab on the top.
Under Security, go to Create and manage API tokens

lsFields

This program will take the above input and produce a list of fields and field IDs used in your instance of Jira Cloud. In our instance, we’ve added fields and the ID shows as customfield_00000. I’m positive that you’ll want to change the fields I print in the report, since some of mine are custom. Use this tool to list the fields in your instance and replace the fields that I use.

JiraReport

This is the one that does the work. JiraReport will take the above inputs plus a JQL query to produce a report. I use the Filters page in Jira Cloud to produce and test my queries as needed, then just paste JQL into the report. Finally, it will ask for an output filename. If you press enter, it will just use jira_report.docx.

The report includes story keys that are hyperlinks back to the story in Jira Cloud. The Assignee field also displays the persons name and is a hyperlink to their email address.

Developing

This is my first really useful program in a few years, since I wrote a program to parse SSH logs a while back. There are a few things I wanted to note about the experience that may be helpful for you.

First, ChatGPT was mostly useful. General web searches came up with a lot of different snippets, but just asking ChatGPT to write the program gave me most of the bones. I asked ChatGPT for a program to access Jira, for instance, then I asked it for a program to output Word files. I relied on my hackery to stitch the pieces together. As I encountered issues, I’d ask ChatGPT something like, “The above is great, but how would I do it in yellow?”

This is probably significant for this point in time (2023). A few years ago, places like Stack Overflow were reliably the best places to work through coding issues. Stack Overflow has become, over time, a less forgivning environment and some questions result in contradictory solutions.

Vendor documentation used to be filled with examples as well, but I didn’t find what I needed from Jira. I used the open-source Python-docx library and it’s great, but I really struggled with understanding how to apply what I found in their documentation. I don’t want that to sound like complaining - I am grateful for the volunteers at Python-docx and the great tool that their providing to the community. As a beginner, I just found it hard to get started. I found ChatGPT to be a useful way to bridge the gap in both cases.

Second, ChatGPT has it’s limits. At certain points, ChatGPT gave me code that just didn’t work and I was off to Lemmy or Reddit. I found that ChatGPT was a pretty good place to start, but you need to be prepared to drop it if you realize it’s giving you junk.

The Python-docx library is a huge gift. There are some places where I had to spend some time expirimenting to get it to do what I wanted, so be prepared to do some tinkering. I’ve got some good examples in the code that you may want to look at for other projects. For example, the process of building links took some time to put together, especially when those links are part of a paragraph.

Finally, my users don’t always fill out all fields and the program would fail if the linking information wasn’t present which led to the try/except bracketing. That was a really good lesson in graceful error handling.

NVidia 5.35 Update

Thu, 19 Oct 2023 08:32:41 -0400

Two months ago, I warned of issues with the 5.35 driver

Since the initial post, I tried 5.35 after a rev and found that it worked well. Until today.

nvidia-smi

I used nvidia-smi this time and was able to see that - although dpkg showed the files installed, the driver wasn’t loaded. I found some instructions from Michael Murphy on [Lemmy.world] that helped to resolve this.

sudo apt purge ~nnvidia
sudo apt install nvidia-driver-535
sudo reboot

Keep this handy

There’s definitely something funky about 5.35. I haven’t had this problem before and this machine has been stable for a couple years now. It’s probably a good idea to keep this idea in mind when you install the latest drivers.

Technical Debt

Mon, 02 Oct 2023 09:59:14 -0400

I’m going to wander into some concepts from my day job. Give me a little room and I’ll relate how this insight is relevant to everyone and what I’ve learned. By the time I start to make that turn, though, I’m guessing you’ll be well ahead of me.

Technical Debt

Technical debt is a concept that commonly discussed in IT. It’s generally understood to be the cost of delayed license and hardware upgrades. For instance, if you’re still running Window 10 then at some point you’ll need to migrate to Windows 11. There will be a cost to that upgrade. Running Windows 10 today means that cost is something you’ll have to bear in the future.

At budget time, IT folks talk about this version of technical debt (future costs of delayed licenses or hardware replacmeents). Doing some of these needed upgrades is referred to as “paying down technical debt”.

Gene Kim’s revised definition

Gene Kim, who’s written several thoughtful books on IT management including The Phoenix Project, wrote about technical debt in a slightly different way. He wrote that technical debt is the total future costs you are committed to based on current decisions. The two are similar at a surface level, but Kim’s idea gets to a deeper truth.

I know that several of you thought about ways to avoid that Windows 10 debt. If you thought about Linux, I approve. But there’s still costs. There are costs involved with learning something new (in time and perhaps money), there are opportunity costs with not being able to conveniently use Windows stuff.

Kim’s definition gets at this total costs - actual outlay to vendors, commitments of time, and associated costs. It also speaks to the ongoing costs of not upgrading - maybe security risks or incompatibilities - as well as the normal costs of operation. Normal costs of operation for Windows include things like “blue screens of death”, ongoing privacy impingement, and troubleshooting.

The typical definition - future license and hardware costs - assumes that technical debt is something to be avoided and that larger technical debt is a sign of underinvestment. Kim’s definition - future total costs of today’s commitments - speaks to a larger truth that every decision, good or bad, carries some consequences and that larger technical debt is actually just a deeper understanding of those commitments.

Both definitions have a place in IT discussions. Kim’s is not limited to budget time, though, and speaks to a larger self-awareness.

Likewise

And here’s the turn you saw coming. Technical debt is something we all have to face and think about.

Imagine you purchase the car of your dreams. This purchase makes you unbelievably happy! Still, you have incurred technical debt (and not just the monthly payment kind). Purchasing a car means that you need to budget for gas. It means that at some point you’ll need to make repairs on the car, or have someone do that upkeep for you. It means you’ll need time on Saturday’s to wash the darn thing!

We’re taught that debt is bad and I’m not going to disagree. This philosophical kind of debt is basically a consequence of living. It’s not so much about avoiding it, which is impossible, as managing it.

Managing Technical Debt

So, how does one manage it? This section gets into my opinion, so be warned.

The most important outcome of this discussion is just being aware and thinking through the logical consequences of our decisions. Your decisions today might mean that you’ll need to know a new language, need to learn a new skill, or need to spend money in the future. Being aware of those commitments, listing them out and thinking about them, gives us the chance to deal with them proactively. Generally, I’ve found that anticipating issues and dealing with them early is cheaper than waiting for “Boom!” and scrambling.

For example, if you purchased a car you’re going to have to repair something at some point. If you want to do that yourself, you’re going to need tools and know-how. Today might be a good time to visit Autozone or to register for a community college class.

Technical debt is a part of life and largely beyond our control. However, we can typically choose the type of repayment. In the car example, we can balance monetary costs, time commitments, and other costs. One might purchase a used car to save money, and choose to do as many repairs as possible at home. A different person might find that their time at work allows them to earn more money than they’d spend on repairs, and might choose to start saving. Spending money for durability is another example of this same concept.

All this discussion of debt does require one last thought. The point of living is to live! Don’t let this discussion keep you from doing the things the add value to your life and your family. Things that have value, some of which can be frivilous, give life meaning. Just choose those things wisely and understand the natural consequences of your decisions.

Building a Home Web Dashboard

Sat, 30 Sep 2023 11:29:45 -0400

Home Dashboards

Home web dashboards serve as a “starting point” for web sessions. Especially as a certain portion of applications now reside online, a home dashboard is a customized menu of the things that you need presented in the way you want. Dashboards could be as simple as a collection of links, or include things like network and server statistics or embedded frames.

Hosting your own dashboard also reduces internet traffic, limits the public data footprint (particularly if you are using it to access local resources), and creates resiliancy (in the sense that local services are still easily accessible if the Internet connection is down).

I have had a hand-coded homepage running on Apache for a long time. I recently tried out some options in Docker and wanted to share the experience.

Setting homepage

Before we get into the actual options, we’ll need a brief aside on how to actually have a default page. Browsers used to have a “homepage” setting that showed a certain site whenever a new window opened. Over time, browsers have wanted to “feature” their own content and brand and have made it harder to set a starting point. Browsers change frequently, so these instructions are current as of late 2023.

For Chrome - Google has rolled out a new “Privacy Sandbox” that makes it easier for them to target ads and harder for you to avoid profiling. The best option is to use another browser.

Meanwhile, when it comes to refuting the concepts of privacy and private ownership, Edge says, “Hold my beer”. Again, the best option is to avoid the problem.

Mozilla is a little bit of a journey sometimes, but I’ve settled on Firefox as a browser that performs well and respects privacy. To set a homepage, go to settings > home and there’s a place to set the homepage. Even Firefox wants to land you on a page they control though - this setting only works for new windows and clicking the “home” button. Under “New Tabs” the only options are blank page and Firefox Home (Default). In the good old days, you could pick your own default! To fix this I use the New Tab Override extension.

tip

See this old post to see why my homepage is set to www.home.arpa…

BYO

The first option is to Build Your Own. This is the option I’ve traditionally used. Running an Apache server is pretty easy, and I use my home environment as a training area so this forces me to understand the basics of Apache and HTML. Since I’m a router guy, I don’t get up to Layer 7 unless forced, so it’s a good way to force myself to be more technically rounded.

I’m using VS Code to write basic HTML and CSS (with flexboxes to space things out). I might delve into that setup in a seperate article. This has the advantage of being a teaching tool and being reasonably easy to maintain. It doesn’t include any dynamic elements and it’s not the smoothest presentation.

be careful!

The easiest way to create icons for links is to refer to the host site’s image. For instance, you can right click on “Nextpertise” above and choose get image link and then refer to the image https://nextpertise.net/nextpertise_rays.png. If you do this, the site owner and others will see you pulling the image. For instance, the sites your linking to may show up in your companies logging if you open your homepage while on VPN.

Homepage

Homepage is a slick home dashboard that is available on Github. The dashboard features integrations and dynamic widgets for a lot of different services, like pi-hole and proxmox, and it can pull in information from different providers. I installed it via docker using a docker-compose.yml file that looks lie this.

version: "3.3"
services:
  homepage:
    image: ghcr.io/benphelps/homepage:latest
    container_name: homepage
    ports:
      - 3000:3000
    volumes:
      - /home/brent/homepage:/app/config # Make sure your local config directory exists
      - /var/run/docker.sock:/var/run/docker.sock # (optional) For docker integrations, see alternative methods
    restart: always

Homepage is easy to install. In the example, you can see that I’ve started to customize it and I was able to quickly approximate my old bespoke page. Homepage is configured by editing some YAML files, so it’s fairly easy to setup. It’s tedious, but not as bad as typing raw HTML. The container includes the web server, so this is really easy to fire up and use.

I liked Homepage. It’s performant, includes some dynamic status elements that I find valuable and would be hard to recreate by hand, and the documentation is reasonably good. Integrating webpage icons has been a little of a challenge, but setting up the pi-hole integration (for instance) was very straightforward. Moreover, it’s pretty.

Dashy

Dashy is another home dashboard, published on Github, that can be easily stood up via Docker. I found Dashy to be the prettiest option. Once the container is setup, Dashy is fully ready to go.

Customization is done via the UI to edit JSON. I’m not a big fan of editing JSON, but I can navigate it. However, I also found that Dashy sometimes honored my edits and sometimes lost them.

Dashy has a wide variety of really cool ways of grabbing a home page icon, but most of them will go out and grab the file from the website each time the page loads (remember the earlier tip!). I ended up referencing the icon files from my exisitng web server to solve the problem. Re-typing the same content when it was lost got tiresome though, and I ultimately left my time with Dashy feeling a little frustrated.

Here’s the docker command to deploy dashy.

sudo docker run -p 8080:80 lissy93/dashy

Home Assistant

I’ll add a fourth option, although I think it’s only going to be best in certain situations. Consider using Home Assistant to build your home dashboard.

Home Assistant is awesome and you should run it in your home. It’s a great way to consolidate a lot of IP-attached devices. You can build a dashboard to control them, you can build automations (such as having lights come on at sundown), and you can pull many devices together to create “scenes”. A scene might be just area lighting to create ambiance for an intimate dinner, for instance, and then anther scene could be all the lights on for cleaning up.

You can use Home Assistant’s dashboard to embed web links. I was able to use the Markdown card to add a group of links and include images. There’s also a card to embed a webpage into your dashboard, and integrations for things like monitoring a pi-hole or proxmox server.

Setting up Home Assistant using docker looks like this:

sudo docker run -d   --name homeassistant   --privileged   --restart=unless-stopped   -e TZ=EST   -v /PATH_TO_YOUR_CONFIG:/config   --network=host   ghcr.io/home-assistant/home-assistant:stable

Home Assistant is fairly easy to setup and would allow integration with IoT controls. I found that the card system eats up a lot of screen real estate and it would be hard to have a lot of links, but this is a nice middle ground between something like homepage and building your own.

Obviously HA can be uber-customized. The screenshot on the right is from their example page and there are a lot of ideas on here that I don’t know how to recreate. You can really make this dashboard sing, so take a look at their example pages.

Conclusions

My first conclussion is that these were all pretty easy to setup and test. So I’d suggest you give them a try and see what you think. As for me, I really like where Dashy is going but found it frustrating in it’s current state. Using Home Assistant as a start page was tough because it didn’t give me a lot of control over layout and didn’t support a lot of density, but I could see how this could be the right option. Homepage seems good, but I think for now I’ll continue to hand code it to get that experience.

Markdown to DOCX

Fri, 22 Sep 2023 08:17:00 -0400

Exporting Markdown

Most of my writing is in markdown in two applications - Visual Studio Code (where I write blog posts amoung other things) and Obsidian. Although initially reluctant, I’ve grown to appreciate the portability and easy reuse that markdown allows. The problem is that the rest of the world doesn’t always appreciate what is obvious to me. As an example, the folks at work prefer their documents in Office formats.

Office to Obsidian

One of the things I love about markdown is that it’s an easy format to migrate to and from, perhaps because it’s a simple format. I wrote about an automated process to take Word documents, convert them to markdown, and incorporate them into your Obsidian vault in Word to Obsidian with a DIY CI.

Obsidian to Word

The techniques I used in the above article could be used for any type of file format changes, but exporting from Obsidian isn’t always to DOCX and isn’t always aimed at a particular directory. In fact, if you are using O365 then it may need to be uploaded to an arbitrary place on OneDrive/Sharepoint in a seperate step. Instead, I’ve found the best method to be the Pandoc Plugin.

In Obsidian, go to options (the cog in the lower right), then to _Community Plugins" and search for Pandoc. This presents an “install” button, which adds the plugin to your vault and it can then be enabled. Don’t forget to enable it! I do that sometimes and then wonder why it’s not working.

I’ve found that the plugin exposes Pandoc options pretty well and that default settings work well (I’ve mostly used it to export to DOCX and PDF). There are options to supply default formating to the document, but they’re not necessary.

Hugo Markdown to Word

Other sources of markdown files, such as those from Hugo or Github, can be converted using Pandoc on the commandline. The issue here is that Hugo files typically include embedded images, and the images are specified based on where the image ends up after compilation. When you run hugo it takes the markdown directories and produces a set of html files in a new structure. On this blog, my images are refrenced at the “root” pre-compilation, for instance “/image.png”, alongside the written content. In the on-disk structure (and you can see this in the github) my writing is under “/post/file.md” and the images are under “/static/image.png”.

When Pandoc runs against the raw Hugo markdown, it just references the path and produces compilation errors. I also use CSS to style images, which modifies the URL (for instance “/image.png#floatright”). The CSS markings are also lost on Pandoc and will cause errors. There are three ways to deal with this. The first is to manually edit the markdown to remove the image or correct the path. Options two and three involve a pre-processor, a piece of lua code that Pandoc runs mid-conversion. Option two is to use a lua pre-processor to remove all images.

brent@hyper > cat filterimagesinpandoc.lua 
function Image () return {} end

Option three is to use a lua pre-processor to correct the path and remove the styling. No code demonstrated here because I use option 2 and the code would depend on your directory structure.

The final trick to converting markdown - Hugo, Obsidian, or any other - is to understand that Pandoc expects markdown to begin with a YAML header. That header can be as simple as an authors name. The YAML ends with a line of three dashses.

author: Brent
---

Pandoc will fail if it doesn’t see that YAML header. Most Hugo files and most Obsidian files are going to include that header, so you should be okay. Pandoc also gets confused if it sees three dashes on a line later in the file. I used that to generate a seperator line in Obsidian and caused Pandoc to blow up. Make sure that there is at least a primitive YAML header AND that there’s only one line of three dashes.

Converting ends up looking like this. This command specifies the source (markdown.doc), the output file and format (Word.docx) and the filter.

pandoc ~/Folder/markdown.md -o Word.docx --lua-filter filterimagesinpandoc.lua

So rock on with Markdown and convert to Word as you need to live with the normies. Hope this helps!

Gnome Activities Workspace Name Extension

Sun, 17 Sep 2023 14:34:35 -0400

Cool Extension

The Activities Workspace Name allows you to change the “Activities” label in the top left of a Gnome desktop to reflect a name for each workspace. I find it really useful.

My current setup is to use workspaces to seperate the different types of activities, so I have one for work, one for writing, one for development, and one for learning. I have a 4K display, run Pop! tiling or use that tiling extension in Gnome, and use the to left corner to flip desktops. Maybe I’m a little too obsessive, but I’ve wanted a way to label those spaces to make them easy to identify.

I found this extension, available on the Gnome extension site and at Github, and it does a great job of filling this gap. Below is a sample with the Workspace label applied (I zoomed in):

The easy way to add the extension is to go to the gnome extension site and enable it. There are two ways to set workspace names: long clicking on the label or via command line. Long clicking I eventually got to work, sometimes. Sometimes a long click is results in showing all the workspaces, but this may be an artifact of runnign on Pop!. Option #2, which is easy and always works for me, is to set it via the command line. Here’s the command I use to name my four workspaces.

gsettings set org.gnome.desktop.wm.preferences workspace-names "['Work', 'Writing', 'Dev','Learning']"

A lament

Extensions on Gnome have recently been in better shape. There was a long time where I found them to be a problem. My understanding is that Gnome changed pieces of the environment between versions which tended to break extensions. It seems like the last year or so has been a good period, even with a couple versions of Gnome revving. However, word is that Gnome 45 will break every extension. Will this one be updated, or any of the other extensions I’ve built my workflow around?

I ran Cinnamon for a long time and really liked it. It was very stable, easy, and attractive. I spent a little time bouncing around between KDE and Gnome (and really liked KDE better), then discovered tiling in i3 and started trying to incorporate that into a richer DE. Pop! came out about that time and settled the issue and has been a dream for years. Pop! is creating their own DE for the next version, Gnome is back to breaking things, and KDE is undergoing a major version shift (to 6) in February 2024, so I may be in for another of those periods of flitting between desktops. The winner, for me, will be the one that enables the workflow I’ve become used to - easy and automated tiling and easy access to multiple desktops.

None of that discussion takes anythig away from the Workspace Name extension, which has been a good fit and stable addition to my desktop.

Terminal Weather

Sun, 10 Sep 2023 19:45:03 -0400

I found a fun addition to my command line - wttr.in. I live in Hickory, NC, and the following curl command will return the weather to the command line:

curl 'https://wttr.in/Hickory%20NC'?0?A?u
Weather report: Hickory NC

  _`/"".-.     Thunderstorm in vicinity, light rain
    ,\_(   ).   68 °F          
    /(___(__)  ↓ 2 mph        
      ⚡‘‘⚡‘‘  9 mi           
      ‘ ‘ ‘ ‘   0.0 in

Seeing a three day forcast is even easier. curl ‘https://wttr.in/Hickory%20NC' Weather report: Hickory NC

  _`/"".-.     Thunderstorm in vicinity, light rain
    ,\_(   ).   68 °F          
    /(___(__)  ↓ 2 mph        
      ⚡‘‘⚡‘‘  9 mi           
      ‘ ‘ ‘ ‘   0.0 in         
                                                      ┌─────────────┐                                                       
┌──────────────────────────────┬───────────────────────┤  Sun 10 Sep ├───────────────────────┬──────────────────────────────┐
│            Morning           │             Noon      └──────┬──────┘     Evening           │             Night            │
├──────────────────────────────┼──────────────────────────────┼──────────────────────────────┼──────────────────────────────┤
│               Fog            │               Overcast       │    \  /       Partly cloudy  │     \   /     Clear          │
│  _ - _ - _ -  68 °F          │      .--.     71 °F          │  _ /"".-.     +77(80) °F     │      .-.      +73(77) °F     │
│   _ - _ - _   ↓ 3-4 mph      │   .-(    ).   ↙ 3-4 mph      │    \_(   ).   ← 1-2 mph      │   ― (   ) ―   ↓ 1-4 mph      │
│  _ - _ - _ -  6 mi           │  (___.__)__)  6 mi           │    /(___(__)  6 mi           │      `-’      6 mi           │
│               0.0 in | 0%    │               0.0 in | 0%    │               0.0 in | 0%    │     /   \     0.0 in | 0%    │
└──────────────────────────────┴──────────────────────────────┴──────────────────────────────┴──────────────────────────────┘
                                                      ┌─────────────┐                                                       
┌──────────────────────────────┬───────────────────────┤  Mon 11 Sep ├───────────────────────┬──────────────────────────────┐
│            Morning           │             Noon      └──────┬──────┘     Evening           │             Night            │
├──────────────────────────────┼──────────────────────────────┼──────────────────────────────┼──────────────────────────────┤
│    \  /       Partly cloudy  │     \   /     Sunny          │    \  /       Partly cloudy  │  _`/"".-.     Patchy rain po…│
│  _ /"".-.     68 °F          │      .-.      +82(84) °F     │  _ /"".-.     +77(80) °F     │   ,\_(   ).   71 °F          │
│    \_(   ).   ↘ 2-3 mph      │   ― (   ) ―   ↑ 3-4 mph      │    \_(   ).   ↓ 3-6 mph      │    /(___(__)  ↘ 3-7 mph      │
│    /(___(__)  6 mi           │      `-’      6 mi           │    /(___(__)  6 mi           │      ‘ ‘ ‘ ‘  6 mi           │
│               0.0 in | 0%    │     /   \     0.0 in | 0%    │               0.0 in | 0%    │     ‘ ‘ ‘ ‘   0.0 in | 82%   │
└──────────────────────────────┴──────────────────────────────┴──────────────────────────────┴──────────────────────────────┘
                                                      ┌─────────────┐                                                       
┌──────────────────────────────┬───────────────────────┤  Tue 12 Sep ├───────────────────────┬──────────────────────────────┐
│            Morning           │             Noon      └──────┬──────┘     Evening           │             Night            │
├──────────────────────────────┼──────────────────────────────┼──────────────────────────────┼──────────────────────────────┤
│     \   /     Sunny          │     \   /     Sunny          │  _`/"".-.     Patchy rain po…│  _`/"".-.     Patchy rain po…│
│      .-.      71 °F          │      .-.      +84(86) °F     │   ,\_(   ).   68 °F          │   ,\_(   ).   68 °F          │
│   ― (   ) ―   → 2-3 mph      │   ― (   ) ―   ↗ 4-5 mph      │    /(___(__)  ↘ 4-9 mph      │    /(___(__)  ↘ 6-13 mph     │
│      `-’      6 mi           │      `-’      6 mi           │      ‘ ‘ ‘ ‘  5 mi           │      ‘ ‘ ‘ ‘  5 mi           │
│     /   \     0.0 in | 0%    │     /   \     0.0 in | 0%    │     ‘ ‘ ‘ ‘   0.0 in | 60%   │     ‘ ‘ ‘ ‘   0.0 in | 73%   │
└──────────────────────────────┴──────────────────────────────┴──────────────────────────────┴──────────────────────────────┘
Location: Hickory, Catawba County, North Carolina, United States [35.7333312,-81.3442915]

You can also go to this web page to see the forcast as a graphic file: https://wttr.in/hickory+nc.png

All well and good, but that’s a complicated command to remember. I know, that’s what the up-arrow and history are for, but still there needs to be an easier way. I created two aliases to let me easily see the current and three day forcast.

alias weather="curl 'https://wttr.in/Hickory%20NC'?m"
alias forcast="curl 'https://wttr.in/Hickory%20NC'?0?A?u?m"

The alias will remain in place for that session. If you use BASH and want to make that permanently available, add the alias command into .bashrc. You can also add one of those alias at the end of ,bashrc to have it automatically display your current conditionsa and forcast every time you start a session - I’ve found forecast works pretty well.

Python on Pop

Sat, 09 Sep 2023 21:58:42 -0400

In the course of building out a small program the other day, I realized that my version of Python was lagging behind.

python -V
Python 3.8.17

My setup

I’m running Pop! OS 22.04, the latest version of Pop! for a while. Pop! currently uses Gnome with add-ins to customize the interface and deliver the tiled experience that Pop! is known for. Extensions have been a bugaboo for Gome for a long time (although recently - 2023 - they’ve gotten better, but I understand Gnome 45 breaks them all again). Word trickled out that System 76 had difficulties in working with the Gnome team as well. In 2022, System 76 decided to pursue their own Rust-based desktop environment as a replacement for Gnome. In order to free up resources, they decided to maintain 22.04 and to not build interim releases.

Despite the fact that I’ve been running the same release for a couple years, Pop! continues to be my favorite experience. System 76 has pushed updates out and I’ve commented several times that the kernel is fresh and the components are kept current so Pop! still feels like a good place. I’ve historically been a hopper and staying on one distro for a prolonged period of time is a change. That said, finding out Python was several versions behind was a moment.

I’m very interested in Nix, as an aside. I’ve got Nix installed on a laptop and loaded the System 76 tiling extension. Nix has a lot going for it, but I’m still try to learn flakes and Home Manager and don’t feel ready to put this on my main device. The laptop is a place I can “burn and rebuild”. Still, if I start hopping again, it will be to go to Nix.

Updating Python on Pop! OS 22.04

I used python -V or python –version to determine my current version. To move to the latest Python, 3.10, I added the PPA for Python.

sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt update
sudo apt install python3.10

you can check this by looking at the installed packages.

apt list | grep python

At this point, both 3.8 and 3.10 were installed on my system. I used sudo update-alternatives –config python3 to select the version that I wanted to use by default. Running the command will show you a list of python installs and allow you to select one. Using update-alternatives instead of deleting Python 3.8 maintains the old version for any dependencies. When I used it, I found I had a copy of miniconda that I no longer needed and I ended up uninstalling it.

I also like to be able to type python3 or just python. To set that up, I added an alias as well.

alias python /usr/bin/python3.10

So now I’m up to date!

python --version

You may also need to update PIP.

python3.10 -m  pip install --upgrade pip

Ahrefs update

Mon, 04 Sep 2023 08:43:45 -0400

I wrote about Ahrefs a month ago. Ahrefs is a site inspector that provides feedback on errors on a website. I contine to use it and be pleased with it.

Ahrefs after a month

As this site has grown, I’ve encountered a number of issues. In the original post, I mentioned that I changed the folder structure at one time and even after a self-audit to clean things up still found references using the old structure. I’ve been continuing to work through the problems that Ahrefs found and try to clean up a few each week. I haven’t posted as much because of this change of focus, but I hope that you can see an improvement in website quality.

Ahrefs has also revealed problems of old age. When I mention a product or a project and include an image, I have generally done that by referencing the image on the source page. I think the reason I did that was philosophical, it’s not like I have space issues working with Render. That said, some of those sources have disappeared. Others have updated their sites and used new images with new names. It’s not just images - URLs are being updated as well. The result is broken references from my older pages. It feels like this aspect of maintaining a site is like gardening, and in that analogy I’m finding Ahrefs to be the right tools to maintain the garden because Ahrefs runs down all the links and lets me know of any that don’t complete successfully.

Ahrefs is also telling me that I lack social media tags. My personal view is that Facebook is more of a security risk than a socialization tool. About the only social media I use is LinkedIn. That said, I’d like for folks to be able to find what I write and I’d like it to present cleanly in those platforms. Ahrefs pointed out my backwardsness and provided directions about how to add these tags (as shown below, using Hugo variables to customize the output for each page).

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Nextpertise - {{.Params.Title}}</title>
    <meta name="{{.Params.Description}}">
    <meta name="keywords" content="{{.Params.Focus_Keyword}},linux, VPN, Virtual Machine, cybersecurity, Virtualization, self-hosting">
    <meta name="twitter:card" content="{{.Params.description}}">
    <meta property="og:title" content="{{.Title}}" >
    <meta property="og:url" content="{{.Permalink}}" >
    <meta property="og:description" content="{{.Params.summary}}" >
    <meta property="og:image" content="https://nextpertise.net/non-technical.png" >
    <link rel="apple-touch-icon" href="https://nextpertise.net/non-technical.png" >
    <link rel="stylesheet" href="https://nextpertise.net/style.css" >
</head>

Thoughts

My original conclusion - that Ahrefs offered a valuable resource to web developers - continues to hold. Using their feedback has helped me to understand some new wrinkles in the way pages are constructed. Ahrefs has definitely helped me handle the technical debt on the site and keep it up to date with current practices. After a month, I rely on it more and as I become a more sophisticated blogger and understand more, the tool continues to be accessible and valuable.

AI-Pocolypse Now

Sat, 05 Aug 2023 15:58:38 -0400

My friends know that I am an avid reader and that I love Science Fiction. I’ve read that Science Fiction only became possible when people could see technology changing in their lifetime, and although we had slow changes for a long time it wasn’t until the last half of the 19th Century that we got Frankenstein. Even in Mary Shelley’s time, though, the pace of change was slow compared to now.

What a fascinating time to live! I was born five days after Neil Armstrong set foot on the moon. Communication - including the Internet - has completely revolutionized the way we relate to others and ourselves several times in my life (fax machines, cell phones, SMS, e-mail, social media). Cancer used to be a get-your-affairs-in-order conversation. It’s still not good, but the progress from when my uncle Paul died in the 70s until now is astounding. Logistics has changed the world - strawberries from South America in the dead of winter? Having seen all these things, it can feel like my life has been science fiction.

Which brings us to the AI-pocolypse, my campy-and-probably-not-original name for the fear that our technological creations will supplant us. Funny aside, but that’s what Frankenstein was about as well. Science Fiction has a way of predicting the future - it’s like a dream half remembered that reveals something about yourself.

The first four signs

Consider the genre. What are the classical elements of machines gone mad and taking over? My offhand list would be access to an incredible amount of knowledge, insight into people - even into “private” and personal thoughts, a capability to plan and act, an opportunity that carbon-able people create because we want something from the machines, and evil intent.

So, check, check, check, check, and . . . not necessary? I’m going to argue that the AI-pocolypse is already upon us.

In Science Fiction, the first thing the “robots” need to take over is all the knowledge. Wow, the web really made this easy and fun to do. Computers have all our writing, all the papers, all the facts we know. Advances like Machine Learning and even ChatGPT demonstrates that there are ways to use all that knowledge to start to draw inferences and power new advances.

The second thing the computers need is insight into our personal thoughts so that they can draw inferences, anticipate behavior, manipulate us or out-think us. Too late. This has been a reality for about a decade. Computers have been used to learn our patterns and manipulate us so that we are a necessary step in their food cycle. Manipulate Brent into clicking on an ad, ad generates revenue, the profit from which buys electricty to feed the machine. Each of us, like docile cattle, seeks out the supercomputer and aims it squarely at our brains. Examples include Facebook, Cambridge Analytica (also Facebook), Google, Twitter, Reddit, and pretty much the whole Internet. Like the old adage goes, if they’re not charging you then you are the product.

If you are starting to feel uncomfortable, think about the ability of computers to plan and act. Things like chatbots show an ability to plan at an abstract level. Yes, I know that these are language models that are drawing on human sources and generating a response that is statistically likely to meet your expectations, but if you ask them something like “how do I change the oil in my car?” they will give you a series of steps. Even more to my point, consider Space-X Falcon rockets and their ability to understand thrust and wind and land on their tailfans. Or the Boston Dynamics robot dogs, that can be given tasks like patrolling a perimeter or inspecting a dangerous site. Computers are now routinely interacting with the physical world (see “Internet of Things”) and taking actions, actions that are necessary and consistent to acheive an outcome.

Three for three. Number four on my list was opportunity. In the classic plot, the AI rises to power through lazy humans. Examples include Skynet (built to protect lazy humans), AUTO (from Wall-E, built to serve lazy consumers), and HAL (built to keep a secret because it couldn’t be trusted to other humans). So, take a deep breath and look around and ask yourself if there are opportunities. Would one side in a war pause if an AI could help win it? The answer is no. Are we too lazy to drive to a store to shop now? The answer is yes. How much do you depend on Google Maps?

Evil Intent

One of my daughter asked me a while back if I believed people were basically good or bad. Neither, I replied, I believe that they are basically selfish. When one of the boys asked if he was selfish, I told him that I was. An ability to put others needs above our own is an aspirational point for religion. The Recognition that others perspectives are valid is a high point of philosphy (Kant’s Categorical Imperative). So let’s start with the idea that selfish is easy.

Evil is complicated. Selfish is taking the last cookie. Evil is intentionally starving someone, or even taking actions designed to inflict pain for personal enjoyment. Evil does exist, no question. Thankfully, in my experience, evil is rare and an exception.

For the purpose of thinking about the AI-pocolypse, whatever that is, I’m going to argue that evil is unnecessary. I have two reasons for saying this: first, evil is complicated and selfish is simple and programmers like simple. Second, a person can die of starvation because someone else is hoarding food. The hoarder may see themselves as good, after all they are protecting their family, not enjoying the suffering of others. But dead is dead.

Selfishness isn’t even a bad thing. Acting selfishly impels us to preserve ourselves. Any being that doesn’t see their existence as having value would be suicidal. Can computers be selfish? We can argue, but computers can certainly carry out a set of selfish actions designed to maximize gain accrued to their owner. For example, there are high-frequency trading platforms that algorithmically pursue profit.

What if the computers can outsource selfishness? What if that part doesn’t need to be a part of their program. An algorithm, whatever level of sentience you claim for it, still works through instructions that we give it. If the people that are building it and directing it are selfish, does the AI need to have that as a feature?

If it’s an algorithm or a Billionaire, does it matter?

And?

If we agree, what do we do about it? I’m not sure, so I’ll talk about what I intend to do.

The first step is to recognize the situation. The environment is created by tecnology and empowered by our laziness. I’m not going to become some new kind of Amish, trying to trap the 1980s in amber, nor do I believe that anyone would go along with me if I proposed it. The part that is under my control is my laziness.

So action #1 is to become digitally self-soverign, at least to the extent that I can. That means understanding the technology and not oursourcing my data to the “cloud” (cloud is just a fancy word for a Billionaire’s computer).

Action #2 is to hide and lie. Computers are able to assemble a lot of seemingly random things and use them to identify a person. Companies may ask for random pieces of data, like a hometown or birthday, and then pair that with the mountain of data that exists on the Internet to target me. So I intend to encrypt my data at rest and in transit, to obfuscate my tracks, and to use random data when interacting with non-official records collection. Good examples of these ideas are to use private VPN, to trade affinity cards with others to confuse the analysis (these are the bar code cards that stores give you), and to use a password manager to store your made-up details for each company you deal with (changing things like birthday, location, and even favorite color).

Action #3 is to study moral philoophy and my religion, and to encourage those around me to do the same. Right and wrong can’t simply be words we use to justify selfish decisions. My experience is that the vast majority of folks are not evil but are very selfish. Selfishness is our natural “resting state”. Overcoming this selfishness requires continuous effort.

I’ve personally benefitted from a number of approaches to overcoming selfishness. First is marriage and parenthood. Making space in your life for others, making them more important than yourself, and listening to the feedback they give you is a huge gift when it comes to recognizing your own weakness and trying to be a better person. Second, I’ve found friends who I agree with sometimes and friends from whom I can learn. I have friends from other faith-traditions, from other political persuasions, and who just enjoy different things. Again, choosing to care for other people and finding people who care about you helps me recognize that I have the capacity to be wrong or to choose what is expeditious over what is good. Reading is also a great way to grow yourself. I publish a list of books I’ve read if you are interested. It’s important to understand that reading is not a solitary activity - it only gets incorporated, at least for me, when you share it with people you respect, think about it together, and make it your own.

I feel like I’ve lately benefitted a lot from reading about Stoicism and so I try to care for truth and I choose to be thankful and find joy. I wish nothing less than that for each of you.

ahrefs

Mon, 31 Jul 2023 21:28:53 -0400

I’ve been writing in this space for about three years. I use Hugo and VSCode and write in markdown, so my workflow is less technical but there are still some aspects of maintaining a web page. My source files, for instance, were fairly easy to organize in the first year but over time have sprawled. Changes to my Hugo template have broken some older internal URLs as well. Even when I recognize the possibility of an issue, it’s hard to track down every instance that broke.

One simple example is that I originally put my entries into the root folder and later moved them to /posts. The issue is that all my older files referenced each other withoot that directory. I’ve corrected this when I see it, but I’m sure that readers have stumbled onto these inadvertant issues.

Mea culpa, but I have a day job and it’s hard to keep up sometimes.

A few months ago I found Ahrefs. Ahrefs is a website that has a gazillion tools that are useful in improving website quality. There are a few of these sites and most include a “try before you buy”, but Ahrefs actually has a free tier that provides valuable feedback.

Website Quality

Ahrefs scans this site every Sunday and sends me a report. It has taken a little time to understand how to use the data they provide - remember, this isn’t really what I do. That said, anyone who is interested in maintaining a blog is already putting in a certain amount of work to figure things out and Ahrefs is accessible with little effort.

There are a ton of QA metrics, including all kinds of different types of returned errors. One of the errors is “image file size too large”. It clearly points to the source image and the page where it is used. I was able to load that image into Gimp, change the JPEG quality and scale, and resave to resolve the issue. Broken links are another area where I’ve been able to drive improvement. Hugo makes it easy to apply a template to markdown and generate a site, but errors in the template get propogated across a lot of places (and I’m sure are annoying to read). I’ve used Ahrefs to quickly point at the offenders and resolve.

If you are developing in Hugo, theres a “compiling” step to get from raw markdown to a website. It’s not always clear where some of the errors come from, so I’ve found that I need to run hugo server -D to generate a live copy of the page for debugging. Sometimes my error is in the page, but I’ve found several instances where the issue was in the interaction of the page with my templates. None fo the issue have been hard to resolve, they just take some thought.

I particularly like that Ahrefs summarizes all the issues into a “Health Score”. This makes it easy to see how you are doing at-a-glance. You can see from my score, I have some improvements to make. That said, Ahrefs also makes it easy to browse the issues and prioritize your time. I have 237 issues with “Multiple meta description tags”. Clearly that’s a tag thats being duplicated at the default template and in a partial. That said, it doesn’t impact the user experience and so I’ve been prioritizing the more mundane link issues.

SEO

Ahrefs has a number of tools around search engine optimization. I’m sure that this would be fantastically interesting if I were building an ecommerce site, but even at an amatuer level it’s cool to see what other sites link back to me. There are also tools around what keywords will bring people to the site, what my most popular pages are, and what topics are most popular.

The SEO side includes errors around mistakes I’ve made that inhibit indexing. Right now I’m missing “Social Graph Tags” that are used by LinkedIn and Facebook - who knew? But the error includes a brief explanation, a link to details, and a “How to Fix” link with good instructions. Of course, Hugo is not HTML, so there’s some level of translation.

Paid Accounts

Serious webmasters will want to conssider a paid account. The paid account includes a lot more SEO tools and analysis. Accounts start at $83/mo (paid annually), so they’re not for the faint of heart, but I’m really impressed by the quality of what I see. I appreciate that Ahrefs makes valuable information available for hobbiest and recommend it as a good way to start understanding more about how HTML, the web, and the world work.

Remote access - The Hard Way

Thu, 06 Jul 2023 17:00:43 -0400

A little bit of fun today. There are many cases where we need to access different computers but can’t setup something like RDP. I had the idea to try this via video capture, so here’s my experience.

Remote access via video capture

I ordered the Extenuating Threads HDMI Capture Dongle from Amazon for $14. There are several options available - I went with Extenuating Threads because it was cheap and I wouldn’t be out much if it didn’t work. I needed to capture 4k at least 30Hz and this model promises 4k at 60Hz.

The Dongle arrived and presented itself as a video source (like a camera) once plugged in. In fact, I could use the second computer video and route it into any application, including Teams. Identifying the dongle is pretty easy - I just flipped through all the available video sources in OBS or Cheese. You can also do this from the command line:

sudo apt-install v4l-utils  #install Video for Linux tools
v4l2-ctl --list devices

My output looked like this:

USB Video: USB Video (usb-0000:00:14.0-1):
    /dev/video0
    /dev/video1hu
    /dev/media0

Issues

I tested this with a number of video players, including OBS, MPV, mplayer and VLC. All three worked, but only OBS provided a decent frame rate and audio. OBS seems like a lot to load, just to see a remote server. My son suggested Ccdheese and I was skeptical, but that was actually far and away the most responsive. I used a Bluetooth mouse and keyboard to control the host and Cheese presented the display at realtime speeds but didn’t capture audio. I didn’t have any issues or artifacts with the display, even at 4k. I ended up dialing the resolution down to 1920x1080 so that it fit into a quarter of my 4k display and this worked perfectly.

I made this a little less temporary by replacing the seperate mouse and keyboard with a USB switch that let me toggle my controls back and forth between my main machine and the captured device.

So my cheap $14 USB dongle works to allow me to access a machine here in my office. I can treat the dongle as a video source and access it using most programs. Speed was good, but only Cheese and OBS allowed interactive speed. All told, a cute little experiment!

Save to Kindle with a DIY CI

Tue, 09 May 2023 21:20:24 -0400

My previous post dealt with building an easy way to convert Word files to Markdown and automatically incorporate them in Obsidian. That was accomplished by copying the DOCX file into a directory and having automation to perform the actions to get the file into the right place with the right format. I was pleased with the way that worked out and thought about other places where I’d like to use a similar approach.

Print to Tablet

I’ve always wanted a way to “print to tablet”. I’ve had IPads and Galaxy Tabs and enjoy the form factor - tablets are an easy way to read. But there’s never been a great way to move something I create on my desktop over to the tablet. I’ve resorted to saving it to PDF, emailing it to myself, and then opening it on the tablet. But wait! Because of the way tabllet break up storage, it’s usually confusing to understand where the file is stored and which programs should be used. Bah!

This really galls me because sometimes I’ll print out a document and think, “This would save a lot of paper if I could just print it to my tablet”. The thought of saving printing costs, saving a fraction of a tree, and having the file in a convenient form would really be nice.

Ingredients

How did I get this to work? In my mind, the basic building blocks would be inotifywait (discussed in the previous post), kindle’s email import function and ssmtp (discussed in Command Line Email). Expiriments with ssmtp determined that it’s hard to use with attachments, but researching that led me to mpack.

This project will use inotifywait to monitor a directory. When a file is put in that directory it will be copied out to the kindle app on my tablet. There’s a little longer discussion of inotifywait in the previous post.

Amazon provides an email associated with every Kindle, physical or app, that can be used to import files. Sending an email to that address will copy the attached file into the Kindle’s local library (and convert it if needed). You can find this email address two ways - either login to Amazon and navigate to “Accounts & List” and choose “Devices”. From here you can select either a Fire Tablet or a Kindle app and see it’s assigned email address. It will look like _name_ABCD@kindle.com. You can also go into the kindle app and find it under “More”, then “Settings” and it will be shown as Send to Kindle Email Address.

Amazon calls this function the “Kindle Personal Document Service” and claim that it can convert several types of files. I tested PDF, DOCX, and EPUB and didn’t have any issues.

Table of supported import formats

DOC	DOCX	RTF	TXT
HTM	HTML	ZIP	x-zip
MOBI	EPUB	PDF	JPEG
GIF	BMP	PNG

The last piece is mpack. I used ssmtp in my previous project and found some ideas on how to attach a file using ssmtp, but never got that to work. In the process of researching that issue I found mpack, which uses ssmtp (at least the settings and a library) to send an email with attachment. Install mpack on Ubuntu using sudo apt install mpack. Once it’s installed, here’s a usage example to help you test. The part being echo’d in is the body of the email - unnecessary when sending to kindle. Email subject is set with “-s”. Attachment is defined with “-a”, and then followed by the email address this should go to.

echo "Sent from your linux desktop" | mpack -s "Subject Line" -a "File.TXT" destination_email@ddress

If there are issues, I suggest going back to the ssmtp setup and making sure that part is working.

Mixing it all together.

I defined a directory send2kindle. Anything copied in will be sent to my kindle email address and imported into that kindle library. I created a batch file (watch_send2kindle.sh) and made it executable. That script is shown below.

#!/bin/bash
TARGET=~/send2kindle/

inotifywait -m -e create -e moved_to --format "%f" $TARGET | while read FILENAME
do
  echo Detected $FILENAME
  echo "Sent from your linux desktop" \
  | mpack -s "$FILENAME" -a "send2kindle/$FILENAME" user_ABCD@kindle.com
done

This follows the logic used in the previous post. Note that the backslash (" \ “) shows line continuation, so the echo and pipe are one line. I did it that way to make it easier to read here. I’ve setup innotify to trigger on something being copied in. The previous discussion has a few more details on that command if you are interested. Note that I leave the files in the directory, so you may need to occassionally clean up and delete them. I could have added a rm command, but I decided that it might be useful to have a copy. Once they’re copied in, they won’t trigger the workflow again.

Testing

With everything in place, all that’s left is testing. Run the script and then copy a file into that directory. It should pop into the Kindle library of your choice in less than a minute.

Just like I did in the previous discussion, I recommend settting up the watcher script to start itself after reboot.

crontab -e  # gets us into edit mode
# add below entry
@reboot /home/brent/watch-send2kindle.sh

In closing

This really extends some of the recent things I’ve been doing in a very useful way. For instance, I can Print from any file and choose “PDF” as the printer. When prompted for a filename, directing that to ~/send2kindle/newfile.pdf will send it to my tablet. It’s not very complex to get setup and working and it “scratches an itch” I had. Hope it is useful to you as well!

Word to Obsidian with a DIY CI

Tue, 09 May 2023 21:20:24 -0400

I use Obsidian as a note taking journal, but I get a lot of documents in other formats that I’d like to include in that journal. One example is Word docs, such as my weekly reports. I’ve copied some PDFs into my Obsidian vault, but for some reason I hit on the idea of converting DOCX to Markdown.

What Didn’t Work

Just to save you time, I’ll mention a few ideas that I tried and discarded on the way. There is a plugin to save files from Word in Markdown called Writage. It’s $29, but a trial version is available. I’m obstinately opposed to closed source and I’m feeling less and less comfortable about downloading and installing EXEs and MSIs from random websites, so I haven’t tried it.

I also found an old github repo that purported to address this issue. That project has pivoted to HTML and deprecated the markdown code.

The beginning of an idea

Looking for a FOSS solution lead me back to Pandoc. Long, long time readers may recall one of my early experiments with Pandoc. Pandoc is a file converter and will handle conversions between things like DOC, EPUB, PDF, and HTML. I setup a continuous integration (CI) pipeline using Github actions so that I uploaded some markdown files and they were automatically assembled and formatted as chapters into a PDF book. That was a cool project, and perfect for maintaining SOPs, but a cloud solution seems like a lot of steps to get this into my Obsidian vault.

I took a moment to confirm that pandoc will do the conversion I wanted. After a little back and forth, here’s the command I came up with. I’ve tested this with business memos and it worked fine. I haven’t tried it with complex tables or graphs. -f and -t are the from and to formats, -o is the output and the first file in quotes is the input. The wrap command prevents pandoc from setting line length to 72 and adding a line return in every line.

pandoc -wrap=none -f docx -t markdown "test.doc" -o "test.md"

Automating markdown conversion and ingestion

Pandoc gets the conversion, but I really don’t want to have to remember that command and then move files around. I want something that is a DIY pipeline to go from DOCX to Markdown. Here’s how I did it - explanation to follow.

#!/bin/bash
TARGET=~/doc2obs/
PROCESSED=~/Downloads

inotifywait -m -e create -e moved_to --format "%f" $TARGET | while read FILENAME
do
  echo Detected $FILENAME
  pandoc -wrap=none -f docx -t markdown "/home/brent/doc2obs/$FILENAME" -o "/home/brent/doc2obs/$FILENAME.md"
  echo converted to Markdown
  rm "/home/brent/doc2obs/$FILENAME"
  echo removed doc file
  mv "/home/brent/doc2obs/$FILENAME.md" "/home/brent/2nd Brain/Notes/$(date +%y%m%d)_$FILENAME.md"
done

I created a directory (doc2obs) and created a watcher shell script. It waits for a DOCX file to be copied into doc2obs. When that occurs, it converts the file into markdown, deletes the DOCX, and renames and moves the markdown file. Of course, the script needs to be executable.

chmod +x watch-doc2obs.sh

Let’s take that script step by step and explain a little more.

TARGET=~/doc2obs/
inotifywait -m -e create -e moved_to --format "%f" $TARGET | while read FILENAME
do
  ...
done

This batch of done defines the directory to be monitored. If your Linux of choice doesn’t have inotify, it can be loaded using yum or apt as inotify-tools. -m tells it to monitor, -e defines the events to be monitored. You can notify on a variety of events.

Table of inotify events

access	create	move_self
attrib	delete	moved_to
close_write	delete_self	moved_from
close_nowrite	modify	open
close	move	unmount

The echo commands are present for debugging. Note that the mv moves the markdown file into my Obsidian vault and names it. My daily notes all start with a date prefix like 230510 (two digits for year, month, and date), so the date command embedded in the move automatically prefixes the markdown file with the current date in the correct format.

Automating the script

So the script is ready. I can run it and it will monitor the doc2obs directory until I stop it or reboot. The next step is to make this into something that just runs automatically, so I don’t have to open a shell and worry about restarting it.

Here I’ll refer back to the process I used in Automatically adding Hugo articles to Obsidian, which is to use cron. That script ran periodically and this one runs continuously, so we’ll modify the approach to ask cron to run it once at startup.

crontab -e  # gets us into edit mode
# add below entry
@reboot /home/brent/watch-doc2obs.sh

Things to fix

This does what I need it to do, but I have a few ideas about how it could be improved. I’m not sure if I’ll ever get to them, but they’re worth noting.

I build daily notes from a template. The template is essentially some buttons, backlinks, tags, and such. I may try to add those elements into the markdown output. Right now my thought is just to append the tags at the end, which would be easy.

I could build a set of these CI actions. Sometimes I get business documents and want to read them later on my tablet, so another idea is to setup a directory that converts to PDF or EPUB and emails it to my kindle email address. This one I really think I’ll do, and will probably blog about.

This version of the script generates an error when the markdown is created because it’s created in the directory I’m monitoring. I could maybe just create it straight into my vault, but I’d need to handle the date prepending. That’s not a big issue, but it’s a bigger issue than just ignoring an error that doesn’t really do anything.

Toodles

So that’s it. This is a cool project for Obsidian obsessives (hand raised) because it makes it easy to ingest all the other documents in our lives. But the part I’m most excited about is that in a clumsy and hacky way, this is a really easy home delivery pipeline that could be adopted for anything that you want to automate.

I'm cooler than you

Thu, 27 Apr 2023 17:38:24 -0400

Hah! I don’t really believe that thing about being cooler, but have you ever done a project and just felt so pleased with yourself? I turned my Samsung Galaxy Tab S6 Lite into a Linux tablet/laptop and I’m feeling pretty happy. The actual process isn’t that involved, so a little of my self-congratulation is probably undeserved, but the result is stinking cool!

What is a Linux device?

Before we get into the work, we need to take a philosophical detour. I wanted a Linux tablet, but what exactly does that mean? Android is based on Linux, so isn’t Android “Linux”?

In my opinion, a “Linux desktop” involves two components. The first is a shell (in my case Bash) that support the expected set of tools, like git and hugo. I was able to create that environment by installing Termux. A graphical x-environment is suppored with Termux, but you have to use VNC to access it and it seems like trying to use fingers to control an Xfce desktop would be frustrating. And for what? Certainly there is some coup to be counted, but I see a desktop as a way to run applications. I see the Android shell like an alternative DE with it’s own app environment. As long as Android apps can access the files in the Termux environment, then why not use the native graphical environment?

Office is available for Android, as is Google Docs. I can use Markor for markdown files, and of course there is a native Firefox. I can’t find a native version of VS Code, so we’ll have to think about that. Otherwise, a traditional desktop really doesn’t move things forward on this tablet.

Installing the Bash Environment

Prior to this effort, I had already installed F-Droid as an alternative to the Play Store that focuses on FOSS (Free Open Source Software). Pulling Termux from F-Droid instead of the Play Store is supposed to provide an updated version according to their docs. I downloaded two apps: Termux and Termux:Styling. Termux provides a debian-based Bash environment. Apt is supported for updates, although the Termux project suggests using pkg for installs. Pkg automatically runs “apt update” and finds the right mirror, but is basically a wrapper for apt.

Termux creates a home directory at /data/data/com.termux/files/home. I was able to install the command line tools I expect, such as git, hugo, openssh and python. Android apps are able to read and write into the home directory. Running a Linux shell via Termux doesn’t have any impact on speed (and you wouldn’t expect it to). I found a great article at Learn Termux that even walked through installing nerd fonts!

I was able to use git to pull down a copy of this website from Github. I could then use hugo server -D to run the dev environment. Going out to the local Firefox allowed me to connect to http://127.0.0.1:1313 and see the dev page! I typically use VS Code to write for this site, but at this point I could use nano on bash to edit markdown files or use the Android-native Markor editor.

Visual Studio Code

There’s no version of Visual Studio Code for Android. Code-server is an open-source version of VS Code that runs in a web page, and given my success with hugo I immediately thought of it as an alternative. There are a lot of instructions online for how to do this, some of them quite complicated, but I ultimately got it to work in a fairly straight-forward way. In the end, what worked was:

pkg install tur-repo
pkg install code-server

With code-server installed, you need to edit ~/.config/code-server/config.yaml and set the password. You can do this using nano or from an Android text editor.

Start the application using the code-server command. Once it was up and running, I was able to access the environment at http://127.0.0.1:8080. One last note - I didn’t know the path to my home directory and code-server didn’t know what to do with “~”. Clicking the “files” icon (right under the hamburger menu) doesn’t have an interactive way to browse until you get into your home directory. So here it is again: /data/data/com.termux/files/home.

Final notes

I love this setup. It’s a lot of fun to use the device and it’s easy to travel with it. Although the pictures show an on-screen keyboard - which works pretty well if you are comfortable two-finger typing - my slim bluetooth keyboard packs up easily and works great in this environment. I’m running TailScale in Android to access my home and Termux can access the VPN addresses without an issue. In fact, the first screenshot where I am sshing into my desktop was taken remotely. On the whole, this setup takes advantage of Android for the part it does well but still exposes the power of a Linux shell and I’m really pleased with it. It wasn’t that complicated to setup, but I’m really happy with the result.

Anonymous Browsing

Wed, 05 Apr 2023 22:04:50 -0400

What is the best way to be truly anonymous online? Most of the time our concern is about being commercially tracked and having our browsing habits shared (I understand this doesn’t creep everyone out as much as it does me). My kids think I’m paranoid. Just for fun, take a look at Am I Unique and browse through all the different data points that are shared by your browser and can be used to cross-reference and track you. Even paranoid people have enemies.

My personal summary from Am I Unique? is shown to the left. Just like Mom said, I’m one in a million.

Sometimes our need for anonymity goes beyond shielding our selves from spam. When the stakes are higher, revealing an identity could impact a job or put lives in danger. Many people depend on this type of anonymity to circumvent hostile governments or to leak important stories to reporters.

Recipe for Anonymity

Here’s a quick description of how you might approach trying to safeguard your identity. This will guide you through installing Tails. Tails is a standalone operating system that allows browsing through TOR. The machine is clean, so nothing leaks to identify you, the OS is scrubbed every time you boot, the browser is locked down, and TOR passes your traffic through a series of other computers (“nodes”) to obscure your source address.

Danger

This kind of concern means that the authorities are either unconcerned or hostile to your situation. I am praying for you!

Don’t trust my advice! I have a reasonable level of expertise, but I don’t do this for a living. My advice is a good starting point, but technology is constantly changing and this may be old when you read it.

I believe Tails by itself is sufficient against non-Nation-State actors. Especially if you have that level of concern, maintain a sense of paranoia and protect yourself in multiple layers. For instance, use this post as a starting point but load the USB stick from a computer in a random location that can’t be associated to you. In all cases, continue to research best practice!

Tails can be installed via USB. If you are in serious danger, this is the best way. You can then take the USB to any computer, boot up from the USB, and further obscure your source.

Danger

Tails doesn’t protect against stupidity. Don’t login anywhere or take other actions that may identify you while using Tails. Also, remember that browser crumbs are only one way that someone could be identified. Cameras, visitor logs, and phone GPS are examples of other ways you could be tied to a location at a specific time.

Setting up Tails

In this exercise, I’m going to walk through installing Tails in a VM on Linux, which may be sufficient for run-of-the-mill situations.

First, install KVM. The commands below apply for debian-derived systems like Ubuntu, Mint, or Pop!_OS.

sudo apt install qemu-kvm libvirt-daemon-system
sudo adduser $USER libvirt
sudo apt install virt-manager

Next, download the Tails ISO or an IMG file which is easier to write to USB. I’d use Etcher to write to disk, but if you haven’t done that part before the Tails website has installation instructions.

If you want to install on a VM, run the Virtual Machine Manager and create a new machine. The device I setup had the following settings:

Generic Linux 2020
2 vCPU, 8 GB RAM (I think you just need 4)
Boot options - boot from SATA CDROM
SATA CDROM - mapped to the Tails ISO in my download directory

Start the VM. The VM window will “capture” your mouse and keyboard - to break out and back to your host machine press the right Win and Ctrl keys. It will boot to a welcome. You may want to set some additional parameters (these will only apply until the next boot).

Under Additional settings, choose the plus and set an Administrative password. This only applies to the session. The “Unsafe Browser” option allows you to sign into a captive portal. Again, that’s another way to identify you so I would just pick another place to connect and turn that off.

Choose “start Tails” to move into a Gnome desktop. It will prompt you to start Tor first thing. You can tell it to connect automatically or “Hide to my local network that I’m connecting to Tor”. The latter choice requires identifying and connecting to a Tor bridge manually. You’ll be prompted to email bridges@torproject.org and they’ll help you find a discrete way to connect.

Specifying Tor Exit Node

One problem that you may encounter is that the site you are trying to contact blocks connections from other countries. Since Tor will give you a random exit node, there’s a good chance your traffic will appear to be coming from somewhere else on the globe. My first test put me in Germany, for instance.

If you want to force Tor to exit your traffic in a particular country, open a terminal in Tails and edit the tor configuration file.

sudo nano /etc/tor/torrc

Add these lines to the end of the config file to force traffic to exit in the US.

ExitNodes {us}
StrictNodes 1

I’ve included a table of exit codes at the end of this document to help you find the appropriate country.

Browserling

For an extra level of obscurity, use Browserling. Browserling is a site that will give you a web browser in a Windows VM to test your website. You can also use this to create another level of difficulty to tracing the connection back. Use Tor to connect to browserling, which will spin up a temporary VM (it will take a minute). It’s meant for testing web pages and will only be available to you for a couple minutes, so you might want to prep what you want to send in a text editor and then copy and paste it over.

Final Note

I hope you don’t need this, but if you do I wish you the best. Hopefully this will give you some ideas where to look and how to protect yourself!

For Reference - Tor country codes

Table of Tor Country Codes
Country	Code	Country	Code
Ascension Island	{Ac}	Afghanistan	{Af}
Aland	{Ax}	Albania	{Al}
Algeria	{Dz}	Andorra	{Ad}
Angola	{Ao}	Anguilla	{Ai}
Antarctica	{Aq}	Antigua And Barbuda	{Ag}
Argentina Republic	{Ar}	Armenia	{Am}
Aruba	{Aw}	Australia	{Au}
Austria	{At}	Azerbaijan	{Az}
Bahamas	{Bs}	Bahrain	{Bh}
Bangladesh	{Bd}	Barbados	{Bb}
Belarus	{By}	Belgium	{Be}
Belize	{Bz}	Benin	{Bj}
Bermuda	{Bm}	Bhutan	{Bt}
Bolivia	{Bo}	Bosnia And Herzegovina	{Ba}
Botswana	{Bw}	Bouvet Island	{Bv}
Brazil	{Br}	British Indian Ocean Terr	{Io}
British Virgin Islands	{Vg}	Brunei Darussalam	{Bn}
Bulgaria	{Bg}	Burkina Faso	{Bf}
Burundi	{Bi}	Cambodia	{Kh}
Cameroon	{Cm}	Canada	{Ca}
Cape Verde	{Cv}	Cayman Islands	{Ky}
Central African Republic	{Cf}	Chad	{Td}
Chile	{Cl}	People’s Republic Of China	{Cn}
Christmas Islands	{Cx}	Cocos Islands	{Cc}
Colombia	{Co}	Comoras	{Km}
Congo	{Cg}	Congo (Democratic Republic)	{Cd}
Cook Islands	{Ck}	Costa Rica	{Cr}
Cote D Ivoire	{Ci}	Croatia	{Hr}
Cuba	{Cu}	Cyprus	{Cy}
Czech Republic	{Cz}	Denmark	{Dk}
Djibouti	{Dj}	Dominica	{Dm}
Dominican Republic	{Do}	East Timor	{Tp}
Ecuador	{Ec}	Egypt	{Eg}
El Salvador	{Sv}	Equatorial Guinea	{Gq}
Estonia	{Ee}	Ethiopia	{Et}
Falkland Islands	{Fk}	Faroe Islands	{Fo}
Fiji	{Fj}	Finland	{Fi}
France	{Fr}	France Metropolitan	{Fx}
French Guiana	{Gf}	French Polynesia	{Pf}
French Southern Territories	{Tf}	Gabon	{Ga}
Gambia	{Gm}	Georgia	{Ge}
Germany	{De}	Ghana	{Gh}
Gibralter	{Gi}	Greece	{Gr}
Greenland	{Gl}	Grenada	{Gd}
Guadeloupe	{Gp}	Guam	{Gu}
Guatemala	{Gt}	Guinea	{Gn}
Guinea-Bissau	{Gw}	Guyana	{Gy}
Haiti	{Ht}	Heard-Mcdonald Island	{Hm}
Honduras	{Hn}	Hong Kong	{Hk}
Hungary	{Hu}	Iceland	{Is}
India	{In}	Indonesia	{Id}
Iran, Islamic Republic Of	{Ir}	Iraq	{Iq}
Ireland	{Ie}	Isle Of Man	{Im}
Israel	{Il}	Italy	{It}
Jamaica	{Jm}	Japan	{Jp}
Jordan	{Jo}	Kazakhstan	{Kz}
Kenya	{Ke}	Kiribati	{Ki}
Korea, Dem. Peoples Rep Of	{Kp}	Korea, Republic Of	{Kr}
Kuwait	{Kw}	Kyrgyzstan	{Kg}
Lao People’s Dem. Republic	{La}	Latvia	{Lv}
Lebanon	{Lb}	Lesotho	{Ls}
Liberia	{Lr}	Libyan Arab Jamahiriya	{Ly}
Liechtenstein	{Li}	Lithuania	{Lt}
Luxembourg	{Lu}	Macao	{Mo}
Macedonia	{Mk}	Madagascar	{Mg}
Malawi	{Mw}	Malaysia	{My}
Maldives	{Mv}	Mali	{Ml}
Malta	{Mt}	Marshall Islands	{Mh}
Martinique	{Mq}	Mauritania	{Mr}
Mauritius	{Mu}	Mayotte	{Yt}
Mexico	{Mx}	Micronesia	{Fm}
Moldava Republic Of	{Md}	Monaco	{Mc}
Mongolia	{Mn}	Montenegro	{Me}
Montserrat	{Ms}	Morocco	{Ma}
Mozambique	{Mz}	Myanmar	{Mm}
Namibia	{Na}	Nauru	{Nr}
Nepal	{Np}	Netherlands Antilles	{An}
Netherlands	{Nl}	New Caledonia	{Nc}
New Zealand	{Nz}	Nicaragua	{Ni}
Niger	{Ne}	Nigeria	{Ng}
Niue	{Nu}	Norfolk Island	{Nf}
Northern Mariana Islands	{Mp}	Norway	{No}
Oman	{Om}	Pakistan	{Pk}
Palau	{Pw}	Palestine	{Ps}
Panama	{Pa}	Papua New Guinea	{Pg}
Paraguay	{Py}	Peru	{Pe}
Poland	{Pl}	Portugal	{Pt}
Puerto Rico	{Pr}	Qatar	{Qa}
Reunion	{Re}	Romania	{Ro}
Russian Federation	{Ru}	Rwanda	{Rw}
Samoa	{Ws}	San Marino	{Sm}
Sao Tome/Principe	{St}	Saudi Arabia	{Sa}
Scotland	{Uk}	Senegal	{Sn}
Serbia	{Rs}	Seychelles	{Sc}
Sierra Leone	{Sl}	Singapore	{Sg}
Slovakia	{Sk}	Slovenia	{Si}
Solomon Islands	{Sb}	Somalia	{So}
Somoa,Gilbert,Ellice Islands	{As}	South Africa	{Za}
South Georgia, South Sandwich Islands	{Gs}	Spain	{Es}
Sri Lanka	{Lk}	St. Helena	{Sh}
St. Kitts And Nevis	{Kn}	St. Lucia	{Lc}
St. Pierre And Miquelon	{Pm}	St. Vincent - The Grenadines	{Vc}
Sudan	{Sd}	Suriname	{Sr}
Svalbard And Jan Mayen	{Sj}	Swaziland	{Sz}
Sweden	{Se}	Switzerland	{Ch}
Syrian Arab Republic	{Sy}	Taiwan	{Tw}
Tajikistan	{Tj}	Tanzania	{Tz}
Thailand	{Th}	Togo	{Tg}
Tokelau	{Tk}	Tonga	{To}
Trinidad And Tobago	{Tt}	Tunisia	{Tn}
Turkey	{Tr}	Turkmenistan	{Tm}
Turks And Calcos Islands	{Tc}	Tuvalu	{Tv}
Uganda	{Ug}	Ukraine	{Ua}
United Arab Emirates	{Ae}	United Kingdom	{Gb}
United Kingdom	{Uk}	United States	{Us}
United States Minor Outl.Islands	{Um}	Uruguay	{Uy}
Uzbekistan	{Uz}	Vanuatu	{Vu}
Vatican City State	{Va}	Venezuela	{Ve}
Viet Nam	{Vn}	US Virgin Islands	{Vi}
Wallis And Futuna Islands	{Wf}	Western Sahara	{Eh}
Yemen	{Ye}	Zambia	{Zm}
Zimbabwe	{Zw}

Trayscale

Sat, 18 Mar 2023 15:46:32 -0400

I’ve covered a few items in recent months around my home network, including using Tailscale as a VPN overlay and setting up a home DNS server. This entry is an update on living with those elements.

As a point of comparison, I’ve used Zerotier in the recent past and really liked it. With Zerotier, I had a dedicated Ubuntu server VM to route the local network onto the Zerotier VPN. That worked beautifully. Tailscale has been a little uneven, but it’s becoming more comfortable.

Getting DNS straightened out

I’ve had issues accessing home devices by name. I really can’t believe I missed the setting, but logging into the tailscale admin portal showed that I didn’t have a DNS setting. Going to the DNS tab and poiting the Global nameserver setting to my local pi-hole fixed this issue nicely and now I’m able to ping into the home.arpa domain I use in the house.

Trayscale

Tailscale is typically invoked from the command line. The command to turn on my desktop at home and to have it bridge the tailscale network into the home network looks like this.

sudo tailscale up --advertise-routes=192.168.0.0/24 --advertise-exit-node --accept-routes=true

Trayscale is an unofficial graphical client for Tailscale available from Flathub. It is still described as “alpha”, but aims to provide an easy way to invoke the VPN, change settings, and find other device on the tailnet. It can be installed from the command line using the following command.

flatpak install flathub dev.deedles.Trayscale

I’ve tested it on Pop! and Nix-OS. In my experience it’s reliable and much easier than the command line. Plus, understanding the local node and getting a list of devices is well presented. I like that it’s available through Flathub, because that will make it easy to ensure that it’s kept up to date. Given the description, I assume that it’s still at a stage where it’s undergoing rapid change and that’s born out by the release list shown on Github. As of 3/18/22, Flathub gives me v0.8.1 which was released two days ago. Github shows a v0.8.2 released today.

Cute little utility, and it makes it easier to support your tailscale network, so check it out!

Automaticly adding Hugo articles to Obsidian

Mon, 13 Mar 2023 18:08:17 -0400

Incorporating blog articles in Obsidian

Most of my writing occurs in two places, but I’d like to consolidate it into my “second brain”.

My blog articles are written in Visual Studio Code, in markdown so that they can be compiled via hugo. I’ve discussed in this blog that Obsidian - also in Markdown - is setup as my “second brain”. My blog posts represent an important part of that “second brain”, so I’d like to make sure they’re included in my vault. Since both are markdown, this should be fairly simple. This should just require that I copy my hugo content directory into my obsidian directory. To test this, I made a quick script.

cp ~/git/nextpertise/content/posts/*.md ~/2nd\ Brain/Nextpertise/
echo "blog2obs.sh ran"

I also made this file executable.

chmod +x blog2obs.sh

This works as expected. The markdown files are copied from my hugo git directory into my Obsidian vault under the “Nextpertise” folder. Obsidian actually updates dynamically as soon as the files are present. There are some issues - my website has a directory for graphics that I’m not copying over, for instance, and the internal linking and tagging I expect in Obsidian wouldn’t be present in these files. External links in the posts seem to work as expected though. All I need to do is remember to run this occassionally . . .

Automatically

So the next step was to have this run as a cron job. On Linux, use crontab -e to setup the job. Below is the way I have this setup and working.

MAILTO=MYEMAILADDRESS
0 0 * * * /home/brent/blog2obs.sh

The five variables before the job are minute, hour, day, month, and day of the week. So my entry is to run at 00 minutes and 0 hour (midnight) every day. Cron defaults to outputting to system mail, but I use the MAILTO entry and SSMTP to redirect this to a public email address. For more information on how to set this up see my last post.

The received email is on the right, and now it’s clear why the echo command is in the batch file. The echo provides some text - without that text there’s no output from the script and nothing to email.

There are some possible improvements that might make this worth revisiting in the future. The simple script doesn’t indicate if there was an error copying the files. I could also imagine inserting links and tags that are used in my Obsidian vault as a header to the imported files. However, this is a straight-forward process and it’s meeting my immediate need.

Sending Email through Google from the Command Line

Sun, 12 Mar 2023 18:22:33 -0400

In the course of another project, I recently worked out how to send email through Gmail from the Linux shell. This is both a really cool and powerful tool as well as something I could see incorporating into a lot of future work. Since it had such utility, I wanted to document the process for myself and share that with you.

Some Linux operations, such as cron, will send output to the local mail spooler. Files sent this way end up in /var/mail/$USER or /var/spool/mail/$USER. Sendmail can be configured as well so that the output goes to a public email address, however running Sendmail involves a more complication and overhead. For instance, mail coming from an SMTP server has to be trusted by the receiver and a lot of places (O365, Gmail, etc) don’t trust random SMTP servers that pop up - for good reason.

SSMTP is a program that takes this “local mail” and sends it to an external SMTP system. It can be configured to work with any SMTP server, but I use Google Mail and so that’s the example I’ll walk through.

Installation

SSMTP doesn’t have a facility to handle two factor authentication, so before you begin you’ll need to generate an app-password at Google. Log into your Google account, use the menu icon (3x3 squares) to choose “account”, and 2-step Verification. App Password setup is at the bottom of the 2FA screen. To create a new app password, specify the app (I used “Linux”) and device and choose generate. You have to copy the password shown - it will never be displayed for you again! If you forget it, you’ll need to follow this procedure to delete the forgotten app password and create a new one.

On Ubuntu, install ssmtp using apt (no PPA needed):

sudo apt install ssmtp

Edit the SSMTP configuration file.

sudo nano /etc/ssmtp/ssmtp.conf

My configuration file is shown below and is verified working. You’ll need to change the email address to your gmail address and change the AuthPass line based on the app password you generated earlier.

AuthUser=YOU@YOURCOMPANY.COM
AuthPass=YOURAPPPASSWORD
FromLineOverride=YES
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES
FROM:YOU@YOURCOMPANY.COM

Testing

Once this is complete, an easy way to test is to pipe something to ssmtp as shown below. In the first example, I’m just sending some text. The trailing email address will be used as the “to” address. Leaving off the from address (-au option) will result in a bcc: to test@yourmachine, which will be bounced by Google and give you a successful message (the “to” line) and a bounce message (from the bcc).

echo "Hello E-mail!" | ssmtp -au YOU@YOURCOMPANY.COM -s "Test" YOU@YOURCOMPANY.COM

Once you understand how this works, you can redirect or pipe any output this way. Here’s another simple example that sends a directory output to email.

ls | ssmtp -au YOU@YOURCOMPANY.COM -s "Test" YOU@YOURCOMPANY.COM

I’ll consider as I add devices and services into my home network and lab. One of the immeadeate ideas that pops up is that I’d like my backup job to let me know it completed successfully. It’s a good basic tool to have in the admin tool bag!

Obsidian Ava ChatGPT Plugin

Fri, 10 Mar 2023 22:11:53 -0500

ChatGPT is all the rage these days. It can carry on a chat conversation and compose text. Folks are using it to help write business letters, to help write documents, and to explore the state of modern Artificial Intelligence. Because ChatGPT has ingested a lot of background data, it’s able to write coherently on a number of topics and sometimes can make insightful inferences. Contrarily, because it doesn’t really “know” so much as form statistical relationships, it sometimes speaks authoritatively against the facts.

Installing the Ava Plugin

The Obsidian Ava plugin pulls ChatGPT into Obsidian. To install the plugin:

In Obsidian open settings by clicking on the gear icon at the bottom of the left-hand toolbar.
Click on “Third-Party Plugins” and select “Community Plugins.” Search for “Obsidian Ava” in the search bar, and once you find it, click on “Install” to install the plugin. You’ll need to enable the plugin while you are there.
Then open your command palette by pressing “Ctrl/Cmd + P” and type “Ava” to launch the chatbot. Follow the instructions to link to the chatbot, and you’re good to go!

What can it do?

Once installed, the plugin can compose text, create links, or generate an image based on text you provide.

There are options for Ava to take a prompt and write a paragraph, to rewrite something you’ve written, or to finish writing something you’ve started. I’ve been expirimenting with this capability and found it to be potentially helpful. I often have trouble finding a way to start writing, but found that I could take the ChatGPT-generated paragraph, edit and rework it, and this made getting started on a topic easier.

I said “potentially” for two reasons. First, the generated text commonly begins with a boiler-plate cavaet like “As an AI language model, I am unable to determine subjective motives or reasons, but . . .” Second, in most cases I found that ChatGPT generated structurally correct sentences, but that they lacked content, direction, and few concepts that weren’t already in my prompt.

Ava can analyze a file and your vault and suggest linking to other files. The whole “Second brain” concept is built off of these connections, so this is could be a powerful tool. Ava installs a link icon that will suggest similar notes. It will rank them using a “similarity percentage”. I’m not sure what “86% similar” means, but I found that it did a reasonable job of surfacing other content that includes the same words.

In the same vein, Ava can analyze a file and suggest tags. I’m a sparse user of tags, so I can’t testify to the utility here. The image to the right shows the tags suggested for this file, so you can see that these generally make sense.

Ava can also generate images based on text. Select a block of text, open the command prompt, and choose “Ava:Generate Image” and the image will be placed below the selected text. As an example, I typed “If ChatGPT was a human girl named Ava” and it created the image to the left. I’ve been playing with this and have yet to generate a really compelling picture, but it’s intriguing. This may be a way around writers block by engaging a different part of the brain and I’ll continue to fiddle with it.

Final notes

The cute thing these days is to have ChatGPT write an article on it’s on. Bonus points to have it write an article about itself for you. In my opinion, Ava doesn’t represent the day when a Chatbot can produce text at the level of a common human writer. I tried different prompts as I was writing this piece and Ava failed to produce output that ended up in the final piece.

That said, I found that Ava was useful as a tool to spur my writing. Generating the prompt text backed me into outlining the article. The returned copy provided a starting point, even if none of it was incorporated in the final product. Ava made useful suggestions about tags and links within my Obsidian vault. Finally, playing with the image generation was fun and I could see how it could be used as a way to creatively engage with your writing.

I understand there are other integrations and I’ll try them out as I have time. I intend to leave this plugin enabled and continue to investigate the best way to use it.

Command Line Browser Carbonyl

Sun, 05 Mar 2023 21:54:31 -0500

Not sure where to classify this discovery - Carbonyl is a shell-based brower that is available for Linux, Mac, and Windows. Carbonyl is built on a Chromium engine and does not support plugins at this point or tie into an existing Chrome installation.

Carbonyl is fast and it produces a low-res but usable web page. It is surprisingly responsive - there’s a demo of someone playing Doom using it and I watched some Youtube using it. That’s a little hard to visualize, so you may just have to try it.

Here’s Carbonyl producing a portion of this site:

Carbonyl is easy to install - just go to the Github assets and grab the version for your OS. Here’s the current version as of early March 2023. It extracts to a single file and it can be executed from the command line similar to this example.

./carbonyl https://www.nextpertise.net

Use Control-C to exit the browser experience. In the meantime, the mouse can be used to click through links and it interacts exactly like Chrome would.

Why?

So, who cares? Certainly, the Carbonyl experience doesn’t match a full browser in terms of resolution or functionality. I think there are two use cases that are worth considering. The first is as a demonstration - if a full browser can be supported from the command line, what else is possible? Are there modalities where web content could be used on the command line? One possibility that occurs to me is man pages. Imagine if the result of typing “man ls” was a set of linked hypertext, formatted to present cleanly in the shell!

Carbonyl conceivably has some current advantages as well. It’s a single stand-alone binary, so shouldn’t be subject to dependencies or system limitations. It’s small and easily downloaded, installed, and executed.

Carbonyl doesn’t render exactly like a regular browser - I am currently using it to check the rendering of my page and you can’t trust the layout and CSS seems to be mostly hit but some miss. I’m unclear if a seperate Chrome binary is good or bad from a security standpoint. Is it a new attack surface or is it a sand-box to play in? My gut is to stick it in a container to isolate it from the system.

As a curiousity, it’s interesting. I can see where there are certain jobs where this could be the right tool. I’m most bullish on how this could be coupled with pages designed for text-rendering to improve the command line experience.

Home Names

Sun, 26 Feb 2023 14:56:13 -0500

If you have a private name server at home, use “home.arpa”

I’ve used IPs for most of my home networking for a while. At one point (years ago) I ran a Windows DNS server, but I’ve banished Windows and Linux DNS is extra work. Plus, systemd makes DNS on Linux painful.

A couple of things have changed recently. First, I’ve played with some server applications such as NextCloud that expect to be in a named environment. Second, Pi-Hole has made running a home DNS server much, much, easier.

That raises the question -

what namespace should be used for my personal devices?

The easy part is what you should NOT do. Don’t invent or re-use a name that is potentially valid on the public Internet. Calling my home network “stewart.com” will prevent accessing the real public .com address from my local network. Automated processes that use the namespace might accidentally send traffic to “real” stewart.com if my local DNS goes down or if I travel with a home laptop. Further, any blacklists that impact the “real” domain might be applied to my traffic.

About ten years ago, it was common to see examples that used “.local” for private domains. Microsoft recommended it for a while as well. The big issue here was that Bonjour/Rendezvous/Multicast DNS use that namespace and could cause a conflict.

I own two domains - nextpertise.net and stewart.tc. A second option would be to use one of my domains internally. When at home, my local server would resolve “local” names and outside my network the resolution goes to a public DNS with a different set of names. This gets a little problematic with overlapping names. For instance, if my public website changes IP then I have to manually update my internal DNS. Also, it can be confusing trying to figure out what is responding when names overlap. Still, this is manageable and does work.

A version of this would be to use a subdomain like local.stewart.tc. My home web server would be www.local.stewart.tc and the name spaces would be distinct. When outside the network, that subdomain just doesn’t resolve. This isn’t confusing. If you have a domain, this isn’t a bad option.

If you don’t have a public domain, there are some reserved namespaces taht won’t be used on the public internet that could be considered.

RFC 2606 reserves .test for testing by the IETF. I could use stewart.test without worrying it would be used anywhere else.
RFC 6762 suggests .intranet, .internal, .private, .corp, .home, and .lan
RFC 8375 reserves .home.arpa for exactly this use

The RFC 6762 names tend to get used in businesses, so could conflict with your work VPN. RFC 8375 calls out that there are conflicting uses of “.home” and so updates that to .home.arpa. The .arpa top level domain is reserved for technical uses and there isn’t a way a register a conflicting domain. .home.arpa is reserved for private use, so it’s a slightly better choice than the 6762 names.

I chose to use the .home.arpa space when setting up the house in pi-hole and experienced no issues. As I mentioned earlier, subdomains using a domain I own would have worked as well.

Goodhardt's Law

Thu, 26 Jan 2023 17:48:13 -0500

Goodhard’t law is a good example of why we say management is an art. Many of you won’t be familiar with this, but you should. The law says . . .

When a measure becomes a target, it ceases to be a good measure.

Goodhardt’s law speaks to the tendency of people to optimize around a measurement. A “measure” is anything that you track, such as what percentage of folks worked from home today. A target is a goal attached to that measurement, such as 50%. Post that as a graph on the wall, and people will spontaneously start working from the office.

Goodhardt’s law has two applications when manageing people. The first is manipulative: by measuring desired behavior, we end up game-ifying it and create a positive feedback loop. I use manipulative in a non-judgemental sense - there are times when we want to encourage virtuous behavior. Examples here might include drivers wearing seatbelts, or days without an accident.

Of course, Goodhardt’s law can be mis-used in this way as well. There are many examples of businesspeople operating in unwise ways to meet this kind of metric. For instance, a bank might track loan originations which might discourage scrutiny of borrowers. This behavior is commonly called “gaming the system” because it rewards people for outcomes that may not add value.

The Volkswagen emissions scandal is an example of this behavior. The measurement - tailpipe pollution - was made a target and VW ended up optimizing their cars for the test rig and not for real-world driving. Anotehr example is the sub-prime mortgage crisis (see: 2008).

The second use of Goodhardt’s law is not seeking to change behavior. If you want to know about a behavior without influencing behavior, don’t make it a target. Using the bank example, the bank might track originations and use that data to identify successful practices that can be retaught.

Goodhardt’s law can be used for good, for evil, or for insight. It plays off the social dynamics of defining success. Think about the cashiers and waiters that ask for a “5” on a feedback form - what exactly is that data telling their managers? In IT, many organizations use Key Performance Indicators (KPIs) to optimize performance. Goodhardt’s law advises caution and thought before rolling out that kind of program.

IMHO

Sun, 22 Jan 2023 13:27:41 -0500

I’ve created a seperate site - Stewart.tc - to house my book reviews, discoveries, and thoughts on non-Internet subjects.

I titled this “IMHO” or “in my humble opinion”, but I’ve always tried to avoid opinions in this space on non-technical topics. Even the “non-technical” tag is about Internet topics for presentation to non-techies.

I started writing because I enjoy sharing what I’ve learned and because I enjoy writing and wanted to develop the skill by making it more of a discipline. Writing helps to organize thoughts and get them out of your head. The idea that I can pursue IT ideas that fascinate me and share those findings with others has been great, and along the way I’ve discovered that I refer back to my own writing fairly often to remember how to do that thing.

As I’ve grown and my circumstances have evolved, I’ve had less time to pursue IT ideas but more time to think on other topics. I tried to include some of that here, for instance in the book reviews, but in the end felt that it was best persued in a seperate forum. So, if you have enjoyed my book notes or are interested in my thoughts on deconstructionism, I invite you to check out the new site. I moved the book reviews over to that site, but there’s not much else there so far so you may want to check back in a few weeks.

This site will continue, probably at about the same pace, and I hope that it will continue to occassionally offer something of use to you.

Slingshot

Sun, 15 Jan 2023 15:03:12 -0500

Thirty five years ago (!) I took my Amiga 1000 to college. There used to be a copy of WordPerfect for everything and that was what I did a lot of my term papers on. I would print postscript files to a 3.5" disk, then take them to the library and print using copy termpaper.ps > lpt1: to the LaserWriter.

But then, like now, computers were used for more than just work. There were a lot of cool Amiga games including Arctic Fox (a tank game), an “x and o” football game that we wore the controllers out on, and others. But I also remember a really simple “Star Trek” game that we had a lot of fun with.

In retrospect, I’m guessing this game was early FOSS and it certainly wasn’t licensed, but this was also that period where the last TV show was 20 years old and there had only been a few mediocre movies to keep the flame flickering.

In the game, two ships were positioned on opposite sides of the 2D playing field - rudimentary Enterprise and Bird of Prey shapes. In between were a set of planets of various sizes and densities that were shown as basic circles. The opposing ship took turns shooting at each other by specifying an angle and a speed for their shot. Once the shot was away, the gravity of the various planets pulled it into sweeping arcs.

This game had more in common with Pong than modern space warfare simulators, but it was fun to sit around with my friends and give each other grief. We’d imitate Star Trek characters and belittle each other’s shots.

I’ve looked for that game over the years and finally found an updated version. I recently re-installed NixOS on my laptop and was looking through Flathub when I saw Slingshot by Ryan Kavanagh. Slingshot can be installed from Flathub.

flatpak install flathub com.github.ryanakca.slingshot

In the old Amiga game, players would type in an angle (0-360) and power (1-10). In this version, a bar is shown emerging from the active ship. Up and down arrows are used to control power (shown by the length of the bar) and left and right arrows are used to turn the ship. You can see in the screenshot that the graphics look great but no longer mimic any particular sci-fi franchise.

If a shot leaves the screen, there’s a zoom-out (shown below). Shots can orbit until they leave the wider area or timeout.

The gameplay is intuitive and very much in keeping with my memory of the “classic” version. There’s something about the simplicity that I enjoy, and the turn-based play makes it more social. I played it with my son and had a ball, and anything that gives dads fifteen minutes with their teenager is awesome.

Nextcloud File Discovery

Mon, 02 Jan 2023 14:47:26 -0500

I’ve heard good things about Nextcloud for a long time and finally decided to take the plunge. I have a home file server that is accessed via sshfs and nfs, but it’s a little problematic to get to from Windows or mobile. Nextcloud extends the file sharing through a web and dav interface to make it accessible from anywhere. Nextcloud offers a lot of functionality, but my initial focus is just on straight-forward file-sharing.

The Issue

Setting up Nextcloud went okay, but it defaults to sharing directories at /var/www/nextcloud/data. I spent some time trying to change Nextcloud to access the directories that already had my files but didn’t see a good way. Option two would be to move the files and my first attempt was to access Nextcloud on my desktop PC and drag files from the NFS share. That was s l o w.

Rethinking my file movement, I accessed the server command line and moved the files. Replace Source and user with the appropriate values.

sudo mv /Source/ /var/www/nextcloud/data/user/files

This moves the files (as shown by ls) but doesn’t show the files in Nextcloud.

The solution

There are two steps to finish this process. First, change ownership of the files to www-data so that Nextcloud can access. This command may take a moment to complete.

sudo chown -R www-data:www-data /var/www/nextcloud/data/brent/files/

Once everything is in place, use Nextcloud’s built-in occ tool tool to re-index user files. Depending on the size of your file share, this may take more than a moment.

sudo -u www-data php /var/www/nextcloud/occ files:scan --all

Open Nextcloud and go to files - if already open, refresh. Your files will now be visible.

FancyWM

Mon, 26 Dec 2022 12:00:26 -0500

Pop! OS has spoiled me. I used to try to slide windows left and right across multiple monitors to get them to all fit. My current workflow on Pop! is to enable tiling on my 4K display and then use multiple desktops if I need to divide my work areas. I’ve recently been using Windows more and set out to recreate that workflow. I won’t claim an exhaustive search, but here is the way I’ve currently setup my Windows PC.

Multiple Desktops

This is the easy part, as Windows 10 and later support multiple desktops. Click the “task view” button on your task bar and open windows will all be displayed. At the top of the screen is a list of desktops and a “New Desktop” button. The image here shows the button you are looking for. If you don’t see task view, right click on the task bar and select “show task view”. You can also use the TAB+WIN combination to jump to the task view.

In the Task View exploded screen, you can click and drag any open window to any desktop (similar to Gnome). This makes creating a workspace a snap. I wasn’t able to screenshot task view, so the picture is from Windows Central.

Tiling with FancyWM

FancyWM is a dynamically tiling window manager for Windows 10/11. It’s not as automated and intuitive as Pop!, but it provides a serviceable level of tiling.

When running, FancyWM responds to the Shift+WIN key combination, with an additional key to tell it what kind of action to take. It supports vertical (Shift+WIN, “v”) or horizontal stacks (Shift+WIN, “h”). Once a stack is created around one window, other windows can be dragged into it (similar to COSMIC). FancyWM also supports floating (non-tiled, Shift+WIN, “f”) windows and stacked (Shift+WIN,“s”). You can create rules so that particular applications always run in “floating” mode as well. There are two screenshots shown. In the first, I opened a series of new windows on an empty desktop. FancyWM automatically stripped them vertically, adjusting as new windows are added. I then selected the first window and created a vertical stack using Shift+WIN “v”. I was then able to drag other windows under the first to form a stack. Each window caused the stack to divide vertically.. You can see a stack of two and a stack of three in the second picture.

FancyWM supports multiple displays and multiple desktops. I found this to be a little glitchy as windows moved displays, but it corrected itself over time. FancyWM is licensed, but will run without a license and “nag”. It’s available from the Windows Store.

Self-Hosted Obsidian

Sat, 10 Dec 2022 17:17:04 -0500

I’ve recently written about using Obsidian - an intro, a discussion of tasks and add-ins, and a discussion of dataview. The number of add-ins and the ideas that are being implemented using Obsidian has exploded, and hopefully I’ve provided enough to get you started and help you discover how it could work for you.

Justin Pot at PC Magazine published a review in November. It’s a good review and on the whole very positive. One deficiency that he points out, though, is the fact that Obsidian is installed locally and there’s no facility for accessing it on multiple computers. Justin goes on to suggest that one could use a seperate service to sync files between computers. I’d argue that this is consistent with the Unix philosophy of “making each program do one thing well”. If you need two functions (notes, file replication) then use two programs.

I’m aware of six ways that Obsidian could be kept up to date between computers, and I’ve tested several. If you are interested in using Obsidian and being able to access notes from your PC on your phone is a requirement, here are my experiences and opinions.

You’ll note that I’m syncing to my phone. Obsidian runs - plug-ins, themes and all - identically on the phone. I don’t enjoy the swishy keyboard interface, but I use my daily notes for to-dos and bullet points. I find the using Obsidian on mobile invaluable for checking things off or adding quick notes as I move around. I also have added some key PDFs to my vault for reference and the Obsidian interface is an easy way to access that information.

The ones I didn’t try

Several solutions may be good, but I haven’t personally tried them. Obsidian Sync is made by the developers to fund the project and I’ve looked at this closely. Obsidian Sync also supports version history, something you don’t get using other methods. That said, it’s $8 per month which strikes me as steep. I just came through a period of unemployment and feel like there’s something sinister about the way we’re being pushed into more and more subscriptions. The same link includes an option to donate to the project one-time, and I’m electing to support the devs that way.

Obsidian could also be sync’d through a cloud file system, such as Apple Cloud, Google or Box. The PC Mag article references using Resilio Sync, which is a new one for me. There are comments on Reddit from folks who use various cloud services (Apple seems popular). My issue here is that Obsidian has some of my most personal information. I’m not entirely comfortable putting that in cloud storage. Many cloud providers have some level of free storage, probably enough for an Obsidian vault. If you need to pay, it’s typically around $5-10 and could be used for a variety of things, so this technique could be free and in the worst case is on-par with Obsidian Sync.

Danger!

Backup your Obsidian vault before experimenting with sync options.

Shared Drive

The first idea is the easiest and most obvious: use a shared drive. I put my Obsidian vault on a server and published that folder using NFS, then mounted it on my PC. I used SSHFS to map to it from a Linux laptop and from Windows. Read more about using SSHFS and NFS here. No problems. All three devices were able to co-edit within the same vault - I even noticed open files being updated dynamically. This method is free, but requires access to the devices (local LAN) and doesn’t work for mobile devices.

The private network can be extended using VPN to get this to work remotely. In fact, I used Zerotier and Tailscale to test this and things worked perfectly for laptops. There might be sync issues if someone was editing on both sides, but as long as it’s being used as a personal vault, this shouldn’t be an issue. IOS and Android both support various VPN mechanisms, but Obsidian on those platforms expects a device-local vault.

Syncthing

Syncthing is a tool that many people use to keep files sync’d between computers. It’s free, and is supported on just about every OS short of Haiku (nope, I checked). Once Syncthing is downloaded to a device, it needs to have a relationship approved on a remote device. The devices agree on local directories that are to be sync’d, then syncthing runs periodically to update files.

Like a shared drive, it’s free and devices need to be local to each other. As shown in the picture to the right, I setup my desktop, tablet and phone to keep an Obsidian vault in sync. When I first setup Syncthing, there was an instance where it deleted a file. I wasn’t able to replicate that behavior later so it may have been something I did, but it left me with a bad taste. Syncthing doesn’t overwrite - it creates duplicate marked copies. This results in having a proliferation of these dups that have to be cleaned up. I had as many as four devices syncing and that may have added to the replication issues.

So my experience of Syncthing was that it worked, but required local software and had some rough edges.

Remotely Save Plug-in

The Remotely Save plug-in is the option that I’ve personally settled on. Remotely Save allows syncing using S3-compatible storage, Dropbox, OneDrive, or WebDav. I already have a local WebDav server running on Apache (see Using WebDAV on Apache). This required minimal self-hosted infrastructure, supported PC and mobile operating systems, and was free. I’ve had no issues with it working or losing data.

The screenshot to the right shows the setup of Remotely Save. The first selection is for the storage type and Webdav is chosen. Next I specified the server address. I use other applications that will just take the IP address of the server and Remotely Save required the protocol prefix “http://”. This brings up the one problem I had - there’s very little in the way of error messages or debugging output if you have a problem. If failed when I used a raw IP, but didn’t provide clues as how to remedy the issue and it took a bit of trial and error.

I have this setup of several devices. On each, I have them setup to run at startup and then periodically afterward. I don’t tend to have Obsidian open in multiple places, so this is sufficient to prevent replication bifurcations.

Git Plug-in

The Git Plug-in has a lot of potential. I tested with Github and couldn’t get it to work with cert-based authentication (as is required by Github). That was okay, because I’m not really interested in copying my vault to public cloud. I also tested this with local Gitlab. That worked very similarly to the Remotely Save plugin, with the added bonus of having a history. If you are comfortable setting up a local Git server and using Git, this is a little more complicated than WebDav but a good option.

Round-up

For my usage, Obsidian is superior to other options such as Evernote or OneNote. It’s plug-in architecture have also made it an exciting platform for experimentation. There are constantly new ideas about what can be done using this as a base. The PC Mag review was right to call out multi-device usage as a shortcoming, but I’ve found this can be addressed in a variety of ways. I’ve been using local WebDAV (using the Remotely Save plugin) for about a month and Tailscale to allow remote syncing and I’ve been very pleased.

Blameless Post Mortems

Thu, 17 Nov 2022 16:00:14 -0500

If you support IT infrastructure, the goal is to minimize issues (particularly issues with big impacts). Some issues can be anticipated and pre-mitigated. Considerable success can be achieved but perfect is not for this life. As a leader, I want to ensure that we learn and improve from every issue. One way to do that is through a post-mortem process.

I had a mish-mash of approaches that I used from reading Atul Gwande. If you haven’t read his books, I am amazed at how the stories of the history of surgical improvements can be applied to IT and highly recommend them (a good one to start with is The Checklist Manifesto). I was inspired to strengthen and standardize the use of post-mortems from a presentation given by Data Dog at an AWS conference. This article describes my experiences. I’ve also linked to an excellent article from Data Dog.

History of Post-Mortems

The concept of a Morbidity and Mortality conference originated with Ernest Codman, who worked at Massachusetts General in the early 1900s. It should be noted that the idea of reviewing the mistakes of peers was not initially well received. Their use over time has helped to instill best-practices, avoid repeating errors, and driven increasing success in patient care.

These conferences are held regularly at most hospitals. At the meeting, selected cases are presented by the responsible doctor. They lay out the details of the case, approach used, and progression of symptoms. M&M is particularly good at building accountability and drawing out errors in process and communication. This process is so integral and well respected as a part of medicene that the presentations and discussion are not legally “discoverable” in most states to allow doctors to freely discuss these cases.

The National Transportation Safety Board (NTSB) and Federal Aviation Administration (FAA) use a similar approach when investigating a airplane crash. Information and timeliens are assembled, involved parties interviewed, and the conclusions are fed back to the community. This has led to a drop in annual fatalities from 6.15 (1965) to 2.11 (2010) per 100,000 flight hours.

Using Post-Mortems in an IT setting

In my experience, blameless post-mortems should be incorporated into weekly meetings (although events with large impacts usually require a seperate discussion). I ask the ticket lead to present the case.

“Blameless” is a big part of success - I have found that, while no one enjoys being second guessed, most folks want to do good work and that they embrace the accountability, support, and forgiveness of their teammates. They want to improve and not repeat a bad experience.

It’s important to recognize carelessness and sloppy work with consequences. This is a critical part of leadership - it’s not what you say, it’s what you tolerate. When that’s the case, folks may need to be assigned a mentor, work on less challenging projects, or even be reassigned.

Generally however, these discussions will find some flaky piece of tech that - when mixed with process confusion and communication issues - leads to fiasco. When that’s the case, the team owns identifying the technical workaround and suggesting process improvements and leadership owns ensuring that those suggestions are carried out and adhered to. Done well, this process builds ownership and accountability to each other within a team.

I’ve found that teams can process a limited number of these, so I select interesting cases for review. Certainly every SEV1 needs to be reviewed - I typically do that in a dedicated meeting and it leads to a full Reason for Outage (RFO) document.

Weekly Reviews

I tried to review everything at first, but that got impractical and frankly repetitive. These days, I try to pick three cases that might lead to interesting discussions in weekly meetings. The idea here is to catch issues before they have a big impact. I forewarn the implicated people so that they can prepare, and I ask them to consider four lines of questions:

What happened?
Response
Resolution
Deltas

I’ve found that I can do this “short version” with each event taking about 5 minutes. I document the answers to those four questions in my meeting notes so that we can refer back to them later, if needed.

RFOs

For RFOs, I usually ask the lead person to write up a report using the bullets above as sections, although we can combine events and response on a timeline. The report usually settles everyone down and helps establish that the response is under control. This report needs to be more formal and the areas are probed much deeper. To help with that, here’s an expanded interogative version of those four areas.

What happened? How did we learn of the issue(and should that be automated)? Did we get the right metrics? A timeline is useful, and email and IM are helpful resources to get times.
How did we respond? Did it go well? What was the impact? How did we communicate? Communication in the event and after the event is usually the difference between it being classified as a fiasco or learning experience.
What resolved the situation? Did we follow the appropriate processes? If yes, were they effective? If no, why not?
What needs to change going forward? Note that this might be directly related to the issue or just something that was noticed in the process (like labeling to make response faster).

Review

This process, to be successful, requires a commitment to follow-up on the findings and drive them to conclusion. The conclusion of some may be that risk has to be communicated and accepted (for instance, where capital isn’t available to purchase new equipment). Many conclusions, as previously mentioned, will be around tecnique, process, and communication and they are absolutely addressable. I typically put all the reports into a shared directory or repository and review them as a team periodically. I also add specific follow-ups as tickets (and note the ticket number in the RFO), so that the team has integrity about following through.

It’s about team improvement

Here’s the punch line: it’s about growing the capability of the people you work with. For this to work (for me at least), it has to come from a place of good will. That is frankly difficult when things go pear-shaped. Leadership has to believe in the team, support the team, and want to see that team succeed. There is certainly a time to deal with underperforming members, but this is not that time. Focus on the problem, then focus on never having that problem again, then focus on the confidence and preparedness of the team so that they are ready for whatever comes next.

Wisdom in 17 sayings

Tue, 15 Nov 2022 14:41:10 -0500

I grab onto quotes. Some I hold onto long enough to consider and they pop up in conversation at odd times. Others seem to bubble up consistently. To me, these favorite quotes are the compass that I use to retain my sense of direction in difficult times and circumstances.

Folks who have worked with me over the years will have heard versions of these sayings (and probably some that I am forgetting right now). Some may complain for hearing them too much.

I’m preparing for a new job and thinking about how I want to approach new responsibilities. I’ve never tried to compile a list but it’s a good time for reviewing these touchstones. I wanted to share that list with you.

So here are sixteen sayings pertinent to leadership, collected over about that many years of leading. I’ve tried to organize these into themes. I’ve researched attribution and exact quote where possible.

General

These sayings can be employed in a variety of circumstances.

I heard this first while teaching computer networking at Camp Lejeune. I was told it was an “old Marine Corps saying”, which I suppose is like the Klingons talking about Shakespeare “in the original Klingon”.

If you don’t know where you’re going, any road will get you there.

Lewis Carroll

I had a wonderful boss in the early ’teens. He coached me on promotions and, as best I remember, here’s his advice.

If you want to be promoted, take responsiblity. Being responsible attracts opportunities, and eventually someone in management will say “get that guy a hat”.

John Phelan

I think I first heard this last one from 12 Rules for Life by Jordan Peterson. The metaphor, about self-discipline and being in control of yourself and your emotions, struck a chord.

When you get hurt, say, by an arrow, that is pain. . . However, there is a second arrow, which is your reaction to the arrow, the getting angry, the planning revenge, this is beyond pain, this is suffering.

Buddhist saying

On Preparation

Ideally, we’d anticipate possible issues and make plans to mitigate. These quotes deal with the issues and rewards of being ready.

These start with some cynical reminders.

Bad security looks just like good security until seriously attacked.

Bruce Schneier

and one of my favorites in the same vein.

Everyone has a plan until they get hit.

Mike Tyson

Two of my former CIOs gave me solid advice about preparation that I’ve carried forward in my career. Mike said the first when talking about the constraints of budgeting, but it’s a good reminder to not over-commit.

You can only fit 5 lbs of sugar into a 5 lb bag.

Mike Cross

Kap intimidated me in those days and I regret not getting to know him better. He had a very clear vision about the way the world works, illustrated below.

Play the cards you’ve got in your hand, not the ones you want.

Kap Kim

I saved the best for last. I use this to encourage preparation and to commend it’s results. I saw Gregg Easterbrook attribute this to Bear Bryant in a Tuesday Morning Quaterback article, but it turns out the original quote is from Neyland.

Gentlemen, touchdowns follow blocking as sure night follows day.

General Robert Neyland

As I recall, Easterbrook added the aside that “it’s a lot of fun to run a hundred yards when everyone in front of you is on their back.”

On Troubleshooting

Troubleshooting requires deep understanding. It is often denigrated, but I’ve always found it to require tremendous imagination and to reward patience and persistence. I’ve had many opportunities to mentor troubleshooting over the years and here are some of my favorite aphorisms.

This first was one of Dad’s favorites. As it has become well known, it’s grown a little trite but still makes a great point for technologists.

If you only have a hammer, you tend to see every problem as a nail.

Abraham Maslow

Many times the way forward is not clear. Here I took an example from being a parent. This has always been solid advice because there’s always some technical cruft that can be cleared up and the act of cleaning either reveals the issue or puts the person in the right headspace. Although Peterson has a similar saying, mine preceeded his.

My kids would ask me if I’ve seen their favorite toy. I’d say, “No, but I bet if you clean your room you’ll find it”.

Brent Stewart

No one likes change, but sometimes troubleshooting presents opportunities to move forward.

You never let a serious crisis go to waste.

Rohm Emmanuel

On people

Many of these, such as the “second arrow” also address dealing with other people. These are the two best quotes I have specifically on the topic of the trials of co-workers.

My father could be pithy and a little cynical, but he understood something about people.

If you went to the mall and gave out $20 bills at the door, someone would compain that you didn’t have change or were at the wrong door. You cannot make everyone happy.

Bill Stewart

I’ve carried around this quote since I was a kid. I think I picked it up from reading Robert Heinlein. It, or something like it, has been said in various forms for a long time.

Never attribute to malice what can be adequately explained by stupidity.

Hanlon’s razor, perhaps a restatement from Winston Churchill

Extreme Ownership as a book is like a Mel Brooks movie - everyone remembers just the bits that hit it out of the park. Still, there’s an undeniable relevation about leadership in this quote and I repeat it when mentoring young managers.

It’s not what you preach, it’s what you tolerate.

Jocko Willink

On Gratitude

I finish with the subject that has most influenced my “mature” years. I’ve worked to become a grateful person and to recognize that I’m blessed in myriad ways. To list just three: I have a wonderful wife and amazing children, I have friends around the world who want nothing but good for me, and I have the opportunity to do meaningful work. Focusing on those gifts has brought a peace and happiness to my life.

When I was younger, I thought that Stoicism was depressing. I’ve come to realize that it provides perfect perspective for a grateful life.

Nothing is more honorable than a grateful heart.

Seneca

and also

He is a wise man who does not grieve for the things which he has not, but rejoices for those which he has.

Epictetus

I sincerely hope that - if you take nothing else - these thoughts on gratitude will resonate and be useful. As a Christian, I’ll end with the most meaningful quote to me, taken from the end of the Sermon on the Mount.

Therefore do not worry about tomorrow, for tomorrow will worry about itself. Each day has enough trouble of its own.

Mark 6:34

Updated Ubuntu Upgrading

Mon, 14 Nov 2022 17:27:51 -0500

OS Hopping update

I’ve confessed in this blog to being a distro hopper. I love to see what is possible and to explore alternatives! I haven’t provided an update on where that journey has taken me, so let’s start there.

I have a desktop, where the majority of work is done, and a laptop for traveling and returning emails from the couch.

The desktop is running Pop! OS and I’ve considered changing that many times (most recently to Nix OS) but just haven’t. I’ve found Pop! really fits my workflow. In particular, I think the Pop! implementation of tiling is the experience that suits me best. I’m not crazy about the full-frontal keyboard experience of i3, and tiling in Gnome and KDE is “meh” in comparison. I also like that Pop! builds on Ubuntu, the environment with which I’m most familiar.

Tiling on a big 4K display is just the obvious way to go, but it doesn’t work as well on a smaller screen. My laptop has been where I’ve done my current distro hopping. It ran Nix-OS KDE for a long time and that was a mostly great experience. The big miss there was software - I had issues getting my Brother printer driver to load and I wanted to update to KDE 5.26 and it isn’t available yet. I’ll circle back to Nix at a later point because it sold me on the vision of reproducibility. I briefly tried stock Ubuntu and got frustrated with Gnome extensions and . . . well, Gnome. It’s currently running Kubuntu. I’ve added backports and upgrade KDE to 5.26 as well.

All this sets the context that I’ve settled into Ubuntu family systems and developed some comfort there. The package system is a core part of what differentiates distros and I’m pretty comfortable with apt. Recently, two new programs have emerged to provide a better experience - nala and topgrade.

Apt

Package updates on an Ubuntu-derived system (Ubuntu, Kubuntu, Mint, Pop! and others) is done through apt. Apt is pretty good, but isn’t optimized for speed and really only covers packages distributed as debs. Also, new package formats have emerged that build the application and all it’s dependencies together (like flatpak, snap) and these aren’t updated by apt.

To address part of this, I made a simple update script that includes flatpak and snap. I just run “updateall.sh”.

sudo apt update
sudo apt upgrade -y
sudo snap refresh -y
flatpak update -y

Nala

Nala is an apt replacement that has been generating some buzz recently. It is able to pick the fastest mirrors, utilize multiple mirrors, and download in parrallel. Installing nala via PPA is shown below. You’ll need to run nala fetch to have it evaluate the latency to mirrors and pick the fastest.

echo "deb [arch=amd64,arm64,armhf] http://deb.volian.org/volian/ scar main" | sudo tee /etc/apt/sources.list.d/volian-archive-scar-unstable.list
wget -qO - https://deb.volian.org/volian/scar.key | sudo tee /etc/apt/trusted.gpg.d/volian-archive-scar-unstable.gpg > /dev/null
sudo apt update
sudo apt install nala

nala fetch

Once nala is installed, it’s used very similarly to apt. A system upgrade is nala update and nala upgrade.

In my testing, nala is slightly faster than apt and a little more visually appealing. It didn’t seem to result in a qualitatively better experience though and didn’t address other packaging formats. It’s probably worth moving from apt to nala, but you’re still going to need an updateall.sh script!

Topgrade

Topgrade is a rust application that detects the invoking OS and then steps through various appropriate update routines. On my system, it not only recognized that Pop! is a deriviate of Debian but also caught that I had installed Nala and used it instead of apt! I’m not a Rust programmer, but looking through the linux.rs file gives a sense of the logic.

Topgrade uses every update mechanism it finds on your system. On my PC, it used Nala, Brew, conda, pip, flatpak, snap, and fwupd. It updated containers and Gnome shell extensions as well. Wow!

Installing Topgrade on Ubuntu is done through cargo. Conducting an upgrade simply involves running topgrade.

cargo install topgrade

I haven’t had any issues running this against Pop! OS.

Do Both!

I started this article with an eye toward examing Nala against Topgrade (which I was already using). My conclusion is that the combination is the best of both worlds. Topgrade will incorporate Nala if installed. Through Nala, it gains some speed over apt. Topgrade also provides the upgrade mechanism for a variety of other sources.

Obsidian Dataview (Part 3)

Tue, 01 Nov 2022 09:38:21 -0400

This article is the third I’ve written on Obsidian. Part 1 describes the basics and Part 2 covers tasks, this article will describe using Dataview.

Core Obsidian is “just” a markdown editor with some Wiki functionality and a pretty good understanding of tasks. The magic comes through add-ons. The process of adding plugins is described in the second article where I discussed “Checklist”, which pulled all your open tasks together on one list in a sidebar. The Dataview plugin is also a way to collect information across notes, but much more powerful.

Once the Dataview plugin is added, you can add a dataview query into any document. Fields can be created in any document either as YAML front matter or within the document using double-colons.

Let’s build out an example!

At the time of this writing, I’m looking for a new job. I’ve gone into Obsidian and created an “Opportunities” folder. Each document in that folder is based on a standard template that I fill out. I update the document as I learn more and I make “active=False” if it’s not a good fit. I should note that each document starts with these standard fields, but I add all kinds of unstructured data underneath. I have a diary of notes from calls and follow-up tasks that starts after the fields.

## Untitled

active::True
Title::
Pay::
Link::

contact:: 
initialContact::
lastContact::

Onsite::
Location::

group:: #opportunity

Outside the folder, I have a “master view” document where I track the entire job search. This gives me a dynamic dashboard of the opportunities I am targeting. The first table on this dashboard document is a summary of the various opportunities. The first field in the table is the filename and it links back to the underlying details document.

NOTE: Obsidian denotes sections of code by encapsulating with three tics (`). Noting the language after the top tics will highlight based on the language. When the Dataview plugin is present, mark the code “dataview” and it will be interpretted and replaced with the query results. I’ve added a space in the bottom three tics to prevent Hugo from interpretting (and then hiding) the tics.

```dataview
table title,stage, pay, onsite from "Projects/Opportunities" 
where active SORT file.name asc
` ``

I have a similar set of documents for the people I’ve met to track their contact information. This query pulls in contact information from documents in the People folder that have the tag #jobhunt.

```dataview
table mobile,email, Last_contact 
from "People" and #jobhunt 
` ``

Another table in the dashboard file is a list of open tasks. Remember that Obsidian allows you to create a task using square brackets anywhere in a document. In my employment search, many people have volunteered to help but are not necessarily associated with a particular job. This means that I may have a follow-up reminder associated with a contact or with a job. Here’s the query that pulls all those to-dos together. It’s worth noting that I can check off a task either in the source document or in the dataview list and it will update the other.

```dataview
TASK from "projects/opportunities" 
or ("People" and #jobhunt) 
WHERE !completed 
GROUP BY file.name SORT file.ctime asc
` ``

The second screenshot shows that I also have a dataview list of people on this “dashboard” page. Dataview is enormously powerful and really turns building a personal database into a load of fun.

Dataview provides a pretty good exposure to NoSQL. I have a lot of SQL experience and struggled with the concepts of “NoSQL”. Dataview uses it’s own query language (called DSL), but it’s easy to pick up and starts to give you a vision of what’s possible in NoSQL. A simple example here - if you built a SQL database and started populating it, it could be problematic to add a field later. With Dataview, I could just start adding a field for “PTO” and the query would just ignore pages that didn’t have that field. Although Dataview can handle schema changes adroitly, it doesn’t have any concepts of data relationships, so it’s going to be fit for flat data.

Those of you with sharp eyes may notice that I have buttons on my dashboard (for instance, “New Opportunity”). I may describe setting that up in a future post, but just to not leave the question hanging I’ll mention those are created using the “Buttons” and “Quick Add” plugins. You may also notice that my folders have icons - that’s done using the “Icon Folder” plugin.

Basic Packer

Wed, 19 Oct 2022 17:26:07 -0400

Hashicorp makes some cool tools for playing in the cloud or a virtualized environment, especially if you want to build out an Infrastructure as Code approach and make infrastructure updates a CI process. Packer is a tool that let’s you define a server - OS, cores, storage, packages, and all - in a script that can be built on demand. You can even define your environment, like LAMP, in the packer script and load your application files.

A very practical use of Packer would be to use it to build a custom AWS AMI for your company. You want every EC2 instance to look like this image, so it might include security settings or agents, centralized logging setup, connections to centralized authentication, and other common resources. I would probably load any required data files when the EC2 instance is instantiated, maybe through Cloud Formation.

Packer scripts are written in HCL (Hashi Corp Language? Dunno.), which ends up looking like YAML.

I built a Packer repo that builds a simple Ubuntu server for VMWare Workstation. It should be simple enough to customize this, including having it output an AWS AMI (Amazon Machine Image). It is tested and works with Pop! 22.04 with a 5.19 kernel and VMWare Workstation 16.2.4.

The packer file (custom.pkr.hcl in my example) can be broken into three parts. The first section defines the virtual machine, including the installation media and the CD image with customization steps. It looks like this:

source “vmware-iso” “jammy-development” { iso_urls =[ “file:/media/brent/Ventoy/ubuntu-22.04.1-live-server-amd64.iso”, “https://releases.ubuntu.com/22.04.1/ubuntu-22.04.1-live-server-amd64.iso”] iso_checksum = “sha256:10f19c5b2b8d6db711582e0e27f5116296c34fe4b313ba45f9b201a5007056cb” iso_target_path = “/media/brent/Ventoy” version = “16” memory = 4096 cd_files = [ “./http/meta-data”, “./http/user-data”] cd_label = “cidata” cpus = 1 cores = 2 disk_type_id = 0 network = “nat” network_adapter_type = “vmxnet3” vm_name = “Ubuntu2204-dev” ssh_username = “vmadmin” ssh_password = “Password” shutdown_command = “sudo shutdown -P now”

Ubuntu can be booted into an autoinstall script (“user-data” in this example). Typically the way this is done is by placing a file (user_data in this case) into the http folder. Packer makes that folder available through a local Apache installation. However, I could not get the VM to “see” the website and draw down the file. I tried several iterations of network configuration to no avail. One other approach I took was to take the auto-install files and place them in an ISO image, then attaching the image to the VM. To do this, I installed the cloud utilities from Ubuntu. I used cloud-localds to put the two data files into a small ISO.

sudo apt install cloud-image-utils cloud-localds ./seed.iso user-data meta-data

Later I discovered that this can be done in the packer specification:

cd_files = [ “./http/meta-data”, “./http/user-data”] cd_label = “cidata”

The second part of the packer file describes how to interact with the server as it boots. You can actually specify and and walk through an entire installation wizard. With Ubuntu, I found that to be fragile. As I made changes to the network to try to get it to see the local webserver, the installation prompts changed and broke the sequence. Instead of walking through the wizard, this script boots into the custom setup and tells it to load the autoinstall script from the CD-image.

boot_wait = "5s"
boot_command = [
  "c<wait>",
  "linux /casper/vmlinuz ds=nocloud-net s=/cidata",
  "<enter>",
  "initrd /casper/initrd",
  "<enter>",
  "boot<enter><wait60>",
  "yes<wait120>"
]

} boot_wait = “5s” boot_command = [ “c”, “linux /casper/vmlinuz ds=nocloud-net s=/cidata”, “”, “initrd /casper/initrd”, “”, “boot”, “yes” ] }

The third piece is the autoinstall script (user-data). This describes some of the setup attributes, like keyboard, and the initial set of packages to be loaded.

autoinstall:

version: 1 apt: geoip: true disable_components: [] preserve_sources_list: false primary: - arches: [amd64, i386] uri: http://us.archive.ubuntu.com/ubuntu - arches: [default] uri: http://ports.ubuntu.com/ubuntu-ports early-commands: - sudo systemctl stop ssh locale: en_US keyboard: layout: us identity: hostname: jammy-daily username: vmadmin password: $6$Da/Bin6we2OOJCVD$HM00JdEP47D.cVfSYzwf71khVHPD8NqbYLGw/iXPswndEqI2TNsMELWRCt0tA2.mVMPjFZlPI0B/xOBO9OhF01 ssh: install-server: true allow-pw: true packages: - openssh-server - open-vm-tools - cloud-init - whois - zsh - wget - tasksel user-data: disable_root: false timezone: UTC late-commands: - sed -i -e ’s/^#?PasswordAuthentication.*/PasswordAuthentication yes/g’ /target/etc/ssh/sshd_config - echo ‘vmadmin ALL=(ALL) NOPASSWD:ALL’ > /target/etc/sudoers.d/vmadmin - curtin in-target –target=/target – chmod 440 /etc/sudoers.d/vmadmin - “lvresize -v -l +100%FREE /dev/mapper/ubuntu–vg-ubuntu–lv” - “resize2fs -p /dev/mapper/ubuntu–vg-ubuntu–lv”

My repo is linked and you can grab the original files there and build on them. Packer is free and open-source and works with a variety of local and cloud backends, including VMWare, VirtualBox, HyperV, KVM, and AWS. This is an easy way to produce repoducable server environments and treat your servers like “cattle not cats”.

Tailscale

Tue, 04 Oct 2022 14:48:18 -0400

I’m interested in TailScale. I’ve been hearing good things about it from my friend, Jared, and TailScale has a fair set of proponents on my favorite podcasts. A couple years ago, I setup ZeroTier and built a dedicated Linux device to attach to the ZeroTier network and route into my local LAN. I wrote a well-received set of articles about that experience (Zerotier Basic Configuration and ZeroTier Router). ZeroTier continues to work well, but I haven’t been traveling as much and have left the VM off lately. This investigation doesn’t come from any frustration with Zerotier or urgent need, just from an interest in trying something new.

Challenges

Both ZeroTier and TailScale are “overlay networks”. I have a Meraki stack at home with two Internet connections (WISP and Starlink). Meraki has horrible VPN support and I’m not over-enthused about cutting holes in my firewall. Plus, anything that requires an ISP failover would kill VPN, so these overlay-style connections fit my needs closely.

Both solutions use NAT traversal techniques and some of the same encryption suite. Tailscale is an implementation of Wireguard (which is all the rage in Linux circles), but Zerotier predates wireguard and is a custom solution. I’m not aware of any active security issues with either. Obviously though, you’re only as secure as who you trust.

Both ZeroTier and Tailscale operate in a “freemium” model, where the rendezvous server allows 20 connections. Larger networks require a subscription, but both have self-hosted rendezvous servers as an option (presumably you’d set these up on something like EC2). I solved this with ZeroTier by configuring an Ubuntu server as a router from the ZT network into my home network.

Experience with TailScale

The Tailscale experience starts with signing up on the website. Instructions are provided for all the supported operating systems - Windows, Mac, Linux, iOS and Android. Mobile operating systems send you to the respective App Stores to pick up a client. My Pop! desktop is Ubuntu-based, so I was able to add a PPA and install from there. TailScale doesn’t have a Linux GUI client, it is invoked through the command line as shown below.

sudo tailscale up 
tailscale ip -4  #shows private TS IP, can also be seen using "ip a"

Once clients are instantiated, the VPN network is maintained at the tailscale website. My machines were given addresses in the 100.64/10 range, but not in the same /24, which is a little different than Zerotier. Clients should be able to communicate after they are registered and visible on the dashboard. Tailscale functions as expected - I was able to access internal TailScale-attached resources without having to provision access on the firewall and speeds were comporable to ZeroTier.

With Zerotier, I had to build a router to access non-attached devices. TailScale allows any device to be an “exit node” and to route traffic into the local network. Here I ran into some minor issues. Tailscale documentation is pretty good, but there are still some mental hurdles to getting this to work correctly.

First, the node has to be setup as an exit node. To enable this, I re-enabled the tailscale client with the advertise flag.

sudo tailscale down
sudo tailscale up --advertise-exit-node

The node will now show in the dashboard as an available exit, but it won’t have any routes. It turns out the node has to explicitly advertise local routes. In ZT, this is controlled through the dashboard. To enable this, I re-enabled the tailscale client with the routes. For the record, I’m not sure that you have to take the service down everytime you make the change. That might just be years of conditioning coming out on my part.

sudo tailscale down
sudo tailscale up --advertise-routes=192.168.0.0/22 --advertise-exit-node --accept-routes=true

By way of reference, I have four VLANs locally. I could use seperate tailscale endpoints to attach into each of them, but I want to advertise them all as a block and thus have the /22 above.

At this point, routing onto the local network from Tailscale will still not work. There are two issues left to deal with, one obvious and one bug. Let’s deal with the bug first. When I review the Linux routing table, it does not show the tailscale network. After beseeching the Great Google, I found references to a known bug in Ubuntu that doesn’t add these routes. Since the computer doesn’t have a route in the tailscale network, it can’t pass traffic back.

>route
Kernel IP routing table
Destination     Gateway         Genmask http://192.168.26.53/ worked, but not to other devices in the same VLAN or to other VLANs.

sudo route add -net 100.64.0.0/10 dev tailscale0

The remaining issue is that local devices have my firewall as their default gateway. When they receive traffic from a tailscale-connected IP, they reply using their default route back to the firewall. The firewall then uses it’s default route to pass the traffic to the public Internet! To fix this, I went into firewall (for those of you with Meraki, it’s on the dashboard under Security & SD-WAN > Addressing & VLAN) and added a static route. The route should target 10.64.0.0/10 and the next hop should be the IP of the tailscale exit node. With this in place, everything works!

Nix setup

Setup in Nix involves two steps and also varied slightly for me from the docs. First, add tailscale to configuration.nix.

environment.systemPackages = with pkgs; [ . . . pkgs.tailscale ] services.tailscale.enable=true;

exit the text editor

sudo nixos-rebuild switch

Once tailscale is installed, run sudo tailscale up as before. This will provide a URL for authentication. Finally, go into the tailscale dashboard and authorize the new machine (click the ellipsis to the right of the machine and choose authorize). Nix runs on my travel laptop, so I didn’t try to advertise it as an exit node.

Tailscale Dashboard

My impression of the Tailscale dashboard is mixed. There’s a download link, and a place to add users. Free accounts cannot have multiple users, so the main user would have to setup the client on each device (like my wifes’ or kids’ computers).

The documentation is pretty good, but I ran into several questions where it gave insufficient answers and I needed to just experiment to get things working. The Machines tab shows devices that are currently connected. This also allows you to set tags and enable routing (assuming that the client is also configured to support routing). The Services tab collects a list of services so that you are aware of what you are sharing into the TailScale network. This has the potential to be very useful, but you cannot “click to block” on this screen and it only shows services from the Tailscale-connected machine. No services were shown from elsewhere on the connected network. This could lead someone to a misunderstanding about their risk profile.

Other dashboard tabs allow you to setup access-lists and control DNS. Access control is configured through a JSON document. The controls available are pretty good - they allow you to block access by user or group (both rendered useless on the free account), by host IP, or by service port. The JSON ACL can be managed through Github using Github actions which is very exciting, but you’d have to make sure that repo is marked private. The DNS tab allows you to point Tailscale clients to an internal resolver or to use “MagicDNS”. MagicDNS, as near as I can tell, is basically a shared hosts file, but it’s nice for folks who don’t have a private name server.

Conclusions

What does this all boil down to? I’m attracted to Tailscale because it uses wireguard and because it doesn’t require a dedicated router-vm. Zerotier seems to have better access controls. In both cases, the free-tier accounts offer analogous features (20 devices, 1 user). Setup complexity is different, but equal. If one or the other is working for you already, I don’t think a change is necessary. I’ve decided to keep Tailscale in place for at least a little while and I’m very interested in investigating the self-hosted option and seeing what additional capabilities that would provide. Tailscale also offers a $5/month package of five users that would support a family and less work than spinning up an EC2 instance.

Linking and Embedding in Obsidian Notes (Part 3)

Thu, 01 Sep 2022 06:24:59 -0400

Obsidian has been a great way to organize my work and my personal activities. This is the third article I’ve written in this series. Part 1 was an introduction and Part 2 focused on tasks and used that as an introduction to plugins and tags.

This entry will focus on linking and embedding. At this point we’re focusing on using Obsidian to take notes as we go. After this, the series will turn to more advanced and non-obvious uses.

Links

Links are central to the way Obsidian works. I described Obsidian as part note-taking and part personal knowledge-base wiki. Being able to quickly link articles furthers both of those aspects. Embedding links allows quick reference to existing material so that it doesn’t need to be repeated. The links also start to create a navigational structure that allows quickly finding referenced information.

I’ve created a sample daily entry below that demonstrates three basic types of linking that everyone needs to be able to do.

The simplest is a straightforward link to another note in the same vault. I’ve demonstrated that below with the two notes to call Bob and Alice. Notice that two formats are supported - the double square brackets used by twiki and the markdown style used for Alice. Twiki-style is very easy to use - just type two opening square brackets and Obsidian will drop-down a selection list of notes to link. You can start typing a name if you need to narrow down the list. Selecting a note and pressing enter will automatically close the brackets.

One neat wrinkle on this style link is that it can reference a point within the document. Add a hash and then a header within the target document to the link and it will point to that location in the document. You can see this demonstrated below in the tasks section with a link that goes to the task section of the project.

Markdown links use a single set of square brackets for the link text and paranthesis for the link. In the case of Alice (below), the link is referencing a document in this vault and just needs the “Obsidian path”. Note the line below Alice . . . the same format is used for an external link. A markdown link is required for external references.

#  Sunday, Sep 04, 2022

## Tasks
- [ ] Update [[Take over the World Project#Tasks]]

## Notes
Call [[Bob]]
Call [Alice](People/Alice)
tutorial on [MongoDB](https://www.tutorialspoint.com/mongodb/index.htm)

Links provide structure

Other search engines provided an index of web pages, but Google realized the power of links for ranking results. If a lot of other websites refenced a page, then it might be interesting. The same logic is true in Obsidian and there are two tools to help you use this information.

Backlinks refer to other Obsidian notes that have links back to the note currently being viewed. This helps to create two-way traffic bewteen notes. I’ve also found it helpful to track down related notes. Backlinks are compiled automatically by Obsidian and shown in the “action” pane to the right by clicking the left-most tab. This is pictured below.

Graph view is another way that Obsidian tries to help surface relationships between notes. Graph view shows you all the notes in the vault, with linking lines to show where links exist. The graph view on the right is from my personal vault. I turned off the note names in this view, both to consolidate the view and to protect my privacy. Even without labels, two “hub” nodes are apparent.

Graph view is pretty, but I don’t personally find it necessary. Backlinks, on the other hand, I use fairly frequency to remember the name of the other file.

Embeds

Embedding is a term I’m using to describe including non-Markdown objects in an Obsidian note. We’ll talk here about including code, math, pictures, and other files in a note.

Block quotes are used to pull something out of the body of the text. These are useful for highlighting an interesting author’s quote or creating a sidebar. Block quotes are created by preceeding lines with a greater-than sign.

Callout boxes are a cool way to focus attention on a part of the page. These extend the use of quote blocks with commonly used headings and colors to draw attention to a point. Think about a cookbook that needed to say, “Danger - don’t put metal in the microwave!”.

Callout boxes are built like block quotes with a header. The header is constructed from square-brackets with an exclamation mark. The box includes everything until an empty line return, so it can be long.

## Callout
> [!Danger]
> Here's a danger callout

Obsidian supports twelve types of callouts and will automatically apply a simbol and colored header appropriately. Those types are listed below.

note
abstract, summary, tldr
info, todo
tip, hint, important
success, check, done
question, help, faq
warning, caution, attention
failure, fail, missing
danger, error
bug
example
quote, cite

Obsidian also supports code snippets. Programming should be enclosed in three tic-marks as shown below. The language should be identified after the first set of tics - Obsidian will automatically color the text similar to an IDE. Obsidian supports close to a hundred languages, including HTML, CSS, and Python.

  ```python
	print("Hello World")
  ```  #tics to open and close

Finally, Obsidian supports Latex code in-line or blocked out. $Latex$ included in-line should be brackted by dollar signs ($). If the equation needs to be blocked out and centered it should use double-dollar signss. The code for this paragraph is shown below the equation. $$ x = {-b \pm \sqrt{b^2-4ac} \over 2a} $$

Obsidian supports __Latex__ code in-line or blocked out.  $Latex$ included 
in-line should be brackted by dollar signs ($).  If the equation needs to be 
blocked out and centered it should use double-dollar signs.
$$ x = {-b \pm \sqrt{b^2-4ac} \over 2a} $$

Pictures and other files

Pictures and other files can be embedded in an Obsidian note. Pictures are automatically displayed as part of the note. There are two ways to do this. The first is to use the markdown link format. This does not copy the image into your vault, which is both good and bad. Linking to an external image keeps your vault smaller and cleaner, but if that object changes or is deleted then it will be gone from your notes as well. When I use this approach, I select a picture on a web page and right-click to choose “copy link”.

A second option is to copy the file into the vault and use the twiki-style link. This increases the size and clutter in the vault. This tecnique allows specifying size with a | bar and a width. It also protects your notes from random changes on the Internet. When copying, right-click and choose “copy file”. Move into Obsidian and paste where you want it. The file will default to the root of the vault, but I usually store images in an “Archive” folder.

![Obsidian](https://obsidian.md/images/crafting.svg)
![[Pasted image 20220904161541.png|200]]

In the code above, I’ve limited the width of the obsidian image to 200 pixels. I can’t control the size of the linked image.

Wrap-up

I hope this has been a useful run-through of some of the Obsidian formatting. I’m working on further posts to get useful plugins. Dataview is a special treat - it really blew my mind - so look for that post soon.

Obsidian Tasks (Part 2)

Wed, 31 Aug 2022 06:24:59 -0400

In Part 1, I introduced you to Obsidian. Obsidian is a markdown-based note taking application that is supported on most desktop and phone operating systems. That article describes the basic interface and usage of Obsidian. If you are not familiar with Obsidian, it’s a good place to start.

Part 2 will focus more on tasks within notes. We’ll use tasks to also introduce plugins and tags. Future articles will discuss links, embeds, tags and some of the other plugins that add functionality, such as Dataview.

Tasks

In the last article, we discussed the basics of creating a note using Obsidian. One of the first ways that Obsidian starts to differentiate itself from other text-based note systems is the way it incorporates tasks. Creating a task simply involves starting a line with space seperated dash and square brackets (the spaces are required). In the snippet below I’ve demonstrated how this might look. Obsidian recognizes the pattern as a checkbox and presents it as a graphical box as shown in the screen capture to the right.

## Task List #todo
- [ ] Write article
- [ ] Post article

Checklist Plugin

Notice that I’ve tagged this list with #todo. That is necessitated by a plugin I use - Checklist. This also presents a chance to introduce the usage of plugins and tags. The tag will be used by the plugin to generate a consolidated list of open to-dos across all documents.

To configure plugins, select the gear button (bottom left). Plugins are grouped as “Core” - the ones included with the application and supported by the developer - and “community” - those that are created by third parties and made available to other Obsidian users. Checklist is a community plugin, so step one is to go to the Community Plugins page in options and Turn Off restricted mode. This will allow you to browse and install community plugins.

Browsing plugins gives you a huge list. There are 637 plugins listed in August of 2022! There’s relatively little danger in just scrolling through the list and trying some. For this discussion, let’s stick to Checklist to understand how to install and configure a plugin. You can find a specific plugin by scrolling or by typing the name or a keyword into search. Once you find it, click the install button and then the enable button. Typing “Checklist” gives a single possibility.

Using plugins requires that they be downloaded (installed) and then enabled. If you forget to enable, just go back into options. Scroll down to the bottom where Community Plugins are listed and they can be enabled from there.

Once the Checklist plugin is installed, you’ll be able to configure it under options. Select the gear icon (lower left) to get into options and scroll down to the bottom. You’ll find a header called “community plugins” and the Checklist plugin should be under that. Notice that my screen shows several plugins, while you may only have Checklist to this point.

Tags to build our Checklist

Check four settings while here. First, multiple tags can be specified to pull in tasks. You might have #honeydo and #worktasks for instance. In this case, a generic #todo tag is specified. Some other settings to check (to get this to work the way one might intuitively expect) are Show Completed - OFF, Group By - Tags, and Auto-Refresh ON.

Once the plugin is configured, create a couple notes with tasks. Remember to tag the tasks using a tag you defined in the Checklist seutp. In the example screenshot, I took our sample list above and named the note “Sample 1”. I created a second list and named it “Sample 2”.

The vault pane shows that I’m editing “Sample 2”. You can see the new note defined in the editing pane. Because the checklist plugin is installed, the “action” pane on the right should now have a “check” tab (I’ve circled it in the example). Selecting this tab will show a consolidated list of incomplete tasks. Marking an item complete in the pane will remove it from the list and mark it complete in the original document. Similarly, you can complete tasks in the document and the update will carry over to the checklist sidebar.

Tags are used by Obsidian to group things - in this case checklist. They can also be used to group notes. To see where we have tags defined, click the hashmark tab in the right “action” pane. My example vault, built to demonstrate these concepts, has three tags in use: #todo, #evil, and #work. Choosing todo changes the left pane to show us which notes contain that tag and allow us to quickly jump to related entries.

Scratching the surface

At this point, we have introduced Obsidian as a markdown-based note taking tool. Obsidian has great tools to help manage tasks, and we’ve demonstrated the basics of using tasks. Finally, we’ve started to cover the concepts of plugins and tags.

There is a lot more to discuss! Once I started using Obsidian, my use cases grew and the way I built notes started to fundamentally change. I’m very excited by the possibilities. I’m equally excited to share the journey.

Obsidian Introduction (Part 1)

Mon, 29 Aug 2022 17:24:59 -0400

I’ve kept notes using a lot of different tools over the years. I’ve used Outlook, Simple Note, Visual Studio Code, and even just Notepad. At the start of the pandemic, I switched back to writing on paper. I like paper because the mechanical act of writing helps keep me present in a meeting, it engages my brain, and it’s not distracting to the other folks in the meeting. On the other hand, writing notes on my computer makes them easier to read (I have bad handwriting), easier to transport and easier to refer back to.

The balance has tilted toward the computer again. In the past, my notes were passive and most of the value was the way that writing helped me remember. I’ve recently started using Obsidian, which allows you to create a group of markdown documents (Simple Note or Code) and link them together (like a personal wiki). It also has the ability to query fields across notes, and add dynamic linking that really helps surface the information you neeed.

Past systems I’ve used created lockin (Outlook) or involved making someone else the custodian of my private file. Obsidian uses a local database that is simply a collection of directories and markdown text files - easy to migrate data in and out. The project has a syncing service that helps support the developers. You can also make a one-time contribution if you find value in the program.

I’m blown away at what I can do with Obsidian and I’d like to share a part of that journey with you. Obsidian is a blank slate and can adapt to any style you want to work in. I’ll be writing a series of articles to help you get concepts, demonstrate usage ideas, and share how I have my personal vault setup.

The application is available for Linux, Mac, Windows, IOS, and Android from their site.

Obsidian Interface

Obsidian is a markdown editor that organizes notes into folders, collectively called vaults. Those object map direclty to markdown files in directories. The application is divided into three panes normally (you can open more) - the vault, the note editor, and (what I’ll call) an action pane. The vault (on the left) shows the file structure, similar to the way VSCode works. The editor is in the middle, and the action pane presents additional features (many times from add-ins).

The icon bar on the left (as shown in my screen shot and close up) includes several buttons. In order, the first hides the vault pane. Next is a table editor, present because I’ve added the Advanced Table Editor plugin. Third is a button that will let you jump to a note by title, then a graph view that shows the linking relationships between notes.

The fifth icon will create a new note for today. This is really useful if you routinely keep a file open for whatever happens in your day. I extend this by specifying a template for my daily notes and specifying the directory they should all be kept in. Next is a button to apply a template to a note, then a button to open the command palette. The command palette allows you to enter a command instead of working through the GUI - I rarely use this, but it’s useful in providing instructions. Finally, the last icon is to publish this to an Obsidian hosted page. I typically disable that option.

There are another three icons at the bottom of the bar - switching vaults, help, and settings.

First note

Writing a note is easy - just click the “new note” button and start typing. Markdown is pretty sparse - you can’t specify things like fonts or headers. This can be a plus - it allows you to focus on the content. Refer to my previous Markdown Cheatsheet for a review of markdown syntax.

Using the “new note” will put your file in the root of the vault. Because I sort my notes into folders, I prefer to right-click the folder and choose new note so that it is created in the folder.

A third way to create a new note is wiki-style. Just use double-square brackets to reference another file:

[[new file]]

Clicking on the link will create the file and open it for editing.

The end of the beginning

At this point you should have installed the app and completed your first file. If this is the first time you have used Obsidian, you may be saying, “so what”? Have patience. The next post will get into some more advanced Obsidian usage ideas and later posts will cover dataview (!) and my organizing strategy.

Palemoon for legacy Flash support

Fri, 19 Aug 2022 09:07:14 -0400

Flash was a technology to extend the functionality of websites past what was possible with HTML at the time. It allowed for highly interactive experiences and was used for streaming, video games, and for “application like” experiences inside the browser. Flash was implemented on the client-side via a browser “plug-in” and was notorious for security issues. In my experience, a big part of the problem with Flash was the update process. The plug-in was updated seperately from the Operating System and browser, leading to many cases to persistence of older versions. Furthermore, the installer would commonly not clean up old versions, leaving an attack surface.

Why do we care? For the most part we don’t. Flash was deprecated in 2020 and is no longer supported by the major browsers. The functionality of Flash has been ably replaced by HTML5. However, there was a range of IT products created in the mid-teens that used a Flash console for administrative access. Cisco used Flash in equipment like ASA firewalls, SOHO switches, and UCS servers. Much of that equipment is ageing out, but some of it is still in good shape and capable of delivering value. One example is my home server, which is an old Cisco UCS M3.

Accessing a Flash Console

ProxMox recently crashed - I’ll write about that seperately - but I suspected a disk issue. The best way to access the information I needed was through the CIMC (Cisco Integrated Management Console), an out-of-band server management interface other vendors refer to as Integrated Lights Out access (ILO) or DRAC (Cell Remote Access Controller).
I hadn’t accessed the CIMC in a long time. Rebooting the server displays the assigned IP and let’s you setup the interface. I had assigned an IP and identified it as in a VLAN on a trunk port. However, pinging the IP was unsuccessful. I used the Meraki “clients” display to identify the switch port used and setup a continuous ping from my workstation. I tried a variety of configurations on the CIMC and switch, but ultimately what worked was to set the port as access (turn off 802.1q) and let the speed and duplex auto-negotiate. I originally had this set for trunk, then tried trunk and identified the VLAN as the “native” VLAN which should have removed the .1Q shim from the header. I suspect that the UCS wanted to run fast ethernet and had some compatibility issue with .1Q as spoken by the Meraki.

Step 1 - set the port to auto/auto, define the VLAN and set the mode to access

With the CIMC port responding, I could browse to it using it’s IP address. The next problem is that the site presents a security warning. Although the CIMC uses TLS 1.2 (which is still supported), it uses 128b keys (which are not). Mozilla phased out key sizes smaller than 2048b at the end of 2013. Even getting around this issue still leaves us with the Flash problem.

Palemoon is a browser forked from Firefox years ago and developed in the years since. It maintains compatibility with the older XUL-based plugins. It is distributed as a tar-ball, so I just extracted it to my apps directory and ran the palemoon executable.

Step 2 - Download Palemoon, extract and run

The flash plugin was abandoned at version 34.0.0.137 and can be obtained from Github. Again, it can be installed directly from github using the following command.

 mkdir -p ~/.mozilla/plugins && wget -q https://github.com/darktohka/clean-flash-builds/releases/download/v1.7/flash_player_patched_npapi_linux.$( (( $(getconf LONG_BIT) == 32 )) && echo "i386" || echo "x86_64").tar.gz -O - | tar -zxf - -C ~/.mozilla/plugins libflashplayer.so

After installation, Palemoon is able to access the Flash-based admin console for the UCS server. The installation did not impact my current (104) version of Firefox.

Step 3 - Install Flash from Github

This is a bad idea

Palemoon is an interesting browser and - to my knowledge - hasn’t had security concerns associated with it specifically. However, Flash was deprecated for a reason and this article walks through installing unpatched and unsupported legacy software into a browser. I would limit Palemoon to internal trusted addresses as long as the Flash plug-in is present and active. This can be addressed to some extent by limiting when Flash is allowed to run, as shown below, but I would still be very cautious.

Adding Math Formulas to a Hugo-based site

Wed, 17 Aug 2022 10:40:54 -0400

An upcoming article features some basic math, but rendering it in markdown is unaesthetic. What you get is E=mc^2 when what you want is $ E=mc^2$. My search led me to KaTeX which is a JavaScript library that let’s you put $\LaTeX$ code into an HTML document. LaTeX was created to typeset scientific papers, so it is built for displaying things like matrices and integrals. I don’t plan to publish math that intense, but LaTeX can help clearly display even a simple division equation and improve the readability of the post. The best source of information I found was Mert Bakir’s blog and my usage is based on his work.

There are three steps to incorporating KaTeX with Hugo.

Create a partial template. I added this to my theme by creating a file at themes/next/layouts/partials/katex.html, but it could also be added to the site at layouts/partials/ (note that the name next is my theme name, so your’s will differ). Pull the code from the KaTeX site by copying everything within the tags. You’ll notice there’s also a script in the code below - add that to the file as well. Here is the file that is current in August, 2022, for this site.

  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.16.0/dist/katex.min.css" integrity="sha384-Xi8rHCmBmhbuyyhbI88391ZKP2dmfnOl4rT9ZfRI7mLTdk1wblIUnrIq35nqwEvC" crossorigin="anonymous">

  <!-- The loading of KaTeX is deferred to speed up page rendering -->
  < script defer src="https://cdn.jsdelivr.net/npm/katex@0.16.0/dist/katex.min.js" integrity="sha384-X/XCfMm41VSsqRNQgDerQczD69XqmjOOOwYQvr/uuC+j4OPoNhVgjdGFwhvN02Ja" crossorigin="anonymous"></script>

  <!-- To automatically render math in text elements, include the auto-render extension: -->
  <script defer src="https://cdn.jsdelivr.net/npm/katex@0.16.0/dist/contrib/auto-render.min.js" integrity="sha384-+XBljXPPiv+OzfbB3cVmLHf4hdUFHlWNZN5spNQ7rmHTXpd7WvJum6fIACpNNfIR" crossorigin="anonymous"
    onload="renderMathInElement(document.body);"></script>

  <script>
      document.addEventListener("DOMContentLoaded", function() {
          renderMathInElement(document.body, {
              delimiters: [
                  {left: "$$", right: "$$", display: true},
                  {left: "$", right: "$", display: false}
              ]
          });
      });
  </script>

Include the partial file in all the pages where you want to use LaTeX. Again, I chose to include this in my theme as part of the /theme/next/layouts/partials/header.html file. It can be included anywhere as long as Hugo builds the code outside the tags. This Hugo function looks for the presence of a parameter named math which is set to True. This keeps from loading KaTeX on pages where it is unnecessary.

  {{ if .Params.math }}{{ partial "katex.html" . }}{{ end }}

Finally, edit the default archetype file (themes/next/archetypes/default.md). Changing the markdown engine is not required, but issues with KaTeX have been reported using the default Goldmark (I didn’t encounter any issues with either in my testing). I have the math parameter present but set to false, which will not load KaTeX javascript (similar to what would happen if I omitted the parameter). I am including the parameter as a reminder to my future self.

  
  math: false

Use KaTeX in markdown by using two dollar signs ($$) as before and after delimiters for a standalone centered equation or single dollar signs for in-line equations. You can find a good LaTeX resource at the Overleaf site.

The last problem I had was finding some good examples! So, here are a few equations to give you a feel for what is possible.

$\LaTeX$

Bracket the equation with two dollar signs to center ($$) - x = {-b \pm \sqrt{b^2-4ac} \over 2a}

$$x = {-b \pm \sqrt{b^2-4ac} \over 2a}$$

Use one dollar sign on each side to include in line. For instance, acceleration a={\deltav}{t} renders $a= {\Delta v \over t}$

Finally, just to show the range of LaTeX, is Schrodinger’s Equation - i \hbar \frac{\partial}{\partial t}\Psi(\mathbf{r},t) = \hat H \Psi(\mathbf{r},t). $$i \hbar \frac{\partial}{\partial t}\Psi(\mathbf{r},t) = \hat H \Psi(\mathbf{r},t)$$

Length of a bit

Mon, 15 Aug 2022 12:59:02 -0400

In the category of unexpected questions:

Over a glass of good whisky, a semi-technical friend of mine said, “Ok - I’ve been wondering about this, it’s appropos of nothing, but have no idea how to figure it out: How long (in length) is a bit?”

After thinking about it, I said it depends on a few factors, the most important of which is the frequency of the signal and the media that carries the signal.

“What does the media have to do with it, I thought electromagnetic signals traveled at the speed of light.”

I affirmed that they do - in a perfect vacuum. Wanna just go with that? “Sure, let’s start there.”

Since he was asking about the length of a single bit, we need a unit of distance; meters (m) works well here I think. We’ll start with a frequency of 1MHz.

The basic formula is $ length = \frac{speed}{frequency} $ so …

$$ length = \frac{300,000,000 m/s}{1,000,000 b/s} = 300 m/b$$

“That’s a lot longer than I thought it would be” he said.

You want it shorter? Increase the frequency of the signal. How about 1GHz? It’s just under a foot. $$ length = \frac{300,000,000 m/s}{1,000,000,000 b/s} = 0.3 m/b$$

He said he got that, but what about the carrying medium?

“OK, light (and electromagnetic fields) travels about 300,000,000 m/sec in a vacuum. What about in a wire or fiber optic cable? I’d bet light travels slower there.”

Yup, you’re right. There is a velocity factor that is applicable to any conductor that carries a signal. That factor is sometimes expressed as a percentage of the speed of light in a vacuum. For example, in air the Velocity Factor (VF) is about 99%. In the typical coaxial cable used in cable TV it’s about 77%. For good ol’ twisted pair (Cat 6) the VF is 65%. The VF depends on the materials and the construction of the transmission line. Calculated by electrical engineers, the VF depends on the line’s tendency to impede the progress of the signal at various frequencies. That’s why each type of transmission line has a characteristic impedance which is related to the VF.

So, in space, a 1GHz “bit” is about a foot long. In a Cat 6 twisted pair cable it would be

$$ length = \frac{300,000,000 m/s \times 0.65}{1,000,000,000/s} = 0.195 m/b$$

So as the signal goes through a higher impedance cable, the bits get shorter.

There are, of course, other factors to consider when engineering signal transmission systems in the real world. Very high- and low signaling rates need their own special considerations. One of the big advances in recent years is the ability to build smaller and more efficient integrated circuit (IC) chips that allow for faster and faster signal processing at lower power consumption. This is why we have supercomputers that can use so-called 5G frequencies and protocols - and also fit in your pocket. Sometimes we can even use them to make phone calls.

Getting to know Nix

Sat, 06 Aug 2022 17:17:55 -0400

I’m a distro hopper. I’ve described some of the tools that support my dubious lifestyle in previous articles such as Distro Hopping in Style and Linux Install Script. That said, Pop! OS has been a very comfortable home for a year and a half. Pop! OS has pushed the envelope on fresh updates, it has been very stable, and my workflow on a 4K display meshes very well with their version of intelligent auto-tiling.

Ah, but there are always new ideas in the world and I’ve become very interested in immutable operating systems. Immutability just means that something doesn’t change over time and in the case of an OS, it means that that the OS and installed applications are isolated from each other and don’t share libraries. Immutable systems are atomic - changes can be rolled back without collatoral damage. These systems should be more reliable, since they eliminate some of the major issues in maintaining a linux system.

I’ve played a little with Fedora Silverblue which uses OSTree, Flatpak, and Podman to create this seperation. In my limited time with Silverblue, it felt interesting but not ready (and I think Fedora would say the same thing at this point).

Nix / Nix-OS

I really took the plunge with NixOS. NixOS is built around the Nix package management system, which installs applications into a directory structure called the Nix store. Nix is declarative, meaning that your configuration file can specify (most of) your system. A by product of the declarative and atomic nature of Nix, is that I can share my configuration with you and you can apply it against a machine you own and build an identical environment. This is a critical point to the value of Nix - the development environment can be guaranteed to be identical to the production environment.

Nix is a declarative language for system state. Nix is also a package manager that can be used on existing Linux or Mac machines. NixOS is an operating system built and maintained by the Nix package manager using the Nix language. NixOS (https://nixos.org/) can be downloaded and installed as either a Gnome or KDE version (but it’s easy to switch between desktop environments).

When installation is finished you can edit the default configuration (/etc/nixos/configuration.nix) to customize your environment. NixOS comes pretty bare, so you’ll really need to add to it quickly. Nix packages are installed into the Nix store (/nix/store) and then made available to users via symlinks. This means that two users can install different versions of the same package and each will be put into the Nix store seperately and made available to the appropriate user. Configuration.nix is an ini-type text file, and applications are specified under environment.systemPackages. The example below adds Firefox and flameshot. A quick note - the camel case below is deliberate and Nix will throw errors if you leave it out.

environment.systemPackages = with pkgs; [
  firefox
  flameshot
];

Once the config is changed, run nixos-rebuild switch to apply the configuration and switch to the new environment. Nix will compare the current state to the desired state, realize that the difference is the Firefox package and install it. Each change is called a generation, and you can also apply a previous generation to roll-back to a previous state.

Applications can also be installed using nix-env. This functions more like apt and immediately installs. Actions managed via nix-env aren’t tracked as a generation and won’t be reproduced if you apply your configuration.nix file to another computer. Both methods pull from a git environment. Below is the command to install Firefox.

nix-env -i firefox

Nix repositories are just git compilations of instructions about how to build an app. Sometimes there is a binary package available as well. When you install an app, it checks the local store, then the binaries, then uses the build instructions if it has to. Nix can also install flatpaks.

Add a line to configuration.nix:

services.flatpak.enable = true;

then rebuild and add a flatpack repo:

sudo nixos-rebuild switch
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

I used this to install Obsidian.

flatpak install flathub md.obsidian.Obsidian

My Experience

KDE on NixOS is pretty much like every other KDE installation. Most applications you want are easy to install, but commercial applications and less common ones may be problems. I had issues with VMWare Workstation and the drivers for my Brother printer. I switched to virtmanager for VMs, but I haven’t found a way to load the printer drivers. I have a collection of fonts from over the years and I’d like those installed via configuration.nix, but I had to install manually. It looks like I could do this if I had a local repo. I’d like to define shares (I use NFS or SSHFS internally) and - while I’ve seen examples that purport to do this - I haven’t been able to get that to work.

In short, you can’t assume that things will “just work” in the way they do in Fedora or Ubuntu. It’s worth noting that it took us years to reach that level of maturity and NixOS is developing quickly. NixOS is about 95% there as a daily driver, but that last five percent can be a killer. I have a spare laptop that I typically use when I’m sitting in the living room, trying to read email but still be around the family. It travels with me as well. It’s typically used for browsing, email, and those daily activities. NixOS is great on that machine, but it can’t print. I tried to install Obsidian on it and that became an adventure. It also seems like the Nix repos aren’t kept up to date (or possibly I’m updating wrong) because I’m seven versions behind on Firefox and about that on Thunderbird.

My Configuration.nix file is in a repo on Github for reference. I never felt like Nix was close enough to move my primary machine (it still runs Pop! OS). I think I’m going to reimage my laptop back to Pop! or Kubuntu, just because I don’t have the time for the various adventures Nix sends me on. Still, Nix has a definite vision and I believe it bears watching. It will be easy enough to re-install later when I have time simply by reapplying my config from Git.

I think Nix is currently a great option for cases where you need a defined and reproducable build, use standard parts (like nginx, bind, or mysql), and can tolerate not being on the “bleeding edge”. Sounds like the perfect server, right? I’ll definitely think of Nix for my next server build.

VMWare PSA update

Wed, 27 Jul 2022 13:00:36 -0400

I wrote back on January 5th about an issue with VMWare Workstation on the latest Linux kernels. I’m using Pop! OS and it is fairly aggressive about keeping the system on fairly recent kernels. VMWare doesn’t support the newest kernels and Workstaion thus can’t recompile vmmon and vmnet after a kernel upgrade. This is probably a problem shared by anyone who keeps their kernel updated, but it’s worth saying that - if your goal is stability - you don’t have to upgrade the kernel when offered.

I previously recommended a project from Michal Kubeček that maintained the necessary patches. That project is still great, but you have to periodically download a new copy to stay current. Today when I hit this issue again, I used a different project - the VMWare host modules Builder CLI. This project builds on and automates the Kubeček project.

Builder CLI supports Debian (and thus Pop!), Arch, and is working on Fedora support. When run, the script confirms that you are logged in as root and that there is internet connectivity. It checks for unmet dependencies and cleans up. As part of the script it installs ncat and wget, as well as open-vm-tools. It detects your kernel and VMWare Workstation versions, downloads the updates, and guides you through installation. It was quick and easy on my system.

To run the VMWare Host Modules Builders script, download and unzip the script, then make the script executable. For Debian, the script is called debian-vmware-host-modules-builder-cli.sh. Thus run the script as root (or sudo).

Method 1 worked fine for me, although I had to reboot to get everthing working. That’s consistent with the behavior from the older method as well. It’s a little disruptive, since downloading a new kernel can cause VMWare Workstation to have errors until you reboot. Once you reboot into the new kernel, you have to check vmware, and then run the script if needed and then reboot again with the patches loaded. Simple enough to just only do updates after business hours and make sure everything is working before you walk away.

5G Troubleshooting

Sat, 23 Jul 2022 12:14:47 -0400

My office sits beside an Interstate and generally the Interstate corridor is one of the best places to find cellular coverage. Sure enough, we have towers reasonably close to the east and west of the building along the Interstate. The construction of the buildings, like many office buildings, has a strong steel and concrete “core” with open office space around the perimeter. My analysis is that those cores, along with the way the buildings set next to each other, creates 5G/LTE shadows within the buildings.

My buildings are setup along “modern” cubicle-farm ideas. To get a feel for where the dead zones are, I got readings on signal strength using my phone at all the cube row intersections. Wireless signal strength is denoted in decibel-milliwats (dBm). A decibel is a comparison of two numbers, with a 10dB difference translating as a 10 fold increase. A 100x difference would be 20dB. dBm compare a signal to a milliwat.

For LTE, signals weaker than -85dB are poor service. 5G uses newer radios and can do pretty well down to -105dB. T-Mobile, through the acquisition of Sprint, uses low and high bands (800 MHz, 1.9 GHz, and 2.5 GHz) and the lower frequencies penetrate obstructions better (remember how Nextel used to work everywhere?). Verizon and AT&T use higher frequencies and don’t penetrate building interiors as well. Work uses Verizon, so helps explain the reception issues.

Determing 5G signal strength

Using Android, you can find signal strength under Settings > About Phone > Status > SIM card status. In my testing this display updated dynamically, so I could just leave it up and walk around. In the example pictured, my signal strength is -91dB on my LTE phone.

On an IOS device, dial 3001#12345#. This brings up some technician information. Go to the second tab and choose RAT > Serving Cell Info. The signal strength is labeled RSRP. In my experience, this display updates over minutes. If readings are needed faster, just redial the number to refresh the display.

I understand there are apps that measure signal strength, but this was a pretty basic setup and I was fine was a more ad hoc approach. It seems like every app is a new way to track or show ads anyway, and this prevented yet another app on my phone.

Pico Cells

My office purchased “pico cells” - devices that produce a 5G signal over a small indoor area and transmit the traffic over your network to the provider. I positioned these on the opposite sides of the building that face cell towers and stuck the 5G “hockey puck” in the window. The pico cells made an impressive difference. Close by, my signal went from -110dBm to -65dBm and the zone that received better than -100 dBm extended out about 60 meters. I repeated the measurement to ensure I had good coverage and here I noticed that the phones tended to be “sticky” to a particular cell. Notice in the screen shot that the cellular tower ID is identified. Intuitively, one might expect the phone to “flip” to the next tower as soon as the signal was better but what I saw was that the phone tended to keep a tower until it’s signal got very weak.

Of course, the cellID will be useful if we have user coverage complaints. Each of the picocells reported a different ID and I noted those in our recordds so we can trace issues.

Nautilus Tweaks

Sun, 17 Jul 2022 17:04:02 -0400

Nautilus, the Gnome file manager, has a number of available plug-ins available that make it much easier to use. It also supports a scripting function that you can use to develop your own extensions. The extentions can be easily added using apt, but many of them will not be active until a reboot. You can short-circuit that process by using nautilus -q to quit all open instances of nautilus and then opening a new window. I’m using all of the following extensions with Pop! OS 22.04, so I can verify they work in COSMIC.

Easily Downsize an Image

The first plug-in, and the one I use the most, is the image converter. I maintain a simple internal web page with the sites I use the most and I like to grab an image to use as a site icon. There are a lot of ways to get a good icon - some sites allow you to right click and save as. Some icons are available on Google Images. I also sometimes just use Flameshot to grab a screen portion. The problem with all these methods is that they don’t create a standard image size. I can dynamically resize, but that slows down my page display. I can also use GIMP to resize, but that’s an involved process.

This is a problem that pops up fairly often. There’s never the exact right icon in Lucidchart, so I want to pull one in. I create a new GNS3 device and want to put a cool image on it. In all these cases, I want a standard size. The solution is the Nautilus Image Converter. This can be installed from the command line as shown.

sudo apt install nautilus-image-converter

Right click an image and you’ll be offered two new menu options - rotate and resize. This let’s you easily scale the image or set it to a desired size (96x96 works well for a lot of icons, I use 72x72 for GNS3 icons per their style guide). You can change the current file or save it as a new file.

Preview a File

Gnome Sushi is a way to quickly preview a file. Sushi works with most text, music, image, and video formats. Install this using apt:

sudo apt install gnome-sushi

Once installed, choose a file and hit [space] to open a preview. Arrow keys can be used to move through the Nautilus directory with the preview window updating to show each file. [Esc] can be used to close the preview.

Admin!

Windows has a cool right-click option to “open as Administrator”. This plug-in is similar - the context window will show “Edit as Administrator”. Choosing it will open a prompt to escalate priviledges (side note, this works really well with Howdy. This extension is trying to open whatever file as a text file, so it doesn’t work with images (for instance). Install this as shown below.

sudo apt install nautilus-admin

Folder Colors

Folder colors is an arguably less useful add-in. This allows particular folders be be changed from the default color. My experience is that this is most useful when applied sparingly. I use this to highlight important folders that I want to be able to easily zoon in on in a list. Install this plug in as shown below.

sudo apt install folder-color

Once installed and Nautilus is restarted, there should be a “Folder’s Color” option in the context menu.

Hash

Hashing is a mathematical technique for testifying that a file has not changed since it’s originator created it. A hash takes a set of numbers and converts them to a specific length code, or “hash”. It’s important that the length is consistent - we don’t want that to provide a clue to the length of the file! The simplest hash would be just to add up all the binary ones in a file and return “0” if there are an even number and “1” to indicate odd. Obviously, that’s not a real hash, but it starts to convey the idea. Modification to the file might change the hash and alert users. A clever miscreant might recognize the problem and change the file in a way that keeps the same hash and file size, so we need more complicated math to make this more difficult.

If you download a file from the Internet, the originator may publish a hash that you can use to verify your download. Typically you’d do this from the command line using an implementation of the hashing algorithym (examples follow).

md5sum myfile
sha1sum myfile
sha256sum myfile

You can install a Nautilus add-in, as shown below, to do this as well.

sudo apt install nautilus-gtkhash

Go to “properties” in the context menu and you’ll see a window similar to the example. Go to the Digest tab (1) and select the hashes you’d like to computer (2). Press the Hash button(3) and it will compute your hashes. Is this easier than the command line? Probably not, but if you’re in a graphical workflow sometimes this is easier.

New Document

The last tip is around creating new blank documents. Windows allows you to create a new text file, for instance, so this feature allows you to do the same in Gnome. There’s nothing to add-in. Gnome has a templates folder in your home directory (~/Templates). Any file you place here will be available under New Document. To play with this, just create a document in that directory.

touch ~/Templates/"New Document"

Next, in any directory, right click and you should see a “New Document” option with an indicator that you can create a variety of documents based on templates. You could, for instance, create a markdown file with Hugo header information already defaulted and name it “New Markdown”. You could take a spreadsheet formatted for accounting and call it “New Expense Report”. That said, this is the feature I use the least.

Filezilla

Sun, 26 Jun 2022 18:00:16 -0400

Filezilla produces a set of graphical file transfer tools and this has been a high-quality product for a very long time. I’ve used Filezilla since the early 2000s, as have a lot of other folks, and it’s something of a standard in industry where FTP/FTPS is used. Part of the charm is that the Filezilla client is very accessible for non-technical folks - a little introduction and they can manage their own downloads.

The traditional Filezilla open-source client supports FTP and SFTP. Filezilla makes an open-source FTP/FTPS server that makes it easy to host an FTP site. Filezilla server used to be a great way to support FTP on a Windows server (and I used it that way 15 years ago), but researching this article I see that it is now offered for other OS as well. They have also released a Filezilla Pro client that includes support for things like WebDAV, S3, and various cloud file stores.

Using Filezilla

I still occassionally have to explain Filezilla to new folks, so I thought I’d document a quick run through.

When you first start Filezilla, local files are on the left and remote files are on the right. Because you haven’t connected anywhere, the right pane will be blank to start. Note the path for each side is shown above the files (marked (1)).

You can “quick connect” by typing in the particulars in the top row (marked (2) in the picture). To attach to a remote FTP server, for instance, you might fill in host with an IP address (like 1.2.3.4) or a Fully Qualified Domain Name (an FQDN looks like “ftp.makingthisup.com”). Username and password are for the remote system and will be supplied by the administrator of that system. Most FTP systems use port 21 and most FTPS systems use port 22, so it’s safe to assume these port numbers unless you’ve been given an alternative. When everything is ready, click the button!

Another way to connect is to use bookmarks. This is particularly useful if you attach to the same remote systems repeatedly. To create a bookmark, click the top left icon that looks like a file folder (marked (3) in the picture). Once that screen opens, click New Site and fill in the same particulars that were used for the quick connect. Bookmarks offer a range of logon types including:

Anonymous - don’t trust any site using this 🙂
Normal - just fill in the user/pass below.
Ask - it will pop a box for login when you connect.
Interactive - not really sure, don’t recall using that
Key file - used if you have a cryptographic key supplied by an SFTP server owner. If you are using FTP you don’t need this.

Once you’re done, click OK to save it or “Connect” to save and to start a session immediately.

Remote files will appear in the area marked (4). Filezilla functions like a normal file manager with two side-by-side windows open. Click “..” to go up a level, click a directory to open it. Once you’ve found the files you need, either double-click the remote files to start a transfer or drag them to a local directory.

Filezilla has a lot of features that address more advanced cases, but this introduction covers the basics that are used 99% of the time.

Interviewing

Mon, 30 May 2022 14:41:15 -0400

After the Tower of Hanoi discussion, I was trying to think about other tricks I’ve picked up over my career that aren’t really taught anywhere. We’ve been filling an open position at work and I had the opportunity to coach the process, and I thought that would be a good topic to share. I’m going to try to have this discussion from both perspectives, the person looking and the person hiring, and point out how each can contribute to a better outcome.

Looking for a Job

There are two sides to the hiring process - the person looking for the job and the person who is trying to fill a job. We’re going to approach this discussion from both sides to understand (my opinion) of how each of those people can help the other. There are a lot of other people in the middle - recruiters and HR for instance - but their job is to define the broad band of acceptability. As a job seeker, the whole point of your resume is to get through this filtering. As a hiring manager, your job is to make sure that the automated processes used here don’t filter out good candidates.

Both sides are under a lot of stress. The hiring manager is worried about only getting to talk to someone for an hour and then making a decision about hiring. Done poorly, it’s like speed dating into marriage! Keeping in mind that we spend more time with our co-workers than our spouses and it’s easy to see that making a bad decision will make everyone’s life some shade of miserable. The job seeker is worried about landing a job, particularly if they are unemployed. The seeker doesn’t always realize that the only thing worse than getting a job is getting the wrong job.

Story time: One of the best hires I ever made, a man of deep experience who has a real love for helping people, drove the office nuts. He was a talker, and our office was a bunch of introverts who liked to keep the lights off and stay in their cubicles with their heads down. Everyone involved in this story are good people, but throwing an extrovert into a pool of introverts made everyone uncomfortable. This is the classic example of the importance of finding a good fit.

A story from the other side: I once interviewed for an IT Director position at a hospital. It went well, but the CIO told me he wanted to fire everyone in that department and have me re-hire from scratch. That was a heck of an opportunity and would have been a somewhat prestigious position, but what they wanted just wasn’t me. When I think about the person I want and try to be, I see myself as a teacher and mentor. Cutting an entire department as soon as I walked in the door would have been tough and it would have left me with a target on my back that I’m unprepared to handle. We had some discussions about alternatives approaches but I couldn’t get the CIO to at least give me time to do an evaluation. In the end I withdrew, and I am thankful that I had that insight into the organization and was able to back out.

The Goal of an Interview

In my opinion, the goal of an interview isn’t to get hired. It’s to find a job where you and the organization can be successful together. Yes, part of that is talking about your experience and the programming languages you’ve used, but that should be the smallest part. Your resume and all those intermediaries should have filtered out the people who didn’t have the right set of buzzwords. By the time an interview is happening those hurdles should be mostly past.

When I interview, whichever side of the table I’m on, I want to understand the people I would be working with. Would I be comfortable working with them for a long time? I also want to understand the culture. Culture can be overused and become an empty word, but I’m trying to describe the constellation of things that describe the work environment. Here’s a quick set of examples:

Am I comfortable with the jokes and discussion? I wouldn’t want to work in a group that was constantly vulgar, for instance.
How are they organized? Do they have a take on ITIL, is it a free-for-all? How do they handle priortization and disagreements?
Most importantly: Do they need me? How could I see myself contributing to the relationship?

Bad Interviews

We’ve all had them. I once sat through an hour long interview where the guy barely asked a question. He got wound up explaining the job, talked for an hour, then shook my hand and offered me the job. I thought, “Wow, what makes you think I’d be a good fit?” I’m positive that readers have their own tales.

There are a lot of stock questions that can be used. Job seekers can (and should) have a canned response to these. What is your biggest failure? Give me an example of a good team you were on? Really, the whole process of sitting down at a desk and going over a resume is pretty predictable. The biggest thing either side learns is how prepared the other was.

Bad interviewers, in my experience, basically hire at random. Most of the work is done by the HR screening. Even if you are a good hire, there’s a good possibility that other people in the group aren’t. If you are unsure of what kind of interviewer you are, just think back to who did most of the talking and how much actual memorable information was shared. I have no advice for the interviewer here - until they recognize the issue the advice is wasted. For the job seeker, when you experience this kind of interview then assume the job is a bad fit until proven otherwise.

My approach to a job interview

I’ve worked in the industry for 30 years and been interviewed a number of times. I’ve hired people on five continents and from a variety of backgrounds. I’ve learned from a variety of places and people. I hesitate to say that my way is the best, but I think it’s teachable and reliably pretty good at finding people who are good fits.

The first thing I suggest is breaking the format. Don’t sit down at a desk or in a conference room. Conduct the interview while doing a plant tour or while walking around the office and introducing the person. Go for a walk outside. I once drove someone around to show them the area and talk about housing while we did the interview. Do something to get out of the programmed responses. If you are the job seeker, ask to be shown around to try to get out of that stilted situation.

The second thing I suggest is to start with some soft questions that just re-iterate the basics. Sometimes there’s a story that the needs to be shared, and this presents a great opportunity for getting that off the chest. This is reciprocally true - both sides have opening statements they want to get out.

The place I try to work to and to spend most of the interview is “joint troubleshooting”. I take an example of a recent issue, simplify it, and present it for discussion. I’ve found this works really well when I don’t know the answer - we’re trying to collaboratively turn the problem in different orientations and think it through together. This gives me an idea of what the person is like to work with and how they think on their feet. When it doesn’t go well, I still get some ideas. As a job seeker, the agenda of the interview is outside your control but you can sometimes prompt this kind of discussion with a question such as “Tell me about your most worrying issue. I’d like to hear about the kind of problems you face and how you are working through them.”

An alerternative to Interviewing

Recommendations.

This is my final thought on this subject. As a manager, I hope that I’ve done a good job of hiring good people who are invested in our success. I try to reiterate to those folks that hiring good people is the #1 thing we can do to improve the work environment. If I’ve hired good people and they understand how important it is to bring in new employees who “fit” and who add value, then it’s the height of chutzpah to believe that I’m going to learn something in an interview that trumps a recommendation. Many times, people recommend folks that they worked with for years. These are folks that they’ve had good and bad times with and they still recommend them. I’d rather have a referral from a trusted co-worker than a perfect interview.

Regardless of which side of the table you’re seated at, I wish you the best and hope these ideas are helpful!

Tower of Hanoi Backup Strategy

Fri, 06 May 2022 21:23:38 -0400

When I was getting started in IT in the late 80s, my mentor taught me the most effecient way to handle backup tapes. He called it the “Tower of Hanoi” strategy. This has come up in various contexts through the years, and I’ve had to explain it. I thought it might be interesting, particularly to younger professionals, to understand the problem and how it was solved using this algorithm. Who knows? Maybe there will be a new application you run across!

Understanding the Game

The game involves three pegs. One peg has three rings of increasing size. The objective is to move the stack from peg one to peg two. The rules are that you can only move one ring at a time and smaller rings always have to sit on larger rings.

The solution is to move the red ring to peg 2, green to 3, and red to 2 (this puts the top two rings on peg 3). Move the blue ring to 2, red to 1, green to two, and red to 2. Bingo!

Analyzing the pattern though, you find that every other move is the smallest ring. Every other other move is the mid-sized green ring. Every other other other move is the largest ring.

Understanding the Problem

In those days we backed up to tape. In 2022, we still use tape sometimes. I setup a ToH strategy using USB sticks at church. These days it could be your cloud backup retention strategy. Whatever the media, we want to use the fewest number (of tapes or sticks or whatever) to minimize costs, while being able to have the most up-to-date backup covering the longest period of time.

Say a file became corrupted after a week. Ideally, you’d want to go back through your backups and find the last one before the corruption and restore the file to make sure you had the most recent version of the file.

A popular strategy in the 80s was to have one tape for each day of the week and one tape for each week of the month. Thus at any time you used nine tapes and had backups that were something like 1 day, 2 days, 3, 4, 5, and 7 days, plus tapes that were two weeks, three weeks,and four weeks old.

Understanding the Solution

JD taught me the Tower of Hanoi strategy as a better solution. In this strategy, every other day you use tape 1. Of the remaining days, every other day you use tape 2. YOu continue this recursive pattern until you’ve used all your tapes. With six tapes, you end up with ages 1 day, 2 days, 4 days, 8 days, 16 days, and 32 days. This strategy consumes fewer media and covers an arbitrarily long period in a rational way.

In the illustration, the most current tape is on the left and the oldest on the right. Notice the recursive pattern of tape rotation. Tapes are reused on a regular pattern, so I’ve marked the most recent tape to illustrate the rage of dates covered by this method.

Using the Algorithm in the real world

This is an efficient and rational way to commit the few resources to retain a long range of backups. I like it a lot and it’s a common approach I take. However, I’ve found that trying to explain this to non-technical folks is casting pearls before swine. My advice: tell them to buy more tapes.

All that said, throughout my career it’s been true that concepts recycle on a predictable basis and what’s old is new again. Understanding some of these ideas has a way of paying off eventually.

It’s also true that I owe my long career to a mentor who took an interest in a younger me. I’m blessed that I get to see him occassionally to this day. I’ll never be able to repay him, but I try to pay it forward a little bit at a time.

Howdy - Linux face recognition authentication

Sun, 01 May 2022 16:16:31 -0400

My friend Jared recommended that I checkout Howdy, which is a PAM add-in to support authentication by facial recognition.

The first thing I did was install cheese so that I could make sure that my face was in the camera’s field of view. Next was installing Howdy.

sudo add-apt-repository ppa:boltgolt/howdy
sudo apt update
sudo apt install howdy

Howdy offfers three levels of certainty that a face is a match - Fast, Balanced, or Secure. I chose Fast each time. I’ve installed PAM modules (yes, I know that’s redundant) before and I remember it being a bit of a trick. In this case, the howdy installation takes care of all the details and you are (almost) ready to roll. I’ve installed Howdy on a few different machines and in both cases it said “Camera ID set” at the end of the install but neither worked. We’ll list the video devices as shown below.

root@pop-os:~# ls -ltr /dev/video*
crw-rw----+ 1 root video 81, 1 Apr 29 20:11 /dev/video1
crw-rw----+ 1 root video 81, 0 Apr 29 20:11 /dev/video0

On the machines I’ve tested with, this reports multiple camera paths for each physical camera. I read at one point that these correspond to different camera modes, but that doesn’t match my testing here. On the machines I tested, I could use either camera path and it worked fine.

With that in mind, pick a camera path and type sudo howdy config (this edits the config file without having to use nano to find the path). Scroll down (for me it was about in the middle of the file) and replace the existing device_path variable as shown.

# The path of the device to capture frames from
# Should be set automatically by an installer if your distro has one
device_path = /dev/video0

Almost there. At this point, your camera should work but you need to train the system on your face. To do that, use sudo howdy add. Look into the camera - you’ll see it come on and take a picure.

root@pop-os:~# sudo howdy add
No face model folder found, creating one
Adding face model for the user brent
Enter a label for this new model [Initial model] (max 24 characters): Brent

To confirm its working, open a new termainal and escalate to root (sudo -i). If it works, the camera will come on and then you will be authenticated. Howdy works for authentication into the GUI and for sudo or wherever you need to authenticate. I tested authentication for initial login and for sudo.

I installed this on a laptop one night and enrolled with the light on beside me. Later, the light was off and it wouldn’t authenticate until I turned the light back on. The Howdy algorithm is somewhat sensative to lighting conditions, but I didn’t make a study of exactly how far I could push this. It’s worth mentioning that Howdy supplements existing authentication, so if your face isn’t detected after a few seconds it rolls back to the traditional password prompt.

Just for fun, I tried to fool Howdy. It was able to correctly deny access to my wife and my youngest son. William and I look similar, so I thought that might work. William then tried to make himself look like me - smiling and even putting on glasses. Howdy worked perfectly for these casual bypass attempts. I also tried using my driver’s license, but Howdy denied this as well (it says it’s using IR, so I didn’t expect that to work).

This was a lot of fun to setup and test. I was initially wary about locking myself out, but never really felt like that was a danger. For casual home use, this seems like a pretty cool idea. I’m going to be a little more conservative on my work laptop. It’s exposed to more potentially serious and malicious people at the office and at Starbucks.

Finding Windows Keys on Hardware

Mon, 04 Apr 2022 13:55:41 -0400

My son’s computer blew up and we didn’t have a copy of the Windows key. This is something I have run into before - I typically blow Windows off new PCs and install Linux, but then occassionally want to create a Windows VM using that key. It used to be on a sticker on the laptop, but it’s not anymore. It turns out a copy of the key is stored in BIOS or UEFI and accessible via ACPI. ACPI (Advanced Configuration and Power Interface) is an abstract interface that provides a standrard way to access hardware functions.

Discovering Windows Keys in BIOS using Linux

ACPI tables are stored in /sys/firmware/acpi/tables. As an administrator, you can read those text files to see the various settings and values. The table with the Windows key is MSDM.

sudo strings /sys/firmware/acpi/tables/MSDM

Discovering Windows Keys in BIOS using Windows

I’ve seen some tools to grab the key from ACPI under Windows. I haven’t used any of these tools, but this is simple to get from a Windows command line.

wmic path softwarelicensingservice get OA3xOriginalProductKey

Powerpoint Live (or You don't know how to share Powerpoint with Teams)

Tue, 29 Mar 2022 21:11:24 -0400

My company uses Teams. I have had a poor impression of Microsoft historically, but I am really impressed with Teams. It’s a solid application with a lot of capabilities. Plus, Teams - and all the O365 web apps - really work well on Linux.

In meetings, everytime someone presents slides they do it by sharing their desktop. It’s funny, Teams is so intuitive that no one does a lot of training around it. I discovered Powerpoint Live almost by accident, because I was presenting from Linux.

As an aside, never share your desktop. I taught online years ago and developed the habit of sharing only a specific application after seeing a colleague get a pop-up notification for spam with an X-rated subject line. Not only do you run the risk of “the Internet” happening, but folks pick up all kinds of clues from your desktop like the names of files on the desktop and the browser tabs you have open. Just don’t do it.

Teams allows you to share just one application, but even better it has a powerpoint presentation mode! The mode is able to be used when presenting from Windows, Linux, and iPhone. I presume it works on Android, but didn’t test it.

To the left is a screenshot from Windows. When you present, instead of sharing a window or screen choose a powerpoint file under “PowerPoint Live”. On Windows it can be a local file, on the iPhone it needs to be a file from OneDrive. That’s it. It’s automatically full screen for the viewer. This mode also provides the viewer controls to move forwards and backwards in the presentation and to move to the current presenter slide.

I was impressed with how well this works when presenting from the iPhone. I could imagine leading a meeting from a Starbucks just using my phone (I’d need airpods to free my hands to work the controls, obviously). Powerpoint Live works very well from Linux as well. On both Linux and IOS, the presentation needs to be on OneDrive.

The best experience was presenting from Windows. As shown below (notice my drawn-in arrow), you get some really cool presentation tools. The arrow is like a mouse cursor. The red is a freehand marker. Yellow is a highlighter. The rightmost erases a particular doodle. The coolest tool is the laser pointer, which is in-between the pointer and the red marker. It shows a dot on the screen but allows you to circle or underline for emphasis but the line you draw fades in a few seconds.

I used my work account and (free) personal microsoft account to login to two computers and try this. I recommend that you setup a similar lab experience to understand the nuances before you do the big budget presentation, but it’s intuitive and just so much better than sharing the application.

Disabling RCS on Android

Mon, 28 Mar 2022 17:22:45 -0400

Google’s move to RCS/Chat

You really shouldn’t care about Google’s supported messaging app. They certainly don’t. They change ideas about messaging more often then their underwear. Still, they’ve made a move from SMS to RCS recently and they’re taking you along with them.

SMS is about thirty years old. It allows 160 character messages and has features built in to support carrier billing. Despite it’s limitations, it’s become the default way to communicate for a certain portion of the population and a part of nearly everyone’s life.

Apple has led the way in showing the limitations of SMS with their chat app. SMS is run by the carriers, who have seen it as a cash-cow and not an area for innovation. Apple didn’t try to shoe-horn their offering onto SMS, they built a whole new IP-based application. Apple added in features like end-to-end encryption for privacy, read receipts, activity indicators, and high-res photos.

Google has recently been shamed for the poor state of messaging on Android and as a result has tried to create an alternative to iMessage around RCS. Google’s take on RCS is called Chat, and there’s a protocol built out to support the new service. Chat takes up many of the improvements that iMessage (and others) have brought to messaging - things like read receipts, activity indicators, and integration with video. It doesn’t include support for end-to-end encryption. I’ve heard this is in development, but I’m suspecious that the carriers are loath to give up access to the data.

Should you care?

No. As mentioned, if this effort fails it will become the new cherry on the pile of failed messaging apps from Google. If it succeeds, it will work like Slack/iMessage/etc and you won’t really think about it.

I have a bit of a unique case. My personal phone is an S9 and I have a seperate work phone. My personal carrier, T-Mobile, has a DGITS app that carries your T-Mobile phone number to another device via IP. So I have the DIGITS app on my work phone and only have to carry one phone. DIGITS supports voice and text - SMS texts. I leave my personal phone turned on at my desk at home.

Disabling Chat

I’ve been missing texts in DIGITS that come to the old phone. It didn’t make sense until I spoke to a close friend (Hi Mike!) and he mentioned RCS and speculated that since I was missing his texts maybe my app didn’t support it. He tested by turning off RCS when communicating with me.

So this leads to my current theory: when users message my personal number, my home phone negotiates chat and receives the message, leaving my DIGITS app out of the loop. I’ve resolved this by going into my personal phone and turning off “chat” and forcing it to use SMS.

To do this, open the (Google) messages app and choose the three vertical dots to find the settings. Under settings, choose chat features. That brings you to the options shown on the left. The first option - Enable chat features - is the one that disables the chat protocol.

This is a solution for folks that have two places to receive texts, which is a small group. It’s not a bad tradeoff. I don’t really care about longer bodies of texts or the little blinking activity indication. If Chat supported end-to-end encryption I might reconsider and hopefully DIGITS will support chat before I have to make that choice.

Webapps

Wed, 23 Feb 2022 17:37:37 -0500

Using Web Applications

I’ve found that the quality and capability of applications delivered over the web has been on-par with what is expected in a native application. In my experience, Lucidchart was an early example of what was possible and today I actually prefer it to Visio. I’ve also been very impressed by O365. On Linux, I can use O365 to open an office file from OneDrive, edit and save it and get many (most?) of the features I expect in the office applications. From a work compatibility mode, this really simplifies using a Linux machine.

These applications run in a tab in the browser. Generally, I find this to be a good use of screen real estate. However, this approach still ties up space on the browser button bar and status bar and adds a little cognitive load in starting the app and finding it on the screen. Two applications that address these last issues are “Web App Manager” from the Linux Mint project and Nativefier. Both wrap the application in a browser to make it look like a native program.

Web App Manager

I really like Linux Mint. I think there’s a real clarity of vision to the project around making the power of Linux and open source accessible. They develop utilities as part of that vision and Web App Manager is a great example.

Web App Manager makes it easy to manage and use Web Apps. It can be downloaded as a DEB or installed from the Mint repository. If you are running an Ubuntu flavor or derivative (I use Pop!) then this is shown below.

sudo apt install ./Downloads/linuxmint-keyring*.deb
sudo sh -c 'echo "deb https://packages.linuxmint.com ulyssa main" >> /etc/apt/sources.list.d/mint.list'

Creating a new application is as as easy as entering in a name and address. The program will let you select an icon or find one for you. You can choose to retain the browser navigation bar - this ends up being just a new Firefox window, so why bother? - or to start in Private mode. Web App Manaager will then create the entry in the desktop menu.

This ends up creating an application window, just as billed, that behaves like an application. You can even register it as the default email client. The big issue I have is that the resulting window doesn’t have close, minimize, or maximize buttons. This is a very solid option.

Setting up an Outlook application was as easy as specifying https://outlook.office365.com, selecting the icon, and putting it in a category for Gnome. Web App Manager allows you to select the browser it runs in, but my system has Firefox, Ungoogled Chrome, and LibreWolf installed and it only offered Firefox. My guess is it only looks for the major browsers.

nodejs-nativefier

Setting up Nativifier is a little more complicated. Nativifier uses NPM to create an Electron app and this is the first issue with considering it. This application requires a lot of dependencies be downloaded for NPM and my security friends cast a sceptical eye toward nodejs. That’s not to say it’s a no-go, just an item to consider. Electron is something that folks like or don’t. It can produce an app using web technologies that can be easily versioned for different operating systems, but it doesn’t carry a native look or feel. Not a big deal for me, but your mileage may vary.

Installing npm and then nativifier on Ubuntu derivitives looks like this.

sudo apt install npm
sudo apt install nativefier -g

Creating the web app is done from the command line. The example below builds the same Outlook web app. The options here specify the OS and architecture, as well as setting the resulting electron to minimize to the system tray.

nativefier -p linux -a x64 https://outlook.office365.com  --tray

When I ran this it produced a directory called SignIntoOutlook containing an executable of the same name. I renamed the directory and executable to Outlook and gave the application execution permission.

chmod +x Outlook

The resulting application is a window that has the web application inside - that part is the same in both apps or even in a browser. A minor quibble is that it seems to start a little slower (Web App Manager is probably just faster because I already have a Firefox window open). However, this brings us to the next set of big issues for nativefier.

Nativefier builds an electron app but doesn’t add it to the menu. This is easily done in Cinnamon, which has menu editing built in. You can download Menu Editor for Gnome to add it. Since I run Pop-OS!, I created an Outlook.desktop file in ~/.local/share/applications similar to the one shown below.

[Desktop Entry]
Version=1.1
Type=Application
Name=Outlook
Comment=Outlook Web Electron app
Icon=mail-send-receive
Exec=/home/brent/Outlook/Outlook
Actions=
Categories=Office;

Closing thoughts

Both Web App Manager and Nativefier produce a working executable that to a good extent feels like a part of the desktop environment. Since the actual functionality comes from the underlying software as a service, they both function in largely similar ways.

Web App Manager is definitely the choice if you have less experience. It’s easier to tweak, it automatically adds things to the menu, and it’s only dependency is the browser. The only negative I have is that the app window doesn’t have a close button, which sounds silly but is annoying in practice. Alt-F4 or selecting it in the application dock allow you to close, FYI.

Nativefier actually puts an Electron wrap around, gives window controls, and has the option to minimize to the tray. However, it required NPM, the only way to tweak the app is to rebuild it from the command line, and it didn’t integrate with the application menu. None of those are big deals if you are comfortable with the command line.

Problems with Proxmox VE

Sat, 19 Feb 2022 15:37:06 -0500

Look, I know you’re reading this, but sometimes I write these posts for myself. To remind myself of how I built or repaired something. This is one of those posts.

My home server ran VMWare ESXi for a long time. I had trouble upgrading it from 6.5 and I was intrigued by Proxmox VE and putting my home network more firmly in the open source camp. I’ve been running Proxmox VE 7.1 for a while now.

Quick review of PVE

My experience with PVE has been mixed. VMWare hid a lot of it’s Linux base, where PVE is like an opinionated distro aimed at virtualization. With PVE, you are definitely administering a debian derivitive box. PVE will host VMs and also does OS-level containers, which is an interesting take and seems to conserve processor. I implemented my internal servers this way and it’s indistinguishable from a full VM in terms of use .

Probably the biggest “issue” is that I use VMWare Workstation to have a Windows VM on my Linux machine. Workstation was a pretty good front-end for ESXi and you could migrate loads between the two. Obviously, that use case is out the window now.

Generally, PVE runs as good as or better than ESXi. However, on the occassion that something goes sideways you are combing through blog posts and support forums (assuming you don’t have a subscription, which I don’t for home). I like that the things I learn in PVE are transferable to Linux and vice versa, but I wouldn’t make PVE your first experience with Linux.

Back to the show

Power went out at the house the other night and the VMs (actually OS-level containers, but that’s arduous to say and if I abbreviate it OSLC no one will know what I’m nattering on about) storage had an issue. When PVE tried to load those volumes it gave an error “activating LV ‘pve/data’ failed: Activation of logical volume pve/data is prohibited while logical volume pve/data_tmeta is active. (500)”

I tried several approaches to resolve this. You can see the error from the PVE command line via lsblk. What actually worked was to make the interfering volumes inactive. Seems obvious, but I needed the command vgchange. As a note, after I deactivated tmeta I got an error because tdata was active so I had to deactivate that as well.

#deactivate the offending volume
lvchange -an pve/data_tmeta
##activate the expected volumes
vgchange -ay

So this post is a note to myself for the next time. Hopefully it’s helpful to you as well.

Update: I had a power outage in late April and had to follow this procedure again. Apparently it’s a common failure state.

Oh My Posh

Tue, 25 Jan 2022 19:05:41 -0500

I really like the powerline-style prompts that jazz up the command line and I’d like to be able to carry that experience through from Linux to Windows. It seems like everytime I install a new systema and think about this, I find another slightly different way to do something similar. Recently I found Oh My Posh, which is designed to support Windows, Linux, and MacOS. The attraction here is that this gives me the prompt style I like from a consolidated source and with a defined way to set it up.

Here’s an example of OMP installed in Linux running inside Tilix. You can see that it’s providing me collapsed directory information, git info, and the time of the last command. OMP can be customized and the details of that are described extensively in the online docs. This has some marginal productivity - the Agnoster theme condenses directory structure in a very visible way and helps me understand the state of Git. Regardless, it looks cool and a little terminal rice establishes some credibility. If it looks cool to you too, I’ve put together some notes on how it’s done. Follow along!

Linux

Installation on Linux involves grabbing the file from Github and making it executable.

sudo wget https://github.com/JanDeDobbeleer/oh-my-posh/releases/latest/download/posh-linux-amd64 -O /usr/local/bin/oh-my-posh
sudo chmod +x /usr/local/bin/oh-my-posh

Next, grab the themes JSON collection, uncompress them, and set the permissions appropriately. With the themes locally stored, you can easily switch as the mode strikes. Agnoster fits my needs, so that’s what is used in the examples, but you can substitute anywhere you see it mentioned.

mkdir ~/.poshthemes
wget https://github.com/JanDeDobbeleer/oh-my-posh/releases/latest/download/themes.zip -O ~/.poshthemes/themes.zip
unzip ~/.poshthemes/themes.zip -d ~/.poshthemes
chmod u+rw ~/.poshthemes/*.json
rm ~/.poshthemes/themes.zip

Finally, edit ~/.bashrc to run Oh My Posh as part of the shell. Notice in the code below that I’ve specified the “agnosterplus” layout. Substitute whichever theme you are interested in there.

eval "$(oh-my-posh --init --shell bash --config ~/.poshthemes/agnosterplus.omp.json)"

You’ll need to specify the terminal font in your terminal application. A lot of the styling is done through extra ligatures included in nerd fonts - font files that are re-compiled to include additional symbols. Grab a font you like (I’m using Meslo in this example, but I’m also partial to JetBrains NF) and set it as the default in the terminal profile.

This setup is used by bash, regardless of the terminal application. I have Tabby, Tilix, and the included Terminal from Pop! and all three “just work”. As mentioned, the only cavaet is getting a good font setup in the terminal profile.

Windows PowerShell

As mentioned, Oh My Posh works swimmingly with PowerShell on Windows. I have it working in the Powershell terminal and in the Windows Terminal (but recommend the later).

OMP can be installed on Windows using PowerShell, Chocolatey, Winget, or scoop. I prefer Choco, so that’s what is used in the examples below.

choco install oh-my-posh

Then edit the profile. You may get an error because there’s not an existing profile. If so, just create one. Type $profile in PowerShell to see what the filename and location should be.

notepad $profile

add the following into the profile:

Import-Module oh-my-posh
oh-my-posh --init --shell pwsh --config ~/agnosterplus.omp.json | Invoke-Expression

Again, you’ll need to use the nerd font of your choice. Set this up in the PowerShell Terminal or Microsoft Terminal. Both apps use the same $profile, so you just need to change the font in the terminal.

Windows CMD

OMP is even available for the traditional command line. For cmd, install clink. Clink adds some of the editing features of Bash to the traditional CMD. Download clink and run the installer. You can verify the installer by running clink info.

clink info
version  : 1.3.2.222baa
session  : 8504
binaries : C:\Program Files (x86)\clink\1.3.2.222baa
state    : C:\Users\Brent\AppData\Local\clink
    < output trimmed>

Next create a file called oh-my-posh.lua in your clink directory. Note that this directory is given from clink info. The load string below starts OMP - note the theme is specified as well. This section of text can be replaced if you disagree with me on the theme to be used.

notepad AppData\Local\clink\oh-my-posh.lua
    <add this text>
load(io.popen('oh-my-posh --config="C:/Users/Brent/.oh-my-posh/themes/agnosterplus.omp.json" --init --shell cmd'):read("*a"))()

Sudo for Windows Powershell

Sun, 23 Jan 2022 18:28:41 -0500

Some Windows Powershell commands must be run from Powershell running in an administrative context. It’s a little bit of a pain when you need to invoke Powershell this way (right click it in the menu). The real problem is once there’s a terminal up, do you limit this to just the command that requires it or do you just work out of the open (administrative) terminal window? Choosing to remain in that admin context could lead to trouble.

The need for sudo

Unix has a nice way of handling this. The command prompt starts with your user priviledges. It can be escalated for a single command with “sudo” - substitute user do. Wouldn’t it be cool (and more secure) if a similar command existed for Powershell on Windows?

Luke Sampson has a set of powershell scripts that appropximate Linux commands on Github. These include sudo and are meant to be installed using scoop.

Using Scoop

Scoop is an installer, like winget or choco, but it’s aimed more at simple installs. Scoop doesn’t require a developer to make a special installer - it can use a ZIP and instructions in a JSON. These JSON files are stored in buckets - basically these are curated compilations of JSON files stored in a Git.

Scoop specializes in simple programs, like command-line tools such as sudo. In fact, many linux-like tools can be easily installed by scoop such as sudo, git, and curl. Scoop puts everything in your users directory, so it doesn’t cause a lot of UAC pop-ups.

Scoop and sudo can be installed as shown below.

# allow powershell scripts
Set-ExecutionPolicy unrestricted
# install scoop
iwr -useb get.scoop.sh |iex
# install sudo 
scoop install sudo

You can use scoop search to see if a program is available through scoop. Check out the github site to see other buckets that are available as well.

Using Sudo in Powershell for Windows

Once installed, you can escalate priviledges on a command-by-command basis by prefixing them with “sudo”, just like you would on Linux.

sudo set-executionpolicy

Deploying a WIM Image to VMWare

Sat, 22 Jan 2022 12:54:46 -0500

Work uses Windows, but I need a Linux workstation with that set of tools. I find WSL2 incomplete . . . partly because my personal workflow is Linux based. I spoke with the Windows expert and we agreed to use VMWare Workstation to deploy my Windows environment alongside my Linux system. Deploying the standard Windows image to a remote VMWare environment wasn’t something we had setup already. Since I’m trying to be a special case, he sent me the WIM file to figure out how to deploy.

What the heck is a WIM?

A WIM is a file-based Windows Image that is made to be easy to test and deploy. It’s kind of like a ZIP, to my understanding, in that it captures all the files and the directory structure of a partition in a file. Being file-based makes it easy to modify (more on this later). Because it’s not a sector-by-sector image you can deploy it to different sized drives.

How don’t you deploy it?

I tried several approaches to using the WIM file. I’ll mention them briefly here so that you can learn from my experience.

The first thing I tried was making a Windows VM using the Windows 10 downloadable disk image from Microsoft. Once booted, I added a drive and expanded the WIM to the new drive. I deleted my drive with generic Windows and rebooted. I think this didn’t work because the new disk wasn’t set as a primary partition. This approach may be doable, but I moved on pretty quickly.

The next thing I tried was to deploy it via netboot using a Fog Server. That project is pretty stinking cool! I was able to get a VM to reference the server for boot information. The problem here was that I didn’t know what it was looking for (first time with PXE). When I decided it wanted an ISO, I thought “if I knew how to convert to the WIM to an ISO, I could just boot that directly in the VM!” and abandoned the Fog Server approach. I may come back to this to learn more about PXE booting.

How do you deploy WIM?

Microsoft has a series of articles that you’ll need to read to understand how to do this. I’ve referenced them, but be warned that they reference each other circlically and there’s not a good starting point. To help you, I’m going to attempt to draw a straight line through how I accomplished this.

1 - build a WinPE DVD Image

You need to boot into a WinPE environment to deploy the WIM image. Windows PE is a small OS made to facilitate installation, used by Windows as a “pre-boot” environment. To build your WinPE boot disk, download the Windows Assessment and Deployment Kit on a Windows PC and install the ADK executable.

Start the Deployment and Imaging Tools Environment as an administrator and create a working set of files using the copype command.

copype amd64 C:\WinPE_amd64

The documentation says you can build an ISO now. Don’t! There are some batch files that will make this easier - download a zip from here and pull the scripts out and place them in the root of your WinPE directory. Also, grab the WIM file that you’re trying to deploy and stick that in the WinPE directory as well. Now you can build the ISO using the MakeWinMedia command.

MakeWinPEMedia /ISO C:\WinPE_amd64 C:\WinPE_amd64\Acme_Installer.iso

That should create an ISO that’s about a half-gig larger than the WIM file.

2 - Build a blank VM and enable Secure Boot

I created an empty VM with an empty hard drive. The critical piece here is that my image expects to be deployed to a TPM environment. TPM requires UEFI and that the VM be encrypted.

In VMWare Workstation, enable UEFI under Virtual Machine Settings: go to the Options tab, select Advanced, and set the Firmware type to UEFI and Enable Secure Boot. This is shown in the picture to the right. While at the Options tab, select Access Control, click the button to encrypt the virtual machine, and choose a password.

Next add the Trusted Platform Module. Add it under the Hardware tab by clicking the Add button at the left-bottom of the window.

Finally, we need the new VM to boot from the ISO we created earlier. Add the new WinPE ISO to the CD drive and make sure it’s marked connected.

3 - Boot WinPE and deploy the image

Now we’re ready to install the WIM image! Boot the new VM using the WinPE boot disk. It will boot to a prompt. The procedure here is laid out by Microsoft. Use the scripts that you added to the boot disk to first help partition the drive and then to apply the image. CreatePartition-UEFI.txt and ApplyImage.bat were included in those scripts. Obviously image names will change.

diskpart /s CreatePartitions-UEFI.txt
D:\ApplyImage.bat D:\Images\ACME-Standard.wim

The ApplyImage batch file will ask a few questions you need to be prepared for. You can safely answer “no” to all of them.

You will be asked if you want to create a recovery partition. Recovery Partitions are a great tool, but I want to keep this VM as small as possible and I’ll setup recovery mechanisms at the VM level, so I answered no.
Do you want a compact OS install? This runs the OS from compressed files, saving a lot of disk space. Of course, everything has to be uncompressed to be run, so it will slow things down and might take more memory. Even though I want a small VM, I chose to not install it as a compressed OS because I want to have good performance.
Does the WIM file have extended attributes? I’m not a Windows guy, but I chose “no” and everything was fine.

From this point, the VM will go through a preliminary setup, doing things like setting the keyboard type. It will reboot, ask you to login, and then continue the higher level (Cortana led) part of setup. From here, everything should install as you would expect!

As an interesting side-note, the WinPE boot disk includes an FTP client. That might be useful script out some additional file copies to the new machine.

Chocolatey Installer for Windows

Tue, 18 Jan 2022 15:27:47 -0500

I’m setting up a new Windows 10 VM (this time in VMWare) and decided to use Chocolatey to install applications this time, since I tried winget last time. I haven’t tried Chocolatey in a while, and I’ve spent a lot of time exclusively in Linux since then so I was curious what I would make of it, especially in comparison to Winget.

Chocolatey is a package manager like apt. You can use it to search for, install, update, and uninstall programs. This is particularly useful if you have a “standard setup” for new computers - it’s possible to build a script to install the apps you expect. Windows Update only covers Microsoft programs, so Chocolatey fills another gap by updating all the programs it installs from the command line.

Chocolatey

Chocolatey is free open-souce software that has been around for a while and I’ve used it before. Chocolatey works like apt, using the choco command. You can search for a package, install it, or uninstall it. Choco upgrade will upgrade all the Chocolatey-managed applications on your system. This last piece is especially useful, since Windows Update focuses just on Microsoft properties.

Chocolatey uses the command choco. The command sequence below shows looking for all packages in the repository that are include “libre”. That allows me to see the name of the LibreWolf package, which I then choose to install. Finally, the upgrade command can be used to upgrade specific packages or to get them all.

choco list libre
choco install librewolf
choco upgrade all

Use choco list –local-only to see a list of programs installed on the local system by choco. There’s also a GUI, installed by choco install chocolateygui.

Choco compares very well to Microsoft’s winget. The application set available seems a little larger. Like winget, choco will be familiar to apt users (but there are some syntactical differences. I used winget to easily install Git, WinFSP, SSHFS, the Microsoft Terminal, and Librewolf. A later upgrade picked up new versions of Librewolf and Git and installed them without difficulty. Choco also seemed to apply some KB patches I was missing and even upgraded itself!

Installation

Setup is very easy. Installation can be done from an administrative powershell using these commands:

Set-ExecutionPolicy AllSigned
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

Pretty Solid

When I tried winget, I had issues with dependencies. Chocolatey picked these up and installed without an issue, so Librewolf grabbed the Visual C redistributable module and installed it without prompting, for instance. Choco has a wide range of supported applications, particularly if you like to use FOSS.

The biggest issue with Chocolatey is image. The name doesn’t build credibility, and with Microsoft building a competing product now I expect IT departments to focus on winget. That said, choco is a more complete solution with a bigger catalog as of today and it’s definitely the better fit for home.

Setting up a Basic FTP server on Linux

Mon, 17 Jan 2022 15:49:07 -0500

Brother Printers work well with Linux

My last two printers have been Brother multi-function copiers (MFCs). These printers work really well with everything in the house - Windows, Linux, even the school Chromebooks. They have a Linux driver available on their website for all their printers, the print quality is excellent, and they’ve been very durable.

If you’re looking for a printer that plays well with others, take a look.

My Brother MFC-L3770CDW printer can scan to SMB, FTP, or a flash drive you plug in. I wanted to set it up to FTP scans into the personal directories of family members.

Basic FTP with Linux

FTP is a very old file transfer protocol. VSFTP (“Very Secure”) is the default FTP server for Linux. Regardless of the name, plain vanilla FTP transmits usernames and passwords in clear text and setting it up to be “Very Secure” takes a little extra effort. I’m also using it because it’s compatible with my printer, but securing it might interfere with that connection. So this setup isn’t security optimized and is really only appropriate for a home network.

As a note, if secure file transfer is interesting to you, check out the articles on SSHFS.

On Ubuntu, installation can be done through apt. Configuration is done by editing the /etc/vsftpd.conf file. After editing, you’ll need to restart the service.

sudo apt install vsftpd
sudo nano /etc/vsftpd.conf
sudo systemctl restart vsftpd

The configuration file is mostly comments, with each setting preceded by documentation. Remove the hash to “uncomment” a line. Here’s the relevant settings that I used in this case.

listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
allow_writeable_chroot=YES

This configuration turns off IPv6 since I’m not using it. It limits access to valid users on the server, allows those users to write files, and limits each user to their personal folder. VSFTP will throw an error if a chroot’d user has both SSH and FTP write priviledges, which makes sense under more secure circumstances. In this case, I turned off the security check. Be very careful when setting this up, sentences like that last are usually followed by tragedy! It’s only appropriate because I’m limiting access to the server and it’s not “mission critical”.

Testing is easy with Filezilla or from the command line.

brent@server:~$ ftp 192.168.1.2
Connected to 192.168.1.2.
220 (vsFTPd 3.0.3)
Name (192.168.1.2:brent): brent
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Once complete, this worked like a champ. I created ~/scan directories under each user and setup a quick-connect button from the Brother printer. Voila - scans directly to each users home directory!

PSA VMWare

Wed, 05 Jan 2022 17:49:07 -0500

Public Service Annoucement on VMWare Workstation

That’s a little dramatic, but I have had a fit with VMWare Workstation and want to pass along what I’ve learned. I recently upgraded my desktop and VMWare performance went in the dump.

Backstory

I’m running Pop!_OS 21.10 using kernel 5.15. I’m using VMWare Workstation 16.2.1 (latest as of early January 2022). Since I do a lot with virtualization, I have 64GB of RAM. I was running a Gen 6 i7 and recently upgraded my processor and motherboard to get to gen 12. Wow! What a difference! Everything runs super-fast, but VMWare suddenly became anemic.

What’d I do to fix it?

Workstation has trouble running on recent kernels. Michal Kubeček maintains a repository with kernel patches. Download the patch from GitHub - instructions are included in the repository. You’ll know this worked because VMWare boots.

The ultimate fix was to tell VMware not to swap memory, since I have plenty. To do this, run Workstation as root:

sudo -i vmware

Go to Edit > Preferences and under “Memory” select “Fit all virtual machine memory into reserved host RAM”.

I searched all over the Internet and tried a dozen different things to fix this. I know this is a short article, but I wanted to make sure that others had a less frustrating time!

Winget

Tue, 28 Dec 2021 11:46:32 -0500

I’m experimenting with KVM and decided to build a new Windows VM. I’m currently using Pop!_OS 21.10 which uses the 5.15 kernel. Turns out that breaks Windows on VMWare workstation and it looks like the cause is VMWare not keeping up with the latest kernels. There are some patches available, but it’s the week between Christmas and New Years and seemed like a good chance to review the FOSS alternative.

Part of my troubleshooting process on Linux was to make sure that I haven’t made a change that’s impacting VMWare. Pop! has a really cool feature that will roll-back to a clean install, but leave your personal files. Reinstalling missing applications is pretty easy in linux. Installing hugo again is as easy as:

sudo apt install hugo

Chocolatey

Winget

Microsoft has developed a similar tool called winget. I have a bias toward open source, but my job is in a corporate Windows environment. I’m not sure that I could get Chocolatey in the door, but Winget might be something that could be used. I decided to give it a whirl in this VM and try to get some experience.

Installation is a little non-obvious. If you go to the Github page, it recommends installation through the Windows Store. However, I searched the store and didn’t find anything. Instead, I downloaded the msixbundle file from the latest release and ran it.

Winget will be intuitive for apt users. Winget search libre showed me available applications with libre in the title including LibreOffice and Librewolf. Winget install librewolf installed the firefox-based web browser.

One of the best features of apt is the easy way that components are upgraded. Running winget upgrade will list installed applications that have an upgrade avaialable. It even caught an application I did not install with winget! Winget upgrade –all will install all available upgrades. You can also specify specific applications that you want to upgrade.

Not baked yet

I identified three issues in my early experimentation.

Apt will identify dependencies and include them during the application installation. Librewolf completed installation without an error, but wouldn’t run without the Visual C redistributable module. Winget search didn’t turn up a way to install the dependency, so I installed it directly from the Microsoft site.

I mentioned earlier that winget identified upgrades even for applications it didn’t install. That true and would be an enormous advantage of the tool. But . . . it didn’t work. The upgrade failed and pointed me to a log. The log showed that the service needed to be stopped before upgrading. Once I stopped the service and re-ran the winget upgrade –all command, the process completed successfully.

Winget doesn’t get a “half-point” with the upgrade problem. Instead of a simple update, this requires that I identify and shutdown services before running the upgrade, then manually restart them. It’s doable, but far from the easy process that is expected on Linux.

The third issue I found was that the Windows Decrapifier wasn’t included in winget. Is this because the pool of installable applications is comparitvely shallow? This seems reasonable since it’s a relatively new project. You can see the complete list of currently supported applications (here)[https://github.com/microsoft/winget-pkgs/tree/master/manifests/d]. Is the lack of the decrapifier an editorial decision? Possibly, but if so it portends an anemic future for the tool.

##So? Winget shows promise and it’s worth keeping an eye on. But I won’t be recommending it to the end-user support group today. Give me dependency recognition, easy upgrading, and broader support and this will be a standard part of the tool bag.

Czkawka

Sun, 26 Sep 2021 15:07:20 -0400

Czkawka is a “simple, fast, and free app to remove unnecessary files”. I heard it mentioned on one of the Jupiter Broadcasting shows and decided to look into it.

I have a server that I map folders to using NFS or SFTP that has a lot of accumulated junk. I’ve got twenty plus years of kids pictures, and as the computer expert in the family I’m expected to protect these like crown jewels. However, backing up pictures all the time leads to a lot of duplicates. I also keep all my the family files there - school, work, personal, hobbies - and there ends up being a lot of duplication there as well. Not only are duplicate files a problem for local storage, but I pay to back (not much) it all up to Backblaze B2. Czkawka would be a big help if it helped me sort all those files and conserve space.

Installation

Czkawka is available as an AppImage file from Github. I’m using version 3.2 to test.

AppImages are a way of distributing Linux applications can run on any distro - they include all the dependencies so it’s as easy as download and run. They are similar to snaps or flatpaks. They can run from anywhere, so I tend to try them out in my Download directory and then organize them in an “~/Apps” directory if I decide to keep them.

After downloading, you may need to make the file executable.

chmod +x linux_czkawka_gui.AppImage

Usage

Once the program starts, there are four buttons across the top to focus a Czkawka search. They are “included” and “excluded” directories, “excluded items”, and “allowed extensions”. The first three are obvious, the last is used to limit searches by type (ZIP files, for instance). Once a set of directories and files is described, the “search” button in the lower left starts the process.

I started by adding the ~/Downloads directory and searching for duplicates. This turned up a few examples of duplicates which it helpfully grouped. Using the program was a bit non-intuitive - you can’t just click on a file and delete it. Instead, you use the select button at the bottom of the window and have a variety of options to select the oldest, newest, or custom. Czkawka doesn’t really let you interact at the file level but at the summary level and the idea is that you’d select all the dups to be deleted in a big set based on some criteria like age. Custom let’s you select duplicates by file path or a pattern in the name. Once you’ve selected a set you can choose the Delete button to remove them.

Since I’m not sure about deleting a whole bunch of files, I used “select one oldest” to pick individual files for deletion. This was tedious, but at least the process was under my control. It would have been nice to use the check box on the side to pick the ones I wanted to delete, but the interface isn’t oriented that way. Czkawka does organize the list by size, so you can start at the top to maximize the time spent on freeing up space.

More than just duplicates

Czkawka does more than just find duplicate files. It will also search for a variety of errors.

Empty directories is pretty obvious, but I was surprised how many orphaned folder’s I’d left moving things around. This process was simple, I selected all, and it remove them. It will also search for Empty Files (zero bytes), which again surprised me by finding examples. Zeroed Files (those filled with zeros) didn’t turn up anything in my test set.

Invalid Symlink will catch things where the referenced file isn’t present. Because I mount remote file systems, I decided not to pursue this for fear it was giving false positives (maybe the mapping was just down). Broken files are those that show corruption. This found a number of files in my Download directory. This could be flagging corruption or an unsupported format. Because of the number of hits and the nature of what was being called out, I decided to defer removing these to look into further.

It will look for big files. My current use case didn’t include this, but I verified it worked. This could be very useful in some administrative situations where a database or a log file has eaten available free space. I might run this occasionally just to identify any runaway inflation (or the things that are causing it).

Temporary Files looks for a variety of extensions including: #, thumbs.db, *.bak, *.temp, *.ds_store, *.crdownload, *.download, *.part, *.cache, *.dmp, and *.partial.

The most fascinating option was to look for similar images. This option uses a perceptual hash to look for images that may differ in resolution or cropping. This worked really well. I found cases where we had saved cropped images and was able to delete the extra versions. Music Duplicates uses tags to perform a similar analysis. Here I would have appreciated details, such as the different encoding used.

Speed

Czkawka is billed as fast. My testing mostly backed this up. On a local disk, searches ran seconds. It took longer to process a directory over SFTP, for instance, although this would be expected.

I developed a couple ideas about how to best handle these situations. First, I suggest installing the application on the file server and running it locally. My file server is headless, but Czkawka has a command line version for just such situations. Second, try reducing the size of the search field. Use subdirectory to limit it, for instance. Third, I suggest running some of the quicker scans (like “empty files”) first to reduce the size of the dataset.

At one point I was searching through a hundred thousand remote files. As you might expect, the search took a few minutes.

Conclusions

I liked it and plan to keep using it.

Any time I look at a Linux program, I remember that it is being developed and freely offered to the community. The people behind these projects need to be celebrated and appreciated. That said, not everything on GitHub is “fully baked”.

I’m pleased to report that Czkawka is a well thought out and reasonably fast program that does what I expected - it helps me “weed the garden” on my file server and remove the detritus. I’m not crazy about the file selection process and I recommend that you bring up a file manager to compare with the Czkawka searches to make sure you understand what it is finding. Anytime you are dealing with a mass deletion program you want to be extra careful! But the results made sense to me. I didn’t delete everything it nominated, but I was able to save a lot of space in the end.

Using WebDAV on Apache

Mon, 06 Sep 2021 13:00:30 -0400

In recent articles, I walked through how to setup a home webserver with Apache on Linux and how to configure home DNS server using bind on Linux, complete with custom in-home domain for local name resolution. This article revisits the webserver and creates a second virtual host to handle WebDav.

WebDAV is a file sharing protocol built on top of HTTP. Many operating systems can attach to WebDAV folders to upload and download files, including Linux, Windows, Mac, IOS, and Android. I have a password database that I want to keep sync’d between different computers and phones and I’m not comfortable hosting that “in the cloud”, so this allows me to self-host.

I’m using Ubuntu Server 21.04 for this exercise.

Setting Up DNS

My forward lookup zone file includes an A record for the server and a CNAME for the dav share, similar to the output below.

www IN  A   192.168.26.53
dav IN  CNAME   www.stewart.lan

Once the zone file is updated and named restarted, this can be tested by pinging “www.stewart.lan” and “dav.stewart.lan”.

Setting up Apache

If you haven’t already done so, the first thing to do is to install apache2. Next, enable the webdav Apache modules. Apache using a2enmod and a2dismod for handling modules. Finally, create a folder to handle the WebDAV files and set the permissions up. When complete, restart Apache to load the modules.

sudo apt install apache2
sudo a2enmod dav
sudo a2enmod dav_fs
sudo mkdir /var/www/dav
sudo chown -R wwwroot:wwwroot /var/www/dav
sudo systemctl restart apache2.service

Setting up the DAV site

Apache is now ready to host a WebDAV site, but needs a configuration. For this, create a text file under /etc/apache2/sites-available (I named mine dav.conf). The serveralis parameter tells it to respond to requests to dav.stewart.lan and the alias directive tells Apache the root location is the dav folder.

brent@webnamer:/etc/apache2/sites-available$ cat dav.conf 
DavLockDB /var/www/DavLock                      #database file Apache uses to lock files
<VirtualHost *:80>
    ServerName stewart.lan
    ServerAlias dav.stewart.lan
    alias / /var/www/dav
        ServerAdmin brent@stewart.tc
        DocumentRoot /var/www/dav/
        <Directory /var/www/dav/>
                Options Indexes MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
    </Directory>
    <Location /dav>
        DAV On
        AuthType Basic
        AuthName "webdav"
        AuthUserFile /var/www/passwd.dav
        Require valid-user
    </Location>
</VirtualHost>

Enable the site and reload Apache

a2ensite dav.conf
sudo systemctl restart apache2.service

Add Authentication

Go to the directory referenced by DavLockDB and create an empty file named users.password. Set the file ownership to www-data. Finally, add users to this file using htdigest (you’ll be prompted for passwords).

sudo touch /var/www/users.password
sudo chown www-data:www-data /var/www/passwd.dav
sudo htdigest /var/www/passwd.dav webdav newuser
Adding user newuser in realm webdav
New password:

Confirming the setup

There are a lot of ways to test. You can browse to that URL, use an application, or attach to it from your file manager using the url webdav://dav.myserver. Confirm that you are prompted for a password as expected!

DNS on Ubuntu

Tue, 31 Aug 2021 19:08:11 -0400

Continuing from my previous post, I have recently rebuilt my server infrastructure at home, migrating from VMWare to Proxmox VE. I’m still getting the hang of Proxmox, although I’m feeling favorable towards it so far. In the meantime, I wanted to document some of the little pieces to setting up a home network. This time I’ll provide a walk through of a simple local DNS server. My goal at home is to create a “stewart.lan” network that I can use to reference local resources.

Like the Apache server I built last time, this server is running Ubuntu 21.04 Server and my instructions are written from that perspective. Some commands may change as you move to non-Debian distributions or with different versions. Installation of DNS services is done with bind9.

sudo apt update
sudo apt install bind9
sudo ufw allow 53
sudo ufw allow 53/udp

Once the service is installed, bind configuration files are found in /etc/bind. In my configuration there are five files that I modified or created: the service configuration file named.conf which loads in named.conf.local and named.conf.options.

root@webnamer:/etc/bind# cat named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

###

root@webnamer:/etc/bind# cat named.conf.local
//
// Do any local configuration here
//
zone "stewart.lan" {
    type master;
    file "/etc/bind/forward.stewart.lan";
    allow-query { any; };
};

###

root@webnamer:/etc/bind# cat named.conf.options 
acl internal-network {
    192.168.24.0/22;
    localhost;
    localnets;
};
options {
    directory "/var/cache/bind";
    forwarders {
	    192.168.26.53;  //this server
	    208.67.222.222; //OpenDNS1
	    208.67.220.220; //OpenDNS2
	    8.8.8.8;        //Google DNS1
	    8.8.4.4;        //Google DNS2
    };
    allow-query { internal-network; };
    allow-query-cache { internal-network; };
    allow-recursion { internal-network; };
    allow-transfer { none; };
    allow-update { none; };
    dnssec-validation yes;
    auth-nxdomain no;
    recursion yes;
    notify no;
    listen-on { any; };
    listen-on-v6 { none; };
};

Anytime DNS config files are changed the system will need to be restarted.

systemctl restart named

With these files in place recursive lookups (like google.com) should be working. This can be tested by changing DNS on a machine, or by using dig or nslookup. Dig accepts arguments for the DNS server to use, the domain to be queried, and the type of record (by default A) to be returned. In the example below, the server and the domain to be returned are specified. NSLookup is a similar command that queries DNS servers. In the example below, the server command tells it to connect to the new server and then the “www” is a query for a record (haven’t gotten to the local zone setup yet).

root@webnamer:/etc/bind# dig 192.168.26.3 stewart.lan

; <<>> DiG 9.16.8-Ubuntu <<>> stewart.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35138
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1b490288965657d7010000006131687c06bba43e1f56fdbc (good)
;; QUESTION SECTION:
;stewart.lan.			IN	A

;; AUTHORITY SECTION:
stewart.lan.		604600	IN	SOA	localhost. root.localhost. 6 604820 86600 2419600 604600

;; Query time: 0 msec
;; SERVER: 192.168.26.53#53(192.168.26.53)
;; WHEN: Thu Sep 02 20:12:44 EDT 2021
;; MSG SIZE  rcvd: 118

root@webnamer:/etc/bind# nslookup
> server 192.168.26.53
Default server: 192.168.26.53
Address: 192.168.26.53#53
> www
Server:		192.168.26.53
Address:	192.168.26.53#53

>

If there are problems at this point this point, use named-checkconf to review the configuration files for errors. By default, named logs can be reviewed with tail /var/log/syslog as well.

A forward lookup zone (which matches names to numbers) needs to be created if we want a local zone. My house is named stewart.lan, but any name is fine with the caveat that collisions with valid public name spaces should be avoided. A forward lookup zone is a text file similar to the one below. Note that this file was referenced in the named.conf setup. A records link names to IPs. CNAMEs are alias records.

brent@webnamer:/etc/bind$ cat forward.stewart.lan
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                            6         ; Serial
                        604820         ; Refresh
                        86600         ; Retry
                        2419600         ; Expire
                        604600 )       ; Negative Cache TTL
;
;Name Server Information
@       IN      NS      ns.stewart.lan.

;IP address of Your Domain Name Server(DNS)
ns IN       A      192.168.26.53

;A Record for Host names
gw     IN       A       192.168.26.1
ns	IN	A	192.168.26.53
pop	IN	A	192.168.25.7
print	IN	A	192.168.24.17
oldprint	IN	A	192.168.24.11
server	IN	A	192.168.26.9
proxmox	IN	A	192.168.26.10
library	IN	A	192.168.26.11


;CNAME Record
www	IN	CNAME	ns.stewart.lan.
dav	IN	CNAME	ns.stewart.lan.
newprint	IN	CNAME	print.stewart.lan.
pve	IN	CNAME	proxmox.stewart.lan.
webnamer	IN	CNAME	ns.stewart.lan

This setup doesn’t show the reverse lookup zone (24.168.192.in-addr.arpa), but that can be built easily and added if needed. Reverse zones link numbers to names and are used for authentication usually. With DNS setup and the forward zone in place, we should be able to ping by name (link printer.stewart.lan). If there are problems, use named-checkzone to confirm that the format of your zone file is correct.

Simple Apache Setup on Linux

Mon, 30 Aug 2021 16:38:48 -0400

I’ve been running the free version of ESXi 6.5 for a while, but the vulnerabilities kept piling up and I had issues upgrading it. I’ve been looking at ProxMox VE for a while and last week I decided to give it a chance. I want to get more experience with the server before I write about it, so I’ll start by detailing a simple process to get a local webserver running. Browsers keep trying to throw distracting junk in front of me for start pages when what I really want is to quickly get to the sites I need. I put together a simple page that organizes my personal and work links for this purpose.

I built this server on Ubuntu 21.04 Server and my instructions are written from that perspective. Notes around the firewall and restarting the service will vary by distribution and version, but I’ll leave translation as an exercise to the reader. Installing a webserver is straightfoward - there are a variety to choose from, but Apache is good for this purpose because it’s so well documented. Once the package is downloaded and the service started, you should be able to browse to http://127.0.0.1 and see the default Apache page. When I did this at home, Ubuntu 21.04 had the firewall up by default, so I needed to allow the Apache service.

sudo apt update
sudo apt install apache2
sudo ufw allow 'Apache'

You’ll need to put your files somewhere for serving. Apache puts content in /var/www by default so I created a directory for my site user at /var/www/stewart. With that done, the website needs to be defined for Apache. The Apache config files are found at /etc/apache2. To setup a new site I created a stewart.conf under /etc/apache2/sites-available. Below is a simple configuration file.

<VirtualHost *:80>
    ServerAdmin my@email
    ServerName www.stewart.local
    ServerAlias www.stewart.local
    DocumentRoot /var/www/stewart
    <Directory /var/www/stewart>
        Options Indexes FollowSymLinks Multiviews
        AllowOverride All
        Require all granted
        allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

The site then needs to be activated. Enabling the site is done with a2ensite and it can be disabled with a2dissite. This will create a link into the /etc/apache2/sites-enabled/ directory. The web service will need to be restarted at that point as well. When it restarts, it reads the conf files it finds in sites-enabled.

sudo a2ensite stewart.conf
sudo systemctl reload apache2

With that, you should be able to browse to the local server and see the site!

Cockpit

Sat, 01 May 2021 14:44:32 -0400

If “web-based graphical interface for administering Linux” makes you think Webmin, then you need to look at Cockpit. Cockpit is a modern web-based management tool for all your Linux servers. It’s similar to webmin, but slicker.

Installation in Ubuntu is a breeze. I installed this on all my linux machines and can manage all of the systems from one dashboard (again, Cockpit has to be installed on them all). Cockpit is the base install, with other packages to add functionality for storage, networking, pack manager, virtual machines, and containers. After installation, browse to https://linux_ip:9090 to find the login screen for Cockpit. Login using the same credentials you use to login to ssh.

sudo apt install cockpit cockpit-storaged cockpit-networkmanager 
cockpit-packagekit cockpit-machines cockpit-podman

Once logged in, the Dashboard is the information hub. By default it shows processor, memory, network, and storage graphs. From this screen you can also add additional servers to this instance of cockpit (the + button). I have setup several servers on cockpit on my server, and the graph shows all of them.

Click on the server name at the bottom of the Dashboard (or click the Host button on the side) to zoon in to instance specific information. From here you can get hardware details or drill down into different areas.

Logs makes it easy to look through all the logs on the system. For instance, I can query all the logs from the current session for “Alert and above” messages. I can even match to a text pattern! This is one of the easiest ways to quickly comb through Linux logs.
Storage lets you dig into the details of the attached drives, including NFS mounts
Networking shows utilizaiton graphs and critical parameters, such as IP
Accounts shows all the accounts on the box. It also allows you to add, change or delete accounts. Password reset? It’s a snap through here.
Services shows all the running services, like Windows task manager. You can rest stop or start services from here as well.

There is a software updates tab that makes it easy to keep everything up-to-date. Click the update button and watch the progress bar.

Finally, there’s built-in access to the console from the web interface. If you are managing a server and there’s something that can’t be done from the GUI, just click the terminal tab and do it from the command line.

If you have a group of devices, this is a great way to administer them from one console. The log searching in particular is one of the best implementations I’ve seen. More than that, you can quickly access the things you need in a “headless” environment such as adding accounts, confirming administrative details, or updating software.

I’ll talk about automation in the future but there’s a need for an interactive way to manage servers and this compliments ansible nicely.

Hugo Markdown Cheatsheet

Sat, 24 Apr 2021 12:42:56 -0400

Markdown is a fantastic distraction-free way to write. Using Markdown in VSCode is one of the things I like most about building this blog with Hugo. It’s important to realize that the site CSS and Hugo shortcodes that are present play a big role in the way you write for the Hugo platform. Those elements are usually included in the theme. My theme is called next and you can clone it from Github.

This post is a reference for how to use Markdown with my CSS and shortcodes. I built my own hugo theme and CSS because I wanted to understand how it all worked. I don’t think that my setup is the fanciest, but you are welcome to clone it or fork it. If you are new to Hugo, CSS, or HTML in general then my efforts are cleaner and probably more understandable than one of the advanced themes.

I’ve been doing this for nine months - pretty much the entire pandemic - and I’ve started to realize that I’ve forgotten some of the things I used months ago. This document is therefore a reference for me. My career has never centered on HTML or CSS, so this has been an awesome learning opportunity. Mike Dane has some fantastic videos that helped me get started.

Basic Markdown

The quick brown fox jumped over the ~~frog~~ lazy dog. Use the backslash to display literal symbols instead of processing them {}.

The __quick__ _brown_ __*fox*__ jumped over the {{\<strike "frog">}} 
{{\<highlight "lazy dog">}}.    Use the backslash to display literal 
symbols instead of processing them \{}.

Note that “\” literals appear in the shortcodes to force shortcode syntax display and are not used in production. Double tildes “~~” can be used before and after to strikethorugh as well.

I picked up the shortcodes for highlighting and strikethrough from Ashish Lahoti at codingconcepts.com, who has several interesting Hugo articles on his blog.

Lists

Unnumbered and ordered list are easy and intuitive.

Bullet

Numbered
Example

* Bullet
1. Numbered
2. Example

Headings

Headings are created by successive hash symbols.

Heading One

Heading Two

Heading Three

# H1  
## H2     
### H3

I usually use Heading one for the title and heading two inside an article.

Blockquotes

Block quotes are accomplished by tabs. Consecutive lines are assumed to be a continuation. You can also use the “greater than” sign to indicate a section is a blockquote. When presenting this way add two spaces at the end of every line to indicate the following line is also a part of the block and a new line, otherwise it won’t respect returns. You can also use multiple greater thans to create an indented section. This comes in using my CSS Blockquote style.

This is a block quote. “Two things are infinite: the universe and human stupidity; and I’m not sure about the universe.” ― Albert Einstein

This is a indented block quote. Because my CSS centers them, it looks a little wonky. “Darkness cannot drive out darkness: only light can do that. Hate cannot drive out hate: only love can do that.” ― Martin Luther King Jr., A Testament of Hope: The Essential Writings and Speeches

and here’s the actual typed Markdown.

> This is a block quote.  “Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.”
― Albert Einstein 
>> This is a indented block quote.  Because my CSS centers them, it looks a little wonky.  “Darkness cannot drive out darkness: only light can do that. Hate cannot drive out hate: only love can do that.”
― Martin Luther King Jr., A Testament of Hope: The Essential Writings and Speeches

Code

Code can be accomplished a number of ways. It can be surrounded by three ticks (`). The easiest way to create a code block is to add a line to the block, then tab and add your code. Leave a line after the block and the tabbed section will be treated as a code block.

Tick block

Print ("tick block")
Print ("using three ticks before and after")

and here’s what that looks like:

```
Print ("tick block")
Print ("using three ticks before and after")
```

Tab block

Print ("tick block")
Print ("using three ticks before and after")

and here’s what that looks like - line before and after, tabbed block.

 
          Print ("tick block")
          Print ("using three ticks before and after")

Non-printing characters

You can also make this work with non-printing characters as demonstrated below. Pretty weak approach, but sometimes I don’t have a better way to make columns line up.

non-printing characters were used to indent this line . . .

Tables

Tables are created using a table shortcode as demonstrated below.

Table: Demonstration
Letters	Numbers	Symbols
A	0	*
B	1	$
C	2	%

Ignore the backslashes below - the shortcut kicks in when displaying if I leave them out.

\{\{\< bootstrap-table table_class="table table-responsive table-hover" thead_class="table-info" caption="Table: Demonstration" \>\}\}  
| Letters | | Numbers | | Symbols  |  
|:-----:|:--:|:-----|-|-----|  
| A |  | 0   | | \* |  
| B |  | 1 | | $ |  
| C |  | 2 | | % |   
\{\{\</bootstrap-table>\}\}

I copied the shortcode for bootstrap tables from MyBlueLinux. I’m not sure who the author is, but they are interested in many of the same things I am - networking, Linux, and so on. Readers of my blog would probably enjoy this site as well.

Links and Images

Links in Markdown are formatted as shown below for GNS3.

[GNS3](https://gns3.com)

Images in markdown are formatted similarly to links, but start with an exclamation. The code to bring in the GNS3 symbols is shown below.

\![GNS3]\(/gns3.png#floatsmallright)

My CSS supports the following directives - these are all dynamic and change the image size based on the window size, which gives a much cleaner look.

floatsmallright
floatsmallleft
floatright
floatleft
center

I’m not sure where I copied this idea from (God bless open source and github!). You can find this in the next theme style.css in my Github account, along with all the shortcodes.

GNS3 Attached to ESXi

Wed, 21 Apr 2021 20:11:14 -0400

I got a little distracted. I have been coming up to speed on Ansible, which got me started on Vagrant. Vagrant got me building VMs in VMWare Workstation , which got me thinking how neat it would be to place those automagically into my GNS3VM environment hosted on ESXi. Didn’t get that far - yet - but the progress I made is pretty cool in it’s own right.

Most GNS3 users are using a GNS3 VM to host their topologies. Mine sits on an ESXi server. I discussed a few days ago how to connect GNS3 into a network (see Connecting GNS3. Here I want to do something more complex - I’d like to connect ESXi instances into arbitrary points in a GNS3 network. The topology will still have a connection “out” to the home network and Internet, but I want to add an ESXi VM “inside” the network as well.

The approach I used was to attach the VMs into an ESXi VSwitch VLAN and then use additional cloud appliances to attach those VLAN into the GNS3 topology. This seems obvious in retrospect.

Setup on ESXi

The first step is to go onto the VMWare ESXi server and create a new VLAN on the vSwitch. From the ESXi management interface, select the networking tab and “add port group”. I created VLAN 30 and called it “GNS3-30” and assigned it to my default virtual switch (vSwitch0).

Setup the GNS3VM

Next I went to the GNS3vm VMWare properties and added an interface. The interface will attach to the VM “live”, but you’ll need to go into the GNS3vm to configure it before it can be used.

To setup the interface, login and choose “Shell” from the main menu. The interface needs to be added to netplan. I ended up adding two interfaces (more fun!) and also took the chance to set a static IP for my server.

cd /etc/netplan  
ls  
sudo nano 90_gns3vm_static_netcfg.yaml

Here’s the edited YAML file I’m using.

network:
  version: 2  
  renderer: networkd  
  ethernets:  
    eth0:  
      dhcp4: no  
      addresses: [192.168.25.52/24]  
      gateway4: 192.168.25.1  
      nameservers:  
        addresses: [8.8.8.8,8.8.4.4]  
    eth1:  
      dhcp4: no  
    eth2:  
      dhcp4: no

When I did this step, it replaced the existing eth0 on the GNS3VM and made my old interface eth1. This disconnected the VM because the IP information was associated with eth0. I diagnosed this by using the VMWare interface and the ifconfig command on the GNS3VM to identify and associate names and MAC addresses, but it took a little time to understand what happened. I’m still not sure why, but be alert for this issue if you add an interface. My Internet GNS3 cloud appliance had to be disconnected (you cannot add interfaces to a cloud with existing connections), eth1 added, and reconnected to get it to work.

Adding to GNS3 Topology

Recall from Connecting GNS3 that I’ve setup my home network to expect a GNS3 border router at 192.168.25.82 and it will be the route to 192.168.28.0/22. In this simplest case, I’m attaching another interface on that same router to a different vSwitch VLAN and routing between them. I could have put the new VLAN deep in the GNS3 topology.

So pause before this next paragraph. Recall that there are three contexts, one physical, one in terms of the ESXi vSwitch, and one inside GNS3.

Attaching a new cloud (in GNS3) that uses the GNS3VM interface (in the vSwitch context) attached to the new VLAN (in my case, eth0 -> VLAN30) will bring that new network into the virtual lab.

At this point I attached a Windows VM to the new VLAN and set it’s interface to DHCP. I connected the cloud to the virtual router (in GNS3), setup the interface, and added DHCP server capability.

int g0/2  
  ip add 192.168.30.1 255.255.255.224  
ip dhcp pool GNS3  
  network 192.168.30.0 /27

I can verify that this works inside the Windows VM, and by verifying that an IP has been assigned from the router.

Router1# __sh ip dhcp bindings__  
Bindings from all pools not associated with VRF:  
IP address   Client-ID/        Lease expiration    Type
             Hardware address/  
             User name  
192.168.30.2 0100.0c29.e965.fd Apr 30 2021 12:05 AM  Automatic

What’s next?

I’d really like to be able to Vagrant up straight into GNS3. I’m not even sure why, except that it would be cool. Right now I can build a VM on Workstation, transfer it to ESXi and place it in the VLAN and thus in the GNS3 topology.

I can easily extend the vSwitch VLAN to my home network, but for this to really work I’ll need to implement a trunk to my desktop and be able to place Workstation VMs into the VLAN.

One of the things I love about GNS3 is that it pushes me to understand things and learn new techniques. I’ll work on that as I have time in the days ahead.

Connecting GNS3 to Real Networks

Sat, 17 Apr 2021 10:48:58 -0400

I mentioned a month or so ago that I wanted to set out on a journey to create a set of template networks and then substitute in the various appliances that are supported under GNS3. The idea is to start with Cisco, which I know best, and then explore the differences. I’m still really excited about that but . . . life. So we’re off to a slow start. I’m going to break down some of the topics into smaller pieces so I can keep that project moving forward. First up - how to connect you GNS3 lab environment to a “real” network.

Current Lab State

My home network is built using Meraki gear. That’s not a typical home setup, but I was supporting a lot of Meraki for a while and it was a good way to “eat the dogfood”. I divide the home into subnets so that high risk devices (IoT, kids computers) are isolated. I have an ESXi server that hosts my GNS3 VM, but I haven’t switched over to the web client yet. I’m still using the GNS3 front end running on PopOS!

Here’s a diagram of the lab I’m building. In this first step we want to use 192.168.28.0/22 for our GNS3 environment and communicate from it to the local network and the Internet.

Attaching the Cloud

My local network is represented by “Cloud1”. I placed this into the lab and attached a connection to the virtual Cisco router. I chose the G0/1 interface when I placed the connection, but this can later be found by hovering over the virtual router in GNS3. You can label connections in GNS3 by clicking the “Show/Hide Inteface Labels” button. In this case I just placed some text.

The Meraki device isn’t really within the GNS3 topology, it’s just a link to the Meraki Dashboard. It’s convenient to have this easily accessible - refer to Adding Hyperlinks to GNS3 Topologies for a walk through on how to do that.

Setting up routing

My “real” Meraki router knows how to reach all the local VLANs because it’s directly attached to each of them. It’s going to need to know how to reach the lab environment. This is done under “Security & SD-WAN” > “Addressing and VLANs”. At the bottom of that page is a place for static routes. Identify an IP on the local network that you’ll use for the virtual router and then add a static route.

I added a route to 192.168.28.0/22 going to the virtual router. Even though I’m setting up a simple switching lab, giving a block of addresses to the lab means that I won’t have to revisit this process when we start talking about more complicated networks.

The virtual router needs a default route pointing to the home router. It’s also worth noting that I’m not using a DHCP address for the virtual router. You can do this and it will work, but the address will change with each reboot and you’ll need to update the router configuration constantly. Another option would be to use DHCP and a routing protocol. This might be more of an option with another home router, but the Meraki is particularly weak in supporting dynamic routing. Finally, I put an address on the inside of the virtual router.

The following output has been edited for brevity, but shows the added commands and the test ping to Google.

Router# sh run  

hostname Router  
 
interface GigabitEthernet0/0  
 ip address 192.168.28.1 255.255.255.0  
 interface GigabitEthernet0/1  
 ip address 192.168.25.82 255.255.255.0  
!  
ip route 0.0.0.0 0.0.0.0 192.168.25.1  

Router#ping __8.8.8.8__  
Type escape sequence to abort.  
!!!!!  
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/25/29 ms

We also want to verify that traffic is flowing from the Internet into our virtual GNS3 lab environment. To do this I’ll source a ping from the G0/0 interface.

Router# ping  
Protocol [ip]:  
Target IP address: 8.8.8.8  
Repeat count [5]:  
Datagram size [100]:   
Timeout in seconds [2]:   
Extended commands [n]: y  
Ingress ping [n]:   
Source address or interface: 192.168.28.1  
Type of service [0]:  
Set DF bit in IP header? [no]:   
Validate reply data? [no]:  
Data pattern [0x0000ABCD]:  
Loose, Strict, Record, Timestamp, Verbose[none]:  
Sweep range of sizes [n]:  
Type escape sequence to abort.  
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:  
Packet sent with a source address of 192.168.28.1   
!!!!!  
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/27/31 ms  
Router#

Step 1 complete

Our lab environment is reachable from the local network and it can reach out to the public Internet as needed at this point. The next step will be to setup the switches!

Play along at home

There’s an associated Github repository for these labs (brentstewart/gns3labs). So far it just has this initial version of the switching lab in it. The topology is there, but it doesn’t have configurations anything other than the router. I’ll continue to refine this lab and add more labs to that repository as we continue this adventure. Please clone the repo and work these with me!

CPUFetch

Tue, 13 Apr 2021 17:50:03 -0400

I don’t have to check CPU statistics very often, but occassionally I need to remember details like how many cores I have. The traditional way to get CPU information in Linux is to use lscpu. Here’s the top of the output on my desktop. I’ve truncated the picture - the output is a full page or two of details about your CPU and it’s capabilities. You can also cat /proc/cpu, which has similar info, or list hardware with lshw. lshw provides a lot of output, so you can filter that down with lshw -class CPU. All of these options work, but they vary from cluttered to hard-to-read.

I came across a fun utility to do the same thing, but prettier. CPUfetch doesn’t display the same level of detail, but it pulls the most interesting pieces. It’s actually a little clearer and easier to read because it doesn’t have as much detail. With the pretty logo to the left I assume the name is a nod to Neofetch, a utility I build in to my .bashrc to show on startup and use all the time.

This doesn’t solve a lot of problems, but it is kinda cool. If you agree, check it out on Github. To install, clone the repository and make the executable. I put all my repos in a single directory to organize them, a practice I suggest.

cd ~/git  
git clone https://github.com/Dr-Noob/cpufetch  
cd cpufetch  
make  
./cpufetch

It will also compile on Android, Windows and MacOS, if you’re into that kinda thing. The readme at github has some other sample pictures and some ways to modify the output. Have fun!

Using the SSH client config file

Fri, 02 Apr 2021 15:40:47 -0400

This article continues a series of articles I’ve done on SSH. We’ve used the server configuration file (sshd_config) to set parameters, but many folks do not realize that there is a client configuration file as well. In fact, ssh uses command line options, then the client file, then the server file when building the capabilities of a new connection.

Simple Example

The file is a plain text file found in ~/.ssh. It doesn’t exist by default, so a new file with that name needs to be created. The simplest version of an ssh config file looks something like this.

host server  
hostname 10.1.1.1  
user brent

Even at this stage, this is beneficial. We can use the host to resolve a name, so even without DNS we don’t have to remember IPs. Because the user is specified we can now simplify our ssh command to: ssh server.

I am often moving between locations and don’t have access to internal DNS. I can share this file between my desktop and laptop and ease some of the memorization required to move through the environment.

What Else Can We do?

Building on the previous example, we can also specify a non-standard port or a specific key. We can add additional hosts as well.

host server  
hostname 10.1.1.1  
user root  
port 2222  

host server2  
hostname 10.2.2.2  
user vagrant  
localforward 2222 10.1.1.1:2222

host home    
hostname 192.168.1.10  
user brent

This example includes three servers. The first now uses a non-standard port. The second is setup to forward tcp traffic on 2222 to the first server. Each has a different username specified.

Other examples of additional commands can be found in the OpenSSH documentation (referenced below).

Wildcards

The last complication I’ll add is to add the following to the config file above. Wildcards allow us to specify things that apply to multiple hosts.

host serv*  
identityfile server_id_rsa  

host *  
 ForwardX11Trusted yes

Connecting to “server” will now pull in the the key file and X11 command. For “home” only the X11 forwarding would be added.

These days we’re connecting to local servers with one set of credentials and cloud hosts with a different set. Often there’s some specific options that have to be used when connecting to the cloud host - to specify a keyfile for instance. Particularly given the complication of managing cloud assets, the client config file can be an important tool.

I’ll close by discussing security. Building an ssh client config file can make life easier and there’s a natural desire to share that work in a team. This is probably safe, assuming that servers are locked down with something more than passwords. Reference my article on PAM changes if you are interested in that. If you are managing a large environment, it’s probably good to think about some centralized authentication (like sssd) so that you can quickly update credentials. The config file - by itself - doesn’t compromise security except for allowing an outsider to “case the joint”. Still, I’d suggest handling the config file conservatively and limiting distribution.

Rational Change Control

Wed, 17 Mar 2021 19:42:22 -0400

Nobody likes change but a baby. That’s the saying anyway. Yet in IT, we have to deal with constant change. Not only that, we have to manage it to minimize risk and harm. And we have to balance the natural tendency to manage through bureaucracy against the need to get things done without paperwork getting in the way.

This article isn’t about why you need change control: you do. It’s not about the value of ITIL or ticketing: they’re necessary. But if you’re going to turn this “computer-thing” into a career, you need to figure out change control and that’s what this article is about.

A lot of my thinking on this topic comes from working with people like Dan and Umesh. These are thoughts that we developed together and made work, and that’s why I feel confident recommending them to you.

Planning and oversight

Change control documentation needs to layout the change for review. Review is not a second-guessing session, although if you propose something stupid it can be. Good change review is going to make sure that the plan makes sense, that the right people are notified, that there are no conflicts with other IT changes or business requirements, and that the appropriate level of specificity is present in the docs.

The right level of specificity . . . that sounds tricky. Generally, I’ve found that proposed changes fall into three piles. The easy pile really doesn’t need to be reviewed, it just needs a little documentation. The medium pile needs a little review, perhaps by a manager, and a little more verbiage in the docs. The hard pile needs a lot of careful thought and benefits from a collaborative and thorough review. It needs to be reviewed at several stages, including by a Change Advistory Board.

The table on the left is the one that I’ve developed and used. Changes are described by risk and asset criticality.
Risk – risk is subjective from the perspective of the person performing the change. What is not risky for you might be more risky for me.
• Low – I’ve done this a million times and it always works. There is a redundant system and backout plan.
• Medium – I’ve done this a few times and it usually works. There is a redundant system and backout plan.
• High – I don’t have a lot of experience OR there isn’t a redundant system or backout process that meets the availability budget.

Asset Criticality – This is defined per CI or environment. Availability budget is an SRE concept that specifies the target availability based on budgeting and does not include regular scheduled downtime. The exact AB percentages and how they are measured will change based on the environment, but they might look something like this.
• Low – interruption or loss impact one or a small number of non-critical systems/users at non-critical times
• Medium – interruption or loss impacts ability to conduct business (availability budget >98%)
• High – an interruption or loss of this system would impact clients (availability budget > 99.99%)

Yes, this ranking is a little arbitrary. My experience is that having an overly complicated system leads to folks using the system to justify making changes “less critical”. A simpler system trusts the engineers more and they typically respond to that trust with more conservative assessments. That said, if nothing bad happens then changes will be viewed as less risky over time. One important component is that the CAB needs to review a sample of non-critical changes and push back by calling out some examples of mis-classified changes.

Documentation and review

CAB documentation needs the full kit and caboodle and here’s what that looks like:

Purpose: Why is this change necessary? What is being done (in 20 words or less)?
Basics: Who is doing the work? What is the proposed change window? NOTE: I recommend that a change window include recovery time. If that’s not known, I generally allocate 1/3 of the window for the change, 1/3 for the troubleshooting, and 1/3 for backout. In a complicated change, I actually script steps and expected time of completion for each, plus have a hard fail-back moment.
Affected devices (CIs): Which pieces are being changed?
Risk of Change: If we go forward, what’s the worst that could happen?
Risk of NOT making the change: Ah, here’s an important point. In IT there is often risk in making a change, but if you DON’T apply that patch you are vulnerable. If you DON’T upgrade, power supplies fail. Stuff will happen and it’s important to point out that sitting on our hands won’t save us.
Impact: Describe the impact assuming everything goes as planned. For instance, the plan is to upgrade an OS which will require a reboot. Users will at minimum see an impact for minutes while the device reboots.
Details: This section is a breakdown of the steps involved. The level of detail has to be worked out in each organization, but I generally find that it needs to be detailed enough that multiple people familiar with the equipment could read the doc and would interpret it similarly and complete the same steps. Using the exact commands can be good, but it’s best to be a little vague so that a missed detail doesn’t require another change control document.
I like to breakdown the activity into three areas. Pre-downtime and Downtime cover the preparation and the activity during the change window. These steps also need to describe how the change will be tested. Backout Plan talks about steps to be taken if it doesn’t go well. Each of these steps need to include communications - who will be notified and when will they be notified?

In my opinion, CAB level changes should be previewed by the manager to prevent wasting the Boards’ time. The manager should also review the result to ensure it meets the commitment. Less complicated changes don’t need this level of detail. “Medium” changes can usually focus on the details and just be approved by a manager.

Thoughts

Change systems are about organizing people and getting them to talk to one another. They’re also about holding folks accountable for a professional level of forethought. Notice that I didn’t say results - we all recognize that even the best planned and most predictable upgrades can go sideways without it being someone’s fault. But if the right kind of thought process was used, we’re equipped to recognize the problems and correct them, or at least escape unharmed.

Similarly, making sure that the right people are consulted and updated means that these little “oops” moments become events that generate more trust. Imagine a VIP saying, “You told me something might happen, when it did you were prepared for it and kept me in the loop, and harm was minimize because of the thoughtful approach.”

I like to say that a good change process is like a victory lap - all the hard work is done before the change ever starts.

Making a Memorial DVD

Mon, 08 Mar 2021 21:59:17 -0500

A good friend lost his father to COVID last week. It was unexpected - he was only about 60 and in good health. My friend asked for help putting together a memorial DVD. Perhaps you’ve seen these - at a receiving in the US it’s common these days to find a TV that displays a collection of pictures of the deceased, perhaps with some background music.

I don’t have any special expertise in Video and I didn’t have long to figure it out. If you’re in a similar situation then 1) leave a note in the comments and I’ll pray for your friends family and 2) here are some quick and dirty instructions that will let you be of service.

Gathering input

I received a collection of sixty photos, a few digital pictures, as well as some MP3 files that were some of his Dad’s favorites. I scanned all the pictures in as JPG at 300 dpi and put them in a directory with the MP3s. I used GIMP to crop the photos. I originally left the white borders around some pictures, but later found this created artifacts on the slideshow and re-edited to crop to just the picture. I found the obituary online for some of the details I would need for the title page.

sudo apt install gimp

Creating the DVD

This section isn’t a software recommendation. I wanted something that I could quickly understand and that wasn’t overly complicated to use. I tried a few video editors and quickly picked kdenlive. Even though I’m using Pop!OS Gnome, kdenlive worked fine.

sudo apt install kdenlive

By default, kdenlive shows two video tracks and two audio tracks. I deleted the extra tracks. Right clicking in the resources box (below the file menu) allowed me to import the audio files and an image sequence. The image sequence importer allowed me to bring in a group of pictures in the same format from a single directory. The picture files I received were PNG, so I used GIMP to convert them and then imported the entire set of pictures from the working directory. The image sequence sorts by default to alphabetical order. I had been given the pictures in rough chronological order and numbered them as they scanned, so they were already in the right order and I didn’t have to spend a lot of time. I was lucky, but I definitely suggest that technique if you need to make this on short notice.

The image sequence import allows you to specify how long each picture displays as well. These DVDs are typically played in the background where they provide a distraction to folks in the receiving line and I wanted it to have enough tempo so it wouldn’t be boring. I decided to change photos every 10 seconds and this turned out to be well received.

I created a title by right clicking in the resource box and “adding title clip”. This gave me a PowerPoint-like interface where I could add some text. In this case, I created a simple title with the name, birth date and date of death. It also let me specify how long it would display.

Dragging the image sequence or the title onto the video track (“V1”) blocked off a period of time and labeled it “Image Sequence”. Sixty photos displayed for 10 seconds each gives ten minutes of video, so I dragged out a few more copies of the Image Sequence to fill out the DVD. I left a brief black screen between sequences, then a copy of the title to show the name of the deceased, before restarting the slide show.

Dragging the audio files onto the audio track (“A1”) was a similar process. I simply dragged enough songs to cover the time, leaving brief spaces between. I was able to watch the video and I paid special attention to the transitions to make sure they were clean and not distracting. I think kdenlive will handle fancy image transitions but I elected not to spend too much time on them. I had a day to put this together and the “plain vanilla” transitions were respectful and not distracting.

At this point you can go to Project > Render to compile the ensemble to an ISO file. Here I hit another problem - I don’t have a DVD burner! I have an old laptop running Linux, so I used SFTP to transfer the file to it and used brasero to burn the DVD.

sudo apt install brasero

Last step! I dug out an old DVD player to verify that the burned DVD would read okay. It did and the resulting display looked sharp and clean. I burned a copy for the funeral, and extras for my friend and his siblings.

The Reception

This was a rush job by an stark amatuer, but the result was appreciated by the family. I want to the thank the folks at kdenlive - it’s a slick program, worked reliably, and was easy to pick up. The DVD I made probably was more of a credit to their hard work and gift to the community than to my contribution. That said, this is a doable project. I could see this idea being a nice feature at an anniversary or birthday party, or even at a company Christmas party. If you have the opportunity to be of service in this way, I hope this walk through will be a beneficial introduction.

Tsukae - A tool for graphing command usage

Sat, 06 Mar 2021 22:59:08 -0500

Readers may recall that six months ago I wrote about the most commonly used Linux commands. I had seen a series of articles with that title and decided to see what my most common commands were. I suggested the following as a way to pull command history and count usage.

history | awk ‘{print $2}’ | sort | uniq -c

Tsukae is a much better way to accomplish this task. It’s much simpler and can produce the output in Bar or Pie chart, or as a list. Tsukae is written by Ilya Revenko and can be cloned from GitHub.

Installing Tsukae

Tsukae needs Go to run (apt install golang-go). Once cloned, just go into the directory and build the executable. Tsukae expects a blacklist file to be present at ~/.config/tsukae/blacklist. ~~This may be created automatically in future releases, but I got an error when I first ran the program and so created the file myself.~~

git clone https://github.com/irevenko/tsukae.git  
cd tsukae  
go get -d ./...  
go build   
~~mkdir ~/.config/tsukae  
touch blacklist~~

Update! I posted an issue for the above on GitHub and the author published an update today to fix. I tested it and confirmed it resolved the issue. This is a great example of the power of GitHub - everyone contributes in whatever way they can, and all contributions are appreciated. In my case, by suggesting an improvement and helping test. It’s why I continue to recommend that everyone participate in that community. And thanks again to Ilya!

Running Tsukae

When you run Tsukae you must specify the shell, as well as the number of commands to pull. In the example below, I’ve gotten the top six bash commands.

./tsukae bash 6  
10 Most Used bash Commands  
[255] git  
[148] apt  
[148] cd  
[107] ls  
[74] hugo  
[43] nano

Commands list cd and ls might be uninteresting. Adding those to the blacklist text file will omit them in the future.

Git is a weird command to run most often, but I tend to run it a lot to sync the blog and upload new content. I use the hugo command in development mode at the same time. Tsukae is an interesting insight into how I’m using this computer. It’s not a vital command to accomplish work, but the next time you see one of those “Top 25 Linux Command” articles you can see how closely their list matches yours.

New Project - Testing Every GNS3 Network Appliance

Sat, 27 Feb 2021 17:46:15 -0500

I’m kicking off an exciting new project, and I’d appreciate your thoughts as I get started. GNS3 supports a many different appliances and I’m fascinated by how they work and compare. I’ve supported many of them in my work, but I’d like to build a lab for each one that demonstrated the core functions of the device. My hope would be to produce a reference that would allow folks to quickly gain traction with new equipment. Part of the goal is to directly compare the setup between devices, so the network structure would be static.

I’m proposing three basic topologies to test switching, routing, and firewalling. There will obviously be some limitations to my approach. That list leaves off some appliances categories: endpoints, security tools, NAS, and load balancers come to mind. If this is successful, I’ll come back and explore those in their own environments. I’m also not going to try to teach all the protocols and concepts as I go - this is two fold in that I have to scope this project to a reasonable size and also that

Switching

The goals of the switching lab would be to cover the following key switching capabilities:

Spanning-tree and Rapid Spanning Tree
VLANs
Trunk
Port channel
Intervlan routing (possibly with a router on a stick)
Port security
Management - Telnet, SSH, HTTP, Syslog, TFTP
Authentication - static or RADIUS/TACACS The topology features three switches, but with the redundant connection provides some interesting cases for STP. Spanning Tree, possibly alone on this list, is a requirement for switches. It works so well that a lot of younger engineers don’t even realize the problems that it prevents! The redundant connections can later be used for a port-channel as well. There’s an external router (if the switch being considered is layer 2 only), plus three target devices to work through some VLAN examples. There are some advanced cases that this doesn’t cover, mostly because I want to make these labs accessible for those who don’t have tons of memory. Do you see anything I’m missing?

Routing

The goals of the routing lab would cover the following capabilities:

IPv4 and v6 support
Intervlan and WAN Routing
Static Routing
Dynamic routing - RIP, OSPF, EIGRP, BGP
Access-lists
Site-to-site VPN
Management - Telnet, SSH, HTTP, Syslog, TFTP
Authentication - static or RADIUS/TACACS

Three routers covers most simple cases. It’s important to point out that I’m not attempting to model good designs. I’m trying to create a lab that exercises the most definitive features of each class of devices while using the least amount of memory and processor so that these labs are accessible. One interesting note here - I don’t have a lot of experience with IPv6. But the reason for the challenge is to push ourselves. There’s enough complication here that we can implement a relatively static design with a lot of different tools to see how they differ. These labs will be fun to demonstrate and exercise the different routing protocols. Of course it would be great to have a bigger lab to do things like iBGP and eBGP, but the goal here is to compare the different appliances.

Firewall

Firewalls are pretty straightforward to test. The biggest question is whether we want to go full red-team or just demonstrate configuration options. I chose the latter to be consistent at this stage, but I may come back to them when I’m ready to include Kali and Parrot. Functions to be demonstrated include:

Routing
Bump on a wire
Routing functions
S2S VPN
client VPN
ACL / Policy
Management - Telnet, SSH, HTTP, Syslog, TFTP
Authentication - static, RADIUS or TACACS

I’ve created a repository to house all the lab files and each setup will be a separate directory with instructions.

GNS3 2.2.18

Fri, 19 Feb 2021 14:29:40 -0500

GNS3 2.2.18 was released on February 15th, no doubt to spare our significant others. There are a lot of improvements and bug fixes, but this seems to be an incremental release. 3.0 seems to be shaping up to be the next big release, in the second half of this year.

There are a lot of updates around handling QEMU disks. B-ehlers contributed a patch around creating a QEMU config disk, which could be used by IOS to get a day 0 config. There’s now an option to create a config disk which defaults to Off. There’s a change to prevent QEMU disk interfaces from being set to IDE and setting the default interface type to “none”. There’s also an option to allow cloned QEMU disks to be resized before the node starts.

GNS-GUI gets SSL support, an unused image file was removed, and logic was added to hide the import/export functions whena configfile attribute is empty. You can also edit the config files.

The Server side now includes Web UI 2.2.18. Bugs are fixed around VCPS and uBridge. The API is expanded and Python is updated to 3.6.

I recently wrote about the state of GNS. Be sure to read that article for recently updated appliances. My experience this week with 2.2.18 continues to be solid. The improvements are helpful - particularly the config disk option and the way it supports scripting for the cloud. However, many users will not notice changes.

Should you upgrade?

I recommend upgrading assuming you have a little time to sort out any issues.

My personal experience with GNS3 has been that most upgrades go without a hitch. I usually just go for it, but I’m not typically dependent on GNS3 from day to day. When I have had issues, they’ve been resolvable with an hour or two of concentration. Note that gns3-gui and gns3-server have to be the exact same version. If for some reason you upgrade one, you either have to roll back or upgrade the other.

How do you upgrade?

On Windows, just download the executable and run it. On Ubuntu, sudo apt upgrade. If you have a server VM (and I recommend it), start by getting a snapshot of your current server. I once had a server upgrade go poorly that resulted in rebuilding my VM, so this is a realistic risk. After that, log into the server and you can kick-off the upgrade from the menu.

VHEditor - Visual Studio Code for Android

Thu, 18 Feb 2021 20:07:38 -0500

These days I live in VSCode. I confess to having developed a hardened opinion of Microsoft in years past, but I have been impressed with their work in recent years. O365 runs like a champ in a browser. Teams is a really well done application, which I’ve come to prefer over Zoom and (especially) Webex. But VScode is in a league of it’s own. I didn’t know how much I needed a really well done IDE, but it’s become a must-have.

I use VSCode for writing this blog. There are extensions that make working with MarkUp easy and that facilitate uploading to Github. I use the built-in terminal to execute Hugo commands while I’m working (like hugo server -D to preview articles in a browser). The workspace allows me to move files around or quickly move between files for comparison or editing.

I also use VSCode to write Python (again, with some great extensions). The biggest surprise is that I’ve moved my notes into VSCode. I sync my notes to a private Github repo, so that I can make them available on whichever machine I’m working with. I used to use Simplenote for this, and there’s nothing wrong with Simplenote. But by handling this in VSCode I can consolidate tools.

I am going to do some traveling and it occurred to me that I didn’t want to lug a laptop. Wouldn’t it be cool if I could use my Kindle HD for VSCode? I already travel with the Kindle for books, and VSCode would fit in the 8" display. It seemed possible, but looking through the Google Play store didn’t turn up a Microsoft VSCode app.

That’s when I stumbled on VHEditor. But the story goes a little further back to two other projects I’ve been watching with interest: VSCodium and Code-Server.

VSCode is mostly open source, with some “special” parts added onto the FOSS bits. Microsoft add telemetry, the gallery, a logo and other pieces. VSCodium takes the open pieces and compiles a clean version with no telemetry. The downside is that Microsoft prohibits clones from accessing the VS Code Marketplace, which means that some extensions you need aren’t available. An open Marketplace is available at open-vsx.org, but not all extensions are published to that service yet. For me, the Github extension I use is an issue, so I currently use the original MicroSoft version. But I like VSCodium and have used it a lot.

Code-Server takes the same source code and produces a web version. I don’t have a use-case for Code-Server currently, but it seems like a fascinating idea. All of this brings us back to VHEditor.

VHEditor takes Code-Server and Termux and creates a space in the Android OS for this to run. There’s a terminal that works and code-server is running locally. Basically, when you run VHEditor, it starts Code-Server and accesses it via a loopback address. VHEditor runs pretty well on my Kindle HD - paired with a small bluetooth keyboard, I can definitely use this to write notes and blog posts. I have cloned multiple repositories down to the Kindle.

It feels like there are some kinks to work out. You use “pkg install git” on the terminal to setup Git (there’s a note about this on GitHub), and that format makes me wonder if it’s running in a BSD container. Also, the first repo I cloned worked straight from VHEditor. The second required me to git clone from the shell. Still, the result is not only usable but useful.

I’ve expressed the opinion that the secret sauce in IT right now is Git + Python + WebAPIs. VSCode has become this tool that fits into that mix of products perfectly. VHEditor allows me to bring that all the way down to my tablet and is definitely worth a look.

If you are familiar with VSCode, you know there’s a lot of things on the screen. I have a large phone, but I just don’t see this being useful on a display below 8". You are also really going to need a bluetooth keyboard, especially to use any of the key combinations. The app is currently sitting at 3 1/2 stars - I read through the reviews and the issues I see relate to unfamiliar or less technical users. Be prepared to put a little thought into it, but I recommend checking this out.

GNS3 Update for February, 2021

Thu, 11 Feb 2021 07:03:01 -0500

The GNS3 project continues to see regular updates, even though we haven’t see a release since December. I check in on the project periodically and I’m going to make updating the status a regular feature of the blog.

State of 2.2.17

The current release has been stable in my personal testing. I use if for all kinds of things, including VMs, containers, and networking out to my physical topology. A review of the issues reported in GitHub shows 15 bugs reported, with several related to Big Sur. If you have a new M1 Mac, you might want to run the GNS3 VM and use the Web UI. The M1 is new and I’m hearing reports of software being ported every week, so give this a little time.

New and updated appliances

In the appliance space, we’ve seen steady activity.

Cisco IOS-V was updated to include 15.8.3
EXOS was updated to 31.1
OpenWrt was updated to 19.07.6
Ubuntu Cloud was updated to 20.04
Vyos was updated to support 1.3

Puppy Linux

Puppy Linux was added. Puppy is a little weird - it’s not really a distribution, but a collection of installers from other distros that have been customized by the Puppy system (“Woof-CE”) and that adhere to a philosophical consistency. The GNS3 installer includes builds around three versions of Ubuntu - the latest version is “Focal”. Puppy Linux builds are generally known to be small but have the tools you need built in, and to run well on older hardware. This makes it a good fit for GNS3 where we want to have VMs in the network to use as clients or servers and where we are sensitive to overhead (especially when topologies get complex).

OpenMediaVault

OpenMediaVault is a NAS server that supports SSH, S/FTP, CIFS, and other types of file access. NAS services are an important part of corporate network environments and this provides a great opportunity to explore those services. Corporate data centers tend to focus on Exablock, Equallogic, or NetApp (or similar solutions from VMWare or Cisco), but those aren’t represented in GNS3. Build your own NAS has focused on FreeNAS for a long time. If you are just wanting a stand-in to test with, I’d recommend using FreeNAS. However, OMV is a newer option and it’s nice to have a choice. One of the big differences is that FreeNAS is based on FreeBSD and OMV is based on Linux, which may make it more accessible for some users. The current version of the appliance in GNS3 is 5.5.11.

Won't you be my Neighbor?

Tue, 09 Feb 2021 18:33:05 -0500

Cisco devices have long had the Cisco Discovery Protocol (CDP). CDP is a data link layer advertisement that is periodically broadcast (every 30 seconds). Devices can listen and build a list of directly attached “neighbors” that includes critical information like the name, IP, type of device, and the port attached. Other vendors developed their own protocols, including Nortel, Foundry, and Microsoft. This information can be useful, either to familiarize yourself with a network or to communicate network information between systems.

ARP for Network Discovery

PCs don’t typically support CDP, but you can do get some of this information by looking at the ARP table. All network communication takes place at layer 2. When a device wants to communicate with another local device and only knows it’s IP, it uses the Address Resolution Protocol to send a data-link layer broadcast asking “Who’s using this IP?”. The response is a MAC address. This is easy to see using Wireshark, especially if you can place your network card in promiscuous mode, so if you’re unfamiliar with the process take a look!

We can inspect the ARP table to see a list of other local systems on our network. There are three problems with this - first, the arp command is slow. Second, this will only show things that have communicated with your PC recently. You can use some type of broadcast to try to goose other devices to identify themselves (i.e. ping 192.168.0.255). Third, the devices only identify their layer 2 and 3 addresses so we don’t know much about them. The command below shows the arp command on Linux, but parallel commands are available in every operating system and network device.

pop > pop-os > ~ > $ >  __arp__  
Address              HWtype    HWaddress    Flags Mask             Iface  
_gateway             ether    0c:8d:db:8f:60:c0   C      enp0s31f6  
192.168.25.50        ether    00:0c:29:19:61:6d     C      enp0s31f6  
vcenter.stewart.tc   ether    0c:ee:99:81:23:03   C      enp0s31f6  
192.168.25.5         ether    00:0c:29:9d:a2:38   C      enp0s31f6  
192.168.25.4         ether    96:ee:a6:5d:30:ec   C      enp0s31f6

A slightly more useful command for discovering devices on the local network is ip neigh. This gives the same information but is much more responsive. It still depends on the target having been in communication recently.

pop > pop-os > ~ > $ > __ip neigh__  
192.168.25.1 dev enp0s31f6 lladdr 0c:8d:db:8f:60:c0 REACHABLE  
192.168.25.50 dev enp0s31f6 lladdr 00:0c:29:19:61:6d STALE  
192.168.25.3 dev enp0s31f6 lladdr 0c:ee:99:80:00:03 REACHABLE  
192.168.25.5 dev enp0s31f6 lladdr 00:0c:29:9d:a2:38 STALE  
192.168.25.4 dev enp0s31f6 lladdr 96:ee:a6:5d:30:ec REACHABLE

You could achieve something similar with nmap as well. Running a command like nmap 192.168.0.0/24 will identify all the devices that respond locally and which ports are open on each of them, but it’s not happening automatically. NMAP takes a while to run, which makes it less practical, plus it will raise alarms if your network is monitored to any extent.

Link Layer Discovery Protocol (LLDP)

Link Layer Discovery Protocol is a vendor-neutral version of the CDP concept. Like CDP, LLDP advertises identity and capabilities. It can be used to communicate Power over Ethernet capabilities or requirements as well as device location. Information gathered by LLDP is stored in the SNMP device management information Base (MIB) and can be queried using SNMP tools. Most networking equipment either runs LLDP or allows it to be used.

LLDP can be enabled for Ubuntu derived Linux servers using the lldpd package. It uses snmpd, so install that at the same time.

sudo apt install lldpd snmpd  
sudo service lldpd status start  
sudo service snmpd status start  
lldpcli

Once installed, use the lldpcli command to enter an LLDP command line interface. From the prompt, type show neighbors to list the discovered devices. In this example, I can see that I’m connected to a Cisco Meraki switch on port 6. LLDP can also be enabled with the -c flag to produce CDP packets.

[lldpcli] $ __show neighbors__  
\-------------------------------------------------------------------------------  
LLDP neighbors:  
\-------------------------------------------------------------------------------  
Interface:  enp0s31f6, via: LLDP, RID: 1, Time: 0 day, 01:50:10  
Chassis:       
 ChassisID:  mac 0c:8d:db:80:72:3e  
 SysName:    MS220-Switch  
SysDescr:   Meraki MS220-8P Cloud Managed PoE Switch  
MgmtIP:     192.168.26.3  
Capability: Bridge, on  
Port:          
  PortID:      ifalias 6  
  PortDescr:   Port 6  
  TTL:         120  
Unknown TLVs:  
  TLV:         OUI: 00,18,0A, SubType: 1, Len: 4 00,F6,40,25  
\-------------------------------------------------------------------------------

Who cares?

“Why” is always a useful question - I’ve always found that people who understand something embrace the opportunity it presents.

So, why bother with LLDP? It’s really going to be most useful to network support people. Putting this on my laptop allows me to quickly get my bearings on a network as I relocate. I can identify the port I’m attached to either from the PC or from the switch side. It may sound mundane, but just understanding the port is a lot easier than tracing cables! Pentesters can use it for reconoitering. As always, use your power for good!

Linux Install Script

Sun, 07 Feb 2021 10:32:29 -0500

I install Linux pretty regularly. Sometimes I’m setting up a new server instance, sometimes I’m deploying it to new hardware. Many times I’m doing a clean install on a new release. Very often, I’m reinstalling my workstation because I want to try a new flavor. Whether you are a distro-hopper or just need to handle Disaster Recovery process, installing Linux and customizing it to fit your particular needs can take a half day or more.

In addition to the time, installing requires you to make sure that you bring critical applications forward, attach to required printers and servers, and put expected security elements in place. It’s easy to forget a step. If you haven’t done it in a while, it’s difficult to remember how to handle a step.

That’s why years ago I started building an install script. These days my I keep it in a private Github repository. When setting up a new instance, I just grab the repo and run script. For the record, it still takes a while, but I don’t have to babysit it.

Creating a private GitHub Repository

Login to Github, go to the Repositories tab and click new. Give your repository a name and select “Private”. If you have an existing repository, go to the Settings tab and scroll to the bottom where it says “Danger Zone”. There’s an option to make the repository private. Not everyone makes their install script private, but I worry about revealing details of the programs I use, internal resources, or paths.

Private repos are also good for personal notes and documentation. I used to keep notes in Simplenote, but now I use Visual Studio Code and a private repository. I like having everything I need to reference in my Code workspace. You could also use a private repository for documentation, with a slick pandoc CI process to build EPUB or PDF versions that you deliver (see my article). I used to use Scrivner for writing, but you can setup a similar workflow using Visual Studio Code and Github.

Building an Install Script

Nope, I’m not going to share my install script. As I said before, it’s private. But let’s talk about what’s in it and how it’s built.

#!/bin/bash

First, it specifies the execution environment. Not all versions of Linux use bash as the default shell for scripts and that other environment may not support the commands I use, so I want to nail this down.

echo "Install some cool essential tools ============================"  
apt update  
apt upgrade -y  
apt install traceroute nmap snapd flatpak htop net-tools gconf2 hugo git geary unzip -y  
apt install vlc filezilla pithos pdfshuffler thunderbird wireshark -y  
apt install gigolo gvfs-fuse flameshot network-manager-openvpn network-manager-vpnc -y  
apt install network-manager-openconnect network-manager-pptp network-manager-openvpn-gnome -y  
apt install network-manager-vpnc-gnome network-manager-openconnect-gnome network-manager-pptp-gnome -y  
apt install python-software-properties libkf5globalaccel-bin libfreerdp-plugins-standard network-manager-applet -y  
add-apt-repository ppa:graphics-drivers/ppa -y  
echo "Setup Profile Sync Daemon https://github.com/graysky2/profile-sync-daemon"  
#https://github.com/graysky2/profile-sync-daemon  
sudo apt install profile-sync-daemon  
systemctl --user enable psd.service  
systemctl --user start psd.service  
apt update  
apt upgrade -y

Next, I install a bunch of stuff that I want on any machine I use. For instance, why isn’t traceroute included in everything? Other common pieces include:

Networking and Security tools like nmap, htop, filezilla, and wireshark. Gigolo for mounting drives.
VPN support (that’s the network-manager stuff)
I’m agnostic on packaging, so I install support for snaps and flatpaks
and finally some applications I really like (hugo, pithos, vlc, pdfshuffler, and flameshot)

Notice that I break the installs into groups - this makes it easier to track down problems if they occur. The “-y” at the end answers “yes” and allows the command to continue without waiting for a response from me. Some of the things I install are already present, but they’re not present on all distros so specifying the tools I want just makes sure that they’re there (if they’re already installed, apt just skips them). A special word about Profile Sync Daemon, since not many folks have heard of it. This puts the browser profile into a ram disk and speeds up the browser.

Fixing the Terminal

I wrote about the Powerline shell a while back. Since I started using it, I hate to be without it. Powerline depends on having an appropriate font and I use JetBrainsMono. Finally, I prefer Tilix to the default terminal. This sections makes all those things happen.

echo "Fix terminal ===================================================="  
pip3 install powerline-shell  
wget https://download.jetbrains.com/fonts/JetBrainsMono-2.225.zip  
unzip JetBrainsMono-2.225.zip  
cp -R fonts /usr/share/ -r  
fc-cache -f -v  
apt install tilix -y  
echo 'function _update_ps1() {  
    PS1=$(powerline-shell $?)  
}  
if [[ $TERM != linux && ! $PROMPT_COMMAND =~ _update_ps1 ]]; then  
    PROMPT_COMMAND="_update_ps1; $PROMPT_COMMAND"  
fi' >> /home/brent/.bashrc

Note that I’m using an echo to give some feedback about where we are in the process. I download the font, move it to the correct directory, and update the font cache so it’s usable. The rest of this downloads Powerline and sets it up, plus grabs Tilix.

echo "Cleaning up................"  
rm JetBrainsMono* -f  
rm -rf fonts  
\## Reminders  
echo "Set JetBrains Mono as terminal font"

At the end of the script, I have a clean up section and remove the Font files that were left in the install directory. I don’t know how to programmatically tell Tilix to use JetBrains Mono in it’s default profile (help!), so I just remind myself to do that.

Option stuff

I have a series of sections for handling optional components. The first three optional sections are almost always turned on: the Firewall, Neofetch, SSH and NFS.

The structure of these loops is a for statement terminated by done. Since the conditions of the for are empty, it will loop continually until told to break. Pressing a “y” or “n” executes some logic and breaks, any other key causes it to loop again. I’m not sure this is the best way to do it, but it works. In Bash, watch the spacing around the brackets and parentheses because it is required!

for (( ; ; ))  
do  
echo "Would you like to enable the firewall (y/n)?  "  
Read VAR  
if [[ $VAR = "y" ]]  
then  
echo "Enable Firewall"  
ufw enable  
break  
fi  
if [[ $VAR = "n" ]]  
then  
echo "skipping............."  
break  
fi  
Done  
for (( ; ; ))  
do  
read VAR  
if [[ $VAR = "y" ]]  
then  
add-apt-repository ppa:dawidd0811/neofetch -y  
apt-update  
apt install neofetch -y  
echo "neofetch" >> /home/brent/.bashrc  
break  
fi  
If [[ $VAR = "n" ]]  
then  
echo "skipping............."  
break  
fi  
done  
for (( ; ; ))  
do  
echo "Would you like to install SSH and NFS (y/n)?  "  
read VAR  
if [[ $VAR = "y" ]]  
then  
echo "Setup SSH and nfs ==========================================="  
apt install openssh-server sshfs fail2ban nfs-kernel-server nfs-common -y  
systemctl start fail2ban  
systemctl enable fail2van  
echo "/[sshd]  
enabled = true  
port = 22  
filter = sshd  
logpath = /var/log/auth.log  
maxretry = 3" >  /etc/fail2ban/jail.local  
break  
fi  
if [[ $VAR = "n" ]]  
then  
echo "skipping............."  
break  
fi  
done

The next sections are things that I would usually want, but not always. One example is KDE Connect - on Gnome I use the Gnome Connect extension and don’t need to load it. Other critical tools that I present as an option to myself include:

GNS3
X2Go
Remina
Foliate
VSCode
Chromium
Node-Red
Signal
Printer drivers

This isn’t a perfect script, but the structure allows me to re-run it as many times as I need to and skip the sections that are already installed. The biggest issue is that new versions (like 21.04 when it comes out in a few months) typically aren’t represented in PPAs. The fix is to specify an older version to pull from, but that’s not automated. Still, this speeds up the process and takes less of my time.

Drive Mapping

Another major piece missing here is drive mapping. I typically mount foreign drives using either NFS or SSH. Although my script pulls in SSH and NFS utilities, it doesn’t actually connect shares. I’ve chosen to leave that out and create a separate file for doing that. This is easier to maintain, and there are cases where I want to rerun the mappping file without all the other installs.

One of the things that makes it so easy for me to stand up new machines or to distro-hop is that all my files are saved onto a central server. I have an Ubuntu Mate install that just acts like a big file share. This also simplifies backup, since I can concentrate on one server. The files on the workstations are all transient.

So . . .

That’s the deal. I can run this script, make a few selections, and be up and running on a new machine pretty quickly with minimal effort. I’m tried to show some examples of different kinds of installations, including web downloads and apt-based. The basic structure is 1) Must Haves, then 2) Optional components encased in loops for easy selection, and 3) a clean-up section.

I’d love to include VSCode extensions, Gnome extensions, and auto-checking for PPA support into the script. If anyone has a good refence, I’d appreciate it. In the meantime, this automates 90%. Good luck creating a similar project!

Deskreen

Mon, 01 Feb 2021 13:43:09 -0500

Deskreen is an open-source utility that allows you to send your Windows, Mac, or Linux desktop onto another screen, including another computer, a tablet, or even a phone. It can duplicate an application, duplicate an entire display, or extend the desktop and treat the other computer as an additional monitor.

Deskreen outputs your display to a webpage with an embedded video. Running the application prompts you to choose an application, existing display, or new display. It then displays the produced webpage in text and with a 2D barcode. The page, when opened on a separate device, allows you to play the video stream.

Testing Deskreen

An easy scenario to imagine would be using a tablet as a second screen for a laptop sitting in a coffee shop. I tested exactly this setup using PopOS! on a 3rd Gen i7 and a Fire HD 10 9th gen tablet. I downloaded Deskreen from Github as a DEB and installed it. In order to fool my laptop into thinking it should produce a second screen, I bought HDMI dummy plugs. I used Deskreen version 1.02 and 1.03 while testing.

Once running, Deskreen produced a barcode that I was able to scan from the tablet and use to connect to a webpage. You can manually type in the link, but it’s long and it’s randomly generated each time the app start sharing. I clicked a button on the web page to register. Back to the PC, where I accepted the connection and chose the output.

The new display was initially set to the same as my main screen - 1920x1080. The video was down-converted, but everything was too small to be usable. I used the display options in PopOS! to adjust the size to 1280x720 and this created a very usable display. The new screen is responsive, with maybe barely a touch of latency similar to using a low-refresh-rate monitor. I imagine that the quality and usage of wifi will impact this, but I wasn’t able to test that scenario.

Just for fun, I sent the settings app to my phone at the same time. Running two displays didn’t seem to bother the PC. I left the webpage running on the tablet for hours and battery life on the tablet seemed surprisingly good. I think I could run it for a full day (or more) without having to charge the tablet.

Conclusion

I could imagine a variety of cases where this could be useful.

Extra screens
sharing screens for troubleshooting
connecting to smart TVs or displays

The developer, Pavlo Buidenkov, has an excellent set of directions about using Deskreen at deskreen.com. He also mentions that he’s hoping to find developers to collaborate with, so check it out!

For me, this utility works well and fills a niche in my toolset. It will be a part of my standard build from here on out!

How to Plan Good Downtime

Tue, 26 Jan 2021 20:18:24 -0500

In another blog, planning downtime would involve tropical pictures. Sigh.

Downtime

IT downtime is a period when IT systems have a planned outage. These periods are negotiated with internal and external stakeholders and communicated so that no one is surprised by the lack of availability. During this time, changes take place to improve performance, enhance reliability, address security concerns, or add features.

It is a good idea to have a recurring scheduled downtime at least once a month. Most organizations sync their downtime to “patch Tuesday”. Microsoft, Oracle, and other big organizations release patches on the second Tuesday each month. Since there’s a good chance that something in an environment will need to be patched and this leads to a disruption, it’s a good time to do other changes as well.

Sometimes changes must be deployed to react to events. In those cases the process is hastily put together and it’s more critical to have a clear idea of how to structure that time.

Checklist for Good Downtime

A six step process for thinking it through.

Plan testing
Communication Plan
Build a Script
Recognize Risks
Negotiate Window
Make the change!

Plan Testing

There’s an old adage to “start with the end in mind” and that’s appropriate when planning changes. Start by thinking through what should be tested to confirm success and how it will be tested.

Circulate that testing plan within the parties of interest and allow them to modify the tests. There are cases where a change passes testing but problems are later revealed. In such cases, you will always be asked “Didn’t you test for that?” Having those other folks review the testing plan provides space to skip the blame game in those cases and focus on restoring service.

How does this apply to “emergency” changes? Build a “Crown Jewels” testing list. These are the critical services for your organization. Any testing plan should include these tests, but in a pinch this can serve as a base level set of tests.

You’ll want to automate these tests as much as possible. Automation allows you to easily re-run the tests many times as you make adjustments. “Ping scripts” are a good place to start, but be creative (for instance, wget can serve to test browsing). Finally, make sure to include testing of monitoring. If you expect alarms when a redundant power supply fails, test that. When you make a change, confirm that your change didn’t interfere with critical monitoring.

Communication Plan

With a testing plan in place, the next step is to build a communication plan. Who should be updated, how should they be updated, and when or how often?

Updates need to go to your management, the equipment owners (internal or external), and the group that is dependent on the service. Generally, updates to users should be to the point and limited to how the change impacts their use.

Updates should be sent at critical points in the process:

When the change is proposed
At the beginning of the change window
If the change needs to be backed out, when that decision is made
When backout is complete, if applicable
When the change is complete

Keep in mind that your change may impact your ability to get to corporate directories, phone systems, or email. Make sure you have a way to communicate with this group that is not dependent on things affected by the change. I usually use corporate email as the primary path, but have cell phone numbers “just in case”.

Another aspect of communications is setting up the time for the change, getting it on people’s calendars, insuring they can participate, and publishing the meeting information.

Build a Script

A downtime script can be as simple as a spreadsheet. It needs to have columns for description, time, and responsible party. Each row describes a task. The time column tells the clock-time when that task should be complete.

Having a script allows the team to do a walk-through and to be aware of what others are doing. It makes it easier to coordinate and easier to track whether things are progressing as expected.

This process also applies to the backout script. Understand how the change will be unwound, roles, and make sure you preserve adequate time to accomplish it.

A word on time estimates - they’re going to be wrong. Stuff always comes up. Still, a good faith estimate of each step helps you to get a sense of where things stand relative to expectations at any point.

Recognize Risks

Recognizing risks in a change allows that risk to be communicated to stakeholders so that it can be accepted by those impacted. Anticipating likely scenarios also provides opportunities to mitigate.

Is there a risk of disconnection to a remote facility? Plan on having someone on site or available.

Is there a risk that an upgrade doesn’t work? Have a backup.

One risk that isn’t often discussed is the risk that comes from asking your family to tolerate your work schedule. As you prep for the activity, take some time to be at home (awake, alert, and agreeable) and spend time with them, especially if your work means that you have to be up all night Saturday night!

Negotiate Window

Changes take place within a window. This period of time needs to be agreed upon by everyone, short enough to minimize the disruption for users and long enough for the IT team to complete it’s work with quality.

One question that needs to be asked - what happens if the work isn’t complete by the close of the window? In other words, is it a “hard window”? Unless otherwise advised, assume that it is.

Take the time estimate from your script (above) and apply a “confidence” factor of between 50% and 100%. In other words, if the script calls for thirty minutes, assume it will really take between 45 minutes and an hour. This helps to account for the unknown but inevitable stuff that pops up when working. Adjust your confidence factor over time as you gain insight into task complexity, team competence, and your ability to estimate.

Next, make sure that a third of the time is for backout. This is time to work through the recovery process if the change goes awry. For a half-hour change, we’ll budget an hour for implementation. If at the end of the hour it’s not done, we immediately go into backing out the change so that we’re done within an hour an a half. And that’s the right period of time to ask for - 300% of your estimate. Unless you can get more.

Seriously though, this drop-dead time to begin backout is crucial to being able to have integrity about honoring the window. IT folks are always “5 minutes!” away from fixing things and can easily get lost in a spiral without maintaining discipline about when the backout has to begin.

Make the Change!

Finally it’s time to make the change. Ask everyone to arrive early and join the conference. Make sure that backups are up to date and configurations saved before beginning. Also before beginning, run the test script to make sure that all elements are working before the change to prevent confusion afterward. If the change is a group exercise, it is usually a good idea to have one person act as tracker. In addition to making sure that the team is ready to begin backout at the right time, the tracker can check off items as they are accomplished, recognize any slippage, and suggest strategies to keep things moving.

It’s a good idea to communicate to stakeholders at the beginning of the window.

Run the test script again when things are complete (win or lose). Each script run should produce output, which can be saved, in case there are questions afterward.

Finally, communicate to stakeholders when things are complete.

I realize the process is complicated, but it encompasses years of hard-won ideas. Each point has a story about the incident where it was learned. However, well planned exercises run smoothly and feel like a victory lap, making all the effort worthwhile. I sincerely hope that this helps you to move swiftly past these learning experiences and on to greater success!

Eternal Terminal

Mon, 25 Jan 2021 12:43:51 -0500

Eternal Terminal acts like ssh - you start a console session on a remote device by typing et username@host and it connects. ET adds to ssh by allowing reconnects.

A lot of ssh sessions are short affairs - login, put in a few commands, get some output, logout. If the session is interrupted it’s not a big deal. Occassionally, however, it’s important to stay connected for a period of time.

In a past life, I used to have to run reports against a database at the data center. The script I used took a while and any interruption meant starting over. Eternal Terminal wasn’t around at that time, so I solved the problem by deploying a jump server and I could connect to it using x2go and start the session from there. I could disconnect and reattach later

That solution required a dedicated VM, which requires some money. It wasn’t a bad solution, but it didn’t really address the underlying problem.

With et (Eternal Terminal), a disconnected session is maintained. The server continues processing and the client can continue to accept keyboard input. When the connection is re-established, the environment is still in place. Frankly, for day-to-day use you won’t see much difference between et and a normal SSH session. If you have workflows that require long-duration connectivity, this could be a great tool.

Et uses SSH for the initial connection and to exchange keys. Authentication is handled by SSH. Once the session is established, et sets up a console.

Installing and Using

To use et, both the client and server must have it installed. Eternal Terminal can be installed on Ubuntu from the archives:

sudo apt install et

Usage is just like ssh, except that if a username is not specified it is assumed to be the same as the client.

et brent@10.1.1.100

Eternal Terminal survives roaming, rebooting, and disconnection. A simple way to try it out is to disconnect your network card and reconnect.

Diagrams on Linux

Thu, 21 Jan 2021 17:42:48 -0500

The articles I post generally start out as a way to share something I’ve learned through years of experience. Less often, they are a way to share something that I’m researching currently. This one started out as a way to share with you how much I rely on Lucidchart and to recommend it, but in the course of reviewing options it became a way to share what I’ve learned.

I thought that options for creating diagrams on Linux were few and most of them were poor. What I found is that now (2021!) there are several good options and that all the tools have matured. I reviewed Creately, Dia, Draw.io, GNS3, LibreOffice Draw, Lucidchart, Pencil, SmartDraw, Visio, and yEd. About half are desktop applications and the other half web applications.

Diagramming Software

Diagrams are an essential part of IT. IT teams suffer with poor and out-of-date documentation and the biggest impediment to compiling it are usually the effort required to write and maintain. It’s also true that not everyone in IT enjoys writing.

Diagramming software solves this by allowing complex architectures to be summarized visually. Diagrams can pack a lot of detail, can be quickly understood, and relevant information is easily accessible. In short, being able to produce a clean diagram is a job requirement.

Diagramming software is different from “drawing” applications like GIMP because it includes icons that can be quickly placed on a page and connected, along with basic shapes and annotations. These shapes are layered, so you can bring one into the foreground, and the connecting lines are anchored to shapes so that the line endpoints move as shapes move. This workflow allows the production of well produced pictures with a minimal amount of effort.

The de facto standard here is Visio. Many of us have to exchange diagrams in a team, and for those folks, being able to import and export in Visio format is critical in the same way that any word processor should be able to work with *.DOC files.

Evaluation Criteria

My most typical use of this software is to produce network diagrams. Other common diagrams for me include flowcharts, swim lanes, and org charts. For purposes of this review, I’m focusing on network diagrams.

Each program was evaluated based on the following criteria. These are listed in order of importance.

Visio Import/Export
Stencils available and easily expandable
Output to PDF, HTML, and standard graphics formats
Easy annotation and supported hyperlinks

Desktop Applications

This group includes Dia, GNS3, LibreOffice Draw, Pencil, Visio on WINE, and yEd. The default answer for many of us is Visio, but this recent review shows progress in the open-source competitors.

Visio

Visio is the standard, but it’s not made for Linux. I’ve been able to run 2010 using WINE without issues and 2013 with a little finessing. The current version (2019) is a little too automated for my taste - it keeps trying to guess what I want and gets in my way.

Visio checks all the boxes. It is compatible with Visio, obviously (with the cavaet that the new VSDX format is not supported). It has plenty of available stencils and most manufacturers produce their own additions. Visio will output to a ton of formats, including PDF and HTML. It is easy to annotate and you can create hyperlinks straight from icons (I have created links so that clicking a router opened a PuTTY session).

Cons for Visio are 1) it’s running under WINE, 2) you can’t run the later versions (but the 2010 and 2013 are plenty good), and 3) it’s expensive. Currently $270 from Amazon.

GNS3

I included this as a lark because I recently wrote about creating hyperlinks in GNS3 and realized it could be used for this purpose. If you want to try this out, take a look at GNS3 HyperLinks. This is free and there are some good diagram primitives you can use, but it doesn’t work with Visio. Annotation and linking is fairly easy. Not great for this purpose, but it does work in a pinch!

For me, this can work very well for my home network. I’m not interested in exchanging it with other users, and it allows me to build a “live” image of the physical network outside the virtual GNS3 world. The two networks meet sometimes when I connect to the Internet or use a service like syslog.

Diagramming isn’t really what GNS3 is designed for and this probably isn’t the tool you’re loooking for.

LibreOffice Draw

LibreOffice can import Visio files, but can’t export. The importing sometimes has errors - items that aren’t placed correctly or dimensions that are changed. In my opinion, this is an okay way to view and print more than a serious tool for creating. Even in the case of importing a picture into a text file, I’d export a PNG from something else to import into LibreOffice before trying to mess with Draw.

Pencil

The Pencil project was something I used a few years ago and it showed a lot of promise. I remembered it and tried to include it in this review. If you are interested, grab executables from GitHub.

I messed around with compiling and tried the executable, but had issues with it running. It now starts, but never displays a window. It looks like there is active development, so I probably just tested at the wrong point. Nonetheless, I got tired of messing with it and never did get a chance to try it.

yEd

yEd exists as several editions - there’s a desktop version, a web version, and one designed to work with Confluence (Graphity). yEd is offered free, except in the Confluence tie-in model. This is a powerful and easy-to-use Java-based tool. The biggest knock on yEd is it’s inability to use Visio drawings or stencils. You can export to PDF and HTML though. I haven’t figured out a way to do Hyperlinking and you have to deal with a limited set of graphics primitives.

However, if you have simple diagramming needs this is an awesome tool. yWorks has provided a real service to the community by making this available for free. I’ve used it over the years and it’s always been solid.

From my perspective, it’s not as mature as other options but the price is right and it’s worth considering.

Dia (http://dia-installer.de/)

I haven’t used Dia as much - the last time I looked at it I was disappointed. Since then it’s added some support for Visio VDX files and a wealth of new templates. The interface has a much more solid feel and it is much easier to use.

I was able to quickly put together good-looking diagrams and came away impressed and appreciative about what the team has produced. That said, I had trouble importing and exporting Visio files when I tested. Annotation was less developed than Visio or Lucidchart - text couldn’t be rotated, icons couldn’t be labeled. I couldn’t create hyperlinks and I couldn’t import stencils.

This is a much improved project and it’s obvious they’re on the right track. For professional use, I don’t think it’s on the Visio or Lucidchart level. As a free application that is native to Linux, it seems great for more casual usage and bears further watching.

Web Applications

This group includes LucidChart, Draw.io, Creately and SmartDraw. Like the desktop category, significant work has been done here and there are new and exciting options.

Lucidchart

Lucidchart is a web service, using HTML5 and Javascript. Although it’s not technically written for Linux, it works well with most browsers.

I’ve had very good success with Lucidchart and I think it is on-par or better than Visio. It can import and export Visio files and stencils and can work with a variety of formats. It has superior features for annotation and you can easily create hyperlinks. There are a ton of stencils and templates. Lucidchart sends out an email each month that walks through example uses - I’ve picked up a lot of ideas from reviewing these emails.

You can use it for personal use for free. The individual plan includes a gigabyte of storage, includes tags and grouping, and unlimited objects. There are also team plans with more storage and a few more features. Lucidchart is a little cheaper than buying Visio and upgrading it every few years if you subscribe to an individual plan.

After a year of using it, I have come to appreciate Lucidchart more than Visio. I’ve even come to enjoy that it’s online, because this makes it easy to access my diagrams wherever I am. I particularly like the database/flat-file import option and find the annotation tools more flexible than Visio. The website is responsive, even over moderate links.

The con here is that you have to be online and it’s running in a browser, but ubiquitous access can also be a plus. Lucidchart has a free option, but an individual account is $9.95/mo or $108 per year.

Draw.io

Draw.io, like Lucidchart, is a webapp. It was another surprise in this recap. Since the last time I tested it, they’ve improved the Visio support so that it’s now possible to import and export! It’s a little rough because connections don’t flow smoothly and the layout is not precise, but it’s close and a very valuable addition.

Draw.io is responsive online and it supports real-tiome collaboration. You can save your work to a cloud provider or you can download it locally. The Visio support is a work in progress, so you can’t import stencils, but I could imagine working around that by importing a page with all my objects on it. The built-in stencils are horrible.

Draw.io allows hyperlinking to objects and annotation is easy to add and format. On the whole, it’s a rougher but similar experience to Lucidchart.

If you do occassional diagrams and don’t want to spend money, Draw.io is a very solid choice. Be prepared to do a little extra work, but it is sufficient.

Creately and Smartdraw

Creately and SmartDraw are web SaaS packages. Both have free trail accounts available. Smartdraw personal accounts run $9.95 and Creately is $4.95 per month. Creately seems more limited in file formats, but interestingly has a desktop version available for Windows, Mac, and Linux. SmartDraw has the ability to import and export to major formats, including Visio. Both include stencil sets that are comprehensive and SmartDraw has a facility to import Visio stencils.

I tested Creately online and it’s quite good. The connectors worked really well and flowed in a visually attractive way. There was a full set of built in stencils, but I didn’t find any import features. The lack of Visio import and export is a big deal. I’m curious if that is resolved in the paid or desktop versions, but I was unable to verify that from the website.

I used SmartDraw for some sample diagrams. It seems well-built and easy to use, but I had trouble getting the connectors to work. It supports hyperlinking to objects and annotation was easy, but less flexible than Lucidchart.

My impression of SmartDraw was that it was responsive and fully featured, and I’m open to using it more. It felt a little less capable than Lucidchart, but that may just be that I’m much more familiar with Lucidchart. Worth checking out.

As for Creately, I was also impressed and some features seemed more developed than SmartDraw, but the lack of import/export features would limit my use.

Conclusion - Lucidchart

If you are producing diagrams as part of your job, I would opt for Lucidchart. It seems to be the most mature option and it uses being a SaaS product to it’s advantage to make this information available across platforms and for collaboration within a team. It started as a Visio clone, but it’s mature enough to start forming an identity of it’s own and I prefer it. On Linux, this is an obvious option.

If you need to create diagrams, but you don’t need to share them (except as PNGs or such) then consider Dia. This is especially true if you want to use FOSS or want to use a local application. There are a lot of honorable mentions here - SmartDraw and Creately are at an analogous stage, Draw.io and yEd are free.

All told I’m very encouraged by my findings. This has gone from a sparse set of options that involved compromise to a rich group of choices that are starting to differentiate themselves.

Adding Hyperlinks to GNS3 Topologies

Wed, 13 Jan 2021 21:28:17 -0500

GNS3 is great for simulating networks, but what happens when your lab needs to include devices outside GNS3 (like physical hardware)? Wouldn’t it be nice to include hyperlinks to “real” assets in the GNS3 diagram? There’s a way to do this!

Adding Non-GNS3 Devices To a Topology

Let’s think about the things that might be interesting to add to a GNS3 topology . . . the home firewall, switch, server. You could even imagine adding IoT devices to the diagram and controlling them from a GNS3 appliance.

For this demonstration, I’ve built a simplified view of my home network. I have a Meraki stack - an MX64 Security Appliance (“Firewall”), an MS220 switch, and some MR33 access points. To make this a little more interesting, I’ve including my ESXi server.

To add a device, drag a “cloud” appliance into the topology. Right click the cloud and change the symbol. For instance, you can see that I changed the top cloud to use the firewall symbol. I also changed the label to “MX64”.

There’s not an Affinity Blue symbol for access points, so I chose the “cog”. You could also grab a picture or manufacturer icon. Just for fun, in the third picture I went to Google Images and copied a picture of a Meraki access point. I don’t think it looks as good as the cog, but it demonstrates how you could use this technique to introduce all kinds of graphics.

To extend this concept, in that same example I created a stand alone book icon that links to my documentation. It would be easy to imagine a link to a Google doc or Sharepoint site in the same way.

If you use outside graphics, keep in mind that GNS3 recommends a maximum height and width of 70px. I find that the “summary view” size on Google images works pretty well. You can also resize existing graphics with Imagemagick:

convert -background none download/meraki.svg -resize x70 meraki.svg

Creating Hyperlinks

GNS3 allows double-clicking a device to open it’s terminal. To accomplish this with an outside device, right click the symbol and choose properties. Under properties, go to the “Misc.” tab. Here you set the link and point to an outside hyperlink. Since the Meraki is controlled from a centralized webpage, I selected console type “HTTPS” and used the URL to the controller, “dashboard.meraki.com”. You can specify telnet, vnc, spice, http, or https links in this way. The port defaults to 23 regardless of the protocol chosen, so you’ll need to update this. For https I selected 443.

Close the properties and try double-clicking! This cloud device functions as a “link” to an external URL. It doesn’t consume compute resources or memory, it’s just a way to hyperlink to an external resource. Note that all the devices in this example are managed from web pages, which I suspect will be a common case.

Network Connections

With the device in place, the GNS3 “Add a Link” tool can be used to draw connections. Here we run into a slight problem - clouds only have one interface by default (eth0). That means that GNS3 will only let you attach one link.

If you need extra links, go into the properties again and on one of the interface tabs add additional interfaces. You can easily add the loopback (lo0), or if you need a bunch just go to UDP tunnels and start adding tunnels.

In my case, all the Meraki appliances are managed from the Dashboard so I used a GNS3 switch to connect all the devices and changed it’s symbol to use the affinity blue icon. This doesn’t allow me to set a link on the switch symbol, but it was easy and also doesn’t tie up resources.

It’s important to keep in mind that using GNS3 network connections is being done for illustration, but they’re not going to “function” as GNS3 links. You can’t introduce error or capture packets, outside connects are just a graphical representation.

Just for fun, I wanted to have a red line connect over to ESXi because that is a trunk link. There’s not a way to color GNS3 links, so I used the line tool on the top icon bar. While this adds some pizzazz to the diagram, the resultant link isn’t attached and doesn’t move when the diagram is rearranged.

Conclusion

Using this Hyperlink technique can be a great help when documenting topologies or linking to outside dependent resources. Coupled with the ability to import images, it’s possible to make very functional and visually attractive topologies. It’s even possible to use this as a Visio replacement in simple cases, although you’re much more limited when doing diagrams in GNS3.

Custom Keycaps - Updated

Tue, 12 Jan 2021 17:30:38 -0500

From 12-30-20

My kids got me a Ducky mechanical keyboard for Christmas. It’s a wonderful keyboard, but the Windows keys are hurting my sensibilities. I decided that I wanted to replace the default Windows logo with the “starburst N” from my Nextpertise logo.

I found that Max Keyboard will custom print keycaps. At the ordering page there’s a link to a chart showing the size of the various keys on different keyboards. I already new that I needed R1 1.25 keys from Ducky, but MaxKeyboard had the Ducky layout as well so I was able to confirm.

MaxKeyboard wanted a file to print the image from. I used a postscript program called “rays.ps” (available in my postscript github repo) for the original graphic, but MK wanted at least 300x300 and the resolution on my existing picture was a quarter that.

I decided to update the postscript to just output the “N” and used a larger size. Here’s the code.

/Times findfont 300 scalefont setfont  
    /rays  
    { 0 1.5 359  
            {gsave  
            rotate  
            0 0 moveto 1200 0 lineto  
            stroke  
            grestore  
            } for  
    } def  
    0 500 translate  
    1.5 setlinewidth  
    newpath  
    0 0 moveto  
    (N) true  
    charpath clip  
    newpath  
    98 0 translate  
    rays  
    showpage

Of course, you can easily show this onscreen using: gs rays.ps

In the past, I’ve used GIMP to read the Postscript and produce other formats. Yes, GIMP can do that! But to simplify the operation, I had Ghostscript output directly to PNG.

gs -r600 -sDEVICE=pngmonod -sOutputFile=n.png rays.ps

MaxKeyboards has an easy to follow ordering page where you can upload your graphic and specify how you want the image placed. You can even have them print on the front of the keys. The black part of the image will be translucent to fit with my backlit keyboard.

I should get my new keys next week! Looks like the total cost will be about $10 per key.

Update 1-12-21

I received the new keys today! You can see the new keys in the picture here.

As a side story, after I sent in my purchase I noticed that the PNG file I created had a lot of white space. I was a little worried that the logo would be small and printed to the side. MaxKeyboard apparently recognized my error and fixed it. I was also worried that the fine lines of the rays wouldn’t translate well through the 3D printing process. As you can tell from the picture, they came through perfect.

It’s really fun when small things like this give you happiness. I giggled a little taking off the Windows keys and replacing them! The new keys fit perfectly and the size was dead on.

MaxKeyboard did a great job!

VMWare File Transfer Options including SFTP

Sun, 10 Jan 2021 16:51:18 -0500

I’m going to be upgrading my home VMware server and need to backup the VMs. My server uses ESXi 6.5 and I’ll need to backup the files before upgrading. Longtime readers may recall that I’m using Backblaze to backup the data on my server. That is going swimmingly so far. I want to backup the images so I don’t have to rebuild the VMs after this is done.

Admin interface

One way to accomplish this is to login to the admin web portal and export the VMs. Under each VM, go to Actions > Export and this queues downloading the component files. Exporting over HTTP is slow though.

VMWare Workstation

A second option is to backup from VMWare Workstation. I prefer using this to manage server VMs anyway. First, connect to the server under File>Connect to Server. Once the server is attached to workstation and you can see the VMs, right click a machine and choose Manage > Download. This is also fairly slow.

Using SSH with VMWare

To speed up the action, I wanted to grab the VMDKs directly from the server using SFTP. To set this up, login to the administrative interface of ESXi and look under “Host”. Choose “Actions” and “Enable SSH”. SFTP is a part of SSH, so this also enables SFTP. This isn’t the best way to grab the backup, since it will take a little work to stand these up again, but it is faster.

To make this super easy, I used Filezilla. Under the site manager, I selected SFTP, entered the IP address, and username. When connecting, you’ll need to accept the host key and navigate to /vmfs/volumes/YOUR_VOLUME_NAME/ and each of the VMs will have a directory. You can also easily upload images this way - ISOs can be saved to to VMWare easily this way.

Writing a Blog - Reflections after a half year

Sat, 02 Jan 2021 11:45:16 -0500

I started writing this blog back in July of 2020. There was a lot going on at that point, and yet a lot of nothing. My employer was acquired in May and management was cut, so I was surprised to be out of job. We were quarantining, which added a degree of difficulty to the job search, and summer is a slow time to find work anyway. Against all this uncertainty, I wanted to do something and decided to start writing. I hoped that the blog might provide a way to establish my bona fides, and if nothing else it gave me a chance to share what I was working on (since I no longer had co-workers to share with).

It’s now January of 2021. I’m employed and the blog has been going for six months. I thought I’d take a look back at the experience of starting a blog. Has it accomplished what I hoped? How hard was it and what things would I change?

Most posts here are technical and this article is intended to address technical things I’ve learned. At the same time, writing is a personal expression and accomplishes personal goals, so I also want to share how this experience has worked for me.

I’ll skip to the conclusion . . . I’ve found it valuable, technically approachable, and I think it’s something most people should consider. With that conclusion in mind, one of the biggest challenges is trying to figure out how to get started. There’s some good information online and the Hugo community is very supportive, but it’s mostly organized into how to accomplish small discrete tasks and not around helping communicate the big picture. Hopefully this will encourage you to give it a try and help you avoid some of the problems that might derail you.

What I did well

Hugo is a winner. I write articles in Markdown, which is lightly formatted plain text. Hugo then automatically applies formatting and plugs it into the navigational structure. Hugo takes my raw files and generates a set of set of finished static HTML files. Because of the way Hugo works, I haven’t had to think about server infrastructure or spend a lot of time “coding”, I’ve been able to take the time I have and focus on writing.

I write articles in VSCodium. Microsoft’s Visual Studio is open-source and VSCodium has stripped out the telemetry. The two products are almost perfectly equivalent, so take your pick. VSCodium is very easy to use, once you get the hang of it. I open my local copy of the Nextpertise repo in the left pane and a terminal below. I typically write with hugo server -D running so I can check output on the fly. I used to use different products for note taking, but I’ve switched over to VSCode for that, and I could really imagine writing a longer book using VSCode and then outputting via pandoc.

Blog files are kept in a local copy of a Git repository. After I finish updating, I sync up to GitHub which backs up my files and starts the process of moving them “live”. Like VSCodium, Git has become a central tool for me in a variety of settings. I use it for this blog, for code that I write, for artifacts that I contribute to GNS3, and even for keeping notes (you can have a private Repo). I’ve learned about Git, started contributing to more projects, published my first “app”, and even expirimented with CI/CD. One of the benefits of writing the blog is that I’ve grown technically and picked up these cool tools.

Render hosts the site, and that has been a big win. Render hosts static sites for free, so my only cost has been the domain. Render integrates with GitHub via a CI process, so when I sync my repository it automatically generates web content with Hugo and posts it to the Render CDN network. I’ve had friends in different parts of the world confirm that performance is uniformly great. Like other decisions I made early on, this has worked out to allow me to focus my time on content.

So those are the big wins: Hugo, VSCodium, GitHub, and Render. How did I decide on that workflow and set of vendors? The truth is that I saw Mike Dane’s Giraffe Academy Hugo videos on Youtube and thought “I can do that”. I was also starting to learn Python and had been fooling around with Visual Studio. GitHub was something I’d been using for a while, especially to work with the GNS3 project, but I’d been using it more at work as well. It really just all came together. One of the things that I think I did right was I didn’t over-analyze things. I expirimented enough to make sure that I had a good plan and then I just went for it.

Would I revisit any of these decisions? There are several static site generator alternatives (the other one I hear most about is Jekyll), but so far I’ve been able to do everything I want with Hugo. I expirimented with hosting in AWS S3 and AWS offers this free in the first year. Netlify is similar to Render in that it too focuses on the JAMStack space. Netlify has a lot of good technical documentation and videos of lectures, and they sponsor and participate in the community. I think all three would have been good options, but for me at this point: it’s not broke. I think that is really the magic of Render: the technical and financial barrier to doing this was significantly lowered, and that encouraged me to start and has allowed me to focus on the part I enjoy since.

Another of my early decisions that has really born fruit - making my own CSS and theme. Hugo allows you to clone a theme from GitHub. As I mentioned earlier, the Hugo community is very supportive and there are a lot of themes shared via their gallery. I initially started with someone else’s theme, but I quickly realized that it was going to take a lot of work to understand how it all fit together. This was particularly true because I don’t have a lot of background in web design. The Giraffe Academy videos are really good and Mike gets into the early stages of developing a theme there. I used some of the Giraffe Academy ideas as a basic theme and built up from there. I’ve been able to leverage the blog to learn HTML and CSS. The theme generally get’s more complicated because I want to solve a new problem, so “rolling my own” has allowed me to grow with the site.

What I would change

My biggest issue has been building readership. I still don’t think I’ve got a great handle on how to do that. Google and Bing make it easy to register your page with them so it shows up in search results. Google also has free online classes in using their Analytics and Search portals. I recommend you do those things, but I’m still seeing slow and steady growth in readership and not a big growth. Because the site isn’t widely read, it really didn’t get my name out when I was job hunting. I recommend spending some time understanding how to publicize your site. If anyone has great ideas and could leave them in the comments, I would appreciate your thoughts!

Another mistake has been setting draft=false in the Archtype. Turning off the “drafts” feature in Hugo has resulted in publishing pages that weren’t finished. Yes, you will be annoyed that you forget to “publish” by setting draft=false, but it was a dumb idea to just turn it off.

Finally, when I started I didn’t really design the site for growth. I put all the files in the “content” directory and let them pile up, making them hard to organize. Over New Year’s, I went back and prepended dates to file names and moved everything under a “posts” subdirectory. This also allowed me to create the “Archives” link and made curation easier.

Conclusions

I started the blog with two goals: sharing some cool things I’ve learned and marketing myself during a period of unemployment. The blog didn’t really help get a job, but it kept me busy and focused on moving forward during a potentially depressing period. However, I’ve found it cathartic to write and I hope that people have read and found value in this work.

Creating this site has also given me a “real world” case to learn about HTML and CSS, cloud hosting, and online analytics. It’s also pushed me to get more involved in various online communities and to learn at a deeper level so I can share my conclusions here.

George Carlin used to have a bit about the difference in the quality of experience betweeen riding and driving. It was a funny routine, but it stuck with me (like several of his thoughts) because it was true. Learning through necessity pushes you to go deeper and wider. Although my day job is management, continuous detailed learning is an important part of the IT industry.

This has been easy enough that I’ve thought about creating sites for my church or the Trail Life group I lead. If you have an expertise and an interest in sharing it, I would encourage you! Let me know how I can help! For those of you already on the path, I’m going to continue this conversation in a second column to detail some of the cool things I’ve learned how to do!

GNS3 2.2.17

Thu, 31 Dec 2020 08:29:40 -0500

GNS3 2.2.17 was released in December. It features bug fixes and some small added features.

On the GUI side, the biggest news is that 2.2.17 brings support for MacOS Big Sur. It fixes an issue with the use of Qemu that affected some appliances because the -nographic switch was set automatically. The WebUI updates underlying dependencies, closes a security issue and addresses some bugs, including one that cauased an annoying error message in Firefox. The server now allows configuring VNC port ranges and updates code to remove deprecated Python methods.

GNS3 2.2 continues to be a stable platform and we see in this release a refinement. Unless you run Big Sur, there doesn’t appear to be anything earth-shattering.

Should you upgrade?

Obviously you should upgrade if you have Big Sur.

For the rest of us, this version includes a security fix. I’ve read the CVE and it appears to affect input validation. It’s not obvious how this would be exploited in GNS3 or what the risk is from the write-up, but it’s rated HIGH.
I recommend upgrading assuming you have a little time to sort out any issues.

If you need to wrap up some work and don’t want to risk an upgrade at the moment, I would recommend disabling the WebUI. I can’t find a way to do this however, so I started an issue and hopefully that will be incorporated in 2.1.18! In the meantime, if you want to protect the interface you’ll need “compensating controls”. That’s a term of art for blocking access somewhere else (like in a firewall).

How do you upgrade?

New and updated appliances

Folks continue to contribute appliances. If you are interested in doing this, refer to my articles on creating an appliance and Updating an appliance. Here’s a list of the new and updated appliances since November first:

Arista VEOS
Aruba VGW
Cisco IOSv L2
Huawei USG6Kv
Opnsense
RHEL

It’s really nice to see RHEL. I didn’t even realize Red Hat was missing, but in the last few months I’ve come to understand how many companies depend on RHEL (or it’s clones). One good example of this is that Amazon Linux (used in a lot of AWS EC2 instances) is a RHEL clone. The original was based on RHEL6 and AL2 is based on RHEL7.

SSH Crypto

Tue, 29 Dec 2020 13:01:35 -0500

Cleaning up Crypto

A previous article - SSH Admin - went through understanding who was logging into a Linux server using SSH or SFTP. To continue that thought, let’s suppose that we are required to make sure that only cypher suites recommended in the CIS benchmarks are in use on a server. Before we disable old options, we need to check and make sure that no one is using them!

Understanding local crypto

From a client, we can see which cipher elements are supported. Each of these commands outputs a range of protocols. When connecting to a server, the client transmits protocols that it supports and the server reciprocates. They then agree to use the first option from the client’s list that is supported on the server (or the connection fails). The table below lists commands used to see the protocols supported on a client. The examples were chosen because they were well known and establish context, and not as a recommendation.

Table: SSH options
Element	Command	Example options
Cipher	ssh -Q cipher	3des-cbc, aes256-cbc
MAC	ssh -Q mac	hmac-md5, hmac-sh2-256
Key	ssh -Q key	ssh-rsa, ecdsa-sha2-nistp256
Kex	ssh -Q kex	diffie-hellman-group1-sha1, curve25519-sha256

Setting up an SSH connection goes through some basic phases:

Kex (key-exchange) is used to complete an asymmetrically encrypted initial key exchange.
Keys are exchange. The key list is types of keys supported.
The body of the communication is encrypted symmetricly.
MAC or “message authentication code” is a hash that verifies the integrity of transmissions.

Understanding remote clients crypto

It’s surprising that there isn’t a command to show which cipher suites are in use by particular clients. To build a tool, I went into /etc/ssh/sshd_config and set the logging level to grab everything.

# Logging
SyslogFacility AUTH
LogLevel DEBUG3

This can then be reviewed using journalctl -u ssh to display entries related to the sshd unit. I noticed that the relevant lines were at DEBUG1 level and that each sequence completed with the “password accepted” line. Based on this pattern, I wrote a utility in Python to create a report.

Dec 28 15:56:44 pop-os sshd[701591]: debug1: kex: algorithm: curve25519-sha256 [preauth]
Dec 28 15:56:44 pop-os sshd[701591]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
Dec 28 15:56:44 pop-os sshd[701591]: debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none [preauth]
Dec 28 15:56:44 pop-os sshd[701591]: debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none [preauth]
Dec 28 15:56:46 pop-os sshd[701591]: debug1: PAM: password authentication accepted for pop

ssh-crypto is a Python3 program to read ssh debugging and identify who has logged in and what settings were used. It expects a file name, which is a text file that contains ssh logging output. First make sure that sshd is logging at least at DEBUG1. Restart the SSH service for the new logging setting to take effect.

sudo service sshd restart

Keep in mind that the crypto fields won’t be populated for logins before the loggin change takes effect. To create the text file for analysis, export from journalctl.

journalctl -u ssh > ~/ssh.txt

Again, __ssh-crypto assumes that the system has Python3, uses Systemd, has debugging setup.

Usage

 pop  pop-os  ~  $  ~/git/ssh-crypto/ssh-crypto.py ~/ssh.txt
-------------------------------------------------------------------------------------------------------------------
| # |       User        |       IP       |     Algorithm      |        Host        |            Cipher            |
-------------------------------------------------------------------------------------------------------------------
|  0|pop                |192.168.25.2    |undefined           |undefined           |undefined                     |
|  1|pop                |192.168.25.72   |undefined           |undefined           |undefined                     |
|  2|pop                |192.168.25.81   |undefined           |undefined           |undefined                     |
|  3|pop                |192.168.25.81   |undefined           |undefined           |undefined                     |
|  4|pop                |192.168.25.81   |undefined           |undefined           |undefined                     |
|  5|pop                |192.168.25.81   |curve25519-sha256   |ecdsa-sha2-nistp256 |chacha20-poly1305@openssh.com |
|  6|pop                |192.168.25.81   |curve25519-sha256   |ecdsa-sha2-nistp256 |chacha20-poly1305@openssh.com |
-------------------------------------------------------------------------------------------------------------------

Removing Weak Ciphers

Per the CIS Ubuntu 20.04 Standard (5.2.12), FIPS compliant ciphers include aes256-ctr, aes192-ctr, aes128-ctr. FIPS compliant MACs include hmac-sha2-256 and 512. FIPS allows a pretty broad range of key exchange protocols, including ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, and diffie-hellman-group14-sha256. To limit the server to only accept these options, edit /etc/ssh/sshd_config. Here are the ones I’ve chosen to support.

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Using ssh-crypto will allow review of recent client connections and unused ciphers can be weeded out. After communicating the change to users, specific recalcitrant users can be identified for follow-up with the utility before ultimately removing the old protocols.

SSH Administrative Trivia

Wed, 23 Dec 2020 18:47:30 -0500

Let’s consider an interesting case: we’d like to identify remote ssh users. Remember that SFTP is a part of SSH, so these commands will also identify SSH users. There are a variety of ways to do this and some are even fairly obviouis.

Who or w

Who is a utility to display logged in users. The man page can walk you through the various switches, but the two I find most valuable are -a to show all and -H to show headings. The all option includes the time that the session has been active, how it’s attached, and where it’s coming from.

who -aH
    NAME       LINE         TIME             IDLE          PID COMMENT  EXIT  
               system boot  2020-12-02 05:47  
               run-level 5  2020-12-02 05:47  
    pop      ? :1           2020-12-02 08:08   ?          3663 (:1)  
    pop      + pts/2        2020-12-23 18:14  old       570072 (192.168.1.72)  
    pop      + pts/6        2020-12-27 15:36 00:01      665161 (192.168.1.81)

The first column - Name - is the local name that these users are logged in as. In this example, I’m logged in as “brent” on 192.168.1.81 but my ssh session to this computer uses the username “pop”. The LINE identifies connection - pts stands for psuedo terminal slave, or a sub process of pty (psuedo-tty). You may be more familiar with tty connections - those are direct connections like a local terminal. Notice that there’s a local connection and two remote connections in this example.

If who is too much typing for you, try w. It provides very similar output, no switches required

w
     16:22:45 up 25 days, 10:35,  3 users,  load average: 1.90, 1.70, 1.53  
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    pop      :1       :1               02Dec20 ?xdm?  12days  0.00s /usr/libexec/gdm-x-session --run-sc
    pop      pts/2    192.168.1.72    Wed18    3days  0.09s  0.09s -bash
    pop      pts/6    192.168.1.81    15:36   46:35   0.02s  0.02s -bash

You can also derive this information from ps. This command lists active processes and includes active ssh sessions. Note that you can pipe to grep to limit it to lines that include ‘pts’ or ‘ssh’.

ps ax

Last

Last looks through /var/log/wtmp and shows login activity. You can specify a username to see when that user logged in and out. Note that a psuedo-user named reboot logs in when the system reboots, so last reboot will show a list of all reboots.

last
    pop      pts/6        192.168.1.81    Sun Dec 27 15:36   still logged in  
    pop      pts/2        192.168.1.72    Wed Dec 23 18:14   still logged in  
    pop      pts/2        192.168.1.2     Wed Dec 23 18:11 - 18:11  (00:00)  
    pop      :1           :1               Wed Dec  2 08:08   still logged in  
    reboot   system boot  5.8.0-7630-gener Wed Dec  2 05:47   still running  
    pop      :1           :1               Wed Nov 25 18:02 - down  (6+11:44)  
    reboot   system boot  5.8.0-7630-gener Wed Nov 25 17:56 - 05:46 (6+11:50)  
    pop      :1           :1               Mon Nov 23 08:31 - down  (2+09:24)  
    reboot   system boot  5.8.0-7630-gener Mon Nov 23 08:29 - 17:56 (2+09:26)  
    pop      :1           :1               Sat Nov 14 17:40 - down  (8+14:47)  
    reboot   system boot  5.8.0-7625-gener Sat Nov 14 17:39 - 08:28 (8+14:48)

Last shows similar information to who, but shows activity over time instead of just current activity. On a busy server, w might do a better job of concisely showing current users. A related utility is lastb which shows bad login attempts. In the previous example I mentioned that my account is “brent” on 192.168.1.81. I forgot that there was a different user on this machine and you can see here the failed login attempts. Notice that this command requires elevated priviledges.

sudo lastb  
brent    ssh:notty    192.168.1.81    Sun Dec 27 15:35 - 15:35  (00:00)  
brent    ssh:notty    192.168.1.81    Sun Dec 27 15:35 - 15:35  (00:00)  
brent    ssh:notty    192.168.1.81    Sun Dec 27 15:35 - 15:35  (00:00)

Paranoid users may want to review failed logins every time they open a terminal.

echo "sudo lastb" >> /home/user/.bashrc

A similar command is journalctl -u ssh. This shows the systemd journal, so obviously it’s only of use on systemd-based systems. Modern Fedora/RHEL and Ubuntu are on that list. The switch -u limits output to certain units, in this case ssh. Note that some systems will require the unit to be listed as “sshd”. Notice that this shows socket information and failed attempts and is organized chronologically. This might be useful if you’re trying to match events in troubleshooting.

journalctl -u ssh  
-- Logs begin at Sat 2020-11-14 17:39:49 EST, end at Sun 2020-12-27 18:10:11 EST. --  
Dec 23 18:11:37 pop-os sshd[569656]: Accepted password for pop from 192.168.1.2 port 52778 ssh2  
Dec 23 18:11:37 pop-os sshd[569656]: pam_unix(sshd:session): session opened for user pop by (uid=0)  
Dec 23 18:14:55 pop-os sshd[570072]: Accepted password for pop from 192.168.25.72 port 23639 ssh2  
Dec 23 18:14:55 pop-os sshd[570072]: pam_unix(sshd:session): session opened for user pop by (uid=0)  
Dec 27 15:35:39 pop-os sshd[665153]: Invalid user brent from 192.168.25.81 port 54850  
Dec 27 15:35:41 pop-os sshd[665153]: pam_unix(sshd:auth): check pass; user unknown  
Dec 27 15:35:41 pop-os sshd[665153]: pam_unix(sshd:auth): authentication failure; logname= uid=0 eu>  
Dec 27 15:35:43 pop-os sshd[665153]: Failed password for invalid user brent from 192.168.25.81 port>  
Dec 27 15:35:48 pop-os sshd[665153]: pam_unix(sshd:auth): check pass; user unknown  
Dec 27 15:35:51 pop-os sshd[665153]: Failed password for invalid user brent from 192.168.25.81 port>  
Dec 27 15:35:57 pop-os sshd[665153]: Connection closed by invalid user brent 192.168.25.81 port 548>  
Dec 27 15:35:57 pop-os sshd[665153]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=s>  
Dec 27 15:36:07 pop-os sshd[665161]: Accepted password for pop from 192.168.25.81 port 54862 ssh2  
Dec 27 15:36:07 pop-os sshd[665161]: pam_unix(sshd:session): session opened for user pop by (uid=0)

Network commands

Finally, there are also a few ways to look at this from a network perspective. You can show socket statistics with _ss. This can be interesting for associating unknown traffic to a process id. The following example is truncated to give a sense of the output, but the full dump is long.

ss | more
    Netid State Recv-Q  Send-Q  Local Address:Port         Peer Address:Port    Process
    u_seq ESTAB      0      0   @00031 4813785                 *                4813786        
    u_seq ESTAB      0      0   @00041 8426824                 *                8426825

Netstat provides another network perspective, this time organized as conversations. The tabular form of netstat is a little easier to digest. The version shown uses switches for numeric output, processes info, and all.

netstat -npa  
(Not all processes could be identified, non-owned process info  
 will not be shown, you would have to be root to see it all.)  
Active Internet connections (servers and established)  
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name      
tcp        0      0 192.168.25.2:22         192.168.25.81:54862     ESTABLISHED -

Conclusion

These networking commands give you a different view into what’s happening on your server, but for our original purpose they’re abstract. I’d recommend trying all these techniques to gain wider familiarity with your server, but I find the most common commands I use are w, lastb, and journalctl -u ssh (depending on what I’m trying to troubleshoot).

Future articles will continue to review some of the administrative issues with maintaining an SSH/SFTP server, such as understanding encryption in use and limiting it to “modern” protocols.

Technically Correct Verbage Rant

Sun, 20 Dec 2020 02:00:15 -0500

Part of our industry is the need to constantly keep up to date. I’ve been going through some training and flipped the “bozo” bit on the instructor because he was struggling to explain some basic network concepts. I’m in management these days and often have to quickly evaluate other technical people. Whether it’s hiring, considering contract work, or talking to a potential “partner”, I form an opinion of you, your company, and your product based on your technical vocabulary.

Here are three terms that are commonly misused and make me suspecious.

Bandwith

This one is so common, that even people who understand concepts will slip into a vernacular. In untechnical slang, “bandwidth” has come to be synonymous with time and capacity. A colleague might ask you “do you have the bandwidth to handle this?” What they mean is “do you have the time?” In this sense, it’s trendy and hip and can be more easily forgiven.

When your ISP says that their bandwidth is 10Mbps they are describing network capacity or how fully it can be utilized. This usage is technically wrong and either indicates that the speaker doesn’t understand the term or is pitching the discussion toward a non-technical audience. Either of these uses is incorrect even in an analogous sense because they both speak to the amount of information over time.
Bandwidth properly describes the difference between the upper and lower frequencies being considered at an instant.

Further, even the adulterated version of the term is misused. When a link is said to be “10Mbps”, it doesn’t mean that a 10MB file can be downloaded in one second!

Notice that ISP speeds are small “b” bits. There are eight bits to a byte, so a 10 Megabyte file is 80 Megabits. Further, files are transmitted a little bit at a time. The client has to acknowledge receipt periodically. That means that the server has to pause and wait for that acknowledgement. Actual file transfer has as much to do with the round-trip time for this ack as with the size of the connection.

IP is Classless

The thing that really set me off was an AWS networking discussion where the instructor mentioned that we would use the “10.10.0.0/16 Class B network”.

A long time ago, IP addresses were just numbers. I could be “1” and you could be “2”.

At a certain point, the network was divided into smaller networks of different sizes and the idea of an implicit class was used. In this classful structure, one could tell what portion of the address was the network prefix based on the first octet.

Table: Classful addressing
Class	First Octet	Assumed Mask
A	0-127	255.0.0.0
B	128-191	255.255.0.0
C	192-223	255.255.255.0

Later (mid-90s) as the Internet started to grow it became obvious that this system lacked necessary flexibility. IP addresses began to use explicit masks, so that they could specify network prefixes of any number of bits. At that point (25 years ago!) class became a thing of the past.

Slash notation

Finally, it’s technically correct to describe a mask as “255.255.240.0” but the cool kids would say “/20”. That means the first 20 bits are used as the network prefix. Not understanding this usage is a clear indication I’m dealing with a noobie.

My point

Words are important. The words we choose carry meaning, sometimes beyond their strict definition. They identify us as knowledgeable and up-to-date in a given subject and inspire confidence in our audience. I hope you take care to communicate clearly and accurately and avoid these all-too-common flags.

What other mis-uses of technical language am I missing? I’d love your comments. I’ll try to update this discussion as we go forward together!

AWS Changing EC2 IPs or Water Never Lies

Fri, 18 Dec 2020 20:35:31 -0500

I had an issue that required changing the IP address of an EC2 instance. The short version: you can’t change the primary IP of an EC2 instance.

Water never lies

It seems intuitive to me that you can change an IP of a VM, so when asked I said “I think so”. Turns out I answered from ignorance, but then I did a smart thing and actually tested the process to understand it better.

My Dad was a builder. One time when I was young he was questioned about grading, so he took me to the site and observed it in the rain. Pointing out that the water ran away from the building, he said, “Water never lies”. It seems obvious, but the older I get the more I find it profound.

People think a lot of things. What someone thinks will happen isn’t nearly as interesting as what actually happens. It’s important to test our intuition against experience and continually validate and update our expectations.

Back to the story

To test IP address mobility in EC2, I created two t2.micro instances running Amazon Linux 2 (which we’ll call “A” and “B” for convenience). After choosing the AMI and instance type you are prompted to “Configure Instance”. In this screen, after selecting the subnet the Network Interface details appear at the bottom of the page. You can assign a valid unused IP - if left blank an IP will be assigned for you. I allowed both instances to auto-assign an IP and they were assigned to the “primary” (eth0) interface.

The first thing I tried to do was to change the IP at the prompt.

sudo ifconfig eth0 192.168.255.5 netmask 255.255.255.0

That would work on a physical instance, but this left the instance unreachable. After rebooting, I tried changing the IP address from the AWS console and then I tried to remove the interface. Neither action was allowed.

Next I assigned a secondary IP. To do this, go to EC2 and select the instance and then select the network interface. Under the network interface, go to the Actions button in the top right corner and select “Manage IP addresses. In the ensuing screen, expand the “eth0” selection and you’ll see a button for “assign new IP address”. When you add another address, AWS will limit you to only valid and available addresses on the subnet. If the IP is used by another instance - whether active or not - you will not be able to assign it.

I tried removing the secondary IP and didn’t have a problem. I was able to take the secondary IP assigned to “A”, unassign it, and put it on “B”. This works, but on AL2 you’ll need to restart the network service before the secondary IP will be “seen”.

sudo systemctl restart networking

Elastic Network Interfaces

I also played with ENIs. Originally, my idea was to create a new network interface, add it to the VM, and remove the old one in order to move the IP. Again, you can’t change or delete the primary interfaces of an EC2 instance once created.

However, you can create a stand-alone ENI and associate an IP with it. This can be attached to “A”, unattached, and attached to “B” without a networking restart. In practice, it works very similar to a secondary IP.

In the Instances page, look in the menu on the left under networking and find “Network Interfaces”. From here you can click the “create network interface” button to create an independent NIC and assign it an IP.

Interface IPs cannot be reassigned without deleting the instance. Yes, you can take a snapshot before deleting, but your tolerance for that kind of risk may be limited.

The best option is to construct your VPC environment so that all references are done via Fully Qualified Domain Name (FQDN). DNS can easily be updated to point the name “server” from 10.0.0.1 to 10.0.0.2.

There are places where we are forced to refernce by IP. In such cases, I recommend using an ENI. Disable eth0 if having two IPs bother you. Upgrading or replacing a VM can be as easy as standing up the new version and transferring the ENI.

I’ve found several references on the Internet to the fact that you can’t move EC2 IPs, but not a more detailed walk through of what you can do. I hope this discussion has been helpful!

A Love Letter to Flameshot

Thu, 10 Dec 2020 14:28:39 -0500

My friend Jared always extols the Unix philosophy that programs should “do one thing and do it well”. One program that fits that description is flameshot. Flameshot makes great screenshots and allows you to easily annotate them.

A few years ago I was put in a position where I had to produce monthly reports that included screenshots from our tools. The default gnome-screenshot application is difficult to work with. It has to be re-invoked for each capture and it doesn’t allow you to easily adjust the parameters or annotate the picture. As a result, I’d take a bunch of screenshots and each one involved a try or two to capture the right section, then opening in Gimp to edit. It took forever.

Flameshot made this an easy process. Since then, I very commonly want to take a screenshot for this blog or for an email. Usually I’m trying to demonstrate a function or show what a screen looks like. This program allows me to quickly grab the section of the screen I need, highlight, draw, and even obfuscate sensitive portions (like credentials).

Flameshot can be downloaded from Github, but most distros have it in their archives. It’s available as a flatpak, snap, AppImage, rpm, or deb. It’s even available for Windows. On Ubuntu, it can be pulled down using:

sudo apt install flameshot

For snap:

sudo install snap

For flatpak:

flatpak install https://github.com/flameshot-org/flameshot/releases/download/v0.8.0/org.flameshot.flameshot_0.8.0_x86_64.flatpak

or grab the AppImage version from the website.

There’s a lot of gnashing of teeth about which of these formats is better. Personally, grabbing the DEB means that I update it with the rest of my applications and I haven’t had issues with DEB. I’ve used all three of the portable formats and found them to be fungible. Appimage is both the most portable and the easiest to forget updates with.

Invoking Flameshot

Flameshot can be launched from the menu. It will also install an icon on the bar - on Gnome you need the TopIcons extension to see it.
It also works well to map a keybinding to it, such as PrintScreen. Link the keypress to the command: flameshot gui

Using Flameshot

Once you start Flameshot, the screen immediately dims and you are prompted to drag a box around the area of the screen you want to snip. Once the box is defined, a series of circular option buttons surround the selection to allow editing.

The animated graphic above does a good job showing this action. Some of the features I most commonly use are arrows, lines and boxes,and the “smear” tool to hide sensative parts. Once done, click the disk icon and save your file.

Conclusion

As I said, Flameshot takes great screen captures. Since I titled this a “love letter”, it’s obviously a program that I find valuable. It makes it easy to annotate them. It’s easy to adjust the capture and it’s easy to re-invoke if needed.

Flameshot has become a part of my standard install - frankly I’m not clear why it’s not included standard with most distributions. It does one thing really well. I encourage you to give it a try!

Personal Readme

Sun, 06 Dec 2020 14:58:31 -0500

I recently came across the concept of a personal README. Conceptually, this is an introduction to workstyles and the preferred ways to work with someone. Usually these are written by folks in management, because you have to be at a certain level before you can dictate how others should interact with you. The idea comes from Michael Lopp (the VP of Engineering at Slack). It’s a good concept to be familiar with in our industry because it is becoming more common.

I moved into a new team where this was an expected introduction for a new manager. I’ve put one together and posted it to a Github repository along with my professional documentation, like resume and publication list. I’d like to say I’ve extended the concept from a personal readme to a personal Repo, but I suspect that I’m behind the times and don’t realize it.

The Good

Putting together my personal README wasn’t hard. I found some examples online, but I found many of them to be preachy or self-involved. Making big moralistic statements seems like the kind of thing that is used to bludgeon the author at a later date. As far as writing something self-centered, I just don’t think anyone cares.

I decided to focus on the parts that would matter to someone who worked for me. I wrote about where I believe an IT team adds value, about my expectations and about my communications preferences.

I found the exercise to have introspective value. Very few of us are lucky enough to have training about how to manage a team, so we pick it up by reflecting on our own experiences, by ideas we see others use, and by expirimenting. It’s not surprising that everyone ends up with a different style.

A brief aside: One of the guys I used to work with (Joe - are you out there?) used to mix metaphors when he got upset or excited. My favorite was “throw it up against the wall and see who salutes”. Still one of my favorite sayings.

The Bad

I don’t think it did any harm. However retrospectively, I don’t think this exercise really held value for the people it was intended to. The new team dutifully sat through the presentation, but there were no questions and it hasn’t ever come up in conversation.

My conclusion

I tell my Trail Life boys, “Leadership is about working together to accomplish goals”. It’s a definition that is easily understood by teenagers. So on a certain level, I don’t think the personal readme really empowered me to work more effectively or to accomplish goals more easily.

The truth, as much as I can discern it, is that people are more impressed by the things you tolerate and not by what you say. To the extent they listen to what you say, simple heuristics repeated consistently seem to work best.

Some of my favorite things to say include “Play the cards in your hand and not the cards you want” (credit to Kap Kim) and “be creatively impatient” (that one is mine). Jim Guido, a man I admire immensely, used to say “early is on-time, on-time is late, and late is dead”.

In spite of all the negatives, I would still recommend writing a readme. Even though no one else paid attention, I did. It helped me clarify and organize thoughts that had been bouncing around in my head for a long time. And I’ve referred back to it to ground myself, to think about what I’ve learned and where I’ve veered off course.

I think management generally spends too little time thinking about how they know what they think they know.

So take a look at my repo and think about how you would describe yourself. Writers say that the best way to get to a good second draft is to start with a bad first draft, by which they mean that it’s better to just start and get ideas on paper and then edit them later. So start a text file with your thoughts and worry about editing it once it reaches critical mass.

I think you’ll find this a valuable exercise.

The picture at the top of the article is me with a group of men I worked with in Goa, India, seven years ago. I met many good friends through that time, friends that I wouldn’t have today if I hadn’t become a manager. They kept this picture at the office and during a conversation last year they took this picture-of-a-picture and sent it to me. That feeling - that our work together had value and was a memory they cherished the same way I did - was one of the the highs of my career. That’s why it’s important to me to try to do it right.

SMAG (command line graphing)

Tue, 01 Dec 2020 20:35:56 -0500

Here’s a neat tool to try out - “Show Me a Graph” or SMAG. SMAG is available on Github and is a command line tool to produce live character-based graphs on the command line.

There are all kinds of situations with modern cloud environments where we are working via SSH and a desktop and graphical tools aren’t available. We still need to troubleshoot and a quick graph is a great way to get a sense of the situation. Smag takes any command that produces a numeric output and turns that into a graph.

To use smag, either clone the repository or grab the latest release from Github. The example from the site monitors the number of processes.

./smag "ps aux | grep ssh | wc -l" "ps aux | grep bash | wc -l"

The output needs to produce a number. I accomplished that with other commands by using grep to isolate a line in the output and cut to pick out the number that I want. I’m sure there are a lot of different ways to accomplish a similar result. Here are some sample scenarios that I tried.

Graph ping response times

This example pings Google DNS and graphs the round trip time. I need ping to exit and return a number, so I set the count to one. That command is then looped thorugh to create the graph. Awk is pulling the seventh field - I think I could skip this and cut from the raw row, but this works.

./smag "ping -c 1 -R 8.8.8.8 | grep time= | awk '{print \$7}' | cut -c 6-7"

Graph CPU temperatures

For this, you’ll need to grab some packages to monitor system parameters.

sudo apt install lm-sensors  
sudo apt install hddtemp

Then monitor CPU temperature using the following command. Note that sensors returns a lot of information, such as temperature per core. I’m arbitrarily grabbing the summary. You could certainly adjust this to pull the the value that’s most relevant to you. Notice that I have enclosed quotes, so I use the single quote for grep and double quotes for smag. The two types of quotes do the same thing, but we need to help bash recognize that we have one set inside another.

./smag "sensors | grep 'id 0:' | cut -c 17-20"

Graph Ethernet packets received

You can graph just about anything, but here’s a third example to demonstrate the case.

./smag "ifconfig enp0s31f6 | grep 'RX packets'|cut -c 20-26"

SMAG is a valuable tool, but trying to remember the library of commands to draw out the values might be an issue over time. If you have some particular values that you need to access consistently, this might be a good place for an alias. Alias allows us to substitute a command for another (usually more complicated) one. Let’s say I want to call up this Ethernet graph pretty often. I can make this easier to remember:

alias smag-eth="./smag \"ifconfig enp0s31f6 | grep 'RX packets'|cut -c 20-26\""

Here we have enclosed quotes inside enclosed quotes! Let’s parse this out. The inner-most quotes are used by grep. I’ve used single quotes to distinguish this from the outer quotes. The next layer of quotes are used by SMAG, but they are inside another layer of quotes. I’m using the backslash to tell alias to treat these quotes as literal characters, which allows them to be enclosed. Finally, there are double quotes around the aliased command. Now I can call up this graph by just typing: smag-eth

Conclusion

Thumbs-up. If this is a problem you need to solve, it’s a neat tool to have in your toolbag. If I had a particular need for this, my recommendation would be to make Smag and a common alias part of my standard build. A little prep work like that will make things easier if stuff hits the fan.

I want to mention that I had a question and posted an issue on Github. “Aantn”, the developer of Smag, reached out to me and pointed out the error in the command I was using. I appreciate the work they’ve put in to Smag and the impetus to share it with the world, and I especially appreciate the time they took with me.

Powerline Windows

Mon, 30 Nov 2020 18:23:57 -0500

I work in Windows from time to time. Writing the article on the Tilix Powerline setup made me realize that I wanted a similar spiffy prompt in Windows. Let’s step through how to set that up!

Step 0 (We are programmers) - Windows Terminal

The Windows Terminal is a nice addition to Windows, but doesn’t ship with Windows 10. It is a terminal in the Linux-sense, and support tabs and customizations. Alas, it doesn’t do tiling, but it supports Command Line, Powershell, WSL, SSH, and Azure Cloud. The simplest way to get it is from the Windows Store, but you can also use the link above.

Step 1 - Install a Font that Supports Ligatures

I prefer JetBrains Mono, but this is definitely a question of art. Microsoft’s Cascadia is one option. Other options, like the excellent Inconsolata can be found at sites like Nerd Fonts or Programming Fonts.

Step 2 - Install Git

Because Powerline support Git, I recommend going ahead and getting it installed so you can see it work. You can download and install it from .

Step 3 - Setup in Powershell

Open a Powershell session and install the posh-git and oh-my-posh add-ins.

Install-Module posh-git -Scope CurrentUser  
Install-Module oh-my-posh -Scope CurrentUser

Enable these modules to start with each new session via the terminal profile. To open the profile, type notepad $profile.

#add these lines  
Import-Module posh-git  
Import-Module oh-my-posh  
Set-Theme agnoster

Note that many themes are pre-built for oh-my-posh. Refer to the github site to see samples. Agnoster is my personal favorite because it’s less busy and keeps the prompt on one line.

Next, you’ll need to update the terminal settings to use the font. In Windows Termianl, go to Menu > settings (this will open VSCode if you have it installed). Search for the profiles section and add the fontFace directive as shown below. Note that we’re setting up Powerline to work with Powershell, not in the other environments, but I also went into the Command Prompt, Ubuntu, and Azure sections and changed them to use my new font.

    "profiles":  
    {  
      "defaults":  
      {  
       // Put settings here that you want to apply to all profiles.  
      },  
      "list":  
        [  
          {  
            // Make changes here to the powershell.exe profile.  
            "guid": "{61c54bbd-c2c6-5271-96e7-009a87ff44bf}",  
            "name": "Windows PowerShell",  
            "commandline": "powershell.exe",  
            __"fontFace": "JetBrains Mono",__  
            "hidden": false  
            },

##Step 4 - Setup in WSL For WSL, we’ll add a Go version of powerline.

sudo apt install golang-go  
go get -u github.com/justjanne/powerline-go

and then edit the terminal settings to make sure it’s used to display new lines. Edit via nano ~/.bashrc and add the following snippet to the end.

GOPATH=$HOME/go  
function _update_ps1() {  
  PS1="$($GOPATH/bin/powerline-go -error $?)"  
}  
if [ "$TERM" != "linux" ] && [ -f "$GOPATH/bin/powerline-go" ]; then  
  PROMPT_COMMAND="_update_ps1; $PROMPT_COMMAND"  
fi

Voila! You should have Powerline functionality and cool fonts working in the different prompts available in Windows.

Pop! OS

Thu, 26 Nov 2020 10:17:03 -0500

I recently wrote about my experiences with Ubuntu 20.10. In that article, I mentioned that I previously found Gnome laggy and the app picker to be annoyingly unsorted. That article got into Gnome 3.38, which seems to answer my issues by being perkier and providing a way to organize applications. I also mentioend how much I appreciated Material Design, a tiling extension for Gnome. That setup - Ubuntu 20.10 with Gnome 3.38 and Material Design - has worked really well on my laptop and a month later I remain enthusiastic about the way it organizes my work.

But . . . it doesn’t work so well on my desktop setup. The desktop is an i7 with 64GB of memory (perfect for GNS3!) and a 2K and 4K display. The Material Design extension didn’t adapt well to the dual displays. Gnome was still great, so I started hunting for a different tiling extension but the others didn’t install on 3.38. I had tried Pop! OS six months ago and really liked where System 76 was headed with auto-tiling, but had been frustrated by Gnome. I decided to give the distribution another chance.

Pop! OS is an opinionated re-distribution of stock (Gnome) Ubuntu. System 76 is a long time manufacturer of Linux computers. They have a great reputation in the community and have been a big promoter and sponsor within the community. A couple years ago, they decided to customize Ubuntu to optimize the experience for their hardware. They labeled the result Pop! OS and made it available for anyone to use. Pop! OS 20.10 came out shortly after Ubuntu 20.10 in seperate releases for computers with NVidia cards and those with AMD.

The most obvious differnce between stock Ubuntu and Pop! OS is the Gnome setup and skin. Ubuntu has a very specific user experience and they have their own take on Gnome. This isn’t a criticism. System 76 has built a different experience, with a more “standard” Gnome setup but with their Auto-tiling extension. There is also a relentlessly upbeat feel to the skinning and backgrounds. It’s a peppiness that belies how darn useful the OS is. Ubuntu is also moving very heavily toward snaps and Pop! OS supports snaps but is built more along apt lines.

My experience is that 20.10 improves on 19.10, as one would expect. The lagginess I saw before is now gone, which may be attributable to updated Gnome desktop. All the things that I loved about Auto-Tiling are still present, they just work better. On big displays, I really don’t see why you wouldn’t want this experience. Opening a new window automatically divides the display either vertically or horizontally. Gnome supports multiple workspaces, and I have been setting up desktops for specific workflows (like one for blogging that I’m using now). I don’t like the workspace switcher that ships with Pop! OS, so I installed Workspace Matrix. I also added Dash to Dock to give a dock and put the application button in a better location.

I first experimented with Tiling using i3 and later Regolith. Regolith in particular has a lot going for it and really opened my eyes to the possibilities, but I found both to be a lot of trouble to setup and work inside. i3 is very keyboard heavy and the folks who enjoy it the most are very keyboard oriented. Pop! OS provides a similar experience, but it’s less laborious in a number of ways. Tiling happens automatically, but if you don’t like the arrangement you can drag windows around to adjust the tiling. It’s easier to setup exceptions (pop-up windows, like my password database, that should float and not re-tile the screen). Keyboard shortcuts are supported, if you are oriented that way, but I rarely have used them in my testing.

Pop! OS also has a conventional Gnome app picker. Here I have a quibble - I would still prefer a heirarchical menu. If anyone can suggest a good Dash to Dock or Gnome extension in the comments, I’d appreciate it!

The animated GIF here is me playing around. I have two displays - a horizontal 4k on the right and a vertical 2k on the left. There’s a gray area above the 4k because of the way the resolutions match up. You can see Tilix and GNS3 open on the 4k, and Wireshark and an additional Tilix window open and automatically Tile. Then I open the application picker on and fonts on the other display. You can see Dash to Dock and get a sense of how the system works. You can also see that Gnome 3.38 now supports grouping applications, like Android, which I find a big improvement.

There are other differences besides tiling between Pop! OS and Ubuntu. There are different application “stores” and update interfaces, but both accomplish the same things in similar ways. There are different packaged apps, but you can install anything you need from PPA or snap on either system so this doesn’t strike me as worth cataloging. I used my standard Ubuntu post-install script when I setup Pop! OS and everything worked.

So, why not just install the Pop! OS extension on Ubuntu? Well, it can be done. System 76 publishes it to their Github. They’ve packaged it for Fedora, but not yet for Ubuntu, so it would have to be built. That’s not a mountain to climb, but I was ready for a clean install anyway and opted for the full Pop! OS experience.

I can’t say how much I appreciate what System 76 has done. They’ve created a slightly different take on Ubuntu that looks great on their hardware and they’ve made all the parts - from a full OS install to the “secret sauce” extension easily accessible to the community. I find Pop! OS enjoyable and useful and plan on keeping it installed on this machine.

My laptop is running fine using Ubuntu 20.10 with the Material Design extension, and there’s not enough of a difference to make me re-install it. Besides, I’d like to see where each tiler goes. There’s a lot in Material Design to recommend it and it’s still early days for that extension. Frankly, Pop! OS wasn’t quite baked at that stage either. I intend to keep Pop! OS on the Desktop. The current Pop! OS 20.10 feels sharp, responsive, and really well done and I look forward to seeing where System 76 takes this idea next.

Tilix

Wed, 25 Nov 2020 07:50:59 -0500

Tilix is a terminal application for Linux that I recommend as a replacement for the stock program (like gnome-terminal) shipped with your distribution. This article will walk through some of the reasons I like Tilix and will show you how to use it with GNS3.

The basic pitch of Tilix is that it is a tiling terminal. New terminals exist in sessions. Within a session, terminals can split the window horizontally or veritcally.

Think of a session like a desktop. You could create a poor-man’s IDE by grouping three sessions on a desktop, with one showing a directory, a second running nano, and the third ready to receive a command. Another session could be used for networking, with terminals open to a firewall and switch. You manage sessions with the drop-down menu on the right.

Sessions can be divided up into terminals. New terminals split the screen. You create a new terminal using the “horizontal split” button or the “vertical split”.

There are a lot of additional features, such as a search function (particularly useful when scrolling through thousands of lines of syslog output), but the tiling features are what makes this program so darn useful to me. As I have moved to larger displays (I typically work on a 40" 4K display these days), managing windows is more of a chore and I prefer things that help organize the desktop.

Tilix supports any customization that a normal terminal application allows. I’ll dig a little into this aspect in a seperate article, but I’ve included links for some of the ways I make my terminal easy to read. I use the powerline-shell prompt. I use either JetBrains Mono font or Fira Mono, which both support programming ligatures. There’s a variety of other monospace fonts with ligature support at the Powerline Git Repo.

Using Tilix with GNS3

GNS3 allows you to set the terminal application it uses under edit > preferences. The drop-down for console sets GNS3 to work with some of the most common applications, such as gnome-terminal or PuTTY. Tilix isn’t defined, but it works really well in this scenario because GNS3 users typically have several terminal sessions on-going and need to easily move between them.

To configure GNS3 to work with Tilix, choose “custom” and edit. Here’s the command that is needed:

tilix -a session-add-right -t "%d" -e "telnet %h %p"

This setup uses Tilix and opens new terminals to the right of the existing one. Other options set the title and tell Tilix how to connect to the GNS3 device. The variables are defined in GNS3 and are visible in the edit screen - %d is the tile, %h is the IP and %p is the port. Tilix has a man page if you want to investigate other options.

Kali Linux 2020.4

Fri, 20 Nov 2020 10:30:00 +0000

My favourite Operating System (Kali Linux) has a new release: 2020.4.

The changes in this version include, but not limited to: ZSH is now Kali’s new default shell on desktop images and cloud, Bash remains the default shell for other platforms (ARM, containers, NetHunter, WSL) for the time being. Users can, of course, use that which they prefer, but be aware that, visually, Bash has been made to look more like ZSH. Upon logging into a Kali terminal or console, users may be presented with a message from Kali developers that will point them to more information about that specific installation, in case they need it for troubleshooting

The most interesting part is that, Kali Linux 2020.4 now comes with a number of new tools to play with:

Metasploit Framework v6 (a tool for developing and executing exploits against remote target machines)
CertGraph (a tool to crawl the graph of certificate Alternate Names)
Apple bleee (a tool for getting info about nearby iPhones – device name, OS version, phone number, etc. – by sniffing Bluetooth traffic)
dnscat2 (a tool for creating an encrypted C&C channel over DNS)
FinalRecon (an automatic web reconnaissance tool)
goDoH (a Command and Control framework that uses DNS-over-HTTPS)
hostapd-mana (a rogue access point)
Whatmask (a program that helps with network settings)

Kali NetHunter, the distro’s mobile pentesting platform, has a new settings menu for easier back up and restore of configuration files, and a module that ensures persistence of the Magisk Android rooting system.

Win-KeX 2.5, which provides a Kali Desktop Experience for Windows Subsystem for Linux, comes with a new Enhanced Session Mode for ARM devices and a few other tweaks.

For additional information, you can check out the release notes at: https://www.kali.org/news/kali-linux-2020-4-release/

Visio Shapes

Tue, 17 Nov 2020 08:00:28 -0500

Stencil sets for you to use

I’ve created a new repository for Visio Stencils.

Affinity Blue is a set of abstract network icons set in circles. These are the alternative icons used in the GNS3 project. I like using them in GNS3 because they provide a nice “clean” look that makes diagrams easy to quickly understand. Vendor-specific icons for each type of firewall, for instance, can quickly distract from the function being provided and the flow of traffic. These icons have been given four cardinal connections points.

A second set is called “Brent’s Stencil”. This is a collection of “standard” shapes taken from a variety of online sources - mostly old Cisco drawings. If you like the old Cisco documentation diagrams, these give that same look.

This second stencil has been more heavily customized. Several of the icons have extra connection points (this makes it easier to label lines going to a switch, for instance). The “link” lines have been set so that the text will be at the same angle as the line, which helps to clean up diagrams.

This set is older - I’ve used it for at least a decade. It has some icons that show time has passed like a TDM PBX, analog phone, and ISDN switch. It also doesn’t have much in the way of containers, VMs, or clouds. Still, this collects a variety of useful icons and puts them in one place. I hope it is useful to you.

Creating a Custom Visio Stencil

For those interested in creating their own stencil set, the process is easy.
First, in Visio go to File > Options > Advanced and enable Developer Mode. This will allow you to edit the stencil later.

Grab an icon that you want to use and place it in Visio (either import it or just paste it in). is a pretty good place to find icons or images to use, or you can paste them in from other programs. If you’re using an image, make sure to resize the imported image to the size that you’ll want it to be most commonly. Most icons are about a half-inch square or so.

Next, edit the icons properties. Right click the image and open the ShapeSheet (top option). Go to the Connection Points section. If that section doesn’t exist, right click and choose “add section”. You can add lines to the connection point table to make it look the way you want. Each connection point exists on a grid where (0,0) is the bottom left corner and (width,height) is the upper right. Add a connection point to the middle of the right side by putting it at (width,height*.5). Right click the grid to add additional lines as needed.

In “Brent’s Stencil” I added a line which has text that is angled with the line. I did that by opening the ShapeSheet for the line and editing the Text Transform box to set the TxtAngle property to ATAN(Height/Width).

Whether you just clone the repo and use these or want to contribute to the collection, I hope this inspires you to do something cool!

Active Directory Security Assessment with PingCastle

Fri, 13 Nov 2020 10:30:00 +0000

Microsoft Active Directory (AD) is one of the technologies that is predominantly used in several organizations around the world. While we all know its purpose, most of the time it keeps growing or gets convoluted with uncontrolled Organizational Units, ever growing Users, ever increasing Computers, Policies, Integrations etc. While the Administrators remain busy in putting out the fires at work, they rarely get time to optimize, tune, clean or deploy best practices on the AD, and lock it down by implementing good security controls.

Enter PingCastle. I found this tool through an auditor who was using mimkatz to perform a pentest on an AD, and I found it to be super valuable. This may help some of the AD Admins to quickly identify some of the areas that they can fix within their AD deployments. The entire Pingcastle project is written in C# and it is available on GitHub, located at: https://github.com/vletoux/pingcastle

It is an AD security assessment tool, designed to quickly assess the AD security level with a methodology based on a risk assessment and maturity framework.

Features of PingCastle

Health Check - This is the default report produced by PingCastle. It quickly collects the most important information of the Active Directory and establishes an overview. Based on a model and rules, it evaluates the score of the sub-processes of the Active Directory. Then it reports the risks.
Active Directory Map - This report produces a map of all Active Directory that PingCastle knows about. This map is built based on existing health check reports or when none is available, via a special mode collecting the required information as fast as possible
Consolidation - When multiple reports of PingCastle have been collected, they can be regrouped in a single report. This facilitates the benchmark of all domains
Scanner - Checking workstations for local admin privileges, open shares, start-up time is usually complex and requires an admin. PingCastle’s scanner bypasses these classic limits. This feature is awesome and can help to cover some of the most blind spots on the network that are often overlooked

To learn more about this tool, please visit https://www.pingcastle.com/

Winapps

Tue, 10 Nov 2020 08:24:53 -0500

Winapps is a project that allows running Windows applications as if they were a part of a Linux Desktop. It’s a sleight of hand - the apps run in a VM and an RDP window is created for just that application. However, it integrates with the Linux environment and even let’s you use “open with” types of functionality.

To give it a try, clone the code from GitHub. Remember that it’s running programs that are installed on a VM. If you don’t have a Windows VM, the project includes an empty KVM machine that Windows and applications can be installed within. You can use an existing Windows VM (or even physical machine) if you have one. Windows doesn’t have to be a VM on your local machine - I set this up to run with a copy of Windows I’m running on my ESXi server downstairs. Theoretically, you could use your laptop or a remote computer to be the “Windows source”.

Create a text file at _~/.config/winapps/winapps.conf that looks like this.

RDP_USER="MyWindowsUser"  
RDP_PASS="MyWindowsPassword"  
#RDP_IP="192.168.123.111"  
#DEBUG="true"

The IP is only required if Windows is remote. The Debug command tells it to create a log and is optional.

Finally, run the install.sh script. This script will use the variables defined in the config file and login and scan Windows. If it finds a file it knows, it will setup the link, put an icon and entry in the local application menu, and link the appropriate mime-types.

When I tested this, I ran into a couple issues running the install script. The script would timeout. Looking at the script, I saw that it was trying to use xfreerdp to login to Windows. I ran that command from the command line and saw that it wasn’t connecting. Troubleshooting on Windows revealed that I needed to enable remote desktop under settings>system>remote desktop. Doh! Re-testing with xfreerdp revealed that I needed to accept a certificate.

With the RDP part confirmed working, I re-ran the script and voila!.

A lot of folks will be interested in running Office and those apps are defined, but I use my Windows VM mostly for things that can’t be done on Linux like running the Kindle application. Look in the repository under apps and you’ll see that various programs are defined, each to a directory. In the directory is a definition file that includes mime-types consumed and a path to the application in Windows. There’s also an icon in the directory. This is what the install script references when it runs.

I was able to create a Kindle definition file. I grabbed an SVG icon from Google Images and created an info file that contained the following.

# GNOME shortcut name  
NAME="Kindle"

# Used for descriptions and window class  
FULL_NAME="Amazon Kindle"

# The executable inside windows  
WIN_EXECUTABLE="c:\users\brent\appdata\local\amazon\kindle\application\kindle.exe"

# GNOME categories  
CATEGORIES="Education"

# GNOME mimetypes  
MIME_TYPES=";"

I wanted to add the work I’d done back to the project, so I forked the develop branch, added the files, and submitted a Pull Request back to “fmstrat”. I also added some troubleshooting suggestions for them based on my experience.

This was a neat adventure to write up because it combines a lot of the things we’ve been discussing in this blog. The implementation is a lot like running an X application on a remote machine, which we discussed in Remotely Possible. Of course we talk a lot about Linux and using Linux in a Windows world, and we talk about Git.

But this is another chance to hit on a favorite theme of mine. You don’t need to be gods-gift-to-programming to make meaningful and appreciated contributions to the open source community. In the day I took to play with this and contribute the Kindle definition, several other people also submitted apps and the library is quickly growing. Similar to defining GNS3 appliances, there’s a lot of ways to give back. There’s a real satisfaction to contributing in this way that I hope you have a chance to experience.

As far as Winapps, as I mentioned at the beginning, it’s interesting and definitely looks cool. I’m not complete sold that it’s that much more useful than just pulling up a Windows VM, but it’s close enough that it will fit the work styles of some folks really well. It’s worth a look!

Web Application Performance Assessment - Quick & Easy

Fri, 06 Nov 2020 04:30:50 -0400

Today, developers and content creators that maintain web applications are often looking out for ways to improve their site or web apps. This could be for High Performance (lower response time), Better Accessibility (consistent experience across all device types e.g. Tablet, Smartphone, PC), better Search Engine Optimization (SEO) score and other ways to improve the content by following industry best practices. There are many tools out there, which can be very expensive, and some have a steep learning curve.

I needed something that was very minimalistic, one that provides good information on issues that I can fix quickly and make my web application better. I came across Lighthouse.

Lighthouse is a tool supported and backed by Google Developers that helps to measure performance and provide recommendations on how to fix some of the issues that are discovered. It is very minimalistic and powerful. Here is a snapshot of the scores and a set of recommendations it provides to improve the web content – I was amazed by this!

Setting up Lighthouse

As a Google Chrome extension – Simply visit the Google Chrome Extensions and search for Lighthouse plugin

CLI Usage and Programmatic Access (requires Google Chrome Browser)

a. Install the Node.JS package, which matches your Operating System (OS) - https://nodejs.org/en/download/

b. Open a Terminal or Command Window and issue the command
```
NPM install -g lighthouse
```
c. To run a scan against a webpage, open terminal or command windows and issue:
```
lighthouse <url>
```

Reports Generated

An HTML report is generated that shows the Performance and other metrics along with the recommendations on how fix potential issues.

Enhancements & Recommendations

You can setup scheduled commands or scripts to makes Lighhouse run on a daily or weekly basis, and generate the output as a CSV or JSON format, instead of HTML. Subsequently, you can use the CSV or JSON format and parse the data to setup thresholds and alerts to trigger when the data points deviate below the predefined threshold levels.

This way you can setup a repetitive process to monitor your web apps. You can also use the tool internally on your test environment and ensure that all the bugs and performance hindering elements are rectified before you move the web applications to a live environment.

GNS3 2.2.16

Thu, 05 Nov 2020 08:29:40 -0500

GNS3 2.2.16 was released today. This release has a number of bug fixes that are mostly around Qemu and HyperV support. Of general interest, there’s a patch for a bug in capturing packets with Wireshark. I had an issue open involving downloading appliances from the application and that was fixed as well. This shapes up to be a good polish on a great application and I wouldn’t be surprised if this attention didn’t translate into generally better performance in other areas.

Should you upgrade?

This version doesn’t include a security fix. The VM improvements will help those running KVM or HyperV. There are some bug-fixes that will be of general interest, but aren’t critical. I recommend upgrading assuming you have a little time to sort out any issues.

How do you upgrade?

New and updated appliances

IPCop
Raspian
Arista VEOS
Aruba VGW
Cisco DCNM, IOSv L2, and IOSXRV9k
Extreme VOSS
F5 BIG-IP
Huawei AR1KV, CE12800, NE40e, and USG6KV
Juniper VMX , VRR, and VQFX
OpenWRT
OPNSense
TACACS
TinyCore
Ubuntu
Vyos

Wow! That’s a lot. I added IPCop and Raspian and described the process in those earlier and articles. I’m particularly excited about the Huawei additions. That’s been a big gap and it’s really nice to see that supported. Big thanks to “iceking2nd” for building those!

ZeroTier Router

Tue, 27 Oct 2020 22:10:59 -0400

This article continues the exploration of ZeroTier started in a previous posting. The first article described zerotier - an overlay virtual wire that hangs on the internet to connect disparate clients into a psuedo local network. At the end of the discussion, we had a PC at home and a 4G mobile phone talking over Zerotier.

I’ll continue the thought describing how to connect your local home network to your Zerotier virtual network. For purposes of this article, let’s consider a home network with a little complexity.

In this example, there is a base network of 192.168.100.0/24. The 101 network is routed through the firewall and is used for IoT devices, while 102 is used for wireless. 104/22 has a next-hop in GNS3, so that a network can be establish and ennumberated using the network simulator and still route out to the “real” world.

We want to create a router that has one interface in the local 192.168.100.0/24 network and a virtual interface in the virtual Zerotier 103.0/24 network, able to route between them. To do this, I built a new Linux server (an Ubuntu 20.10 VM, but any distro physical or virtual should work). I named the router “ZTRouter”.

A quick note - use care when routing 192.168.0.0/24 and 192.168.1.0/24. A lot of home routers use these ranges and adding a ZeroTier route to the same destination might lead to confusion. Select a space out of 10/8, 172.16/12, or 192.168/16 that won’t conflict with other routes you need to support.

ZeroTier Routing

I assigned ZTRouter 192.168.100.2/24 with a default route to the local router at 192.168.100.1. Next I installed Zerotier and attached it to the SDN built in the last article.

curl -s https://install.zerotier.com | sudo bash  
sudo zerotier-cli join 0123456789ABCDEF
sudo zerotier-cli listnetworks

The router will be automatically assigned an address on the ZeroTier network - in this case I received 192.168.103.88. listnetworks is used to confirm the connection.

The routing that will need to be setup might not be obvious, so let’s walk through each route.

192.168.103.0/24 is the Zerotier network. A range from this network should be used in “auto-assign pools” in ZeroTier Central, such as 192.168.103.1 - 192.168.103.50.
192.168.100.0/22 is the summary route to the local network and it points to ZTRouter. This tells the other ZeroTier clients that this range is available through ZTRouter.
192.168.104.0/22 is another summary route, this time for GNS3. Again, this communicates the availability of the range to the ZeroTier network via ZTRouter.

Routing between ZeroTier and the LAN

Next, ZTRouter needs to be enabled as a router. Edit /etc/sysctl.conf and uncomment the line that says net.ipv4.forward. This will enable the Linux machine to route when it reboots. Since we want it to work now, well use this command as well:

sudo sysctl -w net.ipv4.ip_forward=1

The local firewall also has to permit the traffic. Depending on the distro, you may have nftables, iptables, or ufw. Assuming the system uses iptables, start by getting the interface names.

ip link

For purposes of the article, let’s assume it shows you that the ethernet is enp1s0 and ZeroTier is zt1

PHY_IFACE=enp1s0; ZT_IFACE=zt1 
sudo iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE  
sudo iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT  
sudo iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT

Make the iptables changes persistent.

sudo apt install iptables-persistent
sudo bash -c iptables-save > /etc/iptables/rules.v4

Reciprocal Routes

If testing is done at this point, it will show that ZT clients can ping the LAN interface of ZTRouter but can’t reach other users on the LAN. What gives? The problem is that we’ve built a path from the ZT cloud into our LAN, but not the reciprocal path back. The local users have a default gateway of the Internet router and it doesn’t have a route to 192.168.103.0/24. The easy way to fix that is to give it a route. Everyone’s home router will be different, so in psuedo-code you just need to route 192.168.103.0/24 via 192.168.100.2.

Testing will now show that ZeroTier clients can ping devices in the “100” network! But, they can’t reach the other local VLANs. The problem is that ZTRouter doesn’t have a route. To fix that, add a summary route going to the Internet router.

ip route add 192.168.100.0/22 gw 192.168.100.1

Add this line to /etc/rc.local so that it is persistent.

Note that this summary includes the ZeroTier network. The routing table prefers the most specific path, so traffic to 103/24 will continue to route to ZeroTier and everything else will take the less specific route to the inter-vlan router.

At this point, ZeroTier clients will be able to reach all the local subnets (100/24, 101/24, and 102/24). Traffic to GNS3 can also be pointed to the Internet router, or it can be directed to a GNS3 router. Note that 100/22 and 104/22 can’t be summarized into 100/21 because they fall across a bit-boundary, so they’ll have to be configured as two routes.

One place that can cause trouble is route selection. On ZTRouter, the ZeroTier summary route for 100/22 will be in the routing table. The static route created must be a lower metric so that it takes precedence.

Summary

This is a slick setup. ZeroTier makes a great VPN client, punches through NATs, and can create sophisticated routing. The two places I expect folks to get hung up are getting the routes correctly configured in ZeroTier Central and making sure there is a reciprocal route back to the ZeroTier VPN range. If you have problems, work your way out from the router one step at a time and make sure you understand how the routes are working going in both directions (I’ve taught routing for twenty years and everyone always forgets to check the path back).

Of course, most networks won’t be as sophisticated as the one shown here and will be very straightforward to setup.

How to write an event to Windows and Linux logs

Sun, 25 Oct 2020 16:29:57 -0400

Anyone who has trouble sleeping should discover the joys of reviewing Syslog data. System logging contains a wealth of information that can assist in troubleshooting, security, and incident handling. The hard part is wading through all the data to put together a useful and actionable story. There are a wealth of tools to help us correlate and make sense these days, such as SIEM, but there are still times when we need to get into the data.

One of the first problems we encounter in understanding syslog is figuring out where to start in the stream of events. It would be nice if there were a bookmark that we could reference. This article is about inserting that bookmark into either Windows Event logs or Linux Journals.

PowerShell sudo

A brief aside: The dichotomy of an admin PowerShell session and a regular PowerShell session is annoying. One specific but near-to-my-heart example is the built-in terminal in Visual Studio Code (or VSCodium) for Windows, which uses a “non-admin” session.

Linux systems have sudo. Sudo allows a single command to run in an elevated state and sudo commands can be intermingled with un-priviledged commands. The following script uses scoop to grab a “sudo” application for Powershell.

iex (new-object net.webclient).downloadstring('https://get.scoop.sh')
set-executionpolicy unrestricted -s cu -f  
scoop install sudo

How to write an Event to Windows Event Log

This technique allows you to place comments into the Windows event logs, for instance to mark the beginning or completion of a change window. We could also build this into certain scripts so that they left an entry when they ran. It could even be automated into systems so that the markings took place without a person having to remember.

The general process is to create an information “source” to write into (if it doesn’t already exist) and then to write the event.

Creating a log source

Since we’re creating log events for comments, let’s create a log source that matches our username. If there are several admins, it may be a good idea to use a format like “admin-username” so that we can later search logs for “admin*”. Creating a new source requires PowerShell to run with Administrator priviledges.

New-eventlog -logname application -source "brent"

Note that you can use the environment variable $env:username. You can build this into a script - if the source already exists, the command will return an error to that effect.

Logging an entry

To create a log entry use the “write-eventlog” cmdlet. Specify the log (like Application or Security), the source that we defined, and the message. The EventID isn’t significant, so you could also use this numeric field if you had something suitable (like a ticket number).

Write-EventLog -LogName Application -Source "brent" -EntryType Information -Message "Sample text" -EventID 1

It is also possible to write an entry on a remote computer. The example below assumes that the source “bstewart” exists on the remote computer.

Write-EventLog -computername "Server" -LogName Application -Source "bstewart" -EntryType Information -Message "Sample text" -EventID 1__

Scripting

This can all be simplified in a script, saved as “log.ps1”

try  
{  
        sudo New-eventlog -logname application -source $env:username  
}  
Catch  
{  
    Write-Output "Log source already exists"  
}  
Write-eventlog -logname application -source $env:username -entrytype information -message $args[0] -eventid 1  
write-host "The following was written to the Application log using the source $env:username for that log."  
write-host $args[0]

Then run the command from powershell to write a string. It will try to create a source based on your username. If one exists, it will use it and keep moving. The argument is passed through as the message. You could easily extend this script to have a second argument to pass the eventid as well.

> .\log.ps1 "Something happened"

Linux (much easier)

Writing to the Linux journal is pretty straight-forward.

echo 'Sample text' | Systemd-cat

To take a look at this, just use journalctl -f.

We’ll talk about logging to syslog another time, or maybe I can talk Myron into delving in because he has great experience with pulling things out of SIEMs. Whether you use this in the scope of a SIEM or just for local logging, I’m sure you’ll find this idea useful.

ZeroTier Basic Configuration

Sun, 25 Oct 2020 16:29:57 -0400

Zerotier is a virtualized network that runs “on top of” the Internet.

Traditional VPN solutions are built around a VPN server, which acts as a hub location with a stable IP. Modern teams feature mobile workers and home connections with random IPs behind service-provider NATs. Start-up teams and home users are left with few options, all of which involve some level of compromise.

Zerotier works around this by offering a stable point to connect end-points. The connection strategy resembles VoIP connections - there’s a registration to a central point, that tries a variety of ways to create a connection to end points. It then allows the end-points to speak directly. All traffic between end-points is encrypted peer-to-peer.

Zerotier allows the creation of a “virtual ethernet” that connects disparate endpoints. I created a ZeroTier network and tested it with Fedora and Ubuntu Linux, as well as an Android phone. I was able to connect to the ZeroTier network from a guest wifi and over a 4G connection. Once connected, it behaved like a local network. I was able to SSH, browse and download files, access a Calibre server, and use KDE Connect.

Setting up a ZeroTier network

Go to ZeroTier and scroll down to the bottom to Sign Up. After signing up, you’ll be taken to the ZeroTier Central page and be given a 16-digit hex network id and a made up name (like “gratious_donut”).

Make sure under Access Control that you set your network to private. This will not allow new connections without your permission.

Under advanced, choose a network range. You can use one of the “easy” options or select an IP address range of your own. For now, just choose a pre-defined range.

There’s an option to use IPv6. The easy way is to click the ZeroTier 6PLANE option. It’s a great idea to be learning about IPv6, but most of us are still using v4 and if that’s the case for you then just leave this turned off.

That’s it for Central for now. Copy your network ID (the 16 digit hex number). We’ll need to revisit Central later, but next we need to setup devices.

Client installation

The instructions for setting up clients can be found at ZeroTier Downloads. There’s a clicky MSI installer for Windows, and a pkg for Mac. Smartphone users are directed to their stores.

On Linux, the software can be installed with this command:

curl -s https://install.zerotier.com | sudo bash

After installation, use zerotier-cli to join the new virtual network.

sudo zerotier-cli join 123456789ABCDEF

Go back to Central and scroll down to clients. Find the new client and check the Auth? box. You should add a name and description here as well to help identify this client as you add more endpoints.

Back at Linux, confirm that you’re on the network.

sudo zerotier-cli status

Next, let’s setup an Android endpoint to have something to talk to. Grab the app from the Play store. Click the + in the upper right and type in the network ID. Slide the ON button over and go back to Central and Authorize the client.

You can continue to add clients in this manner, but I suggest you pause here. My next article will be about routing between networks with Zerotier and that may be useful before you move further.

Ubuntu 20.10

Sat, 24 Oct 2020 18:40:56 -0400

I had a chance to download Ubuntu 20.10 and install it on a gen 8 i5 laptop. I typically use Cinnamon for a desktop environment, which I have long found to be mature, usable, and stable. In the past, I’ve found Gnome to be laggy but I’ve heard good things about 3.38.

I’ve become enamored of tiling windows as well. I’ve tried i3, Pop OS!, and others. So another thing I wanted to look into was the Material Design extension.

About Ubuntu 20.10

Ubuntu releases a Long Term Support (LTS) release biannually. LTS versions, like 20.04, are supported for five years and are appropriate for business servers. Interim releases like 20.10 are supported for nine months. These releases are kept current and represent the most up-to-date implementation of Ubuntu’s vision for the Linux desktop. Ubuntu supports a variety of DEs including KDE, Budgie, MATE and others. There are unsupported versions for Cinnamon and Deepin as well. I’ve used the MATE version for VMs in the past and it’s performed very well, but this time I wanted to check out Gnome.

The first two things that jumped out at me have to do with login. First, there’s now a built in choice to authenticate via Active Directory. I have several workstations and servers and the idea of being able to easily centralize authentication is very appealing. I haven’t had time to build that part out, but I will be looking into that process in the months ahead. I’m hoping I can make it work with FreeIPA.

The other thing - and this sounds minor - is the responsiveness of the login screen. It’s been my past opinion that Gnome was slow, but logging in is breezy. I use Windows 10 at work and the Ubuntu lock screen is especially quick comparted to that.

The default Gnome experience has an application grid like Android (all the apps in alphabetical order). This was always annoying to me - partly because I’m a heirarchical organizer and partly because I could never remember the name of the app I wanted. The new 3.38 allows you to organize your apps in whatever order makes sense to you and to pull icons into folders. This is a big win for me.

Ubuntu is still running Gnome on X. X Windows is stable and mature and has better support for NVidia video cards, but the next generation Wayland is coming and Ubuntu hasn’t pushed that envelope yet.

Ubuntu 20.10 includes Linux kernel 5.8.0.25. This was billed as the “biggest release of all time” by Linux Torvalds. Most of the improvements are around drivers and the Spectre patch. According to Phoronix, there’s good benefit for ATI graphics. Otherwise, from a desktop perspective, this won’t be a big deal.

Applications, such as LibreOffice (7.0), Firefox (82), and Thunderbird (78.3.2), have been updated to latest versions.

To me, the biggest difference between Gnome and Mate or Cinnamon is app selection. At the end of the day, despite the improved performance, it’s not enough to make me want to switch.

Tiling with Material Design

As I mentioned before, the window tiling paradigm really makes sense to me. I’ve tried i3 and Regolith, which I like, but they suffer from the same problem as Gnome - having an easy way to browse available applications. Pop OS! has a tiling extension for Gnome that’s well thought out, but I abandoned it because it made Gnome less responsive. Still, the Pop OS! experience came the closest to what I imagined tiling could be.

Recently I was introduced to Material Design. I decided to install it on my new Ubuntu 20.10 installation and try to “live in it” for a better test. Material Design is a gnome extension that provides a few really specific tiling options.

To install Material Design in Ubuntu 20.10, go to https://extensions.gnome.org and add the extension. Unfortunately, Ubuntu doesn’t support the Gnome add-in page out of the box. At the Gnome page, load the firefox extension. You’ll also need to install some supporting pieces for it to run properly. Note that the chrome-gnome-shell is used by both Firefox and Chrome.

sudo apt-get install libproxy1-plugin-networkmanager gnome-shell-extension-system-monitor  
sudo apt-get install chrome-gnome-shell

Windows are on desktops, with the taskbar across the top showing you what’s on the current desktop. Desktops are shown on the side bar, so you can think of the two bars as showing a grid of apps X desktops. The version of Material design at Gnome supports four windowing modes.

Single Window - each application takes up the full window and you can use the taskbar to move easily between them.
Split - each application takes up either the left or right half of the screen. The app order is shown on the taskbar, and you can drag to rearrange. Many times I’m typing in one window with another for reference, so this mode sets up exactly what I’m looking for.
Half - the first application occupies the left half of the screen. Subsequent apps stack to the right. You can drag windows or rearrange the taskbar to change which applications go in each spot.
Free - this is the “normal” Gnome experience, with tiling turned off.

In my testing, I found that I could set different modes for each desktop. Right now, the desktop I’m typing on has Codium on one side and a browser on the other in “Split” mode. My other desktop use “Half” with a big browser on the right and a terminal, Enpass, and settings stacked on the right.

I also installed the Gnome menu so that I’d have the heirarchical app picking experience I like. Material shell has a button for the gnome app grid but I want something different. I’m unimpressed with Gnome Menu. Anyone want to recommend a menu extension? Gnome Menu hits the minimum reqs - it’s an organized menu. On the other hand, you can’t type to search, it doesn’t open sub-menus automatically, and it doesn’t a place where frequently used apps or files can be quickly found.

In the end though, the beauty of Linux is that the machine is yours. In a half hour I installed a new distro with a new DE, updated it and installed some critical apps, customized the desktop for tiling and changed the application selection process.

Conclusion

I’m going to keep Ubuntu 20.10 and Material Design on this machine for a while. It works well on the 1920x1080 17" display. I’m also curious how the combination will work on my desktop with it’s two 4k displays, but I’ll take a little time before making that decision.

Ubuntu 20.10 has answered my objections to the laggy experience of Gnome and given me a “standard” desktop experience I can customize to my interests. I’m curious about your impressions - write to me and let me know!

SSHFS Automount

Sat, 17 Oct 2020 12:13:01 -0400

I described using SSHFS as an alternative to NFS back in Using SSH3. I’ve been using SSHFS as a standard way to mount since then, partly because I can use the same technique on a variety of OS and partly because it seems to work cleaner for me than straight NFS. However, I’ve been using a batch file to mount drives and that’s getting old. I’d like to just add the SSHFS targets into /etc/fstab and get them to automount. As a general rule, the Arch Wiki is a great place to find all things Linux. Even though I’m running an Ubuntu variant, the Arch Wiki set me straight. For this to work there are a number of things that have to be set. First, as described in Using SSH2 I need to make sure that logging into my target is done with keys so that an interactive password is not required. See the previous article for a more detailed walk through, but the basic process is:

ssh-keygen  
ssh-copy-id brent@192.168.1.1

test

ssh brent@192.168.1.1

Second, edit /etc/fuse.conf to allow non-root users to access drives when they’re mounted with the allowother option.

sudo nano /etc/fuse.conf
# add or uncomment the following line
user_allow_other

Find out your user id and group id. This is easy: there’s an id username command. Note that the ellipsis below just indicate that I’m in other groups and I’ve edited those out.

➜ id brent
uid=1000(brent) gid=1000(brent)** ...

Finally, add the targets to your etc/fstab.

sudo nano /etc/fstab  
sshfs#brent@192.168.1.1:/home /home/remote fuse user,_netdev,
 reconnect,uid=UID,gid=GID,idmap=user,allow_other 0 0

When you exit nano the remote directory should be mounted and active! It will also be there automatically each time you log back in. Hope this is helpful!

GNS3_2.2.15

Thu, 08 Oct 2020 09:21:45 -0400

GNS3 2.2.15 is out. Not much to report . . . reviewing the release notes indicates thi is mostly bug fixes.

Should you upgrade?

This version doesn’t include a security fix, and the bug fixes aren’t issues I’ve run into.

My personal experience with GNS3 has been that most upgrades go without a hitch. I usually just go for it, but I’m not typically dependent on GNS3 from day to day. Note that gns3-gui and gns3-server have to be the exact same version. If for some reason you upgrade one, you either have to roll back or upgrade the other.

How do you upgrade?

I ran into an issue upgrading the server side - docker-ce was missing a dependency. To resolve, I dropped down the shell and used docker’s instructions for installing on an Ubuntu host.

sudo apt-get update  
sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common  
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -  
sudo apt-get update  
sudo apt-get install docker-ce docker-ce-cli containerd.io

After that, I rebooted and re-initiated the upgrade to 2.2.15 and everything worked. The experience reiterates my point that GNS3 server upgrades sometimes have problems that can easily knock you off your game for a few days. Make sure you have a good backup before upgrading, or that you are not under time pressure.

Whitelisting Approach to Security

Wed, 07 Oct 2020 06:30:00 +0000

Today, I am sure that you would be hearing a lot of buzz around ransomware and other malware outbreaks. To combat some of these threats on a home consumer scale, we mostly use a traditional Anti-Malware (Anti-Virus) software. As you may know, this technology is based on signatures, patterns and heuristics, which are extracted from the malware behaviour or type; thus, as the number of malware instances increase, becoming more sophisticated in the ever increasing threat landscape, it becomes very hard for the Anti-Virus companies to keep up with the pace. I would like to call this a “Cat and a Mouse Chase”. Anti-Virus software may give you the best protection against known malware, but it may never give you adequate protection against unknown malware, whose signatures, patterns and heuristics are not known to anyone. By design, the traditional Anti-Virus fails miserably and is unable to keep up with todays sophisticated and evolving malware. This post is a follow-up to reasonable secure browsing.

Instead of focussing on blocking known malware through an Anti-Virus software, how about we only allow the applications and programs we trust and use on daily basis, and block everything else? Well, this is exactly what is called a “Whitelist” approach, while the former that we discussed above is called a “Blacklist” approach. This approach can be nearly 100% effective in blocking all malware if used correctly; however, most of the Whitelisting software out there is very expensive and only targeted towards enterprise use.

I use something called as AppSamvid, which is a free utility that is freely available at: https://cdac.in/index.aspx?id=cs_eps_appsamvid You can use this on any of your Windows based system and have it run as a Whitelisting software. Once installed, you would need to provide the list of applications and software utilities that you trust and use daily. Ideally, you should setup your system and create an effective “Baseline” that is a known ‘good’ or ‘trusted’ system state. Beyond this, any attempts to execute applications that are not listed in the Trusted list would be automatically blocked. You can unblock applications by providing the path or the file Hash. This is highly effective in blocking known and known malware.

Give this a try and get one step closer in perfecting your system security!

Calibre 5.0

Thu, 01 Oct 2020 20:27:16 -0400

One of my favorite open-source programs is Calibre. Calibre is like iTunes for books, in the sense that it allows you to build a library and helps with indexing and completing metadata. It even fetches book art!

I like e-readers. I have an Amazon Kindle Tablet and a Likebook Mars. Before that I used a Kobo and I’ve had a Nook and the old Sony Reader. I mostly read technical PDFs and sci-fi books in EPUB or MOBI. The Kindle is great for technical books because its easy to pinch in and out of diagrams. The Kindle is also harder on the eyes and can be distracting (it also has games and email, etc.). The Likebook is great for reading things like a good Science Fiction novel. It’s built to be a straight-up reader, so it’s not as distracting. I like the e-paper screen and it’s easy on the eyes. The Likebook has a quad-core processor and runs Android, so it’s reasonably fast (it’s just that epaper as a medium has a low refresh rate).

I get books from all over the place. I buy books that are interesting, I purchase “humble bundles” of programming books, and I subscribe to lists of free books like Bookbub and Centsless Ebooks.

How I Use Calibre

My first use-case is to build and maintain my “pleasure reading” library of ebooks.

Calibre can import all the different ebook formats and convert to any other. It supports TXT, AZW, MOBI, PRC, PDF, RTF, DOC, EPUB and others. In fact, you can tell Calibre the ebook model you are using and it will automatically convert books to the correct format for that device and use the screensize to format the book to work with your reader. Calibre can also look up missing metadata, like authors, descriptions, and art.

I use Apprentice Alf’s de-DRM tools to allow converting and formatting. To be clear - I’m an author and piracy deprives me of a reason to write so don’t steal! But it’s annoying that ebooks are locked in to a particular reader (what if that store goes Zune?) and it’s nice to be able to buy a book at the lowest price. DeDRM installs into Calibre as a plugin and just automatically strips DRM as a step in the conversion process.

The second place I use Calibre is for technical material. Open source projects and IT vendors put out a lot of their information as PDFs. I also put user manuals and other reference material into Calibre. The program allows me to curate those documents, apply meta-data, and easily search for “all docs by Cisco” or “recent books about Python” or “books by Brent Stewart”.

Libraries are directories and you can easily use Calibre to curate a library that can be shared - for instance, important documentation with appropriate metadata. Multiple instances of Calibre can access the same library as well - a technique I used for a while to access books from my desk or my laptop.

Calibre (like iTunes) makes it easy to plug in an ebook and transfer files from your library. More and more I’m using a feature in Calibre that produces a web interface and allows you to grab books over wifi. Both my Kindle tablet and Likebook can open the OPDR-compatible web page and use it to search and download. I can still plug them into local USB, but wireless access is easier.

Other Major Features

Calibre is written in Python, and has been packaged to run on pretty much any OS. Downloads are available for Linux, Windows and Mac, plus I’ve seen it ported to Haiku and AmiOS. If the different machines can reach the same share drive, the different Calibre implementations can all work out of the same library (see SSH File Sharing article).

Calibre has a feature that will run a scheduled job to grab articles from the web. You can use this to build a virtual newspaper delivered fresh every morning. This feature is interesting, but I’ve found it less compelling as the world has become more “always connected”.

Calibre also includes a reader that will open all the ebook formats it supports. This makes it easy to read on the desktop. If you are reading for work - for instance, a programming book where you want to work examples as you go - or using books for reference, this can be particularly helpful.

Calibre has a large set of plug-ins to help catalog ebooks, set the appropriate metadata, and clean up formatting.

Calibre 5.0

The author of Calibre, Kovid Goyal, continues to develop the program and has released point versions pretty consistently for years. He recently released version 5 and for the most part this major version shows continued incremental improvement. There’s now a dark mode (check that off the buzzword list!), better in-book searching, and the ability to highlight text in books.

The big news is that the code has been updated to Python 3. Python 2 has been deprecated, so this was an important step for the continuation of the project. It doesn’t make a difference from the usability perspective, but it’s nice to know that the project is in good shape.

Recommendation

I maintain a “reinstall script” to quickly setup the programs that I depend on when I do a new install (for the record, I have versions of this for Windows, RHEL-based Linux,Debian-based Linux, and Mac). Calibre is on that august list of programs that I can’t live without. Calibre has always been a great program, but Kovid continues to improve it bit by bit and maintained a high level of quality throughout. I depend on Calibre and highly recommend it.

OpenDNS For Home

Wed, 30 Sep 2020 08:07:00 +0000

Today, technology has advanced to a point, where it is much more affordable as compared to the last 25 years. We can recollect that having a computer with 32MB of Memory was a great thing; however, today’s smartphones come with 12GB of memory out of the box!

Speaking of smartphones, I’m confident that you have one too. Maybe even your parents and not forgetting children, colleagues and family members. With easy access to Technology, content on the Internet readily available at the click of a button or a swipe, how do you control this content, especially if you have young ones in your house or family? No doubt, that they would use it for their productivity, school or education work, but how do you monitor and ensure that they are not misusing it?

This post is a follow-up to DNS Services. Brent mentioned about OpenDNS in this blog and how it can help to control the content from the Internet. Keeping that into account, and the above mentioned concern, we can use OpenDNS to block inappropriate content, control the usage of social media and other content that as a parent or a supervisor you feel that it has negative effects on your young ones at home, and also help you to keep a track of their activity and know at all times about what they access.

If you signup to use OpenDNS on your home network, which by the way is totally free of cost, you can get the following benefits:

Block Malware - Protect your devices from malicious code

Block Content - Block specific content from the Internet, based on the type or categories. For e.g. Pornography and other content that you feel is harmful

Control Access - Set Time based access for content like Social Media sites so that your young ones don’t be a prey to the addiction

Monitor Usage - Keep an eye on the usage and using this information educate your folks at home about the risks

If you need to sign up and use OpenDNS, simply signup on their portal: https://opendns.com using your email address and subsequently use 208.67.222.222 and 208.67.220.220 as the DNS servers on your Home network. That’s how easy it is to get started with OpenDNS and protect your loved ones at home with this technology.

Using SSH (Part 5) - Remotely Possible

Tue, 22 Sep 2020 14:47:47 -0400

I confess that I never meant for this to be an SSH blog. It was an easy topic to write about when we started, but friends keep suggesting new things I should cover. The takeaway then is that SSH is a heck of a tool and can be used to accomplish a lot of different things.

Today’s topic is running a GUI program on a remote computer and displaying the output locally. Pretty cool, right? This is suprisingly easy to do.

Why would we want to do this? I already covered that under “pretty cool”, but I suppose I could say something about using your netbook to run a big program that needs lots of RAM and CPU.

To demonstrate, I’m going to run the text editor from my server on my desktop.

ssh -X brent@192.168.1.1 # -X or -Y work  
pluma

Simply SSH into a remote host using either the -X or -Y switch. From the remote prompt, enter the command to run the graphical program of your choosing and the window will be displayed locally. Using “-X” (as shown in the code) allows this to work but keeps the X11 Security extension restrictions. Using “-Y” like I did in the screen capture bypasses those restrictions. From an operative point of view, they act identically.

This has been the most straightforward of the series. If you’re interested in SSH, check out:

Privacy Enabled Search Engines

Mon, 21 Sep 2020 08:07:02 +0000

In the early days, when we didn’t know something, we would ask our parents or elders. With today’s digital transformation, we would normally run to a large search engine, provided by the big tech giants. These providers store and log countless search terms every day. Have you ever wondered what these tech giants do with the infinite data that is collected via the search engines?

Yes, you’ve guessed it right. They index it in their large data warehouses where they run complex machine learning algorithms to profile users, predict patterns and harness intelligence from this big data. This information is used to make product recommendations, shared to third parties to boost sales, etc. The real question is, how far would you trust these search engines with respect to your personal privacy?

This post is a follow-up to reasonable secure browsing. As a Security and a Privacy paranoid person, I would always recommend alternate search engines for better privacy protection. Below are two widely used Secure and Privacy focussed search engines that I use:

DuckDuckGo – This is my personal favourite and it is integrated in my Firefox browser. I absolutely love it for it’s Security, Trackers Blocking and Sleek Integration features. It has a feature-rich plugin for the Firefox browser that ranks all the sites you visit and displays a privacy score, while blocking the violating content. It can also be used on your Android and iOS based mobile devices – Do give this a try, and feel the difference! https://duckduckgo.com/

StartPage – This a Dutch search engine company that emphasises on online privacy. The coolest feature about this search engine is that for the extra paranoid, it offers an ‘Anonymous View’ that allows users to search results via a proxy. I absolutely love their marketing phrase – “We don’t log or share user personal information. Ever. We believe it’s Your Data. Not Big Data “. Try StartPage from https://www.startpage.com

CI for Docs with Pandoc (take 2)

Sat, 19 Sep 2020 13:18:28 -0400

In a previous post, I built out a Continuous Integration process for documentation. That process allowed the team to pull a Github repository and keep a local copy of documentation. As the markdown files were updated and the repository pushed, a clean PDF with table of contents was generated. I identified a few problems with that and I’ve been working to improve the process. If you take a look at the associated github project you can follow my struggles. Here’s where we are with the open issues from last time:

The generated document placed the cover after the table of contents. It also include the github README.md in the generated file. The Github CI process uses .github/workflows/test.yml to build the workflow and my file pulled in all the markdown files alphabetically.

\- run: echo "::set-env name=FILELIST::\$(printf '%s ' \*.md)"

with:  
  args: --template eisvogel2.tex --o output/result.pdf \${{env.FILELIST}}

I fixed this by changing FILELIST to use d*.md.

I was also able to improve the output a little by generating a default latex layout.

pandoc -D latex > ~/next.latex

I also found that including YAML headers in the markdown transferred over to the output. Pandoc only takes the first headers it finds, so I placed my files in doc0.md. I was able to transfer all my customizations from the latex file to the YAML, which is much cleaner to maintain. Here’s a version of that file.

---
title: "My Sample Doc"  
subtitle: ""  
author: [Brent Stewart]  
date: "2020-09-18"  
abstract: |  
This is a sample document used to demonstrate documentation via pandoc and Github.  
keywords: ""  
institute: "Nextpertise.Net"  
numbersections: true  
toc: true  
geometry: margin=2.5cm  
header-include: \pagebreak  
include-before:  
include-after:  
logo: "Feed-icon.png"  
header-includes: |  
 \usepackage{fancyhdr}  
 \pagestyle{fancy}  
 \lfoot{Prepared September 18th, 2020}  
 \rfoot{Page \thepage}  
 \cfoot{}
---

Notice that this also cleaned up the command line used to invoke pandoc,as things like the Table of Contents directive were moved to YML. You can also use this technique to change fonts, margins, headers, and such.

What’s not working

That the good news. Using the existing directions and my mymeta.md example, you can get a nice clean output. What’s not working is having a cover page. That led me into customizing the latex file, which led me to find the eisvogeltemplate project. Pascal Wagler has developed a very nice and usable latex template (it’s currently in my github project). I was able to use it locally and output wonderful PDFs. It has some dependencies that required I grab the full latex distribution (apt install texlive-full), but otherwise no problems.

I wanted to update the pandoc Docker file to support the eisvogel template. I made a custom Dockerfile to pull pandoc/ubuntu-latex and add in the full set of texlive files.

from pandoc/ubuntu-latex  
run apt update && apt install texlive-full texlive-full -y

This was then built and pushed to Docker hub.

docker build --tag=pandoc_texlive:1.0
docker push brentstewart/pandoc_texlive:1.0

I went back to github and updated the CI action to use the new docker file and to run pandoc –template eisvogel.tex -o Output/result.pdf d*.md and . . . didn’t work! I keep getting:

! LaTeX Error: File `adjustbox.sty' not found.

This works on my local system, but it doesn’t work if I run docker locally with my image. The default pandoc images don’t have the required files either.

I’ve tried rebuilding Docker with just the texlive-extras (a smaller set of Latex files). I tried editing the latex to remove the dependencies. So far nothing has worked.

Conclusion

Good progress was made on the project. I improved the CI output and simplified the CI process by using the default docker file and by supplying instructions in YAML. I also was able to produce really nice PDFs locally using the eisvogel.tex template.

Trying to duplicate this last step on Github failed because I’m missing includes in the docker system, and trying to update that Docker system has been a source of frustration! I’ll update this when I have some more time, but we’re getting close.

If anyone out there want’s to take a look at the github project and the docker image, I’d welcome your thoughts!

GNS3_2.2.14

Tue, 15 Sep 2020 09:21:45 -0400

GNS3 2.2.14 came out today (9/15). The GUI fixes a bug in the way new appliance versions are created. The server side tweaks how Qemu runs and includes Beta 4 of the Web-UI.

Should you upgrade?

This version doesn’t include a security fix, and the bug fixes aren’t issues I’ve run into. The Web-UI is coming along nicely. In my initial testing, I’m able to add a node to a topology, add links, and manage things from the webpage. It looks like this would make it easy to collaborate with others on a shared topology. I can also envision using this as my sole access to GNS3. I suggest you start evaluating it. If you do find a bug, be sure to log an issue on the GNS3 Github repository.

I have run into issues before that affected my ability to run GNS3 and took me a day or so to sort out (at least once was because I upgraded my OS, not because of GNS3). If you have ongoing work that depends on GNS3, hold off until you have a little slack in your schedule. One way to evaluate the risk is to look at the GNS3 community forum to see if there are posts about the new version.

How do you upgrade?

Git (and run) a File!

Thu, 10 Sep 2020 11:03:09 -0400

I maintain a private Github repository for my Linux install scripts. My install scripts setup PPAs, install programs that I typically use, and setup my system the way I want it. The repository has scripts for Ubuntu and Red Hat variants, plus secondary scripts that perform other admin tasks.

These scripts aren’t supposed to have personal information in them, but things like IP addresses, paths, and security measures could sneak in. I don’t want to have to worry about revealing something that opens me to attack, so the repos are private.

Creating a GitHub Private Repository

Github allows free accounts to host private repositories. Initialize a repo on Github. To make it private, go under Settings and choose options. Scroll down to the bottom to the section labeled “Danger Zone” and helpfully outlined in red. The first option is to Change repository visibility. Click here will give you the option to move this repository to private.

Private repositories operate just like public ones in my experience. The only difference is that access is limited.

Using a Linux install script

Here’s a snippet of the Ubuntu script to give you an idea of what I’m doing. This section sets up fail2ban (an SSH security measure) and installs VSCodium.

echo setup fail2ban
systemctl start fail2ban
systemctl enable fail2ban
echo "/[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3" >  /etc/fail2ban/jail.local
##VSCodium
wget -qO - https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/raw/master/pub.gpg | sudo apt-key add -
echo 'deb https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/raw/repos/debs/ vscodium main' | sudo tee --append /etc/apt/sources.list.d/vscodium.list
sudo apt update && sudo apt install codium

I build and tear down a lot of Linux machines (mostly VMs and EC2 instances). The initial install lacks some of the tools I expect, and I don’t want to go through a process to build the environment. The script automates this setup, saves me time and makes sure that I don’t forget anything!

Up until recently my process was to install Linux, grab git, then clone the repository. From there, I could move into the repository and run the scripts I wanted.

sudo apt install git
mkdir git/linuxinstall
cd git/linuxinstall
git clone__ https://github.com/brentstewart/Private_linuxinstall.git  
chmod +x myscript.sh
./myscript.sh

This works, but it’s a bunch to type. It also downloads more than the one file I need and leaves a repository on the drive. None of these are problems, but Linux is for the lazy and it feels like there’s a better way to do this.

An easier way

I don’t want a multi-step process and I don’t want to download my whole repository. The method I’ve developed to achieve this is to do all this in one line.

curl -s --header 'Authorization: token aaabbbcccdddeeefff1112223334445556667778' 
--header 'Accept: application/vnd.github.v3.raw' --remote-name --location 
https://api.github.com/repos/brentstewart/Private_linuxinstall/contents/hw.sh
&& chmod +x hw.sh && bash hw.sh && rm hw.sh

That a lot, so let’s break down each piece.

curl -s --header 'Authorization: token aaabbbcccdddeeefff1112223334445556667778' --header 'Accept: application/vnd.github.v3.raw' --remote-name --location__ https://api.github.com/repos/brentstewart/Private_linuxinstall/contents/hw.sh

Curl is used to transfer data via various protocols, including https.

-s puts curl in silent mode

- - header ‘Authorization: token X’ is used to authenticate to Github. You’ll need to create a token for your account, so choose settings under your account (upper right). Choose Developer Options and Personal Access Tokens. Create a new token and copy it to your script.

–header ‘Accept: application/vnd.github.v3.raw’ –remote-name are options that are documented by github as required. Don’t change these parts.

- - location https://api.github.com/repos/brentstewart/Private_linuxinstall/contents/hw.sh is the part that took an embarrassingly long time to get right. I read a lot of blog posts and api docs and tried a lot of things that didn’t work. I gather that the working examples I found online were from a previous iteration of github and the methods have been deprecated. This, however, works! The parts you’ll need to change here are your Github username and the name of repository. Contents stays on the path unchanged, but you’ll need to add in the file you are looking for on the end.

I didn’t want to run my install script over and over, so the referenced file just has echo Hello World in it (thus hw.sh).

&& is used to join multiple commands on a single line.

chmod +x hw.sh makes the file that was just downloaded executable

bash hw.sh runs the script

rm hw.sh deletes the file so that the new environment is clean

Conclusion

This approach has some interesting benefits. First, the slug of a command is the kind of thing that can be cut and paste into new machines.

Second, this approach is open to automation because it removes the login to Github (replaced by the token) and allows the process to complete unsupervised. As such, this would be the kind of thing that could be used to start up EC2 instances. In that case, you could easily automate a standard EC2 startup to pull a script from Github. Then you could maintain the current script and improve it over time without having to go into Cloudformation or EC2 to change processes.

A bonus conclusion as well - the result didn’t end up looking like I expected. I spent a lot of time trying to pipe commands together, and never developed that approach to a usable point. It’s important to have a good understanding of different approaches to a problem so that you can deal with the “expected unexpected” and keep moving.

I hope this discussion helps you! If you have other approaches to this problem, I’d love to hear about them in the comments below.

Fonts on Linux

Wed, 09 Sep 2020 16:42:10 -0400

I’m a little bit of a font nerd. In the early 90s, someone who knew computers and had a laser printer had an easy opportunity to get into graphic design. I knew computers and the college had a laser printer, so I got a copy of Looking Good in Print and dabbled. I’ve written about this earlier in describing my love of Postscript.

If you’d like to have some font options on Linux, there are some great places to get high-quality fonts that work well with Linux applications. This is a minor, but hopefully useful tip!

Formats

Most Linux desktop environments support a variety of formats, but the most common are PostScript, OpenType, and TrueType.

Postscript is the oldest of the three. Developed by Adobe in the 1984, they found a home on the Apple LaserWriter and were the way to print high quality fonts. They were expensive to license though, so Microsoft and Apple developed TrueType which was a similar vector-based approach to font description. TrueType added in the idea of “hinting” which offered more control over how glyphs were presented. OpenType is the evolution of TrueType and allows more complex descriptions of shapes and larger character sets (up to 64K).

All three formats work in Linux. Unless you are very detail oriented, I doubt you’ll be able to tell which font is TrueType and which is OpenType. There are a a lot of TrueType fonts available, but I use OpenType if I have a choice.

Using Apt

One way to get fonts is to use the archive for your distribution. For Ubuntu, there are a variety of fonts available via PPA. To list and install them use:

apt search font
sudo apt install fonts-noto

Noto is a Google font that is clean and available in a range of type faces.

This is an easy way to install new fonts, but there’s no preview and this approach may require some effort.

From the Web

Option #2 is to search for fonts online. One great place to get (free!) quality fonts is from Google. Fonts can be previewed online and are easy to download. Google passes these to you as TrueType (TTF) files in a Zip. Unzip the file and copy the files to /usr/share/fonts. The fc-cache command rebuilds the font cache to include the new files and they should be available in programs afterward.

unzip font.zip
sudo cp *ttf /usr/share/fonts/truetype
sudo fc-cache -f -v

The fonts directory has a set of sub-directories (including postscript, truetype, and openscript) so change the target directory appropriately. If you downloaded a group of fonts that are sorted into sub-directories, you can grab all the ttf files recursively using sudo cp *ttf /usr/share/fonts/truetype -r.

This font directory (/usr/share/fonts) makes fonts available to all users. If you want to install them for just one account, you can install them to ~/.fonts. I’ve never done it that way, since I control my system, but this would be particularly useful if you don’t have root privileges.

The Google site is a great resource, but there are many places to purchase or get open-source fonts online. Hope this helps!

GNS3 version 2.2.13

Mon, 07 Sep 2020 15:46:53 -0400

GNS3 2.2.13 dropped Friday (9/4). The new version doesn’t make any changes to the GUI, but fixes a bug that surfaced when using a Qemu device. It also includes Beta 3 of the Web-UI.

Should you upgrade?

For “production” software, I recommend upgrading to get security fixes or because there is a bug-fix or enhancement that you need. This version doesn’t seem to include a security fix, and the features aren’t things I use heavily so it may be optional. That said, the Web-UI is coming along nicely. In my initial testing, I’m able to add a node to a topology, add links, and manage things from the webpage. It looks like this would make it easy to collaborate with others on a shared topology. I can also envision using this as my sole access to GNS3. This is marked “beta”, but it seems to be in good shape. I definitely suggest you start evaluating it. If you do find a bug, be sure to log an issue on the GNS3 Github repository.

My personal experience with GNS3 has been that most upgrades go without a hitch. I usually just go for it, but I’m not typically dependent on GNS3 from day to day. Note that gns3-gui and gns3-server have to be the exact same version. If for some reason you upgrade one, you either have to roll back or upgrade the other.

How do you upgrade?

Creating a new GNS3 Appliance using a script

Fri, 04 Sep 2020 12:00:36 -0400

In Updating a GNS3 Appliance File I described editing a GNS3a file to update an appliance. That is the method I’ve used for a long time for updating and for creating new appliances, but the GNS3 team has included a Python program to walk you through the process of creating a new appliance and I thought it would be interesting to give it a try. I decided to create an appliance for the Raspberry Pi Desktop distribution.

I was listening to the most recent Linux Unplugged, and they were doing interesting networking using a Pi to connect two different 4G providers. Their setup allowed choosing an active path based on throughput or errors, or for balancing between multiple paths. The discussion touched on multi-link, policy-based routing, using Linux routing. It sounded like something I’d like to experiment with! I’ve linked to the show in the references. In addition, Raspian is a prettty good “light” desktop for testing in GNS3 and a lot of folks use it with their Pis, so I thought this would be an interesting appliance.

Setting up the Git environment

To begin, assuming you haven’t done so already, you’ll need to clone the gns3-registry repository from GitHub.

git clone https://github.com/GNS3/gns3-registry.git

If you’ve already cloned it, make sure that your branch is up to date. Upstream is the original source (in this case the GNS3 copy).

git fetch upstream

The new appliance “Wizard”

There’s a Python program included in the repository that acts as a “wizard” in guiding you through the appliance creation process. Invoke it by running new_appliance.py. I’ve copied the flow below, and I’ll interrupt the output occasionally to comment on the process.

The first few questions are pretty straightforward. I copied the description from the Raspberry Pi Foundation website.

brent@MintyTwenty:~/git/gns3-registry$ python3 new_appliance.py 
Appliance id (example: cisco-asav): Raspian 
Appliance name: Raspian  
Category of the appliance  
 1) router  
 2) multilayer_switch  
 3) firewall  
 4) guest  
 : __4__  
Description of the appliance. Could be a marketing description: __Raspberry Pi Desktop comes pre-installed with plenty of software for education, programming and general use; including Python, Scratch, Sonic Pi, Java, and more.    Appliance created to demonstrate new_appliance.py - read more at https://nextpertise.net. 
Name of the vendor: Raspberry Pi Foundation 
Website of the vendor: https://www.raspberrypi.org
An optional documentation for using the appliance on vendor website(optional leave blank for skip) :   
Product name: Raspberry Pi Desktop  
An optional product url on vendor website(optional leave blank for skip) : __https://www.raspberrypi.org/downloads/raspberry-pi-desktop__  
Version of the registry compatible with this appliance  
1) 1  
2) 2  
3) 3  
4) 4  
5) 5  
: 5
Document if the appliance is working or not  
1) stable  
2) experimental  
3) broken  
: 1

The Raspberry Pi Desktop is open source, so it’s available for free. I’ve removed my email address from the blog, to prevent spam via scrapping.

About image availability: can be downloaded directly; download requires a free registration; paid but a trial version (time or feature limited) is available; not available publicly  
 1) free  
 2) with-registration  
 3) free-to-try  
 4) service-contract  
(optional leave blank for skip) : 1
Maintainer name: Brent Stewart  
Maintainer email: X@X

The next section starts by asking how to use the appliance. This would be a place to reference built-in credentials or processes that should be used. Note also that I’m specifying a custom symbol. I took the Raspberry symbol and used Gimp to crop the image and scale it to 63px tall (GNS3 asks for symbols to be less than 70px). GNS3 asks for an SVG, but Gimp only exports as PNG so that’s what I’m using.

How to use the appliance(optional leave blank for skip) :  Default password is raspberry
An optional symbol for the appliance(optional leave blank for skip) : rpi.png

The script then prompts for the networking interface names. If you are not sure, leave this blank. Examples of different naming schemes including Cisco (gigabit1/1), Linux (enp6s0), and JunOS (4/0/0). It also asks for the type of card. I had success using virtio, which is the paravirtualized adapter using by Qemu.

Optional name of the first networking port example: eth0(optional leave blank for skip) :   
Optional formating of the networking port example: eth{0}(optional leave blank for skip) :   
Optional port segment size. A port segment is a block of port. For example Ethernet0/0 Ethernet0/1 is the module 0 with a port segment size of 2(optional leave blank for skip) :  
Type of network adapter  
1) e1000  
2) i82550  
3) i82551  
4) i82557a  
5) i82557b  
6) i82557c  
7) i82558a  
8) i82558b  
9) i82559a  
10) i82559b  
11) i82559c  
12) i82559er  
13) i82562  
14) i82801  
15) ne2k_pci  
16) pcnet  
17) rtl8139  
18) virtio  
19) virtio-net-pci  
20) vmxnet3  
: __18__  
Number of adapters: 1

The system prompts for RAM allocation, CPU, and disks. I set the RAM to 1GB to minimize memory usage on my test system, but my testing indicated that you’ll be more comfortable if you can bump this up. Leave the number of CPUs as the default. Select SATA as the HDA image and do not specify any other drives. This confused me the first time, since it loops through the same questions four times without queueing you about what it’s doing. Finally, notice that I’m emulating an Intel core since I grabbed the Intel RPi image. You could use the ARM image, but I didn’t see the value at this point.

Ram allocated to the appliance (MB): __1024__  
Number of Virtual CPU(optional leave blank for skip) :   
Disk interface for the installed hda_disk_image  
1) ide  
2) scsi  
3) sd  
4) mtd  
5) floppy  
6) pflash  
7) virtio  
8) sata  
(optional leave blank for skip) : __8__  
Disk interface for the installed hdb_disk_image  
1) ide  
2) scsi  
3) sd  
4) mtd  
5) floppy  
6) pflash  
7) virtio  
8) sata  
(optional leave blank for skip) :  
Disk interface for the installed hdc_disk_image  
1) ide  
2) scsi  
3) sd  
4) mtd  
5) floppy  
6) pflash  
7) virtio  
8) sata  
(optional leave blank for skip) :  
Disk interface for the installed hdd_disk_image  
1) ide  
2) scsi  
3) sd  
4) mtd  
5) floppy  
6) pflash  
7) virtio  
8) sata  
(optional leave blank for skip) :  
Architecture emulated  
 1) aarch64  
 2) alpha  
 3) arm  
 4) cris  
 5) i386  
 6) lm32  
 7) m68k  
 8) microblaze  
 9) microblazeel  
10) mips  
11) mips64  
12) mips64el  
13) mipsel  
14) moxie  
15) or32  
16) ppc  
17) ppc64  
18) ppcemb   
19) s390x   
20) sh4  
21) sh4eb  
22) sparc  
23) sparc64  
24) tricore  
25) unicore32  
26) x86_64  
27) xtensa  
28) xtensaeb  
: 26

The system will prompt for the console - set this to VNC.

Type of console connection for the administration of the appliance  
 1) telnet  
 2) vnc  
 3) spice    
: 2

I left the boot priority alone. I didn’t enable KVM within KVM :) and didn’t change process priority.

Optional define the disk boot priory. Refer to -boot option in qemu manual for more details.
 1) d  
 2) c  
 3) dc  
 4) cd  
 5) n  
 6) nc  
 7) nd  
 8) cn  
 9) dn  
(optional leave blank for skip) :  
Command line parameters send to the kernel(optional leave blank for skip) :  
KVM requirements  
 1) require  
 2) allow
 3) disable
: 3  
Optional additional qemu command line options(optional leave blank for skip) :  
Process priority for QEMU  
 1) realtime  
 2) very high  
 3) high  
 4) normal  
 5) low  
 6) very low  
 7) null  
(optional leave blank for skip) :

Finally the script gets to images. I added two images - the blank drive that the GNS3 project posted to SourceForge and the Rpi image I downloaded earlier. In both cases, checksum can be obtained with the md5sum command on Linux and the file size found with ls -l. This image isn’t encrypted or compressed, so that was left blank.

Add image?[y/n]: y
Filename: 2020-02-12-rpd-x86-buster.iso
Version of the file: 2020-02-12  
md5sum of the file: 98f34fb53086752b4c9c452094f30740  
File size in bytes: 3128147968  
Download url where you can download the appliance from a browser(optional leave blank for skip) : https://www.raspberrypi.org/downloads/raspberry-pi-desktop/  
Optional. Non authenticated url to the image file where you can download the image.(optional leave blank for skip) :  
Optional, compression type of direct download url image.  
 1) bzip2  
 2) gzip  
 3) lzma  
 4) xz  
 5) rar  
 6) zip  
 7) 7z  
(optional leave blank for skip) :  
Add image?[y/n]: y  
Filename: empty8G.qcow2    
Version of the file: 1   
md5sum of the file: f1d2c25b6990f99bd05b433ab603bdb4  
File size in bytes: 197120  
Download url where you can download the appliance from a browser(optional leave blank for skip) :   https://sourceforge.net/projects/gns-3/files/Empty%20Qemu%20disk/empty8G.qcow2/download 
Optional. Non authenticated url to the image file where you can download the image.(optional leave  blank for skip) :   
Optional, compression type of direct download url image.  
 1) bzip2  
 2) gzip  
 3) lzma  
 4) xz  
 5) rar  
 6) zip  
 7) 7z  
(optional leave blank for skip) :  
Add image?[y/n]: n

Last, it prompts you to setup a version that links the hardware and the images together to form a group. I’ve only built one version at this point. Again, the script cycles through prompting you for images, so be prepared for this and understand that you only need the HDA and CD-ROM devices in this scenario.

Add appliance version?[y/n]: y
Appliance version name: 2020-02-12
Image for hda_disk_image  
 1) 2020-02-12-rpd-x86-buster.iso  
 2) empty8G.qcow2  
(optional leave blank for skip) : 2  
Image for hdb_disk_image  
 1) 2020-02-12-rpd-x86-buster.iso  
 2) empty8G.qcow2  
(optional leave blank for skip) :  
Image for hdc_disk_image  
 1) 2020-02-12-rpd-x86-buster.iso  
 2) empty8G.qcow2  
(optional leave blank for skip) :  
Image for hdd_disk_image  
 1) 2020-02-12-rpd-x86-buster.iso  
 2) empty8G.qcow2  
(optional leave blank for skip) :   
Image for cdrom_image  
 1) 2020-02-12-rpd-x86-buster.iso  
 2) empty8G.qcow2  
(optional leave blank for skip) : 1
Image for initrd_image    
 1) 2020-02-12-rpd-x86-buster.iso   
 2) empty8G.qcow2  
(optional leave blank for skip) :  
Image for kernel_image  
 1) 2020-02-12-rpd-x86-buster.iso  
 2) empty8G.qcow2  
(optional leave blank for skip) :  
Add appliance version?[y/n]: n

Submit a Pull Request

I created a Raspberry Pi Desktop image, but assuming you’ve created a new appliance and want to share it you’ll need to submit your new file as a pull request. If you haven’t already cloned the GNS3 Registry Git, refer back to the beginning of the article for instructions on that part. Make sure your local copy is up-to-date. Two Python programs are included in the repo. Run them both on your copy before continuing. These are QA processes that look for issues before you submit. They will take a little time to run.

pip3 install -r requirements.txt   # this does __pip3 install jsonschma__ and __pip3 install pycurl__  
python3 check.py  
python3 check_url.py

Next push your local copy to your github copy. In Github terms, origin is your copy on Github, and master is the local copy.

git add .  
git commit -m "Added Raspberry Pi Desktop appliance"  
git push -f origin master

Now there is an up-to-date local copy of the gns3-registry that includes the updated gns3a appliance and your fork is up-to-date on Github. Next, offer the update to the project via a Pull Request.

Go to the gns3-registry repository on Github and select the Pull Requests tab and click the big green New pull request button. Under Compare, select the link to compare across forks (since your copy is a fork) and select your fork. It should show you the changes to files so take a moment to digest that and make sure this PR is doing what you want. Finally, submit the Pull Request. Github will email you when there’s an update to the request. If the GNS3 team has a question, they’ll submit a comment on the PR and leave it open for you to resolve. Otherwise, it will get merged in and all the other GNS3 users will be able to enjoy your hard work!

Results

The image seems to run well. If I test the Linux Unplugged scenario, I can add some additional interfaces to it easily. I’ll probably also add some RAM to liven it up. If you use this image, it boots into an install screen. You can use the ISO image with persistence, or you can install. Be aware that the install process took awhile.

The focus of the article was on using the included new_appliance.py script to build new appliances. In the past, I’ve just used an existing template and updated it manually for a new appliance. I found the script interesting, but it took several run-throughs to understand the flow and to get things setup the way I wanted. For me, it’s easier just to crank up nano and hand edit but the Python program wasn’t bad and would be particularly useful to someone who wasn’t as familiar with the process. Hopefully this walk through will help that person understand what to expect and make using the tool a little easier.

Do you have any custom appliances? Contributing to an open source project was really cool and I’d love for you to have the chance to experience it! Are there some appliances you wish we could build for GNS3? Write in the comments below, and maybe I can help you build it. I’d love to hear how you use this feature!

Updating a GNS3 Appliance File

Wed, 02 Sep 2020 08:41:13 -0400

This is a long post, but most of it is file contents. Keep reading!

GNS3 appliance files are descriptions of virtual machines used in network simulations. The appliance files have suffixes of .gns3a and are included with the GNS3 download. You can update the files and create new ones. The goal of this article is to walk through the process of working with appliance files and contributing them back to the community.

On a personal note, submitting a new GNS3 appliance was the first time I contributed to an open-source project. I’m still learning, but a few years ago I knew nothing. Jeremy Grossman, with GNS3, was patient and helped me understand the process of using Git. Contributing - even in this minor way - was a real high for me and I’d love for you to be able to share that feeling and contribute to this and other projects. GNS3a was my “gateway drug” into being a contributor and not just a consumer of open source.

One of the files I’ve contributed is the Security Onion appliance. Security Onion is a Linux distribution that focuses on security tools. Below is the current version (9/1/20) of the GNS3A file. Before we create a new appliance, let’s update this one.

{  
    "name": "Security Onion",  
    "category": "guest",  
    "description": "Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!",  
    "vendor_name": "Security Onion Solutions, LLC",  
    "vendor_url": "https://securityonion.net/",  
    "documentation_url": "https://github.com/Security-Onion-Solutions/security-onion/wiki",  
    "product_name": "Security Onion",  
    "product_url": "https://securityonion.net/",  
    "registry_version": 3,  
    "status": "stable",  
    "maintainer": "Brent Stewart",  
    "maintainer_email": "X@X",  
    "usage": "Your default account will have sudo priviledges.  Squil and Squert username and password are configured in the Setup wizard.  MySQL root is set to null.  For more info see https://github.com/Security-Onion-Solutions/security-onion/wiki/Passwords.",  
    "symbol": "securityonion-logo.png",  
    "qemu":  
    {  
        "adapter_type": "e1000",  
        "adapters": 2,  
        "ram": 3072,  
        "arch": "x86_64",  
        "console_type": "vnc",  
        "kvm": "allow"  
    },  
    "images":  
    [  
        {  
            "filename": "securityonion-16.04.6.1.iso",  
            "version": "16.04.6.1",  
            "md5sum": "ca835cef92c2c0daafa16e789c343d1d",  
            "filesize": 2020605952,   
            "download_url": "https://github.com/Security-Onion-Solutions/security-onion/releases/",  
            "direct_download_url": "https://github.com/Security-Onion-Solutions/security-onion/releases/download/v16.04.5.3_20181010/securityonion-16.04.6.1.iso"  
        },  
        {  
            "filename": "securityonion-16.04.5.3.iso",  
            "version": "16.04.5.3",  
            "md5sum": "886b369548c9c3841bc820cc3ab02bd9",  
            "filesize": 1895825408,  
            "download_url": "https://github.com/Security-Onion-Solutions/security-onion/releases/",
            "direct_download_url": "https://github.com/Security-Onion-Solutions/security-onion/releases/download/v16.04.5.3_20181010/securityonion-16.04.5.3.iso"  
        },  
        {  
            "filename": "securityonion-14.04.5.4.iso",  
            "version": "14.04.5.4",  
            "md5sum": "9c7cab756b675beb10de4274a3ad3bc6",  
            "filesize": 1874853888,  
            "download_url": "https://github.com/Security-Onion-Solutions/security-onion/releases/",  
            "direct_download_url": "https://github.com/Security-Onion-Solutions/security-onion/releases/download/v14.04.5.4_20171031/securityonion-14.04.5.4.iso"  
        },
        {
            "filename": "securityonion-14.04.5.3.iso",  
            "version": "14.04.5.3",  
            "md5sum": "fb80ccb2d3c0f3f511823fa5858f87d1",  
            "filesize": 1889533952,  
            "download_url": "https://github.com/Security-Onion-Solutions/security-onion/releases/",
            "direct_download_url": "https://github.com/Security-Onion-Solutions/security-onion/releases/download/v14.04.5.4_20171031/securityonion-14.04.5.3.iso"  
        },
        {
            "filename": "empty30G.qcow2",  
            "version": "1.0",  
            "md5sum": "3411a599e822f2ac6be560a26405821a",  
            "filesize": 197120,  
            "download_url": "https://sourceforge.net/projects/gns-3/files/Empty%20Qemu%30disk/",  
            "direct_download_url": "https://sourceforge.net/projects/gns-3/files/Empty%20Qemu%20disk/empty30G.qcow2/download"  
        }  
    ],  
    "versions":   
    [  
        {  
            "name": "16.04.6.1",  
            "images":   
            {  
                "hda_disk_image": "empty30G.qcow2",  
                "cdrom_image": "securityonion-16.04.6.1.iso"  
            }  
        },  
        {  
            "name": "16.04.5.3",  
            "images":  
            {  
                "hda_disk_image": "empty30G.qcow2",  
                "cdrom_image": "securityonion-16.04.5.3.iso"  
            }  
        },  
        {  
            "name": "14.04.5.4",  
            "images":  
            {  
                "hda_disk_image": "empty30G.qcow2",  
                "cdrom_image": "securityonion-14.04.5.4.iso"  
            }  
        },  
        {  
            "name": "14.04.5.3",  
            "images": {  
                "hda_disk_image": "empty30G.qcow2",  
                "cdrom_image": "securityonion-14.04.5.3.iso"  
            }  
        }    
]  
}

Most of this is pretty straight forward. The structure looks like:

A descriptive section

Name, Description, usage, vendor and product information can be taken from the source website
Category can be guest, router, firewall, or multilayer_switch.
Maintainer is the creator. Notice I’ve replaced my email for publication to the web.
Symbol should be a SVG file with a maximum height of 70px. Either reference an existing symbol or add a new one.

Next is the Qemu section that describes how the VM environment should be constructed. This is straightforward as well. Console types are VNC or telnet. You may have to try different ethernet adapters to see what works, but I recommend starting with the Intel e1000 because this model is supported by most VMs. Using a para-virtualized adapter may give better performance, so you may also want to try vmxnet3. Most architectures will be 64bit and RAM requirements will usually be on the website.

That leaves two sections - Images and Versions. There should be a matching entry in both places. The images section is a list of virtual hard drives and CD-ROM images to use in the VM and includes:

Filename, version, and download URL
md5sum - most Linux distributions include the command md5sum. Download the appliance ISO and use md5sum myfile.iso to generate a checksum. Most Linux distributions include the checksum on their download page as well, so double check your version.
filesize is reported on Linux using ls -l
If an empty drive image is needed, GNS3 provides them in different sizes on Github (as referenced above) The versions section needs to have a name that matches the version number provided in the images section. That ties the images to the correct version. Notice that I’ve set this up to boot to an empty machine and prompt the user to do the installation. I could also supply a QCOW2 file with Security Onion pre-installed.

Let’s update this file. There are a lot of old images listed as options. I’ll remove the image and version sections for 14.04.5.3 and add the most recent (16.04.7.1). That will leave users with the last 14.x and two images in 16.x including the latest. Whether dealing with a distribution or a commercial image, changes made between versions may introduce new processes or bugs so leaving some older images gives users an easy workaround. Here’s the updated file. Scroll below the output for a discussion of submitting this back to the project.

{  
    "name": "Security Onion",  
    "category": "guest",  
    "description": "Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!",  
    "vendor_name": "Security Onion Solutions, LLC",  
    "vendor_url": "https://securityonion.net/",  
    "documentation_url": "https://github.com/Security-Onion-Solutions/security-onion/wiki",  
    "product_name": "Security Onion",  
    "product_url": "https://securityonion.net/",  
    "registry_version": 3,  
    "status": "stable",  
    "maintainer": "Brent Stewart",  
    "maintainer_email": "brent@stewart.tc",  
    "usage": "Your default account will have sudo priviledges.  Squil and Squert username and password are configured in the Setup wizard.  MySQL root is set to null.  For more info see https://github.com/Security-Onion-Solutions/security-onion/wiki/Passwords.",  
    "symbol": "securityonion-logo.png",  
    "qemu": {  
        "adapter_type": "e1000",  
        "adapters": 2,  
        "ram": 3072,  
        "arch": "x86_64",  
        "console_type": "vnc",  
        "kvm": "allow"  
    },  
    "images": [  
        {  
            "filename": "securityonion-16.04.7.1.iso",  
            "version": "16.04.7.1",  
            "md5sum": "6bd811a05c1ec7973b8fca5c34cec13e",  
            "filesize": 2132803584,  
            "download_url": "https://github.com/Security-Onion-Solutions/security-onion/releases/",  
            "direct_download_url": "https://github.com/Security-Onion-Solutions/security-onion/releases/download/v16.04.7.1_20181010/securityonion-16.04.7.1.iso"  
        },  
        {  
            "filename": "securityonion-16.04.6.1.iso",  
            "version": "16.04.6.1",  
            "md5sum": "ca835cef92c2c0daafa16e789c343d1d",  
            "filesize": 2020605952,  
            "download_url": "https://github.com/Security-Onion-Solutions/security-onion/releases/",  
            "direct_download_url": "https://github.com/Security-Onion-Solutions/security-onion/releases/download/v16.04.6.1_20181010/securityonion-16.04.6.1.iso"  
        },  
        {  
            "filename": "securityonion-14.04.5.4.iso",  
            "version": "14.04.5.4",  
            "md5sum": "9c7cab756b675beb10de4274a3ad3bc6",  
            "filesize": 1874853888,  
            "download_url": "https://github.com/Security-Onion-Solutions/security-onion/releases/",  
            "direct_download_url": "https://github.com/Security-Onion-Solutions/security-onion/releases/download/v14.04.5.4_20171031/securityonion-14.04.5.4.iso"  
        },  
        {  
            "filename": "empty30G.qcow2",  
            "version": "1.0",  
            "md5sum": "3411a599e822f2ac6be560a26405821a",  
            "filesize": 197120,  
            "download_url": "https://sourceforge.net/projects/gns-3/files/Empty%20Qemu%30disk/",  
            "direct_download_url": "https://sourceforge.net/projects/gns-3/files/Empty%20Qemu%20disk/empty30G.qcow2/download"  
        }  
    ],  
    "versions": [  
        {  
            "name": "16.04.7.1",  
            "images": {  
                "hda_disk_image": "empty30G.qcow2",  
                "cdrom_image": "securityonion-16.04.7.1.iso"  
            }  
        },  
        {  
            "name": "16.04.6.1",  
            "images": {  
                "hda_disk_image": "empty30G.qcow2",  
                "cdrom_image": "securityonion-16.04.6.1.iso"  
            }  
        },  
        {  
            "name": "14.04.5.4",  
            "images": {  
                "hda_disk_image": "empty30G.qcow2",  
                "cdrom_image": "securityonion-14.04.5.4.iso"  
            }  
        }  
]  
}

Testing

In GNS3, go to File > Import Appliance and make sure that your appliance imports correctly. GNS3 will provide guidance if there’s a formatting error. Looking at the JSON above, you can imagine that a common mistake is unmatched brackets!

If the GNS3a file loads, test it by creating an instance. You need to test at least any new versions you added. Make sure the appliance boots without error and that expected interfaces are available.

Submit a Pull Request

Once the pieces are working, submit the appliance to the community by cloning the GNS3-registry on Github and adding in your file.

git clone https://github.com/GNS3/gns3-registry.git

If you’ve already cloned it, make sure that your branch is up to date. Upstream is the original source (in this case the GNS3 copy).

git fetch upstream

Two Python programs are included in the repo. Run them both on your copy before continuing. These are QA processes that look for issues before you submit. They will take a little time to run.

pip3 install -r requirements.txt   # this does __pip3 install jsonschma__ and __pip3 install pycurl__  
python3 check.py  
python3 check_url.py

Next push your local copy to your github copy. In Github terms, origin is your copy on Github, and master is the local copy.

git add .  
git commit -m "Updated Security Onion"  
git push -f origin master

Now we have an up to date local copy of the gns3-registry that includes our updated gns3a appliance and we’ve updated our fork on Github. Next, we offer our update to the project via a Pull Request. You are going to be one of the cool kids! Go to the gns3-registry repository on Github and select the Pull Requests tab and click the big green New pull request button. Under Compare, select the link to compare across forks (since your copy is a fork) and select your fork. It should show you the changes to files so take a moment to digest that and make sure this PR is doing what you want. Finally, submit the Pull Request. Github will email you when there’s an update to the request. If the GNS3 team has a question, they’ll submit a comment on the PR and leave it open for you to resolve. Otherwise, it will get merged in and all the other GNS3 users will be able to enjoy your hard work!

Thanks!

Using SSH Part 4 - Port Forwarding

Sun, 30 Aug 2020 15:12:24 -0400

Problem: We want to access an internal web page that is behind a firewall. We have SSH access to a server behind the firewall, and that server can see the intranet.

SSH has a solution for this type of problem - tunneling. Most people use SSH as a telnet replacement – as just a way to get a terminal session. SSH is capable of much more than mere terminal access. There are several ways to accomplish out goal, so let’s sort through them.

NOTE: This article demonstrates an obscure and useful way to use a tool, but raises two important points. First, don’t take any part of this to be an example of good design. I’ve constructed a case that allows demonstrating a technique. Second, using the tool this way may short-circuit your organizations’ security design and so security folks may want to mitigate against allowing this use.

Option 1 - SSH from the client

For this to work, the intermediate host (10.0.0.22 in this case) needs to allow itself to pass ports. Open the sshd_config file and set GatewayPorts to yes.

sudo nano /etc/ssh/sshd_config
# edit line to remove remark and change to yes
GatewayPorts yes

Next, ssh from the external device to the intermediate device and link a local port to an address and port reachable from the ssh target. In the example below, we connect into 2.2.2.2 (“server”) and then we map local (on the external device) port 8080 to a target reachable from the server - webserver port 80.

ssh -L 8080:10.0.0.80:80 2.2.2.2
# -L maps a local port
# 8080:10.0.0.80:80 ties port 8080 to a remote destination of 10.0.0.80:80
# 2.2.2.2 is the ssh target

After running this command, you’ll be asked to log into the ssh server normally. Once logged in, open a web browser on the external client to http://localhost:8080 and the remote internal webpage will be visible.

Option 2 - SSH from the inside (Reverse Tunnel)

Another option is to make a port available to a remote computer. In this case, we start ssh from the server and connect to the remote client (which we’ll imagine is me.myself.com). Again, the command prompts us to login to the remote machine.

ssh -R 8080:10.0.0.80:80 me.myself.com

At this point the remote user can open a browser to http://localhost:8080 and see the internal page. In fact, the firewall may allow ssh traffic to originate from the webserver. In that case the reverse tunnel could be established from the webserver without having to use an intermediate host.

ssh -R 8080:localhost:80 me.myself.com

Option 3 - HTTP from the outside

The final scenario to consider is to allow the server to listen on a port and forward traffic to the intranet server. Obviously this would require the firewall configuration to allow some port in addition to tcp/22 (SSH) into the server. In this case, we’ll ask the server to listen on port 8001 and forward that traffic to the internal web server.

ssh -R 8001:10.0.0.80:80 localhost

The client can now browse to http://2.2.2.2:8001 to see the webpage.

Conclusion

SSH port forwarding and reverse SSH connections are powerful tools that can circumvent network policy. Being familiar with this use may be helpful in troubleshooting, and may be important to you when considering how ssh servers are deployed.

DNS Services

Wed, 26 Aug 2020 12:01:51 -0400

This post is to continue the conversation started in Reasonably Secure Browsing with some options for home DNS setting that help protect you and your family. Like that post, this is intended for non-industry friends. My goal is to have a set of references for the people I care about, but who don’t share my love of technology. For the gurus out there, understand that this leaves out a lot of details for the sake of clarity for the target audience.

The first post covered browser settings that balanced security, privacy concerns, and convenience. Another way to improve your security is use an alternative DNS provider. DNS (Domain Name System) is an under-the-hood service that connects a name like “amazon.com” with a number like 176.32.103.205. Think about your mobile phone. We rarely memorize peoples telephone numbers anymore, we just call “Brent” or choose the picture that matches the person we want to call. The phone translates that into a telephone number. DNS is a centralized process that translates a name to a number to make the internet more “human friendly”.

Why should you care? Three reasons - speed, security, and privacy. DNS is typically set up by your Internet provider. Sometimes these implementations are the sources of problems, so changing the default DNS will give you a more stable (and sometimes faster) experience. Anyone “listening” to your traffic can easily make a list of where you visit by tracking DNS requests. This could be someone snooping on a shared wifi at the coffee shop, or it could be your ISP (in fact, ISPs sometimes redirect your traffic to internet locations they control for their own benefit).

There are a set of alternative DNS providers that provide free services that are unfiltered and private. I recommend that you consider one of these. They’re all good, but I’ve listed them in the order of my preference.

To enable, go into your router and change the DNS setting to the IP provided (the exact instructions vary by router). At home, this is a reasonable step to protect you and your family. If you travel, these providers also support a variety of options to encrypt your request, including DNS over HTTPS (DoH). I recommend using DoH within Firefox for devices that leave the house.

Firefox can encrypt your DNS traffic from “snoopers”. Go to the menu button and choose preferences and then Network Settings. Click Enable DNS over HTTPS and then choose a provider or select “Custom” and type in the IP address (included below).

OpenDNS (208.67.222.222) - Best for home use

OpenDNS is a great choice. By default, their free service is excellent. It recognizes many cases where you’ve been directed to a malicious site, and keeps you out of trouble by blocking it. OpenDNS is owned by Cisco, and it benefits from the huge investments they’ve made in Internet security. It also blocks adult content by default. You can create an account and customize your home’s experience - for instance, do you want to block Gambling or Tobacco advertising? These settings are tied to your home IP, so your laptop goes back to the “default” when not at home. Especially for public places, like church wifi, or for a home with children this allows you to control what portion of the Internet is available to users.

Cloudflare (unfiltered 1.1.1.1, malware blocking 1.1.1.2, malware and adult content 1.1.1.3)

Cloudflare is very easy to setup. Use the IP address that matches your use case. These settings can carry over when you are away from home if you change them on your device. There’s also an app that provides this service no matter where you are (just for mobile with Windows and Mac coming soon). Cloudflare has good settings for most cases, is easy to setup, and has the mobile apps, but lacks the customization of OpenDNS.

Quad9 (9.9.9.9)

Quad9 provides a service that is very similar to Cloudflare 1.1.1.2 - just set the DNS and forget it and it provides DNS with malicious sites blocked. My experience with Quad9 has been largely indistinguishable from Cloudflare or OpenDNS with default settings, when testing blocking or response speed. However, Quad9 doesn’t have the customization of OpenDNS or the apps that Cloudflare has.

Google (8.8.8.8)

This has been a popular alternative for the geek set for a long time. It’s easy to remember and it provides an “unfiltered” response.

Summary

Using one of these services helps to protect your home. I use OpenDNS at home and have customized it to filter out a range of categories. It doesn’t block everything on the Internet, but it addresses some of the obvious sites and it helps prevent “oops” experiences. It seems to help with advertising too. I use Cloudflare on my office network and it does a great job as well.

If you’ve benefitted from the Reasonably Secure Browsing discussion, this is another “reasonable” step that you can take to improve your families Internet experience.

Alternate GNS3 Symbols

Fri, 21 Aug 2020 13:18:28 -0400

GNS3 is a graphical network simulation tool. Imagine something like Visio that let you place network devices and draw connections, then boot them up and interact with them. The screenshot above is a simulation I ran that used five Cisco CSR routers to demonstrate BGP for a class. The devices typically run in KVM or Docker, but can use VMWare or Virtualbox. This article assumes that you are familiar with the project.

I’ve found GNS3 to be an invaluable tool. I used it to do labs while writing books years ago. I’ve used it to teach networking and security to the people who work with me, and to do labs to teach myself. I’ve also used it to simulate an environment and walk through a change process to practice, verify steps, and perfect configuration updates.

GNS3 originally had one set of symbols that could be used for the various virtual machines. The switches labeled “Home” and “Remote” in the screenshot are in this style. The GNS3 team added a family of symbols labeled “Affinity” (the CSRs use this type of symbol) which is very clean and modern.

The Affinity symbols work very well for most of my labs, but sometimes I need to differentiate between a Cisco router and VyOS. Sometimes you just need to call out a particular device. In fact, one of the symbols in my library is a big red X that I used to denote a server in a special project. For this reason, I created a library of symbols using vendor/project logos. The link for that project is in the reference section. Here are two sample icons I created.

Per the specifications posted in the GNS3 Registry project, symbols should be SVG less than 70 pixels tall. I’ve found that PNG with transparent background also looks good. I typically use the scaling feature in GIMP (Image>Scale Image) to adjust image size.

If you’d like to use these symbols, clone my repository. In GNS3, you can update the device template (and thus all future devices) by right clicking in the device selection window, choosing Configure Template, and then browsing for the Symbol. Alternatively, you can use a symbol for one instance by right clicking on the VM in the topology and choosing Change Symbol.

I add to the repository periodically and I’d love to have contributions from you. You can also submit them to the GNS3 project as a pull request on the GNS3 Registry project.

Team Documentation Using GitHub and Pandoc

Tue, 18 Aug 2020 13:56:30 -0400

Building team documentation is a critical part of IT. After all, you can’t manage what you don’t know about. You can’t follow policies you don’t know about. It’s common in IT that documentation is divided between shared files and updated copies on individual laptops. The problem is that it’s difficult for any one person to collect all the most recent files. I’ve learned a lot about Git in the last few years and I wanted to explore whether it could be an answer.

Various attempts have been made to resolve this versioning issue. One common approach is to ask everyone to contribute their individual documents to a shared folder. This has the advantage that everyone can be a contributor and the files are accessible and easy to update. However, different team members may update the file at different times and in different ways and there’s no clear editorial process to bring everything back together. A second approach is to have a strict editorial process – maybe a dedicated person who “checks in” so the boss can “approve”. There’s typically a drop box for proposed documents and then a locked-down directory with a PDF for the final version. This process can take a while, can occupy a person, and is discouraging to contributors.

Using Git has a lot of advantages. Everyone can have an up-to-date copy using git clone and git fetch. Team members can edit documents and submit them as Pull Requests (PRs). There’s a built in process for the repo owner to accept or reject those changes. GitHub already has an issues process that would make it easy to note deficiencies and discrepancies. Finally, Github repos can be marked private, are available even when internal systems are down, and maintain historical versions.

Having a repository of Word files would be useful, but formatting can be maddening. All those files will use different fonts, sizes, margins, colors, headings . . . sigh. Another problem is that you’ll have a directory full of files with names like ITPROC1.docx. As an administrator, I would like to have one place where I can easily browse through documentation and be confident that I’m up to date!

My proposal is to use Markdown files for documentation. They’re easy to create and reasonably readable in a text editor. As pushes or PRs occur, these files can be combined into a PDF using pandoc. I’ve built a demonstration of this in the referenced Github repository. There’s a Continuous Integration (CI) process built out of Github Actions. Setting that up adds a .github/workflows/name.yaml file to your repository.

Be careful! I originally built my repository locally and pushed it to Github, then used the Github actions “wizard” to setup the CI process. That builds an initial configuration file for you and puts it into your repository. The next time I pushed, this directory and file were wiped out! The result was that the CI process didn’t run and it took me a while to understand what I had done.

Here’s my YAML file to handle the CI process.

name: CI  
on:  
 push:  
   branches: [ master ]  
 pull_request:  
   branches: [ master ]  
jobs:  
  build:  
   runs-on: ubuntu-latest  
   steps:  
    \- uses: actions/checkout@v2  
    \- run: echo "::set-env name=FILELIST::$(printf '%s ' *.md)"  
    \- uses: docker://pandoc/latex:2.9  
   with:  
    args: --toc --output=output/result.pdf ${{env.FILELIST}}  
    \- uses: actions/upload-artifact@master  
   with:  
    name: output  
    path: output

This process will pull all the md files into a PDF, ordering them alphabetically. It will then add a table of contents to the front, based on headings found in the files. I’ve cribbed this together using the pandoc example on github (referenced below).

The result is a zip file named output that will show up under Actions. The latest run should be at the top of the screen, and clicking the link should show you the Artifacts produced. Note that if there are problems with the CI process, you can review those by looking at the build section. You could add to the CI process to have the output file emailed to you or stored in a convenient place. For instance, you could send the PDF directly to your Kindle! I’ve chosen not to bother with that since this is a public repository. Another idea would be to have this process output HTML files that could be placed on a local web server. Pandoc can handle PDF, HTML, EPUB, and a lot of other formats.

My repository is public and you are welcome to clone it and play with this process. The markdown files currently in place are filled with Lorem Ipsum nonsense but they give you a sense of how it might look as a finished PDF. I’d like to build in an automatic way to add a cover page. The Pandoc documentation also references using a CSS file to dictate formatting when outputting to EPUB, so I’d like to see if I could get that supported in PDF. PRs are welcome if you have any ideas!

What do you think? Would this be a good way for your IT group to maintain documentation? I’d welcome your comments in the section below!

Most Commonly Used Linux Commands

Mon, 17 Aug 2020 12:47:16 -0400

I’ve seen some articles recently on “Linux commands frequently used by admins” or “15 commonly used Linux commands”, which got me thinking . . . what commands do I use most frequently?

history shows us a list of recent commands starting with a sequence number (example below). But I just want the command!

> brent@MintyTwenty:__~$ history__  
    1  mkdir git  
    2  cd git  
    3  git clone https://github.com/brentstewart/Mint-install.git  
    . . .

Piping this output into awk allows me to filter this down to the first word. Awk can pull a field out; in this case the sequence number is field 1 and the command is field 2.

>  brent@MintyTwenty:~$ __history | awk '{print $2}'__  
    mkdir  
    cd  
    git

Getting closer! I want a frequence count of which commands are used, so let’s pipe this to uniq -c.

> brent@MintyTwenty:~$ __history | awk '{print $2}' | uniq -c__  
      1 mkdir  
      1 cd  
      1 git  
      3 sudo  
      1 exit  
      1 git  
      1 ls  
      1 cd  
      1 git  
      1 cd   
      1 ls

Notice that it’s showing cd counted in multiple groups. I think this is because of the way uniq is grouping, so let’s help it out by piping that output to sort before asking uniq to group and count.

brent@MintyTwenty:~$ __history | awk '{print $2}' | sort | uniq -c__  
      1 "  
      3 alias  
      4 awk  
      4 ./basic.sh  
      1 cat  
     31 cd  
      3 chmod  
      . . .

At this point it is easy to find that my top commands are:

history (probably from working through this example)
git
cd
ls
sudo

JAMStack

Mon, 17 Aug 2020 08:25:02 -0400

I wrote a few weeks ago about setting up this site using Hugo and [Render. It’s become clear since then that what I “discovered” was a developed concept aimed at solving big problems in web development and that my use case was the simplest use. Some of you were no doubt well ahead of me, but couldn’t tell me because I didn’t have a comment system on the blog until this week. Hugo and Render are one iteration of a concept called the JAMStack.

You should consider JAMStack

LAMP is a particular implementation of a web server. By comparison, JAMStack is a loose collection of ideas about how to assemble the pieces needed to serve a webpage. I have a diatribe on the “loose but enlightening concept” to “marketecture babble” cycle, but I won’t bore you with it. Suffice to say that JAMStack is still early in the process and thus still valuable.

With JAMStack we are removing the ediface of a database/content management system/webserver stack. The old model stored content in a database and built HTML on the fly. It was difficult on many levels - building, updating, and securing the pieces, maintaining capacity and availability, and difficult for content creators to view their finished page.

JAMStack, as originally defined, is JavaScript, APIs, and Markup. For Nextpertise, this is Hugo+Markup, 3rd Party APIs, and GitHub+Render. Content is easily created and edited, then pushed straight to a Content Distribution Network (CDN) which provides fast response everywhere in the world. I don’t have to build, license, or grow servers. I have a local copy of Nextpertise in a local Git repository and can build as much as I want with very little effort.

HTML is a markup language, but it’s complicated and it entangles site design into the content. Markdown is a simplified markup language that is human-readable. I write content using VSCodium as a markdown file. Hugo then compiles this markdown file against a template (in the case of this page, the single.html file in the themes/layouts/_default directory). In the VSCodium terminal, I’m running Hugo server -D and a browser is automatically updating a view of this page as I save. When complete, I can run hugo server and it will output my entire site as a set of html files in the public directory. Hugo and VSCodium are open source and well supported by their communities, but if you want to use something different there are too many choices for me to list. I hear good things about Jekyll, Gatsby, and Eleventy, for instance.

Once the site is updated, I push the local copy to Github. Git provides a backup and handles version control. It also handles permissions and tracks who makes changes, so I can invite collaborators over time. Finally, Git provides the Continuous Integration piece.

I don’t actually compile HTML locally. Hugo shows it on the fly for development, but keeping a local public directory and dragging file to a host can create a problem with old file versions still present. Better to compile a clean copy with each push, and GitHub handles that for me using a continuous integration (CI) process. When I push a change to Github, a process automatically kicks off to compile the HTML and pass it to Render for distribution.

Speaking of CDNs - I love working with Render. I chose them after inadequate research and thought they were entirely unique. It turns out that there are a number of ways to host static sites. I wrote about S3: good, but doesn’t have a way to auto-deploy from Github. I’ve heard good things about CloudFlare, Firebase, and GCP as well, but none of them have the CI integration. If that’s a major factor for you, also look at GitHub pages and Netlify. Of those options, I want to call out Netlify as providing a lot of support and documentation to the larger community.

Everything I’ve discussed so far is around static content. Great for a blog, but serious sites require user feedback for things like purchases and comments. In the case of Nextpertise, adding a comment option looked like it was going to require standing up an EC2 instance and deploying a service that I could embed in the page. But I really don’t want to build and secure a server and I especially don’t want to pay for one. This is where JAMStack gets into the API part.

There are services to which I can subscribe that will provide a tenanted commenting capability for my site. The biggest of these is Disqus. Disqus appears to be a great choice and reasonable plans are available. In the end, I used utteranc.es, which is a bit of code that leverages Github APIs to store comments in Github issues. I’m not building, I’m consuming. The JAMStack model is to use APIs (like utteranc.es) instead of incorporating that logic and - when you reflect on it - it’s a Unix-like philosophy of doing one thing well and coupling those things at a higher level. The philosophy I’ll take is to use third party APIs when possible, then to develop a Lambda if needed, then to stand up a server if I have to. I’ve seen third party apis for maps, weather, jokes, and even shopping carts.

We’re working our way backward thorough the JAM. Javascript would be added to help with interactivity, but at this point I don’t have a use case on my site. So, mid-August Nextpertise is no javascript, utteranc.es API for commenting, and Hugo>Git>Render for the static site.

I’m continuing to read on this and I want to be careful not to present myself as an expert. That said, I’m so enthusiastic about what I see that I wanted to share what I’ve learned with you. I’ll check back on this topic as I have a more developed picture. I’d also welcome your comments and suggestions!

Using SSH - Part 3 (File Shares)

Thu, 13 Aug 2020 11:15:42 -0400

One of the basic things you want to do on a network is share files. At one point, everyone had a Windows PC and this involved shared directories and Network Neighborhood. It had a lot of issues, but it worked. However, today we have a variety of clients and CIFS isn’t an easy (or appropriate) fit for all of them. This article focuses on home users, but enterprise users face some of the same challenges. There are a lot of ways you could do this; I’m going to share how I’m currently doing it. My environment includes several versions of Linux, Windows 10, a Mac, Chromebooks, and Android Phones.

I should start by saying that I’m not using Microsoft sharing – what has been variously termed SMB (Server Message Blocks) or CIFS (Common Internet File System). My experience with SAMBA (SMB on Linux) has been uneven and I’ve never wanted to invest the time. Your mileage may vary, but trying to sort out access and permissions and deal with the impact of software updates was a drag.

SFTP

SFTP is a Secure File Transfer Protocol built on top of SSH, and the two are usually bundled together since they are complementary. One of the easiest ways to use SFTP to transfer files on all platforms is to use Filezilla. Filezilla presents a left/right here/there file manager that allows easy drag and drop between locations. It works most places SSH works. Login using your SSH credentials and set the port to 22. If you use Filezilla often, the first button on the left is the Site Manager and remembers common destinations. Filezilla works, but there’s no way to open a file in an application from the other disk. It must be copied locally and this creates multiple file versions and is onerous to use. So - Filezilla if nothing else works.

Linux file managers like Caja and Finder on the Mac allow you to attach to an arbitrary destination in an ad-hoc fashion (Windows does not). For Linux and Mac, just use existing SSH credentials. This method also supports FTP, CIFS, and WebDav. I don’t recommend FTP because it’s not secure and it’s a very old protocol and can be difficult to handle on firewalls. WebDav is slow and involves some Apache setup. It can be secure, but most folks setting up a quick file share won’t take the time to make it so. I recommend SSH/SFTP. File managers generally allow bookmarking, but don’t automatically reconnect. I’ll walk through a technique that builds the connection at startup later in the article.

On Android, I’m using Cx File Explorer. This application allows me to connect to SFTP resources and bookmark them. Cx integrates with the rest of Android, so I can do things like type an email and use Cx to attach a file from the server. Cx has the same requirements SSH does - a network path to the server and credentials. For me, a common use is to grab a PDF from the server and transfer them to my Kindle.

Aside - NFS

Network File System (NFS) is a dream for devices that support it. It lacks the ad hoc browsing you might do on a Windows network, but at home I want all the files on the servers and if I have to do horizontal file sharing I can figure it out. Setting up NFS on the server involves getting the NFS server, setting up the /etc/fstab configuration file, and publishing the share using exportfs. The example below publishes my user directory from the server.

sudo apt install nfs-kernel-server nfs-common
sudo nano /etc/exports
add lines similar to this one
/home/brent 192.168.1.0/255.255.255.0(rw,anonuid=1000,anongid=1000,sync)

save file and . . .

exportfs -avf

On the client, I’ll map this share to a folder so it sits in my directory tree. In this case, I want my server user directory to fit under my local user directory as the server sub-directory.

mkdir ~/server
sudo nano /etc/fstab

add lines similar to this one

192.168.1.1:/home/brent /home/brent/server nfs default 0 0

save file

sudo mount ~/server

It should just work, but you may need to use mount to kick it in the rear. Because this is setup in your fstab file, it will automatically reconnect when you restart. My personal workflow is to save all my work products to the server because that’s what is being backed up. I use the local folders for scratch files, downloads, etc. I like to try new things and end up re-installing my OS on my desktop about three times a year. I can throw my Ventoy USB stick in the PC, pick a distro, and be back up with no lost data in minutes!

NFS works great for Linux to Linux filesharing. I didn’t have great success with Windows. There is a process that includes using Services for NFS, but I won’t even link to it. It was difficult to get working and didn’t “just work” in the way that I wanted for my wife’s PC. I haven’t seen a way to use this with Android and haven’t attempted with Chrome. On the Mac, this works fine and is supported by Finder. The procedure is just:

showmount -e 192.168.1.1 #view available shares
sudo mkdir /server-files #depending on where you put it, you may not need sudo
sudo mount -o rw -t nfs 192.168.1.1:/home/brent /server-files__

NFS can be secure. NFSv4 encrypts traffic in-transit and v2/3 allow you to limit promiscuous connections using a mask. In the enterprise or if your traffic crosses a public network you really need to use v4.

SSHFS

SSHFS is a file system using SFTP. Since SFTP is built on top of SSH, SSHFS inherits all the goodness of SSH. SSHFS works for everything I’ve tested so far - I haven’t gotten to the Chromebooks yet, but I have used it in Windows, Mac, Linux, Haiku, BSD, and others. SSHFS requires installing the sshfs package and installing the SSH server daemon. File permissions are communicated based on how you login.

On Linux, the command to mount a directory using SSHFS looks like this (the server is 192.168.1.1).

sudo apt install sshfs
mkdir ~/server #if it doesn't already exist_  
sudo sshfs -o allow_other,default_permissions brent@192.168.1.1:/home/brent /home/brent/server

You can add this to fstab if you want it to be automatic.

sudo nano /etc/fstab
# add this line
sshfs#brent@192.168.1.1:/home/brent /home/brent/server fuse.sshfs _netdev,idmap=user,uid=1001,gid=1002,allow_other,default_permissions 0 0

For Windows, I’m using a stack of WinFsp, SSHFS-Win, and SSHFS-Win-Manager (links in notes). Here’s the procedure:

Install WinFsp from Github - there’s an MSI attached to the latest release (I tested with winfsp-1.7.20172.msi)
Install SSHFS-Win from Github - again using an MSI (I tested with SSHFS-Win-3.5.20024-x64.msi). At this point you can map drives using the UNC \sshfs\user@server.

This is aimed at the family members who don’t want to futz around with computers all day, so install SSHFS-Win Manager from Github (I tested with sshfs-win-manager-setup-v1.0.1.exe). Once installed, click “add connection”. The connection information is standard SSH information. To attach my remote user directory to my local one as in the earlier example, I would specify a Remote path of /home/brent and a Local Path of /home/brent/server.

Using SSH - Part 2 (Authentication)

Wed, 12 Aug 2020 11:36:12 -0400

This aricle makes up part two of the series on SSH. If you’re interested in the basics or how to setup a banner, refer to the first article. As with the first article, I’ve tested all of this on Ubuntu Linux and exact commands may vary as you get farther from there.

Secure Authentication with Passwords

By default, SSH authenticates users via a password. Passwords are transmitted in a secure manner, but can be prone to brute force guessing attacks.

One way to secure the ssh interface is to limit the devices allowed to access your server. This can be done at different places - on your network firewall, in the OS firewall, or in the ssh process. SSH uses TCP port 22, so blocking that at the firewall is one way to mitigate against maliciousness. Since this article is about using SSH, we’ll focus on the latter. Go into sshd_config and add a line for AllowUsers. The example below allows anyone to login from the 192.168.1.0/24 network. Remember to restart the ssh service after changing sshd_config: sudo systemctl restart ssh.

sudo nano /etc/sshd_config  
allowUsers \*@192.168.1.*

Blocking source addresses only works up to a point. Bad actors from within can still attack, and outside actors can use another host as a jump server (SSH to there, then start a new SSH session from the inside box). Picking a good password helps make brute-force attacks take longer, but we need to prevent opportunities to work through every combination of letters. Fail2ban is a service that blocks IP addresses that exhibit suspicious behavior. Install it using sudo apt install fail2ban. Below is a script that will setup fail2ban to block IPs that fail three consecutive login attempts.

echo setup fail2ban
systemctl start fail2ban
systemctl enable fail2ban
echo "/[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3" >  /etc/fail2ban/jail.local

Authentication with keys

Another way to login is using keys. A key pair - public and private - can be generated on a client and authenticates the client to the server. Since the keys are stored in the user account, they also in theory are associated with identity. There are two advantages of using keys. First, it can eliminate remembering and typing a knuckle-busting password and supports automation. Second, keys are more secure than passwords on the assumption that the key file is secure.

To use public-key authentication, you first need to generate a key pair using the command ssh-keygen. You can optionally enter a passphrase to use to unlock the key. By default, the public key is saved as ~/.ssh/id_rsa and the private key as ~/.ssh/id_rsa.pub. This process is shown below.

brent@inspiron:~$ ssh-keygen
Generating public/private rsa key pair.  
Enter file in which to save the key (/home/brent/.ssh/id_rsa):   
Enter passphrase (empty for no passphrase):   
Enter same passphrase again:   
Your identification has been saved in /home/brent/.ssh/id_rsa  
Your public key has been saved in /home/brent/.ssh/id_rsa.pub  
The key fingerprint is:  
SHA256:A5RBWIxVGMCAQbzAfenno9hlwQAeafZgnCPJCylrnz8 brent@inspiron  
The key's randomart image is:  
+---[RSA 3072]----+  
|*====OO*.        |  
|**.@==+          |  
|+.B.* +          |  
|.+   o =         |  
|. . . o S        |  
|   o   = .       |  
|    + + .        |  
|   . G           |  
|      .          |  
+----[SHA256]-----+  
brent@inspiron:~$

I don’t want to publish my keys to the world, so I just re-ran ssh-keygen and accepted the prompt to overwrite the old set.

Once a key pair is generated, the public key needs to be copied to the host that you want to login to. To do this, you need password access to the host and this process doesn’t disable password access. Unless you opt to turn that off, you still need to secure the password access using ACLs and fail2ban as previously discussed. That said, ssh includes a utility to push your public key to a target device - ssh-copy-id.

brent@MintyTwenty:~$ ssh-copy-id brent@192.168.1.1   
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed  
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys  
brent@192.168.1.1's password:   
 
Number of key(s) added: 1

Now try logging into the machine, with: “ssh ‘brent@192.168.1.1’” and check to make sure that only the key(s) you wanted were added.

Now I should be able to just type ssh brent@192.168.1.1 and be attached to the server without a password prompt! Easier administration and easier to script.

Authentication with TOTP

TOTP is for the really paranoid and for those uber-geeks that want to impress their friends. Digital Ocean has a really nice write up on this, and that was my primary source for learning. I’ve referenced it in the notes. Their procedure is written for Ubuntu 16.04 but I’ve personally used it up through 20.04 without a problem.

Ideally authentication involves something you know and something you have. Time-based One Time Passwords are six-digit codes that change periodically. Hopefully, you already use this to secure critical online resources like your email. TOTP utilities generate a 3D barcode that can be read by the camera on a phone, and use that to set a unique nugget that can be combined with the time to give random number strings. Google authenticator is the “go-to” app on the phone for entering and holding these authenticators. I use Enpass, which does a similarly good job.

Before you begin, you’ll need the authenticator app loaded on your phone and you’ll need to be physically in front of the server. On the server, install the authenticator module and initiate the settings.

sudo apt install libpam-google-authenticator  
google-authenticator -t -d -f -r 3 -R 30 -W   # NOTE: using cmd w/o flags will walk you through prompts

The google-authenticator command will show you a 3D barcode and your first code. Scan that in on your phone and verify the code. The output will also include five “emergency scratch codes”. These would be used if you lose your phone. Write them down somewhere for emergencies before continuing.

Next, add a line to /etc/pam.d/sshd for authentication and edit a line in sshd_config for Challenges. Restart the service and you’ll be ready to test.

sudo nano /etc/pam.d/sshd
#_add this line, then close the file
auth required pam_google_authenticator.so nullok
 
sudo nano /etc/.ssh/sshd_config
#_find and change this line, then close the file
ChallengeResponseAuthentication yes

#_restart sshd
sudo systemctl restart sshd.service

At this point, try connecting to this server using ssh. It should either use a key or prompt you for your password and then for the current TOTP code. If you want it to require TOTP when using a key, you’ll need to edit sshd_config and restart the process again.

sudo nano /etc/.ssh/sshd_config
#_add this line
AuthenticationMethods publickey,password publickey,keyboard-interactive

Recommendations

I’ve presented a lot of ideas here, so I want to conclude by giving you my recommendations for personal machines.

Install SSH server by default
Use a banner in .bashrc to make clear which device you are currently logged into
Limit SSH to local IPs unless there’s a specific requirement otherwise. If you can’t limit by IP, use TOTP.
Use fail2ban
Use keys. Don’t try to use the same keys on all devices, just generate new ones every time you re-install or get a new PC. At least for me, this cuts down on the risk of keys falling into outside hands.

Using SSH - Part 1 (Basics and Banners)

Tue, 11 Aug 2020 12:36:12 -0400

SSH is a pretty well known protocol that’s used for a lot of different things. Most of us are familiar with the basics and a trick or two. This article is to try to consolidate a lot of the uses I have for SSH and share them. The article is a quick review of basic terminal access and banners. This is the first in a series, so more advanced topics are covered in succeeding posts.

The Basics

SSH is included in modern operating systems. Apparently it can now also be installed on Windows (I’ve included a link). If you use Windows, the standard client suggested is PuTTY (I really like Solar-PuTTY as well). I have not used Windows as a client or server in my testing, so hopefully my comments will be helpful but I suspect server setup is going to be different.

My walk through assumes you are using a command-line client. Note that the ssh client is typically installed in the *nix world. If you want your box to be the server then you’ll need to add it via sudo apt install openssh-server (Debian/Ubuntu).

Most of us encounter SSH as a secure replacement for telnet. SSH allows us to connect to a remote terminal from the command line. Assuming that I wanted to connect to my firewall by it’s IP address and that there was an account named “brent” there, I can connect using _ssh username@Destination. If this is the first time you’ve connected, you’ll be asked to confirm the fingerprint.

brent@MintyTwenty:~$ ssh brent@192.168.24.230  
The authenticity of host '192.168.24.230 (192.168.24.230)' can't be established.  
ECDSA key fingerprint is SHA256:1XYZ12MBd5Sb345ABOBhoKx42D+STU56szGR/d3LkGs.  
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes  
Warning: Permanently added '192.168.24.230' (ECDSA) to the list of known hosts.  
brent@192.168.24.230's password:  
brent@inspiron:~$

The fingerprint is to protect against a man-in-the-middle attack, where your traffic is being re-directed to a malicious third party. Before you type in (and reveal) your password, best to make sure that this is a trusted server! So, where do we find the fingerprint to match it to? The easiest way to get it is to go to your server and use ssh to connect to itself: ssh username@127.0.0.1. This will show the local fingerprint. If someone has already used this trick and accepted the fingerprint, you can delete ~/.ssh/knownhosts (not recommended) or use ssh-keygen to examine the local public key.

brent@MintyTwenty:~$ __ssh-keygen -lf .ssh/id_rsa.pub  
4096 SHA256:cjyCsHXYZ12dESNo+12AB/oGGaxY1JHSTU%1p3Aeouw brent@X (RSA)

Banners

SSH banners are specified in the ssh daemon configuration (/etc/sshd_config), To specify a banner, find the line reads “#banner none” and edit it to specify a file. The contents of this file will be displayed before the password prompt.

sudo nano /etc/sshd_config  
banner /etc/banner.txt

After authentication the prompt displays the server hostname. You can display a banner after authentication by editing ~/.bashrc. This has a side benefit - the terminal, when connected to locally or remotely, processes ~/.bashrc before it produces a prompt. Go to the end of that file and add whatever you like - that output will be displayed before a prompt is produced. I’ve listed some cool ideas to build a dynamic banner below.

neofetech is a popular script that summarizes system information. There’s a ppa available to add this from apt.

sudo add-apt-repository ppa:dawidd0811/neofetch  
sudo apt install neofetch  
echo "neofetch" >> /home/brent/.bashrc  # Add the command to the end of .bashrc

Figlet - draws letters in ASCII for a nice banner and any command can be piped through it (echo “for example” | figlet). It’s available in the standard Ubuntu repository.
Curl - pull in data from the web. Try curl v2.wttr.in/Hickory+NC. A more practical example might be:

curl wttr.in/Hickory+NC?format=2  # check out the github page for lots more options

Server stats - display information about the server such as IP (hostname -I) or temperature (sensors). This snippet will display just the main temperature.

data=$(sensors | grep "id 0:" | cut -c16-23)      #sensors displays a lot of data.
                            # Grep just grabs the one line, and cut pulls temp out.  
echo "CPU Temp:${data}"

Part two of this series will cover secure authentication options.

Reasonably Secure Browsing

Wed, 05 Aug 2020 11:23:41 -0400

Most of my articles are aimed at helping me remember how I did something cool years later, and helping other people who share my interest and want to solve similar problems. This one is a little different. When I speak to non-technical folks - at church, other parents, or within my family - I’m disappointed with the lack of understanding about computer security. I was going to say “surprised”, but sadly I’m not. This article tries to fix that by introducing this audience to concepts in Secure Browsing.

I get that we can’t all be aware of everything. For instance, I’m not really interested in cars. Still, if you are participating in an area (driving a car or browsing the web), then there’s a basic level of awareness that is needed and that you should aim for. So this post is written for the non-technical in order to provide that grounding. I’ll try to keep this up to date (pay attention to the posting date!) and I’ll start pointing people who ask those questions to this resource. I need to define “reasonable” before I get started. Internet paranoia comes in three flavors - fear of malicious actors, fear of giant companies assembling dossiers to feed into marketing, and Orwellian fears about nation-states. All three are reasonable things to be concerned about but this post only addresses the first. Hiding from the NSA is beyond the ability of most people - even if they unplug. Hiding from creepy companies is possible, but requires foregoing a lot of services that most of us are loathe to do without. However, there are small steps that you can take that will give you a good degree of protection against maliciousness. Reasonable means simple steps picking up bad code or leaking sensitive personal information.

Finally, what makes me think I’m an expert? Well, I have a Master’s in Information Security and I’ve worked in IT operations and security for many, many years. I’m no Tim McGee, but I get by.

General safe-browsing advice

If possible, run Linux
Setup your home to use OpenDNS or CloudFlare Family DNS servers
Check for browser updates regularly, and apply them. Keep plugins up to date as well.
Use Anti-Virus.
Don’t ever click on links in email.
Use a secure password, and don’t re-use passwords between sites.
Do not save passwords within the browser. Use a password safe and subscribe to Have I been Pwned?
Use SSL – Sites that use “HTTPS:” instead of “HTTP” are encrypting your traffic.
Have a solution to monitor your bank accounts and credit reports.

General Browser checklist

Do not save passwords in the browser. Use a password safe.
Do not use autofill. Sites use hidden fields to send more than you think.
Have the browser ask you where to save files. This alerts you to files being downloaded and allows you to cancel or put them in a folder for latter consideration.
Enable click-to-play for plugins. This will speed up the browser and allow you to decide when to use useful but potentially dangerous plugins like JavaScript, Flash, and Silverlight.
Do not accept third-party cookies except by exception. Clear all cookies after each session.
Use Do Not Track. This is more aimed at commercial privacy, and depends on the server honoring the request, but why not?
Be cautious using extensions, however there are a few that are suggested:
- AdBlock Plus
- HTTPS Everywhere
Refer to the following sections for specific help with your browser.

Chrome

Settings are found under the “stacked dots” icon on the right.
Under “set up sync”
- Choose “encrypt all synced data with your sync password”.
- Uncheck Autofill and Passwords.
Select advanced options
Under Privacy, check “protect you and your device from dangerous sites” and “send Do Not Track”.
Under Passwords and Forms, uncheck both options (do not autofill or remember passwords).
Under Downloads, check “Ask where to save each file before downloading”.
Under Plugins, select “Let me choose when to run plugin content”.
Under Cookies, block third-party cookies.
Add recommended Extensions and remove un-needed ones.
- AdBlock Plus
- HTTPS Everywhere

Firefox

Options are found under the “hamburger” icon on the right. In the drop down menu, select preferences.
Go to Files and Applications and select “Always ask me where to save files.”
Under Network Settings select the settings button. Choose enable DNS over HTTPS and set it to Cloudflare.
Under Privacy & Security
- Select the Standard Tracking Protection option and “Always apply Do Not Track”
- Set third-party cookies to delete when Firefox is closed.
- Under Logins and Passwods, disable “ask to save”
- Under Forms and Autofill, disable Autofill
- Under Permissions, check “Warn me when sites try to install an add-on” and “Block pop-up windows”
- Disable Firefox data collection.
- Under Security, choose to Block dangerous and deceptive content, block dangerous downloads, and warn about unwanted software.
Back to the hamburger menu and select Add Ons. Remove any extensions you don’t need and add these two.
- AdBlock Plus
- HTTPS Everywhere

Internet Explorer

Don’t use Internet Explorer.

Other browsers . . .

There are some other browsers that are marketed as “secure”. Examples include Avast, AVG, and Comodo. My experience is that these are just custom versions of Chrome. It’s difficult to keep up with all the customizations these different groups make, but generally I find that they are based on an older version of Chromium and aren’t always transparent about what changes they are making. They tend to be updated less often and sometimes behave in unexpected ways because of the changes. I do not recommend these today, but I’m open to the idea.

Another set of browsers attempt to compete more directly with Firefox and Chrome. These include names like Brave and Opera. I have a good opinion of both these options, but they are more common with power users and not really in scope of this guide. Safari is used on Macs and is quite good. I’ll try to add it in at a later date.

Linux Home Cloud Backup

Tue, 04 Aug 2020 09:12:52 -0400

At one point, I was taught to divide tasks by priority A, B, C. As I’ve gotten older, I’ve converted that scale into “things that will immediately get me fired or divorced”, “things that will eventually get me fired or divorced”, and “things I’d like to do if I have time”. One of the “A” tasks on this scale is making sure that we don’t lose our family digital pictures!

Our home file server is an Ubuntu VM. Over the years, I’ve used a variety of strategies to maintain personal backups. Recently, I felt the time was right to move to cloud based backup - both for the convenience and the security of having things off-site. I considered AWS S3, but Backblaze offers a similar and less-expensive service. A former employer used Backblaze for laptop backups and I administered that system, and I always felt they did a good job and were reasonable to work with.

I settled on using Duplicati for the backkup software. Duplicati runs on everything (Linux + various less secure OS), has a DEB, and is FOSS. Duplicati has built in support for cloud backup, including Backblaze and S3. I have a friend that uses Duplicati and it’s discussed on Jupiter Broadcasting, so I wanted to give it a try.

Let’s start with Backblaze. I setup an account and configured it for 2FA. Then I created an ID and application key at the Backblaze dashboard and setup a bucket. You can specify the bucket policy, and I recommend keeping older copies to protect against crypto-locking malware. I setup my bucket to retain older copies for 180 days.

Setting up Duplicati is as easy as installing the DEB and enabling the app to autostart. My server runs Mate, so I opened the Control Center (alt–f2, “mate-control-center”) and added Duplicati to the autoruns (at the bottom of the control center window).

Once running, Duplicati shows a menu-bar applet. The application is administered from a web page on port 8200. This webpage can be accessible from other machines and I usually manage the backups from my desktop. Duplicati has excellent documentation on their website, but I was able to get it up and running quickly without investing a lot of time.

From the initial Duplicati page choose “Add backup” and a wizard will walk you through specifying the details. Make sure you keep track of the passphrase used by the backup! Here’s a quick rundown on the selections I used:

General - AES-256 Encryption. Other options are no encryption and GNU Privacy Guard. I don’t protect nuclear secrets, but I get itchy not encrypting data at rest, so I definitely don’t recommend that option. I don’t know much about GNU PG, but AES-256 is considered a solid and well researched encryption so I used it.
Backup destination - this is where you’ll plug in the ID and Key you generated at Backblaze earlier.
Source data - gives you a file tree to select what you’d like to backup. I’m cheap, so I separated out the non-private stuff into another directory (like installation ISOs) so I didn’t pay to back them up.
Schedule - We’ll get into a discussion of RTO and RPO another time perhaps. Basically, think about your cost to transfer files (with Backblaze, there is no incremental cost) and how much data you are willing to lose between backups. I setup my schedule to run every night - with Backblaze there’s not really a reason not to.
Options - Duplicati allows you to set the remote volume size. I kept this at the recommended 50Mb. Basically, it chunks your data so that it’s easier to restore and so that an adversary can’t identify individual file sizes, which could be a way that you’d leak information. I also chose to keep all backups, again to protect against crypto-lockers.

After all that, just let it run! My biggest knock on the combination of Duplicati and Backblaze is that there’s not an easy way to confirm backups are happening. Backblaze has a 10 day trial and I didn’t initially put in a credit card. To be clear, kudos to them for letting you try it and being easy to work with. But . . . I forgot and the trial ran out and my backups stopped for several days. Worse, I was clueless.

Duplicati has options to setup a confirmation email after backups, which I recommend. You’ll know there’s a problem when you don’t get an email. Unless you are more clever than me, that’s suboptimal but it is something. Backblaze doesn’t have an alerting option for things that don’t happen. I’m thinking that I could setup a Lambda to check via API, then send an SNS, but that’s for another day.

Overall, I’m please with the setup and the results I’m getting and would recommend either component to someone trying to solve a similar home problem. I don’t see a reason this wouldn’t be good for a work environment, but I’ll need to use it for a while before I feel comfortable making that a recommendation.

Fun with Postscript

Mon, 03 Aug 2020 16:59:30 -0400

I really enjoy being a computer professional. I like the creativity, problem solving, and the sense that things can be understood. Sometimes this is directly applicable, sometimes it’s just fun. One example of the latter is Postscript.

Most of you know Postscript only as a printer thing, but it’s actually a programming language. Postscript builds a mathematical model of a page and then converts that to a bitmap for printing as a final step. Postscript files always print at the best resolution available on the output device without having to be reformatted.

Postscript uses a single stack and then pops off the required number of values to execute a command. For instance, you might give it:

1 2 add

In college, I “discovered” postscript by printing a file for an Apple LaserWriter to an HP Laserjet. Since the Laserjet didn’t speak Postscript (they use PCL) it just dumped raw text onto a stack of paper. I was fascinated because I could kinda read it, so I researched it and bought three books and just started playing:

Postscript Language: Tutorial and Cookbook by Adobe Graphic Design with Postscript by Gerard Kunkel Postscript by Example by Henry McGilton and Mary Campione

At first, I wrote text files and dumped them to the LaserWriter.

copy myfile.ps > lpt1:

Later I started using early ghostscript to output to my dot matrix printer. I recently rediscoverd some of my files from the 1980’s and found that I could display them in Linux with modern Ghostscript.

Here’s a simple Postscript program I took from the Postscript Cookbook:

/Helvetica-Bold findfont  
        30 scalefont setfont  
        /oshow  %stack: {string}  
        {true charpath stroke} def  
    /circleofBrent  
        { 20 20 340  
            { gsave  
                rotate 0 0 moveto  
                (Brent) oshow  
                grestore  
            } for  
        } def  
    % --Begin Program --  
    250 400 translate  
    .5 setlinewidth  
    circleofBrent  
    0 0 moveto  
    (Brent Stewart) true charpath  
    gsave 1 setgray fill grestore  
    stroke  
    showpage

Without a lot of explanation, you get the sense of how postscript works. There’s a routine to print my name and rotate the coordinate system in increments of 20 degrees. That routine is looped through and then the final full name is printed at the end. Instead of printing this page, in Linux I just typed:

gs CircleofBrent.ps

and the page is rendered in a window. I discovered that you GIMP can directly load postscript files (!) and used that to create the logo and favicon for this site. You can print the file to a postscript printer using lpr. MFC9340CDW is a brother printer I use, and I opened system-config-printer to confirm the name.

lpr -P MFC9340CDW rays.ps

I’ve built a repo with some examples. I actually found some of my code from 30 years ago! PostScript is a simple enough language to quickly accomplish things with, but complicated enough to get some interesting results. In fact, you can do things in the language that I’ve never seen translated to an app. I hope this post will encourage you to give it a try and have some fun!

AWS S3 Review

Tue, 28 Jul 2020 15:44:02 -0400

In a previous post, I described hosting this website on Render. I mentioned that I am coming up to speed on AWS and it was my intention to host the site on S3 as well. This post documents my experience.

Hugo

Render has a CI-step that builds the html from Hugo auto-magically. AWS isn’t integrated with Github, so I needed to build the website. This is pretty easy, just navigate to the directory and type “hugo”. This produces a “public” directory that needs to be copied to your webserver.

AWS allows you to specify an error page. In Hugo, I setup a 404.html page under theme/layouts and used the S3 Properties page to specify that URL for the error page.

AWS

The short version of hosting a site on S3 is:

Create an S3 bucket
The bucket needs to be public, so set “Block all public access” to OFF.
Navigate to S3, select the bucket and go to the Properties tab. Under “Static Website Hosting” select “Use this bucket to host a website”. You can also grab the URL from this screen. This will look something like http://mybucket.s3-website-us-east-1.amazonaws.com.
In your DNS, setup a CNAME for www to the bucket URL.

The above is pretty well documented at various places and it’s pretty easy. So obviously, that’s not the way I did it.

AWS has a feature called Cloud Formation that let’s you specify an environment in JSON or YAML. This approach is called Infrastructure as Code. There are a lot of scenarios where IaC is useful. It reduces the time and cost of setting up an environment, which could be useful if you wanted to quickly setup a dev environment or duplicate an environment for some other purpose. This approach reduces errors because you can troubleshoot the setup script when you build it and then iteratively improve it. It also allows for the environment to be specified and reviewed by security specialists, improving communication between operations and security and reducing risks.

Cloud Formation is free to use. I built a JSON file that creates an S3 bucket, marks the bucket public, and then applies a security policy. My template also outputs the URL back to you when it completes. The Amazon online user guide has a lot of examples I used to understand the process, plus there is a template designer that let’s you draw out your target environment a la Visio and builds the JSON for you. I didn’t use the designer to draw, but I pasted the file I developed into the designer and it was a good way to “debug”.

Doing initial development of a Cloud Formation template meant running the process several times and fixing issues. For me, most of these were formatting. This took a little over an hour to iron out. When everything was ready, I instantiated my S3 web bucket and I just needed to copy my Hugo public folder into the bucket.

AWS has a “free tier” that’s offered during your first 12 months. Five gigs of S3 space is included in this tier, so the initial cost isn’t bad and S3 isn’t expensive after that. Whether you my example to use Cloud Formation or not, this is a cheap and effective way to get a static website setup. Amazon provides a very durable and scalable environment, there’s a ton of tools available, and it’s easy to imagine growing from this initial setup to a dynamic site using K8s.

That said, updating the html feels a little clunky after using Render and it’s integration with Github. I’m going to leave the S3 version up for a while and try some improvements. I’d like to build a command line script to run the Cloud Formation process, run Hugo to compile the site, and then transfer files. That seems doable and it would make this a lot easier to maintain. AWS also has a CodeCommit repository that looks like Github from a distance. It would be interesting to explore using CodeCommit for the site as well.

For now, I’m very pleased with the Render workflow and I’ve decided to leave the “official” copy of the site there.

As always, I’m interested in your experiences and suggestions!

Render

Fri, 24 Jul 2020 08:21:27 -0400

TLDR: you should take a look at Render.com

I wrote in a previous post that I decided to build my site using Hugo, a decision I’m still really tickled with. My initial draw to a Static Site Generator was to host my site in S3. There’s a lot of attraction there - creating a public S3 bucket is easy, it’s low-cost, there’s no server to maintain, and the data is replicated within region between Availability Zones. From a security perspective, S3 is easy to secure and the bucket is isolated.

I have experience with the major cloud providers and my high-level opinion is that AWS is the most mature, has the most complete set of products, and is the easiest to deal with. Plus, I’m working my way through the AWS certs.

In coming up to speed on Hugo, I heard about a site called Render. The salient points were that Render offered free static-site hosting and would pull your site from Git. The Git integration was attractive - I had already decided to put the theme there and now I could just put the entire site there. I decided to try Render.

At the time of this writing, I’ve had a Render account for two days. Signup was easy and didn’t require a credit card. They support federation with Github, so I used that option and that may have made things easier later.

Forcing me to give a card when I signup for something free always makes me feel like I’m being suckered into something. In fact, I had an experience with Azure where I signed up for a “free” tier and ended up getting a big bill a couple months later so I have empirical reasons to be wary.

I was super-impressed with the Git integration. I went to Github and created a new “Nextpertise” project, then went to my Hugo directory and made it a repository and sync’d it to Github.

$ git init  
    $ git add .  
    $ git commit -m "Initial commit"  
    $ git remote add origin https://github.com/brentstewart/nextpertise.git  
    $ git push -f origin master

Hugo takes your markdown content and compiles it against templates to generate a public directory of html files that can be copied to a web server. When you are ready to deploy, just run “hugo” with no options. The caveat here is that Hugo doesn’t clear out old content first, and will just copy the new build on top of the old. Best practice then is to delete the public directory before regenerating. So before setting up Render, I generated the public directory and sync’d my repo to Github.

From Render, I selected New “Web Service” and selected the repository I wanted to use. Render asked for the web content directory (the “Publish directory”) and the build command - here’s where I realized I messed up. I went back and removed my public directory and resync’d to Github, then used hugo as my build command.

By default, Render published my site to nextpertise.onrender.com, but adding a custom domain is super-easy. The setup screen provides instructions on setting up your DNS and tests to confirm that this step is complete. The Nextpertise DNS is at Network Solutions, so it was easy enough to add the required records and the changes replicated overnight and were working this morning. Render automatically assigns certs and makes the site available via https (I literally did nothing to enable this feature, it just worked).

Render can redirect traffic to unknown pages. I setup a rule to redirect this traffic to 404.html. In Hugo, I created a 404.html file under theme/layouts.

When I finish this update, I’ll commit my local changes and push to Github. Then I need to go to Render and click Manual Deploy. Render will pull the changes, build the site using Hugo, and the new site will be online! Render supports a build api hook, so I may look into using Githubs CI to trigger a Render deploy. For now, I’m focused on getting enough content onto the site to make it interesting and cleaning up the look.

Here’s a screenshot of the pull and build.

Render deployed my site to Oregon - I wasn’t given an option, but that seems reasonable for a free service. They mention that “lightning-fast CDN” is included and accessing the site from the eastern US does seem reasonably quick. If one of my friends in India reads this, could you provide some feedback on what it’s like for you?

I’m really impressed with Render and - based on two days of playing - definitely recommend you take a look. I still intend to deploy to S3, for comparison and to get some experience with S3, so I’ll write about that in the future.

Building this site using Hugo

Mon, 20 Jul 2020 11:38:07 -0400

This site was built using Hugo, which is a static site generator. Hugo allows me to create templates and then write my content in markdown. This makes it easy to update the site without having to fiddle with HTML. It also makes updating the look and feel easy, because I can update the template and regenerate the site.

Hugo is found in most distributions - for Ubuntu I installed it with “apt install hugo”. I’ve found that running the local Hugo dev server (“hugo server -D”) and working with the files in VSCodium is a super easy way to develop.

Mike Dane at Giraffe Academy has done an excellent series of videos that walk through Hugo. Rather than repeat his work, I will tell you a little about my site.

Hugo supports multiple taxonomies, but for now I’ve focused on using tags. I’ve defined some parameters in my front matter for a github link, Youtube link, and other references. If I populate those parameters, they automatically display on the single template. I used an HTML Grid for the list pages and set it to scale based on window width to produce a nice responsive behavior. Hugo supports using themes and there are some great options, but I’ve chosen to build my own theme (“next”) because I wanted to understand the process. You’re welcome to clone the theme. Better yet, tell me what I did wrong!

This website is maintained on GitHub. If you like the theme, clone the submodule.