en-us Major Hayden (C) 2019 2019-01-14 00:00:00 +0000 UTC Running Home Assistant in a Docker container with a Z-Wave USB stick Mon, 14 Jan 2019 00:00:00 UTC Major Hayden <p>The <a href="">Home Assistant</a> project provides a great open source way to get started with home automation that can be entirely self-contained within your home. It already has plenty of <a href="">integrations</a> with external services, but it can also monitor <a href="">Z-Wave</a> devices at your home or office.</p> <p>Here are my devices:</p> <ul> <li><a href="">Monoprice Z-Wave Garage Door Sensor</a></li> <li><a href="">Aeotec Z-Stick Gen5 (ZW090)</a></li> <li>Fedora Linux server with Docker installed</li> </ul> <h2 id="install-the-z-wave-stick">Install the Z-Wave stick</h2> <p>Start by plugging the Z-Stick into your Linux server. Run <code>lsusb</code> and it should appear in the list:</p> <div class="highlight"><pre class="chroma"># lsusb | grep Z-Stick
Bus 003 Device 006: ID 0658:0200 Sigma Designs, Inc. Aeotec Z-Stick Gen5 (ZW090) - UZB</pre></div> <p>The system journal should also tell you which TTY is assigned to the USB stick (run <code>journalctl --boot</code> and search for <code>ACM</code>):</p> <div class="highlight"><pre class="chroma">kernel: usb 3-3.2: USB disconnect, device number 4
kernel: usb 3-1: new full-speed USB device number 6 using xhci_hcd
kernel: usb 3-1: New USB device found, idVendor=0658, idProduct=0200, bcdDevice= 0.00
kernel: usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
kernel: cdc_acm 3-1:1.0: ttyACM0: USB ACM device
kernel: usbcore: registered new interface driver cdc_acm
kernel: cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters</pre></div> <p>In my case, my device is <code>/dev/ttyACM0</code>.
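<p>Rather than reading the number off the journal by eye, the shell function below resolves the tty node from the same kernel messages by USB vendor and product ID. It is an added example, not code from the original post or from Home Assistant; it assumes the message format shown above (the <code>New USB device found</code>, <code>cdc_acm</code> and <code>USB disconnect</code> lines the kernel prints) and defaults to the Z-Stick's ID <code>0658:0200</code> from the <code>lsusb</code> output. The sample journal excerpt is constructed for the demo, with a second serial device (ID <code>0123:4567</code>, made up for the example) that grabs <code>ttyACM0</code> first.</p>

```shell
#!/bin/sh
# Added example, not from the original post: resolve the Z-Stick's tty node from
# kernel journal lines (the format `journalctl --boot` shows above) by USB
# vendor:product ID instead of reading the number off by eye. Default ID is the
# Aeotec Z-Stick Gen5 from the lsusb output, 0658:0200.
#
# Usage: journalctl --boot | zwave_tty_from_journal [VID] [PID]
# Prints e.g. /dev/ttyACM1 and returns 0, or prints nothing and returns 1 when
# the device was never found or has since been disconnected.
zwave_tty_from_journal() {
  vid="${1:-0658}"
  pid="${2:-0200}"
  out=$(awk -v vid="$vid" -v pid="$pid" '
    # Bus-port path ("3-1", "3-3.2") that follows the given driver prefix.
    function port_of(line, prefix,   p) {
      p = line
      sub(".*" prefix " ", "", p)
      sub(/:.*/, "", p)
      return p
    }
    # "usb 3-1: New USB device found, idVendor=0658, idProduct=0200, ..."
    /: New USB device found, / {
      p = port_of($0, "usb")
      if (index($0, "idVendor=" vid ",") && index($0, "idProduct=" pid ","))
        want = p
      else if (p == want)
        want = ""            # a different device now sits on that port
    }
    # "usb 3-2: USB disconnect, device number 5"
    /: USB disconnect, / {
      if (port_of($0, "usb") == want) { want = ""; tty = "" }
    }
    # "cdc_acm 3-1:1.0: ttyACM1: USB ACM device"
    /cdc_acm .*: ttyACM[0-9]+: USB ACM device/ {
      if (port_of($0, "cdc_acm") == want) {
        match($0, /ttyACM[0-9]+/)
        tty = substr($0, RSTART, RLENGTH)
      }
    }
    END { if (tty != "") print "/dev/" tty }
  ')
  [ -n "$out" ] && printf '%s\n' "$out"
}

# Constructed journal excerpt (not a real capture): another ACM device on port
# 3-2 enumerates first and takes ttyACM0, the Z-Stick lands on ttyACM1, and the
# other device is then unplugged.
SAMPLE_JOURNAL='kernel: usb 3-2: new full-speed USB device number 5 using xhci_hcd
kernel: usb 3-2: New USB device found, idVendor=0123, idProduct=4567, bcdDevice= 1.00
kernel: cdc_acm 3-2:1.0: ttyACM0: USB ACM device
kernel: usb 3-1: new full-speed USB device number 6 using xhci_hcd
kernel: usb 3-1: New USB device found, idVendor=0658, idProduct=0200, bcdDevice= 0.00
kernel: usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
kernel: cdc_acm 3-1:1.0: ttyACM1: USB ACM device
kernel: usb 3-2: USB disconnect, device number 5'

printf '%s\n' "$SAMPLE_JOURNAL" | zwave_tty_from_journal
# On a real host the result feeds straight into Docker:
#   docker run --device "$(journalctl --boot | zwave_tty_from_journal)" ...
```

<p>The function follows the USB port path rather than the tty number, so a stick that re-enumerates after a reboot, or one that lands on <code>ttyACM1</code> because another adapter claimed <code>ttyACM0</code>, is still picked out, and a stick that has been unplugged yields nothing instead of a stale path.</p>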
If you have other serial devices attached to your system, your Z-Stick may show up as <code>ttyACM1</code> or <code>ttyACM2</code>. The number depends on enumeration order, so check it again after a reboot or after adding serial hardware: if the path in your container configuration no longer exists, Docker refuses to start the container, and if another device has taken that name, Home Assistant talks to the wrong hardware.</p> <h2 id="using-z-wave-in-the-docker-container">Using Z-Wave in the Docker container</h2> <p>If you use <code>docker-compose</code>, simply add a <code>devices</code> section to your existing YAML file:</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml">version: '2'
services:
  home-assistant:
    ports:
      - "8123:8123/tcp"
    network_mode: "host"
    devices:
      - /dev/ttyACM0
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /mnt/raid/hass/:/config:Z
    image: homeassistant/home-assistant
    restart: always</code></pre></div> <p>Two notes on this file. With <code>network_mode: "host"</code> the container shares the host's network namespace, so the <code>ports</code> mapping is discarded and Home Assistant listens on the host's port 8123 directly; the mapping only matters if you drop host networking. The <code>devices</code> entry hands the container the <code>/dev/ttyACM0</code> node and nothing else on the host, which is the least-privilege way to reach the stick, so there is no need for <code>privileged</code> mode just to get at a serial device. The <code>:Z</code> suffix on the config volume tells Docker to relabel that directory so SELinux lets the container use it.</p> <p>You can add the device to manual <code>docker run</code> commands by adding <code>--device /dev/ttyACM0</code> to your existing command line.</p> <h2 
id="pairing">Pairing</h2> <p>For this step, always refer to the instructions that came with your Z-Wave device since some require different pairing steps. In my case, I installed the battery, pressed the button inside the sensor, and paired the device:</p> <ul> <li>Go to the Home Assistant web interface</li> <li>Click <strong>Configuration</strong> on the left</li> <li>Click <strong>Z-Wave</strong> on the right</li> <li>Click <strong>Add Node</strong> and follow the steps on screen</li> </ul> <h2 id="understanding-how-the-sensor-works">Understanding how the sensor works</h2> <p>Now that the sensor has been added, we need to understand how it works. One of the entities the sensor provides is an <code>alarm_level</code>. It has two possible values:</p> <ul> <li><code>0</code>: the sensor is tilted vertically (garage door is closed)</li> <li><code>255</code>: the sensor is tilted horizontally (garage door is open)</li> </ul> <p>If the sensor changes from <code>0</code> to <code>255</code>, then someone opened the garage door. Closing the door would result in the sensor changing from <code>255</code> to <code>0</code>.</p> <h2 id="adding-automation">Adding automation</h2> <p>Let&rsquo;s add automation to let us know when the door is open:</p> <ul> <li>Click <strong>Configuration</strong> on the left</li> <li>Click <strong>Automation</strong> on the right</li> <li>Click the plus (+) at the bottom right</li> <li>Set a good name (like &ldquo;Garage door open&rdquo;)</li> <li>Under triggers, look for <code>Vision ZG8101 Garage Door Detector Alarm Level</code> and select it</li> <li>Set <strong>From</strong> to <code>0</code></li> <li>Set <strong>To</strong> to <code>255</code></li> <li>Leave the <strong>For</strong> spot empty</li> </ul> <p>Now that we can detect the garage door being open, we need a notification action. I love <a href="">PushBullet</a> and I have an action set up for PushBullet notifications already. 
Here&rsquo;s how to use an action:</p> <ul> <li>Select <strong>Call Service</strong> for <strong>Action Type</strong> in the <strong>Actions</strong> section</li> <li>Select a service to call when the trigger occurs</li> <li><strong>Service data</strong> should contain the JSON that holds the notification message and title</li> </ul> <p>Here&rsquo;s an example of my service data:</p> <div class="highlight"><pre class="chroma"><code class="language-json" data-lang="json">{
  "message": "Someone opened the garage door at home.",
  "title": "Garage door opened"
}</code></pre></div> <p>Press the orange and white save icon at the bottom right and you are ready to go! You can tilt the sensor in your hand to test it or attach it to your garage door and test it there.</p> <p>If you want to know when the garage door is closed, follow the same steps above, but use <code>255</code> for <strong>From</strong> and <code>0</code> for <strong>To</strong>.</p> Allow a port range with firewalld Fri, 04 Jan 2019 00:00:00 UTC Major Hayden <p>Managing iptables gets a lot easier with <a href="">firewalld</a>.
You can manage rules for the IPv4 and IPv6 stacks using the same commands and it provides fine-grained controls for various &ldquo;zones&rdquo; of network sources and destinations.</p> <h2 id="quick-example">Quick example</h2> <p>Here&rsquo;s an example of allowing an arbitrary port (for <a href="">netdata</a>) through the firewall with iptables and firewalld on Fedora:</p> <div class="highlight"><pre class="chroma">## iptables
iptables -A INPUT -j ACCEPT -p tcp --dport 19999
ip6tables -A INPUT -j ACCEPT -p tcp --dport 19999
service iptables save
service ip6tables save

## firewalld
firewall-cmd --add-port=19999/tcp --permanent</pre></div> <p>In this example, <code>firewall-cmd</code> lets us open a TCP port through the firewall with a much simpler interface, and the <code>--permanent</code> argument writes the rule to the saved configuration. Note that <code>--permanent</code> on its own changes only the saved configuration: the running firewall does not pick the rule up until you run <code>firewall-cmd --reload</code>, so a rule you want active both now and after a reboot needs either a reload or the same command run once with and once without <code>--permanent</code>.</p> <p>You can always test a change with firewalld without making it permanent:</p> <div class="highlight"><pre class="chroma">firewall-cmd --add-port=19999/tcp

## Do your testing to make sure everything works.

firewall-cmd --runtime-to-permanent</pre></div> <p>The <code>--runtime-to-permanent</code> argument tells firewalld to write the currently active firewall configuration to disk.</p> <h2 id="adding-a-port-range">Adding a port range</h2> <p>I use <a href="">mosh</a> with most of my servers since it allows me to reconnect to an existing session from anywhere in the world and it makes higher latency connections less painful.
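<p>The range mosh needs is opened next. As an added helper, not part of the original post or of firewalld itself, the shell functions below validate a port or range before handing it to <code>firewall-cmd</code>, build a source-scoped rich rule when the client network is known (<code>203.0.113.0/24</code> and <code>2001:db8::/32</code> are documentation prefixes, not real clients), and check <code>iptables-save</code> output afterwards to confirm the rule reached the backend. The rich-rule syntax is firewalld's own; the sample <code>iptables-save</code> text is constructed from the lines shown in this post.</p>

```shell
#!/bin/sh
# Added helper, not part of the original post or of firewalld itself. Wraps the
# firewall-cmd usage from this section: check a port or range before opening it,
# emit a source-scoped rich rule when the client network is known, and confirm
# from iptables-save output that the rule reached the backend.

# valid_port_range "19999" or "60000-61000": true if every port is 1..65535
# and the low end is not above the high end.
valid_port_range() {
  case "$1" in
    ""|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
  esac
  lo="${1%%-*}"
  hi="${1##*-}"
  [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# fw_allow_range RANGE PROTO [SOURCE_CIDR]: print the runtime firewall-cmd
# command. Without a source this is the --add-port form used in the post; with
# one it becomes a rich rule so only that network can reach the ports. Run it,
# test, then persist with `firewall-cmd --runtime-to-permanent`.
fw_allow_range() {
  range="$1"; proto="$2"; src="${3:-}"
  valid_port_range "$range" || { echo "invalid port range: $range" >&2; return 1; }
  case "$proto" in
    tcp|udp) ;;
    *) echo "protocol must be tcp or udp: $proto" >&2; return 1 ;;
  esac
  if [ -z "$src" ]; then
    printf 'firewall-cmd --add-port=%s/%s\n' "$range" "$proto"
  else
    # The rule family has to match the address family of the source.
    case "$src" in *:*) family=ipv6 ;; *) family=ipv4 ;; esac
    printf "firewall-cmd --add-rich-rule='rule family=\"%s\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept'\n" \
      "$family" "$src" "$range" "$proto"
  fi
}

# rule_present SAVE_TEXT RANGE PROTO: true if the iptables-save text carries an
# ACCEPT for the range in firewalld's IN_public_allow chain (iptables writes a
# range as lo:hi, so 60000-61000 appears as 60000:61000).
rule_present() {
  save="$1"
  dport=$(printf '%s' "$2" | tr '-' ':')
  proto="$3"
  printf '%s\n' "$save" |
    grep -q -- "^-A IN_public_allow -p $proto -m $proto --dport $dport .*-j ACCEPT$"
}

# Constructed iptables-save excerpt for the demo, modelled on the lines shown in
# this post (not a capture from a real host).
SAMPLE_SAVE='-A IN_public_allow -p tcp -m tcp --dport 19999 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 60000:61000 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT'

fw_allow_range 60000-61000 udp
fw_allow_range 60000-61000 udp 203.0.113.0/24
rule_present "$SAMPLE_SAVE" 60000-61000 udp && echo "mosh range present in IN_public_allow"
```

<p>The source-scoped form is the one to prefer where it fits: a bare <code>--add-port</code> accepts the whole range from every address on the internet, while the rich rule limits it to the network your mosh clients actually use.</p>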
Mosh requires a range of UDP ports (60000 to 61000) to be opened.</p> <p>We can do that easily in firewalld:</p> <div class="highlight"><pre class="chroma">firewall-cmd --add-port=60000-61000/udp --permanent</pre></div> <p>Keep in mind that this rule, like any <code>--add-port</code> rule, accepts traffic from every source address: it opens 1001 UDP ports in the default zone. If your clients come from known networks, a rich rule with a <code>source address</code> restriction keeps the hole smaller, and the range itself can be trimmed to the ports you configure <code>mosh-server</code> to use.</p> <p>We can also see the rule it added to the firewall:</p> <div class="highlight"><pre class="chroma"># iptables-save | grep 61000
-A IN_public_allow -p udp -m udp --dport 60000:61000 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT

# ip6tables-save | grep 61000
-A IN_public_allow -p udp -m udp --dport 60000:61000 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT</pre></div> <p>If you haven&rsquo;t used firewalld yet, give it a try! There&rsquo;s a lot more documentation on common use cases in the <a href="">Fedora firewalld documentation</a>.</p> Disable autoplay for videos in Firefox 65 Tue, 18 Dec 2018 00:00:00 UTC Major Hayden <p>Firefox has some great features, but one of my favorites is the ability to disable autoplay for videos. We&rsquo;ve all had one of those moments: your speakers are turned up and you browse to a website with an annoying advertisement that plays immediately.</p> <p><img src='../gifs/2018-12-18-just-want-it-to-stop.gif' alt="GIF: I just want it to stop." style="display: block; margin: auto;"></p> <p>This feature stopped working for me somewhere in the Firefox 65 beta releases. Also, the usual setting in the preference page (under <em>Privacy &amp; Security</em>) seems to be missing.</p> <p>Luckily we can edit Firefox&rsquo;s configuration directly to get this feature working again.
Open up a new browser tab, go to <code>about:config</code>, and adjust these settings:</p> <ul> <li><p>Set <code>media.autoplay.default</code> to <code>1</code> to disable video autoplay for all sites</p></li> <li><p>Set <code>media.autoplay.allow-muted</code> to <code>false</code> to disable video autoplay <em>even for muted videos</em></p></li> </ul> <p>Those changes take effect for any new pages that you open after making the change.</p> Getting started with ham radio repeaters Thu, 13 Dec 2018 00:00:00 UTC Major Hayden <p><a href="">Amateur radio</a> is a fun way to mess around with technology, meet new people, and communicate off the grid. Talking directly to another radio on a single frequency (also called <em>simplex</em>) is the easiest way to get started. However, it can be difficult to communicate over longer distances without amplifiers, proper wiring, and antennas. This is where a radio repeater can help.</p> <h2 id="what-s-in-scope">What&rsquo;s in scope</h2> <p>This post is focused on fairly local communication on VHF/UHF bands. The most common frequencies for local communication in these bands are:</p> <ul> <li>2 meters (~144-148MHz)*</li> <li>70 centimeters (~420-450MHz)*</li> </ul> <p><em>* NOTE: Always consult the <a href="">band plan</a> for your area to see which part of the frequency band you could and should use.</em></p> <p>Of course, you can do some amazing things with weak signal VHF (which can be used to communicate over <strong>great</strong> distances), but we&rsquo;re not talking about that here. The <a href="">HAMSter Amateur Radio Group</a> is a great place to get started with that.</p> <p>We&rsquo;re also not talking about radio bands longer than 2 meters (which includes high frequency (HF) bands).
Some of those bands require advanced FCC licensing that takes additional studying and practice.</p> <h2 id="keeping-it-simple-x">Keeping it simple(x)</h2> <p><a href="">Simplex radio</a> involves communication where radios are tuned to a single frequency and only one radio can transmit at a time. This is like a simple walkie-talkie. If one person is transmitting, everyone else listens. If someone else tries to transmit at the same time, then the waves will be garbled and nobody will be able to hear either person. This is often called &ldquo;doubling up&rdquo;.</p> <p>This method works well when radios are in range of each other without a bunch of objects in between. However, it&rsquo;s difficult to talk via simplex over great distances or around big obstacles, such as mountains or hills.</p> <h2 id="repeaters">Repeaters</h2> <p><a href="">Repeaters</a> are a little more complex to use, but they provide some great benefits. A repeater usually consists of one or two radios, one or two antennas, duplexers, and some other basic equipment. They receive a signal on one frequency and broadcast that same signal on another frequency. They are often mounted high on towers and this gives them a much better reach than antennas on your car or home.</p> <p>I enjoy using a repeater here in San Antonio called <a href=";ID=11397">KE5HBB</a>. The repeater has this configuration:</p> <ul> <li>Downlink: 145.370</li> <li>Uplink: 144.770</li> <li>Offset: -0.6 MHz</li> <li>Uplink Tone: 114.8</li> <li>Downlink Tone: 114.8</li> </ul> <p>Let&rsquo;s make sense of this data:</p> <ul> <li><p>Downlink: This is the frequency that the repeater uses to <em>transmit</em>. In other words, when people talk on this repeater, this is the frequency you use to hear them.</p></li> <li><p>Uplink: The repeater&rsquo;s receiver <em>listens</em> on this frequency.
If you want to talk to people who are listening to this repeater, you need to transmit on this frequency.</p></li> <li><p>Offset: This tells you how to calculate the uplink frequency if it is not shown. This repeater has a negative 0.6 MHz offset, so we can calculate the uplink frequency if it was not provided:</p></li> </ul> <div class="highlight"><pre class="chroma">145.370 - 0.600 = 144.770</pre></div> <ul> <li>Uplink/Downlink Tones: Your radio must transmit this tone to <em>open the squelch</em> on the repeater (more on this in a moment). The repeater will use the same tone to transmit, so we can configure our radio to listen for that tone and only open our squelch when it is detected.</li> </ul> <h2 id="opening-the-squelch">Opening the squelch</h2> <p>Transmitting radio waves uses a lot of power and it creates a lot of heat. There are parts of a radio that will wear out much more quickly if a radio is transmitting constantly. This is why receivers have a <em>squelch</em>. This means that a radio must transmit something strong enough on the frequency (or use a tone) to let the repeater know that it needs to repeat something.</p> <p>You may come across repeaters with no tones listed (sometimes shown as <em>PL</em>). This means that you can just transmit on the uplink frequency and the repeater will repeat your signal. These repeaters are easy to use, but they can create problems.</p> <p>Imagine if you&rsquo;re traveling through an area and you&rsquo;re using a frequency to talk to a friend in another car. As you&rsquo;re driving, you move in range of a repeater that is listening on that frequency. Suddenly your conversation is being broadcast through the repeater and everyone listening to that repeater must listen to you. This isn&rsquo;t what you expected and it could be annoying to other listeners.</p> <p>Also, in crowded urban areas, there&rsquo;s always a chance that signals might end up on the repeater&rsquo;s listening frequency unintentionally.
That would cause the repeater to start transmitting and it would increase wear.</p> <p>Two repeaters might be relatively close (or just out of range) and the tone helps each repeater identify its own valid radio traffic.</p> <h2 id="tuning-the-tones">Tuning the tones</h2> <p>Most repeaters have a <em>tone squelch</em>. That means you can blast them with 100 watts of radio waves and they won&rsquo;t repeat a thing until you transmit a sub-audible tone along with your signal.</p> <p>As an example, in the case of KE5HBB, this tone is 114.8 Hz. You must configure a <a href="">CTCSS</a> tone on your radio so that the tone is sent for as long as you are transmitting (CTCSS stands for Continuous Tone-Coded Squelch System; the tone runs underneath your voice for the whole transmission, not just at the start). That signals the repeater that it&rsquo;s time to repeat. The tones sit below the voice band and receivers filter them out, so you don&rsquo;t hear them.</p> <p>If you know you&rsquo;re tuned to the right frequency to transmit (the uplink frequency), but the repeater won&rsquo;t repeat your traffic, then you are most likely missing a tone. There&rsquo;s also a chance that you programmed the uplink and downlink tones into your radio in reverse, so check that, too.</p> <h2 id="repeater-transmit-tone">Repeater transmit tone</h2> <p>Some repeaters will transmit a tone when they broadcast back to you, but some won&rsquo;t. If you can transmit but you can&rsquo;t hear anyone else when they talk, double check your radio&rsquo;s settings for a tone squelch on the receiving side. Your radio can also listen for these tones and only open its squelch when it hears them.</p> <p>I usually disable receiver squelch for tones on my radio since the repeater operator could disable that feature at any time and I wouldn&rsquo;t be able to hear any transmissions since my radio would be waiting for the tone.</p> <h2 id="testing-a-repeater">Testing a repeater</h2> <p>First off, please don&rsquo;t test a repeater unless you have a proper amateur radio license in your jurisdiction. In the United States, that&rsquo;s the FCC.
Don&rsquo;t skip this step.</p> <p>Once you get your repeater&rsquo;s frequencies programmed into your radio properly and you&rsquo;ve double checked the settings for sending tones, you can try &ldquo;breaking the squelch.&rdquo;</p> <p>Press the transmit button on your radio briefly for about half a second and release. You should hear something when you do this. For some repeaters, you may hear a <em>KERRRCHUNK</em> noise. That&rsquo;s the sound of the repeater squelch closing the transmission now that you&rsquo;re done with your transmission. On other repeaters, you may hear some audible tones or beeps as soon as you release the transmit button.</p> <p>Once you have it working properly, stop breaking the squelch and introduce yourself! For example, when I&rsquo;m in my car, I might say: <em>&ldquo;W5WUT mobile and monitoring.&rdquo;</em> That lets people on the repeater know that I&rsquo;m there and that I&rsquo;m moving (so I might not be on for a very long time).</p> <p>Good luck on the radio waves! 73&rsquo;s from W5WUT.</p> Use a secret as an environment variable in OpenShift deployments Thu, 06 Dec 2018 00:00:00 UTC Major Hayden <p>OpenShift <a href="">deployments</a> allow you to take a container image and run it within a cluster. You can easily add extra items to the deployment, such as environment variables or volumes.</p> <p>The best practice for sensitive environment variables is to place them into a <a href="">secret object</a> rather than directly in the deployment configuration itself.
Although this keeps the secret data out of the deployment, the environment variable is still exposed to the running application inside the container.</p> <h2 id="creating-a-secret">Creating a secret</h2> <p>Let&rsquo;s start with a snippet of a <code>deploymentConfig</code> that has a sensitive environment variable in plain text:</p> <div class="highlight"><pre class="chroma"><code class="language-yml" data-lang="yml">spec:
  containers:
  - env:
    - name: MYAPP_SECRET_TOKEN
      value: vPWps5E7KO8KPlljaD3eXED3f6jmLsV5mQ
    image: "fedora:29"
    name: my_app</code></pre></div> <p>A token that has lived in a deployment configuration like this one has usually also lived in a git history, a CI log, or a backup somewhere; once the secret object is in place, treat the old value as burned and rotate it.</p> <p>The first step is to create a secret object that contains our sensitive environment variable:</p> <div class="highlight"><pre class="chroma"><code class="language-yml" data-lang="yml">apiVersion: v1
kind: Secret
metadata:
  name: secret-token-for-my-app
stringData:
  SECRET_TOKEN: vPWps5E7KO8KPlljaD3eXED3f6jmLsV5mQ</code></pre></div> <p><code>stringData</code> is a convenience for writing the manifest by hand: on save, OpenShift base64-encodes it into the object&rsquo;s <code>data</code> field. That is encoding, not encryption, so anyone allowed to read the secret object can recover the value; the secret object only narrows <em>who</em> can read it to those granted access to secrets.</p> <p>Save this file as
<code>secret-token.yml</code> and deploy it to OpenShift:</p> <div class="highlight"><pre class="chroma">oc apply -f secret-token.yml</pre></div> <p>Query OpenShift to ensure the secret is ready to use:</p> <div class="highlight"><pre class="chroma">$ oc get secret/secret-token-for-my-app
NAME                      TYPE      DATA      AGE
secret-token-for-my-app   Opaque    1         1h</pre></div> <h2 id="using-the-secret">Using the secret</h2> <p>We can adjust the deployment configuration to use this new secret:</p> <div class="highlight"><pre class="chroma"><code class="language-yml" data-lang="yml">spec:
  containers:
  - env:
    - name: MYAPP_SECRET_TOKEN
      valueFrom:
        secretKeyRef:
          key: SECRET_TOKEN
          name: secret-token-for-my-app
    image: "fedora:29"
    name: my_app</code></pre></div> <p>This configuration tells OpenShift to look inside the secret object called <code>secret-token-for-my-app</code> for a key matching <code>SECRET_TOKEN</code>.
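<p>With both forms of the deployment configuration on the page, a useful check is one that tells them apart automatically. The shell functions below are an added example, not code from the original post or from OpenShift: they scan a <code>deploymentConfig</code> manifest (for instance the output of <code>oc get dc/my_app -o yaml</code>, where <code>my_app</code> is the name used in this post) and report every container env entry as either a literal <code>value:</code> or a <code>secretKeyRef</code>/<code>configMapKeyRef</code>/<code>fieldRef</code>, then flag literal entries whose names look like credentials. The scan is line-oriented awk that assumes the two-space YAML layout shown in this post, not a full YAML parser, and the two sample manifests are constructed from the snippets above with one harmless extra variable added.</p>

```shell
#!/bin/sh
# Added check, not from the original post or from OpenShift. Scans a
# deploymentConfig manifest and classifies each container env entry as a
# literal `value:` (the plaintext form shown earlier in this post) or a
# reference (`secretKeyRef`, `configMapKeyRef`, `fieldRef`). Line-oriented awk
# that relies on the usual two-space indentation; not a full YAML parser.

# env_audit < manifest.yml: prints "<kind><TAB><NAME>" per env entry.
env_audit() {
  awk '
    function indent(s,   n) { n = s; sub(/[^ ].*/, "", n); return length(n) }
    function report() {
      if (name != "") printf "%s\t%s\n", kind, name
      name = ""; kind = ""
    }
    {
      ind = indent($0)
      line = $0; sub(/^ */, "", line)
      if (line == "" || line ~ /^#/) next           # blank lines and comments
      if (inenv) {
        if (item < 0) {
          if (line ~ /^- /) item = ind              # first item fixes the list indent
          else inenv = 0                            # "env:" with no items
        } else if (ind < item || (ind == item && line !~ /^- /)) {
          report(); inenv = 0                       # left the env list
        }
      }
      if (!inenv) {
        if (line ~ /^(- )?env:[ ]*$/) { inenv = 1; item = -1 }
        next
      }
      if (ind == item && line ~ /^- name: /) {
        report(); name = line; sub(/^- name: */, "", name); kind = "unknown"; next
      }
      if (line ~ /^value:/)                kind = "literal"
      else if (line ~ /^secretKeyRef:/)    kind = "secret"
      else if (line ~ /^configMapKeyRef:/) kind = "configmap"
      else if (line ~ /^fieldRef:/)        kind = "fieldRef"
    }
    END { report() }
  '
}

# suspicious_literals [REGEX] < manifest.yml: print literal-valued env names
# that look like credentials (case-insensitive, heuristic default pattern) and
# return 1 if any were found, so the check can gate a pipeline.
suspicious_literals() {
  pat="${1:-secret|token|pass|key|cred}"
  found=$(env_audit | awk -F "$(printf '\t')" -v pat="$pat" \
            '$1 == "literal" && tolower($2) ~ pat { print $2 }')
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Constructed manifests based on the two snippets in this post, with a
# harmless LOG_LEVEL variable added so a literal that is fine stays visible.
BEFORE='spec:
  containers:
  - env:
    - name: MYAPP_SECRET_TOKEN
      value: vPWps5E7KO8KPlljaD3eXED3f6jmLsV5mQ
    - name: LOG_LEVEL
      value: info
    image: "fedora:29"
    name: my_app'

AFTER='spec:
  containers:
  - env:
    - name: MYAPP_SECRET_TOKEN
      valueFrom:
        secretKeyRef:
          key: SECRET_TOKEN
          name: secret-token-for-my-app
    - name: LOG_LEVEL
      value: info
    image: "fedora:29"
    name: my_app'

printf '%s\n' "$BEFORE" | env_audit
printf '%s\n' "$BEFORE" |
  suspicious_literals || echo "^ move these into a Secret and rotate the values"
printf '%s\n' "$AFTER" | suspicious_literals && echo "after: no credential-looking literals"
```

<p>Run against a real cluster it is <code>oc get dc/my_app -o yaml | suspicious_literals</code>; the name pattern is only a heuristic, so <code>env_audit</code> on its own is the thing to read when reviewing a manifest by hand.</p>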
The value will be passed into the <code>MYAPP_SECRET_TOKEN</code> environment variable and it will be available to the application running in the container.</p> <p><strong>Security note:</strong> If someone has access to change the deployment configuration object, they could get access to the value of the secret without having direct access to the secret object itself. It would be trivial to change the startup command in the container to print all of the environment variables in the container (using the <code>env</code> command) and view them in the container logs. The same goes for anyone allowed to <code>oc rsh</code> or <code>oc exec</code> into the pod, since the environment is readable from inside the container, and for anyone with root on the node, who can read it from <code>/proc</code>. Treat the rights to edit deployment configurations and to exec into pods as equivalent to reading the secret, and grant them just as sparingly. Environment variables are also inherited by every child process the application spawns and tend to surface in crash reports and debug output, so for a long-lived credential a secret mounted as a file volume is the safer delivery.</p> Make alt-arrow keys work with terminator and weechat Thu, 06 Sep 2018 03:43:30 UTC Major Hayden <p>As I make the move from the world of GNOME to i3, I have found myself digging deeper into the <a href="">terminator</a> preferences to make it work more like <a href="">gnome-terminal</a>.</p> <p>I kept running into an issue where I couldn&rsquo;t move up and down between weechat buffers using alt and arrow keys. My workaround was to call the buffer directly with alt-8 (for buffer #8) or alt-j 18 (buffer #18). However, that became tedious. Sometimes I just wanted to quickly hop up or down one or two buffers.</p> <p>To fix this problem, right click anywhere inside the terminal and choose <em>Preferences</em>. Click on the <em>Keybindings</em> tab and look for <code>go_up</code> and <code>go_down</code>. These are almost always set to <em>Alt-Up</em> and <em>Alt-Down</em> by default. That&rsquo;s the root of the problem: terminator is grabbing those keystrokes before they can make it down into weechat.</p> <p>Unfortunately, it&rsquo;s not possible to clear a keybinding within the preferences dialog. Close the window and open <code>~/.config/terminator/config</code> in a terminal.</p> <p>If you&rsquo;re new to terminator, you might not have a <code>[keybindings]</code> section in your configuration file. If that&rsquo;s the case, add the whole section below the <code>[global_config]</code> section.
Otherwise, just ensure your <code>[keybindings]</code> section contains these lines:</p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini">[keybindings]
go_down = None
go_up = None</code></pre></div> <p>Close <em>all</em> of the terminator windows (on all of your workspaces). <strong>This is a critical step!</strong> Terminator only loads the config file when it is first started, not when additional terminals are opened.</p> <p>Open a terminator terminal, start weechat, and test your alt-arrow keys! You should be moving up and down between buffers easily. If that doesn&rsquo;t work, check your window manager&rsquo;s settings to ensure that another application hasn&rsquo;t stolen that keybinding from your terminals.</p> How to thrive at a technical conference Wed, 09 May 2018 23:54:28 UTC Major Hayden <p><img src="../wp-content/uploads/2018/05/IMG_20180508_202748.jpg" alt="1" /></p> <p>I&rsquo;m at the <a href="">2018 Red Hat Summit</a> this week in San Francisco and I am enjoying the interactions between developers, executives, vendors, and engineers. It&rsquo;s my seventh Summit (but my first as a Red Hat employee!), but I regularly meet people who are attending their first technical conference.</p> <p>The question inevitably comes up: &ldquo;I&rsquo;m so tired. How do you survive these events?&rdquo;</p> <p>One attendee asked me to write a blog post on my tips and tricks. This is the post that explains how to thrive, not just survive, at conferences. Beware - these tips are based on my experiences and your mileage may vary depending on your personality, the event itself, and your caffeine intake.</p> <h2 id="discover-the-area">Discover the area</h2> <p>Traveling to a conference is an awesome way to experience more of the world! Take time to enjoy the tourist sites but also find out where the locals like to go.
Any hotel concierge should be able to give you advice on where to go to truly experience the location.</p> <p>Take some time to learn the area around your hotel and the venue. Be sure you can navigate between the two and find some important spots nearby, like pharmacies and coffee shops.</p> <h2 id="food-water-and-sleep">Food, water, and sleep</h2> <p>These conferences can often feel overwhelming and you may find yourself forgetting to eat the right foods, stay hydrated, and get some rest.</p> <p>Take every opportunity to eat healthier foods during the week that will give you energy without weighing you down. All the stuff that your Mom told you to eat is a good idea. My rule of thumb is to eat a heavy breakfast, a medium sized lunch, and then whatever I want for dinner. Evening events often have free food (more on those events next), and that fits my travel budget well. It also allows me to splurge a bit on foods that I might not eat back home.</p> <p>Take along a water container when you travel. You can&rsquo;t always depend on the conference for making water available and you&rsquo;ll often need more than they offer anyway. I&rsquo;m a big fan of <a href="">Nalgene&rsquo;s</a> products since they take a beating and they have really good seals.</p> <p>Sleeping is a real challenge. Early morning keynotes and late night events put a strain on anyone&rsquo;s sleep schedule. Lots of people have trouble sleeping in hotels or in cities where the noise level remains high all night long. The best remedy is to be choosy about the events you attend and the time you spend there. Think about what is more valuable: more time listening to blasting music at a party or more time with your head on the pillow.</p> <p>Consider using an application on your phone that provides various types of noises, such as <a href="">white noise</a>. I love the <a href="">White Noise</a> app on Android since it has tons of options for various sounds. 
In my experience, brown noise works best for sleeping. Pink noise can help in extremely noisy environments (like downtown San Francisco) but it&rsquo;s often too loud for me.</p> <h2 id="keep-your-devices-charged">Keep your devices charged</h2> <p>Find a way to keep your devices charged, especially your phone. I use <a href="">Anker</a> battery packs to keep my phone topped up during the day when I can&rsquo;t get to a plug. A dead phone disconnects you from your friends, maps, and conference details.</p> <h2 id="dress-for-success">Dress for success</h2> <p>Your clothing selection really depends on the type of conference and the company you represent. If you need to dress formally each day, then your choices are already made for you.</p> <p>Pack layers of clothing so you can add or remove layers as needed. The walk to the conference center may be warm, but the keynote auditorium could feel like a freezer. This also prepares you for evening events which might be outdoors.</p> <p>Wear clothing that makes you feel comfortable. You&rsquo;ll find a wide range of outfits at most tech conferences and you&rsquo;ll find that nobody really cares how formal or informal you are. If you&rsquo;re there to listen, learn, and contribute, then dress casually. If you&rsquo;re looking for a new job, doing a talk, or if you&rsquo;ll be on camera, choose something a little more formal.</p> <h2 id="the-hallway-track">The hallway track</h2> <p>You won&rsquo;t find the hallway track on any agenda, but it is often the most valuable part of any gathering. The hallway track encompasses those brief encounters you have with other people at the event. Turn those mundane events, such as waiting in line, eating lunch, or between talks, into opportunities to meet other people.</p> <p>Yes, this does mean that you must do something to come out of your shell and start a conversation. This is still difficult for me. 
Here are some good ways to start a conversation with someone around you:</p> <ul> <li>&ldquo;Hello, my name is Major&rdquo; (put out your hand for a handshake)</li> <li>&ldquo;Where do you work?&rdquo;</li> <li>&ldquo;What do you work on?&rdquo;</li> <li>&ldquo;Man, this line is really long.&rdquo;</li> <li>&ldquo;vim or emacs?&rdquo; <em>(just kidding)</em></li> </ul> <p>The secret is to find something that makes you and the other person feel comfortable. There are situations where you might be met with a cold shoulder, and that&rsquo;s okay. I&rsquo;ve found that sometimes people need some space or the issue could be a language barrier. Making the attempt is what matters.</p> <p>These are excellent opportunities for learning, for listening, and for sharing. These new contacts will show up again and again at the event (more on parties/networking next), and you can talk to them again when you feel the tendency to become a <a href="">wallflower</a> again.</p> <h2 id="parties-and-networking-events">Parties and networking events</h2> <p>Evening events at conferences are a great way to keep the hallway track going while taking some time to relax as well. Some of the best conversations I&rsquo;ve had at conferences were during evening events or vendor parties. People are more candid since the conference demands are often reduced.</p> <p>However, it&rsquo;s incredibly easy to make some spectacularly bad decisions at these events. This list should help you navigate these events and get value from them:</p> <h3 id="enjoy-an-open-bar-responsibly">Enjoy an open bar responsibly</h3> <p>Early in my career, I looked at an open bar as a magical oasis. Free drinks! As many as I want! This is heaven! (Narrator: <em>It was not heaven. It was something else.</em>)</p> <p>I think about open bars much like I think about a trip to Las Vegas. Before I go, I think about how much money I feel like losing, and I only bet that much. 
<strong>Once the money is gone, I&rsquo;m done.</strong></p> <p>Go into the event knowing how much or how little you want to consume. <strong>Zero is an entirely valid answer.</strong> Keep in mind that the answer to &ldquo;Why aren&rsquo;t you drinking anything?&rdquo; does not have to be &ldquo;I guess I&rsquo;ll get something.&rdquo; <strong>Nobody needs to know why you&rsquo;re not drinking and you shouldn&rsquo;t feel pressured to do something you don&rsquo;t want to do.</strong></p> <p>Think about how you want to feel in the morning. Is a massive hangover worth another round of shots? Is it worth it to ruin your talk the next day? Is it worth it to get belligerent and say something that may be difficult to take back? Think about these things ahead of time and make a plan before you begin drinking.</p> <h3 id="leave-when-you-want">Leave when you want</h3> <p>Some evening events can last much too late and this could derail your plans for the morning. If the party runs from 7-10PM, don&rsquo;t feel obligated to stay until 10PM. If you&rsquo;re not meeting the right people or if you&rsquo;re not having a good time: leave. It&rsquo;s better to abandon an event early than suffer through it and crawl through the next morning.</p> <h3 id="turn-down-an-uninteresting-invitation">Turn down an uninteresting invitation</h3> <p>The conference may host various events or a vendor may invite you to an event. These are just invitations and your attendance is not required (unless you work for the vendor throwing the party). Feel free to do something else with your time if the event or the venue seem uninteresting or unsafe. (More on safety next.)</p> <h3 id="get-a-party-buddy">Get a party buddy</h3> <p>Remember those people you talked to in the hallway and during lunch? Find those people at the event and tell them you enjoyed the conversation from earlier. 
I&rsquo;ve been to conferences before where I&rsquo;ve been the only one from my company and after letting the other person know that, they invited me to hang out with them or their group at the event.</p> <p>This is a good idea for two reasons. First, it gives you someone to talk to. More importantly, it helps you stay safe.</p> <h2 id="dealing-with-harassment">Dealing with harassment</h2> <p>This gets its own section. It has happened to me and it will likely happen to you.</p> <p>Nobody ever wants it to happen, but people are often harassed in one way or another at these events. It&rsquo;s inevitable: there are drinks, people are away from home, and they&rsquo;re enjoying time away from work. For some people, this is a combination of factors that leads them to make bad choices at these events.</p> <p>Harassment comes in many forms, but nobody should put up with it. If you see someone being treated badly, step in. If you&rsquo;re being treated badly, get help. If you&rsquo;re treating someone badly, apologize and remove yourself from the situation. This is where a party buddy can be extremely helpful.</p> <p>Harassment is not a women-only or men-only problem. I have been touched in unwelcome ways and verbally harassed at evening events. It is not fun. In my experience, telling the other person to &ldquo;Please stop&rdquo; or &ldquo;That is not okay&rdquo; is usually enough to defuse the situation.</p> <p>This may not always work. Grab your buddy and get help from conference staffers or a security guard if a situation continues to escalate.</p> <h2 id="more-ideas">More ideas</h2> <p>These are some ideas that help me thrive at conferences and make the most of my time traveling. 
Feel free to leave some of your ideas below in the comments section!</p> Reaching the fork in the road Wed, 07 Mar 2018 16:18:51 UTC Major Hayden <p><img src="../wp-content/uploads/2018/03/1024px-Mountain_trail_in_Panachaiko_mountains_Greece.jpg" alt="1" /></p> <p>Walt Disney said it best:</p> <blockquote> <p>We keep moving forward, opening new doors, and doing new things, because we&rsquo;re curious and curiosity keeps leading us down new paths.</p> </blockquote> <p>The world of technology is all about change. We tear down the old things that get in our way and we build new technology that takes us to new heights. Tearing down these old things can often be difficult and that forces us to make difficult choices.</p> <p>Rackspace has been a great home for me for over 11 years. I&rsquo;ve made the incredibly difficult choice to leave Rackspace on March 9th to pursue new challenges.</p> <h2 id="humble-beginnings">Humble beginnings</h2> <p>I came to Rackspace as an entry-level Linux administrator and was amazed by the culture generated by Rackers. The dedication to customers, technology, and quality was palpable from the first few minutes I spent with my team. Although I didn&rsquo;t know it at the time, I had landed at the epicenter of a sink-or-swim technology learning experience. My team had some very demanding customers with complex infrastructures and it forced me to take plenty of notes (and hard knocks). My manager and teammates supported me through it all.</p> <p>From there, I served in several different roles. I was a manager of technicians on a support team and had the opportunity to learn how to mentor. 
One of my favorite leaders said that &ldquo;good managers know when to put their arm around people and when to put a boot in their rear.&rdquo; I reluctantly learned how to do both and I watched my people grow into senior engineers and great leaders.</p> <p><img src="../wp-content/uploads/2018/03/6519121761_ab65bab3c1_b.jpg" alt="/wp-content/uploads/2018/03/6519121761_ab65bab3c1_b.jpg" /> Datapoint office closing in 2011</p> <p>I was pulled to Mosso, Rackspace&rsquo;s first cloud offering, shortly after that and discovered an entirely new world. Rackers force-fed me &ldquo;Why&rsquo;s (Poignant) Guide to Ruby&rdquo; and I started building scripts and web front-ends for various services. Rackspace acquired Slicehost after that and I jumped at the chance to work as an operations engineer on the new infrastructure. That led to a lot of late nights diagnosing problems with Xen hypervisors and Rails applications. I met some amazing people and began to realize that St. Louis has some pretty good barbecue (but Texas still has them beat).</p> <p><img src="../wp-content/uploads/2018/03/4171091103_7150ded95f_b.jpg" alt="/wp-content/uploads/2018/03/4171091103_7150ded95f_b.jpg" /> Slicehost humor in 2009</p> <p>Not long after that, I found myself managing an operations team that cared for Slicehost&rsquo;s infrastructure and Rackspace&rsquo;s growing Cloud Servers infrastructure. OpenStack appeared later and I jumped at the chance to do operations there. It was an extremely rough experience in the Diablo release, but it taught me a lot. My start with OpenStack involved fixing lots of broken Keystone tests that didn&rsquo;t run on Python 2.6.</p> <p><img src="../wp-content/uploads/2018/03/7730840100_01257c5fa4_b.jpg" alt="/wp-content/uploads/2018/03/7730840100_01257c5fa4_b.jpg" /> Working on OpenStack in 2012</p> <p>If you&rsquo;ve attended some of my talks on impostor syndrome, you may know what came next. 
We had a security issue and I sent some direct feedback to our CSO about how it was handled. I expected to be told to &ldquo;pack a box&rdquo; after that, but I was actually asked to lead a security architecture team in the corporate security group. It was definitely a surprise. I accepted and joined the team as Chief Security Architect. My coworkers called it &ldquo;joining the dark side&rdquo;, but I did my best to build bridges between security teams and the rest of the company.</p> <p><img src="../wp-content/uploads/2018/03/24142777780_5196ca622b_h.jpg" alt="/wp-content/uploads/2018/03/24142777780_5196ca622b_h.jpg" /> Talking at Rackspace::Solve in 2015</p> <p>This role really challenged me. I had never operated at the Director level before and our team had a ton of work to do. I found myself stumbling (and floundering) fairly often and I leaned on other leaders in the business for advice. This led me to take some courses on critical thinking, accounting, finance, and tough conversations. I&rsquo;ve never had a role as difficult as this one.</p> <p>Our cloud team came calling and asked me to come back and help with some critical projects in the public cloud. We worked on some awesome skunkworks projects that could really change the business. Although they didn&rsquo;t get deployed in one piece, we found ways to take chunks of the work and optimize different areas of our work. An opportunity came up to bring public cloud experience to the private cloud team and I jumped on that one. 
I discovered the awesome OpenStack-Ansible project and a strong set of Rackers who were dedicated to bringing high-touch service to customers who wanted OpenStack in their own datacenter.</p> <p><img src="../wp-content/uploads/2018/03/imposter-syndrome_hayden.jpg" alt="/wp-content/uploads/2018/03/imposter-syndrome_hayden.jpg" /> Impostor syndrome talk at the Boston OpenStack Summit in 2017</p> <p>During this time, I had the opportunity to deliver several conference talks about OpenStack, Fedora, security, and Ansible. My favorite topic was impostor syndrome and I set out on a mission to help people understand it. My first big talk was at the Fedora Flock conference in Rochester in 2015. This led to deep conversations with technical people in conference hallways, evening events, and even airport terminals about how impostor syndrome affects them. I took those conversations and refined my message several times over.</p> <p><img src="../wp-content/uploads/2018/03/DSCF0425.jpg" alt="/wp-content/uploads/2018/03/DSCF0425.jpg" /> Talking about impostor syndrome at Fedora Flock 2015 (Photo credit: Kushal Das)</p> <h2 id="gratitude">Gratitude</h2> <p>I couldn&rsquo;t even begin to name a list of Rackers who have helped me along the way. I wouldn&rsquo;t be where I am now without the help of hundreds of Rackers. They&rsquo;ve taught me how to build technology, how to navigate a business, and how to be a better human. They have made me who I am today and I&rsquo;m eternally grateful. I&rsquo;ve had an incredible amount of hugs this week at the office and I&rsquo;ve tried my best not to get a face full of tears in the process.</p> <p>I&rsquo;d also like to thank all of the people who have allowed me to mentor them and teach them something along the way. One of the best ways to understand something is to teach it to someone else. I relish any opportunity to help someone avoid a mistake I made, or at least be able to throw something soft under them to catch their fall. 
These people put up with my thick Texas accent, my erratic whiteboard diagrams, and worst of all, my dad jokes.</p> <p>Another big &ldquo;thank you&rdquo; goes out to all of the members of the open source communities who have mentored me and dealt with my patches.</p> <p>The first big community I joined was the Fedora Linux community. I&rsquo;ve been fortunate to serve on the board and participate in different working groups. Everyone has been helpful and accommodating, even when I pushed broken package builds. I plan to keep working in the community as long as they will have me!</p> <p>The OpenStack community has been like family. Everyone - from developers to foundation leaders - has truly been a treat to work with over several years. My work on Rackspace&rsquo;s public and private clouds has pushed me into various projects within the OpenStack ecosystem and I&rsquo;ve found everyone to be responsive. OpenStack events are truly inspiring and it is incredible to see so many people from so many places who dedicate themselves to the software and the people that make cloud infrastructure work.</p> <h2 id="the-next-adventure">The next adventure</h2> <p>I plan to talk more on this later, but I will be working from home on some projects that are entirely different from what I&rsquo;m working on now. That adventure starts on March 19th after a week of &ldquo;funemployment.&rdquo; I&rsquo;m incredibly excited about the new opportunity and I&rsquo;ll share more details when I can.</p> <p><em>Top photo credit: <a href=",_Greece.jpg">Wikipedia</a></em></p> Install testing kernels in Fedora Wed, 28 Feb 2018 13:53:48 UTC Major Hayden <p><img src="../wp-content/uploads/2018/02/120928-F-YV474-917.jpg" alt="1" /></p> <p>If you&rsquo;re on the latest Fedora release, you&rsquo;re already running lots of modern packages. 
However, there are those times when you may want to help with testing efforts or try out a new feature in a newer package.</p> <p>Most of my systems have the <code>updates-testing</code> repository enabled in one way or another. This repository contains packages that package maintainers have submitted to become the next stable package in Fedora. For example, if there is a bug fix for nginx, the package maintainer submits the changes and publishes a release. That release goes into the testing repositories and must sit for a waiting period or receive sufficient karma (&ldquo;works for me&rdquo; responses) to move into stable repositories.</p> <h2 id="getting-started">Getting started</h2> <p>One of the easiest ways to get started is to allow a small set of packages to be installed from the testing repository on a regular basis. Fully enabling the testing repository for all packages invites occasional trouble: a testing package may turn out to be broken, which is exactly why it is still in testing, and you may have installed it before the maintainer discovers the problem and submits a replacement.</p> <p>To get started, open <code>/etc/yum.repos.d/fedora-updates-testing.repo</code> in your favorite text editor (using <code>sudo</code>). This file tells yum and dnf where they should look for packages. 
The stock testing repository configuration looks like this:</p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[updates-testing]</span>
<span class="na">name</span><span class="o">=</span><span class="s">Fedora $releasever - $basearch - Test Updates</span>
<span class="na">failovermethod</span><span class="o">=</span><span class="s">priority</span>
<span class="c1">#baseurl=$releasever/$basearch/</span>
<span class="na">metalink</span><span class="o">=</span><span class="s">$releasever&amp;arch=$basearch</span>
<span class="na">enabled</span><span class="o">=</span><span class="s">0</span>
<span class="na">repo_gpgcheck</span><span class="o">=</span><span class="s">0</span>
<span class="na">type</span><span class="o">=</span><span class="s">rpm</span>
<span class="na">gpgcheck</span><span class="o">=</span><span class="s">1</span>
<span class="na">metadata_expire</span><span class="o">=</span><span class="s">6h</span>
<span class="na">gpgkey</span><span class="o">=</span><span class="s">file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch</span>
<span class="na">skip_if_unavailable</span><span class="o">=</span><span class="s">False</span></code></pre></div> <p>By default, the repository is not enabled (<code>enabled=0</code>).</p> <p>In this example, let&rsquo;s consider a situation where you want to test the latest kernel packages as soon as they reach the testing repository. 
We need to make two edits to the repository configuration:</p> <ul> <li><code>enabled=1</code> - Allow yum/dnf to use the repository</li> <li><code>includepkgs=kernel*</code> - Only allow packages matching <code>kernel*</code> to be installed from the testing repository</li> </ul> <p>Leave <code>gpgcheck=1</code> in place: packages in <code>updates-testing</code> are signed with the same Fedora release key as stable packages, so signature verification costs nothing and is the one thing standing between you and an unsigned build. The repository configuration should now look like this:</p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[updates-testing]</span>
<span class="na">name</span><span class="o">=</span><span class="s">Fedora $releasever - $basearch - Test Updates</span>
<span class="na">failovermethod</span><span class="o">=</span><span class="s">priority</span>
<span class="c1">#baseurl=$releasever/$basearch/</span>
<span class="na">metalink</span><span class="o">=</span><span class="s">$releasever&amp;arch=$basearch</span>
<span class="na">enabled</span><span class="o">=</span><span class="s">1</span>
<span class="na">repo_gpgcheck</span><span class="o">=</span><span class="s">0</span>
<span class="na">type</span><span class="o">=</span><span class="s">rpm</span>
<span class="na">gpgcheck</span><span class="o">=</span><span class="s">1</span>
<span class="na">metadata_expire</span><span class="o">=</span><span class="s">6h</span>
<span class="na">gpgkey</span><span class="o">=</span><span class="s">file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch</span>
<span class="na">skip_if_unavailable</span><span class="o">=</span><span class="s">False</span>
<span class="na">includepkgs</span><span class="o">=</span><span class="s">kernel*</span></code></pre></div> <h2 id="getting-testing-packages">Getting testing packages</h2> <p>Running <code>dnf upgrade 'kernel*'</code> (quote the glob so your shell passes it to dnf instead of expanding it against files in the current directory) should now pull a kernel from the <code>updates-testing</code> repository. 
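</p>
<p>Editing the file by hand is fine for one machine; for a fleet, the same change wants to be scripted and, above all, idempotent. The script below is an added example, not part of the original post, that applies the two edits above (<code>enabled=1</code> and an <code>includepkgs=</code> glob list) to a repo file with POSIX shell and awk. It refuses to enable a repository whose section does not carry <code>gpgcheck=1</code>, so testing packages can never be installed unsigned, and it rewrites the file in place so the original mode, owner and SELinux label survive. The function name <code>restrict_testing_repo</code> and the temporary file handling are this example's own choices.</p>

```bash
#!/bin/sh
# Added example: apply the two edits from the post (enabled=1 and an
# includepkgs= glob list) to a yum/dnf repo file idempotently, and refuse
# to enable a repository that does not verify package signatures.
# Usage: restrict_testing_repo FILE SECTION GLOB [GLOB...]

restrict_testing_repo() {
    file=$1; section=$2; shift 2
    globs=$*

    # Guard: never turn on a repo whose [SECTION] lacks gpgcheck=1, or
    # unsigned testing builds would install without complaint.
    if ! awk -v s="[$section]" '
        $0 == s                                  { in_s = 1; next }
        /^\[/                                    { in_s = 0 }
        in_s && /^gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { found = 1 }
        END                                      { exit found ? 0 : 1 }' "$file"; then
        echo "refusing: gpgcheck=1 is not set for [$section] in $file" >&2
        return 1
    fi

    tmp=$(mktemp) || return 1
    # Inside [SECTION] only: force enabled=1, replace any existing
    # includepkgs= line, or append one before the next section / at EOF.
    awk -v s="[$section]" -v globs="$globs" '
        function flush() {
            if (in_s && !seen_inc) print "includepkgs=" globs
            in_s = 0
        }
        $0 == s                 { in_s = 1; seen_inc = 0; print; next }
        /^\[/                   { flush() }
        in_s && /^enabled=/     { print "enabled=1"; next }
        in_s && /^includepkgs=/ { print "includepkgs=" globs; seen_inc = 1; next }
                                { print }
        END                     { flush() }' "$file" > "$tmp" &&
        cat "$tmp" > "$file"    # overwrite in place: keeps mode, owner and SELinux label
    rc=$?
    rm -f "$tmp"
    return $rc
}

if [ "$#" -ge 3 ]; then
    restrict_testing_repo "$@"
fi
```

<p>Run it as root against the stock file, for example <code>restrict_testing_repo /etc/yum.repos.d/fedora-updates-testing.repo updates-testing 'kernel*'</code>, and run it again later with a longer glob list; the second run replaces the existing <code>includepkgs</code> line instead of adding another. One caveat visible in the stock configuration: <code>gpgcheck</code> covers packages, while <code>repo_gpgcheck=0</code> means the repository metadata itself is not signature-checked. Fedora relies on the metalink, fetched over HTTPS and carrying checksums for <code>repomd.xml</code>, to protect the metadata, so keep the metalink line rather than switching to a plain <code>baseurl</code> mirror.</p>
<p>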
You can verify this by checking the <code>Repository</code> column in the dnf output.</p> <p>If you feel more adventurous later, you can add additional packages (separated by spaces) to the <code>includepkgs</code> line. The truly adventurous users can leave the repo enabled but remove <code>includepkgs</code> altogether. This will pull all available packages from the testing repository as soon as they are available.</p> <h2 id="package-maintainers-need-feedback">Package maintainers need feedback!</h2> <p>One final note: <strong>package maintainers need your feedback</strong> on packages. Positive or negative feedback is very helpful. You can search for the package on <a href="">Bodhi</a> and submit feedback there, or use the <code>fedora-easy-karma</code> script via the <code>fedora-easy-karma</code> package. The script will look through your installed package list and query you for feedback on each one.</p> <p>Submitting lots of feedback can earn you some <a href="">awesome Fedora Badges</a>!</p> <p><em>Photo credit: <a href="">US Air Force</a></em></p> Takeaways from my foray into amateur radio Sat, 06 Jan 2018 19:26:53 UTC Major Hayden <p><img src="../wp-content/uploads/2018/01/kenwood_mobile_radio.jpg" alt="1" /></p> <p>The <a href="">Overland Expo in Asheville</a> last year was a great event, and one of my favorite sessions covered the basics about radio communications while overlanding. The instructors shared their radios with us and taught us some tips and tricks for how to save power and communicate effectively on the trail.</p> <p>Back at the office, I was surprised to discover how many of my coworkers had an FCC license already. They gave me tips on getting started and how to learn the material for the exam. 
I took some of my questions to Twitter and had plenty of help pouring in quickly.</p> <p>This post covers how I studied, what the exam was like, and what I&rsquo;ve learned after getting on the air.</p> <h2 id="the-basics">The basics</h2> <p>FCC licenses in the US for amateur radio operators have multiple levels. Everything starts with the Technician level, which gives you the most basic access to radio frequencies. From there, you can upgrade (with another exam) to General and then to Extra. Each license upgrade opens up more frequencies and privileges.</p> <h2 id="studying">Studying</h2> <p>A coworker recommended the <a href="">official ARRL book</a> for the Technician exam and I picked up a paper copy. The content is extremely dry. It was difficult to remain focused for long periods.</p> <p>The entire question pool is public, so you can actually go straight to the questions that you&rsquo;ll see on the exam and study those. I flipped to the question section in the ARRL book and found the questions I could answer easily (mostly about circuits and electrical parts). For each one that was new or difficult, I flipped back in the ARRL book to the discussion in each chapter and learned the material.</p> <p>I also used <a href=""></a> to quickly practice and keep track of my progress. The site has some handy graphs that show you how many questions you&rsquo;ve seen and what your knowledge level of different topics really is. I kept working through questions on the site until I was regularly getting 90% or higher on the practice tests.</p> <h2 id="testing">Testing</h2> <p>Before you test, be sure to <a href="">get an FCC Registration Number</a> (commonly called an FRN). It is free to get and having one ensures that you get your license (often called your &lsquo;ticket&rsquo;) as soon as possible. 
I was told that some examiners won&rsquo;t offer you a test if you don&rsquo;t have your FRN already.</p> <p>The next step is to <a href="">find an amateur radio exam</a> in your area. Exams are available in the San Antonio area every weekend and they are held by different groups. I took mine with the <a href="">Radio Operators of South Texas</a> and the examiners were great! Some examiners require you to check in with them so they know you are coming to test, but it&rsquo;s a good idea to do this anyway. Ask how they want to be paid (cash, check, etc), too.</p> <p>Be sure to take a couple of pencils, a basic calculator, your government issued ID, your payment, and your FRN to the exam. I forgot the calculator but the examiners had a few extras. The examiners complete some paperwork before your exam, and you select one of the available test versions. Each test contains a randomly selected set of 35 questions from the pool of 350.</p> <p>Go through the test, carefully read each question, and fill in the answer sheet. Three examiners will grade it when you turn it in, and they will fill out your Certificate of Successful Completion of Examination (CSCE). Hold onto this paper just in case something happens with your FCC paperwork.</p> <p>The examiners will send your paperwork to the FCC and you should receive a license within two weeks. Mine took about 11-12 business days, but I took it just before Thanksgiving. The FCC will send you a generic email stating that there is a new license available and you can download it directly from the FCC&rsquo;s website.</p> <h2 id="lessons-learned-on-the-air">Lessons learned on the air</h2> <p>Once I passed the exam and keyed up for the first transmission, I feared a procedural misstep more than anything. What if I say my callsign incorrectly? What if I&rsquo;m transmitting at a power level that is too high? What power level is too high? 
What am I doing?!</p> <p>Everyone has to start somewhere and you&rsquo;re going to make mistakes. Almost 99.9% of my radio contacts so far have been friendly, forgiving, and patient. I&rsquo;ve learned a lot from listening to other people and from the feedback I get from radio contacts. Nobody will yell at you for using a repeater when simplex should work. Nobody will yell at you if you blast a repeater with 50 watts when 5 would be fine.</p> <p>I&rsquo;m on VHF most often and I&rsquo;ve found many local repeaters on <a href="">RepeaterBook</a>. Most of the repeaters in the San Antonio area are busiest during commute times (morning and afternoon) as well as lunchtime. I&rsquo;ve announced my callsign when the repeater has been quiet for a while and often another radio operator will call back. It&rsquo;s a good idea to mention that you&rsquo;re new to amateur radio since that will make it easier for others to accept your mistakes and provide feedback.</p> <p>When I&rsquo;m traveling long distances, I monitor the national simplex calling frequency (146.520 MHz). That&rsquo;s the 2 meter equivalent of CB channel 19: a place where you can announce yourself and have conversations. In busy urban areas, it&rsquo;s best to work out another frequency with your contact to keep the calling frequency clear.</p> <h2 id="my-equipment">My equipment</h2> <p>My first purchase was a (cheap) <a href="">BTECH UV-5X3</a>. The price is fantastic, but the interface is rough to use. Editing saved channels is nearly impossible and navigating the menus requires a good manual to decipher the options. The manual that comes with it is surprisingly brief. There are some helpful how-to guides from other radio operators on various blogs that can help.</p> <p>I picked up a <a href="">Kenwood TM-D710G</a> mobile radio from a coworker and mounted it in the car. I wired it up with <a href="">Anderson Powerpole connectors</a> and that makes things incredibly easy (and portable). 
The interface on the Kenwood is light years ahead of the BTECH, but the price is 10x more.</p> <p>My car has the <a href="">Comet SBB-5NMO</a> antenna mounted with a <a href="">Comet CP-5NMO</a> lip mount. It fits well on the rear of the 4Runner.</p> <p>Managing a lot of repeater frequencies is challenging with both radios (far more so with the BTECH), but the open source <a href="">CHIRP</a> software works well. I installed it on my Fedora laptop and could manage both radios easily. The BTECH radio requires you to download the entire current configuration, edit it, and upload it to the radio. The Kenwood allows you to make adjustments to the radio in real time (which is excellent for testing).</p> <h2 id="more-questions">More questions?</h2> <p>If you have more questions about any part of the process, let me know!</p> Ensuring keepalived starts after the network is ready Fri, 15 Dec 2017 21:18:37 UTC Major Hayden <p><img src="../wp-content/uploads/2017/12/wait.jpg" alt="1" /></p> <p>After a recent <a href="">OpenStack-Ansible (OSA)</a> deployment on CentOS, I found that keepalived was not starting properly at boot time:</p> <div class="highlight"><pre class="chroma">Keepalived_vrrp[801]: Cant find interface br-mgmt for vrrp_instance internal !!!
Keepalived_vrrp[801]: Truncating auth_pass to 8 characters
Keepalived_vrrp[801]: VRRP is trying to assign ip address to unknown br-mgmt interface !!! go out and fix your conf !!!
Keepalived_vrrp[801]: Cant find interface br-mgmt for vrrp_instance external !!!
Keepalived_vrrp[801]: Truncating auth_pass to 8 characters
Keepalived_vrrp[801]: VRRP is trying to assign ip address to unknown br-mgmt interface !!! go out and fix your conf !!!
Keepalived_vrrp[801]: VRRP_Instance(internal) Unknown interface !
systemd[1]: Started LVS and VRRP High Availability Monitor.
Keepalived_vrrp[801]: Stopped
Keepalived[799]: Keepalived_vrrp exited with permanent error CONFIG. 
Terminating</pre></div> <p>OSA deployments have a management bridge for traffic between containers. These containers run the OpenStack APIs and other support services. By default, this bridge is called <code>br-mgmt</code>.</p> <p>The keepalived daemon is starting before NetworkManager has brought up the <code>br-mgmt</code> bridge, so the interface named in its configuration does not exist yet when the configuration is parsed. keepalived treats that as a permanent configuration error and exits rather than waiting for the interface to appear. We need a way to tell systemd to hold keepalived back until the network is up.</p> <h2 id="waiting-on-networkmanager">Waiting on NetworkManager</h2> <p>There is a special systemd target, <code>network-online.target</code>, that is reached only once the network management service reports that the network is up. With NetworkManager, that signal comes from a handy service called <code>NetworkManager-wait-online.service</code>, which runs <code>nm-online</code> and must complete before the <code>network-online</code> target can be reached:</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="c1"># rpm -ql NetworkManager | grep network-online</span>
/usr/lib/systemd/system/
/usr/lib/systemd/system/</code></pre></div> <p>Start by ensuring that the <code>NetworkManager-wait-online</code> service starts at boot time:</p> <div class="highlight"><pre class="chroma">systemctl enable NetworkManager-wait-online.service</pre></div> <h2 id="using-network-online-target">Using network-online.target</h2> <p>Next, we tell the keepalived service to wait on <code>network-online.target</code>. Bring up an editor for overriding the <code>keepalived.service</code> unit:</p> <div class="highlight"><pre class="chroma">systemctl edit keepalived.service</pre></div> <p>Once the editor appears, add the following text. Both directives are needed: <code>After=</code> only orders keepalived behind the target if something activates the target, and <code>Wants=</code> is what pulls the target into the boot transaction:</p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[Unit]</span>
<span class="na">Wants</span><span class="o">=</span><span class="s">network-online.target</span>
<span class="na">After</span><span class="o">=</span><span class="s">network-online.target</span></code></pre></div> <p>Save the file in the editor (it lands in <code>/etc/systemd/system/keepalived.service.d/override.conf</code>) and reboot the server. 
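</p>
<p><code>systemctl edit</code> opens an editor, which does not suit a deployment driven from Ansible. The functions below are an added example (not from the original post or from OpenStack-Ansible) that write the same drop-in non-interactively, check that it carries both directives, and show how to confirm the result on a live host. The optional root-prefix argument, the drop-in file name <code>10-network-online.conf</code> and the function names are this example's own conventions.</p>

```bash
#!/bin/sh
# Added example: the non-interactive equivalent of `systemctl edit
# keepalived.service` for the override shown above, plus a check that the
# drop-in carries both directives. ROOT (optional) prefixes every path so
# the logic can be exercised against a scratch directory.

dropin_path() {                      # $1 = unit, $2 = root prefix
    printf '%s/etc/systemd/system/%s.d/10-network-online.conf\n' "${2:-}" "$1"
}

write_network_online_dropin() {      # $1 = unit, $2 = root prefix
    path=$(dropin_path "$1" "${2:-}")
    mkdir -p "$(dirname "$path")" || return 1
    # Wants= pulls network-online.target into the boot transaction;
    # After= delays the unit until the target is reached. After= alone
    # does nothing when nothing else activates the target.
    cat > "$path" <<'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF
}

dropin_orders_after_network_online() {   # 0 if both directives are present
    path=$(dropin_path "$1" "${2:-}")
    [ -r "$path" ] || return 1
    grep -qx 'Wants=network-online.target' "$path" &&
        grep -qx 'After=network-online.target' "$path"
}

# Live host: write the drop-in, make NetworkManager-wait-online part of
# boot, reload systemd and print how many of the two directives show up
# in the merged unit (expect 2). Reboot afterwards for the real test.
apply_live() {
    write_network_online_dropin keepalived.service || return 1
    systemctl enable NetworkManager-wait-online.service || return 1
    systemctl daemon-reload || return 1
    systemctl show -p Wants -p After keepalived.service | grep -c network-online.target
}

if [ "${1:-}" = apply ]; then
    apply_live
fi
```

<p>On a live host, call <code>apply_live</code> as root; the final <code>grep -c</code> prints 2 once both directives are visible in the merged unit, which confirms the ordering without a reboot. One more line in the log above deserves attention: <code>Truncating auth_pass to 8 characters</code> is keepalived pointing out that VRRP's simple password authentication is capped at eight characters and travels in cleartext. Treat it as a guard against accidentally merging two clusters, not as an access control, and keep VRRP (IP protocol 112) confined to the management bridge with firewall rules.</p>
<p>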
The keepalived service should come up successfully after NetworkManager signals that all of the network devices are online.</p> <p>Learn more by reading the upstream <a href="">NetworkTarget</a> documentation.</p> Changes in RHEL 7 Security Technical Implementation Guide Version 1, Release 3 Thu, 02 Nov 2017 15:00:25 UTC Major Hayden <p><a href="../wp-content/uploads/2017/06/2.jpg"><img src="../wp-content/uploads/2017/06/2-300x91.jpg" alt="ansible-hardening logo" width="300" height="91" class="alignright size-medium wp-image-6744" srcset="../wp-content/uploads/2017/06/2-300x91.jpg 300w, ../wp-content/uploads/2017/06/2-768x233.jpg 768w, ../wp-content/uploads/2017/06/2-1024x311.jpg 1024w" sizes="(max-width: 300px) 100vw, 300px" /></a>The latest release of the Red Hat Enterprise Linux Security Technical Implementation Guide (STIG) <a href="">was published last week</a>. This release is Version 1, Release 3, and it contains four main changes:</p> <ul> <li>V-77819 - Multifactor authentication is required for graphical logins</li> <li>V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled</li> <li>V-77823 - Single user mode must require user authentication</li> <li>V-77825 - Address space layout randomization (ASLR) must be enabled</li> </ul> <h2 id="deep-dive">Deep dive</h2> <p>Let&rsquo;s break down this list to understand what each one means.</p> <h3 id="v-77819-multifactor-authentication-is-required-for-graphical-logins">V-77819 - Multifactor authentication is required for graphical logins</h3> <p>This requirement improves security for graphical logins and extends the existing requirements for multifactor authentication for logins (see V-71965, V-72417, and V-72427). 
The STIG recommends smartcards (since the US Government often uses <a href="">CAC cards</a> for multifactor authentication), and this is a good idea for high security systems.</p> <p>I use <a href="">YubiKey 4s</a> as smartcards in most situations and they work anywhere you have available USB slots.</p> <h3 id="v-77821-datagram-congestion-control-protocol-dccp-kernel-module-must-be-disabled">V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled</h3> <p><a href="">DCCP</a> is a message-oriented transport protocol with built-in congestion control, designed as an alternative to UDP for streaming and similar traffic, but it sees very little use in modern networks. There have been <a href="">vulnerabilities</a> in the kernel&rsquo;s DCCP implementation that are fully mitigated by keeping the module from loading, so it&rsquo;s a good idea to disable it unless you have a strong reason for keeping it enabled. This matters even on hosts that never configure DCCP: the kernel loads protocol modules on demand, so an unprivileged process that opens a DCCP socket is enough to pull the module in.</p> <p>The ansible-hardening role has been updated to <a href="">disable the DCCP kernel module by default</a>.</p> <h3 id="v-77823-single-user-mode-must-require-user-authentication">V-77823 - Single user mode must require user authentication</h3> <p>Single user mode is often used in emergency situations where the server cannot boot properly or an issue must be repaired without a fully booted server. This mode can only be used at the server&rsquo;s physical console, serial port, or via out-of-band management (DRAC, iLO, and IPMI). Allowing single-user mode access without authentication is a serious security risk: anyone who can reach the console or the management interface gets a root shell by interrupting the boot.</p> <p>Fortunately, every distribution supported by the ansible-hardening role already has authentication requirements for single user mode in place. 
The ansible-hardening role does not make any adjustments to the single user mode unit file since any untested adjustment could cause a system to have problems booting.</p> <h3 id="v-77825-address-space-layout-randomization-aslr-must-be-enabled">V-77825 - Address space layout randomization (ASLR) must be enabled</h3> <p><a href="">ASLR</a> randomizes where the pieces of a process (its stack, heap, memory-mapped libraries and, for position-independent executables, the program itself) land in memory on each run, so an exploit cannot rely on hard-coded addresses and must first leak one. It&rsquo;s not perfect (a single information leak defeats it, and a binary not built as PIE still loads at a fixed address), but it certainly raises the difficulty for an attacker. The <code>kernel.randomize_va_space</code> sysctl has three settings and the <a href="">kernel documentation for sysctl</a> has some brief explanations for each (search for <code>randomize_va_space</code> on the page).</p> <p>Every distribution supported by the ansible-hardening role already sets <code>kernel.randomize_va_space=2</code> by default. A value of 1 randomizes the stack, the VDSO page and the mmap base (which is where shared libraries land); 2 additionally randomizes the heap (<code>brk</code>) base. The ansible-hardening role will ensure that the default setting is maintained.</p> <h2 id="ansible-hardening-is-already-up-to-date">ansible-hardening is already up to date</h2> <p>If you&rsquo;re already using the ansible-hardening role&rsquo;s master branch, these changes are <a href="">already in place</a>! 
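</p>
<p>For anyone who wants to audit the two items above that a configuration tool can act on, V-77821 and V-77825, without pulling in the whole role, the script below is an added example. It is not code from the STIG or from ansible-hardening. It follows the STIG's own check for V-77821, which looks for an <code>install dccp /bin/true</code> line under <code>/etc/modprobe.d</code>; a plain <code>blacklist dccp</code> line is weaker, because blacklisting only ignores the module's aliases and an explicit <code>modprobe dccp</code> still loads it. The optional root-prefix argument, the file names <code>dccp.conf</code> and <code>99-aslr.conf</code>, and the function names are choices made for this example.</p>

```bash
#!/bin/sh
# Added example: audit and remediate V-77821 (DCCP module disabled) and
# V-77825 (ASLR enabled) from RHEL 7 STIG V1R3. ROOT (optional) prefixes
# every path so the checks can run against a scratch tree.

# V-77821. The STIG check looks for `install dccp /bin/true` under
# /etc/modprobe.d. `blacklist dccp` is weaker: it only ignores the
# module's aliases, and an explicit `modprobe dccp` still loads it.
dccp_disabled() {                    # $1 = root prefix
    grep -Eqs '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+/bin/(true|false)' \
        "${1:-}/etc/modprobe.d"/*.conf
}

disable_dccp() {                     # $1 = root prefix
    mkdir -p "${1:-}/etc/modprobe.d" || return 1
    printf 'install dccp /bin/true\n' > "${1:-}/etc/modprobe.d/dccp.conf"
}

# V-77825. Runtime value 2 = stack, VDSO, mmap base and heap randomised.
aslr_runtime_ok() {                  # $1 = root prefix
    [ "$(cat "${1:-}/proc/sys/kernel/randomize_va_space" 2>/dev/null)" = 2 ]
}

# The runtime value alone does not survive a reboot; it must also be in
# sysctl.conf or sysctl.d. This check does not resolve precedence: a later
# file setting another value would still win at boot.
aslr_persisted() {                   # $1 = root prefix
    grep -Eqs '^[[:space:]]*kernel\.randomize_va_space[[:space:]]*=[[:space:]]*2[[:space:]]*$' \
        "${1:-}/etc/sysctl.conf" "${1:-}/etc/sysctl.d"/*.conf
}

persist_aslr() {                     # $1 = root prefix
    mkdir -p "${1:-}/etc/sysctl.d" || return 1
    printf 'kernel.randomize_va_space = 2\n' > "${1:-}/etc/sysctl.d/99-aslr.conf"
    # On a live host also apply it now: sysctl -w kernel.randomize_va_space=2
}

# One line per finding; exit 0 only when everything passes.
stig_v1r3_check() {                  # $1 = root prefix
    rc=0
    if dccp_disabled "${1:-}";   then echo "V-77821 pass"; else echo "V-77821 FAIL"; rc=1; fi
    if aslr_runtime_ok "${1:-}"; then echo "V-77825 runtime pass"; else echo "V-77825 runtime FAIL"; rc=1; fi
    if aslr_persisted "${1:-}";  then echo "V-77825 persisted pass"; else echo "V-77825 persisted FAIL"; rc=1; fi
    return $rc
}

if [ "${1:-}" = check ]; then
    stig_v1r3_check "${2:-}"
fi
```

<p>Run <code>stig_v1r3_check</code> with no argument on a live host to audit it, and <code>disable_dccp</code> plus <code>persist_aslr</code> (followed by <code>sysctl -w kernel.randomize_va_space=2</code>) to remediate. If the DCCP module is already loaded, the modprobe.d line only prevents future loads; <code>rmmod dccp</code> or a reboot is needed to unload it.</p>
<p>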
Try out the new updates and <a href="">open a bug report</a> if you find any problems.</p> Import RPM repository GPG keys from other keyservers temporarily Wed, 20 Sep 2017 15:24:13 UTC Major Hayden <p><a href="../wp-content/uploads/2017/09/Close-up_of_keys-e1505920978611.jpg"><img src="../wp-content/uploads/2017/09/Close-up_of_keys-e1505920978611.jpg" alt="Keys, but not gpg keys" width="1024" height="399" class="aligncenter size-full wp-image-6815" srcset="../wp-content/uploads/2017/09/Close-up_of_keys-e1505920978611.jpg 1024w, ../wp-content/uploads/2017/09/Close-up_of_keys-e1505920978611-300x117.jpg 300w, ../wp-content/uploads/2017/09/Close-up_of_keys-e1505920978611-768x299.jpg 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></a>I&rsquo;ve been working through some patches to <a href="">OpenStack-Ansible</a> lately to optimize how we configure yum repositories in our deployments. During that work, I ran into some issues where the keyserver was returning HTTP 500-series errors for some requests to retrieve GPG keys.</p> <p>Ansible was returning this error:</p> <div class="highlight"><pre class="chroma">curl: (22) The requested URL returned error: 502 Proxy Error
error:;search=0x61E8806C: import read failed(2)</pre></div> <p>How does the <code>rpm</code> command know which keyserver to use? Let&rsquo;s use the <code>--showrc</code> argument to show how it is configured:</p> <div class="highlight"><pre class="chroma">$ rpm --showrc | grep hkp
-14: _hkp_keyserver
-14: _hkp_keyserver_query	%{_hkp_keyserver}:11371/pks/lookup?op=get&amp;search=0x</pre></div> <p>How do we change this value temporarily to test a GPG key retrieval from a different server? 
There&rsquo;s an argument for that as well: <code>--define</code>:</p> <div class="highlight"><pre class="chroma">$ rpm --help | grep define -D, --define=&#39;MACRO EXPR&#39; define MACRO with value EXPR</pre></div> <p>We can assemble that on the command line to set a different keyserver temporarily:</p> <div class="highlight"><pre class="chroma"># rpm -vv --define=&#34;%_hkp_keyserver; --import 0x61E8806C -- SNIP -- D: adding &#34;63deac79abe7ad80e147d671c2ac5bd1c8b3576e&#34; to Sha1header index. -- SNIP --</pre></div> <p>Let&rsquo;s verify that our new key is in place:</p> <div class="highlight"><pre class="chroma"># rpm -qa | grep -i gpg-pubkey-61E8806C gpg-pubkey-61e8806c-5581df56 # rpm -qi gpg-pubkey-61e8806c-5581df56 Name : gpg-pubkey Version : 61e8806c Release : 5581df56 Architecture: (none) Install Date: Wed 20 Sep 2017 10:17:11 AM CDT Group : Public Keys Size : 0 License : pubkey Signature : (none) Source RPM : (none) Build Date : Wed 17 Jun 2015 03:57:58 PM CDT Build Host : localhost Relocations : (not relocatable) Packager : CentOS Virtualization SIG ( &lt;; Summary : gpg(CentOS Virtualization SIG ( &lt;;) Description : -----BEGIN PGP PUBLIC KEY BLOCK----- Version: rpm-4.11.3 (NSS-3) mQENBFWB31YBCAC4dFmTzBDOcq4R1RbvQXLkyYfF+yXcsMA5kwZy7kjxnFqBoNPv aAjFm3e5huTw2BMZW0viLGJrHZGnsXsE5iNmzom2UgCtrvcG2f65OFGlC1HZ3ajA 8ZIfdgNQkPpor61xqBCLzIsp55A7YuPNDvatk/+MqGdNv8Ug7iVmhQvI0p1bbaZR 0GuavmC5EZ/+mDlZ2kHIQOUoInHqLJaX7iw46iLRUnvJ1vATOzTnKidoFapjhzIt i4ZSIRaalyJ4sT+oX4CoRzerNnUtIe2k9Hw6cEu4YKGCO7nnuXjMKz7Nz5GgP2Ou zIA/fcOmQkSGcn7FoXybWJ8DqBExvkJuDljPABEBAAG0bENlbnRPUyBWaXJ0dWFs aXphdGlvbiBTSUcgKGh0dHA6Ly93aWtpLmNlbnRvcy5vcmcvU3BlY2lhbEludGVy ZXN0R3JvdXAvVmlydHVhbGl6YXRpb24pIDxzZWN1cml0eUBjZW50b3Mub3JnPokB OQQTAQIAIwUCVYHfVgIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEHrr voJh6IBsRd0H/A62i5CqfftuySOCE95xMxZRw8+voWO84QS9zYvDEnzcEQpNnHyo FNZTpKOghIDtETWxzpY2ThLixcZOTubT+6hUL1n+cuLDVMu4OVXBPoUkRy56defc qkWR+UVwQitmlq1ngzwmqVZaB8Hf/mFZiB3B3Jr4dvVgWXRv58jcXFOPb8DdUoAc 
S3u/FLvri92lCaXu08p8YSpFOfT5T55kFICeneqETNYS2E3iKLipHFOLh7EWGM5b Wsr7o0r+KltI4Ehy/TjvNX16fa/t9p5pUs8rKyG8SZndxJCsk0MW55G9HFvQ0FmP A6vX9WQmbP+ml7jsUxtEJ6MOGJ39jmaUvPc= =ZzP+ -----END PGP PUBLIC KEY BLOCK-----</pre></div> <p>Success!</p> <p>One caveat: <code>0x61E8806C</code> is a 32-bit key ID, and 32-bit IDs can be deliberately collided on public keyservers, so a successful import only proves that you fetched <em>a</em> key with that ID. Before trusting packages signed with it, compare the full fingerprint of the imported key (feed the armored block from <code>rpm -qi</code> to <code>gpg --with-fingerprint</code>) against the fingerprint published by the CentOS Virtualization SIG.</p> <p>If you want to override the value permanently, create a <code>~/.rpmmacros</code> file and add the following line to it:</p> <div class="highlight"><pre class="chroma">%_hkp_keyserver</pre></div> <p><em>Photo credit: <a href="">Wikipedia</a></em></p> Thunderbird changes fonts in some messages, not all Wed, 02 Aug 2017 12:54:38 UTC Major Hayden <p><a href="">Thunderbird</a> is a great choice for a mail client on Linux systems if you prefer a GUI, but I had some problems with fonts in the most recent releases. The monospace font used for plain text messages was difficult to read.</p> <p>I opened <strong>Edit &gt; Preferences &gt; Display</strong> and clicked <strong>Advanced</strong> to the right of <strong>Fonts &amp; Colors</strong>. The default font for monospace text was &ldquo;Monospace&rdquo;, and that one isn&rsquo;t terribly attractive. I chose &ldquo;DejaVu Sans Mono&rdquo; instead, and closed the dialog boxes.</p> <p>The fonts in monospace messages didn&rsquo;t change. I quit Thunderbird, opened it again, and still didn&rsquo;t see a change. 
The strange part is that a small portion of my monospaced messages were opening with the updated font while the majority were not.</p> <p>I went back into Thunderbird&rsquo;s preferences and took another look:</p> <p><a href="../wp-content/uploads/2017/08/Screenshot-from-2017-08-02-07-48-18.png"><img src="../wp-content/uploads/2017/08/Screenshot-from-2017-08-02-07-48-18.png" alt="thunderbird fonts and colors panel" width="457" height="583" class="aligncenter size-full wp-image-6803" srcset="../wp-content/uploads/2017/08/Screenshot-from-2017-08-02-07-48-18.png 457w, ../wp-content/uploads/2017/08/Screenshot-from-2017-08-02-07-48-18-235x300.png 235w" sizes="(max-width: 457px) 100vw, 457px" /></a></p> <p>Everything was set as I expected. I started with some Google searches and stumbled upon a Mozilla Bug: <a href="">Changing monospace font doesn&rsquo;t affect all messages</a>. One of the participants in the bug mentioned that any emails received without ISO-8859-1 encoding would be unaffected since Thunderbird allows you to set fonts for each encoding.</p> <p>I clicked the dropdown where &ldquo;Latin&rdquo; was selected and I selected &ldquo;Other Writing Systems&rdquo;. After changing the monospace font there, the changes went into effect for all of my monospaced messages!</p> Troubleshooting CyberPower PowerPanel issues in Linux Tue, 25 Jul 2017 18:16:11 UTC Major Hayden <p><img src="../wp-content/uploads/2017/07/1024px-Sierra_Blanca_and_electricity_pole-e1501006440664.jpg" alt="1" /></p> <p>I have a <a href="">CyberPower BRG1350AVRLCD</a> at home and I&rsquo;ve just connected it to a new device. However, the <code>pwrstat</code> command doesn&rsquo;t retrieve any useful data on the new system:</p> <div class="highlight"><pre class="chroma"># pwrstat -status
The UPS information shows as following:

	Current UPS status:
		State........................ Normal
		Power Supply by.............. Utility Power
		Last Power Event............. None</pre></div> <p>I disconnected the USB cable and ran <code>pwrstat</code> again. <strong>Same output.</strong> I disconnected power from the UPS itself and ran <code>pwrstat</code> again. <strong>Same output.</strong> This can&rsquo;t be right.</p> <h2 id="checking-the-basics">Checking the basics</h2> <p>A quick look at <code>dmesg</code> output shows that the UPS is connected and the kernel recognizes it:</p> <div class="highlight"><pre class="chroma">[   65.661489] usb 3-1: new full-speed USB device number 7 using xhci_hcd
[   65.830769] usb 3-1: New USB device found, idVendor=0764, idProduct=0501
[   65.830771] usb 3-1: New USB device strings: Mfr=3, Product=1, SerialNumber=2
[   65.830772] usb 3-1: Product: BRG1350AVRLCD
[   65.830773] usb 3-1: Manufacturer: CPS
[   65.830773] usb 3-1: SerialNumber: xxxxxxxxx
[   65.837801] hid-generic 0003:0764:0501.0004: hiddev0,hidraw0: USB HID v1.10 Device [CPS BRG1350AVRLCD] on usb-0000:00:14.0-1/input0</pre></div> <p>I checked the <code>/var/log/pwrstatd.log</code> file to see if there were any errors:</p> <div class="highlight"><pre class="chroma">2017/07/25 12:01:17 PM  Daemon startups.
2017/07/25 12:01:24 PM  Communication is established.
2017/07/25 12:01:27 PM  Low Battery capacity is restored.
2017/07/25 12:05:19 PM  Daemon stops its service.
2017/07/25 12:05:19 PM  Daemon startups.
2017/07/25 12:05:19 PM  Communication is established.
2017/07/25 12:05:22 PM  Low Battery capacity is restored.
2017/07/25 12:06:27 PM  Daemon stops its service.</pre></div> <p>The <code>pwrstatd</code> daemon claims it can see a device and communicate with it, which makes the empty status output even stranger.</p> <h2 id="digging-into-the-daemon">Digging into the daemon</h2> <p>If the daemon can truly see the UPS, then what is it talking to? 
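</p> <p>This is exactly the condition worth alerting on: <code>pwrstatd</code> reports a <code>Normal</code> state but none of the fields that only come from a real conversation with the UPS (model, voltages, battery capacity). The script below is an added example, not part of CyberPower&rsquo;s PowerPanel tools, that parses <code>pwrstat -status</code> output and fails with a Nagios-style exit code when those fields are missing. The two embedded reports are constructed from the outputs shown in this post, and the 50% battery threshold and the function names are arbitrary choices of mine.</p>

```shell
#!/usr/bin/env bash
# Added example, not part of CyberPower PowerPanel: a health check for the
# failure mode above, where pwrstatd prints a "Normal" status while bound to
# the wrong device node. A genuine UPS conversation produces a Properties
# block and voltage/battery figures; the impostor output has neither.
# Exit codes follow the Nagios convention: 0 OK, 1 WARNING, 2 CRITICAL.

# Extract one field from a pwrstat -status report read on stdin. Lines look
# like "Utility Voltage.............. 121 V": the key, a run of dots, the value.
pwrstat_field() {
    sed -n "s/^[[:space:]]*$1\.\.*[[:space:]]*\(.*\)$/\1/p" | sed 's/[[:space:]]*$//' | head -n 1
}

# Evaluate a whole report read on stdin. LOW_BATTERY_PCT is an arbitrary
# threshold chosen for this example.
LOW_BATTERY_PCT=50
ups_health() {
    local report state model voltage battery
    report=$(cat)
    model=$(printf '%s\n' "$report" | pwrstat_field 'Model Name')
    voltage=$(printf '%s\n' "$report" | pwrstat_field 'Utility Voltage')
    battery=$(printf '%s\n' "$report" | pwrstat_field 'Battery Capacity')
    state=$(printf '%s\n' "$report" | pwrstat_field 'State')

    # The symptom from this post: a status block is present, but everything
    # that only a real UPS reports is missing.
    if [ -z "$model" ] || [ -z "$voltage" ] || [ -z "$battery" ]; then
        echo "CRITICAL: pwrstatd is not talking to a UPS (no model/voltage/battery); check allowed-device-nodes in /etc/pwrstatd.conf"
        return 2
    fi
    [ "$state" = "Normal" ] || { echo "WARNING: UPS $model state is '$state'"; return 1; }

    battery=${battery%% *}            # "100 %" -> "100"
    case "$battery" in
        ''|*[!0-9]*) echo "WARNING: UPS $model reports unparseable battery capacity"; return 1 ;;
    esac
    if [ "$battery" -lt "$LOW_BATTERY_PCT" ]; then
        echo "WARNING: UPS $model battery at ${battery}%"; return 1
    fi
    echo "OK: UPS $model, utility $voltage, battery ${battery}%"
    return 0
}

# Constructed samples modelled on the two pwrstat outputs in this post.
SAMPLE_BROKEN='The UPS information shows as following:

	Current UPS status:
		State........................ Normal
		Power Supply by.............. Utility Power
		Last Power Event............. None'

SAMPLE_OK='The UPS information shows as following:

	Properties:
		Model Name................... BRG1350AVRLCD
		Firmware Number..............
		Rating Voltage............... 120 V
		Rating Power................. 810 Watt(1350 VA)

	Current UPS status:
		State........................ Normal
		Power Supply by.............. Utility Power
		Utility Voltage.............. 121 V
		Output Voltage............... 121 V
		Battery Capacity............. 100 %
		Remaining Runtime............ 133 min.
		Load......................... 72 Watt(9 %)
		Line Interaction............. None
		Test Result.................. Unknown
		Last Power Event............. None'

# Usage: ./ups-health.sh --live   (runs the real pwrstat; needs PowerPanel installed)
if [ "${1:-}" = "--live" ]; then
    pwrstat -status | ups_health
    exit $?
fi
# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_BROKEN" | ups_health || true
printf '%s\n' "$SAMPLE_OK" | ups_health || true
```

<p>Run with <code>--live</code> from cron or a monitoring agent; the CRITICAL branch is the one that would have fired on the output above long before anyone noticed the UPS was silent.</p> <p>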
I used <code>lsof</code> to examine what the <code>pwrstatd</code> daemon is doing:</p> <div class="highlight"><pre class="chroma"># lsof -p 3975 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME pwrstatd 3975 root cwd DIR 8,68 224 96 / pwrstatd 3975 root rtd DIR 8,68 224 96 / pwrstatd 3975 root txt REG 8,68 224175 134439879 /usr/sbin/pwrstatd pwrstatd 3975 root mem REG 8,68 2163104 134218946 /usr/lib64/ pwrstatd 3975 root mem REG 8,68 1226368 134218952 /usr/lib64/ pwrstatd 3975 root mem REG 8,68 19496 134218950 /usr/lib64/ pwrstatd 3975 root mem REG 8,68 187552 134218939 /usr/lib64/ pwrstatd 3975 root 0r CHR 1,3 0t0 1028 /dev/null pwrstatd 3975 root 1u unix 0xffff9e395e137400 0t0 37320 type=STREAM pwrstatd 3975 root 2u unix 0xffff9e395e137400 0t0 37320 type=STREAM pwrstatd 3975 root 3u unix 0xffff9e392f0c0c00 0t0 39485 /var/pwrstatd.ipc type=STREAM pwrstatd 3975 root 4u CHR 180,96 0t0 50282 /dev/ttyS1</pre></div> <p><strong>Wait a minute.</strong> The last line of the <code>lsof</code> output shows that <code>pwrstatd</code> is talking to <code>/dev/ttyS1</code>, but the device is supposed to be a <code>hiddev</code> device over USB. If you remember, we had this line in <code>dmesg</code> when the UPS was plugged in:</p> <div class="highlight"><pre class="chroma">hid-generic 0003:0764:0501.0004: hiddev0,hidraw0: USB HID v1.10 Device [CPS BRG1350AVRLCD] on usb-0000:00:14.0-1/input0</pre></div> <p>Things are beginning to make more sense now. I have a USB-to-serial device that allows my server to talk to the console port on my Cisco switch:</p> <div class="highlight"><pre class="chroma">[ 80.389533] usb 3-1: new full-speed USB device number 9 using xhci_hcd [ 80.558025] usb 3-1: New USB device found, idVendor=067b, idProduct=2303 [ 80.558027] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [ 80.558028] usb 3-1: Product: USB-Serial Controller D [ 80.558029] usb 3-1: Manufacturer: Prolific Technology Inc. 
[ 80.558308] pl2303 3-1:1.0: pl2303 converter detected [ 80.559937] usb 3-1: pl2303 converter now attached to ttyUSB0</pre></div> <p>It appears that <code>pwrstatd</code> is trying to talk to my Cisco switch (through the USB-to-serial adapter) rather than my UPS! I&rsquo;m sure they could have a great conversation together, but it&rsquo;s hardly productive.</p> <h2 id="fixing-it">Fixing it</h2> <p>The <code>/etc/pwrstatd.conf</code> has a relevant section:</p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="c1"># The pwrstatd accepts four types of device node which includes the &#39;ttyS&#39;,</span> <span class="c1"># &#39;ttyUSB&#39;, &#39;hiddev&#39;, and &#39;libusb&#39; for communication with UPS. The pwrstatd</span> <span class="c1"># defaults to enumerate all acceptable device nodes and pick up to use an</span> <span class="c1"># available device node automatically. But this may cause a disturbance to the</span> <span class="c1"># device node which is occupied by other software. Therefore, you can restrict</span> <span class="c1"># this enumerate behave by using allowed-device-nodes option. You can assign</span> <span class="c1"># the single device node path or multiple device node paths divided by a</span> <span class="c1"># semicolon at this option. 
All groups of &#39;ttyS&#39;, &#39;ttyUSB&#39;, &#39;hiddev&#39;, or</span> <span class="c1"># &#39;libusb&#39; device node are enumerated without a suffix number assignment.</span> <span class="c1"># Note, the &#39;libusb&#39; does not support suffix number only.</span> <span class="c1">#</span> <span class="c1"># For example: restrict to use ttyS1, ttyS2 and hiddev1 device nodes at /dev</span> <span class="c1"># path only.</span> <span class="c1"># allowed-device-nodes = /dev/ttyS1;/dev/ttyS2;/dev/hiddev1</span> <span class="c1">#</span> <span class="c1"># For example: restrict to use ttyS and ttyUSB two groups of device node at</span> <span class="c1"># /dev,/dev/usb, and /dev/usb/hid paths(includes ttyS0 to ttySN and ttyUSB0 to</span> <span class="c1"># ttyUSBN, N is number).</span> <span class="c1"># allowed-device-nodes = ttyS;ttyUSB</span> <span class="c1">#</span> <span class="c1"># For example: restrict to use hiddev group of device node at /dev,/dev/usb,</span> <span class="c1"># and /dev/usb/hid paths(includes hiddev0 to hiddevN, N is number).</span> <span class="c1"># allowed-device-nodes = hiddev</span> <span class="c1">#</span> <span class="c1"># For example: restrict to use libusb device.</span> <span class="c1"># allowed-device-nodes = libusb</span> <span class="na">allowed-device-nodes</span> <span class="o">=</span></code></pre></div> <p>We need to explicitly tell <code>pwrstatd</code> to talk to the UPS on <code>/dev/usb/hiddev0</code>, the node the kernel created for it:</p> <div class="highlight"><pre class="chroma">allowed-device-nodes = /dev/usb/hiddev0</pre></div> <p>Pinning the exact node means the daemon will stop working if the UPS ever enumerates as <code>hiddev1</code> (for example after another HID device is plugged in first). If the UPS is the only <code>hiddev</code> device on the system, the <code>allowed-device-nodes = hiddev</code> group form from the comments above avoids that while still keeping <code>pwrstatd</code> away from the serial ports.</p> <p>Let&rsquo;s restart the <code>pwrstatd</code> daemon and see what we get:</p> <div class="highlight"><pre class="chroma"># systemctl restart pwrstatd
# pwrstat -status
The UPS information shows as following:

	Properties:
		Model Name................... BRG1350AVRLCD
		Firmware Number..............
		Rating Voltage............... 120 V
		Rating Power................. 810 Watt(1350 VA)

	Current UPS status:
		State........................ Normal
		Power Supply by.............. Utility Power
		Utility Voltage.............. 121 V
		Output Voltage............... 121 V
		Battery Capacity............. 100 %
		Remaining Runtime............ 133 min.
		Load......................... 72 Watt(9 %)
		Line Interaction............. None
		Test Result.................. Unknown
		Last Power Event............. None</pre></div> <p>Success!</p> <p><em>Photo credit: <a href="">Wikipedia</a></em></p> Apply the STIG to even more operating systems with ansible-hardening Fri, 21 Jul 2017 17:38:46 UTC Major Hayden <p><img src="../wp-content/uploads/2017/07/1024px-Samuils_Fortress_and_Ohrid_Lake.jpg" alt="1" /></p> <p>Tons of improvements made their way into the <a href="">ansible-hardening</a> role in preparation for the OpenStack Pike release <a href="">next month</a>. The role has a <a href="../2017/06/27/old-role-new-name-ansible-hardening/">new name</a>, new <a href="">documentation</a> and extra tests.</p> <p>The role uses the Security Technical Implementation Guide (STIG) produced by the Defense Information Systems Agency (DISA) and applies the guidelines to Linux hosts using Ansible. Every control is configurable via simple Ansible variables and each control is thoroughly documented.</p> <p>These controls are now applied to an even wider variety of Linux distributions:</p> <ul> <li>CentOS 7</li> <li>Debian 8 Jessie <em>(new for Pike)</em></li> <li>Fedora 25 <em>(new for Pike)</em></li> <li>openSUSE Leap 42.2+ <em>(new for Pike)</em></li> <li>Red Hat Enterprise Linux 7</li> <li>SUSE Linux Enterprise 12 <em>(new for Pike)</em></li> <li>Ubuntu 14.04 Trusty</li> <li>Ubuntu 16.04 Xenial</li> </ul> <p>Any patches to the ansible-hardening role are tested against all of these operating systems (except RHEL 7 and SUSE Linux Enterprise). 
Support for openSUSE testing <a href="">landed this week</a>.</p> <p><strong>Work is underway to put the finishing touches on the master branch before the Pike release and we need your help!</strong></p> <p>If you have any of these operating systems deployed, please test the role on your systems! This is pre-release software, so it&rsquo;s best to apply it only to a new server. Read the <a href="">&ldquo;Getting Started&rdquo;</a> documentation to get started with <code>ansible-galaxy</code> or <code>git</code>.</p> <p><em>Photo credit: <a href="">Wikipedia</a></em></p> Customize LDAP autocompletion format in Thunderbird Tue, 18 Jul 2017 18:08:42 UTC Major Hayden <p><img src="../wp-content/uploads/2017/07/1280px-Mailbox_USA-e1500401199427.jpg" alt="1" /></p> <p>Thunderbird can connect to an LDAP server and autocomplete email addresses as you type, but it needs some adjustment for some LDAP servers. One of the LDAP servers that I use regularly returns email addresses like this in the Thunderbird interface:</p> <div class="highlight"><pre class="chroma">username &lt;firstname.lastname@domain.tld&gt;</pre></div> <p>The email address looks fine, but I&rsquo;d much rather have the person&rsquo;s full name instead of the username. Here&rsquo;s what I&rsquo;m looking for:</p> <div class="highlight"><pre class="chroma">Firstname Lastname &lt;firstname.lastname@domain.tld&gt;</pre></div> <p>In older Thunderbird versions, setting <code>ldap_2.servers.SERVER_NAME.autoComplete.nameFormat</code> to <code>displayName</code> was enough. 
However, this option isn&rsquo;t used in recent versions of Thunderbird.</p> <h2 id="digging-in">Digging in</h2> <p>After a fair amount of searching the Thunderbird source code with <code>awk</code>, I found a mention of <code>DisplayName</code> in <code>nsAbLDAPAutoCompleteSearch.js</code> that looked promising:</p> <div class="highlight"><pre class="chroma"><code class="language-javascript" data-lang="javascript"><span class="c1">// Create a minimal map just for the display name and primary email. </span><span class="c1"></span> <span class="k">this</span><span class="p">.</span><span class="nx">_attributes</span> <span class="o">=</span> <span class="nx">Components</span><span class="p">.</span><span class="nx">classes</span><span class="p">[</span><span class="s2">&#34;;1&#34;</span><span class="p">]</span> <span class="p">.</span><span class="nx">createInstance</span><span class="p">(</span><span class="nx">Components</span><span class="p">.</span><span class="nx">interfaces</span><span class="p">.</span><span class="nx">nsIAbLDAPAttributeMap</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">_attributes</span><span class="p">.</span><span class="nx">setAttributeList</span><span class="p">(</span><span class="s2">&#34;DisplayName&#34;</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">_book</span><span class="p">.</span><span class="nx">attributeMap</span><span class="p">.</span><span class="nx">getAttributeList</span><span class="p">(</span><span class="s2">&#34;DisplayName&#34;</span><span class="p">,</span> <span class="p">{}),</span> <span class="kc">true</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">_attributes</span><span class="p">.</span><span class="nx">setAttributeList</span><span class="p">(</span><span class="s2">&#34;PrimaryEmail&#34;</span><span class="p">,</span> <span class="k">this</span><span 
class="p">.</span><span class="nx">_book</span><span class="p">.</span><span class="nx">attributeMap</span><span class="p">.</span><span class="nx">getAttributeList</span><span class="p">(</span><span class="s2">&#34;PrimaryEmail&#34;</span><span class="p">,</span> <span class="p">{}),</span> <span class="kc">true</span><span class="p">);</span> <span class="p">}</span> </code></pre></div> <p>Something is unusual here. The LDAP field is called <code>displayName</code>, but this attribute is called <code>DisplayName</code> (note the capitalization of the <em>D</em>). Just before that line, I see a lookup in an attributes map of some sort. There may be a configuration option that is called <code>DisplayName</code>.</p> <p>In Thunderbird, I selected <strong>Edit &gt; Preferences</strong>. I clicked the <strong>Advanced</strong> tab and then <strong>Config Editor</strong>. A quick search for <em>DisplayName</em> revealed an interesting configuration option:</p> <div class="highlight"><pre class="chroma">ldap_2.servers.default.attrmap.DisplayName: cn,commonname</pre></div> <h2 id="fixing-it">Fixing it</h2> <p>That&rsquo;s the problem! This needs to map to <code>displayName</code> in my case, and not <code>cn,commonname</code> (which returns a user&rsquo;s username). There are two different ways to fix this:</p> <div class="highlight"><pre class="chroma"># Change it for just one LDAP server ldap_2.servers.SERVER_NAME.attrmap.DisplayName: displayName # Change it for all LDAP servers by default (careful) ldap_2.servers.default.attrmap.DisplayName: displayName</pre></div> <p>After making the change, quit Thunderbird and relaunch it. Compose a new email and start typing in the email address field. 
The user&rsquo;s first and last name should appear!</p> Old role, new name: ansible-hardening Tue, 27 Jun 2017 20:49:44 UTC Major Hayden <p><img src="../wp-content/uploads/2017/06/2.jpg" alt="2" /></p> <p>The interest in the <a href="">openstack-ansible-security</a> role has taken off faster than I expected, and one piece of constant feedback I received was around the name of the role. Some users were unsure if they needed to use the role in an OpenStack cloud or if the OpenStack-Ansible project was required.</p> <p>The role works everywhere - OpenStack cloud or not. I started a <a href="">mailing list thread</a> on the topic and we eventually settled on a new name: <a href="">ansible-hardening</a>! The updated documentation is <a href="">already available</a>.</p> <p>The old openstack-ansible-security role is being retired and it will not receive any additional updates. Moving to the new role is easy:</p> <ol> <li>Install <em>ansible-hardening</em> with <code>ansible-galaxy</code> (or <code>git clone</code>)</li> <li>Change your playbooks to use the ansible-hardening role</li> </ol> <p>There&rsquo;s no need to change any variable names or tags - they are all kept the same in the new role.</p> <p>As always, if you have questions or comments about the role, drop by <code>#openstack-ansible</code> on Freenode IRC or <a href="">open a bug in Launchpad</a>.</p> Enable AppArmor on a Debian Jessie cloud image Wed, 24 May 2017 16:14:03 UTC Major Hayden <p><img src="../wp-content/uploads/2017/05/" alt="1" /></p> <p>I merged some <a href="">initial Debian support</a> into the openstack-ansible-security role and ran into an issue enabling AppArmor. The <code>apparmor</code> service failed to start and I found this output in the system journal:</p> <div class="highlight"><pre class="chroma">kernel: AppArmor: AppArmor disabled by boot time parameter</pre></div> <h2 id="digging-in">Digging in</h2> <p>That was unexpected. 
I was using the <a href="">Debian jessie cloud image</a> and it uses extlinux as the bootloader. The extlinux configuration didn&rsquo;t reference AppArmor at all:</p> <div class="highlight"><pre class="chroma"># cat /boot/extlinux/extlinux.conf
default linux
timeout 1
label linux
	kernel boot/vmlinuz-3.16.0-4-amd64
	append initrd=boot/initrd.img-3.16.0-4-amd64 root=/dev/vda1 console=tty0 console=ttyS0,115200 ro quiet</pre></div> <p>I <a href="">learned</a> that AppArmor is <strong>disabled by default</strong> in Debian unless you <strong>explicitly enable it</strong> with the <code>apparmor=1 security=apparmor</code> kernel parameters. In contrast, SELinux on Fedora and Red Hat-based distributions is enabled unless you turn it off. To make matters worse, Debian&rsquo;s cloud image doesn&rsquo;t have any facilities or scripts to automatically update the extlinux configuration file when new kernels are installed.</p> <h2 id="making-a-repeatable-fix">Making a repeatable fix</h2> <p>My two goals here were to:</p> <ol> <li>Ensure AppArmor is enabled on the next boot</li> <li>Ensure that AppArmor remains enabled when new kernels are installed</li> </ol> <p>The first step is to install grub2:</p> <div class="highlight"><pre class="chroma">apt-get -y install grub2</pre></div> <p>During the installation, a package configuration window will appear that asks about where grub should be installed. I selected <code>/dev/vda</code> from the list and waited for apt to finish the package installation.</p> <p>The next step is to edit <code>/etc/default/grub</code> and add in the AppArmor configuration. 
Adjust the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> line to look like the one below:</p> <div class="highlight"><pre class="chroma">GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2&gt; /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT=&#34;quiet apparmor=1 security=apparmor&#34;
GRUB_CMDLINE_LINUX=&#34;&#34;</pre></div> <p>Ensure that the required AppArmor packages are installed:</p> <div class="highlight"><pre class="chroma">apt-get -y install apparmor apparmor-profiles apparmor-utils</pre></div> <p>Enable the AppArmor service upon reboot:</p> <div class="highlight"><pre class="chroma">systemctl enable apparmor</pre></div> <p>Run <code>update-grub</code> and reboot. After the reboot, run <code>apparmor_status</code> and you should see lots of AppArmor profiles loaded:</p> <div class="highlight"><pre class="chroma"># apparmor_status
apparmor module is loaded.
38 profiles are loaded.
3 profiles are in enforce mode.
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
35 profiles are in complain mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/sbin/smbldap-useradd
   /usr/sbin/smbldap-useradd///etc/init.d/nscd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.</pre></div> <h2 id="final-thoughts">Final thoughts</h2> <p>I&rsquo;m still unsure about why AppArmor is disabled by default. There aren&rsquo;t that many profiles shipped by default (38 on my freshly installed jessie system versus 417 SELinux policies in Fedora 25) and many of them affect services that wouldn&rsquo;t cause significant disruptions on the system.</p> <p>There is a <a href="">discussion that ended last year</a> around how to automate the AppArmor enablement process when the AppArmor packages are installed. 
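</p> <p>In the meantime, the &ldquo;repeatable&rdquo; part of the fix above is easy to script. The following is an added example (not Debian&rsquo;s code and not part of the openstack-ansible-security role) that idempotently adds <code>apparmor=1 security=apparmor</code> to <code>GRUB_CMDLINE_LINUX_DEFAULT</code>, so it is safe to run from configuration management on every pass, plus a post-reboot check that reads <code>/proc/cmdline</code> and <code>/sys/module/apparmor/parameters/enabled</code> rather than trusting the config file. File paths are parameters so both functions can be exercised on copies; the <code>--apply</code> mode that runs <code>update-grub</code> on the real file assumes a Debian system and root, and the function names are mine.</p>

```shell
#!/usr/bin/env bash
# Added example (not Debian's or the openstack-ansible-security role's code):
# make the AppArmor enablement above repeatable. grub_ensure_apparmor adds
# "apparmor=1 security=apparmor" to GRUB_CMDLINE_LINUX_DEFAULT exactly once,
# so it can run on every configuration-management pass; apparmor_boot_status
# verifies the running kernel afterwards instead of trusting the config file.
# Paths are parameters so both can be exercised on copies of the real files.

APPARMOR_PARAMS="apparmor=1 security=apparmor"

# Print the current value of GRUB_CMDLINE_LINUX_DEFAULT (last assignment wins,
# as it does for grub-mkconfig, which sources the file).
grub_cmdline_default() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# True when both parameters are already present as whole words.
grub_cmdline_has_apparmor() {
    local v
    v=$(grub_cmdline_default "$1")
    case " $v " in *" apparmor=1 "*) ;; *) return 1 ;; esac
    case " $v " in *" security=apparmor "*) return 0 ;; *) return 1 ;; esac
}

# Idempotently add the parameters to FILE (default /etc/default/grub).
grub_ensure_apparmor() {
    local file="${1:-/etc/default/grub}" tmp
    [ -w "$file" ] || { echo "cannot write $file" >&2; return 2; }
    if grub_cmdline_has_apparmor "$file"; then
        echo "unchanged: $file already enables AppArmor"
        return 0
    fi
    if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$APPARMOR_PARAMS" >> "$file"
    else
        # Append inside the existing quotes, then drop the leading space that
        # appears when the original value was empty. Written via a temp file
        # and cat so the inode and permissions of FILE are preserved.
        tmp=$(mktemp)
        sed -e "s/^\(GRUB_CMDLINE_LINUX_DEFAULT=\"[^\"]*\)\"/\1 $APPARMOR_PARAMS\"/" \
            -e 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=\)" /\1"/' "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    fi
    echo "changed: $file now has GRUB_CMDLINE_LINUX_DEFAULT=\"$(grub_cmdline_default "$file")\""
    return 0
}

# Post-reboot check: the kernel must have been booted with security=apparmor
# and the LSM must report itself enabled (Y) in sysfs.
apparmor_boot_status() {
    local cmdline="${1:-/proc/cmdline}" enabled="${2:-/sys/module/apparmor/parameters/enabled}"
    local words flag="missing"
    [ -r "$cmdline" ] || { echo "UNKNOWN: cannot read $cmdline"; return 2; }
    read -r words < "$cmdline"
    case " $words " in
        *" security=apparmor "*) ;;
        *) echo "FAIL: kernel booted without security=apparmor: $words"; return 1 ;;
    esac
    if [ -r "$enabled" ]; then read -r flag < "$enabled"; fi
    [ "$flag" = "Y" ] || { echo "FAIL: apparmor module reports enabled=$flag"; return 1; }
    echo "PASS: AppArmor is enabled on this boot"
    return 0
}

# Usage on the real system (Debian, as root): ./apparmor-enable.sh --apply
if [ "${1:-}" = "--apply" ]; then
    grub_ensure_apparmor /etc/default/grub && update-grub
    exit $?
fi
# Stand-alone demo on a constructed copy of the jessie /etc/default/grub.
demo=$(mktemp)
printf '%s\n' 'GRUB_DEFAULT=0' 'GRUB_TIMEOUT=5' 'GRUB_CMDLINE_LINUX_DEFAULT="quiet"' 'GRUB_CMDLINE_LINUX=""' > "$demo"
grub_ensure_apparmor "$demo"   # first run changes the file
grub_ensure_apparmor "$demo"   # second run is a no-op
rm -f "$demo"
```

<p>Running <code>apparmor_boot_status</code> after the reboot (with no arguments) is the check that matters: a kernel upgrade that regenerates the bootloader configuration without these parameters is exactly the regression the grub switch above was meant to prevent, and the config file alone cannot tell you whether it happened.</p> <p>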
Automating the enablement at package-installation time would be a great first step to make the process easier, but it would probably make more sense to take the step of enabling it by default.</p> <p><em>Photo credit: <a href="">Max Pixel</a></em></p> Fixing OpenStack noVNC consoles that ignore keyboard input Thu, 18 May 2017 16:58:56 UTC Major Hayden <p><img src="../wp-content/uploads/2017/05/Televideo925Terminal-e1495126632469.jpg" alt="1" /></p> <p>I opened up a noVNC console to a virtual machine today in my OpenStack cloud but found that the console wouldn&rsquo;t take keyboard input. The <strong>Send Ctrl-Alt-Del</strong> button in the top right of the window worked just fine, but I couldn&rsquo;t type anywhere in the console. This happened on an Ocata OpenStack cloud deployed with <a href="">OpenStack-Ansible</a> on CentOS 7.</p> <h2 id="test-the-network-path">Test the network path</h2> <p>The network path to the console is a little deep for this deployment, but here&rsquo;s a quick explanation:</p> <ul> <li>My laptop connects to HAProxy</li> <li>HAProxy sends the traffic to the nova-novncproxy service</li> <li>nova-novncproxy connects to the correct VNC port on the right hypervisor</li> </ul> <p>If all of that works, I get a working console! I knew the network path was set up correctly because I could see the console in my browser.</p> <p>My next troubleshooting step was to dump network traffic with <code>tcpdump</code> on the hypervisor itself. I dumped the traffic on port 5900 (which was the VNC port for this particular instance) and watched the output. Whenever I wiggled the mouse over the noVNC console in my browser, I saw a flurry of network traffic. The same thing happened if I punched lots of keys on the keyboard. 
At this point, it was clear that the keyboard input was making it to the hypervisor, but it wasn&rsquo;t being handled correctly.</p> <h2 id="test-the-console">Test the console</h2> <p>Next, I opened up <code>virt-manager</code>, connected to the hypervisor, and opened a connection to the instance. The keyboard input worked fine there. I opened up <code>remmina</code> and connected via plain old VNC. The keyboard input worked fine there, too!</p> <h2 id="investigate-in-the-virtual-machine">Investigate in the virtual machine</h2> <p>The system journal in the virtual machine had some interesting output:</p> <div class="highlight"><pre class="chroma">kernel: atkbd serio0: Unknown key released (translated set 2, code 0x0 on isa0060/serio0). kernel: atkbd serio0: Use &#39;setkeycodes 00 &lt;keycode&gt;&#39; to make it known. kernel: atkbd serio0: Unknown key released (translated set 2, code 0x0 on isa0060/serio0). kernel: atkbd serio0: Use &#39;setkeycodes 00 &lt;keycode&gt;&#39; to make it known. kernel: atkbd serio0: Unknown key pressed (translated set 2, code 0x0 on isa0060/serio0). kernel: atkbd serio0: Use &#39;setkeycodes 00 &lt;keycode&gt;&#39; to make it known. kernel: atkbd serio0: Unknown key pressed (translated set 2, code 0x0 on isa0060/serio0). kernel: atkbd serio0: Use &#39;setkeycodes 00 &lt;keycode&gt;&#39; to make it known. kernel: atkbd serio0: Unknown key released (translated set 2, code 0x0 on isa0060/serio0). kernel: atkbd serio0: Use &#39;setkeycodes 00 &lt;keycode&gt;&#39; to make it known. kernel: atkbd serio0: Unknown key released (translated set 2, code 0x0 on isa0060/serio0). kernel: atkbd serio0: Use &#39;setkeycodes 00 &lt;keycode&gt;&#39; to make it known.</pre></div> <p>It seems like my keyboard input was being lost in translation - literally. 
I have a US layout keyboard (Thinkpad X1 Carbon) and the virtual machine was configured with the <code>en-us</code> keymap:</p> <div class="highlight"><pre class="chroma"># virsh dumpxml 4 | grep vnc &lt;graphics type=&#39;vnc&#39; port=&#39;5900&#39; autoport=&#39;yes&#39; listen=&#39;; keymap=&#39;en-us&#39;&gt;</pre></div> <p>A thorough Googling session revealed that it is <a href="">not recommended to set a keymap for virtual machines</a> in libvirt in most situations. I set the <code>nova_console_keymap</code> variable in <code>/etc/openstack_deploy/user_variables.yml</code> to an empty string:</p> <div class="highlight"><pre class="chroma">nova_console_keymap: &#39;&#39;</pre></div> <p>I redeployed the nova service using the OpenStack-Ansible playbooks:</p> <div class="highlight"><pre class="chroma">openstack-ansible os-nova-install.yml</pre></div> <p>Once that was done, I powered off the virtual machine and powered it back on. (This is needed to ensure that the libvirt changes go into effect for the virtual machine.)</p> <p><strong>Great success!</strong> The keyboard was working in the noVNC console once again!</p> <p><em>Photo credit: <a href="">Wikipedia</a></em></p> OpenStack Summit Boston 2017 Recap Fri, 12 May 2017 00:25:55 UTC Major Hayden <p><img src="../wp-content/uploads/2017/05/1280px-Bunker_Hill_Monument_by_night_dfv-e1494544221347.jpg" alt="1" /></p> <p>The OpenStack Summit wrapped up today in Boston and it was a great week! There were plenty of informative breakouts and some interesting keynotes.</p> <h2 id="keynotes">Keynotes</h2> <p>Beth Cohen <a href="">shared some of the work that Verizon has done</a> with software-defined WAN on customer-premises equipment (CPE). She showed a demo of how customers could easily provision virtual network hardware, such as firewalls or intrusion detection systems, without waiting for hardware or cabling changes. 
I&rsquo;m less familiar with the world of telcos, so I found this really interesting.</p> <p>Daniela Rus <a href="">gave an amazing keynote</a> about the democratization of robotics. She showed videos of tiny robots doing some amazing things, including robots which could be swallowed. Those robots could help children who swallow dangerous things (like batteries) without painful surgery.</p> <p>The big surprise on the second day was the <a href="">Q&amp;A with Edward Snowden</a>. At first, I was skeptical about it being a publicity stunt, but it turned out to be a really good conversation about the value of open source.</p> <p>My <a href="">favorite keynote</a> was from Patrick Weeks of GE. He talked about their IT transformation goals and how they selected OpenStack to solve them. They chose a solution from Rackspace and their engineers love it!</p> <h2 id="breakouts">Breakouts</h2> <p>Here are some links to my favorite breakouts:</p> <ul> <li>Adam Young&rsquo;s <a href="">&ldquo;Per API Role Based Access Control&rdquo;</a></li> <li>Ansible&rsquo;s <a href="">BoF about Management, Upgrades and Operations</a></li> <li>Forum: <a href="">Compliance/Security Certification for Upstream Openstack</a></li> </ul> <h2 id="openstack-ansible">OpenStack-Ansible</h2> <p>Although I couldn&rsquo;t make it to all of the OpenStack-Ansible sessions, we had a great turnout for the ones I attended! Every seat was taken during the developer onboarding session and we had some helpful comments from new contributors.</p> <p><img src="../wp-content/uploads/2017/05/IMG_20170510_092327-e1494547255505.jpg" alt="16" /> Andy McCrae leads the OpenStack-Ansible onboarding session</p> <h2 id="my-talks">My talks</h2> <p>The week was a long one for me! I shared two full-length talks, helped with a lightning talk, and joined a panel. 
Here are some quick links to the videos and slides:</p> <ul> <li>Grow Your Community: Inspire an Impostor <ul> <li><a href="">Video</a></li> <li><a href="">Slides</a></li> </ul></li> <li>Securing OpenStack Cloud and Beyond with Ansible <ul> <li><a href="">Video</a></li> <li><a href="">Slides</a></li> </ul></li> <li>The Open Open Open Open Cloud <ul> <li><a href="">Video</a></li> </ul></li> <li>OpenStack Security Team Update <ul> <li><a href="">Video</a></li> </ul></li> </ul> <p><em>Photo credit: <a href="">Luciot</a></em></p> OpenStack-Ansible networking on CentOS 7 with systemd-networkd Thu, 13 Apr 2017 13:18:09 UTC Major Hayden <p><img src="" alt="1" /></p> <p>Although OpenStack-Ansible doesn&rsquo;t fully support CentOS 7 yet, the support is almost ready. I have a four node Ocata cloud deployed on CentOS 7, but I decided to change things around a bit and use systemd-networkd instead of NetworkManager or the old rc scripts.</p> <p>This post will explain how to configure the network for an OpenStack-Ansible cloud on CentOS 7 with systemd-networkd.</p> <p>Each one of my OpenStack hosts has four network interfaces and each one has a specific task:</p> <ul> <li><code>enp2s0</code> &#8211; regular network interface, carries inter-host LAN traffic</li> <li><code>enp3s0</code> &#8211; carries <code>br-mgmt</code> bridge for LXC container communication</li> <li><code>enp4s0</code> &#8211; carries <code>br-vlan</code> bridge for VM public network connectivity</li> <li><code>enp5s0</code> &#8211; carries <code>br-vxlan</code> bridge for VM private network connectivity</li> </ul> <h2 id="adjusting-services">Adjusting services</h2> <p>First off, we need to get systemd-networkd and systemd-resolved ready to take over networking:</p> <pre lang="html">systemctl disable network
systemctl disable NetworkManager
systemctl enable systemd-networkd
systemctl enable systemd-resolved
systemctl start systemd-resolved
rm -f /etc/resolv.conf
ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf</pre> <h2 id="lan-interface">LAN interface</h2> <p>My <code>enp2s0</code> network interface carries traffic between hosts and handles regular internal LAN traffic.</p> <p><code>/etc/systemd/network/</code></p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[Match]</span>
<span class="na">Name</span><span class="o">=</span><span class="s">enp2s0</span>
<span class="k">[Network]</span>
<span class="na">Address</span><span class="o">=</span><span class="s"></span>
<span class="na">Gateway</span><span class="o">=</span><span class="s"></span>
<span class="na">DNS</span><span class="o">=</span><span class="s"></span>
<span class="na">DNS</span><span class="o">=</span><span class="s"></span>
<span class="na">DNS</span><span class="o">=</span><span class="s"></span>
<span class="na">IPForward</span><span class="o">=</span><span class="s">yes</span></code></pre></div> <p>This one is quite simple, but the rest get a little more complicated.</p> <h2 id="management-bridge">Management bridge</h2> <p>The management bridge (<code>br-mgmt</code>) carries traffic between LXC containers. 
We start by creating the bridge device itself:</p> <p><code>/etc/systemd/network/br-mgmt.netdev</code></p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[NetDev]</span>
<span class="na">Name</span><span class="o">=</span><span class="s">br-mgmt</span>
<span class="na">Kind</span><span class="o">=</span><span class="s">bridge</span></code></pre></div> <p>Now we configure the network on the bridge (I use OpenStack-Ansible&rsquo;s defaults here):</p> <p><code>/etc/systemd/network/</code></p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[Match]</span>
<span class="na">Name</span><span class="o">=</span><span class="s">br-mgmt</span>
<span class="k">[Network]</span>
<span class="na">Address</span><span class="o">=</span><span class="s"></span></code></pre></div> <p>I run the management network on VLAN 10, so I need a network device and network configuration for the VLAN as well. This step adds the <code>br-mgmt</code> bridge to the VLAN 10 interface:</p> <p><code>/etc/systemd/network/vlan10.netdev</code></p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[NetDev]</span>
<span class="na">Name</span><span class="o">=</span><span class="s">vlan10</span>
<span class="na">Kind</span><span class="o">=</span><span class="s">vlan</span>
<span class="k">[VLAN]</span>
<span class="na">Id</span><span class="o">=</span><span class="s">10</span></code></pre></div> <p><code>/etc/systemd/network/</code></p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[Match]</span>
<span class="na">Name</span><span class="o">=</span><span class="s">vlan10</span>
<span class="k">[Network]</span>
<span class="na">Bridge</span><span class="o">=</span><span class="s">br-mgmt</span></code></pre></div> <p>Finally, we add the VLAN 10 interface to <code>enp3s0</code> to tie it all 
together:</p> <p><code>/etc/systemd/network/</code></p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[Match]</span>
<span class="na">Name</span><span class="o">=</span><span class="s">enp3s0</span>
<span class="k">[Network]</span>
<span class="na">VLAN</span><span class="o">=</span><span class="s">vlan10</span></code></pre></div> <h2 id="public-instance-connectivity">Public instance connectivity</h2> <p>My router offers up a few different VLANs for OpenStack instances to use for their public networks. We start by creating a <code>br-vlan</code> network device and its configuration:</p> <p><code>/etc/systemd/network/br-vlan.netdev</code></p> <div class="highlight"><pre class="chroma">[NetDev]
Name=br-vlan
Kind=bridge</pre></div> <p><code>/etc/systemd/network/</code></p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[Match]</span>
<span class="na">Name</span><span class="o">=</span><span class="s">br-vlan</span>
<span class="k">[Network]</span>
<span class="na">DHCP</span><span class="o">=</span><span class="s">no</span></code></pre></div> <p>We can add this bridge onto the <code>enp4s0</code> physical interface:</p> <p><code>/etc/systemd/network/</code></p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[Match]</span>
<span class="na">Name</span><span class="o">=</span><span class="s">enp4s0</span>
<span class="k">[Network]</span>
<span class="na">Bridge</span><span class="o">=</span><span class="s">br-vlan</span></code></pre></div> <h2 id="vxlan-private-instance-connectivity">VXLAN private instance connectivity</h2> <p>This step is similar to the previous one. 
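The bridge-and-VLAN chain built so far (physical interface, VLAN netdev, bridge netdev, and the `.network` units that tie them together) is easy to get subtly wrong: a `Bridge=` that names a VLAN device, a VLAN Id used twice, or a netdev with no matching `.network` unit. The following checker is an added example, not code from the post or from OpenStack-Ansible. It parses systemd-networkd units with Python's `configparser`, validates the references between them, and ships with a constructed copy of the `br-mgmt`, `vlan10`, `br-vlan` layout above (the addresses are placeholder values, since the post leaves them blank) plus a deliberately broken variant. `load_directory` is a hypothetical helper for pointing it at a real `/etc/systemd/network`.

```python
"""Consistency check for a set of systemd-networkd units (added example, not
part of the original post). It parses .netdev/.network files, then verifies
that every Bridge= and VLAN= reference resolves to a netdev of the matching
Kind, that VLAN Ids are unique, and that every netdev has a .network unit
matching it."""
import configparser
from pathlib import Path

# Constructed sample: file name -> unit text, following the post's layout.
# Addresses are placeholders from documentation ranges (the post leaves them blank).
SAMPLE_UNITS = {
    "enp2s0.network": "[Match]\nName=enp2s0\n[Network]\nAddress=192.0.2.10/24\n"
                      "Gateway=192.0.2.1\nDNS=192.0.2.53\nDNS=192.0.2.54\nIPForward=yes\n",
    "br-mgmt.netdev": "[NetDev]\nName=br-mgmt\nKind=bridge\n",
    "br-mgmt.network": "[Match]\nName=br-mgmt\n[Network]\nAddress=198.51.100.10/22\n",
    "vlan10.netdev": "[NetDev]\nName=vlan10\nKind=vlan\n[VLAN]\nId=10\n",
    "vlan10.network": "[Match]\nName=vlan10\n[Network]\nBridge=br-mgmt\n",
    "enp3s0.network": "[Match]\nName=enp3s0\n[Network]\nVLAN=vlan10\n",
    "br-vlan.netdev": "[NetDev]\nName=br-vlan\nKind=bridge\n",
    "br-vlan.network": "[Match]\nName=br-vlan\n[Network]\nDHCP=no\n",
    "enp4s0.network": "[Match]\nName=enp4s0\n[Network]\nBridge=br-vlan\n",
}

# Same layout with two deliberate mistakes: enp4s0 is enslaved to the VLAN
# device instead of the bridge, and br-vlan has no .network unit at all.
BROKEN_UNITS = {k: v for k, v in SAMPLE_UNITS.items() if k != "br-vlan.network"}
BROKEN_UNITS["enp4s0.network"] = "[Match]\nName=enp4s0\n[Network]\nBridge=vlan10\n"


def _parse(text):
    """Parse one unit. strict=False tolerates repeated keys such as DNS=."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # systemd keys are case-sensitive (Name, Kind, Id)
    cp.read_string(text)
    return cp


def load_directory(path="/etc/systemd/network"):
    """Hypothetical helper: read real units into the same {name: text} shape."""
    return {p.name: p.read_text() for p in Path(path).iterdir()
            if p.suffix in (".netdev", ".network")}


def check_topology(units):
    """Return a list of problem strings; an empty list means the set is consistent."""
    netdevs, networks, problems = {}, {}, []
    for fname, text in units.items():
        cp = _parse(text)
        if fname.endswith(".netdev"):
            netdevs[cp["NetDev"]["Name"]] = {
                "Kind": cp["NetDev"].get("Kind", ""),
                "Id": cp.get("VLAN", "Id", fallback=None),
            }
        elif fname.endswith(".network"):
            networks[fname] = {
                "Name": cp.get("Match", "Name", fallback=""),
                "Bridge": cp.get("Network", "Bridge", fallback=None),
                "VLAN": cp.get("Network", "VLAN", fallback=None),
            }

    # 1. VLAN netdevs need an Id, and two VLAN netdevs must not share one.
    seen_ids = {}
    for name, nd in netdevs.items():
        if nd["Kind"] != "vlan":
            continue
        if nd["Id"] is None:
            problems.append(f"{name}: Kind=vlan but no [VLAN] Id=")
        elif nd["Id"] in seen_ids:
            problems.append(f"{name}: VLAN Id {nd['Id']} already used by {seen_ids[nd['Id']]}")
        else:
            seen_ids[nd["Id"]] = name

    # 2. Bridge= must name a bridge netdev and VLAN= must name a vlan netdev.
    for fname, net in networks.items():
        for key in ("Bridge", "VLAN"):
            target = net[key]
            if target is None:
                continue
            kind = netdevs.get(target, {}).get("Kind")
            if kind is None:
                problems.append(f"{fname}: {key}={target} but no {target}.netdev defines it")
            elif kind != key.lower():
                problems.append(f"{fname}: {key}={target} is a {kind} netdev, expected {key.lower()}")

    # 3. A netdev with no matching .network unit is created but never configured.
    matched = {net["Name"] for net in networks.values()}
    for name in netdevs:
        if name not in matched:
            problems.append(f"{name}: no .network unit matches this netdev")
    return problems


if __name__ == "__main__":
    for label, units in (("sample", SAMPLE_UNITS), ("broken", BROKEN_UNITS)):
        print(label, check_topology(units) or "OK")
```

Run it before rebooting: on the sample layout it reports nothing, and on the broken variant it names both the wrong `Bridge=` target in `enp4s0.network` and the orphaned `br-vlan` netdev. The same three checks apply unchanged once the VXLAN units (`br-vxlan`, `vlan11`, `enp5s0`) are added, since they follow the identical pattern.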
We start by defining our <code>br-vxlan</code> bridge:</p> <p><code>/etc/systemd/network/br-vxlan.netdev</code></p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[NetDev]</span>
<span class="na">Name</span><span class="o">=</span><span class="s">br-vxlan</span>
<span class="na">Kind</span><span class="o">=</span><span class="s">bridge</span></code></pre></div> <p><code>/etc/systemd/network/</code></p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[Match]</span>
<span class="na">Name</span><span class="o">=</span><span class="s">br-vxlan</span>
<span class="k">[Network]</span>
<span class="na">Address</span><span class="o">=</span><span class="s"></span></code></pre></div> <p>My VXLAN traffic runs over VLAN 11, so we need to define that VLAN interface:</p> <p><code>/etc/systemd/network/vlan11.netdev</code></p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[NetDev]</span>
<span class="na">Name</span><span class="o">=</span><span class="s">vlan11</span>
<span class="na">Kind</span><span class="o">=</span><span class="s">vlan</span>
<span class="k">[VLAN]</span>
<span class="na">Id</span><span class="o">=</span><span class="s">11</span></code></pre></div> <p><code>/etc/systemd/network/</code></p> <div class="highlight"><pre class="chroma"><code class="language-ini" data-lang="ini"><span class="k">[Match]</span>
<span class="na">Name</span><span class="o">=</span><span class="s">vlan11</span>
<span class="k">[Network]</span>
<span class="na">Bridge</span><span class="o">=</span><span class="s">br-vxlan</span></code></pre></div> <p>We can hook this VLAN interface into the <code>enp5s0</code> interface now:</p> <p><code>/etc/systemd/network/</code></p> <div class="highlight"><pre class="chroma">[Match]
Name=enp5s0
[Network]
VLAN=vlan11</pre></div> <h2 id="checking-our-work">Checking our work</h2> <p>The 
cleanest way to apply all of these configurations is to reboot. The <em>Adjusting services</em> step from the beginning of this post will ensure that systemd-networkd and systemd-resolved come up after a reboot.</p> <p>Run <code>networkctl</code> to get a current status of your network interfaces:</p> <div class="highlight"><pre class="chroma"># networkctl
IDX LINK      TYPE     OPERATIONAL SETUP
  1 lo        loopback carrier     unmanaged
  2 enp2s0    ether    routable    configured
  3 enp3s0    ether    degraded    configured
  4 enp4s0    ether    degraded    configured
  5 enp5s0    ether    degraded    configured
  6 lxcbr0    ether    routable    unmanaged
  7 br-vxlan  ether    routable    configured
  8 br-vlan   ether    degraded    configured
  9 br-mgmt   ether    routable    configured
 10 vlan11    ether    degraded    configured
 11 vlan10    ether    degraded    configured</pre></div> <p>You should have <code>configured</code> in the <code>SETUP</code> column for all of the interfaces you created. Some interfaces will show as <code>degraded</code> because they are missing an IP address (which is intentional for most of these interfaces).</p> RHEL 7 STIG v1 updates for openstack-ansible-security Wed, 05 Apr 2017 17:46:17 UTC Major Hayden <p><a href="../wp-content/uploads/2017/04/OpenStack-Logo-Horizontal-e1491414195297.png"><img src="../wp-content/uploads/2017/04/OpenStack-Logo-Horizontal-e1491414195297-300x67.png" alt="OpenStack Logo" width="300" height="67" class="alignright size-medium wp-image-6674" srcset="../wp-content/uploads/2017/04/OpenStack-Logo-Horizontal-e1491414195297-300x67.png 300w, ../wp-content/uploads/2017/04/OpenStack-Logo-Horizontal-e1491414195297.png 510w" sizes="(max-width: 300px) 100vw, 300px" /></a>DISA&rsquo;s final release of the Red Hat Enterprise Linux (RHEL) 7 Security Technical Implementation Guide (STIG) <a href="">came out a few weeks ago</a> and it has plenty of improvements and changes. 
The openstack-ansible-security role has already been updated with these changes.</p> <p>Quite a few duplicated STIG controls were removed and a few new ones were added. Some of the controls in the pre-release were difficult to implement, especially those that changed parameters for PKI-based authentication.</p> <p>The biggest challenge overall was the renumbering. The pre-release STIG used an unusual numbering convention: RHEL-07-123456. The final version used the more standardized &ldquo;V&rdquo; numbers, such as V-72225. This change required a <a href="">substantial patch</a> to bring the Ansible role in line with the new STIG release.</p> <p>All of the <a href="">role&rsquo;s documentation</a> is now updated to reflect the new numbering scheme and STIG changes. The key thing to remember is that you&rsquo;ll need to use <code>--skip-tags</code> with the new STIG numbers if you need to skip certain tasks.</p> <p><strong>Note:</strong> These changes won&rsquo;t be backported to the <code>stable/ocata</code> branch, so you need to use the <code>master</code> branch to get these changes.</p> <p>Have feedback? Found a bug? 
Let us know!</p> <ul> <li>IRC: <code>#openstack-ansible</code> on Freenode IRC</li> <li>Bugs: <a href="">LaunchPad</a></li> <li>E-mail: <a href=""></a> with the subject line <code>[openstack-ansible][security]</code></li> </ul> Takeaways from Bruce Schneier’s talk: “Security and Privacy in a Hyper-connected World” Wed, 22 Mar 2017 01:31:52 UTC Major Hayden <p><a href="../wp-content/uploads/2017/03/IMG_20170321_113057-e1490144858438.jpg"><img src="../wp-content/uploads/2017/03/IMG_20170321_113057-e1490144858438.jpg" alt="IBM Interconnect 2017 Bruce Schneier" width="1024" height="378" class="aligncenter size-full wp-image-6659" srcset="../wp-content/uploads/2017/03/IMG_20170321_113057-e1490144858438.jpg 1024w, ../wp-content/uploads/2017/03/IMG_20170321_113057-e1490144858438-300x111.jpg 300w, ../wp-content/uploads/2017/03/IMG_20170321_113057-e1490144858438-768x284.jpg 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></a>Bruce Schneier is one of my favorite speakers when it comes to the topic of all things security. His talk from IBM Interconnect 2017, &ldquo;<a href="">Security and Privacy in a Hyper-connected World</a>&rdquo;, covered a wide range of security concerns.</p> <p>There were plenty of great quotes from the talk (scroll to the end for those) and I will summarize the main takeaways in this post.</p> <h2 id="people-process-and-technology">People, process, and technology</h2> <p>Bruce hits this topic a lot and for good reason: a weak link in any of the three could lead to a breach and a loss of data. He talked about the concept of security as a product and a process. Security is part of every product we consume. Whether it&rsquo;s the safety of the food that makes it into our homes or the new internet-connected thermostat on the wall, security is part of the product.</p> <p>The companies that sell these products have a wide variety of strategies for managing security issues. 
Vulnerabilities in an internet-connected teapot are not worth much since there isn&rsquo;t a lot of value there. It&rsquo;s probably safe to assume that a teapot will have many more vulnerabilities than your average Apple or Android mobile device. Vulnerabilities in those devices are extremely valuable because the data we carry on those devices is valuable.</p> <h2 id="certainty-vs-uncertainty">Certainty vs. uncertainty</h2> <p>The talk moved into incident response and how to be successful when the worst happens. Automation only works when there&rsquo;s a high degree of certainty in the situation. If there are variables that can be plugged into an algorithm and a result comes out the other end, automation is fantastic.</p> <p>Bruce recommended using orchestration when tackling uncertain situations, such as security incident responses. Orchestration involves people following processes and using technology where it makes sense.</p> <p>He talked about going through TSA checkpoints where metal detectors and x-ray scanners essentially run the show. Humans are around when these pieces of technology detect a problem. If you put a weapon into your carry-on, the x-ray scanner will notify a human and that human can take an appropriate response to escalate the problem. If a regular passenger has a firearm in a carry-on bag, the police should be alerted. If an Air Marshal has one, then the situation is handled entirely differently - by a human.</p> <p>One other aspect he noted was around the uncertainty surrounding our data. Our control over our data, and our control over the systems that hold our data, is decreasing. Bruce remarked that he has more control over what his laptop does than his thermostat.</p> <h2 id="ooda-loop">OODA loop</h2> <p>Bruce raised awareness around the <a href="">OODA loop</a> and its value when dealing with security incidents. 
Savvy readers will remember that the OODA loop was the crux of my &ldquo;<a href="">Be an inspiration, not an impostor</a>&rdquo; talk about impostor syndrome.</p> <p>His point was that the OODA loop is a great way to structure a response during a stressful situation. When the orchestration works well, the defenders can complete an OODA loop faster than their adversaries can. When it works really well, the defenders can find ways to disrupt the adversaries&rsquo; OODA loops and thwart the attack.</p> <h2 id="quotes">Quotes</h2> <p>I tried to capture as many of the memorable quotes on Twitter as they happened. It&rsquo;s certainly possible - perhaps likely - that I&rsquo;ve missed a few words in the quotes. <em>I apologize in advance to Bruce if I&rsquo;ve mangled any of his words here.</em></p> <blockquote class="twitter-tweet tw-align-center" data-width="500"> <p lang="en" dir="ltr"> "Internet security will become everything security." <a href="">#ibminterconnect</a> </p> <p> &mdash; Major Hayden (@majorhayden) <a href="">March 21, 2017</a> </p> </blockquote> <blockquote class="twitter-tweet tw-align-center" data-width="500"> <p lang="en" dir="ltr"> "Security is a product and a process. What's changing are the ratios." <a href="">#ibminterconnect</a> </p> <p> &mdash; Major Hayden (@majorhayden) <a href="">March 21, 2017</a> </p> </blockquote> <blockquote class="twitter-tweet tw-align-center" data-width="500"> <p lang="en" dir="ltr"> "Automation requires certainty. If you need flexibility, you need people." <a href="">#ibminterconnect</a> </p> <p> &mdash; Major Hayden (@majorhayden) <a href="">March 21, 2017</a> </p> </blockquote> <blockquote class="twitter-tweet tw-align-center" data-width="500"> <p lang="en" dir="ltr"> "In a world of certainty, the focus is on data. In a world of uncertainty, the focus is on understanding." 
<a href="">#ibminterconnect</a> </p> <p> &mdash; Major Hayden (@majorhayden) <a href="">March 21, 2017</a> </p> </blockquote> <blockquote class="twitter-tweet tw-align-center" data-width="500"> <p lang="ro" dir="ltr"> "Certainty: centralization. Uncertainty: decentralization." <a href="">#ibminterconnect</a> </p> <p> &mdash; Major Hayden (@majorhayden) <a href="">March 21, 2017</a> </p> </blockquote> <blockquote class="twitter-tweet tw-align-center" data-width="500"> <p lang="en" dir="ltr"> "Incident response is fundamentally uncertain. That's why it's difficult to automate." <a href="">#ibminterconnect</a> </p> <p> &mdash; Major Hayden (@majorhayden) <a href="">March 21, 2017</a> </p> </blockquote> <blockquote class="twitter-tweet tw-align-center" data-width="500"> <p lang="en" dir="ltr"> "If you can't remove the people, make them effective." <a href="">#ibminterconnect</a> </p> <p> &mdash; Major Hayden (@majorhayden) <a href="">March 21, 2017</a> </p> </blockquote> <blockquote class="twitter-tweet tw-align-center" data-width="500"> <p lang="en" dir="ltr"> "As soon as you get to a situation that needs judgement, people go to the foreground." <a href="">#ibminterconnect</a> </p> <p> &mdash; Major Hayden (@majorhayden) <a href="">March 21, 2017</a> </p> </blockquote> <blockquote class="twitter-tweet tw-align-center" data-width="500"> <p lang="en" dir="ltr"> "The union of people, process and technology is orchestration. Tech where it works, people where it's necessary." <a href="">#ibminterconnect</a> </p> <p> &mdash; Major Hayden (@majorhayden) <a href="">March 21, 2017</a> </p> </blockquote> <blockquote class="twitter-tweet tw-align-center" data-width="500"> <p lang="en" dir="ltr"> "If your OODA loop can move faster than the attacker, you have the advantage." 
<a href="">#ibminterconnect</a> </p> <p> &mdash; Major Hayden (@majorhayden) <a href="">March 21, 2017</a> </p> </blockquote> <blockquote class="twitter-tweet tw-align-center" data-width="500"> <p lang="en" dir="ltr"> "There's a cognitive bias against spending on security." <a href="">#ibminterconnect</a> </p> <p> &mdash; Major Hayden (@majorhayden) <a href="">March 21, 2017</a> </p> </blockquote> <blockquote class="twitter-tweet tw-align-center" data-width="500"> <p lang="en" dir="ltr"> "We are good at network security. We are bad at end device security." <a href="">#ibminterconnect</a> </p> <p> &mdash; Major Hayden (@majorhayden) <a href="">March 21, 2017</a> </p> </blockquote> <blockquote class="twitter-tweet tw-align-center" data-width="500"> <p lang="en" dir="ltr"> "We're losing control of our data and the systems that process our data." <a href="">#ibminterconnect</a> </p> <p> &mdash; Major Hayden (@majorhayden) <a href="">March 21, 2017</a> </p> </blockquote> Five reasons why I’m excited about POWER9 Tue, 21 Mar 2017 18:38:22 UTC Major Hayden <p>There&rsquo;s plenty to like about the POWER8 architecture: high speed interconnections, large (and flexible) core counts, and support for lots of memory. POWER9 provides improvements in all of these areas and it has learned some entirely new tricks as well.</p> <p>Here are my top five reasons for getting excited about POWER9:</p> <h2 id="nvlink-2-0">NVLink 2.0</h2> <p>In the simplest terms, NVLink provides a very high speed interface between CPUs and GPUs with very low latency. This is quite handy for software that needs to exchange large amounts of data with GPUs. Machine learning can get a significant performance boost with NVLink.</p> <p>NVLink 2.0 connects CPUs and GPUs with a 25GB/sec link (per lane). That&rsquo;s not all - GPUs can communicate with each other over their own independent lanes. Drop in a few of NVIDIA&rsquo;s Tesla P100 GPUs and you will have an extremely powerful accelerated system. 
NVIDIA&rsquo;s next generation GPUs, codenamed &ldquo;Volta&rdquo;, will take this to the next level.</p> <h2 id="capi-2-0">CAPI 2.0</h2> <p>The Coherent Accelerator Processor Interface (CAPI) allows the CPU to quickly access accelerators (think ASICs and FPGAs) over a high bandwidth interface with very low latency. CAPI 2.0 gets a 4x performance bump in POWER9 since it uses PCI-Express Gen 4.</p> <p>The OpenCAPI 3.0 interface is also available, but it doesn&rsquo;t use PCI-Express like CAPI does. It has an open interface with 25GB/sec of bandwidth and it uses direct memory access to perform operations very quickly.</p> <h2 id="on-chip-acceleration">On-chip acceleration</h2> <p>POWER9 provides more acceleration for common tasks right on the chip itself. This includes the common functions, like cryptography, but it also accelerates compression. The chip will accelerate gzip compression, 842 compression and AES/SHA. It also has a true random number generator built in.</p> <p>Another nice on-chip benefit is the virtualization acceleration. No hypervisor calls are needed (this depends on your hypervisor choice) and this allows for user mode invocation of virtualization actions.</p> <h2 id="multiple-core-options">Multiple core options</h2> <p>POWER9 comes in two flavors: SMT8 and SMT4. SMT8 is geared towards the PowerVM platform and provides the strongest individual threads. This makes it great for larger PowerVM partitions that need lots of cores. SMT4 is designed more for Linux workloads.</p> <p>The chip can handle 64 instructions per cycle on the SMT4 and 128 instructions on the SMT8. There are also some compiler benefits that can improve performance for modern codebases.</p> <h2 id="openpower-zaius">OpenPOWER Zaius</h2> <p>I&rsquo;d be remiss if I didn&rsquo;t mention Rackspace&rsquo;s contributions to the <a href="">Zaius P9 server</a>! Zaius is a spec for an Open Compute POWER9 server. 
Google, Rackspace, IBM and Ingrasys have been working together to build this server for the masses.</p>