Skip to main content

About

Hi there! I'm Remy, a Linux/UNIX sysadmin, my primary focus is on building high available cloud environments in OpenStack, Amazon, Microsoft Azure or on premise with Ansible and Terraform (or any other configuration management tool). My keywords are OpenStack, cloud, virtualization, high availability, scaling and clustering, security, (Open)SSL, Python, Powershell, Bash and general linux/UNIX system administration. Besides that I also develop software in Python.

I currently work for VolkerWessels, the largest Dutch civil engineering construction company as an (Azure) cloud specialist.

I've worked as a sysadmin (in a devops role) for the Erasmus University Medical Center (a large hospital and medical university in Rotterdam), Digidentity (a Dutch certificate authority, the company that develops DigiD and other Ruby on Rails applications), CloudVPS (an OpenStack Cloud provider, ISP, managed service provider and datacenter) and a few other smaller companies. I like to design, build, document and manage large, complex and high available systems. I'm a team player that loves to work with configuration management tools and version control systems. If I do something more than three times I automate it. Planning, documentation, monitoring and backups are things I do first, not when the time allows it later. Last but not least I have an interest in legacy systems like the PDP-11, PDP-8 and operating systems like OpenVMS, HP-UX and old UNIX systems.

To contact me, see my resume, get my GPG or S/MIME key see the about page.

This is my personal website, please do note that these articles do not reflect or are based on work, opinions or policies of any of my (previous) employers. Any resemblance to reality is pure coincidence.

This site started in 2006 as my form of (public) documentation. It has grown to include software, tutorials, snippets and articles on linux/UNIX, system administration and everything related with over 10.000 unique visitors a day as of 2018-06. The URL is the phonetic way you say my name (Ray-Mii), since non-Dutch speakers always have trouble with the correct pronunciation.


Latest Items

Split keyboards, a five year review including the ErgoDox EZ, Matias Ergo Pro and Kinesis Freestyle 2

10-02-2019 | Remy van Elst

A split keyboard is weird at first, but once you get used to it, you will never want anything else. The keyboard is made up from two halves allowing your arms and wrists to be in a natural (neutral, straight) position, instead of having an angle/twist in your wrist. I've been using split keyboards for about five years now. Over those years I've tried several different models from different manufacturers. In this article I'll talk about the three split keyboards I've used intensively and two I have only seen or tried shortly. We'll start with my current and favorite split keyboard, the ErgoDox EZ. The other two I've used are the Matias Ergo Pro and the Kinesis Freestyle 2. I discuss the UHK and Microsoft Natural Ergonomic Keyboard 4000 briefly.

Read more...

Sparkling Network

12-01-2019 | Remy van Elst

This is an overview of all the servers in the Sparkling Network, mostly as an overview for myself, but it might be interesting for others. It also has a status overview of the nodes.

Read more...

SSH on Windows Server 2019 (including how to sudo)

18-12-2018 | Remy van Elst

On hackernews I saw a Microsoft blog post stating that Windows Server 2019 now includes OpenSSH. In this post I'll try out both the client and server on a Windows 2019 server, including how to login as a Active Directory Domain user and how to generate and place and SSH keypair. The bonus this time is how to elevate permissions via SSH on Windows, sudo but way more complicated. This guide is also applicable on Windows 10, build 1809 and up.

Read more...

OpenSSL command line Root and Intermediate CA including OCSP, CRL and revocation

17-12-2018 | Remy van Elst

These are quick and dirty notes on generating a certificate authority (CA), intermediate certificate authorities and end certificates using the OpenSSL command line tools. It includes OCSP, CRL and CA Issuer information and specific issue and expiry dates. We'll set up our own root CA. We'll use the root CA to generate an example intermediate CA. We'll use the intermediate CA to sign end user certificates.

Read more...

Ansible - Only do action if on specific distribution (Debian, Ubuntu, CentOS or RHEL) or distribution version (ubuntu precise, ubuntu trusty)

16-12-2018 | Remy van Elst

This ansible playbook example helps you execute actions only if you are on a certain distribution. You might have a mixed environment with CentOS and Debian, when using ansible to execute actions on different servers you don't need to run yum on debian, or apt on CentOS. Some package names are different and such, so this helps you with a when statement to select a specific distribution. As a bonus, you also get a when for specific distribution versions, like Ubuntu precise (12.04 LTS) or Ubuntu trusty (14.04 LTS).

Read more...

Ansible - Only do something if another action changed

15-12-2018 | Remy van Elst

This Ansible tutorial shows you how execute actions only if another action has changed. For example, a playbook which downloads a remote key for package signing but only executes the apt-add command if the key has changed. Or a playbook which clones a git repository and only restarts a service if the git repository has changed.

Read more...

Ansible - Add an apt-repository on Debian and Ubuntu

14-12-2018 | Remy van Elst

This is a guide that shows you how to add an apt repository to Debian and Ubuntu using Ansible. It includes both the old way, when the apt modules only worked on Ubuntu, and the new way, now that the apt-modules also support Debian, plus some other tricks.

Read more...

Line total (up+down sum) in PHP Network Weathermap

13-11-2018 | Remy van Elst

With PHP Network Weathermap you can create a birds-eye view of network components from your monitoring system (like LibreNMS, Cacti or anything else with an RRD database). It can display simple maps with components and links between, showing up and down traffic, but also complex systems with custom components, like Nagios status, temperature or other information. For network and system administrators seeing the seperate in and out traffic of a link is fine, we can sum up two numbers. A co worker filling the role of service manager asked me if it was possible to sum up in and out and show that, including the scale (different colours depending on link usage). This co worker is not interested in the seperate up/down link speed but wants to know how much traffic a location is using in total. Using a clever workaround, you can display a line's total usage, including the scale. This article also gives some more tips on weathermap, colouring and scale.

Read more...

Three new NitroKeys! Nitrokey Pro 2, Storage 2 and a FIDO-U2F Nitrokey

08-11-2018 | Remy van Elst

Last week I received several newsletters from Nitrokey. As you might know, I'm a fan of their (mostly open source) hardware security devices. Their newsletters introduced two new keys, the Nitrokey Pro 2 and the Nitrokey FIDO-U2F key. On their website I also saw the Nitrokey Storage Pro 2. This article is a summary of the newsletters and goes over the new features in the new hardware. It boils down to a new OpenPGP smartcard version (3.3, it was 2.1) in the Nitrokey Pro 2 and Storage 2. The FIDO-U2F device is an entirely new Nitrokey (with a button).

Read more...

Use Ubuntu behind a Microsoft ForeFront TMG proxy with cntlm

27-10-2018 | Remy van Elst

Recently I had to deploy a few machines in a network where outgoing network access was forced through a Microsoft Forefront TMG proxy. For all the Windows clients this went automatically due to domain policies, for Linux this has to be set up manually. Defining the proxy in /etc/environment was not enough since NTML authentication is required, which is not supported by default. I found cntlm, a piece of software which acts as a local proxy, translating all requests to authenticated NTLM requests to your upstream proxy. This guide covers the (offline) installation, setup, getting the correct password hash and system-wide configuration. It should work on a desktop as well, but I did not test that.

Read more...

Encrypt and decrypt files to public keys via the OpenSSL Command Line

25-10-2018 | Remy van Elst

This small tutorial will show you how to use the openssl command line to encrypt and decrypt a file using a public key. We will first generate a random key, encrypt that random key against the public key of the other person and use that random key to encrypt the actual file with using symmetric encryption.

Read more...

Find files in tar archives and extract specific files from tar archives

17-10-2018 | Remy van Elst

This is a small tip, to find specific files in tar archives and how to extract those specific files from said archive.

Read more...

Reddit Gold for Caldera Openlinux 1.2

26-09-2018 | Remy van Elst

Someone liked my Reddit post regarding a few old CD's I found of Caldera Openlinux 1.2, including source code and floppies so much they gilded it. I got some special internet points today.

Read more...

Service checks in LibreNMS (http, all other Nagios plugins)

10-09-2018 | Remy van Elst

LibreNMS is becoming one of my favorite monitoring tools. Setup and getting started is easy and it has enough advanced options and tunables. I recently discovered that LibreNMS is able to check services as well. Services, in this context, means, executing Nagios plugins (like check_http, check_ping, etc). This allows you to check services that SNMP does not cover by default, like HTTP(s) health checks, certificate expiry, tcp port checks (e.g. rdp) and anything for which you can write a Nagios plugin yourself. The performance data, if available, is graphed automatically. Alerting is done with the regular LibreNMS alerts. This guide covers the setup of services (it's not enabled by default) and a few basic checks, like an http health check, certificate expiry and SSH monitoring.

Read more...

tping - ping with a timestamp

03-09-2018 | Remy van Elst

tping is a bash alias I once got from an old co-worker. It's ping, but with a timestamp. Instead of looking at the increased icmp_seq number you now have a timestamp.

Read more...

Linux on Microsoft Azure? Disable this built-in root-access backdoor (wa-linux-agent)

22-08-2018 | Remy van Elst

Are you running Linux on Microsoft Azure? Then by default anyone with access to your Azure portal can run commands as root in your VM, reset SSH keys, user passwords and SSH configuration. This article explains what the backdoor (wa-linux-agent) is, what it is meant to do, how it can be disabled and removed and what the implications are. OpenStack/QEMU also have an agent/backdoor which is covered in this article as well.

Read more...

Python script to talk to LibreNMS API and get alerts and hosts

08-08-2018 | Remy van Elst

This script talks to the LibreNMS API to receive a list of down devices and alerts. The LibreNMS dashboard provides widgets for alerts and host statusses, but there is no easy way to access that output via the API. Using Python I was able to get certain information and output it as HTML or text using PrettyTable. It can be included in other systems or be used in a chain of monitoring customizations. z

Read more...

nginx 1.15.2, ssl_preread_protocol, multiplex HTTPS and SSH on the same port

06-08-2018 | Remy van Elst

The NGINX blog recently had a nice article on a new feature of NGINX 1.15.2, $ssl_preread_protocol. This allows you to multiplex HTTPS and other SSL protocols on the same port, or as their blog states, 'to distinguish between SSL/TLS and other protocols when forwarding traffic using a TCP (stream) proxy'. This can be used to run SSH and HTTPS on the same port (or any other SSL protocol next to HTTPS). By running SSH and HTTPS on the same port, one can circumvent certain firewall restrictions. If the session looks like HTTPS, nginx will handle it, if it looks like something else, it will forward it to the configured other program. I used to use SSHL to get this functionality, but now it's built into the nginx webserver. This small guide will cover the installation of the latest version of nginx on Ubuntu (16.04) and configuring this multiplex feature.

Read more...

Site updates for accessibility, text only pages and skip to main content

01-08-2018 | Remy van Elst

I've made some new improvements to this website. Raymii.org is generated using my self-written static site generator named ingsoc, the new features are focussed on accessibility. If you are using a screen reader or command-line browser this will benefit you. Or if you like to archive stuff offline. The two main improvements are a text-only version of every content page (article/tutorial etc) and a 'Skip to main content' link.

Read more...

Send email with multiple inline images via bash with a loop

23-07-2018 | Remy van Elst

Recently I had a request from a user that whished to receive a scheduled email with two screenshots. The screenshots were automated via AutoIt on a network share, the user manually logged in every evening to check the pictures. With bash and postfix/sendmail we can automate this process, the user now doesn't have to login but can just check their email. There are a lot of snippets and guides to attach emails via the shell, but displaying multiple images inline as an HTML mail was something I had to figure out. You cannot embed the image in base64 HTML because Outlook doesn't show that, you must use the Content-ID style embed. Like UUENCODE, but more complicated. (The next step in this process with the user is to automate the reason why they have to check those screenshots every night, that is something for another article)

Read more...

log_vcs - Ansible callback plugin that creates VCS (git) branches for every Ansible run

10-07-2018 | Remy van Elst

This Ansible callback plugin creates a VCS branch every time you run Ansible. If you ever need to go back to a certain state or environment, check out that branch and be sure nothing has changed. This is useful when you have multiple environments or multiple people deploying and continually develop your Ansible. When you often deploy to test / acceptance and less often to production, you can checkout the last branch that deployed to production if a hotfix or other maintenance is required, without having to search back in your commits and logs. I would recommend to develop infrastructure features in feature branches and have the master branch always deployable to production. However, reality learns that that is not always the case and this is a nice automatic way to have a fallback.

Read more...

All Items