About

I'm a Linux/Unix sysadmin with experience in High Availability, scaling and clustering, security, (Open)SSL and general Linux system administration. I've worked as a sysadmin (devops) for Certificate Authorities, Hospitals, Managed Service Providers, Datacenters, Development shops and large Internet Service Providers. I currently work for an OpenStack provider. I like to design, build and manage large, complex and highly available systems. I like to work with configuration management tools and version control systems. Documentation, monitoring and backups are things I do first, not when time allows it later.
This is my personal website; please note that these articles do not reflect the opinions or policies of any of my (previous) employers, only my personal ones.


Latest Items

OpenStack Glance Image Download, download OpenStack images

25-02-2015 | Remy van Elst

This guide shows you how to download OpenStack images to your local machine using the command line Glance client. You can use this, for example, to download a copy of an image created from a VM, or to download the images your OpenStack provider provides and adapt those.

Read more...

Installing Virtual Machines with virt-install, plus copy-pastable distro install one-liners

08-02-2015 | Remy van Elst

virt-install is a command line tool for creating new KVM, Xen or Linux container guests using the libvirt hypervisor management library. It allows you to create a VM and start an installation from the command line. This article has a few copy-pastable getting started examples for different distros.

Read more...

Remove Installatron from a (Directadmin) server

08-02-2015 | Remy van Elst

This is a short guide which shows you how to remove Installatron from a server.

Read more...

Olimex OlinuXino A20 LIME2 mainline 3.19 kernel, u-boot and debian rootfs image building tutorial

06-02-2015 | Remy van Elst

The Olimex OlinuXino A20 LIME2 is an amazing, powerful and cheap open source ARM development board. It costs EUR 45 and has 160 GPIO pins. This is a guide to building a Linux image with Debian and the mainline 3.19 kernel for the Olimex A20-Lime2 board, from scratch. By default it comes with a 3.4 kernel with binary blobs and patches from Allwinner. Recently the mainline kernel has gained support for these boards; you can now run and use the mainline kernel without these awful non-free binary blobs.

Read more...

Raspberry Pi FM radio transmitter with Buttons

04-02-2015 | Remy van Elst

The PiFM project allows you to use a Raspberry Pi to send out a WAV file on the FM band. This is awesome because every normal radio can then receive your music/podcast without expensive (Sonos) equipment. I've used a lasercutter to craft a new top plate for my Pi which has room for three buttons. These are hooked up to a Python script which allows me to start and stop the transmission, and skip songs or go back. It also allows me to shut down the Pi instead of just pulling the power cable.

Read more...

Olimex OlinuXino A20 LIME2 Minimal Debian 7 Image

28-01-2015 | Remy van Elst

The Olimex OlinuXino A20 LIME2 is an amazing, powerful and cheap open source ARM development board. It costs EUR 45 and has 160 GPIO pins. The default Debian image from Olimex is quite huge and bloated, over 2.5 GB, with X and all. I do not want a huge image, so I stripped it down to a 200 MB image with only DHCP and SSH and a few basic tools. It uses about 15 MB of RAM. This image allows you to start with almost nothing and build up only what you need.

Read more...

OpenVZ/Proxmox - pre-backup all container dump script

18-01-2015 | Remy van Elst

This simple script creates a vzdump of all the OpenVZ containers on a machine. It can be used before an actual backup; in my case the actual backup excludes the container path /var/lib/vz/private. This is because a dump is easier to back up, since it contains far fewer files.

Read more...

Filtering IMAP mail with imapfilter

17-01-2015 | Remy van Elst

I have several email accounts at different providers. Most of them don't offer filtering capabilities like Sieve, or only their own non-exportable rule system (Google Apps). My mail client of choice, Thunderbird, has filtering capabilities but my phone does not, and I don't want to leave my machine running Thunderbird all the time since it gets quite slow with huge mailboxes. Imapfilter is a mail filtering utility written in Lua which connects to one or more IMAP accounts and filters on the server using IMAP queries. It is a lightweight command line utility, the configuration is simple text that can be versioned, and it is very fast.

Read more...

Broken Corrupted Raspberry Pi SD Card

09-01-2015 | Remy van Elst

One of my Raspberry Pis would not boot up after a reboot. The SD card was corrupted, sadly beyond repair. This article walks you through the steps I took to try to fix the SD card, including fsck, badblocks and other filesystem utilities. It also has tips to reduce writes on the Raspberry Pi, to save SD cards from some amount of wear and thus possible corruption.

Read more...

Shared Git repository over ssh for multiple users

05-01-2015 | Remy van Elst

This tutorial will show you how to set up a shared git repo with multiple accounts over SSH. Only SSH, not gitolite or any other software. This is useful if you have a small team of people that don't often need access to the repo and don't want something like GitHub or Bitbucket. With this you can use existing infrastructure.

Read more...

Get all IP ranges from an AS number

04-01-2015 | Remy van Elst

One of my clients wanted to block a few social networking websites. Since they have no IPv6 (yet) I figured the simplest way was to block access to the entire IP range. This won't work for all the CDN networks they use, but it does get you started. To find all the ranges belonging to an AS number you can query the whois.radb.net server with the AS number.

Read more...

pfSense allow web interface access on WAN from specific IP

31-12-2014 | Remy van Elst

pfSense is a fast and simple FreeBSD based firewall appliance with a nice web management interface and the power of the pf firewall underneath. Normally the web interface is only accessible from the management LAN (or LAN by default) interface. If you for whatever reason locked yourself out or need access from a different IP via the WAN interface, you can use the easyrule command line tool to temporarily add a rule that allows your remote IP in. This simple snippet shows you how.

Read more...

IPSEC VPN on Centos 7 with StrongSwan

30-12-2014 | Remy van Elst

This is a guide on setting up an IPsec VPN server with CentOS 7 using StrongSwan as the IPsec server and for authentication. It has a detailed explanation of every step. We choose the IPsec protocol stack because of recent vulnerabilities found in pptpd VPNs and because it is supported on all recent operating systems by default. More than ever, your freedom and privacy when online is under threat. Governments and ISPs want to control what you can and can't see while keeping a record of everything you do, and even the shady-looking guy lurking around your coffee shop or the airport gate can grab your bank details more easily than you may think. A self hosted VPN lets you surf the web the way it was intended: anonymously and without oversight.

Read more...

HTTP Public Key Pinning Extension HPKP for Apache, NGINX and Lighttpd

30-12-2014 | Remy van Elst

Public Key Pinning means that a certificate chain must include a whitelisted public key. It ensures only whitelisted Certificate Authorities (CA) can sign certificates for `*.example.com`, and not any CA in your browser store. This article has background theory and configuration examples for Apache, Lighttpd and NGINX.

Read more...

Strong SSL Security on lighttpd

29-12-2014 | Remy van Elst

This tutorial shows you how to set up strong SSL security on the lighttpd webserver. We do this by disabling SSL Compression to mitigate the CRIME attack, disabling SSLv3 and below because of vulnerabilities in the protocol, and setting up a strong ciphersuite that enables Forward Secrecy when possible. We also set up HSTS and HPKP. This way we have a strong and future-proof SSL configuration and we get an A on the Qualys Labs SSL Test.

Read more...

HTTP Strict Transport Security for Apache, NGINX and Lighttpd

29-12-2014 | Remy van Elst

HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of HTTP. This tutorial will show you how to set up HSTS in Apache2, NGINX and Lighttpd.

Read more...

Strong SSL Security on nginx

29-12-2014 | Remy van Elst

This tutorial shows you how to set up strong SSL security on the nginx webserver. We do this by disabling SSL Compression to mitigate the CRIME attack, disabling SSLv3 and below because of vulnerabilities in the protocol, and setting up a strong ciphersuite that enables Forward Secrecy when possible. We also enable HSTS and HPKP. This way we have a strong and future-proof SSL configuration and we get an A on the Qualys Labs SSL Test.

Read more...

Arch Linux AUR PKGBUILD generate new checksums

29-12-2014 | Remy van Elst

The AUR is a nice feature of Arch Linux: it allows anyone to create and upload a simple package build script, a PKGBUILD, for a piece of software which is not in the repositories. Sometimes, however, the PKGBUILD is outdated. You then need to fix it manually, by changing the download link or version. With a new version you get new checksums, and the makepkg command has a neat feature which generates the checksums for you.

Read more...

Strong SSL Security on Apache2

29-12-2014 | Remy van Elst

This tutorial shows you how to set up strong SSL security on the Apache2 webserver. We do this by disabling SSL Compression to mitigate the CRIME attack, disabling SSLv3 and below because of vulnerabilities in the protocol, and setting up a ciphersuite that enables Forward Secrecy when possible. We also set up HSTS and HPKP. This way we have a strong and future-proof SSL configuration and we get an A on the Qualys Labs SSL Test.

Read more...

Ansible - Only if a file exists or does not exist

27-12-2014 | Remy van Elst

This Ansible playbook example helps you execute actions only if a file exists or does not exist. If you for example have a command you need to run to generate a certificate (or Diffie-Hellman parameters for nginx), you only want to do that once. The command itself is not convergent, so it would run on every Ansible run. However, the command creates a file, and Ansible is able to check whether that file exists. If the file exists, it will not execute the action. The same goes for checking whether a file does exist and only executing the action if it does (the action you want to perform will then remove that file).

Read more...

Fix inconsistent OpenStack volumes and instances from Cinder and Nova via the database

22-12-2014 | Remy van Elst

When running OpenStack, sometimes the state of a volume or an instance can be inconsistent on the cluster. Nova might find a volume attached while Cinder says the volume is detached, or vice versa. Sometimes a volume deletion hangs, or a detach does not work. If you've found and fixed the underlying issue (LVM, iSCSI, Ceph, NFS, etc.) you need to bring the database up to date with the new consistent state. Most of the time a reset-state works; sometimes you need to manually edit the database to correct the state. These snippets show you how.

Read more...

All Items