About

I'm a Linux/Unix sysadmin with experience in High Availability, scaling and clustering, security, (Open)SSL and general linux system administration. I've worked as a sysadmin (devops) for Certificate Authorities, Hospitals, Managed Service providers, Datacenters Development shops and large Internet Service providers. I currently work for an Openstack provider. I like to design, build and manage large, complex and high available systems. I like to work with configuration management tools and version control systems. Documentation, monitoring and backups are things I do first, not when the time allows it later.
This is my personal website, please do note that these articles do not reflect opinions or policies of any of my (previous) employers, only my personal one.


Latest Items

Openstack Soft Delete - recover deleted instances

18-03-2017 | Remy van Elst

This article contains both an end user and OpenStack administrator guide to set up and use soft_delete with OpenStack Nova. If an instance is deleted with nova delete, it's gone right away. If soft_delete is enabled, it will be queued for deletion for a set amount of time, allowing end-users and administrators to restore the instance with the nova restore command. This can save your ass (or an end-users bottom) if the wrong instance is removed. Setup is simple, just one variable in nova.conf. There are some caveats we'll also discuss here.

Read more...

Running WPS-8 (Word Processing System) on the DEC(mate) PDP-8i and SIMH

09-03-2017 | Remy van Elst

This article covers running WPS-8 on a modern day emulator. WPS-8 is a word processor by DEC for the PDP-8. The PDP-8 was a very populair 12-bit minicomputer from 1965. WPS-8 was released around 1970, it came bundled with DEC's VT78 terminal. This terminal bundle was also known as the DECmate. This article covers the setup of the emulator, simh with the correct disk images and terminal settings. It covers basic usage and the features of WPS-8 and it has a section on key remapping. The early keyboards used with WPS-8 have small but incompatible differences with recent keyboards, but nothing that xterm remapping can't fix.

Read more...

Traceroute IPv6 to Smokeping Target config

05-03-2017 | Remy van Elst

This little one-liner converts the output of traceroute for IPv6 to Smokeping Target output. I had only setup my smokepings for IPv4. Recently we had an issue were network config was borked and the whole IPv4 network was not announced via BGP anymore. I was at home troubleshooting, but finding nothing since I have native IPv6 and that part still worked. My Smokeping did show loss, and that explicitly uses IPv4. That helped with the debugging a lot. I have a [IPv4][4] version of this article as well.

Read more...

Ansible: access group vars for groups the current host is not a member of

27-01-2017 | Remy van Elst

This guide shows you how to access group variables for a group the current host is not a member of. In Ansible you can access other host variables using `hostvars['hostname']` but not group variables. The way described here is workable, but do I consider it a dirty hack. So why did I need this? I have a setup where ssl is offloaded by haproxy servers, but the virtual hosts and ssl configuration are defined in Apache servers. The loadbalancers and appservers are two different hostgroups, the ssl settings are in the appserver group_vars, which the hosts in the loadbalancer group need to access. The best way to do this is change the haproxy playbooks and configuration and define the certificates there, but in this specific case that wasn't a workable solution. Editing two yaml files (one for the appservers and one for the loadbalancers) was not an option in this situation.

Read more...

haproxy: restrict specific URLs to specific IP addresses

09-01-2017 | Remy van Elst

This snippet shows you how to use haproxy to restrict certain URLs to certain IP addresses. For example, to make sure your admin interface can only be accessed from your company IP address.

Read more...

OpenStack: Quick and automatic instance snapshot backup and restore (and before an apt upgrade) with nova backup

20-12-2016 | Remy van Elst

This is a guide that shows you how to create OpenStack instance snapshots automatically, quick and easy. This allows you to create a full backup of the entire instance. This guide has a script that makes creating snapshots from an OpenStack VM automatic via cron. The script uses the `nova backup` function, therefore it also has retention and rotation of the backups. It also features an option to create a snapshot before every apt action, upgrade/install/remove. This way, you can easily restore from the snapshot when something goes wrong after an upgrade. Snapshots are very usefull to restore the entire instance to an earlier state. Do note that this is not the same as a file based backup, you can't select a few files to restore, it's all or nothing.

Read more...

Create a PDP-8 OS8 RK05 system disk from RX01 floppies with SIMH (and get text files in and out of the PDP-8)

07-12-2016 | Remy van Elst

This guide shows you how to build an RK05 bootable system disk with OS/8 on it for the PDP-8, in the SIMH emulator. We will use two RX01 floppies as the build source, copy over all the files and set up the LPT printer and the PTR/PIP paper tape punch/readers. As an added bonus the article also shows you how to get text files in and out of the PDP-8 sytem using the printer and papertape reader / puncher.

Read more...

Overflow the Investigatory Powers Bill!

24-11-2016 | Remy van Elst

I read an article on The Register regarding the Investigatory Powers Bill. The part were ISP's are forced to save their customers browsing history for a year is the most horryfing part, just as that whole bill. Let's hope the political process and organizations like the Open Rights Group and the EFF have enough lobbying power to change people's minds. If that fails, then we can all try to overflow the logging. Just as some people put keywords in their mail signatures to trigger automatic filters and generate noise, we should all generate as much data and noise as possible. This way the information they do gather will not be usefull, it will take too much time, storage and effort to process it and thus the project will fail. 2 years ago I wrote a small Python script which browser the web for you, all the time. Running that on one or two Raspberry Pi's or other small low power computers 24/7 will generate a lot of noise in the logging and filtering.

Read more...

Build a FreeBSD 11.0-release Openstack Image with bsd-cloudinit

14-11-2016 | Remy van Elst

We are going to prepare a FreeBSD image for Openstack deployment. We do this by creating a FreeBSD 11.0-RELEASE instance, installing it and converting it using bsd-cloudinit. We'll use the CloudVPS public Openstack cloud for this. We'll be using the Openstack command line tools, like nova, cinder and glance. A FreeBSD image with Cloud Init will automatically resize the disk to the size of the flavor and it will add your SSH key right at boot. You can use Cloud Config to execute a script at first boott, for example, to bootstrap your system into Puppet or Ansible. If you use Ansible to manage OpenStack instances you can integrate it without manually logging in or doing anything manually.

Read more...

Nitrokey gnuk firmware update via DFU

11-10-2016 | Remy van Elst

The Nitrokey (start, all of them) can be upgraded to a newer GNUK firmware. However, this can only be done via ST Link or DFU, if you use the Gnuk USB firmware upgrade you will brick the device. This guide shows you how to attach a DFU adapter and how to flash firmware to a Nitrokey, both for upgrading or unbricking an USB upgraded one.

Read more...

MySQL restore after a crash and disk issues

10-10-2016 | Remy van Elst

Recently I had to restore a MySQL server. The hardware had issues with the storage and required some FSCK's, disk replacements and a lot of RAID and LVM love to get working again. Which was the easy part. MySQL was a bit harder to fix. This post describes the proces I used to get MySQL working again with a recent backup. In this case it was a replicated setup so the client had no actual downtime.

Read more...

Firefox History stats with Bash

25-09-2016 | Remy van Elst

This is a small script to gather some statistics from your Firefox history. First we use sqlite3 to parse the Firefox history database and get the last three months, then we remove all the IP addresses and port numbers and finally we sort and count it.

Read more...

Create /etc/shadow crypted password entries

23-09-2016 | Remy van Elst

These small snippets create password strings you can put in /etc/shadow when you need to reset a password on a system.

Read more...

Mouse movement via the keyboard with xdotool and xbindkeys

13-09-2016 | Remy van Elst

I had a request from a friend to figure out how she could use her mouse via the keyboard. Normally you would use Mouse Keys, but she uses a kinesis freestyle2 keyboard which has no numpad. By using xbindkeys together with xdotool we can use our own key combination to move the mouse keys, in any window manager.

Read more...

IPSEC VPN on Ubuntu 16.04 with StrongSwan

12-09-2016 | Remy van Elst

This is a guide on setting up an IPSEC VPN server on Ubuntu 16.04 using StrongSwan as the IPsec server and for authentication. It has a detailed explanation with every step. We choose the IPSEC protocol stack because of vulnerabilities found in pptpd VPNs and because it is supported on all recent operating systems by default. More than ever, your freedom and privacy when online is under threat. Governments and ISPs want to control what you can and can't see while keeping a record of everything you do, and even the shady-looking guy lurking around your coffee shop or the airport gate can grab your bank details easier than you may think. A self hosted VPN lets you surf the web the way it was intended: anonymously and without oversight.

Read more...

Nagios 4 + Nagiosgraph (latest) installation on Ubuntu

11-09-2016 | Remy van Elst

This is a guide on installing the latest Nagios Core (4.2.1) on Ubuntu 12.04 and 14.04. Nagios is an open source computer system monitoring, network monitoring and infrastructure monitoring software application. Nagios offers monitoring and alerting services for servers, switches, applications, and services. It alerts the users when things go wrong and alerts them a second time when the problem has been resolved. The version in the Ubuntu 12.04 repositories is quite old, it is still the in the 3 branch. This guide helps to fix that by using the latest Nagios version. We also install Nagiosgraph, a plugin for Nagios which gives you graps of the metrics.

Read more...

Ansible - Create OpenStack servers with Ansible 2.0 and the os_server module and a dynamic inventory

10-09-2016 | Remy van Elst

I regularly deploy clusters and single servers on OpenStack with Ansible. However, Ansible 2.0 comes with new OpenStack modules my playbooks still used the old ones. I reserved some time to convert these playbooks to the new modules and ansible 2. This article shows a very simple example, it creates three servers in OpenStack and adds them to different hostgroups based on variables. For example, to create one loadbalancer and two appservers and run specific playbooks on those hosts based on their role.

Read more...

FST-01 gnuk firmware update via USB

09-09-2016 | Remy van Elst

The FST-01 (Flying Stone 1) is a small STM32F103TB based USB device designed to run gnuk and NeuG (gpg usb token or true random number generator). This guide shows you how to upgrade the firmware on the FST-01 so that you can enjoy newer gnuk features like 4096 bit RSA keys.

Read more...

Ansible - create playbooks and role file and folder structure

08-09-2016 | Remy van Elst

Because I always forget which folders and files go into a playbook folder.

Read more...

Reset iptables to ACCEPT all (backup and remove all existing rules)

03-09-2016 | Remy van Elst

Here's a small bash script that removes all iptables rules and sets up a default ACCEPT ALL state. Before the reset, it creates a backup of the current rules. I use this often to troubleshoot servers with networking issues. If you just blindly do an `iptables -F` you might lock yourself out of a server since the INPUT policy might be DROP.

Read more...

Nitrokey Start: Getting started guide (gnuk openpgp token)

14-08-2016 | Remy van Elst

The Nitrokey Start is an OpenPGP USB token. It supports three 2048 bit GPG keys and is based on gnuk. Gnuk is an implementation of USB cryptographic token for GPG. Cryptographic token is a store of private keys and it computes cryptographic functions on the device. The main difference with other GPG cards like the Nitrokey Pro or the OpenPGP card is that this device does not use a smartcard. Whereas the other devices are basically USB smartcard readers, the Nitrokey Start has everything in it's firmware. This article is a getting started guide where I talk about the initial setup of the device, setting up a user PIN, an admin PIN and a reset code, generating the key and subkeys on the device, or loading external keys into the device and usage examples with GPG, OpenSSH and Thunderbird.

Read more...

All Items