1. Design an online ransomware-safe backup with restic

    The only way to be safe from ransomware, short of keeping an offline backup, is an immutable online backup: one the source machine can add to but never change.

    restic is a deduplicating backup program designed for ease of use and security. rclone is a versatile program for syncing data between a huge variety of protocols and cloud providers. What is especially nifty is that restic can use rclone as a backend, which extends restic's possible destinations to most cloud providers.


    Setting up an automated backup from one machine is no problem. The repository is initialised with

    restic -p password_file -r sftp://user@destination/srv/backups init

    Backups are then taken with

    restic -p password_file -r sftp://user@destination/srv/backups backup /srv/backmeup

    If a malicious actor has access to the source machine, they have the same access to the backup on the destination as the backup job has: the password file gives them the contents, and the SFTP account can overwrite or delete existing files. To deny them write access to already existing backups, existing data on the destination must never be changed. This is done by making the destination immutable: once data is written, it cannot be altered or removed later.

    This can be solved in a couple of ways:

    1. Use an immutable backend, for example immutable object storage in the cloud.
    2. Make any destination immutable by relaying all traffic through a secured rclone proxy with --append-only forced.

    Design: relay traffic through a proxy

         source               intermediate                destination
    +---------------+       +--------------+  chosen     +-----------+
    |               |  SSH  | rclone       |  transport  | favorite  |
    | /srv/backmeup | ----> | append only  | ----------> | cloud     |
    |               |       | relay        |             | storage   |
    +---------------+       +--------------+             +-----------+


    On the source

    1. Create an SSH key …
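    The relay described above, as an added example that is not from the original post: the forced-command line for the intermediate's authorized_keys, the matching restic invocation on the source, and a check that deletion really is refused. The host name `relay`, the user `backup`, the key and password paths and the rclone remote `cloud:backups` are placeholders; that the path after `rclone:` is ignored follows from the forced command replacing whatever the client asks SSH to run.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: the pieces of the
# "relay traffic through an append-only rclone proxy" design.
# Host names, user names, paths and the remote "cloud:backups" are placeholders.
set -euo pipefail

# --- intermediate ---------------------------------------------------------
# Weak setting: the source's key as a plain authorized_keys line
#   ssh-ed25519 AAAA... backup@source
# gives whoever holds that key a shell on the relay, the cloud credentials
# stored there, and the power to delete every snapshot.
#
# Hardened setting: pin the key to one command. rclone serves the restic REST
# protocol over the SSH session (--stdio) and refuses deletes and overwrites
# (--append-only). The repository root is fixed here, so nothing the source
# sends can change it. "cloud:backups" is the remote set up on the relay
# with `rclone config`.
authorized_keys_append_only() {
  local pubkey=$1 repo=${2:-cloud:backups}
  printf 'command="rclone serve restic --stdio --append-only %s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
    "$repo" "$pubkey"
}

# --- source ---------------------------------------------------------------
# restic normally starts rclone itself; here it starts ssh instead and talks
# to whatever the relay's forced command runs. The argument after "rclone:"
# is handed to that program, and the forced command ignores it, hence the
# placeholder.
restic_via_relay() {
  restic -p /etc/restic/password_file \
         -o rclone.program="ssh -i /etc/restic/relay_key backup@relay" \
         -r rclone:ignored "$@"
}

# Check that the relay really is append-only: removing a snapshot from the
# source must fail. Returns 0 when the delete is rejected, 1 when it goes
# through (the relay is NOT protecting you).
verify_append_only() {
  local id
  id=$(restic_via_relay snapshots --json --latest 1 \
       | grep -o '"short_id":"[0-9a-f]*"' | head -1 | cut -d'"' -f4 || true)
  [[ -n $id ]] || { echo "no snapshot to test with" >&2; return 1; }
  if restic_via_relay forget "$id" >/dev/null 2>&1; then
    echo "relay accepted a delete of snapshot $id: NOT append-only" >&2
    return 1
  fi
  echo "delete of snapshot $id refused: relay is append-only"
}

# ./relay-demo.sh demo  -> initialise, take one backup, then run the check
if [[ "${1:-}" == "demo" ]]; then
  restic_via_relay init
  restic_via_relay backup /srv/backmeup
  verify_append_only
fi
```

    Two things the relay does not remove: the source still holds the repository password, so an intruder there can read every snapshot and can fill the storage with junk; and since nothing coming from the source may delete anything, pruning old snapshots has to be run from a trusted machine that reaches the repository by a separate path without --append-only.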


  2. SSH with YubiKey NEO on Fedora made easy

    Your private SSH key is the key to the kingdom. That means always having a passphrase on it. With a YubiKey you can also keep the private key off your machine altogether.

    Excerpt from Wikipedia: The YubiKey allows users to sign, encrypt and decrypt messages without exposing the private keys to the outside world.

    This is a short how-to to get started using a YubiKey to SSH into your servers.

    YubiKey as private SSH key

    Prerequisites

    1. Install the YubiKey management software.

      sudo dnf install yubikey-manager
    2. Insert YubiKey

    3. Check that OpenPGP is enabled on your YubiKey.

      ykman info

      Expected output should include the following.

          OPGP:      Enabled

      If you get an error, restart your computer and go to 2. Yes, I know this is Linux, but we're just doing it the easy way. It should work the second time around.

    4. Set the preferred number of retries when entering PINs on the YubiKey. The default is 3 for the user PIN, 3 for the reset code (unlocks the user PIN) and 3 for the admin PIN. The arguments are given in that order; in the example the admin retries are increased to 5.

      ykman openpgp set-pin-retries 3 3 5

    Generate OpenPGP key on YubiKey

    Use gpg2 for the rest.

    1. Generate the PGP key on the card.

      gpg2 --edit-card
      gpg/card> admin
      gpg/card> generate
    2. Follow the instructions.

    3. Optionally set login, lang and sex.

    4. Enter the password menu.

      gpg/card> passwd
    5. Change the user PIN, menu 1.

    6. Change the admin PIN, menu 3. The easiest is to stick to digits to avoid accidentally locking your YubiKey. If that happens you need to reset it with …
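    The SSH side, which the excerpt above stops short of, as an added example that is not the post's own code: it checks step 3 from a script, turns gpg-agent into the SSH agent so the authentication key on the card is offered to ssh, and exports the public key for authorized_keys. The sample `ykman info` line the check is written against, the paths under ~/.gnupg and the `setup` argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the SSH side of the set-up once
# the OpenPGP key exists on the YubiKey. Paths and the "setup" argument are
# assumptions.
set -euo pipefail

# Step 3 as a script check: read `ykman info` output on stdin and succeed
# only if the OpenPGP application is reported as enabled.
opgp_enabled() {
  grep -Eq '^[[:space:]]*OPGP:[[:space:]]+Enabled[[:space:]]*$'
}

# Let gpg-agent act as the SSH agent. The authentication subkey generated on
# the card is then offered to ssh; the private key never leaves the YubiKey,
# ssh only ever talks to the agent socket.
enable_gpg_agent_ssh() {
  local conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
  mkdir -p "$(dirname "$conf")" && chmod 700 "$(dirname "$conf")"
  grep -qsx 'enable-ssh-support' "$conf" || echo 'enable-ssh-support' >> "$conf"
  gpgconf --kill gpg-agent            # restart so the new option is read
  SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
  export SSH_AUTH_SOCK                # put this line in your shell profile too
}

# Print the public key in authorized_keys format, derived from the card's
# authentication subkey. $1 is the key ID shown by `gpg2 --card-status`.
ssh_public_key() {
  gpg2 --export-ssh-key "$1"
}

# ./yubikey-ssh.sh setup  -> check the card, wire up the agent, list the key
if [[ "${1:-}" == "setup" ]]; then
  ykman info | opgp_enabled || { echo "OpenPGP application not enabled" >&2; exit 1; }
  enable_gpg_agent_ssh
  ssh-add -L                          # the card's key should now be listed
fi
```

    Copy the output of ssh_public_key to the server's authorized_keys; from then on ssh asks for the user PIN set in step 5 instead of a passphrase, and the key cannot be copied off the machine.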


  3. Distributed syncing with Syncthing

    I've tried to ditch Dropbox for a long time, but the need for synchronizing folders between my computers has held me back. Syncthing solves this for me. It's decentralized synchronization between all my devices, including my phone, without the need to go through a 3rd party server.

    Excerpt from Syncthings homepage: Syncthing replaces proprietary sync and cloud services with something open, trustworthy and decentralized. Your data is your data alone and you deserve to choose where it is stored, if it is shared with some third party and how it's transmitted over the Internet.


  4. zram: Compressed RAM based block devices

    From zram documentation: The zram module creates RAM based block devices named /dev/zram<id> (<id> = 0, 1, ...). Pages written to these disks are compressed and stored in memory itself. These disks allow very fast I/O and compression provides good amounts of memory savings. Some of the usecases include /tmp storage, use as swap disks, various caches under /var and maybe many more :)

    Example of compressed swap in memory

    Put these commands in /etc/rc.local to create a 2G compressed swap device in memory. Order matters: the compression algorithm and the number of streams can only be set before disksize; once the device is sized the kernel refuses to change them.

    # Load the module and create one zram device, /dev/zram0
    modprobe zram num_devices=1
    # Compression algorithm to use (set before disksize)
    echo lzo > /sys/devices/virtual/block/zram0/comp_algorithm
    # Maximum number of compression streams, keep the same as the number of CPUs (set before disksize)
    echo 4 > /sys/devices/virtual/block/zram0/max_comp_streams
    # Size of the zram0 device in k/m/g
    echo 2g > /sys/devices/virtual/block/zram0/disksize
    # Create the swap area
    mkswap /dev/zram0
    # Enable the swap device with a high priority so it is used before any disk swap
    swapon -p 10 /dev/zram0


  5. Record a PulseAudio sound stream

    Ever wondered how to record the audio from one application? Say the browser, or a streaming application that has no option to save audio to a file.

    The PulseAudio sound server in your desktop makes this quite easy.

    I've created a small script that captures the currently playing sound stream and redirects it to a FLAC audio file. After the capture is started you can start playing sound from other programs; it won't interfere with the current capture.

    Capture audio

    Prerequisites

    You have to install a couple of programs, if you don't already have them, to make the bash script work.

    apt-get install pulseaudio-utils flac coreutils

    The script

    This is my record-app.sh script.

    #!/usr/bin/env bash
    # Record whatever is playing right now into a FLAC file.
    BN=$(basename "$0")
    if [[ -z "$1" ]]; then
      echo "usage: $BN filename"
      exit 1
    fi
    # Index of the first sink input, i.e. the stream currently playing
    SI=$(pacmd list-sink-inputs | grep -m 1 index | grep -Eo "[[:digit:]]+")
    if [[ -z "$SI" ]]; then
      echo "error: no sink inputs found"
      exit 2
    fi
    echo "$BN recording:"
    echo "· Found sink input «$SI»"
    echo "· Loading module-null-sink"
    MI=$(pactl load-module module-null-sink sink_name=rec)
    # Remove the null sink again on exit; its streams fall back to the default sink
    trap "echo '· Unloading null sink «rec»'; pactl unload-module $MI" EXIT
    echo "· Moving sink input «$SI» to null sink «rec»"
    pactl move-sink-input "$SI" rec
    echo "· Saving sound data to «$1.flac»"
    # Read the null sink's monitor as raw 16-bit little-endian stereo PCM and encode it
    parec --format=s16le --rate=44100 --channels=2 -d rec.monitor \
      | flac --force-raw-format --endian=little --sign=signed --channels=2 --bps=16 \
             --sample-rate=44100 -o "$1.flac" - 2>/dev/null


    usage: record-app.sh filename

    Example 1

    ./record-app.sh firefox-sound

    Will start to record the current playing audio in Firefox. The audio is saved int …


  6. Vagrant with OpenStack

    If you want to use Vagrant with OpenStack, you need to prepare Vagrant by installing the vagrant-openstack-plugin. I had some problems installing it directly through vagrant plugin install, so I had to clone it from GitHub and install it manually.

    One time configuration

    Install OpenStack plugin in Vagrant

    cd /tmp
    git clone https://github.com/cloudbau/vagrant-openstack-plugin
    cd vagrant-openstack-plugin
    gem build vagrant-openstack-plugin.gemspec
    vagrant plugin install vagrant-openstack-plugin-*.gem

    Add a dummy box to Vagrant that's needed by the plugin.

    vagrant box add dummy https://github.com/cloudbau/vagrant-openstack-plugin/raw/master/dummy.box

    Download OpenStack RC file

    • Log into OpenStack
    • Go to Project -> Compute -> Access & Security -> API Access
    • Download the RC file by hitting Download OpenStack RC File
    • Put $USER-openrc.sh in your ~/ or somewhere you prefer

    Configure a Vagrant VM


    This is a generic Vagrantfile which starts an m1.tiny flavor instance of Ubuntu Utopic. It reads OS_USERNAME, OS_PASSWORD and OS_AUTH_URL from the environment, so source the RC file first. It also requires that you have already added your SSH public key to OpenStack under the name $USER_ssh_key.

    require 'vagrant-openstack-plugin'
    Vagrant.configure("2") do |config|
      config.vm.box = "dummy"
      config.vm.synced_folder ".", "/vagrant", type: "rsync", rsync__exclude: ".git/"
      # Make sure the private key from the key pair is provided
      config.ssh.private_key_path = "~/.ssh/id_rsa"
      config.vm.provider :openstack do |os|
        os.username     = "#{ENV['OS_USERNAME']}"
        os.api_key      = "#{ENV['OS_PASSWORD']}"
        os.flavor       = /m1.tiny/
        os.image        = "Ubuntu CI utopic 2014-09-18"
        os.endpoint     = "#{ENV['OS_AUTH_URL']}/tokens"
        os.keypair_name = "#{ENV['OS_USERNAME']}_ssh_key"
        os.ssh_username = "ubuntu"
        # The tenant have two networks, so …


  7. fio - flexible I/O tester

    From man page: fio is a tool that will spawn a number of threads or processes doing a particular type of I/O action as specified by the user. The typical use of fio is to write a job file matching the I/O load one wants to simulate.

    This example only shows how to use fio to make reproducible tests on a file system. For me it's been useful to catch changes in I/O throughput before and after a system has gone into production. By running the same tests on all systems the numbers are comparable.

    All parameter numbers are examples, define your own test according to what you want to measure.

    Installing fio

    apt-get install fio

    Running fio

    • Change bsrange to the block size range you want to test.
    • numjobs is the number of simultaneous read/write threads.
    • size is the working file size per job, so numjobs=8 with size=10G needs 80G of space.
    • If you want to test a read heavy load, use rwmixread with the percentage of reads versus writes.

    for i in read write readwrite randread randwrite randrw; do
      fio --name=fio --write_bw_log=$i --write_iops_log=$i --write_lat_log=$i \
          --ioengine=sync --size=10G --runtime=60 --rw=$i --norandommap \
          --refill_buffers --randrepeat=0 --iodepth=1 --direct=1 --numjobs=8 \
          --group_reporting --bsrange=4k-4k
    done

    Generating I/O plots

    fio2gnuplot -i -g

    For me the most interesting plot is compare-result-2Dsmooth.png.

    Generating bandwidth plots

    Testing bandwidth is better done with a larger block size. I usually set a block size between 64k and 1m.

    for i in …


  8. Power saving on laptop

    Notes for power saving on my i5 laptop.


    #  SATA power save
    echo medium_power | tee /sys/class/scsi_host/host*/link_power_management_policy > /dev/null
    # Set minimum performance to 30% of CPU MHz 
    echo 30 > /sys/devices/system/cpu/intel_pstate/min_perf_pct
    # Set CPU governor to power save since we run on a laptop
    # Valid values: powersave performance
    echo powersave | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor > /dev/null
    # Increase for CrashPlan so unlocking gnome-shell lock screen works
    echo 1048576 > /proc/sys/fs/inotify/max_user_watches


    # Make my back light buttons work correctly
    # Full power save for GPU
    GRUB_CMDLINE_LINUX="video.use_native_backlight=1 i915.enable_rc6=7 i915.enable_fbc=1 i915.lvds_downclock=1"


  9. View Google Earth in the browser

    Google now supports Google Earth in Google Maps. As far as I know it works in Chrome and Chromium. If Google Earth isn't available where the satellite view option is, your graphics card is on the browser's blacklist.

    To force-enable WebGL in the browser, start it with the following options. Note that --ignore-gpu-blacklist switches off the browser's list of GPU drivers known to crash or misrender, so use it for this purpose only, not in your everyday profile.

    chromium-browser --enable-webgl --ignore-gpu-blacklist

    Now you can use Google Earth in maps.google.com.


  10. Vagrant, development environments made easy

    Prototyping and testing configurations and system installations is time consuming on traditional hardware. That is why I started using Vagrant for nearly all development, prototyping and testing. It's free and really easy to use. If you install VirtualBox first (sudo apt-get install virtualbox), you'll be up and running in no time.

    Vagrant markets itself to developers, but sysadmins have much to gain from such tools as well. Automation and reproducibility are key concepts in modern system administration. We need to think more and more like developers, just as developers need to think more and more like sysadmins.

    Excerpt: Create and configure lightweight, reproducible, and portable development environments.

