If you are running Windows and Linux in dual boot, you will soon find out that the clocks do not match. Most probably the reason is that Windows by default expects the computer time to be set to local time, while Linux assumes it to be UTC.
I consider the approach of Linux the better one: The BIOS/UEFI system time is set to a globally harmonised standard, UTC. The operating system then translates this to the local time. This means you can install as many operating systems in parallel as you like without them interfering with the system time. Just imagine you have, for example, Windows, FreeBSD and two Linux distributions on your computer and every one of them wants to account for daylight saving time ... When the system clock is set to UTC, this problem will never arise.
... from the black magic voodoo ssh box of the tech priests ...
[Scroll down for the TL;DR section]
I'm writing this post as an ode to ProxyJump of ssh, one of the little helpers that make your day awesome. If you are working on multiple computers in different companies/networks, at some point you encounter the scenario where you want to access a computer that is only reachable via another computer. Let's say you need to access your office computer named datenhalde from home, but datenhalde is only reachable via the company network. Luckily your company provides a public ssh gateway (named gateway), to which you can connect from your home computer (named zuhause). On a Friday you decide that it's a day where you want to work from home without interruptions. Perhaps you just brewed a nice cup of coffee and start your work
Last login: Tue Aug 27 17:42:20 2019 from 22.214.171.124
Last login: Mon Aug 26 09:31:52 2019 from 192.168.22.72
At some point, you might find it unnecessarily boring to always type in ssh gateway and then ssh datenhalde, and you wonder if there is not a more convenient way to directly access datenhalde from zuhause via gateway, but without the fuss of redundant ssh typing.
This is where ProxyJump comes into play. Use -J
Last login: Mon Aug 26 09:31:52 2019 from 192.168.22.72
Here ssh connects first to gateway and then to datenhalde. Awesome!
ssh config for even more convenience
Even better, you can put the ProxyJump into your ssh config, so every time you access a host, it first jumps to the given gateway host and then to the destination. Does that sound too complicated? Just look at the following example
Now, if you connect to datenhalde via ssh, it automatically and transparently first jumps to gateway and then to datenhalde. This configuration then applies to all protocols that are built atop ssh, like scp, rsync or libvirt.
Last login: Mon Aug 26 09:31:52 2019 from 192.168.22.72
Want to connect to your working computer datenhalde via a ssh gateway in one single command?
Want to configure your ssh-configuration to always jump to gateway before connecting to datenhalde?
Then your ssh connections will transparently always jump over gateway
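The two TL;DR answers written out, as an added example that is not part of the original post. The host names are the ones used above; the HostName and User values are placeholders, and ProxyJump needs OpenSSH 7.3 or newer.

```sshconfig
# One-off, typed on zuhause (same effect as the config below):
#   ssh -J gateway datenhalde

# ~/.ssh/config on zuhause
Host gateway
    # Placeholder values: public name of the gateway and your account on it
    HostName gateway.example.com
    User alice

Host datenhalde
    # This name is resolved and connected to from gateway,
    # so an internal name or address works here
    HostName datenhalde
    User alice
    ProxyJump gateway
```

The session to datenhalde is established end to end from zuhause through a channel forwarded by gateway, so your keys stay on zuhause and the host key of datenhalde is checked against the known_hosts file there.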
ProxyJump for the glory!
ProxyJump is a tool for the tech priests, and it's imperative that every adept of the Adeptus Mechanicus shall be able to handle it. ... in the (unlikely?) case in Warhammer 40k they also use ssh ...
After my last post about the Lightning Node using a MOD-1016 (Embedded Adventures), some tests have been run and some time has passed. In particular I noticed that the disturber and noise rate is high. High as in, it disturbs the normal workflow. I was occasionally able to measure some lightning strikes, but with far less than the expected and anticipated precision and number. So back to the design, and start to think about pitfalls and design flaws.
My working hypothesis is that because the small antenna of the MOD-1016 is pointing towards the Arduino Nano, it picks up a lot of noise from the microcontroller itself. So I decided to de-solder the current header and resolder it on the other side, so the antenna points to the outside. This is what the final product looks like
Preliminary tests look pretty good, as I do not detect any noise and disturbers anymore, while still being able to communicate with the MOD-1016.
Now, back into the field with the box. Let's hope for some nice thunderstorms this week 🙂
There are two kinds of users: The ones who encrypt their stuff and the ones who have never lost anything or had anything stolen. Imagine your laptop being stolen on the train. Not only have you probably lost all of your data (Backups!), but there is now also a stranger who has access to potentially very private data - pictures of your last birthday, company records you need to keep secret, or the new piece of code that is awesome and the capital of the startup you just wanted to create. Plenty of reasons for investing a little bit of time in your digital self-defence, and a sane full-disk encryption is a major part of it.
I personally have two different approaches: VeraCrypt or LUKS. VeraCrypt (the successor of TrueCrypt after its developers surprisingly closed the project, leaving lots of speculation about their non-commitment to build in a secret backdoor for a large state agency; that is based on pure speculation and is on the list of conspiracy theories that probably turn out to be at least somehow concise enough to be taken seriously) seems to be sane enough to be used. In this article I'm gonna cover LUKS, as I consider this the canonical way for every mature Linux environment.
Assuming the HDD is /dev/sdb and you want to call it Cryptodisk
Reformat the external HDD. Create a single partition with any filesystem (we will overwrite this in the next step)
Make sure all filesystems for that disk are unmounted.
cryptsetup -y -v luksFormat /dev/sdb1
Write the passphrase on a sheet of paper and store it in a safe place.
REALLY do it. You probably will forget the passphrase and then you can cry your data goodbye.
Open the cryptdevice: cryptsetup luksOpen /dev/sdb1 Cryptodisk
cryptsetup luksClose Cryptodisk
Unplug the disk and plug it back in. In caja/nemo it should appear as an encrypted device. If you click on it, it asks for the passphrase and it will be mounted. Alternatively, use cryptsetup:
cryptsetup luksOpen /dev/sdb1 Cryptodisk
mount /dev/mapper/Cryptodisk /mnt/Cryptodisk
Note: It's possible to compartmentalize multiple partitions by putting an LVM volume atop cryptsetup. This is more advanced but pretty much straightforward.
Step by Step guide
I plug in my HDD and assume it's gonna be recognised as /dev/sdb.
First, we need to make sure that it's unmounted
Next, format the HDD. I normally use parted, but gparted seems to be the nicer way, as it's graphical and pretty easy. So, start gparted on the disk
# In Wayland this might cause trouble, as sudo and Wayland are not super nice to each other ... That's beyond the scope of what I write down here, sorry :-)
MAKE SURE IT'S THE RIGHT DISK. Do the partitions look like the ones expected? Is there anything fishy? Once you have cleared your partition table or (even worse) written a new filesystem, it's unlikely you can recover your data without any losses. Take a breath and double-check before doing anything.
OK, then create the partition you want to encrypt. Select any filesystem, as we are going to delete the filesystem anyway. It's only important to create the layout correctly. In my case it looks like the following: one partition that takes the full space (a little bit of empty space at the end is needed by GPT for the backup table)
Close gparted and encrypt the partition using cryptsetup
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Congratulations, you created your first encrypted partition! Now we are gonna put a filesystem on that one, so you can actually use it 🙂
So, we are gonna "open" the cryptdevice. This means, we are putting an encryption/decryption layer, atop which we can run our filesystem
# Assuming you want to name it Cryptodisk. The name doesn't matter, it's just for the system to find the device
$ sudo cryptsetup luksOpen /dev/sdb1 Cryptodisk
Cryptsetup asks for the passphrase. After successfully opening the device, it will be listed as /dev/mapper/Cryptodisk
Now we create a filesystem. I chose xfs because it's a nice workhorse that runs everywhere, but you can choose whatever you want.
Great, now you've created the filesystem. Close the disk with cryptsetup
$ sudo cryptsetup luksClose Cryptodisk
Wait until everything on the disk has been written (it stops flashing, depending on your disk) and unplug the disk.
The next time you plug your disk in, it will be recognised by caja/nemo as Encrypted Device, you type in your passphrase and it will be automatically mounted (or with cryptsetup luksOpen and mount, but the purpose was to create a convenient way to work with your external disks).
Congratulations, you just created your first fully encrypted external HDD!
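The steps of this guide as one script, added here as an example and not taken from the original post. The function names disk_mounts and encrypt_disk are made up for this example, and the partition is assumed to be the first one on an sdX-style disk, as in the post.

```shell
#!/bin/sh
# Added example. Nothing runs on load; call encrypt_disk explicitly, as root:
#   encrypt_disk /dev/sdb Cryptodisk

# disk_mounts DISK [MOUNTS_FILE]: print the mount points of DISK and its
# partitions. MOUNTS_FILE defaults to /proc/mounts (parameter for testing).
disk_mounts() {
    awk -v d="$1" '$1 == d || (index($1, d) == 1 &&
        substr($1, length(d) + 1) ~ /^p?[0-9]+$/) { print $2 }' \
        "${2:-/proc/mounts}"
}

# encrypt_disk DISK NAME: LUKS-format the first partition of DISK and put an
# xfs filesystem on it. DESTROYS the data on that partition.
encrypt_disk() {
    disk=$1; name=$2; part="${disk}1"   # assumption: sdX naming, partition 1
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -b "$part" ] || { echo "$part is not a block device" >&2; return 1; }
    busy=$(disk_mounts "$disk")
    if [ -n "$busy" ]; then
        echo "still mounted, unmount first: $busy" >&2; return 1
    fi
    # Show size, model and layout so a wrong disk is caught before luksFormat.
    lsblk -o NAME,SIZE,MODEL,FSTYPE,MOUNTPOINT "$disk"
    printf 'Type %s to destroy its contents and encrypt it: ' "$part"
    read -r answer
    [ "$answer" = "$part" ] || { echo "aborted" >&2; return 1; }

    cryptsetup -y -v luksFormat "$part" || return 1   # asks for YES + passphrase
    cryptsetup luksOpen "$part" "$name" || return 1   # creates /dev/mapper/$name
    mkfs.xfs "/dev/mapper/$name"; rc=$?
    cryptsetup luksClose "$name"
    return "$rc"
}
```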
The headline picture was created btw. by using the amazing dekryptize tool - a really cool ncurses animation to show how decrypting is definitely NOT working 😉
I've just got a brand new Raspberry Pi 4. For now I'm just playing around a bit with it. Until openSUSE Leap is available, I'm using Raspbian Buster, which comes by default with ext4. Since I want to have snapshots, the first thing I want to do is to convert the existing root partition into btrfs. So let's do this.
0. Get Raspbian
First, flash Raspbian to an SD card and boot it. I also recommend running a system update after booting into Raspbian. There are plenty of tutorials on the internet that are probably far better than what I can write.
1. Prepare initramfs
In Raspbian btrfs is included as a module. In order to make the kernel mount a btrfs root filesystem, we need to build the corresponding initramfs. First install the necessary tools
sudo apt install initramfs-tools btrfs-tools
Now we add the btrfs module to /etc/initramfs-tools/modules
Next is to build the initramfs
And tell the bootloader to load the initramfs, by editing /boot/config.txt
# For more options and informations see
# Some settings may impact device functionality. See link above for details
And then reboot the device to check if everything is set up properly. If the boot succeeds, shut down the Raspberry and take the SD card to another computer. If you run into trouble at this stage, probably a filename is wrong and you should still be able to recover. Otherwise: Just start from scratch - at this point really nothing is lost.
2. Convert ext4 rootfs to btrfs
In my case I insert the SD card into my laptop. The SD card gets recognised as /dev/mmcblk0 and contains the following partitions:
I just wrote a small Bash script for creating offline-backups of a bunch of virtual machines on a server using btrfs snapshots.
The script shuts down all running KVM machines, waits until they are down, creates a (readonly) btrfs snapshot and spins the machines back up. Altogether this takes less than a minute. After the process I have an image of all KVM machines in the state when the machines are shut down. This is then suitable for storing the machine image files on a different machine to have a complete working state of the machines. This is part of my backup (more hardware failure) strategy for one of our general purpose servers at work.
The KVM instances need to be in a btrfs subvolume, otherwise it doesn't work.
See the script as gist on GitHub. You will need to do some adjustments and probably test it a couple of times, until it will work nicely.
I just recently got a new laptop (a T440p) to test whether it suits my needs. The old x220 is still a nice companion, but I kind of need a bit more horsepower on my daily companion.
Let me tell you something about the magic of Linux - I just removed the old SSD from my x220 and put it into the T440p. It booted out of the box, with all my configurations and everything in place. No need to reconfigure or even reinstall anything. I could be productive in a couple of minutes. Also transferring the SSD was a matter of some screws, so no problem at all. That's how it should be. That's one of the reasons why soldered-in SSDs suck so badly.
So, everything was working nicely, except for some reason NetworkManager seemed to have forgotten all the Wifi connections. Except, they were still there and configured, just for the Wifi interface of the other laptop. And reconfiguring all of them is kind of boring. There has to be a better way.
NetworkManager & System connection
NetworkManager stores all the connections in /etc/NetworkManager/system-connections. They are there as plaintext files (restricted to root though).
Turns out, the line we need to change in every file is the following
This is the MAC address of my old laptop, and I just need to replace it with the MAC of my new laptop. Easy as pie. The following one-liner does the job. Remember to replace YY:YY:YY:YY:YY:YY with the MAC address of your laptop
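A guarded version of such a replacement, added here as an example (it is not the one-liner from the original post). The function name replace_mac is made up; the old MAC address is passed explicitly and both addresses are validated before they are interpolated into the sed expression.

```shell
#!/bin/sh
# Added example. Run as root against the real directory, then reload:
#   replace_mac /etc/NetworkManager/system-connections XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY
#   nmcli connection reload

# replace_mac DIR OLD NEW: in every connection file in DIR whose mac-address=
# line equals OLD (case-insensitive), set it to NEW. Prints the number of
# files changed; returns 2 if OLD or NEW is not a MAC address.
replace_mac() {
    dir=$1; old=$2; new=$3; count=0
    for mac in "$old" "$new"; do
        # Only hex pairs and colons get through, so nothing can break out
        # of the grep and sed patterns below.
        printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || {
            echo "not a MAC address: $mac" >&2; return 2; }
    done
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Leave connections bound to other interfaces untouched.
        grep -qix "mac-address=$old" "$f" || continue
        # sed -i keeps the file mode, so the files stay readable by root only.
        sed -i "s/^mac-address=$old\$/mac-address=$new/I" "$f" || return 1
        count=$((count + 1))
    done
    echo "$count"
}
```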
My Pull-Request for including the CCfits package in Spack has just been merged into the development version. Very nice!
I use spack extensively on our scientific clusters in order to provide environment modules with various software packages (and versions) to our users. And because we need the CCfits package, I've created this package for spack. Now it's upstream and I hope that it makes the work of many other system administrators easier.
This blog post is about getting Kodi up and running with Netflix on Raspbian. This is not a tutorial, more a collection of notes for myself in order to reproduce the setup.
Get a recent version of Raspbian from the Raspberry Pi website. (Or my ftp mirror). Extract it to a fresh micro-SD card and get the system ready. Follow this guide, if you need help. Boot into the system, run an update and install some handy tools
sudo apt update
sudo apt upgrade
sudo apt install git tmux screen htop iftop iotop
usermod -aG audio,video kodi
Next, we are gonna harden the system. For that do the following
The Netflix plugin is hosted on GitHub. Download the plugin and install the zip file. The best option seems to be to put it on a USB stick and install it from there. This plugin needs parted or fdisk; you install them on your Kodi and then let the plugin install the widevine library, necessary for the DRM. The DRM is by the way also the thing that was in the way of getting Netflix to work in the first place. And it's still a bit of a mess, since we are using here an extraction of the libwidevine from the chromecast.
Well, as long as it works, but it's not nice and will probably cause a headache once or twice until it finally works.
Allow Kodi to reboot and shutdown
This is now more a quick fix, based on the suggestion from here. The original clue was posted a long time ago on the kodi forums, but those posts were only of limited help. So, create the following file
I encountered the problem that if Kodi runs for too long (multiple days), the Netflix plugin stops working. No errors given, it just won't play a movie again. A quick fix is to schedule a reboot every night using a cronjob
# Reboot the system every night at 5am
This is of course just the basic installation. You will need to configure Kodi to your needs (Skins, Addons, Timezone, connect your NAS, ...)
Also, I might create an ansible-playbook to setup this procedure. This looks like a fun project to do on a rainy Sunday.