Temporary Permanence

Red Hat Satellite and Changing CAs for Custom SSL Certificates

2026-03-12T00:00:00+00:00

My workplace's security team recently changed where we get our SSL certs from. Unfortunately, this led to some things breaking with our Red Hat Satellite (aka RH-branded The Foreman) instance. Namely, several of our hosts started reporting SSL errors while running dnf update</code> (some parts redacted for security):

Errors during downloading metadata for repository 'InfluxDB':
</span>  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://capsule.example.com/pulp/content/Org/Prod/RHEL9/custom/InfluxDB/InfluxDB/repodata/repomd.xml [SSL certificate problem: self-signed certificate in certificate chain]
</span></code></pre>
Turns out that Satellite is really</em> temperamental about changing your CA and there is no way to go about it without running some kind of script or command on every host in your fleet. Red Hat's suggested course of action is to use a script on the Satellite server designed to update the CA. You can run it on Satellite-managed hosts easily by creating a job within Satellite (category: "Command", job template: "Download and run a script") with the URL https://satellite.example.com/unattended/public/foreman_ca_refresh</code>.</p>
Unfortunately, this script only</strong> exists on Satellite and not on any of the capsules. That means it won't work for hosts on segmented networks. And the next-best course of action according to Red Hat is, even more unfortunately, to un-register and re-register each host. I'm sure that's a fine idea if you only have a few hosts. But one of the orgs in our instance has several hundred</em>.</p>
Thus, I recommend the following command (which can also be run via Satellite jobs, same category template: "Run Command - Script Default"):</p>
sudo rpm --force -Uvh https://$(grep -oP '[0-9a-zA-Z\-]+.example.com' /etc/rhsm/rhsm.conf | head -n 1)/pub/katello-ca-consumer-latest.noarch.rpm
</span></code></pre>
Of course, update the domain to match what you're using. The one-liner will search your Subscription Manager config for the first instance of something looking like a hostname - which should be the one it's configured to use for dnf repos - and reach out to it to get the katello-ca-consumer</code> package that contains the CA certificates. Be warned</strong>: this file is deprecated, but not removed, in newer versions of Satellite. So your experience using this command may change as time goes on.</p>

What is the purpose of Ubuntu Studio? 2026-03-12T00:00:00+00:00 A friend asked me today about the best and worst versions of Ubuntu. (I know this isn't objective.) I told them that Kubuntu was likely the best, and that Ubuntu studio is likely the worst. I have to wonder who the target audience for Studio is. The easy answer is "creatives" but I have to wonder why they install such a diverse array of software by default. According to their pages, they include by default: Calibre (ebook manager) </li> PikoPixel (pixel art editor) </li> Ardour (music creation) </li> GIMP (photo editor) </li> Kdenlive (video editor) </li> Blender (3d modeler) </li> Krita (raster graphics editor/digital painting) </li> digiKam (photography management program) </li> Scribus (PDF editor) </li> Inkscape (vector graphics) </li> Rakarrack (guitar amp simulator) </li> </ul> To be clear, I'm not doubting the quality of any of these applications. I've used several of them myself. But I question who would have all of these (and more) installed by default. With the exception of coming with the JACK audio server, I can't see why someone would prefer Studio over another Ubuntu flavor and installing the software they need afterwards. My 2¢ on a Linux Distro for Beginners 2026-03-06T00:00:00+00:00 I often see debate around which Linux distro is the best for beginners or people who just want something other than Windows for playing video games on their PC. Here's my thoughts on the matter: Most "standard" distros like Mint or Fedora or OpenSUSE are probably fine and will have good documentation. Distros like Arch and Gentoo are good if you want to learn a lot but are willing to invest the time. The only one I'd avoid outright is Ubuntu and similar distros that use Snap^{1</a>. </blockquote>} I once heard someone describe choosing a distro as choosing your package manager and default wallpaper. I think that's an accurate judgement for most purposes2</a>. I don't think the average person who plays CS:GO and watches Twitch streams would be able to tell the difference between two installs with a similar desktop environment and theme. I feel it's also worth mentioning that Linux is not always the best option. Linux's support for uncommon peripherals like third-party drawing tablets and such can be really rough for someone who doesn't have the time or desire to troubleshoot things. Windows has been and will likely continue to be the king of compatibility. And Mac is well-known for having the best support for all manner of creative apps.3</a> And I say all of this as someone who has used Linux as my primary OS since 2019! Arguably longer if you count how much of 2017 and 2018 with only my Linux laptop and not my gaming desktop. 1</a> Why don't I recommend Ubuntu and other Snap distros? It's entirely because of my first and only experience using them. One day in college while doing a lab, I installed the nmap</code> snap at the suggestion of Ubuntu's command-not-found message. I installed it as suggested and spent over half an hour trying to figure out why my command wouldn't work before learning that the permissions limitations of snaps prevented this feature of nmap from working entirely. I don't know if this was ever fixed. Is this a fair reason to not suggest an entire family of distros? Maybe not, but it was certainly frustrating enough that I can't fully recommend it. 2</a> Does this cover other things that are hard to customize later like non-standard init systems (Gentoo and Artix use OpenRC instead of Systemd)? No. But I don't know of any popular and common distros that use that kind of thing either. 3</a> None of this is to say that they don't have other issues. But they still have their strengths. Testing Pages CMS 2026-02-26T00:00:00+00:00 This is a test of pages-cms</a> as a way to make posting easier on myself! Fix for AAP with Github Apps Giving libcrypto Error 2026-01-14T00:00:00+00:00 This is a quick, mostly unedited post that will hopefully save someone some time. Context</h2> We're moving to Github for code hosting at work. This means I have to move all of my Ansible Automation Platform projects into private repos within our Enterprise account. I've set up two credentials within AAP: a "GitHub App Installation Access Token Lookup" credential, and a "Source Control" credentials that feeds from the token lookup credential. The Source Control credential is then used within playbooks and projects for authentication. While I had previously used the credential successfully within a playbook being run by AAP, using it to pull a project resulted in the following error: Error loading key "/runner/artifacts/1243/ssh_key_data": error in libcrypto </code></pre> Fix</h2> The fix was surprisingly simple. I made a duplicate of my Source Control credential and cleared the "SCM PRivate Key" and "Private Key Passphrase" fields so that only the normal username and password were still being fed from the token lookup. I don't know why it was causing an error when I was using an HTTPS address rather than an SSH address for the repo. But at least now I have a fix. Thoughts on RHEL 10's Release Notes 2025-05-14T00:00:00+00:00 Between Red Hat Summit next week and what seems to have been an accidental announcement of a GA release on the RHEL Release dates page</a> (which has now been reverted), it seems clear that RHEL 10 will be released within the next week or two. I thought it would be a good time to look over the changes listed for the RHEL 10 beta to see what might be interesting or applicable to me at work. I'm not much of a developer so most of my interests will be on the admin side. The embedded DNS server for IdM is not available because they are waiting on updates to another library. We've tried to move away from the embedded DNS server in our environment, but I can see this being an issue for anyone who does and wants to upgrade to RHEL 10 immediately. </li> RDP has replaced VNC as the graphical remote access protocol for RHEL 10's installer. I haven't tried to set up RDP on Linux before, but I have set up VNC on a home server. Maybe I should figure out how they're handling it in RHEL and consider switching over. </li> Valkey has replaced redis. I'm not surprised after reading some of the problems of the licensing change. </li> Firefox and Thunderbird are only available as Flatpaks in RHEL 10. It looks like this change will require logging in to the Red Hat Container Catalogue, which is slightly unfortunate because of the extra step required. On the other hand, this appears to simplify a lot of the upstream work and allow longer terms for supporting a single version. Ultimtely, I don't use RHEL on the desktop so this is all just a curiosity to me.</li> The web console known as Cockpit now includes a file manager.</li> The storage</code> system role can now manage Stratis pools. This is the only time I've seen Stratis mentioned outside of studying fro the RHCSA exam.</li> The podman</code> system role can now log in to container registries. Cool and useful.</li> There's a postfix</code> system role. This isn't new, but I wish I knew about it before making basically the same thing for work. </li> </ul> If you'd like to read the notes for yourself, they are currently hosted at https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/html/10.0_beta_release_notes/index</a>. Preparing for EX294 (RHCE exam) 2025-04-23T00:00:00+00:00 I got my RHCSA certification last April. It was my first certification since shifting from my security-centered education and first job to my current role as a systems engineer. I learned plenty of stuff for my job while preparing for it, and it's the most fulfilling exam I've taken to date because it is entirely practical. I also had a major head-start to learning it because I'd been using Linux as a daily OS since 2019. The next exam in the series for Red Hat is the EX294 AKA the RHCE exam. The prior versions of the RHCE exam focused on advanced Linux topics, but the modern version is all about Ansible. Unfortunately, I had minimal exposure to Ansible prior to starting at this job. It wasn't none but it was fairly close. Luckily, I've had plenty of opportunities to get acquainted with it. We are quickly moving to using Ansible for as much as possible at work - enrolling servers in LDAP, setting up services on servers, etc... We're also using Ansible Automation Platform, so learning to use execution environments and Navigator has become essential as well. homelab vs selfhosted 2025-01-09T00:00:00+00:00 I don't look at Reddit that often since they changed the API rules. On the rare chance that I do look, it's usually either r/homelab or r/selfhosted. The two subreddits are practically the same with lots of focus on Linux, containers, etc... You often find people in r/selfhosted talking about learning and testing things, and people in r/homelab threads about what people are hosting. I have to wonder if changing r/selfhosted to r/homeproduction would help at all. Happy New Year 2025-01-02T00:00:00+00:00 I realize I'm a day late with this, but a happy new year to anyone who reads this. Hopefully it will be a good one. needs-reboot, Satellite, and Ansible 2024-11-21T00:00:00+00:00 This post outlines a solution I came up with for a recent problem at work: detecting if servers required a reboot after an update. I'll explain the problem and provide the solution in the form of some Ansible job templates for use in Red Hat Satellite 6.15. Problem</h1> Prior to RHEL9, you could use the katello-host-tools-tracer</code> package to provide Satellite with information about if a host required any services to be restarted. This method is no longer supported and as far as I can tell there is no alternative integrated into Satellite. However, you can use the command dnf needs-restarting -r</code> on the host to list services that will require a reboot to benefit from updates. This is an ideal time to use Ansible and the job templates within Satellite. Solution</h1> This solution uses three job templates: one to collect information from hosts, one to safely reboot the hosts, and one to reset the host facts created by the first one. The job templates can be created in "Hosts -> Templates -> Job Templates". You can copy from a pre-existing playbook job, or create a new one and change "Job -> Provider Type" to "Ansible". You'll also need to enable the checkbox "Ansible -> Enable Ansible Callback" to allow the hosts to send facts back to Satellite. This is critical. This is the job template to check for the reboot and store the host fact. --- - hosts: all tasks: - name: Run needs-restarting check shell: dnf needs-restarting -r changed_when: false register: needs_restarting_result failed_when: false - name: Register fact set_fact: needs_restarting: "{{ (needs_restarting_result.rc == 1) | bool }}" </code></pre> This job template will allow you to restart the servers. --- - hosts: all tasks: - name: Safety check ansible.builtin.debug: msg: "Has \"restart_safety_variable\" been set to \"YES\"?: {{ restart_safety_variable }}" failed_when: restart_safety_variable != "YES" - name: Reboot with 10 minute timeout ansible.builtin.reboot: reboot_timeout: 600 - name: Register fact set_fact: needs_restarting: false # Add an input in the job template with the following parameters: # Name: "restart_safety_variable" # Required: enabled # Input Type: User input # Value Type: Plain # Advanced: disabled # Hidden value: disabled # Options: (blank) # Default: "NO" </code></pre> It's possible to use the "Ansible Command" job with a "restart" command, but this method offers a few benefits: It will automatically reset the needs_restarting</code> variable to false</code>.</li> It will detect if the host came back online. I've also included a "safety" feature that will fail the playbook if "YES" is not entered while configuring a job execution to prevent a potential accident. To use it, enter "YES" into the "restart_safety_variable" box on the target selection screen when running the job.</li> </ul> Finally, this job template is either to get the initial facts for each host, or to reset everything if you've done some manual reboots. --- - hosts: all tasks: - name: Register fact set_fact: needs_restarting: false </code></pre> You can search for which hosts need a restart by going to "Hosts -> All Hosts" and searching for facts.needs_restarting = true</code>. Notes After a Year at My Current Job 2024-09-04T00:00:00+00:00 About a year ago, I started working for a new company. This was a major shift for me as I'd gone from being a fully-remote penetration tester with a focus on Windows to an on-site systems engineer with a focus on Linux. This post is some of my thoughts on the change, and things I've learned about my work and myself in that time. I really enjoy being a Linux admin more than a Windows admin. I prefer the tooling and being able to do most of my work over SSH.</li> I need to have some kind of project tracking like a kanban board so that I don't get lost in a list of 700 tasks. </li> I can learn a lot through hands-on work and troubleshooting. I already kind of knew this one but not how much I could learn. A year ago, I had never heard of Satellite and Ansible was something I used in a class one time. Today, I'm the SME for Satellite at the company and leading our Ansible Automation Platform deployment project. </li> Red Hat has wonderful people working for them. Everyone I've met on sales calls, in workshops, and at the Summit has been a pleasure to talk to.</li> It is so much fun having Linux nerds to talk to who aren't developers. That's not a jab against developers, but there is a difference between a Linux nerd who mostly talks about programming new drivers and a Linux nerd who knows how to write Systemd unit files. </li> I loathe driving into an office. I had an hour-long commute each way for most of the past year. It was a huge waste of time, energy, and (gas) money.</li> I also strongly dislike being in an office. I never felt unsafe or anything, but I never felt comfortable either. </li> Basic vim</code> usage is worth it to learn. I originally did so because nano</code> wasn't available on all of the servers I was managing. I continue to use it as my default because it feels a little more ergonomic than the alternatives. </li> Ansible is incredibly satisfying. There's nothing quite like going from base installation to a working service in 2 minutes with one command.</li> There are plenty of tricks and tools that I have no idea about yet but will change the way I work as soon as I learn them. For example: bash</code>'s Ctrl-r</code> to do a substring search on history instead of tapping the up key a bunch</li> at</code> to schedule one-off commands</li> Everything related to Ansible</li> </ul> </li> </ul> I may add to this post as I think of more. 20240528 2024-05-28T00:00:00+00:00 I've been rebuilding my homelab using Fedora Rawhide + Ansible. It's a nice mix of the kind of stuff I use at work and the bleeding-edge updates I prefer for home use. The goal is to have something that can be rebuilt 100% from Ansible. Of course, I'm making it harder on myself by aiming for an OKD setup... I am now an RHCSA 2024-04-15T00:00:00+00:00 As of last Friday afternoon, I am a Red Hat Certified System Administrator. It was my first time taking a certification exam that was 100% practical and I was really nervous going into it. You at least can get things right by chance if it's a multiple-choice question, but there was no such chance here. Thankfully, I studied and knew how to find what extra info I needed during the exam via the man pages. I passed with a score of 286 out of a possible 300 (with 210 being the cut-off). Exam rules mean that I can't discuss any of the details of the exam. That's a shame because I wanted to share the anecdote of spending the last 40 minutes on a single task because of an issue related to the man pages for a particular tool. I'll share what I think is most important for anyone who might be considering the exam themselves: my study methods. Before I began studying for the exam, I had several years of using Arch Linux as my primary OS for my desktop and laptop. I was already very comfortable with using the command line to do things. Additionally, I had several months of work-related experience with RHEL specifically. </li> I used the EX200 Study Guide from Pearson by Sander van Vugt. I skipped most of the end-of-chapter questions in favor of the labs and practice tests. What questions I did have, I allowed myself to use man pages to answer them without counting it as cheating.</li> I didn't study a lot per week but tried to practice things where I could with a mix of Anki and a set of VMs.</li> </ul> Next on the list: RHCE. Learning to Use Your Hammer by Turning Things into Nails 2024-04-11T00:00:00+00:00 There's the famous saying: "When all you have is a hammer, everything looks like a nail". It's meant to imply that when your skills or tools are limited, you think it can be applied to anything and everything (and that this is a bad thing). But what if you get your new hammer and want to learn to use it as fast and effectively as possible? It may be useful to learn to use it to solve problems it wasn't designed for. Examples: You're learning Ansible and create playbooks to run on localhost instead of a bash script.</li> You're learning to draw and use a brush pen for sketching instead of a pencil.</li> You try containerizing an app that you'd have traditionally installed bare-metal.</li> </ul> This isn't something you should do in production - but I think it has its merits. Sudo for Windows 2024-04-07T00:00:00+00:00 Over 40 years after the initial release of sudo</code> for UNIX, Microsoft is adding sudo to windows</a>. Thank you, Microsoft. Please Don't Dunk on Scam Victims 2024-04-06T00:00:00+00:00 Yesterday, a Twitter user going by the name "marsothy" (@splatatouille) posted a thread of tweets about getting caught up in a Discord scam. You can find that thread [linked here](https://twitter.com/splatatouille/status/1776311022506459564) (link broken) but I'll summarize it here: a friend's account was compromised</li> scammer poses as friend claiming that Marsothy needs to get in contact with Discord support via a specified Discord account</li> having Marsothy change their Discord account's email address</li> asking for banking information</li> asking for a money transfer via Venmo + Bitcoin</li> Marsothy is locked out of their account</li> </ul> I've had one person DM this to me, and another group I'm part of post about it. The general consensus was "this person was very dumb". And yeah, to an extent, he was. Having to share your bank account information or sent money via crypto is really clear of a scam and I'd like to believe that I wouldn't fall for something like that. But some of it tilted the scales in the scammer's favor. It's important to note that: Marsothy had just woken up (so probably not thinking straight)</li> Marsothy had never heard of this kind of scam.</li> </ul> Scammers prey on you not thinking rationally. If you got a text from your [mother/close fiend/amicable ex-lover] using a semi-verified way of knowing it was them (like phone contacts) shortly after waking up, you'd probably not think as much about "who is this" versus "how can I help". I used to construct social engineering campaigns professionally (and under legal contracts that gave me permission to do so). They also prey on people now knowing about scams. Yeah, this one might have been less believeable once it got the the bank account stage. But it's a good thing to share knowledge of scams even if it's embarrassing. We need to stop dunking on people who share that they fell for a scam. I applaud Marsothy for sharing this with the world. I leave you with two of his tweets from after the thread had been up for a while: muting this, but that you to everyone who has been understanding of my situation despite the...questionable lack of judgement i had in the moment. [...] hopefully sharing will prevent more people from falling victim to this terrible scam everybody calling me or anyone stupid for falling victim to this kind of situation, you're really not helping anybody </blockquote> Ruff 2024-03-26T00:00:00+00:00 I tried the Ruff linter for Python</a> today. It's pretty snazzy. I think it'll become part of my standard toolset for Python stuff. Home Lab and Selfhosting Redesign Thoughts 2024-03-09T00:00:00+00:00 I've been hosting some of my own services since 2019. It started as just a Wordpress blog, but now I have things like Nextcloud and Shaarli that give me tangible benefits. However, these services are currently spread across about 5 different servers and nearly none of them are worth the price for what they do individually. The goal of this post is to share my thoughts and possibly collect some feedback about how to go about changing things. (Side note: Google says that I've spent nearly $1500 in their cloud since April 2019. That sounds like a lot, but the amount I've gained from learning to use it has been a lot more.) The Current Setup</h2> Currently, I have a server in Google Cloud that I pay ~$30 a month for. It hosts Nextcloud, Mediawiki, my blog</a>, and some other smaller services. The VPS is running Rocky Linux, and the services are all in Docker. My primary reason for using it is not a particularly great one - it's what I've been using since I started selfhosting. That's... not a great reason. $30 for 2 vCPUs and 4GB of RAM is enough to buy the equivelent Raspberry Pi model every 2 months. However, it also gives me a different IP (so nobody is who tries to DDOS me will kill my home network connectivity) and it's resilient to the semi-regular power outages I have at home. In addition to that server, I also have a used SuperMicro server that I use for a mix of home lab and selfhosting. I've got several VMs running under KVM - including an OpnSense router to put them all in a private subnet. It also serves as a jumpbox to my network if I'm out somewhere and need to access my home network (though I won't give details for security reasons). It's a really cool setup and has been fun for learning Ansible + networking, but the power usage really high for what's essentially just running Gitea, Jenkins, and Vaultwarden. The trade-off is that I get way more bang for my buck than the VPS, but I waste a lot of electricity on unused potential. Two other servers of note: An OVH VPS that is a simple Wireguard tunnel + nginx stream proxy to the SuperMicro for I-don't-want-to-share-my-home-IP reasons.</li> A Dell mini PC for testing things when I don't want to provision a new VM in KVM, and for hosting some friends' stuff that doesn't need 90+% uptime.</li> </ul> The Proposed Setup</h2> In my theoretical new setup: The Google VPS would be removed.</li> The blog is migrated to Cloudflare Pages or Github Pages.</li> All services are moved to a different domain (vacula.xyz</code> instead of lvacula.com</code>).</li> All services are moved to a Dell micro PC with a UPS for power.</li> All services are moved to rootless Podman.</li> All services are separated into per-service pods and mapped to different ports from 8080 to 8090, then reverse-proxied out to the OVH VPS.</li> The SuperMicro server is powered down unless I'm actively using it for home lab or game server hosting. </li> </ul> The key part of this for me is the move from bare-metal services and Docker to rootless Podman. The security benefits of it are almost too incredible to not use it. Additionally, I want to be able to help document it and podman kube play ...</code> + kube YAML system because podman compose</code> is not a perfect replacement for docker compose</code>. Do you have thoughts on this? Do you use Podman for your self-hosting setup? Then please, dear reader, email me with your advice and knowledge. My email is "lukas" at this domain. SubdoMailing Campaign 2024-02-27T00:00:00+00:00 I came across this while reading my RSS feeds this morning: there's a new ad fraud campaign that is using insecure domains from big names like VMware and Marvel. But the interesting thing for me isn't the names attached, but that it seems so simple of an attack: look for outdated and unregistered domains, and use their existing presence in other companies mail records to bypass spam filters. Relevant link to Bleeping Computer article</a> 20240222 2024-02-22T00:00:00+00:00 Quality-of-life suggestion for the day: turn off the annoying bell in Windows terminal by going to a profile -> Advanced -> Bell notification style and turning off "audible" Slower and More Meaningful 2024-02-19T00:00:00+00:00 Lately, I've felt like I need to be more conscious about my "free" time. There are many reasons for it (work schedule, the rise of generative AI, ...) but I'm mildly happy with the results thus far? I'd like to make a dedicated post of it, but I'm having trouble putting my feelings into words. Thoughts on FSRS 2024-02-15T00:00:00+00:00 I've been trying FSRS for about a month now. Here's my thoughts on it so far: I feel like I have a more manageable workload. However, part of me wonders if this is because I'm not putting all of my effort into studying a cert or a language. </li> I don't think about how my choices are affecting the ease factor anymore. </li> The 3-component model is a lot easier to understand than SM-2's ease.</li> I wish I had been studying more during the Fall. My stats page isn't reliable because my Anki usage was very sparse for most of 2023. </li> Some of the intervals for relatively new cards feel very long. I'm not sure what to make of this. I'll probably need to reflect on this again in a few months </li> Even with the helper add-on to auto-reschedule cards on sync on desktop, I still feel disincentivized to use Ankidroid due to lack of native support.</li> It has been a very positive experience overall. </li> </ul> Discord as a UI Library 2024-02-05T00:00:00+00:00 One annoying problem I have with learning something new programming-wise: I'm so familiar with the Discord.py API library that any real UI library feels like it has too much friction to be worth it for any of my projects. It's even cross-platform! I'm torn between freshening up my PyQt, learning Kotlin + Android dev, or looking into something else for Linux/Windows dev... Email Migration Inquiry 2024-02-01T00:00:00+00:00 Google's made progress with their handoff of domain-related things to Squarespace. As I write this, my domain is being transferred to Cloudflare. However, no longer being with Google means no more Google Workspace for the email associated with this domain. So where should I go? My primary concern is avoiding the issue I had previously where emails were simply forwarded to another email but would sometimes be lost due to email destination authentication failing for the sender (or at least that's what Google Support said). I really only need basic sending/recieving functionality, the ability to use a custom domain, and the industry standard IMAP/SMTP access. Spam filtering would be strongly preferred, but I haven't had an issue with that since the days that Verizon still managed Verizon.net emails. Calendars, rules, etc are all something that I manage via Thunderbird. I'd like to avoid Outlook, Google/Gmail, and AOL. I don't mind paying for email service, but I've had bad experiences with two of those three and feel a little bitter about the third for making me have to do this to begin with. The top contender looks like ProtonMail. I've already reached out to their support team to see if they know if this would be an issue or not. So far the only point against them is that you have to buy the bundle that includes extra drive space and a VPN - two things that I'm sure increase the overall price. A small note on my search so far: where's Hey</a>, that email service everyone was raving about for a while, in all of the "top 12 best email providers" lists that keep appearing in Google? Did they piss off the wrong listicle writer? Are they just not interesting anymore? I don't think I'll go with them for three reasons: Most of their benefits appear to be part of the interface they offer.</li> It would cost me 120$/year because the domains plan costs 10$ for a single user per month and they do not offer a yearly pricing option for the plan with custom domains.</li> They don't support IMAP or POP.</a></li> </ol> How was this popular with all of the developers I was following? 20240131 2024-01-31T00:00:00+00:00 Signal boosting this in case someone hasn't seen it: there's a new flat in glibc (one of, if not the, most common library on Linux) that allows local privilege escalation. The latest versions of Fedora, Debian, and Ubuntu are all affected so update if you can. Relevant links: https://www.bleepingcomputer.com/news/security/new-linux-glibc-flaw-lets-attackers-get-root-on-major-distros/</a></li> https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt</a></li> </ul> Shortnotes Change 2024-01-31T00:00:00+00:00 In the interest of keeping things easier to read, I've migrated all of my "shortnotes" posts to a separate page. 20240129 2024-01-29T00:00:00+00:00 Do you ever work on something at work and wish you had a use for it in your homelab? I'm feeling like that right now with Ceph. Data storage is such a fun topic, but I can't justify buying all of the network and storage hardware needed to make a decent cluster instead of just buying more storage for my Synology NAS. Trying Out FSRS 2024-01-15T00:00:00+00:00 I'm trying out the new FSRS scheduling algorithm for Anki. I was hesitant to use it when it was first announced because it seemed to be undergoing a lot of fast changes and required a fair amount of manual setup. But now it's in the main Anki code (though not in AnkiDroid, yet) and it seems like a poor idea to not use it. Commenting on a Paper from First Monday about Generative AI 2024-01-06T00:00:00+00:00 One of the 400 RSS feeds in my FreshRSS instance is an open-access journal that describes itself as "solely devoted to the internet": First Monday. Reviewing this month's articles had one that was particularly interesting for me: Why do people use ChatGPT? Exploring user motivations for generative conversational AI"</a>. I encourage you to read it. This post will be some comments on the paper (mostly just the points I found interesting). There were 197 participants in the study. Okay, this one isn't interesting but it will help contextualize the numbers below.</li> 58% of participants reported using ChatGPT weekly or more, but only 4% used it daily. I initially thought the difference would be because they're using it for work (and thus not on the weekends), but using it for personal use is more popular (82% for personal use versus 38% for work). </li> The most popular theme for ChatGPT use was productivity at 55%. That tracks with my priors. Interest in the technology was second at 51%, then a big drop down to only 20% for fun and amusement. </li> Some people used it to come up with dinner suggestions (no complaints here!). Others used it to set up diet plans (scary!) or "a place to address mental health issues" (also scary!).</li> 5 of the participants reported "high reliability or trustworthiness of the information it offered". I'm reminded of a question someone asked of where the idea that generative AI was reliable for information came from. Why do people assume it is good at being correct and not confidently wrong? That was one of the first things that came to mind when I first heard of it.</li> More people (24) reported using it as a support tool for writing, such as to re-word their own sentences, than as a purely generative tool (10). This feels slightly better to me than if pure generation was more popular. This difference was narrower in software developement. 17 used it for generation and 14 for debugging/problem-solving. I think I feel less good about this.</li> </ul> </li> Two of the summarized uses that the authors list in the discussion - alleviating the burden of decision making and dealing with information overload - feel like they're connected. What is the burden of decision making but an information overload related to a particular choice?</li> </ul> Happy New Year 2024-01-02T00:00:00+00:00 Happy New Year to those who celebrate using a solar calendar! Only another 24 until we hit a nice, round-number milestone</a>. Some things I've recently learned about Podman (and Docker) 2023-11-27T00:00:00+00:00 Podman does not require a user to have unique permissions to use it.</li> Any user on a docker-enabled system that also is in the docker group can become root with one command</li> The "ADD" directive in a Containerfile or Dockerfile is considered more insecure than "COPY" because it can pull remote directories.</li> Podman was made with Docker command compatability in mind because the devs knew they'd never get market share otherwise.</li> </ul> Mobile Posting Test 2023-11-26T00:00:00+00:00 This post is a test of how easy it is to post from a mobile device using the Jenkins auto-deploy system I set up the other week. I'm currently sitting in a restaurant waiting for a friend to finish their food. GitNex's editor isn't the most impressive, but it isn't bad either. Why I moved from Wordpress to Zola 2023-11-21T00:00:00+00:00 I've used a few different site generators and blogging platforms over the years, including but not limited to: Wordpress</li> Google Blogger </li> Tumblr</li> Pelican</li> MediaWiki (yes, it counts)</li> DokuWiki (it counts too!)</li> Zola</li> </ul> It should go without saying that every system has its benefits and trade-offs. This post about the specific trade-offs that made me switch from Wordpress to Zola. My primary issue with Wordpress is the writing. Gutenberg seems like it would be a very useful editor for a more traditional writer or someone who doesn't have an emphasis on technical content. I couldn't figure out how to easily move from extended code blocks back to normal writing without using my mouse to add a new paragraph block. (The classic editor doesn't fix this issue.) With static site generator that rely on Markdown syntax for formatting (like Zola), it's as simple as adding a few backticks at the start and end. I write enough code or general monospace text</code> that this was a dealbreaker for me. The second major issue was the difficulties I had in customizing the site. This isn't an issue of Wordpress lacking customization - Wordpress themes are popular enough for entire businesses to be built upon the back of them. Unfortunately, the graphical editor wasn't behaving for me (primarily not reliably changing link colors to those in my color scheme) and the code side is its own monster. I don't want to become a web developer to get my theming working. Zola's Tera templates only require a bit more than basic HTML and CSS. Of course, there's downsides to moving to Zola. The largest trade-off - and the reason that I waited so long to do so - is that there are extra steps to deploying the website. Wordpress is as simple as "write the content and hit publish". Zola requires you to have the Zola binary, compile the website, and push the content to the web server host. You can simplify this by writing your content on the same host as the web server, but then you lose the ability to write and publish from anywhere. In my case, it also means losing the ability to use graphical editors. The solution to that trade-off was learning to install and use Jenkins. For the unfamiliar: Jenkins is a CI/CD tool. I can write my content on any host, push the "source code" to a git repo, and Jenkins will take care of the rest. In theory, Jenkins will detect and push a new version of this site within 3 minutes of a new commit being pushed to the git repo. So far this has worked fairly well. The final question I can imagine someone may ask is "Lukas, Pelican is a static site generator as well. Why did you move to a different one?" The answer is Rust. Zola is written in it. I'm learning it and want to use it more. If I encounter a bug, I want to be able to fix it. I have conqured Podman's YAML 2023-11-18T00:00:00+00:00 I decided that I was done with Gitea's weird port mapping, so I tried to fix it. Several hours of head-bashing later, I was left with a corrupted database and no Gitea instance. I'm now writing this several hours after that. I've learned a surprising amount about Podman (compared to Docker), Kubernetes, pods, and several other things that I'll probably end up using at work some day. Expect a post some time this week about deploying a Zola static site with Jenkins. And maybe some notes on why I switched from Wordpress to Zola. Google finally feels worse 2023-11-06T00:00:00+00:00 I didn’t really agree with statements about Google’s search getting worse until today. Using search would usually give me what I wanted within the first few results. All I’d need to do was skip past the inevitable Amazon link that would show up. But for the past few days, I feel like I’ve had more and more “junk” in it. Links that look like they are for a specific post on a forum, but take me to the main page instead.</li> Links for blogs that look like they were written by an AI.</li> Links that go to entirely different websites than those they appear to be for.</li> </ul> It’s admittedly tiring and makes me want to restart my habit of bookmarking more sites. A surreal blog 2023-10-31T00:00:00+00:00 I found a blog by someone who works at a polar research station. Their post on nights</a> there is surreal. It reminds me of Signalis. EDIT: I realized while porting this post to Zola that I posted this on Halloween. It wasn't my intention to match that with a horror game reference, but it fits! :D Wordpress Gripes 2023-10-30T00:00:00+00:00 Late night thought before work maintenance: I don’t particularly enjoy WordPress’ writing interface. It doesn’t feel suitable for quick or technical writing. Customizing the site feels like fighting against the tool. Pelican (the static site generator) felt a lot nicer. Writing in markdown feels much nicer than using Gutenberg or the Classic Editor (plus I can do version control with Git!) and .html.j2 files for customization is easier than WordPress’ syntax. I’m hardly a Python dev – I don’t wanna be a web dev too. Backups and YAML 2023-10-29T00:00:00+00:00 Finally doing something that I should have done a long time ago – adding a second (and in some places, first) backup to my systems. BorgBase won over rsync.net for price, and over Backblaze B2 for ease of use with Borg. Bonus points for also making my GUI of choice – Vorta. Additionally, I’m automating as much as possible with Ansible. I still loathe YAML for configuring anything, but Ansible nearly makes that worth it. ;p Resolved: Connection Issues on a libvirt Isolated Network to Router 2023-10-07T00:00:00+00:00 Quick answer: The isolated network auto-allocates the first address to a virtual interface for the hypervisor host. Check that your router’s IP isn’t set to the same thing. I was having issues the other night with my homelab setup. Specifically, devices would randomly be unable to communicate with the router. Pinging worked, but accessing OPNsense’s web interface wasn’t. It wasn’t firewall issues either. After running tcpdump</code> on the opnsense box, I realized that my traffic wasn’t even reaching it. I double checked that they were on the same vnet (they were), then checked the ARP table on the client I was using. Sure enough, the MAC of the supposed gateway wasn’t the same as the OPNsense interface. I took down all other VMs except the router and client to isolate the issue in case it was a misconfiguration, but the issue persisted. This meant it had to be something involving libvirt. Sure enough, a quick Google search revealed that libvirt will still allocate an address for the host on isolated subnets – even if you disable services such as DHCP. It defaults to the first IP address in the subnet. I changed the OPNsense LAN IP from .1 to .254 and the issue was resolved. Bash history search 2023-10-05T00:00:00+00:00 Another useful tip for Linux users and admins: you can search your command history in bash with Ctrl+r</code>. Typing something and hitting it again will search backward through commands that match that pattern. It saves a lot of time compared to pressing up repeatedly. python `or [default]` 2023-10-02T00:00:00+00:00 Did you know that you can use the “or” keyword in python to set a “default” for a variable? variable_name = value_or_none() or "default value!" </code></pre> Over five years since I started using Python, and I’m only learning this now. I wish I knew about it sooner. When do you change the default settings (on tools/apps?) 2023-09-28T00:00:00+00:00 That question is rhetorical. I already have a good system in place for myself. I will always review privacy settings. It’s rare that privacy settings will default to the more private options unless you’re using certain open source software such as KDE. Perhaps ironically, I’ll usually enable the anonymous usage statistics in those cases. The reason for that is a story for another post, though. Things like keybinds and such are another story. Sometimes I’ll change the settings to whatever gets me the most use, and sometimes I’ll avoid changing the defaults as much as possible. On one hand, if I have something like Joplin or Firefox, I’ll obsess over each setting and get it configured just so. These are tools that I’ll likely only use from devices I own, and only from a small percentage of them at that. I’ll only need to do that setup once every few months. However, take something like Vim</code> or tmux</code>: I use these very often (more often than Joplin for sure), but I use them on almost every system I work on. This includes systems that aren’t owned by me or systems that I’ll only use once every few months. If someone else uses the system, they should be able to expect how these tools will behave. It’s for this reason that I haven’t configured tmux, Vim, or similar tools on my own systems. I use the system default settings for tmux. I think I have small vanity options configured for Vim (syntax highlighting, hard tabs), but nothing more. Using Vi[m] 2023-09-19T00:00:00+00:00 I'm finally giving Vi[m] a try. It's hard to get used to it after using nano</code> for so long. Surprisingly, it's not the :wq</code> or insert mode stuff that is catching me, but the fact taht I can't go to the previous/next ling by pressing left/right at the line ends. (Yes, I realize I can modify this in the .vimrc file but I'm attempting to keep it as close to default as possible since I work on so many different systems.) My Experience Studying For and Taking the CISSP Exam 2023-08-15T00:00:00+00:00 This post is about studying for and taking the (ISC)2 CISSP exam. I’ll talk about my experiences, what I thought was useful, what I thought wasn’t useful, and some high-level information about the test. I will not go into specifics about the questions on the test. Studying</h2> I primarily used five sources for the exam: Sybex CISSP Official Study Guide</li> Sybex CISSP Official Practice Tests</li> LearnZApp CISSP official practice test app</li> Anki</li> r/cissp subreddit (for meta-information)</li> </ul> I had access to the first two resources through O’Reilly’s online learning subscription – which I had for free through my alma mater’s library. Both were good resources, but had multiple clear errors in the answer key (as in, mentioning something not even referenced in the question or having same answer associated with a different letter). I took the first practice test before starting on the Official Study Guide (OSG) book. I scored a 60%. I completed the chapter questions after reading each chapter of the OSG, then did another two practice tests. By the end, I was scoring ~80%. I cannot really recommend paying for the official practice test app if you have the practice test book. A good number of the questions in the app were identical to the ones in the book. Also, the “readiness score” isn’t helpful – I had a 55% when I took my exam. Anki</h2> Anki, for those unfamiliar, is a spaced-repetition software</a> for flashcards. I’ve used it for Japanese, trivia, grep flags, tmux keybinds, and more. It is one of the most useful pieces of software I’ve ever used. I used two Anki decks: one of my own creation, and lfionxkshine</a>‘s CISSP 10k deck. While lfionxkshine‘s deck is very impressive for it’s size, I didn’t continue using it for a few reasons: There are a very large number of cards that are things I’d already committed to long-term memory. It makes no sense to spend such a large amount of time sorting through to find the useful cards instead of making them myself.</li> Some of the cards were contained incomplete or incorrect information. One question was “What layer of the ring protection scheme is not normally implemented?” This question is both in the Anki deck as an open-ended question, and in the official practice test app as a multiple-choice question with the options 0, 1, 3, and 4. Both formats list “Layer 1” as the correct answer – but the practice test app goes on to tell that the full answer is layers 1 and 2. It’s better to not study the card at all than to memorize the wrong thing.</li> </ul> </li> </ul> It’s worth noting that I’d made over 700 cards while studying but only reviewed about half of them by the time I took the exam (see below in the Taking section to see why). r/CISSP Subreddit</h2> I spent a good amount of time before the exam browsing the r/cissp subreddit to see what others’ thoughts were on exam prep materials and the format of the exam. College Degree and Hands-On Experience</h2> I have a four-year degree in computer security, and just under 2 years’ experience doing penetration testing. I think that had a significant impact on how much less I had to study compared to others. Taking</h2> The days leading up to my test were, in short, a mess. The clothes dryer broke. The AC broke and it would get into the 90s some days. I was doing prep for a job offer I had just accepted. I’d already bought the exam voucher and wanted to use it before things got even more hectic. I was prepared to fail the exam, but come out with better knowledge of what the questions would be like and where I would need to study more. The sign-in process for the exam was uneventful. The only difference between it and any other certification test I’ve taken (Sec+, CC, etc…) is that I had to get my palms scanned a bunch. Again, I will not discuss details of questions. All I will say is that the questions were generally less technical than I expected, and slightly easier than some of the practice questions. I would often see comments on the subreddit about the exam drilling you on whatever it thinks is what you struggle with the most as you get further in the exam. I don’t think that I experienced that. I’d have a difficult question from a random domain, followed by a really easy question from a different one. I was fairly certain that I was going to fail with how easy some of the questions near the end were. Then I hit submit on Q125 and was told my test was over. I passed. "Prompt Engineering" 2023-07-28T00:00:00+00:00 A small realization just came to me: there’s a certain irony to “prompt engineering” being something that people try to teach as if it’s a programming discipline. Wasn’t the goal of the natural language models to make it so that people can speak normally and get the output they want? Shouldn’t that mean that “prompt engineering” should be the same as a communications or writing class? YouTube Music 2023-07-24T00:00:00+00:00 A funny thing I’ve noticed about YouTube Music: it doesn’t seem to take your recently-listened-to music into account when showing quick recommendations if you have YouTube history turned off. I can listen to as much blues or j-rock as I want, but it doesn’t start showing those as quick recommends until I hit the like button on a track. Unfortunately, this also means that things I liked a while ago don’t appear anymore. Encryption Flashcards 2023-07-19T00:00:00+00:00 I think I added an extra 80 or so cards today just for encryption algorithms’ key lengths, block sizes, etc… I don’t expect they will be used in a lot of CISSP questions, but I’ll ace whatever questions involve them. Security Models 2023-07-14T00:00:00+00:00 I’m reviewing security models in preparation for taking the CISSP exam. It’s something I haven’t had a lot of reason to think about since I took a class on it in college. Bell-LaPadula, Biba, Clark-Wilson, etc…. I’m glad I know what Anki is now. Resolved: Email Delivery Issues with Google Domains Email Aliases 2023-06-15T00:00:00+00:00 This post is a combination announcement and “hey, this is how you fix this” post. I’ve used Google Domains as my DNS registrar for several years now, and I’ve used the email address hinted at on my Contact page</a> as a personal address for just about as long. Unfortunately, it wasn’t until recently that I learned that some senders can’t or won’t send to it because it is set up as an alias instead of a proper address. The solution provided by Google is to use a Google Workspace email instead. I guess I’ll just have to add another address to Thunderbird. For anyone who’s curious, here’s what Google has to say about the matter on their help page</a>: You may not get the email forwarded to you by senders with specific email authentication settings. Regardless of your mail settings in Google Domains, some email senders have rules that prevent their mail from being delivered with email forwarding systems. Tip: To avoid delivery issues, use a custom email with Google Workspace instead of email forwarding. </blockquote>

Temporary Permanence

Red Hat Satellite and Changing CAs for Custom SSL Certificates

What is the purpose of Ubuntu Studio?

My 2¢ on a Linux Distro for Beginners

Testing Pages CMS

Fix for AAP with Github Apps Giving libcrypto Error

Thoughts on RHEL 10's Release Notes

Preparing for EX294 (RHCE exam)

homelab vs selfhosted

Happy New Year

needs-reboot, Satellite, and Ansible

Notes After a Year at My Current Job

20240528

I am now an RHCSA

Learning to Use Your Hammer by Turning Things into Nails

Sudo for Windows

Please Don't Dunk on Scam Victims

Ruff

Home Lab and Selfhosting Redesign Thoughts

SubdoMailing Campaign

20240222

Slower and More Meaningful

Thoughts on FSRS

Discord as a UI Library

Email Migration Inquiry

20240131

Shortnotes Change

20240129

Trying Out FSRS

Commenting on a Paper from First Monday about Generative AI

Happy New Year

Some things I've recently learned about Podman (and Docker)

Mobile Posting Test

Why I moved from Wordpress to Zola

I have conqured Podman's YAML

Google finally feels worse

A surreal blog

Wordpress Gripes

Backups and YAML

Resolved: Connection Issues on a libvirt Isolated Network to Router

Bash history search

python `or [default]`

When do you change the default settings (on tools/apps?)

Using Vi[m]

My Experience Studying For and Taking the CISSP Exam

Studying</h2> I primarily used five sources for the exam:</p>

r/CISSP Subreddit</h2> I spent a good amount of time before the exam browsing the r/cissp subreddit to see what others’ thoughts were on exam prep materials and the format of the exam.</p>

College Degree and Hands-On Experience</h2> I have a four-year degree in computer security, and just under 2 years’ experience doing penetration testing. I think that had a significant impact on how much less I had to study compared to others.</p>

"Prompt Engineering"

YouTube Music

Encryption Flashcards

Security Models

Resolved: Email Delivery Issues with Google Domains Email Aliases

r/CISSP Subreddit</h2>
I spent a good amount of time before the exam browsing the r/cissp subreddit to see what others’ thoughts were on exam prep materials and the format of the exam.</p>

College Degree and Hands-On Experience</h2>
I have a four-year degree in computer security, and just under 2 years’ experience doing penetration testing. I think that had a significant impact on how much less I had to study compared to others.</p>