Posts

Ansible: using secrets for user password

 I guess we all have a bootstrap which creates the ansible user and give it password less sudo rights. There are ways around that, but that is not what this is about. I create my use with: - name: create andible user user: name: ansible state: present password: "{{ my_secret_password | string | password_hash('sha512') }}" update_password: on_create shell: /bin/bash groups: sudo append: yes   notice the 'ansible_user_password', that is variable set somewhere else:   vars: ansible_user_password: !vault | $ANSIBLE_VAULT;1.1;AES256 ..... 353064646365326663373339393239363735     But where does the encrypted value come from, using 'ansible-vault' one can create encrypted values, which either are kept in password vault files, or just in your playbook (like above):  $ ansible-vault encrypt_string Give it a password (this is the vault password which you need to unlock it when you run

MacOS Ventura: not able to ssh to ruckus switch (diffie-hellman-group1-sha1)

 I upgrade to Ventura and replaced my Intel MacMini with an M2 MacBook Air ... everything was working, then I wanted to ssh to my Ruckus ICX 7150-C12 (08.0.95fT211), and got an error: Unable to negotiate with my-switch port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 Hummm, WTF.... I've seen similar things before when you upgrade FW or OS suddenly ssh will no longer work as a protocol or cipher have been deprecated. As I do not feel like upgrading my switch I had to do something else. I found this on serverfaul t, helped to a part of the way, and then a bit more googling I found the solution, which might be overkill. I ended up adding this in my ~/.ssh/config for the switch: Host my-switch KexAlgorithms=+diffie-hellman-group1-sha1 PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512 HostkeyAlgorithms +ssh-rsa    And now I can access my switch again. Yes, I know upgrading the firmw

Docker and KVM on the same host and networking

  If you are trying to get Docker and KVM to work on the same host then you will find that the networking is a  bit icky. You'll need to tell iptables to allow forwarding on your network interface. As I always to things using a bridge (makes it easier to change network card if needed), I use br0 in this example. cat <<EOF | sudo tee /etc/systemd/system/restore-iptables-rules.service > /dev/null [Unit] Description = Apply iptables rules [Service] Type=oneshot ExecStart=/bin/sh -c 'iptables -A FORWARD -i br0 -o br0 -j ACCEPT' [Install] WantedBy=network-online.target EOF   Then you need to enable it and restart the service (I'd restart the host): sudo systemctl daemon-reload \ && sudo systemctl enable restore-iptables-rules.service \ && sudo systemctl start restore-iptables-rules.service   That should be it, now your KVM guests will be able to reach the network. (there, of cause will be other things like enabling of forwarding which is als

Docker: ipvlan (ipv6)

 Due to macvlan instability, I moved my "public" network from macvlan to ipvlan. While I was doing this, I ran in to a problem which caused my no end of grief. No matter what I did, I could not get my ipv6 to work, ipv4 did work, but not ipv6. I was following bobcares:Alpine Docker enable IPv6 : How to? instructions to the letter, or so I thought.  My configuration was: docker network create -d ipvlan -o parent=eth0 \ --subnet 10.10.43.0/24 \ --gateway 10.10.43.1 \ --subnet "fd80:1::/64" \ --gateway "fd80:1::1" \ --ipv6 \ public   No matter what I would, it did not work. Then suddenly I rememberd, in another setup (which also took a while to get working), I had to move "-o parent=eth0" to the end, like: docker network create -d ipvlan \ --subnet 10.10.43.0/24 \ --gateway 10.10.43.1 \ --subnet "fd80:1::/64" \ --gateway "fd80:1::1" \ --ipv6 \ -o parent=eth0 pu

Docker: macvlan crashing

I have been using macvlan for a very long time, and have had no problems what so ever. Now suddenly I started having an issue which would lock up my box (I'm running +25 containers), the box would run for everything from 15 minutes to 24 hours (sometimes longer) but it would lock up. The only notification I would get would be an exception like this in dmesg: Oct 21 00:51:10 <box> kernel: [22600.504145] ------------[ cut here ]------------ Oct 21 00:51:10 <box> kernel: [22600.504183] WARNING: CPU: 0 PID: 303960 at net/netfilter/nf_conntrack_core.c:1123 __nf_conntrack_confirm+0x3ff/0x480 [nf_conntrack] Oct 21 00:51:10 <box> kernel: [22600.504186] Modules linked in: tcp_diag udp_diag inet_diag xt_nat xt_tcpudp veth macvlan xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user nft_counter xt_addrtype nft_compat nf_tables nfnetlink br_netfilter overlay bridge stp llc mlx5_core(OE) mlxfw(OE) mlxdevm(O

Kviknet and IPv6

Image
 I decided to switch ISP, mainly due to Hiper (Danish) was using a VLAN for their connection which made pfSense and my APU3 board require a reboot everytime I changed anything. Kviknet has a good reputation (wonder why) in Denmark, they are not cheap and they have the same opening hours as everyone else - meaning until 16:30 and closed during weekends. I sometimes wonder how companies who need 24/7 internet get on with that ... well it's Denmark. Kviknet has an interesting way to do IPv6, your router get and SLAAC assigned IPv6 address on the public side (wan) and you get a ::/48 network from Kviknet to use on your lan.  To some degree it does make sense, you can then configure your lan with static addresses as you see fit, and for dynamic assignment you use RA stateless dhcp *) ... which works for everything.  (I need to get my piHole configured with an static IPv6 so that I can use that ...). pfSense is a pain, I do like it, but they are light years behind their main competitor