CentOS 7 to CentOS 8 update — it’s fine.

I’ve been taming my homelab network: all the VMs I’ve installed to try out software that I eventually deploy at work, the few administrative VMs I need for my own “stuff,” etc., and I was pleasantly surprised. Turns out that most of my stuff is reasonably up to date: a bunch of CentOS 8 VMs, a few recent Rocky 8 instances, a few Ubuntu servers, and one lone CentOS 7 instance.

So I decided I no longer want to support CentOS 7, and since everything’s on ESXi, it’s easy to attempt the CentOS 7 to 8 update I found here: https://www.tecmint.com/upgrade-centos-7-to-centos-8/

Everything sailed smoothly until the actual package update step. Obviously it’s a lot of packages, etc., a lot of opportunities for things to go wrong. And a couple of wrinkles did expose themselves. One was MariaDB and the other was the FreeIPA client. And since I took a snapshot before starting, I felt pretty free to experiment.

So fuck it. I backed up the MariaDB database itself just in case, and deleted the package.

Then, fuck it, I can recreate the FreeIPA config if need be. Deleted the package.

Some other minor stuff came up as blockers, the rpmconf package, etc., deleted them too.

Ran the upgrade, it went all the way through. Then I simply reinstalled the MariaDB server and the FreeIPA client using dnf, and they both picked up their original configurations and just worked. I love it when that happens. Now there’s no more CentOS 7 on my network.
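The "just in case" backups are the step that makes deleting packages mid-upgrade safe, and the one check worth doing before you trust them is that the SQL dump actually finished. The script below is an added example, not from the post or the linked tutorial; the backup directory and the list of FreeIPA client files are assumptions, so adjust them for your host.

```shell
#!/bin/sh
# Added example, not from the original post: take the "just in case" backups
# before ripping out MariaDB and the FreeIPA client, and check that the SQL
# dump actually completed before trusting it. The backup directory and the
# list of FreeIPA client files are assumptions; adjust them for your host.
set -eu

BACKUP_ROOT="${BACKUP_ROOT:-/root/pre-el8-backup}"

# mysqldump writes a "-- Dump completed on ..." trailer as its last line only
# when it finished; a dump cut short (disk full, connection dropped, Ctrl-C)
# lacks it. Check this before you delete the package that could regenerate it.
dump_is_complete() {
    tail -n 1 "$1" | grep -q '^-- Dump completed on '
}

# Files an enrolled FreeIPA client needs in order to come back after a
# reinstall without re-enrolling (assumed list; /etc/ipa and /etc/sssd matter most).
ipa_client_paths() {
    printf '%s\n' /etc/ipa /etc/sssd /etc/krb5.conf /etc/krb5.keytab \
        /etc/openldap/ldap.conf /etc/nsswitch.conf
}

backup_mariadb() {
    out="$BACKUP_ROOT/mariadb-all.sql"
    # --single-transaction: consistent InnoDB snapshot without locking tables.
    # --routines/--events/--triggers: objects a plain dump silently skips.
    mysqldump --all-databases --single-transaction --routines --events --triggers > "$out"
    dump_is_complete "$out" || { echo "dump incomplete: $out" >&2; return 1; }
}

backup_ipa_client() {
    # Archive only the paths that exist; tar aborts on a missing one.
    ipa_client_paths | while read -r p; do [ -e "$p" ] && printf '%s\n' "$p"; done \
        | tar -czf "$BACKUP_ROOT/ipa-client-etc.tgz" -T -
    hostname -f > "$BACKUP_ROOT/hostname.txt"   # the enrolled name, for the restore
}

# Do the work only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    mkdir -p "$BACKUP_ROOT"
    backup_mariadb
    backup_ipa_client
    echo "backups in $BACKUP_ROOT; take the VM snapshot, then remove the packages"
fi
```

Run it as root with `--run` before the package removals; the VM snapshot still covers the rest of the system, this just makes the database and the enrollment recoverable on their own.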

Monday Nov 8 VIRTUAL meetup

Hope y’all can make it. How’d you spend your weekend? I worked a bunch Saturday, made some hellacious progress on a project I’m involved in. Then I saw Dune with my kid on Sunday. Spent all the in-between time laser-burning holiday ornaments and taming my home network with Ansible, Zabbix and Observium.

An unnamed member left his bottle of Four Roses Single Barrel last week, and it’s taking a bit of restraint for me to ignore it. But the way I see it, liquor that’s brought to an in-person meetup is not a donation; it stays where it was left until the next in-person meetup.

These are the blanks I chose for the holiday ornaments:

https://amzn.to/3BWO4Ff

It’s a nice set, it comes with 100 ornament-shaped blanks that burn pretty evenly. On my engraver I have S-MAX set to 325 and a speed of 1000. The set also comes with string. Here’s an example of an ornament I burned with a photo of the UU Church in Leesburg:

Now that’s got me thinking I should make some DC540 ornaments. Open to suggestions for design.

Reminder: Costumes encouraged for tonight’s meeting

We’re meeting this evening in the usual space. You know, that place where we put that thing that time. Costumes are encouraged. Someone will probably live-stream it on Discord for those who can’t make it, but come on out.

Here’s the current CDC guidance on gatherings:

https://www.cdc.gov/coronavirus/2019-ncov/your-health/gatherings.html

Real-World Uses for Cyberdecks

Tonight I’m applying updates to my cyberdeck (CrowPi) in preparation for using it as a portable network stack build and rescue platform (PXE boot + ISO images and installers).

Sometimes you need to set up a new environment somewhere that doesn’t yet have Internet connectivity, or only limited connectivity. Maybe at a meetup.

It serves PXE clients with DHCP, TFTP and FTP. Maybe the menu includes an ESXi installer, a couple of Linux installers, a live ISO for rescues, DBAN for non-SSD emergencies. The sky’s the limit, right? Updated for the twenty-first century with support for UEFI clients.
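The piece that makes the "UEFI clients" part work is telling the DHCP server to hand a different boot program to a firmware that asks for one. As an added example (not the deck's actual configuration), here is a script that stages a dnsmasq config doing exactly that, plus a legacy menu and a GRUB menu; the interface, subnet, server address, TFTP root, repo URLs and the menu entries (Rocky 8 installer, rescue shell, DBAN) are all assumptions for a homelab or meetup network.

```shell
#!/bin/sh
# Added example, not part of the original post: stage the dnsmasq config and
# boot menus for a small DHCP+TFTP PXE server that hands legacy-BIOS clients
# pxelinux and UEFI clients GRUB. Interface, subnet, server address, the TFTP
# root and the menu entries (Rocky 8 installer, rescue shell, DBAN) are
# assumptions for a homelab or meetup network; the repo URLs are placeholders.
set -eu

build_pxe_tree() {
    root=$1     # staging directory (copy to /etc/dnsmasq.conf and /srv/tftp after review)
    server=$2   # the deck's IP on the PXE network, e.g. 192.168.50.1
    iface=$3    # interface to serve on
    net=${server%.*}

    mkdir -p "$root/tftp/pxelinux.cfg" "$root/tftp/EFI/BOOT"

    cat > "$root/dnsmasq.conf" <<EOF
interface=$iface
bind-interfaces
# Hand out leases ourselves. On a network that already has DHCP you don't
# control, replace this with "dhcp-range=$net.0,proxy" so dnsmasq only
# answers the PXE part of the exchange (proxyDHCP) and never leases addresses.
dhcp-range=$net.100,$net.200,12h
enable-tftp
tftp-root=/srv/tftp
# Clients advertise their architecture in DHCP option 93 (client-arch):
# 0 = legacy BIOS, 7 and 9 = x86-64 UEFI. Tag them and pick the NBP per tag.
dhcp-match=set:bios,option:client-arch,0
dhcp-match=set:efi64,option:client-arch,7
dhcp-match=set:efi64,option:client-arch,9
dhcp-boot=tag:bios,pxelinux.0
dhcp-boot=tag:efi64,EFI/BOOT/grubx64.efi
EOF

    # Legacy BIOS menu (syslinux). DBAN is BIOS-only, and on an SSD it is the
    # wrong tool anyway: use the drive's ATA secure erase instead.
    cat > "$root/tftp/pxelinux.cfg/default" <<EOF
DEFAULT menu.c32
PROMPT 0
TIMEOUT 300
LABEL rocky8
  MENU LABEL Rocky Linux 8 installer
  KERNEL rocky8/vmlinuz
  APPEND initrd=rocky8/initrd.img inst.repo=ftp://$server/rocky8 ip=dhcp
LABEL rescue
  MENU LABEL Rocky Linux 8 rescue shell
  KERNEL rocky8/vmlinuz
  APPEND initrd=rocky8/initrd.img inst.repo=ftp://$server/rocky8 inst.rescue ip=dhcp
LABEL dban
  MENU LABEL DBAN (spinning disks only)
  KERNEL dban/dban.bzi
  APPEND nuke="dwipe" silent
EOF

    # UEFI menu (GRUB 2, read by grubx64.efi from the directory it was loaded from).
    cat > "$root/tftp/EFI/BOOT/grub.cfg" <<EOF
set timeout=30
menuentry 'Rocky Linux 8 installer' {
  linuxefi /rocky8/vmlinuz inst.repo=ftp://$server/rocky8 ip=dhcp
  initrdefi /rocky8/initrd.img
}
menuentry 'Rocky Linux 8 rescue shell' {
  linuxefi /rocky8/vmlinuz inst.repo=ftp://$server/rocky8 inst.rescue ip=dhcp
  initrdefi /rocky8/initrd.img
}
EOF
}

# The staged tree still needs the binaries next to it: pxelinux.0, ldlinux.c32
# and menu.c32 from syslinux, grubx64.efi from grub2-efi-x64 (shim as well if
# clients have Secure Boot on), plus the kernel and initrd of each image.
if [ "${1:-}" = "--build" ]; then
    build_pxe_tree "${2:-./pxe-stage}" "${3:-192.168.50.1}" "${4:-eth0}"
    echo "staged under ${2:-./pxe-stage}"
fi
```

The proxyDHCP variant in the comment is the one to use at a meetup: it answers only the PXE options, so the deck never fights the venue's DHCP server for leases.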

But first, updating to the latest everything. Later, I’ll migrate the whole thing to a larger SD card and replace the Raspberry Pi 3B that came with it with a much more powerful 4B with 4GB of RAM.

Maybe even have a process watching the logs, and have certain events trigger LED matrix animations, buzzer and vibration activity, countdown timers on the clock, or display status on the small display. This’ll be a fun longer-term project.

Self-hosted Password Manager Round-up

Haven’t you ever set up a network for a specific project and wanted a simple way to manage passwords within the project network while sharing them between the project participants?

Don’t you hate/mistrust the cloud?

For this project, I did a quick rundown on a few available self-hosted password managers that can live inside a network enclave without involving the cloud.

1. PASSBOLT

I wanted Passbolt to work. Even after I found out the installer* isn’t available beyond CentOS 7 and won’t run under Rocky. Seriously, who uses a closed installer anymore?

So I built a C7 VM and let her rip. Flawless install, got all the way to the point of logging in, and then?

Fucking hell. It REQUIRES a BROWSER EXTENSION to browse the site. That’s a lot of trust you’re asking me to extend. It also requires an email address to validate users. This seems more like a cloud offering hastily made into a self-hosted offering. These are not features I want or need in a closed, self-hosted password manager.

2. BITWARDEN

I wanted to disqualify this one simply for deploying it in Docker. If you know me at all, you know I f’n HATE Docker. And the first set of instructions I found completely validated my hate.

But then I found this, which happens to be for the exact platform I’m working with. https://computingforgeeks.com/running-bitwarden-password-manager-using-docker-container/

Other than dealing with SELinux (either by disabling it or by poking holes in it) and using a different cert mechanism than those described, it was flawless, and I had a Bitwarden instance complete in about an hour.
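The two SELinux options mentioned above differ a lot in blast radius: disabling it removes the confinement that keeps a container off the rest of the host, while "poking holes" can be as small as one label. As an added example (not from the post or the linked guide), here is a triage helper that reads an AVC denial from the audit log and separates the common container case, where a bind-mount label fixes it, from denials that need a real policy review; the sample log lines are constructed and the /srv/bitwarden data path is an assumption.

```shell
#!/bin/sh
# Added example, not from the post or the linked guide: triage an SELinux AVC
# denial from a containerised service instead of reaching for setenforce 0.
# Most Docker-on-RHEL denials are label problems (container_t hitting a host
# directory never labelled for containers); those are fixed with a ":Z"
# bind-mount flag, not a policy change. Anything else goes through audit2allow
# for a look before any policy is loaded. The sample line below is constructed;
# the data path /srv/bitwarden is an assumption.
set -eu

# Extract one key=value field (scontext, tcontext, tclass, comm, name) from a
# line of `ausearch -m AVC` output.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# The SELinux type is the third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Prints "relabel" when a container domain was denied on a file or directory
# carrying a non-container label, "review" for everything else.
avc_fix_hint() {
    line=$1
    stype=$(ctx_type "$(avc_field scontext "$line")")
    ttype=$(ctx_type "$(avc_field tcontext "$line")")
    tclass=$(avc_field tclass "$line")
    case "$stype:$ttype:$tclass" in
        container_t:container_file_t:*) echo review ;;   # already labelled; something else is wrong
        container_t:*:file|container_t:*:dir|container_t:*:lnk_file) echo relabel ;;
        *) echo review ;;
    esac
}

# docker run volume flag: ":Z" makes the runtime relabel the host path
# container_file_t with this container's private MCS category (":z" = shared).
volume_flag() {
    printf '%s\n' "-v $1:$2:Z"
}

avc_triage() {
    line=$1
    hint=$(avc_fix_hint "$line")
    case $hint in
        relabel)
            echo "label problem on $(avc_field name "$line"); mount the data dir with"
            echo "  $(volume_flag /srv/bitwarden /data)"
            echo "or relabel it in place: chcon -Rt container_file_t /srv/bitwarden" ;;
        review)
            echo "not a plain label issue; read the explanation before allowing anything:"
            echo "  ausearch -m AVC -ts recent | audit2allow -w" ;;
    esac
}

# Constructed sample: a container's mysqld writing to an unlabelled host directory.
SAMPLE_AVC='type=AVC msg=audit(1636400000.123:4567): avc:  denied  { write } for  pid=2817 comm="mysqld" name="data" dev="dm-0" ino=131 scontext=system_u:system_r:container_t:s0:c317,c912 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0'
```

Feed it real lines with `ausearch -m AVC -ts recent`; a "relabel" verdict means SELinux was doing its job and the container simply needs its own directory labelled, which is the hole you actually want to poke.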

3. Anything file-based

Immediate automatic disqualification for being file-based. No matter how you share them, sharing them never works out.

4. Integrations

I noticed that NextCloud has a password manager app available for it. So that’s another valid option if it turns out we don’t like Bitwarden.

P.S. I still hate Docker.

Flying blind with network appliances

I was tasked with reclaiming some decommissioned network appliances. More specifically, some pretty decent Lanner appliances. Multiple ethernet interfaces, 16GB RAM, and a decent processor.

Fun, right? Well….

No access, no passwords. They have IPMI, but we don’t have passwords for that either.

We have access to serial, but all that gives us is access to BIOS, and then a boot failure, ostensibly because they’ve been wiped.

So I fought with this in several directions before coming up with a possible solution.

Wrestle with BIOS until I can get it to PXE boot. Set it to PXE from LAN0. Boot it, see what MAC address it comes up with. Add that MAC to my FOG server and deploy an image via FOG. In my case, I imaged it with Rocky Linux 8.4.

Then, because it’s still unconfigured, incomplete and flying blind, go back to serial, boot to the hard disk, edit the grub menu entry to add “console=ttyS0,115200” to the linux line, then let her rip. Sure enough, it’s now fully booting to serial and I’m able to IP it, set up permanent console redirection, make sure sshd is starting, and boom.
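The GRUB edit at the boot menu is one-shot; the next reboot (or the next kernel update) loses it unless it lands in the persistent config. As an added example, not the commands from the post, here is how the "permanent console redirection, sshd starting" step looks on a RHEL 8 family image; the port and baud rate are the post's, while the --apply switch, the grub.cfg paths and the use of grubby are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: make the one-off GRUB edit
# ("console=ttyS0,115200" on the linux line) permanent on the freshly imaged
# Rocky 8 appliance, bring up a login prompt on the serial port, and make sure
# sshd starts. The port and baud rate are the post's; the --apply switch, the
# grub.cfg paths and the use of grubby are assumptions for a RHEL 8 family box.
set -eu

SERIAL_PORT="${SERIAL_PORT:-ttyS0}"
SERIAL_BAUD="${SERIAL_BAUD:-115200}"

# True if a kernel command line (e.g. the contents of /proc/cmdline) already
# names the serial port as a console.
has_serial_console() {
    case " $1 " in
        *" console=$SERIAL_PORT,"*|*" console=$SERIAL_PORT "*) return 0 ;;
        *) return 1 ;;
    esac
}

# /etc/default/grub settings so grub2-mkconfig puts GRUB's own menu on the
# serial line too, not just the kernel's output.
grub_default_lines() {
    unit=${SERIAL_PORT#ttyS}   # ttyS0 -> unit 0
    printf '%s\n' \
        'GRUB_TERMINAL="serial console"' \
        "GRUB_SERIAL_COMMAND=\"serial --speed=$SERIAL_BAUD --unit=$unit --word=8 --parity=no --stop=1\""
}

apply_serial_console() {
    # grubby rewrites every installed kernel's boot entry (and GRUB_CMDLINE_LINUX),
    # so the argument survives kernel updates. Keep tty0 as well; the last
    # console= listed is the one that becomes /dev/console.
    grubby --update-kernel=ALL --args="console=tty0 console=$SERIAL_PORT,${SERIAL_BAUD}n8"

    # Replace any existing terminal settings rather than appending duplicates.
    sed -i '/^GRUB_TERMINAL=/d;/^GRUB_SERIAL_COMMAND=/d' /etc/default/grub
    grub_default_lines >> /etc/default/grub
    if [ -d /sys/firmware/efi ]; then
        grub2-mkconfig -o /boot/efi/EFI/rocky/grub.cfg
    else
        grub2-mkconfig -o /boot/grub2/grub.cfg
    fi

    # Login prompt on the port now and on every boot, and SSH for when the
    # box finally has an address.
    systemctl enable --now "serial-getty@$SERIAL_PORT.service"
    systemctl enable --now sshd.service
}

if [ "${1:-}" = "--apply" ]; then
    if ! has_serial_console "$(cat /proc/cmdline)"; then
        echo "note: this boot has no console=$SERIAL_PORT; changes take effect next boot" >&2
    fi
    apply_serial_console
fi
```

Run it as root with `--apply` over the serial session; after the next reboot both the GRUB menu and the login prompt show up on the console cable, so the next "wiped and passwordless" appliance never needs the manual menu edit again.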

I probably could have done mostly the same thing with a USB boot disk, but then I’m stuck doing a full install, whereas using FOG gives me an already-standardized image. Now I’ll be done with this stack in about two bourbons.

Monday In Person: 10/4 Good Buddy

We’re in person tomorrow. Likely someone will make it hybrid but I’ve proven useless at dividing my attention between virtual and IRL, so I tend to focus on the IRL. After all, that’s where the booze is.

Anyone who has come to previous meetings is welcome. If you’ve only met us virtually hit one of us up if you’re interested in attending. We prefer to vet strangers because it’s a private space.

Optionally, bring a snack or festive bevs to share. This seems to be shaping up to be one of the larger in-persons we’ve had in a while, this could be interesting.

Indoors vs outdoors is currently unknown. WX report indicates rain possibility around meeting time of around 50%. We can handle either, but if you can’t, that’s on you. Please be vaxxed and/or masked if indoors. None of us want the delta variant.

Activities: laser engraving, staring at psychedelic lighting, and badge thoughts for DC30.

Don’t be a dick.

Just Because I’m Paranoid…

Doesn’t mean they’re not out to get me.

So I ordered some more PCBs, what, ten days ago now. This evening after dinner I was thinking, “wow, I should have gotten a ship notice by now…” then, a few minutes later, it showed up. That’s not the paranoid part.

The shipping notice from the fab house was normal, package on the way via DHL, etc.

An hour or so later, I got a phishing email purporting to be from DHL.

I get lots of phishing emails. I’m not going to categorize them based on quality, because to me, almost all phishing emails are low effort.

But I think it’s strange that I, who normally only get DHL packages a couple of times per year, got a DHL phishing email within an hour or so of an actual DHL package being sent my way.

Now I’m not saying there’s a connection, but if there is a connection, then either:
1) Someone’s got access to the fab house records;
2) Someone’s got access to DHL records; or
3) Someone’s got access to the “Deliveries” tracking app. (I entered the tracking info into that app like I do every time I learn of a package enroute). I suspect this, the rogue phone app, is most likely.

If I’ve got any phishing expert mutuals that have anything to share, I’m all ears.

DC540 pizza night this evening

In the backyard. 6:30.
If anyone wants to try laser engraving, bring an image on a flash drive. 1.5″ round, or 2.5 x 3.5″ rectangle. Take home a souvenir of your obnoxious insensitive nerdy friends and their messy habits.
I’ll try to have the pizza show up around 7.

Closed the Meetup account for good today

Obviously DC540 lives on, but I really don’t feel like Meetup is worth the cost. They make it surprisingly obscure to shut down. The default is to “step down as organizer” allowing any rando who’s joined your group to take over. Anyhow, y’all can still find us here, wherever it is that you see this message.