Technical

Last modified by Mitchell on February 9, 2014, 10:39 PM

Category: Technical (23 posts)

Nov 26 2017

Not quite dead yet

Yes, it's been a while since I've updated anything here. I really should do more updates. 😋 I've worked on a few things, so will start scribbling things here in the meantime.

At the moment, I'm replacing my older server at home with an Intel NUC. While doing so, I was looking at installing Windows Server on my server as before... except that a few things have changed. For starters, since it's a 7th Generation Intel Core-based system, Windows Server 2012 R2 is no longer supported. Okay, I can deal with that... except that my preferred minimal server interface is no longer supported. Thanks?

So I suppose I'll end up running VMware ESXi there too. Except that there have been changes there as well, with VMware 6.5, where the native Windows client has been deprecated. Thanks? And on top of that, predictably, ESXi doesn't support the 7th Gen NUC out of the box. Fortunately, there are workarounds, but... bleh.

Just can't win, I guess...

Aug 06 2016

First Looks: Windows Subsystem for Linux

As I imagine you've probably read about, the Windows 10 Anniversary Update included the Windows Subsystem for Linux (WSL). I don't fully understand the technical details, but I would imagine they've implemented something along the lines of the Linux emulation layer included in FreeBSD. There's still a fair amount I have to poke around with, but there are a few interesting things I've noticed so far:

  • There doesn't seem to be an obvious location of where the virtual filesystem is (although, admittedly, I haven't tried that hard to find where it is, and pico processes don't seem to be introspectable by Process Explorer). It doesn't appear to be in the usual Windows Store package location (%USERPROFILE%\AppData\Local\Packages). Each user does have their own instance of the filesystem, though, so it can't be used as a sharing mechanism. I suppose on the bright side, lxrun.exe lets you reset your WSL installation in case you break it.
  • WSL isn't able to run Windows executables, interestingly. So it looks like no scripting your Windows tools with a Linux stack.

Jun 28 2016

1Password for Families

So I've been using KeePass for a while to manage my credentials. Somewhat recently, there was a kerfuffle involving an unencrypted check for updates. It wasn't so much that there was an issue that bothered me (everything has issues, including security software). What bothered me was the complete disregard for it as an issue, particularly since it's meant to be a piece of security software.

So what came up next was 1Password for Families, since I had a sibling who decided to go for it and let me opt in as well. Seeing as it's a commercial product that's been out for a while, you would think that they have it to the point where It Just Works, right?

Wrong.

  • The import process was fairly miserable. Sure, I understand that KeePass might not be a large target audience. But when their migration solution involves running a Perl script? I suppose ignoring Windows might be a strategy, but it doesn't strike me as a good one.
  • Once the import was complete, I tried to import the generated file. Like a good number of Windows users, I'm now on Windows 10... except the Windows store version of the app (required for Families) doesn't support imports. I guess Windows + Families users don't matter....
  • I ended up using a Mac OS X system to do the import. Almost every entry came in as a Login, which isn't a huge issue. Except that they, as a design decision, opted to not allow for converting between categories. I have almost 600 entries, and manually recreating those items isn't a pleasant option.
  • I have several items with attachments (e.g. 2FA where I've saved off the authenticator image so that I can have multiple synced authenticators). Except those aren't supported in Families; again, a design decision.
  • For a product that was initially built around saving off website credentials (like most of these applications), you would think that they would at least have that working great out of the gate. Except you'd be wrong, at least for Windows. For the current official releases, the browser plugins require the standard desktop application... that doesn't support Families. In somewhat fairness, the 1Password 6 beta adds support for this... almost six months after they launched Families.

Short version? Families (and likely Teams as well) was launched half-assed. Windows is a low priority for them (seeing as one of the most important features wasn't provided for half a year). Dealing with a product like this just doesn't make sense, so I'm going back to my usage of KeePass, where at least I know what to expect.

Jan 10 2016

More fun (or not) with VPN

So I had initially written about setting up VPN with Windows Server as the platform. But I then swapped over to Libreswan and Linux. Ironic or not, I've decided to switch back to using Windows Server for a couple of reasons:

  • It turns out that the problems I was having with routing were actually the fault of my personal wireless router, and not the platform. Switching to a custom firmware and setting my custom route there was actually necessary to get Libreswan/Linux working as well.
  • Debugging the Libreswan/Linux setup is easier, true. But only nominally so. And in return, the setup is considerably more complicated.
  • Perhaps most importantly, under the Libreswan/Linux setup, a given user could only have a single connection to the VPN. Under Windows Server, that restriction doesn't exist.

However, during that process, I also decided to switch around my home setup. Previously, I was running a domain controller as a Hyper-V host with an RRAS server as a client. The problem is that since the RRAS client comes up after the domain controller does, it doesn't always act correctly as a result. So, I decided to switch it around, and try to set up an RRAS server as the Hyper-V host, with the domain controller as a client. Except... this doesn't work properly. Honestly, I'm somewhat shocked that this bug has existed for over 3 years - I will admit that's one area where open source would (probably) not have let this bug live for this long. In this case, it resulted in me setting up a standalone Hyper-V host with two clients: the RRAS server coming up first, with the domain controller coming up later. *sigh*

Jun 18 2015

CentOS 7: Differences on the ground floor

As you might expect, CentOS 7 has its package differences from CentOS 6. What does it look like from the ground, though? There have been a number of changes, as you might expect.

Well, let's start with my base-level kickstart file which sets up a fairly minimal system:

Kickstarting a new image

I've decided to finally get around to setting up kickstart configuration files for my system images, since I've started investigating migrating over to CentOS 7. Kickstart, if you're not familiar with it, is a method of automating Linux installation and configuration, and is largely centered around the Red Hat-based distributions. While I was setting all of this up, I decided to also investigate whether it was worth switching from CentOS to Ubuntu Server, seeing as Ubuntu usage has passed CentOS and RHEL usage according to W3Techs (I suppose I could have looked at Debian as well, but for whatever reason it doesn't particularly appeal to me - possibly because it's not as marketable a job skill, for all that I don't really do this for a career?).

That said, I decided not to, for a couple of reasons:

  • The difference in how well they're documented is huge. Red Hat has a tremendous amount of documentation on setting up a kickstart installation compared to Ubuntu's preseed documentation (which seems to boil down to: take this undocumented file and it should work). Somewhat ironically, Debian has considerably better documentation.
  • Red Hat's installation process generates a kickstart configuration file (/root/anaconda-ks.cfg) that you can immediately turn around and feed back into a kickstart installation to get the same result, whereas the Debian documentation notes that their equivalent (debconf-get-selections --installer; debconf-get-selections) doesn't actually quite work (and I would expect that Ubuntu would follow in the same footsteps).
  • And, of course, I'm still better and more comfortable with Red Hat-based distributions than Ubuntu distributions, which matters for what is effectively a production deployment.

P.S. Yes, Ubuntu can also support kickstart installations, but it's a hacky process. I don't care that much.

Sep 01 2014

Tunnelling through the Internet

As mentioned in the previous post, I'm writing down some details concerning setting up a VPN, which can occasionally be quite useful, whether it be due to accessing the Internet from an insecure location or due to working around region restrictions. As before, I'm using Libreswan, along with xl2tpd and ppp. I'm also using winbind (part of the Samba project) in order to authenticate against a Windows domain.

Aug 17 2014

Finding a new route

Up until recently, I've been using RRAS (built into Windows Server) to handle my NAT/router needs on my VMware ESXi host. I had a couple of problems previously, and annoyingly, one of the things I had set up previously (subnet-to-subnet VPN) stopped working and I was unable to fix it, even after several days of kicking it around. So, I opted to replace it with a Linux option, using Libreswan as my IPsec software. One of the advantages (other than it being somewhat easier to debug odd issues) is that it's quite a bit simpler to add additional Linux systems to the subnet-to-subnet VPN, which I'm planning for later use.

The eventual plan is to combine the following into one system:

  • NAT/router
  • Subnet-to-subnet VPN (multi-site)
  • Host-to-subnet VPN (client)

This post will address the first two, and I'll cover the third at a later time.

Apr 30 2014

Checking DNS

While looking around to check if I might potentially be contributing to the DNS amplification problem, CERT pointed me at a pretty nifty site that checks a lot of other potential DNS issues: DNSInspect. It checks several different aspects related to nameservers (and a few besides), and generates a report that tells you what works, what doesn't, and what could potentially use some shoring up. It really likes IPv6 (although it doesn't hold it against you), but all in all, performs a considerable number of checks, including some I wasn't aware of (like that your MX records should point to A records, and not, for example, CNAMEs). I highly recommend checking it out if you're setting up a domain.

Apr 27 2014

Backup and running

The past few weeks have been pretty hectic, so I haven't had as much time to work on things as I'd prefer.

An important part of having a production-grade system is, naturally, having backups. It's remarkably possible to put together a semi-decent system with a little bit of effort. Some requirements:

  • Cross-platform support
    • I have Linux and Windows systems with data I need to back up.
  • Secure
    • No single system should have the ability to read the backups of all other systems.
  • Redundant
    • As much as possible, the backup system should tolerate failure.
  • Free
    • Okay, so I'm cheap. But this is a purely personal setup, so I'd like to minimize my investment (especially since a lot of the available options easily run over several thousand dollars!).
Created by Mitchell on February 9, 2014, 10:39 PM

This wiki is licensed under a Creative Commons 4.0 license