@smoser
smoser / ubuntu-cloud-virtualbox.sh
Last active April 2, 2024 21:07
example of using Ubuntu cloud images with virtualbox
## Install necessary packages
$ sudo apt-get install virtualbox-ose qemu-utils genisoimage cloud-utils
## get kvm unloaded so virtualbox can load
$ sudo modprobe -r kvm_amd kvm_intel
$ sudo service virtualbox stop
$ sudo service virtualbox start
## URL to most recent cloud image of 12.04
$ img_url="http://cloud-images.ubuntu.com/server/releases/12.04/release"
@smoser
smoser / .gitignore
Last active April 1, 2024 07:38
cloud-init ubuntu nocloud example with network config
*.img
*.raw
@smoser
smoser / README.md
Last active March 29, 2024 07:19
set up a ssh tunnel only user for ssh proxy jump

Set up a ssh tunnel only user

In order to give someone access to hosts that are available only by ssh "bouncing" (ProxyJump), add a user for this specific purpose.

We have an internal openstack where instances get IPs on per-tenant networks. Each tenant has a 'bastion' host that has a "public" ip (floating ip). You can access other instances by bouncing through the bastion. From time to time I want to let someone else into an instance. This could be done either with:

a.) just give them shell access to the bastion and let them hop through. Sharing an unrestricted shell account on my bastion is less than ideal.
b.) assign a floating/"public" IP to the instance so they could go directly in. Floating IPs are limited, so this is less than ideal.

So instead, I have set up a single user as described here that can only be used for ProxyJump. It allows others proxied access to my instances but without granting them full shell access.

@smoser
smoser / README.md
Last active March 11, 2024 09:05
suspend-then-hibernate and ubuntu 22.04

suspend-then-hibernate on Ubuntu 22.04

Recently I have had the opportunity/necessity to use Windows for a bit. Windows, especially with WSL (Windows Subsystem for Linux), is much better than it used to be. One thing that I really liked was "suspend to hibernate".

When closing the lid on the laptop, the system would suspend, and then after some time it would power off. This is really nice behavior for someone who often comes back to a laptop they suspended a couple of days ago and finds that it has no power.

So... How to do that on Linux? Specifically Ubuntu 22.04.

@smoser
smoser / README.md
Last active March 6, 2024 18:11
qemu to linux mapping of smbios / dmi information

Mappings for DMI/SMBIOS to Linux and dmidecode

Information can be put into dmi tables via some qemu-system hosts (x86_64 and aarch64). That information is exposed in Linux under /sys/class/dmi/id and can be read with dmidecode. The names are very annoyingly inconsistent. The point of this doc is to map them.

Mappings

Example qemu cmdline:

qemu-system-x86_64 -smbios type=<type>,field=value[,...]

qemu-system-x86_64 -smbios type=0,vendor=superco,version=1.2.3
@smoser
smoser / README.md
Last active February 14, 2024 15:36
catch-fail - trap failure and sleep so as to enter a melange build for debug

catch-fail - trap and sleep to enter a melange build for debug

Usage: catch-fail op

   catch-fail is used to help debug a melange build.  In a 'run' section
   you can add at the top:

      eval $(/home/build/catch-fail eval-trap 1h)
@smoser
smoser / 91smoser-schroot-setup
Last active February 14, 2024 13:25
custom sbuild / schroot setup.
#!/bin/sh
# https://gist.github.com/smoser/14df5f0cd621e10d2282d7c90345e322
# This is /etc/schroot/setup.d/91smoser
# I use it to apply local updates to schroots.
# make sure it is executable (chmod +x).
# Things it does:
# a.) sets proxy inside. If apt proxy is configured outside, it will
# apply that inside.
# b.) uses a portion of 'apt-go-fast'
# https://gist.github.com/smoser/5823699/
@smoser
smoser / README.md
Last active January 12, 2024 20:07
stubby talk at All Systems Go conference September 2023.

All Systems Go 2023: Kernel command line and UKI; systemd-stub and the ‘stubby’ alternative

This talk was given 2023-09-14 in Berlin at the All Systems Go 2023 conference. It is available online from all-systems-go conference here.

Abstract

Modification of the kernel command line has historically been one of the easiest ways to customize system behavior. Bootloaders allow for persistent changes via config-files and on-the-fly changes interactively during system boot.

System behavior changes made via the kernel command line are not limited to the kernel itself. Userspace applications from installers to init systems and beyond also take input from /proc/cmdline.

It is clear that some kernel command line options are desirable (console=ttyS0 verbose) and possibly even necessary. Others, such as the cromulent 'init=/bin/sh', can allow circumvention of benefits that Secureboot and TPM provide.

@smoser
smoser / README.md
Last active January 12, 2024 14:31
yubikey / gpg

Yubikey and GPG setup

A change in process at work meant that internal IT would be managing my work-provided laptop. While I do not expect management to leak any personal sensitive data that was on the machine, it does represent an increase in the potential for such a thing to happen.

I bought a Yubikey (5c). The goal was to store "personal" GPG and SSH credentials on the yubikey so that they would not be available to a compromised system, or inadvertently get backed up.

The setup seems to work pretty well. Here is what I did.

@smoser
smoser / README.md
Last active November 20, 2023 18:56
lp-add-user: add a local user by launchpad or github name and import keys. lp-authorized-keys: use AuthorizedKeysCommand to let user in.

lp-add-user or github-add-user

Add a local user to the system and populate the user's ssh authorized keys with the keys on GitHub or Launchpad.

usage: lp-add-user [-h] [--dry-run] [--sudo] [--verbose] user [ruser]

Add a user with, keys from launchpad or github.

positional arguments:
  user           the local username

  ruser          the launchpad username (default to lp:). Format is