
Using post-quantum cryptography Kyber / ML-KEM (X25519MLKEM768) with the Open Quantum Safe library and HAProxy

Introduction

Google recently published a new blog post on Kyber. Let's try getting ML-KEM / Kyber working in Google Chrome 131 and Firefox Nightly 133.

OpenSSL 3+ exposes an API for providers that allows us to compile only the provider instead of having to recompile the application itself.

Disclaimer

liboqs is …


Why developers doing devops without supervision ends up in disaster

Introduction

Here's a fun little thing that happens between a more ops-oriented system administrator and developers. Considering the crap colleges produce every year, there are more and more people with fancy degrees that don't mean anything who manage to wrest the permissions to publish releases from the Ops crowd. Of …


Kernel livepatching on Fedora part 2

Introduction

This blog post uses Fedora 40 and the 6.10 kernel. The focus is to get the technology working on a 'real' system via a series of experiments. Serial experiments help build up the knowledge, experience, tooling etc. to handle real-world use-cases.

In this part we'll try using the Fedora-native …


Factorio DevOps lessons

Introduction

This awesome paper https://web.mit.edu/nelsonr/www/Repenning=Sterman_CMR_su01_.pdf indicates that for the chemical industry, there was a need to create a game scenario for participants to understand how the optimal strategy behaves over longer periods of time. The paper is awesome, however, the lessons are …


KeyDB active-active replication issues

Introduction

KeyDB sounds like a viable Redis alternative in 2024; however, there are issues with how active-active replication works. It mostly boils down to issues with reconciling data when writes arrive at both instances. https://en.wikipedia.org/wiki/Conflict-free_replicated_data_type is a good introductory read.

The relevant issues

The relevant …


Lessons from the OceanGate disaster

Introduction

There was a lot of coverage around the Titan submarine, but most of it wasn't very useful. The only useful newspaper article I have found is: https://www.vanityfair.com/news/2023/08/titan-submersible-implosion-warnings

I highly recommend reading it in full.

Some of the key highlights

Some key takeaways …


Kernel livepatching on Fedora part 1

Introduction

This blog post uses Fedora 40 and the 6.10 kernel. The focus is to get the technology working on a 'real' system via a series of experiments. Serial experiments help build up the knowledge, experience, tooling etc. to handle real-world use-cases.

Kernel livepatching is a nice technology that doesn't …


Unpacking img files ubuntu

Introduction

This is an example of how to unpack an image and access the files from an img file. The problem is that depending on the actual file, different procedures (and tools) need to be used.

Preparation

An Ubuntu 22.04 cloud image from https://cloud-images.ubuntu.com/jammy/current …


GitLab locks security features behind paywall

Introduction

One of the more fun things in 2024 is evaluating software for use as part of a CI/CD pipeline. I think that kicking off a CI/CD pipeline should involve some kind of human intervention in the form of a person with a GPG smartcard, or an HSM-powered …


Resetting a YubiKey

Introduction

There might be a time when you'll need to purge a YubiKey without access to your GPG stubs (or if you want to avoid importing them). In this case the method below works, even though googling won't reveal it at first glance. In short, the procedure involves entering a PIN …


Testing if core dumps are enabled correctly

The problem

Core dumps are extremely useful for debugging purposes. However, it is often non-trivial to enable them, as many production systems require twiddling with some configuration options to get core dumps working (most notably, the kernel.core_pattern sysctl, and the core file size settable with ulimit -c <some value …


Signing RPM packages with subkeys on RHEL7

The problem

RHEL7 doesn't support signing RPM packages with GPG subkeys. The tooling will however allow you to shoot yourself in the foot, allowing you to sign a package with a subkey no problemo.

It is only when you attempt to install the package on a RHEL7 system that the …


One-off ansible bootstrapping playbooks

The case for simple playbooks

For my private infrastructure it doesn't make sense to create full-blown Ansible roles unless I'm showing off. Therefore I use a set of simple Ansible playbooks that do one thing and cover the most common tasks. These playbooks are mostly intended to make the new …


Disclaimer and terms of use

Disclaimer

All views expressed on this site are my own and do not represent the opinions of any entity whatsoever with which I have been, am now, or will be affiliated.

The author is not to be held responsible for your use of the information contained in or linked from …


Compiling HAProxy from source on Fedora

Introduction

Since I always forget to write down all the dependencies and make options, here are my scribbly notes on how to compile HAProxy on Fedora 29/Fedora 30.

Where to get the source

The GitHub URL is a mirror of the main repository and doesn't contain the other branches …


Ad-hoc Ansible for infrastructure navigation

Introduction

The official definition for Ansible is the following:

Ansible is a radically simple IT automation engine that automates
cloud provisioning, configuration management, application deployment,
intra-service orchestration, and many other IT needs.

Or, explained simply, Ansible is SSH on steroids wrapped in Python+YAML bubblewrap to prevent sysadmins from …


Contact

Email:

  • bhenc { at } ceresia . ch

IRC:

GitHub: brhenc

Gitlab: brhenc

© Bruno Henc.