Category Archives: Linux

Note to self: Even Rocky 9.2 uses bridge-utils

Sometimes I decrypt LUKS volumes via dracut/dropbear (ssh). To enable this I follow the instructions from the dracut-ssh project. However, since I usually use my Linux boxes as hypervisors, and VMs need a bridge, I end up with bridged networking.

Now for the problem: if your dracut networking config does not align with your normal post-dracut networking, you end up with a weird blending of the two. So to avoid this I just keep dracut the same, building my bonds/bridges in dracut to match the normal configuration.

Here’s a sample portion of my /etc/default/grub:

rd.neednet=1 ip=10.10.2.2::10.10.0.1:255.255.240.0:server-2:bridge0:none:8.8.8.8 bridge=bridge0:enp47s0

This all works well, so long as you are sure to install bridge-utils – otherwise dracut silently fails.

yum install -y bridge-utils

Be sure to rebuild your dracut initramfs:

dracut --force --regenerate-all
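A sanity check for the two parameters above, added here as an example (not part of the original post): it parses the ip= and bridge= tokens the way dracut splits them and refuses if the interface named in ip= is not the bridge that bridge= builds. The sample command lines are constructed from the post; in real use you would feed it GRUB_CMDLINE_LINUX from /etc/default/grub or /proc/cmdline.

```shell
# Sanity check for a dracut network command line: the interface named in ip=
# must be the bridge that bridge= builds, otherwise the initramfs brings up
# one interface and the booted system another.
# Constructed sample from the post (in real use, read GRUB_CMDLINE_LINUX from
# /etc/default/grub or /proc/cmdline instead).
SAMPLE_CMDLINE='rd.neednet=1 ip=10.10.2.2::10.10.0.1:255.255.240.0:server-2:bridge0:none:8.8.8.8 bridge=bridge0:enp47s0'
# Constructed mismatch: ip= still points at bridge0 but bridge= creates br0.
MISMATCH_CMDLINE='rd.neednet=1 ip=10.10.2.2::10.10.0.1:255.255.240.0:server-2:bridge0:none:8.8.8.8 bridge=br0:enp47s0'

# Print the value of key=value token $1 in command line $2; fail if absent.
cmdline_get() {
    for tok in $2; do   # unquoted on purpose: split the command line on whitespace
        case "$tok" in
            "$1="*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Return 0 and print a one-line summary when the dracut network settings are
# consistent; return 1 with a diagnosis otherwise.
check_dracut_bridge() {
    cmdline=$1
    [ "$(cmdline_get rd.neednet "$cmdline")" = 1 ] ||
        { echo "rd.neednet=1 missing: dracut will not configure the network"; return 1; }
    ipspec=$(cmdline_get ip "$cmdline") || { echo "no ip= parameter"; return 1; }
    brspec=$(cmdline_get bridge "$cmdline") || { echo "no bridge= parameter"; return 1; }
    # ip=<client-IP>:[<peer>]:<gateway-IP>:<netmask>:<hostname>:<interface>:<autoconf>[:<dns1>[:<dns2>]]
    iface=$(printf '%s\n' "$ipspec" | cut -d: -f6)
    autoconf=$(printf '%s\n' "$ipspec" | cut -d: -f7)
    # bridge=<bridgename>:<ethname>[,<ethname>...]
    brname=${brspec%%:*}
    members=${brspec#*:}
    if [ "$iface" != "$brname" ]; then
        echo "ip= configures '$iface' but bridge= builds '$brname'"
        return 1
    fi
    echo "ok: $brname over $members (autoconf $autoconf)"
}

# dracut's bridge support needs bridge-utils; without it the bridge is silently
# not built. Return 0 when brctl is on PATH.
bridge_utils_present() {
    command -v brctl >/dev/null 2>&1
}

check_dracut_bridge "$SAMPLE_CMDLINE"
bridge_utils_present || echo "warning: brctl not found; install bridge-utils before running dracut"
```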

Voila! Fin.

Probably time to dump Redhat

Late in 2020 Redhat made its first attempt to kill CentOS. Then came the heroic rescue of Alma and Rocky distros. Now just last month, June 2023, Redhat is attempting to kill these “downstream distros.” They – wrongly, I might add – assert “recently, we have determined that there isn’t value in having a downstream rebuilder.”

We could argue with Redhat or just move on. There are other distros. But the tragedy here is that Redhat is missing the entire point of open source. Everyone contributing anything that worked on CentOS was bolstering Redhat’s offering. It is arrogant for anyone, Redhat included, to view the community as a bunch of freeloaders. Open source isn’t narrowly defined as sharing of code – it is a community of sharing. In that light Redhat is saying they are done sharing. So they are done with open source. So I am done with them. Time to move on.

The only question now is which distro will be used next. In the past I’ve avoided other distros because there was simply no compelling reason to switch. There is now a reason to switch. Perhaps Ubuntu or Debian? Arch?

Goodbye Redhat – have a good time sliding further into irrelevance.

Ubiquitous Encryption with GPG

Because it’s easy, and because it provides so many benefits, I now try to use encryption everywhere. GPG is my tool of choice; I actually don’t even know what other options there are. Here are some things I have found to be useful:

  • Password management. I use the pass application for this. After installing gpg, I just do a “pass init <keyid>” and from there I am good to go. I use qtpass as a graphical frontend. The way this works is as follows: you add a password with “pass insert blah”, which then asks you for the password to store. Later you can ask for the password by typing “pass blah”. Storing passwords sure is a good idea, but even better is to just have pass generate good ones for you. To do this I type “pass generate foobar 12” and a 12-char password is generated and stored. Now I can have unique passwords for all my websites, and pass will remember them. The one thing that weirded me out is that after unlocking any password I could get at any others without entering my passphrase. This worried me a bit because it looked like you only had to unlock things once and then they remained unlocked. Turns out it was because gpg-agent is running and caching the passphrase for up to 10 min (the default). I figure it’s OK to leave things open for 10 min; in fact it essentially means that if you’re checking a lot of websites and you don’t remember their passwords, you don’t have to keep typing your passphrase over and over.
  • GPG also has great integration into Mac OS X. I use this for mail and file encryption. For mail, it lets me sign all my emails, regardless of where they go. If the recipients are also using encryption, I can encrypt the messages. When I receive an encrypted email I can decrypt it, etc. It’s literally 1-button email encryption for free. Not bad!

As for my philosophy: rather than “why encrypt?”, I think the burden is more on people to answer “why not encrypt?” It takes almost no effort, and the benefit is that emails sent directly to you are no longer viewable by anyone else along their way.