If you have warning messages coming from apt about an invalid signature verification and EXPKEYSIG, then it is likely that a signing key for one of the remote apt repo has expired. Below is an example coming from an expired podman package at the “download.opensuse.org” repo. W: An error occurred during the signature verification. The … Ubuntu: fixing apt invalid signature warnings
If you have Dropbox installed on your Linux desktop and have recently started seeing this warning message from apt: http://linux.dropbox.com/ubuntu/dists/disco/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details This can be resolved by adding the Dropbox PGP key to the ‘signed-by’ of the apt repo definition (as … Ubuntu: fix apt warning for Dropbox with key in legacy keyring
Mike Farah’s yq yaml processor has a a rich set of operators and functions for advanced usage. In this article, I will illustrate how to update a deeply nested element in yaml. Install yq Here are the steps for installing the latest yq on Snap enabled systems like Ubuntu/Debian. See the notes at bottom if … yq: update deeply nested elements in yaml
Mike Farah’s yq yaml processor has a a rich set of operators and functions for advanced usage. In this article, I will illustrate how to take a block of yaml from one file to populate a specific location in another. Install yq Here are the steps for installing the latest yq on Snap enabled systems … yq: replace section of one yaml file with content section of another
Gitlab has an official CLI tool that allows you to perform many of the operations you may currently perform in the web UI. Among its many uses, the ‘glab‘ utility will allow you to fork repositories, manage issues, merge PR, and create releases all from the console for ease of use or automation. Below I … GitLab: glab official CLI tool for repository operations
Github Actions provide the ability to define a build workflow based on Github repository events. The workflow steps are defined as yaml and can be triggered by various events, including a code push, branch, or tagging in the repository. In this article I will detail the steps of creating a statically-linked GoLang binary that when … Github: automated build and publish of containerized GoLang app with Github Actions
Github Actions provide the ability to define a build workflow directly in Github. The workflow steps are defined as yaml and can be triggered by various events, including a code push, branch, or tagging in the repository. In this article I will detail the steps of creating a statically-linked GoLang binary that is automatically built … Github: automated Github release of GoLang binary using Github Actions
Python issues warning messages to users when an exception or halting the program is not warranted but there is still useful information that should be relayed to the end user. Instead of following your first instincts to suppress these warnings you should instead resolve the root issue. However, if you already understand the problem and … Python: suppressing warnings from Python applications
If you are using Linux with graphical X interface and need to copy to the clipboard, the ‘xclip‘ utility works similar to ‘pbcopy’ on a Mac terminal and will place the content unto your clipboard. Here is the basic usage: sudo apt install xclip -y # copies to clipboard echo “hello” | xclip -selection clipboard … Linux: xclip to place content on the clipboard
A Gradle Exec task will only run the last ‘commandLine’ defined inside its block. Putting multiple entries inside its block will not run multiple commands. As an example, if you run the following Gradle task. task willOnlyRunLast(type: Exec) { commandLine “echo”, “first” commandLine “echo”, “second” commandLine “echo”, “last” } The task above will only echo … Gradle: running more than one command in an Exec task
Github Actions provide the ability to define a build workflow directly in Github. The workflow steps are defined as yaml and can be triggered by various events, including a code push, branch, or tagging in the repository. In this article I will detail the steps of creating a simple Spring Boot web application that when … Github: automated Github release for Spring Boot jar using Github Actions
Github Actions provide the ability to define a build workflow directly in Github. The workflow steps are defined as yaml and can be triggered by various events, including a code push, branch, or tagging in the repository. In this article I will detail the steps of creating a simple Spring Boot web application that when … Github: automated build and publish of containerized Spring Boot app using GitHub Actions
The GitHub “Release” page for a repository can provide your consumers a convenient way to download a binary version of your software as well as track the latest changes and enhancements. In this article, I will show how to invoke a local release process for a Java Spring Boot jar built with Gradle. A new … Github: locally invoked release process for a Gradle built Java Spring Boot project
The GitHub “Release” page for a repository can provide your consumers a convenient way to download a binary version of your software as well as track the latest changes and enhancements. In this article, I will show how to invoke a local release process for a Go language binary. A new Github release will be … Github: locally invoked release process for a Go binary
The Go language with its simplicity, concurrency support, rich package ecosystem, and ability to compile down to a single binary is an attractive solution for writing services on Ubuntu. However, the Go language does not natively provide a reliable way to daemonize itself. In this article I will describe how to take a couple of simple Go language programs … GoLang: Running a Go binary as a systemd service on Ubuntu 22.04
The Go programming language consistently ranks as one of the most popular languages in developer surveys. In fact, Kubernetes as well as most of the CNF projects are written in Go. And it compiles down to machine code, which has made it popular in containers like Docker where a single executable binary fits the execution model … GoLang: Installing the Go Programming language on Ubuntu 22.04
If you need to quickly standup a secure HTTPS server on a machine, perhaps to validate that a client is sending the proper method or parameters, the socat utility can assist. In this article we will use “socat.local” as the FQDN of our certificate and host. Maybe you already have a pem key+certificate for this … Linux: socat used as secure HTTPS web server
In environments where certificates are manually deployed, reloading TLS certs is often only done annually when the certificate is near expiration. This long lapse in time often means that someone else has inherited the task of renewal, and the original key in use may even be in question. Luckily, openssl provides a way to validate … Linux: openssl to validate whether private key and TLS certificate match
sed is an excellent utility for doing substitutions, but if you need to work across multiple files, then you need to pair it with a command that can provide a list of candidate files. This is where find comes in handy. For example, to replace all instances of ‘zebra’ with ‘horse’ recursively in the current … Linux: sed to replace across multiple files in directory
When using a private key on the client to ssh into a remote server with the matching public certificate in ~/.ssh/authorized_keys, a common failure message from the client is: Permission denied (publickey) The most common reasons for this is private key permissions issues (chmod 600), a misconfiguration of authorized_keys, or trying to send the wrong … Linux: ssh-keygen to check whether ssh private key and public cert are keypair
Starting with Kubernetes client 1.22, you may start seeing warning messages about your authentication mechanism when running commands. Here is an example when using gcloud for GKE cluster credentials. WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.26+; use gcloud instead. This is because the authentication provider-specific login code will be removed … GCP: fix kubectl auth plugin deprecation warning by installing new auth plugin
GCP Compute VM Instances can be set to run as a service account with API scopes that allow specific operations to be performed. If you need to change the service account or the scopes, you will need to power down the VM instance, make the changes, and then start the VM instance up again. Here … GCP: gcloud to change VM instance service account and API scope
If you are scripting a set of gcloud commands, there is a good chance that it is within a Bash script. While some Bash loops can be driven by a single variable, sometimes you need access to multiple variables within the loop. In this article I will show you can drive a Bash loop requiring … GCP: gcloud csv format with no-heading for Bash parsing
Anthos Identity Service allows an organization to tie into their existing Identity Provider to authenticate and authorize users into their Anthos clusters. In this article, I will show how the authentication for an Anthos on VMware cluster can be integrated into an existing Active Directory deployment, and further how a user’s AD group membership can … GCP: LDAP authentication for Anthos VMware clusters using Anthos Identity Service
When GCP operations fail due to permissions issues, checking the IAM roles assigned to a user, group, or service account becomes a necessity. When hierarchical projects and organizations are involved it becomes even more complex. This article will show you how to use gcloud at the project and organization level to pull IAM policies for … GCP: listing IAM roles for user, group, and service account in project and organization
The ClientAliveInterval and ClientAliveMaxCount settings in “/etc/sshd/sshd_config” work together to control the timeout value of an ssh session on the server side. But under BASH, to keep idle client sessions from timing out, you also need to set the ‘TMOUT’ variable or you will see messages like below when disconnected. timed out waiting for input: … Bash: extend timeout for idle ssh sessions using TMOUT
Before Kubernetes 1.24, the creation of a KSA (Kubernetes Service Account) would also create a non-expiring secret, where the token controller would generate a token that could be used to authenticate into the API server. As a quick example of the legacy behavior on Kubernetes < 1.24, notice how the creation of a service account … Kubernetes: KSA must now create secret/token manually as of Kubernetes 1.24
When orchestrating a playbook against multiple hosts, you may need to pull facts from one host in order to feed those values to another host. For example, a database master may need to provide its IP address to its many replicas, or a CA certificate from a controller may need to be distributed among its … Ansible: accessing a fact from a different host using cached facts
In this article I will demonstrate how to create an Ubuntu 22 template in vCenter. Then use Terraform to create a vSphere VM based on this template. The VM template creation is done by manually stepping through the Ubuntu server ISO installation wizard, followed by a set of preparation steps. Then Terraform is used to … Terraform: creating an Ubuntu 22 template and then guest VM in vCenter
Anthos GKE on-prem is a managed platform that brings GKE clusters to on-premise datacenters. This product offering brings best practice security measures, tested paths for upgrades, basic monitoring, platform logging, and full enterprise support. Setting up a platform this extensive requires many steps as officially documented here. However, if you want to practice in a … Kubernetes: Anthos GKE on-prem 1.13 on nested VMware environment
If you are creating a log file or perhaps an archive directory, it can be a convenience to end users to use a sortable timestamp in the file name itself, similar to “YYYYMMDD-HHMMSS”. This allows them to easily find the file relevant to their needs. Here are a couple of ways to implement this logic … Ansible: embedding a timestamp in a file name
Migrating from one Python 3.x version to a newer 3.x minor version seems like it would just be a simple ‘apt install’ of the latest Python package. But you most likely have pip modules installed at a version specific ‘dist-packages’ or ‘site-packages’ directory, and those modules have to be freshly installed into the newer version … Python: migrating pip modules to newer Python version on Ubuntu
In order to expose KVM virtual machines on the same network as your bare-metal Host, you need to enable bridged networking. In this article, I’ll show how to implement KVM bridged networking on Ubuntu 22.04 using Netplan. This bridged network will expose the KVM Guest OS as a peer on the upstream network, with no … KVM: Creating a bridged network with NetPlan on Ubuntu 22.04
Google’s API supports OAuth2 and OIDC, and can be used to both authenticate and authorize users. In this article, I will show how to use the Google web console to configure an Application that can support OAuth2/OIDC. We will then use a small, local Docker image to implement the Client Application side and smoke test … OAuth2: Configuring Google for OAuth2/OIDC
Github allows users or systems to access their API via OAuth2. Although this mechanism is often used on the public internet for authentication of users into a 3rd party site, note that OIDC is not implemented. In this article, I will show how to use the Spotify Dashboard to configure an Application that can support … OAuth2: Configuring Github for OAuth2
Spotify allows users or systems to access their data and features via OAuth2. Note that this is not intended for centralized authentication, and does not implement OIDC. In this article, I will show how to use the Spotify Dashboard to configure an Application that can support OAuth2. We will then use a small, local Docker … OAuth2: Configuring Spotify for OAuth2
okta is an Identity and Access Management solution that can be used to provide OAuth2 and OIDC authentication and authorization to your applications. In this article, I will show how to use the okta Dashboard to configure a hosted okta Application that can support OAuth2/OIDC. We will then use a small, local Docker image to … OAuth2: Configuring okta for OAuth2/OIDC
The ‘kubectl cp‘ command is a convenient way to get files into and out of remote containers, however it requires that the ‘tar’ utility be installed inside the container. There are many images that have removed this utility because of the identified security vulnerability, while others have removed it due to the adoption of the … Kubernetes: copying files into and out of containers without ‘kubectl cp’
Keycloak is an open-source Identity and Access Management (IAM) solution that can be used to provide authentication and authorization to your enterprise applications. One of the many protocols it supports is OAuth2/OIDC. One of the easiest ways to deploy Keycloak is directly into your Kubernetes cluster, exposed securely with an NGINX Ingress. In this article, … Kubernetes: Keycloak IAM deployed into Kubernetes cluster for OAuth2/OIDC
Flask OIDC is an extension to the popular Flask web framework that enables OAuth2/OIDC for your application. The base project does not support ADFS, but I have create a personal fork of this module that supports Windows 2019 ADFS as the OAuth2 Authentication Server. In this article, we will exercise the OAuth2 Authorization Code flow. … Python: Flask-OIDC protecting Client App and Resource Server using Windows 2019 ADFS