Dietrich Schroff

Subscribe to Dietrich Schroff feed
Dietrich Schroff
Updated: 2 days 16 hours ago

Firefox on Linux: password field flickering / curser blinks...

Sat, 2019-07-20 07:53
After upgrading to firefox 68 i was not able to enter the password (and configuration password) field in online registrations.
The cursor in the password fields kept flickering/blinking and on some pages firefox completely freezes.
With other browsers this does not happen, but i wanted to stay with firefox.

The solution was starting firefox with an additional environment variable:

GTK_IM_MODULE=xim firefox

apt-get install aspnetcore-runtime-2.2 fails on ubuntu: workaround with snap

Sun, 2019-07-14 05:10
Two week ago i tried to install a microsoft tool on my linux laptop and i got the following error:
So i tried:

apt-get install aspnetcore-runtime-2.2
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
Einige Pakete konnten nicht installiert werden. Das kann bedeuten, dass
Sie eine unmögliche Situation angefordert haben oder, wenn Sie die
Unstable-Distribution verwenden, dass einige erforderliche Pakete noch
nicht erstellt wurden oder Incoming noch nicht verlassen haben.
Die folgenden Informationen helfen Ihnen vielleicht, die Situation zu lösen:

Die folgenden Pakete haben unerfüllte Abhängigkeiten:
aspnetcore-runtime-2.2 : Hängt ab von: dotnet-runtime-2.2 (>= 2.2.5) soll aber nicht installiert werden
E: Probleme können nicht korrigiert werden, Sie haben zurückgehaltene defekte Pakete.

A quick workaround was to use the dotnet snap package:
snap install dotnet-sdk --classic
And then to a link from /usr/bin/dotnet to /snap/dotnet...:
$ ls -l /usr/bin/dotnet 
lrwxrwxrwx 1 root root 31 Jun 23 20:56 /usr/bin/dotnet -> /snap/dotnet-sdk/current/dotnet

Ubuntu Server: How to activate kernel dumps

Fri, 2019-06-21 14:25
If you are running ubuntu server, you can add kdump on your system to write kernel dumps in case of sudden reboots etc.

Installing is very easy:
root@ubuntuserver:/etc# apt install linux-crashdump
Reading package lists... Done
Building dependency tree      
Reading state information... Done
The following additional packages will be installed:
  binutils binutils-common binutils-x86-64-linux-gnu crash kdump-tools kexec-tools libbinutils libdw1 libsnappy1v5 makedumpfile
Suggested packages:
The following NEW packages will be installed:
  binutils binutils-common binutils-x86-64-linux-gnu crash kdump-tools kexec-tools libbinutils libdw1 libsnappy1v5 linux-crashdump makedumpfile
0 upgraded, 11 newly installed, 0 to remove and 43 not upgraded.
Need to get 2,636 B/5,774 kB of archives.
After this operation, 26.0 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 bionic-updates/main amd64 linux-crashdump amd64 [2,636 B]
Fetched 2,636 B in 0s (28.1 kB/s)    
Preconfiguring packages ...
Selecting previously unselected package binutils-common:amd64.
(Reading database ... 66831 files and directories currently installed.)
Preparing to unpack .../00-binutils-common_2.30-21ubuntu1~18.04_amd64.deb ...
Unpacking binutils-common:amd64 (2.30-21ubuntu1~18.04) ...
Selecting previously unselected package libbinutils:amd64.
Preparing to unpack .../01-libbinutils_2.30-21ubuntu1~18.04_amd64.deb ...
Unpacking libbinutils:amd64 (2.30-21ubuntu1~18.04) ...
Selecting previously unselected package binutils-x86-64-linux-gnu.
Preparing to unpack .../02-binutils-x86-64-linux-gnu_2.30-21ubuntu1~18.04_amd64.deb ...
Unpacking binutils-x86-64-linux-gnu (2.30-21ubuntu1~18.04) ...
Selecting previously unselected package binutils.
Preparing to unpack .../03-binutils_2.30-21ubuntu1~18.04_amd64.deb ...
Unpacking binutils (2.30-21ubuntu1~18.04) ...
Selecting previously unselected package libsnappy1v5:amd64.
Preparing to unpack .../04-libsnappy1v5_1.1.7-1_amd64.deb ...
Unpacking libsnappy1v5:amd64 (1.1.7-1) ...
Selecting previously unselected package crash.
Preparing to unpack .../05-crash_7.2.1-1ubuntu2_amd64.deb ...
Unpacking crash (7.2.1-1ubuntu2) ...
Selecting previously unselected package kexec-tools.
Preparing to unpack .../06-kexec-tools_1%3a2.0.16-1ubuntu1_amd64.deb ...
Unpacking kexec-tools (1:2.0.16-1ubuntu1) ...
Selecting previously unselected package libdw1:amd64.
Preparing to unpack .../07-libdw1_0.170-0.4_amd64.deb ...
Unpacking libdw1:amd64 (0.170-0.4) ...
Selecting previously unselected package makedumpfile.
Preparing to unpack .../08-makedumpfile_1%3a1.6.3-2_amd64.deb ...
Unpacking makedumpfile (1:1.6.3-2) ...
Selecting previously unselected package kdump-tools.
Preparing to unpack .../09-kdump-tools_1%3a1.6.3-2_amd64.deb ...
Unpacking kdump-tools (1:1.6.3-2) ...
Selecting previously unselected package linux-crashdump.
Preparing to unpack .../10-linux-crashdump_4. ...
Unpacking linux-crashdump ( ...
Processing triggers for ureadahead (0.100.0-20) ...
Setting up libdw1:amd64 (0.170-0.4) ...
Setting up kexec-tools (1:2.0.16-1ubuntu1) ...
Generating /etc/default/kexec...
Setting up binutils-common:amd64 (2.30-21ubuntu1~18.04) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Setting up makedumpfile (1:1.6.3-2) ...
Setting up libsnappy1v5:amd64 (1.1.7-1) ...
Processing triggers for systemd (237-3ubuntu10.12) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Setting up libbinutils:amd64 (2.30-21ubuntu1~18.04) ...
Setting up kdump-tools (1:1.6.3-2) ...

Creating config file /etc/default/kdump-tools with new version
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/50-curtin-settings.cfg'
Sourcing file `/etc/default/grub.d/kdump-tools.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.15.0-45-generic
Found initrd image: /boot/initrd.img-4.15.0-45-generic
Created symlink /etc/systemd/system/ → /lib/systemd/system/kdump-tools.service.
Setting up linux-crashdump ( ...
Setting up binutils-x86-64-linux-gnu (2.30-21ubuntu1~18.04) ...
Setting up binutils (2.30-21ubuntu1~18.04) ...
Setting up crash (7.2.1-1ubuntu2) ...
Processing triggers for ureadahead (0.100.0-20) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for systemd (237-3ubuntu10.12) ...
Within the installation you have to answer these questions:

After the installation the following parameter is added to the kernel cmdline:
grep -r crash /boot* |grep cfg
/boot/grub/grub.cfg:        linux    /boot/vmlinuz-4.15.0-46-generic root=UUID=a83c2a94-91c4-461a-b6a4-c7a81422a857 ro  maybe-ubiquity crashkernel=384M-:128M
/boot/grub/grub.cfg:            linux    /boot/vmlinuz-4.15.0-46-generic root=UUID=a83c2a94-91c4-461a-b6a4-c7a81422a857 ro  maybe-ubiquity crashkernel=384M-:128M
range=start-[end] 'start' is inclusive and 'end' is exclusive

The configuration is done via /etc/default/kdump-tools. Here the parameter to control the directory to dump the core into:

cat /etc/default/kdump-tools  |grep DIR
# KDUMP_COREDIR - local path to save the vmcore to.
Next step is to reboot and verify the kernel cmdline.

#cat /proc/cmdline 
BOOT_IMAGE=/boot/vmlinuz-4.15.0-46-generic root=UUID=a83c2a94-91c4-461a-b6a4-c7a81422a857 ro maybe-ubiquity crashkernel=384M-:128M

To get a coredump just use the following commands:
root@ubuntuserver:/etc# sysctl -w kernel.sysrq=1
kernel.sysrq = 1
root@ubuntuserver:/etc# echo c > /proc/sysrq-trigger

Google Jamboard ?!

Sun, 2019-06-09 04:24
By reorganising my Google drive i ran into "Jamboard"...
This is a tiny Google web application, where you can do some fast sketches but the functionality is really limited:

Ubuntu Server: eBook

Sat, 2019-06-01 09:31
For testing waagent (Microsoft Azure Linux Guest Agent) i downloaded Ubuntu Server. Ubuntu advertised an ebook for administrators:

Here the short summary from this webpage:

Server provisioning: what Network Admins and IT pros need to knowThis document is designed to help system administrators and DevOps focused organisations to understand bare metal server provisioning, understand its value proposition, and learn about how leading companies are using server provisioning solutions within their hyperscale environments.
Canonical’s MAAS helps organisations to take full advantage of existing hardware investments by maximising hardware efficiency, and a pathway to leverage the performance and security of hardware based solutions with the economics and efficiencies of the cloud.With MAAS = Metal As A Service

The eBook contains 6 chapters on 20 pages:
  1. Executive summary
  2. Cloud speed with bare metal reliability and efficiency 
  3. Get the most out of your hardware investment
  4. How the smartest IT Pros let software do the work
  5. Make hardware investments more strategic 
  6. Conclusion
Ubuntus MAAS is the idea to create your own cloud with your own metal. Its about the automation of installing and provisioning hardware. There are region controllers (regiond) and rack controllers (rackd) which will manage your systems by using DNS, DHCP, PXE, TFTP and some others...
They are introducing availibility zones like they exist in Amazon Web Services or Microsoft Azure:
 If you are interested take a look here:

Get started with MAAS
To download and install MAAS for free please visit

Oracle JDeveloper: Is this IDE dead? Are there new releases?

Fri, 2019-05-24 12:22
Some weeks ago i read the Java Magazine (

They report from a survay taken place in 2018 about Java. One of the questions was which application server do you use in production:

This was not really amazing.
But the question about the IDE gave a really surprising result:

More developers use IntelliJ than Eclipse?
Not really surprising was the usage of Oracle's JDeveloper: Only 1% of the developers use this tool.

You have to keep in mind, that with using Oracle's SOA Suite / BPEL / ESB you are forced to use JDeveloper - which means this SOA stuff is not used by many people out there.

If you take a look on the Oracle homepage you will find:

The last version was released in august 2017 - this does look like living software.

For architects and consultants JDeveloper can be very useful because it has a very nice visualization of XSDs and XSLTs (Take a look here). So hopefully JDeveloper will stay alive...

Wireguard: Status information / using the wg command

Fri, 2019-05-10 14:10

After the installation of wireguard on two servers i shut down the secondary server and after 4h i did the wg command:
root@zerberus:~# wg
interface: wg0
  public key: XXX=
  private key: (hidden)
  listening port: 46932

peer: YYY=
  allowed ips:
  latest handshake: 4 hours, 19 minutes, 2 seconds ago
  transfer: 348 B received, 436 B sent
With the "ip addr" command there is nothing really interesting:
root@zerberus:~# ip addr show wg0
5: wg0: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet scope global wg0
       valid_lft forever preferred_lft forever
Just to get some information about the "wg" command:
root@zerberus:~# wg help
Usage: wg []

Available subcommands:
  show: Shows the current configuration and device information
  showconf: Shows the current configuration of a given WireGuard interface, for use with `setconf'
  set: Change the current configuration, add peers, remove peers, or change peers
  setconf: Applies a configuration file to a WireGuard interface
  addconf: Appends a configuration file to a WireGuard interface
  genkey: Generates a new private key and writes it to stdout
  genpsk: Generates a new preshared key and writes it to stdout
  pubkey: Reads a private key from stdin and writes a public key to stdout
You may pass `--help' to any of these subcommands to view usage.
and one more example:
root@zerberus:~# wg showconf wg0

ListenPort = 46932
PrivateKey = TTT=

PublicKey = XXX=
AllowedIPs =
Endpoint =

firefox extension do not work anymore....

Sat, 2019-05-04 02:39
Today some of my extensions stopped to work and a reinstall failed due to "Download failed. Please check your connection.":

There is an article about this issue, which says, that this is due to an expired certificate:

The workarounds stated there, do not work for my extensions, so i have to wait, that firefox gets a solution (and a new certificate).

For all others with this problem: Do not deinstall your extensions (like i did) - just wait...

Edit: Here the statement from mozilla:
On twitter i found this nice comment

Edit: For latest infos read

Wireguard: Installation & configuration

Fri, 2019-05-03 04:31
To install wireguard i followed this instruction.
First step is to add the repository to your machine:

root@zerberus:~# add-apt-repository ppa:wireguard/wireguard
 WireGuard is a novel VPN that runs inside the Linux Kernel. This is the Ubuntu packaging for WireGuard. More info may be found at its website, listed below.

More info:
Packages: wireguard wireguard-tools wireguard-dkms

Install with: $ apt install wireguard

For help, please contact
 Mehr Informationen:
[ENTER] drücken zum Weitermachen oder Strg-c, um das Hinzufügen abzubrechen.

OK:1 bionic InRelease
OK:2 bionic InRelease                                
OK:3 bionic InRelease                                                               
OK:4 bionic InRelease                                                       
Paketlisten werden gelesen... Fertig               
Then the installion:

root@zerberus:~# apt install wireguard
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.      
Statusinformationen werden eingelesen.... Fertig
Die folgenden Pakete wurden automatisch installiert und werden nicht mehr benötigt:
  btrfs-tools geoip-database-extra libcryptui0a libjs-openlayers seahorse-daemon
Verwenden Sie »apt autoremove«, um sie zu entfernen.
Die folgenden zusätzlichen Pakete werden installiert:
  wireguard-dkms wireguard-tools
Die folgenden NEUEN Pakete werden installiert:
  wireguard wireguard-dkms wireguard-tools
0 aktualisiert, 3 neu installiert, 0 zu entfernen und 1 nicht aktualisiert.
Es müssen 640 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 4.814 kB Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n]
Holen:1 bionic/main amd64 wireguard-dkms all 0.0.20190123-wg1~bionic [551 kB]
Holen:2 bionic/main amd64 wireguard-tools amd64 0.0.20190123-wg1~bionic [85,2 kB]
Holen:3 bionic/main amd64 wireguard all 0.0.20190123-wg1~bionic [4.136 B]
Es wurden 640 kB in 0 s geholt (1.307 kB/s).
Vormals nicht ausgewähltes Paket wireguard-dkms wird gewählt.
(Lese Datenbank ... 471444 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../wireguard-dkms_0.0.20190123-wg1~bionic_all.deb ...
Entpacken von wireguard-dkms (0.0.20190123-wg1~bionic) ...
Vormals nicht ausgewähltes Paket wireguard-tools wird gewählt.
Vorbereitung zum Entpacken von .../wireguard-tools_0.0.20190123-wg1~bionic_amd64.deb ...
Entpacken von wireguard-tools (0.0.20190123-wg1~bionic) ...
Vormals nicht ausgewähltes Paket wireguard wird gewählt.
Vorbereitung zum Entpacken von .../wireguard_0.0.20190123-wg1~bionic_all.deb ...
Entpacken von wireguard (0.0.20190123-wg1~bionic) ...
wireguard-dkms (0.0.20190123-wg1~bionic) wird eingerichtet ...
Loading new wireguard-0.0.20190123 DKMS files...
Building for 4.17.0-rc3
Building initial module for 4.17.0-rc3
Secure Boot not enabled on this system.

Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/4.17.0-rc3/updates/dkms/


DKMS: install completed.
wireguard-tools (0.0.20190123-wg1~bionic) wird eingerichtet ...
wireguard (0.0.20190123-wg1~bionic) wird eingerichtet ...
Trigger für man-db (2.8.3-2ubuntu0.1) werden verarbeitet ...
And then the configuration:
(i extracted the steps from the video here)
root@zerberus:~# wg genkey > /root/private.wireguard
Warning: writing to world accessible file.
Consider setting the umask to 077 and trying again.

root@zerberus:~# ls -l /root/
insgesamt 4
-rw-r--r-- 1 root root 45 Apr 27 18:55 private.wireguard

root@zerberus:~# cat /root/private.wireguard 
root@zerberus:~# wg pubkey  < /root/private.wireguard

root@zerberus:~# ip link add wg0 type wireguard
root@zerberus:~# ip addr add dev wg0
root@zerberus:~# wg set wg0 private-key /root/private.wireguard
root@zerberus:~# ip link set wg0 up

root@zerberus:~# ifconfig
wg0: flags=209  mtu 1420
        inet  netmask  destination
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
All the steps up to here, have to be done on both servers.
My setup was
  • server 1: "public ip", vpn ip
    public wireguard key XXX
    wirguard port: 46932 (how to get this number, just move on)
  • server 2: "public ip", vpn ip
    public wireguard key YYY
    wireguard port: 35891
 To get the public keys and the port number use this command:
root@zerberus:~# wg

interface: wg0
  public key: XXX
  private key: (hidden)
  listening port: 46932
Then use the ip, port and public key from the secondary server:
root@zerberus:~# wg set wg0 peer 23P8GMzwpnpaw38wEERXev1jJIQlkhB/lZB35wwXVD4= allowed-ips endpoint
Do the some on the secondary machine with the ip, port and public key from primary server.

And after that you can check with:
root@zerberus:~# ping

PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=47.0 ms
64 bytes from icmp_seq=2 ttl=64 time=63.8 ms
--- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 47.018/55.442/63.866/8.424 ms
I think this was much easier than setting up IPSec or OpenVPN.

Review at amazon: SAP Cloud Platform

Mon, 2019-04-29 13:47
Last week i read this book:
Before starting with the Oracle Cloud i wanted to read something other than AWS or Microsoft Azure. I was surprised at the completely different target of this cloud in respect to AWS and Azure. It is much more focused on business and business value - which is clearly one core domains of SAP.

This book contains a very well written introduction into cloud services - many other books could take this as an example. Very impressing are the over 120 mainly conceptional pictures - they make it much easier to understand the SAP Cloud Platform.

If you are interested, take a look at my review at (like all my reviews: written in german ;-).

Oracle Database 19c (19.3) released!

Sat, 2019-04-27 13:59
And after nearly 3 months of waiting - Oracle released 19c:

First special feature: The rpm is still there and the release is only done for Linux and Oracle Solaris.

To get to the Linux download page just click here.

But the Grid Infrastructure is still not delivered as RPM package. :-(

Wireguard: An easy way to build VPNs

Sat, 2019-04-27 03:35
Last week i came across the following tool:

If you want to build up a VPN you can choose one of the following strategies:
  • based on IPSec
  • using TLS
(These two are the options to choose - of course there are some others...)

The nice thing with wireguard (from the linux point of view) is, that the wireguard interfaces are handled like all other  network interfaces on your device.

If you are really interested in this way, you should read the whitepaper. Here some excerpts:

... IPSec ... updating these data structures based on the results of a key exchange, generally done with IKEv2 [13], itself a complicated protocol with much choice and malleability. The complexity, as well as the sheer amount of code, of this solution is considerable. Administrators have a completely separate set of firewalling semantics and secure labeling for IPsec packets.... based solution that uses TLS. By virtue of it being in user space, it has very poor performance—since packets must be copied multiple times between kernel space and user space—and a long-lived daemon is required; OpenVPN appears far from stateless to an administrator. A WireGuard interface,wg0, can be added and configured to have a tunnelIP address of10.192.122.3in a/24subnet with the standard ip(8)utilities...One design goal of WireGuard is to avoid storing any state prior to authentication and to not send any responses to unauthenticated packets. With no state stored for unauthenticated packets, and with no response generated,WireGuard is invisible to illegitimate peers and network scanners. Several classes of attacks are avoided bynot allowing unauthenticated packets to influence any state. And more generally, it is possible to implement WireGuard in a way that requires no dynamic memory allocation at all, even for authenticated packets, as explained in section 7.So next step is to install this VPN solution and see, if the administration is really so easy as promised...

Oracle VM Server: Working with ovm cli

Fri, 2019-04-19 06:01
After getting the ovmcli run, here some commands which are quite helpful, when you are working with Oracle VM server.
But first:
Starting the ovmcli is done via
ssh admin@localhost -p 10000
at the OVM Manager.

After that you can get some overviews:
OVM> list server
Command: list server
Status: Success
Time: 2019-01-25 06:56:55,065 EST
  id:18:e2:a6:9d:5c:b6:48:3a:9b:d2:b0:0f:56:7e:ab:e9  name:oraclevm
OVM> list vm
Command: list vm
Status: Success
Time: 2019-01-25 06:56:57,357 EST
  id:0004fb0000060000fa3b1b883e717582  name:myAlpineLinux
OVM> list ServerPool
Command: list ServerPool
Status: Success
Time: 2019-01-25 06:57:12,165 EST
  id:0004fb0000020000fca85278d951ce27  name:MyServerPool
A complete list of all list commands can be obtained like this:
OVM> list ?
An overview which kind of command can be used like list:
OVM> help
For Most Object Types:
    create [(attribute1)="value1"] ... [on ]
    edit   (attribute1)="value1" ...
For Most Object Types with Children:
    add to
    remove from
Client Session Commands:
    set alphabetizeAttributes=[Yes|No]
    set commandMode=[Asynchronous|Synchronous]
    set commandTimeout=[1-43200]
    set endLineChars=[CRLF,CR,LF]
    set outputMode=[Verbose,XML,Sparse]
Other Commands:
If you want to get you vm.cfg file, you can use the id from "list vm" and type:
OVM> getVmCfgFileContent Vm id=0004fb0000060000fa3b1b883e717582
Command: getVmCfgFileContent Vm id=0004fb0000060000fa3b1b883e717582
Status: Success
Time: 2019-01-25 06:59:46,875 EST
  OVM_domain_type = xen_pvm
  bootargs =
  disk = [file:/OVS/Repositories/0004fb0000030000dad74d9c43176d2e/ISOs/0004fb0000150000226a713414eaa501.iso,xvda:cdrom,r,file:/OVS/Repositories/0004fb0000030000dad74d9c43176d2e/VirtualDisks/0004fb0000120000f62a7bba83063840.img,xvdb,w]
  bootloader = /usr/bin/pygrub
  vcpus = 1
  memory = 512
  on_poweroff = destroy
  OVM_os_type = Other Linux
  on_crash = restart
  cpu_weight = 27500
  OVM_description =
  cpu_cap = 0
  on_reboot = restart
  OVM_simple_name = myAlpineLinux
  name = 0004fb0000060000fa3b1b883e717582
  maxvcpus = 1
  vfb = [type=vnc,vncunused=1,vnclisten=,keymap=en-us]
  uuid = 0004fb00-0006-0000-fa3b-1b883e717582
  guest_os_type = linux
  OVM_cpu_compat_group =
  OVM_high_availability = false
  vif = []
Very helpful is the Oracle documentation (here).

Oracle Database 19c download

Wed, 2019-04-17 15:20
In january 2019 Oracle released the documentation for Oracle Database 19c.

More than 7 weeks later there is still nothing at

The gap between release date of the documentation and the on premises software was for 18c not so long...

Will 19c on premises software be released before may? Or later in summer?

AWS: Accessing S3 buckets from the internet and from ec2 instances (2)

Wed, 2019-04-10 12:42
After accessing a S3 bucket from an ec2 instance by adding an IAM role to my EC2 instance, i tried to get the access from an ec2 instance by using a AWS endpoint.

First step: Launch an ec2 instance within your VPC and try to access your S3 bucket:

[ec2-user@ip-172-31-30-93 ~]$ wget
--2019-02-02 18:29:28--
Auflösen des Hostnamen » («...
Verbindungsaufbau zu (||:443... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 403 Forbidden
2019-02-02 18:29:28 FEHLER 403: Forbidden.

Second step: change the bucket policy to this:

    "Version": "2012-10-17",
    "Id": "Policy1119991119999",
    "Statement": [
            "Sid": "Access-to-specific-VPC-only",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpc": "vpc-12e0cc74"
The access to the bucket is still forbidden. So next step is to add the endpoint:
Goto VPC -> endpoint:
And then choose the following:

(Here you have to select your route table ID!!!)

After that everything works like expected:
[ec2-user@ip-172-31-30-93 ~]$ wget
--2019-02-02 18:29:51--
Auflösen des Hostnamen » («...
Verbindungsaufbau zu (||:443... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 130 [application/json]
In »»website.json.1«« speichern.

100%[===============================================================================================================>] 130         --.-K/s   in 0s     

2019-02-02 18:29:51 (5,28 MB/s) - »»website.json.1«« gespeichert [130/130]

Oracle VM Server: OVM CLI via ssh admin@localhost -p 10000 does not work

Sat, 2019-04-06 04:57

In my Oracle VM server installation the ovmcli refuses to work:
ssh -l admin localhost -p 10000 

Connection to localhost closed by remote host.

Connection to localhost closed.
There some workarounds like:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -l  admin localhost -p 10000
But the result is the same.

Here a debug output from ssh -v:
[root@oraVMManager mnt]# ssh -l admin localhost -p 10000  -v
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to localhost [::1] port 10000.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version ${POM.ARTIFACTID}-${POM.VERSION}
debug1: no match: ${POM.ARTIFACTID}-${POM.VERSION}
debug1: Authenticating to localhost:10000 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
debug1: kex: diffie-hellman-group1-sha1 need=20 dh_need=20
debug1: kex: diffie-hellman-group1-sha1 need=20 dh_need=20
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: ssh-dss SHA256:E6FYsSD9om4ChxJT17vBGUyqHmz3kLLAIxxJZlYjJCM
debug1: Host '[localhost]:10000' is known and matches the DSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/admin
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([::1]:10000).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = de_DE.UTF-8
debug1: channel 0: free: client-session, nchannels 1
Connection to localhost closed by remote host.
Connection to localhost closed.
Transferred: sent 3224, received 1432 bytes, in 0.0 seconds
Bytes per second: sent 2461309.8, received 1093236.9
debug1: Exit status -1

The solution was:
Upgrade the OVM Manager (take a look here)

And then:
ssh -l admin localhost -p 10000  -v
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending DSA key in /root/.ssh/known_hosts:1
RSA host key for [localhost]:10000 has changed and you have requested strict checking.
Host key verification failed.
Ok - this was not expected, but the upgrade changed the host key.

But after removing that line from the known_hosts file:
[root@oraVMManager mnt]# ssh -l admin localhost -p 10000  
OVM> list server
Command: list server
Status: Success
Time: 2019-01-25 05:52:14,849 EST
  id:18:e2:a6:9d:5c:b6:48:3a:9b:d2:b0:0f:56:7e:ab:e9  name:oraclevm
OVM> ?

review at amazon: Azure for Architects

Sun, 2019-03-31 10:31
This weekend i read "Azure for Architects - Implementing cloud design, DevOps, containers, IoT and serverless solutions on your public cloud".

After i had some trouble to publish my review on and i put in onto my blog (take a look here), i wrote a smaller review only about 2 chapters. And this worked...

One statement i liked, was:
This is not only true for security, but sometimes it is important to state the obvious.

If you are interested, take a look at my review at (like all my reviews: written in german ;-).

Microsoft Azure: Adding user requires more work as expected

Sat, 2019-03-23 02:49
Just to try some things in Microsoft Azure i wanted to add an additional user to my test account. But this was not so easy:

Go to "Azure Active Directory" and "Users":


 But then:

I thought this is not really a problem, because is my domain, so let's try to verify this one:

The problem is, that i am not able to change this settings. So i tried, if i am lucky, but:
So only way to add users in such a minimal setup, is to add accounts from etc..

Microsoft Azure: How to use waagent (Microsoft Azure Linux Agent)

Sat, 2019-03-16 15:35
After installation waagent on my ubunu server, i tried to use this tool.
First guess was to read the manpages, but there is no entry for waagent:
root@ubuntuserver:~# man waagent
No manual entry for waagent
See 'man 7 undocumented' for help when manual pages are not available.So for documentation you have to visit the Microsoft Azure portal:

Here are some commands i tried:
root@ubuntuserver:~# waagent -show-configuration
AutoUpdate.Enabled = True
AutoUpdate.GAFamily = Prod
Autoupdate.Frequency = 3600
CGroups.EnforceLimits = False
CGroups.Excluded = customscript,runcommand
DVD.MountPoint = /mnt/cdrom/secure
DetectScvmmEnv = False
EnableOverProvisioning = True
Extension.LogDir = /var/log/azure
Extensions.Enabled = True
HttpProxy.Host = None
HttpProxy.Port = None
Lib.Dir = /var/lib/waagent
Logs.Verbose = False
OS.AllowHTTP = False
OS.CheckRdmaDriver = False
OS.EnableFIPS = False
OS.EnableFirewall = True
OS.EnableRDMA = False
OS.HomeDir = /home
OS.OpensslPath = /usr/bin/openssl
OS.PasswordPath = /etc/shadow
OS.RootDeviceScsiTimeout = 300
OS.SshClientAliveInterval = 180
OS.SshDir = /etc/ssh
OS.SudoersDir = /etc/sudoers.d
OS.UpdateRdmaDriver = False
Pid.File = /var/run/
Provisioning.AllowResetSysUser = False
Provisioning.DecodeCustomData = False
Provisioning.DeleteRootPassword = True
Provisioning.Enabled = False
Provisioning.ExecuteCustomData = False
Provisioning.MonitorHostName = False
Provisioning.PasswordCryptId = 6
Provisioning.PasswordCryptSaltLength = 10
Provisioning.RegenerateSshHostKeyPair = False
Provisioning.SshHostKeyPairType = rsa
Provisioning.UseCloudInit = True
ResourceDisk.EnableSwap = False
ResourceDisk.Filesystem = ext4
ResourceDisk.Format = False
ResourceDisk.MountOptions = None
ResourceDisk.MountPoint = /mnt
ResourceDisk.SwapSizeMB = 0
or list all commands:
root@ubuntuserver:~# waagent -help
usage: /usr/sbin/waagent [-verbose] [-force] [-help] -configuration-path:-deprovision[+user]|-register-service|-version|-daemon|-start|-run-exthandlers|-show-configuration]