Ansible playbooks, ansible-galaxy, roles and collections

Posted on May 16, 2024 by Marco Antonio Carcano

Ansible is a powerful datacenter automation tool that enables nearly declarative automations - "Ansible playbooks, ansible-galaxy, roles and collections" is a primer with Ansible, gradually introducing concepts that we better elaborate in other posts following this one: as we already said, Ansible is a powerful tool, and as many powerful tool can make more pain than benefits if improperly managed - the aim of this post is providing a good baseline that enable quickly enable operating Ansible running ad hoc statements, playbooks and operating using Ansible Galaxy with shelf roles and collections .

This post begins where we left with the "Ansible Tutorial – Ansible Container How-To" post, writing a playbook for preparing hosts for being managed by Ansible, learning how to use Ansible Galaxy for downloading and installing shelf Ansible roles and collections. The outcome will be a running PostgreSQL instance we will use as the DB engine in the next post of the series..

Ansible Tutorial – Ansible Container Howto

Posted on May 15, 2024May 16, 2024 by Marco Antonio Carcano

Ansible is a powerful datacenter automation tool that enables nearly declarative automations - "Ansible Tutorial - Ansible Container Howto" is the first of a series of posts dedicated to Ansible, paying particularly attention at "doing all-right": Ansible is a powerful tool, and as many powerful tool can make more pain than benefits if improperly managed.

In this post we see how to quickly set up a containerised Ansible on a workstation, configuring the environment so that it can be run from the shell without explicitly invoking podman, providing a very friendly user experience the same way, enabling it to run statements as it was really installed on the system.

Wayland Tutorial – A Wayland HowTo

Posted on April 25, 2024April 25, 2024 by Marco Antonio Carcano

The first Wayland release is dated 2012, and it was of course in a very early stage. Now 16 years have passed since the initial design, they say Wayland is mature enough that it is safe to remove X11 sessions. In the Wayland Tutorial - A Wayland HowTo post we will go through everything it is worth the effort to know about Wayland, trying to answer the question: do Wayland replace the whole X Window system, or do it replace just the X11 protocol?

X Window Tutorial – X Display Server HowTo And Cheatsheet

Posted on April 17, 2024April 18, 2024 by Marco Antonio Carcano

Even just because of its very long service lifetime, it is certainly worth the effort to have a look at this amazing piece of software. It does not matter if we are about to switch to Wayland (that by the way cannot completely replace the whole X Window System - think for example to XDMCP): the truth is that systems running X Windows will stay here for 10 years more, so 'm sure it is still worth the effort to have a good understanding of it. The "X Window Tutorial - X Display Server HowTo And Cheatsheet" post provides you with all the necessary skills to become an expert on this amazing piece of software that really made the story of UNIX and Linux.

X window – display manager (remote XDMCP) and thin clients

Posted on April 2, 2024April 18, 2024 by Marco Antonio Carcano

X Window System is a legacy (1984) windowing system, that is a system providing the basic framework for a GUI environment initially developed as part of Project Athena at MIT. The currently available X protocol version is 11 (dated 1987!) - hence often people refer to X Window as "X11''.

It is really time I wanted to write a few posts on this amazing software that really made the story of IT on the UNIX and Linux platforms: it is one of my favorite software ever, it was really impressive in those years being able to run an application on a host while being able to just render on a remote display.

In the X window - remote display manager (XDMCP) and thin clients we see how to reproduce on a modern Linux distribution a very common setup of the late '80 and early '90: a remote server running applications rendered on X Window based thin clients.

Apache HTTPd With Mutual TLS and OCSP Stapling

Posted on March 6, 2024March 7, 2024 by Marco Antonio Carcano

TLS peers can verify if a certificate was revoked by checking the CRL (very old and very poorly performing method with lots of shortcomings) or query the OCSP endpoint of the CA that issued the certificate.

However this design still has a shortcoming: what happens if for any reason the OCSP endpoint is unreachable (by accident or by anything caused by the evil people out there)? The outcome is a security risk - if the policy is to deny connection if the OCSP status cannot be checked, you risk to disserve.

Conversely, if the policy is that OCSP status check is a nice to have, there’s a risk that, if a revoked certificate has been stolen by the evils out there, they can just prevent your client to query the OCSP server and hijack the connection to a rogue TLS server managed by them that uses the stolen revoked certificate. To mitigate this you can set up OCSP stapling, which consists of prefetching OCSP responses and attaching them to the X.509 certificate.

In the "Apache HTTPd With Mutual TLS and OCSP Stapling" post we see not only how to configure an Apache server to provide a stapled certificate, but also how to set up mutual TLS authentication, seeing in action what happens when a certificate is revoked.