Red Hat Certified Engineer

Working for Red Hat certainly has its perks. One of them being that I have access to all the content from Red Hat University and I am able to take Red Hat exams for free. With these perks come of course some expectations. Customers expect a Red Hat TAM to be knowledgeable on a wide range of Red Hat products, even if they are not directly related to the function of the TAM.

The most common certifications for System Administrators and also for new TAMs are the Red Hat Certified System Administrator (RHCSA) and the Red Hat Certified Engineer (RHCE). So after passing my RHCSA exam in December 2019, I passed the exam EX294V8 to become a Red Hat Certified Engineer (RHCE) in mid-February. The next step is obviously to become a Red Hat Certified Architect (RHCA), in my case focussed on Cloud technologies such as OpenShift and Containerisation.

To prepare for the RHCE, I used Red Hat University Online courses (RH294) and also prepared using Tomas Nevars Ansible Sample Exam. As others have already noted, the RHCE for RHEL8 is a pure Ansible exam, so knowing your Ansible playbooks in and out will help you with the exam. The above courses and sample exam are great preparations for the exam itself.

vim settings for YAML files

For editing YAML, be it for OpenShift / Kubernetes or Ansible, having your editor set up right can help to avoid common mistakes. So here is the minimalistic config in my ~/.vimrc to make working with YAML files easier. I am sure there are even more plugins or settings available, but this minimal set of commands works fine for me:

set ts=2
set sts=2
set sw=2
set expandtab

syntax on
filetype indent plugin on

set ruler
Read the rest of this entry

Podman: “desc:bad request: add_hostfwd: slirp_add_hostfwd failed”

In the past few months, on all my machines I have replaced Docker with Podman and mostly the transition has been quite smooth. There are still some rough edges here and there, but the overall experience of using Podman has been great!

However, when trying to start a very simple container, one often runs into the following issue:

$ podman run -p80:80 nginx:latest 
Error: error from slirp4netns while setting up port redirection: map[desc:bad request: add_hostfwd: slirp_add_hostfwd failed]

The error message looks very cryptic, but the issue is quite simple: As a regular user, one is typically not allowed to bind ports < 1024. So by trying to bind port 80, you will get the error above.

The fix is trivial, just use a port greater than 1024:

$ podman run -p8080:80 -d nginx:latest 
22d2be2966e9cb77246a8b698f9024de89f4e6d1a0edfe44209bbe4fd27aa8b5
$ curl localhost:8080
[..]
Welcome to nginx!
[..]

If you really need to use a port number lower than 1024, there are multiple ways to configure that:

  • Set net.ipv4.ip_unprivileged_port_start=80or similar in your sysctl
  • Add the CAP_NET_BIND_SERVICE capability to your process or user

gopass: “gpg: decryption failed: No secret key”

For a few years now I have been using the pass password manager. It is a wonderfully simple way to manage passwords using PGP to encrypt passwords in text files. The same files can then be placed in a git repository, which makes replicating passwords easy.

For different reasons I am now migrating to gopass, a Go implementation of pass with a few additional features. I am using Homebrew to install gopass on my machine: brew install gopass. Theoretically, gopass should work out-of-the-box and is compatible with the old pass utility. So I was quite surprised to see an error message like this:

$ gopass github
Entry 'github' not found. Starting search...
Found exact match in 'github.com/simonkrenger'
gpg: decryption failed: No secret key

Error: failed to retrieve secret 'github.com/simonkrenger': Failed to decrypt

Strange. But decrypting the password file directly using PGP works fine:

$ gpg -d ~/.password-store/github.com/simonkrenger.gpg
[..]

If the above command using gpg does not work, check your keys using gpg --list-keys and gpg --list-secret-keys. Especially when migrating to GPG2, sometimes keys do not get imported into the new keyrings. In case you need to import the old keyring into the new format like so:

$ gpg --import ~/.gnupg/pubring.gpg
$ gpg --import ~/.gnupg/secring.gpg

But even after importing the keys, I still received gpg: decryption failed: No secret key. So after searching around I found that I need to set the GPG_TTY variable:

$ export GPG_TTY=$(tty)

It seems that not setting the GPG_TTY environment variable leads to the error above. Which is quite misleading. After setting this environment variable (and adding it to the .bash_profile), gopass works as expected.

Linux Magic Reboot

If you have worked with remote Linux servers before, I am guessing you already encountered machines that just don’t want to reboot. This is typically due screwed-up network mounts or stuck processes, so the server will hang during shutdown. But it turns out that there are other ways to reboot a server.

One of these is the “Magic SysRq key“. To reboot a server using the SysRq trigger in the kernel, use the following two commands. First, enable the trigger:

echo 1 > /proc/sys/kernel/sysrq

Then, reboot the server the magic way by typing

echo b > /proc/sysrq-trigger

Note that this will reboot the server without unmounting or syncing the filesystems! There are also other options available via the SysRq trigger, some of them are listed in the Wikipedia article above.

.gitlab-ci.yml for “ansible-lint”

So I started working with GitLab (self-hosted and gitlab.com), which led me to the CI/CD features of GitLab. When using GitLab, one can define a custom CI pipeline just by placing a .gitlab-ci.yml file in your project (just like the .travis.yml for GitHub). After each commit to the defined git branch, the pipeline is then executed.

Since I also work with Ansible playbooks a lot, I wanted to use ansible-lint to check my playbooks after each commit. In addition to that, I also added a syntax check using ansible-playbook [..] --syntax-check, as ansible-lint will not pick up all syntax errors.

So here is my .gitlab-ci.yml:

Read the rest of this entry

Ansible: “python2 yum module is needed for this module”

I am currently toying around with GlusterFS and I am using Ansible to deploy and configure my server.

Using the yum module, I wanted to install the Gluster server package like so:

- name: Install glusterfs-server package
  yum:
    name: glusterfs-server
    state: latest

But when executing the playbook, I received the following error on executing this module:

Read the rest of this entry

Fedora 25: How to make “GNOME Classic” default

As I am working more and more with Linux, I am also using a virtual machine with Fedora 25 installed to play around with some things (notably Docker and Kubernetes). On Fedora 25, the default GNOME desktop environment is GNOME 3. But I personally prefer the GNOME Classic user interface.

To change the desktop environment, on login, select “GNOME Classic” as the desktop environment:

Read the rest of this entry

Workaround for WMI client over IPv6

Some years ago, I wrote some examples for the WMI client on Linux. I still get a lot of queries from people trying to use the WMI client to access Windows hosts and I am often happy to help if there are any problems.

One of the latest problems occurred when trying to access a Windows host over IPv6:

$ wmic -U 'user%password' //FD00:180::0:0:0:0:0 "Select Caption From Win32_OperatingSystem" [..] UNKNOWN - The WMI query had problems. The error text from wmic is: [librpc/rpc/dcerpc_util.c:343:dcerpc_parse_binding()] Unknown dcerpc transport 'FD00' [librpc/rpc/dcerpc_connect.c:337:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c0000017) in dcerpc_pipe_connect_ncacn_ip_tcp_recv [librpc/rpc/dcerpc_connect.c:828:dcerpc_pipe_connect_b_recv()] failed NT status (c0000017) in dcerpc_pipe_connect_b_recv [wmi/wmic.c:196:main()] ERROR: Login to remote object. NTSTATUS: NT_STATUS_NO_MEMORY - Memory allocation error

This was quite a funny problem, because the same query seemed to work when accessing the host over IPv4. So we quickly suspected that the WMI client does not support IPv6. By looking at the underlying Samba code (e.g. dcerpc_util.c and binding.c), I guessed that this seems to be a parsing issue of some kind.

Read the rest of this entry

Hello world

My name is Simon Krenger, I am a Technical Account Manager (TAM) at Red Hat. I advise our customers in using Kubernetes, Containers, Linux and Open Source.

Elsewhere

  1. GitHub
  2. LinkedIn
  3. GitLab