Gamification of a Linux system administration course

System administration isn’t something that’s obvious to everyone, and it’s a subject that, when it’s more to do with the basics of networking and Linux, can seem a lot more daunting than learning about the latest trendy technologies (Docker, Terraform, Kubernetes, etc.). Also, with the bombardment of information and easy access to computer content and tutorials often more interesting than “classic” lectures, students are less and less attentive, present or participating. [Read More]

Self-hosting: for a decentralized and responsible Internet

In an idealized world, we would all be free to access any service, made available by a community motivated by the common good rather than by the penurious enrichment of a few. However, we don’t live in that world. Today, everything is monetized: the smallest product or service only exists if it brings in enough money, without regard for the common good. The apparent gratuity of digital services is often accompanied by a more discreet but lucrative counterpart: the exploitation of our personal data. [Read More]

Give IPv6 connectivity to your Docker containers using an IPv6 block from your ISP

It may seem surprising that a modern service like Docker does not offer IPv6 in containers by default, especially when in a network with IPv6. In fact, for the same reason we saw in the introductory article, since the containers are in a virtual network, they cannot be reached by the box/router distributing the IPv6 subnet. The same phenomenon can be observed with IPv4: each container has an IPv4 in a subnet separate from the one in which our host machine is located. [Read More]

Use the additional IPv6 blocks of the Free and Orange network

With Free and Orange, when IPv6 is not disabled, the Freebox (and some Livebox) provide a /64 IPv6 range to the connected equipment. But it turns out that it is a /60 range that is available and usable by each subscriber. This represents a total of 8 addressable /64 networks. Let’s see what it can be used for and how to use it. IPv6 reminders Contrary to IPv4, with IPv6 one avoids making NAT, i. [Read More]

Multi-Hosts TLS Certificate

It is sometimes convenient to have a domain distributed over two or more machines. This technique, as old as DNS, is interesting to spread the load between multiple hosts, or to provide a bit of high availability. Indeed, if a host becomes inaccessible, at least half of the requests will continue to be successful.

However, since TLS connections have become the norm, and certificates should be renewed automatically, it could be hard to control the validation and the distribution.

I will present a technique which, with the help of a finely configured web server, makes it possible to get a different certificate on each machine, usable for the same subdomain.

[Read More]

RTL8153B support for 4.9 kernel

If you buy a recent USB to Ethernet adapter embedding a Realtek chip, you may face, like me, the following error when connecting it:

r8152 4-1.1:1.0 (unnamed net_device) (uninitialized): Unknown version 0x6010
r8152 4-1.1:1.0 (unnamed net_device) (uninitialized): Unknown Device
[Read More]
kernel 

Support for the user namespace in grsecurity kernel

Grsecurity has completely disabled, on purpose, the user namespace code for the kernel.

As the goal of this namespace is to gain (virtual) root privileges inside a namespace (in theory, it shouldn’t give more privileges than the ones you initially have outside of your namespace), there are some interesting use cases; in my case, I need to perform some demos in front of my students.

[Read More]
kernel 

Slow memhog for testing cgroups

Testing the cgroup memory is not as easy as one might think. It can’t be only a matter of calling malloc(100000) in a loop, as the Linux kernel overcommits memory allocations: even if we effectively get a 100000-byte memory space, this doesn’t decrease the available physical memory. To do so, this space needs to be modified page by page, which can be tedious to do. And quite uncertain, because the kernel can take advantage of the swap partition… [Read More]

Use Gitolite Access Control In Gitweb

Are you using gitolite and gitweb? Two nice and lightweight projects, but perhaps you are tired of managing access control in gitweb?

Here are some simple tricks to use gitolite access lists directly in gitweb, automatically.

[Read More]
git 

PGP key

My personal PGP key is the following: 0x842807a84573cc96.

pub   4096R/4573CC96 2014-06-23 [expires: 2022-06-30]
      Key fingerprint = E722 B5B7 3CA7 FA93 5FC1  AA09 8428 07A8 4573 CC96
uid                  Pierre-Olivier Mercier <nemunaire@nemunai.re>
sub   4096R/9D2855C3 2014-06-23 [expires: 2022-06-30]
[Read More]