Post-mortem cryptominer on CI infrastructure

[English version coming soon] Après les grandes plateformes de cloud, puis d’intégration continue (CI), se plaignant des cryptomineurs, il semble que la course à leur déploiement dans les petites installations de CI soit lancée. Mon infrastructure a été la cible d’un hacker individuel hier, m’obligeant à changer moi aussi quelques éléments de configuration pour m’adapter à ce nouveau contexte. Une sacrée surprise pour démarrer un beau samedi Dans ma quête de séparation des GAFAM et de contrôle de mes données personnelles, j’héberge depuis de nombreuses années une forge qui devient de plus en plus centrale pour mes projets. [Read More]

Multi-Hosts TLS Certificate

It is sometimes convenient to have a domain distributed over two or more machines. This technique, as old as DNS, is interesting to spread the load between multiple hosts, or to provide a bit of high availability. Indeed, if a host becomes inaccessible, at least half of the requests will continue to be successful.

However, since TLS connections have become the norm, and certificates should be renewed automatically, it could be hard to control the validation and the distribution.

I will present you a technique which, with the help of a finely configured web server, allows to get a different certificate on each machine, but usable for the same subdomain.

[Read More]

RTL8153B support for 4.9 kernel

If you buy a recent USB to Ethernet adapter, embedding a Realtek chip, you possibly face, like me, the following error, when connecting it:

r8152 4-1.1:1.0 (unnamed net_device) (uninitialized): Unknown version 0x6010
r8152 4-1.1:1.0 (unnamed net_device) (uninitialized): Unknown Device

[Read More]

Support for the user namespace in grsecurity kernel

Grsecurity has completely disabled, on purpose, the user namespace code for the kernel.

As the goal of this namespace is to gain (virtualy) root privilegies inside a namespace (in theory, it shouldn’t give more priviledgies than the one you initialy have outside of your namespace), there are some interesting use cases, or, in my case I need to perform some demo in front of my students.

[Read More]

Slow memhog for testing cgroups

Testing the cgroup memory is not something as easy as we can think. It can’t be only question of malloc(100000) in a loop, as the Linux kernel overcommit memory allocation: so even if we get effectively a 100000 bytes long memory space, this doesn’t decrease the physical available memory. To do so, this space need to be changed pages by pages, that can be tedious to do. And quite uncertain, because the kernel can take advantage of the swap partition… [Read More]

Use Gitolite Access Control In Gitweb

Are you using gitolite and gitweb? Two nice and lightweight projects, but perhaps you are tired to manage access control in gitweb?

Here is some simple tricks to use gitolite access list directly into gitweb, automatically.

[Read More]

PGP key

My personal PGP key is the following: 0x842807a84573cc96.

pub   4096R/4573CC96 2014-06-23 [expires: 2022-06-30]
Key fingerprint = E722 B5B7 3CA7 FA93 5FC1  AA09 8428 07A8 4573 CC96
uid                  Pierre-Olivier Mercier <nemunaire@nemunai.re>
sub   4096R/9D2855C3 2014-06-23 [expires: 2022-06-30]

[Read More]

Linux Kernel Configurations

My favorite distribution is Gentoo, for 7 years now. It allows me to have all the flexibility I need (the perfect world between stability with only legacy packages or recent ones on a constantly broken system; as in Gentoo, you always have choice) and it teaches me so many things each day.

As I’m used to control everything, here is a list of kernels' configurations I use currently.

[Read More]

My private SSH keys managment

I always have a different SSH key pair per machine. The aim is to really never copy my private key from a machine to another over network or USB stick.

[Read More]