This is to all the folks that still love to use Hyper-V
Look how easy and swift life can be.
so this thread:
https://mangolassi.it/topic/13635/saltstack-use-cases
Got me all excited about SaltStack. I hope it remains open source and free and available forever.
And I really wanted an Active Directory replacement. I don't have AD at my work; we do have centralized I.T services like XMPP server/Nextcloud, and some machines have secure VNC installed but not all, but nothing to manage the Windows clients. Thus it depends on the users most of the time.
So WannaCry came up and the max I can do is download the patch and host it on our NAS, and email everyone with the link and steps on how to do it, and tell them I am available for support just reply to the email and I will try to VNC to the machine or go manually and apply it (we are talking about managing 100+ machines).
But that did test our infrastructure readiness for similar scenarios, and it was poor and slow, cause it depends on the users, who you just can't trust to do the right thing. Sometimes they get so busy, and some think that just downloading the .msu patch file to their desktop means that they applied the patch, without even running it.
So that got me trialing SaltStack:
I did the basic stuff: got a CentOS 7 minimal machine (2 CPU/2 GB RAM) and installed SaltStack using this info:
https://repo.saltstack.com/#rhel
Then create 2 folders:
mkdir /srv/salt/
mkdir /srv/pillar/
Then edit this file:
/etc/salt/master
And uncomment the following lines, keeping the default config for them.
interface #(change this to your machine IP)
publish_port
user
ret_port
root_dir: /
file_roots:
  base:
    - /srv/salt
pillar_roots:
  base:
    - /srv/pillar
Then ensure firewalld allows the ports (publish + ret) configured above to be opened or accessible in your LAN.
Currently I do not use SS for provisioning servers, or salt state files, but I reckon I will get to that once I am more knowledgeable with the tool
So the above covered the Centos Salt Master part, now for the minions, simply download the file:
https://repo.saltstack.com/#windows
And install it. During install you will be asked to provide the IP for the salt master + the ID name of the client minion machine. (It is important to come up with a minion naming plan beforehand.)
And this covers the minion part. What I found very interesting is that SS works even if the Windows machine has Kaspersky workstation security installed with everything set on high as well as UAC; usually Kaspersky messes everything up.
Now go back to the Centos Salt master:
and type :
salt-key -L
You should see the new client minion name, but it is not authorized, thus type:
salt-key -A
to authorize the windows minion to connect (you can enable in the salt master config to accept all requests by default)
Now the actual patch part, let's say our Windows minion ID is 123 in this example:
Download the WannaCry patch and put it in the CentOS Salt Master dir of /srv/salt,
and cd to that dir on the Master.
Run the following on the Master:
salt '123' service.start 'wuauserv' && salt '123' cp.get_file salt://wannacry_patch_x64.msu C:/wannacry_patch_x64.msu && salt '123' cmd.run 'wusa.exe C:/wannacry_patch_x64.msu /quiet /norestart'
If you want the patch to work on selected machines, simply use salt -L '123,124' instead, and for all machines use salt '*' instead.
The above command will apply the patch, without rebooting the machine.
salt '123' cmd.run 'wmic qfe | find "4012212"'
This is based on:
https://technet.microsoft.com/library/security/MS17-010
Windows 7 for x64-based Systems Service Pack 1 (4012212) Security Only
This will return to you that the user has it installed. The minion might need to reboot first, then it will be listed, not sure.
salt '123' cmd.run 'del C:\wannacry_patch_x64.msu'
I know the above is rough and un-tidy, but I like to help in increasing the popularity of this awesome solution that I am trialing and it is stable and speedy and works, truly a GPO solution that works.
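For checking patch coverage across many minions after the steps in the post above, here is an added example (not part of the original post). It assumes the JSON shapes shown in the comments for `salt-key -L --out=json` and for the `wmic qfe` check run with `--out=json --static`; the sample data is constructed and `patch_report` is a hypothetical helper name.

```python
import json
import re

KB_ID = "4012212"  # the MS17-010 security-only update checked in the post

# Constructed sample data; the JSON shapes are assumptions about the output of
#   salt-key -L --out=json
#   salt '*' cmd.run 'wmic qfe | find "4012212"' --out=json --static
SAMPLE_KEYS = json.dumps({
    "minions": ["123", "124", "125", "126"],   # accepted keys
    "minions_pre": ["127"],                    # still waiting for salt-key -A
})
SAMPLE_RUN = json.dumps({
    "123": "http://support.microsoft.com/?kbid=4012212  PC-123  "
           "Security Update  KB4012212  NT AUTHORITY\\SYSTEM  5/15/2017",
    "124": "",                                  # find matched nothing
    "125": "'wmic' is not recognized as an internal or external command",
    # "126" is absent: the minion did not answer
})

def patch_report(keys_json, run_json, kb=KB_ID):
    """Classify every known minion by whether the KB shows up in wmic qfe."""
    keys = json.loads(keys_json)
    results = json.loads(run_json)
    kb_pattern = re.compile(r"\bKB" + re.escape(kb) + r"\b", re.IGNORECASE)
    report = {"patched": [], "missing": [], "no_response": [],
              "unaccepted": sorted(keys.get("minions_pre", []))}
    for minion in sorted(keys.get("minions", [])):
        output = results.get(minion)
        if not isinstance(output, str):
            report["no_response"].append(minion)   # offline or never returned
        elif kb_pattern.search(output):
            report["patched"].append(minion)
        else:
            report["missing"].append(minion)       # answered, KB not listed
    return report

if __name__ == "__main__":
    for status, minions in patch_report(SAMPLE_KEYS, SAMPLE_RUN).items():
        print(f"{status:12} {', '.join(minions) or '-'}")
```

Minions listed as `missing` may only need the reboot mentioned above before the update is reported; `no_response` and `unaccepted` machines are the ones the master cannot vouch for at all.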
@stacksofplates said in KVM in Production - Build it yourself:
I have 12 KVM hosts in production. For the very few machines that have stateful data, I use either the backup options built into the software/service that's running to a mounted location, my script, or I use ReaR. The rest of the systems are stored in Git.
Bare KVM is just fast and easy. I second that, but the issue is there is no standard way to manage it, especially backups, so this leaves KVM a solution for a person that knows much about it, and is usually the sole IT in that location, cause if there were other IT folks, they would just pick ESXi or Hyper-V to ensure continuity.
Well what services do you use currently ?
Cause cloud for file sharing and storage can be great option. Also for small web sites.
Also CEOs just read email about Amazon and bam they are hooked like 7yr old kid, and they want to move everything to it, cause they read in the email that 33% cost reduction, 20% efficiency increase, 50% penis growth
and they actually believe it
Ever thought how come the word penis is pronounced peanus but we type it penis
I am now ..
@scottalanmiller said in If you are new drop in say hello and introduce yourself please!:
Welcome to @msff-amman-Itofficer from Jordan!
Hey,
I'm Emad Ramlawi, working at MSFF reconstructive surgery project in Amman Jordan.
My title currently is Information System Technician, but mostly referred to as I.T or I.T guy... and basically helping the organization in Amman to move to digital documents format, as well as supporting end users, and maintaining a couple of servers, and the network.
Oh let's not forget the printers, some days that's 90% of my job... supporting printers
Hi,
I know the community outgrew the Windows stuff, and favors Linux (CentOS especially), but after being a reader in this community I wanted to share something. Hopefully it might help someone, and it is a very Keep It Simple approach for backups for Windows environments and requires a Windows machine, preferably a virtual machine, so here goes:
1) Download 7za.exe from:
http://www.7-zip.org/download.html
Either (old stable) Download 7-Zip 9.20 (2010-11-18) for Windows:
32-bit 7-Zip Command Line Version
Or (latest stable) Download 7-Zip 16.04 (2016-10-04) for Windows:
7-Zip Extra: standalone console version, 7z DLL, Plugin for Far Manager
2) Extract 7za.exe from those archives to the root of your drive (preferably the 32-bit version for broader compatibility).
3) Now to create backup files you will need to use the following plan: at the backup location (NAS) create 2 folders:
· Archives
· Mirror
Archives will have multiple versions of archives of the files you select to backup, while Mirror will always have latest sync of the backup, this is intended so we don’t archive the real source files, and instead we archive the Mirror folder.
4) Now on the server that has access to the source files and backup location, create the following .cmd file (Supply_Unit_Backup.cmd) on the Desktop for example, in a folder called Scripts (optional).
robocopy.exe /MIR "source folder" "backup Mirror folder"
C:\7za.exe a -ttar "backup Archives folder\date and time in a windows batch script.tar" "backup Mirror folder"
Real life example of the above:
robocopy.exe /MIR "\\192.168.1.200\Public\Supply Unit" "Z:\Supply_Unit_Backup\Mirror"
C:\7za.exe a -ttar "Z:\Supply_Unit_Backup\Archives\%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%__%TIME:~-11,2%hour.tar" "Z:\Supply_Unit_Backup\Mirror"
Do note the Robocopy command will do the sync or mirroring of the files, from the source folder to the Mirror folder, and it can support many useful arguments. For example, if you wish to grab/backup only Excel files you can do the following:
robocopy.exe /MIR "source folder" "backup Mirror folder" *.xls *.xlsx
Also if you want to backup only specific files using robocopy, you will need to run this command instead:
robocopy.exe /MIR "source folder" "backup Mirror folder" uCalendar.ini
And as seen above basically anything that will be placed in the Mirror we will take archive snapshot of it on regular intervals, and robocopy is good with network shares and incremental backup runs.
The 7za a -ttar is recommended (TAR format), but you can choose any other archiving/compression format. I think it makes sense to use 7z format, but the added bonus with .tar is that you can open it in Linux natively, and when you compare archiving file types with each other, there is no real performance winner. However, if you want to compress files I highly recommend using 7z format, which can be done by this command:
C:\7za.exe a "backup Archives folder\date and time in a windows batch script.7z" "backup Mirror folder"
And this way you can compress and reduce your backup file sizes. However, using a tar archive (or 7z with zero compression), a.k.a. archiving, has its benefits against compression: it is performed much faster and you can test the archives easier, and it theoretically reduces the chance of file corruption, cause it takes less time dealing with the file than with compression.
Now create a task with Windows Task Scheduler to execute the cmd by pointing Windows Task Scheduler to run the script inside the scripts folder at different intervals. Depending on your work nature and selected files this can vary from weekly backups to 3 times a day backup.
And you will have similar output like the below:
The fact that we used a 24 hour naming scheme will make your life a lot easier recognizing those files. I guess the only limitation we have with this script is that you can't run it every 1-59 minutes, otherwise it will keep overwriting the same file over and over. For example, if you ran the script 2 times at 11:01 and 11:20, you will get only 1 backup file; however, if you ran it at 11:01 and 12:01 (hourly based) you will get 2 backup files.
For me this is not issue, cause I never handled situation where backups needed to be done on minutes bases, and I reckon that will be very interfering with the work, notice in the above screenshot I backup every 8PM + 1PM + 8AM, which translates in this company as after working hours when everybody leaves + break time + before working hours.
4)Retention policy:
Now that the backups are getting created you will notice that they can be populated quite easily, so you can create another cmd file (Purge_Backup.cmd) with the following command:
forfiles -p "backup Archives folder" -s -m *.* -d -8 -c "cmd /c del @file"
And have it run on a weekly basis, starting from the first working day of the week of the company, and what this will do is always keep a week's worth of backups.
A real life example of this will be:
forfiles -p "Z:\Supply_Unit_Backup\Archives" -s -m *.* -d -8 -c "cmd /c del @path"
You can list files without deletion by:
forfiles -p "backup Archives folder" -s -m *.* -d -8 -c "cmd /c echo @file"
*note: UNC paths (\\machine\share) are not supported, you will need to MAP them to a drive letter.
5) You can then test the backups manually (tar files) by selecting them all and right clicking them on the backup destination -> 7-zip -> test archive (you will need to have 7zip installed for the context menu to appear), or test from command line and schedule it, but I didn't need to do this cause once you use archiving with zero compression format, everything just works. Especially since we move the files to another location first then we backup. This seems like a good method to backup but may not be appealing if you have many large files.
You can test backups using
7za.exe t "backup Archives folder\*.tar" >backup_log.txt
Then open the txt file and ensure the backup test result is = "Everything is Ok".
Extra Stuff:
You can use 7za to capture many folders and generate 1 file using windows system variables and produce log and have notepad open it for end users, for example:
7za.exe a -ttar "Backup%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%__%TIME:~-11,2%hour.tar" "%USERPROFILE%\Desktop" "%USERPROFILE%\Documents" "%USERPROFILE%\Contacts" "%USERPROFILE%\Music" "%USERPROFILE%\Pictures" "%USERPROFILE%\Videos"
Will create backup folder, wherever you run this script and will take the following folders:
Desktop Music Documents Pictures Contacts Videos
And create a single tar archive out of them. Then using this command:
7za.exe t "Backup*.tar" >backup_log.txt
msg * Notepad will open shortly. Please ensure the backup test result is "Everything is Ok".
notepad.exe backup_log.txt
You can instruct users on how to verify that their backups are complete. This can work as a no software approach for users to backup manually. You will be surprised with the 7za engine and how fast it can capture data and create the archive, especially since there is no GUI involved. Also with a bit of tinkering and closing programs like Outlook automatically by the script you can actually make it work. I also use, with the above script that is more targeted for users, a program called Everything, which searches using indexing of NTFS volumes, and I can pass it:
Everything.exe -admin -s "*.pst | *.ost" which will show the user the location of their Outlook files, so they can add it in the backup folder, and tell them to only launch the script from inside of their N.A.S secure share on weekly/monthly basis.
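The archive test and the 8-day purge from the post above can be tied together so that old archives are only released when a newer one actually reads back cleanly. This is an added example, not part of the original post; it uses Python's `tarfile` instead of `7za t`, the sample archives are constructed, and `verify_tar`, `plan_purge` and `make_sample` are hypothetical helper names.

```python
import os
import tarfile
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 8  # same cutoff as the forfiles "-d -8" purge in the post

def verify_tar(path):
    """Read every member to the end; a cut-off archive raises ReadError."""
    try:
        members = 0
        with tarfile.open(path, "r:") as tar:
            for member in tar:
                if member.isfile():
                    with tar.extractfile(member) as fh:
                        while fh.read(1 << 20):
                            pass
                members += 1
        return members > 0
    except (tarfile.TarError, OSError):
        return False

def plan_purge(archive_dir, now=None):
    """Dry run: old archives are released only if a newer archive verifies."""
    cutoff = (now or time.time()) - RETENTION_DAYS * 86400
    old, good, bad = [], [], []
    for path in sorted(Path(archive_dir).glob("*.tar")):
        if path.stat().st_mtime < cutoff:
            old.append(path.name)
        else:
            (good if verify_tar(path) else bad).append(path.name)
    return {"purge": old if good else [], "hold": [] if good else old,
            "verified": good, "failed": bad}

def make_sample(archive_dir, name, age_days, truncate=False):
    """Constructed test data: a one-file tar, optionally cut short."""
    src = Path(archive_dir) / "payload.bin"
    src.write_bytes(os.urandom(4096))
    tar_path = Path(archive_dir) / name
    with tarfile.open(tar_path, "w") as tar:
        tar.add(src, arcname="Mirror/payload.bin")
    src.unlink()
    if truncate:
        with open(tar_path, "r+b") as fh:
            fh.truncate(2000)  # ends inside the file data
    stamp = time.time() - age_days * 86400
    os.utime(tar_path, (stamp, stamp))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp, "20170501__20hour.tar", age_days=10)
        make_sample(tmp, "20170510__08hour.tar", age_days=1, truncate=True)
        print(plan_purge(tmp))  # old archive is held back
```

The function only returns a plan; deleting the names under `purge` is left to the caller, and anything under `failed` is a reason to look at the backup job before the next purge runs.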
Hello,
Just raising awareness of this project that caught my eye:
https://github.com/yueyongyue/saltshaker/blob/master/README.md
Especially checking the screenshots. Sadly the instructions are not very clear:
https://github.com/yueyongyue/saltshaker/blob/master/install.txt
But I hope I can manage to install this on a server separate from the salt master, and have it functioning with a good guide.
Will keep you posted, and any help analyzing the instructions is welcome.
So I finally hit it in my job, yes I knew it and felt it very clear.
Now I am the IT supervisor that is in charge of the new responsibility of paying the mobile communication bills, do you actually believe this?
And afterwards I have to create some sophisticated dashboard with a click of button that will detect old hardware age so we can replace it, using an outdated web solution that I have no part of, and was created by third party team.
How did I reach this place ... hopefully soon I will find a quick escape. You see it coming and you're working with garbage but you never really know it will reach this low.
I asked for IT assistant.
IT separate room
IT level/salary increase.
But all those take ages, and many promises and words, and what do I get, a responsibility that has 0% IT skills in it
Torvalds wades into CTS Labs' AMD chip security report
https://www.fudzilla.com/news/45819-torvalds-wades-into-cts-labs-amd-chip-security-report
"looks more like stock manipulation than a security advisory".
"If you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah."
"I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?"
"News flash: If an attacker has the root password, your system is already completely hosed. Everything else is just details."
"It's the security industry that has taught everybody to not be critical of their findings."
He also thinks, "there are real security researchers". For many of the rest, it's all about giving even the most minor security bug. In Torvalds' words: "A catchy name and a website is almost required for a splashy security disclosure these days."
"security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of sh*t going on, and they should use -- and encourage -- some critical thinking."
They know their storage, and an expanded Cockpit with ZFS manager, amazing team with great educational videos, check their ZFS best practices:
Youtube Video
Also expanded Cockpit with ZFS manager:
Youtube Video
More links:
https://www.45drives.com/
https://github.com/45Drives/cockpit-hardware
https://github.com/45Drives/cockpit-zfs-manager
@Emad-R said in k8s VS slack:
Also another reason I decided to do this, notice how much support developers have inside a company... like they have 40 other DEVs, but it's not the same with system admins and devops
Hi all,
I learned a lot from this community and appreciate being a member and I guess I'm ready to learn more this year.
I will be quick. I wish to start a learning circle (ideally ~10) with similar minded people about the below topics:
automation and container best practices, k8s (we can learn about others but k8s is the lead) and orchestration when do you use them, and best deployment practices and running it in a lab env, not as a managed service (so we actually learn).
the key is being involved and pooling resources and sharing knowledge, sure I can learn alone, which I am doing right now but I found myself more motivated and active with others
Looking for similar emotionally intelligent people, that love to learn as much as they love to share and grow. They should have solid Linux background but still venturing into container land. Where we learn together and in a fast pace way, we share code and learn in a best practice way, basically the same way the companies make us do it (try not to touch the prod servers manually and document shit).
Interested, hit me with your email so I can add you to the slack group.
devops-me2.slack.com
Currently, it is me alone with an old co-worker, and once you enter you will be not a member but a true participant of this. I'm planning we all work in a shared VPS account and we just have fun with it. While I can use a NodeBB forum, it's not as effective as being a team on Slack. I don't have all the procedure 100% figured out, but I am sure we will manage and if you have ideas let's do it.
The goal is running k8s best way possible and I would like if we can make it on multiple VPS providers or networks, also talk about best deployment practices as well as secure it, we will learn as we go. and I'm entering this without hiding any knowledge cause I learned this from the best (Scott) the more you share best practices and knowledge the better the world gets.
I hated Zulip for the same thing, sad to hear the Rocketchat. So are push notifications only affecting mobile users or all users?
Nice, liking the edits.
Noticed huge visual artifacts until I installed this
I am using ryzen 3200 with vega 8 gpu
sudo add-apt-repository ppa:oibaf/graphics-drivers
sudo apt-get update
https://www.phoronix.com/scan.php?page=news_item&px=Debian-New-DPL
https://www.debian.org/vote/2020/platforms/jcc
https://lists.debian.org/debian-vote/2020/03/msg00007.html
Be Bold. Be brave. Debian has got your back.
What other distro has this community and the possibility to be leader? It's so democratic, like really democratic, not "US democracy". RIP Ian, and good luck Jonathan Carter