- Personal website of Tess Sluijter

Virtualization, Linux labs on Apple Silicon

2023-07-17 20:18:00

I've held off on spending money on a new Mac for a long, long time. I have two Macbook Airs from 2017, which are still holding up admirably for my studies and work. Honestly, their 8GB of RAM and aged i5 are still plenty good for most of my work. 

Sure, I did get an Asus laptop with a beefy Ryzen in there, for teaching purposes. But even that's an ultra-portable and nothing hugely expensive. 

I've had to bite the bullet though: the chances of me getting students with Apple Silicon laptops are growing. My current group at ITVitae has my first one and it's a matter of time before a commercial customer pops in with an M1 or M2. 

So, I got myself a second hand 2020 M1 Mac Mini from Mac Voor Minder. Good store, I'd highly recommend. 

I had hoped that, in the three years we've had the Apple Silicon systems out, virtualization would be a solved problem. Well... it's not really, if you want one of the big names. 

VirtualBox, forget about that. It's highly in beta and is useless. VMware Fusion supposedly works, but I didn't manage to get it to do anything for me. And I'm not paying for Parallels, because most likely my students won't either! I need cheap/free solutions.

Turns out there's two.

  1. UTM, which uses Qemu under the hood. It's brilliant. Looks spiffy, has good options and does both virtualization (aarch64) and emulation (many other architectures). It does not have an API and it does not work with Vagrant. But I love it. 
  2. You can also install Qemu via Homebrew and then use the Vagrant-Qemu plugin to build VMs. It works well, although it doesn't support all great Vagrant options yet. One downside is that the number of aarch64 images for Qemu on VagrantUp is small. 

I'm now rewriting the lab files for my classes, to make them work on M1/M2 ARM systems. I'm starting with the lab VM for my DevSecOps class and then moving onward to two small projects that I use in class. Updating my Linux+ class will take more work.

Maybe I should start making my own Vagrant box images. :)

Preparing for (and passing) Red Hat's EX188, specialist in containers

2023-06-24 12:55:00

It's been well over a decade since I started doing Red Hat certifications, back in the RHEL6 era. Since then I've gone after many exams and certs, taking a few every year although not limited to Red Hat stuff. For Red Hat I'm basically making sure to take a new one every 2.5-3 years, so I can officially retain my "RHCE" status from 2014.

After my frustrating encounter with EX413 (security, 2017) and the fun EX407 (Ansible, 2020), it was time again! Since my agenda and wishlist are so incredibly stuffed, I will admit that I took "the easy way out" in renewing my RHCE by taking EX188.

EX188 is Red Hat's first exam in the line of certifying on the subject of container administration and development. It's about using Podman/Docker, to build and run containers in a local environment. No high availability, no Kubernetes or OpenShift... Basically a big step back from my CKA exam from last year.

But, pragmatism has its place. This year I've got a lot of other plans for my own studies and my work as teacher and this was a solid and educational way to get to a goal quickly.


To make sure I'm well enough prepared:

Testing from home

I still very much like that Red Hat will let you take their practical exams from home. Unfortunately they use a much harder-to-use setup than people like Linux Foundation. Preparing to take CKA from home was dead simple. Preparing for Red Hat Kiosk exams is a chore.

The e-book says my Macbook Air from 2017 should work, but it doesn't. So I used Dick's Lenovo gaming laptop again. It only works with the 2020-08 ISO, because of its built-in M970 GPU. I also had to buy a cheap Logitech webcam, because my Razer cam didn't work.

Important: make really, really sure that you test your computer fully way before the scheduled exam date. You must do this. 

The exam itself

I enjoyed it! It's 2.5 hours, for a handful of tasks. Red Hat advise you to first read through all assignments before starting, because one task may rely on another. Reading all tasks will take about fifteen minutes. I advise that you really do read all tasks before starting. 

The task descriptions for EX188 are good. They are thorough and detailed, they give you all the information you need for success. I have two minor quibbles with the task texts.

  1. One choice of words that is repeated in each task is ambiguous (but you don't have to worry about it).
  2. One task had two lines in it that 100% contradict each other. They offer an impossible conflict. After discussing the conflict with the proctor, I followed their advice to use a logical approach which rules out the impossibility itself. 

I needed the full 2.5 hours for the exam. I had 85% of the work done after ~1.5, but then needed the remaining 45 minutes for debugging the final 15%.

Again, I really enjoyed the exam. It's well put together, not frustrating at all.

Setting up Internet failover on UDM Pro, with Teltonika RUT241

2023-04-21 18:37:00

It's no secret that I use Ubiquiti equipment for my networking. My office runs on a UDM Pro, which has been great for me. 

The UDM Pro performs well and is stable, it has a great feature set and it's easy to manage (for someone who wants to spend little time managing their network). Heck, even site-to-site VPN for my security cameras was simple!

My main WAN connection comes from MAC3Park, my housing company. They recently had an outage on my Internet connection, which lasted a few days. That messes with my backups and a few of my business processes, so I want to have at least some form of alternative in place. 

Luckily, the UDM Pro also makes it dead simple to configure automatic failover or even load balancing across two WAN connections! It really is amazingly simple! Or it should be, as we'll see in a bit. 

As a second Internet connection, I looked into getting 4G/5G from my mobile provider. Ubiquiti have their own LTE/4G/5G solution, which looks awesome but is a bit expensive. For half the price, I got a Teltonika RUT241 aimed at IoT solutions.

Sure, the LAN port on the RUT241 is slower (10/100Mbit), but seeing how the 4G connection averages around 20MBit that'll be fine. That's also where the "should be simple" I mentioned earlier comes in. 

The RUT241 worked great with my laptop, but hooking it up to the SFP RJ45-module on the UDM Pro it just wouldn't go. No amount of changing settings would make it work. Very odd! There was no DHCP lease and even a statically assigned IP wouldn't let me connect to the Teltonika.

Turns out that, upon closer inspection, my vendor sent me the wrong SFP module :) I'd ordered the 1G model (which does 10/100/1000), but they sent me the 2.5G (which does 1000/2500/10000). The latter will not work with the Teltonika. 

Time to get that SFP replaced by my vendor and we'll be good to go!


Or even better! I could just switch my cabled connection from MAC3Park (which is 1G) to port 10 and switch the Teltonika to port 9 (which natively does 100/1000). So basically, switch the definitions of WAN1 and WAN2 around!


That worked. 

I made port 9 WAN2 and port 10 WAN1. I switched the cables around and now port 9 happily runs at 100Mbit, connected to the Teltonika.

Even nicer: in bridge mode, port 9 gets the 4G IP address so it's perfectly accessible as intended. But in that same bridge mode, the RUT241 remains accessible on its static, private IP as well so you can still access the admin web interface. 

So if, for example, my internal LANs are and the Teltonika's private IP is, I've set up a traffic management route which says that is accessible via WAN2. That way I can manage the Teltonika web interface, from inside my office LAN, even when it's in bridge mode. Excellent!


I tested the setup! 

Setting the UDM Pro to failover between the connections works very well. Within 60 seconds, Internet-connectivity was restored. It does seem that the dynamic DNS setup does not quickly switch over, so a site-to-site VPN will fail for a lot longer.

Setting the UDM Pro to load balancing didn't work so well. The connection remained down after I pulled WAN1.

PECB ISO/IEC 27001 Lead Implementer: training, examination and certification

2023-04-19 11:29:00

This month, I've put some time into formalizing my experience with the ISO 27001 standard for "Information Security Management Systems". That is, the business processes and security controls which an organization needs to have in place to be accredited as "ISO27001 certified"... which translates into: this organization has put the right things into place to identify, address and manage risk and to provide personnel and management with policies, standards and guidelines on how to securely operate their IT environment. 

It's a cliché that people in IT have a distaste for "auditing" and "compliance". And sure, I've never had much fun with it either! But I felt I was doing myself a disservice by not formalizing what I've learned over the past decades. Or to put it the other way around: making sure I properly learn the fundamentals, means that I can assist my customers better in properly structuring their IT security. 

So off I went, to my favored vendor of InfoSec trainings: TSTC in Veenendaal. :) 

They provide the PECB version of the ISO27001 LI training and examination. The PECB materials aren't awesome, but they get the job done. And yes, if you're a hands-on techie, then the material can be rather dreary. But overall I had a fun four days at TSTC, with a great class and a solid trainer. 

The exam experience was a bit different from what I'm used to with other vendors.

TLDR, in short:

CFR 410: quick follow-up

2023-03-29 21:41:00

As a quick follow-up to this week's post about CSC 210 and CFR 410: I've now also gone through the majority of the course book for CFR 410. 

Like CSC I can say I'm of the opinion that the course book for CFR is solid. It's good. I might not like the CFR exam, but the book is good!

CertNexus CSC 210 and CFR 410

2023-03-24 10:27:00

About a month ago I re-sat CompTIA's Linux+ exam, to make sure I am still preparing my students properly for their own exams. I still like the Linux+ exam (which I first beta-tested in 2021) and I'm happy to say that my course's curriculum properly covers all "my kids" need to know.

This week I sat not one, but two exams. That makes four this year, so far. :D

Why the sudden rush, with two exams in a week? I'm applying as CertNexus Authorized Instructor, through an acceleration programme that CN are running. They invited professional trainers to prepare and take their exams for free, so CN can expand their pool of international trainers.

I feel that's absolutely marvelous. What a great opportunity! I heartily applaud CertNexus for this step.

The first exam which I took was CSC-210: Cyber Secure Coder. The curriculum had a nice overlap with the secure coding / app hacking classes that our team taught at ${Customer}, which means it's a class I would feel comfortable teaching. It's not programming per se, it's about having a properly secure design and way-of-work in building your software. The curriculum is language agnostic, though the example projects are mostly in Python and NodeJS.

I went through the official book for CSC and I like the quality. I actually enjoyed it a lot more than CompTIA's style. I haven't gone through the slide decks yet, so I can't say anything about those yet. The exam, I really liked. The questions often tested for insight and when it asked to define certain concepts, it wasn't just dry regurgitation. 

I can definitely recommend CertNexus CSC to anyone who needs an entry-level training and/or certification for secure development. 

Now, CFR-410 (CyberSec First Responder) is a different beast. I took the beta back in 2021 and at the time I was not overly impressed. The exam has stayed the same: it still asks about outdated concepts and it still has dry fact-regurgitation questions. 

I haven't gone through the book and slides yet, I'll do that this weekend so I can update this post. 

I have contacted CertNexus to offer them feedback and help, so we can improve CFR. Simply complaining about it won't help anyone, I'd rather help them improve their product.

EDIT: CertNexus have indicated they will welcome any feedback I can provide them for CFR, so that's ace. I will work with them in the coming weeks.

The value (or not) of Linux+

2023-03-18 19:30:00

On Discord, people frequently ask: "is Linux+ worth it?". Here's my take.

The value depends on your market and on what you get out of it. In the US and UK, CompTIA is a well-known vendor but in other parts of the world they aren't. But left or right, Linux+ is not very well known.

I teach at a local school to prep young adults for the Linux+ exam. The school chose Linux+ because they can get heavily discounted vouchers for the exams, versus LPI, LF and others. For the school it was a matter of money: they really don't have much money and every dollar helps. 

Personally, I feel that the Linux+ curriculum is pretty solid as far as Linux sysadmin certs go. The exam itself is also decent and the vendor is mature. 

So in this case the value you'll get is from learning Linux system administration pretty in-depth. You'll also get a slip of paper which some might recognize and others will go "*cool, you passed a cert exam, good job*" (in a positive sense).

Linux+ is not worthless, it's just worth less (when compared to LFCS, LPIC1 and RHCSA).

DevSecOps: who's responsible?

2023-03-04 08:20:00

Someone on Discord asked: "Question: Does DevSecOps type of work fall under ISSO's roles and responsibilities?"

That got me thinking. 

IMO: DevSecOps, like many things in InfoSec, is something everybody needs to get in on! 

Architects need to define reference designs and standards. The ISO needs to define requirements based on regulations and laws and industry standards. An AppSec team needs to provide the tooling. Another team needs to provide CI/CD pipeline integration for these tools. And yes, the devops squads themselves need to actually do stuff with all of the aforementioned things. Someone needs to provide trainings, someone needs to be doing vulnerability management. Etc.

One book on the subject which I heartily recommend, is the Application Security Program Handbook, by Derek Fisher.

I bought that book right after leaving my previous AppSec role, where we spent two years building an AppSec team that did a lot of things from that list. I was amazed by the book, because cover to cover it's everything we self-taught over those two years.