Using LVM cache for storage tiering

SSDs are small, expensive but fast. HDDs are large and cheap, but slow. Lets combine the two technologies to get the speed of SSDs with the price and size of HDDs. This can be achieved with storage tiering using LVM cache. Hardware vs. Software solutions There are so called “Hybrid HDDs” on the market. The SSD part is relatively small and you can not tune that cache or getting any statistics about cache hits and cache misses. Further, modern SSD ….Read More

Installing RHEL 8 on Hetzner root servers

Hetzner is a very popular provider for so called root servers and VPS (Virtual private Servers) located in Germany with datacenters in Germany and Finnland. They are quite affordable and have good services as well. The default installation image, sorry Hetzner, is crap (i.e. no logical volumes). The rescue system is not only a nice tool to recover from botched system configurations, it also comes with an image installer which allows users to install a custom system. The default selection ….Read More

Migrating from CentOS8 to RHEL8

There are various reasons why to migrate from CentOS to RHEL. Quicker access to bugfixes and new minor releases as well as having a fully commercially supported system. Unfortunately most providers do not have an option to install RHEL but CentOS instead. There are different tutorial on the net how to migrate from RHEL to CentOS but almost no information about the other way round. It is quite simple and at the end of the day you have only Red ….Read More

Renew Letsencrypt certificates for Red Hat Satellite 6 and Capsule

Letsencrypt certificates are only valid for just three months. The procedure to renew x509 certificates in Red Hat Satellite 6 is not so straight forward and its even more complex for Capsule servers. In an earlier post I was writing about how to set up a Satellite 6 and a capsule using Letsencrypt certificates. This post is a follow up on that. Be aware: You must follow this procedure before the certificate expires or the Satellite simply stops working, all ….Read More

OpenID and SAML authentication with Keycloak and FreeIPA

Not every web application can handle Kerberos SSO, but some provide OpenID and/or SAML. There is how Keycloak comes into the game. You can use Keycloak to federate users from different sources. This guide shows how to integrate Keyclock and FreeIPA to authenticate users in WordPress. On clients that are enrolled in IPA, this even works without a password, a Kerberos ticket is good enough to log in. What is Keycloak Keycloak is the upstream project for Red Hat SSO. ….Read More

Installing Red Hat Satellite 6 with Letsencrypt certificates

Red Hat Satellite 6 is a nice tool for system life cycle management. It can get complex and even installation is sometimes tricky. This article is about how to install Satellite, it does not explain the principals and concepts behind it. Requirements A valid subscription for the Satellite (and optional for the capsule). The system requirements are listed here. There is one important thing the install guide is missing: Satellite 6.4 will not work in IPv6 only environments. There must ….Read More

Using Data Deduplication and Compression with VDO on RHEL 7 and 8

Storage deduplication technology has been on the market for quite some time now. Unfortunately all of the implementations have been vendor specific proprietary software. With VDO, there is now an open source Linux native solution available. Red hat has introduced VDO (Virtual Data Optimizer) in RHEL 7.5, a storage deduplication technology bough with Permabit in 2017. Of course it has been open sourced since then. In contrast to ZFS which provides the same functionality on the file system level, VDO ….Read More

Using MTA-STS to enhance email transport security and privacy

Overview SMTP is broken by design. It comes from a time when communication partners trusted each other and the NSA was intercepting facsimiles and phone calls instead of internet traffic. To enhance privacy, in 2002 RFC 3208 was added to the SMTP protocol. Unfortunately STARTTLS is only optional, it is not allowed to only accept encrypted connections. The RFC states: A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in order to deliver mail locally. That is ….Read More