Recently I added a four port 1GbE card to my machine and I bought a RealTek one – mainly because I’m not made of money and I’m not spending hundreds on a network card, not when there’s whiskey to be drunk.

So I needed to add drivers for the RTL8111G chipset to my machine, but VMware doesn't support this chipset. Thus I had to find and add my own. Turns out there's a lovely resource called V-Front Online Depot for VMware ESXi which had exactly what I wanted. What follows is how I added the VIB to my machine.

First we need to allow community-supported VIBs to be loaded:

esxcli software acceptance set --level=CommunitySupported

Next we need to make sure we can talk to the internet from our server

esxcli network firewall ruleset set -e true -r httpClient

Now we need to download and install the VIB:

esxcli software vib install -n net55-r8168 -d http://vibsdepot.v-front.de

Your value for -n will of course be different.

That should go off and install what you need, then tell you whether you need to reboot.
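The three esxcli steps above each widen a host-wide setting (the acceptance level and the httpClient firewall rule) and the post leaves them widened. The script below is an added example, not from the post, that runs the same commands as one unit and puts the previous acceptance level back and closes the firewall rule again afterwards, whether or not the install succeeded. The esxcli syntax is the post's; fake_esxcli is an assumed stand-in that records each call and answers "acceptance get" with a made-up value, so the sequence can be checked on a workstation without an ESXi host.

```shell
#!/bin/sh
# Added example: install a community VIB with the relaxed host settings scoped to the install.
# ESXCLI is the real esxcli when present, otherwise fake_esxcli (an assumed stand-in).

LOG=$(mktemp)

fake_esxcli() {
  # Stand-in for esxcli: log every call, and answer "acceptance get" like a host would.
  printf '%s\n' "$*" >>"$LOG"
  case "$*" in
    "software acceptance get") echo "PartnerSupported" ;;
  esac
}

if command -v esxcli >/dev/null 2>&1; then
  ESXCLI=esxcli
else
  ESXCLI=fake_esxcli
fi

restore_host_settings() {
  # $1 = acceptance level recorded before the install
  $ESXCLI software acceptance set --level="$1"
  $ESXCLI network firewall ruleset set -e false -r httpClient
}

install_community_vib() {
  # $1 = depot URL, $2 = VIB name (the -n value, which differs per card)
  depot=$1
  name=$2
  previous=$($ESXCLI software acceptance get)
  $ESXCLI software acceptance set --level=CommunitySupported
  $ESXCLI network firewall ruleset set -e true -r httpClient
  $ESXCLI software vib install -n "$name" -d "$depot"
  status=$?
  # Restore before reporting, so a failed install does not leave the host relaxed.
  restore_host_settings "$previous"
  return $status
}

# On a real host call install_community_vib yourself; the demo below only runs against the fake.
if [ "$ESXCLI" = fake_esxcli ]; then
  install_community_vib http://vibsdepot.v-front.de net55-r8168
fi
```

With the fake in place the log shows the order that matters: read the current level, widen, install, then restore the level and close the rule. The reboot the install asks for is still yours to do.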


First enable the shell from within the GUI.

Now log in as root or your administrator account.

Then let’s make sure we can get out of the box to the internet

esxcli network firewall ruleset set -e true -r httpClient

Now let’s put the server into MAINTENANCE MODE

vim-cmd /hostsvc/maintenance_mode_enter

Now let’s see what profiles are available to us

esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep ESXi-6.7.0-2019

Change what you grep for depending on your version, year, etc.

Now install the profile

esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-6.7.0-20190604001-standard

This takes some time to complete; here's my example output:

Update Result
Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
Reboot Required: true
VIBs Installed: VMW_bootbank_bnxtnet_20.6.101.7-21vmw.670.2.48.13006603, VMW_bootbank_bnxtroce_20.6.101.0-20vmw.670.1.28.10302608, VMW_bootbank_brcmfcoe_11.4.1078.19-12vmw.670.2.48.13006603, VMW_bootbank_elxnet_11.4.1095.0-5vmw.670.1.28.10302608, VMW_bootbank_i40en_1.3.1-23vmw.670.2.48.13006603, VMW_bootbank_igbn_0.1.1.0-4vmw.670.2.48.13006603, VMW_bootbank_ipmi-ipmi-devintf_39.1-5vmw.670.1.28.10302608, VMW_bootbank_ipmi-ipmi-msghandler_39.1-5vmw.670.1.28.10302608, VMW_bootbank_ipmi-ipmi-si-drv_39.1-5vmw.670.1.28.10302608, VMW_bootbank_iser_1.0.0.0-1vmw.670.1.28.10302608, VMW_bootbank_ixgben_1.4.1-18vmw.670.2.48.13006603, VMW_bootbank_lpfc_11.4.33.18-12vmw.670.2.48.13006603, VMW_bootbank_lsi-mr3_7.708.07.00-2vmw.670.2.48.13006603, VMW_bootbank_lsi-msgpt2_20.00.05.00-1vmw.670.2.48.13006603, VMW_bootbank_lsi-msgpt35_09.00.00.00-1vmw.670.2.48.13006603, VMW_bootbank_lsi-msgpt3_17.00.01.00-3vmw.670.2.48.13006603, VMW_bootbank_misc-drivers_6.7.0-2.48.13006603, VMW_bootbank_mtip32xx-native_3.9.8-1vmw.670.1.28.10302608, VMW_bootbank_ne1000_0.8.4-2vmw.670.2.48.13006603, VMW_bootbank_nenic_1.0.21.0-1vmw.670.1.28.10302608, VMW_bootbank_net-vmxnet3_1.1.3.0-3vmw.670.2.48.13006603, VMW_bootbank_nfnic_4.0.0.17-0vmw.670.2.48.13006603, VMW_bootbank_nhpsa_2.0.22-3vmw.670.1.28.10302608, VMW_bootbank_nmlx4-core_3.17.13.1-1vmw.670.2.48.13006603, VMW_bootbank_nmlx4-en_3.17.13.1-1vmw.670.2.48.13006603, VMW_bootbank_nmlx4-rdma_3.17.13.1-1vmw.670.2.48.13006603, VMW_bootbank_nmlx5-core_4.17.13.1-1vmw.670.2.48.13006603, VMW_bootbank_nmlx5-rdma_4.17.13.1-1vmw.670.2.48.13006603, VMW_bootbank_ntg3_4.1.3.2-1vmw.670.1.28.10302608, VMW_bootbank_nvme_1.2.2.27-1vmw.670.2.48.13006603, VMW_bootbank_nvmxnet3_2.0.0.29-1vmw.670.1.28.10302608, VMW_bootbank_qedentv_2.0.6.4-10vmw.670.1.28.10302608, VMW_bootbank_sfvmk_1.0.0.1003-6vmw.670.2.48.13006603, VMW_bootbank_smartpqi_1.0.1.553-12vmw.670.1.28.10302608, VMW_bootbank_vmkfcoe_1.0.0.1-1vmw.670.1.28.10302608, VMW_bootbank_vmkusb_0.1-1vmw.670.2.48.13006603, 
VMW_bootbank_vmw-ahci_1.2.3-1vmw.670.1.28.10302608, VMware_bootbank_cpu-microcode_6.7.0-2.55.13644319, VMware_bootbank_elx-esx-libelxima.so_11.4.1184.1-2.48.13006603, VMware_bootbank_esx-base_6.7.0-2.60.13981272, VMware_bootbank_esx-ui_1.33.3-13454473, VMware_bootbank_esx-update_6.7.0-2.60.13981272, VMware_bootbank_lsu-hp-hpsa-plugin_2.0.0-16vmw.670.1.28.10302608, VMware_bootbank_lsu-intel-vmd-plugin_1.0.0-2vmw.670.1.28.10302608, VMware_bootbank_lsu-lsi-drivers-plugin_1.0.0-1vmw.670.2.48.13006603, VMware_bootbank_lsu-lsi-lsi-mr3-plugin_1.0.0-13vmw.670.1.28.10302608, VMware_bootbank_lsu-lsi-lsi-msgpt3-plugin_1.0.0-9vmw.670.2.48.13006603, VMware_bootbank_lsu-smartpqi-plugin_1.0.0-3vmw.670.1.28.10302608, VMware_bootbank_native-misc-drivers_6.7.0-2.48.13006603, VMware_bootbank_qlnativefc_3.1.8.0-4vmw.670.2.48.13006603, VMware_bootbank_vmware-esx-esxcli-nvme-plugin_1.2.0.36-2.48.13006603, VMware_bootbank_vsan_6.7.0-2.60.13805960, VMware_bootbank_vsanhealth_6.7.0-2.60.13805961, VMware_locker_tools-light_10.3.5.10430147-12986307
VIBs Removed: VMW_bootbank_bnxtnet_20.6.101.7-11vmw.670.0.0.8169922, VMW_bootbank_brcmfcoe_11.4.1078.0-8vmw.670.0.0.8169922, VMW_bootbank_elxnet_11.4.1094.0-5vmw.670.0.0.8169922, VMW_bootbank_i40en_1.3.1-18vmw.670.0.0.8169922, VMW_bootbank_igbn_0.1.0.0-15vmw.670.0.0.8169922, VMW_bootbank_ipmi-ipmi-devintf_39.1-4vmw.670.0.0.8169922, VMW_bootbank_ipmi-ipmi-msghandler_39.1-4vmw.670.0.0.8169922, VMW_bootbank_ipmi-ipmi-si-drv_39.1-4vmw.670.0.0.8169922, VMW_bootbank_iser_1.0.0.0-1vmw.670.0.0.8169922, VMW_bootbank_ixgben_1.4.1-11vmw.670.0.0.8169922, VMW_bootbank_lpfc_11.4.33.1-6vmw.670.0.0.8169922, VMW_bootbank_lsi-mr3_7.702.13.00-4vmw.670.0.0.8169922, VMW_bootbank_lsi-msgpt2_20.00.04.00-4vmw.670.0.0.8169922, VMW_bootbank_lsi-msgpt35_03.00.01.00-10vmw.670.0.0.8169922, VMW_bootbank_lsi-msgpt3_16.00.01.00-1vmw.670.0.0.8169922, VMW_bootbank_misc-drivers_6.7.0-0.0.8169922, VMW_bootbank_mtip32xx-native_3.9.6-1vmw.670.0.0.8169922, VMW_bootbank_ne1000_0.8.3-4vmw.670.0.0.8169922, VMW_bootbank_nenic_1.0.11.0-1vmw.670.0.0.8169922, VMW_bootbank_net-vmxnet3_1.1.3.0-3vmw.670.0.0.8169922, VMW_bootbank_nhpsa_2.0.22-1vmw.670.0.0.8169922, VMW_bootbank_nmlx4-core_3.17.9.12-1vmw.670.0.0.8169922, VMW_bootbank_nmlx4-en_3.17.9.12-1vmw.670.0.0.8169922, VMW_bootbank_nmlx4-rdma_3.17.9.12-1vmw.670.0.0.8169922, VMW_bootbank_nmlx5-core_4.17.9.12-1vmw.670.0.0.8169922, VMW_bootbank_nmlx5-rdma_4.17.9.12-1vmw.670.0.0.8169922, VMW_bootbank_ntg3_4.1.3.0-1vmw.670.0.0.8169922, VMW_bootbank_nvme_1.2.1.34-1vmw.670.0.0.8169922, VMW_bootbank_nvmxnet3_2.0.0.27-1vmw.670.0.0.8169922, VMW_bootbank_qedentv_2.0.6.4-8vmw.670.0.0.8169922, VMW_bootbank_smartpqi_1.0.1.553-10vmw.670.0.0.8169922, VMW_bootbank_vmkfcoe_1.0.0.0-1vmw.670.0.0.8169922, VMW_bootbank_vmkusb_0.1-1vmw.670.0.0.8169922, VMW_bootbank_vmw-ahci_1.2.0-6vmw.670.0.0.8169922, VMware_bootbank_cpu-microcode_6.7.0-0.0.8169922, VMware_bootbank_elx-esx-libelxima.so_11.4.1184.0-0.0.8169922, VMware_bootbank_esx-base_6.7.0-0.0.8169922, 
VMware_bootbank_esx-ui_1.25.0-7872652, VMware_bootbank_lsu-hp-hpsa-plugin_2.0.0-13vmw.670.0.0.8169922, VMware_bootbank_lsu-lsi-lsi-mr3-plugin_1.0.0-12vmw.670.0.0.8169922, VMware_bootbank_lsu-lsi-lsi-msgpt3-plugin_1.0.0-8vmw.670.0.0.8169922, VMware_bootbank_native-misc-drivers_6.7.0-0.0.8169922, VMware_bootbank_qlnativefc_3.0.1.0-5vmw.670.0.0.8169922, VMware_bootbank_vmware-esx-esxcli-nvme-plugin_1.2.0.32-0.0.8169922, VMware_bootbank_vsan_6.7.0-0.0.8169922, VMware_bootbank_vsanhealth_6.7.0-0.0.8169922, VMware_locker_tools-light_10.2.0.7253323-8169922
VIBs Skipped: VMW_bootbank_ata-libata-92_3.00.9.2-16vmw.670.0.0.8169922, VMW_bootbank_ata-pata-amd_0.3.10-3vmw.670.0.0.8169922, VMW_bootbank_ata-pata-atiixp_0.4.6-4vmw.670.0.0.8169922, VMW_bootbank_ata-pata-cmd64x_0.2.5-3vmw.670.0.0.8169922, VMW_bootbank_ata-pata-hpt3x2n_0.3.4-3vmw.670.0.0.8169922, VMW_bootbank_ata-pata-pdc2027x_1.0-3vmw.670.0.0.8169922, VMW_bootbank_ata-pata-serverworks_0.4.3-3vmw.670.0.0.8169922, VMW_bootbank_ata-pata-sil680_0.4.8-3vmw.670.0.0.8169922, VMW_bootbank_ata-pata-via_0.3.3-2vmw.670.0.0.8169922, VMW_bootbank_block-cciss_3.6.14-10vmw.670.0.0.8169922, VMW_bootbank_char-random_1.0-3vmw.670.0.0.8169922, VMW_bootbank_ehci-ehci-hcd_1.0-4vmw.670.0.0.8169922, VMW_bootbank_elxiscsi_11.4.1174.0-2vmw.670.0.0.8169922, VMW_bootbank_hid-hid_1.0-3vmw.670.0.0.8169922, VMW_bootbank_iavmd_1.2.0.1011-2vmw.670.0.0.8169922, VMW_bootbank_ima-qla4xxx_2.02.18-1vmw.670.0.0.8169922, VMW_bootbank_lpnic_11.4.59.0-1vmw.670.0.0.8169922, VMW_bootbank_misc-cnic-register_1.78.75.v60.7-1vmw.670.0.0.8169922, VMW_bootbank_net-bnx2_2.2.4f.v60.10-2vmw.670.0.0.8169922, VMW_bootbank_net-bnx2x_1.78.80.v60.12-2vmw.670.0.0.8169922, VMW_bootbank_net-cdc-ether_1.0-3vmw.670.0.0.8169922, VMW_bootbank_net-cnic_1.78.76.v60.13-2vmw.670.0.0.8169922, VMW_bootbank_net-e1000_8.0.3.1-5vmw.670.0.0.8169922, VMW_bootbank_net-e1000e_3.2.2.1-2vmw.670.0.0.8169922, VMW_bootbank_net-enic_2.1.2.38-2vmw.670.0.0.8169922, VMW_bootbank_net-fcoe_1.0.29.9.3-7vmw.670.0.0.8169922, VMW_bootbank_net-forcedeth_0.61-2vmw.670.0.0.8169922, VMW_bootbank_net-igb_5.0.5.1.1-5vmw.670.0.0.8169922, VMW_bootbank_net-ixgbe_3.7.13.7.14iov-20vmw.670.0.0.8169922, VMW_bootbank_net-libfcoe-92_1.0.24.9.4-8vmw.670.0.0.8169922, VMW_bootbank_net-mlx4-core_1.9.7.0-1vmw.670.0.0.8169922, VMW_bootbank_net-mlx4-en_1.9.7.0-1vmw.670.0.0.8169922, VMW_bootbank_net-nx-nic_5.0.621-5vmw.670.0.0.8169922, VMW_bootbank_net-tg3_3.131d.v60.4-2vmw.670.0.0.8169922, VMW_bootbank_net-usbnet_1.0-3vmw.670.0.0.8169922, 
VMW_bootbank_nvmxnet3-ens_2.0.0.21-1vmw.670.0.0.8169922, VMW_bootbank_ohci-usb-ohci_1.0-3vmw.670.0.0.8169922, VMW_bootbank_pvscsi_0.1-2vmw.670.0.0.8169922, VMW_bootbank_qcnic_1.0.2.0.4-1vmw.670.0.0.8169922, VMW_bootbank_qfle3_1.0.50.11-9vmw.670.0.0.8169922, VMW_bootbank_qfle3f_1.0.25.0.2-14vmw.670.0.0.8169922, VMW_bootbank_qfle3i_1.0.2.3.9-3vmw.670.0.0.8169922, VMW_bootbank_qflge_1.1.0.11-1vmw.670.0.0.8169922, VMW_bootbank_sata-ahci_3.0-26vmw.670.0.0.8169922, VMW_bootbank_sata-ata-piix_2.12-10vmw.670.0.0.8169922, VMW_bootbank_sata-sata-nv_3.5-4vmw.670.0.0.8169922, VMW_bootbank_sata-sata-promise_2.12-3vmw.670.0.0.8169922, VMW_bootbank_sata-sata-sil24_1.1-1vmw.670.0.0.8169922, VMW_bootbank_sata-sata-sil_2.3-4vmw.670.0.0.8169922, VMW_bootbank_sata-sata-svw_2.3-3vmw.670.0.0.8169922, VMW_bootbank_scsi-aacraid_1.1.5.1-9vmw.670.0.0.8169922, VMW_bootbank_scsi-adp94xx_1.0.8.12-6vmw.670.0.0.8169922, VMW_bootbank_scsi-aic79xx_3.1-6vmw.670.0.0.8169922, VMW_bootbank_scsi-bnx2fc_1.78.78.v60.8-1vmw.670.0.0.8169922, VMW_bootbank_scsi-bnx2i_2.78.76.v60.8-1vmw.670.0.0.8169922, VMW_bootbank_scsi-fnic_1.5.0.45-3vmw.670.0.0.8169922, VMW_bootbank_scsi-hpsa_6.0.0.84-3vmw.670.0.0.8169922, VMW_bootbank_scsi-ips_7.12.05-4vmw.670.0.0.8169922, VMW_bootbank_scsi-iscsi-linux-92_1.0.0.2-3vmw.670.0.0.8169922, VMW_bootbank_scsi-libfc-92_1.0.40.9.3-5vmw.670.0.0.8169922, VMW_bootbank_scsi-megaraid-mbox_2.20.5.1-6vmw.670.0.0.8169922, VMW_bootbank_scsi-megaraid-sas_6.603.55.00-2vmw.670.0.0.8169922, VMW_bootbank_scsi-megaraid2_2.00.4-9vmw.670.0.0.8169922, VMW_bootbank_scsi-mpt2sas_19.00.00.00-2vmw.670.0.0.8169922, VMW_bootbank_scsi-mptsas_4.23.01.00-10vmw.670.0.0.8169922, VMW_bootbank_scsi-mptspi_4.23.01.00-10vmw.670.0.0.8169922, VMW_bootbank_scsi-qla4xxx_5.01.03.2-7vmw.670.0.0.8169922, VMW_bootbank_shim-iscsi-linux-9-2-1-0_6.7.0-0.0.8169922, VMW_bootbank_shim-iscsi-linux-9-2-2-0_6.7.0-0.0.8169922, VMW_bootbank_shim-libata-9-2-1-0_6.7.0-0.0.8169922, VMW_bootbank_shim-libata-9-2-2-0_6.7.0-0.0.8169922, 
VMW_bootbank_shim-libfc-9-2-1-0_6.7.0-0.0.8169922, VMW_bootbank_shim-libfc-9-2-2-0_6.7.0-0.0.8169922, VMW_bootbank_shim-libfcoe-9-2-1-0_6.7.0-0.0.8169922, VMW_bootbank_shim-libfcoe-9-2-2-0_6.7.0-0.0.8169922, VMW_bootbank_shim-vmklinux-9-2-1-0_6.7.0-0.0.8169922, VMW_bootbank_shim-vmklinux-9-2-2-0_6.7.0-0.0.8169922, VMW_bootbank_shim-vmklinux-9-2-3-0_6.7.0-0.0.8169922, VMW_bootbank_uhci-usb-uhci_1.0-3vmw.670.0.0.8169922, VMW_bootbank_usb-storage-usb-storage_1.0-3vmw.670.0.0.8169922, VMW_bootbank_usbcore-usb_1.0-3vmw.670.0.0.8169922, VMW_bootbank_vmkata_0.1-1vmw.670.0.0.8169922, VMW_bootbank_vmkplexer-vmkplexer_6.7.0-0.0.8169922, VMW_bootbank_xhci-xhci_1.0-3vmw.670.0.0.8169922, VMware_bootbank_esx-dvfilter-generic-fastpath_6.7.0-0.0.8169922, VMware_bootbank_esx-xserver_6.7.0-0.0.8169922, VMware_bootbank_lsu-lsi-megaraid-sas-plugin_1.0.0-9vmw.670.0.0.8169922, VMware_bootbank_lsu-lsi-mpt2sas-plugin_2.0.0-7vmw.670.0.0.8169922, VMware_bootbank_rste_2.0.2.0088-7vmw.670.0.0.8169922

You should now bring the server out of MAINTENANCE MODE

vim-cmd /hostsvc/maintenance_mode_exit

Now go reboot and enjoy.
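The "Update Result" block above is what an unattended run of the profile update has to act on. The functions below are an added example, not from the post, that parse that block (same layout as the output above) to answer whether a reboot is required and how many VIBs were installed, removed or skipped. The sample result is the post's output trimmed to a couple of VIB ids per section, and the parser assumes each section sits on one line.

```shell
#!/bin/sh
# Added example: read the Update Result block printed by esxcli software profile update.

# Constructed sample: the post's output trimmed to a couple of VIB ids per section.
SAMPLE_RESULT='Update Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed: VMware_bootbank_esx-base_6.7.0-2.60.13981272, VMware_bootbank_esx-ui_1.33.3-13454473
   VIBs Removed: VMware_bootbank_esx-base_6.7.0-0.0.8169922
   VIBs Skipped: VMW_bootbank_vmkata_0.1-1vmw.670.0.0.8169922, VMW_bootbank_xhci-xhci_1.0-3vmw.670.0.0.8169922'

reboot_required() {
  # $1 = result text. Prints the value of "Reboot Required" and exits 0 only when it is "true".
  # A block with no such line is treated as "unknown, do not assume" and exits 1.
  printf '%s\n' "$1" | awk -F': *' '
    $1 ~ /Reboot Required$/ { found = 1; print $2; if ($2 != "true") rc = 1 }
    END { if (!found) rc = 1; exit rc }'
}

vib_count() {
  # $1 = result text, $2 = section name (Installed, Removed or Skipped). Prints how many
  # VIB ids are listed in that section, 0 when the section is absent or empty.
  printf '%s\n' "$1" | awk -v sec="$2" -F': *' '
    $1 ~ ("VIBs " sec "$") { print split($2, ids, /, */); found = 1 }
    END { if (!found) print 0 }'
}

if reboot_required "$SAMPLE_RESULT" >/dev/null; then
  echo "reboot required: $(vib_count "$SAMPLE_RESULT" Installed) installed," \
       "$(vib_count "$SAMPLE_RESULT" Removed) removed," \
       "$(vib_count "$SAMPLE_RESULT" Skipped) skipped"
else
  echo "no reboot required"
fi
```

A missing "Reboot Required" line is deliberately a failure rather than a "no": if the output did not say, the safe assumption after a profile update is that the host still needs the reboot.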


Having just been on a CAB call with over 60 people running through a list of over 400 items to work through I’m reminded why I try really hard not to work in places where these things happen.

When you work in a truly agile workflow you don't need these. You don't need these because a good agile workflow can fully replace a traditional CAB if the agile workflow is cross-disciplined throughout the business.

At the end of several hours, everyone who was speaking sounded dispirited and thoroughly pissed off – including the leader on the call. That sucks. If you’re the leader and the meeting is depressing you – imagine what everyone else feels like.

Seriously – stop having CABs but if you really have to have one these points may help you:

  • Circulate the CAB items early and anything with a LOW to NONE impact rating shouldn’t be discussed – they should be automatically approved unless someone wants to call out one of them during the CAB.
  • Don’t have CABs that last more than an hour at the very most.
  • Group your changes by impacted areas so you can release people quickly.
  • Don’t speak over someone when they’re speaking – especially if you’re leading the CAB.
  • Don’t get pissed off at people on the call – that’s unprofessional and upsets everyone on the call.
  • Build a cadence to your voice and maintain it. Humans take their cues from a leader of a group – be a good positive leader, not one that sounds like they don’t want to be there.
  • Use a good online communication tool that works for everyone – bad quality voice or video adds an extra cognitive load where enough already exists.
  • Stop having CABs. Seriously.


Why We Do This

The default image provided as the RHEL7 image from Azure Marketplace is woefully out of date. The kernel is 3.x and has some critical CIFS bugs which will cause issues with Azure Files. A number of critical sub-systems are out of date and need to be upgraded.

What Could Go BANG!

The kernel is NOT a Red Hat kernel, so you may get pushback from Red Hat on support for it if you start hitting edge cases. However, we use the cloud. If you're tickling kernel bugs and no one else on the Internet is, you're doing something horribly wrong. Rebuild.

3rd party software support may also push back on a non-standard kernel. Push back on the push back!

Safety First

If in doubt, please backup your VM before you do this. If this fails it’s VERY hard to get the machine back into a production state.

How we do this

Update the base platform from the RedHat Repo

  • Login and sudo su to root.
  • Change to the / directory
  • Update yum with yum update && yum upgrade
  • Accept the defaults and allow the update to happen – this may take some time, do something else in the meantime.
  • Install yum-utils with yum install yum-utils and then run package-cleanup --oldkernels

Upgrade the kernel from elrepo

  • Import the ELRepo public key with rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
  • Install the RHEL7 repo with rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
  • Install the new kernel with yum --enablerepo=elrepo-kernel install kernel-ml
  • Check which menuentry is the new kernel with awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg and make a note of that number
  • Set that number as the default kernel with grub2-set-default <<NUMBER>>
  • Regenerate grub with grub2-mkconfig -o /boot/grub2/grub.cfg

Update any encryption patches and dracut

  • Create a file called yumupdatefix.sh in /root with the following contents
#!/usr/bin/env bash

# get and test path to source of most recent install
unset -v ADE_SOURCE
ADE_SEARCH=/var/lib/waagent/Microsoft.Azure.Security.AzureDiskEncryptionForLinux*
for i in $ADE_SEARCH; do
  if [[ -d "$i" ]]; then
    # -nt is also true while ADE_SOURCE is still unset, so the first directory found is always taken
    [[ "$i" -nt "${ADE_SOURCE}" ]] && ADE_SOURCE=$i
  fi
done

if [[ ! -d "${ADE_SOURCE}" ]]; then
  echo "patch failed - no source directory found matching ${ADE_SEARCH}"
  exit 1
fi

# get and test path to patch file
ADE_PATCH=${ADE_SOURCE}/main/oscrypto/rhel_72/encryptpatches/rhel_72_dracut.patch
if [[ ! -f "${ADE_PATCH}" ]]; then
  echo "patch failed - no patch file found matching ${ADE_PATCH}"
  exit 1
fi

# replace the placeholder ENCRYPTED_DISK_PARTITION with the root partition number (2 in the RHEL Azure gallery images)
sed -i.bak 's/ENCRYPTED_DISK_PARTITION/2/' "${ADE_PATCH}"

# patch the dracut crypt module, then rebuild the initramfs for the default (new) kernel
bash -c "set -e; patch -b -d /usr/lib/dracut/modules.d/90crypt -p1 < ${ADE_PATCH}"
/usr/sbin/dracut -I ntfs-3g -f -v --kver "$(grubby --default-kernel | sed 's|/boot/vmlinuz-||g')"

The above script will generate a new initramfs image corresponding to the new kernel version with the patched up version of Dracut modules – getting warnings is FINE. Really.

  • Enable execution of this script with chmod a+x yumupdatefix.sh
  • Execute this script with ./yumupdatefix.sh
  • Ensure that the image it builds is the same version of the kernel-ml that was installed.
  • Reboot with reboot
  • Pray or even Prey
  • When the machine comes back up (it should take a few minutes), check the new kernel with uname -msr
  • Profit.
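The two places this procedure can leave the VM unbootable are the grub2-set-default number (the menuentry step above) and an initramfs built for a different kernel than the one installed (the "ensure the image it builds is the same version" step). The script below is an added example, not from the post or any of the referenced pages: menuentry_index applies the same selection as the awk one-liner above (only top-level menuentry lines, numbered from 0) and returns the number for a given kernel version, and initramfs_for_kernel checks that an initramfs exists for exactly that version. The grub.cfg, boot directory and kernel version strings are constructed samples, not values from the post.

```shell
#!/bin/sh
# Added example: pick the grub2-set-default number for the new kernel-ml and verify its initramfs.

grub_menuentries() {
  # $1 = grub.cfg path. Prints "N : title" for each top-level menuentry. Entries nested in a
  # submenu are indented, so their first field is not exactly "menuentry " and they are skipped,
  # which matches how grub2-set-default counts a bare number.
  awk -F"'" '$1 == "menuentry " { print i++ " : " $2 }' "$1"
}

menuentry_index() {
  # $1 = grub.cfg path, $2 = kernel version (as in uname -r). Prints the index of the first
  # top-level entry whose title contains that version; exits 1 if there is none.
  grub_menuentries "$1" | awk -v ver="$2" '
    index($0, ver) { print $1; found = 1; exit }
    END { exit !found }'
}

initramfs_for_kernel() {
  # $1 = boot directory, $2 = kernel version. Prints the initramfs path dracut should have
  # written for that kernel, or exits 1 when it is missing.
  img="$1/initramfs-$2.img"
  [ -f "$img" ] || return 1
  printf '%s\n' "$img"
}

# Constructed sample (assumed version strings): two top-level entries plus a rescue entry in a submenu.
SAMPLE_DIR=$(mktemp -d)
NEW_KERNEL=5.1.15-1.el7.elrepo.x86_64
OLD_KERNEL=3.10.0-957.el7.x86_64
cat >"$SAMPLE_DIR/grub.cfg" <<'EOF'
menuentry 'Red Hat Enterprise Linux Server (5.1.15-1.el7.elrepo.x86_64) 7 (Maipo)' --class red {
    linux16 /boot/vmlinuz-5.1.15-1.el7.elrepo.x86_64 root=/dev/sda2 ro
}
menuentry 'Red Hat Enterprise Linux Server (3.10.0-957.el7.x86_64) 7 (Maipo)' --class red {
    linux16 /boot/vmlinuz-3.10.0-957.el7.x86_64 root=/dev/sda2 ro
}
submenu 'Advanced options' {
    menuentry 'Red Hat Enterprise Linux Server (0-rescue) 7 (Maipo)' --class red {
    }
}
EOF
touch "$SAMPLE_DIR/initramfs-$NEW_KERNEL.img"

grub_menuentries "$SAMPLE_DIR/grub.cfg"
IDX=$(menuentry_index "$SAMPLE_DIR/grub.cfg" "$NEW_KERNEL") && echo "grub2-set-default $IDX"
initramfs_for_kernel "$SAMPLE_DIR" "$NEW_KERNEL" || echo "no initramfs for $NEW_KERNEL, rerun dracut"
```

On a real host you would point menuentry_index at /etc/grub2.cfg and initramfs_for_kernel at /boot, with the version taken from rpm -q kernel-ml or from the title the awk listing shows.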

References

http://elrepo.org/tiki/tiki-index.php
http://elrepo.org/tiki/kernel-ml
https://blogs.msdn.microsoft.com/azuresecurity/2017/07/13/applying-updates-to-a-encrypted-azure-iaas-red-hat-vm-using-yum-update/
https://gist.github.com/mayank88mahajan/38faf934c86b89ad766c4c16dcd5f4aa



On the subject of encryption that’s getting so much press, one of my friends asked me what the PM was thinking. While we don’t actually call each other up and thus I have no idea what’s she’s thinking at any given moment, I may have an idea of how she’s thinking:

Simply put I suspect it's a call for options. When you come up against an intractable problem you begin with an impossible answer. It's an old methodology. One that most of us were taught in school because we grew up before we could Google for everything. To get people out of their comfort zone you have to push them in unreasonable directions. I expected various technology groups to come up with options but so far all we have is people screaming and making a lot of noise.

One of the best ways to stop insurgents operating in this or any country is to disrupt communications – that’s hard to do because of encryption.

Encryption is the mainstay of much of geopolitics, commerce and humanity from the dawn of the common era. It is a boon and a curse. Over the last fifty years we have become extremely dependent on it and its usefulness. However, all these technologies of today were invented in isolation from reality in a past sure of the goodness of all men.

The problem is that those charged with developing these protocols have become used to the constraints of the technology and we need to think beyond them. At one time these technologies were the privilege of the developed world. However as ubiquitous technology opens the doors to more and more people our enemies use these techniques against us. The answer so far from the technology community is “it can’t be done”, where “it” refers to back doors in encryption. That’s not an acceptable answer because it’s not addressing the question.

When the government drafts an outrageous bill it's looking for constructive responses. It's asking for more effort from the subject matter experts to evaluate the real objectives.

The very idea of encryption is because we don’t trust anyone. Thus it’s impossible to accept that we should allow those who work against us to use our own technology against us.

While the ultimate decryption key is a sharp knife to a nerve cluster, that kind of behavior applied wholesale leads to a dark and dismal future and isn’t always a viable option. We’re still waiting for our technology experts to come up with an answer but many seem so enamored with their toys they can’t see past them.

Encryption is a tool.

A tool is used to execute an answer to a question.

The question is Security.

Isn’t it?

There's an interesting blog post by Mythic Beasts on why encryption is vital. They seem to be missing the point. Everyone knows encryption is vital to the continued economic deliverable of the Internet as well as basic technology security. While this blog post is an obvious political statement, we were rather hoping for options. Turning around and telling the wider society that the cat is out of the bag and that's just tough is a stupid and arrogant thing to do. We've unleashed this double edged sword and we can't put it back in the sheath but we must have more of an answer if we're not to look like complete idiots to the rest of society. Like a child that spills their milk but just pouts and won't clean it up.

When we look for an unreasonable answer this kind of response isn't what we're expecting from people who should know better how to handle intractable problems.

So far there have been few options provided, which seems to suggest everyone is happy with the knife and nerves option.

Which is dumb.

So here, in clear and plain terms, is the question:

Given that encryption is easy to acquire and utilize, given our enemies have access to the same technologies as us, what are the options available to our society to ensure we are able to disrupt encrypted command and communication channels our enemies use whilst maintaining our freedoms to use it?

We all know we can’t put the cat back in the bag. I refuse to believe that a trillion dollar discipline such as ours can’t come up with some feasible answers that don’t involve the road to perdition.

If this is too tough a question for us, perhaps we’re not really worth the fuss.


Useful for converting PEM files into a single escaped line for adding to things like JSON.


awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' filename.pem


Stay focused on the engineering reality defined by your capabilities and requirements. Line up the engineering tasks with the business value. A shift in the engineering tasks should be a conscious decision as a result of conversations between the technical and business leaders in order to better deliver on the business value. Technical debt can be discarded when the engineering objectives change. Remember all technology is transient and that pride cometh before a fall.