Links 2019-11-10

On too big to fail tech …

Links 2019-11-01

some politics after non-Brexit day …

  • The paranoid fantasy behind Brexit, Fintan O’Toole, The Guardian
    In the im­pe­ri­al ima­gi­na­ti­on, there are only two sta­tes: do­mi­nant and sub­mis­si­ve, co­lo­ni­s­er and co­lo­nis­ed. This dua­lism lin­gers. If Eng­land is not an im­pe­ri­al power, it must be the only other thing it can be: a co­l­ony.
  • Why we stop­ped trus­ting eli­tes, Wil­liam Da­vies, The Guar­di­an
    The notion that public figures and professionals are basically trustworthy has been integral to the health of representative democracies. After all, the very core of liberal democracy is the idea that a small group of people – politicians – can represent millions of others.
  • Die Politik ist bürgerverdrossen – Indiskretion Ehrensache
    Die Bür­ger­ge­sell­schaft wird als nicht zeit­ge­mäß emp­fun­den – al­lein Be­rufs­po­li­ti­ker ver­stün­den die Welt des Jah­res 2019 noch. […] Zu­sam­men­ge­fasst: Die Be­rufs­po­li­ti­ker möch­ten beim Weg­re­gie­ren nicht be­läs­tigt wer­den.
  • Die haben das Internet nicht verstanden? Ich denke, doch.
    Meine These zur neuen Urheberrechtsgesetzgebung und deren Artikel 11 und 13 ist ja, dass die gesamte Novelle vor allem ein Versuch ist, das Internet so umzugestalten, dass es zu einem, – sagen wir mal – konservativerem Verständnis davon, wie Medien funktionieren, passt.
  • Über Zugfahren in Europa
    Aber mit der Bahn über eine län­ge­re Stre­cke in ein an­de­res, eu­ro­päi­sches Land zu rei­sen, in eine Stadt ab­seits der paar Me­tro­po­len, die mit dem Rail­team er­reich­bar sind? Das kann ich nie­man­dem emp­feh­len, der nicht voll­kom­men schmerz­geil und mit einem di­cken Not­fall­geld­beu­tel ge­seg­net ist. An die­sem Punkt schä­me ich mich für “meine” Bahn, für “meine” EU.
  • Für einen Neubeginn in Europa, Emmanuel Macron
    Noch nie seit dem Zweiten Weltkrieg war Europa so wichtig. Und doch war Europa noch nie in so großer Gefahr.

Links 2019-10-27

Über Arbeit und ihre Umstände …

Links 2019-02-13

On Licenses, Open Source, Communities, etc

Links 2019-02-11

GDPR, DSGVO, etc.

Links 2019-01-23

On Java …

Ansible and Vagrant SSH Keys

I recently came across the question how to handle SSH keys with Vagrant and Ansible.

Vagrant

Traditionally all Vagrant boxes and VMs require a fixed login (vagrant) with a fixed SSH key. This was very convenient in a development context, but could raise security issues in case Vagrant VMs were used for anything important and users were not aware of the insecure key.

In current Vagrant versions only boxes (i. e. base images) use the insecure key. When Vagrant starts a new VM it generates a new individual SSH key for this instance. Vagrant keeps these custom keys in the .vagrant/machines subdirectory; so host to guest logins (like vagrant ssh) are still possible.

A vagrant up shows the multi-step procedure:

    workstation: Vagrant insecure key detected. Vagrant will automatically replace
    workstation: this with a newly generated keypair for better security.
    workstation: 
    workstation: Inserting generated public key within guest...
    workstation: Removing insecure key from the guest if it's present...
    workstation: Key inserted! Disconnecting and reconnecting using new SSH key...
==> workstation: Machine booted and ready!

To prevent this mechanism one can configure the VM with config.ssh.insert_key = False. This is necessary when modifying a box. Say you want to take a bento base box, install your development tools, and then repackage the VM as your own development box in order to distribute it to a development team. — With the default behaviour (config.ssh.insert_key = True) every repackage build would generate a new basebox with an individual ssh keypair; this makes the new boxes practically unusable, because every user would have to get and configure the custom SSH key for each box. With config.ssh.insert_key = False the box will retain the previous key; that means you users have the same experience as with a normal box.

Note: As a compromise between the two modes one can set a custom ssh key for all baseboxes with config.ssh.private_key_path. This might be useful for companies with many internal boxes. In this case one distribute one SSH key to use with all Vagrant boxes but not use the publicly known insecure standard key.

Ansible

If all VMs use the same SSH key the setup is straightforward: Configure all Vagrant VMs with config.ssh.insert_key = False or config.ssh.private_key_path and use that key for the Ansible login.

With Vagrant’s default behaviour there is no common SSH key for all VMs. In this case one has to configure Ansible to use the right keys for every VM, but the setup is still simple as long as you have the default /vagrant mount with the .vagrant subdirectory.

This subdirectory contains all Vagrant state and contains these files, right now the private_key is the important one:

$ find .vagrant/
.vagrant/
.vagrant/rgloader
.vagrant/rgloader/loader.rb
.vagrant/machines
.vagrant/machines/workstation
.vagrant/machines/workstation/virtualbox
.vagrant/machines/workstation/virtualbox/synced_folders
.vagrant/machines/workstation/virtualbox/vagrant_cwd
.vagrant/machines/workstation/virtualbox/index_uuid
.vagrant/machines/workstation/virtualbox/action_set_name
.vagrant/machines/workstation/virtualbox/private_key
.vagrant/machines/workstation/virtualbox/id
.vagrant/machines/workstation/virtualbox/box_meta
.vagrant/machines/workstation/virtualbox/action_provision
.vagrant/machines/workstation/virtualbox/creator_uid

I usually run one Vagrant VM as an Ansible controller (with node.vm.provision :ansible_local) and then 1 to N other VMs as installation targets. To enable access from the controller to the other VMs I include this line in the Ansible inventory: ansible_ssh_private_key_file=/vagrant/.vagrant/machines/{{ inventory_hostname }}/virtualbox/private_key

This should work just the same for running Ansible on your host machine and use it to provision the guest VMs. In this case the path would be a relative one: .vagrant/machines/....

The only important detail is the consistent naming of the VM in Vagrant and Ansible. With the ansible_ssh_private_key_file as above Vagrant’s VM name (set with config.vm.define) and Ansible’s inventory_hostname have to be the same. They are not required to match the guest’s hostname (config.vm.hostname), but I strongly recommend to either use the same value or use an obvious mapping. I usually try to use an FQDN for the hostname, and then use the short hostname (the first component) as the VM name and inventory name.

The only important detail is a consistent naming between Vagrant’s VM name (as set with config.vm.define), the VM’s hostname

Links 2019-01-08

On cloud computing and vendors …