code, music and rants

My Windows 11 and Pop!_OS 22.04 dual boot setup

2022-08-07T00:00:00+00:00

Tools and characteristics

GUID Partition Table (GPT)
UEFI
luks
Ventoy
USB drive with 32+ GB of space
ISOs:
- Pop!_OS
- Windows 11

Setup

Install and configure Ventoy

Ventoy installation instructions
Add Windows and Pop!_OS ISOs to ventoy folder in USB drive

Create partitions first using `gparted` in live `Pop!_OS`

Boot into Pop!_OS and create 5 partitions:

The EFI partition I recommend you use 512MB FAT32 (it is more than necessary)
The MSR partition should be 128MB FAT32 will be for Windows
The actual windows installation whatever you want, I recommend more than 100GB NTFS
The /boot partition for linux I recommend 1GB xfs
The Linux LVM partition whatever is left of the disk using linux pv

Install Windows 11, without encryption

When choosing partitions press Shift + F10 to open command prompt
In Command prompt, run diskpart
Run list disk to get a list of disks and their numbers
Run select disk to switch context to a specific disk
Run list partition to get a list of partitions and their numbers, you should see the partitions you created in step 1
Run select partition
Run create partition efi size=512 to create efi partition
Run select partition
Run create partition msr size=128 to create msr partition
Run exit to go back to windows installation
Make sure windows installer sees EFI and MSR partitions
Select the partition you created in step 1 for windows to be installed on
Install windows, updates, activate etc

Now install `Pop!_OS` (or Ubuntu)

Press Try Demo Mode to get to the desktop
Open terminal
sudo su -
fdisk -l to find your Linux LVM partition
cryptsetup luksFormat /dev/nvme#n#p# this will encrypt and ask you to setup a passphrase
cryptsetup open /dev/nvme#n#p# luks1 to decrypt the partition and mount it at /dev/mapper/luks1
pvcreate /dev/mapper/luks1 to create a Physical Volume that LVM can use
vgcreate vg_hostname /dev/mapper/luks1 (used vg_thinkpad last time)
lvcreate -L 100G -n lv_root vg_hostname # at least 100 GB
lvcreate -L 4G -n lv_swap vg_hostname
lvcreate -l100%FREE -n lv_home vg_hostname
Open the regular installer, choose custom partitioning
Create /boot without encryption
Select EFI partition and mount it at /boot/efi
Decrypt Linux LVM partition
Select 100 GB and pick / for it and format using xfs
Select 4 GB as swap
Select last LVM partition for /home and format using xfs
Should look something like this
When the installer finishes, don’t reboot
Open terminal, again
sudo su -
blkid /dev/nvme#n#p# for the Linux LVM partition
cryptsetup open /dev/nvme#n#p# luks1 to decrypt the partition
parted -ls
mount /dev/mapper/vg_thinkpad-lv_root /mnt Change volume group name
mount /dev/mapper/vg_thinkpad-lv_home /mnt/home Change vg name
mount /dev/nvme#n#p# /mnt/boot Change device and partition numbers
mount /dev/nvme1n1p1 /mnt/boot/efi Change device and partition numbers
for i in dev dev/pts proc sys run; do mount -B "/${i}" "/mnt/${i}"; done
chroot /mnt
We are now inside the installed system, not the live environment
cat /etc/crypttab Confirm UUID matched blkid output above
```
# cat /etc/crypttab
luks1 UUID=0000000 none luks
```
if /etc/crypttab does not exist create it

Next, confirm the / root partition UUID matches the Pop_OS UUID in /boot/efi/EFI/Pop-OS*

# grep "$(ls -d /boot/efi/EFI/Pop_OS-* | cut -d '-' -f2-)" /etc/fstab
UUID=3333333333  /  xfs  defaults  0  0

Confirm you have /, /boot, /boot/efi, /home and swap partitions in /etc/fstab

# cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
#           
PARTUUID=44444  /boot/efi  vfat  umask=0077  0  0
UUID=55555  /boot  xfs  defaults  0  0
UUID=666666  /home  xfs  defaults  0  0
UUID=3333333333  /  xfs  defaults  0  0
/dev/dm-2  none  swap  defaults  0  0

if swap in /etc/fstab does not show UUID, you can obtain it via the command: blkid | grep swap, now update swap line in /etc/fstab
As of kernel 5.11.0-40-generic there’s a ~45-second pause at boot while the system tries to find a non-existent resume device, so we’ll disable resume.
Create the file /etc/initramfs-tools/conf.d/noresume.conf with contents:
```
RESUME=none
```

If you want to mount /tmp as tmpfs (ramdisk) then:

ln -s /usr/share/systemd/tmp.mount /etc/systemd/system/
systemctl enable tmp.mount

Add timeout to UEFI boot loader

Reboot. Spam your spacebar for the menu. Select with arrows, add timeout with “t” or reduce with “T” (+/- also work), select default with “d”. Hold “l” to boot linux after POST or “w” to boot Windows after POST without visiting the menu.

A network interface may not specify both a network interface ID and a subnet

2022-07-23T00:00:00+00:00

Overview

This post will talk about error: Launching EC2 instance failed. Status Reason: A network interface may not specify both a network interface ID and a subnet on an AWS auto scaling group (ASG), see screenshot below:

What happened?

I had recently learned a you can set an ENI ID in a launch template (this was new information to me).

Before I became aware of this whenever I wanted my EC2 instances to keep the same private and public IP addresses after replacing said EC2 instances I would create the Elastic Network Interface (ENI) separately from the launch template and ASG, allow instances to describe ENIs and attach them to themselves (you can imagine this turns into a complex IAM policy), have scripts readily available in the instance to find the ENI, attach it to themselves and make this ENI the primary network interface.

All the above to say, when I learned I could set the ENI directly into the launch template I was happy I could simplify my setup. I still needed to create the ENI outside the launch template and ASG, which I was already doing. This meant I could update my current stacks and simplify them.

Lets test in a sandbox environment

I updated my pulumi modules and made the new versions available to use.

I apply the changes running pulumi up -s , I get an error saying something like cannot use vpc_zone_identifiers in an ASG that uses a launch template with assigned ENIs

I change my pulumi modules again and replace vpc_zone_identifiers with availability_zones, made new version available to use.

I apply the changes running pulumi up -s , this time the change went through! :D

In this scenario, I was updating an ASG that manages only 1 EC2 instance. I try to refresh the instance in my ASG and I notice it is taking a while for a new instance to show up, I decide to go look in Activity and see the error:

Launching EC2 instance failed. Status Reason:
A network interface may not specify both a network interface ID and a subnet

Which reminded me of the error about not being able to use vpc_zone_identifiers and I had to replace that parameter with availability_zones, I looked in the Details tab and noticed under Network I had values in both Availability Zones and Subnet ID

I asked a co-worker for help and they assumed we should be able to wipe the subnet IDs from the ASG using the aws cli.

We tried:

Passing only avalability zone without any subnet id, the subnet id stayed
Passing avalability zone and empty subnet id, threw an error
Passing avalability zone and , as the value for subnet id, no error but the subnet id stayed
Change subnet id to a subnet id in a different availability zone than the one we want to use and then pass only the availability zone we want to use, that threw an error

At this point, we assumed the ASG was in a state we would not be able to get it out from, we decided to replace the ASG

pulumi up --replace '**aws:autoscaling/group:Group::my-stack' -s 

New ASG had values under Availability Zones and no values under Subnet ID and a new instance was provisioned with the same ENI we were using before

Deploy Umami website analytics on Heroku via container

2022-07-17T00:00:00+00:00

Requirements

A Heroku Account
Heroku CLI
A docker runtime
- Docker Desktop
- docker cli + colima

Initial App Setup

Login to your Heroku Account
From the dashboard page click New > Create new app
Choose an App name and then click Create app

Database

Navigate to the Resources tab and click on the Find more add-ons button
Search for Heroku Postgres and follow its instructions to install the add-on
The add-on will set the DATABASE_URL automatically; you should not have to manually set it
You will need to set up the database tables by following the Create database tables section of the Install docs
You can find temporary connection details by following the Resources > Heroku Postgres > Settings > Database Credentials path

Deploy

Under the Settings > Config Vars section, set the HASH_SALT environment variable. Read the Install section for information about the HASH_SALT environment variable.

$ heroku login
heroku: Press any key to open up the browser to login or q to exit:
Opening browser to https://cli-auth.heroku.com/auth/cli/browser/
Logging in... done
Logged in your@email.com

docker login to heroku repo

$ heroku container:login
Login Succeeded

Pull latest postgresql umami version

docker pull docker.umami.is/umami-software/umami:postgresql-v1.33.3

Tag the container image with your app-name and process-type should be web

docker tag docker.umami.is/umami-software/umami:postgresql-v1.33.3 \
  registry.heroku.com//web

Push the container image to heroku
```
docker push registry.heroku.com//web
```

Create a new release so the new image is promoted

$ heroku container:release web -a 
Releasing images web to ... done

Once the release has finished, the website should be live. Follow the Open app button at the top of the dashboard to view it
Follow the Getting started guide starting from the Login step

How to VPN connect between Azure and AWS GovCloud Transit Gateway with Managed Services

2020-02-05T00:00:00+00:00

I want to thank Jun Kudo for their post, this all started learning from their post.

TL; DR

If you don’t want to read and just want to get it done, go here: janky-stuff/cloud/ipsec-between-azure-aws

Follow instructions there and run:

AWS_PROFILE=your-profile ./create_ipsec.sh --azure-cidr  \
  --azure-ip  --azure-ip  \
  --azure-location eastus --azure-resource-group  \
  --aws-cidr  --aws-vpc-id 

If you want to know details continue reading

Assumptions

AWS Side

You already have VPC(s)/subnets/route tables
You already have a transit gateway setup with VPCs and/or VPNs

Azure Side

You already have a Virtual Network
You already have a Gateway Subnet
You already have a Virtual Network Gateway with a public IP address

Note: if you don’t already have any resources listed in this section, I recommend you follow Jun Kudo’s instructions

The actual thing

1. Create customer gateway

Get the public IP addres for the Azure Virtual Network Gateway:

Create a static customer gateway

2. Create a VPN Connection

Parameter	Value
`Target Gateway Type`	`Transit Gateway` (existing transit gateway)
`Customer Gateway`	The one you just created
`Routing Options`	`Static`
`Static IP Prefixes`	Azure’s Virtual Network CIDR

Under Tunnel Options select Edit Tunnel 1 Options and Edit Tunnel 2 Options and use the options below for both tunnels:

Parameter	Value
`Phase 1 Encryption Algorithms`	`AES256`
`Phase 2 Encryption Algorithms`	`AES256`
`Phase 1 Integrity Algorithms`	`SHA2-256`
`Phase 2 Integrity Algorithms`	`SHA2-256`
`Phase 1 DH Group Numbers`	`14`
`Phase 2 DH Group Numbers`	`14`
`IkeVersion`	`ikev2`
`Phase 1 Lifetime (seconds)`
`Phase 2 Lifetime (seconds)`
`Rekey Margin Time (seconds)`
`Rekey Fuzz (percentage)`
`Replay Window Size (packets)`
`DPD Timeout (seconds)`

3. Obtain Pre-Shared Key and Public IPs

After the VPN is created, download its configuration.

This file will have 2 Pre-Shared Keys, 1 per tunnel.

Public IPs will be in Tunnel Details

4. Create Local Network Gateways

Create 1 Local Network Gateway per Tunnel, with the settings below:

Local Network Gateway	IP Address	Address Space
`aws-tunnel-01`	Outside IP Address for tunnel 1	AWS CIDRs you want Azure to have access to
`aws-tunnel-02`	Outside IP Address for tunnel 2	AWS CIDRs you want Azure to have access to

Note: aws-tunnel-01 and aws-tunnel-02 are suggested names, you may use whatever nomenclature you prefer.

5. Create Connections

Go to your existing Virtual Network Gateway in Azure and add 1 connection per Tunnel:

Settings should be similar to the ones below:

Connection Name	Connection Type	Local Network Gateway	Pre-Shared Key
`aws-tunnel-01`	Site-to-site (IPsec)	`aws-tunnel-01`	key for tunnel1
`aws-tunnel-02`	Site-to-site (IPsec)	`aws-tunnel-02`	key for tunnel2

Note: aws-tunnel-01 and aws-tunnel-02 are suggested names, you may use whatever nomenclature you prefer.

6. Configure Azure Connections IPSec Policy

I couldn’t find the following in the Azure Web Console, so I performed it using the cli.

7. Repeat this process per connection

Connection has no IPSec policy

$ az network vpn-connection ipsec-policy list \
  --resource-group  --connection-name 
[]

Add IPSec policy to connection

az network vpn-connection ipsec-policy add \
  --resource-group  --connection-name  \
  --dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA256 \
  --ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group PFS2048 \
  --sa-lifetime 3600 --sa-max-size 1024

Verify Connection has IPSec Policy

$ az network vpn-connection ipsec-policy list \
  --resource-group  --connection-name 
[
  {
    "dhGroup": "DHGroup14",
    "ikeEncryption": "AES256",
    "ikeIntegrity": "SHA256",
    "ipsecEncryption": "AES256",
    "ipsecIntegrity": "SHA256",
    "pfsGroup": "PFS2048",
    "saDataSizeKilobytes": 1024,
    "saLifeTimeSeconds": 3600
  }
]

Note: Azure CLI page

7. Tunnels should be up

AWS

Azure

8. Add Azure CIDR(s) to Transit Gateway Route Table

At this point Azure Resources within the Virtual Network associated to your Virtual Network Gateway know about AWS CIDRs, thanks to Local Network Gateways.

Add Azure CIDRs to Transit Gateway Route Table:

9. Add Azure CIDR(s) to AWS VPC Route tables

Now add Azure CIDRs to AWS VPC Route Tables and point them to the transit gateway

10. You’re done

Let me know if you know of a better way to do this!

Notes

BGP Issues

As of February 4, 2020. BGP peering seems to not be possible between AWS and Azure due a conflict with 169.254.0.0/16, Azure specifically states it does not allow this range in their virtual network

On the AWS side, 169.254.0.0/16 is used as the Inside IP CIDR in a VPN Connection. At least someone provided feedback to Azure on how to improve their Networking, see azure feedback

If someone figures out how to setup BGP between Azure and AWS, please let me know.

GovCloud VPN minimum requirements

You’ll know them after you download the VPN’s configuration:

Category "VPN" connections in the GovCloud region have a minimum requirement of
AES128, SHA2, and DH Group 14.

Virtual Network Gateway Healthprobe

Azure offers a healthprobe for Virtual Network Gateways that follows this format https://:8081

Troubleshooting Tunnels

AWS gives no logs for their VPN Connections they only provide metrics for them.

Azure on the other hand gives you some indicators in the connection’s Resource health section:

Mismatched IKE version showed this message on Azure

Mismatched algorithms showed this message on Azure

Make impostor syndrome your best friend

2018-03-14T00:00:00+00:00

If you are like me, a lot of times you doubt yourself and how capable you are at doing your job, no matter how hard you have pushed yourself, no matter how much anyone has told you how good you are.

You could be like:

"Hey guys, I did this thing because I was asked to do X,
but I recognized the person's problem was Y, so I just went ahead and made
something that helps this person but could also help more people and that is
why I'm telling you guys about it"

People see it

People tell you:

"This is so awesome, I never thought about this in this way, YOU ARE SO AWESOME"

You hear this and then impostor syndrome kicks in and tells you all the things that are wrong with your approach and all the time it will take you to make something that is better

Then you start telling people how awful your thing is because you just now realized how terrible it is.

If I am describing something you’ve felt, I’ve felt it too, you are not alone.

For the longest time, I thought impostor syndrome was an asshole who didn’t wanted me to ever be happy about anything I did or accomplished, but I was wrong.

I never took the time to actually think through what my impostor syndrome was actually trying to tell me.

"Hey, dude. Set expectations, communicate clearly, it might be a good idea to
tell people the use cases in which your thing may not work or the time/effort it
would/will take to make your thing do what they want."

My impostor syndrome, was trying to make me a better engineer, but I never allowed it to take over and let it "drive" for a little bit. See things from his point of view.

I never actually realized that the impostor syndrome WAS ME.

Me trying to be better. Me trying to get better. Me trying to improve. Me trying to empathize with someone. Me trying to be selfless and helpful. Me trying to work better with others. Me trying SO HARD TO MAKE PEOPLE SEE ME THE SAME WAY I SEE MYSELF.

But now after much thought, I realized I was focusing on the wrong things. I didn’t see the pattern. The pattern was:

Me trying

I never took the time to step back and actually see all the things I’ve achieved because I want to be something more, because I want to improve, because I want to belong, because I want to have a purpose.

But my impostor syndrome knew all this, my impostor syndrome was right there with me, I was never alone in this journey. I always had someone else’s perspective but I never gave my impostor syndrome a chance.

I would like to finish this post with this:

"Give your impostor syndrome a chance, listen to him/her, it is a part of you"

Thanks for reading.

Why I liked “Diet Cig” so much

2018-03-14T00:00:00+00:00

It was 1 sentence

It's hard to be a punk while wearing a skirt from their song “tummy ache”

This sentence made so many things click for me.

In high school, I just wanted to attend a lot of punk rock concerts from local bands In Mexicali, Baja California, Mexico. I remember a lot of my female friends will be "too pushy" or "annoying" for asking us (their male friends) to be at the concert first, or that we picked them up at their home and then go to the event.

I clearly remember being the idiot telling them shit like:

"it doesn't seem fair we have pick you up"

"it doesn't seem fair you always want us (male friends) to be there first before
showing up"

I’m a little sad to say that until now, that I’m in my thirties, just realized how much of an idiot I was. I was missing the context of them being girls in a Mexican city, of course they were not comfortable with other males they didn’t know. I didn’t know about the problems society had with them being high school girls dressing the way we "punks" dressed like, showing skin, skirts, jeans with holes, looking like we didn’t take a bath, among other things.

Anyways, this may not have a lot to do with what the song was about, but it really touched my heart.

Thanks Diet Cig!

Recovering F7D7302 using serial

2014-02-09T00:00:00+00:00

Last year, I was trying to help a friend change his router’s firmware (Belkin Share N300 Wireless N+ Router MiMo 3D & USB Port) to DD-WRT, he tried first and something didn’t work like it should and asked me for help, because I’ve been succesful to make DD-WRT work in other 2 routers (WRT54GL & F7D7301).

After a couple hours I suggested my friend we used tomato firmware instead of DD-WRT becuase tomato has a friendlier interface.

Yeah, right

He accepted and I flashed tomato, I swear I selected to “Reset to default settings”

The problem was that the router stopped working, I have just made a beautiful plastic brick :(

Tried several times the 30/30/30 reset and it didn’t work. We finally gave up on the router and decided to work on it later.

Gettin’ Jiggy wit It

Well, until the past weekend I had the oportunity to look further into this issue, thanks to Scott Gibson I was able to confirm the router’s serial port:

Pin 1: Vcc (3.3V) Pin 2: RX Pin 3: TX Pin 4: Gnd

Thanks to Gtoniser and their post I had the information on how to connect the Raspberry Pi and the router’s serial.

Setup the Pi

First, You have to comment the following line in /etc/inittab

T0:23:respawn:/sbin/getty -L ttyAMA0 115200 vt100

it should look like this:

T0:23:respawn:/sbin/getty -L ttyAMA0 115200 vt100

Reboot the RPi and now we can use the serial port.

How to connect the RPi

Thanks to lavalink for the image

Now we connect these ports to the router (Router should be off) RPi - Router GND <-> GND TX <-> RX RX <-> TX

Listen to the serial

Install minicom in the RPi

sudo apt-get install minicom

Then run minicom on the serial port of the RPi

sudo minicom -b 115200 -o -D /dev/ttyAMA0

Now power on the router while holding Ctrl + C and now the terminal should capture whatever is going in the router, sorry for not providing better looking images.

In this case, the router was stuck verifying something and since it was wrong it rebooted every time it got to that point, the good thing is that now I knew the bootloader was OK and I didn’t need to use jtag. I pressed the space bar to stop the verification and finally got to the CFE prompt. Cleared nvram and reboot

CFE> nvram erase
CFE> reboot

Success

I finally saw the device assigning and IP address to port, I connected a computer to Port 1 and openned 192.168.1.1

TOMATO was up and running, for some reason the hard reset was not doing its thing.

Now F7D7302 is working again :)

P.S. This is how the mess looked like

If you think I might be able to help you out contact me on Twitter

Sources: