Dec 20, 2018

VirtualBox 6.0 released

Today Oracle released VirtualBox version 6.0:

For Linux the following distributions are supported:

So let's install the new version:

# dpkg -i virtualbox-6.0_6.0.0-127566~Ubuntu~bionic_amd64.deb
Vormals nicht ausgewähltes Paket virtualbox-6.0 wird gewählt.
dpkg: Betreffend virtualbox-6.0_6.0.0-127566~Ubuntu~bionic_amd64.deb, welches virtualbox-6.0 enthält:
 virtualbox-6.0 kollidiert mit virtualbox
  virtualbox-5.2 liefert virtualbox und ist vorhanden und installiert.

dpkg: Fehler beim Bearbeiten des Archivs virtualbox-6.0_6.0.0-127566~Ubuntu~bionic_amd64.deb (--install):
 Kollidierende Pakete - virtualbox-6.0 wird nicht installiert
Fehler traten auf beim Bearbeiten von:
 virtualbox-6.0_6.0.0-127566~Ubuntu~bionic_amd64.deb
OK, first uninstall the old version:
# dpkg -r virtualbox-5.2
(Lese Datenbank ... 421401 Dateien und Verzeichnisse sind derzeit installiert.)
Entfernen von virtualbox-5.2 (5.2.10-122088~Ubuntu~bionic) ...
Trigger für shared-mime-info (1.9-2) werden verarbeitet ...
Trigger für hicolor-icon-theme (0.17-2) werden verarbeitet ...
Trigger für desktop-file-utils (0.23-1ubuntu3.18.04.2) werden verarbeitet ...
Trigger für gnome-menus (3.13.3-11ubuntu1.1) werden verarbeitet ...
Trigger für bamfdaemon (0.5.3+18.04.20180207.2-0ubuntu1) werden verarbeitet ...
Rebuilding /usr/share/applications/bamf-2.index...
Trigger für mime-support (3.60ubuntu1) werden verarbeitet ...
And once again:
# dpkg -i virtualbox-6.0_6.0.0-127566~Ubuntu~bionic_amd64.deb 
(Lese Datenbank ... 420583 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von virtualbox-6.0_6.0.0-127566~Ubuntu~bionic_amd64.deb ...
Entpacken von virtualbox-6.0 (6.0.0-127566~Ubuntu~bionic) ...
virtualbox-6.0 (6.0.0-127566~Ubuntu~bionic) wird eingerichtet ...
addgroup: Die Gruppe »vboxusers« existiert bereits als Systemgruppe. Programmende.
Trigger für systemd (237-3ubuntu10.9) werden verarbeitet ...
Trigger für ureadahead (0.100.0-20) werden verarbeitet ...
Trigger für desktop-file-utils (0.23-1ubuntu3.18.04.2) werden verarbeitet ...
Trigger für gnome-menus (3.13.3-11ubuntu1.1) werden verarbeitet ...
Trigger für bamfdaemon (0.5.3+18.04.20180207.2-0ubuntu1) werden verarbeitet ...
Rebuilding /usr/share/applications/bamf-2.index...
Trigger für mime-support (3.60ubuntu1) werden verarbeitet ...
Trigger für hicolor-icon-theme (0.17-2) werden verarbeitet ...
Trigger für shared-mime-info (1.9-2) werden verarbeitet ...
The new GUI has a new submenu for each VM:

If you choose "Logs", you can directly open the log files for this VM:
Very nice feature!



Dec 11, 2018

AWS: Accessing S3 buckets from the internet and from EC2 instances

After reading about endpoints for AWS S3 I was wondering how I can use this feature.

The first step was to create a bucket and just try to access this bucket over the internet:

$ aws s3api create-bucket --bucket my.webtest --region eu-west-1 --create-bucket-configuration LocationConstraint=eu-west-1
{
    "Location": "http://my.webtest.s3.amazonaws.com/"
}
And then I put this location into my browser:


This is as expected, because I did not allow public access for this bucket:


Ok. Let's try this from an EC2 instance:
$ wget http://my.webtest.s3.amazonaws.com/
--2018-12-04 20:09:47--  http://my.webtest.s3.amazonaws.com/
Auflösen des Hostnamen »my.webtest.s3.amazonaws.com (my.webtest.s3.amazonaws.com)«... 52.216.107.108
Verbindungsaufbau zu my.webtest.s3.amazonaws.com (my.webtest.s3.amazonaws.com)|52.216.107.108|:80... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 307 Temporary Redirect
Platz: http://my.webtest.s3-eu-west-1.amazonaws.com/[folge]
--2018-12-04 20:09:47--  http://my.webtest.s3-eu-west-1.amazonaws.com/
Auflösen des Hostnamen »my.webtest.s3-eu-west-1.amazonaws.com (my.webtest.s3-eu-west-1.amazonaws.com)«... 52.218.96.155
Verbindungsaufbau zu my.webtest.s3-eu-west-1.amazonaws.com (my.webtest.s3-eu-west-1.amazonaws.com)|52.218.96.155|:80... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 403 Forbidden
2018-12-04 20:09:47 FEHLER 403: Forbidden.
This was not as expected, but how should my bucket know that this access was from an EC2 instance belonging to the same AWS account?

Let's try to access the bucket with the AWS CLI:
$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".
To get this working you have to add an IAM role to your EC2 instance. So let's create a new role:
Choose EC2:
and AmazonS3FullAccess (this managed policy allows every S3 action on every bucket in the account):
Move on (without configuring tags).

And then attach this role to your EC2 instance:

and choose your new "AccessToS3Role":

After that the AWS CLI works as expected:
[ec2-user@ip-172-31-2-99 ~]$ aws s3 ls
2018-12-04 20:02:11 my.webtest
[ec2-user@ip-172-31-2-99 ~]$ aws s3 ls my.webtest 
2018-12-04 20:23:12        130 website.json
But access via wget is still not possible. This is because the AWS CLI uses the Amazon API to access the keys which come with the IAM role attached to the EC2 instance. wget does not know anything about these keys.

Edit: Finally I got the wget (or better: access without using the AWS CLI) working: https://dietrichschroff.blogspot.com/2019/02/aws-accessing-s3-buckets-from-internet.html
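
What the AWS CLI does with the role keys and plain wget does not, shown as an added example that is not part of the original post: it signs every request with AWS Signature Version 4. The function name `sign_s3_get`, the placeholder credentials and the object path are assumptions for illustration; on an instance, the real temporary keys of the attached role are served by the instance metadata service.

```python
import datetime
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # hash of the empty GET body

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_s3_get(host, path, region, access_key, secret_key, token, now):
    """Return the extra headers for a SigV4-signed GET without query string."""
    # Assumes `path` needs no percent-encoding (true for "/website.json").
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    day = now.strftime("%Y%m%d")
    headers = {
        "host": host,
        "x-amz-content-sha256": EMPTY_SHA256,
        "x-amz-date": amz_date,
        "x-amz-security-token": token,  # mandatory with role credentials
    }
    names = sorted(headers)
    signed = ";".join(names)
    canonical_headers = "".join(f"{n}:{headers[n]}\n" for n in names)
    canonical_request = "\n".join(
        ["GET", path, "", canonical_headers, signed, EMPTY_SHA256])
    scope = f"{day}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key: the secret itself is never sent, only this derived chain is used.
    key = ("AWS4" + secret_key).encode()
    for part in (day, region, "s3", "aws4_request"):
        key = _hmac(key, part)
    signature = _hmac(key, string_to_sign).hex()
    result = {n: v for n, v in headers.items() if n != "host"}
    result["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return result

if __name__ == "__main__":
    # Constructed placeholder credentials; timestamp of the wget run, taken as UTC.
    hdrs = sign_s3_get("my.webtest.s3-eu-west-1.amazonaws.com", "/website.json",
                       "eu-west-1", "ASIAEXAMPLEKEYID", "example-secret",
                       "example-session-token",
                       datetime.datetime(2018, 12, 4, 20, 9, 47))
    print(" ".join(f"--header='{k}: {v}'" for k, v in hdrs.items()))
```

Without these headers S3 treats the request as anonymous, which is the 403 that wget received above.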

Dec 8, 2018

AWS: IAM & security - Best practices: Using a non-root user

After my successful solutions architect practice I knew that I had to take care of my shortcomings in security.
So I decided to visit the IAM (Identity and Access Management) of AWS:

So let's move to IAM users:
Click on "Add user"

Then insert a "user name", choose an access type and click next:

Then you have to create the first group:

I created a group with full AWS access:



Then move on with creating the user:

Additional tags:
And finally click "Create user"
This will show you a page with an AWS management console URL:

Use this URL to log in with the new user:
(I had to change the password - the checkbox "require password reset")

And then I am logged into my AWS Management console with this non-root user:


If you want to log in with your root user, you have to use the link below the "sign in" button:

Dec 7, 2018

Ubuntu: if WLAN is gone after an update and lspci lists no WLAN devices

On my Ubuntu laptop the WLAN networking was gone after an update. The first check was to boot into Windows and check whether the WLAN device is still working:
The WLAN still worked with Windows, so the worst case (hardware error) did not hit me ;-)

So I switched back to Ubuntu and tried the following:

$ lspci -nnk | grep -iA2 net;
02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [10ec:8168] (rev 15)
    Subsystem: Acer Incorporated [ALI] RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [1025:104c]
    Kernel driver in use: r8169
    Kernel modules: r8169
Very strange - the WLAN network adapter was not even listed with lspci!
Another check shows:
$ lshw|grep -iA2 network
WARNUNG: Sie sollten dieses Programm mit Systemverwalterrechten (root) ausführen.
           *-network
                Beschreibung: Ethernet interface
                Produkt: RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
It looks like the hardware controller is missing, but the check with Windows explicitly showed that the WLAN is still OK.

The solution was to run:
apt-get install bcmwl-kernel-source
(after connecting the laptop via Ethernet to my router)

Then the commands showed the WLAN adapter again:
$ lspci -nnk | grep -iA2 net;
02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [10ec:8168] (rev 15)
    Subsystem: Acer Incorporated [ALI] RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [1025:104c]
    Kernel driver in use: r8169
    Kernel modules: r8169
03:00.0 Network controller [0280]: Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter [168c:003e] (rev 32)
    Subsystem: Lite-On Communications Inc QCA6174 802.11ac Wireless Network Adapter [11ad:0807]
    Kernel driver in use: ath10k_pci
    Kernel modules: ath10k_pci, wl

$ lshw|grep -iA2 network
WARNUNG: Sie sollten dieses Programm mit Systemverwalterrechten (root) ausführen.
           *-network
                Beschreibung: Ethernet interface
                Produkt: RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
--
           *-network
                Beschreibung: Kabellose Verbindung
                Produkt: QCA6174 802.11ac Wireless Network Adapter
                Hersteller: Qualcomm Atheros
                Physische ID: 0

I found the following with Google:
https://ubuntuforums.org/showthread.php?t=1411216


So let's try this:
# apt-mark hold bcmwl-kernel-source
bcmwl-kernel-source auf Halten gesetzt.

Dec 4, 2018

Oracle VM Server x86: How to get a redundant network for the heartbeat (part 2)

A while ago I played around with Oracle VM Manager.
I was wondering if I can set up a redundant network for the heartbeat on my VirtualBox playground. My question was: Can I add an additional network and stripe the heartbeat over both networks, or do I have to configure 2 network interfaces and use bonding?

A few days ago I tried to stripe the "Heartbeat Network" over 2 networks, but this failed: Oracle VM Server x86: How to get a redundant network for the heartbeat

Now I tried to configure bonding for the "Heartbeat Network":
The first step is to navigate to "Server and VMs" and change to the perspective "Bond Ports":

Select the bond0 port and add eth1:

Then click OK and after that make a check via the perspective "Ethernet ports":

That was easy.

Conclusion: The heartbeat inside OVM is implemented in such a way that it can only work on the same subnet. It is not possible to use two different subnets for the heartbeat.

Dec 1, 2018

AWS: What services are free of charge? How to control your costs...(part 3)

After looking into my bill (see post 1 and post 2) I was keen to see how fine-grained the cost statistics are inside the AWS web console. So I moved to the billing dashboard and to the Cost Explorer:
This provides you with the following dashboard:
You can play around with the settings to get for example something like this: