Meeque.de – “Die Musik ist aus, und ist immer noch da.”

Shoot yourself in the foot: Docker, Nextcloud & git [en]

I did something stupid again. I noticed it, when I received notifications from my Prometheus monitoring. The probe that sends HTTP requests to my Nextcloud server was failing. Strangely, no other probes were failing. No high load, no memory exhaustion, no filesystem running full.

Manual testing confirmed that all my other web-apps worked as expected, only Nextcloud was responding with 502 errors. It looked like my nginx reverse-proxy could not reach the Nextcloud backend.

I ssh connected into the underlying host, and re-checked the vitals. They looked fine. Next I checked all the Docker containers that run my web-apps. All of them looked fine, except for my Nextcloud container, which was caught in a restart loop. And in the container’s logs, dozens of messages like this one had piled up:

Can't start Nextcloud because the version of the data (31.0.9.1) is higher than the docker image version (31.0.8.1) and downgrading is not supported. Are you sure you have pulled the newest image version?

Kudos to the maintainers of the Nextcloud Docker image! I wish all software had such precise and helpful log messages. At least in my case, this told me exactly what had gone wrong and how to fix it.

Indeed, I had accidentally downgraded to an older image version. I quickly upgraded to the latest one, which fixed the whole problem. Case closed.

Background – doing Docker the weird way

But how had I managed to downgrade my Nextcloud Docker image in the first place? Before answering this, let me share some background…

I’m using Ansible to manage most of my personal IT infrastructure. It’s a rather hybrid setup. It manages everything that runs here on meque.de, but also my laptop computer, some desktop VMs, and a couple of Rapberry Pis. In particular, I’m using Ansible’s community.docker.docker_container module to manage my Docker containers.

When configuring my Docker containers, I’m referencing Docker images by digest rather than by tag. For example, instead of this Docker image reference:

nextcloud:apache

I would use this one:

nextcloud@sha256:11f158050216614d585886600445e0a1b75ee224d6a6dddc5eba996cc9499fa6

This approach gives me more control about what code is actually running on my infra at any given time. I’ve worked with organizations that had policies that mandated this approach. And I was one of the guys who was supposed to encourage the implementation of these policies. Since I like to live what I preach, I started to adopt this policy for my own infra. Also, it kinda aligns with my control-freak tendencies.

There are some benefits to referencing software artifacts by immutable cryptographic identifiers (like Docker image digests) rather than by ephemeral aliases (like Docker tags). If something goes horribly wrong, it can make forensic analysis much easier. E.g. after a vulnerability becomes known for a specific image version – be it caused by neglect or by a deliberate supply-chain attack.

However, I believe that it is far more important to update to new software versions as early as possible. In general, this far more beneficial for information security than compliance to software traceability policies.

Here is the low-tech solution that I use to address trade-off:

In my Ansible IaC I’m maintaining a Docker image catalog (in an Ansible variables file in YAML format). Each image catalogue entry contains:
1. an image repository name,
2. a specific image digest,
3. an image tag that I want to follow.
When configuring a Docker container, my Ansible code references an image catalog entry to specify the image. It only uses repo name and digest (i.e. a and b), but not the tag (c).
I’m also using Ansible to setup Prometheus monitoring for all images in the catalog. Whenever the upstream Docker registry (i.e. Docker Hub) moves a Docker image tag to a new Docker image digest, this will show in my Prometheus alerts dashboard.
(I’m using Skopeo and Prometheus Script Exporter to implement this.)
Whenever I see alerts about outdated Docker image digests, I run a small update script on my Ansible code base. This just walks through my image catalog and updates all image digests (b) so that they follow the desired image tag (c) again.
(This script also leverages Skopeo.)
Then I run my main Ansible playbook, which recreates all Docker containers, based on the new image digest from the catalog. It also adjusts the Prometheus config to match the updated Docker image catalog.
Finally, I check for new Prometheus alerts and do some manual smoke-testing. If I’m happy with the result, I commit the updated Docker image catalog to the git repo that holds my Ansible code.
(If I’m not happy with the result, I can roll back by adjusting the image catalog manually.)

This approach balances my personal needs for control vs timely updates quite nicely. Most of it is automated, but it still requires human interaction.

Root cause & fix

Generally, my Docker image update approach works well. In itself, it was not the root cause of my Nextcloud outage. Instead, I had to make some mistakes on top of it…

In my Ansible git repo, I’m currently working with multiple branches. Recently, I was mostly working on a feature branch to implement new functionality that is not related to Nextcloud at all. However, I did update the image catalog in this branch and I did run it against my production infrastructure. This ensured that all my Docker containers were running up-to-date image versions. So far so good.

Yesterday, I switched back to my default branch, because I wanted to roll out some small improvement that were not related to my new feature. I was planning to merge these small changes into my feature branch later. But first, I ran my main Ansible playbook on the default branch. I had totally forgotten that my default branch contained an outdated version of my Docker image catalog. Once Ansible was done, my Nextcloud container was suddenly running an outdated Docker image version. But as the log messages later showed, Nexcloud does not like to do this (and I don’t blame it). So, we’re finally at the root cause of my Nextcloud outage.

To fix the problem, I simply ran my update script again on the default branch. Since the script is idempotent, it updated my Docker image catalog to the same image digests that I already had on my feature branch. After re-running the Ansible playbook, Nextcloud came up again with no complaints.

Lessons learned

According to my Prometheus metrics, the Nextcloud outage lasted about half an hour. This is not great, and I should be more careful in the future. And I should respond to Prometheus alerts more quickly. But overall, it wasn’t a big deal for a Nextcloud instance that’s just for my personal use.

Maybe I’ll need more automation, testing, rollbacks, etc. in the future. And a dedicated staging environment for all my infra. But for the time being, I’ll just be more careful when switching between branches. Always update the image catalog after switching to a new branch! Or, always update it on the default branch and merge it into all active feature branches afterwards.

I’ve had Nextcloud up and running for almost 2 years now. Afaict, this was the worst outage so far. This is fine.

Kodi on Raspberry Pi: First Impressions [en]

Background

I’ve been living without a proper TV for the past 20 years. Nevertheless, I’m consuming a shitload of video content. Mostly streaming services; the usual suspects. But also select contents from Germany’s public TV stations.

So far, I’ve been watching such videos on my laptop computer – I get a lot of screen-time there, far more than on my phone. I’ve always spent the extra buck on laptops with top notch displays and speakers. Living alone, this has been fine and I never felt the need for buying a TV or a stereo. But now I’ve moved into a bigger place and I’ve been busy buying all sorts of furniture and decor. I think that a big TV screen will ultimately become part of my setup.

Trouble is, I do not like those modern “smart” TVs. I’m almost exclusively using open-source software on all of my devices. And I’m trying to sandbox proprietary software (and software from other dubious sources) in VMs and containers as much as I can. I really hate the idea of having hardware with commercial software and an Internet connection (and probably cameras and microphones) running in my living room.

Kodi to the rescue?

So, the plan is buying a huge (but “dumb”) computer display and linking it up to a Raspberry Pi with some open-source media center software. There seem to be plenty of open-source projects that could do the software part. Yesterday, I started tinkering with one of them: Kodi, formerly known as XBMC.

I did not want to run a dedicated Kodi Linux distribution. Instead, I’m sticking to good old Raspberry Pi OS (previously “Raspbian”). I’m already using this on a few other Pi devices, and I’ve got good automation around it. I’m using Ansible scripts to manage these Pis and a few of other boxes, including my laptop and the servers that host this blog and everything else on meeque.de. These Ansible scripts take care of basic user configuration, ssh access, WiFi connection, software packages, etc.

Luckily, Raspberry Pi OS is based on Debian, and both come with a Kodi package. Or, more precisely, dozens of packages that contain various components of Kodi. So I knew that installing Kodi (and keeping it up to date) wouldn’t be a huge problem.

That said, I’m aiming for a lightweight Kodi deployment, without a full desktop environment. The Pi should simply boot right into Kodi. I was worried that this could be some hassle, but I found this guide that showed how easy it is. Kodi has a dedicated “standalone” mode that can be run from a terminal:

kodi-standalone

So I ssh-ed into the Pi, ran the above command, and the Kodi UI came up on the attached display. (Had to run it as root though, will try to set it up for a less privileged user later.)

Then I followed the same guide and set up a systemd service for Kodi. Just hacked it into my Ansible scripts right away. After reboot, the Kodi UI came up automatically, as desired. This was way more straight forward than I had feared.

Unfortunately, I do not have a USB keyboard at hand right now, but I found an old USB mouse and hooked it up to the Pi. This allowed me having a closer look at the Kodi UI. And getting familiar with some basic Kodi settings. Looks like it’s got all that I would expect from a media server, and I haven’t even tried any fancy add-ons yet. The default theme looks a bit old fashioned (early 2000s style, I reckon) but I bet there’s heaps of alternative out there.

Next I installed the Kore Official Remote for Kodi app on my Android phone. Following instructions in the app, I enabled the remote control HTTP API in the Kodi settings, configured a passphrase, and connected the app to it. Unfortunately, the app does not seem to allow managing the settings of the Kodi server itself. Guess I’ll have to resort to walking over to my Pi and configure Kodi from there. Or, find out how to work with Kodi config files over ssh, and mange them with Ansible…

The hardware – for now

So far, I haven’t settled on my TV hardware. I’m exploring Kodi on old hardware that I still had lying around. Namely an ancient 1600×1200 20″ LCD and a 1st generation Raspberry Pi with a USB WiFi dongle. The Pi only has 0.5 GB of RAM – I was very surprised that the Kodi UI can work with so little memory at all. The CPU is not the fastest either, so the UI feels very slow. Even the mouse pointer has significant lag. And I haven’t even tried playing any fancy media yet.

I’ve already ordered new hardware, which should make further exploration much more pleasant. I’ve opted for a Raspberry Pi 4 Model B with 4 GB of RAM. It’s not the latest model, but it looks like it can be operated with passive cooling. In contrast, active cooling (i.e. a fan) seems to be recommended for the latest Raspberry Pi 5.

What’s next?

I’ll still have a lot of exploration left to do. As mentioned before, I want to manage everything with Ansible asap. Including Kodi settings, Kodi add-ons, and updates. I couldn’t find a dedicated Ansible module for Kodi, so I’ll have to do lots of scripting myself. Let’s see how that will play out…

Ultimately I’d like to see the following capabilities in my new media center TV setup:

Playing media right from Kodi.
Both streamed media from the Internet and locally stored media.
Playing media from my laptop computer over Kodi, to leverage the attached screen and audio system.
There seems to be a myriad of options here, many of them proprietary. I guess a free AirPlay implementation like Shairplay will do the trick.
Using the screen attached to Kodi as a second display for my Laptop computer. This should work over the air using WiFi.
Again, there’s a myriad of options, many of them proprietary or even bound to special hardware. I might be able to use the AirPlay protocol here, too, or have a look at Miracast, Google Cast, etc.
Remote access to the Kodi UI from my laptop. I hope that this could be more convenient and more powerful than a remote control app on my phone.
A free remote desktop protocol should do the trick, maybe good old VNC or even Spice. (The latter is tailored to VM scenarios, not sure it makes sense for remote UI access over the network.)

There might be synergy between some of the above. I’m still hoping to solve most of it using Kodi add-ons. If that does not work out, I’ll have to run additional software next to Kodi. This might mean resorting to a full-fledged desktop environment after all.

If all goes well, I’ll be in the market for a big computer display and matching speakers soon. And for some kind flexible wall-mount, so I can rotate the display to various directions. I want to watch “TV” from the couch, but also work from my table. Who knows, maybe I’ll buy some DVB receiver hardware eventually, and rejoin the insanity that is broadcast television.

I might post further updates here…

Free at Last — XSS Edition [en]

Yesterday my employment contract ended, after more than ten years at a big software company. I feel free now. Weirdly. Cause it’s not like I wasn’t free in my work there. I had a lot of freedom in what I was working on and how I organized my work. And, I was working alongside some great colleagues from all around the world.

I haven’t left on bad terms either. In fact, I might have stayed longer, if it weren’t for some very favorable circumstances. As I’ve written in my good email to co-workers, the company made me an offer that I could not reject. (Not just me, I should mention. Many others got a similar offer, and some accepted it.)

Anyway, this week I finished my last work goal. Well, more of a side-project: I gave a talk about “The Browser’s Same Origin Policy“. For this talk, I’ve shown demos in the XSS Demo App that’s running alongside this blog (as I’ve announced a couple of years ago). For this new talk (but not just for this) I’ve made several improvements to this web-app:

Hosting on two distinct subdomains, in order to demo cross-origin stuff. Here they are:
- https://xss.meeque.de (same as before)
- https://yss.meeque.de (new)
Several stand-alone HTML probes and mocks that the XSS Demo App can interact with. Look for new payload presets that make use of these!
Payload outputs that are based on jQuery code, complementing the existing outputs (pure HTML, DOM APIs, Angular templates). Not sure why I had not added these earlier. Well, under the hood it’s all DOM anyway.
Numerous library upgrades. Most notably, upgraded Angular across several major release versions.
Lot’s of refactoring, which has made it much easier to implement the above improvements. Some of the code is still a little awkward. But I guess that’s what you get when you use a sophisticated framework like Angular for a web application that aims to show-case the intricacies of low-level browser behavior.
And an infinite increase in automated test coverage. Easy to achieve when you start at zero.

There’s also some new ideas that I haven’t implemented yet:

The style library that I’ve used is causing some pain. I’ll either need to fix the integration, or switch to a different one.
Some inline documentation would not hurt. For now, I’m the only one who knows how to use all of the app’s capabilities. Explanations for individual payload presets and payload outputs would not hurt either.
CSP support could be added to show how different policies can help prevent certain XSS attacks.
Saving custom payload presets could be helpful. Browser storage should be sufficient for this. And maybe some import/export capabilities.
Add some serious XSS challenges sounds like fun. Should be easy to implement as payload outputs.

Not sure, if any of this will ever materialize. I’m free for this kinda stuff now, at least for the next couple of months. But there’s also some other ideas floating around.

Bobr Kurva [en]

Folk depiction of a beaver, Bavaria, ca. 2015

I’m using the Czech spelling here, rather than the more common Polish Bóbr Kurwa — meaning (nsfw) and pronunciation are much the same anyway. It’s just because this has happened in Czechia recently:

V okolí Padrťských rybníků v chráněné krajinné oblasti Brdy postavil bobr hned několik hrází a vytvořil tak přírodní mokřad. Právě takový chtěla v místě vybudovat i správa chráněné krajinné oblasti.

My attempt at a translation:

In the vicinity of the Padrťské ponds in the protected landscape area Brdy, beavers built several dams, creating a natural wetland. Much like the one that the administration of the protected landscape area wanted to build at the same location.

An English language source pimped it up to this headline:

The government had been planning it for 7 years, beavers built the dam in two days and saved them $1 million

Though I understand the language, I do not follow Czech media regularly. But this story certainly swapped abroad, even into niche media like Fefe’s Blog.

Frankly, for a long time I hadn’t been aware that beavers are still common in the wild in Western/Central Europe. Especially in areas that are densely populated by humans. I mostly knew them from North American movies and documentaries.

Until I almost ran over a beaver on a bike trip, that is! This specimen was foraging along an artificial canal off the Isar river, just south of Munich. But it was quick to disappear into the waterside vegetation after I startled it:

Nouvelle-Aquitaine, Nouvelle Vague [en]

I guess I should not dabble in French wordplay, since I barely know the language. However, my surf trip this year did take me to the Atlantic coast of Nouvelle-Aquitaine and I did get to know many new waves…

…such as « Parlementia » at Guéthary, but more on that later.

Unlike previous years, I was too lazy to keep a detailed surf diary. But I’d still like to share some impressions from the trip. Let’s try a photo-story approach this time…

Bordeaux

I was traveling by train and I decided to have a stopover in Bordeaux, because I hadn’t been there before. No surfing here, but staying at the aptly named Central Hostel, I had some time to walk through the city:

It is said that the grand buildings by the riverfront “provided the model for Baron Haussmann’s 19th-century remodelling of Paris”.

Hossegor

My first surf destination was Hossegor, which has some of the most famous surf spots in Europe. I checked in at Surf Hostel Hossegor, not far from « Plage Centrale ». I had never been to Hossegor before, and I had been wondering whether a place with almost exclusively beach breaks would keep the promise?

I’m happy to say “yes”, it does. The long stretch of beach has a lot to offer. There are several pronounced sandbanks in the area, most reachable on foot or by bike. There was always something that worked, under normal swell conditions. Though most spots seemed to work best at mid-tide.

It was busy in the line up, but nowhere near as busy as the city beaches of northern Spain or the famous point breaks of Morocco. A Quiksilver pro contest and surf festival was taking place while I visited, but there was always plenty of waves to catch away from the contest location of the day.

There were a few days that were too stormy for surfing, but there wasn’t a single day when it was completely flat. I had to pick bigger boards on smaller days, but this was just right for warm-up.

I mostly left the camera at home when going surfing, but here’s some pics from several walks on the beach and bike trips:

Hossegor’s « La Sud » mostly closing out at high tide, …

Oh, one more thing: There’s heaps of outlet stores in Hossegor’s industrial zone. So I finally managed to get a new wet-suit and some other surfing swag.

Guéthary

For the second half of my trip, I relocated further south. I skipped Biarritz this time, since I had visited there 2 years earlier. Instead I headed to the small village of Guéthary, which is located on the Basque coast, between Biarritz and the boarder to Spain.

I stayed at L’escale, which I learned means “stopover” in French. Well, it was a rather prolonged stopover for me. Here’s some pics of the surf and the village:

Guéthary’s main spot « Parlementia » is rather far outside, making it hard to capture with a telephoto lens.

We did have a couple of down days here, sometimes the sea was too flat, other times it was too stormy. Luckily the hostel rented out bicycles, so I took the opportunity to explore the coast. It’s certainly more versatile than Hossegor’s endless beaches, as my trip to Saint-Jean-de-Luz shows:

The coast south of Guéthary is rather rocky…

On a different occasion I headed north, almost reaching Biarritz:

Uhabia beach to the right is just north of Guéthary, which is located on the hills seen in the back.

Surf-wise, this trip was a mixed experience. I can really have a lot of fun in smaller waves with a big board. But I’m still struggling with bigger and more exciting waves, even when they are fairly clean and not overcrowded. It seems that endurance has become a limiting factor here. Paddling to the right location in shifty peaks, I barely have enough paddling power left for the take-off. And getting out against a couple of whitewater waves, I arrive in the line-up breathless. Well, at least this gives me time to enjoy the landscape;)

The green scenery from behind the beach of Ilbarritz, with the Spanish parts of the Basque country in the distance.
The big hill in the background on the right is located just behind the border town of Hendaye.

Interrail — Voyage, Voyage [en]

Another train trip, this time to the French Atlantic coast. (So, pronounce the title of this post in French, please!) After questionable financial outcome of a similar trip 2 years ago, I gave Interrail another shot.

A train passing through the quaint Guéthary station.

This time, I put more effort into upfront planning and bought the smallest Interrail pass that fit my journey. Here is how it played out:

Product	From	To	Interrail Price *	Regular Price **	Notes

Interrail Pass (4 days in 1 month)			283	0

ICE (train)	München	Stuttgart	0	28
ICE (train)	Stuttgart	Paris	20	100
TGV (train)	Paris	Bordeaux	22	111	fast, but expensive connection, cheapest was 52, average was 80

TER (train)	Bordeaux	St Vincent De Tyrosse	0	33	cheapest was 25
Bus	St Vincent De Tyrosse	Hossegor	0	0	Free tourist bus

Uber	Hossegor	Labenne	28	28	No bus service on Sundays
TER (train)	Labenne	Guéthary	0	8

TER (train)	Guéthary	Biarritz	0	3
TGV (train)	Biarritz	Paris	22	134	cheapest was 92, average was 110
TGV (train)	Paris	Stuttgart	20	134	cheapest was 116, average was 130
ICE (train)	Stuttgart	München	0	25	could have been 0 with my “Deutschlandticket”, but could not find a good connection

Total			395	604

* all prices in EUR, rounded to the nearest, and may include booking fees
** prices may vary based on availability, season, time of purchase, etc.

So, it kinda paid off this time. I paid less then 400 EUR for the whole 4-week trip, transportation-wise. It would have been about 50% more without Interrail. Though admittedly, I did not do too much in-between traveling.

What pisses me off: Most of the trip could have been replaced by return flights MUC to BIQ, or similar. As I’m writing this, such flights go for about 350 EUR, about the same as the long distance segments of my trip. But I bet the flights can be much cheaper, if you book at the right time. I heard that other guests from Germany or Switzerland had paid less than 100 EUR return, with some low-cost airline. Under the current circumstances, it’s shocking that flying is still so cheep!

Then again, I find traveling by train more pleasant than flying. I’m a tall guy, so I appreciate extra leg room and the occasional walk to the bistro car. And, using my laptop computer without needing a chiropractor afterwards. The high-speed trains (DB ICE and SNCF TGV InOui) had great Wifi-Internet, too, and I found a recent Futurama season in the ICE media library.

Overall, everything worked out pretty well this time. Almost no delays and I made all my connections. Even changing to the train on the other side of the platform in Stuttgart within a 9 minute window. (Looks like construction work on the tracks means that there are no direct trains between Munich and Paris currently, and the ÖBB NightJet that otherwise services this route is temporarily suspended.)

Of course, international travel can still be confusing:

Warning: This route crosses through Austria [en]

Well, thanks for the warning, Google Maps:

Now I’m wondering: Do you know something about Austria that I’m not aware of? Or are you just upset about Austropop, après-ski, Opernball, and what happened in Braunau?

I should mention that I was planning a car trip from Munich to the Friuli region. (Shout-outs to Lago 3 Comuni Camping.) Any route that does not cross through Austria would have been at least four times longer.

Morocco — Surfing the Land of Rights [en]

Just returned from one of my yearly surf-trips, this time revisiting Morocco. Here is some old pics, from when I visited there back in 2011:

Unlike last year in Iberia or the year before that in Zanzibar, I only had four weeks. So I wanted to do less sight-seeing and traveling, and focus more on the surfing part. I also took fewer photos, so I’ll make it short this time.

Nov 19th, Week One, Tamraght

Like back in the day, I first headed to the area of Taghazout, a small coastal town north of Agadir. I had booked one week at CLI Surf, in the nearby town of Tamraght. A lot had changed here since my previous visit. The long beach that stretches from Taghazout south to Devil’s Rock is still there. Back in the day, the area between the beach and Tamraght had been a barren wasteland. Now it’s packed with hotel resorts and other tourism infrastructure, marketed as “Taghazout Bay”. Even the main road through Taghazout has been rerouted in order to accommodate some of the resorts. And there is a frickin’ golf-course further up the hillside.

The good thing is that Taghazout and Tamraght have kept some of their old charm. There’s definitely more touristy cafés, restaurants, souvenir shops and surf rentals everywhere. But there’s also ordinary produce stores, and most establishments seem to be small, locally owned business. Also good: public beach access is still possible everywhere. There’s a nice beach promenade just behind the beach at Taghazout Bay, and even more remote beaches are equipped with waste containers.

Which is good, because we had to drive to all sorts of spots to catch some waves. The first two days, we had decent swell, just right for warm-up. After some white-water and loads of close-outs on day one, day two was actually pretty fun. Sadly, the swell got smaller for the rest of the week, which meant that I was stuck on 8 foot foamies. But the CLI surf crew did a good job at finding the right spots, where some surfing was still possible.

A couple of days we ended up at the main beach in Agadir. Which was surprisingly nice and accessible, even though they’ve had big hotel resorts for ages there. Could not notice any severe pollution from the nearby industrial port either.

One day we even drove all the way south to Tifnit, which is sill the lovely fisherman’s village that it used to be. No large-scale tourism development yet, though I noticed a couple new inns and cafés:

Nov 26th, Week Two, Tamraght

I decided to stay in Tamraght for another week, but I moved over to nearby Mint Surf. Being a slightly smaller place, they could offer a more flexible surf-guiding package. Plus they made me a good offer for a nice double room all for myself.

Since the swell had picked up a little, I chose a 7′8″ board for most of the week. The first day, we went to Banana Point which had just the right size of waves. Unfortunately, it was also very crowded. One of my fellow guests just folded after a short while in the line-up. Everyone was dropping in on everyone else in the line-up. Party waves, as someone else would later call it. However, I caught some left-over waves a little further down from the main peak.

That’s why we mostly headed for beach-breaks for the rest of the week. Later that day, we went just north of Devil’s Rock, and we also had some good waves at Anza and KM11. As the title of this post says, Morocco is the land of right handed point-breaks. However, I did not get a chance to ride many of them. Anchor point was either too small, or too big, or too crowded. Boilers is still too sketchy for me, though it looked doable on one of the smaller days. We tried Killers once, which used to be my favorite spot on previous Morocco trips. The scenery bellow the cliffs is still stunning, but we weren’t lucky with the waves. Was just too soft after the tide started rising. Well, at least it wasn’t too crowded.

Towards the end of the week, the swell was getting smaller again, well below one meter. So we went to good old Tamri Beach. This beach lies perpendicular to the prevailing swells rolling in from the north-west, so it gets waves even when most other spots are flat. According to locals, the sand-banks there are not what they used to be, and in deed I struggled reading the waves there. The strong side-shore wind — and resulting current — didn’t help either. The next day the wind had calmed down, but it was rather cold and it was raining most of the time. I love being out there in the rain, but it was also very exhausting. Did not catch a single decent wave that day.

It was the only day of rain during my whole stay in Morocco. It wasn’t heavy rainfall, but it was steady. And it transformed the landscape thoroughly. All the gullies that lie dry for most of the year turned into muddy streams. There isn’t much vegetation to hold back the dirt, so some stretches of the coastal waters turned quite muddy. Check out these pics from Tamri and our drive back to Tamraght:

The last day of the week the swell was even smaller, so I grabbed an 8 foot soft-board, and joined in with the beginner’s lessons. They went to a beach break called One Palm, a little north of Taghazout. While the beginners got busy in the white-water, me and a couple of other guests paddled out. Looked like the waves were closing out mostly, but after a while we figured out the spot. I got some really nice rides, mostly rights, but also some lefts. At around one meter, the waves were just right for the big board. I could catch a lot of them, with no risk of nose-dives and no hassle paddling out again. Certainly the most fun session so far.

Dec 3rd, Week Three, Imsouane

I wanted to see something new after all, so I relocated to Imsoune for a week. It’s not much further north than Tamri beach, but it’s about an hour more to drive. The road does not follow the coast-line, but passes a small mountain-range and continues further inland. The Souk to Surf shuttle is a convenient travel option here.

I’ve always liked this stretch of road. The landscape is rough and barren, and makes the sea seem all the bluer. Although after the recent rainfall, the land looked just a wee bit greener. This may also be the reason why I didn’t see any of the iconic tree-climbing goats that can usually be spotted along the road. I guess they prefer fresh shoots of grass over thorny Argan Trees, if they have the choice.

I stayed at Auberge Tawala, which I can definitely recommend. It’s a small family business and the rooms are much simpler than the ones at Mint or CLI. But they are located right on the cliff in front of Cathedral Point, with direct beach access. They have a super-cozy terrace with a good view of the line-up:

Imsouane does not have as many surf spots as the Taghazout area, only two major ones. The good thing is that these are just a short walk away from anywhere in town. The more famous spot is called Imsouane Bay, or simply The Bay. It’s a long right-handed point break that peels around Imsouane’s peninsula, all the way from the busy fisherman’s port to the endless beach inside the bay. In the right conditions — low tide, with a decent swell from the north-west — you can ride hundreds of meters.

However, the wave can get rather soft in some sections. That’s why you’ll meet a lot of long-boarders there, who have it easier to stay on the wave. Consequently I picked a 9 foot hard-top for this spot. However, I made the mistake to stay at the busy main peak for too long. The stiff competition and the occasional clean-up set make it hard to catch waves there. Instead you can simply let yourself drift further down the wave and catch whatever leftovers roll through. Eventually, you’ll end up on the beach. Then it’s walk back, paddle out, and repeat. Took me a couple of days to learn how to apply this procedure efficiently.

Here’s some pics from Imsouane Bay:

The other surf spot, Cathedral Point, is all the way at the other side of town (right by Auberge Tawala, where I was staying). It’s also a right-hander, but much shorter than The Bay. In certain conditions a small left-hander further down the beach also worked quite well.

Main trouble here was the crowds once-again. It wasn’t as many surfers as over at The Bay, but there the crowds would spread out over the sheer length of the wave. At Cathedral, everyone was sitting in the same spot and dropping in on each other. In particular on smaller days, when I would be surfing an 8 foot softy.

On one of the bigger days, the waves reached about 2 meters, which deterred the big crowds. And the handful of surfers still in the line-up knew to play by the rules. I tried my luck with a nice 7′8″ mini Malibu. It was an awesome ride compared to the bigger boards I’ve used most of the time. And I did indeed catch a couple nice waves. But it was hard work paddling out and fighting the moderate current. I guess my endurance was the limiting factor here.

Here’s some pics from Cathedral Point and its surroundings:

Altogether, Imsouane is as packed with tourists as Thaghazout. But the large-scale tourism developments are still absent here. And everybody is here for the surf. This gives Imsouane a more laid-back vibe.

Dec 10th, Week Four, Tamraght

Nevertheless, I relocated to Mint Surf in Tamraght for the last week of my trip. Unfortunately, I fell sick and had to skip three days of surfing. The day after, I still felt super weak and opted for a mellow soft-top session at One Palm. I could barely stand upright on dry land, but the surf was super fun once again.

The remaining days were so flat that we could barely find surfable waves. One day we ended up at KM11, the next day we drove all the way north to Imsouane. The Bay did not look promising, so we tried the left-hander near Cathedral Point. This worked surprisingly well for about half an hour, but then it just went too soft. In the end we relocated to Tamri, which once again kept the promise as a reliable spot for smaller swells. I struggled with my 7′8″ hardtop, but in the end I caught a couple strong waves. A good conclusion to my trip.

I have not taken many photos during the last week, but here is some impressions from Mint Surf, Taghazout by night, and the beach front and hotels near Tamraght:

New OpenPGP Key [en]

I’ve been using OpenPGP for email signing (and very rarely for email encryption) for ages. In fact, the key that I’ve been using so far is from 2001:

Key ID: FA817B97927965CA
Fingerprint: E434 42D9 61CA EABF D4BF 36AC FA81 7B97 9279 65CA

This key (actually two sub-keys, one for signing, one for encryption) has a fairly low size by today’s standards. I’ve been aware of this for ages, but I’ve also been too lazy to roll out a new key. Well, until today. So, here is the new one finally:

Key ID: AA3FBEFBE3D75E3B
Fingerprint: 956F 3271 E9B2 8A45 A03C 35F1 AA3F BEFB E3D7 5E3B

It’s also signed with the old key, so if you trusted that, you can trust the new one, too. I’ve already configured my email client to use the new key from now on. And I will mark the old one as expired or revoked eventually…

One reason that I’ve been putting off key-rotation for so long: using OpenPGP, GnuPG, and similar has always seemed such a hassle. And I’m afraid that this has not improved much in the year 2023. Today, I’ve been wrestling with crashing CLI and desktop tools for OpenPGP, numerous error messages, discontinued key servers, etc. Yes, I know that SHA1 is considered insecure. But why should its use in the signatures on my old key keep me from using the old key to sign the new key? This is all still way too frustrating…

Shoot yourself in the foot: crypttab edition [en]

I’m running Ubuntu on my laptop, using the standard disk-encryption that the Ubuntu installer provides. (Well, the one it provided a couple of years back, when I last installed from scratch.) This setup uses cryptsetup with LUKS on the main partition. This in turn contains an LVM physical volume, which contains a volume group with two logical volumes: one for root, one for swap. So far so good.

Problem

Two days ago, I let my laptop run out of power. But when I restarted it, I wouldn’t get the usual prompt asking me for the disk-encryption passphrase. Instead the Ubuntu startup screen would just show a wait animation for several minutes and then drop me to the initramfs shell (BusyBox). One of the error messages complained that it couldn’t find the expected logical volume with the root filesystem. I had no idea why, so I suspected (wrongly) that some recent Ubuntu update broke something.

Workaround

I fired up my phone and my work laptop and started searching for solutions. At first, I couldn’t find any good advice. So I resorted to my work laptop for a couple of days and waited until the weekend would give me more time to deal with this.

And indeed, today I found a great solution to my problem. Unlike other suggestions elsewhere, it didn’t even need to run a live Linux distro. All I had to do was wait until the Ubuntu boot dropped me to the shell and then decrypt my main partition. In my case, this command did the trick:

$ cryptsetup open /dev/nvme0n1p3 crypt-disk

I entered my passphrase when prompted, then ran exit and the boot process continued normally.

Solution

But I still didn’t know what was going on. And I was pretty sure that the same thing would happen on the next boot. Suspecting broken packages, I first ran an apt upgrade, but I didn’t see anything suspicious. Then I went back to this other proposed solution, which recommended running update-initramfs. When I did, I got this:

$ sudo update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.15.0-78-generic
cryptsetup: WARNING: target 'crypt-disk' not found in /etc/crypttab

And indeed, the respective entry (which had always been there) was missing from my crypttab file. So I added the following:

# <target name>	<source device>		<key file>	<options>
crypt-disk UUID=e6d0b181-b36f-4833-b87d-c5c4946f88e7 none luks

When I ran update-initramfs again, I got no more warnings. So I took my chances an re-booted, and … it worked!

Root Cause

But how did the crypt-disk entry disappear from my crypttab in the first place? It dawned on me immediately:

I’m using Ansible to manage my boxes, including my laptop. I also use it to manage crypttab entries for some encrypted external USB disks. But I do not manage the crypt-disk entry in the crypttab file with Ansible — I just stick with whatever the Ubuntu installer has given me.

This isn’t a problem per-se. The Ansible crypttab module only manages individual entries, not the whole crypttab file. It leaves manual entries in peace. But a couple of weeks ago, I did some manual testing and deleted the crypttab file. Just wanted to verify that the next ansible-playbook run would fix everything. And yupp, it worked.

But I totally forgot that I had manual entries in the crypttab file. When checking the results of the playbook run, I didn’t realize that something important was missing. And the problem only manifested weeks later, when I booted my laptop.

So in the end it was all my fault. Nothing to blame on Ubuntu, as was my first instinct. Also: I should reboot more often.