DikapediaV2 - User contributions [en]

Du

2026-03-12T02:35:18Z

Ardika Sulistija:

du - estimate file space usage. Summarizes disk usage of each FILE, recursively for directories.

The two commands (df & du) reports their figures from different sources, and changes to the filesystems are not always considered in the same way.

The disk free command (abbreviated to "df") is the standard Linux/Unix command used to display available disk space for the file systems. The "df" command uses the statvfs() system call and asks the file system for the current space statistics. This information is obtained directly from the filesystem superblock, so only the whole values for the filesystem and not individual values for a single directory can be retrieved. The "Used" value amount reported includes files that are still held open by processes and in memory, but are no longer on the volume as mentioned above in the possible causes. These files would be flagged as "deleted" in the output of the "lsof" command, and the space consumed by these files will only be released once the process is no longer running.

The "df" command returns results quickly but not always accurately, where the "du" command takes longer, but is far more accurate representation of the persisted file system.

The disk usage command (abbreviated to "du") will display the file space allocated to each file and directory contained in the current directory. Links will be displayed as the size of the link file, not what is being linked to; the size of the content of directories is displayed, as expected. This reports allocation space and not the absolute file space on the the file system.

The "du" command interrogates the properties of existing files on the disk (volume) and does not include those files present in memory, thus it is a far more accurate.

====How To Use Du====
----

The [[Df|Df]] command lets you know how much space is used by each file system, but even then, you still need to figure out what is consuming all of that disk space. This is where du comes in.

Du can report how much disk space is consumed by each directory. When piping it to sort command, you can see which directories consume the most disk space.

A good method is to save the results in /tmp (if there’s is enough space) so you can refer to the output multiple times and not have to rerun du.

Du command will not output anything to the screen but instead it creates a sorted list of which directories consume the most space and outputs the list to /tmp/duck-root.

If you then use tail on that file, you can see the top ten directories that use space:
$ cd /
$ sudo du -ckx | sort -n > /tmp/duck-root

$ sudo tail /tmp/duck-root
67872 /lib/modules/2.6.24-19-server
67876 /lib/modules
69092 /var/cache/apt
69448 /var/cache
76924 /usr/share
82832 /lib
124164 /usr
404168 /
404168 total

As you can see, /usr is taking up the most disk space, then /lib, then /usr/share, etc...
*Note that the output separates out /var/cache/apt and /var/cache, so you can tell that /var/cache/apt is the subdirectory that consumes the most space under /var/cache.

=====If you just want to see the total du of a directory:=====

$ du -sh /home/ec2-user
28K /home/ec2-user

$ du -sh /home/
32K /home/

$ sudo du -sh /var
82M /var

=====If you want to display the biggest directories in the current working directory, run:=====
# du -a | sort -n -r | head -n 5

Another method:
* du -h → shows disk usage in human-readable format
* --max-depth=1 → only checks top-level directories
* sort -hr → sorts largest first
* 2>/dev/null → hides permission errors
[ec2-user@ringroadlimo var]$ sudo du -h --max-depth=1 / 2>/dev/null | sort -hr
20G /
19G /var
1.6G /usr
91M /boot
36M /etc
25M /run
5.1M /home
120K /opt
40K /root
4.0K /tmp
0 /sys
0 /srv
0 /proc
0 /mnt
0 /media
0 /local
0 /dev

=====If you want to find out top biggest directories under /home partition:=====
# du -a /home | sort -n -r | head -n 5

=====If /var/log is huge or you just want to quickly free up some space=====
# sudo journalctl --vacuum-time=7d

2025-12-11T18:48:50Z

Ardika Sulistija:

SSL / TLS

2025-12-11T18:48:10Z

Ardika Sulistija:

ADD NOTES:

What Happens in a TLS Handshake?: https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
Good Video: https://www.youtube.com/watch?v=T4Df5_cojAs

====What is SSL?====
----

How Does SSL Work?: https://www.cloudflare.com/learning/ssl/how-does-ssl-work/

SSL stands for Secure Sockets Layer. A protocol for encrypting and securing communications that take place on the Internet. SSL was replaced by an updated protocol called TLS (Transport Layer Security) some time ago, but "SSL" is still widely used for this protocol.

Main purpose: Securing communications between a client and a server, but it can also secure email, VoIP, and other communications over unsecured networks.

=====These are the essential principles to grasp for understanding how SSL/TLS works:=====

* Secure communication begins with a TLS handshake, in which the two communicating parties open a secure connection and exchange the public key
* During the TLS handshake, the two parties generate session keys, and the session keys encrypt and decrypt all communications after the TLS handshake
* Different session keys are used to encrypt communications in each new session
* TLS ensures that the party on the server side, or the website the user is interacting with, is actually who they claim to be
* TLS also ensures that data has not been altered, since a message authentication code (MAC) is included with transmissions

With TLS, both HTTP data that users send to a website (by clicking, filling out forms, etc.) and the HTTP data that websites send to users is encrypted. Encrypted data has to be decrypted by the recipient using a key.

=====The TLS handshake=====

TLS communication sessions begin with a TLS handshake. A TLS handshake uses something called asymmetric encryption, meaning that two different keys are used on the two ends of the conversation. This is possible because of a technique called public key cryptography.

In public key cryptography, two keys are used:
# a public key, which the server makes available publicly,
# and a private key, which is kept secret and only used on the server side.

Data encrypted with the public key can only be decrypted with the private key, and vice versa.

!! During the TLS handshake, the client and server use the public and private keys to exchange randomly generated data, and this random data is used to create new keys for encryption, called the [[#Symmetric encryption with session keys|session keys]].

Asymmetric (Public Key) Encryption
"Hello" + Public Key = "362oy4h2ilef" + Private Key = "Hello"

=====Symmetric encryption with session keys=====

Unlike asymmetric encryption, in symmetric encryption the two parties in a conversation use the same key.

After the TLS handshake, both sides use the same session keys for encryption. Once session keys are in use, the public and private keys are not used anymore. Session keys are temporary keys that are not used again once the session is terminated. A new, random set of session keys will be created for the next session.

Symmetric Encryption
"Hello" + Session Key = "362oy4h2ilef" + Session Key = "Hello"

=====Authenticating the origin server=====

TLS communications from the server include a Message Authentication Code, or MAC, which is a digital signature confirming that the communication originated from the actual website. This authenticates the server, preventing man-in-the-middle attacks and domain spoofing. It also ensures that the data has not been altered in transit.

=====What is an SSL certificate?=====

An SSL certificate is a file installed on a website's [https://www.cloudflare.com/learning/cdn/glossary/origin-server/ origin server].

It's simply a data file containing the public key and the identity of the website owner, along with other information. Without an SSL certificate, a website's traffic can't be encrypted with TLS.

Technically, any website owner can create their own SSL certificate, and such certificates are called self-signed certificates. However, browsers do not consider self-signed certificates to be as trustworthy as SSL certificates issued by a certificate authority.

=====How does a website get an SSL certificate?=====

Website owners need to obtain an SSL certificate from a certificate authority, and then install it on their web server (often a web host can handle this process).

A certificate authority is an outside party who can confirm that the website owner is who they say they are. They keep a copy of the certificates they issue.

=====What is a CSR?=====

Certificate Signing Request (CSR)

A vital component in the process of obtaining your digital certificate for your web server. It is a block of encoded text that contains information about the entity that's requesting the certificate, including the organization's name, domain name, locality, and country.

When an entity desires a digital certificate from a Certificate Authority, it first generates a certificate signing request which includes the entity's public key. The Certificate Authority will then use the details in that CSR to create the final digital certificate that will be issued back to you.

It's important to note the private key associated with the request remains securely with the requester and is never sent out to the Certificate Authority because this insures the confidentiality of that given key pair. Once the Certificate Authority validates the entity's credentials and processes the CSR, the resulting certificate will be returned to the entity and can be installed on all of its server to facilitate secure communications.

=====Is it possible to get a free SSL certificate?=====

Yes. Cloudflare offers free SSL certificates, and there is also [[#Let's Encrypt |Let's Encrypt]].

=====What is the difference between HTTP and HTTPS?=====

The S in "HTTPS" stands for "secure." HTTPS is just HTTP with SSL/TLS. A website with an HTTPS address has a legitimate SSL certificate issued by a certificate authority, and traffic to and from that website is authenticated and encrypted with the SSL/TLS protocol.

Learn more about HTTPS: [https://www.cloudflare.com/learning/ssl/what-is-https/ What is HTTPS?]

=====Another description of how SSL connections work=====

If you've ever connected to a website using an HTTPS connection, you've been part of the public key infrastructure (PKI).

If you want to establish a secure connection to a website like dikapedia.com, you would go into your web browser and type in https://dikapedia.com. Your browser will then go to a trusted third party called the Certificate Authority, and they're going to ask them for a copy of the web server's public key. Then your web browser will pick a long random string of numbers, and it's going to use that as a shared secret key.

So it uses an asymmetric algorithm for bulk encryption, something like AES, as we start transferring data back and forth between your web browser and the web server. But first, you have to get that randomly chosen shared secret key over to the web server securely. And for that, it's actually going to use public key encryption (known as asymmetric encryption.

Now, using the public key that you downloaded from the Certificate Authority, your computer will then encrypt that random shared secret key that you just randomly created.

As an example, let's use a short number like 1234567 as thee shared secret. Once you encrypt that using the server's public key, which anyone in the world has access to, you can then send it over the Internet to the web server. Now, because it is encrypted with the public key, no one on the internet is going to be able to decrypt it unless they have the private key, and the only person who has that private key is the web server.

As we go across the internet, no one can see the fact that we are going to use 1234567 as the shared secret code. Once the web server receives that encrypted cipher text, it is going to use the server's private key to decrypt it and then get it back to that shared secret key that you submitted. Now I can read the plain text and I know the number is 1234567.

So far, this is all using asymmetrical encryption. Up to this point, everything that was done has to do with asymmetric encryption, but now that both you and the web server know the shared secret key, we can switch over and create a symmetric tunnel. To do this, we're going to use something like AES to create a TLS or SSL tunnel over the internet, and then communicate safely and securely through that tunnel to make sure nobody can see the data you're entering. This is going to be able to ensure that we have confidentiality because only we have access to this shared tunnel because we both have that shared secret key. And because the web server is the only device in the entire world that has its private key, you can be assured that only the web server knows who it is and who it claims to be when you sent that code over. This way, we have authentication. You know it's dikapedia.com. This gives us the identity of the server and it also lets your web browser know it can trust me.

If all of that occurs successfully, you're going to see the little padlock in the browser, indicating that you can communicate securely with each other over this encrypted tunnel.

====Let's Encrypt====
----

Let's Encrypt - Free SSL/TLS Certificates, a non-profit certificate authority run by Internet Security Research Group that provides X.509 certificates for Transport Layer Security encryption at no charge. The certificate is valid for 90 days, during which renewal can take place at any time. [Wikipedia]

Let's Encrypt - Recommended to use certbot: https://certbot.eff.org/
https://certbot.eff.org/lets-encrypt/centosrhel7-apache

Bitnami - OR you can use bncert-tool

Let’s Encrypt does the following:
* Confirms that you have control over the DNS domain being used, by having you create a DNS TXT record using the value that it provides.
* Obtains an SSL/TLS certificate.
* Modifies the Apache-related scripts to use the SSL/TLS certificate and redirects users browsing the site in HTTP mode to HTTPS mode.

=====How to install Let's Encrypt with Bitnami's HTTPS Configuration Tool, bncert-tool=====

[+] Generate and Install a Let's Encrypt SSL Certificate for a Bitnami Application 
https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/

[+] Learn about the Bitnami HTTPS Configuration Tool
https://docs.bitnami.com/aws/how-to/understand-bncert/

To run the Bitnami HTTPS Configuration Tool, follow the instructions below:
Download the Bitnami HTTPS Configuration Tool:
wget -O bncert-linux-x64.run https://downloads.bitnami.com/files/bncert/latest/bncert-linux-x64.run
sudo mkdir /opt/bitnami/bncert
sudo mv bncert-linux-x64.run /opt/bitnami/bncert/
sudo chmod +x /opt/bitnami/bncert/bncert-linux-x64.run
sudo ln -s /opt/bitnami/bncert/bncert-linux-x64.run /opt/bitnami/bncert-tool

Run the Bitnami HTTPS Configuration Tool:
sudo /opt/bitnami/bncert-tool

=====How to install Let's Encrypt with Certbot (Super Easy)=====

The following steps were done on Amazon Linux 2.

The instructions I used to set up Let's Encrypt SSL using Certbot on Amazon Linux 2: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt

Amazon Linux 2023:
https://docs.aws.amazon.com/linux/al2023/ug/SSL-on-amazon-linux-2023.html

Follow the instructions above, it's really easy. Certbot pretty much does all the configuration for you, and will let you know where the key files are located and what not.

NOTE!!!: Before proceeding with the following steps, make sure you have the following DNS records:
* A record - @ - 23.20.238.64
* A record - www - 23.20.238.64

My output when I ran certbot, NOTE the ending is where info is provided:
[root@ip-172-31-33-239 ec2-user]# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): <email>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: dikapedia.com
2: www.dikapedia.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dikapedia.com
http-01 challenge for www.dikapedia.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
Enabling site /etc/httpd/conf/httpd-le-ssl.conf by adding Include to root configuration
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf/httpd.conf to ssl vhost in /etc/httpd/conf/httpd-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://dikapedia.com and
https://www.dikapedia.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=dikapedia.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.dikapedia.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/dikapedia.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/dikapedia.com/privkey.pem
Your cert will expire on 2020-04-19. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

* Your certificate and chain have been saved at:
::/etc/letsencrypt/live/dikapedia.com/fullchain.pem
* Your key file has been saved at:
::/etc/letsencrypt/live/dikapedia.com/privkey.pem
* [[#Apache VirtualHost configuration when using Let's Encrypt|Certbot created an SSL vhost for 443 at /etc/httpd/conf/httpd-le-ssl.conf]]

* Your cert will expire on 2020-04-19.
* To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option.
* To non-interactively renew *all* of your certificates, run "certbot renew"
* Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt.
* You should make a secure [[Archiving and Compression|backup]] of this folder now!!! This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
* After installing SSL cert and creating backups, I created a [[Cron|cron job]]. By default, Certbot generates host certificates with a short, 90-day expiration time. If you have not configured your system to call the command automatically, you must re-run the certbot command manually before expiration. Certbot developers suggest running the command at least twice daily. This guarantees that any certificate found to be compromised is promptly revoked and replaced. Refer to this page on how to configure the automated certificate renewal.
** Refer to this [[Cron|page]] on how I configured automated certificate renewal using cron job.

How I installed Let's Encrypt using Certbot on Amazon Linux 2023: https://certbot.eff.org/instructions?ws=apache&os=pip

=====Apache VirtualHost configuration when using Let's Encrypt=====

The Certbot script creates the <VirtualHost...> block for 443 in the /etc/httpd/conf/httpd-le-ssl.conf file, instead of the default [[Apache|Apache]] configuration file (/etc/httpd/conf/httpd.conf).

In the [[Apache|Apache]] configuration file (/etc/httpd/conf/httpd.conf), there is a line including the httpd-le-ssl.conf file:
IncludeOptional conf.d/*.conf
Include /etc/httpd/conf/httpd-le-ssl.conf

The Vhost block for 443 contains the same first 6 lines as for Vhost *:80 ([[Apache#Redirects_and_Virtual_Hosts |example]]).
* Notice the Include /etc/letsencrypt/options-ssl-apache.conf line with the SSLCertificateFile and SSLCertificateKeyFile.
# cat /etc/httpd/conf/httpd-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www"
ServerName dikapedia.com
ServerAlias www.dikapedia.com
RewriteEngine on
RedirectMatch ^/$ /wiki/
Options FollowSymLinks

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/dikapedia.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dikapedia.com/privkey.pem
</VirtualHost>
</IfModule>

=====How to renew Let's Encrypt cert (Certbot)=====

sudo certbot renew

Tested on Amazon Linux 2023.

Instructions from: https://certbot.eff.org/instructions?ws=apache&os=pip

Quiet method:
sudo certbot renew -q

=====How to set up automatic renewal=====

Instructions from: https://certbot.eff.org/instructions?ws=apache&os=pip

Per certbot's instructions - We recommend running the following line, which will add a cron job to the default crontab.

echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

=====How to renew Lets Encrypt cert (Non-Certbot way)=====

$ sudo service apache2 stop # This stops the web server
$ sudo /usr/bin/letsencrypt renew # Renew certificate through Let's Encrypt
$ sudo service apache2 start # Starts web server back up

=====How to Delete Certbot Certificate (Cleanly)=====

Luckily, a feature exists to perform the deletion automatically for you. This command will offer an index from which you can select the domain name to delete:
$ sudo certbot delete

----

Another good AWS article: https://aws.amazon.com/blogs/compute/extending-amazon-linux-2-with-epel-and-lets-encrypt/

====GoDaddy SSL ====
----

Link: https://www.godaddy.com/help/install-ssl-certificates-16623

====Namecheap SSL ====
----

* Generating CSR on Apache + OpenSSL/ModSSL/Nginx + Heroku:
https://www.namecheap.com/support/knowledgebase/article.aspx/9446/14/generating-csr-on-apache--opensslmodsslnginx--heroku/#1

* How Do I Activate an SSL Certificate
https://www.namecheap.com/support/knowledgebase/article/794/67/how-do-i-activate-an-ssl-certificate/

* Installing an SSL certificate on Apache
https://www.namecheap.com/support/knowledgebase/article.aspx/9423/33/installing-an-ssl-certificate-on-apache

====[[CloudEndure (AWS) | SSL + MITM PROXIES + CLOUDENDURE]]====
----

====SSL content fixers====
----

https://wordpress.org/plugins/really-simple-ssl/

https://wordpress.org/plugins/ssl-insecure-content-fixer/

====How to check what TLS version an OS supports (CentOS5)====
----

* https://www.2daygeek.com/check-supported-tls-ssl-version-ciphers-linux/

openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv2
SSLv3

* NOTE I think the below command is misleading/wrong (do not use the below):
$ for proto in 1 1_1 1_2 1_3; do openssl s_client -connect example.com:443 "-tls${proto}" 2>/dev/null < <(sleep 1; echo q) | grep Protocol | uniq; done
Protocol : TLSv1

====How to check what SSL protocol versions are supported on a Linux system====
----
* https://www.2daygeek.com/check-supported-tls-ssl-version-ciphers-linux/

openssl ciphers -v | awk '{print $2}' | sort | uniq

====How to check what Ciphers are available (CentOS5)====
----
* https://community.tenable.com/s/article/How-to-check-the-SSL-TLS-Cipher-Suites-in-Linux-and-Windows
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-hardening_tls_configuration
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-hardening_tls_configuration#sec-Working_with_Cipher_Suites_in_OpenSSL
/usr/bin/openssl ciphers -v

Cipher Suites are named combinations of:

Key Exchange Algorithms (RSA, DH, ECDH, DHE, ECDHE, PSK)
Authentication/Digital Signature Algorithm (RSA, ECDSA, DSA)
Bulk Encryption Algorithms (AES, CHACHA20, Camellia, ARIA)
Message Authentication Code Algorithms (SHA-256, POLY1305)
Type of Encryption TLS v1.3, v1.2, v1.1, v1.0 or SSL v3, v2

Here is an example of a TLS v1.2 cipher suite from Openssl command 'openssl ciphers -v' output:
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
Key Exchange: ECDHE
Signature: RSA
Bulk Encryption: AES256-GCM
Message Authentication: SHA384

* To get a list of all cipher suites supported by your installation of OpenSSL, use the openssl command with the ciphers subcommand as follows:
$ openssl ciphers -v 'ALL:COMPLEMENTOFALL'
or
$ openssl ciphers -v | column -t

* Pass other parameters (referred to as cipher strings and keywords in OpenSSL documentation) to the ciphers subcommand to narrow the output. Special keywords can be used to only list suites that satisfy a certain condition. For example, to only list suites that are defined as belonging to the HIGH group, use the following command:
$ openssl ciphers -v 'HIGH'

NOTE: The cipher suites are distributed as part of OpenSSL, so you'll have to upgrade that package to gain access to new ones.

====TLS Full 10-Step Handshake (TLS 1.2 & Below)====
----
BEFORE ALL THIS IT ESTABLISHES A TCP HANDSHAKE!!

# ClientHello: Client sends over ciphersuites specifications that it supports + ClientRandom (32-bytes value; ensures each handshake produces fresh, unique keys, prevents replay attacks, provides entropy; To be later used with ServerRandom(ServerHello step) and pre-master secret(from key exchange).
2. ServerHello: Server chooses a cipher to use + ServerRandom(same details as ClientRandom).
3. Server sends over certificate (webserver certificate and intermediary certificate; also includes the pubkey). The browser then validates the certificates.(half the time of the entire handshake is taken up by this step because its computationally expensive thing for the browser to process)
4. Server sends over its side ServerKeyExchange (if server is using DH, it sends A, g, n). (RSA part: Server sends those values as Digitally signed (hash encrypted with private key). Browser uses the pubkey from the cert to validate the DS and authenticates that the browser is talking to the intended server/website. The server side has the private key associated with the pubkey.
5. Server sends ServerHelloDone, empty message indicating the server negotiation finished.
6. Client sends ClientKeyExchange (if DH, it sends B value). Browser calculates DH B and key K (pre-master secret (PSK)); Server receives B, and can now calculate the shared key K value. Both client and server concatenates PSK + ClientRandom + ServerRandom → Master Secret, which generates the AES and HMAC. All keys are generated in this step 6, so everyone has all keys needed for the TLS comms.
7. Client sends ChangeCipherSpec, indicates everything is fine and ready to start encryption. NOT A HANDSHAKE MESSAGE!
8. Client sends Finished. Sends the hash of all prior HANDSHAKE MESSAGES (steps 1-6). First encrypted message sent from client.This is a checker telling the server that it saw everything the server saw.
9. Server sends ShangeCipherSpec. Indicates everything is fine and ready to start encryption. NOT A HANDSHAKE MESSAGE!
10. Server sends Finished. Sends the hash of all prior HANDSHAKE MESSAGES (steps 1-6, and 8). First encrypted message sent from server. Client receives encrypted message and decrypts using key K.

AFTER ALL THIS, THEN IT STARTS THE HTTP connection.

Git

2025-12-08T15:26:41Z

Ardika Sulistija:

git - The stupid content tracker. Git is a stupid content tracker because it has no idea what's inside those blobs, and it doesn't try to store fine grained information like "lines 345-350 added, lines 502-508 removed" or anything like that.

https://github.com/git-guides

====Git Cheat Sheet====
----

https://git-scm.com/cheat-sheet

====How to clone github repository to your local terminal====
----
$ git clone https://github.com/ardikas/shell-scripts

====How to set up your terminal with remote access to your Github repo====
----

You may see this when you try to commit:
$ git commit
*** Please tell me who you are.

Run

git config --global user.email "you@example.com"
git config --global user.name "Your Name"

to set your account's default identity.
Omit --global to set the identity only in this repository.

fatal: empty ident name (for <ardika@DESKTOP-TOREEKS.localdomain>) not allowed

Do:
git config --global user.email "myemail@gmail.com"
git config --global user.name "ardikas"

Another way to init Github repo:
git init
git config user.name "someone"
git config user.email "someone@someplace.com"

====How to add SSH key and push using SSH====
----

If you do git push and get this error, that is because password authentication was deprecated:
$ git push
Username for 'https://github.com': ardikas
Password for 'https://ardikas@github.com':
remote: Support for password authentication was removed on August 13, 2021.
remote: Please see https://docs.github.com/en/get-started/getting-started-with-git/about-remote-repositories#cloning-with-https-urls for information on
currently recommended modes of authentication.
fatal: Authentication failed for 'https://github.com/ardikas/python-scripts/'

Instead, my preferred way is to use SSH keys.

Follow these steps to generate an SSH key, add it to your Git Hub, and authenticate:
* https://docs.github.com/en/get-started/getting-started-with-git/about-remote-repositories#cloning-with-ssh-urls
* https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key
* https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#adding-your-ssh-key-to-the-ssh-agent

Then test the SSH key:
* NOTE!! YOU ALWAYS HAVE TO RUN THESE 3 COMMANNDS WHEN YOU OPEN A NEW SSH TERMINAL. The SSH agent only persists for the duration of the terminal session. Once the session is closed, the agent is no longer running, and the key needs to be added again the next time you open a terminal. Additionally, every time you open a new terminal, you’re starting a new shell session. That’s why you need to start the SSH agent and re-add your key each time.
$ eval "$(ssh-agent -s)"
$ ssh-add ~/.ssh/<githubkey>
$ ssh -T git@github.com
Hi ardikas! You've successfully authenticated, but GitHub does not provide shell access.

Change directory into the local clone of your repository (if you're not already there) and run:
$ git remote set-url origin git@github.com:ardikas/python-scripts.git

Now try editing a file (try the README) and then do:
$ git add -A
$ git commit -m "memo"

$ git push
Enumerating objects: 3, done.
Counting objects: 100% (3/3), done.
Delta compression using up to 8 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 1.28 KiB | 1.28 MiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
To github.com:ardikas/python-scripts.git
* [new branch] main -> main

=====Why does it appear to have two ssh key's set up on my system?=====

ardikas-mbp:cs-gy-6843 ardika$ ../github-ssh.sh
Agent pid 12617
Enter passphrase for /Users/Ardika/.ssh/ads9055_github:
Identity added: /Users/Ardika/.ssh/ads9055_github (ads9055@nyu.edu)
Hi ads9055! You've successfully authenticated, but GitHub does not provide shell access.

ardikas-mbp:cs-gy-6843 ardika$ ssh -T git@github.com
Hi ardikas! You've successfully authenticated, but GitHub does not provide shell access.

Your system appears to have two different SSH keys because SSH is likely using different identities depending on how it's configured. This happens for a few reasons:

1. Multiple SSH Keys in ~/.ssh Directory - Check how many SSH keys you have stored:
ls -l ~/.ssh/
* If you see multiple private keys (e.g., id_rsa, id_ecdsa, id_ed25519, github_rsa), your system may be using different keys for different connections.

2. SSH Config File (~/.ssh/config) - Your ~/.ssh/config file may specify different SSH identities for GitHub. Run:
cat ~/.ssh/config
* Example config file:
$ cat ~/.ssh/config
# Default GitHub account (personal)
Host github.com
HostName github.com
User git
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_ed25519

# Other GitHub account (school)
Host github.com
HostName github.com
User git
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/ads9055_github
* If you have two SSH keys mapped to GitHub, one may be used by default, and another when explicitly specified.
* Your issue comes from having two Host github.com entries in your ~/.ssh/config file. What's Happening?
** The first Host github.com block sets the SSH key to ~/.ssh/id_ed25519.
** The second Host github.com block sets the SSH key to ~/.ssh/ads9055_github, but it overrides the first one.
** Since both blocks use Host github.com, SSH always applies the last one in the file.
* [[#Using_Multiple_SSH_Keys_for_GitHub_on_One_Machine|HOW TO FIX THIS]]

3. Multiple GitHub Accounts
* Hi ads9055! might be your personal GitHub account.
* Hi ardikas! might be your work/school GitHub account.
* Each might have its own SSH key registered in GitHub → Settings → SSH and GPG keys.

4. SSH Agent Caching Multiple Keys - Run:
ssh-add -l
* This lists currently loaded SSH keys. If multiple are listed, your system is using more than one identity.
* If needed, you can remove all loaded keys and re-add a specific one:
ssh-add -D # Remove all SSH keys from memory
ssh-add ~/.ssh/github_rsa # Load only a specific key

5. To confirm which SSH key is being used when connecting to GitHub. The -vT flag provides verbose output, showing which identity file is being used.:
ssh -vT git@github.com

====Using Multiple SSH Keys for GitHub on One Machine====
----
To properly distinguish between two GitHub accounts, modify ~/.ssh/config like this:
# Default GitHub account (personal)
Host github-personal
HostName github.com
User git
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_ed25519

# Other GitHub account (school)
Host github-school
HostName github.com
User git
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/ads9055_github

How to Use These Identities in Git 
Since we've renamed the Host values (github.com → github-personal and github.com → github-school), you need to update your remote URLs in your repositories:

For Personal GitHub (personal), go to your personal repository folder and run:
git remote set-url origin git@github-personal:username/repository.git

For Work/School GitHub (school), go to your work-related repository folder and run:
git remote set-url origin git@github-work:ads9055/cs-gy-6843.git

How to Verify Which SSH Key is Used 
You can now test which key is being used by running:
ssh -T git@github-personal
ssh -T git@github-work

This setup ensures that: ✅ Personal GitHub (personal) uses ~/.ssh/id_ed25519.
✅ School GitHub (school) uses ~/.ssh/ads9055_github.

====How to commit/upload to git====
----
Note: For Ardika, follow the [[#How to add SSH key and push using SSH|How to add SSH key and push using SSH]] steps above to commit and push via your mac/pc.

To commit:
git add [new file]
git commit -m "memo"
git push

If you get: git@github.com: Permission denied (publickey), follow the steps below...

Workaround (need to find permanent fix):
* I put this as a script:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/<githubkey>
ssh -T git@github.com
* Then run:
git remote set-url origin git@github.com:ardikas/terraform
git add * || git add [file]
git commit -m "memo"
git push

=====Fatal: The current branch main has no upstream branch=====
----

If you try to do git push but you get the following error:
fatal: The current branch main has no upstream branch.
To push the current branch and set the remote as upstream, use git push --set-upstream ads9055/CS-GY-6843-2025-Spring main

This error means that your current branch (main) does not have an upstream branch set for the remote repository. Essentially, Git doesn't know where to push your changes.

To resolve this, you need to set the upstream branch for your main branch. You can do this using the following command:
git push --set-upstream ads9055/CS-GY-6843-2025-Spring

This command will push the main branch to the remote repository ads9055/CS-GY-6843-2025-Spring and set the upstream branch, so future git push commands will know where to send the changes.

----

[+] [https://github.com/ardikas/ Ardika's GitHub Repositories]

----

$ git config --list
user.email=<my email>
user.name=ardikas
core.repositoryformatversion=0
core.filemode=true
core.bare=false
core.logallrefupdates=true
remote.origin.url=https://github.com/ardikas/shell-scripts
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
branch.master.remote=origin
branch.master.merge=refs/heads/master

====How to select branch using git====
----
cd into the repo and run git checkout:

cd [repo directory]
git checkout [branch]

How to check which branch you are in:
git status

====How to remove files locally and sync it with GitHub Repo====
----

Remove the file from the locally cloned directory by running git rm <file>. (This will delete the actual file!)
ardikas-mbp:cs-gy-6843 ardika$ git rm testfile
rm 'testfile'

ardikas-mbp:cs-gy-6843 ardika$ git rm testfile2
rm 'testfile2'

Then commit and push:
ardikas-mbp:cs-gy-6843 ardika$ git commit -m "test remove files"
[main 8528739] test remove files
2 files changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 testfile
delete mode 100644 testfile2

ardikas-mbp:cs-gy-6843 ardika$ git push
Enumerating objects: 3, done.
Counting objects: 100% (3/3), done.
Delta compression using up to 8 threads
Compressing objects: 100% (1/1), done.
Writing objects: 100% (2/2), 230 bytes | 230.00 KiB/s, done.
Total 2 (delta 0), reused 1 (delta 0), pack-reused 0
To github.com:ads9055/cs-gy-6843.git
b7f857d..8528739 main -> main

====What is the difference between git remote add and get remote set-url?====
----

Both git remote add and git remote set-url are commands used to manage remote repositories in Git, but they serve different purposes:

* git remote add:
** Purpose: This command is used to add a new remote repository to your local Git configuration.
** Usage: You typically use this when you want to associate a new remote repository with your local repository for the first time.
** Example:
git remote add origin git@github.com:your-username/repository-name.git
** Outcome: This adds a new remote repository named origin to your local configuration, pointing to the specified URL.

* git remote set-url:
** Purpose: This command is used to change the URL of an existing remote repository.
** Usage: You use this when you need to update the URL for an already configured remote repository, perhaps because the remote repository has moved or you want to switch from HTTP to SSH.
** Example:
git remote set-url origin git@github.com:your-username/new-repository-name.git
** Outcome: This updates the URL for the existing remote repository named origin to the new specified URL.

In summary, git remote add is for adding a new remote, and git remote set-url is for updating the URL of an existing remote. They help you manage your connections to remote repositories efficiently.

2025-08-28T20:05:21Z

Ardika Sulistija:

NetworkManager

2025-08-28T20:05:00Z

Ardika Sulistija:

2025-08-07T21:24:34Z

Ardika Sulistija:

Useful resources:
* https://docs.kinetica.com/7.1/install/nvidia_rhel/
* https://developer.nvidia.com/blog/streamlining-nvidia-driver-deployment-on-rhel-8-with-modularity-streams/
* Good Nvidia driver installation guide: https://docs.nvidia.com/cuda/pdf/CUDA_Installation_Guide_Linux.pdf

====What is Nvidia-smi?====
----

The nvidia-smi (NVIDIA System Management Interface) command in Linux is a utility provided by NVIDIA to monitor and manage GPU devices. It is part of the NVIDIA driver package and provides detailed information about the status of the NVIDIA GPUs installed on your system.

When you have Nvidia drivers installed, the command nvidia-smi outputs a neat table giving you information about your GPU, CUDA, and driver setup.

====How to install NVIDIA driver on RHEL8 for Specific GPU model (using .run file)====
----
The following steps uses NVIDIA's .run file.
For steps on how to install nvidia-driver via dnf/command line, please refer to this [https://developer.nvidia.com/blog/streamlining-nvidia-driver-deployment-on-rhel-8-with-modularity-streams/ link]

Another helpful link: https://www.if-not-true-then-false.com/2021/install-nvidia-drivers-on-centos-rhel-rocky-linux/

Notes:
• The following steps have been tested on Dell Precision 3480 (RTX A500 Laptop GPU) and Dell Precision 7670 (RTX A2000 8GB Laptop GPU).

Steps:
1. First connect to the system via SSH/PuTTy and check the NVIDIA graphics card model:
$ lspci | grep -i nvidia
In this example output, the NVIDIA graphics card is RTX A2000 8GB Laptop GPU.

2. Search the driver from Nvidia's website and download it locally

You can use wget to download the .run file directly from Nvidia’s website to the system. Tip: To get the correct URL link, click “Download” and then right-click on “Agree & Download”.
$ wget https://us.download.nvidia.com/XFree86/Linux-x86_64/550.90.07/NVIDIA-Linux-x86_64-550.90.07.run
3. Install prerequisites:
$ dzdo yum install gcc kernel-devel libglvnd-devel elfutils-libelf-devel
4. Then perform the following steps to disable the nouveau driver:
a. Edit the /etc/default/grub file and ensure that the options rd.driver.blacklist=nouveau nouveau.modeset=0 is at the end of the GRUB_CMD_LINUX line:
$ dzdo vi /etc/default/grub
Example:
GRUB_CMDLINE_LINUX="resume=/dev/mapper/cmw--rhel-swap rd.lvm.lv=cmw-rhel/root rd.lvm.lv=cmw-rhel/swap rhgb quiet audit=1 audit_backlog_limit=8192 pti=on page_poison=1 slub_debug=P fips=1 boot=UUID=1125ad64-b4b3-4995-928c-8f8a1fa2c48b rd.driver.blacklist=nouveau nouveau.modeset=0"

b. Save the file and exit.
c. Next, rebuild the GRUB configuration file:
$ dzdo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

d. Create the disable-nouveau.conf file under the /etc/modprobe.d/ directory:

$ dzdo vi /etc/modprobe.d/disable-nouveau.conf

And then insert these separate lines:
blacklist nouveau
options nouveau modeset=0

Example:
$ dzdo cat /etc/modprobe.d/disable-nouveau.conf
blacklist nouveau
options nouveau modeset=0

e. Modify the permissions and then regenerate the initramfs file by running dracut. Then reboot.
$ dzdo chmod 644 /etc/modprobe.d/disable-nouveau.conf
$ dzdo dracut -f
$ dzdo reboot

5. Log back in via SSH and then run the following commands:
$ dzdo init 3
$ chmod +x NVIDIA-Linux-x86_64-<version.number>.run
$ dzdo mount -o remount,exec /tmp
$ dzdo yum remove nvidia-driver

6. Then run the installer and answer the prompts:
$ dzdo ./NVIDIA-Linux-x86_64-<version.number>.run

Wait for graphical installer then Answer 5 prompts/ 4 questions:
* Install 32-bit compatibility Libraries – Yes
* Register with DKMS – No
* Initramfs rebuild – Yes
* Update X Configuration File – Yes
* Installation Complete – Click OK

7. Then confirm the latest driver version was installed successfully (check Driver Version):
$ nvidia-smi

8. Reboot the system and confirm that its booting up and working as expected. Once logged back in, re-run nvidia-smi to confirm.
$ dzdo reboot
$ nvidia-smi (or) $ nvidia-smi -q | grep -i “driver version”

9. Clean up: remove the .run installer once completed successfully.
$ dzdo rm NVIDIA-Linux-x86_64-<version.number>.run

=====How to uninstall the NVIDIA driver after installing it using the .run file=====
sudo ./NVIDIA-Linux-x86_64-<version.number>.run --uninstall

====How to check Nvidia driver version and other information====
----
$ nvidia-smi
Tue Jun 4 13:09:18 2024
+-----------------------------------------------------------------------------------------+
| NVIDIA-SMI 550.90.07 Driver Version: 550.90.07 CUDA Version: 12.4 |
|-----------------------------------------+------------------------+----------------------+
| GPU Name Persistence-M | Bus-Id Disp.A | Volatile Uncorr. ECC |
| Fan Temp Perf Pwr:Usage/Cap | Memory-Usage | GPU-Util Compute M. |
| | | MIG M. |
|=========================================+========================+======================|
| 0 NVIDIA RTX A2000 8GB Lap... Off | 00000000:01:00.0 Off | N/A |
| N/A 49C P0 25W / 60W | 1MiB / 8192MiB | 0% Default |
| | | N/A |
+-----------------------------------------+------------------------+----------------------+

+-----------------------------------------------------------------------------------------+
| Processes: |
| GPU GI CI PID Type Process name GPU Memory |
| ID ID Usage |
|=========================================================================================|
| No running processes found |
+-----------------------------------------------------------------------------------------+

Alternatively, you can run the following command which will give you the same information (or more) in a non-table format:
$ nvidia-smi -q
==============NVSMI LOG==============

Timestamp : Thu Jun 27 14:55:53 2024
Driver Version : 555.42.02
CUDA Version : 12.5

Attached GPUs : 1
GPU 00000000:02:00.0
Product Name : NVIDIA RTX A500 Laptop GPU
Product Brand : NVIDIA RTX
Product Architecture : Ampere
Display Mode : Disabled
Display Active : Disabled
Persistence Mode : Disabled
Addressing Mode : None
MIG Mode
Current : N/A
Pending : N/A
Accounting Mode : Disabled
Accounting Mode Buffer Size : 4000
Driver Model
Current : N/A
Pending : N/A
Serial Number : N/A
GPU UUID : GPU-fabe1493-c99a-410b-5941-abeb61f58c80
Minor Number : 0
VBIOS Version : 94.07.7C.00.0B

or
$ nvidia-smi -q | grep -i driver
Driver Version : 555.42.02
Driver Model

====NVIDIA DOCUMENTATION ON HOW TO DISABLE NOUVEAU====
----
https://docs.nvidia.com/ai-enterprise/deployment-guide-vmware/0.1.0/nouveau.html
https://docs.nvidia.com/ai-enterprise/deployment-guide-bare-metal/0.1.0/nouveau.html

====GSP Firmware====
----

GSP firmware being enabled has been causing issues with some Dell models that contain specific GPU hardware.

=====What is GSP?=====

Some GPUs include a GPU System Processor (GSP) which can be used to offload GPU initialization and management tasks. This processor is driven by firmware files distributed with the driver. The GSP firmware is used by default on GPUs which support it.

Offloading tasks which were traditionally performed by the driver on the CPU can improve performance due to lower latency access to GPU hardware internals.

Firmware files gsp_*.bin are installed in /lib/firmware/nvidia/560.28.03/. Each GSP firmware file is named after a GPU architecture (for example, gsp_tu10x.bin is named after Turing) and supports GPUs from one or more architectures.

=====Disabling GSP Mode=====
The driver can be forced to disable use of GSP firmware by setting the kernel module parameter nvidia.NVreg_EnableGpuFirmware=0.

The nvidia-smi utility can be used to query the current use of GSP firmware. It will display a valid version if GSP firmware is enabled, or “N/A” if disabled
$ nvidia-smi -q | grep -iE 'driver version|gsp'
Driver Version : 555.42.06
GSP Firmware Version : N/A

=====Enabling GSP Mode=====
The GSP firmware will be used by default for all Turing and later GPUs. The driver can be explicitly configured to use the GSP firmware by setting the kernel module parameter nvidia.NVreg_EnableGpuFirmware=1.

https://download.nvidia.com/XFree86/Linux-x86_64/560.28.03/README/gsp.html

=====Issues with the 560 Driver Not Able to Disable GSP=====

Nvidia then released the 560 driver, which also comes with the GSP enabled. However, starting with the 560 driver, Nvidia decided to make the open kernel module as the default installation instead of the proprietary version. From my research, I found that we were not able to disable the GSP firmware when using the open kernel module version of the driver, because it ignores the NVreg_EnableGpuFirmware=0 kernel parameter.

======How to check if Nvidia is Open-source or the proprietary version======
$ cat /proc/driver/nvidia/version
NVRM version: NVIDIA UNIX Open Kernel Module for x86_64 560.28.03 Release Build (dvs-builder@U16-A24-27-4) Thu Jul 18 20:46:24 UTC 2024
GCC version: gcc version 8.5.0 20210514 (Red Hat 8.5.0-18) (GCC)

$ rpm -qi kmod-nvidia-open-dkms-560.28.03-1.el8.x86_64
Name : kmod-nvidia-open-dkms
Epoch : 3
Version : 560.28.03
Release : 1.el8
Architecture: x86_64
Install Date: Mon 12 Aug 2024 10:51:53 AM EDT
Group : Unspecified
Size : 23911228
License : NVIDIA License
Signature : RSA/SHA512, Thu 18 Jul 2024 11:27:31 PM EDT, Key ID 9cd0a493d42d0685
Source RPM : kmod-nvidia-open-dkms-560.28.03-1.el8.src.rpm
Build Date : Thu 18 Jul 2024 11:25:41 PM EDT
Build Host : cf605bc53c42
Relocations : (not relocatable)
URL : http://www.nvidia.com/object/unix.html
Summary : NVIDIA driver open kernel module flavor
Description :
This package provides the open-source Nvidia kernel driver modules.
The modules are rebuilt through the DKMS system when a new kernel or modules become available.

To resolve this, you must uninstall the open kernel module and reinstall the proprietary version in order for the kernel parameter to work and successfully disable the GSP firmware. To install the proprietary version, use the command sudo dnf module install -y nvidia-driver:latest-dkms so that the GSP firmware gets disabled during the image process.

Here are some links as a reference:
* The updated nvidia_driver.sh script (See lines 30-60 for the fix): http://va3cngl01a.cacicorenet.com/linux_image/rhel8/-/blob/main/Dev_wk_files/nvidia_driver.sh
* From this link: https://download.nvidia.com/XFree86/Linux-x86_64/560.28.03/README/kernel_open.html it says "Because the two flavors of kernel modules are mutually exclusive, one or the other must be chosen at install time. By default, installation will choose which flavor of kernel modules to install, based on the GPUs detected in the system. If a pre-Turing GPU is detected, installation will default to the proprietary flavor of kernel modules. Otherwise, installation will default to the open flavor of kernel modules."
* Per https://www.reddit.com/r/linux_gaming/comments/1cp4heq/news_starting_with_nvidia_560_the_open_source/ it says "Starting in the release 560 series, it will be recommended to use the open flavor of NVIDIA Linux Kernel Modules wherever possible (Turing or later GPUs, or Ada or later when using GPU virtualization).
** If installing from the .run file, installation will detect what GPUs are present and default to installing the open kernel modules if all NVIDIA GPUs in the system can be driven by the open kernel modules. Distribution-specific repackaging of the NVIDIA driver may require additional steps, specific to that packaging, to choose the open flavor.
** In the release 560 series, it will still be possible to configure the .run file to install the proprietary flavor of kernel modules, with the --kernel-module-type=proprietary command line option. However, in the future, some GPUs may only be supported with the open flavor."

====How to List Available Nvidia Module Streams====
----
$ sudo dnf module list nvidia-driver
.
.
.
Name Stream Profiles Summary
nvidia-driver latest default [d], fm, ks, src Nvidia driver for latest branch
nvidia-driver latest-dkms default [d], fm, ks Nvidia driver for latest-dkms branch
nvidia-driver open-dkms [d] default [d], fm, ks, src Nvidia driver for open-dkms branch
nvidia-driver 515 default [d], fm, ks, src Nvidia driver for 515 branch
nvidia-driver 515-dkms default [d], fm, ks Nvidia driver for 515-dkms branch
nvidia-driver 515-open default [d], fm, ks, src Nvidia driver for 515-open branch
nvidia-driver 520 default [d], fm, ks, src Nvidia driver for 520 branch
nvidia-driver 520-dkms default [d], fm, ks Nvidia driver for 520-dkms branch
nvidia-driver 520-open default [d], fm, ks, src Nvidia driver for 520-open branch
nvidia-driver 525 default [d], fm, ks, src Nvidia driver for 525 branch
nvidia-driver 525-dkms default [d], fm, ks Nvidia driver for 525-dkms branch
nvidia-driver 525-open default [d], fm, ks, src Nvidia driver for 525-open branch
nvidia-driver 530 default [d], fm, ks, src Nvidia driver for 530 branch
nvidia-driver 530-dkms default [d], fm, ks Nvidia driver for 530-dkms branch
nvidia-driver 530-open default [d], fm, ks, src Nvidia driver for 530-open branch
nvidia-driver 535 default [d], fm, ks, src Nvidia driver for 535 branch
nvidia-driver 535-dkms default [d], fm, ks Nvidia driver for 535-dkms branch
nvidia-driver 535-open default [d], fm, ks, src Nvidia driver for 535-open branch
nvidia-driver 545 default [d], fm, ks, src Nvidia driver for 545 branch
nvidia-driver 545-dkms default [d], fm, ks Nvidia driver for 545-dkms branch
nvidia-driver 545-open default [d], fm, ks, src Nvidia driver for 545-open branch
nvidia-driver 550 default [d], fm, ks, src Nvidia driver for 550 branch
nvidia-driver 550-dkms default [d], fm, ks Nvidia driver for 550-dkms branch
nvidia-driver 550-open default [d], fm, ks, src Nvidia driver for 550-open branch
nvidia-driver 555 default [d], fm, ks, src Nvidia driver for 555 branch
nvidia-driver 555-dkms default [d], fm, ks Nvidia driver for 555-dkms branch
nvidia-driver 555-open default [d], fm, ks, src Nvidia driver for 555-open branch
nvidia-driver 560 default [d], fm, ks, src Nvidia driver for 560 branch
nvidia-driver 560-dkms default [d], fm, ks Nvidia driver for 560-dkms branch
nvidia-driver 560-open default [d], fm, ks, src Nvidia driver for 560-open branch

====Nvidia-plugin and Kernel Package Exclusions====
----

The exclusion of certain kernels by the NVIDIA plugin is likely due to compatibility issues between the installed NVIDIA driver version and the available kernel versions. Since our image specifies a particular version of the NVIDIA driver (e.g., nvidia-driver:570), the system ensures that only compatible kernels are used to prevent potential issues. In this scenario, you may see the following when trying to update a package or kernel:

- package kernel-core-4.18.0-477.21.1.el8_8.x86_64 from rhel-8-for-x86_64-baseos-rpms is filtered out by exclude filtering
- package kernel-core-4.18.0-477.27.1.el8_8.x86_64 from rhel-8-for-x86_64-baseos-rpms is filtered out by exclude filtering
- package kernel-core-4.18.0-513.5.1.el8_9.x86_64 from rhel-8-for-x86_64-baseos-rpms is filtered out by exclude filtering
- package kernel-debug-core-4.18.0-477.21.1.el8_8.x86_64 from rhel-8-for-x86_64-baseos-rpms is filtered out by exclude filtering
- package kernel-debug-core-4.18.0-477.27.1.el8_8.x86_64 from rhel-8-for-x86_64-baseos-rpms is filtered out by exclude filtering
- package kernel-4.18.0-513.24.1.el8_9.x86_64 from rhel-8-for-x86_64-baseos-rpms is filtered out by exclude filtering
- package kernel-4.18.0-513.5.1.el8_9.x86_64 from rhel-8-for-x86_64-baseos-rpms is filtered out by exclude filtering
- package kernel-4.18.0-513.18.1.el8_9.x86_64 from rhel-8-for-x86_64-baseos-rpms is filtered out by exclude filtering

To resolve this, disable the nvidia-plugin by creating this file:
dzdo vi /etc/dnf/plugins/nvidia.conf

[main]
enabled=0

Nvidia

2025-08-07T19:40:51Z

Ardika Sulistija:

SSH

2025-08-04T19:15:37Z

Ardika Sulistija:

ssh — SSH stands for Secure Shell. OpenSSH SSH client (remote login program).

The SSH protocol uses encryption to secure the connection between a client and a server. All user authentication, commands, output, and file transfers are encrypted to protect against attacks in the network.

Uses for SSH protocol:
* Providing secure access for users and automated processes.
* Interactive and automated file transfers
* Issuing remote commands
* Managing network infrastructure and other mission-critical system components.

====How Does the SSH Protocol Work====
----

The protocol works in the client-server model, which means that the connection is established by the SSH client connecting to the SSH Server.

After the setup phase the SSH protocol uses strong encryption and hashing algorithms to ensure the privacy and integrity of the data that is exchanged between the client and server.

# SSH Client initiates the connection by contacting the SSH Server
# SSH Server sends the server public key to the SSH Client
# Negotiate parameters and open secure channel
# User login to server host operating system

[[File:SSH diagram.png|class=img-responsive]]

=====How Does Authentication Work?=====
----

Initializing a connection in SSH consists of:
* Negotiating the version of protocol to use.
* Negotiating cryptoigraphic algorithms and other options to use
* Negotiating a one-time session key for encrypting the rest of the session
* Authenticating the server host using its host key
* Authenticating the user using a password, public key authentication, or other means.

After this, data can be exchanged, including terminal data, graphics, and files.

Public Key Authentication - The key-based authentication mechanism in SSH is called public key authentication.
* Essentially, some session-specific data is signed using the private identity key. The signature is then sent to the server that checks if the key used for signing is configured as an authorized key. The server then verifies the digital signature using the public key in the authorized key. The identity key is never sent to the server.
* The essential thing in public key authentication is that it allows one server to access another server without having to type in a password.
* This powerful feature is why it is so widely used for file transfers (using the SFTP protocol) and configuration management. It is also commonly used by system administrators for single sign-on.

====SSH Key Pairs====
----

Strong authentication with SSH keys
* The idea is to have a cryptographic key pair (Public and private keys), and configure the public key on the server to authorize access and grant anyone who has a copy of the private key to access the server.
* Private Keys (identify keys) are typically stored in a user's ~/.ssh directory on the client machine.
* The public key "fingerprint" is in the ~/.ssh/authorized_keys file on the server.

=====Different Type of SSH Keys=====
----

* RSA is well-regarded and supported everywhere. It is considered quite secure. Common key sizes go up to 4096 bits and as low as 1024. The key size is adjustable. You should choose RSA.
* DSA is not in common use anymore, as poor randomness when generating a signature can leak the private key. In the past, it was guaranteed to work everywhere as per RFC 4251, but this is no longer the case. DSA has been standardized as being only 1024 bits (in FIPS 186-2, though FIPS 186-3 has increased that limit). OpenSSH 7.0 and newer actually disable this algorithm. (WEAK)
* ECDSA is newer and is based on DSA. It has the same weaknesses as DSA, but it is generally thought to be more secure, even at smaller key sizes. It uses the NIST curves (P256).
* Ed25519, while not one you listed, is available on newer OpenSSH installations. It is similar to ECDSA but uses a superior curve, and it does not have the same weaknesses when weak RNGs are used as DSA/ECDSA. It is generally considered to be the strongest mathematically.

=====What Do SSH Keys Look Like=====
-----

A Private Key (identity key) will look something like this; Will have ---BEGIN, ---END:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA0oDN+mOxkL6qJuBOP2LgcocJeqC2NWZ/kr6pTMitIyI0iejr
bUw9N7rTSgLUrwJPK/rexiUUkZZkOl6Q8VQYE5jj+vyFeRUPSjM67hC8FT5CuTsy
VFIVD29Vi+M4xEX98DhkUWGoBT2MIJVH1v4NRP+FNtXnUSlnryvdNKVtxBFpK/2S
TeC4g4MX5/GVwEUW7/mIWdEv/6f13grcPLs2wTbKrAS/tsyK0KiDjsjuTNV757C8
1sHM5MX7JtLLR8tdzqLrHdBVNgH2PmR76PEkYb7bZNeRhEGs8aRQ4cpPH+BQ0h5V
hkaZPsgaqbu5OBgDkdFULa3WrjWJcScLIf9WC5dZRntDvn2L/pPC24GKaKunU1GY
loL6Ii+z318Qi2N+RImsjBkCgYBcd+Jcl0lFSkKyWqdVB+2s6PDG0OKfxZwBSSpi
U78cRrEg7SqwxT8tj2wtUhc0e+EB61zzqaRT2rTWYOpEgS2nf+/gpWCuFxu47ClU
cAC2p32U8x40AeMsAuWv+iYzX+7Kd6zc0ttUVfalLNEZ1oETLmyOxveTGKLgKbgA
TwKlrQKBgQCj6SdAlGQHndlCutadpY5jQT9bUhg1dDsjckJ30EaaS+7cZXn2hcPJ
4UNXn0OmelqKym6K96f0+3EhXFUNEUzo/Tky3nZ9c+qA1goTAuoS/GYTQZJJJ0VG
A7w+S7LFGEoSflcI/Ph80cYKJJBzIUfr3BavDGlArnncvasNr0It4w==
-----END RSA PRIVATE KEY-----

A Public key fingerprint or authorized key will look like this:
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDSgM36Y7GQvqom4E4/YuByhwl6oLY1Zn+SvqlMyK0jIjSJ6OttTD03utNKAtSvAk8r+t7GJRSRlmQ
6XpDxVBgTmOP6/IV5FQ9KMzruELwVPkK5OzJUUhUPb1WL4zjERf3wOGRRYagFPYwglUfW/g1E/4U21edRKWevK900pW3EEWkr/ZJN4LiDgx
fn8ZXARRbv+YhZ0S//p/XeCtw8uzbBNsqsBL+2zIrQqIOOyO5M1XvnsLzDVGnZPhJmF7/7BwRR2bJATfK/j5VVe3ZK8RkuDoh7TzMn2hvqm
WcxDn1H+x2hAUOp4+zh+XF/NNeljKTnj8CUVvcGu8bhK2OrUm/F ec2-user@ip-172-31-33-239.ec2.internal

(Note, I had to break these lines up for the sake of showing how it looks on this wiki. Really the whole things is one long string)

=====Permissions=====
----

The proper permissions and other notes
drwx------ 1 ardika ardika 4096 Jan 13 14:26 .ssh/ # 700
-rw------- 1 ardika ardika 1671 Jan 6 21:59 .ssh/private_key.pem # 600
-rw-r--r-- 1 ardika ardika 404 Jun 13 2019 .ssh/public_key.pub # 644
-rw------- 1 ec2-user ec2-user 391 Jan 11 22:58 .ssh/authorized_keys # 600

====SSH Configuration File====
----

/etc/ssh/sshd_config - The SSH configuration file.

Configurations you can adjust:
- Listening port number
- RSAAuthentication 
- RSAAuthentication 
- PubkeyAuthentication 
- PasswordAuthentication 
- PermitRootLogin

Below are some "how-to's" when modifying the sshd_config file to enable/disable certain features of the SSH service.

====File Transfers over SSH====
----

* [[SCP|SCP]] - Secure Copy Protocol
:- SCP can only be used for transferring files, and is not interactive (everything has to be specified on the command line).
* [[SFTP|SFTP]] - Secure File Transfer Protocol
:- More elaborate, and allows interactive commands to do things like creating directories, deleting directories and files (all subject to system permissions, ofc), etc.
:- Allows for a range of operations on remote files - it is more like a remote file system protocl. An SFTP client's extra capabilities compared to an SCP client include resuming interrupted transfers, directory listings, and remote file removal.

Both SCP and SFTP utilize the same SSH encryption during file transfer with the same general level of overhead, SCP is usually much faster than SFTP at transferring files, especially on high latency networks. This is because SCP implements a more efficient transfer algorithm, one which does not require waiting for packet confirmations. This leads to faster speed but comes at the expense of not being able to interrupt a transfer, so unlike SFTP, SCP transfer cannot be canceled without terminating the session.

==== How to SSH without Keypairs, and use Password Authentication instead====
----

https://aws.amazon.com/premiumsupport/knowledge-center/ec2-password-login/

https://www.serverkaka.com/2018/08/enable-password-authentication-aws-ec2-instance.html

====SSH Troubleshooting====
----

Below are some of the common errors or issues you may run into with SSH:

=====Server refused our key=====
----

You might be unable to log in to an EC2 instance if:
* You're using an SSH private key but the corresponding public key is not in the authorized_keys file.
* You don't have permissions for your authorized_keys file.
* You don't have permissions for the .ssh folder.
* Your authorized_keys file or .ssh folder isn't named correctly.
* Your authorized_keys file or .ssh folder was deleted.
* Your instance was launched without a key, or it was launched with an incorrect key.

To connect to your EC2 instance after receiving the error "Server refused our key," you can update the instance's user data to append the specified SSH public key to the authorized_keys file, which sets the appropriate ownership and file permissions for the SSH directory and files contained in it.

=====Server refused public-key signature despite accepting key!=====
----

Could be due to:
* Could be due to changed permissions on the .ssh directory, the authorized_keys file, or even the home directories. Check permissions.
* Firewall

=====Permission denied=====
----

Check permissions!
Make sure you are using the correct user name, correct key, correct host, etc.

=====Connection Timeout || Connection Timed out=====
----

A connection timeout indicates that the client attempted to establish a network socket to the SSH server, but the server failed to respond within the timeout period.

* Ensure the destination host is correct
* Check firewall/security groups.
* Check the ports you are using or the service is listening on ($ grep -i port /etc/ssh/sshd_config).
* Check that the service is actually running and bound to the expected port.

=====Connection Refused=====
----

This means the request is routed to the host, but the host does not successfully accept the request.
* Ensure the destination host is correct
* Check firewall/security groups.
* Check the ports you are using or the service is listening on ($ grep -i port /etc/ssh/sshd_config).
* Check that the service is actually running and bound to the expected port.

=====Too Many Authentication Failures=====
----

This could happen if you have (default on my system) five or more DSA/RSA identity files stored in your .ssh directory. In this case if the -i option isn't specified at the command line the ssh client will first attempt to login using each identity (private key) and next prompt for password authentication. However, sshd drops the connection after five bad login attempts (again default may vary).

I was able to solve this issue by editing the ~/.ssh/config file on the local machine.

Added this line:
Host *
IdentitiesOnly=yes

And it worked.

=====Copied my private key to another EC2 instance/Bastion, but now when I ssh to another instance I'm getting asked for a passphrase when I shouldn't be=====
----

https://serverfault.com/questions/379938/ec2-instance-always-ask-me-to-enter-passphrase-for-the-pem-during-connection

If sharing a private key between 2 or more ec2 instances and if you try to establish a ssh connection from a ssh connection on ec2, use notepad to open .pem file on your local machine and copy the contents to the new .pem file you're creating in the ssh terminal. It will work 100% and won't ask you for any passphrase.

If you open your local .pem file with other text editors i.e. VSCode you will be asked for the passphrase when trying to use your new .pem file.

To check if the key is OK run: openssl rsa -check -in test.pem -noout like so:
# Bad key:
openssl rsa -check -in .ssh/ec2_nva_key.pem -noout
unable to load Private Key
139794998015904:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:815:

# Good key:
openssl rsa -check -in .ssh/ec2_nva_key.pem -noout
RSA key ok

=====How to connect to a RHEL 8 system running FIPS using PuTTY=====
----

RHEL 8: https://access.redhat.com/solutions/4906221

More FIPS (How can I make RHEL 6 or RHEL 7 FIPS 140-2 compliant? https://access.redhat.com/solutions/137833 )

====How to regain SSH access to an EC2 instance using User Data====
----

https://aws.amazon.com/premiumsupport/knowledge-center/user-data-replace-key-pair-ec2/

1. Create a new key pair.

2. If you create the private key in the Amazon EC2 console, retrieve the public key for the key pair.

3. Open the Amazon EC2 console.

4. Stop your instance.

5. Choose Actions, Instance Settings, and then choose View/Change User Data.

6. Copy the following script into the View/Change User Data dialog box:
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [users-groups, once]
users:
- name: username
ssh-authorized-keys:
- PublicKeypair

Replace username with your user name, such as ec2-user. You can enter the default user name, or enter a custom user name, if one was previously set up for the instance. For a list of default user names, see General prerequisites for connecting to your instance.

Replace PublicKeypair with the public key retrieved in step 2. Be sure to enter the entire public key, starting with ssh-rsa.

7. Choose Save.

8. Start your instance.

9. After the cloud-init phase is complete, validate that the public key was replaced.

Important: Because the script contains a key pair, remove the script from the User Data field.

* Note: Notice the [users-groups, once] -- This will only run the user-data script once, which is the next boot up. If you want to run this again, you can change once to always. So be sure to remove the script from the User Data Field once you regain access.

ANOTHER GUIDE USING USER DATA SPECIFICALLY FOR PERMISSIONS DENIED ERROR (This didn't work for me after testing a couple times though): https://aws.amazon.com/premiumsupport/knowledge-center/ec2-linux-fix-permission-denied-errors/

----
References:
[+] https://aws.amazon.com/premiumsupport/knowledge-center/ec2-server-refused-our-key/
[+] https://serverfault.com/questions/716033/gitlab-server-refused-public-key-signature-despite-accepting-key-on-a-valid
[+] https://serverfault.com/questions/837981/too-many-authentication-failures-for-ec2-user

====How to set up SSH Agent Forwarding (for Bastion hosts)====
----

Really good article, very easy:

* Securely Connect to Linux Instances Running in a Private Amazon VPC:
https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/

* Configuring SSH Agent Forwarding in Windows Subsystem for Linux (Ubuntu 18.04):
https://stfc-cloud-docs.readthedocs.io/en/latest/howto/ConfigureSSHAgentForwardingInWindowsSubsystemForLinux.html

To update Ubuntu 18.04 LTS run:
sudo apt-get update
sudo apt-get upgrade

This left me with a nice up to date install. You can then run the following commands to start and add your key to the ssh agent:
# To get the environment variables set in the user's shell environment and start the agent:
eval $(ssh-agent -s)
ssh-add \<path-to-your-ssh-private-key\>

Then you can ssh to your Bastion host with agent forwarding using:
ssh -A ec2-user@<public_IP>

Then you can SSH to your instances in the private subnet:
ssh ec2-user@<private_IP>

* NOTE: You can view the private keys that were added to the agent:
$ ssh-add -l
2048 SHA256:naYvKCfcR+qJXL9A6YiohfaxpjjKEK4G4dW2rAcxLgg .ssh/ohio_key_for_home.pem (RSA)

* Another good link: https://www.ssh.com/ssh/agent

====Enable SSH Tunneling for Jump Servers====
----

To use an Ubuntu server as a jump server for SSH access to other hosts in a private network, you need to configure SSH to allow port forwarding. This setup enables users to SSH into the jump server and then use SSH to connect to other hosts within the private network.
Here’s a step-by-step guide to set this up:

1. Configure SSH to Allow TCP Forwarding
You need to edit the SSH configuration file to allow TCP forwarding. This is done by setting AllowTcpForwarding to yes. Open the SSH configuration file:
sudo vim /etc/ssh/sshd_config

Find the line that says AllowTcpForwarding and ensure it is set to yes. If the line is commented out (with a # at the beginning) or not present, you can add it or uncomment it:
AllowTcpForwarding yes

2. Restart the SSH Service
After making changes to the SSH configuration, restart the SSH service to apply the changes:
sudo systemctl restart sshd

3. Using SSH with Port Forwarding
Users can now SSH into the jump server and use local port forwarding to access hosts in the private network.

Example: Local Port Forwarding
Suppose you want to access a private host at 192.168.1.100 on port 22 through the jump server.
You can set up local port forwarding like this:
ssh -L 2222:192.168.1.100:22 user@jump_server

This command forwards connections from your local machine’s port 2222 to port 22 on 192.168.1.100 via the jump server.

After running this command, you can SSH into the private host by connecting to localhost on port 2222:
ssh -p 2222 dst_user@localhost

What Does AllowTcpForwarding Do?
AllowTcpForwarding</b is an SSH configuration directive that controls whether TCP port forwarding is permitted. When set to yes, it allows users to forward TCP ports, which is essential for scenarios like the one described above where you need to access private network hosts through a jump server.

Additional Security Considerations
* Restrict Access: Ensure that only authorized users can SSH into the jump server. This can be done using AllowUsers or AllowGroups directives in the SSH configuration file.
* Firewall Rules: Configure firewall rules to allow SSH access to the jump server and restrict access to the private network as needed.
* Key-Based Authentication: Encourage or enforce the use of key-based authentication for SSH to enhance security.

By following these steps, you can effectively use an Ubuntu server as a jump server to access hosts within a private network via SSH.

Ubuntu

2025-08-04T19:14:57Z

Ardika Sulistija:

==== How to upgrade Ubuntu linux kernel ====
----
Update/upgrade kernel:
$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get dist-upgrade
$ sudo reboot

If the reboot doesn't work and it is still booting to the old kernel, then follow steps 3+ in section "How to Change the Default Ubuntu Kernel on AWS" on this page.

==== How to perform a major release upgrade ====
----

Ubuntu 14.04 LTS ------> Ubuntu 16.04 LTS ------> Ubuntu 18.04 LTS 

I tried replicating the above scenario in my test environment. For this, I launched an instance using the public AMI ami-47a23a30 and then performed the below steps for upgrading the instance from Ubuntu 14.04 to 16.04:

1. Update all current packages to their latest version.
$ sudo apt-get update && sudo apt-get upgrade

2. Now You will need to run the distribution upgrade.
$ sudo apt-get dist-upgrade

3. Create a Firewall Rule. As upgrade process started on port 1022. You will need to allow connections to this port on your instance security group[4].

4. Now to perform the upgrade to the ubuntu 16 version, you can run:
$ sudo do-release-upgrade

5. If the above command is giving you issues or cannot be found, then run the below command, once done, run Step 4 again:
$ sudo apt-get install update-manager-core

6. Once the instillation is completed and you SSH back into your instance, the following command can confirm what Ubuntu version you currently have installed.
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.7 LTS
Release: 16.04
Codename: xenial

To upgrade the instance OS from Ubuntu 16 to 18 you can follow the above steps again.
I've also attached links to help you upgrade from:

Ubuntu 14 ---> 16[5].
Ubuntu 16 ---> 18[6].
Ubuntu 18 ---> 20[7].

[5] https://www.digitalocean.com/community/tutorials/how-to-upgrade-to-ubuntu-16-04-lts

[6] https://www.cloudbooklet.com/how-to-upgrade-to-ubuntu-18-04-bionic-beaver/

[7] https://www.cloudbooklet.com/how-to-upgrade-to-ubuntu-20-04-lts/

====How to use apt-get on old Ubuntu (EOL)versions such as 12.04====
----

Because Ubuntu 12.04 has reached EOL, the aws repos no longer work.

In order for repos to work, you must edit the /etc/apt/sources.list file and replace all repos to 'old-releases' like so:
ubuntu@ip-172-31-85-14:~$ cat /etc/apt/sources.list
## Note, this file is written by cloud-init on first boot of an instance
## modifications made here will not survive a re-bundle.
## if you wish to make changes you can:
## a.) add 'apt_preserve_sources_list: true' to /etc/cloud/cloud.cfg
## or do the same in user-data
## b.) add sources in /etc/apt/sources.list.d
## c.) make changes to template file /etc/cloud/templates/sources.list.tmpl
#

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://old-releases.ubuntu.com/ubuntu/ precise main restricted
deb-src http://old-releases.ubuntu.com/ubuntu/ precise main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://old-releases.ubuntu.com/ubuntu/ precise-updates main restricted
deb-src http://old-releases.ubuntu.com/ubuntu/ precise-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://old-releases.ubuntu.com/ubuntu/ precise universe
deb-src http://old-releases.ubuntu.com/ubuntu/ precise universe
deb http://old-releases.ubuntu.com/ubuntu/ precise-updates universe
deb-src http://old-releases.ubuntu.com/ubuntu/ precise-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://old-releases.ubuntu.com/ubuntu/ precise multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ precise multiverse
deb http://old-releases.ubuntu.com/ubuntu/ precise-updates multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ precise-updates multiverse

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://old-releases.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu precise partner
# deb-src http://archive.canonical.com/ubuntu precise partner

deb http://old-releases.ubuntu.com/ubuntu precise-security main
deb-src http://old-releases.ubuntu.com/ubuntu precise-security main
deb http://old-releases.ubuntu.com/ubuntu precise-security universe
deb-src http://old-releases.ubuntu.com/ubuntu precise-security universe
# deb http://old-releases.ubuntu.com/ubuntu precise-security multiverse
# deb-src http://old-releases.ubuntu.com/ubuntu precise-security multiverse

=====How to Change the Default Ubuntu Kernel on AWS=====

https://meetrix.io/blog/aws/changing-default-ubuntu-kernel.html

Another similar method, which also works: https://discourse.ubuntu.com/t/how-to-downgrade-the-kernel-on-ubuntu-20-04-to-the-5-4-lts-version/26459

1)Launch instance in us-east-1 using AMI ami-000b3a073fc20e415 (Ubuntu 14.04)

2) Updated and installed old kernel (3.13.0-55-generic) and gcc:
$ sudo apt-get update
$ sudo apt-get install gcc
$ sudo apt-get install linux-headers-3.13.0-55-generic*
$ sudo apt-get install linux-image-3.13.0-55-generic*
$ sudo apt install -y module-init-tools

3) Then moved all the files I just downloaded to a new directory:
$ sudo mkdir /tmpdir
$ cd /var/cache/apt/archives
$ sudo mv linux-image-3.13.0-55-generic_3.13.0-55.94_amd64.deb /tmpdir/
$ sudo mv linux-headers-3.13.0-55-generic_3.13.0-55.94_amd64.deb /tmpdir/
$ sudo mv linux-headers-3.13.0-55_3.13.0-55.94_all.deb /tmpdir/
$ cd /tmpdir/
$ sudo dpkg -i *.deb

4) Update grub to boot to the old kernel:
$ sudo cp /etc/default/grub /etc/default/grub.bak
$ grep -A100 submenu /boot/grub/grub.cfg |grep menuentry
submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-93875578-5ca8-431a-af18-c049eac03817' {
menuentry 'Ubuntu, with Linux 3.13.0-170-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.13.0-170-generic-advanced-93875578-5ca8-431a-af18-c049eac03817' {
menuentry 'Ubuntu, with Linux 3.13.0-170-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.13.0-170-generic-recovery-93875578-5ca8-431a-af18-c049eac03817' {
menuentry 'Ubuntu, with Linux 3.13.0-55-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.13.0-55-generic-advanced-93875578-5ca8-431a-af18-c049eac03817' {
menuentry 'Ubuntu, with Linux 3.13.0-55-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.13.0-55-generic-recovery-93875578-5ca8-431a-af18-c049eac03817' {

5) Edit Grub and replace GRUB_DEFAULT to boot to 3.13.0-55-generic:
$ sudo vi /etc/default/grub
GRUB_DEFAULT="gnulinux-advanced-93875578-5ca8-431a-af18-c049eac03817>gnulinux-3.13.0-55-generic-advanced-93875578-5ca8-431a-af18-c049eac03817"

$ sudo update-grub

6) Boot into kernel: 3.13.0-55-generic
$ sudo reboot

$ uname -r
3.13.0-55-generic

==== EQUIVALENT TO LSINITRD IN UBUNTU====
----

* lsinitramfs
$ lsinitramfs /boot/initrd.img-3.13.0-55-generic | egrep -i 'xen|ena|nvme'
lib/modules/3.13.0-55-generic/kernel/drivers/net/xen-netback
lib/modules/3.13.0-55-generic/kernel/drivers/net/xen-netback/xen-netback.ko

====How can I make my secondary network interface work in my Ubuntu instance?====
----

[https://aws.amazon.com/premiumsupport/knowledge-center/ec2-ubuntu-secondary-network-interface/ How can I make my secondary network interface work in my Ubuntu instance?]

=====How can you make TWO network interfaces ON THE SAME SUBNET work in my Ubuntu 18.04/20.04 instance =====

To avoid asymmetric routing issues, use a single elastic network interface, or place duplicate elastic network interfaces into non-overlapping subnets.

As you know, having two interfaces on the same subnet will cause asymmetric routing issues. Adding a secondary network interface to a non-Amazon Linux EC2 instance causes traffic flow issues. These issues occur because the primary and secondary network interfaces are in the same subnet, and there is one routing table with one gateway. Traffic that comes into the secondary network interface leaves the instance using the primary network interface. But this isn't allowed, because the secondary IP address doesn't belong to the MAC address of the primary network interface.

So what if you NEED to have two interfaces of the same subnet attached to an Ubuntu instance? Here is how you can make it work. You will need to create two network config files for both interfaces, use different routing tables for each, but direct the traffic to the same default gateway (since they are in the same subnet). In this example, I am using Ubuntu 20.04 and have the following interfaces attached:
* Primary interface IP: 172.31.24.153
* Secondary interface IP: 172.31.28.195
* Default Gateway: 172.31.16.1

1) Rename the original network interface configuration file (/etc/netplan/50-cloud-init.yaml) to back it up, as it won't be used:
$ sudo mv /etc/netplan/50-cloud-init.yaml /etc/netplan/50-cloud-init.yaml.backup

2) Create a new network interface configuration file for the primary interface and add the following lines:
* Be sure to change eth0 to ens5 if on nitro.
$ sudo vi /etc/netplan/51-eth0.yaml

network:
version: 2
renderer: networkd
ethernets:
eth0:
addresses:
- 172.31.24.153/20
dhcp4: no
routes:
- to: 0.0.0.0/0
via: 172.31.16.1 # Default gateway
table: 1000
- to: 172.31.24.153
via: 0.0.0.0
scope: link
table: 1000
routing-policy:
- from: 172.31.24.153
table: 1000

3) Then create another network interface configuration file for the secondary interface with the following lines:
* Be sure to change eth1 to ens6 if on nitro.
$ sudo vi /etc/netplan/51-eth1.yaml

network:
version: 2
renderer: networkd
ethernets:
eth1:
addresses:
- 172.31.28.195/20
dhcp4: no
routes:
- to: 0.0.0.0/0
via: 172.31.16.1 # Default gateway
table: 1001
- to: 172.31.28.195
via: 0.0.0.0
scope: link
table: 1001
routing-policy:
- from: 172.31.28.195
table: 1001

4) Lastly, apply the new network configurations:
$ netplan --debug apply

====Migrating Ubuntu from Azure to AWS (using CE/MGN/DRS) ====
----

[+] Useful links: 
https://ubuntu.com/aws
https://ubuntu.com/blog/ubuntu-on-aws-gets-serious-performance-boost-with-aws-tuned-kernel
https://packages.ubuntu.com/search?keywords=linux-aws
https://launchpad.net/ubuntu/+source/linux-aws

In order to run Ubuntu from Azure in AWS, the Azure kernel needs to be replaced with the 'generic' AWS turned Ubuntu kernel (linux-aws) either on the source or target (preferably the target). This is because the azure kernel is not compatible with AWS hardware. The '-aws' kernels would have the required (xen) drivers needed to run on AWS.

Other requirements include disabling of any of the following services, if they are enabled:
/etc/systemd/system/multi-user.target.wants/
hv-fcopy-daemon.service
hv-vss-daemon.service
hv-kvp-daemon.service
ephemeral-disk-warning.service
walinuxagent.service

=====How to install linux-aws on the source=====

* NOTE:: The 'linux-aws' kernel will cause your source machine to fail to boot if you attempt to reboot the source machine after configuring Grub to use the 'linux-aws' kernel. It is important that you are aware of this as this kernel will not be compatible with the Azure underlying hardware. Please do ensure that you create a backup of your source machine if it is a production server. Additionally, please revert any changes made from the steps below if you are looking to reboot the source machine. With that being said, if you are uncomfortable with making such changes on your source machine, then I highly recommend making these changes on the target machine in AWS (using the rescue instance method).

METHOD 1:

1) Install 'linux-aws' kernel:
$ sudo apt-get install -y linux-aws

2) Verify the AWS drivers (XEN, ENA, NVME) are included:
$ sudo lsinitramfs /boot/initrd.img-5.4.0-1054-aws|grep -i xen
$ sudo lsinitramfs /boot/initrd.img-5.4.0-1054-aws|grep -i ena
$ sudo lsinitramfs /boot/initrd.img-5.4.0-1054-aws|grep -i nvme1n1p1

3) Recreate the grub:
$ sudo update-grub -o /boot/grub/grub.cfg

4) Verify that grub has valid entries for amazon linux kernel:
$ sudo grep -i aws /boot/grub/grub.cfg

5) Wait 10 minutes, and then relaunch the target machine from the CloudEndure console.

METHOD 2:
* The steps in this section can be found in the third-party document: https://meetrix.io/blog/aws/changing-default-ubuntu-kernel.html
1) On the source machine, install 'linux-aws' kernel:
$ sudo apt-get install -y linux-aws

2) Verify the AWS drivers (XEN, ENA, NVME) are included:
$ sudo lsinitramfs /boot/initrd.img-5.4.0-1054-aws|grep -i xen
$ sudo lsinitramfs /boot/initrd.img-5.4.0-1054-aws|grep -i ena
$ sudo lsinitramfs /boot/initrd.img-5.4.0-1054-aws|grep -i nvme

or just:
$ sudo lsinitramfs /boot/initrd.img-5.4.0-1099-aws | grep -iE 'xen|ena|nvme'

3) Create backup of grub:
$ sudo cp /etc/default/grub /etc/default/grub.bak

4) Show available kernel options:
$ grep -A100 submenu /boot/grub/grub.cfg |grep menuentry

Example output:
submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c9' {
menuentry 'Ubuntu, with Linux 5.4.0-1055-azure' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-1055-azure-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c9' {
menuentry 'Ubuntu, with Linux 5.4.0-1055-azure (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-1055-azure-recovery-c9ab74d2-63c9-4dba-993b-b89e598200c9' {
menuentry 'Ubuntu, with Linux 5.4.0-1054-aws' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-1054-aws-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c9' {
menuentry 'Ubuntu, with Linux 5.4.0-1054-aws (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-1054-aws-recovery-c9ab74d2-63c9-4dba-993b-b89e598200c9' {
menuentry 'Ubuntu, with Linux 5.4.0-1049-azure' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-1049-azure-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c9' {
menuentry 'Ubuntu, with Linux 5.4.0-1049-azure (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-1049-azure-recovery-c9ab74d2-63c9-4dba-993b-b89e598200c9' {

5) Identify the default menu entry by finding:

From the example output above, the menu entry for 'Advanced options for Ubuntu' is gnulinux-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c9.

The menu entry for 'Ubuntu, with Linux 5.4.0-1054-aws' is gnulinux-5.4.0-1054-aws-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c9.

Then concat the above strings with > in between "" like so:
"gnulinux-advanced-db937f23-4ed7-4c4b-8058-b23a860fae08>gnulinux-5.4.0-1054-aws-advanced-db937f23-4ed7-4c4b-8058-b23a860fae08"

6) Edit grub:
$ sudo vi /etc/default/grub

Replace GRUB_DEFAULT with value (With quotes) from step 5:
GRUB_DEFAULT="gnulinux-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c>gnulinux-5.4.0-1054-aws-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c9"

7) Update grub:
$ sudo update-grub

8) Then wait 10 minutes, and then re-launch target machine.

=====How to install linux-aws on the target=====

1) Detach the root volume (/dev/sda1) from the instance "i-0ef31abeed9534962" and then re-attach it to the "rescue" temporary instance as a secondary volume (/dev/sdf).

2) Run 'lsblk' to identify block device name of the root volume. Expect it to be something like /dev/xvdf1:
$ lsblk

3) Mount the volume to /mnt directory:
$ sudo mount /dev/xvdf1 /mnt

4) Set up the environment to install 'linux-aws':

Delete the following files;
$ sudo rm -rf /mntrec/etc/netplan/51-netcfg.yaml
$ sudo rm -rf /var/lib/cloud/*

Mount the necessary root file for the chroot to work normally:
$ sudo for i in dev proc sys run; do mount -o bind /$i /mnt/$i; done
$ sudo chroot /mnt

4) Install the 'linu-aws' kernel:
$ sudo apt install linux-aws

5) Reconfigure the grub file to boot from the 'linux-aws' kernel:
$ cd /boot/grub

# Create backup of the grub.cfg file:
$ cp grub.cfg grub.cfg_bac

Edit this file to have the entry only for linux-aws kernel and not for the azure kernel and the save and exit the file.
$ vi grub.cfg

Then exit chroot:
$ exit

6) Unmount the /mnt mountpoint:
$ sudo umount /mnt

7) Detach the volume from the temporary rescue instance and re-attach it back to "i-0ef31abeed9534962" as the root volume (/dev/sda1). The instance should boot successfully now.

=====Aws Replication Agent fails to install on Ubuntu18 in Azure=====

If installation fails with:
Cannot insert aws-replication-driver
Installation returned with code 2
Installation failed due to unspecified error:
Traceback (most recent call last):
File "shared/installer_linux/install_agent.py", line 1273, in main
SystemExit: 2

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "cirrus/installer_shared/installer_main.py", line 1033, in _main
File "cirrus/installer_shared/installer_main.py", line 905, in main
File "cirrus/installer_shared/installer_main.py", line 781, in install
File "cirrus/installer_shared/installer_main.py", line 365, in run_agent_installer
shared.installer_utils.cloud_utils.Error: Failed Installing the AWS Replication Agent [agent_version: 4.7.0, installation_id: , mac_addresses:, _origin_client_type: installer]

Most likely secure boot is enabled, which is a setting on the Azure console under "Security Type".

====Setting Homepage for Firefox via Command line====
----

1. Create the directory /etc/firefox/policies:
$ sudo mkdir /etc/firefox/policies
$ sudo chmod 755 /etc/firefox/polcies

2. Create the policies.json file:
$ sudo vi /etc/firefox/policies/policies.json

3. Enter the following configuration:
{
"policies": {
"Homepage": {
"URL": "https://dikapedia.com/",
"Locked": true,
"StartPage": "homepage-locked"
},
"Preferences": {
"browser.policies.loglevel": {
"Value": "debug",
"Status": "locked"
},
"browser.tabs.warnOnClose": {
"Value": false,
"Status": "default"
}
}
}
}
4. Modify the permissions of the policies.json file:
$ sudo chmod 644 /etc/firefox/policies/policies.json
5. Should be good to go.

====How to Remove Old Kernels on Ubuntu====
----

Sometimes, when you have a lot of kernel images under /boot, it can take up a lot of space. There are ways to clean up the /boot directory by removing old kernels. See this third-party document: https://linuxconfig.org/how-to-remove-old-kernels-on-ubuntu

====How to Set up an Ubuntu System as a Jump Server====
----

To use an Ubuntu server as a jump server for SSH access to other hosts in a private network, you need to configure SSH to allow port forwarding. This setup enables users to SSH into the jump server and then use SSH to connect to other hosts within the private network.
Here’s a step-by-step guide to set this up:

1. Configure SSH to Allow TCP Forwarding
You need to edit the SSH configuration file to allow TCP forwarding. This is done by setting AllowTcpForwarding to yes. Open the SSH configuration file:
sudo vim /etc/ssh/sshd_config

Find the line that says AllowTcpForwarding and ensure it is set to yes. If the line is commented out (with a # at the beginning) or not present, you can add it or uncomment it:
AllowTcpForwarding yes

2. Restart the SSH Service
After making changes to the SSH configuration, restart the SSH service to apply the changes:
sudo systemctl restart sshd

3. Using SSH with Port Forwarding
Users can now SSH into the jump server and use local port forwarding to access hosts in the private network.

Example: Local Port Forwarding
Suppose you want to access a private host at 192.168.1.100 on port 22 through the jump server.
You can set up local port forwarding like this:
ssh -L 2222:192.168.1.100:22 user@jump_server

This command forwards connections from your local machine’s port 2222 to port 22 on 192.168.1.100 via the jump server.

After running this command, you can SSH into the private host by connecting to localhost on port 2222:
ssh -p 2222 dst_user@localhost

What Does AllowTcpForwarding Do?
AllowTcpForwarding</b is an SSH configuration directive that controls whether TCP port forwarding is permitted. When set to yes, it allows users to forward TCP ports, which is essential for scenarios like the one described above where you need to access private network hosts through a jump server.

Additional Security Considerations
* Restrict Access: Ensure that only authorized users can SSH into the jump server. This can be done using AllowUsers or AllowGroups directives in the SSH configuration file.
* Firewall Rules: Configure firewall rules to allow SSH access to the jump server and restrict access to the private network as needed.
* Key-Based Authentication: Encourage or enforce the use of key-based authentication for SSH to enhance security.

By following these steps, you can effectively use an Ubuntu server as a jump server to access hosts within a private network via SSH.

====NetPlan YAML Configuration Parameters====
----

https://netplan.readthedocs.io/en/latest/netplan-yaml/

====Canonical Multipass====
----
https://multipass.run/docs/how-to-guides

Ubuntu

2025-08-04T19:14:33Z

Ardika Sulistija:

==== How to upgrade Ubuntu linux kernel ====
----
Update/upgrade kernel:
$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get dist-upgrade
$ sudo reboot

If the reboot doesn't work and it is still booting to the old kernel, then follow steps 3+ in section "How to Change the Default Ubuntu Kernel on AWS" on this page.

==== How to perform a major release upgrade ====
----

Ubuntu 14.04 LTS ------> Ubuntu 16.04 LTS ------> Ubuntu 18.04 LTS 

I tried replicating the above scenario in my test environment. For this, I launched an instance using the public AMI ami-47a23a30 and then performed the below steps for upgrading the instance from Ubuntu 14.04 to 16.04:

1. Update all current packages to their latest version.
$ sudo apt-get update && sudo apt-get upgrade

2. Now You will need to run the distribution upgrade.
$ sudo apt-get dist-upgrade

3. Create a Firewall Rule. As upgrade process started on port 1022. You will need to allow connections to this port on your instance security group[4].

4. Now to perform the upgrade to the ubuntu 16 version, you can run:
$ sudo do-release-upgrade

5. If the above command is giving you issues or cannot be found, then run the below command, once done, run Step 4 again:
$ sudo apt-get install update-manager-core

6. Once the instillation is completed and you SSH back into your instance, the following command can confirm what Ubuntu version you currently have installed.
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.7 LTS
Release: 16.04
Codename: xenial

To upgrade the instance OS from Ubuntu 16 to 18 you can follow the above steps again.
I've also attached links to help you upgrade from:

Ubuntu 14 ---> 16[5].
Ubuntu 16 ---> 18[6].
Ubuntu 18 ---> 20[7].

[5] https://www.digitalocean.com/community/tutorials/how-to-upgrade-to-ubuntu-16-04-lts

[6] https://www.cloudbooklet.com/how-to-upgrade-to-ubuntu-18-04-bionic-beaver/

[7] https://www.cloudbooklet.com/how-to-upgrade-to-ubuntu-20-04-lts/

====How to use apt-get on old Ubuntu (EOL)versions such as 12.04====
----

Because Ubuntu 12.04 has reached EOL, the aws repos no longer work.

In order for repos to work, you must edit the /etc/apt/sources.list file and replace all repos to 'old-releases' like so:
ubuntu@ip-172-31-85-14:~$ cat /etc/apt/sources.list
## Note, this file is written by cloud-init on first boot of an instance
## modifications made here will not survive a re-bundle.
## if you wish to make changes you can:
## a.) add 'apt_preserve_sources_list: true' to /etc/cloud/cloud.cfg
## or do the same in user-data
## b.) add sources in /etc/apt/sources.list.d
## c.) make changes to template file /etc/cloud/templates/sources.list.tmpl
#

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://old-releases.ubuntu.com/ubuntu/ precise main restricted
deb-src http://old-releases.ubuntu.com/ubuntu/ precise main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://old-releases.ubuntu.com/ubuntu/ precise-updates main restricted
deb-src http://old-releases.ubuntu.com/ubuntu/ precise-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://old-releases.ubuntu.com/ubuntu/ precise universe
deb-src http://old-releases.ubuntu.com/ubuntu/ precise universe
deb http://old-releases.ubuntu.com/ubuntu/ precise-updates universe
deb-src http://old-releases.ubuntu.com/ubuntu/ precise-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://old-releases.ubuntu.com/ubuntu/ precise multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ precise multiverse
deb http://old-releases.ubuntu.com/ubuntu/ precise-updates multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ precise-updates multiverse

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://old-releases.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu precise partner
# deb-src http://archive.canonical.com/ubuntu precise partner

deb http://old-releases.ubuntu.com/ubuntu precise-security main
deb-src http://old-releases.ubuntu.com/ubuntu precise-security main
deb http://old-releases.ubuntu.com/ubuntu precise-security universe
deb-src http://old-releases.ubuntu.com/ubuntu precise-security universe
# deb http://old-releases.ubuntu.com/ubuntu precise-security multiverse
# deb-src http://old-releases.ubuntu.com/ubuntu precise-security multiverse

=====How to Change the Default Ubuntu Kernel on AWS=====

https://meetrix.io/blog/aws/changing-default-ubuntu-kernel.html

Another similar method, which also works: https://discourse.ubuntu.com/t/how-to-downgrade-the-kernel-on-ubuntu-20-04-to-the-5-4-lts-version/26459

1)Launch instance in us-east-1 using AMI ami-000b3a073fc20e415 (Ubuntu 14.04)

2) Updated and installed old kernel (3.13.0-55-generic) and gcc:
$ sudo apt-get update
$ sudo apt-get install gcc
$ sudo apt-get install linux-headers-3.13.0-55-generic*
$ sudo apt-get install linux-image-3.13.0-55-generic*
$ sudo apt install -y module-init-tools

3) Then moved all the files I just downloaded to a new directory:
$ sudo mkdir /tmpdir
$ cd /var/cache/apt/archives
$ sudo mv linux-image-3.13.0-55-generic_3.13.0-55.94_amd64.deb /tmpdir/
$ sudo mv linux-headers-3.13.0-55-generic_3.13.0-55.94_amd64.deb /tmpdir/
$ sudo mv linux-headers-3.13.0-55_3.13.0-55.94_all.deb /tmpdir/
$ cd /tmpdir/
$ sudo dpkg -i *.deb

4) Update grub to boot to the old kernel:
$ sudo cp /etc/default/grub /etc/default/grub.bak
$ grep -A100 submenu /boot/grub/grub.cfg |grep menuentry
submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-93875578-5ca8-431a-af18-c049eac03817' {
menuentry 'Ubuntu, with Linux 3.13.0-170-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.13.0-170-generic-advanced-93875578-5ca8-431a-af18-c049eac03817' {
menuentry 'Ubuntu, with Linux 3.13.0-170-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.13.0-170-generic-recovery-93875578-5ca8-431a-af18-c049eac03817' {
menuentry 'Ubuntu, with Linux 3.13.0-55-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.13.0-55-generic-advanced-93875578-5ca8-431a-af18-c049eac03817' {
menuentry 'Ubuntu, with Linux 3.13.0-55-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.13.0-55-generic-recovery-93875578-5ca8-431a-af18-c049eac03817' {

5) Edit Grub and replace GRUB_DEFAULT to boot to 3.13.0-55-generic:
$ sudo vi /etc/default/grub
GRUB_DEFAULT="gnulinux-advanced-93875578-5ca8-431a-af18-c049eac03817>gnulinux-3.13.0-55-generic-advanced-93875578-5ca8-431a-af18-c049eac03817"

$ sudo update-grub

6) Boot into kernel: 3.13.0-55-generic
$ sudo reboot

$ uname -r
3.13.0-55-generic

==== EQUIVALENT TO LSINITRD IN UBUNTU====
----

* lsinitramfs
$ lsinitramfs /boot/initrd.img-3.13.0-55-generic | egrep -i 'xen|ena|nvme'
lib/modules/3.13.0-55-generic/kernel/drivers/net/xen-netback
lib/modules/3.13.0-55-generic/kernel/drivers/net/xen-netback/xen-netback.ko

====How can I make my secondary network interface work in my Ubuntu instance?====
----

[https://aws.amazon.com/premiumsupport/knowledge-center/ec2-ubuntu-secondary-network-interface/ How can I make my secondary network interface work in my Ubuntu instance?]

=====How can you make TWO network interfaces ON THE SAME SUBNET work in my Ubuntu 18.04/20.04 instance =====

To avoid asymmetric routing issues, use a single elastic network interface, or place duplicate elastic network interfaces into non-overlapping subnets.

As you know, having two interfaces on the same subnet will cause asymmetric routing issues. Adding a secondary network interface to a non-Amazon Linux EC2 instance causes traffic flow issues. These issues occur because the primary and secondary network interfaces are in the same subnet, and there is one routing table with one gateway. Traffic that comes into the secondary network interface leaves the instance using the primary network interface. But this isn't allowed, because the secondary IP address doesn't belong to the MAC address of the primary network interface.

So what if you NEED to have two interfaces of the same subnet attached to an Ubuntu instance? Here is how you can make it work. You will need to create two network config files for both interfaces, use different routing tables for each, but direct the traffic to the same default gateway (since they are in the same subnet). In this example, I am using Ubuntu 20.04 and have the following interfaces attached:
* Primary interface IP: 172.31.24.153
* Secondary interface IP: 172.31.28.195
* Default Gateway: 172.31.16.1

1) Rename the original network interface configuration file (/etc/netplan/50-cloud-init.yaml) to back it up, as it won't be used:
$ sudo mv /etc/netplan/50-cloud-init.yaml /etc/netplan/50-cloud-init.yaml.backup

2) Create a new network interface configuration file for the primary interface and add the following lines:
* Be sure to change eth0 to ens5 if on nitro.
$ sudo vi /etc/netplan/51-eth0.yaml

network:
version: 2
renderer: networkd
ethernets:
eth0:
addresses:
- 172.31.24.153/20
dhcp4: no
routes:
- to: 0.0.0.0/0
via: 172.31.16.1 # Default gateway
table: 1000
- to: 172.31.24.153
via: 0.0.0.0
scope: link
table: 1000
routing-policy:
- from: 172.31.24.153
table: 1000

3) Then create another network interface configuration file for the secondary interface with the following lines:
* Be sure to change eth1 to ens6 if on nitro.
$ sudo vi /etc/netplan/51-eth1.yaml

network:
version: 2
renderer: networkd
ethernets:
eth1:
addresses:
- 172.31.28.195/20
dhcp4: no
routes:
- to: 0.0.0.0/0
via: 172.31.16.1 # Default gateway
table: 1001
- to: 172.31.28.195
via: 0.0.0.0
scope: link
table: 1001
routing-policy:
- from: 172.31.28.195
table: 1001

4) Lastly, apply the new network configurations:
$ netplan --debug apply

====Migrating Ubuntu from Azure to AWS (using CE/MGN/DRS) ====
----

[+] Useful links: 
https://ubuntu.com/aws
https://ubuntu.com/blog/ubuntu-on-aws-gets-serious-performance-boost-with-aws-tuned-kernel
https://packages.ubuntu.com/search?keywords=linux-aws
https://launchpad.net/ubuntu/+source/linux-aws

In order to run Ubuntu from Azure in AWS, the Azure kernel needs to be replaced with the 'generic' AWS turned Ubuntu kernel (linux-aws) either on the source or target (preferably the target). This is because the azure kernel is not compatible with AWS hardware. The '-aws' kernels would have the required (xen) drivers needed to run on AWS.

Other requirements include disabling of any of the following services, if they are enabled:
/etc/systemd/system/multi-user.target.wants/
hv-fcopy-daemon.service
hv-vss-daemon.service
hv-kvp-daemon.service
ephemeral-disk-warning.service
walinuxagent.service

=====How to install linux-aws on the source=====

* NOTE:: The 'linux-aws' kernel will cause your source machine to fail to boot if you attempt to reboot the source machine after configuring Grub to use the 'linux-aws' kernel. It is important that you are aware of this as this kernel will not be compatible with the Azure underlying hardware. Please do ensure that you create a backup of your source machine if it is a production server. Additionally, please revert any changes made from the steps below if you are looking to reboot the source machine. With that being said, if you are uncomfortable with making such changes on your source machine, then I highly recommend making these changes on the target machine in AWS (using the rescue instance method).

METHOD 1:

1) Install 'linux-aws' kernel:
$ sudo apt-get install -y linux-aws

2) Verify the AWS drivers (XEN, ENA, NVME) are included:
$ sudo lsinitramfs /boot/initrd.img-5.4.0-1054-aws|grep -i xen
$ sudo lsinitramfs /boot/initrd.img-5.4.0-1054-aws|grep -i ena
$ sudo lsinitramfs /boot/initrd.img-5.4.0-1054-aws|grep -i nvme1n1p1

3) Recreate the grub:
$ sudo update-grub -o /boot/grub/grub.cfg

4) Verify that grub has valid entries for amazon linux kernel:
$ sudo grep -i aws /boot/grub/grub.cfg

5) Wait 10 minutes, and then relaunch the target machine from the CloudEndure console.

METHOD 2:
* The steps in this section can be found in the third-party document: https://meetrix.io/blog/aws/changing-default-ubuntu-kernel.html
1) On the source machine, install 'linux-aws' kernel:
$ sudo apt-get install -y linux-aws

2) Verify the AWS drivers (XEN, ENA, NVME) are included:
$ sudo lsinitramfs /boot/initrd.img-5.4.0-1054-aws|grep -i xen
$ sudo lsinitramfs /boot/initrd.img-5.4.0-1054-aws|grep -i ena
$ sudo lsinitramfs /boot/initrd.img-5.4.0-1054-aws|grep -i nvme

or just:
$ sudo lsinitramfs /boot/initrd.img-5.4.0-1099-aws | grep -iE 'xen|ena|nvme'

3) Create backup of grub:
$ sudo cp /etc/default/grub /etc/default/grub.bak

4) Show available kernel options:
$ grep -A100 submenu /boot/grub/grub.cfg |grep menuentry

Example output:
submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c9' {
menuentry 'Ubuntu, with Linux 5.4.0-1055-azure' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-1055-azure-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c9' {
menuentry 'Ubuntu, with Linux 5.4.0-1055-azure (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-1055-azure-recovery-c9ab74d2-63c9-4dba-993b-b89e598200c9' {
menuentry 'Ubuntu, with Linux 5.4.0-1054-aws' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-1054-aws-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c9' {
menuentry 'Ubuntu, with Linux 5.4.0-1054-aws (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-1054-aws-recovery-c9ab74d2-63c9-4dba-993b-b89e598200c9' {
menuentry 'Ubuntu, with Linux 5.4.0-1049-azure' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-1049-azure-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c9' {
menuentry 'Ubuntu, with Linux 5.4.0-1049-azure (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-1049-azure-recovery-c9ab74d2-63c9-4dba-993b-b89e598200c9' {

5) Identify the default menu entry by finding:

From the example output above, the menu entry for 'Advanced options for Ubuntu' is gnulinux-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c9.

The menu entry for 'Ubuntu, with Linux 5.4.0-1054-aws' is gnulinux-5.4.0-1054-aws-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c9.

Then concat the above strings with > in between "" like so:
"gnulinux-advanced-db937f23-4ed7-4c4b-8058-b23a860fae08>gnulinux-5.4.0-1054-aws-advanced-db937f23-4ed7-4c4b-8058-b23a860fae08"

6) Edit grub:
$ sudo vi /etc/default/grub

Replace GRUB_DEFAULT with value (With quotes) from step 5:
GRUB_DEFAULT="gnulinux-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c>gnulinux-5.4.0-1054-aws-advanced-c9ab74d2-63c9-4dba-993b-b89e598200c9"

7) Update grub:
$ sudo update-grub

8) Then wait 10 minutes, and then re-launch target machine.

=====How to install linux-aws on the target=====

1) Detach the root volume (/dev/sda1) from the instance "i-0ef31abeed9534962" and then re-attach it to the "rescue" temporary instance as a secondary volume (/dev/sdf).

2) Run 'lsblk' to identify block device name of the root volume. Expect it to be something like /dev/xvdf1:
$ lsblk

3) Mount the volume to /mnt directory:
$ sudo mount /dev/xvdf1 /mnt

4) Set up the environment to install 'linux-aws':

Delete the following files;
$ sudo rm -rf /mntrec/etc/netplan/51-netcfg.yaml
$ sudo rm -rf /var/lib/cloud/*

Mount the necessary root file for the chroot to work normally:
$ sudo for i in dev proc sys run; do mount -o bind /$i /mnt/$i; done
$ sudo chroot /mnt

4) Install the 'linu-aws' kernel:
$ sudo apt install linux-aws

5) Reconfigure the grub file to boot from the 'linux-aws' kernel:
$ cd /boot/grub

# Create backup of the grub.cfg file:
$ cp grub.cfg grub.cfg_bac

Edit this file to have the entry only for linux-aws kernel and not for the azure kernel and the save and exit the file.
$ vi grub.cfg

Then exit chroot:
$ exit

6) Unmount the /mnt mountpoint:
$ sudo umount /mnt

7) Detach the volume from the temporary rescue instance and re-attach it back to "i-0ef31abeed9534962" as the root volume (/dev/sda1). The instance should boot successfully now.

=====Aws Replication Agent fails to install on Ubuntu18 in Azure=====

If installation fails with:
Cannot insert aws-replication-driver
Installation returned with code 2
Installation failed due to unspecified error:
Traceback (most recent call last):
File "shared/installer_linux/install_agent.py", line 1273, in main
SystemExit: 2

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "cirrus/installer_shared/installer_main.py", line 1033, in _main
File "cirrus/installer_shared/installer_main.py", line 905, in main
File "cirrus/installer_shared/installer_main.py", line 781, in install
File "cirrus/installer_shared/installer_main.py", line 365, in run_agent_installer
shared.installer_utils.cloud_utils.Error: Failed Installing the AWS Replication Agent [agent_version: 4.7.0, installation_id: , mac_addresses:, _origin_client_type: installer]

Most likely secure boot is enabled, which is a setting on the Azure console under "Security Type".

====Setting Homepage for Firefox via Command line====
----

1. Create the directory /etc/firefox/policies:
$ sudo mkdir /etc/firefox/policies
$ sudo chmod 755 /etc/firefox/polcies

2. Create the policies.json file:
$ sudo vi /etc/firefox/policies/policies.json

3. Enter the following configuration:
{
"policies": {
"Homepage": {
"URL": "https://dikapedia.com/",
"Locked": true,
"StartPage": "homepage-locked"
},
"Preferences": {
"browser.policies.loglevel": {
"Value": "debug",
"Status": "locked"
},
"browser.tabs.warnOnClose": {
"Value": false,
"Status": "default"
}
}
}
}
4. Modify the permissions of the policies.json file:
$ sudo chmod 644 /etc/firefox/policies/policies.json
5. Should be good to go.

====How to Remove Old Kernels on Ubuntu====
----

Sometimes, when you have a lot of kernel images under /boot, it can take up a lot of space. There are ways to clean up the /boot directory by removing old kernels. See this third-party document: https://linuxconfig.org/how-to-remove-old-kernels-on-ubuntu

====How to Set up an Ubuntu System as a Jump Server====
----

To use an Ubuntu server as a jump server for SSH access to other hosts in a private network, you need to configure SSH to allow port forwarding. This setup enables users to SSH into the jump server and then use SSH to connect to other hosts within the private network.
Here’s a step-by-step guide to set this up:

1. Configure SSH to Allow TCP Forwarding
You need to edit the SSH configuration file to allow TCP forwarding. This is done by setting AllowTcpForwarding to yes. Open the SSH configuration file:
sudo vim /etc/ssh/sshd_config

Find the line that says AllowTcpForwarding and ensure it is set to yes. If the line is commented out (with a # at the beginning) or not present, you can add it or uncomment it:
AllowTcpForwarding yes

2. Restart the SSH Service
After making changes to the SSH configuration, restart the SSH service to apply the changes:
sudo systemctl restart sshd

3. Using SSH with Port Forwarding
Users can now SSH into the jump server and use local port forwarding to access hosts in the private network.

Example: Local Port Forwarding
Suppose you want to access a private host at 192.168.1.100 on port 22 through the jump server.
You can set up local port forwarding like this:
ssh -L 2222:192.168.1.100:22 user_cn@jump_server

This command forwards connections from your local machine’s port 2222 to port 22 on 192.168.1.100 via the jump server.

After running this command, you can SSH into the private host by connecting to localhost on port 2222:
ssh -p 2222 dst_user@localhost

What Does AllowTcpForwarding Do?
AllowTcpForwarding</b is an SSH configuration directive that controls whether TCP port forwarding is permitted. When set to yes, it allows users to forward TCP ports, which is essential for scenarios like the one described above where you need to access private network hosts through a jump server.

Additional Security Considerations
* Restrict Access: Ensure that only authorized users can SSH into the jump server. This can be done using AllowUsers or AllowGroups directives in the SSH configuration file.
* Firewall Rules: Configure firewall rules to allow SSH access to the jump server and restrict access to the private network as needed.
* Key-Based Authentication: Encourage or enforce the use of key-based authentication for SSH to enhance security.

By following these steps, you can effectively use an Ubuntu server as a jump server to access hosts within a private network via SSH.

====NetPlan YAML Configuration Parameters====
----

https://netplan.readthedocs.io/en/latest/netplan-yaml/

====Canonical Multipass====
----
https://multipass.run/docs/how-to-guides

Bluetoothctl

2025-07-30T17:37:49Z

Ardika Sulistija:

Bluetoothctl is a command-line tool used to interact with the Bluetooth subsystem on Linux systems. It provides a text-based interface for managing Bluetooth devices, including discovering, pairing, connecting, and configuring Bluetooth devices.

Key Features of Bluetoothctl:
* Device Discovery: Scan for nearby Bluetooth devices.
* Pairing: Pair with Bluetooth devices.
* Connecting: Establish a connection with paired devices.
* Trusting: Mark devices as trusted to allow automatic connections in the future.
* Agent Management: Manage Bluetooth agents, which handle pairing requests and PIN/passkey entry.
* Power Control: Turn Bluetooth on or off.
* Device Information: Retrieve information about connected and discovered devices.

Reference: https://usercomp.com/news/1466027/bluetooth-headset-pairing-issue-in-linux

====Check bluetooth service====
----
$ sudo systemctl status bluetooth

====Enable Bluetooth Adapter====
----
Use [[Rfkill|rfkill]] command.

$ rfkill list all
$ sudo rfkill unblock bluetooth

====Scan Bluetooth Devices====
----
$ sudo bluetoothctl scan on
Discovery started
.
.
.

====See Bluetooth Devices====
----
$ bluetoothctl devices

$ bluetoothctl devices | grep -i mx
Device D6:A3:C1:F9:2C:21 MX Master 3S
Device C7:A2:BB:7F:F3:49 MX Anywhere 2S

====Pair and Connect a Bluetooth Device====
----
$ dzdo bluetoothctl pair <device MAC>

$ dzdo bluetoothctl pair D6:A3:C1:F9:2C:21
Attempting to pair with D6:A3:C1:F9:2C:21
[CHG] Device D6:A3:C1:F9:2C:21 Paired: yes
Pairing successful

Once the pairing is complete, you need to connect the Bluetooth device:
$ sudo bluetoothctl connect D6:A3:C1:F9:2C:21
Attempting to connect to D6:A3:C1:F9:2C:21
Connection successful

====Trusting a Bluetooth Device====
----
If the pairing failed due to error "AuthenticationRejected", you may have to trust it first:
$ dzdo bluetoothctl pair D6:A3:C1:F9:2C:21
Attempting to pair with D6:A3:C1:F9:2C:21
Failed to pair: org.bluez.Error.AuthenticationRejected

$ dzdo bluetoothctl trust D6:A3:C1:F9:2C:21
[CHG] Device D6:A3:C1:F9:2C:21 Trusted: yes
Changing D6:A3:C1:F9:2C:21 trust succeeded

$ dzdo bluetoothctl pair D6:A3:C1:F9:2C:21
Attempting to pair with D6:A3:C1:F9:2C:21
[CHG] Device D6:A3:C1:F9:2C:21 Paired: yes
Pairing successful

2025-07-30T17:35:34Z

Ardika Sulistija:

Bluetoothctl is a command-line tool used to interact with the Bluetooth subsystem on Linux systems. It provides a text-based interface for managing Bluetooth devices, including discovering, pairing, connecting, and configuring Bluetooth devices.

Key Features of Bluetoothctl:
* Device Discovery: Scan for nearby Bluetooth devices.
* Pairing: Pair with Bluetooth devices.
* Connecting: Establish a connection with paired devices.
* Trusting: Mark devices as trusted to allow automatic connections in the future.
* Agent Management: Manage Bluetooth agents, which handle pairing requests and PIN/passkey entry.
* Power Control: Turn Bluetooth on or off.
* Device Information: Retrieve information about connected and discovered devices.

====Check bluetooth service====
----
$ sudo systemctl status bluetooth

====Enable Bluetooth Adapter====
----
Use rfkill command.

$ rfkill list all
$ sudo rfkill unblock bluetooth

====Scan Bluetooth Devices====
----
$ sudo bluetoothctl scan on
Discovery started
.
.
.

====See Bluetooth Devices====
----
$ bluetoothctl devices

$ bluetoothctl devices | grep -i mx
Device D6:A3:C1:F9:2C:21 MX Master 3S
Device C7:A2:BB:7F:F3:49 MX Anywhere 2S

====Pair and Connect a Bluetooth Device====
----
$ dzdo bluetoothctl pair <device MAC>

$ dzdo bluetoothctl pair D6:A3:C1:F9:2C:21
Attempting to pair with D6:A3:C1:F9:2C:21
[CHG] Device D6:A3:C1:F9:2C:21 Paired: yes
Pairing successful

Once the pairing is complete, you need to connect the Bluetooth device:
$ sudo bluetoothctl connect D6:A3:C1:F9:2C:21
Attempting to connect to D6:A3:C1:F9:2C:21
Connection successful

====Trusting a Bluetooth Device====
----
If the pairing failed due to error "AuthenticationRejected", you may have to trust it first:
$ dzdo bluetoothctl pair D6:A3:C1:F9:2C:21
Attempting to pair with D6:A3:C1:F9:2C:21
Failed to pair: org.bluez.Error.AuthenticationRejected

$ dzdo bluetoothctl trust D6:A3:C1:F9:2C:21
[CHG] Device D6:A3:C1:F9:2C:21 Trusted: yes
Changing D6:A3:C1:F9:2C:21 trust succeeded

$ dzdo bluetoothctl pair D6:A3:C1:F9:2C:21
Attempting to pair with D6:A3:C1:F9:2C:21
[CHG] Device D6:A3:C1:F9:2C:21 Paired: yes
Pairing successful