Amazon Linux 2023 on VirtualBox

Operating Systems, Technology

About seven months ago I threw my hat into a GitHub thread that had opened over a year before (March 2022!) asking Amazon to make good on its promise to release off-prem images of its AL 2023 operating system. My jab at Amazon was picked up in an article on The Register, and a few weeks later there was finally some movement by Amazon, raising the profile of the issue and eventually leading to a release of KVM and VMware images in mid-November. There was no image for VirtualBox, and I mentioned this omission in a follow-up on GitHub. The current January 2024 release still only supports KVM and VMware, and the online instructions also omit VirtualBox. This is unusual, because Amazon had provided VirtualBox images for previous versions of its OS.

Two weeks after Amazon’s failure to produce a VirtualBox image, I decided to solve the problem myself. Here’s the environment in which I created the solution:

  • Windows 10
  • Oracle VirtualBox v7
  • WinZip / 7Zip or similar Zip tool
  • CDBurnerXP

First get the OVA file from the latest release page by navigating to the VMware sub-page and downloading the .ova file from the link therein. For the Jan 2024 release you want the file named al2023-vmware_esx-2023.3.20240122.0-kernel-6.1-x86_64.xfs.gpt.ova, and remember to check the SHA256 checksum against the one published on the release page!

Using your preferred Zip tool, open the .ova file and extract the .vmdk file it contains.

You will find the VBoxManage.exe program under Program Files/Oracle, and you can use it to generate a .vdi file for VirtualBox as follows:

  VBoxManage.exe clonehd al2023-___.vmdk al2023-___.vdi --format VDI

(I am using “___” as a shorthand.) Now create three files named “meta-data”, “network-config” and “user-data” as follows:

meta-data

local-hostname: myhost.mydomain.example.org

network-config

network:
  version: 2
  ethernets:
    enp0s3:
      dhcp4: false
      addresses:
        - 192.168.1.234/24
      gateway4: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8]

user-data

package_upgrade: false
ssh_pwauth: True
chpasswd:
  list: |
    ec2-user:mY-C0mpl3x-Pwd
  expire: False
write_files:
  - path: /etc/cloud/cloud.cfg.d/80_disable_network_after_firstboot.cfg
    content: |
      network:
        config: disabled

These are YAML files with two-space indenting. If you are interested in such configurations, check out some official examples! Feel free to use a different IP address for your VM and whatever DNS nameserver you want, and choose a different (complex) password to your liking.

Finally use the command line tool from CDBurnerXP to create an ISO containing the above three files:

cdbxpcmd.exe --burn-data -name:cidata -file:meta-data -file:network-config -file:user-data -iso:seed.iso -format:iso -changefiledates

Run VirtualBox and add the al2023-___.vdi file to the collection of virtual media images. Then set up a new VM with the following configuration:

  • Type: Linux 64-bit
  • System: 4 GB RAM, 1 or 2 CPUs
  • Storage [Controller=IDE] mounted image seed.iso
  • Storage [Controller=SATA] mounted image al2023-___.vdi
  • Display: 33 MB video memory, 1 monitor, VMSVGA
  • Network: bridged adapter, Realtek

Boot the VM and, after some initialisation sequences, you should be at a login prompt within a minute or two. Log in via the console or use PuTTY (SSH). The user name is ec2-user and the password is the one set in the user-data file above. At this point you can unmount seed.iso, as it has done its job.
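As an added example (not part of the original post), a small Python 3 script that automates the download-verification and extraction steps above: it checks the .ova against the SHA256 digest published beside the download and pulls the .vmdk out of the archive. An OVA is a plain tar archive, so no separate Zip tool is needed; the two-member archive built in demo() and the rejected all-zero digest are constructed placeholders, not values from the AL2023 release.

```python
import hashlib
import io
import os
import tarfile
import tempfile
CHUNK = 1 << 20  # 1 MiB reads: the real OVA is hundreds of MB

def sha256_file(path):
    """Stream the file so the OVA never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def verify_ova(path, expected_hex):
    """True if the file matches the SHA256 published beside the download."""
    return sha256_file(path) == expected_hex.strip().lower()

def extract_vmdk(ova_path, dest_dir):
    """An OVA is a tar archive: copy out only regular *.vmdk members, flattening
    names to their basename so a crafted archive cannot escape dest_dir."""
    written = []
    with tarfile.open(ova_path, "r:*") as tar:
        for member in tar.getmembers():
            if not (member.isfile() and member.name.lower().endswith(".vmdk")):
                continue
            name = os.path.basename(member.name)
            with tar.extractfile(member) as src, open(os.path.join(dest_dir, name), "wb") as dst:
                for block in iter(lambda: src.read(CHUNK), b""):
                    dst.write(block)
            written.append(name)
    return written

def demo():
    """Constructed two-member OVA in a temp dir; the digest is computed locally only
    because the sample is synthetic (paste the published hash for the real file)."""
    tmp = tempfile.mkdtemp()
    ova = os.path.join(tmp, "al2023-demo.ova")
    with tarfile.open(ova, "w") as tar:
        for name, data in (("al2023-demo.ovf", b"<Envelope/>"),
                           ("al2023-demo-disk1.vmdk", b"KDMV" + b"\0" * 60)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    published = sha256_file(ova)
    return {"verified": verify_ova(ova, published),
            "tampered_rejected": not verify_ova(ova, "0" * 64),
            "vmdk": extract_vmdk(ova, tmp)}
```

For the real download, call verify_ova() with the hash from the release page and extract_vmdk() on the .ova before running VBoxManage.exe clonehd.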

WUps

Operating Systems, Technology

Windows Update is both essential and painful. It regularly interrupts the normal flow of work, sometimes saps all the energy out of the computers, takes control for long periods of time (on older machines this could be hours!) and occasionally goes “whoops…”. Like the past few days, where all except one of my PCs has choked on KB5034441. There are suggestions that the problem is due to the relatively new requirement that the Windows recovery partition have at least 250 MB of available space. All of mine have more than double that, so the update failure is likely more complex. The remedy (partition resizing) proposed by Microsoft is far more convoluted than anything the average user would be familiar with, and infeasible for any central IT administrator to apply to their many users. It comes with significant risks, notably disk corruption, and while the patch is an essential fix for a security issue, it only applies to the minority of people who have BitLocker enabled. Even for those affected, it only matters if an attacker can get physical access to the affected PC. That’s a lot of “if”s.

What should be done while we wait for Microsoft to fix their fix? Since the failed patch keeps insisting on a retry, my strategy is simple: ignore it. Or at least, instruct my PCs to ignore this particular patch.

Ignoring a WU patch

Microsoft once offered a tool called “Show or Hide Updates” that scanned for available updates and allowed you to select which of them would be hidden from the WU process. This tool doesn’t require any installation. Just run the wushowhide.diagcab file, select the Hide option, wait for it to present the list of available updates and (in this case) select the offending KB5034441. Sadly Microsoft no longer offer the S&HU tool on their site, but thanks to the Wayback Machine you can download wushowhide.diagcab from the archive.

After hiding the offending update via the S&HU tool, if it is still marked as “retry” in the Windows Update section of Windows Settings, just click the retry link and watch the update disappear.

What next?

Microsoft will eventually release a fix for KB5034441. This might be a revision of the patch, in which case the patch identifier may stay the same, which unfortunately means the S&HU configuration will prevent the fix from being applied. You could re-run S&HU to un-hide the patch, but only if you are sure the patch has been fixed.

Alternatively, Microsoft could withdraw the broken patch so it is no longer offered via WU. In its place they would issue a new patch with a new ID to be applied automatically via WU in the usual way. Hopefully this time without choking.

Wet January

LUE

My small patch on planet Earth has not much climate but plenty of weather. An island subject to ocean buffeting, chills from northern icy regions and occasional heat from the nearby continent. Often on the same day. I recall being greeted by snow in the morning, beaming sunshine in the afternoon and torrential rain that evening. It has been a bit turbulent of late, two storms in two days. Winds at 100 km/h, gusts even worse. And rain.

This has me a little peeved, to be honest. I like to go for a short walk now and then, clear the cobwebs out of my head, put some air in my lungs, stop staring at screens for a while. This January I was looking forward to my walks on account of my new hat, a deep blue pure wool Fedora, which sadly in this weather won’t last a minute unless it is nailed to my head. So I sit here with the rain drumming a tattoo on the window behind me while I stare at one of my screens and ponder another wet January day without a nice walk.

OK then. Coffee break is over. Time to get on with writing that report. I wonder if it would be odd to wear a hat while typing…?

Power trip

Hardware, Technology

Over the past several weeks we have had multiple power outages (long, short, brown, buzzing…). Partly due to recent storms, but mostly due to major work being done on local distribution lines. Some of my systems are in the clouds where industrial-grade power management is in place. (I hope.) My personal servers and dev/test systems are on-site and are subject to the vagaries of suburban power services. While “backup, backup, backup” is the mantra that ensures I won’t lose much, recovering from system corruption can be time-consuming.

Thankfully I also have an uninterruptible power supply (UPS) parked below the server shelving. Over the past month (and several outages) I have been pushed to refine and improve how the environment deals with sudden power issues. Here are some observations along the way:

  • apcupsd is brilliant. I have it running in my host server, interacting with the UPS over USB. To this I have added a number of new outage event scripts to deal with the various power-related scenarios.
  • My UPS can offer about half an hour of supply once the mains goes. But this is from a fully charged state, and with multiple outages happening on the same day the second or third time the panic alarm sounds the battery might not have had enough time to recharge. Therefore the event handling scripts should read the “minutes remaining” information from the UPS and act accordingly.
  • Don’t panic. One of the outages last week was for just 40 seconds. So, if the UPS minutes remaining will allow it, wait a bit before commencing a controlled shutdown.
  • The controlled shutdown of my host server will take care of saving the state of any running VMs. But there are also some NAS boxes, some of which are mounted over the network onto some of the VMs. I wanted my host server to also take care of shutting down the NAS boxes. Unfortunately they are from different manufacturers and none of them have UPS signalling support, but they have either SSH access or a Web interface, and I was able to script some shutdown commands from the host server to the NAS (after the VMs are saved). To ensure network connectivity, I also added a small Ethernet switch to the UPS. Power goes, switch stays up, host server saves VMs, shuts down NAS boxes, then shuts itself down.
  • I was not able to find a satisfactory way to shut down the UPS programmatically from the host server, while giving enough time for the host server to shut itself down before the UPS goes. More experimentation may be needed, but maybe on a separate mock-up environment rather than the real thing. After all, even if the UPS is left running, all it is powering is the small Ethernet switch as all other things have powered down.
  • There is no automated recovery when power is restored. I am OK with that, as I am generally on-prem anyway, and to be honest I don’t actually trust the power to be stable until at least 30 minutes after it has been restored.
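As an added example (not the author’s scripts), the “minutes remaining” and “don’t panic” logic from the bullets above as a POSIX sh apcupsd event script: it parses apcaccess status output, rides out a short blip, and only starts the controlled shutdown when the remaining runtime minus the grace period no longer covers the time the host needs to save VMs, stop the NAS boxes and halt. The status excerpts are constructed, and the thresholds and the /etc/apcupsd/onbattery install path are assumptions.

```shell
#!/bin/sh
# Constructed `apcaccess status` excerpts (the real output has many more lines).
SAMPLE_ONBATT='STATUS   : ONBATT
BCHARGE  : 62.0 Percent
TIMELEFT : 9.5 Minutes'
SAMPLE_LOW='STATUS   : ONBATT
BCHARGE  : 18.0 Percent
TIMELEFT : 3.0 Minutes'
SAMPLE_ONLINE='STATUS   : ONLINE
BCHARGE  : 100.0 Percent
TIMELEFT : 31.2 Minutes'

MIN_RESERVE_MIN=5   # assumed: runtime the host needs to save VMs, stop NAS boxes and halt
GRACE_SEC=60        # assumed: how long to ride out a blip (one real outage lasted 40 s)

# ups_field KEY STATUS_TEXT -> value token of the matching "KEY : value unit" line
ups_field() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $3; exit }'
}

# decide STATUS_TEXT -> ignore | wait | shutdown
# An empty/unreadable status is treated like ONBATT with no runtime, i.e. shutdown.
decide() {
    status=$(ups_field STATUS "$1")
    timeleft=$(ups_field TIMELEFT "$1")
    [ "$status" = ONLINE ] && { echo ignore; return 0; }
    # TIMELEFT is fractional minutes and sh arithmetic is integer-only, so compare in awk:
    # wait only if (runtime - grace) still covers the reserve the host needs for itself.
    if awk -v t="$timeleft" -v r="$MIN_RESERVE_MIN" -v g="$GRACE_SEC" \
           'BEGIN { exit !(t * 60 - g >= r * 60) }'; then
        echo wait
    else
        echo shutdown
    fi
}

# Wiring for apcupsd: install as /etc/apcupsd/onbattery (assumed path) and replace the
# echo with the real sequence (save VMs, ssh the NAS boxes to power off, shutdown -h now).
main() {
    while :; do
        action=$(decide "$(apcaccess status)")
        [ "$action" = wait ] || break
        sleep "$GRACE_SEC"          # ride out the blip, then re-read the UPS
    done
    if [ "$action" = shutdown ]; then
        echo "would run: save VMs, shut down NAS boxes, shutdown -h now"
    fi
}
```

Run decide against the three samples to see the three outcomes; main is only invoked by apcupsd, since it needs a live apcaccess.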

Finally, one thought does occur to me every time the power goes: does the UPS have enough juice left to power the coffee machine?

A lesson in book judging

LUE

“Never judge a book by its cover.” – The Mill on the Floss, George Eliot, 1860.

Many decades ago, when I was a young teen, a gentle knocking came on our front door and my mother got up to answer it. I peeked around the dining room door to see who it was. A dishevelled old man graced our doorstep, hair like that of a scarecrow, shoes with string for laces, an old jacket around his body and a cloth sack over his shoulder. He asked in almost a whisper, “could I have a drop of water?”

Several beggars roamed the housing estates in those days and you’d have at least one come knocking in any given week. The smell of alcohol would often announce them before they’d even reached the open front gate. If spotted early they would be shooed away at the window, or given a sharp “not today” before they’d even opened their mouth.

But not this man. I had seen him before and remembered that my mother would speak with him. This time she invited him into the hallway while she went to the kitchen. He saw me at the dining room door and smiled. I was transfixed, and returned a hesitant “hi”.

My mother soon returned with the glass of water and something in a paper bag that she handed to him. A sandwich? Then she pressed something into his palm, which I believe was some money. He took one small sip of the water, said “thank you, that hits the spot”, handed back the glass, saluted his forehead with two nicotine-stained fingers and bade his farewell as my mother closed the door.

I turned to my mother, “he lied about needing the water.”

“Yes,” she said, “he didn’t need the water, but he needed his dignity. He’s a good man who has fallen on hard times.”

Knowing that other such callers would be rapidly despatched, I asked her “how do you know he’s a good man?” I expected a “just because” kind of answer, but instead she opened the front door and told me to watch. The man was now two or three doors away, standing back from another front door and obviously being told there was nothing for him. He saluted softly and walked back to the front gate, and despite the rejection he closed it gently behind him.

“That’s how I know,” she said.