gopass: “gpg: decryption failed: No secret key”

For a few years now I have been using the pass password manager. It is a wonderfully simple way to manage passwords using PGP to encrypt passwords in text files. The same files can then be placed in a git repository, which makes replicating passwords easy.

For different reasons I am now migrating to gopass, a Go implementation of pass with a few additional features. I am using Homebrew to install gopass on my machine: brew install gopass. Theoretically, gopass should work out-of-the-box and is compatible with the old pass utility. So I was quite surprised to see an error message like this:

$ gopass github
Entry 'github' not found. Starting search...
Found exact match in 'github.com/simonkrenger'
gpg: decryption failed: No secret key

Error: failed to retrieve secret 'github.com/simonkrenger': Failed to decrypt

Strange. But decrypting the password file directly using PGP works fine:

$ gpg -d ~/.password-store/github.com/simonkrenger.gpg
[..]

If the above command using gpg does not work, check your keys using gpg --list-keys and gpg --list-secret-keys. Especially when migrating to GPG2, sometimes keys do not get imported into the new keyrings. In case you need to import the old keyring into the new format like so:

$ gpg --import ~/.gnupg/pubring.gpg
$ gpg --import ~/.gnupg/secring.gpg

But even after importing the keys, I still received gpg: decryption failed: No secret key. So after searching around I found that I need to set the GPG_TTY variable:

$ export GPG_TTY=$(tty)

It seems that not setting the GPG_TTY environment variable leads to the error above. Which is quite misleading. After setting this environment variable (and adding it to the .bash_profile), gopass works as expected.

Linux Magic Reboot

If you have worked with remote Linux servers before, I am guessing you already encountered machines that just don’t want to reboot. This is typically due screwed-up network mounts or stuck processes, so the server will hang during shutdown. But it turns out that there are other ways to reboot a server.

One of these is the “Magic SysRq key“. To reboot a server using the SysRq trigger in the kernel, use the following two commands. First, enable the trigger:

echo 1 > /proc/sys/kernel/sysrq

Then, reboot the server the magic way by typing

echo b > /proc/sysrq-trigger

Note that this will reboot the server without unmounting or syncing the filesystems! There are also other options available via the SysRq trigger, some of them are listed in the Wikipedia article above.

.gitlab-ci.yml for “ansible-lint”

So I started working with GitLab (self-hosted and gitlab.com), which led me to the CI/CD features of GitLab. When using GitLab, one can define a custom CI pipeline just by placing a .gitlab-ci.yml file in your project (just like the .travis.yml for GitHub). After each commit to the defined git branch, the pipeline is then executed.

Since I also work with Ansible playbooks a lot, I wanted to use ansible-lint to check my playbooks after each commit. In addition to that, I also added a syntax check using ansible-playbook [..] --syntax-check, as ansible-lint will not pick up all syntax errors.

So here is my .gitlab-ci.yml:

Read the rest of this entry »

Kubernetes: BASH function to change namespace

So when working with a lot of different namespaces in Kubernetes and you only know the “oc project” command from OpenShift, you start to miss an easy way to change namespaces in Kubernetes.

The official documentation to switch namespaces proposes something like this:

$ kubectl config set-context $(kubectl config current-context) --namespace=<insert-namespace-name-here>

Not something that I want to type regularly. First I tried to create a BASH alias or something, which did not work. So I looked around for BASH functions. I found that Jon Whitcraft proposed a nice BASH function in a GitHub issue. I lightly modified this and placed this in my own .bashrc file:

function kubectlns() {
  ctx=`kubectl config current-context`
  ns=$1

  # verify that the namespace exists
  ns=`kubectl get namespace $1 --no-headers --output=go-template={{.metadata.name}} 2>/dev/null`
  if [ -z "${ns}" ]; then
    echo "Namespace (${1}) not found, using default"
    ns="default"
  fi

  kubectl config set-context ${ctx} --namespace="${ns}"
}

So to change your namespace, use something like this:

$ kubectlns simon
Context "kubernetes-admin@kubernetes" modified.

Nice and short.

Release of “MySQL 8 Recipes”

In the past few months, I worked closely with Packt Publishing to create a new video course for MySQL 8. Today, the video course was released into the world. I am pround to present to you the new video course “MySQL 8 Recipes“:

In this video course, I tried to include the most common tasks for database administrators while focussing on the new features of MySQL 8. I included the following main chapters:

  • Install and configure a new MySQL 8 database
  • Upgrade existing databases to MySQL 8
  • Perform typical administration tasks
  • Master the new querying features in MySQL 8
  • Perform performance-tuning tasks
  • Optimize your database
  • Access databases with PHP, Python, or Java

The video course was released under ISBN-13 9781788393638 and is available per now. Of course, since MySQL 8 is still under development, there will hopefully be many other new features in the new release. But I hope you enjoy this video course. Purchase it here.

Workaround for WMI client over IPv6

Some years ago, I wrote some examples for the WMI client on Linux. I still get a lot of queries from people trying to use the WMI client to access Windows hosts and I am often happy to help if there are any problems.

One of the latest problems occurred when trying to access a Windows host over IPv6:

$ wmic -U 'user%password' //FD00:180::0:0:0:0:0 "Select Caption From Win32_OperatingSystem"
[..]
UNKNOWN - The WMI query had problems. The error text from wmic is: [librpc/rpc/dcerpc_util.c:343:dcerpc_parse_binding()] Unknown dcerpc transport 'FD00'
[librpc/rpc/dcerpc_connect.c:337:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c0000017) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[librpc/rpc/dcerpc_connect.c:828:dcerpc_pipe_connect_b_recv()] failed NT status (c0000017) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_NO_MEMORY - Memory allocation error

Read the rest of this entry »

iptables ACCEPT [0:0] brackets

So lately I have been working a lot more with Linux networking. Consider an iptables configuration like this:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7752:8249066]
[..]
-A RH-Firewall-1-FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT 
-A RH-Firewall-1-FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A RH-Firewall-1-FORWARD -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
[..]
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Fri Nov 21 15:44:47 2014

Ever noticed the brackets right next to the chain? What are those? What do the numbers mean?

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7752:8249066]

The answer is pretty easy and pretty obvious in hindsight. These numbers report

  • packet counter for the chain
  • byte counter for the chain

So in our example above, the OUTPUT chain matched 7752 packets and 8249066 bytes.

libsqlplus.so: cannot open shared object file: No such file or directory

Recently I had to install SQL*Plus on a Linux host. In order to do so, I downloaded the appropriate Oracle Instant Client packages from the Oracle site. For my installation, I chose the ZIP files. After I unzipped the client and tried to run sqlplus, I go the following error:

simon@pandora instantclient_11_2$ ./sqlplus
./sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory

Read the rest of this entry »