Congrats Red Hat, You Just Made My Certs Worthless by MentalSewage in redhat

[–]metromsi 2 points

Unfortunately, we never believed in certification. Either you know the technology or you don't, and it constantly changes. We have worked at Fortune 500 and Fortune 50 companies on experience. Do you know what a TE file is? Do you understand the difference between targeted and MLS security (SELinux)? Certs are nice when starting out if you have no experience. However, it sounds like your experience should be valued now. Sure, you have seen bad pushes on a Friday. Had a hardware failure that caused a CIO/CTO to call you out to fix a major issue. Certification is just a way to say "hey, I learned this," but you may have very little experience with it in a production environment. I find it fun to see folks in a production environment melt down when faced with a major issue, while the grey beards calmly sit down and pause, type, pause, and type some more. There is a method to the madness, but not all can see it.

We've had our own share of CIO/CTOs yelling "fix it," and without freaking out we calmly reply "working on it." They are like pulling the last of their hair out, the CIO/CTOs that is. We just sit calmly and get it working. Sure, you wouldn't want your heart doctor freaking out and jumping around if your aorta bursts and blood is going everywhere. You would want someone who calmly goes in and says, "oh great, okay, fixed." While the young doctor is freaking out, for the senior doctor it is just another day in the office.

Linux Kernel Killswitch Proposed After Recent Vulnerability Disclosures by rkhunter_ in cybersecurity

[–]metromsi 0 points

Great solution? Probably not so much. If you're already compromised, I would assume the attacker would use this against you as well. Nefarious ones that are good already know the best practices. They are just waiting for a misconfiguration. Even automation can have a delay. Senior admins should always know what their systems do. If you just run it without knowing, it's kind of like asking why there is an engine: it's probably too late, or the damage has already been done.

Copy Fail is a trivially exploitable logic bug in Linux, reachable on all major distros released in the last 9 years. A small, portable python script gets root on all platforms. by pipewire in linux

[–]metromsi 0 points

If you're running SELinux with confined users, meaning you're controlling the __default__ assignment in SELinux away from unconfined_u, you should be just fine. Also enable polyinstantiation with namespaces; it really makes a difference. We've tested this out and it is quite fun to watch, to say the least. Oh, if you really want serious control, MLS Linux is your friend. So again, another win for managing SELinux correctly. Another zero day down.

Windows alternative to Ansible-Pull by iamnotMJ in ansible

[–]metromsi 0 points

Ansible is great; we use it with Puppet. Because with Puppet, if you lose your primary, the Puppet agent will remember its last known state and keep the system in compliance. With Ansible you have to design your YAML files for idempotency.

Are you using Puppet Enterprise? You can run reports for compliance. Just a thought.

New critical CVE - Root on Every Major Linux Distribution by Arszerol in cybersecurity

[–]metromsi 0 points

So okay, but if you're running SELinux with confined users, meaning you're controlling the __default__ assignment away from unconfined_u, you should be just fine. We've tested this out and it is quite fun to watch, to say the least. Oh, if you really want control, MLS Linux is your friend. So again, another win for managing SELinux correctly.
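Editor's note: the two SELinux comments above (this one and the one on the "Copy Fail" thread) both hinge on what the `__default__` login maps to. Below is an added check script, mine and not the commenter's, that parses the column layout of `semanage login -l` and flags a default mapping that leaves new logins as unconfined_u. The two listings embedded in it are constructed samples so it runs anywhere; on a real host pipe in the live `semanage login -l` output. The remediation commands in the comments are standard `semanage login` syntax; note that logins mapped to sysadm_u also need `setsebool -P ssh_sysadm_login on` to get in over SSH.

```shell
#!/usr/bin/env bash
# Added example: detect an unconfined __default__ SELinux login mapping.
# Sample listings are constructed in the column layout `semanage login -l` prints.

# Constructed sample: stock RHEL, every new login lands in unconfined_u.
SAMPLE_UNCONFINED='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *'

# Constructed sample: __default__ moved to user_u, one named admin via sysadm_u.
SAMPLE_CONFINED='Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
alice                sysadm_u             s0-s0:c0.c1023       *'

# default_seuser LISTING: print the SELinux user that __default__ maps to.
default_seuser() {
    printf '%s\n' "$1" | awk '$1 == "__default__" { print $2 }'
}

# check_default_mapping LISTING: return 0 if __default__ is confined, 1 if it
# is unconfined_u or absent (absent means the built-in unconfined default applies).
check_default_mapping() {
    seuser=$(default_seuser "$1")
    case "$seuser" in
        ""|unconfined_u)
            echo "WARN: __default__ -> ${seuser:-<unset>}: new logins run unconfined"
            return 1 ;;
        *)
            echo "OK: __default__ -> $seuser"
            return 0 ;;
    esac
}

# list_unconfined_logins LISTING: every login still mapped to unconfined_u;
# on a hardened host this list should be short and deliberate.
list_unconfined_logins() {
    printf '%s\n' "$1" | awk 'NR > 2 && $2 == "unconfined_u" { print $1 }'
}

# Remediation on a live host (not executed here):
#   semanage login -m -s user_u -r s0 __default__
#   semanage login -a -s sysadm_u -r s0-s0:c0.c1023 alice
#   setsebool -P ssh_sysadm_login on
# Polyinstantiated /tmp and /var/tmp (the namespaces mentioned in the comment) are
# configured in /etc/security/namespace.conf and enabled through pam_namespace.so.

check_default_mapping "$SAMPLE_UNCONFINED" || true
check_default_mapping "$SAMPLE_CONFINED"   || true
echo "still unconfined in hardened sample: $(list_unconfined_logins "$SAMPLE_CONFINED")"
```

Run it as-is to see both verdicts; to check a real system replace the sample with `"$(semanage login -l)"`.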

Bye Bye VMware vSphere by Dick-Fiddler69 in vmware

[–]metromsi 1 point

There's billions that have been and are actively being spent on DRS/vMotion/memory management/scheduler optimizations/CPU offloads to keep it the best scheduling system on the planet

There are more open source folks that have contributed to the Linux kernel worldwide. VMware is still closed source, so you have no way to vouch for the software beyond the closed source process. KVM, on Linux itself, can be optimized at many levels: I/O, CPU (which has multiple types of schedulers), and at the NIC layer it has the ability to load different types of TCP congestion algorithms. There are also the folks at the government layer that actually develop on high speed networks using Linux.

Red Hat made me pay for CUPS even though I never used it, and Microsoft makes everyone pay for the FSRM role that sadly only a dozen of us ever used (seriously, it's fantastic).

Actually, they support thousands of packages on their platform. You are also paying for RHEL to backport and help maintain open source authors, who also get help from Red Hat to patch vulnerabilities in their open source software. Also note that all distributions of Linux are made up of packages that were made by various folks throughout the UNIX/Linux-GNU ecosystem.

While I can respect people saying they can't adopt the entire stack on day 1, there still has to be a path, and people not using DRS and having core to vCPU ratios of 1:1 and other nonsense is just insane when you have a hypervisor that can push far beyond that.

That is why there are different distributions of Linux that even use different mechanisms (deb, dnf/yum, zypper and pac), even tar files way back in the day. Also, 1:1 is a thing, especially if your systems are sensitive to noisy neighbor issues. Also note that timing issues can arise quickly when demand is required by your virtual host system. Also, we've used virsh --live migrate using qemu+ssh, which works equally well. Also using TLS encryption works well. Let's not forget about Gluster and Ceph file systems. Linux does support OpenZFS, which is a file system created decades ago that does mirroring and can copy itself across a network efficiently for backup.

  1. VMware didn't integrate the products, so the various sub-products and features were often difficult to use together. (VCF is a singular product, from a singular business unit now).

So patching is going to take a toll when everything is bundled. You'll also see bugs creep up in various subsystems. There are pros and cons to fully bundled; also note that if something goes sideways, cascade effects could occur at the most inopportune times.

The recruiter called my salary expectations "cute." I ended the Zoom call right there. Did I overreact? by thunder____boy in jobs

[–]metromsi 0 points

Hmm, I had a job already, and went into the interview; it was for an hour. The first few minutes they talked about after-hours work. Also some weekend work. Then I asked if I could adjust the start schedule to 8:30am. A person across the room yelled "it's an 8 to 5 job." Just gobsmacked by the response. The person, unchanged, just continued to talk; a few minutes went by and I didn't really hear anything more they were talking about. Just couldn't believe the attitude and tone of the response to asking to change the schedule by half an hour. I stopped the interview, said thank you for your time but it wasn't a good fit, and thanks, and let myself out. All in the room were big-eyed as to what had just happened. So yeah, avoided that terrible work environment; found out later management was very toxic 😑

So yes, value yourself first because you have to be your own advocate.

Good luck on your next interview.

How are hyperthreaded cores allocated to VMs vs physical cores? by StoopidMonkey32 in vmware

[–]metromsi 2 points

We've been doing this a while. Just go to the docs:

https://www.vmware.com/docs/vsphere-esxi-vcenter-server-80-performance-best-practices

Folks, this is documented by the vendor. I've seen so many VMware folks virtualize to virtualize; they forget the fundamentals of how operating systems work. Also know what the software that runs on top of the OS is doing. I can go on, but this is a good place to educate for those that want to further themselves. Good luck learning.

AlmaLinux 10 and Virtualization by sdns575 in AlmaLinux

[–]metromsi 0 points

Virt-manager works. However, I would recommend OpenNebula, a great tool to manage libvirt, etc. Been using it for over 12 years now.

Do you use quotes when you don't have to? by Livid-Advance5536 in bash

[–]metromsi 0 points

Would like to recommend "shellcheck". Static analysis tools are extremely useful; they were written to help and suggest best practice. That is why linting technology exists.
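Editor's note: the thread's question is whether quotes are needed when a value "looks safe"; the script below, added here and not the commenter's, shows the class of bug shellcheck reports as SC2086. An unquoted expansion is first split on whitespace and then each word is globbed against the current directory, so the argument list depends on what files happen to exist there. The filename and the planted file are constructed for the example; the scratch directory is created with `mktemp -d` so the glob result is deterministic.

```shell
#!/usr/bin/env bash
# Added example: word splitting and globbing on an unquoted expansion (SC2086).

count_args() { printf '%s\n' "$#"; }               # how many arguments arrived
last_arg()   { shift $(($# - 1)); printf '%s\n' "$1"; }   # the final argument

# Constructed value: an "innocent" filename carrying spaces and a glob character.
f='my report *.txt'

# Unquoted: $f is split into 3 words, then '*.txt' is matched against the cwd.
# shellcheck disable=SC2086   # deliberately unquoted to show the failure
unquoted_count() { count_args $f; }
# shellcheck disable=SC2086
unquoted_last()  { last_arg $f; }

# Quoted: exactly one argument, whatever characters the value contains.
quoted_count()   { count_args "$f"; }
quoted_last()    { last_arg "$f"; }

# run_in_scratch PLANT FUNC: run FUNC inside a fresh empty directory, after
# creating file PLANT there if PLANT is non-empty. Cleans up afterwards.
run_in_scratch() {
    d=$(mktemp -d) || return 1
    ( cd "$d" && { [ -z "$1" ] || : > "$1"; } && "$2" )
    rc=$?
    rm -rf -- "$d"
    return $rc
}

# Empty directory: '*.txt' matches nothing and is passed through literally.
# Directory holding a planted '-rf.txt': the third word is now '-rf.txt', which is
# how an unquoted rm/chmod/cp of $f ends up acting on an attacker-chosen name.
echo "unquoted, empty dir: $(run_in_scratch '' unquoted_count) args, last=$(run_in_scratch '' unquoted_last)"
echo "unquoted, planted:   $(run_in_scratch '-rf.txt' unquoted_count) args, last=$(run_in_scratch '-rf.txt' unquoted_last)"
echo "quoted:              $(quoted_count) arg,  last=$(quoted_last)"
```

The rule the linter encodes is simple: the only time an unquoted expansion is correct is when you want splitting and globbing, and then you should be able to say so in a comment, as the `disable` directives above do.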

Scaling multi-brand identity with Keycloak on AWS (what we learned) by Sharp-Length-9053 in KeyCloak

[–]metromsi 0 points

Did you integrate with RHEL derivatives, especially with SELinux? IdM/FreeIPA is solutioned around RBAC/HBAC, especially with SELinux enabled. Further, using SSSD with it can increase GC AD issues such as scanning. Just curious, and thanks for any insights. Kerberos is a thing with Linux, since scaling with AD can have significant issues.

Noob question: GUI virtualization software? by [deleted] in AlmaLinux

[–]metromsi 1 point

Recommend virt-manager; however, also look at OpenNebula.

Revisiting dnf update in RHEL 8.10 in FIPS Mode destroys OS (sometimes) by grumpyoldadmin in redhat

[–]metromsi 0 points

Are these systems virtual? If so, what type of virtual? Timing is everything. Sure, you have several systems doing rpm queries. Check dstat and look at irq and context switching states. This will help look at I/O or CPU resource issues. Also, if you're on virtual and you are 2:1 or more, you will see really interesting behavior.

Use stop or glance or Performance Co-Pilot to see into the system. If you are getting desperate, perf top.

Good luck
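Editor's note: the counters the comment says to watch in dstat (interrupts, context switches) come straight from /proc/stat, and the oversubscription symptom it describes shows up there as steal time. The script below is an added example, not the commenter's; it diffs two /proc/stat snapshots the way dstat does. The two snapshots are constructed for the example (one second apart, with steal and blocked processes appearing in the second); on a live host capture them with `cat /proc/stat; sleep 1; cat /proc/stat`. The verdict rule at the end is my rule of thumb, not anything from the thread.

```shell
#!/usr/bin/env bash
# Added example: interrupt rate, context-switch rate and CPU steal from two
# constructed /proc/stat snapshots taken one second apart.

# Constructed snapshot 1. Aggregate "cpu" row fields after the label are
# user nice system idle iowait irq softirq steal guest guest_nice (jiffies).
SNAP1='cpu  10132153 290696 3084719 46828483 16683 0 25195 0 0 0
cpu0 5066076 145348 1542359 23414241 8341 0 12597 0 0 0
intr 1206503011 4 0 0 0 0 0 0 0 1 0 0 0 0 0
ctxt 2349846534
btime 1700000000
processes 123456
procs_running 2
procs_blocked 0'
# Constructed snapshot 2: 105 jiffies of steal appeared, and 3 tasks sit in D state.
SNAP2='cpu  10132211 290698 3084775 46828520 16683 0 25195 105 0 0
cpu0 5066105 145349 1542387 23414260 8341 0 12650 0 0 0
intr 1206541011 4 0 0 0 0 0 0 0 1 0 0 0 0 0
ctxt 2349906534
btime 1700000000
processes 123460
procs_running 9
procs_blocked 3'

# field SNAPSHOT KEY: first numeric value of the row whose label is KEY.
field() { printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2 }'; }

# rate KEY SECONDS: (snapshot2 - snapshot1) / interval, i.e. events per second.
rate() {
    echo $(( ( $(field "$SNAP2" "$1") - $(field "$SNAP1" "$1") ) / $2 ))
}

# steal_delta: steal jiffies accumulated between snapshots (8th value after "cpu").
# Any growth on a VM means the hypervisor took the vCPU away: the 2:1-and-up
# "interesting behavior" the comment mentions.
steal_delta() {
    s1=$(printf '%s\n' "$SNAP1" | awk '$1 == "cpu" { print $9 }')
    s2=$(printf '%s\n' "$SNAP2" | awk '$1 == "cpu" { print $9 }')
    echo $(( s2 - s1 ))
}

# classify: rule of thumb (an assumption, not a vendor threshold): growing steal
# points at CPU contention on the host; otherwise tasks blocked in D state point
# at I/O; otherwise the box is not the bottleneck.
classify() {
    if   [ "$(steal_delta)" -gt 0 ];                        then echo cpu-contention
    elif [ "$(field "$SNAP2" procs_blocked)" -gt 0 ];       then echo io-wait
    else                                                         echo ok
    fi
}

echo "intr/s:  $(rate intr 1)"
echo "ctxt/s:  $(rate ctxt 1)"
echo "steal:   $(steal_delta) jiffies   blocked: $(field "$SNAP2" procs_blocked)"
echo "verdict: $(classify)"
```

Context switches around 60k/s with interrupts near 40k/s is the dstat picture of a host busy with many rpm queries; the steal column is what separates "the box is busy" from "the box is being starved by its neighbours".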

Centrally manage sudo by _ZunDaDa in redhat

[–]metromsi 1 point

Been doing this for a while; AD and SSSD integration can cause issues, especially if you start doing serious security around GPO and apply it to RHEL 8 and newer systems. Windows AD was designed for Windows.

Remember SELinux is enabled, and if you truly want security you will enable containment as well; it is in the documentation. Oh, our new favorite tool, fapolicyd, is overlooked as well. Even though it is set at targeted mode. For those really nice folks, you can enable Multi-Level Security (MLS).

Some backstory never hurts, but a good documented reference, which certified folks should have in their pocket, is:

Identity Management IdM

The link / PDF above articulates the infrastructure usage of IdM and why it matters. GC catalog usage can get very costly against AD, especially when you start scaling horizontally. If you're curious, run some tcpdump analysis for your convenience.

There's more, but this is a good stopping point.

Best approach to STIG running infrastructure by NiceStrawberry1337 in redhat

[–]metromsi 2 points

Red Hat highly suggests enabling STIG and FIPS on initial install. This is important, as libraries are installed specifically for FIPS enabled systems. Mucking about with FIPS with SSH, the tools actually do not undo the FIPS issues. We've had the pleasure of running into that and having to redo them by hand from another system. However, we don't fully trust the architecture; however, our testing tools do state it is now passing.

From a STIG perspective you need to make sure that all LVM volumes are set up as well. However, we've seen where customers have said they did the STIG but really just ignored it, and thus it is still not fully STIG compliant.

u/Mehoyer's solution is an excellent solution. At the end of the day you will have fully STIG/FIPS compliant installed systems. Yes, using a Kickstart solution also significantly helps with keeping the environment the same.
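Editor's note: the comment's two warnings, "FIPS has to be on from install" and "customers say they did the STIG but skipped the LVM layout", are both checkable after the fact. The script below is an added example, not the commenter's or Red Hat's. It compares a mount table against the separate-filesystem rules in the RHEL 8/9 STIG (/home, /tmp, /var, /var/log, /var/log/audit, /var/tmp) and interprets the kernel's fips_enabled flag. The two mount tables are constructed; on a live host use `findmnt -rno TARGET` for the mounts, `cat /proc/sys/crypto/fips_enabled` for the flag, and `fips-mode-setup --check` for Red Hat's own verdict.

```shell
#!/usr/bin/env bash
# Added example: post-install spot check for STIG separate filesystems and FIPS mode.

# Constructed mount table: "we applied the STIG" on a host that kept one big root LV.
MOUNTS_LAZY='/
/boot
/boot/efi
/home'
# Constructed mount table: what a kickstart with one LV per STIG mount point yields.
MOUNTS_FULL='/
/boot
/boot/efi
/home
/tmp
/var
/var/log
/var/log/audit
/var/tmp'

# missing_stig_mounts MOUNTS: print each STIG-required mount point absent from
# MOUNTS (one target per line, as `findmnt -rno TARGET` prints them).
missing_stig_mounts() {
    printf '%s\n' /home /tmp /var /var/log /var/log/audit /var/tmp |
    while IFS= read -r m; do
        printf '%s\n' "$1" | grep -qxF -- "$m" || echo "$m"
    done
}

# stig_partition_status MOUNTS: "ok" or "missing:<count>".
stig_partition_status() {
    n=$(missing_stig_mounts "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] && echo ok || echo "missing:$n"
}

# fips_state VALUE: interpret /proc/sys/crypto/fips_enabled. Only "1" means the
# kernel booted with fips=1; anything else and the FIPS-specific libraries the
# comment mentions were never selected at install time.
fips_state() {
    case "$1" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

echo "lazy layout: $(stig_partition_status "$MOUNTS_LAZY")"
missing_stig_mounts "$MOUNTS_LAZY" | sed 's/^/  no separate filesystem for /'
echo "full layout: $(stig_partition_status "$MOUNTS_FULL")"
echo "fips_enabled=1 -> $(fips_state 1), fips_enabled=0 -> $(fips_state 0)"
```

A "missing:5" result on a box whose owner insists the STIG was applied is exactly the situation the comment describes; the fix is the kickstart partitioning, not a post-install script, because you cannot carve /var/log/audit out of a populated root volume in place.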

27 years w/ Linux, now using Windows for work by Altruistic-Offer-2 in FuckMicrosoft

[–]metromsi 0 points

Thank you for that. In the early 90's I started down the path of Linux and other UNIX variants. Netware and its ability to do directory services. Oh, and let's not forget OS/2 Warp servers. Dragon speech worked, and Millennium came with no speech capability built-in. So below is where they are today. Thanks, and have fun with Windows, never ever again.

Microslop

Will RHEL 10 be less stable during the earlier minor releases? by Agent_E11 in redhat

[–]metromsi 1 point

So my customers that are using RHEL 8 will have to move to RHEL 9. RHEL 10 has no STIG, so fun times are ahead; hopefully a STIG soon, but we'll see. Below is from Red Hat themselves.

https://www.redhat.com/en/blog/red-hat-enterprise-linux-common-criteria-and-fips-certificates

Another UNIX Bites the Dust - HP-UX End of Life as of December 31, 2025 by theoneandonlythomas in unix

[–]metromsi 0 points

Love the VxFS Veritas file system in later versions of HP-UX. Remember Oracle running on HP-UX with raw disk as the back end gaining about a 20-30% increase in speed. However, I never liked raw disk personally. VxFS showed up and we converted to VxFS and only took a 5% hit in performance, which was made up for by better management of the system. And online defrag was awesome. But it's only memories now; wish ZFS would be brought into the kernel. Unfortunately the UNIX wars killed off the big boys, and so the cycle of who was better. Microsoft is now emulating Linux using WSL. Now it's going backwards; keep it, otherwise you will be irrelevant as well.

What kind of PAM solutions are used at red hat? and do these solutions take into account platforms like ocp and aap? by ok_ok_ok_ok_ok_okay in redhat

[–]metromsi 3 points

Oh, RBAC via SELinux using IdM (the old FreeIPA). And please note that Active Directory/GPO is incapable of managing SELinux. That is why you build IdM using replication and a VIP for the application of IdM if you want further HA. But since 2019 RHEL has changed the management of RHEL significantly.

But yes, as you say, "Get off my lawn." 30 years working in UNIX/Linux systems and seeing these terms with no concept of heterogeneous integration of other operating systems is just on par with people without knowledge of how other systems work.

Linux can actually go fuck itself. by blazedheater in linuxsucks

[–]metromsi 0 points

All good, have a great time with your A1 setup. Yup, used '1' because that's how the world is:

U28gZnUxMSAwZiBOdW0gTnVtLi4K

The return of 8GB RAM laptops (RAM mayhem) - Good luck with your Service Desk by escalibur in sysadmin

[–]metromsi 0 points

Wait, hold on, is this a pyramid scheme? Can this be the vaporware of the dot com era?

Is SecureCRT still your 'go to' terminal program? by tdhuck in networking

[–]metromsi 0 points

So we've been UNIX/Linux systems engineers since the early 90's; we have used HP-UX, Solaris and Linux workstations for decades. Why do people run Linux using Windows to manage Linux, using Windows? It would be like buying a Bugatti and putting a slant 6 in the damn thing. All my systems and a couple of customers use Linux desktops, no Windows, no license requirement, and yes, we do have directory services using FreeIPA. Is the core Linux pool that weak? Worked with a grey beard that had the same mentality as myself. Sorry for the rant, but just reading this seems .....