"Key was rejected by service" kernel module error on cloned VMs

Here's a quick blurb about something I recently ran into and found a fix for, and I'm hoping that the search indexing gods find this and help some other poor soul who has run into this sort of thing.

I've been playing around with KVM virtual machines on my home server recently, and have started using the virt-sparsify and virt-resize CLI tools respectively to generate a compressed golden machine image and apply that image to a new VM. For example:

sudo virt-sparsify --compress --convert qcow2 /dev/vg0/debian-base debian-base.qcow2
sudo virt-resize --expand /dev/sda2 --no-sparse debian-base.qcow2 /dev/vg0/new-vm

After doing this and booting the new machine, I got this failure after trying to load in a kernel module:

$ sudo modprobe bridge
modprobe: ERROR: could not insert 'bridge': Key was rejected by service

Uhhh, what? This seems to point to some secure boot signing-related thing, but I'm pretty sure nothing has gone awry with that since all I did was make a disk clone. After a bunch of experimenting, I discovered that cloning with straight dd would work fine, and would somehow taint the target disk so that future virt-resize runs would always result in a working target!

This was really weird, so I dug through the virt-resize manpage, and came across the --no-sparse flag which has this in its description:

The main time this can be a problem is if the target is a host partition (eg. virt-resize source.img /dev/sda4) because the usual partitioning tools tend to leave whatever data happened to be on the disk before.

If you have to reuse a target which contains data already, you should use the --no-sparse option. Note this can be much slower.

Well shit. My target VM that's receiving the image is using a LVM logical volume for its drive, which I'm sure has some leftover data on it. virt-resize --no-sparse fixes this issue for me, as does zeroing out the LV before applying the image. With the sparse copying, some old junk data must have been lurking in the new VM's partition, causing the issues.

read more

Home VPN with Wireguard

If you have an interest in Linux networking, by now you've probably heard of Wireguard. In case you haven't, it's a newer cross-platform VPN whose main attraction is that it's way way easier to set up on Linux than other VPNs that have come before it. If you've ever had to set up an IPSec VPN using Racoon or Openswan or StrongSwan or any other weird animal-based tool, then you know how much of a royal pain in the ass it is.

While I was on a tear improving my home network, I decided to finally bite the bullet and set Wireguard up on my router and laptop, allowing me to securely connect to my home network from anywhere. This post outlines what I did to make that happen, in case you want to replicate it in your own home network.

Fair bit of warning though: I'm assuming that you already have basic knowledge of networking: subnetting, routing, that kind of stuff.

read more

Anacron

Here's a Linux utility that I recently learned about: Anacron

Simliar to cron, it runs tasks on a periodic basis, but it will ensure the task runs when the computer is on.

My use case is that I want my backup repository integrity check to run once a week on my laptop, but when a cron @weekly task is going fire (midnight on Sunday) my laptop's going to be turned off. Anacron to the rescue!

So what I did is set up an anacron task to run my backup check script once a week, and then set up cron to run anacron every 10 minutes:

*/10 * * * *  /usr/sbin/anacron -s -t $HOME/.anacron/tab -S $HOME/.anacron/spool

And here's what my anacrontab looks like:

SHELL=/bin/bash
HOME=/home/nick

# period  delay  job-id  command
# # (days)  (min)
7 0 backup-check  $HOME/bin/backup.check
read more