Updating Raspbian

Raspbian is based on Debian. Upgrading it to the latest version is done the same way as upgrading a normal Debian distribution. To not make this my shortest blog ever, I’ll show how I upgrade one of my Raspberry Pi.

The upgrade to release N is performed by starting the process release N-1. For each upgrade:

  1. Update current release
  2. Prepare configuration for next release
  3. Run upgrade
  4. Clean up
  5. Validate result of upgrade

Update your current Raspbian

sudo apt-get update
sudo apt full-upgrade

Prepare configuration for next Raspbian version

Edit repository files and change the distribution name to stretch or buster, depending from where you are upgrading from. A list of releases for Raspbian can be found at the Wikipedia page.

sudo vim /etc/apt/sources.list

To update to stretch:

sources.list:

deb http://archive.raspbian.org/raspbian stretch main contrib non-free rpi

To update to buster:

sources.list:

deb http://archive.raspbian.org/raspbian buster main contrib non-free rpi

Note

You may have more repository servers configured. For instance, check the content of the file: /etc/apt/sources.list.d/raspi.list.

Make sure to enable IPv6 support.

Acquire::ForceIPv4 "false";

Run upgrade

sudo apt update
sudo apt dist-upgrade

Sample output for update to stretch

Sample output for update to buster

Clean up

sudo apt autoremove

Validate result of upgrade

After running the above commands again, they should not report any more updates or dependencies.

sudo apt dist-upgrade

Check Debian version

more /etc/os-release

The entries for version and codename should now match your targeted release. For buster, it is:

VERSION_ID=”10”
VERSION_CODENAME=buster
Let the world know

Competence by Title Principle

When in the last 15+ years someone asked me how to become a senior consultant, I answered: “Get hired as one.”

I meant it as a joke as there are enough companies out there searching for senior consultants. Why? Get maximum value out of a person and client. Assign a senior on a project, charge for a senior. Sometimes you only needed to understand how HR works to be hired as a senior consultant. The proceeding is known throughout the industry, even customers know that the senior consultant they pay for is not necessarily worth the money. Today it is not unusual that customers demand to evaluate a consultant for a few weeks. This is for once to see if the person fits into the team, and to see if the rate is justified. Hint: some senior people are junior, but their engagement is good enough to ignore this to some degree.

While the above behavior is still valid (search for wild west and SAP), in the last years I saw a change happening. I call it the Competence by Title Principle. It’s like the Dilbert Principle. In case you do not know the famous Dilbert Principle: “Under the Dilbert principle, employees who were never competent are promoted to management to limit the damage they can do”.

With the Competence by Title principle, I mean that people who were never competent are promoted to positions where they create maximum damage.

It is not that the person has no knowledge at all. They may have deep knowledge in another topic area. Take a BI consultant being promoted to Machine Learning consultant. Because his manager finds no better assignment, or it sounded like an interesting area. Reasons don’t matter. Now the BI consultant is now not only working in a new area, but also has an outbound function: consultant, evangelist, advocate, director, visionary, VP, etc. It’s part of the job function to show others what the software can and to convince them to use it.

Now to the shift in the last years that makes this dangerous. Everyone knows that you cannot be an expert by just printing expert on your business card. Everyone. Except for one person: the person named to be an expert.

For instance, let’s take the junior consultants that were hired 10+ years ago as senior consultants. At least most of them knew that they weren’t senior. They tried to learn fast and to limit the damage they can do (sometimes). The competence by title people, they believe that they deserve the title. They believe they actually know what they are talking about. That preparing a demo, tutorial, PowerPoint, meeting makes them experts.

Hint: No.

Preparing or demoing a tutorial or presenting some slides does not make you an expert. Real world experience does. Show your scars you earned while implementing a solution end to end at a customer, creating a business plan, justifying the costs, implement, put into production and maintain a solution. That kind of experience makes you an expert. If you do not know the troubles customers and partners are facing day in, day out while working with a solution, you are not an expert. Not knowing this, not having this experience makes you a lamer: unable to understand the consequences in real world.

Where do the experts come from? Software companies sometimes miss a trend. Even when they are located a Silicon Valley or have a global presence. For instance, machine learning or artificial intelligence isn’t new. I learned it in university 20+ years ago. And even then, it wasn’t new. But a company may have missed the. To have experts for a topic available, it takes time. Years. If a company missed a trend, they need to hire experts. If not enough experts want to join, you get creative.

How to spot one of those “experts”?

They are titled experts by a software company for a specific product, but are not part of the product team? They do not know whom to contact at the company to give back feedback? Do not have access to the project board and backlog for the product? Prepare and give trainings that lets the product shine, but are not going into the nitty gritty details? Ignore basic real-world scenarios for SSO, maintenance, roll-outs? For open source products: No commit rights on the project in GitHub/GitLab? What about pull requests, tickets? Provided some useful features? Run regular community events like Meetups? When a demo goes wrong, can they fix it on their own fast?

In all cases: do they have real-world experience, or are they just sit at their desk or travel around the world? Remember: It is not easy travelling a large part of your work time and be fully assigned to a full lifecycle project to gain expert knowledge. Not saying that it’s impossible, but not easy.

The above list is not complete but gives an idea how to spot those experts. Remember: there are real experts out there: working for/at customers. Sometimes working for years or decades on a topic. They know it inside out. They may even have worked on a topic before a vendor found out about it and decided to hype it. You can find at customer events, presenting their lessons learned and battles fought and lost and won. You can find them at a software company, but it is not easy. And if you do, most probably in the product team when they are working closely on real world scenarios together with customers. Rarely demoing some scripts.

What does the competency by title principle means for you? You want to be an expert? Earn it. Being promoted as an expert by your employer, have it on your business card, means nothing. Get some reputation, fill your CV with projects, a lot of projects. Get some scars. Show them with pride. At one point in time, people will recognize you for what you have achieved in projects, and then you are an expert. Until you reach that stage, your expert level is nothing else than a name tag on your business card.

Let the world know

Wieso, weshalb, warum: Weil man‘s kann: Sony Fernseher updaten

Früher hat man sich einen Fernseher gekauft und dann für Jahre oder gar Jahrzehnte einfach benutzt. Es gab ja wenig technischen Fortschritt. Zum Glück sind diese Zeiten vorbei, neue Geräte kommen im Abstand weniger Monate mit einer besseren Funktionalität (z.B. SD -> HD -> 4k -> 8k, HDMI 2.x, OLDED) und sollten dabei normalerweise auch den Energieverbrauch optimieren. Smart TVs haben ein Betriebssystem wie jeder andere Computer auch, und dieses wird ständig aktualisiert. Damit sichert man sich seinen Fernseher ab, bekommt neue Features, neue Apps oder kleinere Verbesserungen.

Mein Sony TV ist ein KD-55XE8096. Ein Smart TV mit Android. Für dieses Modell bietet Sony ein Update des Betriebssystems an. Damit kommt Alexa, Android 8 und Verbesserungen bei der HDMI Wiedergabe – Ton, Kanal Umschalten.

In der Theorie sollte die Aktualisierung automatisch erfolgen. Sony stellt eine neue Android Version bereit, der TV lädt sich diese runter und dann kann diese installiert werden. Sollte, hätte, könnte, würde. Macht aber nicht. Zuerst veröffentlichte Sony das Update auf Android 8, dann wurde es wegen Problemen zurückgerufen und machte es später wieder verfügbar. Mein TV wird unterstützt, aber es wird keine neue Version gefunden. Weder automatisch im Hintergrund, noch bei direkter Aufforderung. Die neue Version für Android TV wird nicht gefunden.

Noch ist man nicht komplett auf den Willen des Fernsehers sich zu aktualisieren angewiesen. Man kann / darf das Update auch manuell anstoßen und durchführen. Dafür stellt Sony eine Anleitung online bereit. Diese Anleitung ist einfach und verständlich. Update herunterladen, auf USB Stick kopieren, beim TV einstecken, starten und warten. Beten hilft, denn sollte beim Update was nicht klappen, hat man mit großer Wahrscheinlichkeit für eine Weile einen nicht funktionsfähigen Fernseher, wenn nicht sogar Elektroschrott.

No risk, no fun. Es war klar: ein Update werde ich machen. Eine Datei herunterladen, auf einen USB Stick kopieren und dann warten: das kann ich. Ein kleines Problem: der USB Stick. Und das MacBook Pro. Der USB Stick muss so formatiert sein das der Sony TV die Daten lesen kann. Den Adapter für USB-C auf USB Type A hat man als Mac Benutzer natürlich zur Hand. USB Stick auch. Formatiert wird der USB Stick über das Festplattendienstprogramm.

Damit der Fernseher die Daten lesen kann, ist als Format ExFAT und als Schema MBR zu nehmen. GUID funktionierte nicht, hier wollte der Fernseher den Stick formatieren.

Danach die Update-Datei (sony…255.pkg) kopieren und nachdem der Fernseher den USB Stick erkannt und die Installationsdatei gefunden hat, startet das Update.

Android TV startet und lädt die einzelnen Apps.

Nach einer Weile ist dann Android TV einsatzbereit und der Fernseher ist auf dem neuesten Stand.

Let the world know

OpenID Connect with Keycloak

This blog shows how to use Keycloak for OAuth 2.0 and OpenID Connect. Keycloak is an identity and access management solution. Among its list of supported authentication mechanisms are SAML 2.0 and OpenID Connect. It is open source and can be installed via Docker. I wrote how to install Keycloak via Docker in a separate blog. The content of this blog was created as a side effect of configuring NetWeaver ABAP with Keycloak for SAML 2.0 and OAuth 2.0.

Here I will detail the steps to create an OAuth client in Keycloak, assign an OAuth 2.0 scope to it and how to get the OpenID Connect tokens for the client. For a better readability the steps are available as independent blogs / articles.

  1. Create OAuth client in Keycloak
  2. Create OAuth scope
  3. Add OAuth scope to client
  4. Get OpenID Connect tokens
Let the world know

Get OpenID Connect tokens from Keycloak

After creating an OAuth 2.0 scope and client and assigning the scope to the client, we can test the configuration. To do this, we need to log on in Keycloak as the OAuth 2.0 client. Keycloak will then validate the client and provide the Access Tokens and the scope(s) assigned to the client.

I will use Postman to test the setup. The Postman requests can be found in my GitLab repository. The request is as following:

  • Type: POST
  • URL: http://localhost:8080/auth/realms/master/protocol/openid-connect/token
  • Header: Content-Type application/x-www-form-urlencoded
  • Body: grant_type=client_credentials&client_id=oidclient&client_secret=7bc40a29-3eba-4c01-a9f1-9ebbb2eb8e9c

To authenticate, you need to send the client_id and client secret. These are the same values as for the client in Keycloak.

client_id: oidclient
client_secret: 7bc40a29-3eba-4c01-a9f1-9ebbb2eb8e9c

The parameter grant_type informs Keycloak about the authentification type we want. Client_credentials means that we send the client secret, and together with the client id this authenticates the client. Make sure to protect the client secret! This also explains why HTTPS is a minimum requirement.

grant_type: client_credentials

Result

Keycloak returns the JWT, including the access and refresh token as well as the scope. The assigned scope ZDEMO_CDS_SALESORDERITEM_CDS_0001 is included, allowing the client to access resources that are assigned to that scope.

{
   "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyeFlIOWNnTThaSzl2Rm1nSEN3QzFiMlRWQzdCZGNldWIyTjB0SGRjU3dZIn0.eyJqdGkiOiIzODM1ODk0My1jMDRmLTRhMTktOTVkMS0wMjY5YTYwNGUyYmUiLCJleHAiOjE1NzQzNDAwNDIsIm5iZiI6MCwiaWF0IjoxNTc0MzM2NDQyLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjBlMmQxMGIyLTQwOTMtNGUzNi1iMjJiLTQ0MTg4MTE5NjVjOCIsInR5cCI6IkJlYXJlciIsImF6cCI6Im9pZGNsaWVudCIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6Ijc2Y2QxOTY1LTFhYjgtNDM1ZC05NThiLWNiNDQxOGM1OWIwOCIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoiWkRFTU9fQ0RTX1NBTEVTT1JERVJJVEVNX0NEU18wMDAxIHByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImNsaWVudEhvc3QiOiIxNzIuMTcuMC4xIiwiY2xpZW50SWQiOiJvaWRjbGllbnQiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQtb2lkY2xpZW50IiwiY2xpZW50QWRkcmVzcyI6IjE3Mi4xNy4wLjEiLCJlbWFpbCI6InNlcnZpY2UtYWNjb3VudC1vaWRjbGllbnRAcGxhY2Vob2xkZXIub3JnIn0.CTrO-XuNM0pxa3xrJNZqGTkPzd88_AcvVKtbG7dy6cMwg_n8f1P2k2afoQMG-sN6JQzQ-Ei_0OIGkXrV6TGWLZqBI3Tgu3NKDoLMWu1PS7N9YA1ubXJN_277L91usWzqmaE_9o5Q6ubenh319tyBL5JUqe5veEfv5WabzwsbPqbx7BfiTf3iE0_xEyWrdXCT64s60hGRSUZqC8Pgz2qLKArfDF_Bs_w20R7Cr50qHx3WJQNO-w_X2DiufmgKD5Cb8Ue8TlpA9o5F88ZKzce-GVplJKY8d35Wjr07DuDTVFQzSWsBSM0Oi0FKuBYGy4mfXjcz8g0tKtcplf2UFurqmA",
    "expires_in": 3600,
    "refresh_expires_in": 1800,
   "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJmZmI5NDQ5ZS02MGIxLTQyZTMtYmEwYy1iNjQ0NDc0MjZiNDQifQ.eyJqdGkiOiJkMDc2Yzk3NS04ODA0LTRhNDUtODE3NS1jMmYxZDJjYzExZjIiLCJleHAiOjE1NzQzMzgyNDIsIm5iZiI6MCwiaWF0IjoxNTc0MzM2NDQyLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL21hc3RlciIsInN1YiI6IjBlMmQxMGIyLTQwOTMtNGUzNi1iMjJiLTQ0MTg4MTE5NjVjOCIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJvaWRjbGllbnQiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiI3NmNkMTk2NS0xYWI4LTQzNWQtOTU4Yi1jYjQ0MThjNTliMDgiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoiWkRFTU9fQ0RTX1NBTEVTT1JERVJJVEVNX0NEU18wMDAxIHByb2ZpbGUgZW1haWwifQ.blSzmr6gHXIhHY2ikAEXDiBfVQ17eVJsiWFdly8Krkk",
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "76cd1965-1ab8-435d-958b-cb4418c59b08",
    "scope": "ZDEMO_CDS_SALESORDERITEM_CDS_0001 profile email"
}

The content is encoded. Using a site like jwt.io, the content of the tokens can be decoded. For the access token:

{
	"jti": "38358943-c04f-4a19-95d1-0269a604e2be",
	"exp": 1574240042,
	"nbf": 0,
	"iat": 1574136442,
	"iss": "http://localhost:8080/auth/realms/master",
	"aud": "account",
	"sub": "0e2d10b2-4093-4e36-b22b-4418811965c8",
	"typ": "Bearer",
	"azp": "oidclient",
	"auth_time": 0,
	"session_state": "76cd1965-1ab8-435d-958b-cb4418c59b08",
	"acr": "1",
	"realm_access": {
		"roles": [
			"offline_access",
			"uma_authorization"
		]
	},
	"resource_access": {
		"account": {
			"roles": [
				"manage-account",
				"manage-account-links",
				"view-profile"
			]
		}
	},
	"scope": "ZDEMO_CDS_SALESORDERITEM_CDS_0001 profile email",
	"email_verified": false,
	"clientHost": "168.192.0.1",
	"clientId": "oidclient",
	"preferred_username": "service-account-oidclient",
	"clientAddress": "172.17.0.1",
	"email": "service-account-oidclient@placeholder.org"
}
Let the world know

Initial setup of profile generator in NW ABAP 7.5x Developer Edition

After installing NW ABAP 7.52 Developer Edition, you can run transaction PFCG and add new roles and authorizations. As the system is new, you first need to run transaction SU25 before you can create a new role and add authorizations to it.

Starting Profile Generator in PFCG for the first time will show a message.

Initially fill Profile Generator customer tables

Tx: SU25

Confirm that you know how to read SAP Notes.

The transaction shows a list of actions you can perform. As the system is a new one, do as the info message text stated: run action (1).

Click on Initially Fill the Customer Tables (1)

As the developer edition it is a standard SAP system, checking only the first item is enough.

The program is running and doing the needful.

After the loading finishes, a result screen is shown.

After executing the above steps, you can go back to profile generator and add new roles and authorizations.

Let the world know

Add OAuth 2.0 scope to client in Keycloak

After performing the previous steps in Keycloak, an OAuth 2.0 scope and client is available. To get the scope after the OAuth 2.0 client authenticates against Keycloak, you need to assign the scope to the client.

Log on to Keycloak and go to clients and select oidclient. This is the client created earlier.

Go to tab “Client Scopes”

Assign the previously created scope to the client.

Result

The scope is assigned to the client. Now the client can authenticate and Keycloak will issue the OIDC tokens and include the given scope.

Let the world know

Update PHP version on Amazon EC2

It was time to update the PHP version on my WordPress server. WordPress gave me warnings; the site health plugin gave me a warning. Plugins gave me warnings. PHP, IT news sites, the internet, warnings everywhere.

I knew that my PHP version was very old. But still supported. At least until beginning of 2019. When I configured the server for the first time several years ago, the installed PHP version was already not the latest. It was what yum install php gave me. Updating software is crucial, so I decided to finally touch my running system.

WordPress provides a site explaining how to update your PHP version. The update process in the documentation goes like: write an email to your hoster. Or: Not working in my case. For those that want to know how to update PHP on a Amazon AMI EC2 instance, here are the stops and my lessons learned.

Preparations

First, do a backup. Update WordPress and the plugins. Check that the plugins are compatible with PHP 7.2

  • Backup: See my blog on how to create a snapshot of a EC2 instance.
  • Update WordPress and plugins: Easy: just do as always and keep it up-to-date.
  • Check plugins for compatibility: A plugin is available to check the installed plugins and files for compatibility with PHP 7.x. Install and activate it and run a test.

The PHP Compatibility plugin is started from the WP Admin site. Hint: in my case, the plugin worked fine, but also crashed the server. After running it and saving the results, uninstall it.

This gives as an output an evaluation of the plugins and their compatibility status.

Update

Next step is to update PHP. Use the package manager for this. I’ll split the installation process in two parts: PHP and the additional packages.

sudo yum update
sudo yum install php72
sudo yum install php72-opcache php72-mysqlfnd php72-gd php72-pecl-imagick php72-bcmath

Result installation PHP 7.2

Result Installation of additional PHP packages

Activate PHP

After installing PHP 7.2 it must be activated. The old PHP version is still the default one, meaning that calling php is not calling php 7.2. To change the paths, run alternative. It will show the available alternatives and asks which one you want to use. I am going to use php 7.2, so the input here was 2.

alternatives --config php

php -version

Now PHP 7.2 is installed and activated. After restarting Apache WordPress will run on a newer PHP version.

Let the world know

Create OAuth 2.0 scope in Keycloak

OAuth uses scopes to restrict access to resources. “Scope is a mechanism in OAuth 2.0 to limit an application’s access to a user’s account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted.” [link]

A service is assigned to a scope, therefore without being allowed to access a scope, you cannot access the resource. You can create scopes independently from the resource, that is: first create a scope, then assign the scope to a service you want to access. In reality, you should first create the service and then assign a scope to it.

After knowing the scope, log in to Keycloak and create a client scope. Later this scope will be assigned to a client. If the client authenticates then in Keycloak, the scope is assigned to it and the client can access the service.

Click on create

In the following form, enter the data for the OAuth scope:

  • Name: Scope for service. Here I used ZDEMO_CDS_SALESORDERITEM_CDS_0001, a scope for a CDS Service. Don’t worry, it’s just an example, Gateway does not work with OpenId Connect.
  • Description: SAP Gateway OData service
  • Protocol: openid-connect
  • Display on Consent Screen: off

Save

The OAuth scope is created. It can now be assigned to a client.

Note

When you change the scope of the service, you need to update the scope information here too.

Let the world know

Add OAuth 2.0 client in Keycloak

In this article I will show how to add an OAuth 2.0 client in Keycloak.

Log in to Keycloak and select a realm. In a new (empty) installation of Keycloak, the realm Master is selected by default. The realm name is important, as it is part of the URL used later for OAuth authentication.

To create a new OAuth 2.0 client, click on create.

Insert your information for the client. Make sure the openid-connect is selected as client protocol.

Client ID: oidclient
Client Protocol: openid-connect

Click on save and the client configuration screen is shown. Here you can add and alter additional information.

Important

  • Access Type: confidential. This will require the OAuth 2.0 client to send a client secret to authenticate itself.
  • Service Accounts Enabled: On

  • Valid Redirect URIs: set to a valid one, like /

All other parameters should work as given.

Switch to tab Credentials

Here you can see the OAuth 2.0 client secret. As in the settings tab the access type was set to confidential, the client must send its client id and secret to Keycloak to authenticate itself. The client id is the name of the client (oidclient), and here you can see the secret: 7bc40…

You can now add the OAuth 2.0 scopes to the client.

Let the world know