RobiNET://system log, blog feed by Robert Socha (http://www.blogger.com/profile/01004864306686360835), last updated 2024-03-06

<h1>Dockerfile for Alpine image with cached packages</h1>
Published 2023-03-06
To speed up builds:
<pre class="brush: plain; toolbar: false">
# syntax=docker/dockerfile:1.5
FROM alpine
RUN --mount=type=cache,target=/var/cache/apk <<INSTALL
ln -s /var/cache/apk /etc/apk/cache
apk add -U \
curl \
bash \
go \
clang
rm /etc/apk/cache
INSTALL
</pre>

<h1>Docker's multi-platform images - some benchmarks - for M1/ARM and X86_64</h1>
Published 2022-12-24
<h1>Environment</h1>
<pre>
M1: 8 cores, 8 GB RAM, 4 cores for docker
X86_64 A: 4 cores, 8 GB RAM (AMD Ryzen 5 3600 6-Core Processor), VM with Ubuntu 22.04
X86_64 B: 16 cores, 64 GB RAM (AMD Ryzen 9 5950X 16-Core Processor), Ubuntu 22.04, bare metal
</pre>
On all nodes:
<pre>
docker run --rm --platform linux/amd64 alpine nproc
docker run --rm --platform linux/arm64 alpine nproc
</pre>
<br>
M1 / X86_64 A<br>
Result: 4
<br><br>
X86_64 B<br>
Result: 32
<h1>Dockerfile</h1>
Base Dockerfile:<br>
<pre class="brush: plain; toolbar: false">
FROM ubuntu:22.04
ADD https://www.php.net/distributions/php-8.2.0.tar.gz /src/
WORKDIR src
RUN tar xzf php-8.2.0.tar.gz && rm php-8.2.0.tar.gz
ARG DEBIAN_FRONTEND=noninteractive
ARG DEBCONF_NONINTERACTIVE_SEEN=true
RUN apt-get update -qq && \
apt-get dist-upgrade -qq && \
apt-get install -qq \
build-essential \
libxml2-dev \
pkg-config \
libsqlite3-dev \
libssl-dev \
zlib1g-dev \
libonig-dev \
libsodium-dev \
libzip-dev && \
apt-get clean all && \
find /var/lib/apt/lists/ -type f -delete
WORKDIR /src/php-8.2.0
RUN ./configure \
--enable-mbstring \
--with-openssl \
--with-zlib \
--enable-bcmath \
--enable-intl \
--with-sodium \
--with-zip
</pre><br>
Prepare linux/arm64 environment on X86_64:<br>
<pre class="brush: plain; toolbar: false">
docker run --privileged --rm tonistiigi/binfmt --install arm64
docker run --rm --platform linux/arm64 alpine uname -a
</pre>
Prepare images (on both nodes):
<br><br>
linux/amd64<br>
<pre class="brush: plain; toolbar: false">
export DOCKER_BUILDKIT=1
docker builder prune -a -f
docker build --platform linux/amd64 -t wyga/docker-benchmark-multi-arch:amd64 -f Dockerfile .
</pre>
<br>
Results:<br>
M1: 326 s<br>
X86_64 A: 60 s<br>
<br><br>
linux/arm64<br>
<pre class="brush: plain; toolbar: false">
export DOCKER_BUILDKIT=1
docker builder prune -a -f
docker build --platform linux/arm64 -t wyga/docker-benchmark-multi-arch:arm64 -f Dockerfile .
</pre>
<br>
Results:<br>
M1: 40 s<br>
X86_64 A: 554 s<br>
<br><br>
Images are also available from:<br>
<pre>
docker pull wyga/docker-benchmark-multi-arch:amd64
docker pull wyga/docker-benchmark-multi-arch:arm64
</pre>
<br>
<h2>Benchmarks</h2>
<pre class="brush: plain; toolbar: false">
export DOCKER_BUILDKIT=1
/usr/bin/time -p docker run --rm wyga/docker-benchmark-multi-arch:amd64 make
/usr/bin/time -p docker run --rm wyga/docker-benchmark-multi-arch:amd64 make -j4
/usr/bin/time -p docker run --rm wyga/docker-benchmark-multi-arch:arm64 make
/usr/bin/time -p docker run --rm wyga/docker-benchmark-multi-arch:arm64 make -j4
</pre>
<h3>X86_64 A</h3>
Results:<br>
<pre>
AMD64 make: 537 s
AMD64 make -j4: 158 s
ARM64 make: 7519 s
ARM64 make -j4: 2231 s
</pre>
<h3>X86_64 B</h3>
Results:<br>
<pre>
AMD64 make: 368 s
AMD64 make -j4: 111 s
ARM64 make: 4861 s
ARM64 make -j4: 1580 s
</pre>
<h3>M1</h3>
Results:<br>
<pre>
AMD64 make: 4424 s
AMD64 make -j4: 1570 s
ARM64 make: 471 s
ARM64 make -j4: 184 s
</pre>

<h1>The old story of /dev/md127</h1>
Published 2022-12-15
I always used this solution to make sure that /dev/mdN will still be /dev/mdN after a restart (to prevent the name changing to /dev/md127 after reboot).
<pre>
mdadm --examine --scan >/etc/mdadm/mdadm.conf
# edit /etc/mdadm/mdadm.conf
# on debian/ubuntu
update-initramfs -u -k all
</pre>
Another solution (basically RTFM):<br>
<pre>
mdadm --create /dev/md0 -l 1 -n 2 --metadata=1.2 --homehost=any /dev/sdb /dev/sdc
</pre>
homehost == any: this is the wildcard host name. By default mdadm inserts the current system hostname.<br>
Starting with kernel 5.19 there is a kernel option hostname= which can be used to set the hostname at boot (before userspace starts). This can also be used to keep the kernel and user-space hostnames consistent.<br>
This is related to metadata format 1.2. With metadata version 0.90 the "Preferred Minor" property is used instead.
<h1>basic nginx config</h1>
Published 2022-05-17
<pre>
server {
listen 80;
listen [::]:80;
server_name catch-all-for-nginx-wyga-cf;
server_name ~^test\d*\.nginx\.wyga\.cf$;
location /.well-known {
root /var/www/acme;
}
location / {
return https://$host;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name catch-all-for-nginx-wyga-cf;
server_name ~^test\d*\.nginx\.wyga\.cf$;
ssl_certificate /etc/nginx/tls/wyga-ca.pem;
ssl_certificate_key /etc/nginx/tls/wyga-ca.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
root /var/www/wyga;
index index.html;
location = /favicon.ico {
access_log off;
return 204;
}
location / {
try_files $uri $uri/ =404;
}
}
</pre>
<h1>self-signed certificate take 2</h1>
Published 2022-05-17
Generate a self-signed certificate (with the basic constraints extension CA:TRUE):
<pre>
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
-keyout /etc/nginx/tls/wyga-ca.key \
-out /etc/nginx/tls/wyga-ca.pem \
-subj '/CN=WYGA-CA/'
</pre>
Add the CA as trusted to your browser (works with Chrome).<br><br>
Regenerate the certificate with SNI names (subjectAltName):
<pre>
openssl req -x509 -nodes -sha256 -days 3650 \
-key /etc/nginx/tls/wyga-ca.key \
-out /etc/nginx/tls/wyga-ca.pem \
-subj '/CN=WYGA-CA/' \
-addext "subjectAltName = DNS:test.nginx.wyga.cf, DNS:test1.nginx.wyga.cf, DNS: test2.nginx.wyga.cf"
</pre>
Firefox is stricter in this respect; this approach will not work with that browser ;)<br>
<pre>
d="change-me"
{
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
-keyout "${d}.key" \
-out "${d}.pem" \
-subj '/CN=WYGA-CA/'
}
</pre>

<h1>nginx proxy for HP iLO BMC (HTML5 console only)</h1>
Published 2022-05-11
This is a PoC for proxying access to an HP iLO module via nginx. It allows access to the HTML5 console (no Java or .NET console).<br>
Tested only with iLO 4 (on ProLiant Gen9 servers)<br>
<br>
bmc.conf:<br>
<pre>
include /etc/nginx/bmc-nodes.conf;
# https://www.rfc-editor.org/rfc/rfc7230#section-6.1
# https://datatracker.ietf.org/doc/html/rfc6455#section-4.2.1
# For iLO Connection: Upgrade is case-sensitive...
map $http_upgrade $connection_upgrade {
default Upgrade;
'' close;
}
# You need to listen on https port
# This captures <bmc_node> from the host name and uses it to select the upstream (name to IP address mapping)
# For ex:
# server1.bmc.example.com
# serverN.bmc.example.com
# etc...
server {
listen 443 ssl;
server_name ~(?<bmc_node>.+)\.bmc\.example\.com;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_certificate /etc/nginx/tls/bmc.example.com.crt;
ssl_certificate_key /etc/nginx/tls/bmc.example.key;
proxy_http_version 1.1;
proxy_set_header Host $bmc_node;
# Set some message for unmapped hosts
#error_page 502 /bmc-missing.html;
# Set HTTP auth
#error_page 401 /bmc-auth.html;
#auth_basic "[BMC PROXY]";
#auth_basic_user_file /etc/nginx/bmc.passwd;
location / {
# Force keep-alive to upstream...
proxy_set_header Authorization '';
proxy_set_header Connection '';
proxy_pass https://$bmc_node;
}
# WebSocket connection for HTML5 Console
location /wss/ircport {
proxy_set_header Authorization '';
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 1800;
proxy_pass https://$bmc_node;
}
# error page for 502
#location = /bmc-missing.html {
# auth_basic off;
# internal;
# root /var/www/bmc/;
#}
# error page for 401
#location = /bmc-auth.html {
# auth_basic off;
# internal;
# root /var/www/bmc/;
#}
}
</pre>
<br>
bmc-nodes.conf
<pre>
upstream server1 {
server 10.0.0.1:443;
keepalive 4;
}
upstream server2 {
server 10.0.0.2:443;
keepalive 4;
}
...
upstream serverN {
server 10.0.0.N:443;
keepalive 4;
}
</pre>
<h1>docker - arbitrary bridge's interface name</h1>
Published 2022-04-27
For docker-compose:
<pre class="brush: plain; toolbar: false">
networks:
default:
driver_opts:
com.docker.network.bridge.name: br-name
</pre>
For CLI:
<pre class="brush: plain; toolbar: false">
docker network create -o com.docker.network.bridge.name=br-name name
</pre>
<h1>nginx vhost logging</h1>
Published 2022-04-27
<pre class="brush: plain; toolbar: false">
log_format vhost_extra '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"'
' rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
access_log /var/log/nginx/access.log vhost_extra;
</pre>

<h1>HP NC550SFP DualPort 10GbE firmware update</h1>
Published 2021-10-10
<blockquote>Hewlett-Packard Company NC550SFP DualPort 10GbE Server Adapter</blockquote>
<blockquote>Emulex Corporation OneConnect OCe10100/OCe10102 Series 10 GbE (rev 02)</blockquote>
Firmware for the card:
<a href="https://support.hpe.com/hpesc/public/swd/detail?swItemId=MTX_df124d8bd9a5482dacb949d39c" target="_blank">https://support.hpe.com/</a>
<a href="https://share.socha.it/public/hp-nc550sfp-firmware/UEFI_OneConnect-Flash-10.7.110.38-x64.iso">COPY</a>
<br />
System: Ubuntu 20.04 LTS
<br />
<pre>
mkdir ~/hp_update
cd ~/hp_update
wget "https://downloads.hpe.com/pub/softlib2/software1/cd-generic/p674746231/v119278/UEFI_OneConnect-Flash-10.7.110.38-x64.iso"
sudo mount UEFI_OneConnect-Flash-10.7.110.38-x64.iso /mnt
cp /mnt/initrd /mnt/UFI/oc10-4.9.416.15.ufi .
sudo umount /mnt
sudo mount initrd /mnt
cp /mnt/bin/flash .
</pre>
Update firmware:
<pre>
sudo rmmod be2net
sudo ./flash -c -x -f oc10-4.9.416.15.ufi
</pre>
After the update a reboot is required.
Tested on:
<blockquote>HP EliteDesk 800 G2 TWR / Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz / 32 GB RAM / firmware version 2.53</blockquote>
<blockquote>OptiPlex 7060 MT / Intel(R) Core(TM) i5-8500 CPU @ 3.00GHz / 32 GB RAM / firmware version 1.9.1</blockquote>
Notes:
<div><ul style="text-align: left;"><li>On the OptiPlex 7060 the "Enable Legacy OpROM" option had to be enabled</li><li>On the HP 800 G2 only UEFI worked</li></ul></div>

<h1>ssh batch execution</h1>
Published 2021-04-11
I always forget the correct syntax for this:
<pre class="brush: plain; toolbar: false">
ssh -o BatchMode=yes -o LogLevel=ERROR -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user@host cmd
</pre>

<h1>Traefik wildcard TLS with Digital Ocean DNS provider</h1>
Published 2021-02-28
<pre class="brush: plain; toolbar: false">
version: "3.5"
services:
gateway:
image: traefik:2.4
restart: always
environment:
DO_AUTH_TOKEN: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
command:
- --providers.docker
- --providers.docker.exposedbydefault=false
- --entrypoints.http.address=:80
- --entrypoints.https.address=:443
- --certificatesresolvers.le.acme.httpchallenge=false
- --certificatesresolvers.le.acme.httpchallenge.entryPoint=http
- --certificatesresolvers.le.acme.dnschallenge=true
- --certificatesresolvers.le.acme.dnschallenge.provider=digitalocean
- --certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=0
- --certificatesResolvers.le.acme.storage=/acme/acme.json
#- "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- acme:/acme
default:
image: nginx:stable
restart: always
labels:
- traefik.enable=true
- traefik.http.middlewares.redirect.redirectscheme.scheme=https
- traefik.http.routers.app-http.rule=HostRegexp(`{default:.*}`)
- traefik.http.routers.app-http.entrypoints=http
- traefik.http.routers.app-http.middlewares=redirect
- traefik.http.routers.app-https.rule=HostRegexp(`{default:.*}`)
- traefik.http.routers.app-https.entrypoints=https
- traefik.http.routers.app-https.tls=true
- traefik.http.routers.app-https.tls.certresolver=le
- traefik.http.routers.app-https.tls.domains[0].main=test.example.com
- traefik.http.routers.app-https.tls.domains[0].sans=*.test.example.com,other.example.pl,*.other.example.pl
volumes:
- ./:/usr/share/nginx/html
volumes:
acme:
# vim: set tabstop=2 shiftwidth=2 expandtab autoindent indentexpr= nosmartindent :
</pre>

<h1>CentOS 7/8 UEFI with ESP on RAID1</h1>
Published 2020-08-20
Kickstart configuration for RAID1 setup on UEFI firmware.
<pre class="brush: shell; toolbar: false">clearpart --all --initlabel
part raid.A0 --fstype=raid --ondisk=sda --size=512
part raid.A1 --fstype=raid --ondisk=sda --size=200
part raid.A2 --fstype=raid --ondisk=sda --size=1 --grow
part raid.B0 --fstype=raid --ondisk=sdb --size=512
part raid.B1 --fstype=raid --ondisk=sdb --size=200
part raid.B2 --fstype=raid --ondisk=sdb --size=1 --grow
raid /boot --device=0 --fstype=ext4 --level=1 raid.A0 raid.B0
raid /boot/efi --device=1 --fstype=efi --level=1 raid.A1 raid.B1
raid pv.1 --device=2 --fstype=lvmpv --level=1 raid.A2 raid.B2
volgroup storage pv.1
logvol / --fstype=ext4 --name=root --vgname=storage --size=8192
logvol swap --name=swap --vgname=storage --size=8192
logvol /srv --fstype=xfs --name=srv --vgname=storage --size=1 --grow
</pre>
All partitions are marked as RAID type (no esp or boot flags).<div>The MDRAID for the ESP is created with the 1.0 metadata format (metadata at the end of the partition), so the firmware can read the mirrored ESP as a plain FAT partition.</div>

<h1>Apache + PHP - deny policy</h1>
Published 2020-05-27
This is a sample config for Apache + PHP (mod_php) which by default blocks all .php files and allows only the specified locations:
<pre class="brush: shell; toolbar: false">
php_admin_value engine off
<FilesMatch "\.php$">
Deny from All
</FilesMatch>
<Location /index.php>
Allow From All
php_admin_value engine on
</Location>
<Location /sample/>
Allow From All
php_admin_value engine on
</Location>
</pre>
This assumes there is a catch-all rewrite to index.php somewhere (.htaccess or vhost).
<h1>IPSec policy via plain old setkey</h1>
Published 2020-02-06
In the old days I sometimes used IPSec keying (PSK) via manual rules (no IKE at all). I needed a sample config for some PoC stuff.
So for "future" use:
On one side:
<pre>
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
spdadd 100.100.0.0/16 100.64.0.0/16 any -P in ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16 100.100.0.0/16 any -P out ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
</pre>
On other side:
<pre>
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
spdadd 100.100.0.0/16 100.64.0.0/16 any -P out ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16 100.100.0.0/16 any -P in ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
</pre>
Only the spdadd policy direction changes between the two sides.
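The two scripts differ only in the -P in/-P out direction, and the keys have to be identical on both hosts, which is error-prone when typed by hand. The generator below is an added example, not part of the original post: it writes both files from one parameter set, draws the keys from /dev/urandom (32 bytes for blowfish-cbc, 20 bytes for hmac-sha1, as setkey 0x hex literals), restricts the files to the owner since they contain the keys, and checks that the two outputs differ only in the policy direction. The addresses, subnets and SPIs in the usage line are constructed placeholders; the algorithms are the ones from the post and are kept only for fidelity with the configuration above (both are legacy choices).

```shell
#!/bin/sh
# Added example: generates the two setkey scripts from the post from one
# parameter set. Not part of the original post; addresses, subnets and SPIs
# used below are constructed placeholders.
set -eu

# random_key BYTES: BYTES random bytes as a setkey hex literal (0x...).
random_key() {
    printf '0x%s' "$(head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# emit_setkey IP1 IP2 NET1 NET2 SPI1 SPI2 EK1 AK1 EK2 AK2 DIR_A DIR_B
# Writes one side's script to stdout. DIR_A is the policy direction for
# NET1->NET2 traffic on that host, DIR_B the direction for NET2->NET1.
emit_setkey() {
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;
add $1 $2 esp $5 -m tunnel -E blowfish-cbc $7 -A hmac-sha1 $8;
add $2 $1 esp $6 -m tunnel -E blowfish-cbc $9 -A hmac-sha1 ${10};
spdadd $3 $4 any -P ${11} ipsec esp/tunnel/$1-$2/require;
spdadd $4 $3 any -P ${12} ipsec esp/tunnel/$2-$1/require;
EOF
}

# gen_setkey_pair OUT_A OUT_B IP1 IP2 NET1 NET2
# OUT_A is "one side" from the post (NET1->NET2 is inbound there),
# OUT_B is "other side". Same SAs and keys, swapped policy directions.
gen_setkey_pair() {
    out_a=$1 out_b=$2 ip1=$3 ip2=$4 net1=$5 net2=$6
    ek1=$(random_key 32) ak1=$(random_key 20)   # blowfish-cbc 256-bit, hmac-sha1 160-bit
    ek2=$(random_key 32) ak2=$(random_key 20)   # separate keys per direction
    emit_setkey "$ip1" "$ip2" "$net1" "$net2" 0x1000 0x2000 \
        "$ek1" "$ak1" "$ek2" "$ak2" in out >"$out_a"
    emit_setkey "$ip1" "$ip2" "$net1" "$net2" 0x1000 0x2000 \
        "$ek1" "$ak1" "$ek2" "$ak2" out in >"$out_b"
    chmod 600 "$out_a" "$out_b"   # the files contain the keys
}

# check_pair FILE_A FILE_B: succeeds when the two scripts are identical once the
# policy direction is masked, i.e. only "-P in"/"-P out" differ (and they do differ).
check_pair() {
    mask() { sed -e 's/-P in /-P DIR /' -e 's/-P out /-P DIR /' "$1"; }
    [ "$(mask "$1")" = "$(mask "$2")" ] && ! cmp -s "$1" "$2"
}

# Usage: sh setkey-pair.sh side-a.conf side-b.conf IP1 IP2 NET1/MASK NET2/MASK
if [ "$#" -eq 6 ]; then
    gen_setkey_pair "$@"
    check_pair "$1" "$2" && echo "wrote $1 and $2"
fi
```

Copy each file to its host over a trusted channel only; the keys inside are the whole secret of a manually keyed tunnel, and there is no rekeying, so regenerate the pair whenever a key may have been exposed.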
<h1>What is my IP? DNS way...</h1>
Published 2020-01-24
What is my IP via a <a href="https://github.com/rjsocha/dns-reflector">custom DNS server</a>:
<pre class="brush: shell; toolbar: false">
dig @ip.socha.it tell-me-my-ip +short
</pre>
Other use cases:
<pre class="brush: shell; toolbar: false">
dig @ip.socha.it ip +short
dig @ip.nauka.ga ip +short
dig @ip.automatus.cf ip +short
dig @ip.socha.it ip TXT +short
dig @ip.socha.it ip TXT +short +tcp
</pre>

<h1>What is my IP? The nginx way...</h1>
Published 2020-01-24
Pure nginx solution ;)
<pre class="brush: shell; toolbar: false">
curl -sf ip.socha.it
</pre>
or
<pre class="brush: shell; toolbar: false">
curl -sf ip.socha.it/eol
</pre>
<br />
Nginx configuration:
<pre class="brush: shell; toolbar: false">
server {
listen 80;
server_name ip.socha.it;
default_type "text/plain";
location /eol {
return 200 "$remote_addr\n";
}
location / {
return 200 $remote_addr;
}
}
</pre>
<h1>Traefik v2 - private docker repository</h1>
Published 2020-01-19
It's time to migrate from Traefik v1 to Traefik v2.<br /><br />
Sample project based on a docker-compose service definition: a private docker registry.<br /><br />
Quick setup:<br />
<pre class="brush: shell; toolbar: false">
curl -sf automatus.cf/private-registry | bash
</pre>
<br />
Or step by step.
<br /><br />
<li>Install docker & docker-compose
<li>Create required directories
<pre class="brush: shell; toolbar: false">
mkdir registry
cd registry
mkdir {auth,default}
</pre>
<li>Create docker-compose.yml file:
<br />
<pre class="brush: plain; toolbar: false">
version: '3'
services:
gateway:
image: traefik:2.1
restart: always
command:
- "--providers.docker"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.http.address=:80"
- "--entrypoints.https.address=:443"
- "--certificatesResolvers.le.acme.httpchallenge=true"
- "--certificatesResolvers.le.acme.httpchallenge.entryPoint=http"
- "--certificatesResolvers.le.acme.storage=/acme/acme.json"
#- "--api.insecure=true"
#- "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
ports:
- 80:80
- 443:443
# API
#- 8080:8080
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- acme:/acme
- ./auth:/auth
registry:
restart: always
image: registry:2
environment:
REGISTRY_HTTP_SECRET: change-me
labels:
- "traefik.enable=true"
- "traefik.http.routers.http.rule=Host(`hostname-change-me`)"
- "traefik.http.routers.http.entrypoints=http"
- "traefik.http.routers.https.rule=Host(`hostname-change-me`)"
- "traefik.http.routers.https.entrypoints=https"
- "traefik.http.routers.https.tls=true"
- "traefik.http.routers.https.tls.certresolver=le"
- "traefik.http.middlewares.server-header.headers.customresponseheaders.server=docker-registry"
- "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.auth.basicauth.usersFile=/auth/passwd"
- "traefik.http.middlewares.auth.basicauth.realm=REGISTRY"
- "traefik.http.routers.http.middlewares=redirect,server-header"
- "traefik.http.routers.https.middlewares=server-header,auth"
volumes:
- registry:/var/lib/registry
# Catch-all default vhost
default:
image: nginx:stable
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.default.rule=HostRegexp(`{default:.*}`)"
- "traefik.http.routers.default.entrypoints=http"
- "traefik.http.routers.default.priority=1"
- "traefik.http.routers.default.middlewares=server-header"
volumes:
- ./default/default.conf:/etc/nginx/conf.d/default.conf
volumes:
acme:
registry:
# vim: set tabstop=2 shiftwidth=2 expandtab autoindent indentexpr= nosmartindent :
</pre>
<li>Create default/default.conf file:
<pre class="brush: plain; toolbar: false">
server {
listen 80 default_server;
return 204;
}
</pre>
<li>Create a user and password for registry access:
<pre class="brush: shell; toolbar: false">
# -c creates the file; do not also redirect stdout into it, the redirect would truncate it first
htpasswd -B -c auth/passwd username
# or, without htpasswd installed locally (-n prints the entry to stdout; -b takes the password on the command line, so it lands in shell history)
docker run --rm httpd:alpine htpasswd -nbB username 'change-me' >auth/passwd
</pre>
<li>Start project
<pre class="brush: shell; toolbar: false">
docker-compose up -d
</pre>

<h1>PowerShell - signing scripts (self-signed cert)</h1>
Published 2019-01-25
<pre class="brush: powershell; toolbar: false">
# CA generation
# {hex}30030101FF => ASN.1 BasicConstraints: CA:TRUE
# $asn1=([System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($true, $false, 0, $true)).RawData
# $asn1 | Format-Hex -Encoding Ascii
$ca_params =@{
"Type" = "Custom";
"Subject" = "CN=Local CA";
"FriendlyName" = "Local CA";
"KeyAlgorithm" = "RSA";
"KeyLength" = 2048;
"KeyUsage" = "CertSign";
"TextExtension" = @("2.5.29.19={critical}{hex}30030101FF");
"NotAfter" = ((Get-Date).AddYears(10));
"CertStoreLocation" = "Cert:\CurrentUser\My";
}
$root=New-SelfSignedCertificate @ca_params
$root.ToString()
$cert_params =@{
"Signer" = $root;
"Type" = "CodeSigningCert";
"Subject" = "CN=Robert Socha";
"FriendlyName" = "Robert Socha CS";
"KeyAlgorithm" = "RSA";
"KeyLength" = 2048;
"KeyUsage" = "DigitalSignature";
"NotAfter" = ((Get-Date).AddYears(10));
"CertStoreLocation" = "Cert:\CurrentUser\My";
}
# Code-signing certificate generation
$code=New-SelfSignedCertificate @cert_params
$code.ToString()
# Export the CA certificate into the trusted root store
$ca_file = [System.IO.Path]::GetTempFileName()
Export-Certificate -Type CERT -Cert $root -FilePath $ca_file -Force
Import-Certificate -CertStoreLocation Cert:\CurrentUser\Root -FilePath $ca_file
# Export the signing certificate into the Trusted Publishers store
Export-Certificate -Type CERT -Cert $code -FilePath $ca_file -Force
Import-Certificate -CertStoreLocation Cert:\CurrentUser\TrustedPublisher -FilePath $ca_file
Remove-Item $ca_file
# $code=(Get-ChildItem cert:\CurrentUser\my -CodeSigningCert)[0]
# Script to be signed
'Write-Host "Hello, World!"' >.\sign_me.ps1
# https://go.microsoft.com/fwlink/?LinkID=135170
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser -Force
# Default value on Windows client editions
# Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser -Force
Set-AuthenticodeSignature .\sign_me.ps1 $code
.\sign_me.ps1
</pre>
<a href="https://gist.github.com/rjsocha/2de5405ed773cbac78dbe6d1d3761af9">GIST</a>
<h1>Time-Stamp Protocol (RFC 3161) + openssl</h1>
Published 2019-01-25
TSP servers:<br />
<br />
<ul>
<li><a href="http://time.certum.pl/">http://time.certum.pl</a></li>
<li><a href="https://freetsa.org/">https://freetsa.org</a></li>
</ul>
<br />
<pre class="brush: bash; toolbar: false">
# Data file:
echo "Hello, World!" >data.txt
# Creating the query
openssl ts -query -data data.txt -no_nonce -sha512 -out data.tsq
openssl ts -query -in data.tsq -text
</pre>
<blockquote>
<pre class="brush: plain; toolbar: false; gutter: false">
Version: 1
Hash Algorithm: sha512
Message data:
0000 - 92 16 18 bc 6d 9f 80 59-43 7c 5e 03 97 b1 3f 97 ....m..YC|^...?.
0010 - 3a b7 c7 a7 b8 1f 0c a3-1b 70 bf 44 8f d8 00 a4 :........p.D....
0020 - 60 b6 7e fd a0 02 00 88-bc 97 bf 7d 9d a9 7a 9e `.~........}..z.
0030 - 2c e7 b2 0d 46 e0 66 46-2e c4 4c f6 02 84 f9 a7 ,...F.fF..L.....
Policy OID: unspecified
Nonce: unspecified
Certificate required: no
Extensions:
</pre>
</blockquote>
<pre class="brush: bash; toolbar: false">
# Query that also requests the signing certificate
openssl ts -query -data data.txt -no_nonce -sha512 -cert -out data-cert.tsq
openssl ts -query -in data-cert.tsq -text
</pre>
<blockquote>
<pre class="brush: plain; toolbar: false; gutter: false">
Version: 1
Hash Algorithm: sha512
Message data:
0000 - 92 16 18 bc 6d 9f 80 59-43 7c 5e 03 97 b1 3f 97 ....m..YC|^...?.
0010 - 3a b7 c7 a7 b8 1f 0c a3-1b 70 bf 44 8f d8 00 a4 :........p.D....
0020 - 60 b6 7e fd a0 02 00 88-bc 97 bf 7d 9d a9 7a 9e `.~........}..z.
0030 - 2c e7 b2 0d 46 e0 66 46-2e c4 4c f6 02 84 f9 a7 ,...F.fF..L.....
Policy OID: unspecified
Nonce: unspecified
Certificate required: yes
Extensions:
</pre>
</blockquote>
<pre class="brush: bash; toolbar: false">
# Sending the query to the server
curl -s -H "Content-Type: application/timestamp-query" \
--data-binary @data.tsq \
http://time.certum.pl -o data.tsr
curl -s -H "Content-Type: application/timestamp-query" \
--data-binary @data-cert.tsq \
http://time.certum.pl -o data-cert.tsr
# Or using tsget
# The curl bindings for perl may need to be installed: apt-get install libwww-curl-perl
/usr/lib/ssl/misc/tsget -h http://time.certum.pl/ -e .tsr -v data.tsr data-cert.tsq
#> data.tsr: sending request, reply received, ./data.tsr written.
#> data-cert.tsq: sending request, reply received, ./data-cert.tsr written.
# Information about the reply
openssl ts -reply -in data.tsr -text
</pre>
The reply file. For data-cert.tsr it looks the same (only the file size differs).
<br />
<blockquote>
<pre class="brush: plain; toolbar: false; gutter: false">
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified
TST info:
Version: 1
Policy OID: 1.2.616.1.113527.2.5.1.11
Hash Algorithm: sha512
Message data:
0000 - 92 16 18 bc 6d 9f 80 59-43 7c 5e 03 97 b1 3f 97 ....m..YC|^...?.
0010 - 3a b7 c7 a7 b8 1f 0c a3-1b 70 bf 44 8f d8 00 a4 :........p.D....
0020 - 60 b6 7e fd a0 02 00 88-bc 97 bf 7d 9d a9 7a 9e `.~........}..z.
0030 - 2c e7 b2 0d 46 e0 66 46-2e c4 4c f6 02 84 f9 a7 ,...F.fF..L.....
Serial number: 0x038D7EAE927662
Time stamp: Jan 25 00:17:48 2019 GMT
Accuracy: 0x01 seconds, unspecified millis, unspecified micros
Ordering: no
Nonce: unspecified
TSA: DirName:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum EV TSA SHA2
Extensions:
</pre>
</blockquote>
Download the CA and intermediate certificates (the intermediate is required for data.tsr, which carries no certificates) from this page: <a href="https://www.certum.pl/pl/wsparcie/cert_wiedza_zaswiadczenia_klucze_certum/">https://www.certum.pl/pl/wsparcie/cert_wiedza_zaswiadczenia_klucze_certum/</a>
<br />
<pre class="brush: bash; toolbar: false">
wget https://www.certum.pl/CTNCA.pem
wget https://www.certum.pl/pl/upload_module/wysiwyg/zaswiadczenia/Certum_EV_TSA_SHA2/TSA-SHA2.pem
# Verification
# Reply that includes the signing key's certificate
openssl ts -verify -data data.txt -in data-cert.tsr -CAfile CTNCA.pem
# Reply without certificates: the TSA certificate has to be supplied as untrusted
openssl ts -verify -data data.txt -in data.tsr -CAfile CTNCA.pem -untrusted TSA-SHA2.pem
</pre>
<br />
<a href="https://www.openssl.org/docs/manmaster/man1/ts.html">man openssl ts</a><br />
<a href="https://www.openssl.org/docs/man1.0.2/apps/tsget.html">man openssl tsget</a>

<h1>CentOS 7 and bonding</h1>
Published 2016-04-19
Setup:
/etc/modules-load.d/bonding.conf:<br />
<pre class="brush: bash;toolbar: false">
bonding
</pre>
/etc/modprobe.d/bonding.conf:<br />
<pre class="brush: bash">
options bonding max_bonds=0
</pre>
/etc/sysconfig/network-scripts/ifcfg-host0:<br/>
<pre class="brush: bash;toolbar: false">
NAME="host0"
DEVICE="host0"
NM_CONTROLLED=no
ONBOOT=yes
USERCTL=no
TYPE=Ethernet
BOOTPROTO=none
BONDING_OPTS="mode=802.3ad lacp_rate=slow miimon=250 xmit_hash_policy=layer2+3"
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPADDR=192.168.1.1
PREFIX=31
GATEWAY=192.168.1.0
</pre>
/etc/sysconfig/network-scripts/ifcfg-eno1:<br/>
<pre class="brush: bash;toolbar: false;">
NAME=eno1
DEVICE=eno1
TYPE=Ethernet
USERCTL=no
SLAVE=yes
MASTER=host0
BOOTPROTO=none
ONBOOT=yes
NM_CONTROLLED=no
</pre>
/etc/sysconfig/network-scripts/ifcfg-eno2:<br/>
<pre class="brush: bash;toolbar: false;">
NAME=eno2
DEVICE=eno2
TYPE=Ethernet
USERCTL=no
SLAVE=yes
MASTER=host0
BOOTPROTO=none
ONBOOT=yes
NM_CONTROLLED=no
</pre>

<h1>Debian and bonding</h1>
Published 2016-04-16
Setup:
<pre class="brush: plain;toolbar: false;">
apt-get install vlan ifenslave
</pre>
/etc/modules:<br />
<pre class="brush: plain;toolbar: false;">
bonding
</pre>
/etc/modprobe.d/bonding.conf:<br />
<pre class="brush: plain;toolbar: false;">
options bonding max_bonds=0
</pre>
/etc/network/interfaces:<br />
<pre class="brush: plain;toolbar: false;">
auto host0
iface host0 inet static
address 192.168.1.2
netmask 255.255.255.248
gateway 192.168.1.1
bond-slaves eno1 eno2
bond-mode 802.3ad
bond-miimon 250
bond-xmit-hash-policy layer2+3
</pre>

<h1>iproute2 vlan</h1>
Published 2016-04-16
<pre>ip link add link eth0 name eth0.100 type vlan id 100
ip link delete eth0.100
</pre>
<h1>Bonding via sysfs</h1>
Published 2016-04-16
<pre class="brush: plain;toolbar: false;">modprobe bonding max_bonds=0</pre>
<pre class="brush: plain;toolbar: false;">echo +host0 > /sys/class/net/bonding_masters
echo 802.3ad > /sys/class/net/host0/bonding/mode
echo +eno1 > /sys/class/net/host0/bonding/slaves
echo +eno2 > /sys/class/net/host0/bonding/slaves
</pre>
<h1>pygrub GRUB2 XEN</h1>
Published 2015-07-11
<div>
Change line 428 of pygrub from:</div>
<div>
<br /></div>
<blockquote class="tr_bq">
if arg.strip() == "${saved_entry}":</blockquote>
<div>
<br /></div>
<div>
into:</div>
<div>
<br /></div>
<blockquote class="tr_bq">
if arg.strip() == "${saved_entry}" or arg.strip() == "${next_entry}":</blockquote>
<div>
<br /></div>
<div>
from: <a href="http://virantha.com/2014/05/21/ubuntu-14-04-trusty-on-xenserver-62/">http://virantha.com/2014/05/21/ubuntu-14-04-trusty-on-xenserver-62/</a></div>
<div>
<br /></div>
<h1>Verifying that a certificate and private key match</h1>
Published 2014-11-23
<blockquote class="tr_bq">
openssl x509 -noout -modulus -in server.crt | openssl md5<br />
openssl rsa -noout -modulus -in server.key | openssl md5<br />
openssl req -noout -modulus -in server.csr | openssl md5
</blockquote>
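An added example, not code from this post or from the "self-signed certificate take 2" post above: it builds the layout that post needs to get past the Firefox restriction it mentions, a private CA (CA:TRUE) signing a separate server certificate (CA:FALSE, serverAuth, with the SAN list) instead of reusing the CA certificate as the server certificate, and then applies the modulus comparison from this post to confirm which key belongs to which certificate and which does not. Directory layout, file names, subjects and host names are constructed for the example; openssl is assumed to be installed, and the `-CAcreateserial` call writes ca.srl beside ca.pem.

```shell
#!/bin/sh
# Added example, not from the original posts: a private CA signing a separate
# server certificate that carries the SAN names, plus the modulus check used in
# the post above to tell which key belongs to which certificate.
# File names, subjects and host names below are constructed for the example.
set -eu

# make_ca DIR: self-signed CA key + certificate (openssl req -x509 marks it CA:TRUE).
make_ca() {
    openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
        -keyout "$1/ca.key" -out "$1/ca.pem" -subj '/CN=WYGA-CA/' 2>/dev/null
}

# make_leaf DIR CN SANS: new server key + CSR, signed by the CA from DIR.
# SANS is the subjectAltName value, e.g. 'DNS:a.example,DNS:b.example'.
# The leaf is explicitly CA:FALSE and restricted to serverAuth.
make_leaf() {
    openssl req -new -nodes -sha256 -newkey rsa:2048 \
        -keyout "$1/server.key" -out "$1/server.csr" -subj "/CN=$2/" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' "subjectAltName=$3" >"$1/leaf.ext"
    openssl x509 -req -sha256 -days 825 -in "$1/server.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/leaf.ext" -out "$1/server.pem" 2>/dev/null
}

# modulus_md5 FILE: MD5 of the RSA modulus of a .key, .csr or certificate file
# (the comparison from the post; equal digests mean the same key pair).
modulus_md5() {
    case $1 in
        *.key) openssl rsa -noout -modulus -in "$1" ;;
        *.csr) openssl req -noout -modulus -in "$1" ;;
        *)     openssl x509 -noout -modulus -in "$1" ;;
    esac | openssl md5 | sed 's/^.*= *//'
}

# key_matches FILE1 FILE2: succeeds when both files carry the same modulus.
key_matches() {
    [ "$(modulus_md5 "$1")" = "$(modulus_md5 "$2")" ]
}

# chain_ok CA_PEM CERT_PEM: the certificate verifies against the CA.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_san CERT_PEM NAME: NAME is listed as a DNS subjectAltName entry.
has_san() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -qF "DNS:$2"
}

# Usage: sh ca-leaf.sh DIR   (DIR must exist; creates ca.* and server.* there)
if [ "$#" -eq 1 ]; then
    make_ca "$1"
    make_leaf "$1" test.nginx.wyga.cf \
        'DNS:test.nginx.wyga.cf,DNS:test1.nginx.wyga.cf,DNS:test2.nginx.wyga.cf'
    key_matches "$1/server.key" "$1/server.pem" && echo "server.key matches server.pem"
    chain_ok "$1/ca.pem" "$1/server.pem" && echo "server.pem chains to ca.pem"
fi
```

The modulus comparison only applies to RSA; for EC keys compare the public key itself, e.g. the output of `openssl pkey -in server.key -pubout` against `openssl x509 -in server.pem -noout -pubkey`, which works for any key type. Only ca.pem needs to be imported into the browser; server.key and server.pem go into the nginx ssl_certificate_key and ssl_certificate directives, and ca.key stays off the web server.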