Tuesday, April 2, 2019

How to use firewalld to filter traffic to docker

Note: my platform is Docker CE 18.09 on CentOS 7; YMMV. I only recently started using Docker, but there is one very important thing you need to know:
By default, every external source IP is allowed to reach any published container port. Docker inserts its own iptables rules ahead of the host firewall, so firewalld zone rules do not filter that traffic; the DOCKER-USER chain is the one hook Docker evaluates before its own rules.

Filtering by IP is actually easy once you know how, but I had a hell of a time finding the key information. For me it came down to three things:
1. If the DOCKER-USER chain is not present when Docker starts, Docker creates it with a single RETURN rule, i.e. everything passes straight through it; therefore:
2. you must stop the docker service before configuring the DOCKER-USER iptables chain, and
3. you must add the DOCKER-USER chain (and its rules) and reload firewalld before the docker service starts.

partial reference: https://github.com/moby/moby/issues/35043

i.e.:

service docker stop
firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -i ens224 -s 1.2.3.4 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 2 -i ens224 -s 5.6.7.8 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 3 -i ens224 -j DROP
service firewalld reload
service docker start
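Two caveats before calling this done. A bare "-i ens224 -j DROP" in DOCKER-USER also drops the replies to connections that containers themselves open: they come back in on ens224, traverse FORWARD, and hit DOCKER-USER before Docker's own RELATED,ESTABLISHED rule. So put an ACCEPT for "-m conntrack --ctstate RELATED,ESTABLISHED" in front of the DROP (priority 0 in the firewall-cmd sequence above). And because a later "firewall-cmd --reload" flushes Docker's own iptables rules, restart docker after every firewalld reload. The script below is an added example, not part of the original post: it reads iptables-save output (a real one piped in, or the constructed samples embedded here) and checks that DOCKER-USER is the first jump in FORWARD and that the conntrack accept comes before the interface DROP.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the DOCKER-USER
# wiring from `iptables-save` output. On a real host, source this file and run
#     iptables-save | check_docker_user ens224
#
# check_docker_user IFACE   reads iptables-save text on stdin, prints one
#                           OK/FAIL line, returns 0 on OK and 1 on FAIL
check_docker_user() {
    iface="$1"
    rules=$(cat)

    # 1. Docker inserts "-j DOCKER-USER" as the first FORWARD rule. If it is not
    #    first (e.g. firewalld was reloaded after docker started and Docker's
    #    rules were flushed), nothing in DOCKER-USER is consulted at all.
    first_forward=$(printf '%s\n' "$rules" | grep -e '^-A FORWARD ' | head -n 1)
    case "$first_forward" in
        *"-j DOCKER-USER"*) ;;
        *) echo "FAIL: first FORWARD rule is not a jump to DOCKER-USER (${first_forward:-no FORWARD rules at all})"
           return 1 ;;
    esac

    # 2. Pull out the chain body, in rule order.
    chain=$(printf '%s\n' "$rules" | grep -e '^-A DOCKER-USER ')
    [ -n "$chain" ] || { echo "FAIL: DOCKER-USER chain is empty or missing"; return 1; }

    # 3. The DROP for the external interface must exist ...
    drop_line=$(printf '%s\n' "$chain" | grep -n -e "-i $iface .*-j DROP" | head -n 1 | cut -d: -f1)
    [ -n "$drop_line" ] || { echo "FAIL: no '-i $iface ... -j DROP' rule in DOCKER-USER"; return 1; }

    # 4. ... and a RELATED,ESTABLISHED accept must come before it, or replies to
    #    connections that containers open are dropped on the way back in.
    est_line=$(printf '%s\n' "$chain" \
        | grep -n -E -e '--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT' \
        | head -n 1 | cut -d: -f1)
    if [ -z "$est_line" ] || [ "$est_line" -gt "$drop_line" ]; then
        echo "FAIL: no conntrack RELATED,ESTABLISHED accept ahead of the DROP (rule $drop_line) in DOCKER-USER"
        return 1
    fi

    echo "OK: DOCKER-USER is first in FORWARD and filters $iface, conntrack pass-through at rule $est_line"
    return 0
}

# Constructed samples (abridged, not captured from a real host). GOOD is what
# the post's sequence plus a conntrack accept at priority 0 produces; BAD is
# the post's sequence exactly as written, which drops container-initiated replies.
SAMPLE_GOOD='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -s 1.2.3.4/32 -i ens224 -j ACCEPT
-A DOCKER-USER -s 5.6.7.8/32 -i ens224 -j ACCEPT
-A DOCKER-USER -i ens224 -j DROP
-A DOCKER-USER -j RETURN
COMMIT'
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_GOOD" | grep -v -e '^-A DOCKER-USER -m conntrack')

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_GOOD" | check_docker_user ens224
printf '%s\n' "$SAMPLE_BAD"  | check_docker_user ens224 || :
```

The check deliberately reads iptables-save rather than firewall-cmd's view of its direct rules: what firewalld thinks it configured and what is actually loaded in the kernel diverge exactly in the reload-ordering cases the post describes, and only the kernel's rule order decides what gets through.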

Friday, October 19, 2018

yum repolist without connecting to repos


Here's how you get yum to list all the configured repos, without actually connecting to any of them (e.g. if your system is offline):

yum -C repolist all

The "-C" (--cacheonly) option tells yum to run entirely from the local cache, no matter how old the cache is.


Wednesday, August 15, 2018

Windows Schannel error event ID 36871 a fatal error occurred while creating an SSL server credential. The internal error state is 10011


I recently encountered this error on a Windows 7 system, after a vendor-provided update to some third-party software.  RDP stopped working after the update, and the problem turned out to be layered.  The TL;DR version is this:  FIPS was enabled, but the cipher suite settings did not include any FIPS-compliant suites.

First, the simple part:  the vendor disabled RDP via GPO.  That's an easy thing to undo and I won't detail it here.

But even after enabling RDP via GPO, it still wouldn't work.  The RDP client wouldn't connect.  When I connected with openssl s_client I got this:

# openssl s_client -connect system:3389
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Looking in the Windows Event Log, I found an error from Schannel with Event ID 36871, and the error text "a fatal error occurred while creating an SSL server credential.  The internal error state is 10011."

I eventually narrowed this down to the fact that the vendor had turned on the "Use FIPS compliant algorithms" security policy.  However, on this system I had restricted the allowed cipher suites to "modern" ones such as ECDHE-RSA-AES256-SHA384, which is not FIPS-compliant but is more secure; i.e. FIPS-compliant algorithms are old and less secure.

So the fix was to disable FIPS again.  Given the diagnosis above, the other way out is to leave FIPS on and put at least one suite that Schannel accepts in FIPS mode back into the cipher suite order: with FIPS on and no such suite configured, Schannel cannot build a server credential at all, which is exactly what event 36871 reports.

Wednesday, August 9, 2017

Setup meinberg NTP client on Windows Server 2012 using ntp service account


I recently attempted to install the Meinberg NTP client on a Windows Server 2012 system, but ran into a problem during the installation.  At one point, the installer asks you what account to use for the service:  1) a newly-created "ntp" service account, or 2) run as SYSTEM (there might be a third option, I don't remember).

Running ntp as SYSTEM seems like asking for trouble; you should always run services with the least privileges required.  So of course I chose to use the "ntp" service account.  I had successfully used it before on Windows 7 systems.

However, upon clicking "Next", the installer crashed!  Looks like the installer created an "ntp" account, but it was disabled, and had no password set.  Also, the service was not installed.

Here's what I did to workaround the issue:

  1. Run the installer again, this time using the SYSTEM account for the service
  2. Manually create the "ntp" user.  (optional:  set password to never expire)
  3. Open gpedit.msc 
  4. Under Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment, add "ntp" to the following:
  • Change the system time
  • Deny access to this computer from the network
  • Deny log on as a batch job
  • Deny log on locally
  • Increase scheduling priority
  • Log on as a service
That done, you can open "services.msc" and change the service to log on as the "ntp" account.  Then restart the service.

Friday, August 4, 2017

Bonnie Tyler - Total Eclipse of the Heart - lyrics to the second verse

The complete lyrics to Bonnie Tyler's "Total Eclipse of the Heart" are nowhere to be found on the internet! They are all missing the second verse. I think this is it (transcribed by me):
Turn around, every now and then I get a little bit reckless
and I dream of something wild
Turn around, every now and then I get a little bit helpless
and I'm lying like a child in your arms
Turn around, every now and then I get a little bit angry
and I know I've got to get out and cry
Turn around, every now and then I get a little bit terrified
but then I see the look in your eyes
Turn around bright eyes, every now and then I fall apart
Turn around bright eyes, every now and then I fall apart

Thursday, May 5, 2016

get vCenter Server or Replication appliance update URL from command line using xmllint

My vCenter appliances (Server and Replication) are on an internal network and cannot get to the outside world. To update them, I mirror the update repositories on an internal web server, using the script from http://www.virtuallyghetto.com/2013/05/how-to-create-offline-update-repository.html

The script requires the update URL, which is easy to get manually from the appliance web interface, but I want to automate the update.

I found that the default update URL is stored in

/opt/vmware/var/lib/vami/update/provider/provider-deploy.xml
and the user-entered update URL is stored in
/opt/vmware/var/lib/vami/update/provider/provider-runtime.xml

The appliances come with some command-line tools to parse XML; I'm using xmllint:

echo 'cat //property[@name="repositoryAddress"]/@value' | \
xmllint --shell /opt/vmware/var/lib/vami/update/provider/provider-deploy.xml | \
grep https
The output:
value="https://vapp-updates.vmware.com/vai-catalog/valm/vmw/05d561bc-f3c8-4115-bd9d-22baf13f7178/5.8.1.12927.latest"
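As an added example (not the post's own code), here is the same lookup wrapped so it returns the effective URL the way the post describes the two files: the user-entered address from provider-runtime.xml when one is set, otherwise the default from provider-deploy.xml. It uses xmllint's --xpath option with string(), so no grep is needed, falls back to sed when xmllint is absent, and runs against two constructed XML files that reproduce only the repositoryAddress property, not the appliances' full files; the internal URL in them is made up.

```shell
#!/bin/sh
# Added example, not from the original post. Resolves the appliance update URL:
# runtime (user-entered) wins over deploy (default). VAMI_DIR can be overridden
# to point at test copies; it defaults to the path the post gives.

# repo_address FILE -> prints the repositoryAddress value, or nothing if absent
repo_address() {
    [ -r "$1" ] || return 1
    if command -v xmllint >/dev/null 2>&1; then
        # string() makes xmllint print just the attribute value, unquoted
        xmllint --xpath 'string(//property[@name="repositoryAddress"]/@value)' "$1"
    else
        # fallback when xmllint is not installed: handles the one-line
        # <property name="repositoryAddress" value="..."/> form only, it is
        # not a general XML parser
        sed -n 's/.*<property name="repositoryAddress" value="\([^"]*\)".*/\1/p' "$1" | head -n 1
    fi
}

# update_url -> effective URL: runtime if set, else deploy; returns 1 if neither
update_url() {
    dir="${VAMI_DIR:-/opt/vmware/var/lib/vami/update/provider}"
    url=$(repo_address "$dir/provider-runtime.xml" 2>/dev/null || true)
    [ -n "$url" ] || url=$(repo_address "$dir/provider-deploy.xml" 2>/dev/null || true)
    [ -n "$url" ] || return 1
    printf '%s\n' "$url"
}

# Constructed sample files standing in for the appliance's own; the runtime
# URL is a made-up internal mirror, the deploy URL mimics the post's output.
make_samples() {
    sdir=$(mktemp -d)
    cat > "$sdir/provider-deploy.xml" <<'EOF'
<?xml version="1.0"?>
<update>
  <provider>
    <property name="repositoryAddress" value="https://vapp-updates.vmware.com/vai-catalog/valm/vmw/EXAMPLE/5.8.1.latest"/>
  </provider>
</update>
EOF
    cat > "$sdir/provider-runtime.xml" <<'EOF'
<?xml version="1.0"?>
<update>
  <provider>
    <property name="repositoryAddress" value="https://updates.internal.example/vcenter/5.8.1"/>
  </provider>
</update>
EOF
    printf '%s\n' "$sdir"
}

# Demonstration on the constructed files. On a real appliance leave VAMI_DIR
# unset and just call update_url.
VAMI_DIR=$(make_samples)
update_url
```

Feeding the result straight into the mirror script from the post is then a matter of `url=$(update_url) || exit 1`; the non-zero return when neither file yields an address keeps a broken appliance from silently mirroring nothing.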


Thursday, August 27, 2015

Fark Lite tampermonkey script updates

Updated Fark Lite to work with the current version of Fark.com (as of 2015-08-27)

download here

/*
 Fark Lite
 Copyright (c) 2005, Rick Fletcher 
 Released under the GPL license
 http://www.gnu.org/copyleft/gpl.html

 --------------------------------------------------------------------
 This is a Greasemonkey user script.

 To install, you need Greasemonkey: http://greasemonkey.mozdev.org/
 Then restart Firefox and revisit this script.
 Under Tools, there will be a new menu item to "Install User Script".
 Accept the default configuration and install.

 To uninstall, go to Tools/Manage User Scripts,
 select "Fark Lite", and click Uninstall.
 --------------------------------------------------------------------
 
 Changelog

 0.3 2015-08-27 RCJ 
        update for Fark changes
 0.2.2  2005/10/08
  bug: no longer hiding the "view voting results" link on the comments page
 0.2.1  2005/10/03
  bug: updated to work with updated fark.com source
 0.2    2005/10/02
  new: refactored to use XPath
 0.1    2005/07/20
  initial release
*/

// ==UserScript==
// @name          Fark Lite
// @version       0.3
// @namespace     http://flet.ch/things/greasemonkey/
// @description   Strips fark.com down to just the links.  Hides links from categories you don't want to see.
// @include       http://*.fark.com/*
// @include       http://fark.com/*
// ==/UserScript==

(function () {

 var farklite = {

  config: {
   hide_search: true,           // remove the google search form at the top of the page
   hide_side_columns: true,     // remove the columns on either side of the page
   fix_link_target: true,       // make links open in the current window
   strip_passthru_script: true, // make links direct (instead of passing through the go.fark.com script)
   unwanted_categories:         // links that are in these categories will be removed
    [ "weeners", "satire", "video edit" ],
  },

  //fark_passthru_script_regex: /^http:\/\/\w+\.fark\.com.*l=([^&]+)/i,
  fark_passthru_script_regex: /^http:\/\/\w+\.fark\.com\/goto\/[0-9]+\/(.*)/i,

  // link_container_xpath: "//table[@class='nilink']/descendant::tr/td[position() = 1]/a",
  link_container_xpath: "//a[@class='outbound_link']",

  addCSS: function( css ) {
   var head = window.document.getElementsByTagName( "head" )[0];
   var style = window.document.createElement( "style" );
   style.setAttribute( "type", "text/css" );
   style.innerHTML = css;
   head.appendChild( style );
  },

  fixLinks: function() {
   // rewrite every outbound headline link: open it in the current window and
   // point it straight at the target instead of the fark.com/goto redirector
   var links = document.evaluate( this.link_container_xpath, document, null, XPathResult.UNORDERED_NODE_SNAPSHOT_TYPE, null );
   for( var link = null, i = 0; ( link = links.snapshotItem( i ) ); i++ ) {
    this.config.fix_link_target       && link.setAttribute( "target", "" );
    // the target URL is the URL-encoded tail of the goto link; unescape() restores it
    this.config.strip_passthru_script && link.setAttribute( "href", unescape( link.getAttribute( "href" ).replace( this.fark_passthru_script_regex, "http://$1" ) ) );
    // drop the hover handlers that belonged to the redirector
    this.config.strip_passthru_script && link.setAttribute( "onmouseover", "" );
    this.config.strip_passthru_script && link.setAttribute( "onmouseout", "" );
   }
  },


  removeUnwanted: function() {
   // normalise the configured category names to lower-case letters only
   // (global flag, so every non-letter is removed, not just the first one)
   for( var i = 0; i < this.config.unwanted_categories.length; i++ ) {
    this.config.unwanted_categories[i] = this.config.unwanted_categories[i].toLowerCase().replace( /[^a-z]/g, "" );
   }

   // match the lower-cased alt text of each headline's category icon against
   // the unwanted list, then remove the whole headline row
   var link_category_xpath = "//tr[@class='headlineRow']/descendant::img[translate(@alt,'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz')='" + this.config.unwanted_categories.join( "' or translate(@alt,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='" ) + "']/parent::*";
   var links = document.evaluate( link_category_xpath, document, null, XPathResult.UNORDERED_NODE_SNAPSHOT_TYPE, null );
   for( var link = null, i = 0; ( link = links.snapshotItem( i ) ); i++ ) {
    link.parentNode.parentNode.removeChild( link.parentNode );
   }
  },
 }

 farklite.addCSS( "td.howto, form div.howto:first-child, .banhead div, div.footnote { display: none; }" );
 farklite.config.hide_search       && farklite.addCSS( ".banhead form { display: none; }" );
 farklite.config.hide_side_columns && farklite.addCSS( ".newtoolbar, .entirelefttoolbar, .entirerighttoolbar { display: none; }" );
 
 farklite.removeUnwanted();
 farklite.fixLinks();

})();