MSSQL on Kubernetes (non-Azure)

1. Copy the code below into a file named mssql.yaml
2. Replace the placeholder password with a random one and apply the file to your Kubernetes cluster using:

# '|' is used as the sed delimiter because base64 output may contain '/', which would break s/.../.../
sed -i "s|TXlDMG05bCZ4UEBzc3cwcmQ=|$(pwgen -s 120 1 | base64 -w 0)|" mssql.yaml
kubectl apply -f mssql.yaml

Note: the username and password in the Secret below are only base64 encoded and NOT encrypted.
Therefore do not store your credentials this way in a production environment; create the secret from a prompt instead:

read -sep "Enter mssql sa password: " mssql_sa_pass; kubectl create secret generic mssql2 --from-literal=password="$mssql_sa_pass" --type=kubernetes.io/basic-auth

This keeps the password out of the deployment YAML file (the secretKeyRef in the Deployment must then name the secret you created).

apiVersion: v1
data:
  username: c2E=   # base64 of "sa" without a trailing newline
  password: TXlDMG05bCZ4UEBzc3cwcmQ=
kind: Secret
metadata:
  name: mssql
type: kubernetes.io/basic-auth
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mssql-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mssql
  template:
    metadata:
      labels:
        app: mssql
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: mssql
        image: mcr.microsoft.com/mssql/server:latest
        ports:
        - containerPort: 1433
        env:
        - name: MSSQL_PID
          value: "Developer"
        - name: ACCEPT_EULA
          value: "Y"
        - name: SA_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mssql
              key: password
        volumeMounts:
        - name: mssql
          mountPath: /var/opt/mssql
      volumes:
      - name: mssql
        hostPath:
          path: /srv/mssql
          type: DirectoryOrCreate
      initContainers:
      - name: install
        image: busybox
        command:
        - chown
        - "10001:10001"
        - "/work-dir"
        volumeMounts:
        - name: mssql
          mountPath: "/work-dir"
---
apiVersion: v1
kind: Service
metadata:
  name: mssql-deployment
spec:
  selector:
    app: mssql
  ports:
    - protocol: TCP
      port: 1433
      targetPort: 1433
  type: LoadBalancer
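Two checks worth running before applying the Secret above, added here as an example that is not part of the original post: SQL Server enforces a password policy on the sa account, and a value produced with echo instead of printf carries a trailing newline. The function names are my own; the password used in the comments is the post's placeholder, which decodes from TXlDMG05bCZ4UEBzc3cwcmQ=.

```sh
#!/bin/sh
# Added example, not part of the original post. Needs only sh, base64 and tr;
# no kubectl and no cluster.

# check_sa_password PASSWORD
# SQL Server requires the sa password to be 8..128 characters and to use at
# least three of the four classes upper, lower, digit, symbol. A rejected
# SA_PASSWORD makes the container exit at startup, which shows up as a
# crash-looping pod rather than as a clear error message.
# Returns 0 if the password would be accepted, 1 otherwise.
check_sa_password() {
    pw=$1
    classes=0
    [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 128 ] || return 1
    # character-class names, not A-Z ranges, so the result does not depend on locale collation
    case $pw in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ]
}

# secret_value STRING
# Encodes a value for a Secret's data: block. printf (not echo) is used so the
# encoded value has no trailing newline: "echo sa | base64" yields c2EK, which
# decodes to "sa\n" and is a classic cause of failed logins.
secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# decoded_has_trailing_newline BASE64
# Returns 0 if the decoded value ends in a newline (i.e. it was made with
# echo), 1 if it is clean.
decoded_has_trailing_newline() {
    nl='
'
    # the trailing x protects the final newline from $(...) stripping
    decoded=$(printf '%s' "$1" | base64 -d; printf x)
    case $decoded in
        *"$nl"x) return 0 ;;
        *)       return 1 ;;
    esac
}
```

The placeholder password from the post passes check_sa_password (four classes, 17 characters); secret_value sa returns c2E=, and decoded_has_trailing_newline c2EK reports the newline that the original username value carried.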


m4 1.4.17 fails to compile

http://www.clfs.org/view/CLFS-3.0.0-SYSTEMD/mips64-64/cross-tools/m4.html

freadahead.c: In function 'freadahead':
freadahead.c:91:3: error: #error "Please port gnulib freadahead.c to your platform! Look at the definition of fflush, fread, ungetc on your system, then report this to bug-gnulib."
  #error "Please port gnulib freadahead.c to your platform! Look at the definition of fflush, fread, ungetc on your system, then report this to bug-gnulib."
   ^~~~~
make[3]: *** [Makefile:1837: freadahead.o] Error 1
make[3]: Leaving directory '/tmp/m4-1.4.17/lib'
make[2]: *** [Makefile:1602: all] Error 2
make[2]: Leaving directory '/tmp/m4-1.4.17/lib'
make[1]: *** [Makefile:1506: all-recursive] Error 1
make[1]: Leaving directory '/tmp/m4-1.4.17'
make: *** [Makefile:1461: all] Error 2

m4 1.4.17 no longer builds with a recent toolchain (the underlying cause is the newer glibc, as the stdio-impl.h comment in the patch below notes), so this patch is needed. Thanks to Stack Overflow for linking to the 1.4.18 version; since CLFS uses 1.4.17, here is the port:

diff -ur m4-1.4.17/lib/fflush.c m4-1.4.17-patch/lib/fflush.c
--- m4-1.4.17/lib/fflush.c      2013-09-22 08:15:20.000000000 +0200
+++ m4-1.4.17-patch/lib/fflush.c        2020-02-04 17:23:47.964372943 +0100
@@ -33,7 +33,7 @@
 #undef fflush


-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */

 /* Clear the stream's ungetc buffer, preserving the value of ftello (fp).  */
 static void
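Review bot: this is the first of eight places across five files where `defined _IO_ftrylockfile` is replaced by the identical `defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1` expression; since the patch already touches lib/stdio-impl.h, defining that condition once there as a single helper macro and testing the macro in each file would leave one place to update the next time glibc hides an identifier.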
@@ -71,7 +71,7 @@

 #endif

-#if ! (defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
+#if ! (defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)

 # if (defined __sferror || defined __DragonFly__) && defined __SNPT /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin */      
@@ -145,7 +145,7 @@
   if (stream == NULL || ! freading (stream))
     return fflush (stream);

-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */

   clear_ungetc_buffer_preserving_position (stream);

diff -ur m4-1.4.17/lib/fpurge.c m4-1.4.17-patch/lib/fpurge.c
--- m4-1.4.17/lib/fpurge.c      2013-09-22 08:15:20.000000000 +0200
+++ m4-1.4.17-patch/lib/fpurge.c        2020-02-04 17:23:47.964372943 +0100
@@ -61,7 +61,7 @@
   /* Most systems provide FILE as a struct and the necessary bitmask in
      <stdio.h>, because they need it for implementing getc() and putc() as
      fast macros.  */
-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
   fp->_IO_read_end = fp->_IO_read_ptr;
   fp->_IO_write_ptr = fp->_IO_write_base;
   /* Avoid memory leak when there is an active ungetc buffer.  */
diff -ur m4-1.4.17/lib/freadahead.c m4-1.4.17-patch/lib/freadahead.c
--- m4-1.4.17/lib/freadahead.c  2013-09-22 08:15:20.000000000 +0200
+++ m4-1.4.17-patch/lib/freadahead.c    2020-02-04 17:23:47.976373311 +0100
@@ -25,7 +25,7 @@
 size_t
 freadahead (FILE *fp)
 {
-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
   if (fp->_IO_write_ptr > fp->_IO_write_base)
     return 0;
   return (fp->_IO_read_end - fp->_IO_read_ptr)
diff -ur m4-1.4.17/lib/freading.c m4-1.4.17-patch/lib/freading.c
--- m4-1.4.17/lib/freading.c    2013-09-22 08:15:20.000000000 +0200
+++ m4-1.4.17-patch/lib/freading.c      2020-02-04 17:23:47.972373188 +0100
@@ -31,7 +31,7 @@
   /* Most systems provide FILE as a struct and the necessary bitmask in
      <stdio.h>, because they need it for implementing getc() and putc() as
      fast macros.  */
-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
   return ((fp->_flags & _IO_NO_WRITES) != 0
           || ((fp->_flags & (_IO_NO_READS | _IO_CURRENTLY_PUTTING)) == 0
               && fp->_IO_read_base != NULL));
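Review bot: unlike _IO_IN_BACKUP, for which lib/stdio-impl.h in this patch supplies a fallback definition, the `_IO_NO_WRITES`, `_IO_NO_READS` and `_IO_CURRENTLY_PUTTING` macros used on the three lines above get none; if the target glibc has also stopped exporting them, this branch would fail with the same undefined-identifier error the patch is fixing, so it is worth confirming either that they are still public or that configure selects the system implementation of freading instead of this fallback.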
diff -ur m4-1.4.17/lib/fseeko.c m4-1.4.17-patch/lib/fseeko.c
--- m4-1.4.17/lib/fseeko.c      2013-09-22 08:15:55.000000000 +0200
+++ m4-1.4.17-patch/lib/fseeko.c        2020-02-04 17:23:47.964372943 +0100
@@ -47,7 +47,7 @@
 #endif

   /* These tests are based on fpurge.c.  */
-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
   if (fp->_IO_read_end == fp->_IO_read_ptr
       && fp->_IO_write_ptr == fp->_IO_write_base
       && fp->_IO_save_base == NULL)
@@ -121,7 +121,7 @@
           return -1;
         }

-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
       fp->_flags &= ~_IO_EOF_SEEN;
       fp->_offset = pos;
 #elif defined __sferror || defined __DragonFly__ /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin */
diff -ur m4-1.4.17/lib/stdio-impl.h m4-1.4.17-patch/lib/stdio-impl.h
--- m4-1.4.17/lib/stdio-impl.h  2013-09-22 08:20:02.000000000 +0200
+++ m4-1.4.17-patch/lib/stdio-impl.h    2020-02-04 17:23:47.964372943 +0100
@@ -18,6 +18,12 @@
    the same implementation of stdio extension API, except that some fields
    have different naming conventions, or their access requires some casts.  */

+/* Glibc 2.28 made _IO_IN_BACKUP private.  For now, work around this
+   problem by defining it ourselves.  FIXME: Do not rely on glibc
+   internals.  */
+#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN
+# define _IO_IN_BACKUP 0x100
+#endif

 /* BSD stdio derived implementations.  */
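Review bot: `# define _IO_IN_BACKUP 0x100` hard-codes a value copied from glibc's private header, and the `!defined _IO_IN_BACKUP && defined _IO_EOF_SEEN` guard keeps the fallback active silently on every glibc that exports _IO_EOF_SEEN, including one that later changes the bit; the FIXME acknowledges this, but the comment should at least record the glibc version the value was taken from, and a configure-time check against the installed headers would turn a future mismatch into a build failure rather than a wrong freadahead() result at runtime.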

Encrypted LVM remote unlock

Sometimes you want strong disk encryption but still want to be able to unlock it remotely. This is a compromise between security and usability, but here is what I came up with.
Before you follow my instructions, I urge you to consider carefully what this means for your threat model and system security.

0. You start with a normal LVM-encrypted operating system.
1. Install dropbear and busybox.
2. Edit the file /etc/initramfs-tools/initramfs.conf and add or modify the device and network settings accordingly:
DROPBEAR=y
DEVICE=eth0
IP=192.168.2.19::192.168.2.1:255.255.255.0:PC-Name:eth0:off

The last line needs some explanation. Its colon-separated fields are:
Preboot-IPv4:rarp-Server:Gateway-IPv4:Subnetmask:Preboot-Hostname:Interface:autoconfigurationMethod
https://help.ubuntu.com/community/DisklessUbuntuHowto#Static_IP
Choose an IP address different from that of the fully booted system: the preboot environment is effectively an autonomous OS with its own SSH host key, so reusing the address would trip your SSH client's host key check.
3. Place your SSH public key in the root user's home directory inside the initramfs:
rm /etc/initramfs-tools/root/.ssh/*
vi /etc/initramfs-tools/root/.ssh/authorized_keys

For privacy reasons (if you don't want someone to associate this device with you through your public key) you may want to use a separate key pair for this purpose.
4. After you've added your public key, regenerate the initramfs image using:
update-initramfs -u
5. After that, reboot using
systemctl reboot
6. Now, while the system is waiting for you to enter the password, go to a different client and connect with your private key (user: root) to the predefined IP address.
7. To unlock the device and continue booting (which tears down the initramfs environment, leaving your session in a shell without any mounted file systems or applications) you have to get the plaintext passphrase into /lib/cryptsetup/passfifo (without a line break at the end).
The easiest (but also least safe) way is a simple echo:
echo -n "EncryptionKey" > /lib/cryptsetup/passfifo
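A less exposed way to do step 7, added here as an example and not part of the original post: the passphrase is read from the terminal with echo disabled and written with printf '%s', so it never appears on a command line, in the shell history or in the process list, and no newline is appended. The FIFO path defaults to /lib/cryptsetup/passfifo as in the post; the function name and the optional path argument are my own.

```sh
#!/bin/sh
# Added example, not part of the original post.
# unlock_from_fifo [FIFO]
# Reads one line from stdin (without echo when stdin is a terminal) and writes
# it, with no trailing newline, to the cryptsetup FIFO. Returns 1 if nothing
# could be read.
unlock_from_fifo() {
    fifo=${1:-/lib/cryptsetup/passfifo}   # default path from the post
    if [ -t 0 ]; then
        stty -echo                        # do not show the passphrase while typing
        printf 'Passphrase: ' >&2
    fi
    IFS= read -r key
    rc=$?
    if [ -t 0 ]; then
        stty echo
        printf '\n' >&2
    fi
    [ "$rc" -eq 0 ] || return 1
    # cryptsetup reads the FIFO raw, so printf '%s' (not echo) avoids a newline
    printf '%s' "$key" > "$fifo"
    unset key
}
```

Call it as unlock_from_fifo from the dropbear session; the test below feeds it a constructed passphrase on a pipe and checks that the file receives exactly those bytes with nothing appended.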

iptables to rsyslog

Log all dropped packets to syslog. The LOGGING chain is appended after your existing rules, so only packets that no earlier rule accepted reach it:

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -j LOG --log-prefix "iptables: "
iptables -A LOGGING -j DROP

Check that this line is present in /etc/rsyslog.conf:

$ModLoad imklog

Then create the file /etc/rsyslog.d/01-iptables.conf with this content:

:msg, startswith, "iptables: " -/var/log/iptables.log
& ~
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] iptables: " -/var/log/iptables.log
& ~

Lines 1 and 3 are filters with log file locations: if a message matches, it is written to the specified log file.
Lines 2 and 4 tell rsyslog “don't process further rules for this log entry if the one before matched; it's done”.

The only thing left is a log rotation rule.
Create the file /etc/logrotate.d/iptables with this content:

/var/log/iptables.log {
	rotate 7
	daily
	missingok
	notifempty
	delaycompress
	compress
	postrotate
		invoke-rc.d rsyslog rotate > /dev/null
		iptables-save >> /var/log/iptables.log
	endscript
}
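Once lines land in /var/log/iptables.log, a quick summary by source address and destination port is the first triage step: one source hitting many ports, or many sources hitting one port, stands out immediately. The following is an added example, not part of the original post; the sample log lines are constructed in the format the LOG target produces through rsyslog, using documentation addresses, and the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the original post.

# drop_summary FILE
# Prints "COUNT SRC DPT" per source/port pair, most frequent first. Packets
# without a destination port (e.g. ICMP) are grouped under "-".
drop_summary() {
    awk '
        /iptables: / {
            src = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# top_source FILE -> the source address with the most dropped packets
top_source() {
    drop_summary "$1" | head -n 1 | cut -d' ' -f2
}

# sample_log -> constructed log lines (kernel-timestamp form, which the
# second rsyslog filter above matches); not real traffic
sample_log() {
    cat <<'EOF'
Feb  4 17:23:47 host kernel: [ 1234.567890] iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  4 17:23:48 host kernel: [ 1235.567890] iptables: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  4 17:23:49 host kernel: [ 1236.567890] iptables: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  4 17:23:50 host kernel: [ 1237.567890] iptables: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
EOF
}
```

Run drop_summary /var/log/iptables.log on a real host. One caveat with the rules above: the LOG rule fires for every packet that reaches the LOGGING chain, so a flood of unwanted traffic also floods the log file; a rate limit on the LOG rule (iptables' -m limit match) is the usual guard against filling the disk.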

Apache2 optimizations

To speed up page loading you can enable client-side caching: the connecting browser keeps the contents of your page until they expire.
To do so, add the following to your virtual host entry (right before </VirtualHost>):

<IfModule mod_expires.c>
        ExpiresActive On
        ExpiresDefault "access plus 10 seconds"
        ExpiresByType text/html "access plus 60 seconds"
        ExpiresByType image/gif "access plus 120 minutes"
        ExpiresByType image/jpeg "access plus 120 minutes"
        ExpiresByType image/png "access plus 120 minutes"
        ExpiresByType text/css "access plus 60 minutes"
        ExpiresByType text/javascript "access plus 60 minutes"
        ExpiresByType application/javascript "access plus 60 minutes"
        ExpiresByType application/x-javascript "access plus 60 minutes"
        ExpiresByType text/xml "access plus 60 minutes"
</IfModule>

After that, run the following as root:

cd /etc/apache2/mods-enabled
ln -s ../mods-available/expires.load expires.load
ln -s ../mods-available/headers.load headers.load
service apache2 restart

If you redirect all HTTP traffic to HTTPS, use HTTP response code 301 instead of 302. Nearly every http-to-https redirect you find elsewhere is missing this (“R=301”).
To accomplish this, replace “<VirtualHost *>” at the beginning of your website configuration file (replace the server names 😉 ) with:

<VirtualHost example.org:80>
        ServerName www.example.org
        # Redirect http://(www.)example.org/* to https://www.example.org/*
        RewriteEngine On
        RewriteCond %{HTTP_HOST}   ^(?:.*)example\.org$ [NC]
        RewriteCond %{SERVER_PORT}   !^443$
        RewriteRule  (.*)  https://www.example.org$1   [R=301,L]
</VirtualHost>
<VirtualHost example.org:443>

You should also use the ServerName directive and avoid “<VirtualHost *>”, for clarity and later use.

Configuring HTTPS is just as simple. First get your certificate, e.g. from StartSSL or Let's Encrypt.
Once you have the certificate for www.example.org (don't forget the www subdomain 😉 ), place the files as follows:
The private key: /etc/ssl/private/example.org.key
The certificate file: /etc/ssl/certs/example.org.crt
The intermediate certificates file (e.g. Let's Encrypt or sub.class1.server.ca.pem): /etc/ssl/certs/letsencryptauthorityx1.pem or /etc/ssl/certs/sub.class1.server.ca.pem

With the files in place, add the following to your VirtualHost configuration section:

<VirtualHost example.org:443>
        ServerAdmin webmaster@example.org
        ServerName www.example.org

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/example.org.crt
        SSLCertificateKeyFile /etc/ssl/private/example.org.key
        SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
        SSLProtocol ALL -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        # SSLCipherSuite ALL:!ADH:!RC4:+HIGH:!MEDIUM:!LOW:!SSLv2:!SSLv3!EXPORT
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256"
        # Replace Certificate Hashes below
        Header always add Public-Key-Pins "pin-sha256=\"Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=\"; pin-sha256=\"YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=\"; max-age=2592000; includeSubdomains"
        Header always add Strict-Transport-Security "max-age=15768000"
        Header always add Content-Security-Policy "default-src 'self';frame-ancestors 'self';style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';font-src 'self' data:;img-src 'self' data:"
        Header always add X-Content-Type-Options "nosniff"
        Header always add X-Frame-Options "sameorigin"
        Header always add X-XSS-Protection "1;mode=block"

As soon as WordPress stops using inline scripts, inline styles, fonts as “data:” URLs and images as “data:” URLs, the line:

Header always add Content-Security-Policy "default-src 'self';frame-ancestors 'self';style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';font-src 'self' data:;img-src 'self' data:"

can be changed to the stricter

Header always add Content-Security-Policy "default-src 'self';frame-ancestors 'self'"
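To see exactly which directives keep the WordPress policy weaker than the two-directive one, the following added example (not part of the original post) lists every CSP source expression that permits inline or eval'd script, or any origin via '*'. It inspects only the policy string it is given and does not contact a web server; the function names are my own, and the two policy strings are the ones from the post.

```sh
#!/bin/sh
# Added example, not part of the original post.

# The two policies from the post, kept here so they can be compared directly.
CSP_WORDPRESS="default-src 'self';frame-ancestors 'self';style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';font-src 'self' data:;img-src 'self' data:"
CSP_STRICT="default-src 'self';frame-ancestors 'self'"

# csp_unsafe_directives POLICY
# Prints one "directive token" line per risky source expression found.
csp_unsafe_directives() {
    # Directives are ';'-separated; within a directive the first word is its
    # name and the rest are source expressions. \047 is a single quote in awk.
    printf '%s\n' "$1" | tr ';' '\n' | awk '
        NF == 0 { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i == "\047unsafe-inline\047" ||
                    $i == "\047unsafe-eval\047" ||
                    $i == "*")
                    print $1, $i
        }'
}

# csp_is_strict POLICY
# Returns 0 when no risky token was found, 1 otherwise.
csp_is_strict() {
    [ -z "$(csp_unsafe_directives "$1")" ]
}
```

For the WordPress policy it reports style-src 'unsafe-inline', script-src 'unsafe-inline' and script-src 'unsafe-eval'; the script-src findings are the ones that matter most, since they are what let injected markup execute. Two notes on the rest of the header block above: the Public-Key-Pins header has since been dropped by browsers, so HSTS and CSP are the headers that still do work, and the Content-Security-Policy line is the one to re-check whenever a plugin or theme changes.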

Disable Zone Transfer BIND9

If you use Webmin, go to “Zone Defaults” and enter “none” into the “Allow transfers from…” text box.

If you don't use Webmin, open the file “/etc/bind/named.conf.options” and add the following inside its options { } block (none is a keyword and must not be quoted):

allow-transfer {
        none;
};

If that file doesn't exist on your system, check the main config file “/etc/bind/named.conf” for an include whose name ends in “.conf.options” and use that; as a last resort, enter it directly in named.conf (but check the other included config files in case the setting already exists elsewhere).

Status Monitoring – Statusbar

How to keep one line updated, for example showing the available disk space refreshed every second.

Within one line:

while true; do echo -ne "$(df | grep /dev/sda4)\\r"; sleep 1; done

How it works:

while true: start of the endless loop

  • echo:
    • -n: suppresses the line break after the output
    • -e: enables backslash escape sequences
    • $(command): runs the command and inserts its output
    • \\r: the first backslash escapes the second, and \r moves the cursor back to the beginning of the line
  • sleep 1: pause for one second

done: end of the endless loop

Within a script, you can write it on multiple lines:

while true
do
     echo -ne "$(df | grep /dev/sda4)\\r"
     sleep 1
done