Docker versus Podman and iptables

I have recently been learning about podman, a tool for running containers that has a command syntax that matches Docker, but that does not require a Docker daemon and which does not require root privileges.

I ran into some unexpected problems publishing ports with Podman, which had to do with my default DROP policy on the iptables FORWARD chain. Below I will demonstrate some of the differences between Docker and Podman in terms of iptables changes, and provide a workaround for Podman.
Continue reading Docker versus Podman and iptables

Running a Python Flask application in a Docker container

I’ve played with Docker containers but haven’t really done anything, useful or otherwise, with them. I decided to create a Docker image that includes a web-based chatbot. You can find the Git repository for this (including the finished Dockerfile) at https://github.com/cherdt/docker-nltk-chatbot

Continue reading Running a Python Flask application in a Docker container

Kitchen CI – using the Vagrant driver

I’d previously been using the Docker driver with Kitchen CI and kitchen-ansible to test my Ansible playbooks. I really like using Kitchen CI. Test-driven infrastructure development! Regression testing! It’s great.

There were several reasons I decided to switch from the Docker driver to Vagrant. My target hosts are all either VMs or bare metal servers, so Vagrant VMs more closely resemble that environment. In particular, there are a couple areas where Docker containers don’t perform well for this purpose:

  • Configuring and testing SELinux settings
  • Configuring and testing systemd services

Continue reading Kitchen CI – using the Vagrant driver

Identifying DGA domains using Scrabble scores: a naive approach

I had the idea of applying Scrabble scores to DGA domains over the summer of 2018, but the idea was rekindled when I saw Marcus Ranum‘s keynote at BroCon 2018. He talked about the advantages of scoring systems: they are fast, they are simple, and they can be surprisingly effective.

Domain Generating Algorithms (DGAs)

Malware uses DGAs to generate hundreds or thousands of new domain names daily. The malware then attempts to contact some or all of the domains. If a successful attempt is made to a control server, the malware will receive new instructions for malicious activity. The people and systems managing the malware need only register one new domain a day, but a defender would have to anticipate and/or discover thousands a day. To read more about DGAs, I recommend these articles from Akamai:

Scrabble Scores and DGAs

I’ve noticed that some, not all Domain Generating Algorithms produce unreadable domains like:

rjklaflzzdglveziblyvvcyk.com

Continue reading Identifying DGA domains using Scrabble scores: a naive approach

Icinga2 and PagerDuty integration

E-mail is not a good way to get my attention in a timely fashion. E-mail is inherently asynchronous, and healthy minds may ignore it for hours or even days at a time. So how do I handle monitoring alerts? One way is by using PagerDuty, a service that can call, text, or send push notifications to you (among other features).

I followed the steps at PagerDuty’s Icinga2 Integration Guide, but no alerts were coming through. What went wrong?
Continue reading Icinga2 and PagerDuty integration

Integrating FreeIPA authentication with GitHub Enterprise

The GitHub Enterprise – Using LDAP documentation lists FreeIPA as a supported LDAP service.

Although I was able to successfully test a basic LDAP connection, the test failed after I specified the Email (using value “mail”) and SSH key (using value “ipaSshPubKey”) fields. I received the following error: Continue reading Integrating FreeIPA authentication with GitHub Enterprise

ipactl error: Failed to start Directory Service: Command ‘/bin/systemctl start dirsrv@FREEIPA-OSRIC-NET.service’ returned non-zero exit status 1

Earlier today I got an alert that the LDAP service on my FreeIPA server was down. This was not long after I had received another alert that the drive space on the /var partition was critical. I logged on, freed up some drive space, and tried to start the service:

$ sudo ipactl start
Starting Directory Service
Failed to start Directory Service: Command '/bin/systemctl start dirsrv@FREEIPA-OSRIC-NET.service' returned non-zero exit status 1

I tried running systemctl directly to see the error message:

$ sudo systemctl start dirsrv@FREEIPA-OSRIC-NET.service

Continue reading ipactl error: Failed to start Directory Service: Command ‘/bin/systemctl start dirsrv@FREEIPA-OSRIC-NET.service’ returned non-zero exit status 1

Icinga2 role permissions, filters

I have Icinga2 and Icingaweb2 set up for monitoring hosts and services for myself, but I wanted to expand on my current configuration and let web developers manage monitoring for their assets (development and staging hosts and web servers).

webdev is the name of one of my host groups, defined in my /etc/icinga2/conf.d/groups.conf file:

object HostGroup "webdev" {
  display_name = "Web Development Hosts"
}

The hosts I want developers to be able to monitor are members of the webdev host group.

First I created a new role in the web interface under Configuration — Authentication — Roles:
Continue reading Icinga2 role permissions, filters

ESXi upgrade from 5.5 to 6.7

ESXi 5.5 recently reached end-of-support (see End of General Support for vSphere 5.5), but my sales rep informed me that I was eligible for a free upgrade. Great! I set about doing just that.

First of all, I should note that you can’t upgrade directly from 5.5 to 6.7, so I upgraded to 6.5 first. I ran into several missteps along the way, which I have documented here: Continue reading ESXi upgrade from 5.5 to 6.7

Creating a histogram with Gnuplot

Gnuplot has plenty of examples on its histograms demo page. The demos use immigration.dat as a datasource, which you can find in gnuplot’s GitHub repository: immigration.dat data source.

While the examples demonstrate many of the available features, it’s not clear what some of the specific options do. You could read the documentation, but who has time for that? Some of us are just trying to create really simple histograms and don’t need to master the nuances of gnuplot.
Continue reading Creating a histogram with Gnuplot