rubysecurity.org

Cloud Architect / DevOps Engineer / SRE / Developer | /root

Home About Books Blog Portfolio Archive

    Tag Cloud


    Currently Reading

    Certified Kubernetes Administrator (CKA) Study Guide
    Certified Kubernetes Administrator (CKA) Study Guide
    38 / 155 Pages


    Latest Book Reviews

    Latest Posts

    March 2, 2020

    Running Ubuntu Server on an Intel NUC 10th i7

    by Alpha01

    Late last year, I purchased a secondary Intel NUC 8th i3 for my homelab. My main goal was to use this secondary NUC primarily to learn Mesos and Kubernetes more in depth. Little that I knew that the dual core i3 on the NUC was not truly powerful enough to run a simple ten node DC/OS cluster, let alone another Kubernetes cluster on the same machine. So I decided to wait until the new i7 10th generation Intel NUCs were released, so I can upgrade.

    The upgrade itself was not as easy as I first imagine. Both the RAM and hard drive were swapped from the old 8th gen NUC to the new 10th gen NUC. Ubuntu started up successfully, and all the memory was properly recognized on the new machine, however networking was not working. My first thought was that since now Linux was running on a new hardware, I needed to remove the old NIC’s udev configuration. I soon realized that apparently in the post systemd world, we no longer need to do this. After a quick Google search, I found a Reddit post that outline my exact problem. https://www.reddit.com/r/intelnuc/comments/eox6k1/caution_new_frost_canyon_nucs_have_an_integrated/

    I was shocked to learn that the new 10th gen NUC’s network card is so new that it doesn’t even have its driver on the latest Ubuntu Server LTS! Luckily compiling and loading the newer e1000e driver was a really easy task. The only caveat was that I had to go into the UEFI Bios and disable secure boot and allow 3rd party modules, otherwise the new kernel module would fail to load.

    After a few hours of usage, performance is completely night a day. The new 10th gen i7 hex core processor completely blows 8th gen i3 dual core, out of the water.

    Tags: [ ubuntu ]
    June 10, 2019

    Send Email from a Shell Script Using Gmail’s SMTP

    by Alpha01

    In my previous post, I enabled my local mail server to relay all outgoing mail to Google’s SMTP servers. However if you want to completely bypass using any sort of MTA, then you will only need to configure your Mail User Agent client to use Gmail STMP settings directly.

    In Linux, I’ve always used the mailx utility to send out email messages from the command line or from a shell script. By default, mailx uses the local mail server to send out messages, but configuring it to use a custom SMTP server is extremely easy.

    Inside a shell script configuration would look like this:

    to="[email protected]"
from="[email protected]"
email_config="
-S smtp-use-starttls \
-S ssl-verify=ignore \
-S smtp-auth=login \
-S smtp=smtp://smtp.gmail.com:587 \
-S from=$from \
-S [email protected] \
-S smtp-auth-password=ULTRASECUREPASSWORDHERE \
-S ssl-verify=ignore \
-S nss-config-dir=/etc/pki/nssdb \
$to"

echo "Test email from mailx" | mail -s "TEST" $email_config

    To have the mail settings configured to be used by mailx from the command line simply set your settings in ~/.mail.rc

    set smtp-use-starttls
set ssl-verify=ignore
set smtp=smtp://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user=[email protected]
set smtp-auth-password=ULTRASECUREPASSWORDHERE
set from="[email protected]"
set nss-config-dir=/etc/pki/nssdb

    Resources

    Tags: [ google smtp ]
    May 25, 2019

    Configuring Postfix to use Gmail

    by Alpha01

    Configuring Postfix to use Gmail as the outgoing SMTP relay endpoint is a relatively simple process. I’m my case, I’m not using an @gmail.com account. Rather, since all of my domains use G Suite, I’ve created a special dedicated email account that I’ll be using to send out email from.

    Before starting configuring Postfix, it is important that you enable “Less secure app access” on the Gmail account that you will be configuring to send outgoing messages.

    I’m using CentOS 7.x as my mail server OS. These were the steps I used to configure Postfix.

    1). Install necessary packages:

    yum install postfix mailx cyrus-sasl cyrus-sasl-plain

    2). Create /etc/postfix/sasl_passwd file with the your authentication credentials:

    [smtp.gmail.com]:587    [email protected]:mypassword

    3). Update file permissions to lockdown access to our newly created authentication config file:

    chmod 600 /etc/postfix/sasl_passwd

    4). Use the postmap command to compile and hash the contents of sasl_passwd:

    postmap /etc/postfix/sasl_passwd

    5). Update /etc/postfix/main.cf

    relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

    6). Finally, enable and restart postfix:

    systemctl enable postfix
systemctl restart postfix

    Lastly, although it’s not needed to get a working Postfix to Gmail STMP config working. I would recommend enabling outgoing throttling. Otherwise Google might temporarily suspend your account from sending messages!

    Additional /etc/postfix/main.cf updates:

    smtp_destination_concurrency_limit = 2
smtp_destination_rate_delay = 10s
smtp_extra_recipient_limit = 5

    In my case, I configured Postfix to only handle two concurrent relay connections, wait at least 10 seconds to send out the email and set the recipient limit to 5 (per queue message session).

    NOTE: As I mentioned, since I’m not using an @gmail.com, I had to add an SPF DNS record so that the outgoing emails pass all of Google’s spam tests.

    DNS txt record:

    v=spf1 include:_spf.google.com ~all

    Example received email header that was sent from the newly Postfix to Gmail smtp configuration:

    Passing Gmail Email Header

    To conclude, it is import to remember that this Postfix configuration will overwrite whatever From source set by your mail user agent (as the above email header image demonstrates).

    Resources

    Tags: [ postfix google ]
    March 16, 2019

    Automatically Disable Different Jenkins Projects at Build Time

    by Alpha01

    I use Jenkins as my CI tool for all my personal projects. My current Jenkins build plans are fairly simple and not quite particularly complex (though I do plan on eventually start using Jenkins pipelines on my build jobs in the near future), given that most of my personal projects are WordPress and Drupal sites.

    My current configuration consists of two different basic Freestyle projects Jenkins builds. One for my staging build/job and the other for my production build/job respectively. Each time my staging Freestyle project builds, it automatically creates a git tag, which is later used by my production Freestyle project; where it’s pulled, build, and deploy from. This means that at no point I want my production Freestyle project to build whenever the corresponding staging Freestyle project fails (for example unit tests).

    Using the Groovy Postbuild Plugin, will give you the ability to modify Jenkins itself. In my case, I want to disable the productions Freestyle project whenever my staging Freestyle project.

    On this example my production project build/job is called rubysecurity.org.

    import jenkins.*
import jenkins.model.*

String production_project = "rubysecurity.org";

try {
  if (manager.build.result.isWorseThan(hudson.model.Result.SUCCESS)) {
    Jenkins.instance.getItem(production_project).disable()
    manager.listener.logger.println("Disabled ${production_project} build plan!");
    manager.createSummary("warning.gif").appendText("<h1>No production builds will be available on ${production_project} until the errors here are fixed!</h1>", false, false, false, "red")

  } else {
    Jenkins.instance.getItem(production_project).enable();
    manager.listener.logger.println("Enabled ${production_project} build plan.");
  }
} catch (Exception ex) {
   manager.listener.logger.println("Error disabling ${production_project}." + ex.getMessage());
}

    The example Groovy Post-Build script ensures the project build/job rubysecurity.org is enabled if it successfully finishes without any errors, otherwise rubysecurity.org will be disabled, and a custom error message is displayed on the failing staging build/job.

    Example error:

    Jenkins error

    Resources

    Tags: [ jenkins ]
    November 10, 2018

    Accessing KVM Guest Using Virtual Serial Console

    by Alpha01

    For the longest time, after creating my KVM guest virtual machines, I’ve only used virt-manager afterwards to do any sort of remote non-direct ssh connection. It wasn’t until now that I finally decided to start using the serial console feature of KVM, and I have to say, I kind of regret procrastinating on this, because this feature is really convenient.

    Enabling serial console access to a guest VM is a relatively easy process. In CentOS, it’s simply a matter of adding the following kernel parameter to GRUB_CMDLINE_LINUX in /etc/default/grub

    console=ttyS0

    After adding the console kernel parameter with the value of our virtual console’s device block file. Then we have to build new a grub menu and reboot:

    grub2-mkconfig -o /boot/grub2/grub.cfg

    Afterwards from the host system, you should be able to virsh console onto the guest VM.

    The only caveat with connecting to a guest using the virtual serial console is existing the console. In my case, the way to log off the console connection was using Ctrl+5 keyboard keys. This disconnection quirk reminded me of the good old days when I actually worked on physical servers and used IPMI’s serial over network feature and it’s associated unique key combination to properly close the serial connection.

    Resources

    Tags: [ kvm ]