Warpgate and fail2ban via Vector

A working setup to block intruders from Warpgate

compose.yml

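# Warpgate bastion plus a Vector sidecar that turns failed web logins into a
# fail2ban-readable log file (see vector.yaml and the fail2ban filter/jail).
services:
  warpgate:
    container_name: warpgate
    # NOTE(review): floating tag — pin to a version or digest for reproducible deploys.
    image: ghcr.io/warp-tech/warpgate
    ports:
      # Quoted so no YAML parser can reinterpret the host:container pair as a number.
      - "2222:2222"
      # Web UI on loopback only; a reverse proxy on the host is expected in front of it.
      - "127.0.0.1:8888:8888"
    volumes:
      - ./data:/data:Z
      - ./sockets:/var/run
    stdin_open: true
    tty: true
    restart: always
    environment:
      # Warpgate takes the client address from proxy headers. That address is what
      # vector.yaml extracts (client_ip) and what fail2ban bans, so the web port must
      # stay reachable only through the trusted proxy — a client that could reach
      # 8888 directly could otherwise supply a forged address.
      - WARPGATE__WEB__TRUST_PROXY_HEADERS=true
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "3"
  vector:
    # NOTE(review): floating tag — pin for reproducibility.
    image: timberio/vector:latest-alpine
    container_name: vector
    restart: unless-stopped
    depends_on:
      - warpgate
    volumes:
      # The docker_logs source needs the Docker socket. ":ro" only protects the
      # socket file node; it does not restrict what the Docker API behind it allows.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./vector.yaml:/etc/vector/vector.yaml:ro
      # Output directory read by fail2ban on the host (jail logpath).
      - /var/log/warpgate:/var/log/warpgate
    command: ["--config", "/etc/vector/vector.yaml"]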

vector.yaml

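# Vector pipeline: Warpgate container logs -> failed web-login events -> one line
# per event in /var/log/warpgate/auth.log, consumed by the fail2ban "warpgate" filter.
sources:
  warpgate:
    type: docker_logs
    include_containers:
      - warpgate

transforms:
  to_fail2ban:
    type: remap
    inputs:
      - warpgate
    source: |
      raw = string!(.message)

      # Strip ANSI colour/escape codes so the substring checks below see plain text.
      msg = replace(raw, r'\x1b\[[0-9;]*m', "")

      # Keep only 401 responses to the login endpoint that carry a client address.
      ok = contains(msg, "WARN HTTP:") &&
           contains(msg, "/@warpgate/api/auth/login") &&
           contains(msg, "status=401") &&
           contains(msg, "client_ip")

      if !ok {
        abort
      }

      ts = format_timestamp!(.timestamp, "%Y-%m-%dT%H:%M:%SZ")

      # The capture group must be named "ip": parsed.ip below reads it, and an
      # unnamed "(?P" group is a regex syntax error.
      parsed = parse_regex!(msg, r'client_ip\s*=\s*(?P<ip>[0-9a-fA-F\.:]+)')
      ip = parsed.ip

      # Output format; keep in sync with failregex in filter.d/warpgate.conf.
      .message = ts + " warpgate login failed ip=" + ip

sinks:
  fail2ban_file:
    type: file
    inputs:
      - to_fail2ban
    # Same path as logpath in the fail2ban jail; the directory is bind-mounted from the host.
    path: "/var/log/warpgate/auth.log"
    encoding:
      codec: text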

/etc/fail2ban/filter.d/warpgate.conf

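# fail2ban filter for the login-failure lines written by vector.yaml:
#   <timestamp> warpgate login failed ip=<address>
[Definition]
# <HOST> is fail2ban's placeholder for the address to ban (IPv4 or IPv6).
# Without a host group the filter captures nothing and fail2ban has nothing to ban.
failregex = ^.*warpgate login failed ip=<HOST>$
ignoreregex =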

/etc/fail2ban/jail.d/warpgate.conf

# fail2ban jail for the Warpgate login-failure log produced by Vector.
[warpgate]
enabled  = true
# Uses filter.d/warpgate.conf.
filter   = warpgate
# File written by the Vector "fail2ban_file" sink (bind-mounted from the container).
logpath  = /var/log/warpgate/auth.log

# Ban after 5 failures within 300 s (findtime); the ban lasts 300 s (bantime).
# NOTE(review): no banaction/port is set, so the distribution default applies —
# confirm it covers the proxy port in front of Warpgate. Docker-published ports
# (2222 here) are generally not affected by INPUT-chain bans; if SSH failures are
# ever added to the filter, an action targeting the DOCKER-USER chain is needed.
maxretry = 5
findtime = 300
bantime  = 300

ceph speed test

Schreiben (4K random write, 16 threads, 10 Sekunden)

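# 4 KiB random-write benchmark: 10 seconds, 16 concurrent IOs. Objects are kept
# (--no-cleanup) so the read test below has data to read; remove them afterwards
# with "rados -p <POOL> cleanup". Replace <POOL> with the pool under test.
rados bench -p <POOL> 10 write --no-cleanup --object-size=4096 --concurrent-ios=16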

Lesen (4K random read, 16 threads)

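# 4 KiB random-read benchmark for 10 seconds; reads the objects left behind by the
# --no-cleanup write run above. Replace <POOL> with the same pool.
rados bench -p <POOL> 10 rand --object-size=4096 --concurrent-ios=16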

Schreib- und Lesetest mit 4 MB, der Standard-Objektgröße für Ceph

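# Same write test with 4 MiB objects (Ceph's default object size). Replace <POOL>;
# clean up afterwards with "rados -p <POOL> cleanup".
rados bench -p <POOL> 10 write --no-cleanup --object-size 4194304 --concurrent-ios 16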

benchmark

bash -lc '
set -euo pipefail

# fio benchmark on a throw-away RBD image: create -> map -> randrw fio -> cleanup.
# Needs rbd and fio on PATH and the privileges to map RBD devices. The image name
# includes host and timestamp so concurrent runs do not collide.
POOL="ceph-ds"
SIZE="10G"
RUNTIME="30"
IODEPTH="32"
NUMJOBS="4"
RWMIXREAD="70"   # 70/30 read/write mix, typical for VM workloads
BS="4k"

IMG="fio-bench-$(hostname -s)-$(date +%Y%m%d-%H%M%S)"
DEV=""

# Best-effort teardown, run on every exit path by the trap below; errors are
# deliberately ignored (set +e, || true) so one failed step does not skip the rest.
cleanup() {
  set +e
  echo ""
  echo "[CLEANUP] unmap + remove (falls vorhanden) ..."
  if [ -n "${DEV:-}" ]; then
    rbd unmap "$DEV" >/dev/null 2>&1 || true
  else
    # DEV was never set (map failed or was interrupted): find the device via showmapped.
    # NOTE(review): assumes the columns id/pool/image/snap/device; newer rbd versions
    # add a namespace column, which would shift $3 and $5 — confirm on the target host.
    rbd showmapped 2>/dev/null | awk -v p="$POOL" -v i="$IMG" '"'"'$2==p && $3==i {print $5}'"'"' | while read -r d; do
      [ -n "$d" ] && rbd unmap "$d" >/dev/null 2>&1 || true
    done
  fi
  rbd rm "${POOL}/${IMG}" >/dev/null 2>&1 || true
  echo "[CLEANUP] fertig."
}
trap cleanup EXIT INT TERM

echo "[1/4] Create RBD image: ${POOL}/${IMG} (${SIZE})"
rbd create "${POOL}/${IMG}" --size "${SIZE}"

echo "[2/4] Map RBD image"
DEV="$(rbd map "${POOL}/${IMG}")"
echo "      -> mapped as: ${DEV}"

# Direct I/O against the raw mapped device (no filesystem), time-based run.
echo "[3/4] fio VM-like test (randrw ${BS}, iodepth=${IODEPTH}, numjobs=${NUMJOBS}, rwmixread=${RWMIXREAD}, runtime=${RUNTIME}s)"
fio --name="ceph-rbd-${IMG}" \
    --filename="${DEV}" \
    --direct=1 --ioengine=libaio \
    --rw=randrw --rwmixread="${RWMIXREAD}" \
    --bs="${BS}" --iodepth="${IODEPTH}" --numjobs="${NUMJOBS}" \
    --runtime="${RUNTIME}" --time_based=1 \
    --group_reporting --eta=never

echo "[4/4] Done. Cleanup will run automatically."
'

Ceph CRUSH Map

crush map

# Create two rack buckets under the default root and spread the hosts over them.
# Moving hosts rewrites CRUSH placement and triggers backfill; consider
# "ceph osd set norebalance" while restructuring and unset it afterwards.
for rack in left right; do
  ceph osd crush add-bucket "$rack" rack
  ceph osd crush move "$rack" root=default
done

# node-1..3 -> rack "right", node-4..6 -> rack "left"
for n in 1 2 3; do ceph osd crush move "node-$n" rack=right; done
for n in 4 5 6; do ceph osd crush move "node-$n" rack=left; done

# Verify the resulting hierarchy.
ceph osd tree

revert changes to default

# Undo the rack layout: re-attach every host directly to the default root.
# The now-empty "left"/"right" rack buckets remain in the map afterwards.
for n in 1 2 3 4 5 6; do
  ceph osd crush move "node-$n" root=default
done

Journalctl Tricks

journalctl command

vacuum / clean

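# Show how much disk the journal uses, then shrink archived journal files to ~1 GiB.
journalctl --disk-usage
journalctl --vacuum-size=1G
# Other vacuum options (from journalctl --help), kept as comments so the snippet runs as-is:
#   --vacuum-size=BYTES   Reduce disk usage below specified size
#   --vacuum-files=INT    Leave only the specified number of journal files
#   --vacuum-time=TIME    Remove journal files older than specified time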

read old journal

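# Read one journal file directly (path is a placeholder). A trailing "~" marks a
# file journald could not close cleanly; it is still readable this way.
journalctl --file /var/log/.../dsdsdsdsdsdsdsds.journal~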

goto end of log

# -e opens the pager at the end (most recent entries).
sudo journalctl -e
# -u restricts output to one unit.
journalctl -e -u certbot.service
# -x adds catalog explanations to messages where available.
journalctl -xeu redis-server.service

list old boots

# List recorded boots with their relative offsets (0 = current, -1 = previous) for use with -b.
journalctl --list-boots

Alle Meldungen mit Kennzeichnung error, critical, alert oder emergency anzeigen

# Current boot only (-b), priority err and above: err, crit, alert, emerg.
journalctl -p err -b

kernel messages only

# Kernel messages only (-k), opened at the end.
journalctl -k -e
# All installed unit files and their enablement state.
systemctl list-unit-files
# Units currently in the failed state.
systemctl --failed
# or
systemctl list-units --state=failed
# Current boot with catalog explanations; a good starting point when a unit failed.
journalctl -xb

Fish shell Add a directory to the path, but only if it exists

Add a directory to the path, but only if it exists.

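# Prepend a directory to PATH if it exists and is not already listed.
# Usage: add_path_maybe /some/dir
# Returns 1 when no directory argument was given; otherwise it is a no-op when the
# directory is missing or already present.
function add_path_maybe -d "Add a directory to the path, but only if it exists"
    # Without an argument the existence test below would have no operand; bail out.
    if test (count $argv) -eq 0
        return 1
    end
    # `--` keeps a directory name beginning with "-" from being read as an option.
    if test -d "$argv[1]"; and not contains -- $argv[1] $PATH
        set PATH $argv[1] $PATH
    end
end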
