Docker on Freebsd

Fire up a FreeBSD 14 Instance on AWS ?!?

Install Packages
pkg install gmake go git vim

Install Lima
git clone https://github.com/lima-vm/lima /opt/lima

Patch File
cat << EOF > /opt/lima/pkg/sshutil/sshutil_others.go
//go:build !darwin && !linux
// +build !darwin,!linux

package sshutil

import (
	"runtime"

	"github.com/sirupsen/logrus"
)

// detectAESAcceleration has no platform probe on this OS, so it falls back
// to a guess based on the architecture.
func detectAESAcceleration() bool {
	var err error
	const fallback = runtime.GOARCH == "amd64"
	logrus.WithError(err).Warnf("cannot detect whether AES accelerator is available, assuming %v", fallback)
	return fallback
}
EOF

Build
gmake

Copy Binaries
cp /opt/lima/_output/bin/* /usr/local/bin/
mkdir -p /usr/local/share/doc/lima && cp -r /opt/lima/_output/share/doc/lima/* /usr/local/share/doc/lima/
cp -r /opt/lima/_output/share/lima /usr/local/share/lima

Install QEMU
pkg install qemu-nox11

Get CPU
root@freebsd:/opt/lima # qemu-system-x86_64 -cpu help | grep -i cascadelake
x86 Cascadelake-Server       (alias configured by machine type)
x86 Cascadelake-Server-noTSX (alias of Cascadelake-Server-v3)
x86 Cascadelake-Server-v1    Intel Xeon Processor (Cascadelake)
x86 Cascadelake-Server-v2    Intel Xeon Processor (Cascadelake) [ARCH_CAPABILITIES]
x86 Cascadelake-Server-v3    Intel Xeon Processor (Cascadelake) [ARCH_CAPABILITIES, no TSX]
x86 Cascadelake-Server-v4    Intel Xeon Processor (Cascadelake) [ARCH_CAPABILITIES, no TSX]
x86 Cascadelake-Server-v5    Intel Xeon Processor (Cascadelake) [ARCH_CAPABILITIES, EPT switching, XSAVES, no TSX]

Export CPU
export QEMU_SYSTEM_X86_64="qemu-system-x86_64 -cpu Cascadelake-Server"

Start Lima
switch to user

Hashicorp - Vault

Some hands-on with Hashicorp Vault

Source
https://developer.hashicorp.com/vault/docs/get-started/developer-qs

Install on macOS
brew tap hashicorp/tap
brew install hashicorp/tap/vault

Run on Docker in the background; you have to kill it later
docker run -d -p 8200:8200 -e 'VAULT_DEV_ROOT_TOKEN_ID=dev-only-token' vault

Unseal Key: 2KTIMp0Md52V2xTb0txxxxxxxxxxxxxxxxxxxxxxxxx=
Root Token: dev-only-token

This is a dev instance only and has no persistent data. Don’t worry.

Open Browser
http://localhost:8200 -> root token

Export in Terminal
export VAULT_ADDR='http://0.0.0.0:8200'
export VAULT_TOKEN="dev-only-token"

Set Key
curl --header "X-Vault-Token: $VAULT_TOKEN" \
  --header "Content-Type: application/json" \
  --request POST \
  --data '{"data": {"password": "Hashi123"}}' \
  -s http://127.

Docker - Container

Stuff for the running Containers

List running Containers
$ docker ps
CONTAINER ID   IMAGE   COMMAND                  CREATED          STATUS          PORTS                    NAMES
f99ad3355bae   blog    "/home/docker/init_a…"   14 minutes ago   Up 14 minutes   0.0.0.0:3031->3031/tcp   quizzical_bardeen

Shell into Container
docker exec -it f99ad3355bae bash

First build the cache
apt-get update

Install Tools (netstat, ps, tcpdump, …)
apt-get install -y net-tools procps tcpdump telnet netcat

sha256: 27a1368fbcb11db26404131aeb2b0e15d07bc32f61df6389a7c685df61bfc5aa

Alpine - Pandas on Docker Image

How to install Pandas on Alpine Linux

Run Alpine Container
docker run -it alpine

Add packages
apk update
apk add python3 py3-pip gcc python3-dev g++

Add / build pandas
time pip install pandas
real    26m 13.14s
user    30m 46.40s
sys     3m 27.51s

Happy Pandas !

sha256: afb99c7e3ed003bee48b65795a153c4fe7835fe3dae0759b70ab2bfb5adc4fd5

Fastapi

FastAPI - Dependencies and Custom Headers

Source
https://fastapi.tiangolo.com/tutorial/dependencies/dependencies-in-path-operation-decorators/

Code
from fastapi import Depends, FastAPI, Header, HTTPException

app = FastAPI()


# Dependency: rejects the request unless the X-Token header carries the expected value
async def verify_token(x_token: str = Header()):
    if x_token != "fake-super-secret-token":
        raise HTTPException(status_code=400, detail="X-Token header invalid")


# Dependency: rejects the request unless the X-Key header carries the expected value
async def verify_key(x_key: str = Header()):
    if x_key != "fake-super-secret-key":
        raise HTTPException(status_code=400, detail="X-Key header invalid")
    return x_key


# Both dependencies run before the handler; their return values are discarded
@app.get("/items/", dependencies=[Depends(verify_token), Depends(verify_key)])
async def read_items():
    return [{"item": "Foo"}, {"item": "Bar"}]

Tests

Failed: no Custom Header
curl -s http://localhost/api/items/ | jq
{
  "detail": [
    {
      "loc": [
        "header",
        "x-token"
      ],
      "msg": "field required",
      "type": "value_error.

Acme-DNS

Web
A simplified DNS server with a RESTful HTTP API to provide a simple way to automate ACME DNS challenges.
Sounds promising, right ? Let’s give it a try ;)
https://github.com/joohoi/acme-dns

Setup
Fire up a new OpenBSD VM, let’s do it in London.
ip: 100.10.20.30

Patch, update, add go
doas su -
syspatch
pkg_add -Vu
pkg_add go

Clone repo and build acme-dns
cd /root
git clone https://github.com/joohoi/acme-dns
cd acme-dns
export GOPATH=/tmp/acme-dns
go build
cp acme-dns /usr/local/sbin/

Create Self-signed Cert
The RESTful API needs a Cert.

Docker - Kuma Monitoring

Intro
Got a hint to try a nice monitoring tool: kuma.
https://github.com/louislam/uptime-kuma

Pre-condition
You have traefik running and a wildcard certificate for a domain. See the previous posts …

.env
We need a few variables; edit the "touch" section appropriately.
cat << 'EOF' > .env
# touch
HOST="kuma"
DOMAIN="your.domain"
PORT=3001

# don't touch
SERVICE="${HOST}"
EOF

docker-compose.yml
… and the docker compose file …
cat << 'EOF' > docker-compose.yml
version: '3.3'

networks:
  traefik:
    external: true

services:
  uptime-kuma:
    image: louislam/uptime-kuma:1
    container_name: uptime-kuma
    restart: always
    volumes:
      - .

Docker - Disk Cleanup

Docker Cleanup
If you play around with docker and fill up all your disk space, as I did, the following command cleaned a lot of wasted space, especially in the /var/lib/docker/overlay2 folder.

docker system prune --all --volumes --force

Result
...
yl6ajwpa4nyicajls7e8xhjwo
hveehb6rp5drucnmm7ti2rc5g
ot7dr6b4qpxcf2vaq1r23n56k
qk2qk4dq0nch1lnghozdazjq9
3uewt5kxbyhemx1q410qamha7

Total reclaimed space: 21.45GB

sha256: 9770f41e2df8df14a08f6cd1ae244f7dff98afbb0baa10f076c8897210b18c44

Docker - Traefik - Wildcard Subdomain

Intro
I was wondering if you can have Wildcard Certs for certain Subdomains. The idea is to provide a Service with “myservice.auth.your.domain” which automatically requests Authentication, while the same Service “myservice.whitelist.your.domain” is reachable through some Whitelisted IPs only. As Traefik can chain Middleware, but does not implement logic (if Whitelist -> ok, else do Basic Auth …), I have to build another solution. Let’s have a look.

Prepare Folders
cd /your/traffic/rootfolder
mkdir -p config/dynamic .

Docker - Traefik - HugoBlog

Intro
As I’m playing with traefik & docker, why not duplicate this blog in a container ? For fun and profit ? Let’s give it a try …

Pre-condition
You have traefik running and a wildcard certificate for a domain. See the previous posts …

docker compose
cat << 'EOF' > docker-compose.yml
version: '3'

services:
  hugo:
    image: jakejarvis/hugo-extended:latest
    ports:
      - 1313:1313
    volumes:
      - ./src:/src
    command: server --buildDrafts --buildFuture --bind 0.0.0.0
    restart: always
    networks:
      - traefik
    labels:
      - "traefik.

OpenBGPD - Upgrade Looking Glass

I’m running a BGP Looking Glass Server on https://bgp.stoege.net, where you can get some view of BGP running on the Global Internet.

Upgrade to 7.2
Did an Upgrade to the latest Version with my Script. The Upgrade was successful, but the BGP Service needs some Fix. The Website shows “500 Internal Server Error”, and the Logs got a few messages like this:

tail -f /var/log/messages
Oct 21 11:38:07 bapi slowcgi[62677]: execve /cgi-bin/bgplg: Permission denied
Oct 21 11:38:07 bapi slowcgi[93993]: caught exit of unknown child 62677
Oct 21 11:38:12 bapi slowcgi[45500]: execve /cgi-bin/bgplg: Permission denied

Reapply the Permissions
chmod 0550 /var/www/cgi-bin/bgplg
chown www:daemon /var/www/cgi-bin/bgplg
chmod 0555 /var/www/bin/bgpctl
chmod 4555 /var/www/bin/ping* /var/www/bin/traceroute*

Check Service
$ curl --head "https://bgp.

OpenBSD 7.2

OpenBSD 7.2 finally released. Yesterday, the 53rd Release of OpenBSD got published, [Version 7.2](https://www.openbsd.org/72.html). I’ll upgrade my boxes as usual with the following Script. The most obvious change is the Performance improvement for the Package Manager, but there is always more, see undeadly.

Upgrade Guide
As usual, follow the official Upgrade Guide. You can Upgrade with a USB Stick, ISO Image, PXE Boot or inline (from a running system).

Docker - Traefik - Wildcard Cert

Intro
TLS is a must, but do you wanna generate your own Certificate for each Service you provide ? Especially when you have a *.domain.tld Record set ? Traefik is able to handle that for you. Let’s Encrypt offers the possibility to use DNS Validation for Wildcard Domains. Here is a list of Providers that can automate DNS Verification.

Helpful URLs
https://doc.traefik.io/traefik/user-guides/docker-compose/acme-dns/
https://www.digitalocean.com/community/tutorials/how-to-use-traefik-v2-as-a-reverse-proxy-for-docker-containers-on-ubuntu-20-04
https://www.carluccio.de/reverse-proxy-traefik-mit-wildcard-zertifikaten/
https://linuxblog.xyz/posts/traefik-2-docker-compose/
https://medium.com/@KagundaJM/proxy-buffalo-app-with-traefik-and-lets-encrypt-on-digitalocean-505060edef4c

Full Example with Docker Compose, Traefik, Digital Ocean

Prepare Env
cd /where/ever/you/want
mkdir data
touch data/acme.

Docker - Traefik - Redirect

Simple (simple ???) Redirect for all Requests to another Page. At least, it works …

docker-compose.yml
  whoami5:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.redirect-regex.redirectregex.permanent=false"
      - "traefik.http.middlewares.redirect-regex.redirectregex.regex=(.)*"
      - "traefik.http.middlewares.redirect-regex.redirectregex.replacement=https://blog.stoege.net"
      - "traefik.http.routers.whoami5.middlewares=redirect-regex"
      - "traefik.http.routers.whoami5.rule=Host(`redirect.your.domain.de`)"
      - "traefik.http.routers.whoami5.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whoami5.tls=true"

sha256: f98bc4f9d6b271b301836a764b2e27e64eb9f6c774b5d7ce1887ed421ffbef75

Docker - Traefik - IPWhitelist

Whitelist IP Range

docker-compose.yml
  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, x.x.x.x/y"
      - "traefik.http.routers.whoami.middlewares=test-ipwhitelist@docker"
      - "traefik.http.routers.whoami.rule=Host(`whoami.your.domain.de`)"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whoami.tls=true"

-> Only “localhost” and the SRC IP x.x.x.x/y can access this URL. The rest will be blocked.
-> Disadvantage: the Container needs to be restarted if the Source Range gets modified! We can do this better :)

Move to File
You may want to put your “IP Ranges” into a dedicated File and import it where needed.