Friday, March 16, 2018

Jenkins pipelines Jenkins code completion in Eclipse (doh! Who would have thought of using an IDE to write code! The new frontier is to write pipeline code in a browser on a github tab.... next they will ask you to write pcode in hex format... then we will eat bananas on trees again)

picture 1: Jenkins developers discussing the use of Notepad to improve coding experience

picture 2: Jenkins developers celebrate their first successful Scripted pipeline

picture 3: Jenkins developers discover IDE

Thursday, March 15, 2018


ls -ltra /var/run/docker.sock
srw-rw----. 1 root docker 0 Feb 12 15:49 /var/run/docker.sock

the leading "s" stands for Unix socket

Communication between a Docker container and the Docker daemon can happen via this socket (see Portainer and "docker in docker").
excellent explanation of the /var/run/docker.sock

This REST call via /var/run/docker.sock will create a container:

docker pull nginx:latest
curl -H "Content-Type: application/json" -X POST --unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' http://localhost/containers/create


This PRICELESS command, run on the host, can trace all the events handled by the docker daemon:

curl --unix-socket /var/run/docker.sock http://localhost/events

Jenkins console

interesting presentation (skip first 9 minutes)


// the Script Console runs Groovy inside the Jenkins master, as the Jenkins process user
println "I hacked you"

// reads any file the Jenkins user can read
new File('/etc/passwd').text

// JENKINS_HOME of this master
println "${Jenkins.instance.root}"

// runs an OS command on the master and returns its output
"ls -ltr /".execute().text


on Jenkins CLI

the scripts by Sam

Sunday, March 11, 2018

dind (docker in docker), permission denied on /var/run/docker.sock

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.33/version: dial unix /var/run/docker.sock: connect: permission denied

ls -alh /var/run/docker.sock
srw-rw----. 1 root docker 0 Mar 11 15:45 /var/run/docker.sock

doing "chmod 777 /var/run/docker.sock" doesn't help

on the host:

docker version
Version: 1.12.6
API version: 1.24

in the container:

docker version
Version: 17.10.0-ce
API version: 1.33

The problem went away after installing the latest docker version on the host, as per
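An added example (not code from these posts) that does the two things above from Python with only the standard library: it dials /var/run/docker.sock like the curl commands, reads /version, and picks an API version the daemon actually supports instead of assuming the client's own 1.33, which is the client/daemon mismatch in the dind post. The 1.12 fallback for daemons that do not report MinAPIVersion is an assumption taken from the engine's historical minimum; anything that can open the socket has full control of the daemon, so the socket's group ownership, not a chmod 777, is what should gate access.

```python
import http.client
import json
import socket

DOCKER_SOCK = "/var/run/docker.sock"


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client connection that dials a Unix socket instead of TCP."""

    def __init__(self, sock_path, timeout=10):
        super().__init__("localhost", timeout=timeout)
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.sock_path)


def parse_version(v):
    """'1.24' -> (1, 24) so versions compare numerically, not as strings."""
    major, minor = v.split(".")
    return (int(major), int(minor))


def negotiate_api_version(version_info, client_max="1.33"):
    """Choose the API version for /vX.Y/ paths from the daemon's /version reply.
    Daemons from API 1.25 on report MinAPIVersion; older ones (like the 1.24
    daemon above) do not, so 1.12 is assumed (historical engine minimum).
    Returns the highest version both sides accept, or None if the ranges miss."""
    daemon_max = parse_version(version_info["ApiVersion"])
    daemon_min = parse_version(version_info.get("MinAPIVersion", "1.12"))
    chosen = min(parse_version(client_max), daemon_max)
    return None if chosen < daemon_min else "%d.%d" % chosen


def docker_request(method, path, body=None, sock_path=DOCKER_SOCK):
    """One request over the socket; returns (HTTP status, decoded JSON body)."""
    conn = UnixHTTPConnection(sock_path)
    headers = {"Content-Type": "application/json"} if body is not None else {}
    payload = json.dumps(body) if body is not None else None
    conn.request(method, path, body=payload, headers=headers)
    resp = conn.getresponse()
    raw = resp.read()
    conn.close()
    return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    status, info = docker_request("GET", "/version")
    api = negotiate_api_version(info)
    print("daemon %s (API %s) -> using API %s" % (info["Version"], info["ApiVersion"], api))
    # same as the curl POST above, but under a version prefix the daemon accepts
    print(docker_request("POST", "/v%s/containers/create" % api, {"Image": "nginx"}))
```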

Thursday, March 1, 2018


Priceless wiki

#put SELinux in permissive mode (must be root): MAC rule violations are only logged, not enforced
setenforce 0
#back to enforcing mode
setenforce 1

#display info
cat /etc/selinux/config

DAC and MAC (discretionary and mandatory access control). First DAC is applied, then MAC (if DAC succeeds).

#list user, role, type, level
ls -Z myfile

Access Vector Cache (AVC)

#view SELinux-Linux user mappings
semanage login -l

#view the SELinux context for processes
ps -eZ

#view SELinux context associated to your user
id -Z

#label a file with a type (transient: reverts at the next relabel); <type> and <file> are placeholders
chcon -t <type> <file>

#permanent relabeling of file

#restore default context for process

In Apache, if you get this:

[Tue Feb 27 14:11:52.105495 2018] [core:error] [pid 41356] (13)Permission denied: [client] AH00035: access to /index.html denied (filesystem path '/path/to/home') because search permissions are missing on a component of the path


ps -efZ | grep http

and check which TYPE the httpd process is running as (httpd_t):

system_u:system_r:httpd_t:s0 root 37203 1 0 Feb28 ? 00:00:03 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 37206 37203 0 Feb28 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND

then you have to change the type of your file to be served

ls -Z /path/to/index.html
-rw-r--r--. admrun admrun unconfined_u:object_r:default_t:s0 /path/to/index.html

then you do

chcon -t httpd_t /path/to/index.html

if you get

chcon: failed to change context of '/path/to/myfile' to 'unconfined_u:object_r:httpd_t:s0': Permission denied

it's because httpd_t is a PROCESS (domain) type, not a FILE type

see here complete documentation of types

However it's better to change the context for the folder rather than for the individual files:

# semanage fcontext -a -t httpd_sys_content_t "/path/to(/.*)?"
# restorecon -R -v /path/to

see also "man semanage-fcontext" and

in Puppet (pueah) you can use the selinux module with a clause like:

selinux::fcontext { '/path/to':
  path   => '/path/to(/.*)?',
  setype => 'httpd_sys_content_t',
}