Monday, August 19, 2019

awesome Kubernetes Best Practices videos



There is a whole series; they are all equally good.

Wednesday, August 14, 2019

WebLogic, dramatic reduction of TLS sessions creation by rejectClientInitiatedRenegotiation

Investigating why the TLS sessions were constantly being invalidated, removed from the cache and recreated, we found that it is WLS's own SSLConfigUtils.configureClientInitSecureRenegotiation() that triggers the invalidation:

at sun.security.ssl.SSLSessionContextImpl.remove(SSLSessionContextImpl.java:132)
at sun.security.ssl.SSLSessionImpl.invalidate(SSLSessionImpl.java:673)
at weblogic.socket.utils.SSLConfigUtils.configureClientInitSecureRenegotiation(SSLConfigUtils.java:27)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:135)
at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:354)
at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:976)
at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:917)
at weblogic.socket.NIOSocketMuxer.process(NIOSocketMuxer.java:599)
at weblogic.socket.NIOSocketMuxer.processSockets(NIOSocketMuxer.java:563)
at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:30)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:43)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:147)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:119)


The code responsible (decompiled from weblogic.socket.utils.SSLConfigUtils) is:


public static void configureClientInitSecureRenegotiation(SSLEngine sslEngine, boolean clientInitSecureRenegotiation)
{
  // WLS acts on its own only when -Djdk.tls.rejectClientInitiatedRenegotiation is NOT set
  if (!IS_JDK_CLIENT_INIT_SECURE_RENEGOTIATION_PROPERTY_SET)
  {
    if ((sslEngine != null) && (!sslEngine.getUseClientMode()))   // server-side engines only
    {
      if (!clientInitSecureRenegotiation) {
        sslEngine.getSession().invalidate();                      // the call seen in the stack trace above
      }
      sslEngine.setEnableSessionCreation(clientInitSecureRenegotiation);
      if (isLoggable()) {
        SocketLogger.logDebug(clientInitSecureRenegotiation ? "Enabled" : "Disabled TLS client initiated secure renegotiation.");
      }
    }
  }
  else if (isLoggable()) {
    SocketLogger.logDebug("TLS client initiated secure renegotiation setting is configured with -Djdk.tls.rejectClientInitiatedRenegotiation");
  }
}


So invalidate() is called only when clientInitSecureRenegotiation is false, but it turns out that this flag (it is the isClientInitSecureRenegotiationAccepted parameter of JSSEFilterImpl) is always false:





in JSSESocketFactory:

  JSSEFilterImpl getJSSEFilterImpl(Socket connectedSocket, String host, int port)
    throws IOException
  {
    SSLEngine sslEngine = getSSLEngine(host, port);
    return new JSSEFilterImpl(connectedSocket, sslEngine, true);
  }

in JSSEFilterImpl:

  public JSSEFilterImpl(Socket sock, SSLEngine engine, boolean clientMode)
    throws IOException
  {
    this(sock, engine, clientMode, false);  // parameter 4 is isClientInitSecureRenegotiationAccepted, THIS IS ALWAYS FALSE, and clientMode is always TRUE
  }

  public JSSEFilterImpl(Socket sock, SSLEngine engine, boolean clientMode, boolean isClientInitSecureRenegotiationAccepted)  // this constructor is ultimately invoked
    throws IOException
  {


So the only way to stop the session invalidation is to make IS_JDK_CLIENT_INIT_SECURE_RENEGOTIATION_PROPERTY_SET true, that is, to set -Djdk.tls.rejectClientInitiatedRenegotiation on the JVM command line: WebLogic then skips its own handling entirely. For this purpose the value (true or false) doesn't seem to matter, as long as the property is set. From a hardening point of view, prefer -Djdk.tls.rejectClientInitiatedRenegotiation=true: the JDK default is false (the server accepts client-initiated renegotiation), while true makes the JSSE server refuse renegotiation requests from clients, which closes the well-known client-initiated-renegotiation CPU exhaustion vector.
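As an added check (my own example, not WebLogic or JDK code), here is a small POSIX shell audit that classifies a JVM command line into the three states the analysis above implies: property unset (WLS invalidates sessions), set to true (JDK refuses client-initiated renegotiation), or set to anything else (WLS stays out of the way but the JDK keeps its permissive default). The command lines are constructed samples in the form `ps -o args=` prints them; the live checks a practitioner would run afterwards are in the trailing comments.

```shell
#!/bin/sh
# Added example: classify a JVM command line by the state of
# jdk.tls.rejectClientInitiatedRenegotiation. Prints: unset | empty | <value>
PROP='jdk.tls.rejectClientInitiatedRenegotiation'

renego_property_state() {
    case " $1 " in
        *" -D$PROP="*)                    # -Dprop=value
            v=${1#*-D$PROP=}              # text after the first -Dprop=
            v=${v%% *}                    # up to the next blank
            printf '%s\n' "${v:-empty}" ;;
        *" -D$PROP "*)                    # bare -Dprop: Java sets it to ""
            printf 'empty\n' ;;
        *)
            printf 'unset\n' ;;
    esac
}

# Security verdict. Exit status: 0 = recommended, 1 = unset, 2 = set but not true.
renego_verdict() {
    state=$(renego_property_state "$1")
    case "$state" in
        unset)
            echo "UNSET : WLS invalidates the server-side TLS session on every handshake (no resumption); set -D$PROP=true"
            return 1 ;;
        true|TRUE|True)
            echo "OK    : JDK rejects client-initiated renegotiation and WLS leaves sessions alone"
            return 0 ;;
        *)
            echo "WEAK  : property is '$state': WLS leaves sessions alone, but the JDK still accepts client-initiated renegotiation (its default)"
            return 2 ;;
    esac
}

# Constructed sample command lines (not from a real server).
CMD_UNSET='java -Xmx2g -Dweblogic.Name=ms1 weblogic.Server'
CMD_TRUE='java -Xmx2g -Djdk.tls.rejectClientInitiatedRenegotiation=true -Dweblogic.Name=ms1 weblogic.Server'
CMD_FALSE='java -Djdk.tls.rejectClientInitiatedRenegotiation=false weblogic.Server'

for cmd in "$CMD_UNSET" "$CMD_TRUE" "$CMD_FALSE"; do
    renego_verdict "$cmd" || :
done

# Live checks on a real host (not run here):
#   ps -o args= -p "$PID" | while IFS= read -r line; do renego_verdict "$line"; done
#   jcmd "$PID" VM.system_properties | grep jdk.tls.rejectClientInitiatedRenegotiation
#   openssl s_client -connect host:7002   then type R and Enter to request a renegotiation:
#   with the property set to true the server must refuse it and drop the connection.
```

The classifier only looks at command-line -D flags; a property set programmatically (System.setProperty) or via a properties file shows up only in the jcmd VM.system_properties output, which is why that check is listed too.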


Thanks to Carlo for the excellent analysis.





Sunday, August 11, 2019

Audit the content of a series of folders against a file

audit.txt contains the list of expected files:

/media/sf_shared/bashtests/dirtoaudit/
/media/sf_shared/bashtests/dirtoaudit/dir01
/media/sf_shared/bashtests/dirtoaudit/dir01/file01_01.txt
/media/sf_shared/bashtests/dirtoaudit/dir01/file02_01.txt
/media/sf_shared/bashtests/dirtoaudit/dir02
/media/sf_shared/bashtests/dirtoaudit/dir02/file01_02.txt
/media/sf_shared/bashtests/dirtoaudit/dir02/file02_02.txt

this script checks that in the folders

/media/sf_shared/bashtests/dirtoaudit/
/media/sf_shared/bashtests/dirtoaudit/dir01
/media/sf_shared/bashtests/dirtoaudit/dir02

there are no extra files or folders:




Of course this scales very poorly... I would never dream of writing complex logic in bash, unless I was absolutely forced
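Since the script itself did not survive on the page, here is an added example of my own (not the post's script) that does the audit in portable POSIX sh with find, sort and comm: it reports entries found on disk but not in the list (the "extra files or folders" check) and, going beyond the post, entries listed but missing on disk. The demo tree mirrors the layout above but is built under a temporary directory, so the paths differ from the /media/sf_shared ones.

```shell
#!/bin/sh
# Added example: compare a directory tree with a list of expected absolute paths
# (one per line, like audit.txt). Prints EXTRA and MISSING lines; exit status 0
# only when the tree matches the list exactly.
audit_tree() {
    list=$1; root=$2
    expected=$(mktemp); actual=$(mktemp)
    sed 's:/*$::;/^$/d' "$list" | sort -u > "$expected"     # normalise trailing slashes
    find "$root" | sed 's:/*$::;/^$/d' | sort -u > "$actual"
    extra=$(comm -13 "$expected" "$actual")                 # only on disk
    missing=$(comm -23 "$expected" "$actual")               # only in the list
    rm -f "$expected" "$actual"
    status=0
    if [ -n "$extra" ];   then printf '%s\n' "$extra"   | sed 's/^/EXTRA:   /'; status=1; fi
    if [ -n "$missing" ]; then printf '%s\n' "$missing" | sed 's/^/MISSING: /'; status=1; fi
    return $status
}

# Constructed demo tree with the post's layout, under a temp dir; prints that dir.
# audit.txt is written next to dirtoaudit/.
build_demo_tree() {
    base=$(mktemp -d); root=$base/dirtoaudit
    mkdir -p "$root/dir01" "$root/dir02"
    : > "$root/dir01/file01_01.txt"; : > "$root/dir01/file02_01.txt"
    : > "$root/dir02/file01_02.txt"; : > "$root/dir02/file02_02.txt"
    printf '%s\n' "$root/" "$root/dir01" "$root/dir01/file01_01.txt" \
        "$root/dir01/file02_01.txt" "$root/dir02" "$root/dir02/file01_02.txt" \
        "$root/dir02/file02_02.txt" > "$base/audit.txt"
    printf '%s\n' "$base"
}

demo=$(build_demo_tree)
audit_tree "$demo/audit.txt" "$demo/dirtoaudit" && echo "clean tree matches audit.txt"
: > "$demo/dirtoaudit/dir02/rogue.sh"            # planted extra file
rm "$demo/dirtoaudit/dir01/file02_01.txt"         # removed expected file
audit_tree "$demo/audit.txt" "$demo/dirtoaudit" || echo "tree differs from audit.txt"
rm -rf "$demo"
```

This compares names only. If the point of the audit is integrity rather than inventory, generate the list with `sha256sum` instead and check it with `sha256sum -c`, so a replaced file with the same name is caught as well.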




Saturday, August 10, 2019

OpenShift CI/CD

https://www.youtube.com/watch?v=65BnTLcDAJI good video on CI/CD, part 1


https://www.youtube.com/watch?v=wSFyg6Etwx8 part 2



https://www.youtube.com/watch?v=kbbK0VEy2qM OpenShift 4 CI/CD

The essential prerequisite is to have the "OpenShift Jenkins Pipeline (DSL) Plugin" installed in Jenkins: https://github.com/openshift/jenkins-client-plugin



https://www.youtube.com/watch?v=pMDiiW1UqLo Openshift Pipelines with Tekton https://cloud.google.com/tekton/ and here is the code https://github.com/openshift/pipelines-tutorial

rpm useful commands

list files installed by an INSTALLED rpm (for an UNINSTALLED rpm, add -p and provide full path to .rpm file):

rpm -ql nginx.x86_64

or also (if the rpm is not installed yet) repoquery --list nginx.x86_64

verify that the files installed by an rpm have not been tampered with:

rpm -V nginx.x86_64

Each reported file is prefixed by a 9-character string, one position per test that failed (a "." means passed, a "?" means the test could not be run): S size, M mode (permissions and type), 5 digest, D device number, L symlink target, U user, G group, T mtime, P capabilities. A following "c" marks a config file, "d" a doc file. A changed digest or mode on a non-config file is the signal to look at; mtime-only drift is usually noise. Note that rpm -V trusts the local rpm database, which an attacker with root could also have edited, so on a suspect host verify against the original package file fetched from a trusted mirror: rpm -Vp nginx-<version>.rpm

display the postinstall and postuninstall scripts

rpm -q --scripts nginx.x86_64

which rpm provides a given file:

rpm -q --whatprovides /usr/sbin/nginx
or also
rpm -qf /usr/sbin/nginx

for a REALLY verbose verification output:

rpm -Vvv nginx.x86_64
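To triage a whole-system `rpm -Va` run rather than reading it by eye, here is an added example (mine, not from the cheat sheet) that parses the verify output format described above and keeps only what matters: payload files whose size, mode, digest, ownership, link target or capabilities changed, and missing files, while dropping mtime-only changes and doc files and downgrading edited config files to INFO. The input is constructed sample output, labelled as such; on a real host pipe `rpm -Va` into the function.

```shell
#!/bin/sh
# Added example: triage rpm -V output. Reads verify lines on stdin, prints
# "SUSPECT <flags> <path>" for altered payload files, "SUSPECT missing <path>"
# for files that disappeared, "INFO <flags> <path>" for edited config files.
rpm_verify_triage() {
    awk '
    $1 == "missing" {                                   # file from the payload is gone
        print "SUSPECT missing " $NF; next
    }
    {
        flags = $1; attr = (NF == 3) ? $2 : ""; path = $NF
        if (attr == "d" || attr == "g") next            # docs and ghost files: not meaningful
        core = substr(flags, 1, 7) substr(flags, 9)     # drop T (mtime, position 8)
        if (core !~ /[^.]/) next                        # only mtime drifted: ignore
        if (attr == "c") print "INFO    " flags " " path   # config files are expected to be edited
        else             print "SUSPECT " flags " " path   # payload file altered: investigate
    }'
}

# Constructed sample in rpm -Va format (not captured from a real system).
SAMPLE_RPM_VERIFY='S.5....T.  c /etc/nginx/nginx.conf
.......T.    /usr/share/nginx/html/index.html
S.5....T.    /usr/sbin/nginx
.M.......    /usr/lib64/nginx/modules/ngx_http_image_filter_module.so
missing     /usr/sbin/nginx-debug
.......T.  d /usr/share/doc/nginx-1.12.2/README'

printf '%s\n' "$SAMPLE_RPM_VERIFY" | rpm_verify_triage
# Real use:  rpm -Va 2>/dev/null | rpm_verify_triage
```

Anything printed as SUSPECT with a changed digest on a binary or shared library (here /usr/sbin/nginx and the module .so) deserves the rpm -Vp check against a trusted copy of the package before the host is considered clean.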



Ref:

http://ftp.rpm.org/max-rpm/s1-rpm-verify-what-to-verify.html


https://www.cyberciti.biz/howto/question/linux/linux-rpm-cheat-sheet.php fantastic all-in-one rpm cheat sheet

SAML and JWT

Excellent side-by-side comparison https://medium.com/@robert.broeckelmann/saml2-vs-jwt-a-comparison-254bafd98e6


Useful terminology:


https://en.wikipedia.org/wiki/Trusted_computing_base

Bearer Tokens

Holder of Key

Sender Vouches

Proof of Possession

IdP https://en.wikipedia.org/wiki/Identity_provider
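To make the "Bearer Tokens" entry concrete, here is an added example of mine (not from the linked comparison) that mints and verifies an HS256 JWT with nothing but POSIX sh and the openssl command line; the secret and the claims are constructed for the demo. What it shows: the verifier checks the signature and nothing about who presents the token, so whoever holds the string is accepted, which is exactly what "bearer" means (a holder-of-key or proof-of-possession token would additionally demand a proof tied to a key named in the token). It also pins the algorithm before touching the MAC, which is the check that defeats the "alg":"none" downgrade.

```shell
#!/bin/sh
# Added example: HS256 JWT sign/verify with openssl. Needs the openssl CLI.

b64url_encode() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }   # stdin -> base64url without padding
b64url_decode() {                                                    # base64url on stdin -> raw bytes
    in=$(tr '_-' '/+')
    case $(( ${#in} % 4 )) in 2) in="$in==" ;; 3) in="$in=" ;; esac
    printf '%s' "$in" | openssl base64 -d -A
}
hs256() { openssl dgst -sha256 -hmac "$1" -binary | b64url_encode; }  # $1 = key, stdin = data

# jwt_hs256_sign <claims-json> <secret> -> token on stdout
jwt_hs256_sign() {
    h=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url_encode)
    p=$(printf '%s' "$1" | b64url_encode)
    mac=$(printf '%s' "$h.$p" | hs256 "$2")
    printf '%s\n' "$h.$p.$mac"
}

# jwt_hs256_verify <token> <secret>: status 0 only if the header says HS256 and
# the signature matches. Nothing here identifies the presenter: bearer semantics.
jwt_hs256_verify() {
    h=${1%%.*}; rest=${1#*.}; p=${rest%%.*}; sig=${rest#*.}
    [ -n "$sig" ] || return 1
    # pin the algorithm first: a header claiming "none" or RS256 must never reach the HMAC check
    printf '%s' "$h" | b64url_decode | grep -q '"alg" *: *"HS256"' || return 1
    expected=$(printf '%s' "$h.$p" | hs256 "$2")
    [ "$sig" = "$expected" ]            # demo only: not a constant-time comparison
}

SECRET='constructed-demo-secret'                    # constructed, not a real key
token=$(jwt_hs256_sign '{"sub":"alice","scope":"read"}' "$SECRET")
echo "token: $token"
jwt_hs256_verify "$token" "$SECRET" && echo "valid signature: accepted from whoever presents it"

# 1) claims tampered, old signature kept
hdr=${token%%.*}; sig=${token##*.}
forged="$hdr.$(printf '%s' '{"sub":"admin","scope":"admin"}' | b64url_encode).$sig"
jwt_hs256_verify "$forged" "$SECRET" || echo "forged claims rejected"

# 2) "alg":"none" downgrade attempt
downgraded="$(printf '%s' '{"alg":"none"}' | b64url_encode).${token#*.}"
jwt_hs256_verify "$downgraded" "$SECRET" || echo "alg downgrade rejected"
```

In a real deployment the secret never sits in a shell variable, the verifier also checks exp/iss/aud, and the comparison is constant-time; the structure (decode, pin alg, recompute MAC, compare) is what this demo is about.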



Openshift RedHat plugin for Intellij

https://plugins.jetbrains.com/plugin/12030-openshift-connector-by-red-hat

Sample video on how to use it https://www.youtube.com/watch?v=kCESA7a5i3M


I keep getting the message "odo not found, do you want to download it?"; I click "yes" and nothing visible happens... even though I have odo.exe on the PATH, I still get the error message...

https://github.com/openshift/odo

It doesn't seem very popular though... very few downloads... but I don't want to use Eclipse with its JBoss Openshift Client, I hate Eclipse...

However, Intellij has its own Cloud support for Openshift https://www.jetbrains.com/help/idea/working-with-clouds.html

CTRL-ALT-S, Cloud, Openshift

see also https://www.jetbrains.com/help/idea/run-debug-configuration-openshift-deployment.html



Openshift 4, interesting readings

https://computingforgeeks.com/red-hat-openshift-4-new-features/

https://cloudowski.com/articles/10-differences-between-openshift-and-kubernetes/

https://cloudowski.com/articles/honest-review-of-openshift-4/

https://cloudowski.com/articles/why-managing-container-images-on-openshift-is-better-than-on-kubernetes/

https://computingforgeeks.com/setup-openshift-origin-local-cluster-on-centos/ ( not working for me.... ) see also https://github.com/openshift/origin/blob/v4.0.0-alpha.0/docs/cluster_up_down.md


I have deployed https://github.com/vernetto/sbhello with OpenShift Online,
using the Catalog option "Red Hat OpenJDK 8".


.\oc.exe new-app openshift/java:8~https://github.com/vernetto/sbhello.git --name=sbhwpv3
.\oc.exe expose service sbhwpv3


https://github.com/fabric8io-images/run-java-sh



This is still a very good developer introduction https://www.youtube.com/watch?v=cY7KIEajqx4 (a bit outdated) by Grant Shipley, really intense and focused.


https://www.youtube.com/watch?v=-xJIvBpvEeE amazing on Openshift infrastructure management


https://coreos.com/ignition/docs/latest/ what is ignition

https://www.terraform.io/intro/index.html what is terraform

Thursday, August 1, 2019

Linux. find broadcast address of a given network interface

It's grotesque how in 2019 we still have to rely on primitive, ambiguous tools like grep and awk to extract information from a linux command

This is what I could come up with to "find the broadcast address of a given network interface":

ip a s dev docker0 | grep "inet.*brd" | awk '{print $4}'


To subtract 1 from an IP address (a snippet found online; it reads the addresses from a file named ip_list in the current directory):

cat checkip.ksh
echo "Enter ip:"
read IP_val
awk -F"/" -vvalip="$IP_val" '{if($NF==valip){split($1, A,".");A[4]-=1;VAL=A[1] OFS A[2] OFS A[3] OFS A[4]}} END{print VAL}' OFS="." ip_list



It's a mad world.

The broadcast address is the highest address of the subnet (for any prefix up to /30; a /31 or /32 has no broadcast address):
Network: 172.25.1.64/26
Broadcast: 172.25.1.127
HostMin: 172.25.1.65
HostMax: 172.25.1.126
Hosts/Net: 62

and by a common convention (not a rule) the gateway is the highest usable host, broadcast-1 = 172.25.1.126.

To find out what the default gateway actually is, ask the routing table:
ip route show default

and, on RHEL-style systems, the static configuration:
cat /etc/sysconfig/network

initialization scripts in /etc/sysconfig/network-scripts/ifcfg-*
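Rather than grep/awk over `ip` output, the subnet arithmetic can be done in plain POSIX sh. Here is an added example of mine (not from the post) that takes an address in CIDR form and prints the same fields as the table above, generalised to any prefix, including the /31 and /32 cases that have no broadcast address. The input addresses are constructed; on a live box feed it the a.b.c.d/p that `ip -o -4 addr show dev <if>` prints in its fourth column.

```shell
#!/bin/sh
# Added example: IPv4 subnet arithmetic without awk/grep. Usage: cidr_info 172.25.1.64/26

ip_to_int() {       # a.b.c.d -> 32-bit integer
    a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
int_to_ip() {       # integer -> a.b.c.d
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}
host_bits() { echo $(( (1 << (32 - ${1#*/})) - 1 )); }               # e.g. /26 -> 63

cidr_network()   { int_to_ip $(( $(ip_to_int "${1%/*}") & (0xFFFFFFFF ^ $(host_bits "$1")) )); }
cidr_broadcast() { int_to_ip $(( $(ip_to_int "${1%/*}") | $(host_bits "$1") )); }
cidr_hostmax()   { int_to_ip $(( $(ip_to_int "$(cidr_broadcast "$1")") - 1 )); }

cidr_info() {
    p=${1#*/}
    net=$(ip_to_int "$(cidr_network "$1")")
    bc=$(ip_to_int "$(cidr_broadcast "$1")")
    echo "Network:   $(int_to_ip "$net")/$p"
    if [ "$p" -ge 31 ]; then
        echo "No broadcast address on a /$p (RFC 3021 point-to-point or a single host)"
        return 0
    fi
    echo "Broadcast: $(int_to_ip "$bc")"
    echo "HostMin:   $(int_to_ip $(( net + 1 )))"
    echo "HostMax:   $(int_to_ip $(( bc - 1 )))   (the usual, not guaranteed, gateway)"
    echo "Hosts/Net: $(( bc - net - 1 ))"
}

cidr_info 172.25.1.64/26      # the post's example
cidr_info 172.17.0.1/16       # constructed docker0-style address
cidr_info 10.0.0.1/31
# Live use:  cidr_info "$(ip -o -4 addr show dev docker0 | awk '{print $4}')"
#            ip route show default          # the real gateway, not a guess
```

The "gateway = broadcast-1" line is printed as a guess on purpose: it is a habit of many network teams, not a property of IP, so the routing table remains the authority.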



https://en.wikipedia.org/wiki/Broadcast_address