Hackfi – Page 14 – DevSecOps

Promethus inbuilt basic authentication and TLS

github : https://github.com/prometheus/prometheus/pull/8316

from v2.24.0 basic authentication and TLS is inbuilt into prometheus.

webconfig.yml

tls_server_config:
  cert_file: /etc/prometheus/prometheus.cert
  key_file: /etc/prometheus/prometheus.key

basic_auth_users:
  admin: $2y$12$/B1Z0Ohq/g9z/BlD30mi/uRDNdBRs/VrtAZrJDtY73Ttjc8RYHJ2O

Start prometheus with webconfig file

./prometheus --web.config.file=webconfig.yml

Prometheus will be accessible on https and with basic auth (admin/admin)
Password should be bcrypt encrypted – https://bcrypt-generator.com

More : https://github.com/roidelapluie/prometheus/blob/5b4f46a348ae3bc143629f25f0f997f39f30c2c2/docs/configuration/https.md

Disk IO read/write monitor

yum install sysstat -y

iostat -t

iostat -xtc

iostat -d

#More command

iostat -dx /dev/sda 5
sar
vmstat
badblock

Docker private registry server

echo '{
 "insecure-registries" : [ "192.168.0.183:5000" ]
}' > /etc/docker/daemon.json

docker run -d -p 5000:5000 --restart=always --name registry registry:2

registry-docker-compose.yml

version: '3'
services:
  registry:
    image: registry:2
    user: root:root
    restart: always
    container_name: registry
    environment:
      TZ: "Asia/Kolkata"
    volumes:
      - /mnt/registry:/var/lib/registry
    ports:
      - 5000:5000

sonarqube stage in jenkins

def git_url = 'https://github.com/initedit/note.initedit'
def git_branch = 'main'
def server_report = "ERROR"
pipeline
{
    agent
    {
        label 'master'
    }
    stages
    {
        
        stage('Git Checkout')
        {

                steps
                {
                    
                    git credentialsId: 'github', url: git_url , branch: git_branch

                }
               
        }
        
        stage('sonarqube analysis')
        {

                steps
                {
                        script 
                        {
                            withSonarQubeEnv('sonarqube') 
                            {
                                def temp_job_name = JOB_NAME.replaceAll('/','-')
                                sh "PATH=$PATH:/var/jenkins_home/node12/bin;NODE_PATH=/var/jenkins_home/node12/lib/node_modules;npm install typescript;/var/jenkins_home/sonar_scanner/bin/sonar-scanner -Dsonar.sourceEncoding=UTF-8  -Dsonar.sources=${WORKSPACE} -Dsonar.projectKey=${temp_job_name}-${git_branch} -Dsonar.projectName=${temp_job_name}-${git_branch};"
                                

                                    withCredentials([usernamePassword(credentialsId: 'sonarqube-user', usernameVariable: 'uname' , passwordVariable: 'upass')]) 
                                    {
                                        sh """
                                        cd .scannerwork
                                        sonar_job_url=\$(cat report-task.txt | grep ceTaskUrl | awk -F 'ceTaskUrl=' '{print \$NF}')
                                        while(true)
                                        do
                                            sonar_job_status=\$(curl -s --user "\$uname:\$upass" \$sonar_job_url | awk -F '"status":' '{print \$NF}' | cut -d ',' -f1 | sed 's/"//g')
                                            sleep 10
                                            if [ "\$sonar_job_status" != 'IN_PROGRESS' ]
                                            then
                                            echo "sonar job completed"
                                            
                                            #get new bugs
                                            new_vulnerabilities=\$(curl -s --user "\$uname:\$upass" http://sonarqube.initedit.com/api/measures/search_history?component="${temp_job_name}-${git_branch}"'&'metrics=new_vulnerabilities | awk -F '"value":' '{print \$NF}' | awk -F '}' '{print \$1}' | sed 's/"//g')
                                            new_bugs=\$(curl -s --user "\$uname:\$upass" http://sonarqube.initedit.com/api/measures/search_history?component="${temp_job_name}-${git_branch}"'&'metrics=new_bugs | awk -F '"value":' '{print \$NF}' | awk -F '}' '{print \$1}' | sed 's/"//g')
                                            new_violations=\$(curl -s --user "\$uname:\$upass" http://sonarqube.initedit.com/api/measures/search_history?component="${temp_job_name}-${git_branch}"'&'metrics=new_violations | awk -F '"value":' '{print \$NF}' | awk -F '}' '{print \$1}' | sed 's/"//g')
                                            
                                            echo "new_vulnerabilities=\$new_vulnerabilities new_bugs=\$new_bugs new_violations=\$new_violations" > /tmp/\${JOB_BASE_NAME}-\${BUILD_ID}.txt
                                            
                                            cat "/tmp/\${JOB_BASE_NAME}-\${BUILD_ID}.txt"
                                            
                                            echo "new_vulnerabilities: \$new_vulnerabilities , new_bugs : \$new_bugs , new_violations : \$new_violations"
                                            exit
                                            fi

                                        done
                                        """
                                    }
                            }

                            def qualitygate = waitForQualityGate()
                            server_report = qualitygate.status
                        }
                    
                }
                
        }
        stage('sonar-qualitygate')
        {
            steps
            {
                script
                {
                    if (server_report != 'OK') 
                    {
                        sh '''
                        echo "not ok"
                        '''
                    }
                    
                }
            }
        }
    }

}

101 questions list for troubleshooting issues

What error message your are getting? screenshot?
What actual issue you are facing share your screen?
What your are trying to accomplish?
When did it last work? approx. timing?
Is everyone in your team having the same issue?
What is the endpoint? Port? URL? IPaddress?
is this the first time you are accessing this URL?

Tmux , Screen, Nohup, – Run command in background

Why?
– Run process in background
– Run database backup in background

Tmux:

#List
tmux ls

#Start session
tmux new -s mysession

#Reconnect  
tmux a -t session_name

#Disconnect
ctrl + b + D


#Reconnect to 0 session
tmux a -t 0

More : https://tmuxcheatsheet.com

Screen :

#List
screen -ls

#Named session
screen -A -m -d -S session_name command

#Reconnect to named session
screen -r session_name 

#Disconnect
CTRL + a + d

https://gist.github.com/jctosta/af918e1618682638aa82

Nohup:

Nohup command &

It’s create nohup.out file in same directory with all command logs

https://www.thegeekdiary.com/nohup-command-examples-runs-a-command-that-keeps-running-after-you-log-out/

Jobs:

jobs
fg
bg

https://tldp.org/LDP/abs/html/x9644.html

Sonatype Nexus3 – Docker compose

version: '3'
services:
  jenkins:
    image: sonatype/nexus3:3.29.0
    user: root:root
    restart: always
    container_name: nexus
    environment:
      TZ: "Asia/Kolkata"
    volumes:
      - /opt/nexus-data:/nexus-data
    ports:
      - 8081:8081

Get admin passwords:

docker exec -it nexus bash

find / -iname admin.*

#OR

docker exec -it nexus  cat /nexus-data/admin.password

More : https://hub.docker.com/r/sonatype/nexus3#user-content-persistent-data

Nomad – Container orchestration example for Dev environment

#Install nomad

-Download the stable release form https://www.nomadproject.io/downloads

wget https://releases.hashicorp.com/nomad/1.0.1/nomad_1.0.1_linux_amd64.zip

unzip nomad_1.0.1_linux_amd64.zip

mv nomad /usr/local/bin/

#start nomad in dev mode

nomad agent -dev

nomad node status

#Install docker https://docs.docker.com/engine/install/centos/

yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo

yum install docker-ce docker-ce-cli containerd.io

systemctl start docker
systemctl enable docker

#Create simple nginx job file (nginx.nomad)

job "nginx" {
  datacenters = ["dc1"]
  type = "service"

  update {
    max_parallel = 1
    min_healthy_time = "10s"
    healthy_deadline = "3m"
    progress_deadline = "10m"
    auto_revert = false

    canary = 0
  }
  migrate {
    max_parallel = 1
    health_check = "checks"
    min_healthy_time = "10s"
    healthy_deadline = "5m"
  }
  group "cache" {
    count = 1

    network {
      port "nginx-port" {
        to = 80
      }
    }

    service {
      name = "nginx-port"
      tags = ["nginx", "web"]
      port = "nginx-port"

    }

    restart {
      attempts = 2
      interval = "30m"
      delay = "15s"
      mode = "fail"
    }

    ephemeral_disk {
      size = 300
    }


    task "nginx" {
      driver = "docker"

      config {
        image = "nginx"
        ports = ["nginx-port"]
      }

      resources {
        cpu    = 500
        memory = 256
      }

    }
  }
}

#Nomand commands for Run,Stop, job status and logs

nomad job status

nomad job run nginx.nomad

nomad job stop nginx

nomad job status nginx

nomad alloc status <Allocations ID>

nomad alloc logs <Allocations ID>

#Access webUI at http://127.0.0.1:4646

Strings command in linux

strings /lib64/libc.so.6 |grep GLIBC

strings /bin/ls

Usage: strings [option(s)] [file(s)]
 Display printable strings in [file(s)] (stdin by default)
 The options are:
  -a - --all                Scan the entire file, not just the data section [default]
  -d --data                 Only scan the data sections in the file
  -f --print-file-name      Print the name of the file before each string
  -n --bytes=[number]       Locate & print any NUL-terminated sequence of at
  -<number>                   least [number] characters (default 4).
  -t --radix={o,d,x}        Print the location of the string in base 8, 10 or 16
  -w --include-all-whitespace Include all whitespace as valid string characters
  -o                        An alias for --radix=o
  -T --target=<BFDNAME>     Specify the binary file format
  -e --encoding={s,S,b,l,B,L} Select character size and endianness:
                            s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
  -s --output-separator=<string> String used to separate strings in output.
  @<file>                   Read options from <file>
  -h --help                 Display this information
  -v -V --version           Print the program's version number
strings: supported targets: elf64-x86-64 elf32-i386 elf32-iamcu elf32-x86-64 a.out-i386-linux pei-i386 pei-x86-64 elf64-l1om elf64-k1om elf64-little elf64-big elf32-little elf32-big pe-x86-64 pe-bigobj-x86-64 pe-i386 plugin srec symbolsrec verilog tekhex binary ihex

create bootable usb using dd

dd bs=4M if=/home/input.iso of=/dev/sd[?] conv=fdatasync status=progress

[?] = Run lsblk and find your USB