Specify starcluster sshmaster port - starcluster

When using starcluster, is it possible to specify the port number when SSHing into the master node? For example:
starcluster sshmaster mycluster --port 22

No. It is not possible to define the port number to use when connecting to the master with "sshmaster". Here is the output of the "help" command for sshmaster.
%> starcluster sshmaster -h
StarCluster - (http://star.mit.edu/cluster) (v. 0.9999)
Software Tools for Academics and Researchers (STAR)
Please submit bug reports to starcluster@mit.edu
Usage: sshmaster [options] <cluster> [<remote-command>]
SSH to a cluster's master node
Example:
$ sshmaster mycluster
You can also execute commands without directly logging in:
$ starcluster sshmaster mycluster 'cat /etc/hosts'
Options:
-h, --help show this help message and exit
-u USER, --user=USER login as USER (defaults to root)
-X, --forward-x11 enable X11 forwarding
-A, --forward-agent enable authentication agent forwarding
-t, --pseudo-tty enable pseudo-tty allocation (for interactive commands and screens)

Related

different ips in different terminal with torify

How can we get a different Tor circuit with the torify command in a separate terminal window? Specifically, if I type a command in terminal window 1
torify curl http://icanhazip.com
I receive my IP address in response.
But if I try it in another terminal window simultaneously I get the same IP, which is normal behavior.
What I am trying to achieve is to use a different config file in every new terminal window so as to get a different IP address in each terminal window.
Use the -i (--isolate) option or --user and --pass to get stream isolation.
From man 1 torsocks:
-u, --user
    Set username for the SOCKS5 authentication. Use for circuit isolation in Tor.
    Note that you MUST have a password set either by the command line,
    environment variable or configuration file (torsocks.conf(5)).
-p, --pass
    Set password for the SOCKS5 authentication. Use for circuit isolation in
    Tor. Note that you MUST have a username set either by the command line,
    environment variable or configuration file (torsocks.conf(5)).
-i, --isolate
    Automatic tor isolation. Set the username and password for
    the SOCKS5 authentication method to a PID/current time based value
    automatically. Username and Password MUST NOT be set.
Example:
torify --user foo --pass password curl https://example.com/
Then, using a different set of credentials will get you a different circuit and exit relay:
torify --user foo2 --pass password2 curl https://example.com/
You can achieve the same using Tor's socks proxy directly with curl, and specify a unique proxy username/password combination to get stream isolation as well.
Example:
curl -Lv --socks5-hostname 127.0.0.1:9050 \
--proxy-user foo:password \
https://example.com/
Then, using a different set of credentials will get you a different circuit and exit relay:
curl -Lv --socks5-hostname 127.0.0.1:9050 \
--proxy-user foo2:password2 \
https://example.com/
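The answer above shows one circuit per credential pair; what the question actually wants is one circuit per terminal window without a config file per window. The following is an added example, not code from the original post or from torsocks/Tor: it derives the SOCKS5 username/password from the shell's own PID, so every terminal automatically gets its own circuit. It assumes Tor listens on the default 127.0.0.1:9050 with the default IsolateSOCKSAuth behaviour and that curl is installed; the function names, the TOR_SESSION variable and the "iso-" prefix are choices made here, not anything Tor or torsocks defines.

```sh
#!/bin/sh
# Per-terminal Tor stream isolation using the SOCKS5 username/password
# trick from the answer above. Every interactive shell has its own PID ($$),
# so deriving the proxy credentials from it gives each terminal window its
# own circuit and (usually) its own exit relay, with no per-window config.
# Assumptions (not from the original post): Tor on 127.0.0.1:9050 with the
# default IsolateSOCKSAuth behaviour, and curl available.

# tor_isolation_user SESSION -> prints "user:pass" derived from SESSION.
# Tor ignores the actual values; it only needs them to differ per circuit.
tor_isolation_user() {
    session="$1"
    # cksum gives a stable, shell-safe token for the password field.
    digest=$(printf '%s' "$session" | cksum | cut -d' ' -f1)
    printf 'iso-%s:%s\n' "$session" "$digest"
}

# tor_curl [curl args...] -> curl through Tor, isolated to this shell's
# session. Set TOR_SESSION=name to share one circuit between commands,
# or to force a fresh circuit without opening a new terminal.
# --socks5-hostname makes Tor do the DNS lookup, so names never leak locally.
tor_curl() {
    creds=$(tor_isolation_user "${TOR_SESSION:-$$}")
    curl --socks5-hostname 127.0.0.1:9050 --proxy-user "$creds" "$@"
}

# tor_exit_ip -> prints the exit IP this session currently gets.
tor_exit_ip() {
    tor_curl -s https://icanhazip.com
}

# Usage: source this file in each terminal, then:
#   tor_exit_ip                      # this terminal's exit IP
#   TOR_SESSION=other tor_exit_ip    # a different circuit from the same shell
```

Two terminals that source this file get different exit IPs because their PIDs differ; the same terminal keeps its circuit until you change TOR_SESSION or Tor rotates the circuit itself. Use --socks5-hostname rather than --socks5 so hostname resolution also goes through Tor.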

Netcat: use a script to test ports are open from a given source-host to remote-host using netcat

I am trying to use a script to test whether ports are open from a given source host to a remote host using netcat.
So from a bastion, the script should ssh to a source host and from that source host run nc -v remote-host 1521.
Ideally I will want to test from the source host to multiple destinations.
As an example:
#!/bin/bash
kinit # prompt for my creds
ssh source-host nc -v -n remote-host 1521
When I run the script it prompts for creds and then I get the error:
nc: getaddrinfo: Name or service not known
I suspect it is the -n flag, but when I try without it, it hangs.
Any ideas what I am doing wrong and how I can achieve this in the simplest way?
Use an IP address for remote-host instead, or something like:
ssh source-host nc -v -n `dig +short remote-host` 80
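The answer's point is that -n disables name resolution on the source host, so the name has to be turned into an address before it is handed to nc. The script below, an added example that is not part of the original question or answer, does that for a whole list of destinations and ships one generated probe script over a single ssh session instead of one ssh per port. It assumes a destination file with "host port" per line, a netcat on the source host that understands -z and -w, and that kinit has already been run if ssh needs a Kerberos ticket; the file format, function names and timeout are choices made here.

```sh
#!/bin/sh
# Probe a list of host:port pairs from a source host reached over ssh, in a
# single ssh session (bastion -> source-host -> many destinations). Names are
# resolved here, before ssh, so the remote nc runs with -n and never stalls
# on DNS, which is what the answer above recommends.
# Assumptions (not from the original post): destinations are listed in a file
# as "host port" per line (blank lines and # comments skipped), the source
# host's nc supports -z and -w, and any kinit has already been done.

# resolve_host NAME -> prints one address for NAME; IP literals pass through
# untouched. Prints nothing if NAME cannot be resolved.
resolve_host() {
    case "$1" in
        *[!0-9.]*) getent hosts "$1" | awk 'NR==1 { print $1 }' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# gen_probe_script DEST_FILE -> prints a shell script to run on the source
# host. Each line reports "host port ip open|closed" (or "- unresolved").
gen_probe_script() {
    while read -r host port; do
        case "$host" in ''|'#'*) continue ;; esac
        if [ -z "$port" ]; then
            printf 'echo "%s - - missing port"\n' "$host"
            continue
        fi
        ip=$(resolve_host "$host") || ip=""
        if [ -z "$ip" ]; then
            printf 'echo "%s %s - unresolved"\n' "$host" "$port"
            continue
        fi
        # -z: connect only, send nothing; -w 5: give up after 5 seconds so a
        # filtered port cannot hang the whole run (the "it hangs" symptom).
        printf 'if nc -z -n -w 5 %s %s >/dev/null 2>&1; then echo "%s %s %s open"; else echo "%s %s %s closed"; fi\n' \
            "$ip" "$port" "$host" "$port" "$ip" "$host" "$port" "$ip"
    done < "$1"
}

# run_probes SOURCE_HOST DEST_FILE -> ships the generated script to
# SOURCE_HOST over one ssh session; -T because a batch job needs no tty.
run_probes() {
    gen_probe_script "$2" | ssh -T "$1" sh -s
}

# Usage:
#   printf 'db.example.internal 1521\n10.0.0.7 443\n' > dests.txt
#   run_probes source-host dests.txt
```

Resolving on the bastion means the result reflects the bastion's DNS view, not the source host's; if the two differ (split-horizon DNS), drop -n and resolve on the source host instead, accepting that a broken resolver there will show up as a timeout rather than a hang thanks to -w.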

How do I automate two layers of SSH plus a docker exec?

I do this multiple times a day. Any clues on automating it, so that I can run one command to get all the way to the logs? There are two ssh and then a docker exec.
➜ ~ ssh host
Last login: Tue Jun 27 15:44:11 2017 from 10.82.34.63
$ ssh another-host
Last login: Tue Jun 27 15:44:18 2017 from host
$ docker exec -it app-container bash
[root@app-container opt]# tail -f tomcat/logs/catalina.out
We can take advantage of ProxyCommand in OpenSSH for the first part (jumping through a proxy host to SSH to others). An example for your ~/.ssh/config would look like:
Host another-host
    ProxyCommand ssh -W %h:%p host
    HostName another-host
If all the hosts that you are proxying through happened to be in the same domain you could catch a bunch of them with a wildcard:
Host jumphost
    Hostname host.mydomain

Host *.mydomain
    ProxyCommand ssh -W %h:%p jumphost
For the second part, there is no need to exec into the container with a shell before using a command. Doing docker exec -it app-container tail -f tomcat/logs/catalina.out is perfectly valid.
Combined with the SSH configuration, you can allocate a pseudo TTY (-t) and then just do one command:
ssh -t another-host docker exec -it app-container tail -f tomcat/logs/catalina.out
This is at least a partial answer for ssh. Look at ssh usage output:
ssh (.... lots of options ....) [user@]hostname [command]
So, there's an optional command at the end of the argument list, after the required hostname. This indeed works as you would expect, you can "chain" another ssh command here that's executed remote:
ssh host ssh another-host
will do.
Note that your ssh will not allocate a tty in this case, so it will not enable you to have an interactive session. But of course, you can give this second ssh something to execute as well:
ssh host ssh another-host docker exec [...]
For the last part, I just looked up the docker documentation. The option -t requires a tty, so you should leave it out. Then you should be able to execute whatever you like in your container, as long as it's nothing interactive:
ssh host ssh another-host docker exec -i app-container tail -f tomcat/logs/catalina.out
Of course, for full automation, use SSH keys and have an SSH agent running with your key added.

OpenLDAP Local configuration for Application Authentication

I have installed OpenLDAP on a CentOS 7 server that is already running FreeIPA for user authentication, following http://www.tecmint.com/setup-ldap-server-and-configure-client-authentication
The purpose of OpenLDAP is for a Node.js application to manage users for the app; the application will be running on a separate server.
I can see that slapd is running (ps -ef | grep slapd):
ldap 1287 1 0 06:40 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
So I was trying to change the defaults using the ldapadd command, and I suspect I am connecting to the FreeIPA LDAP that is configured on the box (on some commands using -x -h it asks for a password which hasn't been set yet):
sudo ldapadd -H ldapi:/// -f ldaprootpasswd.ldif
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)
If I run an ldapsearch then I seem to be able to connect to openLDAP:
sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=co
I thought maybe I could connect externally using a Windows LDAP tool, but I get a connection error. I did confirm that the port is open and visible externally.
nmap -p 389 10.18.16.243
Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-28 11:25 GMT Daylight Time
Nmap scan report for 10.18.16.243
Host is up (0.00s latency).
PORT STATE SERVICE
389/tcp filtered ldap
MAC Address: BB:BB:BB:BB:BB:00 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 19.92 seconds
I tried using -h instead of -H:
sudo ldapadd -a -x -h localhost -p 389 -D cn=Manager,dc=my-domain,dc=com -W -f ldaprootpasswd.ldif
This prompts me for a password but I have only just installed openLDAP and not set a password yet (olcRootPW is in the ldif file I am trying to apply).
Does anyone have experience with OpenLDAP for user authentication or have any ideas what config needs changing to get this up and running?
The secret incantation was:
sudo ldapmodify -a -Q -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
Since "-a" forces adding new entries when using ldapmodify, this would be the same as above:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
"-Q" -- Enable SASL Quiet mode. Never prompt.
"-Y" -- Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
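The accepted answer works because SASL EXTERNAL over ldapi:/// lets slapd identify the caller by the Unix uid/gid of the socket peer, and the stock CentOS configuration grants that root identity manage access on cn=config, so no LDAP password is needed to set one. The script below is an added example, not from the original question or answer: it generates the LDIF that the question's ldaprootpasswd.ldif presumably contains, refuses a plaintext olcRootPW, and applies it with the answer's command. The database DN comes from the ldapsearch output above; the function names and the sample values are constructed here.

```sh
#!/bin/sh
# Set (or reset) olcRootPW on the hdb database the way the accepted answer
# does: bind as local root over ldapi:/// with SASL EXTERNAL, which slapd maps
# to the socket peer's uid/gid, so no LDAP password is needed yet.
# Added example, not from the original post. The DN olcDatabase={2}hdb,cn=config
# is the one the ldapsearch output above shows; everything else is assumed.

# rootpw_ldif DB_DN HASH -> prints the LDIF that sets olcRootPW on DB_DN.
# Pass a slappasswd hash, never a plaintext password: olcRootPW is readable by
# anyone who can read cn=config, and a plaintext value is stored verbatim.
rootpw_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1" "$2"
}

# hash_password SECRET -> prints an {SSHA} hash for SECRET (needs slappasswd).
hash_password() {
    slappasswd -h '{SSHA}' -s "$1"
}

# is_hashed VALUE -> succeeds if VALUE carries a {SCHEME} prefix.
is_hashed() {
    case "$1" in '{'[A-Z0-9]*'}'*) return 0 ;; *) return 1 ;; esac
}

# set_rootpw DB_DN HASH -> refuses plaintext, then applies the LDIF over
# ldapi:/// exactly as the answer does (-Q: no SASL prompts, -Y EXTERNAL:
# peer-credential auth). Must run as root for the EXTERNAL mapping to apply.
set_rootpw() {
    if ! is_hashed "$2"; then
        echo "refusing to store a plaintext olcRootPW" >&2
        return 1
    fi
    rootpw_ldif "$1" "$2" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Usage (as root; ldapi:/// must be in slapd's -h list, as the ps output shows):
#   set_rootpw 'olcDatabase={2}hdb,cn=config' "$(hash_password 'change-me')"
#   # then verify the simple bind the question was attempting:
#   ldapwhoami -x -H ldapi:/// -D 'cn=Manager,dc=my-domain,dc=com' -W
```

After the modify, the -x -D cn=Manager,... -W bind from the question will accept the new password. Note that this only sets the rootdn password for the olcDatabase={2}hdb database; the {0}config database keeps its own (unset) olcRootPW, so keep using -Y EXTERNAL over ldapi:/// for cn=config changes.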

Error message from iscsiadm while trying to connect to a iscsi drive

I am trying to access an iSCSI drive on a machine with IP 1.0.0.13 (hostname store.blue.com). The machine from which I am trying to create the connection has IP 1.0.0.11 (hostname loc1.blue.com). From loc1.blue.com I could discover the IQN but am not able to log in due to the error below.
[root@loc1 ~]# iscsiadm -m discovery -t sendtargets -p store.blue.com
1.0.0.13:3260,1 iqn2015-04.com.blue:store.target1
[root@loc1 ~]# iscsiadm -m node -targetname iqn2015-04.com.blue:store.target1 -p 1.0.0.13 -login
iscsiadm: can not recognize operation: 'gin'
At first I opened ports 3260 & 860 for iSCSI and tried the connection, but that didn't help. So I stopped the iptables service and disabled the firewall on both machines. Still I get the same error.
Please advise.
Your syntax is wrong - it's not -login, it's -l or --login (note the two dashes):
# iscsiadm -m node --targetname iqn2015-04.com.blue:store.target1 -p 1.0.0.13 --login
The syntax was incorrect. It should have been --targetname. The complete statement is as follows.
iscsiadm --mode node --targetname iqn2015-04.com.blue:store.target1 --portal store.blue.com:3260 --login