Monday, 21 September 2020

Debugging Kubernetes DNS

This is totally cribbed from here -> Debugging DNS Resolution


Create dnsutils.yaml file

cat << EOF > ~/dnsutils.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dnsutils
  namespace: default
spec:
  containers:
  - name: dnsutils
    image: gcr.io/kubernetes-e2e-test-images/dnsutils:1.3
    command:
      - sleep
      - "3600"
    imagePullPolicy: IfNotPresent
  restartPolicy: Always
EOF


Validate YAML

cat ~/dnsutils.yaml

apiVersion: v1
kind: Pod
metadata:
  name: dnsutils
  namespace: default
spec:
  containers:
  - name: dnsutils
    image: gcr.io/kubernetes-e2e-test-images/dnsutils:1.3
    command:
      - sleep
      - "3600"
    imagePullPolicy: IfNotPresent
  restartPolicy: Always


Apply to cluster

kubectl apply -f ~/dnsutils.yaml

pod/dnsutils created


Check running pods

kubectl get pods

NAME                                  READY   STATUS      RESTARTS   AGE
dnsutils                              1/1     Running     0          47s


Use dnsutils to look up the kubernetes service in the default namespace

kubectl exec -ti dnsutils -- nslookup kubernetes.default

Server: 10.96.0.10
Address: 10.96.0.10#53

Name: kubernetes.default.svc.cluster.local
Address: 10.96.0.1

The Server line is the ClusterIP of the cluster DNS service, i.e. the nameserver the pod was handed; the short name kubernetes.default was completed to kubernetes.default.svc.cluster.local through the pod's search list, and 10.96.0.1 is the ClusterIP of the kubernetes service that fronts the API server.


Use dnsutils to inspect /etc/resolv.conf

kubectl exec -ti dnsutils -- cat /etc/resolv.conf

nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
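The search list and ndots:5 together decide which names the pod really sends to 10.96.0.10, and that is why nslookup kubernetes.default came back as kubernetes.default.svc.cluster.local. As an added example, not part of the original post, the POSIX shell below reproduces the resolver's ordering: a name with fewer than ndots dots is tried with each search suffix first and as given last; a name with at least ndots dots is tried as given first; a trailing dot skips the search list entirely. It assumes glibc-style behaviour, and the resolv.conf text is constructed to match the one printed above.

```shell
#!/bin/sh
# Added example (not from the post): which names does the pod's resolver actually try?
# Constructed to match the resolv.conf printed from the dnsutils pod.
RESOLV_CONF='nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5'

# count_dots NAME -> number of '.' characters in NAME
count_dots() {
  printf '%s' "$1" | tr -cd '.' | wc -c | tr -d ' '
}

# query_order NAME [RESOLV_TEXT] -> fully qualified names tried, one per line, in order
query_order() {
  name=$1
  conf=${2:-$RESOLV_CONF}
  search=$(printf '%s\n' "$conf" | awk '$1 == "search" { $1 = ""; print substr($0, 2) }')
  ndots=$(printf '%s\n' "$conf" | awk '$1 == "options" {
    for (i = 2; i <= NF; i++) if ($i ~ /^ndots:/) { split($i, a, ":"); print a[2] } }')
  ndots=${ndots:-1}                        # resolver default when no ndots option is set

  case $name in
    *.) printf '%s\n' "$name"; return 0 ;;  # trailing dot: absolute, search list skipped
  esac

  if [ "$(count_dots "$name")" -ge "$ndots" ]; then
    printf '%s.\n' "$name"                 # enough dots: the name as given goes first ...
    for d in $search; do printf '%s.%s.\n' "$name" "$d"; done
  else
    for d in $search; do printf '%s.%s.\n' "$name" "$d"; done
    printf '%s.\n' "$name"                 # ... otherwise the search list goes first
  fi
}

# Walk through the two lookups made from the pod in the post.
for n in kubernetes.default www.google.com; do
  echo "== $n"
  query_order "$n"
done
```

For kubernetes.default the second candidate hits. For www.google.com the pod fires three queries that can only answer NXDOMAIN before the one that works, which is the usual source of "DNS is slow in Kubernetes" complaints; a trailing dot on external names, or a lower ndots in the pod's spec.dnsConfig.options, removes them.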


Use dnsutils to get help for the ping command

kubectl exec -ti dnsutils -- ping --help

BusyBox v1.26.2 (2018-05-30 13:53:45 GMT) multi-call binary.

Usage: ping [OPTIONS] HOST

Send ICMP ECHO_REQUEST packets to network hosts

        -4,-6           Force IP or IPv6 name resolution
        -c CNT          Send only CNT pings
        -s SIZE         Send SIZE data bytes in packets (default:56)
        -t TTL          Set TTL
        -I IFACE/IP     Use interface or IP address as source
        -W SEC          Seconds to wait for the first response (default:10)
                        (after all -c CNT packets are sent)
        -w SEC          Seconds until ping exits (default:infinite)
                        (can exit earlier with -c CNT)
        -q              Quiet, only display output at start
                        and when finished
        -p              Pattern to use for payload


Use dnsutils to ping google.com

kubectl exec -ti dnsutils -- ping www.google.com

PING www.google.com (172.217.2.100): 56 data bytes
64 bytes from 172.217.2.100: seq=0 ttl=114 time=1.216 ms
64 bytes from 172.217.2.100: seq=1 ttl=114 time=1.328 ms
64 bytes from 172.217.2.100: seq=2 ttl=114 time=1.344 ms
64 bytes from 172.217.2.100: seq=3 ttl=114 time=1.278 ms
64 bytes from 172.217.2.100: seq=4 ttl=114 time=1.483 ms
64 bytes from 172.217.2.100: seq=5 ttl=114 time=1.393 ms
64 bytes from 172.217.2.100: seq=6 ttl=114 time=1.227 ms
64 bytes from 172.217.2.100: seq=7 ttl=114 time=1.343 ms
^C
--- www.google.com ping statistics ---
8 packets transmitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 1.216/1.326/1.483 ms


Use dnsutils to send only 5 pings to google.com

kubectl exec -ti dnsutils -- ping -c 5 www.google.com

PING www.google.com (172.217.2.100): 56 data bytes
64 bytes from 172.217.2.100: seq=0 ttl=114 time=1.382 ms
64 bytes from 172.217.2.100: seq=1 ttl=114 time=1.480 ms
64 bytes from 172.217.2.100: seq=2 ttl=114 time=1.414 ms
64 bytes from 172.217.2.100: seq=3 ttl=114 time=1.326 ms
64 bytes from 172.217.2.100: seq=4 ttl=114 time=1.276 ms

--- www.google.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.276/1.375/1.480 ms


Use dnsutils to ping google.com with a Time To Live (TTL) of 5

Note that ping's -t sets the IP TTL in hops, not seconds: every packet is discarded by the fifth router along the path (the replies above came back with ttl=114, so the path is well over five hops long), and BusyBox ping does not report the ICMP Time Exceeded that the discarding router sends back, hence 100% loss. A short TTL is a hop-limit probe of the kind traceroute is built on, not a timeout; for timeouts use -w or -W.

kubectl exec -ti dnsutils -- ping -t 5 www.google.com

PING www.google.com (172.217.2.100): 56 data bytes
^C
--- www.google.com ping statistics ---
276 packets transmitted, 0 packets received, 100% packet loss


Use dnsutils to ping google.com with a 5-second deadline (-w SEC makes ping exit after SEC seconds however many replies arrived, which is why exactly five one-per-second probes went out; -W is the per-reply wait)

kubectl exec -ti dnsutils -- ping -w 5 www.google.com

PING www.google.com (172.217.2.100): 56 data bytes
64 bytes from 172.217.2.100: seq=0 ttl=114 time=1.153 ms
64 bytes from 172.217.2.100: seq=1 ttl=114 time=1.660 ms
64 bytes from 172.217.2.100: seq=2 ttl=114 time=1.312 ms
64 bytes from 172.217.2.100: seq=3 ttl=114 time=1.144 ms
64 bytes from 172.217.2.100: seq=4 ttl=114 time=1.289 ms

--- www.google.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.144/1.311/1.660 ms


Delete pod

kubectl delete pod dnsutils

pod "dnsutils" deleted


SSL and Ciphers on my Synology DiskStation

Whilst tinkering with my Synology DS-414 Network Attached Storage (NAS), I was trying/failing to SSH into the box: -

ssh -p 8822 admin@diskstation

I was seeing: -

Unable to negotiate with 192.168.1.17 port 8822: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Thankfully this is easy to mitigate - I merely needed to see what ciphers my Mac had: -

ssh -Q cipher

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

and then choose my favourite: -

ssh -p 8822 -c aes256-cbc admin@diskstation

admin@diskstation's password: 
admin@DiskStation:~$ 

Once I added my SSH public key: -

vi ~/.ssh/authorized_keys 

I was off to the races !
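The -c flag works, but typing it on every connection is how a legacy cipher ends up in a shell alias that then applies to every host. As an added example, not from the post, the POSIX shell below writes a Host-scoped stanza into an ssh_config file so that only the DiskStation gets aes256-cbc; every other host keeps OpenSSH's default list, which has excluded the CBC ciphers since OpenSSH 6.7 because of known weaknesses in SSH's CBC mode. It assumes OpenSSH 7.0 or later for the "Ciphers +..." append syntax; the alias, address, port and user are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the post): give one host a legacy cipher, nobody else.
set -eu

# legacy_host_block ALIAS HOSTNAME PORT USER CIPHER -> prints the ssh_config stanza
legacy_host_block() {
  cat <<EOF
Host $1
    HostName $2
    Port $3
    User $4
    # '+' appends to the default cipher list; a bare 'Ciphers $5' would replace it.
    Ciphers +$5
EOF
}

# add_legacy_host CONFIG_FILE ALIAS HOSTNAME PORT USER CIPHER -- idempotent append
add_legacy_host() {
  cfg=$1; shift
  [ -f "$cfg" ] || : > "$cfg"
  if grep -qxF "Host $1" "$cfg"; then
    echo "Host $1 already present in $cfg" >&2
    return 0
  fi
  { [ -s "$cfg" ] && echo; legacy_host_block "$@"; } >> "$cfg"
  chmod 600 "$cfg"          # ssh refuses world-readable config in some setups; keep it private
}

# Usage as a script: write the DiskStation entry into the caller's own config.
if [ $# -ge 5 ]; then
  add_legacy_host "${HOME}/.ssh/config" "$@"
fi
```

Check the result with ssh -G diskstation | grep -i ciphers, which prints the cipher list ssh will actually offer to that host; plain ssh diskstation then works without -c. The longer-term fix is on the NAS side: if the DSM version allows it, enable a CTR or GCM cipher there and drop the stanza.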

Playing with Overcast podcasting app on iOS 14

I'm not a total fan of the updated Podcasts app on iOS 14, in terms of the new UI/UX, specifically the melange of Listen Now / Up Next, Latest Episodes and Recently Played.

I may get used to it, and/or Apple may update it further in an iOS 14 fix pack ....

Meantime, I'm tinkering with Overcast, and needed to find a way to export my huge array of podcasts from the Apple app.

Now that we live in a post-iTunes world, the options to export the podcasts from the app appears to have gone ....

Happily, this post did the trick: -

Exporting podcasts from iOS app as OPML

providing a rather useful little Bash script.

TBH I had not realised that macOS keeps its podcasts in a SQLite database: -

ls -al ~/Library/Group\ Containers/243LU875E5.groups.com.apple.podcasts/Documents/

total 65824
drwxr-xr-x@ 7 hayd  staff       224 21 Sep 12:28 .
drwx------  5 hayd  staff       160  5 Nov  2019 ..
-rw-r--r--@ 1 hayd  staff  33411072 21 Sep 12:28 MTLibrary.sqlite
-rw-r--r--@ 1 hayd  staff     32768 21 Sep 08:51 MTLibrary.sqlite-shm
-rw-r--r--@ 1 hayd  staff     32768 21 Sep 12:28 MTLibrary.sqlite-wal
-rw-r--r--@ 1 hayd  staff      1045 21 Sep 11:19 play_queue_restoration.data
-rw-r--r--@ 1 hayd  staff       236 21 Sep 12:28 upnext_items.data

and the Bash script allowed me to export that to an Outline Processor Markup Language (OPML) file: -

<?xml version="1.0" encoding="utf-8"?>
<opml version="1.0">
  <head><title>Podcast Subscriptions</title></head>
  <body>
    <outline text="feeds">
<outline type="rss" text="The Perfect Scam" title="The Perfect Scam" xmlUrl="http://perfectscam.aarp.libsynpro.com/rss" htmlUrl="https://www.aarp.org/podcasts/the-perfect-scam" />
<outline type="rss" text="No Country For Young Women" title="No Country For Young Women" xmlUrl="https://podcasts.files.bbci.co.uk/p063zy3c.rss" htmlUrl="http://www.bbc.co.uk/programmes/p063zy3c" />
<outline type="rss" text="WSJ Tech News Briefing" title="WSJ Tech News Briefing" xmlUrl="https://video-api.wsj.com/podcast/rss/wsj/tech-news-briefing" htmlUrl="https://www.wsj.com/podcasts/tech-news-briefing" />
<outline type="rss" text="iMore show" title="iMore show" xmlUrl="http://feeds.feedburner.com/PhoneDifferentPodcast" htmlUrl="http://www.imore.com/imore-show" />
<outline type="rss" text="Wild Wild Tech" title="Wild Wild Tech" xmlUrl="https://feeds.megaphone.fm/wildwildtech" htmlUrl="https://www.studio71.com/us/podcasts/" />
<outline type="rss" text="The Food Chain" title="The Food Chain" xmlUrl="https://podcasts.files.bbci.co.uk/p028z2z0.rss" htmlUrl="http://www.bbc.co.uk/programmes/p028z2z0" />
<outline type="rss" text="PodCTL - Enterprise Kubernetes" title="PodCTL - Enterprise Kubernetes" xmlUrl="http://www.buzzsprout.com/110399.rss" htmlUrl="http://blog.openshift.com" />
<outline type="rss" text="Friday Night Comedy from BBC Radio 4" title="Friday Night Comedy from BBC Radio 4" xmlUrl="http://downloads.bbc.co.uk/podcasts/radio4/fricomedy/rss.xml" htmlUrl="http://www.bbc.co.uk/programmes/p02pc9pj" />
<outline type="rss" text="Daily Tech News Show" title="Daily Tech News Show" xmlUrl="http://feeds.feedburner.com/DailyTechNewsShow" htmlUrl="http://www.dailytechnewsshow.com/" />
<outline type="rss" text="MacBreak Weekly (Audio)" title="MacBreak Weekly (Audio)" xmlUrl="http://leoville.tv/podcasts/mbw.xml" htmlUrl="https://twit.tv/shows/macbreak-weekly" />
<outline type="rss" text="The Archers Omnibus" title="The Archers Omnibus" xmlUrl="http://downloads.bbc.co.uk/podcasts/radio4/archersomni/rss.xml" htmlUrl="http://www.bbc.co.uk/programmes/b006qnkc" />
<outline type="rss" text="Command Line Heroes" title="Command Line Heroes" xmlUrl="https://feeds.pacific-content.com/commandlineheroes" htmlUrl="https://www.redhat.com/en/command-line-heroes" />
<outline type="rss" text="Comedy of the Week" title="Comedy of the Week" xmlUrl="http://www.bbc.co.uk/programmes/p02pc9x6/episodes/downloads.rss" htmlUrl="http://www.bbc.co.uk/programmes/p02pc9x6" />
<outline type="rss" text="Newsjack" title="Newsjack" xmlUrl="http://www.bbc.co.uk/programmes/b00kvs8r/episodes/downloads.rss" htmlUrl="http://www.bbc.co.uk/programmes/b00kvs8r" />
<outline type="rss" text="Tech Tent" title="Tech Tent" xmlUrl="http://www.bbc.co.uk/programmes/p01plr2p/episodes/downloads.rss" htmlUrl="http://www.bbc.co.uk/programmes/p01plr2p" />
<outline type="rss" text="Kermode and Mayo&apos;s Film Review" title="Kermode and Mayo&apos;s Film Review" xmlUrl="http://www.bbc.co.uk/programmes/b00lvdrj/episodes/downloads.rss" htmlUrl="http://www.bbc.co.uk/programmes/b00lvdrj" />
<outline type="rss" text="World Wise Web" title="World Wise Web" xmlUrl="https://podcasts.files.bbci.co.uk/w13xttzz.rss" htmlUrl="http://www.bbc.co.uk/programmes/w13xttzz" />
<outline type="rss" text="Risky Business" title="Risky Business" xmlUrl="http://risky.biz/feeds/risky-business/" htmlUrl="https://risky.biz/" />
<outline type="rss" text="Techmeme Ride Home" title="Techmeme Ride Home" xmlUrl="http://feeds.feedburner.com/TechmemeRideHome" htmlUrl="https://www.ridehome.info/podcast/techmeme-ride-home/" />
<outline type="rss" text="The Missing Cryptoqueen" title="The Missing Cryptoqueen" xmlUrl="https://podcasts.files.bbci.co.uk/p07nkd84.rss" htmlUrl="http://www.bbc.co.uk/programmes/p07nkd84" />
<outline type="rss" text="The CyberWire Daily" title="The CyberWire Daily" xmlUrl="https://thecyberwire.libsyn.com/rss" htmlUrl="https://thecyberwire.com/podcasts/daily-podcast" />
<outline type="rss" text="From Our Own Correspondent Podcast" title="From Our Own Correspondent Podcast" xmlUrl="http://www.bbc.co.uk/programmes/p02nrtpm/episodes/downloads.rss" htmlUrl="http://www.bbc.co.uk/programmes/p02nrtpm" />
<outline type="rss" text="Rocket" title="Rocket" xmlUrl="https://www.relay.fm/rocket/feed" htmlUrl="https://www.relay.fm/rocket" />
<outline type="rss" text="Chit Chat Across the Pond" title="Chit Chat Across the Pond" xmlUrl="https://podfeet.com/ccatp/ccatp-rss.xml" htmlUrl="http://podfeet.com/ccatp" />
<outline type="rss" text="The Checklist by SecureMac" title="The Checklist by SecureMac" xmlUrl="https://checklist.libsyn.com/rss" htmlUrl="http://securemac.com/checklist" />
<outline type="rss" text="In A Few Minutes" title="In A Few Minutes" xmlUrl="https://inafewminutes.libsyn.com/rss" htmlUrl="https://macosken.squarespace.com/inafewminutes" />
<outline type="rss" text="Kubernetes Podcast from Google" title="Kubernetes Podcast from Google" xmlUrl="https://kubernetespodcast.com/feeds/audio.xml" htmlUrl="https://kubernetespodcast.com" />
<outline type="rss" text="API: Aiden and Peter Integration Podcast" title="API: Aiden and Peter Integration Podcast" xmlUrl="https://feed.pippa.io/public/shows/5e1704c99b6e1973086002e4" htmlUrl="https://shows.acast.com/api" />
<outline type="rss" text="The Curious Cases of Rutherford &amp; Fry" title="The Curious Cases of Rutherford &amp; Fry" xmlUrl="https://podcasts.files.bbci.co.uk/b07dx75g.rss" htmlUrl="http://www.bbc.co.uk/programmes/b07dx75g" />
<outline type="rss" text="Mac OS Ken" title="Mac OS Ken" xmlUrl="http://macosken.libsyn.com/rss" htmlUrl="http://macosken.com" />
<outline type="rss" text="NosillaCast Apple Podcast" title="NosillaCast Apple Podcast" xmlUrl="https://www.podfeet.com/NosillaCast/rss.xml" htmlUrl="https://www.podfeet.com" />
<outline type="rss" text="Moral Maze" title="Moral Maze" xmlUrl="https://podcasts.files.bbci.co.uk/b006qk11.rss" htmlUrl="http://www.bbc.co.uk/programmes/b006qk11" />
<outline type="rss" text="Know a Little More" title="Know a Little More" xmlUrl="https://rss.acast.com/know-a-little-more" htmlUrl="http://www.dailytechnewsshow.com/" />
<outline type="rss" text="Tech News Now" title="Tech News Now" xmlUrl="https://feeds.megaphone.fm/CBS3434812209" htmlUrl="https://www.cnet.com/" />
<outline type="rss" text="Darknet Diaries" title="Darknet Diaries" xmlUrl="https://feeds.megaphone.fm/darknetdiaries" htmlUrl="https://darknetdiaries.com/" />
<outline type="rss" text="Big Technology Podcast" title="Big Technology Podcast" xmlUrl="https://feeds.redcircle.com/ee25c9f0-5d25-41ac-8c9c-89bb28f32974" htmlUrl="https://redcircle.com/shows/big-technology-podcast" />
<outline type="rss" text="This Week in Tech (Audio)" title="This Week in Tech (Audio)" xmlUrl="http://leoville.tv/podcasts/twit.xml" htmlUrl="https://twit.tv/shows/this-week-in-tech" />
<outline type="rss" text="People Fixing the World" title="People Fixing the World" xmlUrl="https://podcasts.files.bbci.co.uk/p04grdbc.rss" htmlUrl="http://www.bbc.co.uk/programmes/p04grdbc" />
<outline type="rss" text="Smashing Security" title="Smashing Security" xmlUrl="https://feeds.fireside.fm/smashingsecurity/rss" htmlUrl="http://www.smashingsecurity.com" />
<outline type="rss" text="The News Quiz Extra" title="The News Quiz Extra" xmlUrl="https://podcasts.files.bbci.co.uk/b010m2mj.rss" htmlUrl="http://www.bbc.co.uk/programmes/b010m2mj" />
<outline type="rss" text="Security Now (Audio)" title="Security Now (Audio)" xmlUrl="http://leoville.tv/podcasts/sn.xml" htmlUrl="https://twit.tv/shows/security-now" />
<outline type="rss" text="The Infinite Monkey Cage" title="The Infinite Monkey Cage" xmlUrl="http://downloads.bbc.co.uk/podcasts/radio4/timc/rss.xml" htmlUrl="http://www.bbc.co.uk/programmes/b00snr0w" />
    </outline>
  </body>
</opml>

which I exported to iCloud Drive, and then opened it directly into Overcast using the Share button on my iPhone.

Nice!
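The post links to the Bash script rather than showing it. As an added example, and not the linked script, here is a small POSIX shell equivalent of the OPML-writing half: it reads tab-separated title, feed URL and web-page URL rows (for instance from sqlite3 -separator run against MTLibrary.sqlite; the table and column names are not on the page, so none are assumed here) and XML-escapes every value before emitting it. That escaping is the point: titles and URLs come from third-party feeds, and an unescaped quote or ampersand in an attribute would break the file or let a feed name inject markup, which is why the export above contains &apos; and &amp;.

```shell
#!/bin/sh
# Added example (not the post's script): OPML from tab-separated feed rows, with escaping.
set -eu

# xml_escape STRING -> STRING with the five XML special characters replaced by entities
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# opml_from_tsv < "title<TAB>feedUrl<TAB>webUrl" rows -> OPML document on stdout,
# in the same shape as the export shown in the post
opml_from_tsv() {
  printf '<?xml version="1.0" encoding="utf-8"?>\n<opml version="1.0">\n'
  printf '  <head><title>Podcast Subscriptions</title></head>\n  <body>\n    <outline text="feeds">\n'
  while IFS="$(printf '\t')" read -r title xmlurl htmlurl; do
    [ -n "$title" ] || continue               # skip blank rows
    t=$(xml_escape "$title"); x=$(xml_escape "$xmlurl"); h=$(xml_escape "$htmlurl")
    printf '<outline type="rss" text="%s" title="%s" xmlUrl="%s" htmlUrl="%s" />\n' "$t" "$t" "$x" "$h"
  done
  printf '    </outline>\n  </body>\n</opml>\n'
}

# Demo on two constructed rows taken from the post's export (titles need escaping).
printf '%s\t%s\t%s\n' \
  "Kermode and Mayo's Film Review" "http://www.bbc.co.uk/programmes/b00lvdrj/episodes/downloads.rss" "http://www.bbc.co.uk/programmes/b00lvdrj" \
  "The Curious Cases of Rutherford & Fry" "https://podcasts.files.bbci.co.uk/b07dx75g.rss" "http://www.bbc.co.uk/programmes/b07dx75g" \
  | opml_from_tsv
```

Redirect the output to a file in iCloud Drive and the rest of the workflow in the post applies unchanged.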

Saturday, 12 September 2020

TIL checking your routing tables on Ubuntu

So, in the past, I've used tools such as ifconfig and route and netstat, but TIL something new ...

I was trying to debug a networking problem with a container running on one of my Secure Service Container (SSC) instances on an IBM z14.

Whilst the container was creating, networking was more like notworking.

Via direct access to the SSC, I could open a shell inside the running container, and poke about within its internals.

Whilst it had an IP address, as per:

ip address

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether e2:3d:3e:bb:d0:81 brd ff:ff:ff:ff:ff:ff
    inet 172.16.148.4/24 brd 172.16.148.255 scope global eth0
       valid_lft forever preferred_lft forever


and a DNS configuration: -

cat /etc/resolv.conf

# Generated by RunQ
nameserver 8.8.8.8

I wasn't able to ping the outside world, whether 8.8.8.8 or anything else.

I suspected the routing table, but didn't have netstat or route installed and, of course, without internet access, could not install them using apt-get update && apt-get install -y.

So what to do ?

At this point, I discovered ip route which goes alongside ip address as per this: -

ip route

default via 172.16.148.1 dev eth0
172.16.148.0/24 dev eth0 proto kernel scope link src 172.16.148.4

This (a) showed the routing table and (b), more importantly, showed me what I was doing wrong ....

This was the WRONG subnet.

Without going down a rabbit hole, the Docker network that the SSC was using was WRONG :-(

Once I sorted this out, all was well ....

And ip route is now in the kitbag......
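As an added example, not part of the post: the kernel picks a route by longest prefix match, and a packet to a gateway it cannot reach on-link goes nowhere. The POSIX shell below reproduces that selection against ip route output, so you can see which line (and which next hop) a destination such as 8.8.8.8 would use, and whether the chosen gateway is actually on a directly connected subnet. The routing table is constructed to match the one printed in the post; on a live box, ip route get 8.8.8.8 asks the kernel the same question.

```shell
#!/bin/sh
# Added example (not from the post): emulate route selection over `ip route` output.
# Constructed to match the container's table shown in the post.
ROUTES='default via 172.16.148.1 dev eth0
172.16.148.0/24 dev eth0 proto kernel scope link src 172.16.148.4'

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask LEN -> netmask for a prefix length, as an integer
mask() {
  [ "$1" -eq 0 ] && echo 0 || echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# route_lookup DEST [ROUTES_TEXT] -> the matching route line with the longest prefix
route_lookup() {
  dest=$(ip2int "$1"); routes=${2:-$ROUTES}
  best=-1; bestline=
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    prefix=${line%% *}                       # "default" or "N.N.N.N/LEN"
    if [ "$prefix" = default ]; then
      net=0; len=0
    else
      net=$(ip2int "${prefix%/*}"); len=${prefix#*/}
      [ "$len" = "$prefix" ] && len=32       # bare host address, no /LEN
    fi
    m=$(mask "$len")
    if [ $(( dest & m )) -eq $(( net & m )) ] && [ "$len" -gt "$best" ]; then
      best=$len; bestline=$line
    fi
  done <<EOF
$routes
EOF
  [ -n "$bestline" ] && printf '%s\n' "$bestline"
}

# next_hop DEST [ROUTES_TEXT] -> gateway address, or "onlink" for a connected route
next_hop() {
  r=$(route_lookup "$@") || return 1
  case $r in
    *" via "*) gw=${r#* via }; printf '%s\n' "${gw%% *}" ;;
    *) printf 'onlink\n' ;;
  esac
}

# gateway_onlink DEST [ROUTES_TEXT]: succeeds when DEST's next hop is directly reachable
gateway_onlink() {
  gw=$(next_hop "$@") || return 1
  [ "$gw" = onlink ] && return 0
  r=$(route_lookup "$gw" "${2:-$ROUTES}") || return 1
  case $r in *" via "*) return 1 ;; *) return 0 ;; esac
}

for d in 8.8.8.8 172.16.148.9; do
  printf '%-14s -> %s (next hop: %s)\n' "$d" "$(route_lookup "$d")" "$(next_hop "$d")"
done
```

Run against the real table, gateway_onlink is the first thing to check when an interface has an address and a nameserver but nothing beyond the link answers: a default gateway that sits on a subnet the host has no connected route for, as with the wrong Docker network in the post, fails this test.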

Thursday, 10 September 2020

More fun with adding users on Ubuntu

Following my earlier post: -

TIL passwd on Ubuntu no longer supports the stdin option 

I found a better way ...

groupadd wasadmins

adduser --quiet --disabled-password --ingroup wasadmins --shell /bin/bash --home /home/wasadmin --gecos "wasadmin" wasadmin

echo "wasadmin:passw0rd!" | chpasswd

The main benefit of this is that, unlike useradd, the adduser command sets up the new user's profile, by copying from /etc/skel etc.

Nice!

MainframerZ - On YouTube

We had a great event last week, and it's now available on YouTube: -

REPLAY: MainframerZ Meetup 2nd September 2020

Just planning the next event ...

Keep an eye on the MainframerZ page ...

TIL passwd on Ubuntu no longer supports the stdin option

In the past, I've used the passwd command in scripts to set a default password for new Linux accounts, as per this example: -

groupadd wasadmins

useradd -g wasadmins -d /home/wasadmin wasadmin

echo "passw0rd" | passwd wasadmin --stdin

( remembering that this is for NON-PROD boxes ONLY )

However, things appear to have changed, as that didn't work on Ubuntu 18.04

lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.4 LTS
Release:        18.04
Codename:       bionic

as the --stdin option is not supported, as per this: -

echo "passw0rd" | passwd wasadmin --stdin

passwd: unrecognized option '--stdin'
Usage: passwd [options] [LOGIN]

Options:
  -a, --all                     report password status on all accounts
  -d, --delete                  delete the password for the named account
  -e, --expire                  force expire the password for the named account
  -h, --help                    display this help message and exit
  -k, --keep-tokens             change password only if expired
  -i, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --lock                    lock the password of the named account
  -n, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -q, --quiet                   quiet mode
  -r, --repository REPOSITORY   change password in REPOSITORY repository
  -R, --root CHROOT_DIR         directory to chroot into
  -S, --status                  report password status on the named account
  -u, --unlock                  unlock the password of the named account
  -w, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
  -x, --maxdays MAX_DAYS        set maximum number of days before password
                                change to MAX_DAYS

Thankfully the internet provided an alternate: -


specifically this: -

echo "wasadmin:passw0rd!" | chpasswd

which worked a treat.

I also had to add the -m switch to my useradd command to force it to create a home directory, so we now have this: -

groupadd wasadmins
useradd -g wasadmins -d /home/wasadmin -m wasadmin
echo "wasadmin:passw0rd!" | chpasswd

which does the job nicely!
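Two caveats a practitioner will want alongside both of the account-creation posts above (this one and "More fun with adding users on Ubuntu"). First, passwd --stdin is a Red Hat addition to passwd and has never been in the shadow-utils passwd that Debian and Ubuntu ship, so chpasswd is the portable route. Second, echo "wasadmin:passw0rd!" | chpasswd leaves the password in plain text in the script and in shell history, and in an interactive bash session the ! inside double quotes is subject to history expansion. As an added example, not the post's code, the POSIX shell below wraps the same adduser and chpasswd steps but takes a pre-hashed password via an environment variable and hands it to chpasswd -e, so no plaintext touches the script; it then expires the password so the bootstrap secret is changed at first login. Assumptions: Debian/Ubuntu adduser(8), the shadow-suite chpasswd(8) and passwd(1), and a hash produced beforehand with openssl passwd -6 or mkpasswd -m sha-512.

```shell
#!/bin/sh
# Added example (not from the post): non-interactive Ubuntu account creation without
# a plaintext password on the command line.  Run as root with PASSWORD_HASH set, e.g.
#   PASSWORD_HASH="$(openssl passwd -6)" sudo -E sh provision.sh wasadmin wasadmins
set -eu

# valid_name NAME: approximates adduser.conf's default NAME_REGEX (lower-case start,
# then lower-case letters, digits, '-' or '_', optional trailing '$' for machine accounts)
valid_name() {
  printf '%s\n' "$1" | grep -Eq '^[a-z][-a-z0-9_]*\$?$'
}

# valid_hash HASH: accept only SHA-512 ($6$) or yescrypt ($y$) crypt strings, so a
# plaintext password cannot be passed through and stored verbatim by chpasswd -e
valid_hash() {
  case $1 in
    '$6$'*'$'?*|'$y$'*'$'?*) return 0 ;;
    *) return 1 ;;
  esac
}

# provision_user NAME GROUP [HOME] -- idempotent: reuses an existing group or user
provision_user() {
  name=$1 group=$2 home=${3:-/home/$1}
  valid_name "$name"  || { echo "bad user name: $name" >&2; return 2; }
  valid_name "$group" || { echo "bad group name: $group" >&2; return 2; }
  valid_hash "${PASSWORD_HASH:-}" || { echo "PASSWORD_HASH must be a \$6\$ or \$y\$ crypt hash" >&2; return 2; }
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }

  getent group "$group" >/dev/null || groupadd "$group"
  if ! id "$name" >/dev/null 2>&1; then
    # adduser copies /etc/skel into the new home, which bare useradd does not.
    adduser --quiet --disabled-password --ingroup "$group" \
            --shell /bin/bash --home "$home" --gecos "$name" "$name"
  fi
  # -e: the password is already hashed; chpasswd stores it as given.
  printf '%s:%s\n' "$name" "$PASSWORD_HASH" | chpasswd -e
  # Force a change at first login so the bootstrap password is short-lived.
  passwd -e "$name" >/dev/null
}

if [ $# -ge 2 ]; then
  provision_user "$@"
fi
```

The hash check is deliberately strict: a value that is not a $6$ or $y$ crypt string is refused rather than silently written as the literal password, which is what chpasswd -e would otherwise do with it.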
