Wednesday, 30 December 2015

Logging and the haproxy docker container

So you have built an image from your own haproxy.cfg, or run your configuration file in the stock haproxy image, as described at https://hub.docker.com/_/haproxy/.

To recap, the steps are:

1. Create a haproxy.cfg file in a local directory.
2. Create a Dockerfile in the same directory containing:

FROM haproxy:1.5
COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg

3. Build the image with the above Dockerfile using:

docker build -t my-haproxy .

4. Check that your image with your configuration is in your image list using:

docker images

5. Run your image:

docker run -d --name my-running-haproxy my-haproxy

Note that you could also bind-mount the configuration file into the container with -v instead of baking it into the image; mount it read-only, since nothing in the container needs to write it.

But once it is running, how do you know what the problem is if something goes wrong? How do you access the logs?

HAProxy does not write log files itself; it only sends log messages to syslog, either a UDP syslog server or a local Unix socket. So one option is to build our own image with a syslog daemon configured inside it, which is more than we want to maintain. (Newer HAProxy releases, from 1.9 on, can also log straight to stdout, where the Docker log driver picks the lines up; the 1.5 image used here cannot.)

Or we could do this:


1. Change the configuration in haproxy.cfg to log to the host's syslog socket, /dev/log, and rebuild your image:

global
    log /dev/log local2

The defaults or frontend sections still need "log global" to use that target, and "option httplog" if you want the per-request HTTP log lines rather than bare TCP connection logs.


2. Run the container with the host's /dev/log socket bind-mounted into it, using -v /dev/log:/dev/log, like this:

docker run -d --name my-running-haproxy -v /dev/log:/dev/log my-haproxy

3. Watch the messages arrive in your "host" syslog (/var/log/syslog on Debian/Ubuntu; on systemd hosts /dev/log is a symlink to the journal's socket, so they show up in journalctl too, and rsyslog must not be filtering the local2 facility away). Two caveats: the haproxy process in the container needs write access to the socket (it is normally mode 0666), and anything running in that container can now write arbitrary lines into the host's syslog, so sharing /dev/log is a trust decision and not just plumbing.
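Once the lines are landing in /var/log/syslog, the useful part of each HAProxy HTTP log entry is the status code, the timers and the four-character termination state, which says what ended the session and in which phase it was. This added example (my code, not code from the post or from the haproxy image) parses those fields out of syslog lines and summarises the failures. It assumes the default "option httplog" format and the usual rsyslog prefix, and the log lines embedded in it are constructed samples rather than a real capture; the names HTTPLOG, parse, triage and explain are my own.

```python
"""Triage HAProxy httplog lines pulled out of the host's /var/log/syslog.

Added example, not part of the original post. Assumes the default
"option httplog" format behind the usual rsyslog prefix
("Dec 30 12:00:01 host haproxy[1234]: ..."). The sample lines at the
bottom are constructed, not a real capture.
"""
import re
import sys
from collections import Counter

# One httplog line after the syslog prefix. Fields, in order:
# client:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes
# req_cookie resp_cookie termination_state act/fe/be/srv/retries srv_q/be_q
# {optional captured headers} "request"
HTTPLOG = re.compile(
    r'haproxy\[\d+\]: (?P<client>[0-9a-fA-F.:]+):(?P<cport>\d+) '
    r'\[(?P<accept>[^\]]+)\] (?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>\+?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\+?\d+) (?P<reqcookie>\S+) (?P<respcookie>\S+) '
    r'(?P<term>\S{4}) (?P<conns>\S+) (?P<queues>\S+)(?: \{[^}]*\})* "(?P<request>[^"]*)"'
)

# termination_state, first two characters (HAProxy manual, section 8.5):
# what ended the session, and which phase it was in when that happened.
CAUSE = {
    "-": "normal end",
    "C": "client aborted",
    "S": "server aborted or unreachable",
    "P": "proxy blocked it (deny rule or invalid request/response)",
    "R": "proxy ran out of resources",
    "I": "proxy internal error",
    "D": "killed because the server went down",
    "U": "killed on a backup server because an active server came up",
    "K": "killed by an admin",
    "c": "client-side timeout",
    "s": "server-side timeout",
}
PHASE = {
    "-": "normal end",
    "R": "waiting for the client's request",
    "Q": "queued waiting for a server slot",
    "C": "connecting to the server",
    "H": "waiting for response headers from the server",
    "D": "transferring data",
    "L": "sending the last data to the client",
    "T": "tarpitted",
}


def explain(term):
    """Human-readable (cause, phase) for a termination_state such as 'sH--'."""
    return (CAUSE.get(term[0], "unknown cause " + term[0]),
            PHASE.get(term[1], "unknown phase " + term[1]))


def parse(lines):
    """Yield one dict per HAProxy httplog line; every other syslog line is skipped."""
    for line in lines:
        m = HTTPLOG.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["tt"] = int(d["tt"].lstrip("+"))  # total time in ms; '+' means logged early
        yield d


def triage(lines, slow_ms=5000):
    """Count abnormal sessions by (status, cause+phase); list requests slower than slow_ms."""
    problems = Counter()
    slow = []
    for d in parse(lines):
        if d["status"] >= 500 or d["term"][:2] != "--":
            problems[(d["status"], d["term"][:2])] += 1
        if d["tt"] >= slow_ms:
            slow.append((d["client"], d["request"], d["tt"]))
    return problems, slow


# Constructed sample of what /var/log/syslog might hold after the /dev/log mount.
# The CRON line shows that unrelated syslog entries are ignored.
SAMPLE_SYSLOG = """\
Dec 30 12:00:01 host haproxy[1234]: 10.0.0.5:51234 [30/Dec/2015:12:00:01.123] http-in webservers/web1 2/0/1/12/15 200 1532 - - ---- 3/3/0/1/0 0/0 "GET /index.html HTTP/1.1"
Dec 30 12:00:02 host haproxy[1234]: 10.0.0.7:51235 [30/Dec/2015:12:00:02.456] http-in webservers/web2 1/0/0/-1/30001 504 194 - - sH-- 2/2/0/0/0 0/0 "GET /api/slow HTTP/1.1"
Dec 30 12:00:03 host haproxy[1234]: 10.0.0.9:51236 [30/Dec/2015:12:00:03.789] http-in webservers/<NOSRV> 0/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 "GET /health HTTP/1.1"
Dec 30 12:00:04 host CRON[99]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    # Read syslog from stdin when piped, otherwise run on the constructed sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_SYSLOG.splitlines()
    problems, slow = triage(lines)
    for (status, term), n in sorted(problems.items()):
        cause, phase = explain(term)
        print("%dx HTTP %d state %s: %s, while %s" % (n, status, term, cause, phase))
    for client, request, tt in slow:
        print("slow: %s %r took %d ms" % (client, request, tt))
```

On the host, grep 'haproxy\[' /var/log/syslog | python3 triage.py gives the summary; on the sample it reports one 504 with "server-side timeout, while waiting for response headers" (a backend that stopped answering) and one 503 with "server aborted or unreachable, while connecting" (no server available at all), which is exactly the distinction you want before you start restarting things.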

References:
1. https://hub.docker.com/_/haproxy/
2. https://github.com/dockerfile/haproxy/issues/3

Saturday, 5 December 2015

TightVNC Client, SSH, TightVNC Server


I have to make some notes on this before I forget. This post attempts to be that note.

Perhaps you have a Virtual Private Server (VPS) or just a server out there somewhere in the ether. You want to share or view a remote desktop, but you want a secure tunnel for those bits to travel down. In this scenario your server is Linux (some variant, let's not start a religious war about it) and you installed tightvncserver. In addition you have SSH running. On your client, let's say Windows, you have PuTTY and the TightVNC Viewer.

For those with OCD here is a recap:

Server:
1. TightVNC Server
2. SSH

Client:
1. PuTTY
2. TightVNC Viewer

The only note I will make about tightvncserver is that it should listen on loopback (127.0.0.1) only, since this is not a service you want exposed: VNC authentication is a weak 8-character challenge/response and the session itself is unencrypted, so the SSH tunnel is doing all of the real work. Two options do this. '-localhost' makes the VNC listener (port 5900 + display number, so 5901 for :1) bind to loopback only, and '-nolisten tcp' stops the X server behind it from also listening on TCP port 6000 + display number for X11 clients. Use both, and the only way in is through the SSH tunnel.

In /etc/init.d/tightvncserver you would have a start line such as:

su $USER -c '/usr/bin/tightvncserver -nolisten tcp -localhost :1'

On the client follow the instructions at: http://www.penguintutor.com/linux/tightvnc

In a nutshell, you: 

1. In PuTTY create a session with the hostname (or IP) and port of the SSH service running on your remote Linux box.
2. Select Connection->SSH->Tunnels, enter source port 5901 and destination localhost:5901, and click Add. The destination is resolved at the server end of the tunnel, which is why localhost there means the VNC listener bound to 127.0.0.1 on the server.
3. Go back to Session in the left pane, type a name under Saved Sessions and click Save.
4. Click Open; an SSH window to your target opens where you can log in.
5. Once logged in, the tunnel is in place for as long as that window stays open.
6. Run TightVNC Viewer and connect to 'localhost:1' (display :1, i.e. port 5901 on your own machine, which PuTTY forwards through the tunnel).

Thursday, 26 February 2015

The End of Democracy in Canada

Prime Minister Harper,

Like you I was born and raised in this country. My Father, a veteran who volunteered to serve his country overseas, taught me the importance of democracy and of standing up to bullies and tyranny that refuse to allow differences of opinion in a public forum. He felt it so important that he volunteered to fight against it, leaving the comfort of home and family and travelling overseas into the unknown.

Whether you understand it or not, you are taking our country down a very dangerous path. Treating those who believe in protecting some of the last unmolested parts of our wilderness against those who would risk it for commercial profit as criminals and security threats will turn us into a police state. This is important as your government has weakened oversight and protections against large scale destruction of environment and property.

If we do this then what other "thought crimes" will be added to the list? Will it be arguing against cartel bank fees? Will it be disagreeing with new government policy? Will it be voting for a different party other than the one governing? Will it be posting this blog entry?

We may be at the beginning, but you do not know where it will end.

My Father has since passed away and sadly in a way I am glad he has. I would hate for him to learn that the risk he took to defend our democracy has been thrown away by this legislation.

Wednesday, 7 January 2015

Paying for Skills

Recently I had a lengthy phone interview with a hiring manager from a major telecommunications player. It was an excellent phone conversation on the technical aspects, on the work, and on the team. I was quite interested in the team and the work which pertained to penetration testing and ethical hacking.

That was until I learned how much they paid. For this highly skilled technical team the pay was insulting.

What has happened to IT salaries in Canada? Has the Temporary Foreign Slavery program enabled successful and profitable corporations to decrease IT salaries across Canada by staffing IT positions with falsely skilled labour (by falsely I mean labour that does not have the skills it advertises, usually brought into the country on the pretense that locally skilled individuals could not be found)?

The job we discussed would return me to a salary base I made 13 years ago.

What made this situation all the more absurd and insulting was the fact that the hiring manager spent 15 minutes of that interview waxing on about how successful that company is, how much money they were making on their various product lines. Then they close by offering garbage wages.

The final cherry on top was the statement of holiday entitlement, where the number quoted included statutory holidays.

Really? I mean REALLY?!

How do companies expect to attract, and more importantly, retain qualified skilled individuals especially security professionals?

Sunday, 4 January 2015

Lubuntu, VNC, and SSH

This is a post for remembering. Not that it will be memorable but because I want to remember it. I now have a VPS, and never having played with these things in the past I need to remember what I did to access it. 

Initially I have SSH. So I can access the command line, so I am starting with bearskins and stone knives. What I want is to access a remote desktop securely. This probably means VNC/Vino/other(?) over SSH or SSL.

What are my choices? A "recent" post in the thread at [4] gives me the following options:
  • X11 forwarding
  • VNC
  • RDP
  • NX
The end result of this post was to run VNC over SSH. The box already has an SSH server running, so it is just a matter of tunnelling to the VNC server, and making sure nobody else can reach that VNC server. I may change my mind later but for now it is VNC over SSH.

1. Is VNC installed on this machine?

dpkg --get-selections | grep vnc

Nope.

2. Is there even a desktop installed?
OK, I assumed that when I said Lubuntu I would get a desktop, but no, they installed LTS. D'oh!

$ lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:    14.04
Codename:    trusty


3. Let's install a desktop, otherwise there is little point in this.

sudo apt-get install lubuntu-desktop
sudo apt-get install lxde

(The second command is belt and braces; lubuntu-desktop already pulls in the LXDE components.)
 
This will take a while.
 
4. Install the VNC server.

sudo apt-get install tightvncserver

5. Create a startup script for tightvncserver.
Create a file called tightvncserver in /etc/init.d. Ensure it is owned by root and has the right permissions (not group or world writable, since init scripts run as root at boot) using:

sudo chown root:root /etc/init.d/tightvncserver
sudo chmod 0755 /etc/init.d/tightvncserver

I downloaded a version from
http://www.penguintutor.com/otherfiles/tightvncserver-init.txt 
and modified it.
 
Here is a copy of my script.
 

#!/bin/sh
### BEGIN INIT INFO
# Provides:          tightvncserver
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start/stop tightvncserver
### END INIT INFO

# More details see:
# http://www.penguintutor.com/linux/tightvnc

### Customize this entry
# Set the USER variable to the name of the user to start tightvncserver under.
# This should not be root!!!
USER=''
### End customization required

# Refuse to run unconfigured, or as root: a root-owned X session reachable
# through any tunnel is a bad idea.
if [ -z "$USER" ] || [ "$USER" = "root" ]; then
    echo "Set USER in $0 to a non-root account" >&2
    exit 1
fi

# Run from the user's home directory so ~/.vnc/ (password file, xstartup) is found.
eval cd ~"$USER"

case "$1" in
  start)
    # -localhost forces tightvncserver to listen on loopback only (127.0.0.1:5901
    # for display :1); -nolisten tcp stops the X server behind it from listening
    # on TCP 6001 as well. Both are for SSH tunnel usage.
    echo "Starting TightVNC server for $USER"
    su "$USER" -c '/usr/bin/tightvncserver -nolisten tcp -localhost :1'
    ;;
  stop)
    # Stop only this user's display :1 rather than pkill-ing every Xtightvnc on the box.
    su "$USER" -c '/usr/bin/tightvncserver -kill :1'
    echo "TightVNC server stopped"
    ;;
  *)
    echo "Usage: /etc/init.d/tightvncserver {start|stop}"
    exit 1
    ;;
esac
exit 0

You can test the script with the start and stop arguments. We add it to the default runlevels using:

sudo update-rc.d tightvncserver defaults 

Notice that in the script I have it listening only on localhost. This is important since I do not want VNC listening on an external port addressable from the Internet. Instead  I will create a SSH tunnel to connect to it from whatever client I will be connecting from.

Setting up the tunnel with PuTTY is a case of filling in the Tunnels section (Connection->SSH->Tunnels) with source port 5901 and destination localhost:5901; the destination is resolved on the server, so it points at the loopback listener there. In addition I set the normal session parameters: the target IP of the server running SSH and the port it is listening on. Once I connect with PuTTY the tunnel is open.

Then I can connect to the server with the TightVNC Viewer using localhost:5901 (or localhost:1, which means the same display).
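Both VNC posts on this page (this one and the "TightVNC Client, SSH, TightVNC Server" note above) hinge on -localhost actually having taken effect, and on the server not running as root. This added check is my code, not from either post or from TightVNC: it reads the kernel's socket table in the format of /proc/net/tcp and /proc/net/tcp6 (hex address:port, state 0A = LISTEN, uid column) and flags any VNC or X11 listener for display :1 that is bound to a non-loopback address or owned by uid 0. The two tables inside it are constructed samples, and the names audit, listeners and parse_addr are mine.

```python
"""Verify that the VNC display is reachable only through the SSH tunnel.

Added example, not code from the original posts. Parses the kernel socket
table (format of /proc/net/tcp and /proc/net/tcp6) and reports listeners on
the VNC port (5900+display) or the X server port (6000+display) that are
bound to a non-loopback address, or that belong to root.
"""
import socket
import struct

VNC_BASE, X11_BASE = 5900, 6000
TCP_LISTEN = 0x0A  # value of the 'st' column for a listening socket


def parse_addr(field):
    """Decode 'HEXADDR:HEXPORT'. The address is little-endian 32-bit words on x86."""
    hexaddr, hexport = field.split(":")
    raw = bytes.fromhex(hexaddr)
    if len(raw) == 4:
        ip = socket.inet_ntop(socket.AF_INET, raw[::-1])
    else:  # IPv6: four 32-bit words, each byte-swapped on little-endian hosts
        words = struct.unpack("<4I", raw)
        ip = socket.inet_ntop(socket.AF_INET6, struct.pack(">4I", *words))
    return ip, int(hexport, 16)


def is_loopback(ip):
    return ip.startswith("127.") or ip in ("::1", "::ffff:127.0.0.1")


def listeners(table_text):
    """[(ip, port, uid)] for every LISTEN row; header rows (from either file) are skipped."""
    found = []
    for line in table_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "sl":
            continue
        if int(f[3], 16) != TCP_LISTEN:
            continue
        ip, port = parse_addr(f[1])
        found.append((ip, port, int(f[7])))
    return found


def audit(table_text, display=1):
    """Findings for one display: non-loopback listeners, and a server running as root."""
    ports = {VNC_BASE + display, X11_BASE + display}
    findings = []
    for ip, port, uid in listeners(table_text):
        if port not in ports:
            continue
        if not is_loopback(ip):
            findings.append("port %d listens on %s, reachable without the SSH tunnel" % (port, ip))
        if uid == 0:
            findings.append("port %d is owned by root; run tightvncserver as an unprivileged user" % port)
    return findings


# Constructed: display :1 started with -localhost -nolisten tcp as uid 1000,
# plus sshd on 0.0.0.0:22 and an IPv6 loopback row from /proc/net/tcp6.
GOOD = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:170D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:170D 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
"""
# Constructed: the same display started without -localhost or -nolisten tcp, as root.
BAD = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:170D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1771 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    table = ""
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                table += fh.read()
        except FileNotFoundError:
            pass
    for line in audit(table) or ["display :1 listens on loopback only, as a non-root user"]:
        print(line)
```

Run it on the VPS after /etc/init.d/tightvncserver start; ss -ltnp gives the same answer interactively, but this version is scriptable for a cron or monitoring check. On the BAD sample it reports 5901 and 6001 both open on 0.0.0.0 and both root-owned, which is what the init script above exists to prevent.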

References:
1. Installing a lightweight LXDE+VNC desktop environment on your Ubuntu/Debian VPS, http://www.vandorp.biz/2012/01/installing-a-lightweight-lxdevnc-desktop-environment-on-your-ubuntudebian-vps/#.VKmmO2MkTzc
2. Setting up an SSH tunnel with PuTTY, http://realprogrammers.com/how_to/set_up_an_ssh_tunnel_with_putty.html
3. Remote GUI access to a Linux computer using Tightvnc, http://www.penguintutor.com/linux/tightvnc
4. Lubuntu/Remote Desktop Problems, http://ubuntuforums.org/showthread.php?t=2231787



Thursday, 1 January 2015

Virtualbox without GUI

So I have a multi-core server on which I have installed Ubuntu Server. Currently, after updating, it stands at "Ubuntu 14.04.1 LTS".

$ lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:    14.04
Codename:    trusty

Ubuntu Server is GUI-less, so if I want to run VirtualBox then I am going to be using VBoxManage to create and modify VMs and VBoxHeadless to run them. Connecting to the VM will be done using some form of remote desktop protocol. One note before starting: none of the VBoxManage commands below need root. VirtualBox keeps VMs per user, so the sudo in front of them makes every VM root's and runs the guest as root; a dedicated unprivileged user in the vboxusers group is the safer home for them.

First lets create the VM.

sudo VBoxManage createvm --name "plex" --register 

I am calling this plex because I want to run a plex server within this VM. Eventually. Hopefully.

Now that I have a VM construct I can now define its capabilities.

sudo VBoxManage modifyvm "plex"  --memory 1024 --acpi on --boot1 dvd --nic1 bridged --bridgeadapter1 br0

So in the above command I am giving the VM 1024 MB of RAM (--memory is in megabytes, not KB). The --acpi on turns on ACPI support on the virtual "motherboard"; I/O APIC, the advanced programmable interrupt controller, is a separate --ioapic switch (see http://www.virtualbox.org/manual/ch03.html#settings-motherboard). The --boot1 specifies the first device in the boot order, and I have set this to DVD for now. The --nic1 indicates the type of networking available to the VM, which in this case is bridged, because I want to be able to see this VM from my local network (note that bridged puts the VM directly on the LAN, exposed to whatever the LAN can reach). Finally, --bridgeadapter1 names the host interface to bridge onto, br0, which I had set up earlier in /etc/network/interfaces.

Since my VM will need a hard disk, let's create one now using "createhd". I will keep the drive name the same as my VM and start it at a size of roughly 10 GB (--size is in MB).

sudo VBoxManage createhd --filename plex.vdi --size 10000

Next we will define a storage controller which will allow us to connect the virtual disk to the virtual machine.
 
sudo VBoxManage storagectl "plex" --name "IDE Controller" --add ide

And once the controller is created we can attach the drive, and other things, to the VM. First let's attach the new virtual drive.

sudo VBoxManage storageattach plex --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium plex.vdi

And next let's attach an ISO image of the install media of the OS I want to install in this VM.

sudo VBoxManage storageattach plex --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium /home/someuser/isos/linuxmint-17.1-cinnamon-64bit.iso

So now we should be ready to go. We start this VM with VBoxHeadless as:

sudo VBoxHeadless --startvm plex

This is where the fun begins, because we need to connect to this VM with some remote mechanism. Future posts will cover those "travails".

In the meantime there are some useful commands to see what it is we created.

What IP is it running on? (This guest property is only populated once the Guest Additions are installed and running inside the VM; until then the command prints "No value set!".)

sudo VBoxManage guestproperty get plex "/VirtualBox/GuestInfo/Net/0/V4/IP"

General information?

sudo VBoxManage showvminfo plex