OpenLDAP Migration

LDAP PKGSRC Cutover

# Compress ldap directory on WEB01.PROD
tar -C /home/webadmin/pkg/var/openldap -czvf /tmp/kimconnect-com.gz kimconnect-com
chmod 777 /tmp/kimconnect-com.gz
 
# Make a backup of ldap files
cd /home/webadmin/pkg/var/openldap
dateString=$(date +”%m_%d_%Y”)
mv kimconnect-com kimconnect-com_$dateString
 
# Pull files from WEB01.PROD while logon to WEB02.PROD as webadmin
scp -P{port-number} webadmin@WEB01:/tmp/kimconnect-com.gz /home/webadmin/pkg/var/openldap
 
# Untar
cd /home/webadmin/pkg/var/openldap && tar xvzf kimconnect-com.gz

Implement Docker & Portainer

Prerequisites:
OS: base image Centos 7

Create network bridge from command line:

# Network: x.x.x.128/26 Range: x.x.x.128-190 broadcast: x.x.x.191
docker network create -d macvlan \
–subnet=192.168.30.0/24 \
–gateway=192.168.30.254 \
–ip-range=192.168.30.128/26 \
-o parent=enp3s0f0 \
qa-vlan
 
# show result
docker network ls

Install Portainer:

# Create persistent volume
docker volume create portainer_data
 
# check created volumes
ls /var/lib/docker/volumes/
 
# Generate certs (optional and assuming no HAProxy)
openssl genrsa -out portainer.key 2048
openssl ecparam -genkey -name secp384r1 -out portainer.key
openssl req -new -x509 -sha256 -key portainer.key -out portainer.crt -days 3650
 
# Input these values
#Country Name (2 letter code) [XX]:US
#State or Province Name (full name):California
#Locality Name (eg, city) [Default City]:Long Beach
#Organization Name (eg, company) [Default Company Ltd]:kimconnect
#Organizational Unit Name (eg, section):Cloud
#Common Name (eg, your name or your server’s hostname)]:server01.kimconnect.com
#Email Address:admin@kimconnect.com
 
# move files into /local-certs
mkdir /var/lib/docker/volumes/portainer_data/certs
mv ~/portainer.crt /var/lib/docker/volumes/portainer_data/certs
mv ~/portainer.key /var/lib/docker/volumes/portainer_data/certs
 
# SELinux configuration – Enable IP forwarding
sysctl net.ipv4.conf.all.forwarding=1
sudo iptables -P FORWARD ACCEPT
 
# Run portainer with priviledged mode, SSL, persistent volume and company logo
docker run -d –privileged -p 9000:9000 –name portainer –restart always -v /var/lib/docker/volumes/portainer_data/certs:/certs -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/portainer_data portainer/portainer –ssl –sslcert /certs/portainer.crt –sslkey /certs/portainer.key –logo “http://kimconnect.com/uploads/logo.png”
 
# Configure firewall to open port 9000
# First discover the active zone of current machine
firewall-cmd –get-active-zones
# Open port 9000 to the public zone and reload firewalld
firewall-cmd –zone=public –add-port=9000/tcp –permanent
firewall-cmd –reload

Access Portainer via browser at the host’s IP

Manage Endpoints:

LDAP Integration:
Assuming that LDAP is already available in the environment. Portainer can be configured to use LDAP authentication as follows:
{Settings} > {Authentication} > {LDAP}
LDAP Server: LDAP-SERVER:PORTNUMBER
Reader DN: cn=root,dc=kimconnect,dc=com
Password: standard
Use TLS: true
Skip verification: true
base DN: dc=kimconnect,dc=com
Username attribute = uid
Filter: (objectClass=*)
Group Base DN: ou=people,dc=kimconnect,dc=com
Group Membership: memberOf
Group Filter: (objectClass=*)
Click {Test Connection} > {Save settings} > use a different browser to test login with an LDAP account to verify access

Dockerfile (Sample)

  • vim ~/Dockerfile
FROM ubuntu:16.04
 
RUN apt-get update && apt-get install -y curl vim ntp ntpdate cvs rsync git wget openssh-server tar iputils-ping tzdata
ENV TZ=America/Los_Angeles
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN mkdir /var/run/sshd
RUN echo ‘root:[insert-password-here]’ | chpasswd
RUN sed -i ‘s/PermitRootLogin prohibit-password/PermitRootLogin yes/’ /etc/ssh/sshd_config
 
# SSH login fix
RUN sed ‘s@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g’ -i /etc/pam.d/sshd
 
ENV NOTVISIBLE “in users profile”
RUN echo “export VISIBLE=now” >> /etc/profile
 
EXPOSE 22
CMD [“/usr/sbin/sshd”, “-D”]
  • docker build -t ubuntu16_baseline .

Working with Repos

# Change into webadmin as that account has been given sudo access as required to build images
su – webadmin
 
# Check to see if ssh key is available
cat .ssh/id_rsa.pub
 
# If not, generate ssh key
ssh-keygen -t rsa
 
# view the ssh key
cat .ssh/id_rsa.pub
 
# Copy the output (key string) and paste it into
# Gitlab profile keys: https://git.kimconnect.com/profile/keys
# Prepare projects folder and clone the git repo
mkdir /home/webadmin/projects
cd /home/webadmin/projects
git init
git clone git@git.kimconnect.com:docker/app1.git
cd app1/
# build the image
sudo docker build -t app1 .
 
# After image named “app1” is built
# Access Portainer UI to create a container with that image

Working with Docker via CLI

Creating a Baseline Image of Ubuntu 16
# Download Ubuntu 16.04 LTS
[root@docker]# docker pull ubuntu:16.04
 
# Check Image_ID of Ubuntu
[root@docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu 16.04 b9e15a5d1e1a 29 hours ago 115MB
portainer/portainer latest 6827bc26a94d 5 weeks ago 58.5MB
alpine latest 11cd0b38bc3c 2 months ago 4.41MB
 
# Clone the Ubuntu image by initiate its Image_ID to obtain a new instance_ID
[root@docker]# docker run -i -t b9e15a5d1e1a /bin/bash
root@77fc4f0f4910:/# exit
exit
 
[root@docker ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS        PORTS        NAMES
77fc4f0f4910 b9e15a5d1e1a “/bin/bash” 2 minutes ago Exited (0) About a minute ago    dreamy_fermi
172eae6e386a portainer/portainer “/portainer –ssl –…” 33 minutes ago Up 33 minutes    0.0.0.0:9000->9000/tcp portainer
de82f3306700 alpine:latest “/bin/sh” 2 hours ago Up 31 minutes            alpine-test
 
# Modify cloned Ubuntu container and merge changes to the downloaded Ubuntu 16.04 image
docker start 77fc4f0f4910
docker attach 77fc4f0f4910
apt-get update
apt-get upgrade
apt-get install -y curl vim ntp ntpdate cvs rsync git wget openssh-server tar
ntpdate -u -s 0.north-america.pool.ntp.org 1.north-america.pool.ntp.org 2.north-america.pool.ntp.org 3.north-america.pool.ntp.org
# Set root password
root@77fc4f0f4910:/# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
# enable ssh-root-login
sed -i ‘s/prohibit-password/yes/’ /etc/ssh/sshd_config
service ssh reload
# Setup OpenSSH to autostart (this settting doesn’t persist)
systemctl enable ssh
exit
docker commit 77fc4f0f4910 ubuntu:16.04
 
# Check to verify that the modified Ubuntu image has been committed
[root@docker ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu 16.04 0a7e4f1e1fdc 19 minutes ago 304MB
ubuntu <none> b9e15a5d1e1a 29 hours ago 115MB
portainer/portainer latest 6827bc26a94d 5 weeks ago 58.5MB
alpine latest 11cd0b38bc3c 2 months ago 4.41MB
Frequently Used Commands
# Check running containers
docker container ls -a
 
# How to stop an running VM
docker stop container_name
 
# Remove a container
docker container rm container_id
 
# Connect portainer to qa-vlan
docker network connect qa-vlan container_name
 
# Run a test container based on Alpine Linux (very small)
docker run -itd \
–network qa-vlan \
–name alpine-test \
alpine:latest
 
# Inspect alpine-test and look for “Networking” node to copy its MAC address
docker container inspect alpine-test
 
# Discover what the container’s interfaces are showing and check its route
docker exec alpine-test ip addr show eth0
docker exec alpine-test ip route

Working with Portainer GUI

Home > click on an Endpoint > {Containers} > {Add container} > input these variables:
Create container:
Name = remote_automation
Image = ubuntu16_baseline:latest
Always pull the image = true
Publish all exposed ports = true
Enable access control = false
 
Command:
Console = Interactive & TTY
 
Volumes:
volume = remote_automation (writeable)
 
Network:
network = qa-vlan
Hostname = remote-automation
Domain Name = kimconnect.com
IPv4 Address = 192.168.30.101
 
Restart Policy:
Restart policy = always

Set Memory & CPU limits:

Finally, click {Create container} > wait a few seconds to be redirected back to the Containers List

Old Notes:

# Install docker
yum install -y docker
systemctl enable docker
systemctl start docker
 
# Run docker
# docker volume create portainer_data
docker run –privileged –restart always –name=portainer -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer
 
# Check running containers
docker ps -a
 
# Hide container
docker run -d –label owner=acme portainer
 
# Change container name
docker rename CONTAINER NEW_NAME
 
#### Delete all Containers and Images ####
#### Warning: this is irreversible ####
#!/bin/bash
# Delete all containers
docker rm $(docker ps -a -q)
# Delete all images
docker rmi $(docker images -q)
# Create persistent volume
 
# Remove all unused networks
docker system prune -f
 
# Remove all unused volumes
docker system prune –volumes -f
 
# Remove all stopped containers
docker container prune -f
 
# Remove all unused images
docker image prune -f
 
# Stop and remove all containers
docker container stop $(docker container ls -aq)
docker container rm $(docker container ls -aq)
 
docker volume create portainer_data
 
cd /var/lib/docker/volumes/
mkdir portainer_data
# mkdir cert && cd cert
 
 
 
# Run portainer
docker run -d –privileged -p 9000:9000 –name=portainer –restart always -v portainer_data:/portainer_data portainer/portainer -v /var/run/docker.sock:/var/run/docker.sock
 
docker run -d –privileged -p 9000:9000 –name=portainer –restart always -v portainer_data:/portainer_data portainer/portainer -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/docker/volumes/portainer_data/certs:/certs
 
# Set the Admin username and password:
 
# Troubleshooting firewall – use as needed
iptables -A INPUT -i docker0 -j ACCEPT
iptables -I INPUT 4 -p tcp -m state –state NEW -m tcp –dport 9000 -j ACCEPT
iptables -A INPUT -p tcp -m tcp –dport 9000 -j ACCEPT
 
# Enable IP forwarding
sysctl net.ipv4.conf.all.forwarding=1
iptables -P FORWARD ACCEPT
 
firewall-cmd –permanent –zone=public –add-port=9000/tcp
 
# Test SSL connection
openssl s_client -connect kimconnect.com:443 -prexit | less
 
# Stop/remove all running containers
docker stop $(docker ps -aq)
docker rm $(docker ps -aq)
 
# Remove all images
docker rmi $(docker images -q)
 
# Check logs
docker logs –tail 50 –follow –timestamps CONTAINERNAME
 
#################################################### OLD INFO #################################################
 
#### Install Docker ####
# Cleanup yum
yum clean all
# List repos
yum repolist
# enable Extras
vim /etc/yum.repos.d/CentOS_Base.repo
# Add enabled=1 into the Extras repos section
yum -y update
# Install prerequisites
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
# Add Docker repo
yum-config-manager –add-repo https://download.docker.com/linux/centos/docker-ce.repo
# Install Docker-CE
yum -y install docker-ce docker-ce-cli containerd.io
# Start Docker
systemctl start docker
 
# “Mount Drive” driver
curl -fsSL https://raw.githubusercontent.com/CWSpear/local-persist/master/scripts/install.sh | sudo bash
 
#### General SSL cert and key ####
openssl x509 -outform der -in /etc/letsencrypt/live/kimconnect.com/fullchain.pem
-out /etc/letsencrypt/live/kimconnect.com/kimconnect.crt
openssl pkey -in /etc/letsencrypt/live/kimconnect.com/privkey.pem -out /etc/letsencrypt/live/kimconnect.com/kimconnect.key
 
#### Install Portainer ####
docker volume create portainer_data
ls /var/lib/docker/volumes
mkdir /var/lib/docker/volumes/portainer_data/certs
 
 
docker run -d –privileged -p 9000:9000 –name portainer –restart always -v “/var/run/docker.sock:/var/run/docker.sock” -v ~/local-certs:/certs -v portainer_data:/data portainer/portainer:latest –ssl –sslcert /etc/letsencrypt/live/kimconnect.com/kimconnect.crt –sslkey /etc/letsencrypt/live/kimconnect.com/kimconnect.key
 
docker run -d –privileged -p 9000:9000 –name portainer –restart always -v “/var/run/docker.sock:/var/run/docker.sock” -v portainer_data:/data portainer/portainer:latest  -l owner=acme
 
 
# With Logo
$ docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer –logo “https://www.docker.com/sites/all/themes/docker/assets/images/brand-full.svg”
 
# mypassword is plaintext here
$ echo -n mypassword > /etc/letsencrypt/live/kimconnect.com/portainer_password
$ docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/portainer_password:/tmp/portainer_password portainer/portainer –admin-password-file /tmp/portainer_password
 
# Firewall stuff
firewall-cmd  –permanent –zone=public –add-port=9000/tcp
firewall-cmd  –permanent –zone=public –add-port=80/tcp
firewall-cmd  –permanent –zone=public –add-port=443/tcp
 
firewall-cmd –reload
 
 
firewall-cmd –permanent –zone=trusted –change-interface=docker0
firewall-cmd –permanent –zone=trusted –add-port=8000/tcp
firewall-cmd –reload
 
# Remove container by name
docker container ls
docker stop {instance_ID}
docker rm /portainer
 
# Resolve maxconnections issue
–ulimit nofile=65536:65536
 
# OR run at command
ulimit -u unlimited
 
### Optional Section ###
# optional: add a user into the Docker group
usermod -aG docker kimconnect
# optional: remove and cleanup docker
yum remove docker-ce
rm -rf /var/lib/docker
# Remove older versions of Docker
yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine

Restricting Access to Directory in Windows Shares

– Only allow Admins write access to root folders
– NTFS permissions at root directory for the “Everyone” group: Traverse Folder, List Folder
– Enable access based enumeration on the share to allow users to view ONLY folders in which they can access
– Create and apply security domain local groups with explicit permission semantics such as:
— FILESERVER1_Global_Accounting_ReadOnly or SHAREPOINT_Accounting_ReadOnly
FILESERVER1 _Global_Accounting_Modify
FILESERVER1 _Global_Accounting_FullControl
– Create a Global Deny group and add all disabled accounts into it
– Apply Global Deny group to root directory with Deny Full control permissions

Installing Team Foundation Server

1. Installation
a. All in one
b. Separate TFS and database (advanced)

2. Setup reporting
a. Warehouse database
b. Analysis servicesc. Reports

3. Configure Extension for Sharepoint
TFS Administration Console > {servername} > Application Tier > Extensions for Sharepoint Products > Grant Access > URL for TFS = http://{servername}:8080/tfs , Sharepoint web application = http://{sharepointservername}/ > OK

4. Configure TFS Build Service
Run tfs_server.exe > Configuration Center opens > select Configure Team Foundation Build Service > Start Wizard > Next > Select Team Project Collection = browse toward the correct Team Project Collection > Next > Build Services opens, User the default setting > Next > Run Team Foundation Service as User a user account = {Domain_Name}\{Service_Account} > Next > Next > Configure

5. Create Team Project Collection
TFS Administration Console > Team Project Collections > DefaultCollection would appear > Click Create Collection > give new collection a name do describe its purpose > fill in Description > Next > Enter the data tier where Team Project Collection will reside > Create a new database for this collection > Next > click Next to accept the predefined Reports configuration > Next > Verify > Complete > Close

match

– The match() method retrieves the matches when matching a string against a regular expression. Returns a Array of matches or null of none is found.
– Format: str.match(regex)
– Same as RegExp.exe() if regexp doesn’t have the /g flag
– Example:
var regex = /(.)\1+/g;
var str = “aab”;
console.log(str.match(regex));

logs [ ‘aa’, index: 0, input: ‘aab’ ]

Symantec Antivirus 10.1: How to delete a Quarantined file

  Double-click on the SAV shield icon in your Notification Area (lower right-hand corner of screen).
From the View menu choose Quarantine.
Select the file you want to delete.
NOTE: If in.mbx is listed Do NOT delete this file. This is your Eudora inbox. Contact Computer Support.
To select all files, click on the first file. Scroll to the end of the Quarantined files list. Hold down the SHIFT key and click on the last file.
Click the Delete button in the toolbar (looks like a red x).
In the take action dialog box, click Start Delete.
When status has changed to succeeded click Close button.
If more documents appear in the list, repeat steps 3 - 6 until finished.
When done, click Close. Click Exit to exit SAV.