| Notes ping ICMP | 2026/04/03 23:01 | Jean-Baptiste |
Notes ping ICMP
rootless
Allowing ping
Most distributions do not allow non-root users to send ICMP Echo Request packets (aka ping) by default.
To allow running ping without root, create /etc/sysctl.d/99-rootless.conf with the following content:
/etc/sysctl.d/99-rootless.conf
net.ipv4.ping_group_range = 0 2147483647
Then run the following command to reload the new sysctl configuration:
sudo sysctl --system
Source: https://rootlesscontaine.rs/getting-started/common/sysctl/
Notes SOPS
See:
See also:
- GPG
- HashiCorp Vault
```shell
# age-keygen -o ~/.config/sops/age/keys.txt
$ age-keygen -o "${HOME}"/private-key
Public key: age1p6svvezfcg3jz33d0ynd27n3j72p7tjrqxdkssmwsvph7ct3y44qxvv8s7
```

```shell
source <(sops completion bash)
# SOPS variables
export SOPS_AGE_KEY_FILE="${HOME}/private-key"
# Ansible variables
export ANSIBLE_SOPS_AGE_KEYFILE="$SOPS_AGE_KEY_FILE"
# Public key
export SOPS_AGE_RECIPIENTS=age1p6svvezfcg3jz33d0ynd27n3j72p7tjrqxdkssmwsvph7ct3y44qxvv8s7
```

With GPG

```shell
# Get the fingerprint of our GPG key
gpg --list-keys
# Export the fingerprint
export SOPS_PGP_FP="<YOUR FINGERPRINT>"
```
Usage
sops --encrypt --encrypted-regex '^(password|apiKey)$' --in-place ./secrets.yaml
```shell
sops -e secrets.yaml > secrets.enc.yaml
sops -d secrets.enc.yaml > secrets.decrypted.yaml # Not recommended (plaintext written to disk)
sops edit secrets.yaml
sops set plop.yaml '["user1"]["password"]' '"P@ssw0rd"'
sops unset plop.yaml '["user1"]'
sops encrypt --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml
sops decrypt mynewtestfile.yaml
sops -d mynewtestfile.yaml
```

```shell
# Encrypt from stdin (JSON)
echo '{"secret": "from-stdin"}' | sops encrypt --input-type json --output-type json /dev/stdin
# Write the result to a file
sops decrypt secrets.enc.yaml --output secrets.yaml
```
Rotate / rekey
sops rotate -i example.yaml
Rekey
sops updatekeys -y secrets.enc.yaml
SOPS looks for keys.txt in $XDG_CONFIG_HOME/sops/age/keys.txt and falls back to $HOME/.config/sops/age/keys.txt if $XDG_CONFIG_HOME isn't set.
Cloud
sops -e --kms arn:aws:kms:us-west-2:123456789012:key/your-key-id secrets.yaml > secrets.enc.yaml
Config
.sops.yaml
```yaml
# creation rules are evaluated sequentially, the first match wins
creation_rules:
  # upon creation of a file that matches the pattern *.dev.yaml,
  # KMS set A as well as PGP and age is used
  - path_regex: \.dev\.yaml$
    age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla'
  # prod files use KMS set B in the PROD IAM, PGP and age
  - path_regex: \.prod\.yaml$
    age: 'age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla'
```

```yaml
creation_rules:
  # Prod: only encrypt the secrets
  - path_regex: 'prod/.*'
    age: age1abc...
    encrypted_regex: '^(password|token|secret|key)$'
  # Dev: encrypt everything
  - path_regex: '.*'
    age: age1abc...
```

```shell
# Inject the secrets as environment variables
sops exec-env secrets.enc.env 'echo DB_PASSWORD=$DB_PASSWORD'
# DB_PASSWORD=super-secret-123
```
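Added example (not from this blog nor from the SOPS project): a small Python check that a file produced under the `encrypted_regex` rule above really was encrypted as intended, so a plaintext secret or an unexpected age recipient is caught before the file is committed. It works on SOPS's JSON output (the YAML variant would need a YAML parser); the sample document, its `ENC[...]` values and the `age1rogue` recipient are constructed.

```python
"""Check that a SOPS-encrypted JSON file honours its encrypted_regex policy and is keyed
only to the expected age recipients (added example, not the blog's or SOPS's own code)."""
import json
import re

ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:\w+\]$")
RECIPIENT = "age1p6svvezfcg3jz33d0ynd27n3j72p7tjrqxdkssmwsvph7ct3y44qxvv8s7"
# Constructed stand-in for the output of `sops -e --encrypted-regex ...`; the ENC[...] values are fake.
SAMPLE_ENCRYPTED = json.dumps({
    "db": {"host": "db.internal", "user": "app",
           "password": "ENC[AES256_GCM,data:c2VjcmV0,iv:aXY=,tag:dGFn,type:str]"},
    "api": {"url": "https://example.invalid",
            "token": "ENC[AES256_GCM,data:dG9r,iv:aXY=,tag:dGFn,type:str]"},
    "sops": {"age": [{"recipient": RECIPIENT, "enc": "<age stanza>"}],
             "mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]",
             "encrypted_regex": "^(password|token|secret|key)$", "version": "3.9.0"}})

def find_violations(node, key_re, path="", enc=False):
    """A key matching key_re puts its whole subtree in 'must be ENC[...]' state; every other leaf must be plaintext."""
    out = []
    if isinstance(node, dict):
        for k, v in node.items():
            if not path and k == "sops":  # the metadata block itself is never encrypted
                continue
            child = f"{path}.{k}" if path else k
            out += find_violations(v, key_re, child, enc or bool(key_re.search(k)))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            out += find_violations(v, key_re, f"{path}[{i}]", enc)
    else:
        is_enc = isinstance(node, str) and bool(ENC_VALUE.match(node))
        if enc and not is_enc:
            out.append((path, "plaintext where encrypted_regex requires ciphertext"))
        elif is_enc and not enc:
            out.append((path, "ciphertext under a key the regex does not cover"))
    return out

def check_sops_json(text, expected_recipients):
    """Return all findings for one SOPS JSON document as (path, problem); empty list means it passes."""
    doc = json.loads(text)
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        return [("sops", "no sops metadata: file was never encrypted")]
    findings = [] if meta.get("mac") else [("sops.mac", "missing MAC")]
    regex = meta.get("encrypted_regex") or "."  # no stored regex means every key was encrypted
    findings += find_violations(doc, re.compile(regex), enc=False)
    have = {r.get("recipient") for r in meta.get("age", [])}
    findings += [("sops.age", f"missing recipient {r}") for r in sorted(set(expected_recipients) - have)]
    findings += [("sops.age", f"unexpected recipient {r}") for r in sorted(have - set(expected_recipients))]
    return findings
```

Run it as a pre-commit hook over every `*.enc.json` with the recipient list taken from `.sops.yaml`; a non-empty result should block the commit.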
Notes podman secret
https://www.redhat.com/en/blog/podman-kubernetes-secrets
Creation

```shell
# Read the value without echoing it, store it as a podman secret, then remove the temporary file
read -r -s PLOP ; echo "$PLOP" > secret.txt
podman secret create secret1 secret.txt ; rm secret.txt
```
File example
podman run --rm --secret source=secret1,type=mount,uid=1001,gid=1001,mode=440 docker.io/library/alpine cat /run/secrets/secret1
Environment variable example
podman run --rm --secret secret1,type=env,target=ENVSE docker.io/library/alpine sh -c 'echo $ENVSE'
Notes ansible podman
```shell
ansible-doc -t connection -l | grep podman
ansible-doc -t inventory -l | grep podman
```
play.yml
```yaml
#! /usr/bin/ansible-playbook
---
- name: test
  hosts: all
  connection: containers.podman.podman
  tasks:
    - name: Test
      command: ls -l
```
inventory.yml
```yaml
plugin: containers.podman.podman_containers
include_stopped: false
#label_selectors:
#  role: api
connection_plugin: containers.podman.podman
```
./plop.yml -i inventory.yml
The container must have python3 installed.
