blog

Problem: Nagios/Centreon NSClient++ plugin gets a 403

Getting response 403 Your not allowed from NSClient++ running on Windows over the REST API but curl ok

Problem

https://community.icinga.com/t/getting-response-403-your-not-allowed-from-nsclient-running-on-windows-over-the-rest-api/4005

$ /usr/lib/centreon/plugins/centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='192.168.1.161' --port='8443' --proto='https' --legacy-password='centreon' --insecure --command=check_cpu --arg="warning=time = '5m' and load > 80" --arg="critical=time = '5m' and load > 90" --arg=show-all
UNKNOWN: 403 Forbidden

While curl works:

curl -k -u centreon:centreon https://192.168.1.161:8443/api/v1/scripts/ext?all=true

Analysis: building an HTTPS MITM with socat

Strip HTTPS by creating an HTTP MITM (HTTPS to HTTP):
socat TCP-LISTEN:8080,fork OPENSSL:10.12.50.161:8443,verify=0
Create the certificates for the HTTPS encapsulation (HTTP to HTTPS)

See:

FQDN=localhost

#openssl genrsa -out ${FQDN}.key 2048
#openssl req -new -key ${FQDN}.key -x509 -subj "/CN=${FQDN}" -out ${FQDN}.cert
#cat ${FQDN}.key ${FQDN}.cert > ${FQDN}.pem

# Or
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=${FQDN}" -keyout ${FQDN}.key -out ${FQDN}.crt
# socat's cert= option expects key and certificate in a single PEM file (${FQDN}.pem used below)
cat ${FQDN}.key ${FQDN}.crt > ${FQDN}.pem

Results

Test OK
curl -k -u centreon:centreon https://127.0.0.1:1443/api/v1/scripts/ext?all=true
[root@centreon-central ~]# PORT=1443 FQDN=localhost
[root@centreon-central ~]# socat -v -ls OPENSSL-LISTEN:${PORT},reuseaddr,cert=${FQDN}.pem,verify=0,crlf,fork TCP4:localhost:8080
> 2025/04/04 12:27:38.353691  length=146 from=0 to=145
GET /api/v1/scripts/ext?all=true HTTP/1.1
Host: 127.0.0.1:1443
Authorization: Basic Y2VudHJlb246Y2VudHJlb24=
User-Agent: curl/7.61.1
Accept: */*

< 2025/04/04 12:27:38.378346  length=1681 from=0 to=1680
HTTP/1.1 200\r\r
Content-Length: 1544\r\r
Set-cookie: token=yapnxrpMCARCr4zdGc81tBDKsMlaZTXC; path=/\r\r
Set-cookie: uid=centreon; path=/\r\r
\r\r
Test NOK
/usr/lib/centreon/plugins/centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='127.0.0.1' --port='1443' --proto='https' --legacy-password='centreon' --insecure --command=check_cpu --arg="warning=time = '5m' and load > 80" --arg="critical=time = '5m' and load > 90" --arg=show-all
UNKNOWN: 403 Forbidden
[root@centreon-central ~]# socat -v -ls OPENSSL-LISTEN:${PORT},reuseaddr,cert=${FQDN}.pem,verify=0,crlf,fork TCP4:localhost:8080
> 2025/04/04 12:34:59.797373  length=315 from=0 to=314
GET /query/check_cpu?warning%3Dtime%20%3D%20%275m%27%20and%20load%20%3E%2080&critical%3Dtime%20%3D%20%275m%27%20and%20load%20%3E%2090&show-all HTTP/1.1
TE: deflate,gzip;q=0.3
Keep-Alive: 300
Connection: Keep-Alive, TE
Host: 127.0.0.1:1443
User-Agent: centreon::plugins::backend::http::useragent
Password: centreon

< 2025/04/04 12:34:59.804956  length=59 from=0 to=58
HTTP/1.1 403\r\r
Content-Length: 20\r\r
\r\r
403 Your not allowed
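The two captures differ in how the client authenticates: curl sends an Authorization: Basic header, while the plugin in legacy mode sends a Password: header that NSClient++ answers with 403. The Python below is an added example (not from the original post, nor Centreon or NSClient++ code) that parses a socat -v capture, embedded here as a constructed, abbreviated copy of the one above, and pairs each request's authentication method with the response status.

```python
import base64
import re
# Constructed sample, abbreviated from the socat -v capture above (">" request, "<" response).
CAPTURE = r"""> 2025/04/04 12:27:38.353691  length=146 from=0 to=145
GET /api/v1/scripts/ext?all=true HTTP/1.1
Authorization: Basic Y2VudHJlb246Y2VudHJlb24=
< 2025/04/04 12:27:38.378346  length=1681 from=0 to=1680
HTTP/1.1 200\r\r
> 2025/04/04 12:34:59.797373  length=315 from=0 to=314
GET /query/check_cpu?show-all HTTP/1.1
Password: centreon
< 2025/04/04 12:34:59.804956  length=59 from=0 to=58
HTTP/1.1 403\r\r
403 Your not allowed
"""
BLOCK_RE = re.compile(r"^([<>]) \d{4}/\d{2}/\d{2} [\d:.]+\s+length=\d+")

def parse_capture(text):
    """Split a socat -v capture into (direction, lines) blocks."""
    blocks = []
    for raw in text.splitlines():
        line = raw.replace("\\r", "").rstrip()  # socat prints a CR as the two characters \r
        m = BLOCK_RE.match(line)
        if m:
            blocks.append((m.group(1), []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks

def auth_method(headers):
    """Classify how the client authenticated from its (lower-cased) request headers."""
    if "authorization" in headers:
        scheme, _, cred = headers["authorization"].partition(" ")
        if scheme.lower() == "basic":
            return "basic user=" + base64.b64decode(cred).decode().split(":", 1)[0]
        return scheme.lower()
    return "legacy Password header" if "password" in headers else "none"

def analyse(text):
    """Pair each request with the next response: [(path, auth method, status), ...]."""
    results, pending = [], None
    for direction, lines in parse_capture(text):
        if direction == ">":
            headers = {k.strip().lower(): v.strip() for k, _, v in
                       (h.partition(":") for h in lines[1:] if h)}
            pending = (lines[0].split()[1], auth_method(headers))
        elif pending:
            results.append(pending + (int(lines[0].split()[1]),))
            pending = None
    return results
```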

Solution

Add the arguments below for "basic" authentication:

  • --basic
  • --credentials
  • --username=centreon
  • --password=centreon
/usr/lib/centreon/plugins/centreon_plugins --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='192.168.1.161' --port='8443' --proto='https' --basic --credentials --username=centreon --password=centreon --insecure --command=check_cpu --arg="warning=time = '5m' and load > 80" --arg="critical=time = '5m' and load > 90" --arg=show-all

Other socat commands

For testing (an HTTPS listener that answers a fixed plain-text response):

socat -v -ls OPENSSL-LISTEN:${PORT},reuseaddr,cert=${FQDN}.pem,verify=0,crlf,fork SYSTEM:"echo HTTP/1.0 200; echo Content-Type\: text/plain; echo; echo \"hello from $(hostname) at \$(date)\""
2025/04/04 14:18 · Jean-Baptiste

Prometheus windows_exporter i386 compilation (Go)

Draft

We need to collect as many metrics as possible from a 32-bit Windows XP machine.

One option is Prometheus windows_exporter (formerly wmi_exporter), but the project does not provide a compiled 32-bit build.

Source: https://github.com/prometheus-community/windows_exporter

Compiling it does not work:

Go 1.10 is the last release to support Windows Vista or below

See:

The last Win32-compatible version:

Usage

C:\Program Files\windows_exporter\

Command-line usage

--config.file=CONFIG.FILE
--collectors.enabled="cpu,cs,memory,logical_disk,physical_disk,net,os,service,system"
--collector.tcp.enabled="metrics,connections_state"
--collector.performancecounter.objects=""
--collector.netframework.enabled="clrexceptions,clrinterop,clrjit,clrloading,clrlocksandthreads,clrmemory,clrremoting,clrsecurity"
--collector.process.include=".+"
--collector.scheduled_task.include=".+"
--collector.service.include=".+"
--collector.net.enabled="metrics,nic_addresses"
--collector.net.nic-include=".+"
--collector.time.enabled="system_time,ntp"
Usage of the old version wmi_exporter-0.9.0
msiexec /i wmi_exporter-0.9.0-386.msi ENABLED_COLLECTORS=cpu,cs,logical_disk,logon,memory,net,os,process,service,system,tcp,vmware

Test: http://localhost:9182

Other

https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md

time=2025-04-03T11:27:26.836Z level=WARN source=cs.go:75 msg="The cs collector is deprecated and will be removed in a future release. Logical processors has been moved to cpu_info collector. Physical memory has been moved to memory collector. Hostname has been moved to os collector."
time=2025-04-03T11:27:26.836Z level=WARN source=os.go:108 msg="The os collect holds a number of deprecated metrics and will be removed mid 2025. See https://github.com/prometheus-community/windows_exporter/pull/1596 for more information." collector=os

Old

Compiling on Windows

set http_proxy=http://192.168.1.221:3128
set https_proxy=http://192.168.1.221:3128

go install github.com/prometheus/promu@latest
set GOARCH=386
go install github.com/prometheus-community/windows_exporter@latest
cd $env:GOPATH/src/github.com/prometheus-community/windows_exporter
promu build -v
Compiling on GNU+Linux (WSL)
sudo apt-get install gcc-multilib
sudo apt-get install gcc-mingw-w64

go install github.com/prometheus/promu@latest

export http_proxy=http://192.168.1.221:3128
export https_proxy=http://192.168.1.221:3128

GOOS=windows GOARCH=386 CGO_ENABLED=1 CXX=i686-w64-mingw32-g++ CC=i686-w64-mingw32-gcc
export GOOS GOARCH CGO_ENABLED CXX CC
go install github.com/prometheus-community/windows_exporter@latest
cd ~/go/pkg/mod/github.com/prometheus-community/windows_exporter
promu build -v
go: downloading github.com/containerd/typeurl/v2 v2.2.3
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb
go: downloading github.com/gogo/protobuf v1.3.2
github.com/prometheus-community/windows_exporter/cmd/windows_exporter: go build github.com/prometheus-community/windows_exporter/cmd/windows_exporter: copying /tmp/go-build2685928784/b001/exe/a.out.exe: open windows_exporter.exe: permission denied
!! command failed: build -o windows_exporter.exe -ldflags -X github.com/prometheus/common/version.Version= -X github.com/prometheus/common/version.Revision=non-git -X github.com/prometheus/common/version.Branch=non-git -X github.com/prometheus/common/version.BuildUser=management@vlbvmdevadm01 -X github.com/prometheus/common/version.BuildDate=20250403-08:47:02  -extldflags '-static' -tags trimpath github.com/prometheus-community/windows_exporter/cmd/windows_exporter: exit status 1

Solution: replace build -o windows_exporter.exe with build -o /tmp/windows_exporter.exe

go build -o /tmp/windows_exporter.exe -tags trimpath github.com/prometheus-community/windows_exporter/cmd/windows_exporter
Error: windows_exporter.exe is not a valid Win32 application

See https://learn.microsoft.com/en-us/windows/win32/debug/pe-format

$ file windows_exporter*
windows_exporter.exe:                    PE32 executable (console) Intel 80386, for MS Windows, 13 sections
windows_exporter_CompiledOnOuindoze.exe: PE32 executable (console) Intel 80386, for MS Windows, 13 section
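The PE format document linked above is enough to check a produced binary without relying on `file`. The Python below is an added example (not from the original post nor from windows_exporter): it reads the MZ stub, e_lfanew, the PE signature, the COFF Machine and NumberOfSections fields and the optional-header Magic, and tells whether the image is a PE32 for Intel 80386, which is what a 32-bit Windows host accepts. fake_pe() builds a constructed minimal image so the checks can be tested offline.

```python
import struct

# COFF Machine values and optional-header Magic values from the PE format document.
MACHINE = {0x14C: "Intel 80386", 0x8664: "x86-64", 0xAA64: "ARM64"}
MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}

def pe_info(data):
    """Return (format, machine, number of sections) for a PE image or raise ValueError.
    Layout: 'MZ' stub, e_lfanew at 0x3C, 'PE\\0\\0' signature, 20-byte COFF header
    (Machine, NumberOfSections, ...), then the optional header starting with Magic."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header: not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    if len(data) < e_lfanew + 26:
        raise ValueError("truncated PE header")
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return (MAGIC.get(magic, f"magic 0x{magic:x}"),
            MACHINE.get(machine, f"machine 0x{machine:04x}"), nsections)

def is_win32_i386(data):
    """True when the image is what a 32-bit Windows host loads: PE32 for Intel 80386."""
    fmt, machine, _ = pe_info(data)
    return fmt == "PE32" and machine == "Intel 80386"

def fake_pe(machine, magic=0x10B, nsections=13):
    """Constructed minimal image for offline testing (headers only, not runnable)."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew: PE header right after the stub
    coff = struct.pack("<HH", machine, nsections) + bytes(16)  # 20-byte COFF header
    return bytes(stub) + b"PE\0\0" + coff + struct.pack("<H", magic)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, *pe_info(f.read()))
```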
2025/04/03 14:09 · Jean-Baptiste

xonsh notes - the Python shell

The Python shell

IPython, in its interactive shell part, aims at the same goal.

See: IPython

  xonfig wizard      # Run the configuration wizard to create ~/.xonshrc
  xonfig tutorial    # Open the xonsh tutorial in the browser


    # XONSH WIZARD START
    source-foreign  "echo loading xonsh foreign shell"
    xontrib load coreutils
    # XONSH WIZARD END
2025/03/31 11:19 · Jean-Baptiste

Podman notes

See:

Rootless: https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md

Install slirp4netns (to be replaced by pasta starting with Podman 5)

apt-get install slirp4netns

Then configure the number of user namespaces:

echo "user.max_user_namespaces=28633" > /etc/sysctl.d/userns.conf
sysctl -p /etc/sysctl.d/userns.conf

This lets user namespaces be used without being root.

Registry configuration

/etc/containers/registries.conf

[registries.search]
registries = ['docker.io', 'quay.io', 'ghcr.io']
 
[registries.insecure]
registries = []

Example

podman build -t jibe/dokuwiki --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" -f Containerfile .
 
podman run -a stdout --rm --name=dokuwiki1 -v $PWD/tmp/dokuwiki/data/:/var/www/wiki/www/data -v $PWD/tmp/dokuwiki/conf/:/var/www/wiki/www/conf -m 512m -p 8082:8080 jibe/dokuwiki

Container - entrypoint

$ podman run --entrypoint /usr/bin/echo -ti --rm debian -e 'Test1\nTest2'
Test1
Test2
#podman generate systemd --restart-policy=always -t 1 dokuwiki1
#podman generate systemd --restart=always -t 1 dokuwiki1
 
# podman generate systemd --new --files --name httpd
# quadlet ?

Other

echo 1 > /proc/sys/kernel/unprivileged_userns_clone

UIDMAP configuration

Column  Description
1       System user name on the host
2       Host UID corresponding to UID 0 in the namespace
3       Range: number of UIDs inside the namespace

/etc/subuid

jean:100000:65536
test:165536:65536
plop:231072:65536
k8s:296608:65536

/etc/subgid

jean:100000:65536
test:165536:65536
plop:231072:65536
k8s:296608:65536
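As an added example (not from the original post nor from Podman), the Python below parses /etc/subuid or /etc/subgid (the embedded sample is a constructed copy of the file above), checks that no two users' ranges overlap, and answers the forensic question of which rootless user, and which uid inside that user's namespace, a host uid belongs to. It assumes Podman's rootless mapping, where the user's own uid is container uid 0 and the first subordinate id (column 2) is container uid 1.

```python
# Constructed sample, identical to the /etc/subuid shown above.
SUBUID = """jean:100000:65536
test:165536:65536
plop:231072:65536
k8s:296608:65536
"""

def parse_subid(text):
    """Parse /etc/subuid or /etc/subgid into {user: (start, count)}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, start, count = line.split(":")
            ranges[user] = (int(start), int(count))
    return ranges

def overlaps(ranges):
    """Pairs of users whose ranges overlap: each subordinate id must belong to one user."""
    items = sorted(ranges.items(), key=lambda kv: kv[1][0])
    return [(a, b) for (a, (sa, ca)), (b, (sb, cb)) in zip(items, items[1:])
            if sb < sa + ca]

def owner_of_host_id(host_id, ranges):
    """(user, id inside that user's namespace) for a host uid/gid, or None.
    Assumes Podman's rootless mapping: the user's own uid is container uid 0 and
    the first subordinate id (column 2) is container uid 1, so the id inside the
    namespace is the offset into the range plus one."""
    for user, (start, count) in ranges.items():
        if start <= host_id < start + count:
            return user, host_id - start + 1
    return None
```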

Useful commands

Show all container port mappings in use

podman port -a

For a specific container

podman port ctn-app1

Network

Podman supports two network backends for containers: Netavark and CNI.

To check which network backend is in use:

$ podman info --format {{.Host.NetworkBackend}}
netavark

To change the network backend, set it in /usr/share/containers/containers.conf:

[network]
[...]
# Network backend determines what network driver will be used to set up and tear down container networks.
# Valid values are "cni" and "netavark".
network_backend = "netavark"

The podman network create command creates a DNS-enabled network.

Creating a network called db_network with the subnet 10.87.0.0/24 and the gateway 10.87.0.1:

podman network create --gateway 10.87.0.1 --subnet 10.87.0.0/24 db_network

The podman network inspect command displays information about a specific network.

The podman run --network option adds the DNS-enabled network db_network to a new container.

Re-apply the Podman network rules:

podman network reload

Before this command existed, the containers had to be restarted.

A common problem is that reloading the firewall deletes the netavark iptables rules resulting in a loss of network connectivity for rootful containers.

2025/03/28 21:22 · Jean-Baptiste

SFTP access without a shell

See:

See also:

  • rssh
  • mysecureshell

Or for SFTP-only access:

#usermod -s /usr/lib/openssh/sftp-server username
echo "/usr/lib/openssh/sftp-server" >> /etc/shells

Source : http://www.debian-administration.org/article/94/How_to_restrict_users_to_SFTP_only_instead_of_SSH


Since bash is listed in /etc/shells, this is OK

/usr/local/bin/sftp.sh

#! /bin/bash
/usr/lib/openssh/sftp-server -l INFO
chmod +x /usr/local/bin/sftp.sh

Everything is logged in /var/log/auth.log

/etc/passwd

test:x:1003:1003:,,,:/home/test:/usr/local/bin/sftp.sh
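To review which accounts end up SFTP-only after the steps above, here is an added Python audit (not from the original post) over constructed /etc/passwd and /etc/shells samples modelled on the lines shown: it classifies each account by its login shell and reports whether that shell path itself is listed in /etc/shells, which is what the echo >> /etc/shells step takes care of. The SFTP_SHELLS set is an assumption listing the SFTP-only shells mentioned on this page.

```python
# Constructed samples modelled on the /etc/passwd and /etc/shells lines above.
SHELLS = """# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/lib/openssh/sftp-server
/usr/bin/mysecureshell
"""
PASSWD = """root:x:0:0:root:/root:/bin/bash
test:x:1003:1003:,,,:/home/test:/usr/local/bin/sftp.sh
sftpuser:x:1004:1004::/home/sftpuser:/usr/bin/mysecureshell
sftp_download:x:1005:1005::/download:/sbin/nologin
"""
# Assumption: login "shells" that only ever start an SFTP server (the wrapper is from this page).
SFTP_SHELLS = {"/usr/lib/openssh/sftp-server", "/usr/bin/mysecureshell", "/usr/local/bin/sftp.sh"}
NO_LOGIN = {"nologin", "false"}

def valid_shells(shells_text):
    """Shell paths declared in /etc/shells (comments and blank lines ignored)."""
    return {l.strip() for l in shells_text.splitlines() if l.strip() and not l.startswith("#")}

def audit(passwd_text, shells_text):
    """Return {user: (kind, listed)}: kind is 'sftp-only', 'no-login' or 'shell';
    listed says whether the account's shell path itself appears in /etc/shells."""
    valid = valid_shells(shells_text)
    report = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")          # name:passwd:uid:gid:gecos:home:shell
        user, shell = fields[0], fields[6]
        if shell in SFTP_SHELLS:
            kind = "sftp-only"
        elif shell.rsplit("/", 1)[-1] in NO_LOGIN:
            kind = "no-login"
        else:
            kind = "shell"
        report[user] = (kind, shell in valid)
    return report

def accounts_missing_shell_entry(report):
    """SFTP-only accounts whose shell still has to be appended to /etc/shells."""
    return sorted(u for u, (kind, listed) in report.items() if kind == "sftp-only" and not listed)
```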

MySecureShell notes

/etc/ssh/sftp_config

<Default>
        #Home                   /home/$USER     #overrite home of the user but if you want you can use
                                        #  environment variable (ie: Home /home/$USER)
        #LimitConnection         10      #max connection for the server sftp
        #LimitConnectionByUser   1       #max connection for the account
        #LimitConnectionByIP     2       #max connection by ip for the account
        LimitConnection         10      #max connection for the server sftp
        LimitConnectionByUser   5       #max connection for the account
        LimitConnectionByIP     10       #max connection by ip for the account
 
</Default>

/etc/shells

/usr/bin/mysecureshell
/etc/init.d/mysecureshell restart
usermod -s /usr/bin/mysecureshell sftpuser
# sftp-verif

Verifing file rights of /usr/bin/mysecureshell                       [ FAILED ]
Rights problems have been detected 0755 and should be 4755
Do you want to repair /usr/bin/mysecureshell file rights ? (Y/n)
Debug

See: /var/log/sftp-server.log

Other

useradd sftp_download -s /sbin/nologin -
passwd sftp_download
mkdir /download
# override default of no subsystems
#Subsystem      sftp    /usr/lib/openssh/sftp-server
Subsystem       sftp    internal-sftp

Match group sftponly
     ChrootDirectory /upload
     X11Forwarding no
     AllowTcpForwarding no
     AllowAgentForwarding no
     ForceCommand internal-sftp -d /%u
	 

PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
# PasswordAuthentication no
2025/03/24 15:06