Docker4nerdctl
Background

To use k8s you have to use containerd, and containerd's client is nerdctl. But when it comes to containers the default is still docker, and the shell scripts published on GitHub and elsewhere use the docker command. Rewriting all of them is a pain. So what do you do in that situation? And what do you do when an alias does not do the job (an alias is not expanded inside a script)? A small trick for those cases.

The trick

Create a wrapper script named docker:

```bash
sudo vim /usr/local/bin/docker
```

with the following contents:

```bash
#!/bin/bash
# Redirect docker calls to nerdctl, passing every argument through unchanged
exec nerdctl "$@"
```

and make it executable:

```bash
sudo chmod +x /usr/local/bin/docker
```

With this, every docker command is redirected to nerdctl!! Wonderful.

One check worth doing: /usr/local/bin has to come before any directory holding a real docker binary in PATH (`which -a docker` shows the order), and nerdctl does not accept every docker flag, so an individual script may still need a small adjustment.
Master_of_athenz
I want to understand Athenz completely

As the title says, I want to understand athenz. Honestly, at the level of personal projects you can get by without understanding it at all, but I think it becomes an essential technology once you are a large company running many services that call each other's APIs. Even on an internal network, unless you restrict the use of a service to properly authenticated people or services, an attacker who manages to get into the internal network can do whatever they like. So, I am going to aim for a complete understanding of athenz.

Outline

- Introduce each component of athenz.
- Explain the RBAC that athenz uses.
- Install athenz on my home cluster.
- Try various things with the installed athenz (provider-tenant communication, playing the role of a mock attacker, and so on).

What athenz is in the first place

It is a platform for controlling access between applications. Access control means granting permissions on resources such as REST APIs. There are three building blocks for access control: identification, authentication and authorization. And the access-control side of athenz uses something called RBAC.

What RBAC is

You group the subjects that access resources by their role and grant permissions to the group; that group is called a role. The important point is that permissions are given to the role, not to the person, and people are added to the role. Roles come in many kinds: you can create a role that can do all of CRUD, or a role that can only read. The permissions given to each role are called a policy; this is also important. You attach a policy to a role.

The party that provides a resource is called the provider, the party that uses it is called the tenant, and athenz sits in the middle. The identity information is called an Athenz service. In the slightly more complicated discussion a name called domain also shows up.

The flow of access control in athenz

Suppose a tenant accesses a provider. First, the tenant has the central athenz issue it a token (a role token). At that point the tenant presents an x509 certificate to prove its own existence (here is the first question: who issues that x509 certificate?). The tenant then puts the issued token into an HTTP header and accesses the provider. On the provider side, athenz-proxy runs in front of the API, checks the access against the information it fetched earlier from the central athenz, and decides whether or not to proxy the request to the API.

Architecture and components

Athenz is a robust system for managing service-to-service authentication and fine-grained access control through its primary components: ZMS (Management Server), ZTS (Token Server), and its User Interface.

1. Management Server (ZMS)

The ZMS is the central authority for managing and provisioning domain-based roles, policies, and resource permissions. It acts as the control plane where administrators define access control rules and service configurations.

Key Features:
- Domain Management: Organizes services and resources into "domains" (like a namespace) with associated roles and policies.
- Role and Policy Definitions: Allows creation of roles (e.g., admin, reader) and policies specifying which roles can access specific resources.
- Audit Trails: Keeps a record of all configuration changes for security and compliance purposes.
- REST API: Provides APIs for managing domains, roles, and policies programmatically.
- Storage: Persistently stores configuration data in databases like MySQL.

2. Token Server (ZTS)

The ZTS is the runtime component responsible for generating and validating short-lived tokens and certificates that services use to authenticate with one another.

Key Features:
- Token Issuance: Issues Access Tokens (JWTs) and Role Tokens for authorization. Tokens are short-lived, improving security by reducing exposure to stolen credentials.
- Certificate Issuance: Provides short-lived X.509 certificates for mutual TLS authentication between services.
- Decentralized Authorization: Services can independently validate tokens or certificates using the ZTS public keys, reducing reliance on the ZTS during runtime.
- Dynamic Trust: Works seamlessly in dynamic environments like Kubernetes, issuing tokens based on pod identities.
- Integration: Compatible with OAuth 2.0 and OIDC for standardized authentication.

3. User Interface

Athenz includes a user-friendly web-based UI that enables administrators and users to interact with the system without directly accessing APIs or configuration files.

Key Features:
- Role and Policy Management: Intuitive interfaces for creating and managing roles, policies, and resource permissions.
- Domain Browsing: Easily navigate through domains and view their configurations.
- Audit and Reporting: Visualize audit logs and track changes to roles, policies, and resource access.
- Ease of Use: Simplifies complex RBAC configurations into a graphical and interactive platform, making it easier to onboard new administrators.

Summary of the components

Summary of Workflow:
- Setup Phase: Use the ZMS or UI to define domains, roles, and policies.
- Runtime Phase: Services request tokens or certificates from ZTS to authenticate with other services.
- Decentralized Validation: Tokens are validated locally by consuming services using ZTS-provided public keys.

A quick glossary

- Athenz service: information used to identify the source of an access.
- Role: a grouping of Athenz services that hold the same permissions; you add Athenz services to it.
- Policy: a description of what a role is allowed to do.
- Domain: the namespace that manages Athenz services, roles and policies.
- x509 certificate: proves that something is a given Athenz service.

Kinds of tokens

Setup

Tenant side: first, you need to create an Athenz service to identify the source of the access. Then you need to obtain an x509 certificate (I recall the flow being: generate a private key, send a CSR somewhere, and have the certificate handed back to you?). Depending on the environment this is sometimes automated.
...
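To make the role/policy/domain vocabulary above concrete, here is an added example (my own code, not part of Athenz or of the original post) of a simplified RBAC evaluator: a domain holds roles whose members are Athenz services, and policies are assertions of (effect, role, action, resource), evaluated deny-by-default with an explicit deny beating any allow. That is the outline of how Athenz assertions behave; the domain name "provider", service names such as tenant.frontend and the resource names are constructed for the example.

```python
from fnmatch import fnmatchcase


class Domain:
    """Namespace holding roles (name -> member services) and policy assertions.

    Simplified model of the Athenz vocabulary; not Athenz's own code.
    """

    def __init__(self, name):
        self.name = name
        self.roles = {}       # role name -> set of Athenz service names
        self.policies = []    # assertions: (effect, role, action_pattern, resource_pattern)

    def add_role(self, role, members=()):
        # Permissions are never attached to a principal directly: you add the
        # principal (an Athenz service) to a role and grant to the role.
        self.roles.setdefault(role, set()).update(members)

    def add_policy(self, role, action, resource, effect="allow"):
        if role not in self.roles:
            raise KeyError(f"role {role!r} is not defined in domain {self.name!r}")
        # Resources are qualified with the domain, as in "provider:api.orders.*"
        self.policies.append((effect, role, action, f"{self.name}:{resource}"))

    def roles_of(self, principal):
        return {r for r, members in self.roles.items() if principal in members}

    def is_allowed(self, principal, action, resource):
        """Deny by default; an explicit deny assertion wins over any allow."""
        qualified = f"{self.name}:{resource}"
        held = self.roles_of(principal)
        allowed = False
        for effect, role, action_pat, resource_pat in self.policies:
            if role not in held:
                continue
            if fnmatchcase(action, action_pat) and fnmatchcase(qualified, resource_pat):
                if effect == "deny":
                    return False
                allowed = True
        return allowed


def build_demo_domain():
    """Constructed sample domain: two tenant services may read orders; ops may
    do anything on the API except delete the audit log."""
    d = Domain("provider")
    d.add_role("reader", {"tenant.frontend", "tenant.batch"})
    d.add_role("admin", {"provider.ops"})
    d.add_policy("reader", "get", "api.orders.*")
    d.add_policy("admin", "*", "api.*")
    d.add_policy("admin", "delete", "api.audit_log", effect="deny")
    return d


if __name__ == "__main__":
    d = build_demo_domain()
    for principal, action, resource in [
        ("tenant.frontend", "get", "api.orders.list"),
        ("tenant.frontend", "delete", "api.orders.list"),
        ("provider.ops", "delete", "api.audit_log"),
        ("unknown.service", "get", "api.orders.list"),
    ]:
        print(principal, action, resource, "->", d.is_allowed(principal, action, resource))
```

The decision `is_allowed` makes is a stand-in for what the proxy in front of the provider's API does in the flow described above: it reads the roles the caller holds (in Athenz they arrive in the role token) and evaluates the domain's policies before forwarding anything.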
Nginx2vector2kafka2opensearch
I want to monitor nginx's metrics and logs. The metrics data flows like this:

nginx -> vector -> kafka -> opensearch/influxDB

That is, vector picks up the logs nginx emits and sends them to kafka, and opensearch and influxDB each consume from kafka. That seems like a good arrangement. Since I want vector to handle /var/log/nginx/access.log, the file nginx writes its log to, in the same namespace, I am going to install those two on the physical machine.

Environment

The following three machines are used:

- delta (100.64.1.48, 192.168.3.1): router for 192.168.3.1/24, kafka, kafka-ui, opensearch
- master (192.168.3.8): proxy server (nginx), vector
- gamma/zeta/...: origin servers

docker compose configuration for kafka

```yaml
services:
  kafka-broker:
    image: apache/kafka:3.7.0
    container_name: kafka-broker
    ports:
      - "${KAFKA_BROKER_LOCAL_PORT}:9092"
    environment:
      KAFKA_NODE_ID: 1
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: "CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT"
      KAFKA_ADVERTISED_LISTENERS: "PLAINTEXT_HOST://localhost:${KAFKA_BROKER_LOCAL_PORT},PLAINTEXT://kafka-broker:${KAFKA_BROKER_PUBLIC_PORT}"
      KAFKA_PROCESS_ROLES: "broker,controller"
      KAFKA_CONTROLLER_QUORUM_VOTERS: "1@kafka-broker:${KAFKA_BROKER_CONTROLLER_PORT}"
      KAFKA_LISTENERS: "CONTROLLER://:${KAFKA_BROKER_CONTROLLER_PORT},PLAINTEXT_HOST://:${KAFKA_BROKER_LOCAL_PORT},PLAINTEXT://:${KAFKA_BROKER_PUBLIC_PORT}"
      KAFKA_INTER_BROKER_LISTENER_NAME: "PLAINTEXT"
      KAFKA_CONTROLLER_LISTENER_NAMES: "CONTROLLER"
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
      KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 1
      KAFKA_LOG_DIRS: "/tmp/kraft-combined-logs"
  kafka-ui:
    container_name: kafka-ui
    image: provectuslabs/kafka-ui:v0.7.2
    ports:
      - "${KAFKA_UI_PORT}:8080"
    depends_on:
      - kafka-broker
    restart: always
    environment:
      KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: kafka-broker:${KAFKA_BROKER_PUBLIC_PORT}
  init-kafka:
    # we want the kafka-topics command, so use the confluentinc container
    image: confluentinc/cp-kafka:7.6.1
    container_name: init-kafka
    depends_on:
      - kafka-broker
    entrypoint: ["/bin/sh", "-c"]
    command: |
      "
      # blocks until kafka is reachable
      kafka-topics --bootstrap-server kafka-broker:${KAFKA_BROKER_PUBLIC_PORT} --list
      echo -e 'Creating topics'
      kafka-topics --bootstrap-server kafka-broker:${KAFKA_BROKER_PUBLIC_PORT} --create --if-not-exists --topic nginx-log --replication-factor 1 --partitions 1
      echo -e 'Successfully created :'
      kafka-topics --bootstrap-server kafka-broker:${KAFKA_BROKER_PUBLIC_PORT} --list
      "
```

Two things to check in this file: the host port mapping "${KAFKA_BROKER_LOCAL_PORT}:9092" targets container port 9092, while the PLAINTEXT_HOST listener is bound to ${KAFKA_BROKER_LOCAL_PORT} inside the container, so the mapping only works when that variable is 9092. Also, every listener is PLAINTEXT with no authentication, which is acceptable on a home LAN but means anyone who can reach the port can produce to or read from the nginx-log topic.

Configuration for opensearch

```yaml
version: '3'
services:
  opensearch-node1: # This is also the hostname of the container within the Docker network (i.e. https://opensearch-node1/)
    image: opensearchproject/opensearch:latest # Specifying the latest available image - modify if you want a specific version
    container_name: opensearch-node1
    environment:
      - cluster.name=opensearch-cluster # Name the cluster
      - node.name=opensearch-node1 # Name the node that will run in this container
      - discovery.seed_hosts=opensearch-node1,opensearch-node2 # Nodes to look for when discovering the cluster
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2 # Nodes eligible to serve as cluster manager
      - bootstrap.memory_lock=true # Disable JVM heap memory swapping
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # Set min and max JVM heap sizes to at least 50% of system RAM
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD} # Sets the demo admin user password when using demo configuration, required for OpenSearch 2.12 and later
    ulimits:
      memlock:
        soft: -1 # Set memlock to unlimited (no soft or hard limit)
        hard: -1
      nofile:
        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536
        hard: 65536
    volumes:
      - opensearch-data1:/usr/share/opensearch/data # Creates volume called opensearch-data1 and mounts it to the container
    ports:
      - 9200:9200 # REST API
      - 9600:9600 # Performance Analyzer
    networks:
      - opensearch-net # All of the containers will join the same Docker bridge network
  opensearch-node2:
    image: opensearchproject/opensearch:latest # This should be the same image used for opensearch-node1 to avoid issues
    container_name: opensearch-node2
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-node2
      - discovery.seed_hosts=opensearch-node1,opensearch-node2
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - opensearch-data2:/usr/share/opensearch/data
    networks:
      - opensearch-net
  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes
    container_name: opensearch-dashboards
    ports:
      - 5601:5601 # Map host port 5601 to container port 5601
    expose:
      - "5601" # Expose port 5601 for web access to OpenSearch Dashboards
    environment:
      OPENSEARCH_HOSTS: '["https://opensearch-node1:9200","https://opensearch-node2:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
    networks:
      - opensearch-net
volumes:
  opensearch-data1:
  opensearch-data2:
networks:
  opensearch-net:
```

Configuration for nginx

This is just the usual ...
Comments_on_real_world_http
I am going to scribble down notes on what Real World HTTP says.

Development environment

Before that, let me write down the LAN IP addresses:

- 100.64.1.27 : alpha
- 100.64.1.61 : evn
- 100.64.1.48 : delta (the GW to the K8S cluster)

The role of delta

I previously wrote an article about building a DHCP server and router; that is this article. So delta is positioned as a DHCP server that doubles as the router.
November 2024 TODO
Task list as of 2024/11/1

Development

- I want to set up an echo-server on my home K8S, set up multiple proxies, put a vip in front of them, and be able to load test with vegeta. Then I want to be able to collect all sorts of metrics. I am aware that, as a sequence of steps, this is quite a detour.
- First, I want to read real-world-http. It is pretty long, so I will work through it while taking notes. The end goal is a setup of two proxies and one echo-server that I can put load on with vegeta. This is a good reference for that.
- I also bought one of those "learn k8s by breaking it" books, so I want to read it and deploy an echo-server written in go, deploy the proxies, and so on. (When am I going to get this done, though?)
- Solve past ISUCON problems. I will be competing in this year's ISUCON with Shiraki-san and one other teammate. I do not want to hold them back, so I will work hard. Update: registration for isucon14 has opened, they say. Let's do our best.
- I want to introduce accounting software. Something around here looks good: https://ledger-cli.org/
- Push forward with founding the LLC.
- I and shiraki-san decided to develop GSLB using go lang. It is going to be funny.
- Learn DNS (this one is progressing at a leisurely pace) -> Done
- Learn how to write a packet parser using Go on the TCP layer. It is also going to be funny.
- The day has come to run that horse-racing system. I will write the manifest files so it can run on my home k8s. And the logo request to my teammate still stands.
- Build a distributed file system in Go (this YouTube video makes it look doable; alternatively, the book on building distributed systems in Go that just arrived would do. Either is fine, but with the latter the distributed system gets deployed onto k8s, which feels like it fits well with the item above. Yes.)

Other

- I want to get up early every morning. Going to bed at 23:00 and getting up at 06:30 would be ideal.
- Land some kind of contract work soon and sell.
- Open a YouTube channel soon and start the expense-account life!

Long-term

- Get the bookkeeping level 2 certification!
- Buy land somewhere, and save up!! Seriously, everything other than 80,000 for living expenses and 50,000 into the reward savings account goes towards this. That means the money available for the monthly credit card payment is 170,000. Insurance takes 100,000 out of that, so is only 70,000 really left?
I cannot die until I understand ECDH, ECDSA and EdDSA
I want to understand ECDH completely

References

- A YouTube video introducing ECDH
- An example that explains elliptic curve cryptography with a billiards analogy

Explanation of ECDH

ECDH is quite interesting. First, define something called addition on an elliptic curve. This is the billiards picture: pick two points and draw the line through them; it meets the elliptic curve at a new point. Reflect that point across the x-axis, and the result is taken as the sum:

a + b = c

Here p + p = 2p can also be defined; for p + p the line is the tangent at p. What is curious is that the following associativity holds:

p + 2p = 3p
3p + p = 4p
2p + 2p = 4p

The 4p obtained by first computing p + 2p = 3p and then 3p + p = 4p, and the 4p obtained from 2p + 2p = 4p, are the same point. This is interesting.

So, in this way you fix a starting point G, and finding the point Q obtained by adding it k times,

Q = kP

is easy (for example, when k = 128 you compute 2p+2p, 4p+4p, ..., 64p+64p, so the number of computations stays small). However, finding k from Q and P is hard: you would have to go through the additions one at a time, in order.

So the server and the client each generate a value Q, namely Q1 and Q2:

Q1 = k1P
Q2 = k2P

Then Q1 and Q2 are exchanged. In openssl the exchange is signed with RSA or similar, so authenticity can be guaranteed. The pre-master secret is then

Q = k1k2P

and with that the key exchange is complete; a shared key is generated from it and encrypted communication starts. Wonderful.

The picture of elliptic curve cryptography is explained as follows.
...
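As an added example (my own code, not from the post), here is the point addition, doubling and scalar multiplication described above on a tiny curve constructed for illustration: y^2 = x^3 + 2x + 2 over F_17 with base point G = (5, 1), which has order 19. It checks that 2G + 2G and 3G + G land on the same point, runs the exchange Q1 = k1·G, Q2 = k2·G, shared = k1·Q2 = k2·Q1, and recovers k by brute force, which only works because the group has 19 elements; on a real curve with around 2^256 points that same loop is exactly what is infeasible.

```python
# Curve parameters are constructed for illustration and are far too small
# to be secure: y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1) of order 19.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
INF = None   # the point at infinity, the identity element of the group


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    """Chord-and-tangent addition: draw the line, take the third intersection,
    reflect it across the x-axis. Doubling uses the tangent line."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                               # vertical line: P + (-P) = O
    if p1 == p2:
        slope = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        slope = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    slope %= P_MOD
    x3 = (slope * slope - x1 - x2) % P_MOD
    y3 = (slope * (x1 - x3) - y1) % P_MOD      # the reflection is the minus sign here
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add: computes k*pt in O(log k) additions, which is the
    '2p+2p, 4p+4p, ...' shortcut the post describes."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def brute_force_log(q, base=G):
    """Recover k with q = k*base by stepping through the group one addition
    at a time: feasible here because the group has 19 elements, hopeless
    for real curves with ~2^256 points, which is the whole security argument."""
    k, cur = 1, base
    while cur != q:
        cur = point_add(cur, base)
        k += 1
        if cur is INF and q is not INF:
            raise ValueError("q is not a multiple of base")
    return k


def ecdh_exchange(k1, k2):
    """k1 and k2 are the two sides' private scalars; Q1 and Q2 travel over the
    wire, and both sides arrive at the same shared point k1*k2*G."""
    q1 = scalar_mult(k1, G)                      # sent by side 1
    q2 = scalar_mult(k2, G)                      # sent by side 2
    shared1 = scalar_mult(k1, q2)                # side 1 computes k1*(k2*G)
    shared2 = scalar_mult(k2, q1)                # side 2 computes k2*(k1*G)
    return q1, q2, shared1, shared2


if __name__ == "__main__":
    print("2G+2G =", point_add(point_add(G, G), point_add(G, G)))
    print("3G+G  =", point_add(scalar_mult(3, G), G))
    q1, q2, s1, s2 = ecdh_exchange(7, 11)
    print("Q1 =", q1, "Q2 =", q2, "shared =", s1, s2)
    print("brute-forced k1 =", brute_force_log(q1))
```

In TLS the Q values that cross the wire are the ephemeral public keys, and, as the post notes, the server signs its Q with the certificate key so that a man in the middle cannot substitute its own.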
MTLS_on_OVPN
Understand the public-key cryptography system completely

Right. You specify a set of five things (a cipher suite): key exchange algorithm, signature algorithm, encryption algorithm, cipher mode and hash, and the communication gets encrypted. That is everything I know about the crypto system. So, openVPN encrypts the communication between client and server. To do that you issue various certificates, but honestly I had no idea at all which certificate is used how. So this time I want to go back over the roles of the certificates when building a client and server with openVPN.

My past articles: basic client, site to site routeing. The article I always refer to: qiita. Let's follow it.

Setting up the certificate authority (CA)

It seems to start from here:

```
$ ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: path/to/easy-rsa/easyrsa3/pki
```

Generating the CA certificate

```
$ ./easyrsa build-ca
```

You are asked for a passphrase. At this point the CA's private key and public key have already been generated.

Generating the server certificate

```
$ ./easyrsa build-server-full server nopass
```

Here you enter again the passphrase you set when generating the CA certificate, so this is presumably where the server's public key gets signed (the CSR step is done for you). nopass means the server's own private key is stored without a passphrase.

Generating the DH key

I did not quite get why a DH key is generated here?? Isn't the DH key in TLS supposed to be different every time?? I see: I asked chatGPT, so I am not sure it is right, but what is generated at this stage is only the DH parameters (the prime and the generator). That makes sense. In other words, it generates the p and g of

y = g ^ x mod p

and the server and client each pick their own x at random. Now I fully get it. By the way, you can also use ecdh for the key exchange.

Generating the certificate revocation list (note that the page I was referring to had this wrong):

```
$ ./easyrsa gen-crl
```

This too is signed with the CA's private key.

Generating the client private key

```
$ cd easy-rsa/easyrsa3
$ ./easyrsa build-client-full username
```

Right, this is where the client's certificate and private key are generated. Since the certificate has to be certified by the CA, you enter the passphrase once more.
...
I want to be a TLS cipher master too!
Prerequisites

In TLS, a key exchange algorithm is used to exchange the values that become the material of the shared key, a shared key is generated, and that key is used to encrypt the communication. The cryptography used for key agreement is called public-key cryptography, while the shared key is used with symmetric-key cryptography.

Public-key cryptography

- RSA
- DH
- ECDH
- DHE = DH ephemeral
- ECDHE = ECDH ephemeral

DH and ECDH rely on the discrete logarithm problem: with

g^x mod p = y

given y, p and g, you cannot recover x.

Symmetric-key cryptography

- RC4 (compromised)
- DES (compromised)
- 3DES: borderline
- ChaCha20
- AES: the most widely used, and safe
- RC4 = stream cipher
- AES = block cipher

Hash functions

- MD5
- SHA-1
- SHA-2
- SHA-3

About TLS cipher suites

OK, from here on I am saying the important stuff: the flow up to the point where communication is encrypted with TLS.

1. TLS handshake
2. The actual TLS communication starts

So, what does the TLS handshake decide? It decides the following:

- key exchange algorithm
- signature algorithm
- encryption algorithm
- cipher mode of operation
- hash function

The key exchange algorithms are the ones written above: RSA, ECDHE and DHE. For the signature algorithm, RSA/ECDHE can be specified, but this depends on the kind of key in the server certificate that was issued. This is very important. Actually, what the key exchange algorithm generates is additionally encrypted with the server certificate's private key and decrypted with its public key, and that is how authenticity is confirmed. This is what I wanted to know. Really important.

What I want to remember is that with RSA key exchange there is no signature. Why? Because the certificate's public key is used to encrypt the pre-master secret generated by the client, and it is decrypted with the private key. With ECDHE, a public key is generated every time, and to prove the legitimacy of that public key it is signed with the private key and verified with the public key.

With RSA key exchange you have to communicate with the same public/private key pair every time, pre-master secret included. So, as in the Snowden affair, someone could keep storing the encrypted traffic, somehow obtain the private key later, recover the pre-master secret and then the contents of that communication. That is what is called lacking forward secrecy. By contrast, ECDHE and DHE generate a private key and public key on every single exchange. That is simply it. But the private key can be guessed from the public key if you try hard for a few years, right? So I thought there is no forward secrecy either, but when I asked chatGPT, this is what came back.

Q. The discrete logarithm problem can be solved given enough time. In principle it is possible to derive the private key from the public key used in each session. Now suppose someone keeps the public key of every session and all of the encrypted communication. Then, given enough time, I think they could decrypt the ciphertext. Is that right?
...
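The five choices the handshake makes are encoded in the cipher suite name, so here is an added example (my own code, not from the post) that splits OpenSSL-style names into key exchange, authentication (RSA or ECDSA, following the certificate key as the post says), cipher, mode and hash, flags which suites give forward secrecy (ephemeral ECDHE/DHE, and every TLS 1.3 suite), and builds a client context with Python's standard `ssl` module that refuses RSA key transport and CBC suites. The suite names fed to the parser are ordinary OpenSSL names; the restricted cipher string is my choice, not something the post prescribes.

```python
import ssl


def parse_suite_name(name):
    """Break an OpenSSL cipher-suite name into the five handshake choices.
    Returns a dict with kex, auth, cipher, mode, hash and forward_secrecy."""
    if name.startswith("TLS_"):
        # TLS 1.3 names carry only the AEAD cipher and hash; the key exchange is
        # always an ephemeral (EC)DHE group and authentication comes from the
        # certificate's signature algorithm, both negotiated separately.
        body = name[4:].split("_")           # ['AES','256','GCM','SHA384'] or ['CHACHA20','POLY1305','SHA256']
        if body[-2] == "8":                  # TLS_AES_128_CCM_8_SHA256: 8-byte tag variant
            body = body[:-3] + ["CCM_8", body[-1]]
        return {"kex": "ECDHE/DHE", "auth": "certificate", "cipher": "".join(body[:-2]),
                "mode": body[-2], "hash": body[-1], "forward_secrecy": True}
    parts = name.split("-")
    kex = auth = "RSA"                       # bare names such as AES128-GCM-SHA256 mean RSA key transport
    if parts[0] in ("ECDHE", "DHE", "ECDH", "DH"):
        kex, auth = parts[0], parts[1]       # auth is RSA or ECDSA, whatever the certificate key is
        parts = parts[2:]
    if parts[-1].startswith("SHA") or parts[-1] == "MD5":
        hash_ = parts.pop()                  # bare "SHA" means SHA-1
    else:
        hash_ = "SHA256"                     # CHACHA20-POLY1305 suites use SHA256 in the PRF
    mode = parts.pop() if len(parts) > 1 else "CBC"   # GCM/POLY1305/CCM; no mode token means CBC
    return {"kex": kex, "auth": auth, "cipher": "-".join(parts), "mode": mode, "hash": hash_,
            "forward_secrecy": kex in ("ECDHE", "DHE")}


def strict_client_context():
    """Client context that only allows ephemeral key exchange with AEAD ciphers,
    so every TLS 1.2 handshake has forward secrecy and no CBC suite is offered."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def forward_secret_names(ctx):
    return [c["name"] for c in ctx.get_ciphers() if parse_suite_name(c["name"])["forward_secrecy"]]


def non_forward_secret_names(ctx):
    return [c["name"] for c in ctx.get_ciphers() if not parse_suite_name(c["name"])["forward_secrecy"]]


if __name__ == "__main__":
    for n in ("ECDHE-RSA-AES256-GCM-SHA384", "AES128-GCM-SHA256",
              "DHE-RSA-AES256-SHA", "TLS_AES_256_GCM_SHA384"):
        print(n, "->", parse_suite_name(n))
    ctx = strict_client_context()
    print("offered:", forward_secret_names(ctx))
    print("without forward secrecy:", non_forward_secret_names(ctx))
```

`get_ciphers()` returns the suites the context will offer, in priority order, so the same two helpers run against `ssl.create_default_context()` without the `set_ciphers` call show which default suites would still allow the store-now-decrypt-later scenario the post describes.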
Monitor nginx perfectly using Mtail and friends
What I want to do

1. Spread echo servers across k8s.
2. Set up a proxy server (nginx) so that load can be balanced across the providers.
3. Use Mtail to collect nginx's logs, convert them to prometheus format, scrape them with telegraf and send them to influx DB (can tags be attached at that point?).
4. Monitor nginx with Cloudprober: cloudprober -> convert to prometheus -> scrape with telegraf and send to influx DB (not sure whether tags can be attached).

And the idea is to do all of the above with ansible. Isn't this a bit much?? Honestly, k8s is not required. If it looks like it will take time, it is perfectly fine to first write a simple echo-server in go or so and get item 1 done. The goal this time is, after all, to do nginx monitoring thoroughly. That said, I do want to try monitoring k8s a little; it apparently exports in prometheus format from the start, which makes it interesting. However, because k8s by its nature deploys containers, you have to decide where the containers come from. If they contain information you do not want leaked, there is no option but to set up a private registry; otherwise docker hub is fine.
How to mysqldump periodically with cron and send it to a backup server periodically (the backup box comes and fetches it)
Background

I run a service with Mysql as its database. But right now no backup of Mysql is taken, so if the original data disappears, all the data is gone. So I want to make a cron job that runs mysql_dump on the source server every day at a specified time and has the backup server fetch the data from the source server. One caveat: the production server is on the global network and the backup box is on the local network, so you cannot push from global to local (it would work with a vpn or the like, but that is a hassle), which is why the backup server runs scp from cron and periodically goes and fetches it.

AC

Every day, the mysqldump file taken from the source server ends up placed on the backup server.

Related technology

cron

Reference: the configuration file is /var/spool/cron/crontabs/<user name>. To configure cron for the root user, open it with

```
sudo vim /var/spool/cron/crontabs/root
```

In this file you specify the job to run and when to run it (an interval can be given):

```
0 * * * * /home/backup.sh
```

What the five * fields mean: "minute hour day month weekday". Something that is easy to forget: the shell script often fails because its permissions lack execute, so watch out for that (the /home/backup.sh above).

About logs (ubuntu)

By default no log is written. Following this reference, change the configuration so that logs are written:

```
vi /etc/rsyslog.d/50-default.conf
# uncomment this line
cron.* /var/log/cron.log
# restart
service rsyslog restart
```

mysqldump

Reference: here. According to it, dumping a database owned by a particular user goes like this:

```
mysqldump -u hoge -p -B some_database > database.sql
```

Automating the password entry as well looks like this:

```
0 21 * * * mysqldump -u hogehoge --password="hogehoge" --no-tablespaces DB_NAME > /hoge/database.sql
```

A cron job that fetches it over SCP every day at 21:01, and on top of that loads it into the db, would be ideal.

First, register a key on the remote server so that scp does not ask for a password:

```
sudo vim /etc/ssh/sshd_config
# uncomment the following
PubkeyAuthentication yes
```

Generate a private and public key with ssh-keygen. The point is not to set a passphrase.
...
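The crontab line above puts the database password on the command line, where any local user can read it from `ps` or /proc while the dump runs, and into the crontab file itself. As an added example (my own code, not from the post), here is how the same job can be assembled without that: the credentials go into a MySQL option file created with mode 0600, mysqldump reads it via `--defaults-extra-file` (which must be its first option), each dump gets a timestamped name so a bad night does not overwrite the only good copy, and a small retention helper picks the old files to delete. The user name, password, database name and file names are constructed for the example; the timestamp is fixed so the output is reproducible.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone

# Constructed timestamp used by demo(); the real cron job would use datetime.now(timezone.utc)
EXAMPLE_TIME = datetime(2024, 11, 1, 21, 0, tzinfo=timezone.utc)


def write_defaults_file(user, password, directory):
    """Write a MySQL option file that only the owner can read, so the password
    is neither in the crontab nor visible to other users in `ps` output."""
    path = os.path.join(directory, "backup.cnf")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"[client]\nuser={user}\npassword={password}\n")
    return path


def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def dump_filename(db, when):
    """Timestamped name, so each day's dump is kept instead of overwritten."""
    return f"{db}-{when.strftime('%Y%m%dT%H%M%SZ')}.sql"


def build_dump_command(db, defaults_file, out_path):
    """argv for mysqldump; --defaults-extra-file has to be the first option."""
    return [
        "mysqldump",
        f"--defaults-extra-file={defaults_file}",
        "--no-tablespaces",
        "--single-transaction",        # consistent InnoDB snapshot without locking tables
        "--databases", db,
        f"--result-file={out_path}",   # no shell redirection needed in the crontab
    ]


def prune_old_dumps(filenames, keep):
    """Names sort chronologically thanks to the timestamp; return those to delete."""
    ordered = sorted(filenames)
    if keep >= len(ordered):
        return []
    return ordered[:len(ordered) - keep]


def demo():
    """Build everything in a scratch directory and return what the cron job would see."""
    scratch = tempfile.mkdtemp(prefix="mysqldump-example-")
    cnf = write_defaults_file("backupuser", "s3cret-constructed", scratch)   # constructed credentials
    name = dump_filename("some_database", EXAMPLE_TIME)
    cmd = build_dump_command("some_database", cnf, os.path.join(scratch, name))
    existing = ["some_database-20241029T210000Z.sql", "some_database-20241030T210000Z.sql",
                "some_database-20241031T210000Z.sql", name]       # constructed directory listing
    return {"cnf_mode": file_mode(cnf), "command": cmd, "filename": name,
            "to_delete": prune_old_dumps(existing, keep=3)}


if __name__ == "__main__":
    r = demo()
    print(oct(r["cnf_mode"]), r["filename"])
    print(" ".join(r["command"]))
    print("would delete:", r["to_delete"])
```

The script that cron calls still needs the execute bit the post warns about, and the backup box that fetches over scp only needs read access to the dump directory, not to the option file.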