Notes VIO VMware Integrated OpenStack k8s

Useful kubernetes commands for VIO

List all pods in all namespaces

kubectl get pods --all-namespaces

To list the logs of a pod, here neutron-dhcp-agent-default-2s4z9 in the openstack namespace:

kubectl logs --namespace=openstack neutron-dhcp-agent-default-2s4z9 --all-containers

A shell on a pod

kubectl exec -it --namespace=openstack neutron-dhcp-agent-default-2s4z9 -- /bin/bash

Run a command on a pod without opening a shell on it:

kubectl exec --namespace=openstack neutron-dhcp-agent-default-2s4z9 -- ls

Administration

Password / secret

$ kubectl -n openstack get secrets managedpasswords -o yaml |grep sql_root_password
sql_root_password: ejdKNjk1anNqcXR0bDd2a2c3NDVnaHduMnhteDVtNno=
 
$ echo ejdKNjk1anNqcXR0bDd2a2c3NDVnaHduMnhteDVtNno= |base64 -d    # -d with GNU coreutils, -D on macOS
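Added example, not from the original notes: two small sh helpers that read the YAML of `kubectl -n openstack get secret managedpasswords -o yaml` from stdin, list the key names (safe to paste into a ticket or a log) and decode one key, so the base64 value never goes through the shell history the way the echo above does. The sample Secret and the helper names are my own. The values are base64-encoded, not encrypted: any account whose RBAC allows `get secrets` in the openstack namespace (check with `kubectl auth can-i get secrets -n openstack`) can read every password in it.

```shell
#!/bin/sh
# Added example (not from the original notes): read keys of a Kubernetes
# Secret from its YAML on stdin. Helper names are my own; the sample is constructed.

# secret_keys < secret.yaml -> key names under "data:" (no values, safe to log)
secret_keys() {
    awk '/^data:/   { in_data = 1; next }
         /^[^ ]/    { in_data = 0 }
         in_data && /^  [^ ]+: / { sub(":", "", $1); print $1 }'
}

# secret_value KEY < secret.yaml -> decoded value of KEY and nothing else
# (base64 -d on GNU coreutils; macOS spells it -D)
secret_value() {
    awk -v key="$1" '/^data:/ { in_data = 1; next }
                     /^[^ ]/  { in_data = 0 }
                     in_data && $1 == (key ":") { print $2; exit }' | base64 -d
}

# Constructed sample in the shape of
#   kubectl -n openstack get secret managedpasswords -o yaml
# (values are base64 of "constructed-rabbit" and "constructed-sql-root")
SAMPLE_SECRET='apiVersion: v1
kind: Secret
metadata:
  name: managedpasswords
  namespace: openstack
type: Opaque
data:
  rabbitmq_password: Y29uc3RydWN0ZWQtcmFiYml0
  sql_root_password: Y29uc3RydWN0ZWQtc3FsLXJvb3Q='

# demo -> lists the keys of the sample, then decodes one of them.
# On a cluster:
#   kubectl -n openstack get secret managedpasswords -o yaml | secret_value sql_root_password
demo() {
    printf '%s\n' "$SAMPLE_SECRET" | secret_keys
    printf '%s\n' "$SAMPLE_SECRET" | secret_value sql_root_password
    echo
}
```

Assign the decoded value to a variable (`DB_ROOT=$(kubectl -n openstack get secret managedpasswords -o yaml | secret_value sql_root_password)`) rather than printing it, so it does not land in the terminal scrollback either.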
Aliases
alias osapply='osctl apply'
alias osctl='kubectl -n openstack'
alias osctlw='osctl --watch'
alias osdel='osctl delete'
alias osedit='osctl edit'
alias osget='osctl get'
alias oslog='osctl logs'
alias pods='kubectl get pods --all-namespaces --watch'

Example commands

viocli get deployment
kubectl -n openstack get pods
kubectl -n openstack get pods -o wide
osctl get pods
osctl get nodes -o wide
kubectl get svc
 
osctl describe pod mariadb-server-1
 
journalctl -u docker.service -u kubelet.service --no-pager -f
 
helm list
helm list -a
helm list xa
 
oslog mariadb-server-1
 
ovfenv
timedatectl

Other

https://journaldunadminlinux.fr/tutoriel-installez-facilement-un-cluster-kubernetes-sous-debian-ou-centos/

kubeadm config images pull --v=5
#kubeadm reset
kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=192.168.56.21
kubectl get daemonsets --all-namespaces
kubectl describe ds
kubectl describe ds --all-namespaces
kubectl get events
kubectl get events --all-namespaces
kubectl cordon node-plop
kubectl drain node-plop --ignore-daemonsets --delete-local-data
kubectl delete node node-plop
kubectl -n openstack delete machine node-plop
viossh ()
{
    ssh -i /root/.ssh/vsphere_tmp vioadmin@$(kubectl get nodes -o jsonpath='{.status.addresses[?(@.type=="ExternalIP")].address}' $1)
}

Get a Shell to a Running Container

See https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/

To open a shell when a Pod has more than one container, use --container or -c:

kubectl -n namespace exec -it my-pod --container main-app -- /bin/bash

List all containers of a pod

kubectl -n openstack describe pod/vioadmin1-vioshim-7b6dc9f947-297lg 
 
kubectl -n openstack get pods vioadmin1-vioshim-7b6dc9f947-297lg -o jsonpath='{.spec.containers[*].name}'

OpenStack VIO k8s - Troubleshooting

Troubleshooting VIO 6.0

==============================
Troubleshooting progression:
------------------------------
a- services running on Photon OS:
	If you encounter a problem running an application or appliance on Photon OS and you suspect it involves the operating system, you can troubleshoot by proceeding as follows.
	1- Check the services running on Photon OS: systemctl status or systemctl --failed
	2- Check the jobs: osctl get job
	3- Check the operating system log files (/var/log and /):
		journalctl
		...
		Next, run the following command to view all services in the order in which they were started:
		systemd-analyze critical-chain
		Use the troubleshooting tool that you think is most likely to help with the issue at hand. For example, use strace to identify the location of the failure.


b- VIO 6.0 deployment ready:
		root@vio-mgt [ ~ ]# viocli get deployment
		PUBLIC VIP     PRIVATE VIP    HIGH AVAILABILITY
		172.18.21.53   172.18.51.89   Enabled
		NODE NAME                     ROLE         VALIDATION   STATUS    IP
		controller-cwpxtjf97w         Controller   Success      Running   172.18.51.62
		controller-h5dddpj668         Controller   Success      Running   172.18.51.61
		controller-l2c8fpsd8g         Controller   Success      Running   172.18.51.63
		vio-mgt.etudes.acme.local   Manager      Success      Running   172.18.51.60
		SERVICE        CONTROLLER                       READY   FAILURES
		barbican       barbican-api                      2/2       -
					   barbican-ks-listener              2/2       -
					   barbican-worker                   2/2       -
		cinder         cinder-api                        2/2       -
					   cinder-scheduler                  2/2       -
					   cinder-volume                     2/2       -
		glance         glance-api                        1/1       -
					   glance-vmw-replicator             1/1       -
		heat           heat-api                          2/2       -
					   heat-cfn                          2/2       -
					   heat-engine                       2/2       -
		horizon        horizon                           2/2       -
		ingress        ingress                           2/2       -
					   ingress-error-pages               1/1       -
		keystone       keystone-api                      2/2       -
		mariadb        mariadb-server                    3/3       -
					   mariadb-ingress                   2/2       -
					   mariadb-ingress-error-pages       2/2       -
					   mariadb1-etcd                     3/3       -
		memcached      memcached1-memcached              1/1       -
					   memcached1-memcached-secondary    1/1       -
		neutron        neutron-dhcp-agent-default        3/3       -
					   neutron-metadata-agent-default    3/3       -
					   neutron-server                    2/2       -
		nova           nova-api-metadata                 2/2       -
					   nova-api-osapi                    2/2       -
					   nova-conductor                    2/2       -
					   nova-consoleauth                  1/1       -
					   nova-mksproxy                     1/1       -
					   nova-placement-api                2/2       -
					   nova-scheduler                    2/2       -
		nova-compute   compute-b78814fd-c34-compute      1/1       -
		openvswitch    openvswitch-db                    3/3       -
					   openvswitch-vswitchd              3/3       -
		rabbitmq       rabbitmq1-rabbitmq                3/3       -
		vioshim        vioadmin1-vioshim                 1/1       -
		vioutils       node-config-manager               3/3       -
		OpenStack Deployment State: RUNNING
			
			
			
c- check the openstack-control-plane controllers running on Photon OS and that their status is Ready:

		root@vio-mgt [ ~ ]# kubectl get nodes
		NAME                          STATUS   ROLES                     AGE     VERSION
		controller-cwpxtjf97w         Ready    openstack-control-plane   6d19h   v1.14.1
		controller-h5dddpj668         Ready    openstack-control-plane   6d19h   v1.14.1
		controller-l2c8fpsd8g         Ready    openstack-control-plane   6d19h   v1.14.1
		vio-mgt.etudes.acme.local   Ready    master                    6d19h   v1.14.1
		
		root@vio-mgt [ ~ ]# kubectl get deployments
		NAME                                             READY   UP-TO-DATE   AVAILABLE   AGE
		vio-docker-registry                              1/1     1            1           6d20h
		vio-helm-repo                                    1/1     1            1           6d20h
		vio-ingress-cntl-nginx-ingress-controller        1/1     1            1           6d20h
		vio-ingress-cntl-nginx-ingress-default-backend   1/1     1            1           6d20h
		vio-webui                                        1/1     1            1           6d20h
		
		root@vio-mgt [ ~ ]# kubectl get pods
			NAME                                                              READY   STATUS    RESTARTS   AGE
			vio-docker-registry-ca-2vz8c                                      	1/1     Running   0          6d19h
			vio-docker-registry-ca-5hqxb                                      	1/1     Running   0          6d19h
			vio-docker-registry-ca-c9msq                                      	1/1     Running   0          6d19h
			vio-docker-registry-ca-jl7t4                                      	1/1     Running   0          6d20h
			vio-docker-registry-ddf5c8fc6-k5c7h                               	1/1     Running   0          6d20h
			vio-helm-repo-647784c488-xmshc										1/1     Running   0          6d20h
			vio-ingress-cntl-nginx-ingress-controller-7969c994b-824wx			1/1     Running   0          6d20h
			vio-ingress-cntl-nginx-ingress-default-backend-84ff56ff69-87pmp   	1/1     Running   0          6d20h
			vio-webui-5fbd4b7589-9b5ns                                        	1/1     Running   0          6d20h
			vio-webui-auth-proxy-0												1/1     Running   0          6d20h
		
		for a given service, e.g. glance:
		root@vio-mgt [ ~ ]# kubectl -n openstack get pods |grep glance
			glance-api-79d574b8b8-5l6nh                                       2/2     Running     0          4h53m
			glance-bootstrap-ncln7                                            0/1     Completed   0          4h53m
			glance-db-init-x7cj9                                              0/1     Completed   0          4h53m
			glance-db-sync-tqdv7                                              0/1     Completed   0          4h53m
			glance-ks-endpoints-ljbx7                                         0/3     Completed   0          4h53m
			glance-ks-service-9lhxq                                           0/1     Completed   0          4h53m
			glance-ks-user-ljfm9                                              0/1     Completed   0          4h53m
			glance-metadefs-gfwtv                                             0/1     Completed   0          4h53m
			glance-rabbit-init-ttwcx                                          0/1     Completed   0          4h53m
			glance-storage-init-twtc2                                         0/1     Completed   0          4h53m
			glance-vmw-replicator-859f8fd458-dkmrp                            1/1     Running     0          4h53m
			helm-glance-glance1-bfcqq5gj6m-77cgr                              0/1     Completed   0          4h54m
			valid-glance-glance1-drstn2qx47-2wtzp 

		Search for "Error" among the pods:
		root@vio-mgt [ ~ ]# kubectl -n openstack get pods | grep  "Error"
		
		Find the Glance datastores:
		kubectl -n openstack get glances.vio.vmware.com glance1 -o yaml | grep -i datastore	

		View the logs of glance-api and glance-vmw-replicator:
		kubectl logs -n openstack glance-api-79d574b8b8-5l6nh glance-api -f
		kubectl logs -n openstack  glance-vmw-replicator-859f8fd458-dkmrp  glance-vmw-replicator -f
ovfenv > ovfenv.txt
kubectl get pods -A -o wide > pods.txt
journalctl -u kubelet > kubelet.txt
journalctl -u docker > docker.txt
viocli generate supportbundle

Problems

OpenStack VIO - Network problem - Neutron - Init ImagePullBackOff
$ openstack image list
+--------------------------------------+------------+--------+
| ID                                   | Name       | Status |
+--------------------------------------+------------+--------+
| f423c7c6-17b4-4420-938b-cff43ab2a6bd | Debian-9.3 | active |
| f8029b36-ce50-4511-8087-efeaf0fdde7a | Debian-9.8 | active |
| 3e787c71-acda-4b7e-8df1-b988823204ac | MEM        | active |
| 0bd6f7de-6da0-4f4e-b81f-f42c0aae2c58 | Photon 3.0 | active |
| 2198532e-84b2-41d0-8d75-0d560f4ac122 | SWF63-V2   | active |
| 46584f47-9fa0-4963-b711-83fd429eec17 | SWF69-V6   | active |
| 1c03e029-d7be-466c-bfb2-fbcb03037af1 | SWF71-V1   | active |
| 140e4ea5-1d72-4884-a4c1-a477ac06c317 | SWF79-V3   | active |
| d4343c41-bfa9-49d8-a4e9-f19bb6d91cd0 | SWF83-V2   | active |
| 7f0008dc-69a9-46c9-aa88-f51a6ec08f67 | SWF89-V1   | active |
| 64977fc8-1f1b-4d31-b395-00978827c7c0 | SWF90-V4   | active |
| 7bf26ab2-09fc-495d-be1e-810cbc1c72e6 | Win-2-NoOk | active |
| 2bb95302-b32f-49a7-b677-3962cf5f648f | Win-NoOk   | active |
| dbdd23d1-1706-45fe-9c4b-8bda84017c98 | Win_1-NoOk | active |
+--------------------------------------+------------+--------+
$ openstack image list
Internal Server Error (HTTP 500)

root@vio-mgt [ ~ ]# viocli get deployment 
neutron        neutron-dhcp-agent-default        2/3       -
               neutron-metadata-agent-default    2/3       -
OpenStack Deployment State: DEGRADED

root@vio-mgt [ ~ ]# reboot

root@vio-mgt [ ~ ]# viocli get deployment 
neutron        neutron-dhcp-agent-default        2/3       -
               neutron-metadata-agent-default    2/3       -
vioshim        vioadmin1-vioshim                 0/1       -
OpenStack Deployment State: OUTAGE

root@vio-mgt [ ~ ]# kubectl get pods --all-namespaces |egrep -v "Completed|Running"
NAMESPACE            NAME                                                              READY   STATUS                  RESTARTS   AGE
kube-system          weave-net-9rwmg                                                   0/2     ErrImageNeverPull       0          94m
openstack            cinder-scheduler-d8578f6d-vjm5s                                   0/1     Evicted                 0          2d20h
openstack            cinder-volume-usage-audit-1585307400-xdn86                        0/1     Init:0/1                0          95m
openstack            compute-b78814fd-c34-compute-0                                    1/2     CrashLoopBackOff        21         2d19h
openstack            glance-api-7fd496db87-czf2g                                       0/2     Evicted                 0          2d20h
openstack            glance-api-7fd496db87-f5mkp                                       0/2     Evicted                 0          2d20h
openstack            heat-api-84f4fc7666-8btcb                                         0/2     Evicted                 0          2d20h
openstack            heat-engine-cleaner-1585307400-mkkqw                              0/1     Init:0/1                0          95m
openstack            horizon-55868f757f-4p44w                                          0/1     Evicted                 0          2d20h
openstack            ingress-78c67ccdcf-2f967                                          0/3     Evicted                 0          2d20h
openstack            keystone-api-ddf57bdc9-gpzsl                                      0/1     Evicted                 0          2d18h
openstack            keystone-fernet-rotate-1585310400-vd27t                           0/1     Init:0/1                0          45m
openstack            mariadb-server-1                                                  0/1     Init:0/2                0          106m
openstack            neutron-dhcp-agent-default-cm5pd                                  0/1     Init:ImagePullBackOff   0          96m
openstack            neutron-metadata-agent-default-pw2hl                              0/1     Init:ImagePullBackOff   0          95m
openstack            neutron-server-7744c854c9-lpl2d                                   0/2     Evicted                 0          2d20h
openstack            nova-api-osapi-784846d95c-64vv4                                   0/2     Evicted                 0          2d20h
openstack            nova-cell-setup-1585310400-94jjg                                  0/1     Init:0/1                0          45m
openstack            nova-scheduler-66d85c789c-tmgj5                                   0/1     Evicted                 0          2d20h
root@vio-mgt [ ~ ]# 

# kubectl logs -n openstack neutron-dhcp-agent-default-cm5pd neutron-dhcp-agent-default -f
Error from server (BadRequest): container "neutron-dhcp-agent-default" in pod "neutron-dhcp-agent-default-cm5pd" is waiting to start: PodInitializing

root@vio-mgt [ ~ ]# kubectl get pods -n openstack  |egrep "neutron-dhcp-agent-default|neutron-metadata-agent-default"
neutron-dhcp-agent-default-4rl9l                                  1/1     Running                 0          2d20h
neutron-dhcp-agent-default-7xhds                                  1/1     Running                 0          2d20h
neutron-dhcp-agent-default-cm5pd                                  0/1     Init:ImagePullBackOff   0          123m
neutron-metadata-agent-default-hxd2s                              1/1     Running                 0          2d20h
neutron-metadata-agent-default-pw2hl                              0/1     Init:ImagePullBackOff   0          121m
neutron-metadata-agent-default-vmls5                              1/1     Running                 0          2d20h

Resolution?

You can delete the weave pod and the pod might be able to pull the image.
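Added example, not part of the original notes: a POSIX sh triage helper for the `kubectl get pods -A` listing used in the troubleshooting progression above and in this ImagePullBackOff case. `failing_pods` keeps only the pods that are neither Running nor Completed (the egrep above) and `classify_status` maps each STATUS to a likely cause and the next kubectl command to run. The sample listing is constructed from the output above; the function names and categories are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): triage helpers for a
# "kubectl get pods -A" listing. Function names and categories are my own.

# classify_status STATUS -> "<category>: <next step>"
classify_status() {
    case "$1" in
        Running|Completed|Succeeded)
            echo "ok" ;;
        *ImagePullBackOff|*ErrImagePull|*ErrImageNeverPull)
            echo "image: image cannot be pulled, check the image name, the registry and the node pull policy (kubectl describe pod)" ;;
        *CrashLoopBackOff|Error)
            echo "crash: container keeps dying, read its previous log (kubectl logs --previous)" ;;
        Init:*)
            echo "init: an init container has not finished (kubectl logs <pod> -c <init-container>)" ;;
        Evicted)
            echo "evicted: node pressure at the time, can be deleted once the node is healthy (kubectl describe pod for the reason)" ;;
        Pending|ContainerCreating)
            echo "pending: not scheduled or waiting for a volume/network (kubectl get events)" ;;
        *)
            echo "unknown: kubectl describe pod" ;;
    esac
}

# failing_pods < listing -> "NAMESPACE NAME STATUS category: next step" per unhealthy pod.
# Expects the "kubectl get pods -A" columns: NAMESPACE NAME READY STATUS RESTARTS AGE.
failing_pods() {
    awk 'NR > 1 && $4 != "Running" && $4 != "Completed" { print $1, $2, $4 }' |
    while read -r ns name status; do
        printf '%s %s %s %s\n' "$ns" "$name" "$status" "$(classify_status "$status")"
    done
}

# count_failing < listing -> number of unhealthy pods
count_failing() {
    failing_pods | wc -l | tr -d ' '
}

# Constructed sample, trimmed from the listing in the notes above
SAMPLE_LISTING='NAMESPACE     NAME                               READY   STATUS                  RESTARTS   AGE
kube-system   weave-net-9rwmg                    0/2     ErrImageNeverPull       0          94m
openstack     cinder-scheduler-d8578f6d-vjm5s    0/1     Evicted                 0          2d20h
openstack     compute-b78814fd-c34-compute-0     1/2     CrashLoopBackOff        21         2d19h
openstack     glance-db-init-x7cj9               0/1     Completed               0          4h53m
openstack     mariadb-server-1                   0/1     Init:0/2                0          106m
openstack     neutron-dhcp-agent-default-4rl9l   1/1     Running                 0          2d20h
openstack     neutron-dhcp-agent-default-cm5pd   0/1     Init:ImagePullBackOff   0          96m'

# demo -> runs the triage over the constructed sample
# (on a real cluster: kubectl get pods -A | failing_pods)
demo() {
    printf '%s\n' "$SAMPLE_LISTING" | failing_pods
}
```

On the listing above this flags the two Init:ImagePullBackOff neutron agents and the weave-net ErrImageNeverPull pod in the same "image" bucket, which is the link between the kube-system CNI pod and the openstack symptom.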
2025/03/24 15:06

Notes diff

See:

  • tardiff / pkgdiff
  • patch
  • kdiff3 / kdiff3-qt
  • git diff / git difftool

List of diffing tools:

  • opendiff
  • kdiff3
  • tkdiff
  • xxdiff
  • meld
  • kompare
  • gvimdiff
  • diffuse
  • diffmerge
  • ecmerge
  • p4merge
  • araxis
  • bc3
  • codecompare
  • emerge
  • vimdiff
  • imediff

And also

  • diff
  • sdiff
  • jsondiff
git difftool --tool-help

diff

       -w, --ignore-all-space
              ignore all white space

       -B, --ignore-blank-lines
              ignore changes where lines are all blank
diff -w -B /etc/hosts.bak /etc/hosts
diff -y --width=160 fic1 fic2

Notes vimdiff

Installation

apt-get update && apt-get install vim

Syntax

vimdiff fichier1.txt fichier2.txt

FIXME: example with Git, kdiff3 links

do - Get changes from other window into the current window.

dp - Put the changes from current window into the other window.

]c - Jump to the next change.

[c - Jump to the previous change.

Ctrl W + Ctrl W - Switch window

Ctrl w + [Right arrow] - Go to the window on the right

Ctrl w + [Left arrow] - Go to the window on the left

Hex

See also:

  • hexadiff
colordiff -y <(xxd debian-10.3.0-amd64-netinst.iso |head -10000) <(xxd debian-10.3.0-amd64-netinst-uefi.iso |head -10000) |more

Notes vim

Modeline magic

# vim: ai:ts=4:sw=4
# vim: enc=utf-8:nu:ai:si:et:ts=4:sw=4:ft=xdefaults:
# vim: set ai et sts=2 sw=2 tw=80:
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
# YAML
# .. vim: foldmarker=[[[,]]]:foldmethod=marker

vimrc

set modeline
set modelines=5

vimrc

filetype plugin indent on
" show existing tab with 4 spaces width
set tabstop=4
" when indenting with '>', use 4 spaces width
set shiftwidth=4
" On pressing tab, insert 4 spaces
set expandtab

Other

Debian is installed by default with a stripped-down vim, apt:vim-tiny

To install the real apt:vim

apt-get update && apt-get install vim

Start the VIM tutorial

vimtutor

Open several files at once, side by side as with vimdiff

vim -O fic1.md fic2.md

Open several files at once, stacked one above the other

vim -o fic1.md fic2.md

Vim: delete lines matching a pattern

:g/toto/d
u : Undo (undo a change, "previous edit")
Ctrl-R : Redo (undo the previous undo)

Display non-printable characters

:set list
:set display+=uhex 

Commands, sorting

:%ls
:%!sort -r

See also

Removing a hidden soft hyphen (U+00AD, UTF-8 bytes C2 AD) that the editor does not display:

$ cat hidden.txt
ab
$ wc --char hidden.txt
5
$ sed 's/\o302\xAD//' hidden.txt > fixed.txt
$ wc --char fixed.txt
3

File browser

:Ex 

for ex(ploring) the file directory.

Alternative

sudo update-alternatives --config editor

Insert a special character such as a non-breaking space

Use CTRL + K

Example with a non-breaking space
CTRL + K, <SPACE>, <SPACE>

Problems

Problem on Debian Stretch (Debian 9): copy and paste with the mouse no longer works

Source:

Solution: hold the Shift key down while selecting the text

Or, to get the same behaviour as Debian Jessie:

/usr/share/vim/vim80/defaults.vim
" In many terminal emulators the mouse works just fine.  By enabling it you
" can position the cursor, Visually select and scroll with the mouse.
"if has('mouse')
"  set mouse=a
"endif

Fix with Ansible

- name: bugfix vim
  replace:
    dest: /usr/share/vim/vim80/defaults.vim
    regexp: '^\s+set mouse=a'
    replace: '"  set mouse=a'
  when:
    - ansible_os_family == 'Debian'
    - ansible_distribution_major_version == '9'

Or

echo "set mouse-=a" >> ~/.vimrc

Chroot Linux

See:

Chroot Infinite BusyBox with systemd

libpam-chroot: /lib/security/pam_chroot.so

See fakeroot and friends

  • fakeroot
  • fakeroot-ng
  • proot
  • become-root
  • rootlesskit (Linux-native “fake root” for rootless containers, yet slow)

See also:

  • pivot_root & switch_root
  • Docker
  • bwrap
    • e.g. firejail --dns=8.8.8.8 firefox
  • Procenv

chrootont.sh

CHROOTDIR=/home/chroot

# Directory skeleton (-p creates parents and tolerates re-runs)
mkdir -p ${CHROOTDIR}/{dev,sys,proc,run,etc/init.d,etc/network,etc/default,bin,lib,lib64,usr,var/run,var/log,var/lib,home,tmp,root}

# Kernel virtual filesystems and a fresh tmpfs for /dev
mount -t sysfs /sys ${CHROOTDIR}/sys
mount -t proc proc ${CHROOTDIR}/proc
mount -n -t tmpfs none ${CHROOTDIR}/dev

# /dev is now an empty tmpfs, so create its sub-mounts inside it
mkdir ${CHROOTDIR}/dev/pts
mkdir ${CHROOTDIR}/dev/shm
mount -vt devpts -o gid=4,mode=620 none ${CHROOTDIR}/dev/pts
mount -vt tmpfs none ${CHROOTDIR}/dev/shm

# Minimal set of device nodes (standard Linux major/minor numbers)
mknod -m 622 ${CHROOTDIR}/dev/console c 5 1
mknod -m 666 ${CHROOTDIR}/dev/null c 1 3
mknod -m 666 ${CHROOTDIR}/dev/zero c 1 5
mknod -m 666 ${CHROOTDIR}/dev/ptmx c 5 2
mknod -m 666 ${CHROOTDIR}/dev/tty c 5 0
mknod -m 444 ${CHROOTDIR}/dev/random c 1 8
mknod -m 444 ${CHROOTDIR}/dev/urandom c 1 9
chown root:tty ${CHROOTDIR}/dev/{console,ptmx,tty}
#mknod -m 600 ${CHROOTDIR}/dev/rtc c 254 0

# Name resolution, shell environment and network configuration copied from the host
cp -p /etc/hosts /etc/hostname /etc/resolv.conf /etc/nsswitch.conf /etc/host.conf /etc/gai.conf /etc/profile /etc/environment ${CHROOTDIR}/etc/
touch ${CHROOTDIR}/etc/fstab
cp -p /etc/network/interfaces ${CHROOTDIR}/etc/network
cp -p /etc/default/rsyslog ${CHROOTDIR}/etc/default/
cp -p /etc/default/ssh ${CHROOTDIR}/etc/default/

# Only the accounts the chroot needs
egrep "^root:|^jibe:|^sshd:" /etc/passwd > ${CHROOTDIR}/etc/passwd

chroot ${CHROOTDIR} /bin/bash
# The two /dev sub-mounts can also be done from inside the chroot:
#mount -vt devpts -o gid=4,mode=620 none /dev/pts
#mount -vt tmpfs none /dev/shm

# Binaries to bring into the chroot, each with its libraries (see the bash example below)
exelist='ls mount ps bash dmesg vim tail'

Example with bash

# ldd lists the shared libraries bash needs; each one is copied to the same path inside the chroot
ldd /bin/bash
mkdir -p ${CHROOTDIR}/lib/x86_64-linux-gnu/
cp -p /lib/x86_64-linux-gnu/libncurses.so.5 ${CHROOTDIR}/lib/x86_64-linux-gnu/
cp -p /lib/x86_64-linux-gnu/libtinfo.so.5 ${CHROOTDIR}/lib/x86_64-linux-gnu/
cp -p /lib/x86_64-linux-gnu/libdl.so.2 ${CHROOTDIR}/lib/x86_64-linux-gnu/
cp -p /lib/x86_64-linux-gnu/libc.so.6 ${CHROOTDIR}/lib/x86_64-linux-gnu/
cp -p /lib64/ld-linux-x86-64.so.2 ${CHROOTDIR}/lib64/
cp -p /bin/bash ${CHROOTDIR}/bin/
 
# Authentication (PAM configuration and the NSS module that reads /etc/passwd)
cp -a /etc/pam.* /home/chroot/etc/
cp -a /etc/security /home/chroot/etc/
cp -p /etc/login.defs /home/chroot/etc/
cp -p /etc/securetty /home/chroot/etc/
cp -p /lib/x86_64-linux-gnu/libnss_files.so.2 /home/chroot/lib/x86_64-linux-gnu/libnss_files.so.2
 
# rsyslog (its spool directory must exist inside the chroot)
cp -a /etc/rsyslog.* /home/chroot/etc/
cp -p /etc/init.d/rsyslog /home/chroot/etc/init.d/
mkdir -p /home/chroot/usr/lib
cp -a /usr/lib/rsyslog /home/chroot/usr/lib/
mkdir -p /home/chroot/var/spool/rsyslog
 
# sshd
mkdir -p /home/chroot/usr/sbin
cp -p /usr/sbin/sshd /home/chroot/usr/sbin/
cp -a /etc/ssh/ /home/chroot/etc/
 
# Locale
cp -a /usr/lib/locale /home/chroot/usr/lib/
 
#cp -a /usr/share/zoneinfo /home/chroot/usr/share/
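The manual "ldd then cp each library" sequence above generalises to any binary. The following added example (not part of the original notes) copies a binary plus every library ldd reports into the chroot, mirroring the host paths, so the exelist at the top of chrootont.sh can be installed in one loop. The function names (ldd_paths, install_file, copy_with_deps, populate_chroot) are my own.

```shell
#!/bin/sh
# Added example (not part of the original notes): copy a binary and the
# shared libraries it needs into a chroot, keeping the host's directory
# layout. Function names are my own.

# ldd_paths BINARY -> absolute library paths that ldd reports, one per line.
# Static binaries make ldd exit non-zero ("not a dynamic executable"), which
# simply yields an empty list here.
ldd_paths() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# install_file /abs/path CHROOTDIR -> CHROOTDIR/abs/path (parents created,
# symlinks resolved with -L so the chroot receives the real file)
install_file() {
    mkdir -p "$2$(dirname "$1")"
    cp -L "$1" "$2$1"
}

# copy_with_deps BINARY CHROOTDIR (BINARY may be a bare name looked up in PATH)
copy_with_deps() {
    bin=$1
    case "$bin" in
        /*) ;;
        *)  bin=$(command -v "$bin") || { echo "copy_with_deps: $1 not found" >&2; return 1; } ;;
    esac
    install_file "$bin" "$2"
    ldd_paths "$bin" | while read -r lib; do
        install_file "$lib" "$2"
    done
}

# populate_chroot CHROOTDIR NAME... -> installs every named binary with its libraries
# e.g. populate_chroot /home/chroot ls mount ps bash dmesg vim tail
populate_chroot() {
    root=$1; shift
    for exe in "$@"; do
        copy_with_deps "$exe" "$root"
    done
}
```

Run `populate_chroot "$CHROOTDIR" $exelist` after the skeleton is created; libraries loaded at run time through dlopen (NSS modules such as libnss_files.so.2, PAM modules, terminfo) are not reported by ldd and still have to be copied by hand as in the steps above.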

For top, atop

'xterm': unknown terminal type
cp -a /lib/terminfo /home/chroot/lib/
 
touch ${CHROOTDIR}/var/log/wtmp
touch ${CHROOTDIR}/var/log/auth.log
 
 
touch ${CHROOTDIR}/var/log/messages ${CHROOTDIR}/var/log/syslog ${CHROOTDIR}/var/log/kern.log ${CHROOTDIR}/var/log/daemon.log ${CHROOTDIR}/var/log/lastlog
 
cp -r /etc/skel /home/chroot/home/jibe
 
 
touch /home/chroot/home/jibe/.Xauthority
chown jibe: -R  /home/chroot/home/jibe
 
chroot ${CHROOTDIR} 
 
chmod 1777 /home/chroot/tmp
 
#mkdir -p /var/cache/apt/archives/
 
cp -p /etc/init.d/ssh /home/chroot/etc/init.d/
 
# For init scripts (services)
cp -a /lib/lsb /home/chroot/lib/

Tip?

/etc/passwd

chroot:x:1010:1015:,,,:/home/chroot:/usr/local/bin/chrootshell

/usr/local/bin/chrootshell

#! /bin/bash
 
#exec -c /usr/sbin/chroot /home/$USER /bin/bash
#sudo /usr/sbin/chroot /home/$USER /bin/bash
sudo /usr/sbin/chroot /home/$USER /bin/bash -c "su - jibe"

http://smhteam.info/wiki/index.linux.php5?wiki=ChrooterUnUtilisateur

sudoers entry (it allows /usr/sbin/chroot with any argument, which is equivalent to unrestricted root for that account; pin it to the exact command line that chrootshell runs):

chroot ALL=(root) NOPASSWD: /usr/sbin/chroot

WARNING: big security hole that I cannot explain (maybe related to PAM or systemd): if the user opens a graphical session with the chrooted account, every graphical application escapes the chroot. Despite my kernel being patched with Grsecurity.

mknod -m 666 /home/chroot/dev/tty8 c 4 8

Inside the chroot

/sbin/getty 38400 tty8
umount ${CHROOTDIR}/{dev/pts,dev,sys,proc,run}
umount ${CHROOTDIR}
 
rmdir ${CHROOTDIR}/{dev/pts,dev,sys,proc,run}
rmdir ${CHROOTDIR}
 
umount /chroot/*

How do I know whether I am in a chroot?

Inode numbers can be a hint

ls -id /

See http://stackoverflow.com/questions/75182/detecting-a-chroot-jail-from-within

Firejail

See: https://firejail.wordpress.com/documentation-2/firefox-guide/

firejail --seccomp --debug firefox

Mount kernel virtual file systems

Source: https://git.yoctoproject.org/poky/plain/meta/recipes-core/initscripts/initscripts-1.0/sysfs.sh

sysfs.sh

#!/bin/sh
#
# SPDX-License-Identifier: GPL-2.0-only
#
 
### BEGIN INIT INFO
# Provides:          mountvirtfs
# Required-Start:
# Required-Stop:
# Default-Start:     S
# Default-Stop:
# Short-Description: Mount kernel virtual file systems.
# Description:       Mount initial set of virtual filesystems the kernel
#                    provides and that are required by everything.
### END INIT INFO
 
if [ -e /proc ] && ! [ -e /proc/mounts ]; then
  mount -t proc proc /proc
fi
 
if [ -e /sys ] && grep -q sysfs /proc/filesystems && ! [ -e /sys/class ]; then
  mount -t sysfs sysfs /sys
fi
 
if [ -e /sys/kernel/debug ] && grep -q debugfs /proc/filesystems; then
  mount -t debugfs debugfs /sys/kernel/debug
fi
 
if [ -e /sys/kernel/config ] && grep -q configfs /proc/filesystems; then
  mount -t configfs configfs /sys/kernel/config
fi
 
if [ -e /sys/firmware/efi/efivars ] && grep -q efivarfs /proc/filesystems; then
  mount -t efivarfs efivarfs /sys/firmware/efi/efivars
fi
 
if ! [ -e /dev/zero ] && [ -e /dev ] && grep -q devtmpfs /proc/filesystems; then
  mount -n -t devtmpfs devtmpfs /dev
fi

Problem: /etc/machine-id: No such file or directory

-bash: /etc/machine-id: No such file or directory
-bash: /proc/sys/kernel/random/boot_id: No such file or directory
-bash: /proc/sys/kernel/random/uuid: No such file or directory

Other

chroot --userspec=nobody