Site index, 1 post for April 2026:
| ICMP ping notes | 2026/04/03 23:01 | Jean-Baptiste |
cloud-init notes
See:
See also:
- Tiny Cloud
ubuntu@vm-testjb1:~$ curl 169.254.169.254/1.0/meta-data/public-keys/0/openssh-key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCZQwNs9aV//oN/N/NmbVqL83ahLatiVccLR1w2YEVBGX2fj5ANnj7a7hNk1tyld+CQlP93I6z7CW9bBxUjwwcxYWeVmBVRBLtFnjhN56gL7jGfXy6uwtUAf84tKWRem10tThIZhjWIIMHfDyFT7vVVN/hk9E3tQ7CejHK3NzhBUjDzrQ8yVIRynveNe93KNlCHW8T0rD83vqmEwApep/EuGD4rwb1e4zYAeh0HXVQIQzaoXlz8OwEBgzkvygCRrtUJcn3bQIloBmu2KrDvPskhqgCU4I9sbkN/K9PLn5hJVmhHVT3Prf0eU8hbrzdnfXlczmLbmVYTqUlOIvrvbAT jibe@vmdeb1
ubuntu@vm-testjb1:~$
NOTE: on real AWS with IMDSv2 enforced (HttpTokens=required) this unauthenticated GET is refused; a session token must first be obtained with a PUT on /latest/api/token and sent back in the X-aws-ec2-metadata-token header.
Assorted cloud-config / user-data snippets:

#cloud-config
packages:
  - git-core

#cloud-config
apt_update: true

#! echo "plop" > /plop

environment: "production"
output: {all: '| tee -a /var/log/cloud-init-output.log'}
**************************************************************************
# This system is using the EC2 Metadata Service, but does not appear to
# be running on Amazon EC2 or one of cloud-init's known platforms that
# provide a EC2 Metadata service. In the future, cloud-init may stop
# reading metadata from the EC2 Metadata Service unless the platform can
# be identified.
#
# If you are seeing this message, please file a bug against
# cloud-init at
#    https://bugs.launchpad.net/cloud-init/+filebug?field.tags=dsid
# Make sure to include the cloud provider your instance is
# running on.
#
# For more information see
#   https://bugs.launchpad.net/bugs/1660385
#
# After you have filed a bug, you can disable this warning by
# launching your instance with the cloud-config below, or
# putting that content into
#    /etc/cloud/cloud.cfg.d/99-ec2-datasource.cfg
#
# #cloud-config
# datasource:
#  Ec2:
#   strict_id: false
**************************************************************************

Disable the warnings above by:
  touch /home/ubuntu/.cloud-warnings.skip
or
  touch /var/lib/cloud/instance/warnings/.skip
DRAFT - Connecting to an instance whose private key you do not have
See:
aws --region=eu-central-1 ec2 describe-instances --output=table
my_script.sh
#!/bin/bash
# Add the operator's public key for ec2-user, creating ~/.ssh if the AMI did not.
install -d -m 700 -o ec2-user -g ec2-user /home/ec2-user/.ssh
cat >> /home/ec2-user/.ssh/authorized_keys <<EOF
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCZQwNs9aV//oN/N/NmbVqL83ahLatiVccLR1w2YEVBGX2fj5ANnj7a7hNk1tyld+CQlP93I6z7CW9bBxUjwwcxYWeVmBVRBLtFnjhN56gL7jGfXy6uwtUAf84tKWRem10tThIZhjWIIMHfDyFT7vVVN/hk9E3tQ7CejHK3NzhBUjDzrQ8yVIRynveNe93KNlCHW8T0rD83vqmEwApep/EuGD4rwb1e4zYAeh0HXVQIQzaoXlz8OwEBgzkvygCRrtUJcn3bQIloBmu2KrDvPskhqgCU4I9sbkN/K9PLn5hJVmhHVT3Prf0eU8hbrzdnfXlczmLbmVYTqUlOIvrvbAT jibe@vmdeb1
EOF
chmod 600 /home/ec2-user/.ssh/authorized_keys
chown ec2-user:ec2-user /home/ec2-user/.ssh/authorized_keys
# Comments out the PasswordAuthentication directive; sshd then falls back to its
# built-in default, which is PasswordAuthentication yes.
sed -i 's/^PasswordAuthentication/#&/' /etc/ssh/sshd_config
systemctl restart sshd
base64 my_script.sh > my_script_base64.txt
aws ec2 --region=eu-central-1 modify-instance-attribute --instance-id i-08df328706b9e6d46 --attribute userData --value file://my_script_base64.txt
NOTE: user data can only be modified while the instance is stopped, and cloud-init runs user-data scripts only on the first boot of an instance unless the scripts-user module is configured to run on every boot. Anyone holding ec2:StopInstances, ec2:ModifyInstanceAttribute and ec2:StartInstances can take over an instance this way.
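The procedure above, put together as an added example (this is not code from the original notes): the user data is built as a cloud-init MIME multipart document whose cloud-config part forces the scripts-user module to run on every boot, so the key is installed even though the instance has already booted once, and the apply step stops the instance first because the attribute cannot be changed while it runs. Assumptions: AWS CLI configured for the target account, a cloud-init based AMI, login user ec2-user; the instance id and region on the command line are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): build cloud-init user data that
# appends an SSH public key on every boot, then apply it to a stopped instance.
# Assumptions: AWS CLI configured; the AMI runs cloud-init with the scripts-user
# module (Amazon Linux, Ubuntu, Debian); the login user is ec2-user.
set -euo pipefail

# Emit a MIME multipart user-data document: a cloud-config part that makes
# cloud-init re-run user scripts on every boot (by default they run only on the
# first boot of an instance), and a shell part that installs the key.
build_user_data() {
    local pubkey="$1" user="${2:-ec2-user}"
    cat <<EOF
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
set -e
install -d -m 700 -o ${user} -g ${user} /home/${user}/.ssh
grep -qxF '${pubkey}' /home/${user}/.ssh/authorized_keys 2>/dev/null || \\
    echo '${pubkey}' >> /home/${user}/.ssh/authorized_keys
chmod 600 /home/${user}/.ssh/authorized_keys
chown ${user}:${user} /home/${user}/.ssh/authorized_keys
--//--
EOF
}

# Stop the instance (user data can only be modified while stopped), replace the
# user data, start it again. The new user data stays readable through
# describe-instance-attribute, so the key (and this action) leave a trace.
apply_user_data() {
    local instance_id="$1" region="$2" userdata_file="$3"
    aws ec2 --region "$region" stop-instances --instance-ids "$instance_id" >/dev/null
    aws ec2 --region "$region" wait instance-stopped --instance-ids "$instance_id"
    base64 "$userdata_file" > "${userdata_file}.b64"
    aws ec2 --region "$region" modify-instance-attribute \
        --instance-id "$instance_id" --attribute userData \
        --value "file://${userdata_file}.b64"
    aws ec2 --region "$region" start-instances --instance-ids "$instance_id" >/dev/null
}

# usage: ./inject-key.sh --apply i-0123456789abcdef0 eu-central-1 ~/.ssh/id_ed25519.pub
if [ "${1:-}" = "--apply" ]; then
    userdata=$(mktemp)
    build_user_data "$(cat "$4")" > "$userdata"
    apply_user_data "$2" "$3" "$userdata"
fi
```

Because the script part now runs at every boot, the grep guard keeps it idempotent; once you are back in, remove the key from the user data (or reset it) so the instance does not keep re-installing a credential nobody tracks.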
Other
/var/lib/cloud/data/set-hostname
Disabling cloud-init:
- file: /etc/cloud/cloud-init.disabled
- kernel command line: cloud-init=disabled
Problems
Problem: long boot time
# systemd-analyze
Startup finished in 3.195s (kernel) + 23.788s (userspace) = 26.983s
graphical.target reached after 23.230s in userspace
# systemd-analyze blame
11.755s cloud-init-local.service
5.854s docker.service
3.440s mariadb.service
2.459s cloud-init.service
2.317s isc-dhcp-server.service
1.984s php7.3-fpm.service
1.916s proftpd.service
1.200s cloud-config.service
1.138s ifupdown-pre.service
946ms bind9.service
911ms dev-mapper-vgos\x2droot
Logs
- /var/log/cloud-init.log
- /var/log/cloud-init-output.log
curl http://169.254.169.254/openstack/2018-08-27/meta_data.json
Solution
dpkg -i cloud-init_20.2-2~deb10u1_all.deb cloud-guest-utils_0.29-1_all.deb
echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
rm /etc/network/interfaces.d/50-cloud-init.cfg
AWS cloud notes - Ansible
ansible localhost -m ec2_instance -a "instance_ids=i-0713194bd2d67ddb2 state=stopped"
lftp FTP client notes
See also:
- rclone
- curl
- ~/.netrc
- /usr/kerberos/bin/ftp (paquet krb5-workstation)
- far2l
wget (download)
wget --ftp-user=FTP_USERNAME --ftp-password='FTP_PASSWORD' ftp://URL/PATH_TO_FTP_DIRECTORY/*
wget ftp://paul:123@serveur.org/fichier
curl
Download
curl -u utilisateur:motdepasse ftp://ftp.example.com/fichier.txt -O
Upload
curl -T monfichier.txt -u utilisateur:motdepasse ftp://ftp.example.com/
lftp
Example lftp configuration
~/.lftp/rc
# set ftp:ssl-force false
# Disables certificate verification for this one host: the session is then open
# to a TLS man-in-the-middle, so keep it scoped to the host and prefer fixing the server certificate.
set ssl:verify-certificate/ftp.truc.com no
#set prompt "lftp \S\? \u\@\h:\w> "
#set ftp:passive-mode off
#set ftp:ssl-force/ftp.adobe.com off
#set ftp:use-feat/ftp.adobe.com off
set cache:enable no
Usage examples
List all lftp variables
set -a
Switch to binary mode (necessary?)
# set type binary
quote type i
Example 1
lftp ftp://user:Passw0rd@ftp1.acme.fr
NOTE: the password can be defined in ~/.netrc instead of on the command line, where it is visible to every local user through ps and in the shell history.
Example 2: sending a sosreport to Red Hat
lftp -v -c 'open -e "set ftps:initial-prot ""; \
  set ftp:ssl-force true; \
  set ftp:ssl-protect-data true; \
  set ssl:verify-certificate true; \
  set ftp:proxy http://192.168.56.1:3128 ; \
  open anonymous:ftp@dropbox.redhat.com ; \
  cd incoming ; \
  put testfile'
Example 3: mirror, like rsync over FTP
NOTE: it is also possible to use
- the wget command
- curlftpfs with rsync ⇒ rclone is preferable to curlftpfs
lftp user@example.com:/pub> mirror -v data /ftp_mirror
lftp user@example.com:/pub> mirror -Rv /data/remote_copy .
Source: http://rajaseelan.com/2011/12/20/rsync-over-ftp/
lftp -c "set ftp:list-options -a; open ftp://user:password@your.ftp.com; lcd ./web; cd /web/public_html; mirror --reverse --delete --use-cache --verbose --allow-chown --allow-suid --no-umask --parallel=2 --exclude-glob .svn"
#!/bin/bash
HOST="your.ftp.host.dom"
USER="username"
PASS="password"
# NOTE: a password embedded in FTPURL ends up on the lftp command line, readable
# by every local user via ps; prefer ~/.netrc (lftp reads it automatically).
FTPURL="ftp://$USER:$PASS@$HOST"
LCD="/path/of/your/local/dir"
RCD="/path/of/your/remote/dir"
#DELETE="--delete"
lftp -c "set ftp:list-options -a; open '$FTPURL'; lcd $LCD; cd $RCD; mirror --reverse \
  $DELETE \
  --verbose \
  --exclude-glob a-dir-to-exclude/ \
  --exclude-glob a-file-to-exclude \
  --exclude-glob a-file-group-to-exclude* \
  --exclude-glob other-files-to-exclude"
Source: https://serverfault.com/questions/24622/how-to-use-rsync-over-ftp
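The mirror scripts above put the password in the URL and, in the first configuration example, disable certificate checking. As an added example (not code from the original notes or from the lftp project), here is a wrapper that refuses URLs with an embedded password, insists on a ~/.netrc readable only by its owner, and forces verified TLS on both the control and the data channel before mirroring. It assumes lftp and GNU coreutils (stat -c); the host and paths in the usage line are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): hardened lftp mirror wrapper.
# Credentials come from ~/.netrc, never from the command line; TLS is enforced
# and certificate verification stays on. Assumes lftp and GNU stat.
set -euo pipefail

# 0 if the URL embeds a password (scheme://user:password@host), 1 otherwise.
url_has_password() {
    case "$1" in
        *://*:*@*) return 0 ;;
        *)         return 1 ;;
    esac
}

# ~/.netrc must exist and be readable by the owner only (mode 600).
check_netrc() {
    local netrc="${1:-$HOME/.netrc}" mode
    [ -f "$netrc" ] || { echo "missing $netrc" >&2; return 1; }
    mode=$(stat -c '%a' "$netrc")
    [ "$mode" = "600" ] || { echo "$netrc has mode $mode, expected 600" >&2; return 1; }
}

# lftp settings that reject cleartext or unverified control/data channels
# (the opposite of 'set ssl:verify-certificate no' in the rc example above).
lftp_tls_settings() {
    printf '%s; ' \
        'set ftp:ssl-force true' \
        'set ftp:ssl-protect-data true' \
        'set ssl:verify-certificate yes' \
        'set ftp:list-options -a' \
        'set cache:enable no'
}

# Push LOCAL_DIR to REMOTE_DIR on the server named in URL. Pass --delete as the
# optional 4th argument to remove remote files that no longer exist locally.
mirror_site() {
    local url="$1" local_dir="$2" remote_dir="$3" delete="${4:-}"
    if url_has_password "$url"; then
        echo "refusing URL with embedded password; put it in ~/.netrc instead" >&2
        return 2
    fi
    check_netrc
    lftp -c "$(lftp_tls_settings) open '$url'; lcd '$local_dir'; cd '$remote_dir'; \
        mirror --reverse --verbose --parallel=2 --exclude-glob .git/ $delete"
}

# usage: ./ftp-mirror.sh ftp://deploy@ftp.example.com ./web /web/public_html [--delete]
if [ "$#" -ge 3 ]; then
    mirror_site "$@"
fi
```

With the password absent from the URL, lftp looks the host up in ~/.netrc (machine ftp.example.com login deploy password ...), so nothing secret appears in ps or in the shell history; a server that answers "534 Policy requires SSL" is satisfied by the forced ssl-protect-data setting rather than by weakening anything.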
Problems
Problem 1
lftp ftp://utilisateur:pass@ftp.serveur.org/Prod/Rapport
lftp utilisateur@ftp.serveur.org:/Prod/Rapport> get Fichier.csv
get: Access failed: 534 Policy requires SSL. (Fichier.csv)
lftp utilisateur@ftp.serveur.org:/Prod/Rapport> set ftp:ssl-protect-data true
lftp ssmf@91.121.109.131:/Prod/Rapport> get LmkMonthlyExport-20150201.csv
2086953 bytes transferred
Or permanently, in ~/.lftp/rc:
set ftp:ssl-protect-data/ftp.serveur.org true
Problem 2
lftp utilisateur@ftp.serveur.org:/Prod/Rapport> get Fichier.csv
get: Access failed: 534 Protection level negotiation failed. (Fichier.csv)
See https://access.redhat.com/solutions/336113
Right at the start of the connection:
set ftp:ssl-force true
set ftp:ssl-protect-data true
Other
rclone config
 1 / ProFTPd can't handle '*' in file names
   \ (Asterisk,Ctl,Dot,Slash)
 2 / PureFTPd can't handle '[]' or '*' in file names
   \ (BackSlash,Ctl,Del,Dot,RightSpace,Slash,SquareBracket)
 3 / VsFTPd can't handle file names starting with dot
   \ (Ctl,LeftPeriod,Slash)
RPM package lftp-scripts.noarch:
- /usr/share/lftp/convert-mozilla-cookies
- /usr/share/lftp/import-ncftp
- /usr/share/lftp/import-netscape
- /usr/share/lftp/verify-file
- /usr/share/lftp/xdg-move
DNS client notes
See also (DNS clients):
See also:
/etc/resolv.conf
See also:
- /etc/nsswitch.conf
Hard limits for the /etc/resolv.conf file
NOTE: the behaviour differs with musl libc (an alternative to glibc)
You need to be aware of the hard limits for name servers, domain name, and search domains when you create or edit the /etc/resolv.conf file.
The hard limits for the /etc/resolv.conf file are as follows:
- Maximum number of name servers is 3 (hardcoded; a 4th is never used).
- Maximum line size is 256 (before glibc 2.26?).
- Maximum domain name length is 256 characters (before glibc 2.26?).
- Maximum number of search domains is 6.
- In glibc 2.25 and earlier, the search list is limited to six domains with a total of 256 characters. Since glibc 2.26, the search list is unlimited (the limit therefore applies on RHEL 6; on RHEL 7 and 8 it depends on the glibc version).
- Total number of characters for all search domains is 256 (before glibc 2.26).
- Note: You should use only tab or space to separate host names in the search domain list.
If more than 3 servers are listed in /etc/resolv.conf: “Nameserver limits were exceeded, some nameservers have been omitted…”
Note: There is no limit on file size.
The search keyword of the system resolv.conf can be overridden on a per-process basis by setting the environment variable LOCALDOMAIN to a space-separated list of search domains.
The options keyword of the system resolv.conf can be amended on a per-process basis by setting the environment variable RES_OPTIONS to a space-separated list of resolver options…
Port redirection
sudo socat -v -v udp4-listen:53,reuseaddr,fork udp4:8.8.8.8:53
Connection tests
The trick: send a reverse lookup of 127.0.0.1 to each candidate server; a "not found" answer still proves the server is reachable and answering, only a timeout is a failure.
# UDP
#host -U -W 1 127.0.0.1 8.8.8.8
host -W 1 127.0.0.1 8.8.8.8
# TCP
host -T -W 1 127.0.0.1 8.8.8.8
echo "127.0.0.1,192.168.1.1,8.8.8.8" |tr "," "\n" |xargs -L1 -I% bash -c "host -W 1 plop.plop % |grep -q 'not found' && echo OK % || echo NOK %"
- name: Check DNS connectivity - UDP
  command: "host -W 1 127.0.0.1 {{ item | quote }}"
  check_mode: false
  changed_when: false
  register: cmd_host_udp
  failed_when: not ( cmd_host_udp.rc == 0 or ( cmd_host_udp.rc == 1 and cmd_host_udp.stdout_lines is search('not found') ) )
  with_items: "{{ resolv_new_nameservers }}"

- name: Check DNS connectivity - TCP
  command: "host -T -W 1 127.0.0.1 {{ item | quote }}"
  check_mode: false
  changed_when: false
  register: cmd_host_tcp
  failed_when: not ( cmd_host_tcp.rc == 0 or ( cmd_host_tcp.rc == 1 and cmd_host_tcp.stdout_lines is search('not found') ) )
  with_items: "{{ resolv_new_nameservers }}"
Or:
curl --dns-servers 192.168.0.1,192.168.0.2 https://example.com
curl --dns-servers 10.0.0.1:53 https://example.com
systemd-resolve HOSTNAME SERVERNAME
Docker configuration
docker-compose:
my-app:
  build: my-app
  dns:
    - 10.20.20.1  # dns server 1
    - 10.21.21.2  # dns server 2
  dns_search: ibm-edv.ibmnet.int
Kubernetes pod spec (dnsConfig):
spec:
  containers:
    - name: test
      image: nginx
  dnsConfig:
    options:
      - name: timeout
        value: "2"
docker-compose, static host entries:
extra_hosts:
  - "somehost:162.242.195.82"
  - "otherhost:50.31.209.229"
Client-side DNS cache
See also:
- Rescached
/etc/systemd/resolved.conf
DNS=1.1.1.1 1.0.0.1
sudo mv /etc/resolv.conf /etc/resolv.conf.orig
sudo ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
/etc/resolv.conf
nameserver 127.0.0.53
options edns0
See also /etc/nsswitch.conf
sudo pkill -USR1 systemd-resolve
sudo systemd-resolve --flush-caches
sudo resolvectl flush-caches
sudo journalctl -u systemd-resolved > ~/resolved.txt
sudo systemd-resolve --statistics
Flush DNS / Clear cache
Flush the systemd-resolved DNS cache
systemd-resolve --flush-caches
Clear BIND Server DNS Cache
sudo rndc restart
To clear the DNS cache for a particular domain:
sudo rndc flushname <Domain_Name>
Clear the dnsmasq Server DNS Cache
sudo systemctl restart dnsmasq
Flush nscd server DNS Cache
sudo systemctl restart nscd
pdnsd
pdnsd-ctl empty-cache
Options
No IPv6 AAAA queries
# since glibc 2.36
options no-aaaa
no-tld-query (since glibc 2.14)
Problems
Problem: short-name resolution
/etc/resolv.conf
# options rotate timeout:1 retries:1
# options rotate timeout:2 attempts: 1
options timeout:0 attempts:1
nameserver 192.168.10.10
nameserver 192.168.11.10
search domain1.local domain2.local
domain domain2.local
FQDN resolution OK
# getent hosts srv01.domain1.local
192.168.1.101   srv01.domain1.local
Short-name resolution NOK
# getent hosts srv01
#
Solution
Put search after domain, or comment domain out.
According to the implementation of Glibc, if domain and search directives are both used, only the last instance will be used for DNS queries.
Source : https://access.redhat.com/solutions/5958611
The domain directive is an obsolete name for the search directive that handles one search list entry only.
Source : https://man7.org/linux/man-pages/man5/resolv.conf.5.html
/etc/resolv.conf
options rotate timeout:1 retries:1
# options rotate timeout:2 attempts: 1
nameserver 192.168.10.10
nameserver 192.168.11.10
domain domain2.local
search domain1.local domain2.local
# getent hosts srv01
192.168.1.101   srv01.domain1.local
# getent hosts srv01.domain1.local
192.168.1.101   srv01.domain1.local
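The hard limits listed earlier (3 nameservers, 6 search domains / 256 characters before glibc 2.26) and the domain-after-search trap just shown are both easy to miss by eye, so here is an added example (not part of the original notes) of a small resolv.conf linter that flags them. It assumes glibc semantics, as described above (musl differs), and uses the thresholds quoted on this page; the test inputs it is run against are constructed files, not the author's.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): lint a resolv.conf against the
# glibc stub-resolver rules described on this page. Assumes glibc semantics;
# the numeric limits are the ones quoted above (pre-2.26 search-list limits).
set -euo pipefail

# Print one WARN line per finding; return 0 when the file is clean, 1 otherwise.
lint_resolv_conf() {
    local file="$1" rc=0
    local -i nameservers=0 last_search_line=0 last_domain_line=0 lineno=0
    local line keyword rest
    while IFS= read -r line || [ -n "$line" ]; do
        lineno+=1
        line="${line%%#*}"                  # '#' starts a comment
        line="${line%%;*}"                  # so does ';'
        [[ -z "${line//[[:space:]]/}" ]] && continue
        read -r keyword rest <<<"$line"
        case "$keyword" in
            nameserver)
                nameservers+=1
                ;;
            search)
                last_search_line=$lineno
                # shellcheck disable=SC2086
                set -- $rest                # one positional parameter per domain
                if [ "$#" -gt 6 ]; then
                    echo "WARN: $file:$lineno: $# search domains; glibc < 2.26 uses only the first 6"; rc=1
                fi
                if [ "${#rest}" -gt 256 ]; then
                    echo "WARN: $file:$lineno: search list is ${#rest} chars; glibc < 2.26 truncates at 256"; rc=1
                fi
                ;;
            domain)
                last_domain_line=$lineno
                ;;
        esac
    done < "$file"
    if [ "$nameservers" -gt 3 ]; then
        echo "WARN: $file: $nameservers nameserver lines; glibc only uses the first 3"; rc=1
    fi
    # 'domain' is an obsolete one-entry form of 'search'; glibc keeps whichever
    # directive comes last, so a trailing 'domain' silently discards the search list.
    if [ "$last_search_line" -gt 0 ] && [ "$last_domain_line" -gt "$last_search_line" ]; then
        echo "WARN: $file:$last_domain_line: 'domain' after 'search' overrides the search list"; rc=1
    fi
    return "$rc"
}

# usage: ./lint-resolv.sh /etc/resolv.conf
if [ "$#" -gt 0 ]; then
    lint_resolv_conf "$1"
fi
```

Run it against the first resolv.conf of this problem and it reports the trailing domain line; against the corrected one it stays silent. A non-zero exit makes it usable as a pre-check in the Ansible role that rewrites resolv.conf.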
Problem: Linux DNS client, FQDN resolution failing
$ getent hosts plop
192.168.21.25   plop.acme.local
$ getent hosts plop.acme.local
$
$ dig +short plop.acme.local
192.168.21.25
Solution
Check with dig / nslookup: if those answer, the problem is elsewhere, e.g. in the libc configuration. Here the mdns4_minimal module claims every name under .local and [NOTFOUND=return] stops the lookup before the dns module is consulted, so the FQDN never reaches the DNS servers while the short name does.
/etc/nsswitch.conf
#hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
hosts: files dns myhostname
Tools
Dig
To see the step-by-step name resolution:
dig +add +trace @8.8.8.8 www.google.com
kdig
kdig client (part of Knot):
kdig +tls @localhost -p 8353 foobar.test
check-soa
blaeu-resolve
blaeu-resolve -r 100 --type NS meteofrance.com
DNS client notes & diagnostics
# /etc/systemd/resolved.conf
sudo systemctl restart systemd-resolved.service
Configuration
systemd-resolve --set-dns=192.168.1.1 -i wlan1
Status
systemd-resolve --status
Disable and stop the systemd-resolved service
sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved
/etc/NetworkManager/NetworkManager.conf
[main] dns=default
unlink /etc/resolv.conf
sudo service network-manager restart
DNS servers from DHCP?
/etc/systemd/network/enp0s31f6.network
[DHCP] UseDNS=true
Other
ps aux |grep dnsmasq
Diagnostics: which servers and ports does the resolver actually use?
resolv.py
import socket

# Repeat the lookup a few times to see which configured nameservers get asked.
for x in range(5):
    print(socket.getaddrinfo('gnu.org', 80))
# strace -e trace=connect python resolv.py 2>&1 | grep 53
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.10.10")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.20.20")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.5")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.10.10")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.20.20")}, 16) = 0
lsof -i udp:53
time tcpdump udp port 53 -Qout -n |nl
time strace -f -e trace=%network -p 29976 2>&1 |grep 'htons(53)' |nl
# sysdig -c lsof "'fd.l4proto=udp and fd.port=53'"
COMMAND          PID      TID      USER     FD  TYPE  NAME
systemd-resolve  2870470  2870470  systemd  12  ipv4  127.0.0.53:53
csysdig -v connections fd.ip=10.172.93.224
iftop -f "host 10.172.93.224"
Other
Windows
nslookup set detail
