@zukko78
zukko78 / systemd_service_hardening.md
Created January 24, 2024 05:31 — forked from ageis/systemd_service_hardening.md
Options for hardening systemd service units

security and hardening options for systemd service units

A common and reliable pattern in service unit files is thus:

NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
@zukko78
zukko78 / mysql-tcpdump.sh
Created June 19, 2023 19:54 — forked from bom-d-van/mysql-tcpdump.sh
tcpdump advanced filters
# https://www.percona.com/blog/2008/11/07/poor-mans-query-logging/
# Reassemble SQL statements from MySQL client traffic captured on port 3306
tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | perl -e '
while(<>) { chomp; next if /^[^ ]+[ ]*$/;
  if(/^(SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER)/i) {
    # a new statement starts: flush the one collected so far
    if (defined $q) { print "$q\n"; }
    $q=$_;
  } else {
    # continuation line: append to the current statement
    $_ =~ s/^[ \t]+//; $q.=" $_";
  }
}'
# sniff hypervisor
dmesg | grep Hypervisor
[ 0.000000] Hypervisor detected: KVM
# get key in bytes
etcdctl get $key -w fields | grep -oP "(?<=Value\" : \").*" | wc -c
# defrag status in MB
cat etcd_info/endpoint_status.json | jq '(.[0].Status.dbSize - .[0].Status.dbSizeInUse)/1000/1000'
@zukko78
zukko78 / gist:71f7cb79727d11237363bd2978e6c4ad
Created February 10, 2023 02:23 — forked from ipedrazas/gist:2c93f6e74737d1f8a791
List Docker Container Names and IPs
function drips(){
  docker ps -q | xargs -n 1 docker inspect --format '{{ .NetworkSettings.IPAddress }} {{ .Name }}' | sed 's/ \// /'
}
@zukko78
zukko78 / ingres.yaml
Created July 4, 2022 17:00 — forked from houstondapaz/ingres.yaml
ingress nginx configuration snippet
nginx.ingress.kubernetes.io/configuration-snippet: |
  more_set_headers "Server:SEU_SERVER";
  more_set_headers "cache-Control: no-cache, no-store";
  more_set_headers "pragma: no-cache";
  if ($request_uri ~* \.(?:ico|css|js|gif|jpe?g|png|svg|woff2|woff|ttf|eo|mp3)$) {
    more_set_headers "cache-control: public, must-revalidate, proxy-revalidate";
    more_set_headers "pragma: public";
    expires max;
  }
  rewrite ^/SUB_PATH(/?)(.*)$ /$2 break;
global:
  scrape_interval: 60s
  external_labels:
    monitor: 'example'
rule_files:
  - /etc/prometheus/config/*.rules
scrape_configs:
@zukko78
zukko78 / kube-router-cfg.yaml
Created January 19, 2022 20:52 — forked from bzub/kube-router-cfg.yaml
kubeadm kube-router troubleshooting
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-router-cfg
  namespace: kube-system
  labels:
    tier: node
    k8s-app: kube-router
data:
  cni-conf.json: |
@zukko78
zukko78 / 00_play.yml
Created December 11, 2021 05:08 — forked from halberom/00_play.yml
ansible - convoluted json_query foo - reducing a nested dict to just bits we can use
---
- hosts: localhost
  connection: local
  gather_facts: False
  tasks:
#    - include_vars: jsonfile.json
#
#    - debug:
#        var: ansible_devices
#
@zukko78
zukko78 / nginx_deployment.yaml
Created June 28, 2021 20:58 — forked from petitviolet/nginx_deployment.yaml
sample Nginx configuration on Kubernetes using ConfigMap to configure nginx.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-conf
data:
  nginx.conf: |
    user nginx;
    worker_processes 3;
    error_log /var/log/nginx/error.log;
    events {
@zukko78
zukko78 / kubedf
Created April 17, 2021 21:23 — forked from redmcg/kubedf
Bash script to show k8s PVC usage
#!/usr/bin/env bash
KUBEAPI=127.0.0.1:8001/api/v1/nodes
function getNodes() {
  curl -s $KUBEAPI | jq -r '.items[].metadata.name'
}
function getPVCs() {
  jq -s '[flatten | .[].pods[].volume[]? | select(has("pvcRef")) | '\