version: "3.7"
services:
lb:
image: index.docker.io/traefik:v1.7.14-alpine
hostname: traefik-webserver.example.com
restart: unless-stopped
Philip Schmid PhilipSchmid
PhilipSchmid
/ traefik-docker-compose.tmpl.md
Last active
August 27, 2019 09:21
PhilipSchmid
/ rancher-keycloak-idp-configuration.md
Last active
January 11, 2024 06:42
Rancher v2.X KeyCloak Authentication Backend Configuration
Ranchers official documentation about how to configure the Rancher <> KeyCloak setup is fine but definitely not sufficient to successfully configure it (https://rancher.com/docs/rancher/v2.x/en/admin-settings/authentication/keycloak/). That's the reason why here every single required step is documented down here.
I simply use the default master realm for the Rancher client. Nevertheless, it would sometimes absolutely make sense to use a custom KeyCloak realm.
- Login as
adminon https://keycloak.example.com/. Important: It's crucial that in KeyCloak the same username exists as you use as admin user on Rancher. Since I just use theadminaccount in this guide, this prerequisite is already achieved. - Create a new client under https://keycloak.example.com/auth/admin/master/console/#/realms/master/clients
Client ID:https://rancher.example.com/v1-saml/keycloak/saml/metadata
PhilipSchmid
/ multicast-on-linux.md
Last active
March 18, 2024 14:36
Testing Multicast Traffic on Linux
By default Linux ignores Broadcast and Multicast ICMP messages. That's why you need to enable it first:
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=0To join any mutlicast address (e.g. 224.10.10.10/24) just add it to your active interface (e.g. eth0) and append the keyword autojoin at the end:
PhilipSchmid
/ nic-isolation-readme.md
Last active
April 29, 2020 11:30
Automatically add Linux NIC to namespace at system boot (e.g. used for Ethernet USB dongles with dynamic identifier)
Save the file nic-isolation.service to /etc/systemd/system/nic-isolation.service.
Afterwards reload the systemd daemon and enable & start the "service":
sudo systemctl daemon-reload
sudo systemctl enable nic-isolation.service
sudo systemctl start nic-isolation.service
PhilipSchmid
/ clientless-linux-remote-access.md
Last active
February 25, 2022 10:49
Using Apache Guacamole in combination with VNC for clientless Linux remote access
Quick and dirty guide how to get Apache Guacamole in combination with VNC up and running.
sudo add-apt-repository -y ppa:remmina-ppa-team/freerdp-daily
sudo apt update
env DEBIAN_FRONTEND=noninteractive sudo apt install -y freerdp2-dev freerdp2-x11
PhilipSchmid
/ 0-rancher-vsphere-setup.md
Last active
August 1, 2023 17:47
How to set up a Rancher K8s cluster on VMware (incl. vSphere StorageClass)
- Configure the Network Protocol Profile on the vCenter according to: https://www.virtualthoughts.co.uk/2020/03/29/rancher-vsphere-network-protocol-profiles-and-static-ip-addresses-for-k8s-nodes/
- Ensure to create a service user with the regarding global and folder specific permissions: https://rancher.com/docs/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/creating-credentials/
- Beside the vCenter role permissions from the official Rancher documentation, the following ones need to be provided in order to configure the Nodes via vApp options:
- Content Library: Read storage
- Extension: Register extension
- Beside the vCenter role permissions from the official Rancher documentation, the following ones need to be provided in order to configure the Nodes via vApp options:
- vSphere Tagging: Assign or Unassign vSphere Tag on Object
PhilipSchmid
/ 0-wireguard-readme.md
Last active
January 7, 2022 21:02
Wireguard installation on CentOS/RHEL 8 server and Ubuntu 20.04 client (IPv6 dual stack)
This two scripts install & configure Wireguard on a CentOS8 "server" (peer) and on a Ubuntu 18.04 "client" peer. Of course, if you replace the # Installation script parts, these instructions can also be used on other distributions like Debian, CentOS 7, Fedora, etc..
Possible pitfall: When you change something in the /etc/wireguard/wg0.conf configuration file on the server, ensure to disable the wg-quick@wg0 service in advance:
sudo systemctl stop wg-quick@wg0
sudo systemctl disable wg-quick@wg0
sudo vim /etc/wireguard/wg0.conf # edit what ever you like
sudo systemctl enable --now wg-quick@wg0
PhilipSchmid
/ kvm-windows-10-guest-ultrawide-resolution.md
Last active
April 26, 2024 17:58
3440x1440 resolution for Windows 10 KVM VM
virsh edit Windows10- Navigate to the
<video>section and change it to the following one:
<video>
<model type='qxl' ram='131072' vram='131072' vgamem='32768' heads='1' primary='yes'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</video>
PhilipSchmid
/ k8s-rbac-example.yaml
Created
October 23, 2020 15:12
A (more or less) complete RBAC example for Kubernetes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # https://kubernetes.io/docs/concepts/policy/pod-security-policy/ | |
| # Attention: This PSP has quite some loose restrictions! Do not just copy & paste it! | |
| apiVersion: policy/v1beta1 | |
| kind: PodSecurityPolicy | |
| metadata: | |
| name: example | |
| spec: | |
| allowPrivilegeEscalation: true | |
| allowedCapabilities: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Usage: ./minio-upload my-bucket my-file.zip | |
| bucket=$1 | |
| file=$2 | |
| host=minio.example.com | |
| s3_key=svc_example_user | |
| s3_secret=svc_example_user_password |