A common and reliable pattern in service unit files is thus:
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
Information can be put into DMI tables via some qemu-system hosts (x86_64 and aarch64). That information is exposed in Linux under /sys/class/dmi/id and can be read with dmidecode. The names are very annoyingly inconsistent. The point of this doc is to map them.
Example qemu cmdline:
qemu-system-x86_64 -smbios type=<type>,field=value[,...]
qemu-system-x86_64 -smbios type=0,vendor=superco,version=1.2.3
#!/bin/bash
# GIST_URL: https://gist.github.com/natemccurdy/797fa9128b7eef1f07be
# This script can be run to manually trigger Code Manager to deploy code from your control-repo. This sort of
# thing is necessary when, for example:
# - You've turned on Code Manager but have not yet made an RBAC token.
# - You want to pull down the latest version of a Puppetfile module without pushing to your GMS.
# - Something has broken the post-receive hook on your GMS that would've triggered Code Manager.
# - Syntax errors in your Puppetfile prevent you from retrieving those fixes to that Puppetfile.
# - Puppetserver has crashed due to file-sync issues between code and code-staging.
# - Code Manager can't deploy your code for various reasons that are hard to track down.
(From the PE documentation at: https://www.puppet.com/docs/pe/2023.4/upgrading_pe#upgrade_cautions-r10k-4-upgrade)
- Starting in PE 2023.4, if you use Code Manager or r10k, with SSH protocol for remote Git repository access, you must set up SSH host key verification.
To manage the known_hosts file and enable host key verification for Code Manager or r10k, you must define the puppet_enterprise::profile::master::r10k_known_hosts parameter with an array of hashes specifying "name", "type", and "key" with your hostname, key type, and public key, respectively.
This is the error message you will see if running code deploy:
[alias]
# Basically `log --oneline --decorate --graph` with different colors and some additional info (author and date)
lg = log --graph --abbrev-commit --decorate --format=format:'%C(yellow)%h%C(reset) %C(normal)%s%C(reset) %C(dim white)%an%C(reset) %C(dim blue)(%ar)%C(reset) %C(dim black)%d%C(reset)'
# lg (see above) with --first-parent
lgp = log --graph --abbrev-commit --decorate --format=format:'%C(yellow)%h%C(reset) %C(normal)%s%C(reset) %C(dim white)%an%C(reset) %C(dim blue)(%ar)%C(reset) %C(dim black)%d%C(reset)' --first-parent
# https://stackoverflow.com/questions/61510067/show-specific-commits-in-git-log-in-context-of-other-commits
hl = "!f() { cd -- ${GIT_PREFIX:-.}; grep --color -E \"$(git log --pretty=%h \"$@\" | tr '\n' '|')\" || true; }; f"
hlp = "!f() { cd -- ${GIT_PREFIX:-.}; less -R -p $(git log --pretty=%h \"$@\" | tr '\n' '|'); }; f"
#### General PFCTL Commands ####
$ pfctl -d # disable packet-filtering
$ pfctl -e # enable packet-filtering
$ pfctl -q # run quiet
$ pfctl -v -v # run even more verbose
#### Loading PF Rules ####
$ pfctl -f /etc/pf.conf # load /etc/pf.conf
$ pfctl -n -f /etc/pf.conf # parse /etc/pf.conf, but don't load it
$ pfctl -R -f /etc/pf.conf # load only the FILTER rules
$ pfctl -N -f /etc/pf.conf # load only the NAT rules
Reference doc: https://puppet.com/docs/pe/2017.3/overview/api_index.html
API | Endpoint | RBAC Token | Certificate | How to whitelist a cert? |
---|---|---|---|---|
Activity | /activity-api/v1/ | ✅ | ✅ | puppet_enterprise::profile::console::whitelisted_certnames |
Node Classifier | /classifier-api/v1/ | ✅ | ✅ | puppet_enterprise::profile::console::whitelisted_certnames |
--internal flag is used, a linux type dummy interface is dynamically created by Libnetwork to act as the parent. This network is completely isolated and is the equivalent to a --internal flag. This is a good mode for demoing.
# Generate and use an oauth2 bearer token for the Twitter API in Ruby
#
# For Application-Only authentication to the twitter API, a 'bearer token'
# is required to authenticate against their endpoints for rate limiting
# purposes.
#
# This script generates a bearer token by posting to twitter and then it
# uses that token to poll their API.
#
# Note, the base 64 encoded consumer credentials for the bearer token needs |