JuanJo Ciarlante jjo

jjo / kubectl-root-in-host-nopriv.sh
Last active February 5, 2024 23:07
Yeah. Get a root shell at any Kubernetes *node* via `privileged: true` + `nsenter` sauce. PodSecurityPolicy will save us. DenyExecOnPrivileged didn't (kubectl-root-in-host-nopriv.sh exploits it)
#!/bin/sh
# Launch a Pod that abuses a hostPath mount to land on a Kubernetes node as root
# without requiring `privileged: true`; in particular this bypasses the
# `DenyExecOnPrivileged` admission controller, which only looks at the Pod spec.
# The Pod command in turn runs a privileged container through the node's /var/run/docker.sock.
node=${1}
case "${node}" in
"")
nodeSelector=''
podName=${USER+${USER}-}docker-any

## Workaround openstack nova+openvswitch mtu issues when no jumbo frames are available,
## by setting up udev at neutron-gateway to hook on routing interface creation to
## lower the MTU (thus trigger ICMPs for PMTU discovery)
## See: https://blueprints.launchpad.net/neutron/+spec/network-options-mtu
## keywords: openstack, nova, openvswitch, mtu, 1500, no jumbo frames
## Create these two files:

nova-compute-lxd inside LXCs at nova-compute hosts

Goal: use an existing, normal openstack deploy to add a nova-compute-lxd layer on the same nova-compute hosts, by running the nova-compute LXD services inside LXCs on those hosts (a single nova-compute cannot run several hypervisors):

                       HOST 
.---------------------------------------------------.
|       jujud-m-32                                  |
jjo / 01-promql-vector-label_replace-abuse.md
Last active November 23, 2023 18:38
PromQL fun abusing `vector()` and `label_replace()` to create ~arbitrary timeseries, note these are used from grafana's /explore (for those ${__to:...} expressions)

Building a sinusoid, going back in time from now, using vector() and label_replace().

round(
    8  # <- number of nodes
    *
    (1-sin(vector((time()-(${__to:date:seconds}))/(3600*10) * pi()))) / 2
)
* on() group_right() (
 label_replace(vector(0.0445000) , "spend", "cpu", "", "") * 8 # <- vCPU per node

#!/bin/sh
# Launch a Pod that abuses `privileged: true` to land on a Kubernetes node as root:
# with `privileged: true` it can nsenter the mount namespace of init (PID 1), i.e. the node's root filesystem;
# hostPID and hostNetwork are already set on the Pod.
node=${1}
case "${node}" in
"")
nodeSelector=''
podName=${USER+${USER}-}sudo-any
;;
jjo / node-custom-setup.yaml
Last active January 28, 2023 03:23
Run commands at Kubernetes *nodes* via `privileged` DaemonSet + `nsenter` hack, very useful for setups requiring base packages pre-installed at nodes. Please take a moment to understand what it does, and *don't* use it for *production*. Grab the logs with: kubectl logs -n kube-system -l k8s-app=node-custom-setup -c init-node
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  namespace: kube-system
  name: node-custom-setup
  labels:
    k8s-app: node-custom-setup
  annotations:
    command: &cmd apt-get update -qy && apt-get install -qy tgt ceph-fs-common ceph-common xfsprogs

Steps to set up Telegram (TG) Cornix BOT autotrading, fed from the Hirn Crypto Free signals TG channel, trading on Binance.

These signals instruct the BOT to trade altcoins against BTC, towards getting returns in BTC, typically via high-freq trading (sometimes ~handful trades per min).

  • [1] Add cornix bot to TG: https://t.me/cornix_trading_bot (2-week free trial)
  • [2] Add Hirn Crypto Free (signals) to TG: https://t.me/hirn_Crypto (free)
  • [3] Create a Binance API key, only allowing in-account trading (the default); save the key and secret
  • Set up the cornix bot, from Main Menu ->
    • Add Another Client -> New Client -> Link to an existing account -> Binance using API <key>,<secret> from [3]
    • Subscribe to Channel -> should automagically show Hirn ... from [2]
jjo / dotssh-config-add.cfg
Last active January 29, 2022 22:46
ssh config stanza to use `gcloud beta ssh ...` straight via `ssh` CLI
### Add below stanza to your ~/.ssh/config
## Parsed as vmname.REGION.PROJECT.gcp
Host *.*.*.gcp
ProxyCommand gcloud beta compute ssh --tunnel-through-iap $(echo %h|awk -v FS=. '{ printf ("--project=%%s --zone=%%s %%s", $3, $2, $1) }') --command="nc -q0 localhost 22"
$ cat > foo.jsonnet
local applyModifications(obj, f) =
  obj + {
    [x]: f(obj[x]) for x in std.objectFieldsAll(obj)
  }
;
applyModifications({
  visible: "foo",
  hidden:: "bar",