security and hardening options for systemd service units
A common and reliable pattern in service unit files is as follows:
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
#!/bin/sh | |
# cat <<EOF | ./subst.sh zzzlucy | |
# name=Lucy | |
# weather="Good, how about you?!" | |
# family=Smith | |
# EOF | |
set -a |
A common and reliable pattern in service unit files is as follows:
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
Time | 1min | 5min | 15min | |
---|---|---|---|---|
14:08:59 | 0.93 | 1.10 | 1.28 | |
14:09:09 | 0.86 | 1.08 | 1.27 | |
14:09:19 | 0.95 | 1.09 | 1.27 | |
14:09:29 | 0.95 | 1.09 | 1.27 | |
14:09:39 | 1.25 | 1.15 | 1.29 | |
14:09:49 | 1.21 | 1.14 | 1.28 | |
14:09:59 | 1.18 | 1.14 | 1.28 | |
14:10:09 | 1.15 | 1.13 | 1.27 | |
14:10:19 | 1.13 | 1.13 | 1.27 |
apiVersion: "kafka.strimzi.io/v1alpha1" | |
kind: KafkaConnector | |
metadata: | |
name: bd6-mongo-connector | |
labels: | |
strimzi.io/cluster: my-connect-cluster | |
spec: | |
class: io.debezium.connector.mongodb.MongoDbConnector | |
image: "quay.io/tdonohue/debenhams-mongo:latest" | |
config: |
Let's deploy nginx!
We'll create a Deployment, a Service and a Route.
nginx-unprivileged
image (this Nginx image doesn't run nginx as root - because OpenShift doesn't like that!)
package com.cleverbuilder.bookservice; | |
import java.util.ArrayList; | |
import java.util.List; | |
import javax.xml.bind.annotation.XmlAccessType; | |
import javax.xml.bind.annotation.XmlAccessorType; | |
import javax.xml.bind.annotation.XmlElement; | |
import javax.xml.bind.annotation.XmlRootElement; | |
import javax.xml.bind.annotation.XmlType; |
! 21/03/2020 https://twitter.com - remove annoyances/distractions | |
! Remove the annoying attention-sapping stuff: trending now, who to follow | |
twitter.com##div[aria-label='Timeline: Trending now'] | |
twitter.com##aside[aria-label='Who to follow'] | |
! 2020-10-03 Medium google login distraction | |
medium.com##div[id='credential_picker_container'] |
version: 1.0.0-quayio | |
type: Che Editor | |
name: theia-ide | |
id: org.eclipse.che.editor.theia | |
title: Eclipse Theia for Eclipse Che | |
description: Eclipse Theia | |
icon: https://pbs.twimg.com/profile_images/929088242456190976/xjkS2L-0_400x400.jpg | |
endpoints: | |
- name: "theia" | |
public: true |
package xyz.tomd.demos.fuse.springboot.amqxa; | |
import oracle.jdbc.xa.client.OracleXADataSource; | |
import oracle.jms.AQjmsFactory; | |
import org.apache.camel.component.jms.JmsComponent; | |
import org.messaginghub.pooled.jms.JmsPoolXAConnectionFactory; | |
import org.springframework.boot.SpringApplication; | |
import org.springframework.boot.autoconfigure.SpringBootApplication; | |
import org.springframework.boot.jta.XAConnectionFactoryWrapper; | |
import org.springframework.context.annotation.Bean; |
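#!/usr/bin/env bash
# Gets a list of all profiles and containers from a Red Hat JBoss Fuse Fabric topology
# Note this is very rough and probably doesn't work :-)
#
# Required environment:
#   FUSE_HOME - Fuse installation directory; containerlist.txt is written there
#   FUSE_PASS - password for the Fuse client user. It is read from the
#               environment instead of being assigned here: a literal password
#               in a script ends up in version control and shell history.
# Optional:
#   JAVA_HOME - defaults to the JDK path below when not already set
#
# Output: containerlist.txt under $FUSE_HOME, a cleaned "container,profile"
# list on stdout, then one `bin/client ... fabric:profile-display` command per
# profile. The generated commands refer to $FUSE_PASS by name, not by value,
# so the secret is not copied into the output.
#
# Requires GNU awk (FIELDWIDTHS) and GNU grep (-P).
set -euo pipefail

: "${FUSE_HOME:?FUSE_HOME must be set}"
: "${FUSE_PASS:?FUSE_PASS must be set in the environment (not in this script)}"
export FUSE_PASS
export JAVA_HOME="${JAVA_HOME:-/c/extdot/dev/java/jdk1.8.0_92}"

readonly fuse_host=fuse.example.com
readonly fuse_port=8101
readonly fuse_user=adminmw
readonly client=/path/to/fuse/jboss-fuse-6.3.0.redhat-329/bin/client
readonly list_file=containerlist.txt

cd -- "$FUSE_HOME" || exit 1

# NOTE: the client takes the password as a command-line argument (-p), so it is
# visible to other local users via `ps` while the client runs. No alternative
# option is shown here, so this is left as-is; keep that in mind on shared hosts.
"$client" -a "$fuse_port" -h "$fuse_host" -u "$fuse_user" -p "$FUSE_PASS" \
  fabric:container-list > "$list_file"

# Derive fixed column widths from the header line: each header cell is the
# text up to and including the padding before the next non-space character.
# With pipefail, an empty header (no match) aborts the script instead of
# silently producing an empty FIELDWIDTHS.
fieldwidths=$(head -1 "$list_file" | grep -Po '.*? (?=\S|$)' | awk '{printf length" "}')

# Preview: container name and profile (columns 1 and 5) as "container,profile",
# trimming the padding left over from the fixed-width split.
awk -v FIELDWIDTHS="$fieldwidths" -v OFS=',' '{ print $1,$5 }' "$list_file" \
  | sed 's/ //' \
  | awk '{$1=$1;print}'

# Emit one profile-display command per profile. Rows whose container column is
# empty are continuation rows holding further profiles of the previous
# container. The commands are printed, not executed; review them before running.
# `\$FUSE_PASS` keeps the variable reference literal in the generated commands.
awk -v FIELDWIDTHS="$fieldwidths" -v OFS=',' '{ print $1,$5 }' "$list_file" \
  | awk '{$1=$1;print}' \
  | awk -F ',' \
      -v client="bin/client -a ${fuse_port} -h ${fuse_host} -u ${fuse_user} -p \$FUSE_PASS" \
      '$1 != "" { print "echo CONTAINER", $1 }
       { print client " fabric:profile-display", $2 }'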