Paul Weil pweil-

## gist:61b3b233999d528ce62f737fb9218624
[root@ocp-master-30863601-0 0]# ausearch -m avc -ts recent
----
time->Wed Jun 13 16:53:26 2018
type=PROCTITLE msg=audit(1528908806.025:28): proctitle=2F62696E2F62617368002D65002F7573722F6C6F63616C2F62696E2F656E747279706F696E74002F6F70742F6170702D726F6F742F7372632F616E7369626C652E7368
type=SYSCALL msg=audit(1528908806.025:28): arch=c000003e syscall=2 success=no exit=-13 a0=7fda8ed30607 a1=80000 a2=1 a3=7fda8ef364f8 items=0 ppid=25690 pid=25707 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="entrypoint" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c613,c722 key=(null)
type=AVC msg=audit(1528908806.025:28): avc:  denied  { read open } for  pid=25707 comm="entrypoint" path="/etc/ld.so.cache" dev="sdb1" ino=33994991 scontext=system_u:system_r:container_t:s0:c613,c722 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
----
time->Wed Jun 13 16:53:26 2018
type=PROCTITLE msg=audit(1528908806.026:29): proctitle=2F62696E2F62617368002D65002F7573722F6

## mockup.go
// OpenShiftConfig holds configuration for OpenShift
type OpenShiftConfig struct {
	KubernetesConfig *KubernetesConfig `json:"kubernetesConfig,omitempty"`

	// ClusterUsername and ClusterPassword are temporary before AAD
	// authentication is enabled, and will be removed subsequently.
	ClusterUsername string `json:"clusterUsername,omitempty"`
	ClusterPassword string `json:"clusterPassword,omitempty"`

	ConfigBundles          map[string][]byte `json:"-"`

## gist:b33f9087684a93121e860d70687d6801
datasource:
  Azure:
    agent_command: [service, waagent, start]
    set_hostname: True
    hostname_bounce:
      interface: eth0
      policy: force
      command: "builtin"
      hostname_command: "hostname"

## gist:e6709ad4936301204f88064b01c644a2
[root@bastion ~]# df -h
Filesystem                              Size  Used Avail Use% Mounted on
/dev/mapper/rootvg-rootvol              8.0G  2.4G  5.7G  30% /
devtmpfs                                1.7G     0  1.7G   0% /dev
tmpfs                                   1.7G     0  1.7G   0% /dev/shm
tmpfs                                   1.7G  408K  1.7G   1% /run
tmpfs                                   1.7G     0  1.7G   0% /sys/fs/cgroup
/dev/sda1                               969M  127M  777M  14% /boot
/dev/mapper/rootvg-var                   16G  698M   16G   5% /var
/dev/mapper/docker_vg-docker--root--lv  200G   33M  200G   1% /var/lib/docker

## gist:abcaf54e44fb6eafb7501be83a40633d
[pweil@localhost codebase]$ mkdir tempgopath
[pweil@localhost codebase]$ cd tempgopath/
[pweil@localhost tempgopath]$ export GOPATH=`pwd`
[pweil@localhost tempgopath]$ go get https://github.com/Azure/acs-engine
package https:/github.com/Azure/acs-engine: "https://" not allowed in import path
[pweil@localhost tempgopath]$ go get github.com/Azure/acs-engine

## gist:2f2861cd5b709b2ed8a821c214ed45ce
[pweil@localhost origin]$ kubectl describe scc/anyuid
Name:                          anyuid
Namespace:
Labels:                        <none>
Annotations:                   kubernetes.io/description=anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID.
Allow Host Dir Volume Plugin:  false
Allow Host IPC:                false
Allow Host Network:            false
Allow Host PID:                false
Allow Host Ports:              false

## gist:f906a584a77db5fb9fcd2148a736edbb
[pweil@localhost origin]$ oadm registry -o yaml
apiVersion: v1
items:
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    creationTimestamp: null
    name: registry
- apiVersion: v1
  groupNames: null

## gist:910a65465a14f95931124046e3902bf4
apiVersion: v1
kind: DeploymentConfig
metadata:
  creationTimestamp: '2017-09-26T17:43:12Z'
  generation: 33
  labels:
    component: es
    deployment: logging-es-data-master-7bqbidg1
    logging-infra: elasticsearch
    provider: openshift

## gist:4448bbffd0a155d274ec8f50bac6d09c
---
  tOp45vCI:
    hash: 1de7B0FRafWkVGOgGLFJ
---
  prometheus:
    hash: $2a$12$EZGiozL9dmZL0c5UU9yGm.OfhdrVnr1Vv5fmhx8nKWKNT4QxDAkoO
    roles:
    - sg_role_prometheus

## gist:4568e46bfeecaa1975ffa2f1cb2b0090
[pweil@localhost bpm-demo]$ git clone ssh://brmsAdmin@localhost:8001/loan
Cloning into 'loan'...
ssh_exchange_identification: read: Connection reset by peer
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
[pweil@localhost bpm-demo]$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS                                                                NAMES
36a61c3452d6        pweil/loan-demo     "/opt/jboss/jboss-eap"   About a minute ago   Up About a minute   0.0.0.0:8001->8001/tcp, 9990/tcp, 0.0.0.0:8080->8080/tcp, 9999/tcp   jboss-brms-pweil
	[root@ocp-master-30863601-0 0]# ausearch -m avc -ts recent
	----
	time->Wed Jun 13 16:53:26 2018
	type=PROCTITLE msg=audit(1528908806.025:28): proctitle=2F62696E2F62617368002D65002F7573722F6C6F63616C2F62696E2F656E747279706F696E74002F6F70742F6170702D726F6F742F7372632F616E7369626C652E7368
	type=SYSCALL msg=audit(1528908806.025:28): arch=c000003e syscall=2 success=no exit=-13 a0=7fda8ed30607 a1=80000 a2=1 a3=7fda8ef364f8 items=0 ppid=25690 pid=25707 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="entrypoint" exe="/usr/bin/bash" subj=system_u:system_r:container_t:s0:c613,c722 key=(null)
	type=AVC msg=audit(1528908806.025:28): avc: denied { read open } for pid=25707 comm="entrypoint" path="/etc/ld.so.cache" dev="sdb1" ino=33994991 scontext=system_u:system_r:container_t:s0:c613,c722 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
	----
	time->Wed Jun 13 16:53:26 2018
	type=PROCTITLE msg=audit(1528908806.026:29): proctitle=2F62696E2F62617368002D65002F7573722F6
	// OpenShiftConfig holds configuration for OpenShift
	type OpenShiftConfig struct {
	KubernetesConfig *KubernetesConfig `json:"kubernetesConfig,omitempty"`

	// ClusterUsername and ClusterPassword are temporary before AAD
	// authentication is enabled, and will be removed subsequently.
	ClusterUsername string `json:"clusterUsername,omitempty"`
	ClusterPassword string `json:"clusterPassword,omitempty"`

	ConfigBundles map[string][]byte `json:"-"`
	datasource:
	Azure:
	agent_command: [service, waagent, start]
	set_hostname: True
	hostname_bounce:
	interface: eth0
	policy: force
	command: "builtin"
	hostname_command: "hostname"
	[root@bastion ~]# df -h
	Filesystem Size Used Avail Use% Mounted on
	/dev/mapper/rootvg-rootvol 8.0G 2.4G 5.7G 30% /
	devtmpfs 1.7G 0 1.7G 0% /dev
	tmpfs 1.7G 0 1.7G 0% /dev/shm
	tmpfs 1.7G 408K 1.7G 1% /run
	tmpfs 1.7G 0 1.7G 0% /sys/fs/cgroup
	/dev/sda1 969M 127M 777M 14% /boot
	/dev/mapper/rootvg-var 16G 698M 16G 5% /var
	/dev/mapper/docker_vg-docker--root--lv 200G 33M 200G 1% /var/lib/docker
	[pweil@localhost codebase]$ mkdir tempgopath
	[pweil@localhost codebase]$ cd tempgopath/
	[pweil@localhost tempgopath]$ export GOPATH=`pwd`
	[pweil@localhost tempgopath]$ go get https://github.com/Azure/acs-engine
	package https:/github.com/Azure/acs-engine: "https://" not allowed in import path
	[pweil@localhost tempgopath]$ go get github.com/Azure/acs-engine
	[pweil@localhost origin]$ kubectl describe scc/anyuid
	Name: anyuid
	Namespace:
	Labels: <none>
	Annotations: kubernetes.io/description=anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID.
	Allow Host Dir Volume Plugin: false
	Allow Host IPC: false
	Allow Host Network: false
	Allow Host PID: false
	Allow Host Ports: false
	[pweil@localhost origin]$ oadm registry -o yaml
	apiVersion: v1
	items:
	- apiVersion: v1
	kind: ServiceAccount
	metadata:
	creationTimestamp: null
	name: registry
	- apiVersion: v1
	groupNames: null
	apiVersion: v1
	kind: DeploymentConfig
	metadata:
	creationTimestamp: '2017-09-26T17:43:12Z'
	generation: 33
	labels:
	component: es
	deployment: logging-es-data-master-7bqbidg1
	logging-infra: elasticsearch
	provider: openshift
	---
	tOp45vCI:
	hash: 1de7B0FRafWkVGOgGLFJ
	---
	prometheus:
	hash: $2a$12$EZGiozL9dmZL0c5UU9yGm.OfhdrVnr1Vv5fmhx8nKWKNT4QxDAkoO
	roles:
	- sg_role_prometheus
	[pweil@localhost bpm-demo]$ git clone ssh://brmsAdmin@localhost:8001/loan
	Cloning into 'loan'...
	ssh_exchange_identification: read: Connection reset by peer
	fatal: Could not read from remote repository.

	Please make sure you have the correct access rights
	and the repository exists.
	[pweil@localhost bpm-demo]$ docker ps
	CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
	36a61c3452d6 pweil/loan-demo "/opt/jboss/jboss-eap" About a minute ago Up About a minute 0.0.0.0:8001->8001/tcp, 9990/tcp, 0.0.0.0:8080->8080/tcp, 9999/tcp jboss-brms-pweil