Need advice on how to handle CVEs and automatic scanning

I'm sort of new to all this. I'm trying to get some sense of the state of security of all the machines I manage. I figured one way to do that is to automatically and periodically scan for CVEs. So I tried openSCAP and AWS inspector. And they just spam with huge lists of discovered problems on a fully updated system. Weirdly enough, what openSCAP calls medium, inspector happily calls high. So hard to judge severity just by looking at the list.

I've looked through the lists themselves, and there's one thing in common for all the problems: there are no patches yet, or state is some form of "needs confirmation." It seems unreasonable to hunt down the patches in all the relevant repositories and compile all the things myself, including dependencies. So I see two ways of handling those problems: ignore and wait for patches from upstream, or disable the package.

Ok, I can do that once, maybe twice. But how do I keep track of all that continuously without going insane? It's hard to believe that I'm the first to stumble on that problem, but googling does not help. It seems that I'm looking for the wrong things here.

What I'd like to be able to do is to track the state of those findings in time as I periodically scan my systems. So, once ignored item stays ignored, an item that does not yet have patches is marked one way, and the one that has a patch available is marked differently.

But maybe I'm approaching this all wrong? Any advice is welcome.

My machines are all Ubuntu if it matters. But it'd imagine, that situation is the same in other worlds.

https://redd.it/fvy0hz
@r_devops

How to develop more in-depth, SRE- relevant Linux knowledge?

Hi all,
I recently started my first SRE job straight out of college. While I have been using Linux as my primary OS for the past couple of years and I can use it comfortably, I feel my knowledge of linux is a bit lacking for an SRE. Can you all amazing people of r/devops suggest some resources or methods to learn more about how Linux stuff like process and memory management, user permissions, logging, networking, security etc?

Thank you for taking the time to read this!

https://redd.it/fvt6b7
@r_devops

Uninstall kustomize leftovers

Hi experts, what sort of techniques you used to uninstall Kustomize leftovers. Most of the time if you want to get rid of other resources installed by your Kustomize declaration, you execute \`kustomize build | kubectl delete -f -\` and followed by \`kustomize build | kubectl apply -f -\`. But this doesn't guarantee that it will remove those previous installed items that is not part of the manifest anymore or being renamed.

https://redd.it/fvvmz6
@r_devops

Deploys at Slack

Interesting post on the deploy process at Slack. I like how they go over how the deploy process evolved from rsync to something much more complicated:

https://slack.engineering/deploys-at-slack-cd0d28c61701

https://redd.it/fwbkhs
@r_devops

Stuck on SSH using CircleCI

Hi all,

I've just started using CircleCI to deploy code for me for personal projects. I have managed to get my config to deploy when using the \`circleci local execute\` cli but pushing it it always falls. I have tweaked the config as below to use the projects SSH key.

I generated a new SSH key and uploaded to the " Additional SSH Keys" section. When uploading the key I set the hostname to "[my-server.net](https://my-server.net)" (changed for obvious reasons). I then used the fingerprint that the web page showed and added to the config. I can log into the sever I need to using the key in question.

​

When running after a push it gets stuck at:

The authenticity of host 'my-server(123.123.123.123)' can't be established.
ECDSA key fingerprint is SHA256_VALUE.
Are you sure you want to continue connecting (yes/no)?

I then stop the job and then re-start allows SSH access to the run.

When I try to ssh in from within CircleCI I get the error:

username@my-server: Permission denied (publickey).

Can anyone suggest what I'm doing wrong?

​

version: 2.0
jobs:
build:
docker:
- image: cimg/base:2020.01
steps:
- checkout
- add_ssh_keys:
fingerprints:
- "my key fingerprint"
- run:
name: "Create build"
command: tar -czvf /tmp/build.tar.gz .
- run:
name: "Upload to remote server"
command: scp /tmp/build.tar.gz username@my-server:~/
- run:
name: "Install build"
command: |
ssh username@my-servertar -xvf build.tar.gz -C /var/www/vhosts/my-server/
ssh username@my-server"cd /var/www/vhosts/my-server/ && composer install"
- run:
name: "Reload NGINX"
command: ssh my-serversudo service nginx reload

Any suggestions would be massively appreciated.

https://redd.it/fwax4g
@r_devops

AWS CLI permission error

AWS CLI access denied - Workspaces

I’m getting an AWS CLI access denied error when attempting to get info about my AWS Workspaces machines.

Only thing I don’t get is that I am an aws administrator? Already double checked.

I’m running version 2.

I don’t want to check my workspaces one by one :(

Command I’m running

Aws workspaces describe-workspaces

https://redd.it/fw9g6u
@r_devops

Voice of reason

[Nothing new](https://i.imgur.com/XHdcKaG.jpg)

https://redd.it/fwennq
@r_devops

Need suggestions

I'm getting offer for a U.S client in my state(remotely in India) as a developer (Android,IOS,React, React Native,Angular). I'm in my last semester of B.tech and i was always interested in DevOps. Is it to be good idea to start as developer. I think it would be difficult to change profile after having experience as a developer . Do give your thoughts (i hope i won't regert this opportunity as recession is coming)

https://redd.it/fw7mp3
@r_devops

Packer hangs on building an Ubuntu 18 template on vmware (vsphere-iso: Waiting for SSH to become available...)

Hi,

I'm trying to build a vmware image of Ubuntu 18 with Packer , but it keeps failing with :

**vsphere-iso: Waiting for SSH to become available...**

I'm running Vmware vcenter 6.7, and packer 1.5.5 on a centos 8 host.
I have build centos7 and centos8 templates successfully.



Here is my variables file (variables.json)

{
"vsphere_server": "192.168.0.51",
"vsphere_username": "[email protected]",
"vsphere_password": "password",
"vsphere_datacenter": "Datacenter",
"vsphere_datastore": "datastore",
"vsphere_folder": "Templates",
"vsphere_host": "host.domain.local",
"vsphere_network": "network1",
"vsphere_template_folder": "Templates",
"ssh_root_username": "root",
"ssh_root_password": "password",
"ssh_username": "admin",
"ssh_password": "password"
}

Here is my json file (ubuntu18\_buildtemplate.json)

{
"builders": [
{
"type": "vsphere-iso",

"vcenter_server": "{{user `vsphere_server`}}",
"username": "{{user `vsphere_username`}}",
"password": "{{user `vsphere_password`}}",
"insecure_connection": "true",

"vm_name": "T-ubuntu18",
"datastore": "{{user `vsphere_datastore`}}",
"folder": "{{user `vsphere_folder`}}",
"host": "{{user `vsphere_host`}}",
"convert_to_template": "true",
"network": "{{user `vsphere_network`}}",
"boot_order": "disk,cdrom",

"guest_os_type": "ubuntu64Guest",

"ssh_username": "{{user `ssh_username`}}",
"ssh_password": "{{user `ssh_password`}}",

"CPUs": 1,
"RAM": 1024,
"RAM_reserve_all": false,

"disk_controller_type": "pvscsi",
"disk_size": 32768,
"disk_thin_provisioned": false,

"network_card": "vmxnet3",

"iso_paths": [
"[datastore] ISO/Linux/ubuntu-18.04.4-live-server-amd64.iso"
],


"floppy_files": [
"./ubuntu18_kickstart.cfg"
],
"boot_command": [
"<enter><wait><f6><wait><esc><wait>",
"<bs><bs><bs><bs><bs><bs><bs><bs><bs><bs>",
"<bs><bs><bs><bs><bs><bs><bs><bs><bs><bs>",
"<bs><bs><bs><bs><bs><bs><bs><bs><bs><bs>",
"<bs><bs><bs><bs><bs><bs><bs><bs><bs><bs>",
"<bs><bs><bs><bs><bs><bs><bs><bs><bs><bs>",
"<bs><bs><bs><bs><bs><bs><bs><bs><bs><bs>",
"<bs><bs><bs><bs><bs><bs><bs><bs><bs><bs>",
"<bs><bs><bs><bs><bs><bs><bs><bs><bs><bs>",
"<bs><bs><bs>",
"/install/vmlinuz",
" initrd=/install/initrd.gz",
" priority=critical",
" locale=en_US",
" file=/media/ubuntu18_kickstart.cfg",
"<enter>"
]
}
],

"provisioners": [
{
"type": "shell",
"inline": ["echo 'Template build complete'"]
}
]
}

Here is my kickstart file (ubuntu18\_kickstart.cfg)

&#x200B;

### Base system installation
d-i base-installer/kernel/override-image string linux-server

## Options to set on the command line
d-i debian-installer/locale string en_US.utf8
d-i console-setup/ask_detect boolean false
d-i console-setup/layout string USA

#--------------------------------------------------------------------------------
# ACCOUNTS
#--------------------------------------------------------------------------------
d-i passwd/user-fullname string admin
d-i passwd/username string admin
d-i passwd/user-password password password
d-i passwd/user-password-again password

password
d-i user-setup/allow-password-weak boolean true

d-i passwd/root-login boolean true
d-i passwd/root-password password password
d-i passwd/root-password-again password password

#--------------------------------------------------------------------------------
# Clock and time zone setup
#--------------------------------------------------------------------------------
#d-i clock-setup/utc boolean true
#d-i time/zone string UTC
#d-i time/zone string Europe/Paris


#Reboot after installation
reboot

#Use text mode install
text

#Install OS instead of upgrade
install


#--------------------------------------------------------------------------------
# NETWORK
#--------------------------------------------------------------------------------
# netcfg will choose an interface that has link if possible. This makes it
# skip displaying a list if there is more than one interface.
# netcfg/choose_interface=eth0 is set as the boot parameter.
#d-i netcfg/choose_interface select auto

# If you prefer to configure the network manually, uncomment this line and
# the static network configuration below.
#d-i netcfg/disable_autoconfig boolean true

# Disable that annoying WEP key dialog.
#d-i netcfg/wireless_wep string

# Static network configuration.
# IPv4 example
#d-i netcfg/get_ipaddress string xxx.96.102.139
#d-i netcfg/get_netmask string 255.255.255.192
#d-i netcfg/get_gateway string xxx.96.102.129
#d-i netcfg/get_nameservers string xxx.96.102.141
#d-i netcfg/confirm_static boolean true

# Any hostname and domain names assigned from dhcp take precedence over
# values set here. However, setting the values still prevents the questions
# from being shown, even if values come from dhcp.
# Hostname:
#netcfg netcfg/get_hostname string myhost

# Domain name:
#netcfg netcfg/get_domain string demo.local

# If you want to force a hostname, regardless of what either the DHCP
# server returns or what the reverse DNS entry for the IP is, uncomment
# and adjust the following line.
#d-i netcfg/hostname string myhost


#--------------------------------------------------------------------------------
# DISK PARTITIONNING
#--------------------------------------------------------------------------------
d-i partman-auto/disk string /dev/sda
d-i partman-auto/method string regular
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true


#--------------------------------------------------------------------------------
# EXTRA PACKAGES
#--------------------------------------------------------------------------------

d-i pkgsel/include string openssh-server open-vm-tools


#--------------------------------------------------------------------------------
# BOOT LOADER
#--------------------------------------------------------------------------------

d-i grub-installer/only_debian boolean true

#--------------------------------------------------------------------------------
# POST SCRIPTS
#--------------------------------------------------------------------------------
d-i preseed/late_command string \
echo 'admin ALL=(ALL) NOPASSWD: ALL' > /target/etc/sudoers.d/admin ; \
in-target chmod 440 /etc/sudoers.d/admin ; \
systemctl enable ssh;\
systemctl start ssh;


#--------------------------------------------------------------------------------
# FINISH INSTALL
#--------------------------------------------------------------------------------
d-i finish-install/reboot_in_progress note

&#x200B;

&#x200B;

Running packer:

./packer build -var-file variables.json

ubuntu18_buildtemplate.json

&#x200B;

&#x200B;

Here is the packer output:

vsphere-iso: output will be in this color.

==> vsphere-iso: Creating VM...
==> vsphere-iso: Customizing hardware...
==> vsphere-iso: Mounting ISO images...
==> vsphere-iso: Creating floppy disk...
vsphere-iso: Copying files flatly from floppy_files
vsphere-iso: Copying file: ./ubuntu18_kickstart.cfg
vsphere-iso: Done copying files from floppy_files
vsphere-iso: Collecting paths from floppy_dirs
vsphere-iso: Resulting paths from floppy_dirs : []
vsphere-iso: Done copying paths from floppy_dirs
==> vsphere-iso: Uploading created floppy image
==> vsphere-iso: Adding generated Floppy...
==> vsphere-iso: Set boot order...
==> vsphere-iso: Power on VM...
==> vsphere-iso: Waiting 10s for boot...
==> vsphere-iso: Typing boot command...
==> vsphere-iso: Waiting for IP...
==> vsphere-iso: IP address: 192.168.0.22
==> vsphere-iso: Using ssh communicator to connect: 192.168.0.22
==> vsphere-iso: Waiting for SSH to become available...
==> vsphere-iso: Timeout waiting for SSH.
==> vsphere-iso: Power off VM...
==> vsphere-iso: Deleting Floppy image ...
==> vsphere-iso: Destroying VM...
Build 'vsphere-iso' errored: Timeout waiting for SSH.

I don't know why it's hanging on ssh connection.

Also is there a way to generate a proper kickstart file like a on Centos ?
Do you have any clue ?

Thank you very much for your help.

https://redd.it/fw67s6
@r_devops

AWS Health Check Pricing

According to [Route53 pricing](https://aws.amazon.com/route53/pricing/#Health_Checks), health checks are charged at $0.50 per health check per month with a cap of 200 instances.

Do the health checks mentioned there apply to only manually created health checks (e.g. a self managed EC2 instance) or does it apply to containers automatically created health checks? I've seen documentation that states health checks for some AWS managed resources are free of charge (e.g. lambdas, s3 buckets) but I cannot find an exhaustive list of those resources.

Specifically, I am trying to validate that health checks for containers spun up by ECS are included in the free of charge bucket. I have to imagine this is the case otherwise the cost and 200 limit would be incredibly prohibitive.

https://redd.it/fw4hn0
@r_devops

Issue tracking and sprint planning - open source

My company has been producing enterprise products for the last couple years and we have done all our sprint planning, issue tracking, etc via JIRA. We are going to be releasing a public, open source version of our product soon and I’m looking for good ways to manage publicly submitted issues. We could have them submitted to JIRA as well, but I like issue tracker on GitHub for this since I have a preference for it and think a lot of others do as well. But if we use github for public issues, we still need to manage our internal tasks and sprints, which we currently do in JIRA.

Does anyone have experience using both of these together?

If so, is it cumbersome, or easy to follow and keep things organized?

Does anyone have a better solution they are currently taking advantage of for this use case?

Thanks

https://redd.it/fw53eg
@r_devops

If switching from Lubuntu to Debian, what will I gain and what will I miss?

I am currently running Lubuntu 18.04, and now Lubuntu 20.04 is coming with LXDE replaced with LXQT and other changes that I am not familiar with.
I am wondering if switching to Debian is a good idea.

- If switching from Lubuntu to Debian, what will I gain and what will I miss?

- Which Debian + which desktop + stable/test/... installation is great?



I don't have a clear idea. The following is some considerations which might be relevant:

1. Light weight. Especially the desktop environment should provide convenience but no much more than necessary. I am fine in command line, but sometimes have to access GUI software as good alternatives. That was the reason that I switched from Ubuntu (Gnome) to Lubuntu (LXDE) a few years ago.

2. support for repositories and package management. Besides regular OS functionalities, I am learning

- data engineering technologies (Apach Spark, Kafka, Hadoop, ...), data analysis (R packages, Sckitlearn, Tensorflow, ...), and

- web services/applications (Flask, ASP.NET Core)

- programming languages and virtual machines (JVM, Java, Scala, .NET Core, C#, Python, R, ...)

- virtual machines (VirtualBox, KVM, ...) and containers (Docker) and compatible layers (Wine which is very essential to me as I am using some Windows programs via Wine).


Thanks.

https://redd.it/fvz00l
@r_devops

Deploying a .war application on a tomcat server

0

I am trying to deploy my hello.war file (Java application) on my tomcat server.

At first I do it from the "Manager App" on tomcat's default page, and it shows off afterwards in the Applications section. (Attached below circled in red)

But when I try to connect to it by clicking on that link ([https://ip-address/hello](https://ip-address/hello)) it gives me a standard "HTTP Status 404 – Not Found" with the description: "The origin server did not find a current representation for the target resource or is not willing to disclose that one exists." (picture below)

I even try putting my hello.war file manually in the server in the appropriate folder location ("/opt/tomcat/apache-tomcat-9.0.33/webapps") and add read, execute permissions to 'others' on the .war file, add user 'tomcat' as the owner of the file, restart the service. But still nothing seems to help and I still get that 404

https://redd.it/fvuld3
@r_devops

How to show "Prod" tag next to current deployed commit?

Hello,

I was wondering if anyone has used a tool that integrates with your deployment pipeline to show a tag next to the currently deployed commit when looking at your repo?

[A mockup of what I mean](https://familiarcycle.net/assets/images/azure-devops-repo-mockup.png)

Many services will show a green checkmark next to a commit when it has finished going through the CI/CD pipeline, but I find that style of UI to be lacking when there are multiple environments, such as Test, Staging, and Production.

https://redd.it/fvohtr
@r_devops

Is there any way to launch some commands on each created node automatically when autoscaling in AWS EKS cluster ?

I have set an AWS EKS cluster and i could launch some commands on each node manually, but when it comes to autoscaling it would be irrelevant to run yourself those commands on each created node, so is there any way to execute automatically some initialization commands on each newly created node and just before scheduling any pod on it ?

https://redd.it/fuwf4n
@r_devops

The *very first* connection using Ansible

I read lots of "first five minutes/first ten minutes" articles about using Ansible to set up and manage a server. But all of them seem to skip over the initial starting point. Here's the setup:

- I have a brand new VPS from some hosting company. (I'm partial to Ubuntu, but I suspect it doesn't matter.) They tell me the root password, and sure enough, I can SSH in.

- There's no .ssh directory, or any public key stuff installed on the target host.

- My end goal is to have an Ansible script (or set of scripts) that can take that totally-unconfigured server (with root password) and set up a non-root account, block root login, etc.

Any pointers to a single script or set of scripts? Many thanks.

**Update:** I realize I didn't ask the right question... I really want to know:

Do people use two different playbooks: one for the "brand new VPS" that only has root SSH access (and that creates a non-root account, turns off root login, etc) and a second playbook that gets run anytime the config needs to be tweaked?

https://redd.it/fuulkj
@r_devops

Prometheus for monitoring : What features do you think it lacks compared to APM tools?

I am sure many folks here use Prometheus/Grafana for monitoring infrastructure and applications. What features you find that Prometheus/Grafana lacks compared to full-fledged APM like DataDog?


Some features which I can think of are reporting - like generating PDF reports to send it to team or management. Another is a visualization of overall infra - in terms of server maps and microservices in them.


What are other such features you find lacking in Prometheus/Grafana compared to paid solutions?

https://redd.it/futqal
@r_devops

Should an authentication service have its own load balancer or sit behind the API Gateway?

I'm designing my first microservice architecture and I'm starting to understand how all of the pieces fit together. One thing that is confusing me a little is where in the network topology the authentication service should sit. It's not a "regular" microservice (or is it?) so I'm not sure if it should be treated the same as the others.

I'm planning to have the API gateway at `api.example.com` and the authentication service at `identity.example.com`, each with their own load balancer. All microservices and the authentication service will be in a private subnet.

What I like about this, is that users can login at a nice URL: `identity.example.com`.

The alternative is to put the authentication service behind the API gateway, accessible at `api.example.com/identity`. This is not a very elegant URL for users logging in.

[Architecture diagram for context](https://imgur.com/gg26CaW.png)

**What are the pros and cons to either approach?**

https://redd.it/futhi2
@r_devops

help finding a tool

I'm struggling to find a tool (that I assume exists), I think mostly because I can't find the right terms to Google.

What I'm looking for is a lean tool where I can manage all my configs/settings/variables that get used across different deployments of a project. So for example I have a 3rd Party API I'm using. For local development and the dev server, I want it to be https://dev.test.com/api/ and for staging and production I want it to be https://test.com/api. Furthermore, I want this variable available in Kubernetes YAML files, Dockerfiles, Python config files, and possibly other places.

Is there a simple tool that will allow me to keep one or two top level config files, then inject those variables into all the other places I need?


I think something like Terraform would work, but is also overkill to integrate just to get this one piece of functionality.

https://redd.it/fwpbzx
@r_devops