Inguss Neilands IngussNeilands

@IngussNeilands
IngussNeilands / ansible.cfg
Created October 31, 2017 16:38 — forked from nazarewk/ansible.cfg
Ansible SSH Agent forwarding with Jump (bastion) host
[defaults]
sudo_flags = SSH_AUTH_SOCK="$SSH_AUTH_SOCK" -H -S -n
[ssh_connection]
ssh_args=-o ForwardAgent=yes
IngussNeilands / gist:59e515cd689ae1c5179edcf3df7c1cab
Last active November 3, 2017 11:07
Docker: Remove all images and containers
#!/bin/bash
# Delete all containers
docker rm $(docker ps -a -q)
# Delete all images
docker rmi $(docker images -q)
As of 1.13.0, see the new prune commands:
docker container prune # Remove all stopped containers
docker volume prune # Remove all unused volumes
# Count metrics that have received samples in the last 5 minutes:
topk(100, count by (__name__, job)({__name__=~".+"}))
IngussNeilands / 00_README.md
Created November 6, 2017 16:19 — forked from CrackerJackMack/00_README.md
ansible fact caching redis password different port

Everything I've read is that redis fact caching in ansible doesn't support db/password/ports, but that is untrue. It's undocumented and it will most likely change in the future, but here is how it works. It takes the fact_caching_connection, splits it on the colon, and passes it as *args to redis.StrictRedis. Db is typically 0 if you weren't sure. If you aren't sure if the ansible version you are using supports this, just check the plugins/redis.py for how it passes the connection string to StrictRedis. Works with 2.2.0.0 at least.

# hostname:port:db:password
localhost:6379:0:secret
public_ip:293451:0:supersercretnobodycanguessthis
IngussNeilands / es-dump-index.py
Created November 8, 2017 10:40 — forked from spikeekips/es-dump-index.py
The simple script to dump the data from ElasticSearch for inserting by bulk API.
# -*- coding: utf-8 -*-
"""
################################################################################
Dump ElasticSearch index for inserting BULK
################################################################################
requires `rawes`.
for more details, run `-h` to show help message.
IngussNeilands / PackerPolicy.json
Created March 2, 2018 15:42 — forked from MattSurabian/PackerPolicy.json
Minimum IAM policy required by AWS for Packer to do its thing. https://github.com/mitchellh/packer Permissions are broken out by API functionality and a resource array has been defined with a wild card for each group. For tighter security resource level permissions can be applied per this documentation: http://aws.typepad.com/aws/2013/07/resourc…
{
"Statement": [
{
"Sid": "PackerSecurityGroupAccess",
"Action": [
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress"
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "NonResourceBasedReadOnlyPermissions",
"Action": [
"ec2:DescribeSubnets",
"ec2:DescribeSnapshots",
"ec2:DescribeImages",
"ec2:DescribeVolumes",
IngussNeilands / gist:10e42e24338d09c12c289d70d25fce53
Created August 22, 2018 12:47 — forked from aws-scripting-guy/gist:884ffa9d44bd14f7493a670543284552
AWS EC2 metadata. Check attached IAM role from EC2 instance. Get temporary credentials.
# Get IAM Role name from Instance Profile Id
curl http://169.254.169.254/latest/meta-data/iam/info
# Get credentials
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
# More info
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
# set Digital Ocean token with:
# export TF_VAR_do_token="..."
variable "do_token" {}
# set health check port
variable "hc_port" {
default = 8000
}
# Initialize provider
IngussNeilands / kubectl-root-in-host-nopriv.pks.sh
Created November 28, 2019 09:59 — forked from jjo/kubectl-root-in-host-nopriv.sh
Yeah. Get a root shell at any Kubernetes *node* via `privileged: true` + `nsenter` sauce. PodSecurityPolicy will save us. DenyExecOnPrivileged didn't (kubectl-root-in-host-nopriv.sh exploits it)
#!/bin/sh
# Launch a Pod ab-using a hostPath mount to land on a Kubernetes node cluster as root
# without requiring `privileged: true`, in particular can abuse `DenyExecOnPrivileged`
# admission controller.
# Pod command in turn runs a privileged container using node's /var/run/docker.sock.
#
# Tweaked for PKS nodes, which run their docker stuff from different
# /var/vcap/... paths
node=${1}
case "${node}" in