JuanJo Ciarlante jjo

🏠
Working from home
View GitHub Profile
@jjo
jjo / Dockerfile
Last active October 21, 2024 22:58
Dockerfile to build a containerized `firefox` (under Debian), plus `run.sh` to run it -- READ THE DANGERS
# Use Debian Bookworm as the base image
FROM debian:bookworm-slim
# Update the package list and install necessary dependencies
RUN apt-get update && apt-get install -y \
firefox-esr \
libcanberra-gtk3-module \
libdbus-glib-1-2 \
libgtk-3-0 \
libx11-xcb1 \
@jjo
jjo / 01-promql-vector-label_replace-abuse.md
Last active November 23, 2023 18:38
PromQL fun abusing `vector()` and `label_replace()` to create ~arbitrary timeseries, note these are used from grafana's /explore (for those ${__to:...} expressions)

Building a sinusoidal, back from now, using vector and label_replace.

round(
    8  # <- number of nodes
    *
    (1-sin(vector((time()-(${__to:date:seconds}))/(3600*10) * pi()))) / 2
)
* on() group_right() (
 label_replace(vector(0.0445000) , "spend", "cpu", "", "") * 8 # <- vCPU per node
@fusetim
fusetim / protonvpn-wireguard-generator.py
Last active March 15, 2025 07:29
Generate lots of Wireguard configuration for your ProtonVPN Account.
import http.client
import http.cookies
import json
import base64
import hashlib
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import x25519
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives import hashes
#!/bin/bash
#
# Workaround CVE-2019-5736 via patched runc provided by
# https://github.com/rancher/runc-cve
# The script does:
# 1) find "docker-runc" executable and docker version
# 2) download corresponding patched runc
# 3) dpkg-divert (i.e. "permanently move") the package-installed runc and replace it with the one from 2)
#
# Run with "-n" for dry-run.
@jjo
jjo / node-custom-setup.yaml
Last active January 28, 2023 03:23
Run commands at Kubernetes *nodes* via `privileged` DaemonSet + `nsenter` hack, very useful for setups requiring base packages pre-installed at nodes. Please take a moment to understand what it does, and *don't* use it for *production*. Grab the logs with: kubectl logs -n kube-system -l k8s-app=node-custom-setup -c init-node
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
namespace: kube-system
name: node-custom-setup
labels:
k8s-app: node-custom-setup
annotations:
command: &cmd apt-get update -qy && apt-get install -qy tgt ceph-fs-common ceph-common xfsprogs
@jjo
jjo / kubectl-root-in-host-nopriv.sh
Last active February 5, 2024 23:07
Yeah. Get a root shell at any Kubernetes *node* via `privileged: true` + `nsenter` sauce. PodSecurityPolicy will save us. DenyExecOnPrivileged didn't (kubectl-root-in-host-nopriv.sh exploits it)
#!/bin/sh
# Launch a Pod abusing a hostPath mount to land on a Kubernetes node as root
# without requiring `privileged: true`; in particular this bypasses the
# `DenyExecOnPrivileged` admission controller.
# The Pod command in turn runs a privileged container via the node's /var/run/docker.sock.
node=${1}
case "${node}" in
"")
nodeSelector=''
podName=${USER+${USER}-}docker-any
#!/bin/sh
# Launch a Pod abusing `privileged: true` to land on a Kubernetes node as root:
# uses `privileged: true` to then nsenter into init's (root) mount namespace,
# with hostPID and hostNetwork already set on the Pod.
node=${1}
case "${node}" in
"")
nodeSelector=''
podName=${USER+${USER}-}sudo-any
;;
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
namespace: kube-system
name: kube-proxy-cleanup
labels:
k8s-app: kube-proxy-cleanup
spec:
selector:
matchLabels:
@jjo
jjo / docker-netstat.out
Created August 1, 2017 19:17
docker containers' socket usage, example run inside minikube -- https://twitter.com/xjjo/status/892464000235130881
# docker ps|sed '1d;s,>,_,'|xargs -I@ sh -c 'set @;echo == $2;nsenter -n -t $(docker inspect -f "{{.State.Pid}}" $1) netstat -an'
== gcr.io/google_containers/k8s-dns-kube-dns-amd64@sha256:40790881bbe9ef4ae4ff7fe8b892498eecb7fe6dcc22661402f271e03f7de344
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 172.17.0.6:52640 10.0.0.1:443 ESTABLISHED
tcp 0 0 :::10053 :::* LISTEN
tcp 0 0 :::10054 :::* LISTEN
tcp 0 0 :::10055 :::* LISTEN
tcp 0 0 :::8081 :::* LISTEN
@bse666
bse666 / upgrade.sh
Last active March 15, 2025 00:27
upgrade Ubuntu without interaction
# https://askubuntu.com/questions/250733/can-i-do-a-silent-or-unattended-release-upgrade
# The following command upgrades to the new stable release without prompts:
do-release-upgrade -f DistUpgradeViewNonInteractive
# The following command upgrades to the current development release without prompts:
do-release-upgrade -d -f DistUpgradeViewNonInteractive
# Really Unattended
## --force-confdef: ask dpkg to decide alone when it can and prompt otherwise.
## --force-confold: do not modify the current configuration file, the new version is installed with a .dpkg-dist suffix.
# create file /etc/apt/apt.conf.d/local