strigazi

http {
  log_format bodylog '$remote_addr - $remote_user [$time_local] '
      '"$request" $status $body_bytes_sent '
      '"$http_referer" "$http_user_agent" $request_time '
      '<"$request_body" >"$resp_body"';

  lua_need_request_body on;

  set $resp_body "";
  body_filter_by_lua '

strigazi

{
  "ignition": { "version": "3.0.0" },
  "systemd": {
    "units": [
      {
        "contents": "[Unit]\nDescription=Run heat-container-agent\nAfter=network-online.target\nWants=network-online.target\n\n[Service]\nExecStartPre=mkdir -p /var/lib/heat-container-agent\nExecStartPre=mkdir -p /var/run/heat-config\nExecStartPre=mkdir -p /var/run/os-collect-config\nExecStartPre=mkdir -p /opt/stack/os-config-refresh\nExecStartPre=mkdir -p /srv/magnum\nExecStartPre=-/bin/podman rm -f heat-container-agent\nExecStart=/bin/podman run \\\n        --name heat-container-agent \\\n        --privileged \\\n        --volume /srv/magnum:/srv/magnum \\\n        --volume /opt/stack/os-config-refresh:/opt/stack/os-config-refresh \\\n        --volume /run/systemd:/run/systemd \\\n        --volume /etc/:/etc/ \\\n        --volume /var/lib:/var/lib \\\n        --volume /var/run:/var/run \\\n        --volume /var/log:/var/log \\\n        --volume /tmp:/tmp \\\n        --volume /dev:/dev \\\n        --net=host \\\n        docker.io/o

strigazi

Content-Type: multipart/mixed; boundary="===============0805081514788562408=="
MIME-Version: 1.0

--===============0805081514788562408==
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config"

strigazi

Content-Type: multipart/mixed; boundary="===============1175957420267015713=="
MIME-Version: 1.0

--===============1175957420267015713==
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config"

strigazi

---
apiVersion: v1
kind: Service
metadata:
  name: go-server
  labels:
    app: go-server
spec:
  type: ClusterIP
  ports:

strigazi

---
# Source: nginx-ingress/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.6.1
    component: "controller"
    heritage: Tiller

strigazi

#cloud-config
merge_how: dict(recurse_array)+list(append)
write_files:
  - path: /etc/sysconfig/heat-params
    owner: "root:root"
    permissions: "0600"
    content: |
      CGROUP_DRIVER="$CGROUP_DRIVER"
      NETWORK_DRIVER="$NETWORK_DRIVER"
      TLS_DISABLED="$TLS_DISABLED"

strigazi

root@strigazi-kubeadm-cluster-02:/home/ubuntu# strings /usr/bin/docker-runc  | tail -n5
.debug_str
.debug_loc
.debug_pubtypes
.debug_ranges
.debug_gdb_scripts
root@strigazi-kubeadm-cluster-02:/home/ubuntu# sha256sum /usr/bin/docker-runc 
6cd5b2d83cfe84fc59947cf4a17898ebfd03d61e13ce0dc179be787b77104a3a  /usr/bin/docker-runc
root@strigazi-kubeadm-cluster-02:/home/ubuntu# /usr/bin/docker-runc --version
runc version 1.0.0-rc5+dev

strigazi

[root@strigazi-fa-01 fedora]# sha256sum /usr/bin/runc
32ef8e0ae2b98dd0aab3e92699cac3d99894287f94e0887c5d23dc10c7b438b8  /usr/bin/runc
[root@strigazi-fa-01 fedora]# docker run gitlab-registry.cern.ch/strigazi/containers/cve-2019-5736-poc
...
Status: Downloaded newer image for gitlab-registry.cern.ch/strigazi/containers/cve-2019-5736-poc:latest
HAX2: argv: /proc/self/fd/3
HAX2: fd: -1
HAX2: res: -1, 9
[root@strigazi-fa-01 fedora]# strings /usr/bin/runc | tail -n 3
.text

strigazi

#!/bin/bash

# Thanks to https://github.com/tdg5/blog/blob/0d80ab3e5ad30fe08426b444f98c0b5774cc0578/_includes/scripts/dd_obs_test.sh

# Since we're dealing with dd, abort if any errors occur
set -e

TEST_FILE=${1:-dd_obs_testfile}
TEST_FILE_EXISTS=0
if [ -e "$TEST_FILE" ]; then TEST_FILE_EXISTS=1; fi