Mathieu Tortuyaux tormath1

# butane < config.yml > ignition.json
---
variant: flatcar
version: 1.0.0
storage:
  disks:
    - device: /dev/vda
      partitions:
        - number: 9
          label: ROOT
@tormath1
tormath1 / README.md
Last active March 10, 2022 12:22
Run a Tor bridge on Flatcar

The goal of this Gist is to run a Tor bridge from a Flatcar instance provisioned through Ignition. In this example it is deployed locally with QEMU, but the same approach can be extended to other targets (Terraform and so on).

Requirements:

  • ct
  • qemu setup

Pull the latest stable release of Flatcar:

# ct --platform custom < ./config.yml | jq > ignition.json
systemd:
  units:
    - name: update-engine.service
      enable: true
    - name: etcd-member.service
      enable: true
    - name: locksmithd.service
      enable: true
      dropins:
@tormath1
tormath1 / config.yaml
Created November 5, 2021 10:15
iptables restore
# ct --in-file ./config.yml --pretty > ./ignition.json
storage:
  files:
    - path: /var/lib/iptables/rules-save
      filesystem: root
      mode: 0644
      contents:
        inline: |
          *filter
          -A INPUT -p tcp --dport ssh -j ACCEPT
sudo ./bin/kola run \
--board arm64-usr \
-d -v -b cl -p qemu \
--qemu-image /home/mathieu/kinvolk/arm64/flatcar_production_image.bin \
--qemu-bios=./flatcar_production_qemu_uefi_efi_code.fd \
cl.internet
=== RUN cl.internet/UpdateEngine
=== RUN cl.internet/DockerPing
=== RUN cl.internet/DockerEcho
=== RUN cl.internet/NTPDate
From dacbed2586288c5040e61c2856f455f64c35d39c Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux <[email protected]>
Date: Tue, 20 Jul 2021 14:07:48 +0200
Subject: [PATCH] dev-lang/perl: apply tmp flatcar changes
temporary patch to fix https://github.com/Perl/perl5/issues/10651#issuecomment-882722892
Signed-off-by: Mathieu Tortuyaux <[email protected]>
---
dev-lang/perl/files/define.patch | 11 +++++++++++
--- services/virt.te
+++ services/virt.te
@@ -1377,3 +1377,31 @@ sysnet_dns_name_resolve(virtlogd_t)
virt_manage_log(virtlogd_t)
virt_read_config(virtlogd_t)
+
+require {
+ type kernel_t;
+ type tmpfs_t;
@tormath1
tormath1 / selinux-policy-2.diff
Created June 4, 2021 14:15
patch to fix POLICY_PATCH applying
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index 5def86fbe..8f69847a9 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -179,11 +179,12 @@ selinux-policy-2_src_prepare() {
# Apply the additional patches refered to by the module ebuild.
# But first some magic to differentiate between bash arrays and strings
- if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]]; then
- [[ -n ${POLICY_PATCH[*]} ]] && eapply -d "${S}/refpolicy/policy/modules" "${POLICY_PATCH[@]}"
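Review bot: the removed `declare -p POLICY_PATCH 2>/dev/null 2>&1` applies two redirections to stderr and the later `2>&1` wins, so any error text from `declare -p` ends up in the command substitution and is fed into the `== "declare -a"*` comparison instead of being discarded; the replacement lines are not shown in this excerpt, so confirm the new check uses a single `2>/dev/null` and still distinguishes a bash array (`declare -a`) from a plain string before passing `${POLICY_PATCH[@]}` to `eapply`.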
@tormath1
tormath1 / README.md
Last active May 2, 2021 11:39
Generate a CVE summary from a CVE list

Usage example:

$ go run ./main.go -cvefile ./cves.txt | jq
[
  {
    "score": 5.9,
    "severity": "MEDIUM",
    "description": "A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a denial of service. The highest threat from this vulnerability is to system availability."
  },
  {
Apr 21 14:33:28 localhost systemd[1]: Starting kubelet.service...
Apr 21 14:33:28 localhost systemd[1]: Started kubelet.service.
Apr 21 14:33:28 localhost kubelet[2722]: Flag --register-schedulable has been deprecated, will be removed in a future version
Apr 21 14:33:28 localhost kubelet[2722]: Flag --pod-manifest-path has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Apr 21 14:33:29 localhost kubelet[2722]: I0421 14:33:29.498947 2722 server.go:417] Version: v1.18.0
Apr 21 14:33:29 localhost kubelet[2722]: I0421 14:33:29.499496 2722 plugins.go:100] No cloud provider specified.
Apr 21 14:33:29 localhost kubelet[2722]: I0421 14:33:29.592520 2722 server.go:646] --cgroups-per-qos enabled, but --cgroup-root was not specified. defaulting to /
Apr 21 14:33:29 localhost kubelet[2722]: I0421 14:33:29.593185 2722 container_manager_linux.go:266] con