https://luiscachog.io/tag/linux/LinuxWowchemy (https://wowchemy.com)en-usTue, 03 Dec 2019 00:00:00 +0000https://luiscachog.io/media/icon_hu4fa4dbbaafd6f1b45a88958b9b4a0dd0_11007_512x512_fill_lanczos_center_3.pnghttps://luiscachog.io/tag/linux/https://luiscachog.io/gestion-de-history/Tue, 03 Dec 2019 00:00:00 +0000https://luiscachog.io/gestion-de-history/<details class="toc-inpage d-print-none " open> <summary class="font-weight-bold">Table of Contents</summary> <nav id="TableOfContents"> <ul> <li><a href="#mostrar-la-fecha-y-hora-de-cuando-escribimos-comandos">Mostrar la fecha y hora de cuando escribimos comandos</a></li> <li><a href="#control-del-tamaño-del-archivo-de-logs-histórico">Control del tamaño del archivo de logs histórico</a> <ul> <li><a href="#control-de-duplicados-en-el-histórico">Control de duplicados en el histórico</a></li> <li><a href="#path-para-guardar-el-archivo-de-logs-histórico">Path para guardar el archivo de logs histórico</a></li> </ul> </li> </ul> </nav> </details> <p>El archivo de logs histórico (history) tiene varias opciones que podemos cambiar para tener un mejor control del mismo. Aquí vamos a ver algunas opciones para el control y gestión del fichero del log histórico (history).</p> <h2 id="mostrar-la-fecha-y-hora-de-cuando-escribimos-comandos">Mostrar la fecha y hora de cuando escribimos comandos</h2> <p>Para mostrar la fecha y hora en el formato que requieras puedes agregas las lineas siguientes:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">HISTTIMEFORMAT</span><span class="o">=</span><span class="s1">&#39;- %F %T - &#39;</span> </span></span></code></pre></div><h2 id="control-del-tamaño-del-archivo-de-logs-histórico">Control del tamaño del archivo de logs histórico</h2> <p>Tenemos dos variables de entorno para ello, <em>HISTSIZE</em> y <em>HISTFILESIZE</em>, que indican el tamaño del fichero, por ejemplo:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">HISTSIZE</span><span class="o">=</span><span class="m">1000</span> </span></span><span class="line"><span class="cl"><span class="nv">HISTFILESIZE</span><span class="o">=</span><span class="m">1000</span> </span></span></code></pre></div><p>Con esto hacemos que el tamaño máximo del fichero de logs histórico sea de 1000 comandos o líneas.</p> <div class="alert alert-note"> <div> <p>Si ponemos el tamaño de la variable <em>HISTSIZE</em> a <strong>cero</strong> hacemos que no se guarde nada en el archivo de logs histórico</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">HISTSIZE</span><span class="o">=</span><span class="m">0</span> </span></span></code></pre></div> </div> </div> <h3 id="control-de-duplicados-en-el-histórico">Control de duplicados en el histórico</h3> <p>En el log histórico se van guardando <strong>TODOS</strong> los comandos que se van introduciendo aunque repitamos 20 veces el mismo comando, se guardará 20 veces, lo cual es en ocasiones una perdida de espacio. Por lo que podemos usar la variable <em>HISTCONTROL</em> para hacer 2 cosas:</p> <ul> <li>Eliminar los duplicados consecutivos con <em>ignoredups</em>.</li> <li>Eliminar los duplicados sean o no consecutivos con <em>erasedups</em>.</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">HISTCONTROL</span><span class="o">=</span>ignoredups </span></span><span class="line"><span class="cl"><span class="nv">HISTCONTROL</span><span class="o">=</span>erasedups </span></span></code></pre></div><h3 id="path-para-guardar-el-archivo-de-logs-histórico">Path para guardar el archivo de logs histórico</h3> <p>Por defecto el histórico se guarda en <code>~/.bash_history</code> pero podemos indicar donde guardarlo con la variable <em>HISTFILE</em>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">HISTFILE</span><span class="o">=</span>~/.bitacora. </span></span></code></pre></div><p>Un truco muy bueno cuando en un mismo servidor entran varios administradores que se pasan a root y poder controlar y guardar que hace cada uno es: Guardar un archivo de logs histórico por cada uno de ellos. Lo puedes hacer de la siguiente forma:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">HISTSIZE</span><span class="o">=</span><span class="m">5000</span> </span></span><span class="line"><span class="cl"><span class="nv">HISTFILESIZE</span><span class="o">=</span><span class="m">5000</span> </span></span><span class="line"><span class="cl"><span class="nv">HISTFILE</span><span class="o">=</span>/root/.bash_hist-<span class="k">$(</span>who am i <span class="p">|</span> awk <span class="s1">&#39;{print $1}&#39;</span><span class="p">;</span><span class="nb">exit</span><span class="k">)</span> </span></span></code></pre></div><p>Con esto se guardará en el home de del usuario root un archivo de logs histórico por cada uno de los usuarios que se hayan pasado a root. El tamaño se puede ampliar o reducir a gusto. También podemos poner que ignore duplicados.</p> <p>Todas estas variables debemos ponerlas en un archivo donde se activen al arranque que puede ser <code>~/.bashrc</code>.</p> <p>Espero les sea útilidad.</p> <p>&#x1f604;</p>https://luiscachog.io/docker-login-the-right-way/Wed, 15 May 2019 00:00:00 +0000https://luiscachog.io/docker-login-the-right-way/<details class="toc-inpage d-print-none " open> <summary class="font-weight-bold">Table of Contents</summary> <nav id="TableOfContents"> <ul> <li><a href="#credential-store">Credential Store</a></li> <li><a href="#docker-credential-helpers">Docker Credential Helpers</a></li> <li><a href="#docker-credential-secret-service">docker-credential-secret service</a></li> </ul> </nav> </details> <h1 id="docker-login-the-right-way">Docker Login the right Way</h1> <p>Hi again!</p> <p>It is been a while since I wrote something here, as always, there is no much time for a hobby.</p> <p>I&rsquo;ve been working for a while with docker, not a production level, but for some applications that I use at work. And since the <a href="https://www.zdnet.com/article/docker-hub-hack-exposed-data-of-190000-users/" target="_blank" rel="noopener">Docker Hub Data breach</a> I put more atention on the security of my data/credentials, so I investigate a little about and found this official repository <a href="https://github.com/docker/docker-credential-helpers/" target="_blank" rel="noopener">https://github.com/docker/docker-credential-helpers/</a> from Docker where are the supported credential helpers.</p> <h2 id="credential-store">Credential Store</h2> <p>Docker keeps our credentials saved on a JSON file located on <code>~/.docker/config.json</code>, but unfortunatelly credentials are just encrypted on base64, here is an <a href="https://fosdem.org/2019/schedule/event/base64_not_encryption/" target="_blank" rel="noopener">articule/video</a> where there is an explanation for the why it is a bad idea to just use base64 encryption.</p> <p>The following is a diagram on how a plain text storage works:</p> <figure id="figure-docker-plain-text-storage"> <div class="d-flex justify-content-center"> <div class="w-100" ><img alt="Plain Text Storage" srcset=" /media/posts/docker-login-the-right-way/DockerPlainTextCredentials_hu371181661409e61f690ceccfb695d5d5_82530_0db582c8916ffc5cd1b1225c42276838.webp 400w, /media/posts/docker-login-the-right-way/DockerPlainTextCredentials_hu371181661409e61f690ceccfb695d5d5_82530_b27b4b3bd220158c0d85a61a2d4ae88b.webp 760w, /media/posts/docker-login-the-right-way/DockerPlainTextCredentials_hu371181661409e61f690ceccfb695d5d5_82530_1200x1200_fit_q90_h2_lanczos_3.webp 1200w" src="https://luiscachog.io/media/posts/docker-login-the-right-way/DockerPlainTextCredentials_hu371181661409e61f690ceccfb695d5d5_82530_0db582c8916ffc5cd1b1225c42276838.webp" width="760" height="570" loading="lazy" data-zoomable /></div> </div><figcaption> Plain Text Storage </figcaption></figure> <p>Here is an example on how <code>~/.docker/config.json</code> looks like when is using plain text credentials:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">cat ~/.docker/config.json </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;auths&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;https://index.docker.io/v1/&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;auth&#34;</span>: <span class="s2">&#34;azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo=&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;quay.io&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;auth&#34;</span>: <span class="s2">&#34;azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo=&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;HttpHeaders&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;User-Agent&#34;</span>: <span class="s2">&#34;Docker-Client/18.09.6 (linux)&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><p>After a successful <code>docker login</code> command, Docker stores a base64 encoded string from the concatenation of the username, a colon, and the password and associates this string to the registry the user is logging into:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">$ <span class="nb">echo</span> <span class="nv">azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo</span><span class="o">=</span> <span class="p">|</span> base64 -d - </span></span><span class="line"><span class="cl">luiscachog:supersecretpassword </span></span></code></pre></div><p>A <code>docker logout</code> command removes the entry from the JSON file for the given registry:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">$ docker <span class="nb">logout</span> quay.io </span></span><span class="line"><span class="cl">Remove login credentials <span class="k">for</span> quay.io </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ cat ~/.docker/config.json </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;auths&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;https://index.docker.io/v1/&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;auth&#34;</span>: <span class="s2">&#34;azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo=&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;HttpHeaders&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;User-Agent&#34;</span>: <span class="s2">&#34;Docker-Client/18.09.6 (linux)&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><h2 id="docker-credential-helpers">Docker Credential Helpers</h2> <p>Since docker version <code>1.11</code> implements support from an external credential store for registry authentication. That means we can use a native keychain of the OS. Using an external store is more secure than storing on a &ldquo;plain text&rdquo; Docker configuration file.</p> <figure id="figure-docker-secure-storage"> <div class="d-flex justify-content-center"> <div class="w-100" ><img alt="Secure Storage" srcset=" /media/posts/docker-login-the-right-way/DockerSecureCredentials_huadaed0eecd0771dd576c62f4a77f8685_87803_dfab2c86655b67a2dd7b453f742b7daa.webp 400w, /media/posts/docker-login-the-right-way/DockerSecureCredentials_huadaed0eecd0771dd576c62f4a77f8685_87803_67d1fdd1b117feb8b3cab43352b4a5be.webp 760w, /media/posts/docker-login-the-right-way/DockerSecureCredentials_huadaed0eecd0771dd576c62f4a77f8685_87803_1200x1200_fit_q90_h2_lanczos_3.webp 1200w" src="https://luiscachog.io/media/posts/docker-login-the-right-way/DockerSecureCredentials_huadaed0eecd0771dd576c62f4a77f8685_87803_dfab2c86655b67a2dd7b453f742b7daa.webp" width="760" height="543" loading="lazy" data-zoomable /></div> </div><figcaption> Secure Storage </figcaption></figure> <p>In order to use a external credential store, we need a program to interact with.</p> <p>The actual list of &ldquo;official&rdquo; Docker Credential Helper is:</p> <ol> <li>docker-credential-osxkeychain: Provides a helper to use the OS X keychain as credentials store.</li> <li>docker-credential-secretservice: Provides a helper to use the D-Bus secret service as credentials store.</li> <li>docker-credential-wincred: Provides a helper to use Windows credentials manager as store.</li> <li>docker-credential-pass: Provides a helper to use pass as credentials store.</li> </ol> <h2 id="docker-credential-secret-service">docker-credential-secret service</h2> <p>On this post we will explore the docker-credential-secretservice and how to configure it.</p> <ol> <li> <p>We need to download and install the helper. You can find the lastest release on <a href="https://github.com/docker/docker-credential-helpers/releases" target="_blank" rel="noopener">https://github.com/docker/docker-credential-helpers/releases</a>. Download it, extract it and make it executable.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.2/docker-credential-secretservice-v0.6.2-amd64.tar.gz </span></span><span class="line"><span class="cl">tar -xf docker-credential-secretservice-v0.6.2-amd64.tar.gz </span></span><span class="line"><span class="cl">chmod +x docker-credential-secretservice </span></span><span class="line"><span class="cl">sudo mv docker-credential-secretservice /usr/local/bin/ </span></span></code></pre></div></li> <li> <p>Then, we need to specify the credential store in the file <code>~/.docker/config.json</code> to tell docker to use it. The value must be the one after the prefix <code>docker-credential-</code>. In this case:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;credsStore&#34;</span><span class="p">:</span> <span class="s2">&#34;secretservice&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>To facilite the configuration and do not make mistakes, you can run:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sed -i <span class="s1">&#39;0,/{/s/{/{\n\t&#34;credsStore&#34;: &#34;secretservice&#34;,/&#39;</span> ~/.docker/config.json </span></span></code></pre></div></li> </ol> <p>From now we are uning an external store, so if you are currently logged in, you must run <code>docker logout</code> to remove the credentials from the file and run <code>docker login</code> tostart using the new ones.</p> <p>Let me know how this works for you.</p> <p><strong>References:</strong></p> <ul> <li>Docker Credential Helpers repository<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup></li> <li>Docker Credential Store Documentation<sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup></li> <li>Slides about this topic <sup id="fnref:3"><a href="#fn:3" class="footnote-ref" role="doc-noteref">3</a></sup></li> </ul> <div class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1"> <p><a href="https://github.com/docker/docker-credential-helpers" target="_blank" rel="noopener">Docker Credential Helpers</a>&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:2"> <p><a href="https://docs.docker.com/engine/reference/commandline/login/#credentials-store" target="_blank" rel="noopener">docker cli documentation</a>&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:3"> <p><a href="https://www.slideshare.net/DavidYeung22/can-we-stop-saving-docker-credentials-in-plain-text-now" target="_blank" rel="noopener">Stop saving credential tokens in text files</a>&#160;<a href="#fnref:3" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </div>