SSH Key-Pairs.

Remotely Connect to Linux Servers with SSH key-pairs

SSH: Authentication with Key-pairs

On your client machine:

  • Create an SSH key pair with the command ssh-keygen
    • It creates 2 files (the private key and the public key) in the .ssh folder.
[menit@fedora .ssh]$ ls 
id_rsa id_rsa.pub
  • It is recommended that you use a passphrase to encrypt your private key.
[menit@fedora .ssh]$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/menit/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/menit/.ssh/id_rsa
Your public key has been saved in /home/menit/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:E+n8J9Sjbdbi5A7uyu7LVAm2Y8fNBtSawvCyoR7l3Y4 menit@fedora
The key's randomart image is:
+---[RSA 3072]----+
|          ..     |
|      .  o  .    |
|       += .o     |
|      +++=o*     |
|     + =So* *    |
|    o o..B.+ o   |
|   . .  .o= B .  |
|    .  +E..X .   |
|       oB+o.+    |
+----[SHA256]-----+

How to deploy your public key to your managed servers.

  • To connect to your Linux servers using SSH keys, you need to transfer the public key to each remote server.

There are 2 methods to transfer the public key to your server.

The first method is to install the public key from your own host to your remote server using this command:

  • This command creates the .ssh folder and a file named authorized_keys on the remote host and appends the public key to that file.
ssh-copy-id -i /home/menit/.ssh/id_rsa.pub username@192.168.122.235

  • The second method is to copy your public key and paste it on your remote server into the file named authorized_keys under the .ssh folder (if you can't find such a file, just create it).
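The manual paste above is where key logins usually break: sshd (with StrictModes, the default) ignores authorized_keys when ~/.ssh or the file is group/world writable, and pasting twice leaves duplicates. The script below is an added example, not part of the original post; it installs a key the way ssh-copy-id does and assumes it runs on the remote host as the target user (or with a test directory as HOME).

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into a
# user's authorized_keys with the permissions sshd insists on, without
# creating duplicate entries.
set -eu

nl='
'

# Usage: install_authorized_key "<public key line>" [home_dir]
# Returns 0 when the key is present afterwards, 1 if the input is not a
# single OpenSSH public-key line.
install_authorized_key() {
    key="$1"
    home="${2:-$HOME}"
    ssh_dir="$home/.ssh"
    auth="$ssh_dir/authorized_keys"

    # Only accept "keytype base64 [comment]" on one line; a private key or a
    # multi-line paste must never end up in this file.
    case "$key" in
        *"$nl"*) printf 'key must be a single line\n' >&2; return 1 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*|sk-ssh-ed25519@openssh.com\ *) ;;
        *) printf 'not an OpenSSH public key line\n' >&2; return 1 ;;
    esac

    # Create the directory and file with the modes sshd requires.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"

    # Match on keytype + key material only, so the same key with a different
    # comment is not appended a second time.
    key_id=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    grep -qF -- "$key_id" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Number of key lines in authorized_keys (blank and comment lines ignored).
count_authorized_keys() {
    auth="${1:-$HOME}/.ssh/authorized_keys"
    [ -f "$auth" ] || { echo 0; return; }
    grep -cv -e '^[[:space:]]*$' -e '^#' "$auth" || true
}

# Stand-alone demo against a throw-away HOME with a constructed key.
if [ "${1:-}" = demo ]; then
    demo_home=$(mktemp -d)
    demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyMaterialConstructedForThisExample menit@fedora'
    install_authorized_key "$demo_key" "$demo_home"
    install_authorized_key "$demo_key" "$demo_home"   # second call is a no-op
    printf '%s key(s) in %s\n' "$(count_authorized_keys "$demo_home")" "$demo_home/.ssh/authorized_keys"
    ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
fi
```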

Now you can connect to your machine using this command:

[menit@fedora .ssh]$ ssh swarm@192.168.122.235

Connect to your remote server without the passphrase

To avoid entering the passphrase every time you SSH to a remote host, you can use ssh-agent to cache the decrypted private key in memory for the duration of your session.

[menit@fedora .ssh]$ ssh-agent bash
[menit@fedora .ssh]$ ssh-add id_rsa
Enter passphrase for id_rsa: ***********
Identity added: id_rsa (menit@fedora)

How to SSH to a remote host using the root user account.

  1. On the remote host, first enable root login in /etc/ssh/sshd_config by removing the # in front of the line "PermitRootLogin prohibit-password". (prohibit-password lets root authenticate with a key but never with a password, which is what we want here.)
swarm@swarm3:/etc/ssh$ vim /etc/ssh/sshd_config

#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

Save the file and exit by typing :wq

  2. Switch to the root account on the remote server and add the public SSH key to the authorized_keys file under root's .ssh folder.
root@swarm3:~/.ssh# ls
authorized_keys
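One thing to check after editing sshd_config: unlike sudoers (see the next section), sshd takes the first uncommented occurrence of a keyword, so a PermitRootLogin line added at the bottom is ignored if one already exists higher up. The helper below is an added example, not from the original post; it reports the value sshd will actually use and assumes a plain sshd_config file (settings inside Match blocks are conditional and are skipped).

```shell
#!/bin/sh
# Added example (not from the original post): print the value sshd will
# use for a keyword. For each keyword the FIRST uncommented occurrence wins,
# so use this to verify an edit before reloading sshd.
set -eu

# Usage: sshd_effective <keyword> <config file>
# Prints the effective value and returns 0, or prints nothing and returns 1
# when the keyword is not set explicitly (sshd's compiled-in default applies).
sshd_effective() {
    awk -v kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment or blank line
        index($1, "=")           { sub(/=/, " ") }  # "Keyword=value" form
        tolower($1) == "match"   { in_match = 1 }   # Match block: conditional
        in_match                 { next }
        tolower($1) == kw {
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")         # strip the keyword
            sub(/[ \t]+$/, "")                      # and trailing blanks
            print; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# Root-login policy for a config file. "prohibit-password" is sshd's own
# default when the keyword is absent (OpenSSH 7.0 and later).
root_login_policy() {
    sshd_effective PermitRootLogin "$1" || echo prohibit-password
}

# Stand-alone demo with a constructed config resembling the post's excerpt;
# the second PermitRootLogin line is the kind of edit that silently does nothing.
if [ "${1:-}" = demo ]; then
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
PasswordAuthentication=no
PermitRootLogin yes
EOF
    printf 'PermitRootLogin: %s\n' "$(root_login_policy "$cfg")"   # prohibit-password, not yes
    printf 'PasswordAuthentication: %s\n' "$(sshd_effective PasswordAuthentication "$cfg")"
fi
```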

How to run sudo commands without a password

To grant your user sudo permissions you need to edit the sudoers file with this command:

[menit@fedora .ssh]$ sudo visudo

Under the line "Allows people in group wheel to run all commands", paste this entry:

#Allow users to run all commands
menit ALL=(ALL) NOPASSWD: ALL

This is how it should look in the config file:

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

#Allow users to run all commands
menit ALL=(ALL) NOPASSWD: ALL

It's important that you put your new entry at the bottom of the file, because sudoers is processed from top to bottom and, when several entries match, the last one wins.

Creating and Using Docker Containers

In this post I will give you the basic commands to run and troubleshoot basic Docker containers.

Install Docker First

This is a simple command to run an Nginx Docker container:

docker container run --publish 844:80 --detach --name Mynginx nginx

  • --detach = run the container in the background
  • --name = name of the container
  • nginx = image to run

What happens in 'docker container run'?

  • Looks for that image locally in the image cache; if it does not exist there, it fetches it from the Docker Hub repository.
  • Creates a new container based on the image (nginx:latest by default)
  • Gives it a virtual IP on a private network
  • Opens up the published port on the host (844 in the command above) and forwards it to port 80 in the container
  • Starts the container using the CMD from the image's Dockerfile
docker container ls
docker container ls -a
  • ls = show running containers
  • ls -a = show all containers in every status
docker container logs Mynginx
  • logs = show logs for the specific container (Mynginx)
[root@fedora ~]# docker container ls -a
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS          PORTS                                 NAMES
b1311034dc4c   nginx     "/docker-entrypoint.…"   4 minutes ago    Created                                               Webhost2
6a936dd1a1ed   nginx     "/docker-entrypoint.…"   10 minutes ago   Up 10 minutes   0.0.0.0:844->80/tcp, :::844->80/tcp   Webhost
[root@fedora ~]# docker container rm -f b13 6a9
b13
6a9
  • rm = delete a container
  • -f = force deletion of a running container
  • b13, 6a9 = container IDs (a unique prefix is enough)

What's going on inside a container

  • docker container top – show the process list in one container
[root@fedora ~]# docker container top mysql
UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
systemd+            56977               56956               0                   10:29               ?                   00:00:01            mysqld
  • docker container inspect – show details of one container configuration (Networking, mounts and more)
[root@fedora ~]# docker container inspect mysql 
[
    {
        "Id": "5a1896ceb2cf076c64066183125e6b3814fb5e7109e392fde842230802837e31",
        "Created": "2021-08-18T07:29:01.167554924Z",
        "Path": "docker-entrypoint.sh",
        "Args": [
            "mysqld"
        ],
        ... (output truncated)

  • docker container stats = show live performance stats for all containers
CONTAINER ID   NAME      CPU %     MEM USAGE / LIMIT     MEM %     NET I/O       BLOCK I/O         PIDS
f793d1abdadc   nginx     0.00%     9.875MiB / 31.03GiB   0.03%     16.9kB / 0B   7.04MB / 0B       9
5a1896ceb2cf   mysql     0.18%     443.1MiB / 31.03GiB   1.39%     27.9kB / 0B   38.5MB / 2.03GB   3

Getting a shell inside containers

  • docker container run -it = start a new container interactively (when you exit the shell, the container stops)
[root@fedora ~]# docker container run --name meninginx -it nginx bash
root@64aa3ad9a53c:/# ls
bin		      etc    mnt   sbin  var
boot		      home   opt   srv
dev		      lib    proc  sys
docker-entrypoint.d   lib64  root  tmp
docker-entrypoint.sh  media  run   usr
root@64aa3ad9a53c:/# hostname
64aa3ad9a53c

To restart a stopped container and attach to its shell:

[root@fedora ~]# docker container ls -a
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS                       PORTS                                                  NAMES
64aa3ad9a53c   nginx     "/docker-entrypoint.…"   4 minutes ago    Exited (130) 7 seconds ago                                                          meninginx
f793d1abdadc   nginx     "/docker-entrypoint.…"   40 minutes ago   Up 40 minutes                80/tcp                                                 nginx
5a1896ceb2cf   mysql     "docker-entrypoint.s…"   44 minutes ago   Up 44 minutes                0.0.0.0:3306->3306/tcp, :::3306->3306/tcp, 33060/tcp   mysql
[root@fedora ~]# docker container start -ai meninginx 
root@64aa3ad9a53c:/# ls
bin  boot  dev	docker-entrypoint.d  docker-entrypoint.sh  etc	home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@64aa3ad9a53c:/# ^C
  • docker container exec -it = open an interactive shell inside a running container
[root@fedora ~]# docker container exec -it mysql bash
root@5a1896ceb2cf:/#

Container Resources

Check how many resources a container is using:

root@master:~# docker stats nginx

To Limit container Memory

root@master:~# docker run -d --name nginx1 --memory "200mb"  nginx:alpine

root@master:~# docker stats nginx nginx1

CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
8271c48d56c7        nginx               0.00%               4.055MiB / 3.817GiB   0.10%               1.01kB / 0B         12.2MB / 16.4kB     3
08fa208e8474        nginx1              0.00%               3.77MiB / 200MiB      1.88%               726B / 0B           0B / 16.4kB         3

To Limit container CPU

  • --cpuset-cpus 0,1 = assign CPU 0 and CPU 1 (2 CPUs in total)
  • --cpuset-cpus 0-2 = assign CPUs 0 through 2 (3 CPUs in total)
root@master:~# grep "model name" /proc/cpuinfo
model name      : Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz
model name      : Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz
root@master:~# grep "model name" /proc/cpuinfo | wc -l
2

root@master:~# docker run -d --name nginx2 --memory "300mb" --cpuset-cpus 0,1 nginx:alpine

Copy files from and to your container – docker cp

Copy Files from docker host to container

root@master:~# docker cp index.html nginx1:/usr/share/nginx/html/index.html

Copy Files from container to docker host

root@master:~# docker cp nginx1:/opt/test.txt .

All that you need to know about Docker volumes.

Bind mounts: how to map folders on your Docker host into your container

First, let's create a folder on our Docker host (the run command below mounts /mnt/mysql; Docker creates a missing bind-mount source directory for -v, so make sure the folder you create is the path you mount):

root@master:~# mkdir mysql
root@master:~# ls
index.html  mysql  snap

Map the new folder to the folder in the container

root@master:~# docker run -d -v /mnt/mysql:/var/lib/mysql  --name some-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw mysql

Now let's enter the container and create a new database.

root@master:~# docker exec -it some-mysql bash
root@43bbea76beca:/#  mysql -u root -pmy-secret-pw
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \\g.
Your MySQL connection id is 8
Server version: 8.0.22 MySQL Community Server - GPL

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.
    
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.01 sec)

mysql> create database docker_db;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| docker_db          |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql> exit
root@43bbea76beca:/# exit
exit

Now let's delete the container.

root@master:~# docker rm -f some-mysql

Check that the data is still in the new folder on the Docker host:

root@master:~# ls /mnt/mysql/
 auto.cnf        ca-key.pem        docker_db            ibdata1      '#innodb_temp'        private_key.pem   sys
 binlog.000001   ca.pem           '#ib_16384_0.dblwr'   ib_logfile0   mysql                public_key.pem    undo_001
 binlog.000002   client-cert.pem  '#ib_16384_1.dblwr'   ib_logfile1   mysql.ibd            server-cert.pem   undo_002
 binlog.index    client-key.pem    ib_buffer_pool       ibtmp1        performance_schema   server-key.pem

Let's restore our data into a brand new MySQL container, using basically the same command as before.

root@master:~# docker run -d -v /mnt/mysql:/var/lib/mysql  --name some-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw mysql

Let's enter our new container and check that we can see our docker_db database.

root@master:~# docker exec  -ti some-mysql bash
root@814f0801e5d4:/# mysql -u root -pmy-secret-pw
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \\g.
Your MySQL connection id is 8
Server version: 8.0.22 MySQL Community Server - GPL

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| docker_db          |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql>

Normal Volume – Managed by Docker

How to create a normal volume:

  • Important to know: a normal volume is created under the Docker Root Directory
root@master:~# docker volume create mysql_volume
mysql_volume

How to find Normal volume:

Long way:

root@master:~# docker info | grep -i root
WARNING: No swap limit support
 Docker Root Dir: /var/lib/docker
root@master:~# cd /var/lib/docker/
root@master:/var/lib/docker# ls
builder  buildkit  containers  image  network  overlay2  plugins  runtimes  swarm  tmp  trust  volumes
root@master:/var/lib/docker# ls volumes/
mysql_volume

Short way:

root@master:/var/lib/docker# docker volume ls
DRIVER              VOLUME NAME
local               mysql_volume

Let's create a new MySQL container:

root@master:/var/lib/docker# docker run -d -v mysql_volume:/var/lib/mysql --name some-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw mysql

Now we can see all the data in our new Docker volume:

root@master:/var/lib/docker/volumes/mysql_volume/_data# ls
 auto.cnf        ca-key.pem       '#ib_16384_0.dblwr'   ib_logfile0     mysql                public_key.pem    undo_001
 binlog.000001   ca.pem           '#ib_16384_1.dblwr'   ib_logfile1     mysql.ibd            server-cert.pem   undo_002
 binlog.000002   client-cert.pem   ib_buffer_pool       ibtmp1          performance_schema   server-key.pem
 binlog.index    client-key.pem    ibdata1             '#innodb_temp'   private_key.pem      sys

Anonymous Volumes: Be Careful when you use them (Not Recommended)

Let's create a MySQL container, this time passing -v without any mapping to the Docker host:

root@master:~# docker run -d -v /var/lib/mysql  --name some-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw mysql

To find where Docker created the anonymous volume, we use this command:

root@master:~# docker inspect some-mysql

Under Mounts we can find the name of the volume.

In this output we can see the mapping and the location of the volume on the host and the folder it maps to inside the container:

  • Volume name "060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b"
  • Volume location "/var/lib/docker/volumes/"
"Mounts": [
            {
                "Type": "volume",
                "Name": "060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b",
                "Source": "/var/lib/docker/volumes/060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b/_data",
                "Destination": "/var/lib/mysql",
                "Driver": "local",
                "Mode": "",
                "RW": true,
                "Propagation": ""
            }
        ],

If we go to the volume location folder, we find all of the container's MySQL data under our Docker root directory.

root@master:~# cd /var/lib/docker/volumes/060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b/_data
root@master:/var/lib/docker/volumes/060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b/_data# ls
 auto.cnf        ca-key.pem       '#ib_16384_0.dblwr'   ib_logfile0     mysql                public_key.pem    undo_001
 binlog.000001   ca.pem           '#ib_16384_1.dblwr'   ib_logfile1     mysql.ibd            server-cert.pem   undo_002
 binlog.000002   client-cert.pem   ib_buffer_pool       ibtmp1          performance_schema   server-key.pem
 binlog.index    client-key.pem    ibdata1             '#innodb_temp'   private_key.pem      sys

Important to know:

  • Anonymous volumes are removed together with the container when you delete it with the -v flag.
root@master:# docker rm -fv some-mysql

root@master:~# cd /var/lib/docker/volumes/060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b/_data
-bash: cd: /var/lib/docker/volumes/060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b/_data: No such file or directory
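Two mount types are worth spotting in inspect output before you delete or expose a container: anonymous volumes (a 64-character hex Name, gone with docker rm -v, as shown above) and bind mounts of the Docker socket, which give the container root-equivalent control of the host (the Jenkins compose file further down mounts it). The script below is an added example, not part of the original post; it assumes Docker's pretty-printed inspect output with one key per line.

```shell
#!/bin/sh
# Added example (not from the original post): scan `docker container
# inspect` output for anonymous volumes and Docker-socket bind mounts.
# Reads the pretty-printed inspect JSON on stdin, one key per line.
set -eu

# Prints "<finding> <container path> <host source>" per risky mount entry.
audit_mounts() {
    awk '
        function val(s) {                 # "Key": "value",  ->  value
            sub(/^[^:]*:[ \t]*"?/, "", s); sub(/"?,?[ \t]*$/, "", s); return s
        }
        /"Type":/        { type = val($0) }
        /"Name":/        { name = val($0) }
        /"Source":/      { src  = val($0) }
        /"Destination":/ {                # last key we need for one mount
            dest = val($0)
            if (type == "volume" && length(name) == 64 && name ~ /^[0-9a-f]+$/)
                print "anonymous-volume", dest, src
            if (type == "bind" && src ~ /docker\.sock$/)
                print "docker-socket", dest, src
            type = ""; name = ""; src = ""
        }'
}

# Constructed sample: the post's anonymous volume, a socket bind mount and a
# named volume that must not be flagged (trimmed to the keys that matter).
sample_inspect() {
    cat <<'EOF'
        "Mounts": [
            {
                "Type": "volume",
                "Name": "060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b",
                "Source": "/var/lib/docker/volumes/060239d0072093a4a2e984467751e163f197a0e40b57299a62ef17e83798815b/_data",
                "Destination": "/var/lib/mysql",
                "Driver": "local",
                "RW": true
            },
            {
                "Type": "bind",
                "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock",
                "RW": true
            },
            {
                "Type": "volume",
                "Name": "mysql_volume",
                "Source": "/var/lib/docker/volumes/mysql_volume/_data",
                "Destination": "/var/lib/mysql",
                "Driver": "local",
                "RW": true
            }
        ],
EOF
}

# Stand-alone demo; on a live host: docker container inspect <name> | audit_mounts
sample_inspect | audit_mounts
```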

Remove dangling volumes (volumes that are not attached to any container); docker volume prune does the same with a confirmation prompt:

root@master:~# docker volume rm $(docker volume ls -f=dangling=true -q)

Change Docker Root Directory location.

In this post I am going to show you how to find the Docker Root Directory and how to change its location so that Docker saves its files somewhere else (for backup or high availability).

These are the commands to find and verify the Docker root folder:

root@master:~# docker info | grep -i root
 Docker Root Dir: /var/lib/docker

root@master:~# sudo du -sh /var/lib/docker/
2.7G    /var/lib/docker/

root@master:~# cd /var/lib/docker/
root@master:/var/lib/docker# ll
total 56
drwx--x--x 14 root root 4096 Nov 16 11:31 ./
drwxr-xr-x 40 root root 4096 Nov 16 07:53 ../
drwx------  2 root root 4096 Nov 16 07:53 builder/
drwx--x--x  4 root root 4096 Nov 16 07:53 buildkit/
drwx------  2 root root 4096 Nov 17 12:58 containers/
drwx------  3 root root 4096 Nov 16 07:53 image/
drwxr-x---  3 root root 4096 Nov 16 07:53 network/
drwx------ 46 root root 4096 Nov 17 12:58 overlay2/
drwx------  4 root root 4096 Nov 16 07:53 plugins/
drwx------  2 root root 4096 Nov 16 11:31 runtimes/
drwx------  2 root root 4096 Nov 16 07:53 swarm/
drwx------  2 root root 4096 Nov 17 12:42 tmp/
drwx------  2 root root 4096 Nov 16 07:53 trust/
drwx------ 13 root root 4096 Nov 16 13:41 volumes/

To change the location of the Root Directory:

  • Stop all containers
  • Stop the Docker service
sudo systemctl stop docker

After that, edit the Docker service file and add --data-root /mnt/docker to the dockerd ExecStart line so the daemon uses the new location:

sudo vi /lib/systemd/system/docker.service

Now we need to move the docker folder from its old location to the new one.

root@master:/var/lib/docker# sudo rm -rf /mnt/docker

root@master:/var/lib/docker# ls /mnt/

root@master:/var/lib/docker# mv docker /mnt/

After we moved the folder, reload systemd so it picks up the edited unit file and start the service again.

sudo systemctl daemon-reload
sudo systemctl restart docker
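The same migration as one script, added here as an example that is not part of the original post. It differs from the steps above in three ways worth having: it sets "data-root" in /etc/docker/daemon.json instead of editing docker.service, it copies with rsync so the old tree remains a fallback until the daemon confirms the new path, and it refuses targets that would be unsafe. It assumes systemd, rsync, root privileges and no pre-existing daemon.json.

```shell
#!/bin/sh
# Added example (not from the original post): move the Docker data root.
set -eu

OLD_ROOT=/var/lib/docker
DAEMON_JSON=/etc/docker/daemon.json

# Render daemon.json for the new root; only absolute paths are accepted.
render_daemon_json() {
    case "$1" in
        /*) printf '{\n  "data-root": "%s"\n}\n' "$1" ;;
        *)  printf 'data-root must be an absolute path: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Preflight: the target must be an existing empty directory and must not be
# the old root or anything below it (rsync would copy the tree into itself).
check_target() {
    [ -d "$1" ] || { printf '%s is not a directory\n' "$1" >&2; return 1; }
    [ -z "$(ls -A "$1")" ] || { printf '%s is not empty\n' "$1" >&2; return 1; }
    case "$1/" in "$OLD_ROOT"/*) printf '%s is inside %s\n' "$1" "$OLD_ROOT" >&2; return 1 ;; esac
}

migrate_docker_root() {
    new_root="$1"
    check_target "$new_root"
    if [ -s "$DAEMON_JSON" ]; then
        printf '%s already exists; merge "data-root" into it by hand\n' "$DAEMON_JSON" >&2
        return 1
    fi
    docker container stop $(docker container ls -q) 2>/dev/null || true
    systemctl stop docker.socket 2>/dev/null || true
    systemctl stop docker
    rsync -aHAX --numeric-ids "$OLD_ROOT/" "$new_root/"
    mkdir -p "$(dirname "$DAEMON_JSON")"
    render_daemon_json "$new_root" > "$DAEMON_JSON"
    systemctl daemon-reload
    systemctl start docker
    # Trust the move only once the daemon itself reports the new root.
    if ! docker info --format '{{.DockerRootDir}}' | grep -qx "$new_root"; then
        printf 'docker did not switch to %s; %s is untouched\n' "$new_root" "$OLD_ROOT" >&2
        return 1
    fi
    printf 'data root is now %s; remove %s after checking your containers\n' "$new_root" "$OLD_ROOT"
}

# Usage: sh migrate-docker-root.sh /mnt/docker   (no argument: only defines functions)
if [ -n "${1:-}" ]; then
    migrate_docker_root "$1"
fi
```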

That's it, you're ready to keep using Docker 🙂

Setup Jenkins (SSL) using Docker & Nginx

Install Docker Engine | Install Docker Compose

Log in to your Linux server.

Create these directories:

mkdir ~/jenkins
mkdir ~/certs
mkdir -p ~/nginx/conf.d

Inside your nginx/conf.d/ directory create the jenkins.conf file:

ubuntu@IT-Jenkins:~/nginx/conf.d$ touch jenkins.conf

Copy this code to the jenkins.conf file:

server {
    listen 80;
    server_name server.domain.com;   # replace with your server's hostname

    location / {
        proxy_pass http://jenkins:8080;
    }
}

Create a working directory:

ubuntu@IT-Jenkins:~$ mkdir jenkins-env

Inside your working directory create the docker-compose.yml file:

ubuntu@IT-Jenkins:~/jenkins-env$ touch docker-compose.yml

Copy this code to the docker-compose.yml. Note that mounting /var/run/docker.sock into the Jenkins container, which runs as root here, gives Jenkins full control of the Docker host, and the nginx service does not need the socket at all:

version: '3.3'
services:
  jenkins:
    image: "jenkins/jenkins:lts"
    user: root
    expose:
      - 8080
    ports:
      - 50000:50000
    container_name: it-jenkins
    volumes:
      - ~/jenkins:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock
      - /usr/local/bin/docker:/usr/local/bin/docker
    networks:
      - jenkins_nw
    restart: unless-stopped
  nginx:
    image: "nginx:latest"
    links:
      - "jenkins"
      - "jenkins:jenkinssvc"
    ports:
      - "80:80"
      - "443:443"
    container_name: it-nginx
    volumes:
      - ~/certs:/etc/ssl
      - ~/nginx/conf.d:/etc/nginx/conf.d
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      - jenkins_nw
    depends_on:
      - jenkins
    restart: unless-stopped

networks:
  jenkins_nw:
    driver: bridge

Bring the Environment up by executing the following command on a terminal:

ubuntu@IT-Jenkins:~/jenkins-env$ docker-compose up -d
Creating network "jenkins-env_jenkins_nw" with driver "bridge"
Creating it-jenkins ... done
Creating it-nginx   ... done

Open and Unlock Jenkins

Open your browser and type your server IP or DNS name (for example http://it-jenkins.argus-sec.com).

To ensure Jenkins is securely set up by the administrator, a password has been written to the log and to this file on the server: /var/jenkins_home/secrets/initialAdminPassword

To retrieve the admin password, log in to the Jenkins container:

ubuntu@IT-Jenkins:~/jenkins-env$ docker exec -it it-jenkins /bin/bash

In the Jenkins container open the file initialAdminPassword:

cat /var/jenkins_home/secrets/initialAdminPassword

Copy the password to your clipboard, exit the container and paste it into your Jenkins setup page.

Complete the Jenkins setup.


Configure your Jenkins to use SSL Certificate

Using your certificates:

  • Copy your certificate and key (cert.pem, cert.key) to your ~/certs folder and name them jenkins.crt and jenkins.key, which are the paths the nginx config below expects under /etc/ssl.

Change your nginx config file:

  • Go to your ~/nginx/conf.d folder and change the jenkins.conf file to support SSL by copying the code below. The ssl_protocols line also enables TLSv1 and TLSv1.1, which are deprecated (RFC 8996); on a current nginx use ssl_protocols TLSv1.2 TLSv1.3; instead.
server {
    listen 443 ssl;
    server_name it-jenkins.argus-sec.com;

    ssl_certificate /etc/ssl/jenkins.crt;
    ssl_certificate_key /etc/ssl/jenkins.key;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    location / {

        proxy_pass http://jenkins:8080;
    }
}

Make sure the syntax is OK:

ubuntu@IT-Jenkins:~/nginx/conf.d$ docker exec it-nginx nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart Nginx server:

 ubuntu@IT-Jenkins:~/nginx/conf.d$ docker exec it-nginx nginx -s reload

Log in to your server using https:
