Dokku deployment not working. Issue with SSH key - dokku

Here the error
fatal: 'fixcodes' does not appear to be a git repository
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I have lost my public key, so I had to create a new one:
copy id_rsa.pub to dokku server
Add key:
root#localhost:/home/rapsli# dokku ssh-keys:add admin id_rsa.pub
SHA256:FBByHoCiZZzV2xDHmY7RvFhXcTXY0/Bvt1zPJJydmjw
creating a new application
root#localhost:/home/rapsli# dokku apps:create fixcodes
-----> Creating fixcodes... done
Then on my local machine add the remote repo:
git remote add dokku dokku#apps.example.com:fixcodes
trying to push to it fails.
(fixcodes-_8Vg9MY6) λ git push dokku master
fatal: 'fixcodes' does not appear to be a git repository
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
What is strange, I can login to the server machine just fine without password:
ssh dokku#apps.example.com
This works just fine, telling me that the keys are in place. Any ideas?

Related

Non-root user not able to start w3svc service in docker

I'm working with the docker image "mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019". I've noticed that the default user for windowsservercore is ContainerAdministrator. If I try to run the image with the user ContainerUser (docker run -u ContainerUser mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019) I get the following error: ERROR: Failed to stop or query status of service 'w3svc' error [80070005].
I think that the error is related to the permissions that the user needs to run ServiceMonitor. So, first of all, is it correct to assume that windowsservercore images must run with ContainerAdministrator and cannot run with ContainerUser?
If the assumption above is correct I would like to confirm if running the container with ContainerAdministrator can expose the container to a security issue. As far as I understand even if the ServiceMonitor.exe is started with ContainerAdministrator the external-facing process is the IIS Windows service, which runs under a local account in IIS_IUSRS group. So even if an attacker could compromise the application it will not have administrator access to the container. Can anyone confirm if this is correct?
ContainerAdministrator is a special virtual account.ContainerAdministrator is the default account when you run a container – so if your CMD instruction starts a console app, that app will run as ContainerAdministrator. If your app runs in the background as a Windows Service, then the account will be the service account, so ASP.NET apps run under application pool accounts.
you could refer to the below link:
Accessing the Docker host pipe inside windows container with non-admin user
I was in the same position you are. I can't confirm your assumption (though I assume the same). But I can provide our dockerfile which enabled us to run as non root (to comply with an AKS policy).
dockerfile
FROM mcr.microsoft.com/dotnet/framework/wcf:4.8-windowsservercore-ltsc2019
SHELL ["cmd", "/S", "/C"]
# username = '1000' so the k8s policy can verify it's a non-root user
RUN net user /add 1000
# We copy some config files in the actual startup.ps1 so we need write access here
RUN icacls C:\inetpub\wwwroot\ /grant 1000:(OI)(CI)F /t
# ServiceMonitor.exe puts some environment variables in the applicationHost.config
RUN icacls C:\Windows\System32\inetsrv\Config\ /grant 1000:(OI)(CI)F /t /c
# S-1-5-32-545 is group Builtin\Users which contains user 1000. Allows user to restart the w3svc service
RUN sc.exe sdset w3svc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA) (A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPDTLO;;;S-1-5-32-545)
COPY startup.ps1 /
WORKDIR /inetpub/wwwroot
ARG source=obj/Docker/publish
COPY ${source} .
USER 1000
ENTRYPOINT ["powershell", "/startup.ps1"]
startup.ps1
# ContainerAdministrators doesn't have these variables, but the
# custom account does have them. If this gets put into the applicationHost.config
# iis will try to write to the user specific temp directory, and fail (with an unrelated error)
Remove-Item env:TMP
Remove-Item env:TEMP
C:/ServiceMonitor.exe w3svc

Debian Stretch MariaDB cannot authenticate from PHP application

I'm using a fresh installation of Debian Stretch, and installed PHP7 and MariaDB as recommended:
sudo apt-get install nginx mariadb-server mariadb-client php-mysqli php7.0-fpm php7.0-curl
Then using sudo mysql_secure_installation I followed the prompts to remove test users etc.
MariaDB seems to use unix_socket authentication (which is a new concept to me). I like how it restricts root access to sudoers and allows me to grant DB permissions to specific OS users.
However I'd prefer to assign individual user/passwords for each web application running on the server. They all run as www-data user on the system and I see no reason to let them share databases.
So I created a user for my first PHP script and granted access to a new database:
CREATE USER 'telemetry'#'localhost' IDENTIFIED BY 'yeah_toast';
UPDATE mysql.user SET plugin='mysql_native_password' WHERE user='telemetry';
GRANT ALL PRIVILEGES ON telemetry TO 'telemetry'#'localhost';
FLUSH PRIVILEGES;
But it refuses to let me connect from the application:
[error] 19336#19336: *20 FastCGI sent in stderr: "PHP message: PHP Warning: mysqli::real_connect(): (HY000/1045): Access denied for user 'telemetry'#'localhost' (using password: YES) in /path/to/database.inc.php on line 30
The credentials I'm using from the application are as follows:
Host: localhost (also tried 127.0.0.1)
Username: telemetry
Password: yeah_toast
Database: telemetry
I tried deleting and re-creating the username in case it was a password problem, and creating a user #'localhost' and #'%' but none seem to work. In fact when I log in using the same credentials from the command line without sudo it works great (mysql -utelemetry -p).
Am I missing a MariaDB configuration step here?

Permission denied while using 'Kaa-Node restart'

I am trying on an application and previously it worked and the data was able to be persisted into MongoDB. But recenntly , we had a change of router and thus we went ahead to regenerate SDK and etc but we still has the connection error.
Error :
2017/01/26 9:24:27 [WARNING] [kaa_bootstrap_manager.c:612] (-7) - Could not find next Bootstrap access point (protocol: id=0x56C8FF92, version=1)
2017/01/26 9:24:27 [ERROR] [kaa_tcp_channel.c:307] (-7) - Kaa TCP channel [0x929A2016] error notifying bootstrap manager on access point failure
2017/01/26 9:24:27 [ERROR] [kaa_client.c:240] (-7) - Failed to process OUT event for the client socket 3
And thus , we went ahead with troubleshooting where one of the staffs i emailed passed me a link for troubleshooting .
https://kaaproject.github.io/kaa/docs/v0.10.0/Administration-guide/Troubleshooting/
I followed already but i had an error where im stucked with writing 'kaa-node restart' to restart the node service.
Here are the commands for troubleshooting:
Connect to your Kaa Sandbox via ssh:
$ ssh kaa#<YOUR-SANDBOX-IP>
password: kaa
Stop the Kaa service:
$ sudo service kaa-node stop
Clear the Kaa logs:
$ sudo rm -rf /var/log/kaa/*
Start the Kaa service:
$ sudo service kaa-node start
I typed 'sudo service kaa-node start'. it gave me:
kaa#kaa-sandbox.kaaproject.org:~$ sudo service kaa-node start
* Starting Kaa Node daemon (kaa-node):
/bin/bash: /var/log/kaa/kaa-node-server.init.log: Permission denied
Try verifying the Kaa host on the Management page. Also, the Sandbox Web UI (the Management page) is able to restart all the necessary Kaa services on the Sandbox after the Kaa host change.
Please note that the Kaa host should match the PC host IP address accessible from the network your applications are running in.
Please try and let me know if this works for you.

~/.ssh/id_rsa.pub not found error while installing capistrano as ansible playbook

I try to install https://github.com/roots/bedrock-ansible to get a bedrock deployment (http://roots.io/wordpress-stack/) running.
When I run "vagrant up", after some time I get the error:
TASK: [capistrano-setup | Setup deploy group] *********************************
skipping: [default]
TASK: [capistrano-setup | Setup deploy user] **********************************
skipping: [default]
TASK: [capistrano-setup | Adding public key to server] ************************
fatal: [default] => could not locate file in lookup: ~/.ssh/id_rsa.pub
FATAL: all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
to retry, use: --limit #/Users/johannes/site.retry
default : ok=46 changed=16 unreachable=1 failed=0
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.
I do not have a clou how i can fix this. Do you have an idea?
It seems the role is trying to find your local public key. It should be in the location in the error message '~/.ssh/id_rsa.pub', but it's not. So either you don't have one, or you keep it in another location.
If you're not familiar with generating SSH keys you probably don't have one. I personally like the GitHub help page for this: https://help.github.com/articles/generating-ssh-keys/
(you only have to perform steps 1 and 2).
If you do have SSH keys, but in a different location, the capistrano-install role in bedrock uses some variables:
deploy_user: deploy
deploy_keys:
- "~/.ssh/id_rsa.pub"
So you can set (multiple) public key files in the deploy_keys list and they will be added to the deploy_user's authorized keys.
All this is needed because Capistrano will use the deploy user to connect to the remote server later. http://blakesmith.me/2010/02/08/understanding-public-key-private-key-concepts.html

how to ssh in Openstack instance

I create Fedora instance in horizon by giving public key. But i didn't get any user and password to ssh the instance. Also tried to create instance from shell by running this,
nova boot --config-drive=true --flavor 3 --key-name testkey --image be1437b9-b7b4-4e56-a2c3-f92cdd0848ce --user-data cloud-config.txt test
Instance launched successfully in both case and when i try to login with root it ask me for password.
So please tell me what is the exact way to create a fedora instance in Openstack and what would be its user and password for ssh.
Just to confirm, I suppose that you have the corresponding .pem file for the keyname that you create (testkey) and this file has the appropriate permissions to be used to access using ssh. I mean chmod 600 of the .pem file.
If this is the case, you should go into the instance only executing the following sentence:
ssh -i testkey.pem root#<IP address>
Have you installed cloud-init package from epel repository?
So, you can get into the server using 'fedora' or 'cloud-user' user account.
http://docs.openstack.org/image-guide/content/ch_obtaining_images.html
Let leave cloud-init option in nova boot, I have also tried this one,
nova boot --flavor 3 --key-name testkey --image be1437b9-b7b4-4e56-a2c3-f92cdd0848ce test
In this command Instance launches successfully, but still I can't ssh the instance.
Where as now when I create instance from horizon I do ssh in that instance easily.
For the first time login it is recommended that you generate a key-pair (In ubuntu, https://help.ubuntu.com/community/SSH/OpenSSH/Keys) and inject into the image (http://docs.openstack.org/grizzly/basic-install/yum/content/basic-install_operate.html) and do SSH to the instance using the key-pair. Once you are logged in, you can create a user and using this user you can login through VNC console.

Resources