How can I pass a macvtap interface to an LXC container with libvirt - libvirt

I have created a macvtap interface like this:
    $ ip link add link wlan0 name gitea type macvtap
    $ ip link set gitea address 68:61:6b:67:69:74 up
    $ ip link show gitea
    10: gitea@wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 500
        link/ether 68:61:6b:67:69:74 brd ff:ff:ff:ff:ff:ff
And I have an XML template for my gitea container like this:
    <devices>
      <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
      <filesystem type='mount'>
        <source dir='/containers/prod/gitea' />
        <target dir='/' />
      </filesystem>
      <console type='pty' />
      <interface type='??'>
        <source dev='gitea'/>
      </interface>
    </devices>
But what should I write in the interface part to pass the created macvtap interface to the container, or what should I write to recreate the interface if it cannot be passed directly?
Thanks in advance for your consideration.

libvirt has native support for creating macvtap interfaces on demand. See: https://libvirt.org/formatdomain.html#elementsNICSDirect
In your case it would look something like:
    <interface type='direct'>
      <source dev='wlan0' mode='bridge'/>
    </interface>
But that won't give you the 'gitea' naming. The other option might be type='ethernet' but I don't have much experience with that, I'm not sure if it will work for you. I think the XML would look like
    <interface type='ethernet'>
      <target dev='gitea'/>
    </interface>
(Also IIRC macvtap doesn't work with wifi devices so not sure if your setup will actually work either way)

Related

Use environment variables inside google-repo manifest?

We are trying to start using google-repo in our project as the project is divided into multiple repositories. The problem is that our git server requires that one puts the username into the URL, e.g.
    git clone ssh://username@git.server.com
But is it possible to get that into the manifest? I've tried the following
    <?xml version="1.0" encoding="UTF-8"?>
    <manifest>
      <remote name="gerrit"
              fetch="ssh://$USER@git.server.com"
              review="ssh://$USER@git.server.com"
              revision="refs/heads/master"/>
      <default remote="gerrit" sync-j="4"/>
      <project name="project" remote="gerrit" path="project"/>
    </manifest>
but google-repo simply uses ssh://$USER@git.server.com when cloning (that is, it does not dereference the environment variable $USER).
This is an ssh config issue; you should not put $USER in the remote of your manifest.
In ~/.ssh/config, add:
    Host whatever git.server.com
        IdentityFile ~/.ssh/id_rsa
        User <your_user>
IdentityFile should point to your ssh private key (YMMV).
You should now be able to
    git clone ssh://git.server.com

Specify JFROG_ACCESS home instead of ~/.jfrog_access (Artifactory 5.5.2)

I managed to set up Artifactory using our existing Tomcat. I have set ARTIFACTORY_HOME=/opt/artifactory, and that part works well. There is, however, also the JFrog access.war file, which needs to be running as well. I didn't figure out which variable to use to specify its home, so it defaults to ~/.jfrog_access, which is not at all what I like.
I moved the content over to my $ARTIFACTORY_HOME/access and symlinked it, but that's not the way to go for sure. Any help appreciated.
In case someone is stumbling over this thread and struggles with the same problem:
The solution for me was to also extract the context files (access.xml and artifactory.xml, which are available in the zip file under <zip extract>/misc/tomcat) to the Tomcat configuration folder, e.g. $CATALINA_HOME/conf/Catalina/localhost/. After that, the $ARTIFACTORY_HOME env will be recognized on Access startup.
A previous answer finally put me on the right track for solving this problem on Amazon Linux.
In addition to copying access.xml and artifactory.xml to ${catalina.home}/host/MY_HOSTNAME, I found that some other changes were needed.
I modified the docBase attributes in the XML context files because my server has multiple hostnames:
/usr/share/tomcat8/conf/Catalina/repo.mydomain.org/access.xml
    <Context path="/access" docBase="${catalina.home}/host/repo.mydomain.org/access.war">
      <Parameter name="jfrog.access.bundled" value="true" override="true"/>
      <!-- enable annotations scanning of access jar files -->
      <JarScanner scanClassPath="false">
        <JarScanFilter defaultPluggabilityScan="false" pluggabilityScan="access*" defaultTldScan="false"/>
      </JarScanner>
    </Context>
/usr/share/tomcat8/conf/Catalina/repo.mydomain.org/artifactory.xml
    <Context crossContext="true" path="/artifactory" docBase="${catalina.home}/host/repo.mydomain.org/artifactory.war">
    </Context>
Important Note: In order to prevent the above two XML files from being deleted by Tomcat Manager during upgrades via Undeploy/Deploy WAR, make sure they are owned by root and not writable by the tomcat user:
chown root.root access.xml artifactory.xml
chmod 644 access.xml artifactory.xml
If you forget to do the above, you will likely end up missing these files, which will break the communication between the access and artifactory web applications, resulting in login failures ("Username or Password Are Incorrect"). In this case, these errors result from the lack of communication between the web applications, not a problem with the credentials themselves.
/usr/share/tomcat8/conf/Catalina/repo.mydomain.org/manager.xml
This gives me the ability to upload new versions of access.war and artifactory.war via https://repo.mydomain.org:8443/manager/html:
    <Context docBase="${catalina.home}/webapps/manager" privileged="true" antiResourceLocking="false">
    </Context>
Additionally, I created the following folder to serve as the artifactory.home:
sudo mkdir /usr/share/artifactory
sudo chown tomcat.tomcat /usr/share/artifactory
tomcat8.conf
Add (or modify) the following line:
JAVA_OPTS="-Dartifactory.home=/usr/share/artifactory -Djfrog.access.home=/usr/share/artifactory/access -Dartifactory.access.client.serverUrl.override=http://localhost:8080/access"
Note: The Access Client URL specified above must use localhost in order to prevent the Server HTTP header from being overwritten by Apache and its modules. For instance, if I use:
https://repo.mydomain.org/access/api/v1/system/ping
The Server HTTP header value in the response is:
Server: Apache/2.4.33 (Amazon) OpenSSL/1.0.2k-fips mod_jk/1.2.43
And the Access Client produces the following exception:
[ERROR] (o.j.a.c.AccessClientImpl:154) - Access client/server version mismatch. Client version: 4.1.5, Server version: 2.4.33 (Amazon) OpenSSL
Which means the Access Client is depending on the first string matching #.#.# in the server header. This seems like a really fragile part of the Access Client. They should have used X-JFrog-Access-Server or something instead of trying to control a value that is set by the web server. So, to reiterate, use http://localhost:8080/access to connect directly to the tomcat server.
Artifactory 6.2.0 depends on Apache Derby (the specific version can be found in jfrog-artifactory-oss-6.2.0.zip\artifactory-oss-6.2.0\tomcat\lib). This should be added as a shared library to Tomcat:
mkdir /usr/share/tomcat8/shared
cd /usr/share/tomcat8/shared
wget http://central.maven.org/maven2/org/apache/derby/derby/10.11.1.1/derby-10.11.1.1.jar
Add or modify the following line in catalina.properties:
shared.loader=${catalina.home}/shared/*.jar
Since we want https://repo.mydomain.org to go to the Artifactory webapp:
mkdir /usr/share/tomcat8/host/repo.mydomain.org/ROOT
echo '<html><head><meta http-equiv="refresh" content="0;URL=/artifactory"></meta></head><body></body></html>' > /usr/share/tomcat8/host/repo.mydomain.org/ROOT/index.html
And make sure the services automatically start on reboot:
sudo chkconfig httpd on
sudo chkconfig tomcat8 on
Artifactory will then be available at the url:
https://repo.mydomain.org/artifactory/webapp/
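The Server-header version check described in the answer above (the "Access client/server version mismatch" error when the client is pointed at the Apache front end instead of localhost:8080), reconstructed as an added Python example. This is not JFrog's code and not taken from this thread: the Access client's real parsing logic is unknown, so the "first x.y.z token in the Server header" strategy and the "major versions must agree" policy are assumptions inferred from the answer, the direct-backend Server value is constructed, and the X-JFrog-Access-Server header is the hypothetical dedicated header the answer suggests. The point it demonstrates is that a version check keyed on a header the reverse proxy rewrites fails as soon as a proxy sits in the path, while a dedicated header that proxies pass through does not.

```python
import re
from typing import Dict, Optional, Tuple

CLIENT_VERSION = "4.1.5"            # the client version quoted in the error message above
VERSION_RE = re.compile(r"\d+\.\d+\.\d+")

# Constructed sample responses (not captured output). The proxied Server value is
# the one quoted in the thread; the direct one is an assumed backend value.
PROXIED_HEADERS: Dict[str, str] = {
    "Server": "Apache/2.4.33 (Amazon) OpenSSL/1.0.2k-fips mod_jk/1.2.43",
}
DIRECT_HEADERS: Dict[str, str] = {
    "Server": "Access/4.1.5",       # assumption: what the backend itself might send
}
PROXIED_WITH_DEDICATED: Dict[str, str] = {
    **PROXIED_HEADERS,
    "X-JFrog-Access-Server": "4.1.5",   # hypothetical header a proxy passes through untouched
}


def version_from_server_header(headers: Dict[str, str]) -> Optional[str]:
    """Fragile strategy inferred in the answer: take the first x.y.z token in Server."""
    match = VERSION_RE.search(headers.get("Server", ""))
    return match.group(0) if match else None


def same_major(client: str, server: Optional[str]) -> bool:
    """Assumed compatibility policy: the major version numbers must agree."""
    return server is not None and client.split(".")[0] == server.split(".")[0]


def check_via_server_header(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Behind Apache this reads Apache's version, not the backend's, and fails."""
    server = version_from_server_header(headers)
    ok = same_major(CLIENT_VERSION, server)
    return ok, f"Client version: {CLIENT_VERSION}, Server version: {server}"


def check_via_dedicated_header(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Robust alternative: a header the backend owns and proxies do not rewrite."""
    server = headers.get("X-JFrog-Access-Server")
    if server is None:
        return False, "no X-JFrog-Access-Server header: response did not come from Access"
    return same_major(CLIENT_VERSION, server), f"Client version: {CLIENT_VERSION}, Server version: {server}"


if __name__ == "__main__":
    for name, hdrs in [("proxied", PROXIED_HEADERS), ("direct", DIRECT_HEADERS),
                       ("proxied+dedicated", PROXIED_WITH_DEDICATED)]:
        print(name, "Server header:", check_via_server_header(hdrs))
        print(name, "dedicated header:", check_via_dedicated_header(hdrs))
```

Running it shows the proxied response being parsed as server version 2.4.33 (Apache's), reproducing the mismatch message from the thread, while the same response passes the dedicated-header check as soon as a backend-owned header is present. That is the defender's takeaway from the answer: do not make compatibility or trust decisions on a header that every intermediary is entitled to rewrite.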

How to configure Logback to add host-name/IP to each log event?

I am using Logback for logging. Scribe appenders send the logs in real time to a central Scribe aggregator. But I don't know how to add source machine IP in the logs for each log events. Looking at the aggregated central Scribe logs, it is almost impossible to know which machine is sending the logs. Hence, appending the IP of source machine to each log event will be helpful, and will be really great if we can control that through logback configuration.
It's possible to pass down hostname to remote receiver thru contextName.
Add following to logback.xml on all appenders:
<contextName>${HOSTNAME}</contextName>
Then, on aggregator instance, it will be available for inclusion in the pattern:
<pattern>%contextName %d %-5level %logger{35} - %msg %n</pattern>
According to the Logback docs, there's now a CanonicalHostNamePropertyDefiner expressly to add a hostname to your logs. Add a define to your project:
<define name="hostname"
class="ch.qos.logback.core.property.CanonicalHostNamePropertyDefiner"/>
and access it as ${hostname}
Well, if you are working on a client-server project then you can use the MDC feature of slf4j/logback (full document here), and in this case you can have a well-structured log file in which you can identify which log is for which client.
Hope this helps!

Questions about add firewall exception in wix installer by firewall extension

I am new to Wix installer. I am trying to add firewall exception for my program.
My code is as follow:
    <Component Id="_VIEW.EXE" Guid="*" Transitive="yes">
      <File Id="view.exe"
            Name="view.exe"
            KeyPath="yes"
            Source="$(var.INSTALLSOURCE)\view.exe">
        <fire:FirewallException Id="view_firewall_domain_tcp"
                                Name="View"
                                Protocol="tcp"
                                Scope="any"
                                IgnoreFailure="yes"
                                Profile="domain" />
        <fire:FirewallException Id="view_firewall_domain_udp"
                                Name="View"
                                Protocol="udp"
                                Scope="any"
                                IgnoreFailure="yes"
                                Profile="domain" />
        <fire:FirewallException Id="view_firewall_private_tcp"
                                Name="View"
                                Protocol="tcp"
                                Scope="any"
                                IgnoreFailure="yes"
                                Profile="private" />
        <fire:FirewallException Id="view_firewall_private_udp"
                                Name="View"
                                Protocol="udp"
                                Scope="any"
                                IgnoreFailure="yes"
                                Profile="private" />
      </File>
    </Component>
In my code, I add 4 firewall exceptions, and each exception has different values for the "Profile" and "Protocol" attributes. My expected result is 4 exceptions created:
    NAME | GROUP | Profile | Enabled | Action | Override | Program          | Local Address | Remote Address | Protocol | Local Port | Remote Port | Allowed Users | Allowed Computers
    view |       | Domain  | Yes     | Allow  | No       | c:\test\view.exe | Any           | Any            | TCP      | Any        | Any         | Any           | Any
    view |       | Domain  | Yes     | Allow  | No       | c:\test\view.exe | Any           | Any            | UDP      | Any        | Any         | Any           | Any
    view |       | Private | Yes     | Allow  | No       | c:\test\view.exe | Any           | Any            | TCP      | Any        | Any         | Any           | Any
    view |       | Private | Yes     | Allow  | No       | c:\test\view.exe | Any           | Any            | UDP      | Any        | Any         | Any           | Any
But the actual result is that only one exception is created, and the value of the "Protocol" attribute is "Any" instead of "TCP" or "UDP":
    NAME | GROUP | Profile | Enabled | Action | Override | Program          | Local Address | Remote Address | Protocol | Local Port | Remote Port | Allowed Users | Allowed Computers
    view |       | Domain  | Yes     | Allow  | No       | c:\test\view.exe | Any           | Any            | Any      | Any        | Any         | Any           | Any
So, I have two questions:
Why is only one exception created? Must the name of the exception be unique?
Why does the value of the "Protocol" attribute not take effect?
I referred to the official document about the firewall extension:
http://wixtoolset.org/documentation/manual/v3/xsd/firewall/firewallexception.html
In the document, I saw some description about "File" attribute:
Identifier of a file to be granted access to all incoming ports and protocols. If you use File, you cannot also use Program.
If you use File and also Port or Protocol in the same FirewallException element, the exception will fail to install on Windows XP and Windows Server 2003. IgnoreFailure="yes" can be used to ignore the resulting failure, but the exception will not be added.
Does it mean that if I set a firewall rule for a program, the "Protocol" and "Port" attributes will be "Any" automatically, even if I set "Protocol"?
The existing wix FirewallException custom actions make use of the XP/Server2003 windows firewall API. In this API, setting a firewall exception for a particular executable implies that all ports and all protocols will be opened to the exception.
For reference, the XP/Server2003 firewall API interfaces. Notice that INetFwOpenPort has the ability to get/set the port, while INetFwAuthorizedApplication does not.
If you want to create a firewall exception on a program and explicitly limit the port, protocol, and domain you'll need to make use of the windows 'advanced' firewall API that came with Vista. Check out these references:
Highlevel overview
Reference guide
Command-line reference guide
Sadly, nobody has yet implemented an AdvancedFirewallException extension for wix that makes use of these updated APIs. Maybe I'll run a kickstarter campaign to see if there interest in funding the development ;P
Try to use different Names for each FirewallException Id. This worked for me:
    <File Id="sample.exe"
          Name="sample.exe"
          Source="..\TestFrame\bin\debug\sample.exe"
          Vital="yes"
          KeyPath='yes'>
      <fire:FirewallException Id="FirewallDomainSampleTcp"
                              Name="Domain Sample TCP"
                              Protocol="tcp"
                              Port="8080"
                              Scope="any"
                              IgnoreFailure="yes"
                              Profile="domain" />
      <fire:FirewallException Id="FirewallDomainSampleUdp"
                              Name="Domain Sample UDP"
                              Protocol="udp"
                              Port="8080"
                              Scope="any"
                              IgnoreFailure="yes"
                              Profile="domain" />
      <fire:FirewallException Id="FirewallPrivatSampleTcp"
                              Name="Private Sample TCP"
                              Protocol="tcp"
                              Port="8080"
                              Scope="any"
                              IgnoreFailure="yes"
                              Profile="private" />
      <fire:FirewallException Id="FirewallPrivateSampleUdp"
                              Name="Private Sample UDP"
                              Protocol="udp"
                              Port="8080"
                              Scope="any"
                              IgnoreFailure="yes"
                              Profile="private" />
    </File>

libvirt cpuset is not able to set affinity

I have been trying to set cpu affinity for a VM. Now, I edited the VM xml file present in /etc/libvirt/qemu/$VM.xml and put cpuset attribute. I have 4 cores and I put cpuset = '1,3'. But still when I did virsh vcpuinfo $VM, it showed that my VM's vcpus are still attached to pcpus 0 and 2. What am I doing wrong?
Would you mind pasting the elements of your domain XML? You may refer to [CPU Allocation] to compare.
A handy tool is command taskset -p <your qemu process id> to see the CPU allocation on the KVM hypervisor.
BTW: you need qemu v0.8.5+ to get this feature.
Editing /etc/libvirt/qemu/$VM.xml under libvirt's hands is not what you should do, neither is setting the affinity without libvirt. In that case libvirt doesn't know about the settings.
The right thing to do is use 'virsh edit $VM', set what you want, and stop and start the domain. You can also use virsh to pin each vCPU to particular host CPU(s):
    X=2   # X is the number of vCPUs; vCPU indices start at 0
    for i in $(seq 0 $((X - 1))); do
        virsh vcpupin $VM $i 1,3
    done
    virsh emulatorpin $VM 1,3
or
virsh numatune $VM --nodeset 1,3 # To pin to particular
You can use '--config' and '--live' to set it in the config or for the live domain respectively. For further options see the manual for the command virsh (man virsh).
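The vcpupin loop and the vcpuinfo check from the answer above, as an added Python example that is not part of the thread and not libvirt's own tooling. It builds one `virsh vcpupin` per vCPU plus the `virsh emulatorpin`, runs them only when `dry_run=False` (assumes `virsh` on PATH and a domain the caller may manage), and then verifies the result by parsing `virsh vcpuinfo` output into the `CPU Affinity` mask per vCPU. It goes a little beyond the thread's `1,3` case by accepting libvirt's range and exclusion cpuset syntax (`0-3,^2`). The vcpuinfo text below is constructed sample output, not captured from a real host.

```python
import subprocess
from typing import Dict, List, Set


def parse_cpuset(spec: str) -> Set[int]:
    """Expand a libvirt-style cpuset ('1,3', '0-3', '0-3,^2') into host CPU numbers."""
    include: Set[int] = set()
    exclude: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        target = exclude if part.startswith("^") else include
        part = part.lstrip("^")
        if "-" in part:
            lo, hi = part.split("-", 1)
            target.update(range(int(lo), int(hi) + 1))
        else:
            target.add(int(part))
    return include - exclude


def vcpupin_commands(domain: str, nvcpus: int, cpuset: str,
                     live: bool = True, config: bool = True) -> List[List[str]]:
    """One 'virsh vcpupin' per vCPU (indices start at 0) plus an emulatorpin, as argv lists."""
    flags = (["--live"] if live else []) + (["--config"] if config else [])
    cmds = [["virsh", "vcpupin", domain, str(i), cpuset] + flags for i in range(nvcpus)]
    cmds.append(["virsh", "emulatorpin", domain, cpuset] + flags)
    return cmds


def apply_pinning(domain: str, nvcpus: int, cpuset: str, dry_run: bool = True) -> List[List[str]]:
    """Run the pin commands through libvirt (no shell, so the cpuset is never re-parsed)."""
    cmds = vcpupin_commands(domain, nvcpus, cpuset)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


def parse_vcpuinfo(text: str) -> Dict[int, str]:
    """Map vCPU number -> 'CPU Affinity' mask (one y/- per host CPU) from virsh vcpuinfo."""
    affinity: Dict[int, str] = {}
    current = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "VCPU":
            current = int(value)
        elif key == "CPU Affinity" and current is not None:
            affinity[current] = value
    return affinity


def mask_to_cpus(mask: str) -> Set[int]:
    """'-y-y' -> {1, 3}: position i is 'y' when host CPU i is allowed."""
    return {i for i, ch in enumerate(mask) if ch == "y"}


def verify_pinning(vcpuinfo_text: str, cpuset: str) -> bool:
    """True when every vCPU's affinity mask equals the requested cpuset."""
    expected = parse_cpuset(cpuset)
    affinity = parse_vcpuinfo(vcpuinfo_text)
    return bool(affinity) and all(mask_to_cpus(m) == expected for m in affinity.values())


# Constructed sample 'virsh vcpuinfo' output for a 4-core host with 2 vCPUs.
SAMPLE_PINNED = """\
VCPU:           0
CPU:            1
State:          running
CPU time:       12.3s
CPU Affinity:   -y-y

VCPU:           1
CPU:            3
State:          running
CPU time:       8.7s
CPU Affinity:   -y-y
"""

# The asker's symptom: edits made behind libvirt's back, vCPUs still free to run anywhere.
SAMPLE_UNPINNED = SAMPLE_PINNED.replace("-y-y", "yyyy").replace("CPU:            1", "CPU:            0") \
                               .replace("CPU:            3", "CPU:            2")

if __name__ == "__main__":
    for cmd in apply_pinning("myvm", 2, "1,3", dry_run=True):   # 'myvm' is a placeholder domain name
        print(" ".join(cmd))
    print("pinned sample ok:", verify_pinning(SAMPLE_PINNED, "1,3"))
    print("unpinned sample ok:", verify_pinning(SAMPLE_UNPINNED, "1,3"))
```

Against a live host, replace the constructed text with `subprocess.run(["virsh", "vcpuinfo", domain], capture_output=True, text=True).stdout`; the affinity mask is what libvirt actually enforces, so checking it is a better test than reading the XML you edited.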