Saturday, October 31, 2020

Docker Swarm With Single Master

What is swarm?

Docker Swarm is Docker's built-in cluster management. A swarm contains multiple Docker hosts, known as nodes, and each node is either a manager or a worker.

Manager --> Manages the swarm and schedules swarm services
Worker --> Runs the tasks of swarm services

How to configure docker swarm?

We need to have 3 servers

1 -- Master Node
2 -- Worker Nodes

Master --> 192.168.1.131
Worker-1 --> 192.168.1.132
Worker-2 --> 192.168.1.133

Step 1

Install and enable the docker service on each server

yum install docker-ce docker-ce-cli containerd.io

systemctl enable docker
systemctl start docker

Step 2

Initialise the swarm on the manager node

docker swarm init --advertise-addr 192.168.1.131

Step 3

Add the worker nodes to the swarm. The docker swarm init command above prints the join command with the worker token; run it on each worker node.

docker swarm join --token SWMTKN-1-4756c3muztsup58wb0hc8ewwturxwmp3s40gbmx3ts9m5dmbwr-dpt2duvjtsayw9w3l73q49r1e 192.168.1.131:2377

To verify the nodes in the swarm, run this on the manager:

docker node ls

Step 4

Create Docker Service

Here I am using the nginx image to create the service. Initially it runs three docker-nginx replicas and publishes ports 80 and 443 to the outside.

docker service create --replicas 3 -p 80:80 -p 443:443 --hostname=docker-nginx.local --name docker-nginx nginx

To verify the docker service 

docker service ls


Scale the service to four replicas (vqnerzh63o45 is the service ID shown by docker service ls; the service name docker-nginx works as well)

docker service scale vqnerzh63o45=4
Open the manager IP in a browser to load the nginx default page.

http://192.168.1.131/
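A small health check over the output of the two verification commands above (docker node ls and docker service ls), added here as an example and not part of the original post. The sample output is constructed to look like this three-node swarm after the scale to 4, with worker-2 down; the node IDs are made up.

```shell
# Constructed sample output in the format of `docker node ls` and
# `docker service ls` (not captured from a real cluster): worker-2 is down and
# the service has been scaled to 4 replicas but only 3 tasks are running.
NODE_LS='ID                            HOSTNAME   STATUS    AVAILABILITY   MANAGER STATUS   ENGINE VERSION
x1ywz1k3n5qzh8t2v9f1w0e2a *   master     Ready     Active         Leader           19.03.13
k2lmn4o6p8qrs0tuv2wxy4za6     worker-1   Ready     Active                          19.03.13
d3efg5h7i9jkl1mno3pqr5st7     worker-2   Down      Active                          19.03.13'

SERVICE_LS='ID             NAME           MODE         REPLICAS   IMAGE          PORTS
vqnerzh63o45   docker-nginx   replicated   3/4        nginx:latest   *:80->80/tcp, *:443->443/tcp'

# unhealthy_nodes NODE_LS_OUTPUT: print the hostname of every node whose
# STATUS is not Ready or whose AVAILABILITY is not Active.
unhealthy_nodes() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        # the row of the manager you are connected to carries a "*" after
        # its ID, which shifts the remaining columns by one
        h = ($2 == "*") ? 3 : 2
        if ($(h + 1) != "Ready" || $(h + 2) != "Active") print $h
    }'
}

# underprovisioned_services SERVICE_LS_OUTPUT: print "NAME RUNNING/DESIRED"
# for replicated services that run fewer tasks than requested.
underprovisioned_services() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 == "replicated" {
        split($4, r, "/")
        if (r[1] + 0 < r[2] + 0) print $2, $4
    }'
}

# swarm_healthy NODE_LS_OUTPUT SERVICE_LS_OUTPUT: 0 when nothing is flagged.
swarm_healthy() {
    n=$(unhealthy_nodes "$1"); s=$(underprovisioned_services "$2")
    [ -z "$n" ] && [ -z "$s" ] && return 0
    printf 'unhealthy nodes: %s\nunderprovisioned services: %s\n' "$n" "$s" >&2
    return 1
}
```

On a live manager, feed it real output with swarm_healthy "$(docker node ls)" "$(docker service ls)".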

Monday, October 26, 2020

Zabbix Custom Email Alert


Features

  • Graphs based on latest data are sent to your Email
  • You can send messages both in private and group email
  • Links to open Graph URL and Event URL.

Configuration / Installation

Zabbix server needs to be installed, configured and running.
  • Put problem.sh, resolved.sh, acknowledged.sh and sendEmail in your AlertScriptsPath directory; the path is set in your zabbix_server.conf

The scripts must be executable by the zabbix user. The default path of the AlertScriptsPath is

Download all the scripts from GitHub: Download Link

  • Set the parameters below in the problem.sh, resolved.sh and acknowledged.sh files
SENDER="Zabbix-Alert<zabbix-alert@mycompany.com>"
ZBX_URL="https://mycompany.com/zabbix"
USERNAME="Admin" # Zabbix Username
PASSWORD="password" # Zabbix Password

Note: Better to use a read-only Zabbix user here instead of the Admin user.
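A check that the alert scripts are runnable by the Zabbix service user and that the USERNAME/PASSWORD they embed are not readable by other local users. This is an added example, not part of the original post or the scripts it links; it relies only on POSIX ls and takes the expected owner name as a parameter (normally zabbix).

```shell
# alert_script_ok FILE OWNER
# Returns 0 when FILE exists, is owned by OWNER, is executable by its owner
# and grants no permission at all to "other" (the file holds a password).
alert_script_ok() {
    f=$1; owner=$2
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    set -- $(ls -ld "$f")          # $1 = mode string, $3 = owner
    mode=$1; file_owner=$3
    [ "$file_owner" = "$owner" ] || { echo "$f: owned by $file_owner, not $owner" >&2; return 1; }
    case "$mode" in
        ???x*) ;;                  # owner execute bit is set
        *) echo "$f: not executable by owner ($mode)" >&2; return 1 ;;
    esac
    case "$mode" in
        ???????---*) ;;            # no read/write/execute for other users
        *) echo "$f: accessible to other users ($mode)" >&2; return 1 ;;
    esac
    return 0
}

# check_alert_scripts DIR OWNER
# Runs the check above on the three handler scripts and the sendEmail client
# in the AlertScriptsPath directory DIR; returns 1 if any of them fails.
check_alert_scripts() {
    dir=$1; owner=$2; rc=0
    for s in problem.sh resolved.sh acknowledged.sh sendEmail; do
        alert_script_ok "$dir/$s" "$owner" || rc=1
    done
    return $rc
}
```

Typical use on the server: check_alert_scripts /usr/lib/zabbix/alertscripts zabbix, substituting your own AlertScriptsPath.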

  • Configure the email server details in the "sendEmail" client.
  • Add 3 new media types, "Zabbix Problem Email", "Zabbix Resolved Email" and "Zabbix Acknowledged Email", in the Zabbix web interface with these settings:


  • Create an Action for the Email Alert
Add the host groups to the condition list.


  • Under the Operations tab, set the default subject and default message like this.

Default Subject:  

[{TRIGGER.SEVERITY}] : {TRIGGER.NAME}

Default Message: 

Problem started at {EVENT.TIME} on {EVENT.DATE}
Problem name: {TRIGGER.NAME}
Host: {HOST.NAME}
IP: {HOST.IP}
Severity: {TRIGGER.SEVERITY}

Original Problem ID: {EVENT.ID}
Status:  {EVENT.STATUS}
Trigger ID: {TRIGGER.ID}
Last Value: {ITEM.LASTVALUE}
Item ID: {ITEM.ID}
Item Graphic: [{ITEM.ID1}]

  • Add operation details

  • Then add Recovery Operation 

Default Subject:  

[Resolved] : {TRIGGER.NAME}

Default Message: 

Problem has been resolved at {EVENT.RECOVERY.TIME} on {EVENT.RECOVERY.DATE}
Problem name: {TRIGGER.NAME}
Host: {HOST.NAME}
IP: {HOST.IP}
Severity: {TRIGGER.SEVERITY}

Original Problem ID: {EVENT.ID}
Status:  {EVENT.STATUS}
Trigger ID: {TRIGGER.ID}
Last Value: {ITEM.LASTVALUE}
Item ID: {ITEM.ID}
Item Graphic: [{ITEM.ID1}]

  • Add operation details for Recovery

  • Then add Acknowledgement Operation 

Default Subject:  

[Acknowledged] : {TRIGGER.NAME}

Default Message: 

{USER.FULLNAME} user acknowledged problem at {ACK.DATE} {ACK.TIME} with the following message:
{ACK.MESSAGE}

Problem name: {TRIGGER.NAME}
Host: {HOST.NAME}
IP: {HOST.IP}
Severity: {TRIGGER.SEVERITY}
Status:  {EVENT.STATUS}
Original Problem ID: {EVENT.ID}
Last Value: {ITEM.LASTVALUE}

  • Add operation details for Acknowledgement

Sample Email Notifications

Problem Email


Recovery Email



Wednesday, October 21, 2020

NGINX RPM Build with Third-party Modules


Prerequisites

  • OS with Centos 7 installed.
  • Enable "epel-release" repo
  • Install the packages below
    • openssl openssl-devel gcc gd-devel GeoIP GeoIP-devel libgdata-devel.x86_64 libgdata.x86_64 gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel gcc make automake autoconf libtool pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel rpm-build.x86_64 rpm-build-libs.x86_64 redhat-lsb-core.x86_64 mhash.x86_64 mhash-devel.x86_64 patch.x86_64 luajit.x86_64 libmodsecurity.x86_64 dkms gcc make kernel-devel bzip2 binutils patch libgomp glibc-headers glibc-devel kernel-headers libXrandr libmodsecurity-devel.x86_64 git mlocate
  • Download and install nginx source RPM from nginx repo (http://nginx.org/packages/centos/7/SRPMS)


Place the third-party modules inside "/root/rpmbuild/SOURCES/modules"


  • The modules we are going to include are as follows

Build ModSecurity

  • Download ModSecurity from the URL above.
  • Execute the commands below to build and install it.

./build.sh
./configure
make
make install


Build LuaJIT

Download LuaJIT from the URL above, then build and install it.

make
make install


Build NGINX with Modules

Some modules ship patches that must be applied to the nginx source code before the build. Check each module folder to see whether it includes any patches; if you find a patch file, you have to apply it.

Ex: 

Apply Patches 

To apply a patch, first extract the nginx source tarball, which is in "/root/rpmbuild/SOURCES".

Then execute this command

patch -p0 < /root/rpmbuild/SOURCES/modules/nginx-goodies-nginx-sticky/patches/cookies.patch

Enter the full path when patch prompts for the file to patch. You can find the path with the locate command.


Once you have applied all the patches, create a new tar.gz of the nginx source code. Back up the old one before doing so.


Then add the modules you want to build with nginx to the nginx.spec file.

Now it is time to build nginx. Execute this command:

rpmbuild -bb nginx.spec

Building the final RPM will take some time depending on the number of modules you added.
If the build completes successfully you will see something like this at the end.

Note: If you are a beginner, add the modules one at a time and build after each one.

The built RPM is located under the location below.

You can now install nginx.


You can verify the available modules with the nginx -V command.
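A check over the nginx -V output that lists which third-party modules made it into the build and flags any that are missing, which is useful when following the note above about adding modules one at a time. Added example, not from the original post; the nginx -V output below is constructed, and the module directory names (ModSecurity-nginx, nginx-goodies-nginx-sticky, lua-nginx-module) are assumed.

```shell
# Constructed sample of `nginx -V 2>&1` (nginx writes this to stderr) for a
# build that added two static modules and one dynamic module from the
# /root/rpmbuild/SOURCES/modules directory used above.
NGINX_V='nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --with-http_ssl_module --add-module=/root/rpmbuild/SOURCES/modules/ModSecurity-nginx --add-module=/root/rpmbuild/SOURCES/modules/nginx-goodies-nginx-sticky --add-dynamic-module=/root/rpmbuild/SOURCES/modules/lua-nginx-module'

# added_modules NGINX_V_OUTPUT: one line per --add-module / --add-dynamic-module
# argument, printed as "static NAME" or "dynamic NAME" (NAME = last path element).
added_modules() {
    printf '%s\n' "$1" | awk '/^configure arguments:/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^--add-module=/) kind = "static"
            else if ($i ~ /^--add-dynamic-module=/) kind = "dynamic"
            else continue
            sub(/^--add(-dynamic)?-module=/, "", $i)   # strip the option
            sub(/\/+$/, "", $i)                        # drop a trailing slash
            n = split($i, p, "/")
            print kind, p[n]
        }
    }'
}

# missing_modules NGINX_V_OUTPUT MODULE...: print each expected module name
# that is not in the build; return 1 if any is missing.
missing_modules() {
    have=$(added_modules "$1"); shift; rc=0
    for m in "$@"; do
        printf '%s\n' "$have" | grep -q " $m\$" || { echo "$m"; rc=1; }
    done
    return $rc
}
```

On the built host, run missing_modules "$(nginx -V 2>&1)" followed by the module directory names you added to nginx.spec.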

Monday, October 19, 2020

IPSec VPN for Linux


IPsec Protocols

Authentication Header (AH) and Encapsulating Security Payload (ESP) are the two protocols that actually protect user data. Both can be used in transport or tunnel mode.

Authentication Header Protocol

AH offers authentication and integrity but it doesn’t offer any encryption. It protects the IP packet by calculating a hash value over almost all fields in the IP header. The fields it excludes are the ones that can be changed in transit (TTL and header checksum).



Encapsulating Security Payload Protocol

ESP is the more popular choice of the two since it allows you to encrypt IP traffic. We can use it in transport or tunnel mode.


ESP in Transport Mode

Configurations

There are many ways to configure an IPsec VPN between two hosts. Here we use racoon to configure IPsec between two hosts in transport mode.


Step 01: Install racoon and ipsec-tools on each server

Step 02: Configure IPsec 

  • Machine A (IP 192.168.1.170): add the content below to /etc/ipsec-tools.conf
 
#!/usr/sbin/setkey -f
flush;
spdflush;
 
spdadd 192.168.1.170 192.168.1.171 any -P out ipsec
    esp/transport//require;
spdadd 192.168.1.171 192.168.1.170 any -P in ipsec
    esp/transport//require;
  • Machine B (IP 192.168.1.171): add the content below to /etc/ipsec-tools.conf

 

#!/usr/sbin/setkey -f
flush;
spdflush;
 
spdadd 192.168.1.170 192.168.1.171 any -P in ipsec
    esp/transport//require;
spdadd 192.168.1.171 192.168.1.170 any -P out ipsec
    esp/transport//require; 

  • To apply the policies, restart the setkey service on both servers

systemctl restart setkey 

  • To verify that the policies were applied correctly, use the command below.

setkey -PD 

  • Machine A (IP 192.168.1.170): put the content below into /etc/racoon/racoon.conf

log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
 
remote anonymous {
exchange_mode main,aggressive;
lifetime time 2 min;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha256;
authentication_method pre_shared_key;
dh_group modp1024;
}
generate_policy off;
}
sainfo anonymous {
lifetime time 2 min;
pfs_group 2;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha256;
compression_algorithm deflate;
}

  • Machine B (IP 192.168.1.171): put the content below into /etc/racoon/racoon.conf

log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
 
remote anonymous {
exchange_mode main,aggressive;
lifetime time 2 min;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha256;
authentication_method pre_shared_key;
dh_group modp1024;
}
generate_policy off;
}
sainfo anonymous {
lifetime time 2 min;
pfs_group 2;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha256;
compression_algorithm deflate;
}


  • Add the line below to /etc/racoon/psk.txt on Host A (192.168.1.170)

192.168.1.171 a9993e364706816aba3e

  • Add the line below to /etc/racoon/psk.txt on Host B (192.168.1.171)

192.168.1.170 a9993e364706816aba3e

If the tunnel is configured correctly, each host should be able to ping the other, and you can see the traffic going through the tunnel in a Wireshark capture.



AH + ESP in Transport Mode

In transport mode we can use AH and ESP together. The original IP header is kept, followed by an AH header and an ESP header. The transport layer, payload and ESP trailer are encrypted by ESP.

AH does not encrypt the content of the message, but it makes sure that the sender is known and that the IP header is untouched: because we also use AH, the entire IP packet is authenticated.

Configurations

  • To enable Authentication Headers we have to add a few more entries to the ipsec-tools.conf file
Host-A 192.168.1.170
 
#!/usr/sbin/setkey -f
flush;
spdflush;

# Put the ESP SAs in the DB
add 192.168.1.170 192.168.1.171 esp 31031 -E aes-cbc
0xdcc6981b0787002abf5dfc28d8b2221063b949316b35c51a7bdb65753e369c66;
add 192.168.1.171 192.168.1.170 esp 43241 -E aes-cbc
0x3a9fc0f3d7081ae4f4184250b658f69c0d5b220367a160b8592871d2eeef1523;

# AH SAs In the DB
add 192.168.1.170 192.168.1.171 ah 33362 -A hmac-sha256
0xf93c4f2b0034dd236e77d9aca68014d09dd7c2ef0571d7831082617b1b560324;
add 192.168.1.171 192.168.1.170 ah 30759 -A hmac-sha256
0xd3e451082bb8837e88f238c153f16664bc0b33542515d6d8d4b79050e06662c8;

spdadd 192.168.1.170 192.168.1.171 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.1.171 192.168.1.170 any -P in ipsec
esp/transport//require
ah/transport//require;

Host-B 192.168.1.171


#!/usr/sbin/setkey -f
flush;
spdflush;

# Put the ESP SAs in the DB
add 192.168.1.170 192.168.1.171 esp 31031 -E aes-cbc
0xdcc6981b0787002abf5dfc28d8b2221063b949316b35c51a7bdb65753e369c66;
add 192.168.1.171 192.168.1.170 esp 43241 -E aes-cbc
0x3a9fc0f3d7081ae4f4184250b658f69c0d5b220367a160b8592871d2eeef1523;

# AH SAs In the DB
add 192.168.1.170 192.168.1.171 ah 33362 -A hmac-sha256
0xf93c4f2b0034dd236e77d9aca68014d09dd7c2ef0571d7831082617b1b560324;
add 192.168.1.171 192.168.1.170 ah 30759 -A hmac-sha256
0xd3e451082bb8837e88f238c153f16664bc0b33542515d6d8d4b79050e06662c8;

spdadd 192.168.1.170 192.168.1.171 any -P in ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.1.171 192.168.1.170 any -P out ipsec
esp/transport//require
ah/transport//require; 

  • To apply the policies, restart the setkey service on both servers

systemctl restart setkey 
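The two Host-A and Host-B files above must carry identical SAs and differ only in the in/out direction of the policies, and the keys should be fresh rather than copied. This added example (not from the original post) generates both files from one set of SPIs and keys; it assumes 256-bit keys (64 hex digits) for both aes-cbc and hmac-sha256, and draws new ones from /dev/urandom with od.

```shell
# new_key: 32 random bytes as lowercase hex (assumes /dev/urandom and POSIX od).
new_key() {
    od -An -tx1 -N 32 /dev/urandom | tr -d ' \n'
}

# check_key HEX: succeed only for a 64-hex-digit (256-bit) key.
check_key() {
    case "$1" in
        *[!0-9a-fA-F]*|"") return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# setkey_conf LOCAL PEER ESP_SPI_OUT ESP_KEY_OUT ESP_SPI_IN ESP_KEY_IN \
#             AH_SPI_OUT AH_KEY_OUT AH_SPI_IN AH_KEY_IN
# Prints LOCAL's /etc/ipsec-tools.conf. Call it again with LOCAL and PEER
# swapped and each out/in pair swapped to get the peer's file; the SA set is
# the same in both, only the spdadd directions change.
setkey_conf() {
    for k in "$4" "$6" "$8" "${10}"; do
        check_key "$k" || { echo "setkey_conf: bad key '$k'" >&2; return 1; }
    done
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;

# ESP SAs (identical on both hosts)
add $1 $2 esp $3 -E aes-cbc 0x$4;
add $2 $1 esp $5 -E aes-cbc 0x$6;

# AH SAs (identical on both hosts)
add $1 $2 ah $7 -A hmac-sha256 0x$8;
add $2 $1 ah $9 -A hmac-sha256 0x${10};

spdadd $1 $2 any -P out ipsec
    esp/transport//require
    ah/transport//require;
spdadd $2 $1 any -P in ipsec
    esp/transport//require
    ah/transport//require;
EOF
}
```

For the pair above: generate four keys with new_key, call setkey_conf 192.168.1.170 192.168.1.171 31031 KEY_AB 43241 KEY_BA 33362 AHKEY_AB 30759 AHKEY_BA for Host-A, then the same with the two addresses and the pairs swapped for Host-B.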


ESP in Transport Mode vs ESP + AH in Transport Mode  

This is a packet capture of ESP in transport mode


This is a packet capture of AH + ESP in transport mode