How to decode audit log?

I want to know which command was run, from the proctitle field:

# ausearch -k monitor-hosts
time->Tue Nov 28 11:45:57 2023
type=PROCTITLE msg=audit(1701143157.845:524997): proctitle=617564697463746C002D77002F7661722F6C6F672F706163656D616B65722F62756E646C657300002D7000776172002D6B006D6F6E69746F722D686F737473
type=SYSCALL msg=audit(1701143157.845:524997): arch=c000003e syscall=44 success=yes exit=1096 a0=4 a1=7ffe9d99d180 a2=448 a3=0 items=0 ppid=537026 pid=952862 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=245 comm="auditctl" exe="/usr/sbin/auditctl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CONFIG_CHANGE msg=audit(1701143157.845:524997): auid=1000 ses=245 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key="monitor-hosts" list=4 res=1
time->Tue Nov 28 11:46:30 2023
type=PROCTITLE msg=audit(1701143190.320:525047): proctitle=63686D6F64006F2B72002F7661722F6C6F672F706163656D616B65722F62756E646C65732F7261626269746D712D62756E646C652D322F
type=PATH msg=audit(1701143190.320:525047): item=0 name="/var/log/pacemaker/bundles/rabbitmq-bundle-2/" inode=222367435 dev=fc:02 mode=040751 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cluster_var_log_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1701143190.320:525047): cwd="/root"
type=SYSCALL msg=audit(1701143190.320:525047): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=560747612670 a2=1ed a3=fffff3ff items=1 ppid=537026 pid=956001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=245 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="monitor-hosts"
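
The proctitle value is the process's argv with the NUL separators kept, which is why auditd hex-encodes it (on a live system `ausearch -i` interprets the field in place). The script below is an added example, not part of the original post: it decodes proctitle, regroups the records of each event by their serial number, and prints who ran what under which key. The sample records are copied from the ausearch output above; the parsing helpers are my own and assume the standard `key=value` record layout.

```python
"""Decode the hex-encoded proctitle field of audit records and regroup the
records of each event so a `-k` search reads as "who ran what, on which path".

Added example, not part of the original post. The sample records are copied
from the `ausearch -k monitor-hosts` output above; the parsing is my own.
"""
import re
import shlex
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: records copied from the ausearch output above.
SAMPLE_RECORDS = """\
time->Tue Nov 28 11:45:57 2023
type=PROCTITLE msg=audit(1701143157.845:524997): proctitle=617564697463746C002D77002F7661722F6C6F672F706163656D616B65722F62756E646C657300002D7000776172002D6B006D6F6E69746F722D686F737473
type=SYSCALL msg=audit(1701143157.845:524997): arch=c000003e syscall=44 success=yes exit=1096 a0=4 a1=7ffe9d99d180 a2=448 a3=0 items=0 ppid=537026 pid=952862 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=245 comm="auditctl" exe="/usr/sbin/auditctl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
time->Tue Nov 28 11:46:30 2023
type=PROCTITLE msg=audit(1701143190.320:525047): proctitle=63686D6F64006F2B72002F7661722F6C6F672F706163656D616B65722F62756E646C65732F7261626269746D712D62756E646C652D322F
type=PATH msg=audit(1701143190.320:525047): item=0 name="/var/log/pacemaker/bundles/rabbitmq-bundle-2/" inode=222367435 dev=fc:02 mode=040751 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cluster_var_log_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1701143190.320:525047): cwd="/root"
type=SYSCALL msg=audit(1701143190.320:525047): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=560747612670 a2=1ed a3=fffff3ff items=1 ppid=537026 pid=956001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=245 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="monitor-hosts"
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # timestamp:serial
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"


def decode_proctitle(value):
    """argv of a PROCTITLE record. The kernel separates arguments with NUL bytes,
    so auditd hex-encodes the field; a single-argument title may stay a quoted string."""
    if value.startswith('"'):
        return [value[1:-1]]
    raw = bytes.fromhex(value)
    if raw.endswith(b"\x00"):            # trailing terminator, not an argument
        raw = raw[:-1]
    return raw.decode("utf-8", errors="replace").split("\x00")


def parse_record(line):
    """One audit record -> dict of its fields plus the event serial and timestamp."""
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    rec = {"timestamp": float(m.group(1)), "serial": int(m.group(2))}
    for key, val in FIELD_RE.findall(line):
        if key == "msg":
            continue
        if key == "proctitle":
            rec["argv"] = decode_proctitle(val)
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def events_from(text):
    """Group records by event serial; ausearch's 'time->' and '----' lines are skipped."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if line.startswith("type="):
            rec = parse_record(line)
            events[rec["serial"]][rec["type"]].append(rec)
    return events


def summarise(events):
    """One row per event: who (auid/uid), what (decoded argv), on which paths, under which key."""
    rows = []
    for serial in sorted(events):
        recs = events[serial]
        ts = min(r["timestamp"] for lst in recs.values() for r in lst)
        syscall = recs["SYSCALL"][0] if recs["SYSCALL"] else {}
        argv = recs["PROCTITLE"][0]["argv"] if recs["PROCTITLE"] else []
        rows.append({
            "serial": serial,
            # ausearch prints local time; UTC here keeps the output reproducible
            "when": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "auid": syscall.get("auid"), "uid": syscall.get("uid"),
            "exe": syscall.get("exe"), "key": syscall.get("key"),
            "argv": argv,
            "command": shlex.join(argv),   # an empty argument shows as '' rather than vanishing
            "paths": [p["name"] for p in recs["PATH"]],
        })
    return rows


if __name__ == "__main__":
    for row in summarise(events_from(SAMPLE_RECORDS)):
        print(row["when"], "auid=%s" % row["auid"], "key=%s" % row["key"], row["command"])
```

Note that the first proctitle above decodes to `auditctl -w /var/log/pacemaker/bundles '' -p war -k monitor-hosts`: there are two consecutive NUL bytes in the hex, i.e. an empty argument was passed, which `shlex.join` keeps visible. The `auid` field is the login uid and survives `su`/`sudo`, so it, rather than `uid=0`, tells you which person ran the command.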

How to enable NET_ADMIN permission to a pod with custom scc?

  1. Create custom scc:
    $ oc whoami
    system:admin
    $ oc create -f scc.yaml
    

    This is the yaml file used to create the new scc:

    $ cat scc.yaml 
    kind: SecurityContextConstraints
    apiVersion: v1
    metadata:
      name: my-scc
    allowPrivilegeEscalation: false
    allowPrivilegedContainer: false
    allowedCapabilities:
      - NET_ADMIN
    runAsUser:
      type: RunAsAny
    seLinuxContext:
      type: RunAsAny
    fsGroup:
      type: RunAsAny
    supplementalGroups:
      type: RunAsAny
    users:
      - system:admin
    
  2. Create a service account in the target namespace:
    $ oc whoami
    meiyan
    $ oc new-project meiyan-scc-pod
    $ oc create sa meiyansvcacct
    
  3. Bind the service account meiyansvcacct to the custom scc:
    $ oc whoami
    system:admin
    $ oc adm policy add-scc-to-user my-scc -z meiyansvcacct
    
  4. Modify the priority of scc my-scc:
    $ oc patch scc my-scc -p '{"priority":1}' --type merge
    securitycontextconstraints.security.openshift.io/my-scc patched
    
  5. Create the Pod in the namespace:
    apiVersion: v1
    kind: Pod
    metadata:
      name: simple-pod
    spec:
      containers:
      - command:
        - /bin/sh
        - -c
        - |
          sleep infinity
        image: registry.access.redhat.com/rhel7/rhel-tools:latest
        imagePullPolicy: Always
        name: simple-deployment
        resources: {}
        securityContext: {}
      serviceAccount: meiyansvcacct
    
  6. Confirm the new pod is using custom scc:
    $ oc get pod -o 'custom-columns=NAME:metadata.name,APPLIED SCC:metadata.annotations.openshift\.io/scc'
    NAME         APPLIED SCC
    simple-pod   my-scc
    
  7. WIP

How to enable NET_ADMIN permission to a deployment?

  1. Create a custom scc my-scc:
    $ cat scc.yaml 
    kind: SecurityContextConstraints
    apiVersion: v1
    metadata:
      name: my-scc
    allowPrivilegeEscalation: false
    allowPrivilegedContainer: false
    allowedCapabilities:
      - NET_ADMIN
    runAsUser:
      type: RunAsAny
    seLinuxContext:
      type: RunAsAny
    fsGroup:
      type: RunAsAny
    supplementalGroups:
      type: RunAsAny
    users:
      - system:admin
    
  2. Create a new service account mysvcacct:
    $ oc create sa mysvcacct -n $NAMESPACE
    
  3. Add SCC my-scc to SA mysvcacct:
    $ oc adm policy add-scc-to-user my-scc -z mysvcacct
    
  4. Create a deployment with serviceAccountName and securityContext:
    $ cat simple-deployment.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: simple-deployment
        app.kubernetes.io/component: simple-deployment
        app.kubernetes.io/instance: simple-deployment
        app.kubernetes.io/part-of: simple-deployment
        app.openshift.io/runtime: redhat
      name: simple-deployment
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: simple-deployment
      strategy:            # parent key restored; "type: Recreate" is not valid directly under spec
        type: Recreate
      template:
        metadata:
          labels:
            app: simple-deployment
            deploymentconfig: simple-deployment
        spec:
          serviceAccountName: mysvcacct
          containers:
          - image: registry.access.redhat.com/rhel7/rhel-tools:latest
            imagePullPolicy: Always
            name: simple-deployment
            command:
            - /bin/sh
            - -c
            - |
              sleep infinity
            resources: {}
            securityContext:
              capabilities:
                add:
                - NET_ADMIN
    
  5. Confirm that scc my-scc is used by the pod:
    $ oc -n ${NAMESPACE} get pod -o 'custom-columns=NAME:metadata.name,APPLIED SCC:metadata.annotations.openshift\.io/scc'
    NAME                                 APPLIED SCC
    simple-deployment-5c675b55b6-6cr5t   my-scc
    
  6. Confirm that the routing table can be edited inside the pod:
    $ oc rsh simple-deployment-5c675b55b6-6cr5t
    sh-4.2# ip r
    default via 10.128.2.1 dev eth0 
    10.128.0.0/14 dev eth0 
    10.128.2.0/23 dev eth0 proto kernel scope link src 10.128.3.158 
    172.30.0.0/16 via 10.128.2.1 dev eth0 
    224.0.0.0/4 dev eth0 
    sh-4.2# ip r del 224.0.0.0/4 dev eth0 
    sh-4.2# ip r add 224.0.0.0/4 dev eth0 
    sh-4.2# 
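
An SCC's allowedCapabilities only permits a container to request a capability; nothing is granted unless the container adds it (or the SCC lists it under defaultAddCapabilities). That is the difference between the Pod in the walkthrough above this one, whose container has an empty securityContext, and the Deployment here, which adds NET_ADMIN explicitly. The script below is an added example, not code from either post: it applies the SCC capability rules to pod objects the way admission does and reports which containers end up with NET_ADMIN. MY_SCC mirrors the capability fields of the scc.yaml shown above; PODS_JSON is a constructed, trimmed version of what `oc get pod -o json` returns for those two pods.

```python
"""Work out whether a container admitted under an SCC actually runs with NET_ADMIN.

Added example, not code from the original posts. MY_SCC mirrors the capability
fields of the scc.yaml shown above; PODS_JSON is a constructed, trimmed version
of `oc get pod -o json` for the Pod with an empty securityContext and for the
Deployment's pod (capabilities.add: NET_ADMIN).
"""
import json

MY_SCC = {
    "name": "my-scc",
    "allowedCapabilities": ["NET_ADMIN"],   # may be requested; not granted by default
    "defaultAddCapabilities": [],           # would be added to every container
    "requiredDropCapabilities": [],         # always removed, even if requested
}

# Constructed sample objects (trimmed to the fields this check needs).
PODS_JSON = """[
  {"metadata": {"name": "simple-pod",
                "annotations": {"openshift.io/scc": "my-scc"}},
   "spec": {"serviceAccountName": "meiyansvcacct",
            "containers": [{"name": "simple-deployment", "securityContext": {}}]}},
  {"metadata": {"name": "simple-deployment-5c675b55b6-6cr5t",
                "annotations": {"openshift.io/scc": "my-scc"}},
   "spec": {"serviceAccountName": "mysvcacct",
            "containers": [{"name": "simple-deployment",
                            "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]}}
]"""


def requested_caps(container):
    """(add, drop) sets from the container's securityContext.capabilities."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    return set(caps.get("add") or []), set(caps.get("drop") or [])


def admission_check(container, scc):
    """Apply the SCC capability rules: every requested 'add' must appear in
    allowedCapabilities ('*' allows anything), defaultAddCapabilities are added
    on top, requiredDropCapabilities are removed last.
    Returns (admitted, effective_capabilities, reason)."""
    add, drop = requested_caps(container)
    allowed = set(scc.get("allowedCapabilities") or [])
    if "*" not in allowed:
        denied = sorted(add - allowed)
        if denied:
            return False, set(), "%s does not allow %s" % (scc["name"], denied)
    effective = set(scc.get("defaultAddCapabilities") or []) | add
    effective -= set(scc.get("requiredDropCapabilities") or []) | drop
    return True, effective, "admitted"


def report(pods_json, scc, wanted="NET_ADMIN"):
    """One row per container: the applied SCC (openshift.io/scc annotation),
    whether admission accepts it, and whether `wanted` is in its capability set."""
    rows = []
    for pod in json.loads(pods_json):
        applied = (pod["metadata"].get("annotations") or {}).get("openshift.io/scc")
        for c in pod["spec"]["containers"]:
            admitted, effective, reason = admission_check(c, scc)
            rows.append({"pod": pod["metadata"]["name"], "container": c["name"],
                         "applied_scc": applied, "admitted": admitted,
                         "has_wanted": wanted in effective, "reason": reason})
    return rows


if __name__ == "__main__":
    for row in report(PODS_JSON, MY_SCC):
        print("%-36s scc=%s NET_ADMIN=%s (%s)" % (row["pod"], row["applied_scc"],
                                                 row["has_wanted"], row["reason"]))
```

Both pods show `my-scc` in the annotation, but only the Deployment's container has NET_ADMIN in its effective set; the other one is admitted and runs without it. Keeping allowedCapabilities to the single capability needed (never `*`) and leaving defaultAddCapabilities empty means every workload under the SCC has to ask for the capability in its own spec, where it is visible to review.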
    

How to update configurations for existing overcloud with director operator?

  1. Create a new file, workarounds.yaml (marked with the arrow below), to pass the new passwords:
    [root@dell-r640-009 deploy]# tree
    .
    |-- tripleo_deploy_tarball
    |   |-- net-config-two-nic-vlan-computedpdk-qe.yaml
    |   |-- net-config-two-nic-vlan-computedpdksriov-qe.yaml
    |   |-- net-config-two-nic-vlan-computehci_leaf1.yaml
    |   |-- net-config-two-nic-vlan-computehci_leaf2.yaml
    |   |-- net-config-two-nic-vlan-computehci.yaml
    |   |-- net-config-two-nic-vlan-compute_leaf1.yaml
    |   |-- net-config-two-nic-vlan-compute_leaf2.yaml
    |   |-- net-config-two-nic-vlan-computesriov-qe.yaml
    |   |-- net-config-two-nic-vlan-compute.yaml
    |   `-- roles_data.yaml
    `-- tripleo_heat_envs
        |-- cloud-names.yaml
        |-- containers-prepare-parameter.yaml
        |-- debug.yaml
        |-- network-common.yaml
        |-- network-environment.yaml
        |-- register-nic-templates.yaml
        |-- selinux.yaml
        |-- storage-backend.yaml
        |-- tls-certs.yaml
        |-- tls.yaml
        |-- updates.yaml
        `-- workarounds.yaml <-------------------------------
    2 directories, 22 files
    

Installing packages with yum failed with error "unable to get local issuer certificate"

When installing packages or running yum repolist, /var/log/dnf.log shows:

# vi /var/log/dnf.log
2023-06-14T21:47:23-0400 DEBUG error: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://www.example.com/content/dist/layered/rhel8/x86_64/ansible/2.9/os/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate] (https://www.example.com/content/dist/layered/rhel8/x86_64/ansible/2.9/os/repodata/repomd.xml).
2023-06-14T21:47:23-0400 WARNING Errors during downloading metadata for repository 'rhosp-ansible-2.9':
  - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://www.example.com/content/dist/layered/rhel8/x86_64/ansible/2.9/os/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate]

PTP troubleshooting on openshift

Check NIC driver & firmware version

Log in to the OpenShift node on which the ptp pod is running and query the NIC with ethtool:
    sh-4.4# ethtool -i ens1f0
    driver: ice
    version: 1.11.16 <------- driver version
    firmware-version: 4.20 0x8001778b 1.3346.0 <------- firmware version
    expansion-rom-version:
    bus-info: 0000:10:00.0
    supports-statistics: yes
    supports-test: yes
    supports-eeprom-access: yes
    supports-register-dump: yes
    supports-priv-flags: yes
