HashiCorp Vault

This is just a quick note to remember a few things about the Vault LDAP auth configuration when NOT using Microsoft AD.

For OpenLDAP/FreeIPA, this is what you need for correct group listing/membership:

Group Filter: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
Group Attribute: cn
Group DN: cn=groups,cn=accounts,dc=<your domain>,dc=<your suffix>
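As an added illustration (not part of the original note), here is a small Python evaluator that renders that group filter for a user and checks it against a constructed sample directory with one group of each common object class; it also shows why the three-way OR matters, since a filter keyed only on member would miss posixGroup memberships. The DNs, group entries and user names are hypothetical.

```python
import re

# Vault LDAP auth group filter from the note above, with its Go-template placeholders.
GROUP_FILTER = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"
# A narrower filter that only understands groupOfNames-style groups (for comparison).
MEMBER_ONLY_FILTER = "(|(member={{.UserDN}}))"

# Constructed sample directory (hypothetical DNs), one group per common object class.
BASE = "cn=accounts,dc=example,dc=test"
ALICE_DN = f"uid=alice,cn=users,{BASE}"
BOB_DN = f"uid=bob,cn=users,{BASE}"
GROUPS = {
    f"cn=sysadmins,cn=groups,{BASE}": {       # posixGroup: members listed by uid
        "objectClass": ["posixGroup"], "cn": ["sysadmins"], "memberUid": ["alice", "bob"]},
    f"cn=vault-admins,cn=groups,{BASE}": {    # groupOfNames: members listed by DN (FreeIPA style)
        "objectClass": ["groupOfNames"], "cn": ["vault-admins"], "member": [ALICE_DN]},
    f"cn=dba,cn=groups,{BASE}": {             # groupOfUniqueNames: members listed by DN
        "objectClass": ["groupOfUniqueNames"], "cn": ["dba"], "uniqueMember": [BOB_DN]},
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 rules)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def render_filter(template: str, username: str, user_dn: str) -> str:
    """Substitute the template placeholders with escaped values."""
    return (template.replace("{{.Username}}", escape_filter_value(username))
                    .replace("{{.UserDN}}", escape_filter_value(user_dn)))


def parse_or_filter(filter_str: str) -> list:
    """Parse the simple shape used here, (|(attr=value)...), into (attr, value) pairs."""
    m = re.fullmatch(r"\(\|((?:\(\w+=[^()]*\))+)\)", filter_str)
    if not m:
        raise ValueError(f"unsupported filter shape: {filter_str}")
    return re.findall(r"\((\w+)=([^()]*)\)", m.group(1))


def matching_groups(filter_str: str, groups: dict, group_attr: str = "cn") -> list:
    """Return the group_attr values of every entry satisfied by any OR clause.
    Toy evaluator: exact string compare, no schema matching rules or escape decoding."""
    clauses = parse_or_filter(filter_str)
    found = []
    for entry in groups.values():
        if any(value in entry.get(attr, []) for attr, value in clauses):
            found.extend(entry[group_attr])
    return sorted(found)


if __name__ == "__main__":
    print(matching_groups(render_filter(GROUP_FILTER, "alice", ALICE_DN), GROUPS))
    print(matching_groups(render_filter(MEMBER_ONLY_FILTER, "alice", ALICE_DN), GROUPS))
```

A real server applies each attribute's matching rule (DN and case-insensitive matching), which this toy compare does not, so treat it as a way to reason about which clause covers which group type rather than as a substitute for an ldapsearch against your directory.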

Oxidized Container via Podman

I hadn’t really dived into familiarizing myself with Podman; however, it does offer some really unique advantages over, say, Docker. Firstly, Docker requires that you run a daemon to manage your containers, whilst Podman can start individual containers at boot via systemd. This is a huge benefit, and so it looks like I’ll be moving most of my Docker containers over to Podman management. Podman is very easy to understand since, if you understand Docker, you understand Podman; the commands are even the same.

So on to Oxidized, which is a RANCID replacement (thank god). It has a great community around it, support for lots and lots of different device types, and works great with GitLab.

So the important part for me was to get the systemd unit set up for Oxidized, and here’s what that looks like:

more /etc/systemd/system/oxidized.service 
[Unit]
Description=Podman container-oxidized.service
Documentation=man:podman-generate-systemd(1)
Wants=network.target
After=network-online.target

[Service]
Restart=on-failure
ExecStart=/usr/bin/podman start oxidized
ExecStop=/usr/bin/podman stop -t 10 oxidized
ExecStopPost=/bin/rm -rf /etc/oxidized/pid
KillMode=none
Type=forking
PIDFile=/var/run/containers/storage/overlay-containers/.../userdata/conmon.pid

[Install]
WantedBy=multi-user.target

The command initially used to generate this was:

podman generate systemd --name oxidized

However, we also have to make the unit remove Oxidized’s pid file, as sometimes it is not cleaned up when the container stops; that is why

ExecStopPost=/bin/rm -rf /etc/oxidized/pid

has been added. Finally, save this file as:

/etc/systemd/system/oxidized.service

And enable/start it via systemctl:

systemctl daemon-reload
systemctl enable oxidized
systemctl start oxidized

Site Back

Well this site is back, my career took me away for a while but I’m moving back into the FOSS space a bit and so hopefully we can get this updated.

Also, it’s now running on an RPI 4B instead of a standard server, which I guess is neat, but in reality it’s just that you don’t need to burn the extra power these days, even if you want to host your own site.

Dovecot 2.0.X for CentOS 6 with SSLv3 Disabled [ POODLE ]


Dovecot 2.0.X, which ships with CentOS 6, does not have a flag to disable SSLv3 [which is now broken by POODLE]. Attached below are recompiled versions with SSLv3 disabled, along with the SRC RPM.

dovecot-2.0.9-8.el6.x86_64.rpm
dovecot-devel-2.0.9-8.el6.x86_64.rpm
dovecot-mysql-2.0.9-8.el6.x86_64.rpm
dovecot-pgsql-2.0.9-8.el6.x86_64.rpm
dovecot-pigeonhole-2.0.9-8.el6.x86_64.rpm
dovecot-2.0.9-8.el6.src.rpm

Gluster 3.4.X is a turd


If you’re on 3.3 or older, skip 3.4.X or upgrade through it: it is full of memory leaks and bugs, and 3.5.1+ is _considerably_ more stable. 3.4.4-1 has a massive memory leak that will eventually consume all available memory and crash. Avoid at all costs.

NEC-i SV8100 PBX another SIP / Asterisk Integration quirk


I’ve posted a few of these just for mental storage, as well as to make a public point that should be easily searchable when you’re racking your brain over why something doesn’t interoperate properly.

Here’s the latest:

NEC’s 8000 series PBXs that “support” SIP will fail to respond to Asterisk’s SIP 200 OK after they place an INVITE if the Asterisk User-Agent string contains parentheses or dashes (those at least).

E.g.:

sip.conf / [general]

useragent=asterisk-(11.7.0)

will cause the NEC to fail to respond correctly to the SIP 200 OK.

Instead, use something like:

useragent=11.7.0