A Global Marketplace connecting Engineers and Businesses
by kaitlyn.kristy9494@gmail.com
A Cisco Certified Network Professional executes and configures EIGRP-based solutions. Certified professionals must develop multi-area OSPF networks and configure OSPF routing as well. It is further the responsibility of Certified Professionals to develop eBGP-based solutions and perform routing configuration.
Professionals must know how to set up an IPv6-based solution, and they must record all the results of their implementation. Certified Professionals are responsible for IPv4 and IPv6 redistribution solutions as well. They further must design and develop Layer 3 Path Control Solutions and broadband connections. Certified professionals must also have a strong understanding of what resources are required, and they must implement VLAN-based solutions.
Read More: https://www.fieldengineer.com/skills/cisco-certified-network-professional
5 years, 1 month
Site & Process Automation Engineer
by ashaikfe@gmail.com
A site and Process Automation Engineer is somebody who helps organizations automate their production processes. The role of a site and Process Automation Engineer includes both installing, testing, troubleshooting, and maintaining automation systems.
Many firms in the IT and telecom sector need people with the skills to help them automate repetitive tasks or tasks that require a high level of precision. Site and process automation engineers focus on reducing the labor required to perform operational activities in these industries, helping firms to cut costs.
Read More: https://www.fieldengineer.com/skills/site-process-automation-engineer-eri...
5 years, 1 month
feasible to upgrade podman on CentOS 8 to current version?
by Robert P. J. Day
i just upgraded a CentOS box to CentOS 8, and i can see that the
version of podman is (unsurprisingly) a bit dated:
$ podman --version
podman version 1.0.2-dev
compared to my fedora 30 system:
$ podman --version
podman version 1.6.1
is it feasible to try to download and build from source to get the
latest version on my CentOS system, or would that just be more trouble
than it's worth?
rday
--
========================================================================
Robert P. J. Day Ottawa, Ontario, CANADA
http://crashcourse.ca
Twitter: http://twitter.com/rpjday
LinkedIn: http://ca.linkedin.com/in/rpjday
========================================================================
5 years, 1 month
Firewalling services provided by containers
by Alexander E. Patrakov
Hello.
I have tried Podman in Fedora 31. Not a rootless setup.
Software versions:
podman-1.6.2-2.fc31.x86_64
containernetworking-plugins-0.8.2-2.1.dev.git485be65.fc31.x86_64
IP and netmask of the Fedora machine in my network: 192.168.5.130/24.
Podman creates, on the start of the first container, its default
cni-podman0 bridge with IP and netmask 10.88.0.1/16.
I wanted to play through a situation when we are migrating from a
service (let's say, 9999/tcp) formerly provided by some software
installed directly on the host to the same service provided by the
same software, but in a podman container. And this software needs to
be firewalled: there is a whitelist of IP addresses (let's say
192.158.5.30 and 192.168.5.44) that have the privilege to talk to
192.168.5.130:9999.
With the old, non-containerized setup, implementing this kind of
whitelist is trivial. Add a new firewalld zone, add thenecessary ports
and whitelisted client IPs to it, set the target to REJECT or DROP,
done. However, once I switch to a containerized service, the firewall
becomes ineffective, because the packets hit the FORWARD chain, not
INPUT. I could not find a good solution that works in terms of the
exposed port (i.e. 9999, even if inside the container a different port
is used). I could either add iptables rules (yuck... firewalld exists
for a reason) to "raw" or "mangle" tables (but then I cannot reject),
or do something in the "filter" table with "-p tcp -m tcp -m conntrack
--ctorigdstport 9999" (that's better).
I think that firewald could see some improvement here. In order to
apply a whitelist of hosts that can connect, I should not need to care
whether the service is provided by something running on the host, or
by a container.
OK, another crazy idea: is it possible to use slirp4netns instead of
the default bridge for root-owned containers, just to avoid these
INPUT-vs-FORWARD firewall troubles?
--
Alexander E. Patrakov
5 years, 1 month
Trying to run podman within a locked down podman.
by Daniel Walsh
# cat ~/Dockerfile.podman
FROM podman/stable
RUN useradd podman
# podman run -ti --security-opt seccomp=/tmp/seccomp.json --user podman
--rm podman podman unshare cat /etc/subuid
ERRO[0000] unable to write system event: "write unixgram
@000ea->/run/systemd/journal/socket: sendmsg: no such file or directory"
podman:100000:65536
# podman run -ti --security-opt seccomp=unconfined --user podman --rm
podman podman unshare cat /proc/self/uid_map
ERRO[0000] unable to write system event: "write unixgram
@000df->/run/systemd/journal/socket: sendmsg: no such file or directory"
0 1000 1
# podman run -ti --security-opt seccomp=/tmp/seccomp.json --user podman
--rm podman podman unshare cat /proc/self/uid_map
ERRO[0000] unable to write system event: "write unixgram
@000e6->/run/systemd/journal/socket: sendmsg: no such file or directory"
0 1000 1
Running with Debug shows
DEBU[0000] error from newuidmap: newuidmap: write to uid_map failed:
Operation not permitted
WARN[0000] using rootless single mapping into the namespace. This might
break some images. Check /etc/subuid and /etc/subgid for adding subids
User Namespace does not seem to be working unless I add "clone" syscall,
and SETUID, SETGID
# podman run -ti --cap-add SETUID,SETGID --security-opt
seccomp=/tmp/seccomp.json --user podman --rm podman podman unshare cat
/proc/self/uid_map
ERRO[0000] unable to write system event: "write unixgram
@00103->/run/systemd/journal/socket: sendmsg: no such file or directory"
0 1000 1
1 100000 65536
```Need these SELinux Rules:
allow container_t nsfs_t:file read;
allow container_t proc_t:filesystem mount;
allow container_t tmpfs_t:filesystem { mount unmount };
```
I am getting close with this:
diff /usr/share/containers/seccomp.json /tmp/seccomp.json
367c367,370
< "unshare"
---
> "unshare",
> "clone",
> "keyctl",
> "pivot_root"
# podman run -ti --privileged --cap-add SETUID,SETGID --security-opt
seccomp=/tmp/seccomp.json --user podman --rm podman podman run
--net=host --cgroup-manager cgroupfs alpine echo hello
ERRO[0000] unable to write system event: "write unixgram
@0016a->/run/systemd/journal/socket: sendmsg: no such file or directory"
Trying to pull docker.io/library/alpine...
Getting image source signatures
Copying blob 89d9c30c1d48 done
Copying config 965ea09ff2 done
Writing manifest to image destination
Storing signatures
ERRO[0004] unable to write pod event: "write unixgram
@0016a->/run/systemd/journal/socket: sendmsg: no such file or directory"
Error: cannot configure rootless cgroup using the cgroupfs manager
executable file not found in $PATH: No such file or directory: OCI
runtime command not found error
5 years, 1 month