diff --git a/Makefile b/Makefile
index c96f636..1802d49 100644
--- a/Makefile
+++ b/Makefile
@@ -31,3 +31,10 @@ age-seal:
 git restore $${f}.age 2>/dev/null && \
 age --decrypt -i ~/.ssh/git.age $$f.age | diff -q - $$f 2>/dev/null 1>&2 && \
 rm -f $$f || ( rm -f $$f.age; age --encrypt $$keys -o $$f.age $$f && rm -f $$f; ); done
+
+# Just a reference how it could work, requires root though
+scan-image:
+ modprobe nbd
+ qemu-nbd -c /dev/nbd0 --read-only alpine-cloud-images/work/images/aws/3.15.4-x86_64-bios-cloudinit-aws-kubezero/image.qcow2
+ mount /dev/nbd0 /mnt/temp/
+ trivy rootfs /mnt/temp
diff --git a/cleanup_amis.sh b/cleanup_amis.sh
index 8a4b846..29ec47b 100755
--- a/cleanup_amis.sh
+++ b/cleanup_amis.sh
@@ -1,6 +1,9 @@
 #!/bin/bash
 #set -x
+echo "Are you really sure as AMIs might be used by customers !!"
+read
+
 TAG_FILTER="Name=tag:project,Values=zdt-alpine"
 #for r in $(aws ec2 describe-regions --query "Regions[].{Name:RegionName}" --output text); do
diff --git a/overlay/zdt/configs/access.conf.age b/overlay/zdt/configs/access.conf.age
index d440442..c69a60c 100644
Binary files a/overlay/zdt/configs/access.conf.age and b/overlay/zdt/configs/access.conf.age differ
diff --git a/overlay/zdt/scripts/setup-common b/overlay/zdt/scripts/setup-common
index df83875..191a1fc 100755
--- a/overlay/zdt/scripts/setup-common
+++ b/overlay/zdt/scripts/setup-common
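Review bot: The `scan-image` recipe attaches and mounts the image but never tears it down, so a second run fails on a busy `/dev/nbd0` and the guest filesystem stays mounted at `/mnt/temp` after the scan. Even as a reference, the recipe should end with `umount /mnt/temp` and `qemu-nbd -d /dev/nbd0`, and the mount line should be `mount -o ro,nosuid,nodev,noexec /dev/nbd0 /mnt/temp/` so the scanned filesystem cannot contribute executables or setuid binaries to the host while it is mounted. The image path and device number are hard-coded; an `IMAGE ?=` variable would let the same target scan other builds.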
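Review bot: The added confirmation prompt does not gate anything: the bare `read` accepts any input, including an empty line or EOF when stdin is not a terminal, and the script then continues into the AMI cleanup below the hunk. Replace it with `read -r -p 'Type yes to continue: ' answer` followed by `[ "$answer" = "yes" ] || exit 1`, so only an explicit answer proceeds and non-interactive runs abort. The rest of the script lies outside the hunk, and the visible header shows only a commented `#set -x`, so a failed `read` would not stop the script on its own either.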
@@ -23,13 +23,20 @@ sed -i -e "s/^[\s#]*rc_cgroup_mode=.*/rc_cgroup_mode=\"unified\"/" $TARGET/etc/r
 # Setup syslog-ng json logging
 cp $SETUP/syslog-ng.conf $TARGET/etc/syslog-ng/syslog-ng.conf
 cp $SETUP/syslog-ng.logrotate.conf $TARGET/etc/logrotate.d/syslog-ng
+echo 'syslog set to json logging'
+
+# Change logrotate to run hourly rather than daily
+mv $TARGET/etc/periodic/daily/logrotate $TARGET/etc/periodic/hourly/
+echo 'Switch logrotate to run hourly rather than daily'
 # Install cloudbender shutdown hook
 cp $SETUP/cloudbender.stop $TARGET/etc/local.d
 mkdir -p $TARGET/etc/cloudbender/shutdown.d
+echo 'Installed cloudbender shutdown hook'
 # Install tools
 cp $SETUP/route53.py $TARGET/usr/local/bin
+echo 'Installed route53.py'
 # ps_mem
 #wget https://raw.githubusercontent.com/pixelb/ps_mem/master/ps_mem.py
diff --git a/overlay/zdt/scripts/setup.d/syslog-ng.conf b/overlay/zdt/scripts/setup.d/syslog-ng.conf
index 1aa6e59..51e3591 100644
--- a/overlay/zdt/scripts/setup.d/syslog-ng.conf
+++ b/overlay/zdt/scripts/setup.d/syslog-ng.conf
@@ -13,4 +13,10 @@ source s_sys { system(); internal();};
 destination d_mesg { file("/var/log/messages" template("$(format-json time=\"$UNIXTIME\" facility=\"$FACILITY\" host=\"$LOGHOST\" ident=\"$PROGRAM\" pid=\"$PID\" level=\"$PRIORITY\" message=\"$MESSAGE\")\n")); };
-log { source(s_sys); destination(d_mesg); };
+# filter ipvs loggging each SYN to closed port
+# IPVS: rr: TCP 10.52.82.199:31021 - no destination available
+filter f_drop_ipvs { not (facility(kern) and match("IPVS: rr:.*no destination available" value("MESSAGE"))); };
+# "message":"net_ratelimit: 16 callbacks suppressed"
+filter f_drop_ipvs_ratelimit { not (facility(kern) and match("net_ratelimit:.*callbacks suppressed" value("MESSAGE"))); };
+
+log { source(s_sys); filter(f_drop_ipvs); filter(f_drop_ipvs_ratelimit); destination(d_mesg); };
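Review bot: The new `mv` of `$TARGET/etc/periodic/daily/logrotate` to `hourly/` has no failure handling, and the `echo 'Switch logrotate ...'` right after it reports success whether or not the move happened; the other three added echo lines likewise announce actions whose `cp`/`mkdir` results are never checked. Whether `set -e` is active cannot be seen from this hunk, since the script's header is outside it; if it is not, change the line to `mv "$TARGET/etc/periodic/daily/logrotate" "$TARGET/etc/periodic/hourly/" || exit 1` so a missing cron entry fails the build instead of silently leaving daily rotation in place while the companion logrotate config in this commit drops its `daily` directive. Quoting `$TARGET` also keeps the path intact if it ever contains whitespace.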
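Review bot: `f_drop_ipvs_ratelimit` is broader than its name and comment suggest: `net_ratelimit:.*callbacks suppressed` matches every kernel rate-limit notice, not only those triggered by the IPVS messages, so suppression notices from other rate-limited kernel network messages are discarded too, and with them the only indication that kernel log lines were lost. Since the suppressed-callbacks message carries no IPVS marker the filter cannot be scoped further; either document that with a comment such as `# NOTE: drops ALL kernel "callbacks suppressed" notices, not just IPVS-related ones; log-loss indicators from other rate-limited kernel sources are lost too`, or drop the second filter and keep only `f_drop_ipvs`. `f_drop_ipvs` itself pins the scheduler name `rr`, so a service using another IPVS scheduler would not be matched, which is worth stating in its comment. The first comment also has a typo, `loggging`.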
diff --git a/overlay/zdt/scripts/setup.d/syslog-ng.logrotate.conf b/overlay/zdt/scripts/setup.d/syslog-ng.logrotate.conf
index cd481e7..0c4aecc 100644
--- a/overlay/zdt/scripts/setup.d/syslog-ng.logrotate.conf
+++ b/overlay/zdt/scripts/setup.d/syslog-ng.logrotate.conf
@@ -1,13 +1,13 @@
 /var/log/messages {
+ nodateext
 rotate 2
 missingok
 notifempty
 compress
 maxsize 64M
- daily
 sharedscripts
 postrotate
- invoke-rc.d syslog-ng reload > /dev/null
+ rc-service syslog-ng reload > /dev/null
 endscript
 }
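Review bot: With `daily` removed, retention of `/var/log/messages` now depends only on how often the hourly cron invokes logrotate and on `rotate 2`; if logrotate rotates on every run when no interval directive is present (verify against the logrotate version shipped in the image), only about two to three hours of system log survive, which is very little for incident investigation. Either raise the count, e.g. `rotate 48`, or add a comment such as `# rotated hourly via /etc/periodic/hourly/logrotate; retention = rotate x 1h` so the intended retention window is visible next to the setting. This hunk is coupled to the `mv` of the logrotate cron entry in `setup-common` in the same commit; if that move does not happen the file is still rotated daily, now with no `daily` directive to say so.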