From 4e997b7688f6511429401f7ed4ee88a1387162c5 Mon Sep 17 00:00:00 2001
From: Stefan Reimer <stefan@zero-downtime.net>
Date: Mon, 23 May 2022 16:12:09 +0200
Subject: [PATCH] fix: syslog-ng logrotate, add filter for kube, update
 access.conf

---
 Makefile                                        |   7 +++++++
 cleanup_amis.sh                                 |   3 +++
 overlay/zdt/configs/access.conf.age             | Bin 650 -> 602 bytes
 overlay/zdt/scripts/setup-common                |   7 +++++++
 overlay/zdt/scripts/setup.d/syslog-ng.conf      |   8 +++++++-
 .../scripts/setup.d/syslog-ng.logrotate.conf    |   4 ++--
 6 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index c96f636..1802d49 100644
--- a/Makefile
+++ b/Makefile
@@ -31,3 +31,10 @@ age-seal:
 		git restore $${f}.age 2>/dev/null && \
 		age --decrypt -i ~/.ssh/git.age $$f.age | diff -q - $$f 2>/dev/null 1>&2 && \
 		rm -f $$f || ( rm -f $$f.age; age --encrypt $$keys -o $$f.age $$f && rm -f $$f; ); done
+
+# Just a reference how it could work, requires root though
+scan-image:
+	modprobe nbd
+	qemu-nbd -c /dev/nbd0 --read-only alpine-cloud-images/work/images/aws/3.15.4-x86_64-bios-cloudinit-aws-kubezero/image.qcow2
+	mount /dev/nbd0 /mnt/temp/
+	trivy rootfs /mnt/temp
diff --git a/cleanup_amis.sh b/cleanup_amis.sh
index 8a4b846..29ec47b 100755
--- a/cleanup_amis.sh
+++ b/cleanup_amis.sh
@@ -1,6 +1,9 @@
 #!/bin/bash
 #set -x
 
+echo "Are you really sure as AMIs might be used by customers !!"
+read
+
 TAG_FILTER="Name=tag:project,Values=zdt-alpine"
 
 #for r in $(aws ec2 describe-regions --query "Regions[].{Name:RegionName}" --output text); do
diff --git a/overlay/zdt/configs/access.conf.age b/overlay/zdt/configs/access.conf.age
index d440442abb1fdd0e81a3287a8c2f94eeccaca6f6..c69a60c9ca9d78ec63e4ce7e8b1df3a2cbfa2807 100644
GIT binary patch
delta 581
zcmV-L0=oT*1=<9VAb)gBdQUlXYczN?a9DOza7-~PN^DhGLqlwGO>RR(Z&xsJS~NpR
zOGr0FZwg0vc~n(KIdf7^P<2;oXlzeOO)q#zGEinOW_MD0L{~Xkad|RLSaLW<YYHtb
zEg)n$a&JOtP%C72Z)itnSY$ReayDmWR$^FZaBXFGQ!-&tHGeB^NOe_OF*pit4xhTI
z(Si9O&2;ON8*%z054bJ+6llV8;w~mXl${9C)fOSj94{pQne~^nZzgQNV69Qsp-fmt
z7pe@7cp2Gx`<OSvOfFJa%&zUl;xl^CZ@9ak76mScUHU7=sTuK&Ny5;ev`4z;CrYcB
zovc(Tmx9>2U4O=}eK7No5CKXpKice;Ol}s}o^0Mc8}gG57{rV}wl*(I{D8!PLOUW9
zeE}a!ibfUQ@!kHezIT+X5|$3Q<jr8k4tPEMOHWjWNKE_=W)T}f9gt8&LYOI>0s>Eu
zL;C5-_RTP@^5Y#w?GnQuPj+vQ%WEZ7lW24sNgck1Gk^DnU@+W;AueW?h2(jqOhgib
z7XWcJFZ_6II6l;ce#>;9WgojS(ceYyEAA(d+@+GJ4<MSjFR^gXA+bCKNby2Dt$}{P
z!<Nv^)EYXvjebQbYiv?8y9_+gW#k+!{o?EuozadB``Y5pFKckeMZYK{!wUxCZc)Rj
ze5r}ULO%NBs}a-HO+XjY?d``b6)+B`*O_qOq?VZzW8_G&i~YP%u$v!5O2BW){C$$x
TSz{K{2AC<<_9aoRg2#T2GK&T4

delta 629
zcmV-*0*d|G1d0WaAb(VEM>8vBbwY4;R5Nu%b!ALePER;DR5U?hcuho7NKG?xZ8CL8
zMPz0%X9{sva8qPSHa9{;FnC!xQDHZ7LqSA#FGyl)T4H%YR7Z6|S9fG&cUnVNI0`K-
zEg)q=RA)&|X;@26Z#g$nY)VgbV`OD?VNGpDSZy*?YDjKpIDc+ZW^q<yPE`tj6><?O
z&Q1s?(25Jb^!MS83iW$)Gm>;4$9d|sp1gtZhWU)O2@;K{#O_VfvW^Q|K9_p>y^m6n
zlPWICg&;6h=80S`@js6fnT(WRBHOt`mJj59Ih+0bh%#YmESYkzd2vVTd)C#_9X!J9
z*?@KqaoTtJPk-_pL<>&dR-;^?Dfeny61cLE>D8K{%SiaLJ89qP3Kg_nVUL1%F7v11
z20q+F*#^q=0<k8s2uvzqBz%CIJvv{4<N-j^+S~_Ew^M`53tRp;mV4(U7NK{lSKxW#
z9rfW=nDz}oTLpaOGE{P+-BmS#0()6}u#njs^eR6q?|=7325$Xg!9pjV!!)I)XxZV6
z4cI8Pv0T0jvDfcKSHYRr!iH*h{(cw^4S~gCk;l6biYynb=7u6$zc!Eu2g%<mgkr)*
zQK%K{<wM#GlY(V+^$6oR&npEffk>6;d0CJFuWP6s$Y=7BfD+Mtm_6M+JT~4R)ri1U
zyK)Rqg>L)F=)Y*!p%5opV9<q3PT`q^PuT|A<lL~?ZWPeB!z@j0zo&s$n-iML(<otv
zc){X9?B4V#^3iodVT~9kDGsCmfGHs#3jvx7CAT?pHUJJeDX6)BPiPUmRVZ3L&BRD;
PSdImy*Uq5%7$UC5k#8P!

diff --git a/overlay/zdt/scripts/setup-common b/overlay/zdt/scripts/setup-common
index df83875..191a1fc 100755
--- a/overlay/zdt/scripts/setup-common
+++ b/overlay/zdt/scripts/setup-common
@@ -23,13 +23,20 @@ sed -i -e "s/^[\s#]*rc_cgroup_mode=.*/rc_cgroup_mode=\"unified\"/" $TARGET/etc/r
 # Setup syslog-ng json logging
 cp $SETUP/syslog-ng.conf $TARGET/etc/syslog-ng/syslog-ng.conf
 cp $SETUP/syslog-ng.logrotate.conf $TARGET/etc/logrotate.d/syslog-ng
+echo 'syslog set to json logging'
+
+# Change logrotate to run hourly rather than daily
+mv $TARGET/etc/periodic/daily/logrotate $TARGET/etc/periodic/hourly/
+echo 'Switch logrotate to run hourly rather than daily'
 
 # Install cloudbender shutdown hook
 cp $SETUP/cloudbender.stop  $TARGET/etc/local.d
 mkdir -p $TARGET/etc/cloudbender/shutdown.d
+echo 'Installed cloudbender shutdown hook'
 
 # Install tools
 cp $SETUP/route53.py  $TARGET/usr/local/bin
+echo 'Installed route53.py'
 
 # ps_mem
 #wget https://raw.githubusercontent.com/pixelb/ps_mem/master/ps_mem.py
diff --git a/overlay/zdt/scripts/setup.d/syslog-ng.conf b/overlay/zdt/scripts/setup.d/syslog-ng.conf
index 1aa6e59..51e3591 100644
--- a/overlay/zdt/scripts/setup.d/syslog-ng.conf
+++ b/overlay/zdt/scripts/setup.d/syslog-ng.conf
@@ -13,4 +13,10 @@ source s_sys { system(); internal();};
 
 destination d_mesg { file("/var/log/messages" template("$(format-json time=\"$UNIXTIME\" facility=\"$FACILITY\" host=\"$LOGHOST\" ident=\"$PROGRAM\" pid=\"$PID\" level=\"$PRIORITY\" message=\"$MESSAGE\")\n")); };
 
-log { source(s_sys); destination(d_mesg); };
+# filter ipvs loggging each SYN to closed port
+# IPVS: rr: TCP 10.52.82.199:31021 - no destination available
+filter f_drop_ipvs { not (facility(kern) and match("IPVS: rr:.*no destination available" value("MESSAGE"))); };
+# "message":"net_ratelimit: 16 callbacks suppressed"
+filter f_drop_ipvs_ratelimit { not (facility(kern) and match("net_ratelimit:.*callbacks suppressed" value("MESSAGE"))); };
+
+log { source(s_sys); filter(f_drop_ipvs); filter(f_drop_ipvs_ratelimit); destination(d_mesg); };
diff --git a/overlay/zdt/scripts/setup.d/syslog-ng.logrotate.conf b/overlay/zdt/scripts/setup.d/syslog-ng.logrotate.conf
index cd481e7..0c4aecc 100644
--- a/overlay/zdt/scripts/setup.d/syslog-ng.logrotate.conf
+++ b/overlay/zdt/scripts/setup.d/syslog-ng.logrotate.conf
@@ -1,13 +1,13 @@
 /var/log/messages
 {
+    nodateext
     rotate 2
     missingok
     notifempty
     compress
     maxsize 64M
-    daily
     sharedscripts
     postrotate
-      invoke-rc.d syslog-ng reload > /dev/null
+      rc-service syslog-ng reload > /dev/null
     endscript
 }