Month: November 2021

Synology Volume Low Capacity Notification

Synology Volume Low Capacity Notification

DSM 6

In DSM 6, notification can only set as global value

  • Control Panel => Notifications => Advanced => Internal Storage

  • Click on Low Capacity of Volume, then define the Warning and Critical space thresholds.

DSM 7

In DSM 7, notification can be defined at individual volume level.

  • Storage Manager
  • Click the three dots at the top right corner of the desired volume
  • Select Settings
  • Scroll down to Low Capacity Notification and set thresholds

References

Adjusting Alert Thresholds

NextCloud missing .ocdata error

NextCloud missing .ocdata error

After run NextCloudPi many days, got following message

Your data directory is invalid
Ensure there is a file called ".ocdata" in the root of the data directory.

Fix

Go to nextcloud/data, create an empty file

cd nexcloud/data
touch .ocdata

But I don't know why it was missing.

References

Nextcloud problem: missing .ocdata file [solution]

Operation Model using Hashicorp Vault

Operational Model using Hashicorp Vault

Steps

Preprepation

This is to create an operational task to pass it to operator. For example, SSH to host.

  • Vault Admin creates AppRole (role_id), pass role_id to Operator as operational task reference id

  • Vault Admin creates Admin Token (admin_token), pass it to App Token Admin

Now, Operator has a operational task reference id, role_id.

Change request

  • Task Requester submit request to Operator

  • Operator submit the request to App Token Admin

  • App Token Admin uses Admin Token against AppRole to create Secret ID (secret_id), pass it to Operator

  • Operator use role_id and secret_id login to retrieve App token, and retrieve credential, such as signed public key in SSH case

  • Operator pass credential to Task Performer

  • Then complete change task.

Roles

  • Vault Admin - can access vault to generate root token
  • App Token Admin - manage App operations
  • Operator - manage and issue AppRole credentials
  • Task Requester - Change requester
  • Task Performer - Change implemenator

Token or Keys

Root Token - Manage Vault
App Token - Manage App, for example, SSH App as whole
Role ID - Identify AppRole, for example, Project or Host
Secret ID - Retrieve Task Token
Task Token - Retrieve credential

Root Token should be revoken after used
App Token should be securely managed
Secret ID and Task Token should have short life

Other consideration

Secret ID and Task Token should be held by operator or task performer, this can be decided by how AppRole managed. If AppRole cannot restrict the task to be performed, then only can pass credential to task performer.

In order to identify the host, the Host Key Signing mentioned in following page should be considered.

Signed SSH Certificates

Cons

There is no clear info on the machines managed.

References

Admin Token for AppRole in Hashicorp Vault

Enable SSL for Hashicorp Vault

Enable SSL for Hashicorp Vault

Update configuration

vault.json

cat vault.json
{
  "backend": {
    "file": {
      "path": "/vault/file"
    }
  },
  "listener": {
    "tcp":{
      "address": "0.0.0.0:8200",
      "tls_enable": 1,
      "tls_cert_file": "/vault/config/cert.pem",
      "tls_key_file": "/vault/config/privkey.pem"
    }
  },
  "ui": true
}

Copy certificate files

Copy into /vault/config folder

Restart vault container

Unseal

References

Hashicorp - SSL/TLS Question #212

Admin Token for AppRole in Hashicorp Vault

Admin Token for AppRole in Hashicorp Vault

As suggested, root token should not be used, and it should be revoked immediately after used.

Root token

Follow the steps in page below to create a new root token and revoke it after used.

Generate a new root token for Hashicorp Vault

Admin token

For example, SSH secret engine, following admin policy can be created

vault policy write ssh-admin-policy - << EOF
# SSH secret engine
path "ssh-client-signer/sign/*" {
  capabilities = ["create", "read", "update", "delete", "sudo", "list" ]
}

# Mount the AppRole auth method
path "sys/auth/approle" {
  capabilities = [ "create", "read", "update", "delete", "sudo" ]
}

# Configure the AppRole auth method
path "sys/auth/approle/*" {
  capabilities = [ "create", "read", "update", "delete" ]
}

# Create and manage roles
path "auth/approle/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Write ACL policies
path "sys/policies/acl/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

##### Add other requirement if required. For example
# Write test data
# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
path "secret/mysql/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
EOF

Then create token under this policy

vault token create -field token -policy=ssh-admin-policy

The using this token follow the steps in page below:

Signed SSH Certificates using Hashicorp Vault in Practice

  • Generate role_id and secret_id
  • Login using role_id and secret_id
  • Generate SSH policy token
  • Use SSH policy token to generate signed public key
  • Use the signed public key and private key to login to remote system

Renew token itself

To get renew token before expired, run following command

vault token renew

The expire time can be view using following command

vault token lookup

References

Tokens
AppRole Pull Authentication

Macbook Pro unable to reinstall from Time Machine

Macbook Pro unable to reinstall from Time Machine

The reinstallation was hung with following message:

Preparing to restore "Machintosh HD"...

After a few hours, still the same. Hard reboot later found that no modification in old OS, even requested erasing the disk.

Actions taken

Formatted disk before retry, got same issue.

Possible issue

The possible issue could be that the Mac can not reach Time Machine backup, because there is no blinking of the backup USB disk.

Solution

Install fresh OS, then start performing OS transfer from Time Machine backup.

Generate a new root token for Hashicorp Vault

Generate a new root token for Hashicorp Vault

To generate a new root token without old token.

Steps

  • run shell in vault docker
$ docker exec -it vault sh
  • Unseal if haven't
$ vault operator unseal
  • Get Nonce and OTP
$ vault operator generate-root -init
Nonce         15565c79-cc9e-5e64b986-8506e7bd1918
...
OTP           mOXx7iVimjE6LXQ2Zna6NA==
...
  • Provide unseal key to retrieve Encoded Token

Note: Beware of last -.

echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -

Note: run vault operator generate-root only, will show nonce key.

The last person will get Encoded Token

Encoded Token    IxJpyqxn3YafOGhqhvP6cQ==
  • Get root token
vault operator generate-root \  -decode=IxJpyqxn3YafOGhqhvP6cQ== \  -otp=mOXx7iVimjE6LXQ2Zna6NA==

Revoke token

Note: The root token can be used to revoke itself.

Revoke a token and all the token's children:

$ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017Success! Revoked token (if it existed)

Revoke a token leaving the token's children:

$ vault token revoke -mode=orphan 96ddf4bc-d217-f3ba-f9bd-017055595017Success! Revoked token (if it existed)

Revoke a token by accessor:

$ vault token revoke -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248daSuccess! Revoked token (if it existed)

References

Generate Root Tokens Using Unseal Keys
token revoke