Day: November 30, 2021

Synology Volume Low Capacity Notification

DSM 6

In DSM 6, the notification can only be set as a global value.

  • Control Panel => Notifications => Advanced => Internal Storage

  • Click on Low Capacity of Volume, then define the Warning and Critical space thresholds.

DSM 7

In DSM 7, the notification can be defined at the individual volume level.

  • Storage Manager
  • Click the three dots at the top right corner of the desired volume
  • Select Settings
  • Scroll down to Low Capacity Notification and set thresholds

NextCloud missing .ocdata error

After running NextCloudPi for many days, I got the following message:

Your data directory is invalid
Ensure there is a file called ".ocdata" in the root of the data directory.

Fix

Go to nextcloud/data and create an empty file:

cd nextcloud/data
touch .ocdata

But I don't know why it was missing.

Operational Model using HashiCorp Vault

Steps

Preparation

This step creates an operational task to pass to the Operator, for example, SSH to a host.

  • Vault Admin creates an AppRole (role_id) and passes the role_id to the Operator as the operational task reference ID

  • Vault Admin creates an Admin Token (admin_token) and passes it to the App Token Admin

Now the Operator has an operational task reference ID, the role_id.

Change request

  • Task Requester submits a request to the Operator

  • Operator submits the request to the App Token Admin

  • App Token Admin uses the Admin Token against the AppRole to create a Secret ID (secret_id) and passes it to the Operator

  • Operator uses the role_id and secret_id to log in and retrieve the App token, then retrieves the credential, such as a signed public key in the SSH case

  • Operator passes the credential to the Task Performer

  • Task Performer then completes the change task.

Roles

  • Vault Admin - can access Vault to generate the root token
  • App Token Admin - manages App operations
  • Operator - manages and issues AppRole credentials
  • Task Requester - change requester
  • Task Performer - change implementer

Token or Keys

Root Token - Manage Vault
App Token - Manage App, for example, SSH App as whole
Role ID - Identify AppRole, for example, Project or Host
Secret ID - Retrieve Task Token
Task Token - Retrieve credential

Root Token should be revoked after use
App Token should be securely managed
Secret ID and Task Token should have a short lifetime
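
The two least-privilege Vault policies this flow implies, shown together as an added example that is not from the original post. The AppRole name ssh-task, the SSH CA mount ssh-client-signer, the policy names and the TTL values are assumptions, and AppRole is assumed to be enabled at its default path auth/approle.

```hcl
# Added example. ssh-task, ssh-client-signer and the policy names are
# assumptions, not values from the original post.

# Policy "secret-id-issuer" (separate policy document):
# attached to the Admin Token held by the App Token Admin.
# It can only generate Secret IDs for one AppRole. It grants no read on
# the role_id and no change to the role definition.
path "auth/approle/role/ssh-task/secret-id" {
  capabilities = ["update"]
}

# Policy "ssh-task-sign" (separate policy document):
# attached to the AppRole, so it is carried by the token the Operator
# receives from auth/approle/login with role_id + secret_id.
# It can request a signature under one SSH signing role only.
path "ssh-client-signer/sign/ssh-task" {
  capabilities = ["update"]
}

# Neither policy grants sys/*, auth/token/create or any other AppRole,
# so a leaked Admin Token or Task Token is confined to this one AppRole.
#
# Lifetimes are AppRole role parameters, set by the Vault Admin when the
# role is created, not policy statements (values below are constructed):
#   secret_id_ttl      = "10m"   # Secret ID expires quickly
#   secret_id_num_uses = 1       # one login per Secret ID
#   token_ttl          = "15m"   # short-lived Task Token
#   token_policies     = ["ssh-task-sign"]
```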

Other consideration

The Secret ID and Task Token should be held by either the Operator or the Task Performer; which one depends on how the AppRole is managed. If the AppRole cannot restrict the task to be performed, then only the credential can be passed to the Task Performer.

In order to identify the host, the Host Key Signing mentioned in the following page should be considered.

Signed SSH Certificates

Cons

There is no clear information on which machines are managed.
