I attempted to use Certbot by Let’s Encrypt to get a free SSL certificate for my subdomain using a Docker container, but it was never successful, so I left it alone for a while. The DNS service that I use provides SSL certs, but it charges me extra for subdomains. There are other services such as SSL for Free, but they either limit the number of certificates, charge for subdomains, or want me to pay like $10 per month for a wildcard certificate. That’s pretty steep considering the host is being used only privately. The alternative is to create your own private CA, issue the SSL cert yourself, and have the root CA cert on the machines from which you use the hosts.
But this morning, I figured out a way to generate the free SSL cert for my subdomain using Certbot. I will write about what worked for me.
I wrote an article on creating a Jenkins slave on Linux. The method was to just create a bash script file that has to be executed by hand. It wouldn’t survive a restart of the host, so what I need to do is make the script a daemon (service).
Here is what I did before configuring the daemon.
Provision an Ubuntu host on Azure (it doesn’t matter where you provision the host as long as your Jenkins master is on the public Internet and secured).
Update the system. (sudo apt update && sudo apt upgrade)
Open port 50000 (inbound and outbound) to the host. I am opening all protocols.
Creating a Daemon
We will create a script in the home directory first. To contain everything for the Jenkins slave, I am creating the /home/azureuser/jenkins-slave directory. You can create jenkins-slave, or whatever directory name you like, anywhere.
Then create slave.sh in the /home/azureuser/jenkins-slave directory with the following content. Change the URL and the secret according to the Jenkins node you have created on the Jenkins master. Make the script executable by executing chmod +x slave.sh.
Also make sure you download agent.jar from the Jenkins master to the /home/azureuser/jenkins-slave directory. Also use openssl and keytool to trust the SSL cert. You can refer to the previous blog article on how to use keytool.
Now create the /etc/systemd/system/jenkins-slave.service file with the following content.
sudo vim /etc/systemd/system/jenkins-slave.service
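An added example, not the post's own files: a shell helper that renders a unit for running slave.sh as an unprivileged user, plus a check that slave.sh, which holds the node secret, is not readable by other users (chmod +x alone leaves it world-readable). The function names and the NoNewPrivileges and PrivateTmp hardening lines are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post).

# render_unit <user> <dir>: print a systemd unit that runs <dir>/slave.sh
render_unit() {
    user=$1 dir=$2
    cat <<EOF
[Unit]
Description=Jenkins agent (connects out to the Jenkins master)
Wants=network-online.target
After=network-online.target

[Service]
# Run as the unprivileged account that owns the agent directory, not root
User=$user
WorkingDirectory=$dir
ExecStart=$dir/slave.sh
Restart=always
RestartSec=10
# Assumed hardening; drop NoNewPrivileges if build jobs must call sudo
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
}

# check_script_perms <dir>: fail if group or other can access slave.sh,
# because the script contains the agent secret in plain text.
check_script_perms() {
    mode=$(stat -c '%a' "$1/slave.sh") || return 2
    case $mode in
        *00) return 0 ;;
        *) echo "slave.sh mode is $mode; run: chmod 700 $1/slave.sh" >&2
           return 1 ;;
    esac
}

# Print the unit for the directory used in this post. To install it:
#   render_unit azureuser /home/azureuser/jenkins-slave |
#       sudo tee /etc/systemd/system/jenkins-slave.service
#   sudo systemctl daemon-reload && sudo systemctl enable --now jenkins-slave
render_unit azureuser /home/azureuser/jenkins-slave
```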
Most of the articles I find on creating a permanent Jenkins slave on Linux require the slave node to be exposed to the public Internet. I want the Linux slave to be pinging the Jenkins master just like a Windows service. Here is the way I came up with.
Java (sudo dnf install java-11-openjdk.x86_64)
Check if the Java has been installed. (java -version) Result:
openjdk version "11.0.12" 2021-07-20 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.12+7-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.12+7-LTS, mixed mode, sharing)
Add a Permanent Node
Log in to the Jenkins master and click Manage Jenkins -> Manage Nodes and Clouds. Click New Node. Then give the node a name (like linux-node), select Permanent Agent and click OK.
Then click the Save button. If you navigate to the node that you just created, you should see something like…
I am trying to configure Oracle Linux 8 on my spare laptop. I need to install JetBrains products on it. I tried to install JetBrains Toolbox but it wouldn’t work. It’s packaged as an AppImage file, so it should be pretty easy, but when I execute it, a blank white window shows up and disappears.
So I looked for an alternative way to install JetBrains products. I installed snapd on it with the following command.
sudo dnf install snapd
Then, I searched for the JetBrains products like the following.
snap search jetbrains
Name Version Publisher Notes Summary
pycharm-community 2021.2.2 jetbrains✓ classic PyCharm Community Edition
phpstorm 2021.2.3 jetbrains✓ classic PhpStorm
pycharm-professional 2021.2.2 jetbrains✓ classic PyCharm Professional Edition
intellij-idea-community 2021.2.3 jetbrains✓ classic Capable & Ergonomic Java IDE
intellij-idea-ultimate 2021.2.3 jetbrains✓ classic Capable & Ergonomic Java IDE for Enterprise, Web & Mobile Development
webstorm 2021.2.2 jetbrains✓ classic WebStorm
datagrip 2021.2.4 jetbrains✓ classic DataGrip
clion 2021.2.3 jetbrains✓ classic A cross-platform IDE for C and C++
pycharm-educational 2021.2.2 jetbrains✓ classic Easy and Professional Tool to Learn & Teach Programming with Python
rubymine 2021.2.3 jetbrains✓ classic The Most Intelligent Ruby and Rails IDE
space 2021.2.0 jetbrains✓ - Desktop Application for JetBrains Space
rider 2021.2.2 jetbrains✓ classic A fast & powerful cross-platform .NET IDE
goland 2021.2.3 jetbrains✓ classic GoLand
intellij-idea-educational 2021.2.2 jetbrains✓ classic IntelliJ IDEA Educational Edition
kotlin 1.5.31 jetbrains✓ classic Command line Kotlin compiler
The first application I want to install is PyCharm, so I ran the following command to install it.
snap install pycharm-professional
If you search pycharm in your GNOME UI, you will be able to start to use it.
I still would like to use JetBrains’ Toolbox so I posted my question in their support forum to resolve
Before I posted it, I did a fair bit of research. Toolbox is packaged as AppImage, so you can check the command options like the following.
I learned that you can even extract files from the image like the following.
I did some digging into the extracted files but I could not find a solution for it. Oh well, I can use JetBrains’ products anyway, so I’m happy for now.
nmap is a very useful tool to check the open ports. Yeah, bad guys could use it too but you want to make sure the host you have exposed to the Internet has the minimal number of ports open. When I scan my own host that hosts this blog site like nmap hayato-iriumi.net, I get the following output.
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-23 18:27 PDT
Nmap scan report for hayato-iriumi.net (184.108.40.206)
Host is up (0.097s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
I have the 4 ports open intentionally for my own management of my site. This makes me think what I should actually do down the road. I should close 22 and use a bastion to SSH into the host for management.
8080 is open for another management reason. Obviously, 80 is open for HTTP connection which redirects traffic to 443 (SSL, HTTPS). If you do nmap google.com, you can see port 80 and 443 are open to public as well.
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-23 18:28 PDT
Nmap scan report for google.com (220.127.116.11)
Host is up (0.026s latency).
Other addresses for google.com (not scanned): 2607:f8b0:400a:805::200e
rDNS record for 18.104.22.168: sea30s08-in-f14.1e100.net
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Here is the first paragraph of the nmap man page. It tells you what it’s supposed to do.
Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
The man page for nmap is pretty big, so there must be a lot we can do with this tool.
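As an added example (not from the original post), the port table that nmap prints can be checked against the list of ports you mean to expose, so an unexpected listener stands out. The function names and the allowlists are assumptions, and the sample report is constructed in the output format shown above.

```shell
#!/bin/sh
# Added example: flag open ports in an nmap report that are not on an allowlist.

# Constructed sample in the format of the scan output shown in this post.
sample_report() {
cat <<'EOF'
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
EOF
}

# unexpected_ports "<allowed ports>" < nmap-output
# Prints "port/proto service" for every open port not on the allowlist.
unexpected_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, "[ ,]+"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Port lines look like "22/tcp open ssh"; only the "open" state counts.
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            split($1, p, "/")
            if (!(p[1] in ok)) print $1, $3
        }
    '
}

# audit_report "<allowed ports>" < nmap-output
# Returns 1 and lists the offenders on stderr if anything unexpected is open.
audit_report() {
    extra=$(unexpected_ports "$1")
    if [ -n "$extra" ]; then
        printf 'unexpected open ports:\n%s\n' "$extra" >&2
        return 1
    fi
    return 0
}

# Policy after moving SSH behind a bastion: 22 should no longer be reachable.
# Against a live host you own: nmap hayato-iriumi.net | audit_report "80 443 8080"
sample_report | audit_report "80 443 8080" || echo "report does not match policy"
```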
I wrote an article on how to install htop on Oracle Linux before. Thanks to Markus, I learned that installing htop is just a matter of enabling a repo on Oracle Linux 8. I have an Oracle Linux 7 host that I use for a customer and I wanted to install htop on it. I tried to look for the epel repo in /etc/yum.repos.d/oracle-linux-ol7.repo but I could not find it. So the only option for me is to add the epel repo under /etc/yum.repos.d
I looked for EPEL repo for Oracle Linux 7 and added the following in /etc/yum.repos.d/oracle-epel-ol7.repo
name=Oracle Linux $releasever EPEL Packages for Development ($basearch)
Then run the following command.
sudo yum update
sudo yum install htop
Then, you get to install htop on Oracle Linux 7. 🙂
This blog is a dockerized WordPress blog. I noticed that my blog site was down this morning. I couldn’t even ssh into the host. I thought it was hacked somehow. After poking around, I got it back up and running. Here are the things I did to get it back up.
When I did ping hayato-iriumi.net, I got response back.
After a while, I could hit the website but it wasn’t connecting to the database.
I couldn’t even ssh into the host, so I restarted it.
I was able to ssh into it now, so I checked the running containers with the following command.
docker ps -a
I noticed that the NGINX container was failing to start because port 80 was already in use.
Checked which process was using port 80 with the following command.
sudo netstat -pna | grep 80
It turned out that another instance of NGINX was hogging the port. I stopped it and disabled it with the following commands.
sudo systemctl stop nginx
sudo systemctl disable nginx
sudo apt remove nginx
I’m not sure what installed the instance of NGINX.
Restarted the host.
The site came back up.
I am seeing some errors in journalctl, so something else may have caused the issue. This is very common troubleshooting for Linux users, but you should know where to look when troubleshooting a Linux-hosted service. I may rebuild this blog host again just in case it might have been hacked.