I have to create an ADMIN role user of InfluxDB at the time of initializing docker container. My script is:
echo "=> Starting InfluxDB ..."
exec influxd
#wait for the startup of influxdb
RET=1
while [[ RET -ne 0 ]]; do
echo "=> Waiting for confirmation of InfluxDB service startup ..."
sleep 3
curl -k ${API_URL}/ping 2> /dev/null
RET=$?
done
echo ""
RUN su- curl -XPOST 'http://localhost:8086/query' --data-urlencode "q=CREATE USER admin WITH PASSWORD 'password' WITH ALL PRIVILEGES"
Above script does create the user but issue is that the role of the user is not set to ADMIN. I need a user with ADMIN role. What can be the possible issue here ? Any help would be much appreciated
Use env variables (applicable for official InfluxDB docker image https://hub.docker.com/_/influxdb):
INFLUXDB_ADMIN_USER
The name of the admin user to be created. If this is unset, no admin user is created.
INFLUXDB_ADMIN_PASSWORD
The password for the admin user configured with INFLUXDB_ADMIN_USER. If this is unset, a random password is generated and printed to standard out.
Related
I'm trying out the Dynamic Security module for mosquitto and everything seems to work fine as long as I never systemctl restart mosquitto.service. After install mosquitto and enabling the Dynamic Security module, I ran these two commands:
mosquitto_ctrl dynsec init /etc/mosquitto/dynamic-security.json steve
systemctl restart mosquitto.service
Then I was able to create a user, role, subscribe and publish to a topic like this:
mosquitto_ctrl -u steve -P Pass1234 dynsec createClient john0
mosquitto_ctrl -u steve -P Pass1234 dynsec createRole role0
mosquitto_ctrl -u steve -P Pass1234 dynsec addClientRole john0 role0 1
mosquitto_ctrl -u steve -P Pass1234 dynsec addRoleACL role0 publishClientSend pizza allow
mosquitto_ctrl -u steve -P Pass1234 dynsec addRoleACL role0 subscribeLiteral pizza allow
mosquitto_sub -u john0 -P Pass1234 -t pizza
# then open a second terminal window and do this:
mosquitto_pub -u john0 -P Pass1234 -t pizza -m 'hi'
# result is the word `hi` appears in the first/original terminal window
I can repeatedly publish and subscribe to topics with the john0 user on the pizza topic.
However, the moment I have to reboot my server or if I run a systemctl restart mosquitto.service, then the john0 client no longer exists.
How do I prevent the john0 user and all the roles and access privileges from disappearing after a systemctl restart mosquitto.service?
EDIT
Here's my /etc/mosquitto/mosquitto.conf
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
allow_anonymous false
per_listener_settings false
plugin /usr/lib/x86_64-linux-gnu/mosquitto_dynamic_security.so
plugin_opt_config_file /etc/mosquitto/dynamic-security.json
Also, in my /etc/mosquitto/dynamic-security.json, the only record taht exists is he one for steve. I do not see any other clients in the dynamic-security.json file.
EDIT
Also, it seems if I manually edit the /etc/mosquitto/dynamic-security.json, it does NOT immediately take effect. I need to run systemctl restart mosquitto.service in order for the changes to take effect.
So I guess now my question is specifically how do I add clients and roles such that it meets all these criteria:
I can add them during run time and they immediately take effect without a systemctl restart mosquitto.service.
After a systemctl restart mosquitto.service, that the clients and roles still exist (ie. they are not deleted)
Mosquitto was configured to store its dynamic security state in /etc/mosquitto/dynamic-security.json.
Unfortunately, /etc/mosquitto is frequently not writable by mosquitto, for security reasons. State is generally meant to be stored in /var/lib/mosquitto, which Mosquitto is able to write to.
To fix this, change the configuration to read:
plugin_opt_config_file /var/lib/mosquitto/dynamic-security.json
If you have an existing dynamic-security.json file in /etc/mosquitto you can move it to /var/lib/mosquitto and retain whatever is currently in it:
mv /etc/mosquitto/dynamic-security.json /var/lib/mosquitto
chown mosquitto /var/lib/mosquitto/dynamic-security.json
chmod 700 /var/lib/mosquitto/dynamic-security.json
The chown line makes sure it's owned by the user mosquitto - if you run mosquitto as a different user, change this line to be the user you run it as.
The chmod line makes sure that only the file's owner (and root) can read the file. Even though the passwords in the file are encrypted, we don't want to make it any easier than necessary for an attacker to access it.
This happens due to permission issues for mosquitto
You can just simply do
chown mosquitto /etc/mosquitto/dynamic-security.json
After this when you use mosquitto_ctrl commands.
It will be visible in the json file.
I'm in the process of trying to find out or reset my PostgreSQL password, which is unknown to me, but which I need in order to migrate my database from SQLite3 to PostgreSQL.
I was trying to locate the hba_conf file so in the terminal I entered:
ps aux | grep postgres
and I found that the directory I needed to find was:
/Library/PostgreSQL/9.6/bin/postmaster -D/Library/PostgreSQL/9.6/data
My problem now is that it is not possible to locate this file because it apparently doesn't exist! When I cd to Library I'm unable to go any further because there is no PostgreSQL folder listed.
This is a bit of a dead end for me as I have no idea why PostgreSQL is not there. PSQL came with my version of Rails, and I updated it. When I type: 'psql -V' in the terminal, the answer is 'psql (PostgreSQL) 9.6.3'.
Help would be much appreciated, thanks :-)
From the library folder, if I run 'sudo su' then enter ls, I get the following:
.localized Calendars Dictionaries Internet Plug-Ins
Maps Saved Application State WebKit
Accounts CallServices Favorites Keyboard
Messages Screen Savers com.apple.nsurlsessiond
Address Book Plug-Ins ColorPickers FontCollections
Keyboard Layouts Metadata Services iMovie
Application Scripts Colors Fonts KeyboardServices
Passes Sharing
Application Support Compositions GameKit Keychains
PreferencePanes Sounds
Assistant Containers Google LanguageModeling
Preferences Spelling
Assistants Cookies Group Containers LaunchAgents
Printers Suggestions
Audio CoreData IdentityServices Logs
PubSub SyncedPreferences
Caches CoreFollowUp Input Methods Mail
Safari Voices
and if I enter ps I get this:
PID TTY TIME CMD
359 ttys000 0:00.02 login -pfl robertosullivan /bin/bash -c exec -
la bash /bin/bash
3267 ttys000 0:00.02 sudo su
3269 ttys000 0:00.01 su
3270 ttys000 0:00.00 sh
3271 ttys000 0:00.00 ps
If I try 'sudo find / -name psql' - I get:
find: /dev/fd/Library: No such file or directory
find: /dev/fd/Library: No such file or directory
/Library/PostgreSQL/9.6/bin/psql
/usr/local/bin/psql
/usr/local/Cellar/postgresql/9.6.3/bin/psql
When I try 'sudo find /Library/PostgreSQL/9.6/data -name *.conf' I get:
/Library/PostgreSQL/9.6/data/pg_hba.conf
/Library/PostgreSQL/9.6/data/pg_ident.conf
/Library/PostgreSQL/9.6/data/postgresql.auto.conf
/Library/PostgreSQL/9.6/data/postgresql.conf
The installation procedure creates a user account called postgres that is associated with the default Postgres role. In order to use Postgres, we can log into that account.
You can run the command you'd like with the postgres account directly with sudo
sudo -u postgres psql
This will prompt for the password for the postgres user.
If you don't have the password for this postgres user, follow the below steps:
sudo vim /etc/postgresql/9.3/main/pg_hba.conf
Around the line number 84,85 change that to
# Database administrative login by Unix domain socket
local all all trust
then Restart the PostgreSQL service via SUDO command
sudo /etc/init.d/postgresql restart
Now You can run the command to log in to the postgres account directly with sudo
sudo -u postgres psql
You will be now entered and will See the Postgresql terminal.Once you have successfully logged into postgres, you can change the password by the command
\password
and enter the NEW Password for Postgres default user, After Successfully changing the Password again go to the pg_hba.conf and revert the change to "md5"
Around the line number 84,85 change that now to
# Database administrative login by Unix domain socket
local all all md5
then Restart the PostgreSQL service via SUDO command
sudo /etc/init.d/postgresql restart
now you will be logged in as
psql -U postgres
with your new Password.
Please let me know if you have any Issues.
as we identified your data_dir as /Library/PostgreSQL/9.6/data/ and found configuration files in it, as we identified your postgres cluster is running with pg_ctl: server is running (PID: 88) /Library/PostgreSQL/9.6/bin/postgres "-D/Library/PostgreSQL/9.6/data, in order to reset your password do:
become a postgres user: sudo su - postgres
login locally with psql
reset the password with alter user USERNAME password 'NEW_PASSWORD'
after that you can connect as that user with psql -U USERNAME -h localhost using your new password
In my CI chain I execute end-to-end tests after a "docker-compose up". Unfortunately my tests often fail because even if the containers are properly started, the programs contained in my containers are not.
Is there an elegant way to verify that my setup is completely started before running my tests ?
You could poll the required services to confirm they are responding before running the tests.
curl has inbuilt retry logic or it's fairly trivial to build retry logic around some other type of service test.
#!/bin/bash
await(){
local url=${1}
local seconds=${2:-30}
curl --max-time 5 --retry 60 --retry-delay 1 \
--retry-max-time ${seconds} "${url}" \
|| exit 1
}
docker-compose up -d
await http://container_ms1:3000
await http://container_ms2:3000
run-ze-tests
The alternate to polling is an event based system.
If all your services push notifications to an external service, scaeda gave the example of a log file or you could use something like Amazon SNS. Your services emit a "started" event. Then you can subscribe to those events and run whatever you need once everything has started.
Docker 1.12 did add the HEALTHCHECK build command. Maybe this is available via Docker Events?
If you have control over the docker engine in your CI setup you could execute docker logs [Container_Name] and read out the last line which could be emitted by your application.
RESULT=$(docker logs [Container_Name] 2>&1 | grep [Search_String])
logs output example:
Agent pid 13
Enter passphrase (empty for no passphrase): Enter same passphrase again: Identity added: id_rsa (id_rsa)
#host SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6
#host SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6
parse specific line:
RESULT=$(docker logs ssh_jenkins_test 2>&1 | grep Enter)
result:
Enter passphrase (empty for no passphrase): Enter same passphrase again: Identity added: id_rsa (id_rsa)
I'm not sure if I have already logged in to a docker registry in cmd line by using cmd: docker login. How can you test or see whether you are logged in or not, without trying to push?
Edit 2020
Referring back to the (closed) github issue, where it is pointed out, there is no actual session or state;
docker login actually isn't creating any sort of persistent session, it is only storing the user's credentials on disk so that when authentication is required it can read them to login
As others have pointed out, an auths entry/node is added to the ~/.docker/config.json file (this also works for private registries) after you succesfully login:
{
"auths": {
"https://index.docker.io/v1/": {}
},
...
When logging out, this entry is then removed:
$ docker logout
Removing login credentials for https://index.docker.io/v1/
Content of docker config.json after:
{
"auths": {},
...
This file can be parsed by your script or code to check your login status.
Alternative method (re-login)
You can login to docker with docker login <repository>
$ docker login
Login with your Docker ID to push and pull images from Docker Hub. If
you don't have a Docker ID, head over to https://hub.docker.com to
create one.
Username:
If you are already logged in, the prompt will look like:
$ docker login
Login with your Docker ID to push and pull images from Docker Hub. If
you don't have a Docker ID, head over to https://hub.docker.com to
create one.
Username (myusername): # <-- "myusername"
For the original explanation for the ~/.docker/config.json, check question: how can I tell if I'm logged into a private docker registry
I use one of the following two ways for this check:
1: View config.json file:
In case you are logged in to "private.registry.com" you will see an entry for the same as following in ~/.docker/config.json:
"auths": {
"private.registry.com": {
"auth": "gibberishgibberishgibberishgibberishgibberishgibberish"
}
}
2: Try docker login once again:
If you are trying to see if you already have an active session with private.registry.com, try to login again:
bash$ docker login private.registry.com
Username (logged-in-user):
If you get an output like the above, it means logged-in-user already had an active session with private.registry.com. If you are just prompted for username instead, that would indicate that there's no active session.
You can do the following command to see the username you are logged in with and the registry used:
docker system info | grep -E 'Username|Registry'
The answers here so far are not so useful:
docker info no longer provides this info
docker logout is a major inconvenience - unless you already know the credentials and can easily re-login
docker login response seems quite unreliable and not so easy to parse by the program
My solution that worked for me builds on #noobuntu's comment: I figured that if I already known the image that I want to pull, but I'm not sure if the user is already logged in, I can do this:
try pulling target image
-> on failure:
try logging in
-> on failure: throw CannotLogInException
-> on success:
try pulling target image
-> on failure: throw CannotPullImageException
-> on success: (continue)
-> on success: (continue)
The docker cli credential scheme is unsurprisingly uncomplicated, just take a look:
cat ~/.docker/config.json
{
"auths": {
"dockerregistry.myregistry.com": {},
"https://index.docker.io/v1/": {}
This exists on Windows (use Get-Content ~\.docker\config.json) and you can also poke around the credential tool which also lists the username ... and I think you can even retrieve the password
. "C:\Program Files\Docker\Docker\resources\bin\docker-credential-wincred.exe" list
{"https://index.docker.io/v1/":"kcd"}
For private registries, nothing is shown in docker info. However, the logout command will tell you if you were logged in:
$ docker logout private.example.com
Not logged in to private.example.com
(Though this will force you to log in again.)
At least in "Docker for Windows" you can see if you are logged in to docker hub over the UI. Just right click the docker icon in the windows notification area:
Just checked, today it looks like this:
$ docker login
Authenticating with existing credentials...
Login Succeeded
NOTE: this is on a macOS with the latest version of Docker CE, docker-credential-helper - both installed with homebrew.
If you want a simple true/false value, you can pipe your docker.json to jq.
is_logged_in() {
cat ~/.docker/config.json | jq -r --arg url "${REPOSITORY_URL}" '.auths | has($url)'
}
if [[ "$(is_logged_in)" == "false" ]]; then
# do stuff, log in
fi
My AWS ECR build-script has:
ECR_HOSTNAME="${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com"
TOKEN=$(jq -r '.auths["'$ECR_HOSTNAME'"]["auth"]' ~/.docker/config.json)
curl --fail --header "Authorization: Basic $TOKEN" https://$ECR_HOSTNAME/v2/
If accessing ECR fails, a login is done:
aws ecr get-login-password --region ${REGION} | docker login --username AWS --password-stdin https://$ECR_HOSTNAME
For this to work, a proper Docker credential store cannot be used. Default credentials store of ~/.docker/config.json is assumed.
Use command like below:
docker info | grep 'name'
WARNING: No swap limit support
Username: <strong>jonasm2009</strong>
On windows you can inspect the login "authorizations" (auths) by looking at this file:
[USER_HOME_DIR].docker\config.json
Example:
c:\USERS\YOUR_USERANME.docker\config.json
It will look something like this for windows credentials
{
"auths": {
"HOST_NAME_HERE": {},
"https://index.docker.io/v1/": {}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/18.09.0 (windows)"
},
"credsStore": "wincred",
"stackOrchestrator": "swarm"
}
On Linux if you have the secretservice enabled via the credsStore option in your ~/.docker/config.json like below:
"credsStore": "secretservice",
then you will not see the credentials in the config.json. Instead you need to query the credentials using the docker-credential-desktop, see the below answer for more details:
How to know if docker is already logged in to a docker registry server
In Azure Container Registry (ACR) following works as a login-check:
registry="contosoregistry.azurecr.io"
curl -v --header "Authorization: Bearer $access_token" https://$registry/v2/_catalog
If access token has expired, a HTTP/401 will be returned.
Options for getting an access token are from ~/.docker/config.json or requesting one from https://$registry/oauth2/token using a refresh token stored into Docker credStore: echo $registry | docker-credential-desktop get.
More information about refresh tokens and access tokens are at ACR integration docs.
To many answers above is just about how to check login status manually. To do it from command line you can use the command below.
cat ~/.docker/config.json | jq '.auths["<MY_REGISTRY_HOSTNAME>"]' -e > /dev/null && echo "OK" || echo "ERR"
Ensure you have jq command in your local. To test that run jq --version command. If you can't get an version output follow the directions from here to install it https://stedolan.github.io/jq/download/
Replace <MY_REGISTRY_HOSTNAME> with your registry address.
When you run it returns OK if you successfully login already otherwise ERR
NOTE: if you used a credential helper to login (e.g. google cloud auth tool for container registry) replace .auths keyword with .credHelpers
As pointed out by #Christian, best to try operation first then login only if necessary. Problem is that "if necessary" is not that obvious to do robustly. One approach is to compare the stderr of the docker operation with some strings that are known (by trial and error). For example,
try "docker OPERATION"
if it failed:
capture the stderr of "docker OPERATION"
if it ends with "no basic auth credentials":
try docker login
else if it ends with "not found":
fatal error: image name/tag probably incorrect
else if it ends with <other stuff you care to trap>:
...
else:
fatal error: unknown cause
try docker OPERATION again
if this fails: you're SOL!
Here's a powershell powershell command to check if you have previously logged into the registry, making use of the file $HOME/.docker/config.json that others have mentioned:
(Get-Content $HOME/.docker/config.json | ConvertFrom-Json).auths.PSobject.Properties.name -Contains "<registry_url>"
This returns a True / False boolean, so can use as follows:
if ((Get-Content $HOME/.docker/config.json | ConvertFrom-Json).auths.PSobject.Properties.name -Contains "<registry_url>" ) {
Write-Host Already logged into docker registry
} else {
Write-Host Logging into docker registry
docker login
}
If you want it to not fail if the file doesn't exist you need an extra check:
if ( (-Not (Test-Path $HOME/.docker/config.json)) -Or (-Not (Get-Content $HOME/.docker/config.json | ConvertFrom-Json).auths.PSobject.Properties.name -Contains "<registry_url>") )
{
Write-Host Already logged into docker registry
} else {
Write-Host Logging into docker registry
docker login
}
I chose to use the -Not Statements because for some reason when you chain a command after a failed condition with -And instead of -Or the command errors out.
How to start and and stop a Windows service remotely using PSEXEC? Preferably the syntax to write I tried the cmdlet given below
psexec \\Server -u Administrator -p Somepassword ServiceName
PSService on SysInternals is specifically for remotely controlling services::`
psservice [\\computer [-u username] [-p password]] <command> <options>
where:
query Displays the status of a service.
config Displays the configuration of a service.
setconfig Sets the start type (disabled, auto, demand) of a service.
start Starts a service.
stop Stops a service.
restart Stops and then restarts a service.
pause Pauses a service
cont Resumes a paused service.
depend Lists the services dependent on the one specified.
security Dumps the service's security descriptor.
find Searches the network for the specified service.
\\computer Targets the NT/Win2K system specified.
Include the -u switch with a username and password to login to the remote system if your security credentials do not permit you to obtain performance counter information from the remote system. If you specify the -u option, but not a password with the -p option, PsService will prompt you to enter the password and will not echo it to the screen.
Another alternative to psexec is sc. You can use sc to start or stop services remotely:
sc \\server start ServiceName
sc \\server stop ServiceName
There is no "login" information, so maybe you need to execute
net use \\server password /USER:user
before executing sc command.
One advantage over psexec is that no console window shows in the remote machine.
I can't test this right now, but it ought to be:
psexec \\server -u username -p password net start ArgusCommunityWorkerService
and
psexec \\server -u username -p password net stop ArgusCommunityWorkerService
Using PSEXEC
The below batch file will let you stop and start services on multiple remote machines. Create Computers.txt file in the same directory where the batch file runs from and list PC hostnames one per line.
#echo off
TITLE Manage Services v1.0
SET suffix=%date:~-4,4%%date:~-10,2%%date:~-7,2%_%time:~0,2%%time:~3,2%%time:~6,2%
SET /P username=Enter your admin username:
set "psCommand=powershell -Command "$pword = read-host 'Enter Password' -AsSecureString ; ^
$BSTR=[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pword); ^
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)""
for /f "usebackq delims=" %%p in (`%psCommand%`) do set password=%%p
:service
SET /P servicename=Enter service name:
:begin
echo ========================================
echo 1) Start
echo 2) Stop
echo 3) Choose another service
echo ========================================
ECHO.
set /p op=Select an option:
if "%op%"=="1" SET action=start
if "%op%"=="2" SET action=stop
if "%op%"=="3" goto service
psexec "\\#%~dp0Computers.txt" -u %username% -p %password% -h net %action% %servicename% >>%suffix%.log 2>&1
pause
cls
goto begin
Using PowerShell
# Point the script to the text file with remote computers
$RemoteComputers = Get-Content "$PSScriptRoot\Computers.txt"
# sets service name
$Service = "uvnc_service"
# Counter for progress bar
$counter = 0
ForEach ($Computer in $RemoteComputers) {
$counter++
Try
{
Write-Progress -Activity 'Processing computers' -CurrentOperation $Computer -PercentComplete (($counter / $RemoteComputers.count) * 100)
Start-Sleep -Milliseconds 200
Get-Service -Name $Service -ComputerName $Computer | Restart-Service -Force -ErrorAction Stop
Write-Output "$(Get-Date -format "yyyy-MM-dd hh:mm:ss"),$computer" | out-file -append -filepath "$PSScriptRoot\success.log"
}
Catch
{
Write-Output "$(Get-Date -format "yyyy-MM-dd hh:mm:ss"),$computer" | out-file -append -filepath "$PSScriptRoot\failed.log"
}
}
Refering to Microsoft, an alternative is using psservice, which is part of pstools downloadable under following link:
Download PsTools (2.7 MB)
If someone needs to
Start, stop, restart, etc... a Windows Service remotely
as mentioned in the official reference from Microsoft, the appropriate command using the provided executable
PsService.exe
could be something similar to following (Case 1 and case 2), if you are using Windows PowerShell
Case 1: User, who will perform the wished command (e.g. restart) after signed in, is remote computer user with appropriate rights
.\PsService.exe \\Remote-ComputerName-OR-ServerName -u
'RemoteComputerName-OR-ServerName\Remote-ComputerUser' -p
'Remote-ComputerUser-Password' restart ServiceName
Case 2: User, who will perform the wished command (e.g. restart) after signed in, is domain superuser (e.g. DomainAdministrator)
.\PsService.exe \\Remote-ComputerName-OR-ServerName -u
'DomainShortName\DomainAdministrator' -p
'DomainAdministrator-Password' restart ServiceName
PS: Notice in this case the single quoted parameter values for
username
-u
and password
-p
for complex password and/or username
That's it, your command should get executed smoothly, just be patient!