I am very new to Ansible vaults, I am a developer trying to access django site but there is a basic auth window pops up asking me to enter username and password before I can access the site, I asked the company that developed it and they suggested me to decrypt the below ansible vault for it, below are the steps I tried:
Basic auth
k8s_container_htpasswd: !vault |
$ANSIBLE_VAULT;1.1;AES256
33646232363535613765323564653861663464383261306630326161326564346533346364666539
3563323661333661363361623731366363383666643366370a393864303239303230623933326132
62393466393036393837396562646362613331336366666132626562376438643535333430663934
6537633864333962360a396564393035313564383730613465363762363866323766336163643030
65623064323137373231323639313834326661393362363033396137353539376236616434333262
64653833343463306362343637323663663463383966653866
here is what I tried:
$ ansible localhost -e '#/home/delphini/dash-123/dashboard/deploy/group_vars/staging_shared.yml' --ask-vault-pass -m debug -a 'var=k8s_container_htpasswd'
I entered the 64 characters length password and the output is below
[WARNING]: No inventory was parsed, only implicit localhost is available
localhost | SUCCESS => {
"k8s_container_htpasswd": "staging:$jun1$YRfgzEhO$c/iY6BSItTJhYhSOIaXmK."
}
so the username is: staging
password: $jun1$YRfgzEhO$c/iY6BSItTJhYhSOIaXmK.
but this username and password isn't working, am I doing something wrong? is there something else that I can try?
stack is Django, Docker, AWS EKS & ECR deployed in a private VPC.
Related
I have lost the Sonarqube Server admin password, want to recover that, any support will be appreciated.
Environment docker images:
sonarqube:7.9.5-community
postgres:12.5-alpine
I have gone through the previously answered block but unfortunately nothing worked out.
Best
The Idea is same as mentioned # Sonarqube Security Docs under the title "Reinstating Admin Access".
My Solution:
I had to spin up fresh Docker container in order to get the default crypted_password value. If you already know/have the crypted password value then no need to spin up fresh containers, just follow the below steps by replacing the crypted_password accordingly.
Below crypted_password value belongs to admin.
exec to postgres docker container :
docker exec -it POSTGRES-CONTAINER-NAME bash
Inside Postgres Container, login with the Credentials and follow on screen instructions:
psql -U sonar -W
Confirm the Database and Users :
select * from users;
Output must show a Sonarqube Users Table.
Then Update the password to default i.e. admin :
update users set crypted_password = '$2a$12$2NA1PhmvfPVwdwq5WeQj.Opb0z4OGYP8s2yPMRRum18bGV5nJK86W', salt=null where login = 'admin';
try login to Sonarqube server with default credentials,
ID : admin
Password : admin
To learn more about # Sonarqube Security Docs.
I'm able to connect to a remote WAS 8.5.5 deployment manager profile after supplying the user/pass from my local WAS 8.5 install. Given below is a typical wsadmin command...
./wsadmin.sh \
-lang jython \
-conntype SOAP -host myRemoteWASHost -port 12345 \
-user wasAdminUser -password wasPassword
How can I connect to remote password less; using the UserId and (xor) Password already populated in the remote WAS Profile soap.client.props file?
Put that userid and password in to soap.client.props in the profile from where you start the wsadmin tool. You may need to create new dummy local profile to not clash with your local profile, if the profile from where you run the wsadmin has different username/password.
We unfortunately had a developer leave without sharing our CircleCI unlock password, so I am in the process of trying to pull it out of our VM. I am wondering where the Unlock the console password is stored in CircleCI, if it is plain text or maybe if its hiding in MongoDB or some other mechanism. Thanks for the help.
Picture attached for clarity
UPDATE We are using Enterprise and I was able to surface this out of the docs
curl https://s3.amazonaws.com/circleci-enterprise/init-builder-0.2.sh | \
SERVICES_PRIVATE_IP=<private ip address of services box> \
CIRCLE_SECRET_PASSPHRASE=<passphrase entered on system console (services box port 8800) settings> \
CIRCLE_CONFIG_OPTION_1=<value> \
CIRCLE_CONFIG_OPTION_2=<value> \
bash
```
After looking at the bash script though it doesn't look like its actually DOING anything with the var? Weirdness....
Can you please try the following?
SSH into the services box and run sudo replicated auth reset. Then, visit https://<YOUR_CCIE_HOSTNAME>:8800/create-password to create a new console password. Replace <YOUR_CCIE_HOSTNAME> with the hostname CircleCI Enterprise is running on. Please let us know if it works/doesn't work.
-Ricardo
Developer Evangelist, CircleCI
We use Mattermost using the 'Production Docker' setup as described in Mattermost documentation. For authentication, we federate using GitHub:Enterprise.
To setup our Mattermost team, I imported the whole Slack history. This lead to the problem that everyone who did not yet log into Mattermost via GitHub:Enterprise was not able to login. Mattermost helpfully returned the error message
"An existing user is already attached to your gitlab account"
How can I fix this issue without having to setup a new Mattermost instance and force everyone to login once before importing the Slack data?
Prerequisites
In order for this to work, you need
GitHub:Enterprise Administrator permissions
On the Mattermost machine, either root permissions or an account that is allowed to control docker, and, if psql is not installed, a way to install the psql command-line tool.
Steps
ssh into the Mattermost vm/machine (where the mattermost docker containers are running).
Change to an account with docker permissions (root; or the account you setup during Mattermost installation; or ... )
Use docker ps and note the hash of the container mattermostdocker_db. We will assume it starts with 5c23.
Run docker inspect 5c23 | grep IPAddress. Note the IP address of the container. We will assume it is 172.17.0.2.
Ensure that the psql commandline tool is installed on the machine where mattermost/docker is running.
On debian: apt-get install postgresql-client
Connect to the mattermost db of postgresql running inside the docker container:
psql -h 172.17.0.2 -p 5432 -d mattermost -U postgres -W
The (default?) password seems to be postgres.
Verify that a user account with the correct email exists. Assume the email of the account that has the problem is 'john#example.com`
mattermost-# select email, authdata from users where email = 'john#example.com';
Connect to GitHub:Enterprise and open the admin console. We will assume the local github enterprise instance is at https://github.example.com.
Click on the rocket symbol, or
https://github.example.com/stafftools
Click on all users and find the user that cannot login. We assume the github username is john, which would correspond to https://github.example.com/john
Visit the stafftools user security page for that user.
https://github.example.com/stafftools/users/john/security
Click on the 'Search logs' link under the 'Audit logs' header. This will open a page with a query field. On this page, you will find the internal github user number for that user. Note this number. We will assume the number is 37.
Back in the psql console, update the user entry with the correct number:
update users set authservice = 'gitlab', authdata = '37' where email = 'john#example.com' ;
Exit the psql console with \q:
mattermost-# \q
Done. The user can now log into Mattermost with GitHub:Enterprise user authentication.
Notes
Don't forget to complete each statement in psql with a ;
It's gitlab, not github, even if you use GitHub:Enterprise
Tested with Mattermost 3.0, GitHub:Enterprise 2.6.2
We currently have a docker registry setup, that has security. Normally, in order to access it, from a developer's perspective, I have to do a long with the docker login --username=someuser --password=somepassword --email user#domain.com https://docker-registry.domain.com.
However, since I am currently trying to do an automatized deployment of a docker container in the cloud, one of the operations, which is the docker pull command, fails because the login was not performed (it works if I add the login in the template, but that's bad).
I was suggested to use the certificate to allow the pull from being done (.crt file). I tried installing the certificate using the steps explained here: https://www.linode.com/docs/security/ssl/ssl-apache2-centos
But it does not seem to work, I still have to do a manual login in order to be able to perform my docker pull from the registry.
Is there a way I can replace the login command by the use of the certificate?
As I see, it's wrong URL for SSL authentication between docker server and private registry server.
You can follow this:
Running a domain registry
While running on localhost has its uses, most people want their registry to be more widely available. To do so, the Docker engine requires you to secure it using TLS, which is conceptually very similar to configuring your web server with SSL.
Get a certificate
Assuming that you own the domain myregistrydomain.com, and that its DNS record points to the host where you are running your registry, you first need to get a certificate from a CA.
Create a certs directory:
mkdir -p certs
Then move and/or rename your crt file to: certs/domain.crt, and your key file to: certs/domain.key.
Make sure you stopped your registry from the previous steps, then start your registry again with TLS enabled:
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2
You should now be able to access your registry from another docker host:
docker pull ubuntu
docker tag ubuntu myregistrydomain.com:5000/ubuntu
docker push myregistrydomain.com:5000/ubuntu
docker pull myregistrydomain.com:5000/ubuntu
Gotcha
A certificate issuer may supply you with an intermediate certificate. In this case, you must combine your certificate with the intermediate's to form a certificate bundle. You can do this using the cat command:
cat domain.crt intermediate-certificates.pem > certs/domain.crt