We Keep Coding

Rundeck 4.0.0 - Remote node command execution using ssh

I am having an issue with the most basic of Rundeck functions - namely, running a command over ssh on a remote node. I have generated a rsa key and added it via the Key Storage function. I have also created a yaml file for node definitions:
root#rundeck:/var/lib/rundeck# cat nodes.yml
mynode:
nodename: mynode
hostname: mynode
description: 'Some description'
ssh-authentication: privateKey # added - unsure if really required
ssh-keypath: /var/lib/rundeck/.ssh/id_rsa # added - unsure if really required
username: rundeck
osFamily: linux
The node is showing up correctly and command line ssh works just fine:
root#rundeck:/var/lib/rundeck/.ssh# ssh -i id_rsa rundeck#mynode date
Mon Apr 4 16:19:33 UTC 2022
The project settings are as below:
#Mon Apr 04 16:23:36 UTC 2022
#edit below
project.description=someproject
project.disable.executions=false
project.disable.schedule=false
project.execution.history.cleanup.batch=500
project.execution.history.cleanup.enabled=false
project.execution.history.cleanup.retention.days=60
project.execution.history.cleanup.retention.minimum=50
project.execution.history.cleanup.schedule=0 0 0 1/1 * ? *
project.jobs.gui.groupExpandLevel=1
project.label=somelabel
project.name=someproject
project.nodeCache.enabled=true
project.nodeCache.firstLoadSynch=true
project.output.allowUnsanitized=false
project.ssh-authentication=privateKey
project.ssh-command-timeout=0
project.ssh-connect-timeout=0
project.ssh-key-storage-path=keys/project/someproject/rundeck_id_rsa
resources.source.1.config.file=/var/lib/rundeck/nodes.yml
resources.source.1.config.format=resourceyaml
resources.source.1.config.requireFileExists=true
resources.source.1.config.writeable=true
resources.source.1.type=file
service.FileCopier.default.provider=jsch-scp
service.NodeExecutor.default.provider=jsch-ssh
Yet, when I try and run a Command from the UI, it fails:
Failed: SSHProtocolFailure: invalid privatekey: [B#7d7d0b2d
What am I doing incorrectly, and how do I successfully run a command over ssh on a remote node?

Your node definition needs the ssh-key-storage-path attribute pointing to the Rundeck user private key (created before on Rundeck Key Storage), also, the osFamily attribute must be set as unix (not linux, Rundeck only admits two values there: unix and windows).
To add an SSH node follow these steps:
If you're using a WAR-based installation execute: ssh-keygen -t rsa -b 4096. That generates two keys (private and public) on the user .ssh directory (the user that launches Rundeck). If you're using an RPM/DEB installation these keys are already created on the /var/lib/rundeck path.
Go to the remote SSH node (the account that you want to connect from Rundeck), then add the Rundeck server user public key to the authorized_keys file. Then you can test that connection with ssh user#xxx.xxx.xxx.xxx from the Rundeck server user account.
Launch Rundeck and then add to the Rundeck keys storage the rundeck user private key (remember to include the first and the last line "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----") in my case I use this path keys/rundeck.
Create a new Project and then create the resources.xml file with remote node information. To generate that file just go to Project Settings > Edit Nodes > Click on the "Configure Nodes" button > Click on "Add Sources +" > Select "+ File" option > in the "Format" field select resourcexml and fill the path in "File Path" field (put the file name at the end, usually "resources.xml", also, select "Generate", "Include Server Node" and "Writeable" checkboxes and click on the "Save" button.
Now you can edit that file including the remote node, which in my case is "node00" (a Vagrant test image), on the key-storage-path attribute I used the same path created in step 3:
<?xml version="1.0" encoding="UTF-8"?>
<project>
<node name="hyperion" description="Rundeck server node" tags="" hostname="hyperion" osArch="amd64" osFamily="unix" osName="Linux" osVersion="4.15.0-66-generic" username="ruser"/>
<node name="node00" description="Node 00" tags="" hostname="192.168.33.20" osArch="amd64" osFamily="unix" osName="Linux" osVersion="3.10.0-1062.4.1.el7.x86_64" username="vagrant" ssh-key-storage-path="keys/rundeck"/>
</project>
On Rundeck GUI go to the sidebar and check your nodes on the "Nodes" section. Check.
Go to "Commands" (sidebar) and put the SSH remote node name as a filter and launch any command like this.
You can follow an entire guide here.
Alternatively, you can re-generate the key pairs with the following command: ssh-keygen -p -f /var/lib/rundeck/.ssh/id_rsa -m pem.

The keystorage save the private-key with crlf and this was the issue I recognize with version 4.2.1.
Do a dirty fix for ssh-exec.sh:
echo "$RD_CONFIG_SSH_KEY_STORAGE_PATH" > "$SSH_KEY_STORAGE_PATH"
insert these lines:
sed -i 's/\r$//' "$SSH_KEY_STORAGE_PATH"
SSHOPTS="$SSHOPTS -i $SSH_KEY_STORAGE_PATH"

lldb reports my remote aarch64 paltform as x86_64 (AOSP)

I'm trying to remotely debug a process on my aarch64 hardware. Why does the triplet start with x86_64? I would expect aarch64
(lldb) platform select remote-android
Platform: remote-android
Connected: no
(lldb) platform connect connect://localhost:5039
Platform: remote-android
Triple: x86_64-unknown-linux-android
OS Version: 30 (5.4.47-07670-gd50c0c10c465)
Hostname: localhost
Connected: yes
WorkingDir: /
Kernel: #136 SMP PREEMPT Thu Nov 26 11:09:46 EST 2020
My Android hardware is aarch64. I pushed lldb-server to the target with
adb push prebuilts/clang/host/linux-x86/clang-r383902b/runtimes_ndk_cxx/aarch64/lldb-server /data/local/tmp/lldb-server
Ran it with:
adb shell /data/local/tmp/lldb-server platform --listen "*:5039" --server
And connected with lldb (from prebuilts/clang/host/linux-x86/clang-r383902b/bin/lldb)
I am able to attach to processes on the target, even list processes (which show x86_64 triplets again to my confusing) but I can't add any symbols files, or target create. Those commands yield arch errors which is what led me back to the triplet in the platform command. (side note, I do build with -Wl,--build-id=sha1 -g -glldb)
When I see tutorials online, they're triplets report arm.
Notes:
Everything is done from the shell (no IDE),
Not running in Docker,
My hardware is rooted and even in permissive mode right now
Everything here is based on AOSP 11
clang tag: clang-r383902b

The cause of this was the clang version I was using, clang-r383902b. Setting my local manifest to pull from master and using clang-r399163b everything worked.
Specifically:
Extend the clang prebuid project in a local manifest
<?xml version="1.0" encoding="UTF-8"?>
<manifest>
<remote name="aosp" fetch="https://android.googlesource.com/" review="https://android-review.googlesource.com/" />
<extend-project path="prebuilts/clang/host/linux-x86" name="platform/prebuilts/clang/host/linux-x86" groups="trusty" revision="refs/heads/master" clone-depth="1" remote="aosp" />
</manifest>
Sync: repo sync -d prebuilts/clang/host/linux-x86
Re-push: CLANG_TAG=clang-r399163b adb push prebuilts/clang/host/linux-x86/${CLANG_TAG}/runtimes_ndk_cxx/aarch64/lldb-server /data/local/tmp/lldb-server (or whatever the newest tag is)
Re-run lldb-server
I experimented with using the newest lldb-server with the existing lldb and it still worked.

jboss wildfly 17.0.1 - What is the correct location of silent authentication challenge file?

Hi there, after reading many articles on internet, I know that jboss wildfly writes a challenge file in tmp directory for silent authentication (JBOSS-LOCAL-USER mechanism).
Per my understanding, the challenge file should be located at, e.g. $JBOSS_HOME/standalone/tmp/auth/local2639861357474361285.challenge. If the management cli client can access the file successfully on the same machine, silent authentication succeeds.
Let's say:
App server hostname: appserver
jboss wildfly version: 17.0.1
wildfly is running as a service account - wildfly:wildfly
My account for works: mike
If I ssh to appserver using mike, and then run $JBOSS_HOME/bin/jboss-cli.sh -c, I think that I should fail the silent authentication, but it succeeds eventually. And then I try:
tcpdump to listen 9990 to see if any valuable information, and found:
0x0000: 4500 0060 abf6 4000 4006 9721 0a3f 7181 E..`..#.#..!.?q.
0x0010: 0a3f 7181 276a 932e 7a86 87cf 5604 7121 .?q.'j..z...V.q!
0x0020: 8018 0058 f7d2 0000 0101 080a 0fcc 2e80 ...X............
0x0030: 0fcc 2e6a 0000 0028 032f 746d 702f 6c6f ...j...(./tmp/lo
0x0040: 6361 6c35 3336 3339 3030 3330 3638 3933 cal5363900306893
0x0050: 3137 3238 3532 2e63 6861 6c6c 656e 6765 172852.challenge
auditctl various path to see if any valuable information, and found that the challenge file is created at /tmp/
Is there any system properties to set the location of challenge file? Appreciate for any help!

It seems likely that Wildfly is using the java.io.tmpdir system property. One way to override this is to run standalone.sh with a command line. If I run $WILDFLY_HOME/bin/standalone.sh -Djava.io.tmpdir=/var/tmp for example I can see in the startup logs:
...
java.io.tmpdir = /var/tmp
...
Without it I get:
...
java.io.tmpdir = /tmp
...

It turns out that upon I configure the http-interface according to https://docs.jboss.org/author/display/WFLY/Elytron+Subsystem#ElytronSubsystem-usedefaultelytronmgmtauth, my http-interface settings become:
<management-interfaces>
<http-interface http-authentication-factory="management-http-authentication" ssl-context="httpsSSC">
<http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
<socket-binding http="management-http" https="management-https"/>
</http-interface>
</management-interfaces>
The challenge file will be created at /tmp/localxxxxxxxx.challenge.
Finally, I decide to stick with the default settings instead of using elytron for management authentication.

Xcode+Swift+XPC: How to start and deploy a Swift XPC target on MacOS

DISCLAIMER: I am relatively new to MacOS/Xcode
I want to build a simple XPC Launch Agent in Swift (ie: in ~/Library/LaunchAgents) but I could not find much documentation.
I started with Xcode XPC template but I do not know if it was a good idea for my Swift project.
I notice I should also have ~/Library/LaunchAgents/com.demo.myservice.plist
Versions:
- MacOS: 10.13.2
- Xcode: 9.2
Instruction to create the Xcode XPC Project:
File > New project
I chose the MacOS template: XPC
I create the bundle ‘com.demo.myservice’
It creates me an Objective-C project. So I delete all files (ie: myserviceProtocol.h, myservice.h, myservice.m, main.m and Info.plist
Create the files:
myserviceProtocol.swift
import Foundation
#objc(myserviceProtocol) protocol myserviceProtocol {
func ping()
}
myservice.swift
import Foundation
class myservice : NSObject, myserviceProtocol {
func ping() {
print("ping")
}
}
main.swift
import Foundation
class ServiceDelegate : NSObject, NSXPCListenerDelegate {
func listener(_ listener: NSXPCListener, shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
newConnection.exportedInterface = NSXPCInterface(with:myserviceProtocol.self)
let exportedObject = myservice()
newConnection.exportedObject = exportedObject
newConnection.resume()
return true
}
}
// Create the listener and resume it:
//
let delegate = ServiceDelegate()
let listener = NSXPCListener.service()
listener.delegate = delegate;
listener.resume()
Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>com.demo.myservice</string>
<key>ProgramArguments</key>
<array>
<string>myservice</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
I build it:
I copied Info.plist into ~/Library/LaunchAgents/ : cp ~/Documents/myservice/myservice/Info.plist ~/Library/LaunchAgents/com.demo.myservice.plist
I retrieve my userid with id -u
And then I try to execute it from the command line (as it does not seem to do anything from Xcode):
sudo launchctl debug user/501/com.demo.myservice /Users/olivier/Library/Developer/Xcode/DerivedData/myservice-hbwefcgibyqbajguvblgcmxsnrmd/Build/Products/Debug/myservice.xpc
Configuration failed: 113: Could not find specified service
Could not find service "com.demo.myservice" in domain for uid: 501
I am not really sure of what I am doing. Was I right to use XPC template to create my swift XPC.

If you want your Agent to provide an XPC service, you need to expose it as a Mach Service.
The way you are initialising your Listener is for an XPC Service (notice capital S), an XPC Service is a bundle that is part of your application's bundle, located inside the Contents/XPCServices/ directory.
So in summary, you would have to:
1.) Create an Agent that exposes an XPC service via mach service. Your listener would look like:
let listener = NSXPCListener(machServiceName: "com.rderik.exampleXPC" )
2.) To consume your Agent's service you'll need to build the connection to that mach service.
let connection = NSXPCConnection(machServiceName: "com.rderik.exampleXPC")
I hope that helps.
If you want to read more, I wrote a tutorial on how to do that here:
https://rderik.com/blog/creating-a-launch-agent-that-provides-an-xpc-service-on-macos/

I'm not sure what your goal is. If you just want a daemon that is managed by launchd, then you don't need XPC. Just create a daemon (probably with the Command Line Tool project template) and create a launchd plist configuration file (see man launchd.plist).
XPC is intended to communicate with a host app. The service binary should be embedded in your app bundle and launchd will launch it when your app tries to connect. You don't need to modify ~/Library/LaunchAgents for this.
Your app needs to setup an NSXPCConnection to connect to the XPCListener you created.
Something like:
let connection = NSXPCConnection(serviceName: "com.demo.myservice")
let interface = NSXPCInterface(with: myserviceProtocol.self)
connection.remoteObjectInterface = interface
connection.resume()
let proxy = connection.remoteObjectProxyWithErrorHandler {(error) in
os_log("Connection Error: %{public}#", error.localizedDescription)
} as! myserviceProtocol
// message proxy here to communicate with service
Both scenarios are covered in more detail in the Daemons and Services Programming Guide

cannot attach to service manager-error

I am new in firebird and I would like to trace my firebird-database activities, hence I am trying to use Audit/Trace Services.
My firbird databse is on Server: 10.7.105.8
I am running this comman in my cmd:
C:\Program Files\Firebird\Firebird_2_5\bin>fbtracemgr -se 10.7.105.8:3050:service_mgr -user SYSDBA -password masterkey -start -name "User Trace 1" -config "fbtrace.conf" > C:\Users\Babak\Desktop\trace.out
but I get this error:
Can not attach to service manager
Service 3050 : Service_mgr is not defined
What should I do to solve this problem?
thank you so much
EDIT
thank you for your hints. I think my trace process works fine, but I cant find the information, what I need in my trace.out file
If I am starting my trace my command promp looks like this:
if in this step I take a look in my trace.out I can only see this:
Trace Session ID 3 Started
I am running some select queries in my firebird, and then I finish my trace with with ctr+c, then the only things, which I can see in my trace.out are something like this:
Trace session ID 3 started
2015-07-08 10:49:59.868874 ***** loading fbclient.dll proc=4116 64Bit DLL Preload
2015-07-08 10:49:59.869066 GetDllDirectoryA=""
2015-07-08 10:49:59.869075 GetModuleFileNameA="C:\Program Files\Firebird\Firebird_2_5\bin\fbclient.dll"
2015-07-08 10:49:59.869086 Log-Level is set to 0
2015-07-08 10:49:59.869096 fbclient.dll loaded by: C:\Program Files\Firebird\Firebird_2_5\bin\fbtracemgr.exe
2015-07-08 10:49:59.869113 ***** dimensio integration successfully fbclient.dll
2015-07-08 10:58:10.091330 ***** cleanup unload fbclientorg.dll proc=4116
and not more infos about queries, which I have run.
Could you please say me, what I have done wrong? or what should I do more?

As Mark says, check file "fbtrace.conf". This is a text file and you will see something like this:
# default database section
#
<database>
# Do we trace database events or not
enabled false
# Operations log file name. For use by system audit trace only
#log_filename
....
....
# Put transaction start/end records
log_transactions false <--- TO TEST, SET THIS TO TRUE
# Put sql statement prepare records
log_statement_prepare false <-- TO TEST, SET THIS TO TRUE
Set to true what you need to trace, save the file and check the result.

Firebird connection strings are of the format:
host/port:database
Where /port is optional and defaults to 3050, and database is either the alias or path of a database, or the name of a service. Replace :3050 with /3050 (or leave it off entirely).

The following worked for me:
Open start menu
Search for services and open it
Search Firebird Guardian in the services list.
Start Firebird Guardian if it is stopped or restart if it is running.
Now try to connect your server. It will work.