tag:dreamwidth.org,2010-03-06:483469 A dis-illusioned software engineer robbat2 2017-05-21T05:45:16Z tag:dreamwidth.org,2010-03-06:483469:238949 2017-05-21T05:45:16Z 2017-05-21T05:45:16Z public 0 &lt;&gt;Playing with the concepts around Cloud metadata services, specifically those that are network-based, rather than the ConfigDrive or serial port variants. <p>EC2 ensures that 169.254.169.254 is magically provide your instance with your data, and it won't be accessible to another instance. This is trivial to achieve if your instances are using routed or tap network; but is more complex if you are on a bridged network: the client will try to send the packets for 169.254.169.254 to the MAC of the default gateway. </p> <p>So far I can force bridged packets that would otherwise be headed for the gateway to be routed locally (and put 169.254.169.254/32 locally on the host). I don't have a good way to associate the packets with a specific instance yet. Using kernel packet marks work, but isn't really scalable. Main requirement is that a simple web service should be able to uniquely identify the client, even if they try to spoof themselves (learn mac+IP of another instance on the same hypervisor & bridge, and ask for it's metadata from the wrong interface)</p> <h3> Variant 1</h3> <pre> ebtables -t nat -N metadata || ebtables -t nat -F metadata for i in $(seq 0 20) ; do ebtables -t nat -A metadata -i vnet$i -j mark --mark-set $((256+$i)) --mark-target CONTINUE done ebtables -t broute -A metadata --limit 10/minute --limit-burst 2 --log --log-level debug --log-prefix "ebtables metadata" --log-ip ebtables -t nat -A metadata -j redirect ebtables -t nat -F PREROUTING ebtables -t nat -A PREROUTING -p IPv4 --logical-in br0 --ip-src 169.254.169.254 -j metadata ebtables -t nat -A PREROUTING -p IPv4 --logical-in br0 --ip-dst 169.254.169.254 -j metadata </pre> <h3>Variant 2</h3> <pre> ebtables -t broute -N metadata || ebtables -t broute -F metadata ebtables -t broute -F BROUTING ebtables -t broute -A BROUTING -p IPv4 --ip-src 169.254.169.254 -j metadata ebtables -t broute -A BROUTING -p IPv4 --ip-dst 169.254.169.254 -j metadata ebtables -t broute -A metadata --limit 10/minute --limit-burst 2 --log --log-level debug --log-prefix "ebtables metadata" --log-ip # Repeat the marks if you want them. ebtables -t broute -A metadata -j redirect </pre><br /><br /><img src="https://www.dreamwidth.org/tools/commentcount?user=robbat2&ditemid=238949" width="30" height="12" alt="comment count unavailable" style="vertical-align: middle;"/> comments tag:dreamwidth.org,2010-03-06:483469:238770 2015-06-05T17:25:29Z 2015-06-12T17:54:14Z public 0 <p>For the mutt users with GnuPG, depending on your configuration, you might notice that mutt's handling of GnuPG mail stopped working with GnuPG. There were a few specific cases that would have caused this, which I'll detail, but if you just want it to work again, put the below into your <tt>Muttrc</tt>, and make the tweak to <tt>gpg-agent.conf</tt>. The underlying cause for most if it is that secret key operations have moved to the agent, and many Mutt users used the agent-less mode, because Mutt handled the passphrase nicely on it's own.</p> <ul> <li><tt>-u</tt> must now come BEFORE <tt>--cleansign</tt></li> <li>Add <tt>allow-loopback-pinentry</tt> to <tt>gpg-agent.conf</tt>, and restart the agent</li> <li>The below config adds <tt>--pinentry-mode loopback</tt> before <tt>--passphrase-fd 0</tt>, so that GnuPG (and the agent) will accept it from Mutt still.</li> <li><tt>--verbose</tt> is optional, depending what you're doing, you might find <tt>--no-verbose</tt> cleaner.</li> <li><tt>--trust-model always</tt> is a personal preference for my Mutt mail usage, because I do try and curate my keyring</li> </ul> <pre> set pgp_autosign = yes set pgp_use_gpg_agent = no set pgp_timeout = 600 set pgp_sign_as="(your key here)" set pgp_ignore_subkeys = no set pgp_decode_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --no-auto-check-trustdb --batch --output - %f" set pgp_verify_command="gpg --pinentry-mode loopback --verbose --batch --output - --no-auto-check-trustdb --verify %s %f" set pgp_decrypt_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --output - %f" set pgp_sign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --output - --armor --textmode %?a?-u %a? --detach-sign %f" set pgp_clearsign_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --output - --armor --textmode %?a?-u %a? --detach-sign %f" set pgp_encrypt_sign_command="pgpewrap gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --textmode --trust-model always --output - %?a?-u %a? --armor --encrypt --sign --armor -- -r %r -- %f" set pgp_encrypt_only_command="pgpewrap gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --trust-model always --output --output - --encrypt --textmode --armor -- -r %r -- %f" set pgp_import_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --import -v %f" set pgp_export_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --export --armor %r" set pgp_verify_key_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --fingerprint --check-sigs %r" set pgp_list_pubring_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --with-colons --list-keys %r" set pgp_list_secring_command="gpg %?p?--pinentry-mode loopback --passphrase-fd 0? --verbose --batch --with-colons --list-secret-keys %r" </pre><br /><br /><img src="https://www.dreamwidth.org/tools/commentcount?user=robbat2&ditemid=238770" width="30" height="12" alt="comment count unavailable" style="vertical-align: middle;"/> comments