rules
Best way to setup a VirtualBox to avoid system crashes on a reboot
Sat, 03/25/2023 - 10:33 — Alexis Wilke
We now use permanent VirtualBox OSes to run part of our infrastructure.
We ran in all sorts of issues with those, but one thing for sure is that you do not want your OS hard drive to fill up because a (re)boot may not be possible after that. This is because the drive is likely to go bust if completely full.
You should, of course, have tools to let you know how filled up your hard drive is to make sure to catch such issues early. In our case, we had a Jira instance that filled up the drive mainly because we made one backup of the database per day. One day, one of those backup ended that ...
Docker, an advanced chroot utility
Fri, 11/29/2019 - 19:09 — Alexis Wilke
SECURITY WARNING
Before installing Docker and containers with services on your Linux system, make sure to read and understand the risks as mentioned on this Docker and iptables page. Especially, Docker will make all your containers visible to the entire world through your Internet connection. This is great if you want to indeed share that service with the rest of the world, it's very dangerous if you are working on that container service since it could have security issues that need patching and such. Docker documents a way to prevent that behavior by adding the following rule to your firewall:
iptables -I DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP
This means that unless the IP address matches 192.168.1.0/24, the access is refused. The `eth0` interface name should be replaced with the interface name you use as the external ethernet connection. During development, you should always have such a rule.
That has not worked at all for me because my local network includes many other computers on my LAN and this rule blocks them all. So really not a useful idea.
Instead, I created my own entries based on some other characteristics. That includes the following lines in my firewall file:
*filter :DOCKER-USER - [0:0] -A DOCKER-USER -j early_forward -A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j DROP -A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL -j DROP -A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8081 --ctdir ORIGINAL -j DROP
My early_forward allows my LAN to continue to work. These are my firewall rules that allow my LAN computers to have their traffic forwarded as expected.
Then I have three rules that block port 80, 8080, and 8081 from Docker.
Docker will add new rules that will appear after (albeit not within the DOCKER-USER list) and will open ports for whatever necessary service you install in your Dockers.
Note that the only ports you have to block are ports that Docker will share and that you have otherwise open on your main server. If Docker opens port 5000 and your firewall does not allow connections to port 5000 from the outside, then you're already safe. On my end I have Apache running so as a result I block quite usual HTTP ports from Docker.
Docker
As we are helping various customers, we encounter new technologies.
In the old days, we used chroot to create a separate environment where you could have your own installation and prevent the software from within that environment access to everything on your computer. This is particularly useful for publicly facing services liek Apache, Bind, etc.
Protected Node Rules Support
The following features are available only when installing the Rules extension of protected nodes. This extension requires the thrid party Rules extension for Drupal.
Protected Node Rules Conditions
When handling a Node, it is possible to check whether the node is currently protected or locked.
Protected Nodes
A node is said protected when the node was protected by a password using the Protected node module.
Whether the user can view that node is irrevelant in this case. Only the fact that the node requires a password to be viewed is what this condition checks.
Locked Nodes
A ...
Protected Node Password Fork Feature
Password Fork
The new module allows for a password fork.
This means you can send your users to one specific page, and tell them about a password to use on that one page. Depending on the password, they will be sent to one of several nodes.
This works in a very similar way as the other password form, except that there is no specific destination, and the users need to know any one of the passwords.
The feature uses a specific URL defined as follow:
/protected-nodes?protected_pages=<nid1>,<nid2>,...&back=<url>
- protected_pages=<nid1>,<nid2>,...
This
To Do Rules
The To Do module includes a sub-module called To Do Rules extension.
Events
The Rules extension includes the events as follow.
Each event is sent once per user assigned to a To Do item, including self-assigned users. It includes 4 parameters: the To Do item (a node); the To Do item author; the currently logged in user; and the assigned user. The node supports additional tokens that can be used as conditions (see below).
- To Do Event Started
This event occurs when the Start button is clicked on a To Do item. This event is sent once.
- To Do Event Reminder
This event
To Do List API
To Do List offered Hooks
Since version 1.1, the To Do List module includes a few module_invoke() calls that other modules can catch via one of the following hooks.
To Do List Global Settings
Global Settings
Global settings are found under Administer » Site configuration » To do list (admin/settings/to_do).
Only To Do List administrators can edit the Global Settings.
To Do List Installation
Basic To Do List Installation
Install the module as usual, generally under your sites/all/modules folder. On a Unix command line, you can use the tar tool like this:
cd sites/all/modules tar -xf to_do.tar.gz
Then go to Administer » Site building » Modules and enable the To do list module.
To Do List Requirements
Requirements
The following are the requirements for the To Do List module.
To Do Items
The basic To Do List module offers you a new Node type and several User lists. There are no specific requirements for the main module to work other than Drupal Core.
Block
The Block module is mandatory, so in itself it is not a requirement.
In order to use the To Do List Block sub-module, you need the Core Block module.
Terms & Conditions
Terms and Conditions for the Online Services
offered by Made to Order Software Corporation
This Agreement ("Agreement") is by and between Made to Order Software Corporation ("m2osw") a Californian Corporation and You, your heirs, your agents, successors and assigns ("You" and "Your"), and is made effective as of the date of electronic execution, which is when you register for an electronic account to use the Web site of m2osw. This Agreement sets forth the terms and conditions of Your use of the Online Services ...
