One day I decided to automate the deployment of my project. gitlab.com provides all the tools for this, so I used it, worked through the process and wrote a small deployment script. In this article I share that experience with the community.

TL;DR

  • Configure the VPS: disable root and password logins, install dockerd, configure ufw.
  • Generate certificates for the server and the client: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl
  • Enable control of dockerd over a TCP socket: remove the -H fd:// option from the docker service configuration.
  • Register the certificate paths in docker.json.
  • Put the certificate contents into gitlab variables in the CI/CD settings. Write a .gitlab-ci.yml script for the deployment.

All examples use the Debian distribution.

Initial VPS Setup

So you have bought an instance; the first thing to do is protect your server from the aggressive outside world.

First, install the ufw firewall:

Set the default policy: block all incoming connections, allow all outgoing connections:

Important: do not forget to allow the ssh connection:

The general syntax is: allow connections to a port with ufw allow 12345, where 12345 is the port number or the name of the service; deny them with ufw deny 12345.

Turn on the firewall:

Exit the session and log in again via ssh.

Add a user, assign a password and add the user to the sudo group.

Next, according to the plan, disable password login. To do this, copy your ssh key to the server:

Your server IP must be specified. Now try to log in as the user created earlier: you no longer need to enter a password. Next, change the following in the sshd configuration:

disable password login:

Restart the sshd daemon:

Now, if you or anyone else tries to log in as root, it will fail.
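
The VPS hardening steps above, collected into one script as an added example (this is not the article's own code). It assumes a fresh Debian host, root access, and a DEPLOY_USER variable; the firewall and user steps only run when APPLY_HARDENING=1, and the sshd_config rewrite takes a file path so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example: the ufw, user and sshd steps from the section above.
# Run as root on Debian with DEPLOY_USER set and APPLY_HARDENING=1.
set -eu

# Firewall: deny incoming, allow outgoing, and open SSH *before* enabling,
# otherwise the next login attempt is locked out.
setup_ufw() {
    apt-get install -y ufw
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow OpenSSH              # equivalent to: ufw allow 22
    ufw --force enable
}

# Unprivileged sudo user that replaces root for interactive logins.
create_deploy_user() {
    adduser --gecos "" "$1"        # prompts for the password
    usermod -aG sudo "$1"
}

# Rewrite sshd_config: no root login, no password auth, keys only.
# Argument: path to the config (default /etc/ssh/sshd_config).
# Caveat: appends at the end, so check it does not land inside a Match block.
harden_sshd_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    sed -i -e '/^#\{0,1\}PermitRootLogin /d' \
           -e '/^#\{0,1\}PasswordAuthentication /d' \
           -e '/^#\{0,1\}PubkeyAuthentication /d' "$cfg"
    printf 'PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n' >> "$cfg"
}

# Check: both lockdown directives present exactly once and uncommented.
sshd_config_is_hardened() {
    [ "$(grep -c '^PermitRootLogin no$' "$1")" -eq 1 ] &&
    [ "$(grep -c '^PasswordAuthentication no$' "$1")" -eq 1 ]
}

if [ "${APPLY_HARDENING:-0}" = 1 ]; then
    setup_ufw
    create_deploy_user "$DEPLOY_USER"
    # Copy your key from the workstation first: ssh-copy-id "$DEPLOY_USER"@SERVER_IP
    harden_sshd_config
    sshd -t                        # syntax check before restarting
    systemctl restart sshd
fi
```

Keep the current ssh session open while restarting sshd and confirm a second session with the key works before closing it.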

Next, install dockerd. I will not describe the process here, since the details may already have changed; follow the link to the official website and go through the steps to install docker on your virtual machine: https://docs.docker.com/install/linux/docker-ce/debian/

Certificate Generation

To manage the docker daemon remotely, an encrypted TLS connection is required. For this you need a certificate and a key, which must be generated and transferred to your remote machine. Follow the steps in the instructions on the official docker website:
https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl
All generated *.pem files for the server, namely ca.pem, server.pem and key.pem, must be placed in the /etc/docker directory on the server.

Dockerd setup

In the script that launches the docker daemon, remove the -H fd:// option; this option sets the socket (host) on which the docker daemon listens for control connections.

Next, create the settings file, if it does not already exist, and set the options:

Enable connections on port 2376:

Restart dockerd with the new settings:

Check:

If everything is green, we consider docker on the server successfully configured.
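
The certificate and dockerd steps above as one script, added here as an example (not the article's code). It writes the settings to /etc/docker/daemon.json, the path dockerd reads by default, and blanks the unit's ExecStart in a systemd drop-in so that -H fd:// no longer conflicts with the "hosts" entry; it assumes ca.pem, server.pem and key.pem (the names the article uses) are already in /etc/docker, and only applies changes when APPLY_DOCKER_TLS=1.

```shell
#!/bin/sh
# Added example: dockerd TLS listener on 2376 with mandatory client certs.
set -eu

# daemon.json: "tlsverify" makes dockerd reject clients whose certificate
# is not signed by ca.pem; without it, an open 2376 is root on this box.
# The unix socket is kept so the local docker CLI still works.
# Argument: target path (default /etc/docker/daemon.json).
write_daemon_json() {
    out="${1:-/etc/docker/daemon.json}"
    cat > "$out" <<'EOF'
{
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/key.pem",
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]
}
EOF
}

# The stock unit passes "-H fd://" on the command line and dockerd refuses
# to start when hosts are given both there and in daemon.json, so clear
# ExecStart in a drop-in. Copy any other flags from: systemctl cat docker
# Argument: drop-in directory (default /etc/systemd/system/docker.service.d).
write_systemd_dropin() {
    dir="${1:-/etc/systemd/system/docker.service.d}"
    mkdir -p "$dir"
    printf '[Service]\nExecStart=\nExecStart=/usr/bin/dockerd\n' > "$dir/override.conf"
}

# Check without jq: TLS verification on, listener on 2376, no plain 2375.
daemon_json_is_tls_only() {
    grep -q '"tlsverify": true' "$1" &&
    grep -q 'tcp://0.0.0.0:2376' "$1" &&
    ! grep -q ':2375' "$1"
}

if [ "${APPLY_DOCKER_TLS:-0}" = 1 ]; then
    write_daemon_json
    write_systemd_dropin
    ufw allow 2376/tcp             # the default policy above blocks it
    systemctl daemon-reload && systemctl restart docker
    # From the workstation, with the client cert.pem, key.pem and ca.pem:
    # docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=SERVER_IP:2376 version
fi
```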

Configuring continuous delivery on gitlab

In order for the gitlab worker to execute commands on the remote docker host, you need to decide how and where to store the certificates and the key for the encrypted connection to dockerd. I solved this by simply writing them into variables in the gitlab settings.

Simply display the contents of the certificates and the key with cat (cat ca.pem), then copy and paste them into the values of the variables.

Let's write the deployment script for gitlab. The docker-in-docker (dind) image will be used.

The main problem was to "extract" the contents of the certificates from the gitlab CI/CD variables in a usable form. I could not understand why the connection to the remote host did not work. On the host I looked at the log with sudo journalctl -u docker: there was a handshake error. I decided to look at what is actually stored in the variables; you can see this with cat -A $DOCKER_CERT_PATH/key.pem. The error was overcome by adding removal of the carriage return character: tr -d '\r'.

Further on in the script you can add post-release tasks at your discretion.
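
The before_script part of the job described above, as an added example rather than the article's own .gitlab-ci.yml: it rebuilds the client certificate files from CI/CD variables, strips the carriage returns that caused the handshake error, and fails the job early if a file still looks wrong. The variable names CI_CA_PEM, CI_CLIENT_CERT_PEM, CI_CLIENT_KEY_PEM and DEPLOY_HOST are assumptions; set them under Settings > CI/CD > Variables.

```shell
#!/bin/sh
# Added example: turn PEM contents stored in CI variables into the files
# the docker CLI expects under $DOCKER_CERT_PATH (ca.pem, cert.pem, key.pem).
set -eu

# Write one variable to a file, dropping \r (the cause of the handshake
# error) and guaranteeing a trailing newline. Args: contents, destination.
write_pem() {
    printf '%s\n' "$1" | tr -d '\r' > "$2"
    chmod 600 "$2"
}

# Check: no CR bytes left and the file starts with a PEM BEGIN line.
pem_is_clean() {
    ! grep -q "$(printf '\r')" "$1" &&
    head -n 1 "$1" | grep -q '^-----BEGIN '
}

# Recreate the cert directory and print its path for DOCKER_CERT_PATH.
# Argument: directory (default $HOME/.docker). Uses the assumed variables.
setup_docker_certs() {
    dir="${1:-$HOME/.docker}"
    mkdir -p "$dir"
    write_pem "$CI_CA_PEM"          "$dir/ca.pem"
    write_pem "$CI_CLIENT_CERT_PEM" "$dir/cert.pem"
    write_pem "$CI_CLIENT_KEY_PEM"  "$dir/key.pem"
    for f in ca cert key; do
        pem_is_clean "$dir/$f.pem" ||
            { echo "bad PEM in $f.pem, inspect with: cat -A $dir/$f.pem" >&2; return 1; }
    done
    echo "$dir"
}

# Sketch of the job in .gitlab-ci.yml (hypothetical file name ci-certs.sh):
#   image: docker:latest
#   services: [docker:dind]
#   before_script:
#     - . ./ci-certs.sh
#     - export DOCKER_CERT_PATH=$(setup_docker_certs)
#     - export DOCKER_HOST=tcp://$DEPLOY_HOST:2376 DOCKER_TLS_VERIFY=1
#     - docker version          # fails here, not mid-deploy, if TLS is wrong
#   script:
#     - docker compose up -d    # or whatever the release step is
```

Masked variables are the safer choice for the key, but GitLab only masks values that fit its masking rules, so the PEM may have to stay unmasked and protected instead.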

There are many ways and special utilities to extract user password hashes from the system. Can you extract the password in clear text? You can!

What are we talking about?

Not so long ago we put together comprehensive material on how to dump user passwords from a Windows system. The Windows Credentials Editor utility is one of the most famous and universal solutions. However, French researchers recently released a truly excellent piece of work: mimikatz. In addition to the already known tricks, it can ... extract user passwords in clear text. True, only for users who have logged in to the system before. At first we thought it was a fake, but the very first launch of the utility confirmed that everything worked. The program provides its own console, from which you can run the necessary modules for various situations (the "Swiss army knife" concept). To extract passwords in plain text, you only need three commands:

What does it look like?

Let's try mimikatz. The output will be in French, but this should not scare you: to see passwords, you do not need to speak the language of Charles de Gaulle:

How does it work?

It would seem: why store passwords in clear form at all, if authorization can be done even with a hash? In fact, the latter is not possible everywhere. Therefore Windows has a special wdigest security provider to support authentication types such as HTTP Digest Authentication and other schemes where the password itself must be known (a hash is not enough). Finally, I'll mention that literally at the time the magazine was published, similar functionality appeared in the WCE utility mentioned above.