At some point I thought about automating the deployment of my project. gitlab.com kindly provides all the tools for this, and of course I decided to use them, working out and writing a small deployment script along the way. In this article I share my experience with the community.

TL;DR

  • Configure the VPS: disable root login and password login, install dockerd, configure ufw
  • Generate certificates for the server and the client: docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl
  • Enable control of dockerd over a TCP socket: remove the -H fd:// option from the docker config
  • Register the certificate paths in docker.json
  • Store the certificate contents in GitLab variables in the CI/CD settings, and write a .gitlab-ci.yml script for the deployment

All examples are shown on Debian.

Initial VPS Setup

So you have bought an instance; the first thing to do is protect your server from the aggressive outside world.

First, install the ufw firewall:

Set the default policy: block all incoming connections, allow all outgoing connections:

Important: do not forget to allow ssh connection:

The general syntax: to allow connections to a port, ufw allow 12345, where 12345 is a port number or a service name; to deny them, ufw deny 12345.

Turn on the firewall:

Exit the session and log in again via ssh.

Add a user, give them a password and add them to the sudo group.

Next, according to the plan, password login must be disabled. To do this, first copy your ssh key to the server:

Your server IP must be specified. Now try to log in as the user created earlier: you should no longer need to enter a password. Next, change the following in the sshd configuration:

disable password login:

Restart the sshd daemon:

Now, if you or someone else tries to log in as root, it will fail.
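The whole "Initial VPS Setup" procedure, collected into one script. This is an added example, not the article's own commands: the firewall, admin user and sshd steps are shell functions so each one can be reviewed before it runs, and the sshd editing function takes the config file as an argument so it can be tried on a copy first. The admin user name, the ssh port and the sshd_config path are assumptions; copy your key with ssh-copy-id from your workstation before running the "apply" step, or the password-less login has nothing to work with.

```shell
#!/bin/sh
# Added example (not the article's own script): the "Initial VPS Setup"
# steps as reviewable shell functions for a fresh Debian host. Run as root.
# The admin user name, ssh port and sshd_config path are assumptions.
set -eu

# Step 1: firewall. Default policy blocks inbound and allows outbound;
# the ssh port is allowed BEFORE enabling so the session is not cut off.
setup_firewall() {
    ssh_port="${1:-22}"
    apt-get install -y ufw
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow "${ssh_port}/tcp"
    ufw --force enable
    ufw status verbose
}

# Step 2: unprivileged admin user in the sudo group (adduser asks for the password).
create_admin_user() {
    adduser --gecos "" "$1"
    usermod -aG sudo "$1"
}

# Set one sshd_config directive idempotently: rewrite an existing line
# (commented or not) in place, otherwise append it. Takes the file as an
# argument so it can be exercised on a copy before touching the real one.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Step 3: key-only logins and no root login at all (run ssh-copy-id from
# your workstation before this, otherwise you lock yourself out).
harden_sshd_config() {
    file="${1:-/etc/ssh/sshd_config}"
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PermitRootLogin no
}

# Effective value of a directive as sshd would read it (comments ignored).
sshd_option_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Entry point: only runs when invoked as "sh harden.sh apply".
if [ "${1:-}" = "apply" ]; then
    setup_firewall 22
    create_admin_user "${ADMIN_USER:-deploy}"
    harden_sshd_config
    sshd -t                       # validate the config before restarting
    systemctl restart sshd
fi
```

Keep the current ssh session open while you restart sshd and confirm from a second terminal that the key login works and that a password or root login is refused; `sshd -t` catches syntax errors, not a missing key.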

Next, install dockerd. I will not describe the process here, since it may already have changed; follow the link to the official website and go through the steps to install Docker on your virtual machine: https://docs.docker.com/install/linux/docker-ce/debian/

Certificate Generation

To manage the Docker daemon remotely, an encrypted TLS connection is required. For this you need a certificate and a key, which must be generated and transferred to your remote machine. Follow the steps in the official Docker documentation: https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl All generated *.pem files for the server, namely ca.pem, server.pem and key.pem, must be placed in the /etc/docker directory on the server.

Dockerd setup

In the script that launches the Docker daemon, remove the -H fd:// option; this option determines on which socket the daemon accepts control connections.

Next, create the settings file, if it does not exist yet, and set the options:

Allow connections on port 2376:

Restart dockerd with the new settings:

Check:

If everything is green, we can consider Docker on the server successfully configured.
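The "Dockerd setup" steps as one script, added here as an example rather than the article's own configuration. It writes the daemon config with the certificate paths, clears the packaged -H fd:// flag through a systemd drop-in, opens port 2376 and gives two checks for the "Check:" step: a positive one with the client certificate and a negative one without it. Certificate file names follow the article (ca.pem, server.pem, key.pem in /etc/docker); the drop-in file name and the placeholder host are assumptions.

```shell
#!/bin/sh
# Added example (not the article's own configuration): put dockerd on tcp/2376
# behind TLS client authentication. File names follow the article (ca.pem,
# server.pem, key.pem in /etc/docker); the systemd drop-in name is an assumption.
set -eu

# Daemon configuration: keep the local socket, add the TCP listener, and
# require a client certificate signed by our CA ("tlsverify").
daemon_json() {
    certdir="${1:-/etc/docker}"
    cat <<EOF
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "${certdir}/ca.pem",
  "tlscert": "${certdir}/server.pem",
  "tlskey": "${certdir}/key.pem"
}
EOF
}

# Debian's docker.service starts dockerd with "-H fd://". A "hosts" key in
# the config file conflicts with that flag and the daemon refuses to start,
# so clear ExecStart in a drop-in instead of editing the packaged unit.
systemd_override() {
    cat <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
EOF
}

# Write both files, lock down the private key, reload and open the port.
apply_dockerd_tls() {
    daemon_json /etc/docker > /etc/docker/daemon.json
    mkdir -p /etc/systemd/system/docker.service.d
    systemd_override > /etc/systemd/system/docker.service.d/override.conf
    chmod 0400 /etc/docker/key.pem
    chmod 0444 /etc/docker/ca.pem /etc/docker/server.pem
    systemctl daemon-reload
    systemctl restart docker
    ufw allow 2376/tcp      # use "ufw allow from <runner ip> to any port 2376" if the runner has a fixed address
}

# Positive check from the client side: CA plus client cert/key (cert.pem, key.pem).
check_remote_docker() {
    host="$1"; certdir="$2"
    docker --tlsverify --tlscacert="${certdir}/ca.pem" \
        --tlscert="${certdir}/cert.pem" --tlskey="${certdir}/key.pem" \
        -H "tcp://${host}:2376" version
}

# Negative check: a caller with only the CA, and no client certificate, must
# be refused. /_ping is the daemon's plain health endpoint.
check_rejects_anonymous() {
    host="$1"; certdir="$2"
    if curl -s --cacert "${certdir}/ca.pem" "https://${host}:2376/_ping" >/dev/null 2>&1; then
        echo "WARNING: daemon answered without a client certificate" >&2
        return 1
    fi
    echo "ok: anonymous TLS connection rejected"
}

if [ "${1:-}" = "apply" ]; then
    apply_dockerd_tls
fi
```

Run `apply_dockerd_tls` on the server, then both checks from your workstation (e.g. `check_remote_docker <server ip> ~/.docker`); `sudo journalctl -u docker` on the server shows the rejected handshakes if the negative check does not behave as expected.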

Configuring continuous delivery on GitLab

In order for the GitLab worker to execute commands on the remote Docker host, we need to decide how and where to store the certificates and the key for the encrypted connection with dockerd. I solved this by simply putting them into variables in the GitLab settings.

Simply print the contents of the certificates and key with cat (cat ca.pem), then copy and paste them into the variable values.

Let's write the deployment script for GitLab. The docker-in-docker (dind) image will be used.

The main problem was to "extract" the contents of the certificates in a usable form from the GitLab CI/CD variables. I could not understand why the connection to the remote host did not work. On the host I looked at the log with sudo journalctl -u docker; there was a handshake error. I decided to look at what is actually stored in the variables; for this you can use cat -A $DOCKER_CERT_PATH/key.pem. The error was overcome by adding removal of the carriage-return character: tr -d '\r'.

Further on in the script, you can add post-release tasks at your discretion.
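The deploy job's script, as an added example rather than the article's .gitlab-ci.yml: it turns the pasted PEM variables back into the three files the Docker client expects under DOCKER_CERT_PATH, strips the carriage returns that caused the handshake error above, and refuses to continue if a file does not look like PEM. The variable names DEPLOY_HOST, DEPLOY_CA, DEPLOY_CERT and DEPLOY_KEY and the container name "app" are assumptions; CI_PROJECT_DIR, CI_REGISTRY_IMAGE, CI_COMMIT_SHA and the registry login variables are GitLab's predefined ones.

```shell
#!/bin/sh
# Added example (not the article's .gitlab-ci.yml): the deploy job's script
# as a shell file, run inside the docker:dind-based job. It assumes the CI/CD
# variables DEPLOY_HOST, DEPLOY_CA, DEPLOY_CERT and DEPLOY_KEY (names are
# assumptions; the last three hold the PEM text pasted from cat).
set -eu

# Write one PEM variable to a file. Values pasted into GitLab variables can
# carry CRLF line endings, which break the TLS handshake, so strip the \r.
write_pem() {
    varvalue="$1"; dest="$2"
    umask 077
    printf '%s\n' "$varvalue" | tr -d '\r' > "$dest"
}

# Sanity check before using a file: PEM markers present and no stray \r.
pem_ok() {
    file="$1"
    grep -q -- '-----BEGIN' "$file" &&
    grep -q -- '-----END' "$file" &&
    ! grep -q "$(printf '\r')" "$file"
}

# Lay out the directory the docker client expects for DOCKER_CERT_PATH:
# ca.pem, cert.pem and key.pem. Returns non-zero if any file looks wrong.
prepare_cert_dir() {
    dir="$1"; ca="$2"; cert="$3"; key="$4"
    mkdir -p "$dir"
    write_pem "$ca"   "$dir/ca.pem"
    write_pem "$cert" "$dir/cert.pem"
    write_pem "$key"  "$dir/key.pem"
    for f in ca.pem cert.pem key.pem; do
        pem_ok "$dir/$f" || { echo "bad PEM: $f (inspect with: cat -A $dir/$f)" >&2; return 1; }
    done
}

deploy() {
    export DOCKER_CERT_PATH="${CI_PROJECT_DIR:-.}/certs"
    export DOCKER_TLS_VERIFY=1
    export DOCKER_HOST="tcp://${DEPLOY_HOST}:2376"
    prepare_cert_dir "$DOCKER_CERT_PATH" "$DEPLOY_CA" "$DEPLOY_CERT" "$DEPLOY_KEY"

    docker version                      # fails here, not mid-deploy, if TLS is wrong
    printf '%s' "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    docker pull "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    docker rm -f app 2>/dev/null || true
    docker run -d --name app --restart unless-stopped "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    rm -rf "$DOCKER_CERT_PATH"          # do not leave the client key in the job workspace
}

if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

In .gitlab-ci.yml the job's `script:` section can simply call `sh deploy.sh deploy`; mark the three PEM variables as protected (and masked where GitLab allows it) so they are only exposed to jobs on protected branches.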

There are many ways and special utilities to extract user password hashes from the system. But can the password be extracted in clear text? It can!

What are we talking about?

Not long ago we published a comprehensive piece on how to dump user passwords from a Windows system. The Windows Credentials Editor utility is one of the best-known and most universal solutions. However, French researchers recently released a remarkable piece of work, mimikatz. Besides the already known tricks, it can... extract user passwords in clear text. True, only for users who have logged in to the system before. At first we thought it was a fake, but the very first run of the utility confirmed that everything works. The program provides its own console, from which you can run the modules needed for various situations (the "Swiss army knife" concept). Extracting passwords in plain text takes only three commands:

How does it look like?

Let's try mimikatz. The output will be in French, but that should not scare you: to see passwords, you do not need to speak the language of Charles de Gaulle:

How it works?

It would seem: why store passwords in clear form at all, if authorization can be done even with a hash? In fact, the latter is not possible everywhere. That is why Windows has a special security provider, wdigest, to support authentication types such as HTTP Digest Authentication and other schemes where the password itself is needed (and the hash is not enough). Finally, literally as the magazine went to press, similar functionality appeared in the WCE utility mentioned above.