I have a problem about connections to a docker containers from outside of my network. Iptables not worked yet for me (See this question).
The container open a connection on port 9010 which maps to its 443:
docker run -d [some other configs] --restart=always -p 9010:443 -p 9010:443/udp xxx/myImage
and I cannot see the client connections to this in my host:
root#ubuntu:~# netstat -anlp | grep ESTABLISHED
tcp 0 64 88.99.126.173:22 191.96.180.79:2543 ESTABLISHED 20855/sshd: root#pt
However I can see it inside container:
root#ubuntu:~# docker exec -it b7772c4d43dc /bin/bash -c 'netstat -anlp | grep ESTABLISHED'
tcp 0 0 ::ffff:172.17.0.2:443 ::ffff:191.96.180.79:3298 ESTABLISHED 7/python
Now I want to close this connection in that container, but since docker is from python:3.6-alpine image, there is not useful commands such as tcpkill command. How I can close this connections by bash inside my host.
I use the following script to open a ssh tunnel to a bunch servers always varying between mysql, redis and ssh ports.
I am doing this while being in the company vpn, but I had the same problem back in the days, when you worked in the office.
Usually I start the script and use the opened connection with other tools like SequelPro or PhpStorm to connect to webserver or databases. Ideally it would just run until I don't need it any more and then I would exit the jumpserver and the connections should close. That is fine as long as I don't loose the connection and get kicked out of the jumpserver.
#!/bin/sh
username="my-user"
jumpServer="my.bastionserver.net"
hosts=("my.awsserver1.com" "my.awsserver2.com" "my.awsserver3.com")
destMysqlPort=3306
destSshPort=22
destRedisPort=6379
x=10001
y=10002
z=10003
for i in "${hosts[#]}"; do
:
server=$i
sshTunnel="$sshTunnel -L $x:$server:$destMysqlPort -L $y:$server:$destSshPort -L $y:$server:$destRedisPort"
echo "Server: $server -- MYSQL: $x -- SSH: $y-- Redis: $z"
x=$((x + 3))
y=$((y + 3))
z=$((z + 3))
done
if [ -z "$sshTunnel" ]
then
echo "ssh tunnels are empty"
else
ssh $sshTunnel $username#$jumpServer -i ~/.ssh/aws
fi
the output is as follows:
$ ./awstunnel.sh
Server: my.awsserver1.com -- MYSQL: 10001 -- SSH: 10002-- Redis: 10003
Server: my.awsserver1.com -- MYSQL: 10004 -- SSH: 10005-- Redis: 10006
Server: my.awsserver1.com -- MYSQL: 10007 -- SSH: 10008-- Redis: 10009
[...]
When I try to connect again via this script I get the messages that the address is already in use:
bind [127.0.0.1]:10002: Address already in use
channel_setup_fwd_listener_tcpip: cannot listen to port: 10002
bind [127.0.0.1]:10005: Address already in use
channel_setup_fwd_listener_tcpip: cannot listen to port: 10005
[...]
How can I change the script so that I can start it again right away and don't have to wait for quite some time until the connection via this tunnel really closes?
I work from a Mac and the jumpserver is a Linux server, where I should not change settings.
Just like this, a little hint:
To get the PID of the last executed command you have to type:
echo "$!"
So, what you can do is just store the PID after each ssh login command like this for example:
#Store the pid of the last command in a variable named sshPid:
sshPid=$!
and when you are done just kill the corresponding PID with:
kill ${sshPid}
Tell me if that worked for you :p
Bguess
I want to share a Windows directory which is Sys64 in CentOS. I install cifs-utils in CentOS 7 and I run the command:
mount.cifs //ip/Sys64 share -o user=hostname,password=hostname_password
I get the following message:
mount error(112): Host is down Refer to the mount.cifs(8) manual page
(e.g. man mount.cifs)
cat /var/log/messages
Nov 21 13:51:44 zabbix kernel: CIFS VFS: cifs_mount failed w/return
code = -112
I tested with nmap:
[root#titi mnt]# nmap -p 445 ip -P0
Starting Nmap 6.40 ( http://nmap.org ) at 2018-11-21 14:25 CET Nmap
scan report for ip Host is up (0.069s latency). PORT STATE SERVICE
445/tcp open microsoft-ds
I want to share this directory, do you have any ideas on how I can do this?
i put vers=2.0
mount -t cifs -o vers=2.0,uid=1010,gid=1011,username=,password= //10.219.56.2/SysWOW64 share
I exploring a few options to setup kafka and I knew that the Zookeeper has to be up and running to initiate a kafka.
I would like to know how can I find the below.
1) hostname and port for my zookeeper instance---I checked the zoo.cfg and I could only find the ClientPort not the hostname, will hostname be the hostname of my box??
2) To check if ZooKeeper is up and running---I tried to do a ps -ef | grep "zoo" I could not find anything. May be I am using a wrong key word to search??
Any help would be really appreciated?
To check if Zookeeper is accessible. One method is to simply telnet to the proper port and execute the stats command.
root#host:~# telnet localhost 2181
Trying 127.0.0.1...
Connected to myhost.
Escape character is '^]'.
stats
Zookeeper version: 3.4.3-cdh4.0.1--1, built on 06/28/2012 23:59 GMT
Clients:
Latency min/avg/max: 0/0/677
Received: 4684478
Sent: 4687034
Outstanding: 0
Zxid: 0xb00187dd0
Mode: leader
Node count: 127182
Connection closed by foreign host.
One other way would be to use 4 letter commands to validate if zookeeper service is healthy or not
echo stat | nc <zookeeper ip> 2181
echo mntr | nc <zookeeper ip> 2181
echo isro | nc <zookeeper ip> 2181
More details on the documentation link below
https://zookeeper.apache.org/doc/r3.1.2/zookeeperAdmin.html#sc_zkCommands
Go to bin directory of Zookeeper and type
./zkServer.sh status
For More info go through below link:
http://www.ibm.com/developerworks/library/bd-zookeeper/
Hope this could help you.
echo stat | nc localhost 2181 | grep Mode
echo srvr | nc localhost 2181 | grep Mode #(From 3.3.0 onwards)
Above will work in whichever modes Zookeeper is running (standalone or embedded).
Another way
If zookeeper is running in standalone mode, its a JVM process. so -
jps | grep Quorum
will display list of jvm processes; something like this for zookeeper with process ID
HQuorumPeer
I did some test:
When it's running:
$ /usr/lib/zookeeper/bin/zkServer.sh status
JMX enabled by default
Using config: /usr/lib/zookeeper/bin/../conf/zoo.cfg
Mode: follower
When it's stopped:
$ zkServer status
JMX enabled by default
Using config: /usr/local/etc/zookeeper/zoo.cfg
Error contacting service. It is probably not running.
I'm not running on the same machine, but you get the idea.
Zookeeper is just a Java process and when you start a Zookeeper instance it runs a org.apache.zookeeper.server.quorum.QuorumPeerMain class. So you can check for a running Zookeeper like this:
jps -l | grep zookeeper
or even like this:
jps | grep Quorum
upd:
regarding this: will hostname be the hostname of my box?? - the answer is yes.
enter the below command to verify if zookeeper is running :
echo "ruok" | nc localhost 2181 ; echo
expected response: imok
From a Windows 10
Open Command Promt then type telnet localhost 2181and then you type srvr
OR
From inside bin folder, open a PowerShell window and type zkServer.sh status
I use:
jps
Depending on your installation a running Zookeeper would look like
HQuorumPeer
or sth. with zookeeper in it's name.
For people who uses the official docker image:
https://hub.docker.com/_/zookeeper
in the whitelist is only enabled srvr
See below the example:
telnet hostname 2181
Trying ::1...
Connected to localhost.
Escape character is '^]'.
srvr
Zookeeper version: 3.7.0-e3704b390a6697bfdf4b0bef79e3da7a4f6bac4b, built on 2021-03-17 09:46 UTC
Latency min/avg/max: 0/0.0/0
Received: 3
Sent: 2
Connections: 1
Outstanding: 0
Zxid: 0x0
Mode: standalone
Node count: 5
Connection closed by foreign host.
Doc:
ZOO_4LW_COMMANDS_WHITELIST
Defaults to srvr. Zookeeper's 4lw.commands.whitelist
A list of comma separated Four Letter Words commands that user wants to use. A valid Four Letter Words command must be put in this list else ZooKeeper server will not enable the command. By default the whitelist only contains "srvr" command which zkServer.sh uses. The rest of four letter word commands are disabled by default.
For Window, users Install mobaxterm https://mobaxterm.mobatek.net/download.html
The mobaxterm terminal allows you to run all Linux commands
For those of you who used homebrew, use this command -
/opt/homebrew/Cellar/zookeeper/3.8.1/bin/zkServer status
I have problem to connect to any mysql database using jdbc connector in google apps scripts, I'm using tutorial code:
var conn = Jdbc.getConnection("jdbc:mysql://host(or ip):3306/database", "username", "password");
But in each case ( I've tested 4 different databases on 4 different host names) i get the same error:
Failed to establish a database connection. Check connection string, username and password. (line 2)
I'm looking for some help, I have no idea what could be the problem ;-(
ps. usernames/passwords are ok.
pps. In each database remote access is working ( I've tested by using telnet).
Since your issue was Remote access to a MySQL Database I will post some related documentation so that future viewers like TonyMiao will have a avenue to fix their own related issues.
Step # 1: Login Using SSH (if server is outside your data center)
First, login over ssh to remote MySQL database server. You may need to login to your MySQL server as the root user:
ssh user#server1.cyberciti.biz
login as the root using su or sudo
su
or use sudo
sudo -i
OR directly login as root user if allowed:
ssh root#server1.cyberciti.biz
Step # 2: Edit the my.cnf file
Once connected you need to edit the MySQL server configuration file my.cnf using a text editor such as vi:
If you are using Debian/Ubuntu Linux file is located at /etc/mysql/my.cnf location.
If you are using Red Hat Linux/Fedora/Centos Linux file is located at /etc/my.cnf location.
If you are using FreeBSD you need to create a file /var/db/mysql/my.cnf location.
Edit the /etc/my.cnf, run:
# vi /etc/my.cnf
Step # 3: Once file opened, locate line that read as follows
[mysqld]
Make sure line skip-networking is commented (or remove line) and add following line
bind-address=YOUR-SERVER-IP
For example, if your MySQL server IP is 65.55.55.2 then entire block should be look like as follows:
[mysqld]
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
language = /usr/share/mysql/English
bind-address = 65.55.55.2
# skip-networking
....
..
....
Where,
bind-address: IP address to bind to.
skip-networking : Don’t listen for TCP/IP connections at all. All
interaction with mysqld must be made via Unix sockets. This option is
highly recommended for systems where only local requests are allowed.
Since you need to allow remote connection this line should be removed
from my.cnf or put it in comment state.
Step# 4 Save and Close the file
If you are using Debian / Ubuntu Linux, type the following command to restart the mysql server:
# /etc/init.d/mysql restart
OR
# systemctl restart mysql
If you are using RHEL / CentOS / Fedora / Scientific Linux, type the following command to restart the mysql server:
# /etc/init.d/mysqld restart
OR
# systemctl restart mysqld
If you are using FreeBSD, type the following command to restart the mysql server:
# /usr/local/etc/rc.d/mysql-server restart
OR
# service mysql-server restart
Step # 5 Grant access to remote IP address
Connect to mysql server:
$ mysql -u root -p mysql
GRANT ACCESS TO A NEW DATABASE
If you want to add a new database called foo for user bar and remote IP 202.54.10.20 then you need to type the following commands at mysql> prompt:
mysql> CREATE DATABASE foo;
mysql> GRANT ALL ON foo.* TO bar#'202.54.10.20' IDENTIFIED BY 'PASSWORD';
HOW DO I GRANT ACCESS TO AN EXISTING DATABASE?
Let us assume that you are always making connection from remote IP called 202.54.10.20 for database called webdb for user webadmin, To grant access to this IP address type the following command At mysql> prompt for existing database, enter:
mysql> update db set Host='202.54.10.20' where Db='webdb';
mysql> update user set Host='202.54.10.20' where user='webadmin';
Step # 6: Logout of MySQL
Type exit command to logout mysql:
mysql> exit
Step # 7: Open port 3306
You need to open TCP port 3306 using iptables or BSD pf firewall.
A SAMPLE IPTABLES RULE TO OPEN LINUX IPTABLES FIREWALL
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 3306 -j ACCEPT
OR only allow remote connection from your web server located at 10.5.1.3:
/sbin/iptables -A INPUT -i eth0 -s 10.5.1.3 -p tcp --destination-port 3306 -j ACCEPT
OR only allow remote connection from your lan subnet 192.168.1.0/24:
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 3306 -j ACCEPT
Finally save all rules (RHEL / CentOS specific command):
# service iptables save
A SAMPLE FREEBSD / OPENBSD / NETBSD PF FIREWALL RULE ( /ETC/PF.CONF)
Use the following to open port # 3306 on a BSD based systems:
pass in on $ext_if proto tcp from any to any port 3306
OR allow only access from your web server located at 10.5.1.3:
pass in on $ext_if proto tcp from 10.5.1.3 to any port 3306 flags S/SA synproxy state
Step # 8: Test it
From your remote system or your desktop type the following command:
$ mysql -u webadmin -h 65.55.55.2 -p
Where,
-u webadmin: webadmin is MySQL username
-h IP or hostname: 65.55.55.2 is MySQL server IP address or hostname (FQDN)
-p : Prompt for password
You can also use the telnet or nc command to connect to port 3306 for testing purpose:
$ echo X | telnet -e X 65.55.55.2 3306
OR
$ nc -z -w1 65.55.55.2 3306
Sample outputs:
Connection to 65.55.55.2 3306 port [tcp/mysql] succeeded!
Resource information: Click Here!