Simple experiment with systemd-nspawn containers

For this test I used Fedora 25. Your mileage might vary in other operating systems, some things may be the same, some may not be.

WARNING: you’ll need to disable selinux, so to me this was merely an interesting experiment, and it led to increasing my knowledge, especially in relation to selinux + containers. Bad mix, no security, containers don’t contain, etc.

Many thanks to the nice people from #fedora and #selinux that graciously lent their time to help me when I was trying to use nspawn with selinux enabled. With their help, especially Grift from #selinux, we were actually able to run it, but only in a way I’m so uncomfortable with that I ultimately considered this experiment to be a #fail, as I’m definitely not going to use them like that any time soon: there’s still a lot of work to do in order to run containers with some security. I hope the Docker infatuation leads to a universal solution towards security + containers from the good engineers at Red Hat and others involved in that work.

But it certainly was a success in terms of contributing to more experience beyond a quickly expiring benefit of familiarity with OpenVZ.

Enough words, here’s how simple it was…

Firstly, let’s set up a template from which we’re going to copy to new instances. As I’m using Fedora 25, I used DNF’s capability to install under a directory:

dnf --releasever=25 \
 --installroot=/var/lib/machines/template-fedora-25 \
 -y install systemd passwd dnf fedora-release \
 iproute less vi procps-ng tcpdump iputils

You’ll only need the first three lines, though; the fourth was just a few more packages I preferred to have in my template.

Secondly, you’ll probably like to do further customization in your template, so you’ll enter your container just like it was (well, is) an enhanced chroot:

cd /var/lib/machines
systemd-nspawn -D template-fedora-25

Now we have a console, and the sky is the limit for what you can set up, like for instance defining a default password for root with passwd (but maybe you’ll not want to do this in a production environment).

For some weird reason, passwd constantly failed manipulating authentication tokens, but I solved it quickly by merely reinstalling passwd (dnf -y reinstall passwd). Meh…

I also ran dnf -y clean all before exiting the container in order to clean up unnecessary space wasted with package meta data that will be expired quickly.

When you’re done customizing, exit the container by pressing Ctrl + ] three times within about a second.

Finally, we’re ready to preserve the template:

cd template-fedora-25
tar --selinux --acls --xattrs czvf \
    ../$(basename $( pwd ) )-$(date +%Y%m%d).tar.gz .
cd ..

We’re now ready to create a test container and launch it in the background (YYYYMMDD being the date stamp of the archive created above):

mkdir test
cd test
tar --selinux --acls --xattrs -xzvf \
    ../template-fedora-25-YYYYMMDD.tar.gz
cd ..
machinectl start test

This container will probably not be able to run services exposed outside without help, but you can log in to its console with machinectl login test.

You’ll also have automagic name resolution from your host computer to the containers it runs if you change the hosts entry in /etc/nsswitch.conf placing mymachines between files and dns (or as you see fit if otherwise in your setup):

hosts: files mymachines dns myhostname
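As an added example (not from the original post), here is a small POSIX shell function that makes this nsswitch.conf edit idempotently: it inserts mymachines right after files on the hosts: line (or first, if there is no files entry, so it still precedes dns) and leaves the file untouched when it is already there. The file path is whatever copy you point it at.

```shell
#!/bin/sh
# Added example, not from the original post: edit the "hosts:" line of an
# nsswitch.conf-style file so that "mymachines" follows "files" (and so
# precedes "dns"), without duplicating it on repeated runs.

# Print the current hosts: line of the given file.
hosts_line() {
    grep '^hosts:' "$1"
}

# Insert mymachines into the hosts: line of file $1, rewriting it in place.
add_mymachines() {
    f="$1"
    # Already configured? Then leave the file untouched.
    if grep -Eq '^hosts:.*[[:space:]]mymachines([[:space:]]|$)' "$f"; then
        return 0
    fi
    tmp="$f.tmp.$$"
    awk '
        /^hosts:/ {
            line = "hosts:"; inserted = 0
            for (i = 2; i <= NF; i++) {
                line = line " " $i
                # place mymachines right after files, i.e. before dns
                if ($i == "files" && !inserted) { line = line " mymachines"; inserted = 1 }
            }
            # no files entry: put mymachines first so it is still before dns
            if (!inserted) line = "hosts: mymachines" substr(line, 7)
            print line; next
        }
        { print }
    ' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    # overwrite the existing inode so mode, owner and SELinux label survive
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Usage on the real file (needs root): add_mymachines /etc/nsswitch.conf
```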

If you had enabled ssh in your container, you’d be able to do ssh test from the host machine. Or access a web server you installed in it. Who knows.

As you saw, despite a lot of words trying to explain every step of the way, it’s excruciatingly simple.

The next article (Simple experiment with systemd-networkd and systemd-resolved) expands this example with a bridge in the host machine in order to allow your containers to talk directly with the external world.

Happy hacking!

Zabbix Postfix (and Postgrey) templates

Today’s Zabbix templates are for Postfix and Postgrey (but separated in case you don’t use both).

Since I run a moderate volume set of email servers, I could probably have Zabbix request the data and parse the logs all the time, but why not do it in a way that could scale better? (yes, I know I have 3 greps that could be replaced by a single awk call, I just noticed it and will improve it in the future).

I took as base a few other examples and improved a bit upon them resulting in the following:

  1. A cron job selects the last entries of /var/log/maillog since the previous run (uses logtail from package logcheck in EPEL)
  2. Then pflogsumm is run on it as well as other queries gathering info not collected by pflogsumm (in my case, postgrey activity, rbl blocks, size of mail queue)
  3. Then zabbix_sender is used to send the data to the monitoring server

The cron job takes as argument the time delta (in minutes) of logs you want to parse; in my case it’s -1, as I’m running it every minute, and that argument is passed to find … -mmin. You’d place it like this:

* * * * * /usr/local/bin/ -1
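As an added example (not the template’s own script), a single awk pass over a log chunk such as the one logtail hands over, counting postgrey greylist and pass actions and Postfix RBL rejects in one go and printing them in the “host key value” input format zabbix_sender reads with -i. The item keys and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not the original post's script: replace several greps with
# one awk pass over a maillog chunk and emit zabbix_sender input lines.
# Item keys (postgrey.greylist, postgrey.pass, postfix.rbl_blocks) are
# hypothetical; adapt them to the keys in your template.

# Count postgrey actions and RBL rejects in log file $1 for zabbix host $2.
# Output: one "host key value" line per item, as zabbix_sender -i expects.
count_mail_events() {
    awk -v host="$2" '
        /postgrey\[[0-9]+\]: action=greylist/ { greylist++ }
        /postgrey\[[0-9]+\]: action=pass/     { pass++ }
        /NOQUEUE: reject: .*blocked using/    { rbl++ }
        END {
            printf "%s postgrey.greylist %d\n", host, greylist
            printf "%s postgrey.pass %d\n",     host, pass
            printf "%s postfix.rbl_blocks %d\n", host, rbl
        }' "$1"
}

# Constructed sample of what logtail would return for one minute of maillog.
sample_log() {
    cat <<'EOF'
Jan  1 10:00:01 mx postgrey[1234]: action=greylist, reason=new, client_name=unknown, client_address=192.0.2.10, sender=a@example.com, recipient=b@example.net
Jan  1 10:00:05 mx postgrey[1234]: action=pass, reason=triplet found, client_name=mail.example.org, client_address=198.51.100.7, sender=c@example.org, recipient=b@example.net
Jan  1 10:00:09 mx postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<x@example.com> to=<b@example.net> proto=ESMTP helo=<x>
Jan  1 10:00:12 mx postgrey[1234]: action=greylist, reason=new, client_name=unknown, client_address=192.0.2.11, sender=d@example.com, recipient=b@example.net
EOF
}

# Stand-alone demo on the constructed sample; in the cron job you would
# instead feed the logtail output and pipe the result into
#   zabbix_sender -z <zabbix-server> -i -
tmp=$(mktemp)
sample_log > "$tmp"
count_mail_events "$tmp" mx1
rm -f "$tmp"
```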

This setup will very likely require some adaptation to your particular environment, but I hope it’s useful to you.

Then you can make a screen combining the graphics from both templates as the following example:

Zabbix Keepalived template

I’m cleaning up some templates I’ve done for Zabbix and publishing them over here. The first one is Keepalived as a load balancer.

This template…

  • requires no scripts placed on the server
  • creates an application, Keepalived
  • collects from the agent:
    • if it is a master
    • if it is an IPv4 router
    • the number of keepalived processes
  • reports on
    • state changes (from master to backup or the reverse) as WARNING
    • backup server that’s neither a router nor has keepalived routing as HIGH (your redundancy is impacted)
    • master server that’s neither a router nor has keepalived routing as DISASTER (your service will be impacted if there’s an availability issue in one real server as nothing else will automatically let IPVS know of a different table)

I still haven’t found a good way to report on the cluster other than creating triggers on hosts, though. Any ideas?

Up next is Postfix and, hopefully, IPVS Instance (not sure it can be done without scripts or writing an agent plugin, though. I haven’t done it yet).

Stallman’s great talk on surveillance

When did the great Richard Stallman start using slides?

Well, I don’t mind, they’re cute and funny!


“Should we have more surveillance than the USSR?” is a highly recommendable talk!

I’ll update this post later with more photos.

Batman v Superman is awesome, don’t let critics ruin movie for comic book fans

Last night I went to watch Batman V Superman and it’s a very good comic book movie. It’s not Lawrence of Arabia, or by any means a contender for Best Movie Oscar Award or anything like it, but it’s an excellent depiction of a good comic book movie.

I’m putting a “more” link by force because the rest has spoilers. Just trust me: if you like good dark comic book stories, especially those featuring Batman and Superman and those that don’t try to fit a single story in one go, you’ll like the movie. I did. A lot (not that I don’t have some gripes with it, but it’s a god damn good action movie adapting comic book characters).

Remember: there be spoilers. Read at your own discretion.


Contracts can no longer be concluded by telephone

Contratos deixam de poder ser celebrados por telefone – PÚBLICO


A lot of abuse has been done with this. Twice already I have pushed back (fortunately with success) against EDP and NOS (then Zon), who were claiming that I had negotiated a reduction of service over the phone.

With NOS they had the bad luck that I had the paper contract in hand, signed 3 months before the alleged reduction to almost nothing.

So they say that a mere 3 months after I signed a contract to significantly increase the service, I went and reduced it by phone to less than I had when I subscribed to the service at TVCabo? Well, prove it then, because I have the contract right here…

“Oh, you have the contract? Please hold on a moment”


EDP, for its part, tried to claim that the direct debit was not authorised and asked whether I would authorise a new mandate, in which case they would send a new contract to sign (probably losing some of the discounts).

On the phone I literally had to shout at them to send me proof of the refused debit, because I wasn’t going back to the bank alleging problems without proof, and I rejected any responsibility for failures, and woe to them if they cut off my electricity…

As they refused to send it, they went and tried again and it worked. How generous!

So the phone is all very nice and such, but always keep the paper in hand…


Ooo… sorry for shouting. I hope I haven’t hurt your ears, especially if you enjoy that mantra about lazy Portuguese. Actually… most of the people I hear it from are right-wing nuts parroting The Message their idols injected in their puny minds.

Here it goes, from OECD and restricted to the EU countries so it’s easier to understand:

[Chart: hours-worked-eu-2013]

One thousand, eight hundred and fifty two hours per year on average.

(Yes, I didn’t notice the graphic included other countries, I thought the EU filter reduced, and it did, the list of countries but it didn’t remove explicitly selected countries, I’ll fix that later)

Aha, your neo-liberal devil whispers in your ear… on average… now we got him!

Well, the definition of work for this graphic is:

Average annual hours worked is defined as the total number of hours actually worked per year divided by the average number of people in employment per year. Actual hours worked include regular work hours of full-time, part-time and part-year workers, paid and unpaid overtime, hours worked in additional jobs, and exclude time not worked because of public holidays, annual paid leave, own illness, injury and temporary disability, maternity leave, parental leave, schooling or training, slack work for technical or economic reasons, strike or labour dispute, bad weather, compensation leave and other reasons. The data cover employees and self-employed workers.

So this actually means that should you only consider full-time jobs it would be an even higher value… and it’s not counting “too many holidays”, or strikes, or whatever.

Reality calls, people…

(via Jan Wildeboer)

#ilovefs – I 💕 Free Software


Hey, it’s that time of the year when some megafuck dudes drop the strongest advertisement campaigns for selling chocolates, perfumes and flowers to your sweetheart!

But never fear! As usual in the world of Free Software, we like to turn things around 180º, turning the evil powers into good powers and giving a much better meaning to things.

As the GNU GPL and the copyleft movement have used copyright’s powers to bestow upon us the wonders of software freedom, let’s now turn this horrid day into a day of celebration of our love for Free Software.

Thank you all Free Software developers out there! I love your work and hope to be able to stand on your giant shoulders.

Love ya! 🙂