Port forwarding to get around corporate firewall restrictions

Let me take you on an adventure.

Today I needed to access a service inside a corporate network, but the service is firewalled from external use, and also from access via the VPN.

The suggestion was to use a machine already internal to the network and some port forwarding to get around this restriction. Aha, I can get around this with a small container on the OpenShift cluster, I thought.

So I need a tiny container just for forwarding ports. Google turned up - https://github.com/derkork/socat-openshift.

Docker inside a proxmox lxc container

Warning - this reduces security: the extra lines below loosen the container's AppArmor, device and capability restrictions.

Find the id of the container; you can list active containers with:

pct list

Edit the container config like:

vim /etc/pve/lxc/113.conf

Add the extra lines:

lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:

Shut down and restart the container.
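A check that can be run over container configs to spot the three weakening settings above, added here as an example and not part of the original post. It also flags the legacy `lxc.aa_profile` and cgroup v2 `lxc.cgroup2.devices.allow` spellings; the sample config, its hostname and its snapshot name are constructed.

```python
import re
import sys

# Raw LXC options in a Proxmox container config: "lxc.key: value" (also "=").
LINE_RE = re.compile(r"^(lxc\.[a-z0-9_.\-]+)\s*[:=]\s*(.*?)\s*$")

APPARMOR_KEYS = ("lxc.apparmor.profile", "lxc.aa_profile")  # current, legacy
DEVICE_KEYS = ("lxc.cgroup.devices.allow", "lxc.cgroup2.devices.allow")


def audit_lxc_conf(text):
    """Return (line_no, key, reason) for each setting that weakens isolation."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("["):
            break  # snapshot sections follow; only the top section is live
        m = LINE_RE.match(line)
        if not m:
            continue  # comments, blank lines, non-lxc options
        key, value = m.groups()
        if key in APPARMOR_KEYS and value == "unconfined":
            findings.append((no, key, "AppArmor confinement disabled"))
        elif key in DEVICE_KEYS and value.split()[:1] == ["a"]:
            findings.append((no, key, "access to all devices allowed"))
        elif key == "lxc.cap.drop" and value == "":
            findings.append((no, key, "capability drop list cleared"))
    return findings


# Constructed sample modelled on the config edit above (not a real host's file).
SAMPLE = """\
arch: amd64
hostname: docker-host
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:

[before-docker]
lxc.cap.drop:
"""

if __name__ == "__main__":
    # Pass config paths (e.g. /etc/pve/lxc/113.conf); no args audits SAMPLE.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("SAMPLE", SAMPLE)]
    for name, text in sources:
        for no, key, reason in audit_lxc_conf(text):
            print(f"{name}:{no}: {key}: {reason}")
```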

To enable aufs/overlay in the container, the module actually needs to be loaded on the Proxmox host; this can be done with:

Accessing OpenShift/OKD registry directly

Sometimes you need to push images into the OpenShift registry locally for testing; the steps involved are below. Note that I start/stop local OpenShift development with a command which includes:

BASE_DIR="/openshift/project"
export OPENSHIFT=$(ip addr show docker0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)
oc cluster up --base-dir=${BASE_DIR} --public-hostname=${OPENSHIFT}

This means it consistently listens on 172.17.0.1, which is reachable from both inside and outside the OpenShift cluster, whereas 127.0.0.1 isn't.

Publishing some modules from a larger project - splitting out parts of a monorepo

When developing, often there are parts of the project that are worth releasing as separate independent projects. There is a tool from the Symfony authors - https://github.com/splitsh/lite - which can assist, but it took a little working out.

The script I've ended up using is below. I run it from the root of the project.

It should be usable by simply adjusting the few variables at the top and then running the script with bash.

Drupal8 Manipulating field groups on module install

While working on a timekeeping module I encountered an issue that couldn't be resolved with the config/install & config/optional combinations. This module requires other modules to be installed first, but then some field group manipulation was needed to add the timekeeping tab into the tabs on the main page. Luckily, there are tests on the field group module, so with a bit of looking through tests and experimenting, it ends up like this:

hook_install() code

Rancher 2.0 in lxc

Note: Updated slightly now that Rancher 2.0 is GA.

There are a couple of tricks, but it is possible to get the Rancher beta running in an lxc container with some tweaks. Firstly, the lxc profile needs to be tweaked:

lxc profile edit default

The defaults that worked for me were:

Start a shell in a docker container that refuses to start

Sometimes containers die and you need to look inside to resolve the problem. In this one-liner you only need to adjust the 'container_name'; it will drop you right into the container so you can look around, then clean up afterwards.

CTR="container_name"; docker commit $(docker ps -a | egrep " ${CTR}$" | awk '{ print $1 }') test; docker run --rm -ti --entrypoint=bash test; docker rmi test

Or maybe as a script, something like:

dnsmasq in ubuntu zesty

The systemd included in Ubuntu zesty doesn't work nicely with dnsmasq by default, which is a pain if you are a developer and want to set up a local .test or similar domain. The way around this is to change /etc/systemd/resolved.conf and uncomment/add a line like:

DNSStubListener=no

Then set up your dnsmasq as normal, probably by creating a file /etc/dnsmasq.d/test with the contents: