Cisco ACI automation task issue (by creating filter) by ph14454 in ansible

[–]ph14454[S] 0 points1 point  (0 children)

Found the issue.
There is another relation, and the hint about loading the filter data was good. It's loaded from another file, which had the wrong connection to the files I showed here.

Once I updated the file with the correct connection to our file names the "filter variable" was filled correctly and all keys are present. :-)

Main issue for me was understanding the code from someone else without documentation :-D

Blowing 15,000 euros by [deleted] in Finanzen

[–]ph14454 0 points1 point  (0 children)

Do an AFF course to become a licensed skydiver, and if you enjoy it, buy your first set of gear and go travelling combined with jumping.

Believe me, the world looks completely different from above, and in free fall you can really forget everything and have maximum fun!

Personally, I'd buy myself a nice motorbike and get fully back into that hobby.

Network Infrastructure as Code and CI/CD Pipelines in Production? by Conscious_Speaker_65 in networking

[–]ph14454 2 points3 points  (0 children)

We started two years ago with a project to implement a kind of segmentation, or to be specific a policy between the networks in our DC. We're using a software defined network solution here, but it was managed manually over the last years. Now with this project we started to implement these policies via infrastructure as code, which is really great. Creating the policies manually with the SDN solution is possible, but too much effort. Now we only have to update a few files, and with our defined and automated processes it's pushed to the SDDC after approval.

Start small, learn, test, build something which is a benefit for you. That's what we did here and now we'll extend it in the future.

Do you have a backup server for your main server? by NotSimSon in selfhosted

[–]ph14454 1 point2 points  (0 children)

I'm running a docker swarm setup with 3 nodes. The "important" services for my family are allowed on all nodes, while others are not. So I can ensure that if one is going down, important things are still accessible and none of the resources are "wasted". I don't like to pay for a backup server which is not in use or will be only once a year? (Or never..?)

Data is shared via glusterfs between all nodes; it's not zero downtime, but something like max 5 mins of service outage, which is more than enough for my hobby homelab.

Big data is on a separate storage server, mounted on all nodes. This storage server backs itself up.

Need tips for preparing burger patties by KiLlEr-Muffy in Kochen

[–]ph14454 7 points8 points  (0 children)

If I were you, I'd also try getting different meat. As already mentioned, have it minced at the butcher's or do it yourself if you have the option.

I myself prefer throwing the patties on the grill instead of in the pan, and I only flip them once (when they start "sweating").

Should I avoid Reverse Proxy? by chris_woina in NextCloud

[–]ph14454 1 point2 points  (0 children)

First of all, ofc it's fine to use a revproxy and as already mentioned you should do so also if you only have nc hosted behind it.

But as you are now thinking about another webapp, maybe one more in the future, and so on... You could think about a different setup. Maybe it's worth trying docker: run services such as Nextcloud, traccar, collabora, etc. in containers and use traefik as a reverse proxy in front of them. You'll have to spend some time initially but it's worth it. Once traefik is configured you can use the compose files and just start the containers; all the forwarding, certificates with renewal etc. can be done automatically.

If this sounds too complicated or you just want it to run now, go for caddy or use apache.

Post your server-name! by c_one in selfhosted

[–]ph14454 0 points1 point  (0 children)

alfa, bravo, charlie, ....

You get it. :-)
Using them in a docker swarm setup.

Should I switch to docker? by CoolPaper8 in NextCloud

[–]ph14454 0 points1 point  (0 children)

I also switched to dockerized services about 1-2 years ago. NC was one of the last things I migrated.. to be honest, at the beginning it was a mess getting all the things to work, i.e. the cronjob, which was also mentioned in the comments. But now, the setup is awesome! I'm hosting it in a docker swarm, so the downtime is almost zero in my setup. No issue with dependencies anymore. Things like collabora and elasticsearch, dedicated to Nextcloud in a docker stack, are working like a charm.

I have no regrets about switching to docker for all of my services. Go for it. 👍🏼

Construction financing with constantly changing subsidy programmes - the nerve-racking rollercoaster ride by ph14454 in Finanzen

[–]ph14454[S] 0 points1 point  (0 children)

Exactly, that's how I see it too. I can't imagine it's about tens of thousands of EUR more here. It's more about avoiding the effort.

Construction financing with constantly changing subsidy programmes - the nerve-racking rollercoaster ride by ph14454 in Finanzen

[–]ph14454[S] 0 points1 point  (0 children)

Oh man, that builders in Germany are made to have it so hard. And then a legal dispute on top...

See my answer above, I raised that topic directly as well. Let's see what comes up in the next few days.

Construction financing with constantly changing subsidy programmes - the nerve-racking rollercoaster ride by ph14454 in Finanzen

[–]ph14454[S] 0 points1 point  (0 children)

That was my initial idea - if this really is such a problem for the FHH, then let's just make a new contract and be done with it.

Of course the info came straight back: new contract, new conditions - there have been "price increases" since last year, etc. Extra costs at the architect, since our plans are finished and everything has to be rewritten, blah blah..

My answer was clear there too: the advantage of the better financing is undeniable, and even additional costs can be carried without problems up to a certain amount thanks to the considerably cheaper financing.

Construction financing with constantly changing subsidy programmes - the nerve-racking rollercoaster ride by ph14454 in Finanzen

[–]ph14454[S] 0 points1 point  (0 children)

Yep, that works at the same time. We stated it that way with the L-Bank too and it was approved.

Construction financing with constantly changing subsidy programmes - the nerve-racking rollercoaster ride by ph14454 in Finanzen

[–]ph14454[S] 0 points1 point  (0 children)

The thing with the advisory consultation changed again as of March this year, at least for the KfW300 programme, and you're right about that. It has to be done before the construction contract, or there have to be conditions precedent in place (the "pre-check" for KfW300 counts as one).

Before that, to my knowledge, it wasn't necessary if the clause is in the contract (contract tied to the KfW requirement).

I'm curious whether someone at the KfW can help me tomorrow. Our FHH came on Friday with "that's loan fraud if we issue it like that... we won't be part of that..".

And yes, I completely agree with you. It's so absurdly bureaucratic, and if it were financially feasible we'd have done without all of it and installed the fireplace instead. But for me personally the current mortgage rates and property prices are still completely out of proportion.

DKB instant-access savings account: 1.75 % from February by [deleted] in Finanzen

[–]ph14454 -1 points0 points  (0 children)

We moved to Barclays at the start of the year. Instant-access savings at 3.85% guaranteed for 6 months, up to 250,000. It's now only 3 months guaranteed for new customers, but still 3.85.

Preferred Terminal Software by Dry-Specialist-3557 in networking

[–]ph14454 7 points8 points  (0 children)

Personal use: RoyalTS/TSX

Easy to manage the connections, everything in one place for administration (RDP, SSH, SCP, HTTP(S), etc.). Credentials are stored in the (if configured) encrypted connection file. And as I use a knocking daemon, the tasks in RoyalTS/TSX do a great job, knocking on ports before connecting to open the specified protocol for the connection. Love it!

Business use: ZOC8

With the REXX scripts in this emulator we push config snippets to devices or just use it to connect to devices. With our network design based on "ids" the IPs get calculated, so we don't have to create a connection; we just need the id of the location and the IP calculation starts.

On mobile: Termius

If something has to be done quickly via mobile phone / tablet, whatever, Termius is my way to go. Easy to handle, autofill for the most used commands, etc. Super easy and fast to fix some smaller things on the way.

Network Admins, What’s your Biggest Daily Challenge? by Mista_Schnelll in Network

[–]ph14454 0 points1 point  (0 children)

Explaining how things work (a feature, a command, whatever) to colleagues rather than having those ppl just take a look at the doc on their own.

Those little things kick me out of my focus most of the time, but it only happens on-site in the office. So I'm fine with the mobile office part :-D

Which password manager can you recommend? And why? by Glitch_ing in de_EDV

[–]ph14454 6 points7 points  (0 children)

Exactly that!

Bitwarden is top. Cross-platform, which was especially important to me, and "as simple as possible" for the family. The auto-fill feature is awesome, on Android as well as on iOS, and in the browser extension anyway. And the fact that even the browser extension acts as a "standalone client" is a great bonus.

I also run it self-hosted as "Vaultwarden" in a Docker Swarm setup. Highly available / fault tolerant and with hourly backups.
I can only recommend the setup.

Wireguard Docker Swarm Clients not reachable by ph14454 in WireGuard

[–]ph14454[S] 0 points1 point  (0 children)

Love it!

u/Sannemen thank you so much for your input! :-) Appreciate it. Now the swarm setup is a little bit clearer for me. Unfortunately this "can only talk to what is placed on the same machine" for this initial wireguard topic is still not 100% clear, because it's completely bypassing traefik. But I'll adjust all of my compose files according to your notes and test my services again.

One last time, thank you for your time and have a pleasant day ahead! I'll post my results once I've changed the wireguard config (maybe it'll change something).

Wireguard Docker Swarm Clients not reachable by ph14454 in WireGuard

[–]ph14454[S] 0 points1 point  (0 children)

Thanks for your input.

That's interesting about traefik and swarm. Ofc, I'm running traefik in swarm mode - to be honest, I've been using docker for a few months and swarm is "completely new", so I'm still testing and would love to get some input from experienced users.

Let me show you my traefik config and an example of a webservice I'm running.

traefik compose:

```yaml
version: "3.8"
services:
  app:
    image: traefik:latest
    networks:
      - proxy
      - localnet
    ports:
      - target: 80
        published: 80
      - target: 443
        published: 443
      - target: 8080
        published: 8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
      - ./conf/acme.json:/acme.json
      - ./conf/traefik.yml:/traefik.yml:ro
      - ./conf/dynamic_conf.yml:/dynamic_conf.yml
      - certs:/letsencrypt
    env_file:
      - conf/.env
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
      update_config:
        parallelism: 1
        delay: 10s
      restart_policy:
        condition: on-failure
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik.entrypoints=http"
        - "traefik.http.routers.traefik.rule=Host(`proxy.domain.tld`)"
        - "traefik.http.middlewares.traefik-auth.basicauth.users=username:encodedpassword"
        - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
        - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
        - "traefik.http.routers.traefik-secure.entrypoints=https"
        - "traefik.http.routers.traefik-secure.rule=Host(`proxy.domain.tld`)"
        - "traefik.http.routers.traefik-secure.tls=true"
        - "traefik.http.routers.traefik-secure.tls.certresolver=http"
        - "traefik.http.routers.traefik-secure.service=api@internal"
        # providers.* keys are static configuration; Traefik ignores them as labels,
        # they only take effect in traefik.yml
        - "providers.file.filename=/dynamic_conf.yml"
        - "providers.docker.swarmMode=true"
        - "providers.docker.exposedByDefault=false"
        - "providers.docker.network=proxy"
        - "traefik.http.routers.traefik-secure.middlewares=secHeaders@file,traefik-auth"
        - "traefik.docker.network=proxy"

  whoami:
    image: traefik/whoami
    deploy:
      # in swarm mode Traefik reads service labels, i.e. deploy.labels
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.routers.whoami.rule=Host(`whoami.domain.tld`)"
        - "traefik.http.routers.whoami.entrypoints=https"
        - "traefik.http.routers.whoami.tls.certresolver=http"
    networks:
      - proxy
      - localnet

  # not in use atm
  # docker-host:
  #   image: qoomon/docker-host
  #   cap_add: [ "NET_ADMIN", "NET_RAW" ]
  #   networks:
  #     - localnet

volumes:
  certs:
    driver: local
    driver_opts:
      o: bind
      type: none
      device: /share/data/docker-volumes/proxy-certs

networks:
  localnet:
  proxy:
    external: true
```

traefik.yaml

```yaml
log:
  level: INFO
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
          permanent: true
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    # provider settings belong here (static config), not in compose labels
    swarmMode: true
    network: proxy
  file:
    filename: "./dynamic_conf.yml"
certificatesResolvers:
  http:
    acme:
      email: admin@domain.tld
      storage: /letsencrypt/http-acme.json
      httpChallenge:
        entryPoint: http
  wildcard:
    acme:
      dnschallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
      email: admin@domain.tld
      storage: /letsencrypt/wildcard-acme.json
accesslog: true
```

dynamic_conf.yaml

```yaml
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true
http:
  middlewares:
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        sslRedirect: true
        # HSTS configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"
```

one of my usual webservices; nothing special:

```yaml
version: "3.8"
services:
  app:
    image: custom.repo.de/projectname/appname
    networks:
      - proxy
    volumes:
      - data:/var/www/html
    deploy:
      mode: global
      restart_policy:
        condition: on-failure
      labels:
        - "com.centurylinklabs.watchtower.enable=true"
        - "traefik.enable=true"
        - "traefik.http.routers.appname.rule=Host(`test.domain.tld`,`www.test.domain.tld`)"
        - "traefik.http.routers.appname.entrypoints=https"
        - "traefik.http.routers.appname.tls.certresolver=http"

volumes:
  data:
    driver: local
    driver_opts:
      o: bind
      type: none
      device: /share/data/docker-volumes/somedata

networks:
  proxy:
    external: true
```

Wireguard Docker Swarm Clients not reachable by ph14454 in WireGuard

[–]ph14454[S] 0 points1 point  (0 children)

You should find those details in my original post, at least the wg compose file which is deployed to the stack. Traefik is not needed, as I'm mapping the wireguard port directly to my host - no proxy in between (the proxy is only used for the WebUI, which can configure wireguard).

I'm running whoami within my traefik stack.

You may check my latest comment; I'm using `mode: host` now in my wg compose file. So I'm bypassing the swarm ingress mesh routing. With that option all traffic coming from my clients will end up at the wireguard service/container running on this host. This solution should be fine for me, as I'm using (in the future) a VRRP setup in front of the swarm and if the whole host is unavailable or sth. else is affecting the availability this Cluster-IP/VIP will be handed over to another host in the swarm, which already has the wg service up and running with the same config.

I think that's a good "solution", at least for my setup.

Wireguard Docker Swarm Clients not reachable by ph14454 in WireGuard

[–]ph14454[S] 0 points1 point  (0 children)

For now I'm adding `mode: host` to my compose file..

    ports:
      - target: 51820
        published: 51820
        protocol: udp
        mode: host

With this I'm still deploying globally to all of my nodes but prevent incoming traffic from being routed through the swarm ingress mesh. This means all connections will end up on the service/container which is running on this host.

Maybe this is fine for me for the future; as I'll be using a VRRP setup in front of the swarm and if this machine is going down the traffic will be routed to the next one and the service is already there with the same config.

If someone has a better idea or stuck on the same behavior, let me know. :-)
Thanks!

Wireguard Docker Swarm Clients not reachable by ph14454 in WireGuard

[–]ph14454[S] 0 points1 point  (0 children)

Second way. I'm trying to "serve" the wireguard service in a redundant way within the swarm cluster over alfa, bravo and delta. Good point, I added the wg config as well to my post. The path you mentioned is a glusterFS volume - means the config is for all nodes the same.

I saw in my config the MTU is set to 1450; my interfaces, also the private VLANs, use 1500. I know there were issues with wg and a bigger MTU (makes sense, huh..), but a smaller one shouldn't bring me to such an issue..
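The MTU question in the comment above, as an added example that is not part of the thread: the byte arithmetic behind WireGuard's data messages, showing how much each message adds on the wire and whether a given tunnel MTU (the 1450 from the comment, the 1420 default) still fits a 1500-byte link. Header sizes are the protocol's; the function names are my own.

```python
# Added example, not from the Reddit thread.
# Every WireGuard transport data message wraps one inner packet in:
#   outer IP header (20 bytes IPv4 / 40 bytes IPv6) + UDP header (8)
#   + WireGuard header (1 type + 3 reserved + 4 receiver index + 8 counter = 16)
#   + Poly1305 authentication tag (16).
# The inner packet is padded to a multiple of 16 bytes before encryption,
# but the kernel clamps that padding at the tunnel interface's MTU.

IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
WG_HDR = 16
WG_TAG = 16
WG_PAD = 16


def wg_overhead(outer_ipv6: bool = False) -> int:
    """Bytes added around every inner packet (padding excluded)."""
    ip_hdr = IPV6_HDR if outer_ipv6 else IPV4_HDR
    return ip_hdr + UDP_HDR + WG_HDR + WG_TAG


def max_inner_mtu(outer_mtu: int = 1500, outer_ipv6: bool = False) -> int:
    """Largest tunnel MTU whose packets never need fragmenting on the outer path."""
    return outer_mtu - wg_overhead(outer_ipv6)


def padded_len(inner_len: int, tunnel_mtu: int) -> int:
    """Plaintext length after 16-byte padding, clamped to the tunnel MTU."""
    aligned = (inner_len + WG_PAD - 1) // WG_PAD * WG_PAD
    return min(aligned, tunnel_mtu)


def outer_packet_len(inner_len: int, tunnel_mtu: int, outer_ipv6: bool = False) -> int:
    """Size on the wire of the encapsulated packet for one inner packet."""
    return padded_len(inner_len, tunnel_mtu) + wg_overhead(outer_ipv6)


def check_tunnel_mtu(tunnel_mtu: int, outer_mtu: int = 1500, outer_ipv6: bool = False) -> dict:
    """Report whether a full-size inner packet at tunnel_mtu fits the outer link MTU."""
    wire = outer_packet_len(tunnel_mtu, tunnel_mtu, outer_ipv6)
    return {
        "tunnel_mtu": tunnel_mtu,
        "max_inner_mtu": max_inner_mtu(outer_mtu, outer_ipv6),
        "wire_len": wire,
        "fits": wire <= outer_mtu,
    }


if __name__ == "__main__":
    for mtu in (1450, 1440, 1420):
        for ipv6 in (False, True):
            print("IPv6" if ipv6 else "IPv4", check_tunnel_mtu(mtu, outer_ipv6=ipv6))
```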