Beyond
This is the Beyond page, which documents the additional post-compromise enumeration and assessment
conducted as the root user after the target system was compromised.
Operating System
[root@twiggy ~]# uname -a ; cat /etc/*release
Linux twiggy 3.10.0-1127.8.2.el7.x86_64 #1 SMP Tue May 12 16:57:42 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
CentOS Linux release 7.8.2003 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
CentOS Linux release 7.8.2003 (Core)
CentOS Linux release 7.8.2003 (Core)
Firewall
[root@twiggy ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:4505
ACCEPT tcp -- anywhere anywhere tcp dpt:4506
ACCEPT tcp -- anywhere anywhere tcp dpt:irdmi
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:domain state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:4505 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:4505 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:4506 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:4506 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:irdmi state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:irdmi state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP all -- anywhere anywhere
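Firewall is enforced: the chain policies are ACCEPT, but INPUT and OUTPUT both end in a catch-all DROP rule, so traffic not matched by an earlier ACCEPT rule is dropped.
Note that `iptables -L` without `-v` does not print interface matches, so the scope of the leading `ACCEPT all` rules (for example, loopback-only) cannot be confirmed from this listing; `iptables -L -n -v` or `iptables -S` would show it.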
Services & Processes
[root@twiggy ~]# ps -auxwww
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.2 125472 2936 ? Ss 17:56 0:00 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
root 563 0.3 0.6 37376 6996 ? Ss 17:56 0:22 /usr/lib/systemd/systemd-journald
root 583 0.0 0.1 45028 1060 ? Ss 17:56 0:00 /usr/lib/systemd/systemd-udevd
root 584 0.0 0.2 124840 2736 ? Ss 17:56 0:00 /usr/sbin/lvmetad -f
root 692 0.0 0.0 55532 588 ? S<sl 17:57 0:00 /sbin/auditd
dbus 715 0.0 0.1 58244 1864 ? Ss 17:57 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 729 0.0 0.2 99688 2124 ? Ss 17:57 0:00 /usr/bin/VGAuthService -s
root 730 0.0 0.3 314460 3284 ? Ssl 17:57 0:02 /usr/bin/vmtoolsd
root 732 0.0 0.1 26384 1516 ? Ss 17:57 0:00 /usr/lib/systemd/systemd-logind
polkitd 734 0.0 0.7 612248 7780 ? Ssl 17:57 0:00 /usr/lib/polkit-1/polkitd --no-debug
root 740 0.0 0.1 126388 1028 ? Ss 17:57 0:00 /usr/sbin/crond -n
root 749 0.0 0.0 110208 800 tty1 Ss+ 17:57 0:00 /sbin/agetty --noclear tty1 linux
chrony 752 0.0 0.1 117808 1412 ? S 17:57 0:00 /usr/sbin/chronyd
root 756 0.0 0.4 550296 4256 ? Ssl 17:57 0:00 /usr/sbin/NetworkManager --no-daemon
root 1003 0.0 0.2 112924 2588 ? Ss 17:57 0:00 /usr/sbin/sshd -D
root 1006 0.0 1.5 574304 16064 ? Ssl 17:57 0:00 /usr/bin/python2 -Es /usr/sbin/tuned -l -P
root 1007 0.0 4.0 393176 40760 ? Ss 17:57 0:00 /usr/bin/python /usr/bin/salt-api
mezz 1008 0.0 1.6 222592 17008 ? Ss 17:57 0:00 /opt/mezz/env/bin/python3 /opt/mezz/env/bin/gunicorn --access-logfile - --workers 3 --bind unix:/opt/mezz/helloworld.sock helloworld.wsgi:application
root 1009 0.0 4.1 396684 42180 ? Ss 17:57 0:00 /usr/bin/python /usr/bin/salt-master
root 1010 0.1 1.0 271668 10720 ? Ssl 17:57 0:06 /usr/sbin/rsyslogd -n
named 1021 0.0 5.7 171164 58064 ? Ssl 17:57 0:00 /usr/sbin/named -u named -c /etc/named.conf
root 1034 0.0 0.2 120908 2160 ? Ss 17:57 0:00 nginx: master process /usr/sbin/nginx
nginx 1035 0.5 0.4 122228 4196 ? S 17:57 0:33 nginx: worker process
root 1182 0.0 2.3 315112 24060 ? S 17:57 0:00 /usr/bin/python /usr/bin/salt-master
root 1234 4.0 6.8 1788080 69032 ? Sl 17:57 3:57 /usr/bin/python /usr/bin/salt-api
root 1237 0.0 3.8 477476 39480 ? Sl 17:57 0:00 /usr/bin/python /usr/bin/salt-master
root 1238 0.0 4.6 404220 47416 ? S 17:57 0:00 /usr/bin/python /usr/bin/salt-master
root 1242 0.1 7.5 433232 76864 ? S 17:57 0:10 /usr/bin/python /usr/bin/salt-master
root 1244 0.0 3.9 396764 39792 ? S 17:57 0:00 /usr/bin/python /usr/bin/salt-master
root 1245 0.0 3.9 470416 40084 ? Sl 17:57 0:04 /usr/bin/python /usr/bin/salt-master
root 1249 0.0 3.9 773264 40096 ? Sl 17:57 0:00 /usr/bin/python /usr/bin/salt-master
root 1250 0.0 5.7 579656 58676 ? Sl 17:57 0:00 /usr/bin/python /usr/bin/salt-master
root 1251 0.0 5.9 497696 60140 ? Sl 17:57 0:00 /usr/bin/python /usr/bin/salt-master
root 1252 0.0 5.9 497452 60064 ? Sl 17:57 0:00 /usr/bin/python /usr/bin/salt-master
root 1253 0.0 5.9 579796 60640 ? Sl 17:57 0:00 /usr/bin/python /usr/bin/salt-master
root 1254 0.0 5.9 497824 60176 ? Sl 17:57 0:00 /usr/bin/python /usr/bin/salt-master
mezz 2708 17.3 4.8 304440 49232 ? S 17:59 16:37 /opt/mezz/env/bin/python3 /opt/mezz/env/bin/gunicorn --access-logfile - --workers 3 --bind unix:/opt/mezz/helloworld.sock helloworld.wsgi:application
mezz 2710 17.3 4.8 304740 49380 ? S 17:59 16:38 /opt/mezz/env/bin/python3 /opt/mezz/env/bin/gunicorn --access-logfile - --workers 3 --bind unix:/opt/mezz/helloworld.sock helloworld.wsgi:application
mezz 2712 17.3 4.9 306288 50440 ? S 17:59 16:37 /opt/mezz/env/bin/python3 /opt/mezz/env/bin/gunicorn --access-logfile - --workers 3 --bind unix:/opt/mezz/helloworld.sock helloworld.wsgi:application
root 17304 0.0 0.5 158928 5716 ? Ss 19:29 0:00 sshd: r00t@pts/0
root 17306 0.0 0.1 115520 1968 pts/0 Ss 19:29 0:00 -bash
root 17646 0.0 0.1 155448 1768 pts/0 R+ 19:34 0:00 ps -auxwww
[root@twiggy ~]# systemctl list-units --state=running
UNIT LOAD ACTIVE SUB DESCRIPTION
session-4.scope loaded active running Session 4 of user root
auditd.service loaded active running Security Auditing Service
chronyd.service loaded active running NTP client/server
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
getty@tty1.service loaded active running Getty on tty1
gunicorn.service loaded active running gunicorn daemon
lvm2-lvmetad.service loaded active running LVM2 metadata daemon
named.service loaded active running Berkeley Internet Name Domain (DNS)
NetworkManager.service loaded active running Network Manager
nginx.service loaded active running The nginx HTTP and reverse proxy server
polkit.service loaded active running Authorization Manager
rsyslog.service loaded active running System Logging Service
salt-api.service loaded active running The Salt API
salt-master.service loaded active running The Salt Master Server
sshd.service loaded active running OpenSSH server daemon
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-udevd.service loaded active running udev Kernel Device Manager
tuned.service loaded active running Dynamic System Tuning Daemon
vgauthd.service loaded active running VGAuth Service for open-vm-tools
vmtoolsd.service loaded active running Service for virtual machines hosted on VMware
dbus.socket loaded active running D-Bus System Message Bus Socket
lvm2-lvmetad.socket loaded active running LVM2 metadata daemon socket
systemd-journald.socket loaded active running Journal Socket
systemd-udevd-control.socket loaded active running udev Control Socket
systemd-udevd-kernel.socket loaded active running udev Kernel Socket
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
27 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
named.service
nginx.service
gunicorn.service
salt-api.service
salt-master.service
DNS
[root@twiggy ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2024-08-02 02:40:46 EDT; 7 months 7 days ago
Process: 1019 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 1005 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 1021 (named)
CGroup: /system.slice/named.service
└─1021 /usr/sbin/named -u named -c /etc/named.conf
[root@twiggy ~]# cat /usr/lib/systemd/system/named.service
[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=nss-lookup.target
Wants=named-setup-rndc.service
Before=nss-lookup.target
After=network.target
After=named-setup-rndc.service
[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true
[Install]
WantedBy=multi-user.target
/etc/named.conf
/etc/sysconfig/named
[root@twiggy ~]# cat /etc/named.conf | grep -v '^[#/]'
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@twiggy ~]# cat /etc/sysconfig/named
# BIND named process options
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# OPTIONS="whatever" -- These additional options will be passed to named
# at startup. Don't add -t here, enable proper
# -chroot.service unit file.
# Use of parameter -c is not supported here. Extend
# systemd named*.service instead. For more
# information please read the following KB article:
# https://access.redhat.com/articles/2986001
#
# DISABLE_ZONE_CHECKING -- By default, service file calls named-checkzone
# utility for every zone to ensure all zones are
# valid before named starts. If you set this option
# to 'yes' then service file doesn't perform those
# checks.
Empty: the file contains only comments, so neither OPTIONS nor DISABLE_ZONE_CHECKING is set.
Web
[root@twiggy ~]# systemctl status nginx.service
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2024-08-02 02:40:46 EDT; 7 months 7 days ago
Process: 1030 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 1026 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
Process: 1025 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
Main PID: 1034 (nginx)
CGroup: /system.slice/nginx.service
├─1034 nginx: master process /usr/sbin/nginx
└─1035 nginx: worker process
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
[root@twiggy ~]# cat /usr/lib/systemd/system/nginx.service
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
# Nginx will fail to start if /run/nginx.pid already exists but has the wrong
# SELinux context. This might happen when running `nginx -t` from the cmdline.
# https://bugzilla.redhat.com/show_bug.cgi?id=1268621
ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true
[Install]
WantedBy=multi-user.target
[root@twiggy ~]# cat /etc/nginx/nginx.conf | grep -v '^[#/]'
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
[root@twiggy ~]# ll /etc/nginx/conf.d/
total 12K
4.0K -rw-r--r-- 1 root root 443 May 26 2020 salt.conf
0 drwxr-xr-x. 2 root root 40 May 26 2020 .
4.0K -rw-r--r-- 1 root root 469 May 18 2020 mezz.conf
4.0K drwxr-xr-x. 4 root root 4.0K May 18 2020 ..
salt.conf
mezz.conf
SaltStack
[root@twiggy ~]# cat /etc/nginx/conf.d/salt.conf
server {
listen 8000 default_server;
location = /favicon.ico { access_log off; log_not_found off; }
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8080;
add_header X-Upstream salt-api/3000-1 always;
}
}
listen 8000 default_server
proxy_pass http://127.0.0.1:8080;
add_header X-Upstream salt-api/3000-1 always
Config
[root@twiggy ~]# ll /etc/salt/
total 140K
12K drwxr-xr-x. 79 root root 8.0K Jul 27 2020 ..
0 drwxr-xr-x. 2 root root 27 May 26 2020 master.d
0 drwxr-xr-x. 11 root root 243 May 18 2020 .
0 drwxr-xr-x. 4 root root 34 May 18 2020 pki
0 drwx------. 2 root root 6 Feb 4 2020 cloud.conf.d
0 drwx------. 2 root root 6 Feb 4 2020 cloud.deploy.d
0 drwx------. 2 root root 6 Feb 4 2020 cloud.maps.d
0 drwx------. 2 root root 6 Feb 4 2020 cloud.profiles.d
0 drwx------. 2 root root 6 Feb 4 2020 cloud.providers.d
0 drwxr-xr-x. 2 root root 6 Feb 4 2020 minion.d
0 drwxr-xr-x. 2 root root 6 Feb 4 2020 proxy.d
4.0K -rw-------. 1 root root 2.9K Feb 1 2020 cloud
52K -rw-r-----. 1 root root 51K Feb 1 2020 master
40K -rw-r-----. 1 root root 37K Feb 1 2020 minion
28K -rw-r-----. 1 root root 28K Feb 1 2020 proxy
4.0K -rw-r-----. 1 root root 344 Feb 1 2020 roster
[root@twiggy ~]# cat /etc/salt/cloud | grep -v '^[#/]' | tr -d '\n'
[root@twiggy ~]# cat /etc/salt/master | grep -v '^[#/]' | tr -d '\n'
[root@twiggy ~]# cat /etc/salt/minion | grep -v '^[#/]' | tr -d '\n'
[root@twiggy ~]# cat /etc/salt/proxy | grep -v '^[#/]' | tr -d '\n'
[root@twiggy ~]# cat /etc/salt/roster | grep -v '^[#/]' | tr -d '\n'
master.d/
pki/
master.d/salt-api.conf
[root@twiggy ~]# cat /etc/salt/master.d/salt-api.conf
rest_cherrypy:
port: 8080
host: 127.0.0.1
disable_ssl: true
pki/master
[root@twiggy ~]# ll /etc/salt/pki/master/
total 8.0K
0 drwx------. 7 root root 146 May 18 2020 .
4.0K -r--------. 1 root root 1.7K May 18 2020 master.pem
4.0K -rw-r--r--. 1 root root 450 May 18 2020 master.pub
0 drwxr-xr-x. 2 root root 6 May 18 2020 minions_rejected
0 drwxr-xr-x. 2 root root 6 May 18 2020 minions
0 drwxr-xr-x. 2 root root 6 May 18 2020 minions_autosign
0 drwxr-xr-x. 2 root root 6 May 18 2020 minions_denied
0 drwxr-xr-x. 2 root root 6 May 18 2020 minions_pre
0 drwxr-xr-x. 4 root root 34 May 18 2020 ..
API
[root@twiggy ~]# systemctl status salt-api.service
● salt-api.service - The Salt API
Loaded: loaded (/usr/lib/systemd/system/salt-api.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2024-08-02 02:40:46 EDT; 7 months 7 days ago
Docs: man:salt-api(1)
file:///usr/share/doc/salt/html/contents.html
https://docs.saltstack.com/en/latest/contents.html
Main PID: 1007 (salt-api)
CGroup: /system.slice/salt-api.service
├─1007 /usr/bin/python /usr/bin/salt-api
└─1234 /usr/bin/python /usr/bin/salt-api
[root@twiggy ~]# cat /usr/lib/systemd/system/salt-api.service
[Unit]
Description=The Salt API
Documentation=man:salt-api(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html
After=network.target
[Service]
Type=notify
NotifyAccess=all
LimitNOFILE=8192
ExecStart=/usr/bin/salt-api
TimeoutStopSec=3
[Install]
WantedBy=multi-user.target
/usr/bin/salt-api
[root@twiggy ~]# cat /usr/bin/salt-api
#!/usr/bin/python
# EASY-INSTALL-ENTRY-SCRIPT: 'salt==3000','console_scripts','salt-api'
__requires__ = 'salt==3000'
import re
import sys
from pkg_resources import load_entry_point
if __name__ == '__main__':
sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])
sys.exit(
load_entry_point('salt==3000', 'console_scripts', 'salt-api')()
)
Master
[root@twiggy ~]# systemctl status salt-master.service
● salt-master.service - The Salt Master Server
Loaded: loaded (/usr/lib/systemd/system/salt-master.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2024-08-02 02:40:47 EDT; 7 months 7 days ago
Docs: man:salt-master(1)
file:///usr/share/doc/salt/html/contents.html
https://docs.saltstack.com/en/latest/contents.html
Main PID: 1009 (salt-master)
CGroup: /system.slice/salt-master.service
├─1009 /usr/bin/python /usr/bin/salt-master
├─1182 /usr/bin/python /usr/bin/salt-master
├─1237 /usr/bin/python /usr/bin/salt-master
├─1238 /usr/bin/python /usr/bin/salt-master
├─1242 /usr/bin/python /usr/bin/salt-master
├─1244 /usr/bin/python /usr/bin/salt-master
├─1245 /usr/bin/python /usr/bin/salt-master
├─1249 /usr/bin/python /usr/bin/salt-master
├─1250 /usr/bin/python /usr/bin/salt-master
├─1251 /usr/bin/python /usr/bin/salt-master
├─1252 /usr/bin/python /usr/bin/salt-master
├─1253 /usr/bin/python /usr/bin/salt-master
└─1254 /usr/bin/python /usr/bin/salt-master
[root@twiggy ~]# cat /usr/lib/systemd/system/salt-master.service
[Unit]
Description=The Salt Master Server
Documentation=man:salt-master(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html
After=network.target
[Service]
LimitNOFILE=100000
Type=notify
NotifyAccess=all
ExecStart=/usr/bin/salt-master
[Install]
WantedBy=multi-user.target
/usr/bin/salt-master
[root@twiggy ~]# cat /usr/bin/salt-master
#!/usr/bin/python
# EASY-INSTALL-ENTRY-SCRIPT: 'salt==3000','console_scripts','salt-master'
__requires__ = 'salt==3000'
import re
import sys
from pkg_resources import load_entry_point
if __name__ == '__main__':
sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])
sys.exit(
load_entry_point('salt==3000', 'console_scripts', 'salt-master')()
)
Mezzanine
[root@twiggy ~]# cat /etc/nginx/conf.d/mezz.conf
server {
listen 80 default_server;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /opt/mezz/helloworld;
}
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://unix:/opt/mezz/helloworld.sock;
}
}
listen 80 default_server
/opt/mezz/helloworld
proxy_pass http://unix:/opt/mezz/helloworld.sock
[root@twiggy ~]# systemctl status gunicorn.service
● gunicorn.service - gunicorn daemon
Loaded: loaded (/etc/systemd/system/gunicorn.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2024-08-02 02:40:45 EDT; 7 months 7 days ago
Main PID: 1008 (gunicorn)
CGroup: /system.slice/gunicorn.service
├─1008 /opt/mezz/env/bin/python3 /opt/mezz/env/bin/gunicorn --access-logfile - --workers 3 --bind unix:/opt/mezz/helloworl...
├─2708 /opt/mezz/env/bin/python3 /opt/mezz/env/bin/gunicorn --access-logfile - --workers 3 --bind unix:/opt/mezz/helloworl...
├─2710 /opt/mezz/env/bin/python3 /opt/mezz/env/bin/gunicorn --access-logfile - --workers 3 --bind unix:/opt/mezz/helloworl...
└─2712 /opt/mezz/env/bin/python3 /opt/mezz/env/bin/gunicorn --access-logfile - --workers 3 --bind unix:/opt/mezz/helloworl...
[root@twiggy ~]# cat /etc/systemd/system/gunicorn.service
[Unit]
Description=gunicorn daemon
After=network.target
[Service]
User=mezz
Group=nginx
WorkingDirectory=/opt/mezz/helloworld
ExecStart=/opt/mezz/env/bin/gunicorn --access-logfile - --workers 3 --bind unix:/opt/mezz/helloworld.sock helloworld.wsgi:application
[Install]
WantedBy=multi-user.target
/opt/mezz/helloworld
[root@twiggy ~]# ll /opt/mezz/helloworld
total 176K
0 drwx--x---. 4 mezz mezz 58 Aug 2 2024 ..
0 drwxr-xr-x. 5 mezz mezz 160 May 28 2020 .
136K -rw-r--r--. 1 mezz mezz 136K May 28 2020 dev.db
0 drwxr-xr-x. 12 mezz mezz 160 May 18 2020 static
0 drwxr-xr-x. 3 mezz mezz 118 May 18 2020 helloworld
0 drwxr-xr-x. 2 mezz mezz 156 May 18 2020 deploy
24K -rw-r--r--. 1 mezz mezz 22K May 18 2020 fabfile.py
4.0K -rw-r--r--. 1 mezz mezz 374 May 18 2020 manage.py
4.0K -rw-r--r--. 1 mezz mezz 63 May 18 2020 .gitignore
4.0K -rw-r--r--. 1 mezz mezz 93 May 18 2020 .hgignore
4.0K -rw-r--r--. 1 mezz mezz 17 May 18 2020 requirements.txt
[root@twiggy ~]# cat /opt/mezz/helloworld/helloworld/local_settings.py | grep -v '^[#/]'
DEBUG = False
SECRET_KEY = "ayen*ger^e8innucg4&xb!b=w86ntc%!2s%8b6*4(cug66_@34"
NEVERCACHE_KEY = "!dytym^25k4n8+r5(y*d)zy1w#l_3tc_0%#j*l#d*9ywn_zd+b"
DATABASES = {
"default": {
# Ends with "postgresql_psycopg2", "mysql", "sqlite3" or "oracle".
"ENGINE": "django.db.backends.sqlite3",
# DB name or path to database file if using sqlite3.
"NAME": "dev.db",
# Not used with sqlite3.
"USER": "",
# Not used with sqlite3.
"PASSWORD": "",
# Set to empty string for localhost. Not used with sqlite3.
"HOST": "",
# Set to empty string for default. Not used with sqlite3.
"PORT": "",
}
}
ALLOWED_HOSTS = ["localhost", "127.0.0.1", "::1", "*"]