Category Archives: Cisco

Create a Docker Container for your Cisco ESA, SMA or WSA Offline Content Updates

23 Monday Nov 2020

Posted by Slice2 in Cisco


This process demonstrates how to use a Docker container to update your Cisco ESA and SMA (and WSA) appliances.

This HOWTO assumes you have a functioning Docker environment, the Cisco ESA/SMA (or WSA) Offline Content license, the Cisco Offline Content Public internet facing server and the 20200302-123456789_ipServer-v1.tar file from Cisco.

1) On your Public internet facing Cisco Offline Content server, run the ipClient --apps command to update the Content folders.
> sudo perl ipClient-v9.0.pl --apps
a. The command above creates the /cisco/offline/ipclient/transferPackage/applications.tar file with all of the updates bundled inside.

2) On the Docker server, create the new working directory for your Dockerfile. In this case, the admin user’s home folder is /home/admin and the new folder is ciscooffct.
> sudo mkdir -p ciscooffct
> cd ciscooffct

3) Inside the ciscooffct folder, create a file named Dockerfile and copy/paste the section below into that file and save it. Note, you can edit (or remove) the label section below to whatever you want. It’s just for informational purposes.
> vi Dockerfile (in vi, enter :wq! when done pasting in the text below to save)

# Base OS.
FROM ubuntu:18.04

# Update the OS and install perl and apache2 packages.
RUN apt-get update && apt-get install -y \
libconfig-tiny-perl \
libanyevent-dbi-perl \
liblwp-protocol-https-perl \
libxml-opml-simplegen-perl \
libdbd-csv-perl \
libanyevent-dbd-pg-perl \
libwww-perl \
apache2 \
vim-tiny \
vim \
inetutils-ping \
&& rm -rf /var/lib/apt/lists/*

# Create the apache folders and enable it.
RUN mkdir -pv /cisco/offline/ipclient
RUN mkdir -pv /cisco/offline/ipclient/files
RUN mkdir -pv /cisco/offline/ipclient/logs
RUN mkdir -pv /cisco/offline/ipclient/cert
RUN mkdir -pv /cisco/offline/ipclient/httpd
RUN mkdir -pv /cisco/offline/ipclient/httpd/manifests
RUN mkdir -pv /cisco/offline/ipclient/DATABASE
RUN mkdir -pv /cisco/offline/ipclient/transferPackage

RUN mkdir -pv /cisco/offline/
RUN mkdir -pv /cisco/offline/ipclient/updater
RUN mkdir -pv /cisco/offline/ipclient/updater/logs
RUN mkdir -pv /var/www/html/asyncos
RUN mkdir -pv /cisco/offline/ipServer

# Copy the modified processUploads.pl script to the image.
COPY 20200302-123456789_ipServer-v1.tar /cisco/offline/ipServer/
COPY applications.tar /cisco/offline/ipclient/transferPackage/
RUN ls -l /cisco/offline/ipServer/
RUN cd /cisco/offline/ipServer/ && tar -xf 20200302-123456789_ipServer-v1.tar
RUN chmod -R 755 /cisco/offline/ipServer

# Set one or more individual labels
LABEL version="0.1-beta"
LABEL vendor1="Cisco"
LABEL created-by="slice2"
LABEL release-date="2020-NOV-23"

# Apache ports
EXPOSE 80
EXPOSE 443

ENV APACHE_RUN_USER www-data
ENV APACHE_RUN_GROUP www-data
ENV APACHE_LOG_DIR /var/log/apache2

# Run Apache. Note that only the last CMD in a Dockerfile takes effect, so this
# line is overridden by the CMD below; Apache is started by hand in step 7d.
CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]

# Get a shell after you run the container.
CMD ["/bin/bash"]

4) When you purchased the Offline Content support contract from Cisco, you received the ipClient, ipServer and Certificate files. Locate the server side file 20200302-123456789_ipServer-v1.tar (or whatever your version string is) as you will need it for this to work.
a. Extract the tar file and edit the processUploads.pl script.
b. The sections below should be modified. For the $LOCAL_UPDATE_SERVER value, enter the IP address of your Docker container. This is usually 172.17.0.2 for the first container and increments by 1 for each container. Run the docker ps -a command to see how many containers are running (see the STATUS header). If it doesn't say Exited, it's running.

my $UPLOAD_PATH = "/cisco/offline/ipclient/transferPackage";
my $HTTPD_PATH = "/var/www/html";
my $LOCAL_UPDATE_SERVER = "your internal or private server IP or FQDN";
open(LOG, "/cisco/offline/ipclient/updater/logs/cleanup.log");

c. After you have edited the file, tar it back up using the same file name.

5) Move your files. Copy both files, 20200302-123456789_ipServer-v1.tar and /cisco/offline/ipclient/transferPackage/applications.tar (from the Public server), to the /home/<your username>/ciscooffct folder on your Docker server. It should look like this.
[admin@lab01 ciscooffct]$ pwd
/home/admin/ciscooffct

[admin@lab01 ciscooffct]$ ls -l
-rwxr-xr-x. 1 admin admin 28160 Nov 5 15:06 20200302-123456789_ipServer-v1.tar
-rwxr-x---. 1 admin admin 1123635200 Nov 5 16:45 applications.tar
-rw-rw-r--. 1 admin admin 2362 Nov 5 17:36 Dockerfile

6) On the Docker server, build the image. The image name is ciscooffct and the tag is ESA-SMA.

> docker build -t ciscooffct:ESA-SMA .

7) Run the image now that it has been built.

> docker run -ti -p 80:80 --name ciscooffct ciscooffct:ESA-SMA

a. You will notice that you have a new prompt inside the container.

root@d33c4054c299:/# df -h
Filesystem Size Used Avail Use% Mounted on
overlay 36G 27G 8.9G 75% /
tmpfs 64M 0 64M 0% /dev
tmpfs 3.8G 0 3.8G 0% /sys/fs/cgroup
shm 64M 0 64M 0% /dev/shm
/dev/mapper/centos_lab01-root 36G 27G 8.9G 75% /etc/hosts
tmpfs 3.8G 0 3.8G 0% /proc/asound
tmpfs 3.8G 0 3.8G 0% /proc/acpi
tmpfs 3.8G 0 3.8G 0% /proc/scsi
tmpfs 3.8G 0 3.8G 0% /sys/firmware

b. Open a new xterm or new xterm tab to get a prompt on the Docker host, not inside the container. On the Docker terminal, enter the command below to find the IP address of the container and ping it.

> docker exec ciscooffct cat /etc/hosts | grep 172
172.17.0.2 d33c4054c299

> ping 172.17.0.2

c. Next, get the running status of the container.

> docker ps -a | grep ciscooffct
d33c4054c299 ciscooffct:ESA-SMA "/bin/bash" 18 minutes ago Up 18 minutes 0.0.0.0:80->80/tcp, 443/tcp ciscooffct

d. Back in the container terminal (the one with the root@d33c4054c299:/# prompt), run the perl script and start Apache.
> cd /cisco/offline/ipServer/20200302-123456789_ipServer-v1

> perl processUploads.pl

> apachectl start

e. If you have one, launch a browser on your Docker server and test access to the update content. If not, simply launch a browser on another host and point it to the IP address of the Docker server (not the container).

8) Commit your changes and prepare the image for export. Keep the container running during this process.
a. Find the container ID (the first column of the docker ps output below).

> docker ps -a | grep cisco
42f04b35318a ciscooffct:ESA-SMA "/bin/bash" About a minute ago Up About a minute 0.0.0.0:80->80/tcp, 443/tcp ciscooffct

b. Commit your changes before saving the image. This captures the new content updates. For the "-a" value, just enter the name or initials of the person that committed the changes.

> docker commit -a "Slice2" 42f04b35318a ciscooffct:ESA-SMA
sha256:c2c51d8936a0f0fa3101057101df43e3fb0084ad017669fd20a97666634fa194

c. Save a copy of the image and increment the name by one using the v1 (v2, v3, etc.) method. Check the size of the file when done.

> docker save -o ciscooffctv1.tar ciscooffct:ESA-SMA
> du -h ciscooffctv1.tar
2.4G ciscooffctv1.tar

d. Transfer the file to the production Docker server on your internal (Private) network and place it in /tmp (or the location of your choice) and load it. Make sure the ownership/permissions on the .tar file are correct before you load it. Check with the Docker server admin and adjust accordingly with chown/chmod. By default, the .tar file is created with 0600 (rw-------).

> docker load < /tmp/ciscooffctv1.tar
Loaded image: ciscooffct:ESA-SMA

> docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
ciscooffct ESA-SMA c1c51d8936a0 22 minutes ago 2.5GB

Use the grep form if you have a lot of images:
> docker image ls | grep cisco
ciscooffct ESA-SMA c1c51d8936a0 23 hours ago 2.5GB

e. Start the Container using the incremented name (v1, etc.) so you know it's new, start apache in the Container terminal and verify that it's running.

> docker run -ti -p 80:80 --name ciscooffctv1 ciscooffct:ESA-SMA

root@8ef4161ddfc5:/# apachectl start
> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8ef4161ddfc5 ciscooffct:ESA-SMA "/bin/bash" 4 minutes ago Up 4 minutes 0.0.0.0:80->80/tcp, 443/tcp ciscooffctv1

9) Make sure your Cisco appliances are pointing to this Container (the Docker server IP). When done updating the ESA/SMA appliances (using the updatenow command on each ESA/SMA via ssh or serial terminal), stop the container and remove the image. The image is obsolete after updating because Cisco releases new Content Updates every 4 hours or so. There is no need to keep this image on the Docker server.

> docker stop ciscooffctv1
> docker rm ciscooffctv1

10) Consider a daily or weekly schedule for updates. The next time you need to update content on the appliances, simply move in a new applications.tar file from the Public offline content server and run steps 6, 7, 8 and 9. The distilled steps are:

Start of Public side:
a. Add the new applications.tar file to the working folder.
b. build
c. run
d. perl processUploads.pl and apachectl start
e. commit
f. save (burn ciscooffctv1.tar file to DVD, move to Private network)

Start of Private side:
g. load (check ownership/permissions before load)
h. run
i. apachectl start
j. updatenow (on the ESA/SMA)
k. stop
l. rm
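To make the Public-side steps b through f repeatable, here is an added helper script (not from the original post) that builds, runs, commits and saves the image, picks the next ciscooffctvN.tar name automatically and writes a SHA-256 sidecar so the Private side can verify the DVD copy before docker load. It assumes the working folder layout from step 5 and the extracted ipServer folder name from step 7d; the function names are my own.

```shell
#!/bin/sh
# Added helper for Public-side steps b through f (not from the original post).
# Assumes WORKDIR holds the Dockerfile, the ipServer tar and a fresh applications.tar.
set -eu
IMAGE="ciscooffct:ESA-SMA"
NAME="ciscooffct"

# Pick the next ciscooffctvN.tar name by scanning the export folder,
# so every saved image gets a unique, increasing version number.
next_export_name() {
    dir="$1"; max=0
    for f in "$dir"/ciscooffctv*.tar; do
        [ -e "$f" ] || continue
        n=${f##*/ciscooffctv}; n=${n%.tar}
        case "$n" in *[!0-9]*|'') continue ;; esac
        [ "$n" -gt "$max" ] && max=$n
    done
    echo "ciscooffctv$((max + 1)).tar"
}

# Refuse to build unless applications.tar is present and non-empty;
# a missing bundle would silently ship stale content to the appliances.
check_bundle() {
    [ -s "$1/applications.tar" ]
}

# Write a SHA-256 sidecar so the Private side can verify the DVD copy
# before running docker load.
write_checksum() {
    sha256sum "$1" > "$1.sha256"
}

# Steps b-f: build, run, process the uploads, commit, save.
run_pipeline() {
    workdir="$1"
    check_bundle "$workdir" || { echo "applications.tar missing or empty" >&2; return 1; }
    docker build -t "$IMAGE" "$workdir"
    # The Dockerfile's last CMD is /bin/bash, so -dit keeps the container up.
    docker run -dit -p 80:80 --name "$NAME" "$IMAGE"
    docker exec "$NAME" sh -c 'cd /cisco/offline/ipServer/20200302-123456789_ipServer-v1 && perl processUploads.pl'
    # Apache need not run here: commit captures the filesystem, not processes.
    docker commit -a "$(id -un)" "$NAME" "$IMAGE"
    out="$workdir/$(next_export_name "$workdir")"
    docker save -o "$out" "$IMAGE"
    write_checksum "$out"
    docker rm -f "$NAME"
    echo "$out"
}

if [ "$#" -eq 1 ]; then run_pipeline "$1"; fi
```

On the Private side, run sha256sum -c ciscooffctvN.tar.sha256 before docker load; a mismatch means the copy is corrupt or was altered in transit.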

HOWTO enable SSH on a Cisco ASA running 9.1.x

14 Saturday Nov 2015

Posted by Slice2 in Cisco


Tags: Security

# conf t
(config)# enable password <your password> encrypted

(config)# username <your username> password <your password> encrypted privilege 15

(config)# aaa authentication ssh console LOCAL

(config)# ssh <ip address> <netmask> inside

(config)# crypto key gen rsa gen mod 2048

(config)# ssh timeout 30

(config)# ssh version 2
