omniverse A Few Thoughts About Research and Development

Spring clean all your git repos

Often we have a lot of git working copies at the machine. They can be old and with a lot unneeded git objects. They could be mass-cleaned to save inodes, optimize speed and lighten backups.

To ease cleaning let’s write a simple script with gc, pack and prune. Remember, gc --aggressive is misleading.

Let’s count how much objects are in all our git repositories:

(find . -name .git -type d -not -path '*exclude*' | xargs -L1 find ) | wc -l

Then use the script to mass-clean all repositories:

find . -name .git -not -path '*exclude*' | xargs -L1 -t gitcleanup.sh

And finally count again with the first one-liner.

For me this simple spring clean reduces git objects from 38631 to 7050.

How to make a network quarantine with firewalld

Surely it is not about reinventing a wheel but a short how-to about commands I cannot remember every time.

Sometimes it is needed to make a fully quarantined machine without incoming and outgoing network access, just with SSH connection from the local network. It can be achieved with a few firewalld / iptables commands.

RHEL 7 and CentOS 7 switched from a lot of well-known command line tools such as sysvinit, netstat, ipconfig to newer technologies (literally - systemctl, journalctl, ss, ip). Using iptables directly is not recommended too due to introducing the firewalld. Best tutorial I found is found at Digital Ocean. Native firewalld zones do no allow outgoing traffic filtering so it is needed to add “direct” rules which are clearly iptables rules. There are also Rich rules but I have not tried them yet.

So let’s assume you are in network 192.168.1.0/255. To filter limit outgoing traffic only to IPv4 SSH connections to local network run as root:

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --sport=22 -s 192.168.1.0/16 -d 192.168.1.0/16 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport=22 -s 192.168.1.0/16 -d 192.168.1.0/16 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 98 -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 99 -j DROP

Then reload the firewalld:

firewall-cmd --reload

Rules are saved permanently at /etc/firewalld/direct.xml. Check the list of loaded rules:

firewall-cmd --direct --get-all-rules

To remove all direct rules run:

firewall-cmd --direct --remove-rules ipv4 filter OUTPUT
firewall-cmd --direct --remove-rules ipv6 filter OUTPUT
firewall-cmd --reload