stop(kill -SIGSTOP) current running process and start(kill -SIGCONT) into another terminal – linux

We can use screen, tmux or nohup to run a process in the background.

But what can we do if the process is already running and we want to send it to the background?

We can use kill signals to achieve this.

kill -SIGSTOP PID 
kill -SIGCONT PID

SIGSTOP = pause the process
SIGCONT = continue the process

Here is an example.

sleep-loop.sh

#!/bin/bash
# Print a timestamp every 5 seconds so we can see whether the process is running
while true
do
    echo "running loop...$(date +%s)"
    sleep 5
done

You can close the 1st terminal after sending SIGCONT from another terminal, and you can also close the 2nd terminal, as the process is running in the background (kind of like nohup).

Other method, using the jobs commands

  1. Press CTRL + Z to pause the current process
  2. bg = send the job to the background
  3. disown %1

disown will remove the job from the job queue and keep it running in the background, so that we can close the terminal.

More – https://stackoverflow.com/questions/625409/how-do-i-put-an-already-running-process-under-nohup

CKA certification tips

  • Join the exam 20 min before it starts, as it will take time to verify your ID and place.
  • During the exam you will have access to http://kubernetes.com/docs
  • Every question shows its % weight, so you can take the high-weight questions first if they are not related to other questions.
  • Practice is very important. Complete mock testing at least 3-5 times.
  • Complete your training with KodeKloud with practice and mock test.
  • You can practice for the exam on killer.sh, which you get for free once you buy the CKA certification. 2 mock sessions are available, 36 hours each.
  • killer.sh questions are hard. I was able to complete around 20 in 2 hours.
  • Exam time is 2 hours as of 25th JAN 2022
  • There were 17 questions (there can be more than 17 also)
  • Exam result will be sent in 24 hours. (Exactly 24 hours 1 minute)

xargs understanding – linux

xargs passes the output (stdout) of the first command to the second command as arguments.

ls | xargs rm -f

This will remove all files listed by the ls command.

  • To understand properly what xargs is doing, use the -p flag. It's like a dry run: it prints the command and asks for confirmation before running it.
[root@lp-k8control-1 xargs]# ls
test  test2  test3
[root@lp-k8control-1 xargs]# ls | xargs -p rm -f
rm -f test test2 test3 ?...

flag -n1 = one at a time

[root@lp-k8control-1 xargs]# ls | xargs -p -n1 rm -f
rm -f test ?...

flag -I % = use % as a placeholder for the argument, to run multiple commands

[root@lp-k8control-1 xargs]# ls | xargs -p -n1 -I % /bin/bash -c 'ls %; ll %  '
/bin/bash -c ls test; ll test   ?...y
test
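
Because xargs splits its input on blanks and newlines, the ls | xargs rm -f pipeline above mishandles file names that contain spaces. The following is an added example (not from the original post) comparing it with a NUL-delimited pipeline; the file names and the temporary directory are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: every file lives in a throwaway mktemp directory.

# Create a scratch directory with three files, one containing a space.
make_demo_dir() {
    local d
    d=$(mktemp -d)
    touch "$d/test" "$d/test2" "$d/my notes.txt"
    echo "$d"
}

# Number of entries left in a directory.
count_files() {
    find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# The page's pipeline: xargs splits "my notes.txt" into "my" and "notes.txt",
# so rm -f silently skips the real file (and would delete a file named "my").
remaining_after_ls_xargs() {
    local d
    d=$(make_demo_dir)
    ( cd "$d" && ls | xargs rm -f )
    count_files "$d"
    rm -rf "$d"
}

# NUL-delimited variant: each name is exactly one argument, whatever it
# contains; "--" stops rm from treating a name as an option.
remaining_after_print0() {
    local d
    d=$(make_demo_dir)
    find "$d" -mindepth 1 -maxdepth 1 -type f -print0 | xargs -0 rm -f --
    count_files "$d"
    rm -rf "$d"
}

echo "left behind by ls | xargs rm -f:        $(remaining_after_ls_xargs)"
echo "left behind by find -print0 | xargs -0: $(remaining_after_print0)"
```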

More : https://flaviocopes.com/linux-command-xargs/

32 GB SD card issue

One of the issues that I faced with my Raspberry Pi 4 SD card: I removed it while it was in the Pi case, which broke the SD card chip in half internally.

Lesson: Always remove the SD card carefully.

I broke my 32 GB SD card while removing it from the Pi. I tried formatting with fdisk, mkfs.ext4 and Windows, but none of them worked.

I have attached a screenshot of fdisk /dev/sda where I have created 1 partition, but when I try to delete it, it gives the error No partition is defined yet!

https://i.stack.imgur.com/rRVNJ.png

Here is the lsblk output:

root@lp-arm-1:~# lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
loop0         7:0    0 88.1M  1 loop /snap/core/11803
loop1         7:1    0 48.9M  1 loop /snap/core18/2127
loop2         7:2    0   49M  1 loop /snap/core18/2248
loop3         7:3    0 57.4M  1 loop /snap/core20/1171
loop4         7:4    0 88.1M  1 loop /snap/core/11996
loop5         7:5    0 60.4M  1 loop /snap/lxd/21544
loop6         7:6    0 28.2M  1 loop /snap/snapd/13269
loop7         7:7    0 57.4M  1 loop /snap/core20/1084
loop8         7:8    0   62M  1 loop /snap/lxd/21032
loop9         7:9    0 28.2M  1 loop /snap/snapd/13643
sda           8:0    1 30.6M  0 disk
mmcblk0     179:0    0 59.7G  0 disk
├─mmcblk0p1 179:1    0  256M  0 part /boot/firmware
└─mmcblk0p2 179:2    0 59.4G  0 part /

Note: mmcblk0 is another working SD card

When I try to format it with Windows OS.


Integrating Jenkins login with Keycloak

  • Run Keycloak with docker-compose
version: '3'
services:
  postgres:
      image: postgres:9.6
      volumes:
        - /opt/postgres/:/var/lib/postgresql/data
      environment:
        POSTGRES_DB: keycloak_db
        POSTGRES_USER: keycloak_user
        POSTGRES_PASSWORD: password
  keycloak:
      image: quay.io/keycloak/keycloak:latest
      environment:
        DB_VENDOR: POSTGRES
        DB_ADDR: postgres
        DB_DATABASE: keycloak_db
        DB_USER: keycloak_user
        DB_SCHEMA: public
        DB_PASSWORD: password
        # Placeholder credentials: replace these (and the database password) before exposing port 8080
        KEYCLOAK_USER: admin
        KEYCLOAK_PASSWORD: admin
      ports:
        - 8080:8080
      depends_on:
        - postgres
  • Open Keycloak panel : http://192.168.0.184:8080 > add realm > Jenkins
  • Add client, Client > client-protocol=openid-connect > Root URL
  • Client > Jenkins-client > Installation > Keycloak OIDC JSON > Download

Note : Take a backup of /var/jenkins_home/config.xml, or take a snapshot if it’s a VM.

  • Manage Jenkins > Configure system > Global Keycloak Settings > add downloaded json data > Save
  • Manage Jenkins > Configure global security > Security Realm > Keycloak Authentication Plugin > Save and logout
  • Create users in the Keycloak realm “jenkins” and log in with a user (e.g. admin1)

More https://www.keycloak.org/getting-started/getting-started-docker

Custom Daemonset command based on host_ip in kubernetes

Why?
– When we need to add some extra functionality to a daemonset based on which worker node it’s running on

apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: custom-daemonset
  name: custom-daemonset
spec:
  selector:
    matchLabels:
      app: custom-daemonset
  template:
    metadata:
      labels:
        app: custom-daemonset
    spec:
      containers:
      - command:
        - /bin/bash
        - -c
        - |
          echo "$STARTUP_SCRIPT" > /tmp/STARTUP_SCRIPT.sh
          /bin/bash /tmp/STARTUP_SCRIPT.sh
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: STARTUP_SCRIPT
          value: |
            #!/bin/bash
            if [ "$HOST_IP" == "192.168.0.184" ]; then
              echo "HOST_IP is $HOST_IP"
            else
              echo "HOST_IP does not match $HOST_IP"
            fi
            sleep 600
        image: nginx
        imagePullPolicy: IfNotPresent
        name: custom-daemonset

Ref : https://github.com/kubernetes/kubernetes/issues/24657#issuecomment-577747926

AD integration with linux ssh login and sudo access

ad_join.sh

#!/bin/bash

# Check whether this host is already joined to a domain
if [[ $(realm list) != "" ]]
then
    echo "This server is already joined to domain."
    realm list | head -n 1
    exit
fi

# Use short user names (user instead of user@domain) and matching home directories
function update_sssd_config() {
    sed -i 's/use_fully_qualified_names = True/use_fully_qualified_names = False/g' /etc/sssd/sssd.conf
    sed -i 's|/home/%u@%d|/home/%u|g' /etc/sssd/sssd.conf
    systemctl restart sssd
}

# Allow SSH logins only for root and members of ssh-access-group.
# The marker line keeps the function from appending twice.
function restrict_ssh_access_group() {
    if ! grep -q "updated_by_ad_join" /etc/ssh/sshd_config
    then
        echo "###############updated_by_ad_join.sh###############" >> /etc/ssh/sshd_config
        echo "AllowGroups root ssh-access-group" >> /etc/ssh/sshd_config
        systemctl restart sshd
    fi
}

# Map AD groups to sudo command sets. The marker line keeps the function from appending twice.
# A malformed line in /etc/sudoers makes sudo unusable, so check the result with visudo -c.
# vi, nano and cat run as root can read or write any file, so level1 and level2
# grant more than the command list suggests.
function sudo_access_level_group() {
    if ! grep -q "updated_by_ad_join" /etc/sudoers
    then
        echo "###############updated_by_ad_join.sh###############" >> /etc/sudoers
        echo "Cmnd_Alias SUDO_ACCESS_LEVEL1 = /usr/bin/ls, /usr/bin/cat " >> /etc/sudoers
        echo "Cmnd_Alias SUDO_ACCESS_LEVEL2 = /usr/bin/vi, /usr/bin/nano " >> /etc/sudoers

        echo "%sudo-group-level1 ALL=(ALL) NOPASSWD: SUDO_ACCESS_LEVEL1"  >> /etc/sudoers
        echo "%sudo-group-level2 ALL=(ALL) NOPASSWD: SUDO_ACCESS_LEVEL2"  >> /etc/sudoers
        echo "%sudo-group-full-access ALL=(ALL) NOPASSWD: ALL"  >> /etc/sudoers
    fi
}

# Check OS: only RHEL-family distributions are handled
if grep -Eq "centos|redhat|fedora|rhel|oracle|rocky" /etc/os-release
then
    yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients  -y
    realm join -vvv --user=administrator ad.example.com

    # Call the functions
    update_sssd_config
    restrict_ssh_access_group
    sudo_access_level_group
fi
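
Appending to /etc/sudoers without a syntax check, as sudo_access_level_group does, can leave sudo unusable if a line is malformed. The following is an added example (not part of the original script) that writes the same rules to a drop-in file and installs it only after visudo -c accepts it; the function names, the drop-in name ad_join and the SUDOERS_DIR and VISUDO override variables are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: install the sudo rules as a validated drop-in file.
# Assumes /etc/sudoers includes /etc/sudoers.d (the default on RHEL-family systems).
# SUDOERS_DIR and VISUDO are hypothetical overrides so the flow can be tried
# outside /etc.
SUDOERS_DIR=${SUDOERS_DIR:-/etc/sudoers.d}
VISUDO=${VISUDO:-visudo}

# Emit the same rules the page's script appends to /etc/sudoers.
render_rules() {
    cat <<'EOF'
Cmnd_Alias SUDO_ACCESS_LEVEL1 = /usr/bin/ls, /usr/bin/cat
Cmnd_Alias SUDO_ACCESS_LEVEL2 = /usr/bin/vi, /usr/bin/nano
%sudo-group-level1 ALL=(ALL) NOPASSWD: SUDO_ACCESS_LEVEL1
%sudo-group-level2 ALL=(ALL) NOPASSWD: SUDO_ACCESS_LEVEL2
%sudo-group-full-access ALL=(ALL) NOPASSWD: ALL
EOF
}

# Validate a candidate file first; install it (mode 0440) only if it parses.
# sudo ignores drop-in files whose name contains "." or ends in "~".
install_sudoers_dropin() {
    local name="$1" tmp rc=0
    case $name in
        ''|*.*|*"~"|*/*) echo "bad drop-in name: $name" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    render_rules > "$tmp"
    if "$VISUDO" -cf "$tmp" >/dev/null 2>&1; then
        install -m 0440 "$tmp" "$SUDOERS_DIR/$name" || rc=1
    else
        echo "sudoers syntax check failed; nothing installed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (as root): install_sudoers_dropin ad_join
```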

Jenkins AD integration and access management

  • First take a backup of /var/jenkins_home/config.xml, or take a snapshot if it’s a VM.

Method 1: (all users have the same admin access)

  • Manage Jenkins > Configure Global Security > Active Directory
Domain name : example.com
Domain Controller : ad.example.com
Bind DN : [email protected]
Bind Password : <jenkins-svc-account password>

Note: You may need to apply the settings and then click on Test Domain.

Otherwise it will give the error: simple bind failed: ad.example.com:389

Also, the domain name (example.com) should be resolvable from the Jenkins host, or an entry should be in /etc/hosts

192.168.122.6 example.com

Method 2: Matrix-based security

Method 3: Role based strategy (pending)

AD user and jenkins screenshot for reference

  • Check ldap port in powershell
tnc example.com -port 389

Test-NetConnection -ComputerName example.com -Port 389

Build haskell static binary with docker

Why?
– Reduce attack surface
– Reduce docker image size

hola.hs

{-# LANGUAGE OverloadedStrings #-}
import Web.Scotty

import Data.Monoid (mconcat)

main = scotty 3000 $
    get "/:word" $ do
        beam <- param "word"
        html $ mconcat ["<h1>Scotty, ", beam, " me up!</h1>"]

alpine.Dockerfile

FROM haskell:8 AS build
WORKDIR /opt
RUN cabal update
RUN cabal install --lib scotty
COPY hola.hs .
#RUN ghc --make -threaded hola.hs  -o hola
RUN ghc --make -threaded -optl-static -optl-pthread hola.hs -o hola

FROM alpine:3.15.0
RUN addgroup -S group1 && adduser -S user1 -G group1
USER user1
WORKDIR /opt
COPY --from=build /opt/hola .
EXPOSE 3000
CMD ["/opt/hola"]

More on haskell static binary –