CKA certification tips

  • Join the exam 20 min before it starts, as verifying your ID and room takes time.
  • During the exam you will have access to http://kubernetes.com/docs
  • Every question shows its % weight, so you can take the high-weight questions first if they are not related to other questions.
  • Practice is very important. Complete mock tests at least 3-5 times.
  • Complete your training with KodeKloud, with practice and mock tests.
  • You can practice on killer.sh, which you get for free once you buy the CKA certification. 2 mock sessions are available, 36 hours each.
  • killer.sh questions are hard. I was able to complete around 20 in 2 hours.
  • Exam time is 2 hours as of 25th JAN 2022.
  • There were 17 questions (there can be more than 17 also).

  • Exam result will be sent in 24 hours (exactly 24 hours 1 minute).

xargs understanding – linux

xargs passes the output (stdout) of the first command to the second command as arguments.

ls | xargs rm -f 

This removes every file listed by the ls command.

  • To understand properly what xargs is doing, use the -p flag. It prompts before running each command, like a dry run.
[root@lp-k8control-1 xargs]# ls
test  test2  test3
[root@lp-k8control-1 xargs]# ls | xargs -p rm -f
rm -f test test2 test3 ?...

flag -n1 = pass one argument per command invocation

[root@lp-k8control-1 xargs]# ls | xargs -p -n1 rm -f
rm -f test ?...

flag -I % = replace % with each argument, which lets you run multiple commands per item

[root@lp-k8control-1 xargs]# ls | xargs -p -n1 -I % /bin/bash -c 'ls %; ll %  '
/bin/bash -c ls test; ll test   ?...y
test

More : https://flaviocopes.com/linux-command-xargs/
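
The `ls | xargs rm -f` form above silently misses filenames containing whitespace. The following is an added example, not part of the original note, showing that failure next to the NUL-delimited form (`find -print0 | xargs -0`) and the `-I %` per-item pattern; the scratch directory and file names are constructed for the example.

```sh
# Added example (not from the original note): why `ls | xargs rm -f` skips
# filenames with whitespace, and the NUL-delimited form that handles them.

# Build a throwaway directory with three empty files; "my file" has a space.
make_fixture() {
    dir=$(mktemp -d)
    : > "$dir/test"
    : > "$dir/test2"
    : > "$dir/my file"
    printf '%s\n' "$dir"
}

# Count regular files left in a directory (tr strips the padding BSD wc adds).
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Naive form from the note: xargs splits ls output on whitespace, so
# "my file" reaches rm as two names ("my" and "file") and survives.
naive_remove() {
    (cd "$1" && ls | xargs rm -f)
    count_files "$1"          # -> 1
}

# Safe form: find terminates each name with NUL and xargs -0 splits only on
# NUL, so names with spaces or newlines arrive as a single argument.
safe_remove() {
    find "$1" -type f -print0 | xargs -0 rm -f
    count_files "$1"          # -> 0
}

# -I % substitutes each NUL-delimited name into the command, one item at a
# time; sort -z buffers the whole list so files created by cp are not
# re-read while find is still walking the directory.
backup_each() {
    find "$1" -type f -print0 | sort -z | xargs -0 -I % cp -p % %.bak
    find "$1" -type f -name '*.bak' | wc -l | tr -d ' '   # -> 3
}
```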

32 GB SD card issue

One of the issues I faced with my Raspberry Pi 4 was its SD card. I removed it while it was still in the Pi case, which broke the SD card's chip in half internally.

Lesson : Always remove the SD carefully.

I broke my 32 GB SD card while removing it from the Pi. I tried formatting it with fdisk, mkfs.ext4 and Windows, but none of them worked.

I have attached a screenshot of fdisk /dev/sda where I created 1 partition, but when I try to delete it, it gives the error: No partition is defined yet!

https://i.stack.imgur.com/rRVNJ.png

Here is the lsblk output:

root@lp-arm-1:~# lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
loop0         7:0    0 88.1M  1 loop /snap/core/11803
loop1         7:1    0 48.9M  1 loop /snap/core18/2127
loop2         7:2    0   49M  1 loop /snap/core18/2248
loop3         7:3    0 57.4M  1 loop /snap/core20/1171
loop4         7:4    0 88.1M  1 loop /snap/core/11996
loop5         7:5    0 60.4M  1 loop /snap/lxd/21544
loop6         7:6    0 28.2M  1 loop /snap/snapd/13269
loop7         7:7    0 57.4M  1 loop /snap/core20/1084
loop8         7:8    0   62M  1 loop /snap/lxd/21032
loop9         7:9    0 28.2M  1 loop /snap/snapd/13643
sda           8:0    1 30.6M  0 disk
mmcblk0     179:0    0 59.7G  0 disk
├─mmcblk0p1 179:1    0  256M  0 part /boot/firmware
└─mmcblk0p2 179:2    0 59.4G  0 part /

Note: mmcblk0 is another working SD card

When trying to format it with Windows OS (screenshot: windows, not reproduced here).

Integrating Jenkins login with Keycloak

  • Run Keycloak with docker-compose
version: '3'
services:
  postgres:
      image: postgres:9.6
      volumes:
        - /opt/postgres/:/var/lib/postgresql/data
      environment:
        POSTGRES_DB: keycloak_db
        POSTGRES_USER: keycloak_user
        POSTGRES_PASSWORD: password
  keycloak:
      image: quay.io/keycloak/keycloak:latest
      environment:
        DB_VENDOR: POSTGRES
        DB_ADDR: postgres
        DB_DATABASE: keycloak_db
        DB_USER: keycloak_user
        DB_SCHEMA: public
        DB_PASSWORD: password
        KEYCLOAK_USER: admin
        KEYCLOAK_PASSWORD: admin
      ports:
        - 8080:8080
      depends_on:
        - postgres
  • Open the Keycloak panel: http://192.168.0.184:8080 > Add realm > Jenkins
  • Add a client: Clients > client-protocol=openid-connect > Root URL
  • Clients > Jenkins-client > Installation > Keycloak OIDC JSON > Download

Note : Take a backup of /var/jenkins_home/config.xml, or take a snapshot if it's a VM.

  • Manage Jenkins > Configure System > Global Keycloak Settings > paste the downloaded JSON > Save
  • Manage Jenkins > Configure Global Security > Security Realm > Keycloak Authentication Plugin > Save and log out
  • Create users in the Keycloak realm "jenkins" and log in with one of them (e.g. admin1)

More https://www.keycloak.org/getting-started/getting-started-docker

Custom Daemonset command based on host_ip in kubernetes

Why?
– When we need to add some extra functionality to a DaemonSet depending on which worker node it is running on

apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: custom-daemonset
  name: custom-daemonset
spec:
  selector:
    matchLabels:
      app: custom-daemonset
  template:
    metadata:
      labels:
        app: custom-daemonset
    spec:
      containers:
      - command:
        - /bin/bash
        - -c
        - |
          echo "$STARTUP_SCRIPT" > /tmp/STARTUP_SCRIPT.sh
          /bin/bash /tmp/STARTUP_SCRIPT.sh
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: STARTUP_SCRIPT
          value: |
            #!/bin/bash
            if [ "$HOST_IP" == "192.168.0.184" ]; then
              echo "HOST_IP is $HOST_IP"
            else
              echo "HOST_IP does not match $HOST_IP"
            fi
            sleep 600
        image: nginx
        imagePullPolicy: IfNotPresent
        name: custom-daemonset

Ref : https://github.com/kubernetes/kubernetes/issues/24657#issuecomment-577747926
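
The per-node branch in STARTUP_SCRIPT above, as an added example that is not part of the original manifest: it generalises the single-IP check to several node roles with `case` patterns and handles an empty HOST_IP (an unquoted empty variable turns `[ $HOST_IP == ... ]` into a syntax error). The IP ranges and role names are constructed for the example; the fail-fast behaviour on an unknown host is this example's choice, not the manifest's.

```sh
# Added example (not from the original manifest): map status.hostIP from the
# Downward API to a node role, tolerating an unset value.

# Return a role for the node IP passed as $1. A case statement never breaks on
# an empty or missing value, unlike the unquoted [ $HOST_IP == ... ] test.
node_role() {
    case "${1:-}" in
        "")                 echo "unknown" ;;        # Downward API value missing
        192.168.0.184)      echo "control-plane" ;;  # the node from the manifest
        192.168.0.18[5-9])  echo "worker" ;;         # constructed worker range
        192.168.0.*)        echo "worker-spare" ;;   # rest of the cluster subnet
        *)                  echo "foreign" ;;        # not in the cluster subnet
    esac
}

# Choose the startup action for the node. Returning non-zero makes the
# container exit, so the DaemonSet pod surfaces the problem as a restart
# instead of idling in `sleep 600` on a host it does not recognise.
startup_action() {
    role=$(node_role "$1")
    case "$role" in
        control-plane) echo "run control-plane extras on $1" ;;
        worker*)       echo "run worker extras on $1" ;;
        *)             echo "refusing to start: HOST_IP='${1:-}' ($role)" >&2; return 1 ;;
    esac
}

# Inside the pod this would be: startup_action "$HOST_IP"
```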

AD integration with linux ssh login and sudo access

ad_join.sh

#!/bin/bash

# Exit early if this host is already joined to a domain. The command lookup
# keeps the script working on a fresh host where realmd is not installed yet.
if command -v realm >/dev/null 2>&1 && [[ -n "$(realm list)" ]]
then
    echo "This server is already joined to domain."
    realm list | head -n 1
    exit 0
fi

# Log in with short names (user instead of user@domain) and plain /home/<user> dirs.
function update_sssd_config() {
    sed -i 's/use_fully_qualified_names = True/use_fully_qualified_names = False/g' /etc/sssd/sssd.conf
    sed -i 's|/home/%u@%d|/home/%u|g' /etc/sssd/sssd.conf
    systemctl restart sssd
}

# Limit SSH logins to root and the AD group ssh-access-group.
# The marker line makes the function idempotent on repeated runs.
function restrict_ssh_access_group() {
    if ! grep -q "updated_by_ad_join" /etc/ssh/sshd_config
    then
        echo "###############updated_by_ad_join.sh###############" >> /etc/ssh/sshd_config
        echo "AllowGroups root ssh-access-group" >> /etc/ssh/sshd_config
        # Validate the config before restarting so a bad line cannot lock out SSH.
        sshd -t && systemctl restart sshd
    fi
}

# Tiered sudo rules for AD groups. Written as a drop-in (RHEL's default
# /etc/sudoers has #includedir /etc/sudoers.d) and checked with visudo so a
# syntax error cannot break sudo for every user on the host.
function sudo_access_level_group() {
    local dropin=/etc/sudoers.d/ad_join
    if ! grep -qs "updated_by_ad_join" "$dropin"
    then
        cat > "$dropin" <<'EOF'
###############updated_by_ad_join.sh###############
Cmnd_Alias SUDO_ACCESS_LEVEL1 = /usr/bin/ls, /usr/bin/cat
Cmnd_Alias SUDO_ACCESS_LEVEL2 = /usr/bin/vi, /usr/bin/nano
%sudo-group-level1 ALL=(ALL) NOPASSWD: SUDO_ACCESS_LEVEL1
%sudo-group-level2 ALL=(ALL) NOPASSWD: SUDO_ACCESS_LEVEL2
%sudo-group-full-access ALL=(ALL) NOPASSWD: ALL
EOF
        chmod 0440 "$dropin"
        # Remove the drop-in again if visudo rejects it.
        visudo -cf "$dropin" || rm -f "$dropin"
    fi
}

# Check the OS: only the RHEL family is handled here.
if grep -Eq "centos|redhat|fedora|rhel|oracle|rocky" /etc/os-release
then
    yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients -y
    realm join -vvv --user=administrator ad.example.com

    # Call the functions.
    update_sssd_config
    restrict_ssh_access_group
    sudo_access_level_group
fi

Jenkins AD integration and access management

  • First take a backup of /var/jenkins_home/config.xml, or take a snapshot if it's a VM.

Method 1: (all users have the same admin access)

  • Manage Jenkins > Configure Global Security > Active Directory
Domain Name : example.com
Domain Controller : ad.example.com
Bind DN : jenkins-svc-account@example.com
Bind Password : <jenkins-svc-account password>

Note: You may need to apply the settings first and then click Test Domain.

Otherwise it gives the error: simple bind failed: ad.example.com:389

Also, the domain name (example.com) must resolve from the Jenkins host, or an entry must be added to /etc/hosts:

192.168.122.6 example.com

Method 2: Matrix-based security

Method 3: Role-based strategy (pending)

AD user and jenkins screenshot for reference

  • Check the LDAP port from PowerShell (tnc is the alias of Test-NetConnection)
tnc example.com -port 389

Test-NetConnection -ComputerName example.com -Port 389

Build haskell static binary with docker

Why?
– Reduce the attack surface
– Reduce the docker image size

hola.hs

{-# LANGUAGE OverloadedStrings #-}
import Web.Scotty

import Data.Monoid (mconcat)

main = scotty 3000 $
    get "/:word" $ do
        beam <- param "word"
        html $ mconcat ["<h1>Scotty, ", beam, " me up!</h1>"]

alpine.Dockerfile

FROM haskell:8 AS build
WORKDIR /opt
RUN cabal update
RUN cabal install --lib scotty
COPY hola.hs .
#RUN ghc --make -threaded hola.hs  -o hola
RUN ghc --make -threaded -optl-static -optl-pthread hola.hs -o hola

FROM alpine:3.15.0
RUN addgroup -S group1 && adduser -S user1 -G group1
USER user1
WORKDIR /opt
COPY --from=build /opt/hola .
EXPOSE 3000
CMD ["/opt/hola"]

More on haskell static binary –