Mithril sync cardano mainnet

  • Download the binary
wget https://github.com/input-output-hk/mithril/releases/download/2331.1/mithril-2331.1-linux-x64.tar.gz

tar -xzf mithril-2331.1-linux-x64.tar.gz

chmod +x *
  • Set the environment variables
export NETWORK=mainnet

export AGGREGATOR_ENDPOINT=https://aggregator.release-mainnet.api.mithril.network/aggregator

export GENESIS_VERIFICATION_KEY=5b3139312c36362c3134302c3138352c3133382c31312c3233372c3230372c3235302c3134342c32372c322c3138382c33302c31322c38312c3135352c3230342c31302c3137392c37352c32332c3133382c3139362c3231372c352c31342c32302c35372c37392c33392c3137365d

mithril-client snapshot list


mithril-client snapshot download 87122ee3415112a1d2b215003e134652dd0ebf8f7588db8a0745336b9b249d4e

More : https://mithril.network/doc/manual/getting-started/bootstrap-cardano-node

python check palindrome fast way

import sys

arg = sys.argv[1]
arg_length = len(sys.argv[1])

print("arg_length: ",arg_length)

def palindrome(arg, arg_length):
    for i in range(0,int(arg_length/2)): # for checking half string
        if arg[i] != arg[arg_length-i-1]:
            return False
    return True

print(palindrome(arg, arg_length))

Output:

[home@fedora ~]$ python3 palidrom.py 11211
arg_length:  5
True
[home@fedora ~]$ python3 palidrom.py noon
arg_length:  4
True
[home@fedora ~]$ python3 palidrom.py qwerty
arg_length:  6
False

kubernetes deployment scale up/down with bash

Scale down deployments on the weekend:

####scale down####
namespaces="test,test2"
IFS=","

for namespace in $namespaces
do
    deployments=$(kubectl get deploy -n $namespace | grep -v '0/0' | awk '{print $1}' | sed 1d | tr '\n' ' ')
    IFS=" "
    for deploy in $deployments
    do
        replicas="$(kubectl get deploy $deploy -o=custom-columns='REPLICAS:spec.replicas' -n $namespace | sed 1d | tr '\n' ' ')"
        echo "namespace: $namespace deploy: $deploy replicas: $replicas"
        kubectl label deploy $deploy weekdays-replicas=$replicas -n $namespace --overwrite=true
        # Scale the Deployment (the loop iterates over `kubectl get deploy`, not StatefulSets)
        kubectl scale --replicas=0 deployment "$deploy" -n "$namespace" || true
    done
done

scale-up:

####scale up####
namespaces="test,test2"
IFS=","
for namespace in $namespaces
do
    deployments=$(kubectl get deploy -n $namespace | awk '{print $1}' | sed 1d | tr '\n' ' ')
    IFS=" "
    for deploy in $deployments
    do
        replicas="$(kubectl get deploy $deploy -o=custom-columns='REPLICAS:metadata.labels.weekdays-replicas' -n $namespace | sed 1d | tr '\n' ' ')"
        # Dry run: prints the command; remove the echo wrapper to apply it
        echo "kubectl scale --replicas=$replicas deployment $deploy -n $namespace || true"
    done
done

wordpress proxy with nginx

Error:

Mixed Content: The page at '' was loaded over HTTPS, but requested an insecure stylesheet ''. This request has been blocked; the content must be served over HTTPS.

  • Install nginx; WordPress listens on $IP_ADDRESS:8080 (docker-compose below)
version: '3.1'

services:
  wordpress:
    image: wordpress:6.2.0
    restart: always
    ports:
      - 8080:80
    volumes:
      - ./wordpress:/var/www/html

  db:
    image: mysql:5.7.39
    restart: always
    ports:
      - 3310:3306
    environment:
      MYSQL_ROOT_PASSWORD: root
    volumes:
      - ./mysql:/var/lib/mysql
  • Update the site URL to https://test.example.com in the WordPress admin panel
  • update wp-config.php

define('FORCE_SSL_ADMIN', true);
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && strpos( $_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false ) {
$_SERVER['HTTPS'] = 'on';
}

  • nginx config in /etc/nginx/conf.d/test.example.conf
server {
    server_name test.example.com;
    location / {
        proxy_pass http://10.209.229.54:8080/; 
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_read_timeout    90;
        proxy_connect_timeout 90;
        proxy_redirect        off;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Proxy "";
    }

    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;

}

server {
    if ($host = test.example.com) {
        return 301 https://$host$request_uri;
    }
    server_name test.example.com;
    listen 80;
    return 404;
}


On demand ecs fargate as Jenkins worker node

  • Create separate ECS Fargate templates for different kinds of workload.
  • Tag the resources properly so that costs can be attributed correctly.

Docker with TLS:

###### server
dockerd \
    --tlsverify \
    --tlscacert=ca.pem \
    --tlscert=server-cert.pem \
    --tlskey=server-key.pem \
    -H=0.0.0.0:2376

##### client
docker --tlsverify \
    --tlscacert=ca.pem \
    --tlscert=cert.pem \
    --tlskey=key.pem \
    -H=$HOST:2376 version

##### secure by default
mkdir -pv ~/.docker
cp -v {ca,cert,key}.pem ~/.docker
export DOCKER_HOST=tcp://$HOST:2376 DOCKER_TLS_VERIFY=1


##### make sure to have correct host/DNS name while creating the server cert
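
One way to produce the certificate files used above, with the daemon's DNS name and IP in the server certificate's subjectAltName. This is an added example, not from the original post; the host name docker.example.internal, the address 192.0.2.10 and the function names are placeholders.

```shell
#!/bin/sh
# Added example: private CA, server cert with SAN entries, client cert.
# Output file names match the dockerd/docker flags shown above.
set -eu

make_docker_certs() {     # $1 = output dir, $2 = DNS name, $3 = IP address
    (
        cd "$1"
        # Private CA; ca-key.pem signs both certificates below.
        openssl genrsa -out ca-key.pem 2048
        openssl req -new -x509 -days 365 -sha256 -key ca-key.pem \
            -subj "/CN=docker-ca" -out ca.pem
        # Server certificate: clients using --tlsverify match the SAN entries.
        openssl genrsa -out server-key.pem 2048
        openssl req -new -sha256 -key server-key.pem -subj "/CN=$2" -out server.csr
        printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
            "$2" "$3" > server.cnf
        openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -extfile server.cnf -out server-cert.pem
        # Client certificate, restricted to client authentication.
        openssl genrsa -out key.pem 2048
        openssl req -new -sha256 -key key.pem -subj "/CN=client" -out client.csr
        printf 'extendedKeyUsage = clientAuth\n' > client.cnf
        openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -extfile client.cnf -out cert.pem
        chmod 0400 ca-key.pem server-key.pem key.pem
        rm -f server.csr client.csr server.cnf client.cnf
    )
}

cert_matches() {          # $1 = certificate, $2 = host|ip, $3 = value clients dial
    openssl x509 -in "$1" -noout "-check$2" "$3" | grep -q 'does match'
}

# Demo in a throwaway directory (placeholder name and address).
dir=$(mktemp -d)
make_docker_certs "$dir" docker.example.internal 192.0.2.10
openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" "$dir/cert.pem"
cert_matches "$dir/server-cert.pem" host docker.example.internal && echo "SAN covers the DNS name"
cert_matches "$dir/server-cert.pem" ip 192.0.2.10 && echo "SAN covers the IP address"
rm -rf "$dir"
```

Run `cert_matches` against the exact value that goes into `$HOST` or `DOCKER_HOST`; a client with `--tlsverify` rejects the daemon when that value is missing from the SAN list.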

Read the secrets data from etcd of kubernetes

  • Find the etcd process ID
ps -ef | grep etcd
  • Go to the fd directory of the etcd process
cd /proc/2626577/fd   # 2626577 is the etcd PID from the previous step
  • List the files and look for /var/lib/etcd/member/snap/db
ls -ltr | grep db
  • Read any secret that a user has created in Kubernetes
#create secret

kubectl create secret generic secret1 --from-literal=secretname=helloworld

#read secret directly from etcd

cat /var/lib/etcd/member/snap/db | strings | grep secret1 -C 10

Encrypting Secret Data at Rest https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/

https://jonathan18186.medium.com/certified-kubernetes-security-specialist-cks-preparation-part-8-runtime-security-system-9f705872c17
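
A check that goes with the encryption-at-rest link above, as an added example that is not part of the original post: it classifies a raw etcd value as plaintext or provider-encrypted from its prefix and tests whether the secret literal is still readable. Both sample values are constructed, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: decide whether a value copied out of etcd was written in
# plaintext or through an encryption-at-rest provider.
# kube-apiserver writes encrypted values as "k8s:enc:<provider>:v1:<key>:<data>";
# unencrypted values are protobuf starting with "k8s" and a NUL byte.
# Fetch a real value on a control-plane node with etcdctl (plus its TLS flags):
#   ETCDCTL_API=3 etcdctl get /registry/secrets/default/secret1 --print-value-only > value.bin

classify_etcd_value() {   # $1 = file holding one raw etcd value
    # Keep printable header bytes only, so NULs cannot upset the shell.
    header=$(head -c 48 "$1" | LC_ALL=C tr -cd '[:print:]')
    case "$header" in
        k8s:enc:*) echo "encrypted:$(printf '%s' "$header" | cut -d: -f3)" ;;
        k8s*)      echo "plaintext" ;;
        *)         echo "unknown" ;;
    esac
}

leaks_literal() {         # $1 = file, $2 = secret value to look for
    # Same idea as `strings | grep`: drop non-printable bytes, then search.
    LC_ALL=C tr -cd '[:print:]\n' < "$1" | grep -qF -- "$2"
}

make_samples() {          # $1 = directory; both values are constructed
    printf 'k8s\000\n\014\n\002v1\022\006Secret\022\030\n\nsecretname\022\nhelloworld' > "$1/plain.bin"
    printf 'k8s:enc:aescbc:v1:key1:\263\021\372\007\356\220\101\177\232\005' > "$1/enc.bin"
}

report() {                # $1 = file, $2 = literal that should not be readable
    state=$(classify_etcd_value "$1")
    if leaks_literal "$1" "$2"; then
        echo "$state,literal-visible"
    else
        echo "$state,literal-hidden"
    fi
}

dir=$(mktemp -d)
make_samples "$dir"
report "$dir/plain.bin" helloworld
report "$dir/enc.bin" helloworld
rm -rf "$dir"
```

Secrets written before encryption was enabled stay in plaintext until they are rewritten, so run the check per secret rather than once per cluster.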

CKS Practice questions 2023

  • Create runtimeclass named sandboxed with handler runsc and run new pod using runtime as sandboxed with image nginx.
  • Set min TLS version to VersionTLS12 and cipher to TLS_AES_128_GCM_SHA256 for the kubelet and kube-apiserver
  • etcd with --cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Node authorization to minimize the cluster role, and remove clusterrole and anonymous access.
  • ImagePolicyWebhook with default deny add correct app endpoint url in kubeconfig file
  • auditing with maxage=10, rotate=5
  • falco runtime format %evt,%user.name,%user.id,%proc.name
  • network policy default deny, pod with name and namespace selector
  • create a service account, bind it with a role/clusterrole binding, create a pod, and delete unused service accounts
  • create a secret and mount to pod with readonly
  • Create service account with automounttoken off
  • create a pod with /root/profile using apparmor. podname=xyz, image=nginx
  • analyse 2 issues in Dockerfile and Deployment file
  • scan image with trivy and delete critical severity pod
  • fix kube-bench report for kube-api, kubelet, kube-controller
  • Upgrade k8 cluster from 1.25.4 to 1.26.0