- Linux – installation of different distro with lvm, encrypted lvm, plain
- Shell scripting – auto-restart job, sed, awk
- Docker – jenkins setup, wordpress setup with persistent volume
- kubernetes – cluster setup, deployment
haproxy context-based (path) routing
http://192.168.0.228:8080/app1 => http://192.168.0.228:8081
http://192.168.0.228:8080/app2 => http://192.168.0.228:8082
haproxy.cfg
# Route one listener (:8080) to two backends by request path.
global
# run in the background; cap the process-wide connection count
daemon
maxconn 256
# defaults apply to every frontend and backend below
defaults
timeout connect 10s
timeout client 30s
timeout server 30s
mode http
maxconn 3000
frontend http_in
bind *:8080
# "path" is an exact match: only "/app1" itself selects app1_backend. A request
# for "/app1/x" matches neither rule and, with no default_backend configured,
# is answered with a 503. Use path_beg if prefix routing is intended (the
# regsub below already handles the "/app1/..." form).
use_backend app1_backend if { path /app1 }
use_backend app2_backend if { path /app2 }
backend app1_backend
# strip the /app1 prefix (and an optional trailing slash) before forwarding
http-request set-path %[path,regsub(^/app1/?,/)]
# no "check" keyword: HAProxy does not health-check this server
server server1 192.168.0.228:8081
backend app2_backend
# same prefix strip for /app2
http-request set-path %[path,regsub(^/app2/?,/)]
server server1 192.168.0.228:8082
more : https://grafana.com/tutorials/run-grafana-behind-a-proxy/#configure-haproxy
renew kube-apiserver certs in kubernetes
# List the expiry date of every kubeadm-managed certificate (run on a
# control-plane node).
kubeadm certs check-expiration
# Renew all of them. The control-plane components keep the old certs loaded
# until they are restarted, hence the restart note below.
kubeadm certs renew all
error : x509: certificate has expired or is not yet valid
Note: move /etc/kubernetes/admin.conf to /root/.kube/config and restart the control-plane node and the worker nodes so they pick up the renewed certs
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/
Expose localhost to public URL – localtunnel
# localtunnel client (needs node/npm).
npm install -g localtunnel
# Publish local port 8000 on a random public URL. Whatever listens on 8000 is
# then reachable by anyone holding that URL; localtunnel adds no authentication.
lt --port 8000
# Ask for a fixed subdomain instead of a random one (only honoured if it is free).
lt --port 8000 --subdomain piserver

https://github.com/localtunnel/localtunnel
Alternative – https://ngrok.com/
Clamav antivirus scan in CICD – Jenkins
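#install clamav (the package comes from EPEL on CentOS 7). The original ran
# `yum install clamav` without -y, which stalls a non-interactive Jenkins job
# on the confirmation prompt.
yum -y install epel-release
yum -y install clamav
#update clamav signatures before scanning; freshclam exits non-zero when the
# mirror cannot be reached, which should fail the job rather than scan with
# stale signatures
/usr/bin/freshclam
#scan clamav: -r recurses, --infected prints only the hits. clamscan exits 0
# when clean, 1 when something is infected and 2 on error, so under Jenkins'
# default `sh -xe` shell step a detection fails the stage.
clamscan -r --infected /tmp/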
more : https://www.hostinger.in/tutorials/how-to-install-clamav-centos7
raspberry pi as kubernetes worker node
- Install docker
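# Prerequisites for fetching the Docker apt repo over HTTPS. sudo is used
# consistently: the original ran apt-get without it while gpg/tee used it,
# which only works from a root shell. -y keeps the step non-interactive.
sudo apt-get install -y \
  apt-transport-https \
  ca-certificates \
  curl \
  gnupg \
  lsb-release
# Docker's signing key goes into a dedicated keyring that the apt source below
# references with signed-by=, so the key only verifies this one repo.
# -f makes curl fail on an HTTP error instead of piping an error page into gpg.
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
# arch=arm64 matches the 64-bit Raspberry Pi image; $(lsb_release -cs) supplies
# the release codename.
echo "deb [arch=arm64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
  | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io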
https://docs.docker.com/engine/install/ubuntu/
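# NOTE: the original first step was `echo 'cgroup_memory=1' > /boot/cmdline.txt`.
# That truncates the kernel command line to a single token (the Pi will not
# boot) and targets the wrong file on Ubuntu; the sed further down appends the
# same flag to /boot/firmware/cmdline.txt instead, so that line is dropped.
#
# Docker daemon config: systemd cgroup driver (kubelet is told to use the same
# one later), bounded json-file logs, overlay2 storage. Written via sudo tee so
# it works from a non-root shell; mkdir -p because /etc/docker may not exist
# before the first daemon start.
sudo mkdir -p /etc/docker
cat <<'EOF' | sudo tee /etc/docker/daemon.json > /dev/null
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2"
}
EOF
# Enable the cgroup controllers kubelet needs. cmdline.txt is a single line, so
# the flags are appended to it; the grep guard keeps this idempotent (running
# the note twice would otherwise duplicate the flags).
if ! grep -q 'cgroup_enable=memory' /boot/firmware/cmdline.txt; then
  sudo sed -i '$ s/$/ cgroup_enable=cpuset cgroup_enable=memory cgroup_memory=1 swapaccount=1/' /boot/firmware/cmdline.txt
fi
# Let iptables see bridged traffic (needed by most CNI plugins). The
# net.bridge.* keys only exist once br_netfilter is loaded; without it
# sysctl --system reports the keys as missing and the setting is silently lost.
sudo modprobe br_netfilter
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sudo sysctl --system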
- Install kubernetes components
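# Kubernetes apt repo. The original used `apt-key add`, which is deprecated and
# makes the key trusted for every configured repo; a dedicated keyring with
# signed-by= (the same pattern as the Docker repo above) limits it to this
# source. -f makes curl fail loudly instead of writing an HTTP error page into
# the keyring, which -s alone would hide.
curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg \
  | sudo gpg --dearmor -o /usr/share/keyrings/kubernetes-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" \
  | sudo tee /etc/apt/sources.list.d/kubernetes.list > /dev/null
# sudo on both halves: the original ran `apt update` unprivileged.
sudo apt-get update && sudo apt-get install -y kubelet kubeadm kubectl
# Hold the packages so an unattended upgrade cannot move kubelet to a version
# the control plane does not support.
sudo apt-mark hold kubelet kubeadm kubectl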
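# Replace the kubeadm kubelet drop-in to add --cgroup-driver=systemd (matching
# Docker's native.cgroupdriver=systemd). A quoted heredoc keeps the $KUBELET_*
# references literal for systemd to expand, and sudo tee makes the write work
# from a non-root shell (the original plain redirect needs a root shell).
# The drop-in text itself says user overrides belong in /etc/default/kubelet:
# `KUBELET_EXTRA_ARGS=--cgroup-driver=systemd` there achieves the same result
# without replacing a package-managed file.
sudo mkdir -p /etc/systemd/system/kubelet.service.d
cat <<'EOF' | sudo tee /etc/systemd/system/kubelet.service.d/10-kubeadm.conf > /dev/null
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --cgroup-driver=systemd"
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
EnvironmentFile=-/etc/default/kubelet
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
EOF
# Pick up the edited unit and restart kubelet with the new driver flag.
sudo systemctl daemon-reload
sudo systemctl restart kubelet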
OWASP ZAP proxy scanner
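# Full (spider + active) ZAP scan of the API from the ZAP container. /tmp/zap
# is mounted as the container's work dir, so the -g config and -r report land
# there. The original report name, "https://api.photo.initedit.com".html,
# contains "://" and is treated as a nested path under /zap/wrk that does not
# exist, so no report is written; a plain file name fixes that. --rm avoids
# leaving a stopped container behind after every CI run.
docker run --rm -v /tmp/zap:/zap/wrk -t owasp/zap2docker-stable zap-full-scan.py -t "https://api.photo.initedit.com" -g gen.conf -r api-report.html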
falco runtime security
https://falco.org/docs/getting-started/installation/
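# Trust the falcosecurity repo signing key, then fetch the repo definition.
# -f makes curl fail on an HTTP error instead of saving an error page as the
# .repo file; the original -s alone hides that failure.
rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc
curl -fsSL -o /etc/yum.repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo
yum -y install falco
#load falco driver (builds or downloads the kernel module for the running kernel)
falco-driver-loader
# confirm the module is loaded
lsmod | grep falco
modprobe falco-probe
#run falco in the foreground; alerts print to stdout
falco
# adduser will show alert message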
trivy docker image scanner in CI
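# Scan the nginx image with trivy. Mounting the Docker socket gives the
# container full control of the host daemon (root-equivalent), so keep this on
# a dedicated CI runner; the cache mount avoids re-downloading the vulnerability
# DB on every run. As written in the original the command never fails the
# build: --exit-code 1 together with --severity makes trivy return non-zero on
# HIGH/CRITICAL findings, so the pipeline stage actually gates on them.
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v /root/trivy-cache:/root/.cache/ aquasec/trivy:0.18.3 image -f json --exit-code 1 --severity HIGH,CRITICAL nginx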
https://aquasecurity.github.io/trivy/v0.18.3/examples/report/
curl with Host header and NodePort
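# Hit the ingress gateway through its NodePort, setting the Host header so the
# gateway can match on the host name.
# INGRESS_HOST/INGRESS_PORT must be set beforehand (e.g. from `kubectl get svc`);
# :? aborts with a message instead of sending a request to ":/status/200".
curl -s -I -HHost:httpbin.example.com "http://${INGRESS_HOST:?}:${INGRESS_PORT:?}/status/200"
# Header-matched canary route.
curl -s -H 'X-Canary: always' -HHost:app.example.com "http://192.168.0.184:30988/"
# Traffic generator for watching a weighted/canary split; stop with Ctrl-C.
# The original `while(true)` forks a subshell to run `true` on every iteration;
# `while true` is the builtin form.
while true; do
  curl -HHost:app.example.com "http://192.168.0.184:30988/"
  sleep 0.5
done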
https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/