/root/.blog linux

k8s Dashboard installation

Deploy the Dashboard

  1. Install the Kubernetes dashboard:
[k8sadm@test-vm1 ~]$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

secret "kubernetes-dashboard-certs" created
serviceaccount "kubernetes-dashboard" created
role "kubernetes-dashboard-minimal" created
rolebinding "kubernetes-dashboard-minimal" created
deployment "kubernetes-dashboard" created
service "kubernetes-dashboard" created
  2. Deploy heapster to enable container cluster monitoring and performance analysis on your cluster:
[k8sadm@test-vm1 ~]$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/heapster.yaml

serviceaccount "heapster" created
deployment "heapster" created
service "heapster" created
  3. Deploy the influxdb backend for heapster to your cluster:
[k8sadm@test-vm1 ~]$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/influxdb.yaml

deployment "monitoring-influxdb" created
service "monitoring-influxdb" created
  4. Create the heapster cluster role binding for the dashboard:
[k8sadm@test-vm1 ~]$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/rbac/heapster-rbac.yaml

clusterrolebinding "heapster" created

Create an admin Service Account and Cluster Role Binding

  1. Create a file called k8s-admin-service-account.yaml with the text below:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: k8s-admin
  namespace: kube-system
  2. Apply the service account to your cluster:
[k8sadm@test-vm1 ~]$ kubectl apply -f k8s-admin-service-account.yaml

serviceaccount "k8s-admin" created
  3. Create a file called k8s-admin-cluster-role-binding.yaml with the text below:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: k8s-admin
  namespace: kube-system
  4. Apply the cluster role binding to your cluster:
[k8sadm@test-vm1 ~]$ kubectl apply -f k8s-admin-cluster-role-binding.yaml

clusterrolebinding "k8s-admin" created

Connect to the Dashboard

  1. Retrieve an authentication token for the k8s-admin service account. Copy the <authentication_token> value from the output. You use this token to connect to the dashboard.
[k8sadm@test-vm1 ~]$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep k8s-admin | awk '{print $1}')

Name:         k8s-admin-token-b5zv4
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=k8s-admin
              kubernetes.io/service-account.uid=bcfe66ac-39be-11e8-97e8-026dce96b6e8

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      <authentication_token>
  2. Start the kubectl proxy:
[k8sadm@test-vm1 ~]$ kubectl proxy

Starting to serve on 127.0.0.1:8001
  3. Open the following link with a web browser to access the dashboard endpoint: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

  4. Choose Token, paste the <authentication_token> output from the previous command into the Token field, and choose SIGN IN.


sources:

  1. https://docs.aws.amazon.com/eks/latest/userguide/dashboard-tutorial.html

Continue with:

  1. K8s rook-ceph Install https://sunwfrk.com/rook-ceph-on-k8s/

Syncing an RPM repo for offline use

For example, we want to sync the EPEL repo for offline use.

If you are on CentOS 7 you can just type:

# yum install epel-release

If not, add the EPEL repo this way:

# wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# rpm -ivh epel-release-latest-7.noarch.rpm

Install the reposync utility which is included in 'yum-utils':

# yum install yum-utils createrepo

Create an offline copy with the latest files only ('-n' option):

# reposync -n --repoid=epel --download_path=/data

Create the repomd (xml-rpm-metadata) repository:

# createrepo /data/epel

When you later want to update the repo, just resync it:

# reposync -n --repoid=epel --download_path=/data

Remove older RPMs from the updated repo:

# repomanage -k1 -c -o /data/epel/ |xargs rm

Run createrepo with the --update flag to speed things up:

# createrepo --update /var/www/html/repo

Split a large file into smaller files

Split

# split -b300M bigfile.zip bigfile.zip.
# ls -al
total 3110156
drwxr-xr-x  2 root root       4096 Sep  6 21:02 .
drwx------ 19 root root       4096 Sep  6 21:01 ..
-rw-r--r--  1 root root 1592381288 Sep  6 21:01 bigfile.zip
-rw-r--r--  1 root root  314572800 Sep  6 21:01 bigfile.zip.aa
-rw-r--r--  1 root root  314572800 Sep  6 21:01 bigfile.zip.ab
-rw-r--r--  1 root root  314572800 Sep  6 21:01 bigfile.zip.ac
-rw-r--r--  1 root root  314572800 Sep  6 21:01 bigfile.zip.ad
-rw-r--r--  1 root root  314572800 Sep  6 21:01 bigfile.zip.ae
-rw-r--r--  1 root root   19517288 Sep  6 21:02 bigfile.zip.af

Combine

# cat bigfile.zip.aa bigfile.zip.ab bigfile.zip.ac bigfile.zip.ad \
bigfile.zip.ae bigfile.zip.af > bigfile.zip

Encrypt or Decrypt files

encrypt.sh

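#!/bin/bash
# Encrypt <file> to <file>.enc with AES-256-CBC; the output is base64 text.

infile=$1
outfile=${infile}.enc

if [ -f "${infile}" ]; then
    if [ -f "${outfile}" ]; then
        echo "target file ${outfile} already exists"
        exit 1
    fi

    # -s: do not echo the password; -r: keep backslashes literal
    read -r -s -p "Enter encryption password: " pass
    echo

    if [ -z "${pass}" ]; then
        # Fallback to a fixed, publicly known password: obfuscation only
        echo "No password provided, using default: biscuit"
        pass=biscuit
    fi

    # The password is passed on stdin rather than as "pass:..." so it does not
    # show up in the process list. A random salt (the openssl default) and
    # PBKDF2 key derivation (OpenSSL 1.1.1 or later) replace -nosalt.
    printf '%s\n' "${pass}" |
        openssl enc -base64 -e -aes-256-cbc -pbkdf2 -pass stdin \
            -in "${infile}" -out "${outfile}"

fi

decrypt.sh

#!/bin/bash
# Decrypt <file>.enc, as written by encrypt.sh, to <file>.

infile=$1
# Strip only a trailing .enc from the name
outfile=${infile%.enc}

if [ -f "${infile}" ]; then
    if [ -f "${outfile}" ]; then
        echo "target file ${outfile} already exists"
        exit 1
    fi

    # -s: do not echo the password; -r: keep backslashes literal
    read -r -s -p "Enter decryption password: " pass
    echo

    if [ -z "${pass}" ]; then
        echo "No password provided, using default: biscuit"
        pass=biscuit
    fi

    # The options must match the ones used in encrypt.sh
    printf '%s\n' "${pass}" |
        openssl enc -base64 -d -aes-256-cbc -pbkdf2 -pass stdin \
            -in "${infile}" -out "${outfile}"

fi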
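
What the salt and the -pbkdf2 option change in openssl enc output, with a check for whether an existing base64 .enc file was written without a salt. This is an added example, not one of the author's scripts; the function names, password and plaintext are constructed sample values.

```shell
#!/bin/bash
# Constructed sample values; not from the original page.
DEMO_MSG='constructed sample plaintext'
export DEMO_PW='constructed-sample-password'

# enc_demo [openssl enc options]: encrypt DEMO_MSG, base64 on stdout.
# The password is read from the environment (-pass env:), not from argv.
enc_demo() {
    printf '%s' "$DEMO_MSG" |
        openssl enc -e -aes-256-cbc -base64 -pass env:DEMO_PW "$@" 2>/dev/null
}

# dec_demo [openssl enc options]: decrypt base64 ciphertext from stdin.
dec_demo() {
    openssl enc -d -aes-256-cbc -base64 -pass env:DEMO_PW "$@" 2>/dev/null
}

# is_salted: succeed if the base64 ciphertext on stdin starts with the
# "Salted__" header that openssl enc writes when a salt is used.
is_salted() {
    [ "$(head -c 10)" = "U2FsdGVkX1" ]
}

# Without a salt, the same password and plaintext always give the same
# ciphertext, so equal files are recognisable and one precomputed
# password table works against every file.
a=$(enc_demo -nosalt)
b=$(enc_demo -nosalt)
[ "$a" = "$b" ] && echo "-nosalt: identical ciphertext on every run"

# With the default random salt and PBKDF2, every run differs.
c=$(enc_demo -pbkdf2)
d=$(enc_demo -pbkdf2)
[ "$c" != "$d" ] && echo "salted + pbkdf2: ciphertext differs on every run"

# Audit an existing file: is_salted < somefile.enc
printf '%s\n' "$a" | is_salted || echo "first ciphertext has no salt header"
```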

Allow user process to use privileged ports

In this example we have a tomcat server running as user tomcat on Solaris or Linux. Neither allows a normal user to listen on ports lower than 1024.

Solaris:

# usermod -K defaultpriv=basic,net_privaddr tomcat

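Linux: (replace <java_home> with your path to java). A binary with file capabilities runs in secure-execution mode, where the dynamic loader ignores LD_LIBRARY_PATH and $ORIGIN-relative library paths, so the directory that holds libjli.so has to be registered with ldconfig. The capability is attached to the java binary itself, so every Java program started from that <java_home> can bind privileged ports, not only tomcat.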

# setcap cap_net_bind_service=+ep <java_home>/bin/java
# echo "<java_home>/jre/lib/amd64/jli" >> /etc/ld.so.conf.d/java.conf
# ldconfig