https://www.youtube.com/watch?v=-GsvomI4CCQ very pragmatic Simplilearn tutorial;
you can practice on https://www.katacoda.com/courses/jenkins/build-docker-images which gives you a dockerized Jenkins with a console
Awesome power-jenkins tip-pack https://www.youtube.com/watch?v=6BIry0cepz4 :
- run Jenkins in Docker (jenkins/jenkins)
- select only the plugins you want to use (use plugins.txt to predefine the list of plugins)
- use agents; register them with the Swarm plugin, automate agent provisioning and make the agents ephemeral
- don't use Maven jobs, because they are not reproducible
- use pipelines, with a Jenkinsfile (pipeline/stages/stage/steps)
- in pipelines, do all the work on agents ("agent any")
- a user-input stage should run on master with "agent none", so that it doesn't hold an executor while waiting for input
- limit the number of stages
- don't change the env variable directly, use withEnv(["hello=world"]) instead
- parameters (?)
- use parallelism for end-to-end tests and performance tests, on separate nodes
- "scripted" pipelines are Groovy-ish, for power users; declarative is fine for regular users
- pipelines should be small, they are orchestration tools... do the heavy stuff in shell scripts, which are easier to test
- in a pipeline everything is serializable so that it can be resumed after a failure (continuation-passing style)... but some classes are not serializable, like groovy.text.StreamingTemplateEngine; then you have to wrap it
- BlueOcean plugin, with an editor for declarative pipelines
- use shared libraries in pipelines to reuse code, and also to reuse files
- use views to show only the jobs you are interested in
- BuildMonitor plugin to view jobs
- API available in JSON or XML
- plugins to have: BuildMonitor, Job Config History (to version freestyle jobs), Job DSL, Throttle Concurrent Builds, Timestamper, Version Number plugin & Build-name-setter
Wednesday, August 28, 2019
Kubernetes academy
https://kubernetes.academy/lessons/introduction-to-kubectl awesome productivity tips from John Harris
source <(kubectl completion bash)
tools: kubectx, kubens, kube-ps1 (enabled with kubeon)
# doc on a k8s object
kubectl explain pod.spec.containers.ports
# grep the json output
kubectl get pod -n kube-system kube-scheduler-master -ojson | jq .metadata.labels
# show custom columns
kubectl get pod -n kube-system kube-scheduler-master -o custom-columns=NAME:.metadata.name,NS:.metadata.namespace
# show labels
kubectl get pod -n kube-system --show-labels
# show a column with the value of a given label
kubectl get pod -n kube-system -L k8s-app
# filter by label value
kubectl get pod -n kube-system -l k8s-app=kube-dns -L k8s-app
# sort by restart count
kubectl get pod -n kube-system -l k8s-app=kube-dns --sort-by='{.status.containerStatuses[*].restartCount}'
# trace execution (very verbose)
kubectl get pod -n kube-system -l k8s-app=kube-dns --sort-by='{.status.containerStatuses[*].restartCount}' -v10
https://kubernetes.academy/lessons/introduction-to-ingress
Labels:
kubernetes
Monday, August 19, 2019
Wednesday, August 14, 2019
WebLogic, dramatic reduction of TLS sessions creation by rejectClientInitiatedRenegotiation
Investigating why the TLS sessions are constantly invalidated, removed from the cache and recreated, we discovered that it is WLS SSLConfigUtils.configureClientInitSecureRenegotiation() that initiates this:
        at sun.security.ssl.SSLSessionContextImpl.remove(SSLSessionContextImpl.java:132)
        at sun.security.ssl.SSLSessionImpl.invalidate(SSLSessionImpl.java:673)
        at weblogic.socket.utils.SSLConfigUtils.configureClientInitSecureRenegotiation(SSLConfigUtils.java:27)
        at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:135)
        at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:354)
        at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:976)
        at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:917)
        at weblogic.socket.NIOSocketMuxer.process(NIOSocketMuxer.java:599)
        at weblogic.socket.NIOSocketMuxer.processSockets(NIOSocketMuxer.java:563)
        at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:30)
        at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:43)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:147)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:119)
the code responsible is:
public static void configureClientInitSecureRenegotiation(SSLEngine sslEngine, boolean clientInitSecureRenegotiation) {
    if (!IS_JDK_CLIENT_INIT_SECURE_RENEGOTIATION_PROPERTY_SET) {
        if ((sslEngine != null) && (!sslEngine.getUseClientMode())) {
            if (!clientInitSecureRenegotiation) {
                sslEngine.getSession().invalidate();
            }
            sslEngine.setEnableSessionCreation(clientInitSecureRenegotiation);
            if (isLoggable()) {
                SocketLogger.logDebug(clientInitSecureRenegotiation ? "Enabled" : "Disabled TLS client initiated secure renegotiation.");
            }
        }
    } else if (isLoggable()) {
        SocketLogger.logDebug("TLS client initiated secure renegotiation setting is configured with -Djdk.tls.rejectClientInitiatedRenegotiation");
    }
}
so invalidate() is called only if !clientInitSecureRenegotiation (and session creation is disabled by the same flag), but it appears that clientInitSecureRenegotiation, i.e. isClientInitSecureRenegotiationAccepted, is always FALSE
in JSSESocketFactory:
JSSEFilterImpl getJSSEFilterImpl(Socket connectedSocket, String host, int port) throws IOException {
    SSLEngine sslEngine = getSSLEngine(host, port);
    return new JSSEFilterImpl(connectedSocket, sslEngine, true);
}
in JSSEFilterImpl:
public JSSEFilterImpl(Socket sock, SSLEngine engine, boolean clientMode) throws IOException {
    this(sock, engine, clientMode, false); // parameter 4 is isClientInitSecureRenegotiationAccepted, THIS IS ALWAYS FALSE, and clientMode is always TRUE
}

// this constructor is ultimately invoked
public JSSEFilterImpl(Socket sock, SSLEngine engine, boolean clientMode, boolean isClientInitSecureRenegotiationAccepted) throws IOException {
    // (body not reproduced here)
so the only way to avoid session invalidation is for IS_JDK_CLIENT_INIT_SECURE_RENEGOTIATION_PROPERTY_SET to be true, that is by setting -Djdk.tls.rejectClientInitiatedRenegotiation (true or false doesn't seem to matter, as long as the property is set). Since WebLogic only checks that the property is present, =true is the safer value: it has the same effect on the session cache and additionally makes the JDK reject client-initiated renegotiation.
Thanks to Carlo for the excellent analysis.
Labels:
renegotiation,
tls,
weblogic
Sunday, August 11, 2019
Audit the content of a series of folders against a file
the audit.txt contains the list of original files:
/media/sf_shared/bashtests/dirtoaudit/
/media/sf_shared/bashtests/dirtoaudit/dir01
/media/sf_shared/bashtests/dirtoaudit/dir01/file01_01.txt
/media/sf_shared/bashtests/dirtoaudit/dir01/file02_01.txt
/media/sf_shared/bashtests/dirtoaudit/dir02
/media/sf_shared/bashtests/dirtoaudit/dir02/file01_02.txt
/media/sf_shared/bashtests/dirtoaudit/dir02/file02_02.txt
this script checks that in the folders
/media/sf_shared/bashtests/dirtoaudit/
/media/sf_shared/bashtests/dirtoaudit/dir01
/media/sf_shared/bashtests/dirtoaudit/dir02
there are no extra files or folders:
Of course this scales very poorly... I would never dream of writing complex logic in bash, unless I was absolutely forced
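The script itself did not survive on this page, so here is an added example of my own (not the post's script) that does the audit described above with comm(1) instead of hand-written loops: it reports both paths on disk that are not in the list and listed paths that have disappeared, which is what you want when the list is a baseline of a deployment. The tree and audit.txt it runs on are constructed to match the ones quoted above; only the base directory changes.

```shell
#!/bin/sh
# Added example (not the post's script): audit directories against a list of
# expected paths. Reports every path found on disk but not in the list (EXTRA)
# and every listed path that is no longer on disk (MISSING).
# Assumptions: the audit file holds one absolute path per line, directories
# included, exactly like the post's audit.txt; paths contain no newlines.

# audit_dirs AUDIT_FILE DIR...   prints the report; exits 0 only when the
# listed set and the on-disk set are identical.
audit_dirs() {
  audit_file=$1; shift
  work=$(mktemp -d)
  # expected set: the list with trailing slashes removed, sorted for comm(1)
  sed 's#/*$##' "$audit_file" | sort -u > "$work/expected"
  # actual set: every entry at or below each start point; start points are
  # normalised the same way so both sides compare equal strings
  for d in "$@"; do
    d=${d%/}; [ -n "$d" ] || d=/
    find "$d" -print
  done | sort -u > "$work/actual"
  comm -13 "$work/expected" "$work/actual" | sed 's/^/EXTRA /'   >  "$work/report"
  comm -23 "$work/expected" "$work/actual" | sed 's/^/MISSING /' >> "$work/report"
  cat "$work/report"
  n=$(wc -l < "$work/report" | tr -d ' ')
  rm -rf "$work"
  [ "$n" -eq 0 ]
}

# make_fixture DIR: recreates the post's tree and audit list under DIR
# (constructed test data), then plants one unlisted file and deletes one
# listed file so that the audit has something to report.
make_fixture() {
  root=$1
  mkdir -p "$root/dirtoaudit/dir01" "$root/dirtoaudit/dir02"
  for f in dir01/file01_01.txt dir01/file02_01.txt dir02/file01_02.txt dir02/file02_02.txt; do
    : > "$root/dirtoaudit/$f"
  done
  {
    echo "$root/dirtoaudit/"
    echo "$root/dirtoaudit/dir01"
    echo "$root/dirtoaudit/dir01/file01_01.txt"
    echo "$root/dirtoaudit/dir01/file02_01.txt"
    echo "$root/dirtoaudit/dir02"
    echo "$root/dirtoaudit/dir02/file01_02.txt"
    echo "$root/dirtoaudit/dir02/file02_02.txt"
  } > "$root/audit.txt"
  : > "$root/dirtoaudit/dir02/rogue.sh"       # unlisted: must show up as EXTRA
  rm "$root/dirtoaudit/dir01/file02_01.txt"   # listed but gone: must show up as MISSING
}

# Stand-alone run on the constructed fixture.
demo_root=$(mktemp -d)
make_fixture "$demo_root"
if audit_dirs "$demo_root/audit.txt" "$demo_root/dirtoaudit/" "$demo_root/dirtoaudit/dir01" "$demo_root/dirtoaudit/dir02"; then
  echo "tree matches the audit list"
else
  echo "discrepancies found"
fi
rm -rf "$demo_root"
```

Against a real deployment you would call audit_dirs with the real audit.txt and the real folders; the non-zero exit status makes it usable as a gate in a job. Note that this checks only names: a file that is listed but has been modified passes, so pair it with a checksum list (or rpm -V for packaged files) when content integrity matters.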
Labels:
bash
Saturday, August 10, 2019
OpenShift CI/CD
https://www.youtube.com/watch?v=65BnTLcDAJI good video on CI/CD, part 1
https://www.youtube.com/watch?v=wSFyg6Etwx8 part 2
https://www.youtube.com/watch?v=kbbK0VEy2qM OpenShift 4 CI/CD
it is essential to have the "OpenShift Jenkins Pipeline (DSL) Plugin" installed in Jenkins: https://github.com/openshift/jenkins-client-plugin
https://www.youtube.com/watch?v=pMDiiW1UqLo Openshift Pipelines with Tekton https://cloud.google.com/tekton/ and here is the code https://github.com/openshift/pipelines-tutorial
rpm useful commands
list the files installed by an INSTALLED rpm (for an UNINSTALLED rpm, add -p and provide the full path to the .rpm file):
rpm -ql nginx.x86_64
or also (if the rpm is not installed yet):
repoquery --list nginx.x86_64
verify that the files installed by an rpm have not been tampered with:
rpm -V nginx.x86_64
display the postinstall and postuninstall scripts
rpm -q --scripts nginx.x86_64
which rpm provides a given file:
rpm -q --whatprovides /usr/sbin/nginx
or also
rpm -qf /usr/sbin/nginx
for a REALLY verbose verification output:
rpm -Vvv nginx.x86_64
Ref:
http://ftp.rpm.org/max-rpm/s1-rpm-verify-what-to-verify.html
https://www.cyberciti.biz/howto/question/linux/linux-rpm-cheat-sheet.php fantastic all-in-one rpm cheat sheet
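rpm -V prints one line per file that differs from the package database, with a nine-character flag string (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities), an optional attribute column (c for a config file) and the path, or the word "missing". The following is an added example of my own (not from the post or from the rpm project) that triages that output so a modified binary stands out from a legitimately edited config file; the sample lines are constructed in that shape, not captured from a real host.

```shell
#!/bin/sh
# Added example: triage rpm -V output. A changed digest or size on a file that
# is not marked as config (attribute "c") is the interesting case; a changed
# config file is expected on most hosts; mode/owner changes get a warning.
# Assumes paths contain no whitespace (true for packaged system files).

classify_rpm_verify() {
  awk '
    $1 == "missing" { print "ALERT missing " $NF; next }
    {
      flags = $1
      attr  = (NF == 3) ? $2 : ""
      path  = $NF
      changed = index(flags, "5") || index(flags, "S")   # content (digest/size) differs
      if (changed && attr != "c")       print "ALERT modified " path " (" flags ")"
      else if (changed)                 print "INFO config-edited " path " (" flags ")"
      else if (index(flags, "M") || index(flags, "U") || index(flags, "G"))
                                        print "WARN perms-or-owner " path " (" flags ")"
      else                              print "INFO metadata-only " path " (" flags ")"
    }'
}

# Constructed sample in the shape rpm -V prints (not from a real system):
RPM_V_SAMPLE='S.5....T.  c /etc/nginx/nginx.conf
S.5....T.    /usr/sbin/nginx
.......T.    /usr/share/nginx/html/index.html
.M.......    /var/log/nginx
missing      /usr/lib64/nginx/modules/ngx_http_image_filter_module.so'

rpm_verify_demo() { printf '%s\n' "$RPM_V_SAMPLE" | classify_rpm_verify; }

# Number of lines that need a human: modified non-config files and missing files.
rpm_verify_alert_count() { rpm_verify_demo | grep -c '^ALERT'; }

rpm_verify_demo
```

On a real host you would feed it `rpm -Va | classify_rpm_verify`. Keep in mind that rpm -V compares against the local rpm database, which anyone with root can rewrite; for a host you suspect, verify against the original package file with rpm -Vp, or compare with a database copied from a known-good system.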
Labels:
rpm
SAML and JWT
Excellent side-by-side comparison https://medium.com/@robert.broeckelmann/saml2-vs-jwt-a-comparison-254bafd98e6
Useful terminology:
https://en.wikipedia.org/wiki/Trusted_computing_base
Bearer Tokens
Holder of Key
Sender Vouches
Proof of Possession
IdP https://en.wikipedia.org/wiki/Identity_provider
Openshift RedHat plugin for Intellij
https://plugins.jetbrains.com/plugin/12030-openshift-connector-by-red-hat
Sample video on how to use it https://www.youtube.com/watch?v=kCESA7a5i3M
I keep getting the message "odo not found, do you want to download it?", I click "yes" and nothing visible happens... even if I have odo.exe on the PATH, I still get the error message...
https://github.com/openshift/odo
It doesn't seem very popular though... very few downloads... but I don't want to use Eclipse with its JBoss Openshift Client, I hate Eclipse...
However, Intellij has its own Cloud support for Openshift https://www.jetbrains.com/help/idea/working-with-clouds.html
CTRL-ALT-S, Cloud, Openshift
see also https://www.jetbrains.com/help/idea/run-debug-configuration-openshift-deployment.html
Openshift 4, interesting readings
https://computingforgeeks.com/red-hat-openshift-4-new-features/
https://cloudowski.com/articles/10-differences-between-openshift-and-kubernetes/
https://cloudowski.com/articles/honest-review-of-openshift-4/
https://cloudowski.com/articles/why-managing-container-images-on-openshift-is-better-than-on-kubernetes/
https://computingforgeeks.com/setup-openshift-origin-local-cluster-on-centos/ ( not working for me.... ) see also https://github.com/openshift/origin/blob/v4.0.0-alpha.0/docs/cluster_up_down.md
I have deployed https://github.com/vernetto/sbhello with OpenShift Online,
using the Catalog option "Red Hat OpenJDK 8".
.\oc.exe new-app openshift/java:8~https://github.com/vernetto/sbhello.git --name=sbhwpv3
.\oc.exe expose service sbhwpv3
https://github.com/fabric8io-images/run-java-sh
This is still a very good developer introduction https://www.youtube.com/watch?v=cY7KIEajqx4 (a bit outdated) by Grant Shipley, really intense and focused.
https://www.youtube.com/watch?v=-xJIvBpvEeE amazing on Openshift infrastructure management
https://coreos.com/ignition/docs/latest/ what is ignition
https://www.terraform.io/intro/index.html what is terraform
Labels:
openshift
Thursday, August 1, 2019
Linux: find the broadcast address of a given network interface
It's grotesque how in 2019 we still have to rely on primitive, ambiguous tools like grep and awk to extract information from a linux command
This is what I could come up with to "find the broadcast address of a given network interface":
ip a s dev docker0 | grep "inet.*brd" | awk '{print $4}'
To subtract 1 from an IP (see here):
cat checkip.ksh
echo "Enter ip:"
read IP_val
awk -F"/" -vvalip="$IP_val" '{if($NF==valip){split($1, A,".");A[4]-=1;VAL=A[1] OFS A[2] OFS A[3] OFS A[4]}} END{print VAL}' OFS="." ip_list
It's a mad world.
The broadcast address is always (?) the highest IP in the subnet range:
Network:   172.25.1.64/26
Broadcast: 172.25.1.127
HostMin:   172.25.1.65
HostMax:   172.25.1.126
Hosts/Net: 62
and the gateway will be (broadcast-1) = 172.25.1.126
To find out what the default gateway is:
cat /etc/sysconfig/network
initialization scripts in /etc/sysconfig/network-scripts/ifcfg-*
https://en.wikipedia.org/wiki/Broadcast_address
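Instead of scraping ip(8) output and decrementing one octet, the whole table above follows from the prefix length with bit arithmetic that the shell already has. The block below is an added example of my own (not the post's checkip.ksh): it reproduces the ipcalc-style summary for 172.25.1.64/26, and its ip_dec/ip_inc borrow across octets, so that x.y.z.0 minus one comes out right where the awk one-liner above would print x.y.z.-1. It goes slightly beyond the post by handling /31 and /32, which have no network/broadcast pair.

```shell
#!/bin/sh
# Added example (not the post's script): IPv4 subnet arithmetic in plain POSIX
# shell. Input is A.B.C.D/PREFIX; there is no input validation.

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> A.B.C.D (N is masked to 32 bits, so -1 wraps to 255.255.255.255)
int2ip() {
  n=$(( $1 & 0xFFFFFFFF ))
  echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# netmask for a prefix length, as an integer
prefix2mask() { echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); }

cidr_network() {
  int2ip $(( $(ip2int "${1%/*}") & $(prefix2mask "${1#*/}") ))
}

# broadcast = network with all host bits set, i.e. the highest address in the range
cidr_broadcast() {
  mask=$(prefix2mask "${1#*/}")
  int2ip $(( ( $(ip2int "${1%/*}") & mask ) | (~mask & 0xFFFFFFFF) ))
}

# usable host count; /31 (RFC 3021) and /32 have no network/broadcast pair
cidr_hosts() {
  case ${1#*/} in
    32) echo 1 ;;
    31) echo 2 ;;
    *)  echo $(( (1 << (32 - ${1#*/})) - 2 )) ;;
  esac
}

# previous/next address with proper borrow/carry across octets
ip_dec() { int2ip $(( $(ip2int "$1") - 1 )); }
ip_inc() { int2ip $(( $(ip2int "$1") + 1 )); }

# ipcalc-style summary, same fields as the output quoted in the post
cidr_info() {
  prefix=${1#*/}
  net=$(cidr_network "$1"); bc=$(cidr_broadcast "$1")
  if [ "$prefix" -ge 31 ]; then lo=$net; hi=$bc; else lo=$(ip_inc "$net"); hi=$(ip_dec "$bc"); fi
  printf 'Network:   %s/%s\nBroadcast: %s\nHostMin:   %s\nHostMax:   %s\nHosts/Net: %s\n' \
    "$net" "$prefix" "$bc" "$lo" "$hi" "$(cidr_hosts "$1")"
}

cidr_info 172.25.1.64/26
```

The "gateway = broadcast - 1" rule is only a convention on the network in the post: the address that actually routes your traffic comes from the routing table (ip route show default), not from the subnet arithmetic.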
Labels:
ip
Subscribe to:
Posts (Atom)