
k8s Seattle Meetup


The meetup took place at Google Fremont.

Although there were other presentations, I could only attend the following:

1. Aqua: As there are ongoing security concerns regarding Docker/microservices approaches, I see various solutions emerging in response. After my initial bias that Aqua is YADSC (Yet Another Docker Security Scanner), I realized it has other capabilities as well. Besides the CVE scan, it also offers

  • Container inspection, which actively checks for suspicious behaviour
  • Fingerprinting the image from dev to production, preventing spoofing
  • Multi-registry support (ECR, GCR, Quay, JFrog…)
  • Anomaly detection on containers
  • Prevention of malicious behaviours

The demo of malicious behaviour was a fork bomb,

which is also known as

:(){ :|:& };:

If you enter this command in your bash you will see the effect; no responsibility is accepted :)

@chernymi demonstrated the effect of the fork bomb and the container froze; after that we saw that Aqua can handle this anomaly.
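What a runtime anomaly detector actually keys on here is the process table: a fork bomb shows up as hundreds of identical short-lived shells inside one container cgroup, which is also what the kernel's pids cgroup (Docker's pids-limit) caps to contain it. The following is an added example, not the meetup's or Aqua's code: it takes a snapshot of process rows (pid, ppid, command name, cgroup), which in production would be read from /proc, and reports any container whose live process count exceeds a limit, together with the dominant command name. The snapshot in sampleSnapshot() is constructed.

```javascript
// Added example: flag a fork storm from a process-table snapshot.
// Each row is {pid, ppid, comm, cgroup}. In production the rows come from
// /proc/<pid>/stat and /proc/<pid>/cgroup; here they are constructed.

// Group a snapshot by container cgroup and summarise each group.
function summariseByCgroup(table) {
  const groups = new Map();
  for (const row of table) {
    if (!groups.has(row.cgroup)) groups.set(row.cgroup, { processes: 0, comms: new Map() });
    const g = groups.get(row.cgroup);
    g.processes += 1;
    g.comms.set(row.comm, (g.comms.get(row.comm) || 0) + 1);
  }
  return groups;
}

// Return one finding per cgroup whose live process count exceeds `limit`.
// The dominant command name and its share are reported because a fork bomb
// is hundreds of copies of the same shell, which distinguishes it from a
// legitimately busy container with a varied process mix.
function findForkStorms(table, limit) {
  const findings = [];
  for (const [cgroup, g] of summariseByCgroup(table)) {
    if (g.processes <= limit) continue;
    const [comm, count] = [...g.comms.entries()].sort((a, b) => b[1] - a[1])[0];
    findings.push({
      cgroup,
      processes: g.processes,
      dominantComm: comm,
      dominantShare: count / g.processes,
    });
  }
  return findings.sort((a, b) => b.processes - a.processes);
}

// Constructed snapshot: a healthy web container and one running the
// one-liner above, where every generation of bash spawns two more.
function sampleSnapshot() {
  const rows = [
    { pid: 1, ppid: 0, comm: 'nginx', cgroup: '/docker/web' },
    { pid: 2, ppid: 1, comm: 'nginx', cgroup: '/docker/web' },
    { pid: 3, ppid: 1, comm: 'nginx', cgroup: '/docker/web' },
    { pid: 10, ppid: 0, comm: 'bash', cgroup: '/docker/victim' },
  ];
  let next = 11;
  for (let parent = 10; next < 10 + 500; parent++) {
    rows.push({ pid: next++, ppid: parent, comm: 'bash', cgroup: '/docker/victim' });
    rows.push({ pid: next++, ppid: parent, comm: 'bash', cgroup: '/docker/victim' });
  }
  return rows;
}

// When run directly: one finding, for /docker/victim with 501 processes.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(findForkStorms(sampleSnapshot(), 64));
}
```

The limit is the same number you would hand to the pids cgroup; the detector tells you a container hit it, the cgroup stops the host from freezing while you look.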

2. rktnetes: @wobscale began by explaining what rkt is and how it differs from Docker, going deeper into the Stage1-2-3 approach of rkt.

He continued by pointing out the SPOF of dockerd for <1.11 and containerd for >=1.11.

Finally, he explained rktnetes, which basically uses rkt as the container runtime.

Some of the benefits can be summarized as:

  • There is no daemon running the containers
  • Works with systemd
  • runc is supported :)
  • Features/speed compete with Kubernetes

The official release seems to be coming with Kubernetes 1.3.

In summary, Kubernetes is creating its own ecosystem as well. Especially for those using GCP, since Google Container Engine is Kubernetes, it makes sense to go with it.

DevOpsDays Istanbul 2016 Ignite


My ignite link during the conference is here.

Kubernetes (a.k.a. k8s) London Meetup


One of my favorite things to do when I visit London is to attend the SkillsMatter meetups.

This time I was lucky to join the Kubernetes meetup!

Thanks to Google for sponsoring the pizza and beers before the meetup!

There were two separate presentations:

Martin Devlin – Consul & Vault Integration with Kubernetes

Justin Santa Barbara – Kubernetes: Prologue, Present & Predictions

The second one, presented by Justin Santa Barbara, was interesting, helped also by Justin's cool presentation skills and positive energy!

Justin is one of the top committers on the k8s project.

Although various topics were mentioned, I will now focus on some of the upcoming functions of the new releases:

1. Ingress: This can be referred to as an ingress traffic controller, waiting for L4 & L7, so it seems there will be no need for AWS ELB in the future?

2. DaemonSets: We can define certain pods to run on all nodes or on some nodes. Use cases of this can be

  • having NewRelic run on each node (which is the case for me currently)
  • having a log collection daemon on each node, like SumoLogic
  • having a storage daemon like glusterd on each node

3. PetSets: This can be referred to as stateful-application support. Self-healing databases can be a use case; still trying to dig out!

The new release 1.3 is expected to be live by the end of June, let's see :)

Here are some pictures from the meetup (Kubernetes at SkillsMatter; images not reproduced here).

Playing with AWS Autoscale Lifecycle Hooks, triggering Lambda function


Honestly, I was not aware that terminating an instance at AWS is equal to unplugging the server cable. That's why I lost so much time trying to trigger custom code before the instance shutdown using init levels. But I failed!!! Why? Because when you unplug the electric cable, there is no init process!! 🙂

Later on, I found the AWS lifecycle hooks. The Auto Scaling group publishes to an SNS topic, which then invokes a Lambda function, and the basic requirement, "revoking the IP from the Security Group", can be done. Here is the related node.js, but it still lacks parsing of the incoming SNS message (the IP is static):

[snippet id="26"]
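The missing piece is the SNS envelope: Lambda receives the lifecycle message as a JSON string in Records[0].Sns.Message, with the instance id, hook name, Auto Scaling group name and action token in it. The following is an added example, not the post's own snippet: it parses that message, ignores the TEST_NOTIFICATION SNS publishes when a hook is created, looks up the instance's private IP, revokes it from a security group, and completes the lifecycle action so the instance is not parked in Terminating:Wait until the hook's heartbeat timeout (one hour by default). The AWS clients are passed in rather than imported, so the logic runs offline; SECURITY_GROUP_ID and PORT are placeholders, and the event in sampleEvent() is constructed.

```javascript
// Added example: Lambda handler for an EC2_INSTANCE_TERMINATING lifecycle hook
// delivered through SNS. SECURITY_GROUP_ID and PORT are placeholders.
const SECURITY_GROUP_ID = 'sg-PLACEHOLDER';
const PORT = 443;

// Returns {instanceId, hookName, groupName, token}, or null when the message
// is SNS's TEST_NOTIFICATION or a transition other than termination.
function parseLifecycleEvent(event) {
  const record = event && event.Records && event.Records[0];
  if (!record || !record.Sns) throw new Error('not an SNS event');
  const msg = JSON.parse(record.Sns.Message);
  if (msg.Event === 'autoscaling:TEST_NOTIFICATION') return null;
  if (msg.LifecycleTransition !== 'autoscaling:EC2_INSTANCE_TERMINATING') return null;
  for (const k of ['EC2InstanceId', 'LifecycleHookName', 'AutoScalingGroupName', 'LifecycleActionToken']) {
    if (!msg[k]) throw new Error(`lifecycle message missing ${k}`);
  }
  return {
    instanceId: msg.EC2InstanceId,
    hookName: msg.LifecycleHookName,
    groupName: msg.AutoScalingGroupName,
    token: msg.LifecycleActionToken,
  };
}

// ec2 and autoscaling are objects with promise-returning describeInstances,
// revokeSecurityGroupIngress and completeLifecycleAction (AWS SDK calls
// wrapped with .promise(), or the stubs below).
async function handleTermination(event, ec2, autoscaling) {
  const lc = parseLifecycleEvent(event);
  if (!lc) return { skipped: true };

  const described = await ec2.describeInstances({ InstanceIds: [lc.instanceId] });
  const reservation = described.Reservations && described.Reservations[0];
  const instance = reservation && reservation.Instances && reservation.Instances[0];
  if (!instance || !instance.PrivateIpAddress) throw new Error(`no private IP for ${lc.instanceId}`);
  const cidr = `${instance.PrivateIpAddress}/32`;

  try {
    await ec2.revokeSecurityGroupIngress({
      GroupId: SECURITY_GROUP_ID,
      IpPermissions: [{ IpProtocol: 'tcp', FromPort: PORT, ToPort: PORT, IpRanges: [{ CidrIp: cidr }] }],
    });
  } finally {
    // Always release the hook. For a termination hook CONTINUE and ABANDON
    // both let the instance terminate, so a failed revoke must not leave it
    // waiting for the heartbeat timeout.
    await autoscaling.completeLifecycleAction({
      AutoScalingGroupName: lc.groupName,
      LifecycleHookName: lc.hookName,
      LifecycleActionToken: lc.token,
      LifecycleActionResult: 'CONTINUE',
    });
  }
  return { skipped: false, instanceId: lc.instanceId, revoked: cidr };
}

// Constructed SNS event in the shape Lambda receives from an SNS trigger.
function sampleEvent(transition = 'autoscaling:EC2_INSTANCE_TERMINATING') {
  return { Records: [{ Sns: { Message: JSON.stringify({
    LifecycleTransition: transition,
    EC2InstanceId: 'i-0123456789abcdef0',
    LifecycleHookName: 'revoke-on-terminate',
    AutoScalingGroupName: 'web-asg',
    LifecycleActionToken: 'token-PLACEHOLDER',
  }) } }] };
}

// Stub clients that record their calls, so the handler runs offline.
function stubClients(privateIp) {
  const calls = [];
  const ec2 = {
    describeInstances: async (p) => {
      calls.push(['describeInstances', p]);
      return { Reservations: [{ Instances: [{ PrivateIpAddress: privateIp }] }] };
    },
    revokeSecurityGroupIngress: async (p) => { calls.push(['revokeSecurityGroupIngress', p]); return {}; },
  };
  const autoscaling = {
    completeLifecycleAction: async (p) => { calls.push(['completeLifecycleAction', p]); return {}; },
  };
  return { ec2, autoscaling, calls };
}
```

The Lambda's execution role needs ec2:DescribeInstances, ec2:RevokeSecurityGroupIngress and autoscaling:CompleteLifecycleAction; everything else is the SNS subscription and the hook on the Auto Scaling group.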

Scripted monitoring on NewRelic with Javascript


With the help of the latest customer requirements, I am getting more familiar with node.js and getting more used to being a node.js developer :)

Here is one of the JavaScript snippets, which parses the HTML output and checks whether a specific result is there or not. If not, NewRelic raises an alarm:

[snippet id="25"]

MongoDB gives "not master" error after creating the AWS CloudFormation template


AWS has cool documentation, but sometimes it does not guide you to practical solutions. If you intend to use the following MongoDB CloudFormation template:

https://aws.amazon.com/blogs/aws/mongodb-on-the-aws-cloud-new-quick-start-reference-deployment/

you will notice that mongo is not operable. To fix that, you need to ssh in and enter the mongo console by typing mongo.

When you check the replica set status you will see:

> rs.status()
{
        "info" : "run rs.initiate(...) if not yet done for the set",
        "ok" : 0,
        "errmsg" : "no replset config has been received",
        "code" : 94
}

Initiate the replica set with:

> rs.initiate()
{
        "info2" : "no configuration explicitly specified -- making one",
        "me" : "ip-10-0-2-241:27017",
        "ok" : 1
}
 
You can now check the status again:
 
s-1:PRIMARY> rs.status()
{
        "set" : "s-1",
        "date" : ISODate("2016-03-23T16:00:30.805Z"),
        "myState" : 1,
        "members" : [
                {
                        "_id" : 0,
                        "name" : "ip-10-0-2-241:27017",
                        "health" : 1,
                        "state" : 1,
                        "stateStr" : "PRIMARY",
                        "uptime" : 13924,
                        "optime" : Timestamp(1458748644, 1),
                        "optimeDate" : ISODate("2016-03-23T15:57:24Z"),
                        "electionTime" : Timestamp(1458748644, 2),
                        "electionDate" : ISODate("2016-03-23T15:57:24Z"),
                        "configVersion" : 1,
                        "self" : true
                }
        ],
        "ok" : 1
}

How to add a specific IP to your RDS security group on command line


If you move towards DevOps and automated provisioning, you will definitely need to do things through automation.

Here is the command line, in case you need the newly provisioned server to be added to your RDS security group:

aws rds authorize-db-security-group-ingress --db-security-group-name mydbsecuritygroup --cidrip 192.168.1.10/27

How to block an IP on AWS?


Security Groups on AWS block everything by default, so you only define what you allow. As a result, you cannot block an IP using a Security Group, e.g. to prevent a specific IP from accessing your web port.

A Network ACL is right there for that need. You need to define the IP(s) you want to block and remember to keep rule 100 always in place :)
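The reason rule 100 matters is the evaluation order: a network ACL is checked in ascending rule-number order and the first match wins, so a deny entry numbered above the catch-all allow at 100 is never reached. The following is an added example, not from the post: it builds the parameter objects for the EC2 createNetworkAclEntry call (AWS SDK for JavaScript parameter names) for one or more blocked IPs and refuses a rule number that would land at or above the allow rule. NETWORK_ACL_ID is a placeholder for your own VPC's ACL id.

```javascript
// Added example: parameters for createNetworkAclEntry that deny single IPs,
// with the ordering check implied by "keep rule 100 in place".
const NETWORK_ACL_ID = 'acl-PLACEHOLDER';
const ALLOW_RULE_NUMBER = 100; // the catch-all allow that must stay in place

function isIpv4(s) {
  const parts = String(s).split('.');
  return parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Returns the params object for createNetworkAclEntry, or throws when the
// entry would be ineffective (bad address, or numbered after the allow rule).
function buildDenyEntry(ip, ruleNumber, { egress = false, aclId = NETWORK_ACL_ID } = {}) {
  if (!isIpv4(ip)) throw new Error(`not an IPv4 address: ${ip}`);
  if (!Number.isInteger(ruleNumber) || ruleNumber < 1 || ruleNumber >= ALLOW_RULE_NUMBER) {
    throw new Error(`deny rule ${ruleNumber} must be between 1 and ${ALLOW_RULE_NUMBER - 1} so it is evaluated before the allow rule`);
  }
  return {
    NetworkAclId: aclId,
    RuleNumber: ruleNumber,
    Protocol: '-1',      // all protocols and ports
    RuleAction: 'deny',
    Egress: egress,      // false = inbound; ACLs are stateless, so inbound alone stops access
    CidrBlock: `${ip}/32`,
  };
}

// Allocate consecutive rule numbers for a list of IPs, all below the allow
// rule. Throws when the list would spill past it.
function buildBlockList(ips, firstRule = 1) {
  if (firstRule + ips.length - 1 >= ALLOW_RULE_NUMBER) {
    throw new Error('not enough rule numbers below the allow rule for this list');
  }
  return ips.map((ip, i) => buildDenyEntry(ip, firstRule + i));
}

// Constructed addresses (documentation ranges), shown when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildBlockList(['198.51.100.1', '198.51.100.2'], 10));
}
```

Each object maps one to one onto aws ec2 create-network-acl-entry flags if you prefer the CLI. Keep an eye on the number of entries as well: a network ACL has a default quota of 20 rules, so a long block list belongs in a WAF or a host firewall rather than the ACL.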


AWS Elasticbeanstalk NewRelic agent installation


Credits to @umitunal_

packages:
  yum:
    newrelic-sysmond: []
  rpm:
    newrelic: http://yum.newrelic.com/pub/newrelic/el5/x86_64/newrelic-repo-5-3.noarch.rpm
# commands is a top-level key of the .ebextensions config, not nested under packages;
# packages are installed before commands run, so nrsysmond-config is available here
commands:
  "01":
    command: nrsysmond-config --set license_key=xxxxxxxxxxxxxx
  "02":
    command: echo hostname=NameOfYourServer >> /etc/newrelic/nrsysmond.cfg
  "03":
    command: /etc/init.d/newrelic-sysmond start

AWS SSL Certificate cannot be added


Although the private and public keys are valid (already tested on another platform), the AWS Web Console gives an error while I am trying to define them under ELB Listeners.

In order to debug the situation, the following command line will be helpful:

aws iam upload-server-certificate --server-certificate-name my-server-cert --certificate-body file://my-certificate.pem --private-key file://my-private-key.pem --certificate-chain file://my-certificate-chain.pem --debug
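Before reaching for --debug it is worth checking the three files for the input mistakes that produce an opaque console error: the wrong kind of PEM block in a file, an encrypted private key (IAM wants it unencrypted), more than one certificate in the body, or the server certificate repeated in the chain, which should carry only the intermediate(s). The following is an added example, not from the post: a lint over the file contents as strings. The PEM payloads in sampleFiles() are constructed placeholders, not real key material.

```javascript
// Added example: pre-flight lint of the PEM inputs to upload-server-certificate.
// The inputs are the file contents as strings; nothing here parses ASN.1.
const PEM_RE = /-----BEGIN ([A-Z ]+)-----\r?\n([\s\S]*?)\r?\n-----END \1-----/g;

// Split a PEM file into its blocks: [{ label, payload }], whitespace stripped
// from the payload so identical certificates compare equal.
function pemBlocks(text) {
  return [...text.matchAll(PEM_RE)].map((m) => ({ label: m[1], payload: m[2].replace(/\s+/g, '') }));
}

// Returns an array of findings; empty means the files look like what IAM expects.
function lintServerCertificate({ body, privateKey, chain }) {
  const findings = [];

  const certs = pemBlocks(body);
  if (certs.length !== 1 || certs[0].label !== 'CERTIFICATE') {
    findings.push(`certificate body must hold exactly one CERTIFICATE block, found: ${certs.map((c) => c.label).join(', ') || 'none'}`);
  }

  const keys = pemBlocks(privateKey);
  if (keys.length !== 1) {
    findings.push(`private key file must hold exactly one PEM block, found ${keys.length}`);
  } else if (keys[0].label === 'ENCRYPTED PRIVATE KEY' || /Proc-Type: 4,ENCRYPTED/.test(privateKey)) {
    findings.push('private key is encrypted; IAM needs an unencrypted PEM key');
  } else if (!keys[0].label.endsWith('PRIVATE KEY')) {
    findings.push(`private key file holds a ${keys[0].label} block, not a private key`);
  }

  if (chain !== undefined) {
    const links = pemBlocks(chain);
    if (links.length === 0 || links.some((l) => l.label !== 'CERTIFICATE')) {
      findings.push('chain must hold one or more CERTIFICATE blocks and nothing else');
    }
    if (certs.length === 1 && links.some((l) => l.payload === certs[0].payload)) {
      findings.push('chain repeats the server certificate; it should hold the intermediate(s) only');
    }
  }
  return findings;
}

// Constructed PEM files with placeholder payloads (not real certificates or keys).
function sampleFiles() {
  const block = (label, payload) => `-----BEGIN ${label}-----\n${payload}\n-----END ${label}-----\n`;
  const leaf = block('CERTIFICATE', 'LEAF+constructed+placeholder==');
  const intermediate = block('CERTIFICATE', 'INTERMEDIATE+constructed+placeholder==');
  return {
    good: { body: leaf, privateKey: block('RSA PRIVATE KEY', 'KEY+constructed+placeholder=='), chain: intermediate },
    encryptedKeyAndLeafInChain: { body: leaf, privateKey: block('ENCRYPTED PRIVATE KEY', 'KEY+constructed=='), chain: leaf + intermediate },
    twoCertsAndCsr: { body: intermediate + leaf, privateKey: block('CERTIFICATE REQUEST', 'CSR+constructed==') },
  };
}
```

When you do run the CLI with --debug, remember that it logs the full request, private key parameter included, so scrub the output before pasting it into a ticket.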

