https://vlasov.pro/en/Recent content on DevOps NotesHugo -- gohugo.ioen-USSun, 25 Jan 2026 14:55:27 +0200https://vlasov.pro/en/p/dm-crypt-nuke/Thu, 16 Jan 2025 00:00:00 +0000https://vlasov.pro/en/p/dm-crypt-nuke/<img src="https://vlasov.pro/ru/p/dm-crypt-nuke/logo.webp" alt="Featured image of post Clever Disk Encryption with dm-crypt Nuke" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p>Disk encryption using <code>dm-crypt</code> is a reliable way to protect data. However, in extreme situations, it may be necessary to instantly and irreversibly destroy encryption keys to render the data inaccessible. The <strong>nuke</strong> mechanism can be used for this purpose, activated by entering a special password.</p> <p>In this article, we will explore how to implement <strong>nuke</strong> in <code>dm-crypt</code> using <strong>initramfs</strong>, <code>cryptsetup</code>, and <code>mkpasswd</code>.</p> <p>The developed hook is capable of:</p> <ol> <li>Decrypting the disk using data from a file.</li> <li>Prompting for a password if the file is not found.</li> <li>Deleting all keys if the entered password is a nuke password.</li> </ol> <p><strong>Important!</strong> This setup works on Ubuntu 22.04.5. Other distributions might require different configurations. In any case, here is an article on <a class="link" href="../gpt-btrfs-gnome/#grub-recovery-script" >recovering Grub</a>.</p> <h2 id="environment-setup">Environment Setup <a href="#environment-setup">¶</a></h2> <p>Before starting, ensure that the necessary utilities are installed:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo apt update </span></span><span class="line"><span class="cl">sudo apt install cryptsetup initramfs-tools whois </span></span></code></pre></td></tr></table> </div> </div><h2 id="adding-mkpasswd-support-in-initramfs">Adding <code>mkpasswd</code> Support in initramfs <a href="#adding-mkpasswd-support-in-initramfs">¶</a></h2> <p>The <strong>nuke</strong> mechanism requires <code>mkpasswd</code>, which is used to verify the entered password. We need to add it to initramfs by creating a hook:</p> <p>File <code>/etc/initramfs-tools/hooks/mkpasswd</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="cp">#!/bin/sh </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="nb">set</span> -e </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[</span> <span class="s2">&#34;</span><span class="nv">$1</span><span class="s2">&#34;</span> <span class="o">=</span> <span class="s2">&#34;prereqs&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">. /usr/share/initramfs-tools/hook-functions </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> ! <span class="nb">command</span> -v mkpasswd 1&gt;/dev/null<span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;error: mkpasswd executable is not found, install it.&#34;</span> 1&gt;<span class="p">&amp;</span><span class="m">2</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">copy_exec <span class="s2">&#34;</span><span class="k">$(</span><span class="nb">command</span> -v mkpasswd<span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">copy_exec <span class="s2">&#34;</span><span class="k">$(</span><span class="nb">command</span> -v dd<span class="k">)</span><span class="s2">&#34;</span> /sbin </span></span></code></pre></td></tr></table> </div> </div><p>Make it executable:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo chmod +x /etc/initramfs-tools/hooks/mkpasswd </span></span></code></pre></td></tr></table> </div> </div><h2 id="creating-the-decrypt_smart_nuke-script">Creating the <code>decrypt_smart_nuke</code> Script <a href="#creating-the-decrypt_smart_nuke-script">¶</a></h2> <p>File <code>/usr/lib/cryptsetup/scripts/decrypt_smart_nuke</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="cp">#!/bin/sh </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="nb">set</span> -e </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">KEYFILE_ENABLED</span><span class="o">=</span><span class="s1">&#39;false&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">NUKE_ENABLED</span><span class="o">=</span><span class="s1">&#39;false&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">KEYFILE_PATH</span><span class="o">=</span><span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">KEYFILE_OFFSET</span><span class="o">=</span><span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="nv">KEYFILE_SIZE</span><span class="o">=</span><span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">NUKE_PASSWORD</span><span class="o">=</span><span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">CRYPTTAB_TRIED</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">CRYPTTAB_TRIED</span><span class="p">?:</span><span class="nv">CRYPTTAB_TRIED</span><span class="p"> is not defined</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">CRYPTTAB_NAME</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">CRYPTTAB_NAME</span><span class="p">?:</span><span class="nv">CRYPTTAB_NAME</span><span class="p"> is not defined</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">CRYPTTAB_SOURCE</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">CRYPTTAB_SOURCE</span><span class="p">?:</span><span class="nv">CRYPTTAB_SOURCE</span><span class="p"> is not defined</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">ASKPASS</span><span class="o">=</span><span class="s1">&#39;/lib/cryptsetup/askpass&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ┬─┐┬ ┐┌┐┐┌─┐┌┐┐o┌─┐┌┐┐┐─┐</span> </span></span><span class="line"><span class="cl"><span class="c1"># ├─ │ │││││ │ ││ ││││└─┐</span> </span></span><span class="line"><span class="cl"><span class="c1"># ┘ ┘─┘┘└┘└─┘ ┘ ┘┘─┘┘└┘──┘</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Logging helpers. Send the argument list to plymouth(1), or fold it</span> </span></span><span class="line"><span class="cl"><span class="c1"># and print it to the standard error.</span> </span></span><span class="line"><span class="cl">message<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">local</span> <span class="nv">IFS</span><span class="o">=</span><span class="s1">&#39; &#39;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[</span> <span class="s2">&#34;</span><span class="si">${</span><span class="nv">0</span><span class="p">#/scripts/</span><span class="si">}</span><span class="s2">&#34;</span> !<span class="o">=</span> <span class="s2">&#34;</span><span class="nv">$0</span><span class="s2">&#34;</span> <span class="o">]</span> <span class="o">&amp;&amp;</span> <span class="o">[</span> -x /bin/plymouth <span class="o">]</span> <span class="o">&amp;&amp;</span> plymouth --ping<span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> plymouth message --text<span class="o">=</span><span class="s2">&#34;cryptsetup: </span><span class="nv">$*</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="o">[</span> <span class="si">${#</span><span class="p">*</span><span class="si">}</span> -lt <span class="m">70</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;cryptsetup: </span><span class="nv">$*</span><span class="s2">&#34;</span> 1&gt;<span class="p">&amp;</span><span class="m">2</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="c1"># use busybox&#39;s fold(1) and sed(1) at initramfs stage</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;cryptsetup: </span><span class="nv">$*</span><span class="s2">&#34;</span> <span class="p">|</span> fold -s <span class="p">|</span> sed <span class="s1">&#39;1! s/^/ /&#39;</span> 1&gt;<span class="p">&amp;</span><span class="m">2</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">parse_options<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">local</span> <span class="nv">IFS</span><span class="o">=</span><span class="s2">&#34;,&#34;</span> key value regex </span></span><span class="line"><span class="cl"> <span class="k">for</span> option in <span class="nv">$1</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nv">key</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">option</span><span class="p">%%=*</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nv">value</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">option</span><span class="p">#*=</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s2">&#34;</span><span class="nv">$key</span><span class="s2">&#34;</span> in </span></span><span class="line"><span class="cl"> keyfile-path<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[</span> ! -e <span class="s2">&#34;</span><span class="nv">$value</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> message <span class="s2">&#34;warning: keyfile at </span><span class="nv">$value</span><span class="s2"> does not exist&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nb">export</span> <span class="nv">KEYFILE_ENABLED</span><span class="o">=</span><span class="s2">&#34;true&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">export</span> <span class="nv">KEYFILE_PATH</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$value</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="p">;;</span> </span></span><span class="line"><span class="cl"> keyfile-offset<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">export</span> <span class="nv">KEYFILE_OFFSET</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$value</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">;;</span> </span></span><span class="line"><span class="cl"> keyfile-size<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">export</span> <span class="nv">KEYFILE_SIZE</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$value</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">;;</span> </span></span><span class="line"><span class="cl"> nuke<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="nv">regex</span><span class="o">=</span><span class="s1">&#39;(\$[^$]+){3,}&#39;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> ! <span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$value</span><span class="s2">&#34;</span> <span class="p">|</span> grep -qE <span class="s2">&#34;</span><span class="nv">$regex</span><span class="s2">&#34;</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> message <span class="s2">&#34;</span><span class="k">$(</span><span class="nb">printf</span> <span class="s2">&#34;error: password hash does not match the regex &#39;%s&#39;: %s\n&#34;</span> <span class="s2">&#34;</span><span class="nv">$regex</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$value</span><span class="s2">&#34;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="nb">export</span> <span class="nv">NUKE_ENABLED</span><span class="o">=</span><span class="s2">&#34;true&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">export</span> <span class="nv">NUKE_PASSWORD</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$value</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">;;</span> </span></span><span class="line"><span class="cl"> none<span class="o">)</span> true<span class="p">;;</span> </span></span><span class="line"><span class="cl"> *<span class="o">)</span> </span></span><span class="line"><span class="cl"> message <span class="s2">&#34;error: unknown option </span><span class="nv">$key</span><span class="s2">: </span><span class="nv">$value</span><span class="s2">&#34;</span> 1&gt;<span class="p">&amp;</span><span class="m">2</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"> <span class="p">;;</span> </span></span><span class="line"><span class="cl"> <span class="k">esac</span> </span></span><span class="line"><span class="cl"> <span class="k">done</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">read_keyfile<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[</span> <span class="s2">&#34;</span><span class="nv">$KEYFILE_ENABLED</span><span class="s2">&#34;</span> !<span class="o">=</span> <span class="s1">&#39;true&#39;</span> <span class="o">]</span> <span class="o">||</span> <span class="o">[</span> <span class="s2">&#34;</span><span class="nv">$CRYPTTAB_TRIED</span><span class="s2">&#34;</span> -ne <span class="m">0</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[</span> -n <span class="s2">&#34;</span><span class="nv">$KEYFILE_SIZE</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> dd <span class="k">if</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$KEYFILE_PATH</span><span class="s2">&#34;</span> <span class="nv">iflag</span><span class="o">=</span>skip_bytes <span class="nv">skip</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$KEYFILE_OFFSET</span><span class="s2">&#34;</span> <span class="nv">bs</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$KEYFILE_SIZE</span><span class="s2">&#34;</span> <span class="nv">count</span><span class="o">=</span><span class="m">1</span> 2&gt;/dev/null </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> dd <span class="k">if</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$KEYFILE_PATH</span><span class="s2">&#34;</span> <span class="nv">iflag</span><span class="o">=</span>skip_bytes <span class="nv">skip</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$KEYFILE_OFFSET</span><span class="s2">&#34;</span> 2&gt;/dev/null </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">nuke<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> YES <span class="p">|</span> cryptsetup erase <span class="s2">&#34;</span><span class="nv">$CRYPTTAB_SOURCE</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> 1&gt;<span class="p">&amp;</span><span class="m">2</span> <span class="s1">&#39;&#39;&#39; </span></span></span><span class="line"><span class="cl"><span class="s1"> ________________ </span></span></span><span class="line"><span class="cl"><span class="s1"> ____/ ( ( ) ) \___ </span></span></span><span class="line"><span class="cl"><span class="s1"> /( ( ( ) _ )) ) )\ </span></span></span><span class="line"><span class="cl"><span class="s1"> (( ( )( ) ) ( ) ) </span></span></span><span class="line"><span class="cl"><span class="s1"> ((/ ( _( ) ( _) ) ( () ) ) </span></span></span><span class="line"><span class="cl"><span class="s1"> ( ( ( (_) (( ( ) .((_ ) . )_ </span></span></span><span class="line"><span class="cl"><span class="s1"> ( ( ) ( ( ) ) ) . ) ( ) </span></span></span><span class="line"><span class="cl"><span class="s1"> ( ( ( ( ) ( _ ( _) ). ) . ) ) ( ) </span></span></span><span class="line"><span class="cl"><span class="s1"> ( ( ( ) ( ) ( )) ) _)( ) ) ) </span></span></span><span class="line"><span class="cl"><span class="s1"> ( ( ( \ ) ( (_ ( ) ( ) ) ) ) )) ( ) </span></span></span><span class="line"><span class="cl"><span class="s1"> ( ( ( ( (_ ( ) ( _ ) ) ( ) ) ) </span></span></span><span class="line"><span class="cl"><span class="s1"> ( ( ( ( ( ) (_ ) ) ) _) ) _( ( ) </span></span></span><span class="line"><span class="cl"><span class="s1"> (( ( )( ( _ ) _) _(_ ( (_ ) </span></span></span><span class="line"><span class="cl"><span class="s1"> (_((__(_(__(( ( ( | ) ) ) )_))__))_)___) </span></span></span><span class="line"><span class="cl"><span class="s1"> ((__) \\||lll|l||/// \_)) </span></span></span><span class="line"><span class="cl"><span class="s1"> ( /(/ ( ) ) )\ ) </span></span></span><span class="line"><span class="cl"><span class="s1"> ( ( ( ( | | ) ) )\ ) </span></span></span><span class="line"><span class="cl"><span class="s1"> ( /(| / ( )) ) ) )) ) </span></span></span><span class="line"><span class="cl"><span class="s1"> ( ( ((((_(|)_))))) ) </span></span></span><span class="line"><span class="cl"><span class="s1"> ( ||\(|(|)|/|| ) </span></span></span><span class="line"><span class="cl"><span class="s1"> ( |(||(||)|||| ) </span></span></span><span class="line"><span class="cl"><span class="s1"> ( //|/l|||)|\\ \ ) </span></span></span><span class="line"><span class="cl"><span class="s1"> (/ / // /|//||||\\ \ \ \ _) </span></span></span><span class="line"><span class="cl"><span class="s1">-----------------------------!!! YOU ARE NUKED !!!----------------------------- </span></span></span><span class="line"><span class="cl"><span class="s1">&#39;&#39;&#39;</span> </span></span><span class="line"><span class="cl"> message <span class="s2">&#34;Data destroyed! They may try to extract information from you, but there&#39;s nothing more you can do. Good luck!&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">read_interactive<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">local</span> password salt </span></span><span class="line"><span class="cl"> <span class="nv">password</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span><span class="nv">$ASKPASS</span> <span class="s2">&#34;Enter passphrase for </span><span class="nv">$CRYPTTAB_NAME</span><span class="s2"> (</span><span class="nv">$CRYPTTAB_SOURCE</span><span class="s2">): &#34;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[</span> <span class="s2">&#34;</span><span class="nv">$NUKE_ENABLED</span><span class="s2">&#34;</span> <span class="o">=</span> <span class="s1">&#39;true&#39;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nv">salt</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span><span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$NUKE_PASSWORD</span><span class="s2">&#34;</span> <span class="p">|</span> cut -d$ -f3<span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> method in bcrypt bcrypt-a sha256crypt sha512crypt md5crypt<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> mkpasswd -m <span class="s2">&#34;</span><span class="nv">$method</span><span class="s2">&#34;</span> -S <span class="s2">&#34;</span><span class="nv">$salt</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$password</span><span class="s2">&#34;</span> 2&gt;/dev/null <span class="p">|</span> grep -qF -- <span class="s2">&#34;</span><span class="nv">$NUKE_PASSWORD</span><span class="s2">&#34;</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> nuke </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="k">done</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s2">&#34;%s&#34;</span> <span class="s2">&#34;</span><span class="nv">$password</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ┌─┐┬ ┬┬─┐┌─┐┬┌ ┐─┐</span> </span></span><span class="line"><span class="cl"><span class="c1"># │ │─┤├─ │ ├┴┐└─┐</span> </span></span><span class="line"><span class="cl"><span class="c1"># └─┘┘ ┴┴─┘└─┘┘ ┘──┘</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> ! <span class="nb">command</span> -v mkpasswd 1&gt;/dev/null 2&gt;<span class="p">&amp;</span>1<span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> message <span class="s2">&#34;error: mkpasswd binary is not found&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">elif</span> <span class="o">[</span> ! -f <span class="s2">&#34;</span><span class="nv">$ASKPASS</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> message <span class="s2">&#34;error: </span><span class="nv">$ASKPASS</span><span class="s2"> does not exist&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">elif</span> <span class="o">[</span> ! -e <span class="s2">&#34;</span><span class="nv">$CRYPTTAB_SOURCE</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> message <span class="s2">&#34;error: crypttab source device does not exist&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ┌┌┐┬─┐o┌┐┐</span> </span></span><span class="line"><span class="cl"><span class="c1"># ││││─┤││││</span> </span></span><span class="line"><span class="cl"><span class="c1"># ┘ ┘┘ ┘┘┘└┘</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">parse_options <span class="s2">&#34;</span><span class="nv">$1</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">read_keyfile </span></span><span class="line"><span class="cl">read_interactive </span></span></code></pre></td></tr></table> </div> </div><p>Make it executable:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo chmod +x /usr/lib/cryptsetup/scripts/decrypt_smart_nuke </span></span></code></pre></td></tr></table> </div> </div><h2 id="boot-configuration">Boot Configuration <a href="#boot-configuration">¶</a></h2> <p>Edit <code>/etc/default/grub</code> and add the <code>cryptdevice</code> argument:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="nv">GRUB_CMDLINE_LINUX_DEFAULT</span><span class="o">=</span><span class="s2">&#34;... cryptdevice=UUID=bb85fe0a-4ef7-49c4-b15c-fb613d51e9ef:cryptroot&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Then add the following line to <code>/etc/crypttab</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">cryptroot <span class="nv">UUID</span><span class="o">=</span>bb85fe0a-4ef7-49c4-b15c-fb613d51e9ef keyfile-path<span class="o">=</span>/dev/mmcblk0,keyfile-offset<span class="o">=</span>8932578598,keyfile-size<span class="o">=</span>11045,nuke<span class="o">=</span>HASH luks,discard,keyscript<span class="o">=</span>decrypt_smart_nuke </span></span></code></pre></td></tr></table> </div> </div><p>To generate a hash for the nuke password:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">mkpasswd -m sha512crypt --rounds<span class="o">=</span><span class="m">5000</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="updating-initramfs">Updating initramfs <a href="#updating-initramfs">¶</a></h2> <p>After making all changes, update initramfs and grub:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo update-initramfs -u </span></span><span class="line"><span class="cl">sudo update-grub2 </span></span></code></pre></td></tr></table> </div> </div><h2 id="conclusion">Conclusion <a href="#conclusion">¶</a></h2> <p>Now, if the <strong>nuke password</strong> is entered at boot, the script will destroy the encryption keys, making the data inaccessible. This method is suitable for critical situations requiring rapid and irreversible data protection.</p> <p>Additionally, the system will decrypt itself automatically if the key file is present. If needed, the USB drive can be removed, prompting the system for a password.</p> <p><strong>Backup your LUKS header before enabling this!</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">sudo cryptsetup luksHeaderBackup /dev/sda1 --header-backup-file ./backup.luks </span></span></code></pre></td></tr></table> </div> </div>https://vlasov.pro/en/p/node-role-labeler/Tue, 08 Oct 2024 00:00:00 +0000https://vlasov.pro/en/p/node-role-labeler/<img src="https://vlasov.pro/ru/p/node-role-labeler/logo.webp" alt="Featured image of post Kubernetes Node role labeler" /><h2 id="description">Description <a href="#description">¶</a></h2> <p><a class="link" href="https://github.com/vlasov-y/node-role-labeler" target="_blank" rel="noopener" >Node Role Labeler</a> has long been sought after, a simple operator, but the task is fulfilled. The problem is that Kubernetes, specifically kubelet, cannot assign itself a label of <code>node-role.kubernetes.io/ROLE_NAME</code> when creating a node, because of the kubernetes.io protected prefix. Not very convenient.</p> <p>Here I have <a class="link" href="https://karpenter.sh" target="_blank" rel="noopener" >Karpenter</a>, or <a class="link" href="https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler" target="_blank" rel="noopener" >Cluster Autoscaler</a>, no matter what, I want nodes to have nice roles immediately, and it does not come out of the box only by hand. Now we can attach <code>node-role.cluster.local/NAME</code> and the operator will create an automatically copy with a domain kubernetes.io. In reverse also works. More information - read on GitHub.</p> <h2 id="demo">Demo <a href="#demo">¶</a></h2> <script src="https://asciinema.org/a/679600.js" id="asciicast-679600" async="true"></script> <h2 id="karpenter-configuration">Karpenter configuration <a href="#karpenter-configuration">¶</a></h2> <p>Here is how we can immediately attach labels to Karpenter nodes.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span><span class="lnt">90 </span><span class="lnt">91 </span><span class="lnt">92 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">karpenter.k8s.aws/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">EC2NodeClass</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">private</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">amiFamily</span><span class="p">:</span><span class="w"> </span><span class="l">AL2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">metadataOptions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">httpEndpoint</span><span class="p">:</span><span class="w"> </span><span class="l">enabled</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">httpProtocolIPv6</span><span class="p">:</span><span class="w"> </span><span class="l">disabled</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">httpPutResponseHopLimit</span><span class="p">:</span><span class="w"> </span><span class="m">2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">httpTokens</span><span class="p">:</span><span class="w"> </span><span class="l">required</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l">Karpenter-development-role</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">securityGroupSelectorTerms</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">tags</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">karpenter.sh/discovery</span><span class="p">:</span><span class="w"> </span><span class="l">development</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">subnetSelectorTerms</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">tags</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">karpenter.sh/discovery/development/subnet</span><span class="p">:</span><span class="w"> </span><span class="l">private</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tags</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">karpenter.sh/discovery</span><span class="p">:</span><span class="w"> </span><span class="l">development</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">karpenter.sh/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">NodePool</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="kc">on</span>-<span class="l">demand-amd64</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">disruption</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">budgets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">nodes</span><span class="p">:</span><span class="w"> </span><span class="m">20</span><span class="l">%</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">nodes</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;5&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">duration</span><span class="p">:</span><span class="w"> </span><span class="l">20h</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">nodes</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">5</span><span class="w"> </span>*<span class="w"> </span>*<span class="w"> </span>*<span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">consolidationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l">WhenUnderutilized</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">expireAfter</span><span class="p">:</span><span class="w"> </span><span class="l">720h</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;200&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l">400Gi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">node-role.cluster.local/on-demand-amd64</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">nodeClassRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">private</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">requirements</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">kubernetes.io/arch</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">In</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">values</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">amd64</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">node.kubernetes.io/instance-type</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">In</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">values</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">r5a.4xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">r5a.2xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">r5a.xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">r5a.large</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">r5a.medium</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">r5.4xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">r5.2xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">r5.xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">r5.large</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">r5.medium</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">m6i.4xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">m6i.2xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">m6i.xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">m6i.large</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">m6i.medium</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">m5a.4xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">m5a.2xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">m5a.xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">m5a.large</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">m5a.medium</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">c6a.4xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">c6a.2xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">c6a.xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">c6a.large</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">c6a.medium</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">c6.4xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">c6.2xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">c6.xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">c6.large</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">c6.medium</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">t3a.4xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">t3a.2xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">t3a.xlarge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">t3a.large</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">t3a.medium</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">karpenter.sh/capacity-type</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">In</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">values</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="kc">on</span>-<span class="l">demand</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div>https://vlasov.pro/en/p/btrfs-checksum/Sun, 30 Jul 2023 00:00:00 +0000https://vlasov.pro/en/p/btrfs-checksum/<img src="https://vlasov.pro/ru/p/btrfs-checksum/logo.webp" alt="Featured image of post BTRFS checksum benchmark" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p>I&rsquo;m switching to a new hardware and I&rsquo;m using a clean SSD. Now, I&rsquo;m facing the choice of the algorithm for the BTRFS file system. Here is a script that I used to determine which one was the fastest on my specific processor.</p> <h2 id="body">Body <a href="#body">¶</a></h2> <p>I started by searching for an utility to measure the performance of different hash algorithms. Why? Because, no matter how fast an algorithm seems on paper, if it&rsquo;s not supported by my processor - it will be slow. And how can I know what&rsquo;s supported by my processor? In the specification online, I didn&rsquo;t find any information.</p> <p>I stumbled upon the <a class="link" href="https://github.com/rhash/RHash" target="_blank" rel="noopener" >rhash</a> utility, which has a <code>--speed</code> key. That&rsquo;s where I tried to measure performance, but the results of <code>blake2b</code> and <code>crc32c</code> were almost identical, which seemed strange to me. In the end, I came up with this script.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="cp">#!/usr/bin/env bash </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="nb">set</span> -eo pipefail </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">TMPFS</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>mktemp -d<span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">SIZE</span><span class="o">=</span><span class="s2">&#34;5G&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mount -t tmpfs -o <span class="nv">size</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">SIZE</span><span class="si">}</span><span class="s2">&#34;</span> tmpfs <span class="s2">&#34;</span><span class="si">${</span><span class="nv">TMPFS</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">cd</span> <span class="s2">&#34;</span><span class="si">${</span><span class="nv">TMPFS</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">fallocate -l 4GiB btrfs </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> CSUM in crc32c xxhash sha256 blake2<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> mkfs.btrfs -f -d single -m single --csum <span class="s2">&#34;</span><span class="si">${</span><span class="nv">CSUM</span><span class="si">}</span><span class="s2">&#34;</span> btrfs </span></span><span class="line"><span class="cl"> mount btrfs /mnt </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> cd /mnt </span></span></span><span class="line"><span class="cl"><span class="s2"> echo &#34;</span>info: <span class="si">${</span><span class="nv">CSUM</span><span class="si">}</span><span class="s2">&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> dd if=/dev/urandom of=test bs=4M count=1024 2&gt;/dev/null </span></span></span><span class="line"><span class="cl"><span class="s2"> rm -f test </span></span></span><span class="line"><span class="cl"><span class="s2"> for i in {1..1000}; do </span></span></span><span class="line"><span class="cl"><span class="s2"> dd if=/dev/urandom of=&#34;</span><span class="se">\$</span>i<span class="s2">&#34; bs=4M count=1 2&gt;/dev/null </span></span></span><span class="line"><span class="cl"><span class="s2"> done </span></span></span><span class="line"><span class="cl"><span class="s2"> rm -f /mnt/* </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;</span> <span class="p">|</span> /usr/bin/time bash </span></span><span class="line"><span class="cl"> umount /mnt </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">umount <span class="s2">&#34;</span><span class="si">${</span><span class="nv">TMPFS</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">rm -rf <span class="s2">&#34;</span><span class="si">${</span><span class="nv">TMPFS</span><span class="si">}</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>What&rsquo;s going on here?</p> <ol> <li>A tmpfs temporary mount point is created on 5 GB (right in the RAM, so it doesn&rsquo;t depend on SSD/HDD)</li> <li>Inside a file of 4 GB is created and then formatted as BTRFS with different hash algorithms</li> <li>For each algorithm, two file writing modes are performed: <ol> <li>One large file of 4 GB</li> <li>1000 files of 4 MB</li> </ol> </li> <li>At the end, the <code>time</code> command outputs the script execution time</li> </ol> <p>On my <em>11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz</em> processor, the best result was shown by the old and good <strong>crc32c</strong> (~35 seconds), while the others were around ~52 seconds.</p>https://vlasov.pro/en/p/redis-migration/Sun, 25 Jun 2023 00:00:00 +0000https://vlasov.pro/en/p/redis-migration/<img src="https://vlasov.pro/ru/p/redis-migration/logo.webp" alt="Featured image of post Redis Migration Script" /><h2 id="old-method">Old Method <a href="#old-method">¶</a></h2> <p>Sometimes you need to migrate data from one Redis server to another, or between other databases. Previously, I could transfer data from a server only through a full backup, but this does not allow for migrating data between bases. Here is the algorithm.</p> <ol> <li>Enter into the original Redis and make Save</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">REDISCLI_AUTH</span><span class="o">=</span><span class="s2">&#34;password&#34;</span> </span></span><span class="line"><span class="cl">redis-cli CONFIG GET DIR </span></span><span class="line"><span class="cl">redis-cli SAVE </span></span></code></pre></td></tr></table> </div> </div><p>The first command will print the path to the directory where the dump will be stored.</p> <ol start="2"> <li>Add arguments to the target Redis to disable AppendOnly and restart it</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">--dbfilename dump.rdb </span></span><span class="line"><span class="cl">--appendonly no </span></span></code></pre></td></tr></table> </div> </div><ol start="3"> <li>Copy the dump to the target Redis and execute its loading</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">REDISCLI_AUTH</span><span class="o">=</span><span class="s2">&#34;password&#34;</span> </span></span><span class="line"><span class="cl">redis-cli BGREWRITEAOF </span></span></code></pre></td></tr></table> </div> </div><ol start="4"> <li>Move the target Redis to the AppendOnly mode by removing previously added keys</li> </ol> <blockquote> <p>Why migrate data between bases?</p> </blockquote> <p>In my old cluster, I had two services, each with their own Redis server. In any Redis there are 16 default databases, why not use #0 for service A and #2 for service B? Here you hit into the migration problem from base to base.</p> <h2 id="new-method">New Method <a href="#new-method">¶</a></h2> <p>Based on <a class="link" href="https://redis.io/commands/migrate/" target="_blank" rel="noopener" >MIGRATE</a>. The script is presented below. Its advantages are also.</p> <ol> <li>can migrate between bases</li> <li>no need to restart Redis</li> <li>no need to copy backups</li> <li>There is a check after transferring by calculating the hash sum considering both key contents</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="cp">#!/usr/bin/env sh </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="nb">set</span> -e </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">SRC_HOSTNAME</span><span class="o">=</span><span class="s1">&#39;source-redis-hostname&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">SRC_PORT</span><span class="o">=</span><span class="s1">&#39;6379&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">SRC_PASSWORD</span><span class="o">=</span><span class="s1">&#39;password&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">SRC_DATABASE</span><span class="o">=</span><span class="s1">&#39;0&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">DEST_HOSTNAME</span><span class="o">=</span><span class="s1">&#39;destination-redis-hostname&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">DEST_PORT</span><span class="o">=</span><span class="s1">&#39;6379&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">DEST_PASSWORD</span><span class="o">=</span><span class="s1">&#39;password&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">DEST_DATABASE</span><span class="o">=</span><span class="s1">&#39;1&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">main<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> migrate <span class="p">|</span> xargs -0 <span class="nb">printf</span> <span class="s1">&#39;migration status: %s&#39;</span> </span></span><span class="line"><span class="cl"> <span class="nv">CHECKSUM</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>mktemp<span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">hash</span> --no-auth-warning -h <span class="s2">&#34;</span><span class="si">${</span><span class="nv">SRC_HOSTNAME</span><span class="si">}</span><span class="s2">&#34;</span> -p <span class="s2">&#34;</span><span class="si">${</span><span class="nv">SRC_PORT</span><span class="si">}</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -a <span class="s2">&#34;</span><span class="si">${</span><span class="nv">SRC_PASSWORD</span><span class="si">}</span><span class="s2">&#34;</span> -n <span class="s2">&#34;</span><span class="si">${</span><span class="nv">SRC_DATABASE</span><span class="si">}</span><span class="s2">&#34;</span> <span class="p">|</span> tee <span class="s2">&#34;</span><span class="si">${</span><span class="nv">CHECKSUM</span><span class="si">}</span><span class="s2">&#34;</span> <span class="p">|</span> xargs -0 <span class="nb">printf</span> <span class="s1">&#39;source checksum: %s&#39;</span> </span></span><span class="line"><span class="cl"> <span class="nv">CHECKSUM_VERIFY</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">CHECKSUM</span><span class="si">}</span><span class="s2">&#34;</span> <span class="nb">hash</span> --no-auth-warning -h <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DEST_HOSTNAME</span><span class="si">}</span><span class="s2">&#34;</span> -p <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DEST_PORT</span><span class="si">}</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -a <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DEST_PASSWORD</span><span class="si">}</span><span class="s2">&#34;</span> -n <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DEST_DATABASE</span><span class="si">}</span><span class="s2">&#34;</span> <span class="p">|</span> xargs -0 <span class="nb">printf</span> <span class="s1">&#39;target checksum validation: %s&#39;</span> </span></span><span class="line"><span class="cl"> rm -f <span class="s2">&#34;</span><span class="si">${</span><span class="nv">CHECKSUM</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">hash<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">EXTRA_ARGS</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="p">@</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> redis-cli <span class="si">${</span><span class="nv">EXTRA_ARGS</span><span class="si">}</span> --raw --scan <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> sed -r <span class="s1">&#39;s/&#34;/\\&#34;/g; s/^(.+)$/GET &#34;\1&#34;/g;&#39;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> redis-cli <span class="si">${</span><span class="nv">EXTRA_ARGS</span><span class="si">}</span> <span class="p">|</span> sort <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="k">if</span> <span class="o">[</span> -f <span class="s2">&#34;</span><span class="si">${</span><span class="nv">CHECKSUM_VERIFY</span><span class="si">}</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> sha256sum -c <span class="s2">&#34;</span><span class="si">${</span><span class="nv">CHECKSUM_VERIFY</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> sha256sum - </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">migrate<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">AUTH</span><span class="o">=</span><span class="s2">&#34;--no-auth-warning -h </span><span class="si">${</span><span class="nv">SRC_HOSTNAME</span><span class="si">}</span><span class="s2"> -p </span><span class="si">${</span><span class="nv">SRC_PORT</span><span class="si">}</span><span class="s2"> -a </span><span class="si">${</span><span class="nv">SRC_PASSWORD</span><span class="si">}</span><span class="s2"> -n </span><span class="si">${</span><span class="nv">SRC_DATABASE</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> redis-cli <span class="si">${</span><span class="nv">AUTH</span><span class="si">}</span> --raw --scan <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> tr <span class="s1">&#39;\n&#39;</span> <span class="s1">&#39;\0&#39;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> xargs -0 redis-cli <span class="si">${</span><span class="nv">AUTH</span><span class="si">}</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> MIGRATE <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DEST_HOSTNAME</span><span class="si">}</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DEST_PORT</span><span class="si">}</span><span class="s2">&#34;</span> <span class="s2">&#34;&#34;</span> <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DEST_DATABASE</span><span class="si">}</span><span class="s2">&#34;</span> <span class="m">5000</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> COPY REPLACE AUTH <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DEST_PASSWORD</span><span class="si">}</span><span class="s2">&#34;</span> KEYS </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">main </span></span></code></pre></td></tr></table> </div> </div>https://vlasov.pro/en/p/git-hacks/Sun, 18 Jun 2023 00:00:00 +0000https://vlasov.pro/en/p/git-hacks/<img src="https://vlasov.pro/ru/p/git-hacks/logo.webp" alt="Featured image of post My Experience with Git" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p>Frequently used commands and explanations for them. I hope this will be as useful to someone else as it has been to me.</p> <h2 id="main">Main <a href="#main">¶</a></h2> <h3 id="git-has-a-built-in-graphical-interface">Git has a built-in graphical interface <a href="#git-has-a-built-in-graphical-interface">¶</a></h3> <p><a class="link" href="https://git-scm.com/docs/gitk" target="_blank" rel="noopener" >Gitk</a> - a simple built-in graphical interface. I really like it for its precision and clarity. I try not to use any Git UI and do everything with commands, and this one works only in view mode.</p> <p><img src="https://vlasov.pro/ru/p/git-hacks/gitk-interface.png" width="1570" height="868" srcset="https://vlasov.pro/ru/p/git-hacks/gitk-interface_hu9045001261438640488.png 480w, https://vlasov.pro/ru/p/git-hacks/gitk-interface_hu9426254138151857176.png 1024w" loading="lazy" alt="Gitk Interface" class="gallery-image" data-flex-grow="180" data-flex-basis="434px" ></p> <ol> <li>Commit tree with tags and branches</li> <li>Hash of the selected commit from the tree</li> <li>List of changed files in this commit</li> <li>Diff mode toggle</li> <li>The diff of the commit with its description at the top</li> </ol> <p>On Manjaro, in addition to Git itself, you need to install <code>tk</code> for it to work. I don&rsquo;t know how it works on other distributions.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">pacman -Sy git tk </span></span></code></pre></td></tr></table> </div> </div><h3 id="how-to-update-environment-settings-based-on-the-diff-of-the-new-environment">How to update environment settings based on the diff of the new environment <a href="#how-to-update-environment-settings-based-on-the-diff-of-the-new-environment">¶</a></h3> <p>Here&rsquo;s the thing. In my infrastructure repository, I have, for example, values for Helmfile environments <strong>Development</strong> and <strong>Production</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ruby" data-lang="ruby"><span class="line"><span class="cl"><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">development</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">main</span><span class="o">.</span><span class="n">yaml</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">└──</span> <span class="n">values</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">cert</span><span class="o">-</span><span class="n">manager</span><span class="o">.</span><span class="n">yaml</span><span class="o">.</span><span class="n">gotmpl</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">external</span><span class="o">-</span><span class="n">secrets</span><span class="o">.</span><span class="n">yaml</span><span class="o">.</span><span class="n">gotmpl</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">fluentbit</span><span class="o">.</span><span class="n">yaml</span><span class="o">.</span><span class="n">gotmpl</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">kube</span><span class="o">-</span><span class="n">prometheus</span><span class="o">-</span><span class="n">stack</span><span class="o">.</span><span class="n">yaml</span><span class="o">.</span><span class="n">gotmpl</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">loki</span><span class="o">.</span><span class="n">yaml</span><span class="o">.</span><span class="n">gotmpl</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">└──</span> <span class="n">promtail</span><span class="o">.</span><span class="n">yaml</span><span class="o">.</span><span class="n">gotmpl</span> </span></span><span class="line"><span class="cl"><span class="err">└──</span> <span class="n">production</span> </span></span><span class="line"><span class="cl"> <span class="err">├──</span> <span class="n">main</span><span class="o">.</span><span class="n">yaml</span> </span></span><span class="line"><span class="cl"> <span class="err">└──</span> <span class="n">values</span> </span></span><span class="line"><span class="cl"> <span class="err">├──</span> <span class="n">cert</span><span class="o">-</span><span class="n">manager</span><span class="o">.</span><span class="n">yaml</span><span class="o">.</span><span class="n">gotmpl</span> </span></span><span class="line"><span class="cl"> <span class="err">├──</span> <span class="n">external</span><span class="o">-</span><span class="n">secrets</span><span class="o">.</span><span class="n">yaml</span><span class="o">.</span><span class="n">gotmpl</span> </span></span><span class="line"><span class="cl"> <span class="err">├──</span> <span class="n">fluentbit</span><span class="o">.</span><span class="n">yaml</span><span class="o">.</span><span class="n">gotmpl</span> </span></span><span class="line"><span class="cl"> <span class="err">├──</span> <span class="n">kube</span><span class="o">-</span><span class="n">prometheus</span><span class="o">-</span><span class="n">stack</span><span class="o">.</span><span class="n">yaml</span><span class="o">.</span><span class="n">gotmpl</span> </span></span><span class="line"><span class="cl"> <span class="err">├──</span> <span class="n">loki</span><span class="o">.</span><span class="n">yaml</span><span class="o">.</span><span class="n">gotmpl</span> </span></span><span class="line"><span class="cl"> <span class="err">└──</span> <span class="n">promtail</span><span class="o">.</span><span class="n">yaml</span><span class="o">.</span><span class="n">gotmpl</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="mi">5</span> <span class="n">directories</span><span class="p">,</span> <span class="mi">14</span> <span class="n">files</span> </span></span></code></pre></td></tr></table> </div> </div><p>So I was developing new applications, changing settings in development, and now I need to transfer all the same to production. To avoid recalling all the little things that need to be changed, I do the following.</p> <ol> <li>Switch to the branch with the current development</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">git checkout development </span></span></code></pre></td></tr></table> </div> </div><ol start="2"> <li>Check when production was last changed</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">git log -n <span class="m">1</span> --oneline -- ./production </span></span></code></pre></td></tr></table> </div> </div><p>Here, <code>./production</code> is the path to the folder we are interested in for file changes. You can specify a specific file or multiple sources. In this case, we will get the hash of the last commit that made any changes in production.</p> <ol start="3"> <li>Check the changes from that moment to the present</li> </ol> <p>Now we need to track all changes from the last version of production to the current moment, which is the current development.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">git diff 493d3aa..HEAD -- ./development </span></span></code></pre></td></tr></table> </div> </div><p>The hash <strong>493d3aa</strong> is the one I obtained in the previous point for production.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-diff" data-lang="diff"><span class="line"><span class="cl"><span class="gh">diff --git a/development/values/cert-manager.yaml.gotmpl b/development/values/cert-manager.yaml.gotmpl </span></span></span><span class="line"><span class="cl"><span class="gh">index 493d3aa..cb34bd2 100644 </span></span></span><span class="line"><span class="cl"><span class="gh"></span><span class="gd">--- a/development/values/cert-manager.yaml.gotmpl </span></span></span><span class="line"><span class="cl"><span class="gd"></span><span class="gi">+++ b/development/values/cert-manager.yaml.gotmpl </span></span></span><span class="line"><span class="cl"><span class="gi"></span><span class="gu">@@ -34,7 +34,8 @@ asdf: </span></span></span><span class="line"><span class="cl"><span class="gu"></span> alpha: cert-manager-a </span></span><span class="line"><span class="cl"> contextKey: </span></span><span class="line"><span class="cl"> beta: something-else </span></span><span class="line"><span class="cl"><span class="gd">- key: json </span></span></span><span class="line"><span class="cl"><span class="gd"></span><span class="gi">+ someSetting: </span></span></span><span class="line"><span class="cl"><span class="gi">+ subkey: cert-manager-example </span></span></span><span class="line"><span class="cl"><span class="gi"></span> urls: </span></span><span class="line"><span class="cl"> api: {{ quote .Values.apiURL }} </span></span><span class="line"><span class="cl"> web: {{ quote .Values.webURL }} </span></span></code></pre></td></tr></table> </div> </div><p>Thus, we can now manually transfer all the changes we are interested in to production without losing anything.</p> <h3 id="how-to-search-for-passwords-and-sensitive-data-using-commit-search">How to search for passwords and sensitive data using commit search <a href="#how-to-search-for-passwords-and-sensitive-data-using-commit-search">¶</a></h3> <p>Git has a built-in search for files in commits. You can use regular expressions to search for secret data. This is applicable in individual manual operations, but it would be much better to set up and constantly use <a class="link" href="https://gitleaks.io" target="_blank" rel="noopener" >Gitleaks</a> or <a class="link" href="https://aquasecurity.github.io/trivy/v0.42/docs/target/git-repository/" target="_blank" rel="noopener" >Trivy</a>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">git rev-list --all <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>xargs git grep -irnE <span class="s1">&#39;&#34;type&#34;:\s*&#34;service_account&#34;&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="https://vlasov.pro/git-grep-result.png" loading="lazy" alt="Search results for the substring &ldquo;val&rdquo;" ></p> <p>This way, you can find all files in history that contain secrets and perform rotation. It doesn&rsquo;t make sense to cut them out of history; it&rsquo;s better just to change the secrets.</p> <h3 id="rebase-strategies">Rebase strategies <a href="#rebase-strategies">¶</a></h3> <p>When you need to perform a rebase with a lot of conflicts and you know that you simply need to keep everything as it is in the current/target branch, you can do the following.</p> <ol> <li>Make sure that our local branch (which we will be rebasing) is pushed and is the same as in the cloud.</li> </ol> <p>Why is this necessary? For self-control. For example, I have a task to rebase the <em>development</em> branch onto <em>main</em> without changing it, just moving it. If at the start of the transfer I checked that there was no diff for <em>origin/development</em>, then after the transfer, I can compare <code>git diff origin/development..development</code>, and it should also be empty.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">git pull </span></span><span class="line"><span class="cl">git push </span></span></code></pre></td></tr></table> </div> </div><ol start="2"> <li>Perform one of the operations below</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">git rebase -i --strategy<span class="o">=</span>ort -Xtheirs main --empty<span class="o">=</span>keep </span></span><span class="line"><span class="cl">git rebase -i --strategy<span class="o">=</span>ort -Xours main --empty<span class="o">=</span>keep </span></span></code></pre></td></tr></table> </div> </div><p>Git will resolve all conflicts in favor of one of the branches, depending on <code>ours</code> or <code>theirs</code>.</p> <h3 id="how-to-reset-a-local-branch-to-the-state-of-the-cloud-if-someone-pushed-with-force">How to reset a local branch to the state of the cloud if someone pushed with force <a href="#how-to-reset-a-local-branch-to-the-state-of-the-cloud-if-someone-pushed-with-force">¶</a></h3> <p>This is quite simple. For example, we are working on <em>development</em>.</p> <ol> <li>Switch to the branch</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">git checkout development </span></span></code></pre></td></tr></table> </div> </div><ol start="2"> <li>Perform <code>git fetch</code></li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">git fetch --all </span></span></code></pre></td></tr></table> </div> </div><ol start="3"> <li>Perform a reset</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">git reset --hard origin/development </span></span></code></pre></td></tr></table> </div> </div><p>That&rsquo;s it; our branch is now exactly as it is in the cloud.</p>https://vlasov.pro/en/p/kind/Mon, 12 Jun 2023 00:00:00 +0000https://vlasov.pro/en/p/kind/<img src="https://vlasov.pro/ru/p/kind/logo.webp" alt="Featured image of post Kubernetes in Docker" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p>Sometimes you need Kubernetes locally for quick testing.</p> <ol> <li>Checking out a custom Helm chart</li> <li>Asking <code>kubectl explain</code> something</li> <li>Checking settings</li> </ol> <p>Starting to look for some cluster on first available project, which is not good because it can break something accidentally. It&rsquo;s not convenient to do something. Turns out there are many different lightweight and fast installers of Kubernetes. This may not be all of them, but those I either tried or passed by. They work a bit differently.</p> <ol> <li><strong>Minikube</strong> - one of the oldest, so to say. We met that standard installation kube-prometheus-stack on it simply didn&rsquo;t start, and on the next one - with it.</li> <li><strong>k3s</strong> - one of three engines from <a class="link" href="https://www.rancher.com" target="_blank" rel="noopener" >Rancher</a>. Great thing, used and using them for small projects at work. It&rsquo;s also two personal clusters exactly on k3s, but it&rsquo;s not vanilla, everything is put together in a single binary. It&rsquo;s both good and bad. Very lightweight and easy to install, but I ended up with Wireguard VPN rule issues with IPTables myself. I had to change Wireguard FwMark to <code>0x8000</code> and everything worked.</li> <li><strong>rke</strong> - another one of three engines. First one from Rancher. It&rsquo;s very good, especially because there is a <a class="link" href="https://registry.terraform.io/providers/rancher/rke/latest" target="_blank" rel="noopener" >Terraform Module</a> - great. I&rsquo;ve already been more similar to vanilla installation.</li> <li><strong>rke2</strong> - rke + k3s. Everything is put together in one binary, but apiserver, scheduler etc. are still seen as separate pods. I tried it, and it was a shame that there was no support from Terraform like with rke. It didn&rsquo;t impress me, practically speaking, because it was less stable than k3s or maybe my hands were just crooked.</li> <li><strong>Microk8s</strong> - from Canonical, haven&rsquo;t tried.</li> <li><strong>k0s</strong> - same as <em>k3s</em>, but community is smaller and documentation is worse, and that&rsquo;s&hellip; good.</li> <li><strong>kind</strong> - the highlight of today&rsquo;s program.</li> </ol> <h2 id="kind">kind <a href="#kind">¶</a></h2> <p>Why I want to tell you about it? It&rsquo;s the <strong>most vanilla</strong> way to get Kubernetes locally. There are many advantages.</p> <ol> <li>You can throw in a config</li> <li>Creates Kubernetes in Docker</li> <li><strong>You can create more than one node!</strong></li> <li>Uses <strong>vanilla kubeadm</strong>!</li> <li>All configurations, paths, and formats - standard kubeadm!</li> <li>It doesn&rsquo;t mess with iptables on the host</li> </ol> <p>There are some downsides.</p> <ol> <li>Control plane eats up 900 MiB RAM at a time</li> <li>You need to throw out ports from nodes on the host</li> </ol> <p>Here&rsquo;s an example configuration of kind:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kind.x-k8s.io/v1alpha4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">nodes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span>- <span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l">control-plane</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">extraMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">hostPath</span><span class="p">:</span><span class="w"> </span><span class="l">/home/bzm/projects/kind/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">containerPath</span><span class="p">:</span><span class="w"> </span><span class="l">/host</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kubeadmConfigPatches</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> kind: InitConfiguration </span></span></span><span class="line"><span class="cl"><span class="sd"> nodeRegistration: </span></span></span><span class="line"><span class="cl"><span class="sd"> kubeletExtraArgs: </span></span></span><span class="line"><span class="cl"><span class="sd"> seccomp-default: &#34;true&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> apiServer: </span></span></span><span class="line"><span class="cl"><span class="sd"> extraArgs: </span></span></span><span class="line"><span class="cl"><span class="sd"> enable-admission-plugins: NodeRestriction</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span>- <span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l">worker</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">extraPortMappings</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hostPort</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">listenAddress</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;127.0.0.1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="m">443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hostPort</span><span class="p">:</span><span class="w"> </span><span class="m">443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">listenAddress</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;127.0.0.1&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>So, you can put a bunch of nodes on one computer and everything is in containers. Configurations and settings are all like the official documentation. You need to try out some keys for api-server - easy. You need to refine something about security - easy. I really liked it.</p>https://vlasov.pro/en/p/redis-watchdog/Fri, 09 Jun 2023 00:00:00 +0000https://vlasov.pro/en/p/redis-watchdog/<img src="https://vlasov.pro/ru/p/redis-watchdog/logo.webp" alt="Featured image of post Redis Sentinel Watchdog" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p>I really love the charts from <a class="link" href="https://artifacthub.io/packages/search?org=bitnami&amp;sort=relevance&amp;page=1" target="_blank" rel="noopener" >Bitnami</a>; they are well-written and quite stable. Among other things, I always deploy <a class="link" href="https://artifacthub.io/packages/helm/bitnami/redis" target="_blank" rel="noopener" >Redis from their chart</a>. Everything would be fine if you just needed Redis without any High Availability, but that’s not always the case.</p> <blockquote> <p>What’s the difficulty in setting up Redis HA?</p> </blockquote> <p>The issue is that the connection drivers to Redis in client services must support Redis Sentinel. When we set up a cluster with Redis, a container with Sentinel is also launched—it&rsquo;s a kind of controller for the cluster that will replace the master if the current one goes down. It&rsquo;s very similar to a <a class="link" href="https://www.mongodb.com/docs/manual/core/replica-set-arbiter/" target="_blank" rel="noopener" >Mongo Arbiter</a>. Therefore, the connection mechanism changes because of this Sentinel.</p> <ol> <li>Connect to Sentinel</li> <li>Request the master’s address</li> <li>Connect to the master</li> <li>If the master is unavailable, go back to Sentinel</li> </ol> <p>Very often, applications do not support this. So what should you do in such a case? I decided that, as always, <strong>workarounds</strong> would help.</p> <p>Below is a fragment of <em>values.yaml</em> that I use to launch <em>bitnami/redis</em> using <a class="link" href="https://helmfile.readthedocs.io/en/latest/" target="_blank" rel="noopener" >Helmfile</a>.</p> <blockquote> <p>What’s going on there?</p> </blockquote> <p>Among other things, I create an additional sidecar container that requests the master’s address from Sentinel every N seconds and updates the service if it differs from the one created as an ExternalName type. Thus, we can simply point applications that do not know how to communicate with Sentinel to this service, and everything will work since the service will always point to the correct pod.</p> <p>This sidecar container consumes about <em>65 mCPU</em> and <em>1 MiB</em>. Of course, you could build an image and include redis-cli to connect directly, but I don’t want to maintain and store this image or update it.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># ┬─┐┬─┐┬─┐o┐─┐</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># │┬┘├─ │ ││└─┐</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># ┘└┘┴─┘┘─┘┘──┘</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span>{{- <span class="l">$name := &#34;redis&#34; }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span>{{- <span class="l">$masterServiceName := printf &#34;%s-master&#34; $name }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">nameOverride</span><span class="p">:</span><span class="w"> </span>{{<span class="w"> </span><span class="l">$name }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">fullnameOverride</span><span class="p">:</span><span class="w"> </span>{{<span class="w"> </span><span class="l">$name }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">architecture</span><span class="p">:</span><span class="w"> </span><span class="l">replication</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">auth</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span>{{<span class="w"> </span><span class="l">quote .Values.secrets.redisPassword }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">replica</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">replicaCount</span><span class="p">:</span><span class="w"> </span><span class="m">3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l">75Mi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l">50m</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l">25Mi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">persistence</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">storageClass</span><span class="p">:</span><span class="w"> </span><span class="l">standard</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">size</span><span class="p">:</span><span class="w"> </span><span class="l">1Gi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">podAntiAffinityPreset</span><span class="p">:</span><span class="w"> </span><span class="l">hard</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sidecars</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">master-service-watchdog</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{`{{ printf &#34;bitnami/kubectl:%s.%s&#34; .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor }}`}}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">imagePullPolicy</span><span class="p">:</span><span class="w"> </span><span class="l">IfNotPresent</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;/bin/sh&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;-ec&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">args</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> while sleep 5; do </span></span></span><span class="line"><span class="cl"><span class="sd"> MASTER_ADDRESS=&#34;$(kubectl exec -c sentinel &#34;${POD_NAME}&#34; -- sh -c &#34;REDISCLI_AUTH=&#39;$REDISCLI_AUTH&#39; redis-cli -p &#39;${REDIS_SENTINEL_PORT}&#39; SENTINEL get-master-addr-by-name this&#34; | head -1)&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> if ! kubectl get svc &#34;${MASTER_SERVICE}&#34; -o jsonpath=&#39;{.spec.externalName}&#39; | grep -qF &#34;${MASTER_ADDRESS}&#34;; then </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;info: master address has changed to ${MASTER_ADDRESS}&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> jq -Mnr --arg address &#34;${MASTER_ADDRESS}&#34; &#39;[{op:&#34;replace&#34;,path:&#34;/spec/externalName&#34;,value:$address}]&#39; | \ </span></span></span><span class="line"><span class="cl"><span class="sd"> xargs -0 kubectl patch svc &#34;${MASTER_SERVICE}&#34; --type=json --patch </span></span></span><span class="line"><span class="cl"><span class="sd"> fi </span></span></span><span class="line"><span class="cl"><span class="sd"> done</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">MASTER_SERVICE</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span>{{<span class="w"> </span><span class="l">quote $masterServiceName }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">POD_NAME</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">valueFrom</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fieldRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fieldPath</span><span class="p">:</span><span class="w"> </span><span class="l">metadata.name</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">REDISCLI_AUTH</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">valueFrom</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretKeyRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{`{{ template &#34;common.names.fullname&#34; . }}`}}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">redis-password</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">REDIS_SENTINEL_PORT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;{{`{{ .Values.sentinel.containerPorts.sentinel }}`}}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l">100m</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l">50Mi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l">100m</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l">50Mi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">readOnlyRootFilesystem</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsNonRoot</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsUser</span><span class="p">:</span><span class="w"> </span><span class="m">1000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">privileged</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allowPrivilegeEscalation</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">capabilities</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">drop</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">ALL]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">seccompProfile</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">RuntimeDefault</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">serviceAccount</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">create</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">sentinel</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">masterSet</span><span class="p">:</span><span class="w"> </span><span class="l">this</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">automateClusterRecovery</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">downAfterMilliseconds</span><span class="p">:</span><span class="w"> </span><span class="m">2000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l">50Mi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l">50m</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l">50Mi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">networkPolicy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">extraIngress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">6379</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">from</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">namespaceSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kubernetes.io/metadata.name</span><span class="p">:</span><span class="w"> </span>{{<span class="w"> </span><span class="l">.Release.Namespace }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">rbac</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">create</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Allow watchdog to update our service</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;services&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;get&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;update&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;patch&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resourceNames</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>{{<span class="w"> </span><span class="l">quote $masterServiceName }}]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Allow exec into Redis pods</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods/exec&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;create&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;get&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;list&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">pdb</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">create</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">raw</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">Service</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span>{{<span class="w"> </span><span class="l">$masterServiceName }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">ExternalName</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># 1.1.1.1 is just a stub value that is used for initial deployment</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># It will be overridden as soon as the first watchdog is ready</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">externalName</span><span class="p">:</span><span class="w"> </span><span class="m">1.1.1.1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">6379</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">TCP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="m">6379</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">redis</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div>https://vlasov.pro/en/p/timeshift/Sun, 01 Jan 2023 00:00:00 +0000https://vlasov.pro/en/p/timeshift/<img src="https://vlasov.pro/ru/p/timeshift/logo.webp" alt="Featured image of post Timeshift BTRFS Backups on Manjaro" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p><a class="link" href="https://github.com/linuxmint/timeshift" target="_blank" rel="noopener" >Timeshift</a> is a great tool! It helps making automated system backups. You can do it manually if you want to, but BTRFS snapshots are where it&rsquo;s at!</p> <ol> <li>Copying somewhere with <a class="link" href="https://linux.die.net/man/1/rsync" target="_blank" rel="noopener" >rsync</a>, with clever linking to save space as much as possible</li> <li>Using BTRFS snapshot</li> </ol> <p>The first option is pointless. This takes forever and isn&rsquo;t exciting, but BTRFS is what you need! It&rsquo;s done instantly and where duplicates are, the file system saves it itself. Plus, you can load them right when booting up.</p> <h2 id="system-requirements">System Requirements <a href="#system-requirements">¶</a></h2> <p>Part of the page on the main repository, but I also found some more:</p> <ol> <li>The default subvolume for the BTRFS filesystem should be <code>/</code></li> </ol> <p>When mounting a BTRFS partition either without specifying the mount option <em>subvol=</em> it will mount at the root. If not, the program crashes. Here&rsquo;s a script to check and correct this:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">MP</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>mktemp -d<span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">mount <span class="p">|</span> awk <span class="s1">&#39;/on \/ type btrfs/{print $1}&#39;</span> <span class="p">|</span> sudo xargs -I<span class="o">{}</span> mount <span class="o">{}</span> <span class="s2">&#34;</span><span class="nv">$MP</span><span class="s2">&#34;</span> <span class="o">&amp;&amp;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>sudo btrfs subvolume set-default <span class="m">5</span> <span class="s2">&#34;</span><span class="nv">$MP</span><span class="s2">&#34;</span><span class="p">;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>sudo umount <span class="s2">&#34;</span><span class="nv">$MP</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><ol start="2"> <li>The root filesystem partition in <code>/etc/fstab</code> should be correctly configured</li> </ol> <p>The same <em>subvol=</em> option should be set to either <code>@*</code> or <em>/@</em>, it doesn&rsquo;t matter. Here&rsquo;s a script to tell if everything is correct:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">grep -E <span class="s1">&#39;^[^#].+/\s+btrfs&#39;</span> /etc/fstab <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>grep -oE <span class="s1">&#39;subvol=[^,]+&#39;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>cut -d<span class="o">=</span> -f2 <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>grep -qE <span class="s1">&#39;^/?@$&#39;</span> <span class="o">&amp;&amp;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span><span class="nb">echo</span> <span class="s1">&#39;OK&#39;</span> <span class="o">||</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span><span class="nb">echo</span> <span class="s1">&#39;Not OK&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="how-it-works">How it works <a href="#how-it-works">¶</a></h2> <p>When installing any package through <em>pamac</em> or <em>yay</em>, timeshift automatically kicks in if <code>etc/timeshift-autosnap.conf</code> doesn&rsquo;t include its skip.</p> <script id="asciicast-547865" src="https://asciinema.org/a/547865.js" async></script> <p><img src="https://vlasov.pro/ru/p/timeshift/timeshift-after-install.webp" width="820" height="655" srcset="https://vlasov.pro/ru/p/timeshift/timeshift-after-install_hu11808219343456374573.webp 480w, https://vlasov.pro/ru/p/timeshift/timeshift-after-install_hu1277256472034217943.webp 1024w" loading="lazy" alt="And now I have two backups too" class="gallery-image" data-flex-grow="125" data-flex-basis="300px" ></p>https://vlasov.pro/en/p/zsh-p10k/Sun, 25 Dec 2022 00:00:00 +0000https://vlasov.pro/en/p/zsh-p10k/<img src="https://vlasov.pro/ru/p/zsh-p10k/logo.webp" alt="Featured image of post Convenient and Colorful ZSH with p10k" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p>Previously, I described my experience with ZSH <a class="link" href="../shells" >here</a>. Now, things are a bit different; I have fully switched to <a class="link" href="https://github.com/romkatv/powerlevel10k" target="_blank" rel="noopener" >Powerlevel10k</a>.</p> <p>It&rsquo;s a very beautiful and convenient shell prompt that is easy to install and configure on the fly.</p> <h2 id="configuring-p10k">Configuring p10k <a href="#configuring-p10k">¶</a></h2> <p>You can configure p10k very easily, right on the go, even ten times a day.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">p10k configure </span></span></code></pre></td></tr></table> </div> </div><p>I have embedded the installation of p10k directly in my .zshrc, so you don&rsquo;t even have to follow the official instructions on the website. Well, almost. There are recommended fonts to ensure everything looks good, which are described <a class="link" href="https://github.com/romkatv/powerlevel10k#fonts" target="_blank" rel="noopener" >here</a>. Below, I recorded and showed what the configuration of p10k looks like. Unfortunately, the asciinema recording shows the beautiful elements as squares since these symbols are not supported in the recording. So, here’s a screenshot of the terminal window.</p> <p><img src="https://vlasov.pro/ru/p/zsh-p10k/tilix-screenshot.webp" width="872" height="658" srcset="https://vlasov.pro/ru/p/zsh-p10k/tilix-screenshot_hu9219161931832726404.webp 480w, https://vlasov.pro/ru/p/zsh-p10k/tilix-screenshot_hu10273949202985261343.webp 1024w" loading="lazy" alt="(Click the image to enlarge)" class="gallery-image" data-flex-grow="132" data-flex-basis="318px" ></p> <p>While the recording didn&rsquo;t turn out very well, at least I can show you the menus.</p> <script id="asciicast-547818" src="https://asciinema.org/a/547818.js" async></script> <h2 id="explanation-of-my-zshrc">Explanation of my .zshrc <a href="#explanation-of-my-zshrc">¶</a></h2> <p>Everything written below consists of snippets from my .zshrc, which you can download at the end of the article. For your convenience, I will duplicate the link <a class="link" href="files/dot.zshrc" >here</a>.</p> <h3 id="installing-p10k">Installing p10k <a href="#installing-p10k">¶</a></h3> <p>This is done with a simple condition and direct cloning from GitHub. If we have Git and p10k is not yet installed, we can clone it.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="k">if</span> <span class="nb">command</span> -v git &gt;/dev/null <span class="o">&amp;&amp;</span> <span class="o">[</span> ! -d ~/powerlevel10k <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;info: installing p10k&#34;</span> </span></span><span class="line"><span class="cl"> git clone --depth <span class="m">1</span> --single-branch https://github.com/romkatv/powerlevel10k.git ~/powerlevel10k </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="plugins">Plugins <a href="#plugins">¶</a></h3> <p>I install plugins simply by cloning them from GitHub. I added comments directly in the code for clarification.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># if we have git installed</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="nb">command</span> -v git &gt;/dev/null<span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="c1"># and folder with plugins is absent</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[</span> ! -d /usr/share/zsh/plugins <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="c1"># let&#39;s create it with sudo</span> </span></span><span class="line"><span class="cl"> sudo mkdir -p /usr/share/zsh/plugins </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="c1"># and jump in</span> </span></span><span class="line"><span class="cl"> <span class="nb">cd</span> /usr/share/zsh/plugins </span></span><span class="line"><span class="cl"> <span class="c1"># now, let&#39;s read every line between &lt;&lt;EOF and EOF lines below</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="nv">IFS</span><span class="o">=</span> <span class="nb">read</span> -r REPO<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="c1"># and for every line, which will be available in variable named REPO</span> </span></span><span class="line"><span class="cl"> <span class="c1"># let&#39;s cut only last part of the url (ex: zsh-autosuggestions.git) and save to BASENAME var</span> </span></span><span class="line"><span class="cl"> <span class="nv">BASENAME</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>basename <span class="s2">&#34;</span><span class="nv">$REPO</span><span class="s2">&#34;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># now, we will remove .git from the end of BASENAME and check either such folder exists</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[</span> ! -d <span class="s2">&#34;</span><span class="si">${</span><span class="nv">BASENAME</span><span class="p">%.git</span><span class="si">}</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="c1"># if not, let&#39;s print an info message</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;</span><span class="si">${</span><span class="nv">REPO</span><span class="si">}</span><span class="s2">: Cloning to </span><span class="k">$(</span><span class="nb">pwd</span><span class="k">)</span><span class="s2">/</span><span class="si">${</span><span class="nv">BASENAME</span><span class="p">%.git</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># and finally clone that plugin</span> </span></span><span class="line"><span class="cl"> sudo git clone --depth <span class="m">1</span> --single-branch <span class="s2">&#34;</span><span class="nv">$REPO</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="k">done</span> <span class="s">&lt;&lt;EOF </span></span></span><span class="line"><span class="cl"><span class="s">https://github.com/zsh-users/zsh-history-substring-search.git </span></span></span><span class="line"><span class="cl"><span class="s">https://github.com/zsh-users/zsh-syntax-highlighting.git </span></span></span><span class="line"><span class="cl"><span class="s">https://github.com/zsh-users/zsh-autosuggestions.git </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span><span class="line"><span class="cl"> <span class="c1"># after all plugins cloned, we cd back to the location we were</span> </span></span><span class="line"><span class="cl"> <span class="nb">cd</span> - &gt;/dev/null </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="c1"># okay, now we assume that all plugins are cloned and we have to include them</span> </span></span><span class="line"><span class="cl"><span class="c1"># once again, for every hardcoded path to .zsh file</span> </span></span><span class="line"><span class="cl"><span class="k">while</span> <span class="nv">IFS</span><span class="o">=</span> <span class="nb">read</span> -r SOURCE<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="c1"># we skip the plugin if it starts with &#39;#&#39; (commented out)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$SOURCE</span><span class="s2">&#34;</span> <span class="p">|</span> grep -qE <span class="s1">&#39;^#&#39;</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="o">[</span> -s <span class="s2">&#34;</span><span class="nv">$SOURCE</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="c1"># if it is enabled, we just include it in current shell session with source command</span> </span></span><span class="line"><span class="cl"> <span class="nb">source</span> <span class="s2">&#34;</span><span class="k">$(</span>realpath <span class="s2">&#34;</span><span class="nv">$SOURCE</span><span class="s2">&#34;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> <span class="s">&lt;&lt;EOF </span></span></span><span class="line"><span class="cl"><span class="s">/usr/share/zsh/plugins/zsh-history-substring-search/zsh-history-substring-search.zsh </span></span></span><span class="line"><span class="cl"><span class="s">/usr/share/zsh/plugins/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh </span></span></span><span class="line"><span class="cl"><span class="s">/usr/share/zsh/plugins/zsh-autosuggestions/zsh-autosuggestions.zsh </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="adding-paths-to-path">Adding Paths to PATH <a href="#adding-paths-to-path">¶</a></h3> <p>Often, we install additional binaries in non-standard folders. For example, I use <em>~/.local/bin</em> for various tools like kubectl, helm, k9s, and others. Here, we check each folder, if it exists, and add it to the <em>PATH</em> variable.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="k">while</span> <span class="nv">IFS</span><span class="o">=</span> <span class="nb">read</span> -r P<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[</span> -d <span class="s2">&#34;</span><span class="nv">$P</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">export</span> <span class="nv">PATH</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">P</span><span class="si">}</span><span class="s2">:</span><span class="si">${</span><span class="nv">PATH</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> <span class="s">&lt;&lt;EOF </span></span></span><span class="line"><span class="cl"><span class="s">${HOME}/.local/share/gem/ruby/3.0.0/bin </span></span></span><span class="line"><span class="cl"><span class="s">${HOME}/projects/stm32/gcc-arm-none-eabi-10.3-2021.10/bin </span></span></span><span class="line"><span class="cl"><span class="s">${HOME}/.local/bin </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="aliases">Aliases <a href="#aliases">¶</a></h3> <p>Here everything is straightforward, with lots of different aliases.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nb">alias</span> ..<span class="o">=</span><span class="s2">&#34;cd .. &amp;&amp; ls -lhA --color=auto&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">d</span><span class="o">=</span><span class="s1">&#39;sudo -E docker&#39;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">dc</span><span class="o">=</span><span class="s2">&#34;docker-compose&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">e</span><span class="o">=</span><span class="s2">&#34;exit&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">j</span><span class="o">=</span><span class="s2">&#34;sudo journalctl&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">l</span><span class="o">=</span><span class="s2">&#34;ls -lh --color=always&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">la</span><span class="o">=</span><span class="s2">&#34;ls -lhA --color=always&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">p</span><span class="o">=</span><span class="s2">&#34;ping 8.8.8.8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">please</span><span class="o">=</span><span class="s1">&#39;sudo&#39;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">reborn</span><span class="o">=</span><span class="s2">&#34;sudo shutdown -r now&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">s</span><span class="o">=</span><span class="s1">&#39;sudo&#39;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">sctl</span><span class="o">=</span><span class="s2">&#34;sudo systemctl&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">svi</span><span class="o">=</span><span class="s2">&#34;sudo vim&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">svim</span><span class="o">=</span><span class="s2">&#34;sudo vim&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">t</span><span class="o">=</span><span class="s1">&#39;terraform&#39;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">k</span><span class="o">=</span><span class="s2">&#34;kubectl&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">kd</span><span class="o">=</span><span class="s2">&#34;kubectl describe&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">kg</span><span class="o">=</span><span class="s2">&#34;kubectl get&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">ky</span><span class="o">=</span><span class="s2">&#34;kubectl get -o yaml&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">ke</span><span class="o">=</span><span class="s1">&#39;kubectl exec -it&#39;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">vi</span><span class="o">=</span><span class="s2">&#34;vim&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">g</span><span class="o">=</span><span class="s2">&#34;git&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">b</span><span class="o">=</span><span class="s2">&#34;sudo btrfs&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">c</span><span class="o">=</span><span class="s2">&#34;code .&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> ansible-time<span class="o">=</span><span class="s2">&#34;time ansible-playbook&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="git-config">Git Config <a href="#git-config">¶</a></h3> <p>By the way, I also have a Git config. The link is <a class="link" href="files/dot.gitconfig" >here</a> or the same at the end of the page. Two interesting commands here:</p> <ol> <li><code>git ps</code> - pushes the branch, and if it doesn&rsquo;t exist yet, it catches the message from the Git error log and pushes with &ndash;set-upstream.</li> <li><code>git dpush</code> (dummy push) - adds all files and folders to the commit, writes a standard commit message, and pushes.</li> <li><code>git cc</code> - simply makes a commit with a standard message.</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ruby" data-lang="ruby"><span class="line"><span class="cl"><span class="o">[</span><span class="k">alias</span><span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="n">co</span> <span class="o">=</span> <span class="n">checkout</span> </span></span><span class="line"><span class="cl"><span class="n">a</span> <span class="o">=</span> <span class="n">add</span> <span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">ci</span> <span class="o">=</span> <span class="n">commit</span> </span></span><span class="line"><span class="cl"><span class="n">cc</span> <span class="o">=</span> <span class="n">commit</span> <span class="o">-</span><span class="n">m</span> <span class="s1">&#39;Nothing special. Just regular commit.&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">ps</span> <span class="o">=</span> <span class="o">!</span> <span class="n">sh</span> <span class="o">-</span><span class="n">c</span> <span class="s1">&#39;git push &gt;/tmp/git-ps 2&gt;&amp;1 || grep -- &#34;git push --set-upstream&#34; /tmp/git-ps | sh&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">pt</span> <span class="o">=</span> <span class="n">push</span> <span class="o">--</span><span class="n">tags</span> </span></span><span class="line"><span class="cl"><span class="n">pts</span> <span class="o">=</span> <span class="o">!</span> <span class="n">sh</span> <span class="o">-</span><span class="n">c</span> <span class="s1">&#39;git push &amp;&amp; git push --tags&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">pl</span> <span class="o">=</span> <span class="n">pull</span> </span></span><span class="line"><span class="cl"><span class="n">st</span> <span class="o">=</span> <span class="n">status</span> </span></span><span class="line"><span class="cl"><span class="n">br</span> <span class="o">=</span> <span class="n">branch</span> </span></span><span class="line"><span class="cl"><span class="n">hist</span> <span class="o">=</span> <span class="n">log</span> <span class="o">--</span><span class="n">pretty</span><span class="o">=</span><span class="nb">format</span><span class="ss">:&#39;%h %ad | %s%d [%an]&#39;</span> <span class="o">--</span><span class="n">graph</span> <span class="o">--</span><span class="n">date</span><span class="o">=</span><span class="n">short</span> </span></span><span class="line"><span class="cl"><span class="n">type</span> <span class="o">=</span> <span class="n">cat</span><span class="o">-</span><span class="n">file</span> <span class="o">-</span><span class="n">t</span> </span></span><span class="line"><span class="cl"><span class="n">dump</span> <span class="o">=</span> <span class="n">cat</span><span class="o">-</span><span class="n">file</span> <span class="o">-</span><span class="nb">p</span> </span></span><span class="line"><span class="cl"><span class="n">dpush</span> <span class="o">=</span> <span class="o">!</span> <span class="n">sh</span> <span class="o">-</span><span class="n">c</span> <span class="s1">&#39;git add . &amp;&amp; git commit -m &#34;Nothing special. Just regular commit.&#34;&#39;</span> <span class="o">&amp;&amp;</span> <span class="n">git</span> <span class="n">push</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="kubeconfig">KUBECONFIG <a href="#kubeconfig">¶</a></h3> <p>Here, we look for the standard kubeconfig for <a class="link" href="https://k3s.io" target="_blank" rel="noopener" >k3s</a> or <a class="link" href="https://docs.rke2.io" target="_blank" rel="noopener" >rke2</a> and set it in KUBECONFIG.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># if there is no file at the path that is already being set in KUBECONFIG var</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[</span> -z <span class="s2">&#34;</span><span class="nv">$KUBECONFIG</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="c1"># for every filepath from the list below</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="nv">IFS</span><span class="o">=</span> <span class="nb">read</span> -r K<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="c1"># check if file exists and it is not empty</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[</span> -s <span class="s2">&#34;</span><span class="nv">$K</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="c1"># change owner and group to current user</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> ! stat -c <span class="s1">&#39;%u:%g&#39;</span> <span class="s2">&#34;</span><span class="nv">$K</span><span class="s2">&#34;</span> <span class="p">|</span> grep -qF <span class="s2">&#34;</span><span class="k">$(</span>id -u<span class="k">)</span><span class="s2">:</span><span class="k">$(</span>id -g<span class="k">)</span><span class="s2">&#34;</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> sudo chown <span class="s2">&#34;</span><span class="si">${</span><span class="nv">USER</span><span class="si">}</span><span class="s2">:</span><span class="si">${</span><span class="nv">USER</span><span class="si">}</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$K</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;info </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">: chown </span><span class="nv">$K</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="c1"># assign it to the KUBECONFIG variable</span> </span></span><span class="line"><span class="cl"> <span class="nb">export</span> <span class="nv">KUBECONFIG</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">K</span><span class="si">}</span><span class="s2">:</span><span class="si">${</span><span class="nv">KUBECONFIG</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="k">done</span> <span class="s">&lt;&lt;EOF </span></span></span><span class="line"><span class="cl"><span class="s">/etc/rancher/rke2/rke2.yaml </span></span></span><span class="line"><span class="cl"><span class="s">~/.kube/config </span></span></span><span class="line"><span class="cl"><span class="s">~/.kube/k3s.yaml </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span></code></pre></td></tr></table> </div> </div><p>Here’s the translated content of your Hugo page section into English, formatted in valid Markdown:</p> <h3 id="automatic-utility-downloads">Automatic Utility Downloads <a href="#automatic-utility-downloads">¶</a></h3> <p>Here&rsquo;s what&rsquo;s happening: <code>.zshrc</code> automatically checks to ensure that we have the binaries of the utilities we use installed. If the utility is missing, it downloads it; if not, it does nothing. However, I can manually update k9s by executing <code>_update_k9s</code>. This section installs the following utilities:</p> <ol> <li><a class="link" href="https://k9scli.io" target="_blank" rel="noopener" >k9s</a> - more details <a class="link" href="../k9s" >in my article</a></li> <li><a class="link" href="https://github.com/rikatz/kubepug" target="_blank" rel="noopener" >kubepug</a> - a tool for checking deprecated APIs in the cluster before upgrading the Kubernetes version</li> <li><a class="link" href="https://github.com/hidetatz/kubecolor" target="_blank" rel="noopener" >kubecolor</a> - a wrapper around kubectl for colorful output</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">_update_kubepug<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> mkdir -p ~/.local/bin </span></span><span class="line"><span class="cl"> <span class="nv">LOCATION</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>curl --connect-timeout <span class="m">1</span> -sS https://github.com/rikatz/kubepug/releases/latest -D- <span class="p">|</span> awk <span class="s1">&#39;/^location:/{print $2}&#39;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nv">LATEST_VERSION</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span><span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$LOCATION</span><span class="s2">&#34;</span> <span class="p">|</span> awk -F/ <span class="s1">&#39;{print $NF}&#39;</span> <span class="p">|</span> grep -oE <span class="s1">&#39;[0-9a-zA-Z_.-]+&#39;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> ! k9s version --short <span class="p">|</span> grep -qF <span class="s2">&#34;</span><span class="nv">$LATEST_VERSION</span><span class="s2">&#34;</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s2">&#34;Updating kubepug to %s\n&#34;</span> <span class="s2">&#34;</span><span class="nv">$LATEST_VERSION</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s1">&#39;https://github.com/rikatz/kubepug/releases/download/%s/kubepug_linux_%s.tar.gz&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="s2">&#34;</span><span class="nv">$LATEST_VERSION</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="k">$(</span>uname -p <span class="p">|</span> sed <span class="s1">&#39;s/unknown/amd64/g&#39;</span> <span class="p">|</span> tr -d <span class="s1">&#39;[[:space:]]&#39;</span><span class="k">)</span><span class="s2">&#34;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> xargs curl -sSL <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> tar -xpzf - kubepug </span></span><span class="line"><span class="cl"> install kubepug ~/.local/bin/kubepug -m <span class="m">0755</span> </span></span><span class="line"><span class="cl"> rm -f kubepug </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> ! <span class="nb">command</span> -v kubepug <span class="p">&amp;</span>&gt;/dev/null<span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> _update_kubepug </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">_update_k9s<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> mkdir -p ~/.local/bin </span></span><span class="line"><span class="cl"> <span class="nv">LOCATION</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>curl --connect-timeout <span class="m">1</span> -sS https://github.com/derailed/k9s/releases/latest -D- <span class="p">|</span> awk <span class="s1">&#39;/^location:/{print $2}&#39;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nv">LATEST_VERSION</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span><span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$LOCATION</span><span class="s2">&#34;</span> <span class="p">|</span> awk -F/ <span class="s1">&#39;{print $NF}&#39;</span> <span class="p">|</span> grep -oE <span class="s1">&#39;[0-9a-zA-Z_.-]+&#39;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> ! k9s version --short <span class="p">|</span> grep -qF <span class="s2">&#34;</span><span class="nv">$LATEST_VERSION</span><span class="s2">&#34;</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s2">&#34;Updating k9s to %s\n&#34;</span> <span class="s2">&#34;</span><span class="nv">$LATEST_VERSION</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s1">&#39;https://github.com/derailed/k9s/releases/download/%s/k9s_Linux_%s.tar.gz&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="s2">&#34;</span><span class="nv">$LATEST_VERSION</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="k">$(</span>uname -p <span class="p">|</span> sed <span class="s1">&#39;s/unknown/x86_64/g&#39;</span> <span class="p">|</span> tr -d <span class="s1">&#39;[[:space:]]&#39;</span><span class="k">)</span><span class="s2">&#34;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> xargs curl -sSL <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> tar -xpzf - k9s </span></span><span class="line"><span class="cl"> install k9s ~/.local/bin/k9s -m <span class="m">0755</span> </span></span><span class="line"><span class="cl"> rm -f k9s </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> ! <span class="nb">command</span> -v k9s <span class="p">&amp;</span>&gt;/dev/null<span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> _update_k9s </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">_update_kubecolor<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> mkdir -p ~/.local/bin </span></span><span class="line"><span class="cl"> <span class="nv">LOCATION</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>curl --connect-timeout <span class="m">1</span> -sS https://github.com/hidetatz/kubecolor/releases/latest -D- <span class="p">|</span> awk <span class="s1">&#39;/^location:/{print $2}&#39;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nv">LATEST_VERSION</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span><span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$LOCATION</span><span class="s2">&#34;</span> <span class="p">|</span> awk -F/ <span class="s1">&#39;{print $NF}&#39;</span> <span class="p">|</span> grep -oE <span class="s1">&#39;[0-9a-zA-Z_.-]+&#39;</span> <span class="p">|</span> sed <span class="s1">&#39;s/^v//g&#39;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> ! kubecolor --kubecolor-version <span class="p">|</span> grep -qF <span class="s2">&#34;</span><span class="nv">$LATEST_VERSION</span><span class="s2">&#34;</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s2">&#34;Updating kubecolor to %s\n&#34;</span> <span class="s2">&#34;</span><span class="nv">$LATEST_VERSION</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">printf</span> <span class="s1">&#39;https://github.com/hidetatz/kubecolor/releases/download/%s/kubecolor_%s_Linux_%s.tar.gz&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="s2">&#34;v</span><span class="nv">$LATEST_VERSION</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$LATEST_VERSION</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="k">$(</span>uname -p <span class="p">|</span> sed <span class="s1">&#39;s/unknown/x86_64/g&#39;</span> <span class="p">|</span> tr -d <span class="s1">&#39;[[:space:]]&#39;</span><span class="k">)</span><span class="s2">&#34;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> xargs curl -sSL <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> tar -xpzf - kubecolor </span></span><span class="line"><span class="cl"> install kubecolor ~/.local/bin/kubecolor -m <span class="m">0755</span> </span></span><span class="line"><span class="cl"> rm -f kubecolor </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> ! <span class="nb">command</span> -v kubecolor <span class="p">&amp;</span>&gt;/dev/null<span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> _update_kubecolor </span></span><span class="line"><span class="cl"> <span class="nb">alias</span> <span class="nv">kubectl</span><span class="o">=</span><span class="s2">&#34;kubecolor&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">typeset</span> -g <span class="nv">POWERLEVEL9K_KUBECONTEXT_SHOW_ON_COMMAND</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">POWERLEVEL9K_KUBECONTEXT_SHOW_ON_COMMAND</span><span class="si">}</span><span class="s2">|kubecolor&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span></code></pre></td></tr></table> </div> </div><p>Additionally, for several commands, if they exist, automatic loading of completion scripts is performed so that zsh knows what to suggest.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1">## Completions for 3rd-party binaries</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> COMMAND in kubectl helm k3d flux kubepug<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nb">command</span> -v <span class="s2">&#34;</span><span class="nv">$COMMAND</span><span class="s2">&#34;</span> &gt;/dev/null<span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">source</span> &lt;<span class="o">(</span><span class="s2">&#34;</span><span class="nv">$COMMAND</span><span class="s2">&#34;</span> completion zsh<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="separate-environments">Separate Environments <a href="#separate-environments">¶</a></h3> <p>This is the smartest and at the same time simplest trick in my arsenal. The most valuable thing in work is that when you work on different projects/environments, the scariest thing you can do is to break something. The easiest way to do that is <strong>forgetting to switch</strong> to the desired environment and apply something where you didn&rsquo;t intend.</p> <p>This snippet of code prevents exactly that.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[</span> -f env.sh <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">source</span> ./env.sh </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span></code></pre></td></tr></table> </div> </div><p>It&rsquo;s that simple. What actually happens? When zsh starts, it checks the directory it was launched from, and if there’s a file named exactly <code>env.sh</code>, it includes it in the context. Let me explain.</p> <p>I use <a class="link" href="https://github.com/ranger/ranger" target="_blank" rel="noopener" >Ranger</a> for navigation through folders from the terminal. Let&rsquo;s say I&rsquo;m working on a project and also have a blog. I created the following directories for my projects.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-plaintext" data-lang="plaintext"><span class="line"><span class="cl">. </span></span><span class="line"><span class="cl">├── MyBlog </span></span><span class="line"><span class="cl">│   ├── env.sh </span></span><span class="line"><span class="cl">│   └── kubeconfig.yaml </span></span><span class="line"><span class="cl">└── SuperWorkProject </span></span><span class="line"><span class="cl"> ├── development </span></span><span class="line"><span class="cl"> │   ├── env.sh </span></span><span class="line"><span class="cl"> │   └── kubeconfig.yaml </span></span><span class="line"><span class="cl"> └── production </span></span><span class="line"><span class="cl"> ├── env.sh </span></span><span class="line"><span class="cl"> └── kubeconfig.yaml </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">4 directories, 6 files </span></span></code></pre></td></tr></table> </div> </div><p>In my production project, I have two environments, all running Kubernetes, each with its <strong>separate</strong> <code>kubeconfig.yaml</code>. Let&rsquo;s say I need to work on production. In its <code>env.sh</code>, I will write the following.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="cp">#!/usr/bin/env sh </span></span></span><span class="line"><span class="cl"><span class="cp"></span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">KUBECONFIG</span><span class="o">=</span><span class="s1">&#39;~/projects/SuperWorkProject/production/kubeconfig.yaml&#39;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">AWS_PROFILE</span><span class="o">=</span><span class="s1">&#39;production&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">pf<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> nohup sh -c <span class="s1">&#39;kubectl get po -n monitoring -l app.kubernetes.io/name=grafana -o name | xargs -I{} kubectl port-forward {} 3000&#39;</span> 1&gt;/dev/null <span class="p">&amp;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Now, I just open zsh in this folder or run <code>source ./env.sh</code>. That&rsquo;s it; now I&rsquo;m sure I&rsquo;m working with production. Additionally, I declared a function for port-forwarding.</p>https://vlasov.pro/en/p/kubernetes-oidc/Thu, 01 Dec 2022 00:00:00 +0000https://vlasov.pro/en/p/kubernetes-oidc/<img src="https://vlasov.pro/ru/p/kubernetes-oidc/kubernetes-oidc.webp" alt="Featured image of post Kubernetes Authorization via OIDC" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p>To authenticate in Kubernetes through kubeconfig for access via <a class="link" href="https://kubernetes.io/docs/tasks/tools/" target="_blank" rel="noopener" >kubectl</a>, ServiceAccounts are generally used. They are simply easier to create, but this is not the right approach. Tokens from ServiceAccounts are accessible to anyone who can read secrets in the namespace where the ServiceAccount was created, which means that actions can be taken on your behalf. Not secure&hellip;</p> <p>You can create a certificate, sign it in the cluster, and operate as a User. This is much better; no one can do anything on your behalf because we generated the private part locally and did not share it. I’ll explain how to do this since I&rsquo;ve figured it out.</p> <p>Recently, I finally tried <a class="link" href="https://goauthentik.io" target="_blank" rel="noopener" >Authentik</a> and also attempted to link it to the cluster via <a class="link" href="https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens" target="_blank" rel="noopener" >API server configuration</a>. It turned out to be even simpler in some aspects than dealing with certificates for users. This is what I will talk about.</p> <h2 id="access-via-serviceaccount">Access via ServiceAccount <a href="#access-via-serviceaccount">¶</a></h2> <p>Let’s create a ServiceAccount.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">kubectl create serviceaccount <span class="nb">test</span> </span></span></code></pre></td></tr></table> </div> </div><p>Previously, before Kubernetes 1.22, a token was automatically generated; now it needs to be created separately. You can generate a temporary one.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">kubectl create token <span class="nb">test</span> --duration<span class="o">=</span>10m </span></span></code></pre></td></tr></table> </div> </div><p>Alternatively, you can obtain a permanent token by creating a secret for it.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">kubectl apply -f - <span class="s">&lt;&lt;EOF </span></span></span><span class="line"><span class="cl"><span class="s">apiVersion: v1 </span></span></span><span class="line"><span class="cl"><span class="s">kind: Secret </span></span></span><span class="line"><span class="cl"><span class="s">metadata: </span></span></span><span class="line"><span class="cl"><span class="s"> name: test-sa-secret </span></span></span><span class="line"><span class="cl"><span class="s"> annotations: </span></span></span><span class="line"><span class="cl"><span class="s"> kubernetes.io/service-account.name: test </span></span></span><span class="line"><span class="cl"><span class="s">type: kubernetes.io/service-account-token </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span><span class="line"><span class="cl"><span class="nv">SA_TOKEN</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>kubectl get -o yaml secret test-sa-secret -o <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">&#39;{.data.token}&#39;</span> <span class="p">|</span> base64 -d<span class="k">)</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Now we can write it in kubeconfig and use it.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">kubectl config current-context <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>xargs kubectl config get-contexts --no-headers <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>awk <span class="s1">&#39;{print $4}&#39;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>xargs kubectl config set-credentials <span class="s2">&#34;--token=</span><span class="si">${</span><span class="nv">SA_TOKEN</span><span class="si">}</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="creating-a-user">Creating a User <a href="#creating-a-user">¶</a></h2> <p>This part is a bit more complicated. You need to create a certificate, a signing request, sign it, retrieve the public part, and only then are we ready to proceed. I’m attaching my script, but I don&rsquo;t want to describe all of this. I’m focusing on OIDC, so consider this as a nice bonus &#x1f604;</p> <p>How to use it:</p> <ol> <li>Write your name in the variable <em>NAME</em></li> <li>Write your company name in the variable <em>GROUP</em></li> <li>Change <em>CLUSTERROLE</em> if you really want to</li> <li>Run the script and read the instructions on the screen</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">NAME</span><span class="o">=</span><span class="s1">&#39;john-johnson&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">GROUP</span><span class="o">=</span><span class="s1">&#39;asdfqwer&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">CLUSTERROLE</span><span class="o">=</span><span class="s1">&#39;cluster-admin&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">openssl ecparam -genkey -name prime256v1 <span class="p">|</span> openssl ec -out <span class="s2">&#34;</span><span class="nv">$NAME</span><span class="s2">.key&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">KEY_BASE64</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>base64 -w0 <span class="s2">&#34;</span><span class="nv">$NAME</span><span class="s2">.key&#34;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">openssl req -new -key <span class="s2">&#34;</span><span class="nv">$NAME</span><span class="s2">.key&#34;</span> -out <span class="s2">&#34;</span><span class="nv">$NAME</span><span class="s2">.csr&#34;</span> -subj <span class="s2">&#34;/CN=</span><span class="nv">$NAME</span><span class="s2">/O=</span><span class="nv">$GROUP</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">CSR_BASE64</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>base64 -w0 <span class="s2">&#34;</span><span class="nv">$NAME</span><span class="s2">.csr&#34;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">rm -f <span class="s2">&#34;</span><span class="nv">$NAME</span><span class="s2">.csr&#34;</span> <span class="s2">&#34;</span><span class="nv">$NAME</span><span class="s2">.key&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">cat <span class="s">&lt;&lt;EOF </span></span></span><span class="line"><span class="cl"><span class="s"># ┬ ┐┐─┐┬─┐┬─┐ ┌─┐┬─┐┬─┐┬─┐┌┐┐o┌─┐┌┐┐ </span></span></span><span class="line"><span class="cl"><span class="s"># │ │└─┐├─ │┬┘ │ │┬┘├─ │─┤ │ ││ ││││ </span></span></span><span class="line"><span class="cl"><span class="s"># ┘─┘──┘┴─┘┘└┘ └─┘┘└┘┴─┘┘ ┘ ┘ ┘┘─┘┘└┘ </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">1. Please, execute the following code using kubectl that has access to the cluster (using default admin credentials, for example) </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">kubectl apply -f - &lt;&lt;EOT </span></span></span><span class="line"><span class="cl"><span class="s">apiVersion: certificates.k8s.io/v1 </span></span></span><span class="line"><span class="cl"><span class="s">kind: CertificateSigningRequest </span></span></span><span class="line"><span class="cl"><span class="s">metadata: </span></span></span><span class="line"><span class="cl"><span class="s"> name: $GROUP:$NAME </span></span></span><span class="line"><span class="cl"><span class="s">spec: </span></span></span><span class="line"><span class="cl"><span class="s"> expirationSeconds: 31536000 # 1 year </span></span></span><span class="line"><span class="cl"><span class="s"> signerName: kubernetes.io/kube-apiserver-client </span></span></span><span class="line"><span class="cl"><span class="s"> usages: [&#34;client auth&#34;] </span></span></span><span class="line"><span class="cl"><span class="s"> username: $NAME </span></span></span><span class="line"><span class="cl"><span class="s"> request: $CSR_BASE64 </span></span></span><span class="line"><span class="cl"><span class="s">EOT </span></span></span><span class="line"><span class="cl"><span class="s">kubectl certificate approve &#39;$GROUP:$NAME&#39; </span></span></span><span class="line"><span class="cl"><span class="s">kubectl apply -f - &lt;&lt;EOT </span></span></span><span class="line"><span class="cl"><span class="s">apiVersion: rbac.authorization.k8s.io/v1 </span></span></span><span class="line"><span class="cl"><span class="s">kind: ClusterRoleBinding </span></span></span><span class="line"><span class="cl"><span class="s">metadata: </span></span></span><span class="line"><span class="cl"><span class="s"> name: user:${NAME}:${CLUSTERROLE} </span></span></span><span class="line"><span class="cl"><span class="s">roleRef: </span></span></span><span class="line"><span class="cl"><span class="s"> apiGroup: rbac.authorization.k8s.io </span></span></span><span class="line"><span class="cl"><span class="s"> kind: ClusterRole </span></span></span><span class="line"><span class="cl"><span class="s"> name: $CLUSTERROLE </span></span></span><span class="line"><span class="cl"><span class="s">subjects: </span></span></span><span class="line"><span class="cl"><span class="s">- apiGroup: rbac.authorization.k8s.io </span></span></span><span class="line"><span class="cl"><span class="s"> kind: User </span></span></span><span class="line"><span class="cl"><span class="s"> name: $NAME </span></span></span><span class="line"><span class="cl"><span class="s">EOT </span></span></span><span class="line"><span class="cl"><span class="s">kubectl get -o jsonpath=&#39;{.status.certificate}&#39; csr &#39;$GROUP:$NAME&#39; </span></span></span><span class="line"><span class="cl"><span class="s">echo </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">2. Please, execute the following code locally, on your PC, where you want to have those credentials inserted </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">kubectl config set &#34;users.$GROUP:$NAME.client-key-data&#34; &#34;$KEY_BASE64&#34; </span></span></span><span class="line"><span class="cl"><span class="s">kubectl config set &#34;users.$GROUP:$NAME.client-certificate-data&#34; &#34;-&#34; --set-raw-bytes=true </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">3. Now place the certificate that has been printed during step #1 in your kubeconfig client-certificate-data for user $GROUP:$NAME marker </span></span></span><span class="line"><span class="cl"><span class="s">4. Specify $GROUP:$NAME user in the context you want to use </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="google-oidc">Google OIDC <a href="#google-oidc">¶</a></h2> <ol> <li> <p>Configure the <a class="link" href="https://console.cloud.google.com/apis/credentials/consent" target="_blank" rel="noopener" ><strong>OAuth consent screen</strong></a></p> </li> <li> <p>Create <a class="link" href="https://console.cloud.google.com/apis/credentials/oauthclient" target="_blank" rel="noopener" >OAuth2 credentials</a> of type Web application, Authorized redirect URIs - in the list below.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-plaintext" data-lang="plaintext"><span class="line"><span class="cl">http://127.0.0.1:18000 </span></span><span class="line"><span class="cl">http://127.0.0.1:8000 </span></span><span class="line"><span class="cl">http://localhost:18000 </span></span><span class="line"><span class="cl">http://localhost:8000 </span></span></code></pre></td></tr></table> </div> </div></li> <li> <p>As a result, you will get the Client ID and Client Secret.</p> </li> </ol> <p>Great, now you need to install the <a class="link" href="https://github.com/int128/kubelogin" target="_blank" rel="noopener" >kubectl oidc-login plugin</a>.</p> <p>After installation, try to ensure everything works.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">kubectl oidc-login setup <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --oidc-issuer-url<span class="o">=</span>https://accounts.google.com <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --oidc-client-id<span class="o">=</span><span class="s1">&#39;YOUR CLIENT ID&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --oidc-client-secret<span class="o">=</span><span class="s1">&#39;YOUR CLIENT SECRET&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>If everything is fine, your browser should open, you log in as someone, and a big beautiful instruction will appear in the console. Something like this.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-plaintext" data-lang="plaintext"><span class="line"><span class="cl">authentication in progress... </span></span><span class="line"><span class="cl">Opening in existing browser session. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">## 2. Verify authentication </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">You got a token with the following claims: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">{ </span></span><span class="line"><span class="cl"> &#34;iss&#34;: &#34;https://accounts.google.com&#34;, </span></span><span class="line"><span class="cl"> &#34;azp&#34;: &#34;longalphanum&#34;, </span></span><span class="line"><span class="cl"> &#34;aud&#34;: &#34;longalphanum&#34;, </span></span><span class="line"><span class="cl"> &#34;sub&#34;: &#34;longalphanum&#34;, </span></span><span class="line"><span class="cl"> &#34;at_hash&#34;: &#34;longalphanum&#34;, </span></span><span class="line"><span class="cl"> &#34;nonce&#34;: &#34;longalphanum&#34;, </span></span><span class="line"><span class="cl"> &#34;iat&#34;: longalphanum, </span></span><span class="line"><span class="cl"> &#34;exp&#34;: longalphanum </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">## 3. Bind a cluster role </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Run the following command: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user=&#39;https://accounts.google.com#12345678901234567890&#39; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">## 4. Set up the Kubernetes API server </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Add the following options to the kube-apiserver: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> --oidc-issuer-url=https://accounts.google.com </span></span><span class="line"><span class="cl"> --oidc-client-id=longalphanum </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">## 5. Set up the kubeconfig </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Run the following command: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> kubectl config set-credentials oidc \ </span></span><span class="line"><span class="cl"> --exec-api-version=client.authentication.k8s.io/v1beta1 \ </span></span><span class="line"><span class="cl"> --exec-command=kubectl \ </span></span><span class="line"><span class="cl"> --exec-arg=oidc-login \ </span></span><span class="line"><span class="cl"> --exec-arg=get-token \ </span></span><span class="line"><span class="cl"> --exec-arg=--oidc-issuer-url=https://accounts.google.com \ </span></span><span class="line"><span class="cl"> --exec-arg=--oidc-client-id=longalphanum \ </span></span><span class="line"><span class="cl"> --exec-arg=--oidc-client-secret=longalphanum </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">## 6. Verify cluster access </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Make sure you can access the Kubernetes cluster. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> kubectl --user=oidc get nodes </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">You can switch the default context to oidc. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> kubectl config set-context --current </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> --user=oidc </span></span></code></pre></td></tr></table> </div> </div><h2 id="authentik">Authentik <a href="#authentik">¶</a></h2> <p>This tool is great! Among its direct analogs, it&rsquo;s worth mentioning <a class="link" href="https://www.okta.com" target="_blank" rel="noopener" >Okta</a> and <a class="link" href="https://www.keycloak.org" target="_blank" rel="noopener" >Keycloak</a>. All three products are excellent; Okta is often considered the benchmark. Other options may be better or worse, but they are always compared to Okta. &#x1f604;</p> <p>I installed Authentik from the <a class="link" href="https://artifacthub.io/packages/helm/goauthentik/authentik" target="_blank" rel="noopener" >official chart</a>. It’s running locally, and I needed a certificate. I obtained one using Certbot with DNS verification. After that, we proceed as follows:</p> <ol> <li> <p><strong>Applications &gt; Providers</strong></p> <p>Create a <strong>Kubernetes</strong> provider of type OAuth2/OIDC</p> <ul> <li><strong>Client type</strong>: Confidential</li> <li><strong>Client ID</strong>: remember this</li> <li><strong>Client Secret</strong>: remember this</li> <li><strong>Redirect URIs</strong>: <code>http://(127.0.0.1|localhost):1?8000(/.*)?</code></li> </ul> </li> <li> <p><strong>Application &gt; Applications</strong></p> <p>Create an application <strong>Kubernetes</strong> and select the provider you created in step 1.</p> </li> <li> <p><strong>System</strong></p> <p>Create users (surprise, right?) and also create groups. I made <em>kubernetes:admin</em> and <em>kubernetes:restricted</em>. The first group will be assigned the cluster-admin role in Kubernetes, while the second will have read-only access. Don’t forget to add users to the corresponding groups.</p> </li> <li> <p><strong>System &gt; Certificates</strong></p> <p>I’m not sure about this step; I just haven’t checked it without a certificate. I uploaded the certificate obtained via Certbot here, and then selected this certificate in <em>Application &gt; Providers &gt; Kubernetes &gt; Edit &gt; Signing Key</em>. Kubernetes didn’t complain, so it might be possible to use a self-signed certificate, but I’m not sure; you’ll have to try it yourself.</p> </li> <li> <p><strong>Customization &gt; Property Mappings</strong></p> <p>Create a mapping with the following parameters:</p> <ul> <li> <p><strong>Name</strong>: Kubernetes</p> </li> <li> <p><strong>Scope name</strong>: kubernetes</p> </li> <li> <p><strong>Expression</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="n">all_groups</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;kubernetes:admin&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;kubernetes:restricted&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="k">return</span> <span class="nb">dict</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">groups</span><span class="o">=</span><span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="n">group</span> <span class="k">for</span> <span class="n">group</span> <span class="ow">in</span> <span class="n">all_groups</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">ak_is_group_member</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">user</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="n">group</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div></li> </ul> <p>This way, for those who request this scope, Authentik will append the groups the user belongs to, iterating only through the Kubernetes groups.</p> </li> <li> <p>Verify kube-oidc-login</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">kubectl oidc-login setup <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --oidc-issuer-url<span class="o">=</span>https://authentik.example.com/application/o/kubernetes/ <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --oidc-client-id<span class="o">=</span><span class="s1">&#39;YOUR CLIENT ID&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --oidc-client-secret<span class="o">=</span><span class="s1">&#39;YOUR CLIENT SECRET&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --oidc-extra-scope<span class="o">=</span>kubernetes </span></span></code></pre></td></tr></table> </div> </div><p>Everything should work; just follow the instructions.</p> </li> <li> <p>Grant permissions to the group in Kubernetes</p> <p>Authentik will pass the group list, and now we need Kubernetes to pay attention to this. Add the following arguments to the API server:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">--oidc-groups-claim<span class="o">=</span>groups </span></span><span class="line"><span class="cl">--oidc-groups-prefix<span class="o">=</span>oidc: </span></span></code></pre></td></tr></table> </div> </div><p>Now you can create resources like these:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">oidc:kubernetes:admin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">roleRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">apiGroup</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cluster-admin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span>- <span class="nt">apiGroup</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Group</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">oidc:kubernetes:admin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">this-name-is-custom</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">roleRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">apiGroup</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">view</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span>- <span class="nt">apiGroup</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Group</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">oidc:kubernetes:restricted</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div></li> </ol>https://vlasov.pro/en/p/wg-quick-netns/Fri, 25 Nov 2022 00:00:00 +0000https://vlasov.pro/en/p/wg-quick-netns/<img src="https://vlasov.pro/ru/p/wg-quick-netns/wireguard.webp" alt="Featured image of post wg-quick network namespace" /><h2 id="tldr">TL;DR <a href="#tldr">¶</a></h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="na">PreUp</span> <span class="o">=</span> <span class="s">ip netns list | grep -qF -- %i &amp;&amp; ip netns delete %i || true</span> </span></span><span class="line"><span class="cl"><span class="na">PostUp</span> <span class="o">=</span> <span class="s">(ip netns list | grep -qF -- %i || ip netns add %i) &amp;&amp; ip -n %i link set up lo &amp;&amp; IPS=&#34;$(ip address save dev %i | base64)&#34; &amp;&amp; ip link set %i netns %i &amp;&amp; echo &#34;$IPS&#34; | base64 -d | ip -n %i address restore dev %i &amp;&amp; ip -n %i link set up %i &amp;&amp; (ip -n %i route show default | grep -qF default || ip -n %i route add default dev %i) &amp;&amp; echo &#39;IyEvdXNyL2Jpbi9lbnYgc2gKc2V0IC1lCgpuZXRucz0nJXMnCgpjYXQgPDxFT0YgfCB4YXJncyAtMCBzdWRvIC1FIG5zZW50ZXIgIi0tbmV0PS92YXIvcnVuL25ldG5zLyRuZXRucyIgdW5zaGFyZSAtLW1vdW50IHNoIC1jCmZvciBjb25mIGluICIkbmV0bnMiICJ0dW4uJG5ldG5zIjsgZG8KICBpZiBbIC1mICIvdmFyL3J1bi9yZXNvbHZjb25mL2ludGVyZmFjZXMvXCRjb25mIiBdOyB0aGVuCiAgICBtb3VudCAtLWJpbmQgIi92YXIvcnVuL3Jlc29sdmNvbmYvaW50ZXJmYWNlcy9cJGNvbmYiIC9ldGMvcmVzb2x2LmNvbmYKICBmaQpkb25lCmV4cG9ydCBEQlVTX1NFU1NJT05fQlVTX0FERFJFU1M9dW5peDpwYXRoPS9kZXYvbnVsbApzdWRvIC1FIC11ICcjJHtTVURPX1VJRDotJChpZCAtdSl9JyAtZyAnIyR7U1VET19HSUQ6LSQoaWQgLWcpfScgLS0gJEAKRU9GCg==&#39; | base64 -d | xargs -0 -I{} printf {} %i &gt; /usr/local/bin/wg-%i-exec &amp;&amp; echo &#39;IyEvdXNyL2Jpbi9lbnYgc2gKc2V0IC1lCgppZiBbICIkKGlkIC11KSIgLW5lIDAgXTsgdGhlbgogIGVjaG8gImVycm9yOiBydW4gbWUgYXMgcm9vdCIgMT4mMgogIGV4aXQgMQpmaQoKbmV0bnM9JyVzJwppcCBuZXRucyBleGVjICIkbmV0bnMiIGlwIGxpbmsgc2V0ICIkbmV0bnMiIG5ldG5zIDEKaXAgbmV0bnMgZGVsZXRlICIkbmV0bnMiCnN5c3RlbWN0bCBzdG9wICJ3Zy1xdWlja0AkbmV0bnMuc2VydmljZSIK&#39; | base64 -d | xargs -0 -I{} printf {} %i &gt; /usr/local/bin/wg-%i-down &amp;&amp; chmod 0755 /usr/local/bin/wg-%i-* &amp;&amp; chown root:root /usr/local/bin/wg-%i-* &amp;&amp; echo &#39;bmV0bnM9JyVzJwpjYXQgPDxFT0YKIyAg4pSQIOKUrG/ilKzilIDilJDilKzilIDilJDilIzilIDilJDilKwg4pSQ4pSs4pSA4pSQ4pSs4pSA4pSQ4pSs4pSA4pSQICDilIzilJDilJDilKzilIDilJDilIzilJDilJDilIzilJDilJDilJDilIDilJAKIyAg4pSC4pSC4pSC4pSC4pSC4pSs4pSY4pSc4pSAIOKUgiDilKzilIIg4pSC4pSC4pSA4pSk4pSC4pSs4pSY4pSCIOKUgiAg4pSC4pSC4pSC4pSc4pSAICDilIIg4pSC4pSC4pSC4pSU4pSA4pSQCiMgIOKUlOKUtOKUmOKUmOKUmOKUlOKUmOKUtOKUgOKUmOKUmOKUgOKUmOKUmOKUgOKUmOKUmCDilJjilJjilJTilJjilJjilIDilJggIOKUmOKUlOKUmOKUtOKUgOKUmCDilJgg4pSY4pSU4pSY4pSA4pSA4pSYClRoYW5rcyBmb3IgdXNpbmcgbmV0bnMgd2ctcXVpY2sgd3JhcHBlciEKCi91c3IvbG9jYWwvYmluL3dnLSRuZXRucy1leGVjIENPTU1BTkQgICAtIGV4ZWN1dGUgc2hlbGwgY29tbWFuZCBpbiAkbmV0bnMgbmV0d29yayBuYW1lc3BhY2UKL3Vzci9sb2NhbC9iaW4vd2ctJG5ldG5zLWRvd24gICAgICAgICAgIC0gdXNlIGl0IGluc3RlYWQgb2Ygd2ctcXVpY2sgZG93biAkbmV0bnMKRU9G&#39; | base64 -d | xargs -0 -I{} printf {} %i | sh - </span> </span></span><span class="line"><span class="cl"><span class="na">PostDown</span> <span class="o">=</span> <span class="s">rm -f /usr/local/bin/wg-%i-* || true</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p><a class="link" href="https://www.wireguard.com" target="_blank" rel="noopener" >Wireguard</a> is an awesome, simple VPN that is <a class="link" href="https://www.wireguard.com" target="_blank" rel="noopener" >already included in the kernel</a>. A very powerful and simple tool. It&rsquo;s much easier to set up than <a class="link" href="https://openvpn.net" target="_blank" rel="noopener" >OpenVPN</a>. For its simple configuration, the <a class="link" href="https://www.man7.org/linux/man-pages/man8/wg-quick.8.html" target="_blank" rel="noopener" >wg-quick</a> utility is used, which is part of wireguard tools. For better understanding, I&rsquo;ll additionally clarify that from my experience, most solutions like <a class="link" href="https://github.com/donaldzou/WGDashboard" target="_blank" rel="noopener" >WGDashboard</a> and <a class="link" href="https://github.com/ngoduykhanh/wireguard-ui" target="_blank" rel="noopener" >wireguard-ui</a> generate client configs specifically for wg-quick.</p> <h2 id="problem-statement">Problem Statement <a href="#problem-statement">¶</a></h2> <p>Move the wireguard interface to a separate network namespace so that applications can be run in it. Why do this? This eliminates the need to proxy traffic to blocked sites through Wireguard with some complex solutions. Need to access some restricted place - just launch another browser in the Wireguard namespace and that&rsquo;s it! For example, I rewrote the Exec line in the <a class="link" href="https://www.thunderbird.net/en-US/" target="_blank" rel="noopener" >Thunderbird</a> shortcut, which has no equally functional alternative yet, and now it always starts through VPN and can peacefully collect mail from any SMTP. We need to use vanilla wg-quick without modifications so it works out of the box.</p> <h2 id="solution-analysis">Solution Analysis <a href="#solution-analysis">¶</a></h2> <p><a class="link" href="https://www.man7.org/linux/man-pages/man8/wg-quick.8.html" target="_blank" rel="noopener" >In the documentation</a>, there are 4 ways for additional wg-quick interface configuration: PreUp, PostUp, PreDown, PostDown. So we need to write scripts that do everything needed. The ready solution is presented at the beginning of the article, and now let&rsquo;s analyze it. I&rsquo;ll transform this compressed code into human-readable form - it looks different but is identical in content. <strong>Note:</strong> the code contains <code>%i</code>, this is a wg-quick macro itself, wherever it encounters this macro, it substitutes the name of the interface being created.</p> <h3 id="preup">PreUp <a href="#preup">¶</a></h3> <p>Everything is simple here.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># search for our namespace in the list of network namespaces</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> ip netns list <span class="p">|</span> grep -qF -- %i<span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="c1"># if found - delete it</span> </span></span><span class="line"><span class="cl"> ip netns delete %i </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="postup">PostUp <a href="#postup">¶</a></h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="k">if</span> ! ip netns list <span class="p">|</span> grep -qF -- %i<span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="c1"># create network namespace if it doesn&#39;t exist yet (and it shouldn&#39;t)</span> </span></span><span class="line"><span class="cl"> ip netns add %i </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="c1"># start the loopback interface there (the 127.0.0.1 one)</span> </span></span><span class="line"><span class="cl">ip -n %i link <span class="nb">set</span> up lo </span></span><span class="line"><span class="cl"><span class="c1"># save the list of network addresses that wg-quick assigned to the interface during creation</span> </span></span><span class="line"><span class="cl"><span class="c1"># and encode it in base64, because this is a binary stream in the ip utility format</span> </span></span><span class="line"><span class="cl"><span class="nv">IPS</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>ip address save dev %i <span class="p">|</span> base64<span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1"># move the interface to our special namespace</span> </span></span><span class="line"><span class="cl">ip link <span class="nb">set</span> %i netns %i </span></span><span class="line"><span class="cl"><span class="c1"># restore the addresses back, decoding them from the variable created earlier</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$IPS</span><span class="s2">&#34;</span> <span class="p">|</span> base64 -d <span class="p">|</span> ip -n %i address restore dev %i </span></span><span class="line"><span class="cl"><span class="c1"># start the network interface in that namespace</span> </span></span><span class="line"><span class="cl">ip -n %i link <span class="nb">set</span> up %i </span></span><span class="line"><span class="cl"><span class="c1"># look for a route to 0.0.0.0/0 in our namespace&#39;s route list</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> ! ip -n %i route show default <span class="p">|</span> grep -qF default<span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="c1"># add it if not found</span> </span></span><span class="line"><span class="cl"> ip -n %i route add default dev %i </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="c1"># here was a script in base64, I decoded it directly for you in the text to make it clear what&#39;s there</span> </span></span><span class="line"><span class="cl"><span class="c1"># this script is decoded and the interface name is inserted into it using printf, which will always</span> </span></span><span class="line"><span class="cl"><span class="c1"># work with the script</span> </span></span><span class="line"><span class="cl">cat <span class="s">&lt;&lt;EOT | xargs -0 -I{} printf {} %i &gt; /usr/local/bin/wg-%i-exec </span></span></span><span class="line"><span class="cl"><span class="s">#!/usr/bin/env sh </span></span></span><span class="line"><span class="cl"><span class="s">set -e </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s"># the interface name will land here in the variable </span></span></span><span class="line"><span class="cl"><span class="s">netns=&#39;%s&#39; </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s"># and I&#39;ll explain this mess separately </span></span></span><span class="line"><span class="cl"><span class="s">cat &lt;&lt;EOF | xargs -0 sudo -E nsenter &#34;--net=/var/run/netns/$netns&#34; unshare --mount sh -c </span></span></span><span class="line"><span class="cl"><span class="s">for conf in &#34;$netns&#34; &#34;tun.$netns&#34;; do </span></span></span><span class="line"><span class="cl"><span class="s"> if [ -f &#34;/var/run/resolvconf/interfaces/\$conf&#34; ]; then </span></span></span><span class="line"><span class="cl"><span class="s"> mount --bind &#34;/var/run/resolvconf/interfaces/\$conf&#34; /etc/resolv.conf </span></span></span><span class="line"><span class="cl"><span class="s"> fi </span></span></span><span class="line"><span class="cl"><span class="s">done </span></span></span><span class="line"><span class="cl"><span class="s">export DBUS_SESSION_BUS_ADDRESS=unix:path=/dev/null </span></span></span><span class="line"><span class="cl"><span class="s">sudo -E -u &#39;#${SUDO_UID:-$(id -u)}&#39; -g &#39;#${SUDO_GID:-$(id -g)}&#39; -- $@ </span></span></span><span class="line"><span class="cl"><span class="s">EOF </span></span></span><span class="line"><span class="cl"><span class="s">EOT</span> </span></span><span class="line"><span class="cl"><span class="c1"># same kind of script, but we execute not a user command there, but wg-quick down</span> </span></span><span class="line"><span class="cl">cat <span class="s">&lt;&lt;EOT | xargs -0 -I{} printf {} %i &gt; /usr/local/bin/wg-%i-down </span></span></span><span class="line"><span class="cl"><span class="s">#!/usr/bin/env sh </span></span></span><span class="line"><span class="cl"><span class="s">set -e </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s"># must be run as root </span></span></span><span class="line"><span class="cl"><span class="s">if [ &#34;$(id -u)&#34; -ne 0 ]; then </span></span></span><span class="line"><span class="cl"><span class="s"> echo &#34;error: run me as root&#34; 1&gt;&amp;2 </span></span></span><span class="line"><span class="cl"><span class="s"> exit 1 </span></span></span><span class="line"><span class="cl"><span class="s">fi </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">netns=&#39;%s&#39; </span></span></span><span class="line"><span class="cl"><span class="s"># return the interface back to the root netns </span></span></span><span class="line"><span class="cl"><span class="s">ip netns exec &#34;$netns&#34; ip link set &#34;$netns&#34; netns 1 </span></span></span><span class="line"><span class="cl"><span class="s"># delete our custom netns </span></span></span><span class="line"><span class="cl"><span class="s">ip netns delete &#34;$netns&#34; </span></span></span><span class="line"><span class="cl"><span class="s"># and stop via wg-quick, which will remove the interface itself </span></span></span><span class="line"><span class="cl"><span class="s">systemctl stop &#34;wg-quick@$netns.service&#34; </span></span></span><span class="line"><span class="cl"><span class="s">EOT</span> </span></span><span class="line"><span class="cl"><span class="c1"># change owner and permissions on files</span> </span></span><span class="line"><span class="cl">chmod <span class="m">0755</span> /usr/local/bin/wg-%i-* </span></span><span class="line"><span class="cl">chown root:root /usr/local/bin/wg-%i-* </span></span><span class="line"><span class="cl"><span class="c1"># just output text to screen when bringing up the interface - user help,</span> </span></span><span class="line"><span class="cl"><span class="c1"># which tells about the two scripts created earlier. This text is decoded and directly</span> </span></span><span class="line"><span class="cl"><span class="c1"># thrown to sh, i.e., executed on the fly, and there&#39;s only one cat there</span> </span></span><span class="line"><span class="cl">cat <span class="s">&lt;&lt;EOT | xargs -0 -I{} printf {} %i | sh - </span></span></span><span class="line"><span class="cl"><span class="s">netns=&#39;%s&#39; </span></span></span><span class="line"><span class="cl"><span class="s">cat &lt;&lt;EOF </span></span></span><span class="line"><span class="cl"><span class="s"># ┐ ┬o┬─┐┬─┐┌─┐┬ ┐┬─┐┬─┐┬─┐ ┌┐┐┬─┐┌┐┐┌┐┐┐─┐ </span></span></span><span class="line"><span class="cl"><span class="s"># │││││┬┘├─ │ ┬│ ││─┤│┬┘│ │ │││├─ │ │││└─┐ </span></span></span><span class="line"><span class="cl"><span class="s"># └┴┘┘┘└┘┴─┘┘─┘┘─┘┘ ┘┘└┘┘─┘ ┘└┘┴─┘ ┘ ┘└┘──┘ </span></span></span><span class="line"><span class="cl"><span class="s">Thanks for using netns wg-quick wrapper! </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">/usr/local/bin/wg-$netns-exec COMMAND - execute shell command in $netns network namespace </span></span></span><span class="line"><span class="cl"><span class="s">/usr/local/bin/wg-$netns-down - use it instead of wg-quick down $netns </span></span></span><span class="line"><span class="cl"><span class="s">EOF </span></span></span><span class="line"><span class="cl"><span class="s">EOT</span> </span></span></code></pre></td></tr></table> </div> </div><p>And here&rsquo;s the real madness. Let me explain the main points.</p> <ol> <li>When you move a network interface to another namespace, unfortunately, all IP addresses are lost from it. Therefore, we save them at the beginning and then restore them after the transfer.</li> <li>The loopback interface in the new namespace is disabled by default, so we enable it ourselves</li> <li>A route is added only to <code>0.0.0.0/0</code> because in principle our traffic has nowhere to go except to wireguard, so we send everything there regardless of what&rsquo;s written in AllowedIPs on the interface. This makes the script simpler, works the same way, and creates no vulnerabilities.</li> <li>Two scripts are created: <code>wg-%i-exec</code>, <code>wg-%i-down</code>. The first is needed to run programs in our network namespace, and the second is needed to simply do <code>wg-quick down</code>, because just executing <code>wg-quick down</code> won&rsquo;t stop the interface - you need to execute <em>wg-quick</em> inside our namespace</li> </ol> <h3 id="how-wg-i-exec-works">How wg-%i-exec works <a href="#how-wg-i-exec-works">¶</a></h3> <p>There are several problems that the script solves:</p> <ol> <li>Inside the namespace there&rsquo;s no resolv.conf, or there might not be. wg-quick always creates it for itself through <a class="link" href="https://manpages.ubuntu.com/manpages/trusty/man8/resolvconf.8.html" target="_blank" rel="noopener" >resolvconf</a>, even without all our tricks. That is, it&rsquo;s created for the interface. This is needed for DNS name resolution.</li> <li>We need to make it so that even when running exec as a user, they don&rsquo;t get root privileges as a bonus, but remain with their own privileges.</li> </ol> <p>I&rsquo;ll break down the script line by line into possibly even non-working shell code, but it will be more convenient to comment this way.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="cp">#!/usr/bin/env sh </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="nb">set</span> -e </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># the interface name will land here in the variable</span> </span></span><span class="line"><span class="cl"><span class="nv">netns</span><span class="o">=</span><span class="s1">&#39;%s&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># and I&#39;ll explain this mess separately</span> </span></span><span class="line"><span class="cl">cat <span class="s">&lt;&lt;EOF | xargs -0 sudo -E nsenter &#34;--net=/var/run/netns/$netns&#34; unshare --mount sh -c </span></span></span><span class="line"><span class="cl"><span class="s">for conf in &#34;$netns&#34; &#34;tun.$netns&#34;; do </span></span></span><span class="line"><span class="cl"><span class="s"> if [ -f &#34;/var/run/resolvconf/interfaces/\$conf&#34; ]; then </span></span></span><span class="line"><span class="cl"><span class="s"> mount --bind &#34;/var/run/resolvconf/interfaces/\$conf&#34; /etc/resolv.conf </span></span></span><span class="line"><span class="cl"><span class="s"> fi </span></span></span><span class="line"><span class="cl"><span class="s">done </span></span></span><span class="line"><span class="cl"><span class="s">export DBUS_SESSION_BUS_ADDRESS=unix:path=/dev/null </span></span></span><span class="line"><span class="cl"><span class="s">sudo -E -u &#39;#${SUDO_UID:-$(id -u)}&#39; -g &#39;#${SUDO_GID:-$(id -g)}&#39; -- $@ </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># execute on behalf of sudo, preserving the current user&#39;s env, this will still be with root privileges</span> </span></span><span class="line"><span class="cl">sudo -E </span></span><span class="line"><span class="cl"><span class="c1"># nsenter will run us in this namespace</span> </span></span><span class="line"><span class="cl">nsenter <span class="s2">&#34;--net=/var/run/netns/</span><span class="nv">$NETNS</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1"># and then unmount everything that was mounted</span> </span></span><span class="line"><span class="cl">unshare --mount </span></span><span class="line"><span class="cl"><span class="c1"># shell command that will execute the script</span> </span></span><span class="line"><span class="cl">sh -c </span></span><span class="line"><span class="cl"><span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1"># where we mount resolv.conf created by wg-quick, if such exists at all </span></span></span><span class="line"><span class="cl"><span class="s1"># on Ubuntu and Fedora this is needed, on Manjaro - /etc/resolv.conf is already in place </span></span></span><span class="line"><span class="cl"><span class="s1">for conf in &#34;$netns&#34; &#34;tun.$netns&#34;; do </span></span></span><span class="line"><span class="cl"><span class="s1"> if [ -f &#34;/var/run/resolvconf/interfaces/\$conf&#34; ]; then </span></span></span><span class="line"><span class="cl"><span class="s1"> mount --bind &#34;/var/run/resolvconf/interfaces/\$conf&#34; /etc/resolv.conf </span></span></span><span class="line"><span class="cl"><span class="s1"> fi </span></span></span><span class="line"><span class="cl"><span class="s1">done </span></span></span><span class="line"><span class="cl"><span class="s1"># browsers won&#39;</span>t start without this </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">DBUS_SESSION_BUS_ADDRESS</span><span class="o">=</span>unix:path<span class="o">=</span>/dev/null </span></span><span class="line"><span class="cl"><span class="c1"># and using sudo preserving the same current user&#39;s env</span> </span></span><span class="line"><span class="cl">sudo -E </span></span><span class="line"><span class="cl"><span class="c1"># not on behalf of root, but already on behalf of the user who ran the exec script</span> </span></span><span class="line"><span class="cl">-u <span class="s1">&#39;#${SUDO_UID:-$(id -u)}&#39;</span> </span></span><span class="line"><span class="cl">-g <span class="s1">&#39;#${SUDO_GID:-$(id -g)}&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># execute what they requested</span> </span></span><span class="line"><span class="cl">-- <span class="nv">$@</span> </span></span><span class="line"><span class="cl"><span class="err">&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="conclusion">Conclusion <a href="#conclusion">¶</a></h2> <p>Just insert these 3 lines into the config and that&rsquo;s it! No Ansible, dancing with tambourines, complex setup and maintenance.</p>https://vlasov.pro/en/p/gpt-btrfs-gnome/Sun, 20 Mar 2022 00:00:00 +0000https://vlasov.pro/en/p/gpt-btrfs-gnome/<img src="https://vlasov.pro/ru/p/gpt-btrfs-gnome/gparted.png" alt="Featured image of post GPT (UEFI) for Btrfs (/ and /boot) over dm-crypt" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p>The program in the article&rsquo;s photo is <a class="link" href="https://gparted.org" target="_blank" rel="noopener" >GParted</a>. I love and practice it. It&rsquo;s convenient and simple to do whatever you want with partitions. I couldn&rsquo;t decide what to use as the main image for the article. Let it be my current partitioning scheme &#x1f604;<br> I reinstall systems fairly often, a couple of times a year. The reasons vary: I built a small server, swapped my work PC for a laptop, or upgraded my parents&rsquo; computer with a larger drive&hellip; Just little things, really. I believe I have extensive experience with both Windows and various Linux distributions. This article is mostly just chit-chat, so please don&rsquo;t take offense. If someone happens to discover that comments have been allowed on the site for half a year, I would be sincerely glad &#x1f604;</p> <h2 id="partition-table-type">Partition Table Type <a href="#partition-table-type">¶</a></h2> <p>I used to think: &ldquo;Well, there&rsquo;s the old good MBR, and GPT was invented with their cursed UEFIs to run on laptops and prevent people from installing other operating systems! The 4-partition limitation - so what? If you want more, use logical partitions.&rdquo; I thought this way until January 2022, when I received a <a class="link" href="https://www.lenovo.com/ua/uk/laptops/ideapad/5-series/IdeaPad-5-14ARE05/p/88IPS501392" target="_blank" rel="noopener" >laptop</a> for work, and of course, I started thinking about how to set it up. &ldquo;I&rsquo;ll try GPT; I’ve never used it before. Let’s see if it works, what’s the difference?&rdquo; The result: <em>GPT UEFI forever!</em> Why&hellip;</p> <ol> <li>There’s no limit on the number of partitions.</li> <li>There’s no bootloader area at the beginning of the disk, meaning that the BIOS doesn’t load the disk by following a link at the start, <em>but rather a specific program found on one of however many FAT32 partitions</em>.</li> <li><a class="link" href="https://www.gnu.org/software/grub/" target="_blank" rel="noopener" >GRUB</a> sees all the neighbors on the disk, and so does <strong>the BIOS</strong>, as it turns out that the entry point is exactly the same UEFI program. You can access the BIOS from the bootloader menu, then back to the bootloader, then again to the BIOS, you get the idea&hellip;</li> <li>When you install Windows and it wipes the MBR without asking you (I won’t express my eloquent, uncensored opinion about Microsoft&rsquo;s respect for products not developed by them), and then you need to restore GRUB from a LiveUSB, or maybe some system update failed. It doesn&rsquo;t matter what happened. You just boot another OS straight from the BIOS! I really liked that.</li> <li>A downside, but really just a minor one, is that UEFI programs can only be on FAT32 partitions. Well, that&rsquo;s okay. I created it and forgot about it.</li> <li>Windows wasn&rsquo;t initially planned, but when it appeared, it turned out that it could be installed on any partitions in order, not just the first one as in the case of MBR, which is a huge plus.</li> </ol> <h2 id="file-systems">File Systems <a href="#file-systems">¶</a></h2> <p>I switched to BTRFS everywhere, on my work machine, server, and even the archive partition (auto, moto, photo &hellip;) is also on BTRFS. I really love and respect it; I tried it recently as well. I looked for various <a class="link" href="https://www.phoronix.com/scan.php?page=news_item&amp;px=Linux-5.14-File-Systems" target="_blank" rel="noopener" >performance benchmarks</a> and realized that on average, BTRFS is about the same as EXT4 but slower than XFS. &ldquo;To take it or not to take it?&rdquo; I wondered. So I took it for one simple and clear reason: my machines are not high-load servers, and I wouldn’t feel the performance difference &#x1f604; I’m satisfied with my choice.</p> <ol> <li>I have BTRFS RAID1 on two 1TB Barracuda HDDs on my home server - a software RAID, with no problems and at the first attempt.</li> <li>Built-in features: compression, defragmentation, error checking (which can indicate when drives are dying), snapshots. It&rsquo;s a dream!</li> <li>It turns out GRUB loads BTRFS and boots from BTRFS without any issues!</li> <li>It’s a pity there’s no built-in encryption. I had to layer dm-crypt on top - and no worries, everything is excellent.</li> <li>BTRFS is like a logical partition with rubber partitions inside, which aren&rsquo;t arranged sequentially as we are used to, but simply exist, all at once &#x1f604; No need to add space if it runs out or think about what will consume how much.</li> </ol> <p>Interestingly, I had to migrate the OS from one hardware to another. Here&rsquo;s how it looked with BTRFS.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># mount the root btrfs on the old machine</span> </span></span><span class="line"><span class="cl">mount /dev/sda1 -o <span class="nv">subvol</span><span class="o">=</span>/ /mnt </span></span><span class="line"><span class="cl"><span class="c1"># do the same on the new machine</span> </span></span><span class="line"><span class="cl">ssh user@new-pc mount /dev/sda1 -o <span class="nv">subvol</span><span class="o">=</span>/ /mnt </span></span><span class="line"><span class="cl"><span class="c1"># create a readonly snapshot of the system partition</span> </span></span><span class="line"><span class="cl">btrfs subvolume snapshot -r /mnt/@manjaro /mnt/@manjaro-ro </span></span><span class="line"><span class="cl"><span class="c1"># send it via SSH! simply amazing...</span> </span></span><span class="line"><span class="cl">btrfs send /mnt/@manjaro-ro <span class="p">|</span> ssh user@new-pc btrfs receive /mnt/@manjaro-ro </span></span><span class="line"><span class="cl"><span class="c1"># on the new machine, create a readwrite snapshot from the received readonly one</span> </span></span><span class="line"><span class="cl">ssh user@new-pc btrfs subvolume snapshot /mnt/@manjaro-ro /mnt/@manjaro </span></span><span class="line"><span class="cl"><span class="c1"># delete the readonly snapshot</span> </span></span><span class="line"><span class="cl">ssh user@new-pc btrfs subvolume del /mnt/@manjaro-ro </span></span><span class="line"><span class="cl"><span class="c1"># unmount everything</span> </span></span><span class="line"><span class="cl">umount /mnt </span></span><span class="line"><span class="cl">ssh user@new-pc umount /mnt </span></span></code></pre></td></tr></table> </div> </div><p>I have never migrated so easily and simply. Just remember to do the following manually later:</p> <ol> <li>Fix UUIDs in <code>/etc/fstab</code></li> <li>Update <code>/etc/hostname</code></li> <li><code>grub-install ... &amp;&amp; grub-mkconfig ...</code></li> </ol> <h2 id="gpt-partitions">GPT Partitions <a href="#gpt-partitions">¶</a></h2> <ol> <li>If Windows needs more space, I&rsquo;ll shrink Manjaro from the end.</li> <li>If I need another Linux, it will also need an EFI partition, but the boot partition isn’t necessary! Because multiple Linux systems can boot from one BTRFS boot - just different (subvolume) partitions.</li> </ol> <h2 id="operating-systems">Operating Systems <a href="#operating-systems">¶</a></h2> <ol> <li>It&rsquo;s hard to imagine anything better than Manjaro. I really like everything - <a class="link" href="https://wiki.manjaro.org/index.php/Main_Page" target="_blank" rel="noopener" >documentation</a>, utilities, <a class="link" href="https://wiki.manjaro.org/index.php/Manjaro_Kernels" target="_blank" rel="noopener" >ease of kernel update control with mhwd-kernel</a>, compatibility with all Vanilla Arch documentation. Fresh software, but not as bleeding-edge as Fedora, which is also nice! <a class="link" href="https://stabyourself.net/mari0/" target="_blank" rel="noopener" >There’s mari0</a></li> <li>Windows 10, just for games and Steam.</li> </ol> <h2 id="important-notes">Important Notes <a href="#important-notes">¶</a></h2> <ol> <li>Windows does not ask anyone and formats partitions with the <code>boot,esp</code> flags in FAT32 and puts its EFI there. This was resolved by manually creating the EFI-Windows partition and setting these flags. Linux doesn’t care where they are - it doesn’t affect booting, but the Windows installation fit in the space I needed.</li> <li>Initially, I didn’t separate boot, and it was also encrypted! It works perfectly! One downside: GRUB does not pull drivers and uses software-implemented algorithms for decryption, without leveraging CPU hardware capabilities. The initial decryption took me 5-7 seconds. People online complained about tens of seconds&hellip; For me, those 5-7 seconds were not critical, especially since it doesn’t affect work later, just at the beginning of the boot. However, I decided to remove that delay; I also don’t need paranoid security.</li> <li>To restore the bootloader, you also need to mount <em>efivars</em> before chrooting.</li> <li><a class="link" href="https://wiki.manjaro.org/index.php/GRUB/Restore_the_GRUB_Bootloader#EFI_System" target="_blank" rel="noopener" >Here&rsquo;s excellent documentation</a> on bootloader recovery.</li> <li>It&rsquo;s hard to find better <a class="link" href="https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Configuring_mkinitcpio" target="_blank" rel="noopener" >documentation on system installation than this</a> for an encrypted partition.</li> <li>UUIDs in <code>/etc/fstab</code> must match those you need from the output of <code>blkid</code>.</li> </ol> <h2 id="unimportant-notes">Unimportant Notes <a href="#unimportant-notes">¶</a></h2> <ol> <li>This is what my boot screen looks like thanks to <a class="link" href="https://wiki.archlinux.org/title/plymouth" target="_blank" rel="noopener" >plymouth</a>. <a class="link" href="https://github.com/adi1090x/plymouth-themes" target="_blank" rel="noopener" >Theme Pack 2 - Flame</a>. (the image flickering only occurs in the browser; during boot, it’s smooth)</li> <li>I chose a theme for Grub <a class="link" href="https://www.gnome-look.org/browse?cat=109" target="_blank" rel="noopener" >here</a>. <a class="link" href="https://www.gnome-look.org/p/1603282" target="_blank" rel="noopener" >This is the one I took.</a></li> <li>dm-crypt can be patched to create a <a class="link" href="https://www.kali.org/tools/cryptsetup-nuke-password/" target="_blank" rel="noopener" >nuke password</a>. If entered, it destroys all keys, and the partition can no longer be decrypted. No matter who steals it, they will never be able to use it.</li> </ol> <h3 id="grub-recovery-script">Grub recovery script <a href="#grub-recovery-script">¶</a></h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># расшивровуем раздел с системой</span> </span></span><span class="line"><span class="cl">cryptsetup luksOpen /dev/nvme0n1p1 cryptroot </span></span><span class="line"><span class="cl"><span class="c1"># монтируем систему</span> </span></span><span class="line"><span class="cl">mount /dev/mapper/cryptroot -o <span class="nv">subvol</span><span class="o">=</span>@root /mnt </span></span><span class="line"><span class="cl"><span class="c1"># монтируем boot</span> </span></span><span class="line"><span class="cl">mount /dev/nvme0n1p2 -o <span class="nv">subvol</span><span class="o">=</span>@boot /mnt/boot </span></span><span class="line"><span class="cl"><span class="c1"># создаём папку efi если нет</span> </span></span><span class="line"><span class="cl">mkdir -p /mnt/boot/efi </span></span><span class="line"><span class="cl"><span class="c1"># монтируем efi в boot</span> </span></span><span class="line"><span class="cl">mount /dev/nvme0n1p3 /mnt/boot/efi </span></span><span class="line"><span class="cl"><span class="c1"># монтируем кучу всего для chroot</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> i in dev proc sys <span class="p">;</span> <span class="k">do</span> mount --bind /<span class="nv">$i</span> /mnt/<span class="nv">$i</span><span class="p">;</span> <span class="k">done</span> </span></span><span class="line"><span class="cl"><span class="c1"># монтируем efivars а то grub не встанет</span> </span></span><span class="line"><span class="cl">mount --bind /sys/firmware/efi/efivars /mnt/sys/firmware/efi/efivars </span></span><span class="line"><span class="cl"><span class="c1"># запрыгиваем в нашу систему</span> </span></span><span class="line"><span class="cl">chroot /mnt </span></span><span class="line"><span class="cl"><span class="c1"># ставим grub. тут нужны пояснения</span> </span></span><span class="line"><span class="cl"><span class="c1"># 1. в случае с mbr мы привыкли указывать диск, куда прописать загрузчик</span> </span></span><span class="line"><span class="cl"><span class="c1"># в случае с efi он ничего никуда не прописывает, а просто наполняет /boot</span> </span></span><span class="line"><span class="cl"><span class="c1"># 2. bootloader-id это просто для красоты - именно так BIOS будет подписывать нашу ось в списке</span> </span></span><span class="line"><span class="cl"><span class="c1"># можно и не писать, там по умолчанию будет manjaro</span> </span></span><span class="line"><span class="cl">grub-install --bootloader-id<span class="o">=</span><span class="s2">&#34;Manjaro&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1"># если профукал весь раздел /boot вместе с образами ядра, то вот так они перегенерятся</span> </span></span><span class="line"><span class="cl">pacman -S linux </span></span><span class="line"><span class="cl"><span class="c1"># собираем initramfs образы</span> </span></span><span class="line"><span class="cl">mkinitcpio -P </span></span><span class="line"><span class="cl"><span class="c1"># собираем меню grub</span> </span></span><span class="line"><span class="cl">grub-mkconfig -o /boot/grub/grub.cfg </span></span><span class="line"><span class="cl"><span class="c1"># выходим из chroot</span> </span></span><span class="line"><span class="cl"><span class="nb">exit</span> </span></span><span class="line"><span class="cl"><span class="c1"># размонтируем и закрываем всё в обратном порядке</span> </span></span><span class="line"><span class="cl">umount /mnt/sys/firmware/efi/efivars </span></span><span class="line"><span class="cl"><span class="k">for</span> i in dev proc sys<span class="p">;</span> <span class="k">do</span> umount /mnt/<span class="nv">$i</span><span class="p">;</span> <span class="k">done</span> </span></span><span class="line"><span class="cl">umount /mnt/boot/efi </span></span><span class="line"><span class="cl">umount /mnt/boot </span></span><span class="line"><span class="cl">umount /mnt </span></span><span class="line"><span class="cl">cryptsetup luksClose cryptroot </span></span></code></pre></td></tr></table> </div> </div><h3 id="simple-explanation-of-os-booting-efi">Simple Explanation of OS Booting (EFI) <a href="#simple-explanation-of-os-booting-efi">¶</a></h3> <ol> <li>The BIOS starts up and finds all FAT32 partitions that contain an EFI folder and the familiar files. It loads one of the programs it finds, as requested.</li> <li>The EFI program is not as limited as MBR; it can do pretty much anything. In our case, it accesses the <code>/boot</code> partition with GRUB, discovers BTRFS, and loads the GRUB menu. This is where the theme we chose for GRUB is displayed.</li> <li>Now, we select what to boot from the GRUB menu.</li> <li>GRUB loads the entire initramfs of the selected operating system into RAM. This is what we generated with the <a class="link" href="https://wiki.archlinux.org/title/mkinitcpio" target="_blank" rel="noopener" >mkinitcpio</a> command. Initcpio is a program similar to EFI, but when it was created, EFI didn’t exist yet; only the limited MBR was around. I have a feeling that you could boot the system directly from EFI without the extra layer, but that’s another story&hellip; Also, along with initramfs, the kernel is loaded here since it’s also stored on <code>/boot</code>.</li> <li>Initcpio is a layered cake of <a class="link" href="https://wiki.archlinux.org/title/mkinitcpio#HOOKS" target="_blank" rel="noopener" >hooks</a> that are executed sequentially. Each one does something important and necessary. If we installed Plymouth, then right here, in one of the very first hooks, some beautiful graphics are drawn on the screen to hide a bunch of loading logs.</li> <li>One of the hooks is <em>encrypt</em> or <em>plymouth-encrypt</em>. This particular piece of the initramfs cake asks us for the password for the encrypted root. Up to this point, it hasn’t been accessed at all &#x1f604;</li> <li>Decryption, creating the first process, starting services, drivers, the graphical shell, and the whole process of booting up.</li> </ol> <h2 id="conclusion">Conclusion <a href="#conclusion">¶</a></h2> <p>I hope the article helped someone or provided some information. If you have suggestions or ideas, feel free to contact me!</p>https://vlasov.pro/en/p/k9s/Mon, 17 Jan 2022 00:00:00 +0000https://vlasov.pro/en/p/k9s/<img src="https://vlasov.pro/ru/p/k9s/k9s.webp" alt="Featured image of post Overview of k9s" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p><a class="link" href="https://github.com/derailed/k9s" target="_blank" rel="noopener" >k9s</a> - my favorite tool for working with Kubernetes clusters. I really like this tool, there are quite good analogues and even much prettier ones, but exactly here, hotkeys work well and it&rsquo;s very convenient to use from the terminal.</p> <p>Everything you can read in the repository page is also indicated what&rsquo;s fresh in memory, only that which I constantly use.</p> <h2 id="overview">Overview <a href="#overview">¶</a></h2> <h3 id="viewing-logs">Viewing logs <a href="#viewing-logs">¶</a></h3> <p>Just by pressing <code>L</code> you can view the logs of a separate pod, there too you can quickly choose a range of time for which these logs should be shown.</p> <h3 id="copying-to-clipboard-buffer">Copying to clipboard buffer <a href="#copying-to-clipboard-buffer">¶</a></h3> <p>By pressing <code>C</code> in the mode of viewing logs or manifest object, the screen content (the entire file or log, not only what is visible) is copied into the clipboard buffer. You need to have <code>xsel</code> installed as well.</p> <h3 id="port-forwarding">Port forwarding <a href="#port-forwarding">¶</a></h3> <p>Pressing <code>Shift + F</code> allows you to choose which ports to forward to your local machine so that you can access any service.</p> <h3 id="viewing-problematic-pods">Viewing problematic pods <a href="#viewing-problematic-pods">¶</a></h3> <p>By pressing <code>Ctrl + Z</code> in the list of pods, only those remain that are not Running.</p> <h3 id="searching-by-substring">Searching by substring <a href="#searching-by-substring">¶</a></h3> <p>Just press the backslash and write a substring that needs to be searched in the name or tags of object objects from the list. It&rsquo;s convenient when there are many objects.</p> <h2 id="demonstration">Demonstration <a href="#demonstration">¶</a></h2> <script id="asciicast-462297" src="https://asciinema.org/a/462297.js" async></script>https://vlasov.pro/en/p/terraform-notes/Sun, 16 Jan 2022 00:00:00 +0000https://vlasov.pro/en/p/terraform-notes/<img src="https://vlasov.pro/ru/p/terraform-notes/terraform.webp" alt="Featured image of post Notes on Terraform" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p><a class="link" href="https://www.terraform.io" target="_blank" rel="noopener" >Terraform</a> is a fantastic tool for automating resource creation in clouds like AWS, Azure, GCP, Hetzner, and many others. It&rsquo;s really cool. With <a class="link" href="https://github.com/tfutils/tfenv" target="_blank" rel="noopener" >tfenv</a>, you can easily and conveniently update Terraform locally and choose the desired version. You can <a class="link" href="https://github.com/tfutils/tfenv#terraform-version-file" target="_blank" rel="noopener" >create a file in the project&rsquo;s root</a> to specify the required version, allowing tfenv to automatically use the correct Terraform version for your project.<br> There are several practical recommendations I&rsquo;ve developed from reading the official documentation, which is excellent, as well as the modules and code written by AWS.</p> <h2 id="recommendations">Recommendations <a href="#recommendations">¶</a></h2> <p>Study the <a class="link" href="https://www.terraform-best-practices.com" target="_blank" rel="noopener" >official recommendations</a>. Below are my own notes.</p> <h3 id="1-do-not-duplicate-resource-type-in-the-name">1. Do not duplicate resource type in the name <a href="#1-do-not-duplicate-resource-type-in-the-name">¶</a></h3> <p>Incorrect</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">resource</span> <span class="s2">&#34;aws_vpc&#34;</span> <span class="s2">&#34;production_vpc&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">cidr_block</span> = <span class="s2">&#34;172.16.0.0/16&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="na">tags</span> = <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">Name</span> = <span class="s2">&#34;Production VPC&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Correct</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">resource</span> <span class="s2">&#34;aws_vpc&#34;</span> <span class="s2">&#34;production&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">cidr_block</span> = <span class="s2">&#34;172.16.0.0/16&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="na">tags</span> = <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">Name</span> = <span class="s2">&#34;Production&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>Explanation</strong></p> <ol> <li>In the code, you&rsquo;ll still reference the resource as <code>${aws_vpc.production.id}</code>—it’s already clear that this is a VPC, so there’s no need to waste characters on what’s already written.</li> <li>The same goes for the resource name; you&rsquo;ll always see the VPC in the list on the VPC page in the AWS Console, and there won’t be anything else. Again, why duplicate?</li> </ol> <h3 id="2-use-this-as-a-name-but-only-in-modules">2. Use <code>this</code> as a name, but only in modules <a href="#2-use-this-as-a-name-but-only-in-modules">¶</a></h3> <p>Suppose you have a module that creates a virtual machine and minimal attachments. Within the module, the virtual machine is unique.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">resource</span> <span class="s2">&#34;aws_instance&#34;</span> <span class="s2">&#34;this&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">ami</span> = <span class="nb">data</span><span class="p">.</span><span class="nx">aws_ami</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> </span></span><span class="line"><span class="cl"> <span class="na">instance_type</span> = <span class="nb">var</span><span class="p">.</span><span class="nx">instance_type</span> </span></span><span class="line"><span class="cl"><span class="p">...</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Why come up with names for resources if it&rsquo;s the only one within the module? There’s no need. It’s also important to understand that this is the object name within the Terraform code. It&rsquo;s convenient when any resource type is simply <code>this</code>, but you should only do this within a single module that creates a logical unit. A virtual machine without its Security Group, which opens the ports, doesn’t make sense; thus, logically, it’s one piece.</p> <h3 id="3-create-standard-files-for-modules">3. Create standard files for modules <a href="#3-create-standard-files-for-modules">¶</a></h3> <table> <thead> <tr> <th>File</th> <th>Content</th> </tr> </thead> <tbody> <tr> <td>vars.tf</td> <td>All variables</td> </tr> <tr> <td>outputs.tf</td> <td>Output parameters</td> </tr> <tr> <td>versions.tf</td> <td>Section with <a class="link" href="https://www.terraform.io/language/settings#specifying-provider-requirements" target="_blank" rel="noopener" >provider requirements</a></td> </tr> <tr> <td>main.tf</td> <td>File with the root content</td> </tr> </tbody> </table> <h3 id="4-do-not-declare-providers-in-modules">4. Do not declare providers in modules <a href="#4-do-not-declare-providers-in-modules">¶</a></h3> <p>Specify <a class="link" href="https://www.terraform.io/language/settings#specifying-provider-requirements" target="_blank" rel="noopener" >version constraints</a>, but leave initialization to the discretion of the user of your module.</p> <h3 id="5-tags-variable">5. Tags variable <a href="#5-tags-variable">¶</a></h3> <p>Add a variable that will apply tags to all resources in the module.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">variable</span> <span class="s2">&#34;tags&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">type</span> =<span class="nb"> map</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="na">description</span> = <span class="s2">&#34;Extra tags.&#34;</span> </span></span><span class="line"><span class="cl"> <span class="na">default</span> = <span class="p">{}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">locals</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">default_tags</span> = <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">Custom</span> = <span class="s2">&#34;Some default tags&#34;</span> </span></span><span class="line"><span class="cl"> <span class="na">Terraform</span> = <span class="s2">&#34;Path to module folder in your Git repo - helps to find code in the repo fast&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="na">tags</span> =<span class="nb"> merge</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="nx">local</span><span class="p">.</span><span class="nx">default_tags</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nb">var</span><span class="p">.</span><span class="nx">tags</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="kr"> </span></span></span><span class="line"><span class="cl"><span class="kr">resource</span> <span class="s2">&#34;aws_vpc&#34;</span> <span class="s2">&#34;production&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">cidr_block</span> = <span class="s2">&#34;172.16.0.0/16&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="na">tags</span> =<span class="nb"> merge</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="nx">local</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">Name</span> = <span class="s2">&#34;Production&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>In the <code>local.tags</code> variable, we first collect the final dictionary and then use it where needed within the module.</p> <h3 id="6-resource-naming-with-name_prefix">6. Resource naming with <code>name_prefix</code> <a href="#6-resource-naming-with-name_prefix">¶</a></h3> <p>Always, without exception, use a name prefix for creating resources. By changing just this variable, the code should create exactly the same infrastructure in the same account without any conflicts—this is a good module that can be reused.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">variable</span> <span class="s2">&#34;name_prefix&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">type</span> = <span class="nx">string</span> </span></span><span class="line"><span class="cl"> <span class="na">description</span> = <span class="s2">&#34;Name prefix for all resources (required).&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nx">validation</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">condition</span> = <span class="nb">can</span><span class="p">(</span><span class="nb">regex</span><span class="p">(</span><span class="s2">&#34;^[a-z][a-z0-9-]+[a-z]$&#34;</span><span class="p">,</span> <span class="nb">var</span><span class="p">.</span><span class="nx">name_prefix</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="kr"> </span></span></span><span class="line"><span class="cl"><span class="kr">resource</span> <span class="s2">&#34;tls_private_key&#34;</span> <span class="s2">&#34;this&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">algorithm</span> = <span class="s2">&#34;RSA&#34;</span> </span></span><span class="line"><span class="cl"> <span class="na">rsa_bits</span> = <span class="m">4096</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="kr"> </span></span></span><span class="line"><span class="cl"><span class="kr">resource</span> <span class="s2">&#34;aws_key_pair&#34;</span> <span class="s2">&#34;this&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">key_name</span> = <span class="nb">var</span><span class="p">.</span><span class="nx">name_prefix</span> </span></span><span class="line"><span class="cl"> <span class="na">public_key</span> = <span class="nx">tls_private_key</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">public_key_openssh</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>And there’s no point in adding anything to the name if there&rsquo;s only one resource. Suppose this code is part of the same module for creating a virtual machine; it will be used like this.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">module</span> <span class="s2">&#34;ec2_backend&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">source</span> = <span class="s2">&#34;./ec2&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="na">name_prefix</span> = <span class="s2">&#34;production-backend&#34;</span> </span></span><span class="line"><span class="cl"> <span class="na">instance_type</span> = <span class="s2">&#34;t3a.small&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>This way, it will be clear from the prefix to which virtual machine the EC2 Key Pair belongs in the list. If there were two, then the name in the code would be <code>&quot;${var.name_prefix}-some-suffix&quot;</code>.</p> <h3 id="7-no-hyphens-in-resource-names">7. No hyphens in resource names <a href="#7-no-hyphens-in-resource-names">¶</a></h3> <p>Forget about using hyphens in resource names. It breaks the code analyzer in the IDE, and it causes issues in various situations.</p> <p>Incorrect</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">module</span> <span class="s2">&#34;ec2-backend&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">source</span> = <span class="s2">&#34;./ec2&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="na">name_prefix</span> = <span class="s2">&#34;production-backend&#34;</span> </span></span><span class="line"><span class="cl"> <span class="na">instance_type</span> = <span class="s2">&#34;t3a.small&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="kr"> </span></span></span><span class="line"><span class="cl"><span class="kr">output</span> <span class="s2">&#34;backend-ip&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">value</span> <span class="nb">module</span><span class="p">.</span><span class="nx">ec2</span><span class="o">-</span><span class="nx">backend</span><span class="p">.</span><span class="nx">private</span><span class="o">-</span><span class="nx">ipv4</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Correct</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="kr">module</span> <span class="s2">&#34;ec2_backend&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="na">source</span> = <span class="s2">&#34;./ec2&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="na">name_prefix</span> = <span class="s2">&#34;production-backend&#34;</span> </span></span><span class="line"><span class="cl"> <span class="na">instance_type</span> = <span class="s2">&#34;t3a.small&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="kr"> </span></span></span><span class="line"><span class="cl"><span class="kr">output</span> <span class="s2">&#34;backend_ip&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">value</span> <span class="nb">module</span><span class="p">.</span><span class="nx">ec2_backend</span><span class="p">.</span><span class="nx">private_ipv4</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>I would like to emphasize that for the name of the resource in the cloud, I recommend using hyphens as much as possible—it looks nicer—but in Terraform, never.</p>https://vlasov.pro/en/p/figlet/Fri, 07 Jan 2022 00:00:00 +0000https://vlasov.pro/en/p/figlet/<img src="https://vlasov.pro/ru/p/figlet/bomberman.webp" alt="Featured image of post Figlet ASCII Graphics" /><blockquote> <p><a class="link" href="https://www.asciiart.eu/video-games/atomic-bomberman" target="_blank" rel="noopener" ><em>Bomberman from here.</em></a></p> </blockquote> <h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"># ┬ ┬┬─┐┬ ┬ ┌─┐ # ┳━┓┳━┓┏┓┓┳━┓┳━┓┳━┓┓━┓┳━┓┓━┓ </span></span><span class="line"><span class="cl"># │─┤├─ │ │ │ │ # ┃ ┃┃━┫ ┃ ┃━┫┃━┃┃━┫┗━┓┣━ ┗━┓ </span></span><span class="line"><span class="cl"># ┘ ┴┴─┘┘─┘┘─┘┘─┘ # ┇━┛┛ ┇ ┇ ┛ ┇┇━┛┛ ┇━━┛┻━┛━━┛ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"># ┳━┓┓ ┳┓━┓ ┳━┓┏━┓┏━┓ # ┌┐┐┬─┐┌┐┐┐ ┬┌─┐┬─┐┬┌ </span></span><span class="line"><span class="cl"># ┃━┫┃┃┃┗━┓ ┣━ ┃ ┏━┛ # │││├─ │ ││││ ││┬┘├┴┐ </span></span><span class="line"><span class="cl"># ┛ ┇┗┻┇━━┛ ┻━┛┗━┛┗━━ # ┘└┘┴─┘ ┘ └┴┘┘─┘┘└┘┘ ┘ </span></span></code></pre></td></tr></table> </div> </div><p>I insert such captions in the source codes to visually separate chunks. In Terraform, for example.</p> <h2 id="installation">Installation <a href="#installation">¶</a></h2> <p>Install <a class="link" href="https://www.google.com/search?q=figlet%20install" target="_blank" rel="noopener" >figlet</a> in any way suitable for your distribution.<br> Download additional fonts.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">curl -Lo- <span class="s1">&#39;https://github.com/vlasov-y/figlet-fonts/archive/refs/tags/v1.1.tar.gz&#39;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>sudo tar -C <span class="s2">&#34;</span><span class="k">$(</span>figlet -I2<span class="k">)</span><span class="s2">&#34;</span> --strip-components <span class="m">1</span> -xpzvf - </span></span></code></pre></td></tr></table> </div> </div><h2 id="viewing-all-fonts">Viewing All Fonts <a href="#viewing-all-fonts">¶</a></h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">find <span class="s2">&#34;</span><span class="k">$(</span>figlet -I2<span class="k">)</span><span class="s2">&#34;</span> -type f -name <span class="s1">&#39;*.*f&#39;</span> <span class="p">|</span> <span class="k">while</span> <span class="nb">read</span> -r i<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;&gt; </span><span class="nv">$i</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> figlet -f <span class="s2">&#34;</span><span class="nv">$i</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="k">$(</span>basename <span class="s2">&#34;</span><span class="nv">$i</span><span class="s2">&#34;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> <span class="p">|</span> less </span></span></code></pre></td></tr></table> </div> </div><h2 id="function-for-bashrc">Function for .bashrc <a href="#function-for-bashrc">¶</a></h2> <p>Be careful here. In the overwhelming majority of fonts, there are characters that won&rsquo;t display at all or will be shown incorrectly (as rectangles) for your colleagues who pulled the same code from Git. Through trial and error, I found a universal and beautiful font for myself - <em>Rusto</em>. There’s also <em>RustoFat</em>, which I actually like more, but it has its problems. &#x1f622;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># ┬─┐┬ ┐┐─┐┌┐┐┌─┐</span> </span></span><span class="line"><span class="cl"><span class="c1"># │┬┘│ │└─┐ │ │ │</span> </span></span><span class="line"><span class="cl"><span class="c1"># ┘└┘┘─┘──┘ ┘ ┘─┘</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ┳━┓┳ ┓┓━┓┏┓┓┏━┓┳━┓┳━┓┏┓┓</span> </span></span><span class="line"><span class="cl"><span class="c1"># ┃┳┛┃ ┃┗━┓ ┃ ┃ ┃┣━ ┃━┫ ┃ </span> </span></span><span class="line"><span class="cl"><span class="c1"># ┇┗┛┇━┛━━┛ ┇ ┛━┛┇ ┛ ┇ ┇ </span> </span></span></code></pre></td></tr></table> </div> </div><p>The captions above were generated using my function, so your Rusto will differ slightly. Add this function to your <code>.bashrc</code> or <code>.zshrc</code>, and you can use it. Also, you&rsquo;ll need to install <code>xsel</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">rusto <span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> figlet -f rusto <span class="s2">&#34;</span><span class="nv">$*</span><span class="s2">&#34;</span> <span class="p">|</span> sed <span class="s2">&#34;s@^@</span><span class="si">${</span><span class="nv">P</span><span class="k">:-</span><span class="p"># </span><span class="si">}</span><span class="s2">@g; s@┆@┘@g&#34;</span> <span class="p">|</span> tee /tmp/tt <span class="p">|</span> xsel -i -b </span></span><span class="line"><span class="cl"> cat /tmp/tt </span></span><span class="line"><span class="cl"> rm -f /tmp/tt </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">rustofat <span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> figlet -f rustofat <span class="s2">&#34;</span><span class="nv">$*</span><span class="s2">&#34;</span> <span class="p">|</span> sed <span class="s2">&#34;s@^@</span><span class="si">${</span><span class="nv">P</span><span class="k">:-</span><span class="p"># </span><span class="si">}</span><span class="s2">@g&#34;</span> <span class="p">|</span> tee /tmp/tt <span class="p">|</span> xsel -i -b </span></span><span class="line"><span class="cl"> cat /tmp/tt </span></span><span class="line"><span class="cl"> rm -f /tmp/tt </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>What happens here? When you execute the command in the console <code>rusto</code> or <code>rustofat</code>, the text passed as arguments to the commands will be transformed, displayed on the screen, and immediately copied to the clipboard. Also, the symbol <code>┆</code> is replaced with <code>┘</code> to make <em>Rusto</em> completely problem-free. Additionally, <code># </code> is prepended to the start of each line, allowing you to paste it directly into the source code. You can replace the hash by setting the variable <code>P</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">❯ rusto hello world </span></span><span class="line"><span class="cl"><span class="c1"># ┬ ┬┬─┐┬ ┬ ┌─┐ ┐ ┬┌─┐┬─┐┬ ┬─┐</span> </span></span><span class="line"><span class="cl"><span class="c1"># │─┤├─ │ │ │ │ ││││ ││┬┘│ │ │</span> </span></span><span class="line"><span class="cl"><span class="c1"># ┘ ┴┴─┘┘─┘┘─┘┘─┘ └┴┘┘─┘┘└┘┘─┘┘─┘</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">❯ <span class="nv">P</span><span class="o">=</span><span class="s1">&#39;// &#39;</span> rustofat changed comment char </span></span><span class="line"><span class="cl">// ┏━┓┳ ┳┳━┓┏┓┓┏━┓┳━┓┳━┓ ┏━┓┏━┓┏┏┓┏┏┓┳━┓┏┓┓┏┓┓ ┏━┓┳ ┳┳━┓┳━┓ </span></span><span class="line"><span class="cl">// ┃ ┃━┫┃━┫┃┃┃┃ ┳┣━ ┃ ┃ ┃ ┃ ┃┃┃┃┃┃┃┣━ ┃┃┃ ┃ ┃ ┃━┫┃━┫┃┳┛ </span></span><span class="line"><span class="cl">// ┗━┛┇ ┻┛ ┇┇┗┛┇━┛┻━┛┇━┛ ┗━┛┛━┛┛ ┇┛ ┇┻━┛┇┗┛ ┇ ┗━┛┇ ┻┛ ┇┇┗┛ </span></span></code></pre></td></tr></table> </div> </div><h2 id="bonus">Bonus <a href="#bonus">¶</a></h2> <p>I generate the daily report form like this.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">LC_ALL</span><span class="o">=</span>C.POSIX date <span class="s1">&#39;+%d %B&#39;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>figlet <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>xargs -0 <span class="nb">printf</span> <span class="s1">&#39;```\n%s```\nNo blocks\nNo questions\nDone\\Doing:\n&#39;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>xsel -ib </span></span></code></pre></td></tr></table> </div> </div><p>It produces something like this.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="l">```</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="l">___ __ _ </span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="l">/ _ \ / /_ | | __ _ _ __ _ _ __ _ _ __ _ _ </span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="l">| | | | &#39;_ \ _ | |/ _` | &#39;_ \| | | |/ _` | &#39;__| | | |</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="l">| |_| | (_) | | |_| | (_| | | | | |_| | (_| | | | |_| |</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="l">\___/ \___/ \___/ \__,_|_| |_|\__,_|\__,_|_| \__, |</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="l">|___/ </span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="l">```</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="kc">No</span><span class="w"> </span><span class="l">blocks</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="kc">No</span><span class="w"> </span><span class="l">questions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">Done\Doing</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span>- <span class="l">Drinking tea</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span>- <span class="l">Sleeping</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span>- <span class="l">Writing evening report</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span>- <span class="l">Emulating work</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Then I add what I did and send it to Slack.</p>https://vlasov.pro/en/p/manjaro-update/Thu, 06 Jan 2022 00:00:00 +0000https://vlasov.pro/en/p/manjaro-update/<img src="https://vlasov.pro/ru/p/manjaro-update/manjaro.webp" alt="Featured image of post Safe Update of Manjaro" /><h2 id="history">History <a href="#history">¶</a></h2> <p>It somehow happened that I updated my system fully, and both of my machines - the work machine and the personal server - broke. The Python 3.10 library crashed with a segfault, which caused the Kodi media server to malfunction. The Python Pip package also failed. It was quite frustrating in general. Fortunately, I had a backup. I really love <a class="link" href="https://manjaro.org" target="_blank" rel="noopener" >Manjaro</a> - it&rsquo;s the best operating system for professional use, and I never had any problems with updating except maybe New Year&rsquo;s Eve &#x1f604; This is my second time, and both times were on New Year&rsquo;s Eve. <strong>December 31, 2020</strong>, I made a full update of the system, but when I woke up to the new year, I found that X11 would not start because the drivers for Nvidia had expired. And then I thought: &ldquo;Well, I fixed it in 5 minutes, how about others? Are they DevOps or ordinary users?&rdquo; It seems like there was a transfer of drivers to the distribution&rsquo;s repository, a simple renaming, but that was enough. And again New Year&rsquo;s Eve! I install an update and Python3 crashes at the level of .so libraries &#x1f604; The system works overall, but it needs something in many places and some software can fail. Right away the <a class="link" href="https://github.com/ranger/ranger" target="_blank" rel="noopener" >ranger</a> stopped working, so I had to reinstall it again. This is what happened, and here&rsquo;s the script below.</p> <h2 id="script">Script <a href="#script">¶</a></h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="cp">#!/usr/bin/env sh </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="c1">## Making root BTRFS subvolume snapshot before making full Manjaro update</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">set</span> -e </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">PARTITION</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>mount <span class="p">|</span> awk <span class="s1">&#39;$3~/^\/$/{print $1}&#39;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">SUBVOL</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>mount <span class="p">|</span> awk <span class="s1">&#39;$3~/^\/$/{print $6}&#39;</span> <span class="p">|</span> grep -oE <span class="s1">&#39;subvol=[^,)]+&#39;</span> <span class="p">|</span> cut -d<span class="o">=</span> -f2- <span class="p">|</span> sed -r <span class="s1">&#39;s/^\///g&#39;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">MOUNTPOINT</span><span class="o">=</span><span class="s2">&#34;/mnt&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">BACKUP</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>date +%Y-%m-%d <span class="p">|</span> xargs <span class="nb">printf</span> <span class="s2">&#34;backup/%s-%s&#34;</span> <span class="s2">&#34;</span><span class="nv">$SUBVOL</span><span class="s2">&#34;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">main<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> backup </span></span><span class="line"><span class="cl"> update </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">backup<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;Mounting </span><span class="nv">$PARTITION</span><span class="s2"> to </span><span class="nv">$MOUNTPOINT</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> mount <span class="s2">&#34;</span><span class="nv">$PARTITION</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$MOUNTPOINT</span><span class="s2">&#34;</span> -o <span class="nv">subvol</span><span class="o">=</span>/ </span></span><span class="line"><span class="cl"> <span class="nb">cd</span> <span class="s2">&#34;</span><span class="nv">$MOUNTPOINT</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> dirname <span class="s2">&#34;</span><span class="nv">$BACKUP</span><span class="s2">&#34;</span> <span class="p">|</span> xargs mkdir -p </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[</span> ! -d <span class="s2">&#34;</span><span class="nv">$BACKUP</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;Backing up </span><span class="nv">$SUBVOL</span><span class="s2"> to </span><span class="nv">$BACKUP</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> btrfs sub snap -r <span class="s2">&#34;</span><span class="nv">$SUBVOL</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$BACKUP</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$BACKUP</span><span class="s2"> exists already&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="nb">cd</span> / </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;Unmounting </span><span class="nv">$MOUNTPOINT</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> umount <span class="s2">&#34;</span><span class="nv">$MOUNTPOINT</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">update<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;Running update&#34;</span> </span></span><span class="line"><span class="cl"> yay -Syu </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">main <span class="s2">&#34;</span><span class="nv">$@</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="example-usage">Example Usage <a href="#example-usage">¶</a></h2> <script id="asciicast-460238" src="https://asciinema.org/a/460238.js" async></script> <p>And here&rsquo;s what happens if the backup is made today already.</p> <script id="asciicast-460241" src="https://asciinema.org/a/460241.js" async></script>https://vlasov.pro/en/p/pulseaudio-tcp/Wed, 17 Nov 2021 00:00:00 +0000https://vlasov.pro/en/p/pulseaudio-tcp/<img src="https://vlasov.pro/ru/p/pulseaudio-tcp/pulseaudio.webp" alt="Featured image of post PulseAudio over TCP" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p><a class="link" href="https://www.freedesktop.org/wiki/Software/PulseAudio/" target="_blank" rel="noopener" >PulseAudio</a> is a sound server, in my understanding. It runs on any Linux PC. Microphones, speakers, virtual devices - everything goes through PulseAudio and is controlled by it.</p> <h2 id="task">Task <a href="#task">¶</a></h2> <p>There’s a small server connected to a wall-mounted TV. I’m working on a PC with <a class="link" href="https://manjaro.org" target="_blank" rel="noopener" >Manjaro</a> and, to be honest, the headphones aren&rsquo;t great. They’ll do for work, but I want to listen to music through the TV.</p> <h2 id="sources">Sources <a href="#sources">¶</a></h2> <ol> <li><a class="link" href="https://wiki.archlinux.org/title/PulseAudio/Examples#Selecting_the_server_with_Zeroconf" target="_blank" rel="noopener" >Arch Wiki PulseAudio Examples</a></li> <li><a class="link" href="https://medium.com/@joao.paulo.silvasouza/how-to-configure-pulseaudio-for-multiple-devices-at-the-same-time-in-ubuntu-4943ef0c16db" target="_blank" rel="noopener" >Joao Paulo Silva de Souza&rsquo;s article on Medium</a></li> <li><a class="link" href="https://unix.stackexchange.com/a/443064" target="_blank" rel="noopener" >A good answer on Unix Overflow</a></li> <li><a class="link" href="https://unix.stackexchange.com/questions/443013/pulseaudio-simultanious-add-two-devices" target="_blank" rel="noopener" >And another one</a></li> </ol> <h2 id="solution">Solution <a href="#solution">¶</a></h2> <p>The traffic will be sent over TCP from the PC to the server (for simplicity, I’ll just refer to it as TV in the text, but it&rsquo;s actually a server on Manjaro).</p> <p>On both devices, we install the Zeroconf module so that the computers can find each other without issues.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">yay -S pulseaudio-zeroconf </span></span></code></pre></td></tr></table> </div> </div><p>Now, let&rsquo;s take the cookie file from one and copy it to the other so they are the same. I found it in my home directory on the PC.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">scp ~/.config/pulse/cookie server:/etc/pulse/cookie </span></span><span class="line"><span class="cl">sudo cp -f ~/.config/pulse/cookie /etc/pulse/cookie </span></span></code></pre></td></tr></table> </div> </div><p>Now we configure:</p> <ol> <li>The TV will be the PulseAudio <strong>server</strong>, as it <strong>receives</strong> the audio stream.</li> <li>The PC will be the PulseAudio <strong>client</strong>, as it <strong>sends</strong> the stream.</li> </ol> <p>On the TV, we run it as a regular user because there’s no need to start <code>pulseaudio --kill/--start</code> as root.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">SUBNET</span><span class="o">=</span><span class="s1">&#39;192.168.0.0/24&#39;</span> </span></span><span class="line"><span class="cl">sudo mkdir -p /etc/pulse/default.pa.d/ </span></span><span class="line"><span class="cl">cat <span class="s">&lt;&lt;EOF | sudo tee /etc/pulse/default.pa.d/zeroconf.pa </span></span></span><span class="line"><span class="cl"><span class="s">load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;${SUBNET} </span></span></span><span class="line"><span class="cl"><span class="s">load-module module-zeroconf-publish </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span><span class="line"><span class="cl">sudo systemctl <span class="nb">enable</span> --now avahi-daemon.service </span></span><span class="line"><span class="cl">pulseaudio --kill </span></span><span class="line"><span class="cl">pulseaudio --start </span></span></code></pre></td></tr></table> </div> </div><p>On the PC, it&rsquo;s almost the same.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">SUBNET</span><span class="o">=</span><span class="s1">&#39;192.168.0.0/24&#39;</span> </span></span><span class="line"><span class="cl">sudo mkdir -p /etc/pulse/default.pa.d/ </span></span><span class="line"><span class="cl">cat <span class="s">&lt;&lt;EOF | sudo tee /etc/pulse/default.pa.d/zeroconf.pa </span></span></span><span class="line"><span class="cl"><span class="s">load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;${SUBNET} </span></span></span><span class="line"><span class="cl"><span class="s">load-module module-zeroconf-discover </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span><span class="line"><span class="cl">sudo systemctl <span class="nb">enable</span> --now avahi-daemon.service </span></span><span class="line"><span class="cl">pulseaudio --kill </span></span><span class="line"><span class="cl">pulseaudio --start </span></span></code></pre></td></tr></table> </div> </div><p>That&rsquo;s it. Now in pavucontrol, you can direct some application through the tunnel to the PC!</p> <p><img src="https://vlasov.pro/ru/p/pulseaudio-tcp/pavucontrol.png" width="814" height="502" srcset="https://vlasov.pro/ru/p/pulseaudio-tcp/pavucontrol_hu15804026729683766190.png 480w, https://vlasov.pro/ru/p/pulseaudio-tcp/pavucontrol_hu1219485386400571975.png 1024w" loading="lazy" alt="Pavucontrol where Chrome streams directly to the TV via the server&rsquo;s HDMI" class="gallery-image" data-flex-grow="162" data-flex-basis="389px" ></p> <h2 id="bonus-that-doesnt-work">Bonus that doesn’t work <a href="#bonus-that-doesnt-work">¶</a></h2> <p>What would be nice next? Right, something that won&rsquo;t be useful but is interesting. I want both the PC and the TV to play the same stream.</p> <p>On the PC, let’s check what outputs we have and get their names.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># pacmd list-sinks | grep name:</span> </span></span><span class="line"><span class="cl">name: &lt;alsa_output.pci-0000_00_1b.0.analog-stereo&gt; </span></span><span class="line"><span class="cl">name: &lt;tunnel.aurelius.local.auto_null&gt; </span></span><span class="line"><span class="cl">name: &lt;tunnel.aurelius.local.auto_null.2&gt; </span></span><span class="line"><span class="cl">name: &lt;tunnel.aurelius.local.alsa_output.pci-0000_00_0e.0.hdmi-stereo&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Here we can see that the first one seems to be the headphones, while the others have come through the network. The 2nd and 3rd are likely the rear and front outputs on the case, while the last one is definitely the HDMI from the computer - which is what we need. So we need to combine the 1st and 4th.</p> <p>Still on the PC:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nv">SLAVE_1</span><span class="o">=</span><span class="s1">&#39;alsa_output.pci-0000_00_1b.0.analog-stereo&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">SLAVE_2</span><span class="o">=</span><span class="s1">&#39;tunnel.aurelius.local.alsa_output.pci-0000_00_0e.0.hdmi-stereo&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">DEFAULT_SLAVE</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$SLAVE_1</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">cat <span class="s">&lt;&lt;EOF | sudo tee -a /etc/pulse/default.pa.d/zeroconf.pa </span></span></span><span class="line"><span class="cl"><span class="s">load-module module-combine-sink sink_name=combined sink_properties=&#34;device.description=&#39;Combined TV and PC&#39; slaves=${SLAVE_1},${SLAVE_2}&#34; </span></span></span><span class="line"><span class="cl"><span class="s">set-default-sink ${DEFAULT_SLAVE} </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span><span class="line"><span class="cl">pulseaudio --kill </span></span><span class="line"><span class="cl">pulseaudio --start </span></span></code></pre></td></tr></table> </div> </div><p>That&rsquo;s it &#x1f604; &hellip; Except it doesn&rsquo;t work. I don’t know why. The device has been added, it can be selected, and there are no errors in the logs, but the sound only goes to the headphones and not to the TV. At the same time, when I simply select the TV, it works. So it seems this module cannot combine tunnel and simple devices. I decided to write this anyway; maybe it will be useful to someone.</p>https://vlasov.pro/en/p/wireguard-ansible/Tue, 16 Nov 2021 00:00:00 +0000https://vlasov.pro/en/p/wireguard-ansible/<img src="https://vlasov.pro/ru/p/wireguard-ansible/wireguard.webp" alt="Featured image of post Wireguard Ansible" /><p><a class="link" href="https://github.com/vlasov-y/wireguard-ansible" target="_blank" rel="noopener" ><strong>GitHub</strong></a></p> <h2 id="update-from-november-25-2022">Update from November 25, 2022 <a href="#update-from-november-25-2022">¶</a></h2> <p>I switched to classic wg-quick from this Ansible setup. The solution turned out to be technically much simpler, and it meets my functional needs.</p> <h2 id="update-from-march-21-2022">Update from March 21, 2022 <a href="#update-from-march-21-2022">¶</a></h2> <p>I removed automatic key generation due to excessive implementation complexity and the inability to configure servers individually; it could only be done collectively. Now it’s different. Configuration changes are incompatible with the old version; please check the examples in the repository, as I have added documentation there.</p> <h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p><a class="link" href="https://www.wireguard.com" target="_blank" rel="noopener" >Wireguard</a> is an amazing, simple VPN that is <a class="link" href="https://www.wireguard.com" target="_blank" rel="noopener" >already included in the kernel</a>. It’s a very powerful and straightforward tool. It installs much more easily than <a class="link" href="https://openvpn.net" target="_blank" rel="noopener" >OpenVPN</a>.</p> <h2 id="problem-statement">Problem Statement <a href="#problem-statement">¶</a></h2> <ul> <li>I live in Ukraine, and unfortunately, some internet resources are blocked, and access is sometimes necessary.</li> <li>I want to be able to remotely connect from my phone or someone else&rsquo;s computer to my home server.</li> <li>I want traffic to be proxied on the PC only for domains on the list, not everything.</li> </ul> <p>With these requests, I started working. For myself, all for myself. No one else needs it for now, although I posted it on <a class="link" href="https://github.com/vlasov-y/wireguard-ansible" target="_blank" rel="noopener" >GitHub</a>. Posted is a strong word. No documentation, nothing! Yes! Just lazy to write&hellip; Oh well.</p> <h2 id="solution-overview">Solution Overview <a href="#solution-overview">¶</a></h2> <p>I used Ansible, which can configure the network immediately. What it can do:</p> <ol> <li>Use a constant preshared key for all connections.</li> <li>Ability to specify your AllowedIPs.</li> <li>Ability to add peers with statically defined keys (since Ansible can&rsquo;t be run on the phone).</li> <li>Automatic selection of free rt_table IDs and fwmarks.</li> <li>Ability to set up more than one network on the same machines with a single run!</li> </ol> <p>What it can&rsquo;t do:</p> <ol> <li>Separate runs on one or a subgroup of hosts. Only all at once.</li> </ol> <h2 id="understanding-ansible-variables">Understanding Ansible Variables <a href="#understanding-ansible-variables">¶</a></h2> <blockquote> <p>all.yml</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># CIDR networks</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_networks</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">home</span><span class="p">:</span><span class="w"> </span><span class="m">192.168.99.0</span><span class="l">/24</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vpn</span><span class="p">:</span><span class="w"> </span><span class="m">10.0.0.0</span><span class="l">/24</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># marks for routing - each network has its own</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_fwmarks</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">home</span><span class="p">:</span><span class="w"> </span><span class="m">1000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vpn</span><span class="p">:</span><span class="w"> </span><span class="m">2000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># preshared key for the network</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_preshared_keys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">home</span><span class="p">:</span><span class="w"> </span><span class="l">longalphanum</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vpn</span><span class="p">:</span><span class="w"> </span><span class="l">longalphanum</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># keys for each server in each network where it exists</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_keys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">home</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">public_host</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">public</span><span class="p">:</span><span class="w"> </span><span class="l">longalphanum</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">private</span><span class="p">:</span><span class="w"> </span><span class="l">longalphanum</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">home_server</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">public</span><span class="p">:</span><span class="w"> </span><span class="l">longalphanum</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">private</span><span class="p">:</span><span class="w"> </span><span class="l">longalphanum</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">laptop</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">public</span><span class="p">:</span><span class="w"> </span><span class="l">longalphanum</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">private</span><span class="p">:</span><span class="w"> </span><span class="l">longalphanum</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vpn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">public_host</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">public</span><span class="p">:</span><span class="w"> </span><span class="l">longalphanum</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">private</span><span class="p">:</span><span class="w"> </span><span class="l">longalphanum</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">laptop</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">public</span><span class="p">:</span><span class="w"> </span><span class="l">longalphanum</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">private</span><span class="p">:</span><span class="w"> </span><span class="l">longalphanum</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">smartphone</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># only public key for the phone, as the private is not needed here</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">public</span><span class="p">:</span><span class="w"> </span><span class="l">longalphanum</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_addresses</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># addresses for each server in each network</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">home</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">public_host</span><span class="p">:</span><span class="w"> </span><span class="m">192.168.99.1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">laptop</span><span class="p">:</span><span class="w"> </span><span class="m">192.168.99.2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">home_server</span><span class="p">:</span><span class="w"> </span><span class="m">192.168.99.3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vpn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">public_host</span><span class="p">:</span><span class="w"> </span><span class="m">10.0.0.1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">laptop</span><span class="p">:</span><span class="w"> </span><span class="m">10.0.0.2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">smartphone</span><span class="p">:</span><span class="w"> </span><span class="m">10.0.0.3</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>We have a server with a public IP, and it will serve as the connection point for everyone. The topology is a star.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># these are variables for a specific host - the server</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">yes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># wireguard-tools have already been installed, so we turn this off</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_install_tools</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># list of peers</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_peers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># for the home network</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">home</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># the first peer is our laptop, where we run Ansible</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">laptop</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># the second has inventory_hostname home_server</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">home_server</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># and keep the network so that it can always be reached,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># because the server is behind NAT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">keepalive_seconds</span><span class="p">:</span><span class="w"> </span><span class="m">25</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># the second network will only be used from the phone and PC</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vpn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">laptop</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># and here is the phone</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">smartphone</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># now we&#39;ll choose the ports it should listen on</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># for the others, it doesn&#39;t matter, but</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># for the server, it&#39;s better to specify everything statically</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># so nothing is regenerated if anything happens</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># and all clients don&#39;t need to be reconfigured</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># with new server credentials</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">home</span><span class="p">:</span><span class="w"> </span><span class="m">2000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vpn</span><span class="p">:</span><span class="w"> </span><span class="m">3000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># enable masquerading so that the server can</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># release peer traffic to the Internet as a gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_masquarade</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vpn</span><span class="p">:</span><span class="w"> </span><span class="l">auto</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Now, let’s specify variables for the laptop we are working on.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># and again explicitly enable the role</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">yes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_peers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vpn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># in the VPN network peers, only our public server</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l">public_host</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># we have a domain pointing to the server so we don’t need to remember the address</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">endpoint</span><span class="p">:</span><span class="w"> </span><span class="l">vpn.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># routing all traffic through the VPN, and it&#39;s important to understand</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># that we are not sending all system traffic through Wireguard</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># we are telling Wireguard on the host to allow</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># everything that specifically comes to you on the output and does not match</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># in other networks by more narrow rules</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allowed_ips</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">0.0.0.0</span><span class="l">/0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">::</span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">keepalive_seconds</span><span class="p">:</span><span class="w"> </span><span class="m">25</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">home</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># the contact point for the home network is the same</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l">public_host</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">endpoint</span><span class="p">:</span><span class="w"> </span><span class="l">vpn.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">keepalive_seconds</span><span class="p">:</span><span class="w"> </span><span class="m">25</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allowed_ips</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># and in the paths, we specify only the subnet of the home network</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{ wireguard_networks.home }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># and enable proxying specific domains through the VPN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_proxy_domains</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vpn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">list</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">site.we.want.access</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">another.one</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>And the home server just needs to be accessible. It doesn’t need to be in the VPN.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># here I hope everything is already clear</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">yes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">wireguard_peers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">home</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l">public_host</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">endpoint</span><span class="p">:</span><span class="w"> </span><span class="l">vpn.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allowed_ips</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{ wireguard_networks.home }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">keepalive_seconds</span><span class="p">:</span><span class="w"> </span><span class="m">25</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="conclusion">Conclusion <a href="#conclusion">¶</a></h2> <p>From any peer, there is access to any within the network. Traffic finds its way through the public server. Everything works. I measured with iperf; out of 80 Mbps, Wireguard delivers ~60 - to me, that’s an excellent result!</p>https://vlasov.pro/en/p/age/Sun, 12 Sep 2021 00:00:00 +0000https://vlasov.pro/en/p/age/<img src="https://vlasov.pro/ru/p/age/age.webp" alt="Featured image of post Age Encryption" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p><a class="link" href="https://age-encryption.org" target="_blank" rel="noopener" >Age</a> – a new utility, written in Go, that supposedly performs excellent asymmetric encryption and more. Indeed, it looks simple and somewhat reminds me of <a class="link" href="https://www.wireguard.com" target="_blank" rel="noopener" >Wireguard</a> (utility wg). It encrypts the input stream to the output stream. Simple and understandable. Among its distinguishing features is the ability to encrypt for a group of recipients, so each can decrypt. Today&rsquo;s task was to create backups btrfs disk partitions with home photos/video somewhere in the cloud, e.g., <a class="link" href="https://www.backblaze.com" target="_blank" rel="noopener" >Backblaze</a>, to save money. This is just not good enough (no trust in clouds). Data needs to be encrypted.</p> <p>A 300 GiB partition and loading it in one piece, then storing it as a whole is very uninteresting. <a class="link" href="https://man7.org/linux/man-pages/man1/split.1.html" target="_blank" rel="noopener" >Split</a> will help divide the file into chunks.</p> <h2 id="generating-key">Generating Key <a href="#generating-key">¶</a></h2> <p>It&rsquo;s claimed that you can use a simple SSH public key instead of Age keys. Let&rsquo;s try both ways.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ssh-keygen -t ed25519 -o -a <span class="m">150</span> -qN <span class="s1">&#39;&#39;</span> -f id_ed25519 </span></span><span class="line"><span class="cl">age-keygen -o age.key </span></span><span class="line"><span class="cl">age-keygen -y age.key &gt; recipients.txt </span></span><span class="line"><span class="cl">cat id_ed25519.pub &gt;&gt; recipients.txt </span></span></code></pre></td></tr></table> </div> </div><p>We get such keys.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-plain" data-lang="plain"><span class="line"><span class="cl">age1qrcn5glms66thfv9cj5pzdwl3z87t9evzaqlxdj9ksravmw3mypswawuag </span></span><span class="line"><span class="cl">ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIObk2OuhYlrr3ezvf5gAWXgUdcLn4XQFa8B8GCRpBr9q user@host </span></span></code></pre></td></tr></table> </div> </div><h2 id="encryption">Encryption <a href="#encryption">¶</a></h2> <p>For simplicity, let&rsquo;s generate 10 MiB of random data and immediately compare the hash sums.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">dd <span class="k">if</span><span class="o">=</span>/dev/urandom <span class="nv">of</span><span class="o">=</span>data <span class="nv">bs</span><span class="o">=</span>1M <span class="nv">count</span><span class="o">=</span><span class="m">10</span> </span></span><span class="line"><span class="cl">cp data data.orig </span></span></code></pre></td></tr></table> </div> </div><p>Now we can encrypt. Using both archiving and splitting.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">tar -cz data <span class="p">|</span> age -R recipients.txt <span class="p">|</span> split -b 1MiB -d - chunk- </span></span></code></pre></td></tr></table> </div> </div><p>We get 10 files from chunk-00 to chunk-10.</p> <h2 id="decryption">Decryption <a href="#decryption">¶</a></h2> <p>Decrypting using SSH key.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">cat chunk-* <span class="p">|</span> age -d -i id_ed25519 <span class="p">|</span> tar xz </span></span><span class="line"><span class="cl">mv data data.ssh </span></span></code></pre></td></tr></table> </div> </div><p>Decrypting using Age key.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">cat chunk-* <span class="p">|</span> age -d -i age.key <span class="p">|</span> tar xz </span></span><span class="line"><span class="cl">mv data data.age </span></span></code></pre></td></tr></table> </div> </div><h2 id="verification">Verification <a href="#verification">¶</a></h2> <p>Checking the hash sums.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># sha256sum data*</span> </span></span><span class="line"><span class="cl">5ebc271a22cfb9af0430253c2d8f3b83d1c3f5fdd062dd0ecc6c1f2d7925b828 data.age </span></span><span class="line"><span class="cl">5ebc271a22cfb9af0430253c2d8f3b83d1c3f5fdd062dd0ecc6c1f2d7925b828 data.orig </span></span><span class="line"><span class="cl">5ebc271a22cfb9af0430253c2d8f3b83d1c3f5fdd062dd0ecc6c1f2d7925b828 data.ssh </span></span></code></pre></td></tr></table> </div> </div><p>It works. As always, later we&rsquo;ll find vulnerabilities, but you can use it.</p>https://vlasov.pro/en/p/python3-pip-air-gap/Sun, 29 Aug 2021 00:00:00 +0000https://vlasov.pro/en/p/python3-pip-air-gap/<img src="https://vlasov.pro/ru/p/python3-pip-air-gap/python.webp" alt="Featured image of post Installing Python Packages Offline" /><p>Suppose we want to install <a class="link" href="https://www.ansible.com" target="_blank" rel="noopener" >Ansible</a> offline.</p> <h2 id="creating-a-virtualenv">Creating a Virtualenv <a href="#creating-a-virtualenv">¶</a></h2> <p>We will create a virtual environment to download all dependencies without accidentally including unnecessary ones. First, let’s install <code>virtualenv</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">python3 -m pip install --upgrade --user virtualenv </span></span><span class="line"><span class="cl">python3 -m virtualenv venv </span></span></code></pre></td></tr></table> </div> </div><p>Now we can activate it.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">. ./venv/bin/activate </span></span></code></pre></td></tr></table> </div> </div><p>Now, for the duration of the terminal session, we are in an isolated Python virtual environment.</p> <h2 id="preparing-required-packages">Preparing Required Packages <a href="#preparing-required-packages">¶</a></h2> <p>By installing only what is needed in a clean environment, we will also pull in all dependencies. Additionally, <strong>make sure to include <code>setuptools</code> and <code>pip</code></strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">python3 -m pip install --upgrade pip setuptools ansible </span></span></code></pre></td></tr></table> </div> </div><p>Now we can create a list of what we have.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">python3 -m pip freeze &gt; requirements.txt </span></span></code></pre></td></tr></table> </div> </div><blockquote> <p>You can simply add <code>pip</code> and <code>setuptools</code> to <code>requirements.txt</code> without specifying versions (if they aren&rsquo;t already in the list).</p> </blockquote> <p>Example <code>requirements.txt</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-plaintext" data-lang="plaintext"><span class="line"><span class="cl">ansible==3.4.0 </span></span><span class="line"><span class="cl">ansible-base==2.10.11 </span></span><span class="line"><span class="cl">cryptography==2.8 </span></span><span class="line"><span class="cl">jinja2==2.11.3 </span></span><span class="line"><span class="cl">netaddr==0.7.19 </span></span><span class="line"><span class="cl">pbr==5.4.4 </span></span><span class="line"><span class="cl">jmespath==0.9.5 </span></span><span class="line"><span class="cl">ruamel.yaml==0.16.10 </span></span><span class="line"><span class="cl">ruamel.yaml.clib==0.2.2 </span></span><span class="line"><span class="cl">MarkupSafe==1.1.1 </span></span><span class="line"><span class="cl">pip </span></span><span class="line"><span class="cl">setuptools </span></span></code></pre></td></tr></table> </div> </div><p>Having the list of packages with dependencies, we can download them <strong>even without <code>venv</code></strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">python3 -m pip download --dest my-pip-packages -r requirements.txt </span></span></code></pre></td></tr></table> </div> </div><p>For convenience, let’s pack everything into an archive.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">tar -cpvzf pips.tgz my-pip-packages requirements.txt </span></span></code></pre></td></tr></table> </div> </div><h2 id="installing-in-an-offline-environment">Installing in an Offline Environment <a href="#installing-in-an-offline-environment">¶</a></h2> <blockquote> <p>Python should already be installed in advance.</p> </blockquote> <p>Unpack your archive and install everything you brought. <strong>Pip</strong> and <strong>setuptools</strong> should be installed separately at the beginning, followed by everything else. If the command is not run as a superuser, you need to either:</p> <ol> <li>Add <code>sudo</code> at the beginning</li> <li>Add the <code>--user</code> argument to pip to install packages only for the user running the command</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">tar -xpzvf pips.tgz </span></span><span class="line"><span class="cl">python3 -m pip install --upgrade --no-index --find-links python-packages pip setuptools </span></span><span class="line"><span class="cl">python3 -m pip install --upgrade --no-index --find-links my-pip-packages -r requirements.txt </span></span></code></pre></td></tr></table> </div> </div><p>Now you can run Ansible!</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">root@289f34a67cbd:/host# ansible --version </span></span><span class="line"><span class="cl">ansible 2.10.11 </span></span><span class="line"><span class="cl"> config <span class="nv">file</span> <span class="o">=</span> None </span></span><span class="line"><span class="cl"> configured module search <span class="nv">path</span> <span class="o">=</span> <span class="o">[</span><span class="s1">&#39;/root/.ansible/plugins/modules&#39;</span>, <span class="s1">&#39;/usr/share/ansible/plugins/modules&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl"> ansible python module <span class="nv">location</span> <span class="o">=</span> /usr/local/lib/python3.6/dist-packages/ansible </span></span><span class="line"><span class="cl"> executable <span class="nv">location</span> <span class="o">=</span> /usr/local/bin/ansible </span></span><span class="line"><span class="cl"> python <span class="nv">version</span> <span class="o">=</span> 3.6.9 <span class="o">(</span>default, Jan <span class="m">26</span> 2021, 15:33:00<span class="o">)</span> <span class="o">[</span>GCC 8.4.0<span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="locales">Locales <a href="#locales">¶</a></h2> <p>There have been cases where in a severely stripped-down environment, like Docker Ubuntu 18.04, the package installation fails with the following error.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-plaintext" data-lang="plaintext"><span class="line"><span class="cl">ERROR: Exception: </span></span><span class="line"><span class="cl">Traceback (most recent call last): </span></span><span class="line"><span class="cl"> File &#34;/usr/local/lib/python3.6/dist-packages/pip/_internal/cli/base_command.py&#34;, line 173, in _main </span></span><span class="line"><span class="cl"> status = self.run(options, args) </span></span><span class="line"><span class="cl"> File &#34;/usr/local/lib/python3.6/dist-packages/pip/_internal/cli/req_command.py&#34;, line 203, in wrapper </span></span><span class="line"><span class="cl"> return func(self, options, args) </span></span><span class="line"><span class="cl"> File &#34;/usr/local/lib/python3.6/dist-packages/pip/_internal/commands/install.py&#34;, line 316, in run </span></span><span class="line"><span class="cl"> reqs, check_supported_wheels=not options.target_dir </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> File &#34;/usr/local/lib/python3.6/dist-packages/pip/_internal/operations/prepare.py&#34;, line 249, in unpack_url </span></span><span class="line"><span class="cl"> unpack_file(file.path, location, file.content_type) </span></span><span class="line"><span class="cl"> File &#34;/usr/local/lib/python3.6/dist-packages/pip/_internal/utils/unpacking.py&#34;, line 256, in unpack_file </span></span><span class="line"><span class="cl"> untar_file(filename, location) </span></span><span class="line"><span class="cl"> File &#34;/usr/local/lib/python3.6/dist-packages/pip/_internal/utils/unpacking.py&#34;, line 226, in untar_file </span></span><span class="line"><span class="cl"> with open(path, &#34;wb&#34;) as destfp: </span></span><span class="line"><span class="cl">UnicodeEncodeError: &#39;ascii&#39; codec can&#39;t encode character &#39;\xe9&#39; in position 117: ordinal not in range(128) </span></span></code></pre></td></tr></table> </div> </div><p>This can be resolved by setting environment variables before installing packages.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LANGUAGE</span><span class="o">=</span><span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LANG</span><span class="o">=</span><span class="s2">&#34;C.UTF-8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LC_CTYPE</span><span class="o">=</span><span class="s2">&#34;C.UTF-8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LC_NUMERIC</span><span class="o">=</span><span class="s2">&#34;C.UTF-8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LC_TIME</span><span class="o">=</span><span class="s2">&#34;C.UTF-8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LC_COLLATE</span><span class="o">=</span><span class="s2">&#34;C.UTF-8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LC_MONETARY</span><span class="o">=</span><span class="s2">&#34;C.UTF-8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LC_MESSAGES</span><span class="o">=</span><span class="s2">&#34;C.UTF-8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LC_PAPER</span><span class="o">=</span><span class="s2">&#34;C.UTF-8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LC_NAME</span><span class="o">=</span><span class="s2">&#34;C.UTF-8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LC_ADDRESS</span><span class="o">=</span><span class="s2">&#34;C.UTF-8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LC_TELEPHONE</span><span class="o">=</span><span class="s2">&#34;C.UTF-8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LC_MEASUREMENT</span><span class="o">=</span><span class="s2">&#34;C.UTF-8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LC_IDENTIFICATION</span><span class="o">=</span><span class="s2">&#34;C.UTF-8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">LC_ALL</span><span class="o">=</span><span class="s2">&#34;C.UTF-8&#34;</span> </span></span></code></pre></td></tr></table> </div> </div>https://vlasov.pro/en/p/v4l2loopback/Thu, 22 Jul 2021 00:00:00 +0000https://vlasov.pro/en/p/v4l2loopback/<img src="https://github.com/umlaeute/v4l2loopback/blob/main/images/icon.png?raw=true" alt="Featured image of post Creating a Virtual Camera for Conferences" /><p>We don&rsquo;t always want to include a camera during the conference, so we found a way to display video or static images instead. The means of OS or browser doesn&rsquo;t provide this out of the box. I found <a class="link" href="https://github.com/umlaeute/v4l2loopback" target="_blank" rel="noopener" >this article</a> and, indeed, created a virtual camera module that is recognized by browsers as an ordinary camera &#x1f604;</p> <p>Below is a script with detailed comments. The only argument to it is the path to the file or image that should be transmitted in the stream.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="cp">#!/usr/bin/env sh </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="nb">set</span> -e </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># label for the new webcam as it will be seen in browser</span> </span></span><span class="line"><span class="cl"><span class="nv">LABEL</span><span class="o">=</span><span class="s2">&#34;VirtualCam #0&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># module insertion in case if it was not inserted during this boot</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> ! lsmod <span class="p">|</span> grep -qE <span class="s1">&#39;^v4l2loopback&#39;</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="c1"># camera is being created during the module loading</span> </span></span><span class="line"><span class="cl"> sudo modprobe v4l2loopback <span class="nv">devices</span><span class="o">=</span><span class="m">1</span> <span class="nv">exclusive_caps</span><span class="o">=</span><span class="m">1</span> <span class="nv">max_buffers</span><span class="o">=</span><span class="m">2</span> <span class="nv">card_label</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$LABEL</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># wait for a while to finish module initialization</span> </span></span><span class="line"><span class="cl"> sleep <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># path to media file</span> </span></span><span class="line"><span class="cl"><span class="nv">F</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">1</span><span class="p">:?File is not passed</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1"># getting path to newly created camera device</span> </span></span><span class="line"><span class="cl"><span class="nv">DEV</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>v4l2-ctl --list-devices 2&gt;/dev/null <span class="p">|</span> grep -A1 <span class="s2">&#34;</span><span class="nv">$LABEL</span><span class="s2">&#34;</span> <span class="p">|</span> grep -oE <span class="s1">&#39;/dev/video[0-9]+&#39;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[</span> ! -f <span class="s2">&#34;</span><span class="nv">$F</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="c1"># check in case if media file path does not exists</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;error: file </span><span class="nv">$F</span><span class="s2"> does not exists&#34;</span> &gt;<span class="p">&amp;</span><span class="m">2</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># get file type and use proper streaming command</span> </span></span><span class="line"><span class="cl"><span class="k">case</span> <span class="s2">&#34;</span><span class="k">$(</span>file --mime-type --brief <span class="s2">&#34;</span><span class="nv">$F</span><span class="s2">&#34;</span> <span class="p">|</span> cut -d/ -f1<span class="k">)</span><span class="s2">&#34;</span> in </span></span><span class="line"><span class="cl"> video<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># in case if file is video</span> </span></span><span class="line"><span class="cl"> ffmpeg -re -i <span class="s2">&#34;</span><span class="nv">$F</span><span class="s2">&#34;</span> -f v4l2 -vcodec rawvideo -pix_fmt yuv420p <span class="s2">&#34;</span><span class="nv">$DEV</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">;;</span> </span></span><span class="line"><span class="cl"> image<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># in case if file is picture</span> </span></span><span class="line"><span class="cl"> ffmpeg -loop <span class="m">1</span> -re -i <span class="s2">&#34;</span><span class="nv">$F</span><span class="s2">&#34;</span> -f v4l2 -vcodec rawvideo -pix_fmt yuv420p <span class="s2">&#34;</span><span class="nv">$DEV</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">;;</span> </span></span><span class="line"><span class="cl"> *<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># in case if file is something else</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s1">&#39;error: unknown mime type&#39;</span> &gt;<span class="p">&amp;</span><span class="m">2</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">2</span> </span></span><span class="line"><span class="cl"> <span class="p">;;</span> </span></span><span class="line"><span class="cl"><span class="k">esac</span> </span></span></code></pre></td></tr></table> </div> </div><p>So, in the end, we were able to stream Rick Ashley - Never Gonna Give You Up.</p> <div class="video-wrapper"> <iframe loading="lazy" src="https://www.youtube.com/embed/dQw4w9WgXcQ" allowfullscreen title="YouTube Video" > </iframe> </div> <p>One notable drawback is that FFmpeg consumes almost an entire core. Additionally, we are, of course, only transmitting the image, without any sound.</p>https://vlasov.pro/en/p/ceph-upgrade/Mon, 16 Nov 2020 00:00:00 +0000https://vlasov.pro/en/p/ceph-upgrade/<img src="https://vlasov.pro/ru/p/ceph-upgrade/ceph.webp" alt="Featured image of post CEPH Upgrade" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p>We have the following cluster:</p> <ul> <li>Ceph 15.2.1 installed with cephadm</li> <li>14 OSD</li> <li>3 MON</li> <li>3 RGW</li> <li>3 MDS</li> <li>3 CRUSH</li> </ul> <p>Version <em>15.2.4</em> has been released, and we want to upgrade.</p> <h2 id="getting-started">Getting Started <a href="#getting-started">¶</a></h2> <p>Cephadm provides a mechanism for upgrading, but it didn&rsquo;t work for me right away, so I had to <strong>assist</strong> it. Let&rsquo;s see what exactly needs to be upgraded.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ceph orch upgrade check ceph/ceph 15.2.4 </span></span></code></pre></td></tr></table> </div> </div><p>A JSON file appears with a list of daemons that have already been upgraded and those that differ from the requested version, i.e., all of them at the moment. Time to get started.<br> So, the procedure has been launched, and now there are some commands worth running to get a summary.</p> <ol> <li><code>ceph status</code> - for general information about the cluster&rsquo;s state. You can run it in a separate terminal like this: <code>watch -n 10 ceph status</code></li> <li><code>ceph status -W cephadm</code> - definitely run this command in the terminal to monitor the orchestrator&rsquo;s log.</li> </ol> <h2 id="temporary-difficulties">Temporary Difficulties <a href="#temporary-difficulties">¶</a></h2> <p>We call <code>ceph orch ps</code> and see that all <em>monitors</em> and <em>managers</em> are upgraded, good, but now we&rsquo;re in <strong>HEALTH_ERROR</strong> with the error shown below.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-plain" data-lang="plain"><span class="line"><span class="cl">module &#39;cephadm&#39; has failed: auth get failed: failed to find client.crash.01 in keyring retval: -2 </span></span></code></pre></td></tr></table> </div> </div><p>It turns out that some keys are missing. You need to create one for each crash and restart the orchestration.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="k">for</span> i in <span class="k">$(</span>ceph orch ps <span class="p">|</span> grep -oE <span class="s1">&#39;crash.[0-9]+&#39;</span><span class="k">)</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> ceph auth get-or-create <span class="s2">&#34;client.</span><span class="nv">$i</span><span class="s2">&#34;</span> mgr <span class="s2">&#34;profile crash&#34;</span> mon <span class="s2">&#34;profile crash&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl">ceph orch upgrade stop </span></span><span class="line"><span class="cl">ceph mgr module disable cephadm </span></span><span class="line"><span class="cl">ceph mgr module <span class="nb">enable</span> cephadm </span></span><span class="line"><span class="cl">ceph orch upgrade start ceph/ceph 15.2.4 </span></span></code></pre></td></tr></table> </div> </div><p>Now we see that the <em>crashes</em> are ready too, good, but then everything seems to be stuck. Yes, HEALTH_OK, but <code>ceph orch ps</code> shows that all <em>OSDs</em> are still on the old version. The logs show the following.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-plain" data-lang="plain"><span class="line"><span class="cl">Upgrade: It is NOT safe to stop osd.0 </span></span></code></pre></td></tr></table> </div> </div><p>Aha, the orchestrator is afraid to stop OSD daemons with data. Let&rsquo;s help. Here is my situation.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># ceph osd tree</span> </span></span><span class="line"><span class="cl">ID CLASS WEIGHT TYPE NAME STATUS REWEIGHT PRI-AFF </span></span><span class="line"><span class="cl">-1 14.00000 root default </span></span><span class="line"><span class="cl">-3 5.00000 host <span class="m">01</span> </span></span><span class="line"><span class="cl"> <span class="m">0</span> hdd 1.00000 osd.0 up 1.00000 1.00000 </span></span><span class="line"><span class="cl"> <span class="m">1</span> hdd 1.00000 osd.1 up 1.00000 1.00000 </span></span><span class="line"><span class="cl"> <span class="m">2</span> hdd 1.00000 osd.2 up 1.00000 1.00000 </span></span><span class="line"><span class="cl"> <span class="m">3</span> hdd 1.00000 osd.3 up 1.00000 1.00000 </span></span><span class="line"><span class="cl"> <span class="m">4</span> hdd 1.00000 osd.4 up 1.00000 1.00000 </span></span><span class="line"><span class="cl">-5 5.00000 host <span class="m">02</span> </span></span><span class="line"><span class="cl"> <span class="m">5</span> hdd 1.00000 osd.5 up 1.00000 1.00000 </span></span><span class="line"><span class="cl"> <span class="m">6</span> hdd 1.00000 osd.6 up 1.00000 1.00000 </span></span><span class="line"><span class="cl"> <span class="m">7</span> hdd 1.00000 osd.7 up 1.00000 1.00000 </span></span><span class="line"><span class="cl"> <span class="m">8</span> hdd 1.00000 osd.8 up 1.00000 1.00000 </span></span><span class="line"><span class="cl"> <span class="m">9</span> hdd 1.00000 osd.9 up 1.00000 1.00000 </span></span><span class="line"><span class="cl">-7 4.00000 host <span class="m">03</span> </span></span><span class="line"><span class="cl"><span class="m">10</span> hdd 1.00000 osd.10 up 1.00000 1.00000 </span></span><span class="line"><span class="cl"><span class="m">11</span> hdd 1.00000 osd.11 up 1.00000 1.00000 </span></span><span class="line"><span class="cl"><span class="m">12</span> hdd 1.00000 osd.12 up 1.00000 1.00000 </span></span><span class="line"><span class="cl"><span class="m">13</span> hdd 1.00000 osd.13 up 1.00000 1.00000 </span></span></code></pre></td></tr></table> </div> </div><p>At first, I stopped OSDs one by one.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ceph osd out osd.0 </span></span></code></pre></td></tr></table> </div> </div><p>Then I relaxed and began to decommission a whole server sequentially. When we decommission osd.0, after some time, when rebalancing finishes, <code>ceph status -W cephadm</code> complains about osd.1, and <code>ceph orch ps</code> shows that osd.0 is upgraded. The idea is clear; just don&rsquo;t forget to reintegrate it.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ceph osd in osd.0 </span></span></code></pre></td></tr></table> </div> </div><p>In short, we decommission the OSDs of the first server, wait until cephadm complains about the next ones, and then reintegrate them. Further, <strong>wait for HEALTH_OK before decommissioning the next server&rsquo;s OSD</strong>, or you could lose data&hellip;<br> <strong>Based on your OSD tree</strong>, the plan, if done from scratch, is as follows:</p> <ol> <li>out 0, 1, 2, 3, 4</li> <li>wait for complaints about 5</li> <li>in 0, 1, 2, 3, 4</li> <li>wait for HEALTH_OK</li> <li>out 5, 6, 7, 8, 9</li> <li>wait for complaints about 10</li> <li>in 5, 6, 7, 8, 9</li> <li>wait for HEALTH_OK</li> <li>out 10, 11, 12, 13</li> <li>check that everything is upgraded with <code>ceph orch ps</code></li> <li>in 10, 11, 12, 13</li> <li>wait for HEALTH_OK</li> </ol> <div class="ascii-art"> ```plain ╔═╗╔═╗╔═╗╦ ╦ ╦ ╦╔═╗╔═╗╦═╗╔═╗╔╦╗╔═╗╔╦╗┬ ║ ║╣ ╠═╝╠═╣ ║ ║╠═╝║ ╦╠╦╝╠═╣ ║║║╣ ║║│ ╚═╝╚═╝╩ ╩ ╩ ╚═╝╩ ╚═╝╩╚═╩ ╩═╩╝╚═╝═╩╝o ``` </div> <h2 id="notes">Notes <a href="#notes">¶</a></h2> <p>The cluster is <em>half-empty</em>, so it was quick. If it were otherwise, it would have taken days&hellip;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">% sudo ceph osd df <span class="o">[</span>22<span class="o">]</span> </span></span><span class="line"><span class="cl">ID CLASS WEIGHT REWEIGHT SIZE RAW USE DATA OMAP META AVAIL %USE VAR PGS STATUS </span></span><span class="line"><span class="cl"> <span class="m">0</span> hdd 1.00000 1.00000 5.5 TiB 1.4 GiB <span class="m">438</span> MiB <span class="m">39</span> KiB <span class="m">1024</span> MiB 5.5 TiB 0.03 1.11 <span class="m">37</span> up </span></span><span class="line"><span class="cl"> <span class="m">1</span> hdd 1.00000 1.00000 5.5 TiB 1.4 GiB <span class="m">454</span> MiB 2.2 MiB <span class="m">1022</span> MiB 5.5 TiB 0.03 1.12 <span class="m">46</span> up </span></span><span class="line"><span class="cl"> <span class="m">2</span> hdd 1.00000 1.00000 5.5 TiB 1.3 GiB <span class="m">314</span> MiB 1.0 MiB <span class="m">1023</span> MiB 5.5 TiB 0.02 1.01 <span class="m">24</span> up </span></span><span class="line"><span class="cl"> <span class="m">3</span> hdd 1.00000 1.00000 5.5 TiB 1.2 GiB <span class="m">161</span> MiB 2.5 MiB <span class="m">1022</span> MiB 5.5 TiB 0.02 0.90 <span class="m">34</span> up </span></span><span class="line"><span class="cl"> <span class="m">4</span> hdd 1.00000 1.00000 5.5 TiB 1.2 GiB <span class="m">242</span> MiB <span class="m">21</span> KiB <span class="m">1024</span> MiB 5.5 TiB 0.02 0.96 <span class="m">34</span> up </span></span><span class="line"><span class="cl"> <span class="m">5</span> hdd 1.00000 1.00000 5.5 TiB 1.2 GiB <span class="m">212</span> MiB 3.0 MiB <span class="m">1021</span> MiB 5.5 TiB 0.02 0.93 <span class="m">34</span> up </span></span><span class="line"><span class="cl"> <span class="m">6</span> hdd 1.00000 1.00000 5.5 TiB 1.5 GiB <span class="m">485</span> MiB <span class="m">533</span> KiB <span class="m">1023</span> MiB 5.5 TiB 0.03 1.14 <span class="m">35</span> up </span></span><span class="line"><span class="cl"> <span class="m">7</span> hdd 1.00000 1.00000 5.5 TiB 1.3 GiB <span class="m">280</span> MiB 1.8 MiB <span class="m">1022</span> MiB 5.5 TiB 0.02 0.99 <span class="m">41</span> up </span></span><span class="line"><span class="cl"> <span class="m">8</span> hdd 1.00000 1.00000 5.5 TiB 1.3 GiB <span class="m">265</span> MiB <span class="m">19</span> MiB <span class="m">1005</span> MiB 5.5 TiB 0.02 0.97 <span class="m">38</span> up </span></span><span class="line"><span class="cl"> <span class="m">9</span> hdd 1.00000 1.00000 5.5 TiB 1.4 GiB <span class="m">359</span> MiB <span class="m">949</span> KiB <span class="m">1023</span> MiB 5.5 TiB 0.02 1.05 <span class="m">28</span> up </span></span><span class="line"><span class="cl"><span class="m">10</span> hdd 1.00000 1.00000 5.5 TiB 1.2 GiB <span class="m">179</span> MiB <span class="m">467</span> KiB <span class="m">1024</span> MiB 5.5 TiB 0.02 0.91 <span class="m">33</span> up </span></span><span class="line"><span class="cl"><span class="m">11</span> hdd 1.00000 1.00000 5.5 TiB 1.1 GiB <span class="m">132</span> MiB 2.8 MiB <span class="m">1021</span> MiB 5.5 TiB 0.02 0.87 <span class="m">23</span> up </span></span><span class="line"><span class="cl"><span class="m">12</span> hdd 1.00000 1.00000 5.5 TiB 1.3 GiB <span class="m">358</span> MiB <span class="m">19</span> MiB <span class="m">1005</span> MiB 5.5 TiB 0.02 1.04 <span class="m">36</span> up </span></span><span class="line"><span class="cl"><span class="m">13</span> hdd 1.00000 1.00000 5.5 TiB 1.3 GiB <span class="m">301</span> MiB <span class="m">734</span> KiB <span class="m">1023</span> MiB 5.5 TiB 0.02 1.00 <span class="m">39</span> up </span></span><span class="line"><span class="cl"> TOTAL <span class="m">76</span> TiB <span class="m">18</span> GiB 4.1 GiB <span class="m">54</span> MiB <span class="m">14</span> GiB <span class="m">76</span> TiB 0.02 </span></span><span class="line"><span class="cl">MIN/MAX VAR: 0.87/1.14 STDDEV: 0.00 </span></span></code></pre></td></tr></table> </div> </div>https://vlasov.pro/en/p/docker/Fri, 21 Aug 2020 00:00:00 +0000https://vlasov.pro/en/p/docker/<img src="https://vlasov.pro/ru/p/docker/docker.webp" alt="Featured image of post Introduction to Docker" /><blockquote> <p>Written in collaboration with <a class="link" href="https://rebrainme.com/blog/docker/docker-ustanovka-nastrojka-i-pervye-shagi-v-sisteme/" target="_blank" rel="noopener" >ReBrainMe</a></p> </blockquote> <p><a class="link" href="https://www.docker.com/" target="_blank" rel="noopener" >Docker</a> is the de facto standard containerization engine, widely used for running applications in both development environments and high-load production environments. You can learn more about terminology <a class="link" href="https://rebrainme.com/blog/docker/terminologiya-v-docker/" target="_blank" rel="noopener" >here</a>.</p> <p>The purpose of this article is to install and run Docker locally, start getting acquainted with this fascinating system, and grasp the basics.</p> <h2 id="installing-docker">Installing Docker <a href="#installing-docker">¶</a></h2> <p>Docker has <a class="link" href="https://docs.docker.com/get-docker/" target="_blank" rel="noopener" >official instructions</a> for installation. In practice, I used the installation script (for Linux):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">curl -LO get.docker.com <span class="p">|</span> sudo sh - </span></span></code></pre></td></tr></table> </div> </div><p>If the <code>curl</code> utility is not installed, <a class="link" href="https://get.docker.com/" target="_blank" rel="noopener" >download the script</a> and run it manually:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sh /path/to/downloaded/script.sh </span></span></code></pre></td></tr></table> </div> </div><p>If you want to install a specific version of Docker, you can use the installation scripts from <a class="link" href="https://rancher.com/docs/rancher/v2.x/en/installation/requirements/installing-docker/" target="_blank" rel="noopener" >Rancher</a>, which you can <a class="link" href="https://github.com/rancher/install-docker" target="_blank" rel="noopener" >find and download here</a>. The script is run in the same way, you can change the URL in the <code>curl</code> command, and it will work.</p> <h2 id="configuring-docker">Configuring Docker <a href="#configuring-docker">¶</a></h2> <p>It works out of the box, but there are a couple of things I would recommend adjusting right away based on personal experience.</p> <h3 id="configure-the-logging-driver">Configure the logging driver <a href="#configure-the-logging-driver">¶</a></h3> <p>By default, the <a class="link" href="https://docs.docker.com/config/containers/logging/json-file/" target="_blank" rel="noopener" >json-file</a> driver is used, which does not limit the size of the <a class="link" href="https://en.wikipedia.org/wiki/JSON" target="_blank" rel="noopener" >JSON</a> file where logs for the corresponding container are stored. You can adjust this on Linux by editing the <em>/etc/docker/daemon.json</em> file. If the file does not exist, create it. The content to add:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;log-driver&#34;</span><span class="p">:</span> <span class="s2">&#34;json-file&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;log-opts&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;max-size&#34;</span><span class="p">:</span> <span class="s2">&#34;100m&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;max-file&#34;</span><span class="p">:</span> <span class="s2">&#34;1&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>This configures the json-file driver to not create more than one log file per container, with the file size not exceeding <code>100 MB</code>. This can be overridden when starting the container, but having these defaults saves you from wondering, <em>&ldquo;Where did 6 GB go in one day?&rdquo;</em></p> <h3 id="start-the-docker-service">Start the Docker service <a href="#start-the-docker-service">¶</a></h3> <p>Sometimes it does not start automatically after installation. You can fix this on Linux with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo systemctl <span class="nb">enable</span> --now docker.service </span></span></code></pre></td></tr></table> </div> </div><p>Here, we used <a class="link" href="https://wiki.archlinux.org/index.php/Systemd" target="_blank" rel="noopener" >systemctl</a> to start the Docker Engine and enable it to start on boot.</p> <h3 id="add-the-user-to-the-docker-group">Add the user to the Docker group <a href="#add-the-user-to-the-docker-group">¶</a></h3> <p>To be able to interact with the Docker Engine as a <em>non-privileged user</em> (without <code>sudo</code>), you need to add the user to the Docker group.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo usermod -aG docker <span class="s2">&#34;</span><span class="nv">$USER</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>For the changes to take effect, you need to reboot or use <a class="link" href="https://wiki.archlinux.org/index.php/Access_Control_Lists" target="_blank" rel="noopener" >ACL</a>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo setfacl -m <span class="s2">&#34;u:</span><span class="si">${</span><span class="nv">USER</span><span class="si">}</span><span class="s2">:rwx&#34;</span> /var/run/docker.sock </span></span></code></pre></td></tr></table> </div> </div><h2 id="getting-acquainted-with-dockerhub">Getting acquainted with DockerHub <a href="#getting-acquainted-with-dockerhub">¶</a></h2> <p><em>Containers</em> are created from <em>images</em>. An image is an ordered set of filesystem layers that were created during the build process. People share images by uploading them to a Docker Registry. The most popular one is <a class="link" href="https://hub.docker.com/" target="_blank" rel="noopener" >DockerHub</a>. Many software products are published here and supported <strong>officially</strong>, and there are many tools created by individuals or small communities that are as good as the official ones. <strong>It is important</strong> to check what you are downloading and running – whether it’s an unknown source with no documentation or an official build that is regularly updated and comes with clear documentation. There have been rumors of miners in unknown images&hellip; but that’s more of a rarity than a rule (in my experience).</p> <p>Here are some links to official images: <a class="link" href="https://hub.docker.com/_/haproxy" target="_blank" rel="noopener" >HaProxy</a>, <a class="link" href="https://hub.docker.com/_/nginx" target="_blank" rel="noopener" >Nginx</a>, <a class="link" href="https://hub.docker.com/_/postgres" target="_blank" rel="noopener" >PostgreSQL</a>, <a class="link" href="https://hub.docker.com/_/mysql" target="_blank" rel="noopener" >MySQL</a>, <a class="link" href="https://hub.docker.com/r/grafana/grafana" target="_blank" rel="noopener" >Grafana</a>, <a class="link" href="https://hub.docker.com/r/prom/prometheus" target="_blank" rel="noopener" >Prometheus</a>.</p> <h2 id="running-the-first-container">Running the first container <a href="#running-the-first-container">¶</a></h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo docker run --rm -it -p 8080:80 nginx:stable-alpine </span></span></code></pre></td></tr></table> </div> </div><p>Opening <a class="link" href="http://localhost:8080" target="_blank" rel="noopener" >http://localhost:8080</a> shows:</p> <p><img src="https://vlasov.pro/ru/p/docker/nginx-welcome.png" width="549" height="205" srcset="https://vlasov.pro/ru/p/docker/nginx-welcome_hu17821898986438557257.png 480w, https://vlasov.pro/ru/p/docker/nginx-welcome_hu8976578484894536805.png 1024w" loading="lazy" alt="Nginx welcome page" class="gallery-image" data-flex-grow="267" data-flex-basis="642px" ></p> <p>What did we do? Let’s break down the command step by step.</p> <p><em><code>sudo</code></em> – run the following command as another user, defaulting to the superuser <code>root</code>.<br> <em><code>docker</code></em> – run the Docker executable, found in one of the paths specified in the <code>PATH</code> environment variable.<br> <em><code>run</code></em> – create and start a new container.<br> <em><code>--rm</code></em> – remove it after it finishes running, so it doesn’t take up space.<br> <em><code>-i</code></em> – attach stdin/out/err from the shell to the container; run in interactive mode.<br> <em><code>-t</code></em> – create a TTY for the container.<br> <em><code>-p 8080:80</code></em> – forward port 8080 from the host to port 80 inside the container.<br> <em><code>nginx:stable-alpine</code></em> – use the nginx image with the tag stable-alpine to create the container. Other tags can be found on the <a class="link" href="https://hub.docker.com/_/nginx" target="_blank" rel="noopener" >Nginx DockerHub page</a>.</p> <h2 id="mounting">Mounting <a href="#mounting">¶</a></h2> <p>It’s often necessary to attach some data to the container or take it out so that it’s not lost when the container is recreated. More details can be found <a class="link" href="https://docs.docker.com/storage/volumes/" target="_blank" rel="noopener" >here</a>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;Hello world! Date: </span><span class="k">$(</span>date<span class="k">)</span><span class="s2">&#34;</span> &gt; /tmp/my_file.txt </span></span><span class="line"><span class="cl">sudo docker run --rm -it -p 8080:80 -v /tmp/my_file.txt:/usr/share/nginx/html/index.html:ro nginx:stable-alpine </span></span></code></pre></td></tr></table> </div> </div><p>Here we created the file <em>/tmp/my_file.txt</em> and mounted it to <em>/usr/share/nginx/html/index.html</em>. According to the container description, and by empirical means, we can determine that the web server&rsquo;s file path in the default configuration file is <em>/usr/share/nginx/html</em>, and the default file to open as the main page is index.html. Thus, we mount from the host to the container at the found path.</p> <p>When mounting, be careful. <strong>If mounting a file</strong>, it must already exist on the host at startup, otherwise, a directory will be created. When mounting, <strong>the path on the host must be absolute</strong>. When mounting a directory, the contents of the target path inside the container will <strong>disappear</strong> and be replaced by the contents of the host folder.</p> <h2 id="running-in-background-mode">Running in background mode <a href="#running-in-background-mode">¶</a></h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo docker run -d --name my1 -p 3000:3000 grafana/grafana </span></span></code></pre></td></tr></table> </div> </div><p>Here, a couple of new flags appeared. <em><code>-d</code></em> – run in the background. <em><code>--name my1</code></em> – set the container name to &ldquo;my1&rdquo;, as a random one is generated by default, but we want to assign our own. Check the container status.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo docker ps </span></span><span class="line"><span class="cl">sudo docker stats </span></span></code></pre></td></tr></table> </div> </div><p>The first command displays information about all running containers, and the second provides a brief summary of resource consumption. <a class="link" href="https://localhost:3000" target="_blank" rel="noopener" >Open Grafana</a>.</p> <p><img src="https://vlasov.pro/ru/p/docker/grafana-login.webp" width="562" height="570" srcset="https://vlasov.pro/ru/p/docker/grafana-login_hu3519326263104635802.webp 480w, https://vlasov.pro/ru/p/docker/grafana-login_hu5812811221392077487.webp 1024w" loading="lazy" alt="Grafana login page" class="gallery-image" data-flex-grow="98" data-flex-basis="236px" ></p> <p>We can log in, explore (login: admin, password: admin), and then stop the container.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo docker stop my1 </span></span><span class="line"><span class="cl">sudo docker ps -a </span></span></code></pre></td></tr></table> </div> </div><p>As you can see, the container is stopped but not deleted. We can start it again or remove it.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo docker start my1 </span></span><span class="line"><span class="cl">sudo docker rm -f my1 </span></span></code></pre></td></tr></table> </div> </div><h2 id="conclusion">Conclusion <a href="#conclusion">¶</a></h2> <p>We installed Docker, got acquainted with DockerHub, launched a couple of containers, and tried basic commands for running applications with Docker Community Edition.</p>https://vlasov.pro/en/plan/Wed, 22 Jul 2020 00:00:00 +0000https://vlasov.pro/en/plan/<h2 id="articles-to-write">Articles to Write <a href="#articles-to-write">¶</a></h2> <ul> <li><input checked="" disabled="" type="checkbox"> <strong>Reverse SSH Tunneling</strong>. There was an article that got lost. How to forward a port from a remote host using SSH.</li> <li><input disabled="" type="checkbox"> <strong>Migrating from <a class="link" href="https://ghost.org" target="_blank" rel="noopener" >Ghost</a> to <a class="link" href="https://gohugo.io" target="_blank" rel="noopener" >Hugo</a></strong>. Why I decided to switch to Hugo and how it went.</li> <li><input checked="" disabled="" type="checkbox"> <strong>The <a class="link" href="https://github.com/derailed/k9s" target="_blank" rel="noopener" >k9s</a> Utility</strong>. A great tool that I use daily for working with Kubernetes.</li> <li><input checked="" disabled="" type="checkbox"> <strong>Terraform Tips and Tricks</strong>. Examples, tricks, and useful links for working with Terraform.</li> <li><input disabled="" type="checkbox"> <strong>Boltology: The 20\80 Rule in IT</strong>. Who knows the 80/20 rule? It&rsquo;s true that 80% of efforts give 80% results, but you need to put 100% effort into the remaining 20%.</li> <li><input checked="" disabled="" type="checkbox"> <strong>Wireguard Ansible</strong>. An article about my development - Ansible playbooks for setting up and configuring Wireguard.</li> <li><input disabled="" type="checkbox"> <strong>Healthcheck.io</strong> (<a class="link" href="https://healthcheck.io" target="_blank" rel="noopener" >https://healthcheck.io</a>). A great service that can be sure of successful backups.</li> <li><input disabled="" type="checkbox"> How to search and work with Helm charts.</li> <li><input disabled="" type="checkbox"> My experience with <a class="link" href="https://argo-cd.readthedocs.io/en/stable/" target="_blank" rel="noopener" >ArgoCD</a>. <em>(Stable, automated, flexible, but not without flaws. I use it on a large production with clean hands. Recommend)</em></li> </ul>https://vlasov.pro/en/resume/Wed, 22 Jul 2020 00:00:00 +0000https://vlasov.pro/en/resume/<div class="resume"> <iframe class="resume" src="https://vlasov.pro/Resume Yurii Vlasov.pdf"> </embed> </div>https://vlasov.pro/en/p/xfreerdp/Tue, 07 Jul 2020 00:00:00 +0000https://vlasov.pro/en/p/xfreerdp/<img src="https://vlasov.pro/ru/p/xfreerdp/xfreerdp.webp" alt="Featured image of post xFreeRDP" /><p><a class="link" href="http://www.freerdp.com/" target="_blank" rel="noopener" >xFreeRDP</a> – a tool for connecting to RDP from Linux. After moving to <a class="link" href="https://manjaro.org/" target="_blank" rel="noopener" >Manjaro</a> I was unable to install <a class="link" href="https://vlasov.pro/en/p/remmina/" >Remmina</a>, so I had to look for an alternative. This option pleased me. You can create a one-line script for hosts that you often connect to and use like a catalog.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="cp">#!/usr/bin/env sh </span></span></span><span class="line"><span class="cl"><span class="cp"></span>xfreerdp /v:1.2.3.4 /u:username /p:password /w:1360 /h:730 /drive:tmp,/tmp </span></span></code></pre></td></tr></table> </div> </div><p>Here I explicitly set the display size for connection and mount <em>/tmp</em> from local machine to remote one, so you can get some files.</p>https://vlasov.pro/en/about/Wed, 01 Jul 2020 00:00:00 +0000https://vlasov.pro/en/about/<h2 id="about-me">About Me <a href="#about-me">¶</a></h2> <p>I work as a system engineer <em>(DevOps)</em>, and I am studying and trying to do my best. In the process of working, I understood how much everything is lacking in terms of understanding systems at various stages of the <em>life cycle of software development</em>.<br> I studied at <a class="link" href="https://csn.khai.edu/" target="_blank" rel="noopener" >KhAI</a> as a computer engineer and received a master&rsquo;s degree in May 2020. You should take what is written on this site critically - do not believe everything you hear. I am sometimes uneducated in many questions, but in any case, I try to write about what I am sure of. Please, keep in mind, that english version of the site is autotranslated with AI&rsquo;s, so errors are possible &#x1f604;</p> <h2 id="my-goals">My Goals <a href="#my-goals">¶</a></h2> <p>The list contains the goals that I pursue while keeping this blog afloat. They are ordered by priority according to importance, in descending order:</p> <ol> <li>Do not write nonsense.</li> <li>Write and maintain a set of materials that cover at least the minimum knowledge required for every IT professional working in the industry.</li> <li>Publish articles based on interesting and unusual solutions. These solutions should be interesting but should not standardize them as necessary to study.</li> <li>Support feedback and adjust the course of this blog.</li> <li>Use this resource as a &ldquo;CV&rdquo; when transitioning to any other company.</li> </ol>https://vlasov.pro/en/archives/Wed, 01 Jul 2020 00:00:00 +0000https://vlasov.pro/en/archives/https://vlasov.pro/en/search/Wed, 01 Jul 2020 00:00:00 +0000https://vlasov.pro/en/search/https://vlasov.pro/en/p/rsnapshot/Tue, 12 May 2020 00:00:00 +0000https://vlasov.pro/en/p/rsnapshot/<img src="https://vlasov.pro/ru/p/rsnapshot/rsnapshot.webp" alt="Featured image of post Rsnapshot" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p><a class="link" href="https://wiki.archlinux.org/index.php/Rsnapshot" target="_blank" rel="noopener" >Rsnapshot</a> is a great utility that can:</p> <ol> <li>Backup folders in the local system and store them in a backup storage (a designated folder somewhere nearby).</li> <li>Run scripts that create backups, store them locally, and rsnapshot takes these files and puts them in the same backup folder.</li> <li>Send backups via sftp somewhere.</li> <li>Store only diffs between backups, saving space.</li> </ol> <h2 id="retention">Retention <a href="#retention">¶</a></h2> <p>Rsnapshot has Retention Policies (I might not be calling it exactly right), which in the configuration start with <em>retain</em>. These are descriptions of <em>abstract plans</em> about how many recent backup copies to keep. <em>I struggled for a while until I realized that their names don&rsquo;t affect anything.</em> So if a plan is called <em>daily</em>, rsnapshot won&rsquo;t necessarily run it every day—you can run it monthly in cron if you want. I find it convenient to use names like daily, weekly, and monthly for configuration (for easier reading and maintenance).</p> <p>Retention policies written lower in the config are considered to be executed less frequently than those higher up, so the number for those should be smaller. Rsnapshot uses the content from the higher retention <code>i+1</code> to create the next lower retention <code>i</code>. Example:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-diff" data-lang="diff"><span class="line"><span class="cl"><span class="gi">+ date </span></span></span><span class="line"><span class="cl"><span class="gi"></span>Tue May 12 05:58:33 UTC 2020 </span></span><span class="line"><span class="cl"><span class="gi">+ rsnapshot daily </span></span></span><span class="line"><span class="cl"><span class="gi">+ ls -la /data/backups </span></span></span><span class="line"><span class="cl"><span class="gi"></span>total 48 </span></span><span class="line"><span class="cl">drwxrwxr-x. 11 y.vlasov y.vlasov 4096 May 12 05:57 . </span></span><span class="line"><span class="cl">drwxrwxr-x+ 6 root root 4096 Apr 27 09:43 .. </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 12 05:57 daily.0 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 12 00:00 daily.1 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 11 00:00 daily.2 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 10 00:00 daily.3 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 9 00:00 daily.4 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 8 00:00 daily.5 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 7 00:00 daily.6 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 4 00:00 weekly.0 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 2 00:00 weekly.1 </span></span><span class="line"><span class="cl"><span class="gi">+ rsnapshot weekly </span></span></span><span class="line"><span class="cl"><span class="gi">+ ls -la /data/backups </span></span></span><span class="line"><span class="cl"><span class="gi"></span>total 48 </span></span><span class="line"><span class="cl">drwxrwxr-x. 11 y.vlasov y.vlasov 4096 May 12 05:57 . </span></span><span class="line"><span class="cl">drwxrwxr-x+ 6 root root 4096 Apr 27 09:43 .. </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 12 05:57 daily.0 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 12 00:00 daily.1 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 11 00:00 daily.2 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 10 00:00 daily.3 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 9 00:00 daily.4 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 8 00:00 daily.5 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 7 00:00 weekly.0 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 4 00:00 weekly.1 </span></span><span class="line"><span class="cl">drwxr-xr-x. 6 root root 4096 May 2 00:00 weekly.2 </span></span></code></pre></td></tr></table> </div> </div><h2 id="backup-backup_script">Backup, backup_script <a href="#backup-backup_script">¶</a></h2> <p>So how does it perform a backup? Rsnapshot backs up <strong>all the steps</strong> listed in the configuration <strong>each time it is called</strong>.</p> <ul> <li><em>backup</em> - you specify a folder path to be backed up, and it copies it completely to the storage.</li> <li><em>backup_script</em> - you specify the path to a shell script that performs the backup itself, and places the resulting files/folders nearby, then rsnapshot moves them to the storage.</li> <li><em>other options</em> - <code>man rsnapshot</code>.</li> </ul> <h2 id="plan">Plan <a href="#plan">¶</a></h2> <ol start="0"> <li>Create a folder at the <em>snapshot_root</em> path.</li> <li>Write the rsnapshot.conf file (by default located at <em>/etc/rsnapshot.conf</em>).</li> <li>Add rsnapshot calls to the scheduler - cron.</li> </ol> <h2 id="example">Example <a href="#example">¶</a></h2> <p>Let&rsquo;s create the snapshot_root folder: <code>mkdir -p /data/backups</code>.</p> <h3 id="contents-of-etcrsnapshotconf">Contents of /etc/rsnapshot.conf <a href="#contents-of-etcrsnapshotconf">¶</a></h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1">## Note 1: You must use tabs to separate arguments on a line</span> </span></span><span class="line"><span class="cl">config_version 1.2 </span></span><span class="line"><span class="cl">snapshot_root /data/backups </span></span><span class="line"><span class="cl">no_create_root <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="c1">## Note 2: Paths may vary between OSes</span> </span></span><span class="line"><span class="cl">cmd_rm /usr/bin/rm </span></span><span class="line"><span class="cl">cmd_rsync /usr/bin/rsync </span></span><span class="line"><span class="cl">cmd_logger /usr/bin/logger </span></span><span class="line"><span class="cl"><span class="c1">## Retention configuration</span> </span></span><span class="line"><span class="cl">retain daily <span class="m">7</span> </span></span><span class="line"><span class="cl">retain weekly <span class="m">4</span> </span></span><span class="line"><span class="cl"><span class="c1">## Logging settings</span> </span></span><span class="line"><span class="cl">verbose <span class="m">2</span> </span></span><span class="line"><span class="cl">loglevel <span class="m">3</span> </span></span><span class="line"><span class="cl">lockfile /var/run/rsnapshot.pid </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Describing the actions</span> </span></span><span class="line"><span class="cl">backup /data/ghost ghost/ </span></span><span class="line"><span class="cl">backup_script /srv/my_soft/backup.sh my_soft/ </span></span></code></pre></td></tr></table> </div> </div><h3 id="contents-of-crontab">Contents of crontab <a href="#contents-of-crontab">¶</a></h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-plain" data-lang="plain"><span class="line"><span class="cl">0 0 * * * /usr/bin/rsnapshot daily 2&gt;&amp;1 | systemd-cat -t rsnapshot-daily </span></span><span class="line"><span class="cl">10 0 * * 0 /usr/bin/rsnapshot weekly 2&gt;&amp;1 | systemd-cat -t rsnapshot-weekly </span></span></code></pre></td></tr></table> </div> </div><h3 id="contents-of-srvmy_softbackupsh">Contents of /srv/my_soft/backup.sh <a href="#contents-of-srvmy_softbackupsh">¶</a></h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="cp">#!/usr/bin/env sh </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="nb">set</span> -e </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">CMD</span><span class="o">=</span><span class="s1">&#39;&#39;&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">rm -rf backup; \ </span></span></span><span class="line"><span class="cl"><span class="s1">pg_basebackup -U my_user -X stream -F plain -D backup 1&gt;/dev/null 2&gt;&amp;1 &amp;&amp; \ </span></span></span><span class="line"><span class="cl"><span class="s1">tar -C backup -czf - $(ls backup) </span></span></span><span class="line"><span class="cl"><span class="s1">&#39;&#39;&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">docker <span class="nb">exec</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -w /tmp <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> my_soft.postgres <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> /bin/sh -c <span class="s2">&#34;</span><span class="nv">$CMD</span><span class="s2"> 1&gt;pg_basebackup.tgz </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="contents-of-daily0">Contents of daily.0 <a href="#contents-of-daily0">¶</a></h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-plain" data-lang="plain"><span class="line"><span class="cl">/data/backups/daily.0 </span></span><span class="line"><span class="cl">├── ghost </span></span><span class="line"><span class="cl">│   └── data </span></span><span class="line"><span class="cl">├── my_soft </span></span><span class="line"><span class="cl">│   └── pg_basebackup.tgz </span></span><span class="line"><span class="cl">├── proxy </span></span><span class="line"><span class="cl">│   ├── certificates.tgz </span></span><span class="line"><span class="cl">│   └── haproxy.tgz </span></span><span class="line"><span class="cl">└── another_one </span></span><span class="line"><span class="cl"> └── another_backup_from_backup_script.tgz </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">5 directories, 4 files </span></span></code></pre></td></tr></table> </div> </div>https://vlasov.pro/en/p/rpm2pkg/Mon, 27 Apr 2020 00:00:00 +0000https://vlasov.pro/en/p/rpm2pkg/<img src="https://vlasov.pro/ru/p/rpm2pkg/rpm2pkg.webp" alt="Featured image of post RPM2PKG" /><blockquote> <p>It turned out that Skype and Slack can be installed from AUR with one command</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">yay -S slack-desktop skype </span></span></code></pre></td></tr></table> </div> </div><p>I left the article just for history</p> </blockquote> <p>I switched to <a class="link" href="https://manjaro.org/" target="_blank" rel="noopener" >Manjaro</a> and encountered the fact that Skype and Viber are packaged in RPM and DEB. What to do with Arch? On <a class="link" href="https://gitlab.com/vlasov-y/rpm2pkg" target="_blank" rel="noopener" >GitLab</a> I placed a simple script that converts rpm to pkg.</p> <h2 id="using-the-script">Using the Script <a href="#using-the-script">¶</a></h2> <ol> <li>Install dependencies</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo pacman -S rpm rpm2cpio cpio git </span></span><span class="line"><span class="cl">python3 -m pip install --upgrade --user pip pyyaml jinja2 </span></span></code></pre></td></tr></table> </div> </div><ol start="2"> <li>Clone repository</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">git clone --depth <span class="m">1</span> --single-branch git@gitlab.com:vlasov-y/rpm2pkg.git </span></span><span class="line"><span class="cl"><span class="nb">cd</span> rpm2pkg </span></span></code></pre></td></tr></table> </div> </div><ol start="3"> <li>Convert</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">curl -fLO https://repo.skype.com/latest/skypeforlinux-64.rpm </span></span><span class="line"><span class="cl">python3 rpm2pkg skypeforlinux-64.rpm </span></span><span class="line"><span class="cl"><span class="c1"># or add --install to install package automatically (interactive mode, will prompt you for confirmation)</span> </span></span><span class="line"><span class="cl"><span class="c1"># python3 rpm2pkg --install skypeforlinux-64.rpm</span> </span></span></code></pre></td></tr></table> </div> </div><ol start="4"> <li>Install</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo pacman -U skype*.pkg.tar.gz </span></span></code></pre></td></tr></table> </div> </div><ol start="5"> <li>Remove</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo pacman -R skype </span></span></code></pre></td></tr></table> </div> </div>https://vlasov.pro/en/p/nextcloud/Sat, 25 Apr 2020 00:00:00 +0000https://vlasov.pro/en/p/nextcloud/<img src="https://vlasov.pro/ru/p/nextcloud/nextcloud.webp" alt="Featured image of post Nextcloud" /><h2 id="launching-the-stack">Launching the Stack <a href="#launching-the-stack">¶</a></h2> <p><a class="link" href="https://nextcloud.com/" target="_blank" rel="noopener" ><strong>Nextcloud</strong></a> - personal cloud with gallery, email checking, online document editing, audio and radio listening, etc. A demo can be seen <a class="link" href="https://try.nextcloud.com/" target="_blank" rel="noopener" >here</a>. A clone of <a class="link" href="https://owncloud.org/" target="_blank" rel="noopener" >OwnCloud</a>, I tried initially and didn&rsquo;t find any issues, but there are slightly more applications than what I saw.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;3.7&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">nextcloud</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">nextcloud:18.0.3-apache</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">nextcloud</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">unless-stopped</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">depends_on</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">postgres</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s1">&#39;8080:80&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./nextcloud:/var/www/html:rw</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">logging</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">driver</span><span class="p">:</span><span class="w"> </span><span class="l">json-file</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">options</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max-size</span><span class="p">:</span><span class="w"> </span><span class="l">100m</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">postgres</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">postgres:11.7-alpine</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">postgres</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">unless-stopped</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">networks</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nextcloud</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./postgres:/var/lib/postgresql/data:rw</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">POSTGRES_DB=nextcloud</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">POSTGRES_USER=nextcloud</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">POSTGRES_PASSWORD=94dbd6b2-bd9f-4867-99af-37f8e4444640</span><span class="w"> </span><span class="c"># gitleaks:allow</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">logging</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">driver</span><span class="p">:</span><span class="w"> </span><span class="l">json-file</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">options</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max-size</span><span class="p">:</span><span class="w"> </span><span class="l">100m</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="notes">Notes <a href="#notes">¶</a></h2> <ol> <li>Tried updating from 16.0.4.1 to 18.0.3 through 17.0.5 - everything failed. Reinstalled and restored files beforehand by downloading them myself from <code>./nextcloud/data/username/files</code>. Went back using file synchronization via <a class="link" href="https://nextcloud.com/install/#install-clients" target="_blank" rel="noopener" >client application</a>.</li> <li>The Admin account cannot be deleted through the UI. I created my own account, then tried to delete the standard one as I believe all accounts should always be unique, no fuss. You can delete it like this:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo docker-compose <span class="nb">exec</span> -u www-data nextcloud php occ user:delete admin </span></span></code></pre></td></tr></table> </div> </div><ol start="3"> <li>For WebDAV and CalDAV to work properly, add the following configuration to your haproxy configuration file:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">global </span></span><span class="line"><span class="cl"> log 127.0.0.1 local0 </span></span><span class="line"><span class="cl"> stats socket /var/run/haproxy.sock mode <span class="m">660</span> level admin expose-fd listeners </span></span><span class="line"><span class="cl"> stats timeout 30s </span></span><span class="line"><span class="cl"> user root </span></span><span class="line"><span class="cl"> group root </span></span><span class="line"><span class="cl"> daemon </span></span><span class="line"><span class="cl"> maxconn <span class="m">4096</span> </span></span><span class="line"><span class="cl"> nbproc <span class="m">1</span> </span></span><span class="line"><span class="cl"> <span class="c1"># Default SSL material locations</span> </span></span><span class="line"><span class="cl"> ca-base /etc/ssl/certs </span></span><span class="line"><span class="cl"> crt-base /etc/ssl/private </span></span><span class="line"><span class="cl"> <span class="c1"># general SSL config</span> </span></span><span class="line"><span class="cl"> ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 </span></span><span class="line"><span class="cl"> ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets </span></span><span class="line"><span class="cl"> tune.ssl.default-dh-param <span class="m">4096</span> </span></span><span class="line"><span class="cl"> ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 </span></span><span class="line"><span class="cl"> ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">defaults </span></span><span class="line"><span class="cl"> log global </span></span><span class="line"><span class="cl"> mode http </span></span><span class="line"><span class="cl"> option http-buffer-request </span></span><span class="line"><span class="cl"> option httplog </span></span><span class="line"><span class="cl"> option dontlognull </span></span><span class="line"><span class="cl"> option forwardfor </span></span><span class="line"><span class="cl"> timeout connect 5s </span></span><span class="line"><span class="cl"> timeout client 25s </span></span><span class="line"><span class="cl"> timeout server 25s </span></span><span class="line"><span class="cl"> timeout tunnel 3600s </span></span><span class="line"><span class="cl"> timeout http-keep-alive 1s </span></span><span class="line"><span class="cl"> timeout http-request 15s </span></span><span class="line"><span class="cl"> timeout queue 30s </span></span><span class="line"><span class="cl"> timeout tarpit 60s </span></span><span class="line"><span class="cl"> compression algo gzip </span></span><span class="line"><span class="cl"> compression <span class="nb">type</span> text/plain text/css text/xml text/javascript application/javascript application/x-javascript application/xml application/json </span></span><span class="line"><span class="cl"> errorfile <span class="m">400</span> /usr/local/etc/haproxy/errors/400.http </span></span><span class="line"><span class="cl"> errorfile <span class="m">403</span> /usr/local/etc/haproxy/errors/403.http </span></span><span class="line"><span class="cl"> errorfile <span class="m">408</span> /usr/local/etc/haproxy/errors/408.http </span></span><span class="line"><span class="cl"> errorfile <span class="m">500</span> /usr/local/etc/haproxy/errors/500.http </span></span><span class="line"><span class="cl"> errorfile <span class="m">502</span> /usr/local/etc/haproxy/errors/502.http </span></span><span class="line"><span class="cl"> errorfile <span class="m">503</span> /usr/local/etc/haproxy/errors/503.http </span></span><span class="line"><span class="cl"> errorfile <span class="m">504</span> /usr/local/etc/haproxy/errors/504.http </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">frontend http_https </span></span><span class="line"><span class="cl"> <span class="nb">bind</span> :80 </span></span><span class="line"><span class="cl"> <span class="nb">bind</span> :443 ssl crt /certificates/cloudflare.haproxy alpn h2,http/1.1 </span></span><span class="line"><span class="cl"> <span class="c1"># acls</span> </span></span><span class="line"><span class="cl"> acl dav path_reg -i ^/.well-known/<span class="o">(</span>carddav<span class="p">|</span>caldav<span class="o">)</span>.*$ </span></span><span class="line"><span class="cl"> acl webfinger path_reg -i ^/.well-known/<span class="o">(</span>carddav<span class="p">|</span>caldav<span class="o">)</span>.*$ </span></span><span class="line"><span class="cl"> <span class="c1"># proxy headers</span> </span></span><span class="line"><span class="cl"> http-request set-header X-Forwarded-Port %<span class="o">[</span>dst_port<span class="o">]</span> <span class="k">if</span> forwarded_port </span></span><span class="line"><span class="cl"> <span class="c1"># http-response set-header Access-Control-Allow-Credentials &#34;true&#34;</span> </span></span><span class="line"><span class="cl"> http-request add-header X-Forwarded-Proto https <span class="k">if</span> https forwarded_proto </span></span><span class="line"><span class="cl"> http-request replace-path <span class="o">(</span>.*<span class="o">)</span> /remote.php/dav <span class="k">if</span> dav </span></span><span class="line"><span class="cl"> http-request replace-path <span class="o">(</span>.*<span class="o">)</span> /public.php?service<span class="o">=</span>webfinger <span class="k">if</span> webfinger </span></span><span class="line"><span class="cl"> default_backend cloud </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">backend nextcloud </span></span><span class="line"><span class="cl"> http-response set-header Strict-Transport-Security <span class="s2">&#34;max-age=63072000; includeSubDomains; preload;&#34;</span> </span></span><span class="line"><span class="cl"> server default nextcloud:80 check </span></span></code></pre></td></tr></table> </div> </div><ol start="4"> <li>Authorization was rotating endlessly and only F5 allowed access. On the PC, the problem disappeared, but how about with a client for Android? <a class="link" href="https://github.com/nextcloud/android/issues/3623#issuecomment-568992424" target="_blank" rel="noopener" >Here</a>, it turned out that you can simply add a magic word to your config and you&rsquo;ll be able to log in forever.</li> </ol>https://vlasov.pro/en/p/shells/Wed, 22 Apr 2020 00:00:00 +0000https://vlasov.pro/en/p/shells/<img src="https://vlasov.pro/ru/p/shells/bash.webp" alt="Featured image of post Command Line Setup" /><blockquote> <p>Written together with <a class="link" href="https://rebrainme.com/blog/" target="_blank" rel="noopener" >ReBrainMe</a></p> </blockquote> <p>The command-line shell is used for any server manipulation. There are many ways to configure servers. It&rsquo;s important that it&rsquo;s comfortable for the administrator, but the <strong>main thing</strong> is that it&rsquo;s <strong>efficient</strong> in terms of time, effort, and cost. The command line can be colorful, with arrows of different colors showing the path to the current directory, time, CPU load, and other stuff. Here&rsquo;s an example from <a class="link" href="https://github.com/ohmyzsh/ohmyzsh/" target="_blank" rel="noopener" >here</a>:</p> <p><img src="https://vlasov.pro/ru/p/shells/ohmyzsh.webp" width="633" height="346" srcset="https://vlasov.pro/ru/p/shells/ohmyzsh_hu14244436401278716114.webp 480w, https://vlasov.pro/ru/p/shells/ohmyzsh_hu6890038653941497772.webp 1024w" loading="lazy" alt="ohmyzsh" class="gallery-image" data-flex-grow="182" data-flex-basis="439px" ></p> <p>It&rsquo;s beautiful, yes, but too many colors distract from the essence. Also, the Git repository branch is displayed, taking up vital space on the left, though it could be moved to the right.</p> <h2 id="command-line-shells">Command Line Shells <a href="#command-line-shells">¶</a></h2> <p>Shells come in different types, though they solve the same problems in very similar ways, they are configured differently and have different functionality. <em>Try different ones and find your own! &hellip; or write one yourself</em>.</p> <ul> <li><em>bash</em> – the de facto standard shell, with basic autocompletion and path completion, included in most distributions by default, often used as a script shell.</li> <li><em>fish</em> and <em>zsh</em> – two different shells that greatly surpass bash in functionality, often heard of.</li> <li><em>ksh, tsh, csh &hellip;</em> other shells, which may be just as good or even better, but are slightly less common.</li> </ul> <p>The goal of this article is to <strong>subjectively</strong> figure out what really needs to be in the terminal window and <em>suggest a solution</em> based on <strong>zsh</strong>.</p> <p>What is needed for the command line to be effective?</p> <h2 id="shell-requirements">Shell Requirements <a href="#shell-requirements">¶</a></h2> <ol> <li><em>Path autocompletion</em>. This is undeniably the main feature needed for navigating directory trees. It may seem that Bash has path autocompletion by default by pressing Tab twice. Try Zsh – you only need to press Tab once, a small thing, right? Now go back to Bash :) Additionally, Zsh can be configured to display a list of files matching the given prefix, which <em>eliminates the need to interrupt input and run ls -la, you can even select the option with arrow keys</em>. This is not used often, but it&rsquo;s convenient.</li> <li><em>Command history search</em>. If you’ve already switched to <a class="link" href="https://github.com/ranger/ranger" target="_blank" rel="noopener" >ranger</a>, this might become the most important requirement for you. At first, we learn about <strong>Ctrl+R</strong> to search for a command in the history of typed commands. Convenient, but not perfect. In Zsh, you can just type a piece of the command and use the arrow keys to select the one you need from the autosuggestions. Subjectively more convenient, and here’s why: to show the next command from history, you need to press Ctrl+R again, which is not very comfortable, especially when you skip over the one you need.</li> <li><em>Highlighting the command prompt</em>. When scrolling through a large number of logs in the terminal from different commands, you start to lose track and spend extra time distinguishing which block of logs belongs to which command, where the command itself is, etc. Highlighting the command prompt is really necessary, but not in a way that overshadows everything. Often, the first thing a beginner changes in a non-standard shell is the contents of the <strong>PS1</strong> variable. <a class="link" href="https://linoxide.com/how-tos/change-bash-prompt-variable-ps1/" target="_blank" rel="noopener" >Here’s a good description of PS1-4 variables</a>.</li> <li><em>Lightweight</em>. Briefly: when you&rsquo;re on a server where the loadavg is tens of times exceeded, you’ll regret setting up resource-intensive code in motd or the beginning of .zshrc (.bashrc) that outputs extensive CPU, memory, network, disk usage statistics, etc.</li> <li><em>Uncluttered</em>. Even if zsh is chosen for daily use, I write all scripts with a shebang for classic sh because it’s practically everywhere, and the syntax is standardized. In other words, it’s not recommended to write scripts using the non-standard syntaxes of advanced shells, as it will be a hassle to install them on every server.</li> <li><em>Comfort</em>. Efficiency and comfort are closely related. Setting a semi-transparent image as the background or picking fonts to your liking is also very important when you find yourself thinking that ugly fonts and a clunky interface kill your motivation to work completely. <em>Just don’t overdo it</em>.</li> </ol> <h2 id="aliases">Aliases <a href="#aliases">¶</a></h2> <p>It’s very convenient to declare aliases to speed up command typing.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="nb">alias</span> ..<span class="o">=</span><span class="s2">&#34;cd .. &amp;&amp; ls -lhA --color=auto&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">a</span><span class="o">=</span><span class="s2">&#34;ls -lhA --color=auto&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">d</span><span class="o">=</span><span class="s2">&#34;sudo docker&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">dc</span><span class="o">=</span><span class="s2">&#34;sudo docker-compose&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">die</span><span class="o">=</span><span class="s2">&#34;sudo shutdown now&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">e</span><span class="o">=</span><span class="s2">&#34;exit&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">g</span><span class="o">=</span><span class="s2">&#34;git&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">j</span><span class="o">=</span><span class="s2">&#34;sudo journalctl&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">k</span><span class="o">=</span><span class="s2">&#34;kubectl&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">l</span><span class="o">=</span><span class="s2">&#34;ls -lh --color=auto&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">la</span><span class="o">=</span><span class="s2">&#34;ls -lhA --color=auto&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">p</span><span class="o">=</span><span class="s2">&#34;ping 8.8.8.8&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">r</span><span class="o">=</span><span class="s2">&#34;ranger&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">reborn</span><span class="o">=</span><span class="s2">&#34;sudo shutdown -r now&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">s</span><span class="o">=</span><span class="s2">&#34;sudo&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">sctl</span><span class="o">=</span><span class="s2">&#34;sudo systemctl&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">sr</span><span class="o">=</span><span class="s2">&#34;screen -R&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">svi</span><span class="o">=</span><span class="s2">&#34;sudo vim&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">svim</span><span class="o">=</span><span class="s2">&#34;sudo vim&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">alias</span> <span class="nv">t</span><span class="o">=</span><span class="s2">&#34;terraform&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>And a little humor: <em>alias please=&lsquo;sudo&rsquo;</em> will make your interaction with the computer much smoother.</p> <h2 id="zsh-configuration">Zsh Configuration <a href="#zsh-configuration">¶</a></h2> <p><img src="https://vlasov.pro/ru/p/shells/my-zsh.png" width="676" height="276" srcset="https://vlasov.pro/ru/p/shells/my-zsh_hu5659858168636195027.png 480w, https://vlasov.pro/ru/p/shells/my-zsh_hu10784998609317191711.png 1024w" loading="lazy" alt="Example of a custom zsh configuration" class="gallery-image" data-flex-grow="244" data-flex-basis="587px" ></p> <p>As you can see, each command is highlighted between separators like <code>; &amp;&amp; |</code>, and the command is entered on the second line, after the prompt indicating the current directory and username with host. This makes long commands more readable and manageable. On the right, honestly <em>borrowed</em> from the standard settings shipped with zsh in <a class="link" href="https://manjaro.org/" target="_blank" rel="noopener" >Manjaro</a>, is the current Git repository branch. If there are changes, deletions, or additions, yellow, green, and red circles appear. Since it didn&rsquo;t take up much space, it was decided to keep it. Why not. When typing a command, the last one that matches the prefix is suggested. You can confirm the selection by pressing the right arrow key. The terminal emulator window is <a class="link" href="https://terminator-gtk3.readthedocs.io/en/latest/" target="_blank" rel="noopener" >Terminator</a>.</p> <p>To set up and configure the terminal window as in the example, follow these steps:</p> <ol> <li><a class="link" href="https://github.com/ohmyzsh/ohmyzsh/wiki/Installing-ZSH" target="_blank" rel="noopener" >Install</a> ohmyzsh</li> <li>Copy <a class="link" href="files/dot.zshrc" >.zshrc</a> to your home directory</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">install -o <span class="s2">&#34;</span><span class="k">$(</span>id -u<span class="k">)</span><span class="s2">&#34;</span> -g <span class="s2">&#34;</span><span class="k">$(</span>id -g<span class="k">)</span><span class="s2">&#34;</span> -m <span class="m">0644</span> .zshrc ~/.zshrc </span></span></code></pre></td></tr></table> </div> </div><ol start="3"> <li>Unpack the <a class="link" href="files/plugins.tgz" >plugins</a></li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo tar -xpzvf plugins.tgz / </span></span><span class="line"><span class="cl">sudo usermod -s <span class="s2">&#34;</span><span class="k">$(</span><span class="nb">command</span> -v zsh<span class="k">)</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$USER</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><ol start="4"> <li>Set zsh as the default shell</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo usermod -s <span class="s2">&#34;</span><span class="k">$(</span><span class="nb">command</span> -v zsh<span class="k">)</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$USER</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div>https://vlasov.pro/en/p/ceph-intro/Wed, 22 Apr 2020 00:00:00 +0000https://vlasov.pro/en/p/ceph-intro/<img src="https://vlasov.pro/ru/p/ceph-intro/ceph.webp" alt="Featured image of post Introduction to CEPH" /><h2 id="installation">Installation <a href="#installation">¶</a></h2> <p><a class="link" href="https://ceph.io/" target="_blank" rel="noopener" ><strong>CEPH</strong></a> is a distributed network storage system that supports S3, iSCSI, RBD, etc. It’s a great solution, with plenty of documentation available, but it can be tricky to figure out the correct installation method at first.</p> <h3 id="rook">Rook <a href="#rook">¶</a></h3> <p>The officially recommended way to install CEPH on Kubernetes. You can read about the experience of the team at <a class="link" href="https://flant.com/" target="_blank" rel="noopener" >Flant</a> <a class="link" href="https://habr.com/en/company/flant/blog/451818/" target="_blank" rel="noopener" >here</a>.</p> <h3 id="cephadm">Cephadm <a href="#cephadm">¶</a></h3> <p>Based on this, I wrote some Ansible playbooks and successfully managed a cluster deployed on a host. It accepted 40 GiB over the local network in 2 minutes and remained stable :)</p> <h3 id="deprecated--not-recommended">Deprecated / Not Recommended <a href="#deprecated--not-recommended">¶</a></h3> <p>The methods I tried that turned out to be either non-working or deprecated:</p> <ul> <li><a class="link" href="https://docs.ceph.com/docs/master/rados/deployment/" target="_blank" rel="noopener" ><strong>ceph-deploy</strong></a>: somewhere in the documentation, I found that this method is not recommended. Unfortunately, I had already spent a couple of days on it. I can’t provide a link since their SSL certificate expired, and I’m blocked from accessing the site due to HSTS.</li> <li><a class="link" href="https://github.com/ceph/ceph-ansible" target="_blank" rel="noopener" ><strong>ceph ansible</strong></a>: comprehensive and feature-rich, but CentOS 7 is no longer supported on the master branch, and the monitors didn’t synchronize. I couldn’t find a way to install the dashboard without monitoring, so I implemented it myself. I gained experience with Ansible, but then new issues arose, prompting me to switch to <em>cephadm</em>, which I’m glad I did.</li> </ul> <h2 id="useful-commands">Useful Commands <a href="#useful-commands">¶</a></h2> <p>Here&rsquo;s a <a class="link" href="https://sabaini.at/pages/ceph-cheatsheet.html" target="_blank" rel="noopener" >cheatsheet</a> I found helpful.<br> To view the list of disks in use on the servers:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ceph orch device ls </span></span><span class="line"><span class="cl">ceph device ls </span></span><span class="line"><span class="cl">ceph device ls-by-host ceph-server-0 </span></span></code></pre></td></tr></table> </div> </div><p>To check the space usage summary:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ceph osd df </span></span><span class="line"><span class="cl">ceph df </span></span><span class="line"><span class="cl">ceph df <span class="p">|</span> grep -oE <span class="s1">&#39;[0-9.]+\s*[a-zA-Z]+$&#39;</span> <span class="p">|</span> uniq <span class="p">|</span> sort -n </span></span></code></pre></td></tr></table> </div> </div><p>To view the cluster status:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ceph status </span></span><span class="line"><span class="cl">ceph -w </span></span></code></pre></td></tr></table> </div> </div><p>To see the infrastructure, including which services/containers are running and where:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ceph orch ls </span></span><span class="line"><span class="cl">ceph orch ps </span></span></code></pre></td></tr></table> </div> </div><h2 id="replacing-an-osd">Replacing an OSD <a href="#replacing-an-osd">¶</a></h2> <p><a class="link" href="https://m.habr.com/en/company/flant/blog/495870/" target="_blank" rel="noopener" >Here’s a good article</a> from the same Flant team, along with a <a class="link" href="https://m.habr.com/en/company/flant/blog/495870/comments/#comment_21477582" target="_blank" rel="noopener" >useful comment</a> that complements it well. I recreated the OSD when I expanded the block device on the server (virtual machine) to add space to the cluster. I followed this process:</p> <ol> <li>The cluster must be in HEALTH_OK state.</li> <li>Remove the OSD from the cluster.</li> <li>Delete the daemon (container) holding this OSD.</li> <li>Purge the OSD.</li> <li>Clear the partition.</li> <li>Reconnect it.</li> <li>Wait for HEALTH_OK.</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># The OSD we want to recreate</span> </span></span><span class="line"><span class="cl"><span class="nv">OSD</span><span class="o">=</span><span class="s1">&#39;osd.0&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Find the host</span> </span></span><span class="line"><span class="cl"><span class="nv">HOST</span><span class="o">=</span><span class="s2">&#34;</span><span class="k">$(</span>ceph device ls <span class="p">|</span> awk <span class="s2">&#34;/</span><span class="si">${</span><span class="nv">OSD</span><span class="si">}</span><span class="s2">/{print \$2}&#34;</span> <span class="p">|</span> cut -d: -f1<span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Get the name of the block device allocated to the OSD</span> </span></span><span class="line"><span class="cl"><span class="nv">DEV</span><span class="o">=</span><span class="s2">&#34;/dev/</span><span class="k">$(</span>ceph device ls <span class="p">|</span> awk <span class="s2">&#34;/</span><span class="si">${</span><span class="nv">OSD</span><span class="si">}</span><span class="s2">/{print \$2}&#34;</span> <span class="p">|</span> cut -d: -f2<span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Step 1</span> </span></span><span class="line"><span class="cl">ceph health <span class="p">|</span> grep -q <span class="s1">&#39;HEALTH_OK&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Step 2</span> </span></span><span class="line"><span class="cl">ceph osd out <span class="s2">&#34;</span><span class="nv">$OSD</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Step 3</span> </span></span><span class="line"><span class="cl">ceph orch daemon rm <span class="s2">&#34;</span><span class="nv">$OSD</span><span class="s2">&#34;</span> --force </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Step 4</span> </span></span><span class="line"><span class="cl">ceph osd purge <span class="s2">&#34;</span><span class="nv">$OSD</span><span class="s2">&#34;</span> --force </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Step 5</span> </span></span><span class="line"><span class="cl">ceph orch device zap <span class="s2">&#34;</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">:</span><span class="si">${</span><span class="nv">DEV</span><span class="si">}</span><span class="s2">&#34;</span> --force </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Step 6</span> </span></span><span class="line"><span class="cl"><span class="nv">NEW_ID</span><span class="o">=</span><span class="s2">&#34;osd.</span><span class="k">$(</span>ceph orch daemon add osd <span class="s2">&#34;</span><span class="si">${</span><span class="nv">HOST</span><span class="si">}</span><span class="s2">:</span><span class="si">${</span><span class="nv">DEV</span><span class="si">}</span><span class="s2">&#39; | awk &#39;{print </span><span class="nv">$3</span><span class="s2">}&#39;)&#34;</span> </span></span><span class="line"><span class="cl">sleep <span class="m">5</span> </span></span><span class="line"><span class="cl">ceph osd crush reweight <span class="s2">&#34;</span><span class="nv">$NEW_ID</span><span class="s2">&#34;</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Step 7</span> </span></span><span class="line"><span class="cl"><span class="k">while</span> ! ceph health <span class="p">|</span> grep -q <span class="s1">&#39;HEALTH_OK&#39;</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> sleep <span class="m">5</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span></code></pre></td></tr></table> </div> </div><p>In my experience, replacing an OSD with 15 GiB of data took about 30 minutes. This was tested on three <a class="link" href="https://www.hetzner.com/cloud#pricing" target="_blank" rel="noopener" >CX21 Hetzner</a> instances.</p> <h2 id="rbd-and-docker">RBD and Docker <a href="#rbd-and-docker">¶</a></h2> <p>Setting up RBD and integrating it with Docker:</p> <ol> <li>Create a pool.</li> <li>Initialize the pool.</li> <li>Create a user for the setup.</li> <li>Disable unnecessary features. Some RBD features aren’t supported in Linux kernels before 4.17, so they had to be disabled. You can check the options with:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ceph config <span class="nb">help</span> rbd_default_features </span></span></code></pre></td></tr></table> </div> </div><ol start="5"> <li>Install the Docker volume plugin.</li> <li>Test on the container.</li> <li>Mount the volume and verify the file.</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Step 1</span> </span></span><span class="line"><span class="cl">ceph osd pool create rbd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Step 2</span> </span></span><span class="line"><span class="cl">rbd pool init rbd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Step 3</span> </span></span><span class="line"><span class="cl">ceph auth get-or-create client.rbd mon <span class="s1">&#39;profile rbd&#39;</span> osd <span class="s1">&#39;profile rbd pool=rbd&#39;</span> mgr <span class="s1">&#39;profile rbd pool=rbd&#39;</span> &gt; /etc/ceph/ceph.client.rbd.keyring </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Step 4</span> </span></span><span class="line"><span class="cl">ceph config <span class="nb">set</span> global rbd_default_features <span class="m">7</span> </span></span></code></pre></td></tr></table> </div> </div><p>I used this <a class="link" href="https://github.com/wetopi/docker-volume-rbd" target="_blank" rel="noopener" >volume driver</a>. Other options I found hadn’t been updated in 3-4 years and seemed abandoned. This driver doesn’t require anything to run on the side and <a class="link" href="https://docs.docker.com/engine/extend/" target="_blank" rel="noopener" >integrates directly into Docker</a>. Install it like this:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Step 5</span> </span></span><span class="line"><span class="cl">docker plugin install wetopi/rbd <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --alias<span class="o">=</span>rbd <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --grant-all-permissions <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="nv">LOG_LEVEL</span><span class="o">=</span><span class="m">1</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="nv">RBD_CONF_POOL</span><span class="o">=</span>rbd <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="nv">RBD_CONF_CLUSTER</span><span class="o">=</span>ceph <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="nv">RBD_CONF_KEYRING_USER</span><span class="o">=</span>client.rbd <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="nv">MOUNT_OPTIONS</span><span class="o">=</span><span class="s1">&#39;--options=noatime,discard&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Run a simple Docker Compose stack and mount the image:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;3.8&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">test</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">alpine</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="l">sh -c &#39;cat /vol/test; date | tee /vol/test&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">data-volume:/vol</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">data-volume</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">vol1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">driver</span><span class="p">:</span><span class="w"> </span><span class="l">rbd</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">driver_opts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">size</span><span class="p">:</span><span class="w"> </span><span class="m">123</span><span class="w"> </span><span class="c"># MiB</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Run and verify:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Step 6</span> </span></span><span class="line"><span class="cl">sudo docker-compose up </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Step 7</span> </span></span><span class="line"><span class="cl">rbd map vol1 </span></span><span class="line"><span class="cl">mkdir /tmp/vol1 </span></span><span class="line"><span class="cl">mount /dev/rbd0 /tmp/vol1 </span></span><span class="line"><span class="cl"><span class="nb">cd</span> /tmp/vol1 </span></span><span class="line"><span class="cl">ls -la </span></span><span class="line"><span class="cl">cat <span class="nb">test</span> </span></span><span class="line"><span class="cl"><span class="nb">cd</span> / </span></span><span class="line"><span class="cl">umount /tmp/vol1 </span></span><span class="line"><span class="cl">rbd unmap /dev/rbd0 </span></span></code></pre></td></tr></table> </div> </div>https://vlasov.pro/en/p/remmina/Wed, 22 Apr 2020 00:00:00 +0000https://vlasov.pro/en/p/remmina/<img src="https://vlasov.pro/ru/p/remmina/remmina.webp" alt="Featured image of post Remmina" /><p>Great client application for connecting by RDP/VNC/etc. I installed it on Ubuntu 18.04 like this:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo add-apt-repository ppa:remmina-ppa-team/remmina-next </span></span><span class="line"><span class="cl">sudo apt update </span></span><span class="line"><span class="cl">sudo apt install remmina <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> remmina-plugin-exec <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> remmina-plugin-kwallet <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> remmina-plugin-nx <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> remmina-plugin-rdp <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> remmina-plugin-secret <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> remmina-plugin-spice <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> remmina-plugin-vnc <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> remmina-plugin-www <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> remmina-plugin-xdmcp <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> libfreerdp-plugins-standard </span></span><span class="line"><span class="cl">sudo ln -s /usr/lib/x86_64-linux-gnu/libssh.so.4 /usr/lib/x86_64-linux-gnu/libssh_threads.so.4 </span></span></code></pre></td></tr></table> </div> </div><p>More information is available on their <a class="link" href="https://remmina.org/" target="_blank" rel="noopener" >page</a>.</p>https://vlasov.pro/en/p/ssh-intro/Mon, 09 Mar 2020 00:00:00 +0000https://vlasov.pro/en/p/ssh-intro/<img src="https://vlasov.pro/ru/p/ssh-intro/openssh.webp" alt="Featured image of post Basics of SSH" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p><strong>S</strong>ecure <strong>Sh</strong>ell - de facto standard way to get access to a remote terminal on an virtual server. On the computer where you need to get access, <strong>SSH server</strong> is installed, and on the computer where the operator works, <strong>SSH client</strong> is installed. Through SSH we can:</p> <ol> <li>Transfer files</li> <li>Execute commands on the target server</li> <li>Get information about the target system and perform simple automation</li> </ol> <p>On Linux and MacOS, we have a terminal - SSH, which is usually set up by default. For Windows, I used the following options:</p> <ol> <li><a class="link" href="https://mobaxterm.mobatek.net/" target="_blank" rel="noopener" >MobaXTerm</a> - convenient, but paid. Suitable for non-commercial use, but you&rsquo;ll need to buy a license if you want to use it in a company. Advantages: <ul> <li>Immediately provides a file manager with drag-n-drop files to the target system</li> <li>Normal keyboard support and RSA key support</li> </ul> </li> <li><a class="link" href="https://git-scm.com/" target="_blank" rel="noopener" >Git</a> - when setting up Git, it includes Git Bash and an SSH client. Very close to the usual <a class="link" href="https://ru.wikipedia.org/wiki/Bash" target="_blank" rel="noopener" >Bash</a>.</li> </ol> <h2 id="connecting">Connecting <a href="#connecting">¶</a></h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ssh <span class="o">[</span>-p &lt;ssh порт&gt;<span class="o">]</span> &lt;пользователь&gt;@&lt;ip целевого хоста&gt; </span></span></code></pre></td></tr></table> </div> </div><p>The port is optional, defaulting to <strong>22</strong>, but <em>it&rsquo;s highly recommended</em> not to run the SSH server on the standard port, as the world is full of automated bots that scan networks and find virtual machines with SSH on the standard port and simple passwords, trying to add them to some botnet. I once fell for this, but it&rsquo;s a different story&hellip;</p> <h2 id="copying-files">Copying Files <a href="#copying-files">¶</a></h2> <p>To copy files to the target host, you can use scp.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">scp <span class="o">[</span>-P &lt;ssh порт&gt;<span class="o">]</span> /path/to/local/file &lt;пользователь&gt;@&lt;ip целевого хоста&gt;:&lt;путь на сервере назначения&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Note:</p> <ol> <li>The port for scp is specified using <code>-P</code>, whereas for ordinary SSH - <code>-p</code>.</li> <li>The folder on the target machine should belong to the user you&rsquo;re connecting with, or you&rsquo;ll need permission to write to that folder\file.</li> </ol>https://vlasov.pro/en/p/ghost/Sun, 08 Mar 2020 00:00:00 +0000https://vlasov.pro/en/p/ghost/<img src="https://vlasov.pro/ru/p/ghost/ghost-logo.webp" alt="Featured image of post First Post on Ghost" /><blockquote> <p><em>Now the blog is written on <a class="link" href="https://docs.stack.jimmycai.com" target="_blank" rel="noopener" >Hugo</a>. This article is the first post from the old blog, which, just like that, was on Ghost.</em></p> </blockquote> <ul> <li><a class="link" href="#notes" >Notes</a></li> </ul> <p>First article. Reminded me of Isaac Asimov&rsquo;s &ldquo;<a class="link" href="https://ru.wikipedia.org/wiki/%D0%9F%D0%BE%D1%81%D0%BB%D0%B5%D0%B4%D0%BD%D0%B8%D0%B9_%D0%B2%D0%BE%D0%BF%D1%80%D0%BE%D1%81" target="_blank" rel="noopener" >The Last Question</a>&rdquo;, listened to on the way to work one of those ordinary days. A good thing - recommend it. Writing a good article, which will be a worthwhile read, is not as easy as it seemed at first. There are two reasons for this:</p> <ol> <li>Thoughts must be <em>useful</em>.</li> <li>The text should be <em>systematized</em>.</li> </ol> <p>The system is launched on <a class="link" href="https://ghost.org" target="_blank" rel="noopener" >Ghost</a> - the server is good, fast, and started easily, there&rsquo;s enough tooling for such a pseudo-blogger like me. There&rsquo;s a built-in plugin for choosing images from <a class="link" href="https://unsplash.com/" target="_blank" rel="noopener" >Unsplash</a> - images that can be published without fear of being sued for copyright infringement. docker-compose.yml file, which makes this whole thing easy to set up, is presented below.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;3.7&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ghost</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ghost:3.9.0-alpine</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">ghost</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">unless-stopped</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s1">&#39;80:2368&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/data/ghost:/var/lib/ghost/content:rw</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">url=http://example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">logging</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">driver</span><span class="p">:</span><span class="w"> </span><span class="l">json-file</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">options</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max-size</span><span class="p">:</span><span class="w"> </span><span class="l">100m</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="notes">Notes <a href="#notes">¶</a></h2> <ol> <li>Always <em>keep the version</em> of the image, from which the container will be started. This helps avoid problems with the stack restarting later on. If you use <code>latest</code>, it&rsquo;s possible that when you recreate the stack, <code>up -&gt; down</code> might start again a newer version, which won&rsquo;t be compatible with the current data and settings etc. Moreover, it&rsquo;s impossible to quickly and easily remember <em>which version was exactly launched at the moment of startup?</em></li> <li><strong>Always</strong> control the logging process. If using the standard Docker logging driver - json-file, then by default, the Docker daemon will receive logs and write them to a file for this container until <em>the disk runs out</em>. By default, the file is always one, but its location can be limited by setting the <code>max-size: 100m</code> option (I just took 100 MB, it&rsquo;s unlikely that anyone would read more than that). <a class="link" href="https://docs.docker.com/config/containers/logging/json-file/" target="_blank" rel="noopener" >More information about the json-file Docker logging driver</a>.</li> <li>I recommend always specifying <code>container_name</code> - it&rsquo;s easier to read <code>docker ps</code>.</li> </ol>https://vlasov.pro/en/p/reverse-ssh/Sun, 20 Oct 2019 00:00:00 +0000https://vlasov.pro/en/p/reverse-ssh/<img src="https://vlasov.pro/ru/p/reverse-ssh/ssh.png" alt="Featured image of post Reverse SSH Tunnels" /><h2 id="introduction">Introduction <a href="#introduction">¶</a></h2> <p>When needing to access a server located behind <a class="link" href="https://www.webopedia.com/definitions/nat/" target="_blank" rel="noopener" >NAT</a>, direct connection cannot be made. Instead, we need to come up with alternative methods. We&rsquo;ll explore how to use both direct and reverse SSH tunnels for these purposes.</p> <h2 id="tunnels">Tunnels <a href="#tunnels">¶</a></h2> <h3 id="reverse-tunnel">Reverse Tunnel <a href="#reverse-tunnel">¶</a></h3> <ul> <li>Created from the target server (CS) to a intermediate (PS).</li> <li>Socket created on PS.</li> <li>Direct tunnel - created from the initial server (NS) to PS.</li> <li>Socket located on NS.</li> </ul> <p><img src="https://vlasov.pro/ru/p/reverse-ssh/diagram.png" width="542" height="317" srcset="https://vlasov.pro/ru/p/reverse-ssh/diagram_hu17955256524260640580.png 480w, https://vlasov.pro/ru/p/reverse-ssh/diagram_hu3505688432812524674.png 1024w" loading="lazy" alt="Schematic diagram of the proposed method" class="gallery-image" data-flex-grow="170" data-flex-basis="410px" ></p> <p>Using two tunnels, we can access CS. Ports for any website or even just SSH server in CS can be cast and gain access into the system. SOCKS5 proxy can also be used to exit the network through CS.</p> <blockquote> <p>Intermediate Server must be accessible from both CS and NS</p> </blockquote> <h3 id="creating-user-on-ps">Creating User on PS <a href="#creating-user-on-ps">¶</a></h3> <p>Using a user that can only create tunnels is recommended for security purposes. Below code creates a new user with no home directory or interpreter:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo adduser -s /bin/false -M -N tunnel </span></span><span class="line"><span class="cl">sudo usermod -d / tunnel </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s1">&#39;tunnel:tunnel&#39;</span> <span class="p">|</span> sudo chpasswd </span></span><span class="line"><span class="cl">cat <span class="s">&lt;&lt;EOF | sudo tee -a /etc/ssh/sshd_config </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">Match User tunnel </span></span></span><span class="line"><span class="cl"><span class="s"> PasswordAuthentication yes </span></span></span><span class="line"><span class="cl"><span class="s"> AuthenticationMethods &#34;password&#34; </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span><span class="line"><span class="cl">sudo systemctl restart sshd </span></span></code></pre></td></tr></table> </div> </div><h3 id="reverse-tunnel-1">Reverse Tunnel <a href="#reverse-tunnel-1">¶</a></h3> <p>Now let&rsquo;s move on to creating tunnels. We&rsquo;ll need a reverse tunnel from PS to CS.</p> <p>Below is <code>sshpass</code> command, which is necessary for automatically entering passwords when connecting via SSH:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">mkdir -p ~/.ssh </span></span><span class="line"><span class="cl">ssh-keyscan -H jump-host &gt;&gt; ~/.ssh/known_hosts </span></span></code></pre></td></tr></table> </div> </div><p>Creating the reverse tunnel on CS:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sshpass -p <span class="s1">&#39;password&#39;</span> ssh -fNR 2222:localhost:22 tunnel@jump-host </span></span></code></pre></td></tr></table> </div> </div><ul> <li><code>ssh-keyscan -H jump-host</code> adds SSH Server&rsquo;s key to PS&rsquo;s known hosts.</li> <li><code>-fN</code> executes command and doesn&rsquo;t create a tty session.</li> <li><code>-R</code> creates the reverse tunnel.</li> <li><code>2222:localhost:22</code> translates into: proxying 127.0.0.1:2222 (default localhost) to PS at 127.0.0.1:22 on CS. So, it does exactly this: proxies 127.0.0.1:2222 from NS&rsquo;s default address <code>localhost</code> to PS&rsquo;s address <code>127.0.0.1</code>. Now we can access CS via PS.</li> <li>Checking the tunnel can be done with:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ssh -p <span class="m">2222</span> localhost hostname </span></span></code></pre></td></tr></table> </div> </div><h3 id="direct-tunnel">Direct Tunnel <a href="#direct-tunnel">¶</a></h3> <p>To get into reverse tunnel on PS, a direct tunnel from NS needs to be created:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">mkdir -p ~/.ssh </span></span><span class="line"><span class="cl">ssh-keyscan -H jump-host &gt;&gt; ~/.ssh/known_hosts </span></span><span class="line"><span class="cl">sshpass -p <span class="s1">&#39;password&#39;</span> ssh -fNL 1234:localhost:2222 tunnel@jump-host </span></span></code></pre></td></tr></table> </div> </div><ul> <li><code>1234:localhost:2222</code> translates into: proxying 127.0.0.1:1234 from NS to PS at 127.0.0.1:2222 on CS, which means proxying from NS&rsquo;s address <code>localhost</code> at port <code>1234</code> to PS&rsquo;s address <code>127.0.0.1</code> at port <code>2222</code>. So, now we can access reverse tunnel on PS using direct tunnel.</li> <li>To access the tunnel:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ssh -fND <span class="m">1329</span> -p <span class="m">1234</span> user-on-th@localhost </span></span></code></pre></td></tr></table> </div> </div><h3 id="socks5-proxy">SOCKS5 Proxy <a href="#socks5-proxy">¶</a></h3> <p>We can set up any browser to use a SOCKS5 proxy for directing all traffic. This is convenient when trying to access resources in local network CS from NS. After creating tunnels, the following command needs to be executed on NS:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ssh -fND <span class="m">1329</span> -p <span class="m">1234</span> user-on-th@localhost </span></span></code></pre></td></tr></table> </div> </div><p>And to configure a browser&rsquo;s SOCKS5 proxy settings, look at this screenshot.</p> <p><img src="https://vlasov.pro/ru/p/reverse-ssh/proxy-settings.webp" width="1020" height="700" srcset="https://vlasov.pro/ru/p/reverse-ssh/proxy-settings_hu6932171806291270442.webp 480w, https://vlasov.pro/ru/p/reverse-ssh/proxy-settings_hu17882682458861990530.webp 1024w" loading="lazy" alt="KDE Plasma Proxy Settings" class="gallery-image" data-flex-grow="145" data-flex-basis="349px" ></p>https://vlasov.pro/en/p/openssl-snippet/Thu, 25 Apr 2019 00:00:00 +0000https://vlasov.pro/en/p/openssl-snippet/<img src="https://vlasov.pro/ru/p/openssl-snippet/https.webp" alt="Featured image of post OpenSSL Snippet" /><p>Here is the translated text:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span><span class="lnt">90 </span><span class="lnt">91 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="cp">#!/usr/bin/env sh </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="nb">set</span> -e </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># path to private part of CA (PEM encoded)</span> </span></span><span class="line"><span class="cl"><span class="nv">CA_KEY</span><span class="o">=</span><span class="s1">&#39;ca.key&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># path to public part of CA (PEM encoded)</span> </span></span><span class="line"><span class="cl"><span class="nv">CA_CRT</span><span class="o">=</span><span class="s1">&#39;ca.crt&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># password to use CA</span> </span></span><span class="line"><span class="cl"><span class="nv">CA_PASSWORD</span><span class="o">=</span><span class="s1">&#39;longalphanum&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Country</span> </span></span><span class="line"><span class="cl"><span class="nv">C</span><span class="o">=</span><span class="s1">&#39;UA&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># State</span> </span></span><span class="line"><span class="cl"><span class="nv">ST</span><span class="o">=</span><span class="s1">&#39;Kiev&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># Location</span> </span></span><span class="line"><span class="cl"><span class="nv">L</span><span class="o">=</span><span class="s1">&#39;Kiev&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># Organization</span> </span></span><span class="line"><span class="cl"><span class="nv">O</span><span class="o">=</span><span class="s1">&#39;No organization&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># Organization unit</span> </span></span><span class="line"><span class="cl"><span class="nv">OU</span><span class="o">=</span><span class="s1">&#39;No unit&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># Domain to issue final cert for</span> </span></span><span class="line"><span class="cl"><span class="nv">DOMAIN</span><span class="o">=</span><span class="s1">&#39;vlasov.pro&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># Days while the certificate will be valid</span> </span></span><span class="line"><span class="cl"><span class="nv">DAYS</span><span class="o">=</span><span class="s1">&#39;365&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">subj<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;/C=</span><span class="si">${</span><span class="nv">C</span><span class="si">}</span><span class="s2">/ST=</span><span class="si">${</span><span class="nv">ST</span><span class="si">}</span><span class="s2">/L=</span><span class="si">${</span><span class="nv">L</span><span class="si">}</span><span class="s2">/O=</span><span class="si">${</span><span class="nv">O</span><span class="si">}</span><span class="s2">/OU=</span><span class="si">${</span><span class="nv">OU</span><span class="si">}</span><span class="s2">/CN=</span><span class="nv">$1</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[</span> ! -f <span class="s2">&#34;</span><span class="nv">$CA_KEY</span><span class="s2">&#34;</span> <span class="o">]</span> <span class="o">||</span> <span class="o">[</span> <span class="s2">&#34;</span><span class="nv">$1</span><span class="s2">&#34;</span> <span class="o">=</span> <span class="s1">&#39;-ca&#39;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s1">&#39;basicConstraints=CA:true&#39;</span> &gt; extfile.txt </span></span><span class="line"><span class="cl"> <span class="c1"># CA - used for signing of both server and client certs</span> </span></span><span class="line"><span class="cl"> <span class="c1"># generate private key</span> </span></span><span class="line"><span class="cl"> openssl ecparam -genkey -name prime256v1 <span class="p">|</span> openssl ec -out <span class="s2">&#34;</span><span class="nv">$CA_KEY</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># generate signing request</span> </span></span><span class="line"><span class="cl"> openssl req -new -key <span class="s2">&#34;</span><span class="nv">$CA_KEY</span><span class="s2">&#34;</span> -out ca.csr -subj <span class="s2">&#34;</span><span class="k">$(</span>subj <span class="s2">&#34;</span><span class="nv">$O</span><span class="s2"> CA&#34;</span><span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># csr + key = crt</span> </span></span><span class="line"><span class="cl"> openssl x509 -req -days <span class="m">3650</span> -in ca.csr -signkey <span class="s2">&#34;</span><span class="nv">$CA_KEY</span><span class="s2">&#34;</span> -extfile extfile.txt -out <span class="s2">&#34;</span><span class="nv">$CA_CRT</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> rm -f ca.csr </span></span><span class="line"><span class="cl"> <span class="c1"># convert crt to DER format</span> </span></span><span class="line"><span class="cl"> openssl x509 -inform PEM -outform DER -in <span class="s2">&#34;</span><span class="nv">$CA_CRT</span><span class="s2">&#34;</span> -out <span class="s2">&#34;</span><span class="nv">$CA_CRT</span><span class="s2">.der&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s1">&#39;Generated CA&#39;</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># generate and sign certificate</span> </span></span><span class="line"><span class="cl">cat <span class="s">&lt;&lt;EOF &gt;extfile.txt </span></span></span><span class="line"><span class="cl"><span class="s">[ req ] </span></span></span><span class="line"><span class="cl"><span class="s">req_extensions = req_ext </span></span></span><span class="line"><span class="cl"><span class="s">distinguished_name = req_distinguished_name </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">[req_distinguished_name] </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">[ req_ext ] </span></span></span><span class="line"><span class="cl"><span class="s">basicConstraints = CA:FALSE </span></span></span><span class="line"><span class="cl"><span class="s">keyUsage = nonRepudiation, digitalSignature, keyEncipherment </span></span></span><span class="line"><span class="cl"><span class="s">subjectAltName = @alt_names </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">[alt_names] </span></span></span><span class="line"><span class="cl"><span class="s">DNS.1 = $DOMAIN </span></span></span><span class="line"><span class="cl"><span class="s">DNS.2 = *.$DOMAIN </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span><span class="line"><span class="cl"><span class="c1"># issue</span> </span></span><span class="line"><span class="cl">openssl ecparam -genkey -name prime256v1 <span class="p">|</span> openssl ec -out <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DOMAIN</span><span class="si">}</span><span class="s2">.key&#34;</span> <span class="c1"># key</span> </span></span><span class="line"><span class="cl">openssl req -new -key <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DOMAIN</span><span class="si">}</span><span class="s2">.key&#34;</span> -out <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DOMAIN</span><span class="si">}</span><span class="s2">.csr&#34;</span> -config extfile.txt -subj <span class="s2">&#34;</span><span class="k">$(</span>subj <span class="nv">$DOMAIN</span><span class="k">)</span><span class="s2">&#34;</span> <span class="c1"># csr</span> </span></span><span class="line"><span class="cl">openssl x509 -req <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -days <span class="s2">&#34;</span><span class="nv">$DAYS</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -in <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DOMAIN</span><span class="si">}</span><span class="s2">.csr&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -CA <span class="s2">&#34;</span><span class="nv">$CA_CRT</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -out <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DOMAIN</span><span class="si">}</span><span class="s2">.crt&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -CAkey <span class="s2">&#34;</span><span class="nv">$CA_KEY</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -CAcreateserial <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -passin <span class="s2">&#34;pass:</span><span class="nv">$CA_PASSWORD</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -extensions req_ext -extfile extfile.txt <span class="c1"># csr + rootCA.crt = crt </span> </span></span><span class="line"><span class="cl">rm -f <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DOMAIN</span><span class="si">}</span><span class="s2">.csr&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1"># convert DER -&gt; PEM</span> </span></span><span class="line"><span class="cl">openssl x509 -inform PEM -outform DER -in <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DOMAIN</span><span class="si">}</span><span class="s2">.crt&#34;</span> -out <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DOMAIN</span><span class="si">}</span><span class="s2">.der.crt&#34;</span> <span class="c1"># convert</span> </span></span><span class="line"><span class="cl"><span class="c1"># convert PEM -&gt; pkcs12</span> </span></span><span class="line"><span class="cl">openssl pkcs12 -export <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -inkey <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DOMAIN</span><span class="si">}</span><span class="s2">.key&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -in <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DOMAIN</span><span class="si">}</span><span class="s2">.crt&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -out <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DOMAIN</span><span class="si">}</span><span class="s2">.pfx&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -password <span class="s2">&#34;pass:</span><span class="nv">$JKS_PASSWORD</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -name <span class="s2">&#34;</span><span class="nv">$DOMAIN</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1"># create fullchain</span> </span></span><span class="line"><span class="cl">cat <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DOMAIN</span><span class="si">}</span><span class="s2">.crt&#34;</span> <span class="s2">&#34;</span><span class="nv">$CA_CRT</span><span class="s2">&#34;</span> &gt; <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DOMAIN</span><span class="si">}</span><span class="s2">.full&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1"># verify</span> </span></span><span class="line"><span class="cl">openssl verify -CAfile <span class="s2">&#34;</span><span class="nv">$CA_CRT</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="si">${</span><span class="nv">DOMAIN</span><span class="si">}</span><span class="s2">.crt&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1"># info</span> </span></span><span class="line"><span class="cl">log_info <span class="s2">&#34;Generated </span><span class="nv">$DOMAIN</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl">rm -f extfile.txt </span></span></code></pre></td></tr></table> </div> </div>