Docker how to run process as different user from vm

|

Problem statement:

When you run docker container, lots of enterprise organization do not allow you to run container as root or as sudo because it compromises the container file system access and for some other various reason.

I run into same situation while that I wanted to run the process as a user but my virtual machine instance username doesn’t match with container’s username’s UID.

e.g. 

$ id
uid=1000(circleci) gid=1000(circleci) groups=1000(circleci),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),117(netdev),118(lxd),997(docker)
$ docker run -it --rm cimg/node:$CIRCLECI_NODE_TAG id
uid=3031(circleci) gid=3031(circleci) groups=3031(circleci),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),117(netdev),118(lxd),997(docker)

so when you mount the file and run as circleci user it would fail.

Resolution:

If you want to run this as same uid as what it has on VM

Python Handy notes

|
print(“Hello, World!”)
x = 5
y = “John”
print(x)
print(y)
x = int(1) # x will be 1
x = float(1) # x will be 1.0
a = ” Hello, World! “
print(a.strip())
print(a[1])
print(a.split(“,”))
print(a.replace(“a”,”b”))
thislist = [“apple”, “banana”, “cherry”]
print(thislist)
print(thislist[1])
thislist.append(“orange”)
thislist.insert(1, “orange”)
thislist.remove(“banana”)
thislist.pop()
del thislist[0]
thislist.clear()
mylist = thislist.copy()
thistuple = (“apple”, “banana”, “cherry”)
print(thistuple)
if “apple” in thistuple:
print(“Yes, ‘apple’ is in the fruits tuple”)
thisset = {“apple”, “banana”, “cherry”}
thisset.add(“orange”)
print(thisset)
thisset.update([“orange”, “mango”, “grapes”])
print(thisset)
thisset.discard(“banana”)
thisdict = {
“brand”: “Ford”,
“model”: “Mustang”,
“year”: 1964
}
print(thisdict)
x = thisdict[“model”]
thisdict[“year”] = 2018
for x in thisdict:
print(x)
for x in thisdict:
print(dict[x])
for x in thisdict.values():
print(x)
for x, y in thisdict.items():
print(x, y)
if “model” in thisdict:
print(“Yes, ‘model’ is one of the keys in the thisdict dictionary”)
thisdict.pop(“model”)
if b > a:
print(“b is greater than a”)
elif a == b:
print(“a and b are equal”)
else:
print(“a is greater than b”)
i = 1
while i < 6:
print(i)
i += 1
for x in range(2, 6):
print(x)
for x in range(2, 30, 3):
print(x)
def my_function():
print(“Hello from a function”)
try:
print(x)
except:
print(“An exception occurred”)
try:
print(x)
except NameError:
print(“Variable x is not defined”)
except:
print(“Something else went wrong”)
f = open(“demofile.txt”)
f = open(“demofile.txt”, “r”)
print(f.read())
print(f.readline())
f.close()
f = open(“demofile2.txt”, “a”)
f.write(“Now the file has more content!”)
f.close()
f = open(“myfile.txt”, “w”) // create new if it doesnt exist
f = open(“myfile.txt”, “x”) //create new
import os
os.remove(“demofile.txt”)

print(“Hello, World!”)

x = 5
y = “John”
print(x)
print(y)

x = int(1) # x will be 1

x = float(1) # x will be 1.0

a = ” Hello, World! “
print(a.strip())

print(a[1])

print(a.split(“,”))

print(a.replace(“a”,”b”))

thislist = [“apple”, “banana”, “cherry”]
print(thislist)
print(thislist[1])

thislist.append(“orange”)

thislist.insert(1, “orange”)

thislist.remove(“banana”)

thislist.pop()

del thislist[0]

thislist.clear()

mylist = thislist.copy()

thistuple = (“apple”, “banana”, “cherry”)
print(thistuple)

if “apple” in thistuple:
print(“Yes, ‘apple’ is in the fruits tuple”)

thisset = {“apple”, “banana”, “cherry”}

thisset.add(“orange”)

print(thisset)

thisset.update([“orange”, “mango”, “grapes”])

print(thisset)

thisset.discard(“banana”)

thisdict = {
“brand”: “Ford”,
“model”: “Mustang”,
“year”: 1964
}
print(thisdict)

x = thisdict[“model”]

thisdict[“year”] = 2018

for x in thisdict:
print(x)

for x in thisdict:
print(dict[x])

for x in thisdict.values():
print(x)

for x, y in thisdict.items():
print(x, y)

if “model” in thisdict:
print(“Yes, ‘model’ is one of the keys in the thisdict dictionary”)

thisdict.pop(“model”)

if b > a:
print(“b is greater than a”)

elif a == b:
print(“a and b are equal”)

else:
print(“a is greater than b”)

i = 1
while i < 6:
print(i)
i += 1

for x in range(2, 6):
print(x)

for x in range(2, 30, 3):
print(x)

def my_function():
print(“Hello from a function”)

try:
print(x)
except:
print(“An exception occurred”)

try:
print(x)
except NameError:
print(“Variable x is not defined”)
except:
print(“Something else went wrong”)

f = open(“demofile.txt”)

f = open(“demofile.txt”, “r”)
print(f.read())

print(f.readline())

f.close()

f = open(“demofile2.txt”, “a”)
f.write(“Now the file has more content!”)
f.close()

f = open(“myfile.txt”, “w”) // create new if it doesnt exist

f = open(“myfile.txt”, “x”) //create new

import os
os.remove(“demofile.txt”)

Kubernetes container how to debug

|

Most of the time the container that you are running is very slim and has tight security due to which you can’t troubleshoot the process easily.

q.g. youcant run kubectl exec to troubleshoot.

You can use
kubectl debug to create a copy f the Pod with Configuration values changed for debugging purpose

Here is how you can do that
1. Copy the pod while adding a new cotainer and share the process of the existing container in new container.
kubectl get pod my-pod -n nameSpace

so your command would be to create a copy of my-app named my-app-debug that adds a new Ubuntu container for debugging

kubectl debug my-app -it –image=ubuntu –share-process –copy-to=my-app-debug


Flags and values:

The -i flag causes kubectl debug to attach to the new container by default. You can prevent this by specifying –attach=false. If your session becomes disconnected you can reattach using kubectl attach.

The –share-processes allows the containers in this Pod to see processes from the other containers in the Pod.

kubectl debug automatically generates a container name if you don’t choose one using the –container flag.

SSL Error : LibreSSL SSL_connect: SSL_ERROR_SYSCALL or openssl s_client write:errno=54

| 
   Trying 1.1.1.1....
* TCP_NODELAY set
* Connected to example.com (1.1.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
openssl s_client -connect example.com:443 -msg 
CONNECTED(00000006)
>>> TLS 1.2 Handshake [length 00bf], ClientHello
*
*
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated

If you are trying to connect to the site and its throwing above error then

Its MOST probably an issue with your SSL certificates private key. Sometime the way Private keys are placed on the your proxy/web/server end gets corrupted while copy pasting and its not able to send the response as “Server hello” As you can see above.

Double check with Private key if its base64 decode format to make sure the keys are matching correctly.

Also sometime the keys format are in following format. 

-----BEGIN PRIVATE KEY-----
MIIEv******************************************EQ
*
*
-----END PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-XXXX-CBC,11111111

mJiISQA***************************KJUH/ijPU
*
*
-----END RSA PRIVATE KEY-----⏎

If you see above the 1st key do not have RSA string in it.

The 2nd key have some other strings in first 2 lines before it started encoded string.

This creates issue on SSL cert at server side while responding to the request. Depending on what kind of server you are running you should convert your .pem/.pfx file in correct private key format. 


-----BEGIN RSA PRIVATE KEY-----
***
-----END RSA PRIVATE KEY-----⏎

To FIX this: You need to get your private key in correct format by using following command.

# RSA private key 

openssl pkcs12 -in myfile.pfx -nocerts -nodes | openssl rsa -out privkey.pem

Some other handy command. 

openssl x509 -text -noout -in /tmp/cert.kn
#if your .pfx/.pem file is password protected.
echo "YOUR_PASSWORD" > passfile

# Public Key
openssl pkcs12 -in myfile.pfx -nokeys -out certificate.pem -passin file:passfile
# RSA private key
openssl pkcs12 -in myfile.pfx  -nocerts -nodes | openssl rsa -out privkey.pem
# Private key
openssl pkcs12 -in myfile.pfx -nocerts -out private-key.pem -nodes

## if you want to use on AWS Certificate Manager.
openssl pkcs12 -in $pfx_cert -nocerts -nodes -passin file:passfile | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > $certs_dir/server.key
openssl pkcs12 -in $pfx_cert -clcerts -nokeys -passin file:passfile -out $certs_dir/cert.pem
openssl pkcs12 -in $pfx_cert -cacerts -nokeys -passin file:passfile -out $certs_dir/chain.pem

Hope this is helpful!

Terraform plan and apply from plan out file

| 


terraform init -input=false -backend=true -backend-config="bucket=${WHATEVER_S3_BUCKET}" -backend-config="key=state/terraform.tfstate" -backend-config="region=us-east-1" -backend-config="profile=${WHATEVER_PROFILE}"


terraform plan -var-file=tfvars/${ENV}.tfvars -out tf.out


terraform apply "tf.out" #  -auto-approve

How to renew your GPG key

|

gpg –list-keys
this gives you a list of all the keys on your computer. you need this to find the keyname that you are trying to update.
## name_of_the_key=`gpg –list-keys |grep -i Jayesh |grep -i uid |awk ‘{print $4}’`
gpg –edit-key [name_of_the_key]
command> list
lists the available subkeys
command> key [subkey]
choose the number of the subkey you want to edit; e.g. key 1
command> expire
expire lets you set a new expiration date for the subkey.
command> save

How to create custom service account login for EKS kubernetes access kubeconfig

|

Sometime for some automation to apply kubectl you may need a service account based login for running kubectl command. In order to do that you will need the required access for it and relevant ~/kube/config file.

Here is how you can generate one. This is an example for AWS EKS cluster.

wget https://github.com/jayeshmahajan/k8s-utility/blob/master/serviceaccount.sh

#!/bin/bash
#
# run in context of account
# ex. dev
# ./deployer.sh ClusterName CustomUser My_Env
_clustername=$1
_username_=$2
_env_=$3
export ROLE="cluster-admin"
export NS="kube-system"
echo "create service account ${_username_} for env ${_env_}"
kubectl create sa $_username_ -n $NS
echo "Bind SA ${_username_} with ClusterRole ${ROLE} for environment ${_env_}"
kubectl create clusterrolebinding $_username_ \
 --serviceaccount=$NS:$_username_ \
 --clusterrole=${ROLE} 
SECRET_NAME=$(kubectl get sa $_username_ -n $NS -o json | jq -r .secrets[0].name)
TOKEN=$(kubectl get secrets $SECRET_NAME -n $NS -o json | jq -r .data.token | base64 -D)
CA=$(kubectl get secrets $SECRET_NAME -n $NS -o json | jq -r '.data | .["ca.crt"]')
SERVER=$(aws eks describe-cluster --name $_clustername | jq -r .cluster.endpoint)
cat <<-EOF > $_username_-$_env_.yaml
apiVersion: v1
kind: Config
users:
- name: $_username_
  user:
    token: $TOKEN
clusters:
- cluster:
    certificate-authority-data: $CA
    server: $SERVER
  name: $_username_
contexts:
- context:
    cluster: $_username_
    user: $_username_
  name: $_username_
current-context: $_username_
EOF
echo "Created kubeconfig $_username_-$_env_.yaml"

sh +x serviceaccount.sh ClusterName ServiceAccount Environment

kubectl get nodes –kubeconfig ServiceAccount_Environment.yaml # replace yaml file with the one thats generate as part of output.

CKA certification cluster troubleshooting questions

| 
1. Very important things to remember. 

The string here and the path are very important. 
Always check the logs of kublet service. 

If the api server connection timeout then make sure that you are not missing anything in firewall. 
Make sure to check the logs to see the process is not complaining about it. Make sure path provides for all the configuration in config.yaml is correct and there is no syntax error. The logs will print details if there is any syntax error. 

[root@master ~]# cat /var/lib/kubelet/config.yaml | grep static
staticPodPath: /etc/kubernetes/manifests

2. POD and service DNS is not resolving in kubernetes.

Make sure that the busybox that you are trying to resolve it from is correct version. It should be following as per kubernetes doc.

kubectl apply -f https://k8s.io/examples/admin/dns/busybox.yaml

I was running older version of busybox that made pod DNS not working.

Pod DNS is:

10-3-3-3.<your_namespace>.pod.cluster.local

Service DNS is:

servicename.s<your_namespace>.svc.cluster.local