Friday, April 28, 2023

AWS-Certified-Solutions Architect Krishna Murthy Karra

Thursday, April 7, 2022

Thursday, February 24, 2022

Playing with OCP 4.9

Thursday 24 February 2022 16:46:16 +0000 (0:00:20.765) 0:05:44.496 *****

===============================================================================

openshift_node : Install openshift packages ----------------------------------------------------------------- 242.41s

openshift_node : Reboot the host and wait for it to come back ------------------------------------------------ 34.46s

openshift_node : Wait for node to report ready --------------------------------------------------------------- 20.77s

openshift_node : Approve node CSRs ---------------------------------------------------------------------------- 6.79s

openshift_node : Pull release image --------------------------------------------------------------------------- 6.63s

openshift_node : Get available cri-o RPM versions ------------------------------------------------------------- 4.68s

openshift_node : Pull MCD image ------------------------------------------------------------------------------- 3.39s

openshift_node : Get machine controller daemon image from release image --------------------------------------- 3.18s

openshift_node : Apply ignition manifest ---------------------------------------------------------------------- 2.49s

openshift_node : Fetch bootstrap ignition file locally -------------------------------------------------------- 2.10s

openshift_node : Setting sebool container_use_cephfs ---------------------------------------------------------- 1.73s

openshift_node : Setting sebool container_manage_cgroup ------------------------------------------------------- 1.64s

openshift_node : Setting sebool virt_use_samba ---------------------------------------------------------------- 1.54s

Gathering Facts ----------------------------------------------------------------------------------------------- 1.43s

openshift_node : Write /etc/containers/registries.conf -------------------------------------------------------- 1.25s

openshift_node : Enable the CRI-O service --------------------------------------------------------------------- 0.75s

openshift_node : Restart the CRI-O service -------------------------------------------------------------------- 0.64s

openshift_node : Check for cluster no proxy ------------------------------------------------------------------- 0.62s

openshift_node : Check for cluster http proxy ----------------------------------------------------------------- 0.62s

openshift_node : Check for cluster https proxy ---------------------------------------------------------------- 0.61s

(venv) [krishna@bastion openshift-ansible]$

(venv) [krishna@bastion openshift-ansible]$ oc get nodes

NAME STATUS ROLES AGE VERSION

ip-10-0-185-24.us-east-2.compute.internal Ready master,worker 5h55m v1.22.3+fdba464

ip-10-0-30-244.us-east-2.compute.internal Ready worker 3m31s v1.22.0-rc.0+a44d0f0

(venv) [krishna@bastion openshift-ansible]$ export RHEL_NODE=$(oc get nodes -l node.openshift.io/os_id=rhel -o jsonpath="{.items[0].metadata.name}")

(venv) [krishna@bastion openshift-ansible]$ echo "export RHEL_NODE=${RHEL_NODE}" >> ~/.bashrc

(venv) [krishna@bastion openshift-ansible]$ echo $RHEL_NODE

ip-10-0-30-244.us-east-2.compute.internal

(venv) [krishna@bastion openshift-ansible]$ ^C

(venv) [krishna@bastion openshift-ansible]$ history

1 sudo -i

2 id

3 ssh $(cat $HOME/RHEL_workers.txt) sudo yum repolist

4 pwd

5 ll

6 INV_FILE=$HOME/openshift-ansible/inventory/hosts

7 cat << EOF > $INV_FILE

[all:vars]

# SSH user, this user should allow ssh based auth without requiring a

# password. If using ssh key based auth, then the key should be managed by an

# ssh agent.

ansible_user=ec2-user

# If ansible_user is not root, ansible_become must be set to true and the

# user must be configured for passwordless sudo

ansible_become=True

###############################################################################

# Required configuration variables #

###############################################################################

openshift_kubeconfig_path="~/.kube/config"

# For running RHEL worker upgrades

[new_workers]

$(<$HOME/RHEL_workers.txt)

EOF

8 cd $HOME/openshift-ansible/

9 virtualenv venv

10 source venv/bin/activate

11 pip install -r requirements.txt

12 which ansible

13 oc login -u admin -p 0o3nYjrL6EZ9vICa

14 ansible-playbook -v -i inventory/hosts playbooks/scaleup.yml

15 oc get nodes

16 export RHEL_NODE=$(oc get nodes -l node.openshift.io/os_id=rhel -o jsonpath="{.items[0].metadata.name}")

17 echo "export RHEL_NODE=${RHEL_NODE}" >> ~/.bashrc

18 echo $RHEL_NODE

19 history

(venv) [krishna@bastion openshift-ansible]$ oc new-project needs-rhel

Now using project "needs-rhel" on server "https://api.cluster-r7h7v.r7h7v.sandbox212.krishna.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname

(venv) [krishna@bastion openshift-ansible]$ oc annotate namespace needs-rhel openshift.io/node-selector="node.openshift.io/os_id=rhel"

namespace/needs-rhel annotated

(venv) [krishna@bastion openshift-ansible]$ kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname

deployment.apps/hello-node created

(venv) [krishna@bastion openshift-ansible]$ oc get pods -n needs-rhel --field-selector=spec.host=$RHEL_NODE -o wide

NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES

hello-node-5dd7685477-vqtkc 1/1 Running 0 16s 10.129.0.6 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

(venv) [krishna@bastion openshift-ansible]$ cat playbooks/scaleup.yml

---

- name: Pre-scaleup checks

hosts: localhost

connection: local

gather_facts: no

tasks:

- import_role:

name: openshift_node

tasks_from: scaleup_checks.yml

- name: install nodes

hosts: new_workers

roles:

- openshift_node

(venv) [krishna@bastion openshift-ansible]$ oc get pods -A --field-selector=spec.host=$RHEL_NODE -o wide

NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES

needs-rhel hello-node-5dd7685477-vqtkc 1/1 Running 0 68s 10.129.0.6 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

openshift-cluster-csi-drivers aws-ebs-csi-driver-node-dngbh 3/3 Running 0 7m19s 10.0.30.244 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

openshift-cluster-node-tuning-operator tuned-pgqhv 1/1 Running 0 7m19s 10.0.30.244 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

openshift-dns dns-default-5j5tq 2/2 Running 0 6m59s 10.129.0.4 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

openshift-dns node-resolver-7pb22 1/1 Running 0 7m19s 10.0.30.244 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

openshift-image-registry node-ca-hjv9n 1/1 Running 0 7m19s 10.0.30.244 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

openshift-ingress-canary ingress-canary-jrbrr 1/1 Running 0 6m59s 10.129.0.5 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

openshift-machine-config-operator machine-config-daemon-4sglx 2/2 Running 0 7m19s 10.0.30.244 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

openshift-monitoring node-exporter-6ktb5 2/2 Running 0 7m19s 10.0.30.244 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

openshift-multus multus-additional-cni-plugins-r4zv9 1/1 Running 0 7m19s 10.0.30.244 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

openshift-multus multus-gw2p2 1/1 Running 0 7m19s 10.0.30.244 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

openshift-multus network-metrics-daemon-snzvp 2/2 Running 0 7m19s 10.129.0.3 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

openshift-network-diagnostics network-check-target-qk8bh 1/1 Running 0 7m19s 10.129.0.2 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

openshift-sdn sdn-6lxjr 2/2 Running 0 7m19s 10.0.30.244 ip-10-0-30-244.us-east-2.compute.internal <none> <none>

(venv) [krishna@bastion openshift-ansible]$

Issue:-

oc login -u kubeadmin -p blah

error: x509: certificate is not valid for any names, but wanted to match oauth-openshift.apps.cluster-psk

Sol:- now we have to troubleshoot

1) To explore this environment, export KUBECONFIG using the configuration created by the installer:

export KUBECONFIG=~/.kube/config

2) Check to see whether the default ingresscontroller has a defaultCertificate configured. Pay special attention to what is defined for spec: (if that value is present):

oc get -n openshift-ingress-operator ingresscontroller/default -o json

"spec": {

"defaultCertificate": {

"name": "cee-cf-110"

}

or run cmd to get directly

oc get -n openshift-ingress-operator ingresscontroller/default -o jsonpath='{.spec.defaultCertificate.name}'

cee-cf-110

3) If the spec value is not present, you might want to check what certificate is being used. To do this, you would use oc describe as shown here. Run this command and compare your output to what's shown here:

oc describe -n openshift-ingress-operator ingresscontroller/default

Events:

Type Reason Age From Message

---- ------ ---- ---- -------

Normal Admitted 57m (x2 over 5h49m) ingress_controller ingresscontroller passed validation

Normal DeletedDefaultCertificate 57m certificate_controller Deleted default wildcard certificate "router-certs-default"

Normal Admitted 11m ingress_controller ingresscontroller passed validation

Normal CreatedDefaultCertificate 11m certificate_controller Created default wildcard certificate "router-certs-default"

Normal DeletedDefaultCertificate 10m certificate_controller Deleted default wildcard certificate "router-certs-default"

Normal Admitted 10m ingress_controller ingresscontroller passed validation

[root@bastion ~]# oc describe -n openshift-ingress-operator ingresscontroller/default

Certificates in RHOCP 4 are stored as secrets. Once you know the name of the certificate, you can use oc describe secret as shown here to get additional details. Your key focus will be the Data section of that output. Run this command and compare your output to what's shown here:

oc describe secret router-certs-default -n openshift-ingress

Name: router-certs-default

Namespace: openshift-ingress

Labels: <none>

Annotations: <none>

Type: kubernetes.io/tls

Data

====

tls.crt: 2404 bytes

tls.key: 1675 bytes

Notice how the secret is stored in openshift-ingress, but the ingress controller is in the openshift-ingress-operator namespace.

Friday, September 27, 2019

teraform - webservers

#!/bin/bash

yum install httpd -y
echo "

Deployed by terraform!!!

" > /var/www/html/index.html
service httpd start
chkconfig httpd on

teraform - ec2 instances

# Provision 2 ec2 instances

resource "aws_instance" "my-instance" {
ami = "${lookup(var.region_ami, var.aws_region)}"
instance_type = "t2.micro"
count = 3
vpc_security_group_ids = ["${aws_security_group.webservers_sg.id}"]
subnet_id = "${element(aws_subnet.subnets.*.id,count.index)}"
user_data = "${file("webserver.sh")}"
associate_public_ip_address = true

tags {
Name = "ByTerraform"
Department = "Training"
}
}

terraform - vpc subnet

# Define VPC
resource "aws_vpc" "myvpc" {
cidr_block = "${var.vpc_cidr}"

tags {
Name = "myvpc"
}
}

# Define subnet

resource "aws_subnet" "subnets" {
count = "${length(var.subnets_cidr)}"
availability_zone = "${element(data.aws_availability_zones.azs.names,count.index)}"
cidr_block = "${element(var.subnets_cidr,count.index)}"
vpc_id = "${aws_vpc.myvpc.id}"

tags {
Name = "Subnet-${count.index + 1}"
}
}

# Create and attach Internet Gateway

resource "aws_internet_gateway" "igw" {
vpc_id = "${aws_vpc.myvpc.id}"

tags {
Name = "myvpc-igw"
}
}

# Custom route table for public subnets
resource "aws_route_table" "public_rt" {
vpc_id = "${aws_vpc.myvpc.id}"

route {
cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.igw.id}"
}

tags {
Name = "main"
}
}

# associate public route table for all public subnets

resource "aws_route_table_association" "a" {
# We have to fixit later
#count = "${length(aws_subnet.subnets.*.id)}"
subnet_id = "${element(aws_subnet.subnets.*.id,count.index)}"
route_table_id = "${aws_route_table.public_rt.id}"
}

teraform- variables

variable "aws_region" {
default = "ap-south-1"
}

# CIDR block for VPC
variable "vpc_cidr" {
default = "10.20.0.0/16"
}

# CIDR block for Subnet
variable "subnets_cidr" {
type = "list"
default = ["10.20.1.0/24", "10.20.2.0/24"]
}

# Region and AMI mapping variable
variable "region_ami" {
type = "map"

default = {
ap-south-1 = "ami-531a4c3c"
us-west-2 = "ami-f2d3638a"
}
}

terraform -secutiry groups

resource "aws_security_group" "webservers_sg" {
name = "webservers_sg"
description = "Allow http and ssh traffic"
vpc_id = "${aws_vpc.myvpc.id}"

ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}

ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}

egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}

Terraform - elb.tf

# Create a new load balancer
resource "aws_elb" "javahome_elb" {
name = "javahome-elb"

subnets = ["${aws_subnet.subnets.*.id}"]

listener {
instance_port = 80
instance_protocol = "http"
lb_port = 80
lb_protocol = "http"
}

health_check {
healthy_threshold = 2
unhealthy_threshold = 2
timeout = 3
target = "HTTP:80/index.html"
interval = 10
}

instances = ["${aws_instance.my-instance.*.id}"]
cross_zone_load_balancing = true
idle_timeout = 400
connection_draining = true
connection_draining_timeout = 400
security_groups = ["${aws_security_group.webservers_sg.id}"]

tags {
Name = "javahome-terraform-elb"
}
}

ansible playbook for instaling web server

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.07.24 23:56:35 =~=~=~=~=~=~=~=~=~=~=~=
hostname
xxxx.7dd7.example.xxxx.com
[devops@xxxx 0 ~/ansible_implementation]$ export GUID=`hostname | awk -F"." '{print $2}'`
[devops@xxxx 0 ~/ansible_implementation]$ cat << EOF > webserver_smoketest.yml
> - name: Verify the Apache service
> hosts: localhost
> tasks:
> - name: Ensure the webserver is reachable
> uri:
> url: http://xxxx1.${GUID}.internal
> status_code: 200
> EOF
[devops@xxxx 0 ~/ansible_implementation]$ ll
total 20
-rw-rw-r--. 1 devops devops 91 Jul 24 17:49 ansible.cfg
drwxrwxr-x. 4 devops devops 4096 Jul 24 18:09 ansible_implementation_grading/
-rw-rw-r--. 1 devops devops 106 Jul 24 17:50 hosts
-rw-rw-r--. 1 devops devops 1038 Jul 24 18:13 variable_test.yml
-rw-rw-r--. 1 devops devops 183 Jul 24 18:27 webserver_smoketest.yml
[devops@xxxx 0 ~/ansible_implementation]$ ansible-playbook variable_test.yml
[WARNING]: Could not match supplied host pattern, ignoring: webservers

PLAY [Install Apache and start the service] ****************************************************************************************************************************
skipping: no hosts matched

PLAY RECAP *************************************************************************************************************************************************************

[devops@xxxx 0 ~/ansible_implementation]$ cat hosts
frontend1.7dd7.internal
xxxxdb1.7dd7.internal
xxxx1.7dd7.internal
support1.7dd7.internal
xxxx2.7dd7.internal
[devops@xxxx 0 ~/ansible_implementation]$ cat variable_test.yml
- name: Install Apache and start the service
hosts: webservers
become: yes
vars:
web_pkg: httpd
firewall_pkg: firewalld
web_service: httpd
firewall_service: firewalld
python_pkg: python-httplib2
rule: http
tasks:
- name: Install the required packages
yum:
name:
- "{{ web_pkg }}"
- "{{ firewall_pkg }}"
- "{{ python_pkg }}"
state: latest
- name: Start and enable the {{ firewall_service }} service
service:
name: "{{ firewall_service }}"
enabled: true
state: started

- name: Start and enable the {{ web_service }} service
service:
name: "{{ web_service }}"
enabled: true
state: started
- name: Create web content to be served
copy:
content: "Example web content"
dest: /var/www/html/index.html
- name: Open the port for {{ rule }}
firewalld:
service: "{{ rule }}"
permanent: true
immediate: true
state: enabled

[devops@xxxx 0 ~/ansible_implementation]$ ll
total 20
-rw-rw-r--. 1 devops devops 91 Jul 24 17:49 ansible.cfg
drwxrwxr-x. 4 devops devops 4096 Jul 24 18:09 ansible_implementation_grading/
-rw-rw-r--. 1 devops devops 106 Jul 24 17:50 hosts
-rw-rw-r--. 1 devops devops 1038 Jul 24 18:13 variable_test.yml
-rw-rw-r--. 1 devops devops 183 Jul 24 18:27 webserver_smoketest.yml
[devops@xxxx 0 ~/ansible_implementation]$ more ansible.cfg
[defaults]
inventory = /home/devops/ansible_implementation/hosts
host_key_checking = False
[devops@xxxx 0 ~/ansible_implementation]$ cat
^C
[devops@xxxx 130 ~/ansible_implementation]$ cat /home/devops/ansible_implementation/hosts
frontend1.7dd7.internal
xxxxdb1.7dd7.internal
xxxx1.7dd7.internal
support1.7dd7.internal
xxxx2.7dd7.internal
[devops@xxxx 0 ~/ansible_implementation]$ cat /home/devops/ansible_implementation/hostsmore ansible.cfgllcat variable_test.yml hostsansible-playbook variable_test.yml
[WARNING]: Could not match supplied host pattern, ignoring: webservers

PLAY [Install Apache and start the service] ****************************************************************************************************************************
skipping: no hosts matched

PLAY RECAP *************************************************************************************************************************************************************

[devops@xxxx 0 ~/ansible_implementation]$ cat hosts
frontend1.7dd7.internal
xxxxdb1.7dd7.internal
xxxx1.7dd7.internal
support1.7dd7.internal
xxxx2.7dd7.internal
[devops@xxxx 0 ~/ansible_implementation]$ vi hosts
"hosts" 5L, 106Cfrontend1.7dd7.internal
xxxxdb1.7dd7.internal
xxxx1.7dd7.internal
support1.7dd7.internal
xxxx2.7dd7.internal
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 1,1All-- INSERT --2,1Top2,1All11,1All-- INSERT --1,1Allfrontend1.7dd7.internal2,1All1[1,2Allw3e4b5s6e7r8v9e10r10r1s2
[]1,13All1,12All:wq!
"hosts" 7L, 120C written

[devops@xxxx 0 ~/ansible_implementation]$ vi hostscat hosts ansible-playbook variable_test.yml

PLAY [Install Apache and start the service] ****************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************
ok: [xxxx1.7dd7.internal]
ok: [xxxxdb1.7dd7.internal]
ok: [support1.7dd7.internal]
ok: [frontend1.7dd7.internal]
ok: [xxxx2.7dd7.internal]

TASK [Install the required packages] ***********************************************************************************************************************************
changed: [xxxx2.7dd7.internal]
changed: [support1.7dd7.internal]
changed: [xxxxdb1.7dd7.internal]
changed: [frontend1.7dd7.internal]
changed: [xxxx1.7dd7.internal]

TASK [Start and enable the firewalld service] **************************************************************************************************************************
changed: [support1.7dd7.internal]
changed: [xxxx1.7dd7.internal]
changed: [frontend1.7dd7.internal]
changed: [xxxx2.7dd7.internal]
changed: [xxxxdb1.7dd7.internal]

TASK [Start and enable the httpd service] ******************************************************************************************************************************
changed: [xxxx1.7dd7.internal]
changed: [xxxxdb1.7dd7.internal]
changed: [support1.7dd7.internal]
changed: [frontend1.7dd7.internal]
changed: [xxxx2.7dd7.internal]

TASK [Create web content to be served] *********************************************************************************************************************************
changed: [xxxx1.7dd7.internal]
changed: [support1.7dd7.internal]
changed: [xxxx2.7dd7.internal]
changed: [frontend1.7dd7.internal]
changed: [xxxxdb1.7dd7.internal]

TASK [Open the port for http] ******************************************************************************************************************************************
changed: [xxxx2.7dd7.internal]
changed: [frontend1.7dd7.internal]
changed: [xxxxdb1.7dd7.internal]
changed: [xxxx1.7dd7.internal]
changed: [support1.7dd7.internal]

PLAY RECAP *************************************************************************************************************************************************************
xxxx1.7dd7.internal : ok=6 changed=5 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
xxxx2.7dd7.internal : ok=6 changed=5 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
xxxxdb1.7dd7.internal : ok=6 changed=5 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
frontend1.7dd7.internal : ok=6 changed=5 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
support1.7dd7.internal : ok=6 changed=5 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

[devops@xxxx 0 ~/ansible_implementation]$

Deploy docker container using kubectl

$ kubectl create -f deployment.yaml
Error from server (AlreadyExists): error when creating "deployment.yaml": deployments.extensions "webapp1" already exists
$ kubectl get deployment
NAME READY UP-TO-DATE AVAILABLE AGE
webapp1 1/1 1 1 37s
$ kubectl describe deployment webapp1
Name: webapp1
Namespace: default
CreationTimestamp: Sun, 28 Jul 2019 05:44:54 +0000
Labels: app=webapp1
Annotations: deployment.kubernetes.io/revision: 1
Selector: app=webapp1
Replicas: 1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType: RollingUpdate
MinReadySeconds: 0
RollingUpdateStrategy: 1 max unavailable, 1 max surge
Pod Template:
Labels: app=webapp1
Containers:
webapp1:
Image: katacoda/docker-http-server:latest
Port: 80/TCP
Host Port: 0/TCP
Environment:
Mounts:
Volumes:
Conditions:
Type Status Reason
---- ------ ------
Available True MinimumReplicasAvailable
OldReplicaSets:
NewReplicaSet: webapp1-5f4c9c89 (1/1 replicas created)
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal ScalingReplicaSet 44s deployment-controller Scaled up replica set webapp1-5f4c9c89 to 1
$ kubectl create -f service.yaml
service/webapp1-svc created
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1    443/TCP 2m21s
webapp1-svc NodePort 10.109.11.197    80:30080/TCP 5s
$ kubectl describe svc webapp1-svc
Name: webapp1-svc
Namespace: default
Labels: app=webapp1
Annotations:
Selector: app=webapp1
Type: NodePort
IP: 10.109.11.197
Port:    80/TCP
TargetPort: 80/TCP
NodePort:    30080/TCP
Endpoints: 172.18.0.4:80
Session Affinity: None
External Traffic Policy: Cluster
Events:
$ curl host01:30080

This request was processed by host: webapp1-5f4c9c89-kglpw

$ kubectl apply -f deployment.yaml
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
deployment.extensions/webapp1 configured
$ kubectl get deployment
NAME READY UP-TO-DATE AVAILABLE AGE
webapp1 1/1 1 1 73s
$ kubectl get pods
NAME READY STATUS RESTARTS AGE

Deploy Guestbook example on Kubernetes

Deploy Guestbook example on Kubernetes

master $ mkdir -p /root/tutorial; cd /root/tutorial; launch.sh
Waiting for Kubernetes to start...
Kubernetes started
master $ launch.sh
Waiting for Kubernetes to start...
Kubernetes started
master $ kubectl cluster-info
Kubernetes master is running at https://172.17.0.63:6443
KubeDNS is running at https://172.17.0.63:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
master $ kubectl get nodes
NAME STATUS ROLES AGE VERSION
master Ready master 28m v1.14.0
node01 Ready 28m v1.14.0
master $ kubectl create -f redis-master-controller.yaml
replicationcontroller/redis-master created
master $ kubectl get rc
NAME DESIRED CURRENT READY AGE
redis-master 1 1 1 4s
master $ kubectl get pods
NAME READY STATUS RESTARTS AGE
redis-master-cgwfh 1/1 Running 0 6s
master $ kubectl create -f redis-master-service.yaml
service/redis-master created
master $ kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 443/TCP 29m
redis-master ClusterIP 10.106.81.31    6379/TCP 2s
master $ kubectl describe services redis-master
Name: redis-master
Namespace: default
Labels: name=redis-master
Annotations:
Selector: name=redis-master
Type: ClusterIP
IP: 10.106.81.31
Port: 6379/TCP
TargetPort: 6379/TCP
Endpoints: 10.44.0.1:6379
Session Affinity: None
Events:
master $ kubectl create -f redis-slave-controller.yaml
replicationcontroller/redis-slave created
master $ kubectl create -f redis-slave-controller.yaml
Error from server (AlreadyExists): error when creating "redis-slave-controller.yaml": replicationcontrollers "redis-slave" already exists
master $ kubectl get rc
NAME DESIRED CURRENT READY AGE
redis-master 1 1 1 34s
redis-slave 2 2 2 5s
master $ kubectl create -f frontend-controller.yaml
replicationcontroller/frontend created
master $ kubectl get rc
NAME DESIRED CURRENT READY AGE
frontend 3 3 3 5s
redis-master 1 1 1 47s
redis-slave 2 2 2 18s
master $ kubectl get pods
NAME READY STATUS RESTARTS AGE
frontend-bvltj 1/1 Running 0 6s
frontend-cnwwx 1/1 Running 0 6s
frontend-q76tm 1/1 Running 0 6s
redis-master-cgwfh 1/1 Running 0 48s
redis-slave-rfl5v 1/1 Running 0 19s
redis-slave-zpfh8 1/1 Running 0 19s
master $ kubectl create -f frontend-service.yaml
service/frontend created
master $ kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
frontend NodePort 10.99.77.49 80:30080/TCP 1s
kubernetes ClusterIP 10.96.0.1 443/TCP 30m
redis-master ClusterIP 10.106.81.31    6379/TCP 43s
master $ kubectl get pods
NAME READY STATUS RESTARTS AGE
frontend-bvltj 1/1 Running 0 25s
frontend-cnwwx 1/1 Running 0 25s
frontend-q76tm 1/1 Running 0 25s
redis-master-cgwfh 1/1 Running 0 67s
redis-slave-rfl5v 1/1 Running 0 38s
redis-slave-zpfh8 1/1 Running 0 38s
master $ kubectl describe service frontend | grep NodePort
Type: NodePort
NodePort:    30080/TCP

docker capabalities

[node1] (local) root@192.168.0.13 ~
$ docker run --rm -it alpine chown nobody /
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
050382585609: Pull complete
Digest: sha256:6a92cd1fcdc8d8cdec60f33dda4db2cb1fcdcacf3410a8e05b3741f44a9b5998
Status: Downloaded newer image for alpine:latest
[node1] (local) root@192.168.0.13 ~
$ docker run --rm -it --cap-drop ALL --cap-add CHOWN alpine chown nobody /
[node1] (local) root@192.168.0.13 ~
$ docker run --rm -it --cap-drop CHOWN alpine chown nobody /
chown: /: Operation not permitted
[node1] (local) root@192.168.0.13 ~
$ docker run --rm -it --cap-add chown -u nobody alpine chown nobody /
chown: /: Operation not permitted
[node1] (local) root@192.168.0.13 ~
$ docker run --rm -it alpine sh -c 'apk add -U libcap; capsh --print'
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
(1/1) Installing libcap (2.27-r0)
Executing busybox-1.30.1-r2.trigger
OK: 6 MiB in 15 packages
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Ambient set =
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
[node1] (local) root@192.168.0.13 ~
$ docker run --rm -it alpine sh -c 'apk add -U libcap;capsh --help'
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
(1/1) Installing libcap (2.27-r0)
Executing busybox-1.30.1-r2.trigger
OK: 6 MiB in 15 packages
usage: capsh [args ...]
--help this message (or try 'man capsh')
--print display capability relevant state
--decode=xxx decode a hex string to a list of caps
--supports=xxx exit 1 if capability xxx unsupported
--drop=xxx remove xxx,.. capabilities from bset
--addamb=xxx add xxx,... capabilities to ambient set
--delamb=xxx remove xxx,... capabilities from ambient
--noamb=xxx reset the ambient capabilities
--caps=xxx set caps as per cap_from_text()
--inh=xxx set xxx,.. inheritiable set
--secbits= write a new value for securebits
--keep= set keep-capabability bit to
--uid= set uid to (hint: id )
--gid= set gid to (hint: id )
--groups=g,... set the supplemental groups
--user= set uid,gid and groups to that of user
--chroot=path chroot(2) to this path
--killit= send signal(n) to child
--forkfor= fork and make child sleep for sec
== re-exec(capsh) with args as for --
-- remaing arguments are for /bin/bash
(without -- [capsh] will simply exit(0))
[node1] (local) root@192.168.0.13 ~
$

docker swarm cluster

#
[node1] (local) root@192.168.0.23 ~$
[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$ docker run -dt ubuntu sleep infinity
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
7413c47ba209: Pull complete
0fe7e7cbb2e8: Pull complete
1d425c982345: Pull complete
344da5c95cec: Pull complete
Digest: sha256:c303f19cfe9ee92badbbbd7567bc1ca47789f79303ddcef56f77687d4744cd7a
Status: Downloaded newer image for ubuntu:latest
03fd033d6a89bb78b8a18970985d8bc9b30d5093834a73ffed752a532512042a
[node1] (local) root@192.168.0.23 ~
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
03fd033d6a89 ubuntu "sleep infinity" 5 seconds ago Up 4 seconds magical_dhawan
[node1] (local) root@192.168.0.23 ~
$ docker swarm init --advertise-addr $(hostname -i)
Swarm initialized: current node (1ofs9nrhqk9fncucz7aq4gagr) is now a manager.

To add a worker to this swarm, run the following command:

docker swarm join --token SWMTKN-1-060lwu0x956dwl0gnrpu72knzc2sfpe6n3vts59ure1h80dhc1-a00p2kt4m6kbvslfplw3mqbkw 192.168.0.23:2377

To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$ docker info
Client:
Debug Mode: false

Server:
Containers: 1
Running: 1
Paused: 0
Stopped: 0
Images: 1
Server Version: 19.03.0-beta2
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentriessplunk syslog
Swarm: active
NodeID: 1ofs9nrhqk9fncucz7aq4gagr
Is Manager: true
ClusterID: 3kxjilauu21dfk7m2pyyq2is9
Managers: 1
Nodes: 3
Default Address Pool: 10.0.0.0/8
SubnetSize: 24
Data Path Port: 4789
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot Interval: 10000
Number of Old Snapshots to Retain: 0
Heartbeat Tick: 1
Election Tick: 10
Dispatcher:
Heartbeat Period: 5 seconds
CA Configuration:
Expiry Duration: 3 months
Force Rotate: 0
Autolock Managers: false
Root Rotation In Progress: false
Node Address: 192.168.0.23
Manager Addresses:
192.168.0.23:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
runc version: 029124da7af7360afa781a0234d1b083550f797c
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.0-154-generic
Operating System: Alpine Linux v3.9 (containerized)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 31.4GiB
Name: node1
ID: 97d199c2-b974-4665-bdc6-f39d1d14cdff
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 43
Goroutines: 181
System Time: 2019-07-28T04:38:26.261556065Z
EventsListeners: 0
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
127.0.0.1
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: API is accessible on http://0.0.0.0:2375 without encryption.
Access to the remote API is equivalent to root access on the host. Refer
to the 'Docker daemon attack surface' section in the documentation for
more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface
WARNING: No swap limit support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
[node1] (local) root@192.168.0.23 ~
$ docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
1ofs9nrhqk9fncucz7aq4gagr * node1 Ready Active Leader 19.03.0-beta2
5m6d0kpfhtxlexjqfdgeen36p node2 Ready Active 19.03.0-beta2
i8igt9rtdmpboyy4geyudrzbd node3 Ready Active 19.03.0-beta2
[node1] (local) root@192.168.0.23 ~
$ docker service create --name sleep-app ubuntu sleep infinity
o9opnu7wgdzwtebfayg38tamt
overall progress: 1 out of 1 tasks
1/1: running
verify: Service converged
[node1] (local) root@192.168.0.23 ~
$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
o9opnu7wgdzw sleep-app replicated 1/1 ubuntu:latest
[node1] (local) root@192.168.0.23 ~
$ docker service update --replicas 7 sleep-app
sleep-app
[node1] (local) root@192.168.0.23 ~
$ docker service ps sleep-app
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
ccqjxztpwgp7 sleep-app.1 ubuntu:latest node1 Running Running 16 seconds ago
xhnnk882kanj sleep-app.2 ubuntu:latest node3 Running Preparing 3 seconds ago
s20fyygsfwbp sleep-app.3 ubuntu:latest node2 Running Preparing 3 seconds ago
3j2z7vihzvsq sleep-app.4 ubuntu:latest node3 Running Preparing 3 seconds ago
scscx0e8hjz3 sleep-app.5 ubuntu:latest node3 Running Preparing 3 seconds ago
hsynqxd1yte5 sleep-app.6 ubuntu:latest node1 Running Running 2 seconds ago
dd1lq6ap070t sleep-app.7 ubuntu:latest node2 Running Preparing 3 seconds ago
[node1] (local) root@192.168.0.23 ~
$ docker service ps sleep-app
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
ccqjxztpwgp7 sleep-app.1 ubuntu:latest node1 Running Running 22 seconds ago
xhnnk882kanj sleep-app.2 ubuntu:latest node3 Running Running 2 seconds ago
s20fyygsfwbp sleep-app.3 ubuntu:latest node2 Running Running 2 seconds ago
3j2z7vihzvsq sleep-app.4 ubuntu:latest node3 Running Running 2 seconds ago
scscx0e8hjz3 sleep-app.5 ubuntu:latest node3 Running Running 2 seconds ago
hsynqxd1yte5 sleep-app.6 ubuntu:latest node1 Running Running 8 seconds ago
dd1lq6ap070t sleep-app.7 ubuntu:latest node2 Running Running 3 seconds ago
[node1] (local) root@192.168.0.23 ~
$ docker service ps sleep-app --replicas
unknown flag: --replicas
See 'docker service ps --help'.
[node1] (local) root@192.168.0.23 ~
$ docker service ps --replicas
unknown flag: --replicas
See 'docker service ps --help'.
[node1] (local) root@192.168.0.23 ~
$ docker service ps sleep-app
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
ccqjxztpwgp7 sleep-app.1 ubuntu:latest node1 Running Running about a minute ago
xhnnk882kanj sleep-app.2 ubuntu:latest node3 Running Running about a minute ago
s20fyygsfwbp sleep-app.3 ubuntu:latest node2 Running Running about a minute ago
3j2z7vihzvsq sleep-app.4 ubuntu:latest node3 Running Running about a minute ago
scscx0e8hjz3 sleep-app.5 ubuntu:latest node3 Running Running about a minute ago
hsynqxd1yte5 sleep-app.6 ubuntu:latest node1 Running Running about a minute ago
dd1lq6ap070t sleep-app.7 ubuntu:latest node2 Running Running about a minute ago
[node1] (local) root@192.168.0.23 ~
$ docker service update --replicas 4 sleep-app
sleep-app
overall progress: 4 out of 4 tasks
1/4: running
2/4: running
3/4: running
4/4: running
verify: Service converged
[node1] (local) root@192.168.0.23 ~
$ docker service ps sleep-app
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
ccqjxztpwgp7 sleep-app.1 ubuntu:latest node1 Running Running about a minute ago
xhnnk882kanj sleep-app.2 ubuntu:latest node3 Running Running about a minute ago
s20fyygsfwbp sleep-app.3 ubuntu:latest node2 Running Running about a minute ago
3j2z7vihzvsq sleep-app.4 ubuntu:latest node3 Running Running about a minute ago
[node1] (local) root@192.168.0.23 ~
$ docker node ls
[node1] (local) root@192.168.0.23 ~$ docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
1ofs9nrhqk9fncucz7aq4gagr * node1 Ready Active Leader 19.03.0-beta2
5m6d0kpfhtxlexjqfdgeen36p node2 Ready Active 19.03.0-beta2
i8igt9rtdmpboyy4geyudrzbd node3 Ready Ac
tive 19.03.0-beta2
[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$ date
Sun Jul 28 04:45:47 UTC 2019
[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a94b251c4512 ubuntu:latest "sleep infinity" 7 minutes ago Up 7 minutes sleep-app.1.ccqjxztpwgp71vp1mltrqon9k
03fd033d6a89 ubuntu "sleep infinity" 9 minutes ago Up 9 minutes magical_dhawan
[node1] (local) root@192.168.0.23 ~
$ docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
1ofs9nrhqk9fncucz7aq4gagr * node1 Ready Active Leader 19.03.0-beta2
5m6d0kpfhtxlexjqfdgeen36p node2 Ready Active 19.03.0-beta2
i8igt9rtdmpboyy4geyudrzbd node3 Ready Active 19.03.0-beta2
[node1] (local) root@192.168.0.23 ~
$ docker node update --availability drain ^C
[node1] (local) root@192.168.0.23 ~
$ docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
1ofs9nrhqk9fncucz7aq4gagr * node1 Ready Active Leader 19.03.0-beta2
5m6d0kpfhtxlexjqfdgeen36p node2 Ready Active 19.03.0-beta2
i8igt9rtdmpboyy4geyudrzbd node3 Ready Active 19.03.0-beta2
[node1] (local) root@192.168.0.23 ~
$ docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
1ofs9nrhqk9fncucz7aq4gagr * node1 Ready Active Leader 19.03.0-beta2
5m6d0kpfhtxlexjqfdgeen36p node2 Ready Active 19.03.0-beta2
i8igt9rtdmpboyy4geyudrzbd node3 Ready Active 19.03.0-beta2
[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$ docker node update --availability drain 5m6d0kpfhtxlexjqfdgeen36p
5m6d0kpfhtxlexjqfdgeen36p
[node1] (local) root@192.168.0.23 ~
$ docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
1ofs9nrhqk9fncucz7aq4gagr * node1 Ready Active Leader 19.03.0-beta2
5m6d0kpfhtxlexjqfdgeen36p node2 Ready Drain 19.03.0-beta2
i8igt9rtdmpboyy4geyudrzbd node3 Ready Active 19.03.0-beta2
[node1] (local) root@192.168.0.23 ~
$
[node1] (local) root@192.168.0.23 ~
$ docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
1ofs9nrhqk9fncucz7aq4gagr * node1 Ready Active Leader 19.03.0-beta2
5m6d0kpfhtxlexjqfdgeen36p node2 Ready Drain 19.03.0-beta2
i8igt9rtdmpboyy4geyudrzbd node3 Ready Active 19.03.0-beta2
[node1] (local) root@192.168.0.23 ~
$ docker service ps sleep-app
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
ccqjxztpwgp7 sleep-app.1 ubuntu:latest node1 Running Running 22 minutes ago
xhnnk882kanj sleep-app.2 ubuntu:latest node3 Running Running 22 minutes ago
he2en7xs7tao sleep-app.3 ubuntu:latest node1 Running Running about a minute ago
s20fyygsfwbp \_ sleep-app.3 ubuntu:latest node2 Shutdown Shutdown about a minute ago
3j2z7vihzvsq sleep-app.4 ubuntu:latest node3 Running Running 22 minutes ago
[node1] (local) root@192.168.0.23 ~
$ docker service rm sleep-app
sleep-app
[node1] (local) root@192.168.0.23 ~
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c785457c7ef7 ubuntu:latest "sleep infinity" About a minute ago Up About a minute sleep-app.3.he2en7xs7taoxxaysfdx4z7my
a94b251c4512 ubuntu:latest "sleep infinity" 22 minutes ago Up 22 minutes sleep-app.1.ccqjxztpwgp71vp1mltrqon9k
03fd033d6a89 ubuntu "sleep infinity" 25 minutes ago Up 24 minutes magical_dhawan
[node1] (local) root@192.168.0.23 ~
$ docker swarm leave --force
Node left the swarm.

Devops-Krishna