DevOps | DCMST

Differences between Kubernetes and Openshift

Thu, 25 Mar 2021 09:10:47 -0500

Differences between Kubernetes and Openshift

dcmst

Senior Container Infrastructure Consultant

@Red Hat

Kubernetes

Some assembly required

Kubernetes

Some assembly required

Kubernetes

Some assembly required

Openshift

Value Added

Openshift

Value Added

Openshift

Value Added

Openshift contains Kubernetes

Conclusion

Openshit IS a Kubernetes flavor

Thank You

Podman remote client on MacOS using Vagrant

Tue, 23 Feb 2021 00:00:00 +0000

Table of Contents

Introduction

Podman is a daemonless, open-source, Linux native tool designed to make it easy to find, run, build, share and deploy applications using Open Containers Initiative (OCI) Containers and Container Images.

That been said, the core of podman only runs in Linux! To use podman on macOS, we need to implement the remote client to manage container using a Linux as a backend.

Brief Architecture

The remote client uses a client-server model. We need Podman installed on a Linux VM that also has the SSH daemon running. On our MacOS, when you execute a Podman command:

Podman connects to the server via SSH.
It then connects to the Podman service by using systemd socket activation.
The Podman commands are executed on the Linux VM.
From the client’s point of view, it seems like Podman runs locally.

Installation

Install podman on MacOS

To install podman remote client on MacOS, we use Homebrew

$ brew install podman

Create a new ssh-keys on MacOS

We will need to connect via ssh to our vagrant VM, in order to do it passwordless, we will create a ssh-key, the commands for that are:

$ ssh-keygen -t rsa -b 4096 -C "podman+vagrant"
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/<USERNAME>/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/<USERNAME>/.ssh/id_rsa.
Your public key has been saved in /Users/<USERNAME>/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+pGx7Wcn9WdfRYKJrcdMiKEIPKFRW1lQ1MXP/8i0PLA podman+vagrant
The key's randomart image is:
+---[RSA 4096]----+
| ....=B+. ooo ..|
| . ++. ..+oo.+ |
| o .. o +oo =|
| .o+ |
| S ..|
| . = . . o|
| . + . B oo|
| . o E X o|
| . .+.= o.|
+----[SHA256]-----+

cat /Users/<USERNAME>/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1y ... O3JH8w== podman+vagrant

Create a vagrant VM

We will use a Virtual Machine based on Fedora 33,

To create the specified Vagrantfile, we need to follow the next steps:

$ mkdir my-fedora && cd my-fedora

$ echo "Vagrant.configure("2") do |config|
 config.vm.box = "generic/fedora33"
 config.vm.hostname = "my-fedora"
 config.vm.provider "virtualbox" do |v|
 v.memory = 1024
 v.cpus = 1
 end
end" >> Vagrantfile

Implementation

At this moment we have:

Podman installed
A ssh-key with no password created
A VM created with vagrant

Let’s start our implementation

Copy ssh-key from MacOS to Linux VM

We use the ssh-copy-id command, and it will ask us for the vagrant user password. The default one is: vagrant

$ ssh-copy-id -i id_rsa.pub vagrant@127.0.0.1 -p 2222

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
vagrant@127.0.0.1's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh -p '2222' 'vagrant@127.0.0.1'"
and check to make sure that only the key(s) you wanted were added.

You can verify connectivity with the command:

$ ssh vagrant@127.0.0.1 -p 2222
Last login: Tue Feb 23 07:33:45 2021 from 10.0.2.5
[vagrant@my-fedora ~]$

Configure the Linux VM

On this step we will:

Install the podman package and dependencies
Enable the podman service
Enable the sshd service

Installing podman

sudo dnf --enablerepo=updates-testing install podman libvarlink-util libvarlink

Enableling the podman service

We can enable and start the service permanently, using the following commands:

$ systemctl --user enable --now podman

Also, we will need to enable linger for this user in order for the socket to work when the user is not logged in.

sudo loginctl enable-linger $USER

You can verify that the socket is listening with a simple Podman command.

$ podman --remote info

Enableling the sshd service

In order for the client to communicate with the server you need to enable and start the SSH daemon on the Linux VM:

$ sudo systemctl enable --now sshd

Using the client

The first step in using the Podman remote client is to configure a connection. To do that, we need can add a connection by using the podman system connection add command.

$ podman system connection add <CONNECTION-NAME> ssh://vagrant@127.0.0.1:2222 --identity <SSH-KEY>
$ podman system connection add my-fedora ssh://vagrant@127.0.0.1:2222 --identity ~/.ssh/id_rsa.pub

We can verify that the connection is in place with the command:

$ podman system connection list
Name Identity URI
my-fedora* ~/.ssh/id_rsa.pub ssh://vagrant@127.0.0.1:2222/run/user/1000/podman/podman.sock

Now we can test the connection with the command:

$ podman info
host:
 arch: amd64
 buildahVersion: 1.18.0
 cgroupManager: systemd
 cgroupVersion: v2
 conmon:
 package: conmon-2.0.21-3.fc33.x86_64
 path: /usr/bin/conmon
 version: 'conmon version 2.0.21, commit: 0f53fb68333bdead5fe4dc5175703e22cf9882ab'
 cpus: 1
 distribution:
 distribution: fedora
 version: "33"
 eventLogger: journald
 hostname: my-fedora
 ...

Also, you can start running podman commands as you run them in docker:

$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE

Next steps

At this point we have installed everything that we need to start using podman on our MacOS, but podman only work if the Linux VM is up & running, otherwise you will receive an error similar to this:

$ podman images
Error: Cannot connect to the Podman socket, make sure there is a Podman REST API service running.: failed to create sshClient:
Connection to bastion host (ssh://vagrant@127.0.0.1:2222/run/user/1000/podman/podman.sock) failed.: dial tcp 127.0.0.1:2222: connect: connection refused

To avoid that behavior, what I implement is an automator workflow, here are the steps:

Get the vagrant VM id, to do that run:

$ vagrant global-status
id name provider state directory
--------------------------------------------------------------------------
894d683 my-fedora virtualbox running ~/vms/my-fedora

The above shows information about all known Vagrant environments
on this machine. This data is cached and may not be completely
up-to-date (use "vagrant global-status --prune" to prune invalid
entries). To interact with any of the machines, you can go to that
directory and run Vagrant, or you can use the ID directly with
Vagrant commands from any directory. For example:
"vagrant destroy 1a2b3c4d"

As you can see we are interested on get the id column, for this example: 894d683

Now, we need to open Automator, go to Launchpad -> search -> type automator, do click on the Automator Application

Launchpad + Automator

Then, we need to write an automator application, for this example I choose a workflow that it will run the command vagrant up <VM-ID>

$ vagrant up 894d683
Bringing machine 'my-fedora' up with 'virtualbox' provider...
==> default: Checking if box 'generic/fedora33' version '3.2.0' is up to date...
==> default: A newer version of the box 'generic/fedora33' for provider 'virtualbox' is
==> default: available! You currently have version '3.2.0'. The latest is version
==> default: '3.2.6'. Run `vagrant box update` to update.
==> default: Clearing any previously set forwarded ports...
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
 default: Adapter 1: nat
==> default: Forwarding ports...
 default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Running 'pre-boot' VM customizations...
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
 default: SSH address: 127.0.0.1:2222
 default: SSH username: vagrant
 default: SSH auth method: private key
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
==> default: Setting hostname...
==> default: Machine already provisioned. Run `vagrant provision` or use the `--provision`
==> default: flag to force provisioning. Provisioners marked to run always will still run.

Automator Workflow

Save the Workflow and remember the location where you save it.
The final step is to add the workflow to our login items. Go to Systems Preferences -> Users & Groups -> Login Items and add the application that you save on the previous step.

Login Items Menu

And that is all, you will have a fully working podman command on your MacOS.

References:

Podman MacOS and windows install ¹
Detailed podman installation on MacOS ²
Automator Configuration ³

Backing Up a Ruckus Switch Config

Sat, 21 Nov 2020 00:00:00 +0000

I want to do some changes on my home network to improve the performance, so I will implement VLANs on my network. But before I do that I want to document how to perform a backup of my Ruckus ICX 7150 Switch.

In a past post I mentioned how to enable ssh and web cofiguration on the Ruckus switch, so my first attemtp was to download the configuration file from the web interface but unfortunately it is not possible to do it, there is not an option for that. What I did is go to the documentation and found the copy command but I need a TFTP server to be able to download the backup file.

Let’s start!

Install a TFTP server - This is easy will depend on your Operative System, for my is an ArchLinux laptop.
```
yay -Sy atftp
```
The configuration file for atftp is /etc/conf.d/atftpd

Next step, is login on your Ruckus switch and perform the copy command:

ssh <USER>@<SWITCH-IP>
copy running-config tftp <TFTP-SERVER-IP> myconfig.cfg

#In my case is:
ssh ruckus@192.168.50.5
copy running-config tftp 192.168.50.4 myconfig.cfg

Verify that the file is on your TFTP server, by default, the configured directory for atftp is /srv/atftp/ so you should go that location and verify that the generated file is created.
```
cd /srv/atftp
ls -la
```

That’s all, you can restore your switch configuration if needed.

Bye!

Docker Login the Right Way

Wed, 15 May 2019 00:00:00 +0000

Table of Contents

Hi again!

It is been a while since I wrote something here, as always, there is no much time for a hobby.

I’ve been working for a while with docker, not a production level, but for some applications that I use at work. And since the Docker Hub Data breach I put more atention on the security of my data/credentials, so I investigate a little about and found this official repository https://github.com/docker/docker-credential-helpers/ from Docker where are the supported credential helpers.

Credential Store

Docker keeps our credentials saved on a JSON file located on ~/.docker/config.json, but unfortunatelly credentials are just encrypted on base64, here is an articule/video where there is an explanation for the why it is a bad idea to just use base64 encryption.

The following is a diagram on how a plain text storage works:

Plain Text Storage

Here is an example on how ~/.docker/config.json looks like when is using plain text credentials:

cat ~/.docker/config.json
{
 "auths": {
 "https://index.docker.io/v1/": {
 "auth": "azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo="
 },
 "quay.io": {
 "auth": "azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo="
 }
 },
 "HttpHeaders": {
 "User-Agent": "Docker-Client/18.09.6 (linux)"
 }
}

After a successful docker login command, Docker stores a base64 encoded string from the concatenation of the username, a colon, and the password and associates this string to the registry the user is logging into:

$ echo azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo= | base64 -d -
d-cmst:supersecretpassword

A docker logout command removes the entry from the JSON file for the given registry:

$ docker logout quay.io
Remove login credentials for quay.io

$ cat ~/.docker/config.json
{
 "auths": {
 "https://index.docker.io/v1/": {
 "auth": "azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo="
 }
 },
 "HttpHeaders": {
 "User-Agent": "Docker-Client/18.09.6 (linux)"
 }
}

Docker Credential Helpers

Since docker version 1.11 implements support from an external credential store for registry authentication. That means we can use a native keychain of the OS. Using an external store is more secure than storing on a “plain text” Docker configuration file.

Secure Storage

In order to use a external credential store, we need a program to interact with.

The actual list of “official” Docker Credential Helper is:

docker-credential-osxkeychain: Provides a helper to use the OS X keychain as credentials store.
docker-credential-secretservice: Provides a helper to use the D-Bus secret service as credentials store.
docker-credential-wincred: Provides a helper to use Windows credentials manager as store.
docker-credential-pass: Provides a helper to use pass as credentials store.

docker-credential-secret service

On this post we will explore the docker-credential-secretservice and how to configure it.

We need to download and install the helper. You can find the lastest release on https://github.com/docker/docker-credential-helpers/releases. Download it, extract it and make it executable.

wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.2/docker-credential-secretservice-v0.6.2-amd64.tar.gz
tar -xf docker-credential-secretservice-v0.6.2-amd64.tar.gz
chmod +x docker-credential-secretservice
sudo mv docker-credential-secretservice /usr/local/bin/

Then, we need to specify the credential store in the file ~/.docker/config.json to tell docker to use it. The value must be the one after the prefix docker-credential-. In this case:
```
{
 "credsStore": "secretservice"
}
```
To facilite the configuration and do not make mistakes, you can run:
```
sed -i '0,/{/s/{/{\n\t"credsStore": "secretservice",/' ~/.docker/config.json
```

From now we are uning an external store, so if you are currently logged in, you must run docker logout to remove the credentials from the file and run docker login tostart using the new ones.

Let me know how this works for you.

References:

Docker Credential Helpers repository¹
Docker Credential Store Documentation²
Slides about this topic ³

Bulk Delete Rackspace Cloud Files data via API

Wed, 13 Feb 2019 00:00:00 +0000

Sometimes it is necessary to delete all the content of the Cloud Files containers, however, the API does not have a proper method to delete the data and the containers on the same API call. Also, accoring to the documentation, you can only delete empty containers.

So, in cases where you need to delete the data and the containers at the same time, you should follow the next steps:

Download Turbolift, I know it is an old tool.

git clone https://github.com/cloudnull/turbolift
cd turbolift

In order to get and isolated installation, we are going to create a Python Virtual Environment (virtualenv)
```
mkvirtualenv turbolift
workon turbolift
```
Install the tool
```
pip install turbolift
```

Now, prior to start to play with the API calls, we need to grab some data to authenticate with the API:

Variable	Definition
USERNAME	This is the Rackspace Public Cloud username
APIKEY	This is your API-KEY
REGION	This is the Region where the Cloud Files are located (dfw, ord, iad, lon, hkg)
TOKEN	The TOKEN is generated after you get authenticated
ENDPOINT	This ENDPOINT is given also after you get authenticated

Next step, we are going to use cURL, to perform all the API calls:

First of all, get the TOKEN:

USERNAME=YOUR-USERNAME
APIKEY=YOUR-APIKEY
TOKEN=$(curl -s -XPOST https://identity.api.rackspacecloud.com/v2.0/tokens \
 -d'{"auth":{"RAX-KSKEY:apiKeyCredentials":{"username":"'$USERNAME'","apiKey":"'$APIKEY'"}}}' \
 -H"Content-type:application/json" | jq '.access.token.id' | tr -d "\"")

Next step, get the ENDPOINT:

ENDPOINT=$(curl -s -XPOST https://identity.api.rackspacecloud.com/v2.0/tokens \
 -d'{"auth":{"RAX-KSKEY:apiKeyCredentials":{"username":"'$CL_USERNAME'","apiKey":"'$APIKEY'"}}}' \
 -H"Content-type:application/json" | jq '.access.serviceCatalog[] | select((.name=="cloudFiles") or (.name=="cloudFilesCDN")) | {name} + .
 endpoints[] | .publicURL' | tr -d "\"" | grep -v cdn | grep -i $REGION)

In this case we are skipping all te CDN endpoints, but you can add them if is necessary.

With all the collected data, next step is use turbolift to delete the Cloud Files container and their data. To do it, I use a for-loop:

for i in $(curl -s -H "X-Auth-Token: $TOKEN" $ENDPOINT); do turbolift -u $USERNAME -a $APIKEY --os-rax-auth $REGION delete -c $i ; done

Now, you have all the Data and Cloud Files containers deleted on one region.

😄

Configure SSH on a Ruckus Switch

Tue, 20 Nov 2018 00:00:00 +0000

I just have a Ruckus ICX 7150 Switch on my home and I’m trying to get access under ssh and web, to easy configuration and security instead of use telnet. So, I logged in using telnet and then run the following commands to configure a username/password and begin to receive petitions over port 22(ssh) and port 443(https). Let’s begin!

We will connect via telnet to the switch.
```
telnet SWITCH_IP
```

Once we are on the Switch CLI as a optional step, we can configure an IP on the switch.

device> enable
device# configure terminal
device(config)# ip address IP_ADDRESS/CIDR
device(config)# ip default-gateway IP_GATEWAY

Now, the next steps are for generate a SSL certificate, a username/password, activate password to login and enable thw web access and ssh access.

device(config)# crypto-ssl certificate generate
device(config)# username USERNAME password PASSWORD
device(config)# aaa authentication login default local
device(config)# aaa authentication web-server default local

It may take several minutes to generate the certificate key. After that, save the configuration.
```
device(config)# write memory
```

Now you are able to login on your switch using ssh or web.

References:

Blog with ruckus commands ¹

Ruckus ICX7150-C12P – Initial Configuration ↩︎

Set a hugo blog on Kubernetes

Mon, 18 Jun 2018 00:00:00 +0000

Table of Contents

Overview

Since last year I been trying to become an SRE (Site Reliability Engineer), so I been involved with some emerging technologies, like ansible, docker and on this time with kubernetes.

This time, I will try to explain how I containerized my blog using:

Architecture

So, I take some ideas from here and I modify them and adapt the architecture described to my options.

The principal changes that I made are:

My Kubernetes cluster is running on 2 cloud server on Rackspace Public Cloud
The container registry that I’m using is Quay
Rackspace Public Cloud does not support a Kubernetes LoadBalancer service automatically, so I simulate that behavior adding a Cloud Load Balancer manually after the Kubernetes service provide me the port.

Architecture

Containerized

I use Hugo to deploy my blog, I used to do it as mentioned on this previous post (In Spanish).

Now, as a part of containerize the blog it make sense to me to create two stages as described here:

The first stage is a defined build environment containing all required build tools (hugo, pygments) and the source of the website (Git repository).
The second stage is the build artifact (HTML and assets), from the first stage and a webserver to serve the artifact over HTTP.

Dockerfile

Here is the Dockerfile that containerize the blog:

FROM ubuntu:latest as STAGEONE

# install hugo
ENV HUGO_VERSION=0.41
ADD https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_${HUGO_VERSION}_Linux-64bit.tar.gz /tmp/
RUN tar -xf /tmp/hugo_${HUGO_VERSION}_Linux-64bit.tar.gz -C /usr/local/bin/

# install syntax highlighting
RUN apt-get update
RUN apt-get install -y python3-pygments

# build site
COPY source /source
RUN hugo --source=/source/ --destination=/public/

FROM nginx:stable-alpine
RUN apk --update add curl bash
RUN rm /etc/nginx/conf.d/default.conf
COPY modules/nginx.d-cmst.io.conf /etc/nginx/conf.d/d-cmst.io.conf
COPY --from=STAGEONE /public/ /usr/share/nginx/html/
EXPOSE 80 443

MAINTAINER dcmst <dcmst@gmx.com>

First Stage

Fetch the lastest Ubuntu image and name as STAGEONE
Install the last available hugo version from source.
Install pygments library to use it for highlighting.
Build the site with hugo and the output is set on /public as a build artifact.

Second Stage

Fetch the lastest stable nginx alpine image.
Update the image and install some utilities.
Delete the default nginx configuration file.
Copy the configuration files needed from the repository root directory.
Copy the build artifact /public from the previous stage (STAGEONE)

WordPress with Let's Encrypt SSL Certificate on a Load Balancer

Sun, 03 Sep 2017 00:00:00 +0000

Hi again,

As many of you know a lot of “Production” applications need to be configured to provide High Availability. With that in mind, a best practice architecture to your application is to add a Load Balancer as a front end who distribute your traffic between your application nodes, as you can appreciate on the next image:

HA Load Balancer diagram

SSL Offloading

In this case, my “Production” application is my blog, and I will install a SSL Certificate on the Cloud Load Balancer(CLB) to offloading the encryption/decryption to the CLB instead of doing it on the webserver. That way your webservers uses port 80 (HTTP), as always, and you serve your content trought port 443(HTTPS).

SSL-Offloading diagram

Here are the what I use to configure my WordPress with SSL Certificate:

SSL Certificate issued using Let’s Encrypt
A Client of Let’s Encrypt called acme
A Cloud Load Balancer
A WordPress installation

Step 1: Install acme.sh client

There is a lot of ACME clients supported by Let’s Encrypt, the most popular is Certbot. However, I prefer to use acme.sh.

Let’s install it:

git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
# Create a data home directory
sudo mkdir -p /opt/acme/data
# Actual command to install it
bash acme.sh --install --home /opt/acme --config-home /opt/acme/data --certhome /opt/acme/data/ssl-certs --accountemail your@email.com

Step 2: Issue SSL Certificate

Once acme.sh is installed, we proceed to issue our first SSL Certificate:

/opt/acme/acme.sh --issue -d example.com -w /var/www/vhosts/example.com/public_html
[Mon Aug 25 06:04:07 UTC 2017] Creating domain key
[Mon Aug 25 06:04:07 UTC 2017] The domain key is here: /opt/acme/data/ssl-certs/example.com/example.com.key
[Mon Aug 25 06:04:07 UTC 2017] Single domain='example.com'
[Mon Aug 25 06:04:07 UTC 2017] Getting domain auth token for each domain
[Mon Aug 25 06:04:07 UTC 2017] Getting webroot for domain='example.com'
[Mon Aug 25 06:04:07 UTC 2017] Getting new-authz for domain='example.com'
[Mon Aug 25 06:04:08 UTC 2017] The new-authz request is ok.
[Mon Aug 25 06:04:08 UTC 2017] Verifying:example.com
[Mon Aug 25 06:04:11 UTC 2017] Success
[Mon Aug 25 06:04:11 UTC 2017] Verify finished, start to sign.
[Mon Aug 25 06:04:11 UTC 2017] Cert success.
-----BEGIN CERTIFICATE-----
MIIE/zCCA+egAwIBAgISA2AIs/G8gWjkRkNOUb7zmqh1MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA4MjgwNTA0MDBaFw0x
NzExMjYwNTA0MDBaMBkxFzAVBgNVBAMTDmNvb2tpZWxhYnMubmV0MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo8/4fXH0dOHcSlyXpsBoULhwQYkz4m0J
MegRHU2mhyy/jfKWM6KHDxHpFWUFajLJ/ORE4uncvjmRYeSVBxgv2R2cYoZyKd6v
txT+Cdj3jD9fBfDerfdfsdfsd6Y6mlr6Im61afKsFXIgLsprBpK22JU6HOz+0Fdo
lan09aaF8zLPtVzdfJw9MU55K7nzerxO8j4ro2lve0PHExkMIBCrXey50wcuqQRY
hwkbbXsm+wTES7TCn3tooSzFq6ore3JrSckxhFQ96EOea0s9CgYnw4d9rU/b3jyK
bFCILEJK64vgFHx0qvd0hBJFJG/HUtAXAVrFQjjlZlCmCMbnee1UTQIDAQABo4IC
DjCCAgowDgYDVR0pasoasoasogWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBR2KRpXKKgTorwfXpo44wgKyFUl
QzAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRj
MGEwLgYIKwYBBQUHMAASdTdddHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5v
cmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5v
cmcvMBkGA1UdEQQSMBCCDmNvb2tpZWxhYnMubmV0MIH+BgNVHSAEgfYwgfMwCAYG
Z4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0cDovL2Nw
cy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBDZXJ0aWZp
Y2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBhcnRpZXMg
YW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0ZSBQb2xp
Y3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3NpdG9yeS8w
DQYJKoZIhvcNAQELBQADggEBAFVGs82tzyVER6U0x7p/Q+6xplDFd6ap/dVX9G6i
eRPf4ayGykPSH9J3ewu398LOQd3DE93oWbqc7PfEC40Z5HqvCEY3fl9auep99/IF
rwhf36J7PXvEsPrUB6pxNFSBw9WX366Z1MP8qoIzm3XYEpp2D/SPniWY5+eQ42Pj
WNxxVksA4kFUF9wgKcrsCNTm0X8GZj5HUXC1OwtlopY2w42QrAMGwz1jM4nxv5Mc
Jim+nT0zmJUhAdQi8ocDjAl2PvcfdgfmkMr9IWH3al/GJSKy3a9Cq+BaIsIUYi6E
8M8Mj+00ONNn1folm9aVn+FW5fVCaxYN32ir8PnoTWkOXK8=
-----END CERTIFICATE-----
[Mon Aug 25 06:04:11 UTC 2017] Your cert is in /opt/acme/data/ssl-certs/example.com/example.com.cer
[Mon Aug 25 06:04:11 UTC 2017] Your cert key is in /opt/acme/data/ssl-certs/example.com/example.com.key
[Mon Aug 25 06:04:11 UTC 2017] The intermediate CA cert is in /opt/acme/data/ssl-certs/example.com/ca.cer
[Mon Aug 25 06:04:11 UTC 2017] And the full chain certs is there: /opt/acme/data/ssl-certs/example.com/fullchain.cer

Where the explained options are:

-issue: Issue a new certificate

-d (-domain) : Specifies a domain, used to issue, renew or revoke, etc.

-w (-webroot) : Specifies the web root folder for web root mode. This is the DocumentRoot where your site is hosted and it is necessary to verify it by Let’s Encrypt.

Step 3: Install SSL Certificate on Cloud Load Balancer

So, at this moment we have our SSL Certificate, Private Key, and Intermediate CA Certificate ready to install on our Cloud Load Balancer (CLB)

Your cert is in /opt/acme/data/ssl-certs/example.com/example.com.cer
Your cert key is in /opt/acme/data/ssl-certs/example.com/example.com.key
The intermediate CA cert is in /opt/acme/data/ssl-certs/example.com/ca.cer

So we should go to https://login.rackspace.com -> Rackspace Cloud -> Networking -> Cloud Load Balancers:

Rackspace Portal - Cloud Loud Balancer

Then, to Optional Features and Enable/Configure on “Secure Traffic SSL”

Rackspace Portal - Cloud Loud Balancer

Finally, we add our SSL Certificate, Private Key, and Intermediate CA Certificate to the CLB and save the configuration:

Rackspace Portal - Cloud Loud Balancer

Step 4: Configure WordPress

We are almost done, at this time we already have configured our SSL on the CLB to provide WordPress over HTTPS, however, WordPress is still with HTTP, so we need to reconfigure our WordPress with SSL.

Database queries

First of all, we should update the links from http to https; we are going to do it directly on the database doing the following queries:

Change all instances of example.com to your own. If you have the www as part of your WordPress Address(URL) in the WordPress Settings, add the ‘www’.

Also, if you have a custom table prefix in the WordPress database, something other than the default ‘wp_’, then you must change all the instances of ‘wp_’ to your own table prefix.

Update any embedded attachments/img that use http:This one updates the src attributes that use double quotes:

UPDATE `wp_posts` SET post_content = REPLACE(post_content, 'src=\"http://example.com', \
'src=\"https://example.com') WHERE post_content LIKE '%src=\"http://example.com%';

This one takes care of any src attributes that use single quotes:

UPDATE `wp_posts` SET post_content = REPLACE(post_content, 'src=\'http://example.com', \
'src=\'https://example.com') WHERE post_content LIKE '%src=\'http://example.com%';

Update any hard-coded URLs for links.This one updates the URL for href attributes that use double quotes:

UPDATE `wp_posts` SET post_content = REPLACE(post_content, 'href=\"http://example.com', \
'href=\"https://example.com') WHERE post_content LIKE '%href=\"http://example.com%';

This one updates the URL for href attributes that use single quotes:

UPDATE `wp_posts` SET post_content = REPLACE(post_content, 'href=\'http://example.com', \
'href=\'https://example.com') WHERE post_content LIKE '%href=\'http://example.com%';

Update any “pinged” links:

UPDATE `wp_posts` SET pinged = REPLACE(pinged, 'http://example.com', \
'https://example.com') WHERE pinged LIKE '%http://example.com%';

This step is just a confirmation step to make sure that there are no remaining http URLs for your site in the wp_posts table, except the GUID URLs.

You must replace WP_DB_NAME, near the beginning of the query, with the name of your database.

This will confirm that nowhere in the wp_posts table is there a remaining http URL, outside of the GUID column. This ignores URLs in the GUID column.

This query only searches; it does not replace anything, nor make any changes. So, this is safe to run. It’s a safe and quick way to check the wp_posts table while ignoring the guid column.

This SQL query should return an empty set. That would mean that it found no http URLs for your site. (This is all just 1 query. It’s 1 very, very long line.)

Remember to replace WP_DB_NAME, near the beginning of the query, with the name of your database.

```sql
SELECT * FROM `WP_DB_NAME`.`wp_posts` WHERE (CONVERT(`ID` USING utf8) LIKE \
'%%http://example.com%%' OR CONVERT(`post_author` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_date` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_date_gmt` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_content` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_title` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_excerpt` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_status` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`comment_status` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`ping_status` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_password` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_name` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`to_ping` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`pinged` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_modified` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_modified_gmt` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_content_filtered` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_parent` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`menu_order` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_type` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`post_mime_type` USING utf8) LIKE '%%http://example.com%%' \
OR CONVERT(`comment_count` USING utf8) LIKE '%%http://example.com%%');
```

Now, we move to the wp_comments table. This changes any comment author URLs that point to the http version of your site. This is in case you’ve ever replied to a comment while your URL was pointing to http.
```
UPDATE `wp_comments` SET comment_author_url = REPLACE(comment_author_url, \
'http://example.com', 'https://example.com') WHERE comment_author_url \
LIKE '%http://example.com%';
```

This updates the content of the comments on your site. If there are any links in the comments that are linking to an http URL on your site, they will be updated to https.

UPDATE `wp_comments` SET comment_content = REPLACE(comment_content, 'http://example.com', \
'https://example.com') WHERE comment_content LIKE '%http://example.com%';

Now we move to the wp_postmeta table. This takes care of any custom post meta that points to the http version of your site.

UPDATE `wp_postmeta` SET `meta_value` = REPLACE(meta_value, 'http://example.com', \
'https://example.com') WHERE meta_value LIKE '%http://example.com%';

Now we move to the wp_options table. Update the WordPress Address (URL) and Site Address (URL).

For the WordPress Address URL, you may have to modify example.com. If you have WordPress installed in some other directory, then modify this according to your own WordPress URL. For example, some people have WordPress installed in a subdirectory named “blog”, and so their WordPress Address would be https://example.com/blog.
```
UPDATE `wp_options` SET `option_value` = "https://example.com" \
WHERE `wp_options`.`option_name` = 'siteurl';
```
This one will update the Site Address URL (this is the home page of your site):
```
UPDATE `wp_options` SET `option_value` = "https://example.com" \
WHERE `wp_options`.`option_name` = 'home';
```

WordPress Control Panel

Besides, with run the queries directly on the database, we can update, or verify, the blog URLs, by going to Settings > General

And updating your WordPress Address (URL) and Site Address (URL) address fields.

WordPress - Change URL

WordPress Config File

Finally, we should add the following line to our wp_config.php file

$_SERVER['HTTPS']='on';

Now, you have configured WordPress with Let’s Encrypt SSL Certificate on a Load Balancer.

Build a Dynamic DNS Client with Rackspace API

Mon, 11 Apr 2016 00:00:00 +0000

This time I’ve want to create a homemade Server with my Raspberry Pi2 and publish it using my own sub-domain, the main problem is that the ISP provide me an dynamic IP and we should ensure that if my IP address change the sub-domain record should point to the new IP.

The instructions assume that you:

Have a domain
Have already changed your NS records to point to dns1.stabletransit.com and dns2.stabletransit.com.

You should download the latest version of rsdns from github

cd ~/bin/
git clone https://github.com/linickx/rsdns.git

Go to your Rackspace portal https://login.rackspace.com/ and grab your Username & API key (It’s under “Your Account” -> “Account Settings” -> “API Key”)
Create a configuration file for rsdns (~/.rsdns_config) with your settings.
```
#!/bin/bash
RSUSER=dcmst
RSAPIKEY=1234567890
RSPATH=~/bin/rsdns/
```
You need your domain created on Rackspace(It’s under “Networking” -> “Cloud DNS” -> “Create Domain”) if you don’t have your domain created you are able to created using rsdns:
```
./rsdns-domain.sh -d www.d-cmst.io -e dcmst@devcrumbs.com
```
Once you have a domain setup you need to create an A record. To create the A record you going to need an IP address, you can use http://icanhazip.com to get your actual current IP. Again to create a record you are able to do it from Rackspace panel (It’s under “Networking” -> “Cloud DNS” -> YOUR_DOMAIN -> “Add Record”) or you can use rsdns:
```
./rsdns-a.sh -n dynamic-host.d-cmst.io -i 123.123.123.123 -t 3600
```
In the above the TTL is set to 1hr (3600 secs), this is so that DNS caches do not keep the record too long. That’s all the pre-work done, now lets get your dynamic host setup!
The script to update your a record is rsdns-dc.sh, and you run it like this:
```
./rsdns-dc.sh -n dynamic-host.d-cmst.io
```
The script uses icanhazip to get your current IP, it then update the A record with it.

I never switch off my router so I have create a created a cronjob to run that script every 2 hours, plus the 1hr TTL should mean that the record is roughly in sync with my IP without making unnecessary requests

I use CentOS, so I can simply drop the following file called rsdns-dc into /etc/cron.d/ with this…

vim /etc/cron.d/rsdns-dc
* */2 * * * dcmst /home/dcmst/bin/rsdns/rsdns-dc.sh -n dynamic-host.d-cmst.io &>/dev/null

Now we are done! Private Dynamic DNS on your own zone using the Rackspace API.

View sources IP's in Apache Logs behind a Load Balancer

Fri, 13 Feb 2015 00:00:00 +0000

When you use the Rackspace Cloud Load Balancers, it is common that the IP logged in Apache is the Private IP (ServiceNet) from the Cloud Load Balancer, however, we can fix that.

We can view sources IP’s in Apache Logs doing some changes on Apache configuration file and also on the vhosts configuration files.

On your Apache configuration file, you should to find the line:

LogFormat "%h %l %u %t \"%r\" %&gt;s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Modified to:

LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %&gt;s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

And also, on your vhosts configuration files you should to change the “combined” LogFormat definition will then be called in a “CustomLog” entry specific to your VirtualHost configuration. Here is an example VirtualHost definition to show you what I’m referring to:

ServerAdmin webmaster@example.com
DocumentRoot /var/www/html/example.com
ServerName example.com
ErrorLog logs/example.com-error_log
CustomLog logs/example.com-access_log combined

After adding the X-Forwarded-For definition to the LogFormat definition, you can restart Apache and view the logs to notice the difference. If all is done properly, you will see an actual public IP in the first field of your logs instead of the Cloud Load Balancer IP.

I'm a Racker

Mon, 31 Mar 2014 00:00:00 +0000

Since January 6th I working on Rackspace, the Open Cloud Company, so I’m a Racker almost 3 months ago and I’m loving every minute of it.

Rackspace - Kickoff

Everything stared on November 2013 when a Technical Recruiter contact me and started a proceess with some long tough interviews, ability tests, paperwork, etc; I have accepted a position as a Linux System Administrator I in the LATAM Team for Rackspace, so, I got to work for one of the most dynamic, fanatic, and fun tech companies in the world!

So, I was very excited, nervous, happy, all together.

The Castle

Since I came to The Castle, everything was wonderful, I have met nice, friendly, smart and fanatical people, like @SugarBear, a Rackspace Ambassador of Culture, or Graham Weston, Rackspace’s Chairman and Co-Funder. I met them at the Rookie Orientation (a.k.a Rookie’O), where I spend time with other Rookies learning about Rackspace history, culture and future plans.

On the Rookie’O, I was surprised and admired with all the energy that is transmitted between the new Rackers, it was awesome!

And I was inspired by the Rackspace Core Values:

Fanatical Support® in all we do.
Results first, substance over flash.
Committed to Greatness
Full Disclosure and Transparency
Passion for our Work
Treat fellow Rackers like Friends and Family

Which from my point of view I can applied to my personal life, and having great results.

Also is very comfortable to have a Coffe Shop, a soda machine or microwaves inside the Castle. It is pretty nice!

In general the first week in Rackspace, on the Rookie’O, I was a great experience, I can say that is one of my best experiences in my life.

Rackspace - Rookie O

Rackspace - Fanatical Jacket

Rackspace - Fuel station

Rackspace - Slide

Rackspace - Coffee Shop

My Goals

This is a new big challenge, because means:

Relocation in other country, specifically in San Antonio, TX, USA.
Leave my family in Mexico City, that means that I see my parents only for Skype or FaceTime :).
Know other culture, the “American” culture, with the Breakfast Tacos or Tex-Mex food (I really hate the Tex-Mex food yiack!) or the Lunch at noon, people do not always says “Good morning” and some details that I don’t understand but here is common.
Improve my skills in other language (English) event though I’m in the Rackspace LATAM team all the communications like emails or meetings are in English, so, it is very important for my job.
And the most important challenge for me is still learn about Linux, get my Red Hat Certifications, do my best at job and take advantage of this great opportunity. All of that to try to be a DevOps Engineer

Rackspace - LATAM Section

Rackspace - My Desk

I will be working on, providing Fanatical Support for our customers, resolving LATAM customer issues with Linux and working with remote teams from all around the world.

Summarizing, I’m a happy Racker 🙂

DevOps | DCMST

Differences between Kubernetes and Openshift

Differences between Kubernetes and Openshift

dcmst

Senior Container Infrastructure Consultant

@Red Hat

Kubernetes

Some assembly required

Kubernetes

Some assembly required

Kubernetes

Some assembly required

Openshift

Value Added

Openshift

Value Added

Openshift

Value Added

Openshift contains Kubernetes

Openshift contains Kubernetes

Conclusion

Openshit IS a Kubernetes flavor

Thank You

Podman remote client on MacOS using Vagrant

Introduction

Brief Architecture

Installation

Install podman on MacOS

Create a new ssh-keys on MacOS

Create a vagrant VM

Implementation

Copy ssh-key from MacOS to Linux VM

Configure the Linux VM

Installing podman

Enableling the podman service

Enableling the sshd service

Using the client

Next steps

Backing Up a Ruckus Switch Config

Docker Login the Right Way

Docker Login the right Way

Credential Store

Docker Credential Helpers

docker-credential-secret service

Bulk Delete Rackspace Cloud Files data via API

Configure SSH on a Ruckus Switch

Set a hugo blog on Kubernetes

Overview

Architecture

Containerized

Dockerfile

First Stage

Second Stage

WordPress with Let's Encrypt SSL Certificate on a Load Balancer

SSL Offloading

Step 1: Install acme.sh client

Step 2: Issue SSL Certificate

Step 3: Install SSL Certificate on Cloud Load Balancer

Step 4: Configure WordPress

Database queries

WordPress Control Panel

WordPress Config File

Build a Dynamic DNS Client with Rackspace API

View sources IP's in Apache Logs behind a Load Balancer

I'm a Racker

Previous

The Castle

My Goals