Thursday, June 20, 2019
Commands to check if the cert and private key match
openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum
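The same comparison as a script, added here as an example and not part of the original post. It also covers a failure mode of the bare pipelines: if openssl cannot read a file, sha256sum still prints the hash of empty input, so two failed reads look like a match. The function names are chosen for this example.

```shell
#!/bin/sh
# Added example: compare the public key inside a private key file with the
# public key inside a certificate, and refuse to hash empty output.

# pubkey_fingerprint key|cert FILE -> SHA-256 (hex) of the PEM public key
pubkey_fingerprint() {
    case $1 in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # An unreadable file must be an error, not "the hash of nothing".
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key KEYFILE CERTFILE
# returns 0 = match, 1 = mismatch, 2 = one of the files could not be parsed
cert_matches_key() {
    k=$(pubkey_fingerprint key "$1") || { echo "cannot read key: $1" >&2; return 2; }
    c=$(pubkey_fingerprint cert "$2") || { echo "cannot read certificate: $2" >&2; return 2; }
    [ "$k" = "$c" ]
}

# Command-line use: ./check.sh privateKey.key certificate.crt
if [ "$#" -eq 2 ]; then
    cert_matches_key "$1" "$2"
    case $? in
        0) echo "match" ;;
        1) echo "MISMATCH" ;;
        *) echo "error" ;;
    esac
fi
```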
Friday, June 7, 2019
System performance measure tool
vmstat -w 3 20
This will measure the system 3 times per second and show 20 data points
Here is what each column means:
Procs
r: The number of processes waiting for run time.
b: The number of processes in uninterruptible sleep.
Memory
swpd: the amount of virtual memory used.
free: the amount of idle memory.
buff: the amount of memory used as buffers.
cache: the amount of memory used as cache.
inact: the amount of inactive memory. (-a option)
active: the amount of active memory. (-a option)
Swap
si: Amount of memory swapped in from disk (/s).
so: Amount of memory swapped to disk (/s).
IO
bi: Blocks received from a block device (blocks/s).
bo: Blocks sent to a block device (blocks/s).
System
in: The number of interrupts per second, including the clock.
cs: The number of context switches per second.
CPU
These are percentages of total CPU time.
us: Time spent running non-kernel code. (user time, including nice time)
sy: Time spent running kernel code. (system time)
id: Time spent idle. Prior to Linux 2.5.41, this includes IO-wait time.
wa: Time spent waiting for IO. Prior to Linux 2.5.41, included in idle.
st: Time stolen from a virtual machine. Prior to Linux 2.6.11, unknown.
We can use
fdisk -l
to list all the disks in the system
Then use the following command to see block size
dumpe2fs /dev/sda1 | fgrep -e 'Block size'
Sunday, April 14, 2019
The steps to create ingress in k8s
1. Create a namespace and service account
2. Create nginx server secret, basically a pair of crt and key file using the following command:
openssl req -newkey rsa:2048 -nodes -keyout nginx.key -x509 -days 365 -out nginx.crt
3. Create k8s configmap for customizing nginx which can include sub_filter directives etc.
4. k8s rbac to allow the service account to do things
5. Deploy ingress controller using either daemon set or deployment
6. Use either NodePort service or LoadBalancer to allow access to the daemon set.
The above steps are really just the steps to make sure that the access to the services uses nginx ingress controller.
The next few steps are to deploy the actual application.
1. Deploy your actual application using either pods or a ReplicaSet or whatever you prefer.
2. Create an Ingress resource which maps a path to each app. This resource also carries the TLS and basic authentication settings, as in the following:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-test
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: TheNameOfK8sSecret
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  tls:
  - hosts:
    - foo.bar.com
    # This assumes tls-secret exists and the SSL
    # certificate contains a CN for foo.bar.com
    secretName: tls-secret
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /
        backend:
          # This assumes http-svc exists and routes to healthy endpoints
          serviceName: http-svc
          servicePort: 80
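The Secret named by the auth-secret annotation has to hold htpasswd-style lines under the data key auth. The script below is an added example, not part of the original post, that builds such a manifest with openssl alone and checks a password against the stored hash; the function names and any secret name, user and password passed in are placeholders.

```shell
#!/bin/sh
# Added example: build the basic-auth Secret referenced by
# nginx.ingress.kubernetes.io/auth-secret. All names are placeholders.

# htpasswd_line USER PASSWORD [SALT] -> "user:$apr1$salt$hash"
# The password is fed on stdin so it never shows up in the process list.
htpasswd_line() {
    case $1 in *:*|'') echo "invalid user name" >&2; return 2 ;; esac
    if [ -n "$3" ]; then
        hash=$(printf '%s\n' "$2" | openssl passwd -apr1 -salt "$3" -stdin) || return 1
    else
        hash=$(printf '%s\n' "$2" | openssl passwd -apr1 -stdin) || return 1
    fi
    printf '%s:%s\n' "$1" "$hash"
}

# make_auth_secret NAME USER PASSWORD -> Secret manifest on stdout.
# ingress-nginx reads the htpasswd content from the data key "auth".
make_auth_secret() {
    line=$(htpasswd_line "$2" "$3") || return $?
    data=$(printf '%s\n' "$line" | openssl base64 -A)
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  auth: $data
EOF
}

# check_password HTPASSWD_LINE PASSWORD -> 0 if the password matches the hash
check_password() {
    user=${1%%:*}
    salt=$(printf '%s\n' "$1" | cut -d'$' -f3)   # fields: user:, apr1, salt, hash
    [ "$(htpasswd_line "$user" "$2" "$salt")" = "$1" ]
}
```

Create the Secret in the same namespace as the Ingress, for example by piping the output of make_auth_secret to kubectl apply -f -.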
Friday, March 8, 2019
Update cello ansible agent to allow peer external endpoint to be available before starting the peers
First start the services, then get the IP address, then generate the deployment YAML file.
Wednesday, February 20, 2019
What information does a certificate contain?
A certificate is normally issued to an individual or a company by a CA. In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. It contains the following information:
openssl x509 -in tlsca.org2msp-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            df:c6:71:a4:bb:41:1f:73:83:ed:d5:95:93:24:2f:f6
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=org2msp, CN=tlsca.org2msp
        Validity
            Not Before: Feb 20 17:20:00 2019 GMT
            Not After : Feb 17 17:20:00 2029 GMT
        Subject: C=US, ST=California, L=San Francisco, O=org2msp, CN=tlsca.org2msp
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:02:ea:14:c2:52:0d:02:10:02:c1:6e:41:8e:b7:
                    33:0e:73:4b:1f:9d:8a:b3:d0:90:41:2d:4f:49:4f:
                    ee:cf:20:05:d4:e6:26:99:d4:d4:90:1c:71:02:bc:
                    1f:30:15:b1:b2:d4:b2:49:d5:9f:7b:f8:20:15:e6:
                    cc:ae:75:05:12
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                1A:23:57:FF:C1:BC:12:26:EA:94:44:2A:35:E6:A6:AA:9A:58:26:B1:03:52:04:44:10:DA:54:AA:08:2D:D5:5D
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:68:f1:1c:b3:25:ac:a8:99:31:f1:a9:c5:ce:51:
         c6:cc:90:2f:06:1e:d0:8c:51:e3:1c:f6:30:3d:dd:59:49:8e:
         02:20:1b:88:49:b2:ce:c8:1e:30:52:d1:25:a7:7a:47:ff:a4:
         03:1b:8d:e5:48:4e:6a:e9:2d:eb:07:36:d3:b5:c0:d4
Thursday, February 14, 2019
Install perf on fabric container
1. apt install linux-tools-generic
2. apt install linux-tools-4.4.0-141-generic
dstat
apt install dstat
dstat -cd --disk-util --disk-tps
apt install atop ioping
iotop
lsblk
ioping /dev/xvdc
Sunday, February 10, 2019
Resize VirtualBox Hard disk
After your virtual machine has run for a while, you may find that the originally allocated virtual hard disk is running out of space. You may not always want to recreate the VM, since it may contain things that you do not want to destroy. Here is the process to resize the hard disk without destroying what is already in the VM.
1. Use VBoxManage modifyhd command:
VBoxManage modifyhd NGINX.vdi --resize 30000
The parameter for --resize is in MB. 30000 is 30GB. 40000 is 40GB.
2. If your VM has snapshots, you will have to run the exact same command for each snapshot vdi file. Without doing this, you will not be able to do the next step.
3. Mount the gparted ISO on your VM and then boot up your VM.
4. Use gparted to resize your disk, then reboot your VM. Your VM at this point will have the resized disk.