Tong's Work Notes

Friday, October 1, 2021

backup and restore iPhone onto mac

backup entire phone onto mac, then click on Manage Backups, then right click on one of the backup, select Show in folder, find the backup folder, copy the entire folder to another location, then remove the folder to save space on mac.

To restore the backup to a phone, copy the entire folder back to this folder:

/Users/tongli/Library/Application Support/MobileSync/Backup

Then the phone manager will be able to find the backup, then you can restore that backup to an iPhone.

Sunday, September 26, 2021

What is import when follow the instructs to setup istio multicluster

When follow the instructions describe here to setup multicluster istio,

https://istio.io/latest/docs/setup/install/multicluster/primary-remote_multi-network/

One thing is not described in the process very clearly but will fail the process is to make sure that the kubenetes cluster config file contains the k8s API endpoint which should not use the loopback IP address 127.0.0.1. This is very important when use KinD to deploy two k8s clusters on one machine, by default, KinD will create multiple kubenetes context in the config file, each of the context will use server: https://127.0.0.1:<port number> which works fine when access from host machine, but this will fail when access the API server from any other places. To avoid this problem, once KinD sets up the cluster, going to the config file and edit the url to point to the docker container IP address with the default port which most likely be 6443. For example

server: https://172.19.0.3:6443

Doing this will ensure that the API server is not only accessible from the host but also from the apps running inside the k8s clusters.

Or simply use the following command to update, given that the cluster name is called kind-cluster1.

kubectl config set clusters.kind-cluster1.server https://172.19.0.3:6443

One other thing is also being ignored is that the two clusters should use the same root ca for their certificates. The certificate should be created in istio-system namespace and be named cacerts (if using default). The secret should have the following entries:

ca-cert.pem

ca-key.pem

cert-chain.pem

root-cert.pem

ca-cert.pem and ca-key will be the intermediate CA cert and key signed by the root cert.

That cert will be used by deployment.apps/istiod

Tuesday, September 14, 2021

How to build istio locally for debugging

To build istio locally then to debug, you need to setup two environment variables.

export TAG=30.1.2
export VERSION=$TAG

Once these two variables set, you can run the following command to build

make docker

If everything run correctly, there should be a list of istio images built, here is an example list

istio/install-cni                                     30.1.2 
istio/operator                                        30.1.2 
istio/istioctl                                        30.1.2 
istio/app_sidecar_centos_7                            30.1.2 
istio/app_sidecar_centos_8                            30.1.2 
istio/app_sidecar_debian_10                           30.1.2 
istio/app_sidecar_debian_9                            30.1.2 
istio/app_sidecar_ubuntu_focal                        30.1.2 
istio/app_sidecar_ubuntu_bionic                       30.1.2 
istio/app_sidecar_ubuntu_xenial                       30.1.2 
istio/app                                             30.1.2 
istio/proxyv2                                         30.1.2 
istio/pilot                                           30.1.2

After these images are built, upload these images to the cluster where istio will be deployed.

istioctl operator init --tag 30.1.2

If you do not have access to the cluster to upload the images, then you will need to push the images to a docker image repository, then use the following command

istioctl operator init --hub docker.io --tag 30.1.2

Wednesday, September 1, 2021

How to get the current running system ARCH and OS

export ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac)
export OS=$(uname | awk '{print tolower($0)}')

Thursday, August 26, 2021

Own Dockerfile

# FROM alpine:3.13 as BUILDER
# 
# RUN wget https://github.com/ansible/ansible-runner/archive/refs/tags/1.4.7.tar.gz && \
#     tar -xvf 1.4.7.tar.gz
# 
# RUN apk add --no-cache py-pip build-base python3-dev linux-headers && \
#     pip install virtualenvwrapper
# RUN cd ansible-runner-1.4.7 && virtualenv ansible-runner && pip install -e .

FROM quay.io/operator-framework/ansible-operator:v1.11.0 as BASE

FROM alpine:3.13

LABEL maintainer="litong01@us.ibm.com"
ENV PYTHONUNBUFFERED=1

RUN apk add --no-cache py-pip bash openssl py3-cryptography tini tar unzip && \
    if [ ! -e /usr/bin/python ]; then ln -sf python3 /usr/bin/python ; fi && \
    pip install ansible ansible-runner

RUN mkdir -p /etc/ansible \
  && echo "localhost ansible_connection=local" > /etc/ansible/hosts \
  && echo '[defaults]' > /etc/ansible/ansible.cfg \
  && echo 'roles_path = /opt/ansible/roles' >> /etc/ansible/ansible.cfg \
  && echo 'library = /usr/share/ansible/openshift' >> /etc/ansible/ansible.cfg

COPY --from=BASE /usr/local/bin/ansible-operator /usr/local/bin/ansible-operator
# COPY --from=BUILDER /usr/bin/ansible-runner /usr/local/bin/ansible-runner

ENV HOME=/opt/ansible \
    USER_NAME=ansible \
    USER_UID=1001

# Ensure directory permissions are properly set
RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd \
  && mkdir -p ${HOME}/.ansible/tmp \
  && chown -R ${USER_UID}:0 ${HOME} \
  && chmod -R ug+rwx ${HOME}

WORKDIR ${HOME}
USER ${USER_UID}

COPY requirements.yml ${HOME}/requirements.yml
RUN ansible-galaxy collection install -r ${HOME}/requirements.yml \
  && chmod -R ug+rwx ${HOME}/.ansible \
  && mkdir -p ${HOME}/.ansible/plugins \
  && rm -rf /var/cache/apk/*

COPY watches.yaml ${HOME}/watches.yaml
COPY roles/ ${HOME}/roles/
COPY playbooks/ ${HOME}/playbooks/
COPY utilities/launcher/ ${HOME}/launcher/
COPY ansible.cfg ${HOME}/launcher/bin/
COPY utilities/downloader/ ${HOME}/downloader/

COPY plugins ${HOME}/.ansible/plugins
COPY ansible.cfg ${HOME}/.ansible.cfg
COPY test.yaml ${HOME}/test.yaml
ENTRYPOINT ["tini", "--", "/usr/local/bin/ansible-operator", "run", "--watches-file=./watches.yaml"]

Monday, August 23, 2021

Process of access AWS EKS

Here are the steps to access AWS EKS from command line.

1. Create a config file in ~/.aws directory named config with the following content

[default]
region = us-east-1
output = json

2. Create a credential file in ~/.aws directory named credentials with the following content, make sure that you use your own access key id and secret which should be available when you create them via AWS console

[default]
aws_access_key_id = XXXXXX
aws_secret_access_key = XXXXXXXXXXXXXX

3. Update kubeconfig and current context

aws eks --region <region-code> update-kubeconfig --name <cluster_name>

The region code should be us-east-1 if use the above example in config file. The name should be your eks cluster name

Thursday, August 19, 2021

Example to overwrite istio configuration parameters

The following is an example of config.yaml file which can be used to install istio with customized parameters:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istiod
  namespace: istio-system
spec:
  components:
    pilot:
      enabled: true
      k8s:
        overlays:
        - kind: Deployment
          name: istiod
          patches:
          - path: spec.template.spec.containers.[name:discovery].args.[100]
            value: --grpcAddr=:15020
          - path: spec.template.spec.containers.[name:discovery].ports.[containerPort:15010]
            value:
              containerPort: 15020
              protocol: TCP
        - kind: Service
          name: istiod
          patches:
          - path: spec.ports.[port:15010]
            value:
              port: 15020
              name: grpc-xds
              protocol: TCP

In the above example, the changes have been made based on yaml files like the following, the patch first added a new entry to the args list, then changed a containerPort from 15010 to 15020, the last one also replaced port in the service.

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istiod
  namespace: istio-system
spec:
  template:
    spec:
      containers:
      - args:
        - discovery
        - --monitoringAddr=:15014
        - --log_output_level=default:info
        - --domain
        - cluster.local
        - --keepaliveMaxServerConnectionAge
        - 30m
        env:
        - name: REVISION
          value: default
        - name: JWT_POLICY
          value: third-party-jwt
          .
          .
          .
        image: docker.io/istio/pilot:1.10.2
        name: discovery
        ports:
        - containerPort: 8080
          protocol: TCP
        - containerPort: 15010
          protocol: TCP
        - containerPort: 15017
          protocol: TCP
  
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: istiod
    install.operator.istio.io/owning-resource: unknown
    istio: pilot
    istio.io/rev: default
    operator.istio.io/component: Pilot
    release: istio
  name: istiod
  namespace: istio-system
spec:
  ports:
  - name: grpc-xds
    port: 15010
    protocol: TCP
  - name: https-dns
    port: 15012
    protocol: TCP
  - name: https-webhook
    port: 443
    protocol: TCP
    targetPort: 15017