Category Archives: linux

k3s lxc container

Run k3s inside LXD:


vim /etc/sysctl.d/90-lxd-limits.conf

fs.aio-max-nr = 524288

fs.inotify.max_queued_events = 1048576

fs.inotify.max_user_instances = 1048576

fs.inotify.max_user_watches = 1048576

kernel.dmesg_restrict = 1

kernel.keys.maxbytes = 2000000

kernel.keys.maxkeys = 2000

net.ipv4.neigh.default.gc_thresh3 = 8192

net.ipv6.neigh.default.gc_thresh3 = 8192

vm.max_map_count = 262144
lxc profile create k3s

wget https://raw.githubusercontent.com/ubuntu/microk8s/master/tests/lxc/microk8s.profile -O k3s.profile

cat k3s.profile 
name: k3s

config:

  boot.autostart: "true"

  linux.kernel_modules: ip_vs,ip_vs_rr,ip_vs_wrr,ip_vs_sh,ip_tables,ip6_tables,netlink_diag,nf_nat,overlay,br_netfilter

  raw.lxc: |

    lxc.apparmor.profile=unconfined

    lxc.mount.auto=proc:rw sys:rw cgroup:rw

    lxc.cgroup.devices.allow=a

    lxc.cap.drop=

  security.nesting: "true"

  security.privileged: "true"

description: ""

devices:

  aadisable:

    path: /sys/module/nf_conntrack/parameters/hashsize

    source: /sys/module/nf_conntrack/parameters/hashsize

    type: disk

  aadisable2:

    path: /dev/kmsg

    source: /dev/kmsg

    type: unix-char

  aadisable3:

    path: /sys/fs/bpf

    source: /sys/fs/bpf

    type: disk

  aadisable4:

    path: /proc/sys/net/netfilter/nf_conntrack_max

    source: /proc/sys/net/netfilter/nf_conntrack_max

    type: disk

cat k3s.profile | lxc profile edit k3s
CNAME="$(hostname)-k3s"

lxc launch -p default -p k3s ubuntu:20.04 ${CNAME}
lxc exec ${CNAME} -- unlink /etc/resolv.conf

lxc exec ${CNAME} -- bash -c "echo 'nameserver 1.1.1.1' > /etc/resolv.conf"

lxc exec ${CNAME} -- bash -c "echo 'nameserver 8.8.8.8' >> /etc/resolv.conf"

lxc exec ${CNAME} -- bash -c "echo '127.0.1.1 ${CNAME}' >> /etc/hosts"
lxc exec ${CNAME} -- apt install -y apparmor-utils avahi-daemon

lxc exec ${CNAME} -- bash -c "echo 'L /dev/kmsg - - - - /dev/console' > /etc/tmpfiles.d/kmsg.conf"
lxc exec ${CNAME} -- bash -c "curl -sfL https://get.k3s.io | sh -s - server --snapshotter=native --disable traefik"

lxc exec ${CNAME} -- k3s kubectl get pods --all-namespaces
NAME              STATUS   ROLES                  AGE   VERSION

my-node-k3s   Ready    control-plane,master   19m   v1.27.7+k3s2
Kill containers to fix LXC shutdown issue:
vim /etc/systemd/system/[email protected]

[Unit]

Description=Kill cgroup procs on shutdown for %i

DefaultDependencies=false

Before=shutdown.target umount.target

[Service]

# Instanced units are not part of system.slice for some reason

# without this, the service isn't started at shutdown

Slice=system.slice

ExecStart=/bin/bash -c "/usr/local/bin/k3s-killall.sh"

Type=oneshot

[Install]

WantedBy=shutdown.target
lxc exec ${CNAME} -- systemctl enable [email protected]
Helm install:

lxc exec ${CNAME} -- snap install helm --classic

helm 3.10.1 from Snapcrafters✪ installed
lxc exec ${CNAME} -- bash -c "mkdir -p \${HOME}/.kube/; cat /etc/rancher/k3s/k3s.yaml > \${HOME}/.kube/config"

lxc exec ${CNAME} -- bash -c "chmod 600 \${HOME}/.kube/config"
LoadBalancer:

helm upgrade --install ingress-nginx ingress-nginx \

  --repo https://kubernetes.github.io/ingress-nginx \

  --namespace ingress-nginx --create-namespace \

  --set service.type=LoadBalancer
kubectl --namespace ingress-nginx get services -o wide -w ingress-nginx-controller

NAME                       TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                      AGE   SELECTOR

ingress-nginx-controller   LoadBalancer   10.43.128.233   10.71.214.196   80:31957/TCP,443:30437/TCP   51s   app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx

i
Install dashboard:

GITHUB_URL=https://github.com/kubernetes/dashboard/releases

VERSION_KUBE_DASHBOARD=$(curl -w '%{url_effective}' -I -L -s -S ${GITHUB_URL}/latest -o /dev/null | sed -e 's|.*/||')

sudo k3s kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/${VERSION_KUBE_DASHBOARD}/aio/deploy/recommended.yaml
Or if not working specify version:

sudo k3s kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml
vim dashboard.admin-user.yml

apiVersion: v1

kind: ServiceAccount

metadata:

  name: admin-user

  namespace: kubernetes-dashboard
vim dashboard.admin-user-role.yml

apiVersion: rbac.authorization.k8s.io/v1

kind: ClusterRoleBinding

metadata:

  name: admin-user

roleRef:

  apiGroup: rbac.authorization.k8s.io

  kind: ClusterRole

  name: cluster-admin

subjects:

- kind: ServiceAccount

  name: admin-user

  namespace: kubernetes-dashboard
k3s kubectl create -f dashboard.admin-user.yml -f dashboard.admin-user-role.yml

serviceaccount/admin-user created

clusterrolebinding.rbac.authorization.k8s.io/admin-user created
Ingress:

apiVersion: networking.k8s.io/v1

kind: Ingress

metadata:

  name: dashboard-nginx-ingress

  namespace: kubernetes-dashboard

  annotations:

    nginx.ingress.kubernetes.io/ssl-redirect: "false"

    kubernetes.io/ingress.class: "nginx"

    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

spec:

  rules:

  - host: e7470-k3s.local

    http:

      paths:

        - path: /

          pathType: Prefix

          backend:

            service:

              name: kubernetes-dashboard

              port:

                number: 443
Add your current user:

lxc config set ${CNAME} security.idmap.isolated true

lxc config set ${CNAME} security.idmap.size 200000

printf "uid $(id -u) $(id -u)\ngid $(id -g) $(id -g)" | lxc config set ${CNAME} raw.idmap -

lxc restart ${CNAME}
Create user (host) inside the container:

lxc exec ${CNAME} -- bash -c "groupadd -r k3s"

lxc exec ${CNAME} -- bash -c "chown root:k3s /etc/rancher/k3s/k3s.yaml"

lxc exec ${CNAME} -- bash -c "chmod g+r /etc/rancher/k3s/k3s.yaml"

lxc exec ${CNAME} -- bash -c "userdel ubuntu"

lxc exec ${CNAME} -- bash -c "groupadd -g $(id -g) $(id -gn)"

lxc exec ${CNAME} -- bash -c "useradd -u $(id -u) -g $(id -g) -m -G sudo $(id -un)"

lxc exec ${CNAME} -- bash -c "usermod -a -G k3s $(id -un)"

lxc exec ${CNAME} -- bash -c "mkdir /home/$(id -un)/.kube"

lxc exec ${CNAME} -- bash -c "cat /etc/rancher/k3s/k3s.yaml > /home/$(id -un)/.kube/config"

lxc exec ${CNAME} -- bash -c "chown -R $(id -u):$(id -g) /home/$(id -un)/.kube/"
Map directory:

lxc config device add ${CNAME} Projects disk source=/home/vit/1 path=/home/vit/1
Wrapper scripts:

vim ${HOME}/.local/bin/k3s

#!/usr/bin/env bash
CNAME="${CNAME:-e7470-k3s}"
lxc exec ${CNAME} --mode interactive --cwd "${PWD}" --user $(id -u) --group $(\

    lxc exec ${CNAME} -- getent group k3s | awk 'BEGIN{FS=":"}{print $3}'

  ) --env "HOME=/home/$(id -un)" -- \

  $(basename $0) $@

chmod +x ${HOME}/.local/bin/k3s ln -s ${HOME}/.local/bin/k3s .local/bin/kubectl ln -s ${HOME}/.local/bin/k3s .local/bin/helm

Errors were encountered while processing: netfilter-persistent iptables-persistent

Leave a reply

dpkg: error processing package netfilter-persistent (–configure):
installed netfilter-persistent package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of iptables-persistent:
iptables-persistent depends on netfilter-persistent (= 1.0.4+nmu2ubuntu1.1); however:
Package netfilter-persistent is not configured yet.

dpkg: error processing package iptables-persistent (–configure):
dependency problems – leaving unconfigured
Processing triggers for systemd (237-3ubuntu10.57) …
No apport report written because the error message indicates its a followup error from a previous failure.
Processing triggers for man-db (2.8.3-2ubuntu0.1) …
Processing triggers for ureadahead (0.100.0-21) …
Errors were encountered while processing:
netfilter-persistent
iptables-persistent
Updating available updates count …
E: Sub-process /usr/bin/dpkg returned an error code (1)

apt-get remove –purge netfilter-persistent
apt install iptables-persistent

The connection to the server localhost:8080 was refused – did you specify the right host or port?

Leave a reply

mkdir ~/.kube
sudo k3s kubectl config view –raw | tee ~/.kube/config
chmod 600 ~/.kube/config

mysql 8 reset root password ubuntu

Leave a reply

systemctl stop mysql.service
systemctl set-environment MYSQLD_OPTS=”–skip-networking –skip-grant-tables”
systemctl start mysql.service

ALTER USER ‘root’@’localhost’ IDENTIFIED BY ‘the-new-password’;
flush privileges;

systemctl unset-environment MYSQLD_OPTS
systemctl revert mysql.service
systemctl restart mysql.service

docker ubuntu systemctl in container

Leave a reply

docker run \ --tty \ --privileged \ --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \ robertdebock/ubuntu

Elasticsearch settings for single-node cluster

Leave a reply

Update default template:
curl -X PUT http://localhost:9200/_template/default -H ‘Content-Type: application/json’ -d ‘{“index_patterns”: [“*”],”order”: -1,”settings”: {“number_of_shards”: “1”,”number_of_replicas”: “0”}}’

If yellow indices exist, you can update them with:
curl -X PUT http://localhost:9200/_settings -H ‘Content-Type: application/json’ -d ‘{“index”: {“number_of_shards”: “1”,”number_of_replicas”: “0”}}’

If error: {“error”:{“root_cause”:[{“type”:”cluster_block_exception”,”reason”:”blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];”}],”type”:”cluster_block_exception”,”reason”:”blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];”},”status”:403}

curl -X PUT http://localhost:9200/_settings -H ‘Content-Type: application/json’ -d ‘{“index”: {“blocks”: {“read_only_allow_delete”: “false”}}}’

Device /dev/sdb excluded by a filter.

Leave a reply

vgextend my-lv /dev/sdb
Device /dev/sdb excluded by a filter.

wipefs -a /dev/sdb
/dev/sdb: 8 bytes were erased at offset 0x00000200 (gpt): 45 46 49 20 50 41 52 54
/dev/sdb: 8 bytes were erased at offset 0x77ffffe00 (gpt): 45 46 49 20 50 41 52 54
/dev/sdb: 2 bytes were erased at offset 0x000001fe (PMBR): 55 aa

vgextend my-lv /dev/sdb
Physical volume “/dev/sdb” successfully created.
Volume group “my-lv” successfully extended

ubuntu install rabbitmq

Leave a reply

curl -1sLf ‘https://dl.cloudsmith.io/public/rabbitmq/rabbitmq-erlang/setup.deb.sh’ | sudo -E bash

curl -s https://packagecloud.io/install/repositories/rabbitmq/rabbitmq-server/script.deb.sh | sudo bash
apt install rabbitmq-server

fortinet set default gw cli

Leave a reply

Fortinet_Lab # config router static Fortinet_Lab (static) # edit 1 new entry ‘1’ added Fortinet_Lab (1) # set gateway 10.80.144.1 Fortinet_Lab (1) # set dst 0.0.0.0/0 Fortinet_Lab (1) # set device port1 Fortinet_Lab (1) # end

ansible create user and upload ssh key

Leave a reply


---

- hosts: all_servers

  vars:

    ansible_python_interpreter: auto_legacy_silent

    users:

    - "user1"

    - "user2"

    - "user2"

  tasks:

  - name: "Ensure group admin exists"

    group:

      name: admin

      state: present

  - name: "Create user accounts"

    user:

      name: "{{ item }}"

      groups: "admin"

      shell: /bin/bash

    with_items: "{{ users }}"

  - name: "Add authorized keys"

    authorized_key:

      user: "{{ item }}"

      key: "{{ lookup('file', 'files/'+ item + '.pub') }}"

    with_items: "{{ users }}"

  - name: "Allow admin users to sudo without a password"

    lineinfile:

      dest: "/etc/sudoers" # path: in version 2.3

      state: "present"

      regexp: "^%admin"

      line: "%admin ALL=(ALL) NOPASSWD: ALL"
Create SSH user keys in files directory:
ssh-keygen -t rsa -f ~/files/user1.pub -C user1

ssh-keygen -t rsa -f ~/files/user2.pub -C user2

ssh-keygen -t rsa -f ~/files/user3.pub -C user3
Run ansible yaml:

ansible-playbook users_create.yaml
That will create 3 users in all_servers group with sudo privileges.