Wednesday, August 28, 2019

some tutorials on Jenkins Pipelines

https://www.youtube.com/watch?v=-GsvomI4CCQ very pragmatic Simplilearn tutorial

you can practice on https://www.katacoda.com/courses/jenkins/build-docker-images which gives you a dockerized Jenkins with console



Awesome power-jenkins tip-pack https://www.youtube.com/watch?v=6BIry0cepz4 :

- run Jenkins in Docker (jenkins/jenkins)

- select plugins you want to use (use plugins.txt to predefine a list of plugins)

- use agents, with swarm plugin to register, automate the agent provisioning and make them ephemeral

- don't use Maven jobs, because they are not reproducible

- use pipelines, with Jenkinsfile (pipeline/stages/stage/steps)

- in pipelines, do all work on agents ("agent any")

- user input stage should be run on master, to avoid blocking executors ("agent none")

- limit number of stages

- don't change $env variable, use withEnv(["hello=world"]) instead

- parameters (?)

- use parallelism for end-to-end tests and performance tests, on separate nodes

- "scripted" pipelines are Groovy-ish and meant for power users; declarative is fine for regular users

- pipelines should be small, they are orchestration tools... do the heavy stuff in shell scripts, which are easier to test

- in a pipeline everything is serializable, so it can be resumed on failure (continuation-passing style)... but some classes are not serializable, like groovy.text.StreamingTemplateEngine; then you have to wrap them

- BlueOcean plugin, with Editor for declarative pipelines

- use shared libraries in pipelines to reuse code, also reuse files

- use views to show only the jobs you are interested in

- BuildMonitor plugin to view jobs

- API in JSON or XML

- to-have plugins: BuildMonitor, Job Config History (to version freestyle jobs), Job DSL, Throttle Concurrent Builds, Timestamper, Version Number plugin & Build-name-setter



Kubernetes academy

https://kubernetes.academy/lessons/introduction-to-kubectl awesome productivity tips from John Harris

source <(kubectl completion bash)

kubectx

kubens

kube-ps1 + kubeon

#doc on a k8s object
kubectl explain pod.spec.containers.ports

#grep json
kubectl get pod -n kube-system kube-scheduler-master -ojson | jq .metadata.labels

#show custom columns
kubectl get pod -n kube-system kube-scheduler-master -o custom-columns=NAME:.metadata.name,NS:.metadata.namespace

#show labels
kubectl get pod -n kube-system --show-labels

#show column with value of given label
kubectl get pod -n kube-system -L k8s-app

#filter by label value
kubectl get pod -n kube-system -l k8s-app=kube-dns -L k8s-app

#sort by
kubectl get pod -n kube-system -l k8s-app=kube-dns --sort-by='{.status.containerStatuses[*].restartCount}'

#trace execution (very verbose)
kubectl get pod -n kube-system -l k8s-app=kube-dns --sort-by='{.status.containerStatuses[*].restartCount}' -v10
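As an added example (not part of the lesson or of this post), here is a small restart report that combines the -n, -l and custom-columns flags above and sorts with plain sort instead of --sort-by. The KUBECTL variable and the fake_kubectl stand-in are my own additions so the report logic can be exercised without a cluster; the stand-in's three pod lines are constructed, not real cluster data.

```shell
#!/bin/sh
# Added example, not from the lesson: a restart report built from the
# custom-columns, -n and -l flags shown above, sorted by restart count with
# plain sort instead of --sort-by. KUBECTL can be pointed at a stand-in
# function, so the report logic is testable without a cluster.
KUBECTL=${KUBECTL:-kubectl}

# restart_report <namespace> <label-selector>: "NAME RESTARTS", most restarts first
restart_report() {
  "$KUBECTL" get pod -n "$1" -l "$2" --no-headers \
    -o custom-columns=NAME:.metadata.name,RESTARTS:.status.containerStatuses[0].restartCount \
  | sort -k2,2nr
}

# most_restarted <namespace> <label-selector>: name of the worst pod (empty if none)
most_restarted() { restart_report "$1" "$2" | head -n 1 | cut -d' ' -f1; }

# Constructed stand-in for `kubectl get pod ... --no-headers` output (not real cluster data)
fake_kubectl() {
  cat <<'EOF'
coredns-aaaa   3
coredns-bbbb   0
coredns-cccc   7
EOF
}

# Demo against the stand-in; for a real cluster just leave KUBECTL at its default
KUBECTL=fake_kubectl restart_report kube-system k8s-app=kube-dns
```

The RESTARTS column reads the first container only; for multi-container pods add one column per container index, or fall back to --sort-by as in the lesson.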

https://kubernetes.academy/lessons/introduction-to-ingress



Monday, August 19, 2019

awesome Kubernetes Best Practices videos



there is a whole series, all equally good

Wednesday, August 14, 2019

WebLogic, dramatic reduction of TLS sessions creation by rejectClientInitiatedRenegotiation

Investigating why the TLS sessions were constantly being invalidated, removed from the cache and recreated, we found that it is WebLogic's SSLConfigUtils.configureClientInitSecureRenegotiation() that triggers this:

at sun.security.ssl.SSLSessionContextImpl.remove(SSLSessionContextImpl.java:132)
at sun.security.ssl.SSLSessionImpl.invalidate(SSLSessionImpl.java:673)
at weblogic.socket.utils.SSLConfigUtils.configureClientInitSecureRenegotiation(SSLConfigUtils.java:27)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:135)
at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:354)
at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:976)
at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:917)
at weblogic.socket.NIOSocketMuxer.process(NIOSocketMuxer.java:599)
at weblogic.socket.NIOSocketMuxer.processSockets(NIOSocketMuxer.java:563)
at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:30)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:43)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:147)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:119)


the code responsible is:

public static void configureClientInitSecureRenegotiation(SSLEngine sslEngine, boolean clientInitSecureRenegotiation)
{
  if (!IS_JDK_CLIENT_INIT_SECURE_RENEGOTIATION_PROPERTY_SET)
  {
    if ((sslEngine != null) && (!sslEngine.getUseClientMode()))
    {
      if (!clientInitSecureRenegotiation) {
        sslEngine.getSession().invalidate();
      }
      sslEngine.setEnableSessionCreation(clientInitSecureRenegotiation);
      if (isLoggable()) {
        SocketLogger.logDebug(clientInitSecureRenegotiation ? "Enabled" : "Disabled TLS client initiated secure renegotiation.");
      }
    }
  }
  else if (isLoggable()) {
    SocketLogger.logDebug("TLS client initiated secure renegotiation setting is configured with -Djdk.tls.rejectClientInitiatedRenegotiation");
  }
}


so invalidate() is called only if !clientInitSecureRenegotiation, but it appears that clientInitSecureRenegotiation (= isClientInitSecureRenegotiationAccepted) is always FALSE:





in JSSESocketFactory:

  JSSEFilterImpl getJSSEFilterImpl(Socket connectedSocket, String host, int port)
    throws IOException
  {
    SSLEngine sslEngine = getSSLEngine(host, port);
    return new JSSEFilterImpl(connectedSocket, sslEngine, true);
  }

in JSSEFilterImpl:

  public JSSEFilterImpl(Socket sock, SSLEngine engine, boolean clientMode)
    throws IOException
  {
    this(sock, engine, clientMode, false);  // parameter 4 is isClientInitSecureRenegotiationAccepted, THIS IS ALWAYS FALSE, and clientMode is always TRUE
  }

  public JSSEFilterImpl(Socket sock, SSLEngine engine, boolean clientMode, boolean isClientInitSecureRenegotiationAccepted)  // this constructor is ultimately invoked
    throws IOException
  {


so the only way to avoid the session invalidation is to have IS_JDK_CLIENT_INIT_SECURE_RENEGOTIATION_PROPERTY_SET set, so that the first branch is skipped, that is by setting -Djdk.tls.rejectClientInitiatedRenegotiation=false (true or false doesn't seem to matter for this purpose, as long as the property is set). Note that the value is security-relevant in its own right: true makes the JDK reject client-initiated renegotiation, which is the safer choice, while false keeps accepting it.


Thanks to Carlo for the excellent analysis.





Sunday, August 11, 2019

Audit the content of a series of folders against a file

the audit.txt contains the list of original files:

/media/sf_shared/bashtests/dirtoaudit/
/media/sf_shared/bashtests/dirtoaudit/dir01
/media/sf_shared/bashtests/dirtoaudit/dir01/file01_01.txt
/media/sf_shared/bashtests/dirtoaudit/dir01/file02_01.txt
/media/sf_shared/bashtests/dirtoaudit/dir02
/media/sf_shared/bashtests/dirtoaudit/dir02/file01_02.txt
/media/sf_shared/bashtests/dirtoaudit/dir02/file02_02.txt

this script checks that in the folders

/media/sf_shared/bashtests/dirtoaudit/
/media/sf_shared/bashtests/dirtoaudit/dir01
/media/sf_shared/bashtests/dirtoaudit/dir02

there are no extra files or folders:




Of course this scales very poorly... I would never dream of writing complex logic in bash, unless I was absolutely forced
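As an added example, and not the script from this post, here is one way to do the same check with find, sort and comm, which also reports the reverse case (listed files that have disappeared). The directory tree, the audit file and the planted extra entries are all constructed under a temp directory by make_fixture so it runs anywhere; point audit_extras at the real directory and audit.txt in practice.

```shell
#!/bin/sh
# Added example, not the author's script: list what is on disk but not in the
# audit file, and the reverse. The tree and audit.txt are built in a temp dir
# (make_fixture) so the example runs anywhere; use real paths in practice.

# normalise a path list: drop trailing slashes, sort in the C locale (comm needs that)
norm_paths() { sed 's:/$::' | LC_ALL=C sort -u; }

# audit_extras <dir> <audit.txt>: paths present under <dir> but absent from the list
audit_extras() {
  expected=$(mktemp)
  norm_paths < "$2" > "$expected"
  find "$1" | norm_paths | LC_ALL=C comm -23 - "$expected"
  rm -f "$expected"
}

# audit_missing <dir> <audit.txt>: paths in the list that are no longer on disk
audit_missing() {
  expected=$(mktemp)
  norm_paths < "$2" > "$expected"
  find "$1" | norm_paths | LC_ALL=C comm -13 - "$expected"
  rm -f "$expected"
}

# Constructed fixture mirroring the post's layout under a temp root
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/dirtoaudit/dir01" "$root/dirtoaudit/dir02"
  for f in dir01/file01_01.txt dir01/file02_01.txt dir02/file01_02.txt dir02/file02_02.txt; do
    : > "$root/dirtoaudit/$f"
  done
  find "$root/dirtoaudit" > "$root/audit.txt"   # the approved inventory
  : > "$root/dirtoaudit/dir02/rogue.txt"        # planted after the inventory was taken
  mkdir "$root/dirtoaudit/dir03"
  echo "$root"
}

root=$(make_fixture)
echo "extra entries:";   audit_extras  "$root/dirtoaudit" "$root/audit.txt"
echo "missing entries:"; audit_missing "$root/dirtoaudit" "$root/audit.txt"
```

Both sides are normalised the same way before comm, so a trailing slash on the root entry of audit.txt (as in the listing above) does not produce a false "extra" and "missing" pair. This still only checks presence; pairing it with rpm -V style digests is what catches modified files.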




Saturday, August 10, 2019

OpenShift CI/CD

https://www.youtube.com/watch?v=65BnTLcDAJI good video on CI/CD, part 1


https://www.youtube.com/watch?v=wSFyg6Etwx8 part 2



https://www.youtube.com/watch?v=kbbK0VEy2qM OpenShift 4 CI/CD

it is essential to have the "OpenShift Jenkins Pipeline (DSL) Plugin" installed in Jenkins: https://github.com/openshift/jenkins-client-plugin



https://www.youtube.com/watch?v=pMDiiW1UqLo Openshift Pipelines with Tekton https://cloud.google.com/tekton/ and here is the code https://github.com/openshift/pipelines-tutorial

rpm useful commands

list files installed by an INSTALLED rpm (for an UNINSTALLED rpm, add -p and provide full path to .rpm file):

rpm -ql nginx.x86_64

or also (if the rpm is not installed yet) repoquery --list nginx.x86_64

verify that the files installed by an rpm have not been tampered with

rpm -V nginx.x86_64

display the postinstall and postuninstall scripts

rpm -q --scripts nginx.x86_64

which rpm provides a given file:

rpm -q --whatprovides /usr/sbin/nginx
or also
rpm -qf /usr/sbin/nginx

for a REALLY verbose verification output:

rpm -Vvv nginx.x86_64
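The output of rpm -V is terse, so as an added example (not from the post) here is a small triage function that reads it and separates changed binaries from routine config edits and metadata-only differences. The sample_rpm_verify_output lines are constructed to look like rpm -V output for nginx; they were not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the post: triage `rpm -V` output so that changed
# binaries stand out from routine config edits. Each verify line is a 9-char
# flag string (S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime, P capabilities; '.' passed, '?' could not be tested) or the word
# "missing", then an optional attribute letter (c config, d doc, g ghost,
# l license, r readme) and the path.

triage_rpm_verify() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    flags=${line%% *}                     # "S.5....T." or "missing"
    rest=${line#"$flags"}
    rest=${rest#"${rest%%[! ]*}"}         # drop the padding spaces
    attr=""; path=$rest
    case "$rest" in
      [cdglr]" "*) attr=${rest%% *}; path=${rest#* } ;;
    esac
    if [ "$flags" = missing ]; then
      echo "HIGH missing $path"
    elif [ "$attr" = c ]; then
      echo "LOW config-edited $flags $path"   # admins edit configs; diff against backups
    else
      case "$flags" in
        S*|?M*|??5*) echo "HIGH content-changed $flags $path" ;;  # size, mode or digest differs
        *)           echo "INFO metadata-only $flags $path" ;;   # e.g. mtime, owner, caps
      esac
    fi
  done
}

# Constructed sample of `rpm -V nginx` output (not taken from a real host)
sample_rpm_verify_output() {
  cat <<'EOF'
S.5....T.  c /etc/nginx/nginx.conf
.M.......    /usr/sbin/nginx
S.5....T.    /usr/lib64/nginx/modules/ngx_http_image_filter_module.so
.......T.    /usr/share/nginx/html/index.html
missing     /usr/share/doc/nginx/README
EOF
}

# number of HIGH findings in the sample
count_high() { sample_rpm_verify_output | triage_rpm_verify | grep -c '^HIGH'; }

sample_rpm_verify_output | triage_rpm_verify
```

Run it as rpm -V nginx.x86_64 | triage_rpm_verify on a real host. Keep in mind that rpm -V trusts the local rpm database: if an attacker can rewrite that database the check is moot, so compare against a known-good package (rpm -Vp on the original .rpm) or an offline copy of the database when the host itself is in doubt.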



Ref:

http://ftp.rpm.org/max-rpm/s1-rpm-verify-what-to-verify.html


https://www.cyberciti.biz/howto/question/linux/linux-rpm-cheat-sheet.php fantastic all-in-one rpm cheat sheet

SAML and JWT

Excellent side-by-side comparison https://medium.com/@robert.broeckelmann/saml2-vs-jwt-a-comparison-254bafd98e6


Useful terminology:


https://en.wikipedia.org/wiki/Trusted_computing_base

Bearer Tokens

Holder of Key

Sender Vouches

Proof of Possession

IdP https://en.wikipedia.org/wiki/Identity_provider



Openshift RedHat plugin for Intellij

https://plugins.jetbrains.com/plugin/12030-openshift-connector-by-red-hat

Sample video on how to use it https://www.youtube.com/watch?v=kCESA7a5i3M


I keep getting the message "odo not found, do you want to download it?"; I click "yes" and nothing visible happens... even if I have odo.exe on the PATH, I still get the error message...

https://github.com/openshift/odo

It doesn't seem very popular though... very few downloads... but I don't want to use Eclipse with its JBoss OpenShift Client, I hate Eclipse...

However, Intellij has its own Cloud support for Openshift https://www.jetbrains.com/help/idea/working-with-clouds.html

CTRL-ALT-S, Cloud, Openshift

see also https://www.jetbrains.com/help/idea/run-debug-configuration-openshift-deployment.html



Openshift 4, interesting readings

https://computingforgeeks.com/red-hat-openshift-4-new-features/

https://cloudowski.com/articles/10-differences-between-openshift-and-kubernetes/

https://cloudowski.com/articles/honest-review-of-openshift-4/

https://cloudowski.com/articles/why-managing-container-images-on-openshift-is-better-than-on-kubernetes/

https://computingforgeeks.com/setup-openshift-origin-local-cluster-on-centos/ ( not working for me.... ) see also https://github.com/openshift/origin/blob/v4.0.0-alpha.0/docs/cluster_up_down.md


I have deployed https://github.com/vernetto/sbhello with OpenShift Online,
using the Catalog option "Red Hat OpenJDK 8".


.\oc.exe new-app openshift/java:8~https://github.com/vernetto/sbhello.git --name=sbhwpv3
.\oc.exe expose service sbhwpv3


https://github.com/fabric8io-images/run-java-sh



This is still a very good developer introduction https://www.youtube.com/watch?v=cY7KIEajqx4 (a bit outdated) by Grant Shipley, really intense and focused.


https://www.youtube.com/watch?v=-xJIvBpvEeE amazing on Openshift infrastructure management


https://coreos.com/ignition/docs/latest/ what is ignition

https://www.terraform.io/intro/index.html what is terraform

Thursday, August 1, 2019

Linux. find broadcast address of a given network interface

It's grotesque how in 2019 we still have to rely on primitive, ambiguous tools like grep and awk to extract information from a linux command

This is what I could come up with to "find the broadcast address of a given network interface":

ip a s dev docker0 | grep "inet.*brd" | awk '{print $4}'


To subtract 1 from IP (see here ):

cat checkip.ksh
echo "Enter ip:"
read IP_val
awk -F"/" -vvalip="$IP_val" '{if($NF==valip){split($1, A,".");A[4]-=1;VAL=A[1] OFS A[2] OFS A[3] OFS A[4]}} END{print VAL}' OFS="." ip_list



It's a mad world.

The broadcast address is always (?) the highest IP in the subnet range:
Network: 172.25.1.64/26
Broadcast: 172.25.1.127
HostMin: 172.25.1.65
HostMax: 172.25.1.126
Hosts/Net: 62

and the gateway will be (broadcast-1) = 172.25.1.126

To find out what the default gateway is:
cat /etc/sysconfig/network

initialization scripts in /etc/sysconfig/network-scripts/ifcfg-*
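Once you have the "inet a.b.c.d/n" that ip a s dev prints, the broadcast address and host range follow from the prefix alone, so no grep/awk guessing is required. As an added example (not from the post), here is that computation in plain POSIX shell arithmetic, using the post's own 172.25.1.64/26 numbers; the function names and the ipcalc-style output layout are my own. It also handles the two cases where "highest IP in the range" is not a broadcast address: /31 point-to-point links and /32 host routes. The gateway, by contrast, is a local convention, not something derivable from the prefix; read it from the routing table (ip route show default) rather than assuming broadcast-1.

```shell
#!/bin/sh
# Added example, not from the post: compute network, broadcast and host range
# of an IPv4 CIDR (the "inet a.b.c.d/n" that `ip a s dev <if>` prints) with
# plain POSIX shell arithmetic, so no grep/awk guessing is needed.

ALL_ONES=4294967295   # 0xFFFFFFFF

# dotted quad -> 32-bit integer
ip2int() {
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# 32-bit integer -> dotted quad
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_info 172.25.1.64/26 -> "Key: value" lines in the style of ipcalc
cidr_info() {
  addr=${1%/*}; prefix=${1#*/}
  case "$prefix" in
    ''|*[!0-9]*) echo "bad prefix in $1" >&2; return 1 ;;
  esac
  [ "$prefix" -le 32 ] || { echo "bad prefix in $1" >&2; return 1; }
  ipn=$(ip2int "$addr")
  if [ "$prefix" -eq 0 ]; then mask=0; else mask=$(( (ALL_ONES << (32 - prefix)) & ALL_ONES )); fi
  net=$(( ipn & mask ))
  bcast=$(( net | (ALL_ONES ^ mask) ))    # all host bits set
  echo "Network: $(int2ip "$net")/$prefix"
  if [ "$prefix" -ge 31 ]; then
    # /31 (point-to-point) and /32 have no separate broadcast address
    echo "Broadcast: none"
    echo "HostMin: $(int2ip "$net")"
    echo "HostMax: $(int2ip "$bcast")"
    echo "Hosts/Net: $(( bcast - net + 1 ))"
  else
    echo "Broadcast: $(int2ip "$bcast")"
    echo "HostMin: $(int2ip "$(( net + 1 ))")"
    echo "HostMax: $(int2ip "$(( bcast - 1 ))")"
    echo "Hosts/Net: $(( bcast - net - 1 ))"
  fi
}

# cidr_field <cidr> <Key>: pull a single value out of cidr_info
cidr_field() { cidr_info "$1" | sed -n "s|^$2: ||p"; }

cidr_info 172.25.1.64/26
```

Pipe the interface's CIDR in from ip -o -4 addr show dev docker0 (field 4) and you get the same Network/Broadcast/HostMin/HostMax table as above, computed rather than scraped.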



https://en.wikipedia.org/wiki/Broadcast_address