Wednesday, August 28, 2019

some tutorials on Jenkins Pipelines

very pragmatic Simplilearn tutorial,

you can practice on which gives you a dockerized Jenkins with console

Awesome power-jenkins tip-pack :

- run Jenkins in Docker (jenkins/jenkins)

- select plugins you want to use (use plugins.txt to predefine a list of plugins)

- use agents, with swarm plugin to register, automate the agent provisioning and make them ephemeral

- don't use Maven jobs, because they are not reproducible

- use pipelines, with Jenkinsfile (pipeline/stages/stage/steps)

- in pipelines, do all work on agents ("agent any")

- user input stage should be run on master, to avoid blocking executors ("agent none")

- limit number of stages

- don't change $env variable, use withEnv(["hello=world"]) instead

- parameters (?)

- use parallelism for end-to-end tests and performance tests, on separate nodes

- "scripted" is groovish for power user, declarative is ok for regular user

- pipelines should be small, they are orchestration tools... do the heavy stuff in shell scripts, which are easier to test

- in a pipeline everything is serializable so it can be resumed on failure (continuation-passing style)... but some classes are not serializable like groovy.text.StreamingTemplateEngine, then you have to wrap it

- BlueOcean plugin, with Editor for declarative pipelines

- use shared libraries in pipelines to reuse code, also reuse files

- use views to show only the jobs you are interested in

- BuildMonitor plugin to view jobs

- API in JSON or XML

- to-have plugins: BuildMonitor, Job Config History (to version freestyle jobs), Job DSL, Throttle Concurrent Builds, Timestamper, Version Number plugin & Build-name-setter

Kubernetes academy

awesome productivity tips from John Harris

source <(kubectl completion bash)



kube-ps1 + kubeon

#doc on a k8s object
kubectl explain pod.spec.containers.ports

#grep json
kubectl get pod -n kube-system kube-scheduler-master -ojson | jq .metadata.labels

#show custom columns
kubectl get pod -n kube-system kube-scheduler-master -o custom-columns=NS:.metadata.namespace

#show labels

kubectl get pod -n kube-system --show-labels

#show column with value of given label

kubectl get pod -n kube-system -L k8s-app

#filter by label value

kubectl get pod -n kube-system -l k8s-app=kube-dns -L k8s-app

#sort by

kubectl get pod -n kube-system -l k8s-app=kube-dns --sort-by='{.status.containerStatuses[*].restartCount}'

#trace execution (very verbose)

kubectl get pod -n kube-system -l k8s-app=kube-dns --sort-by='{.status.containerStatuses[*].restartCount}' -v10

Monday, August 19, 2019

awesome Kubernetes Best Practices videos

there is a whole series, all equally good

Wednesday, August 14, 2019

WebLogic, dramatic reduction of TLS sessions creation by rejectClientInitiatedRenegotiation

Investigating why the TLS sessions are constantly invalidated, removed from the cache and recreated, we discovered that it is WLS SSLConfigUtils.configureClientInitSecureRenegotiation() that initiates this:



at weblogic.socket.utils.SSLConfigUtils.configureClientInitSecureRenegotiation(

at weblogic.socket.JSSEFilterImpl.doHandshake(

at weblogic.socket.JSSEFilterImpl.isMessageComplete(

at weblogic.socket.SocketMuxer.readReadySocketOnce(

at weblogic.socket.SocketMuxer.readReadySocket(

at weblogic.socket.NIOSocketMuxer.process(

at weblogic.socket.NIOSocketMuxer.processSockets(


at weblogic.socket.SocketReaderRequest.execute(

at weblogic.kernel.ExecuteThread.execute(


the code responsible is:

public static void configureClientInitSecureRenegotiation(SSLEngine sslEngine, boolean clientInitSecureRenegotiation)




     if ((sslEngine != null) && (!sslEngine.getUseClientMode()))


       if (!clientInitSecureRenegotiation) {




       if (isLoggable()) {

         SocketLogger.logDebug(clientInitSecureRenegotiation ? "Enabled" : "Disabled TLS client initiated secure renegotiation.");




   else if (isLoggable()) {

     SocketLogger.logDebug("TLS client initiated secure renegotiation setting is configured with -Djdk.tls.rejectClientInitiatedRenegotiation");



so invalidate() is called only if !clientInitSecureRenegotiation, but it appears that clientInitSecureRenegotiation=isClientInitSecureRenegotiationAccepted is always FALSE

in JSSESocketFactory:
  JSSEFilterImpl getJSSEFilterImpl(Socket connectedSocket, String host, int port)

    throws IOException


    SSLEngine sslEngine = getSSLEngine(host, port);

    return new JSSEFilterImpl(connectedSocket, sslEngine, true);


in JSSEFilterImpl:

public JSSEFilterImpl(Socket sock, SSLEngine engine, boolean clientMode)

    throws IOException


    this(sock, engine, clientMode, false);  // parameter 4 is isClientInitSecureRenegotiationAccepted, THIS IS ALWAYS FALSE, and clientMode is always TRUE



  public JSSEFilterImpl(Socket sock, SSLEngine engine, boolean clientMode, boolean isClientInitSecureRenegotiationAccepted)  // this constructor is ultimately invoked

    throws IOException


so the only way to avoid session invalidation is by having IS_JDK_CLIENT_INIT_SECURE_RENEGOTIATION_PROPERTY_SET=false, that is by setting -Djdk.tls.rejectClientInitiatedRenegotiation=false (true or false doesn't seem to matter, as long as the variable is set)

Thanks to Carlo for the excellent analysis.

Sunday, August 11, 2019

Audit the content of a series of folders against a file

the audit.txt contains the list of original files:


this script checks that in the folders


there are no extra files or folders:

Of course this scales very poorly... I would never dream of writing complex logic in bash, unless I was absolutely forced
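An added example of the check described above (not the author's original script). It assumes audit.txt holds one path per line, written exactly as find prints it; the function names and the demo tree are hypothetical.

```shell
#!/bin/sh
# Added example: report files/folders that are not in the audit list.

# audit_extra LIST DIR...
#   LIST holds one known-good path per line, written as find prints it.
#   Prints every path under DIR... that LIST does not contain.
#   Returns 0 = clean, 1 = extras found, 2 = bad usage.
audit_extra() {
    list=$1
    [ "$#" -ge 2 ] && [ -r "$list" ] || return 2
    shift
    # -F fixed strings, -x whole-line match, -v keep lines NOT in LIST.
    # grep exits 1 when it prints nothing, hence the "|| true".
    extras=$(find "$@" -mindepth 1 | LC_ALL=C sort | grep -Fxv -f "$list" || true)
    [ -n "$extras" ] || return 0
    printf '%s\n' "$extras"
    return 1
}

# Constructed demo tree (hypothetical names) with drift added after the baseline.
audit_demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/app/conf" "$tmp/app/bin"
    : > "$tmp/app/conf/server.xml"
    : > "$tmp/app/bin/start.sh"
    # Baseline taken while the tree is known-good.
    (cd "$tmp" && find app -mindepth 1 | LC_ALL=C sort > audit.txt)
    # Drift: one unexpected file and one unexpected folder.
    : > "$tmp/app/bin/unexpected.sh"
    mkdir "$tmp/app/scratch"
    rc=0
    (cd "$tmp" && audit_extra audit.txt app) || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Run audit_demo to see the two unexpected paths reported. Paths containing newlines are not handled, and the list should be stored where the audited account cannot rewrite it.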

Saturday, August 10, 2019

OpenShift CI/CD

good video on CI/CD, part 1 part 2

OpenShift 4 CI/CD

It is essential to have the "OpenShift Jenkins Pipeline (DSL) Plugin" installed in Jenkins.

Openshift Pipelines with Tekton and here is the code

rpm useful commands

list files installed by an INSTALLED rpm (for an UNINSTALLED rpm, add -p and provide full path to .rpm file):

rpm -ql nginx.x86_64

or also (if the rpm is not installed yet):

repoquery --list nginx.x86_64

verify that the files installed by an rpm have not been tampered with:

rpm -V nginx.x86_64

display the postinstall and postuninstall scripts

rpm -q --scripts nginx.x86_64

which rpm provides a given file:

rpm -q --whatprovides /usr/sbin/nginx
or also
rpm -qf /usr/sbin/nginx

for a REALLY verbose verification output:

rpm -Vvv nginx.x86_64

Ref: fantastic all-in-one rpm cheat sheet
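An added example (not from the original post) that triages the output of the rpm -V command shown above, so that changed binaries stand out from routine config edits. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `rpm -V` output read from stdin.

# rpm_verify_triage: one line per reported file, prefixed with a category.
#   MISSING  file is gone
#   CONFIG   config/ghost file changed (usually an admin edit)
#   CONTENT  digest differs on a non-config file ("5" flag)
#   PERMS    mode, user or group differs ("M", "U", "G" flags)
#   INFO     anything else (mtime only, ...)
# Returns 1 if any MISSING/CONTENT/PERMS line was seen, else 0.
rpm_verify_triage() {
    awk '
    {
        flags = $1
        attr  = (NF >= 3) ? $2 : ""    # c, d, g, l or r marker when present
        path  = $NF                    # assumes no whitespace in the path
        if (flags ~ /^\.+$/)            { next }   # unchanged file (verbose mode)
        if (flags == "missing")         { print "MISSING " path; bad = 1; next }
        if (attr == "c" || attr == "g") { print "CONFIG  " path; next }
        if (flags ~ /5/)                { print "CONTENT " path; bad = 1; next }
        if (flags ~ /[MUG]/)            { print "PERMS   " path; bad = 1; next }
        print "INFO    " path
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample in the layout rpm -V prints (not captured from a real host).
sample_rpm_verify() {
    cat <<'EOF'
S.5....T.  c /etc/nginx/nginx.conf
..5....T.    /usr/sbin/nginx
.M.......    /usr/lib/systemd/system/nginx.service
missing     /usr/share/nginx/html/index.html
.......T.    /usr/share/nginx/html/50x.html
EOF
}
```

On a real host the input would be `rpm -V nginx.x86_64 | rpm_verify_triage`. The comparison is against the local rpm database, so it only detects tampering by someone who could not also modify that database.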


Excellent side-by-side comparison

Useful terminology:

Bearer Tokens

Holder of Key

Sender Vouches

Proof of Possession


Openshift RedHat plugin for Intellij

Sample video on how to use it

I keep getting the message "odo not found, do you want to download it?", I click "yes" and nothing visible happens.... even if I have odo.exe on the PATH, I still get the error message....

It doesn't seem very popular though.... very few downloads.... but I don't want to use Eclipse with its JBoss Openshift Client, I hate Eclipse...

However, Intellij has its own Cloud support for Openshift

CTRL-ALT-S, Cloud, Openshift

see also

Openshift 4, interesting readings ( not working for me.... ) see also

I have deployed with OpenShift Online,
using the Catalog option "Red Hat OpenJDK 8".

.\oc.exe new-app openshift/java:8~ --name=sbhwpv3
.\oc.exe expose service sbhwpv3

This is still a very good developer introduction (a bit outdated) by Grant Shipley, really intense and focused.

amazing on Openshift infrastructure management

what is ignition

what is terraform

Thursday, August 1, 2019

Linux. find broadcast address of a given network interface

It's grotesque how in 2019 we still have to rely on primitive, ambiguous tools like grep and awk to extract information from a linux command

This is what I could come up with to "find broadcast address of a given network interface":

ip a s dev docker0 | grep "inet.*brd" | awk '{print $4}'

To subtract 1 from IP (see here):

cat checkip.ksh
echo "Enter ip:"
read IP_val
awk -F"/" -vvalip="$IP_val" '{if($NF==valip){split($1, A,".");A[4]-=1;VAL=A[1] OFS A[2] OFS A[3] OFS A[4]}} END{print VAL}' OFS="." ip_list

It's a mad world.

The broadcast address is always (?) the highest IP in the subnet range:
Hosts/Net: 62

and the gateway will be (broadcast-1) =

To find out what the default gateway is:
cat /etc/sysconfig/network

initialization scripts in /etc/sysconfig/network-scripts/ifcfg-*
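An added example (not the author's code) for the broadcast question above: the broadcast address is the interface address with every host bit set to 1, which makes it the highest address in the subnet, and /31 and /32 networks have none. The function names are hypothetical; cidr_last_host returns broadcast minus one, the value the post uses as the gateway.

```shell
#!/bin/sh
# Added example: derive the broadcast address from ADDRESS/PREFIX with integer math.

# ip_to_int A.B.C.D -> 32-bit integer; fails on anything that is not a dotted quad.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -f; set -- $1; set +f      # split on dots without glob expansion
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*|0?*|????*) return 1 ;;   # empty, non-digit, leading zero, too long
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_broadcast ADDR/PREFIX -> highest address in the subnet (all host bits set).
cidr_broadcast() {
    addr=${1%/*}; prefix=${1#*/}
    case $prefix in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    # /31 and /32 have no broadcast address, so stop at /30.
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 30 ] || return 1
    ip=$(ip_to_int "$addr") || return 1
    hostmask=$(( (1 << (32 - $prefix)) - 1 ))
    int_to_ip $(( $ip | $hostmask ))
}

# cidr_last_host ADDR/PREFIX -> broadcast minus one (the highest usable host).
cidr_last_host() {
    bcast=$(cidr_broadcast "$1") || return 1
    int_to_ip $(( $(ip_to_int "$bcast") - 1 ))
}

# cidr_host_count ADDR/PREFIX -> usable hosts, the "Hosts/Net" figure.
cidr_host_count() {
    cidr_broadcast "$1" >/dev/null || return 1
    echo $(( (1 << (32 - ${1#*/})) - 2 ))
}
```

On a live host the same value can be read without grep or awk from the JSON output of iproute2: `ip -j addr show dev docker0 | jq -r '.[0].addr_info[] | select(.family=="inet") | .broadcast'`.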