https://takac.dev/categories/tech-tips/ Recent content in tech-tips on takac.dev Hugo -- gohugo.io Thu, 16 Dec 2021 23:00:00 +0900 https://takac.dev/docker-how-to-solve-the-trouble-of-ssh-tunnel-connection/ Thu, 16 Dec 2021 23:00:00 +0900 https://takac.dev/docker-how-to-solve-the-trouble-of-ssh-tunnel-connection/ <p>I wanted to connect to some external site via my server in AWS because the site has IP address filters as security. However my apartment doesn't have a static IP address so I came up with an idea connecting to the site via SSH tunnel and if it runs as a container in docker-compose, it’s very easy to execute by the command “docker-compose up -d.” But there was a pitfall when digging an SSH tunnel on docker. Let me share what the trap was and how to solve it.</p> <p>The command which I executed on the CLI was like this.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>ssh -4f -NL 20000:hogeadmin.work:443 takashi@myadmin.server -p <span class="m">10023</span> </code></pre></div><p>So, I made a simple container with the following Dockerfile to execute ssh client.<br> [ssh-tunnel/Dockerfile]</p> <div class="highlight"><pre class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="ln"> 1</span><span class="k">FROM</span><span class="s"> alpine:latest</span><span class="err"> </span><span class="ln"> 2</span><span class="err"> </span><span class="ln"> 3</span><span class="err"></span><span class="k">RUN</span> <span class="nb">set</span> -x <span class="se">\ </span><span class="ln"> 4</span><span class="se"></span> <span class="o">&amp;&amp;</span> apk update <span class="se">\ </span><span class="ln"> 5</span><span class="se"></span> <span class="o">&amp;&amp;</span> apk upgrade <span class="se">\ </span><span class="ln"> 6</span><span class="se"></span> <span class="o">&amp;&amp;</span> apk add --no-cache <span class="se">\ </span><span class="ln"> 7</span><span class="se"></span> openssh-client <span class="se">\ </span><span class="ln"> 8</span><span class="se"></span> ca-certificates <span class="se">\ </span><span class="ln"> 9</span><span class="se"></span> bash <span class="se">\ </span><span class="ln">10</span><span class="se"></span> bind-tools<span class="err"> </span><span class="ln">11</span><span class="err"> </span><span class="ln">12</span><span class="err"></span><span class="k">EXPOSE</span><span class="s"> 20000-20010</span><span class="err"> </span><span class="ln">13</span><span class="err"> </span><span class="ln">14</span><span class="err"></span><span class="k">ENTRYPOINT</span> <span class="p">[</span> <span class="s2">&#34;/docker-entrypoint.sh&#34;</span> <span class="p">]</span><span class="err"> </span></code></pre></div><p>And, I made a simple script as docker-entrypoint.sh.<br> [ssh-tunnel/docker-entrypoint.sh]</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span><span class="cp">#!/bin/bash </span><span class="ln"> 2</span><span class="cp"></span><span class="nv">REMOTE_HOST</span><span class="o">=</span><span class="s1">&#39;x.x.x.x&#39;</span> <span class="ln"> 3</span><span class="nv">REMOTE_USER</span><span class="o">=</span><span class="s1">&#39;user-name&#39;</span> <span class="ln"> 4</span><span class="nv">REMOTE_PORT</span><span class="o">=</span><span class="s1">&#39;10023&#39;</span> <span class="ln"> 5</span> <span class="ln"> 6</span>connect_ssh_tunnel<span class="o">(){</span> <span class="ln"> 7</span> <span class="nb">local</span> <span class="nv">local_port</span><span class="o">=</span><span class="nv">$1</span><span class="p">;</span> <span class="nb">shift</span> <span class="ln"> 8</span> <span class="nb">local</span> <span class="nv">remote_port</span><span class="o">=</span><span class="nv">$1</span><span class="p">;</span> <span class="nb">shift</span> <span class="ln"> 9</span> <span class="nb">local</span> <span class="nv">fqdn</span><span class="o">=</span><span class="nv">$1</span><span class="p">;</span> <span class="nb">shift</span> <span class="ln">10</span> <span class="ln">11</span> ssh -4f -p <span class="si">${</span><span class="nv">REMOTE_PORT</span><span class="si">}</span> -NL <span class="si">${</span><span class="nv">local_port</span><span class="si">}</span>:<span class="si">${</span><span class="nv">fqdn</span><span class="si">}</span>:<span class="si">${</span><span class="nv">remote_port</span><span class="si">}</span> <span class="si">${</span><span class="nv">REMOTE_USER</span><span class="si">}</span>@<span class="si">${</span><span class="nv">REMOTE_HOST</span><span class="si">}</span> <span class="ln">12</span><span class="o">}</span> <span class="ln">13</span> <span class="ln">14</span>connect_ssh_tunnel <span class="s1">&#39;20000&#39;</span> <span class="s1">&#39;443&#39;</span> hogeadmin.work<span class="err">&#39;</span> <span class="ln">15</span> <span class="ln">16</span><span class="c1"># To keep running</span> <span class="ln">17</span>tail -f /dev/null </code></pre></div><p>And then, I made a docker-compose.yml file like this.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln"> 1</span><span class="k">version</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;3.4&#39;</span><span class="w"> </span><span class="ln"> 2</span><span class="w"></span><span class="k">services</span><span class="p">:</span><span class="w"> </span><span class="ln"> 3</span><span class="w"> </span><span class="k">ssh-tunnel</span><span class="p">:</span><span class="w"> </span><span class="ln"> 4</span><span class="w"> </span><span class="k">build</span><span class="p">:</span><span class="w"> </span><span class="ln"> 5</span><span class="w"> </span><span class="k">context</span><span class="p">:</span><span class="w"> </span>./docker/ssh-tunnel<span class="w"> </span><span class="ln"> 6</span><span class="w"> </span><span class="k">restart</span><span class="p">:</span><span class="w"> </span>always<span class="w"> </span><span class="ln"> 7</span><span class="w"> </span><span class="k">container_name</span><span class="p">:</span><span class="w"> </span>ssh-tunnel<span class="w"> </span><span class="ln"> 8</span><span class="w"> </span><span class="k">ports</span><span class="p">:</span><span class="w"> </span><span class="ln"> 9</span><span class="w"> </span>- <span class="m">443</span><span class="p">:</span><span class="m">20000</span><span class="w"> </span><span class="ln">10</span><span class="w"> </span><span class="k">volumes</span><span class="p">:</span><span class="w"> </span><span class="ln">11</span><span class="w"> </span>- ./docker/ssh-tunnel/docker-entrypoint.sh<span class="p">:</span>/docker-entrypoint.sh<span class="p">:</span>ro<span class="w"> </span><span class="ln">12</span><span class="w"> </span>- ~/.ssh<span class="p">:</span>/root/.ssh<span class="p">:</span>ro<span class="w"> </span></code></pre></div><p>So, I run the command “docker-compose up -d” to run the container. And then, I tried to connect via curl command with the “--resolve” option.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>$ curl --resolve hogeadmin.work:443:127.0.0.1 https://hogeadmin.work/ <span class="ln">2</span>curl: <span class="o">(</span>35<span class="o">)</span> LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to hogeadmin.work </code></pre></div><p>I was confused because it’s just a simple thing but I got the above error. So, I tried to connect via the telnet command to check the port is alive or not.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>$ telnet localhost <span class="m">443</span> <span class="ln">2</span>Trying ::1... <span class="ln">3</span>Connected to localhost. <span class="ln">4</span>Escape character is <span class="s1">&#39;^]&#39;</span>. <span class="ln">5</span>Connection closed by foreign host. </code></pre></div><p>The connection was closed quickly. So, I tried to do the same thing in the container.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span>$ docker <span class="nb">exec</span> -it ssh-tunnel bash <span class="ln"> 2</span> <span class="ln"> 3</span>bash-5.1# apk update <span class="o">&amp;&amp;</span> apk add -f curl <span class="ln"> 4</span>fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz <span class="ln"> 5</span>fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz <span class="ln"> 6</span>v3.14.3-58-g7fc21b9dfb <span class="o">[</span>https://dl-cdn.alpinelinux.org/alpine/v3.14/main<span class="o">]</span> <span class="ln"> 7</span>v3.14.3-57-g005638434d <span class="o">[</span>https://dl-cdn.alpinelinux.org/alpine/v3.14/community<span class="o">]</span> <span class="ln"> 8</span>OK: <span class="m">14942</span> distinct packages available <span class="ln"> 9</span>OK: <span class="m">21</span> MiB in <span class="m">40</span> packages <span class="ln">10</span> <span class="ln">11</span>bash-5.1# curl localhost:20000 <span class="ln">12</span>&lt;html&gt; <span class="ln">13</span>&lt;head&gt;&lt;title&gt;400 The plain HTTP request was sent to HTTPS port&lt;/title&gt;&lt;/head&gt; <span class="ln">14</span>&lt;body&gt; <span class="ln">15</span>&lt;center&gt;&lt;h1&gt;400 Bad Request&lt;/h1&gt;&lt;/center&gt; <span class="ln">16</span>&lt;center&gt;The plain HTTP request was sent to HTTPS port&lt;/center&gt; <span class="ln">17</span>&lt;/body&gt; <span class="ln">18</span>&lt;/html&gt; </code></pre></div><p>I got the HTTP response as the above. So, the SSH tunnel in itself works correctly but it’s not able to connect via the mapped port which is defined in the docker-compose.yml file. So, I searched about the ssh client command and I realized that the “-L” option has the optional parameter called “bind_address.” So, I add &quot;0.0.0.0&quot; as bind address to the command in the script like this.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>connect_ssh_tunnel<span class="o">(){</span> <span class="ln">2</span> <span class="nb">local</span> <span class="nv">local_port</span><span class="o">=</span><span class="nv">$1</span><span class="p">;</span> <span class="nb">shift</span> <span class="ln">3</span> <span class="nb">local</span> <span class="nv">remote_port</span><span class="o">=</span><span class="nv">$1</span><span class="p">;</span> <span class="nb">shift</span> <span class="ln">4</span> <span class="nb">local</span> <span class="nv">fqdn</span><span class="o">=</span><span class="nv">$1</span><span class="p">;</span> <span class="nb">shift</span> <span class="ln">5</span> <span class="ln">6</span> ssh -4f -p <span class="si">${</span><span class="nv">REMOTE_PORT</span><span class="si">}</span> -NL 0.0.0.0:<span class="si">${</span><span class="nv">local_port</span><span class="si">}</span>:<span class="si">${</span><span class="nv">fqdn</span><span class="si">}</span>:<span class="si">${</span><span class="nv">remote_port</span><span class="si">}</span> <span class="si">${</span><span class="nv">REMOTE_USER</span><span class="si">}</span>@<span class="si">${</span><span class="nv">REMOTE_HOST</span><span class="si">}</span> <span class="ln">7</span><span class="o">}</span> </code></pre></div><p>And then, I restarted the docker-compose and tried again.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span>$ curl --resolve hogeadmin.work:443:127.0.0.1 https://hogeadmin.work/ <span class="ln"> 2</span>&lt;!DOCTYPE HTML&gt; <span class="ln"> 3</span>&lt;html <span class="nv">lang</span><span class="o">=</span><span class="s2">&#34;ja&#34;</span>&gt; <span class="ln"> 4</span> &lt;head&gt; <span class="ln"> 5</span> &lt;meta <span class="nv">charset</span><span class="o">=</span><span class="s2">&#34;utf-8&#34;</span>&gt; <span class="ln"> 6</span> &lt;/meta&gt; <span class="ln"> 7</span> &lt;/head&gt; <span class="ln"> 8</span> &lt;body&gt; <span class="ln"> 9</span> Forbidden <span class="ln">10</span> &lt;/body&gt; <span class="ln">11</span>&lt;/html&gt; </code></pre></div><p>Finally, I got the HTTP response so it works as I expected. However this way is simple way so it has some problems as follows.</p> <ul> <li>It’s impossible to get access to some multiple sites at the same time</li> <li>It will be a problem when the 443/tcp port is already used in other purpose</li> </ul> <p>But I have a solution that is a little bit complicated so I’ll share the way in another article in this blog in the near future.</p> https://takac.dev/docker-how-to-install-packages-to-busybox-image/ Sat, 07 Aug 2021 23:00:00 +0900 https://takac.dev/docker-how-to-install-packages-to-busybox-image/ <p><a href="https://hub.docker.com/_/busybox" target="_blank">Busybox image</a> is very useful to execute a simple binary on Docker because the image size is quite small. However there's no commands like apt-get or yum to install additional packages. So, if it's necessary to do that, using <a href="https://hub.docker.com/_/alpine" target="_blank">Alpine Linux image</a> is the best choice instead of <a href="https://hub.docker.com/_/busybox" target="_blank">Busybox image</a> . Let me share why is it and what we should do when it's necessary.</p> <p>First, what's &quot;busybox&quot; exactly? According to the <a href="https://www.busybox.net/about.html" target="_blank">official site</a> , it said &quot;BusyBox combines tiny versions of many common UNIX utilities into a single small executable.&quot; And also they said it's &quot;The Swiss Army Knife of Embedded Linux.&quot; It means that it's a &quot;tool&quot; not a &quot;distribution.&quot; On the other hand, Alpine Linux's <a href="https://alpinelinux.org/about/" target="_blank">official site</a> said &quot;Alpine Linux is a security-oriented, lightweight Linux distribution based on <a href="https://musl.libc.org/" target="_blank">musl libc</a> and <a href="https://www.busybox.net/about.html" target="_blank">busybox</a> .&quot; And also, as you know, Alpine Linux has the package management command &quot;apk.&quot; So, it means the following.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>Alpine Linux = BusyBox + musl libc + apk </code></pre></div><p>So, don't try to install some packages to <a href="https://hub.docker.com/_/busybox" target="_blank">Busybox image</a> . When you want to install something as a package, you should use <a href="https://hub.docker.com/_/alpine" target="_blank">Alpine Linux image</a> instead of <a href="https://hub.docker.com/_/busybox" target="_blank">Busybox image</a> . Of course, you can also use other images like Ubuntu, Debian, CentOS and so on but you should accept that its image size is going to be bigger than <a href="https://hub.docker.com/_/alpine" target="_blank">Alpine Linux image</a> .</p> https://takac.dev/prometheus-how-to-solve-blackbox-exporter-icmp-ping-failure/ Wed, 28 Jul 2021 23:00:00 +0900 https://takac.dev/prometheus-how-to-solve-blackbox-exporter-icmp-ping-failure/ <p>I set up my blackbox exporter to monitor some network appliances via ICMP but its RTT was always zero. I'll share how to investigate this problem and solve it.</p> <p>First I added the following module setting to blackbox.yml because I've never used ICMP monitoring before.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln">1</span><span class="k">modules</span><span class="p">:</span><span class="w"> </span><span class="ln">2</span><span class="w"> </span><span class="k">icmp</span><span class="p">:</span><span class="w"> </span><span class="ln">3</span><span class="w"> </span><span class="k">prober</span><span class="p">:</span><span class="w"> </span>icmp<span class="w"> </span><span class="ln">4</span><span class="w"> </span><span class="k">timeout</span><span class="p">:</span><span class="w"> </span>5s<span class="w"> </span></code></pre></div><p>Then, I added the following setting to the Prometheus configuration file.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln">1</span><span class="w"> </span>- <span class="k">job_name</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;icmp_check&#39;</span><span class="w"> </span><span class="ln">2</span><span class="w"> </span><span class="k">metrics_path</span><span class="p">:</span><span class="w"> </span>/probe<span class="w"> </span><span class="ln">3</span><span class="w"> </span><span class="k">params</span><span class="p">:</span><span class="w"> </span><span class="ln">4</span><span class="w"> </span><span class="k">module</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>icmp<span class="p">]</span><span class="w"> </span><span class="ln">5</span><span class="w"> </span><span class="k">static_configs</span><span class="p">:</span><span class="w"> </span><span class="ln">6</span><span class="w"> </span>- <span class="k">targets</span><span class="p">:</span><span class="w"> </span><span class="ln">7</span><span class="w"> </span>- <span class="s1">&#39;target01.hoge&#39;</span><span class="w"> </span><span class="ln">8</span><span class="w"> </span>- <span class="s1">&#39;target02.hoge&#39;</span><span class="w"> </span></code></pre></div><p>I restarted the Prometheus and the blackbox exporter and Prometheus got started to monitor the above two network appliances. Then, I searched its result by the following query on Prometheus's web UI.</p> <div class="highlight"><pre class="chroma"><code class="language-fallback" data-lang="fallback"><span class="ln">1</span>probe_icmp_duration_seconds{job=&#34;icmp_check&#34;, phase=&#34;rtt&#34;} </code></pre></div><p>However, the second one's value had not been captured correctly even though the first one was correct. Actually the 'rtt' was always zero. So, I tried to execute the ping command in the blackbox-exporter's container but the result was no problem. I was not sure why it happened so I decided to add the debug flag to the blackbox-exporter in my docker-compose.yml file like this.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln"> 1</span><span class="w"> </span><span class="k">blackbox-exporter</span><span class="p">:</span><span class="w"> </span><span class="ln"> 2</span><span class="w"> </span><span class="k">container_name</span><span class="p">:</span><span class="w"> </span>blackbox-exporter<span class="w"> </span><span class="ln"> 3</span><span class="w"> </span><span class="k">build</span><span class="p">:</span><span class="w"> </span>./blackbox_exporter<span class="w"> </span><span class="ln"> 4</span><span class="w"> </span><span class="k">restart</span><span class="p">:</span><span class="w"> </span>always<span class="w"> </span><span class="ln"> 5</span><span class="w"> </span><span class="k">ports</span><span class="p">:</span><span class="w"> </span><span class="ln"> 6</span><span class="w"> </span>- <span class="s2">&#34;9115:9115&#34;</span><span class="w"> </span><span class="ln"> 7</span><span class="w"> </span><span class="k">command</span><span class="p">:</span><span class="w"> </span><span class="ln"> 8</span><span class="w"> </span>- <span class="s2">&#34;--log.level=debug&#34;</span><span class="w"> </span><span class="ln"> 9</span><span class="w"> </span><span class="k">sysctls</span><span class="p">:</span><span class="w"> </span><span class="ln">10</span><span class="w"> </span><span class="k">net.ipv4.ping_group_range</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0 2147483647&#34;</span><span class="w"> </span></code></pre></div><p>After restarting the blackbox-exporter, I got the following logs.</p> <div class="highlight"><pre class="chroma"><code class="language-fallback" data-lang="fallback"><span class="ln">1</span>ts=2021-07-01T03:00:00.890Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Beginning probe&#34; probe=icmp timeout_seconds=5 <span class="hl"><span class="ln">2</span>ts=2021-07-01T03:00:00.890Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Resolving target address&#34; ip_protocol=ip6 </span><span class="hl"><span class="ln">3</span>ts=2021-07-01T03:00:00.892Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Resolved target address&#34; ip=xxxx:xxxx:xxxx:xxxx::1 </span><span class="ln">4</span>ts=2021-07-01T03:00:00.892Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Creating socket&#34; <span class="ln">5</span>ts=2021-07-01T03:00:00.892Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Creating ICMP packet&#34; seq=57536 id=40265 <span class="ln">6</span>ts=2021-07-01T03:00:00.892Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Writing out packet&#34; <span class="hl"><span class="ln">7</span>ts=2021-07-01T03:00:00.892Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Error writing to socket&#34; err=&#34;write udp [::]:560-&gt;[xxxx:xxxx:xxxx:xxxx::1]:0: sendto: cannot assign requested address&#34; </span><span class="ln">8</span>ts=2021-07-01T03:00:00.892Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Probe failed&#34; duration_seconds=0.001720556 <span class="ln">9</span>ts=2021-07-01T03:07:19.099Z </code></pre></div><p>And I realized that the second one's FQDN was solved as an IPv6 address. It caused the error because Docker uses the IPv4 only as default. So, it couldn't create a socket to send ICMP packets. That's why I added the following setting to the blackbox.yml file to use IPv4 preferably.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln">1</span><span class="k">modules</span><span class="p">:</span><span class="w"> </span><span class="ln">2</span><span class="w"> </span><span class="k">icmp</span><span class="p">:</span><span class="w"> </span><span class="ln">3</span><span class="w"> </span><span class="k">prober</span><span class="p">:</span><span class="w"> </span>icmp<span class="w"> </span><span class="ln">4</span><span class="w"> </span><span class="k">timeout</span><span class="p">:</span><span class="w"> </span>5s<span class="w"> </span><span class="ln">5</span><span class="w"> </span><span class="k">icmp</span><span class="p">:</span><span class="w"> </span><span class="ln">6</span><span class="w"> </span><span class="k">preferred_ip_protocol</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ip4&#34;</span><span class="w"> </span></code></pre></div><p>Then, I restarted the blackbox-exporter again and checked the logs.</p> <div class="highlight"><pre class="chroma"><code class="language-fallback" data-lang="fallback"><span class="ln">1</span>ts=2021-07-01T03:16:27.891Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Beginning probe&#34; probe=icmp timeout_seconds=5 <span class="hl"><span class="ln">2</span>ts=2021-07-01T03:16:27.891Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Resolving target address&#34; ip_protocol=ip4 </span><span class="hl"><span class="ln">3</span>ts=2021-07-01T03:16:27.892Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Resolved target address&#34; ip=xxx.xxx.xxx.xxx </span><span class="ln">4</span>ts=2021-07-01T03:16:27.892Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Creating socket&#34; <span class="ln">5</span>ts=2021-07-01T03:16:27.892Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Creating ICMP packet&#34; seq=39633 id=48931 <span class="ln">6</span>ts=2021-07-01T03:16:27.892Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Writing out packet&#34; <span class="ln">7</span>ts=2021-07-01T03:16:27.892Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Waiting for reply packets&#34; <span class="ln">8</span>ts=2021-07-01T03:16:27.997Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Found matching reply packet&#34; <span class="ln">9</span>ts=2021-07-01T03:16:27.997Z caller=main.go:180 module=icmp target=target02.hoge level=debug msg=&#34;Probe succeeded&#34; duration_seconds=0.106222366 </code></pre></div><p>The exporter used the IPv4 address as I expected. So, I searched its result by the following query on the web UI again.</p> <div class="highlight"><pre class="chroma"><code class="language-fallback" data-lang="fallback"><span class="ln">1</span>probe_icmp_duration_seconds{job=&#34;icmp_check&#34;, phase=&#34;rtt&#34;} </code></pre></div><p>Finally, the value has been captured correctly. Last, don't forget to turn off the debug log setting for blackbox-exporter to avoid filling up the disk.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln">1</span><span class="w"> </span><span class="k">blackbox-exporter</span><span class="p">:</span><span class="w"> </span><span class="ln">2</span><span class="w"> </span><span class="k">container_name</span><span class="p">:</span><span class="w"> </span>blackbox-exporter<span class="w"> </span><span class="ln">3</span><span class="w"> </span><span class="k">build</span><span class="p">:</span><span class="w"> </span>./blackbox_exporter<span class="w"> </span><span class="ln">4</span><span class="w"> </span><span class="k">restart</span><span class="p">:</span><span class="w"> </span>always<span class="w"> </span><span class="ln">5</span><span class="w"> </span><span class="k">ports</span><span class="p">:</span><span class="w"> </span><span class="ln">6</span><span class="w"> </span>- <span class="s2">&#34;9115:9115&#34;</span><span class="w"> </span><span class="ln">7</span><span class="w"> </span><span class="c"># command:</span><span class="w"> </span><span class="ln">8</span><span class="w"> </span><span class="c"># - &#34;--log.level=debug&#34;</span><span class="w"> </span></code></pre></div> https://takac.dev/fluentd-warning-on-parser-filter-nested-repeat-operator-and-was-replaced-with-in-regular-expression/ Wed, 19 May 2021 00:35:00 +0900 https://takac.dev/fluentd-warning-on-parser-filter-nested-repeat-operator-and-was-replaced-with-in-regular-expression/ <p>I needed to add parser settings for CoreDNS working on my Kubernetes cluster for troubleshooting but I got an error &quot;nested repeat operator '+' and '' was replaced with '' in regular expression.&quot; I had no idea why it happened because the additional regular expression was valid. The cause of the error was my mistake so let me share what’s the cause of?</p> <p>First, I added log setting to the CoreDNS configuration like this.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span>$ kubectl get configmaps -n kube-system coredns -o yaml <span class="ln"> 2</span>apiVersion: v1 <span class="ln"> 3</span>data: <span class="ln"> 4</span> Corefile: <span class="p">|</span> <span class="ln"> 5</span> .:53 <span class="o">{</span> <span class="ln"> 6</span> log <span class="ln"> 7</span> <span class="ln"> 8</span> errors <span class="ln"> 9</span> health <span class="o">{</span> <span class="ln">10</span> lameduck 5s <span class="ln">11</span> <span class="o">}</span> <span class="ln">12</span> ready <span class="ln">13</span> : <span class="ln">14</span> : </code></pre></div><p>And then, I restarted the pod and got logs like this.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>[INFO] 172.31.57.199:54169 - 1916 &#34;A IN dynamodb.us-west-2.amazonaws.com. udp 50 false 512&#34; NOERROR qr,rd,ra 98 0.000921506s </code></pre></div><p>So, I create a regular expression string and test it on <a href="https://fluentular.herokuapp.com/">https://fluentular.herokuapp.com/</a>. Then, added the following filter to the Fluentd configuration.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln"> 1</span>&lt;filter **&gt; <span class="ln"> 2</span> @type parser <span class="ln"> 3</span> key_name log <span class="ln"> 4</span> reserve_data true <span class="ln"> 5</span> replace_invalid_sequence true <span class="ln"> 6</span> &lt;parse&gt; <span class="ln"> 7</span> @type multi_format <span class="ln"> 8</span> &lt;pattern&gt; <span class="ln"> 9</span> format regexp <span class="ln">10</span> expression /^\[(?&lt;severity&gt;\S+)\] (?&lt;remote&gt;\d+\.\d+\.\d+\.\d+):(?&lt;port&gt;\d+) +- (?&lt;id&gt;\d+) +*&#34;(?&lt;type&gt;\S+) +(?&lt;class&gt;\S+) +(?&lt;name&gt;[^ ]+)\. +(?&lt;proto&gt;\S+) +(?&lt;size&gt;\d+) +(?&lt;do&gt;\S+) +(?&lt;bufsize&gt;\d+)&#34; +(?&lt;rcode&gt;\S+) +(?&lt;rflags&gt;[^ ]+) +(?&lt;rsize&gt;\d+) +(?&lt;duration&gt;\d+\.\d+)s$/ <span class="ln">11</span> &lt;/pattern&gt; <span class="ln">12</span> : <span class="ln">13</span> : </code></pre></div><p>After reloading the fluentd pod, then the following error appeared.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>2021-05-17 08:57:06 +0000 [info]: adding filter pattern=&#34;**&#34; type=&#34;parser&#34; <span class="ln">2</span>/usr/local/bundle/gems/fluentd-1.11.4/lib/fluent/config/types.rb:92: warning: nested repeat operator &#39;+&#39; and &#39;*&#39; was replaced with &#39;*&#39; in regular expression </code></pre></div><p>So, I deleted the expression and then I paste each element of the regular expression from the beginning one by one and then I found out the cause of the problem is &quot;(?<id>\d+) +*&quot;(?<type>\S+).&quot; As you see, there is &quot;+*&quot; as my mistake. So, I modify the part like this.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>^\[(?&lt;severity&gt;\S+)\] (?&lt;remote&gt;\d+\.\d+\.\d+\.\d+):(?&lt;port&gt;\d+) +- (?&lt;id&gt;\d+) +&#34;(?&lt;type&gt;\S+) +(?&lt;class&gt;\S+) +(?&lt;name&gt;[^ ]+)\. +(?&lt;proto&gt;\S+) +(?&lt;size&gt;\d+) +(?&lt;do&gt;\S+) +(?&lt;bufsize&gt;\d+)&#34; +(?&lt;rcode&gt;\S+) +(?&lt;rflags&gt;[^ ]+) +(?&lt;rsize&gt;\d+) +(?&lt;duration&gt;\d+\.\d+)s$ </code></pre></div><p>And then, I restarted the pod and the errors didn’t appear.</p> https://takac.dev/php-fatal-error-when-build-docker-image-with-composer/ Fri, 07 May 2021 00:25:00 +0900 https://takac.dev/php-fatal-error-when-build-docker-image-with-composer/ <p>I saw this news about the serious vulnerability in composer which is PHP package management software.</p> <p><a href="https://www.bankinfosecurity.com/php-composer-flaw-that-could-affect-millions-sites-patched-a-16523">https://www.bankinfosecurity.com/php-composer-flaw-that-could-affect-millions-sites-patched-a-16523</a></p> <p>So, I wanted to update composer in my Dockerfile but I realized that I already specified the version as follows.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>curl -sS https://getcomposer.org/installer <span class="p">|</span> php -- --install-dir<span class="o">=</span>/usr/bin --filename<span class="o">=</span>composer --version<span class="o">=</span>1.10.16 </code></pre></div><p>Because it was a workaround for an error related to hirak/prestissimo which I did before. So, I deleted it and built the Docker image again but I got a different error as follows.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>#14 281.5 122/122 [============================] 100% - Installing kylekatarnls/update-helper (1.2.0): Extracting archive <span class="ln">2</span>#14 281.5 <span class="ln">3</span>#14 281.5 Fatal error: Class UpdateHelper\ComposerPlugin contains 2 abstract methods and must therefore be declared abstract or implement the remaining methods (Composer\Plugin\PluginInterface::deactivate, Composer\Plugin\PluginInterface::uninstall) in … </code></pre></div><p>It looks some problem about kylekatarnls/update-helper library. So, I searched about the library and I found a clue on GitHub.</p> <p><a href="https://github.com/kylekatarnls/update-helper/issues/7">https://github.com/kylekatarnls/update-helper/issues/7</a></p> <p>So, I deleted composer.lock file and built the image again. Then the problem was solved. The above page said I need to delete the ‘vendor’ directory but it’s not necessary for docker build because it will be generated newly.</p> https://takac.dev/python-got-attributeerror-when-accessing-app-store-connect-api-using-appstoreconnect-library/ Thu, 06 May 2021 23:55:00 +0900 https://takac.dev/python-got-attributeerror-when-accessing-app-store-connect-api-using-appstoreconnect-library/ <p>I created a small Python program to get data via the App Store Connect API for report automation with the appstoreconnect library. After update recently, I got the following error.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln"> 1</span>Traceback (most recent call last): <span class="ln"> 2</span> File &#34;/app/./main.py&#34;, line 88, in &lt;module&gt; <span class="ln"> 3</span> APP_STORECONNECT_API.execute() <span class="ln"> 4</span> File &#34;/app/app_store_connect.py&#34;, line 176, in execute <span class="ln"> 5</span> api = Api(self.API_KEY, self.CERT_FILE, self.ISSUER_ID) <span class="ln"> 6</span> File &#34;/usr/local/lib/python3.9/site-packages/appstoreconnect/api.py&#34;, line 51, in __init__ <span class="ln"> 7</span> token = self.token # generate first token <span class="ln"> 8</span> File &#34;/usr/local/lib/python3.9/site-packages/appstoreconnect/api.py&#34;, line 269, in token <span class="ln"> 9</span> self._token = self._generate_token() <span class="ln">10</span> File &#34;/usr/local/lib/python3.9/site-packages/appstoreconnect/api.py&#34;, line 64, in _generate_token <span class="ln">11</span> return jwt.encode({&#39;iss&#39;: self.issuer_id, &#39;exp&#39;: exp, &#39;aud&#39;: &#39;appstoreconnect-v1&#39;}, key, <span class="ln">12</span>AttributeError: &#39;str&#39; object has no attribute &#39;decode&#39; </code></pre></div><p>It depends on the above error, the problem happened here.</p> <p><a href="https://github.com/Ponytech/appstoreconnectapi/blob/0916ac75790b13cf6c89617209a1a6c2db1f16d1/appstoreconnect/api.py#L79-L80">https://github.com/Ponytech/appstoreconnectapi/blob/0916ac75790b13cf6c89617209a1a6c2db1f16d1/appstoreconnect/api.py#L79-L80</a></p> <p>And the author already realized about this issue.</p> <p><a href="https://github.com/Ponytech/appstoreconnectapi/issues/37">https://github.com/Ponytech/appstoreconnectapi/issues/37</a></p> <p>He said the cause of the problem is the type of return value was changed in the JWT library from byte to string since 2.0. So, I thought I should specify a version of JWT which is the latest before 2.0. And then, I checked the version history here.</p> <p><a href="https://pypi.org/project/PyJWT/#history">https://pypi.org/project/PyJWT/#history</a></p> <p>The latest 1.x version is 1.7.1 so I specified it explicitly when executing the pip command in my Dockerfile like this.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>pip install <span class="nv">PyJWT</span><span class="o">==</span>1.7.1 </code></pre></div><p>The problem was solved. So, this is one of the workarounds for now about this issue.</p> https://takac.dev/example-of-selenium-with-python-on-docker-with-latest-firefox/ Wed, 28 Apr 2021 00:24:00 +0900 https://takac.dev/example-of-selenium-with-python-on-docker-with-latest-firefox/ <p>This is an example of how to run the Selenium with Python on Docker with the latest FireFox and its geckodriver.</p> <p>The official Python docker image is based on Debian 10 (Buster)</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>$ docker run -i --rm python:3.9 cat /etc/os-release <span class="p">|</span> grep <span class="nv">VERSION</span><span class="o">=</span> <span class="ln">2</span><span class="nv">VERSION</span><span class="o">=</span><span class="s2">&#34;10 (buster)&#34;</span> </code></pre></div><p>In this image, the installable FireFox package by the default registered repository is the ESR version which stands for Extended Support Release. It’s like LTS on Ubuntu and this version is not up-to-date. At the time of this writing, the latest version is 87 but the ESR is 78.10.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>$ docker run -it --rm python:3.9 sh -c <span class="s2">&#34;apt update; apt search firefox | grep firefox-esr/stable&#34;</span> <span class="ln">2</span>firefox-esr/stable 78.10.0esr-1~deb10u1 amd64 </code></pre></div><p>And also, geckodriver which is necessary to use by Selenium is not included. That’s why I needed to install manually. Here is a Dockerfile example.</p> <div class="highlight"><pre class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="ln"> 1</span><span class="k">FROM</span><span class="s"> python:3.9</span><span class="err"> </span><span class="ln"> 2</span><span class="err"></span> <span class="err"> </span><span class="ln"> 3</span><span class="err"></span><span class="k">ENV</span> DEBIAN_FRONTEND noninteractive<span class="err"> </span><span class="ln"> 4</span><span class="err"></span><span class="k">ENV</span> GECKODRIVER_VER v0.29.0<span class="err"> </span><span class="ln"> 5</span><span class="err"></span><span class="k">ENV</span> FIREFOX_VER 87.0<span class="err"> </span><span class="ln"> 6</span><span class="err"></span> <span class="err"> </span><span class="ln"> 7</span><span class="err"></span><span class="k">RUN</span> <span class="nb">set</span> -x <span class="se">\ </span><span class="ln"> 8</span><span class="se"></span> <span class="o">&amp;&amp;</span> apt update <span class="se">\ </span><span class="ln"> 9</span><span class="se"></span> <span class="o">&amp;&amp;</span> apt upgrade -y <span class="se">\ </span><span class="ln">10</span><span class="se"></span> <span class="o">&amp;&amp;</span> apt install -y <span class="se">\ </span><span class="ln">11</span><span class="se"></span> firefox-esr <span class="se">\ </span><span class="ln">12</span><span class="se"></span> <span class="o">&amp;&amp;</span> pip install <span class="se">\ </span><span class="ln">13</span><span class="se"></span> requests <span class="se">\ </span><span class="ln">14</span><span class="se"></span> selenium <span class="se">\ </span><span class="ln">15</span><span class="se"></span> <span class="err"> </span><span class="ln">16</span><span class="err"></span><span class="c"># Add latest FireFox</span><span class="err"> </span><span class="ln">17</span><span class="err"></span><span class="k">RUN</span> <span class="nb">set</span> -x <span class="se">\ </span><span class="ln">18</span><span class="se"></span> <span class="o">&amp;&amp;</span> apt install -y <span class="se">\ </span><span class="ln">19</span><span class="se"></span> libx11-xcb1 <span class="se">\ </span><span class="ln">20</span><span class="se"></span> libdbus-glib-1-2 <span class="se">\ </span><span class="ln">21</span><span class="se"></span> <span class="o">&amp;&amp;</span> curl -sSLO https://download-installer.cdn.mozilla.net/pub/firefox/releases/<span class="si">${</span><span class="nv">FIREFOX_VER</span><span class="si">}</span>/linux-x86_64/en-US/firefox-<span class="si">${</span><span class="nv">FIREFOX_VER</span><span class="si">}</span>.tar.bz2 <span class="se">\ </span><span class="ln">22</span><span class="se"></span> <span class="o">&amp;&amp;</span> tar -jxf firefox-* <span class="se">\ </span><span class="ln">23</span><span class="se"></span> <span class="o">&amp;&amp;</span> mv firefox /opt/ <span class="se">\ </span><span class="ln">24</span><span class="se"></span> <span class="o">&amp;&amp;</span> chmod <span class="m">755</span> /opt/firefox <span class="se">\ </span><span class="ln">25</span><span class="se"></span> <span class="o">&amp;&amp;</span> chmod <span class="m">755</span> /opt/firefox/firefox<span class="err"> </span><span class="ln">26</span><span class="err"></span> <span class="err"> </span><span class="ln">27</span><span class="err"></span><span class="c"># Add geckodriver</span><span class="err"> </span><span class="ln">28</span><span class="err"></span><span class="k">RUN</span> <span class="nb">set</span> -x <span class="se">\ </span><span class="ln">29</span><span class="se"></span> <span class="o">&amp;&amp;</span> curl -sSLO https://github.com/mozilla/geckodriver/releases/download/<span class="si">${</span><span class="nv">GECKODRIVER_VER</span><span class="si">}</span>/geckodriver-<span class="si">${</span><span class="nv">GECKODRIVER_VER</span><span class="si">}</span>-linux64.tar.gz <span class="se">\ </span><span class="ln">30</span><span class="se"></span> <span class="o">&amp;&amp;</span> tar zxf geckodriver-*.tar.gz <span class="se">\ </span><span class="ln">31</span><span class="se"></span> <span class="o">&amp;&amp;</span> mv geckodriver /usr/bin/<span class="err"> </span><span class="ln">32</span><span class="err"></span> <span class="err"> </span><span class="ln">33</span><span class="err"></span><span class="k">COPY</span> ./app /app<span class="err"> </span><span class="ln">34</span><span class="err"></span> <span class="err"> </span><span class="ln">35</span><span class="err"></span><span class="k">WORKDIR</span><span class="s"> /app</span><span class="err"> </span><span class="ln">36</span><span class="err"></span> <span class="err"> </span><span class="ln">37</span><span class="err"></span><span class="k">CMD</span> python ./main.py<span class="err"> </span></code></pre></div><p>And this is an example using Selenium in Python code. [app/scraper.py]</p> <div class="highlight"><pre class="chroma"><code class="language-python" data-lang="python"><span class="ln"> 1</span><span class="kn">from</span> <span class="nn">selenium</span> <span class="kn">import</span> <span class="n">webdriver</span> <span class="ln"> 2</span><span class="kn">from</span> <span class="nn">selenium.webdriver.firefox.options</span> <span class="kn">import</span> <span class="n">Options</span> <span class="ln"> 3</span><span class="kn">from</span> <span class="nn">selenium.webdriver.firefox.firefox_binary</span> <span class="kn">import</span> <span class="n">FirefoxBinary</span> <span class="ln"> 4</span><span class="kn">import</span> <span class="nn">time</span> <span class="ln"> 5</span> <span class="ln"> 6</span><span class="c1"># FireFox binary path (Must be absolute path)</span> <span class="ln"> 7</span><span class="n">FIREFOX_BINARY</span> <span class="o">=</span> <span class="n">FirefoxBinary</span><span class="p">(</span><span class="s1">&#39;/opt/firefox/firefox&#39;</span><span class="p">)</span> <span class="ln"> 8</span> <span class="ln"> 9</span><span class="c1"># FireFox PROFILE</span> <span class="ln">10</span><span class="n">PROFILE</span> <span class="o">=</span> <span class="n">webdriver</span><span class="o">.</span><span class="n">FirefoxProfile</span><span class="p">()</span> <span class="ln">11</span><span class="n">PROFILE</span><span class="o">.</span><span class="n">set_preference</span><span class="p">(</span><span class="s2">&#34;browser.cache.disk.enable&#34;</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span> <span class="ln">12</span><span class="n">PROFILE</span><span class="o">.</span><span class="n">set_preference</span><span class="p">(</span><span class="s2">&#34;browser.cache.memory.enable&#34;</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span> <span class="ln">13</span><span class="n">PROFILE</span><span class="o">.</span><span class="n">set_preference</span><span class="p">(</span><span class="s2">&#34;browser.cache.offline.enable&#34;</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span> <span class="ln">14</span><span class="n">PROFILE</span><span class="o">.</span><span class="n">set_preference</span><span class="p">(</span><span class="s2">&#34;network.http.use-cache&#34;</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span> <span class="ln">15</span><span class="n">PROFILE</span><span class="o">.</span><span class="n">set_preference</span><span class="p">(</span><span class="s2">&#34;general.useragent.override&#34;</span><span class="p">,</span><span class="s2">&#34;Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0&#34;</span><span class="p">)</span> <span class="ln">16</span> <span class="ln">17</span><span class="c1"># FireFox Options</span> <span class="ln">18</span><span class="n">FIREFOX_OPTS</span> <span class="o">=</span> <span class="n">Options</span><span class="p">()</span> <span class="ln">19</span><span class="n">FIREFOX_OPTS</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">level</span> <span class="o">=</span> <span class="s2">&#34;trace&#34;</span> <span class="c1"># Debug</span> <span class="ln">20</span><span class="n">FIREFOX_OPTS</span><span class="o">.</span><span class="n">headless</span> <span class="o">=</span> <span class="bp">True</span> <span class="ln">21</span><span class="n">GECKODRIVER_LOG</span> <span class="o">=</span> <span class="s1">&#39;/geckodriver.log&#39;</span> <span class="ln">22</span> <span class="ln">23</span><span class="k">class</span> <span class="nc">Scraper</span><span class="p">:</span> <span class="ln">24</span> <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> <span class="ln">25</span> <span class="n">ff_opt</span> <span class="o">=</span> <span class="p">{</span> <span class="ln">26</span> <span class="n">firefox_binary</span><span class="o">=</span><span class="n">FIREFOX_BINARY</span><span class="p">,</span> <span class="ln">27</span> <span class="n">firefox_profile</span><span class="o">=</span><span class="n">PROFILE</span><span class="p">,</span> <span class="ln">28</span> <span class="n">options</span><span class="o">=</span><span class="n">FIREFOX_OPTS</span><span class="p">,</span> <span class="ln">29</span> <span class="n">service_log_path</span><span class="o">=</span><span class="n">GECKODRIVER_LOG</span> <span class="ln">30</span> <span class="p">}</span> <span class="ln">31</span> <span class="bp">self</span><span class="o">.</span><span class="n">DRIVER</span> <span class="o">=</span> <span class="n">webdriver</span><span class="o">.</span><span class="n">Firefox</span><span class="p">(</span><span class="o">**</span><span class="n">ff_opt</span><span class="p">)</span> <span class="ln">32</span> <span class="ln">33</span> <span class="k">def</span> <span class="nf">scrape</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">link</span><span class="p">):</span> <span class="ln">34</span> <span class="k">try</span><span class="p">:</span> <span class="ln">35</span> <span class="bp">self</span><span class="o">.</span><span class="n">DRIVER</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">link</span><span class="p">)</span> <span class="ln">36</span> <span class="n">time</span><span class="o">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="c1"># just in case</span> <span class="ln">37</span> <span class="n">html</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">DRIVER</span><span class="o">.</span><span class="n">page_source</span> <span class="ln">38</span> <span class="ln">39</span> <span class="k">return</span> <span class="n">html</span> <span class="ln">40</span> <span class="ln">41</span> <span class="k">except</span> <span class="ne">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="ln">42</span> <span class="k">print</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> </code></pre></div><p>Execute the above class like this. [app/main.py]</p> <div class="highlight"><pre class="chroma"><code class="language-python" data-lang="python"><span class="ln">1</span><span class="kn">from</span> <span class="nn">scraper</span> <span class="kn">import</span> <span class="n">Scraper</span> <span class="ln">2</span> <span class="ln">3</span><span class="n">pretty_html</span> <span class="o">=</span> <span class="n">SCRAPER</span><span class="o">.</span><span class="n">scrape</span><span class="p">(</span><span class="n">link</span><span class="p">)</span><span class="o">.</span><span class="n">prettify</span><span class="p">()</span> </code></pre></div><p>One more tips, on ubuntu:20.04 docker image it’s possible to install the latest FireFox package, not ESR. So, another way is setting up Python environment based on this image.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>$ docker run -it --rm ubuntu:20.04 sh -c <span class="s2">&#34;apt update; apt search firefox | grep ^firefox/&#34;</span> <span class="ln">2</span>firefox/focal-updates,focal-security 88.0+build2-0ubuntu0.20.04.1 amd64 </code></pre></div><h2 id="reference">Reference</h2> <ul> <li><a href="https://www.linuxuprising.com/2019/12/how-to-install-latest-firefox-non-esr.html">https://www.linuxuprising.com/2019/12/how-to-install-latest-firefox-non-esr.html</a></li> </ul> https://takac.dev/ruby-aws-sam-build-error-with-mongoid-package/ Fri, 05 Feb 2021 23:59:00 +0900 https://takac.dev/ruby-aws-sam-build-error-with-mongoid-package/ <p>Same as <a href="https://takac.dev/ruby-bundle-install-hangs-indefinitely-with-high-cpu-usage" target="_blank">my last post</a> , I’m not a Ruby developer but I had an opportunity to help move some Ruby applications from EC2 to Lambda on AWS. At the time, I had a problem when I built a Ruby application with AWS SAM framework. Let me share why it happened and how I fixed it.</p> <p>I executed the build command &quot;sam build‘ for the Ruby application but it failed with the following error message.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>Build inside container returned response {&#34;jsonrpc&#34;: &#34;2.0&#34;, &#34;id&#34;: 1, &#34;error&#34;: {&#34;code&#34;: 400, &#34;message&#34;: &#34;RubyBundlerBuilder:CopySource - [Errno 2] No such file or directory: &#39;/tmp/samcli/source/vendor/bundle/ruby/2.7.0/gems/mongo-2.14.0/spec/support/ocsp&#39;&#34;}} <span class="ln">2</span> <span class="ln">3</span>Build Failed <span class="ln">4</span>Sending Telemetry: {&#39;metrics&#39;: [{&#39;commandRun&#39;: {&#39;awsProfileProvided&#39;: False, &#39;debugFlagProvided&#39;: True, &#39;region&#39;: &#39;&#39;, &#39;commandName&#39;: &#39;sam build&#39;, &#39;duration&#39;: 72694, &#39;exitReason&#39;: &#39;BuildInsideContainerError&#39;, &#39;exitCode&#39;: 1, &#39;requestId&#39;: &#39;c9a32492-242a-460b-8633-9c2b8c4b7650&#39;, &#39;installationId&#39;: &#39;a15de333-32e0-4651-b78a-c0843ab41c31&#39;, &#39;sessionId&#39;: &#39;970cf38b-8715-42bb-b726-c664597c56ab&#39;, &#39;executionEnvironment&#39;: &#39;CLI&#39;, &#39;pyversion&#39;: &#39;3.8.7&#39;, &#39;samcliVersion&#39;: &#39;1.15.0&#39;}}]} </code></pre></div><p>It was weird for me because all package files were already installed via &quot;bundle install&quot; command. However, the above error said &quot;No such file or directory&quot; and the file is the following.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>&#39;/tmp/samcli/source/vendor/bundle/ruby/2.7.0/gems/mongo-2.14.0/spec/support/ocsp&#39; </code></pre></div><p>In my Gemfile, I specified 'mongoid' and when I executed the &quot;bundle install&quot; command, the ‘mongo’ package was also installed because of the dependency. The automatically installed version was &quot;2.14.0&quot; which is the latest version and I checked the above file path in its GitHub repository.</p> <p><a href="https://github.com/mongodb/mongo-ruby-driver/blob/master/spec/support/ocsp">https://github.com/mongodb/mongo-ruby-driver/blob/master/spec/support/ocsp</a></p> <p>And then, I realized that the file is a symbolic link to the following path.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>../../.mod/drivers-evergreen-tools/.evergreen/ocsp </code></pre></div><p>And the <a href="https://github.com/mongodb/mongo-ruby-driver/tree/master/.mod" target="_blank">.mod</a> directory in the above path and &quot;drivers-evergreen-tools&quot; is a symbolic link to the other repository called <a href="https://github.com/mongodb-labs/drivers-evergreen-tools/tree/7489b21c4ef74a318c5c855c150cb05a727153b4" target="_blank">drivers-evergreen-tools</a> . That’s why it's become a broken link in the installed source code directory.</p> <p>So, I checked the commit log in the <a href="https://github.com/mongodb/mongo-ruby-driver/blob/master/spec/support/ocsp" target="_blank">mongo package repository</a> and the file was added on 9 Sep 2020. And then, I saw the list of the mongo package’s version on the <a href="https://rubygems.org/gems/mongo" target="_blank">gems</a> site. And it said as follows.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>2.14.0 - December 01, 2020 (886KB) <span class="ln">2</span>2.14.0.rc1 - October 09, 2020 (883KB) <span class="ln">3</span>2.13.2 - December 01, 2020 (862KB) <span class="ln">4</span>2.13.1 - October 09, 2020 (855KB) <span class="ln">5</span>2.13.0 - July 30, 2020 (855KB) </code></pre></div><p>So first, I deleted the installed directory and modified the version to 2.13.2 in the Gemfile as follows. And then, install the package again via &quot;bundle install&quot; command.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>gem &#39;mongo&#39;, &#39;~&gt; 2.13.2&#39; </code></pre></div><p>Luckily, the broken link had disappeared and succeeded to build by &quot;sam build&quot; command.</p> <p>So, I’m not sure what’s OCSP exactly and why they put the link in the repository. However, I hope it will be helpful for somebody who has the same problems.</p> https://takac.dev/ruby-bundle-install-hangs-indefinitely-with-high-cpu-usage/ Sun, 31 Jan 2021 00:08:05 +0900 https://takac.dev/ruby-bundle-install-hangs-indefinitely-with-high-cpu-usage/ <p>Actually, I’m not a Ruby developer but I had an opportunity to help move some Ruby applications from EC2 to Lambda on AWS. At that time, I had an issue when I execute &quot;bundle install&quot; inside the container to build with the SAM framework. The problem was the command didn’t finish indefinitely. I searched about it and found some people who had the same issue but there was no way to work around it. I think changing or deleting versions will solve the problem. Let me share how to do that.</p> <p>First, comment out all lines in the Gemfile, and then enable a package one by one. If you find the package which is the cause of the hanging, try the following way.</p> <ul> <li>If it’s already specified some version, delete it.</li> <li>Specify its latest version explicitly.</li> <li>Specify the previous version of the latest one or the one after next</li> </ul> <p>In my case, &quot;activesupport&quot; was the cause of the issue. Before I modified the Gemfile, it did have specified versions explicitly and installed &quot;6.0.3.4&quot; automatically by bundle. However, I checked rubygems.org and the latest version was &quot;6.1.1&quot; so I wrote it down like this and the problem was solved.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>gem &#39;activesupport&#39;, &#39;~&gt; 6.1.1&#39; </code></pre></div><p>I’m not sure this way will solve all the same issues but I hope it will be helpful for somebody who has the same problems.</p> https://takac.dev/docker-what-should-i-do-when-getting-503-service-unavailable-error-after-executing-docker-pull-command/ Sat, 26 Dec 2020 22:04:00 +0900 https://takac.dev/docker-what-should-i-do-when-getting-503-service-unavailable-error-after-executing-docker-pull-command/ <p>Getting &quot;503 service unavailable&quot; error after executing &quot;docker pull&quot; command is a very rare situation but there was in the past. So, it’s worth knowing for using docker. Most of the time, this is Docker Hub’ server side problem not client one. Once the error happens, we should visit their web site called <a href="https://status.docker.com/" target="_blank">Docker system status real-time view</a> before struggling. When the error happened, may be &quot;Docker Hub Registry&quot; is in some trouble status.</p> https://takac.dev/docker-how-to-solve-apache-403-forbidden-error/ Fri, 25 Dec 2020 01:28:00 +0900 https://takac.dev/docker-how-to-solve-apache-403-forbidden-error/ <p>It's a popular problem getting &quot;403 Forbidden&quot; errors from Apache. Even though it's working on the docker, it's the same but a little bit harder to investigate why it’s happened. However, most of the time, the cause of this problem is simple. Let’s take a look at some samples.</p> <p>First, let me show you the correct way. Here is the vhost configuration file as vhost.conf.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>&lt;VirtualHost *:80&gt; <span class="ln">2</span> DocumentRoot /var/www/html <span class="ln">3</span>&lt;/VirtualHost </code></pre></div><p>And make a directory and put a text file for verifying.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>mkdir app/web <span class="ln">2</span><span class="nb">echo</span> <span class="s2">&#34;Hoge&#34;</span> &gt; app/web/index.html </code></pre></div><p>And make a docker-compose.yml file like this.</p> <div class="highlight"><pre class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="ln"> 1</span>version: <span class="s1">&#39;3&#39;</span><span class="err"> </span><span class="ln"> 2</span><span class="err"></span>services:<span class="err"> </span><span class="ln"> 3</span><span class="err"></span> app:<span class="err"> </span><span class="ln"> 4</span><span class="err"></span> container_name: my-app<span class="err"> </span><span class="ln"> 5</span><span class="err"></span> image: php:7.4-apache<span class="err"> </span><span class="ln"> 6</span><span class="err"></span> ports:<span class="err"> </span><span class="ln"> 7</span><span class="err"></span> - 8080:80<span class="err"> </span><span class="ln"> 8</span><span class="err"></span> volumes:<span class="err"> </span><span class="ln"> 9</span><span class="err"></span> - ./app/web:/var/www/html<span class="err"> </span><span class="ln">10</span><span class="err"></span> - ./vhost.conf:/etc/apache2/sites-enabled/000-default.conf<span class="err"> </span></code></pre></div><p>Then, it’s ready for running. Execute it like this.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>docker-compose up </code></pre></div><p>And open a new terminal and execute curl command for verifying.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>$ curl localhost:8080 <span class="ln">2</span>Hoge </code></pre></div><p>This is what I expected. It’s totally no problem. But sometimes &quot;403 Forbidden&quot; errors appear. How it happens? Most of the time, the cause of the error is modifying document root directory. Here is a sample.</p> <p>Modify the document root setting in vhost.conf</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>&lt;VirtualHost *:80&gt; <span class="ln">2</span> DocumentRoot /srv/app <span class="ln">3</span>&lt;/VirtualHost&gt; </code></pre></div><p>And modify docker-compose.yml too.</p> <div class="highlight"><pre class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="ln"> 1</span>version: <span class="s1">&#39;3&#39;</span><span class="err"> </span><span class="ln"> 2</span><span class="err"></span>services:<span class="err"> </span><span class="ln"> 3</span><span class="err"></span> app:<span class="err"> </span><span class="ln"> 4</span><span class="err"></span> container_name: my-app<span class="err"> </span><span class="ln"> 5</span><span class="err"></span> image: php:7.4-apache<span class="err"> </span><span class="ln"> 6</span><span class="err"></span> ports:<span class="err"> </span><span class="ln"> 7</span><span class="err"></span> - 8080:80<span class="err"> </span><span class="ln"> 8</span><span class="err"></span> volumes:<span class="err"> </span><span class="ln"> 9</span><span class="err"></span> - ./app/web:/srv/app<span class="err"> </span><span class="ln">10</span><span class="err"></span> - ./vhost.conf:/etc/apache2/sites-enabled/000-default.conf<span class="err"> </span></code></pre></div><p>However, if I execute curl command the same as the last time, the error will be returned.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span>$ curl localhost:8080 <span class="ln"> 2</span>&lt;!DOCTYPE HTML PUBLIC <span class="s2">&#34;-//IETF//DTD HTML 2.0//EN&#34;</span>&gt; <span class="ln"> 3</span>&lt;html&gt;&lt;head&gt; <span class="ln"> 4</span>&lt;title&gt;403 Forbidden&lt;/title&gt; <span class="ln"> 5</span>&lt;/head&gt;&lt;body&gt; <span class="ln"> 6</span>&lt;h1&gt;Forbidden&lt;/h1&gt; <span class="ln"> 7</span>&lt;p&gt;You don<span class="err">&#39;</span>t have permission to access this resource.&lt;/p&gt; <span class="ln"> 8</span>&lt;hr&gt; <span class="ln"> 9</span>&lt;address&gt;Apache/2.4.38 <span class="o">(</span>Debian<span class="o">)</span> Server at localhost Port 8080&lt;/address&gt; <span class="ln">10</span>&lt;/body&gt;&lt;/html&gt; </code></pre></div><p>The hint is Apache's default settings.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span>$ docker run -it --rm --entrypoint sh php:7.4-apache -c <span class="s2">&#34;cat /etc/apache2/apache2.conf&#34;</span> <span class="ln"> 2</span> : <span class="ln"> 3</span> : <span class="ln"> 4</span>&lt;Directory /&gt; <span class="ln"> 5</span> Options FollowSymLinks <span class="ln"> 6</span> AllowOverride None <span class="ln"> 7</span> Require all denied <span class="ln"> 8</span>&lt;/Directory&gt; <span class="ln"> 9</span> <span class="ln">10</span>&lt;Directory /usr/share&gt; <span class="ln">11</span> AllowOverride None <span class="ln">12</span> Require all granted <span class="ln">13</span>&lt;/Directory&gt; <span class="ln">14</span> <span class="ln">15</span>&lt;Directory /var/www/&gt; <span class="ln">16</span> Options Indexes FollowSymLinks <span class="ln">17</span> AllowOverride None <span class="ln">18</span> Require all granted <span class="ln">19</span>&lt;/Directory&gt; <span class="ln">20</span> : <span class="ln">21</span> : </code></pre></div><p>As you see above, the first setting is set &quot;all denied&quot; for the root directory. And then, &quot;/usr/share&quot; and &quot;/var/www/&quot; is granted. So, even though I modify the directory path in the vhost.conf and docker-compose.yml file, the modified directory is not granted. So, the response will be the error.</p> <p>So, how to fix it when I need to modify the document root directory? It’s necessary to add a grant setting like this.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>&lt;VirtualHost *:80&gt; <span class="ln">2</span> DocumentRoot /srv/app/web <span class="ln">3</span> <span class="ln">4</span> &lt;Directory &#34;/srv/app/web&#34;&gt; <span class="ln">5</span> AllowOverride all <span class="ln">6</span> Require all granted <span class="ln">7</span> &lt;/Directory&gt; <span class="ln">8</span>&lt;/VirtualHost&gt; </code></pre></div><p>The error will disappear.</p> <p>And also, mistakes of the mount point is also a popular cause of some problems. For example, confusing &quot;sites-available&quot; and &quot;sites-enabled&quot; directories. In the traditional way, add the configuration file to &quot;sites-available&quot; first, and then execute &quot;a2ensite&quot; command to make it enabled and then restart the Apache process with graceful option. However, when executing the Apache on docker, no need to do that. Just mount it to 000-default.conf file under the &quot;sites-enabled.&quot; If it’s mounted under the &quot;sites-available&quot; as follows, it will not be loaded by Apache.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span> volumes: <span class="ln">2</span> - ./app/web:/srv/app <span class="ln">3</span> - ./vhost.conf:/etc/apache2/sites-available/000-default.conf </code></pre></div> https://takac.dev/docker-run-apache-as-non-root-user-based-on-the-official-image/ Tue, 22 Dec 2020 23:40:00 +0900 https://takac.dev/docker-run-apache-as-non-root-user-based-on-the-official-image/ <p>Many docker images execute its main process as root but it’s not good for security reasons and it depends on Kubernetes cluster, <a href="https://kubernetes.io/docs/concepts/policy/pod-security-policy/" target="_blank">Pod Security Policies</a> is applied to avoid running containers as root. So, let’s take a look at how to run Apache Web Server as a non-root user.</p> <p>Before trying, here is running the origin image without modifying.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span>$ docker run -dt <span class="se">\ </span><span class="ln"> 2</span><span class="se"></span>--name my-app <span class="se">\ </span><span class="ln"> 3</span><span class="se"></span>--rm httpd:2.4 <span class="ln"> 4</span> <span class="ln"> 5</span>$ docker <span class="nb">exec</span> -it my-app sh -c <span class="s2">&#34;apt update; apt upgrade -y; apt install -y procps; ps -aux&#34;</span> <span class="ln"> 6</span> <span class="ln"> 7</span>&lt;installing&gt; <span class="ln"> 8</span> <span class="ln"> 9</span>USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND <span class="ln">10</span>root <span class="m">1</span> 0.3 0.0 <span class="m">5940</span> <span class="m">4388</span> pts/0 Ss+ 03:48 0:00 httpd -DFOREGROUND <span class="ln">11</span>daemon <span class="m">8</span> 0.0 0.1 <span class="m">1931504</span> <span class="m">11660</span> pts/0 Sl+ 03:48 0:00 httpd -DFOREGROUND <span class="ln">12</span>daemon <span class="m">9</span> 0.0 0.1 <span class="m">1931504</span> <span class="m">11660</span> pts/0 Sl+ 03:48 0:00 httpd -DFOREGROUND <span class="ln">13</span>daemon <span class="m">10</span> 0.0 0.1 <span class="m">1931504</span> <span class="m">11660</span> pts/0 Sl+ 03:48 0:00 httpd -DFOREGROUND <span class="ln">14</span>root <span class="m">92</span> 0.1 0.0 <span class="m">2388</span> <span class="m">696</span> pts/1 Ss+ 03:48 0:00 sh -c apt update<span class="p">;</span> apt upgrade -y<span class="p">;</span> <span class="ln">15</span>apt install -y procps<span class="p">;</span> ps -aux <span class="ln">16</span>root <span class="m">409</span> 0.0 0.0 <span class="m">7640</span> <span class="m">2676</span> pts/1 R+ 03:48 0:00 ps -aux <span class="ln">17</span> <span class="ln">18</span>$ docker stop my-app </code></pre></div><p>As you see, the first process is executed as root and other sub processes run as &quot;daemon&quot; user. When executing the &quot;docker run&quot; command, all I need to do to run the container as some specified user is adding the &quot;-u&quot; option. However, if I add the option without any modification, the container cannot use port 80 because it’s permitted to root only as default. That’s why it’s necessary to use the &quot;setcap&quot; command to modify the linux capability. So, I created the following Dockerfile.</p> <div class="highlight"><pre class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="ln">1</span><span class="k">FROM</span><span class="s"> httpd:2.4</span><span class="err"> </span><span class="ln">2</span><span class="err"> </span><span class="ln">3</span><span class="err"></span><span class="k">RUN</span> apt update <span class="se">\ </span><span class="ln">4</span><span class="se"></span> <span class="o">&amp;&amp;</span> apt upgrade -y <span class="se">\ </span><span class="ln">5</span><span class="se"></span> <span class="o">&amp;&amp;</span> apt install -y libcap2-bin procps <span class="se">\ </span><span class="ln">6</span><span class="se"></span> <span class="o">&amp;&amp;</span> setcap <span class="s1">&#39;cap_net_bind_service=+ep&#39;</span> /usr/local/apache2/bin/httpd <span class="se">\ </span><span class="ln">7</span><span class="se"></span> <span class="o">&amp;&amp;</span> chown www-data:www-data /usr/local/apache2/logs<span class="err"> </span><span class="ln">8</span><span class="err"> </span><span class="ln">9</span><span class="err"></span><span class="k">USER</span><span class="s"> www-data</span><span class="err"> </span></code></pre></div><p>In the above file, &quot;procps&quot; package is unnecessary for production. It’s just for verifying. And then, build the image.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>docker build -t non-root-apache . </code></pre></div><p>After the building process, run a container.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>docker run -it --rm <span class="se">\ </span><span class="ln">2</span><span class="se"></span>--name my-apache-app <span class="se">\ </span><span class="ln">3</span><span class="se"></span>-p 8888:80 <span class="se">\ </span><span class="ln">4</span><span class="se"></span>-v <span class="sb">`</span><span class="nb">pwd</span><span class="sb">`</span>/www:/usr/local/apache2/htdocs <span class="se">\ </span><span class="ln">5</span><span class="se"></span>non-root-apache </code></pre></div><p>After the container is up, open another terminal and test it via curl command.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>$ curl localhost:8888/test.txt <span class="ln">2</span>hoge </code></pre></div><p>The Apache’s log is also like this on the terminal as stdout.</p> <div class="highlight"><pre class="chroma"><code class="language-fallback" data-lang="fallback"><span class="ln">1</span>172.17.0.1 - - [22/Dec/2020:08:53:03 +0000] &#34;GET /test.txt HTTP/1.1&#34; 200 5 </code></pre></div><p>Just in case, check the result of ps command again.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>$ docker <span class="nb">exec</span> -it my-apache-app ps -aux <span class="ln">2</span>USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND <span class="ln">3</span>www-data <span class="m">1</span> 0.0 0.0 <span class="m">5940</span> <span class="m">4244</span> pts/0 Ss+ 08:16 0:00 httpd -DFOREGROUND <span class="ln">4</span>www-data <span class="m">7</span> 0.0 0.0 <span class="m">1931512</span> <span class="m">5420</span> pts/0 Sl+ 08:16 0:00 httpd -DFOREGROUND <span class="ln">5</span>www-data <span class="m">8</span> 0.0 0.1 <span class="m">1931512</span> <span class="m">7516</span> pts/0 Sl+ 08:16 0:00 httpd -DFOREGROUND <span class="ln">6</span>www-data <span class="m">9</span> 0.0 0.0 <span class="m">1931560</span> <span class="m">6060</span> pts/0 Sl+ 08:16 0:00 httpd -DFOREGROUND <span class="ln">7</span>www-data <span class="m">106</span> 0.0 0.0 <span class="m">7640</span> <span class="m">2676</span> pts/1 Rs+ 08:54 0:00 ps -aux </code></pre></div><p>As you see, all running processes are executed by the &quot;www-data&quot; user.</p> https://takac.dev/aws-create-external-aurora-replication-host-by-cli/ Tue, 08 Dec 2020 22:08:00 +0900 https://takac.dev/aws-create-external-aurora-replication-host-by-cli/ <p>One of the big advantages of using AWS is that it’s able to use reliable managed database services like RDS, Aurora. It’s also very easy to increase or decrease replicas. However sometimes, it’s necessary to create a replica externally to avoid bad effects on the production environment. I found the <a href="https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Replication.MySQL.html" target="_blank">official document</a> and I created an Aurora’s replica following the document. So, let me share the procedure.</p> <p>First, it needs to modify the Aurora’s default settings as follows.</p> <ul> <li>Set <strong>binlog_format</strong> parameter to <strong>MIXED</strong></li> <li>Set <strong>binlog_checksum</strong> parameter to <strong>NONE</strong></li> </ul> <p>Then, it needs to reboot to apply the above parameters. So, it will happen 10 or 20 seconds down time.</p> <p>After rebooting, it should make sure those parameters are applied correctly.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span>mysql&gt; SHOW VARIABLES LIKE <span class="s1">&#39;binlog_format&#39;</span><span class="p">;</span> <span class="ln"> 2</span>+---------------+-------+ <span class="ln"> 3</span><span class="p">|</span> Variable_name <span class="p">|</span> Value <span class="p">|</span> <span class="ln"> 4</span>+---------------+-------+ <span class="ln"> 5</span><span class="p">|</span> binlog_format <span class="p">|</span> MIXED <span class="p">|</span> <span class="ln"> 6</span>+---------------+-------+ <span class="ln"> 7</span><span class="m">1</span> row in <span class="nb">set</span> <span class="o">(</span>0.01 sec<span class="o">)</span> <span class="ln"> 8</span> <span class="ln"> 9</span>mysql&gt; show binary logs<span class="p">;</span> <span class="ln">10</span>+----------------------------+-----------+ <span class="ln">11</span><span class="p">|</span> Log_name <span class="p">|</span> File_size <span class="p">|</span> <span class="ln">12</span>+----------------------------+-----------+ <span class="ln">13</span><span class="p">|</span> mysql-bin-changelog.000001 <span class="p">|</span> <span class="m">120</span> <span class="p">|</span> <span class="ln">14</span><span class="p">|</span> mysql-bin-changelog.000002 <span class="p">|</span> <span class="m">120</span> <span class="p">|</span> <span class="ln">15</span>+----------------------------+-----------+ <span class="ln">16</span><span class="m">2</span> rows in <span class="nb">set</span> <span class="o">(</span>0.00 sec<span class="o">)</span> </code></pre></div><p>Then, make the retention term of the binlog file longer.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>mysql&gt; CALL mysql.rds_set_configuration<span class="o">(</span><span class="s1">&#39;binlog retention hours&#39;</span>, 144<span class="o">)</span><span class="p">;</span> <span class="ln">2</span>Query OK, <span class="m">0</span> rows affected <span class="o">(</span>0.00 sec<span class="o">)</span> </code></pre></div><p>And, create a replication user.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>mysql&gt; grant replication slave on *.- to <span class="s1">&#39;repl&#39;</span>@<span class="s1">&#39;%&#39;</span> identified by <span class="s1">&#39;fuga&#39;</span><span class="p">;</span> <span class="ln">2</span>Query OK, <span class="m">0</span> rows affected <span class="o">(</span>0.01 sec<span class="o">)</span> </code></pre></div><p>Set some common variables.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span><span class="nv">db_cluster_identifier</span><span class="o">=</span><span class="s1">&#39;temp-db-cluster&#39;</span> <span class="ln">2</span><span class="nv">db_instance_identifier</span><span class="o">=</span><span class="s1">&#39;temp-db-instance&#39;</span> <span class="ln">3</span><span class="nv">db_instance_class</span><span class="o">=</span><span class="s1">&#39;db.t2.small&#39;</span> <span class="ln">4</span><span class="nv">db_engine</span><span class="o">=</span><span class="s1">&#39;aurora-mysql&#39;</span> <span class="ln">5</span><span class="nv">cluster_parameter_group</span><span class="o">=</span>’my-cluster-param’ <span class="ln">6</span><span class="nv">db_parameter_group_name</span><span class="o">=</span>’my-db-param’ <span class="ln">7</span><span class="nv">db_name</span><span class="o">=</span>’targetdatabase’ </code></pre></div><p>Get the latest snapshot ID.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span><span class="nv">snapshot_identifier</span><span class="o">=</span><span class="sb">`</span>aws rds describe-db-cluster-snapshots <span class="se">\ </span><span class="ln">2</span><span class="se"></span> <span class="p">|</span> jq -r <span class="s1">&#39;.DBClusterSnapshots </span><span class="ln">3</span><span class="s1"> | sort_by(.SnapshotCreateTime) </span><span class="ln">4</span><span class="s1"> | reverse </span><span class="ln">5</span><span class="s1"> | .[0].DBClusterSnapshotIdentifier&#39;</span><span class="sb">`</span> </code></pre></div><p>Restore a new cluster from the above snapshot.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>aws rds restore-db-cluster-from-snapshot <span class="se">\ </span><span class="ln">2</span><span class="se"></span>--engine <span class="nv">$db_engine</span> <span class="se">\ </span><span class="ln">3</span><span class="se"></span>--db-cluster-identifier <span class="nv">$db_cluster_identifier</span> <span class="se">\ </span><span class="ln">4</span><span class="se"></span>--snapshot-identifier <span class="nv">$snapshot_identifier</span> <span class="se">\ </span><span class="ln">5</span><span class="se"></span>--db-cluster-parameter-group-name <span class="nv">$cluster_parameter_group</span> <span class="se">\ </span><span class="ln">6</span><span class="se"></span>--no-deletion-protection </code></pre></div><p>Wait for creating the above process. After it’s completed, add a new instance to the above cluster.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>aws rds create-db-instance <span class="se">\ </span><span class="ln">2</span><span class="se"></span>--engine <span class="nv">$db_engine</span> <span class="se">\ </span><span class="ln">3</span><span class="se"></span>--db-instance-identifier <span class="nv">$db_instance_identifier</span> <span class="se">\ </span><span class="ln">4</span><span class="se"></span>--db-instance-class <span class="nv">$db_instance_class</span> <span class="se">\ </span><span class="ln">5</span><span class="se"></span>--db-parameter-group-name <span class="nv">$db_parameter_group_name</span> <span class="se">\ </span><span class="ln">6</span><span class="se"></span>--db-cluster-identifier <span class="nv">$db_cluster_identifier</span> </code></pre></div><p>Wait for adding the instance process. Then, get the binlog’s position info from its events.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>aws rds describe-events <span class="se">\ </span><span class="ln">2</span><span class="se"></span>--source-identifier <span class="nv">$db_instance_identifier</span> <span class="se">\ </span><span class="ln">3</span><span class="se"></span>--source-type db-instance <span class="se">\ </span><span class="ln">4</span><span class="se"></span><span class="p">|</span> jq -r <span class="s1">&#39;.Events[] | .Message | select (. | test(&#34;Binlog&#34;))&#39;</span> <span class="ln">5</span> <span class="ln">6</span><span class="c1"># Output is like this</span> <span class="ln">7</span><span class="c1"># Binlog position from crash recovery is mysql-bin-changelog.000007 91466190</span> </code></pre></div><p>Get dump data from the above temporary cluster.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span><span class="nv">MYSQL_PWD</span><span class="o">=</span>’pass’ <span class="ln"> 2</span>mysqldump -h <span class="nv">$db_endpoint</span> <span class="se">\ </span><span class="ln"> 3</span><span class="se"></span> --user<span class="o">=</span>user <span class="se">\ </span><span class="ln"> 4</span><span class="se"></span> --quote-names <span class="se">\ </span><span class="ln"> 5</span><span class="se"></span> --flush-logs <span class="se">\ </span><span class="ln"> 6</span><span class="se"></span> --master-data<span class="o">=</span><span class="m">2</span> <span class="se">\ </span><span class="ln"> 7</span><span class="se"></span> --single-transaction <span class="se">\ </span><span class="ln"> 8</span><span class="se"></span> --hex-blob <span class="se">\ </span><span class="ln"> 9</span><span class="se"></span> --routines <span class="se">\ </span><span class="ln">10</span><span class="se"></span> --triggers <span class="se">\ </span><span class="ln">11</span><span class="se"></span> --events <span class="se">\ </span><span class="ln">12</span><span class="se"></span> --default-character-set<span class="o">=</span>utf8 <span class="se">\ </span><span class="ln">13</span><span class="se"></span> <span class="nv">$db_name</span> <span class="se">\ </span><span class="ln">14</span><span class="se"></span> &gt; dump_<span class="si">${</span><span class="nv">db_cluster_identifier</span><span class="si">}</span>.sql </code></pre></div><p>Create a MySQL server out of the Aurora cluster. At this time, I used docker-compose on a server.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln"> 1</span><span class="k">version</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;3.7&#39;</span><span class="w"> </span><span class="ln"> 2</span><span class="w"></span><span class="k">services</span><span class="p">:</span><span class="w"> </span><span class="ln"> 3</span><span class="w"> </span><span class="k">local-replica</span><span class="p">:</span><span class="w"> </span><span class="ln"> 4</span><span class="w"> </span><span class="k">image</span><span class="p">:</span><span class="w"> </span>mysql<span class="p">:</span><span class="m">5.7</span><span class="w"> </span><span class="ln"> 5</span><span class="w"> </span><span class="k">restart</span><span class="p">:</span><span class="w"> </span>always<span class="w"> </span><span class="ln"> 6</span><span class="w"> </span><span class="k">ports</span><span class="p">:</span><span class="w"> </span><span class="ln"> 7</span><span class="w"> </span>- <span class="s2">&#34;13306:3306&#34;</span><span class="w"> </span><span class="ln"> 8</span><span class="w"> </span><span class="k">volumes</span><span class="p">:</span><span class="w"> </span><span class="ln"> 9</span><span class="w"> </span>- ./mysql<span class="p">:</span>/var/lib/mysql<span class="w"> </span><span class="ln">10</span><span class="w"> </span>- ./repl.cnf<span class="p">:</span>/etc/mysql/conf.d/repl.cnf<span class="w"> </span><span class="ln">11</span><span class="w"> </span><span class="k">env_file</span><span class="p">:</span><span class="w"> </span><span class="ln">12</span><span class="w"> </span>- .env_mysql<span class="w"> </span><span class="ln">13</span><span class="w"> </span><span class="k">user</span><span class="p">:</span><span class="w"> </span>mysql<span class="w"> </span></code></pre></div><p>The above repl.cnf file is like this.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span><span class="o">[</span>mysqld<span class="o">]</span> <span class="ln">2</span>server-id<span class="o">=</span><span class="m">100</span> <span class="ln">3</span>replicate-ignore-db<span class="o">=</span>mysql </code></pre></div><p>And make the &quot;mysql&quot; directory to be mounted for data.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>mkdir mysql </code></pre></div><p>Then, run the container with the official MySQL image.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>docker-compose up -d </code></pre></div><p>Import the dump file.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>mysql <span class="se">\ </span><span class="ln">2</span><span class="se"></span>--protocol tcp <span class="se">\ </span><span class="ln">3</span><span class="se"></span>-P <span class="m">13306</span> <span class="se">\ </span><span class="ln">4</span><span class="se"></span>-u root <span class="se">\ </span><span class="ln">5</span><span class="se"></span>-p <span class="se">\ </span><span class="ln">6</span><span class="se"></span>&lt; dump_<span class="si">${</span><span class="nv">db_cluster_identifier</span><span class="si">}</span>.sql </code></pre></div><p>Login and connect to the above DB and execute CHANGE MASTER command to modify the replication master info with the above binlog position info.</p> <div class="highlight"><pre class="chroma"><code class="language-mysql" data-lang="mysql"><span class="ln">1</span><span class="n">mysql</span><span class="o">&gt;</span> <span class="k">CHANGE</span> <span class="n">MASTER</span> <span class="k">TO</span> <span class="ln">2</span> <span class="n">MASTER_HOST</span> <span class="o">=</span> <span class="s1">&#39;my-master-host&#39;</span><span class="p">,</span> <span class="ln">3</span> <span class="n">MASTER_PORT</span> <span class="o">=</span> <span class="mi">3306</span><span class="p">,</span> <span class="ln">4</span> <span class="n">MASTER_USER</span> <span class="o">=</span> <span class="s1">&#39;repl&#39;</span><span class="p">,</span> <span class="ln">5</span> <span class="n">MASTER_PASSWORD</span> <span class="o">=</span><span class="err">’</span><span class="n">fuga</span><span class="err">’</span><span class="p">,</span> <span class="ln">6</span> <span class="n">MASTER_LOG_FILE</span> <span class="o">=</span> <span class="s1">&#39;mysql-bin-changelog.000007&#39;</span><span class="p">,</span> <span class="ln">7</span> <span class="n">MASTER_LOG_POS</span> <span class="o">=</span> <span class="mi">91466190</span><span class="p">;</span> </code></pre></div><p>Then, add grants on the local replica.</p> <div class="highlight"><pre class="chroma"><code class="language-mysql" data-lang="mysql"><span class="ln">1</span><span class="n">mysql</span><span class="o">&gt;</span> <span class="k">GRANT</span> <span class="k">SELECT</span><span class="p">,</span> <span class="n">RELOAD</span><span class="p">,</span> <span class="n">PROCESS</span><span class="p">,</span> <span class="k">REFERENCES</span><span class="p">,</span> <span class="k">INDEX</span><span class="p">,</span> <span class="k">SHOW</span> <span class="k">DATABASES</span><span class="p">,</span> <span class="k">CREATE</span> <span class="n">TEMPORARY</span> <span class="kp">TABLES</span><span class="p">,</span> <span class="k">LOCK</span> <span class="kp">TABLES</span><span class="p">,</span> <span class="n">EXECUTE</span><span class="p">,</span> <span class="k">SHOW</span> <span class="n">VIEW</span><span class="p">,</span> <span class="n">EVENT</span><span class="p">,</span> <span class="k">TRIGGER</span> <span class="k">ON</span> <span class="o">*</span><span class="p">.</span><span class="o">-</span> <span class="k">TO</span> <span class="s1">&#39;hoge&#39;</span><span class="o">@</span><span class="s1">&#39;%&#39;</span> <span class="k">IDENTIFIED</span> <span class="k">BY</span> <span class="n">PASSWORD</span> <span class="s1">&#39;*AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&#39;</span> <span class="k">WITH</span> <span class="k">GRANT</span> <span class="k">OPTION</span> </code></pre></div><p>Start slave.</p> <div class="highlight"><pre class="chroma"><code class="language-mysql" data-lang="mysql"><span class="ln"> 1</span><span class="n">mysql</span><span class="o">&gt;</span> <span class="n">start</span> <span class="n">slave</span><span class="p">;</span> <span class="ln"> 2</span> <span class="ln"> 3</span><span class="n">mysql</span><span class="o">&gt;</span> <span class="k">show</span> <span class="n">slave</span> <span class="n">status</span><span class="err">\</span><span class="n">G</span><span class="p">;</span> <span class="ln"> 4</span><span class="o">**************************-</span> <span class="mi">1</span><span class="p">.</span> <span class="n">row</span> <span class="o">***************************</span> <span class="ln"> 5</span> <span class="n">Slave_IO_State</span><span class="p">:</span> <span class="n">Waiting</span> <span class="k">for</span> <span class="n">master</span> <span class="k">to</span> <span class="n">send</span> <span class="n">event</span> <span class="ln"> 6</span> <span class="n">Master_Host</span><span class="p">:</span> <span class="n">my</span><span class="o">-</span><span class="n">master</span><span class="o">-</span><span class="n">host</span> <span class="ln"> 7</span> <span class="n">Master_User</span><span class="p">:</span> <span class="n">repl</span> <span class="ln"> 8</span> <span class="n">Master_Port</span><span class="p">:</span> <span class="mi">3306</span> <span class="ln"> 9</span> <span class="n">Connect_Retry</span><span class="p">:</span> <span class="mi">60</span> <span class="ln">10</span> <span class="n">Master_Log_File</span><span class="p">:</span> <span class="n">mysql</span><span class="o">-</span><span class="n">bin</span><span class="o">-</span><span class="n">changelog</span><span class="p">.</span><span class="mi">000002</span> <span class="ln">11</span> <span class="n">Read_Master_Log_Pos</span><span class="p">:</span> <span class="mi">4656141</span> <span class="ln">12</span> <span class="n">Relay_Log_File</span><span class="p">:</span> <span class="mi">80</span><span class="n">a8d68c1881</span><span class="o">-</span><span class="n">relay</span><span class="o">-</span><span class="n">bin</span><span class="p">.</span><span class="mi">000002</span> <span class="ln">13</span> <span class="n">Relay_Log_Pos</span><span class="p">:</span> <span class="mi">351215</span> <span class="ln">14</span> <span class="n">Relay_Master_Log_File</span><span class="p">:</span> <span class="n">mysql</span><span class="o">-</span><span class="n">bin</span><span class="o">-</span><span class="n">changelog</span><span class="p">.</span><span class="mi">000002</span> <span class="ln">15</span> <span class="n">Slave_IO_Running</span><span class="p">:</span> <span class="n">Yes</span> <span class="ln">16</span> <span class="n">Slave_SQL_Running</span><span class="p">:</span> <span class="n">Yes</span> <span class="ln">17</span> <span class="p">:</span> <span class="ln">18</span> <span class="p">:</span> <span class="ln">19</span><span class="mi">1</span> <span class="n">row</span> <span class="k">in</span> <span class="kt">set</span> <span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">00</span> <span class="n">sec</span><span class="p">)</span> <span class="ln">20</span> <span class="ln">21</span><span class="n">ERROR</span><span class="p">:</span> <span class="ln">22</span><span class="n">No</span> <span class="n">query</span> <span class="n">specified</span> </code></pre></div><p>The temporary cluster is unnecessary anymore. So, it should be deleted. First, delete the instance.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>aws rds delete-db-instance <span class="se">\ </span><span class="ln">2</span><span class="se"></span>--db-instance-identifier <span class="nv">$db_instance_identifier</span> <span class="se">\ </span><span class="ln">3</span><span class="se"></span>--skip-final-snapshot </code></pre></div><p>Then, delete the cluster.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>aws rds delete-db-cluster <span class="se">\ </span><span class="ln">2</span><span class="se"></span>--db-cluster-identifier <span class="nv">$db_cluster_identifier</span> <span class="se">\ </span><span class="ln">3</span><span class="se"></span>--skip-final-snapshot </code></pre></div> https://takac.dev/docker-hub-error-429-too-many-requests/ Thu, 19 Nov 2020 14:17:00 +0900 https://takac.dev/docker-hub-error-429-too-many-requests/ <p>One day, I realized that one of my CodePipeline was failed to build the docker image. I investigated what caused the error. And then, I found out the following error message when executing docker build command.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>ERROR: failed to copy: httpReaderSeeker: failed open: unexpected status code https://registry-1.docker.io/v2/library/php/manifests/sha256:7b1cd0d9e1922e96ad3bc9fc44880cf7247f5a22a4badfd25480bf759edf2804: 429 Too Many Requests - Server message: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit </code></pre></div><p>I remembered the news which I read before that Docker Hub got started to set some limits and I checked the link which is included in the above error.</p> <p><a href="https://www.docker.com/increase-rate-limit" target="_blank">Understanding Docker Hub Rate Limiting</a> </p> <p>However, I was confused because I’m working for a very small start-up company and the CodePipeline runs a few times a day so I couldn’t understand why I reached the limit. Then, I came out that it may be &quot;docker login&quot; is necessary because the CodePipeline environment is shared servers so anonymous access was added up together. So, I got a new log-in account for building image and added the following command before docker build command in the buildspec in the CodePipeline and then I solved the problem.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>docker login -u hoge-hoge -p fuga </code></pre></div> https://takac.dev/kibana-query-language-cheat-sheet-for-web-service/ Mon, 09 Nov 2020 17:00:00 +0900 https://takac.dev/kibana-query-language-cheat-sheet-for-web-service/ <p>I’m using ELK stack for collecting and searching logs from web servers, CDN, load balancers and so on. Let me share my cheat sheet of the Kibana query language I usually use. I’ll update this continually.</p> <h2 id="hide-empty-line">Hide empty line</h2> <p>If the logs are not well formatted, some empty line will appear and it’s bothering. So, I hide it by this query.</p> <div class="highlight"><pre class="chroma"><code class="language-json" data-lang="json"><span class="ln"> 1</span><span class="p">{</span> <span class="ln"> 2</span> <span class="nt">&#34;query&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 3</span> <span class="nt">&#34;bool&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 4</span> <span class="nt">&#34;must&#34;</span><span class="p">:</span> <span class="p">[</span> <span class="ln"> 5</span> <span class="p">{</span> <span class="ln"> 6</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 7</span> <span class="nt">&#34;message.keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;\n&#34;</span> <span class="ln"> 8</span> <span class="p">}</span> <span class="ln"> 9</span> <span class="p">}</span> <span class="ln">10</span> <span class="p">]</span> <span class="ln">11</span> <span class="p">}</span> <span class="ln">12</span> <span class="p">}</span> <span class="ln">13</span><span class="p">}</span> </code></pre></div><h2 id="redirected-http-access">Redirected HTTP access</h2> <p>Redirecting from HTTP to HTTPS is a popular way for load balancer settings because of the AOSSL (Always On SSL). It brings a lot of logs of the redirecting but most of the time it’s unnecessary for debugging or investigating issues. So, I hide it by this query.</p> <div class="highlight"><pre class="chroma"><code class="language-json" data-lang="json"><span class="ln"> 1</span><span class="p">{</span> <span class="ln"> 2</span> <span class="nt">&#34;query&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 3</span> <span class="nt">&#34;bool&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 4</span> <span class="nt">&#34;must&#34;</span><span class="p">:</span> <span class="p">[</span> <span class="ln"> 5</span> <span class="p">{</span> <span class="ln"> 6</span> <span class="nt">&#34;match&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 7</span> <span class="nt">&#34;cs-protocol.keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;http&#34;</span> <span class="ln"> 8</span> <span class="p">}</span> <span class="ln"> 9</span> <span class="p">},</span> <span class="ln">10</span> <span class="p">{</span> <span class="ln">11</span> <span class="nt">&#34;match&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln">12</span> <span class="nt">&#34;sc-status&#34;</span><span class="p">:</span> <span class="s2">&#34;301&#34;</span> <span class="ln">13</span> <span class="p">}</span> <span class="ln">14</span> <span class="p">}</span> <span class="ln">15</span> <span class="p">]</span> <span class="ln">16</span> <span class="p">}</span> <span class="ln">17</span> <span class="p">}</span> <span class="ln">18</span><span class="p">}</span> </code></pre></div><h2 id="must-and-must-not">Must and Must Not</h2> <p>Sometimes, it’s necessary to combine complicated conditions. For example, the following query will pick up the logs which has &quot;JP&quot; on &quot;geoip_country_code&quot; field and also the status is not 2xx and 3xx.</p> <div class="highlight"><pre class="chroma"><code class="language-json" data-lang="json"><span class="ln"> 1</span><span class="p">{</span> <span class="ln"> 2</span> <span class="nt">&#34;query&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 3</span> <span class="nt">&#34;bool&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 4</span> <span class="nt">&#34;must&#34;</span><span class="p">:</span> <span class="p">[</span> <span class="ln"> 5</span> <span class="p">{</span> <span class="ln"> 6</span> <span class="nt">&#34;match&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 7</span> <span class="nt">&#34;geoip_country_code&#34;</span><span class="p">:</span> <span class="s2">&#34;JP&#34;</span> <span class="ln"> 8</span> <span class="p">}</span> <span class="ln"> 9</span> <span class="p">}</span> <span class="ln">10</span> <span class="p">],</span> <span class="ln">11</span> <span class="nt">&#34;must_not&#34;</span><span class="p">:</span> <span class="p">[</span> <span class="ln">12</span> <span class="p">{</span> <span class="ln">13</span> <span class="nt">&#34;range&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln">14</span> <span class="nt">&#34;status&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln">15</span> <span class="nt">&#34;gte&#34;</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="ln">16</span> <span class="nt">&#34;lt&#34;</span><span class="p">:</span> <span class="mi">400</span> <span class="ln">17</span> <span class="p">}</span> <span class="ln">18</span> <span class="p">}</span> <span class="ln">19</span> <span class="p">}</span> <span class="ln">20</span> <span class="p">]</span> <span class="ln">21</span> <span class="p">}</span> <span class="ln">22</span> <span class="p">}</span> <span class="ln">23</span><span class="p">}</span> </code></pre></div><h2 id="exclude-bot-logs-by-ua">Exclude bot logs by UA</h2> <p>There are a bunch of access to public web servers and CDN logs. When debugging, sometimes it’s bothering to search some specified logs. In that situation, I’ll use the following query to filter by the user-agents. Of Course it’s not perfect because there are millions of bots around the world and some wicked bots have fake user-agents but better than nothing.</p> <div class="highlight"><pre class="chroma"><code class="language-json" data-lang="json"><span class="ln"> 1</span><span class="p">{</span> <span class="ln"> 2</span> <span class="nt">&#34;query&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 3</span> <span class="nt">&#34;bool&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 4</span> <span class="nt">&#34;should&#34;</span><span class="p">:</span> <span class="p">[</span> <span class="ln"> 5</span> <span class="p">{</span> <span class="ln"> 6</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 7</span> <span class="nt">&#34;cs(User-Agent)&#34;</span><span class="p">:</span> <span class="s2">&#34;.*bot.*&#34;</span> <span class="ln"> 8</span> <span class="p">}</span> <span class="ln"> 9</span> <span class="p">},</span> <span class="ln"> 10</span> <span class="p">{</span> <span class="ln"> 11</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 12</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*spider.*&#34;</span> <span class="ln"> 13</span> <span class="p">}</span> <span class="ln"> 14</span> <span class="p">},</span> <span class="ln"> 15</span> <span class="p">{</span> <span class="ln"> 16</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 17</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*google.*&#34;</span> <span class="ln"> 18</span> <span class="p">}</span> <span class="ln"> 19</span> <span class="p">},</span> <span class="ln"> 20</span> <span class="p">{</span> <span class="ln"> 21</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 22</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*Google.*&#34;</span> <span class="ln"> 23</span> <span class="p">}</span> <span class="ln"> 24</span> <span class="p">},</span> <span class="ln"> 25</span> <span class="p">{</span> <span class="ln"> 26</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 27</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*curl.*&#34;</span> <span class="ln"> 28</span> <span class="p">}</span> <span class="ln"> 29</span> <span class="p">},</span> <span class="ln"> 30</span> <span class="p">{</span> <span class="ln"> 31</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 32</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*python.*&#34;</span> <span class="ln"> 33</span> <span class="p">}</span> <span class="ln"> 34</span> <span class="p">},</span> <span class="ln"> 35</span> <span class="p">{</span> <span class="ln"> 36</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 37</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*Photon.*&#34;</span> <span class="ln"> 38</span> <span class="p">}</span> <span class="ln"> 39</span> <span class="p">},</span> <span class="ln"> 40</span> <span class="p">{</span> <span class="ln"> 41</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 42</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*cortex.*&#34;</span> <span class="ln"> 43</span> <span class="p">}</span> <span class="ln"> 44</span> <span class="p">},</span> <span class="ln"> 45</span> <span class="p">{</span> <span class="ln"> 46</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 47</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*crawler.*&#34;</span> <span class="ln"> 48</span> <span class="p">}</span> <span class="ln"> 49</span> <span class="p">},</span> <span class="ln"> 50</span> <span class="p">{</span> <span class="ln"> 51</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 52</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*Crawler.*&#34;</span> <span class="ln"> 53</span> <span class="p">}</span> <span class="ln"> 54</span> <span class="p">},</span> <span class="ln"> 55</span> <span class="p">{</span> <span class="ln"> 56</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 57</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*daum.*&#34;</span> <span class="ln"> 58</span> <span class="p">}</span> <span class="ln"> 59</span> <span class="p">},</span> <span class="ln"> 60</span> <span class="p">{</span> <span class="ln"> 61</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 62</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*Hatena.*&#34;</span> <span class="ln"> 63</span> <span class="p">}</span> <span class="ln"> 64</span> <span class="p">},</span> <span class="ln"> 65</span> <span class="p">{</span> <span class="ln"> 66</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 67</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*ltx71.*&#34;</span> <span class="ln"> 68</span> <span class="p">}</span> <span class="ln"> 69</span> <span class="p">},</span> <span class="ln"> 70</span> <span class="p">{</span> <span class="ln"> 71</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 72</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;newspaper/.*&#34;</span> <span class="ln"> 73</span> <span class="p">}</span> <span class="ln"> 74</span> <span class="p">},</span> <span class="ln"> 75</span> <span class="p">{</span> <span class="ln"> 76</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 77</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*Qwantify.*&#34;</span> <span class="ln"> 78</span> <span class="p">}</span> <span class="ln"> 79</span> <span class="p">},</span> <span class="ln"> 80</span> <span class="p">{</span> <span class="ln"> 81</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 82</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*ubermetrics-technologies.com.*&#34;</span> <span class="ln"> 83</span> <span class="p">}</span> <span class="ln"> 84</span> <span class="p">},</span> <span class="ln"> 85</span> <span class="p">{</span> <span class="ln"> 86</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 87</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;WF%2520search/Nutch-.*&#34;</span> <span class="ln"> 88</span> <span class="p">}</span> <span class="ln"> 89</span> <span class="p">},</span> <span class="ln"> 90</span> <span class="p">{</span> <span class="ln"> 91</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 92</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;Apache-HttpClient.*&#34;</span> <span class="ln"> 93</span> <span class="p">}</span> <span class="ln"> 94</span> <span class="p">},</span> <span class="ln"> 95</span> <span class="p">{</span> <span class="ln"> 96</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 97</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;Mozilla.*Yeti/.*https://naver.me/spd.*&#34;</span> <span class="ln"> 98</span> <span class="p">}</span> <span class="ln"> 99</span> <span class="p">},</span> <span class="ln">100</span> <span class="p">{</span> <span class="ln">101</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln">102</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;.*TrendsmapResolver.*&#34;</span> <span class="ln">103</span> <span class="p">}</span> <span class="ln">104</span> <span class="p">},</span> <span class="ln">105</span> <span class="p">{</span> <span class="ln">106</span> <span class="nt">&#34;regexp&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln">107</span> <span class="nt">&#34;cs(User-Agent).keyword&#34;</span><span class="p">:</span> <span class="s2">&#34;-&#34;</span> <span class="ln">108</span> <span class="p">}</span> <span class="ln">109</span> <span class="p">}</span> <span class="ln">110</span> <span class="p">]</span> <span class="ln">111</span> <span class="p">}</span> <span class="ln">112</span> <span class="p">}</span> <span class="ln">113</span><span class="p">}</span> </code></pre></div> https://takac.dev/aws-cloudformation-example-creating-dynamodb-table-and-iam/ Tue, 20 Oct 2020 14:13:00 +0900 https://takac.dev/aws-cloudformation-example-creating-dynamodb-table-and-iam/ <p>Let me share an example of the CloudFormation configuration to create DynamoDB tables and an IAM user with particular policy to use it from some applications.</p> <p>I’ll create two tables for stage and production with TTL and also I set PAY_PER_REQUEST. So first, create the following YAML file as template.yml.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln"> 1</span><span class="k">AWSTemplateFormatVersion</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;2010-09-09&#34;</span><span class="w"> </span><span class="ln"> 2</span><span class="w"></span><span class="k">Description</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;DynamoDB and IAM&#34;</span><span class="w"> </span><span class="ln"> 3</span><span class="w"> </span><span class="ln"> 4</span><span class="w"></span><span class="k">Resources</span><span class="p">:</span><span class="w"> </span><span class="ln"> 5</span><span class="w"> </span><span class="k">Policy</span><span class="p">:</span><span class="w"> </span><span class="ln"> 6</span><span class="w"> </span><span class="k">Type</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;AWS::IAM::ManagedPolicy&#39;</span><span class="w"> </span><span class="ln"> 7</span><span class="w"> </span><span class="k">Properties</span><span class="p">:</span><span class="w"> </span><span class="ln"> 8</span><span class="w"> </span><span class="k">Path</span><span class="p">:</span><span class="w"> </span>/<span class="w"> </span><span class="ln"> 9</span><span class="w"> </span><span class="k">PolicyDocument</span><span class="p">:</span><span class="w"> </span><span class="ln">10</span><span class="w"> </span><span class="k">Version</span><span class="p">:</span><span class="w"> </span><span class="ld">2012-10-17</span><span class="w"> </span><span class="ln">11</span><span class="w"> </span><span class="k">Statement</span><span class="p">:</span><span class="w"> </span><span class="ln">12</span><span class="w"> </span>- <span class="k">Effect</span><span class="p">:</span><span class="w"> </span>Allow<span class="w"> </span><span class="ln">13</span><span class="w"> </span><span class="k">Action</span><span class="p">:</span><span class="w"> </span><span class="ln">14</span><span class="w"> </span>- dynamodb<span class="p">:</span>List*<span class="w"> </span><span class="ln">15</span><span class="w"> </span>- dynamodb<span class="p">:</span>DescribeReservedCapacity*<span class="w"> </span><span class="ln">16</span><span class="w"> </span>- dynamodb<span class="p">:</span>DescribeLimits<span class="w"> </span><span class="ln">17</span><span class="w"> </span>- dynamodb<span class="p">:</span>DescribeTimeToLive<span class="w"> </span><span class="ln">18</span><span class="w"> </span><span class="k">Resource</span><span class="p">:</span><span class="w"> </span><span class="ln">19</span><span class="w"> </span>- <span class="s2">&#34;*&#34;</span><span class="w"> </span><span class="ln">20</span><span class="w"> </span><span class="ln">21</span><span class="w"> </span>- <span class="k">Effect</span><span class="p">:</span><span class="w"> </span>Allow<span class="w"> </span><span class="ln">22</span><span class="w"> </span><span class="k">Action</span><span class="p">:</span><span class="w"> </span><span class="ln">23</span><span class="w"> </span>- dynamodb<span class="p">:</span>DescribeTable<span class="w"> </span><span class="ln">24</span><span class="w"> </span>- dynamodb<span class="p">:</span>GetItem<span class="w"> </span><span class="ln">25</span><span class="w"> </span>- dynamodb<span class="p">:</span>Query<span class="w"> </span><span class="ln">26</span><span class="w"> </span>- dynamodb<span class="p">:</span>Scan<span class="w"> </span><span class="ln">27</span><span class="w"> </span>- dynamodb<span class="p">:</span>CreateTable<span class="w"> </span><span class="ln">28</span><span class="w"> </span>- dynamodb<span class="p">:</span>DeleteItem<span class="w"> </span><span class="ln">29</span><span class="w"> </span>- dynamodb<span class="p">:</span>UpdateItem<span class="w"> </span><span class="ln">30</span><span class="w"> </span>- dynamodb<span class="p">:</span>UpdateTable<span class="w"> </span><span class="ln">31</span><span class="w"> </span>- dynamodb<span class="p">:</span>PutItem<span class="w"> </span><span class="ln">32</span><span class="w"> </span><span class="k">Resource</span><span class="p">:</span><span class="w"> </span><span class="ln">33</span><span class="w"> </span>- !GetAtt<span class="w"> </span>DynamoDBTableUserListProd.Arn<span class="w"> </span><span class="ln">34</span><span class="w"> </span>- !GetAtt<span class="w"> </span>DynamoDBTableUserListStage.Arn<span class="w"> </span><span class="ln">35</span><span class="w"> </span><span class="k">User</span><span class="p">:</span><span class="w"> </span><span class="ln">36</span><span class="w"> </span><span class="k">Type</span><span class="p">:</span><span class="w"> </span>AWS<span class="p">::</span>IAM<span class="p">::</span>User<span class="w"> </span><span class="ln">37</span><span class="w"> </span><span class="k">Properties</span><span class="p">:</span><span class="w"> </span><span class="ln">38</span><span class="w"> </span><span class="k">ManagedPolicyArns</span><span class="p">:</span><span class="w"> </span><span class="ln">39</span><span class="w"> </span>- !Ref<span class="w"> </span>Policy<span class="w"> </span><span class="ln">40</span><span class="w"> </span><span class="k">UserName</span><span class="p">:</span><span class="w"> </span>dynamodb-user-list<span class="w"> </span><span class="ln">41</span><span class="w"> </span><span class="ln">42</span><span class="w"> </span><span class="k">DynamoDBTableUserListProd</span><span class="p">:</span><span class="w"> </span><span class="ln">43</span><span class="w"> </span><span class="k">Type</span><span class="p">:</span><span class="w"> </span>AWS<span class="p">::</span>DynamoDB<span class="p">::</span>Table<span class="w"> </span><span class="ln">44</span><span class="w"> </span><span class="k">Properties</span><span class="p">:</span><span class="w"> </span><span class="ln">45</span><span class="w"> </span><span class="k">TableName</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;user_list_prod&#34;</span><span class="w"> </span><span class="ln">46</span><span class="w"> </span><span class="k">BillingMode</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;PAY_PER_REQUEST&#34;</span><span class="w"> </span><span class="ln">47</span><span class="w"> </span><span class="k">KeySchema</span><span class="p">:</span><span class="w"> </span><span class="ln">48</span><span class="w"> </span><span class="sd">- </span><span class="ln">49</span><span class="sd"> AttributeName: &#34;user_id&#34;</span><span class="w"> </span><span class="ln">50</span><span class="w"> </span><span class="k">KeyType</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;HASH&#34;</span><span class="w"> </span><span class="ln">51</span><span class="w"> </span><span class="k">AttributeDefinitions</span><span class="p">:</span><span class="w"> </span><span class="ln">52</span><span class="w"> </span><span class="sd">- </span><span class="ln">53</span><span class="sd"> AttributeName: &#34;user_id&#34;</span><span class="w"> </span><span class="ln">54</span><span class="w"> </span><span class="k">AttributeType</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;N&#34;</span><span class="w"> </span><span class="ln">55</span><span class="w"> </span><span class="k">ProvisionedThroughput</span><span class="p">:</span><span class="w"> </span><span class="ln">56</span><span class="w"> </span><span class="k">ReadCapacityUnits</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0&#34;</span><span class="w"> </span><span class="ln">57</span><span class="w"> </span><span class="k">WriteCapacityUnits</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0&#34;</span><span class="w"> </span><span class="ln">58</span><span class="w"> </span><span class="ln">59</span><span class="w"> </span><span class="k">DynamoDBTableUserListStage</span><span class="p">:</span><span class="w"> </span><span class="ln">60</span><span class="w"> </span><span class="k">Type</span><span class="p">:</span><span class="w"> </span>AWS<span class="p">::</span>DynamoDB<span class="p">::</span>Table<span class="w"> </span><span class="ln">61</span><span class="w"> </span><span class="k">Properties</span><span class="p">:</span><span class="w"> </span><span class="ln">62</span><span class="w"> </span><span class="k">TableName</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;user_list_stage&#34;</span><span class="w"> </span><span class="ln">63</span><span class="w"> </span><span class="k">BillingMode</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;PAY_PER_REQUEST&#34;</span><span class="w"> </span><span class="ln">64</span><span class="w"> </span><span class="k">KeySchema</span><span class="p">:</span><span class="w"> </span><span class="ln">65</span><span class="w"> </span><span class="sd">- </span><span class="ln">66</span><span class="sd"> AttributeName: &#34;user_id&#34;</span><span class="w"> </span><span class="ln">67</span><span class="w"> </span><span class="k">KeyType</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;HASH&#34;</span><span class="w"> </span><span class="ln">68</span><span class="w"> </span><span class="k">AttributeDefinitions</span><span class="p">:</span><span class="w"> </span><span class="ln">69</span><span class="w"> </span><span class="sd">- </span><span class="ln">70</span><span class="sd"> AttributeName: &#34;user_id&#34;</span><span class="w"> </span><span class="ln">71</span><span class="w"> </span><span class="k">AttributeType</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;N&#34;</span><span class="w"> </span><span class="ln">72</span><span class="w"> </span><span class="k">ProvisionedThroughput</span><span class="p">:</span><span class="w"> </span><span class="ln">73</span><span class="w"> </span><span class="k">ReadCapacityUnits</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0&#34;</span><span class="w"> </span><span class="ln">74</span><span class="w"> </span><span class="k">WriteCapacityUnits</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0&#34;</span><span class="w"> </span><span class="ln">75</span><span class="w"> </span><span class="k">TimeToLiveSpecification</span><span class="p">:</span><span class="w"> </span><span class="ln">76</span><span class="w"> </span><span class="k">AttributeName</span><span class="p">:</span><span class="w"> </span>expired_at<span class="w"> </span><span class="ln">77</span><span class="w"> </span><span class="k">Enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></code></pre></div><p>And then, create the script as deploy.sh to deploy it.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span><span class="cp">#!/bin/bash </span><span class="ln"> 2</span><span class="cp"></span><span class="nv">STACK_NAME</span><span class="o">=</span><span class="s2">&#34;DynamoDBTableUserList&#34;</span> <span class="ln"> 3</span><span class="nv">S3_BUCKET</span><span class="o">=</span><span class="s2">&#34;your_bucket&#34;</span> <span class="ln"> 4</span><span class="nv">TEMPLATE_FILE</span><span class="o">=</span><span class="s1">&#39;template.yml&#39;</span> <span class="ln"> 5</span><span class="nv">OUTPUT_YAML</span><span class="o">=</span><span class="s1">&#39;output.yml&#39;</span> <span class="ln"> 6</span> <span class="ln"> 7</span><span class="nb">echo</span> -n <span class="s2">&#34;Packaging stack...&#34;</span> <span class="ln"> 8</span>aws cloudformation package <span class="se">\ </span><span class="ln"> 9</span><span class="se"></span>--template-file <span class="nv">$TEMPLATE_FILE</span> <span class="se">\ </span><span class="ln">10</span><span class="se"></span>--s3-bucket <span class="nv">$S3_BUCKET</span> <span class="se">\ </span><span class="ln">11</span><span class="se"></span>--output-template-file <span class="nv">$OUTPUT_YAML</span> <span class="ln">12</span><span class="nb">echo</span> <span class="s2">&#34; Done&#34;</span> <span class="ln">13</span> <span class="ln">14</span><span class="nb">echo</span> -n <span class="s2">&#34;Deploying stack... &#34;</span> <span class="ln">15</span>aws cloudformation deploy <span class="se">\ </span><span class="ln">16</span><span class="se"></span>--template-file <span class="nv">$OUTPUT_YAML</span> <span class="se">\ </span><span class="ln">17</span><span class="se"></span>--stack-name <span class="nv">$STACK_NAME</span> <span class="se">\ </span><span class="ln">18</span><span class="se"></span>--capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND <span class="ln">19</span><span class="nb">echo</span> <span class="s2">&#34;Done&#34;</span> </code></pre></div><p>And then, execute the above script.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>chmod u+x ./deploy.sh <span class="ln">2</span>./deploy.sh </code></pre></div><p>After that, go to the IAM page in the AWS web site and generate a new key to access the above DynamoDB tables from some applications.</p> <p>If you want to delete it, execute the following command.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>aws cloudformation delete-stack --stack-name <span class="s2">&#34;DynamoDBTableUserList&#34;</span> </code></pre></div> https://takac.dev/kubernetes-suspend-cronjobs-and-terminate-current-pod-without-restarting/ Mon, 19 Oct 2020 22:09:00 +0900 https://takac.dev/kubernetes-suspend-cronjobs-and-terminate-current-pod-without-restarting/ <p>It’s very easy to get information about how to suspend CronJob on Kubernetes clusters. It just executes the &quot;kubectl patch&quot; command. However, if its job is working at that time, the job will not be stopped and it’s impossible to terminate by &quot;kubectl delete pod&quot; command when the restartPolicy was set to &quot;OnFailure&quot; because even though the suspend flag modified to &quot;true&quot;, a new pod will be created right after deleting. There’s no command or options to do that in kubectl command but here is the work around which I came across.</p> <p>First I apply the following a test CronJob.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln"> 1</span><span class="k">apiVersion</span><span class="p">:</span><span class="w"> </span>batch/v1beta1<span class="w"> </span><span class="ln"> 2</span><span class="w"></span><span class="k">kind</span><span class="p">:</span><span class="w"> </span>CronJob<span class="w"> </span><span class="ln"> 3</span><span class="w"></span><span class="k">metadata</span><span class="p">:</span><span class="w"> </span><span class="ln"> 4</span><span class="w"> </span><span class="k">name</span><span class="p">:</span><span class="w"> </span>cronjob-test<span class="w"> </span><span class="ln"> 5</span><span class="w"> </span><span class="k">namespace</span><span class="p">:</span><span class="w"> </span>app<span class="w"> </span><span class="ln"> 6</span><span class="w"></span><span class="k">spec</span><span class="p">:</span><span class="w"> </span><span class="ln"> 7</span><span class="w"> </span><span class="k">schedule</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;15 * * * *&#34;</span><span class="w"> </span><span class="ln"> 8</span><span class="w"> </span><span class="k">concurrencyPolicy</span><span class="p">:</span><span class="w"> </span>Forbid<span class="w"> </span><span class="ln"> 9</span><span class="w"> </span><span class="k">startingDeadlineSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">60</span><span class="w"> </span><span class="ln">10</span><span class="w"> </span><span class="k">successfulJobsHistoryLimit</span><span class="p">:</span><span class="w"> </span><span class="m">5</span><span class="w"> </span><span class="ln">11</span><span class="w"> </span><span class="k">failedJobsHistoryLimit</span><span class="p">:</span><span class="w"> </span><span class="m">5</span><span class="w"> </span><span class="ln">12</span><span class="w"> </span><span class="k">jobTemplate</span><span class="p">:</span><span class="w"> </span><span class="ln">13</span><span class="w"> </span><span class="k">metadata</span><span class="p">:</span><span class="w"> </span><span class="ln">14</span><span class="w"> </span><span class="k">name</span><span class="p">:</span><span class="w"> </span>cronjob-test<span class="w"> </span><span class="ln">15</span><span class="w"> </span><span class="k">spec</span><span class="p">:</span><span class="w"> </span><span class="ln">16</span><span class="w"> </span><span class="k">template</span><span class="p">:</span><span class="w"> </span><span class="ln">17</span><span class="w"> </span><span class="k">spec</span><span class="p">:</span><span class="w"> </span><span class="ln">18</span><span class="w"> </span><span class="k">restartPolicy</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;OnFailure&#34;</span><span class="w"> </span><span class="ln">19</span><span class="w"> </span><span class="k">containers</span><span class="p">:</span><span class="w"> </span><span class="ln">20</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span>cronjob-test<span class="w"> </span><span class="ln">21</span><span class="w"> </span><span class="k">image</span><span class="p">:</span><span class="w"> </span>alpine<span class="p">:</span>latest<span class="w"> </span><span class="ln">22</span><span class="w"> </span><span class="k">imagePullPolicy</span><span class="p">:</span><span class="w"> </span>Always<span class="w"> </span><span class="ln">23</span><span class="w"> </span><span class="k">command</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;tail&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;-f&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;/dev/null&#34;</span><span class="p">]</span><span class="w"> </span></code></pre></div><p>And deploy it but I don’t want to modify the schedule manually and don’t want to wait long so I deploy it by the following script which sets the schedule to the next minute automatically.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span><span class="cp">#!/bin/bash </span><span class="ln"> 2</span><span class="cp"></span> <span class="ln"> 3</span><span class="c1"># Get current hour and minute string</span> <span class="ln"> 4</span><span class="nv">hour</span><span class="o">=</span><span class="sb">`</span>date <span class="s1">&#39;+%-H&#39;</span><span class="sb">`</span> <span class="ln"> 5</span><span class="nv">min</span><span class="o">=</span><span class="sb">`</span>date <span class="s1">&#39;+%-M&#39;</span><span class="sb">`</span> <span class="ln"> 6</span> <span class="ln"> 7</span><span class="c1"># Increment or reset to 0</span> <span class="ln"> 8</span><span class="k">if</span> <span class="o">[</span> <span class="nv">$min</span> -eq <span class="m">59</span> <span class="o">]</span><span class="p">;</span><span class="k">then</span> <span class="ln"> 9</span> <span class="nb">let</span> hour++ <span class="ln">10</span> <span class="nv">min</span><span class="o">=</span><span class="m">0</span> <span class="ln">11</span><span class="k">else</span> <span class="ln">12</span> <span class="nb">let</span> min++ <span class="ln">13</span><span class="k">fi</span> <span class="ln">14</span> <span class="ln">15</span><span class="c1"># Deploy</span> <span class="ln">16</span>cat cronjob.yml <span class="se">\ </span><span class="ln">17</span><span class="se"></span><span class="p">|</span> sed <span class="s2">&#34;s/\(schedule: \).*/\1</span><span class="si">${</span><span class="nv">min</span><span class="si">}</span><span class="s2"> * * * */g&#34;</span> <span class="se">\ </span><span class="ln">18</span><span class="se"></span><span class="p">|</span> kubectl apply -f - <span class="o">||</span> <span class="nb">exit</span> <span class="m">1</span> <span class="ln">19</span> <span class="ln">20</span><span class="nb">printf</span> <span class="s2">&#34;Next schedule is %02d:%02d\n&#34;</span> <span class="nv">$hour</span> <span class="nv">$min</span> </code></pre></div><p>And then, a new pod will be created and it will run continuously. After that, modify the restart_policy to &quot;Never&quot;.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>kubectl get cronjobs.batch cronjob-test -o yaml <span class="se">\ </span><span class="ln">2</span><span class="se"></span><span class="p">|</span> sed <span class="s1">&#39;s/\(restartPolicy: \).*/\1Never/g&#39;</span> <span class="se">\ </span><span class="ln">3</span><span class="se"></span><span class="p">|</span> kubectl apply -f - </code></pre></div><p>Then, modify the suspend flag.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>kubectl patch cronjobs <span class="nv">$job_name</span> -p <span class="s1">&#39; </span><span class="ln">2</span><span class="s1">{ </span><span class="ln">3</span><span class="s1"> &#34;spec&#34;:{ </span><span class="ln">4</span><span class="s1"> &#34;suspend&#34;:&#39;</span>true<span class="s1">&#39; </span><span class="ln">5</span><span class="s1"> } </span><span class="ln">6</span><span class="s1">}&#39;</span> </code></pre></div><p>However, the current working pod is still working. So, it should be terminated but the target is the job not the pod.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span><span class="c1"># Get job batch ID which is generated by the CronJob</span> <span class="ln">2</span><span class="nv">job_batch_id</span><span class="o">=</span><span class="sb">`</span>kubectl get cronjobs.batch <span class="nv">$job_name</span> -o json <span class="p">|</span> jq -r <span class="s1">&#39;.status.active[0].name&#39;</span><span class="sb">`</span> <span class="ln">3</span> <span class="ln">4</span><span class="c1"># Delete the Job by the above ID</span> <span class="ln">5</span>kubectl delete <span class="s2">&#34;job.batch/</span><span class="si">${</span><span class="nv">job_batch_id</span><span class="si">}</span><span class="s2">&#34;</span> </code></pre></div><p>After the above, the current working pod will be disappeared and not recreated automatically. Of course, the next scheduled time arrived, a new pod will not be created because the suspend flag is set to &quot;true&quot; now.</p> <p>When roll back the settings, should to do like this.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span><span class="c1">## suspend flag</span> <span class="ln"> 2</span>kubectl patch cronjobs <span class="nv">$job_name</span> -p <span class="s1">&#39; </span><span class="ln"> 3</span><span class="s1">{ </span><span class="ln"> 4</span><span class="s1"> &#34;spec&#34;:{ </span><span class="ln"> 5</span><span class="s1"> &#34;suspend&#34;:false </span><span class="ln"> 6</span><span class="s1"> } </span><span class="ln"> 7</span><span class="s1">}&#39;</span> <span class="ln"> 8</span> <span class="ln"> 9</span><span class="c1">## restartPolicy</span> <span class="ln">10</span>kubectl get cronjobs.batch cronjob-test -o yaml <span class="se">\ </span><span class="ln">11</span><span class="se"></span><span class="p">|</span> sed <span class="s1">&#39;s/\(restartPolicy: \).*/\1OnFailure/g&#39;</span> <span class="se">\ </span><span class="ln">12</span><span class="se"></span><span class="p">|</span> kubectl apply -f - </code></pre></div><p>And then, when the next scheduled date comes, a new pod will be created.</p> https://takac.dev/should-to-avoid-to-use-public-docker-image-on-productions-straightly/ Sat, 17 Oct 2020 01:11:00 +0900 https://takac.dev/should-to-avoid-to-use-public-docker-image-on-productions-straightly/ <p>There are a lot of samples of Kubernetes and Docker Compose which define public images like nginx:alpine, golang php-fpm and so on. However even though it’s easy to use, it’s not good for production environments because there's a possibility that they are not up-to-date.</p> <p>For example, I’m trying with one of the famous official docker images &quot;nginx:alpine&quot; which is a lightweight NGINX image. I ran the image and executed the &quot;apk upgrade&quot; command, there were 10 packages that should be updated.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span>$ docker run -it --rm nginx:alpine sh -c <span class="s2">&#34;apk upgrade --update --no-cache&#34;</span> <span class="ln"> 2</span> <span class="ln"> 3</span>fetch https://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz <span class="ln"> 4</span>fetch https://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz <span class="ln"> 5</span><span class="o">(</span>1/10<span class="o">)</span> Upgrading musl <span class="o">(</span>1.1.24-r8 -&gt; 1.1.24-r9<span class="o">)</span> <span class="ln"> 6</span><span class="o">(</span>2/10<span class="o">)</span> Upgrading busybox <span class="o">(</span>1.31.1-r16 -&gt; 1.31.1-r19<span class="o">)</span> <span class="ln"> 7</span>Executing busybox-1.31.1-r19.post-upgrade <span class="ln"> 8</span><span class="o">(</span>3/10<span class="o">)</span> Upgrading alpine-baselayout <span class="o">(</span>3.2.0-r6 -&gt; 3.2.0-r7<span class="o">)</span> <span class="ln"> 9</span>Executing alpine-baselayout-3.2.0-r7.pre-upgrade <span class="ln">10</span>Executing alpine-baselayout-3.2.0-r7.post-upgrade <span class="ln">11</span><span class="o">(</span>4/10<span class="o">)</span> Upgrading ca-certificates-bundle <span class="o">(</span>20191127-r2 -&gt; 20191127-r4<span class="o">)</span> <span class="ln">12</span><span class="o">(</span>5/10<span class="o">)</span> Upgrading ssl_client <span class="o">(</span>1.31.1-r16 -&gt; 1.31.1-r19<span class="o">)</span> <span class="ln">13</span><span class="o">(</span>6/10<span class="o">)</span> Upgrading libcurl <span class="o">(</span>7.69.1-r0 -&gt; 7.69.1-r1<span class="o">)</span> <span class="ln">14</span><span class="o">(</span>7/10<span class="o">)</span> Upgrading curl <span class="o">(</span>7.69.1-r0 -&gt; 7.69.1-r1<span class="o">)</span> <span class="ln">15</span><span class="o">(</span>8/10<span class="o">)</span> Upgrading musl-utils <span class="o">(</span>1.1.24-r8 -&gt; 1.1.24-r9<span class="o">)</span> <span class="ln">16</span><span class="o">(</span>9/10<span class="o">)</span> Upgrading brotli-libs <span class="o">(</span>1.0.7-r5 -&gt; 1.0.9-r1<span class="o">)</span> <span class="ln">17</span><span class="o">(</span>10/10<span class="o">)</span> Upgrading libxml2 <span class="o">(</span>2.9.10-r4 -&gt; 2.9.10-r5<span class="o">)</span> <span class="ln">18</span>Executing busybox-1.31.1-r19.trigger <span class="ln">19</span>Executing ca-certificates-20191127-r4.trigger <span class="ln">20</span>OK: <span class="m">24</span> MiB in <span class="m">42</span> packages </code></pre></div><p>So, even though it’s unnecessary to add any packages and copy files, I usually create a Dockerfile like this.</p> <div class="highlight"><pre class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="ln">1</span><span class="k">FROM</span><span class="s"> nginx:alpine</span><span class="err"> </span><span class="ln">2</span><span class="err"></span><span class="k">RUN</span> apk upgrade --update --no-cache <span class="err"> </span></code></pre></div><p>And then, build and register it to my private image registry and all pods use this.</p> <p>On the other hand, I don’t use the &quot;latest&quot; tag because of the following reasons.</p> <ul> <li>It will be updated unexpectedly</li> <li>It’s hard to decide which version which I have to roll back when some troubles happen</li> </ul> <p>There’s one more thing which I usually pay attention to is the variations of base distribution. For example, the default base image of the Golang official image is Debian and also there are tags which are based on Alpine Linux. When using the Alpine based images, should to pay attention to tags because there are tags which Alpine’s version is included and not included one as follows.</p> <ul> <li>NOT Included：1.14.10-alpine, 1.14-alpine</li> <li>Included：1.14.10-alpine3.11, 1.14-alpine3.11, 1.14.10-alpine3.12, 1.14-alpine3.12</li> </ul> <p>In this case, should use the included one because if it’s not, one day the base image will be updated unexpectedly and it will be cause of build failure or execution failure of applications.</p> https://takac.dev/show-image-tags-for-each-revisions-of-kubernetes-deployments/ Fri, 16 Oct 2020 16:11:00 +0900 https://takac.dev/show-image-tags-for-each-revisions-of-kubernetes-deployments/ <p>One of the useful and powerful function is the roll back for me. Basically, all applications on our cluster are deployed automatically by CodePipeline in AWS but if some trouble happen, rolling back to the previous version is one of our options. At that time, all I have to do is the following command.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>$ kubectl rollout undo deployment my-app </code></pre></div><p>When I execute the following command, the list of the revisions which are still remaining on the database on the Kubernetes cluster will be displayed.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>$ kubectl rollout <span class="nb">history</span> deployment my-app </code></pre></div><p>The command’s response is:</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span>REVISION CHANGE-CAUSE <span class="ln"> 2</span><span class="m">29</span> &lt;none&gt; <span class="ln"> 3</span><span class="m">30</span> &lt;none&gt; <span class="ln"> 4</span><span class="m">31</span> &lt;none&gt; <span class="ln"> 5</span><span class="m">32</span> &lt;none&gt; <span class="ln"> 6</span><span class="m">33</span> &lt;none&gt; <span class="ln"> 7</span><span class="m">34</span> &lt;none&gt; <span class="ln"> 8</span><span class="m">35</span> &lt;none&gt; <span class="ln"> 9</span><span class="m">36</span> &lt;none&gt; <span class="ln">10</span><span class="m">37</span> &lt;none&gt; <span class="ln">11</span><span class="m">38</span> &lt;none&gt; <span class="ln">12</span><span class="m">39</span> &lt;none&gt; </code></pre></div><p>And then, if the application should be rolled back to the specific revisions, the following command will work.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>$ kubectl rollout undo deployment my-app --to-revision<span class="o">=</span><span class="m">35</span> </code></pre></div><p>However, I want to know which image was used for each revision because we use the date string like &quot;yyyymmddHHMMSS&quot; for image tags as I posted before.</p> <p><a href="https://takac.dev/whats-good-docker-image-tag" target="_blank">Docker: What’s better image tag than latest, none, and versions?</a> </p> <p>So, If I can see the list of revision numbers and image tags will be helpful for me. However, there’s no function in the kubectl command so I made a shell script like this.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span><span class="cp">#!/bin/bash </span><span class="ln"> 2</span><span class="cp"></span><span class="nv">deployment_name</span><span class="o">=</span><span class="si">${</span><span class="nv">1</span><span class="k">:-</span><span class="nv">NONE</span><span class="si">}</span> <span class="ln"> 3</span> <span class="ln"> 4</span><span class="k">if</span> <span class="o">[</span> <span class="nv">$deployment_name</span> <span class="o">==</span> NONE <span class="o">]</span><span class="p">;</span><span class="k">then</span> <span class="ln"> 5</span> <span class="nb">echo</span> <span class="s2">&#34;USAGE: </span><span class="nv">$0</span><span class="s2"> DEPLOYMENT_NAME&#34;</span> <span class="ln"> 6</span> <span class="nb">exit</span> <span class="m">1</span> <span class="ln"> 7</span><span class="k">fi</span> <span class="ln"> 8</span> <span class="ln"> 9</span><span class="nv">resource_name</span><span class="o">=</span><span class="sb">`</span>kubectl rollout <span class="nb">history</span> deployment <span class="nv">$deployment_name</span> -o name<span class="sb">`</span> <span class="ln">10</span><span class="nb">echo</span> <span class="s2">&#34;Resource name: </span><span class="nv">$resource_name</span><span class="s2">&#34;</span> <span class="ln">11</span><span class="k">for</span> rev in <span class="sb">`</span>kubectl rollout <span class="nb">history</span> <span class="nv">$resource_name</span> <span class="p">|</span> egrep <span class="s1">&#39;^[0-9]+&#39;</span> <span class="p">|</span> awk <span class="s1">&#39;{print $1}&#39;</span><span class="sb">`</span> <span class="ln">12</span><span class="k">do</span> <span class="ln">13</span> <span class="nv">image</span><span class="o">=</span><span class="sb">`</span>kubectl rollout <span class="nb">history</span> <span class="nv">$resource_name</span> --revision<span class="o">=</span><span class="si">${</span><span class="nv">rev</span><span class="si">}</span> <span class="p">|</span> grep Image: <span class="p">|</span> awk <span class="s1">&#39;{print $2}&#39;</span><span class="sb">`</span> <span class="ln">14</span> <span class="nb">printf</span> <span class="s2">&#34;%02d : %s\n&#34;</span> <span class="nv">$rev</span> <span class="nv">$image</span> <span class="ln">15</span><span class="k">done</span> </code></pre></div><p>And its response is like this.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span>Resource name: deployment.apps/my-app <span class="ln"> 2</span><span class="m">32</span> : my-registry/my-app:202010061110 <span class="ln"> 3</span><span class="m">33</span> : my-registry/my-app:202010070906 <span class="ln"> 4</span><span class="m">34</span> : my-registry/my-app:202010080051 <span class="ln"> 5</span><span class="m">35</span> : my-registry/my-app:202010080202 <span class="ln"> 6</span><span class="m">37</span> : my-registry/my-app:202010130703 <span class="ln"> 7</span><span class="m">38</span> : my-registry/my-app:202010130728 <span class="ln"> 8</span><span class="m">39</span> : my-registry/my-app:202010080300 <span class="ln"> 9</span><span class="m">40</span> : my-registry/my-app:202010130754 <span class="ln">10</span><span class="m">41</span> : my-registry/my-app:202010130823 <span class="ln">11</span><span class="m">42</span> : my-registry/my-app:202010130823 <span class="ln">12</span><span class="m">43</span> : my-registry/my-app:202010130940 </code></pre></div><p>As a result of this, I can choose the relevant revision by the deployment date.</p> https://takac.dev/run-memcached-persistently-on-kubernetes/ Thu, 15 Oct 2020 16:45:00 +0900 https://takac.dev/run-memcached-persistently-on-kubernetes/ <p>When running Memcached on the Kubernetes cluster, the cache data will disappear whenever the pod restarts. I know that Redis has the built-in replication and it can be able to have data on persistence disks. However, I have some reasons to run the Memecached on our Kubernetes cluster. So, I was thinking about it and I came across my mind the way using postStart and preStop in lifecycle settings.</p> <p>Before explaining, the disadvantages of this way are as follows.</p> <ul> <li>Cannot cope with node failures</li> <li>Need to add a persistent volume</li> </ul> <p>First, create a script file that loads a dump file if it exists, and then output an empty file for the readiness probe. (post_start.sh)</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span><span class="cp">#!/bin/ash </span><span class="ln"> 2</span><span class="cp"></span><span class="nv">memc_host</span><span class="o">=</span><span class="s2">&#34;127.0.0.1&#34;</span> <span class="ln"> 3</span><span class="nv">memc_port</span><span class="o">=</span><span class="m">11211</span> <span class="ln"> 4</span> <span class="ln"> 5</span><span class="c1"># Load previous prestop data</span> <span class="ln"> 6</span><span class="nv">dump_file</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">DUMP_DIR</span><span class="si">}</span><span class="s2">/</span><span class="si">${</span><span class="nv">HOSTNAME</span><span class="si">}</span><span class="s2">.dump.prestop&#34;</span> <span class="ln"> 7</span><span class="k">if</span> <span class="o">[</span> -f <span class="nv">$dump_file</span> <span class="o">]</span><span class="p">;</span><span class="k">then</span> <span class="ln"> 8</span> <span class="nb">echo</span> <span class="s2">&#34;Loading previous prestop data...&#34;</span> <span class="ln"> 9</span> cat <span class="nv">$dump_file</span> <span class="p">|</span> nc <span class="nv">$memc_host</span> <span class="nv">$memc_port</span> <span class="ln">10</span><span class="k">fi</span> <span class="ln">11</span> <span class="ln">12</span><span class="c1"># For readiness probe</span> <span class="ln">13</span>touch /tmp/ready </code></pre></div><p>And then, create a script that dump data before termination.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span><span class="cp">#!/bin/ash </span><span class="ln">2</span><span class="cp"></span> <span class="ln">3</span><span class="c1"># Load previous prestop data</span> <span class="ln">4</span>/memcached-tool <span class="si">${</span><span class="nv">HOSTNAME</span><span class="si">}</span> dump &gt; <span class="si">${</span><span class="nv">DUMP_DIR</span><span class="si">}</span>/<span class="si">${</span><span class="nv">HOSTNAME</span><span class="si">}</span>.dump.prestop </code></pre></div><p>After creating the above scripts, build the container image with the scripts by the following Dockerfile.</p> <div class="highlight"><pre class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="ln"> 1</span><span class="k">FROM</span><span class="s"> memcached:1.6.6-alpine</span><span class="err"> </span><span class="ln"> 2</span><span class="err"> </span><span class="ln"> 3</span><span class="err"></span><span class="c"># Switch to root for installing packages</span><span class="err"> </span><span class="ln"> 4</span><span class="err"></span><span class="k">USER</span><span class="s"> root</span><span class="err"> </span><span class="ln"> 5</span><span class="err"> </span><span class="ln"> 6</span><span class="err"></span><span class="k">RUN</span> apk --update --no-cache add <span class="se">\ </span><span class="ln"> 7</span><span class="se"></span> bash <span class="se">\ </span><span class="ln"> 8</span><span class="se"></span> busybox-extras <span class="se">\ </span><span class="ln"> 9</span><span class="se"></span> perl<span class="err"> </span><span class="ln">10</span><span class="err"> </span><span class="ln">11</span><span class="err"></span><span class="k">COPY</span> memcached-tool /<span class="err"> </span><span class="ln">12</span><span class="err"></span><span class="k">COPY</span> post_start.sh /<span class="err"> </span><span class="ln">13</span><span class="err"></span><span class="k">COPY</span> pre_stop.sh /<span class="err"> </span><span class="ln">14</span><span class="err"> </span><span class="ln">15</span><span class="err"></span><span class="c"># Switch to memcache for running</span><span class="err"> </span><span class="ln">16</span><span class="err"></span><span class="k">USER</span><span class="s"> memcache</span><span class="err"> </span></code></pre></div><p>Finally, create the following YAML file and deploy it to the Kubernetes cluster.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln"> 1</span><span class="k">apiVersion</span><span class="p">:</span><span class="w"> </span>apps/v1<span class="w"> </span><span class="ln"> 2</span><span class="w"></span><span class="k">kind</span><span class="p">:</span><span class="w"> </span>StatefulSet<span class="w"> </span><span class="ln"> 3</span><span class="w"></span><span class="k">metadata</span><span class="p">:</span><span class="w"> </span><span class="ln"> 4</span><span class="w"> </span><span class="k">name</span><span class="p">:</span><span class="w"> </span>memcached<span class="w"> </span><span class="ln"> 5</span><span class="w"> </span><span class="k">namespace</span><span class="p">:</span><span class="w"> </span>app<span class="w"> </span><span class="ln"> 6</span><span class="w"> </span><span class="k">labels</span><span class="p">:</span><span class="w"> </span><span class="ln"> 7</span><span class="w"> </span><span class="k">app</span><span class="p">:</span><span class="w"> </span>memcached<span class="w"> </span><span class="ln"> 8</span><span class="w"></span><span class="k">spec</span><span class="p">:</span><span class="w"> </span><span class="ln"> 9</span><span class="w"> </span><span class="k">replicas</span><span class="p">:</span><span class="w"> </span><span class="m">2</span><span class="w"> </span><span class="ln">10</span><span class="w"> </span><span class="ln">11</span><span class="w"> </span><span class="k">selector</span><span class="p">:</span><span class="w"> </span><span class="ln">12</span><span class="w"> </span><span class="k">matchLabels</span><span class="p">:</span><span class="w"> </span><span class="ln">13</span><span class="w"> </span><span class="k">app</span><span class="p">:</span><span class="w"> </span>memcached<span class="w"> </span><span class="ln">14</span><span class="w"> </span><span class="ln">15</span><span class="w"> </span><span class="k">serviceName</span><span class="p">:</span><span class="w"> </span>memcached<span class="w"> </span><span class="ln">16</span><span class="w"> </span><span class="k">template</span><span class="p">:</span><span class="w"> </span><span class="ln">17</span><span class="w"> </span><span class="k">metadata</span><span class="p">:</span><span class="w"> </span><span class="ln">18</span><span class="w"> </span><span class="k">labels</span><span class="p">:</span><span class="w"> </span><span class="ln">19</span><span class="w"> </span><span class="k">app</span><span class="p">:</span><span class="w"> </span>memcached<span class="w"> </span><span class="ln">20</span><span class="w"> </span><span class="k">spec</span><span class="p">:</span><span class="w"> </span><span class="ln">21</span><span class="w"> </span><span class="k">affinity</span><span class="p">:</span><span class="w"> </span><span class="ln">22</span><span class="w"> </span><span class="k">podAntiAffinity</span><span class="p">:</span><span class="w"> </span><span class="ln">23</span><span class="w"> </span><span class="k">requiredDuringSchedulingIgnoredDuringExecution</span><span class="p">:</span><span class="w"> </span><span class="ln">24</span><span class="w"> </span>- <span class="k">labelSelector</span><span class="p">:</span><span class="w"> </span><span class="ln">25</span><span class="w"> </span><span class="k">matchExpressions</span><span class="p">:</span><span class="w"> </span><span class="ln">26</span><span class="w"> </span>- <span class="k">key</span><span class="p">:</span><span class="w"> </span>app<span class="w"> </span><span class="ln">27</span><span class="w"> </span><span class="k">operator</span><span class="p">:</span><span class="w"> </span>In<span class="w"> </span><span class="ln">28</span><span class="w"> </span><span class="k">values</span><span class="p">:</span><span class="w"> </span><span class="ln">29</span><span class="w"> </span>- memcached<span class="w"> </span><span class="ln">30</span><span class="w"> </span><span class="k">topologyKey</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;kubernetes.io/hostname&#34;</span><span class="w"> </span><span class="ln">31</span><span class="w"> </span><span class="ln">32</span><span class="w"> </span><span class="k">containers</span><span class="p">:</span><span class="w"> </span><span class="ln">33</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span>memcached<span class="w"> </span><span class="ln">34</span><span class="w"> </span><span class="k">image</span><span class="p">:</span><span class="w"> </span>registry/my-memcached<span class="p">:</span><span class="m">202010051112</span><span class="w"> </span><span class="ln">35</span><span class="w"> </span><span class="k">imagePullPolicy</span><span class="p">:</span><span class="w"> </span>IfNotPresent<span class="w"> </span><span class="ln">36</span><span class="w"> </span><span class="k">args</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;-U&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;0&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;-B&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;ascii&#34;</span><span class="p">]</span><span class="w"> </span><span class="ln">37</span><span class="w"> </span><span class="ln">38</span><span class="w"> </span><span class="k">ports</span><span class="p">:</span><span class="w"> </span><span class="ln">39</span><span class="w"> </span>- <span class="k">containerPort</span><span class="p">:</span><span class="w"> </span><span class="m">11211</span><span class="w"> </span><span class="ln">40</span><span class="w"> </span><span class="ln">41</span><span class="w"> </span><span class="k">env</span><span class="p">:</span><span class="w"> </span><span class="ln">42</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span>DUMP_DIR<span class="w"> </span><span class="ln">43</span><span class="w"> </span><span class="k">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/var/tmp/memcache-dump&#34;</span><span class="w"> </span><span class="ln">44</span><span class="w"> </span><span class="ln">45</span><span class="w"> </span><span class="k">resources</span><span class="p">:</span><span class="w"> </span><span class="ln">46</span><span class="w"> </span><span class="k">requests</span><span class="p">:</span><span class="w"> </span><span class="ln">47</span><span class="w"> </span><span class="k">cpu</span><span class="p">:</span><span class="w"> </span>10m<span class="w"> </span><span class="ln">48</span><span class="w"> </span><span class="k">memory</span><span class="p">:</span><span class="w"> </span>16Mi<span class="w"> </span><span class="ln">49</span><span class="w"> </span><span class="ln">50</span><span class="w"> </span><span class="k">livenessProbe</span><span class="p">:</span><span class="w"> </span><span class="ln">51</span><span class="w"> </span><span class="k">tcpSocket</span><span class="p">:</span><span class="w"> </span><span class="ln">52</span><span class="w"> </span><span class="k">port</span><span class="p">:</span><span class="w"> </span><span class="m">11211</span><span class="w"> </span><span class="ln">53</span><span class="w"> </span><span class="k">initialDelaySeconds</span><span class="p">:</span><span class="w"> </span><span class="m">2</span><span class="w"> </span><span class="ln">54</span><span class="w"> </span><span class="k">periodSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">5</span><span class="w"> </span><span class="ln">55</span><span class="w"> </span><span class="ln">56</span><span class="w"> </span><span class="k">readinessProbe</span><span class="p">:</span><span class="w"> </span><span class="ln">57</span><span class="w"> </span><span class="k">exec</span><span class="p">:</span><span class="w"> </span><span class="ln">58</span><span class="w"> </span><span class="k">command</span><span class="p">:</span><span class="w"> </span><span class="ln">59</span><span class="w"> </span>- cat<span class="w"> </span><span class="ln">60</span><span class="w"> </span>- /tmp/ready<span class="w"> </span><span class="ln">61</span><span class="w"> </span><span class="k">initialDelaySeconds</span><span class="p">:</span><span class="w"> </span><span class="m">5</span><span class="w"> </span><span class="ln">62</span><span class="w"> </span><span class="k">periodSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">5</span><span class="w"> </span><span class="ln">63</span><span class="w"> </span><span class="ln">64</span><span class="w"> </span><span class="k">lifecycle</span><span class="p">:</span><span class="w"> </span><span class="ln">65</span><span class="w"> </span><span class="k">postStart</span><span class="p">:</span><span class="w"> </span><span class="ln">66</span><span class="w"> </span><span class="k">exec</span><span class="p">:</span><span class="w"> </span><span class="ln">67</span><span class="w"> </span><span class="k">command</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;/post_start.sh&#34;</span><span class="p">]</span><span class="w"> </span><span class="ln">68</span><span class="w"> </span><span class="k">preStop</span><span class="p">:</span><span class="w"> </span><span class="ln">69</span><span class="w"> </span><span class="k">exec</span><span class="p">:</span><span class="w"> </span><span class="ln">70</span><span class="w"> </span><span class="k">command</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;/pre_stop.sh&#34;</span><span class="p">]</span><span class="w"> </span><span class="ln">71</span><span class="w"> </span><span class="ln">72</span><span class="w"> </span><span class="k">volumeMounts</span><span class="p">:</span><span class="w"> </span><span class="ln">73</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;memcache-dump&#34;</span><span class="w"> </span><span class="ln">74</span><span class="w"> </span><span class="k">mountPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/var/tmp/memcache-dump&#34;</span><span class="w"> </span><span class="ln">75</span><span class="w"> </span><span class="ln">76</span><span class="w"> </span><span class="k">volumes</span><span class="p">:</span><span class="w"> </span><span class="ln">77</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;memcache-dump&#34;</span><span class="w"> </span><span class="ln">78</span><span class="w"> </span><span class="k">persistentVolumeClaim</span><span class="p">:</span><span class="w"> </span><span class="ln">79</span><span class="w"> </span><span class="k">claimName</span><span class="p">:</span><span class="w"> </span>memcache-efs<span class="w"> </span></code></pre></div><p>I know this is not a sophisticated way but it’s easy to create. So, I think it’s useful in some situations.</p> https://takac.dev/kubernetes-manifest-to-prevent-service-unavailable/ Wed, 14 Oct 2020 16:55:00 +0900 https://takac.dev/kubernetes-manifest-to-prevent-service-unavailable/ <p>Once build the CI/CD which runs automatically from build to deployment, developers are afraid that some problematic container image will be deployed and it will cause service unavailable. Especially web sites should be checked by some scraping tool like Selenium but it’s hard to do that for most start-up companies because of human resources. However, adding some settings to the Kubernetes manifest will reduce possibilities of problems.</p> <p>First, configure the rolling update settings like this.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln">1</span><span class="w"> </span><span class="k">strategy</span><span class="p">:</span><span class="w"> </span><span class="ln">2</span><span class="w"> </span><span class="k">type</span><span class="p">:</span><span class="w"> </span>RollingUpdate<span class="w"> </span><span class="ln">3</span><span class="w"> </span><span class="k">rollingUpdate</span><span class="p">:</span><span class="w"> </span><span class="ln">4</span><span class="w"> </span><span class="k">maxSurge</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="ln">5</span><span class="w"> </span><span class="k">maxUnavailable</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></code></pre></div><p>Second, configure the liveness probe as follows.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln">1</span><span class="w"> </span><span class="k">livenessProbe</span><span class="p">:</span><span class="w"> </span><span class="ln">2</span><span class="w"> </span><span class="k">tcpSocket</span><span class="p">:</span><span class="w"> </span><span class="ln">3</span><span class="w"> </span><span class="k">port</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span><span class="ln">4</span><span class="w"> </span><span class="k">initialDelaySeconds</span><span class="p">:</span><span class="w"> </span><span class="m">15</span><span class="w"> </span><span class="ln">5</span><span class="w"> </span><span class="k">periodSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">20</span><span class="w"> </span></code></pre></div><p>If the running application is simple, it’s enough until here but if it’s complex, should add some configuration. For example, cache server’s pods which have to do the pre cache loading process before service-in should add a readiness probe.</p> <p>Create an empty dir to share the readiness probe file in advance.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln">1</span><span class="w"> </span><span class="k">volumes</span><span class="p">:</span><span class="w"> </span><span class="ln">2</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;readiness-check&#34;</span><span class="w"> </span><span class="ln">3</span><span class="w"> </span><span class="k">emptyDir</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></code></pre></div><p>And then, add a sidecar to run the script which executes pre cache loading and then create an empty file for readiness check.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln">1</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span>init-cache<span class="w"> </span><span class="ln">2</span><span class="w"> </span><span class="k">image</span><span class="p">:</span><span class="w"> </span>myregistry/webcache-init<span class="p">::</span><span class="m">202007301510</span><span class="w"> </span><span class="ln">3</span><span class="w"> </span><span class="k">command</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;/bin/ash&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;-c&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;/init.sh &amp;&amp; tail -f /dev/null&#34;</span><span class="p">]</span><span class="w"> </span><span class="ln">4</span><span class="w"> </span><span class="ln">5</span><span class="w"> </span><span class="k">volumeMounts</span><span class="p">:</span><span class="w"> </span><span class="ln">6</span><span class="w"> </span>- <span class="k">mountPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/tmp/readiness-check&#34;</span><span class="w"> </span><span class="ln">7</span><span class="w"> </span><span class="k">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;readiness-check&#34;</span><span class="w"> </span></code></pre></div><p>And also, add the mount setting and the readiness check to the main app container setting.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln"> 1</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span>webcache<span class="w"> </span><span class="ln"> 2</span><span class="w"> </span><span class="k">image</span><span class="p">:</span><span class="w"> </span>myregistry/webcache<span class="p">:</span><span class="m">202007301510</span><span class="w"> </span><span class="ln"> 3</span><span class="w"> </span><span class="k">imagePullPolicy</span><span class="p">:</span><span class="w"> </span>IfNotPresent<span class="w"> </span><span class="ln"> 4</span><span class="w"> </span><span class="k">ports</span><span class="p">:</span><span class="w"> </span><span class="ln"> 5</span><span class="w"> </span>- <span class="k">containerPort</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span><span class="ln"> 6</span><span class="w"> </span><span class="k">readinessProbe</span><span class="p">:</span><span class="w"> </span><span class="ln"> 7</span><span class="w"> </span><span class="k">exec</span><span class="p">:</span><span class="w"> </span><span class="ln"> 8</span><span class="w"> </span><span class="k">command</span><span class="p">:</span><span class="w"> </span><span class="ln"> 9</span><span class="w"> </span>- cat<span class="w"> </span><span class="ln">10</span><span class="w"> </span>- /tmp/readiness-check/init_cache_ready<span class="w"> </span><span class="ln">11</span><span class="w"> </span><span class="k">initialDelaySeconds</span><span class="p">:</span><span class="w"> </span><span class="m">900</span><span class="w"> </span><span class="ln">12</span><span class="w"> </span><span class="k">periodSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">5</span><span class="w"> </span><span class="ln">13</span><span class="w"> </span><span class="ln">14</span><span class="w"> </span><span class="ln">15</span><span class="w"> </span><span class="k">volumeMounts</span><span class="p">:</span><span class="w"> </span><span class="ln">16</span><span class="w"> </span>- <span class="k">mountPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/tmp/readiness-check&#34;</span><span class="w"> </span><span class="ln">17</span><span class="w"> </span><span class="k">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;readiness-check&#34;</span><span class="w"> </span></code></pre></div><p>By the way, from version 1.16, there's a new feature &quot;Startup Probe.&quot; It looks good to configure more flexibly. Actually I haven't tried yet because my production cluster is 1.14.</p> <p>Ok, here is the full YAML file.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln"> 1</span><span class="k">apiVersion</span><span class="p">:</span><span class="w"> </span>apps/v1<span class="w"> </span><span class="ln"> 2</span><span class="w"></span><span class="k">kind</span><span class="p">:</span><span class="w"> </span>Deployment<span class="w"> </span><span class="ln"> 3</span><span class="w"></span><span class="k">metadata</span><span class="p">:</span><span class="w"> </span><span class="ln"> 4</span><span class="w"> </span><span class="k">name</span><span class="p">:</span><span class="w"> </span>webcache<span class="w"> </span><span class="ln"> 5</span><span class="w"> </span><span class="k">namespace</span><span class="p">:</span><span class="w"> </span>app<span class="w"> </span><span class="ln"> 6</span><span class="w"> </span><span class="k">labels</span><span class="p">:</span><span class="w"> </span><span class="ln"> 7</span><span class="w"> </span><span class="k">app</span><span class="p">:</span><span class="w"> </span>webcache<span class="w"> </span><span class="ln"> 8</span><span class="w"></span><span class="k">spec</span><span class="p">:</span><span class="w"> </span><span class="ln"> 9</span><span class="w"> </span><span class="k">replicas</span><span class="p">:</span><span class="w"> </span><span class="m">4</span><span class="w"> </span><span class="ln">10</span><span class="w"> </span><span class="k">selector</span><span class="p">:</span><span class="w"> </span><span class="ln">11</span><span class="w"> </span><span class="k">matchLabels</span><span class="p">:</span><span class="w"> </span><span class="ln">12</span><span class="w"> </span><span class="k">app</span><span class="p">:</span><span class="w"> </span>webcache<span class="w"> </span><span class="ln">13</span><span class="w"> </span><span class="k">strategy</span><span class="p">:</span><span class="w"> </span><span class="ln">14</span><span class="w"> </span><span class="k">rollingUpdate</span><span class="p">:</span><span class="w"> </span><span class="ln">15</span><span class="w"> </span><span class="k">maxSurge</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="ln">16</span><span class="w"> </span><span class="k">maxUnavailable</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="ln">17</span><span class="w"> </span><span class="k">type</span><span class="p">:</span><span class="w"> </span>RollingUpdate<span class="w"> </span><span class="ln">18</span><span class="w"> </span><span class="k">template</span><span class="p">:</span><span class="w"> </span><span class="ln">19</span><span class="w"> </span><span class="k">metadata</span><span class="p">:</span><span class="w"> </span><span class="ln">20</span><span class="w"> </span><span class="k">labels</span><span class="p">:</span><span class="w"> </span><span class="ln">21</span><span class="w"> </span><span class="k">app</span><span class="p">:</span><span class="w"> </span>webcache<span class="w"> </span><span class="ln">22</span><span class="w"> </span><span class="k">spec</span><span class="p">:</span><span class="w"> </span><span class="ln">23</span><span class="w"> </span><span class="k">affinity</span><span class="p">:</span><span class="w"> </span><span class="ln">24</span><span class="w"> </span><span class="k">podAntiAffinity</span><span class="p">:</span><span class="w"> </span><span class="ln">25</span><span class="w"> </span><span class="k">requiredDuringSchedulingIgnoredDuringExecution</span><span class="p">:</span><span class="w"> </span><span class="ln">26</span><span class="w"> </span>- <span class="k">labelSelector</span><span class="p">:</span><span class="w"> </span><span class="ln">27</span><span class="w"> </span><span class="k">matchExpressions</span><span class="p">:</span><span class="w"> </span><span class="ln">28</span><span class="w"> </span>- <span class="k">key</span><span class="p">:</span><span class="w"> </span>app<span class="w"> </span><span class="ln">29</span><span class="w"> </span><span class="k">operator</span><span class="p">:</span><span class="w"> </span>In<span class="w"> </span><span class="ln">30</span><span class="w"> </span><span class="k">values</span><span class="p">:</span><span class="w"> </span><span class="ln">31</span><span class="w"> </span>- webcache<span class="w"> </span><span class="ln">32</span><span class="w"> </span><span class="k">topologyKey</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;kubernetes.io/hostname&#34;</span><span class="w"> </span><span class="ln">33</span><span class="w"> </span><span class="ln">34</span><span class="w"> </span><span class="k">containers</span><span class="p">:</span><span class="w"> </span><span class="ln">35</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span>webcache<span class="w"> </span><span class="ln">36</span><span class="w"> </span><span class="k">image</span><span class="p">:</span><span class="w"> </span>myregistry/webcache<span class="p">:</span><span class="m">202007301510</span><span class="w"> </span><span class="ln">37</span><span class="w"> </span><span class="k">imagePullPolicy</span><span class="p">:</span><span class="w"> </span>IfNotPresent<span class="w"> </span><span class="ln">38</span><span class="w"> </span><span class="k">ports</span><span class="p">:</span><span class="w"> </span><span class="ln">39</span><span class="w"> </span>- <span class="k">containerPort</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span><span class="ln">40</span><span class="w"> </span><span class="k">readinessProbe</span><span class="p">:</span><span class="w"> </span><span class="ln">41</span><span class="w"> </span><span class="k">exec</span><span class="p">:</span><span class="w"> </span><span class="ln">42</span><span class="w"> </span><span class="k">command</span><span class="p">:</span><span class="w"> </span><span class="ln">43</span><span class="w"> </span>- cat<span class="w"> </span><span class="ln">44</span><span class="w"> </span>- /tmp/readiness-check/init_cache_ready<span class="w"> </span><span class="ln">45</span><span class="w"> </span><span class="k">initialDelaySeconds</span><span class="p">:</span><span class="w"> </span><span class="m">900</span><span class="w"> </span><span class="ln">46</span><span class="w"> </span><span class="k">periodSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">5</span><span class="w"> </span><span class="ln">47</span><span class="w"> </span><span class="ln">48</span><span class="w"> </span><span class="k">resources</span><span class="p">:</span><span class="w"> </span><span class="ln">49</span><span class="w"> </span><span class="k">requests</span><span class="p">:</span><span class="w"> </span><span class="ln">50</span><span class="w"> </span><span class="k">cpu</span><span class="p">:</span><span class="w"> </span>10m<span class="w"> </span><span class="ln">51</span><span class="w"> </span><span class="k">memory</span><span class="p">:</span><span class="w"> </span>64Mi<span class="w"> </span><span class="ln">52</span><span class="w"> </span><span class="k">limits</span><span class="p">:</span><span class="w"> </span><span class="ln">53</span><span class="w"> </span><span class="k">cpu</span><span class="p">:</span><span class="w"> </span>1000m<span class="w"> </span><span class="ln">54</span><span class="w"> </span><span class="k">memory</span><span class="p">:</span><span class="w"> </span>1000Mi<span class="w"> </span><span class="ln">55</span><span class="w"> </span><span class="ln">56</span><span class="w"> </span><span class="k">livenessProbe</span><span class="p">:</span><span class="w"> </span><span class="ln">57</span><span class="w"> </span><span class="k">tcpSocket</span><span class="p">:</span><span class="w"> </span><span class="ln">58</span><span class="w"> </span><span class="k">port</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span><span class="ln">59</span><span class="w"> </span><span class="k">initialDelaySeconds</span><span class="p">:</span><span class="w"> </span><span class="m">15</span><span class="w"> </span><span class="ln">60</span><span class="w"> </span><span class="k">periodSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">20</span><span class="w"> </span><span class="ln">61</span><span class="w"> </span><span class="ln">62</span><span class="w"> </span><span class="k">lifecycle</span><span class="p">:</span><span class="w"> </span><span class="ln">63</span><span class="w"> </span><span class="k">preStop</span><span class="p">:</span><span class="w"> </span><span class="ln">64</span><span class="w"> </span><span class="k">exec</span><span class="p">:</span><span class="w"> </span><span class="ln">65</span><span class="w"> </span><span class="k">command</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;/bin/ash&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;-c&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;sleep 10&#34;</span><span class="p">]</span><span class="w"> </span><span class="ln">66</span><span class="w"> </span><span class="ln">67</span><span class="w"> </span><span class="k">volumeMounts</span><span class="p">:</span><span class="w"> </span><span class="ln">68</span><span class="w"> </span>- <span class="k">mountPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/tmp/readiness-check&#34;</span><span class="w"> </span><span class="ln">69</span><span class="w"> </span><span class="k">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;readiness-check&#34;</span><span class="w"> </span><span class="ln">70</span><span class="w"> </span><span class="ln">71</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span>init-cache<span class="w"> </span><span class="ln">72</span><span class="w"> </span><span class="k">image</span><span class="p">:</span><span class="w"> </span>myregistry/webcache-init<span class="p">::</span><span class="m">202007301510</span><span class="w"> </span><span class="ln">73</span><span class="w"> </span><span class="k">command</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;/bin/ash&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;-c&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;/init.sh &amp;&amp; tail -f /dev/null&#34;</span><span class="p">]</span><span class="w"> </span><span class="ln">74</span><span class="w"> </span><span class="ln">75</span><span class="w"> </span><span class="k">resources</span><span class="p">:</span><span class="w"> </span><span class="ln">76</span><span class="w"> </span><span class="k">requests</span><span class="p">:</span><span class="w"> </span><span class="ln">77</span><span class="w"> </span><span class="k">cpu</span><span class="p">:</span><span class="w"> </span>10m<span class="w"> </span><span class="ln">78</span><span class="w"> </span><span class="k">memory</span><span class="p">:</span><span class="w"> </span>16Mi<span class="w"> </span><span class="ln">79</span><span class="w"> </span><span class="k">limits</span><span class="p">:</span><span class="w"> </span><span class="ln">80</span><span class="w"> </span><span class="k">cpu</span><span class="p">:</span><span class="w"> </span>100m<span class="w"> </span><span class="ln">81</span><span class="w"> </span><span class="k">memory</span><span class="p">:</span><span class="w"> </span>32Mi<span class="w"> </span><span class="ln">82</span><span class="w"> </span><span class="ln">83</span><span class="w"> </span><span class="k">volumeMounts</span><span class="p">:</span><span class="w"> </span><span class="ln">84</span><span class="w"> </span>- <span class="k">mountPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/tmp/readiness-check&#34;</span><span class="w"> </span><span class="ln">85</span><span class="w"> </span><span class="k">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;readiness-check&#34;</span><span class="w"> </span><span class="ln">86</span><span class="w"> </span><span class="ln">87</span><span class="w"> </span><span class="k">volumes</span><span class="p">:</span><span class="w"> </span><span class="ln">88</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;readiness-check&#34;</span><span class="w"> </span><span class="ln">89</span><span class="w"> </span><span class="k">emptyDir</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></code></pre></div> https://takac.dev/eliminate-unnecessary-instances-from-ec2-service-discovery/ Tue, 13 Oct 2020 00:00:00 +0900 https://takac.dev/eliminate-unnecessary-instances-from-ec2-service-discovery/ <p>EC2 Service Discovery is very useful in the Prometheus configuration especially when the autoscale is used. However, some temporary or test servers which do not need to be monitored will be cause of unnecessary alerts. So, I added some settings to avoid it.</p> <p>For example, if I would like to eliminate instances which have names including &quot;test&quot; or &quot;dev&quot;, I’ll add the following configurations.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln">1</span><span class="w"> </span><span class="k">relabel_configs</span><span class="p">:</span><span class="w"> </span><span class="ln">2</span><span class="w"> </span>- <span class="k">source_labels</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>__meta_ec2_tag_Name<span class="p">]</span><span class="w"> </span><span class="ln">3</span><span class="w"> </span><span class="k">regex</span><span class="p">:</span><span class="w"> </span>.<span class="cp">*test.*</span><span class="w"> </span><span class="ln">4</span><span class="w"> </span><span class="k">action</span><span class="p">:</span><span class="w"> </span>drop<span class="w"> </span><span class="ln">5</span><span class="w"> </span>- <span class="k">source_labels</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>__meta_ec2_tag_Name<span class="p">]</span><span class="w"> </span><span class="ln">6</span><span class="w"> </span><span class="k">regex</span><span class="p">:</span><span class="w"> </span>.<span class="cp">*dev.*</span><span class="w"> </span><span class="ln">7</span><span class="w"> </span><span class="k">action</span><span class="p">:</span><span class="w"> </span>drop<span class="w"> </span></code></pre></div><p>As a result of the above, the Prometheus will ignore those nodes. So, if I would like to use some instances which are temporary or no need to be monitored, the names should include one of them like &quot;test-app&quot; or &quot;dev-web-server&quot;</p> https://takac.dev/variables-in-fluentds-config-are-useful/ Mon, 12 Oct 2020 00:07:00 +0900 https://takac.dev/variables-in-fluentds-config-are-useful/ <p>Fluentd is necessary software for operating Kubernetes clusters. Variables in the Fluentd’s configs are useful because they reduce redundant writing and also it will come in handy to switch environments between development and production.</p> <p>For example, I configure the fluentd which is running on our Kubernetes cluster as a DaemonSet as follows.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln"> 1</span>&lt;match **&gt; <span class="ln"> 2</span> @type elasticsearch <span class="ln"> 3</span> type_name _doc <span class="ln"> 4</span> include_tag_key true <span class="ln"> 5</span> host &#34;#{ENV[&#39;ELASTICSEARCH_HOST&#39;]}&#34; <span class="ln"> 6</span> port &#34;#{ENV[&#39;ELASTICSEARCH_PORT&#39;]}&#34; <span class="ln"> 7</span> time_key time <span class="ln"> 8</span> reconnect_on_error true <span class="ln"> 9</span> reload_on_failure true <span class="ln">10</span> <span class="ln">11</span> ## Logstash format settings (index will be &#34;${tag}-%Y.%m&#34;) <span class="ln">12</span> logstash_format true <span class="ln">13</span> logstash_prefix ${tag} <span class="ln">14</span> logstash_prefix_separator - <span class="ln">15</span> logstash_dateformat %Y.%m <span class="ln">16</span> <span class="ln">17</span> &lt;buffer tag, time&gt; <span class="ln">18</span> @type file <span class="ln">19</span> timekey 1h <span class="ln">20</span> path /var/log/fluentd-buffers/${tag}.buffer <span class="ln">21</span> flush_mode interval <span class="ln">22</span> retry_type exponential_backoff <span class="ln">23</span> flush_thread_count 2 <span class="ln">24</span> flush_interval 5s <span class="ln">25</span> retry_forever <span class="ln">26</span> retry_max_interval 30 <span class="ln">27</span> chunk_limit_size 32M <span class="ln">28</span> queue_limit_length 100 <span class="ln">29</span> overflow_action drop_oldest_chunk <span class="ln">30</span> &lt;/buffer&gt; <span class="ln">31</span>&lt;/match&gt; </code></pre></div><p>As you see on line 5 and 6, I defined the ElasticSearch host and port by variables. And then, I configured the Kubernetes YAML file like this.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln">1</span><span class="w"> </span><span class="k">env</span><span class="p">:</span><span class="w"> </span><span class="ln">2</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span>ELASTICSEARCH_HOST<span class="w"> </span><span class="ln">3</span><span class="w"> </span><span class="k">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;es.mydomain&#34;</span><span class="w"> </span><span class="ln">4</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span>ELASTICSEARCH_PORT<span class="w"> </span><span class="ln">5</span><span class="w"> </span><span class="k">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;9200&#34;</span><span class="w"> </span></code></pre></div><p>On the other hand, the YAML file for the development environment is like this.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln">1</span><span class="w">　 </span><span class="k">env</span><span class="p">:</span><span class="w"> </span><span class="ln">2</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span>ELASTICSEARCH_HOST<span class="w"> </span><span class="ln">3</span><span class="w"> </span><span class="k">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;host.docker.internal&#34;</span><span class="w"> </span><span class="ln">4</span><span class="w"> </span>- <span class="k">name</span><span class="p">:</span><span class="w"> </span>ELASTICSEARCH_PORT<span class="w"> </span><span class="ln">5</span><span class="w"> </span><span class="k">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;9200&#34;</span><span class="w"> </span></code></pre></div><p>So, this will be able to switch these environments easily.</p> https://takac.dev/pitfalls-of-original-defined-log-format-ingesting-by-fluentd/ Sun, 11 Oct 2020 00:00:00 +0900 https://takac.dev/pitfalls-of-original-defined-log-format-ingesting-by-fluentd/ <p>One day, I realized that the fluentd on our Kubernetes cluster was logging a lot of &quot;invalid date&quot; errors like this.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>#0 dump an error event: error_class=ArgumentError error=&#34;invalid date&#34; location=&#34;/usr/local/bundle/gems/fluent-plugin-elasticsearch-4.1.1/lib/fluent/plugin/out_elasticsearch.rb:519:in `parse&#39;&#34; tag=&#34;Fluent::ElasticsearchOutput::TimeParser.error&#34; time=2020-07-21 14:59:59.894536631 +0000 record={&#34;tag&#34;=&gt;&#34;hoge.fuga.kubernetes&#34;, &#34;time&#34;=&gt;2020-07-21 14:59:52.000000000 +0000, &#34;format&#34;=&gt;nil, &#34;value&#34;=&gt;&#34;1595343592&#34;} </code></pre></div><p>When ingesting HAProxy’s logs which I defined as JSON format, the error caused. I couldn’t understand why it happened because the above log said “TimeParser.error time=2020-07-21 14:59:59.894536631”. It looks the correct format that I expected. And also, other application logs like NGINX were no problem. Just this pod which has the HAProxy only.</p> <p>I checked the log format again in the HAProxy configuration file and it was the follows.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span> log global <span class="ln">2</span> log-format &#39;{&#34;host&#34;:&#34;%H&#34;,&#34;ident&#34;:&#34;haproxy&#34;,&#34;pid&#34;:%pid,&#34;time&#34;:&#34;%Ts&#34;,&#34;haproxy&#34;:{&#34;conn&#34;:{&#34;act&#34;:%ac,&#34;fe&#34;:%fc,&#34;be&#34;:%bc,&#34;srv&#34;:%sc},&#34;queue&#34;:{&#34;backend&#34;:%bq,&#34;srv&#34;:%sq},&#34;time&#34;:{&#34;tq&#34;:%Tq,&#34;tw&#34;:%Tw,&#34;tc&#34;:%Tc,&#34;tr&#34;:%Tr,&#34;tt&#34;:%Tt},&#34;termination_state&#34;:&#34;%tsc&#34;,&#34;retries&#34;:%rc,&#34;network&#34;:{&#34;client_ip&#34;:&#34;%ci&#34;,&#34;client_port&#34;:%cp,&#34;frontend_ip&#34;:&#34;%fi&#34;,&#34;frontend_port&#34;:%fp},&#34;ssl&#34;:{&#34;version&#34;:&#34;%sslv&#34;,&#34;ciphers&#34;:&#34;%sslc&#34;},&#34;request&#34;:{&#34;method&#34;:&#34;%HM&#34;,&#34;uri&#34;:&#34;%[capture.req.uri,json(utf8s)]&#34;,&#34;protocol&#34;:&#34;%HV&#34;,&#34;header&#34;:{&#34;host&#34;:&#34;%[capture.req.hdr(0),json(utf8s)]&#34;,&#34;xforwardfor&#34;:&#34;%[capture.req.hdr(1),json(utf8s)]&#34;,&#34;referer&#34;:&#34;%[capture.req.hdr(2),json(utf8s)]&#34;,&#34;user-agent&#34;:&#34;%[capture.req.hdr(3),json(utf8s)]&#34;,&#34;content-length&#34;:&#34;%[capture.req.hdr(4),json(utf8s)]&#34;}},&#34;name&#34;:{&#34;backend&#34;:&#34;%b&#34;,&#34;frontend&#34;:&#34;%ft&#34;,&#34;server&#34;:&#34;%s&#34;},&#34;response&#34;:{&#34;status_code&#34;:%ST,&#34;header&#34;:{&#34;server&#34;:&#34;%[capture.res.hdr(0),json(utf8s)]&#34;,&#34;content-type&#34;:&#34;%[capture.res.hdr(1),json(utf8s)]&#34;,&#34;transfer-encoding&#34;:&#34;%[capture.res.hdr(2),json(utf8s)]&#34;,&#34;cache-control&#34;:&#34;%[capture.res.hdr(3),json(utf8s)]&#34;,&#34;via&#34;:&#34;%[capture.res.hdr(4),json(utf8s)]&#34;,&#34;location&#34;:&#34;%[capture.res.hdr(5),json(utf8s)]&#34;,&#34;content-encoding&#34;:&#34;%[capture.res.hdr(6),json(utf8s)]&#34;}},&#34;bytes&#34;:{&#34;uploaded&#34;:%U,&#34;read&#34;:%B}}}&#39; </code></pre></div><p>After a few minutes, I realized the value of the “time” column was quoted by double quotations. So, I deleted it and deployed the HAProxy again then the errors disappeared. Finally I found out that the time column in the log format must not be quoted because that will be ingested as String not Date.</p> https://takac.dev/how-many-pods-are-available-on-compute-nodes-of-aws-eks/ Sat, 10 Oct 2020 16:51:00 +0900 https://takac.dev/how-many-pods-are-available-on-compute-nodes-of-aws-eks/ <p>When getting started to use AWS EKS for building Kubernetes clusters, we should consider the limitations of the number of IP addresses it depends on the instance size. Actually, I didn’t know about it because I just overlooked it on the official document. I know it was my mistake but it should be a blind spot for some people so I’ll share my experience.</p> <p>After a few months since I got started to use our cluster, I realize that there’s some error logs of kubelet like this.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>RunPodSandbox from runtime service failed: rpc error: code = Unknown desc = failed to set up sandbox container &#34;xxxxxx&#34; network for pod &#34;hoge-1602061920-snvck&#34;: NetworkPlugin cni failed to set up pod &#34;hoge-1602061920-snvck_apps&#34; network: add cmd: failed to assign an IP address to container </code></pre></div><p>I investigated this problem and then I found out there’s some limitation of the pod’s number by EC2 instance’s restrictions. EC2 instances has the limitation of the number of ENI (Elastic Network Interface) and how many IP addresses it’s able to have. The limitation is defined depending on the instance size. For example, m5.Large instance is able to have 3 ENIs and 10 IP addresses for each ENI so totally 30 addresses. However the primary address of each ENI cannot be used for Pods so 27 addresses will be available for pods. Another example, m5.4xlarge instance is able to have 8 ENIs and 30 IP addresses for each ENI so 232 addresses will be available for pods.</p> <p>I’m not sure it’s enough compared to the resources like CPUs and memories for most people. However it should be considered before using EKS especially the cluster size is not large yet. In my case, after reaching the limitation, I’m operating as follows.</p> <ul> <li>Use NodeAffinity option to avoid running multiple pods on the same node and don’t increase the replica number over the number of nodes</li> <li>When running batches as CronJobs, adjust the schedule to avoid overlapping</li> </ul> <hr> <p>References</p> <ul> <li><a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html" target="_blank">AWS &amp;gt; Documentation &amp;gt; Amazon EC2 &amp;gt; User Guide for Linux Instances &amp;gt; Elastic network interfaces</a> </li> </ul> https://takac.dev/haproxy-running-on-k8s-and-output-a-lot-of-badreq-logs/ Fri, 09 Oct 2020 23:35:00 +0900 https://takac.dev/haproxy-running-on-k8s-and-output-a-lot-of-badreq-logs/ <p>When I was setting up HAProxy running on our Kubernetes cluster, I defined the log format as JSON and I got a lot of BADREQ logs with status code 400 as follows.</p> <div class="highlight"><pre class="chroma"><code class="language-json" data-lang="json"><span class="ln"> 1</span><span class="p">{</span> <span class="ln"> 2</span> <span class="nt">&#34;conn&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 3</span> <span class="nt">&#34;act&#34;</span><span class="p">:</span> <span class="mi">7</span><span class="p">,</span> <span class="ln"> 4</span> <span class="nt">&#34;fe&#34;</span><span class="p">:</span> <span class="mi">7</span><span class="p">,</span> <span class="ln"> 5</span> <span class="nt">&#34;be&#34;</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="ln"> 6</span> <span class="nt">&#34;srv&#34;</span><span class="p">:</span> <span class="mi">0</span> <span class="ln"> 7</span> <span class="p">},</span> <span class="ln"> 8</span> <span class="nt">&#34;queue&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln"> 9</span> <span class="nt">&#34;backend&#34;</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="ln">10</span> <span class="nt">&#34;srv&#34;</span><span class="p">:</span> <span class="mi">0</span> <span class="ln">11</span> <span class="p">},</span> <span class="ln">12</span> <span class="nt">&#34;time&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln">13</span> <span class="nt">&#34;tq&#34;</span><span class="p">:</span> <span class="mi">-1</span><span class="p">,</span> <span class="ln">14</span> <span class="nt">&#34;tw&#34;</span><span class="p">:</span> <span class="mi">-1</span><span class="p">,</span> <span class="ln">15</span> <span class="nt">&#34;tc&#34;</span><span class="p">:</span> <span class="mi">-1</span><span class="p">,</span> <span class="ln">16</span> <span class="nt">&#34;tr&#34;</span><span class="p">:</span> <span class="mi">-1</span><span class="p">,</span> <span class="ln">17</span> <span class="nt">&#34;tt&#34;</span><span class="p">:</span> <span class="mi">0</span> <span class="ln">18</span> <span class="p">},</span> <span class="ln">19</span> <span class="nt">&#34;termination_state&#34;</span><span class="p">:</span> <span class="s2">&#34;CR--&#34;</span><span class="p">,</span> <span class="ln">20</span> <span class="nt">&#34;retries&#34;</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="ln">21</span> <span class="nt">&#34;network&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln">22</span> <span class="nt">&#34;client_ip&#34;</span><span class="p">:</span> <span class="s2">&#34;172.31.79.179&#34;</span><span class="p">,</span> <span class="ln">23</span> <span class="nt">&#34;client_port&#34;</span><span class="p">:</span> <span class="mi">63740</span><span class="p">,</span> <span class="ln">24</span> <span class="nt">&#34;frontend_ip&#34;</span><span class="p">:</span> <span class="s2">&#34;172.31.76.184&#34;</span><span class="p">,</span> <span class="ln">25</span> <span class="nt">&#34;frontend_port&#34;</span><span class="p">:</span> <span class="mi">80</span> <span class="ln">26</span> <span class="p">},</span> <span class="ln">27</span> <span class="nt">&#34;ssl&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln">28</span> <span class="nt">&#34;version&#34;</span><span class="p">:</span> <span class="s2">&#34;-&#34;</span><span class="p">,</span> <span class="ln">29</span> <span class="nt">&#34;ciphers&#34;</span><span class="p">:</span> <span class="s2">&#34;-&#34;</span> <span class="ln">30</span> <span class="p">},</span> <span class="ln">31</span> <span class="nt">&#34;request&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln">32</span> <span class="nt">&#34;method&#34;</span><span class="p">:</span> <span class="s2">&#34;&lt;BADREQ&gt;&#34;</span><span class="p">,</span> <span class="ln">33</span> <span class="nt">&#34;uri&#34;</span><span class="p">:</span> <span class="s2">&#34;-&#34;</span><span class="p">,</span> <span class="ln">34</span> <span class="nt">&#34;protocol&#34;</span><span class="p">:</span> <span class="s2">&#34;&lt;BADREQ&gt;&#34;</span><span class="p">,</span> <span class="ln">35</span> <span class="nt">&#34;header&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln">36</span> <span class="nt">&#34;host&#34;</span><span class="p">:</span> <span class="s2">&#34;-&#34;</span><span class="p">,</span> <span class="ln">37</span> <span class="nt">&#34;xforwardfor&#34;</span><span class="p">:</span> <span class="s2">&#34;-&#34;</span><span class="p">,</span> <span class="ln">38</span> <span class="nt">&#34;referer&#34;</span><span class="p">:</span> <span class="s2">&#34;-&#34;</span> <span class="ln">39</span> <span class="p">}</span> <span class="ln">40</span> <span class="p">},</span> <span class="ln">41</span> <span class="nt">&#34;name&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln">42</span> <span class="nt">&#34;backend&#34;</span><span class="p">:</span> <span class="s2">&#34;https-in&#34;</span><span class="p">,</span> <span class="ln">43</span> <span class="nt">&#34;frontend&#34;</span><span class="p">:</span> <span class="s2">&#34;https-in&#34;</span><span class="p">,</span> <span class="ln">44</span> <span class="nt">&#34;server&#34;</span><span class="p">:</span> <span class="s2">&#34;&lt;NOSRV&gt;&#34;</span> <span class="ln">45</span> <span class="p">},</span> <span class="ln">46</span> <span class="nt">&#34;response&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln">47</span> <span class="nt">&#34;status_code&#34;</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="ln">48</span> <span class="nt">&#34;header&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln">49</span> <span class="nt">&#34;xrequestid&#34;</span><span class="p">:</span> <span class="s2">&#34;-&#34;</span> <span class="ln">50</span> <span class="p">}</span> <span class="ln">51</span> <span class="p">},</span> <span class="ln">52</span> <span class="nt">&#34;bytes&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="ln">53</span> <span class="nt">&#34;uploaded&#34;</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="ln">54</span> <span class="nt">&#34;read&#34;</span><span class="p">:</span> <span class="mi">245</span> <span class="ln">55</span> <span class="p">}</span> <span class="ln">56</span><span class="p">}</span> </code></pre></div><p>As a result of researching these error logs, I realize that the cause of these errors is the liveness probe of Kubernetes like this.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln">1</span><span class="w"> </span><span class="k">livenessProbe</span><span class="p">:</span><span class="w"> </span><span class="ln">2</span><span class="w"> </span><span class="k">tcpSocket</span><span class="p">:</span><span class="w"> </span><span class="ln">3</span><span class="w"> </span><span class="k">port</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span><span class="ln">4</span><span class="w"> </span><span class="k">initialDelaySeconds</span><span class="p">:</span><span class="w"> </span><span class="m">15</span><span class="w"> </span><span class="ln">5</span><span class="w"> </span><span class="k">periodSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">5</span><span class="w"> </span></code></pre></div><p>I’m not sure but I think health-check by TCP not HTTP will raise the same logs.</p> <p>Finally, I solved this problem by adding &quot;dontlognull&quot; option like this.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>defaults <span class="ln">2</span> mode http <span class="ln">3</span> option dontlognull <span class="ln">4</span> : <span class="ln">5</span> : </code></pre></div> https://takac.dev/test-web-page-on-local-k8s-via-https-w-o-specifying-port/ Tue, 06 Oct 2020 12:22:00 +0900 https://takac.dev/test-web-page-on-local-k8s-via-https-w-o-specifying-port/ <p>When I deploy some web application on the local Kubernetes cluster, I would like to test it like</p> <ul> <li>Without specifying a port number</li> <li>Via HTTPS</li> <li>Specify original FQDN not localhost</li> </ul> <p>For example, if I'm developing &quot;www.example.com,&quot; I would like to test by the URL like <a href="https://www.example.work/">https://www.example.work/</a>. So, Let me share how to do it.</p> <p>When deploying a web site on the Kubernetes on the local computer, I need to test the site with the URL like https://localhost:30000. But this is bothersome for testing because it depends on the web site, some links in the page don’t have the port number. And also, nowadays, most of the web site should be accessed via HTTPS, so I want to test the site via HTTPS. So I made a load balancer to solve the problem with NGINX.</p> <p>At first, I put the settings for redirecting from HTTP to HTTPS with the 307 status like this.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span>server <span class="o">{</span> <span class="ln"> 2</span> listen 80<span class="p">;</span> <span class="ln"> 3</span> server_name _<span class="p">;</span> <span class="ln"> 4</span> <span class="ln"> 5</span> <span class="nv">location</span> <span class="o">=</span> /any.example.com.pem <span class="o">{</span> <span class="ln"> 6</span> root /usr/share/nginx/html<span class="p">;</span> <span class="ln"> 7</span> <span class="o">}</span> <span class="ln"> 8</span> <span class="ln"> 9</span> location / <span class="o">{</span> <span class="ln">10</span> <span class="k">return</span> <span class="m">307</span> https://<span class="nv">$host$request_uri</span><span class="p">;</span> <span class="ln">11</span> <span class="o">}</span> <span class="ln">12</span><span class="o">}</span> </code></pre></div><p>The above setting includes a setting to download the dummy SSL cert file which I will explain later. And I set the redirecting status to 307, not 301 to keep the request's method and body just in case.</p> <p>And then, I put the settings for HTTPS like this.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span>map <span class="nv">$http_host</span> <span class="nv">$backend</span> <span class="o">{</span> <span class="ln"> 2</span> default <span class="nv">$http_host</span><span class="p">;</span> <span class="ln"> 3</span> example.work web_example<span class="p">;</span> <span class="ln"> 4</span> example.com web_example<span class="p">;</span> <span class="ln"> 5</span><span class="o">}</span> <span class="ln"> 6</span> <span class="ln"> 7</span>upstream web_example <span class="o">{</span> <span class="ln"> 8</span> server host.docker.internal:30000<span class="p">;</span> <span class="ln"> 9</span><span class="o">}</span> <span class="ln">10</span> <span class="ln">11</span>server <span class="o">{</span> <span class="ln">12</span> listen <span class="m">443</span> default ssl<span class="p">;</span> <span class="ln">13</span> server_name _<span class="p">;</span> <span class="ln">14</span> <span class="ln">15</span> <span class="c1"># SSL</span> <span class="ln">16</span> ssl_certificate /usr/local/nginx/cert/any.example.com.pem<span class="p">;</span> <span class="ln">17</span> ssl_certificate_key /usr/local/nginx/cert/any.example.com.key<span class="p">;</span> <span class="ln">18</span> <span class="ln">19</span> location / <span class="o">{</span> <span class="ln">20</span> proxy_set_header Host <span class="nv">$host</span><span class="p">;</span> <span class="ln">21</span> proxy_set_header X-Real-IP <span class="nv">$remote_addr</span><span class="p">;</span> <span class="ln">22</span> proxy_set_header X-Forwarded-Proto https<span class="p">;</span> <span class="ln">23</span> proxy_set_header X-Forwarded-Host <span class="nv">$host</span><span class="p">;</span> <span class="ln">24</span> proxy_set_header X-Forwarded-Server <span class="nv">$host</span><span class="p">;</span> <span class="ln">25</span> proxy_set_header X-Forwarded-For <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span> <span class="ln">26</span> <span class="ln">27</span> proxy_pass https://<span class="nv">$backend</span><span class="p">;</span> <span class="ln">28</span> <span class="ln">29</span> send_timeout 180<span class="p">;</span> <span class="ln">30</span> proxy_connect_timeout 600<span class="p">;</span> <span class="ln">31</span> proxy_read_timeout 600<span class="p">;</span> <span class="ln">32</span> proxy_send_timeout 600<span class="p">;</span> <span class="ln">33</span> <span class="o">}</span> <span class="ln">34</span><span class="o">}</span> </code></pre></div><p>The above setting accepts the following FQDNs.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>www.example.com <span class="ln">2</span>www.example.work </code></pre></div><p>because when developing on the local environment, some slightly different FQDN, <a href="http://www.example.work">www.example.work</a> in this case, is very useful for avoiding to modify the &quot;hosts file&quot; time and again. After accepting the request, NGINX transfers it to 30000 port on the localhost with some additional headers. The port should be changed depending on your target.</p> <p>Before running the above NGINX, I need to create a self-cert file. I'll create it with a simple docker image like this.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>FROM alpine:latest <span class="ln">2</span> <span class="ln">3</span>RUN apk update <span class="se">\ </span><span class="ln">4</span><span class="se"></span> <span class="o">&amp;&amp;</span> apk add --no-cache <span class="se">\ </span><span class="ln">5</span><span class="se"></span> openssl </code></pre></div><p>And then, create an OpenSSL setting file like this.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span><span class="o">[</span>req<span class="o">]</span> <span class="ln"> 2</span><span class="nv">default_bits</span> <span class="o">=</span> <span class="m">2048</span> <span class="ln"> 3</span><span class="nv">distinguished_name</span> <span class="o">=</span> req_distinguished_name <span class="ln"> 4</span><span class="nv">req_extensions</span> <span class="o">=</span> v3_req <span class="ln"> 5</span><span class="nv">x509_extensions</span> <span class="o">=</span> v3_ca <span class="ln"> 6</span><span class="nv">prompt</span> <span class="o">=</span> no <span class="ln"> 7</span> <span class="ln"> 8</span><span class="o">[</span> v3_ca <span class="o">]</span> <span class="ln"> 9</span><span class="nv">subjectKeyIdentifier</span> <span class="o">=</span> <span class="nb">hash</span> <span class="ln">10</span><span class="nv">authorityKeyIdentifier</span> <span class="o">=</span> keyid:always,issuer <span class="ln">11</span><span class="nv">basicConstraints</span> <span class="o">=</span> CA:FALSE <span class="ln">12</span> <span class="ln">13</span><span class="o">[</span> req_distinguished_name <span class="o">]</span> <span class="ln">14</span><span class="nv">countryName</span> <span class="o">=</span> JP <span class="ln">15</span><span class="nv">stateOrProvinceName</span> <span class="o">=</span> Tokyo <span class="ln">16</span><span class="nv">localityName</span> <span class="o">=</span> Shibuya <span class="ln">17</span><span class="nv">organizationName</span> <span class="o">=</span> Example Dot Com <span class="ln">18</span><span class="nv">organizationalUnitName</span> <span class="o">=</span> Infrastructure <span class="ln">19</span><span class="nv">commonName</span> <span class="o">=</span> example.com <span class="ln">20</span> <span class="ln">21</span><span class="o">[</span> v3_req <span class="o">]</span> <span class="ln">22</span><span class="c1"># Extensions to add to a certificate request</span> <span class="ln">23</span><span class="nv">basicConstraints</span> <span class="o">=</span> CA:FALSE <span class="ln">24</span><span class="nv">keyUsage</span> <span class="o">=</span> nonRepudiation, digitalSignature, keyEncipherment <span class="ln">25</span><span class="nv">extendedKeyUsage</span> <span class="o">=</span> clientAuth, serverAuth <span class="ln">26</span><span class="nv">subjectAltName</span> <span class="o">=</span> @alt_names <span class="ln">27</span> <span class="ln">28</span><span class="o">[</span> alt_names <span class="o">]</span> <span class="ln">29</span>DNS.1 <span class="o">=</span> localhost <span class="ln">30</span>DNS.2 <span class="o">=</span> example.com <span class="ln">31</span>DNS.3 <span class="o">=</span> *.example.com <span class="ln">32</span>DNS.4 <span class="o">=</span> example.work <span class="ln">33</span>DNS.5 <span class="o">=</span> *.example.work </code></pre></div><p>And then, create docker-entrypoint.sh to generate cert files with the above setting file.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span><span class="cp">#!/bin/ash </span><span class="ln"> 2</span><span class="cp"></span><span class="nv">dir</span><span class="o">=</span><span class="s2">&#34;/cert&#34;</span> <span class="ln"> 3</span><span class="nv">prefix</span><span class="o">=</span><span class="s2">&#34;any.example.com&#34;</span> <span class="ln"> 4</span><span class="nv">file_path_prefix</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">dir</span><span class="si">}</span><span class="s2">/</span><span class="si">${</span><span class="nv">prefix</span><span class="si">}</span><span class="s2">&#34;</span> <span class="ln"> 5</span> <span class="ln"> 6</span><span class="c1"># Output files</span> <span class="ln"> 7</span><span class="nv">intermediate_file</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">dir</span><span class="si">}</span><span class="s2">/dummy.cer&#34;</span> <span class="ln"> 8</span><span class="nv">cert_file</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">file_path_prefix</span><span class="si">}</span><span class="s2">.crt&#34;</span> <span class="ln"> 9</span><span class="nv">csr_file</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">file_path_prefix</span><span class="si">}</span><span class="s2">.csr&#34;</span> <span class="ln">10</span><span class="nv">key_file</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">file_path_prefix</span><span class="si">}</span><span class="s2">.key&#34;</span> <span class="ln">11</span><span class="nv">output_pem</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">file_path_prefix</span><span class="si">}</span><span class="s2">.pem&#34;</span> <span class="ln">12</span> <span class="ln">13</span><span class="k">if</span> <span class="o">[</span> ! -f <span class="nv">$output_pem</span> <span class="o">]</span><span class="p">;</span><span class="k">then</span> <span class="ln">14</span> <span class="c1"># Generate key and certificate files</span> <span class="ln">15</span> openssl req -sha256 -new -newkey rsa:4096 -days <span class="m">3650</span> -nodes -x509 <span class="se">\ </span><span class="ln">16</span><span class="se"></span> -extensions v3_req <span class="se">\ </span><span class="ln">17</span><span class="se"></span> -config /openssl.cnf <span class="se">\ </span><span class="ln">18</span><span class="se"></span> -keyout <span class="nv">$key_file</span> <span class="se">\ </span><span class="ln">19</span><span class="se"></span> -out <span class="nv">$cert_file</span> <span class="ln">20</span> <span class="ln">21</span> <span class="c1"># Generate dummy files</span> <span class="ln">22</span> touch <span class="nv">$csr_file</span> <span class="ln">23</span> touch <span class="nv">$intermediate_file</span> <span class="ln">24</span> <span class="ln">25</span> <span class="c1"># Gen integrated PEM file</span> <span class="ln">26</span> cat <span class="se">\ </span><span class="ln">27</span><span class="se"></span> <span class="nv">$cert_file</span> <span class="se">\ </span><span class="ln">28</span><span class="se"></span> <span class="nv">$intermediate_file</span> <span class="se">\ </span><span class="ln">29</span><span class="se"></span> <span class="nv">$key_file</span> <span class="se">\ </span><span class="ln">30</span><span class="se"></span> &gt; <span class="nv">$output_pem</span> <span class="ln">31</span><span class="k">else</span> <span class="ln">32</span> <span class="nb">echo</span> <span class="s2">&#34;Already existed.&#34;</span> <span class="ln">33</span><span class="k">fi</span> <span class="ln">34</span> <span class="ln">35</span><span class="c1"># Keep running</span> <span class="ln">36</span>tail -f /dev/null </code></pre></div><p>And then, create a docker-compose.yml to run the above 2 applications. Notice that it will use 80 and 443 ports so it’s necessary to quit in advance if some other application is using.</p> <div class="highlight"><pre class="chroma"><code class="language-yaml" data-lang="yaml"><span class="ln"> 1</span><span class="k">version</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;3.8&#39;</span><span class="w"> </span><span class="ln"> 2</span><span class="w"></span><span class="k">services</span><span class="p">:</span><span class="w"> </span><span class="ln"> 3</span><span class="w"> </span><span class="k">test-lb-nginx</span><span class="p">:</span><span class="w"> </span><span class="ln"> 4</span><span class="w"> </span><span class="k">image</span><span class="p">:</span><span class="w"> </span>nginx<span class="p">:</span>alpine<span class="w"> </span><span class="ln"> 5</span><span class="w"> </span><span class="k">restart</span><span class="p">:</span><span class="w"> </span>always<span class="w"> </span><span class="ln"> 6</span><span class="w"> </span><span class="k">container_name</span><span class="p">:</span><span class="w"> </span>dev-elb<span class="w"> </span><span class="ln"> 7</span><span class="w"> </span><span class="k">ports</span><span class="p">:</span><span class="w"> </span><span class="ln"> 8</span><span class="w"> </span>- <span class="m">80</span><span class="p">:</span><span class="m">80</span><span class="w"> </span><span class="ln"> 9</span><span class="w"> </span>- <span class="m">443</span><span class="p">:</span><span class="m">443</span><span class="w"> </span><span class="ln">10</span><span class="w"> </span><span class="k">volumes</span><span class="p">:</span><span class="w"> </span><span class="ln">11</span><span class="w"> </span>- ./docker/nginx/nginx.conf<span class="p">:</span>/etc/nginx/nginx.conf<span class="p">:</span>ro<span class="w"> </span><span class="ln">12</span><span class="w"> </span>- ./docker/nginx/conf.d<span class="p">:</span>/etc/nginx/conf.d<span class="p">:</span>rw<span class="w"> </span><span class="ln">13</span><span class="w"> </span>- ./docker/nginx/cert<span class="p">:</span>/usr/local/nginx/cert<span class="p">:</span>ro<span class="w"> </span><span class="ln">14</span><span class="w"> </span>- ./docker/nginx/cert<span class="p">:</span>/usr/share/nginx/html<span class="p">:</span>ro<span class="w"> </span><span class="ln">15</span><span class="w"> </span><span class="k">depends_on</span><span class="p">:</span><span class="w"> </span><span class="ln">16</span><span class="w"> </span>- gen-self-cert<span class="w"> </span><span class="ln">17</span><span class="w"> </span><span class="ln">18</span><span class="w"> </span><span class="k">gen-self-cert</span><span class="p">:</span><span class="w"> </span><span class="ln">19</span><span class="w"> </span><span class="k">build</span><span class="p">:</span><span class="w"> </span><span class="ln">20</span><span class="w"> </span><span class="k">context</span><span class="p">:</span><span class="w"> </span>./docker/self_cert<span class="w"> </span><span class="ln">21</span><span class="w"> </span><span class="k">restart</span><span class="p">:</span><span class="w"> </span>always<span class="w"> </span><span class="ln">22</span><span class="w"> </span><span class="k">container_name</span><span class="p">:</span><span class="w"> </span>gen-cert<span class="w"> </span><span class="ln">23</span><span class="w"> </span><span class="k">volumes</span><span class="p">:</span><span class="w"> </span><span class="ln">24</span><span class="w"> </span>- ./docker/self_cert/docker-entrypoint.sh<span class="p">:</span>/docker-entrypoint.sh<span class="p">:</span>ro<span class="w"> </span><span class="ln">25</span><span class="w"> </span>- ./docker/self_cert/openssl.cnf<span class="p">:</span>/openssl.cnf<span class="p">:</span>ro<span class="w"> </span><span class="ln">26</span><span class="w"> </span>- ./docker/nginx/cert<span class="p">:</span>/cert<span class="w"> </span><span class="ln">27</span><span class="w"> </span><span class="k">entrypoint</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/docker-entrypoint.sh&#34;</span><span class="w"> </span></code></pre></div><p>And run with the following command.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln">1</span>$ docker-compose up -d </code></pre></div><p>Access https://127.0.0.1/any.example.com.pem to get the generated cert file and then it should be imported to the system. (The way to import is different it depends on your OS)</p> <p>Before accessing the above containers, it's necessary to add some FQDNs which I want to test like this.</p> <div class="highlight"><pre class="chroma"><code class="language-text" data-lang="text"><span class="ln">1</span>127.0.0.1 www.example.work </code></pre></div><p>Finally, it's possible to get access by the following URL without specifying port via HTTPS. <a href="https://www.example.work/">https://www.example.work/</a></p> https://takac.dev/whats-good-docker-image-tag/ Sun, 04 Oct 2020 01:11:00 +0900 https://takac.dev/whats-good-docker-image-tag/ <p>In my opinion, and based on the experiences that I've operated our Kubernetes cluster on AWS EKS for my company's service, docker image tag should be date string like &quot;yyyymmddHHMMSS&quot;. So, let me share why I'm thinking about it.</p> <p>I know that most of the docker images of open source software like NGINX, MySQL, Go, PHP are version numbers or combined with base image names like Debian, Alpine. That’s why at first I put version number like &quot;appname:1.0&quot; but I realize that it’s not good because of the following reasons</p> <ul> <li>Hard to understand when the currently running image was built</li> <li>Need to concern about versioning rule when building the image</li> <li>When using CI/CD pipeline, need to define the version numbering rule in advance</li> <li>If somebody put a version manually, there's a possibility to make a mistake</li> </ul> <p>So, I came up with using a date string as a tag. For example, if the current date and time is 20/Sep/2020 12:30 I put the &quot;test-app:202009201230&quot; tag to the image. But it's bothering to put it manually, so I make a script like this.</p> <div class="highlight"><pre class="chroma"><code class="language-bash" data-lang="bash"><span class="ln"> 1</span><span class="cp">#!/bin/bash </span><span class="ln"> 2</span><span class="cp"></span><span class="nb">export</span> <span class="nv">DOCKER_BUILDKIT</span><span class="o">=</span><span class="m">1</span> <span class="ln"> 3</span><span class="nv">ECR_FQDN</span><span class="o">=</span><span class="s1">&#39;000000000000.dkr.ecr.us-west-2.amazonaws.com&#39;</span> <span class="ln"> 4</span><span class="nv">VER_DATE</span><span class="o">=</span><span class="sb">`</span>date <span class="s1">&#39;+%Y%m%d%H%M&#39;</span><span class="sb">`</span> <span class="ln"> 5</span><span class="nv">APP</span><span class="o">=</span><span class="s1">&#39;test-app&#39;</span> <span class="ln"> 6</span><span class="nv">TAG</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">ECR_FQDN</span><span class="si">}</span><span class="s2">/</span><span class="si">${</span><span class="nv">APP</span><span class="si">}</span><span class="s2">:</span><span class="si">${</span><span class="nv">VER_DATE</span><span class="si">}</span><span class="s2">&#34;</span> <span class="ln"> 7</span> <span class="ln"> 8</span>docker build -t <span class="nv">$TAG</span> . <span class="se">\ </span><span class="ln"> 9</span><span class="se"></span><span class="o">&amp;&amp;</span> docker push <span class="nv">$TAG</span> <span class="se">\ </span><span class="ln">10</span><span class="se"></span><span class="o">&amp;&amp;</span> sed -i <span class="s2">&#34;s;\(image: \).*;\1</span><span class="si">${</span><span class="nv">TAG</span><span class="si">}</span><span class="s2">;g&#34;</span> ./deployment_prod.yml </code></pre></div><p>Of course, it depends on the projects, if its release version is managed very strictly, the version number will be good for the tag. But the project is updated and released frequently, I think the date string is better. Also, I usually avoid using the &quot;latest&quot; tag because it's hard to grasp which version is running now. The other problem of the &quot;latest&quot; tag is when I deploy on the Kubernetes cluster, it will not be a trigger to renew pods.</p>