SysAdmin | Luis Cacho

cURL to a specific target hostname

Fri, 23 Jun 2023 00:00:00 +0000

# Mockup command
curl -kv -H "Host: <target hostname>" <protocol>://<server ip address>:<port>

# Example command
curl -kv -H "Host: myapp.apps.example.com" https://152.10.10.1:443

Fix a borg lock issue

Fri, 23 Jun 2023 00:00:00 +0000

When you get the error:

# Example command

# ERROR output
borg info ssh://asdbqw55@a3rbqwrx.repo.borg.com/./repo
Enter passphrase for key ssh://asdbqw55@a3rbqwrx.repo.borg.com/./repo:
Failed to create/acquire the lock /Users/lcacho/.cache/borg/34961807af9e356640e09e9973ef4664598ee6706e4c2bccc4b2770c15e09d2b/lock.exclusive (timeout).

# Fix
borg break-lock ssh://asdbqw55@a3rbqwrx.repo.borg.com/./repo

References:

¹ Borg Break Lock

https://borgbackup.readthedocs.io/en/stable/usage/lock.html#borg-break-lock ↩︎

Python Alternatives in RHEL based OS

Thu, 22 Jun 2023 00:00:00 +0000

# To configure the unversioned `python` command to Python 3.11

alternatives --set python /usr/bin/python3.11

# To configure the unversioned `python` command to Python 2

alternatives --set python /usr/bin/python2

References:

¹Configure python on RHEL8

https://access.redhat.com/solutions/5380941 ↩︎

Change the field separator in awk

Thu, 19 Aug 2021 00:00:00 +0000

awk -F ":" '{print $1}'

# or if you want to do it programatically

awk 'BEGIN { FS=":" } { print $1 }'

# or you can also use a regular expression as a field separator.
# The following will print "bar" by using a regular expression to set the number "10" as a separator.

echo "foo 10 bar" | awk -F'[0-9][0-9]' '{print $2}'

MySQL Database Size

Fri, 06 Aug 2021 00:00:00 +0000

SELECT table_schema AS "Database",
ROUND(SUM(data_length + index_length) / 1024 / 1024, 2) AS "Size (MB)"
FROM information_schema.TABLES
GROUP BY table_schema;

AIX Tunning commands

Sun, 01 Aug 2021 00:00:00 +0000

no -a > no.txt
vmo -L > vmo.txt
ioo -L > ioo.txt

My journey to become CKA and CKAD

Thu, 26 Nov 2020 00:00:00 +0000

Hi, people that read me!

I usually don’t write about my achievements. Still, I’m proud of what I did, and in this post I want to share my journey to that back in July I passed two essential certifications for me, the CKA (Certified Kubernetes Administrator) and the CKAD (Certified Kubernetes Application Developer). Those certs are important to me because one of my professional goals is to apply all my knowledge as an SRE (Site Reliabilty Engineer), so I’m putting all my effort to get trained and gain experience as I believe that Kubernetes is and will continue to be widely used by the industry I want to be part of that.

I put a lot of hours/practice on my study lately, but my journey started probably 3 years ago, or even more time (don’t remember exacly). Still, I remember that I become interested when I was talking with my friends @yazpik and @tonyskapunk about the new stuff that is comming on tech, by that time they were running a Kubernetes Meetup at the Castle and I started to assist to each meetup.

Being honest, at the begginning, I barely understand all the concepts and projects that the speakers were talking about but once I started to get involved reading blog posts, practicing (Yeah I did the ‘Kubernetes the Hard way’ on minikube), also began to follow and test other exciting projects like Rancher. So after a while, I started to understand better what the speaker was trying to communicate. And that helps me a lot to understand not only the basics but some good projects that work in conjunction with Kubernetes.

With all the meetings that were held on Rackspace I get involved and I wanted to keep learning more so, I decided to assist to Kubecon North America 2018 that was held on Seattle, and I like to think that this set of conferences opened my mind for all the Kubernetes environment, and I feel that I need to keep learning even more about this awesome technology, that keeps me motivated to get my certifications too, in a nutshell I feel inspired about the conferences, the comunity, everything and I want to be part of it.

Talking about community, in that kubecon I met with some Latin-American friends that were interested in Kubernetes like @domix, @marKox,both from México, and @EdduMelendez from Peru, that from their trenches they are trying to grow the Kubernetes community on Spanish.

Mexicanos in Kubecon 2018

But returning to my certifications path, after a while I decided that I will have the certs by the end on this year, so back in March I get more serious studying and purchased the excellent course Certified Kubernetes Administrator (CKA) with Practice Tests a course by Mumshad Mannambeth that I highly recommend to reinforce the theory and also, becasue includes exercises similar to the exam that you can practice.

Once I feelt confident in me and my knowledge I get my coupon to present the CKA exam, and I passed!

My CKA Certification

I need tell you, it wasn’t easy, mostly because you need to be careful with the time/value of the questions and you need to weigh to reach the passing score, for this exam it was 74%.

Of course after I get the CKA certitification, I was super happy but on my train of thoughts, I keep thinking that I can use the CKA study as leverage to get the CKAD.

I already have the fundamentals of a CKA and just need some extra study to complement the CKAD curriculum, so I got commited (my wife too), and right away I got my CKAD exam coupon and I scheduled the test 2 weeks appart after I decided to get the cert (That’s 3 weeks appart after I took the CKA exam).

My approach works, I passed the CKAD certification!

My CKAD Certification

Now that I’m certified on Kubernetes I will look to be more involved in Cloud Native initiatives on my company, to apply the knowledge that I already have on current or new projects, and as always keep learning!

Backing Up a Ruckus Switch Config

Sat, 21 Nov 2020 00:00:00 +0000

I want to do some changes on my home network to improve the performance, so I will implement VLANs on my network. But before I do that I want to document how to perform a backup of my Ruckus ICX 7150 Switch.

In a past post I mentioned how to enable ssh and web cofiguration on the Ruckus switch, so my first attemtp was to download the configuration file from the web interface but unfortunately it is not possible to do it, there is not an option for that. What I did is go to the documentation and found the copy command but I need a TFTP server to be able to download the backup file.

Let’s start!

Install a TFTP server - This is easy will depend on your Operative System, for my is an ArchLinux laptop.
```
yay -Sy atftp
```
The configuration file for atftp is /etc/conf.d/atftpd

Next step, is login on your Ruckus switch and perform the copy command:

ssh <USER>@<SWITCH-IP>
copy running-config tftp <TFTP-SERVER-IP> myconfig.cfg

#In my case is:
ssh ruckus@192.168.50.5
copy running-config tftp 192.168.50.4 myconfig.cfg

Verify that the file is on your TFTP server, by default, the configured directory for atftp is /srv/atftp/ so you should go that location and verify that the generated file is created.
```
cd /srv/atftp
ls -la
```

That’s all, you can restore your switch configuration if needed.

Bye!

Gestion de History

Tue, 03 Dec 2019 00:00:00 +0000

Table of Contents

El archivo de logs histórico (history) tiene varias opciones que podemos cambiar para tener un mejor control del mismo. Aquí vamos a ver algunas opciones para el control y gestión del fichero del log histórico (history).

Mostrar la fecha y hora de cuando escribimos comandos

Para mostrar la fecha y hora en el formato que requieras puedes agregas las lineas siguientes:

export HISTTIMEFORMAT='- %F %T - '

Control del tamaño del archivo de logs histórico

Tenemos dos variables de entorno para ello, HISTSIZE y HISTFILESIZE, que indican el tamaño del fichero, por ejemplo:

HISTSIZE=1000
HISTFILESIZE=1000

Con esto hacemos que el tamaño máximo del fichero de logs histórico sea de 1000 comandos o líneas.

Si ponemos el tamaño de la variable HISTSIZE a cero hacemos que no se guarde nada en el archivo de logs histórico

export HISTSIZE=0

Control de duplicados en el histórico

En el log histórico se van guardando TODOS los comandos que se van introduciendo aunque repitamos 20 veces el mismo comando, se guardará 20 veces, lo cual es en ocasiones una perdida de espacio. Por lo que podemos usar la variable HISTCONTROL para hacer 2 cosas:

Eliminar los duplicados consecutivos con ignoredups.
Eliminar los duplicados sean o no consecutivos con erasedups.

HISTCONTROL=ignoredups
HISTCONTROL=erasedups

Path para guardar el archivo de logs histórico

Por defecto el histórico se guarda en ~/.bash_history pero podemos indicar donde guardarlo con la variable HISTFILE.

HISTFILE=~/.bitacora.

Un truco muy bueno cuando en un mismo servidor entran varios administradores que se pasan a root y poder controlar y guardar que hace cada uno es: Guardar un archivo de logs histórico por cada uno de ellos. Lo puedes hacer de la siguiente forma:

HISTSIZE=5000
HISTFILESIZE=5000
HISTFILE=/root/.bash_hist-$(who am i | awk '{print $1}';exit)

Con esto se guardará en el home de del usuario root un archivo de logs histórico por cada uno de los usuarios que se hayan pasado a root. El tamaño se puede ampliar o reducir a gusto. También podemos poner que ignore duplicados.

Todas estas variables debemos ponerlas en un archivo donde se activen al arranque que puede ser ~/.bashrc.

Espero les sea útilidad.

😄

Docker Login the Right Way

Wed, 15 May 2019 00:00:00 +0000

Table of Contents

Hi again!

It is been a while since I wrote something here, as always, there is no much time for a hobby.

I’ve been working for a while with docker, not a production level, but for some applications that I use at work. And since the Docker Hub Data breach I put more atention on the security of my data/credentials, so I investigate a little about and found this official repository https://github.com/docker/docker-credential-helpers/ from Docker where are the supported credential helpers.

Credential Store

Docker keeps our credentials saved on a JSON file located on ~/.docker/config.json, but unfortunatelly credentials are just encrypted on base64, here is an articule/video where there is an explanation for the why it is a bad idea to just use base64 encryption.

The following is a diagram on how a plain text storage works:

Plain Text Storage

Here is an example on how ~/.docker/config.json looks like when is using plain text credentials:

cat ~/.docker/config.json
{
 "auths": {
 "https://index.docker.io/v1/": {
 "auth": "azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo="
 },
 "quay.io": {
 "auth": "azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo="
 }
 },
 "HttpHeaders": {
 "User-Agent": "Docker-Client/18.09.6 (linux)"
 }
}

After a successful docker login command, Docker stores a base64 encoded string from the concatenation of the username, a colon, and the password and associates this string to the registry the user is logging into:

$ echo azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo= | base64 -d -
luiscachog:supersecretpassword

A docker logout command removes the entry from the JSON file for the given registry:

$ docker logout quay.io
Remove login credentials for quay.io

$ cat ~/.docker/config.json
{
 "auths": {
 "https://index.docker.io/v1/": {
 "auth": "azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo="
 }
 },
 "HttpHeaders": {
 "User-Agent": "Docker-Client/18.09.6 (linux)"
 }
}

Docker Credential Helpers

Since docker version 1.11 implements support from an external credential store for registry authentication. That means we can use a native keychain of the OS. Using an external store is more secure than storing on a “plain text” Docker configuration file.

Secure Storage

In order to use a external credential store, we need a program to interact with.

The actual list of “official” Docker Credential Helper is:

docker-credential-osxkeychain: Provides a helper to use the OS X keychain as credentials store.
docker-credential-secretservice: Provides a helper to use the D-Bus secret service as credentials store.
docker-credential-wincred: Provides a helper to use Windows credentials manager as store.
docker-credential-pass: Provides a helper to use pass as credentials store.

docker-credential-secret service

On this post we will explore the docker-credential-secretservice and how to configure it.

We need to download and install the helper. You can find the lastest release on https://github.com/docker/docker-credential-helpers/releases. Download it, extract it and make it executable.

wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.2/docker-credential-secretservice-v0.6.2-amd64.tar.gz
tar -xf docker-credential-secretservice-v0.6.2-amd64.tar.gz
chmod +x docker-credential-secretservice
sudo mv docker-credential-secretservice /usr/local/bin/

Then, we need to specify the credential store in the file ~/.docker/config.json to tell docker to use it. The value must be the one after the prefix docker-credential-. In this case:
```
{
 "credsStore": "secretservice"
}
```
To facilite the configuration and do not make mistakes, you can run:
```
sed -i '0,/{/s/{/{\n\t"credsStore": "secretservice",/' ~/.docker/config.json
```

From now we are uning an external store, so if you are currently logged in, you must run docker logout to remove the credentials from the file and run docker login tostart using the new ones.

Let me know how this works for you.

References:

Docker Credential Helpers repository¹
Docker Credential Store Documentation²
Slides about this topic ³

Bulk Delete Rackspace Cloud Files data via API

Wed, 13 Feb 2019 00:00:00 +0000

Sometimes it is necessary to delete all the content of the Cloud Files containers, however, the API does not have a proper method to delete the data and the containers on the same API call. Also, accoring to the documentation, you can only delete empty containers.

So, in cases where you need to delete the data and the containers at the same time, you should follow the next steps:

Download Turbolift, I know it is an old tool.

git clone https://github.com/cloudnull/turbolift
cd turbolift

In order to get and isolated installation, we are going to create a Python Virtual Environment (virtualenv)
```
mkvirtualenv turbolift
workon turbolift
```
Install the tool
```
pip install turbolift
```

Now, prior to start to play with the API calls, we need to grab some data to authenticate with the API:

Variable	Definition
USERNAME	This is the Rackspace Public Cloud username
APIKEY	This is your API-KEY
REGION	This is the Region where the Cloud Files are located (dfw, ord, iad, lon, hkg)
TOKEN	The TOKEN is generated after you get authenticated
ENDPOINT	This ENDPOINT is given also after you get authenticated

Next step, we are going to use cURL, to perform all the API calls:

First of all, get the TOKEN:

USERNAME=YOUR-USERNAME
APIKEY=YOUR-APIKEY
TOKEN=$(curl -s -XPOST https://identity.api.rackspacecloud.com/v2.0/tokens \
 -d'{"auth":{"RAX-KSKEY:apiKeyCredentials":{"username":"'$USERNAME'","apiKey":"'$APIKEY'"}}}' \
 -H"Content-type:application/json" | jq '.access.token.id' | tr -d "\"")

Next step, get the ENDPOINT:

ENDPOINT=$(curl -s -XPOST https://identity.api.rackspacecloud.com/v2.0/tokens \
 -d'{"auth":{"RAX-KSKEY:apiKeyCredentials":{"username":"'$CL_USERNAME'","apiKey":"'$APIKEY'"}}}' \
 -H"Content-type:application/json" | jq '.access.serviceCatalog[] | select((.name=="cloudFiles") or (.name=="cloudFilesCDN")) | {name} + .
 endpoints[] | .publicURL' | tr -d "\"" | grep -v cdn | grep -i $REGION)

In this case we are skipping all te CDN endpoints, but you can add them if is necessary.

With all the collected data, next step is use turbolift to delete the Cloud Files container and their data. To do it, I use a for-loop:

for i in $(curl -s -H "X-Auth-Token: $TOKEN" $ENDPOINT); do turbolift -u $USERNAME -a $APIKEY --os-rax-auth $REGION delete -c $i ; done

Now, you have all the Data and Cloud Files containers deleted on one region.

😄

Configure SSH on a Ruckus Switch

Tue, 20 Nov 2018 00:00:00 +0000

I just have a Ruckus ICX 7150 Switch on my home and I’m trying to get access under ssh and web, to easy configuration and security instead of use telnet. So, I logged in using telnet and then run the following commands to configure a username/password and begin to receive petitions over port 22(ssh) and port 443(https). Let’s begin!

We will connect via telnet to the switch.
```
telnet SWITCH_IP
```

Once we are on the Switch CLI as a optional step, we can configure an IP on the switch.

device> enable
device# configure terminal
device(config)# ip address IP_ADDRESS/CIDR
device(config)# ip default-gateway IP_GATEWAY

Now, the next steps are for generate a SSL certificate, a username/password, activate password to login and enable thw web access and ssh access.

device(config)# crypto-ssl certificate generate
device(config)# username USERNAME password PASSWORD
device(config)# aaa authentication login default local
device(config)# aaa authentication web-server default local

It may take several minutes to generate the certificate key. After that, save the configuration.
```
device(config)# write memory
```

Now you are able to login on your switch using ssh or web.

References:

Blog with ruckus commands ¹

Ruckus ICX7150-C12P – Initial Configuration ↩︎

Set a hugo blog on Kubernetes

Mon, 18 Jun 2018 00:00:00 +0000

Table of Contents

Overview

Since last year I been trying to become an SRE (Site Reliability Engineer), so I been involved with some emerging technologies, like ansible, docker and on this time with kubernetes.

This time, I will try to explain how I containerized my blog using:

Architecture

So, I take some ideas from here and I modify them and adapt the architecture described to my options.

The principal changes that I made are:

My Kubernetes cluster is running on 2 cloud server on Rackspace Public Cloud
The container registry that I’m using is Quay
Rackspace Public Cloud does not support a Kubernetes LoadBalancer service automatically, so I simulate that behavior adding a Cloud Load Balancer manually after the Kubernetes service provide me the port.

Architecture

Containerized

I use Hugo to deploy my blog, I used to do it as mentioned on this previous post (In Spanish).

Now, as a part of containerize the blog it make sense to me to create two stages as described here:

The first stage is a defined build environment containing all required build tools (hugo, pygments) and the source of the website (Git repository).
The second stage is the build artifact (HTML and assets), from the first stage and a webserver to serve the artifact over HTTP.

Dockerfile

Here is the Dockerfile that containerize the blog:

FROM ubuntu:latest as STAGEONE

# install hugo
ENV HUGO_VERSION=0.41
ADD https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_${HUGO_VERSION}_Linux-64bit.tar.gz /tmp/
RUN tar -xf /tmp/hugo_${HUGO_VERSION}_Linux-64bit.tar.gz -C /usr/local/bin/

# install syntax highlighting
RUN apt-get update
RUN apt-get install -y python3-pygments

# build site
COPY source /source
RUN hugo --source=/source/ --destination=/public/

FROM nginx:stable-alpine
RUN apk --update add curl bash
RUN rm /etc/nginx/conf.d/default.conf
COPY modules/nginx.luiscachog.io.conf /etc/nginx/conf.d/luiscachog.io.conf
COPY --from=STAGEONE /public/ /usr/share/nginx/html/
EXPOSE 80 443

MAINTAINER Luis Cacho <luiscachog@gmail.com>

First Stage

Fetch the lastest Ubuntu image and name as STAGEONE
Install the last available hugo version from source.
Install pygments library to use it for highlighting.
Build the site with hugo and the output is set on /public as a build artifact.

Second Stage

Fetch the lastest stable nginx alpine image.
Update the image and install some utilities.
Delete the default nginx configuration file.
Copy the configuration files needed from the repository root directory.
Copy the build artifact /public from the previous stage (STAGEONE)

My First Contribution to OpenStack project

Thu, 15 Mar 2018 00:00:00 +0000

I been working since last year using Ansible for fun and to trying to get prepared to become a DevOps, so I found an excelent OpenStack project called ARA Records Ansible.

Ansible Logo

ARA Logo

Basically it is a project from the OpenStack community that makes it easier to understand and troubleshoot your Ansible roles and playbooks. If you want more information, please refer to the Documentation Page.

Anyhow, I just found a little bug on the Ansible Role to install ARA ansible-role-ara on Debian based distros and just send the patch to fix it.

Here is the link to my contribution.

And, as I am proud of my first commit on a big project here is the screenshot too:

My First OpenStack Contribution

I feel happy and motivated to still learn about this Open-Source project and a lot more.

😄

Improve WD MyCloud performance

Fri, 16 Feb 2018 00:00:00 +0000

I’ve just noticed that my NAS a Western Digital My Cloud EX2 is going slower, so I decided to investigate about what can I do to improve its performance.

I assume that you already configure ssh on your NAS device. If is not configured you can follow the next instructions: https://support-en.wd.com/app/answers/detailweb/a_id/12861

Stop Indexing Services

/etc/init.d/wdmcserver stop
/etc/init.d/wdphotodbmerger stop

To do it forever, you should create the cronjob as:

crontab -e

And add the following lines:

@reboot /bin/sh /etc/init.d/wdmcserverd stop
@reboot /bin/sh /etc/init.d/wdphotodbmerger stop

References:

Western Digital knowledge base link¹

How to enable SSH (Secure Shell) on a My Cloud EX2 device ↩︎

SysAdmin | Luis Cacho

cURL to a specific target hostname

Fix a borg lock issue

Python Alternatives in RHEL based OS

Change the field separator in awk

MySQL Database Size

AIX Tunning commands

My journey to become CKA and CKAD

Backing Up a Ruckus Switch Config

Gestion de History

Mostrar la fecha y hora de cuando escribimos comandos

Control del tamaño del archivo de logs histórico

Control de duplicados en el histórico

Path para guardar el archivo de logs histórico

Docker Login the Right Way

Docker Login the right Way

Credential Store

Docker Credential Helpers

docker-credential-secret service

Bulk Delete Rackspace Cloud Files data via API

Configure SSH on a Ruckus Switch

Set a hugo blog on Kubernetes

Overview

Architecture

Containerized

Dockerfile

First Stage

Second Stage

My First Contribution to OpenStack project

Improve WD MyCloud performance

Stop Indexing Services