devops
Table of Contents
- 1. Devops
- 1.1. Links
- 1.2. DORA
- 1.3. Tricks
- 1.4. systemd
- 1.5. tmux
- 1.6. ssh
- 1.7. wpa config
- 1.8. docker
- 1.9. vim
- 1.10. gcloud
- 1.11. kubernetes
- 1.12. ansible
- 1.13. nginx
- 1.14. iptables
- 1.15. swap
- 1.16. DevOps Engineer In Six Months or Less
- 1.17. DevOps Lessons from the Ski Industry
- 1.18. Devops (from Links)
- 1.19. Tips
- 1.20. Cheat Sheet Pdf
- 1.21. TCP over ICMP
- 1.22. Network routing
- 1.23. KVM
- 1.24. avahi for multicast DNS
1. Devops
1.1. Links
- A curated list of everything Cloud/Programming/Infra
- kahun/awesome-sysadmin: A curated list of amazingly awesome open source sysadmin resources
- https://crontab.guru https://cron.help
- Live kernel patching with kpatch -> update the kernel without rebooting
- Alternatives to top
- Fixing "Unable to correct problems, you have held broken packages"
- CLI File Browser
- Backendlore: backend setup from someone with experience
- 7 Database Paradigms
1.2. DORA
- The 2019 Accelerate State of DevOps: Elite performance, productivity, and scaling | Google Cloud Blog
  - Deployment frequency: how often an organization successfully releases to production
  - Lead time for changes: the amount of time it takes a commit to get into production
  - Change failure rate: the percentage of deployments that cause a failure in production
  - Time to restore service: how long it takes an organization to recover from a failure in production
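Computing the four metrics from deployment records, as an added Python example (it is not from these notes or from the Google Cloud report). The record layout, the sample data and the choice to measure restore time from the failing deployment are assumptions made here.

```python
"""Compute the four DORA metrics from constructed deployment records.

Added example; the record shape is an assumption: each deployment carries the
timestamps of the commits it shipped, whether it caused a production failure,
and, if so, when service was restored.
"""
from datetime import datetime
from statistics import median

# Constructed sample data: one week of deployments of a single service.
DEPLOYMENTS = [
    {"deployed_at": datetime(2024, 5, 6, 10, 0),
     "commits_at": [datetime(2024, 5, 6, 8, 0), datetime(2024, 5, 5, 16, 0)],
     "failed": False, "restored_at": None},
    {"deployed_at": datetime(2024, 5, 7, 15, 30),
     "commits_at": [datetime(2024, 5, 7, 14, 0)],
     "failed": True, "restored_at": datetime(2024, 5, 7, 16, 0)},
    {"deployed_at": datetime(2024, 5, 9, 9, 0),
     "commits_at": [datetime(2024, 5, 8, 12, 0), datetime(2024, 5, 9, 8, 30)],
     "failed": False, "restored_at": None},
    {"deployed_at": datetime(2024, 5, 10, 18, 0),
     "commits_at": [datetime(2024, 5, 10, 17, 0)],
     "failed": True, "restored_at": datetime(2024, 5, 10, 20, 0)},
]


def deployment_frequency(deployments, window_days):
    """Successful releases per day over the observation window."""
    return len(deployments) / window_days


def lead_time_for_changes(deployments):
    """Median hours from each commit to the deployment that shipped it."""
    hours = [(d["deployed_at"] - c).total_seconds() / 3600
             for d in deployments for c in d["commits_at"]]
    return median(hours)


def change_failure_rate(deployments):
    """Fraction of deployments that caused a production failure."""
    return sum(1 for d in deployments if d["failed"]) / len(deployments)


def time_to_restore(deployments):
    """Median hours from a failing deployment until service was restored."""
    hours = [(d["restored_at"] - d["deployed_at"]).total_seconds() / 3600
             for d in deployments if d["failed"]]
    return median(hours)


def dora_report(deployments, window_days=7):
    """All four metrics in one dict, so they can be exported to a dashboard."""
    return {
        "deployment_frequency_per_day": deployment_frequency(deployments, window_days),
        "lead_time_hours": lead_time_for_changes(deployments),
        "change_failure_rate": change_failure_rate(deployments),
        "time_to_restore_hours": time_to_restore(deployments),
    }


if __name__ == "__main__":
    for name, value in dora_report(DEPLOYMENTS).items():
        print(f"{name}: {value:.2f}")
```

Medians are used rather than means so one very old commit or one long outage does not dominate the figure; swap in `mean` if your organization reports averages.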
1.3. Tricks
- List the processes that prevent a filesystem from being unmounted
lsof | grep /path/to/mount/
fuser -ik -mv /path/to/mount/ # Lists which ones they are and interactively asks whether to kill them
- Secure erase on hard disks
- shred
- Load tests for a website
- 9 things to do in your first minutes on a Linux server
- apt dependencies
  - You can install a specific version with
    apt install paquete=version
  - When it tells you that
    libqt4-dbus : Depends: qdbus (= 4:4.8.5+git192-g085f851+dfsg-2ubuntu4) but it is not going to be installed
    -> you have to install that exact version. Do this recursively for each error it gives you
- Mount an ISO image
sudo mount -o loop image.iso /mnt
https://www.cyberciti.biz/tips/how-to-mount-iso-image-under-linux.html
https://www.reddit.com/r/linuxquestions/comments/uswcl5/warning_device_writeprotected_mounted_readonly/
An ISO will always be read-only. You can copy it somewhere else and use mkisofs to recreate a new, updated ISO with your changes.
1.4. systemd
1.5. tmux
1.6. ssh
1.7. wpa config
1.8. docker
1.9. vim
1.10. gcloud
docker build -t app_name -f Dockerfile .
docker tag app_name eu.gcr.io/<project_id>/app_name:1.2.3
docker push eu.gcr.io/<project_id>/app_name:1.2.3
kubectl delete -f app.yaml
kubectl apply -f app.yaml
gcloud components install kubectl
kubectl create secret generic credentials \
    --from-file=credentials.json=[KEY_FILE_PATH] # Service account JSON credentials
gcloud compute ssh --zone "europe-west1-b" "nombre-instancia" \
    --project "dlinnovacion" --tunnel-through-iap
Copy what the Logs Viewer shows; those filters are applied to
gcloud logging read 'timestamp >= "2020-04-20T19:00:00Z" AND timestamp <= "2020-04-21T09:00:00Z" AND resource.labels.container_name="<mycontainer>"' | grep 'textPayload' -A 2 | grep -v 'textPayload' | grep -v "\-\-"
- The AND cannot be lowercase
- gcp gcloud cheatsheet
1.10.1. Add a firewall rule
gcloud compute instances add-tags compute-engine-instance-name --tags=compute-engine-instance-name[,another-tag]
gcloud compute firewall-rules create compute-engine-instance-name --target-tags compute-engine-instance-name --source-ranges=0.0.0.0/0 --allow=tcp:8989 --no-disabled
1.11. kubernetes
kubectl create deployment
kubectl config set-context --current --namespace=NAMESPACE
kubectl delete -f app.yaml
kubectl apply -f app.yaml
kubectl logs <pod> <container>
kubectl describe pods --namespace=mynamespace
kubectl create job --from=cronjobs/name name-manual-$(date +%s)
- https://kubernetes.io/docs/reference/kubectl/cheatsheet/
- https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands
- https://blog.papertrailapp.com/how-to-live-tail-kubernetes-logs/
- how to run job only once -> use pods
- A visual guide on troubleshooting Kubernetes deployments
- https://kubernetesinpractice.com/
1.12. ansible
1.13. nginx
1.13.1. nginx reverse proxy
Redirect an app running at 127.0.0.1:8000 to 443
default.conf
server {
    listen 80;
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/key.pem;
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
docker run --name nginx-proxy -p 80:80 -p 443:443 -v $(pwd)/default.conf:/etc/nginx/conf.d/default.conf -v $(pwd)/cert.pem:/etc/nginx/cert.pem -v $(pwd)/key.pem:/etc/nginx/key.pem nginx
1.13.2. nginx dynamic dns
1.13.2.1. with redirection
http {
    lua_shared_dict target_ip 10m;
    server {
        listen 80;
        location /update {
            content_by_lua_block {
                local new_ip = ngx.var.arg_ip
                if new_ip then
                    ngx.shared.target_ip:set("ip", new_ip)
                    ngx.say("IP updated successfully to: " .. new_ip)
                else
                    ngx.status = ngx.HTTP_BAD_REQUEST
                    ngx.say("No IP provided")
                end
            }
        }
        location / {
            set $target_ip '';
            access_by_lua_block {
                local ip = ngx.shared.target_ip:get("ip")
                if ip then
                    ngx.var.target_ip = ip
                    return ngx.redirect("http://" .. ip, ngx.HTTP_MOVED_TEMPORARILY)
                else
                    ngx.status = ngx.HTTP_SERVICE_UNAVAILABLE
                    ngx.say("No target IP set")
                    ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
                end
            }
        }
    }
}
events {
    worker_connections 1024;
}
1.13.2.2. with proxy_pass
http {
    lua_shared_dict target_ip 10m;
    server {
        listen 80;
        location /update {
            content_by_lua_block {
                local new_ip = ngx.var.arg_ip
                if new_ip then
                    ngx.shared.target_ip:set("ip", new_ip)
                    ngx.say("IP updated successfully to: " .. new_ip)
                else
                    ngx.status = ngx.HTTP_BAD_REQUEST
                    ngx.say("No IP provided")
                end
            }
        }
        location / {
            set $target_ip '';
            access_by_lua_block {
                local ip = ngx.shared.target_ip:get("ip")
                if ip then
                    ngx.var.target_ip = ip
                else
                    ngx.status = ngx.HTTP_SERVICE_UNAVAILABLE
                    ngx.say("No target IP set")
                    ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
                end
            }
            proxy_pass http://$target_ip$request_uri;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
    # websockets
    server {
        listen 9090;
        location /update {
            content_by_lua_block {
                local new_ip = ngx.var.arg_ip
                if new_ip then
                    ngx.shared.target_ip:set("ip", new_ip)
                    ngx.say("IP updated successfully to: " .. new_ip)
                else
                    ngx.status = ngx.HTTP_BAD_REQUEST
                    ngx.say("No IP provided")
                end
            }
        }
        location / {
            set $target_ip '';
            access_by_lua_block {
                local ip = ngx.shared.target_ip:get("ip")
                if ip then
                    ngx.var.target_ip = ip
                else
                    ngx.status = ngx.HTTP_SERVICE_UNAVAILABLE
                    ngx.say("No target IP set")
                    ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
                end
            }
            proxy_pass http://$target_ip:9090$request_uri;
            proxy_set_header Host $host:9090;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
events {
    worker_connections 1024;
}
1.13.2.3. TODO add some more auth
local secret_key = "your_secret_key_here"
local provided_key = ngx.var.arg_key
local new_ip = ngx.var.arg_ip
if provided_key == secret_key then
    ngx.shared.target_ip:set("ip", new_ip)
    ngx.say("IP updated successfully")
else
    ngx.status = ngx.HTTP_FORBIDDEN
    ngx.say("Invalid secret key")
end
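What "some more auth" could look like for the /update endpoint, as an added Python example rather than the page's Lua: the snippet above compares the key with `==` and stores whatever `arg_ip` contains, so this version checks freshness, an HMAC over the parameters with a constant-time compare, single use of each signature, and that the value really is an IPv4 literal before it can be interpolated into `proxy_pass http://$target_ip...` or a redirect. The parameter names (`ip`, `ts`, `sig`), the `ip|ts` message format, the 300-second window and the sample secret are all assumptions; none come from the page. The same four checks can be ported into the `content_by_lua_block`.

```python
"""Authenticated, validated update logic for a dynamic-DNS /update endpoint.

Added example (not the page's code). Assumed protocol: the client sends ip,
ts (unix seconds) and sig = hex HMAC-SHA256 over "ip|ts" under a shared
secret. A request is valid for MAX_AGE seconds and each signature is honoured
once. Only IPv4 literals are stored, because the page's proxy_pass/redirect
templates interpolate the value without brackets and must never receive an
arbitrary hostname.
"""
import hashlib
import hmac
import ipaddress
import time

MAX_AGE = 300  # assumed validity window for a signed request, in seconds


def sign_update(secret, ip, ts):
    """Client side: hex HMAC-SHA256 over "ip|ts"."""
    return hmac.new(secret, f"{ip}|{ts}".encode(), hashlib.sha256).hexdigest()


class UpdateGuard:
    """Server-side state: shared secret, replay cache and the current target."""

    def __init__(self, secret):
        self.secret = secret
        self.seen = {}          # sig -> ts; in nginx this belongs in a shared dict
        self.target_ip = None   # what the page keeps in ngx.shared.target_ip

    def handle_update(self, params, now=None):
        """Return (http_status, body) for one /update request."""
        now = int(time.time()) if now is None else now
        # forget signatures whose window has already closed
        self.seen = {s: t for s, t in self.seen.items() if abs(now - t) <= MAX_AGE}

        ip, ts, sig = params.get("ip"), params.get("ts"), params.get("sig")
        if not (ip and ts and sig):
            return 400, "Missing ip, ts or sig"
        try:
            ts = int(ts)
        except ValueError:
            return 400, "Bad timestamp"
        # 1. freshness: stale or future-dated requests are refused before any crypto
        if abs(now - ts) > MAX_AGE:
            return 403, "Request expired"
        # 2. authenticity: constant-time compare, never == on a secret or a MAC
        expected = sign_update(self.secret, ip, ts)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return 403, "Invalid signature"
        # 3. replay: a signature inside its window is accepted only once
        if sig in self.seen:
            return 403, "Replayed request"
        # 4. shape: only an IPv4 literal may reach proxy_pass / ngx.redirect
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None
        if addr is None or addr.version != 4:
            return 400, "Not an IPv4 address"
        self.seen[sig] = ts
        self.target_ip = ip
        return 200, f"IP updated successfully to: {ip}"


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed; load from config in practice
    guard = UpdateGuard(secret)
    now = int(time.time())
    sig = sign_update(secret, "203.0.113.7", now)
    print(guard.handle_update({"ip": "203.0.113.7", "ts": str(now), "sig": sig}))
    print(guard.handle_update({"ip": "203.0.113.7", "ts": str(now), "sig": sig}))
```

The second call in the usage above is the same request replayed, so it is refused even though its signature verifies; the replay cache is bounded by `MAX_AGE`, so it stays small no matter how long the server runs.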
1.13.3. Server daemon & reload
nginx -g 'daemon on;'
nginx -s reload
1.14. iptables
man iptables
man iptables-extensions
iptables
  -t, --table <table>
  -A, --append <chain> <rule>
  -C, --check <chain> <rule>
  -D, --delete <chain> <rule>
  -F, --flush <chain>
  -L, --list <chain>
  -S, --list-rules <chain>
1.14.1. Tables (chains in processing order)
- filter (default)
  * INPUT
  * FORWARD
  * OUTPUT
- nat
  * PREROUTING
  * OUTPUT
  * POSTROUTING
- mangle: has all the chains of filter and nat; used for specialized packet alteration (modifies TCP)
- raw (high priority, modifies before everything else)
  * PREROUTING
  * INPUT
- security (SELinux)
  * INPUT
  * FORWARD
  * OUTPUT
1.14.2. Targets
-j, --jump <target>
- ACCEPT
- DROP (returns nothing by default)
- REJECT (returns ICMP unreachable/prohibited)
- REDIRECT
- DNAT
- SNAT
1.15. swap
https://wiki.archlinux.org/title/swap
mkswap -U clear --size 4G --file /swapfile
swapon /swapfile
If you are on an older version of mkswap:
# Create a 4GB file for the swap
fallocate -l 4G /swapfile
# Alternatively, using dd if fallocate is not available
# dd if=/dev/zero of=/swapfile bs=1M count=4096
# Set the correct permissions
chmod 600 /swapfile
# Create the swap area in the file
mkswap /swapfile
# Activate the swap file
swapon /swapfile
# To make the change persistent, add the following line to /etc/fstab
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
1.16. DevOps Engineer In Six Months or Less
1.17. DevOps Lessons from the Ski Industry
1.17.1. Engage Your Users
- Ski patrol spends every morning marking and re-marking trail boundaries, difficulties, trees, stumps, cliffs and more (“Unmarked Obstacles Exist” signs). Solid documentation is essential for successful IT operations and breaking down DevOps silos
- Ski with a buddy: Where does cross-training and pairing rank on your team’s priority list?
- You can’t force your users to act wisely, but you can certainly help push them in the right direction -> a variety of seasonal and year-round safety awareness programs. When’s the last time your organization has had a meaningful security education campaign for ops, developers, or end-users?
1.17.2. Incidents Happen
- Communications: Equipped with two-way radios, the Lift Operations team was able to notify Ski Patrol within moments of the incident. Does your incident escalation system (Slack/PagerDuty/email/etc.) allow you to get the right stakeholders involved, immediately? Do you truly communicate honestly with end-users during an incident?
- Life Safety Skills: Ski Patrol are all trained EMTs, and most have decades of emergency medical, avalanche, and mountaineering experience. Does your on-call team have the training and access to production they truly need to mitigate real-time issues?
- Lift Evacuation: If a tree falls in the woods, on a lift cable, can you hear it? No matter why the lift is disabled, Ski Patrol has several methods to get guests to the ground safely. In the Teller incident, does your team know how to handle rollbacks? What about dealing with data corruption?
- Today’s lift systems are loaded with sensors that can automatically stop the lift in case of critical component failure or tower derailment. Newer lifts have four independent braking systems and hundreds of safety sensors and controls. What unexpected single points of failure exist in your critical environment? DNS, TLS Certificates, and even “HA” databases are often a surprise.
1.17.3. Like it or not, you’re Testing In Production!
- Do you have the observability necessary to know when things start to
go wrong in production before it impacts your users? Is time spent on
non-production environments impacting what gets done in production?
Does your team understand the risk that various production
experiments pose?
1.18. Devops (from Links)
1.18.1. Faun
https://faun.dev/ -> chat/forum with devops people
1.18.2. Overengineering
1.18.2.1. YAGNI, cargo cult and overengineering
1.18.2.2. How much engineering does my project need?
1.18.3. Architecture by diagrams
1.18.4. 7 Great Websites to Learn New Tech Skills
“7 Great Websites to Learn New Tech Skills” by Michael Vinh Xuan Thanh
https://link.medium.com/6XGAFMClf5
1.18.5. Tendencias
1.18.5.1. Docker vs containerd
1.18.5.2. The Roadmap To DevOps Developer for 2021 (List of Tools)
1.18.6. Advice to myself as dev
1.18.7. The codeless code
Fables about code http://thecodelesscode.com/contents
1.18.7.1. Overengineering can kill your product - Mind the Product
1.19. Tips
- What matters is to first have one environment with all the data right (not perfect) and then push that data to the rest of the environments, instead of trying to merge data from many environments in complicated ways
- Metaprogramming (code that generates code) is best avoided when you are about to make a major change. You can generate the code and run that instead of running the code that runs the code, and you skip the intermediate steps
1.20. Cheat Sheet Pdf
Opinionated cheatsheet
sk3pp3r/cheat-sheet-pdf: 📜 A Cheat-Sheet Collection from the WWW
- nginx
- docker
- ansible
- python
- go
- git
- regular expressions
- powershell
- vim
- jenkins
- CI/CD
- Kubernetes
- Linux
- redis
- Slack
- GCloud
- AI, Neural Networks, Machine Learning, Deep Learning & Data Science
- PostgreSQL
- AJAX
- AWS
1.21. TCP over ICMP
1.22. Network routing
- nftables
  iptables-translate converts from iptables to nftables
- tc: traffic control, limit bandwidth, simulate delays, stress test with poor connectivity
https://serverfault.com/questions/453254/routing-between-two-networks-on-linux
# Edit /etc/sysctl.conf or $ echo 1 >> /proc/sys/net/ipv4/ip_forward
net.ipv4.ip_forward=1

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# We allow traffic from the LAN side
iptables -A INPUT -i eth0 -j ACCEPT

######################################################################
#
# ROUTING
#
######################################################################

# eth0 is LAN
# eth1 is WAN

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# forwarding
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
1.24. avahi for multicast DNS
- https://wiki.archlinux.org/title/avahi#systemd-resolved_prevents_nss-mdns_from_working
https://unix.stackexchange.com/questions/43762/how-do-i-get-to-use-local-hostnames-with-arch-linux
Change the line (in /etc/nsswitch.conf)
hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
to
hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
then save and exit. The mdns_minimal service handles .local lookups and must be added before resolve and dns.
avahi-browse -art
It does not work if you have the firewall enabled!
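A check for the ordering rule above (mdns_minimal before resolve and dns on the hosts: line), as an added Python example that is not part of these notes. It parses the hosts: line of an nsswitch.conf text, skipping `[action]` specs, and reports what would stop .local lookups from reaching mdns_minimal; the two sample lines are the ones quoted above. It cannot detect the firewall problem, which has to be checked separately.

```python
"""Lint the hosts: line of nsswitch.conf for nss-mdns ordering.

Added example, not from the notes. Only the hosts: line is inspected; action
specs such as [NOTFOUND=return] are skipped when ordering services.
"""


def hosts_services(nsswitch_text):
    """Return the service names on the hosts: line, in order, without [action] specs."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("hosts:"):
            tokens = line[len("hosts:"):].split()
            return [t for t in tokens if not t.startswith("[")]
    return []


def check_mdns_order(nsswitch_text):
    """Return a list of problems; an empty list means .local lookups reach mdns_minimal first."""
    services = hosts_services(nsswitch_text)
    if not services:
        return ["no hosts: line found"]
    if "mdns_minimal" not in services:
        return ["mdns_minimal missing from hosts: line"]
    pos = services.index("mdns_minimal")
    return [f"{later} comes before mdns_minimal"
            for later in ("resolve", "dns")
            if later in services and services.index(later) < pos]


# Constructed samples: the line before and after the edit described above.
BEFORE = "hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns\n"
AFTER = "hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_mdns_order(text) or "ok")
    # On a real host: check_mdns_order(open("/etc/nsswitch.conf").read())
```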