devops

Table of Contents

1. Devops

1.2. DORA

1.3. tricks

  1. list the processes that prevent a filesystem from being unmounted
      lsof | grep /path/to/mount/
      fuser -ik -mv /path/to/mount/  # lists which ones they are and interactively asks whether to kill them
    
  2. secure erasure on hard disks
    • shred
  3. load tests of a website
  4. 9 things to do in your first minutes on a Linux server
  5. apt dependencies
    • You can install a specific version with
      apt install paquete=version
    • When it tells you something like
      libqt4-dbus : Depends: qdbus (= 4:4.8.5+git192-g085f851+dfsg-2ubuntu4) but it is not going to be installed
      -> you have to install that exact version
    • Do this recursively for each error it gives you
  6. Mount an ISO image
    sudo mount -o loop image.iso /mnt
    

    https://www.cyberciti.biz/tips/how-to-mount-iso-image-under-linux.html

    https://www.reddit.com/r/linuxquestions/comments/uswcl5/warning_device_writeprotected_mounted_readonly/
    ISO will always be read-only. You can copy to another place and use mkisofs to recreate a new updated ISO with your changes.

1.4. systemd

1.5. tmux

1.6. ssh

1.7. wpa config

1.8. docker

1.9. vim

1.10. gcloud

  docker build -t app_name -f Dockerfile .
  docker tag app_name eu.gcr.io/<project_id>/app_name:1.2.3
  docker push eu.gcr.io/<project_id>/app_name:1.2.3
  kubectl delete -f app.yaml
  kubectl apply -f app.yaml
  gcloud components install kubectl
  kubectl create secret generic credentials \
      --from-file=credentials.json=[KEY_FILE_PATH] # service account JSON credentials
  gcloud compute ssh --zone "europe-west1-b" "nombre-instancia" \
      --project "dlinnovacion" --tunnel-through-iap

Copy the filter shown in the Logs Viewer; those filters are applied to

  gcloud logging read 'timestamp >= "2020-04-20T19:00:00Z" AND timestamp <= "2020-04-21T09:00:00Z" AND
  resource.labels.container_name="<mycontainer>"' | grep 'textPayload' -A 2 | grep -v 'textPayload' | grep -v "\-\-"

1.10.1. Add a firewall rule

  gcloud compute instances add-tags compute-engine-instance-name --tags=compute-engine-instance-name[,another-tag]
  gcloud compute firewall-rules create compute-engine-instance-name --target-tags compute-engine-instance-name --source-ranges=0.0.0.0/0 --allow=tcp:8989 --no-disabled

1.11. kubernetes

  kubectl create deployment
  kubectl config set-context --current --namespace=NAMESPACE
  kubectl delete -f app.yaml
  kubectl apply -f app.yaml
  kubectl logs <pod> <container>
  kubectl describe pods --namespace=mynamespace
  kubectl create job --from=cronjobs/name name-manual-$(date +%s)

1.12. ansible

1.13. nginx

1.13.1. nginx reverse proxy

Redirect an app running at 127.0.0.1:8000 to 443
default.conf

server {
    listen 80;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;

    ssl_certificate /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/key.pem;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
docker run --name nginx-proxy -p 80:80 -p 443:443 -v $(pwd)/default.conf:/etc/nginx/conf.d/default.conf -v $(pwd)/cert.pem:/etc/nginx/cert.pem -v $(pwd)/key.pem:/etc/nginx/key.pem nginx

1.13.2. nginx dynamic dns

1.13.2.1. with redirection

http {
    lua_shared_dict target_ip 10m;

    server {
        listen 80;

        location /update {
            content_by_lua_block {
                local new_ip = ngx.var.arg_ip
                if new_ip then
                    ngx.shared.target_ip:set("ip", new_ip)
                    ngx.say("IP updated successfully to: " .. new_ip)
                else
                    ngx.status = ngx.HTTP_BAD_REQUEST
                    ngx.say("No IP provided")
                end
            }
        }

        location / {
            set $target_ip '';
            access_by_lua_block {
                local ip = ngx.shared.target_ip:get("ip")
                if ip then
                    ngx.var.target_ip = ip
                    return ngx.redirect("http://" .. ip, ngx.HTTP_MOVED_TEMPORARILY)
                else
                    ngx.status = ngx.HTTP_SERVICE_UNAVAILABLE
                    ngx.say("No target IP set")
                    ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
                end
            }

        }
    }
}

events {
    worker_connections 1024;
}

1.13.2.2. with proxy_pass

http {
    lua_shared_dict target_ip 10m;

    server {
        listen 80;

        location /update {
            content_by_lua_block {
                local new_ip = ngx.var.arg_ip
                if new_ip then
                    ngx.shared.target_ip:set("ip", new_ip)
                    ngx.say("IP updated successfully to: " .. new_ip)
                else
                    ngx.status = ngx.HTTP_BAD_REQUEST
                    ngx.say("No IP provided")
                end
            }
        }

        location / {
            set $target_ip '';
            access_by_lua_block {
                local ip = ngx.shared.target_ip:get("ip")
                if ip then
                    ngx.var.target_ip = ip
                else
                    ngx.status = ngx.HTTP_SERVICE_UNAVAILABLE
                    ngx.say("No target IP set")
                    ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
                end
            }
            proxy_pass http://$target_ip$request_uri;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

    # websockets
    server {
        listen 9090;

        location /update {
            content_by_lua_block {
                local new_ip = ngx.var.arg_ip
                if new_ip then
                    ngx.shared.target_ip:set("ip", new_ip)
                    ngx.say("IP updated successfully to: " .. new_ip)
                else
                    ngx.status = ngx.HTTP_BAD_REQUEST
                    ngx.say("No IP provided")
                end
            }
        }

        location / {
            set $target_ip '';
            access_by_lua_block {
                local ip = ngx.shared.target_ip:get("ip")
                if ip then
                    ngx.var.target_ip = ip
                else
                    ngx.status = ngx.HTTP_SERVICE_UNAVAILABLE
                    ngx.say("No target IP set")
                    ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
                end
            }
            proxy_pass http://$target_ip:9090$request_uri;
            proxy_set_header Host $host:9090;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}

events {
    worker_connections 1024;
}

1.13.2.3. TODO add some more auth

local secret_key = "your_secret_key_here"
local provided_key = ngx.var.arg_key
local new_ip = ngx.var.arg_ip

if provided_key == secret_key then
    if new_ip then
        ngx.shared.target_ip:set("ip", new_ip)
        ngx.say("IP updated successfully")
    else
        -- set("ip", nil) would delete the stored IP, so reject a missing value
        ngx.status = ngx.HTTP_BAD_REQUEST
        ngx.say("No IP provided")
    end
else
    ngx.status = ngx.HTTP_FORBIDDEN
    ngx.say("Invalid secret key")
end
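A hardened version of the /update handler from the dynamic DNS configs above, added here as an example (not the page's own config): the key is compared in constant time, the key and IP are taken from a POST body rather than the query string, and only a dotted-quad IPv4 address is accepted before it is stored for proxy_pass. Assumed: OpenResty (LuaJIT `bit` library available), an `env DDNS_UPDATE_KEY;` line in the main nginx.conf so `os.getenv` can read it, and the same `lua_shared_dict target_ip 10m;` as above.

```lua
location /update {
    content_by_lua_block {
        local bit = require "bit"
        local secret_key = os.getenv("DDNS_UPDATE_KEY")  -- assumed env var, see lead-in

        -- Byte-by-byte comparison with no early exit, so response time does
        -- not reveal how many leading bytes of the submitted key were right.
        local function const_time_eq(a, b)
            if type(a) ~= "string" or type(b) ~= "string" or #a ~= #b then
                return false
            end
            local diff = 0
            for i = 1, #a do
                diff = bit.bor(diff, bit.bxor(a:byte(i), b:byte(i)))
            end
            return diff == 0
        end

        -- Take key and IP from a POST body, not the query string, so they do
        -- not end up in access logs or browser history.
        if ngx.req.get_method() ~= "POST" then
            ngx.status = ngx.HTTP_NOT_ALLOWED
            return ngx.say("POST required")
        end
        ngx.req.read_body()
        local args = ngx.req.get_post_args()

        -- Fail closed when no key is configured at all.
        if not secret_key or not const_time_eq(args.key, secret_key) then
            ngx.log(ngx.WARN, "rejected /update from ", ngx.var.remote_addr)
            ngx.status = ngx.HTTP_FORBIDDEN
            return ngx.say("Invalid secret key")
        end

        -- Accept only a dotted-quad IPv4 address, so nothing else (hostnames,
        -- ports, paths) can be injected into the proxy_pass target built from it.
        local ipv4 = [[^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$]]
        if type(args.ip) ~= "string" or not ngx.re.match(args.ip, ipv4, "jo") then
            ngx.status = ngx.HTTP_BAD_REQUEST
            return ngx.say("Invalid or missing IP")
        end

        ngx.shared.target_ip:set("ip", args.ip)
        ngx.log(ngx.NOTICE, "target IP set to ", args.ip, " by ", ngx.var.remote_addr)
        ngx.say("IP updated successfully")
    }
}
```

Update with `curl -X POST -d 'key=...' -d 'ip=203.0.113.10' http://host/update`; serve this location over TLS (see 1.13.1) so the key is not sent in clear text.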

1.13.3. Server daemon & reload

nginx -g 'daemon on;'
nginx -s reload

1.14. iptables

man iptables; man iptables-extensions

  iptables

  -t, --table <table>
  -A, --append <chain> <rule>
  -C, --check <chain> <rule>
  -D, --delete <chain> <rule>
  -F, --flush <chain>
  -L, --list <chain>
  -S, --list-rules <chain>

1.14.1. Tables (chains in processing order)

  filter (default)
    * INPUT
    * FORWARD
    * OUTPUT
  nat
    * PREROUTING
    * OUTPUT
    * POSTROUTING
  mangle
    has all the chains of filter and nat
    used for specialized packet alteration (modifies TCP)
  raw (high priority, modifies before all the others)
    * PREROUTING
    * INPUT
  security (SELinux)
    * INPUT
    * FORWARD
    * OUTPUT

1.14.2. Targets

-j, --jump <target>
  * ACCEPT
  * DROP (returns nothing by default)
  * REJECT (returns ICMP unreachable/prohibited)
  * REDIRECT
  * DNAT
  * SNAT

1.15. swap

https://wiki.archlinux.org/title/swap

mkswap -U clear --size 4G --file /swapfile
swapon /swapfile

If you are on an older version of mkswap

# Create a 4GB file for the swap
fallocate -l 4G /swapfile

# Alternatively, using dd if fallocate is not available
# dd if=/dev/zero of=/swapfile bs=1M count=4096

# Set the correct permissions
chmod 600 /swapfile

# Create the swap area in the file
mkswap /swapfile

# Activate the swap file
swapon /swapfile

# To make the change persistent, add the following line to /etc/fstab
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

1.16. DevOps Engineer In Six Months or Less

1.17. DevOps Lessons from the Ski Industry

1.17.1. Engage Your Users

  1. Ski patrol spends every morning marking and re-marking trail
    boundaries, difficulties, trees, stumps, cliffs and more (“Unmarked
    Obstacles Exist” signs). Solid documentation is essential for
    successful IT operations and breaking down DevOps silos

  2. Ski with a buddy: Where does cross-training and pairing rank on your
    team’s priority list?

  3. You can’t force your users to act wisely, but you can certainly help
    push them in the right direction -> a variety of seasonal and
    year-round safety awareness programs. When’s the last time your
    organization has had a meaningful security education campaign for
    ops, developers, or end-users?

1.17.2. Incidents Happen

  1. Communications: Equipped with two-way radios, the Lift Operations
    team was able to notify Ski Patrol within moments of the incident.
    Does your incident escalation system (Slack/PagerDuty/email/etc.)
    allow you to get the right stakeholders involved, immediately? Do you
    truly communicate honestly with end-users during an incident?

  2. Life Safety Skills: Ski Patrol are all trained EMTs, and most have
    decades of emergency medical, avalanche, and mountaineering
    experience. Does your on-call team have the training and access to
    production they truly need to mitigate real-time issues?

  3. Lift Evacuation: If a tree falls in the woods, on a lift cable, can
    you hear it? No matter why the lift is disabled, Ski Patrol has
    several methods to get guests to the ground safely. In the Teller
    incident, does your team know how to handle rollbacks? What about
    dealing with data corruption?

  4. Today’s lift systems are loaded with sensors that can automatically
    stop the lift in case of critical component failure or tower
    derailment. Newer lifts have four independent braking systems and
    hundreds of safety sensors and controls. What unexpected single
    points of failure exist in your critical environment? DNS, TLS
    Certificates, and even “HA” databases are often a surprise.

1.17.3. Like it or not, you’re Testing In Production!

  1. Do you have the observability necessary to know when things start to
    go wrong in production before it impacts your users? Is time spent on
    non-production environments impacting what gets done in production?
    Does your team understand the risk that various production
    experiments pose?

1.18. Devops (from Links)

1.18.1. Faun

https://faun.dev/ -> chat/forum with devops people

1.18.3. Architecture by diagrs

1.18.4. 7 Great Websites to Learn New Tech Skills

“7 Great Websites to Learn New Tech Skills” by Michael Vinh Xuan Thanh
https://link.medium.com/6XGAFMClf5

1.18.5. Trends

1.18.5.1. Docker vs containerd
1.18.5.2. The Roadmap To DevOps Developer for 2021 (List of Tools)

1.18.7. The codeless code

Fables about code http://thecodelesscode.com/contents

1.18.7.1. Overengineering can kill your product - Mind the Product

1.19. Tips

  • The important thing is to first have one environment with all its data
    right (not perfect) and then push that data to the rest of the
    environments, rather than trying to merge data from many environments
    in a complicated way
  • Metaprogramming (code that generates code) is best avoided when you are
    about to make an important change. You can generate the code and run
    that instead of running the code that runs the code, and you skip the
    intermediate steps

1.20. Cheat Sheet Pdf

Opinionated cheatsheet
sk3pp3r/cheat-sheet-pdf: 📜
A Cheat-Sheet Collection from the WWW

  1. nginx
  2. docker
  3. ansible
  4. python
  5. go
  6. git
  7. regular expressions
  8. powershell
  9. vim
  10. jenkins
  11. CI/CD
  12. Kubernetes
  13. Linux
  14. redis
  15. Slack
  16. GCloud
  17. AI, Neural Networks, Machine Learning, Deep Learning & Data Science
  18. PostgreSQL
  19. AJAX
  20. AWS

1.22. Network routing

  • nftables
  • iptables-translate converts from iptables to nftables
  • tc: traffic control, limit bandwidth, simulate delays, stress test with
    poor connectivity

https://serverfault.com/questions/453254/routing-between-two-networks-on-linux

  # Edit /etc/sysctl.conf or $ echo 1 >> /proc/sys/net/ipv4/ip_forward
  net.ipv4.ip_forward=1
  # Always accept loopback traffic
  iptables -A INPUT -i lo -j ACCEPT
  # We allow traffic from the LAN side
  iptables -A INPUT -i eth0 -j ACCEPT
  ######################################################################
  #
  #                         ROUTING
  #
  ######################################################################
  # eth0 is LAN
  # eth1 is WAN
  # Allow established connections
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Masquerade.
  iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
  # forwarding
  iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Allow outgoing connections from the LAN side.
  iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

1.24. avahi for multicast DNS

Author: Julian Lopez Carballal

Created: 2024-10-21 Mon 09:50