Lookup
# List all plugins
ansible-doc -t lookup -l
# Use `ansible-doc -t lookup <plugin>` to see detail
ansible-doc -t lookup ping
winrm
- console output
在 hyper-v 那台機器 Enable Winrm 之後 一直出現下面的錯誤。 在 group 加上一行即可
ansible_winrm_transport=ntlm
hyper-v01 | UNREACHABLE! => {
"changed": false,
"msg": "ssl: the specified credentials were rejected by the server",
"unreachable": true
}
- /etc/ansible/hosts
# Connection variables for the Hyper-V Windows host (key=value inventory format).
ansible_user=administrator
# Plaintext credential in the inventory; an ansible-vault encrypted variable keeps it out of the file.
ansible_password=password
ansible_port=5986
ansible_connection=winrm
# Disables TLS certificate checking for the WinRM session, so the connection cannot detect
# a host impersonating the target. Acceptable for a lab host; otherwise install the host's CA.
ansible_winrm_server_cert_validation=ignore
# NTLM transport: the line that clears the "credentials were rejected by the server" error.
ansible_winrm_transport=ntlm
ab
ab -n 20 -c 20 -k https://default.hddv1.com/error
age
# generate public and private keys
age-keygen -o key.txt
# encrypt file with public key
age -r public_key -o file.txt.enc file.txt
# encrypt file with ssh key
age -R ~/.ssh/id_ed25519.pub file.txt > file.txt.enc
# decrypt file
age --decrypt -i key.txt file.txt.enc > file.txt
awk
# To lowercase
# Lowercase a freshly generated UUID
uuidgen | awk '{print tolower($0)}' # output: 649612b0-0fa4-4b50-9b13-17279f602a43
# Uppercase the whole record
awk '{print toupper($0)}' <<<'hello world' # output: HELLO WORLD
# Substring: substr(string, start, length)
awk '{print substr($0, 1, 5)}' <<<'hello world' # output: hello
# Replace every regex match in the record: gsub(regex, replacement, string)
# Replace only the first regex match: sub(regex, replacement, string)
awk '{gsub(/world/, "everyone"); print $0}' <<<'hello world' # output: hello everyone
# Truncate a number to an integer
awk '{print int($0)}' <<<'3.14' # output: 3
# Square root
awk '{print sqrt($0)}' <<<'99' # output: 9.94987
# Exponential and natural logarithm
awk '{print exp($0), log($0)}' <<<'2' # output: 7.38906 0.693147
certbot
# Install
sudo apt install certbot python3-certbot-nginx python3-certbot-dns-route53
# 1. Generating Wildcard Certificates
sudo certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.example.com
### add txt record then press enter to continue
# 2. Generating Wildcard Certificates
sudo certbot certonly -d example.com -d *.example.com --dns-route53 --agree-tos --server https://acme-v02.api.letsencrypt.org/directory
# Automating Renewal
0 0 * * 1 /usr/bin/certbot certonly --dns-route53 -d *.example.com --quiet --post-hook "systemctl reload nginx"
cutycapt
# Capture website page as picture
xvfb-run --server-args="-screen 0, 1024x768x24" cutycapt --url=https://www.google.com --out="/tmp/google.png"
dnscontrol
- creds.json
- command
dnscontrol get-zones --format=js --out=example.com.js r53 ROUTE53 example.com
dnscontrol get-zones --format=js --out=example.com.js cloudflare CLOUDFLAREAPI example.com
k6
- k6.js
- command
k6 run k6.js
hey
hey -n 200000 -c 500 -h2 -z 30s https://a8-wss.hddv1.com/test
openfortivpn
# https://github.com/adrienverge/openfortivpn
sudo openfortivpn ip:port --username=ricky --pppd-use-peerdns=1
openssl
# Self-signed CA: import ca.p7b into certmgr.msc under "Trusted Root Certification Authorities"
# so Chrome trusts certificates issued by it. crl2pkcs7 -nocrl wraps the PEM certificate in a
# PKCS#7 bundle, which is the format the Windows import wizard accepts.
openssl crl2pkcs7 -nocrl -certfile ca.crt -out ca.p7b
prlimit
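# Raising Max open files failed with an argument error: CentOS 6 and CentOS 7 use different commands.
# CentOS 6 — no prlimit(1); write the new limit straight into the live process's /proc entry.
# PIDs: game_server processes, excluding the grep itself and the startall wrapper.
for i in $(ps -ef | grep 'publish/server/game_server' | grep -Ev 'grep|startall' | awk '{print $2}'); do
  printf 'Max open files=1024000:1024000' > "/proc/${i}/limits"
done
# CentOS 7 — prlimit from util-linux; pgrep replaces the ps | grep | grep -v grep chain
# (pgrep never matches its own process, so no grep filter is needed).
for i in $(pgrep -f gateway); do
  prlimit --pid "$i" --nofile=1024000:1024000
done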
siege
siege --time=3s --concurrent=30000 https://a8-h5.hddv1.com/index.html
tr
# cat krypton2
YRIRY GJB CNFFJBEQ EBGGRA
# cat krypton2 | tr a-zA-Z n-za-mN-ZA-M
LEVEL TWO PASSWORD ROTTEN
vegeta
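#!/usr/bin/env bash
# Load-test a single URL with vegeta and stream the results into a live jplot graph.
# Usage: ./vegeta.sh <url>

#######################################
# Attack one URL for 100s at 500 req/s and plot rps, status-code histogram, latency
# percentiles and bytes in/out.
# Arguments: $1 - target URL, passed through unchanged to vegeta
# Outputs:   jplot renders to the terminal
#######################################
attack() {
  local url=$1
  echo "GET ${url}" |
    vegeta attack -duration=100s -header="User-Agent: baidu" -header="X-Forwarded-For: 47.0.0.1" -rate=500 -timeout=1s |
    vegeta encode |
    jaggr @count=rps \
      hist\[100,200,300,400,500\]:code \
      p25,p50,p95:latency \
      sum:bytes_in \
      sum:bytes_out |
    jplot rps+code.hist.100+code.hist.200+code.hist.300+code.hist.400+code.hist.500 \
      latency.p95+latency.p50+latency.p25 \
      bytes_in.sum+bytes_out.sum
}

# The argument is quoted: unquoted ${1} is word-split and glob-expanded, so a URL with
# IFS or glob characters reached attack() as several arguments.
if [[ -n ${1} ]]; then
  attack "${1}"
fi
## -header="Connection: Upgrade" -header="Upgrade: websocket"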
wrk
wrk -t10 -c1000 -d30s -H "User-Agent: baidu" "https://default.hddv1.com/error"
Vagrant with hyper-v provider
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
Common
# Find out processes swap usage command
for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done | sort -k 2 -n -r | less
Gitbook
Hide the GitBook sidebar by default.
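# Patch the default GitBook theme so the sidebar starts collapsed, then rebuild the theme assets.
# raw_path is captured but not used on this page (presumably for returning afterwards).
raw_path=$(pwd)
npm install -g gitbook-cli
gitbook install
# Stop if the theme directory is missing (a different gitbook version changes this path);
# otherwise the sed and npm steps below would run against the current directory.
cd ~/.gitbook/versions/3.2.3/node_modules/gitbook-plugin-theme-default || exit 1
# Inserts the override at line 25 of sidebar.js; the offset is specific to theme-default as
# shipped with gitbook 3.2.3 — re-check the file before reusing this elsewhere.
sed -i "25i\ \ \ \ gitbook.storage.set('sidebar', false);" src/js/theme/sidebar.js
npm install -g browserify uglify-js less less-plugin-clean-css
npm install
src/build.sh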
Install
- autocorrect
A linter and formatter that helps you improve copywriting by correcting spaces, words and punctuation in CJK (Chinese, Japanese, Korean) text. GitHub
wget https://github.com/huacnlee/autocorrect/releases/download/v1.7.4/autocorrect-darwin-amd64.tar.gz
- bpf
BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more. The kernel must be newer than 4.1; installing from source is preferable.
# `/usr/share/bcc/`
# https://github.com/iovisor/bcc
# https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md#1-kernel-source-directory
# https://github.com/iovisor/bpftrace
yum install bcc-tools
- flamegraph
Stack trace visualizer
# https://github.com/brendangregg/FlameGraph
brew install flamegraph
- git-split-diffs
GitHub style split diffs in your terminal
npm install -g git-split-diffs
- glci
Test your GitLab CI pipeline changes locally using Docker. blog
yarn global add glci
- openresty
wget https://openresty.org/package/centos/openresty.repo -O /etc/yum.repos.d/openresty.repo
yum install -y openresty openresty-resty
- perf
Performance monitoring for the Linux kernel
# https://github.com/brendangregg/Misc/blob/master/perf_events/perf.md
# http://www.brendangregg.com/perf.html
yum install perf
- pptx2md
A pptx to markdown converter
pip3 install pptx2md
- sockperf
Network Benchmarking Utility
# https://github.com/Mellanox/sockperf
yum install sockperf
- upx
UPX - the Ultimate Packer for eXecutables
brew install upx
- wrk
Modern HTTP benchmarking tool
brew install wrk
LVM
# Identify which disk was grown (find the device whose size changed)
lsblk
# Confirm /dev/sde is the path of that disk, then grow the physical volume onto the new space
pvresize /dev/sde
# vgdisplay [vg name]
# Read the "Free PE / Size" value — the number of free extents to add
vgdisplay vg3
# Path of the logical volume to extend
lvdisplay
# lvresize -l +[free PE count] <LV path>
lvresize -l +38400 /dev/vg3/disklvm4
# Grow the XFS filesystem to fill the extended LV
xfs_growfs /dev/vg3/disklvm4
# Verify the extra capacity is visible
df -h
Migration zabbix
# Dump the zabbix database (--opt is mysqldump's default option set), copy it to the new
# server and load it there. The dump may contain credentials and macros in clear text —
# keep zabbix.sql readable only by root and remove it once the import is verified.
mysqldump -uroot --opt zabbix > zabbix.sql
rsync -az zabbix.sql newserver:/root
mysql -uroot zabbix < zabbix.sql
Re-create /dev/null
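# Recreate /dev/null after it was deleted or replaced by a regular file.
rm -f /dev/null
# Character device, major 1 minor 3 (the kernel's null device).
mknod /dev/null c 1 3
# mknod honours the umask (typically leaving 0644 as root); every user must be able to
# write here, or unprivileged programs that redirect to /dev/null start failing.
chmod 666 /dev/null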
Script
Script Optimization
Advanced Shell Scripting Techniques: Automating Complex Tasks with Bash
- Use Built-in Commands: Built-in commands execute faster because they don’t require loading an external process.
- Minimize Subshells: Subshells can be expensive in terms of performance.
# Inefficient
output=$(cat file.txt)
# Efficient
output=$(<file.txt)
- Use Arrays for Bulk Data: When handling a large amount of data, arrays can be more efficient and easier to manage than multiple variables.
# Inefficient
item1="apple"
item2="banana"
item3="cherry"
# Efficient
items=("apple" "banana" "cherry")
for item in "${items[@]}"; do
echo "$item"
done
- Enable Noclobber: To prevent accidental overwriting of files.
set -o noclobber
- Use Functions: Functions allow you to encapsulate and reuse code, making scripts cleaner and reducing redundancy.
- Efficient File Operations: When performing file operations, use efficient techniques to minimize resource usage.
# Inefficient
while read -r line; do
echo "$line"
done < file.txt
# Efficient
while IFS= read -r line; do
echo "$line"
done < file.txt
- Parallel Processing: Tools like xargs and GNU parallel can be incredibly useful.
- Error Handling: Robust error handling is critical for creating reliable and maintainable scripts.
# Exit on Error: Using set -e ensures that your script exits immediately if any command fails, preventing cascading errors.
set -e
# Custom Error Messages: Implement custom error messages to provide more context when something goes wrong.
command1 || { echo "command1 failed"; exit 1; }
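# Trap Signals: Use the `trap` command to catch and handle signals and errors gracefully.
# Define the handler first; the trap string is only evaluated when ERR fires.
cleanup() {
  # Cleanup code goes here. A function body may not be empty or comment-only in bash
  # (the original was a syntax error); the ':' no-op keeps it valid until real code is added.
  :
}
trap 'echo "Error occurred"; cleanup; exit 1' ERR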
# Validate Inputs: Always validate user inputs and script arguments to prevent unexpected behavior.
if [[ -z "$1" ]]; then
echo "Usage: $0 <argument>"
exit 1
fi
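# Logging: Implement logging to keep track of script execution and diagnose issues.
logfile="script.log"
# Mirror stdout into the log file; quoting keeps a log path containing spaces intact.
# tee -i ignores SIGINT so an interrupted script still flushes its log.
exec > >(tee -i "$logfile")
exec 2>&1
echo "Script started"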
- Automating Complex System Administration Tasks:
- Automated Backups
- System Monitoring
- User Management
- Automated Updates
- Network Configuration
Build with secret
- Dockerfile
# syntax = docker/dockerfile:1.6
FROM golang:1.21.1-alpine3.18
# The secret is mounted only for the duration of this RUN step and is never written into an
# image layer (unlike COPY or ARG). Cloning over ssh presumably also needs gitlab.com's host
# key accepted (known_hosts) — not shown here, confirm in the real build.
RUN --mount=type=secret,id=mysecret,target=/root/.ssh/id_rsa git clone git@gitlab.com:ricky/repo.git
- Command
export DOCKER_BUILDKIT=1
docker build --secret id=mysecret,src=id_rsa -t image .
Compose
# Force pull image
docker-compose up -d --pull always
Create buildx instance
# create buildx instance
docker buildx create --name builder --bootstrap --driver docker-container
# install emulators
docker run --privileged --rm tonistiigi/binfmt --install all
Create Network
docker network create -d bridge --subnet 172.100.0.0/24 --gateway 172.100.0.1 backend_dev
Multiple build-arg
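# Build ops-cli with the build date and git metadata passed as build args.
# Each substitution is quoted: `$(date)` contains spaces, so unquoted it was split into
# several words and docker received stray positional arguments.
# NOTE(review): Tag receives a commit hash (rev-list) and Commit a tag name (describe) —
# the names look swapped; confirm against the Dockerfile's ARG declarations.
docker build . -f ./scripts/Dockerfile \
  --build-arg Date="$(date)" \
  --build-arg Tag="$(git rev-list -n 1 --tags)" \
  --build-arg Commit="$(git describe --tags --abbrev=0)" \
  -t ops-cli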
Multiple platform
# create and use buildx instance
docker buildx create --use --name builder
# build multiple platform
docker buildx build --push --platform linux/arm64,linux/amd64 -t zeyanlin/ops-cli .
Run container in different platform
finch run -it --rm --platform=linux/arm64 zeyanlin/ops-cli /bin/sh
File create time
1. Find Inode
$ stat dns.yaml
File: dns.yaml
Size: 1003 Blocks: 8 IO Block: 4096 regular file
Device: ca01h/51713d Inode: 3595636 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1000/ ubuntu) Gid: ( 1000/ ubuntu)
Access: 2022-05-03 12:59:59.996755279 +0800
Modify: 2021-12-10 18:27:54.157585209 +0800
Change: 2022-01-07 14:57:58.619727878 +0800
Birth: -
or
$ ls -i dns.yaml
3585173 dns.yaml
2. Find Filesystem
$ df dns.yaml
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/root 101583780 25703988 75863408 26% /
3. Get Create Time
$ sudo debugfs -R 'stat <3595636>' /dev/root
Inode: 3595636 Type: regular Mode: 0644 Flags: 0x80000
Generation: 449657737 Version: 0x00000000:00000001
User: 1000 Group: 1000 Project: 0 Size: 1003
File ACL: 0
Links: 1 Blockcount: 8
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x61d7e476:93c13018 -- Fri Jan 7 14:57:58 2022
atime: 0x6270b6cf:eda51d3c -- Tue May 3 12:59:59 2022
mtime: 0x61b32baa:25923ce4 -- Fri Dec 10 18:27:54 2021
crtime: 0x61b32baa:25923ce4 -- Fri Dec 10 18:27:54 2021
Size of extra inode fields: 32
Inode checksum: 0x5b176bb2
EXTENTS:
(0):2665902
Display Ubuntu's Message of the Day
sudo chmod +x /etc/update-motd.d/*
List domains
sed 's/ //g' domains-info.md | awk -F '|' '{if($3 ~ /.*\.com/)print $3}' | sort | uniq
Search in git
git rev-list --all | xargs git grep -F ''
Count commits
git rev-list --count main
View a file of another branch
git show dev:main.go
Take a backup of untracked files
git ls-files --others --exclude-standard -z | xargs -0 tar rvf backup-untracked.zip
Submodule
# Add submodule
git submodule add -b main git@github.com:linzeyan/toha.git themes/toha
# Update submodule
git submodule update --init --remote
# Remove submodule
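# Remove a submodule completely. `${modulePath:?}` aborts when the variable is empty, so the
# rm -rf below can never collapse to `rm -rf .git/modules/`; `--` protects against a path
# that starts with a dash.
modulePath="themes/toha"
git submodule deinit -f -- "${modulePath:?}"
git rm -- "${modulePath:?}"
rm -rf -- ".git/modules/${modulePath:?}"
git config --remove-section "submodule.${modulePath}."
# Deletes the whole file, i.e. every remaining submodule's entry, not just this one.
rm -f .gitmodules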
commit hash
git rev-parse HEAD
commit tag
git describe --tags
worktree
# list
git worktree list
# add
git worktree add ../dirname branch-name
git config
[user]
email = zeyanlin@outlook.com
name = Ricky
signingkey = 2A4313489FDCA802ED6FCC214B03D879EA73DF37
[commit]
gpgsign = true
git config1
For golang import package
[url "git@gitlab.example.com:"]
insteadOf = https://gitlab.example.com/
git config2
[includeIf "gitdir:~/work/"]
path = ~/.gitconfig-work
cleanup
# artifacts
gitlab-rake gitlab:cleanup:orphan_job_artifact_files
# expire session
gitlab-rake gitlab:cleanup:sessions:active_sessions_lookup_keys
# lfs
gitlab-rake gitlab:cleanup:orphan_lfs_files
# project
gitlab-rake gitlab:cleanup:project_uploads
gitlab-rake gitlab:cleanup:remote_upload_files
# registry
gitlab-ctl registry-garbage-collect
gitlab-ctl registry-garbage-collect -m
migration
1. Copy Old Crontab、Old /etc/gitlab、update-ca-trust
2. The versions must be the same
3. Copy newest backup file
4. Stop Services
gitlab-ctl stop unicorn
gitlab-ctl stop puma
gitlab-ctl stop sidekiq
gitlab-ctl status
5. Restore
The backup file must be placed in /var/opt/gitlab/backup
chown git:git backupfile
gitlab-backup restore BACKUP=11493107454_2018_04_25_10.6.4-ce
6. Check
gitlab-ctl reconfigure
gitlab-ctl restart
gitlab-rake gitlab:check SANITIZE=true
7. Unlock gitlab-runner at Admin Area
8. Pages: Add https settings in gitlab.rb, Admin Area -> Applications -> Destroy old System OAuth, and remove secret in gitlab-secret.json.
gitlab-ctl reconfigure
Install
brew install gnupg
Generate
gpg --full-generate-key
gpg --list-secret-keys
Generate Problem
$ gpg --full-generate-key
gpg: Sorry, no terminal at all requested - can't get input
Comment out no-tty in ~/.gnupg/gpg.conf
Add to git
gpg --armor --export 51ADF7101CA64B2508AE29EEC279555531A1DD62
Set .gitconfig
git config user.email zeyanlin@outlook.com
git config user.name Ricky
git config user.signingkey 51ADF7101CA64B2508AE29EEC279555531A1DD62
git config commit.gpgsign true
Delete key
gpg --delete-secret-keys 51ADF7101CA64B2508AE29EEC279555531A1DD62
Backup key
# https://www.jwillikers.com/backup-and-restore-a-gpg-key
gpg --list-secret-keys --keyid-format LONG
# Export key as a file, replace email-address and Enter the private key’s passphrase
gpg -o private.gpg --export-options backup --export-secret-keys rickylin@cloud-miner.net
# Restore key and enter the private key’s passphrase
gpg --import-options restore --import private.gpg
If GPG does not work
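# Point gpg at the current tty for pinentry, then restart the agent so it picks the setting up.
# Append the export only once; re-running this otherwise grows ~/.zshrc with duplicates.
grep -qF 'export GPG_TTY=$(tty)' ~/.zshrc 2>/dev/null || echo 'export GPG_TTY=$(tty)' >> ~/.zshrc
# The original used an en dash (–kill), which gpgconf rejects; the option is --kill.
gpgconf --kill gpg-agent
exec $SHELL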
Encrypt file
# Encrypt file
gpg --symmetric --cipher-algo aes256 archive_file.tar
# Decrypt file
gpg --output archive_file.tar --decrypt archive_file.tar.gpg
cert-manager
# install the cert-manager CustomResourceDefinition resources
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.1/cert-manager.crds.yaml
# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io
helm repo update
# install the cert-manager helm chart
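# Install cert-manager with the CRDs managed by the chart. Every continued line needs a
# trailing backslash: the original dropped it after installCRDs=true, so the shell ran
# `--set prometheus.enabled=false` and `--set webhook.timeoutSeconds=4` as separate
# (failing) commands and the chart was installed without those values.
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.13.1 \
  --set installCRDs=true \
  --set prometheus.enabled=false \
  --set webhook.timeoutSeconds=4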
# uninstalling
helm delete my-release
kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.1/cert-manager.crds.yaml
# create clusterissuer
kubectl apply -f cert-manager-resource.yaml
# generate certificate
kubectl apply -f cert-generate-resource.yaml
# create ingress controller
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml
# create ingress
kubectl apply -f cert-ingress-resource.yaml
helm
# install plugin
helm plugin install https://github.com/chartmuseum/helm-push.git
# add repo
## helm repo add --username gitlab-ci-token --password ${CI_JOB_TOKEN} ${CI_PROJECT_NAME} ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/stable
helm repo add go2helm https://gitlab.go2cloudten.com/api/v4/projects/29/packages/helm/stable --username ricky
# push chart
## https://docs.gitlab.com/ee/user/packages/helm_repository/
helm cm-push ./proxy-0.1.0.tgz go2helm
kompose
kompose --file docker-compose.yml convert
gitlab-runner
gitlab-admin-service-account.yaml
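# CA Certificate of the cluster, read from the default service-account secret.
kubectl get secret "$(kubectl get secret | grep default | awk '{print $1}')" -o jsonpath="{['data']['ca\.crt']}" | base64 --decode
# Service Token
kubectl apply -f gitlab-admin-service-account.yaml
kubectl -n kube-system describe secret "$(kubectl -n kube-system get secret | grep gitlab | awk '{print $1}')"
# https://gitlab.com/gitlab-org/charts/gitlab-runner/blob/master/values.yaml
# Capture the server certificate; /tmp/certs must already exist. s_client prints session
# text around the PEM block — presumably tolerated by the consumers below, confirm.
echo | openssl s_client -CAfile ca.crt -connect gitlab.knowhow.it:443 > /tmp/certs/server.pem
# Install gitlab-runner from gitlab
helm repo add gitlab https://charts.gitlab.io
kubectl create namespace gitlab
kubectl --namespace gitlab create secret generic gitlab-certs --from-file=gitlab.knowhow.it.crt=/tmp/certs/server.pem --from-file=registry.knowhow.it.crt=/tmp/certs/server.pem
# The runner registration token is a credential: take it from the environment instead of
# hard-coding it (the original embedded a literal token, which should be treated as leaked
# and rotated in the GitLab admin area). runners.privileged=true gives every job a
# privileged container on the node — keep that in mind for pipelines you do not control.
: "${RUNNER_REGISTRATION_TOKEN:?set RUNNER_REGISTRATION_TOKEN to the GitLab runner registration token}"
helm install --namespace gitlab k8srunner \
  --set gitlabUrl=https://gitlab.knowhow.it,runnerRegistrationToken="${RUNNER_REGISTRATION_TOKEN}",certsSecretName=gitlab-certs,rbac.create=true,runners.privileged=true,runners.tags=k8s,runners.image=alpine:3.12,runners.locked=false \
  gitlab/gitlab-runner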
k3d
k3d.yaml
# create cluster
k3d cluster create --config k3d.yaml
# delete cluster
k3d cluster delete local
# import image
k3d image import superapp -c local
kind
kind.yaml
# create cluster
kind create cluster --config kind.yaml
# delete cluster
kind delete cluster -n local
# import image
kind load docker-image superapp -n local
rancher
#!/usr/bin/env bash
# Run the Rancher server as a detached, always-restarting container on the host network,
# serving the TLS material already present under /etc/ssl.
run_args=(
  -d
  --restart=always
  --name rancher
  --network=host
  -v /etc/ssl/server.crt:/etc/rancher/ssl/cert.pem
  -v /etc/ssl/server.key:/etc/rancher/ssl/key.pem
  -v /etc/ssl/ca.crt:/etc/rancher/ssl/cacerts.pem
  # --privileged grants the container full host capabilities and --network=host removes
  # network isolation; together they widen what a compromised Rancher process can reach.
  --privileged
)
docker run "${run_args[@]}" rancher/rancher:latest
skaffold
#!/usr/bin/env bash
# https://github.com/GoogleContainerTools/skaffold/examples/getting-started
# Downloads whatever "latest" currently resolves to and installs it with no pinned version
# and no checksum or signature check; pin a release and verify the download where
# reproducibility or provenance matters.
curl -Lo skaffold https://storage.googleapis.com/skaffold/releases/latest/skaffold-linux-amd64 && \
sudo install skaffold /usr/local/bin/
k8s in k8s
#!/usr/bin/env bash
## Install kubernetes-in-kubernetes (kvaps chart) as release "kik" in a namespace of the
## same name, backed by the local-path storage class.
chart_repo='kvaps'
chart_version='0.13.4'
release='kik'
helm repo add "${chart_repo}" https://kvaps.github.io/charts
helm install "${release}" "${chart_repo}/kubernetes" \
  --version "${chart_version}" \
  --create-namespace \
  --namespace "${release}" \
  --set persistence.storageClassName=local-path
argocd
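#!/usr/bin/env bash
# Bootstrap Argo CD: install the Helm chart with the API server on a NodePort, fetch the
# argocd CLI if it is absent, then print the initial admin account and password.
nameSpace='argocd'
port=8443
## helm
## https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm install argocd argo/argo-cd \
  --namespace "${nameSpace}" --create-namespace \
  --set server.service.type=NodePort \
  --set server.service.nodePortHttps="${port}"
## kubectl — manifest-based alternative to the chart, kept for reference
# kubectl create namespace ${nameSpace}
# kubectl apply -n ${nameSpace} -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
# sleep 60
# kubectl apply -f - <<SVC
# apiVersion: v1
# kind: Service
# metadata:
#   labels:
#     app.kubernetes.io/component: server
#     app.kubernetes.io/name: argocd-server
#     app.kubernetes.io/part-of: argocd
#   name: argocd-server
#   namespace: ${nameSpace}
# spec:
#   type: NodePort
#   selector:
#     app.kubernetes.io/name: argocd-server
#   ports:
#     - name: https
#       nodePort: ${port}
#       port: 443
#       targetPort: 8080
# SVC

# Install the CLI only when it is not already on PATH. `command -v` is silent and built in;
# the original `which argocd 2>&1 >/dev/null` still sent stderr to the terminal (redirects
# apply left to right) and depended on `which` being installed.
if ! command -v argocd >/dev/null 2>&1; then
  # Pinned release, but nothing verifies a checksum or signature before the binary lands
  # in /usr/local/bin; verify the download out of band on hosts that matter.
  wget https://github.com/argoproj/argo-cd/releases/download/v2.1.7/argocd-linux-amd64
  chmod 755 argocd-linux-amd64
  mv argocd-linux-amd64 /usr/local/bin/argocd
fi
# Fixed wait for the chart to create argocd-initial-admin-secret (no readiness check;
# presumably long enough on the author's cluster).
sleep 120
account='admin'
password=$(kubectl -n "${nameSpace}" get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d)
# Printed on purpose for the first login. Anything capturing this script's stdout (CI logs,
# tee'd transcripts) then holds the admin password — treat that output as secret.
# printf with a quoted argument prints the value verbatim; the unquoted echo it replaces
# would word-split and glob-expand it.
printf '%s\n' "${account}"
printf '%s\n' "${password}"
## CLI
# argocd login https://192.168.185.95:6443
# argocd app create guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook --dest-server https://kubernetes.default.svc --dest-namespace default

#######################################
# Remove the cluster-scoped RBAC objects Argo CD leaves behind. Defined for manual use;
# nothing in this script calls it.
#######################################
delete() {
  kubectl delete clusterrole argocd-application-controller ; kubectl delete clusterrole argocd-server
  kubectl delete clusterrolebindings argocd-application-controller ; kubectl delete clusterrolebindings argocd-server
}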
cert manager
#!/usr/bin/env bash
## Install cert-manager
## https://cert-manager.io/docs/installation/
helm repo add jetstack https://charts.jetstack.io
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.7.2 \
--set installCRDs=true \
--set prometheus.enabled=false \
--set webhook.timeoutSeconds=4
cilium
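#!/usr/bin/env bash
# Install Cilium: either through the cilium CLI (macOS binary, checksum-verified) or the Helm chart.
set -eux

#######################################
# Download the cilium CLI for macOS, verify it against the published SHA-256, install it
# to /usr/local/bin and run `cilium install`. Not invoked below; call it explicitly.
#######################################
use_cli() {
  curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-darwin-amd64.tar.gz{,.sha256sum}
  # The checksum file comes from the same release download, so this catches a corrupt or
  # truncated transfer, not a compromised release.
  shasum -a 256 -c cilium-darwin-amd64.tar.gz.sha256sum
  sudo tar xzvfC cilium-darwin-amd64.tar.gz /usr/local/bin
  rm cilium-darwin-amd64.tar.gz{,.sha256sum}
  cilium install
}

# Helm path. The chart repo has to be registered first: the original went straight to
# `helm install cilium cilium/cilium`, which fails until a repo named "cilium" exists.
helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium --version 1.11.0 \
  --namespace kube-system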
ingress
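#!/usr/bin/env bash
# Install ingress-nginx via Helm into ${nameSpace} and render an Ingress manifest for
# gitlab.go2cloudten.com to ${ingressFile} (the apply step is left commented out).
# `<script> delete` removes the namespace and IngressClass instead.
ingressClass='nginx'
ingressFile='/tmp/ing.yaml'
ingressIP='192.168.185.109'
ingressName='proxy'
ingressSuffix='ingress-nginx'
nameSpace='ingress'
nginxRepo='ingress-nginx'
replica=0

if [[ "$1" == "delete" ]]; then
  # Delete
  kubectl delete namespace "${nameSpace}"
  kubectl delete IngressClass "${ingressClass}"
  # kubectl delete ValidatingWebhookConfiguration ${ingressName}-ingress-nginx-admission
  exit $?
fi

# Register the chart repo once. The original `if ! $(helm repo list | grep … >/dev/null)`
# executed grep's (empty) output as the command and only worked by accident (SC2091).
if ! helm repo list | grep -q -- "${nginxRepo}"; then
  echo "Install ${nginxRepo}"
  helm repo add "${nginxRepo}" https://kubernetes.github.io/ingress-nginx
  helm repo update
fi

# replicaCount=0 installs the controller with no running pods; scale it up (or enable the
# autoscaling options below) before expecting traffic to flow.
# --set controller.autoscaling.enabled=true \
# --set controller.autoscaling.maxReplicas=9 \
# --set controller.metrics.enabled=true \
helm install "${ingressName}" "${nginxRepo}/${ingressSuffix}" \
  --namespace "${nameSpace}" --create-namespace \
  --set controller.ingressClass="${ingressClass}" \
  --set controller.replicaCount="${replica}" \
  --set controller.service.externalTrafficPolicy=Local
# --set controller.publishService.enabled=true
# --set controller.defaultBackend.port=443 \
# --set controller.hostNetwork=true \
# --set controller.kind=DaemonSet \
# --set controller.daemonset.useHostPorts=true \
# --set controller.service.loadBalancerIP=${ingressIP}

# ClusterIP of the first Service listed in the namespace (row 2 of `kubectl get service`);
# assumes the controller Service is the only one there — confirm before relying on it.
clusterIP=$(kubectl -n "${nameSpace}" get service | awk 'NR==2{print $3}')

# Unquoted heredoc so the ${…} variables expand. The commented Service/Endpoints pair is an
# alternative external-IP wiring kept for reference. The document separator is a plain ---:
# a heredoc leaves `\-` untouched, so the original's \-\-\- produced invalid YAML.
cat <<EOF >"${ingressFile}"
# apiVersion: v1
# kind: Service
# metadata:
#   name: ${ingressName}-${ingressSuffix}
# spec:
#   clusterIP: ${clusterIP}
#   externalIPs:
#     - ${ingressIP}
#   externalTrafficPolicy: Local
#   selector:
#     app: proxy-nginx-ingress
#   ports:
#     - name: https
#       port: 443
#       targetPort: 443
#   type: LoadBalancer
# status:
#   loadBalancer:
#     ingress:
#       - ip: ${ingressIP}
# ---
# kind: Endpoints
# apiVersion: v1
# metadata:
#   name: ${ingressName}-${ingressSuffix}
# subsets:
#   - addresses:
#       - ip: 54.238.209.164
#     ports:
#       - name: https
#         port: 443
#       - name: ssh
#         port: 22
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    # legacy class annotation; newer clusters select the controller via spec.ingressClassName
    kubernetes.io/ingress.class: ${ingressClass}
    nginx.ingress.kubernetes.io/upstream-vhost: own.go2cloudten.com
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/default-backend: ${ingressName}-${ingressSuffix}-controller
    nginx.ingress.kubernetes.io/http2-push-preload: "true"
    nginx.ingress.kubernetes.io/service-upstream: "true"
    # nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  # defaultBackend:
  #   service:
  #     name: ${ingressName}-${ingressSuffix}
  #     port:
  #       number: 443
  rules:
    - host: gitlab.go2cloudten.com
      http:
        paths:
          # NOTE(review): Prefix paths are literal prefixes; the '*' may be rejected by
          # API validation — confirm on the target cluster.
          - path: /*
            pathType: Prefix
            backend:
              service:
                name: ${ingressName}-${ingressSuffix}
                port:
                  number: 443
          # - path: /*
          #   pathType: Prefix
          #   backend:
          #     service:
          #       name: ${ingressName}-${ingressSuffix}
          #       port:
          #         name: ssh
EOF
# kubectl -n ingress apply -f ${ingressFile}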
krew
#!/usr/bin/env bash
# Install krew (the kubectl plugin manager) from the latest GitHub release, then use it to
# install and run the change-ns plugin. This is upstream's documented one-liner with -x tracing.
set -x
# Everything happens in a throw-away temp dir that is never removed. The && chain stops at
# the first failing step. "latest" is unpinned and the tarball is not checksum-verified,
# so the installed version depends on when this runs.
cd "$(mktemp -d)" &&
OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
KREW="krew-${OS}_${ARCH}" &&
curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
tar zxvf "${KREW}.tar.gz" &&
./"${KREW}" install krew
# Make the freshly installed krew visible to this shell; persist the same line in your rc file.
export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
kubectl krew install change-ns
kubectl change-ns nginx
prometheus
#!/usr/bin/env bash
# Install kube-prometheus-stack, expose Prometheus and Grafana via NodePort, scrape
# kube-controller-manager over HTTPS, then read Grafana's admin credentials from the
# chart-created secret into shell variables.
nameSpace='monitoring'
prometheusPort=9090
grafanaPort=3000
kubeControllerManagerDefaultPort=10257
## helm
## https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
## 1. monitor every namespace and expose the Prometheus port
## 2. expose the Grafana port
## 3. monitor kubeControllerManager
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
# The three *NilUsesHelmValues=false settings make Prometheus pick up PodMonitor,
# PrometheusRule and ServiceMonitor objects from every namespace, not only the chart's own.
# NodePort puts the Prometheus and Grafana UIs on every node IP (9090 / 3000); make sure
# network policy or the perimeter limits who can reach them.
# insecureSkipVerify=true disables TLS verification for the controller-manager scrape
# (serverName=localhost presumably because the endpoint's certificate does not match the
# node address); accepted here to obtain metrics at all, at the cost of endpoint authenticity.
helm install kube-prometheus-stack prometheus-community/kube-prometheus-stack \
--namespace "${nameSpace}" \
--create-namespace \
--set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
--set prometheus.prometheusSpec.ruleSelectorNilUsesHelmValues=false \
--set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false \
--set prometheus.service.type=NodePort \
--set prometheus.service.nodePort=${prometheusPort} \
--set grafana.service.type=NodePort \
--set grafana.service.nodePort=${grafanaPort} \
--set kubeControllerManager.service.port=${kubeControllerManagerDefaultPort} \
--set kubeControllerManager.service.targetPort=${kubeControllerManagerDefaultPort} \
--set kubeControllerManager.ServiceMonitor.https=true \
--set kubeControllerManager.ServiceMonitor.insecureSkipVerify=true \
--set kubeControllerManager.ServiceMonitor.serverName=localhost
# Fixed wait for the chart to create the Grafana admin secret (no readiness check).
sleep 30
# admin-user / admin-password are base64 in the secret; the decoded values stay in these
# variables and are not printed on this page — any later use is outside this view.
account=$(kubectl -n "${nameSpace}" get secret kube-prometheus-stack-grafana -o jsonpath="{.data.admin-user}" | base64 -d)
password=$(kubectl -n "${nameSpace}" get secret kube-prometheus-stack-grafana -o jsonpath="{.data.admin-password}" | base64 -d)
Create and use secret
command
kubectl -n nginx create secret docker-registry gitlab --docker-server=registry.go2cloudten.com --docker-username=ricky --docker-password="token or password"
config
imagePullSecrets:
- name: gitlab
Run pod
kubectl run -it --rm --image=registry.go2cloudten.com/it/docker/backup test --image-pull-policy=IfNotPresent -- bash
Check port status
# `(echo >/dev/tcp/${host}/${port})`
# Bash-only TCP probe: /dev/tcp/<host>/<port> is a bash redirection target, not a real file,
# so this does not work under dash or plain sh. `cmd && echo open || echo closed` is safe
# here only because echo cannot fail. Without `timeout` an unanswered connection attempt
# may block until the kernel's connect timeout.
(echo >/dev/tcp/192.168.57.24/80) &>/dev/null && echo "open" || echo "closed"
# `timeout 1` bounds the wait to one second; a probe that times out also reports "closed".
timeout 1 bash -c '>/dev/tcp/192.168.57.24/80 &>/dev/null' && echo "open" || echo "closed"
timeout 1 bash -c '>/dev/tcp/192.168.57.24/80' && echo "open" || echo "closed"
Block subnets
ip route add blackhole 192.168.0.0/24
texlive
- macOS
# brew install textlive
# npm i -g mermaid-filter
# Render mermaid
pandoc -F mermaid-filter -o readme.pdf readme.md
- Ubuntu
# sudo apt install pandoc -y
# sudo apt-get -y install texlive-latex-recommended texlive-pictures texlive-latex-extra texlive-fonts-recommended
# npm i -g mermaid-filter
pandoc -F mermaid-filter -o readme.pdf readme.md