We generally use python pexpect module to connect system remotely with ssh and execute our tasks. But sometimes pexpect module is not found to be installed in remote systems which create problems. And this problem can be solved with the python select module with poll.
Here is the sample code that can be used.
Sometime we need to access the services that are running in the host machine to be accessible from the docker container. e.g. In on of my project, we needed to connect to the oracle db (port 1521) from inside the container within code.
The default behaviour of containers are, they cant access the host network directly unless the firewall of the host machine allows the network interface of docker to ACCEPT the packets.
So the docker container will communicate with the host machine using the gateway ip. First find the gateway ip inside the container.
Run below command inside the container to get the gateway ip and observer I am not able to connect to port 1521.
[code language=”bash”]
# nc -vz dockerhost 1521
dockerhost [172.18.0.1] 1521 (?) : Connection timed out
# ip route | awk ‘/^default via /{print $3}’
172.18.0.1
[/code]
Next task is to get the interface name of the docker network which is binded with the container. Most of the cases its docker0.
But it can also be customized, so check ifconfig output which matches the inet addr of the container gateway.
[code language=”bash”]
# ifconfig
br-4e83b57c54cf Link encap:Ethernet HWaddr 02:42:AF:CD:B5:DA
inet addr:172.18.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
# ip addr show br-4e83b57c54cf
10: br-4e83b57c54cf: mtu 1500 qdisc noqueue state UP
link/ether 02:42:af:cd:b5:da brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 scope global br-4e83b57c54cf
valid_lft forever preferred_lft forever
[/code]
Here the interface name is : br-4e83b57c54cf
Now add a iptables rule in Linux host:
[code language=”bash”]
iptables -A INPUT -i br-4e83b57c54cf -j ACCEPT
[/code]
OR with firewalld
[code language=”bash”]
# firewall-cmd –permanent –zone=trusted –change-interface=br-294e81e5ac31
# firewall-cmd –reload
[/code]
Now try to access the host port from container.
[code language=”bash”]
# nc -vz dockerhost 1521
dockerhost [172.18.0.1] 1521 (?) open
[/code]
There are other ways also available on internet , but I found none of them working.
There are a lot of tools used for monitoring the performance in Linux.
Here is the list of tools in one image that covers what is monitored by what.
Recently I encountered this issue in OVMM 3.2.9 while starting a vm with
xm create <vm.cfg path>
The reason behind this found was : the vm was not shutdown properly and the lock file is still there even if VM is down.
So the places to look at :
/var/log/xen/xend-debug.log/var/run/ovs-agent/vm-*.lock
Sometimes we have to deal with global variables like User passwords, database password, API Keys, middleware boot properties in our chef recipes which shouldn’t be exposed outside.
One solution is we have to keep all the secrets in a data bag and encrypt them using a random secret key and later distribute the key to other node where the secrets are accessed.
The other solution if using chef-vault which we will cover in a later topics.
First we have to create a random encryption key:
openssl rand -base64 512 | tr -d ‘\r\n’ > rev_secret_key
We have to use this secret key now to encrypt the databag item “revpass” in data bag “rev_secret”.
[code language=”bash”]
export EDITOR=vi
knife data bag create −−secret-file ./rev_secret_key rev_secret revpass
[/code]
This will open the vi editor with JSON data would be:
{
“id”: “revpass”
}
Now add your secrets here in json format which will be:
{
“id”: “revpass”,“boot_pass”: “bootpassword”,
“db_pass”: “dbpassword”,
}
Save and exit.
Show the encrypted contents of your databag:
knife data bag show rev_secret revpass
Show the decrypted contents of your databag:
knife data bag show −−secret-file=./rev_secret_key rev_secret revpass
For your chef clients to be able to decrypt the databag when needed, just copy over the secret key (replace client-node with your IP/node name):
scp ./rev_secret_key client-node:/etc/chef/encrypted_data_bag_secret
OR
keep it in ~/.chef directory ad update settings in knife.rb file.
encrypted_data_bag_secret “~/.chef/encrypted_data_bag_secret”
Accessing secret in recipe:
OR Mention the secret key in recipe as below.
In your db recipe, add below line to
secret = Chef::EncryptedDataBagItem.load_secret(“/var/chef/cache/cookbooks/revrec-chef/files/default/revrec_secret_key”)
passwords = Chef::EncryptedDataBagItem.load(“rev_secret “, “revpass”)
dbpasswd = passwds[“db_pass”]
Use it inside a resource:
………
oradb_password = “#{dbpasswd}”
……..
Or keep it in a template how ever its suitable.
Note : If you are using password in a template turn of logging by adding this attribute in template resource:
……
sensitive true
…..
NOTE : Here we are only sending the process into background but exiting the programe still use the child shell of the current shell. So exiting the shell/terminal will kill the process.
NOTE : Here running process is moved into background, and exiting the shell will not kill the process and will still run.
Up to now we have been working with monolithic applications where different components of service are packaged into a single application which is easy to develop, test and deploy.But when it becomes large and complex it’s become difficult as one team to work on it and the risk of failure is high at deploy time.
So to overcome, a new trend has been followed to work with microservices where components of the monolithic application are divided into small microservices. Here every microsevice will have its own API to handle its part of the application.
Virtual Machines are too big to transfer and often too slow.
So containerization is the better choice when adopting Microservices architecture.
Container ???
Docker is one of the most popular container product, that is based on LXC and is an open platform to build , ship and run distributed applications.
Docker images are built from Dockerfile and the containers are built from images.
Installing Docker is easy. All the commands used here are in OEL6 in my workplace.
Update OS to atleast OEL6_UEK4 repo to use kernel > 4.1 (yum update and confirm kernel version, os > 6.4)
[ol6_UEKR4]
name=Latest Unbreakable Enterprise Kernel Release 4 for company Linux $releasever ($basearch)
baseurl=http://public-yum.company.com/repo/companyLinux/OL6/UEKR4/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-company
gpgcheck=1
enabled=1yum update and reboot
> use docker repo:
[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/companylinux/6
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
yum install btrfs-progs
mkfs.btrfs /dev/sdb ( Add a raw disk and format with brtfs )
(FS tab entry )/dev/sdb /var/lib/docker btrfs defaults 0 0
/etc/sysconfig/docker ( If any ) OR add in /etc/default/docker( to use it with CURL)
export HTTP_PROXY=”proxy_URL:port”
export HTTPS_PROXY=”proxy_URL:port”
In /etc/init.d/docker
Update
“$unshare” -m — $exec -d $other_args &>> $logfile &
to
$exec -d $other_args &>> $logfile &
# service docker start
# chkconfig docker on
service docker status
docker info
docker version
groupadd docker
usermod -a -G docker <local docker>
chmod g+rx /var/lob/docker
docker search oraclelinux
docker searcg centos
docker searcg registry
docker pull oraclelinux:6.6
here oraclelinux – image is 6.6 – version
docker images
export DOCKER_CONTENT_TRUST=1
Fork is nothing but a new process that looks exactly like the old or the parent process but still it is a different process with different process ID and having it’s own memory. Parent process creates a separate address space for child. Both parent and child process possess the same code segment, but execute independently from each other.
The simplest example of forking is when you run a command on shell in unix/linux. Each time a user issues a command, the shell forks a child process and the task is done.
When a fork system call is issued, a copy of all the pages corresponding to the parent process is created, loaded into a separate memory location by the OS for the child process, but in certain cases, this is not needed. Like in ‘exec’ system calls, there is not need to copy the parent process pages, as execv replaces the address space of the parent process itself.
Some of the applications in which forking is used are: telnetd(freebsd), vsftpd, proftpd, Apache13, Apache2, thttpd, PostgreSQL.
Threads are Light Weight Processes (LWPs). Traditionally, a thread is just a CPU (and some other minimal state) state with the process containing the remains (data, stack, I/O, signals). Threads require less overhead than “forking” or spawning a new process because the system does not initialize a new system virtual memory space and environment for the process. While most effective on a multiprocessor system where the process flow can be scheduled to run on another processor thus gaining speed through parallel or distributed processing, gains are also found on uniprocessor systems which exploit latency in I/O and other system functions which may halt process execution.
Some of the applications in which threading is used are: MySQL, Firebird, Apache2, MySQL 323