Kubernetes Time

My previous post was sitting in drafts for almost a year. It looked post-worthy, so I figured I would publish it now as a testament to my thoughts at the time.

So where am I at today?

Care and maintenance of my current infrastructure that supports WordPress and various Python apps.

More focus on my team at work. Making sure we tighten up process documentation for the Windows side of the house. Why can’t Microsoft tooling be backed by declarative text-based configuration? Then we could document alongside our SCCM configs. We could have change control tracking and version history with Git. It would be heaven in comparison to the non-idempotent PowerShell snippets it sometimes lets us export. Oh well. I’m lucky to have a systems administrator for the day-to-day Windows administration stuff.

I achieved my RHCSA 7 certification and have finally started the migration to RHEL 7. My investment in Ansible automation with the RHEL 6 servers has made the transition much easier.

I snagged my AWS Certified Solutions Architect – Associate certification. Since I already administer our web DR servers in AWS, I figured it would be good to bolster my experience with some broader training and certification.

So now is the time! Kubernetes! I’m going to live it and love it until it is ingrained in my soul! I recently finished the Kubernetes Deep Dive course on A Cloud Guru by Nigel Poulton. It was fantastic! Nigel is super entertaining and engaging. The course does a great job at getting your head around Kubernetes, what it does, and how it does it. It’s definitely a great way to gain a foundational understanding of Kubernetes.

Unfortunately, the Kubernetes content on acloud.guru is still pretty slim. They don’t even have an EKS course. What? So I decided to switch over to linuxacademy.com and do some of those courses. I’m currently 60% done with the CKA course. It’s definitely not as exciting as Nigel Poulton’s content, but there are lots of built-in labs, which is nice. Linux Academy also has a Kubernetes the Hard Way course. It covers the material found in the highly regarded https://github.com/kelseyhightower/kubernetes-the-hard-way . I don’t have a funded Google Cloud account, so being able to use the Linux Academy labs will be nice. The real deciding factor for switching to Linux Academy was an EKS Deep Dive course as well as further AWS certification prep courses that I want to take.

This is all part of my research and planning for an AWS EKS proof of concept project. Currently, I’m working with our AWS architect to draft a POC proposal for AWS credits. Hopefully, I’ll be learning more about Amazon’s implementation of Kubernetes in the near future.

Who knows, maybe I can even blog about it?

Posted in Certification, Containers, Kubernetes, Linux, my conscious streamed, Training

Containers. A Better Way Forward?

I’ve been looking at leveraging containers for our next generation web infrastructure at work. On the surface, they appear to offer a nice development experience (especially with Docker) while offering the possibility of a flexible and scalable cluster environment (not so much with Docker?).

There are some things I’d like to achieve:

  • Improve developer experience.
  • Scale from small to large.
  • Cloud Vendor agnostic.
  • Easy to leverage Ansible for configuration.
  • Have an enterprise support option (for overlord peace of mind).

Currently, our servers are configured in a shared hosting model. Each app has its own folder and vhost configuration. We provide dev, qa, and production servers. Developers tend to develop locally for convenience and then push their changes to a git repo, which triggers deployment to our dev servers. Most devs will use a stack install like Bitnami or WampServer. Many devs are on Windows, which can complicate it further. We do have a few that use Vagrant, which is pretty nice, but the spin-up time isn’t super fast when using a highly customized Vagrantfile, which is required to replicate our dev environment since we don’t offer a preconfigured box. Suffice it to say I’m yearning for a way to give devs an easy-to-use replica of our actual server environment.

On the surface, containers look like an ideal solution. They definitely can start off really small and they do horizontal scaling pretty well in theory. I’ve been playing with Docker and it’s a really slick solution. However, no one seems to be saying it’s great for production servers. This has led me to look at how the big boys run containers, and I kept hearing about Kubernetes.

My cursory research on Kubernetes had two major things going for it. It was born out of Google and their need for scale and is how they run production container clusters. Red Hat uses Kubernetes in its container solution. I respect Google’s scale and we use Red Hat at work.

Posted in Ansible, Containers, Docker, Kubernetes, Linux, my conscious streamed, OpenShift

CentOS 6 Hyper-V Gen 2 vm error: Boot Failed. EFI SCSI Device

Attempting to deploy a Hyper-V Generation 2 VM template with a CentOS 6.8 vhdx would fail. The VM was in a powered-on state, so I viewed the console. The VM had failed to boot with the error: Boot Failed. EFI SCSI Device.


Disclaimer: Microsoft does not support CentOS 6 on a Generation 2 VM. So for production use and possibly your sanity, you may want to just use a Gen 1 VM for CentOS 6.8. For those of you that just want all that Gen 2 VM goodness on their CentOS 6 vm, read on.

One of the first articles we found on this issue was for Ubuntu: Copying the VHD of a Generation 2 Linux VM–and not booting. So I went about retrofitting this solution for CentOS 6.

CentOS 6.8 uses legacy GRUB, which expects grub.conf to be stored in the same location as the grub.efi bootloader and to share the same base filename. GRUB 2 stores its config in a different location, so the directions for Ubuntu didn’t address the configuration file.

The adapted directions for CentOS 6.8 would be:


cp -r /boot/efi/EFI/redhat /boot/efi/EFI/BOOT
mv /boot/efi/EFI/BOOT/grub.efi /boot/efi/EFI/BOOT/BOOTX64.EFI
mv /boot/efi/EFI/BOOT/grub.conf /boot/efi/EFI/BOOT/BOOTX64.conf

I was concerned about updates that modify grub (such as kernel updates). They would not be applied to the copied bootloader files. To address this, I configured /boot/efi/EFI/BOOT/BOOTX64.conf to chainload the original /boot/efi/EFI/redhat/grub.efi. That way the system would boot off of the default installed grub.efi and grub.conf, and any future updates that modified grub would work as expected.

Edit /boot/efi/EFI/BOOT/BOOTX64.conf and replace the boot option(s) with a chainloader entry:


device (hd0) HD(1,800,64000,e9d9cc6d-84e0-48ad-acf2-76d19a620608)
default=0
timeout=0
hiddenmenu
title chainload default CentOS 6 bootloader
root (hd0,0)
chainloader /EFI/redhat/grub.efi

I also set timeout=0 and removed the splashimage line. Note: You can view a diff of the BOOTX64.conf changes here.

Hyper-V UEFI firmware will now load the auto-detect EFI bootloader path ( /EFI/BOOT/BOOTX64.EFI ). BOOTX64.EFI then hands off the boot process to the system maintained /EFI/redhat/grub.efi using the /EFI/redhat/grub.conf configuration.
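The procedure above, scripted end to end as an added example (this is my script, not the original post’s commands): it copies grub.efi to the UEFI default path, writes the chainload BOOTX64.conf beside it, and verifies the result. The ESP mount point is taken as an argument so the functions can be exercised against a scratch directory; the script assumes the CentOS 6 layout described here (EFI/redhat/grub.efi with grub.conf beside it) and a VM with Secure Boot disabled, since CentOS 6 does not support Secure Boot.

```shell
#!/bin/sh
# Added example (not from the original post): install a fallback loader at the
# UEFI default path EFI/BOOT/BOOTX64.EFI that chainloads the distro-maintained
# legacy GRUB at EFI/redhat/grub.efi, then verify the result.
# Assumptions: CentOS 6 with legacy GRUB, ESP mounted at the directory given as
# the argument (default /boot/efi), Secure Boot off for the VM.
set -eu

# Print the chainload config. $1 = the "device (hd0) ..." line taken from the
# distro grub.conf (may be empty), so hd0 keeps mapping to the same ESP.
chainload_conf() {
    device_line=$1
    if [ -n "$device_line" ]; then
        printf '%s\n' "$device_line"
    fi
    cat <<'EOF'
default=0
timeout=0
hiddenmenu
title chainload default CentOS 6 bootloader
root (hd0,0)
chainloader /EFI/redhat/grub.efi
EOF
}

# Copy grub.efi to the default path and write the chainload config beside it.
# Safe to re-run: it refreshes BOOTX64.EFI from the current grub.efi.
install_fallback() {
    esp=${1:-/boot/efi}
    src=$esp/EFI/redhat
    dst=$esp/EFI/BOOT
    for f in grub.efi grub.conf; do
        if [ ! -f "$src/$f" ]; then
            echo "install_fallback: $src/$f not found" >&2
            return 1
        fi
    done
    mkdir -p "$dst"
    cp -p "$src/grub.efi" "$dst/BOOTX64.EFI"
    device_line=$(grep '^device (hd0)' "$src/grub.conf" | head -n 1 || true)
    chainload_conf "$device_line" > "$dst/BOOTX64.conf"
}

# Check that the fallback loader is a copy of the distro loader and that its
# config hands off to /EFI/redhat/grub.efi without a menu delay.
verify_fallback() {
    esp=${1:-/boot/efi}
    dst=$esp/EFI/BOOT
    [ -f "$dst/BOOTX64.EFI" ] || return 1
    [ -f "$dst/BOOTX64.conf" ] || return 1
    cmp -s "$dst/BOOTX64.EFI" "$esp/EFI/redhat/grub.efi" || return 1
    grep -q '^chainloader /EFI/redhat/grub.efi$' "$dst/BOOTX64.conf" || return 1
    grep -q '^timeout=0$' "$dst/BOOTX64.conf" || return 1
}

# Usage (as root): sh fallback-loader.sh --apply /boot/efi
if [ "${1:-}" = "--apply" ]; then
    install_fallback "${2:-/boot/efi}"
    if verify_fallback "${2:-/boot/efi}"; then
        echo "fallback loader installed under ${2:-/boot/efi}/EFI/BOOT"
    else
        echo "fallback loader verification failed" >&2
        exit 1
    fi
fi
```

Run it as root with --apply after confirming /boot/efi is mounted; re-running after a kernel update is harmless, but it is not required, because the firmware still ends up in the distro-maintained grub.efi and grub.conf.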


Things I learned (notes and references):

CentOS 6 uses legacy grub.

On a UEFI system, the CentOS 6 installer creates an ESP (EFI System Partition) on the first partition of the disk (e.g. /dev/sda1), mounted at /boot/efi.

The bootloader ( grub.efi ) and configuration file ( grub.conf ) are placed in /boot/efi/EFI/redhat/

The installer registers the bootloader file location in the UEFI Firmware. In the Hyper-V VM settings under firmware, a “boot from file” entry stores the registration. A new vm from a vhdx template will be missing the “boot from file” setting and the UEFI firmware will not be able to locate the bootloader.

It may be possible to generate a “boot from file” entry using the Set-VMFirmware PowerShell cmdlet. I couldn’t find examples for setting the file entry, but this looks promising:

http://itproctology.blogspot.com/2013/10/modifying-hyper-v-generation2-vm-boot.html

Legacy grub requires the configuration file to be in the same location as the bootloader with the same base filename.

source:

http://www.rodsbooks.com/efi-bootloaders/grub_legacy.html

UEFI automated detection relies on a standardized file path to the operating system loader. The format of the file path is defined as <EFI_SYSTEM_PARTITION>/BOOT/BOOT<MACHINE_TYPE_SHORT_NAME>.EFI; for example, the file path to the loader on an x86-64 system is /efi/BOOT/BOOTX64.EFI

source:

https://en.wikipedia.org/wiki/Extensible_Firmware_Interface#UEFI_booting



Posted in Hyper-V, Linux

OS X 10.7+ Pause Resume requires Print Operator

I had a user running OS X 10.7.8 who was prompted when trying to resume print jobs after paper jams. A dialog stated:

Type the name and password of a user in the “Print Operator” group to allow this.

Remote Desktop Picture April 22, 2014 at 3.35.43 PM EDT

There are a number of fixes out there that have you modifying /etc/cups/cupsd.conf and /etc/authorization. However, Apple introduced a CLI tool called security back in 10.3, and as of 10.7 its authorizationdb subcommand can set authorization rights for System Preferences and more. The great thing about using this method is that Apple has maintained compatibility across versions, up to 10.9 Mavericks as of this writing. You’ll also notice that on 10.9 /etc/authorization is gone! So learn to love /usr/bin/security! It is now the best way to modify the various system privileges. Wish Apple documented it a bit better, though! Oh well, they want you to use Server Profile Manager! 🙂

Back to the solution: I decided I was fine with all my users being able to pause and resume their local print queues and perform printer operator functions.

To allow this I used the following command:

sudo security authorizationdb write system.print.operator allow

Done! Users can now pause and resume local print queues.
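An added example of how I would wrap that one command for a fleet (my script, not part of the original post): back up the current right, apply the allow rule, and report what the right looked like before and after by parsing the plist that security authorizationdb read prints. The two sample plists are constructed by hand to match the shape of that output, and the Print Operator group name _lpoperator is an assumption; the script also notes the narrower alternative of adding the user to that group instead of allowing everyone.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot the system.print.operator
# right before changing it, apply the "allow" rule, and verify the result from
# the plist that "security authorizationdb read" prints. Assumes macOS 10.7+
# with /usr/bin/security; the sample plists below are constructed by hand to
# match that output's shape (the real ones carry more keys, such as a comment).
set -eu

RIGHT=system.print.operator

# Constructed sample: the right as shipped, granted to members of the
# Print Operator group (assumed here to be _lpoperator).
BEFORE_SAMPLE='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>class</key>
	<string>user</string>
	<key>group</key>
	<string>_lpoperator</string>
	<key>shared</key>
	<true/>
</dict>
</plist>'

# Constructed sample: the same right after "authorizationdb write ... allow".
AFTER_SAMPLE='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>class</key>
	<string>allow</string>
</dict>
</plist>'

# Print the <string> value that follows <key>$1</key> in the plist on stdin;
# prints nothing when the key is absent.
plist_string() {
    awk -v want="$1" '
        /<key>/ { k = $0; gsub(".*<key>|</key>.*", "", k); current = k; next }
        /<string>/ && current == want {
            gsub(".*<string>|</string>.*", ""); print; exit
        }'
}

# One-line summary of a right: "class=<class>" plus "group=<group>" when set.
describe_right() {
    plist=$(cat)
    class=$(printf '%s\n' "$plist" | plist_string class)
    group=$(printf '%s\n' "$plist" | plist_string group)
    if [ -n "$group" ]; then
        printf 'class=%s group=%s\n' "$class" "$group"
    else
        printf 'class=%s\n' "$class"
    fi
}

# Back up the live right to $1, set it to allow, print before/after.
# Restore later with:  security authorizationdb write "$RIGHT" < "$1"
# Narrower alternative that keeps the group rule: add the user to the
# Print Operator group instead (group name assumed):
#   dseditgroup -o edit -a "$user" -t user _lpoperator
apply_allow() {
    backup=$1
    security authorizationdb read "$RIGHT" > "$backup"
    echo "before: $(describe_right < "$backup")"
    security authorizationdb write "$RIGHT" allow
    echo "after:  $(security authorizationdb read "$RIGHT" | describe_right)"
}

# Usage (as root): sh print-operator.sh --apply /var/root/print.operator.bak
if [ "${1:-}" = "--apply" ]; then
    apply_allow "${2:?backup path required}"
fi
```

The "allow" rule grants the right to anyone who asks, which is what the post opts for; keeping the backup plist means the original group rule can be put back with a single redirect if that turns out to be too broad.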

Posted in Uncategorized

Acrobat JavaScript Vulnerability – vbscript Fix

Acrobat and Reader are susceptible to a JavaScript exploit. I did some research and hacked together a quick and dirty fix to deploy via GPO on my domain.

Credit goes to these two excellent resources that helped me throw together my script.

http://www.phishlabs.com/blog/archives/122 

This next one has more keys that can be used and shows you how to apply the registry settings to all the users on the system. Awesome!

http://www.symantec.com/connect/articles/adobe-vuln-workaround-vbscript-task-server  

I wanted to get this out quickly and not worry about which version they had. It would have been better to detect the installs, but I decided to brute-force install all the registry keys. An added benefit of this method is that even if Acrobat is installed after the script runs, the registry keys are already there to disable JavaScript. My main concern was getting this fix out quickly, so consider this quick and dirty! 🙂 I haven’t even removed my echos for troubleshooting; they are just commented out. :/

Here is what I came up with: 

' DisableAcrobatJSv1.vbs
' Author DerekJBernard https://derekjbernard.wordpress.com
' Version 1.0
' ---------------------------------------------------------------
' Writes the Adobe Reader / Acrobat JSPrefs values into every user hive
' loaded under HKEY_USERS, then sets a marker value so later runs (e.g.
' from a GPO startup script) exit early. Must run with rights to write
' other users' hives (SYSTEM via GPO startup script is fine).

Option Explicit
On Error Resume Next
Dim objShell
Dim ChkInst
Dim strModify

' Marker value written after a successful run. RegRead raises an error
' until it exists, which is what triggers WriteKeys below.
ChkInst = "HKEY_USERS\.DEFAULT\Software\Adobe\AcroJSdisable"

' Create the Shell object
Set objShell = CreateObject("WScript.Shell")
strModify = objShell.RegRead(ChkInst)

If Err.Number <> 0 Then
    'wscript.echo "Description: " & Err.Description
    Err.Clear
    Call WriteKeys
Else
    'wscript.echo "reg flag detected"
    wscript.quit
End If

Sub WriteKeys

    Dim App
    Dim arrApp(1)
    Dim ver
    Dim key
    Dim arrKey(3)
    Dim regkey
    Dim strComputer
    Dim strKeyPath
    Dim subkey
    Dim arrSubKeys
    Dim objReg

    ' Per-user preference trees for Reader and Acrobat, versions 7.0 to 9.0.
    ' These are the same values the user sees under Edit > Preferences >
    ' JavaScript, so a user can switch them back; re-running the script
    ' (after clearing the marker) re-applies them.
    arrApp(0) = "\Software\Adobe\Acrobat Reader"
    arrApp(1) = "\Software\Adobe\Adobe Acrobat"
    ' JSPrefs values: the first three are set to 0 (off),
    ' bEnableGlobalSecurity is set to 1.
    arrKey(0) = "bConsoleOpen"
    arrKey(1) = "bEnableJS"
    arrKey(2) = "bEnableMenuItems"
    arrKey(3) = "bEnableGlobalSecurity"
    Const HKEY_USERS = &H80000003
    strComputer = "."
    strKeyPath = ""

    ' WMI registry provider, used only to enumerate the loaded user hives
    Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
        & strComputer & "\root\default:StdRegProv")

    objReg.EnumKey HKEY_USERS, strKeyPath, arrSubKeys

    ' RegWrite creates any missing intermediate keys, so the values land
    ' even for users who have not installed or launched Acrobat yet.
    For Each subkey In arrSubKeys
        For Each App In arrApp
            For ver = 7 To 9 Step 1
                For Each key In arrKey
                    regkey = "HKEY_USERS\" & subkey & App & "\" & ver & ".0\JSPrefs\" & key
                    If key <> "bEnableGlobalSecurity" Then
                        objShell.RegWrite regkey, 0, "REG_DWORD"
                    Else
                        objShell.RegWrite regkey, 1, "REG_DWORD"
                    End If
                Next
            Next
        Next
    Next

    ' Err is not reset by later successful statements, so any failed write
    ' above leaves the marker unset and the whole script re-runs next time.
    If Err.Number <> 0 Then
        'wscript.echo "Error: " & Err.Number
        'wscript.echo "Error (Hex): " & Hex(Err.Number)
        'wscript.echo "Source: " & Err.Source
        'wscript.echo "Description: " & Err.Description
        Err.Clear
    Else
        objShell.RegWrite ChkInst, 1, "REG_DWORD"
        'wscript.echo "Installation registry flag set!"
    End If

End Sub

'wscript.echo "End"
wscript.quit

Posted in Uncategorized

Checking out WordPress

At my work the marketing and web development teams have implemented WordPress and it looks great.

See today.ucf.edu

I thought I’d start playing with it. First stop: create my own free WordPress blog.

derekjbernard.wordpress.com. – check

Next stop: look closer?

Install a dev version on my laptop – mmm… maybe

We’ll see how this goes. I am thinking about using Bitnami to install WordPress on my MacBook Pro so I can play with it more. But I’ll mess with this blog for now. 🙂

Posted in Uncategorized