Aug 26ldclt with ldapsldctl not support X509 format, need certutil to import. $ mkdir openldap-cert-db $ cd openldap-cert-db $ certutil -N -d . $ certutil -A -n openldap-ca -t "P,P,P" -i $HOME/ca.pem -d . Then enter cert password. Result: $ ls -l total 76 drwxr-xr-x 2 root root 4096 Aug 26 05:16 . drwx------ 1…Openldap1 min readOpenldap1 min read
Aug 14View kube-apiserver journal log without timestampFor some reasons, my kube cluster have put kube-apiserver log and kube-audit log into system journal log. I must make it more easy to read. on the fist version I used sed instead of “ — output cat” option. sed 's/.*\]: //'|grep -E ^{ | jq . This is the…Kubernetes2 min readKubernetes2 min read
Aug 8“Maximum Performance” setting for Lonovo ThinkSystemIf electric bills is not your concern, So you can go with Maximum Performance. ssh to your server IPMI ip and apply these setting: asu set OperatingModes.ChooseOperatingMode "Maximum Performance" asu set Processors.CPUPstateControl None asu set Power.PowerPerformanceBias "Platform Controlled" asu set Power.PlatformControlledType "Maximum Performance" Verify: asu show OperatingModes.ChooseOperatingMode Processors.CPUPstateControl Power.PowerPerformanceBias Power.PlatformControlledType OperatingModes.ChooseOperatingMode="Maximum Performance" Power.PlatformControlledType="Maximum Performance" Power.PowerPerformanceBias="Platform Controlled" Processors.CPUPstateControl=NoneIpmi1 min readIpmi1 min read
Jul 30Fix: Calico FELIX_IPTABLESBACKEND issue in Redhat Linux 8.xFrom official docs says: FELIX_IPTABLESBACKEND This parameter controls which variant of iptables binary Felix uses. Set this to Auto for auto detection of the backend. If a specific backend is needed then use NFT for hosts using a netfilter backend or Legacy for others. [Default: Auto] Legacy, NFT, Auto On…Calico1 min readCalico1 min read
Jul 23Hide timestamp from journalctl outputSometimes output have a long line and I need to hide some info. Before: $ sudo journalctl --no-pager -u coredns --since='10 min ago' -- Logs begin at Sun 2023-07-23 09:48:00 +07, end at Sun 2023-07-23 10:10:31 +07. -- Jul 23 10:00:31 master1 coredns[23679]: [INFO] 127.0.0.1 A master1.cluster.local. IN 39 - 0.000146552s Jul 23…Linux1 min readLinux1 min read
Jul 11Setting Kong ingress SSL Cipher suiteGot asked from a friend about this one, so I have to noted it here. Solution1 use suite template: - name: KONG_NGINX_HTTP_SSL_PROTOCOLS value: TLSv1.2 TLSv1.3 - name: KONG_SSL_CIPHER_SUITE value: modern There are 3 templates: modern - intermediate - old The default template depends on Kong version. …Kong2 min readKong2 min read
Jul 2Basic containerd — ctr commandctr may not replaced docker command soon ,but I like it. # ctr image pull docker.io/library/tomcat:8 # ctr run -d --runc-binary=/usr/local/bin/crun docker.io/library/tomcat:8 tomcat # ctr c ls CONTAINER IMAGE RUNTIME tomcat docker.io/library/tomcat:8 io.containerd.runc.v2 # ctr task exec -t --exec-id 1 tomcat /bin/bash root@tomcat:/usr/local/tomcat# ps -eaf UID PID PPID C STIME TTY TIME CMD root 1 0 1 08:03 ? 00:00:01 /opt/java/openjdk/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties... root 41 0 0 08:05 pts/0 00:00:00 /bin/bash root 44 41 0 08:05 pts/0 00:00:00 ps -eaf root@tomcat:/usr/local/tomcat# exit # ctr task kill tomcat # ctr c delete tomcat # ctr c ls CONTAINER IMAGE RUNTIME #Containerd1 min readContainerd1 min read
Jun 29containerd + crunI am a big fan of crun. now it’s time for containerd + crun Install containerd and crun binary file and this /etc/containerd/config.toml: version = 2 [plugins."io.containerd.runtime.v1.linux"] shim_debug = false [plugins."io.containerd.grpc.v1.cri".containerd] default_runtime_name = "crun" [plugins."io.containerd.grpc.v1.cri".containerd.runtimes] [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.crun] runtime_type = "io.containerd.runc.v2" [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.crun.options] BinaryName = "/usr/local/bin/crun" SystemdCgroup = true [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc] runtime_type = "io.containerd.runsc.v1" [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc.options] SystemdCgroup = true [plugins."io.containerd.grpc.v1.cri".registry.mirrors] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] endpoint = ["https:///mirror.blabla.com"] [plugins."io.containerd.grpc.v1.cri".registry.configs."https://mirror.blabla.com".tls] insecure_skip_verify = trueKubernetes1 min readKubernetes1 min read
Jun 18Kuma — Rate LimitWith this mesh service $ kubectl get svc -n kuma-demo echo NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE echo ClusterIP 10.96.201.208 <none> 80/TCP 106m $ kubectl get deployments.apps -n kuma-demo echo NAME READY UP-TO-DATE AVAILABLE AGE echo 1/1 1 1 112m And this Rate Limit policy apiVersion: kuma.io/v1alpha1 kind: RateLimit mesh: default metadata…Kuma2 min readKuma2 min read
Jun 10Deploy Alpine debug/utility podAlpine is the best choice for this job ,but need some more setting # debug.yaml apiVersion: apps/v1 kind: Deployment metadata: creationTimestamp: null labels: app: debug name: debug spec: replicas: 1 selector: matchLabels: app: debug strategy: {}…Kubernetes1 min readKubernetes1 min read
