AWS – S3 Bucket Read-only

Create an S3 bucket, keep it non-public and leave the default access settings unchanged. Note the ARN of the newly created bucket right away.

Create an IAM user; on the "Permissions" tab, choose "Attach existing policies directly" and attach "AmazonS3ReadOnlyAccess". Note the ARN of the created user.

Return to the settings of the bucket created earlier, open "Permissions" and create a "Bucket Policy" with the following contents:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/artem-mys3bucket"
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::artem-mys3bucket",
                "arn:aws:s3:::artem-mys3bucket/*"
            ]
        }
    ]
}

Do not forget to replace the ARNs with your own. Note that "s3:ListBucket" (covered by "s3:List*") is evaluated against the bucket ARN itself, not against objects, so the Resource must name both the bucket and its objects ("/*"); with only "/*" the principal can fetch objects but cannot list them.
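Before attaching a bucket policy like the one above it is worth checking it against the stated intent: a named principal, read-only actions, and resources limited to this one bucket with ListBucket scoped to the bucket ARN. The following checker is an added example written for this page, not code from the original post or from AWS; the two policies embedded in it are constructed samples (the account id placeholder XXXXXXXXXXXX is not a real value), and it runs offline on the policy document alone.

```python
import json

# Constructed sample: a read-only bucket policy shaped like the one in the post.
# XXXXXXXXXXXX stands in for the account id and is not a real value.
READ_ONLY_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/artem-mys3bucket"},
            "Action": ["s3:Get*", "s3:List*"],
            "Resource": [
                "arn:aws:s3:::artem-mys3bucket",
                "arn:aws:s3:::artem-mys3bucket/*"
            ]
        }
    ]
}
"""

# Constructed counter-example: anonymous principal, a write action, List* on objects only.
OVERLY_BROAD_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:Get*", "s3:List*", "s3:PutObject"],
            "Resource": "arn:aws:s3:::artem-mys3bucket/*"
        }
    ]
}
"""

# Action prefixes that modify data or configuration, i.e. are not read-only.
WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:Create", "s3:Abort", "s3:Restore", "s3:Replicate")


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _bucket_of(arn):
    """Return the bucket name from an S3 ARN ('' for '*' or anything malformed)."""
    if ":::" not in arn:
        return ""
    return arn.split(":::", 1)[1].split("/", 1)[0]


def _is_anonymous(principal):
    """True when the statement applies to everyone rather than to named identities."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def lint_read_only_policy(policy_json, bucket):
    """Return findings for each Allow statement that exceeds read-only access to `bucket`.

    An empty list means: named principals only, read-only S3 actions, resources
    limited to this bucket, and List* scoped to the bucket ARN itself.
    """
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if _is_anonymous(st.get("Principal")):
            findings.append(f"statement {i}: anonymous principal")
        actions = _as_list(st.get("Action"))
        for action in actions:
            if action in ("*", "s3:*") or action.startswith(WRITE_PREFIXES):
                findings.append(f"statement {i}: non-read-only action {action}")
        resources = _as_list(st.get("Resource"))
        for res in resources:
            if res == "*" or _bucket_of(res) != bucket:
                findings.append(f"statement {i}: resource outside {bucket}: {res}")
        # s3:ListBucket is evaluated against the bucket ARN, not against objects.
        if any(a in ("s3:List*", "s3:ListBucket") for a in actions) and bucket_arn not in resources:
            findings.append(f"statement {i}: List* granted but {bucket_arn} is not in Resource")
    return findings


if __name__ == "__main__":
    for label, policy in (("read-only", READ_ONLY_POLICY), ("overly broad", OVERLY_BROAD_POLICY)):
        print(label, lint_read_only_policy(policy, "artem-mys3bucket") or "OK")
```

The checker is deliberately strict: it treats any Allow statement with an anonymous principal or a non-read action as a finding, regardless of conditions, because a bucket meant to be private should not need either.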

Terraform – AWS Cross Region Peering

An example Terraform configuration that creates two VPCs in different regions (EU and US) and creates connectivity between them.

variables.tf

//////////////// FIRST VPC /////////////////

variable "VPC_1_REGION" {
  default = "us-east-1"
}

variable "VPC_1_NAME" {
  default = "artem-terraform-US"
}

variable "VPC_1_KEY_INSTANCE" { 
  default = "artem.gatchenko"
}

variable "VPC_1_SUBNET" { 
  default = "192.168.1.0/24"
}

//////////////// SECOND VPC /////////////////

variable "VPC_2_REGION" {
  default = "eu-west-2"
}

variable "VPC_2_NAME" {
  default = "artem-terraform-EU"
}

variable "VPC_2_KEY_INSTANCE" { 
  default = "artem.gatchenko"
}

variable "VPC_2_SUBNET" { 
  default = "192.168.2.0/24"
}

///////////////// OTHER //////////////////////

variable "INSTANCE_TYPE" {
  default = "t2.micro"
}

variable "AMI" {
  type = "map"
  // one AMI id per region; map keys must be unique
  default = {
    eu-west-1 = "ami-f90a4880"
    eu-west-2 = "ami-f976839e"
    eu-west-3 = "ami-0e55e373"
    us-east-1 = "ami-0ff8a91507f77f867"
    us-west-1 = "ami-0bdb828fd58c52235"
    ap-northeast-1 = "ami-06cd52961ce9f0d85"
    ap-southeast-1 = "ami-08569b978cc4dfa10"
  }
}


Kubernetes – Ingress Nginx: Replicas and Nodeselector

Replicas

Let's look at the name and namespace of the Ingress controller deployment:

kubectl get deployments.apps --all-namespaces

Edit the Ingress controller deployment:

kubectl edit deployments.apps nginx-ingress-controller -n ingress-nginx

Find the line:

replicas: 1

Set 2 replicas:

replicas: 2

Save the changes and watch the number of Ingress pods.


nodeSelector

Here we pin the Ingress controller explicitly to chosen nodes. First, look at the current node labels:

kubectl get nodes --show-labels

Set the label:

kubectl label node NODE_NAME node-role.kubernetes.io/ingress=true

Edit the Ingress controller deployment again:

kubectl edit deployments.apps nginx-ingress-controller -n ingress-nginx

We are interested in the Deployment's pod template, namely the "spec" block that holds "containers". Add our "nodeSelector" block at the same level as "containers":

    spec:
      nodeSelector:
        node-role.kubernetes.io/ingress: "true"
      containers:
        # the existing container list stays unchanged
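Raising "replicas" and adding a "nodeSelector" interact: the selector restricts scheduling to the labelled nodes, and if fewer nodes carry the label than there are replicas, some replicas necessarily land on the same node, which defeats the purpose of the second replica. The following check is an added example written for this page (not part of the original post or of the ingress-nginx project); it works on dicts shaped like the JSON that "kubectl get deployment -o json" and "kubectl get nodes -o json" return, and the deployment and node objects embedded in it are constructed samples reduced to the fields the check needs.

```python
# Constructed samples shaped like the JSON that `kubectl get ... -o json` returns
# (only the fields the check needs; container images are left out).
INGRESS_DEPLOYMENT = {
    "metadata": {"name": "nginx-ingress-controller", "namespace": "ingress-nginx"},
    "spec": {
        "replicas": 2,
        "template": {
            "spec": {
                "nodeSelector": {"node-role.kubernetes.io/ingress": "true"},
                "containers": [{"name": "nginx-ingress-controller"}],
            }
        },
    },
}

NODES = [
    {"metadata": {"name": "node-1", "labels": {"node-role.kubernetes.io/ingress": "true"}}},
    {"metadata": {"name": "node-2", "labels": {}}},
    {"metadata": {"name": "node-3", "labels": {"node-role.kubernetes.io/ingress": "true"}}},
]


def eligible_nodes(deployment, nodes):
    """Names of nodes whose labels satisfy every key/value pair of the pod template's nodeSelector."""
    selector = deployment["spec"]["template"]["spec"].get("nodeSelector", {})
    return [
        node["metadata"]["name"]
        for node in nodes
        if all(node["metadata"].get("labels", {}).get(k) == v for k, v in selector.items())
    ]


def check_ingress_placement(deployment, nodes):
    """Return availability findings for the controller given its replicas and nodeSelector."""
    replicas = deployment["spec"].get("replicas", 1)
    eligible = eligible_nodes(deployment, nodes)
    findings = []
    if replicas < 2:
        findings.append("single replica: the ingress controller is a single point of failure")
    if not eligible:
        findings.append("nodeSelector matches no node: controller pods will stay Pending")
    elif len(eligible) < replicas:
        findings.append(f"{replicas} replicas but only {len(eligible)} eligible node(s): replicas can share a node")
    return findings


if __name__ == "__main__":
    print("eligible:", eligible_nodes(INGRESS_DEPLOYMENT, NODES))
    print("findings:", check_ingress_placement(INGRESS_DEPLOYMENT, NODES) or "OK")
```

Even with enough labelled nodes, spreading replicas across them is only a scheduler preference; a pod anti-affinity rule on the hostname label is what makes it a guarantee.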

Terraform – Kubernetes cluster on AWS EC2

An example Terraform configuration that creates a Kubernetes cluster (bare metal, i.e. self-managed rather than a hosted service) on AWS EC2, exposes the Ingress via NodePort and assigns IP addresses to the Ingress nodes.

This template creates the following EC2 instances:

  • 1 manager
  • 2 workers
  • 2 ingresses

variables.tf

variable "REGION" {
  default = "us-east-1"
}

variable "PROJECT_NAME" {
  default = "artem_k8s"
}

variable "SSH_USER" { 
  default = "ubuntu"
}

variable "SSH_KEY_NAME" { 
  default = "artem.gatchenko"
}

variable "SSH_KEY_PATH" { 
  default = "/home/artem/.ssh/id_rsa"
}

variable "VPC_SUBNET" { 
  default = "192.168.1.0/24"
}

variable "INSTANCE_TYPE" {
  default = "t2.micro"
}

variable "WORKER_NUMBER" {
  default = "2"
}


QEMU/KVM – MacOS Mojave installation

1. Convert to ISO image

First we need the MacOS Mojave image.

The official image can only be downloaded on a Mac.

Follow the link: support.apple.com/macos/mojave

You will be redirected to iTunes; accept the license agreement, clear all the checkboxes about updates, and choose to download the image.

After the download completes, the image has to be converted to ISO. For this, clone the repository:

git clone https://github.com/kholia/OSX-KVM.git

And run the script:

./mojave/create_iso_mojave.sh

When it finishes, the converted ISO image appears on the desktop.


FIX ERROR – virsh: operation failed: unable to find any master var store for loader

When you try to start an EFI virtual machine with virsh, the following message appears:

virsh start macos-manual
error: Failed to start domain macos-manual
error: operation failed: unable to find any master var store for loader: /var/lib/libvirt/qemu/nvram/OVMF_CODE.fd

Solution:

Install the "ovmf" package:

apt install ovmf

Edit the QEMU configuration file:

vim /etc/libvirt/qemu.conf

Add the following line:

nvram = [
    "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd"
]

Restart libvirt:

systemctl restart libvirt-bin

Nginx – SSL A+

To strengthen the TLS configuration, use a Diffie-Hellman parameter file of at least 4096 bits.

Generate it with:

openssl dhparam -out /etc/nginx/ssl-dhparams.pem 4096

Add the following to the Nginx configuration:

    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:TLS:2m;
    ssl_session_timeout 2m;
    ssl_buffer_size 4k;
    ssl_dhparam /etc/nginx/ssl-dhparams.pem;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';

You can check the result with ssllabs.com.
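An external scan tells you the grade after deployment; the same properties can be checked from the configuration text before a reload. The following auditor is an added example written for this page, not code from the original post or from the Nginx project: it parses a flat snippet of ssl_* and add_header directives and reports legacy protocols, a missing ssl_dhparam, ssl_prefer_server_ciphers not being on, and an HSTS max-age below the one-year value the post uses. The hardened snippet is the one from the post; the weak snippet beside it is constructed for contrast.

```python
import shlex

# The hardened directives from the post, used here as sample input.
HARDENED_CONFIG = """
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:TLS:2m;
    ssl_session_timeout 2m;
    ssl_buffer_size 4k;
    ssl_dhparam /etc/nginx/ssl-dhparams.pem;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
"""

# Constructed weak counterpart: legacy protocols, no DH parameters, short HSTS.
WEAK_CONFIG = """
    ssl_prefer_server_ciphers off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    add_header Strict-Transport-Security "max-age=300";
"""

SAFE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
MIN_HSTS_MAX_AGE = 31536000  # one year, the value used in the post


def parse_directives(config_text):
    """Parse a flat nginx snippet (one directive per line, no nested blocks) into (name, args) pairs."""
    directives = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours quotes, so the ';' inside the HSTS value survives
        if tokens and tokens[-1].endswith(";"):
            tokens[-1] = tokens[-1][:-1]  # drop the directive terminator
            if tokens[-1] == "":
                tokens.pop()
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def hsts_max_age(header_value):
    """Extract max-age from an HSTS header value; None if absent or malformed."""
    for part in header_value.split(";"):
        key, _, value = part.strip().partition("=")
        if key.lower() == "max-age" and value.isdigit():
            return int(value)
    return None


def audit_tls_config(config_text):
    """Return a list of findings; an empty list means the snippet meets the post's settings."""
    by_name = {}
    for name, args in parse_directives(config_text):
        by_name.setdefault(name, []).append(args)  # last occurrence wins, as in nginx
    findings = []

    protocols = by_name.get("ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols not set; the nginx default may still offer TLSv1/TLSv1.1")
    else:
        legacy = [p for p in protocols[-1] if p not in SAFE_PROTOCOLS]
        if legacy:
            findings.append("legacy protocols enabled: " + " ".join(legacy))

    if "ssl_dhparam" not in by_name:
        findings.append("ssl_dhparam missing; no operator-chosen DH group for DHE ciphers")

    if by_name.get("ssl_prefer_server_ciphers", [["off"]])[-1] != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")

    hsts = [a for a in by_name.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("Strict-Transport-Security header not set")
    else:
        value = hsts[-1][1] if len(hsts[-1]) > 1 else ""
        age = hsts_max_age(value)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age below {MIN_HSTS_MAX_AGE}: {value!r}")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_tls_config(HARDENED_CONFIG) or "OK")
    print("weak:    ", audit_tls_config(WEAK_CONFIG))
```

The parser only handles the flat directive list shown in the post; for a full nginx.conf with nested server blocks, feed it the contents of the relevant block.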

FIX ERROR – xcode-select: error: tool 'agvtool' requires Xcode

A Fastlane build on macOS failed with the following error:

xcode-select: error: tool 'agvtool' requires Xcode, but active developer directory '/Library/Developer/CommandLineTools' is a command line tools instance

Solution:

Make sure that Xcode is installed, and then run the following command:

sudo xcode-select -s /Applications/Xcode.app/Contents/Developer