Saturday, December 28, 2019

UniFi Firewall Rules - Introduction

https://help.ubnt.com/hc/en-us/articles/115003173168-UniFi-USG-Firewall-Introduction-to-Firewall-Rules

Fedora: containers registries file

registries.conf is the configuration file which specifies which container registries should be consulted when completing image names which do not include a registry or domain portion.
/etc/containers/registries.conf

mounts.conf
/usr/share/containers/mounts.conf and optionally /etc/containers/mounts.conf

The mounts.conf files specify volume mount directories that are automatically mounted inside containers when executing the podman run or podman build commands.

Good resource: https://github.com/containers/libpod/blob/master/install.md

Adding a new machine as default gateway

1) Enable IP forwarding (server machine)
# echo 1 > /proc/sys/net/ipv4/ip_forward

To make the change permanent, insert or edit the following line in /etc/sysctl.conf:
net.ipv4.ip_forward = 1

2) Iptables initial settings (server machine)
# iptables -F
# iptables -t nat -F
# iptables -t mangle -F
# iptables -X

3) Forward/Masquerade (server machine)
# iptables -A POSTROUTING -s 192.168.1.0/24 -o tun+ -j MASQUERADE -t nat
# iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
# iptables -I FORWARD -d 192.168.1.0/24 -j ACCEPT

4) In the client machine, add the new default gateway
# ip route del default
# ip route add default via 192.168.1.66
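
A check that step 3 took effect on the server machine, as an added example that is not part of the original post: it reads `iptables-save` output and confirms the masquerade rule and both FORWARD rules for the subnet. The function names and the sample ruleset are constructed for illustration.

```shell
# Added example (not from the original post). Reads `iptables-save` output on
# stdin and checks for the three rules from step 3.
# On the gateway: iptables-save | check_gateway_rules 192.168.1.0/24 tun+

check_gateway_rules() {
    awk -v net="$1" -v oif="$2" '
        /^\*/  { table = substr($0, 2); next }   # table header: *nat, *filter
        /^-A / {
            src = dst = out = target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-d") dst = $(i + 1)
                if ($i == "-o") out = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (table == "nat" && $2 == "POSTROUTING" && target == "MASQUERADE" &&
                src == net && out == oif) masq = 1
            if (table == "filter" && $2 == "FORWARD" && target == "ACCEPT") {
                if (src == net && dst == "") from_lan = 1
                if (dst == net && src == "") to_lan = 1
            }
        }
        END {
            printf "nat POSTROUTING MASQUERADE -s %s -o %s: %s\n", net, oif, (masq ? "ok" : "missing")
            printf "filter FORWARD ACCEPT -s %s: %s\n", net, (from_lan ? "ok" : "missing")
            printf "filter FORWARD ACCEPT -d %s: %s\n", net, (to_lan ? "ok" : "missing")
            exit !(masq && from_lan && to_lan)   # non-zero if any rule is absent
        }'
}

# Constructed sample: what iptables-save prints after steps 2 and 3.
sample_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o tun+ -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
COMMIT
EOF
}

sample_ruleset | check_gateway_rules 192.168.1.0/24 tun+
```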

kubernetes: ingress - error when applying yml: apiVersion: extensions/v1beta1

Replace:
apiVersion: extensions/v1beta1

With:
apiVersion: networking.k8s.io/v1beta1

Example:
# helm install ./helmchart --name netdata -f netdata-chart-values.yaml
Error: validation failed: unable to recognize "": no matches for kind "Ingress" in version "policy/v1beta1"

Reference: https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/

Friday, December 20, 2019

Patch of the day: ingress.yaml: change the yaml to ref the new API

https://github.com/netdata/helmchart/pull/67

Kubernetes: Deprecated APIs Removed In 1.16

$ kubectl apply -f metallb.yaml
unable to recognize "metallb.yaml": no matches for kind "PodSecurityPolicy" in version "extensions/v1beta1"
unable to recognize "metallb.yaml": no matches for kind "DaemonSet" in version "apps/v1beta2"
unable to recognize "metallb.yaml": no matches for kind "Deployment" in version "apps/v1beta2"

Solution:
# diff -ruN 1.15/metallb.yaml metallb.yaml
--- 1.15/metallb.yaml 2019-12-13 20:50:14.210740259 -0500
+++ metallb.yaml 2019-12-17 11:00:40.524374144 -0500
@@ -5,7 +5,7 @@
labels:
app: metallb
---
-apiVersion: extensions/v1beta1
+apiVersion: policy/v1beta1

kind: PodSecurityPolicy
metadata:
namespace: metallb-system
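Review bot: on the changed apiVersion line, policy/v1beta1 is still a beta version, so the PodSecurityPolicy stays on an API that can be withdrawn in a later release just as extensions/v1beta1 was. Add a comment in the manifest recording the Kubernetes version this was validated against (1.16 per the post), and confirm after applying that the policy object was actually created, since the earlier run rejected it outright.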
@@ -148,7 +148,7 @@
kind: Role
name: config-watcher
---
-apiVersion: apps/v1beta2
+apiVersion: apps/v1

kind: DaemonSet
metadata:
namespace: metallb-system
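Review bot: the DaemonSet apiVersion line is edited by hand in a local copy of metallb.yaml while the untouched file sits under 1.15/, and nothing in the patched file records that it now differs from the original. Note the local change in a comment at the top of the manifest, or keep this diff as a patch file beside it, so the edit is not lost when the manifest is refreshed.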
@@ -210,7 +210,7 @@
"beta.kubernetes.io/os": linux
---
-apiVersion: apps/v1beta2
+apiVersion: apps/v1
kind: Deployment
metadata:
namespace: metallb-system
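Review bot: the context line "beta.kubernetes.io/os": linux directly above the changed Deployment apiVersion still selects on the beta node label. kubernetes.io/os is the stable label carrying the same value, so update that selector in the same pass instead of leaving another deprecated identifier in a file that is being moved off deprecated APIs.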

More info: https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/
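
To find every affected object before `kubectl apply` or `helm install` fails, the scan below covers both the Ingress fix and the metallb.yaml fix described above. It is an added example, not part of the original post; the function names and sample manifest are constructed, and the replacement table holds only the pairs this page lists.

```shell
# Added example (not from the original post). Reads a multi-document manifest
# on stdin; exit status is 1 if any listed pair is found.
# Usage: scan_removed_apis < metallb.yaml

scan_removed_apis() {
    awk '
        function report() {
            key = api " " kind
            if (key in repl) {
                printf "line %d: %s -> %s\n", line, key, repl[key]
                found = 1
            }
            api = kind = ""
        }
        BEGIN {
            # Pairs and replacements exactly as given on this page.
            repl["extensions/v1beta1 Ingress"]           = "networking.k8s.io/v1beta1"
            repl["extensions/v1beta1 PodSecurityPolicy"] = "policy/v1beta1"
            repl["apps/v1beta2 DaemonSet"]               = "apps/v1"
            repl["apps/v1beta2 Deployment"]              = "apps/v1"
        }
        /^---/         { report(); next }          # document separator
        # Only column-0 keys count, so a nested "kind: Role" in a roleRef is ignored.
        /^apiVersion:/ { api = $2; gsub(/"/, "", api); line = NR }
        /^kind:/       { kind = $2; gsub(/"/, "", kind) }
        END            { report(); exit found + 0 }
    '
}

# Constructed sample manifest (trimmed to the keys the scan reads).
sample_manifest() {
cat <<'EOF'
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
roleRef:
  kind: Role
---
apiVersion: apps/v1beta2
kind: DaemonSet
---
apiVersion: apps/v1
kind: Deployment
EOF
}

sample_manifest | scan_removed_apis || true
```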

Thursday, December 12, 2019

Kubernetes: Failed to list *v1.Pod: Unauthorized

During the deploy, I got:

# tail -f /var/log/messages
Dec 12 15:02:06 nuc02 kubelet: E1212 15:02:06.616219 14119 kubelet.go:2267] node "nuc02" not found
Dec 12 15:02:06 nuc02 kubelet: E1212 15:02:06.716516 14119 kubelet.go:2267] node "nuc02" not found
Dec 12 15:02:06 nuc02 kubelet: E1212 15:02:06.807940 14119 reflector.go:123] k8s.io/client-go/informers/factory.go:134: Failed to list *v1beta1.RuntimeClass: Unauthorized
Dec 12 15:02:06 nuc02 kubelet: E1212 15:02:06.816840 14119 kubelet.go:2267] node "nuc02" not found
Dec 12 15:02:06 nuc02 kubelet: E1212 15:02:06.917208 14119 kubelet.go:2267] node "nuc02" not found
Dec 12 15:02:07 nuc02 kubelet: E1212 15:02:07.008060 14119 reflector.go:123] k8s.io/client-go/informers/factory.go:134: Failed to list *v1beta1.CSIDriver: Unauthorized
Dec 12 15:02:07 nuc02 kubelet: E1212 15:02:07.017483 14119 kubelet.go:2267] node "nuc02" not found
Dec 12 15:02:07 nuc02 kubelet: E1212 15:02:07.117833 14119 kubelet.go:2267] node "nuc02" not found
Dec 12 15:02:07 nuc02 kubelet: E1212 15:02:07.207991 14119 reflector.go:123] k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:46: Failed to list *v1.Pod: Unauthorized
Dec 12 15:02:07 nuc02 kubelet: E1212 15:02:07.218048 14119 kubelet.go:2267] node "nuc02" not found
Dec 12 15:02:07 nuc02 kubelet: E1212 15:02:07.318227 14119 kubelet.go:2267] node "nuc02" not found
Dec 12 15:02:07 nuc02 kubelet: E1212 15:02:07.407474 14119 reflector.go:123] k8s.io/kubernetes/pkg/kubelet/kubelet.go:450: Failed to list *v1.Service: Unauthorized
Dec 12 15:02:07 nuc02 kubelet: E1212 15:02:07.418525 14119 kubelet.go:2267] node "nuc02" not found
Dec 12 15:02:07 nuc02 kubelet: E1212 15:02:07.518741 14119 kubelet.go:2267] node "nuc02" not found
Dec 12 15:02:07 nuc02 kubelet: E1212 15:02:07.609924 14119 reflector.go:123] k8s.io/kubernetes/pkg/kubelet/kubelet.go:459: Failed to list *v1.Node: Unauthorized
Dec 12 15:02:07 nuc02 kubelet: E1212 15:02:07.619005 14119 kubelet.go:2267] node "nuc02" not found
Dec 12 15:02:07 nuc02 kubelet: E1212 15:02:07.719284 14119 kubelet.go:2267] node "nuc02" not found

Workaround:
1) on node:
# rm -fr /var/lib/kubelet/pki/kubelet-client*

2) Restart the deploy

Related discussion: https://github.com/kubernetes/kubernetes/issues/69973
Kubespray from master github
Kubernetes: 1.16.x

Patch of the day: Kubespray - cri-o: redhat.yml - remove package cri-tools #5444

https://github.com/kubernetes-sigs/kubespray/pull/5444

Friday, December 6, 2019

keybase.io: Set a DNS TXT record in Google Domains

Go to your Google Domains account and select: DNS -> Custom resource records
- Set Name as @
- Set Type as TXT
- Leave TTL as 1H
- Set Text as (The-string-from-keybase-site-verification)
- Save and wait for the record to propagate across the DNS servers; keybase.io will automatically detect the new entry.

Fedora: Upgrade from 30 to 31

sudo dnf upgrade --refresh
sudo dnf install dnf-plugin-system-upgrade
sudo dnf system-upgrade download --releasever=31
sudo dnf system-upgrade reboot

https://fedoramagazine.org/upgrading-fedora-30-to-fedora-31/