Posts

https://www.sdxcentral.com/networking/virtualization/definitions/how-does-micro-segmentation-help-security-explanation/

give the wireless network higher priority than the wired

WIRELESS CONNECTION > "Internet Protocol Version 4 (TCP/IPv4) Properties" > Advanced TCP/IP Settings > Automatic metric: uncheck it. That enables a text box named "Interface metric". Fill in a number. It needs to be larger than 1 (reserved for loopback) and lower than the number (30) you choose for the wired network, since Windows prefers the interface with the lower metric.

WIRED CONNECTION > "Internet Protocol Version 4 (TCP/IPv4) Properties" > Advanced TCP/IP Settings > Automatic metric: again uncheck "Automatic metric", and fill in the number (30) in the "Interface metric" box.

The AppInfo startup type must be Automatic or Manual; otherwise msinstaller, services.msc, regedit and the like all fail with: The Service command cannot be started, either because it is disabled or because it has no enabled devices associated with it.

AppInfo (svchost.exe): Facilitates the running of interactive applications with additional administrative privileges. Users will be unable to launch applications with the additional administrative privileges they may require to perform desired user tasks. These tools include regedit. Although safe to disable, this is not recommended, since you need to boot into safe mode to enable it again.

I had been using PyCharm all along; today, when upgrading Code to 1.3.2, it suddenly prompted me to install the Python extension, so I decided to give it a try. It turned out the Python interpreter setting was broken: it was always set to the system interpreter, and the virtual environment's interpreter had no effect.

apt remove --purge python3.5
reboot

As a result the Ubuntu desktop would no longer start. Many applications such as Chrome and VirtualBox disappeared, which caused a lot of trouble.

Press Ctrl+Alt+F1 to switch to a virtual console and log in

apt install python3.5
apt install ubuntu-desktop

Reinstall Chrome and VirtualBox

cd /etc/apt/sources.list.d
sudo mv google-chrome.list.save google-chrome.list
apt update
apt install google-chrome-stable

Local streamlined development

Integrated development, testing and deployment

IDE

K8S POD Command Override

OCR docker Entrypoint vs k8s command:

  docker      k8s
  ENTRYPOINT  command
  CMD         args

k8s command and args override the default OCR Entrypoint and Cmd.

Dockerfile

FROM alpine:3.8
RUN apk add --no-cache curl ethtool && rm -rf /var/cache/apk/*
CMD ["--version"]
ENTRYPOINT ["curl"]

cmd-override-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: command-override
  labels:
    purpose: override-command
spec:
  containers:
  - name: command-override-container
    image: bigo/curl:v1
    command: ["curl"]
    args: ["--help"]
  restartPolicy: Never

docker run -it bigo/curl:v1
curl 7.

Node-level Logging

System component logs:

  Component                      Run in container (Y/N)  Systemd (W/WO)  Logger location
  kubelet and container runtime                          W/O             /var/log
  kubelet and container runtime                          W               journald
  scheduler                      Y                                       /var/log
  kube-proxy                     Y                                       /var/log

Pod logs:

/var/lib/kubelet/pods/<PodUID>/
/var/log/pods/<PodUID>/<container_name>

ls -l /var/log/pods/<PodUID>/<container_name>/
lrwxrwxrwx 1 root root 165 3月 30 06:52 0.log -> /var/lib/docker/containers/e74eafc4b3f0cfe2e4e0462c93101244414eb3048732f409c29cc54527b4a021/e74eafc4b3f0cfe2e4e0462c93101244414eb3048732f409c29cc54527b4a021-json.log

Cluster-level logging

Use a node-level logging agent that runs on every node.

git clone git@github.com:wubigo/kubernetes.git
git remote add upstream https://github.com/kubernetes/kubernetes.git
git fetch --all
git checkout tags/v1.13.3 -b v1.13.3 
git branch -av|grep 1.13
* fix-1.13                            4807084f79 Add/Update CHANGELOG-1.13.md for v1.13.2.
  remotes/origin/release-1.13         4807084f79 Add/Update CHANGELOG-1.13.md for v1.13.2.

Managing pods

func (kl *Kubelet) syncPod(o syncPodOptions) error {

Developing with the Tencent Cloud Go SDK

Download the development toolkit

go get -u github.com/tencentcloud/tencentcloud-sdk-go

Prepare CVMs for the cluster

Read the security credentials secretId and secretKey from the local development K8S cluster, then hand them to the SDK client

// K8SClient is the author's pseudocode wrapper for reading a Secret from the dev cluster
secretId, secretKey := K8SClient.Secrets("namespace=tencent").Get("cloud-pass")
// pass the variables, not the literal strings "secretId"/"secretKey"
credential := CloudCommon.NewCredential(secretId, secretKey)
// cvm.NewClient also takes a client profile; the default profile is used here
client, _ := cvm.NewClient(credential, regions.Beijing, profile.NewClientProfile())
request := cvm.NewAllocateHostsRequest()
// FromJsonString returns an error that should not be ignored
if err := request.FromJsonString(K8SClient.Configs("namespace=tencent").Get("K8S-TENCENT-PROD")); err != nil {
	return err
}
response, err := client.AllocateHosts(request)

Build the K8S cluster on the CVMs with Ansible

Ansible.Hosts().Get(response.ToJsonString())

Invoke Ansible to start deploying the K8S cluster on the CVMs

Preparation

Create the role and binding:

kubectl create clusterrolebinding "cluster-admin-faas" \
  --clusterrole=cluster-admin \
  --user="cluster-admin-faas"

Create separate namespaces for the FaaS core services and for functions:

kubectl apply -f https://raw.githubusercontent.com/openfaas/faas-netes/master/namespaces.yml

Create the credentials:

# generate a random password
PASSWORD=$(head -c 12 /dev/urandom | shasum| cut -d' ' -f1)
kubectl -n openfaas create secret generic basic-auth \
  --from-literal=basic-auth-user=admin \
  --from-literal=basic-auth-password="$PASSWORD"

Add openfaas to the local helm repositories:

helm repo add openfaas https://openfaas.github.io/faas-netes/
"openfaas" has been added to your repositories

Start the install:

helm repo update \
  && helm upgrade openfaas --install openfaas/openfaas \
  --namespace openfaas \
  --set basic_auth=true \
  --set functionNamespace=openfaas-fn

By default the openfaas console is reached through NodePorts.

Transcribed voice dataset

Mozilla crowdsources the largest dataset of human voices available for use, covering 18 different languages and adding up to almost 1,400 hours of recorded voice data from more than 42,000 contributors

https://blog.mozilla.org/blog/2019/02/28/sharing-our-common-voices-mozilla-releases-the-largest-to-date-public-domain-transcribed-voice-dataset/

Introduction

CNI is the K8S network plugin specification and is not compatible with docker's CNM. In the contest between K8S and docker, K8S making docker the default runtime did not win docker's support for K8S, so K8S decided to support the CNI specification. Many network vendors' products support both CNM and CNI.

In container network environments it is common to see that docker cannot see a K8S pod's IP network configuration, and docker containers sometimes cannot communicate with pods.

Compared with CNM, CNI is a lightweight specification. Network configuration is JSON based, and a network plugin supports create and delete commands. When a pod starts, the create command is sent.

When a pod starts, the runtime first allocates a network namespace, assigns that namespace to the container ID, and then passes the CNI configuration file to the CNI network driver. The network driver connects the container to its network and reports the allocated IP address back to the pod runtime as JSON. When the pod terminates, the delete command is sent.

Currently the CNI commands handle IPAM, L2 and L3; the pod runtime handles port mapping (L4).

K8S networking basics

CNI plugins

CNI implementations

CNI has many implementations; only the familiar ones are listed here, with links to their detailed documentation.

  • Flannel

  • Kube-router

  • OpenVSwitch

  • Calico

    Calico can be deployed in non-encapsulated (non-overlay) mode to meet the high-performance, highly scalable networking needs of data centers

    CNI-Calico

  • Weave Net

  • Bridge

    CNI bridge

Decided to give Hugo a shot after many years of being on Jekyll

version notes

Some of this only works on 1.13.

kubeadm version: &version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.3", GitCommit:"721bfa751924da8d1680787490c54b9179b1fed0", GitTreeState:"clean", BuildDate:"2019-02-16T15:29:34Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}

Starting with Kubernetes 1.12, the k8s.gcr.io/kube-${ARCH}, k8s.gcr.io/etcd and k8s.gcr.io/pause images don't require an -${ARCH} suffix.

get all Pending pods:

kubectl get pods --field-selector=status.phase=Pending

images list:

kubeadm config images list -v 4
I0217 07:28:13.305268   14495 interface.go:384] Looking for default routes with IPv4 addresses
I0217 07:28:13.307275   14495 interface.

track http redirection

http://wubigo.com/post -> http://wubigo.com/post/ -> https://wubigo.com/post/

curl -IL http://wubigo.com/post
HTTP/1.1 301 Moved Permanently
Location: https://wubigo.com/post
Via: 1.1 varnish
X-Cache: HIT
X-Cache-Hits: 1

HTTP/1.1 200 OK
Content-Length: 0

HTTP/1.1 301 Moved Permanently
Strict-Transport-Security: max-age=31556952
Location: http://wubigo.com/post/
Access-Control-Allow-Origin: *
X-Cache: HIT
X-Cache-Hits: 1

HTTP/1.1 301 Moved Permanently
Location: https://wubigo.com/post/
X-Cache: HIT
X-Cache-Hits: 1

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Cache-Control: max-age=600
X-Cache: HIT
X-Cache-Hits: 1

main goal: HTTP/2's multiplexed connections, allowing multiple streams of data to reach all the endpoints independently.

Microservice security essentials

  • Encrypted communication links
  • Flexible service access control, including fine-grained access policies
  • Access log auditing
  • Replaceability (batteries included) and integrability of service providers

Basic concepts

  • Security identity

In K8S a security identity (service account) represents a user, a service, or a group of services.

  • Secure naming

Secure naming defines which security identities are allowed to run a service

Microservice authentication

  • Transport-layer authentication
  • End-user authentication

Every end-user request is validated through a JWT (JSON Web Token); Auth0 and Firebase are supported.

https://medium.facilelogin.com/securing-microservices-with-oauth-2-0-jwt-and-xacml-d03770a9a838

Normally, ${SNAP_DATA} points to /var/snap/microk8s/current. snap.microk8s.daemon-docker is the docker daemon, started with the arguments in ${SNAP_DATA}/args/dockerd

$ snap start microk8s
$ microk8s.docker pull registry.cn-beijing.aliyuncs.com/google_containers/pause:3.1
# the tag source must be the image that was actually pulled
$ microk8s.docker tag registry.cn-beijing.aliyuncs.com/google_containers/pause:3.1 k8s.gcr.io/pause:3.1

for a resource under the kube-system namespace (all-namespaces doesn't include kube-system):

$ microk8s.kubectl describe po calico-node-4sq5r --namespace=kube-system

https://events.static.linuxfound.org/sites/events/files/slides/2016%20-%20Linux%20Networking%20explained_0.pdf

generate configuration file

$ jupyter notebook --generate-config
Writing default config to: /home/bigo/.jupyter/jupyter_notebook_config.py

$ diff jupyter_notebook_config.py jupyter_notebook_config.py.bak
c.NotebookApp.allow_remote_access = True
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.open_browser = False

Binding to 0.0.0.0 with allow_remote_access exposes the notebook server on every interface of the host, so the password step below is not optional.

set or reset password

$ jupyter notebook password
Enter password:
Verify password:
[NotebookPasswordApp] Wrote hashed password to /home/bigo/.jupyter/jupyter_notebook_config.json

then restart the notebook server

Sharing notebooks

When people talk of sharing their notebooks, there are generally two paradigms they may be considering. Most often, individuals share the end result of their work, which means sharing non-interactive, pre-rendered versions of their notebooks; however, it is also possible to collaborate on notebooks with the aid of version control systems such as Git

The Container Network Interface (CNI) is a library definition, and a set of tools under the umbrella of the Cloud Native Computing Foundation project. For more information visit their GitHub project. Kubernetes uses CNI as an interface between network providers and Kubernetes networking.

Why Use CNI

Kubernetes' default networking provider, kubenet, is a simple network plugin that works with various cloud providers. Kubenet is a very basic network provider, and basic is good, but it does not have very many features.

Note: Starting with TensorFlow 1.6, binaries use AVX instructions which may not run on older CPUs. You have to build 1.6 or higher from source to run on an older CPU.

Bazel 0.19.0 doesn't read tools/bazel.rc anymore:

WARNING: The following rc files are no longer being read, please transfer their contents or import their path into one of the standard rc files:
tensorflow-1.12.0/tools/bazel.rc

$ bazel build --config=opt //tensorflow/tools/pip_package:build_pip_package --cxxopt="-D_GLIBCXX_USE_CXX11_ABI=0" --sandbox_debug > build.