Kops: Add Policies for Migrated Apps

When migrating old applications to a Kubernetes (k8s) cluster provisioned by kops, a lot of things might break, and one of them is the missing IAM policy on the node role.

By default, the nodes of a kops-provisioned cluster have the following permissions:

ec2:Describe*
ecr:GetAuthorizationToken
ecr:BatchCheckLayerAvailability
ecr:GetDownloadUrlForLayer
ecr:GetRepositoryPolicy
ecr:DescribeRepositories
ecr:ListImages
ecr:BatchGetImage
route53:ListHostedZones
route53:GetChange
// The following permissions are scoped to the AWS Route53 hosted zone used to bootstrap the cluster
// arn:aws:route53:::hostedzone/$hosted_zone_id
route53:ChangeResourceRecordSets, ListResourceRecordSets, GetHostedZone

Additional policies can be added to the nodes' role with:

kops edit cluster ${CLUSTER_NAME}

and then adding something like this to the cluster spec:

spec:
  additionalPolicies:
    node: |
      [
        {
          "Effect": "Allow",
          "Action": ["dynamodb:*"],
          "Resource": ["*"]
        },
        {
          "Effect": "Allow",
          "Action": ["es:*"],
          "Resource": ["*"]
        }
      ]

It takes effect after:

kops update cluster ${CLUSTER_NAME} --yes

The new policy can be reviewed in the AWS IAM console, on the role kops created for the nodes (nodes.${CLUSTER_NAME}). Keep in mind that anything granted to the node role is available to every pod scheduled on those nodes through the EC2 instance metadata endpoint, not just to the migrated app, so `dynamodb:*` and `es:*` on `Resource: *` as above is a shortcut to get things working: narrow Action and Resource to the tables and domains the app actually uses once it runs.
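As an added check before running `kops update cluster`, here is a small Python lint for the JSON document that goes under `additionalPolicies.node`. It is example code written for this page, not part of the post or of kops: it flags every Allow statement whose Action is service-wide (`svc:*` or `*`) or whose Resource is `*`. The broad sample is the policy shown above; the scoped sample is a constructed alternative, and its account ID, region, table name and domain name are placeholders.

```python
"""Lint the JSON that goes under spec.additionalPolicies.node in a kops cluster spec."""
import json

# Constructed sample: the broad policy from the post above.
BROAD_POLICY = """
[
  {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": ["*"]},
  {"Effect": "Allow", "Action": ["es:*"], "Resource": ["*"]}
]
"""

# Constructed sample: the same access scoped to one table and one Elasticsearch
# domain. Account ID, region, table and domain names are placeholders.
SCOPED_POLICY = """
[
  {"Effect": "Allow",
   "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
   "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/legacy-app"]},
  {"Effect": "Allow",
   "Action": ["es:ESHttpGet", "es:ESHttpPost"],
   "Resource": ["arn:aws:es:us-east-1:123456789012:domain/legacy-search/*"]}
]
"""


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy_json):
    """Return (statement index, field, value) for every Allow statement that uses a
    service-wide action ("svc:*" or "*") or the catch-all resource "*"."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json)):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((idx, "Resource", resource))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, wildcard_findings(policy) or "no wildcard grants")
```

To lint a real spec, paste the value of the `node: |` key into `BROAD_POLICY`'s place; anything the function reports is a grant every pod on the nodes inherits.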

Most lines were copied from here: https://github.com/kubernetes/kops/blob/master/docs/iam_roles.md

🙂

A Few Small Linux Tools

I have been very busy and have not written a blog post for a few months. Here are a few small tools I have found very handy lately; all of them, of course, are Linux related.

Mutt is a command-line mail client; I mainly use it to send mail from programs. Installing mutt is simple:

apt-get install mutt

That is all. Mutt's settings can live in the current user's home directory:

cat ~/.mutt/muttrc
# mutt's variable for the SMTP smarthost is smtp_url, not smtp
set smtp_url="smtp://my.server.com:25/"
set from="No reply <[email protected]>"

Note that this talks to the relay on port 25 in the clear. If the relay supports STARTTLS, add `set ssl_force_tls=yes` so mutt refuses to send unless the connection is encrypted.

The command to send a message is quite simple, which makes it easy to chain with other software:

echo "This is the message" | mutt -s "This is the subject" -c "[email protected]" -a /tmp/attachment.txt /tmp/att2.txt -- [email protected]

Httpie is a great helper for debugging HTTP by hand, and it is much, much simpler than curl. Can you remember all of curl's switches? I certainly cannot.

Pigz is a parallel version of gzip. I have not benchmarked it yet, but it should not be slower 🙂

Pendulum (a well-chosen name) is a Python date library, a humane version of the standard functions with syntax closer to English.

PS. Linux is 25 years old!


Distribute cron jobs to hours/minutes with Ansible

This is a handy trick to run a batch of cron jobs at different hour/minute combinations so they do not all start at once and put pressure on the server.

The key is to use `with_indexed_items` and Jinja2 math:

- name: ansible daily cronjob {{ item.1 }}
  cron: user=ansible name=ansible-daily-{{ item.1 }} hour={{ item.0 % 24 }} minute={{ (item.0 * 5) % 60 }} job="/usr/local/run.sh {{ item.1 }}"
  with_indexed_items:
    - job_foo
    - job_bar

So `job_foo` will run at hour 0, minute 0, `job_bar` at hour 1, minute 5, and so on. Note that the pattern repeats after 24 jobs: item 24 lands back on hour 0, minute 0 (24 % 24 = 0 and 120 % 60 = 0), so with more than 24 jobs in the list some of them will share a slot.
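To see where the arithmetic above puts each job, and where it starts to clash, here is a small Python reproduction of the Jinja2 expressions. It is example code added for this page, not from the post or from Ansible; `spread_schedule` is an alternative formula of my own that fills one hour's twelve 5-minute slots before moving to the next hour, which gives 288 distinct slots instead of 24.

```python
"""Reproduce hour={{ item.0 % 24 }} minute={{ (item.0 * 5) % 60 }} and check for clashes."""
from collections import Counter


def post_schedule(index):
    """The formula from the cron task above: (hour, minute) for the job at `index`."""
    return index % 24, (index * 5) % 60


def spread_schedule(index):
    """Alternative (added here, not from the post): use all 12 five-minute slots of an
    hour before moving on, so indices 0..287 all land on distinct (hour, minute)."""
    return (index // 12) % 24, (index % 12) * 5


def schedule(jobs, formula=post_schedule):
    """Map each job name to its (hour, minute), the way with_indexed_items enumerates."""
    return {job: formula(i) for i, job in enumerate(jobs)}


def collisions(jobs, formula=post_schedule):
    """Return the (hour, minute) slots that more than one job in `jobs` would share."""
    slots = Counter(formula(i) for i in range(len(jobs)))
    return sorted(slot for slot, n in slots.items() if n > 1)


if __name__ == "__main__":
    # Constructed job list: 25 names, one more than the post's formula can separate.
    jobs = [f"job_{i}" for i in range(25)]
    print(schedule(jobs[:2]))          # the post's job_foo / job_bar example
    print(collisions(jobs))            # post_schedule: index 24 shares (0, 0) with index 0
    print(collisions(jobs, spread_schedule))  # no clashes until 289 jobs
```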

🙂

Change Ganeti's Network Configuration

"Ganeti is a cluster virtual server management software tool built on top of existing virtualization technologies such as Xen or KVM and other open source software."

This is how I changed the secondary network configuration using Ganeti's command-line tools.

1, First, say I need to change the network from 10.0.0.0/24 to 10.1.0.0/16. I first remove all 10.0.0.0/24 NICs from all instances. The following command removes the last NIC from an instance, whichever network it is on, so check with `gnt-instance info <instance>` that the last NIC is the one on the old network before running it:

gnt-instance modify --net remove <instance>

2, After all 10.0.0.0/24 NICs have been removed from all instances, the network can be disconnected:

gnt-network disconnect <network>

3, Next, remove the network from the cluster:

gnt-network remove <network>

4, Re-add the network with the new CIDR:

gnt-network add --network=10.1.0.0/16 <network>

5, Re-connect the network to the cluster:

gnt-network connect <network> bridged <bridge>

6, Add a NIC on the new network to every instance, taking the IP from the network's pool:

gnt-instance modify --net add:network=<network>,ip=pool <instance>

7, The new NIC won't take effect until the instance is rebooted by Ganeti:

gnt-instance reboot <instance>

8, I'm not sure if there's a way to pick up the IP automatically; at least I can assign the IP manually by editing /etc/network/interfaces with the new IP.

9, Run `ifup` on the new interface to bring the NIC up. That's it! 🙂