Updates from penguin

  • penguin 21:28 on 2020-01-25
    Tags: check_mk

    Check MK container/k8s deployment 

    In the company everybody seems to love Check MK. Me? Not so much, but a better alternative costs time and effort, both resources we don’t really have right now. Yet there’s a positive thing about it – because there’s an official docker container. Since I already coded a helm chart for stateful single container software (which I personally find super useful), I just wrote a Check MK YAML and installed it on my K8S cluster.

    And then nothing worked. Turns out, Apache – which is used in that very strange “Open Monitoring Distribution” which Check MK seems to have been at one point – has a slightly sub-optimal configuration for running in a container behind a load balancer using cert-manager.

    In short, you connect to the load balancer using “cmk.my.domain”, and it redirects you to the container port, which to itself is “https://cmk.my.domain:5000/” and just wrong. Which brings me to the question if anybody has ever tried to run the Check MK container in a k8s cluster or behind a load balancer, which brings me to the question that I’d rather use software which actively embraces that, which brings me to the question WHICH ONE?!? which brings us back to “no resources, no time”.

    So, bad luck, Check MK it is. But what about the bug? Reporting it you get an email “DONT CALL US – WE CALL YOU (and we probably won’t)“, with a ticket ID but no link. So probably no help here. So I “forked” the container, fooled around with it, and found a solution. The “fixed” container is now available on docker hub (sources on GitHub) and running nicely in our internal cluster. Let’s see which hidden bugs I have introduced 😉 . The stasico-Helm-YAML file I used to deploy Check MK in K8S is also available.

    TL;DR
     
  • penguin 00:28 on 2020-01-11

    cert-manager too old … 

    Today cert-manager stopped issuing certificates, and all requests said “insecure website”. Uncool, since this affected our Confluence and our sign-in mechanism. So let’s find out what was happening, right? Turns out cert-manager considered itself “too old” (“your ACME client is too old”, literally) and wanted to be updated.

    So far, so good. Just perform helm upgrade cert-manager cert-manager, right?

    Wrong.

    • First, I had to upgrade to helm3. All right, I could have used helm2, but helm3 was already on here, and it seemed easy. That went (fairly) easy.
    • Then I wanted to upgrade cert-manager. Turns out for that I actually had to upgrade the running k8s version 1.12.x to 1.13.x … otherwise I’d get errors from the helm chart. That just took ages cause AKS is a bit slow.
    • Finally done I wanted to upgrade cert-manager. Until I realized a lot of stateful pods were stuck in “initialization”. Turns out that AKS had issues moving the volumes around, I still don’t know why. (Did I mention I just don’t like pretty much anything about Azure? It’s just so incredibly cumbersome to use, and nothing is where you expect it). So I had to manually mount the volumes on the host the Pod was currently on and have an open TODO now, which just sucks.
    • Finally done I wanted to upgrade cert-manager. The upgrade went just peachy, until I realized that … nothing happened. Turns out they changed pretty much all API versions and annotation keys. So I had to rewrite / upgrade all ingress annotations, update the ClusterIssuer resources and delete the now obsolete former K8S CRDs.

    And just like that I had my certificates back. Wasn’t that easy? 😀
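
    Nothing happens after such an upgrade while Ingress annotations and issuer resources still reference the old `certmanager.k8s.io` API group, which cert-manager replaced with `cert-manager.io` in v0.11. An added example (not from the original post) that lists those leftovers from `kubectl get ... -o json` output; the sample objects, namespaces and issuer name are constructed:

```python
import json

OLD_GROUP = "certmanager.k8s.io"  # API group and annotation prefix before v0.11
# Old annotation keys with a direct replacement under the new group.
RENAMED = {
    OLD_GROUP + "/cluster-issuer": "cert-manager.io/cluster-issuer",
    OLD_GROUP + "/issuer": "cert-manager.io/issuer",
}

# Constructed sample in the shape of `kubectl get ... -o json` (a List of items).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
   "metadata": {"namespace": "wiki", "name": "confluence", "annotations": {
     "kubernetes.io/ingress.class": "nginx",
     "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod"}}},
  {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
   "metadata": {"namespace": "auth", "name": "sso", "annotations": {
     "cert-manager.io/cluster-issuer": "letsencrypt-prod"}}},
  {"apiVersion": "certmanager.k8s.io/v1alpha1", "kind": "ClusterIssuer",
   "metadata": {"name": "letsencrypt-prod"}}
]}
""")


def stale_references(doc):
    """Return (kind, name, what, hint) tuples for everything still on the old group."""
    findings = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        name = "/".join(p for p in (meta.get("namespace"), meta.get("name")) if p)
        kind = item.get("kind", "?")
        api_version = item.get("apiVersion", "")
        # Resources created under the old group (ClusterIssuer, Certificate, ...)
        if api_version.split("/")[0] == OLD_GROUP:
            findings.append((kind, name, "apiVersion " + api_version,
                             "recreate under the cert-manager.io group"))
        # Annotations with the old prefix are no longer acted on by the new release.
        for key in sorted(meta.get("annotations") or {}):
            if key.split("/")[0] == OLD_GROUP:
                hint = RENAMED.get(key, "no direct rename known, check the upgrade notes")
                findings.append((kind, name, "annotation " + key, hint))
    return findings


if __name__ == "__main__":
    for kind, name, what, hint in stale_references(SAMPLE):
        print(f"{kind:14} {name:18} {what}  ->  {hint}")
```

    Running this against the live cluster output before and after the upgrade shows which services will stop getting renewed certificates.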

     

     
  • penguin 10:12 on 2019-08-25
    Tags: boot, uefi

    Win10 & Veracrypt & systemd-boot 

    There are some things seemingly nobody does. For example, …

    • double-booting Win10 and Linux
    • on a UEFI system
    • while the Win10 Partition is encrypted using VeraCrypt.

    Yes, it’s a complex scenario, but since MS in all of its (money-grabbing) wisdom does not include BitLocker in Win10 Home, this is a necessary precaution. I’ll not go over the installation of both systems (pretty straightforward, and Arch Linux has – as always – a nice Wiki entry about it).

    Unfortunately, Win10 likes to break its own boot manager on updates, which is very scary (“Your Windows partition is damaged”), and super annoying, but I think I got the solution now.

    So, the Linux-based (of course) solution for Windows 10 and VeraCrypt is:

    # esp partition - /loader/entries/winvera.conf
    title Windows 10 VeraCrypt
    efi /EFI/VeraCrypt/DcsBoot.efi

    This is in fact all you need to do. Now, if Windows fucks up its own boot loader, it seems systemd-boot just ignores everything, loads the correct VeraCrypt bootloader (as it is supposed to be), and all is well.

    It can happen though that Windows places its own boot manager back in front of systemd-boot again, so it’s used as the default one. Then use one of the methods described here, and you should be fine. (This did not happen to me, it always used the correct boot manager but fucked up Windows boot)

     
  • penguin 09:48 on 2019-04-19

    Windows after 13 years – and nothing changed 

    I have a Windows PC again, after about 13 years of abstinence and never looking back. (Why? Gaming. Once in 13 years is OK I guess).

    And nothing changed.

    Step 1: Uninstalling crap

    Uninstall those things from the Windows menu: Candy Crush, Cooking Fever, and three others I forgot to document. It’s a pristine ISO install, nothing from a vendor – I bought components myself, and I assembled myself. So this is Windows and Windows alone that’s to blame.

    And don’t forget all the crap which is in the Windows menu tiles – XBox & co, I mean you. (Removed about 7 super useless things here alone).

    Step 2: change mouse wheel direction

    Step 2: Change mouse wheel direction (sorry, Mac spoiled me). I can configure anything and everything in Windows – not that. Google helps, and I have to – of course – navigate the registry to find keys that look like this:

    HKLM\SYSTEM\CurrentControlSet\Enum\HID\...
    ... VID_046D&PID_C53D&MI_01&COL01\9&12BDBF6B&0&0000\...
    ... DeviceParameters\FlipFlopWheel

    (Set this to 1, and get the “VID_0…” whatever string from the “Advanced Settings” of the mouse properties dialogue.) Brainfuck.

    Step 3: Disable cortana

    Oh yeah, disabling Cortana is almost easy (set this to 0):

    HKLM\SOFTWARE\Policies\Microsoft\Windows\...
    ... Windows Search\AllowCortana

    Step 4: Remove contacts icon from taskbar

    Removing the stupid “Contacts” icon on the task bar is super simple in contrast: Right-click, and uncheck “Show contacts”. Yay!

    Step 5: Re-login / Reboot

    Where the fuck can I log out?!

    Oh right, click the start menu, immediately see the unobtrusive grey junk icon which is supposed to be me in the leftmost area on top of all the other nondescript icons, click it, and see the menu pop up which offers to “log out”. How could I miss this.

    Summary

    Well, this is not all. This is just what I did today, after already tuning the system a while ago. In contrast Mac: Unpack, open (Laptops only here), start working. No candy crush removal necessary.

     
    • Nikolai 10:11 on 2019-04-19

      One word: SteamPlay 🙂

  • penguin 09:56 on 2018-12-05
    Tags: o365

    Powershell, O365 & Teams PSTN calling 

    Unfortunately you need a Windows system to administer Office 365 with PowerShell. It’s only API calls, but it’s not (yet, hopefully) migrated to .NET Core. So Mac & Linux users are out of luck, although .NET Core should be more than capable to do this.

    Anyhow.

    If you want to administer Teams with PowerShell, you … are in trouble. It’s barely documented, and it sucks. Those are the steps to be done:

    > $sess = New-CsOnlineSession ... 
    > Import-Module SkypeOnlineConnector ... 
    > Import-PSSession $sess

    … and this should be it. Now all the PowerShell commands for Teams (in my case: Grant-CsTeamsUpgradePolicy) should be available.

     
  • penguin 11:06 on 2018-10-17

    Misc Django I – forms 

    Custom form errors

    If you want to validate something in the view, and return with a custom error message in the same form, you can use the “Form.add_error(fieldname, errorstring)” method. And then, of course, return to the previous template.

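    from django.shortcuts import render
    from django.views import View

    class MyView(View):
        def post(self, request):
            form = UserForm(request.POST)  # bind the submitted data
            if form.is_valid():  # cleaned_data only exists after validation
                data = form.cleaned_data
                # Employee is a placeholder model; use your own lookup here
                res = Employee.objects.filter(login=data['login'])
                if len(res) > 0:
                    form.add_error('login', "Diese Personalnummer existiert bereits!")
            return render(request, 'my_template.html', {'form': form})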

    Dynamic choice fields in forms

    You want a form which fills its choice field from the database? And if the database changes, if you reload the page, the form should change as well? Of course! Django got you covered.

    from django import forms

    class UserForm(forms.Form):
        def __init__(self, *args, **kwargs):
            super(UserForm, self).__init__(*args, **kwargs)
            # Site is the project's own model; the field is built per form instance.
            self.fields['site'] = forms.ModelChoiceField(
                label="Site",
                queryset=Site.objects.all().order_by('name'),
            )
            # 'site' was just added last; move the fields that should follow it behind it.
            for field in ('department', 'office', 'phone'):
                self.fields.move_to_end(field)

        login = forms.CharField(label="Login")
        email = forms.EmailField(label="Email")
        site = None # this is set in __init__() :)
        department = forms.CharField(label="Department")
        office = forms.CharField(label="Office")
        phone = forms.CharField(label="Phone")

    … now, why the “for field in (‘department’ …)” line you ask?

    Simple. The fields dict is an OrderedDict. If you replace a field it is appended to the end again. So in the form the “Site” input box would be displayed last, although it makes more sense to display it where it is in the original definition.

    Using “.move_to_end()” you can re-adjust this. If someone knows a better method … feel free to tell me.

    (Sources: here)

     
  • penguin 16:34 on 2018-10-16

    Django, psql & “permission denied” on migrate 

    I got this error:

    psycopg2.ProgrammingError: permission denied for relation django_migrations

    … when I wanted to do a “python manage.py migrate”. This post had the solution. In short: You have to change the owner of the tables to the one specified in the Django configuration.

    This is how my script looks:

    #!/usr/bin/env bash
    echo "ALTER TABLE public.django_admin_log OWNER TO <new_owner>;" | psql -U <current_owner> <database>
    # ...

     

     
  • penguin 18:59 on 2018-09-26

    Firefox close tab buttons on mouse hover 

    I used to have Firefox’s TabMix Plus addon installed. And the feature I missed most – surprisingly – is to have the “close tab” buttons appear on a tab when you hover the mouse over it.

    Googling a little bit told me how to bring it back:

    .tabbrowser-tab:not([selected]):not([pinned]) .tab-close-button {
        visibility: hidden !important;
        margin-left: -16px !important;
    }
    .tabbrowser-tab:not([selected]):not([pinned]):hover .tab-close-button {
        visibility: visible !important; 
        margin-left: 0px    !important; 
        display: -moz-box   !important;
    }
     
  • penguin 12:18 on 2018-08-26
    Tags: postgres

    Databases with dokku 

    This is part 2 of a couple of blog posts about dokku, an amazing little Heroku clone.

    In the previous post I showed how to set up Dokku on a DigitalOcean droplet, and deployed a little hello-world container with a single git push. The reason why I wanted dokku though was the need for a database. As said – hosting comes cheap, databases usually come either expensive or with limited flexibility, or just too annoying configuration effort.

    Dokku is the perfect middle ground. Let’s see why.

    For me it was the existing postgres plugin which you can simply install and use. The whole process is incredibly easy, takes about two commands, and looks like this (let’s assume our “hello world” container uses a database):

    $ sudo dokku plugin:install https://github.com/dokku/dokku-postgres.git postgres

    That’s it, again.

    $ dokku postgres:create hello-world
    
    dokku postgres:create hello-world
    Waiting for container to be ready
    Creating container database
    Securing connection to database
    =====> Postgres container created: hello-world
    =====> Container Information
           Config dir: /var/lib/dokku/services/postgres/hello-world/config
           Data dir: /var/lib/dokku/services/postgres/hello-world/data
           Dsn: postgres://postgres:bd6b0725d710bb5a662bb628eee787b1@dokku-postgres-hello-world:5432/hello_world
           Exposed ports: -
           Id: 785ef252c748ed85739d1d6ad375a1e1bd66e925ac79358e9ffaa30ab852d6c0 
           Internal ip: 172.17.0.9
           Links: -
           Service root: /var/lib/dokku/services/postgres/hello-world
           Status: running
           Version: postgres:10.2
    
    $ docker ps
    
    CONTAINER ID   IMAGE                      COMMAND                  CREATED         STATUS         PORTS      NAMES
    cc99cccacf2c   dokku/hello-world:latest   "/bin/sh -c 'php-fpm…"   2 minutes ago   Up 2 minutes   80/tcp     hello-world.web.1
    785ef252c748   postgres:10.2              "docker-entrypoint.s…"   5 minutes ago   Up 5 minutes   5432/tcp   dokku.postgres.hello-world
    [...]
    

    This creates a database container with postgres 10.2, as you can see. You can influence a lot of behavior by using environment variables, see the GitHub page for more info.

    Then you link the container to the running app:

    $ dokku postgres:link hello-world hello-world
    -----> Setting config vars
           DATABASE_URL: postgres://postgres:bd6b0725d710bb5a662bb628eee787b1@dokku-postgres-hello-world:5432/hello_world
    -----> Restarting app hello-world
    -----> Releasing hello-world (dokku/hello-world:latest)...
    -----> Deploying hello-world (dokku/hello-world:latest)...
    -----> Attempting to run scripts.dokku.predeploy from app.json (if defined)
    -----> No Procfile found in app image
    -----> DOKKU_SCALE file found (/home/dokku/hello-world/DOKKU_SCALE)
    =====> web=1
    -----> Attempting pre-flight checks 
           For more efficient zero downtime deployments, create a file CHECKS. 
           See http://dokku.viewdocs.io/dokku/deployment/zero-downtime-deploys/ for examples 
           CHECKS file not found in container: Running simple container check...
    -----> Waiting for 10 seconds ...
    -----> Default container check successful!
    -----> Running post-deploy
    -----> Configuring hello-world.my-paas.for-myself.com...(using built-in template)
    -----> Creating http nginx.conf
    -----> Running nginx-pre-reload
           Reloading nginx
    -----> Setting config vars
           DOKKU_APP_RESTORE:  1
    -----> Found previous container(s) (14c349cb496d) named hello-world.web.1
    =====> Renaming container (14c349cb496d) hello-world.web.1 to hello-world.web.1.1535285386
    =====> Renaming container (cc99cccacf2c) serene_bassi to hello-world.web.1
    -----> Attempting to run scripts.dokku.postdeploy from app.json (if defined)
    -----> Shutting down old containers in 60 seconds
    =====> 14c349cb496d95cc4be1833f2e7f6ef2bef099a37c2a22cd4dcdb542f09bea0f
    =====> Application deployed:
           http://hello-world.my-paas.for-myself.com

    And done.

    What happened? You have now the environment variable $DATABASE_URL set in the hello-world app, that’s why the restart was necessary (which you can postpone, if you want, but you probably need it now, right?).

    Let’s check:

    $ docker exec -ti hello-world.web.1 /bin/sh 
    
    [now in the container]
    
    # env | grep DATABASE 
    DATABASE_URL=postgres://postgres:bd6b0725d710bb5a662bb628eee787b1@dokku-postgres-hello-world:5432/hello_world 
    

    That’s it. Super easy. Now if you’re using Django, you could use kennethreitz/dj-database-url to automatically parse and use it, and you’re done. (Probably every framework has something similar, so just have a look).
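
    The `DATABASE_URL` above carries the database password in clear text, and the dokku output prints it in full. An added example (not from the original post and not dj-database-url's own code): a standard-library sketch that turns such a URL into Django-style `DATABASES` settings and produces a redacted form that is safe to write to logs; the sample URL and its password are constructed.

```python
from urllib.parse import urlsplit, unquote

# URL scheme -> Django database engine
ENGINES = {
    "postgres": "django.db.backends.postgresql",
    "postgresql": "django.db.backends.postgresql",
}

# Constructed sample; the password contains a percent-encoded "@".
SAMPLE_URL = "postgres://postgres:s3cr%40t@dokku-postgres-hello-world:5432/hello_world"


def parse_database_url(url):
    """Split a DATABASE_URL into the keys Django expects in DATABASES['default']."""
    parts = urlsplit(url)
    if parts.scheme not in ENGINES:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    name = unquote(parts.path.lstrip("/"))
    if not parts.hostname or not name:
        raise ValueError("DATABASE_URL needs a host and a database name")
    return {
        "ENGINE": ENGINES[parts.scheme],
        "NAME": name,
        # Credentials are percent-encoded inside a URL; decode them before use.
        "USER": unquote(parts.username or ""),
        "PASSWORD": unquote(parts.password or ""),
        "HOST": parts.hostname,
        "PORT": str(parts.port or ""),
    }


def redact_database_url(url):
    """Return the URL with the password replaced, for log lines and error reports."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    # Split at the last "@" so a raw "@" inside the password cannot leak through.
    userinfo, _, hostinfo = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    return parts._replace(netloc=f"{user}:***@{hostinfo}").geturl()


if __name__ == "__main__":
    settings = parse_database_url(SAMPLE_URL)
    print({k: ("***" if k == "PASSWORD" else v) for k, v in settings.items()})
    print(redact_database_url(SAMPLE_URL))
```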

     
  • penguin 18:10 on 2018-08-25
    Tags: digitalocean, howto

    Build your own PaaS with Dokku 

    I was looking for some “play” deployment method for a couple of things I want to try out. Most of them require a database. And it should be cheap, cause I don’t have any load on them and don’t earn any money, so I want to spend basically no money if possible. The usual suspects are too expensive – AWS, Heroku, etc.

    So I looked around and found Dokku.

    Dokku is a set of – hang on – shell scripts – which basically emulate Heroku on a machine of your own. It’s integrated with Digital Ocean droplets out of the box, if you want it. And the whole thing is 5 € / month, which is perfect. It also integrates with a Dockerfile based deployment, so you do git push and everything just works.

    It’s amazing.

    This is how you get started. But before you can get started, you need a domain you control, either on AWS or any other hoster. This is for routing traffic to your deployments later. You also need a public SSH key, or better a public / private key pair. Once you have both you can …

    1. create a Digital Ocean account, and …
    2. add your SSH public key to your account, and …
    3. in that account, create a new droplet with a “Dokku” image preinstalled.
    4. Wait until the droplet finished provisioning.

    While the droplet is being created, you can also create a project locally to test it later:

    $ mkdir dokku-test
    $ cd dokku-test
    $ git init
    $ echo "FROM tutum/hello-world" > Dockerfile
    $ git add Dockerfile
    $ git commit -m "Initial commit"
    

    In this little test project we only create a Dockerfile from a hello-world image which displays “Hello world” in a browser so we can verify it worked.

    Once the droplet is done, you can start setting up your personal little PaaS. First, you have to configure your DNS. We will set up a wildcard entry for our deployments, and a non-wildcard entry for git. Let’s assume your domain is for-myself.com, then you would add …

    • my-paas.for-myself.com , type “A” (or “AAAA” if you are IPv6) to your droplet IP
    • *.my-paas.for-myself.com just the same

    Then you SSH into your droplet, and create your dokku project. (This is something you have to do for every project). All you have to do for this is:

    $ ssh root@DROPLET_IP
    ~# dokku apps:create hello-world
    -----> Creating hello-world... done
    ~# _

    Done.

    Now you configure a git remote URL for your project, and push it:

    $ git remote add dokku dokku@my-paas.for-myself.com:hello-world
    

    Again – done. If you push your project now (assuming DNS is already set), everything should happen automagically:

    $ git push --set-upstream dokku master
    X11 forwarding request failed
    Enumerating objects: 3, done.
    Counting objects: 100% (3/3), done.
    Writing objects: 100% (3/3), 241 bytes | 241.00 KiB/s, done.
    Total 3 (delta 0), reused 0 (delta 0)
    -----> Cleaning up...
    -----> Building hello-world from dockerfile...
    remote: build context to Docker daemon  2.048kB
    Step 1/1 : FROM tutum/hello-world
    latest: Pulling from tutum/hello-world
    658bc4dc7069: Pulling fs layer
    [... TRUNCATED ...]
    983d35417974: Pull complete
    Digest: sha256:0d57def8055178aafb4c7669cbc25ec17f0acdab97cc587f30150802da8f8d85
    Status: Downloaded newer image for tutum/hello-world:latest
     ---> 31e17b0746e4
    Successfully built 31e17b0746e4
    Successfully tagged dokku/hello-world:latest
    -----> Setting config vars
           DOKKU_DOCKERFILE_PORTS:  80/tcp
    -----> Releasing hello-world (dokku/hello-world:latest)...
    -----> Deploying hello-world (dokku/hello-world:latest)...
    -----> Attempting to run scripts.dokku.predeploy from app.json (if defined)
    -----> No Procfile found in app image
    -----> DOKKU_SCALE file not found in app image. Generating one based on Procfile...
    -----> New DOKKU_SCALE file generated
    =====> web=1
    -----> Attempting pre-flight checks
           For more efficient zero downtime deployments, create a file CHECKS.
           See http://dokku.viewdocs.io/dokku/deployment/zero-downtime-deploys/ for examples
           CHECKS file not found in container: Running simple container check...
    -----> Waiting for 10 seconds ...
    -----> Default container check successful!
    -----> Running post-deploy
    -----> Creating new /home/dokku/hello-world/VHOST...
    -----> Setting config vars
           DOKKU_PROXY_PORT_MAP:  http:80:80
    -----> Configuring hello-world.my-paas.for-myself.com...(using built-in template)
    -----> Creating http nginx.conf
    -----> Running nginx-pre-reload
           Reloading nginx
    -----> Setting config vars
           DOKKU_APP_RESTORE:  1
    =====> Renaming container (14c349cb496d) amazing_snyder to hello-world.web.1
    -----> Attempting to run scripts.dokku.postdeploy from app.json (if defined)
    =====> Application deployed:
           http://hello-world.my-paas.for-myself.com
    
    To my-paas.for-myself.com:hello-world
     * [new branch]      master -> master
    Branch 'master' set up to track remote branch 'master' from 'dokku'.

    And if you open your URL now (which is hello-world.my-paas.for-myself.com) you should see this image:

    Now, for 5 € / month you get:

    • A heroku-like, no-nonsense, fully automated, git-based deployment platform
    • A server which you control (and have to maintain, okay, but on which you can deploy …)
    • A database (or many of them – dokku provides great integration for databases btw; more on that in another post)
    • Publicly reachable deployments (for customers, testing, whatever)
    • Let’s Encrypt certificates (dokku provides support for these as well, again more in a later post)
    • And for 1 € more (it’s always 20% of the base price) you get backups of your system

    That’s absolutely incredible. Oh, and did I mention that the maintainers are not only friendly, but also super responsive and incredibly helpful on Slack?

     