TuxITo

Your light in the linux world

Founding TuxITo

September 18, 2020 / / 0 Comments

In the middle of the global pandemic, where my work for my previous company (where I was an intern) was at a VERY low pace… I’ve decided that I had enough of it… I wanted to move forward…
I was already thinking of starting my own company and working as a freelancer for a long time, but there was always something. New Projects, too much work, …

But now… There was no work… At least not much… And I don’t like that… I need some pressure in my life. (Not to much… 😉 )

So I left my “golden cage” where I had all the job security I could wish for in this strange time and quit my job… Under the motto: “Life is to those who dare”
I had 8 weeks to find a job as a new founded freelancer. Otherwise I wouldn’t have a car anymore, no job, no money…

Life is to those who dare

Following was a VERY STRESSFUL period, where my wife and friends where supporting me. Because you get A LOT of phone calls, but after 3 weeks I still didn’t have anything. So you really start doubting yourself…

But during that 3th week I had an interview with a company for a job that I really wanted. It was perfect for me. Linux System Engineer. The thing that I had the most experience in… And yes… After 2 days stressing about it… I received a phone call… And YES, I got the job!!! I was happy as a kid in a candy store :-D.

Life is a bitch sometimes, but in the end… Everything will be just fine… One way or the other…

Easy way of managing config in Docker-compose

February 9, 2021 / / 0 Comments

Ever wanted that your config files in you docker-stack updated also when you released a new version of your stack through a CI/CD pipeline? Or you where in a development phase where you are constantly changing stuff in the config but you also wanted to make sure that you knew which config was used in what release in the pipeline? Well… Maybe you should try the next trick:


 variables:
   HOSTNAME: dockerhost.tuxito.be #Host to deploy docker-compose
 Clone or Pull Repo to Remote Host
 clone:
   image: alpine
   before_script:
     - apk add openssh-client git jq curl
     - eval $(ssh-agent -s)
     - echo "$SSH_PRIVATE_KEY_ANSIBLE" | tr -d '\r' | ssh-add -
     - mkdir -p ~/.ssh
     - chmod 700 ~/.ssh
     - /usr/bin/git config --global user.email "$GITLAB_USER_EMAIL"
     - /usr/bin/git config --global user.name "$GITLAB_USER_LOGIN"
     - GIT_CLONE_URL="$(curl --silent -XGET "$CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID?private_token=$ANSIBLE_TOKEN" | jq -r '.ssh_url_to_repo')"
   script:
     - ssh -o StrictHostKeyChecking=no ansible@$HOSTNAME "printf '%s\n    %s\n' 'Host *' 'StrictHostKeyChecking no' > ~/.ssh/config && chmod 600 ~/.ssh/config"
     - ssh -o StrictHostKeyChecking=no ansible@$HOSTNAME "if [ -d "$CI_PROJECT_NAME" ]; then (rm -rf $CI_PROJECT_NAME; git clone $GIT_CLONE_URL); else git clone $GIT_CLONE_URL; fi"
 Deploy stack
 deploy:
   image: alpine
   before_script:
     - apk add openssh-client git jq curl
     - eval $(ssh-agent -s)
     - echo "$SSH_PRIVATE_KEY_ANSIBLE" | tr -d '\r' | ssh-add -
     - mkdir -p ~/.ssh
     - chmod 700 ~/.ssh
   script:
     - ssh -o StrictHostKeyChecking=no ansible@$HOSTNAME "sed -i -E "/CONF_VERSION=/s/=.*/=$CI_JOB_ID/" $CI_PROJECT_NAME/deploy.sh"
     - ssh -o StrictHostKeyChecking=no ansible@$HOSTNAME "cd $CI_PROJECT_NAME; chmod +x deploy.sh; sudo ./deploy.sh"

I’m using a gitlab-ci pipeline file here.. But the eventual purpose can be achieved using all Ci/Cd tools. It is just a matter of changing the Variable name.

More importantly this line:

ssh -o StrictHostKeyChecking=no ansible@$HOSTNAME "sed -i -E "/CONF_VERSION=/s/=.*/=$CI_JOB_ID/" $CI_PROJECT_NAME/deploy.sh"

Here you wil find the ENVIRONMENT value used in the upcoming docker-compose file CONF_VERSION. Which on his term has the value of the $CI_JOB_ID which is a baked in value of Gitlab:

CI_JOB_ID
The unique ID of the current job that GitLab CI/CD uses internally.

If you where using Bamboo for example you could use bamboo.buildNumber.

Then for the trick in your docker-compose file:


 version: "3.7"
 services:
     elasticsearch:
       image: elasticsearch:${ELASTIC_VERSION}
       hostname: elasticsearch
       environment:
           - "discovery.type=single-node"
           - "xpack.monitoring.collection.enabled=true"
       ports:
           - 9200:9200
           - 9300:9300
       networks:
           - elastic
       volumes:
         - type: volume
           source: elasticsearch-data
           target: /usr/share/elasticsearch/data
         - type: volume
           source: snapshots
           target: /snapshots
       deploy:
         mode: replicated
         replicas: 1
         placement:
           constraints: [node.hostname == morsuv1416.agfa.be]
       secrets:
         - source: elasticsearch-config
           target: /usr/share/elasticsearch/config/elasticsearch.yml
           mode: 0644
           uid: "1000"
           gid: "1000"
filebeat:
       image: docker.elastic.co/beats/filebeat:${ELASTIC_VERSION}
       hostname: "{{.Node.Hostname}}-filebeat"
       ports:
         - "5066:5066"
       user: root
       networks:
         - elastic
       secrets:
         - source: filebeat-config
           target: /usr/share/filebeat/filebeat.yml
       volumes:
         - filebeat:/usr/share/filebeat/data
         - /var/run/docker.sock:/var/run/docker.sock
         - ...
secrets:
   elasticsearch-config:
     file: configs/elasticsearch.yml
     name: elasticsearch-config-v${CONF_VERSION}
   filebeat-config:
     file: configs/filebeat.yml
     name: filebeat-config-v${CONF_VERSION}

As you can see… The name in docker stack will change but there reference to the secret (aka Config file) will be the same in docker-compose.yml.

So all there is left in the deploy.sh script that we use in the the gitlab-ci file and you are good to go:

!/bin/bash
 export ELASTIC_VERSION=7.10.1
 export ELASTICSEARCH_USERNAME=elastic
 export ELASTICSEARCH_PASSWORD=changeme
 export ELASTICSEARCH_HOST=elasticsearch
 export KIBANA_HOST=kibana
 1 is PlaceHolder. Gets changed During deploy
 export CONF_VERSION=1
 docker network ls|grep elastic > /dev/null || docker network create --driver overlay --attachable elastic
 docker stack deploy --prune --compose-file docker-compose.yml elkstack

Happy dockering!

Nexus 3 Behind Traefik V2

October 19, 2020 / / 0 Comments

After A LOT of struggling to get Nexus 3 running behind Traefik2 I finally got in working, so I thought let’s share this with rest of the world… 😀

Running the GUI behind Traefik2 wasn’t a big deal… It was logging in and pushing the images to it that was a pain in the ass…

So… For everyone that is struggling with the same issue… Here is the answer… (I hope for you). And the problem wasn’t even my docker-compose file… But a setting IN Nexus 3…

My Setup is a docker swarm with 5 nodes. So just keep in mind that my docker-compose file is for a swarm (includes deploy settings and stuff). As an extra I also run my persistent storage on NFS. So it doesn’t matter on which worker the conatiner get’s deployed… So let’s start with the compose files:

Traefik V2

version: "3.7"
networks:
  proxy:
    driver: overlay
    external: true
  default:
    driver: overlay

########################### SERVICES
services:
  ############################# FRONTENDS

  # Traefik 2 - Reverse Proxy
  # Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
  # touch $DOCKERDIR/traefik2/acme/acme.json
  # chmod 600 $DOCKERDIR/traefik2/acme/acme.json
  # touch $DOCKERDIR/traefik2/traefik.log
  traefik:
    image: traefik:v2.2
    environment:
      - AWS_HOSTED_ZONE_ID=${AWS_HOSTED_ZONE_ID}
      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
    hostname: traefik
    ports:
      - "80:80"
      - "443:443"
    deploy:
      restart_policy:
         condition: on-failure
      mode: replicated
      placement:
        constraints:
        - node.role == manager
        - node.hostname == elb.mydomain.com
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.routers.api.entrypoints=https"
        - "traefik.http.routers.api.rule=Host(`elb.mydomain.com`)"
        - "traefik.http.routers.api.service=api@internal"
        - "traefik.http.routers.api.tls=true"
        - "traefik.http.routers.api.tls.domains[0].main=mydomain.com"
        - "traefik.http.routers.api.tls.domains[0].sans=*.mydomain.com"
        - "traefik.http.routers.api.tls.certresolver=mytlschallenge"
        - "traefik.http.routers.api_http.entrypoints=http"
        - "traefik.http.routers.api_http.rule=Host(`elb.mydomain.com`)"
        - "traefik.http.routers.api_http.middlewares=traefik-redirectscheme"
        - "traefik.http.middlewares.traefik-redirectscheme.redirectscheme.scheme=https"
        - "traefik.http.services.api.loadbalancer.server.port=8080"
        ## Middlewares
        - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file"
    command:
      - --api.insecure=true # set to 'false' on production
      - --api.dashboard=true
      - --api.debug=false
      - --log.level=WARN
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=proxy
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --certificatesresolvers.mytlschallenge.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
      #- --certificatesResolvers.mytlschallenge.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # Generates LE test certificates.  Can be removed for production
      - --certificatesResolvers.mytlschallenge.acme.dnsChallenge=true
      - --certificatesResolvers.mytlschallenge.acme.dnsChallenge.provider=route53
      - --certificatesresolvers.mytlschallenge.acme.email=${LE_EMAIL}
      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json
      - --serverstransport.insecureskipverify=true

    volumes:
      - "nfs_traefik:/letsencrypt"
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy
volumes:
  nfs_traefik:
    external: true

Nexus 3:

version: "3.7"
services:
  nexus:
    image: sonatype/nexus3
    environment:
      - "REGISTRY_HTTP_RELATIVEURLS=true"
      - "TZ=Europe/Brussels"
    deploy:
      mode: replicated
      replicas: 1
      restart_policy:
         condition: on-failure
      placement:
        constraints:
          - node.role == worker
      labels:
        - "traefik.enable=true"
        # Nexus Interface
        - "traefik.http.routers.nexus.entrypoints=https"
        - "traefik.http.routers.nexus.service=nexus"
        - "traefik.http.routers.nexus.rule=Host(`nexus.mydomain.com`)"
        - "traefik.http.routers.nexus.tls.certresolver=mytlschallenge"
        - "traefik.http.services.nexus.loadbalancer.server.port=8081"
        # Regsitry Endpoint
        - "traefik.http.routers.registry.rule=Host(`registry.mydomain.com`)"
        - "traefik.http.routers.registry.tls=true"
        - "traefik.http.routers.registry.service=registry"
        - "traefik.http.routers.registry.tls.certresolver=mytlschallenge"
        - "traefik.http.services.registry.loadbalancer.server.port=5000"
        - "traefik.docker.network=proxy"
    volumes:
      - "nexus_data:/nexus-data"
    networks:
      - proxy
    ports:
      - "8081:8081"
      - "5000:5000"

volumes:
  nexus_data:
    driver: local
    driver_opts:
      type: nfs
      o: addr=192.168.86.12,rw
      device: ":/volume1/Docker/NexusData"
networks:
  proxy:
    external: true

If you deploy these 2 compose files (replacing mydomain.com with your domain) you should have a running traefik V2 (with GUI, on elb.mydomain.com), a nexus running on nexus.mydomain.com and a repository endpoint on registry.mydomain.com.

The first time you open nexus you will be asked to give the admin user and the password… You can find this password under /nexus-data/admin.password in your container or nfs share if you did the same as me. Afterwards, just follow the setup.

Let’s create a Docker repository
Go to –> Settings –> Repositories –> Create Repository

  • Give the name of your repository
  • Check the HTTP connector and add port 5000 (the port you mentioned in the traefik labels for the repository url)
  • If you want to allow anonymous pulls, you can check that too (optional)
  • And I’ve also enabled the Docker V1 api (optional)
  • Click on “Save”

Now, if you try to login…

koen@pop-os:~/Projects/Docker/docker-ha/build$ docker login -u admin -p Password https://registry.mydomain.com:5000
Error response from daemon: Get https://registry.mydomain.com:5000/v2/: dial tcp 192.168.86.200:5000: connect: connection refused
OR
koen@pop-os:~/Projects/Docker/docker-ha/build$ docker login -u admin -p Password https://registry.mydomain.com
Error response from daemon: login attempt to https://registry.mydomain.com/v2/ failed with status: 404 Not Found

After A LOT of Googling around… I finally found the solution to this problem… Which wasn’t the traefik config… So here it comes… 😀

Go to Settings –> Realms and add the Docker Bearer Token Realm…

Now try to login again…

koen@pop-os:~/Projects/Docker/docker-ha/build$ docker login -u admin -p Password https://registry.mydomain.com

Login Succeeded

General Tips & Tricks

October 16, 2020 / / 0 Comments

I dedicate this blog post to all the several tips and tricks I came across the web. I will add the source of the tip/trick also. Maybe you can find more for you on the source that I didn’t add.

VIM Tips & Tricks

When you want to convert some ENV variables to lower… (I needed this to create a vault file in Ansible for the values of some environment values)

ggVGu

Or to Upper case:

ggVGU

Source: https://coderwall.com/p/anvddw/vim-convert-text-to-lowercase-or-uppercase

Adding git tag to release in Bamboo

September 29, 2020 / / 0 Comments

If you want to create a new version for your package in bamboo, you can add the version git tag to your package in Bamboo with following steps:

  • Add a script task in your build plan with following contents:

git_tag="$(git ls-remote --tags ${bamboo.planRepository.repositoryUrl} | cut -d/ -f3- | awk '/^[^{]*$/{version=$1}END{print version}')"
echo "git_tag=$git_tag" > git_tag.txt

This will strip the version tag from the git commit and added this to a txt file located in a working subdirectory package/apps/myapplication

  • Next you’ll need to inject the version into Bamboo. you can do this by adding a task “Inject Bamboo Variables”:

Now we can reuse this bamboo variable in a build plan by adding ${bamboo.myapplication.git_tag}

My Home Setup

September 22, 2020 / / 0 Comments

So this started in my head “I want to learn kubernetes…” Well… I learned it… But the learning didn’t stop with kubernetes…

Then the learning started with a course of Udemy (https://www.udemy.com/course/learn-devops-the-complete-kubernetes-course/learn/lecture/11278680?start=0#overview ) Excellent course. Learned me the ins and outs of kubernetes. But then of course… To put learning to practice I needed a kubernetes cluster. Yes, I could use minikube… But where is the fun in that… 😀

I started with creating a k3s rancher cluster. Because of it’s low system footprint and a awesome GUI to see whats is happening to your cluster.
I used this guide https://rancher.com/docs/rancher/v2.x/en/installation/k8s-install/create-nodes-lb/ and started with “Setup Infrastructure”… Very important… Read EVERYTHING.

After some cursing and reinstalling servers to make sure I had a clean slate to start, I managed to get it up and running… Happy me 🙂

So, now it was time to deploy something on the cluster… And I started with the nice low footprint gitea app for storing my ansible playbooks, kubernetes apps,… I could have used helm, the easy way… But I was here to learn, so I created the manifest on my own (with help of my good friend Google…). But I did it. It deployed. I could reach it with my external Nginx LoadBalancer. Happy me… 🙂

So… Then came helm… Let’s see how that works… I learned the true value of the values.yml… really… If you starting with pre-created helm charts… Take your time to go through the values.yml to edit it to your environment… It safes some headache…

So, I learned how Helm works, so I was thinking more and more to a fully home CI/CD setup. So what do I need… Keeping in mind that if it was possible I needed low footprint applications…

  • Docker repository: I went for Harbor. Great tool. Nice GUI. And scans your images on security flaws. https://goharbor.io/
  • Jenkins (widely used, so…)
  • Awx… To automatically run my playbooks in conjunction with jenkins . Yes, less low footprint, but hey… Sometimes you need to sacrifice to get want you want…

So, after all that was I installed on my kubernetes cluster… I was ready to start learning Jenkins, Kubernetes and of course some wordpress… And with deploying wordpress I learned the auto scaling functionality of kubernetes… :-D. So… Happy me… Again 😀

The final setup (for now…) looks like this:

And currently following applications are installed:

  • https://gitea.io/en-us/
  • https://rancher.com/
  • https://goharbor.io/
  • https://www.jenkins.io/
  • https://wordpress.com/
  • https://github.com/ansible/awx

Grow XFS FileSystem Without LVM

September 18, 2020 / / 0 Comments

When you have a NON-LVM xfs filesystem that you need to expand without rebooting on VMWare… Follow this guide… Bumped into this one day… So…

  • First of all expand your disk image to your desired size. In my example I went from 250GB –> 300GB
  • SSH into your VM. As you can see now the disk still remains at the 250GB
# Current partition size
[root@portainer02prod ~]# fdisk -l
 
Disk /dev/sda: 17.2 GB, 17179869184 bytes, 33554432 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000d1b93
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048     2099199     1048576   83  Linux
/dev/sda2         2099200    31467519    14684160   8e  Linux LVM
 
Disk /dev/sdb: 268.4 GB, 268435456000 bytes, 524288000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
  • Run following command to rescan your partition. (Here it is /dev/sdb that needs a resize)
[root@portainer02prod ~]# echo 1 > /sys/block/sdb/device/rescan
  • Confirm that this worked
[root@portainer02prod ~]# fdisk -l
 
Disk /dev/sda: 17.2 GB, 17179869184 bytes, 33554432 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000d1b93
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048     2099199     1048576   83  Linux
/dev/sda2         2099200    31467519    14684160   8e  Linux LVM
 
Disk /dev/sdb: 322.1 GB, 322122547200 bytes, 629145600 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
  • Whoop Whoop (You should say now…). Now we can grow the XFS filesystem to the desired size and have some space on the disk again 🙂
[root@portainer02prod ~]# xfs_growfs /dev/sdb
meta-data=/dev/sdb               isize=512    agcount=4, agsize=16384000 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=0 spinodes=0
data     =                       bsize=4096   blocks=65536000, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
log      =internal               bsize=4096   blocks=32000, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
data blocks changed from 65536000 to 78643200 --> Resized

Installing docker swarm

September 18, 2020 / / 0 Comments
This guide will show you how to setup a docker swarm. Assuming you already have docker installed.

Setting up docker swarm

For setting up a swarm, you need at least 3 vm’s which will contain:

  • A manager Node (or more)
  • And worker nodes

Setting up a manager node

Log in to your Manager vm and run following command:

docker swarm init –advertise-addr <MANAGER-IP>

The other nodes in the swarm must be able to access the manager at the IP address. So be aware of Firewall restrictions, iptables,…

You will get a output like this:

Swarm initialized: current node (dxn1zf6l61qsb1josjja83ngz) is now a manager. To add a worker to this swarm, run the following command: docker swarm join \ --token SWMTKN-1-49nj1cmql0jkz5s954yi3oex3nedyz0fb0xx14ie39trti4wxv-8vxv8rssmk743ojnwacrr2e7c \ 192.168.99.100:2377 To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

You can add multiple Manager nodes this way:

[me@portainermgr01prod ~]$ docker swarm join-token manager To add a manager to this swarm, run the following command: docker swarm join --token SWMTKN-1-2vqxciwl7q5nmtv7vy6jbeh8ilo29u7bs1eko24ztazn8n87a7-d201wmooe8hd8ll19klmhyt0v 10.136.23.11:2377

Run the “docker swarm join –token SWMTKN-1-2vqxciwl7q5nmtv7vy6jbeh8ilo29u7bs1eko24ztazn8n87a7-d201wmooe8hd8ll19klmhyt0v 10.136.23.11:2377” on the other nodes you want to join as a manager.

Setting up the worker nodes

Log in to your worker nodes and run the command you got from the output of the manager node:

docker swarm join \ --token SWMTKN-1-49nj1cmql0jkz5s954yi3oex3nedyz0fb0xx14ie39trti4wxv-8vxv8rssmk743ojnwacrr2e7c \ 192.168.99.100:2377

If you don’t have the command available, you can run the following command on a manager node to retrieve the join command for a worker:

docker swarm join-token worker

After you have run the commands on your workers, you can check the status of your workers using following command on the MANAGER node:

[me@portainermgr01prod ~]$ docker node ls ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION onh1rgb37cbgsl2sx6zwlcrlh portainer01prod Ready Active 18.09.7 tyw38g3pl9q2km1kwi4mk0brd portainer02prod Ready Active 18.09.7 uu6sh1gk87bxkughvrwdezber portainer03prod Ready Active 18.09.7 vaq6nqm92vv1raq6pfdzl7y1s * portainermgr01prod Ready Active Leader 18.09.7 7d9g9cx5ce0wn5x114o1m0qz3 portainermgr02prod Ready Active Reachable 18.09.7 scpw73v2ei49udcg36oy2ltrf portainermgr03prod Ready Active Reachable 18.09.7 [me@portainermgr01prod ~]$

© 2025 TuxITo

Theme by Anders NorenUp ↑