After running the below script in the Amazon AMI Linux worker node as explained in https://docs.aws.amazon.com/eks/latest/userguide/restrict-ec2-credential-access.html ,
sudo yum install -y iptables-services
sudo yum install -y initscripts
sudo iptables --insert FORWARD 1 --in-interface eni+ --destination 169.254.169.254/32 --jump DROP
sudo iptables-save | tee /etc/sysconfig/iptables
sudo systemctl enable iptables.service
I am getting errors for the cert-manager-cainjector and cluster-autoscaler pods.The cert-manager-cainjector and cluster-autoscaler pods went into crashloopbackerror status with the below issue.
kubectl logs aws-cluster-autoscaler-5cd9d77588-tm4nz -n kube-system
Error from server: Get https://10.73.45.50:10250/containerLogs/kube-system/aws-cluster-autoscaler-5cd9d77588-tm4nz/aws-cluster-autoscaler: dial tcp 10.73.45.50:10250: connect: no route to host
I even tried to insert -A FORWARD -d 169.254.169.254/32 -i eni+ -j DROP directly into /etc/sysconfig/iptables file, restarted the iptables.service, but still no luck.
Both cert-manager-cainjector and cluster-autoscaler add-ons are configured with IRSA.
SSM add-on is configured with hostNetwork: true option and AmazonSSMManagedInstanceCore IAM role is added to the instance profile , so that SSM daemonset can work. Instance profile has been added with IAM role for SSM because IRSA does not seem to work in SSM agent.
Is there anything that can be done to fix this connect:no route to host issue?
I tried iptables script as prebootstrapcommands in node.Then it worked.
Related
I installed spinnaker on my AWS EC2, login into the dashboard in the first time but immediately after I logout and login again using the same base URL i am being directed to a different person github account, what might have happened, does it mean my account is hacked or what, somebody advise please.
Being directed to the link attached below, instead of the ip address taking me to the spinnaker dashboard and yet I am using the correct base address
These are the instructions i follow for Minnaker on EC2 (ap-southeast-2)
Pre-requisites
Obtain an AWS Elastic IP
From AWS EC2 console choose a Region preferably ap-southeast-2 and
launch an EC2 instance with 16 GB memory, 4 cpu min and 60 GB disk.
An initial deployment can be performed using instance= m4.xlarge
Attach the AWS Elastic IP to the Spinnaker Instance
Access the instance through SSH
Get minnaker
curl -LO https://github.com/armory/minnaker/releases/latest/download/minnaker.tgz
Untar
tar -xzvf minnaker.tgz
Go to minnaker directory
cd minnaker
Use the Public IP value from The Elastic IP as the $PUBLIC_IP
Obtain Private IP of the instance hostname -I and add them to local environment variables $PRIVATE_IP
export PRIVATE_IP=$(hostname -I)
export PUBLIC_IP=AWS_ELASTIC_IP
Execute the command below to install Open Source Spinnaker
./scripts/install.sh -o -P $PRIVATE_IP
Validate installation
UI
Validate installation going to generated URL https://PUBLIC_IP
Use user admin and get the password at etc/spinnaker/.hal/.secret/spinnaker_password
The UI should load
Kubernetes Deployment
Minnaker is deployed inside an EC2 as a lightweight Kubernetes K3S cluster
Run kubectl version
Get info from cluster kubectl cluster-info
Tweak bash completion and enable a simple alias.
kubectl completion bash
kubectl completion bash
echo 'source <(kubectl completion bash)' >>~/.bashrc
kubectl completion bash >/etc/bash_completion.d/kubectl
echo 'alias k=kubectl' >>~/.bashrc
`echo 'complete -F __start_kubectl k' >>~/.bashrc
Validate Spinnaker is running
k -n spinnaker get pods -o wide
Halyard Config
Validate a default halyard config is been set up
sudo chmod 755 /usr/local/bin/hal
#!/bin/bash
set -x
HALYARD=$(kubectl -n spinnaker get pod -l app=halyard -oname | cut -d'/' -f 2)
k -n spinnaker exec -it ${HAYLYARD} -- hal $# config
Minnaker repo
Clone the repository
Go to Scripts directory cd minnaker/scripts
Add permissions to the installation script chmod 775 all.sh
git clone https://github.com/armory/minnaker
References
armory/minnaker
I have installed rabbitmq-server on ubuntu , post installation I have checked if its running properly on the ports or not using netstat -lntu. Its running, plugins are enabled and same has been verified too. Even port 15672 is also open. What can be the reason that I am not able to acces web management console from the remote rabbitmq-server.
P.S : I have already created the admin user.
I have already tried allowing the port 15672 as mentioned in this question : How do I find my firewall is blocking mysql? | Ask Ubuntu. and also followed this one : Can't access RabbitMQ web management interface after fresh install | Stack Overflow and many more.
and lastly tried to edit rabbitmq-env.conf as suggested here : Web dispatch plugin | RabbitMQ.
By default, RabbitMQ creates a user named "guest" with password "guest”. You can also create your own administrator account on RabbitMQ server using following commands. Change password to your own password.
Step 1: Set the username and password by running the following commands
sudo rabbitmqctl add_user admin password
sudo rabbitmqctl set_user_tags admin administrator
sudo rabbitmqctl set_permissions -p / admin ".*" ".*" ".*"
Step 2: Enable and use the RabbitMQ management console
sudo rabbitmq-plugins enable rabbitmq_management
sudo chown -R rabbitmq:rabbitmq /var/lib/rabbitmq/
Next, you need to setup an administrator user account for accessing the RabbitMQ server management console. In the following commands, "mqadmin" is the administrator's username, "mqadminpassword" is the password. Remember to replace them with your own.
Step 3:: Add user and give the permission
sudo rabbitmqctl add_user mqadmin mqadminpassword
sudo rabbitmqctl set_user_tags mqadmin administrator
sudo rabbitmqctl set_permissions -p / mqadmin ".*" ".*" ".*"
Now open the http://[rabbitMQ-server-IP]:15672/ and You are Done 🎉🍾
For rabbitmq setup only need to do following things
1.install rabbitmq-server
sudo apt-get install rabbitmq-server
2.enable gui plugin
sudo rabbitmq-plugins enable rabbitmq_management
3.start rabbidmq-server
sudo rabbitmq-server start
4.see gui on browser(bellow information is given by default rabbitmq configuration)
http://localhost:15672/
username:guest
password:guest
I have installed it in RHEL 7 and configured it a bit.
It is up and running as a root.
I am trying to run Redis Service as non-root user.
Any pointers would be appreciated.
If the user and group “redis” has not been created,please create it.
useradd redis
Then change the owner of the file named "redis-server" and "redis-cli"(Actually,I advice chang all the files about redis but I do not know the path you installed).
chown redis. "your path"
create the script like this
vim /usr/lib/systemd/system/redis.service
Write the contents
[Unit]
Description=Redis In-Memory Data Store
After=network.target
[Service]
User=redis
Group=redis
Type=forking
ExecStart="the absolute path of redis-server" "ths absolute path of redis.conf"
ExecStop="the absolute path of redis-cli" shutdown
[Install]
WantedBy=multi-user.target
And then you can use the following codes
systemctl status redis
systemctl start redis //start the service
sysyemctl stop redis //stop the service
systemctl enable redia //start the service when system boot
I also paste the config in my machine and it works well for me
Wish this helps!
For those who use docker, you can build your own redis image with non-root user as the following:
FROM redis:6.0.10-alpine
# Create the home directory for the new non-root user.
RUN mkdir -p /home/nonroot
# Create an non-root user so our program doesn't run as root.
RUN adduser -S -h /home/nonroot nonroot
VOLUME /home/nonroot/tmp
HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
CMD redis-cli ping
USER nonroot
EXPOSE 6379
Probably also add the working directory to the service since redis does not seem to change to that on its own (at least on my configuration):
WorkingDirectory=/var/lib/redis
I've made an ACS instance.
az acs create --orchestrator-type=kubernetes \
--resource-group $group \
--name $k8s_name \
--dns-prefix $kubernetes_server \
--generate-ssh-keys
az acs kubernetes get-credentials --resource-group $group --name $k8s_name
And run helm init it has provisioned tiller pod fine. I then ran helm install stable/redis and got a redis deployment up and running (seemingly).
I can kube exec -it into the redis pod, and can see it's binding on 0.0.0.0 and can log in with redis-cli -h localhost and redis-cli -h <pod_ip>, but not redis-cli -h <service_ip> (from kubectl get svc.)
If I run up another pod (which is how I ran into this issue) I can ping redis.default and it shows the DNS resolving to the correct service IP but gives no response. When I telnet <service_ip> 6379 or redis-cli -h <service_ip> it hangs indefinitely.
I'm at a bit of a loss as to how to debug further. I can't ssh into the node to see what docker is doing.
Also, I'd initially tried this with a standard Alphine-Redis image, so the helm was a fallback. I tried it yesterday and the helm one worked, but the manual one didn't. Today doing it (on a newly built ACS cluster) it's not working at all on either.
I'm going to spin up the cluster again to see if its a stable reproduce, but I'm pretty confident something fishy is going on.
PS - I have a VNet with overlapping subnet 10.0.0.0/16 in a different region, when I go into the address range I do get a warning there that there is a clash, could that affect it?
<EDIT>
Some new insight... It's something to do with alpine based images (which we've been aiming to use)...
So kube run a --image=nginx (which is ubuntu based) and I can shell in, install telnet and connect to the redis service.
But, e.g. kubectl run c --image=rlesouef/alpine-redis then shell in, and telnet doesn't work to the same redis service.
</EDIT>
There was a similar issue https://github.com/Azure/acs-engine/issues/539 that has been fixed recently. One thing to verify is to check if nslookup works in the container.
I have already installed node.js(v0.10.30) and npm. I'm able to establish a SSH connection between my mac and dreamhost VPS via terminal, but i cant do it in Cloud9. Someone help me, please?
./server.js -p 8080 -l 0.0.0.0 -a :
--settings Settings file to use
--help Show command line options.
-t Start in test mode
-k Kill tmux server in test mode
-b Start the bridge server - to receive commands from the cli [default: false]
-w Workspace directory
--port Port
--debug Turn debugging on
--listen IP address of the server
--readonly Run in read only mode
--packed Whether to use the packed version.
--auth Basic Auth username:password
--collab Whether to enable collab.
--no-cache Don't use the cached version of CSS
So you can use your own VPS,just change 0.0.0.0 to your server ip.