Michiel – michielonline.nl

Remove namespace on “Terminating”

When removing Namespaces are waiting for (already) deleted pods or deployments, there is something wrong…
But if you do not want to wait until the waiting is over, you can terminate the pod/deployment manually:

Run on the admin node:

NS=kubectl get ns |grep Terminating | awk 'NR==1 {print $1}' && kubectl get namespace "$NS" -o json | tr -d "\n" | sed "s/\"finalizers\": [[^]]+]/\"finalizers\": []/" | kubectl replace --raw /api/v1/namespaces/$NS/finalize -f -

Use of course at your own risk!

Send HAProxy logs to remote host

I Wanted to send my HAProxy logging to a remote server so my loadbalancer didn’t have to deal with logging.

In the haproxy.conf I changed this line:

global
       log 127.0.0.1 local0

To this:

global
        log 10.0.6.15 local0

All logging for HAProxy is now send to my logging server after a restart/reload of HAProxy.

This is how my logging server receives the logs send from HAProxy:

Mar 10 12:02:05 lb01 haproxy[27980]: <ip>:47970 [10/Mar/2016:12:02:05.645] http-proxy httpweb02/web02 0/0/0/1/1 200 441 - - ---- 3/1/0/0/0 0/0 "GET /server-status?auto HTTP/1.1"

I Want to remove these lines from the default syslog file on my logging server and send to a seperate file.

On the logging server, create the following file:

/etc/rsyslog.d/haproxy.conf

With the following content:

# HAProxy logging
:syslogtag, startswith, "haproxy" /data/log/haproxy/haproxy.log
& ~

This tells the rsyslog daemon to filter all messages starting with “haproxy” from the syslog tag and send it to my custom logging location: /data/log/haproxy/haproxy.log

The “& ~” line is not to log it to any default location like messages or syslog files.

Restart the rsyslog daemon on the logging server to activate this rsyslog filter.

Check SMTP certificate

If you need to check the SMTP certificate from commandline:

openssl s_client -connect mail.example.com:25 -starttls smtp

Create a SSL key and CSR for SSL certificate

Create a new SSL key with 4096 bit size (highly recommended):

openssl genrsa -out website.key 4096

Create the CSR so you can send it to your SSL certificate provider to create a certificate your you (don’t forget –sha256, also highly recommended for security):

openssl req -new -key website.key -out website.csr -sha256

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord-Holland
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:website    
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:website.tld
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

As you can see, not all parts are required to fill in when creating a CSR file.

Examine generated key file

To examine a generated key file for example the key size enter the following:

openssl rsa -in website.key -check -text

You will get result like this:

Private-Key: (2048 bit)
modulus:
    <cut>
publicExponent: 65537 (0x10001)
privateExponent:
    <cut>
prime1:
    <cut>
prime2:
    <cut>
exponent1:
    <cut>
exponent2:
    <cut>
coefficient:
    <cut>
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
<cut>
-----END RSA PRIVATE KEY-----

Examine certificate request file (CSR)

To examine the content of a generated .csr file enter the following:

openssl req -text -noout -in website.csr

You will get information like this for example:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=country, ST=province, L=city, O=business name, CN=common name
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    <cut>
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com
    Signature Algorithm: sha256WithRSAEncryption
        <cut>

Examine certificate file (.p7b)

To examine a signed certificate file in p7b format enter the following:

openssl pkcs7 -in certificate.p7b -text -print_certs

Examine certificate file (.cer/.crt)

To examine a signed certificate file in .cer or .crt format enter the following:

openssl x509 -noout -text -in certificate.cer

Convert pfx to pem

To convert a .pfx certificate to a .pem file enter the following:

openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

Convert p7b/pkcs7 to PEM certificate

To convert a .p7b certificate to a .pem certificate enter the following:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

After this you can view the certificates with vi/less.

If you receive an error like below, you probably have a wrong format:

140536229615264:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: PKCS7

If the certificate in in DER format enter the following:

openssl pkcs7 -inform der -print_certs -in certificate.p7b -out certificate.pem