Create new Kubernetes token to join

When adding new nodes to the cluster, a token is needed to join the new node to the cluster.

Login into the management node and create a new token:

kubeadm token create --print-join-command

The result is something like this:

kubeadm join 192.168.76.3:6443 --token vcatsw.x589176bunx86udn --discovery-token-ca-cert-hash sha256:35e8c087d7a951747beg3ea5e99c5b1701ac485a019e5474ae1b87c2db52022a

Remove namespace on “Terminating”

When removing Namespaces are waiting for (already) deleted pods or deployments, there is something wrong…
But if you do not want to wait until the waiting is over, you can terminate the pod/deployment manually:

Run on the admin node:

NS=kubectl get ns |grep Terminating | awk 'NR==1 {print $1}' && kubectl get namespace "$NS" -o json | tr -d "\n" | sed "s/\"finalizers\": [[^]]+]/\"finalizers\": []/" | kubectl replace --raw /api/v1/namespaces/$NS/finalize -f -

Use of course at your own risk!

Send HAProxy logs to remote host

I Wanted to send my HAProxy logging to a remote server so my loadbalancer didn’t have to deal with logging.

In the haproxy.conf I changed this line:

global
       log 127.0.0.1 local0

To this:

global
        log 10.0.6.15 local0

All logging for HAProxy is now send to my logging server after a restart/reload of HAProxy.

This is how my logging server receives the logs send from HAProxy:

Mar 10 12:02:05 lb01 haproxy[27980]: <ip>:47970 [10/Mar/2016:12:02:05.645] http-proxy httpweb02/web02 0/0/0/1/1 200 441 - - ---- 3/1/0/0/0 0/0 "GET /server-status?auto HTTP/1.1"

I Want to remove these lines from the default syslog file on my logging server and send to a seperate file.

On the logging server, create the following file:

/etc/rsyslog.d/haproxy.conf

With the following content:

# HAProxy logging
:syslogtag, startswith, "haproxy" /data/log/haproxy/haproxy.log
& ~

This tells the rsyslog daemon to filter all messages starting with “haproxy” from the syslog tag and send it to my custom logging location: /data/log/haproxy/haproxy.log

The “& ~” line is not to log it to any default location like messages or syslog files.

Restart the rsyslog daemon on the logging server to activate this rsyslog filter.

Show MySQL client history

Like most administrators I like to execute MySQL queries direct from the MySQL commandline.

But if you want to review whatever you entered in the client it is sometimes difficult to find.

However: All commands entered are also saved in your homedir from the Linux user you are logged in from.

cat ~/.mysql_history

The result is a complete list of commands you have used:

\q
show slave status\G
show master status;
show databases;
use testdb
INSERT INTO users(name) VALUES ('bla');
\q

PowerDNS AXFR transfer import

Lately I have been pretty busy with large DNS migration projects, and fortunately PowerDNS has created a very handy tool: zone2sql

Assume you can do an AXFR transfer (dig AXFR @<ip from old server> example.com), the output you get here you can convert to a MySQL query for example.

With this generated MySQL query you can import the whole zone without any trouble into the new database backend of the new server.

Prerequisites:

1. A working PowerDNS authoritative server

2. A MySQL/MariaDB backend

3. AXFR tranfer possibility

Steps:

1. Get the zone information: (in my test case the old nsauth server is 10.0.0.1)

dig AXFR @10.0.0.1 example.com > example.com.txt

2. Examine the output:

cat example.com.txt

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> AXFR @10.0.0.1 example.com
; (1 server found)
;; global options: +cmd
example.com.             3600    IN      SOA     nsauth1.example.com. postmaster.example.com. 2015041601 43200 3600 3600000 86400
example.com.             3600    IN      NS      nsauth1.example.com.
example.com.             3600    IN      MX      10 mx1.example.com.
www.example.com.         86400   IN      A       10.0.0.100
example.com.             3600    IN      NS      nsauth2.example.com.
example.com.             3600    IN      SOA     nsauth1.example.com. postmaster.example.com. 2015041601 43200 3600 3600000 86400
;; Query time: 3 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: ma jun 22 16:23:51 CEST 2015
;; XFR size: 6 records (messages 3, bytes 315)

3. With the zone2sql tool, convert the above information to a MySQL query:

zone2sql --gmysql --zone-name=example.com --zone=example.com.txt > example.com.sql

The output written to example.com.sql is like this:

insert into domains (name,type) values (example.com','NATIVE');
insert into records (domain_id, name, type,content,ttl,prio,disabled) select id ,'example.com', 'NS', 'nsauth1.example.com', 3600, 0, 0 from domains where name='example.com';

etc

4. Now import the generated .sql file in the MySQL/MariaDB backend server from commandline (assume the backend is running locally):

mysql -u root -p pdns < example.com.sql

After this is completed the new zone including all records is now available in the new authortitative server.

The PowerAdmin tool is very helpful (http://www.poweradmin.org/) and recently I managed to enable the LDAP user function which is very handy.

Set link status down for network interface

I Have encountered several situations where an “ifdown eth0” didn’t work, this command responded with an error or did nothing at all.

However, the command:

ip link set eth0 down

Did always work. 🙂

One of these situations were when configuring a teaming interface while the network cables were connected. When configuring a teaming interface, the slave interfaces must be in “down” state.

SSH key login without password

Create a public SSH key on your local server:

ssh-keygen -t rsa

Copy the public SSH key to the remote server

ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host

After this is completed you can login with the existing username (of course on both servers) without a password.
For extra security you can set a password on your key file when you create it with the first command.

Ubuntu realmd configuration

Install packages:

apt install realmd sssd adcli -y

Try if you can discover the Active Directory domain:
realm discover domain.local

Join the domain:
realm join domain.local -U admin.username

Add access group to be able to login with SSH:
realm permit -g 'gp-linux-admins'

Replace the current/generated sssd.conf:
cat << EOF > /etc/sssd/sssd.conf
[sssd]
domains = domain.local
config_file_version = 2
services = nss, pam


[domain/domain.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = DOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = domain.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
use_fully_qualified_names = False
simple_allow_groups = gp-linux-admins
EOF

Restart SSSD:
systemctl restart sssd

Enable automatic creation of homedirectory for the user:
cat << EOF >> /etc/pam.d/common-session
session optional pam_mkhomedir.so skel=/etc/skel umask=077
EOF

Remove file by inode (for hard to remove files)

It is sometimes difficult to remove a file which has special characters in the filename.

In these occasions it is the easiest to remove the file by it’s inode.

To find out what inode (number) is linked to what file enter:

ls -li

The result is something like this:

51249160 drwxr-xr-x  2 user group  4096 aug 22 16:16 Desktop
51249164 drwxr-xr-x  5 user group  4096 aug 18 23:04 Documents
51249161 drwxr-xr-x 12 user group 16384 sep  3 17:56 Downloads
54012956 -rw-rw-r--  1 user group     0 sep  3 18:14 file_to_delete.txt

The first column is the inode part, if you want to delete a file, you’ll need that number.

Now let’s remove the file: file_to_delete.txt

michiel@desktop:~$ find . -inum 54012956 -exec rm -i {} \;
rm: remove regular empty file ‘./file_to_delete.txt’? y

You will see, Linux detects the filename from the inode number, this way you can check if the file is really the file you want to delete.

Use at your own risk.