This commit is contained in:
Sharad Ahlawat 2021-04-20 12:34:43 -07:00
parent 2e8bdabea2
commit 10b9cbeead
22 changed files with 483 additions and 4 deletions


@ -86,6 +86,7 @@ add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login add include $devfsrules_unhide_login
add path fuse unhide add path fuse unhide
add path zfs unhide add path zfs unhide
add path 'bpf*' unhide
# members of group uucp can access all usb and tty devices # members of group uucp can access all usb and tty devices
[usbrules=100] [usbrules=100]
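Review bot: The added `add path 'bpf*' unhide` makes the packet-capture devices visible to every jail that includes the ruleset this hunk belongs to, so any root process in such a jail can open bpf and sniff traffic on the host interfaces it can see. The ruleset header is above the hunk, so I cannot tell whether this is a shared unhide set or one specific to the capture jail; if it is shared, move the line into a ruleset used only by the jail that needs it (presumably the suricata host, given the logstash change in this commit) and record the reason inline, e.g. `# bpf: packet capture for the suricata jail only`.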


@ -28,6 +28,7 @@ node.name: node-1
xpack.security.audit.enabled: true xpack.security.audit.enabled: true
xpack.security.enabled: true xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true
xpack.security.http.ssl.enabled: true xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: certs/diyprivkeyr.pem xpack.security.http.ssl.key: certs/diyprivkeyr.pem
@ -36,6 +37,10 @@ xpack.security.http.ssl.certificate_authorities: certs/cacert.pem
xpack.security.transport.ssl.key: certs/diyprivkeyr.pem xpack.security.transport.ssl.key: certs/diyprivkeyr.pem
xpack.security.transport.ssl.certificate: certs/diyfullchain.pem xpack.security.transport.ssl.certificate: certs/diyfullchain.pem
xpack.security.transport.ssl.certificate_authorities: certs/cacert.pem xpack.security.transport.ssl.certificate_authorities: certs/cacert.pem
xpack.monitoring.collection.enabled: true
xpack.monitoring.elasticsearch.collection.enabled: false
# #
# ----------------------------------- Paths ------------------------------------ # ----------------------------------- Paths ------------------------------------
# #


@ -23,7 +23,7 @@
-Xms8G -Xms8G
-Xmx8G -Xmx8G
-XX:MaxMetaspaceSize=2G -XX:MaxMetaspaceSize=2G
-Xss2G -Xss1G
-Xnoclassgc -Xnoclassgc
-XX:MaxDirectMemorySize=2G -XX:MaxDirectMemorySize=2G


@ -58,6 +58,9 @@ server.ssl.key: /mnt/certs/diyprivkeyr.pem
#elasticsearch.ssl.certificate: /path/to/your/client.crt #elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key #elasticsearch.ssl.key: /path/to/your/client.key
xpack.security.enabled: true
xpack.encryptedSavedObjects.encryptionKey: "something_at_least_32_characters_this_is_it"
# Optional setting that enables you to specify a path to the PEM file for the certificate # Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance. # authority for your Elasticsearch instance.
elasticsearch.ssl.certificateAuthorities: [ "/mnt/certs/cacert.pem" ] elasticsearch.ssl.certificateAuthorities: [ "/mnt/certs/cacert.pem" ]
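Review bot: The `xpack.encryptedSavedObjects.encryptionKey` value added here is a fixed, human-readable string committed to the repository; this key protects credentials stored inside saved objects (alerting connectors and similar), so anyone with read access to the repo can decrypt them, and the value reads like a placeholder rather than a generated key. Generate a random key with `bin/kibana-encryption-keys generate` and keep it out of the file via `bin/kibana-keystore add xpack.encryptedSavedObjects.encryptionKey`, leaving only a comment such as `# encryptedSavedObjects.encryptionKey is held in the kibana keystore` in the committed config. `xpack.security.enabled: true` on the preceding added line is fine as is.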


@ -1,4 +1,4 @@
# Copyright (c) 2018-2021, diyIT.org # Copyright (c) 2018-2020, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -18,6 +18,23 @@ input {
} }
} }
filter {
if "suricata" in [tags] {
json {
source => "message"
}
date {
match => [ "timestamp", "ISO8601" ]
}
if ![geoip] and [src_ip] !~ /^(10\.|192\.168\.)/ {
geoip {
add_tag => [ "GeoIP" ]
source => "src_ip"
}
}
}
}
output { output {
elasticsearch { elasticsearch {
ssl => true ssl => true
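Review bot: The private-address exclusion in the added `if ![geoip] and [src_ip] !~ /^(10\.|192\.168\.)/` covers only 10/8 and 192.168/16, so events from 172.16/12 and loopback sources still reach the geoip filter and come back as lookup failures; `if ![geoip] and [src_ip] and [src_ip] !~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ {` closes the gap and also makes the behaviour for suricata events that carry no `src_ip` explicit, since `!~` against a missing field may not evaluate the way the intent suggests. The `filter { }` block is complete within the hunk; the `input { }` block whose closing braces open the hunk starts above it.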


@ -98,8 +98,8 @@ output.elasticsearch:
# Authentication credentials - either API key or username/password. # Authentication credentials - either API key or username/password.
#api_key: "id:api_key" #api_key: "id:api_key"
#username: "elastic" username: "demo"
#password: "changeme" password: "demo"
# ------------------------------ Logstash Output ------------------------------- # ------------------------------ Logstash Output -------------------------------
#output.logstash: #output.logstash:
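Review bot: One side of the changed `username`/`password` lines carries a plaintext credential pair (`"demo"`/`"demo"`) for the Elasticsearch output, and the rendered page does not show which side is current; if the commit introduces it rather than removes it, move the secret into the Beats keystore (`filebeat keystore add ES_PWD`) and reference it as `password: "${ES_PWD}"` so the config file stays free of credentials. Even a demo account's password tends to outlive the demo once it is in history. The `output.elasticsearch:` block starts above the hunk.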


@ -0,0 +1,25 @@
cd pyserver
docker build -t localhost:5000/pyserver:0.1 -f Dockerfile .
# docker build -t sahlawat/pyserver:0.1 -f Dockerfile .
docker run -it -p 8080:8080 --rm localhost:5000/pyserver:0.1
# curl localhost:8080
# docker run -d -p 8080:8080 diyit/pyserver:0.1
docker push localhost:5000/pyserver:0.1
kubectl create namespace demo
kubectl config set-context --current --namespace=demo
kubectl create deployment myapp --image=localhost:5000/pyserver:0.1
kubectl expose deployment myapp --port=8080 --type=LoadBalancer
# kubectl get service
# kubectl get all
# curl 172.18.255.200:8080
kubectl scale deployment myapp --replicas=3
# kubectl get service
kubectl delete service myapp
kubectl delete deployment myapp
kubectl delete namespace/demo


@ -0,0 +1,21 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: myapp
name: myapp
spec:
replicas: 1
selector:
matchLabels:
app: myapp
template:
metadata:
labels:
app: myapp
spec:
containers:
- name: myapp
image: localhost:5000/pyserver:v1
ports:
- containerPort: 8080
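Review bot: `image: localhost:5000/pyserver:v1` in this Deployment does not match the tag built and pushed elsewhere in the commit (`localhost:5000/pyserver:0.1` in the build notes and in the pyserver Pod manifest), so unless a `v1` tag is pushed separately the pod will sit in ImagePullBackOff; `image: localhost:5000/pyserver:0.1` aligns it. The container also declares no `resources` and no `securityContext`; the app listens on 8080 and needs no privilege, so `runAsNonRoot: true` would be a cheap addition once the image itself stops running as root. Indentation appears lost in the rendered view, so I have not checked the YAML structure itself.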


@ -0,0 +1,9 @@
FROM python:3.8-slim-buster
WORKDIR /usr/src/app
COPY requirements.txt ./
RUN pip install --upgrade pip
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
ENTRYPOINT ["python"]
EXPOSE 8080
CMD ["app.py"]
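Review bot: The image runs the Flask app as root: there is no `USER` instruction anywhere after `COPY . .`, so a compromise of the web process is a root shell inside the container. Add a dedicated account before the entrypoint, `RUN useradd --system --uid 1001 --no-create-home app` followed by `USER app`; port 8080 is unprivileged so nothing else changes. `COPY . .` also pulls the build notes and any other local files into the image; copying `app.py` explicitly (or adding a `.dockerignore`) keeps the image to what it needs.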

14
k8s/apps/pyserver/app.py Normal file

@ -0,0 +1,14 @@
from flask import Flask
import os
app = Flask(__name__)
@app.route('/')
def hello_world(count=0):
count += 1
return "Hello World! #" + str(count) + "\nfrom: " + os.getenv('HOSTNAME', "unknown") + "\n"
if __name__ == '__main__':
app.run(host='0.0.0.0', port='8080')
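Review bot: `count` in `hello_world(count=0)` is a per-call local — `count += 1` rebinds it to 1 on every request and the default is never updated — so the response always reads `Hello World! #1`; if a per-process request counter is intended, hold it at module scope, e.g. `_requests = itertools.count(1)` with `str(next(_requests))` in the return, and note that it is per replica. `app.run(host='0.0.0.0', port='8080')` starts the Werkzeug development server, which is not meant to face a network; for the container image a WSGI server should wrap `app` instead, with this block kept for local runs. The function body's indentation appears lost in the rendered view.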


@ -0,0 +1,3 @@
flask
flask_cors
dapr
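Review bot: None of the three requirements is pinned, so every build resolves whatever is newest on PyPI; the image is not reproducible and a bad or hijacked release lands in it on the next build. Pin each entry to the version actually tested, e.g. `flask==<tested version>` (placeholder), and consider `pip install --require-hashes` with a hash-locked file for the Dockerfile. The `app.py` added in this commit imports only `flask` and `os`, so `flask_cors` and `dapr` appear unused and could be dropped.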


@ -0,0 +1,35 @@
kind: Pod
apiVersion: v1
metadata:
name: pyserver
labels:
app: pyserver
spec:
containers:
- name: pyserver
image: localhost:5000/pyserver:0.1
---
kind: Service
apiVersion: v1
metadata:
name: pyserver
spec:
selector:
app: pyserver
ports:
# Port used by the Docker image
- port: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pyserver-ingress
spec:
rules:
- http:
paths:
- path: /
backend:
serviceName: pyserver
servicePort: 8080
---
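Review bot: The Ingress is declared as `networking.k8s.io/v1` but its backend uses the v1beta1 fields `serviceName`/`servicePort` and omits the `pathType` that v1 requires, so the API server will reject the object; the path entry needs the v1 backend shape shown below. There is also no `ingressClassName`, which is fine only if the cluster has a default class; the setup notes in this commit still list ingress as TBD. Indentation is lost in the rendered view, so the excerpt below is written with conventional indentation.
```yaml
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: pyserver
            port:
              number: 8080
```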


@ -0,0 +1,18 @@
# a cluster with 3 control-plane nodes and 3 workers
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: control-plane
- role: control-plane
- role: worker
- role: worker
- role: worker
networking:
disableDefaultCNI: true
podSubnet: "10.10.0.0/16"
serviceSubnet: "10.11.0.0/16"
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"]
endpoint = ["http://kind-registry:5000"]


@ -0,0 +1,17 @@
# a cluster with 3 control-plane nodes and 3 workers
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: control-plane
- role: control-plane
- role: worker
- role: worker
- role: worker
networking:
podSubnet: "10.20.0.0/16"
serviceSubnet: "10.21.0.0/16"
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"]
endpoint = ["http://kind-registry:5000"]


@ -0,0 +1,56 @@
# a cluster with 3 control-plane nodes and 3 workers
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 80
hostPort: 80
protocol: TCP
- containerPort: 443
hostPort: 443
protocol: TCP
- role: control-plane
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 80
hostPort: 80
protocol: TCP
- containerPort: 443
hostPort: 443
protocol: TCP
- role: control-plane
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 80
hostPort: 80
protocol: TCP
- containerPort: 443
hostPort: 443
protocol: TCP
- role: worker
- role: worker
- role: worker
networking:
podSubnet: "10.20.0.0/16"
serviceSubnet: "10.21.0.0/16"
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"]
endpoint = ["http://kind-registry:5000"]
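Review bot: All three control-plane nodes declare `extraPortMappings` for host ports 80 and 443, but a host port can be published by only one node container at a time, so `kind create cluster` with this config should fail when the second node tries to bind them. Keep the `ingress-ready=true` label and the two port mappings on a single control-plane node and reduce the other two to plain `- role: control-plane` entries, as the other kind configs in this commit already do. The file name is not shown on the page, so I cannot tell which `kind create cluster` line in the setup notes refers to it.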


@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
namespace: metallb-system
name: config
data:
config: |
address-pools:
- name: default
protocol: layer2
addresses:
- 172.18.255.200-172.18.255.250
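Review bot: The layer2 pool `172.18.255.200-172.18.255.250` is hard-coded, and it only works if it lies inside the subnet Docker assigned to the `kind` network — the setup notes run `docker network inspect -f '{{.IPAM.Config}}' kind` immediately before applying this file, which suggests the value was read off that output. A comment such as `# must fall inside the docker 'kind' network subnet; check: docker network inspect -f '{{.IPAM.Config}}' kind` would save the next person from a silent pool/subnet mismatch.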

37
k8s/metallb-test.yaml Normal file

@ -0,0 +1,37 @@
kind: Pod
apiVersion: v1
metadata:
name: foo-app
labels:
app: http-echo
spec:
containers:
- name: foo-app
image: hashicorp/http-echo:0.2.3
args:
- "-text=foo"
---
kind: Pod
apiVersion: v1
metadata:
name: bar-app
labels:
app: http-echo
spec:
containers:
- name: bar-app
image: hashicorp/http-echo:0.2.3
args:
- "-text=bar"
---
kind: Service
apiVersion: v1
metadata:
name: foo-service
spec:
type: LoadBalancer
selector:
app: http-echo
ports:
# Default port used by the image
- port: 5678

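--- a/k8s/registry/kind-registry.sh
+++ b/k8s/registry/kind-registry.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+reg_name='kind-registry'
+reg_port='5000'
+running="$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)"
+if [ "${running}" != 'true' ]; then
+docker run \
+-d --restart=always -p "${reg_port}:5000" --name "${reg_name}" \
+registry:latest
+fi
+docker network connect "kind" "kind-registry"
+# http://localhost:5000/v2/_catalog
+# Portainer local
+# https://documentation.portainer.io/v2.0/deploy/ceinstalldocker/
+docker volume create portainer_data
+docker run -d -p 9000:9000 --name=portainer --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce
+docker run -d -p 9001:9001 --name portainer_agent --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/docker/volumes:/var/lib/docker/volumes portainer/agent
+# Endpoints->Type:Docker->Connect via:socket
+# http://localhost:9000
+# Portainer kind
+# https://documentation.portainer.io/v2.0/deploy/ceinstallk8s/
+helm repo add portainer https://portainer.github.io/k8s/
+helm repo update
+helm install --create-namespace -n portainer portainer portainer/portainer --set service.type=LoadBalancer
+# kubectl get services --all-namespaces
+# http://lbIP:9000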
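Review bot: The two Portainer `docker run` lines hand the containers the Docker socket (`-v /var/run/docker.sock:/var/run/docker.sock`, which is root on the host) and at the same time publish them on every interface with `-p 9000:9000` / `-p 9001:9001`; for a workstation setup bind them to loopback, `-p 127.0.0.1:9000:9000` and `-p 127.0.0.1:9001:9001`, and do the same for the unauthenticated registry with `-p "127.0.0.1:${reg_port}:5000"` (kind nodes reach it over the `kind` network, not the published port, so the mirror config keeps working). `docker network connect "kind" "kind-registry"` bypasses `${reg_name}` and runs unconditionally, so a second invocation fails on an already-connected network; guard it the way the `running` check guards the start. `registry:latest` and the two Portainer images are unpinned, and with no `set -e` a failed registry start is followed silently by the rest of the script.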


@ -0,0 +1,80 @@
apiVersion: v1
kind: Namespace
metadata:
name: portainer
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: portainer-sa-clusteradmin
namespace: portainer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: portainer-crb-clusteradmin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: portainer-sa-clusteradmin
namespace: portainer
---
apiVersion: v1
kind: Service
metadata:
name: portainer-agent
namespace: portainer
spec:
type: LoadBalancer
selector:
app: portainer-agent
ports:
- name: http
protocol: TCP
port: 9001
targetPort: 9001
---
apiVersion: v1
kind: Service
metadata:
name: portainer-agent-headless
namespace: portainer
spec:
clusterIP: None
selector:
app: portainer-agent
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: portainer-agent
namespace: portainer
spec:
selector:
matchLabels:
app: portainer-agent
template:
metadata:
labels:
app: portainer-agent
spec:
serviceAccountName: portainer-sa-clusteradmin
containers:
- name: portainer-agent
image: portainer/agent:latest
imagePullPolicy: Always
env:
- name: LOG_LEVEL
value: DEBUG
- name: AGENT_CLUSTER_ADDR
value: "portainer-agent-headless"
- name: KUBERNETES_POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
ports:
- containerPort: 9001
protocol: TCP
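Review bot: The agent runs under a ServiceAccount bound to the `cluster-admin` ClusterRole and is published through a `type: LoadBalancer` Service on 9001, so whoever can reach that address and speak the agent protocol effectively holds cluster-admin; the manifest sets no `AGENT_SECRET`, which is what the Portainer agent uses to authenticate the server that connects to it. Either set `AGENT_SECRET` from a Secret (not inline in the manifest) or switch the Service to `ClusterIP` and reach it by port-forward, which matches the single-workstation use the rest of this commit implies. `image: portainer/agent:latest` with `imagePullPolicy: Always` and `LOG_LEVEL: DEBUG` look like copied defaults; pin the tag and drop debug logging once it works. This appears to be the upstream Portainer LB manifest; if it is vendored verbatim, the same points apply to the source.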

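--- a/k8s/setup-kind-cilium.txt
+++ b/k8s/setup-kind-cilium.txt
@@ -0,0 +1,72 @@
+https://docs.cilium.io/en/v1.9/gettingstarted/kind/
+kind create cluster --name=kind-cilium --config kind-cilium-config.yaml
+kubectl cluster-info --context kind-kind-cilium
+kubectl config use-context kind-kind-cilium
+helm repo add cilium https://helm.cilium.io/
+docker pull cilium/cilium:v1.9.5
+kind load docker-image --name kind-cilium cilium/cilium:v1.9.5
+helm install cilium cilium/cilium --version 1.9.5 \
+--namespace kube-system \
+--set nodeinit.enabled=true \
+--set kubeProxyReplacement=partial \
+--set hostServices.enabled=false \
+--set externalIPs.enabled=true \
+--set nodePort.enabled=true \
+--set hostPort.enabled=true \
+--set bpf.masquerade=false \
+--set image.pullPolicy=IfNotPresent \
+--set ipam.mode=kubernetes
+kubectl create ns cilium-test
+kubectl apply -n cilium-test -f https://raw.githubusercontent.com/cilium/cilium/v1.9/examples/kubernetes/connectivity-check/connectivity-check.yaml
+# kubectl get pods --namespace cilium-test
+export CILIUM_NAMESPACE=kube-system
+helm upgrade cilium cilium/cilium --version 1.9.5 \
+--namespace $CILIUM_NAMESPACE \
+--reuse-values \
+--set hubble.listenAddress=":4244" \
+--set hubble.relay.enabled=true \
+--set hubble.ui.enabled=true
+> kubectl port-forward -n $CILIUM_NAMESPACE svc/hubble-ui --address 0.0.0.0 --address :: 12000:80
+# open http://localhost:12000/ to access the UI
+export HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)
+curl -LO "https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-amd64.tar.gz"
+curl -LO "https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-amd64.tar.gz.sha256sum"
+sha256sum --check hubble-linux-amd64.tar.gz.sha256sum
+tar zxf hubble-linux-amd64.tar.gz
+sudo mv hubble /usr/local/bin
+> kubectl port-forward -n $CILIUM_NAMESPACE svc/hubble-relay --address 0.0.0.0 --address :: 4245:80
+# hubble --server localhost:4245 status
+# hubble --server localhost:4245 observe
+kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/master/manifests/namespace.yaml
+kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)"
+kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/master/manifests/metallb.yaml
+# kubectl get pods -n metallb-system --watch
+docker network inspect -f '{{.IPAM.Config}}' kind
+kubectl apply -f metallb-configmap.yaml
+Test metallb:
+kubectl apply -f metallb-test.yaml
+LB_IP=$(kubectl get svc/foo-service -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
+# should output foo and bar on separate lines
+for _ in {1..10}; do
+curl ${LB_IP}:5678
+done
+Ingress TBD:
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/kind/deploy.yaml
+kubectl wait --namespace ingress-nginx \
+--for=condition=ready pod \
+--selector=app.kubernetes.io/component=controller \
+--timeout=90s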
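Review bot: Both `kubectl port-forward ... --address 0.0.0.0 --address ::` lines publish the Hubble UI and the Hubble relay on every interface of the workstation with nothing authenticating in front of them; the default loopback-only binding serves the `open http://localhost:12000/` step just as well, so drop the two `--address` flags unless remote access is actually wanted. The MetalLB and ingress-nginx manifests are applied from `master` rather than a release tag, so a re-run installs whatever is at HEAD that day; pinning to the tested release (placeholder `vX.Y.Z` in the URL path) makes the procedure reproducible, and the same applies to the MetalLB lines in the vanilla setup notes of this commit. The Hubble download is checked against a sha256sum fetched from the same release, which guards the transfer but not the publisher; fine for a lab, worth knowing.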


@ -0,0 +1,15 @@
https://kind.sigs.k8s.io/docs/user/quick-start/
https://kind.sigs.k8s.io/docs/user/loadbalancer
kind create cluster --name=kind-vanilla --config kind-vanilla-config.yaml
kubectl cluster-info --context kind-kind-vanilla
kubectl config use-context kind-kind-vanilla
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/master/manifests/namespace.yaml
kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)"
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/master/manifests/metallb.yaml
# kubectl get pods -n metallb-system --watch
docker network inspect -f '{{.IPAM.Config}}' kind
kubectl apply -f metallb-configmap.yaml

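--- a/sync-k8s.sh
+++ b/sync-k8s.sh
@@ -0,0 +1,11 @@
+#!/usr/local/bin/bash
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+rsync -av --del ahlawat@cvm-b:k8s/ k8s/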
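Review bot: `rsync -av --del ahlawat@cvm-b:k8s/ k8s/` removes anything under the local `k8s/` that is absent on `cvm-b`, which includes edits made only in this checkout, and the script gives no hint of that. A comment above the command, `# --del: local k8s/ files that no longer exist on cvm-b are removed; try -n first`, makes the direction and the destructive flag explicit; the remote path being relative to the remote user's home is likewise worth one line.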