Backslash

Appearance

Blogs

 

  • K8s Cluster

    K8s cluster

    Create a cluster on VMs using libvirt. See article on initial libvirt/qemu

    Spawning VMs

    This article is written on the basis of a relative clean Debian VM that will serve eventually as one of 3 nodes. So start by cloning 2 times into 3 total VMs.

    Create the clones

    sh
    virt-clone --original k8s-master-01 --name k8s-worker-01 --file /mnt/ssd1/vms/kvm/k8s-worker-01.qcow2

    Start it up and make them appear unique (MACaddress is already handled)

    1. Change the Hostname
    sh
    sudo hostnamectl set-hostname k8s-worker-01
sudo sed -i "s/k8s-master-01/k8s-worker-01/g" /etc/hosts

    reboot

    1. Reset the Machine ID (Crucial for K8s)
    sh
    sudo rm -f /etc/machine-id /var/lib/dbus/machine-id
sudo systemd-machine-id-setup
sudo dbus-uuidgen --ensure
    1. Disable swap on all nodes
    sh
    sudo swapoff -a
sudo sed -i '/swap/s/^/#/' /etc/fstab
    1. Enable nftables

    nftables is default from k8s 1.33. So you should enable it so kubernetes can add its stuff. Unless you might end up with kubernetes starting to awaken iptables

    Leave the default nftsbles file if want no firewall restrictions to begin with

    sh
    sudo systemctl enable --now nftables
sudo systemctl start nftables

    Example of /etc/nftables.conf with some rules

    sh
    #!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ip protocol icmp accept
        tcp dport 22 accept  # SSH
        # K8s Control Plane (Run this on Master)
        tcp dport 6443 accept
        tcp dport { 2379, 2380 } accept
        # K8s Node Communication (Run on all nodes)
        tcp dport 10250 accept
        # CNI Overlay (Allow nodes to "tunnel" to each other)
        # If using Calico
        tcp dport 179 accept 
        udp dport 4789 accept
        tcp dport 443 accept
        ip protocol 4 accept

        # nodeports
        tcp dport 30000-32767 accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}
    1. Make sure your nodes has STATIC IPs.

    or else you need to tear the whole thing down later probably

    Reboot

    Installing k8s

    sudo apt install -y apt-transport-https ca-certificates curl gpg

    containerd.io

    See docker homepage for up to date instructions

    sh
    sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

sudo tee /etc/apt/sources.list.d/docker.sources <<EOF
Types: deb
URIs: https://download.docker.com/linux/debian
Suites: $(. /etc/os-release && echo "$VERSION_CODENAME")
Components: stable
Signed-By: /etc/apt/keyrings/docker.asc
EOF

sudo apt update
sudo apt install containerd.io

    config container.io

    sh
    containerd config default | sudo tee /etc/containerd/config.toml > /dev/null

sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/g' /etc/containerd/config.toml

sudo systemctl restart containerd

    K8s

    sh
    curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.35/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg

echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.35/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list

sudo apt update
sudo apt install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl

    modeprobe overlay

    sh
    cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF

sudo modprobe overlay
sudo modprobe br_netfilter

    enable network forwarding

    sh
    sudo tee /etc/sysctl.d/kubernetes.conf <<EOT
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOT

sudo sysctl --system

    verify

    sh
    sudo sysctl net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.ipv4.ip_forward

    all should be 1

    Initialize

    (only master node)

    sh
    sudo kubeadm init --apiserver-advertise-address=192.168.1.190 --pod-network-cidr=10.244.0.0/16

    To reset

    sh
    sudo kubeadm reset -f
sudo rm -rf /etc/cni/net.d

    Expected answer

    bash
    Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.1.190:6443 --token x \
        --discovery-token-ca-cert-hash sha256:x

    save the command from this output and use it to join worker nodes later

    Verify first time

    sh
    kubectl get nodes

    Expected response before set up network and other nodes:

    bash
    NAME            STATUS     ROLES           AGE     VERSION
k8s-master-01   NotReady   control-plane   3m33s   v1.35.2

    Status NotReady is fine. Now is an OK time to join in a worker node if its ready. Can also add it any time later

    sh
    kubeadm join 192.168.1.190:6443 --token x \
        --discovery-token-ca-cert-hash sha256:x

    Network

    Container Network Interface (CNI) must be added before the cluster actually can do anything useful besides existing

    (only master node)

    Calico

    sh
    kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.30.0/manifests/calico.yaml

kubectl set env daemonset/calico-node  -n kube-system IP_AUTODETECTION_METHOD=interface=enp1s0

    TIP

    After CNI its a really good time to bootstrap GitOps with for example FluxCD

    Verify 2: Test app

    sh
    kubectl create deployment nginx-test --image=nginx --replicas=2

kubectl expose deployment nginx-test --port=80 --target-port=80 --type=NodePort
kubectl get svc nginx-test # get port and test in browser

    Load balancer

    kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.15.3/config/manifests/metallb-native.yaml

    make metallb-config.yaml

    yaml
    apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: first-pool
  namespace: metallb-system
spec:
  addresses:
  - 192.168.1.50-192.168.1.60

  • KVM Qemu Windows 11

    Links

    How to Properly Install a Windows 11 Virtual Machine on KVM

    Add new VM

    After you have downloaded a Win 11 ISO image just follow the wizard as far as auto detecting OS and whatever you decide to do with the disk and stuff

    After going through the wizard you might not be able to boot it on the first attempt. Try add manually mount a 2nd CDROM with the same Win 11 image and it might just work.

    Without network

    Smart to install it without network so you get a local user easier.

    You might get stuck on "let's connect to a network"

    W11 install, stuck in "let's connect to a network" but there are no networks

    Hit shift + F10 > then type/write OOBE\BYPASSNRO and hit enter.

    It'll restart and you have to select language and country again, then you should be able to select "I don't have internet"

    Guest tools

    Downlod virtio-win.iso

    sh
    wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso

    Mount it to CD-ROM

    Then open virtio-win-guest-tools inside Windows 11

    After this have been installed you should be able to Auto scale

    On the top menu of the guest window

    View -> Scale Display -> Auto resize VM with window

    Network

    When using nftables you need to apply this

    nft
    #!/usr/sbin/nft -f

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0;

    # accept any localhost traffic
    iif lo accept

    # accept traffic originated from us
    ct state established,related accept

    #

  • OpenVPN Server

    OpenVPN Server

    So just a guide based on explanations from Google Gemini

    The following would be a set of commands and expected responses

    Step 1 Install

    sh
    sudo apt install openvpn easy-rsa -y

    Step 2 Initialize the PKI Directory

    Recommended: Create and secure a new directory for your CA

    sh
    make-cadir ~/openvpn-pki
cd ~/openvpn-pki

    Step 3 Create the Certificate Authority (CA)

    sh
    # Initialize the PKI environment
./easyrsa init-pki

    Response

    sh
    init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /home/atle/openvpn-pki/pki

Using Easy-RSA configuration:
* /home/atle/openvpn-pki/vars

    Build the CA. You will be prompted to enter a CA Passphrase. Make this secure and write it down.

    sh
    ./easyrsa build-ca

    Response

    sh
    CA creation complete. Your new CA certificate is at:
* /home/atle/openvpn-pki/pki/ca.crt

    Step 4 Generate Server Keys and Certificate

    Generate the server key and CSR. 'server' is the Common Name (CN). ./easyrsa gen-req server nopass

    sh
    Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /home/atle/openvpn-pki/pki/reqs/server.req
* key: /home/atle/openvpn-pki/pki/private/server.ke

    Sign the server certificate using the CA. You will be prompted for the CA Passphrase.

    sh
    ./easyrsa sign-req server server

    Response

    sh
    * /home/atle/openvpn-pki/vars
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
You are about to sign the following certificate:

  Requested CN:     'small'
  Requested type:   'server'
  Valid for:        '825' days


subject=
    commonName                = small

Type the word 'yes' to continue, or any other input to abort.
  Confirm requested details: yes

Using configuration from /home/atle/openvpn-pki/pki/1fa12698/temp.1.1
Enter pass phrase for /home/atle/openvpn-pki/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'small'
Certificate is to be certified until Dec 30 21:42:44 2027 GMT (825 days)

Write out database with 1 new entries
Database updated

Notice

  • Bitcoin LND

    How to run and operate a Bitcoind LND node

  • FreeBSD Samsung Cronos

    How to install FreeBSD alongside Linux and dual boot from GRUB with EFI enabled on a Samsung Cronos

  • FreeBSD install

    How to install FreeBSD and get some basic stuff up and running

  • .NET Core cli commands

    Collection of typical operations on .NET (dotnet) CLI (command-line interface)

  • ES6 modules

    ES6 modules and how to use them correctly

  • JS useful tricks

    JS tricks and standard functions that is not so commonly used

  • Linux Network

    Commands and recipes for network operations

  • nmcli how to use

    Network manager command line interface how to do typical operations

  • SQL Server Docker

    How you use SQL Server in Linux environment using docker, sqlcmd and VSCode

  • SSH best practices

    How to utilize the security features of ssh and use great features like public key encryption

  • GIT tricks

    GIT tricks that are not so commonly used