Chris Kim Oats87

@Oats87
Oats87 / generate_new_kubeconfig.sh
Created October 27, 2018 05:19
This bash script will sign an x509 certificate using the kube-ca located on any rancher node. This allows you to gain access back to your RKE-created kubernetes cluster should you lose the kube_config and cluster.yml for it, but still have SSH access to the hosts.
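#!/bin/bash
echo "This will generate a new kube config for accessing your RKE-created kubernetes cluster. This script MUST be run on a Kubernetes node."
echo "Please enter the IP of one of your control plane hosts, followed by [ENTER]:"
read -r cphost
# Generate a new 2048-bit RSA private key for the admin client certificate.
openssl genrsa -out kube-admin.key 2048
# Build a CSR whose subject places the user kube-admin in the system:masters group.
openssl req -new -sha256 -key kube-admin.key -subj "/O=system:masters/CN=kube-admin" -out kube-admin.csr
# Sign the CSR with the cluster CA key stored on the node; the certificate is valid for 365 days.
sudo openssl x509 -req -in kube-admin.csr -CA /etc/kubernetes/ssl/kube-ca.pem -CAcreateserial -CAkey /etc/kubernetes/ssl/kube-ca-key.pem -out kube-admin.crt -days 365 -sha256
# Remove the serial file that -CAcreateserial left next to the CA certificate.
sudo rm -f /etc/kubernetes/ssl/kube-ca.srl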
Oats87 / get_rancher_logs.sh
Created December 4, 2018 01:11
This grabs the rancher server logs from the pods running and tars them
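#!/bin/sh
# Timestamp shared by every log file and the final archive.
now=$(date +%Y-%m-%d-%H-%M-%S)
# Loop over every pod in cattle-system whose name contains "rancher".
for i in $(kubectl get po -n cattle-system | grep "rancher" | awk '{print $1}'); do
  echo "Collecting Rancher Logs from: $i"
  kubectl logs "$i" -n cattle-system > "cs-$i-$now.log"
done
# Archive only the logs written by this run, not stale cs-*.log files from earlier runs.
tar -zcvf "rancher-logs-$now.tar.gz" cs-*-"$now".log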
Oats87 / recreate_etcd_cert_secrets
Created December 6, 2018 23:56
Should be run from /etc/kubernetes/ssl on one of the etcd nodes
for i in $(ls | grep kube-etcd | grep key.pem); do
  # File names have the form kube-etcd-<a>-<b>-<c>-<d>-key.pem; pull out dash-separated fields 3-6.
  a=$(echo $i | awk -F"-" '{print $3}'); b=$(echo $i | awk -F"-" '{print $4}')
  c=$(echo $i | awk -F"-" '{print $5}'); d=$(echo $i | awk -F"-" '{print $6}')
  kubectl -n kube-system create secret generic kube-etcd-$a-$b-$c-$d \
    --from-literal=EnvName=KUBE_ETCD_${a}_${b}_${c}_${d} \
    --from-literal=KeyEnvName=KUBE_ETCD_${a}_${b}_${c}_${d}_KEY \
    --from-literal=KeyPath=/etc/kubernetes/ssl/kube-etcd-${a}-${b}-${c}-${d}-key.pem \
    --from-literal=Path=/etc/kubernetes/ssl/kube-etcd-${a}-${b}-${c}-${d}.pem \
    --from-file=Certificate=/etc/kubernetes/ssl/kube-etcd-${a}-${b}-${c}-${d}.pem \
    --from-file=Key=/etc/kubernetes/ssl/kube-etcd-${a}-${b}-${c}-${d}-key.pem
done
Oats87 / migrate-rancher-2-1-x-single-node
Created January 8, 2019 01:28
Steps for migrating a single-node 2.1.x installation to HA
docker run -d --restart unless-stopped --name rancher -p 80:80 -p 443:443 -v /host/rancher:/var/lib/rancher rancher/rancher:v2.1.5
docker exec -it rancher /bin/bash
# cd /var/lib/rancher
# tar -zcvf pki.bundle.tar.gz -C /etc/kubernetes/ssl .
# cp -r /etc/kubernetes/ssl .
# exit
docker run --net=container:$(docker ps | grep rancher | awk '{print $1}') -it --volumes-from rancher rancher/rke-tools:v0.1.20
Oats87 / gist:b056c1976fd0484e4f161ab063deb1b0
Created January 11, 2019 19:44
docker centos/rhel recommendations
# Docker 17.03.2 on RHEL/CentOS 7
Rancher has discovered a few issues when running upstream Docker 17.03.2 on RHEL/CentOS 7. This document records recommendations for Docker configuration to ensure reliability when operating Kubernetes and Rancher on RHEL/CentOS 7.
### Overlay2 Storage Driver
Currently, upstream Docker 17.03.2 performs a kernel version check before it enables overlay2, because official overlay2 support in the upstream Linux kernel was not enabled until kernel version 4.0 or higher. Red Hat backported overlay2 support to version 3.10.0-514 of their kernel.
Overlay2 support can be enabled by setting the following contents in the `/etc/docker/daemon.json` file and restarting Docker. Please note that you must do this on a fresh docker installation, or remove all running containers before performing this action.
```{
Oats87 / docker.json
Created January 17, 2019 21:38
centos/rhel docker.json config
{
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ],
  "exec-opts": [
    "native.cgroupdriver=systemd"
  ]
}
Oats87 / gist:d76e3c00e10e1774e633f1746cc263f7
Created February 2, 2019 05:39
dd to usb flash drive from iso on OS X
sudo diskutil list
sudo diskutil unmount /dev/disk<x>
hdiutil convert -format UDRW -o <img-to-flash> <original-iso>.iso
sudo dd if=<img-to-flash>.dmg of=/dev/rdisk<x> bs=4m
#!/bin/bash
export KUBECONFIG=$(pwd)/kube_config_cluster.yml
IFS=$'\n'; for i in $(kubectl get secrets --all-namespaces | grep "service-account-token"); do ns=$(echo $i | awk '{print $1}'); sec=$(echo $i | awk '{print $2}'); kubectl patch secret -n $ns $sec -p '{"metadata":{"finalizers": []}}' --type=merge && kubectl delete secret $sec -n $ns --wait=false; done
IFS=$'\n'; for i in $(kubectl get pods --all-namespaces | grep -v "NAME"); do ns=$(echo $i | awk '{print $1}'); pod=$(echo $i | awk '{print $2}'); kubectl delete pod $pod -n $ns --wait=false; done
mkdir -p /etc/docker
cat << EOF > /etc/docker/daemon.json
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "6"
  }
}
EOF
cat << EOF >> /etc/sysctl.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.core.somaxconn = 32768
EOF