mjhuber

Istio Upgrade from 1.0.2 to 1.1.0.snapshot.1

documentation

TLDR; the upgrade went ok. You might have problems depending on your mtls configuration. You could have downtime if you don't adjust replicaCount & hpa settings for your gateways.

I created a GKE cluster and deployed istio 1.0.2 via helm, using all the default values.

• add certificates to ingress gateway
• enable mtls
• deploy sample httpbin application

mjhuber

HPA Autoscale Demo

1. I Created the manifests in hpa-demo namespace:

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: nginx
  labels:

mjhuber

MTLS Migration

I got most of this info from Istio and there is some tertiary info here.

Use Case

This should be used to migrate towards an istio implementation. Since existing services are not using istio, some won't be able to use MTLS. This allows you to gradually migrate.

Steps

mjhuber

travis_fold:start:services
travis_time:start:14301690
$ sudo service docker start
start: Job is already running: docker

travis_time:end:14301690:start=1532301407880208255,finish=1532301407898748510,duration=18540255
travis_fold:end:services

travis_fold:start:git.checkout
travis_time:start:04f399a1

mjhuber

Easier Openstack Namespaces:

1. Put all your rc files in ~/openstack
2. Add below to your .bashrc:

# openstack rc helper function
osns () {
	for i in $(env | grep OS | cut -d = -f 1) ; do unset $i ; done
	source "$(find ~/openstack/ -type f -name $@* | head -n 1)"
}

mjhuber

Technical Challenge: Webapp deployment to AWS

The application has been deployed with the provided AWS resources and is available to view at http://testweb-elb-2116775699.eu-central-1.elb.amazonaws.com

Requirements

A one line command that, when invoked, deploys a webapp.

• App must be deployed to an EC2 instance in AWS
• The default page of the webapp must be viewable by a URL provided as output to the command.
• The webapp must not be a generic nginx or apache setup
• Only spend 3 hours creating

mjhuber

[defaults]
forks = 20
internal_poll_interval = 0.001

[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o PreferredAuthentications=publickey
pipelining = true

mjhuber

#!/bin/bash

/usr/bin/docker ps --format='{{.ID}}' | \
xargs -n 1 -r /usr/bin/docker inspect -f '{{.ID}} {{.State.Running}} {{.State.StartedAt}}' | \
awk '$2 == "true" && $3 <= "'$(date -d 'yesterday' -Ins --utc | sed 's/+0000/Z/')'" { print $1 }' | \
xargs -r /usr/bin/docker kill

mjhuber

#!/bin/sh 
# snbforums thread:
# https://www.snbforums.com/threads/country-blocking-script.36732/page-2#post-311407

# Re-download blocklist if locally saved blocklist is older than this many days
BLOCKLISTS_SAVE_DAYS=15

# For the users of mips routers (kernel 2.x): You can now block sources with IPv6 with country blocklists
# Enable if you want to add huge country IPv6 netmask lists directly into ip6tables rules.
# Also, enabling this will add a *lot* of processing time!

mjhuber

version: '2'

services:
  proxy:
    image: traefik:latest
    container_name: proxy
    networks:
      - frontend
    restart: on-failure
    ports: