Attention: this is the key used to sign certificate requests; anyone holding it can sign certificates on your behalf, so keep it in a safe place!
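# Generate the CA's 4096-bit RSA private key, passphrase-protected (prompted).
# -aes256 replaces -des3: 3DES is a legacy 64-bit-block cipher that is
# deprecated for new use, while the resulting PEM file is still read the same
# way by openssl req/x509/ca. The subshell umask keeps the key file owner-only
# regardless of the caller's umask.
(umask 077 && openssl genrsa -aes256 -out rootCA.key 4096)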
# get journal logs from systemd services | |
# journalctl -u <service name>.service | |
# journalctl -u <service name>.service -n 100 --no-pager |
# Fetch the openssh and iptables cookbooks from the Chef Supermarket, unpack
# them locally, then upload both to the Chef server.
# NOTE(review): integrity of the downloaded archives rests on the TLS
# connection to the Supermarket; there is no separate signature check here.

openssh_tarball='openssh-2.10.3.tar.gz'
iptables_tarball='iptables-8.0.0.tar.gz'

# fetch_cookbook NAME TARBALL: download a cookbook from the Supermarket and
# extract the archive it produces into the current directory.
fetch_cookbook() {
  local name=$1
  local tarball=$2
  knife supermarket download "$name"
  tar -xzvf "$tarball"
}

knife supermarket search openssh
fetch_cookbook openssh "$openssh_tarball"
fetch_cookbook iptables "$iptables_tarball"

knife cookbook upload iptables
knife cookbook upload openssh
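#!/bin/bash
# Bootstrap for the devops tooling: fetch the SSH private key used to reach
# the hosts, then look up the bastion/target private IPs in us-west-2.
#
# Required env:
#   DEVOPS_SSH_PRIVATE_KEY  URL from which the key is fetched with wget.
# Requires the aws CLI with credentials for the account being queried.

: "${DEVOPS_SSH_PRIVATE_KEY:?DEVOPS_SSH_PRIVATE_KEY (URL of the SSH key) must be set}"

ssh_dir="$HOME/.ssh"
key_file="$ssh_dir/devops_id_rsa"

# The key must never be readable by other users. Creating the file under
# umask 077 closes the window between wget writing it (with the default
# umask) and chmod tightening it afterwards.
mkdir -p -m 0700 -- "$ssh_dir"
if ! (umask 077 && wget -q -O "$key_file" "$DEVOPS_SSH_PRIVATE_KEY"); then
  # Deliberately not printing the URL: it may carry a signed/temporary token.
  printf 'error: could not fetch the devops SSH private key\n' >&2
  exit 1
fi
chmod 0600 -- "$key_file"

# get bastion IPs
# Private IP of the scratch bastion, and the private IPs of every instance
# tagged Type=orange, one per line (--output text). A failed aws call aborts
# instead of silently leaving the lists empty.
scratch_ip=$(aws ec2 describe-instances --region "us-west-2" \
  --filters "Name=tag:Name,Values=reputedly-scratch" \
  --query 'Reservations[*].Instances[*].[PrivateIpAddress]' --output text) \
  || { printf 'error: lookup of reputedly-scratch failed\n' >&2; exit 1; }
orange_ip_list=$(aws ec2 describe-instances --region "us-west-2" \
  --filters "Name=tag:Type,Values=orange" \
  --query 'Reservations[*].Instances[*].[PrivateIpAddress]' --output text) \
  || { printf 'error: lookup of orange instances failed\n' >&2; exit 1; }

SAVEIFS=$IFS # Save current IFS so it can be restored after the IP lists are consumed
IFS=$'\n'    # Change IFS to new line: split the IP lists on line breaks only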
# Open an interactive influx shell; -ssl connects over TLS. Replace the <...>
# placeholders by hand before running.
$ influx -ssl -host <host> -port <port> | |
# select database | |
> use <database name> | |
# set time format: print timestamps as RFC3339 instead of a raw epoch integer | |
> precision rfc3339 | |
# show all measurements | |
> show measurements |
FROM openjdk:8-jre-slim | |
# NOTE(review): mutable tag; pin by digest if reproducible builds are required.
# Fingerprint of a signing key, presumably used to verify the ZooKeeper
# download in a later step (not shown here) — confirm against that step.
ARG GPG_KEY=3F7A1D16FA4217B1DC75E1C9FFE35B7F15DFA1BA | |
# ZooKeeper release name and the binary distribution archive built from it.
ARG SHORT_DISTRO_NAME=zookeeper-3.5.5 | |
ARG DISTRO_NAME=apache-zookeeper-3.5.5-bin | |
# Versions of the HashiCorp tools and OpenSSL, presumably installed further
# down in the Dockerfile (not visible here).
ARG CONSUL_VERSION=1.5.3 | |
ARG CONSUL_TEMPLATE_VERSION=0.20.1 | |
ARG OPENSSL_VERSION=1.1.1c | |
ENV ZOO_CONF_DIR=/conf \ | |
ZOO_DATA_DIR=/data \ | |
ZOO_DATA_LOG_DIR=/datalog \ |
# Image carrying the HashiCorp tools; the ARGs below pin the Consul and Vault
# versions that get installed.
FROM debian:buster-slim | |
# NOTE(review): mutable tag; pin by digest if reproducible builds are required.
ARG CONSUL_VERSION=1.6.2 | |
ARG VAULT_VERSION=1.3.2 | |
# Presumably the directory the downloaded binaries are placed in; confirm
# against the install steps further down.
ENV BIN_DIR=/bin | |
# Install required packages | |
RUN set -eux && \ | |
apt-get update && \ | |
DEBIAN_FRONTEND=noninteractive \ |
## start kafka-zookeeper cluster | |
## (order matters: zookeeper is submitted and checked first, then the brokers)
$ nomad job run -no-color kafka-zookeeper.nomad | |
$ nomad job status -no-color kafka-zookeeper # verify allocations (containers) are running | |
## wait 30 seconds for kafka-zookeeper to discover and start kafka-brokers | |
$ nomad job run -no-color kafka-broker.nomad | |
$ nomad job status -no-color kafka-broker # verify allocations (containers) are running | |
## verify zookeeper cluster is up |
Run the following against each node to verify that it is either a leader or a follower; pull the IP/port pairs from the kafka-zookeper-client service in Consul |
docker-entrypoint.sh | |
``` | |
# create truststore and keystore from pem files if they exist | |
if [ -f "$ZOO_CONF_DIR/ssl/root-int-ca.pem" ] && [ -f "$ZOO_CONF_DIR/ssl/node.pem"]; then | |
# create truststore jks | |
truststore_password="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 12 | head -n 1)" | |
echo $truststore_password > $TRUSTSTORE_WORKING_DIRECTORY/truststore_password.txt | |
keytool -import -alias root-int-ca -trustcacerts -file $ZOO_CONF_DIR/ssl/root-int-ca.pem \ | |
-keystore $ZOO_CONF_DIR/ssl/kafka-truststore.jks -storepass $truststore_password |
# The trailing "-" in "-}}" matters: it trims the newline Go's template engine
# would otherwise emit after each action, and a stray LF would corrupt the
# binary keystore written below.
# Renders the mTLS keystore from Vault: NOMAD_META_mtls_path names the secret
# path, and .Data.keystore holds the JKS base64-encoded (hence base64Decode).
template { | |
destination = "local/conf/ssl/keystore_decoded.jks" | |
# noop: a changed secret is not pushed to the running task; presumably it is
# only picked up on the next task start — confirm this matches the rotation
# expectations for the keystore.
change_mode = "noop" | |
# NOTE(review): the decoded keystore is written with the template stanza's
# default file mode; confirm that only the ZooKeeper process user needs to
# read it.
data =<<EOF | |
{{ $mtls_path := env "NOMAD_META_mtls_path" -}} | |
{{ with secret (printf "%s" $mtls_path) }}{{.Data.keystore | base64Decode }}{{ end -}} | |
EOF | |
} |