Nithish Murcherla nithu0115

## gist:f8deed67bf365cb9f4e49014679e3303
## ECS AMI - Amzn Linux2 - Using a secondary volume for docker overlay2 filesystem
#### — Replace the device names with appropriate names, as they vary depending on Instance type and volume type - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html
[1] https://github.com/docker/docker-ce/blob/v18.06.1-ce/components/packaging/rpm/systemd/docker.service#L4
[2] https://github.com/aws/amazon-ecs-init/blob/master/packaging/amazon-linux-ami/ecs.service#L19

UserData for 'c5d' with an instance store as the secondary volume

#!/bin/bash -x

## disable systemd from starting docker and ecs during cloud-init

## gist:bfaaa1d1f3069244ddce7c74de09b669

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                nithu0115
                / gist:bfaaa1d1f3069244ddce7c74de09b669
            
            
              Last active
              February 14, 2019 23:37
            
              
                Spark with EKS
              
          
    As of Feburary-14-2019, Spark does not have integration with EKS as spark binary would require to use aws-iam-authentator to fetch credential to authenticate to EKS cluster which will be integrated to kubernetes-client 4.1.2 release
Ref: fabric8io/kubernetes-client#1358
In order to integrate spark binary with EKS, we will have to do a custom build with fabric 4.1-SHAPSHOT version.
Prerequisites:

Java8
Apache-maven3.x.x and above

  
## gist:1f09ce1414f0430bdfe337d2e7461ce6
Services: eks; kubernetes

Summary
Gather logs from Worker Nodes without SSH'ing into the instacne

Q) How to get logs from a Worker nodes if customers cannot SSH into the instance as they don’t have a keypair associated (for security reasons) and without detaching the volume and attaching it to another instance to troubleshoot an issue?

Solution:

To gather logs, first run

## gist:c548a9bd60d370cbf4e54236a4e1f68a
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: mlsmaycon1
spec:
  schedule: "* * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 1
  jobTemplate:

## test.sh
#!/bin/bash -x
export C=extravagant-outfit-1571795722
PAYLOAD=$(aws eks describe-cluster --name $C --query 'cluster.{CA: certificateAuthority.data,Endpoint: endpoint}' --region us-east-2)
echo $PAYLOAD | jq -rc .CA | base64 -d > /tmp/public_cert
ENDPOINT=$(echo $PAYLOAD | jq -rc .Endpoint)
curl -iv --cacert /tmp/public_cert -H "Authorization: Bearer "$(aws eks get-token --cluster-name $C | jq -rc .status.token) $ENDPOINT/api/v1/namespaces/default/pods/
while [ $? -ne 0 ]; do
"command error"
sleep 10s
done

## kubectl-switch
#!/bin/bash

# If only one argument is given when calling this script, we do a namespace switch.
# If a second argument exists when calling this script, we do a cluster switch.
# When switching clusters, alert the user if that cluster is not found.

# The trap provides the current context on exit. The context names are sorted to provide consistency.
LRED=$(echo -en '\033[01;31m')
RESTORE=$(echo -en '\033[0m')
trap 'CURRENT_CONTEXT=$(kubectl config current-context) && echo && kubectl config get-contexts | head -n1 && kubectl config get-contexts | sed 1d | sort --key=1 -b | sed "s|\*\(.*\)${CURRENT_CONTEXT}\(.*\)$|${LRED}\*\1${CURRENT_CONTEXT}\2${RESTORE}|g"' 0 1 3 15

## testing.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-nginx
data:
  default.conf: |
    server {
      listen 80 default_server;
      listen [::]:80 default_server;

## test.yaml
---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-node-sa
  namespace: kube-system

---

## gist:f51c5388caab2372ab0d97f09a6a8da4
index a79f5a89cab1..768db651373f 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -750,6 +750,10 @@ static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb,
        const struct nf_conntrack_l4proto *l4proto;
        enum ip_conntrack_info oldinfo;
        struct nf_conn *loser_ct = nf_ct_get(skb, &oldinfo);
+
+        // Added by nithish
+        pr_debug("nf_ct_resolve_clash: %p clashes with %p\n", loser_ct, ct);

## tcp_keep_alive.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: startup-script
  labels:
    app: startup-script
spec:
  template:
    metadata:
      labels:
	## ECS AMI - Amzn Linux2 - Using a secondary volume for docker overlay2 filesystem
	#### — Replace the device names with appropriate names, as they vary depending on Instance type and volume type - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html
	[1] https://github.com/docker/docker-ce/blob/v18.06.1-ce/components/packaging/rpm/systemd/docker.service#L4
	[2] https://github.com/aws/amazon-ecs-init/blob/master/packaging/amazon-linux-ami/ecs.service#L19

	UserData for 'c5d' with an instance store as the secondary volume

	#!/bin/bash -x

	## disable systemd from starting docker and ecs during cloud-init
	Services: eks; kubernetes

	Summary
	Gather logs from Worker Nodes without SSH'ing into the instacne

	Q) How to get logs from a Worker nodes if customers cannot SSH into the instance as they don’t have a keypair associated (for security reasons) and without detaching the volume and attaching it to another instance to troubleshoot an issue?

	Solution:

	To gather logs, first run
	apiVersion: batch/v1beta1
	kind: CronJob
	metadata:
	name: mlsmaycon1
	spec:
	schedule: "* * * * *"
	concurrencyPolicy: Forbid
	successfulJobsHistoryLimit: 1
	failedJobsHistoryLimit: 1
	jobTemplate:
	#!/bin/bash -x
	export C=extravagant-outfit-1571795722
	PAYLOAD=$(aws eks describe-cluster --name $C --query 'cluster.{CA: certificateAuthority.data,Endpoint: endpoint}' --region us-east-2)
	echo $PAYLOAD \| jq -rc .CA \| base64 -d > /tmp/public_cert
	ENDPOINT=$(echo $PAYLOAD \| jq -rc .Endpoint)
	curl -iv --cacert /tmp/public_cert -H "Authorization: Bearer "$(aws eks get-token --cluster-name $C \| jq -rc .status.token) $ENDPOINT/api/v1/namespaces/default/pods/
	while [ $? -ne 0 ]; do
	"command error"
	sleep 10s
	done
	#!/bin/bash

	# If only one argument is given when calling this script, we do a namespace switch.
	# If a second argument exists when calling this script, we do a cluster switch.
	# When switching clusters, alert the user if that cluster is not found.

	# The trap provides the current context on exit. The context names are sorted to provide consistency.
	LRED=$(echo -en '\033[01;31m')
	RESTORE=$(echo -en '\033[0m')
	trap 'CURRENT_CONTEXT=$(kubectl config current-context) && echo && kubectl config get-contexts \| head -n1 && kubectl config get-contexts \| sed 1d \| sort --key=1 -b \| sed "s\|\\(.\)${CURRENT_CONTEXT}\(.\)$\|${LRED}\\1${CURRENT_CONTEXT}\2${RESTORE}\|g"' 0 1 3 15
	---
	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: config-nginx
	data:
	default.conf: \|
	server {
	listen 80 default_server;
	listen [::]:80 default_server;
	---

	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: csi-node-sa
	namespace: kube-system

	---
	index a79f5a89cab1..768db651373f 100644
	--- a/net/netfilter/nf_conntrack_core.c
	+++ b/net/netfilter/nf_conntrack_core.c
	@@ -750,6 +750,10 @@ static int nf_ct_resolve_clash(struct net net, struct sk_buff skb,
	const struct nf_conntrack_l4proto *l4proto;
	enum ip_conntrack_info oldinfo;
	struct nf_conn *loser_ct = nf_ct_get(skb, &oldinfo);
	+
	+ // Added by nithish
	+ pr_debug("nf_ct_resolve_clash: %p clashes with %p\n", loser_ct, ct);
	apiVersion: extensions/v1beta1
	kind: DaemonSet
	metadata:
	name: startup-script
	labels:
	app: startup-script
	spec:
	template:
	metadata:
	labels: