Linux Commands Cheat Sheet

Do you want to learn the Linux commands? If yes, then you are in the right place. There are uncountable commands in Linux. Generally, we use some of the Linux commands from the Linux commands cheat sheet regularly to perform the common tasks.

Types of Linux Commands

All the Linux commands are categorized into 7 different types. They are Basic Linux commands, File permission commands, Environment variables commands, User management commands, Networking commands, Process commands, VI Editing commands, Other Commands.

We are giving a detailed explanation for each and every Linux command with their examples for easy learning in the below sections. Have a look at them and follow them. Check the actual description of each Linux command in their manual page.

Basic Linux Commands

  • ls command:

It is used to list all files and directories of a directory. The ‘-l’ option gives the long listing format. Its syntax is $ ls [options] [file|dir]

Example: $ ls -l samplefile

  • ls-R command:

It gives the lists files in subdirectories. List recursively directory tree and syntax is $ ls -R [options] [file|dir]

Example: $ ls -R samplefile

  • ls -a Command:

It lists all files including hidden files starting with’.’ Its syntax is $ ls -a [options] [file|dir]

  • ls -al Command:

It lists all files details and directories with detailed information like permissions, size, owner, etc. Syntax is $ ls -al [options] [file|dir]

  • cd or cd ~ Command:

This command will navigate to the home directory or change the directory. Its syntax is $ cd [directory]

Example: $ cd Directory1

  • cd .. Command:

It moves one level up. Syntax is $ cd . . [directory]

  • cd Command:

Use this command to change to a particular directory. Its syntax is $ cd [directory]

Example: $ cd directory1

  • cd / Command:

This command will move to the root directory. Syntax is $ cd /

  • cat filename Command:

Create a new file using this command in Linux. Its syntax is $ cat filename.

Example: $ cat filename1

  • cat filename Command:

It displays the content in that particular file. The syntax is $ cat filename.

Example: $ cat filename1.

  • cat file1 file2 file3 Command:

It combines two files namely file1 and file2 and stores the output in a new file called file3. Its syntax is $ cat file1 file2 file3.

Example: $ cat add multiply arithmetic.

  • mv file “new file path” Command:

It moves the files to the new location. Syntax is $ mv file “new file path”.

Example: $ mv add “E:/Arithmeticopeartions/”.

  • mv filename new_file_name Command:

It renames or changes the file name to a new file name. Syntax is $ mv filename new_file_name.

Example: $ mv add sum

  • sudo Command:

sudo command allows a permitted user to run a command as root or another user. It runs commands in superuser mode. The syntax is $ sudo filename option

Example: $ sudo apt update

  • rm Command:

It is used to remove the files or directories. Syntax is $ rm filename or $ rm directory

Examples: $ rm sum and $ rm mydrive

  • man Command:

It is used to view the online reference manual pages for the commands or programs. It provides the help information of any commands. Its syntax is $ man commandname

Example: $ man cd

  • history Command:

It produces the list of previously used commands and gets the all past commands types in the current terminal session. The syntax is $ history

  • clear Command:

clear command is helpful to clear the terminal screen. The syntax is $ clear

  • mkdir directoryname Command:

It creates a new directory in the present working directory or at any specific path. Syntax is $ mkdir directoryname

Example: $ mkdir new_directory

$ mkdir -p new_directory: Here -p option is used to override the already available directory.

  • rmdir Command:

It helps to remove/ delete the empty directories. Syntax is $ rmdir [directory_name]

Example: $ rmdir new_directory

  • mv Command:

It is helpful to rename files or directories. mv command also moves a file or a directory to another location in the directory structure. Its syntax is $ mv file1 file2

Example: $ mv add sum

  • pr -x Command:

It divides the file into x columns. Syntax is $ pr -x filename.

Example: $ pr -5 add

  • pr -h Command:

It is useful to assign a header to the file. Syntax is $ pr -h filename

Example: $ pr -h sum

  • pr -n Command:

This command denotes the file with the line numbers. Its syntax is $ pr -n file

Example: $ pr -n sum

  • lp -nc , lpr c Command:

It prints the c number of copies of a file. lp stands for a line printer. Its syntax is $ lpr c filename

Example: $ lpr 5 sum

  • lp -d lp -P Command:

It specifies the name of the printer. The syntax is $ lp -P

  • apt-get Command:

It is a powerful and free front end package manager for Debian/Ubuntu systems. It is used to install new software packages, remove available software packages, upgrade existing software packages, and upgrade the entire operating system. Its syntax is $ apt-get package

Example: $ sudo apt-get update

  • mail -s ‘subject’ -c ‘cc-address’ -b ‘bcc-address’ ‘to-address’ Command:

It is a linux command used to send mail. Syntax is $ mail -s ‘subject’ -c ‘cc-address’ -b ‘bcc-address’ ‘to-address’

Example: $ mail -s ‘regarding_job’ -c ‘add@gmail.com’ -b ‘sum@gmail.com’ ‘arithmetic@gmail.com’

  • mail -s “Subject” to-address < Filename Command:

It is used to send an email with an attachment. Its syntax is $ mail -s “Subject” to-address < Filename

Example: $ mail -s “Addition of Numbers” sum@gmail.com < Addition

File Permission Commands

  • ls-l Command:

Use this command to show file type and access permission of any particular file. Syntax is $ ls-l filename

Example: $ ls-l sum

  • r Command:

It is used to give read permission to a file. The syntax is $ r filename.

Example: $ r sum

  • w Command:

It gives write permission to the file. The syntax is $ w filename

Example: $ w sum

  • x Command:

It is useful to provide execute permission to the file. Its syntax is $ x filename

Example: $ x sum

  • -= Command:

This command is used when you want to give no permission to a file. Syntax is $ -= filename

Example: $ -= file1

  • Chown user Command:

It is helpful to change the ownership of a file/directory. The syntax is $ chown user filename

Example: $ chown user file1

  • Chown user:group filename Command:

It changes the user and group for a file or directory. Syntax is $ chown user:group filename

Example: $ chown user:group sum

Environment Variables Command

  • echo $VARIABLE Command:

It displays the value of a variable or prints a text of the line. Its syntax is echo [option] [string]

Example: $ echo “Print this line” or $ echo $VARIABLE var1

  • env Command:

It lists all environment variables. The syntax is $ env

  • VARIABLE_NAME= variable_value Command:

It creates a new variable and assigns it a value. Syntax is $ VARIABLE_NAME= variable_value

Example: $ My_Variable= 10

  • Unset Command:

It removes a variable. Syntax is $ Unset VARIABLE_NAME

Example: $ Unset My_Variable

  • export Variable=value Command:

It is helpful to set the value of an environment variable. Syntax is $ export Variable=value

Example: $ export Variable1=90

User Management Commands of Linux

  • sudo adduser username Command:

It is used to create a username. The syntax is $ sudo adduser username

Example: $ sudo dduser user1

  • sudo passwd -l ‘username’ Command:

It is helpful to change the user password. Syntax is $ sudo passwd -l ‘username’

Example: $ sudo passwd -l ‘user1’

  • sudo userdel -r ‘username’ Command:

This command is used to add and delete users on Linux. Syntax is $ sudo userdel -r ‘username’

Example: $ sudo userdel -r ‘user1’

  • finger Command:

It is a user information lookup command which provides details of all users logged in. The Syntax $ finger

  • finger username Command:

It gives the login details of that particular user. Syntax $ finger username

Example: $ finger user1

Networking Commands

  • SSH username@ip-address or hostname Command:

You can log in to a remote Linux machine using SSH. The syntax is $ SSH username@ip-address or hostname

Example: $ SSH user1@https:11//1001

  • Ping hostname=”” or =”” Command:

It is used for analyzing the network and host connections. Syntax is $ Ping hostname=”” or =””

Example: $ Ping hostname=”host1″

  • dir Command:

It displays all files in the current directory of a remote computer. The syntax is $ dir

  • cd “dirname” Command:

It changes the current directory to “dirname” on a remote computer. Syntax is $ cd “dirname”

Example: $ cd “E”

  • put file Command:

It is helpful to upload the file from local to the remote computer. The syntax is $ put file

Example: $ put sum

  • get file Command:

It is used to download the file from remote to the local computer. The syntax is $ get file

Example: $ get add

  • quit Command:

It is used to logout from that network. The syntax is $ quit

Process Commands

  • bg Command:

You can send a process to the background with this command. The syntax is $ bg processname

Example: $ bg process1

  • fg Command:

To run a stopped process in the foreground. The syntax is $ fg processname.

Example: $ fg process1

  • top Command:

It gives the details of all active processes in the directory. The syntax is $ top

  • ps Command:

It produces the status of processes running for a user. The syntax is $ ps username

Example: $ ps user1

  • ps PID Command:

This command gives the status of a particular process. The syntax is $ ps PID processname

Example: $ ps PID process1

  • pidof Command:

It gives the process id of a process. The syntax is $ pidof processname.

Example: $ pidof process1

  • kill PID Command:

It kills a process. The syntax is $ kill PID processname

Example: $ kill PID process1

  • nice Command:

It is used to start a process with the given priority. The syntax is $ nice processname.

Example: $ nice process

  • renice Command:

It is used to change the priority of an already running process. The syntax is $ renice processname

Example: $ renice process2

  • df Command:

It provides free hard disk space on your system. The syntax is $ df

  • free Command:

It gives free RAM space on your system. The syntax is $ free

VI Editing Commands

  • i Command:

It inserts at the cursor i.e goes to insert mode. The syntax is $ i

  • a Command:

It is used to write after the cursor in insert mode. The syntax is $ a

  • A Command:

This command is used to write at the end of the line in insert mode. The syntax is $ A

  • ESC Command:

It is helpful to terminate insert mode. The syntax is $ ESC.

  • u Command:

It undoes the last change. The syntax is $ u.

  • U Command:

It undoes all changes to the entire line. The syntax is $ U

  • o Command:

It opens a new line in insert mode. The syntax is $ o

  • dd Command:

It deletes that particular line. The syntax is $ dd line number

Example: $ dd 25

  • 3dd Command:

This command deletes 3 lines. The syntax is $ 3dd line number

Example: $ 3dd 25

  • D Command:

It deletes the contents of a line after the cursor. The syntax is $ D

  • C Command:

It is used to delete the contents of a line after the cursor and insert new text. Press the ESC key to end the insertion. Syntax is $ C

  • dw Command:

Delete a word using this command. The syntax is $ dw

  • 4dw Command:

It is used to delete 4 words. The syntax is $ 4dw

  • cw Command:

It is used to change a word. Syntax is $ cw

  • x Command:

It deletes the character at the cursor. Syntax is $ x

  • r Command:

Replace the character. The syntax is $ r

  • R Command:

It overwrites characters from cursor onward. The syntax is $ R

  • s Command:

Substitute one character under the cursor and continue to insert. The syntax is $ s

  • S Command:

Substitutes the entire line and starts to insert at the beginning of the line. The syntax is $ S

  • ~ Command:

It is used to change the case of the individual character. Syntax is $ ~

Other Linux Commands

  • adduser/addgroup Command:

adduser adds a user and addgroup adds groups to the system. The syntax is $ adduser username

Example: $ sudo adduser tech

  • agetty Command:

agetty is a program that manages physical or virtual terminals and is invoked by init. It is the substitute for Linux getty.

Example: $ agetty -L 9600 ttyS1 vt100

  • alias Command:

It is a useful shell built-in command for creating shortcuts to a Linux command on a system.

Example: $ alias home’cd /home/drive/file1′

  • apropos Command:

This is used to search and display a short man page description of a program/ command. The syntax is $ apropos commandname

Example: $ apropos rm

  • aptitude Command:

It is a powerful text-based interface to the Debian Linux/GNU package management system. The syntax is $ aptitude package

Example: $ sudo aptitude update

  • arch Command:

This command is used to display the machine architecture or hardware name. The syntax is $ arch

  • arp Command:

ARP stands for Address Resolution Protocol that maps IP network addresses of a network neighbor with the hardware (MAC) addresses in an IPv4 network.

Example: $ sudo arp-scan –interface=enp2s0 –localnet

  • at Command:

It is used to schedule tasks to run in the forthcoming time. Syntax is $ at

Example: $ sudo echo “shutdown -h now” | at -m 15:20

  • atq Command:

This command is used to view jobs in at command queue. Syntax is $ atq

  • atrm Command:

It is helpful to delete/remove jobs from the queue. $ atrm 2

  • awk Command:

Awk is a programming language created for text processing and used as a data extraction and reporting tool.

Example: $ awk ‘//{print}’/etc/hosts

  • batch Command:

It is similar to at command which is useful to schedule tasks to run in a future time. Syntax is $ batch

  • basename Command:

It helps to print the name of a file stripping of directories in absolute path. Syntax is $ basename filename

Example: $ basename samplefile

  • bzip2 Command:

It is useful to compress or decompress the files. Syntax is $ bzip2 filename

Example: $ bzip2 -z filename #Compress

$ bzip2 -d filename.bz2 #Decompress

  • cal Command:

This command is used to print a calendar on the standard output. Syntax is $ cal

  • chgrp Command:

It is used to change the group ownership of a file. Syntax is $ chgrp new_group_name filename

Example: $ chgrp Product Multiplication.txt

  • chmod Command:

It is used to change/ update file access permissions. Syntax is $ chmod permission filename

Example: $ chmod +x product.txt

  • cksum Command:

This command is used to provide the checksum and byte count of the given input file. Syntax is $ cksum filename

Example: $ cksum product.txt

  • cmp Command:

It compares byte by byte comparison of two files. Syntax is $ cmp file1 file2

Example: $ cmp sum add

  • comm Command:

It is used to compare two sorted files line by line. Syntax is $ comm file1 file2

Example: $ comm product multiplication

  • cp Command:

It copies files and directories from one location to another. Syntax is $ cp location1 location2

Example: $ cp /home/arithmetic/add /home/arithmetic/product/

  • date Command:

It displays/ sets the system date and time. Syntax is $ date

Example: $ date –set=”20 Oct 2020 10:35:05″

  • diff Command:

The double advantage of this command is used to compare two files line by line and used to find the difference between two directories. Syntax is $ diff file1 file2

Example: $ diff sum add

  • dmidecode Command:

It retrieves the hardware information of any linux system. Syntax is $ dmidecode

Example: $ sudo dmidecode –type system

  • du Command:

It shows the disk space usage of files present in the directory as well as its subdirectories. The syntax is $ du directory

Example: $ du /home/arithmetic

  • eject Command:

eject command is used to eject removable media such as CD/DVD/ROM/floppy disk from the system. The syntax is $ eject disklocation

Example: $ eject /dev/cdrom

  • exit Command:

It is used to exit a shell. The syntax is $ exit

  • expr Command:

It is used to calculate an expression. The syntax is $ expr expression

Example: $ expr 15 * 5

  • factor Command:

It is used to display the prime factors of a number. The syntax is $ factor number

Example: $ factor 18

  • find Command:

It searches for files in the directory and its subdirectories. The syntax is $ find directory filename

Example: $ find /home/add/ -name product.txt

  • grep Command:

It searches for a specified pattern in the file and displays the output as lines containing that pattern. The syntax is $ grep

Example: $ grep ‘linuxcent’ domain-list.txt

  • groups Command:

Shows all names of groups of a user. The syntax is $ groups

  • gzip Command:

It helps to compress a file and replaces it with one having a .gz extension. The syntax is gzip filename

Example: $ gzip passwds.txt

  • gunzip Command:

It expands or restores files compressed with the gzip command. The syntax is $ gunzip gzfilename

Example: $ gunzip sum.gz

  • head Command:

It is helpful to display the first 10 lines of the specified file or stdin to the screen. The syntax is $ head

  • hostname Command:

This command is useful to print or set the system hostname. The syntax is $ hostname

Example: $ hostname New_hostname

  • id Command:

It shows user & group information for the current user or specified user. The syntax is $ id username

Example: $ id linuxcent

  • ifconfig Command:

It is used to configure Linux system network interfaces. The syntax is $ ifconfig

  • ionice Command:

This command is used to set or view process I/O scheduling class and priority of the specified process. The syntax is $ ionice process

Example: $ ionice -c 3 rm /var/logs/syslog

  • iostat Command:

iostat command is helpful to show the CPU and i/o statistics for devices and partitions. The syntax is $ iostat

  • ip Command:

It is used to display or manage devices, routing, policy routing, and tunnels. The syntax is $ ip addr

  • iw Command:

This is used to manage wireless devices and their configuration. The syntax is $ iw

Example: $ iw list

  • killall Command:

It kills a process with the help of its name. The syntax is $ killall processname

Example: $ killall process1

  • kmod Command:

It is useful to manage Linux kernel modules. To list all currently loaded modules, type. Syntax is $ kmod

Example: $ kmod list

  • last Command:

It displays a list of last logged in users. The syntax is $ last

  • ln Command:

This is used to create a soft link between files using -s flag. Syntax is $ ln -s file1 file2

Example: $ ln -s product multiplication

  • locate Command:

It is used to find a file with its name. The syntax is $ locate filename

Example: $ locate -b ‘add.txt’

  • lshw Command:

It gives detailed information on the hardware configuration of the machine. The syntax is $ lshw

  • lscpu Command:

This Linux command displays the system’s CPU architecture information. The syntax is $ lscpu

  • lsof Command:

It displays information related to files opened by processes. The syntax is $ lsof processname

Example: $ lsof -u add

  • lsusb Command:

It shows information: about USB buses in the system and devices connected to them. The syntax is $ lsusb

  • md5sum Command:

This command is used to compute and print the MD5 message digest of the file.

  • more Command:

It enables to view through relatively lengthy text files one screenful at a time. The syntax is $ more filename

Example: $ more add

  • nano Command:

You can open a file using this nano command. The syntax is $ nano filename

Example: $ nano sum

  • netstat Command:

It displays useful information such as routing tables, network connections, and others about Linux networking subsystems. Syntax is $ netstat

Example: $ netstat -a | more

  • nproc Command:

It shows the number of processing units present to the current process. The syntax is $ nproc

  • passwd Command:

This command is used to create/update passwords for user accounts. The syntax is $ passwd username

Example: $ passwd user1

  • pstree Command:

It displays running processes as a tree that is rooted at either PID or init if PID is omitted. The syntax is $ pstree

  • reboot Command:

This command is used to power-off, halt, or reboot a system. The syntax is $ reboot

  • scp Command:

It enables you to securely copy files between hosts on a network. Syntax is $ scp

Example: $ scp ~/names.txt root@192.168.56.10:/root/names.txt

  • shutdown Command:

It schedules a time for the system to be powered down. Its syntax is $ shutdown

Example: $ shutdown –poweroff

  • sleep Command:

This command is used to pause or delay for a specific amount of time. The syntax is $ sleep

Example: $ check.sh; sleep 5; sudo apt update

  • sort Command:

This is used to sort lines of text in the specified files from stdin. The syntax is $ sort

Example: $ sort add.txt

  • split Command:

It is used to split a large file into smaller pieces. The syntax is $ split filename

Example: $ split add

  • stat Command:

It is helpful to know the file system status. The syntax is $ state filename

Example: $ stat -f add.txt

  • su Command:

It is used to switch to another user ID or become root during a login session. The syntax is $ su

  • sum Command:

This command shows the checksum and blocks counts for all files on the command line. The syntax is $ sum output filename

Example: $ sum output add.txt

  • tac Command:

It concentrates and displays files in reverse. It prints each file to the standard output, shows the last line first. The syntax is $ tac filename

Example: $ tac sum.txt

  • tail Command:

It displays the last 10 lines of each file. The syntax is $ tail filename

Example: $ tail sum.txt

  • talk Command:

talk is used to talk to another network user/ system. Use a login name to talk to the user on the same machine and use ‘use@host’ to talk to a user on another machine. The syntax is $ talk

Example: $ talk person [ttyname] or $ talk ‘user@host’ [ttyname]

  • tee Command:

This is used to read from standard input & prints to standard output and files.

Example: $ echo “Testing how tee command works” | tee file1

  • time Command:

This command runs programs and summarizes system resource usage. The syntax is $ time

  • touch Command:

It changes file timestamps and it is used to create a file. The syntax is $ touch filename

  • uname Command:

It displays system information such as operating system, network node hostname kernel name, version, and release, etc. Syntax is $ uname

  • uniq Command:

It displays or omits repeated lines from input. The syntax is $ uniq

  • uptime Command:

It shows how long the system has been running, the number of logged on users, and system load averages. The syntax is $ uptime

  • wall Command:

This command is used to send/display a message to all users on the system. The syntax is $ wall “message”

Example: $ wall “This is Linux operating system”

  • wc Command:

This command displays the word, newline, and byte counts for each file. The syntax is $ wc filename

Example: $ wc add.txt

  • whatis Command:

It searches & shows a short or one-line manual page description of the provided command name. The syntax is $ whatis wget

  • who Command:

It shows details about users who are currently logged in. The syntax is $ who

  • which Command:

This command is used to get the absolute path of the file which would be executed in the current environment. The syntax is $ which who

  • whereis Command:

It helps to locate binary, source and manual files for commands. The syntax is $ whereis cat

  • yes Command:

This command is used to display a string repeatedly until when terminated or killed. The syntax is 4 yes

Example: $ yes “This is LinuxCent – Linux HowTos”

  • zcmp/zdiff Command:

zcmp and zdiff minimal utilities used to compare compressed files. Syntax is $ zcmp filesnames, $ zdiff filesnames

Example: $ zcmp domain-list.txt.zip basic_passwords.txt.zip

$ zdiff domain-list.txt.zip basic_passwords.txt.zip

  • zip Command:

It is simple & easy to use utility used to package & compress files. Syntax is $ zip packagename

Example: $ zip inarchive.zip foo.c bar.c –out outarchive.zip

We have mentioned all the Linux commands in the Linux Commands Cheatsheet. Make use of these countless commands that you might feel helpful.

How to get the docker container ip ?

The metadata information from the docker containers can be extracted using the docker inspect command.
We see the demonstration as follows:

The docker engine api is based around the golang templates and the commands use extensive formatting around the json function definitions.

[vamshi@node01 ~]$ docker inspect <container-name | container-id> -f '{{ .NetworkSettings.IPAddress }}'
172.17.0.2
[vamshi@node01 ~]$ docker inspect my-container --format='{{ .NetworkSettings.IPAddress }}'
172.17.0.2

RBACs in kubernetes

The kubernetes provides a Role based Access controls as a immediate mechanism as a security measure.

The roles are the grouping of PolicyRules and the capabilities and limitations within a namespace.
The Identities (or) Subjects are the users/ServiceAccounts which are assigned Roles which constitute a RBACs.
This process is acheived by referencing a role from RoleBinding to create RBACs.

In kubernetes there is Role and RoleBindings and the ClusterRole and ClusterRoleBinding.

There is no concept of a deny permission in the RBACs.

The Role and the Subject combined together defines a RoleBinding.

Now lets look at each of the terms in detail.

Subjects:

  • user
  • group
  • serviceAccount

Resources:

  • configmaps
  • pods
  • services

Verbs:

  • create
  • delete
  • get
  • list
  • patch
  • proxy
  • update
  • watch

You Create a kind:Role with a name and then binding with roleRef it to Subject by creating a kind: RoleBinding

[vamshi@master01 k8s]$ kubectl describe serviceaccounts builduser01 
Name:                builduser01
Namespace:           default
Labels:              
Annotations:         
Image pull secrets:  
Mountable secrets:   builduser01-token-rmjsd
Tokens:              builduser01-token-rmjsd
Events:              

The role builduser-role has the permissions to all the resources to create, delete, get, list, patch, update and watch.

[vamshi@master01 k8s]$ kubectl describe role builduser-role
Name: builduser-role
Labels:
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"builduser-role","namespace":"default"},"ru...
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
* [] [] [create delete get list patch update watch]

Using this you can limit the user access to your cluster

View the current clusterbindings on your kubernetes custer

[vamshi@master01 :~] kubectl get clusterrolebinding
NAME                                                   AGE
cluster-admin                                          2d2h
kubeadm:kubelet-bootstrap                              2d2h
kubeadm:node-autoapprove-bootstrap                     2d2h
kubeadm:node-autoapprove-certificate-rotation          2d2h
kubeadm:node-proxier                                   2d2h
minikube-rbac                                          2d2h
storage-provisioner                                    2d2h
system:basic-user                                      2d2h

The clusterrole describes the Resources and the verbs that are accessible the user.

[vamshi@linux-r5z3:~] kubectl describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]

Listing the roles on Kubernetes:

[vamshi@master01 :~] kubectl get roles --all-namespaces
NAMESPACE     NAME                                             AGE
kube-public   kubeadm:bootstrap-signer-clusterinfo             2d2h
kube-public   system:controller:bootstrap-signer               2d2h
kube-system   extension-apiserver-authentication-reader        2d2h
kube-system   kube-proxy                                       2d2h
kube-system   kubeadm:kubelet-config-1.15                      2d2h
kube-system   kubeadm:nodes-kubeadm-config                     2d2h
kube-system   system::leader-locking-kube-controller-manager   2d2h
kube-system   system::leader-locking-kube-scheduler            2d2h
kube-system   system:controller:bootstrap-signer               2d2h
kube-system   system:controller:cloud-provider                 2d2h
kube-system   system:controller:token-cleaner                  2d2h

We can further examine the rolebindings on the for the name: system::leader-locking-kube-scheduler which is being associated with the service account kube-scheduler.

[vamshi@master01 :~]  kubectl describe rolebindings system::leader-locking-kube-scheduler -n kube-system
Name:         system::leader-locking-kube-scheduler
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  Role
  Name:  system::leader-locking-kube-scheduler
Subjects:
  Kind            Name                   Namespace
  ----            ----                   ---------
  User            system:kube-scheduler  
  ServiceAccount  kube-scheduler         kube-system

There is a category of the api groups which contains the following api tags:

apiextensions.k8s.io, apps, autoscaling, batch, Binding, certificates.k8s.io, events.k8s.io, extensions, networking.k8s.io, PodTemplate, policy, scheduling.k8s.io, Secret, storage.k8s.io

The complete roles available in Kubernetes are as follows:

APIService, CertificateSigningRequest, ClusterRole, ClusterRoleBinding, ComponentStatus, ConfigMap, ControllerRevision, CronJob, CSIDriver, CSINode, CustomResourceDefinition, DaemonSet, Deployment, Endpoints, Event, HorizontalPodAutoscaler, Ingress, Job, Lease, LimitRange, LocalSubjectAccessReview, MutatingWebhookConfiguration, Namespace, NetworkPolicy, Node, PersistentVolume, PersistentVolumeClaim, Pod, PodDisruptionBudget, PodSecurityPolicy, PriorityClass, ReplicaSet, ReplicationController, ResourceQuota, Role, RoleBinding, RuntimeClass, SelfSubjectAccessReview, SelfSubjectRulesReview, Service, ServiceAccount, StatefulSet, StorageClass, SubjectAccessReview, TokenReview, ValidatingWebhookConfiguration and VolumeAttachment

Generate SSL certificates using openssl

Generate SSL certificates using openssl with a Certificate Signing Request and signing it by a Certificate Authority.

The file ca.key and ca.crt are the Certificate Authority

We will be genrating the .key and .csr (Certificate Signing Request) files from the below command.

[root@node01 ssl]# openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout linuxcent.com.key -days 365 -out linuxcent.com.csr -sha256 -subj "/C=IN/ST=TG/L=My Location/O=Company Ltd./OU=IT/CN=linuxcent.com/subjectAltName=DNS.1=linuxcent.com"

Verify the .csr file that is generated as shown below:

[root@node01 ssl]# openssl req -in linuxcent.com.csr -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=IN, ST=TG, L=MY Location, O=Company Ltd., OU=IT, CN=linuxcent.com/subjectAltName=DNS.1=linuxcent.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:00:e4:b4:24:d7:22:ec:5d:c1:37:8c:d1:a0:62:17:
96:24:77:8d:75:4e:d5:74:15:4d:61:e0:8b:66:d6:
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         87:ef:83:b2:a6:f5:3a:f3:6f:1c:e4:02:ec:bf:5d:75:64:1d:
-- OUTPUT TRUNCATED --

Now we will using the root ca.key and [/code]ca.crt[/code] to digitally sign this .csr and generate a .crt

[root@node01 ssl]# openssl x509 -req -in linuxcent.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out linuxcent.com.crt -days 365 -sha256
Signature ok
subject=/C=IN/ST=TG/L=My Location/O=Company Ltd./OU=IT/CN=linuxcent.com/subjectAltName=DNS.1=linuxcent.com

We have generated the .crt file from the .csr

[root@node01 ssl]# ls linuxcent.com.crt linuxcent.com.key 
linuxcent.com.crt linuxcent.com.key

Therefore we have successfully generated the linuxcent.com.key file and linuxcent.com.crt, and digitally self signed with the root CA key and certificates.

Generating Self Signed SSL certificates using openssl

The x509 is the certificate signing utility we will be using here.

We generate the ssl self signed certificate using the following command, request as demonstrated below.

openssl req -x509 -days 365 -sha1 -newkey rsa:2048 -nodes -keyout linuxcent.com.key -out linuxcent.com.crt -sha256 -subj "/C=IN/ST=State/L=My Location/O=Company Ltd./OU=IT/CN=linuxcent.com/subjectAltName=DNS.1=linuxcent.com"

The Days parameter can be specified to any number of days depending on your requirement.

The Self signed certificates are mostly commonly used within the internal network or among small group of familiar individuals like an office for specific purposes and not advised to be used out in the public domain as the browser does not identify the certificate authenticity or the ingenuity of the concerned website. The Self-signed certificates are not validated with any third party until and unless you import them to the browsers previously.

Settingup the puppet master and puppet client server

Make sure that you have populated hostname properly on the puppet master server. You can do it with the hostnamectl command.
The hostname assumed by default is “puppet” for your puppet master, but you can give it anyname and reachable over your network to other servers with the mapped FQDN.

Its good practice to setup the /etc/hosts with an alias name called puppet if you are just starting for first time.

Installing the puppet yum repository sources to download the puppet packages.

[root@puppetmaster ~]# sudo rpm -Uvh https://yum.puppet.com/puppet5-release-el-7.noarch.rpm
Retrieving https://yum.puppet.com/puppet5-release-el-7.noarch.rpm
warning: /var/tmp/rpm-tmp.ibJsVY: Header V4 RSA/SHA256 Signature, key ID ef8d349f: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:puppet5-release-5.0.0-12.el7     ################################# [100%]

Installing the Puppet Master service from the yum repository.

[root@puppetmaster ~]# yum install puppetserver

Verify which packages are installed on your machine
[root@puppetmaster ~]# rpm -qa | grep -i puppet
puppetserver-5.3.13-1.el7.noarch
puppet5-release-5.0.0-12.el7.noarch
puppet-agent-5.5.20-1.el7.x86_64

Ensure that you give the following entries updated in the file /etc/puppetlabs/puppet/puppet.conf under the section

[master]
certname = puppetmaster.linuxcent.com
server = puppetmaster.linuxcent.com

Enabling the puppetserver Daemon and starting puppetserver

[root@puppetmaster ~]# systemctl enable puppetserver
[root@puppetmaster ~]# systemctl start puppetserver

The puppet server process starts on the port 8140.

[root@puppetmaster ~]# netstat -ntlp | grep 8140
tcp6       0      0 :::8140                 :::*                    LISTEN      21084/java

Settingup the puppet client.
Installing the yum repository to download the puppet installation packages.

[vamshi@node01 ~]$ sudo rpm -Uvh https://yum.puppet.com/puppet5-release-el-7.noarch.rpm

Installing the puppet agent.

[vamshi@node01 ~]$ sudo yum install puppet-agent

Once we have the puppet agent installed, we need to update the puppet client configuration with the puppetmaster FQDN by updating in the file /etc/puppetlabs/puppet/puppet.conf under the [master] section

[master]
certname = puppetmaster.linuxcent.com
server = puppetmaster.linuxcent.com

Running the puppet agent to setup communication with the puppet master

[vamshi@node01 ~]$ sudo puppet agent --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for node01.linuxcent.com
Info: Applying configuration version '1592492078'
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.02 seconds

With this we have successfully raised the signing request to the master
Listing the puppet agent details on the puppet master.

[root@puppetmaster ~]# puppet cert list --all
  "node01.linuxcent.com" (SHA256) 88:08:8A:CF:E3:5B:57:1C:AA:1C:A3:E5:36:47:60:0A:55:6F:C2:CC:9C:09:E1:E7:85:63:2D:29:36:3F:BF:34
[root@puppetmaster ~]# puppet cert sign node01.linuxcent.com
Signing Certificate Request for:
  "node01.linuxcent.com" (SHA256) 88:08:8A:CF:E3:5B:57:1C:AA:1C:A3:E5:36:47:60:0A:55:6F:C2:CC:9C:09:E1:E7:85:63:2D:29:36:3F:BF:34
Notice: Signed certificate request for node01.linuxcent.com
Notice: Removing file Puppet::SSL::CertificateRequest node01.linuxcent.com at '/etc/puppetlabs/puppet/ssl/ca/requests/node01.linuxcent.com.pem'

Now that we have successfully signed the puppet agent request, we are able to see the + sign on the left side of the agent host name as demonstrated in the following output.
[root@puppetmaster ~]# puppet cert list --all
+ "node01.linuxcent.com" (SHA256) 15:07:C2:C1:51:BA:C1:9C:76:06:59:24:D1:12:DC:E2:EE:C1:47:35:DD:BD:E8:79:1E:A5:9E:1D:83:EF:D1:61

The respective ssl signed requests will be saved under the location /etc/puppetlabs/puppet/ssl/ca/signed

[root@node01 signed]# ls
node01.linuxcent.com.pem  puppet.linuxcent.com.pem

To clean up and agent certificates

puppet cert clean node01.linuxcent.com

Which will remove the agent entries from the puppetmaster records and a new certificate request is required to be added to this puppetmaster.

The autosign.conf can also be used if you are going to manage a huge farm of puppet clients, and the manual signing of clients becomes are tedious task, We can setup the whiledcard like *.linuxcent.com to auto approve the signing requests originating from the client hosts present in the network domain of linuxcent.com.

nginx reverse proxy setup for kibana dashboard

How to Setup Nginx Reverse proxy for Kibana.

In this demonstration we will see how to setup the reverse proxy using the nginx webserver to the backend kibana.

We begin by installing the latest version of nginx server on our centos server:

$ sudo yum install nginx -y

The nginx package is going to be present in the epel-repo and you have to enable it.

$ sudo yum --enablerepo=epel install nginx -y

Once the nginx package is installed we need to enable to Daemon and start it with the following command:

[vamshi@node01 ~]$ sudo systemctl enable nginx --now
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.

We now add the create the nginx configuration file for kibana backend, and place it under the location /etc/nginx/conf.d/kibana as shown below:

We can setup the Restricted Access configuration if needed for enhanced security as shown below on the line with auth_basic and auth_basic_user_file, You may skip the Restricted Access configuration if you believe it is now required.

[vamshi@node01 nginx]$ sudo cat conf.d/kibana.conf
server {
    listen 80;
    server_name localhost;
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

With the configuration in place .. we now check the nginx config syntax using the -t option as shown below:

[vamshi@node01 nginx]$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now restart the nginx server and head over to the browser.

$ sudo systemctl restart nginx

On you Browser enter the server ip or FQDN. and you will be auto redirected to the url http://your-kibana-server.com/app/kibana#/home
kibana-home

Setup htacess authorization config with user details.

We now install the htpasswd tool from the package httpd-tools as follows:

$ sudo yum install httpd-tools -y

Adding the Authorization details to our .htpasswd file.

[vamshi@node01 nginx]$ sudo htpasswd -c /etc/nginx/.htpasswd vamshi
New password: 
Re-type new password: 
Adding password for user vamshi

So We have now successfully added the Auth configuration

[vamshi@node01 nginx]$ sudo htpasswd -n /etc/nginx/.htpasswd 
New password: 
Re-type new password: 
/etc/nginx/.htpasswd:$apr1$tlinuxcentMY-htpassEsHEEanL21

As the password is 1 way encryption we cannot decode it and are required to generate new hash.
Verifying the htpasswd configuration logins from the curl command:

$ curl http://kibana-url -u<htpasswd-username>
[vamshi@node01 ~]$ curl kibana.linuxcent.com -uvamshi -I
Enter host password for user 'vamshi':
HTTP/1.1 302 Found
Server: nginx/1.16.1
Date: Thu, 07 Apr 2020 17:48:35 GMT
Content-Length: 0
Connection: keep-alive
location: /spaces/enter
kbn-name: kibana
kbn-license-sig: 2778f2f7e07680b7aefa85db2e7ce7bd33da5592b84cefe62efa8
kbn-xpack-sig: ce2a76732a2f58fcf288db70ad3ea
cache-control: no-cache

If you tend to enter the invalid credentials you will encounter a 401 http error code Restricting the Unauthorized access.

HTTP/1.1 401 Unauthorized
Server: nginx/1.16.1
Date: Thu, 07 Apr 2020 17:51:36 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
WWW-Authenticate: Basic realm="Restricted Access"

Now we head over to the browser to check the htaccess login page in action as shows follows:
http://your-kibana-server.com
kibana-htpasswd-prompt
Conclusion: With the htpasswd in place, it provides an extra layer of authorized access to your sensitive urls.. in effect now you need to enter the htpasswd logins to access the same kibana dashboard.

Mounting the external volumes to jenkins docker container

Creating a docker volume

To use the external volume for our future container, we need to format a filesystem on the volume.
We use the ext4 filesystem to format our block device, we will demonstrate that as follows:

vamshi@node03:~$ sudo mkfs.ext4 /dev/sdb
mke2fs 1.43.4 (31-Jan-2017)
Discarding device blocks: done
Creating filesystem with 524288 4k blocks and 131072 inodes
Filesystem UUID: bc335e44-d8e9-4926-aa0a-fc7b954c28d1
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

Here is the command to create a volume by mentioning the path to the block device and using it in the local scope

docker volume create jenkins_vol1 --driver local --opt device=/dev/sdb
jenkins_vol1

We have successfully creates a docker volume using a block device.

Inspecting the docker volume that is created:

vagrant@node03:~$ docker volume inspect jenkins_vol1
[
    {
        "CreatedAt": "2020-05-12T17:22:11Z",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/jenkins_vol1/_data",
        "Name": "jenkins_vol1",
        "Options": {
            "device": "/dev/sdb",
            "type": "ext4"
        },
        "Scope": "local"
    }
]

Creating my jenkins container which will use the docker volume jenkins_vol1 and mount it to /var/jenkins_home/.m2

docker run -d -p 8080:8080 --name jenkins --mount 'type=volume,src=temp_vol,dst=/var/jenkins_home/.m2,
volume-driver=local' jenkins:latest

We have successfully started our container and now lots login to the container and check our volume.

jenkins@fc2c49313ddb:/$ df -hT
Filesystem     Type     Size  Used Avail Use% Mounted on
overlay        overlay   29G  4.9G   23G  18% /
tmpfs          tmpfs     64M     0   64M   0% /dev
tmpfs          tmpfs    970M     0  970M   0% /sys/fs/cgroup
shm            tmpfs     64M     0   64M   0% /dev/shm
/dev/sda3      ext4      29G  4.9G   23G  18% /var/jenkins_home
/dev/sdb       ext4     2.0G  6.0M  1.8G   1% /var/jenkins_home/.m2
tmpfs          tmpfs    970M     0  970M   0% /proc/acpi
tmpfs          tmpfs    970M     0  970M   0% /sys/firmware

As we can see from the output the mount point /var/jenkins_home/.m2 is mounted with block device /dev/sdb using a ext4 filesystem

/dev/sdb ext4 2.0G 6.0M 1.8G 1% /var/jenkins_home/.m2

Creating a 200MB temp filesystem volume.

docker volume create --name temp_vol --driver local --opt type=tmpfs --opt device=tmpfs --opt o=size=200m

The inspect of the temp_vol we created is as follows:

vamshi@node03:~$ docker volume inspect temp_vol
[
    {
        "CreatedAt": "2020-05-02T17:31:01Z",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/temp_vol/_data",
        "Name": "temp_vol",
        "Options": {
            "device": "tmpfs",
            "o": "size=100m,uid=1000",
            "type": "tmpfs"
        },
        "Scope": "local"
    }
]
docker run -d -p 8080:8080 --name jenkins --mount 'type=volume,src=jenkins_vol1,dst=/var/jenkins_home/.m2,volume-driver=local' jenkins:latest
vamshi@node03:~$ docker exec -it jenkins bash
jenkins@2267ba462aa2:/$ df -hT
Filesystem     Type     Size  Used Avail Use% Mounted on
overlay        overlay   29G  4.9G   23G  18% /
tmpfs          tmpfs     64M     0   64M   0% /dev
tmpfs          tmpfs    970M     0  970M   0% /sys/fs/cgroup
shm            tmpfs     64M     0   64M   0% /dev/shm
/dev/sda3      ext4      29G  4.9G   23G  18% /var/jenkins_home
tmpfs          tmpfs    100M     0  100M   0% /var/jenkins_home/.m2
tmpfs          tmpfs    970M     0  970M   0% /proc/acpi
tmpfs          tmpfs    970M     0  970M   0% /sys/firmware
jenkins@2267ba462aa2:/$ exit

Here is shows the mount point details:

tmpfs tmpfs 200M 0 200M 0% /var/jenkins_home/.m2

Please note the mount point /var/jenkins_home/.m2 which has 200MB space as defined.

Thus we can make use of the docker volumes and use the persistent fileystems and attach the block disks to a running container.

Create a user and Grant privileges in mysql database

mysql database user creation

The user creation process in mysql is one of the most important steps in Database administration.
Below we will list some of the Important terms of Authentication, Authorization with practical demonstration.
The process of gaining access to the database engine with an active login credentials and a login request from a trusted source network ensures Authentication.

The part where in the user is allowed to access certain tables in databases or the whole or part of the Databases determines  Authorization.

In SQL administration, The user creation process involves Authentication and Authorization with a practical implementation of a unique username id, identified by the password, the critical component is the source network identification if logging from remote hosts. The permission to specific databases ensuring the least privileges based on the desired role is one of best the practices

Let’s connect using root access to the MySQL Command-Line Tool

[vamshi@mysql01 linuxcent]$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 8.0.19 MySQL Community Server - GPL


Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

 

How to create a new mysql user and Grant the privileges

Sample Syntax:

CREATE USER 'mysql_user'@'hostname' IDENTIFIED BY 'user_password';

It is important to understand that the ‘username’ @ ‘hostname’ is a unique entry of identification pattern for Authenticating to the mysql engine.

The hostname field accepts the values such as [/code]“ip address” / 10.100.0.0/24 / localhost [/code]

And only the incoming requests will be allowed matching the user name.

The syntax for creating a user on mysql goes as follows:

Enabling access for a source of localhost identified by the authentication information

CREATE USER 'vamshi'@'localhost' IDENTIFIED BY 'user_password';

Enabling access for a source IP range of 10. network identified with /24 CIDR followed by the authentication information

CREATE USER 'vamshi'@'10.100.0.0/24' IDENTIFIED BY 'user_password';

Enabling access for a source IP range of specific hostname identified the authentication information

CREATE USER 'vamshi'@'hostname' IDENTIFIED BY 'user_password';

The First step of user access is done, Now we need to grant the access to the Databases, which grants the Privileges to perform actions on the DB by the new user.

Granting Privileges

This section deals with the Authorization;

On the mysqlcli prompt, you would need to issue the GRANT command with appropriate access permissions.

What are Privileges types in mysql?

The Grant Authorizes the Following actions

Like the ability to CREATE tables and databases, read or write FILES, and then even SHUTDOWN the server.

The most commonly used privileges are:

  • ALL PRIVILEGES: Grants all privileges to a user account.
  • SELECT: The user account is allowed to read a database.
  • INSERT: The user account is allowed to insert rows into a specific table.
  • UPDATE: The user account is allowed to update table rows.
  • CREATE: The user account is allowed to create databases and tables.
  • DROP: The user account is allowed to drop databases and tables.
  • DELETE: The user account is allowed to delete rows from a specific table.
  • PROCESS: The user is allowed to get the information about the threads executing within the server
  • SHUTDOWN: The user is allowed to use of the SHUTDOWN and RESTART statements within the server.

Now it’s time to grant the privileges to the new user on a tables belonging to a Database or all the tables on a given database;

Here’s what the Simple GRANT SQL statement looks like:

GRANT ALL PRIVILEGES ON Database_name.Table_name TO 'user@'hostname' ;

Let’s break this down and understand what we just told MySQL to do.

GRANT ALL PRIVILEGES (ALL types of Privileges) for only the given Database_Name and given Table_Name to the user Identified by ‘user@’hostname’

The Database_name and the Table_name can be replaced by the wildcard * means to every Database and Table in the Database respectively.

*.* to specify all databases on the server

database_name.* to specify all tables in one database

database_name.table_name to specify all columns of one table

The Privileges assigned to user while connecting from the source hostname can be a IP address / IP address range 10.100.0.0/24 or a DNS name or simple ‘%’ to allow access from anywhere.

Now For simplicity sake we can simulate the user vamshi will need access to only operate on the sales section of the reports Database.

GRANT ALL PRIVILEGES ON reports.sales TO 'joe@'mysql2.linuxcent.com';

What the above command does is to provide only login access to joe from mysql2.linuxcent.com and access the reports table from sales Database.

By replacing the database name with wildcard * will provide the privileges equivalent super_user level access.

This can be demonstrated as follows:

GRANT ALL PRIVILEGES ON *.* TO 'vamshi'@'%';

Or

GRANT INSERT, UPDATE, DELETE ON reports.* to 'vamshi'@'%';

How to Create Another non-root MYSQL DB Super User

This is just as a security measure whilst disabling the root login to the mysql engine.

GRANT ALL PRIVILEGES ON *.* TO 'vamshi_superuser'@'%';

Display MySQL User Account Privileges

To Display the Privileges granted to specific Mysql user Account, use the command SHOW GRANTS.

mysql> SHOW GRANTS FOR 'root'@'localhost' \G;
*************************** 1. row ***************************
Grants for root@localhost: GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `root`@`localhost` WITH GRANT OPTION
*************************** 2. row ***************************

Now to compare the results

Saving Your Changes to the MYSQL database

The changes made so far are to be saved to the special user database called the grant tables, In total there are 5 special tables in the mysql database such as

user
db
host
tables_priv
columns_priv

We commit the changes by issuing the FLUSH PRIVILEGES command at the mysql prompt:

mysql> flush privileges ;
Query OK, 0 rows affected (0.01 sec)

Initiating a docker swarm and getting the current docker swarm token

Creating a docker swarm cluster:

The docker swarm can be created by using the following command:

The syntax is defined as follows:

docker swarm init --advertise-addr [available interface IP adress]

The –advertise-addr is used to explicitly define the docker swarm advertise ip. If you have a single interface this option will not be needed but will be real handy if you have more than 1 active public accessible interfaces.
Let us initialize our docker swarm environment.

[vamshi@docker-swarm ~]$ docker swarm init --advertise-addr 10.100.0.20
Swarm initialized: current node (nodeidofmastercdq7nmmq3kcmb5l85k2e) is now a manager.

To add a worker to this swarm, run the following command:

    docker swarm join \
    --token SWMTKN-1-verylongstringofcharactercontainingthedockerswarmjoinstring-70bouyqwhfgdcgtw6o0fw6wup \
    10.100.0.20:2377

To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

The docker swarm creation can be viewed from the docker info command as follows:

[vamshi@docker-swarm ~]$ docker info | grep -C 2 Swarm
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: active
 NodeID: nodeidofmastercdq7nmmq3kcmb5l85k2e
 Is Manager: true

The docker swarm explicitly uses the overlay and macvlan to enable the interhost network connectivity between the container over a swarm network

How to get the docker swarm join token:

This command can come in very handy when you forgot your docker swarm token and you need to join a new docker node to this docker swarm cluster.

[vamshi@docker-swarm ~]$ docker swarm join-token manager -q
SWMTKN-1-verylongstringofcharactercontainingthedockerswarmjoinstring-70bouyqwhfgdcgtw6o0fw6wup

Redirect the Std error and std output 2>&1

The redirect operation > is used in conjunction with stdoutput 1 and stderr 2.

command > [/dev/null] 2>&1

2 Represents the stderror. The &1 here represents the first argument which is /dev/null

The character 2 represents the stderr which takes the entire errors printed to the screen and then appends them to the /dev/null which is the first argument represented by &1.

So the command demonstration will be the following:

$ du -sh /* > /dev/null 2>&1

This redirect command will dump the errors and the output to /dev/null.

Explanation: the default behaviour of redirection operator is to redirect the stdout and we are redirecting them to devnul and then we followup the command with 2>&1 which mentions the stderr 2 and then redirects is to /dev/null, which is denoted by &1 describing the &1 as the first argument which is /dev/null

 

 

Docker Networking basics and the types of networks

The docker networking comprises of a overlay network and enabled communication with the outside resources using it.

There are following main types of built in connectivity networking drivers namely the bridged, host, macvlan, overlay network and the null driver with no network.

The docker container networking Model CNM architecture manages the networking for Docker container.

IPAM which stands for the IP address management works in a single docker node, and aids in Enabling the network connectivity among the doccker containers. Its primary responsibility is to allocate the IP address space for the subnets, allocation of the IP addresses to the endpoints and the network etc,.

The networking in docker is essentially an isolated sandbox environment, The isolation of the networking resources is possible by the namespaces

The overlay network enables the communication enabled the network spanning across many docker nodes on an environment like the Docker swarm network, The same networking logic is evident in a bridge networking but it is ony limited to a single docker host unlike the overlay network.

Here’s the output snippet from the docker info command; Listing the available network drivers.

# docker info
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay

The container networking enables connectivity inbetween the docker containers and also the host machine to docker container and vice-versa.

Listing the default networks in docker:

[vamshi@node01 nginx]$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
68b2ffd36e8f        bridge              bridge              local
c1aca4c87a2b        host                host                local
d5e48683def8        none                null                local

When a container is created by default it connects to the bridge network unless an extra arguments are specified.

When you install the docker by default a docker0 virtual interface is created which behaves as a bridge between the docker containers and the host system.

[vamshi@node01 nginx]$ brctl show
bridge name	bridge id		STP enabled	interfaces
docker0		8000.0242654b42ef	no

For brctl command we need to Install the bridge-util package.

We now examine the docker networks with docker network inspect.

Inspecting the various docker networks:

Inspecting the bridge network:

The bridge networking enables the network connectivity over the dockers in a single docker server host.

[vamshi@node01 nginx]$ docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "68b2ffd36e8fcdc0c3b170dfdbdbc93bb58351d1b2c011abc80709928463f809",
        "Created": "2020-05-23T10:28:27.206979057Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Containers": {},
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

This bridge is shown with the ip addr command as follows:

# ip addr show docker0 
   docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:65:4b:42:ef brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:65ff:fe4b:42ef/64 scope link 
       valid_lft forever preferred_lft forever

Inspecting the host network.

[vamshi@node01 ~]$ docker network inspect host 
[
    {
        "Name": "host",
        "Id": "c1aca4c87a2b3e7db4661e0cdedc97245cd5dfdc8aa2c9e6fa4ff1d5ecf9f3c1",
        "Created": "2019-05-16T18:46:19.485377974Z",
        "Scope": "local",
        "Driver": "host",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": []
        },
        "Internal": false,
        "Attachable": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]

Inspecting the null driver network

[vamshi@node01 ~]$ docker network inspect none
[
    {
        "Name": "none",
        "Id": "d5e48683def80b2e739b3be95e58fb11abc580ce29a33ba0df679a7a3972f532",
        "Created": "2019-05-16T18:46:19.477155061Z",
        "Scope": "local",
        "Driver": "null",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": []
        },
        "Internal": false,
        "Attachable": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]

 

The following are special networking architectures to span across multihost docker servers enabling network connectivity among the docker containers.

1.Overlay network

2 macvlan network.

Let us inspect the multi host networking:

The core components of the docker interhost network consists of

Inspecting the overlay network:

[vamshi@docker-master ~]$ docker network inspect overlay-linuxcent 
[
    {
        "Name": "overlay-linuxcent",
        "Id": "qz5ucx9hthyva53cydei0y8yv",
        "Created": "2020-05-25T13:22:35.087032198Z",
        "Scope": "swarm",
        "Driver": "overlay",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "10.255.0.0/16",
                    "Gateway": "10.255.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Containers": {
            "ingress-sbox": {
                "Name": "overlay-linuxcent-endpoint",
                "EndpointID": "165beb97b22c2857e3637119016ef88e462a05d3b3251c4f66aa0fc9176cfe67",
                "MacAddress": "02:42:0a:ff:00:03",
                "IPv4Address": "10.255.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "4096"
        },
        "Labels": {},
        "Peers": [
            {
                "Name": "node01.linuxcent.com-95ad856b6f56",
                "IP": "10.100.0.20"
            }
        ]
    }
]

The endpoint is the Virtual IP addressing that routes the traffic to the respective containers running on individual docker nodes.

Inspecting the macvlan network:

vamshi@docker-master ~]$ docker network inspect macvlan-linuxcent 
[
    {
        "Name": "macvlan-linuxcent",
        "Id": "99c6a20bd4029ce5a37139c6e6792ec4f8a075c94b5f3e71efc32d92d41f3f89",
        "Created": "2020-05-25T14:20:00.655299409Z",
        "Scope": "local",
        "Driver": "macvlan",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.20.0.0/16",
                    "Gateway": "172.20.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]