Apple: How to Work with Terminal in Mac

macOS, the system on iMacs and MacBooks, is a certified UNIX underneath its graphical shell: Darwin, a BSD-derived kernel and userland. Anything you need to set up or automate can therefore be done from the command line with a UNIX shell.

The shell is available on every Mac. On iPhones and iPads the same Darwin core is present, but no shell is exposed to the user.

How to start the Mac Terminal?

Open Launchpad from the Dock, find the Terminal icon (it lives in the Other group, on disk at /Applications/Utilities/Terminal.app) and launch it.

First commands

This command prints the current working directory:

pwd

Since macOS is a UNIX, the whole file system is one tree rooted at "/". Under "/" sit the individual directories and files in a tree structure. macOS uses a BSD-style layout (/Users for home directories, /System, /Applications, /private) rather than the Linux Filesystem Hierarchy Standard described later on this page, but the commands for moving around the tree are identical.

Use this command to list the contents of the directory you are currently in:

ls -l

The first column shows the type (d = directory, - = regular file, l = symbolic link) followed by three permission triads (r = read, w = write, x = execute) for, in this order, the owner, the group and everyone else. The second column is the number of hard links, the third the owner, the fourth the group, the fifth the size in bytes, then the modification date and time, and finally the file name. On macOS a trailing @ or + after the mode means the file carries extended attributes or an ACL that ls -l does not show; use ls -le or xattr -l to see them.
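The triads are easy to misread by eye, so here is an added example (not from the original article) that parses ls -l output into its columns, converts the mode into the octal form chmod uses, and flags the entries that deserve a second look when reviewing a directory: setuid/setgid binaries and world-writable files. The listing it runs on is constructed for the example; on a real Mac feed it the output of ls -l.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format `ls -l` prints; not captured from a real machine.
SAMPLE_LS = """\
total 16
drwxr-xr-x@  5 alice  staff   160 Mar  3 10:22 Documents
-rwsr-xr-x   1 root   wheel  1234 Jan 12 09:00 helper
-rw-rw-rw-   1 alice  staff    42 Feb 28 17:45 notes.txt
-rw-r--r--   1 alice  staff   512 Feb 28 17:46 README
lrwxr-xr-x   1 alice  staff     6 Feb 28 17:47 latest -> README
"""

# Type letter plus three rwx triads; s/S, t/T encode setuid, setgid and sticky.
MODE_RE = re.compile(r"^[-dlbcps][rwxsStT-]{9}$")


@dataclass
class Entry:
    kind: str    # '-' file, 'd' directory, 'l' symlink, ...
    mode: str    # the nine permission characters
    links: int
    owner: str
    group: str
    size: int
    mtime: str
    name: str


def parse_ls_line(line):
    """Split one `ls -l` line into its columns; returns None for lines that are not entries."""
    fields = line.split(None, 8)
    if len(fields) < 9:
        return None
    # macOS appends @ (extended attributes) or + (ACL); GNU ls appends . or + for SELinux/ACLs.
    mode_field = fields[0].rstrip("@+.")
    if not MODE_RE.match(mode_field):
        return None
    name = fields[8].split(" -> ")[0]   # keep only the link name for symlinks
    return Entry(mode_field[0], mode_field[1:], int(fields[1]), fields[2], fields[3],
                 int(fields[4]), " ".join(fields[5:8]), name)


def mode_to_octal(mode):
    """Turn 'rwsr-xr-x' into the numeric mode chmod understands (0o4755 here)."""
    bits = 0
    for ch in mode:
        bits = (bits << 1) | (ch in "rwxst")   # lowercase s/t also carry the execute bit
    if mode[2] in "sS":
        bits |= 0o4000   # setuid
    if mode[5] in "sS":
        bits |= 0o2000   # setgid
    if mode[8] in "tT":
        bits |= 0o1000   # sticky
    return bits


def risky(entry):
    """Reasons an entry deserves a second look during a review of a directory."""
    m = mode_to_octal(entry.mode)
    reasons = []
    if m & 0o4000:
        reasons.append("setuid")
    if m & 0o2000:
        reasons.append("setgid")
    # A symlink's own mode is meaningless; the target's permissions are what count.
    if m & 0o002 and entry.kind != "l":
        reasons.append("world-writable")
    return reasons


def audit(listing):
    """Map name -> reasons for every flagged entry in a full `ls -l` listing."""
    findings = {}
    for line in listing.splitlines():
        entry = parse_ls_line(line)
        if entry is None:
            continue
        reasons = risky(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings
```

On a real system the same check is usually done with find (find / -perm -4000 for setuid files), but parsing the listing shows exactly which character of the mode field carries each bit.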

Use this command to change the current working directory (here to /Users, where macOS keeps home directories; /home exists on a Mac but is only an empty automount point):

cd /Users

Without an argument, cd changes to your home directory, whose path is held in the $HOME variable.

Do you want to view the contents of a shell variable, for example $HOME? It is simple:

echo $HOME

How to use the Terminal: basic advice

Hint #1: Press the up arrow to recall previous commands.

Hint #2: Ctrl-A moves the cursor to the start of the line, Ctrl-E to the end of the line.

Hint #3: Select text with the mouse, then use Cmd-C and Cmd-V (or the right-click menu) to copy and paste.

Hint #4: The panic button: Ctrl-C interrupts the running command and returns you to the prompt. Try it by entering the yes command, which prints the letter y endlessly, and stop it with Ctrl-C.

Most useful commands in terminal

Overview of disk usage
This command shows the usage of the disks mounted on your computer:

df -aH

Option -H prints sizes in human-readable units (powers of 1000; use -h for powers of 1024), and -a lists all mounted file systems, including the pseudo file systems that are normally hidden.

Which folder takes up the disk space?
cd into the folder you want to measure, or check the whole file system starting from /. This command prints, for each top-level entry, how much space it occupies:

du -sh /* 2>/dev/null

The trailing 2>/dev/null redirects standard error to /dev/null, so the "Permission denied" and "Operation not permitted" messages for directories you cannot read are not shown. Rerun with sudo if you need the complete picture.

What is the Mac doing now? Which processes are most active?

This command displays the most active processes.

top

Each process has a PID (process ID) that identifies it uniquely and that you use, for example, to terminate it. Press q to quit top.

How to find and kill a particular process by name?

This command looks for bash, the shell you are running, in the process list (the final grep -v grep drops the grep process itself, which would otherwise match its own argument):

ps aux | grep bash | grep -v grep

The second column is the PID; in my case it is 2335. Use this command to terminate the program. Beware: this kills your own shell, so the Terminal window disappears! Muhaha 😀

kill 2335

kill sends SIGTERM, which a well-behaved program handles by shutting down cleanly; kill -9 sends SIGKILL, which cannot be caught or ignored, so keep it for programs that do not react to SIGTERM. pgrep bash and pkill bash do the search and the kill by name in one step.

What is currently happening in the system? What is bothering the Mac?
With this command you follow the system log as it grows:

tail -f /var/log/system.log

Quit tail with Ctrl-C. On macOS 10.12 (Sierra) and later the unified logging system replaced this file, so it stays empty; use log stream to follow live messages and log show --last 1h to query the recent past.

Where do I Find Bash

bash is an ordinary executable installed in the standard binary directories of your operating system, typically /bin/bash or /usr/bin/bash. On macOS the bundled /bin/bash is an old 3.2 release and the default login shell has been zsh since macOS Catalina, so a current bash installed with Homebrew usually lives under /opt/homebrew/bin or /usr/local/bin.

If your operating system does not ship bash (FreeBSD, Windows), install it from the system's package manager (pkg install bash on FreeBSD) or download and build the source from gnu.org. Windows users can use Cygwin, Git Bash or WSL.

Bash supports two distinct modes of operation: interactive and non-interactive. In interactive mode, bash waits for you to enter commands. In non-interactive mode, bash executes the commands of a script file without waiting for user input.

Assuming bash is installed, you can run it from the terminal; most terminal emulators start your login shell automatically. To find out which shell that is, enter:

echo $SHELL

Output: /bin/bash

Note that $SHELL names your login shell, not necessarily the shell that is running: if you started bash from zsh, $SHELL still says /bin/zsh. The path of the running bash is in $BASH, a variable only bash sets:

echo $BASH

Output: /bin/bash

If you are not sure which shell you are in, enter:

echo $0

Output: -bash

$0 holds the name of the running program, here the shell itself; the leading dash marks it as a login shell. ps -p $$ -o comm= shows the same thing without depending on shell variables.

Linux: File System Hierarchy

This tutorial describes the Filesystem Hierarchy Standard (FHS), which specifies the directories a Linux system must provide and what belongs in each. The root directory is "/" and should contain only the subdirectories listed below (on many current distributions /bin, /sbin and /lib are symbolic links into /usr after the "usr merge", but the layout seen by users is the same).

/bin

  • Essential command-line binaries (ls, grep, mkdir, ...)
  • Usable by everyone: the system, the administrator and normal users
  • Must be available in single-user mode, i.e. before /usr is mounted

/boot

  • Everything required for the boot process
  • The kernel image and its initramfs
  • Boot loader files: GRUB (GRand Unified Bootloader) or the older LILO (LInux LOader)

/sbin

  • Essential system binaries
  • Programs used by the system and the administrator (fsck, ip, ...)
  • Normal users can run programs in /sbin only if the binaries permit it, and most of them need root anyway
  • Usually /sbin is not in a normal user's $PATH

/dev

  • Device files, one per device
  • Populated dynamically by the kernel (devtmpfs) and udev on modern systems; the static /dev/MAKEDEV script is the legacy way to create device nodes
File      Description
sda       First SCSI/SATA disk
md0       First meta disk (software RAID array)
ttyS0     First serial port
lp0       First parallel printer
null      Discards everything written to it; reads return end-of-file
random    Cryptographically secure random bytes; may block until the kernel's entropy pool has been initialized
urandom   Output of the same CSPRNG, never blocks; the usual source for application keys and nonces

/etc

File                 Description
passwd               User account information (name, UID, GID, home directory, shell); the password hashes live in /etc/shadow, readable only by root
fstab                Partitions and storage devices to mount, and where
rc, rc.d, rcX.d      Run-command scripts executed when the OS starts under SysV init (on systemd systems the units live under /etc/systemd and /lib/systemd)

/home

  • Home directories of users
  • User data and per-user settings (dotfiles such as ~/.bashrc)
  • May be subdivided by group (school, office, finance)

/root

  • Home directory of the root user
  • Normal users have no permission to enter it

/lib

  • Shared libraries needed by the programs in /bin and /sbin
  • /lib/modules: loadable kernel modules (network drivers, file system drivers, ...)

/tmp

  • Temporary files
  • Used by running programs; world-writable with the sticky bit set (mode 1777), so users cannot delete each other's files

/mnt

  • Mount point for temporarily mounted file systems
  • File systems listed in /etc/fstab are mounted when the OS starts
  • Network file systems
  • /media: removable media (DVD, USB)

/usr

  • Programs and libraries installed from the OS distribution
  • Readable by everyone; shareable and read-only in normal operation
  • /usr/
Directory   Description
local       Software installed by the administrator on this machine, outside the package manager
X11R6       X Window System files (legacy location)
bin         Almost all user commands
sbin        Non-essential system binaries, usually server daemons
include     Header files for C
lib         Libraries
  • /usr/share/
Directory   Description
X11         X Window System data files
dict        Word lists
man         Manual pages
doc         Documentation
info        GNU info files
src         Source code (the FHS places it at /usr/src)

/var
Contains variable data: files that change while the OS is running.

Subdirectory   Description
log            Log files
run            Run-time variable data such as PID files and sockets (usually a tmpfs at /run, with /var/run a symlink to it)
spool          Queues of work waiting to be processed (mail, print jobs)
mail           User mailboxes
local          Variable data for the software in /usr/local
lib            State maintained by programs (package databases, etc.)
lock           Lock files indicating that a resource (database, file) is in use and should not be accessed by another process

/opt
Add-on application software from third parties, each package in its own subdirectory

/proc

  • A virtual file system created by the kernel
  • Exposes information about the system and about every process
  • Lives only in RAM
  • Takes no disk space
  • Every process has a subdirectory named after its PID
Subdirectory   Description
/PID/status    Status of the process: state, parent, real/effective UIDs and GIDs, capabilities, memory
/PID/cmdline   How the process was started and its arguments, separated by NUL bytes
/PID/maps      The contiguous virtual memory regions mapped in the process
/PID/environ   Environment of the process (readable only by its owner and root, since it often contains secrets)
  • Interesting files
File         Description
cpuinfo      CPU information
meminfo      Memory usage
version      Kernel version
cmdline      Kernel parameters passed by the boot loader
devices      Drivers registered with the kernel and their major numbers
interrupts   Which interrupts are in use and how often each has fired
ioports      Currently registered I/O port regions
dma          ISA DMA channels in use
kcore        Image of physical memory in ELF core format; readable only by root
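As an added example (not part of the original tutorial), the following Python reads the per-process files just described the way an incident responder would: it parses /proc/<pid>/status into fields, splits the NUL-separated cmdline and environ, and flags environment variables whose names suggest credentials. The sample status, cmdline and environ contents are constructed for the example; summarize_live() applies the same parsing to a real PID on a Linux host, where environ is readable only by the process owner or root.

```python
# Constructed contents of /proc/<pid>/status (a real file has many more lines).
SAMPLE_STATUS = (
    "Name:\tnginx\n"
    "State:\tS (sleeping)\n"
    "Pid:\t1234\n"
    "PPid:\t1\n"
    "Uid:\t33\t33\t33\t33\n"      # real, effective, saved, filesystem uid
    "Gid:\t33\t33\t33\t33\n"
    "CapEff:\t0000000000000000\n"  # effective capabilities as a hex bitmask
)
# Constructed /proc/<pid>/cmdline and environ: NUL-separated, NUL-terminated strings.
SAMPLE_CMDLINE = b"/usr/sbin/nginx\x00-g\x00daemon off;\x00"
SAMPLE_ENVIRON = b"PATH=/usr/bin\x00DB_PASSWORD=hunter2\x00HOME=/var/www\x00"

SECRET_MARKERS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "_KEY")


def parse_status(text):
    """Parse 'Key:\\tvalue' lines into {key: [tab-separated fields]}."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key] = value.strip().split("\t")
    return info


def split_nul(data):
    """Split a NUL-separated byte string into decoded strings, dropping the empty tail."""
    return [chunk.decode("utf-8", "replace") for chunk in data.split(b"\x00") if chunk]


def suspicious_env_names(environ):
    """Names of environment variables that look like they carry credentials."""
    hits = []
    for item in split_nul(environ):
        name = item.partition("=")[0]
        if any(marker in name.upper() for marker in SECRET_MARKERS):
            hits.append(name)
    return hits


def summarize(status_text, cmdline, environ):
    """Reduce the three files to the facts a responder wants first."""
    st = parse_status(status_text)
    return {
        "name": st["Name"][0],
        "pid": int(st["Pid"][0]),
        "ppid": int(st["PPid"][0]),
        "uid": int(st["Uid"][0]),
        "euid": int(st["Uid"][1]),
        "cap_eff": int(st["CapEff"][0], 16),
        "cmdline": split_nul(cmdline),
        "secret_env": suspicious_env_names(environ),
    }


def summarize_live(pid):
    """Same summary for a running process; Linux only, and environ needs ownership or root."""
    base = f"/proc/{pid}"
    with open(f"{base}/status") as f:
        status = f.read()
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read()
    try:
        with open(f"{base}/environ", "rb") as f:
            environ = f.read()
    except PermissionError:
        environ = b""
    return summarize(status, cmdline, environ)
```

A non-zero CapEff for a process running as an unprivileged UID is the kind of detail worth noticing: the process was granted capabilities (via file capabilities or ambient capabilities) even though it is not root.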

/lost+found

  • Files recovered by fsck after a crash or file system damage
  • Each ext2/3/4 partition has its own lost+found directory at its root

How To Restart Jenkins Safely

Jenkins exposes both a web user interface and an HTTP API; the restart endpoints below are plain URLs on the Jenkins server, so they can be triggered from a browser or from a tool such as curl.

Process to restart jenkins server safely

Here is our jenkins server hosted on our url: http://jenkins.linuxcent.com:8080

The API request to restart Jenkins safely is http://YourJenkins-url-or-ip/safeRestart, for our server:

http://jenkins.linuxcent.com:8080/safeRestart

This option is the reliable one: Jenkins stops scheduling new builds, waits for the running ones to complete and only then restarts. Opening the URL in a browser only shows a confirmation page; the restart itself is performed by a POST to the same path, which requires an account with Overall/Administer permission and, unless you authenticate with an API token, a CSRF crumb.

[Screenshot: Safe Restart Jenkins from the UI API]

Force restart option in Jenkins

http://jenkins.linuxcent.com:8080/restart
This option restarts Jenkins immediately; builds that are still running are aborted.
[Screenshot: Forceful restart of Jenkins from the UI API]
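Because the restart endpoints accept a GET only to show the confirmation page, a script has to POST with credentials. Here is an added example (not part of the original post) that performs the safe or forced restart with Python's standard library: it authenticates with HTTP basic auth, uses an API token (which Jenkins exempts from CSRF checks) or fetches a crumb from /crumbIssuer/api/json when a password is used instead, and treats the 503 Jenkins returns while going down as a normal outcome. The host name, user and token are placeholders; the opener parameter exists so the function can be exercised without a live server.

```python
import base64
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def _basic_auth_header(user, secret):
    """HTTP basic auth; `secret` is a Jenkins API token (preferred) or the password."""
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def fetch_crumb(base_url, user, password, opener=urlopen):
    """Fetch the CSRF crumb a password-authenticated POST must carry.
    Returns {crumbRequestField: crumb}, ready to merge into request headers."""
    req = Request(f"{base_url.rstrip('/')}/crumbIssuer/api/json",
                  headers=_basic_auth_header(user, password))
    with opener(req) as resp:
        issuer = json.loads(resp.read())
    return {issuer["crumbRequestField"]: issuer["crumb"]}


def restart_jenkins(base_url, user, secret, safe=True, api_token=True, opener=urlopen):
    """POST to /safeRestart (wait for running builds) or /restart (abort them).

    Returns the HTTP status code. Jenkins answers 503 Service Unavailable once it has
    begun shutting down, so 503 is the expected result of a successful restart.
    """
    path = "/safeRestart" if safe else "/restart"
    headers = _basic_auth_header(user, secret)
    if not api_token:
        # API tokens are exempt from CSRF protection; a password is not.
        headers.update(fetch_crumb(base_url, user, secret, opener))
    req = Request(f"{base_url.rstrip('/')}{path}", data=b"", method="POST", headers=headers)
    try:
        with opener(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Placeholder host and credentials; replace with your own Jenkins and API token.
    print(restart_jenkins("http://jenkins.linuxcent.com:8080", "admin", "api-token-here"))
```

Use an API token rather than a password for automation: tokens can be revoked individually, and the script does not need to fetch a crumb.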

Restart the Jenkins server from the command line

The service manager can restart Jenkins as well, but this is always a forceful restart: builds that are running are killed.

It stops and starts the Jenkins service; running stop and then start separately gives the same result.

[vamshi@jenkins jenkins]$ sudo systemctl restart jenkins

On older SysV init servers you can initiate the restart with the service command:

[vamshi@jenkins jenkins]$ sudo service jenkins restart

How do you restart Jenkins?

Go to the Jenkins installation directory, open cmd and run:

  • To stop: jenkins.exe stop.
  • To start: jenkins.exe start.
  • To restart: jenkins.exe restart.

Which command restarts Jenkins manually?

To restart Jenkins manually, open either of the following URLs in a browser (jenkins_url is the address of your server):

  • jenkins_url/safeRestart allows all running jobs to complete before restarting.
  • jenkins_url/restart forces a restart without waiting for builds to complete.

What is the command to restart Jenkins service on Windows?

  • To stop: jenkins.exe stop.
  • To start: jenkins.exe start.
  • To restart: jenkins.exe restart.

How long does it take to restart Jenkins?

I also restarted the Jenkins service and it worked. It did take 3-4 minutes after I restarted the service for the page to load, though, so be patient before moving on to something else.

How do I restart Jenkins in Kubernetes?

Just run kubectl delete pods -l run=jenkins-ci, which deletes all pods with that label (your Jenkins containers). Because they belong to a Deployment, the controller recreates them, and Service routing is adjusted automatically (again through the label selector).

How do I set Jenkins to restart itself?

Jenkins -> Manage Jenkins -> Manage Plugins -> search for Safe Restart -> install it. A Restart Safely entry then appears on the dashboard.

How do I start Jenkins on a port other than 8080?

  • Go to the directory where you installed Jenkins (by default under Program Files/Jenkins)
  • Open the jenkins.xml configuration file.
  • Search for --httpPort=8080 and replace 8080 with the port number you want.
  • Restart Jenkins for the change to take effect.

How do I start Jenkins on Mac?

Terminal and Start / Stop daemon
Start Jenkins: sudo launchctl load /Library/LaunchDaemons/org.jenkins-ci.plist.
Stop Jenkins: sudo launchctl unload /Library/LaunchDaemons/org.jenkins-ci.plist.

How do I run Jenkins job daily?

The steps to schedule a job in Jenkins:

  • Click Configure on the job.
  • Scroll down to the Build Triggers section.
  • Tick Build periodically and enter a cron-style schedule; H 2 * * * runs the job once a day at a minute Jenkins picks within the 2 a.m. hour, which spreads load.

How do I open Jenkins?

To start Jenkins from the command line:

  1. Open a command prompt.
  2. Go to the directory where your war file is placed and run: java -jar jenkins.war

How to get the Docker container IP?

The metadata of a container can be extracted with the docker inspect command. The --format (-f) option takes a Go template that is evaluated against the container's JSON document, so any field of the docker inspect output can be selected:

[vamshi@node01 ~]$ docker inspect <container-name | container-id> -f '{{ .NetworkSettings.IPAddress }}'
172.17.0.2
[vamshi@node01 ~]$ docker inspect my-container --format='{{ .NetworkSettings.IPAddress }}'
172.17.0.2
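The one-liner above prints an empty string for a container attached to a user-defined network (the default for Compose projects), because .NetworkSettings.IPAddress is filled only on the default bridge; the addresses then sit under .NetworkSettings.Networks.<name>.IPAddress. As an added example (not from the original post), the following Python parses the same JSON document the Go template walks and returns an address per network plus the published ports. The sample inspect document is constructed for the example; inspect_live() runs the real command for a named container.

```python
import json
import subprocess

# Constructed `docker inspect` document for a container on a user-defined network.
# The shape follows the Engine API; the IDs and addresses are made up.
SAMPLE_INSPECT = """[
  {
    "Id": "0123456789ab",
    "Name": "/my-container",
    "NetworkSettings": {
      "IPAddress": "",
      "Ports": {
        "8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}],
        "9090/tcp": null
      },
      "Networks": {
        "app_net": {"IPAddress": "172.18.0.3", "Gateway": "172.18.0.1"}
      }
    }
  }
]"""


def container_ips(inspect_json):
    """Return {network: ip} for every network the container is attached to.

    .NetworkSettings.IPAddress is filled only on the default bridge. On user-defined
    networks it is "" and each address lives under .NetworkSettings.Networks.<name>.
    """
    docs = json.loads(inspect_json)
    if not docs:
        return {}
    settings = docs[0]["NetworkSettings"]
    ips = {name: net.get("IPAddress", "")
           for name, net in (settings.get("Networks") or {}).items()}
    if settings.get("IPAddress"):
        ips.setdefault("bridge", settings["IPAddress"])
    return {name: ip for name, ip in ips.items() if ip}


def published_ports(inspect_json):
    """(host_ip, host_port, container_port) for each published port.
    A HostIp of 0.0.0.0 means the port is reachable on every interface, firewall permitting."""
    settings = json.loads(inspect_json)[0]["NetworkSettings"]
    bindings = []
    for container_port, hosts in (settings.get("Ports") or {}).items():
        for host in hosts or []:   # null means exposed but not published
            bindings.append((host["HostIp"], host["HostPort"], container_port))
    return bindings


def inspect_live(container):
    """Run the real command; needs the docker CLI and access to the daemon socket."""
    raw = subprocess.run(["docker", "inspect", container],
                         capture_output=True, text=True, check=True).stdout
    return container_ips(raw), published_ports(raw)
```

The published-port check is the one to run before exposing a host: a binding on 0.0.0.0 bypasses many host firewalls, because Docker inserts its own iptables rules ahead of them.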

RBACs in kubernetes

Kubernetes provides Role-Based Access Control (RBAC) as its primary authorization mechanism.

A Role is a grouping of PolicyRules: the capabilities granted, and implicitly their limits, within a namespace.
Subjects (identities) are the users, groups or ServiceAccounts that are granted a Role.
The grant is made by a RoleBinding, which references the Role through roleRef and lists the Subjects it applies to.

Kubernetes has namespaced Role and RoleBinding objects, and cluster-wide ClusterRole and ClusterRoleBinding objects.

There is no deny rule in RBAC: permissions are purely additive, and a request is allowed if any rule in any binding for the subject matches it. The only way to take a permission away is to remove the binding that grants it.

A Role and the Subjects it applies to, combined, define a RoleBinding.

Now lets look at each of the terms in detail.

Subjects:

  • user
  • group
  • serviceAccount

Resources:

  • configmaps
  • pods
  • services

Verbs:

  • create
  • delete
  • get
  • list
  • patch
  • proxy
  • update
  • watch

You create a kind: Role with a name, then bind it to a Subject by creating a kind: RoleBinding whose roleRef points at the Role.

[vamshi@master01 k8s]$ kubectl describe serviceaccounts builduser01 
Name:                builduser01
Namespace:           default
Labels:              
Annotations:         
Image pull secrets:  
Mountable secrets:   builduser01-token-rmjsd
Tokens:              builduser01-token-rmjsd
Events:              

The role builduser-role has the verbs create, delete, get, list, patch, update and watch on every resource in its namespace. That is effectively full control of the namespace: with create on pods alone, the subject can run a pod that mounts any ServiceAccount token in the namespace, so bind a role like this only to subjects you would trust with everything in it.

[vamshi@master01 k8s]$ kubectl describe role builduser-role
Name: builduser-role
Labels:
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"builduser-role","namespace":"default"},"ru...
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
* [] [] [create delete get list patch update watch]

With roles like this you scope what a user can do in your cluster.
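To make the evaluation concrete, here is an added example (not part of the original post) that implements the core of the RBAC check over the rules: list of a Role manifest, including the * wildcard, the core API group written as "", and resourceNames. Because RBAC is additive, allowed() returns True as soon as any rule matches, and there is no way to express a denial. The manifests are constructed for the example; BUILDUSER_ROLE mirrors the rule shown in the describe output above, READ_ONE_SECRET is a tightly scoped alternative.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One entry of a Role's rules: list (apiGroups, resources, verbs, optional resourceNames)."""
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)


def _matches(patterns, value):
    """'*' in a rule matches anything; otherwise the value must be listed verbatim."""
    return "*" in patterns or value in patterns


def rule_allows(rule, verb, api_group, resource, name=None):
    """Does a single PolicyRule grant `verb` on `api_group`/`resource` (and `name`, if given)?"""
    if not _matches(rule.verbs, verb):
        return False
    if not _matches(rule.api_groups, api_group):   # core group is ""
        return False
    if not _matches(rule.resources, resource):     # subresources like "pods/log" must be listed
        return False
    if rule.resource_names:
        # A name-scoped rule only covers requests that name one object; list/watch/create do not.
        return name is not None and name in rule.resource_names
    return True


def allowed(rules, verb, api_group, resource, name=None):
    """RBAC is additive: permit if ANY rule from ANY binding matches. There is no deny rule,
    so the union of a subject's bindings is exactly what it can do."""
    return any(rule_allows(r, verb, api_group, resource, name) for r in rules)


def parse_role(role):
    """Turn the `rules:` list of a Role/ClusterRole (as a dict, e.g. from yaml.safe_load) into Rules."""
    return [
        Rule(r.get("apiGroups", [""]), r.get("resources", []), r.get("verbs", []),
             r.get("resourceNames", []))
        for r in role.get("rules", [])
    ]


# Constructed manifests. BUILDUSER_ROLE mirrors the rule in the describe output above.
BUILDUSER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "builduser-role", "namespace": "default"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"],
               "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]}],
}

# A tightly scoped alternative: read one named Secret and nothing else.
READ_ONE_SECRET = {
    "kind": "Role",
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
               "resourceNames": ["db-creds"]}],
}
```

Note what the wide role does not grant: a verb that is not listed (deletecollection, impersonate) is never inferred from the others, which is why kubectl auth can-i is the right tool to confirm an assumption before relying on it.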

View the current ClusterRoleBindings on your Kubernetes cluster:

[vamshi@master01 :~] kubectl get clusterrolebinding
NAME                                                   AGE
cluster-admin                                          2d2h
kubeadm:kubelet-bootstrap                              2d2h
kubeadm:node-autoapprove-bootstrap                     2d2h
kubeadm:node-autoapprove-certificate-rotation          2d2h
kubeadm:node-proxier                                   2d2h
minikube-rbac                                          2d2h
storage-provisioner                                    2d2h
system:basic-user                                      2d2h

A ClusterRole describes the resources and verbs accessible to the subjects bound to it; cluster-admin grants every verb on every resource and on every non-resource URL:

[vamshi@linux-r5z3:~] kubectl describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]

Listing the Roles on the cluster:

[vamshi@master01 :~] kubectl get roles --all-namespaces
NAMESPACE     NAME                                             AGE
kube-public   kubeadm:bootstrap-signer-clusterinfo             2d2h
kube-public   system:controller:bootstrap-signer               2d2h
kube-system   extension-apiserver-authentication-reader        2d2h
kube-system   kube-proxy                                       2d2h
kube-system   kubeadm:kubelet-config-1.15                      2d2h
kube-system   kubeadm:nodes-kubeadm-config                     2d2h
kube-system   system::leader-locking-kube-controller-manager   2d2h
kube-system   system::leader-locking-kube-scheduler            2d2h
kube-system   system:controller:bootstrap-signer               2d2h
kube-system   system:controller:cloud-provider                 2d2h
kube-system   system:controller:token-cleaner                  2d2h

We can further examine the RoleBinding named system::leader-locking-kube-scheduler, which is associated with the kube-scheduler ServiceAccount:

[vamshi@master01 :~]  kubectl describe rolebindings system::leader-locking-kube-scheduler -n kube-system
Name:         system::leader-locking-kube-scheduler
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  Role
  Name:  system::leader-locking-kube-scheduler
Subjects:
  Kind            Name                   Namespace
  ----            ----                   ---------
  User            system:kube-scheduler  
  ServiceAccount  kube-scheduler         kube-system

Resources are organised into API groups, which are what the apiGroups field of a rule refers to. Some of them are:

apiextensions.k8s.io, apps, autoscaling, batch, certificates.k8s.io, events.k8s.io, extensions, networking.k8s.io, policy, scheduling.k8s.io and storage.k8s.io. Kinds such as Binding, PodTemplate and Secret belong to the core group, which is written as "" in apiGroups.

The resource kinds (these are not roles) that can be named in a rule include the following; kubectl api-resources prints the authoritative list for your cluster together with each kind's API group and short name:

APIService, CertificateSigningRequest, ClusterRole, ClusterRoleBinding, ComponentStatus, ConfigMap, ControllerRevision, CronJob, CSIDriver, CSINode, CustomResourceDefinition, DaemonSet, Deployment, Endpoints, Event, HorizontalPodAutoscaler, Ingress, Job, Lease, LimitRange, LocalSubjectAccessReview, MutatingWebhookConfiguration, Namespace, NetworkPolicy, Node, PersistentVolume, PersistentVolumeClaim, Pod, PodDisruptionBudget, PodSecurityPolicy, PriorityClass, ReplicaSet, ReplicationController, ResourceQuota, Role, RoleBinding, RuntimeClass, SelfSubjectAccessReview, SelfSubjectRulesReview, Service, ServiceAccount, StatefulSet, StorageClass, SubjectAccessReview, TokenReview, ValidatingWebhookConfiguration and VolumeAttachment

Generate SSL certificates using openssl

Generate SSL certificates using openssl with a Certificate Signing Request

The files ca.key and ca.crt are the Certificate Authority's private key and certificate.

We generate the private key (.key) and the Certificate Signing Request (.csr) with the command below:

[root@node01 ssl]# openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout linuxcent.com.key -out linuxcent.com.csr -subj "/C=IN/ST=TG/L=My Location/O=Company Ltd./OU=IT/CN=linuxcent.com" -addext "subjectAltName=DNS:linuxcent.com"

The result is a PEM certificate request (.csr) and a private key (.key). The key never leaves the server. With the CSR we approach a Certificate Authority, upload it, and purchase the signed certificate together with the intermediate chain for a given number of days, typically 365.

The subject alternative name (SAN) must be requested as an X.509 extension: -addext is available since OpenSSL 1.1.1, older releases need a config file with a req_extensions section. Writing subjectAltName=DNS.1=... inside -subj does not create a SAN; it merely adds a bogus component to the Subject, and because browsers no longer look at the CN, such a certificate fails host-name validation. The -days flag belongs to certificate creation and is ignored by req -new, so it is left out when generating only a request.

Inspect the generated CSR with the openssl command as shown below:

[root@node01 ssl]# openssl req -in linuxcent.com.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=IN, ST=TG, L=My Location, O=Company Ltd., OU=IT, CN=linuxcent.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e4:b4:24:d7:22:ec:5d:c1:37:8c:d1:a0:62:17:
                    96:24:77:8d:75:4e:d5:74:15:4d:61:e0:8b:66:d6:
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:linuxcent.com
    Signature Algorithm: sha256WithRSAEncryption
         87:ef:83:b2:a6:f5:3a:f3:6f:1c:e4:02:ec:bf:5d:75:64:1d:

-- OUTPUT TRUNCATED --

The Subject carries only the distinguished name, and the SAN appears under Requested Extensions. If the host name shows up inside the Subject line instead, the request was built with subjectAltName inside -subj and must be regenerated.

In the next section we see how the .csr is signed by a CA to produce a .crt PEM certificate.

Signing a .csr with a Certificate Authority [demo purpose] with sample CA files

Here is the process for generating a certificate signed by our own demo CA. Do not use this on public-facing sites: no browser trusts this CA.

Now we use the root ca.key and ca.crt to digitally sign the .csr and generate a .crt PEM certificate.

openssl x509 is the certificate display and signing utility: it takes the CA key and certificate as input, signs a certificate request, and converts certificates between formats.

[root@node01 ssl]# openssl x509 -req -in linuxcent.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out linuxcent.com.crt -days 365 -sha256 -extfile san.ext

where san.ext is a one-line file containing subjectAltName=DNS:linuxcent.com. x509 -req does not copy extensions from the CSR (OpenSSL 3 can, with -copy_extensions copy), so without -extfile the SAN is silently dropped and the resulting certificate is useless for a browser.

We have generated the .crt file from the .csr:

[root@node01 ssl]# ls linuxcent.com.crt linuxcent.com.key 
linuxcent.com.crt linuxcent.com.key

linuxcent.com.key and linuxcent.com.crt are in place, the certificate signed by the demo CA's key; the chain can be checked with openssl verify -CAfile ca.crt linuxcent.com.crt.

Generating self-signed SSL certificates using openssl req -x509

With -x509, openssl req produces a self-signed PEM certificate directly, without a CSR or a CA.

Below is the complete command to generate the self-signed certificate:

openssl req -x509 -days 365 -sha256 -newkey rsa:2048 -nodes -keyout linuxcent.com.key -out linuxcent.com.crt -subj "/C=IN/ST=State/L=My Location/O=Company Ltd./OU=IT/CN=linuxcent.com" -addext "subjectAltName=DNS:linuxcent.com"

The -days value can be set to any number of days your requirements call for. Use a single digest option: SHA-1 signatures are rejected by current browsers, so -sha256 is the one to keep.

Self-signed certificates are commonly used on internal networks or among a small group of known people, for example within an office, and should not be used on the public internet: the browser cannot verify who issued the certificate, so it warns, and users learn to click through warnings. A self-signed certificate is trusted only after you import it into the browser or OS trust store. If you need many of them, create a private CA as above and import only the CA certificate.

Generating a wildcard certificate request.

[root@node01 ssl]# openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout linuxcent.com.key -out linuxcent.com.csr -subj "/C=IN/ST=TG/L=My Location/O=Company Ltd./OU=IT/CN=linuxcent.com" -addext "subjectAltName=DNS:*.linuxcent.com,DNS:linuxcent.com"

Listing *.linuxcent.com as a SAN creates a wildcard CSR. The bare domain is listed as well because the wildcard matches exactly one label: it covers www.linuxcent.com but neither linuxcent.com nor a.b.linuxcent.com.

The SAN extension (subjectAltName) is what lets one certificate secure several host names.

The CA signing process for a wildcard is identical; wildcard certificates usually cost more, and a single private key then protects every subdomain, so a compromise of one host exposes all of them.
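As an added, end-to-end example (not part of the original post), the Python below drives the openssl CLI through the steps above inside a temporary directory: it creates a demo CA, generates a key and CSR whose SAN is requested through a req_extensions config section (which works on every OpenSSL release, including those without -addext), signs the CSR while restating the SAN through -extfile, and finally proves that the DNS names survived into the certificate and that the chain verifies against the CA. It needs the openssl binary; all names, including the wildcard, are placeholders.

```python
import os
import subprocess
import tempfile

CA_CONFIG = """[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
"""


def _openssl(workdir, *args):
    """Run one openssl subcommand inside workdir and return its stdout."""
    return subprocess.run(["openssl", *args], cwd=workdir, check=True,
                          capture_output=True, text=True).stdout


def san_value(names):
    """Build the extension value: DNS:a.example,DNS:b.example"""
    return ",".join(f"DNS:{n}" for n in names)


def make_ca(workdir):
    """Self-signed demo CA with CA:TRUE, so `openssl verify` accepts it as a trust anchor."""
    cfg = os.path.join(workdir, "ca.cnf")
    with open(cfg, "w") as f:
        f.write(CA_CONFIG)
    _openssl(workdir, "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "30",
             "-config", cfg, "-keyout", "ca.key", "-out", "ca.crt")


def make_csr(workdir, cn, names, keyfile="server.key", csrfile="server.csr"):
    """Key plus CSR whose SAN extension lists `names`; the SAN goes in a req_extensions
    section, not in -subj, which is why this works on releases without -addext."""
    cfg = os.path.join(workdir, "csr.cnf")
    with open(cfg, "w") as f:
        f.write("[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n"
                f"[dn]\nCN = {cn}\n[v3_req]\nsubjectAltName = {san_value(names)}\n")
    _openssl(workdir, "req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-config", cfg, "-keyout", keyfile, "-out", csrfile)
    return csrfile


def sign_csr(workdir, csrfile, names, crtfile="server.crt", days=365):
    """`x509 -req` drops the CSR's extensions, so the SAN is restated through -extfile."""
    ext = os.path.join(workdir, "san.ext")
    with open(ext, "w") as f:
        f.write(f"subjectAltName = {san_value(names)}\n")
    _openssl(workdir, "x509", "-req", "-in", csrfile, "-CA", "ca.crt", "-CAkey", "ca.key",
             "-CAcreateserial", "-days", str(days), "-sha256", "-extfile", ext, "-out", crtfile)
    return crtfile


def san_names(workdir, path, kind="x509"):
    """DNS names in the SAN of a certificate (kind='x509') or a CSR (kind='req')."""
    text = _openssl(workdir, kind, "-in", path, "-noout", "-text")
    names = []
    for line in text.splitlines():
        if "DNS:" in line:
            names += [p.strip()[4:] for p in line.split(",") if p.strip().startswith("DNS:")]
    return names


def demo(names=("linuxcent.com", "*.linuxcent.com")):
    """CA, CSR, signed certificate and verification, all inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        make_ca(d)
        csr = make_csr(d, cn=names[0], names=names)
        crt = sign_csr(d, csr, names)
        verify = subprocess.run(["openssl", "verify", "-CAfile", "ca.crt", crt], cwd=d,
                                capture_output=True, text=True)
        return {"csr_san": san_names(d, csr, "req"), "crt_san": san_names(d, crt),
                "chain_ok": verify.returncode == 0}


if __name__ == "__main__":
    print(demo())
```

The last step is the one most tutorials skip: checking the issued certificate rather than the request. A CSR with a correct SAN says nothing about what the signer put into the certificate.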

Puppet: Error: Could not parse for environment : Illegal class reference

The following error appears when a module that the manifest references is not installed:

Error: Could not parse for environment production: Illegal class reference

To resolve this error you need to install the relevant puppet module from the module-repository.

For example :

Error: 'module' has no 'info' action.  See `puppet help module`.
[vamshi@node01 manifests]$ puppet module install puppetlabs-stdlib
Notice: Preparing to install into /home/vamshi/.puppetlabs/etc/code/modules ...
Notice: Created target directory /home/vamshi/.puppetlabs/etc/code/modules
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Installing -- do not interrupt ...
/home/vamshi/.puppetlabs/etc/code/modules
└── puppetlabs-stdlib (v6.3.0)

Setting up the Puppet master and the Puppet agent

Make sure the hostname is set properly on the Puppet master; hostnamectl does it.
Agents look for a master named "puppet" by default, but you can give it any name as long as the other servers can reach it by that FQDN.

If you are just starting out, it is good practice to add an alias called puppet for the master in /etc/hosts (or in DNS).

Install the Puppet yum repository so the packages can be downloaded:

[root@puppetmaster ~]# sudo rpm -Uvh https://yum.puppet.com/puppet5-release-el-7.noarch.rpm
Retrieving https://yum.puppet.com/puppet5-release-el-7.noarch.rpm
warning: /var/tmp/rpm-tmp.ibJsVY: Header V4 RSA/SHA256 Signature, key ID ef8d349f: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:puppet5-release-5.0.0-12.el7     ################################# [100%]

The NOKEY warning above means rpm could not check the signature of the release package because Puppet's signing key is not yet present; the package was fetched over HTTPS and installs that key, so the packages installed from the repository afterwards are verified. Now install the Puppet Server package from the repository:

[root@puppetmaster ~]# yum install puppetserver

Verify which packages are installed on your machine
[root@puppetmaster ~]# rpm -qa | grep -i puppet
puppetserver-5.3.13-1.el7.noarch
puppet5-release-5.0.0-12.el7.noarch
puppet-agent-5.5.20-1.el7.x86_64

Make sure the following entries are present in /etc/puppetlabs/puppet/puppet.conf under the [master] section:

[master]
certname = puppetmaster.linuxcent.com
server = puppetmaster.linuxcent.com

Enable and start the puppetserver daemon:

[root@puppetmaster ~]# systemctl enable puppetserver
[root@puppetmaster ~]# systemctl start puppetserver

The Puppet server process listens on port 8140:

[root@puppetmaster ~]# netstat -ntlp | grep 8140
tcp6       0      0 :::8140                 :::*                    LISTEN      21084/java

Setting up the Puppet agent.
Install the yum repository so the Puppet packages can be downloaded:

[vamshi@node01 ~]$ sudo rpm -Uvh https://yum.puppet.com/puppet5-release-el-7.noarch.rpm

Install the Puppet agent:

[vamshi@node01 ~]$ sudo yum install puppet-agent

Once the agent is installed, point it at the master by editing /etc/puppetlabs/puppet/puppet.conf on the agent. The server setting belongs in the [main] or [agent] section, not in [master]; the agent's certname defaults to its own FQDN and must not be set to the master's name, otherwise the agent requests a certificate under the master's identity:

[main]
server = puppetmaster.linuxcent.com

Run the agent once to set up communication with the master:

[vamshi@node01 ~]$ sudo puppet agent --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for node01.linuxcent.com
Info: Applying configuration version '1592492078'
Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
Notice: Applied catalog in 0.02 seconds

With this the agent has generated its key and submitted a certificate signing request to the master.
List the agent certificates on the master:

[root@puppetmaster ~]# puppet cert list --all
  "node01.linuxcent.com" (SHA256) 88:08:8A:CF:E3:5B:57:1C:AA:1C:A3:E5:36:47:60:0A:55:6F:C2:CC:9C:09:E1:E7:85:63:2D:29:36:3F:BF:34
[root@puppetmaster ~]# puppet cert sign node01.linuxcent.com
Signing Certificate Request for:
  "node01.linuxcent.com" (SHA256) 88:08:8A:CF:E3:5B:57:1C:AA:1C:A3:E5:36:47:60:0A:55:6F:C2:CC:9C:09:E1:E7:85:63:2D:29:36:3F:BF:34
Notice: Signed certificate request for node01.linuxcent.com
Notice: Removing file Puppet::SSL::CertificateRequest node01.linuxcent.com at '/etc/puppetlabs/puppet/ssl/ca/requests/node01.linuxcent.com.pem'

Now that the agent's request is signed, a + sign appears to the left of the agent's host name, as the following output shows:
[root@puppetmaster ~]# puppet cert list --all
+ "node01.linuxcent.com" (SHA256) 15:07:C2:C1:51:BA:C1:9C:76:06:59:24:D1:12:DC:E2:EE:C1:47:35:DD:BD:E8:79:1E:A5:9E:1D:83:EF:D1:61

The signed certificates are saved under /etc/puppetlabs/puppet/ssl/ca/signed:

[root@node01 signed]# ls
node01.linuxcent.com.pem  puppet.linuxcent.com.pem

To clean up an agent's certificate:

puppet cert clean node01.linuxcent.com

This removes the agent's entries from the master's records; to rejoin, the agent must delete its own /etc/puppetlabs/puppet/ssl directory and submit a new request, which then has to be signed again. Puppet 6 replaced puppet cert with puppetserver ca (puppetserver ca list, puppetserver ca sign --certname node01.linuxcent.com, puppetserver ca clean --certname node01.linuxcent.com).

autosign.conf can be used if you manage a large farm of agents and signing each one by hand becomes tedious: a wildcard such as *.linuxcent.com auto-approves every request whose certname matches. Keep in mind that the certname is chosen by the agent, so wildcard autosigning trusts any machine on the network that can reach port 8140 and claim a matching name, and a signed certificate lets it fetch catalogs that may contain secrets. For anything beyond a lab, prefer policy-based autosigning, where autosign points at a script that validates a pre-shared secret embedded in the CSR.

nginx reverse proxy setup for kibana dashboard

How to set up an nginx reverse proxy for Kibana.

In this demonstration we set up nginx as a reverse proxy in front of a Kibana backend, so that Kibana is reached only through nginx, which adds HTTP basic authentication in front of it.

We begin by installing the latest version of nginx on our CentOS server. The package comes from the EPEL repository, so either install epel-release first or enable the repository for this one command:

$ sudo yum install nginx -y

$ sudo yum --enablerepo=epel install nginx -y

Once the nginx package is installed, enable the daemon and start it with the following command:

[vamshi@node01 ~]$ sudo systemctl enable nginx --now
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.

Now create the nginx configuration for the Kibana backend at /etc/nginx/conf.d/kibana.conf as shown below.

The auth_basic and auth_basic_user_file lines add the Restricted Access password prompt. You may omit them if you believe they are not required, but then anyone who can reach port 80 gets the full dashboard.

[vamshi@node01 nginx]$ sudo cat conf.d/kibana.conf
server {
    # Plain HTTP: basic-auth credentials travel base64-encoded, not encrypted.
    # In production terminate TLS here (listen 443 ssl) and redirect port 80 to it.
    listen 80;
    server_name localhost;
    # Password prompt for everything under this server block.
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    location / {
        # Kibana should bind to 127.0.0.1 (server.host in kibana.yml) so this proxy is the only way in.
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

With the configuration in place, check the nginx syntax with the -t option as shown below:

[vamshi@node01 nginx]$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now restart the nginx server and head over to the browser.

$ sudo systemctl restart nginx

In your browser enter the server IP or FQDN; you are redirected to http://your-kibana-server.com/app/kibana#/home
[Screenshot: Kibana home]

Setting up the htpasswd file with the user credentials.

We now install the htpasswd tool from the package httpd-tools as follows:

$ sudo yum install httpd-tools -y

Add the user to our .htpasswd file. The -c flag creates the file and overwrites it if it already exists, so drop -c when adding further users. Keep the file readable only by root and the nginx user: htpasswd's default apr1 (MD5) hashes are cheap to crack offline.

[vamshi@node01 nginx]$ sudo htpasswd -c /etc/nginx/.htpasswd vamshi
New password: 
Re-type new password: 
Adding password for user vamshi

We have now added the authentication configuration.

With -n, htpasswd prints the entry to standard output instead of updating a file; its first argument is then taken as the user name, which is why the path appears in the user-name position below. This is handy for producing a line to paste into a file managed elsewhere.

[vamshi@node01 nginx]$ sudo htpasswd -n /etc/nginx/.htpasswd 
New password: 
Re-type new password: 
/etc/nginx/.htpasswd:$apr1$tlinuxcentMY-htpassEsHEEanL21

The stored value is a one-way hash, so a forgotten password cannot be recovered; generate a new one instead.
Verify the htpasswd login with curl:

$ curl http://kibana-url -u <htpasswd-username>
[vamshi@node01 ~]$ curl kibana.linuxcent.com -uvamshi -I
Enter host password for user 'vamshi':
HTTP/1.1 302 Found
Server: nginx/1.16.1
Date: Thu, 07 Apr 2020 17:48:35 GMT
Content-Length: 0
Connection: keep-alive
location: /spaces/enter
kbn-name: kibana
kbn-license-sig: 2778f2f7e07680b7aefa85db2e7ce7bd33da5592b84cefe62efa8
kbn-xpack-sig: ce2a76732a2f58fcf288db70ad3ea
cache-control: no-cache

If you enter invalid credentials you get a 401 error code, which shows unauthorized access being refused:

HTTP/1.1 401 Unauthorized
Server: nginx/1.16.1
Date: Thu, 07 Apr 2020 17:51:36 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
WWW-Authenticate: Basic realm="Restricted Access"

Now we head over to the browser to see the htpasswd login prompt in action:
http://your-kibana-server.com
[Screenshot: Kibana htpasswd prompt]
Conclusion: with the htpasswd file in place, nginx adds a layer of authentication in front of the Kibana dashboard; you now have to enter the htpasswd credentials to reach it. Remember that basic authentication sends the credentials with every request, only base64-encoded, so it is only as private as the transport: put TLS in front of it.