User Namespace Isolation in Docker

There is a cool feature in Docker called userns-remap, which I discovered while doing my RaspberryPi home server project (15#issuecomment-1296311979). I can just enable userns-remap and Docker does all the remapping of the UID and GID inside the container to a non-root user on the host. https://docs.docker.com/engine/security/userns-remap/

How to enable

*It is better to reinstall Docker and remove all existing Docker volumes.

Add the below to /etc/docker/daemon.json:

{ "userns-remap": "default" }

Restart the Docker daemon:

$ sudo systemctl restart docker

Ansible automation here

In-Action

# Run the Nginx container
$ docker run -it -d nginx

# Inside, the process thinks it is running as root!
veerendra@atom:~$ docker exec -it nginx whoami
root

# But outside (in the host namespace), the process is running as a non-root user
veerendra@atom:~$ ps aux | grep nginx
165536 350093 0.0 0.0 6320 4688 ? Ss 03:21 0:00 nginx: master process nginx -g daemon off;
165637 350208 0.0 0.0 6788 4288 ? S 03:21 0:01 nginx: worker process
165637 350209 0.0 0.0 6784 4284 ? S 03:21 0:00 nginx: worker process
165637 350210 0.0 0.0 6784 4284 ? S 03:21 0:01 nginx: worker process
165637 350212 0.0 0.0 6784 4284 ? S 03:21 0:01 nginx: worker process
veerend+ 937492 0.0 0.0 6420 1844 pts/0 S+ 16:22 0:00 grep --color=auto nginx

As you can see, I have not specified any user while deploying the container, but the user inside the container is isolated, i.e. remapped to a non-root user (uid:165637, gid:165637) on the host ...

November 11, 2022 · 2 min · Veerendra K

Pi-hole with DHCP Relay in Docker

Introduction

I have been working on a RaspberryPi home server project for quite some time. The project is a collection of applications to run on a RaspberryPi, and all applications are deployable with docker-compose files and Ansible automation. One of the applications I was configuring is Pi-hole, a network-wide ad-blocker. I decided to use Pi-hole also as the DHCP server for my LAN. When I looked into the docs, it says it has to be run with network_mode: host, because that allows Pi-hole to listen to DHCP broadcast packets. If Pi-hole is deployed in bridge mode, there is a Linux bridge (think of it as a router for a second!) which won't forward broadcast packets. ...

November 10, 2022 · 3 min · Veerendra K

Strimzi Kafka Disaster Recovery with Velero

Introduction

Hello my dear fellow humans, hope you are having a great day. Today's guide is on how to recover from a disaster for Strimzi Kafka with Velero. First of all, what is Strimzi Kafka? https://strimzi.io Strimzi provides a way to run an Apache Kafka cluster on Kubernetes in various deployment configurations. A while back, I worked on a Strimzi Kafka deployment on OpenShift; it is very easy to set up and manage a production-level Kafka cluster on Kubernetes. I have to give credit to the Strimzi project team, who did a great job on documentation, support on GitHub discussions and active development. ...

September 24, 2022 · 10 min · Veerendra K

Elasticsearch Configuration Overview

👉 This writeup is part of the "Elasticsearch Deploy Docs" series.

Important Elasticsearch Configuration 📄 Official Docs

Mainly 3 configuration files:
elasticsearch.yml - Elasticsearch config
jvm.options - Elasticsearch JVM settings config
log4j2.properties - Elasticsearch logging config

Environment Variables
export ES_PATH_CONF
/etc/default/elasticsearch (environment variables are sourced from this file. Recommended)

Settings 📄 Official Docs

Before going to production, it is recommended to go through the Elasticsearch configs below. Refer to the sample_config directory for configuration.

Configuration | Description | Configuration Reference
--- | --- | ---
Path settings | Log and data config | Refer here
Cluster name | Cluster name | Refer here
Node name | Node name | Refer here
Network host | IP address that Elasticsearch binds on | Refer here
Discovery settings | Cluster discovery and initial master config | Refer here
Heap size | JVM heap memory configuration. The recommended heap size is half of system memory. Make sure min and max heap memory are set to the same value. | Refer here
Heap dump path | Heap dump location path config. Default config is sufficient. | Refer here
GC logging | Garbage collection logging configuration. Default config is sufficient. | Refer here
Temp directory | Configure a private temporary directory for Elasticsearch that is excluded from periodic cleanup |

Important System Configuration 📄 Official Docs ...

September 10, 2022 · 4 min · Veerendra K

Elasticsearch Installation

👉 This writeup is part of the "Elasticsearch Deploy Docs" series.

Install 📄 Official Docs

Hardware Requirement 📄 Official Docs

Resource | Minimum | Recommended
--- | --- | ---
Memory | 16 GB | 64 GB
CPU | 8 Cores | 16
Disk | Depends | Depends

JDK Installation

Pick the JVM version compatible with Elasticsearch from here. Install OpenJDK from here. Download and install JDK 11 (another guide here):

$ apt-get install openjdk-11-jdk -y
$ java -version
openjdk version "11.0.6" 2020-01-14
OpenJDK Runtime Environment (build 11.0.6+10-post-Ubuntu-1ubuntu118.04.1)
OpenJDK 64-Bit Server VM (build 11.0.6+10-post-Ubuntu-1ubuntu118.04.1, mixed mode, sharing)

Elasticsearch Installation

Download the latest Elasticsearch from here (as of today the latest version is 7.6.2). It is recommended to download/install the package via .deb or PPA, whose post-install scripts create the user and group and register the service under systemd. Install via apt-get from here ...

September 10, 2022 · 12 min · Veerendra K

Elasticsearch Upgrade

👉 This writeup is part of the "Elasticsearch Deploy Docs" series.

Rolling Upgrade Elasticsearch 📄 Official Docs

⚠️ A rolling upgrade allows an Elasticsearch cluster to be upgraded one node at a time, so upgrading does not interrupt service.

As of now, the current latest version of Elasticsearch is v7.7.1. The procedure below is for a rolling upgrade from 7.6.2=>7.7.1.

1. Divide the cluster into 2 groups (example node names: carbon-x)
   a. Non master-eligible nodes: carbon-2, carbon-3
   b. Master-eligible nodes: carbon-1

Upgrade order (Important!) ...

September 10, 2022 · 3 min · Veerendra K

Kibana Installation

👉 This writeup is part of the "Elasticsearch Deploy Docs" series.

Kibana Installation 📄 Official docs

❗ Elasticsearch should be up and running before you start the Kibana installation procedure.

Install via apt-get from here. As of today the Kibana version is 7.6.2.

$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
$ sudo apt-get install apt-transport-https
$ echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
$ sudo apt-get update && sudo apt-get install kibana

Configure Kibana

Refer to the kibana.yml configuration file in the current directory and modify it accordingly ...

September 10, 2022 · 2 min · Veerendra K

Elastalert Demo Config

👉 This writeup is part of the "Elasticsearch Deploy Docs" series.

Elastalert 📄 Official docs 📂 Official project Repo

Elastalert is developed by Yelp and written in Python; it queries docs in Elasticsearch and sends alerts depending on the rules. Since Elastalert is not an Elasticsearch plugin, we can install it wherever we want to.

Installation

❗ Refer to elasticsearch-deploy-notes/elastalert for example config.

$ sudo apt-get install python3-pip
$ sudo pip3 install elastalert
$ sudo pip3 install -U PyYAML
$ mkdir -p /opt/elastalert/rules
## Copy alert rules yaml files and config file to /opt/elastalert and /opt/elastalert/rules accordingly from this repo

It is recommended to create an index in Elasticsearch for Elastalert to store its metadata:

$ elastalert-create-index
Elastic Version: 7.7.0
Reading Elastic 6 index mappings:
Reading index mapping 'es_mappings/6/silence.json'
Reading index mapping 'es_mappings/6/elastalert_status.json'
Reading index mapping 'es_mappings/6/elastalert.json'
Reading index mapping 'es_mappings/6/past_elastalert.json'
Reading index mapping 'es_mappings/6/elastalert_error.json'
New index elastalert_status created
Done!

Test rules if needed:

$ elastalert-test-rule --config /opt/elastalert/config.yaml /opt/elastalert/rules/heartbeat_checks.yml

Postfix Gmail SMTP

In order to use Gmail as SMTP, you need to enable 2-factor authentication and generate an app password ...

September 10, 2022 · 2 min · Veerendra K

Velero Deployment with Kustomize (Azure)

Introduction

Hello guys, today I came up with an interesting write-up: how to set up backup and restore with Velero on Kubernetes. A year back I worked on Strimzi Kafka, a deployment solution for running production-level Kafka on Kubernetes. Strimzi Kafka uses a persistent volume (PV) as its disk, which is a managed disk from a cloud provider (e.g. Azure, AWS, etc.), but I couldn't find a proper backup solution for configuring PV backup and restore. Sure, you can configure these managed disk backups from Terraform or manually in the cloud provider portals. But tools like Velero back up the PV from the Kubernetes side, which is more visible and easier to manage, as you will see in a moment. ...

September 3, 2022 · 10 min · Veerendra K

Moving to Hugo and other updates!

It has been 2 years since I wrote a new post. Due to busy work, moving to a new city, new jobs and getting married, I wasn't able to keep up with writing blog posts. Finally, I'm back now. I have been thinking of changing blog themes for a long time. I spent some time exploring Jekyll themes and tried to modify them according to my requirements, as you can see in this GitHub issue here. ...

August 27, 2022 · 2 min · Veerendra K