Neovim, vim-plug Setup

Set up a development and operations environment by installing Neovim and configuring vim-plug

Neovim

- https://github.com/neovim/neovim
- Vim-fork focused on extensibility and usability

Neovim install

How to install the package on each platform

```bash
# macos
$ brew install nvim

# windows
$ choco install neovim

# linux (ubuntu)
$ sudo apt install neovim

# linux (centos)
$ sudo yum install neovim
```

vim-plug install

- An extension tool that adds plugin support to Neovim : vim is supported as well
- https://github.com/junegunn/vim-plug
- Minimalist Vim Plugin Manager, similar to Vundle for vim ...

June 27, 2022 · Byung Kyu KIM

Traefik Proxy

A reverse proxy that automatically discovers Docker-based services and handles their requests

Traefik Proxy

- https://doc.traefik.io/traefik/
- Finds services through docker.sock and handles requests based on rules
- Besides Docker, supports Kubernetes, Docker Swarm, AWS, Mesos, Marathon, and others

Quick Start

- https://doc.traefik.io/traefik/getting-started/quick-start/

docker-compose.yml

- reverse-proxy : the traefik reverse proxy service
  - Discovers services in a Docker Out of Docker (DooD) style setup
  - Must be on the same Docker network as the services in order to call them
- whoami : a simple service that shows the client's request information
  - The rule for the whoami service is registered through labels
  - A Host-based rule is applied : "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
  - traefik.http.routers.<router_name>.rule=
  - Docker Routers rules
  - Rule types
  - The service must expose a port : Expose port (or Publish port)

```yaml
version: '3'

services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.6
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
      # The HTTP port
      - "80:80"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock

  whoami:
    # A container that exposes an API to show its IP address
    image: traefik/whoami
    labels:
      - "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
```

```bash
# start the reverse-proxy service
$ docker-compose up -d reverse-proxy

# start the whoami service
$ docker-compose up -d whoami

$ docker ps
CONTAINER ID   IMAGE            COMMAND     CREATED          STATUS          PORTS    NAMES
e457ff5e01cb   traefik/whoami   "/whoami"   59 minutes ago   Up 59 minutes   80/tcp   traefik_whoami_1
```

Check the router in the Dashboard ...

March 5, 2022 · Byung Kyu KIM

ReaR (Relax & Recover) Basic

ReaR (Relax & Recover), a Linux disaster recovery tool

ReaR

- https://relax-and-recover.org/
- Manual Page : https://github.com/rear/rear/blob/master/doc/rear.8.adoc
- Builds a bootable recovery system for the OS and supports backup and restore of system files

Simple Example

- Set up an NFS backup server
- Test ReaR backup and recovery
- Tested on centos7 in a Hyper-v environment
- https://access.redhat.com/solutions/2115051

NFS server setup for backups

NFS setup on the backup server

```bash
# install nfs-utils
$ sudo yum install nfs-utils

# create the directory
$ sudo mkdir -p /storage/rear

# nfs server configuration
# "*" matches any client host; no_root_squash leaves a client's root as root on the export
$ cat /etc/exports
/storage *(rw,sync,no_root_squash)

# nfs-server start
# sudo systemctl enable nfs-server
$ sudo systemctl start nfs-server
```

Target server setup

ReaR installation and setup

```bash
# nfs clients
$ sudo yum install nfs-utils

# install ReaR
$ sudo yum install rear

# install the module below if needed
# when rear -d -v mkbackup reports that the module is missing:
# WARNING: /usr/lib/grub/x86_64-efi/moddep.lst not found, grub2-mkimage will likely fail.
#          Please install the grub2-efi-x64-modules package to fix this.
$ sudo yum install grub2-efi-x64-modules
```

ReaR configuration

- https://github.com/rear/rear/blob/master/doc/user-guide/03-configuration.adoc
- /etc/rear/local.conf
- OUTPUT : rescue media, the boot image
  - ISO : create an ISO boot image
- BACKUP, BACKUP_URL : backup/restore strategy; sets the kind and location of the system files and backup data
  - NETFS : Use Relax-and-Recover internal backup with tar or rsync (or similar)
  - Created under the BACKUP_URL path in a folder named after the hostname
- BACKUP_PROG_EXCLUDE : paths to exclude from the backup

```bash
# /etc/rear/local.conf
OUTPUT=ISO
OUTPUT_URL=nfs://192.168.137.100/storage/rear
BACKUP=NETFS
BACKUP_URL=nfs://192.168.137.100/storage/rear
# BACKUP_TYPE=incremental
# FULLBACKUPDAY=Sun
# BACKUP_PROG_EXCLUDE=('/syslogs/logs/*' '/var/log/*')
```

Running the backup

- mkbackup : create rescue media and backup system
- mkbackuponly : backup system without creating rescue media
- mkrescue : create rescue media only

```bash
## verbose mode
# -d : in debug mode, the files under /tmp are not deleted
$ sudo rear -v mkbackup
```

Checking the backup data

```bash
# Backup server
$ hostname -I
192.168.137.100

# backups are stored in one directory per hostname
$ tree /storage
/storage
└── rear
    ├── node1
    │   ├── README
    │   ├── VERSION
    │   ├── backup.log
    │   ├── backup.tar.gz
    │   ├── rear-node1.iso
    │   └── rear-node1.log
    └── node2
        ├── README
        ├── VERSION
        ├── backup.log
        ├── backup.tar.gz
        ├── rear-node2.iso
        └── rear-node2.log
```

Running a recovery

Boot from the backed-up rescue media (iso), then run in recovery mode ...

February 7, 2022 · Byung Kyu KIM

Kustomize Basic

A tool for managing kubernetes manifest resources

Kustomize

- https://kubernetes.io/ko/docs/tasks/manage-kubernetes-objects/kustomization/
- A tool that manages kubernetes manifest (yaml) files as templates, then patches (merges) and deploys them
- Since kubernetes 1.14, kustomization is supported by the kubectl command

Simple Example

```bash
$ tree .
.
├── deployment.yaml
├── kustomization.yaml
└── version.yaml
```

kustomization.yaml

The file that describes the basic structure of the manifest files, the resources, and the patch files

```yaml
resources:
- deployment.yaml
patchesStrategicMerge:
- version.yaml
```

- resources : list of resource files
  - Besides resources, there are also the configMapGenerator and secretGenerator features
  - https://kubernetes.io/ko/docs/tasks/manage-kubernetes-objects/kustomization/#kustomize-%EA%B8%B0%EB%8A%A5-%EB%A6%AC%EC%8A%A4%ED%8A%B8
- patchesStrategicMerge : patch files for the resources
  - Patch : yaml file merge ...

December 15, 2021 · Byung Kyu KIM

Registering MinIO as a Windows Service

Registering MinIO as a Windows Service

MinIO Service registration

WinSW

- https://github.com/winsw/winsw
- A tool that wraps a Windows executable as a service
- Runs on Windows platforms based on .NET Framework / Core

MinIO Service

- https://github.com/minio/minio-service/tree/master/windows
- Download the latest WinSW release and write the XML configuration file

```bash
# choco install curl
# download
$ curl -LO https://github.com/winsw/winsw/releases/download/v2.11.0/WinSW-x64.exe

# rename
$ move WinSW-x64.exe minio-service.exe
```

minio-service.xml

```xml
<service>
  <id>MinIO</id>
  <name>MinIO</name>
  <description>MinIO is a high performance object storage server</description>
  <executable>minio.exe</executable>
  <env name="MINIO_ROOT_USER" value="minio"/>
  <env name="MINIO_ROOT_PASSWORD" value="minio1234"/>
  <arguments>server d:\minio\data --console-address ":9001"</arguments>
  <logmode>rotate</logmode>
</service>
```

Registering the service

- Run with Administrator privileges
- Add the minio executable to PATH, or place it in the same directory

```bash
# service install
$ minio-service.exe install
2021-12-09 15:57:24,987 INFO  - Installing service 'MinIO (MinIO)'...
2021-12-09 15:57:25,085 INFO  - Service 'MinIO (MinIO)' was installed successfully.

# service status
$ minio-service.exe status
Stopped

# service start
$ minio-service.exe start
2021-12-09 16:05:59,133 INFO  - Starting service 'MinIO (MinIO)'...
2021-12-09 16:06:00,322 INFO  - Service 'MinIO (MinIO)' started successfully.
```

December 10, 2021 · Byung Kyu KIM

Rclone Basic

A cross-platform backup and sync program written in Go and specialized for cloud storage

Rclone

- https://rclone.org/
- Supports many providers, from file and sftp to object storage such as Amazon S3 and MinIO, and cloud storage services

Install

- Download the platform binary or use a package manager
- https://rclone.org/downloads/

Rclone config

- Based on provider settings, configured through a config file

Checking the default location of the Rclone config file

```bash
# linux : check the config file location
$ rclone config file
Configuration file is stored at:
/home/<HOME>/.config/rclone/rclone.conf

# windows
$ rclone config file
Configuration file is stored at:
C:\Users\<HOME>\AppData\Roaming\rclone\rclone.conf
```

Adding an Rclone config

- Edit the config file directly or go through the interactive screen

```bash
$ rclone config
No remotes found - make a new one
n) New remote
s) Set configuration password
q) Quit config
n/s/q>
...
```

Checking the Rclone config contents

```bash
$ rclone config show
```

Rclone Provider config

Amazon S3

```ini
[mys3]
type = s3
provider = AWS
env_auth = true
region = ap-northeast-2
location_constraint = ap-northeast-2
```

```ini
[mys3]
type = s3
provider = AWS
env_auth = true
region = ap-northeast-2
location_constraint = ap-northeast-2
access_key_id = AKIAXXXXXXXXXXXXXXXX
secret_access_key = 1oxxxxxxxxxxxxxxxxxxxxxxxxx
```

MinIO

```ini
[myminio]
type = s3
provider = Minio
env_auth = false
access_key_id = KEYxxxxxxxxx
secret_access_key = PWDxxxxxxxxx
endpoint = http://minio-server
```

SFTP

For public key authentication, if key_file is not specified, access is attempted through ssh_agent ...

December 9, 2021 · Byung Kyu KIM

Restic Basic

A modern backup program that provides snapshots

restic

- https://restic.net/
- A backup program written in Go, with cross-platform support

- from Linux, BSD, Mac and Windows
- to many different storage types, including self-hosted and online services
- easily, being a single executable that you can run without a server or complex setup
- effectively, only transferring the parts that actually changed in the files you back up
- securely, by careful use of cryptography in every part of the process
- verifiably, enabling you to make sure that your files can be restored when needed
- freely - restic is entirely free to use and completely open source

Install

- Available as a package or as a binary
- Package : https://restic.readthedocs.io/en/stable/020_installation.html
- Binary : https://github.com/restic/restic/releases/tag/v0.12.1

```bash
$ curl -LO https://github.com/restic/restic/releases/download/v0.12.1/restic_0.12.1_linux_amd64.bz2

# install bzip2
$ sudo yum install bzip2 -y

$ bunzip2 restic_0.12.1_linux_amd64.bz2
$ mv restic_0.12.1_linux_amd64 restic
$ sudo mv restic /usr/local/bin

$ restic

restic is a backup program which allows saving multiple revisions of files and
directories in an encrypted repository stored on different backends.

Usage:
  restic [command]

Available Commands:
  backup        Create a new backup of files and/or directories
  cache         Operate on local cache directories
  cat           Print internal objects to stdout
  check         Check the repository for errors
  copy          Copy snapshots from one repository to another
  diff          Show differences between two snapshots
  dump          Print a backed-up file to stdout
  find          Find a file, a directory or restic IDs
  forget        Remove snapshots from the repository
  generate      Generate manual pages and auto-completion files (bash, fish, zsh)
  help          Help about any command
  init          Initialize a new repository
  key           Manage keys (passwords)
  list          List objects in the repository
  ls            List files in a snapshot
  migrate       Apply migrations
  mount         Mount the repository
  prune         Remove unneeded data from the repository
  rebuild-index Build a new index
  recover       Recover data from the repository
  restore       Extract the data from a snapshot
  self-update   Update the restic binary
  snapshots     List all snapshots
  stats         Scan the repository and show basic statistics
  tag           Modify tags on snapshots
  unlock        Remove locks other processes created
  version       Print version information
....
```

Backup & Restore

Creating a backup repository

```bash
# a password is required to access the repository; 1111 for now
# -r, --repo repository     repository to backup to or restore from (default: $RESTIC_REPOSITORY)
$ restic init -r repo
enter password for new repository:
enter password again:
created restic repository 7f3cfb3e9a at repo

Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.

# create a password file, passed with the -p option
$ echo 1111 > passwd
```

Backup : creating snapshots

```bash
# Backup
# restic -r <repository> -p <passwd file> backup <Source>
# -p, --password-file file     file to read the repository password from (default: $RESTIC_PASSWORD_FILE)
$ restic -r repo -p passwd backup /home/cdecl/temp/mvcapp
repository e4ccc49d opened successfully, password is correct
no parent snapshot found, will read all files

Files:          79 new,     0 changed,     0 unmodified
Dirs:           40 new,     0 changed,     0 unmodified
Added to the repo: 4.854 MiB

processed 79 files, 4.811 MiB in 0:00
snapshot 9aff8447 saved

# create a file and back up again
$ touch /home/cdecl/temp/mvcapp/test.txt

$ restic -r repo -p passwd backup /home/cdecl/temp/mvcapp
repository e4ccc49d opened successfully, password is correct
using parent snapshot 9aff8447

Files:           1 new,     0 changed,    79 unmodified
Dirs:            0 new,     4 changed,    36 unmodified
Added to the repo: 7.742 KiB

processed 80 files, 4.811 MiB in 0:00
snapshot f4b94d9b saved
```

Checking snapshots

```bash
# confirm that there are 2 snapshots
$ restic -r repo -p passwd snapshots
repository e4ccc49d opened successfully, password is correct
ID        Time                 Host        Tags        Paths
------------------------------------------------------------------------------
9aff8447  2021-11-25 15:17:52  centos1                 /home/cdecl/temp/mvcapp
f4b94d9b  2021-11-25 15:22:24  centos1                 /home/cdecl/temp/mvcapp
------------------------------------------------------------------------------
2 snapshots
```

Comparing snapshots

```bash
$ restic -r repo -p passwd diff 9aff8447 f4b94d9b
repository e4ccc49d opened successfully, password is correct
comparing snapshot 9aff8447 to f4b94d9b:

+    /home/cdecl/temp/mvcapp/test.txt

Files:           1 new,     0 removed,     0 changed
Dirs:            0 new,     0 removed
Others:          0 new,     0 removed
Data Blobs:      0 new,     0 removed
Tree Blobs:      5 new,     5 removed
  Added:   7.742 KiB
  Removed: 7.456 KiB
```

Restore : restoring from snapshots

```bash
# restic -r <repository> -p <passwd file> restore <snapshots id> -t <Target>
$ restic -r repo -p passwd restore 9aff8447 -t restore-mvcapp
repository e4ccc49d opened successfully, password is correct
restoring <Snapshot 9aff8447 of [/home/cdecl/temp/mvcapp] at 2021-11-25 15:17:52.115925352 +0900 KST by cdecl@centos1> to restore-mvcapp
```

MinIO & RClone

Backend support

- https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html
- Supports Local, SFTP, REST Server, Amazon S3, Minio Server, Microsoft Azure Blob Storage, Google Cloud Storage, Other Services via rclone, and others

Creating a MinIO repository

```bash
$ export AWS_ACCESS_KEY_ID=key
$ export AWS_SECRET_ACCESS_KEY=passwd

$ restic init -r s3:http://minio.server:9000/restic
enter password for new repository:
enter password again:
created restic repository 65a27250da at s3:http://minio.server:9000/restic

Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.

# Backup
$ restic -r s3:http://minio.server:9000/restic -p passwd backup /home/cdecl/temp/mvcapp

# snapshots
$ restic -r s3:http://minio.server:9000/restic -p passwd snapshots
repository 65a27250 opened successfully, password is correct
ID        Time                 Host        Tags        Paths
------------------------------------------------------------------------------
73d37fbd  2021-11-25 15:37:34  centos1                 /home/cdecl/temp/mvcapp
------------------------------------------------------------------------------
1 snapshots
```

Using RClone as the backend

```bash
$ rclone config show
[infradb]
type = s3
env_auth = false
access_key_id = key
secret_access_key = passwd
region = us-east-1
endpoint = http://minio.server:9000

# create a repository using the rclone config
$ restic init -r rclone:infradb:restic
enter password for new repository:
enter password again:
created restic repository ce850667c9 at rclone:infradb:restic

Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.

# Backup
$ restic -r rclone:infradb:restic -p passwd backup /home/cdecl/temp/mvcapp

# snapshots
$ restic -r rclone:infradb:restic -p passwd snapshots
```

Managing snapshots

- https://restic.readthedocs.io/en/stable/060_forget.html

```bash
$ restic -r rclone:infradb:restic -p passwd snapshots
repository ce850667 opened successfully, password is correct
ID        Time                 Host        Tags        Paths
------------------------------------------------------------------------------
a3737738  2021-11-25 15:44:05  centos1                 /home/cdecl/temp/mvcapp
00f16d70  2021-11-25 15:44:50  centos1                 /home/cdecl/temp/mvcapp
0e83568a  2021-11-25 15:44:51  centos1                 /home/cdecl/temp/mvcapp
4041e3ca  2021-11-25 15:44:53  centos1                 /home/cdecl/temp/mvcapp
eb1e56c7  2021-11-25 15:44:54  centos1                 /home/cdecl/temp/mvcapp
d81b3d2a  2021-11-25 15:44:55  centos1                 /home/cdecl/temp/mvcapp
------------------------------------------------------------------------------
6 snapshots

# delete 1 snapshot
$ restic -r rclone:infradb:restic -p passwd forget d81b3d2a
repository ce850667 opened successfully, password is correct
[0:00] 100.00%  1 / 1 files deleted

# the data referenced by the files in the snapshot is still stored in the repository
# run the prune command to clean up unreferenced data
$ restic -r rclone:infradb:restic -p passwd prune
repository ce850667 opened successfully, password is correct
loading indexes...
loading all snapshots...
finding data that is still in use for 5 snapshots
[0:00] 100.00%  5 / 5 snapshots
searching used packs...
collecting packs for deletion and repacking
[0:00] 100.00%  9 / 9 packs processed

to repack:            0 blobs / 0 B
this removes          0 blobs / 0 B
to delete:            2 blobs / 1004 B
total prune:          2 blobs / 1004 B
remaining:          125 blobs / 4.862 MiB
unused size after prune: 0 B (0.00% of remaining size)

rebuilding index
[0:00] 100.00%  8 / 8 packs processed
deleting obsolete index files
[0:00] 100.00%  6 / 6 files deleted
removing 1 old packs
[0:00] 100.00%  1 / 1 files deleted
done

# keep only the most recent snapshot, delete the rest, and prune
$ restic -r rclone:infradb:restic -p passwd forget --keep-last 1 --prune
repository ce850667 opened successfully, password is correct
Applying Policy: keep 1 latest snapshots
keep 1 snapshots:
ID        Time                 Host        Tags        Reasons        Paths
---------------------------------------------------------------------------------------------
eb1e56c7  2021-11-25 15:44:54  centos1                 last snapshot  /home/cdecl/temp/mvcapp
---------------------------------------------------------------------------------------------
1 snapshots

remove 4 snapshots:
ID        Time                 Host        Tags        Paths
------------------------------------------------------------------------------
a3737738  2021-11-25 15:44:05  centos1                 /home/cdecl/temp/mvcapp
00f16d70  2021-11-25 15:44:50  centos1                 /home/cdecl/temp/mvcapp
0e83568a  2021-11-25 15:44:51  centos1                 /home/cdecl/temp/mvcapp
4041e3ca  2021-11-25 15:44:53  centos1                 /home/cdecl/temp/mvcapp
------------------------------------------------------------------------------
4 snapshots

[0:00] 100.00%  4 / 4 files deleted
4 snapshots have been removed, running prune
loading indexes...
loading all snapshots...
finding data that is still in use for 1 snapshots
[0:00] 100.00%  1 / 1 snapshots
searching used packs...
collecting packs for deletion and repacking
[0:00] 100.00%  8 / 8 packs processed

to repack:           39 blobs / 47.305 KiB
this removes          2 blobs / 1007 B
to delete:            6 blobs / 2.950 KiB
total prune:          8 blobs / 3.934 KiB
remaining:          117 blobs / 4.858 MiB
unused size after prune: 0 B (0.00% of remaining size)

repacking packs
[0:00] 100.00%  2 / 2 packs repacked
rebuilding index
[0:00] 100.00%  5 / 5 packs processed
deleting obsolete index files
[0:00] 100.00%  1 / 1 files deleted
removing 5 old packs
[0:00] 100.00%  5 / 5 files deleted
done

# check the snapshots
$ restic -r rclone:infradb:restic -p passwd snapshots
repository ce850667 opened successfully, password is correct
ID        Time                 Host        Tags        Paths
------------------------------------------------------------------------------
eb1e56c7  2021-11-25 15:44:54  centos1                 /home/cdecl/temp/mvcapp
------------------------------------------------------------------------------
1 snapshots
```

Main forget arguments

- --keep-last n : never delete the n last (most recent) snapshots
- --keep-hourly n : for the last n hours in which a snapshot was made, keep only the last snapshot for each hour.
- --keep-daily n : for the last n days which have one or more snapshots, only keep the last one for that day.
- --keep-weekly n : for the last n weeks which have one or more snapshots, only keep the last one for that week.
- --keep-monthly n : for the last n months which have one or more snapshots, only keep the last one for that month.
- --keep-yearly n : for the last n years which have one or more snapshots, only keep the last one for that year.
- --keep-tag : keep all snapshots which have all tags specified by this option (can be specified multiple times).
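The retention rules listed above decide which snapshots `forget --prune` destroys, so it helps to work out the keep/remove sets offline first. The following is an added example, not code from the original post or from restic: it re-implements `--keep-last` and the time-bucket rules as this page words them, over the page's snapshot list plus two constructed older snapshots; `plan_forget`, `bucket_key` and their parameters are hypothetical names.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# (id, time) pairs copied from the page's `restic snapshots` output,
# as listed after d81b3d2a had been forgotten.
PAGE_SNAPSHOTS = [
    ("a3737738", "2021-11-25 15:44:05"),
    ("00f16d70", "2021-11-25 15:44:50"),
    ("0e83568a", "2021-11-25 15:44:51"),
    ("4041e3ca", "2021-11-25 15:44:53"),
    ("eb1e56c7", "2021-11-25 15:44:54"),
]

# Constructed sample entries (not from the page) so that more than one
# calendar day is present and the daily rule has something to choose from.
CONSTRUCTED_OLDER = [
    ("c0ffee01", "2021-11-23 02:00:00"),
    ("c0ffee02", "2021-11-24 02:00:00"),
]

# strftime patterns that place a timestamp into its hour/day/month/year bucket.
BUCKET_FORMATS = {
    "hourly": "%Y-%m-%d %H",
    "daily": "%Y-%m-%d",
    "monthly": "%Y-%m",
    "yearly": "%Y",
}


def bucket_key(kind, ts):
    """Return the bucket a timestamp falls into for one keep rule."""
    if kind == "weekly":
        iso_year, iso_week, _ = ts.isocalendar()
        return (iso_year, iso_week)
    if kind not in BUCKET_FORMATS:
        raise ValueError(f"unknown rule: {kind}")
    return ts.strftime(BUCKET_FORMATS[kind])


def plan_forget(snapshots, keep_last=0, **keep_buckets):
    """Return (reasons, removed) for a retention policy.

    reasons maps each kept snapshot id to the rules that kept it;
    removed lists the ids that would be deleted, newest first.
    Example: plan_forget(snaps, keep_last=1, daily=7)
    """
    # Design choice of this example: refuse a policy that keeps nothing.
    if keep_last <= 0 and not any(n > 0 for n in keep_buckets.values()):
        raise ValueError("empty policy: nothing would be kept")

    ordered = sorted(
        ((datetime.strptime(when, FMT), sid) for sid, when in snapshots),
        reverse=True,  # newest first
    )
    reasons = {}

    # --keep-last n: the n most recent snapshots are never deleted.
    for _, sid in ordered[:max(keep_last, 0)]:
        reasons.setdefault(sid, []).append("last snapshot")

    # --keep-<period> n: walking newest to oldest, the first snapshot seen in
    # each new bucket is the last one made in that period; stop after n buckets.
    for kind, n in keep_buckets.items():
        seen = set()
        for ts, sid in ordered:
            key = bucket_key(kind, ts)
            if key in seen:
                continue
            if len(seen) >= n:
                break
            seen.add(key)
            reasons.setdefault(sid, []).append(f"{kind} snapshot")

    removed = [sid for _, sid in ordered if sid not in reasons]
    return reasons, removed


if __name__ == "__main__":
    kept, removed = plan_forget(
        PAGE_SNAPSHOTS + CONSTRUCTED_OLDER, keep_last=2, daily=2
    )
    for sid, why in kept.items():
        print("keep  ", sid, ", ".join(why))
    for sid in removed:
        print("remove", sid)
```

With `keep_last=1` on the page's five snapshots the plan keeps eb1e56c7 and removes the other four, matching the `forget --keep-last 1` output shown above.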

November 25, 2021 · Byung Kyu KIM

HAProxy Basic

Optimized software that provides network L4/L7 reverse proxy, load balancing, and HA features

HAProxy Basic

As it is the official blog, the detailed explanation is replaced with links to its well-organized posts

Basic Configuration

- https://www.haproxy.com/blog/haproxy-configuration-basics-load-balance-your-servers/
- Explains the minimal configuration and the basic items

Installation and setup

- centos 7

```bash
# install
$ sudo yum install haproxy

# start
$ sudo systemctl start haproxy

# status
$ sudo systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor preset: disabled)
   Active: active (running) since 화 2021-11-23 13:55:48 KST; 5s ago
 Main PID: 227598 (haproxy-systemd)
    Tasks: 3
   Memory: 1.9M
   CGroup: /system.slice/haproxy.service
           ├─227598 /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
           ├─227599 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
           └─227600 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
...
```

Check the version, supported modules, and supported polling systems

- epoll is used

```bash
$ haproxy -vv
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300, test result OK
       poll : pref=200, test result OK
     select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
```

Basic configuration : /etc/haproxy/haproxy.cfg

- global : global settings
- defaults : default settings
- frontend : connection information from the client; listens on port 5000
- backend : forwards requests to the servers that handle them; forwards to 3 servers
- listen : a section that combines frontend + backend in one place; configures the Stats Monitoring UI

```
global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

listen stats
    bind :8404
    stats enable
    stats uri /monitor
    stats refresh 5s

frontend front_main
    bind :5000
    option forwardfor
    default_backend app

backend app
    balance roundrobin
    server app1 192.168.28.15:30010 check
    server app2 192.168.28.16:30010 check
    server app3 192.168.28.17:30010 check
```

SSL interface

- https://serverfault.com/questions/738045/haproxy-to-terminate-ssl-also-send-ssl-to-backend-server

Frontend SSL bind

```
...
frontend front_main
    bind :5443 ssl crt /cert/path/domain_keypem.pem
    option forwardfor
    default_backend app
...
```

Backend SSL call

```
...
backend app
    balance roundrobin
    mode http
    server app1 192.168.28.15:30443 ssl verify none
    server app2 192.168.28.16:30443 ssl verify none
...
```

Four Essential Sections

- https://www.haproxy.com/blog/the-four-essential-sections-of-an-haproxy-configuration/
- Explains the structure of the 4 basic sections

```
global
    # global settings here

defaults
    # defaults here

frontend
    # a frontend that accepts requests from clients

backend
    # servers that fulfill the requests
```

Other

- SSL configuration : https://www.haproxy.com/blog/haproxy-ssl-termination/
- Statistics Web UI : https://www.haproxy.com/blog/exploring-the-haproxy-stats-page/ ...

November 22, 2021 · Byung Kyu KIM

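localhost.run and ngrok - Tools for Exposing Local Services Externally

An introduction to tools that make a local (localhost) service reachable from outside through tunneling. They are useful when a service running locally has to be made public temporarily during development. (Because of security and stability concerns, using them in a real production environment is not recommended.)

Main use cases:

- Testing webhooks from external APIs
- Demoing a feature under development to a client
- Accessing the local development server from a mobile device
- Sharing the local development environment when collaborating

localhost.run

- https://localhost.run/
- Exposes a local service externally using SSH reverse tunneling
- No separate program needs to be installed; an SSH client is all that is required
- Free to use, with custom domain support

Running a test service

The example below runs a simple web application container for testing. ...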

November 10, 2021 · Byung Kyu KIM

Creating and Deploying a Helm Chart

Create a chart with helm, the Kubernetes package manager tool, and deploy it to Kubernetes

- Tested in a K3S environment

Helm

- https://helm.sh/
- A package manager tool for Kubernetes deployments (e.g. yum, choco)
- Packages and manages Kubernetes installs through charts, which are yaml-based template files
- Generates and installs the manifests of Kubernetes services such as Deployment, Service, and Ingress
- Packages can be registered, and other packages installed, through a Helm Repository

Helm Install

- Install the binary directly or use the install script
- Can also be installed through packages such as Homebrew and Chocolatey

Binary download

- https://github.com/helm/helm/releases

```bash
$ curl -LO https://get.helm.sh/helm-v3.7.1-linux-amd64.tar.gz
$ tar -zxvf helm-v3.7.1-linux-amd64.tar.gz

$ tree linux-amd64
linux-amd64
├── LICENSE
├── README.md
└── helm

$ sudo cp linux-amd64/helm /usr/local/bin/
```

Using the install script

```bash
$ chmod 700 get_helm.sh
$ ./get_helm.sh
```

Creating Your Own Charts

- Create and set up a chart for installing to kubernetes
- https://helm.sh/docs/helm/helm_create/

```bash
# create the chart
$ helm create mvcapp
Creating mvcapp
```

Chart directory structure

- Chart.yaml : the file that describes the chart version, image version, description, and so on
- values.yaml : the file that sets the base values used by the manifest template files
- templates/ : kubernetes manifest template files
- charts/ : chart dependency files

```bash
$ tree mvcapp
mvcapp
├── Chart.yaml
├── charts
├── templates
│   ├── NOTES.txt
│   ├── _helpers.tpl
│   ├── deployment.yaml
│   ├── hpa.yaml
│   ├── ingress.yaml
│   ├── service.yaml
│   ├── serviceaccount.yaml
│   └── tests
│       └── test-connection.yaml
└── values.yaml
```

Editing Chart.yaml

- version : the chart version
- appVersion : the version of the image being deployed

```yaml
apiVersion: v2
name: mvcapp
description: .net core test mvc application

# ... omitted
type: application

# ... omitted
version: 0.1.0

# ... omitted
appVersion: "0.6"
# appVersion: "1.16.0"
```

Editing values.yaml

- replicaCount : number of Pod replicas, changed to 2
- image.repository : docker image name, changed to cdecl/mvcapp
- service.type : changed to NodePort for testing on-premise
- service.nodePort : newly added in order to apply a nodePort

```yaml
# Default values for mvcapp.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 2

image:
  repository: cdecl/mvcapp
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  tag: ""

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

# ... omitted

service:
  type: NodePort  # ClusterIP
  port: 80
  nodePort: 30010

ingress:
# ... omitted

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

# ... omitted
```

Editing templates/service.yaml

- Edit the template in order to apply the nodePort
- Add spec.ports.nodePort: {{ .Values.service.nodePort }}

```yaml
apiVersion: v1
kind: Service
metadata:
  name: {{ include "mvcapp.fullname" . }}
  labels:
    {{- include "mvcapp.labels" . | nindent 4 }}
spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: http
      protocol: TCP
      name: http
      nodePort: {{ .Values.service.nodePort }}
  selector:
    {{- include "mvcapp.selectorLabels" . | nindent 4 }}
```

helm lint : checking the chart files

- https://helm.sh/docs/helm/helm_lint/

```bash
$ helm lint mvcapp
==> Linting mvcapp
[INFO] Chart.yaml: icon is recommended

1 chart(s) linted, 0 chart(s) failed
```

helm template : generating the kubernetes manifests

- https://helm.sh/docs/helm/helm_template/
- Generates the manifests based on the values set in values.yaml

```bash
$ helm template mvcapp
---
# Source: mvcapp/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: RELEASE-NAME-mvcapp
  labels:
    helm.sh/chart: mvcapp-0.1.0
    app.kubernetes.io/name: mvcapp
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/version: "0.6"
    app.kubernetes.io/managed-by: Helm
---
# Source: mvcapp/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: RELEASE-NAME-mvcapp
  labels:
    helm.sh/chart: mvcapp-0.1.0
    app.kubernetes.io/name: mvcapp
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/version: "0.6"
    app.kubernetes.io/managed-by: Helm
spec:
  type: NodePort
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: mvcapp
    app.kubernetes.io/instance: RELEASE-NAME
---
# Source: mvcapp/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: RELEASE-NAME-mvcapp
  labels:
    helm.sh/chart: mvcapp-0.1.0
    app.kubernetes.io/name: mvcapp
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/version: "0.6"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: mvcapp
      app.kubernetes.io/instance: RELEASE-NAME
  template:
    metadata:
      labels:
        app.kubernetes.io/name: mvcapp
        app.kubernetes.io/instance: RELEASE-NAME
    spec:
      serviceAccountName: RELEASE-NAME-mvcapp
      securityContext:
        {}
      containers:
        - name: mvcapp
          securityContext:
            {}
          image: "cdecl/mvcapp:0.6"
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: http
          readinessProbe:
            httpGet:
              path: /
              port: http
          resources:
            {}
---
# Source: mvcapp/templates/tests/test-connection.yaml
apiVersion: v1
kind: Pod
metadata:
  name: "RELEASE-NAME-mvcapp-test-connection"
  labels:
    helm.sh/chart: mvcapp-0.1.0
    app.kubernetes.io/name: mvcapp
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/version: "0.6"
    app.kubernetes.io/managed-by: Helm
  annotations:
    "helm.sh/hook": test
spec:
  containers:
    - name: wget
      image: busybox
      command: ['wget']
      args: ['RELEASE-NAME-mvcapp:80']
  restartPolicy: Never
```

helm install : installing a kubernetes service from the chart

- https://helm.sh/docs/helm/helm_install/
- install : helm install [NAME] [CHART] [flags]

```bash
# test without actually installing
$ helm install mvcapp-svc mvcapp --dry-run

# install from the local chart
$ helm install mvcapp-svc mvcapp
NAME: mvcapp-svc
LAST DEPLOYED: Thu Nov 4 13:29:38 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
NOTES:
1. Get the application URL by running these commands:
  export NODE_PORT=$(kubectl get --namespace default -o jsonpath="{.spec.ports[0].nodePort}" services mvcapp-svc)
  export NODE_IP=$(kubectl get nodes --namespace default -o jsonpath="{.items[0].status.addresses[0].address}")
  echo http://$NODE_IP:$NODE_PORT

$ kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.43.0.1       <none>        443/TCP        78d
mvcapp-svc   NodePort    10.43.202.254   <none>        80:31503/TCP   29s

$ kubectl get pod
NAME                          READY   STATUS    RESTARTS   AGE
mvcapp-svc-78ff4d97f9-hd9rf   1/1     Running   0          37s
mvcapp-svc-78ff4d97f9-x4984   1/1     Running   0          37s
```

K3S

Set export KUBECONFIG=/etc/rancher/k3s/k3s.yaml ...

November 3, 2021 · Byung Kyu KIM