Group items tagged

contexts can be layered within one another

The children contexts can override these values at will

Nginx will error out on reading a configuration file with directives that are declared in the wrong context.

The most general context is the "main" or "global" context

Any directive that exist entirely outside of these blocks is said to inhabit the "main" context

The main context represents the broadest environment for Nginx configuration.

The "events" context is contained within the "main" context. It is used to set global options that affect how Nginx handles connections at a general level.

Nginx uses an event-based connection processing model, so the directives defined within this context determine how worker processes should handle connections.

the connection processing method is automatically selected based on the most efficient choice that the platform has available

a worker will only take a single connection at a time

When configuring Nginx as a web server or reverse proxy, the "http" context will hold the majority of the configuration.

fine-tune the TCP keep alive settings (keepalive_disable, keepalive_requests, and keepalive_timeout)

multiple declarations

each instance defines a specific virtual server to handle client requests

Each client request will be handled according to the configuration defined in a single server context, so Nginx must decide which server context is most appropriate based on details of the request.

listen: The ip address / port combination that this server block is designed to respond to.

server_name: This directive is the other component used to select a server block for processing.

configure files to try to respond to requests (try_files)

issue redirects and rewrites (return and rewrite)

set arbitrary variables (set)

Location contexts share many relational qualities with server contexts

multiple location contexts can be defined, each location is used to handle a certain type of client request, and each location is selected by virtue of matching the location definition against the client request through a selection algorithm

Location blocks live within server contexts and, unlike server blocks, can be nested inside one another.

The request URI is the portion of the request that comes after the domain name or IP address/port combination.

New directives at this level allow you to reach locations outside of the document root (alias), mark the location as only internally accessible (internal), and proxy to other servers or locations (using http, fastcgi, scgi, and uwsgi proxying).

These can then be used to do A/B testing by providing different content to different hosts.

configures Perl handlers for the location they appear in

set the value of a variable depending on the value of another variable

used to map MIME types to the file extensions that should be associated with them.

this context defines a named pool of servers that Nginx can then proxy requests to

The upstream context can then be referenced by name within server or location blocks to pass requests of a certain type to the pool of servers that have been defined.

function as a high performance mail proxy server

The mail context is defined within the "main" or "global" context (outside of the http context).

Nginx has the ability to redirect authentication requests to an external authentication server

the if directive in Nginx will execute the instructions contained if a given test returns "true".

The limit_except context is used to restrict the use of certain HTTP methods within a location context.

The result of the above example is that any client can use the GET and HEAD verbs, but only clients coming from the 192.168.1.1/24 subnet are allowed to use other methods.

Many directives are valid in more than one context

Declaring at higher levels provides you with a sane default

Nginx already engages in a well-documented selection algorithm for things like selecting server blocks and location blocks.

incorrect requests can get by with a redirect rather than a rewrite, which should execute with lower overhead.

ACLs allows flexible network traffic forwarding based on a variety of factors like pattern-matching and the number of connections to a backend

A backend is a set of servers that receives forwarded requests

adding more servers to your backend will increase your potential load capacity by spreading the load over multiple servers

mode http specifies that layer 7 proxying will be used

specifies the load balancing algorithm

health checks

A frontend defines how requests should be forwarded to backends

use_backend rules, which define which backends to use depending on which ACL conditions are matched, and/or a default_backend rule that handles every other case

A frontend can be configured to various types of network traffic

Load balancing this way will forward user traffic based on IP range and port

Generally, all of the servers in the web-backend should be serving identical content--otherwise the user might receive inconsistent content.

Using layer 7 allows the load balancer to forward requests to different backend servers based on the content of the user's request.

allows you to run multiple web application servers under the same domain and port

acl url_blog path_beg /blog matches a request if the path of the user's request begins with /blog.

Round Robin selects servers in turns

Selects the server with the least number of connections--it is recommended for longer sessions

This selects which server to use based on a hash of the source IP

ensure that a user will connect to the same server

require that a user continues to connect to the same backend server. This persistence is achieved through sticky sessions, using the appsession parameter in the backend that requires it.

HAProxy uses health checks to determine if a backend server is available to process requests.

The default health check is to try to establish a TCP connection to the server

If a server fails a health check, and therefore is unable to serve requests, it is automatically disabled in the backend

However, your load balancer is a single point of failure in these setups; if it goes down or gets overwhelmed with requests, it can cause high latency or downtime for your service.

A high availability (HA) setup is an infrastructure without a single point of failure

a static IP address that can be remapped from one server to another.

If that load balancer fails, your failover mechanism will detect it and automatically reassign the IP address to one of the passive servers.

Vegeta was designed to be run on the command line; it reads from stdin a list of HTTP transactions to generate, and sends results in binary format to stdout,

Vegeta is a really strong tool that caters to people who want a tool to test simple, static URLs (perhaps API end points) but also want a bit more functionality.

Vegeta can even be used as a Golang library/package if you want to create your own load testing tool.

Wrk is so damn fast

being fast and measuring correctly is about all that Wrk does

k6 is scriptable in plain Javascript

k6 is average or better. In some categories (documentation, scripting API, command line UX) it is outstanding.

Jmeter is a huge beast compared to most other tools.

Siege is a simple tool, similar to e.g. Apachebench in that it has no scripting and is primarily used when you want to hit a single, static URL repeatedly.

A good way of testing the testing tools is to not test them on your code, but on some third-party thing that is sure to be very high-performing.

use a tool like e.g. top to keep track of Nginx CPU usage while testing. If you see just one process, and see it using close to 100% CPU, it means you could be CPU-bound on the target side.

If you see multiple Nginx processes but only one is using a lot of CPU, it means your load testing tool is only talking to that particular worker process.

Network delay is also important to take into account as it sets an upper limit on the number of requests per second you can push through.

If, say, the Nginx default page requires a transfer of 250 bytes to load, it means that if the servers are connected via a 100 Mbit/s link, the theoretical max RPS rate would be around 100,000,000 divided by 8 (bits per byte) divided by 250 => 100M/2000 = 50,000 RPS. Though that is a very optimistic calculation - protocol overhead will make the actual number a lot lower so in the case above I would start to get worried bandwidth was an issue if I saw I could push through max 30,000 RPS, or something like that.

Wrk managed to push through over 50,000 RPS and that made 8 Nginx workers on the target system consume about 600% CPU.

MetalLB lets you define as many address pools as you want, and doesn’t care what “kind” of addresses you give it.

Once MetalLB has assigned an external IP address to a service, it needs to make the network beyond the cluster aware that the IP “lives” in the cluster.

In layer 2 mode, one machine in the cluster takes ownership of the service, and uses standard address discovery protocols (ARP for IPv4, NDP for IPv6) to make those IPs reachable on the local network

In BGP mode, all machines in the cluster establish BGP peering sessions with nearby routers that you control, and tell those routers how to forward traffic to the service IPs.

a human-edited configuration file in the Terraform language native syntax could be partially overridden using a programmatically-generated file in JSON syntax.

Terraform initially skips these override files when loading configuration, and then afterwards processes each one in turn (in lexicographical order).

Over-use of override files hurts readability, since a reader looking only at the original files cannot easily see that some portions of those files have been overridden without consulting all of the override files that are present.

A top-level block in an override file merges with a block in a normal configuration file that has the same block header.

Within a top-level block, an attribute argument within an override block replaces any argument of the same name in the original block.

Within a top-level block, any nested blocks within an override block replace all blocks of the same type in the original block.

The contents of nested configuration blocks are not merged.

If more than one override file defines the same top-level block, the overriding effect is compounded, with later blocks taking precedence over earlier blocks

The settings within terraform blocks are considered individually when merging.

If the required_providers argument is set, its value is merged on an element-by-element basis, which allows an override block to adjust the constraint for a single provider without affecting the constraints for other providers.

A controller tracks at least one Kubernetes resource type.

The controller(s) for that resource are responsible for making the current state come closer to that desired state.

in Kubernetes, a controller will send messages to the API server that have useful side effects.

Built-in controllers manage state by interacting with the cluster API server.

By contrast with Job, some controllers need to make changes to things outside of your cluster.

As long as the controllers for your cluster are running and able to make useful changes, it doesn't matter if the overall state is stable or not.

Kubernetes uses lots of controllers that each manage a particular aspect of cluster state.

a particular control loop (controller) uses one kind of resource as its desired state, and has a different kind of resource that it manages to make that desired state happen.

There can be several controllers that create or update the same kind of object.

Docker is developed in the Go language and utilizes LXC, cgroups, and the Linux kernel itself. Since it’s based on LXC, a Docker container does not include a separate operating system; instead it relies on the operating system’s own functionality as provided by the underlying infrastructure.

a VE there is no preloaded emulation manager software as in a VM.

LXC will boast bare metal performance characteristics because it only packages the needed applications.

a VM, which packages the entire OS and machine setup, including hard drive, virtual processors and network interfaces. The resulting bloated mass usually takes a long time to boot and consumes a lot of CPU and RAM.

don’t offer some other neat features of VM’s such as IaaS setups and live migration.

LXC as supercharged chroot on Linux. It allows you to not only isolate applications, but even the entire OS.

Libvirt, which allows the use of containers through the LXC driver by connecting to 'lxc:///'.

'LXC', is not compatible with libvirt, but is more flexible with more userspace tools.

Portable deployment across machines

Versioning: Docker includes git-like capabilities for tracking successive versions of a container

Component reuse: Docker allows building or stacking of already created packages.

Shared libraries: There is already a public registry (http://index.docker.io/ ) where thousands have already uploaded the useful containers they have created.

Docker taking the devops world by storm since its launch back in 2013.

LXC, while older, has not been as popular with developers as Docker has proven to be

LXC having a focus on sys admins that’s similar to what solutions like the Solaris operating system, with its Solaris Zones, Linux OpenVZ, and FreeBSD, with its BSD Jails virtualization system

it started out being built on top of LXC, Docker later moved beyond LXC containers to its own execution environment called libcontainer.

LXC tooling sticks close to what system administrators running bare metal servers are used to

The LXC command line provides essential commands that cover routine management tasks, including the creation, launch, and deletion of LXC containers.

Docker containers aim to be even lighter weight in order to support the fast, highly scalable, deployment of applications with microservice architecture.

With backing from Canonical, LXC and LXD have an ecosystem tightly bound to the rest of the open source Linux community.

Docker Swarm

Docker Trusted Registry

Docker Compose

Docker Machine

Kubernetes facilitates the deployment of containers in your data center by representing a cluster of servers as a single system.

Swarm is Docker’s clustering, scheduling and orchestration tool for managing a cluster of Docker hosts. 

rkt is a security minded container engine that uses KVM for VM-based isolation and packs other enhanced security features. 

Apache Mesos can run different kinds of distributed jobs, including containers. 

Elastic Container Service is Amazon’s service for running and orchestrating containerized applications on AWS

LXC offers the advantages of a VE on Linux, mainly the ability to isolate your own private workloads from one another. It is a cheaper and faster solution to implement than a VM, but doing so requires a bit of extra learning and expertise.

In full backups, two types of operations are performed to make the database consistent: committed transactions are replayed from the log file against the data files, and uncommitted transactions are rolled back.

You should use the --apply-log-only option to prevent the rollback phase.

An incremental backup copies each page whose LSN is newer than the previous incremental or full backup’s LSN.

Incremental backups do not actually compare the data files to the previous backup’s data files.

Incremental backups simply read the pages and compare their LSN to the last backup’s LSN.

The xtrabackup binary writes a file called xtrabackup_checkpoints into the backup’s target directory. This file contains a line showing the to_lsn, which is the database’s LSN at the end of the backup.

from_lsn is the starting LSN of the backup and for incremental it has to be the same as to_lsn (if it is the last checkpoint) of the previous/base backup.

If you do not use the --apply-log-only option to prevent the rollback phase, then your incremental backups will be useless.

If you restore it and start MySQL, InnoDB will detect that the rollback phase was not performed, and it will do that in the background, as it usually does for a crash recovery upon start.

xtrabackup --prepare --apply-log-only --target-dir=/data/backups/base \ --incremental-dir=/data/backups/inc1

The final data is in /data/backups/base, not in the incremental directory.

xtrabackup --prepare --target-dir=/data/backups/base \ --incremental-dir=/data/backups/inc2

Even if the --apply-log-only was used on the last step, backup would still be consistent but in that case server would perform the rollback phase.

This uses /bin/bash as PID1 and runs your program as the subprocess.

By using the exec form, we can run our program as PID1

if you use exec form to run a shell script to spawn your application, remember to use exec syscall to overwrite /usr/bin/bash otherwise it will act as senario1

/bin/bash can handle repeating zombie process

with Tini, SIGTERM properly terminates your process even if you didn’t explicitly install a signal handler for it.

run tini as PID1 and it will forward the signal for subprocesses.

tini is a signal proxy and it also can deal with zombie process issue automatically.

run your program with tini by passing --init flag to docker run

use docker stop, docker will wait for 10s for stopping container before killing a process (by default). The main process inside the container will receive SIGTERM, then docker daemon will wait for 10s and send SIGKILL to terminate process.

kill running containers immediately. it’s more like kill -9 and kill --SIGKILL

Trunk-based development is a more open model since all developers have access to the main code. This enables teams to iterate quickly and implement CI/CD.

Developers can create short-lived branches with a few small commits compared to other long-lived feature branching strategies.

Gitflow is an alternative Git branching model that uses long-lived feature branches and multiple primary branches.

Gitflow also has separate primary branch lines for development, hotfixes, features, and releases.

Trunk-based development is far more simplified since it focuses on the main branch as the source of fixes and releases.

Trunk-based development eases the friction of code integration.

trunk-based development model reduces these conflicts.

Adding an automated test suite and code coverage monitoring for this stream of commits enables continuous integration.

With continuous integration, developers perform trunk-based development in conjunction with automated tests that run after each committee to a trunk.

Instead of creating a feature branch and waiting to build out the complete specification, developers can instead create a trunk commit that introduces the feature flag and pushes new trunk commits that build out the feature specification within the flag.

Short running unit and integration tests are executed during development and upon code merge.

Automated tests provide a layer of preemptive code review.

A repository with a large amount of active branches has some unfortunate side effects

Merge branches to the trunk at least once a day

The “continuous” in CI/CD implies that updates are constantly flowing.

WordPlumblr allows its users to use custom domains that point to the WordPlumblr infrastructure

A CNAME is an alias. It allows one domain to point to another domain which, eventually if you follow the CNAME chain, will resolve to an A record and IP address.

For example, WordPlumblr might have assigned the CNAME 6equj5.wordplumblr.com for Foo.com. Foo.com and the other customers may have all initially resolved, at the end of the CNAME chain, to the same IP address.

you usually don't want to address memory directly but, instead, you set up a pointer to a block of memory where you're going to store something. If the operating system needs to move the memory around then it just updates the pointer to point to wherever the chunk of memory has been moved to.

the DNS spec enshrined that the root record -- the naked domain without any subdomain -- could not be a CNAME.

a way to support a CNAME at the root, but still follow the RFC and return an IP address for any query for the root record.

extended our authoritative DNS infrastructure to, in certain cases, act as a kind of DNS resolver.

allows the flexibility of having CNAMEs at the root without breaking the DNS specification.

We cache the CNAME responses -- respecting the DNS TTLs, just like a recursor should -- which means often we have the answer without having to traverse the chain.

CNAME flattening solved email resolution errors for us which was very key.

docker build --cache-from "$CI_REGISTRY_IMAGE:latest" -t "$CI_REGISTRY_IMAGE:new-tag"

But if you maintain a CHANGELOG in this format, and/or your Git tags are also your Docker tags, you can get the previous version and use cache the this image version.

script: - export PREVIOUS_VERSION=$(perl -lne 'print "v${1}" if /^##\s\[(\d\.\d\.\d)\]\s-\s\d{4}(?:-\d{2}){2}\s*$/' CHANGELOG.md | sed -n '2 p') - docker build --cache-from "$CI_REGISTRY_IMAGE:$PREVIOUS_VERSION" -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG" -f ./prod.Dockerfile .

« Docker layer caching » is enough to optimize the build time.

We're building a Docker image, dependencies are installed inside a container.We can't cache a dependencies directory if it doesn't exists in the job workspace.

Dependencies will always be installed from a container but will be extracted by the GitLab Runner in the job workspace. Our goal is to send the cached version in the build context.

- docker cp app:/var/www/html/vendor/ ./vendor

after_script

- docker cp app:/var/www/html/node_modules/ ./node_modules

To avoid old dependencies to be mixed with the new ones, at the risk of keeping unused dependencies in cache, which would make cache and images heavier.

If you need to cache directories in testing jobs, it's easier: use volumes !

version your cache keys !

sharing Docker image between jobs

In every job, we automatically get artifacts from previous stages.

docker save $DOCKER_CI_IMAGE | gzip > app.tar.gz

I personally use the « push / pull » technique,

kubeadm uses the network interface associated with the default gateway to set the advertise address for this particular control-plane node's API server. To use a different network interface, specify the --apiserver-advertise-address=<ip-address> argument to kubeadm init

Do not share the admin.conf file with anyone and instead grant users custom permissions by generating them a kubeconfig file using the kubeadm kubeconfig user command.

The token is used for mutual authentication between the control-plane node and the joining nodes. The token included here is secret. Keep it safe, because anyone with this token can add authenticated nodes to your cluster.

You must deploy a Container Network Interface (CNI) based Pod network add-on so that your Pods can communicate with each other. Cluster DNS (CoreDNS) will not start up before a network is installed.

Make sure that your Pod network plugin supports RBAC, and so do any manifests that you use to deploy it.

The cluster created here has a single control-plane node, with a single etcd database running on it.

The node-role.kubernetes.io/control-plane label is such a restricted label and kubeadm manually applies it using a privileged client after a node has been created.

kubectl taint nodes --all node-role.kubernetes.io/control-plane-

remove the node-role.kubernetes.io/control-plane:NoSchedule taint from any nodes that have it, including the control plane nodes, meaning that the scheduler will then be able to schedule Pods everywhere.

On Linux, control groups are used to constrain resources that are allocated to processes.

Both kubelet and the underlying container runtime need to interface with control groups to enforce resource management for pods and containers and set resources such as cpu/memory requests and limits.

When the cgroupfs driver is used, the kubelet and the container runtime directly interface with the cgroup filesystem to configure cgroups.

When systemd is chosen as the init system for a Linux distribution, the init process generates and consumes a root control group (cgroup) and acts as a cgroup manager.

Two cgroup managers result in two views of the available and in-use resources in the system.

Changing the cgroup driver of a Node that has joined a cluster is a sensitive operation. If the kubelet has created Pods using the semantics of one cgroup driver, changing the container runtime to another cgroup driver can cause errors when trying to re-create the Pod sandbox for such existing Pods. Restarting the kubelet may not solve such errors.

The approach to mitigate this instability is to use systemd as the cgroup driver for the kubelet and the container runtime when systemd is the selected init system.

Kubernetes 1.26 defaults to using v1 of the CRI API. If a container runtime does not support the v1 API, the kubelet falls back to using the (deprecated) v1alpha2 API instead.

by default they react to !commands in your chatroom. Commands can also trigger on regular expression matches, with or without a bot prefix.

Errbot also supports Markdown responses with Jinja2 templating.

Errbot supports webhooks; It has a small web server that can translate endpoints to your custom plugins.

It’s recommended that you configure this behind a web server such as nginx or Apache.

It works with the If This Then That (IFTTT) principle, meaning that you define a set of rules that the system then uses to take action.

Lita is a chat bot written in Ruby. Like the other bots I’ve mentioned, it is also open source and supports different chat platforms via plugins.

Gort is a newer entrant to the ChatOps space. As the name suggests it has been written in Go, and it is still under active development.

can persist information in databases, supports advanced parsers, and is extendable with custom skills.

Microservices also bring a set of additional benefits, such as easier scaling, the possibility to use multiple programming languages and technologies, and others.

Java is a frequent choice for building a microservices architecture as it is a mature language tested over decades and has a multitude of microservices-favorable frameworks, such as legendary Spring, Jersey, Play, and others.

A monolithic architecture keeps it all simple. An app has just one server and one database.

All the connections between units are inside-code calls.

split our application into microservices and got a set of units completely independent for deployment and maintenance.

Each of microservices responsible for a certain business function communicates either via sync HTTP/REST or async AMQP protocols.

ensure seamless communication between newly created distributed components.

The gateway became an entry point for all clients’ requests.

We also set the Zuul 2 framework for our gateway service so that the application could leverage the benefits of non-blocking HTTP calls.

we've implemented the Eureka server as our server discovery that keeps a list of utilized user profile and order servers to help them discover each other.

We also have a message broker (RabbitMQ) as an intermediary between the notification server and the rest of the servers to allow async messaging in-between.

microservices can definitely help when it comes to creating complex applications that deal with huge loads and need continuous improvement and scaling.

models directory is meant to hold tests for your models

controllers directory is meant to hold tests for your controllers

integration directory is meant to hold tests that involve any number of controllers interacting

Fixtures are a way of organizing test data; they reside in the fixtures folder

The test_helper.rb file holds the default configuration for your tests

Fixtures allow you to populate your testing database with predefined data before your tests run

Fixtures are database independent written in YAML.

one file per model.

Each fixture is given a name followed by an indented list of colon-separated key/value pairs.

Keys which resemble YAML keywords such as 'yes' and 'no' are quoted so that the YAML Parser correctly interprets them.

define a reference node between two different fixtures.

ERB allows you to embed Ruby code within templates

The YAML fixture format is pre-processed with ERB when Rails loads fixtures.

Rails by default automatically loads all fixtures from the test/fixtures folder for your models and controllers test.

Fixtures are instances of Active Record.

access the object directly

test_helper.rb specifies the default configuration to run our tests. This is included with all the tests, so any methods added to this file are available to all your tests.

test with method names prefixed with test_.

An assertion is a line of code that evaluates an object (or expression) for expected results.

bin/rake db:test:prepare

Every test contains one or more assertions. Only when all the assertions are successful will the test pass.

rake test command

run a particular test method from the test case by running the test and providing the test method name.

The . (dot) above indicates a passing test. When a test fails you see an F; when a test throws an error you see an E in its place.

we first wrote a test which fails for a desired functionality, then we wrote some code which adds the functionality and finally we ensured that our test passes. This approach to software development is referred to as Test-Driven Development (TDD).

objects with a single responsibility can easily be unit tested

a vanilla Rails 4 app directory contains models, views, controllers, and helpers does not mean you are restricted to those four domains.

we need a way to signal success or failure when using a service

what ActiveRecord save method uses

if the services role is to create or update rails models, it makes sense to return such an object as result.

utility objects to signal success or error

services will be used on the boundary between user interface and application

All the business logic is encapsulated in services and models

how we can use Service Objects, Status Objects and Rails’s Responders to produce a nice, consistent API

Unique string used to identify the operation.

The id MUST be unique among all operations described in the API.

A list of MIME types the operation can consume.

A list of MIME types the operation can produce

A unique parameter is defined by a combination of a name and location.

There can be one "body" parameter at most.

Required. The list of possible responses as they are returned from executing this operation.

The transfer protocol for the operation. Values MUST be from the list: "http", "https", "ws", "wss".

Declares this operation to be deprecated. Usage of the declared operation should be refrained. Default value is

A unique parameter is defined by a combination of a name and location.

Path

Query

Header