Group items tagged

In most cases, the eligible DOM elements are identified by HTML5 data attributes.

using JavaScript to progressively enhance the user experience for capable browsers without negatively impacting clients that do not support or do not enable JavaScript.

jquery-ujs attaches a handler to links with the data-method attribute

jquery-ujs attaches a handler to links or forms with the data-confirm attribute that displays a JavaScript confirmation dialog

Users double click links and buttons all the time.

Links and buttons that have a data-disable-with attribute get a click handler that disables the element and updates the text of the button to that which was provided in the data attribute and disables the button.

Thanks to jquery-ujs and Rails’ respond_with, setting remote: true is likely the quickest way to get your Rails application making AJAX requests.

Cross-Site Request Forgery (CSRF) is an attack wherein the attacker tricks the user into submitting a request to an application the user is likely already authenticated to.

a single, global ClusterRoleBinding.

RoleBindings per namespace enable to restrict granted permissions to the very namespaces only that Traefik is watching over, thereby following the least-privileges principle.

The scalability can be much better when using a Deployment

you will have a Single-Pod-per-Node model when using a DaemonSet,

start with the Daemonset

The Deployment has easier up and down scaling possibilities.

The DaemonSet automatically scales to all nodes that meets a specific selector and guarantees to fill nodes one at a time.

provide the TLS certificate via a Kubernetes secret in the same namespace as the ingress.

create secret generic

Name-based Routing

Path-based Routing

Traefik will merge multiple Ingress definitions for the same host/path pair into one definition.

specify priority for ingress routes

traefik.frontend.priority

When specifying an ExternalName, Traefik will forward requests to the given host accordingly and use HTTPS when the Service port matches 443.

By default Traefik will pass the incoming Host header to the upstream resource.

traefik.frontend.passHostHeader: "false"

type: ExternalName

By default, Traefik processes every Ingress objects it observes.

It is also possible to set the ingressClass option in Traefik to a particular value. Traefik will only process matching Ingress objects.

It is possible to split Ingress traffic in a fine-grained manner between multiple deployments using service weights.

annotations: traefik.ingress.kubernetes.io/service-weights: | my-app: 99% my-app-canary: 1%

Over time, the ratio may slowly shift towards the canary deployment until it is deemed to replace the previous main application, in steps such as 5%/95%, 10%/90%, 50%/50%, and finally 100%/0%.

While you may get Bob and Lola, and someone else may get Stan and Amy, in fact they are both sending requests to the same elastic pool of resources.

DNS component in FreeIPA is optional and user may choose to manage all DNS records manually in other third party DNS server.

Clients can be configured to automatically run DNS updates (nsupdate) when their IP address changes and thus keeping its DNS record up-to-date. DNS zones can be configured to synchronize client's reverse (PTR) record along with the forward (A, AAAA) DNS record.

You should only use names which are delegated to you by the parent domain.

DNSSEC validation.

General advice about DNS views is do not use them because views make DNS deployment harder to maintain and security benefits are questionable (when compared with ACL).

FreeIPA LDAP directory information tree is by default accessible to any user in the network

As DNS data are often considered as sensitive and as having access to cn=dns tree would be basically equal to being able to run zone transfer to all FreeIPA managed DNS zones, contents of this tree in LDAP are hidden by default.

standard system log (/var/log/messages or system journal)

BIND configuration (/etc/named.conf) can be updated to produce a more detailed log.

When posting a large declaration (hundreds of application services in a single declaration), you may experience a 500 error stating that the save sys config operation failed.

Even if you have asynchronous mode set to false, after 45 seconds AS3 sets asynchronous mode to true (API swap), and returns an async response.

When creating a new tenant using AS3, it must not use the same name as a partition you separately create on the target BIG-IP system.

if a Firewall_Address_List contains zero addresses, a dummy IPv6 address of ::1:5ee:bad:c0de is added in order to maintain a valid Firewall_Address_List. If an address is added to the list, the dummy address is removed.

use /mgmt/shared/appsvcs/declare?async=true if you have a particularly large declaration which will take a long time to process.

reviewing the Sizing BIG-IP Virtual Editions section (page 7) of Deploying BIG-IP VEs in a Hyper-Converged Infrastructure

To test whether your system has AS3 installed or not, use GET with the /mgmt/shared/appsvcs/info URI.

You may find it more convenient to put multi-line texts such as iRules into AS3 declarations by first encoding them in Base64.

no matter your BIG-IP user account name, audit logs show all messages from admin and not the specific user name.

JSONP 拯救 Cross-Domain JSON API Request

Rails gives your ability to configure application time zone.

It's not Rails responsible for adding time zone, but ActiveSupport

switch from Time.now to Time.zone.now

Time.zone.now

no need to use it explicitly as there is shorter and more clear option.

Time.zone.today

Time.zone.local

Time.zone.at

Time.zone.parse

DateTime.strptime(str, "%Y-%m-%d %H:%M %Z").in_time_zone

learn about is SSHKit and the various methods it provides

SSHKit was actually developed and released with Capistrano 3, and it’s basically a lower-level tool that provides methods for connecting and interacting with remote servers

on(): specifies the server to run on

within(): specifies the directory path to run in

with(): specifies the environment variables to run with

run on the application server

within the path specified

with certain environment variables set

execute(): the workhorse that runs the commands on your server

upload(): uploads a file from your local computer to your remote server

capture(): executes a command and returns its output as a string

upload() has the bang symbol (!) because that’s how it’s defined in SSHKit, and it’s just a convention letting us know that the method will block until it finishes.

I recommend you take a look at SSHKit’s example page to learn more

make sure we pushed all our local changes to the remote master branch

run this task before Capistrano runs its own deploy task

actually creates three separate tasks

I created a namespace called deploy to contain these tasks since that’s what they’re related to.

we’re using the callbacks inside a namespace to make sure Capistrano knows which tasks the callbacks are referencing.

custom recipe (a Capistrano term meaning a series of tasks)

/shared: holds files and directories that persist throughout deploys

When you run cap production deploy, you’re actually calling a Capistrano task called deploy, which then sequentially invokes other tasks

Deployment is hard and takes a while to sink in.

Vegeta was designed to be run on the command line; it reads from stdin a list of HTTP transactions to generate, and sends results in binary format to stdout,

Vegeta is a really strong tool that caters to people who want a tool to test simple, static URLs (perhaps API end points) but also want a bit more functionality.

Vegeta can even be used as a Golang library/package if you want to create your own load testing tool.

Wrk is so damn fast

being fast and measuring correctly is about all that Wrk does

k6 is scriptable in plain Javascript

k6 is average or better. In some categories (documentation, scripting API, command line UX) it is outstanding.

Jmeter is a huge beast compared to most other tools.

Siege is a simple tool, similar to e.g. Apachebench in that it has no scripting and is primarily used when you want to hit a single, static URL repeatedly.

A good way of testing the testing tools is to not test them on your code, but on some third-party thing that is sure to be very high-performing.

use a tool like e.g. top to keep track of Nginx CPU usage while testing. If you see just one process, and see it using close to 100% CPU, it means you could be CPU-bound on the target side.

If you see multiple Nginx processes but only one is using a lot of CPU, it means your load testing tool is only talking to that particular worker process.

Network delay is also important to take into account as it sets an upper limit on the number of requests per second you can push through.

If, say, the Nginx default page requires a transfer of 250 bytes to load, it means that if the servers are connected via a 100 Mbit/s link, the theoretical max RPS rate would be around 100,000,000 divided by 8 (bits per byte) divided by 250 => 100M/2000 = 50,000 RPS. Though that is a very optimistic calculation - protocol overhead will make the actual number a lot lower so in the case above I would start to get worried bandwidth was an issue if I saw I could push through max 30,000 RPS, or something like that.

Wrk managed to push through over 50,000 RPS and that made 8 Nginx workers on the target system consume about 600% CPU.

The upgrade procedure on control plane nodes should be executed one node at a time.

Manually upgrade your CNI provider plugin.

sudo systemctl daemon-reload sudo systemctl restart kubelet

If kubeadm upgrade fails and does not roll back, for example because of an unexpected shutdown during execution, you can run kubeadm upgrade again.

To recover from a bad state, you can also run kubeadm upgrade apply --force without changing the version that your cluster is running.

kubeadm-backup-etcd contains a backup of the local etcd member data for this control plane Node.

the contents of this folder can be manually restored in /var/lib/etcd

kubeadm-backup-manifests contains a backup of the static Pod manifest files for this control plane Node.

the contents of this folder can be manually restored in /etc/kubernetes/manifests

Enforces the version skew policies.

Upgrades the control plane components or rollbacks if any of them fails to come up.

Journaling guarantees that MongoDB can quickly recover write operations that were written to the journal but not written to data files in cases where mongod terminated due to a crash or other serious failure.

To use read concern level of "majority", replica sets must use WiredTiger storage engine.

Write concern describes the level of acknowledgement requested from MongoDB for write operations.

With stronger write concerns, clients must wait after sending a write operation until MongoDB confirms the write operation at the requested write concern level.

The HTTP interface is disabled by default. Do not enable the HTTP interface in production environments.

Avoid overloading the connection resources of a mongod or mongos instance by adjusting the connection pool size to suit your use case.

ensure that each mongod or mongos instance has access to two real cores or one multi-core physical CPU.

The WiredTiger storage engine is multithreaded and can take advantage of additional CPU cores

deployment.yaml: A basic manifest for creating a Kubernetes deployment

using the suffix .yaml for YAML files and .tpl for helpers.

helm get manifest

The helm get manifest command takes a release name (full-coral) and prints out all of the Kubernetes resources that were uploaded to the server. Each file begins with --- to indicate the start of a YAML document

Names should be unique to a release

The name: field is limited to 63 characters because of limitations to the DNS system.

release names are limited to 53 characters

{{ .Release.Name }}

The values that are passed into a template can be thought of as namespaced objects, where a dot (.) separates each namespaced element.

The Release object is one of the built-in objects for Helm

Using --dry-run will make it easier to test your code, but it won’t ensure that Kubernetes itself will accept the templates you generate.

Objects are passed into a template from the template engine.

create new objects within your templates

Objects can be simple, and have just one value. Or they can contain other objects or functions.

Release is one of the top-level objects that you can access in your templates.

Release.Namespace: The namespace to be released into (if the manifest doesn’t override)

Chart: The contents of the Chart.yaml file.

Files: This provides access to all non-special files in a chart.

Files.Get is a function for getting a file by name

Files.GetBytes is a function for getting the contents of a file as an array of bytes instead of as a string. This is useful for things like images.

Template: Contains information about the current template that is being executed

BasePath: The namespaced path to the templates directory of the current chart

Go’s naming convention

use only initial lower case letters in order to distinguish local names from those built-in.

If this is a subchart, the values.yaml file of a parent chart

Individual parameters passed with --set

While structuring data this way is possible, the recommendation is that you keep your values trees shallow, favoring flatness.

If you need to delete a key from the default values, you may override the value of the key to be null, in which case Helm will remove the key from the overridden values merge.

Kubernetes would then fail because you can not declare more than one livenessProbe handler.

When injecting strings from the .Values object into the template, we ought to quote these strings.

quote

Template functions follow the syntax functionName arg1 arg2...

While we talk about the “Helm template language” as if it is Helm-specific, it is actually a combination of the Go template language, some extra functions, and a variety of wrappers to expose certain objects to the templates.

Drawing on a concept from UNIX, pipelines are a tool for chaining together a series of template commands to compactly express a series of transformations.

pipelines are an efficient way of getting several things done in sequence

The repeat function will echo the given string the given number of times

default DEFAULT_VALUE GIVEN_VALUE. This function allows you to specify a default value inside of the template, in case the value is omitted.

all static default values should live in the values.yaml, and should not be repeated using the default command

Operators are implemented as functions that return a boolean value.

To use eq, ne, lt, gt, and, or, not etcetera place the operator at the front of the statement followed by its parameters just as you would a function.

if and

if or

with to specify a scope

range, which provides a “for each”-style loop

block declares a special kind of fillable template area

A pipeline is evaluated as false if the value is: a boolean false a numeric zero an empty string a nil (empty or null) an empty collection (map, slice, tuple, dict, array)

incorrect YAML because of the whitespacing

When the template engine runs, it removes the contents inside of {{ and }}, but it leaves the remaining whitespace exactly as is.

{{- (with the dash and space added) indicates that whitespace should be chomped left, while -}} means whitespace to the right should be consumed.

Newlines are whitespace!

an * at the end of the line indicates a newline character that would be removed

the indent function

Scopes can be changed. with can allow you to set the current scope (.) to a particular object.

range

The range function will “range over” (iterate through) the pizzaToppings list.

Just like with sets the scope of ., so does a range operator.

The toppings: |- line is declaring a multi-line string.

not a YAML list. It’s a big string.

the data in ConfigMaps data is composed of key/value pairs, where both the key and the value are simple strings.

The |- marker in YAML takes a multi-line string.

range can be used to iterate over collections that have a key and a value (like a map or dict).

In Helm templates, a variable is a named reference to another object. It follows the form $name

Variables are assigned with a special assignment operator: :=

{{- $relname := .Release.Name -}}

capture both the index and the value

the integer index (starting from zero) to $index and the value to $topping

For data structures that have both a key and a value, we can use range to get both

one variable that is always global - $ - this variable will always point to the root context.

$.

$.

Helm template language is its ability to declare multiple templates and use them together.

A named template (sometimes called a partial or a subtemplate) is simply a template defined inside of a file, and given a name.

If you declare two templates with the same name, whichever one is loaded last will be the one used.

naming convention is to prefix each defined template with the name of the chart: {{ define "mychart.labels" }}

prometheus 通过 HTTP 的方式来暴露的它本身的监控数据

需要配置 rbac 认证，因为我们需要在 prometheus 中去访问 Kubernetes 的相关信息

要获取的资源信息，在每一个 namespace 下面都有可能存在，所以我们这里使用的是 ClusterRole 的资源对象，值得一提的是我们这里的权限规则声明中有一个nonResourceURLs的属性，是用来对非资源型 metrics 进行操作的权限声明

PromQL其实就是 prometheus 便于数据聚合展示开发的一套 ad hoc 查询语言的，你想要查什么找对应函数取你的数据好了。