Group items tagged

this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates

Privacy Enhanced Mail (PEM), a failed method for secure email but the container format it used lives on

This is a PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one.

The rights on these files are very important

/etc/ssl/private

OpenSSL can convert these to .pem

.cert .cer .crt A .pem (or rarely .der) formatted file with a different extension

there are four different ways to present certificates and their components

used preferentially by open-source software

The parent format of PEM

a binary version of the base64-encoded PEM file.

X.509 certificates are one type of data that is commonly encoded using PEM.

Use COPY and RUN commands in proper order

Merge multiple RUN commands into one

alpine versions should be enough

problems with zombie processes

prepare separate Docker image for each component, and use Docker Compose to easily start multiple containers at the same time

Layers are cached and reused

Layers are immutable

rely on our base image updates

make a cleanup

alpine is a very tiny linux distribution, just about 4 MB in size.

CMD is a default command run after creating container without other command specified.

put your command inside array

entrypoint adds complexity

Entrypoint is a script, that will be run instead of command, and receive command as arguments

Without it, we would not be able to stop our application grecefully (SIGTERM is swallowed by bash script).

ADD has some logic for downloading remote files and extracting archives.

stick with COPY.

ADD

CMD instruction should be used to run the software contained by your image, along with any arguments

CMD should be given an interactive shell (bash, python, perl, etc)

COPY them individually, rather than all at once

COPY is preferred

using ADD to fetch packages from remote URLs is strongly discouraged

always use COPY

The best use for ENTRYPOINT is to set the image's main command, allowing that image to be run as though it was that command (and then use CMD as the default flags).

the image name can double as a reference to the binary as shown in the command above

ENTRYPOINT instruction can also be used in combination with a helper script

The VOLUME instruction should be used to expose any database storage area, configuration storage, or files/folders created by your docker container.

use USER to change to a non-root user

avoid installing or using sudo

avoid switching USER back and forth frequently.

always use absolute paths for your WORKDIR

ONBUILD is only useful for images that are going to be built FROM a given image

The “onbuild” image will fail catastrophically if the new build's context is missing the resource being added.

native database constraints

client-side validations

controller-level validations

Database constraints and/or stored procedures make the validation mechanisms database-dependent and can make testing and maintenance more difficult

Client-side validations can be useful, but are generally unreliable

combined with other techniques, client-side validation can be a convenient way to provide users with immediate feedback

it's a good idea to keep your controllers skinny

Active Record uses the new_record? instance method to determine whether an object is already in the database or not.

Creating and saving a new record will send an SQL INSERT operation to the database. Updating an existing record will send an SQL UPDATE operation instead. Validations are typically run before these commands are sent to the database

The bang versions (e.g. save!) raise an exception if the record is invalid.

save and update return false

create just returns the object

be used with caution

update_all

save also has the ability to skip validations if passed validate: false as argument.

valid? triggers your validations and returns true if no errors

After Active Record has performed validations, any errors found can be accessed through the errors.messages instance method

By definition, an object is valid if this collection is empty after running validations.

validations are not run when using new.

invalid? is simply the inverse of valid?.

To verify whether or not a particular attribute of an object is valid, you can use errors[:attribute]. I

Every time a validation fails, an error message is added to the object's errors collection,

All of them accept the :on and :message options, which define when the validation should be run and what message should be added to the errors collection if it fails, respectively.

validates that a checkbox on the user interface was checked when a form was submitted.

agree to your application's terms of service

use this helper when your model has associations with other models and they also need to be validated

valid? will be called upon each one of the associated objects.

work with all of the association types

Don't use validates_associated on both ends of your associations.

each associated object will contain its own errors collection

errors do not bubble up to the calling model

when you have two text fields that should receive exactly the same content

This validation creates a virtual attribute whose name is the name of the field that has to be confirmed with "_confirmation" appended.

To require confirmation, make sure to add a presence check for the confirmation attribute

this set can be any enumerable object.

The exclusion helper has an option :in that receives the set of values that will not be accepted for the validated attributes.

:in option has an alias called :within

validates the attributes' values by testing whether they match a given regular expression, which is specified using the :with option.

attribute does not match the regular expression by using the :without option.

validates that the attributes' values are included in a given set

:in option has an alias called :within

specify length constraints

:minimum

:maximum

:in (or :within)

:is - The attribute length must be equal to the given value.

:wrong_length, :too_long, and :too_short options and %{count} as a placeholder for the number corresponding to the length constraint being used.

split the value in a different way using the :tokenizer option:

validates that your attributes have only numeric values

By default, it will match an optional sign followed by an integral or floating point number.

set :only_integer to true.

allows a trailing newline character.

:greater_than

:greater_than_or_equal_to

:equal_to

:less_than

:less_than_or_equal_to

:odd - Specifies the value must be an odd number if set to true.

:even - Specifies the value must be an even number if set to true.

validates that the specified attributes are not empty

if the value is either nil or a blank string

validate associated records whose presence is required, you must specify the :inverse_of option for the association

an association is present, you'll need to test whether the associated object itself is present, and not the foreign key used to map the association

false.blank? is true

ensure the value will NOT be nil

validates that the specified attributes are absent

not either nil or a blank string

be sure that an association is absent

false.present? is false

validate the absence of a boolean field you should use validates :field_name, exclusion: { in: [true, false] }.

validates that the attribute's value is unique right before the object gets saved

a :scope option that you can use to specify other attributes that are used to limit the uniqueness check

a :case_sensitive option that you can use to define whether the uniqueness constraint will be case sensitive or not.

There is no default error message for validates_with.

To implement the validate method, you must have a record parameter defined, which is the record to be validated.

passes the record to a separate class for validation

validates attributes against a block

The block receives the record, the attribute's name and the attribute's value. You can do anything you like to check for valid data within the block

will let validation pass if the attribute's value is blank?, like nil or an empty string

the :message option lets you specify the message that will be added to the errors collection when validation fails

skips the validation when the value being validated is nil

specify when the validation should happen

raise ActiveModel::StrictValidationFailed when the object is invalid

You can do that by using the :if and :unless options, which can take a symbol, a string, a Proc or an Array.

use the :if option when you want to specify when the validation should happen

using eval and needs to contain valid Ruby code.

Using a Proc object gives you the ability to write an inline condition instead of a separate method

have multiple validations use one condition, it can be easily achieved using with_options.

implement a validate method which takes a record as an argument and performs the validation on it

validates_with method

implement a validate_each method which takes three arguments: record, attribute, and value

combine standard validations with your own custom validators.

:expiration_date_cannot_be_in_the_past,    :discount_cannot_be_greater_than_total_value

By default such validations will run every time you call valid?

errors[] is used when you want to check the error messages for a specific attribute.

Returns an instance of the class ActiveModel::Errors containing all errors.

lets you manually add messages that are related to particular attributes

using []= setter

errors[:base] is an array, you can simply add a string to it and it will be used as an error message.

use this method when you want to say that the object is invalid, no matter the values of its attributes.

clear all the messages in the errors collection

calling errors.clear upon an invalid object won't actually make it valid: the errors collection will now be empty, but the next time you call valid? or any method that tries to save this object to the database, the validations will run again.

the total number of error messages for the object.

.errors.full_messages.each

.field_with_errors

Continuous integration is a practice that encourages developers to integrate their code into a master branch of a shared repository early and often.

Port 7946 TCP/UDP for container network discovery

Port 4789 UDP for the container ingress network.

When you access port 8080 on any node, the swarm load balancer routes your request to an active container.

The routing mesh listens on the published port for any IP address assigned to the node.

publish a port for an existing service

To use an external load balancer without the routing mesh, set --endpoint-mode to dnsrr instead of the default value of vip

When a plugin cache directory is enabled, the terraform init command will still access the plugin distribution server to obtain metadata about which plugins are available, but once a suitable version has been selected it will first check to see if the selected plugin is already available in the cache directory.

When possible, Terraform will use hardlinks or symlinks to avoid storing a separate copy of a cached plugin in multiple directories.

Terraform will never itself delete a plugin from the plugin cache once it's been placed there.

A null queue driver is also included which discards queued jobs.

In your config/queue.php configuration file, there is a connections configuration option.

any given queue connection may have multiple "queues" which may be thought of as different stacks or piles of queued jobs.

each connection configuration example in the queue configuration file contains a queue attribute.

if you dispatch a job without explicitly defining which queue it should be dispatched to, the job will be placed on the queue that is defined in the queue attribute of the connection configuration

pushing jobs to multiple queues can be especially useful for applications that wish to prioritize or segment how jobs are processed

specify which queues it should process by priority.

If your Redis queue connection uses a Redis Cluster, your queue names must contain a key hash tag.

ensure all of the Redis keys for a given queue are placed into the same hash slot

all of the queueable jobs for your application are stored in the app/Jobs directory.

Job classes are very simple, normally containing only a handle method which is called when the job is processed by the queue.

we were able to pass an Eloquent model directly into the queued job's constructor. Because of the SerializesModels trait that the job is using, Eloquent models will be gracefully serialized and unserialized when the job is processing.

When the job is actually handled, the queue system will automatically re-retrieve the full model instance from the database.

The handle method is called when the job is processed by the queue

The arguments passed to the dispatch method will be given to the job's constructor

delay the execution of a queued job, you may use the delay method when dispatching a job.

dispatch a job immediately (synchronously), you may use the dispatchNow method.

specify a list of queued jobs that should be run in sequence.

Deleting jobs using the $this->delete() method will not prevent chained jobs from being processed. The chain will only stop executing if a job in the chain fails.

this does not push jobs to different queue "connections" as defined by your queue configuration file, but only to specific queues within a single connection.

To specify the queue, use the onQueue method when dispatching the job

To specify the connection, use the onConnection method when dispatching the job

defining the maximum number of attempts on the job class itself.

to defining how many times a job may be attempted before it fails, you may define a time at which the job should timeout.

using the funnel method, you may limit jobs of a given type to only be processed by one worker at a time

using the throttle method, you may throttle a given type of job to only run 10 times every 60 seconds.

If an exception is thrown while the job is being processed, the job will automatically be released back onto the queue so it may be attempted again.

dispatch a Closure. This is great for quick, simple tasks that need to be executed outside of the current request cycle

When dispatching Closures to the queue, the Closure's code contents is cryptographically signed so it can not be modified in transit.

Laravel includes a queue worker that will process new jobs as they are pushed onto the queue.

once the queue:work command has started, it will continue to run until it is manually stopped or you close your terminal

they will not notice changes in your code base after they have been started.

during your deployment process, be sure to restart your queue workers.

customize your queue worker even further by only processing particular queues for a given connection

The --once option may be used to instruct the worker to only process a single job from the queue

The --stop-when-empty option may be used to instruct the worker to process all jobs and then exit gracefully.

Daemon queue workers do not "reboot" the framework before processing each job.

Since queue workers are long-lived processes, they will not pick up changes to your code without being restarted.

php artisan queue:restart

The queue uses the cache to store restart signals

the queue workers will die when the queue:restart command is executed, you should be running a process manager such as Supervisor to automatically restart the queue workers.

each queue connection defines a retry_after option. This option specifies how many seconds the queue connection should wait before retrying a job that is being processed.

The --timeout option specifies how long the Laravel queue master process will wait before killing off a child queue worker that is processing a job.

When jobs are available on the queue, the worker will keep processing jobs with no delay in between them.

While sleeping, the worker will not process any new jobs - the jobs will be processed after the worker wakes up again

the numprocs directive will instruct Supervisor to run 8 queue:work processes and monitor all of them, automatically restarting them if they fail.

Laravel includes a convenient way to specify the maximum number of times a job should be attempted.

define a failed method directly on your job class, allowing you to perform job specific clean-up when a failure occurs.

a great opportunity to notify your team via email or Slack.

php artisan queue:retry all

php artisan queue:flush

When injecting an Eloquent model into a job, it is automatically serialized before being placed on the queue and restored when the job is processed

initialize the local CLI

install Tiller into your Kubernetes cluster

helm install

helm init --upgrade

By default, when Tiller is installed, it does not have authentication enabled.

helm repo update

Without a max history set the history is kept indefinitely, leaving a large number of records for helm and tiller to maintain.

helm init --upgrade

Whenever you install a chart, a new release is created.

helm list function will show you a list of all deployed releases.

helm delete

helm status

the Helm server (Tiller).

The Helm client (helm)

brew install kubernetes-helm

it can also be run locally, and configured to talk to a remote Kubernetes cluster.

Role-Based Access Control - RBAC for short

run Tiller in an RBAC-enabled Kubernetes cluster.

run kubectl get pods --namespace kube-system and see Tiller running.

helm inspect

Helm will look for Tiller in the kube-system namespace unless --tiller-namespace or TILLER_NAMESPACE is set.

For development, it is sometimes easier to work on Tiller locally, and configure it to connect to a remote Kubernetes cluster.

helm version should show you both the client and server version.

The --node-selectors flag allows us to specify the node labels required for scheduling the Tiller pod.

--override allows you to specify properties of Tiller’s deployment manifest.

helm init --override manipulates the specified properties of the final manifest (there is no “values” file).

The --output flag allows us skip the installation of Tiller’s deployment manifest and simply output the deployment manifest to stdout in either JSON or YAML format.

switch from the default backend to the secrets backend, you’ll have to do the migration for this on your own.

a beta SQL storage backend that stores release information in an SQL database (only postgres has been tested so far).

Helm requires that kubelet have access to a copy of the socat program to proxy connections to the Tiller API.

A Release is an instance of a chart running in a Kubernetes cluster. One chart can often be installed many times into the same cluster.

helm init --client-only

helm init --dry-run --debug

A panic in Tiller is almost always the result of a failure to negotiate with the Kubernetes API server

Tiller and Helm have to negotiate a common version to make sure that they can safely communicate without breaking API assumptions

helm delete --purge

Helm stores some files in $HELM_HOME, which is located by default in ~/.helm

A Chart is a Helm package. It contains all of the resource definitions necessary to run an application, tool, or service inside of a Kubernetes cluster.

A Repository is the place where charts can be collected and shared.

Set the $HELM_HOME environment variable

Helm installs charts into Kubernetes, creating a new release for each installation. And to find new charts, you can search Helm chart repositories.

chart repository is named stable by default

helm search shows you all of the available charts

helm inspect

To install a new package, use the helm install command. At its simplest, it takes only one argument: The name of the chart.

If you want to use your own release name, simply use the --name flag on helm install

additional configuration steps you can or should take.

Helm does not wait until all of the resources are running before it exits. Many charts require Docker images that are over 600M in size, and may take a long time to install into the cluster.

helm status

helm inspect values

helm inspect values stable/mariadb

override any of these settings in a YAML formatted file, and then pass that file during installation.

helm install -f config.yaml stable/mariadb

--values (or -f): Specify a YAML file with overrides.

--set (and its variants --set-string and --set-file): Specify overrides on the command line.

Values that have been --set can be cleared by running helm upgrade with --reset-values specified.

Chart designers are encouraged to consider the --set usage when designing the format of a values.yaml file.

--set-file key=filepath is another variant of --set. It reads the file and use its content as a value.

inject a multi-line text into values without dealing with indentation in YAML.

An unpacked chart directory

When a new version of a chart is released, or when you want to change the configuration of your release, you can use the helm upgrade command.

Kubernetes charts can be large and complex, Helm tries to perform the least invasive upgrade.

$ helm upgrade -f panda.yaml happy-panda stable/mariadb

deployment

If both are used, --set values are merged into --values with higher precedence.

The helm get command is a useful tool for looking at a release in the cluster.

A release version is an incremental revision. Every time an install, upgrade, or rollback happens, the revision number is incremented by 1.

helm history

you can rollback a deleted resource, and have it re-activate.

helm repo list

helm repo add

helm repo update

helm create

helm lint

helm package

Charts that are archived can be loaded into chart repositories.

chart repository server

Tiller can be installed into any namespace.

Limiting Tiller to only be able to install into specific namespaces and/or resource types is controlled by Kubernetes RBAC roles and rolebindings

Release names are unique PER TILLER INSTANCE

Charts should only contain resources that exist in a single namespace.

not recommended to have multiple Tillers configured to manage resources in the same namespace.

a client-side Helm plugin. A plugin is a tool that can be accessed through the helm CLI, but which is not part of the built-in Helm codebase.

Helm plugins are add-on tools that integrate seamlessly with Helm. They provide a way to extend the core feature set of Helm, but without requiring every new feature to be written in Go and added to the core tool.

Helm plugins live in $(helm home)/plugins

The Helm plugin model is partially modeled on Git’s plugin model

helm referred to as the porcelain layer, with plugins being the plumbing.

helm plugin install https://github.com/technosophos/helm-template

command is the command that this plugin will execute when it is called.

Environment variables are interpolated before the plugin is executed.

The command itself is not executed in a shell. So you can’t oneline a shell script.

Helm is able to fetch Charts using HTTP/S

Variables like KUBECONFIG are set for the plugin if they are set in the outer environment.

In Kubernetes, granting a role to an application-specific service account is a best practice to ensure that your application is operating in the scope that you have specified.

restrict Tiller’s capabilities to install resources to certain namespaces, or to grant a Helm client running access to a Tiller instance.

Service account with cluster-admin role

The cluster-admin role is created by default in a Kubernetes cluster

Deploy Tiller in a namespace, restricted to deploying resources only in that namespace

Deploy Tiller in a namespace, restricted to deploying resources in another namespace

When running a Helm client in a pod, in order for the Helm client to talk to a Tiller instance, it will need certain privileges to be granted.

SSL Between Helm and Tiller

The Tiller authentication model uses client-side SSL certificates.

creating an internal CA, and using both the cryptographic and identity functions of SSL.

Helm is a powerful and flexible package-management and operations tool for Kubernetes.

default installation applies no security configurations

with a cluster that is well-secured in a private network with no data-sharing or no other users or teams.

With great power comes great responsibility.

Choose the Best Practices you should apply to your helm installation

Role-based access control, or RBAC

Tiller’s gRPC endpoint and its usage by Helm

Kubernetes employ a role-based access control (or RBAC) system (as do modern operating systems) to help mitigate the damage that can be done if credentials are misused or bugs exist.

In the default installation the gRPC endpoint that Tiller offers is available inside the cluster (not external to the cluster) without authentication configuration applied.

Tiller stores its release information in ConfigMaps. We suggest changing the default to Secrets.

release information

charts

charts are a kind of package that not only installs containers you may or may not have validated yourself, but it may also install into more than one namespace.

Helm’s provenance tools to ensure the provenance and integrity of charts