The three sacred treasures of project management
Things a project cannot do without:
- a task management tool
- a communication tool
- a wiki
Once you are running a company, accounting software joins that list. I replace all of them with open-source software.

task management tool: Redmine
communication tool: rocket.chat
wiki: xwiki

How to introduce Redmine

Just run this docker compose file.

    version: '3.7'
    services:
      redmine:
        image: redmine:6.0.1
        ports:
          - "8008:3000"
        environment:
          REDMINE_DB_MYSQL: db
          REDMINE_DB_DATABASE: redmine
          REDMINE_DB_USERNAME: redmine
          REDMINE_DB_PASSWORD: redmine_password
        volumes:
          - redmine_data:/usr/src/redmine/files
      db:
        image: mysql:5.7
        command: mysqld --character-set-server=utf8 --collation-server=utf8_unicode_ci #--default-authentication-plugin=mysql_native_password --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
        environment:
          MYSQL_ROOT_PASSWORD: root_password
          MYSQL_DATABASE: redmine
          MYSQL_USER: redmine
          MYSQL_PASSWORD: redmine_password
        volumes:
          - mysql_data:/var/lib/mysql
    volumes:
      redmine_data:
        driver: local
      mysql_data:
        driver: local

Two things to check before you run it as-is: the passwords (redmine_password, root_password) are placeholders and should be replaced, and mysql:5.7 reached end of life in October 2023, so a supported 8.x image is the safer choice for anything that stays up.

For details, have a look at this: https://blog.ingenboy.com/post/introduce_redmine/

How to introduce rocket.chat

    volumes:
      mongodb_data: { driver: local }

    services:
      rocketchat:
        image: ${IMAGE:-registry.rocket.chat/rocketchat/rocket.chat}:${RELEASE:-latest}
        restart: always
        labels:
          traefik.enable: "true"
          traefik.http.routers.rocketchat.rule: Host(`${DOMAIN:-}`)
          traefik.http.routers.rocketchat.tls: "true"
          traefik.http.routers.rocketchat.entrypoints: https
          traefik.http.routers.rocketchat.tls.certresolver: le
        environment:
          MONGO_URL: "${MONGO_URL:-\
            mongodb://${MONGODB_ADVERTISED_HOSTNAME:-mongodb}:${MONGODB_INITIAL_PRIMARY_PORT_NUMBER:-27017}/\
            ${MONGODB_DATABASE:-rocketchat}?replicaSet=${MONGODB_REPLICA_SET_NAME:-rs0}}"
          MONGO_OPLOG_URL: "${MONGO_OPLOG_URL:\
            -mongodb://${MONGODB_ADVERTISED_HOSTNAME:-mongodb}:${MONGODB_INITIAL_PRIMARY_PORT_NUMBER:-27017}/\
            local?replicaSet=${MONGODB_REPLICA_SET_NAME:-rs0}}"
          ROOT_URL: ${ROOT_URL:-http://localhost:${HOST_PORT:-3000}}
          PORT: ${PORT:-3000}
          DEPLOY_METHOD: docker
          DEPLOY_PLATFORM: ${DEPLOY_PLATFORM:-}
          REG_TOKEN: ${REG_TOKEN:-}
        depends_on:
          - mongodb
        expose:
          - ${PORT:-3000}
        ports:
          - "${BIND_IP:-0.0.0.0}:${HOST_PORT:-3000}:${PORT:-3000}"

      mongodb:
        image: docker.io/bitnami/mongodb:${MONGODB_VERSION:-6.0}
        restart: always
        volumes:
          - mongodb_data:/bitnami/mongodb
        environment:
          MONGODB_REPLICA_SET_MODE: primary
          MONGODB_REPLICA_SET_NAME: ${MONGODB_REPLICA_SET_NAME:-rs0}
          MONGODB_PORT_NUMBER: ${MONGODB_PORT_NUMBER:-27017}
          MONGODB_INITIAL_PRIMARY_HOST: ${MONGODB_INITIAL_PRIMARY_HOST:-mongodb}
          MONGODB_INITIAL_PRIMARY_PORT_NUMBER: ${MONGODB_INITIAL_PRIMARY_PORT_NUMBER:-27017}
          MONGODB_ADVERTISED_HOSTNAME: ${MONGODB_ADVERTISED_HOSTNAME:-mongodb}
          MONGODB_ENABLE_JOURNAL: ${MONGODB_ENABLE_JOURNAL:-true}
          ALLOW_EMPTY_PASSWORD: ${ALLOW_EMPTY_PASSWORD:-yes}

Note what this file does by default: BIND_IP is 0.0.0.0, so Rocket.Chat listens on every interface of the host, not only on the side nginx talks to (set BIND_IP to 127.0.0.1 when a proxy sits in front), and ALLOW_EMPTY_PASSWORD=yes starts MongoDB without authentication, which is tolerable only because the mongodb service publishes no ports and is reachable solely on the compose network.

After that, write an nginx config like the one below and proxy to it. ...
2025 January TODO
Task list as of 2025/1/1

Development
Master Grafana. This one is a must.
Stand up an echo-server on my home K8S, stand up several proxies, put a VIP in front of them, and make it possible to load-test with vegeta. Then make it possible to collect all sorts of metrics. How to go about it? Well, I know the path is a big detour, but first, finish reading real-world-http. It's pretty long, so I'll take notes as I go. The end goal is a setup of two proxies and one echo-server that I can put load on with vegeta. This looks like a good reference. Also, I bought a "learn k8s by breaking it" kind of book, so I'll read that and deploy an echo-server written in Go to a Raspberry Pi. The question is when to have it done by.
Build a distributed file system in Go? I might manage it by following this YouTube video. This book, which includes building distributed systems in Go, might also do. Either is fine. With the latter, the distributed system gets deployed onto k8s, which feels like it fits well with the item above.
Time to run the horse-racing system too. I'll ask for manifest files to be written so it can run on my home k8s.

Company founding
Introduce accounting software. This looks good: https://ledger-cli.org/
Do something about the wiki too? XWiki seems strong, but we'll see. What about hardware? Just decide already!?

Other
Get up early every morning. Going to bed at 23:00 and getting up at 06:30 would be ideal.
Get a contract gig of some kind and sell it, soon.
Start a YouTube channel and start living on expenses, soon!

Long term
Get the bookkeeping level 2 certificate!
Decide where to buy land!! And save money!! Seriously: everything except about 80k for living costs and 50k for the savings account goes over there. That means the money usable for the monthly credit card bill is 170k. Insurance takes 100k of that, so only 70k is left?!
Introduce_redmine
Getting started

Until now I managed tasks in a README.md. That is certainly fine as long as one person manages their own tasks, but from next year I expect to be PM on a lot more projects. So I decided to introduce a project management system.

REDMINE
An OSS project management system. It's free, so this is what I'm putting in.

One-shot startup with docker compose

    version: '3.7'
    services:
      redmine:
        image: redmine:6.0.1
        ports:
          - "8008:3000"
        environment:
          REDMINE_DB_MYSQL: db
          REDMINE_DB_DATABASE: redmine
          REDMINE_DB_USERNAME: redmine
          REDMINE_DB_PASSWORD: redmine_password
        volumes:
          - redmine_data:/usr/src/redmine/files
      db:
        image: mysql:5.7
        command: mysqld --character-set-server=utf8 --collation-server=utf8_unicode_ci #--default-authentication-plugin=mysql_native_password --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
        environment:
          MYSQL_ROOT_PASSWORD: root_password
          MYSQL_DATABASE: redmine
          MYSQL_USER: redmine
          MYSQL_PASSWORD: redmine_password
        volumes:
          - mysql_data:/var/lib/mysql
    volumes:
      redmine_data:
        driver: local
      mysql_data:
        driver: local

The important part is db.command. It is set like this so that Japanese can be used; if you don't set the character set, entering Japanese produces errors. One caveat: in MySQL, utf8 means the 3-byte utf8mb3, so 4-byte characters such as emoji will still fail; the commented-out utf8mb4 variant is the one that handles those.

Proxying through the frontend proxy
As usual, nginx handles the front and the origin is my home server. When proxying, the Host header has to be passed through to the origin or things break, so watch out for that.

Other tips
There is an iPhone app called RedminePM. To reach Redmine from it, go to Administration -> Settings -> API and tick "Enable REST web service" and "Enable JSONP support". JSONP is the riskier of the two, since it lets any web page load API responses through a script tag, so if the app works with REST alone, leave JSONP off. ...
How_to_have_multiple_services_with_multiple_origin_on_a_single_frontend_proxy
Getting started

At work I operate and develop an L7 proxy. We have multiple endpoints (domains), and a single L7 proxy (a single IP) serves all of those domains. How on earth is that achieved? That is the topic this time.
I had assumed that DNS ties an IP address to a single domain, but that was wrong. And until I joined the company I had no idea what a Host header was. HTTP has a Host header, and thanks to it a single IP can serve multiple domains. The point, I think, comes down to this: HTTP lives at layer 7 and IP lives at layer 3.

Premise
The mapping between IP addresses and domains in DNS is not one-to-one but one-to-many. That was the first important thing. And I had not understood the Host header.

Standing up virtual servers with nginx
From ChatGPT:
A feature used to host multiple websites or applications on a single physical server. Each virtual server corresponds to a different domain name or subdomain and provides access to separately configured resources (for example web pages, application files, SSL certificates, log files and so on). In Nginx, these virtual servers are written into the configuration file as "server blocks". Below is a basic example of a virtual server configuration in Nginx:

    server {
        listen 80;
        server_name example.com www.example.com;

        location / {
            root /var/www/example.com/html;
            index index.html index.htm;
        }

        error_page 404 /404.html;
        location = /404.html {
            root /var/www/example.com/html;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /var/www/example.com/html;
        }
    }

The role of the Host header
From ChatGPT:
The HTTP Host header plays a very important role when an HTTP request is sent. It is used by the client to specify which host (domain name or IP address) and port the request is intended for. In particular, when one server hosts multiple domains (virtual hosting), without the Host header the server cannot tell which website the request is for.
In HTTP/1.1 the Host header is mandatory. This is because, unlike HTTP/1.0, it became common for a server to host multiple domains. If a request does not contain a Host header, the server often returns a 400 Bad Request error.

DNS A records
When multiple subdomains point to resources on the same server, it is common to assign the same IP address to all of them. For example, you can configure them like this:

    www.example.com  → 192.0.2.1
    mail.example.com → 192.0.2.1
    ftp.example.com  → 192.0.2.1

By giving all of these subdomains the same A record IP address (192.0.2.1), one server can provide different services (web, mail, FTP and so on). This is especially convenient for hosting services or when managing multiple websites on a single physical server. It is also efficient when maintenance or upgrades are needed, since a change only has to be made in one place. ...
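To make the Host-header point concrete, here is an added example of mine (not code from this post or from nginx): a minimal L7 front proxy in Go that picks the origin by the request's Host header and, by default, forwards that header unchanged. A flag shows the other behaviour, where the proxy rewrites Host to the origin's address; that is the nginx misconfiguration warned about in the Redmine post, where `proxy_set_header Host $host;` is needed to keep it. The host names redmine.example.test and chat.example.test and the echo origins are constructed for the demo and are not real DNS names.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// NewFrontProxy is an L7 front proxy for one IP:port that serves several names.
// routes maps a host name (the value of the Host header) to its origin URL.
// preserveHost=true hands the origin the client's Host header unchanged, which an
// origin doing its own virtual hosting needs; false rewrites Host to the origin's
// address, which is what nginx does without "proxy_set_header Host $host;".
func NewFrontProxy(routes map[string]*url.URL, preserveHost bool) http.Handler {
	handlers := map[string]http.Handler{}
	for host, origin := range routes {
		rp := httputil.NewSingleHostReverseProxy(origin) // leaves req.Host alone
		if !preserveHost {
			o, base := origin, rp.Director
			rp.Director = func(req *http.Request) {
				base(req)
				req.Host = o.Host // overwrite the Host header with the origin's address
			}
		}
		handlers[host] = rp
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// r.Host is the Host header (HTTP/1.1) or :authority (HTTP/2). The TCP
		// destination is the same for every name, so this is the only routing key.
		h, ok := handlers[r.Host]
		if !ok {
			http.Error(w, "unknown host", http.StatusMisdirectedRequest) // 421, no default vhost
			return
		}
		h.ServeHTTP(w, r)
	})
}

// EchoOrigin is a constructed origin that reports which Host header reached it.
func EchoOrigin(name string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s saw Host=%s", name, r.Host)
	}))
}

// Probe sends GET / to the proxy with an explicit Host header; returns "status body".
func Probe(proxyURL, host string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, proxyURL+"/", nil)
	if err != nil {
		return "", err
	}
	req.Host = host // same destination address, different Host header
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return fmt.Sprintf("%d %s", resp.StatusCode, body), err
}

// Demo wires two origins behind one proxy and probes three host names.
func Demo(preserveHost bool) (map[string]string, error) {
	redmine, chat := EchoOrigin("redmine"), EchoOrigin("rocketchat")
	defer redmine.Close()
	defer chat.Close()
	routes := map[string]*url.URL{}
	for host, srv := range map[string]*httptest.Server{
		"redmine.example.test": redmine, // constructed names, not real DNS
		"chat.example.test":    chat,
	} {
		u, err := url.Parse(srv.URL)
		if err != nil {
			return nil, err
		}
		routes[host] = u
	}
	proxy := httptest.NewServer(NewFrontProxy(routes, preserveHost))
	defer proxy.Close()
	out := map[string]string{}
	for _, h := range []string{"redmine.example.test", "chat.example.test", "unknown.example.test"} {
		body, err := Probe(proxy.URL, h)
		if err != nil {
			return nil, err
		}
		out[h] = body
	}
	return out, nil
}

func main() {
	for _, keep := range []bool{true, false} {
		res, err := Demo(keep)
		if err != nil {
			panic(err)
		}
		fmt.Printf("preserveHost=%v\n", keep)
		for h, r := range res {
			fmt.Printf("  %-22s -> %s\n", h, r)
		}
	}
}
```

With preserveHost=true the redmine origin reports `Host=redmine.example.test`; with false it reports the proxy's view of the origin, `127.0.0.1:<port>`, which is exactly the symptom an origin that generates links from its Host header shows when the proxy drops it. A name with no route gets 421 rather than silently landing on the first server block, which is the safer choice for a front proxy.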
Oh_my_zsh
A shell people end up using

I never had strong preferences, so I used bash, but watching my seniors work their terminals is somehow cool. They pull up a query and re-run a past command in one go, open several panes with tmux and the like. Anyway, it looks cool. And it seems everyone is using something called zsh. So I'm going to write a few things about zsh.

How to install

    sudo apt install zsh
    chsh -s $(which zsh)
    sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"   (installs oh my zsh)

The last line feeds a script fetched over the network straight into sh; on a machine you care about, download the script first, read it, and then run it.

Look around and customise it to your liking.
Docker4nerdctl
Background

To use k8s you have to use containerd, and containerd's client is nerdctl. But when it comes to containers, docker is the standard, so the shell scripts published on GitHub and elsewhere use the docker command, and rewriting all of them is a pain. What do you do then? What if an alias doesn't do the job? A quick trick for that.

Quick trick

    sudo vim /usr/local/bin/docker

    #!/bin/bash
    # Redirect docker calls to nerdctl
    exec nerdctl "$@"

    sudo chmod +x /usr/local/bin/docker

With this, every docker command is redirected to nerdctl!! Wonderful.

It works because /usr/local/bin comes before /usr/bin both in the default PATH and in sudo's secure_path, so the wrapper wins even for scripts run with sudo. Two caveats: nerdctl implements a subset of docker's subcommands and flags, so scripts that use anything exotic still need a look; and containers started by the kubelet live in containerd's k8s.io namespace, so to see them you need nerdctl --namespace k8s.io (or CONTAINERD_NAMESPACE=k8s.io in the environment).
Master_of_athenz
Wanting to understand Athenz completely

As the title says, I want to understand Athenz. Honestly, at the level of personal projects you don't need to understand it at all, but in a large company, with many services running and calling each other's APIs, I think it becomes essential. However internal the network is, unless you restrict the use of a service to authenticated people and services, an attacker who gets into the internal network can do whatever they like. So I'm going to aim for a complete understanding of Athenz.

Plan
- introduce each component of Athenz
- explain the RBAC that Athenz uses
- install Athenz on my home cluster
- try various things with the installed Athenz (provider-to-tenant communication, playing a mock attacker, and so on)

What is Athenz, to begin with
It is "a platform for controlling access between applications". Access control means granting permissions on resources such as REST APIs. Access control is built from three elements: identification, authentication and authorization. Athenz's authorization side is built on something called RBAC.

What RBAC is
You group the subjects of access by their function, and when permissions are granted to such a group, the group is called a role. The important point is that permissions are granted to roles, not to people; people are then added to roles. Roles come in many shapes: a role that can do all of CRUD, or one that can only read. The set of permissions granted to a role is called a policy. This matters: you attach policies to roles.
The party that provides a resource is called the provider, the party that uses it the tenant, and Athenz sits in the middle. The identifying information is called an Athenz service; that is the slightly tricky part. The name "domain" also shows up.

Athenz access control flow
Suppose a tenant accesses a provider. The tenant has the central Athenz issue it a token (a role token). At that point the tenant presents an x509 certificate to prove its own identity. (First question here: who issues that x509 certificate?) The tenant then puts the issued token into an HTTP header and calls the provider. On the provider side an athenz-proxy runs in front of the API; it checks the request against the information it has fetched from the central Athenz and decides whether or not to proxy the request to the API.

Architecture and components

Athenz is a robust system for managing service-to-service authentication and fine-grained access control through its primary components: ZMS (Management Server), ZTS (Token Server), and its User Interface.

1. Management Server (ZMS)
The ZMS is the central authority for managing and provisioning domain-based roles, policies, and resource permissions. It acts as the control plane where administrators define access control rules and service configurations.
Key Features:
- Domain Management: Organizes services and resources into "domains" (like a namespace) with associated roles and policies.
- Role and Policy Definitions: Allows creation of roles (e.g., admin, reader) and policies specifying which roles can access specific resources.
- Audit Trails: Keeps a record of all configuration changes for security and compliance purposes.
- REST API: Provides APIs for managing domains, roles, and policies programmatically.
- Storage: Persistently stores configuration data in databases like MySQL.

2. Token Server (ZTS)
The ZTS is the runtime component responsible for generating and validating short-lived tokens and certificates that services use to authenticate with one another.
Key Features:
- Token Issuance: Issues Access Tokens (JWTs) and Role Tokens for authorization. Tokens are short-lived, improving security by reducing exposure to stolen credentials.
- Certificate Issuance: Provides short-lived X.509 certificates for mutual TLS authentication between services.
- Decentralized Authorization: Services can independently validate tokens or certificates using the ZTS public keys, reducing reliance on the ZTS during runtime.
- Dynamic Trust: Works seamlessly in dynamic environments like Kubernetes, issuing tokens based on pod identities.
- Integration: Compatible with OAuth 2.0 and OIDC for standardized authentication.

3. User Interface
Athenz includes a web-based UI that enables administrators and users to interact with the system without directly accessing APIs or configuration files.
Key Features:
- Role and Policy Management: Interfaces for creating and managing roles, policies, and resource permissions.
- Domain Browsing: Navigate through domains and view their configurations.
- Audit and Reporting: Visualize audit logs and track changes to roles, policies, and resource access.
- Ease of Use: Simplifies complex RBAC configurations into a graphical, interactive platform, making it easier to onboard new administrators.

Summary of components
Summary of Workflow:
- Setup Phase: Use the ZMS or UI to define domains, roles, and policies.
- Runtime Phase: Services request tokens or certificates from ZTS to authenticate with other services.
- Decentralized Validation: Tokens are validated locally by consuming services using ZTS-provided public keys.

Terminology for now
- Athenz service: the information that identifies the source of an access
- role: a group of Athenz services that share the same permissions; you add Athenz services to it
- Policy: a statement of what a Role is allowed to do
- Domain: the namespace that manages Athenz Services, Roles and Policies
- x509 certificate: proof that you are a given Athenz service

Token types

Setup
Tenant side:
First, an Athenz service has to be created to identify the source of the access. Then an x509 certificate has to be obtained (as I recall the flow is: generate a private key, send a CSR somewhere, and have the certificate handed back). Depending on the environment this may be automated. ...
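The RBAC objects above (domain, role, policy, Athenz service) and the proxy's decision in front of the provider's API, as an added example of mine rather than Athenz's own code. It models a domain with roles and policies, evaluates "may this principal perform this action on this resource" with Athenz's default-deny and deny-overrides semantics, and maps an HTTP request to that check the way an athenz-proxy would. The "sports" domain, its members, and the method-to-action / path-to-resource mapping are constructed for the demo; real Athenz resource naming for an API is up to the provider.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Naming follows Athenz: roles are "<domain>:role.<name>", resources are
// "<domain>:<resource>", principals (Athenz services) are "<domain>.<service>"
// or "user.<name>". Everything below is a simplified model, not the Athenz code.

type Effect int

const (
	Allow Effect = iota
	Deny
)

// Assertion is one line of a policy: <effect> <action> to <role> on <resource>.
// Action and Resource may contain '*' (any run of characters) and '?' (one character).
type Assertion struct {
	Role, Action, Resource string
	Effect                 Effect
}

type Policy struct {
	Name       string
	Assertions []Assertion
}

type Role struct {
	Name    string
	Members []string
}

// Domain is the namespace that owns the roles and policies.
type Domain struct {
	Name     string
	Roles    []Role
	Policies []Policy
}

// matchGlob matches value against an Athenz-style pattern, anchored at both ends.
func matchGlob(pattern, value string) bool {
	re := "^" + strings.NewReplacer(`\*`, ".*", `\?`, ".").Replace(regexp.QuoteMeta(pattern)) + "$"
	ok, err := regexp.MatchString(re, value)
	return err == nil && ok
}

// rolesOf returns the names of the roles in d that list principal as a member.
func (d *Domain) rolesOf(principal string) map[string]bool {
	held := map[string]bool{}
	for _, r := range d.Roles {
		for _, m := range r.Members {
			if m == principal {
				held[r.Name] = true
			}
		}
	}
	return held
}

// Authorize answers "may principal perform action on resource?".
// Default deny; a matching ALLOW grants; any matching DENY overrides the grants.
func (d *Domain) Authorize(principal, action, resource string) bool {
	if !strings.HasPrefix(resource, d.Name+":") {
		return false // another domain's resource: this domain's policies cannot grant it
	}
	held := d.rolesOf(principal)
	allowed := false
	for _, p := range d.Policies {
		for _, a := range p.Assertions {
			if !held[a.Role] || !matchGlob(a.Action, action) || !matchGlob(a.Resource, resource) {
				continue
			}
			if a.Effect == Deny {
				return false
			}
			allowed = true
		}
	}
	return allowed
}

// Gate plays the proxy in front of a provider API: it maps the request to
// (action, resource) and asks the domain. The mapping (lower-cased method,
// "<domain>:api.<path with / as .>") is an assumption of this example.
func Gate(d *Domain, principal, method, urlPath string) int {
	action := strings.ToLower(method)
	resource := d.Name + ":api" + strings.ReplaceAll(strings.TrimSuffix(urlPath, "/"), "/", ".")
	if d.Authorize(principal, action, resource) {
		return 200
	}
	return 403
}

// SportsDomain is a constructed sample: readers may GET anything under the API,
// writers may do anything, except that nobody may delete audit records.
func SportsDomain() *Domain {
	return &Domain{
		Name: "sports",
		Roles: []Role{
			{Name: "sports:role.readers", Members: []string{"user.alice", "weather.api"}},
			{Name: "sports:role.writers", Members: []string{"sports.admin"}},
		},
		Policies: []Policy{
			{Name: "sports:policy.readers", Assertions: []Assertion{
				{Role: "sports:role.readers", Action: "get", Resource: "sports:api.*", Effect: Allow},
			}},
			{Name: "sports:policy.writers", Assertions: []Assertion{
				{Role: "sports:role.writers", Action: "*", Resource: "sports:api.*", Effect: Allow},
				{Role: "sports:role.writers", Action: "delete", Resource: "sports:api.audit.*", Effect: Deny},
			}},
		},
	}
}

func main() {
	d := SportsDomain()
	for _, c := range []struct{ who, method, path string }{
		{"user.alice", "GET", "/scores"},
		{"user.alice", "POST", "/scores"},
		{"sports.admin", "DELETE", "/scores"},
		{"sports.admin", "DELETE", "/audit/log"},
		{"mallory.svc", "GET", "/scores"},
	} {
		fmt.Printf("%-13s %-7s %-11s -> %d\n", c.who, c.method, c.path, Gate(d, c.who, c.method, c.path))
	}
}
```

The principal passed to Gate is what the proxy would extract from the role token or the client certificate after validating it; the point of the example is the evaluation order (collect the caller's roles, match assertions, let DENY win) and the fact that a domain can only grant its own resources, so a token from another domain buys nothing here.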
Nginx2vector2kafka2opensearch
Monitoring nginx metrics and logs

Metrics data flows like this:

    nginx -> vector -> kafka -> opensearch/influxDB

That is, the raw logs nginx emits are picked up by vector and sent to kafka, and opensearch and influxDB each pull from kafka what they need. Since I want /var/log/nginx/access.log, where nginx writes its logs, and vector in the same namespace, those two get installed on the physical machine.

Environment
The following three machines are used:

    delta (100.64.1.48, 192.168.3.1) : router for 192.168.3.1/24, kafka, kafka-ui, opensearch
    master (192.168.3.8)             : proxy server (nginx), vector
    gamma/zeta/...                   : origins

docker compose for kafka

    services:
      kafka-broker:
        image: apache/kafka:3.7.0
        container_name: kafka-broker
        ports:
          - "${KAFKA_BROKER_LOCAL_PORT}:9092"
        environment:
          KAFKA_NODE_ID: 1
          KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: "CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT"
          KAFKA_ADVERTISED_LISTENERS: "PLAINTEXT_HOST://localhost:${KAFKA_BROKER_LOCAL_PORT},PLAINTEXT://kafka-broker:${KAFKA_BROKER_PUBLIC_PORT}"
          KAFKA_PROCESS_ROLES: "broker,controller"
          KAFKA_CONTROLLER_QUORUM_VOTERS: "1@kafka-broker:${KAFKA_BROKER_CONTROLLER_PORT}"
          KAFKA_LISTENERS: "CONTROLLER://:${KAFKA_BROKER_CONTROLLER_PORT},PLAINTEXT_HOST://:${KAFKA_BROKER_LOCAL_PORT},PLAINTEXT://:${KAFKA_BROKER_PUBLIC_PORT}"
          KAFKA_INTER_BROKER_LISTENER_NAME: "PLAINTEXT"
          KAFKA_CONTROLLER_LISTENER_NAMES: "CONTROLLER"
          KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
          KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
          KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
          KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 1
          KAFKA_LOG_DIRS: "/tmp/kraft-combined-logs"
      kafka-ui:
        container_name: kafka-ui
        image: provectuslabs/kafka-ui:v0.7.2
        ports:
          - "${KAFKA_UI_PORT}:8080"
        depends_on:
          - kafka-broker
        restart: always
        environment:
          KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: kafka-broker:${KAFKA_BROKER_PUBLIC_PORT}
      init-kafka:
        # we want the kafka-topics command, so use the confluentinc container
        image: confluentinc/cp-kafka:7.6.1
        container_name: init-kafka
        depends_on:
          - kafka-broker
        entrypoint: ["/bin/sh", "-c"]
        command: |
          "
          # blocks until kafka is reachable
          kafka-topics --bootstrap-server kafka-broker:${KAFKA_BROKER_PUBLIC_PORT} --list

          echo -e 'Creating topics'
          kafka-topics --bootstrap-server kafka-broker:${KAFKA_BROKER_PUBLIC_PORT} --create --if-not-exists --topic nginx-log --replication-factor 1 --partitions 1

          echo -e 'Successfully created :'
          kafka-topics --bootstrap-server kafka-broker:${KAFKA_BROKER_PUBLIC_PORT} --list
          "

Two things to check in this file. The ports entry maps the host port to container port 9092, but the PLAINTEXT_HOST listener binds ${KAFKA_BROKER_LOCAL_PORT} inside the container, so the mapping only lines up when KAFKA_BROKER_LOCAL_PORT is 9092. And every listener is PLAINTEXT with no SASL and no TLS, while the broker is published on a host that also routes the LAN; anything that can reach that port can produce to and consume from nginx-log, so keep the port off the router's other interfaces or put authentication on the listener before the topic carries anything beyond lab traffic.

Config for opensearch

    version: '3'
    services:
      opensearch-node1: # This is also the hostname of the container within the Docker network (i.e. https://opensearch-node1/)
        image: opensearchproject/opensearch:latest # Specifying the latest available image - modify if you want a specific version
        container_name: opensearch-node1
        environment:
          - cluster.name=opensearch-cluster # Name the cluster
          - node.name=opensearch-node1 # Name the node that will run in this container
          - discovery.seed_hosts=opensearch-node1,opensearch-node2 # Nodes to look for when discovering the cluster
          - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2 # Nodes eligible to serve as cluster manager
          - bootstrap.memory_lock=true # Disable JVM heap memory swapping
          - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # Set min and max JVM heap sizes to at least 50% of system RAM
          - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD} # Sets the demo admin user password when using demo configuration, required for OpenSearch 2.12 and later
        ulimits:
          memlock:
            soft: -1 # Set memlock to unlimited (no soft or hard limit)
            hard: -1
          nofile:
            soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536
            hard: 65536
        volumes:
          - opensearch-data1:/usr/share/opensearch/data # Creates volume called opensearch-data1 and mounts it to the container
        ports:
          - 9200:9200 # REST API
          - 9600:9600 # Performance Analyzer
        networks:
          - opensearch-net # All of the containers will join the same Docker bridge network
      opensearch-node2:
        image: opensearchproject/opensearch:latest # This should be the same image used for opensearch-node1 to avoid issues
        container_name: opensearch-node2
        environment:
          - cluster.name=opensearch-cluster
          - node.name=opensearch-node2
          - discovery.seed_hosts=opensearch-node1,opensearch-node2
          - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2
          - bootstrap.memory_lock=true
          - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
          - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
        ulimits:
          memlock:
            soft: -1
            hard: -1
          nofile:
            soft: 65536
            hard: 65536
        volumes:
          - opensearch-data2:/usr/share/opensearch/data
        networks:
          - opensearch-net
      opensearch-dashboards:
        image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes
        container_name: opensearch-dashboards
        ports:
          - 5601:5601 # Map host port 5601 to container port 5601
        expose:
          - "5601" # Expose port 5601 for web access to OpenSearch Dashboards
        environment:
          OPENSEARCH_HOSTS: '["https://opensearch-node1:9200","https://opensearch-node2:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
        networks:
          - opensearch-net

    volumes:
      opensearch-data1:
      opensearch-data2:

    networks:
      opensearch-net:

This is the demo security configuration (self-signed certificates, admin password from OPENSEARCH_INITIAL_ADMIN_PASSWORD), which is fine for a home lab but not something to leave reachable beyond it.

Config for nginx
Nothing special here ...
Comments_on_real_world_http
I'll jot down, roughly, the things written in Real World HTTP.

Development environment
Before that, a note of the LAN IP addresses:

    100.64.1.27 : alpha
    100.64.1.61 : evn
    100.64.1.48 : delta (the gateway to the K8S cluster)

The role of delta
I wrote an article earlier about building a DHCP server and router; it's this one. So delta is the DHCP server and router in one.
2024 November TODO
Task list as of 2024/11/1

Development
Stand up an echo-server on my home K8S, stand up several proxies, put a VIP in front of them, and make it possible to load-test with vegeta. Then make it possible to collect all sorts of metrics. How to go about it? Well, I know the path is a big detour, but first, finish reading real-world-http. It's pretty long, so I'll take notes as I go. The end goal is a setup of two proxies and one echo-server that I can put load on with vegeta. This looks like a good reference. Also, I bought a "learn k8s by breaking it" kind of book, so I'll read that and deploy an echo-server written in Go to a Raspberry Pi. The question is when to have it done by.
Solve past ISUCON problems. I'm entering this year's ISUCON together with Shiraki-san and one more person; I don't want to hold them back, so I'll work hard. --> Registration for ISUCON14 has opened. Let's do our best.
Introduce accounting software. This looks good: https://ledger-cli.org/
Push forward with founding the LLC.
I and shiraki-san decided to develop GSLB using go lang. It is going to be funny
Learn DNS (this one is going really well) --> Done
Learn how to write a packet parser using Go on the TCP layer. It is also going to be funny.
Time to run the horse-racing system too. I'll ask for manifest files to be written so it can run on my home k8s.
Build a distributed file system in Go? I might manage it by following this YouTube video. This book, which includes building distributed systems in Go, might also do. Either is fine. With the latter, the distributed system gets deployed onto k8s, which feels like it fits well with the item above.

Other
Get up early every morning. Going to bed at 23:00 and getting up at 06:30 would be ideal.
Get a contract gig of some kind and sell it, soon.
Start a YouTube channel and start living on expenses, soon!

Long term
Get the bookkeeping level 2 certificate!
Decide where to buy land!! And save money!! Seriously: everything except about 80k for living costs and 50k for the savings account goes over there. That means the money usable for the monthly credit card bill is 170k. Insurance takes 100k of that, so only 70k is left?!