Tuesday, 5 May 2020

Block RFC1918 ranges on the external interface

First, find the external interface. Run ip route get 8.8.8.8; the output is a single row with several columns, and the 5th value of that row is your external interface. You can also extract the interface name with awk, as shown below. We export the interface name to make the process easier. The commands below block the RFC1918 subnets on the external interface so that traffic to them does not go out. You can also replace the $INET_IFACE variable with a hard-coded name such as eth0. I found my external interface with this command: ip route get 8.8.8.8 | awk -- '{printf $5}'

export INET_IFACE=$(ip route get 8.8.8.8 | awk -- '{printf $5}')
iptables -A FORWARD -o $INET_IFACE -d 10.0.0.0/8 -j REJECT 
iptables -A FORWARD -o $INET_IFACE -d 172.16.0.0/12 -j REJECT 
iptables -A FORWARD -o $INET_IFACE -d 192.168.0.0/16 -j REJECT
iptables -A FORWARD -o $INET_IFACE -d 100.64.0.0/10 -j REJECT
iptables -A FORWARD -o $INET_IFACE -d 169.254.0.0/16 -j REJECT

Hard-coded way:

iptables -A FORWARD -o eth0 -d 10.0.0.0/8 -j REJECT 
iptables -A FORWARD -o eth0 -d 172.16.0.0/12 -j REJECT 
iptables -A FORWARD -o eth0 -d 192.168.0.0/16 -j REJECT
iptables -A FORWARD -o eth0 -d 100.64.0.0/10 -j REJECT
iptables -A FORWARD -o eth0 -d 169.254.0.0/16 -j REJECT
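
The 5th-column lookup above holds when the route goes through a gateway; on a directly connected (on-link) route the 5th column is the source address instead. As an added example (not code from the original post), this script takes the token after dev and prints rule commands that only append a rule if iptables -C does not already find it. The function names and the sample route lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed `ip route get 8.8.8.8` outputs (sample data, not captured from a real host).
ROUTE_VIA_GW='8.8.8.8 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 1000'
ROUTE_ONLINK='8.8.8.8 dev ppp0 src 198.51.100.7 uid 1000'

# Ranges the post blocks: RFC 1918 plus 100.64.0.0/10 (RFC 6598) and 169.254.0.0/16 (RFC 3927).
BLOCKED_NETS='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10 169.254.0.0/16'

# Read `ip route get` output on stdin and print the token that follows "dev".
# Exits non-zero when no interface is present (for example "unreachable").
egress_iface() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); found = 1; exit } }
         END { exit !found }'
}

# Print one command per blocked range for the given interface.
# Each command appends the REJECT rule only when `iptables -C` reports it missing,
# so running the output twice does not duplicate rules.
emit_rules() {
    iface=$1
    # Refuse empty or odd names instead of emitting a rule with a blank -o argument.
    case $iface in
        ''|*[!A-Za-z0-9_.:@-]*) echo "invalid interface name: '$iface'" >&2; return 1 ;;
    esac
    for net in $BLOCKED_NETS; do
        rule="FORWARD -o $iface -d $net -j REJECT"
        echo "iptables -C $rule 2>/dev/null || iptables -A $rule"
    done
}

# Demo on the constructed gateway route: prints the five commands, runs none of them.
emit_rules "$(printf '%s\n' "$ROUTE_VIA_GW" | egress_iface)"
```

On a live host, feed it real output with ip route get 8.8.8.8 | egress_iface and review the printed commands before running them as root.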

Monday, 27 January 2020

Trust a self-signed certificate on Linux Mint


Example certificate content for root and intermediate certificate:


sudo mkdir /usr/local/share/ca-certificates/extra
sudo cp root.cert.pem /usr/local/share/ca-certificates/extra/root.cert.crt
sudo update-ca-certificates

Important tip: You have to select the certificate at the top of the list that opens after the "sudo update-ca-certificates" command.

Tuesday, 22 January 2019

Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Hi, you have to unmask the docker service with the commands given below if you get an error like this during etcd snapshot-save: "Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?"
rke --debug etcd snapshot-save

Unmask commands:
systemctl unmask docker.service
systemctl unmask docker.socket
systemctl start docker.service

Friday, 2 November 2018

Friday, 26 October 2018

Solving the Rancher 2.x failure to set the default StorageClass in the GUI

Hi everyone,
If you are using Rancher 2.x for Kubernetes with nfs-provisioner for the storage class, and you cannot set nfs as your default storage class, you have to set it via kubectl.

You can do this by running this command on your main system.
kubectl patch storageclass nfs -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'

If you get an error like cannot connect host:8080, you must run kubectl with the --kubeconfig parameter pointing to your kube_config_cluster.yml.

Example usage:
kubectl patch storageclass nfs -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' --kubeconfig ~/kube_config_cluster.yml

You can also set kube_config_cluster.yml as the KUBECONFIG environment variable with
export KUBECONFIG=/path/to/kube_config_cluster.yml
or add it to the /etc/environment file for persistent use.

Thursday, 25 October 2018

Failed to list *v1alpha1.Certificate: the server could not find the requested resource (get certificates.certmanager.k8s.io)

Hi everyone, if you get an error like "Failed to list *v1alpha1.Certificate: the server could not find the requested resource (get certificates.certmanager.k8s.io)" in the log of the cert-manager pod in kube-system, you just have to install the cert-manager catalog app into the kube-system namespace in the System project.

Wednesday, 24 October 2018

Kubernetes in-container DNS resolution problems with the flannel vxlan backend

You can change the network backend type from vxlan to host-gw if you are using an OVH or Kimsufi server, you are not sure whether the server supports vxlan, and outgoing connections from Docker containers fail because of name resolution. I am using Rancher and Kubernetes, and I changed net-conf.json in the canal-config ConfigMap.

Change

net-conf.json

{
  "Network": "10.42.0.0/16",
  "Backend": {
    "Type": "vxlan"
  }
}

to

net-conf.json

{
  "Network": "10.42.0.0/16",
  "Backend": {
    "Type": "host-gw"
  }
}


Monday, 10 September 2018

Program.cs(15, 28): [CS0017] Program has more than one entry point defined. Compile with /main to specify the type that contains the entry point.

Hi,
If you get this error after adding the Microsoft.NET.Test.Sdk NuGet package to the project references, you can just add the
<GenerateProgramFile>false</GenerateProgramFile>
property to the Project PropertyGroup in your .csproj file. This prevents the multiple Main function conflict error.

Friday, 7 September 2018

Saturday, 1 September 2018

Error connecting to registry.npmjs.org via npm update


Hi guys, if you get an error like the one below on npm update, you can set npm's strict-ssl option to false, which turns off TLS certificate validation for npm's registry requests, by typing this in a terminal:

npm config set strict-ssl false

Hostname/IP does not match certificate's altnames: Host: registry.npmjs.org. is not in the cert's altnames: DNS:a.sni.fastly.net, DNS:a.sni.global-ssl.fastly.net

If the problem is not solved, you can try setting DNS to 8.8.8.8 in your /etc/resolv.conf on Linux.

Thursday, 26 July 2018

Resolving Kubernetes Pod has unbound PersistentVolumeClaims Error

Hi guys, I found a problem with a volume configuration error during Kubernetes container initialization. I tried a lot of ways to solve this problem, such as creating a Longhorn provisioner and local path and node, but these ways didn't resolve the problem on initialization. I used the nfs-server-provisioner catalog app for Helm and I saw a new storage class named nfs. I removed my other storage classes to force new apps to use this storage class. This worked like a charm! Now I can install all of the catalog apps without any persistence or volume-based problem.