I recently ran into a problem. Our kube-apiserver is configured with OIDC authentication and the OIDC issuer is registered in the DNS server's records, but for some reason I need to override the DNS resolution and use the hostAlias IP address instead. However, actual testing found that it always used DNS resolution, even though the /etc/hosts file had been populated with custom host records. Domain names that are not registered with the DNS server can still be resolved through /etc/hosts.
Kubernetes has supported local volumes since version 1.10. Workloads (not only StatefulSets) can take advantage of fast local SSDs to get better performance than remote volumes (e.g. CephFS, RBD). Before the advent of local volumes, StatefulSets could also take advantage of local SSDs by configuring hostPath and binding to specific nodes via nodeSelector or nodeAffinity. However, the problem with hostPath is that administrators need to manually manage the directory on each node of the cluster, which is less convenient.
What is PodSecurityPolicy? PodSecurityPolicy is a cluster-wide resource used to control the security-related configuration of Pods. On a Kubernetes cluster with RBAC enabled, if users are allowed to use kubectl, then PodSecurityPolicy must be enabled; otherwise users may use privileged settings (e.g. privileged, hostNetwork, hostPath, etc.) and affect the stability of the node machine. With PSP turned on, users can only use what the administrator has allowed. PSP supports the following (see the official website for details).
Archiving, compressing, and decompressing files is a frequently used function, and we can do this with tools like tar and gzip. In Go, the standard library packages archive and compress provide these capabilities, and with this example you will see that it is very easy to generate and handle compressed archives in a Go programming style. Archiving and Compression: before we start the code, we need to clarify the concepts of archiving and compression.
There are still many pitfalls when buying a computer hard drive; this post collects some material I have read before, combined with my own buying experience. There are two main options for picking a storage device: SSD (solid state drive) and HDD (mechanical hard drive), and for people who don't know much about them, the difference between the two may seem to be only that SSDs are more expensive and have higher performance.
1. Relationship between AOP and IOC. AOP (Aspect Oriented Programming) is a programming design idea that aims to reduce the coupling between pieces of business logic by intercepting cross-cutting points in the business flow and implementing specific capabilities as modules. This idea has been practiced in many well-known projects, for example Spring's PointCut, gRPC's Interceptor, and Dubbo's Filter. AOP is just a concept that has been applied in different scenarios, resulting in different implementations. Let's start by discussing the more specific RPC scenario, using gRPC as an example.
GitOps was first introduced by Weaveworks, a Kubernetes management company, in 2017. Now that five years have passed, I'm sure you've heard of the concept, but you may not know what it is or what it has to do with DevOps. In this article, we'll help you figure it out step by step. Infrastructure as Code: before we can understand GitOps, we need to understand what Infrastructure as Code is.
Since v1.11, Kubernetes has enabled the volume resize feature and the PersistentVolumeClaimResize admission controller by default, so that if the storage volume a user created is not large enough, it can be expanded without losing the existing data. The storage volumes that currently support resizing are AWS-EBS, GCE-PD, Azure Disk, Azure File, Glusterfs, Cinder, Portworx, and Ceph RBD. Block-based volumes such as GCE-PD, AWS-EBS, Azure Disk, Cinder, and Ceph RBD additionally require a file system expansion.
Introduction: as a provider of a Kubernetes platform, it is important to put some restrictions on certain "rogue" applications to prevent them from abusing the platform's CPU, memory, disk, network, and other resources. For example, Kubernetes provides limits on CPU and memory to prevent applications from using system resources without bound; Kubernetes also provides PVCs, such as CephFS and RBD, which support capacity limits. However, earlier versions of Kubernetes did not limit the capacity of a container's rootfs.
Background: recently, I was configuring the network for a server room and came across a requirement to use a ConnectX-4 as an Ethernet card. It supports both InfiniBand and Ethernet, but the default is InfiniBand mode, so I needed to use the mlxconfig tool to make the switch. How to switch: the Using mlxconfig documentation describes how to switch the NIC to InfiniBand mode.
$ mlxconfig -d /dev/mst/mt4103_pci_cr0 set LINK_TYPE_P1=1 LINK_TYPE_P2=1

Device #1:
----------
Device type:    ConnectX3Pro
PCI device:     /dev/mst/mt4103_pci_cr0

Configurations:                 Next Boot       New
     LINK_TYPE_P1               ETH(2)          IB(1)
     LINK_TYPE_P2               ETH(2)          IB(1)

 Apply new Configuration?
Background: recently, while doing maintenance, I discovered that network devices (such as switches) have a feature to send logs remotely, i.e. they can send logs to a specified server via the syslog UDP protocol. To collect them, you can run rsyslog on the server. rsyslog configuration: the default rsyslog configuration only collects local system logs, so we need to write an rsyslog configuration for collecting remote logs.
This article describes how to configure simple A/B testing in Nginx. Background and prerequisites: sometimes we need to do simple A/B tests that don't require complex conditions, so we can use Nginx's ngx_http_split_clients_module module. Installing the ngx_http_split_clients_module module: generally this module is already bundled with Nginx; if not, we recommend installing our packaged N.WTF. Configuring Nginx: for example, we want 20% of our users to be forwarded to the URL https://example.
Cond in Go's sync package implements a condition variable that can be used in scenarios where multiple readers are waiting for a shared resource to become ready (if there is only one reader and one writer, a lock or a channel takes care of it). The typical use of Cond: multiple goroutines wait, and one goroutine signals that the event has occurred. Each Cond is associated with a Lock (*sync.Mutex or *sync.RWMutex), which must be held when modifying the condition or calling the Wait method, to protect the condition.
Redundant DNS lookups: some applications need to resolve external DNS domains; when they run in a container, if we capture DNS packets (UDP port 53) in the container's network namespace, we may find that several redundant attempts are made before the name resolves correctly. Here are the packets I captured while pinging google.com in the container's network namespace.
sudo nsenter -t 3885 -n tcpdump -i eth0 udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:09:11.
Pod priority and preemption: Pod priority and preemption was introduced in Kubernetes v1.8, entered beta in v1.11, and reached GA in v1.14, so it is already a mature feature. As the name suggests, the Pod priority and preemption feature divides applications into different priorities and allocates resources to high-priority applications first, thus improving resource availability while guaranteeing the quality of service of high-priority applications. Let's briefly try out the Pod priority and preemption feature.
Why Use Go Mobile? Go has better ecosystem support and a smaller binary size than Kotlin Native. Although the Go Mobile maintainers seem to have gone missing, we have support for Apple Silicon and Catalyst through a third-party fork. Here is an SDK with the same NASA API as in Developing Cross-Platform Library with Kotlin Native, to see how it works.
The cross-platform principle of Kotlin Native: Kotlin Native's cross-platform support is pretty much all-inclusive: JVM, JS, Android / Android NDK, Apple, Linux, Windows, WebAssembly. In short, although Kotlin can run on the JVM and call Java code, Kotlin is not Java, and with the help of LLVM, pure Kotlin code can be compiled into platform-native code to achieve VM-less cross-platform support. It can be
When I was developing my own project, I needed to use MySQL for unit testing, so I started a MySQL container locally using Docker, following the approach of go-txdb. When I ran the test, the following error occurred.
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2059 (HY000): Authentication plugin 'caching_sha2_password' cannot be loaded: dlopen(/usr/local/mysql/lib/plugin/caching_sha2_password.so, 2): image not found
Cause analysis. Conclusion: the local client version is too old and does not support the server-side authentication method.
When we want to start a series of interdependent services at the same time, it is particularly tedious to start them one by one in strict order. This is where we can use Docker Compose to perform this series of operations. Compose: Compose is a tool for defining and running multi-container Docker applications. With Compose you use a YAML file to configure all the services your application needs, and then create and start all of them from that configuration with a single command.