1 post(s) for April 2026
| Notes ping ICMP | 2026/04/03 23:01 | Jean-Baptiste |
Kubernetes k8s notes - Diag
See:
sudo journalctl -f -u kubelet.service
sudo journalctl -u containerd
kubectl cluster-info
kubectl get componentstatus
kubectl get ds -n kube-system
kubectl get deploy -n kube-system
kubectl get nodes
kubectl get pods --field-selector status.phase!=Running -A
kubectl events --types=Warning -A -w
kubectl get events --all-namespaces --sort-by='.metadata.creationTimestamp'
Other
- Use kubectl describe pod … to find the node running your Pod and the container ID (docker:…)
- SSH into the node
- Run docker exec -it -u root CONTAINER_ID /bin/bash
If Metrics-server is installed
kubectl top node
kubectl top pod --sort-by=memory -A
- 'systemctl status kubelet'
- 'journalctl -xeu kubelet'
Additionally, a control plane component may have crashed or exited when started by the container runtime.
To troubleshoot, list all containers using your preferred container runtimes CLI.
Here is one example how you may list all running Kubernetes containers by using crictl:
- 'crictl --runtime-endpoint unix:///var/run/containerd/containerd.sock ps -a | grep kube | grep -v pause'
Once you have found the failing container, you can inspect its logs with:
- 'crictl --runtime-endpoint unix:///var/run/containerd/containerd.sock logs CONTAINERID'
error execution phase wait-control-plane: could not initialize a Kubernetes cluster
To see the stack trace of this error execute with --v=5 or higher
Ulimits / Process ID limits and reservations
watch 'ps -e -w -o "thcount,cgname" --no-headers | awk "{a[\$2] += \$1} END{for (i in a) print a[i], i}" | sort --numeric-sort --reverse | head --lines=8'
Linux kernel notes
See:
Check running kernel version on the machine
inxi -zv8 | grep Kernel
uname -r
See:
Bash best practices
Write unit tests with bats
Pitfalls
rm -rf $var1/$var2
If $var1 and $var2 are empty, we get a nice
Solution: nounset
#! /bin/bash
set -o nounset
and, when necessary, use
[ -z "${foo:-}" ]
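What nounset does and does not catch in the `rm -rf $var1/$var2` pitfall above, as an added example that is not from the original notes. The commands are only echoed, never executed; the `${var1:?}` variant and the helper names `run_case` and `show` are additions of this example.

```bash
#!/usr/bin/env bash
# Added example: show what `rm -rf $var1/$var2` would expand to, without running rm.
# Every case runs in a child bash, so an abort there does not end this script.

# $1 = "unset" (var1/var2 absent) or "empty" (both set to ""), $2 = snippet to run.
run_case() {
    if [ "$1" = unset ]; then
        env -u var1 -u var2 bash -c "$2" 2>/dev/null
    else
        var1='' var2='' bash -c "$2" 2>/dev/null
    fi
}

# The three variants only echo the command line instead of executing it.
plain='echo "rm -rf $var1/$var2"'
nounset='set -o nounset; echo "rm -rf $var1/$var2"'
# ${var:?} is standard parameter expansion: abort when unset OR empty.
guarded='set -o nounset; echo "rm -rf ${var1:?}/${var2:?}"'
# The page's test for an optional variable stays usable under nounset.
optional='set -o nounset; [ -z "${foo:-}" ] && echo "foo is unset or empty"'

show() {   # $1 = state, $2 = label, $3 = snippet
    out=$(run_case "$1" "$3") && rc=0 || rc=$?
    printf '%-6s %-8s exit=%s would run: %s\n' "$1" "$2" "$rc" "${out:-(nothing)}"
}

for state in unset empty; do
    show "$state" plain   "$plain"
    show "$state" nounset "$nounset"
    show "$state" guarded "$guarded"
done
env -u foo bash -c "$optional"
```

nounset stops the script only when the variables are unset; variables that are set but empty still expand to `/`, which is the case the `${var:?}` form covers.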
Don’t use:
cd "${foo}"
[...]
cd ..
but
(
  cd "${foo}"
  [...]
)
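Why the subshell form is safer, as an added example that is not from the original notes: it runs both patterns in a child bash and reports whether the caller's working directory survived. The temporary directory layout and the function name `final_dir` are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: where does the caller end up after each pattern?
# Constructed layout: <tmp>/start is the starting directory; "$foo" is either
# <tmp>/start/sub (exists) or <tmp>/start/missing (cd fails).

# $1 = "cd-back" or "subshell", $2 = "sub" or "missing".
# Prints "start" if the working directory is unchanged afterwards, else "drifted".
final_dir() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/start/sub"
    if [ "$1" = cd-back ]; then
        script='cd "$foo" 2>/dev/null; : work happens here; cd ..; pwd'
    else
        script='( cd "$foo" 2>/dev/null; : work happens here ); pwd'
    fi
    # The command substitution is itself a subshell, so this cd stays local.
    result=$(cd "$tmp/start" && foo="$tmp/start/$2" bash -c "$script")
    rm -rf "${tmp:?}"
    case "$result" in
        */start) echo start ;;
        *)       echo drifted ;;
    esac
}

for pattern in cd-back subshell; do
    for target in sub missing; do
        printf '%-8s target=%-7s -> %s\n' "$pattern" "$target" \
            "$(final_dir "$pattern" "$target")"
    done
done
```

In both patterns the work still runs in the wrong directory when the cd fails; writing `cd "${foo}" && ...` or enabling errexit addresses that part.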
Fork bombs
Named pipes
Source: https://blog.g3rt.nl/retain-exit-status-code-through-pipe.html
How to retain exit status codes through pipes in Bash scripts
Suppose you have a line
mysqldump | pigz
in your script. Then the exit status code will be of gzip, rather than mysqldump, while the most likely process to fail here is mysqldump.
To fix this, add this at the top of your bash scripts:
set -o pipefail
Stop the script at the first error
See http://redsymbol.net/articles/unofficial-bash-strict-mode/
set -euo pipefail
#!/bin/bash
set -euo pipefail
IFS=$'\n\t'
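The effect of `set -o pipefail` and of the strict-mode line on the `mysqldump | pigz` case, as an added example that is not from the original notes or the cited articles. The failing producer and `cat` are constructed stand-ins for mysqldump and the compressor, and `run_backup` is a name chosen for this example.

```bash
#!/usr/bin/env bash
# Added example: one backup script, run under three option sets in a child bash.
# Constructed stand-ins: `sh -c "...; exit 2"` plays a failing mysqldump,
# `cat` plays the compressor that always succeeds.
backup_script='
sh -c "echo partial-dump; exit 2" | cat >/dev/null
rc=$?
echo "pipeline status: $rc"
[ "$rc" -eq 0 ] && echo "backup reported OK"
exit "$rc"
'

# $1 = option line to run first ("" keeps bash defaults).
# Prints the script output; the return status is the child shell's exit status.
run_backup() {
    bash -c "${1:-:}
$backup_script"
}

for opts in '' 'set -o pipefail' 'set -euo pipefail'; do
    out=$(run_backup "$opts") && rc=0 || rc=$?
    printf '%-18s exit=%s output=[%s]\n' "${opts:-(defaults)}" "$rc" \
        "$(printf '%s' "$out" | tr '\n' ';')"
done
```

With defaults the truncated dump is reported as a success; with pipefail the status is visible but the script keeps running; with the strict-mode line the script stops at the failing pipeline.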
if $? SC2181
Source: https://www.shellcheck.net/wiki/SC2181
Problematic code
make mytarget
if [ $? -ne 0 ]
then
  echo "Build failed"
fi
Correct code
if ! make mytarget; then
  echo "Build failed"
fi
Test
Naming conventions
Environment variables or shell variables introduced by the operating system, shell startup scripts, or the shell itself, etc., are usually all in CAPITALS.
To prevent your variables from conflicting with these variables, it is a good practice to use lower_case variable names.
Other
Prefer install -d over mkdir
#mkdir /tmp/plop
install -d /tmp/plop
Prefer unlink over rm to remove a symbolic link
Kerberos notes
Alternatives:
- WebAuthn
Introductions
See
KDC: Key Distribution Center
AS: Authentication Service
TGT: Ticket-Granting Ticket
TGS: Ticket-Granting Service
Principal:
User account
But also, more broadly, an account that identifies a service on a server. With SSO, you prove your identity to Kerberos only once, and it passes your TGT to the other services or machines as proof of your identity.
NTP must be working.
Web SSO
apt-get source nginx-light
sudo apt-get build-dep nginx-light
sudo apt-get install krb5-multidev libkrb5-dev
tar xf nginx_1.9.4.orig.tar.gz
cd nginx-1.9.4
git clone https://github.com/stnoonan/spnego-http-auth-nginx-module
#./configure --add-module=spnego-http-auth-nginx-module --with-http_ssl_module
./configure --add-module=spnego-http-auth-nginx-module \
  --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' \
  --with-ld-opt='-fPIE -pie -Wl,-z,relro -Wl,-z,now' \
  --prefix=/usr/share/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --http-log-path=/var/log/nginx/access.log \
  --error-log-path=/var/log/nginx/error.log \
  --lock-path=/var/lock/nginx.lock \
  --pid-path=/run/nginx.pid \
  --http-client-body-temp-path=/var/lib/nginx/body \
  --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
  --http-proxy-temp-path=/var/lib/nginx/proxy \
  --http-scgi-temp-path=/var/lib/nginx/scgi \
  --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
  --with-debug \
  --with-pcre-jit \
  --with-ipv6 \
  --with-http_ssl_module \
  --with-http_stub_status_module \
  --with-http_realip_module \
  --with-http_auth_request_module \
  --with-http_gzip_static_module \
  --without-http_browser_module \
  --without-http_geo_module \
  --without-http_limit_req_module \
  --without-http_limit_conn_module \
  --without-http_memcached_module \
  --without-http_referer_module \
  --without-http_scgi_module \
  --without-http_split_clients_module \
  --without-http_ssi_module \
  --without-http_userid_module \
  --without-http_uwsgi_module \
  --add-module=../debian/modules/nginx-echo
make -j $(nproc)
sudo make install
#ln -s /usr/local/nginx/sbin/nginx /usr/sbin/
ln -s /usr/share/nginx/sbin/nginx /usr/sbin/nginx
$ ldd /usr/local/nginx/sbin/nginx |grep -i krb
libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f7ebcffd000)
libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f7ebcd25000)
libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f7ebba4e000)
$ nginx -V
nginx version: nginx/1.9.4
built by gcc 5.2.1 20151010 (Debian 5.2.1-22)
built with LibreSSL 2.1 (running with OpenSSL 1.0.2d 9 Jul 2015)
TLS SNI support enabled
configure arguments: --add-module=spnego-http-auth-nginx-module --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_gzip_static_module --without-http_browser_module --without-http_geo_module --without-http_limit_req_module --without-http_limit_conn_module --without-http_memcached_module --without-http_referer_module --without-http_scgi_module --without-http_split_clients_module --without-http_ssi_module --without-http_userid_module --without-http_uwsgi_module --add-module=../debian/modules/nginx-echo
https://www.cowley.tech/blog/2014/06/17/new-linux-active-directory-integration/
apt-get install realmd
kdump notes
See:
/etc/default/grub
#GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb crashkernel=128M"
cp -p /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
grub2-mkconfig > /boot/grub2/grub.cfg
/etc/kdump.conf
default reboot
reboot
systemctl status kdump
Other
Server
fence_kdump -o off --nodename=node1
Client
/usr/libexec/fence_kdump_send -i 5 -c 1 node1
Test
Crash
echo 1 > /proc/sys/kernel/sysrq
echo c > /proc/sysrq-trigger
ls -lrt /var/crash/
