Skip to content

Instantly share code, notes, and snippets.

View Oats87's full-sized avatar

Chris Kim Oats87

68 followers · 2 following
View GitHub Profile
@Oats87
Oats87 / generate_new_kubeconfig.sh
Created October 27, 2018 05:19
This bash script will sign an x509 certificate using the kube-ca located on any rancher node. This allows you to gain access back to your RKE-created kubernetes cluster should you lose the kube_config and cluster.yml for it, but still have SSH access to the hosts.
#!/bin/bash
echo "This will generate a new kube config for accessing your RKE-created kubernetes cluster. This script MUST be run on a Kubernetes node."
echo "Please enter the IP of one of your control plane hosts, followed by [ENTER]:"
read cphost
openssl genrsa -out kube-admin.key 2048
openssl req -new -sha256 -key kube-admin.key -subj "/O=system:masters/CN=kube-admin" -out kube-admin.csr
sudo openssl x509 -req -in kube-admin.csr -CA /etc/kubernetes/ssl/kube-ca.pem -CAcreateserial -CAkey /etc/kubernetes/ssl/kube-ca-key.pem -out kube-admin.crt -days 365 -sha256
sudo rm -f /etc/kubernetes/ssl/kube-ca.srl
@Oats87
Oats87 / get_rancher_logs.sh
Created December 4, 2018 01:11
This grabs the rancher server logs from the pods running and tars them
#!/bin/sh
now=`date +%Y-%m-%d-%H-%M-%S`
for i in $(kubectl get po -n cattle-system | grep "rancher" | awk '{print $1}'); do
echo "Collecting Rancher Logs from: $i"
kubectl logs $i -n cattle-system > cs-$i-$now.log;
done
tar -zcvf rancher-logs-$now.tar.gz cs-*.log
@Oats87
Oats87 / recreate_etcd_cert_secrets
Created December 6, 2018 23:56
Should be run from /etc/kubernetes/ssl on one of the etcd nodes
for i in $(ls | grep kube-etcd | grep key.pem); do a=$(echo $i | awk -F"-" '{print $3}');b=$(echo $i | awk -F"-" '{print $4}');c=$(echo $i | awk -F"-" '{print $5}');d=$(echo $i | awk -F"-" '{print $6}'); kubectl -n kube-system create secret generic kube-etcd-$a-$b-$c-$d --from-literal=EnvName=KUBE_ETCD_${a}_${b}_${c}_${d} --from-literal=KeyEnvName=KUBE_ETCD_${a}_${b}_${c}_${d}_KEY --from-literal=KeyPath=/etc/kubernetes/ssl/kube-etcd-${a}-${b}-${c}-${d}-key.pem --from-literal=Path=/etc/kubernetes/ssl/kube-etcd-${a}-${b}-${c}-${d}.pem --from-file=Certificate=/etc/kubernetes/ssl/kube-etcd-${a}-${b}-${c}-${d}.pem --from-file=Key=/etc/kubernetes/ssl/kube-etcd-${a}-${b}-${c}-${d}-key.pem; done
@Oats87
Oats87 / migrate-rancher-2-1-x-single-node
Created January 8, 2019 01:28
Steps for migrating a single-node 2.1.x installation to HA
docker run -d --restart unless-stopped --name rancher -p 80:80 -p 443:443 -v /host/rancher:/var/lib/rancher rancher/rancher:v2.1.5
docker exec -it rancher /bin/bash
# cd /var/lib/rancher
# tar -zcvf pki.bundle.tar.gz -C /etc/kubernetes/ssl .
# cp -r /etc/kubernetes/ssl .
# exit
docker run --net=container:$(docker ps | grep rancher | awk '{print $1}') -it --volumes-from rancher rancher/rke-tools:v0.1.20
@Oats87
Oats87 / gist:b056c1976fd0484e4f161ab063deb1b0
Created January 11, 2019 19:44
docker centos/rhel recommendations
# Docker 17.03.2 on RHEL/CentOS 7
Rancher has discovered a few issues when running Upstream Docker 17.03.2 on RHEL/CentOS 7. This document is being written to document recommendations for Docker configuration in order to ensure reliability while operating Kubernetes and Rancher with RHEL/CentOS 7.
### Overlay2 Storage Driver
Currently, Upstream Docker 17.03.2 performs kernel version validations to enable overlay2. As official overlay2 support from the upstream Linux kernel was not enabled until version 4.0 or higher than the kernel. Red Hat backported overlay2 support to 3.10.0-514 of their kernel.
Overlay2 support can be enabled by setting the following contents in the `/etc/docker/daemon.json` file and restarting Docker. Please note that you must do this on a fresh docker installation, or remove all running containers before performing this action.
```{
@Oats87
Oats87 / docker.json
Created January 17, 2019 21:38
centos/rhel docker.json config
{
"storage-driver": "overlay2",
"storage-opts": [
"overlay2.override_kernel_check=true"
],
"exec-opts": [
"native.cgroupdriver=systemd"
]
}
@Oats87
Oats87 / gist:d76e3c00e10e1774e633f1746cc263f7
Created February 2, 2019 05:39
dd to usb flash drive from iso on OS X
sudo diskutil list
sudo diskutil unmount /dev/disk<x>
hdiutil convert -format UDRW -o <img-to-flash> <original-iso>.iso
sudo dd if=<img-to-flash>.dmg of=/dev/rdisk<x> bs=4m
@Oats87
Oats87 / invalidate-service-account-tokens-and-restart-all-pods.sh
Last active September 11, 2019 06:13
#!/bin/bash
export KUBECONFIG=$(pwd)/kube_config_cluster.yml
IFS=$'\n'; for i in $(kubectl get secrets --all-namespaces | grep "service-account-token"); do ns=$(echo $i | awk '{print $1}'); sec=$(echo $i | awk '{print $2}'); kubectl patch secret -n $ns $sec -p '{"metadata":{"finalizers": []}}' --type=merge && kubectl delete secret $sec -n $ns --wait=false; done
IFS=$'\n'; for i in $(kubectl get pods --all-namespaces | grep -v "NAME"); do ns=$(echo $i | awk '{print $1}'); pod=$(echo $i | awk '{print $2}'); kubectl delete pod $pod -n $ns --wait=false; done
@Oats87
Oats87 / docker.json
Last active October 8, 2019 20:32
mkdir /etc/docker
cat << EOF > /etc/docker/daemon.json
{
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "6"
}
}
EOF
@Oats87
Oats87 / sysctl.conf
Last active October 8, 2019 20:31
cat << EOF >> /etc/sysctl.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.core.somaxconn = 32768
EOF