Introduction

In continuation to the previous post about Docker Bench for Security, this time we are handle secure the Daemon Docker.

Result of Docker Bench for Security

Let’s start

🚨 2.1 — Ensure network traffic is restricted between containers on the default bridge

• Edit file /lib/systemd/system/docker.service
• Change ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock to ExecStart=/usr/bin/dockerd -H fd:// -containerd=/run/containerd/containerd.sock --config-file=/etc/docker/daemon.json
• Create file /etc/docker/daemon.json with below content

root@vagrant:/home/vagrant# cat /etc/docker/daemon.json
{
    "icc": false
}

• Reload daemon and restart docker service

root@vagrant:/home/vagrant# systemctl daemon-reload
root@vagrant:/home/vagrant# systemctl restart docker

⚠️ Keep in mind that this requires an option to connect the containers to the network

🚨 2.5 — Ensure aufs storage driver is not used

• Check if aufs storage is not used

root@vagrant:/home/vagrant# sudo docker info | grep Storage
WARNING: No swap limit support
 Storage Driver: aufs

• Update…

Introduction

I usually like used Nginx as proxy to host multiple services on the same server, but however, when we need to use a quick and simple configuration, it is good to use Traefik as our proxy server.

So let’s use Traefik !

What exactly is Traefik ???

An open-source reverse proxy and load balancer for HTTP and TCP-based applications that is easy, dynamic, automatic, fast, full-featured, production proven, provides metrics, and integrates with every major cluster technology.

Basically traefik is a reverse proxy and load balancer for HTTP / TCP apps . Is linked with various technologies and can be easily installed in any stack.

…

Intro

In this short post, I would like to introduce the K3S and the MicroK8s. K3s which is developed by Rancher, has become a hot topic as lightweight Kubernetes, but Ubuntu Canonical also develops a lightweight Kubernetes called Micro K8s because it is attached with Micro, it is lighter than normal Kubernetes. Both allow you to run Kubernetes without using a virtual machine like Minikube. I would like to compared what kind of function it has and how it differs.

General Information

k3s — Lightweight Kubernetes

k3s is developed by Rancher Labs, as Rancher says it is good for small devices such as IoT. I think the…

Intro

I think so curl is fun, I had many opportunities to play with curl by POSTing, or for example reading session from cookies, so would like to summarized it.

Test Environment

• Ubuntu 18.04 + docker and docker-compose
• Curl
• jq
• Jenkins for docker

Let’s start

• Simple docker-compose for Jenkins

version: '3.7'
services:
  jenkins:
    image: jenkins/jenkins:lts
    privileged: true
    user: root
    ports:
      - 8081:8080
      - 50000:50000
    container_name: jenkins
    volumes:
      - /tmpy:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock
      - /usr/local/bin/docker:/usr/local/bin/docker

• Run command docker-compose up -d and after starting the container, go to the address http: //<IP-ADDRESS>: 8081. We will need password from container we can get it with this command docker exec…

Memo with syntax that is often used in the find command

Grep Recursive

vagrant@vagrant:~$ find ./ -name '*' | xargs grep example

If the extension is only txt, we can narrow it down when we find it.

vagrant@vagrant:~$ find ./ -name '*.txt' | xargs grep example

Total file size in gigabytes from one year ago to now

Can be used to estimate the amount of space after deletion while deleting previous files to reduce disk capacity.

root@vagrant:/# find ./ -mtime -365 -type f -printf "%s\n" |awk '{sum += $1; printf("\r%d",sum/1024/1024/1024) }; END{print""};'

Find files older than 1 year

root@vagrant:/# find ./ -mtime +366 -type f

Delete files older than 1 year

root@vagrant:/# find ./ -mtime +366 -type f -exec rm {} \;

Search for files with recent updates

With below command…

Introduction

Using containers offers great benefits, increasing the environment also means making difficult choices. We need to think what orchestration tools are the best for our situation and how to monitor the our system. Docker is the standard for container runtimes, but you have multiple options to choose from from container orchestration tools. For now Leaders in this case there are CNCF’s Kubernetes and AWS ECS. According to a 2020 survey, 83% of companies use Kubernetes as their container orchestration solution.

More info we can find in this survey

In this article, I will focus to compare ECS and Kubernetes…

Introduction

In K8s sometimes when we run pods, due to lack of resources like memory or CPU or some application error pods get evicted. In this case Kubernetes will try restart these evicted pods but , if there are still no resources left or the application has any errors, the pod will still be in evicted state.

Should we care about this?

Definitely yes, when we have many evicted pod in the cluster it can lead to a serious network load as each pod, although evicted, is connected to the network and is blocking the IP address which can lead to exhaustion. …

At the beginning

With minikube addons enable ingress we can easy to get started with Ingress in Minikube. We can resolve the host name set in Ingress on the local name server to use it more comfortably. It’s also easy to use nginx-ingress-controller instead of Minikube’s standard Ingress Controller, which is more comfortable with a custom Cluster Add-on. If you are using Ingress in production, you want to use Ingress to verify the operation on your local Minikube.

To use Ingress, you need an Ingress Controller that configures L7 LB based on the created Ingress object. For example in GKE, there is an…