Alternatives of tcpdump



There are many tools similar to tcpdump; see https://en.wikipedia.org/wiki/Comparison_of_packet_analyzers

Here I chose only free and open-source tools that are lightweight and have a Docker image available.

  1. ngrep is best for capturing only those packets whose payload matches a given pattern (a regular expression).

  2. Packetbeat is a lightweight open-source packet analyzer. It sends the data it extracts to Elasticsearch or Logstash. It is not inline in the data path, so it adds no latency to the application, but it can consume a lot of CPU. Packetbeat can run as a sidecar Docker container: https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html
It can capture all HTTP headers from request and response: https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-http.html

  3. Tranalyzer is a lightweight open-source flow generator and packet analyzer for practitioners and researchers.

  4. Justniffer is like tcpdump, but one layer up: tcpdump captures raw packets (TCP and everything else), while Justniffer reassembles TCP streams and logs the HTTP requests and responses they carry. That makes it useful for debugging a web server.
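What ngrep and Packetbeat do, as an added example (my code, not from any of the tools above and not from the original post): a minimal pcap reader that filters packets by a payload regex (ngrep style) and extracts the start line and headers of each HTTP message (Packetbeat style). The pcap is constructed inline from one request/response pair so the block runs offline; the IPs, ports and header values are made up. Only Ethernet/IPv4/TCP frames in microsecond-timestamp pcap files are handled.

```python
"""Added example, not from the page or from ngrep/Packetbeat: a minimal pcap reader
that filters TCP payloads by regex (ngrep style) and extracts HTTP start lines and
headers (Packetbeat style). Handles Ethernet/IPv4/TCP in microsecond pcap files."""
import re
import struct


def _tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet + IPv4 + TCP frame. Checksums are left at zero,
    which is fine for a parser that never validates them."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def _pcap(frames):
    """Wrap frames in a little-endian pcap file (magic A1B2C3D4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample traffic: one request and its response. All values are made up.
REQUEST = (b"GET /login?user=admin HTTP/1.1\r\nHost: shop.example\r\n"
           b"User-Agent: curl/7.68.0\r\nAuthorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nSet-Cookie: session=abc; HttpOnly\r\n"
            b"Content-Length: 2\r\n\r\nok")
SAMPLE_PCAP = _pcap([_tcp_frame("10.1.1.5", "10.1.1.10", 40000, 80, REQUEST),
                     _tcp_frame("10.1.1.10", "10.1.1.5", 80, 40000, RESPONSE)])


def iter_tcp_payloads(pcap_bytes):
    """Yield (src, sport, dst, dport, payload) for every Ethernet/IPv4/TCP record."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    pos = 24                                               # skip the global header
    while pos + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                                       # not TCP
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]      # bounded by the IP total length
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, tcp[data_off:]


def grep_payloads(pcap_bytes, pattern):
    """ngrep style: return the flows whose TCP payload matches the regex."""
    rx = re.compile(pattern)
    return [(s, sp, d, dp) for s, sp, d, dp, p in iter_tcp_payloads(pcap_bytes) if rx.search(p)]


def http_headers(pcap_bytes):
    """Packetbeat style: the start line and headers of each HTTP message in the capture.
    One message per packet is assumed; real tools reassemble the TCP stream first."""
    messages = []
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap_bytes):
        head, sep, _body = payload.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        is_http = lines[0].startswith(b"HTTP/") or lines[0].endswith((b"HTTP/1.1", b"HTTP/1.0"))
        if not sep or not is_http:
            continue
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
        messages.append({"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                         "start_line": lines[0].decode("latin-1"), "headers": headers})
    return messages
```

Note what ends up in the capture: the Authorization and Set-Cookie values sit in plaintext in the pcap, so a capture file taken from a pod is as sensitive as the credentials passing through it. Restrict who can read it and delete it when the debugging is done.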

Digital Certificate and SSL


1. Cryptographic algorithms
1.1 Conventional cryptography (symmetric key): the same key encrypts and decrypts
1.2 Public-key cryptography: a key pair; what one key encrypts, only the other decrypts
2. Message digest functions = one-way hash
3. Digital signatures: a digest of the data (and, inside a protocol, of context such as the sequence number) is signed with the private key; anyone holding the public key can verify it

Certificate
DER is a restricted form of BER: BER allows several encodings of the same value, DER allows exactly one, which is why signatures are computed over DER bytes. The certificate's ASN.1 structure is serialized to binary with DER. Base64-encoding that, wrapping it into 64-character lines and adding the -----BEGIN CERTIFICATE----- prefix and -----END CERTIFICATE----- suffix gives the PEM format.
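The DER to PEM round trip described above, as an added example (my code, not from the original post): it wraps a DER blob into PEM, parses PEM back while checking the armour label, and decodes the outer ASN.1 SEQUENCE length so a truncated DER blob is caught before anything deeper is parsed. SAMPLE_DER is a constructed, well-formed SEQUENCE of 256 zero bytes, not a real certificate; reading the fields inside a real certificate needs a full ASN.1 parser.

```python
"""Added example, not from the page: DER <-> PEM conversion plus a sanity check of
the outer ASN.1 SEQUENCE length. SAMPLE_DER is a constructed, well-formed SEQUENCE
of 256 zero bytes, not a real certificate."""
import base64
import textwrap


def der_to_pem(der, label="CERTIFICATE"):
    """PEM = Base64(DER) in 64-column lines between BEGIN/END armour lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [f"-----BEGIN {label}-----", *textwrap.wrap(body, 64), f"-----END {label}-----"]
    return "\n".join(lines) + "\n"


def pem_to_der(pem, label="CERTIFICATE"):
    """Reverse of der_to_pem; refuses input whose armour does not carry the expected label."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != f"-----BEGIN {label}-----" or lines[-1] != f"-----END {label}-----":
        raise ValueError("PEM armour does not match expected label")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def der_sequence_length(der):
    """Decode the outer tag/length and return the declared content length.
    Raises if the tag is not SEQUENCE (0x30) or the length disagrees with the data,
    which is how a truncated or padded DER blob is caught before any deeper parsing."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        length, header = first, 2
    else:                                  # long form: 0x80|n, then n big-endian length bytes
        n = first & 0x7F
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError(f"declared {length} content bytes, found {len(der) - header}")
    return length


SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x00" * 256   # SEQUENCE, long-form length 0x0100
```

The label check matters in practice: a file that says BEGIN PRIVATE KEY where a certificate was expected should be rejected, not silently decoded.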

Cipher suite
1. Key exchange method: RSA or Diffie-Hellman, with or without a signature (authenticated or anonymous)
2. Cipher for data transfer
2.1 No encryption
2.2 Stream cipher
2.3 Block cipher
3. Message digest for creating the MAC (an HMAC keyed with the session's MAC key)
3.1 No digest
3.2 MD5
3.3 SHA
MD5 and SHA-1 based MACs are obsolete; current TLS uses SHA-256 or better, and TLS 1.3 drops the separate MAC in favour of AEAD ciphers.

SSL Record Protocol, between the TCP and HTTP layers
1. Input from HTTP goes to the RPU (Record Protocol Unit) and is split into records
2. Compress the input
3. Add the MAC (computed over the sequence number and the compressed data)
4. Encrypt
5. Output as TCP payload
The receiver reverses the steps and verifies the MAC before it decompresses or acts on the data. TLS 1.3 removed step 2 (compression) entirely.
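The five steps above and their reverse, as an added toy example (my code, not from the original post, and not TLS): zlib compression and an HMAC-SHA256 MAC are real primitives, but the "stream cipher" is a SHA-256 counter keystream XORed into the data, used only to show where encryption sits in the pipeline. The keys and plaintext are constructed. Do not reuse this construction for real traffic; use a TLS library.

```python
"""Added toy example, not from the page and not TLS: the record-layer pipeline
(compress, MAC, encrypt, frame) and its reverse. zlib and HMAC-SHA256 are real;
the 'stream cipher' is a SHA-256 counter keystream used only to show where the
cipher sits. Never use this construction for real traffic."""
import hashlib
import hmac
import struct
import zlib

TAG_LEN = 32                                   # HMAC-SHA256 output size


def _keystream(key, nonce, length):
    """Toy keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack("!Q", counter)).digest()
        counter += 1
    return out[:length]


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


def seal_record(plaintext, mac_key, enc_key, seq):
    """Sender: compress, MAC over (seq || compressed), encrypt, prepend a header."""
    compressed = zlib.compress(plaintext)
    tag = hmac.new(mac_key, struct.pack("!Q", seq) + compressed, hashlib.sha256).digest()
    body = compressed + tag
    nonce = struct.pack("!Q", seq)             # the sequence number doubles as the nonce
    ciphertext = _xor(body, _keystream(enc_key, nonce, len(body)))
    return struct.pack("!QH", seq, len(ciphertext)) + ciphertext


def open_record(record, mac_key, enc_key, expected_seq):
    """Receiver: parse header, reject replays, decrypt, verify MAC, only then inflate."""
    seq, length = struct.unpack("!QH", record[:10])
    if seq != expected_seq:
        raise ValueError("unexpected sequence number (replay or reorder)")
    ciphertext = record[10:10 + length]
    if len(ciphertext) != length or length < TAG_LEN:
        raise ValueError("truncated record")
    body = _xor(ciphertext, _keystream(enc_key, struct.pack("!Q", seq), length))
    compressed, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(mac_key, struct.pack("!Q", seq) + compressed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed")   # constant-time compare, before decompressing
    return zlib.decompress(compressed)


def round_trip(plaintext, mac_key=b"m" * 32, enc_key=b"e" * 32, seq=0):
    """Seal and open one record; returns the recovered plaintext."""
    return open_record(seal_record(plaintext, mac_key, enc_key, seq), mac_key, enc_key, seq)
```

Two details on the receive path are the ones that matter: the MAC is checked with a constant-time compare before anything is decompressed, and the sequence number is part of the MAC input, so a replayed or reordered record fails verification instead of being accepted.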

TCPdump inside docker


For TCPDump 1 (capture on the node, from the pod's veth)
=============

k get pod productpage-v1-8554d58bff-rz25r -o json | grep containerID

docker exec ff8e6d1a169bc225ad1e357b54445e9055423189b900176bcc6cdd393f9cd83d /bin/bash -c 'cat /sys/class/net/eth0/iflink'

(If the image has no shell, run cat directly as the exec command.) The number printed, 47 here, is the ifindex of the veth peer on the node. Match the full index so that an interface 470 is not picked up too:

ip link | grep '^47:'

tcpdump -i <veth interface from the previous step>

For TCPDump 2 (tcpdump sidecar inside the pod)
=============

Add the following under spec: containers: of the Deployment. The sidecar shares the pod's network namespace, so tcpdump inside it sees the pod's eth0; sleep infinity only keeps the container alive until you exec into it. Packet capture needs CAP_NET_RAW, which the Docker default capability set includes but a hardened PodSecurityPolicy may drop.

- name: tcpdump
  image: corfr/tcpdump
  command:
    - /bin/sleep
    - infinity

k get pod productpage-v1-8554d58bff-rz25r -o json | grep containerID

docker exec 867662a10a0324059b71d3be9765069b900eca4f2f5f29fdb2e7b7792fcfc726 tcpdump -s 0 -n -w /tmp/container.pcap

tcpdump runs in the foreground until interrupted; add -c <count>, or -G/-W rotation, if it should stop by itself.

docker cp 867662a10a0324059b71d3be9765069b900eca4f2f5f29fdb2e7b7792fcfc726:/tmp/container.pcap .

The same two steps work without node access, through the API server: kubectl exec -c tcpdump POD_NAME -- tcpdump -s 0 -n -w /tmp/container.pcap and kubectl cp -c tcpdump POD_NAME:/tmp/container.pcap .
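The two lookups in the procedures above, done offline on constructed command output (added example, my code, not from the original post): pull the runtime container IDs out of kubectl get pod -o json, and resolve the iflink number read inside the container to the host-side veth in ip link output. The pod JSON, container IDs and ip link lines are made up; nothing here runs docker, kubectl or tcpdump, and tcpdump_command only composes the argument list.

```python
"""Added example, not from the page: the two lookups in the procedure above done
offline on constructed command output. Nothing here runs docker, kubectl or tcpdump."""
import json
import re

# Constructed excerpt of `kubectl get pod productpage-v1-8554d58bff-rz25r -o json`;
# the container IDs are made-up hex.
POD_JSON = json.dumps({
    "metadata": {"name": "productpage-v1-8554d58bff-rz25r"},
    "status": {"containerStatuses": [
        {"name": "productpage", "containerID": "docker://" + "ab" * 32},
        {"name": "istio-proxy", "containerID": "docker://" + "cd" * 32},
        {"name": "tcpdump", "containerID": "docker://" + "ef" * 32},
    ]},
})

# Constructed `ip link` output as seen on the worker node; index 470 is there on
# purpose, to show why a prefix match on 47 is not enough.
IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
47: veth8f3a1c2@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni0 state UP mode DEFAULT group default
    link/ether 3e:5b:0f:1a:2c:9d brd ff:ff:ff:ff:ff:ff link-netnsid 4
470: veth0000000@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni0 state UP mode DEFAULT group default
    link/ether 3e:5b:0f:1a:2c:9e brd ff:ff:ff:ff:ff:ff link-netnsid 5
"""


def container_ids(pod_json):
    """Map container name -> runtime ID, with the 'docker://' prefix kubectl prints removed."""
    statuses = json.loads(pod_json)["status"]["containerStatuses"]
    return {s["name"]: s["containerID"].split("://", 1)[1] for s in statuses}


_LINK_RE = re.compile(r"^(\d+): ([^:@\s]+)(?:@\S+)?:", re.MULTILINE)


def host_iface_for_iflink(ip_link_text, iflink):
    """/sys/class/net/eth0/iflink inside the container is the ifindex of the veth
    peer on the node; return the name of the `ip link` entry with exactly that index."""
    for idx, name in _LINK_RE.findall(ip_link_text):
        if int(idx) == iflink:
            return name
    raise LookupError(f"no host interface with ifindex {iflink}")


def tcpdump_command(ip_link_text, iflink, pcap="/tmp/pod.pcap"):
    """Compose (not run) the node-side capture command for the resolved interface."""
    return ["tcpdump", "-i", host_iface_for_iflink(ip_link_text, iflink),
            "-s", "0", "-n", "-w", pcap]
```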

Istio Practical - 1


Installation

Istio version istio-1.3.0-rc.1 at path Downloads/istio-1.3.0-rc.1
Helm version helm-v2.14.3

sudo apt-get install socat

kubectl create serviceaccount tiller --namespace kube-system

kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller

helm init --wait --service-account tiller

Note: this is the Helm 2 layout. Tiller with cluster-admin means anything inside the cluster that can reach Tiller's gRPC port can create any object in any namespace; acceptable on a throwaway lab cluster only. Helm 3 removed Tiller and acts with the caller's own kubeconfig credentials.

kubectl create namespace istio-system

helm repo add istio.io https://storage.googleapis.com/istio-release/releases/1.2.5/charts/

helm repo update

(The repo above points at the 1.2.5 charts; the two commands below install from the local istio-1.3.0-rc.1 directory instead, so the repo is not actually used by them.)

helm template Downloads/istio-1.3.0-rc.1/install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -

helm install --wait --name istio --namespace istio-system Downloads/istio-1.3.0-rc.1/install/kubernetes/helm/istio \
  --set gateways.istio-ingressgateway.type=NodePort \
  --set gateways.istio-egressgateway.type=NodePort \
  --set grafana.enabled=true \
  --set kiali.enabled=true \
  --set kiali.dashboard.grafanaURL=http://localhost:3000 \
  --set kiali.dashboard.jaegerURL=http://localhost:16686 \
  --set servicegraph.enabled=true \
  --set telemetry-gateway.grafanaEnabled=true \
  --set telemetry-gateway.prometheusEnabled=true \
  --set tracing.enabled=true \
  --set sidecarInjectorWebhook.enabled=true \
  --set global.mtls.enabled=false

global.mtls.enabled=false leaves service-to-service traffic inside the mesh unencrypted and unauthenticated; fine for this lab, not for production.

K8s Interfaces



Istio HandsOn


Istio 101


Istio 101 
Meetup event by
Kubernetes & Openshift India Community
https://www.meetup.com/kubernetes-openshift-India-Meetup/events/263328152/

=================

Challenge with microservice

- Service Discovery
- Load Balancing 
- Monitoring and Observability
- Network resiliency
- Latency
- Security
- ACL



Istio: Connect, Manage, Secure microservices.
Istio has rich policy-driven operations in the IFTTT (if this, then that) style.

Istio has evolved.
When people realized the challenges with microservices, Netflix OSS developed the following tools:

Hystrix: Circuit breaking
Zuul: Edge router
Ribbon: Client-side load balancing (with service discovery via Eureka)
Eureka: Service registry
Brave / Zipkin: Tracing

Spectator / Atlas: Metrics

However, they are specific to Java: additional code had to be added to the existing Java application code.

In the case of Istio, a sidecar proxy container is added to each pod. The existing application code is not modified. Istio can be used for applications developed in any language, and for polyglot applications.

Early versions of Istio were not optimized, and the industry was skeptical and reluctant to adopt it. For each request, the Envoy sidecar proxy contacted the Mixer component for a policy check, and after the request was processed it reported the metrics to Mixer. Later on caching was added. The early adopters of Istio themselves contributed back, and lately many performance optimizations have happened in Istio. Now more and more microservice-based applications are using Istio.

Istio : Production deployment

Success : eBay, IBM
Failure : BigBasket https://tech.bigbasket.com/bigbaskets-experience-with-istio/

=================
A few analogies between OpenShift and Kubernetes:
* project = namespace
* oc = kubectl
* oc expose service creates a Route, the OpenShift counterpart of an Ingress in k8s
=================
The sidecar proxy can be injected in two ways:
1. manual injection with the istioctl kube-inject command
2. automatic injection: enabled per namespace by a label, which triggers the mutating admission webhook
=================
istioctl talks to Istio's control-plane component named Pilot.
=================
The Istio-Auth module is now called Citadel.
================= We had an interesting question about mirroring / shadowing the incoming request: how is a new TCP session created for the mirrored copy? To observe it, add

- name: tcpdump
  image: corfr/tcpdump
  command:
    - /bin/sleep
    - infinity

to Deployment.yaml under spec: containers:

https://developers.redhat.com/blog/2019/02/27/sidecars-analyze-debug-network-traffic-kubernetes-pod/
=================
Istio also supports multi-cluster (cross-cluster) deployments, for the case where the application is deployed on two different clusters hosted by two different cloud service providers.
=================
There is a set of istioctl commands for debugging an application deployment. I found this URL: https://istio.io/docs/ops/component-debugging/
=================
Envoy proxy is lightweight, efficient and very powerful. It has lots of configuration options; avoid playing with them at the beginner stage.
=================
Istio can be installed using a Helm chart. Another option is the Maistra Istio operator, which is a wrapper around the Helm chart.
=================
Red Hat offers Istio as "OpenShift Service Mesh".
=================

Reference
https://github.com/redhat-developer-demos/istio-tutorial
https://redhat-developer-demos.github.io/istio-tutorial/istio-tutorial/1.1.x/index.html
https://developers.redhat.com/topics/service-mesh/
For cartoons : http://turnoff.us

Books

Slide Deck : https://docs.google.com/presentation/d/1H5T5C1YO6vRK_qd2VMWYAo7Gfp689p0-OcKaGxwt0RQ/edit#slide=id.g2c3a548945_0_385
=================

Disclaimer: This blog is just my notes from an event that I attended. It is not a verbatim record of any speech. This blog may not reflect the exact expression/opinion of the speakers at the event, due to possible mistakes in my note-taking. Any corrections/suggestions are welcome.

Turn Off


Today I came across an interesting website with comics about IT, computers, software etc.

Let me share my favourite list

K8s : http://turnoff.us/geek/the-depressed-developer-44/
Container : http://turnoff.us/geek/kernel-economics/

Python : 
http://turnoff.us/geek/the-depressed-developer-35/
http://turnoff.us/geek/python-private-methods/
http://turnoff.us/geek/math-class-2018/

Manager : http://turnoff.us/geek/the-realist-manager/
Social Media http://turnoff.us/geek/the-depressed-developer-23/
AI : 
http://turnoff.us/geek/python-robots/
http://turnoff.us/geek/chatbot/
http://turnoff.us/geek/sad-robot/
http://turnoff.us/geek/when-ai-meets-git/

Debug: http://turnoff.us/geek/the-last-resort/
USB : http://turnoff.us/geek/tobbys-world/
CI/CD : http://turnoff.us/geek/deployment-pipeline/
GW API : http://turnoff.us/geek/distributed-architecture-drama/

Computer Science concepts
Process v/s thread : http://turnoff.us/geek/dont-share-mutable-state/
Btree: http://turnoff.us/geek/binary-tree/
Zombie Process http://turnoff.us/geek/zombie-processes/
Idle CPU : http://turnoff.us/geek/idle/

K8s Hands-on - 2



Dashboard

Reference file for dashboard.yaml https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
Similar file, is present at Katacoda course

Each worker node runs a kubelet. cAdvisor (historically exposed by the kubelet on port 4194) is part of the kubelet binary. It collects the following data for the node, pods and containers:
- CPU usage
- Memory usage
- File system
- Network usage

Heapster collects and aggregates all of the above data from cAdvisor over its REST API and stores it in InfluxDB. Grafana reads the data from InfluxDB and visualizes it.

Heapster can also store the data in the Google Cloud Monitoring service, and the Google Cloud Monitoring console can then visualize it.

Note: this is the old metrics stack. Heapster is deprecated (replaced by metrics-server), and the kubelet no longer exposes a separate cAdvisor port.

====================================

Horizontal scaling is possible with below command

kubectl scale --replicas=3 deployment x
====================================

A few more useful aliases

alias kc='kubectl create'
alias kd='kubectl delete'
alias ka='kubectl apply'

A deployment can be saved manually as a YAML file and created again from that file.

kg deployment x -o yaml > x.yaml
k delete svc x
k delete deployment x

k create -f x.yaml
kubectl expose deployment x --port=80 --type=NodePort

The same applies to a service

kg svc x -o yaml > x_svc.yaml
kd svc x
kc -f x_svc.yaml

Before re-applying, remove the server-populated lines from the saved file (the whole status: block, and metadata.uid, resourceVersion, generation, creationTimestamp, selfLink) and change the replicas value.
ka -f x.yaml
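The pruning step above, as an added example (my code, not from the original post): strip the server-populated fields from an object exported with kubectl get -o json (kubectl apply accepts JSON as well as YAML) and set the replica count. EXPORTED is a constructed excerpt of what kubectl prints for a deployment named x; the uid and timestamps are made up.

```python
"""Added example, not from the page: prune the server-populated fields from an object
exported with `kubectl get ... -o json` so it can be re-applied cleanly, and set the
replica count. EXPORTED is a constructed excerpt; uid and timestamps are made up."""
import copy
import json

EXPORTED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {
        "name": "x", "namespace": "default",
        "uid": "6b0b7e2e-0000-4000-8000-000000000000",
        "resourceVersion": "12345", "generation": 1,
        "creationTimestamp": "2019-09-01T10:00:00Z",
        "selfLink": "/apis/apps/v1/namespaces/default/deployments/x",
        "annotations": {"deployment.kubernetes.io/revision": "1"},
        "labels": {"app": "x"},
    },
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "x"}},
             "template": {"metadata": {"labels": {"app": "x"}},
                          "spec": {"containers": [{"name": "x",
                                                   "image": "katacoda/docker-http-server"}]}}},
    "status": {"availableReplicas": 1, "observedGeneration": 1},
}

# Fields the API server assigns; re-applying them either fails or is meaningless.
METADATA_DROP = ("uid", "resourceVersion", "generation", "creationTimestamp",
                 "selfLink", "managedFields")
ANNOTATION_DROP = ("deployment.kubernetes.io/revision",
                   "kubectl.kubernetes.io/last-applied-configuration")


def strip_server_fields(obj):
    """Return a copy with status and cluster-assigned metadata removed; the input is untouched."""
    out = copy.deepcopy(obj)
    out.pop("status", None)
    meta = out.get("metadata", {})
    for key in METADATA_DROP:
        meta.pop(key, None)
    ann = meta.get("annotations", {})
    for key in ANNOTATION_DROP:
        ann.pop(key, None)
    if not ann:
        meta.pop("annotations", None)       # drop an emptied annotations map entirely
    return out


def with_replicas(obj, replicas):
    """Pruned copy with spec.replicas changed, the edit the text above makes by hand."""
    out = strip_server_fields(obj)
    out["spec"]["replicas"] = replicas
    return out


def to_manifest(obj):
    """Serialize for `kubectl apply -f -` (JSON is accepted alongside YAML)."""
    return json.dumps(obj, indent=2, sort_keys=True)
```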

==========================================
Guestbook example

kc -f redis_m_controller.yaml
kg rc

This is the same example as https://kubernetes.io/docs/tutorials/stateless-application/guestbook/ so the related YAML files are also similar. E.g.

redis-master-controller.yaml corresponds to (as a ReplicationController rather than a Deployment)
https://k8s.io/examples/application/guestbook/redis-master-deployment.yaml

redis-master-.yaml corresponds to
https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/application/guestbook/redis-master-service.yaml

The same holds for redis-slave and the PHP frontend.
===========================================
To see log from any pod


k logs -f POD_NAME

K8s Hands-on - 1


One can find many useful articles about basic kubectl commands and minikube. Katacoda is one of the best websites for online hands-on with k8s. Here I just share my experience with Katacoda and an on-premise minikube cluster.

First, one needs to set a few aliases in the .bashrc file (an al ias whose expansion contains a space needs quotes):

alias k=kubectl
alias kg='kubectl get'
alias m=minikube

Minikube

By default, minikube runs with 2 CPUs and 2 GB RAM, which makes the host system slow. minikube needs a minimum of 2 CPUs. By trial and error I found that 1.5 GB is sufficient to run minikube.

minikube start --memory 1536

Now few commands


kubectl config view
kubectl cluster-info
kubectl get nodes
kubectl describe node

minikube ip
minikube dashboard
minikube addons enable heapster
minikube addons list
minikube service list
minikube status

Service related commands


One can use svc in place of service for kubectl commands, but not for minikube commands.

kubectl get svc
lists services only from the default namespace, while
minikube service list
lists services from all namespaces.
One can add "-n kube-system" to the kubectl command:
kubectl get svc -n kube-system
One can also add "--all-namespaces" to the kubectl command:
kubectl get svc --all-namespaces

Virtual Box


The /home folder of the host OS is mounted as /hosthome inside the VirtualBox VM.

To log in to the VM:
minikube ssh
OR
ssh to minikube's IP address as user docker with password tcuser
Note: neither method works at Katacoda for the first scenario "Launching single Node cluster" under the "Introduction to Kubernetes" hands-on.

Here is a comparison of IP addresses and interfaces inside and outside the VirtualBox VM:

Outside VBox: IP address   Outside VBox: interface   Inside VBox: interface   Inside VBox: IP address   Remarks
172.17.0.1                 docker0                   docker0                  172.17.0.1                Pod network (Docker bridge)
192.168.99.1               vboxnet0                  eth1                     192.168.99.102            Minikube IP address (host-only network)
(none)                     (none)                    eth0                     10.0.2.15                 Node internal IP (VirtualBox NAT)
127.0.0.1                  lo                        lo                       127.0.0.1                 Loopback interface


Deployment

I found the three basic images below to begin with:

kubectl create deployment x --image=katacoda/docker-http-server
kubectl create deployment k --image=k8s.gcr.io/echoserver:1.10

kubectl create deployment i --image=nginx

The deployments should be exposed with the commands below.
For http-server and nginx:
kubectl expose deployment x --port=80 --type=NodePort
kubectl expose deployment i --port=80 --type=NodePort
For echo-server (it listens on 8080):

kubectl expose deployment k --port=8080 --type=NodePort

A deployment and its service can be removed with

kubectl delete svc x
kubectl delete deployment x

Access Service

1.
As per Katacoda, the service can be tested with curl as below (Katacoda's deployment is named first-deployment; substitute x for the deployments above):

export PORT=$(kubectl get svc first-deployment -o go-template='{{range.spec.ports}}{{if .nodePort}}{{.nodePort}}{{"\n"}}{{end}}{{end}}')

echo "Accessing host01:$PORT"


curl host01:$PORT

There are alternative ways as well.

2.

curl $(minikube service x --url)

3. The command below opens the browser at the required URL

minikube service x

4. Using the proxy

kubectl proxy

Open the URL in a browser:
http://127.0.0.1:8001/api/v1/namespaces/default/pods/POD_NAME/proxy/

kubectl proxy listens on 127.0.0.1 only and forwards with your kubeconfig credentials, so anything that can reach that port gets the same API access you have.

POD

To get details about pod in JSON format

1. 
kubectl get pods -o json

2.

kubectl proxy

Open URL in browser

http://127.0.0.1:8001/api/v1/namespaces/default/pods/ 

To log in to a pod

kubectl exec -it $POD_NAME -- bash

To get its environment variables

kubectl exec $POD_NAME -- env


Dockercon 2019 SFO Recap & Announcements


This blog is just about key takeaway points from a Meetup Event : https://www.meetup.com/Docker-Bangalore/events/261474778/

and

https://github.com/collabnix/dockerbangalore/tree/master/slides/15th-June-2019-Dockercon19-Recap

=================================================

1. Dockercon 19 Recap & Announcement by 

Ajeet Singh Raina https://www.linkedin.com/in/ajeetsraina/




Important playlists



Docker Labs: https://github.com/collabnix/dockerlabs DockerLabs brings you tutorials that help you get hands-on experience using Docker & Kubernetes.

Ajeet discussed Docker Desktop Enterprise and its Application Designer feature. Version Packs are used for backward compatibility. https://blog.docker.com/2019/05/a-first-look-at-docker-desktop-enterprise/


"docker buildx" is useful to build a Docker container image for various on-premises and cloud platforms in one shot. At present it is available only in the enterprise version.

One interesting webinar : "How Docker Simplifies Kubernetes for the Masses"


=================================================

2. Hardening and Securing your Kubernetes Platform – Munish Kumar Gupta

cAdvisor is an agent running on the worker node (inside the kubelet) which collects usage information. Its dedicated port served metrics without authentication, so as part of hardening it is disabled (the CIS Kubernetes Benchmark of that time asked for --cadvisor-port=0).

One should refer to the Dockerfile best practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/

Important resources about security: Center for Internet Security (CIS)
https://en.wikipedia.org/wiki/Center_for_Internet_Security
https://www.cisecurity.org/

If the master node goes down, the pods already running on the worker nodes keep running. But anything that needs the control plane, such as a deployment or rollout in progress, is impacted while the master is down.

We should separate the network for the control plane (between master node and worker nodes) from the user plane (pod-to-pod communication among microservices).

We should have a pod restart policy and a health-check API in place for each pod.

Munish kept a camera icon in the top-right corner to indicate picture time: instead of taking notes, one can take a picture of that important slide.



Generally, in VISA's deployment the VMs run at 30 to 40 % of capacity. Containers run at higher utilization.

https://github.com/collabnix/dockerbangalore/blob/master/slides/15th-June-2019-Dockercon19-Recap/-

=================================================

3. Next Gen Payments Platform For Evolving Digital Economy – Sachin Karjatkar & Prabhu Kadapenthangal Venkatesan





=================================================

4. Sentiment Analysis using Stanford NLP, Docker, Helidon Microservice - Saiyam Pathak

Docker Hub can pull a Dockerfile from GitHub and build the Docker container image with the appropriate config settings on the Docker Hub website (automated builds).

Saiyam suggested using his GitHub repository for the K8s autoscaler components: https://github.com/saiyam1814/autoscaler
It is based on the K8s GitHub repository https://github.com/kubernetes/autoscaler

Helidon is a collection of Java libraries for writing microservices that run on a fast web core powered by Netty. https://helidon.io

Tornado is a Python web framework and asynchronous networking library, https://www.tornadoweb.org

https://stanfordnlp.github.io/CoreNLP/
https://nlp.stanford.edu/sentiment/
https://github.com/stanfordnlp/CoreNLP

Nginx is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.

Want to port forward a resource:
kubectl port-forward TYPE/NAME [LOCAL_PORT:]REMOTE_PORT
kubectl  port-forward deployment/saiyam 8081:8080


=================================================

5. Running Docker containers on IoT - Sangam Biradar

Docker repository for Raspberry Pi https://hub.docker.com/u/arm32v7

https://www.slideshare.net/sangambiradar370/docker-on-iot-dockercon19-sfo-recap-announcements-bangalore

Consonants of Bhagavad Gita Text



Context

The Sanskrit alphabet is very scientific: all the consonants are divided into classes. The sounds made by birds are represented by the क class of consonants (क, ख, ग, घ, ङ), the sounds of amphibians (e.g. frogs) by the ट class (ट, ठ, ड, ढ, ण), the sounds of mammals (e.g. sheep, goats, cows) by another class (its letters did not survive extraction here), and all the divine prayers and mantras always contain at least one consonant from the unclassified category (letters not recoverable here). Thus the alphabet sequence of Sanskrit (and of most Indian languages) indicates evolution.

Here an attempt is made to understand the usage of consonants in the holy Hindu scripture Shrimad Bhagavad Gita, using Python code.

Method

- The Shrimad Bhagavad Gita text file is loaded in Python code. This input file is UTF-8 encoded Unicode text.
- From the input file, 37 consonants are identified. Their UTF-8 encodings run from E0 A4 95 (क, U+0915) to E0 A4 BA (U+093A); the 37 consonant code points are U+0915 (क) through U+0939 (ह), so that upper bound is exclusive.
- A dictionary data structure is used to associate all the consonants with the different consonant classes and with the different speakers. For the source code, please refer to https://github.com/mpanchmatia/BhagavadGitaAlphabet
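The counting method above, as an added example (my code, not the author's code from the linked repository): it classifies each character of a UTF-8 string by Devanagari code point, tallies consonants per letter and per class, and computes percentages the way the tables below report them. SAMPLE is the first half-line of Gita 2.47, constructed here as a stand-in for the full text file. The class boundaries are my assumption from Unicode order (five classes of five letters; the nukta forms and य onwards treated as unclassified); the page's own class lists did not survive extraction, so the grouping may differ from the author's.

```python
"""Added example, not the author's code from the linked repository: classify and
count Devanagari consonants in UTF-8 text by Unicode code point. SAMPLE is a
constructed stand-in (first half-line of Gita 2.47), not the Gita text file.
The varga boundaries below are my assumption from code-point order."""
from collections import Counter

CONSONANT_START, CONSONANT_END = 0x0915, 0x0939      # क .. ह, 37 code points inclusive

# Assumed classes: five vargas of five letters each, in code-point order.
VARGAS = {
    "ka-varga": range(0x0915, 0x091A),               # क ख ग घ ङ
    "ca-varga": range(0x091A, 0x091F),               # च छ ज झ ञ
    "ta-varga (retroflex)": range(0x091F, 0x0924),   # ट ठ ड ढ ण
    "ta-varga (dental)": range(0x0924, 0x0929),      # त थ द ध न
    "pa-varga": range(0x092A, 0x092F),               # प फ ब भ म
}


def classify(ch):
    """Class name for a consonant code point; None for anything that is not a consonant
    (vowels, matras, virama, digits, punctuation, Latin text)."""
    cp = ord(ch)
    if not CONSONANT_START <= cp <= CONSONANT_END:
        return None
    for name, rng in VARGAS.items():
        if cp in rng:
            return name
    return "unclassified"                            # य र ल व श ष स ह and the nukta forms


def consonant_stats(text):
    """Return (Counter per consonant, Counter per class, total consonant count)."""
    letters = Counter(ch for ch in text if classify(ch))
    classes = Counter()
    for ch, n in letters.items():
        classes[classify(ch)] += n
    return letters, classes, sum(letters.values())


def percentages(classes, total):
    """Per-class share of all consonants, rounded to two decimals as in the tables."""
    return {name: round(100.0 * n / total, 2) for name, n in classes.items()}


SAMPLE = "कर्मण्येवाधिकारस्ते मा फलेषु कदाचन"
```

Counting code points this way counts a consonant once whether it stands alone or sits inside a conjunct (the virama U+094D is skipped), which is what a per-letter tally of the scripture needs.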



Some important findings

- Shrimad Bhagavad Gita contains 30271 consonants in total. The Devanagari (Hindi) script has 37 unique Unicode code points for consonants.
- Out of these 30271 consonants, the majority, 40.22 %, belong to the unclassified category. The smallest contribution, 2.15 %, is from class ट. Here is the detailed breakup (the per-class consonant lists did not survive extraction; only class ट is identifiable from the text above):

Consonant class          Count    Percentage
Class                     2116     6.99 %
Class                     1746     5.77 %
Class ट                    650     2.15 %
Class                     8611    28.45 %
Class                     4973    16.43 %
Unclassified             12175    40.22 %
Total                    30271   100 %


- The least frequent consonant (glyph lost in extraction) is pronounced only once, by Lord Krishna.
- The most frequent consonant (glyph lost in extraction) is uttered 3931 times.
- Out of these 30271 consonants, 80.37 % are uttered by Lord Krishna and 13.39 % by Arjuna. Here is the detailed breakup.

Speaker             Number of consonants   Percentage of consonants
Arjuna                     4052                 13.39 %
Lord Krishna              24330                 80.37 %
Sanjay                     1730                  5.72 %
Dhritarashtra                42                  0.14 %
None                        117                  0.39 %
Total                     30271                100 %


Please refer to https://github.com/mpanchmatia/BhagavadGitaAlphabet/blob/master/output.txt for the detailed breakup of all consonants uttered by all characters.

Future Scope

- The consonant analysis can be extended further, e.g. to identify patterns that can be correlated with energy movement in the body and the impact on the brain from a neuroscience perspective.

- The analysis can be applied to other ancient Sanskrit texts, epics, hymns etc.

- One can also target famous texts in other languages and perform a comparative analysis.