Eye Exercises


Sunning
Sway the body, L to R and R to L 100 times

Trifala Eye wash

0.5 tea-spoon (1 tea-spoon) of Trifala Churn: put it in 250 ml (200 ml) of boiling water for 3 to 4 min (3 to 5 min). Keep it overnight. In the morning make it lukewarm. Filter through 3 to 4 folds (thick) of clean cloth. Put it in an eye wash cup. 

Prepare a 2-3 day quantity. Keep it in the fridge. Take it out and let it reach room temperature before use. It is not as effective as a fresh batch. 

It should be done every day. Clean around the eyes with a soft cloth. Do not press the eyes. Close your eyes for a few seconds. 

Brand: SNPandit, Dabour, Amrua, VadyaNath

1. Blink eyes 5 times
2. 5 time clock wise
3. 5 time anti-clock wise
4. 5 time L side blink
5. 5 time R side blink
Repeat 3 times

Squeezing 
blinking 10 times
fast blink 5 x (clock + anticlock) 
10 round: squeeze eye and breath in , breath out and relax
Repeat 3 times
Palming

Grill Swinging 200 times. Blink every time

Prana Mudra
First two fingers are straight; thumb, ring and pinky are joined.
Apaan Vayu Mudra
First finger at the base of the thumb, pinky straight; thumb, middle and ring are joined.

Eye Ball movement
1. up and down  : Simple palming
2. left and right : Simple palming
3. diagonal 1:  (press and release) OR (Constant Pressure) 
4. diagonal 2 : (press and release) OR (Constant Pressure) 
5. clock wise : (press and release) OR (Constant Pressure) 
6. anti clock wise: (press and release)
7. The Figure Eight 5 rounds

Jyoti Trataka (Candle Exercise)

* Read
* Gaze 3 round: 60 s gaze + 30 s rest
* Shift gaze: move forward and backward 60 times

0. Chant OM. Always open the eyes with a blink and start at the bottom of the candle/stand. Gently move your gaze up. 

1. Simple, effortless gazing for 30 to 35 seconds (press-and-release palming).

2. Look at the details: steady gaze at the wick of the candle; the size and the different colours of the flame (golden, orange, yellow, black at the centre) (constant-pressure palming with breathing).

3. Defocus the flame. Be aware of the surroundings of the flame, its aura etc. Close the eyes and connect it to the 3rd eye: ANTAR Trataka. Recollect all the details of the flame (palming with Bhramari) (make a sankalpa for good vision). 

Specs are optional. 
If possible do not blink. 
Allow water to come out. 

4. 10 to 12 min of palming. Specs shall be removed. 

5. three rounds of OM

6. Three-finger feather-touch massage of the face. Bring the palm in front of you and then open the eyes with a blink. 

7. wash eyes with splash of cool water. 

Distance 2 feet to 4 feet.
You can do it every day. First do the preparation. Initially do only the first stage daily: start with 10 seconds, then increase to 20 seconds, 30 seconds and so on. The last stage is 2x or 3x.
At least once in 15 days.

Formation of styes

* cool pads cucumber
* cotton dipped in cold milk OR rose water, kept on the eyes for 10 to 15 seconds. 

Distance chart reading

1. 30 second read near chart
2. 30 second visualize
3. 30 second read distance chart
4. 30 second rest
Repeat 3 to 5 times

Ball Exercise

200 times V
200 times opposite of U
Blink every time

Jatru Trataka 

1. Up and Down
2. Right and Left
3. diagonal LT to RB
4. diagonal RT to LB
5. forward and backward: tip of nose
6. Both Right and Left = defocus
7. 3rd Eye

Daily

* daily eyeball exercises + Palming
* Jatru Trataka OR Jyoti Trataka







5G Standards Development Update in 3GPP – Release 17 and 18


R17: Enhanced support for broadband & vertical use cases

R18: Advanced technologies & applications, e.g. AI/ML, XR, high frequency bands

R19: New vertical users, applications, deployment models, spectrum. 

================================

1. Service and system aspects

  • SA1: Service Requirements
  • SA2: System Architecture
  • SA3: Security
  • SA4: Codecs and Media Handling
  • SA5: Telecom Management
  • SA6: APIs and Applications

2. CT = Core Network and Terminals

  • CT1: Radio Application Protocols
  • CT3: External Networking
  • CT4: Core Network Protocols
  • CT6: Smart Card Applications

3. RAN: Radio Access Network

  • RAN1: Radio L1
  • RAN2: Radio L2& L3
  • RAN3: Radio N/w Interface
  • RAN4: Radio Performance Aspects
  • RAN5: Mobile Conformance Testing

================================

SA1  R17 (Service Requirements)

Majority of Work Area

  • eCAV: Enhanced Cyber-Physical Control ( industrial / factory vertical)
  • AVPROD: AV Service PRODuction ( A/V production vertical)
  • ATRAC: Asset TRACking ( warehouse vertical)
  • CMED: Critical MEDical applications ( medical vertical)
  • EAV: UAV Enhancement ( drone vertical)
  • 5GSAT: Satellites uses in 5G ( satellite vertical) 
  • REFEC: Enhanced Relays for coverage and energy efficiency ( various verticals) 
  • MUSIM: support for Multiple USIMs per UE
  • NCIS: Network Controlled Interactive Service

Ref: TR 21.917 R17

SA1 R18 (Service Requirements)

Work Areas for Vertical Markets

  • 5GSTAB: Satellite Backhaul ( satellite vertical)
  • SVCS: Satellite Access for Video Surveillance ( satellite vertical)
  • EXPOSE: Service Exposure for Verticals ( various verticals)
  • LPHAP: Low Power High Accuracy Positioning ( industrial / factory vertical)
  • SEI: Smart Energy & Infrastructure ( power grid vertical)
  • 5TRS: Timing Resiliency Service ( various verticals)

R17 work areas targeted specific verticals. R18 work areas are mostly not vertical-specific (apart from satellite and power grid), for example:

  • PIN/Private - Personal IoT Networks
  • Resident/Private - Residential 5G Networks
  • Ranging - UE Ranging Service and sidelink positioning
  • AMMT - AI/ML model transfer (Network - UE)
  • EASNAS - Enhancement to network slicing 
  • eMMTEL - IMS Evolution
  • TACMM - UE tactile & multi-modal communication  (gaming, robotic control) 
  • VMR - Vehicle Mounted Relays
  • PALS: Access to Localized Network Service
  • SFChain: Service Function Chaining
================================

SA2  R15 (System Architecture)

Baseline NR functionality for eMBB & URLLC

SA2  R16 (System Architecture) 5G phase 2

SA2  R17 (System Architecture)

Expand market reach of 5G: Satellite, IoT, Public Safety and MCS (Mission Critical Services), Edge Computing & Interactive Cloud Services,  UAS (unmanned Aerial Systems), 

Additional requirements of mobile operators and verticals: enhancement, performance & efficiency improvement, targeting industrial, V2X, mMTC, eMBB, N/w slicing and IAB (Integrated Access Backhaul) 

Edge Networking 

  • Since R15: uplink classifier or branching point

R17: 

  • 3 connectivity models

1. distributed anchor point

2. session breakout

3. multiple PDU session

  • discovery of edge application server 
  • N/w info. provisioning to local applications with low latency, e.g. N/w congestion 
  • Seamless edge relocation
  • 3GPP application layer architecture support
  • DNAI based (I-)SMF selection

By SA2 and SA6 both. Complementary solution. 

SNPN (Standalone Non-Public Network)

R17:

  • New Functions
    • Credential Holder
    • NSS-AAF (Network Slice Specific Authentication and Authorization Function)
  • UE onboarding & provisioning
  • IMS voice
  • Emergency Service
IIoT


R16: 
  • Integration of IEEE TSN. 
  • Time Sensitive Communication Services
  • Only DL Time Synchronization
R17:
  1. Time Synchronization 
  2. Time Sensitive Communication for any application 
  3. UL Time Synchronization also. TSN grandmaster clock can be at device also
  4. etc.
Ref: TS 23.501

N/w Automation 

R16:
  • N/W Automation and Data analytics by NWDAF
R17:
  • NWDAF = AnLF (Analytics Logical Function) + MTLF (Model Training Logical Function) 
  • Distributed NWDAF
  • Data collection coordination and delivery 
ATSSS (Access Traffic Steering, Switch and Splitting) Phase 2

  • Supporting MA PDU with 3GPP access leg over EPC and Non-3GPP access leg over 5GC

Location Services Phase 2
  • LRF: Location Retrieval Function
  • GMLC: Gateway Mobile Location Center
Unmanned Aerial System (UAV)
ProSe (Proximity Based Services)
Multicast/Broadcast Services
5G Advanced Interactive Services (5G-AIS).
Multimedia Priority Service (MPS) Phase 2:
Advanced V2X services - Phase 2
Architecture aspects for using satellite access in 5G.
Multi-USIM
Network Slicing Phase 2
Architecture Enhancement for NR Reduced Capability Devices
Minimization of Service Interruption (MINT)

Kube API and CRDs


k api-resources

- Name
- Short name
- API version
- Namespaced (Boolean)
- Kind
- Verbs

k api-versions

* Some APIs are not managed by a controller, e.g. SubjectAccessReview: it represents an operation on an object rather than a stored object.

* Kind has set of versions. All Kind are organized in group.

* We have multiple versions for a Kind

1. served version: List of versions available in API

2. Decodable version: Kube-API server knows how to decode that version. We can create object for specific kind with version x and retrieve object for same kind, with version y. When version change, schema also change. Kube-API server does schema conversion. 

3. storage version = encodable version: as per etcd

4. We can get preferred version with
k get --raw /apis/GROUP
For Example:
k get --raw /apis/networking.k8s.io

kubectl request with preferred version

* The (1) Kube-API server, (2) kube clients such as kubectl and (3) client-go each maintain a mapping between resource types (e.g. pods) and kinds (Pod). The REST endpoint is then constructed as follows:

- /apis/GROUP/VERSION/RESOURCE/NAME to get a cluster-scoped object
- /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME to access a namespace-scoped object.

Without specifying NAME, we get KindList (e.g. ServiceList)
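As an added example (not from the original notes), a small shell function that builds these REST paths the way kubectl or client-go would, including the KindList case when NAME is omitted. It assumes the core group (passed as an empty GROUP) is addressed as /api/VERSION, as the curl example further down these notes does, and that every other group lives under /apis/GROUP/VERSION; an empty NAMESPACE means a cluster-scoped object.

```shell
# Added example (not the notes' own code): build the REST path kubectl/client-go
# would request from (group, version, resource, namespace, name).
# Assumption: the core group ("" here) is served at /api/VERSION, every other
# group at /apis/GROUP/VERSION; namespace "" means a cluster-scoped object.
api_path() {
  # usage: api_path GROUP VERSION RESOURCE [NAMESPACE] [NAME]
  group=$1; version=$2; resource=$3; ns=${4:-}; name=${5:-}
  if [ -z "$group" ]; then
    base="/api/$version"
  else
    base="/apis/$group/$version"
  fi
  # namespace-scoped objects get the "namespaces/NAMESPACE" segment before the resource type
  if [ -n "$ns" ]; then
    base="$base/namespaces/$ns"
  fi
  if [ -n "$name" ]; then
    printf '%s/%s/%s\n' "$base" "$resource" "$name"
  else
    printf '%s/%s\n' "$base" "$resource"   # without NAME the server returns a KindList
  fi
}

# usage examples (each prints one path)
api_path networking.k8s.io v1 networkpolicies team-purple deny-all
api_path "" v1 pods default
api_path rbac.authorization.k8s.io v1 clusterroles "" view
```

Compare the output with `k get --raw <path>` against a real cluster: the first call returns one NetworkPolicy, the second a PodList, the third one ClusterRole.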

* Along with CRD, we define:
- group, kind, resource type
- versions: served version, storage version (used at etcd), decodable version, preferred version generally same as storage version. 
- namespace scoped or cluster scoped. This is scope for object, not for API. 
- URL endpoint

* Verbs

- get, list : GET
- watch : GET ....?watch=
- create, update: PUT
- patch: PATCH

* Generated values
- name : If generatedName is set
- creationTimestamp
- deletionTimestamp
- UID
- resourceVersion
- Any field set by mutating webhook
- port, IP for service object

Reference

minikube kubeconfig


  • From the .kube/config file, extract cluster.certificate-authority-data and decode it: ... | base64 -d > ca.crt

openssl x509 -in ca.crt -text -noout > ca.crt.decode

From ca.crt.decode:

Issuer: CN = minikubeCA

Subject: CN = minikubeCA

  • From the .kube/config file, extract user.user.client-certificate-data and decode it: ... | base64 -d > client.crt

openssl x509 -in client.crt -text -noout > client.crt.decode

From client.crt.decode

Issuer: CN = minikubeCA

Subject: O = system:masters, CN = kubernetes-admin
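Added example, not part of the original notes: the same inspection carried out against a constructed, throwaway PKI so it runs offline. It generates a CA and a client certificate with the same names the minikube kubeconfig shows (CN=minikubeCA; O=system:masters, CN=kubernetes-admin), writes them base64-encoded into a kubeconfig-shaped file, then extracts and decodes them exactly as above, and finally checks that the client certificate really chains to the CA in the same file. It assumes openssl, base64 (GNU coreutils) and mktemp are on PATH. The Subject is worth reading carefully: a client certificate with O=system:masters is cluster-admin irrespective of RBAC, so that kubeconfig deserves the same protection as the root password.

```shell
# Added example (not the notes' own code). Assumptions: openssl + GNU base64 on PATH;
# the CA/client names are constructed to mirror what minikube's kubeconfig shows.
make_fake_kubeconfig() {
  # usage: make_fake_kubeconfig DIR -> writes DIR/config shaped like ~/.kube/config
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=minikubeCA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=system:masters/CN=kubernetes-admin" \
    -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/client.crt" >/dev/null 2>&1
  # kubeconfig stores the PEM blobs base64-encoded on a single line
  cat > "$d/config" <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: $(base64 "$d/ca.crt" | tr -d '\n')
    server: https://127.0.0.1:8443
  name: minikube
users:
- name: minikube
  user:
    client-certificate-data: $(base64 "$d/client.crt" | tr -d '\n')
    client-key-data: $(base64 "$d/client.key" | tr -d '\n')
EOF
}

kubeconfig_cert_pem() {
  # usage: kubeconfig_cert_pem KUBECONFIG FIELD -> decoded PEM on stdout
  # FIELD is certificate-authority-data or client-certificate-data
  sed -n "s/^ *$2: //p" "$1" | head -n1 | base64 -d
}

kubeconfig_cert_issuer() {  # usage: kubeconfig_cert_issuer KUBECONFIG FIELD
  kubeconfig_cert_pem "$1" "$2" | openssl x509 -noout -issuer
}

kubeconfig_cert_subject() { # usage: kubeconfig_cert_subject KUBECONFIG FIELD
  kubeconfig_cert_pem "$1" "$2" | openssl x509 -noout -subject
}

kubeconfig_client_chains_to_ca() {
  # returns 0 only when the client cert was signed by the CA in the same kubeconfig
  d=$(mktemp -d)
  kubeconfig_cert_pem "$1" certificate-authority-data > "$d/ca.crt"
  kubeconfig_cert_pem "$1" client-certificate-data > "$d/client.crt"
  if openssl verify -CAfile "$d/ca.crt" "$d/client.crt" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -rf "$d"
  return $rc
}

demo_kubeconfig_inspect() {
  d=$(mktemp -d)
  make_fake_kubeconfig "$d"
  kubeconfig_cert_issuer  "$d/config" certificate-authority-data   # issuer=CN = minikubeCA
  kubeconfig_cert_subject "$d/config" client-certificate-data      # subject=O = system:masters, CN = kubernetes-admin
  if kubeconfig_client_chains_to_ca "$d/config"; then echo "client cert chains to cluster CA"; fi
  rm -rf "$d"
}
```

Against a real ~/.kube/config, only `kubeconfig_cert_issuer`, `kubeconfig_cert_subject` and `kubeconfig_client_chains_to_ca` are needed; `make_fake_kubeconfig` exists only to make the example self-contained.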

CKS Tips


1. Shortcut 

export do="--dry-run=client -o yaml"    # k get pod x $do
export now="--force --grace-period 0"   # k delete pod x $now
alias kn='k -n "namespace name"'

2. VIM related

2.1 edit ~/.vimrc

set ts=2
set et
set sw=2
set nu

2.2 To search in vi "/var/lib"

We should issue the command
/\/var\/lib

Here \ is used as special character 

2.3 To change last word of line

use "$" to go end of line
then move one word back using "b"
then "cw" to change word.
If needed use "c$" to remove and replace till end of line. 

3. How to create pod, without YAML

kubectl run nginx --image=nginx  --dry-run=client -o yaml > pod.yaml

4. If we have a file named a.txt and its sha512, then the steps are:

1. first create and open file a.txt.sha512
2. enter value of sha512
3. add two times space
4. add file name. here it is a.txt
5. close a.txt.sha512 file
6. run command: sha512sum -c a.txt.sha512

5. OPA and gatekeeper. We can list constraint with 

k get constraint
NAME                                                                  AGE
blacklistimages.constraints.gatekeeper.sh/pod-trusted-images          10m
requiredlabels.constraints.gatekeeper.sh/namespace-mandatory-labels   10m

Here the first part of each name is the constraint template and the second part is the constraint. So we can view / edit a constraint with 

k get blacklistimages pod-trusted-images -o yaml
k get requiredlabels namespace-mandatory-labels  -o yaml

To get template

k get constrainttemplate

Instead of typing out such a long name, an easier way is:

1. k get crd
Then copy paste
2. k get constrainttemplates.templates.gatekeeper.sh

6. To find image

k get po -o=custom-columns=Image:"spec.containers[*].image"

k get po -o=custom-columns=Name:"metadata.name",Image:"spec.containers[0].image"

7. Useful command to set namespace

kubectl config set-context --current --namespace="namespace"

8. To load an AppArmor profile, we use
sudo apparmor_parser -q "profile file path"

sudo apparmor_status
will list all profiles: loaded, in complain mode, in enforce mode
9. Mount secret as volume

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret

10. securityContext.capabilities is only for container, not for pod

11. securityContext.readOnlyRootFilesystem is only for container, not for pod. Note the capital R in "Root" and the lowercase s in "system".

12. Instead of applying (1) label to node and (2) then use nodeSelector, we can use nodeName in pod spec. 

spec:

  nodeName: cluster1-worker2 # add

13. To run command inside pod and take its output to outside pod. here the final command to be run inside the pod should be at the end. 

k -n team-purple exec gvisor-test > /opt/course/10/gvisor-test-dmesg -- dmesg

14. To run etcdctl

14.1. start with
ETCDCTL_API=3

14.2. Check input parameter of api server at master node
cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep etcd

14.3. Now do mapping. parameter value in kube-apiserver.yaml to input argument for etcd
--etcd-cafile  mapped to --cacert
--etcd-certfile mapped to --cert
--etcd-keyfile mapped to --key


14.4. then add below to command
get /registry/"k8s resource type"/"namespace name"/"k8s resource name"

So the complete command will be:

ETCDCTL_API=3 etcdctl --cacert "path as per --etcd-cafile" --cert "path as per --etcd-certfile" --key "path as per --etcd-keyfile" get /registry/"k8s resource type"/"name of the namespace"/"name of k8s resource"

There is no "=" for option/argument and value.

For details on Minikube please refer: http://layers7.blogspot.com/2020/06/minikube-etcd.html

15. For any pod, if automountServiceAccountToken is true or absent (i.e. not explicitly false), then once inside that pod we can reach the API with whatever access its SA has, as follows. 

15.1. Its SA token is located/mounted inside pod
/run/secrets/kubernetes.io/serviceaccount/token
15.2. We can use this token as a Bearer token in the Authorization HTTP header. 
15.3. We can form the URI = https://kubernetes.default/api/v1/namespaces/"name of namespace"/"k8s resource type"/"k8s resource name"
Here namespaces is plural.
15.4. we should add -k option to curl command

So complete command will be
curl https://kubernetes.default/api/v1/namespaces/"name of namespace"/"k8s resource type"/"k8s resource name" -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" -k

See the difference

etcdctl: /registry/"k8s resource type"/"namespace name"/"k8s resource name"

curl URL: /api/v1/namespaces/"name of namespace"/"k8s resource type"/"k8s resource name"

In short: 
etcdctl : first K8s resource then NS
curl URL: first NS then K8s resource. we need additional "namespaces"
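Added example (not the original notes' text): shell helpers that carry out steps 14.2 to 14.4 and 15.3 on a constructed excerpt of a kubeadm kube-apiserver.yaml, so the flag mapping and the two path shapes can be compared side by side without a cluster. The manifest contents are a constructed sample using the kubeadm default PKI paths; the helpers only print the commands and paths, they do not run etcdctl or curl.

```shell
# Added example (not the notes' own code). The manifest below is a constructed
# excerpt with kubeadm's default PKI paths; nothing here talks to etcd or the API.
manifest_flag() {
  # usage: manifest_flag MANIFEST FLAG -> value of the "- --FLAG=VALUE" line in the static pod manifest
  sed -n "s/^ *- --$2=//p" "$1" | head -n1
}

etcdctl_args() {
  # maps kube-apiserver flags to etcdctl flags; note: etcdctl takes "--opt value", no "="
  m=$1
  printf '%s %s %s %s %s %s' \
    --cacert "$(manifest_flag "$m" etcd-cafile)" \
    --cert   "$(manifest_flag "$m" etcd-certfile)" \
    --key    "$(manifest_flag "$m" etcd-keyfile)"
}

etcd_key() {
  # usage: etcd_key TYPE NAMESPACE NAME -> etcd key: resource type first, then namespace
  printf '/registry/%s/%s/%s' "$1" "$2" "$3"
}

api_url() {
  # usage: api_url TYPE NAMESPACE NAME -> in-cluster API URL: "namespaces/<ns>" first, then type
  printf 'https://kubernetes.default/api/v1/namespaces/%s/%s/%s' "$2" "$1" "$3"
}

etcdctl_cmd() {
  # usage: etcdctl_cmd MANIFEST TYPE NAMESPACE NAME -> full command line to run on the control plane node
  printf 'ETCDCTL_API=3 etcdctl %s get %s\n' "$(etcdctl_args "$1")" "$(etcd_key "$2" "$3" "$4")"
}

write_sample_manifest() {
  # constructed excerpt of /etc/kubernetes/manifests/kube-apiserver.yaml (kubeadm default paths)
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
EOF
}

demo_etcd_vs_api() {
  tmp=$(mktemp -d)
  write_sample_manifest "$tmp/kube-apiserver.yaml"
  etcdctl_cmd "$tmp/kube-apiserver.yaml" secrets team-purple db-creds
  api_url secrets team-purple db-creds; echo
  rm -rf "$tmp"
}
```

The printed pair makes the ordering difference visible: etcd stores the object under /registry/secrets/team-purple/db-creds, while the API serves it at /api/v1/namespaces/team-purple/secrets/db-creds. Reading a Secret straight out of etcd also shows why encryption at rest for secrets matters: without it, anyone holding the apiserver's etcd client certificate reads every Secret in plain text.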

16. If secret is mounted as volume or as ENV variable, then also we can access it using exec inside pod. 

17. TLS type secret

kubectl create secret tls my-tls-secret \
  --cert=path/to/cert/file \
  --key=path/to/key/file

* This TLS type secret we can use in ingress resource

  tls:
  - hosts:
      - sslexample.foo.com
    secretName: testsecret-tls

Please note: Here both k8s resources (1) ingress and (2) TLS type secret, should belong to same namespace


18. A few useful podman commands. Same as the docker commands.

podman build -t "tag or registryFQDN/user/image:version" .
Do not forget the trailing "dot": it is the build context, i.e. the Dockerfile is read from PWD.
One can also give another directory path as the context; it must be a directory, not the path of the Dockerfile itself.

podman push "registryFQDN/user/image:version"

19. These commands show the uid, gid and groups (fsGroup)

19.1 id
19.2 cat /etc/passwd

20. Note: all "resources" are always plural in a k8s API server audit policy file, e.g. cronjobs, pods etc.

21. We can specify readOnlyRootFileSystem as true inside container securityContext. Then to allow specific path as writeable, mount it as emptyDir

        volumeMounts:                     # add
        - mountPath: /tmp                 # add
          name: temp-vol                  # add
      volumes:                            # add
      - name: temp-vol                    # add
        emptyDir: {}                      # add

22. To upgrade k8s version
* k get node
It give kubelet version

22.1 k drain master --ignore-daemonsets
Note: drain cordons the node first; DaemonSets is plural in the flag

22.2 now log in to master

22.2.1 first update kubeadm
apt-get install kubeadm=1.x.y-00
Note: there is no V here

Before installing anything, we shall perform
apt-get update

22.2.2 kubeadm upgrade plan
It will suggest next command
22.2.3 kubeadm upgrade apply v1.x.y
Note: Here the v is present

Now, optionally one can verify the upgrade is successful or not by running same command again
kubeadm upgrade plan

22.2.4 Now upgrade kubelet version
apt-get install kubelet=1.22.1-00
Note: No V here
22.2.5 Now optionally restart kubelet
systemctl daemon-reload && systemctl restart kubelet
22.2.6 exit from master node

22.3 k uncordon master
22.4 Now log in to worker

Here instead of 
22.2.2 kubeadm upgrade plan
22.2.3 kubeadm upgrade apply v1.x.y

We have to use
22.4.1 kubeadm upgrade node

now run same as 22.2.4 to 22.2.6 and update kubelet

22.5 same as 22.3 now uncordon worker
k uncordon worker


Basically
Master
cordon
Install new kubeadm, kubelet
kubeadm upgrade plan
kubeadm upgrade apply "newVersion"
uncordon

Worker
Same steps, except 2 commands for kubeadm, here only one command
kubeadm upgrade node

23. We should never echo ENV, which is loaded from secret

24. Never put password in plain text in YAML file

25. In a Dockerfile, if one instruction copies a secret token using COPY or ADD, and a later RUN instruction deletes it with "rm", the token still remains in the earlier layer. Avoid it. 

26. See various command start with 
kubectl config -h

27. To get pod from container ID

27.1 crictl ps --id "container ID"
It will give pod id

27.2 crictl pods --id "pod id"
Note: It is pods , not pod

28. Annotation for apparmor profile.
- for pod it is : metadata.annotations
- for deployment it is: spec.template.metadata.annotations

We can annotate pod using kubectl imperative command. Not possible for deployment 

k annotate pod "pod name" k1=v1 k2=v2 k3=v3

29. In a network policy, podSelector applies to the target pods and also inside rules; namespaceSelector is only for rules. Both selectors need matchLabels. We cannot provide a list of pods by naming the pods. We can use matchExpressions; however matchExpressions also works only on label k.v pairs, not on other attributes like name, image name, container name etc. 

30. Use the command c$ to replace from the cursor till the end of the line (vi editor shortcut). Useful while editing a YAML file copied from the k8s docs when you wish to change some values. cw changes a single word; if the existing value contains - or /, c$ is more useful. 

31. For K8s audit, specify log file path, which already exist. E.g. /var/log/audit.log

32. for k8s audit policy
We need to mention group of resource. Do not include version. To find API group, run the command
k api-resources

33. Specify image

33.1 k run for creating pod

kubectl run nginx --image=nginx -n mynamespace  

33.2 k create to create deployment, job, cronjob

kubectl create deployment nginx --image=nginx 

33.3 k set image, to upgrade. Only here we use container name. "www" in below example

kubectl set image deployment/frontend www=image:v2

34. CIS 

34.1 report's sections

You can get them by running the command

grep "INFO" "report file name"

====================================
1. Control plane

1.1 All config files  /* all file/folder permission and ownership */
1.2 API server
1.3 Controller-Manager
1.4 Scheduler

2. etcd

3. Control plane config

4. Worker node

4.1 worker node config files /* all file/folder permission and ownership */
4.2 kubelet

5. Policies

5.1 RBAC and SA
5.2 PSP
5.3 netpol and CNI
5.4 Secret mgmt
5.5 extensible admission control
5.7 General
====================================

34.2 section wise failure

You can get them by running the command

grep "check FAIL" "report file name"


35. To remove duplicate

cat "file name" | uniq

Note: It is uniq, not unique. uniq only collapses adjacent duplicate lines, so sort the input first if duplicates are not next to each other. 

36. All the Kind always start with capital letter. Useful while searching audit log

37. RBAC

37.1 Note:
  • system:serviceaccount: (singular) is the prefix for service account usernames.
  • system:serviceaccounts: (plural) is the prefix for service account groups.
37.2 Grant a role to all service accounts in a namespace

kubectl create rolebinding serviceaccounts-view \
  --clusterrole=view \
  --group=system:serviceaccounts:my-namespace \
  --namespace=my-namespace

37.3 Grant a limited role to all service accounts cluster-wide (discouraged)

kubectl create clusterrolebinding serviceaccounts-view \
  --clusterrole=view \
  --group=system:serviceaccounts

39. Important paths

39.1. SA token inside pod
/var/run/secrets/kubernetes.io/serviceaccount/token

39.2. Kube-api manifest file at master node.
/etc/kubernetes/manifests/kube-apiserver.yaml

39.3. seccomp path at worker | master node
/var/lib/kubelet/seccomp/profiles/name.json
In YAML file of pod/deployment we mention 
localhostProfile: profiles/name.json

39.4 All AppArmor profile files (not the loaded profiles) are located on the worker node at
/etc/apparmor.d/

39.5 For runtime class configuration 

39.5.1 with containerd
/etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.${HANDLER_NAME}]

39.5.2 with crio
/etc/crio/crio.conf
=============
38. module_request in SELinux