How Do You Troubleshoot a Kubernetes Dashboard Message about a 403 Forbidden Error?

Problem scenario
You created an EKS cluster. But when you open a web browser and go to the API endpoint, you get a 403 forbidden error.

The web browser shows something like this:

kind "Status"
apiVersion "v1"
metadata {}
status "Failure"
message "forbidden: User \"system:anonymous\" cannot get path \"/\""
reason "Forbidden"
details {}
code 403

How do you access the web UI in Kubernetes for the first time?

Possible Solution
The API endpoint as seen in the AWS Console for EKS is not a complete URL that you can browse to. Append a URL path. For example, append "/api" to the base URL (provided in the AWS Console).

Try appending "apis/extensions/v1beta1" to the base URL too.

You may also want to see this posting.

What Does the Phrase Cloud Native Mean?

Question
What does the phrase "Cloud Native" mean?

Answer
It is a descriptive term that means having the qualities of cutting-edge cloud technologies. In our experience it connotes using microservices and containers primarily with open source technologies. In some ways it is cloud 2.0. Originally cloud computing referred to SaaS and possibly IaaS or PaaS, but now cloud computing is referring to CaaS and KaaS too.

The Cloud Native Computing Foundation is well-respected and has this definition. Stackify finds variations in the definition of "cloud native." We have found several more.

Oracle's definition denotes a need for code without regard for the cloud itself:
"Cloud native technologies are characterized by the use of containers, microservices, serverless functions, development pipelines, and infrastructure expressed as code."

IBM's definition also suggests that cloud computing is not necessary, but IBM makes no mention of code for something to be cloud-native:

What is cloud-native?
    Cloud-native refers less to where an application resides and more to how it is built and deployed.
    A cloud-native application consists of discrete, reusable components known as microservices that are designed to integrate into any cloud environment.
    These microservices act as building blocks and are often packaged in containers.
    Microservices work together as a whole to comprise an application, yet each can be independently scaled, continuously improved, and quickly iterated through automation and orchestration processes.
    The flexibility of each microservice adds to the agility and continuous improvement of cloud-native applications.

"Cloud native" (with no hyphen) is used interchangeably with Kubernetes in Kubernetes Patterns (page three of "Kubernetes Patterns by Bilgin Ibryam and Roland Huß (O'Reilly). Copyright 2019 Bilgin Ibryam and Roland Huß, 978-1-492-05028-5").

One blogger writes '“Cloud Native” is the name of a particular approach to designing, building and running applications based on infrastructure-as-a-service combined with new operational tools and services like continuous integration, container engines and orchestrators.'

How Do You Troubleshoot a Bitbucket Webhook Invocation to Start a Jenkins Build?

Problem scenario
You have created a webhook in Bitbucket to call a Jenkins URL. You create the triggering event in the repository (e.g., by pushing code or creating a pull request). The build associated with the Jenkins URL does not start.

You manually tested the Jenkins URL, bypassing Bitbucket, with curl -X POST. The invocation successfully starts the build.

In the Bitbucket logs you see "Connection refused" or "403 Forbidden" errors when the triggering event happens to the given repository (configured with the webhook).

It seems as though the source server is different and potentially causing the problem (e.g., by virtue of its IP address). You do not think, but are not sure, that Jenkins has an authentication mechanism to differentiate the source IP address or other attributes about the source of the HTTP invocation to the URL.

What should you do to get Bitbucket to call the same URL?

Solution

Install and configure a Jenkins plugin that facilitates the integration with Bitbucket. Configure a Bitbucket server system-wide (in the Manage Jenkins section of the Jenkins server).

Bitbucket with a manually-configured Jenkins URL can lead to 403 Forbidden errors that are not easily reproducible in other contexts. The Bitbucket invocation of the URL is not like a curl POST command or a wget command with respect to some crucial details of the REST API functionality.

What Are The Disadvantages of Using WordPress for a Programming Blog?

Question
What are the drawbacks of using WordPress when you want syntax highlighting for code in your blog?

Answer

1. When you paste PHP code, it will disappear. In Weebly for example, you can paste PHP code and there will be no automatic elimination of it. In Weebly, the PHP code remains as text. You have to get used to this. WordPress is clearly more flexible and mature than Weebly, but some of your drafted posts need to be cut and pasted into a "code" block rather than a default text or "Paragraph" block in WordPress. It is easy to specify a "Paragraph" block; you just have to remember to do this. The text below is an example of what it looks like when you use the "code" block option (which is built in and not a plugin, so it is natively supported):

<?php
exec('bash /var/www/html/testScript.sh');
?>

The three lines above would be eliminated in a "Paragraph" block without any warning to the person creating a new post.

2. The syntax highlighters usually (or always) require the Gutenberg plugin. This plugin can be slow and have other drawbacks.

Here are two external blog postings which discuss the negative aspects of Gutenberg:
https://nachtimwald.com/2019/01/01/wordpress-gutenberg-editor-is-garbage-if-you-need-to-post-code/

https://networkbees.com/2018/12/07/wordpress-gutenberg-editor-sucks/

How Do You Analyze Code with SonarQube?

Problem scenario
You want to utilize SonarQube to do some analysis of some code. What do you do?

Solution
Prerequisites
This assumes you have SonarQube and SonarQube Scanner (aka sonar-scanner) installed. If you need assistance with either of these, see this link to install SonarQube or this link to install sonar-scanner.

Procedures

  1. Place the source code file (e.g., foo.py) in a directory on the back-end of a server with Sonar-Scanner.
  2. The sonar-project.properties file should refer to the directory with the code in the sonar.sources= stanza. The path after the equals sign is relative to the directory the sonar-project.properties file is in. So if you have a subdirectory named "contint" in the same directory as the sonar-project.properties file, your stanza will look like this:
sonar.sources=contint
  3. From the directory with sonar-project.properties, run the sonar-scanner -X command.
  4. Go to the web UI for SonarQube. Log in. Go to Projects. Click on the Project associated with the name specified in the sonar-project.properties file.
  5. Optional step if you only want to analyze code for one programming language. In the sonar-project.properties file, the sonar.language stanza should be specific to the code you want to analyze exclusively. There are codes (or abbreviated symbols) for each language. If you run "sonar-scanner -X" on the back-end, you may see the different codes amongst other output. For three languages, here are the codes, but do not use the quotes:
    For Python, the code is "py". For C#, the code is "cs". For Java, the code is "java".

Here is an example of the sonar.language stanza for Python:

sonar.language=py

If you want SonarQube Scanner to analyze each programming language, omit or comment out the sonar.language stanza.
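
Because sonar.sources is resolved relative to the directory holding sonar-project.properties, a wrong relative path is an easy mistake to make in step 2. The check below is an added example, not part of the original post; the function name check_sonar_sources and the sample layout are its own, and its handling of absolute paths and of an unset sonar.sources is an assumption about the scanner's behavior.

```shell
#!/bin/sh
# Added example: check that every sonar.sources entry exists when resolved
# relative to the directory holding sonar-project.properties.
check_sonar_sources() {   # prints missing paths; returns how many are missing
  props=$1; base=$(dirname "$props"); missing=0
  # Uncommented sonar.sources= line (the last one if repeated); comma-separated.
  value=$(sed -n 's/^[[:space:]]*sonar\.sources[[:space:]]*=[[:space:]]*//p' "$props" | tail -n 1)
  [ -n "$value" ] || value=.        # assumption: unset means the base directory
  old_ifs=$IFS; IFS=,
  for entry in $value; do
    entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $entry in
      /*) full=$entry ;;            # assumption: absolute paths taken as written
      *)  full=$base/$entry ;;      # relative to the properties file's directory
    esac
    [ -e "$full" ] || { echo "missing: $entry (looked for $full)"; missing=$((missing + 1)); }
  done
  IFS=$old_ifs
  return "$missing"
}

# Constructed layout matching the page: contint/ beside the properties file.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/contint"
printf 'sonar.projectKey=demo\nsonar.sources=contint\nsonar.language=py\n' \
  > "$demo_dir/sonar-project.properties"
check_sonar_sources "$demo_dir/sonar-project.properties" && echo "sonar.sources resolves"
```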

How Do You Deal with USB Device Failure When the USB Stick Is Known to Work with Other Computers?

Problem scenario
One of the below three situations describes your problem:

#1  You insert a USB stick and nothing happens.  You know the USB sticks work with other computers.

OR

#2  You insert a USB stick and nothing happens for a while.  There is a long delay.  You know the USB sticks work fine with other computers.

OR  

#3  You plug in a USB stick but you hear a different sound from what you are used to.  You hear a sound with three notes with the third note that is quieter than the first two.  You can hear it at the 13-second mark of this 14-second clip.

The YouTube video above shows "USB Device Fail" when it plays the sound you are experiencing (and described above at the 13-second mark).  It is supposed to signify the USB drive insertion failed; this sound can be a "false negative" or benign.  In your case, there is indeed no drive letter appearing in Windows corresponding with your physical insertion of the stick.  What should you do?

Solution
If the problem is intermittent and happens infrequently, the solution may be to just live with it.  Otherwise you may need to reinstall the Windows OS.  If reinstalling the OS does not work, you may need to purchase a new computer or replace the USB ports inside the computer.  If the problem is intermittent, the problem would likely be solved by reinstalling the Windows OS. If none of the above are acceptable, you can read this external posting.

How Do You Troubleshoot the Ansible Error “directory was skipped as it does not seem to be a valid directory or it cannot be accessed”?

Problem scenario
You are using Ansible's find module.  You want it to find the destination of a symbolic link.  When you run the playbook you have a way of finding what the find module returns.  It is saying something about "directory was skipped as it does not seem to be a valid directory or it cannot be accessed."  What should you do?

Solution
Use the stat module.  Instead of the "paths" attribute use the "path" attribute.  

You can register the return value with "register".  If the variable is named foo, you can find the destination of the symbolic link with something like this:

shell:  echo "{{ foo.stat.lnk_target }}" > /tmp/destination.txt 

How Do You Install Kerberos Key Distribution Center Server on a CentOS/RHEL/Fedora server?

Problem Scenario
You want to install the Kerberos KDC server on a Red Hat derivative of Linux.  You want to test it out with a second Red Hat distribution of Linux server as a client of the Kerberos centralized authentication server.  What do you do?

Solution
Prerequisites
Ensure the Kerberos authentication server can receive inbound connections over ports 88, 464, and 749.  Intermediate firewalls and/or software firewalls must allow these ports to receive inbound connections to the Kerberos authentication server.  With AWS the controlling Security Group for the Kerberos authentication server must allow for these ports based on the source IP address of each Kerberos client server.  (There are non-standard port configurations for Kerberos.  If you are using non-standard ports, ensure the firewalls permit connectivity accordingly.)  

Overview
The first five steps are to be done on the server that will do the authentication.  Steps 6 through 8 (inclusive) are to be done on the server that will be a client. Steps 9 through 11 are to be done back on the authentication server.  

1.  On the server that will be the centralized authorization server, the main Kerberos server, run this command:

sudo yum install -y krb5-server krb5-workstation krb5-libs

2.  Modify the file /etc/krb5.conf in at least six places.  It should look like the example below, with two changes: 1) replace "fqdnfqdnfqdn" with the FQDN of your server (even if it does not include the domain name in #2); if you don't know the FQDN of your server, run this command without quotes: "hostname -f".  2) replace "CONTINUALINTEGRATION.COM" with the domain name of your choice.  (As a proof-of-concept, acme.com should work even if you do not own it.)

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = CONTINUALINTEGRATION.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 CONTINUALINTEGRATION.COM = {
  kdc = fqdnfqdnfqdn
  admin_server = fqdnfqdnfqdn
 }

[domain_realm]
 .continualintegration.com = CONTINUALINTEGRATION.COM
 continualintegration.com = CONTINUALINTEGRATION.COM

3.a.  Run this: sudo /usr/sbin/kdb5_util create -s

3.b.  Respond to this prompt "Enter KDC database master key:" with the string of your choice.

4.a.  Run this but replace "contintuser" with a new username of your choice:  
sudo kadmin.local -q "addprinc contintuser"

4.b. Respond to the two prompts that follow with the string of your choice that will become the password.

5.  Run these commands:

sudo service krb5kdc start
sudo service kadmin start

6.  Log into the server that will be the Kerberos client.

7.  Run this command:  sudo yum install -y krb5-workstation krb5-libs

8.  Copy /etc/krb5.conf from the master server and place it on the client server.

9.  Go back to the Kerberos authentication server.  

10.  Run this command but replace "fqdnfqdnfqdn" with the FQDN of the Kerberos client server:

sudo kadmin.local -q "addprinc host/fqdnfqdnfqdn"

11.  Run this command but replace "fqdnfqdnfqdn" with the FQDN of the Kerberos client server:

sudo kadmin.local -q "ktadd -k /etc/krb5.keytab host/fqdnfqdnfqdn"

12.  From the client server, run these commands (but replace "contintuser" with the user you created earlier):

     sudo useradd contintuser
     sudo passwd contintuser
     su contintuser
     kinit

13.  Respond with the password for Kerberos (entered in step #4.b. above).

14.  Run this command: klist

If you see something like this, Kerberos is working:

Ticket cache: KEYRING:persistent:1001:1001
Default principal: contintuser@CONTINUALINTEGRATION.COM

Valid starting       Expires              Service principal
05/12/2019 01:04:49  05/13/2019 01:04:49  krbtgt/CONTINUALINTEGRATION.COM@CONTINUALINTEGRATION.COM
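
Step 2 asks for edits in at least six places, and a half-edited /etc/krb5.conf is easy to copy to the client in step 8 unnoticed. The lint script below is an added example, not part of the original post; the function names krb5_flatten, check_krb5_conf and sample_conf are its own, and the sample file is constructed from the page's template with only default_realm changed.

```shell
#!/bin/sh
# Added example: lint a krb5.conf built from the page's template (step 2).
PLACEHOLDER="fqdnfqdnfqdn"   # the marker the page's template uses for the FQDN

# Flatten FILE to "section block key value" lines ("-" = not inside braces).
krb5_flatten() {
  awk '
    NF == 0 || $1 ~ /^#/      { next }
    $1 ~ /^\[/                { sec = substr($1, 2, length($1) - 2); blk = "-"; next }
    $2 == "=" && $3 == "{"    { blk = $1; next }
    $1 == "}"                 { blk = "-"; next }
    $2 == "="                 { print sec, blk, $1, $3 }
  ' "$1"
}

# Print one finding per line; the return status is the number of findings.
check_krb5_conf() {
  flat=$(krb5_flatten "$1"); n=0
  realm=$(printf '%s\n' "$flat" | awk '$1 == "libdefaults" && $3 == "default_realm" { print $4 }')
  [ -n "$realm" ] || { echo "no default_realm in [libdefaults]"; n=$((n + 1)); }
  for key in kdc admin_server; do
    host=$(printf '%s\n' "$flat" | awk -v r="$realm" -v k="$key" \
      '$1 == "realms" && $2 == r && $3 == k { print $4; exit }')
    if [ -z "$host" ]; then
      echo "[realms] has no $key for realm '$realm'"; n=$((n + 1))
    elif [ "$host" = "$PLACEHOLDER" ]; then
      echo "$key is still the placeholder $PLACEHOLDER"; n=$((n + 1))
    fi
  done
  # Every [domain_realm] line must map to the default realm (case-sensitive).
  stale=$(printf '%s\n' "$flat" | awk -v r="$realm" \
    '$1 == "domain_realm" && $4 != r { printf "%s ", $3 }')
  [ -z "$stale" ] || { echo "[domain_realm] not mapped to $realm: $stale"; n=$((n + 1)); }
  return "$n"
}

# Constructed sample: the page's template with only default_realm edited.
sample_conf() {
  cat <<'EOF'
[libdefaults]
 default_realm = ACME.COM
[realms]
 CONTINUALINTEGRATION.COM = {
  kdc = fqdnfqdnfqdn
  admin_server = fqdnfqdnfqdn
 }
[domain_realm]
 .continualintegration.com = CONTINUALINTEGRATION.COM
 continualintegration.com = CONTINUALINTEGRATION.COM
EOF
}

tmp=$(mktemp); sample_conf > "$tmp"
check_krb5_conf "$tmp" || echo "$? finding(s): fix before step 8"; rm -f "$tmp"
```

On the real server, run check_krb5_conf /etc/krb5.conf after step 2; a zero exit status means the realm, both host entries and the [domain_realm] mappings agree.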

How Do You Install Foreman on a RHEL Server?

Problem scenario
You want to install Foreman on a RHEL server.  What should you do?

Solution
Warning
If you install this on a server that is already a Puppet master server, your site.pp file will be overwritten.

Procedures
Tips:  With EC-2 instances, you can usually skip to step #3.

1.  Modify /etc/hostname to be the FQDN of your server (the result of a hostname -f command).

(A Google Cloud Platform virtual server will usually need step #2 to be performed.  But an EC-2 server will likely not need this to be done; if you do not need to do this step, skip to step #3.)

2.  Update /etc/hostname.  This file should have the FQDN of the server (not merely the short hostname).  Run this command if you needed to modify the /etc/hostname file:
sudo hostname --file /etc/hostname
# The above command will make the changes take effect.

3.  What you do for this step depends on whether or not you are using GCP or AWS.  If you are using a GCP server, run these commands:
sudo yum -y install yum-utils 

sudo yum-config-manager --enable rhel-7-server-optional-rpms rhel-server-rhscl-7-rpms

If you are using an EC-2 (AWS) server, run this command:

sudo yum-config-manager --enable rhui-REGION-rhel-server-rhscl

4.  Run these commands:

sudo rpm -ivh http://yum.theforeman.org/releases/latest/el7/x86_64/foreman-release.rpm

sudo rpm -ivh https://yum.puppetlabs.com/puppet5/puppet5-nightly/puppet5-nightly-release-el-7.noarch.rpm

sudo yum -y install foreman foreman-installer


5.  Run this command:

sudo find / -name foreman-installer -type f

Based on the results above, run this:
sudo /path/to/foreman-installer --foreman-version

# Replace "path/to" with the results of the first command (e.g., "/usr/sbin/").

Now you should have a web UI to log into.  From a web browser, you may be able to go to the external IP address (over port 80) provided that there are no firewall restrictions (e.g., no Security Groups blocking your workstation's IP address).  (You may have to confirm a security exception because of the site's certificate.  This is acceptable if it is a proof-of-concept and you are setting it up for the first time or you are in a very secure environment.  Otherwise you will want to secure your Foreman instance.)

How Do You Use a Bound Method in Python?

Problem scenario
You want to write a Python program with a bound method.  What should you do?

Solution
This program uses a bound method.  The method funtest() is bound to objects that are members of the class "widgetfactory".  You cannot use the method without it being bound to this class.  (If you uncomment the last line, you'll see it is a bound method and not an unbound method; the program will fail if you uncomment the last line.)

#!/usr/bin/env python

class widgetfactory:
  def __init__(self):
    pass

  def funtest(self):  # This is a public method.
    print('This widget is working!')

goodwidget = widgetfactory()
goodwidget.funtest()
#funtest()     # This function (if uncommented out) will not work.  It must be bound to an object of the class "widgetfactory".