Why Cannot a User Approve a Release Pipeline to an Environment?

Problem scenario
A user in Azure DevOps cannot approve releases to a given environment. The permissions are correct; the user is a member of the relevant custom security group in the project. Why can't the user approve the deployment to an environment?

Solution
Can the user reach the Azure DevOps organization? Can the user also see the project? The organization subsumes the project, and the member may need to be added to the organization. A parent organization may be somewhat separate from the sub-environment.

The root cause is that the permissions are not actually correct. Check the members list of the project. It could be that the user is a member of a group, but not a member of the project itself. (It may not be enough to be a member of a group in a project. The user may need to be a member of the project itself for some configurations of Azure DevOps.)

The user may not have approval authority for a relevant resource; see this posting. See also this.

How Do You Troubleshoot a Kubernetes Cluster That is Not Working at the Node Level?

Problem scenario
The nodes in a Kubernetes cluster are not working. What should you do?

Possible Solution #1
Run this command: kubectl get nodes
For the node that is not healthy, assuming its hostname is "foobar", run this command: kubectl describe node foobar

Possible Solution #2
If you have pods and no nodes (which could be the case), run this:
kubectl get pods
Then, for a pod name taken from that output (shown here as the placeholder <pod-name>), run:
kubectl logs <pod-name>

Possible solution #3
If you are using EKS, look at the user guide:
https://docs.aws.amazon.com/eks/latest/userguide/eks-ug.pdf

Possible solution #4
Run this command: kubectl describe pods
If there is an error about a subnet.env file not existing, see this posting.
If the output says something like "cni config uninitialized", see this posting.

How Do You Troubleshoot “java.io.IOException: Stream closed at java.base/java.lang.ProcessBuilder$NullOutputStream.write(ProcessBuilder.java:442)”?

Problem scenario
You are trying to run a Hadoop job. You get this error:
"java.io.IOException: Stream closed at java.base/java.lang.ProcessBuilder$NullOutputStream.write(ProcessBuilder.java:442)"

What should you do?

Solution
Is the "python" command recognized as such? You may need to install Python or link the python3 binary to a typical location where the PATH environment variable would look for it (e.g., /usr/bin/python).

Here are commands that could help you:

whereis python3
sudo ln -s python3 /bin/python

If you need help installing Python, see this posting.

How Do You Find the Details of Permissions/Privileges of a User in GitHub Enterprise?

Problem scenario
You are using GitHub Enterprise. You want to see the details of a user's permissions (e.g., when it was created or before someone modified the user's ability to control repos). What do you do?

Solution

  1. Go to the Audit Log in the web UI. (To learn more about this, see this external site.)
  2. Search for the user by the username. In the results, find the oldest ones. Then find the "…" symbol near the bottom of the result that is from a day you want to examine. This "…" symbol will allow you to see many details.
  3. To see commits to individual repos, the above steps will not help you. To see who has committed to individual repos, you need to go to the main web UI for the repository, and then go to Insights. Then go to "Contributors".

How Do You Solve the macOS Command Line Error “No Java runtime present…”?

Problem scenario
On macOS, you are trying to run a command (e.g., a "java" command) from the Terminal utility (character prompt). You get the message "No Java runtime present", and the command fails. What should you do?

Solution
Using the GUI, download the .dmg file from here.

Once it is downloaded, double click it. Follow the menu steps (Continue -> Install -> (enter a password if/when prompted), -> Close). Make sure it is installed. Now you should not see that problem again.

What Are Eight Ways of Rotating AWS IAM Keys?

Problem scenario
You want to rotate AWS IAM keys across a set of different AWS accounts. Regular rotation is a recommended practice for securing your AWS resources (per this Amazon posting). Just as passwords can be brute-forced and defeated through exhaustive attempts, access keys could be randomly generated and attempted by a malicious person or program; rotating the access keys can make hacking your AWS resources tremendously more difficult.

You want to evaluate many different options for changing the AWS access keys. What can you do to rotate AWS IAM/access keys?

Eight Possible Solutions (There is arguably overlap between some of the options depending on how you implement them. There could be nine methods here. It is difficult to discretely enumerate the number of combinations.)

  1. Manually rotate them with the AWS Console.
  2. Using AWS Lambda
  3. Using Boto3
  4. Using CloudFormation (This also uses Lambda)
    https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-create-generic-template.html
  5. Using Terraform
  6. Using AWS Config Managed Rule
    https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html
  7. Use this third party tool: https://aws-rotate-iam-keys.com
  8. Use Serverless.com
  9. Use AWS Trusted Advisor. (It provides recommendations and action links to rotate IAM access keys.)*
  10. Use the AWS CLI and possibly a crontab job.

See also this Amazon posting and this other one that delves into automation. This medium.com article may be useful for you too. AWS Config can help you comply with your InfoSec team's rules on rotating passwords (as this posting states).

* To learn more about Trusted Advisor, see this external posting.


IAM keys are AWS access keys. We know this because "[a]ccess keys are long-term credentials for an IAM user or the AWS account root user." (The quote was taken from this Amazon page.)

Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html

To learn about the difference between an IAM role and an IAM access key, see this posting.
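
As an added example (not code from any of the postings linked above), here is one way option 3 (Boto3) could be written so that a scheduled job, such as the Lambda or crontab options, advances the rotation one reversible step per run. The 90-day limit, the function name rotate_step and the deliver callback are assumptions made for this illustration; the IAM client methods are the standard boto3 ones.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # assumed policy value; the page names no interval


def rotate_step(iam, user, deliver, now=None, max_age=MAX_AGE):
    """Advance one IAM user's access-key rotation by a single step.

    iam     -- boto3.client("iam"), or any object with the same methods
    deliver -- hypothetical callback(key_id, secret) that writes the new
               secret to wherever the consuming application reads it
    Returns a string naming the action taken; the secret is never returned.
    """
    now = now or datetime.now(timezone.utc)
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    active = sorted((k for k in keys if k["Status"] == "Active"),
                    key=lambda k: k["CreateDate"])
    inactive = [k for k in keys if k["Status"] == "Inactive"]

    # Last step of the previous cycle: a key deactivated on an earlier run
    # was not needed in the meantime, so delete it. This frees one of the
    # two access-key slots an IAM user is allowed.
    if inactive:
        key_id = inactive[0]["AccessKeyId"]
        iam.delete_access_key(UserName=user, AccessKeyId=key_id)
        return "deleted " + key_id

    if not active or now - active[0]["CreateDate"] <= max_age:
        return "nothing to do"
    old = active[0]

    # First step: only the over-age key exists, so issue its replacement.
    if len(active) == 1:
        new = iam.create_access_key(UserName=user)["AccessKey"]
        deliver(new["AccessKeyId"], new["SecretAccessKey"])
        return "created " + new["AccessKeyId"]

    # Middle step: deactivate (not delete) the old key, and only after the
    # new key has been used, which shows the consumer has switched over.
    # An inactive key can be set back to Active if something breaks.
    used = iam.get_access_key_last_used(AccessKeyId=active[-1]["AccessKeyId"])
    if used["AccessKeyLastUsed"].get("LastUsedDate") is None:
        return "waiting: new key unused"
    iam.update_access_key(UserName=user, AccessKeyId=old["AccessKeyId"],
                          Status="Inactive")
    return "deactivated " + old["AccessKeyId"]
```

Call it from the scheduled job as rotate_step(boto3.client("iam"), "<user-name>", deliver); the interval between runs is the rollback window before a deactivated key is deleted.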

How Do You Find a File by Name in GitHub (when it is not otherwise showing up)?

Problem scenario
You are searching GitHub for a file by its name. But for some reason it is not showing up in the results. What should you do?

Solution
Use the "filename:" option in the search terms before the name of the file you are looking for.
org:coolorgname filename:rio.yml

For some reason this "filename:" option returns more results. (This solution is supported by https://stackoverflow.com/questions/18991908/is-it-possible-to-search-for-a-particular-filename-on-github.)

How Do You Install “inspec” with gem from the Command Line?

Problem scenario
You want to install the inspec gem. What do you do?

Solution
Run this:
gem install inspec
(Taken from https://mitre-inspec-developer.netlify.app/installation/linuxinstall.html )

Does the inspec-bin command work? This may be a newer version that is already installed.

If you installed Ruby with root, which is not recommended according to https://stackoverflow.com/questions/24706277/error-sudo-gem-command-not-found, you may need to use "sudo" before the gem command. Ideally you would not use "sudo" before a gem command (according to the above external link).

How Do You Troubleshoot “Some of the defined forwarded ports would collide” after Running a Chef Kitchen or Ansible Molecule Command?

Problem scenario
You run a kitchen or molecule command. It fails with an error about ports. What should you do?

Solution
Find what other machines are running in your VPC. This error message seems to be relevant to Vagrant (because if you google it, you will see Vagrant-related postings). If you are using Vagrant, run this command: vagrant global-status

If you are not using Vagrant, you may want to use the nmap utility to track down the problem.

How Do You Terminate a Process Listening on a Given TCP Port?

Problem scenario
There is a process listening on a TCP port on your Linux system. How do you end it?

Solution
Assuming you want to terminate the process listening on TCP port 5555, this is how you would find the PID:

sudo lsof -i :5555

The output of the above command will show you a PID. To kill the process, run this command, where 111222333 is the PID number you found above:

sudo kill -9 111222333