Your company wants you to start using YubiKey. You have an AWS account and it's time to reconfigure the access. I recommend to do this easily. I mean if you already have configured a MFA device as an authenticator application you can add another device and test in a first few days simultaneously.
Add new MFA device in your Console:
Let's pretend you have a new computer after you joined to a new company and you have to setup everything from scratch.
Usually I use macOS but it suits to a Linux machine even.
This is how my starting pack looks like:
I know that everyone uses Docker but sometimes you have to take care of some legacy server where you have, for example, LXC container in which your client runs a Docker container (I know it's weird).
Le'ts imagine you have in you LXC container a device which is mounted as "/var/lib/docker" path. You don't have enough space on it and you don't want to restart the server or even LXC daemon. Let's just replace it.
Add a new device:
lxc storage create new-device btrfs size=100GB
Add a new volume to the device:
lxc storage volume create new-device volume
Then we have get into the LXC container and stop the Docker daemon:
lxc exec lxc-container -- /bin/bash
systemctl stop docker
exit
Disable the previous device from the LXC container:
lxc config device remove lxc-container old-device
Add the new device:
lxc config device add lxc-container some-name disk pool=new-device path=/var/lib/docker source=volume
Run the Docker daemon in the container.
Some additional useful commands:
If you want to use EBS in your Kubernetes Persistent Volume.
EC2
Dynamic provisioning:
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: ebs-sc
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer
parameters:
encrypted: "true"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ebs-claim
spec:
accessModes:
- ReadWriteOnce
storageClassName: ebs-sc
resources:
requests:
storage: 4Gi
---
apiVersion: v1
kind: Pod
metadata:
name: app
spec:
containers:
- name: app
image: centos
command: ["/bin/sh"]
args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"]
volumeMounts:
- name: persistent-storage
mountPath: /data
volumes:
- name: persistent-storage
persistentVolumeClaim:
claimName: ebs-claim
Fargate
You can't mount Amazon EBS volumes to Fargate Pods.
More examples here.
If you have already created an EFS and you want to mount it in a Kubernetes Pod you have to add the EKS' Security Group to each mount target.
EC2
This example shows how to make a static provisioned EFS persistent volume (PV) mounted inside container with encryption in transit configured:
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: efs-sc
provisioner: efs.csi.aws.com
mountOptions:
- tls
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: efs-pv
spec:
capacity:
storage: 5Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: efs-sc
csi:
driver: efs.csi.aws.com
volumeHandle: fs-03e456ec05d6df74e # Replace with you EFS identifier.
volumeAttributes:
encryptInTransit: "true"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: efs-claim
spec:
accessModes:
- ReadWriteOnce
storageClassName: efs-sc
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: Pod
metadata:
name: efs-app
spec:
containers:
- name: app
image: centos
command: ["/bin/sh"]
args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"]
volumeMounts:
- name: persistent-storage
mountPath: /data
volumes:
- name: persistent-storage
persistentVolumeClaim:
claimName: efs-claim
Fargate
A Pod running on AWS Fargate automatically mounts an Amazon EFS file system without needing the driver installation.
You can't use dynamic provisioning for persistent volumes with Fargate nodes but you can use static provisioning. An example how to use:
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: efs-sc
provisioner: efs.csi.aws.com
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: efs-pv
spec:
capacity:
storage: 5Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
storageClassName: efs-sc
persistentVolumeReclaimPolicy: Retain
csi:
driver: efs.csi.aws.com
volumeHandle: fs-03e456ec05d6df74e # Replace with you EFS identifier.
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: efs-claim
spec:
accessModes:
- ReadWriteOnce
storageClassName: efs-sc
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: Pod
metadata:
name: efs-app
spec:
containers:
- name: app
image: centos
command: ["/bin/sh"]
args: ["-c", "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"]
volumeMounts:
- name: persistent-storage
mountPath: /data
volumes:
- name: persistent-storage
persistentVolumeClaim:
claimName: efs-claim
More examples here.
In the normal mode:
Open ".vimrc" in your home directory to set permanently:
Post pisany w oparciu o Debiana 11.
Następnie otwieramy "/etc/bind/named.conf.options":
acl "trusted" {
ADRES_IP; # Serwer podstawowy
ADRES_IP; # Serwer zapasowy
};
options {
directory "/var/cache/bind";
recursion yes; # Pozwol na rekursywne zapytania.
allow-recursion { trusted; }; # Pozwol na rekursywne zapytania z listy zaufanych klientow.
allow-transfer { none; }; # Wylacz domyslny transfer strefy.
dnssec-validation auto;
auth-nxdomain no;
listen-on-v6 { any; };
forwarders {
8.8.8.8;
8.8.4.4;
};
};
Teraz "/etc/bind/named.conf.local":
zone "yolandi.pl" {
type master;
file "/etc/bind/db.yolandi.pl"; # Sciezka do pliku strefy
allow-transfer { ADRES_IP; }; # IP serwera zapasowego
};
Tworzymy "/etc/bind/zones/db.yolandi.pl":
$TTL 604800
@ IN SOA yolandi.pl. admin.yolandi.pl. (
2021051601 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
IN NS TWOJA_GLOWNA_DOMENA.
IN NS DOMENA_SERWERA_ZAPASOWEGO.
yolandi.pl. IN A ADRES_IP