DEV Community: Manjula Rajamani

Deploying Node-Red on Azure Container Instance

Manjula Rajamani — Thu, 05 Sep 2024 12:30:38 +0000

This guide provides instructions for deploying the Node-Red application on the Azure platform, utilizing Azure Container Instances, Azure Container Registry, and Azure Storage Account.

What is Azure Container Instance?
Azure Container Instances (ACI) is a managed service that allows you to run containers directly on the Microsoft Azure public cloud, without requiring the use of virtual machines (VMs)

For more information about Azure Container Instances, check out the official documentation at this link: Azure Container Instances Documentation.

What is Azure Container Registry?
Azure Container Registry is a private registry service for building, storing, and managing container images and related artifacts

For more information about Azure Container Registry, check out the official documentation at this link: Azure Container Registry Documentation.

What is an Azure Storage account?
The Azure Storage platform is Microsoft's cloud storage solution for modern data storage scenarios. Azure Storage offers highly available, massively scalable, durable, and secure storage for a variety of data objects in the cloud. Azure Storage data objects are accessible from anywhere in the world over HTTP or HTTPS via a REST API.

For more information about the Azure Storage account, check out the official documentation at this link: Azure Storage account Documentation.

Startup:
Before starting, ensure that you have an Azure account with an active subscription

Step 1:
Login into your Azure account



az login

Step 2:

Create a container registry and store the Node-RED image in the container registry
As of Node-RED 1.0, the repository on Docker Hub was renamed to nodered/node-red.
Log in to a registry using Azure CLI



az acr login --name myregistry
docker login myregistry.azurecr.io

If you are unfamiliar with creating an Azure Container Registry (ACR), you can refer to the following link for step-by-step instructions using the Azure portal: Get Started with Azure Container Registry

Step 3:

Create an Azure file share:
Run the following script to create a storage account to host the file share, and the share itself. The storage account name must be globally unique, so the script adds a random value to the base string.



# Change these parameters as needed
RESOURCE_GROUP=myResourceGroup
STORAGE_ACCOUNT_NAME=storageaccount$RANDOM
LOCATION=eastus
FILE_SHARE_NAME=node-red-share
IMAGE=testingregistrydevops.azurecr.io/node-red:latest
ACI_NAME=node-red

# Create the storage account with the parameters
az storage account create \
    --resource-group $RESOURCE_GROUP \
    --name $STORAGE_ACCOUNT_NAME \
    --location $LOCATION \
    --sku Standard_LRS

# Create the file share
az storage share-rm create \
    --resource-group $RESOURCE_GROUP \
    --storage-account $STORAGE_ACCOUNT_NAME \
    --name $FILE_SHARE_NAME \
    --quota 1024 \
    --enabled-protocols SMB \
    --output table

Step 4:

Get storage credentials:
To mount an Azure file share as a volume in Azure Container Instances, you need three values: the storage account name, the share name, and the storage access key.

Storage account name - If you used the preceding script, the storage account name was stored in the $STORAGE_ACCOUNT_NAME variable. To see the account name, type:



echo $STORAGE_ACCOUNT_NAME

Share name- This value is already known (defined as node-red-share in the preceding script). To see the file share name



echo $FILE_SHARE_NAME

Storage account key - This value can be found using the following command:



STORAGE_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP --account-name $STORAGE_ACCOUNT_NAME --query "[0].value" --output tsv)
echo $STORAGE_KEY

Step 5:

Deploy container and mount volume - CLI:
To mount an Azure file share as a volume in a container by using the Azure CLI, specify the share and volume mount point when you create the container with az container create. If you followed the previous steps, you can mount the share you created earlier by using the following command to create a container:



az container create \
        --resource-group $RESOURCE_GROUP \
        --name $ACI_NAME \
        --image $IMAGE \
        --dns-name-label unique-acidemo-label \
        --ports 1880 \
        --azure-file-volume-account-name $STORAGE_ACCOUNT_NAME \
        --azure-file-volume-account-key $STORAGE_ACCOUNT_KEY \
        --azure-file-volume-share-name $FILE_SHARE_NAME \
        --azure-file-volume-mount-path /aci/logs/

The --dns-name-label value must be unique within the Azure region where you create the container instance

Using Bash
You can combine the above commands and execute the bash script to create an Azure Container Instance for Node-RED.
Here is the bash script for Node-RED



#!/usr/bin/env bash

RESOURCE_GROUP=MyResourceGroup
STORAGE_ACCOUNT_NAME=storageaccount$RANDOM
LOCATION=eastus
FILE_SHARE_NAME=node-red-share
IMAGE=testingregistrydevops.azurecr.io/node-red:latest
ACI_NAME=node-red

# Function to handle errors
handle_error() {
    echo "Error: $1" >&2
    exit 1
}

# Azure Login
az login || handle_error "Failed to login to Azure"

# ACR Login
az acr login --name testingregistrydevops.azurecr.io || handle_error "Failed to login to ACR"

# Check if Resource Group exists
if az group show --name $RESOURCE_GROUP &>/dev/null; then
    echo "Resource group '$RESOURCE_GROUP' already exists."
else
    # Creating Resource Group
    az group create --name $RESOURCE_GROUP --location $LOCATION || handle_error "Failed to create resource group"
    echo "Resource group '$RESOURCE_GROUP' created."
fi

# Check if the Storage Account exists
if az storage account show --name $STORAGE_ACCOUNT_NAME --resource-group $RESOURCE_GROUP &>/dev/null; then
    echo "Storage account '$STORAGE_ACCOUNT_NAME' already exists."
else
    # Creating Storage Account
    az storage account create \
        --resource-group $RESOURCE_GROUP \
        --name $STORAGE_ACCOUNT_NAME \
        --location $LOCATION \
        --sku Standard_LRS || handle_error "Failed to create storage account"
    echo "Storage account '$STORAGE_ACCOUNT_NAME' created."
fi

# Creating File Share
echo "Creating file share '$FILE_SHARE_NAME'..."
if az storage share-rm create \
    --resource-group $RESOURCE_GROUP \
    --storage-account $STORAGE_ACCOUNT_NAME \
    --name $FILE_SHARE_NAME \
    --quota 1024 \
    --enabled-protocols SMB \
    --output table &>/dev/null; then
    echo "File share '$FILE_SHARE_NAME' created successfully."
else
    handle_error "Failed to create file share '$FILE_SHARE_NAME'"
fi

# Fetch Storage Account Key
STORAGE_ACCOUNT_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP --account-name $STORAGE_ACCOUNT_NAME --query "[0].value" --output tsv)
echo $STORAGE_ACCOUNT_KEY

# Creating Azure Container Instance for Node-Red
if az container show --resource-group $RESOURCE_GROUP --name $ACI_NAME &>/dev/null; then
    echo "Azure Container Instance '$ACI_NAME' already exists."
else
    # Creating Azure Container Instance for Node-Red
    az container create \
        --resource-group $RESOURCE_GROUP \
        --name $ACI_NAME \
        --image $IMAGE \
        --dns-name-label unique-acidemo-label \
        --ports 1880 \
        --azure-file-volume-account-name $STORAGE_ACCOUNT_NAME \
        --azure-file-volume-account-key $STORAGE_ACCOUNT_KEY \
        --azure-file-volume-share-name $FILE_SHARE_NAME \
        --azure-file-volume-mount-path /aci/logs/ || handle_error "Failed to create container instance"

    echo "Azure Container Instance '$ACI_NAME' created."
fi

After executing the file, you can make the application accessible using the public IP or Fully Qualified Domain Name (FQDN) of the Azure Container Instance.

Additionally, you can verify whether the file share is properly mounted using Azure Container Instances (ACI)

MicroBin on Fly.io

Manjula Rajamani — Wed, 17 May 2023 15:00:03 +0000

MicroBin is a tiny, feature rich, configurable, self-contained, and self-hosted paste bin web application. It is elementary to set up and use, and will only require a few megabytes of memory and disk storage.

Fly.io
Fly.io is a platform for running full-stack applications and databases close to the users without any DevOps. You can deploy your apps to Fly.io (it's about the simplest place to deploy a Docker Image) and use our CLI to launch instances in regions that are most important for their application.

Structure of MicroBin

Step 1:
Clone your repository

git clone https://github.com/manjularajamani/microbin.git
cd microbin/

Step 2:
Using Dockerfile(or pre-built Docker images)we can able to deploy the application on the fly.io app server

FROM rust:latest as build

WORKDIR /app

COPY . .

RUN \
  DEBIAN_FRONTEND=noninteractive \
  apt-get update &&\
  apt-get -y install ca-certificates tzdata &&\
  CARGO_NET_GIT_FETCH_WITH_CLI=true \
  cargo build --release

# https://hub.docker.com/r/bitnami/minideb
FROM bitnami/minideb:latest

# microbin will be in /app
WORKDIR /app

# copy time zone info
COPY --from=build \
  /usr/share/zoneinfo \
  /usr/share/zoneinfo

COPY --from=build \
  /etc/ssl/certs/ca-certificates.crt \
  /etc/ssl/certs/ca-certificates.crt

# copy built executable
COPY --from=build \
  /app/target/release/microbin \
  /usr/bin/microbin

# Expose webport used for the webserver to the docker runtime
EXPOSE 8080

ENTRYPOINT ["microbin"]

Or fetch Docker image from DockerHub: danielszabo99/microbin:latest

Step 3:

Install flyctl:
flyctl is a command line interface to the Fly.io platform.It allows users to manage authentication, application launch, deployment, network configuration, logging and more with just the one command.Install Flyctl CLI

Sign In:
If you already have a Fly.io account, all you need to do is sign in with flyctl

fly auth login

Your browser will open up with the Fly.io sign-in screen, enter your user name and password to sign in.

Step 4:
To deploy app into fly.io we need a fly.toml file

app = "microbin"
primary_region = "ams"
kill_signal = "SIGINT"
kill_timeout = "5s"

[experimental]
  entrypoint = ["microbin", "--highlightsyntax", "--private", "--qr", "--editable", "--enable-burn-after"]

[build]
  image = "danielszabo99/microbin:latest"

[[mounts]]
  source = "microbin_data"
  destination = "/app/pasta_data"

[http_service]
  internal_port = 8080
  force_https = true
  auto_stop_machines = true
  auto_start_machines = true

I've added only a few things that are enough for micro microbin

kill_signal:
The kill_signal option allows you to change what signal is sent so that you can trigger a softer, less disruptive shutdown.
kill_timeout:
When shutting down a Fly app instance, by default, after sending a signal, Fly gives an app instance five seconds to close down before being killed.
experimental:
This section is for flags and feature settings which have yet to be promoted into the main configuration.
build:
The image builder is used when you want to immediately deploy an existing public image
mounts:
This section supports the Volumes feature for persistent storage
auto_stop_machines:
Whether to automatically stop an application's machines when there's excess capacity, per region.
auto_start_machines:
Whether to automatically start an application's machines when a new request is made to the application and there's no excess capacity, per region.

Step 5:

Launch an App on Fly:
Fly.io enables you to deploy almost any kind of app using a Docker image.

flyctl launch 
      (or)
flyctl launch --image danielszabo99/microbin:latest

If you need to edit fly.toml and redeploy use the below command

flyctl deploy

Check Your App's Status:
The application has been deployed with a DNS hostname of microbin.fly.dev. Your deployment's name will, of course, be different. fly status give us basic details

flyctl status

Step 6:
The DESTROY command will remove an application from the Fly platform.

flyctl destroy <APPNAME>

Adding Custom Domains
Fly offers a simple command-line process for the manual configuration of custom domains and for people integrating Fly custom domains into their automated workflows.

Step 1:
Run flyctl ips list to see your app's addresses

flyctl ips list

Create an A record pointing to your v4 address, and an AAAA record pointing to your v6 address on your respective DNS.

Step 2:
You can add the custom domain to the application's certificates.

flyctl certs create <domain.name>

Step 3:
You can check on the progress by running the below command

flyctl certs show <domain.name>

Once the certificate is issued you can access your application to your Domain

Step 4:
To remove the hostname from the application, drop the certificates in the process.

flyctl certs delete <domain.name>

Seccomp security profiles

Manjula Rajamani — Mon, 20 Mar 2023 07:23:14 +0000

This blog post tries to exemplate how to run our code in a "Restricted-service operating mode" using libseccomp library

The Linux Kernel and Syscalls?

The kernel performs many jobs but we are going be focussing
on system calls

Linux Syscalls:

Strace:

Strace is used to record all the system calls made by the
particular request
Then we can use this information to debug or diagnose the problem

Examples:

The output on the screen after running the strace command was simply system calls made to run the ls command

Save the Trace execution to a file using option -O

The output would be dumped into trace.log file

Take look at the first line in the trace.log file

execve("/usr/bin/ls", ["ls", "test/"], [/* 40 vars */]) = 0

execve, is the name of a system call being executed.
The text within the parentheses is the arguments provided to the system call.
0 is a value returned by the execve system call.

Sorting the Result by Columns using option -c:

Obtaining Timing Information using option -t:

Attaching strace to Running Process using option -p:

Seccomp

seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit() , sigreturn() , read() and write() to already-open file descriptors.

libseccomp

The libseccomp library provides an easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism.

Installing the libseccomp Library:

Step 1: Grab the latest release from the release page at libseccomp repository
Step 2: If you are building the libseccomp library from an official release tarball, you should follow the familiar three step process used by most autotools based applications:

Step 3: Install python3-devel using your package manager of choice to fulfil the dependencies needed

Example Code for Python bindings for the libseccomp library:

def setup_seccomp(log_only):
    f = SyscallFilter(ALLOW)
    # always log, even when returning an error
    f.set_attr(Attr.CTL_LOG, 1)
    action = LOG if log_only else ERRNO(errno.EACCES)
    # stop executions
    f.add_rule(action, "execve")
    f.add_rule(action, "execveat")
    f.add_rule(action, "vfork")
    f.add_rule(action, "fork")
    f.load()
    print(f'Seccomp enabled...')

Filter action values:

KILL_PROCESS - kill the process
KILL         - kill the thread
LOG          - allow the syscall to be executed after the action has been logged
ALLOW        - allow the syscall to execute
TRAP         - a SIGSYS signal will be thrown
NOTIFY       - a notification event will be sent via the notification API
ERRNO(x)     - syscall will return (x)
TRACE(x)     - if the process is being traced, (x) will be returned to the tracing process via PTRACE_EVENT_SECCOMP and the PTRACE_GETEVENTMSG option

Here is my repo which attempts to seccomp a simple python program.

https://github.com/manjularajamani/pyseccomp-playground/tree/main/seccompd-progs