DEV Community: Stepan Vrany The latest articles on DEV Community by Stepan Vrany (@stepanvrany). https://dev.to/stepanvrany https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F619117%2F5b8c45c4-a107-4b4a-869c-1b4e8142aac4.jpg DEV Community: Stepan Vrany https://dev.to/stepanvrany en Privacy matters: send instant messages without providing any personal details! Stepan Vrany Sun, 20 Mar 2022 15:28:32 +0000 https://dev.to/stepanvrany/privacy-matters-send-instant-messages-without-providing-any-personal-details-35eg https://dev.to/stepanvrany/privacy-matters-send-instant-messages-without-providing-any-personal-details-35eg <p>You might know WhatsApp, Telegram or Signal. These messengers share one concept - they use your cell phone number as the primary identifier. Moreover, you can't create an account without the cell phone number. </p> <h2> Do I need to care about cell phone number? </h2> <p>Technically it's possible to get totally anonymous cell phone number. You can use so-called prepaid (e)SIM cards together with <a href="https://silent.link/">anonymous or pseudonymous</a> payment methods.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s---KOctnFD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/04jxtzfkhtnjfzsznpgx.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s---KOctnFD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/04jxtzfkhtnjfzsznpgx.png" alt="Image description" width="880" height="408"></a></p> <p>In some countries you can even purchase "physical" SIM cards personally in supermarket. For instance, in Czechia it's still legal but this service is slowly vanishing all over the world. It's the same story, governments fight the terrorism. </p> <p>But the (legal) ownership of the cell phone number is just one part of the story. The next part of the story is traceability, in some circumstances service providers have to cooperate with regime and then it's <a href="https://www.quora.com/Can-my-location-be-traced-by-my-SIM-Does-my-cell-network-carrier-record-my-calls-as-audio">just a piece of cake to reveal you location</a>. Busted. </p> <h2> So let's avoid cell phone number </h2> <p>So our best choice is just don't use services that requires cell phone number. Problem solved.</p> <p>Well not quite. It's pretty hard to find such services nowadays. Everyone wants to know your number, even the email providers. I don't know the reason why it is like that but that's the reality and we need to cope with that.</p> <p>But I have good news, such providers do exist! There's just handful of them but they do exist! So let's look at them.</p> <h2> Threema </h2> <p>Threema is Switzerland-based instant messaging app with strong focus on privacy. <a href="https://threema.ch/en/faq/tablet">Providing your cell phone number is optional</a> so it perfectly fits to our list. </p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s---4yz_a7E--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g0ogizs6kpytcb7c1dpe.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s---4yz_a7E--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g0ogizs6kpytcb7c1dpe.png" alt="Image description" width="880" height="472"></a></p> <p>In Slovakia, it has bad reputation due to <a href="https://cs.wikipedia.org/wiki/Threema">Jan Kuciak`s case</a> but it has nothing to do with the Threema itself. It's rather about the compromised device. So Threema can be still considered as the more private alternative. Also check <a href="https://threema.ch/en/faq/data">the list of data collected by the provider</a>. </p> <h2> Matrix </h2> <p>Another interesting project is Matrix. It's using concept of homeservers so you have to find your homeserver (that does not require email address), create an account there and then you can freely communicate.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--FCe9-f67--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5kgb61kxlbv5zfv9p8xp.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--FCe9-f67--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5kgb61kxlbv5zfv9p8xp.png" alt="Image description" width="880" height="422"></a></p> <p>If you're concerned about the data collected by the homeservers - check <a href="https://matrix.org/~matthew/Response_to_-_Notes_on_privacy_and_data_collection_of_Matrix.pdf">this document</a>. Basically you can be tracked by some identifiers so you have to <strong>use this tool with caution together with other techniques to hide your identity</strong>. But it does not mean it's a bad tool. It's just about how you use this tool.</p> <h2> Session </h2> <p>This one is my personal favorite. It's easy to use, it does not need cell phone number and <a href="https://twitter.com/session_app/status/1505401249612677120">it does not collect any personal data</a>.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--XXq_zvpy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hbe5qitz3ypz7f8bmevr.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--XXq_zvpy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hbe5qitz3ypz7f8bmevr.png" alt="Image description" width="880" height="456"></a></p> <p>One major feature of session is the structure of the network - every message is transported through a <a href="https://getsession.org/blog/onion-requests-session-new-message-routing-solution">decentralized onion routing network</a> to obfuscate your identity as much as possible.</p> <p>Session also don't have any centralized identity management so you don't need to remember any username or password. Instead, you have to write down mnemonic seed that can be used to recover your identity on any device. This process is well-known in the world of crypto currencies.</p> <p>Enough of talking, check the <a href="https://getsession.org/faq#recovery-phrase">FAQ</a> to get more information about this tool! As I've mentioned before, this is my personal favorite so that's why I went through some features in detail. </p> <h2> Wrap </h2> <p>And that's all I was able to find. Unfortunately. In past 10 years we cared more about the convenience than privacy so here we are. Thankfully we have at least some tools so we need to take this opportunity, reclaim our privacy and make the other vendors to deliver similar features.</p> <blockquote> <p>And again, my personal favorite is <a href="https://getsession.org/">Session</a> due to extremely easy usage.</p> </blockquote> <p>It's very important to be able to communicate privately and hide our identity if needed. If no one can't determine our identity from the data collected - we can't be persecuted. Now nor in the future. </p> <p>And again, don't forget that tool works as intended only if it's used correctly. Even the most secure tool can reveal your identity and trust me there are <strong>bad actors</strong> that know how to abuse such information, <strong>especially those controlling monopoly on violence</strong>. Read the documentation. Read the FAQ. Read reddit discussions. Stay safe.</p> <p>If I could conclude with a one sentence, it would be: <strong>try to avoid services requiring your cell phone number.</strong></p> <p>Cheers!</p> privacy Getting started with Tor hidden services Stepan Vrany Wed, 02 Mar 2022 18:47:38 +0000 https://dev.to/stepanvrany/getting-started-with-tor-hidden-services-1m42 https://dev.to/stepanvrany/getting-started-with-tor-hidden-services-1m42 <p>This will be happening more and more frequently in the online world: people get silenced. If you're a ruler, it's tempting to selectively deliver only certain information and let's face it - surface web is perfectly equipped for such scenarios. Providers of services have too much to lose if disobey. This is just how power works. But that's a bit different topic...</p> <p>Today we're gonna talk about the world without centralised authorities, the world of Tor hidden services.</p> <h2> Enter the .onion! </h2> <p>In Tor we don't use standard domain names like <code>cz</code> or <code>eu</code>. We use specialised <code>.onion</code> generic name that is resolvable only in Tor network. Compared to standard domain names it has one major difference beyond the scope of the visibility - there's no vendor where you have to purchase a name for you service. </p> <p>This is how it works - you create a hidden service, a new keypair is generated and part of the public key is then used as your <code>.onion</code> name. You can read more about the mechanism in <a href="https://tor.stackexchange.com/a/1285" rel="noopener noreferrer">this post</a>. </p> <blockquote> <p>Please read previous 2 paragraphs again - there's no authority that's responsible for the allocation of names. And when there's no authority - you can't approach it and make it obey with the force πŸ‘Š</p> </blockquote> <p>Then you just point Tor daemon to your webserver and voila - everyone with Tor browser (or alternative configuration with SOCKS5 proxy) can access your hidden service! </p> <p>Now let's create our first hidden service. That's gonna be fun.</p> <h2> Part I: server </h2> <p>We need some server first. It can be anything, you can use tiny Raspberry Pi or you can purchase some VPS from Public Cloud providers. I don't have any specific recommendations here. Server in your homelab is more decentralized, on the other hand VPS is easy to obtain. It's up to you.</p> <p>I'm gonna use VPS purchased from Digital Ocean pre-installed with the latest LTS Ubuntu.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnxati8pp0jf0saga61o5.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnxati8pp0jf0saga61o5.png" alt="Image description"></a></p> <p>In a couple of seconds I can connect with ssh there and proceed with the configuration!</p> <h2> Part II: application </h2> <p>In this tutorial we'll be serving some dummy content from the application written in Go. For the sake of simplicity I'm gonna use some snippets from the <a href="https://github.com/gofiber/fiber#%EF%B8%8F-quickstart" rel="noopener noreferrer">Fiber framework's homepage</a>. So here we go, this is our application.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="s">"github.com/gofiber/fiber/v2"</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">app</span> <span class="o">:=</span> <span class="n">fiber</span><span class="o">.</span><span class="n">New</span><span class="p">()</span> <span class="n">app</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"/"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">fiber</span><span class="o">.</span><span class="n">Ctx</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">SendString</span><span class="p">(</span><span class="s">"Hello, World πŸ‘‹!"</span><span class="p">)</span> <span class="p">})</span> <span class="n">app</span><span class="o">.</span><span class="n">Listen</span><span class="p">(</span><span class="s">":3000"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Once again, this is Go but you can write your application in any available tool. And of you want to serve static content - use <a href="https://caddyserver.com/" rel="noopener noreferrer">Caddy</a> or Nginx. </p> <p>So now I'm gonna build and test the app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go mod init main go mod tidy go build main.go ./main&amp; curl localhost:3000 </code></pre> </div> <p>This is what we get as the output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hello, World πŸ‘‹! </code></pre> </div> <h2> Part III: supervision </h2> <p>In the modern operating system we can always use some way how to supervise your applications. This is extremely important and I'm gonna give you one specific example: when your server restarts, you want to make sure that applications starts together with the server. </p> <p>In the case we use Ubuntu so systemd service unit needs to configured.</p> <p>So let's move the application to some well-known path<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mkdir /opt/app mv main /opt/app/main </code></pre> </div> <p>and create the systemd service unit in <code>/etc/systemd/system/app.service</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight systemd"><code><span class="k">[Unit]</span> <span class="nt">Description</span><span class="p">=</span>App <span class="nt">After</span><span class="p">=</span>network.target <span class="k">[Service]</span> <span class="nt">Type</span><span class="p">=</span>simple <span class="nt">ExecStart</span><span class="p">=</span>/opt/app/main <span class="k">[Install]</span> <span class="nt">WantedBy</span><span class="p">=</span>multi-user.target </code></pre> </div> <p>Now we can enable and start the service with <code>systemctl</code> commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl <span class="nb">enable </span>app systemctl start app </code></pre> </div> <p>Status of the service can be verified by invoking <code>systemctl status app</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>● app.service - App Loaded: loaded (/etc/systemd/system/app.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2022-03-02 18:08:29 UTC; 2s ago Main PID: 2289 (main) Tasks: 4 (limit: 1132) Memory: 1.3M CGroup: /system.slice/app.service └─2289 /opt/app/main </code></pre> </div> <h2> Part IV: Tor daemon </h2> <p>All the stuff we were doing till now was pretty much the same as you'd do for standard surface web app, right? So let's make it special. To do so we need to install Tor daemon first.</p> <p>In this Ubuntu 20.04 we just need to create a new apt source in <code>/etc/apt/sources.list.d/tor.list</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org focal main deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org focal main </code></pre> </div> <p>add public key to the keyring<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>wget <span class="nt">-qO-</span> https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg <span class="nt">--dearmor</span> | <span class="nb">tee</span> /usr/share/keyrings/tor-archive-keyring.gpg <span class="o">&gt;</span>/dev/null </code></pre> </div> <p>and install the package:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt-get update apt-get <span class="nb">install </span>tor <span class="nt">-y</span> </code></pre> </div> <p>If you're using different operating system - check out the <a href="https://support.torproject.org/rpm/" rel="noopener noreferrer">official documentation</a>. You know the drill I guess 😁 </p> <p>As the result we have Tor daemon running!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>systemctl status tor ● tor.service - Anonymizing overlay network for TCP (multi-instance-master) Loaded: loaded (/lib/systemd/system/tor.service; enabled; vendor preset: enabled) Active: active (exited) since Wed 2022-03-02 18:16:30 UTC; 1min 28s ago Main PID: 2959 (code=exited, status=0/SUCCESS) Tasks: 0 (limit: 1132) Memory: 0B CGroup: /system.slice/tor.service </code></pre> </div> <h2> Part V: pointing Tor to our app </h2> <p>And this is the very last part of this tutorial. Tor just needs to be configured to "advertise" our application to the network. </p> <p>Open the main configuration file <code>/etc/tor/torrc</code> and add following lines to the respective part of the configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="err">HiddenServiceDir</span> <span class="err">/var/lib/tor/app/</span> <span class="err">HiddenServicePort</span> <span class="err">80</span> <span class="err">127.0.0.1:3000</span> </code></pre> </div> <p>The second line basically says that incoming traffic on port 80 should be routed to localhost:300. And this is the port where the simple app listens.</p> <p>Tor daemon needs to be restarted first with <code>systemctl restart tor</code> command and whent it's up again we can inspect <code>/var/lib/tor/app/</code> directory - the home directory of our hidden service.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">ls</span> /var/lib/tor/app/ <span class="nt">-lah</span> total 24K drwx--S--- 3 debian-tor debian-tor 4.0K Mar 2 18:22 <span class="nb">.</span> drwx--S--- 4 debian-tor debian-tor 4.0K Mar 2 18:23 .. drwx--S--- 2 debian-tor debian-tor 4.0K Mar 2 18:22 authorized_clients <span class="nt">-rw-------</span> 1 debian-tor debian-tor 63 Mar 2 18:22 <span class="nb">hostname</span> <span class="nt">-rw-------</span> 1 debian-tor debian-tor 64 Mar 2 18:22 hs_ed25519_public_key <span class="nt">-rw-------</span> 1 debian-tor debian-tor 96 Mar 2 18:22 hs_ed25519_secret_key </code></pre> </div> <p>The last 2 lines are interesting, this is the key pair I was talking about. Please note that private key needs to be kept in secret, anyone with access to this key can use your onion name for some nasty s**t! And when we talk about the name, let's just check the contents of the <code>hostname</code> file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> /var/lib/tor/app/hostname ocig6kqiahyictb5y7o37ympfragi4nlzimuylwsfco76ksi2l5edvyd.onion </code></pre> </div> <p>And this is, ladies and gentlemen, a domain name we can use from Tor browser. Let's do it. </p> <h2> Result </h2> <p>Install <a href="https://www.torproject.org/download/" rel="noopener noreferrer">Tor browser</a> or <a href="https://brave.com/download/" rel="noopener noreferrer">Brave</a> (Brave needs to be launched in specialised Tor mode) and enter onion name to the address bar.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbmlmlpwlizk1dgknm74a.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbmlmlpwlizk1dgknm74a.png" alt="Image description"></a></p> <p>This is the service we were working on! It looks just like any other web application but it has one major feature - putting this down requires much more effort that the surface web equivalent. </p> <p>Now you can share your fantastic content even with the folks who lives in less free countries πŸ”₯πŸ”₯πŸ”₯</p> <p><em>Do you need any help with Tor hidden service? Don't hesitate to contact me. I'm 100% committed to make world a better place through the free speech and better privacy ❀️</em></p> <p><em>Title image: <a href="https://www.deviantart.com/wuphaz/art/Tor-wallpaper-682786904" rel="noopener noreferrer">https://www.deviantart.com/wuphaz/art/Tor-wallpaper-682786904</a></em></p> privacy infrastructure tor Part IV: Telegram notifications Stepan Vrany Wed, 23 Feb 2022 10:17:22 +0000 https://dev.to/stepanvrany/part-iv-telegram-notifications-e1o https://dev.to/stepanvrany/part-iv-telegram-notifications-e1o <p>When we have all the monitoring component in the place we might be wondering how to receive notification when something went wrong. Good question. </p> <p>Alertmanager does the trick and it natively supports all the major channels - Slack, PagerDuty, OpsGenie and more. But it does not support Telegram which is kinda popular even for the business communication in smaller companies. </p> <p>Let's fix it with a few AWS resources and simple Go lambda function.</p> <h2> SNS </h2> <p>SNS is one of the supported Alermanager's channels. It's actually very convenient in this case since we have the IAM role attached to instance - we don't need to hassle with credentials. </p> <p>Let's dive into Terraform again.</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">resource</span> <span class="s2">"aws_sns_topic"</span> <span class="s2">"prometheus_alerts"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"prometheus_alerts"</span> <span class="p">}</span> </code></pre> </div> <h2> SQS </h2> <p>The next part is the queue, we can possibly connect a lambda directly do SNS but SQS gives us more reliability. SQS will effectively become the only SNS subscriber and messages will be queued for the further processing.</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">resource</span> <span class="s2">"aws_sqs_queue"</span> <span class="s2">"prometheus_alerts"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"prometheus_alerts"</span> <span class="p">}</span> </code></pre> </div> <p>And since SNS topic will be pushing messages to this queue - we also need to allow this:</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">resource</span> <span class="s2">"aws_sqs_queue_policy"</span> <span class="s2">"prometheus_alerts"</span> <span class="p">{</span> <span class="nx">queue_url</span> <span class="p">=</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">prometheus_alerts</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">POLICY</span><span class="sh"> { "Version": "2012-10-17", "Id": "sqspolicy", "Statement": [ { "Sid": "First", "Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage", "Resource": "${aws_sqs_queue.prometheus_alerts.arn}", "Condition": { "ArnEquals": { "aws:SourceArn": "${aws_sns_topic.prometheus_alerts.arn}" } } } ] } </span><span class="no">POLICY </span><span class="p">}</span> </code></pre> </div> <p>Also, create the subscription:</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">resource</span> <span class="s2">"aws_sns_topic_subscription"</span> <span class="s2">"prometheus_alerts"</span> <span class="p">{</span> <span class="nx">topic_arn</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">prometheus_alerts</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"sqs"</span> <span class="nx">endpoint</span> <span class="p">=</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">prometheus_alerts</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h2> Lambda function </h2> <p>Here we go again, Lambda needs role, permissions.. so let's create these resources first. </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="k">data</span> <span class="s2">"aws_region"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"alertmanager_notify"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"alertmanager_notify"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"lambda.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"alertmanager_notify"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"alertmanager_notify"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:logs:</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_region</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">:</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">:log-group:/aws/lambda/alertmanager_notify"</span><span class="p">,</span> <span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"logs:CreateLogStream"</span><span class="p">,</span> <span class="s2">"logs:PutLogEvents"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:logs:</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_region</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">:</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">:log-group:/aws/lambda/alertmanager_notify:*"</span><span class="p">,</span> <span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="s2">"Effect"</span><span class="err">:</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="s2">"Action"</span><span class="err">:</span> <span class="p">[</span> <span class="s2">"sqs:DeleteMessage"</span><span class="p">,</span> <span class="s2">"sqs:GetQueueAttributes"</span><span class="p">,</span> <span class="s2">"sqs:ReceiveMessage"</span><span class="p">,</span> <span class="p">],</span> <span class="s2">"Resource"</span><span class="err">:</span> <span class="p">[</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">prometheus_alerts</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="p">]</span> <span class="p">},</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"alertmanager_notify"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">alertmanager_notify</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">alertmanager_notify</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p>With such permissions, Lambda function is able to process messages from the SQS queue and delete them when processed. Cloudwatch part is pretty self-descriptive - we want to see some logs. Lambda function definition itself is straightforward:</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"alertmanager_notify"</span> <span class="p">{</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="k">module}</span><span class="s2">/assets/function.zip"</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="nx">filebase64sha256</span><span class="p">(</span><span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="k">module}</span><span class="s2">/assets/function.zip"</span><span class="p">)</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"alertmanager_notify"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"main"</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"go1.x"</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">filename</span><span class="p">,</span> <span class="nx">last_modified</span><span class="p">,</span> <span class="nx">source_code_hash</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">environment</span> <span class="p">{</span> <span class="nx">variables</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">TELEGRAM_TOKEN</span> <span class="p">=</span> <span class="err">&lt;</span><span class="nx">telegram</span> <span class="nx">token</span> <span class="nx">from</span> <span class="nx">bot</span> <span class="nx">father</span><span class="err">&gt;</span> <span class="nx">TELEGRAM_CHANNEL</span> <span class="p">=</span> <span class="err">&lt;</span><span class="nx">telegram</span> <span class="nx">group</span> <span class="nx">id</span><span class="err">&gt;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Note the <code>${path.module}/assets/function.zip</code>, this is a zip file with some dummy code. We only need this archive for the initial creation. The final code will be pushed to the AWS externally.</p> <h2> Lambda code </h2> <p>For the integration with Telegram we're gonna use <code>github.com/go-telegram-bot-api/telegram-bot-api</code> library. It's just thin wrapper over the Telegram API and it's sufficient for this use case. </p> <blockquote> <p>Please note that signatures of <code>handle</code> and <code>sendMessage</code> should ideally contain interface, some sort of <code>TelegramSender</code> or so. But for the sake of simplicity we use <code>BotAPI</code> directly 😊</p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"context"</span> <span class="s">"fmt"</span> <span class="s">"github.com/aws/aws-lambda-go/events"</span> <span class="s">"github.com/aws/aws-lambda-go/lambda"</span> <span class="n">tgbotapi</span> <span class="s">"github.com/go-telegram-bot-api/telegram-bot-api"</span> <span class="n">log</span> <span class="s">"github.com/sirupsen/logrus"</span> <span class="s">"os"</span> <span class="s">"strconv"</span> <span class="p">)</span> <span class="k">var</span> <span class="p">(</span> <span class="n">telegramToken</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"TELEGRAM_TOKEN"</span><span class="p">)</span> <span class="n">telegramChannel</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"TELEGRAM_CHANNEL"</span><span class="p">)</span> <span class="n">parseMode</span> <span class="o">=</span> <span class="s">"HTML"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">init</span><span class="p">()</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">SetFormatter</span><span class="p">(</span><span class="o">&amp;</span><span class="n">log</span><span class="o">.</span><span class="n">JSONFormatter</span><span class="p">{})</span> <span class="p">}</span> <span class="k">func</span> <span class="n">sendMessage</span><span class="p">(</span><span class="n">bot</span> <span class="o">*</span><span class="n">tgbotapi</span><span class="o">.</span><span class="n">BotAPI</span><span class="p">,</span> <span class="n">channel</span> <span class="kt">int64</span><span class="p">,</span> <span class="n">message</span> <span class="kt">string</span><span class="p">,</span> <span class="n">mode</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"sending notification to Telegram"</span><span class="p">)</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">tgbotapi</span><span class="o">.</span><span class="n">NewMessage</span><span class="p">(</span><span class="n">channel</span><span class="p">,</span> <span class="n">message</span><span class="p">)</span> <span class="n">msg</span><span class="o">.</span><span class="n">ParseMode</span> <span class="o">=</span> <span class="n">mode</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">bot</span><span class="o">.</span><span class="n">Send</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"could not send message: %s"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">handle</span><span class="p">(</span><span class="n">bot</span> <span class="o">*</span><span class="n">tgbotapi</span><span class="o">.</span><span class="n">BotAPI</span><span class="p">,</span> <span class="n">channel</span> <span class="kt">int64</span><span class="p">)</span> <span class="k">func</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">events</span><span class="o">.</span><span class="n">SQSEvent</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">return</span> <span class="k">func</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">event</span> <span class="n">events</span><span class="o">.</span><span class="n">SQSEvent</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">record</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">event</span><span class="o">.</span><span class="n">Records</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span> <span class="n">WithField</span><span class="p">(</span><span class="s">"message_id"</span><span class="p">,</span> <span class="n">record</span><span class="o">.</span><span class="n">MessageId</span><span class="p">)</span><span class="o">.</span> <span class="n">Info</span><span class="p">(</span><span class="s">"processing SQS record"</span><span class="p">)</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">sendMessage</span><span class="p">(</span><span class="n">bot</span><span class="p">,</span> <span class="n">channel</span><span class="p">,</span> <span class="n">record</span><span class="o">.</span><span class="n">Body</span><span class="p">,</span> <span class="n">parseMode</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"could process message: %s"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// create telegram client</span> <span class="n">bot</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">tgbotapi</span><span class="o">.</span><span class="n">NewBotAPI</span><span class="p">(</span><span class="n">telegramToken</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"could not create telegram client"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// parse</span> <span class="n">telegramChannelInt</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">ParseInt</span><span class="p">(</span><span class="n">telegramChannel</span><span class="p">,</span> <span class="m">10</span><span class="p">,</span> <span class="m">64</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"could not parse channel id"</span><span class="p">)</span> <span class="p">}</span> <span class="n">lambda</span><span class="o">.</span><span class="n">Start</span><span class="p">(</span><span class="n">handle</span><span class="p">(</span><span class="n">bot</span><span class="p">,</span> <span class="n">telegramChannelInt</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>Let's deploy the function!</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">GOARCH</span><span class="o">=</span>amd64 <span class="nv">GOOS</span><span class="o">=</span>linux go build main.go zip <span class="k">function</span>.zip main aws lambda update-function-code <span class="nt">--function-name</span> alertmanager_notify <span class="nt">--zip-file</span> fileb://./function.zip </code></pre> </div> <h2> Alertmanager configuration </h2> <p>First of all, we need to allow interaction with SNS topic for the instance where the Alertmanager is running. Add this statement to the IAM policy from the first chapter:</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sns:Publish"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">prometheus_alerts</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span><span class="err">,</span> </code></pre> </div> <p>The last bit is yaml for the Alertmanager. This is perhaps the simplest configuration:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <p><span class="na">global</span><span class="pi">:</span><br> <span class="na">resolve_timeout</span><span class="pi">:</span> <span class="s">1m</span><br> <span class="na">receivers</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sns</span><br> <span class="na">sns_configs</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="na">message</span><span class="pi">:</span> <span class="pi">|</span><br> <span class="s">{{ if eq .Status "firing" }}πŸ”₯ {{ end }}{{ if eq .Status "resolved" }}βœ… {{ end }}[{{ .Status | toUpper }}] {{ .CommonLabels.alertname }}</span><br> <span class="s">{{ range .Alerts }}</span><br> <span class="s">&lt;b&gt;Alert:&lt;/b&gt; {{ .Annotations.title }}{{ if .Labels.severity }} - <code>{{ .Labels.severity }}</code>{{ end }}</span><br> <span class="s">&lt;b&gt;Description:&lt;/b&gt; {{ .Annotations.description }}</span><br> <span class="s">&lt;b&gt;Details:&lt;/b&gt;</span><br> <span class="s">{{ range .Labels.SortedPairs }}- {{ .Name }}: &lt;i&gt;{{ .Value }}&lt;/i&gt;</span><br> <span class="s">{{ end }}</span><br> <span class="s">{{ end }}</span><br> <span class="na">sigv4</span><span class="pi">:</span><br> <span class="na">region</span><span class="pi">:</span> <span class="s">eu-west-1</span><br> <span class="na">topic_arn</span><span class="pi">:</span> <span class="s">&lt;SNS topic ARN&gt;</span><br> <span class="na">route</span><span class="pi">:</span><br> <span class="na">group_by</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s2">"</span><span class="s">..."</span><br> <span class="na">group_interval</span><span class="pi">:</span> <span class="s">30s</span><br> <span class="na">group_wait</span><span class="pi">:</span> <span class="s">5s</span><br> <span class="na">receiver</span><span class="pi">:</span> <span class="s">sns</span><br> <span class="na">repeat_interval</span><span class="pi">:</span> <span class="s">3h</span></p> </code></pre> </div> <h2> <br> <br> <br> Result<br> </h2> <p>Now we're able to receive alerts in the Telegram group, see the following example that comes from the similar configuration. Pretty neat, huh?</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fveubwmhz7pvgsopficvf.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fveubwmhz7pvgsopficvf.png" alt="Image description"></a></p> <h2> Wrap </h2> <p>And this is the end of this series. I've been working on this setup in past two months and I must say I'm pretty happy with the overall result. </p> <p>Here's also one final disclaimer - do not forget to establish external monitoring for the Prometheus. Expose readiness server's probe to the internet and use tools such uptime robot because you really want to know when Prometheus goes down.</p> <blockquote> <p>Do you have any questions? Ping me on twitter or ask it directly here. I'll try to do my best to help you. </p> </blockquote> observability infrastructure devops Part III: Grafana Stepan Vrany Wed, 23 Feb 2022 09:06:02 +0000 https://dev.to/stepanvrany/part-iii-grafana-1dea https://dev.to/stepanvrany/part-iii-grafana-1dea <p>So now we have the Prometheus up and running and we even send some metrics there thanks to Grafana cloud agent. How to view these metrics in some more convenient way?</p> <p>Yes, the answer is Grafana, the best in class tool for the job. And since we have a Kubernetes cluster - we're gonna run it inside this cluster. Grafana is not really resource-intensive beast and this will be also cheaper than managed services like Amazon Managed Grafana.</p> <h2> Persistence </h2> <p>Grafana needs some persistent store for users, dashboards and other stuff. We can use Persistent Volume Claim but again - we want to keep our cluster lean. So our next choice is RDS in its smallest configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="k">data</span> <span class="s2">"aws_region"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="k">resource</span> <span class="s2">"random_password"</span> <span class="s2">"password"</span> <span class="p">{</span> <span class="nx">length</span> <span class="p">=</span> <span class="mi">32</span> <span class="nx">special</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"grafana_</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">environment</span><span class="k">}</span><span class="s2">"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"egress_all"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"egress"</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"0.0.0.0/0"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"ingress_posgres"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">source_security_group_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">source_security_group_id</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_db_subnet_group"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"grafana-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">environment</span><span class="k">}</span><span class="s2">"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">subnet_ids</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="nx">allocated_storage</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"postgres"</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">postgres_engine_version</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">postgres_instance_class</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"grafana-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">environment</span><span class="k">}</span><span class="s2">"</span> <span class="nx">db_name</span> <span class="p">=</span> <span class="s2">"grafana"</span> <span class="nx">username</span> <span class="p">=</span> <span class="s2">"root"</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">random_password</span><span class="p">.</span><span class="nx">password</span><span class="p">.</span><span class="nx">result</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">db_subnet_group_name</span> <span class="p">=</span> <span class="nx">aws_db_subnet_group</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>You can see here some similarities with the EC2 instance from the first chapter. Once again we've created a separate Security Group with the only ingress rule allowing the communication only from the Kubernetes cluster. </p> <h2> Single sign-on </h2> <p>Grafana supports variety of single sign-on options, in this writeup we're gonna use Gitlab but you can use Github, some generic OIDC solution or the internal database. </p> <h2> Installation of Grafana </h2> <p>Let's prepare values files for the Grafana Helm chart.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">grafana.ini</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="na">domain</span><span class="pi">:</span> <span class="s">grafana.&lt;your domain name&gt;</span> <span class="na">root_url</span><span class="pi">:</span> <span class="s">https://grafana.&lt;your domain name&gt;/</span> <span class="na">enforce_domain</span><span class="pi">:</span> <span class="no">true</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">http</span> <span class="na">auth.anonymous</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">database</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">host</span><span class="pi">:</span> <span class="s">&lt;RDS endpoint from the previous steps&gt;</span> <span class="na">user</span><span class="pi">:</span> <span class="s">root</span> <span class="na">password</span><span class="pi">:</span> <span class="s">&lt;RDS password from the previous steps&gt;</span> <span class="na">name</span><span class="pi">:</span> <span class="s">grafana</span> <span class="na">ssl_mode</span><span class="pi">:</span> <span class="s">require</span> <span class="na">max_open_conn</span><span class="pi">:</span> <span class="m">25</span> <span class="na">max_idle_conn</span><span class="pi">:</span> <span class="m">25</span> <span class="na">unified_alerting</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">true</span> <span class="na">alerting</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">smtp</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">users</span><span class="pi">:</span> <span class="na">auto_assign_org</span><span class="pi">:</span> <span class="no">true</span> <span class="na">auth.gitlab</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">true</span> <span class="na">allow_sign_up</span><span class="pi">:</span> <span class="no">true</span> <span class="na">client_id</span><span class="pi">:</span> <span class="s">&lt;id from the Gitlab app&gt;</span> <span class="na">client_secret</span><span class="pi">:</span> <span class="s">&lt;secret from the Gitlab app&gt;</span> <span class="na">scopes</span><span class="pi">:</span> <span class="s">read_api</span> <span class="na">auth_url</span><span class="pi">:</span> <span class="s">https://gitlab.com/oauth/authorize</span> <span class="na">token_url</span><span class="pi">:</span> <span class="s">https://gitlab.com/oauth/token</span> <span class="na">api_url</span><span class="pi">:</span> <span class="s">https://gitlab.com/api/v4</span> <span class="na">allowed_groups</span><span class="pi">:</span> <span class="s">&lt;your Gitlab group&gt;</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> </code></pre> </div> <p>Note the <code>ingress.enabled</code> property. In this particular infrastructure we're using Traefik so we don't need to create <code>Ingress</code> object. Instead I've created a simple IngressRoute resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">traefik.containo.us/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">IngressRoute</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">grafana</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">grafana</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">entryPoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">websecure</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="s">Host(`grafana.&lt;your domain name&gt;`) &amp;&amp; PathPrefix(`/`)</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rule</span> <span class="na">priority</span><span class="pi">:</span> <span class="m">1</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">grafana</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">http</span> </code></pre> </div> <p>If you're using Nginx ingress controller, then you just need to re-enable it in the values:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">true</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">kubernetes.io/ingress.class</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">grafana.&lt;your domain name&gt;</span> </code></pre> </div> <p>You know the drill I guess. Let's install this with simple Helm command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add grafana https://grafana.github.io/helm-charts helm repo update helm upgrade <span class="nt">--install</span> grafana grafana/grafana <span class="nt">-n</span> grafana <span class="nt">-f</span> values.yaml <span class="nt">--version</span> 6.21.4 </code></pre> </div> <p>And that's it. For the administration tasks we just need one more thing - admin password:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get secret <span class="nt">--namespace</span> grafana grafana <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.admin-password}"</span> | <span class="nb">base64</span> <span class="nt">--decode</span> <span class="p">;</span> <span class="nb">echo</span> </code></pre> </div> <h2> Adding Prometheus data source to Grafana </h2> <p>This is perhaps the most straightforward task, just log-in, open datasources section in settings and fill in the domain name we've defined in the first chapter.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ZSF5h-s6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/s0bq0qeapz27o3ddjoz7.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ZSF5h-s6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/s0bq0qeapz27o3ddjoz7.png" alt="Image description" width="880" height="647"></a></p> <h2> Wrap </h2> <p>And that's it! In the next chapter I'll show you how to forward alertmanager notifications to Telegram group. Stay tuned!</p> infrastructure observability devops Part II: Lean Prometheus scraper Stepan Vrany Tue, 22 Feb 2022 09:34:13 +0000 https://dev.to/stepanvrany/part-ii-lean-prometheus-scraper-10c1 https://dev.to/stepanvrany/part-ii-lean-prometheus-scraper-10c1 <p>In the previous chapter of this series we've created a EC2 instance with Prometheus remote-write collector. So today we're gonna push there some metrics with Grafana cloud agent.</p> <blockquote> <p>At the moment there's also a possibility to do this with a Prometheus in agent mode. However I did not test this setup yet so we're gonna stick to well-supported Grafana agent.</p> </blockquote> <h2> Kube state metrics </h2> <p>Personally I think that KSM are the most important metrics you need to monitor the cluster. They can show you restarting pods, pending pods and all the states we're trying to avoid somehow.</p> <p>All you need to do is just install KSM with helm chart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo update helm <span class="nb">install </span>ksm prometheus-community/kube-state-metrics <span class="se">\</span> <span class="nt">--set</span> image.tag<span class="o">=</span>v2.2.0 <span class="se">\</span> <span class="nt">--namespace</span> grafana-agent <span class="se">\</span> <span class="nt">--create-namespace</span> </code></pre> </div> <h2> Grafana cloud agent configuration </h2> <p>Now it's time to prepare configuration file for the scraper. Following snippet comes from the <a href="https://grafana.com/docs/grafana-cloud/kubernetes/integration-kubernetes/#configure-the-grafana-agent" rel="noopener noreferrer">official documentation</a> and it basically covers KSM, cadvisor and Kubelet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">grafana-agent</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">grafana-agent</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">agent.yaml</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">server:</span> <span class="s">http_listen_port: 12345</span> <span class="s">metrics:</span> <span class="s">wal_directory: /tmp/grafana-agent-wal</span> <span class="s">global:</span> <span class="s">scrape_interval: 60s</span> <span class="s">external_labels:</span> <span class="s">cluster: cloud</span> <span class="s">configs:</span> <span class="s">- name: integrations</span> <span class="s">remote_write:</span> <span class="s">- url: http://p01.prometheus.local:9090/api/v1/write</span> <span class="s">scrape_configs:</span> <span class="s">- bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token</span> <span class="s">job_name: integrations/kubernetes/cadvisor</span> <span class="s">kubernetes_sd_configs:</span> <span class="s">- role: node</span> <span class="s">metric_relabel_configs:</span> <span class="s">- source_labels: [__name__]</span> <span class="s">regex: container_network_transmit_packets_total|kubelet_certificate_manager_server_ttl_seconds|storage_operation_duration_seconds_bucket|node_namespace_pod_container:container_memory_swap|container_fs_writes_total|container_network_receive_bytes_total|kube_daemonset_status_desired_number_scheduled|cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits|rest_client_requests_total|node_namespace_pod_container:container_memory_working_set_bytes|kubernetes_build_info|kube_node_status_capacity|kubelet_pleg_relist_duration_seconds_bucket|kubelet_running_pods|storage_operation_errors_total|kubelet_running_containers|kube_daemonset_status_number_misscheduled|kube_job_failed|kube_statefulset_status_replicas|kube_job_status_succeeded|container_cpu_cfs_throttled_periods_total|kube_statefulset_status_update_revision|process_resident_memory_bytes|kubelet_pod_start_duration_seconds_count|kubelet_running_container_count|container_fs_writes_bytes_total|machine_memory_bytes|kubelet_cgroup_manager_duration_seconds_count|node_namespace_pod_container:container_memory_rss|kubelet_node_config_error|kubelet_runtime_operations_duration_seconds_bucket|kubelet_pleg_relist_interval_seconds_bucket|kube_job_spec_completions|kube_statefulset_status_current_revision|kube_statefulset_replicas|cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests|kubelet_node_name|kubelet_pod_worker_duration_seconds_bucket|go_goroutines|kubelet_volume_stats_capacity_bytes|kube_horizontalpodautoscaler_status_current_replicas|node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate|kubelet_runtime_operations_errors_total|kube_daemonset_status_number_available|kube_deployment_status_replicas_available|up|storage_operation_duration_seconds_count|kube_daemonset_status_current_number_scheduled|kube_statefulset_status_replicas_updated|kube_node_status_condition|kube_node_status_allocatable|rest_client_request_duration_seconds_bucket|container_cpu_usage_seconds_total|namespace_workload_pod:kube_pod_owner:relabel|kubelet_pleg_relist_duration_seconds_count|kube_pod_owner|namespace_cpu:kube_pod_container_resource_requests:sum|kube_horizontalpodautoscaler_spec_max_replicas|kube_statefulset_status_replicas_ready|container_fs_reads_total|node_namespace_pod_container:container_memory_cache|container_network_transmit_packets_dropped_total|kubelet_volume_stats_inodes_used|kube_node_spec_taint|cluster:namespace:pod_memory:active:kube_pod_container_resource_requests|kube_pod_info|kubelet_cgroup_manager_duration_seconds_bucket|process_cpu_seconds_total|container_memory_cache|kube_statefulset_metadata_generation|kubelet_pod_worker_duration_seconds_count|volume_manager_total_volumes|namespace_cpu:kube_pod_container_resource_limits:sum|kube_deployment_metadata_generation|kube_replicaset_owner|container_memory_swap|kubelet_certificate_manager_client_ttl_seconds|kube_resourcequota|container_fs_reads_bytes_total|kubelet_runtime_operations_total|kube_horizontalpodautoscaler_status_desired_replicas|kube_pod_status_phase|kube_horizontalpodautoscaler_spec_min_replicas|kubelet_server_expiration_renew_errors|kube_pod_container_resource_limits|container_network_transmit_bytes_total|container_network_receive_packets_dropped_total|container_memory_working_set_bytes|kube_pod_container_status_waiting_reason|container_network_receive_packets_total|kube_namespace_created|namespace_workload_pod|kube_pod_container_resource_requests|kubelet_running_pod_count|namespace_memory:kube_pod_container_resource_limits:sum|kube_deployment_status_replicas_updated|kube_statefulset_status_observed_generation|kube_deployment_status_observed_generation|container_cpu_cfs_periods_total|node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile|kubelet_certificate_manager_client_expiration_renew_errors|cluster:namespace:pod_memory:active:kube_pod_container_resource_limits|kube_daemonset_updated_number_scheduled|kubelet_volume_stats_inodes|kube_node_info|kube_deployment_spec_replicas|container_memory_rss|namespace_memory:kube_pod_container_resource_requests:sum|kubelet_volume_stats_available_bytes</span> <span class="s">action: keep</span> <span class="s">relabel_configs:</span> <span class="s">- replacement: kubernetes.default.svc.cluster.local:443</span> <span class="s">target_label: __address__</span> <span class="s">- regex: (.+)</span> <span class="s">replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor</span> <span class="s">source_labels:</span> <span class="s">- __meta_kubernetes_node_name</span> <span class="s">target_label: __metrics_path__</span> <span class="s">scheme: https</span> <span class="s">tls_config:</span> <span class="s">ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt</span> <span class="s">insecure_skip_verify: false</span> <span class="s">server_name: kubernetes</span> <span class="s">- bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token</span> <span class="s">job_name: integrations/kubernetes/kubelet</span> <span class="s">kubernetes_sd_configs:</span> <span class="s">- role: node</span> <span class="s">metric_relabel_configs:</span> <span class="s">- source_labels: [__name__]</span> <span class="s">regex: container_network_transmit_packets_total|kubelet_certificate_manager_server_ttl_seconds|storage_operation_duration_seconds_bucket|node_namespace_pod_container:container_memory_swap|container_fs_writes_total|container_network_receive_bytes_total|kube_daemonset_status_desired_number_scheduled|cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits|rest_client_requests_total|node_namespace_pod_container:container_memory_working_set_bytes|kubernetes_build_info|kube_node_status_capacity|kubelet_pleg_relist_duration_seconds_bucket|kubelet_running_pods|storage_operation_errors_total|kubelet_running_containers|kube_daemonset_status_number_misscheduled|kube_job_failed|kube_statefulset_status_replicas|kube_job_status_succeeded|container_cpu_cfs_throttled_periods_total|kube_statefulset_status_update_revision|process_resident_memory_bytes|kubelet_pod_start_duration_seconds_count|kubelet_running_container_count|container_fs_writes_bytes_total|machine_memory_bytes|kubelet_cgroup_manager_duration_seconds_count|node_namespace_pod_container:container_memory_rss|kubelet_node_config_error|kubelet_runtime_operations_duration_seconds_bucket|kubelet_pleg_relist_interval_seconds_bucket|kube_job_spec_completions|kube_statefulset_status_current_revision|kube_statefulset_replicas|cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests|kubelet_node_name|kubelet_pod_worker_duration_seconds_bucket|go_goroutines|kubelet_volume_stats_capacity_bytes|kube_horizontalpodautoscaler_status_current_replicas|node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate|kubelet_runtime_operations_errors_total|kube_daemonset_status_number_available|kube_deployment_status_replicas_available|up|storage_operation_duration_seconds_count|kube_daemonset_status_current_number_scheduled|kube_statefulset_status_replicas_updated|kube_node_status_condition|kube_node_status_allocatable|rest_client_request_duration_seconds_bucket|container_cpu_usage_seconds_total|namespace_workload_pod:kube_pod_owner:relabel|kubelet_pleg_relist_duration_seconds_count|kube_pod_owner|namespace_cpu:kube_pod_container_resource_requests:sum|kube_horizontalpodautoscaler_spec_max_replicas|kube_statefulset_status_replicas_ready|container_fs_reads_total|node_namespace_pod_container:container_memory_cache|container_network_transmit_packets_dropped_total|kubelet_volume_stats_inodes_used|kube_node_spec_taint|cluster:namespace:pod_memory:active:kube_pod_container_resource_requests|kube_pod_info|kubelet_cgroup_manager_duration_seconds_bucket|process_cpu_seconds_total|container_memory_cache|kube_statefulset_metadata_generation|kubelet_pod_worker_duration_seconds_count|volume_manager_total_volumes|namespace_cpu:kube_pod_container_resource_limits:sum|kube_deployment_metadata_generation|kube_replicaset_owner|container_memory_swap|kubelet_certificate_manager_client_ttl_seconds|kube_resourcequota|container_fs_reads_bytes_total|kubelet_runtime_operations_total|kube_horizontalpodautoscaler_status_desired_replicas|kube_pod_status_phase|kube_horizontalpodautoscaler_spec_min_replicas|kubelet_server_expiration_renew_errors|kube_pod_container_resource_limits|container_network_transmit_bytes_total|container_network_receive_packets_dropped_total|container_memory_working_set_bytes|kube_pod_container_status_waiting_reason|container_network_receive_packets_total|kube_namespace_created|namespace_workload_pod|kube_pod_container_resource_requests|kubelet_running_pod_count|namespace_memory:kube_pod_container_resource_limits:sum|kube_deployment_status_replicas_updated|kube_statefulset_status_observed_generation|kube_deployment_status_observed_generation|container_cpu_cfs_periods_total|node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile|kubelet_certificate_manager_client_expiration_renew_errors|cluster:namespace:pod_memory:active:kube_pod_container_resource_limits|kube_daemonset_updated_number_scheduled|kubelet_volume_stats_inodes|kube_node_info|kube_deployment_spec_replicas|container_memory_rss|namespace_memory:kube_pod_container_resource_requests:sum|kubelet_volume_stats_available_bytes</span> <span class="s">action: keep</span> <span class="s">relabel_configs:</span> <span class="s">- replacement: kubernetes.default.svc.cluster.local:443</span> <span class="s">target_label: __address__</span> <span class="s">- regex: (.+)</span> <span class="s">replacement: /api/v1/nodes/${1}/proxy/metrics</span> <span class="s">source_labels:</span> <span class="s">- __meta_kubernetes_node_name</span> <span class="s">target_label: __metrics_path__</span> <span class="s">scheme: https</span> <span class="s">tls_config:</span> <span class="s">ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt</span> <span class="s">insecure_skip_verify: false</span> <span class="s">server_name: kubernetes</span> <span class="s">- job_name: integrations/kubernetes/kube-state-metrics</span> <span class="s">kubernetes_sd_configs:</span> <span class="s">- role: service</span> <span class="s">metric_relabel_configs:</span> <span class="s">- source_labels: [__name__]</span> <span class="s">regex: container_network_transmit_packets_total|kubelet_certificate_manager_server_ttl_seconds|storage_operation_duration_seconds_bucket|node_namespace_pod_container:container_memory_swap|container_fs_writes_total|container_network_receive_bytes_total|kube_daemonset_status_desired_number_scheduled|cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits|rest_client_requests_total|node_namespace_pod_container:container_memory_working_set_bytes|kubernetes_build_info|kube_node_status_capacity|kubelet_pleg_relist_duration_seconds_bucket|kubelet_running_pods|storage_operation_errors_total|kubelet_running_containers|kube_daemonset_status_number_misscheduled|kube_job_failed|kube_statefulset_status_replicas|kube_job_status_succeeded|container_cpu_cfs_throttled_periods_total|kube_statefulset_status_update_revision|process_resident_memory_bytes|kubelet_pod_start_duration_seconds_count|kubelet_running_container_count|container_fs_writes_bytes_total|machine_memory_bytes|kubelet_cgroup_manager_duration_seconds_count|node_namespace_pod_container:container_memory_rss|kubelet_node_config_error|kubelet_runtime_operations_duration_seconds_bucket|kubelet_pleg_relist_interval_seconds_bucket|kube_job_spec_completions|kube_statefulset_status_current_revision|kube_statefulset_replicas|cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests|kubelet_node_name|kubelet_pod_worker_duration_seconds_bucket|go_goroutines|kubelet_volume_stats_capacity_bytes|kube_horizontalpodautoscaler_status_current_replicas|node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate|kubelet_runtime_operations_errors_total|kube_daemonset_status_number_available|kube_deployment_status_replicas_available|up|storage_operation_duration_seconds_count|kube_daemonset_status_current_number_scheduled|kube_statefulset_status_replicas_updated|kube_node_status_condition|kube_node_status_allocatable|rest_client_request_duration_seconds_bucket|container_cpu_usage_seconds_total|namespace_workload_pod:kube_pod_owner:relabel|kubelet_pleg_relist_duration_seconds_count|kube_pod_owner|namespace_cpu:kube_pod_container_resource_requests:sum|kube_horizontalpodautoscaler_spec_max_replicas|kube_statefulset_status_replicas_ready|container_fs_reads_total|node_namespace_pod_container:container_memory_cache|container_network_transmit_packets_dropped_total|kubelet_volume_stats_inodes_used|kube_node_spec_taint|cluster:namespace:pod_memory:active:kube_pod_container_resource_requests|kube_pod_info|kubelet_cgroup_manager_duration_seconds_bucket|process_cpu_seconds_total|container_memory_cache|kube_statefulset_metadata_generation|kubelet_pod_worker_duration_seconds_count|volume_manager_total_volumes|namespace_cpu:kube_pod_container_resource_limits:sum|kube_deployment_metadata_generation|kube_replicaset_owner|container_memory_swap|kubelet_certificate_manager_client_ttl_seconds|kube_resourcequota|container_fs_reads_bytes_total|kubelet_runtime_operations_total|kube_horizontalpodautoscaler_status_desired_replicas|kube_pod_status_phase|kube_horizontalpodautoscaler_spec_min_replicas|kubelet_server_expiration_renew_errors|kube_pod_container_resource_limits|container_network_transmit_bytes_total|container_network_receive_packets_dropped_total|container_memory_working_set_bytes|kube_pod_container_status_waiting_reason|container_network_receive_packets_total|kube_namespace_created|namespace_workload_pod|kube_pod_container_resource_requests|kubelet_running_pod_count|namespace_memory:kube_pod_container_resource_limits:sum|kube_deployment_status_replicas_updated|kube_statefulset_status_observed_generation|kube_deployment_status_observed_generation|container_cpu_cfs_periods_total|node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile|kubelet_certificate_manager_client_expiration_renew_errors|cluster:namespace:pod_memory:active:kube_pod_container_resource_limits|kube_daemonset_updated_number_scheduled|kubelet_volume_stats_inodes|kube_node_info|kube_deployment_spec_replicas|container_memory_rss|namespace_memory:kube_pod_container_resource_requests:sum|kubelet_volume_stats_available_bytes</span> <span class="s">action: keep</span> <span class="s">relabel_configs:</span> <span class="s">- action: keep</span> <span class="s">regex: ksm-kube-state-metrics</span> <span class="s">source_labels:</span> <span class="s">- __meta_kubernetes_service_name</span> </code></pre> </div> <p>You can see that it's pretty much the same scheme as the Prometheus configuration has. So if you need to adjust some metrics - check the official Prometheus documentation.</p> <p>Now you can just apply the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> config.yaml </code></pre> </div> <h2> Grafana cloud agent deployment </h2> <p>When we have the configuration in place, we can proceed to the last bit - Deployment with the Grafana agent. Again, everything's described in the <a href="https://grafana.com/docs/grafana-cloud/kubernetes/integration-kubernetes/#deploy-grafana-agent-resources" rel="noopener noreferrer">official documentation</a> but this is what you need to do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">MANIFEST_URL</span><span class="o">=</span>https://raw.githubusercontent.com/grafana/agent/main/production/kubernetes/agent-bare.yaml <span class="se">\</span> <span class="nv">NAMESPACE</span><span class="o">=</span>grafana-agent <span class="se">\</span> /bin/sh <span class="nt">-c</span> <span class="s2">"</span><span class="si">$(</span>curl <span class="nt">-fsSL</span> https://raw.githubusercontent.com/grafana/agent/release/production/kubernetes/install-bare.sh<span class="si">)</span><span class="s2">"</span> <span class="o">&gt;</span>Β deploy.yaml </code></pre> </div> <p>and apply the manifest:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> deploy.yaml </code></pre> </div> <p>As the result we have 2 pods running in the <code>grafana-agent</code> namespace.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME READY STATUS RESTARTS AGE grafana-agent-6f8b68fd6-hbnkr 1/1 Running 0 6d16h ksm-kube-state-metrics-7d8f59c464-tb9st 1/1 Running 0 10d </code></pre> </div> <h2> Result </h2> <p>And guess what, now we have metrics stored in the Prometheus! If you're wondering why I communicate with <code>localhost:9090</code> - check the previous chapter. This is AWS SSM port-forwarding functionality that is really useful for some basic debugging.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzwt269wta0o82cnpe863.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzwt269wta0o82cnpe863.png" alt="Image description"></a></p> <h2> Wrap </h2> <p>So now we have the complete monitoring stack. But do we really need to use some strange port-forwarding to get there? Not really. The golden standard for the viewing of metrics is the Grafana and this is what we're gonna do in the next chapter. Stay tuned!</p> infrastructure observability devops Part I: EC2 with Prometheus Stepan Vrany Tue, 22 Feb 2022 09:09:14 +0000 https://dev.to/stepanvrany/part-i-ec2-with-prometheus-40ph https://dev.to/stepanvrany/part-i-ec2-with-prometheus-40ph <p>I'm a big fan of lean Kubernetes clusters. This means that I'm quite hesitant to run there some resource-intensive workload that can't be easily scaled. So what to do with Prometheus that fits such description?</p> <p>Well, there's a pretty new feature called <a href="https://prometheus.io/docs/prometheus/latest/feature_flags/#remote-write-receiver">remote write receiver</a> that can help us to run Prometheus somewhere else and <strong>keep Kubernetes clusters small</strong>.</p> <p>So let's just quickly go through the basic setup with single Prometheus server running in standalone EC2 instance.</p> <blockquote> <p>This tutorial is very AWS and Terraform specific but it does not necessarily means that you can't use it anywhere else. </p> </blockquote> <h2> Prometheus installation: summary </h2> <p>Let's summarize what we need in order to get this running: </p> <ul> <li>Security group with ingress rule for 9090 port</li> <li>S3 bucket for configuration files</li> <li>IAM role</li> <li>IAM permissions</li> <li>Instance profile with role attached</li> <li>EBS volume</li> <li>some <a href="https://cloudinit.readthedocs.io/en/latest/topics/examples.html">cloud-init</a> that puts all the pieces together and start the Prometheus</li> <li>internal hostname</li> </ul> <h2> Security group </h2> <p>So the story here is that some agent running inside the cluster will be accessing the Prometheus server. Such cluster has some Security Group attached so we can use it as the reference in our rules - <code>var.source_security_group_id</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ec2_prometheus_</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">environment</span><span class="k">}</span><span class="s2">"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"egress_all"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"egress"</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"0.0.0.0/0"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"ingress_prometheus"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">9090</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">source_security_group_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">source_security_group_id</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">9090</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>Note the <code>0.0.0.0/0</code> egress rule. This is kinda classic rule that basically allow all outgoing communication. In our case we'll need it to pull Prometheus artifacts from GitHub. This might differ based on your configuration and security requirements. </p> </blockquote> <h2> S3 bucket for the configuration </h2> <p>S3 bucket is used as the store for prometheus config, rules config and the alertmanager config. We can also use userdata but it's no so convenient since every change in configuration files would replace the EC2 instance.</p> <p>Hence we render configuration files, put them into s3 bucket and Prometheus instance will be pulling them as needed.</p> <p>So the following snippet create one S3 bucket with 3 objects - config, rules and alertmanager config.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">prometheus_config</span> <span class="p">=</span> <span class="nx">yamlencode</span><span class="p">({</span> <span class="nx">global</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">scrape_interval</span> <span class="p">=</span> <span class="s2">"1m"</span><span class="p">,</span> <span class="p">},</span> <span class="nx">rule_files</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"/etc/prometheus/prometheus.rules.yaml"</span><span class="p">,</span> <span class="p">],</span> <span class="nx">alerting</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">alertmanagers</span> <span class="err">:</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">static_configs</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">targets</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"localhost:9093"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="p">],</span> <span class="p">}</span> <span class="p">],</span> <span class="p">},</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"config"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">environment</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_object"</span> <span class="s2">"prometheus_config"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">id</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"prometheus.yaml"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span> <span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="k">module}</span><span class="s2">/prometheus.config.yaml"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span><span class="p">,</span> <span class="nx">s3_bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">config</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">prometheus_config</span><span class="p">,</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_object"</span> <span class="s2">"prometheus_rules"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">id</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"prometheus.rules.yaml"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span> <span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="k">module}</span><span class="s2">/prometheus.rules.config.yaml"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span><span class="p">,</span> <span class="nx">s3_bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">config</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">config_prometheus_rules</span><span class="p">,</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_object"</span> <span class="s2">"alertmanager_config"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">id</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"alertmanager.yaml"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span> <span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="k">module}</span><span class="s2">/alertmanager.config.yaml"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span><span class="p">,</span> <span class="nx">s3_bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">config</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">config_alertmanager</span><span class="p">,</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>Now let's check all the templates referenced there. The first one is the prometheus config.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># prometheus configuration</span> <span class="c1"># environment: ${environment}</span> <span class="c1"># bucket: ${s3_bucket}</span> <span class="nn">---</span> <span class="s">${config}%</span> </code></pre> </div> <p>It does not contain anything special and same applies for the other files. This is the file for the rules<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># prometheus configuration</span> <span class="c1"># environment: ${environment}</span> <span class="c1"># bucket: ${s3_bucket}</span> <span class="nn">---</span> <span class="s">${config}</span> </code></pre> </div> <p>and this is the alertmanager configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># alertmanager configuration</span> <span class="c1"># environment: ${environment}</span> <span class="c1"># bucket: ${s3_bucket}</span> <span class="nn">---</span> <span class="s">${config}</span> </code></pre> </div> <p>The reason why we use just <code>config</code> placeholder is simple: we'd like to compose all the configuration with HCL, not YAML. Use <code>local.prometheus_config</code> for the reference. That's the magic.</p> <h2> IAM role, policy and instance profile </h2> <p>Everyone's playing some role. This EC2 instance is not different. It needs to communicate with s3 bucket and SSM (<a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/session-manager.html">for the remote management</a>) so we take this into account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ec2_prometheus_</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">environment</span><span class="k">}</span><span class="s2">"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"ec2.amazonaws.com"</span> <span class="p">}</span> <span class="p">}]</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ec2_prometheus_</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">environment</span><span class="k">}</span><span class="s2">"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="c1"># SSM Session manager stuff</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ssm:DescribeAssociation"</span><span class="p">,</span> <span class="s2">"ssm:GetDeployablePatchSnapshotForInstance"</span><span class="p">,</span> <span class="s2">"ssm:GetDocument"</span><span class="p">,</span> <span class="s2">"ssm:DescribeDocument"</span><span class="p">,</span> <span class="s2">"ssm:GetManifest"</span><span class="p">,</span> <span class="s2">"ssm:ListAssociations"</span><span class="p">,</span> <span class="s2">"ssm:ListInstanceAssociations"</span><span class="p">,</span> <span class="s2">"ssm:PutInventory"</span><span class="p">,</span> <span class="s2">"ssm:PutComplianceItems"</span><span class="p">,</span> <span class="s2">"ssm:PutConfigurePackageResult"</span><span class="p">,</span> <span class="s2">"ssm:UpdateAssociationStatus"</span><span class="p">,</span> <span class="s2">"ssm:UpdateInstanceAssociationStatus"</span><span class="p">,</span> <span class="s2">"ssm:UpdateInstanceInformation"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ssmmessages:CreateControlChannel"</span><span class="p">,</span> <span class="s2">"ssmmessages:CreateDataChannel"</span><span class="p">,</span> <span class="s2">"ssmmessages:OpenControlChannel"</span><span class="p">,</span> <span class="s2">"ssmmessages:OpenDataChannel"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2messages:AcknowledgeMessage"</span><span class="p">,</span> <span class="s2">"ec2messages:DeleteMessage"</span><span class="p">,</span> <span class="s2">"ec2messages:FailMessage"</span><span class="p">,</span> <span class="s2">"ec2messages:GetEndpoint"</span><span class="p">,</span> <span class="s2">"ec2messages:GetMessages"</span><span class="p">,</span> <span class="s2">"ec2messages:SendReply"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="c1">// s3 for the configuration</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:GetBucketLocation"</span><span class="p">,</span> <span class="s2">"s3:ListAllMyBuckets"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:List*"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:*"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"</span><span class="k">${</span><span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">arn</span><span class="k">}</span><span class="s2">/*"</span><span class="p">,</span> <span class="p">]</span> <span class="p">},</span> <span class="p">]</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_instance_profile"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ec2_prometheus_</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">environment</span><span class="k">}</span><span class="s2">"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <h2> EC2 instance </h2> <p>Now we can put all the pieces together and create the EC2 instance itself. In the following snippet you can also see the EBS volume and its attachment to the instance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ebs_volume"</span> <span class="s2">"prometheus_0"</span> <span class="p">{</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">availability_zone</span> <span class="nx">size</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">volume_size</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"gp2"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"prometheus_0"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ami_id</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="p">]</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">subnet_id</span> <span class="nx">iam_instance_profile</span> <span class="p">=</span> <span class="nx">aws_iam_instance_profile</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">environment</span><span class="k">}</span><span class="s2">_prometheus_0"</span> <span class="p">}</span> <span class="nx">user_data_base64</span> <span class="p">=</span> <span class="nx">base64encode</span><span class="p">(</span> <span class="nx">templatefile</span><span class="p">(</span> <span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="k">module}</span><span class="s2">/cloud.init.yaml"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">s3_bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span><span class="p">,</span> <span class="p">}</span> <span class="p">)</span> <span class="p">)</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_volume_attachment"</span> <span class="s2">"prometheus_0"</span> <span class="p">{</span> <span class="nx">instance_id</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">prometheus_0</span><span class="p">.</span><span class="nx">id</span> <span class="nx">volume_id</span> <span class="p">=</span> <span class="nx">aws_ebs_volume</span><span class="p">.</span><span class="nx">prometheus_0</span><span class="p">.</span><span class="nx">id</span> <span class="nx">device_name</span> <span class="p">=</span> <span class="s2">"/dev/sdf"</span> <span class="p">}</span> </code></pre> </div> <p>Please note the <code>user_data_base64</code> property in the EC2 instance definition. This section refers to the YAML template with the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1">#cloud-config</span> <span class="c1"># environment: ${environment}</span> <span class="na">runcmd</span><span class="pi">:</span> <span class="c1"># install AWS CLI, neeeded for downloading of configuration files</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">apt-get update &amp;&amp; apt-get install unzip -y</span> <span class="s">curl -Lo awscli.zip https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip</span> <span class="s">unzip awscli.zip</span> <span class="s">./aws/install</span> <span class="s">rm awscli.zip</span> <span class="c1"># install prometheus binary</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">curl -Lo prometheus.tar.gz https://github.com/prometheus/prometheus/releases/download/v2.33.1/prometheus-2.33.1.linux-arm64.tar.gz</span> <span class="s">tar -xvf prometheus.tar.gz</span> <span class="s">cp ./prometheus-2.33.1.linux-arm64/prometheus /usr/local/bin/prometheus</span> <span class="s">rm -rf ./prometheus-2.33.1.linux-arm64</span> <span class="s">rm -rf prometheus.tar.gz</span> <span class="c1"># install alertmanager binary</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">curl -Lo alertmanager.tar.gz https://github.com/prometheus/alertmanager/releases/download/v0.23.0/alertmanager-0.23.0.linux-arm64.tar.gz</span> <span class="s">tar -xvf alertmanager.tar.gz</span> <span class="s">mv ./alertmanager-0.23.0.linux-arm64/alertmanager /usr/local/bin/alertmanager</span> <span class="s">rm -rf alertmanager-0.23.0.linux-arm64</span> <span class="s">rm alertmanager.tar.gz</span> <span class="c1"># vait for EBS volume</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">while [ ! -b $(readlink -f /dev/nvme1n1) ];</span> <span class="s">do</span> <span class="s">echo "waiting for device /dev/nvme1n1"</span> <span class="s">sleep 5</span> <span class="s">done</span> <span class="s"># format volume</span> <span class="s">blkid $(readlink -f /dev/nvme1n1) || mkfs -t ext4 $(readlink -f /dev/nvme1n1)</span> <span class="s"># create a mount</span> <span class="s">mkdir -p /data</span> <span class="s">if ! grep "/dev/nvme1n1" /etc/fstab;</span> <span class="s">then</span> <span class="s">echo "/dev/nvme1n1 /data ext4 defaults,discard 0 0" &gt;&gt; /etc/fstab</span> <span class="s">fi</span> <span class="s"># mount volume</span> <span class="s">mount /data</span> <span class="c1"># enable and start systemd services</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">systemctl daemon-reload</span> <span class="s">systemctl enable prepare-prometheus.service &amp;&amp; systemctl start prepare-prometheus.service &amp;&amp; sleep 10</span> <span class="s">systemctl enable prometheus.service &amp;&amp; systemctl start prometheus.service</span> <span class="s">systemctl enable alertmanager.service &amp;&amp; systemctl start alertmanager.service</span> <span class="na">write_files</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/usr/local/bin/prepare-prometheus</span> <span class="na">permissions</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0744'</span> <span class="na">content</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">#!/bin/sh</span> <span class="s">mkdir -p /etc/prometheus</span> <span class="s">aws s3 cp s3://${s3_bucket}/prometheus.yaml /etc/prometheus/prometheus.yaml</span> <span class="s">aws s3 cp s3://${s3_bucket}/alertmanager.yaml /etc/prometheus/alertmanager.yaml</span> <span class="s">aws s3 cp s3://${s3_bucket}/prometheus.rules.yaml /etc/prometheus/prometheus.rules.yaml</span> <span class="s">curl -X POST http://localhost:9090/-/reload || true</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/systemd/system/prepare-prometheus.service</span> <span class="na">content</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">[Unit]</span> <span class="s">Description=Prepare prometheus / alertmanager configuration</span> <span class="s">Wants=network-online.target</span> <span class="s">After=network-online.target</span> <span class="s">[Service]</span> <span class="s">Type=oneshot</span> <span class="s">ExecStart=/usr/local/bin/prepare-prometheus</span> <span class="c1"># please note data.mount in dependencies</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/systemd/system/prometheus.service</span> <span class="na">content</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">[Unit]</span> <span class="s">Description=Prometheus</span> <span class="s">Wants=network-online.target</span> <span class="s">After=network-online.target data.mount prepare-prometheus.service</span> <span class="s">[Service]</span> <span class="s">Type=simple</span> <span class="s">ExecStart=/usr/local/bin/prometheus \</span> <span class="s">--config.file /etc/prometheus/prometheus.yaml \</span> <span class="s">--storage.tsdb.path /data/ \</span> <span class="s">--web.enable-lifecycle \</span> <span class="s">--web.console.templates=/etc/prometheus/consoles \</span> <span class="s">--web.console.libraries=/etc/prometheus/console_libraries \</span> <span class="s">--enable-feature=remote-write-receiver</span> <span class="s">[Install]</span> <span class="s">WantedBy=multi-user.target</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/systemd/system/alertmanager.service</span> <span class="na">content</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">[Unit]</span> <span class="s">Description=Alert Manager</span> <span class="s">Wants=network-online.target</span> <span class="s">After=network-online.target data.mount prepare-prometheus.service</span> <span class="s">[Service]</span> <span class="s">Type=simple</span> <span class="s">ExecStart=/usr/local/bin/alertmanager \</span> <span class="s">--config.file /etc/prometheus/alertmanager.yaml \</span> <span class="s">--storage.path=/data/</span> <span class="s">[Install]</span> <span class="s">WantedBy=multi-user.target</span> </code></pre> </div> <p>When you start the instance with such user data, it will download all the tools required and create systemd units for prometheus and alertmanager.</p> <p>Last but not least, there's also <code>prepare-prometheus</code> service. This oneshot (run for completion) downloads configuration files and puts them to the respective path - <code>/etc/prometheus</code>. And since prometheus and alertmanager services have this helper as a dependency - it's gonna happer before the prometheus starts.</p> <h2> Internal hostname </h2> <p>We'll also need to assign some hostname to the EC2 instance. The reason is obvious - we don't want to edit all the upcoming configuration files every time we replace the instance with the new one.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"prometheus"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"prometheus.local"</span> <span class="nx">vpc</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"prometheus_0"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"p01.prometheus.local"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">prometheus_0</span><span class="p">.</span><span class="nx">private_ip</span><span class="p">,</span> <span class="p">]</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">prometheus</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">60</span> <span class="p">}</span> </code></pre> </div> <p>Please note the <code>vpc</code> block in <code>aws_route53_zone.prometheus</code> resource. This means that <code>prometheus.local</code> names will be resolvable in the VPC. We're gonna use this functionality in the upcoming chapters.</p> <h2> Connecting to the EC2 instance </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">INSTANCE_ID</span><span class="o">=</span><span class="si">$(</span>aws ec2 describe-instances <span class="se">\</span> <span class="nt">--filters</span> <span class="s1">'Name=tag:Name,Values=dev-ap-south-1_prometheus_0'</span> <span class="s1">'Name=instance-state-name,Values=running'</span> <span class="se">\</span> <span class="nt">--output</span> text <span class="nt">--query</span> <span class="s1">'Reservations[*].Instances[*].InstanceId'</span><span class="si">)</span> </code></pre> </div> <h2> Forwarding Prometheus to localhost </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ssm start-session <span class="nt">--target</span> <span class="s2">"</span><span class="k">${</span><span class="nv">INSTANCE_ID</span><span class="k">}</span><span class="s2">"</span> <span class="nt">--document-name</span> AWS-StartPortForwardingSession <span class="nt">--parameters</span> <span class="s1">'{"portNumber":["9090"],"localPortNumber":["9090"]}'</span> </code></pre> </div> <h2> Wrap </h2> <p>In this part we've gone through the basic configuration of standalone prometheus instance. Such setup does not require any manual configuration and it will handle even AMI updates - all the persistent data are stored on EBS. </p> <p>In the next chapter I'm gonna show you the other side - agents running in the Kubernetes cluster.</p> observability infrastructure devops ESP32 with Arduino CLI Stepan Vrany Sun, 02 May 2021 08:06:00 +0000 https://dev.to/stepanvrany/esp32-with-arduino-cli-36mh https://dev.to/stepanvrany/esp32-with-arduino-cli-36mh <p>A few days ago I've bought <a href="https://www.olimex.com/Products/IoT/ESP32/ESP32-POE-ISO/open-source-hardware" rel="noopener noreferrer">this beautiful ESP32-based development board</a>. I selected Olimex since it was the only manufacturer with PoE boards available in my region (west Europe). </p> <p>Here you can see how it looks with PoE-enabled Ethernet port connected. </p> <p><iframe class="tweet-embed" id="tweet-1388518748957691907-699" src="https://platform.twitter.com/embed/Tweet.html?id=1388518748957691907"> </iframe> // Detect dark theme var iframe = document.getElementById('tweet-1388518748957691907-699'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1388518748957691907&amp;theme=dark" } </p> <p>And since I'm pretty new in this area I had to fight some battles to make it work with Arduino-cli. Here's some brief description of steps I had to do to successfully upload a sketch to the ESP32-POE-ISO.</p> <blockquote> <p>Please note that I'm Mac OS user so some details are relevant only for Apple users. </p> </blockquote> <h2> Create a new sketch </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> arduino-cli sketch new 01 <span class="nb">cd </span>01 </code></pre> </div> <p>Also, download some sample sketches from <a href="https://github.com/OLIMEX/ESP32-POE/tree/master/SOFTWARE/ARDUINO/ESP32_PoE_Ethernet_Arduino" rel="noopener noreferrer">Olimex's GitHub account</a>.</p> <h2> Arduino config file arduino-cli.yaml </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">board_manager</span><span class="pi">:</span> <span class="na">additional_urls</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://dl.espressif.com/dl/package_esp32_index.json</span> </code></pre> </div> <h2> Download the index </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> arduino-cli core update-index <span class="nt">--config-file</span> arduino-cli.yaml </code></pre> </div> <h2> Install the ESP32 core </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> arduino-cli core <span class="nb">install </span>esp32:esp32 </code></pre> </div> <h2> List the boards </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> arduino-cli board list </code></pre> </div> <p>sample output:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> <p>Port Type Board Name FQBN Core<br> /dev/cu.Bluetooth-Incoming-Port Serial Port Unknown<br><br> /dev/cu.debug-console Serial Port Unknown<br><br> /dev/cu.usbmodem009NTNHF15512 Serial Port Unknown<br><br> /dev/cu.usbserial-1310 Serial Port Unknown<br><br> /dev/cu.wlan-debug Serial Port Unknown </p> </code></pre> </div> <h2> <br> <br> <br> Try to compile the sketch<br> </h2> <br> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p>arduino-cli compile <span class="nt">--fqbn</span> esp32:esp32:esp32-poe-iso <span class="nb">.</span></p> </code></pre> </div> <h2> <br> <br> <br> Try to upload the sketch<br> </h2> <br> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p>arduino-cli upload <span class="nt">-p</span> /dev/cu.usbserial-1310 <span class="nt">--fqbn</span> esp32:esp32:esp32-poe-iso <span class="nb">.</span></p> </code></pre> </div> <h2> <br> <br> <br> Monitor the serial output<br> </h2> <br> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <p>screen /dev/cu.usbserial-1310 115200</p> </code></pre> </div> <h2> <br> <br> <br> Result<br> </h2> <p>After 30 - 40 minutes I was able to start with some basic development. Board is now connected to the Ethernet and it obtained an IPv4 address from my DHCP server.</p> <p><iframe class="tweet-embed" id="tweet-1388764656853000192-40" src="https://platform.twitter.com/embed/Tweet.html?id=1388764656853000192"> </iframe> // Detect dark theme var iframe = document.getElementById('tweet-1388764656853000192-40'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1388764656853000192&amp;theme=dark" } </p> <p>Well, it was easier than I originally thought. Can't wait to test some more complex stuff! </p> arduino esp32 iot Getting started with Arduino and TinyGo: MBP M1 edition Stepan Vrany Wed, 28 Apr 2021 07:28:31 +0000 https://dev.to/stepanvrany/getting-started-with-arduino-and-tinygo-mbp-m1-edition-3am1 https://dev.to/stepanvrany/getting-started-with-arduino-and-tinygo-mbp-m1-edition-3am1 <p>Hey, this is gonna be a very short post. Today I wanted to play a bit with my old Arduino Uno but it took me some time to identify stuff that is specific for M1 processors.</p> <p>As the first thing, we need to install all the tooling. Since there's limited support for Apple Silicons - we're gonna use Rosetta 2. Hence all the <code>brew</code> commands need to be prepended with <code>arch -x86_64</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">arch</span> <span class="nt">-x86_64</span> brew tap tinygo-org/tools <span class="nb">arch</span> <span class="nt">-x86_64</span> brew <span class="nb">install </span>tinygo <span class="nb">arch</span> <span class="nt">-x86_64</span> brew tap osx-cross/avr <span class="nb">arch</span> <span class="nt">-x86_64</span> brew <span class="nb">install </span>avr-gcc <span class="nb">arch</span> <span class="nt">-x86_64</span> brew <span class="nb">install </span>avrdude </code></pre> </div> <p>Now we can create our first Go/Arduino project.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~ <span class="nb">mkdir </span>app <span class="nb">cd </span>app <span class="nb">touch </span>main.go </code></pre> </div> <p>And we can create the first Go sketch.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"machine"</span> <span class="s">"time"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">led</span> <span class="o">:=</span> <span class="n">machine</span><span class="o">.</span><span class="n">LED</span> <span class="n">led</span><span class="o">.</span><span class="n">Configure</span><span class="p">(</span><span class="n">machine</span><span class="o">.</span><span class="n">PinConfig</span><span class="p">{</span><span class="n">Mode</span><span class="o">:</span> <span class="n">machine</span><span class="o">.</span><span class="n">PinOutput</span><span class="p">})</span> <span class="k">for</span> <span class="p">{</span> <span class="n">led</span><span class="o">.</span><span class="n">High</span><span class="p">()</span> <span class="n">time</span><span class="o">.</span><span class="n">Sleep</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Millisecond</span> <span class="o">*</span> <span class="m">10000</span><span class="p">)</span> <span class="n">led</span><span class="o">.</span><span class="n">Low</span><span class="p">()</span> <span class="n">time</span><span class="o">.</span><span class="n">Sleep</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Millisecond</span> <span class="o">*</span> <span class="m">10000</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This sketch will be blinking with integrated LED (ouptut 13). It's time to flash it to the Arduino!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tinygo flash <span class="nt">-target</span> arduino <span class="nt">-port</span> /dev/cu.usbmodem13201 </code></pre> </div> <blockquote> <p>Please note that device <code>/dev/cu.usbmodem13201</code><br> might be a bit different in your case. You can<br> identify the right one by listing <code>/dev/cu.*</code>.</p> </blockquote> arduino go