DEV Community: SyedAsadRazaDevops

Automating Daily Cost Reports in Azure for Your Production Subscription

SyedAsadRazaDevops — Thu, 16 Jan 2025 14:28:40 +0000

Managing costs effectively is one of the key aspects of optimizing your cloud resources. If you're like me, you want to stay informed about your daily Azure subscription expenses, especially for production environments. In this guide, I’ll show you how to set up automated daily cost emails for your production subscription in Azure. This setup is similar to the emails I receive for my development subscription, which provide clear insights into daily expenses.

Why Automate Daily Cost Reports?

Daily cost reports help you:

Track your spending trends and identify anomalies.
Stay within budget by monitoring expenses regularly.
Take proactive actions to optimize resource usage.

Here’s how you can set it up for your production environment.

Step 1: Access Azure Cost Management

Log in to the Azure Portal.
In the search bar, type Cost Management + Billing and select it.

Step 2: Navigate to Your Production Subscription

From the Cost Management dashboard, select Cost analysis.
Ensure the selected subscription is your production subscription.

Step 3: Configure a Custom Cost View

Use the filters in Cost analysis to tailor a view for your production subscription.
- Scope: Set it to your production subscription or resource group.
- Granularity: Select Daily.
- Group By: Choose options like resource group, service name, or location to analyze costs.
Save this custom view for quick access later.

Step 4: Set Up Scheduled Export

To automatically export your cost data daily:

Go to the Exports section under Cost Management.
Click + Add export and fill in the details:
- Name: Enter a name like “Daily Costs - Prod”.
- Subscription: Select your production subscription.
- Scope: Choose the desired scope (e.g., resource group or full subscription).
- Granularity: Choose Daily.
- Storage Account: Provide a storage account where the data will be saved.

Pro Tip: If you don’t have a storage account, create one under Storage Accounts in the Azure Portal.

Save the export. Azure will now automatically export daily cost data to your storage account.

Step 5: Enable Email Alerts

To receive daily cost emails like the one shown below:

Go to the Budgets section under Cost Management.
Click + Add to create a new budget.
- Name: Enter a name for the budget (e.g., “Prod Daily Costs”).
- Amount: Set a budget limit (e.g., $1000).
- Notification Threshold: Choose a percentage (e.g., 100% for daily updates).
- Email Recipients: Add your email address.
Save the budget.

Azure will now email you whenever the specified conditions are met.

Step 6: Optional - Use Logic Apps for Custom Email Reports

If you need more customization, use Azure Logic Apps:

Create a Logic App to query the Cost Management API daily.
Format the data as an email.
Send the email to your recipients.

This approach gives you greater flexibility, such as adding charts or filtering specific services.

Conclusion

By following these steps, you can automate daily cost emails for your production subscription, helping you monitor expenses effortlessly. This setup ensures transparency and allows you to manage resources proactively.

Do you use other methods to monitor your Azure costs? Share your insights in the comments below!

Exploring AI Services on AWS: A Comprehensive Overview

SyedAsadRazaDevops — Thu, 09 Jan 2025 13:17:17 +0000

Here is an image of an artistic representation of multiple hands interacting with the AWS console, showcasing various AWS services related to AI. The image depicts a collaborative lab setting where individuals are actively engaging with the AWS platform on different screens, highlighting services like Amazon SageMaker, Amazon Lex, Amazon Personalize, and Amazon Comprehend, among others. Elements reflect innovation, teamwork, and the practical application of AI in a cloud environment, including visual cues of AI, such as data visualizations or robotic elements, to emphasize the theme:

Exploring AI Services on AWS: A Comprehensive Overview

Introduction

As artificial intelligence (AI) continues to revolutionize industries, AWS provides a robust suite of services to help developers and organizations harness AI capabilities effectively. This article delves into key AWS services for AI, empowering you to build intelligent applications and drive innovation.

1. Amazon SageMaker: Building and Training Models

Amazon SageMaker is a fully managed service that enables you to build, train, and deploy machine learning models. It simplifies the process by providing a suite of tools to streamline each step, from data labeling to model evaluation. With SageMaker, developers can quickly prototype and iterate on machine learning applications, making it a cornerstone for AI development on AWS.

2. Amazon Rekognition: Image and Video Analysis

Amazon Rekognition offers advanced image and video analysis capabilities, providing features like facial recognition, object detection, and scene recognition. This service can be integrated into applications to enhance security, improve user experiences, and automate processes such as content moderation.

3. Amazon Lex: Conversational Interfaces

With Amazon Lex, you can create conversational interfaces for applications using voice and text. It enables developers to build chatbots and voice applications that deliver rich user experiences. Lex leverages the same technologies that power Amazon Alexa, making it an excellent choice for enhancing interactions within community platforms.

4. Amazon Personalize: Tailored Recommendations

Amazon Personalize allows you to create individualized user experiences by providing real-time product and content recommendations. Using machine learning, it analyzes user interactions and preferences to deliver customized suggestions, enhancing user engagement and satisfaction.

5. Amazon Comprehend: Natural Language Processing

Amazon Comprehend is a natural language processing (NLP) service that enables you to derive insights from text. It performs tasks like sentiment analysis, entity recognition, and topic modeling. By integrating Comprehend into your applications, you can gain valuable insights from user feedback, reviews, and discussions.

6. Amazon Translate: Multi-Language Support

To build global communities, Amazon Translate offers real-time, high-quality language translation for applications, enabling you to connect with users across different regions. This service supports numerous languages and helps facilitate better communication within diverse community settings.

Conclusion

AWS offers a powerful set of AI services that enable developers to build intelligent, user-centered applications. By leveraging services like Amazon SageMaker, Lex, Rekognition, and more, you can create innovative solutions that enhance user experience and drive engagement within your community. Embrace these technologies to stay ahead in the digital landscape and foster meaningful connections among users.

How to View WAF Logs and Add Custom Rules in Azure Front Door

SyedAsadRazaDevops — Thu, 09 Jan 2025 09:16:43 +0000

Azure Front Door's Web Application Firewall (WAF) is a powerful tool for protecting your applications from malicious traffic. However, effectively managing your WAF configuration is key to maintaining a balance between security and usability. In this blog post, we’ll explore two essential aspects:

How to view WAF logs in Azure Front Door to troubleshoot issues and gain insights.
How to add custom rules for specific URLs to ensure precise traffic control and enhanced security.

Real-World Scenario: The Importance of Logs and Custom Rules

In today’s interconnected world, even minor service disruptions can lead to significant setbacks. Recently, we encountered a "Service Unavailable" issue caused by blocked requests on a specific API, affecting critical operations.

What Happened?

A routine API request was blocked, resulting in an error message: "The request is blocked." Users were unable to proceed with their tasks. A reference ID was provided, pointing to the Web Application Firewall (WAF) as the culprit.

Error: Unexpected character encountered while parsing value: <. Path , line 0, position 0.
an unexpected character < while trying to parse a JSON value. This suggests that the response being parsed is an XML or HTML document, not JSON.

Possible Causes:

Firewall or Bot Protection Rules: Strict rules flagged legitimate traffic as suspicious.
Request Overload: High traffic triggered rate-limiting mechanisms.
Configuration Errors: Misconfigured rules led to unnecessary blockages.

This incident highlighted the need for effective troubleshooting using WAF logs and the ability to add custom rules to avoid false positives.

1. Viewing WAF Logs in Azure Front Door

When WAF blocks requests, logs provide invaluable insights, helping you understand the reasons behind the blockage and take corrective actions.

How to Access WAF Logs

Enable Diagnostic Logging:
- In the Azure portal, navigate to Front Door.
- Under the Monitoring section, select Diagnostics settings.
- Create a new diagnostic setting and enable WAF logs.
- Send these logs to one of the following destinations:
  - Log Analytics Workspace
  - Azure Storage Account
  - Event Hub

Analyze Logs in Log Analytics:

Open your Log Analytics Workspace and use the following query to filter WAF logs:

 AzureDiagnostics
 | where ResourceType == "FRONTDOOR_WAF"
 | project TimeGenerated, clientIP_s, requestUri_s, ruleName_s, action_s

Key fields to analyze include:
- requestUri_s: The URL of the request.
- clientIP_s: The client’s IP address.
- ruleName_s: The WAF rule triggered (e.g., Bot300100).
- action_s: The action taken (e.g., BLOCK, ALLOW).

Example log entry:

   TimeGenerated: 2025-01-08T12:34:56Z
   clientIP_s: 192.168.1.1
   requestUri_s: /api/AddDevice
   ruleName_s: Bot300100
   action_s: BLOCK

View Logs Through Security Analytics:
- Navigate to Front Door in the Azure portal.
- Go to the Analytics section and open the Security Report.
- The Security Report provides a summary of blocked requests, allowed traffic, and matched rules.
- For a deeper dive, download the CSV report for a detailed view of WAF activities. This is especially useful for quick audits and trend analysis without requiring advanced configurations.

2. Adding Custom Rules for Specific URLs

Default WAF rules might not always align with your application's unique requirements. For example, you may want to allow specific API endpoints while maintaining strict rules for others. Custom rules give you the flexibility to tailor WAF behavior to your needs.

How to Create a Custom Rule

Navigate to the WAF Policy:
- In the Azure portal, go to Front Door and CDN profiles.
- Select your Front Door profile and open the Web Application Firewall section.
- Access the WAF policy attached to your Front Door.
Add a Custom Rule:
- Click Custom Rules and select Add Custom Rule.
- Configure the rule with the following parameters:
  - Name: A descriptive name (e.g., AllowSpecificAPI).
  - Priority: Lower numbers indicate higher priority (e.g., 100).
  - Action: Choose Allow or Block.
  - Match Conditions:
  - Match Type: Use “URL path.”
  - Operator: Use “Contains” or “Equals.”
  - Value: Enter the specific URL (e.g., /api/AddDevice).
Test the Rule:
- Save and deploy the rule.
- Use tools like curl or Postman to test the custom rule.
- Check logs to confirm the rule is applied correctly.
Regularly Review and Update Rules:
- Monitor WAF logs to ensure the custom rule is functioning as intended.
- Modify rules based on new traffic patterns or security requirements.

Example: Allowing a Specific API Endpoint

If an endpoint like /api/AddDevice is frequently blocked but used by legitimate clients, you can create a custom rule as follows:

Match Conditions:
- URL Path = /api/AddDevice
- IP Address = Whitelisted IPs
Action: Allow

This ensures seamless access to the endpoint without compromising the security of other URLs.

Best Practices for Managing Azure Front Door WAF

Regular Log Reviews:

Analyze logs frequently to identify false positives and refine rules.
Detection Mode for Testing:

Test new rules in Detection mode before enforcing them to prevent unintended disruptions.
Leverage Rate Limiting:

Implement rate-limiting rules to protect against abusive traffic.
Enable Geo-Blocking:

Restrict traffic from regions that don’t require access to your application.
Use Custom Rules Sparingly:

Keep custom rules targeted and simple to avoid performance impacts.

Conclusion

Azure Front Door’s WAF is a robust tool for securing your applications. By learning to view logs effectively and create custom rules, you can fine-tune its behavior to suit your application’s specific needs. Regularly monitor, adapt, and optimize your WAF configuration to stay ahead of evolving threats.

Have you configured custom rules or analyzed logs in Azure Front Door WAF? Share your insights and tips in the comments below!

Unlocking Cloud-Native Security with Cilium and eBPF

SyedAsadRazaDevops — Thu, 19 Dec 2024 07:50:30 +0000

Introduction 🌐🔒🚀

As cloud-native applications scale, securing workloads while maintaining performance becomes critical. This is where Cilium, an open-source networking, observability, and security tool, shines. Backed by the power of eBPF (Extended Berkeley Packet Filter), Cilium provides secure, high-performance communication between microservices in Kubernetes environments.

What is Cilium? 🔍💻🔧

Cilium is a cloud-native networking solution that secures and monitors service-to-service communication. It leverages eBPF to operate within the Linux kernel, enabling dynamic programmability and reducing the performance overhead associated with traditional firewalls.

Key Features of Cilium

Network Security:
Identity-aware security policies based on Kubernetes labels.
Transparent encryption for secure data transport.
Observability:
Fine-grained visibility into network traffic using Hubble, Cilium's observability platform.
Real-time service dependency maps and network flow monitoring.
Scalability and Performance:
Kernel-level packet processing with eBPF for low latency.
Scales seamlessly in large Kubernetes clusters.
Service Mesh Integration:
Service mesh capabilities like traffic management, load balancing, and security.
Works alongside existing tools like Istio and Envoy.

How Cilium Works ⚙️📡📈

Cilium uses eBPF programs attached to various points in the Linux kernel, such as network interfaces and system calls. This allows it to inspect, modify, and route network packets in real-time. Kubernetes network policies are automatically translated into eBPF code, ensuring secure communication.

Deploying Cilium 🚀📦🔧

Prepare Your Environment:

Ensure you have a running Kubernetes cluster.
Install kubectl and helm if not already installed.

Add the Cilium Helm Repository:

helm repo add cilium https://helm.cilium.io/
helm repo update

Deploy Cilium Using Helm:

helm install cilium cilium/cilium --version <latest-version> \
  --namespace kube-system \
  --set kubeProxyReplacement=strict \
  --set k8sServiceHost=<your-k8s-api-server> \
  --set k8sServicePort=<your-k8s-api-port>

Verify Deployment:

kubectl get pods -n kube-system

Ensure that all Cilium-related pods are running.

Enable Hubble (Optional for Observability):

helm upgrade cilium cilium/cilium --namespace kube-system \
  --set hubble.enabled=true \
  --set hubble.relay.enabled=true \
  --set hubble.ui.enabled=true

Getting Started with Cilium 🛡️👨‍💻📊

Define Policies: Create Kubernetes NetworkPolicies or Cilium-specific policies.
Monitor Traffic: Use Hubble UI or CLI for observability.

Why Choose Cilium? ⚡🔐👀

Performance: Kernel-level processing ensures minimal performance impact.
Security: Built-in encryption and identity-aware access controls.
Visibility: Deep observability into cloud-native workloads.

Real-World Use Cases 🌍🏦🛒

- Financial Services: Enforcing strict network security for sensitive workloads.
- E-commerce: Scaling secure and reliable microservices.
- Healthcare: Ensuring data compliance and observability.

Conclusion 🎯✅📈

Cilium is redefining cloud-native security and observability with eBPF. Its seamless integration with Kubernetes, superior performance, and deep visibility make it a go-to solution for modern cloud-native architectures. Whether securing a microservices-based application or building a scalable Kubernetes platform, Cilium offers the best of both worlds: powerful security and unmatched performance.

Call to Action: 📢📚✨

Ready to enhance your Kubernetes security? Explore the official Cilium documentation and start your journey toward a more secure and observable cloud-native environment.

THANK'S FOR READING

How to Install Plugins in Kubernetes and Essential Plugins to Get Started

SyedAsadRazaDevops — Tue, 27 Aug 2024 11:37:49 +0000

Kubernetes is a powerful container orchestration platform, but its capabilities can be significantly extended with plugins. Plugins provide additional functionality that can enhance the operational capabilities of your Kubernetes clusters, streamline workflows, and add features not available out of the box. In this guide, we'll explore how to install plugins in Kubernetes and discuss some essential plugins to help you get started.

What Are Kubernetes Plugins?

Kubernetes plugins, or "kubectl plugins," are tools that extend the functionality of the kubectl command-line tool. These plugins can be developed by the community or Kubernetes administrators to add specific features or automate tasks. They are designed to be seamlessly integrated into your existing Kubernetes setup, providing extra capabilities while maintaining the core functionality of Kubernetes.

Why Use Kubernetes Plugins?

Plugins can help you:

Automate repetitive tasks: Speed up your workflows by automating common actions.
Enhance security: Integrate security tools to better manage and monitor your clusters.
Simplify management: Make cluster management easier with tools that provide additional insights or simplify complex commands.

Installing Plugins in Kubernetes

To install plugins in Kubernetes, follow these steps:

Step 1: Set Up Your Environment

Ensure you have the following prerequisites:

kubectl: The command-line tool for Kubernetes.
krew: A package manager for kubectl plugins.

Step 2: Install Krew

Krew is a plugin manager for kubectl that makes it easy to discover and install plugins. Follow these steps to install Krew:

Download Krew:

(
  set -x; cd "$(mktemp -d)" &&
  OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
  ARCH="$(uname -m | sed 's/x86_64/amd64/;s/arm.*/arm/;s/aarch64$/arm64/')" &&
  KREW="krew-${OS}_${ARCH}" &&
  curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
  tar zxvf "${KREW}.tar.gz" &&
  ./"${KREW}" install krew
)

Add Krew to your PATH:

export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"

Verify the installation:

kubectl krew

You should see a list of Krew commands if the installation was successful.

Step 3: Install Plugins Using Krew

With Krew installed, you can now search for and install plugins. Here’s how:

Search for plugins:

kubectl krew search

This command lists all available plugins.

Install a plugin: For example, to install the kubectl neat plugin, which cleans up Kubernetes manifests to make them more readable, run:

kubectl krew install neat

Use the installed plugin: You can now use the plugin by prefixing the command with kubectl. For example:

kubectl neat -f my-pod.yaml

This command will clean up the my-pod.yaml file to make it more readable.

Essential Kubernetes Plugins to Get Started

Here are some essential plugins that every Kubernetes user should consider installing:

kubectl-neat Purpose: Simplifies Kubernetes manifests by removing clutter, such as managed fields and default values, making them easier to read and understand.

Installation:

kubectl krew install neat

Usage:

kubectl get pod my-pod -o yaml | kubectl neat

kubectl-ctx and kubectl-ns Purpose: Quickly switch between different Kubernetes contexts and namespaces. These plugins help manage multiple clusters and namespaces efficiently.

Installation:

kubectl krew install ctx
kubectl krew install ns

Usage:

kubectl ctx    # List all contexts
kubectl ctx my-context    # Switch to 'my-context'
kubectl ns my-namespace   # Switch to 'my-namespace'

kubectl-who-can Purpose: Helps identify which users or service accounts have permission to perform specific actions in the cluster. This is particularly useful for debugging RBAC issues.

Installation:

kubectl krew install who-can

Usage:

kubectl who-can create pods

kubectl-view-secret Purpose: It makes it easier to view Kubernetes secrets. The plugin decodes base64-encoded secrets in a human-readable format.

Installation:

kubectl krew install view-secret

Usage:

kubectl view-secret my-secret

kubectl-replace-image Purpose: Allows for easy replacement of container images in a running Kubernetes Deployment. This is useful when you want to quickly change the image of a deployment without editing the manifest file.

Installation:

kubectl krew install replace-image

Usage:

kubectl replace-image deployment/my-deployment container-name=new-image:tag

Conclusion

Plugins are a powerful way to extend Kubernetes' functionality and streamline workflows. Using Krew to install and manage plugins, you can easily add new features to your Kubernetes toolkit and improve your cluster management capabilities. Start with the essential plugins mentioned in this guide and explore the extensive list of available plugins to find tools that best suit your needs.

Share Your Experience

Have you used any other Kubernetes plugins that you find indispensable? Share your experiences and recommendations in the comments below!

Deploying a Microservices Application Using Helm on Kubernetes

SyedAsadRazaDevops — Sun, 28 Jul 2024 08:05:40 +0000

Helm, often described as the package manager for Kubernetes, simplifies the deployment and management of applications within Kubernetes clusters. This guide will walk you through deploying a microservices application using Helm, illustrating key concepts such as creating Helm charts, managing dependencies, and deploying a multi-service application.

Prerequisites

Before we begin, ensure you have the following tools installed:

kubectl: Kubernetes command-line tool.
minikube: Local Kubernetes cluster for development and testing.
Docker: For building container images.
Helm: Kubernetes package manager.

Overview

We will deploy a sample application consisting of two microservices:

Frontend Service: A simple web application that communicates with the backend service.
Backend Service: An API that returns a message.

We'll use Helm to package these services into charts, manage their dependencies, and deploy them to a Kubernetes cluster.

Step 1: Build Docker Images

First, we need to create Docker images for our frontend and backend services.

Backend Service
Create a simple Node.js backend service:

// backend/server.js
const express = require('express');
const app = express();

app.get('/api/message', (req, res) => {
    res.json({ message: 'Hello from the backend!' });
});

const port = 3000;
app.listen(port, () => {
    console.log(`Backend service running on port ${port}`);
});

Create a Dockerfile for the backend:

# backend/Dockerfile
FROM node:14
WORKDIR /app
COPY server.js .
RUN npm install express
EXPOSE 3000
CMD ["node", "server.js"]

Frontend Service
Create a simple HTML file for the frontend service:

<!-- frontend/index.html -->
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Frontend Service</title>
</head>
<body>
    <h1>Frontend Service</h1>
    <div id="message"></div>
    <script>
        fetch('/api/message')
            .then(response => response.json())
            .then(data => {
                document.getElementById('message').innerText = data.message;
            });
    </script>
</body>
</html>

Create a Dockerfile for the frontend:

# frontend/Dockerfile
FROM nginx:alpine
COPY index.html /usr/share/nginx/html

Build Docker Images
Navigate to each service directory and build the Docker images:
In backend directory
docker build -t backend-service
In frontend directory
docker build -t frontend-service

Step 2: Create Helm Charts

Create a Helm Chart for the Backend Service
Navigate to a working directory and create a new Helm chart:

helm create backend

This command generates a basic Helm chart structure. Modify the backend/templates/deployment.yaml file to suit our backend service:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-backend
spec:
  replicas: 2
  selector:
    matchLabels:
      app: {{ .Release.Name }}-backend
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-backend
    spec:
      containers:
      - name: backend
        image: backend-service
        ports:
        - containerPort: 3000

Modify the backend/templates/service.yaml file:

apiVersion: v1
kind: Service
metadata:
  name: {{ .Release.Name }}-backend
spec:
  selector:
    app: {{ .Release.Name }}-backend
  ports:
    - protocol: TCP
      port: 80
      targetPort: 3000

Create a Helm Chart for the Frontend Service

Similarly, create a Helm chart for the frontend service:

helm create frontend

Modify the frontend/templates/deployment.yaml file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-frontend
spec:
  replicas: 2
  selector:
    matchLabels:
      app: {{ .Release.Name }}-frontend
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-frontend
    spec:
      containers:
      - name: frontend
        image: frontend-service
        ports:
        - containerPort: 80

Modify the frontend/templates/service.yaml file:

apiVersion: v1
kind: Service
metadata:
  name: {{ .Release.Name }}-frontend
spec:
  selector:
    app: {{ .Release.Name }}-frontend
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80

Step 3: Deploy Using Helm

Start your Minikube cluster:
minikube start

Deploy the Backend Service
Navigate to the backend directory and install the chart:

helm install backend ./backend

Deploy the Frontend Service
Navigate to the frontend directory and install the chart:

helm install frontend ./frontend

Step 4: Set Up Ingress

To expose the frontend service externally, we will set up an ingress.

Enable Ingress in Minikube
Enable the ingress addon:

minikube addons enable ingress

Create Ingress Resource
Create an ingress resource to route traffic to the frontend service:

# ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend-ingress
spec:
  rules:
  - host: frontend.local
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend
            port:
              number: 80

Apply the ingress configuration:

kubectl apply -f ingress.yaml

Add an entry to your /etc/hosts file to map frontend.local to the Minikube IP:

echo "$(minikube ip) frontend.local" | sudo tee -a /etc/hosts

Step 5: Verify the Deployment

Access the frontend service in your browser by navigating to http://frontend.local. You should see the frontend page displaying the message fetched from the backend service.

Conclusion

In this guide, we've deployed a microservices application using Helm on Kubernetes, demonstrating intermediate concepts like creating Helm charts, managing dependencies, and setting up ingress. Helm simplifies the deployment and management of Kubernetes applications, making it a powerful tool for cloud-native development.

By sharing this tutorial, you're providing valuable technical content to the CNCF community, helping others understand and leverage Helm for their Kubernetes deployments.

Deploy Teleport on a Linux ubuntu Server

SyedAsadRazaDevops — Mon, 12 Feb 2024 08:13:18 +0000

## Deploying Teleport on a Linux Ubuntu Server: A Step-by-Step Guide

Introduction:
Teleport is an open-source platform designed to secure and manage access to infrastructure. In this guide, we'll walk through the process of deploying Teleport on a Linux Ubuntu Server. By the end of this tutorial, you'll have a robust access management solution for your infrastructure.

Prerequisites:
Before we begin, make sure you have the following:

A Linux Ubuntu Server (18.04 LTS or later).
SSH access to your server with sudo privileges.
A domain or subdomain pointing to your server's IP address.
Step 1: Update and Upgrade Packages
Ensure that your server is up to date by running the following commands:



sudo apt update
sudo apt upgrade

Step 2: Install Docker and Docker Compose
Teleport relies on Docker, so let's install it along with Docker Compose:



sudo apt install docker.io docker-compose

Start and enable the Docker service:



sudo systemctl start docker
sudo systemctl enable docker

Step 3: Create Teleport Configuration
Create a directory to store your Teleport configuration:



sudo mkdir -p /etc/teleport

Now, create a teleport.yaml configuration file. You can use a text editor of your choice:



sudo nano /etc/teleport/teleport.yaml

Copy and paste the following example, replacing with your actual domain:




teleport:
  nodename: teleport-node
  data_dir: /var/lib/teleport
  ca_pin: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  tokens: ["<your_secure_token>"]
  cluster_name: "<your_cluster_name>"
  authentication:
    oidc_connectors: []
ssh_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3022
  labels:
    env: "prod"
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  tunnel_listen_addr: 0.0.0.0:3024
  public_addr: "<your_domain>:3080"

Save and exit the text editor.

Step 4: Deploy Teleport
Use Docker Compose to deploy Teleport:



sudo docker-compose up -d

Teleport should now be running on your server.

Step 5: Access the Teleport Dashboard
Open your web browser and navigate to https://:3080. You'll be prompted to log in with the token specified in the configuration file.

Congratulations! You've successfully deployed Teleport on your Linux Ubuntu Server. This powerful tool provides secure access to your infrastructure, making it easier to manage and control user permissions.



sudo curl https://apt.releases.teleport.dev/gpg \
-o /usr/share/keyrings/teleport-archive-keyring.asc
source /etc/os-release
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v12" \
| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null

sudo apt-get update
sudo apt-get install teleport

Chatwoot Production deployment on Ubuntu

SyedAsadRazaDevops — Wed, 20 Sep 2023 12:11:29 +0000

https://computingforgeeks.com/install-chatwoot-on-ubuntu-with-lets-encrypt-ssl/?expand_article=1

Deploying a Multi-Video Call Project with Node.js WebRTC Signaling Server: using STUN TURN on Ubuntu Server

SyedAsadRazaDevops — Mon, 28 Aug 2023 09:53:19 +0000

Deploying a Multi-Party Video Call Project with Node.js WebRTC Signaling Server: Implementing STUN and TURN on Ubuntu Server

Introduction

WebRTC (Web Real-Time Communication) has revolutionized how we enable real-time peer-to-peer communication directly within web applications. In this guide, we'll walk through the process of deploying a multi-party video call project utilizing a Node.js WebRTC signaling server. We'll also explore the implementation of STUN and TURN servers to enhance connectivity in challenging network environments.

Step-by-Step Setup

1. Server Setup
Obtain an Ubuntu server, either from a cloud provider (like AWS, Azure, or DigitalOcean) or a local machine.

Install Node.js and npm (Node.js package manager) on the server using the following commands:



sudo apt update
sudo apt install nodejs npm

2. Project Setup: WebRTC Signaling Server
Clone your Node.js project repository onto the server using Git.



git clone https://github.com/aljanabim/simple_webrtc_signaling_server.git

Navigate to the project directory and install project dependencies using npm:



cd your-project-directory
npm install

Configure your server to run the signaling server using Nginx:



server {
    listen 80;
    server_name video-call.myweb.com;

    location / {
        proxy_pass http://localhost:3030;
        # Other proxy settings
    }

    add_header Permissions-Policy "geolocation 'self'; camera 'self'; speaker 'self';";
}

3. Run the Application
Use a process manager like PM2 to start and manage your Node.js application:



pm2 start app.js

Peers interact with a signaling server to share the handshakes and start a direct peer-to-peer transmission.

4. Implementing STUN and TURN Servers
Set up your own or use public STUN and TURN servers for network traversal and media relaying.

That's the point when we need a STUN server. It allows to detect peers public network addresses and establish a peer-to-peer connection behind a NAT.

A way to solve this problem is to use a TURN server. It has a public address, so both peers can interact with TURN server even behind firewalls. So when no direct peer-to-peer connection available, TURN server transmits audio/video streams of both peers just like a common media server.

We will be using coturn, free open-source implementation of TURN and STUN Server, evolved from rfc5766-turn-server project with additional new advanced features.

Install and configure the coturn server for TURN:



sudo apt-get -y update
sudo apt-get upgrade
sudo apt-get install coturn
sudo systemctl stop coturn

Configure coturn's settings in /etc/turnserver.conf and start the service:



sudo nano /etc/default/coturn

and remove the # before TURNSERVER_ENABLED.
Let's work on etc/turnserver.conf

First, let's save the current configuration, in case we want to look through the structure later.



sudo  mv /etc/turnserver.conf /etc/turnserver.config.backup
# Now paste the following to /etc/turnserver.conf
sudo nano /etc/turnserver.config



# /etc/turnserver.conf
# STUN server port is 3478 for UDP and TCP, and 5349 for TLS.
# Allow connection on the UDP port 3478
listening-port=3478
# and 5349 for TLS (secure)
tls-listening-port=5349

# Require authentication
fingerprint
lt-cred-mech

# We will use the longterm authentication mechanism, but if
# you want to use the auth-secret mechanism, comment lt-cred-mech and 
# uncomment use-auth-secret
# Check: https://github.com/coturn/coturn/issues/180#issuecomment-364363272
#The static auth secret needs to be changed, in this tutorial
# we'll generate a token using OpenSSL
# use-auth-secret
# static-auth-secret=replace-this-secret
# ----
# If you decide to use use-auth-secret, After saving the changes, change the auth-secret using the following command:
# sed -i "s/replace-this-secret/$(openssl rand -hex 32)/" /etc/turnserver.conf
# This will replace the replace-this-secret text on the file with the generated token using openssl. 

# Specify the server name and the realm that will be used
# if is your first time configuring, just use the domain as name
server-name=myweb.com
realm=myweb.com

# Important: 
# Create a test user if you want
# You can remove this user after testing
user=admin:mypassword

total-quota=100
stale-nonce=600

# Path to the SSL certificate and private key. In this example we will use
# the letsencrypt generated certificate files.
cert=/etc/letsencrypt/live/stun.myweb.com/cert.pem
pkey=/etc/letsencrypt/live/stun.myweb.com/privkey.pem

# Specify the allowed OpenSSL cipher list for TLS/DTLS connections
cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"

# Specify the process user and group
proc-user=turnserver
proc-group=turnserver

Remember to Enable port 3478 and 5349 for TCP and UDP incoming connection.



sudo nano /etc/turnserver.conf
sudo systemctl start coturn

5. Web Server Setup
Choose a web server Nginx to serve your Node.js application.
Configure SSL certificates for secure connections (use Let's Encrypt for automatic SSL certificate generation).

We need SSL certificate to configure out TURN server, so let's generate the SSL certificate using Let's Encrypt.



sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d stun-call.myweb.com -d turn-call.myweb.com



server {
    listen 443 ssl;
    server_name stun.myweb.com;

    ssl_certificate /etc/letsencrypt/live/stun.myweb.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stun.myweb.com/privkey.pem;

    # Add other SSL settings here if needed

    location / {
        # Your existing configuration for handling requests
    }
}

6. Testing STUN and TURN Servers
Use the Trickle ICE tool to test your STUN and TURN servers.
Ensure that STUN server works with candidates of type "srflx" and TURN server with candidates of type "relay".

https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/

Conclusion
Deploying a multi-party video call project with a Node.js WebRTC signaling server is a powerful way to enable real-time communication within web applications. By implementing STUN and TURN servers, you enhance connectivity even in challenging network environments. Remember to allocate sufficient resources for TURN servers due to their higher processing and bandwidth requirements.

WebRTC continues to transform the way we communicate online, and with these steps, you're well on your way to creating seamless and robust real-time communication experiences.

https://tech.bloggernepal.com/2021/05/setup-stun-and-turn-server-on-ubuntu.html

How To Deploy Jitsi Meet(video conference) on Ubuntu

SyedAsadRazaDevops — Sun, 02 Apr 2023 10:20:06 +0000

Jitsi Meet is an open source video-conferencing application based on WebRTC.

A Jitsi Meet server provides multi-person video conference rooms that you can access using nothing more than your browser and provides comparable functionality to a Zoom or Skype conference call.

Step 1 — System Hostname

sudo hostnamectl set-hostname jitsi.my_domain.com

Check that this was successful by running the following:

hostname

Next, you will set a local mapping of the server’s hostname.

nano /etc/hosts

add this line

127.0.0.1 <jitsi.my_domain.com>

Step 2 — (Before Install) Must Configure Prosody XMPP Server

ERROR: I got an error in the jitsi-meet install.
Jitsi-meet : Depends: jitsi-meet-prosody (= 1.0.6776-1) but 1.0.6644-1 is to be installed

Solution: Add the Prosody package repository

To install the latest version, add the Prosody repository with the following command:

echo 'deb https://packages.prosody.im/debian focal main' | sudo tee /etc/apt/sources.list.d/prosody.list

Now, run the following command to download and import the Prosody public key.

wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add -

Next, update the local package index. Then, install

sudo apt update
sudo apt install prosody
sudo apt install libunbound-dev liblua5.3-dev
luarocks install luaunbound
systemctl status prosody

Step 3 — Install Jitsi

First, download the Jitsi GPG key with the wget downloading utility:

wget https://download.jitsi.org/jitsi-key.gpg.key

Next, add the GPG key you downloaded to apt’s keyring using the apt-key utility:

sudo apt-key add jitsi-key.gpg.key

Now, you will add the Jitsi repository to your server by creating a new sources file that contains the Jitsi repository. Open and create the new file:
sudo nano /etc/apt/sources.list.d/jitsi-stable.list. Add this line to the file for the Jitsi repository:

deb https://download.jitsi.org stable/

then install the jitsi-meet package:

sudo apt update
sudo apt install jitsi-meet

During the installation of jitsi-meet you will be prompted to enter the domain name.

after that select let's Encrypt SSL. (et's Encrypt is a non-profit certificate authority) or select no if you don't need to jitsi-web-cloud in next option.

Your Jitsi Meet server is now set up

How to force nginx webserver to reload client's browser for new release ?

SyedAsadRazaDevops — Thu, 16 Feb 2023 09:02:41 +0000

During a server migration a new nginx configuration was missing cache conrol directives. Hence, we ended up with a cached index.html which is very bad for our SPA that is not refreshed anymore if we deploy new code. We need the index.html to not be cached.

To configure Nginx to not reload a website from the cache when a client user hits the website, you can use the proxy_cache_bypass directive.

server {
    root /var/www/public_html/react/build;
    index index.html index.htm index.nginx-debian.html;
    server_name myapp.com www.myapp.com;

 location / {
        try_files $uri  /index.html;

    proxy_cache my_cache;
    proxy_cache_bypass $http_pragma;
    proxy_cache_revalidate on;
    proxy_cache_min_uses 3;
    proxy_cache_valid 200 60m;
    proxy_cache_valid 404 1m;
    proxy_cache_valid any 0;

    add_header Cache-Control "no-store, no-cache, must-revalidate";
    add_header Cache-Control "max-age=31536000, public";
    }

Using Google Cloud Platform for DevOps: Tools and Services for Improved Software Delivery

SyedAsadRazaDevops — Thu, 12 Jan 2023 13:24:47 +0000

Google Cloud Platform (GCP) is a cloud computing service offered by Google that provides a variety of tools and services for software development, including those for devops.

DevOps is a practice that aims to improve the collaboration and communication between development and operations teams in order to increase the speed and quality of software delivery. GCP offers a number of tools and services that can be used to support devops practices, including:

Containerization:

GCP provides Kubernetes Engine, a managed service for running containerized applications. This allows developers to easily deploy and manage their applications in a consistent and portable way, which can help to reduce the complexity of operations.

Continuous Integration and Continuous Deployment (CI/CD):

GCP offers Cloud Build, a fully-managed service for building, testing, and deploying code. This service can be integrated with other GCP services, such as GitHub, to automate the process of building, testing, and deploying code.

Monitoring and logging:

GCP provides Stackdriver, a service for monitoring and logging the performance and health of applications. This service can be used to track the performance of applications and identify and troubleshoot issues.

Infrastructure as Code:

GCP provides Terraform and Cloud Deployment Manager, that allows to manage and provision resources through code, this provides a way to automate the provisioning and management of GCP resources, which can help to reduce the time and effort required to set up and maintain infrastructure.

In addition to these services, GCP also provides a variety of other tools and services that can be used to support devops practices, such as load balancing, auto-scaling, and error reporting. With the help of GCP, devops teams can more easily and efficiently manage the deployment and maintenance of software applications.

In summary, GCP offers a variety of tools and services that can be used to support devops practices, including containerization, CI/CD, monitoring and logging, and infrastructure as code. These tools and services can help to increase the speed and quality of software delivery, and make it easier for devops teams to manage the deployment and maintenance of software applications.