Sunday, December 27, 2020

Stackdriver-agent with openSUSE Leap 15.2 in GCP: installation notes



OS: openSUSE Leap 15.2 in GCP


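Today I am going to try installing the stackdriver agent on openSUSE Leap 15.2 in GCP.


First, let's talk about why stackdriver-agent needs to be installed inside the OS on GCP.


By default, GCP already provides some monitoring metrics for an OS running in GCP



  • For example CPU usage / network status / disk IOPS


However, to monitor Memory Utilization / Disk Space Utilization, Stackdriver-agent has to be installed.

The official page for installing the agent is as follows


However, stackdriver-agent currently provides its install script only for the supported OSes, and unfortunately openSUSE Leap is not listed, so I tried adapting the SLES approach so that openSUSE Leap 15.2 in GCP can also show this information.


So the following is a personal experiment; I take no responsibility for any impact.


Create an openSUSE Leap 15.2 GCE instance in GCP




SSH into the GCE instance to install

Switch to root for the work (personal habit)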


> sudo  su  -


Download the GCP add agent script to the current directory

# curl  -sSO  https://dl.google.com/cloudagents/add-monitoring-agent-repo.sh


Check the result

# ls

.bash_history  .gnupg  .ssh  add-monitoring-agent-repo.sh  bin


Look at the script content


# egrep  -v  '^#|^$'  add-monitoring-agent-repo.sh 


REPO_HOST='packages.cloud.google.com'
MONITORING_AGENT_DOCS_URL="https://cloud.google.com/monitoring/agent"
MONITORING_AGENT_SUPPORTED_URL="${MONITORING_AGENT_DOCS_URL}/#supported_operating_systems"
[[ -z "${REPO_SUFFIX-}" ]] && REPO_SUFFIX='all'
if [[ -f /etc/os-release ]]; then
  . /etc/os-release
fi
handle_debian() {
  lsb_release -v >/dev/null 2>&1 || { \
    apt-get update; apt-get -y install lsb-release; \
  }
  apt-get update; apt-get -y install apt-transport-https ca-certificates
  local CODENAME="$(lsb_release -sc)"
  local REPO_NAME="google-cloud-monitoring-${CODENAME}${REPO_SUFFIX+-${REPO_SUFFIX}}"
  cat > /etc/apt/sources.list.d/google-cloud-monitoring.list <<EOM
deb https://${REPO_HOST}/apt ${REPO_NAME} main
EOM
  curl --connect-timeout 5 -s -f "https://${REPO_HOST}/apt/doc/apt-key.gpg" | apt-key add -
}
handle_rpm() {
  lsb_release -v >/dev/null 2>&1 || yum -y install redhat-lsb-core
  local REPO_NAME="google-cloud-monitoring-${1}-\$basearch${REPO_SUFFIX+-${REPO_SUFFIX}}"
  cat > /etc/yum.repos.d/google-cloud-monitoring.repo <<EOM
[google-cloud-monitoring]
name=Google Cloud Monitoring Agent Repository
baseurl=https://${REPO_HOST}/yum/repos/${REPO_NAME}
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://${REPO_HOST}/yum/doc/yum-key.gpg
       https://${REPO_HOST}/yum/doc/rpm-package-key.gpg
EOM
}
handle_redhat() {
  local VERSION_PRINTER='import platform; print(platform.dist()[1].split(".")[0])'
  local MAJOR_VERSION="$(python2 -c "${VERSION_PRINTER}")"
  handle_rpm "el${MAJOR_VERSION}"
}
handle_amazon_linux() {
  handle_rpm "amzn"
}
handle_suse() {
  SUSE_VERSION=${VERSION%%-*}
  local REPO_NAME="google-cloud-monitoring-sles${SUSE_VERSION}-\$basearch${REPO_SUFFIX+-${REPO_SUFFIX}}"
  zypper --non-interactive refresh || { \
    echo "Could not refresh zypper repositories."; \
    echo "This is not necessarily a fatal error; proceeding..."; \
  }
  cat > /etc/zypp/repos.d/google-cloud-monitoring.repo <<EOM
[google-cloud-monitoring]
name=Google Cloud Monitoring Agent Repository
baseurl=https://${REPO_HOST}/yum/repos/${REPO_NAME}
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://${REPO_HOST}/yum/doc/yum-key.gpg
       https://${REPO_HOST}/yum/doc/rpm-package-key.gpg
EOM
  zypper --non-interactive --gpg-auto-import-keys refresh google-cloud-monitoring || \
    exit $?
}
case "${ID:-}" in
  amzn)
    echo 'Adding agent repository for Amazon Linux.'
    handle_amazon_linux
    ;;
  debian|ubuntu)
    echo 'Adding agent repository for Debian or Ubuntu.'
    handle_debian
    ;;
  rhel|centos)
    echo 'Adding agent repository for RHEL or CentOS.'
    handle_redhat
    ;;
  sles)
    echo 'Adding agent repository for SLES.'
    handle_suse
    ;;
  *)
    # Fallback for systems lacking /etc/os-release.
    if [[ -f /etc/debian_version ]]; then
      echo 'Adding agent repository for Debian.'
      handle_debian
    elif [[ -f /etc/redhat-release ]]; then
      echo 'Adding agent repository for Red Hat.'
      handle_redhat
    elif [[ -f /etc/SuSE-release ]]; then
      echo 'Adding agent repository for SLES.'
      handle_suse
    else
      echo >&2 'Unidentifiable or unsupported platform.'
      echo >&2 "See ${MONITORING_AGENT_SUPPORTED_URL} for a list of supported platforms."
      exit 1
    fi
esac


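  • Here I only look at the suse handling, which basically creates /etc/zypp/repos.d/google-cloud-monitoring.repo, imports the gpg keys and runs a refresh


Following the approach above, create /etc/zypp/repos.d/google-cloud-monitoring.repo


Before doing so, check the gpg key information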
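
Why the `sles)` branch is not taken on Leap, as an added example (not part of the original post or of Google's script): the `case` matches `ID=sles`, while Leap reports `ID=opensuse-leap`, and `${VERSION%%-*}` would leave `15.2` on Leap rather than `15`. The helper name `sles_repo_name`, the two os-release samples and the x86_64 default are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: derive the SLES repo name from an os-release file.
# sles_repo_name and the sample files below are constructed for illustration.

# Print the repo name for a SUSE-family os-release file, or fail for other IDs.
sles_repo_name() {
  os_release_file=$1
  arch=${2:-x86_64}            # assumption: same arch as the repo used in this post
  (                            # subshell: sourced variables do not leak to the caller
    ID= VERSION= VERSION_ID=
    . "$os_release_file"       # path must contain a slash for POSIX '.'
    case "$ID" in
      sles)
        # Same expansion as handle_suse: "15-SP2" -> "15"
        major=${VERSION%%-*} ;;
      opensuse-leap)
        # Leap has VERSION="15.2"; cut VERSION_ID at the dot to get "15"
        major=${VERSION_ID%%.*} ;;
      *)
        echo "unsupported ID: ${ID:-unset}" >&2
        exit 1 ;;
    esac
    echo "google-cloud-monitoring-sles${major}-${arch}-all"
  )
}

# Write two constructed os-release samples and show the mapping for each.
demo_sles_repo_name() {
  dir=$(mktemp -d)
  printf 'NAME="SLES"\nVERSION="15-SP2"\nVERSION_ID="15.2"\nID="sles"\n' > "$dir/sles"
  printf 'NAME="openSUSE Leap"\nVERSION="15.2"\nVERSION_ID="15.2"\nID="opensuse-leap"\n' > "$dir/leap"
  for f in sles leap; do
    printf '%s -> %s\n' "$f" "$(sles_repo_name "$dir/$f")"
  done
  rm -rf "$dir"
}

demo_sles_repo_name
```

Both samples map to the same repo name that the hand-written repo file in this post points at.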

# rpm  -qa  gpg-pubkey*


gpg-pubkey-307e3d54-5aaa90a5

gpg-pubkey-3dbdc284-53674dd4

gpg-pubkey-39db7c82-5847eb1f


Create google-cloud-monitoring.repo

# vi  /etc/zypp/repos.d/google-cloud-monitoring.repo


With the following content

[google-cloud-monitoring-sles15-x86_64-all]
name=google-cloud-monitoring
enabled=1
autorefresh=1
baseurl=https://packages.cloud.google.com/yum/repos/google-cloud-monitoring-sles15-x86_64-all
type=rpm-md
keeppackages=0
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg


Import the gpgkeys listed above

# rpm  --import  https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg

# rpm  --import  https://packages.cloud.google.com/yum/doc/yum-key.gpg


  • This avoids the Signature verification failed for file 'repomd.xml' problem


Compare the gpg keys

# rpm  -qa  gpg-pubkey*


gpg-pubkey-3e1ba8d5-558ab6a8

gpg-pubkey-307e3d54-5aaa90a5

gpg-pubkey-3dbdc284-53674dd4

gpg-pubkey-a7317b0f-551deab2

gpg-pubkey-836f4beb-5fc97e5e

gpg-pubkey-39db7c82-5847eb1f

gpg-pubkey-ba07f4fb-5ac168db


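  • The keys highlighted in blue in the original post are the newly added ones, i.e. the four entries absent from the earlier listing: 3e1ba8d5, a7317b0f, 836f4beb and ba07f4fb



Run zypper refresh and import the gpg keys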
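
The before/after comparison done by eye above, as an added example (not part of the original post): it prints the `gpg-pubkey` entries that an import added to the rpm keyring, so each one can be reviewed before the repository is trusted. The function name `new_pubkeys` is hypothetical; `BEFORE` and `AFTER` are the two listings shown in this post.

```shell
#!/bin/sh
# Added example: list which gpg-pubkey entries an import added to the rpm keyring.
# BEFORE and AFTER are copied from the two `rpm -qa gpg-pubkey*` listings in this post.
BEFORE='gpg-pubkey-307e3d54-5aaa90a5
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-39db7c82-5847eb1f'

AFTER='gpg-pubkey-3e1ba8d5-558ab6a8
gpg-pubkey-307e3d54-5aaa90a5
gpg-pubkey-3dbdc284-53674dd4
gpg-pubkey-a7317b0f-551deab2
gpg-pubkey-836f4beb-5fc97e5e
gpg-pubkey-39db7c82-5847eb1f
gpg-pubkey-ba07f4fb-5ac168db'

# Print entries present in the second listing but not in the first, one per line.
new_pubkeys() {
  before_file=$(mktemp)
  after_file=$(mktemp)
  # Keep only key entries and sort both sides the same way so comm can compare them.
  printf '%s\n' "$1" | grep '^gpg-pubkey-' | LC_ALL=C sort -u > "$before_file"
  printf '%s\n' "$2" | grep '^gpg-pubkey-' | LC_ALL=C sort -u > "$after_file"
  LC_ALL=C comm -13 "$before_file" "$after_file"
  rm -f "$before_file" "$after_file"
}

# On a live system, capture the listings around the import instead:
#   BEFORE=$(rpm -qa 'gpg-pubkey*'); rpm --import <key URL>; AFTER=$(rpm -qa 'gpg-pubkey*')
# then show the owner and dates of each new key:
#   new_pubkeys "$BEFORE" "$AFTER" | while read -r k; do rpm -qi "$k"; done

new_pubkeys "$BEFORE" "$AFTER"
```

A key that should not stay in the keyring can be removed with `rpm -e` followed by its `gpg-pubkey-...` name.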


# zypper --gpg-auto-import-keys  refresh



Retrieving repository 'google-cloud-monitoring' metadata ..............................[done]

Building repository 'google-cloud-monitoring' cache ...................................[done]

Retrieving repository 'Debug Repository' metadata .....................................[done]

Building repository 'Debug Repository' cache ..........................................[done]

Retrieving repository 'Update Repository (Debug)' metadata ............................[done]

Building repository 'Update Repository (Debug)' cache .................................[done]

Retrieving repository 'Non-OSS Repository' metadata ...................................[done]

Building repository 'Non-OSS Repository' cache ........................................[done]

Retrieving repository 'Main Repository' metadata ......................................[done]

Building repository 'Main Repository' cache ...........................................[done]

Retrieving repository 'Source Repository' metadata ....................................[done]

Building repository 'Source Repository' cache .........................................[done]

Retrieving repository 'Main Update Repository' metadata ...............................[done]

Building repository 'Main Update Repository' cache ....................................[done]

Retrieving repository 'Update Repository (Non-Oss)' metadata ..........................[done]

Building repository 'Update Repository (Non-Oss)' cache ...............................[done]

All repositories have been refreshed.




Install the agent

# zypper  install  stackdriver-agent


Loading repository data...

Reading installed packages...

Resolving package dependencies...


The following 2 NEW packages are going to be installed:

  insserv-compat stackdriver-agent


2 new packages to install.

Overall download size: 1.2 MiB. Already cached: 0 B. After the operation, additional 5.2 MiB

will be used.

Continue? [y/n/v/...? shows all options] (y): y

Retrieving package insserv-compat-0.1-lp152.5.1.noarch  (1/2),  14.9 KiB (  8.5 KiB unpacked)

Retrieving: insserv-compat-0.1-lp152.5.1.noarch.rpm .....................[done (259.7 KiB/s)]

Retrieving package stackdriver-agent-6.1.0-1.sles15.x86_64

                                                        (2/2),   1.2 MiB (  5.2 MiB unpacked)

Retrieving: cde909b8d24e2beabdbd489e42e5bd65c64c14e09b710c56852736aecd3bf3a7-stackdrive[done]


Checking for file conflicts: ..........................................................[done]

(1/2) Installing: insserv-compat-0.1-lp152.5.1.noarch .................................[done]

(2/2) Installing: stackdriver-agent-6.1.0-1.sles15.x86_64 .............................[done]

Additional rpm output:


Note: This output shows SysV services only and does not include native

systemd services. SysV configuration data might be overridden by native

systemd configuration.


If you want to list systemd services use 'systemctl list-unit-files'.

To see services enabled on particular target use

'systemctl list-dependencies [target]'.


stackdriver-agent         0:off  1:off  2:on   3:on   4:on   5:on   6:off



Check the service status

# systemctl status stackdriver-agent


● stackdriver-agent.service - LSB: start and stop Stackdriver Agent

   Loaded: loaded (/etc/init.d/stackdriver-agent; generated; vendor preset: disabled)

   Active: inactive (dead)



Restart the service

# systemctl  restart  stackdriver-agent


Check the service status

# systemctl  status  stackdriver-agent


● stackdriver-agent.service - LSB: start and stop Stackdriver Agent

   Loaded: loaded (/etc/init.d/stackdriver-agent; generated; vendor preset: disabled)

   Active: active (running) since Sun 2020-12-27 13:59:30 UTC; 32s ago


Check whether the service will start after a reboot


# systemctl  is-enabled stackdriver-agent


stackdriver-agent.service is not a native service, redirecting to systemd-sysv-install.

Executing: /usr/lib/systemd/systemd-sysv-install is-enabled stackdriver-agent

enabled


Go back to GCP and check the information



  • At this point Memory Utilization / Disk Space Utilization show data


Done

~ enjoy it




Sunday, December 06, 2020

Obtaining a Let’s Encrypt certificate with certbot on openSUSE in Azure: notes, part 2



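The last time I wrote about using certbot to obtain a Let’s Encrypt certificate was 2020/9/15.

Certificates are generally issued for 90 days, so recently I received the Let's Encrypt certificate expiration notice for domain notification email.


Today's note is about how to obtain the certificate manually.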


OS: openSUSE Leap 15.2 in Azure

DNS provider: gandi.net


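First, you will see that the official Let’s Encrypt page has changed how the package is delivered: it is now packaged as a snap.


==== Verify whether the existing certbot method can still obtain a certificate ====


Before using the snap method, first verify whether the old certbot command can still obtain a Let’s Encrypt certificate


See the previous article for reference



Install with the zypper command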

# zypper  install  python3-certbot


# certbot  certonly  --manual  --preferred-challenges=dns  -d   ines.tw



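Verified: the certificate can still be obtained this way




==== Install via snap and verify whether a certificate can be obtained ====


Interim conclusion: snapd currently has an AppArmor problem, so for now I still use python3-certbot


Use the zypper command to add the repo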

# zypper  addrepo  --refresh https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_15.2  snappy


Adding repository 'snappy' .............................................................................................[done]

Repository 'snappy' successfully added


URI         : https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_15.2

Enabled     : Yes

GPG Check   : Yes

Autorefresh : Yes

Priority    : 99 (default priority)


Repository priorities are without effect. All enabled repositories share the same priority.



Import the GPG Key

# zypper  --gpg-auto-import-keys  refresh


Retrieving repository 'Debug Repository' metadata ......................................................................[done]

Building repository 'Debug Repository' cache ...........................................................................[done]

Retrieving repository 'Update Repository (Debug)' metadata .............................................................[done]

Building repository 'Update Repository (Debug)' cache ..................................................................[done]

Retrieving repository 'Non-OSS Repository' metadata ....................................................................[done]

Building repository 'Non-OSS Repository' cache .........................................................................[done]

Retrieving repository 'Main Repository' metadata .......................................................................[done]

Building repository 'Main Repository' cache ............................................................................[done]

Retrieving repository 'Source Repository' metadata .....................................................................[done]

Building repository 'Source Repository' cache ..........................................................................[done]

Retrieving repository 'Main Update Repository' metadata ................................................................[done]

Building repository 'Main Update Repository' cache .....................................................................[done]

Retrieving repository 'Update Repository (Non-Oss)' metadata ...........................................................[done]

Building repository 'Update Repository (Non-Oss)' cache ................................................................[done]

Retrieving repository 'snappy' metadata -----------------------------------------------------------------------------------[-]


Automatically importing the following key:


  Repository:       snappy

  Key Name:         system:snappy OBS Project <system:snappy@build.opensuse.org>

  Key Fingerprint:  4F2FA05B 2C6589C3 FD12055E F7C6E425 ED340235

  Key Created:      Sat Oct 31 16:59:39 2020

  Key Expires:      Mon Jan  9 16:59:39 2023

  Rpm Name:         gpg-pubkey-ed340235-5f9d97fb



Retrieving repository 'snappy' metadata ................................................................................[done]

Building repository 'snappy' cache .....................................................................................[done]

All repositories have been refreshed.


Upgrade package cache

# zypper  dup  --from  snappy


Loading repository data...

Reading installed packages...

Computing distribution upgrade...


Nothing to do.


Install snapd


# zypper  install  snapd


Loading repository data...

Reading installed packages...

Resolving package dependencies...


The following 3 NEW packages are going to be installed:

  snapd squashfs system-user-daemon


3 new packages to install.

Overall download size: 15.0 MiB. Already cached: 0 B. After the operation, additional 68.0 MiB will be used.

Continue? [y/n/v/...? shows all options] (y):  Y


After installation, although the official documentation says: You then need to either reboot, logout/login or source /etc/profile to have /snap/bin added to PATH.


But in my tests, # source  /etc/profile  does not necessarily add /snap/bin to $PATH; logging out and back in is safer


# systemctl  enable --now  snapd


  • This trick is nice: it starts snapd and enables it at boot in one step; previously I always ran these as two separate commands



# snap  install  core


error: cannot perform the following tasks:

- Setup snap "core" (10444) security profiles (cannot setup profiles for snap "core": cannot create host snap-confine apparmor configuration: cannot reload snap-confine apparmor profile: cannot load apparmor profiles: exit status 1

apparmor_parser output:

AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.core.10444 in /var/lib/snapd/apparmor/profiles/snap-confine.core.10444 at line 2: Could not open 'tunables/global'


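  • Installation failed; there is a problem with AppArmor


The official documentation mentions that Tumbleweed needs an extra snapd.apparmor setup


  • On openSUSE Leap 15.2 that command cannot find the service, and snapd is not the primary approach on openSUSE, so I am giving up on it for now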


===================


For now I will keep using the python3-certbot approach, unless someday certificates can only be obtained via snapd, in which case I will reconsider :)


~ enjoy it


