Uly.me

cloud engineer

Archives for October 2020

GCP SSL Certificates

Here’s how to create a regional SSL Certificate.

gcloud compute ssl-certificates create my-ssl-cert \
--description "describe ssl certificate" \
--domains=domain1.com,domain2.com \
--certificate=cert.pem \
--private-key=private.key \
--region=us-central1

List the SSL certificates.

gcloud compute ssl-certificates list --project=project-id

Describe the SSL certificate.

gcloud compute ssl-certificates describe my-ssl-cert \
--region=us-central1 \
--project=project-id

Delete SSL certificate.

gcloud compute ssl-certificates delete my-ssl-cert \
--region=us-central1 \
--project=project-id

Check If Domain Joined

Here’s the command to check if instance is domain joined.

realm discover domain.com

To check if AD user is working.

id user@ad.example.com

To check if AD group is working.

getent group ad-group

SCP with a Key

SCP is a secure copy utility in Linux. You’ll need access to your system. In this example, a pem key is used to authenticate to a host. SCP copies filename.ext to the home directory of ec2-user. It’s important to add the target directory, otherwise it will not work.

Here’s how to use SCP with a key from local to server.

scp -i key.pem filename.ext user@server:/home/user

From server to local. Run the command from local machine.

scp user@server:/home/user/file.txt /local/directory

AWS S3 Make Object Public

Copy object or file to S3 bucket.

aws s3 cp filename.ext s3://bucketname/ --profile your-profile

To make it publicly available, run this command.

aws s3api put-object-acl \
--bucket bucket-name \
--key filename.ext \
--acl public-read \
--profile your-profile

OpenSSL Upgrade

Here’s how to upgrade to OpenSSL 1.1 on Redhat/Centos.

# check
openssl version
yum info openssl
# download and install
cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
tar -zxf openssl-1.0.2-latest.tar.gz
# compile
cd openssl-1.0.2a
./config
make
make test
make install
# update softlink
mv /usr/bin/openssl /root/
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
# verify new version
openssl version

SSH Script

Here’s my custom ssh script named login.sh using multiple arguments. 

#!/bin/bash
if [ $# -eq 0 ]
  then
    echo 'no server supplied'
        exit 1
fi
INPUT=$2
case "$INPUT" in
  abc)
    ssh user1@$1
    ;;
  def)
    ssh user2@$1
    ;;
  *)
    ssh user3@$1
    ;;
esac

How to use with expected outputs.

./login.sh
no server supplied
./login.sh server3 abc
ssh user1@server3
./login.sh server2 def
ssh user2@server2
./login.sh server1
ssh user3@server1

AWS Enable Enhance Network Support

When changing machine types, you may be asked to enable the latest ENA driver for Enhanced Network Support on an Amazon EC2 instance. There are several instructions depending on the Linux OS flavor. Here are the instructions to enable. In some cases, you may need to rebuild the kernel module. To verify that the ena module is installed, use the modinfo command as shown in the following example.

modinfo ena

You also may have to enable the enhanced networking attribute on the instance.

aws ec2 modify-instance-attribute --instance-id instance_id --ena-support

EFS Infrequent Access

Just like in S3, you can have to up to 92% in savings if you use Infrequent Access or IA with AWS EFS (Elastic File Storage). You can create a lifecycle policy to move data from standard storage to infrequent access. Files that are not being used after x number of days are then moved to Infrequent Access. The downside is, the data in IA do not count towards gaining burst credits. You will need to keep a certain amount of standard storage to prevent depleting your burst credits.

aws efs put-lifecycle-configuration \
--file-system-id fs-xxxxxxxx \
--lifecycle-policies TransitionToIA=AFTER_30_DAYS \
--region us-east-1