Категории: Все - containers - authentication

по Mike Ton 7 лет назад

989

MicroServices

JSON Web Tokens (JWT) are a compact and self-contained way for securely transmitting information between parties as a JSON object. They are used mainly for authentication and information exchange, and they incorporate a signature to verify the integrity of the data.

MicroServices

MicroServices

MachineLearning

What is

apt-get
ssh

JWT

JSON Web Tokens
https://jwt.io

Encoded

VERIFY SIGNATURE

HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), ) secret base64 encoded

RhS5_R99IA0u_UffKr8xDh05Ob9Lb-kOBlmOWlspcc0

PAYLOAD:DATA

{ "sub": "1234567890", "name": "JWT made easy", "admin": true }

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpXVCBtYWRlIGVhc3kiLCJhZG1pbiI6dHJ1ZX0.

HEADER:ALGORITHM & TOKEN TYPE

{ "alg": "HS256", "typ": "JWT" }

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpXVCBtYWRlIGVhc3kiLCJhZG1pbiI6dHJ1ZX0.RhS5_R99IA0u_UffKr8xDh05Ob9Lb-kOBlmOWlspcc0

(uses)

Information Exchange

Authentication

Building Containers

Kubernetes
Pods Intro

Logical Application

(Pod)

nginx

// One or more containers.

// Shared namespace

// One IP per pod

// That have dependencies with each other

What is Kubernetes

(intro)

http://kubernetes.io/docs/user-guide/kubectl-cheatsheet/

// Kubernetes cheat sheet

kubectl get services

// List services

kubectl expose deployment nginx --port 80 --type LoadBalancer

// Expose nginx

kubectl get pods

// Get pods

kubectl run nginx --image=nginx:1.10.0

// Launch a single instance:

(setup)

Provision a Kubernetes Cluster with GKE using gcloud

gcloud container clusters create k0

Use project directory

cd craft/kubernetes

cd $GOPATH/src/github/com/udacity/ud615/craft/kubernetes

??? where is craft ???

pets vs. cattle

pods = anonymous instance (cattle)

vm/instance = single instance (pet)

diagram

(desktop)

(OSX)

(shell2)

docker run -e DISPLAY=192.168.59.3:0 jess/geary

# in another window

(shell1)

socat TCP-LISTEN:6000,reuseaddr,fork UNIX-CLIENT:\"$DISPLAY\"

open -a XQuartz

brew cask install xquartz

brew install socat

https://github.com/docker/docker/issues/8710

Creating Your Own Images

Public Vs Private Registries

Push Images

Create account on Dockerhub

Repeat for all images you created - monolith, auth and hello!

Login and use the docker push command

sudo docker push udacity/example-monolith:1.0.0

sudo docker login

https://hub.docker.com/register/

Add your own tag

For example (you can rename too!)

sudo docker tag monolith:1.0.0 udacity/example-monolith:1.0.0

sudo docker tag monolith:1.0.0 /monolith:1.0.0

Docker tag command help

docker tag -h

See all images

(products)

Comparison Of 4 Registries

A write up comparing some of the different registries: http://rancher.com/comparing-four-hosted-docker-registries/

Google Cloud Registry

Finally, Google Cloud Registry (GCR) is a strong options for large enterprises. https://cloud.google.com/container-registry/docs/

Quay

Quay is another popular registry because of it’s rich automated workflow for building containers from github. https://quay.io/

Docker Hub

Docker Hub is the registry we’re using in this class. Go ahead and sign up for docker hub and create a repository so that you can follow along with the remaining lessons: https://hub.docker.com/

Commands To Run on the VM Instance

See the running containers

sudo docker ps -a

(Hello)

Build the hello app

CID3=$(sudo docker run -d hello:1.0.0)

sudo docker build -t hello:1.0.0 .

cd hello

(Auth)

Build the auth app

CID2=$(sudo docker run -d auth:1.0.0)

sudo docker build -t auth:1.0.0 .

cd auth

(MonoLith)

Test the container

curl $CIP

curl

Run the monolith container and get it's IP

(or???)

CIP=$(sudo docker inspect --format '{{ .NetworkSettings.IPAddress }}' ${CID})

CID=$(sudo docker run -d monolith:1.0.0)

sudo docker inspect

sudo docker run -d monolith:1.0.0

// -d : dry run?

// Nope -d = detached. Instance doesn't take over your shell

Create a container for the app

sudo docker images monolith:1.0.0

// List the monolith image

sudo docker build -t monolith:1.0.0 .

// Build the app container

cat monolith/Dockerfile

// Look at the Dockerfile

Build a static binary of the monolith app

go build --tags netgo --ldflags '-extldflags "-lm -lstdc++ -static"'

// Why did you have to build the binary with such an ugly command line?

// You have to explicitly make the binary static. This is really important in the Docker community right now because alpine has a different implementation of libc. So your go binary wouldn't of had the lib it needed if it wasn't static. You created a static binary so that your application could be self-contained.

go get -u

cd ud615/app/monolith

Get the app code

git clone https://github.com/udacity/ud615.git

cd $GOPATH/src/github.com/udacity

mkdir -p $GOPATH/src/github.com/udacity

Install Go

export GOPATH=~/go

export PATH=$PATH:/usr/local/go/bin

// "export" makes the change visible to new programs launched by bash

sudo tar -C /usr/local -xzf go1.6.2.linux-amd64.tar.gz

rm -rf /usr/local/bin/go

wget https://storage.googleapis.com/golang/go1.6.2.linux-amd64.tar.gz

Dockerfiles

ENTRYPOINT

["hello"]

// app to execute

ADD

hello

/usr/bin/hello

// Add files from our machine to location in container

MAINTAINER

Mike Ton

MikeTonEmail@gmail.com

FROM

alpine:3.1

// Which base to build Docker from

// Contains step by step instructions for creating Docker Images

Talking To docker images

// Remove the docker containers from the system

// or

sudo docker rm $(sudo docker ps -aq)

sudo docker rm

// Verify no more instances running

// Stop an instance

sudo docker stop

// Connect to the nginx using the internal IP

curl http://172.18.0.2

// Inspect the container

sudo docker inspect sharp_bartik

sudo docker inspect f86cf066c304

// List all running container processes

sudo docker ps -aq

// For use in shell scripts you might want to just get a list of container IDs (-a stands for all instances, not just running, and -q is for "quiet" - show just the numeric ID):

Running Images with Docker

// Check how many instances are running

sudo ps aux | grep nginx

// Run another version of nginx

sudo docker run -d nginx:1.9.3

// Run a different version of nginx

sudo docker ps

// Check if it's up

sudo docker run -d nginx:1.10.0

// Run the first instance

Verify the versions match

// If your version of nginx from native package and Docker are different, you need to update the VM instance:

sudo dpkg -l | grep nginx

Pull nginx image

sudo docker pull nginx:1.10.0

Check Docker images

sudo docker images

Install Docker

sudo apt-get install docker.io

Containers
NameSpace Isolation

// Their own port???

Independent Packages
// Containers are similar to virtual machines, but much more lightweight
Installing Apps With Native OS Tools
PROBLEM! How to install 2 versions?

Modify nginx.conf

Need to specify a different port; 2 instances can't bind to the same port

Most OS allow one

(check that it's running)

curl http://127.0.0.1

sudo systemctl status nginx

(VM instance)

start nginx

sudo systemctl start nginx

update packages and install nginx

nginx -v

sudo apt-get install nginx

sudo apt-get update

(Cloud shell)

log into the VM instance

gcloud compute ssh ubuntu

launch a new VM instance

gcloud compute instances create ubuntu \ --image-project ubuntu-os-cloud \ --image ubuntu-1604-xenial-v20160420c

set compute/zone

gcloud config set compute/zone

gcloud compute zones list

// Note - Google Cloud shell is an ephemeral instance and will reset if you don't use it for more than 30 minutes. That is why you might have to set some configuration values again

Google Cloud Engine

12 Factor App

Background
The contributors to this document have been directly involved in the development and deployment of hundreds of apps, and indirectly witnessed the development, operation, and scaling of hundreds of thousands of apps via our work on the Heroku platform.

This document synthesizes all of our experience and observations on a wide variety of software-as-a-service apps in the wild. It is a triangulation on ideal practices for app development, paying particular attention to the dynamics of the organic growth of an app over time, the dynamics of collaboration between developers working on the app’s codebase, and avoiding the cost of software erosion.

Our motivation is to raise awareness of some systemic problems we’ve seen in modern application development, to provide a shared vocabulary for discussing those problems, and to offer a set of broad conceptual solutions to those problems with accompanying terminology. The format is inspired by Martin Fowler’s books Patterns of Enterprise Application Architecture and Refactoring.

https://12factor.net

12 FACTORS

XII. Admin processes

Run admin/management tasks as one-off processes

XI. Logs

Treat logs as event streams

X. Dev/prod parity

Keep development, staging, and production as similar as possible

IX. Disposability

Maximize robustness with fast startup and graceful shutdown

VIII. Concurrency

Scale out via the process model

VII. Port binding

Export services via port binding

VI. Processes

Execute the app as one or more stateless processes

V. Build, release, run

Strictly separate build and run stages

IV. Backing services

Treat backing services as attached resources

III. Config

Store config in the environment

II. Dependencies

Explicitly declare and isolate dependencies

I. Codebase

One codebase tracked in revision control, many deploys

(Intro)

The twelve-factor methodology can be applied to apps written in any programming language, and which use any combination of backing services (database, queue, memory cache, etc).

In the modern era, software is commonly delivered as a service: called web apps, or software-as-a-service. The twelve-factor app is a methodology for building software-as-a-service apps that:

And can scale up without significant changes to tooling, architecture, or development practices.

Minimize divergence between development and production, enabling continuous deployment for maximum agility;

Are suitable for deployment on modern cloud platforms, obviating the need for servers and systems administration;

Have a clean contract with the underlying operating system, offering maximum portability between execution environments;

Use declarative formats for setup automation, to minimize time and cost for new developers joining the project;

Tutorial
Container (Docker)

// Clean up

gcloud container clusters delete example-cluster

// list

gcloud container clusters list

// Run a container image

http://EXTERNAL-IP:8080

// View the app (replace EXTERNAL-IP with the external IP address you obtained in the previous step).

kubectl get service hello-node

// Copy the external IP address for the hello-node app

kubectl expose deployment hello-node --type="LoadBalancer"

// Expose the container. Note that the type="LoadBalancer option in kubectl requests that Google Cloud Platform provision a load balancer for your container.

kubectl run hello-node --image=gcr.io/google-samples/node-hello:1.0 --port=8080

// Run the container

gcloud container clusters create example-cluster

// Create a cluster (this step can take a few minutes to complete).

// Set gcloud defaults

gcloud config list

// To view your gcloud defaults at any time

gcloud config set compute/zone us-central1-b

CloudShell
(udacity)

app

MSA

(shell 3)

(interact with the auth and hello micro services)

curl -H "Authorization: Bearer $TOKEN" http://127.0.0.1:10082/secure

TOKEN=$(curl 127.0.0.1:10090/login -u user | jq -r '.token')

(auth service)

sudo ./bin/auth -http :10090 -health :10091

go build -o ./bin/auth ./auth

(hello service)

sudo ./bin/hello -http 0.0.0.0:10082

go build -o ./bin/hello ./hello

monolith

(shell 2)

(check out dependencies)

cat vendor/vendor.json

ls vendor/

//ls /vendor

(access the secure endpoint using the JWT)

curl -H "Authorization: Bearer $TOKEN" http://127.0.0.1:10081/secure

(login and assign the value of the JWT to a variable)

TOKEN=$(curl http://127.0.0.1:10081/login -u user | jq -r '.token')

// echo $TOKEN

(authenticate (password is password):)

curl http://127.0.0.1:10081/login -u user

// You can copy and paste the long token in to the next command manually, but copying long, wrapped lines in cloud shell is broken. To work around this, you can either copy the JWT token in pieces, or - more easily - by assigning the token to a shell variable as follows

// It prints out the token.

{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJleHAiOjE0NzM5MDQyNTQsImlhdCI6MTQ3MzY0NTA1NCwiaXNzIjoiYXV0aC5zZXJ2aWNlIiwic3ViIjoidXNlciJ9.GAVtMr NeAYr2dqiYwF8ai0rqd-CIvZpuuOJPHAZYbDM"}

(test)

curl http://127.0.0.1:10081/secure

// Will fail. Need to authenticate

curl http://127.0.0.1:10081

// {"message":"Hello"}

//curl http://127.0.0.1:10080

(shell 1)

(run)

sudo ./bin/monolith -http :10080 -http :10081

(build)

// Optional - if you run into errors building your go binaries, you probably need to install the dependencies first by running:

$ go get -u

go build -o ./bin/monolith ./monolith

mkdir bin

cd $GOPATH/src/github.com/udacity/ud615/app

(features)

https://cloud.google.com/shell/docs/features

Built-in authorization for access to Cloud Platform Console projects and resources

Web preview functionality

Language support for Java, Go, Python, Node.js, PHP and Ruby

Pre-installed Google Cloud SDK and other tools

(temp)

You can install additional software packages on the virtual machine instance but the installation will not persist after the instance terminates unless you install the software in your $HOME directory.

(persistant)

tmux support

Cloud Shell supports the default tmux key bindings. For example, if you press Ctrl+b and then %, tmux splits the current session window into left and right panes, which can be useful for debugging.

Cloud Shell uses tmux by default, which allows it to improve persistence across browser tab sessions. For example, if you refresh the Cloud Platform Console in a tab or connect to your Cloud Shell from a different machine, the session state will not be lost.

Authorization

Cloud Shell provides built-in authorization for access to projects and resources hosted on Google Cloud Platform. You don't need to perform additional authorization steps to access platform resource using the Cloud SDK gcloud command-line tool.

Web Preview

Cloud Shell provides web preview functionality that allows you to run web applications on the virtual machine instance and preview them from the Cloud Platform Console. The web applications must listen for HTTP requests on ports within the permitted range 8080 to 8084. These ports are only available to the secure Cloud Shell proxy service, which restricts access over HTTPS to your user account only.

Language support

PHP

Ruby

Python

Go

Node.js

v0.12.2 and v4.1.2 (use nvm to switch versions)

Java

You can ignore any error messages about not being able to change the versions of some binaries. The version change will persist until the Cloud Shell virtual machine instance is terminated. If you want to permanently switch to Java 1.7, add the first command above to your .bashrc file.

JRE/JDK 1.7 and 1.8

sudo update-java-alternatives -s java-1.7.0-openjdk-amd64

// To change back to 1.7.0

sudo update-java-alternatives -s java-1.8.0-openjdk-amd64

// change the current Cloud Shell session to use version 1.8 of the JRE and JDK,

Additional tools

gRPC compiler

MySQL client

iPython

Docker

Source control tools

Mercurial

Git

Build and package tools

(others)

pip

nvm

Maven

Make

npm

Gradle

Text editors

Nano

Vim

Emacs

Google SDKs and tools

gsutil for Cloud Storage

Google Cloud SDK including the gcloud command

Google App Engine SDK

Linux utilities

Standard Debian system utilities

Linux shell interpreters

sh

bash

5 GB of persistent disk storage

Persistent disk storage

Cloud Shell provisions 5 GB of free persistent disk storage mounted as your $HOME directory on the virtual machine instance. This storage is on a per-user basis and is available across projects. Unlike the instance itself, this storage does not time out on inactivity. All files you store in your home directory, including installed software, scripts and user configuration files like .bashrc and .vimrc, persist between sessions. Your $HOME directory is private to you and cannot be accessed by other users.

Note: If you do not access Cloud Shell regularly, the $HOME directory persistent storage may be recycled. You will receive an email notification before this occurs. Starting a Cloud Shell session will prevent its removal.

Command-line access to the instance from a web browser

Command-line access

Cloud Shell provides command-line access to the virtual machine instance in a terminal window that opens in the Google Cloud Platform Console. You can open multiple shell connections to the same instance. The instance persists between sessions.

A temporary Compute Engine virtual machine instance

Virtual machine instance

When you start Cloud Shell, it provisions an f1-micro Google Compute Engine virtual machine running a Debian-based Linux operating system. Cloud Shell instances are provisioned on a per-user, per-session basis. The instance persists while your Cloud Shell session is active and terminates after an hour of inactivity.

gcloud version

// displays a list of installed Cloud SDK components and their versions: