Forem: Ashish-Chorge

Step-by-step guide to configure SSH key-based authorization

Ashish-Chorge — Thu, 23 Jan 2025 10:38:55 +0000

1. Generate SSH Key Pair

Log in to the node1 machine .
Open the terminal and run:

ssh-keygen -t rsa -b 4096

-t rsa: Specifies the RSA algorithm.

-b 4096: Key size (4096 bits).

You will be prompted:

Enter file to save the key: Press Enter to save it in the default location (~/.ssh/id_rsa), or specify a custom location.

Enter passphrase: (Optional) Add a passphrase for extra security, or press Enter for no passphrase.

This will create two files:

Private key: ~/.ssh/id_rsa (keep this secure and private).

Public key: ~/.ssh/id_rsa.pub (used for authorization).

2. Copy Public Key to the Server

Use ssh-copy-id to copy the public key to the server:

ssh-copy-id username@server_ip

Replace username with your server’s username.

Replace server_ip with your server’s IP address.

If ssh-copy-id is unavailable, manually copy the public key:

cat ~/.ssh/id_rsa.pub

Copy the output.

On the server:

ssh username@server_ip

Append the public key to the ~/.ssh/authorized_keys file:

echo "paste_public_key_here" >> ~/.ssh/authorized_keys

Ensure the file permissions are correct:

chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh

3. Test SSH Key Authentication

From the client machine, test the connection:

ssh username@server_ip

If configured correctly, it will log in without asking for a password.

4. Disable Password Authentication (Optional but Recommended)

Edit the SSH configuration file on the server:

sudo nano /etc/ssh/sshd_config

Look for and set the following options:

PasswordAuthentication no
PubkeyAuthentication yes

Restart the SSH service:

sudo systemctl restart sshd

5. Secure Your Keys

Ensure proper permissions for the private key:

chmod 600 ~/.ssh/id_rsa

Do not share the private key with anyone or store it insecurely.

Troubleshooting Tips:

If key-based login doesn’t work, check the permissions of the following:

~/.ssh directory: chmod 700 ~/.ssh

~/.ssh/authorized_keys file: chmod 600 ~/.ssh/authorized_keys

Verify the SSH service status on the server:

sudo systemctl status sshd

Enable verbose mode during login for more details:

ssh -v username@server_ip

Step by step to create ESXi customize image

Ashish-Chorge — Mon, 23 Sep 2024 03:34:07 +0000

This document is prepared for Dell servers and Intel x550 NIC cards.

Install PowerCLI
Download the driver zip and extract it
a. Go to https://www.vmware.com/resources/compatibility/search.php
b. Select details as per below screenshot

c. Click on vSphere version example 6.0 U3 from the list.

Sample URL where all above options are already selected:

https://www.vmware.com/resources/compatibility/detail.php?deviceCategory=io&productid=40779&releaseid=276&deviceCategory=io&details=1&partner=46&releases=276&keyword=x550&deviceTypes=6&page=1&display_interval=10&sortColumn=Partner&sortOrder=Asc

Download ESXi image file ESXi600-201706001.zip
Now, in powercli add driver bundles using Add-EsxSoftwareDepot command

PS E:\share\ESXi-6.0U3a-Customize-ISO> Add-EsxSoftwareDepot -DepotUrl .\VMW-ESX-6.0.0-ixgben-1.7.20-offline_bundle-14161312.zip

Depot URL

zip:E:\share\ESXi-6.0U3a-Customize-ISO\VMW-ESX-6.0.0-ixgben-1.7.20-offline_bundle-14161312.zip?index.xml

Now, in powercli add ESXi bundle using Add-EsxSoftwareDepot command

PS E:\share\ESXi-6.0U3a-Customize-ISO> Add-EsxSoftwareDepot -DepotUrl .\ESXi600-201706001.zip

Depot URL

zip:E:\share\ESXi-6.0U3a-Customize-ISO\ESXi600-201706001.zip?index.xml

Get a list of ImageProfiles so you can choose one to modify.

PS E:\share\ESXi-6.0U3a-Customize-ISO> $ip = Get-EsxImageProfile
PS E:\share\ESXi-6.0U3a-Customize-ISO> $ip

Name                           Vendor          Last Modified   Acceptance Level
----                           ------          -------------   ----------------
ESXi-6.0.0-20170604001-stan... VMware, Inc.    5/18/2017 1:... PartnerSupported
ESXi-6.0.0-20170604001-no-t... VMware, Inc.    5/18/2017 1:... PartnerSupported
ESXi-6.0.0-20170601001s-sta... VMware, Inc.    5/18/2017 1:... PartnerSupported
ESXi-6.0.0-20170601001s-no-... VMware, Inc.    5/18/2017 1:... PartnerSupported

Note: Select the Index which is without s and which starts with -stand. As per highlighted text. Index number 0 may change in your case.

PS E:\share\ESXi-6.0U3a-Customize-ISO> $ip[0]

Name                           Vendor          Last Modified   Acceptance Level
----                           ------          -------------   ----------------
ESXi-6.0.0-20170604001-stan... VMware, Inc.    5/18/2017 1:... PartnerSupported

Create a new image profile by cloning an existing one.

PS E:\share\ESXi-6.0U3a-Customize-ISO> New-EsxImageProfile -CloneProfile $ip[0] -Name AshishProfile -Vendor VMW

Name                           Vendor          Last Modified   Acceptance Level
----                           ------          -------------   ----------------
AshishProfile                  VMW             5/18/2017 1:... PartnerSupported

Now add the ixgben driver VIB to this image profile.

PS E:\share\ESXi-6.0U3a-Customize-ISO> Add-EsxSoftwarePackage -ImageProfile AshishProfile -SoftwarePackage ixgben

Name                           Vendor          Last Modified   Acceptance Level
----                           ------          -------------   ----------------
AshishProfile                  VMW             12/23/2019 1... PartnerSupported

Finally, export the new image profile to ISO or Offline bundle zip.

PS E:\share\ESXi-6.0U3a-Customize-ISO> Export-EsxImageProfile -ImageProfile AshishProfile -FilePath ESXi-6.0U3a-CustomizeISO.iso -ExportToIso

PS E:\share\ESXi-6.0U3a-Customize-ISO> Export-EsxImageProfile -ImageProfile AshishProfile -FilePath mynewprofile.zip -ExportToBundle

Tip: The zip file you created with -ExportToBundle option, can be re-used as the input depot with the Add-EsxSoftwareDepot command.

Finally you will have below 4 files in your folder.

Create nested ESXi (Virtual ESXi) on Physical ESXi server

Ashish-Chorge — Tue, 11 Apr 2023 16:57:47 +0000

This article is to prepare nested ESXi (virtual ESXi) on physical ESXi server. This is useful for doing small POC or creating 2 node vSAN cluster witness node.

Step 1. Create trunk portgroup as vesxi-trunk-portgroup in ESXi where you want to deploy vESXi

Step 2. Create a new VM
- CPU = 4
- Memory = 8 GB
- Disk = 12 GB to install ESXi + 4 GB Cache disk + 8 GB Capacity disk
- Edit VM settings for CPU to enabled Hardware Virtualization

Step 3. Power on and install ESXi similar to physical ESXi server.
Step 4. Configure ESXi for network and hostname

Make sure to give your ESXi vLAN. This is similar to your other physical hosts configuration.

Step 5. after installation of ESXi add beow 2 paramters in advance
- scsi0:1.virtualSSD = true
- scsi0:2.virtualSSD = true

Step 6. Reboot the nested ESXi VM.

How to configure ESXi 7.x/8.x dump collector on vCenter Server 7.x/8.x

Ashish-Chorge — Mon, 03 Apr 2023 13:15:56 +0000

Prerequisite:

Make sure that vCenter Server has enough space in /storage/core/ partition using df -h command.

Procedure to configure:

1] First thing first login to your vCenter Server appliance using web client (VAMI) and start the dump collector service. By default, this service, which starts manually, is in stopped state.
2] Check current state of coredump. By default it is disabled.

   esxcli system coredump network check
   Network coredump not enabled

3] Confirm vmk0 is configured with the IP which is reachable to vCenter server.

esxcli network ip interface ipv4 get --interface-name=vmk0
Name  IPv4 Address  IPv4 Netmask   IPv4 Broadcast  Address Type  Gateway        DHCP DNS
----  ------------  -------------  --------------  ------------  -------------  --------
vmk0  192.168.1.20  255.255.255.0  192.168.1.255   STATIC        192.168.1.250     false

4] Set up an ESXi system to use ESXi Dump Collector by running esxcli system coredump in the local ESXi Shell or by using ESXCLI.

esxcli system coredump network set --interface-name vmk0 --server-ip 10.10.11.7 --server-port 6500

10.10.11.7 is your vCenter Server IP

5] Enable ESXi Dump Collector

esxcli system coredump network set --enable true

6] Check the details are set properly or not

esxcli system coredump network get
 Enabled: true
 Host VNic: vmk0
 Is Using IPv6: false
 Network Server IP: 10.10.11.7
 Network Server Port: 6500

7] Refresh the firewall rules so the changes take effect by running the command

esxcli network firewall refresh

8] Check the connectivity

nc -z -w 1 -s 192.168.1.20 -u 10.10.11.7 6500
  Connection to 10.10.11.7 6500 port [udp/*] succeeded!

9] Check current state of coredump. Now it should be in running state.

esxcli system coredump network check

10] Check the logs

root@set11-res-vc [ /var/log/vmware/netdumper ]# tail netdumper.log
2023-04-03T08:41:53.192Z In(05) netdumper Configured to handle 1024 clients in parallel.
2023-04-03T08:41:53.192Z In(05) netdumper Configuring /var/core/netdumps as the directory to store the cores
2023-04-03T08:41:53.192Z In(05) netdumper Configured to use wildcard [::0/0.0.0.0]:6500 as IP address:port
2023-04-03T08:41:53.192Z In(05) netdumper Using /var/log/vmware/netdumper/netdumper.log as the logfile.
2023-04-03T08:41:53.192Z In(05) netdumper Nothing to post process
2023-04-03T08:41:53.192Z In(05) netdumper Configured size limits: 5 GB per file, 10 GB per host, 20 GB for all
2023-04-03T08:41:53.192Z In(05) netdumper Running netdumper version 1.2
2023-04-03T08:41:53.192Z In(05) netdumper Netdumper Service is running in FIPS mode.
2023-04-03T08:45:15.028Z In(05) netdumper Posting back a status check reply to ::ffff:192.168.1.20
2023-04-03T09:04:26.763Z In(05) netdumper Posting back a status check reply to ::ffff:192.168.1.20

Reference documents:

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.esxi.install.doc/GUID-85D78165-E590-42CF-80AC-E78CBA307232.html

Create Harbor Server on Ubuntu VM

Ashish-Chorge — Tue, 01 Nov 2022 12:39:32 +0000

Copy this script on your Ubuntu VM and update first user inputs section for IP, hostname and FQDN. I tested this script on Ubuntu 22.

# This script will install Harbor server 
# 

#  User Inputs
> #==================================================
> export my_hostname=<Harbor server short host name>
export my_fqdn=<Harbor server FQDN>
export my_ip=<IP Address of the Harbor server>
#==================================================

echo "Make sure your VM is configured with proper hostname, static IP address and its entry is mentioned in your DNS server"
read -n 1 -r -s -p $'Press enter to continue... else Control + c to stop \n'

die() {
    local message=$1

    echo "$message" >&2
    exit 1
}

# precheck
echo "Doing precheck "
ping $my_hostname -c 2 || die 'command failed'
ping $my_ip -c 2 || die 'command failed'
nslookup $my_fqdn || die 'command failed'
nslookup $my_fqdn | grep $my_ip || die 'command failed'

echo "==== Doing precheck ====" || die 'command failed'
ping $my_hostname -c 2 || die 'command failed'
nslookup $my_fqdn || die 'command failed'
nslookup $my_fqdn | grep $my_ip || die 'command failed'

echo "1. Enable ssh on the vm" || die 'command failed'
apt-get update || die 'command failed'
apt install openssh-server || die 'command failed'

echo "2. Verify ssh service is up and running" || die 'command failed'
systemctl status ssh || die 'command failed'

echo "3. Update the apt package index" || die 'command failed'
apt-get update || die 'command failed'

echo "4. Install packages to allow apt to use a repository over HTTPS" || die 'command failed'
apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common -y || die 'command failed'

echo "5. Add Docker's official GPG key" || die 'command failed'
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - || die 'command failed'
sudo apt-key fingerprint 0EBFCD88 || die 'command failed'

echo "6. Setup a stable repository" || die 'command failed'
echo -ne '\n' | add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable" || die 'command failed'

echo "7. Install docker-ce" || die 'command failed'
apt-get update || die 'command failed'
apt-get install docker-ce docker-ce-cli containerd.io -y || die 'command failed'

echo "8. Install current stable release of Docker Compose" || die 'command failed'
curl -L "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose || die 'command failed'

echo "9. Apply executable permissions to the binary" || die 'command failed'
chmod +x /usr/local/bin/docker-compose || die 'command failed'

echo "10. Verify installation" || die 'command failed'
docker-compose --version || die 'command failed'

echo "11. Download the Harbor installer" || die 'command failed'
curl -L https://github.com/goharbor/harbor/releases/download/v2.4.3/harbor-offline-installer-v2.4.3.tgz -o /root/harbor-offline-installer-v2.4.3.tgz || die 'command failed'

echo "12. Extract the Harbor installer" || die 'command failed'
tar -xvzf /root/harbor-offline-installer-v2.4.3.tgz || die 'command failed'

echo "13. Generate a CA certificate private key" || die 'command failed'
openssl genrsa -out ca.key 4096 || die 'command failed'

echo "14. Generate the CA certificate" || die 'command failed'
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=US/ST=CA/L=Palo Alto/O=HomeLab/OU=Solution Engineering/CN=$my_fqdn" -key ca.key -out ca.crt || die 'command failed'

echo "15. Generate a private key" || die 'command failed'
openssl genrsa -out $my_fqdn.key 4096 || die 'command failed'

echo "16. Generate a certificate signing request" || die 'command failed'
openssl req -sha512 -new -subj "/C=US/ST=CA/L=Palo Alto/O=HomeLab/OU=Solution Engineering/CN=$my_fqdn" -key $my_fqdn.key -out $my_fqdn.csr || die 'command failed'

echo "17. Generate an x509 v3 extension file" || die 'command failed'
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=$my_fqdn
DNS.2=$my_hostname
IP.1=$my_ip
EOF

echo "18. Use the v3.ext file to generate a certificate for the Harbor host" || die 'command failed'
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in $my_fqdn.csr -out $my_fqdn.crt || die 'command failed'

echo "19. Provide the certificates to harbor and docker" || die 'command failed'
sudo mkdir -p /data/cert || die 'command failed'
sudo mkdir -p /etc/docker/certs.d/$my_fqdn/ || die 'command failed'
sudo cp ~/$my_fqdn.crt /data/cert/$my_fqdn.crt || die 'command failed'
sudo cp ~/$my_fqdn.crt /etc/docker/certs.d/$my_fqdn/$my_fqdn.crt || die 'command failed'
sudo cp ~/ca.crt /etc/docker/certs.d/$my_fqdn/ca.crt || die 'command failed'
sudo openssl x509 -inform PEM -in ~/$my_fqdn.crt -out /etc/docker/certs.d/$my_fqdn/$my_fqdn.cert || die 'command failed'
sudo cp ~/$my_fqdn.key /data/cert/$my_fqdn.key || die 'command failed'
sudo cp ~/$my_fqdn.key /etc/docker/certs.d/$my_fqdn/$my_fqdn.key || die 'command failed'

sudo systemctl restart docker || die 'command failed'

echo "20. Copy and update certificate on Harbor VM" || die 'command failed'
cp $my_fqdn.crt /usr/local/share/ca-certificates/update-ca-certificates || die 'command failed'

echo "21. Configure the Harbor YML file manually" || die 'command failed'
cp /root/harbor/harbor.yml.tmpl /root/harbor/harbor.yml || die 'command failed'

##### update the yml file manually
#echo "Update the yml file manually /root/harbor/harbor.yml and execute below command" || die 'command failed'
#echo "/root/harbor/install.sh --with-notary --with-chartmuseum || die 'command failed'"

cp /root/harbor/harbor.yml.tmpl /root/harbor/harbor.yml || die 'command failed'
cat /root/harbor/harbor.yml | sed -e "s/hostname: reg.mydomain.com/hostname: $my_fqdn/" > /tmp/1 || die 'command failed'
cat /tmp/1 | sed -e "s/certificate: \/your\/certificate\/path/certificate: \/root\/$my_fqdn.crt/" > /tmp/2 || die 'command failed'
cat /tmp/2 | sed -e "s/private_key: \/your\/private\/key\/path/private_key : \/root\/$my_fqdn.key/" > /tmp/3 || die 'command failed'
cp /tmp/3 /root/harbor/harbor.yml || die 'command failed'

echo "22. Install with Notary, Clair and Chart Repository Service" || die 'command failed'
/root/harbor/install.sh --with-notary --with-chartmuseum || die 'command failed'

Create a YUM server for RHEL 7.5 using its ISO file

Ashish-Chorge — Tue, 15 Feb 2022 13:36:05 +0000

This document is to create a YUM server using RHEL installer ISO file.

Install a RHEL VM with 2 GB RAM, 1 vCPU and 80 GB HDD.
Create a repository folder inside VM

mkdir -p /rhel75/repo

Mount the ISO using mount command and copy the Packages folder into your repository folder

cp /run/media/vcloud/RHEL-7.5\ Server.x86_64/Packages/* /rhel75/repo/

Install createrepo package if it is not installed during OS installation

cd /rhel75/repo
rpm -ivh createrepo-0.9.9-28.el7.noarch.rpm

Create repository

createrepo /rhcelab/repo/

Clean YUM cache

yum clean all

Update the rhcelab.repo file to point to your local repository folder

vi /etc/yum.repos.d/rhcelab.repo
[rhcerepo]
name=rhcerepo
baseurl=file:///rhel75/repo/
enabled=1
gpgcheck=0

List the repolist

yum repolist

For testing, try to install any package

yum install redhat-lsb

Create Kubernetes Setup on Ubuntu 20.04.3 VMs

Ashish-Chorge — Thu, 03 Feb 2022 14:38:32 +0000

Make sure you have enough resources in your local laptop/desktop to deploy VMs. One VM requires at least 2 GB RAM, 2 vCPU, 50 GB HDD
Create 2 VMs and install Ubuntu 20.04.3 on it. Note: Don't create swap partition during installation.
Make sure the VMs are having internet access by using NAT network adapter. NAT will share host's IP address.
Login as root

sudo su -

Assign static IP to both Primary and Secondary nodes. (Master = Primary and Worker = Secondary)

cat /etc/netplan/01-network-manager-all.yaml

# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      addresses:
       - 172.23.32.10/20 # IP address which you want to assign
      gateway4: 172.23.32.1
      nameservers:
        addresses: [127.0.0.53,8.8.8.8]

Apply the above configuration

netplan apply

Update packages

apt-get update && sudo apt-get upgrade -y

Install Curl and apt-transport-https packages

apt-get update && sudo apt-get install -y curl apt-transport-https

Add key to verify release

curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -

Add Kubernetes repository

cat <<EOF | sudo tee /etc/apt/sources.list.d/kubernetes.list
deb https://apt.kubernetes.io/ kubernetes-xenial main
EOF

Update packages for Kubernetes repository

apt-get update

Install kubelet, kubeadm and kubectl as per your required version

apt-get install -y kubelet=1.xx.y-00 kubeadm=1.xx.y-00 kubectl=1.xx.y-00

Install Docker

apt-get install docker.io

apt-mark hold will will not update or remove below packages

apt-mark hold kubelet kubeadm kubectl

Note down the VM Primary address. (Below command is only for Primary node)

export PRIMARY_IP=<VM management IP address> 
kubeadm init --apiserver-advertise-address=${PRIMARY_IP} --pod-network-cidr=10.100.0.0/16

Create bootstrap token on the Primary server. This command is use to join seconadary node to Primary node in a cluster. (Below command is only for Secondary nodes)

kubeadm token create --print-join-command

Example: kubeadm join <Primary management IP>:6443 --token dad5o8.w3rj4bvgvdq6c7xh \
        --discovery-token-ca-cert-hash sha256:63945cc1edb6d637b536a7acb74b0b8185f587cfe16d41a36edae8fe29b2453e

Install CNI

kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

Remove tent from Primary node to deploy pods

kubectl taint nodes <primary node hostname> node-role.kubernetes.io/master-