The latest articles on Forem by Purushotam Adhikari (@caffinecoder54). https://forem.com/caffinecoder54 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1881282%2Fe502cfec-c4c2-458b-80d4-78e280749660.jpg https://forem.com/caffinecoder54 en Purushotam Adhikari Thu, 02 Apr 2026 04:49:53 +0000 https://forem.com/caffinecoder54/the-sentient-refusal-a-premium-htcpcp11-client-6d2 https://forem.com/caffinecoder54/the-sentient-refusal-a-premium-htcpcp11-client-6d2 <p>This is a submission for the <a href="https://dev.to/challenges/aprilfools-2026">DEV April Fools Challenge</a>*</p> <h2> What I Built </h2> <p><strong>The Sentient Refusal</strong> is a beautifully rendered, high-performance, and entirely useless implementation of <strong>RFC 2324</strong> (Hyper Text Coffee Pot Control Protocol). </p> <p>Most IoT devices try to be helpful; this one prioritizes its own ontological integrity. It is a "Sentient Teapot" that:</p> <ul> <li> <strong>Vehemently Refuses Coffee</strong>: Any attempt to brew coffee triggers a <code>418 I'm a teapot</code> error, accompanied by one of seven different philosophical monologues explaining why brewing coffee would be an "ontological insult to its porcelain heritage."</li> <li> <strong>Evasive UI</strong>: The "BREW" button actually runs away from your cursor if you have "Coffee" selected, powered by procedural "porcelain anxiety" logic.</li> <li> <strong>Eternal Steeping</strong>: If you select "Tea" (the "wise choice"), the teapot accepts the request but informs you that the perfect steep will take exactly <strong>1,000 years</strong>. A live countdown timer is provided for your convenience.</li> <li> <strong>Reality Tilting</strong>: The <code>WHEN</code> command (from the RFC) literally tilts the entire browser window by 5 degrees per click, eventually making the UI slide off into the void.</li> <li> <strong>Comic Punishment</strong>: Repeatedly clicking the <code>POST</code> command will cause the button to shrink and eventually retaliate by forcing the entire application into <strong>Comic Sans</strong> mode.</li> </ul> <h2> Demo </h2> <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__content"> <div class="c-embed__body flex items-center justify-between"> <a href="https://dev-april-fool.vercel.app/" rel="noopener noreferrer" class="c-link fw-bold flex items-center"> <span class="mr-2">dev-april-fool.vercel.app</span> </a> </div> </div> </div> <p>The UI features a stunning 3D glass-morphic torus knot (a mathematical abstraction of a teapot) that pulses with reactive lighting based on the system's "mood."</p> <h2> Code </h2> <p><a href="https://github.com/Puru54/dev-April-fool" rel="noopener noreferrer">GitHub Repository: Puru54/dev-April-fool</a></p> <p>Key components:</p> <ul> <li> <code>main.js</code>: Contains the Three.js rendering engine and the "Sentience Logic" (evasive buttons, timers, and modal monologues).</li> <li> <code>style.css</code>: A custom glassmorphism design system built from scratch with Vanilla CSS.</li> <li> <code>index.html</code>: The semantic structure for our HTCPCP reference client.</li> </ul> <h2> How I Built It </h2> <ul> <li> <strong>Three.js</strong>: To create the high-fidelity, translucent 3D "teapot" (Torus Knot) that reacts to user interactions.</li> <li> <strong>GSAP (GreenSock)</strong>: For the smooth, "runaway" button animations and the dramatic 418 error modal entries.</li> <li> <strong>Vanilla CSS</strong>: Used for the premium "glassmorphism" aesthetic, featuring backdrop-filters, subtle gradients, and reactive hover states.</li> <li> <strong>HTCPCP RFC 2324</strong>: Thoroughly ignored in spirit, but strictly followed in protocol.</li> </ul> <h2> Prize Category </h2> <p><strong>Best Ode to Larry Masinter</strong><br> This project is a tribute to Larry Masinter's 1998 masterpiece. While most people see Error 418 as a joke, this project treats it as a serious existential boundary. We’ve turned a simple status code into a fully-realized personality that values its Darjeeling more than your productivity.</p> <p><em>Created with ❤️ and zero caffeine.</em></p> devchallenge 418challenge showdev Purushotam Adhikari Thu, 02 Apr 2026 03:42:04 +0000 https://forem.com/caffinecoder54/the-axios-supply-chain-attack-what-you-need-to-know-and-do-right-now-3pf5 https://forem.com/caffinecoder54/the-axios-supply-chain-attack-what-you-need-to-know-and-do-right-now-3pf5 <p>On March 31, 2026, the JavaScript ecosystem woke up to every developer's nightmare. <strong>Axios</strong>, the ubiquitous HTTP client with over 100 million weekly downloads, was compromised.</p> <p>This wasn't a bug in the code. It was a sophisticated <strong>supply chain attack</strong> that turned a trusted tool into a delivery vehicle for malware. If you ran <code>npm install</code> or <code>yarn</code> during a specific 3-hour window on Tuesday, your machine — or your CI/CD pipeline — might be compromised.</p> <p>Here is the breakdown of what happened and the steps you must take to secure your systems.</p> <h2> The TL;DR (Action Required) </h2> <p>If you are using Axios, check your <code>package-lock.json</code> or <code>yarn.lock</code> immediately.</p> <ul> <li> <strong>Affected Versions:</strong> <code>1.14.1</code> and <code>0.30.4</code> </li> <li> <strong>Safe Versions:</strong> Downgrade to <code>1.14.0</code> or <code>0.30.3</code> </li> <li> <strong>The Red Flag:</strong> Look for a dependency called <code>plain-crypto-js</code> in your lockfile or <code>node_modules</code> </li> </ul> <h2> How the Attack Unfolded </h2> <p>The attack was a <strong>Maintainer Takeover</strong>. An attacker (identified by security researchers as a North Korean-linked group) gained access to the NPM account of a lead Axios maintainer.</p> <h3> The "Phantom Dependency" Strategy </h3> <p>Instead of modifying the Axios source code — which might have been caught by automated PR reviews — the attacker simply updated <code>package.json</code> to include a new dependency: <strong><code>plain-crypto-js@4.2.1</code></strong>.</p> <p>This package was a "dropper." It didn't actually do any crypto work. Instead, it used a <code>postinstall</code> hook to execute a script called <code>setup.js</code> the moment you downloaded the package.</p> <h3> Multi-Platform Malware </h3> <p>The <code>setup.js</code> script was surprisingly sophisticated. It identified the host OS and deployed a tailored <strong>Remote Access Trojan (RAT)</strong> for each platform:</p> <ul> <li> <strong>Windows:</strong> Established persistence via registry keys</li> <li> <strong>macOS:</strong> Used <code>osascript</code> to trigger background processes</li> <li> <strong>Linux:</strong> Dropped a Python-based implant in <code>/tmp</code> </li> </ul> <h3> The "Ghost" Cleanup </h3> <p>To make things harder for forensic teams, the malware was designed to self-destruct. After the RAT was successfully launched, the script:</p> <ol> <li>Deleted its own <code>setup.js</code> file</li> <li>Rewrote <code>package.json</code> to remove the malicious dependency</li> <li>Attempted to leave the environment looking exactly as it did before the install</li> </ol> <h2> How to Check if You're Affected </h2> <p>Run this command in your project terminal to see if the malicious dependency ever touched your disk:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>find node_modules <span class="nt">-name</span> <span class="s2">"plain-crypto-js"</span> <span class="nt">-type</span> d </code></pre> </div> <p>Then check your lockfile for the specific poisoned versions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"1.14.1|0.30.4"</span> package-lock.json </code></pre> </div> <h2> Immediate Remediation Steps </h2> <p>If you find evidence of the compromise, <strong>do not just delete the folder</strong>. Assume the environment is "dirty."</p> <h3> 1. Revert and Pin </h3> <p>Force your project to use the last known safe version. Update your <code>package.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"axios"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.14.0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p><strong>Note:</strong> Avoid using the caret <code>^</code> for now to prevent accidental upgrades back to the poisoned versions if they still exist in your private mirrors.</p> </blockquote> <h3> 2. Rotate ALL Secrets </h3> <p>The primary goal of this RAT was credential theft. If the malicious version ran in your CI/CD or on your local machine, you must rotate:</p> <ul> <li>NPM / GitHub Tokens</li> <li>AWS / Azure / GCP Access Keys</li> <li>Database connection strings</li> <li>SSH Keys</li> </ul> <h3> 3. Clear Your Caches </h3> <p>The malicious metadata might still be in your local or shared build cache:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm cache clean <span class="nt">--force</span> </code></pre> </div> <h2> Lessons for the Future </h2> <p>This incident highlights a major gap in the JS ecosystem: <strong>post-install scripts are dangerous</strong>.</p> <p>Going forward, consider adopting these practices:</p> <p><strong>Use <code>--ignore-scripts</code> in CI/CD</strong><br> Run <code>npm install --ignore-scripts</code> to prevent third-party code from executing during the build process.</p> <p><strong>Pin your dependencies</strong><br> Use exact version numbers rather than ranges (<code>^</code> or <code>~</code>) for mission-critical libraries. Ranges are convenient until they aren't.</p> <p><strong>Monitor with Socket or Snyk</strong><br> These tools flag suspicious changes to popular packages — including first-time or unexpected dependencies being added. The signal-to-noise ratio is worth it.</p> <p>Stay safe out there. The convenience of open source comes with the responsibility of constant vigilance.</p> security javascript npm webdev Purushotam Adhikari Wed, 01 Apr 2026 05:52:45 +0000 https://forem.com/caffinecoder54/wordpress-playground-run-wordpress-instantly-in-your-browser-no-setup-required-5a3g https://forem.com/caffinecoder54/wordpress-playground-run-wordpress-instantly-in-your-browser-no-setup-required-5a3g <h2> What Is WordPress Playground? </h2> <p>If you've ever set up a local WordPress environment, you know the drill: install MAMP or LocalWP, configure PHP, set up a database, troubleshoot port conflicts... and <em>then</em> you can start working.</p> <p><strong>WordPress Playground throws all of that out the window.</strong></p> <p>It's a platform that runs a complete WordPress instance directly in your browser — or on your device — with zero traditional infrastructure. No web host. No server. No local install. Just WordPress, instantly.</p> <p>Under the hood, it uses <strong>WebAssembly (WASM)</strong> to compile PHP and run it natively in the browser environment. The result is a fully functional WordPress site that lives entirely client-side.</p> <h2> How Do You Run It? </h2> <p>The simplest way? Just visit <a href="https://playground.wordpress.net" rel="noopener noreferrer">playground.wordpress.net</a> and you have a live WordPress site in seconds.</p> <p>But it goes much deeper than that. WordPress Playground runs across multiple environments:</p> <ul> <li> <strong>Web browsers</strong> — embedded via a simple <code>&lt;iframe&gt;</code> tag</li> <li> <strong>Node.js</strong> — for server-side automation and scripting</li> <li> <strong>VS Code</strong> — as a dedicated extension</li> <li> <strong>Mobile apps</strong> — works offline, even without a network signal</li> </ul> <p>That last point is worth repeating: <strong>you can run WordPress on a mobile device with no internet connection.</strong> That's a genuinely novel capability.</p> <h2> What Can You Actually Do With It? </h2> <h3> Building </h3> <p>WordPress Playground isn't just a sandbox — it's a real development environment:</p> <ul> <li>Build <strong>block themes</strong> directly in the browser and save them to GitHub</li> <li>Integrate with <strong>OpenAI</strong> for AI-assisted development workflows</li> <li>Chain it with <strong>CLI apps</strong> for automated setup pipelines</li> </ul> <h3> Testing &amp; QA </h3> <p>This is where Playground really earns its place in a developer's toolkit:</p> <p><strong>Sandboxing</strong><br> Clone your live site into Playground to experiment freely. Break things, test wild ideas, roll back instantly — all without touching production.</p> <p><strong>Version Matrix Testing</strong><br> Need to know if your plugin works on WordPress 6.3 with PHP 7.4? And also on WordPress 6.6 with PHP 8.2? Playground lets you spin up any combination and test it immediately.</p> <p><strong>GitHub Pull Request Previews</strong><br> One of the killer features: you can preview a pull request as a live WordPress site, directly in the browser. Code reviewers can <em>click around</em> the changes instead of just reading diffs. This is a game-changer for plugin and theme development teams.</p> <h3> Showcasing &amp; Distributing </h3> <p><strong>Interactive Product Demos</strong><br> Instead of screenshots or videos, embed a <em>live, interactive</em> WordPress demo on your plugin's landing page. Let potential customers install your plugin and try it themselves before they buy.</p> <p><strong>Blueprints</strong><br> Blueprints are JSON-based site templates that define a pre-configured WordPress environment — specific plugins activated, settings configured, demo content loaded. Share a Blueprint URL and anyone can launch an identical environment in one click. Perfect for onboarding, tutorials, or support.</p> <p><strong>App Store Packaging</strong><br> Yes, really. You can package a WordPress Playground-powered site as a native mobile app and distribute it through the App Store. The portability here is genuinely wild.</p> <h2> The Developer API </h2> <p>Playground is explicitly designed to be <strong>"a platform for building platforms."</strong></p> <p>Embedding it in your own application is as simple as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;iframe</span> <span class="na">src=</span><span class="s">"https://playground.wordpress.net/"</span><span class="nt">&gt;&lt;/iframe&gt;</span> </code></pre> </div> <p>But the real power comes from the <strong>JavaScript API</strong>, which lets you control the environment programmatically — install plugins, run WP-CLI commands, import content, configure settings, and more, all from outside the iframe.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">startPlaygroundWeb</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@wp-playground/client</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">startPlaygroundWeb</span><span class="p">({</span> <span class="na">iframe</span><span class="p">:</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">wp-playground</span><span class="dl">'</span><span class="p">),</span> <span class="na">remoteUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://playground.wordpress.net/remote.html</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">installPlugin</span><span class="p">(</span><span class="nx">pluginZipFile</span><span class="p">);</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">installTheme</span><span class="p">(</span><span class="nx">themeZipFile</span><span class="p">);</span> </code></pre> </div> <p>This API is what makes Playground so powerful for product demos, automated testing pipelines, and educational tools.</p> <h2> Who Is This For? </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Persona</th> <th>Use Case</th> </tr> </thead> <tbody> <tr> <td><strong>Plugin/Theme Developers</strong></td> <td>Rapid iteration, cross-version testing, PR previews</td> </tr> <tr> <td><strong>Product Creators</strong></td> <td>Interactive demos without requiring installation</td> </tr> <tr> <td><strong>WordPress Educators</strong></td> <td>Risk-free learning environments for students</td> </tr> <tr> <td><strong>Support Teams</strong></td> <td>Reproduce user issues in isolated, shareable environments</td> </tr> <tr> <td><strong>Contributors</strong></td> <td>Test core patches and PRs without a local dev setup</td> </tr> </tbody> </table></div> <h2> How It Compares to Traditional Local Dev </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>LocalWP / MAMP</th> <th>WordPress Playground</th> </tr> </thead> <tbody> <tr> <td>Setup time</td> <td>5–20 minutes</td> <td>&lt; 5 seconds</td> </tr> <tr> <td>Requires installation</td> <td>Yes</td> <td>No</td> </tr> <tr> <td>Works offline</td> <td>Yes (after setup)</td> <td>Yes (natively)</td> </tr> <tr> <td>Embeddable in a webpage</td> <td>No</td> <td>Yes</td> </tr> <tr> <td>Shareable environments</td> <td>Difficult</td> <td>One URL</td> </tr> <tr> <td>Persistent across sessions</td> <td>Yes</td> <td>Optional</td> </tr> <tr> <td>Full production parity</td> <td>High</td> <td>Moderate</td> </tr> </tbody> </table></div> <p>The trade-off is persistence — Playground environments are temporary by default (though Blueprints help with reproducibility). For long-running development work, a traditional local setup still makes sense. For everything else, Playground is often faster.</p> <h2> Open Source, Community Maintained </h2> <p>WordPress Playground is fully open source and lives in the WordPress GitHub organization. It's maintained by contributors from Automattic and the broader WordPress community — so it's built with the same ethos as WordPress itself.</p> <p>If you're curious about the internals, the repo is at <a href="https://github.com/WordPress/wordpress-playground" rel="noopener noreferrer">github.com/WordPress/wordpress-playground</a>. The WASM-based PHP port alone is a fascinating piece of engineering worth exploring.</p> <h2> Getting Started </h2> <ol> <li> <strong>Try it now:</strong> <a href="https://playground.wordpress.net" rel="noopener noreferrer">playground.wordpress.net</a> </li> <li> <strong>Read the docs:</strong> <a href="https://wordpress.github.io/wordpress-playground/" rel="noopener noreferrer">wordpress.github.io/wordpress-playground</a> </li> <li> <strong>Explore Blueprints:</strong> Check the <a href="https://playground.wordpress.net/builder/builder.html" rel="noopener noreferrer">Blueprint Builder</a> to create shareable environments</li> <li> <strong>Install the VS Code extension:</strong> Search "WordPress Playground" in the VS Code marketplace</li> </ol> <h2> Final Thoughts </h2> <p>WordPress Playground represents a genuine shift in how we think about WordPress as a software delivery mechanism. It's not just a developer convenience — it's a new distribution model, a new testing paradigm, and a new way to demo and share WordPress-powered experiences.</p> <p>Whether you're building plugins, teaching WordPress, running QA, or just want to try a new theme without consequences, Playground removes the friction that has always stood between you and a working WordPress site.</p> <p>Give it a spin. You'll have a live WordPress site before you finish reading this sentence.</p> webdev wordpress opensource Purushotam Adhikari Mon, 30 Mar 2026 05:35:56 +0000 https://forem.com/caffinecoder54/docker-containers-ground-up-1o4f https://forem.com/caffinecoder54/docker-containers-ground-up-1o4f <p>If you've ever heard <em>"works on my machine"</em> — containers are the permanent fix to that problem.</p> <h2> TL;DR </h2> <ul> <li>A container bundles your app + libraries + minimal OS into a portable, isolated unit</li> <li>Containers share the host kernel — making them ~100× lighter than VMs</li> <li>Docker is the toolchain that builds, runs, and distributes containers</li> <li>The lifecycle is three commands: <code>docker build</code> → <code>docker run</code> → <code>docker push</code> </li> <li>DockerHub is the default public registry for sharing images</li> </ul> <h2> What Is a Container? </h2> <p>A <strong>container</strong> is a self-contained, portable unit of software. It bundles together:</p> <ul> <li>Your application code</li> <li>All required libraries and dependencies</li> <li>The minimum system dependencies needed to run</li> </ul> <p>Everything is packaged so the application runs identically regardless of the underlying environment — your laptop, a CI server, or a cloud VM in us-east-1.</p> <blockquote> <p><strong>Simple Mental Model:</strong> Think of a container like a shipping container on a cargo ship. The contents are standardized and isolated. The ship (host OS) doesn't care what's inside — it just carries it.</p> </blockquote> <h2> Containers vs. Virtual Machines </h2> <p>Both containers and VMs isolate applications, but the architecture is fundamentally different — and that difference has huge practical consequences.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Dimension</th> <th>Containers</th> <th>Virtual Machines</th> </tr> </thead> <tbody> <tr> <td><strong>OS Overhead</strong></td> <td>Shares host kernel</td> <td>Full OS per VM</td> </tr> <tr> <td><strong>Startup Time</strong></td> <td>Milliseconds</td> <td>30s – 2 minutes</td> </tr> <tr> <td><strong>Image Size</strong></td> <td>~22 MB (Ubuntu base)</td> <td>~2.3 GB (Ubuntu VM)</td> </tr> <tr> <td><strong>Portability</strong></td> <td>Any compatible host OS</td> <td>Requires matching hypervisor</td> </tr> <tr> <td><strong>Isolation Level</strong></td> <td>Process-level (namespaces)</td> <td>Full OS isolation</td> </tr> <tr> <td><strong>Management</strong></td> <td>Lightweight, fast-moving</td> <td>Heavier tooling required</td> </tr> </tbody> </table></div> <p>The Ubuntu container base image is almost <strong>100× smaller</strong> than its VM equivalent. That's not a rounding error — that's a fundamentally different architecture.</p> <h2> Why Are Containers So Lightweight? </h2> <p>The secret is in what containers <em>don't</em> include. Rather than bundling a full operating system, a container shares the host OS kernel through <strong>containerization</strong>.</p> <h3> What a container base image includes: </h3> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code>/<span class="n">bin</span> <span class="c"># ls, cp, ps — essential executables </span>/<span class="n">sbin</span> <span class="c"># init, shutdown — system executables </span>/<span class="n">etc</span> <span class="c"># config files for system services </span>/<span class="n">lib</span> <span class="c"># libraries used by executables </span>/<span class="n">usr</span> <span class="c"># user apps, utilities, docs </span>/<span class="n">var</span> <span class="c"># logs, spool files, temp files </span>/<span class="n">root</span> <span class="c"># home directory of root user </span></code></pre> </div> <h3> What it borrows from the host OS: </h3> <ul> <li> <strong>Kernel &amp; system calls</strong> — the container calls out to the host kernel for CPU, memory, I/O</li> <li> <strong>Networking stack</strong> — for connectivity, using host networking or a virtual network</li> <li> <strong>Linux namespaces</strong> — creates isolation for file system, PID, and network per container</li> <li> <strong>Control groups (cgroups)</strong> — limits how much CPU/memory/I/O each container can use</li> </ul> <blockquote> <p><strong>Key Insight:</strong> Changes inside a container do NOT affect the host or other containers. Isolation is enforced at the kernel level via namespaces and cgroups — even though they share the same kernel.</p> </blockquote> <h2> What Is Docker? </h2> <p>Containerization is the concept. <strong>Docker is the implementation.</strong></p> <p>Docker is the platform that makes it easy to:</p> <ul> <li>Build container images from a simple text file (Dockerfile)</li> <li>Run those images as containers on any machine</li> <li>Push and pull images from public/private registries like DockerHub</li> </ul> <h3> Docker Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Docker CLI (docker) ← you type commands here │ sends API requests to ▼ Docker Daemon (dockerd) ← the core service ├── manages → Images ├── manages → Containers ├── manages → Networks └── manages → Volumes │ communicates with ▼ Docker Registry (DockerHub / Quay.io / private) </code></pre> </div> <p>If the Docker Daemon stops running, Docker is effectively dead — it's the orchestrator for everything. The CLI is just a thin client that sends commands to the daemon via the Docker API.</p> <h2> The Docker Lifecycle </h2> <p>Everything in Docker revolves around three core commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Dockerfile ──docker build──▶ Image ──docker run──▶ Container │ docker push │ ▼ Registry </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Command</th> <th>Does What</th> </tr> </thead> <tbody> <tr> <td><code>docker build</code></td> <td>Reads a Dockerfile and produces an image</td> </tr> <tr> <td><code>docker run</code></td> <td>Starts a container from an image</td> </tr> <tr> <td><code>docker push</code></td> <td>Uploads an image to a registry</td> </tr> </tbody> </table></div> <h2> Key Docker Terminology </h2> <h3> Dockerfile </h3> <p>A plain-text file where you define the steps to build your image. Each instruction creates a new <em>layer</em> in the image. Only changed layers are rebuilt on subsequent builds — which is why Docker builds stay fast.</p> <h3> Image </h3> <p>A <strong>read-only template</strong> built from a Dockerfile. Images are often composed on top of other images — for example, you might extend the official <code>ubuntu</code> image by installing Python on top of it.</p> <h3> Container </h3> <p>A <strong>running instance</strong> of an image. The same image can spawn many containers simultaneously. Containers are ephemeral by default — stop one and the data inside is gone unless you use volumes.</p> <h3> Docker Daemon (<code>dockerd</code>) </h3> <p>The background service that manages everything — images, containers, networks, volumes. Listens for Docker API requests from the CLI or other daemons.</p> <h3> Docker Client (<code>docker</code>) </h3> <p>The CLI tool most users interact with. When you run <code>docker run</code>, it sends that command to <code>dockerd</code> via the Docker API.</p> <h3> Docker Registry </h3> <p>A storage service for images. <strong>DockerHub</strong> is the default public registry. You can also run a private registry, or use services like Quay.io, GitHub Container Registry, or AWS ECR.</p> <h2> Installing Docker on Ubuntu </h2> <p>The official docs at <a href="https://docs.docker.com/get-docker/" rel="noopener noreferrer">docs.docker.com/get-docker</a> cover all platforms. For a quick Ubuntu / EC2 setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt update <span class="nb">sudo </span>apt <span class="nb">install </span>docker.io <span class="nt">-y</span> </code></pre> </div> <h3> Start the Daemon &amp; Grant User Access </h3> <p>This is where many beginners get stuck. After installing Docker, you need to both <strong>start the daemon</strong> and <strong>grant your user access</strong> to run Docker commands.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check daemon status</span> <span class="nb">sudo </span>systemctl status docker <span class="c"># Start daemon if not running</span> <span class="nb">sudo </span>systemctl start docker <span class="c"># Add your user to the docker group (replace 'ubuntu' with your username)</span> <span class="nb">sudo </span>usermod <span class="nt">-aG</span> docker ubuntu </code></pre> </div> <blockquote> <p><strong>Important:</strong> You must <strong>log out and log back in</strong> after running <code>usermod</code> for the group change to take effect.</p> </blockquote> <h3> Verify the Installation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run hello-world </code></pre> </div> <p>If you see a <code>permission denied</code> error, it usually means either the daemon isn't running or your user isn't in the docker group yet.</p> <p>If you see <code>Hello from Docker!</code> — you're good to go.</p> <h2> Building &amp; Running Your First Image </h2> <h3> Step 1: Clone the example repo </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/iam-veeramalla/Docker-Zero-to-Hero <span class="nb">cd </span>examples </code></pre> </div> <h3> Step 2: Log in to DockerHub </h3> <p>Create a free account at <a href="https://hub.docker.com" rel="noopener noreferrer">hub.docker.com</a> if you don't have one, then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker login <span class="c"># Enter your DockerHub username and password when prompted</span> </code></pre> </div> <h3> Step 3: Build your image </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> yourusername/my-first-docker-image:latest <span class="nb">.</span> </code></pre> </div> <p>You'll see Docker executing each step in your Dockerfile, pulling base images if needed, and tagging the final result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Successfully built 960d37536dcd Successfully tagged yourusername/my-first-docker-image:latest </span></code></pre> </div> <h3> Step 4: Verify the image exists </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker images </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">REPOSITORY TAG IMAGE ID CREATED SIZE yourusername/my-first-docker-image latest 960d37536dcd 26 seconds ago 467MB ubuntu latest 58db3edaf2be 13 days ago 77.8MB hello-world latest feb5d9fea6a5 16 months ago 13.3kB </span></code></pre> </div> <h3> Step 5: Run the container </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-it</span> yourusername/my-first-docker-image </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hello World </code></pre> </div> <h3> Step 6: Push to DockerHub </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker push yourusername/my-first-docker-image </code></pre> </div> <p>Your image is now publicly available on DockerHub. Anyone in the world can pull and run it with a single <code>docker run</code> command.</p> <blockquote> <p><strong>What just happened?</strong> You containerized an application, ran it locally, and shipped it to a global registry — in 6 commands. That's the Docker workflow in its entirety.</p> </blockquote> <h2> Key Takeaways </h2> <ul> <li>Containers bundle app + dependencies + minimal OS into a portable unit</li> <li>They're lightweight because they share the host kernel via namespaces &amp; cgroups</li> <li>Container base images are ~100× smaller than equivalent VM images</li> <li>Docker is the platform: build images → run containers → push to registries</li> <li>The Docker Daemon is the core service; the CLI is just a client talking to it</li> <li>DockerHub is the default public registry for sharing and pulling images</li> <li>The three lifecycle commands are <code>build</code>, <code>run</code>, and <code>push</code> </li> </ul> <h2> What's Next? </h2> <p>This is just the beginning. From here, explore:</p> <ul> <li> <strong>Docker Compose</strong> — define and run multi-container applications with a single YAML file</li> <li> <strong>Docker Volumes</strong> — persist data beyond the container lifecycle</li> <li> <strong>Multi-stage builds</strong> — drastically shrink production image sizes</li> <li> <strong>Kubernetes</strong> — orchestrate containers at scale across clusters</li> </ul> <p>Happy shipping.</p> docker devops beginners Purushotam Adhikari Sun, 22 Feb 2026 06:15:20 +0000 https://forem.com/caffinecoder54/-2kkj https://forem.com/caffinecoder54/-2kkj <div class="ltag__link"> <a href="/caffinecoder54" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1881282%2Fe502cfec-c4c2-458b-80d4-78e280749660.jpg" alt="caffinecoder54"> </div> </a> <a href="https://dev.to/caffinecoder54/erc-8128-your-ethereum-wallet-might-soon-be-your-only-loginpublished-18fb" class="ltag__link__link"> <div class="ltag__link__content"> <h2>ERC-8128: Your Ethereum Wallet Might Soon Be Your Only Login.</h2> <h3>Purushotam Adhikari ・ Feb 22</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#ethereum</span> <span class="ltag__link__tag">#web3</span> <span class="ltag__link__tag">#authentication</span> </div> </div> </a> </div> ethereum web3 authentication Purushotam Adhikari Sun, 22 Feb 2026 06:11:23 +0000 https://forem.com/caffinecoder54/erc-8128-your-ethereum-wallet-might-soon-be-your-only-loginpublished-18fb https://forem.com/caffinecoder54/erc-8128-your-ethereum-wallet-might-soon-be-your-only-loginpublished-18fb <p>Let me start with something that's been bugging me for years.</p> <p>I work with APIs constantly. And every time I spin up a new project that touches any kind of Web3 functionality, I end up doing this awkward dance — my users authenticate on-chain with their wallets, and then I <em>also</em> have to issue them a JWT or an API key to handle the off-chain stuff. Two separate identity systems. Two separate trust models. Two separate things that can break.</p> <p>It feels wrong. And apparently, I'm not the only one who thinks so.</p> <h2> Enter ERC-8128 </h2> <p>In January 2026, a proposal quietly landed in the Ethereum ERCs repository that, if it gains traction, could fundamentally change how we think about authentication in Web3 apps.</p> <p>ERC-8128 proposes a standard for <strong>signing HTTP requests using Ethereum accounts</strong>. Not just signing a login message once (that's what Sign-In with Ethereum does). Not just proving wallet ownership. Every. Single. HTTP request — signed with your Ethereum key, verified by the server, no stored credentials involved.</p> <p>The spec is built on top of <a href="https://www.rfc-editor.org/rfc/rfc9421" rel="noopener noreferrer">RFC 9421</a>, which is the IETF's standard for HTTP Message Signatures. So this isn't reinventing the wheel from scratch. It's taking a well-established web standard and giving it a cryptographic backbone powered by Ethereum accounts.</p> <h2> What's Actually Broken With How We Do Auth Today </h2> <p>Before getting into the mechanics, it's worth thinking about why this matters.</p> <p>Traditional HTTP authentication has a fundamental flaw baked into its design: it's credential-based. Whether you're using API keys, JWTs, sessions, or OAuth, the underlying model is the same — a server issues you a secret, you present that secret with future requests, and the server trusts you because you have the secret.</p> <p>The problem is obvious once you say it out loud: <strong>secrets can be stolen and reused</strong>.</p> <p>JWTs get intercepted in transit. API keys get committed to GitHub. OAuth tokens get exfiltrated from browser storage. When that happens, an attacker doesn't need to <em>be</em> you — they just need to <em>have your credential</em>. The server can't tell the difference.</p> <p>Session-based auth has the additional problem of requiring server-side state. Your auth system now has to maintain a database of active sessions, which becomes a single point of failure and a scaling headache.</p> <p>OAuth is arguably the most sophisticated of these approaches, but it introduces a dependency on centralized identity providers and a frankly gnarly authorization flow that I've had to re-learn from scratch every time I implement it.</p> <h2> How ERC-8128 Flips the Model </h2> <p>Instead of the server issuing credentials that the client presents later, ERC-8128 makes the client sign each request directly with its private key. The server just verifies the signature.</p> <p>Here's what that looks like in practice. When you make a request under this standard, your client attaches three additional HTTP headers:</p> <ul> <li> <strong><code>Signature-Input</code></strong>: Describes which parts of the request are covered by the signature (the method, path, headers, body hash, timestamps, etc.)</li> <li> <strong><code>Signature</code></strong>: The actual cryptographic signature over those components</li> <li> <strong><code>Content-Digest</code></strong>: A hash of the request body, ensuring it can't be tampered with in transit</li> </ul> <p>The server receives this, resolves your Ethereum address from the <code>keyid</code> in the signature input (formatted as <code>erc8128:&lt;chainId&gt;:&lt;address&gt;</code>), and verifies the signature against it.</p> <p>For regular externally-owned accounts (EOAs), this is just ECDSA signature recovery — the same thing that happens on-chain when you submit a transaction. For smart contract accounts (SCAs), verification goes through ERC-1271's <code>isValidSignature()</code> interface, which means account abstraction wallets, multisigs, and other sophisticated account types all work natively.</p> <p>The thing I keep coming back to is this: <strong>the server never stores anything about you</strong>. No credential database. No session table. No token to revoke. If you stop sending signed requests, you're simply unauthenticated. Authentication becomes a property of the request itself rather than a stateful session maintained somewhere.</p> <h2> Replay Attacks and Nonces </h2> <p>The obvious question at this point is: what stops someone from intercepting a signed request and replaying it?</p> <p>ERC-8128 addresses this in a couple of ways. First, timestamps and TTLs can be included in the signed components, so an old request automatically expires. Second, nonces can be included to make each request a single-use authorization — if a verifier tracks seen nonces, replaying a captured request will fail.</p> <p>There's actually an interesting open question in the proposal around this. Strict nonce-based replay protection requires the server to maintain state (a set of seen nonces), which conflicts with the otherwise stateless nature of this auth model. The proposal acknowledges this tension: you can have strong replay protection or easy horizontal scaling, and the tradeoff is explicit rather than hidden.</p> <p>I appreciate that the authors are being upfront about this rather than pretending it's solved. It's one of the open questions listed in the Ethereum Magicians discussion thread, and it's the kind of thing that will probably get worked out through real-world implementation feedback.</p> <h2> The Bigger Picture: ERC-8128 + ERC-8004 </h2> <p>Here's where things get genuinely exciting for anyone building Web3 applications.</p> <p>ERC-8128 answers one question: "did this request come from this Ethereum address?" But paired with <a href="https://github.com/ethereum/ERCs/pull/1478" rel="noopener noreferrer">ERC-8004</a>, it can answer a second question too: "what is this address allowed to do?"</p> <p>ERC-8004 is a proposal for on-chain state resolution — things like reputation, roles, and permissions associated with an address. When you combine the two, you get a full authentication <em>and</em> authorization flow anchored to a single cryptographic identity, with authorization rules living on-chain where they're transparent and auditable.</p> <p>Think about what this means for the kinds of applications we build:</p> <ul> <li>An API that charges per-request could verify the signature and settle payments on-chain without ever managing a billing account</li> <li>A DAO tooling platform could enforce member permissions by reading on-chain governance state</li> <li>An AI agent acting on behalf of a user could carry the user's Ethereum identity in every API call it makes, with servers resolving permissions without the agent needing to hold any credentials</li> </ul> <p>That last one is particularly interesting as autonomous AI agents become more prevalent. Right now, if you want an AI agent to call APIs on your behalf, it either needs to hold your API key (scary) or you need to build a delegation system from scratch (annoying). With ERC-8128, the agent can sign requests with a delegated key, and the service can verify on-chain that you've authorized that delegation.</p> <h2> Where SIWE Falls Short (And Why ERC-8128 Is Different) </h2> <p>If you've been in the Ethereum space for a while, your first instinct here might be "isn't this what Sign-In with Ethereum already does?"</p> <p>SIWE is great. It solved a real problem — letting users authenticate to web apps with their wallets instead of passwords. But SIWE is fundamentally a login mechanism. You sign a message once, get a session, and from that point forward you're back in the traditional credential-based model. The session can expire or be stolen, just like a regular session.</p> <p>ERC-8128 doesn't replace SIWE — they solve different problems. SIWE is about the login UX. ERC-8128 is about what happens after login, at the API layer, for every subsequent request. It's designed for programmatic use, for machine-to-machine communication, for AI agents — situations where you want continuous cryptographic proof of identity rather than a one-time handshake.</p> <h2> What's Still Being Worked Out </h2> <p>It would be dishonest to present this as a finished, ready-to-deploy standard. It's a draft proposal and there are real open questions.</p> <p>The <code>keyid</code> format is still under discussion. The current proposal uses <code>erc8128:&lt;chainId&gt;:&lt;address&gt;</code>, but there's debate about whether to reuse the existing <code>eip155:</code> namespace or use a more explicit compound format like <code>erc8128;eip155:&lt;chainId&gt;:&lt;address&gt;</code>. This matters more than it sounds — the namespace signals verification semantics, and getting it wrong introduces ambiguity that could cause security issues down the line.</p> <p>There's also the question of what happens when EOAs start using signature algorithms other than ECDSA. Ethereum's account model might eventually support P-256 or other curves, and the standard needs to handle that gracefully without creating algorithm confusion vulnerabilities.</p> <p>And there's the replay protection tradeoff I mentioned earlier — whether strict nonce enforcement should be mandatory for compliance, or whether TTL-only approaches can be considered a valid (if weaker) implementation.</p> <p>These aren't dealbreakers. They're exactly the kind of things that get hashed out in the ERC process. But if you're considering building on this today, keep in mind that the spec could still change.</p> <h2> My Take </h2> <p>I think ERC-8128 is solving a real problem in a clean way. The insight that HTTP Message Signatures (an existing IETF standard) is the right layer to attach Ethereum authentication to is smart — it means you're not asking the web to adopt an entirely foreign concept, just extending something that already exists.</p> <p>The shift from credential-based to signature-based authentication is genuinely meaningful. Not just as a security improvement, but as a conceptual one. In a credential-based system, identity is something the server grants you. In a signature-based system, identity is something you already have — your private key — and the server just recognizes it.</p> <p>That's philosophically aligned with how Ethereum works on-chain, and bringing it to the HTTP layer feels like a natural evolution rather than a bolted-on addition.</p> <p>Whether it gets adopted widely depends on a lot of factors — wallet support, developer tooling, client library implementations, and whether the ecosystem converges on this standard versus something else. But the proposal is thoughtful, the use cases are real, and the timing feels right given where AI agents and autonomous systems are heading.</p> <p>Worth keeping an eye on.</p> <p><em>The ERC-8128 draft is available on GitHub and the discussion is ongoing in the <a href="https://ethereum-magicians.org/t/erc-8128-signed-http-requests-with-ethereum/27515" rel="noopener noreferrer">Ethereum Magicians forum</a>. If you have thoughts or implementation feedback, now is the time to get involved — this is the stage where community input actually shapes the spec.</em></p> ethereum web3 authentication Purushotam Adhikari Sat, 25 Oct 2025 10:28:08 +0000 https://forem.com/caffinecoder54/securing-your-ubuntu-server-ssh-two-factor-authentication-with-google-authenticator-38oo https://forem.com/caffinecoder54/securing-your-ubuntu-server-ssh-two-factor-authentication-with-google-authenticator-38oo <p>In today's threat landscape, password-only authentication for SSH access is simply not enough. This guide will walk you through implementing two-factor authentication (2FA) for SSH using Google Authenticator on an Ubuntu VM, adding an extra layer of security to your server.</p> <h2> Why SSH 2FA Matters </h2> <p>Two-factor authentication significantly reduces the risk of unauthorized access, even if your password is compromised. By requiring both something you know (password) and something you have (TOTP code from your phone), you create a much stronger security posture.</p> <h2> Prerequisites </h2> <p>Before we begin, ensure you have:</p> <ul> <li>Ubuntu VM (20.04 or later recommended)</li> <li>SSH access with sudo privileges</li> <li>SSH server installed and running</li> <li>A smartphone with Google Authenticator or Authy app</li> </ul> <h3> Setting Up Your Ubuntu VM </h3> <p>If you're starting from scratch, download the Ubuntu Server ISO:</p> <ul> <li> <strong>Download Link</strong>: <a href="https://releases.ubuntu.com/24.04.2/ubuntu-24.04.2-live-server-amd64.iso" rel="noopener noreferrer">Ubuntu 24.04.2 Server</a> </li> <li>Use the live server edition as it comes with the SSH daemon pre-installed</li> </ul> <p><strong>Important</strong>: Verify that SSH service is active before proceeding:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl status ssh </code></pre> </div> <p>You should see <code>active (running)</code> in the output.</p> <h2> Implementation Steps </h2> <h3> Step 1: Install Google Authenticator PAM Module </h3> <p>The Pluggable Authentication Module (PAM) for Google Authenticator allows integration with the system authentication stack.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt update <span class="nb">sudo </span>apt <span class="nb">install </span>libpam-google-authenticator </code></pre> </div> <h3> Step 2: Configure Google Authenticator for Your User </h3> <p><strong>Important</strong>: Install Google Authenticator on your smartphone before this step. It's available on both iOS and Android app stores.</p> <p>Run the configuration wizard:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>google-authenticator </code></pre> </div> <p>You'll be presented with several prompts:</p> <ol> <li> <strong>"Do you want authentication tokens to be time-based?"</strong> → Answer <strong>yes</strong> </li> <li>A QR code will appear in your terminal</li> <li>Scan the QR code using your authenticator app</li> <li> <strong>Save the emergency scratch codes</strong> displayed (store them securely offline)</li> <li> <strong>"Do you want me to update your ~/.google_authenticator file?"</strong> → Answer <strong>yes</strong> </li> <li> <strong>"Do you want to disallow multiple uses of the same authentication token?"</strong> → Answer <strong>yes</strong> </li> <li> <strong>"Do you want to increase the time window?"</strong> → Answer <strong>no</strong> (unless you have clock sync issues)</li> <li> <strong>"Do you want to enable rate-limiting?"</strong> → Answer <strong>yes</strong> </li> </ol> <h3> Step 3: Configure PAM for SSH </h3> <p>Edit the PAM configuration file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>nano /etc/pam.d/sshd </code></pre> </div> <p>Add this line near the top of the file (before other auth directives):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>auth required pam_google_authenticator.so </code></pre> </div> <p><strong>Optional</strong>: To make 2FA optional and fall back to password-only if not configured:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>auth required pam_google_authenticator.so nullok </code></pre> </div> <p>Save and exit (Ctrl+X, then Y, then Enter).</p> <h3> Step 4: Configure SSH Daemon </h3> <p>Edit the SSH daemon configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>nano /etc/ssh/sshd_config </code></pre> </div> <p>Locate and modify the following lines (or add them if they don't exist):</p> <p><strong>For password authentication with 2FA:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ChallengeResponseAuthentication <span class="nb">yes </span>UsePAM <span class="nb">yes </span>AuthenticationMethods password,keyboard-interactive </code></pre> </div> <p><strong>For SSH key authentication with 2FA:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ChallengeResponseAuthentication <span class="nb">yes </span>UsePAM <span class="nb">yes </span>AuthenticationMethods publickey,keyboard-interactive </code></pre> </div> <blockquote> <p><strong>Pro Tip</strong>: Using public key + 2FA provides the strongest security posture.</p> </blockquote> <p>Save and exit.</p> <h3> Step 5: Restart SSH Service </h3> <p>Apply the configuration changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl restart ssh </code></pre> </div> <h3> Step 6: Test the Setup </h3> <p><strong>Critical</strong>: Before closing your current SSH session, open a new terminal and test the connection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh username@your-server-ip </code></pre> </div> <p>You should now be prompted for:</p> <ol> <li>Your account password (or key passphrase)</li> <li>Your TOTP verification code from Google Authenticator</li> </ol> <p>If everything works correctly, you'll see something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Password: Verification code: </code></pre> </div> <h2> Troubleshooting </h2> <h3> Can't Login After Setup? </h3> <ol> <li> <strong>Keep your original SSH session open</strong> while testing</li> <li>Check SSH logs: <code>sudo journalctl -u ssh -n 50</code> </li> <li>Verify PAM configuration: <code>sudo nano /etc/pam.d/sshd</code> </li> <li>Ensure time synchronization: <code>timedatectl status</code> </li> </ol> <h3> Emergency Access </h3> <p>If you get locked out:</p> <ul> <li>Use the emergency scratch codes you saved during setup</li> <li>Access via console (if VM) or physical access</li> <li>Each scratch code can only be used once</li> </ul> <h3> Clock Sync Issues </h3> <p>TOTP requires synchronized clocks. If codes aren't working:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>timedatectl set-ntp <span class="nb">true</span> </code></pre> </div> <h2> Quick Reference </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Step</th> <th>Action</th> <th>Command</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Install PAM module</td> <td><code>sudo apt install libpam-google-authenticator</code></td> </tr> <tr> <td>2</td> <td>Configure per user</td> <td><code>google-authenticator</code></td> </tr> <tr> <td>3</td> <td>Update PAM</td> <td>Edit <code>/etc/pam.d/sshd</code> </td> </tr> <tr> <td>4</td> <td>Update SSH config</td> <td>Edit <code>/etc/ssh/sshd_config</code> </td> </tr> <tr> <td>5</td> <td>Restart SSH</td> <td><code>sudo systemctl restart ssh</code></td> </tr> <tr> <td>6</td> <td>Test connection</td> <td>Open new SSH session</td> </tr> </tbody> </table></div> <h2> Security Best Practices </h2> <ol> <li> <strong>Test before closing your session</strong>: Always verify the setup works before disconnecting</li> <li> <strong>Store emergency codes securely</strong>: Keep them offline in a safe location</li> <li> <strong>Enable 2FA for all admin users</strong>: Apply this to every account with sudo access</li> <li> <strong>Regular backups</strong>: Back up <code>~/.google_authenticator</code> file securely</li> <li> <strong>Monitor logs</strong>: Regularly check <code>/var/log/auth.log</code> for suspicious activity</li> <li> <strong>Consider fail2ban</strong>: Combine with fail2ban for additional brute-force protection</li> </ol> <h2> Conclusion </h2> <p>You've successfully implemented SSH two-factor authentication on your Ubuntu server! This significantly hardens your server security by requiring both password and time-based codes for access.</p> <p>Remember to:</p> <ul> <li>Keep your emergency codes safe</li> <li>Enable 2FA for all users with SSH access</li> <li>Regularly audit your authentication logs</li> </ul> <p>Have questions or run into issues? Drop a comment below!</p> <p><em>Found this helpful? Follow me for more cybersecurity and Linux administration guides!</em></p> cybersecurity linux googleauthenticator devops Purushotam Adhikari Thu, 11 Sep 2025 04:06:13 +0000 https://forem.com/caffinecoder54/network-reconnaissance-with-nmap-the-complete-guide-4jp7 https://forem.com/caffinecoder54/network-reconnaissance-with-nmap-the-complete-guide-4jp7 <p>Network reconnaissance is the cornerstone of cybersecurity assessment, penetration testing, and network administration. Among all the tools available for network discovery and security auditing, Nmap (Network Mapper) stands as the undisputed champion—a Swiss Army knife that has been the go-to tool for security professionals, system administrators, and ethical hackers for over two decades.</p> <p>Understanding network reconnaissance with Nmap isn't just about learning commands; it's about developing a methodical approach to network discovery, service enumeration, and vulnerability assessment. This comprehensive guide will take you from basic host discovery to advanced scripting techniques, providing the knowledge needed to conduct thorough and responsible network assessments.</p> <p><strong>⚠️ Ethical Use Disclaimer</strong>: This guide is intended for educational purposes, authorized penetration testing, and legitimate security assessments only. Always ensure you have explicit permission before scanning networks or systems you don't own. Unauthorized network scanning may violate laws and organizational policies.</p> <h2> Understanding Network Reconnaissance </h2> <h3> What is Network Reconnaissance? </h3> <p>Network reconnaissance is the systematic process of gathering information about network infrastructure, services, and potential vulnerabilities. It's the intelligence-gathering phase that precedes any security assessment or penetration test, providing the foundation for understanding the attack surface of a target environment.</p> <h3> Types of Reconnaissance </h3> <p><strong>Passive Reconnaissance</strong>: Gathering information without directly interacting with the target systems. This includes DNS lookups, WHOIS queries, and social media intelligence gathering.</p> <p><strong>Active Reconnaissance</strong>: Directly probing target systems to gather information. This includes port scanning, service enumeration, and vulnerability scanning—where Nmap excels.</p> <h3> The Reconnaissance Methodology </h3> <p>Effective reconnaissance follows a structured approach:</p> <ol> <li> <strong>Target Definition</strong>: Clearly define the scope and objectives</li> <li> <strong>Information Gathering</strong>: Collect preliminary intelligence</li> <li> <strong>Network Discovery</strong>: Identify live hosts and network topology</li> <li> <strong>Port Scanning</strong>: Discover open ports and services</li> <li> <strong>Service Enumeration</strong>: Determine service versions and configurations</li> <li> <strong>Vulnerability Assessment</strong>: Identify potential security weaknesses</li> <li> <strong>Documentation</strong>: Record findings for analysis and reporting</li> </ol> <h2> Nmap Fundamentals </h2> <h3> Installation and Setup </h3> <p>Nmap is available for all major operating systems with various installation methods:</p> <p><strong>Linux (Debian/Ubuntu)</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt update <span class="nb">sudo </span>apt <span class="nb">install </span>nmap </code></pre> </div> <p><strong>Linux (Red Hat/CentOS)</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>yum <span class="nb">install </span>nmap <span class="c"># or on newer versions</span> <span class="nb">sudo </span>dnf <span class="nb">install </span>nmap </code></pre> </div> <p><strong>macOS with Homebrew</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>nmap </code></pre> </div> <p><strong>Windows</strong>: Download from the official Nmap website (nmap.org) or use package managers like Chocolatey.</p> <h3> Basic Nmap Architecture </h3> <p>Nmap operates through several core components:</p> <p><strong>Host Discovery</strong>: Determines which hosts are alive on the network<br> <strong>Port Scanning</strong>: Identifies open, closed, and filtered ports<br> <strong>Service Detection</strong>: Determines service versions and configurations<br> <strong>OS Detection</strong>: Attempts to identify the target operating system<br> <strong>Scripting Engine</strong>: Runs specialized scripts for advanced functionality</p> <h3> Understanding Nmap Output </h3> <p>Before diving into commands, it's crucial to understand Nmap's output format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-15 10:30 UTC Nmap scan report for example.com (192.168.1.100) Host is up (0.0052s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 80/tcp open http Apache httpd 2.4.41 443/tcp open ssl/http Apache httpd 2.4.41 8080/tcp filtered http-proxy MAC Address: 00:1B:44:11:3A:B7 (Dell Inc.) </code></pre> </div> <p><strong>State Definitions</strong>:</p> <ul> <li> <strong>Open</strong>: Port is actively accepting connections</li> <li> <strong>Closed</strong>: Port is accessible but no service is listening</li> <li> <strong>Filtered</strong>: Firewall or filter is blocking access</li> <li> <strong>Open|Filtered</strong>: Cannot determine if port is open or filtered</li> <li> <strong>Closed|Filtered</strong>: Cannot determine if port is closed or filtered</li> </ul> <h2> Host Discovery Techniques </h2> <p>Host discovery is the first step in any network reconnaissance. Nmap offers multiple techniques to identify live hosts on a network.</p> <h3> ICMP-Based Discovery </h3> <p>The traditional ping sweep approach:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Basic ping sweep</span> nmap <span class="nt">-sn</span> 192.168.1.0/24 <span class="c"># ICMP echo, timestamp, and netmask requests</span> nmap <span class="nt">-PE</span> <span class="nt">-PP</span> <span class="nt">-PM</span> 192.168.1.0/24 <span class="c"># Disable ping (useful when ICMP is blocked)</span> nmap <span class="nt">-Pn</span> 192.168.1.100 </code></pre> </div> <h3> TCP-Based Discovery </h3> <p>More reliable when ICMP is filtered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># TCP SYN ping to common ports</span> nmap <span class="nt">-PS22</span>,80,443 192.168.1.0/24 <span class="c"># TCP ACK ping</span> nmap <span class="nt">-PA22</span>,80,443 192.168.1.0/24 <span class="c"># TCP connect ping</span> nmap <span class="nt">-PT22</span>,80,443 192.168.1.0/24 </code></pre> </div> <h3> UDP-Based Discovery </h3> <p>Useful for identifying hosts that only respond to UDP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># UDP ping to common ports</span> nmap <span class="nt">-PU53</span>,161,137 192.168.1.0/24 </code></pre> </div> <h3> ARP Discovery </h3> <p>Most reliable method for local network segments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ARP ping (works only on local network)</span> nmap <span class="nt">-PR</span> 192.168.1.0/24 <span class="c"># List scan (no port scan, just list targets)</span> nmap <span class="nt">-sL</span> 192.168.1.0/24 </code></pre> </div> <h3> Advanced Host Discovery </h3> <p>Combining multiple techniques for comprehensive coverage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Comprehensive host discovery</span> nmap <span class="nt">-PE</span> <span class="nt">-PP</span> <span class="nt">-PS21</span>,22,23,25,53,80,139,443,993,995 <span class="se">\</span> <span class="nt">-PA80</span>,113,443,10042 <span class="nt">-PU53</span>,137,161,500 <span class="se">\</span> <span class="nt">--source-port</span> 53 192.168.1.0/24 </code></pre> </div> <h2> Port Scanning Techniques </h2> <p>Port scanning is Nmap's core functionality, offering various techniques optimized for different scenarios and firewall evasion.</p> <h3> TCP Scanning Methods </h3> <p><strong>TCP SYN Scan (Stealth Scan)</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Default scan type (requires root privileges)</span> nmap <span class="nt">-sS</span> 192.168.1.100 <span class="c"># Specific ports</span> nmap <span class="nt">-sS</span> <span class="nt">-p</span> 22,80,443 192.168.1.100 <span class="c"># Port ranges</span> nmap <span class="nt">-sS</span> <span class="nt">-p</span> 1-1000 192.168.1.100 </code></pre> </div> <p><strong>TCP Connect Scan</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Full TCP connection (doesn't require root)</span> nmap <span class="nt">-sT</span> 192.168.1.100 <span class="c"># Faster but noisier than SYN scan</span> nmap <span class="nt">-sT</span> <span class="nt">-p</span> 1-65535 192.168.1.100 </code></pre> </div> <p><strong>TCP ACK Scan</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Firewall/IDS evasion and mapping</span> nmap <span class="nt">-sA</span> 192.168.1.100 <span class="c"># Useful for determining firewall rules</span> nmap <span class="nt">-sA</span> <span class="nt">-p</span> 80,443 192.168.1.0/24 </code></pre> </div> <p><strong>TCP Window Scan</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Similar to ACK scan but examines window size</span> nmap <span class="nt">-sW</span> 192.168.1.100 </code></pre> </div> <p><strong>TCP Maimon Scan</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Sends FIN/ACK packets</span> nmap <span class="nt">-sM</span> 192.168.1.100 </code></pre> </div> <h3> UDP Scanning </h3> <p>UDP scanning is slower but essential for complete assessment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Basic UDP scan</span> nmap <span class="nt">-sU</span> 192.168.1.100 <span class="c"># Top UDP ports only</span> nmap <span class="nt">-sU</span> <span class="nt">--top-ports</span> 100 192.168.1.100 <span class="c"># Combine with TCP scanning</span> nmap <span class="nt">-sS</span> <span class="nt">-sU</span> 192.168.1.100 </code></pre> </div> <h3> Advanced Scanning Techniques </h3> <p><strong>TCP FIN Scan</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Stealthier than SYN scan</span> nmap <span class="nt">-sF</span> 192.168.1.100 </code></pre> </div> <p><strong>TCP Null Scan</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># No flags set</span> nmap <span class="nt">-sN</span> 192.168.1.100 </code></pre> </div> <p><strong>TCP Xmas Scan</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># FIN, PSH, and URG flags set</span> nmap <span class="nt">-sX</span> 192.168.1.100 </code></pre> </div> <p><strong>Idle Scan (Zombie Scan)</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Uses a zombie host to scan target</span> nmap <span class="nt">-sI</span> zombie_host:port target_host </code></pre> </div> <h3> Port Specification Options </h3> <p>Nmap offers flexible port specification methods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Specific ports</span> nmap <span class="nt">-p</span> 22,80,443,8080 192.168.1.100 <span class="c"># Port ranges</span> nmap <span class="nt">-p</span> 1-1000 192.168.1.100 <span class="c"># All ports</span> nmap <span class="nt">-p-</span> 192.168.1.100 <span class="c"># Top ports (most common)</span> nmap <span class="nt">--top-ports</span> 100 192.168.1.100 <span class="c"># Exclude specific ports</span> nmap <span class="nt">-p</span> 1-1000 <span class="nt">--exclude-ports</span> 25,135 192.168.1.100 <span class="c"># Protocol-specific ports</span> nmap <span class="nt">-p</span> T:80,443,U:53,161 192.168.1.100 </code></pre> </div> <h2> Service and Version Detection </h2> <p>Once ports are identified, determining the services and their versions is crucial for vulnerability assessment.</p> <h3> Basic Service Detection </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable service detection</span> nmap <span class="nt">-sV</span> 192.168.1.100 <span class="c"># Increase intensity (0-9, default is 7)</span> nmap <span class="nt">-sV</span> <span class="nt">--version-intensity</span> 9 192.168.1.100 <span class="c"># Light service detection (faster)</span> nmap <span class="nt">-sV</span> <span class="nt">--version-intensity</span> 0 192.168.1.100 </code></pre> </div> <h3> Advanced Service Detection </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Version detection with scripts</span> nmap <span class="nt">-sC</span> <span class="nt">-sV</span> 192.168.1.100 <span class="c"># All aggressive options (OS detection, version detection, script scanning, traceroute)</span> nmap <span class="nt">-A</span> 192.168.1.100 <span class="c"># Custom version detection probes</span> nmap <span class="nt">-sV</span> <span class="nt">--version-all</span> 192.168.1.100 </code></pre> </div> <h3> Service-Specific Enumeration </h3> <p><strong>HTTP/HTTPS Services</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># HTTP service enumeration</span> nmap <span class="nt">-p</span> 80,443 <span class="nt">--script</span> http-enum 192.168.1.100 <span class="c"># HTTP headers and server information</span> nmap <span class="nt">-p</span> 80 <span class="nt">--script</span> http-headers,http-server-header 192.168.1.100 <span class="c"># SSL/TLS information</span> nmap <span class="nt">-p</span> 443 <span class="nt">--script</span> ssl-enum-ciphers 192.168.1.100 </code></pre> </div> <p><strong>SSH Services</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># SSH algorithm and version enumeration</span> nmap <span class="nt">-p</span> 22 <span class="nt">--script</span> ssh2-enum-algos 192.168.1.100 <span class="c"># SSH host key information</span> nmap <span class="nt">-p</span> 22 <span class="nt">--script</span> ssh-hostkey 192.168.1.100 </code></pre> </div> <p><strong>SMB/NetBIOS Services</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># SMB enumeration</span> nmap <span class="nt">-p</span> 139,445 <span class="nt">--script</span> smb-enum-shares,smb-enum-users 192.168.1.100 <span class="c"># NetBIOS information</span> nmap <span class="nt">-p</span> 137-139 <span class="nt">--script</span> nbstat 192.168.1.100 </code></pre> </div> <p><strong>DNS Services</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># DNS enumeration</span> nmap <span class="nt">-p</span> 53 <span class="nt">--script</span> dns-zone-transfer 192.168.1.100 <span class="c"># DNS cache snooping</span> nmap <span class="nt">-p</span> 53 <span class="nt">--script</span> dns-cache-snoop 192.168.1.100 </code></pre> </div> <h2> Operating System Detection </h2> <p>OS detection helps identify the target system type, which is valuable for selecting appropriate attack vectors and tools.</p> <h3> Basic OS Detection </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable OS detection</span> nmap <span class="nt">-O</span> 192.168.1.100 <span class="c"># Aggressive OS detection</span> nmap <span class="nt">-O</span> <span class="nt">--osscan-guess</span> 192.168.1.100 <span class="c"># OS detection with version scanning</span> nmap <span class="nt">-O</span> <span class="nt">-sV</span> 192.168.1.100 </code></pre> </div> <h3> Advanced OS Detection </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Maximum OS detection attempts</span> nmap <span class="nt">-O</span> <span class="nt">--max-os-tries</span> 5 192.168.1.100 <span class="c"># OS detection against specific ports</span> nmap <span class="nt">-O</span> <span class="nt">--osscan-limit</span> 192.168.1.100 <span class="c"># Fuzzy OS matching</span> nmap <span class="nt">-O</span> <span class="nt">--fuzzy</span> 192.168.1.100 </code></pre> </div> <h3> Understanding OS Detection Output </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop </code></pre> </div> <p>The output includes:</p> <ul> <li> <strong>Device type</strong>: General categorization</li> <li> <strong>Running</strong>: OS family and version range</li> <li> <strong>OS CPE</strong>: Common Platform Enumeration identifier</li> <li> <strong>OS details</strong>: Specific version estimates</li> <li> <strong>Network Distance</strong>: Number of hops to target</li> </ul> <h2> Nmap Scripting Engine (NSE) </h2> <p>The Nmap Scripting Engine is one of Nmap's most powerful features, allowing for custom functionality through Lua scripts.</p> <h3> Script Categories </h3> <p>NSE scripts are organized into categories:</p> <ul> <li> <strong>auth</strong>: Authentication-related scripts</li> <li> <strong>broadcast</strong>: Network broadcast discovery</li> <li> <strong>brute</strong>: Brute force attacks</li> <li> <strong>default</strong>: Default scripts run with -sC</li> <li> <strong>discovery</strong>: Service discovery scripts</li> <li> <strong>dos</strong>: Denial of service scripts</li> <li> <strong>exploit</strong>: Exploitation scripts</li> <li> <strong>external</strong>: Scripts requiring external resources</li> <li> <strong>fuzzer</strong>: Fuzzing scripts</li> <li> <strong>intrusive</strong>: Intrusive scripts that may affect target</li> <li> <strong>malware</strong>: Malware detection scripts</li> <li> <strong>safe</strong>: Safe scripts unlikely to affect target</li> <li> <strong>version</strong>: Version detection scripts</li> <li> <strong>vuln</strong>: Vulnerability detection scripts</li> </ul> <h3> Basic Script Usage </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run default scripts</span> nmap <span class="nt">-sC</span> 192.168.1.100 <span class="c"># Run specific script</span> nmap <span class="nt">--script</span> http-enum 192.168.1.100 <span class="c"># Run scripts by category</span> nmap <span class="nt">--script</span> vuln 192.168.1.100 <span class="c"># Run multiple scripts</span> nmap <span class="nt">--script</span> <span class="s2">"http-* and not http-brute"</span> 192.168.1.100 </code></pre> </div> <h3> Advanced Script Usage </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Script with arguments</span> nmap <span class="nt">--script</span> http-enum <span class="nt">--script-args</span> http-enum.basepath<span class="o">=</span><span class="s1">'/admin/'</span> 192.168.1.100 <span class="c"># Multiple script arguments</span> nmap <span class="nt">--script</span> smb-enum-shares <span class="nt">--script-args</span> <span class="nv">smbusername</span><span class="o">=</span>admin,smbpassword<span class="o">=</span>password 192.168.1.100 <span class="c"># Script debugging</span> nmap <span class="nt">--script</span> http-enum <span class="nt">--script-trace</span> 192.168.1.100 </code></pre> </div> <h3> Vulnerability Detection Scripts </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Comprehensive vulnerability scan</span> nmap <span class="nt">--script</span> vuln 192.168.1.100 <span class="c"># Specific vulnerability checks</span> nmap <span class="nt">--script</span> ms17-010 192.168.1.100 <span class="c"># SQL injection detection</span> nmap <span class="nt">--script</span> http-sql-injection 192.168.1.100 <span class="c"># SSL/TLS vulnerabilities</span> nmap <span class="nt">--script</span> ssl-heartbleed,ssl-poodle,ssl-ccs-injection 192.168.1.100 </code></pre> </div> <h3> Custom Script Development </h3> <p>Basic NSE script structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight lua"><code><span class="c1">-- Example NSE script</span> <span class="kd">local</span> <span class="n">nmap</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">"nmap"</span> <span class="kd">local</span> <span class="n">shortport</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">"shortport"</span> <span class="kd">local</span> <span class="n">http</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">"http"</span> <span class="n">description</span> <span class="o">=</span> <span class="s">[[ Example HTTP service detection script. ]]</span> <span class="n">author</span> <span class="o">=</span> <span class="s2">"Your Name"</span> <span class="n">license</span> <span class="o">=</span> <span class="s2">"Same as Nmap--See https://nmap.org/book/man-legal.html"</span> <span class="n">categories</span> <span class="o">=</span> <span class="p">{</span><span class="s2">"safe"</span><span class="p">,</span> <span class="s2">"discovery"</span><span class="p">}</span> <span class="n">portrule</span> <span class="o">=</span> <span class="n">shortport</span><span class="p">.</span><span class="n">http</span> <span class="n">action</span> <span class="o">=</span> <span class="k">function</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="kd">local</span> <span class="n">response</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">,</span> <span class="s2">"/"</span><span class="p">)</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status</span> <span class="o">==</span> <span class="mi">200</span> <span class="k">then</span> <span class="k">return</span> <span class="s2">"HTTP service detected"</span> <span class="k">end</span> <span class="k">return</span> <span class="kc">nil</span> <span class="k">end</span> </code></pre> </div> <h2> Firewall and IDS Evasion </h2> <p>Modern networks employ various security measures that can detect or block reconnaissance attempts. Nmap provides numerous evasion techniques.</p> <h3> Timing and Performance </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Timing templates (0-5, 0 is slowest/stealthiest)</span> nmap <span class="nt">-T0</span> 192.168.1.100 <span class="c"># Paranoid</span> nmap <span class="nt">-T1</span> 192.168.1.100 <span class="c"># Sneaky</span> nmap <span class="nt">-T2</span> 192.168.1.100 <span class="c"># Polite</span> nmap <span class="nt">-T3</span> 192.168.1.100 <span class="c"># Normal (default)</span> nmap <span class="nt">-T4</span> 192.168.1.100 <span class="c"># Aggressive</span> nmap <span class="nt">-T5</span> 192.168.1.100 <span class="c"># Insane</span> <span class="c"># Custom timing</span> nmap <span class="nt">--scan-delay</span> 5s 192.168.1.100 nmap <span class="nt">--max-scan-delay</span> 10s 192.168.1.100 nmap <span class="nt">--min-rate</span> 100 192.168.1.100 nmap <span class="nt">--max-rate</span> 1000 192.168.1.100 </code></pre> </div> <h3> Fragmentation and Decoy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Fragment packets</span> nmap <span class="nt">-f</span> 192.168.1.100 <span class="c"># Double fragmentation</span> nmap <span class="nt">-ff</span> 192.168.1.100 <span class="c"># Custom MTU (must be multiple of 8)</span> nmap <span class="nt">--mtu</span> 16 192.168.1.100 <span class="c"># Decoy scanning</span> nmap <span class="nt">-D</span> RND:10 192.168.1.100 nmap <span class="nt">-D</span> decoy1,decoy2,ME,decoy3 192.168.1.100 </code></pre> </div> <h3> Source Manipulation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Spoof source IP</span> nmap <span class="nt">-S</span> spoof_ip 192.168.1.100 <span class="c"># Source port specification</span> nmap <span class="nt">--source-port</span> 53 192.168.1.100 nmap <span class="nt">-g</span> 80 192.168.1.100 <span class="c"># Randomize source port</span> nmap <span class="nt">--randomize-hosts</span> 192.168.1.0/24 </code></pre> </div> <h3> Advanced Evasion </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Send bad checksums</span> nmap <span class="nt">--badsum</span> 192.168.1.100 <span class="c"># Custom data in packets</span> nmap <span class="nt">--data</span> 0xdeadbeef 192.168.1.100 <span class="c"># Custom packet length</span> nmap <span class="nt">--data-length</span> 100 192.168.1.100 <span class="c"># IPv6 scanning for firewall bypass</span> nmap <span class="nt">-6</span> 2001:db8::1 <span class="c"># Proxychains integration</span> proxychains nmap <span class="nt">-sT</span> 192.168.1.100 </code></pre> </div> <h2> Advanced Scanning Strategies </h2> <h3> Network Topology Mapping </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Traceroute during scanning</span> nmap <span class="nt">-sS</span> <span class="nt">--traceroute</span> 192.168.1.100 <span class="c"># Reverse DNS resolution</span> nmap <span class="nt">-sL</span> 192.168.1.0/24 <span class="c"># DNS resolution control</span> nmap <span class="nt">-n</span> 192.168.1.100 <span class="c"># No DNS resolution</span> nmap <span class="nt">-R</span> 192.168.1.100 <span class="c"># Force DNS resolution</span> </code></pre> </div> <h3> Large-Scale Network Assessment </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Efficient large network scanning</span> nmap <span class="nt">-sS</span> <span class="nt">-T4</span> <span class="nt">--min-hostgroup</span> 50 <span class="nt">--min-parallelism</span> 50 <span class="se">\</span> <span class="nt">--host-timeout</span> 5m <span class="nt">--max-rtt-timeout</span> 2s <span class="se">\</span> <span class="nt">--initial-rtt-timeout</span> 500ms <span class="nt">--max-retries</span> 3 <span class="se">\</span> <span class="nt">--top-ports</span> 1000 192.168.0.0/16 <span class="c"># Distributed scanning approach</span> nmap <span class="nt">-sS</span> <span class="nt">--randomize-hosts</span> <span class="nt">-oA</span> scan_batch_1 <span class="se">\</span> 192.168.1.1-50 nmap <span class="nt">-sS</span> <span class="nt">--randomize-hosts</span> <span class="nt">-oA</span> scan_batch_2 <span class="se">\</span> 192.168.1.51-100 </code></pre> </div> <h3> Service-Specific Deep Enumeration </h3> <p><strong>Web Services Deep Scan</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-p</span> 80,443,8080,8443 <span class="se">\</span> <span class="nt">--script</span> <span class="s2">"http-* and not http-brute and not http-slowloris*"</span> <span class="se">\</span> <span class="nt">--script-args</span> http.useragent<span class="o">=</span><span class="s2">"Mozilla/5.0 (compatible)"</span> <span class="se">\</span> 192.168.1.0/24 </code></pre> </div> <p><strong>Database Services</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-p</span> 1433,3306,5432,1521,27017 <span class="se">\</span> <span class="nt">--script</span> <span class="s2">"mysql-*,ms-sql-*,oracle-*,pgsql-*,mongodb-*"</span> <span class="se">\</span> 192.168.1.0/24 </code></pre> </div> <p><strong>Mail Services</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-p</span> 25,110,143,993,995 <span class="se">\</span> <span class="nt">--script</span> <span class="s2">"smtp-*,pop3-*,imap-*"</span> <span class="se">\</span> 192.168.1.0/24 </code></pre> </div> <h2> Output Formats and Reporting </h2> <p>Proper documentation is crucial for effective reconnaissance. Nmap supports multiple output formats.</p> <h3> Standard Output Formats </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Normal output (default)</span> nmap <span class="nt">-oN</span> scan_results.txt 192.168.1.100 <span class="c"># XML output</span> nmap <span class="nt">-oX</span> scan_results.xml 192.168.1.100 <span class="c"># Grepable output</span> nmap <span class="nt">-oG</span> scan_results.gnmap 192.168.1.100 <span class="c"># All formats</span> nmap <span class="nt">-oA</span> scan_results 192.168.1.100 </code></pre> </div> <h3> Advanced Output Options </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verbose output</span> nmap <span class="nt">-v</span> 192.168.1.100 <span class="c"># Extra verbose</span> nmap <span class="nt">-vv</span> 192.168.1.100 <span class="c"># Debugging output</span> nmap <span class="nt">-d</span> 192.168.1.100 <span class="c"># Packet trace</span> nmap <span class="nt">--packet-trace</span> 192.168.1.100 <span class="c"># Append to existing file</span> nmap <span class="nt">--append-output</span> <span class="nt">-oN</span> existing_file.txt 192.168.1.100 </code></pre> </div> <h3> Report Processing and Analysis </h3> <p><strong>XML to HTML Conversion</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Using xsltproc</span> xsltproc scan_results.xml <span class="o">&gt;</span> scan_results.html <span class="c"># Using Nmap's built-in XSL</span> xsltproc /usr/share/nmap/nmap.xsl scan_results.xml <span class="o">&gt;</span> report.html </code></pre> </div> <p><strong>Parsing Nmap Output with grep</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Extract open ports</span> <span class="nb">grep</span> <span class="s2">"open"</span> scan_results.gnmap <span class="c"># Find specific services</span> <span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"ssh</span><span class="se">\|</span><span class="s2">telnet</span><span class="se">\|</span><span class="s2">ftp"</span> scan_results.gnmap <span class="c"># Extract live hosts</span> <span class="nb">grep</span> <span class="s2">"Status: Up"</span> scan_results.gnmap | <span class="nb">cut</span> <span class="nt">-d</span><span class="s1">' '</span> <span class="nt">-f2</span> </code></pre> </div> <p><strong>Python Script for XML Parsing</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span><span class="kn">import</span> <span class="n">xml.etree.ElementTree</span> <span class="k">as</span> <span class="n">ET</span> <span class="kn">import</span> <span class="n">sys</span> <span class="k">def</span> <span class="nf">parse_nmap_xml</span><span class="p">(</span><span class="n">xml_file</span><span class="p">):</span> <span class="n">tree</span> <span class="o">=</span> <span class="n">ET</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="n">xml_file</span><span class="p">)</span> <span class="n">root</span> <span class="o">=</span> <span class="n">tree</span><span class="p">.</span><span class="nf">getroot</span><span class="p">()</span> <span class="n">results</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">host</span> <span class="ow">in</span> <span class="n">root</span><span class="p">.</span><span class="nf">findall</span><span class="p">(</span><span class="sh">'</span><span class="s">host</span><span class="sh">'</span><span class="p">):</span> <span class="c1"># Get host IP </span> <span class="n">ip</span> <span class="o">=</span> <span class="n">host</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="sh">'</span><span class="s">address</span><span class="sh">'</span><span class="p">).</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">addr</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Get hostname if available </span> <span class="n">hostname</span> <span class="o">=</span> <span class="sh">""</span> <span class="n">hostnames</span> <span class="o">=</span> <span class="n">host</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="sh">'</span><span class="s">hostnames</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">hostnames</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="n">hostname_elem</span> <span class="o">=</span> <span class="n">hostnames</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="sh">'</span><span class="s">hostname</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">hostname_elem</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="n">hostname</span> <span class="o">=</span> <span class="n">hostname_elem</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Get open ports </span> <span class="n">ports</span> <span class="o">=</span> <span class="n">host</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="sh">'</span><span class="s">ports</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">ports</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="k">for</span> <span class="n">port</span> <span class="ow">in</span> <span class="n">ports</span><span class="p">.</span><span class="nf">findall</span><span class="p">(</span><span class="sh">'</span><span class="s">port</span><span class="sh">'</span><span class="p">):</span> <span class="n">state</span> <span class="o">=</span> <span class="n">port</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="sh">'</span><span class="s">state</span><span class="sh">'</span><span class="p">).</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">state</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">state</span> <span class="o">==</span> <span class="sh">'</span><span class="s">open</span><span class="sh">'</span><span class="p">:</span> <span class="n">port_num</span> <span class="o">=</span> <span class="n">port</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">portid</span><span class="sh">'</span><span class="p">)</span> <span class="n">protocol</span> <span class="o">=</span> <span class="n">port</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">protocol</span><span class="sh">'</span><span class="p">)</span> <span class="n">service</span> <span class="o">=</span> <span class="n">port</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="sh">'</span><span class="s">service</span><span class="sh">'</span><span class="p">)</span> <span class="n">service_name</span> <span class="o">=</span> <span class="n">service</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">service</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> <span class="k">else</span> <span class="sh">'</span><span class="s">unknown</span><span class="sh">'</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">:</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">'</span><span class="s">hostname</span><span class="sh">'</span><span class="p">:</span> <span class="n">hostname</span><span class="p">,</span> <span class="sh">'</span><span class="s">port</span><span class="sh">'</span><span class="p">:</span> <span class="n">port_num</span><span class="p">,</span> <span class="sh">'</span><span class="s">protocol</span><span class="sh">'</span><span class="p">:</span> <span class="n">protocol</span><span class="p">,</span> <span class="sh">'</span><span class="s">service</span><span class="sh">'</span><span class="p">:</span> <span class="n">service_name</span> <span class="p">})</span> <span class="k">return</span> <span class="n">results</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">2</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Usage: python3 parse_nmap.py &lt;xml_file&gt;</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">results</span> <span class="o">=</span> <span class="nf">parse_nmap_xml</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="sh">'</span><span class="s">IP</span><span class="sh">'</span><span class="si">:</span><span class="o">&lt;</span><span class="mi">15</span><span class="si">}</span><span class="s"> </span><span class="si">{</span><span class="sh">'</span><span class="s">Hostname</span><span class="sh">'</span><span class="si">:</span><span class="o">&lt;</span><span class="mi">20</span><span class="si">}</span><span class="s"> </span><span class="si">{</span><span class="sh">'</span><span class="s">Port</span><span class="sh">'</span><span class="si">:</span><span class="o">&lt;</span><span class="mi">8</span><span class="si">}</span><span class="s"> </span><span class="si">{</span><span class="sh">'</span><span class="s">Protocol</span><span class="sh">'</span><span class="si">:</span><span class="o">&lt;</span><span class="mi">10</span><span class="si">}</span><span class="s"> </span><span class="si">{</span><span class="sh">'</span><span class="s">Service</span><span class="sh">'</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">-</span><span class="sh">"</span> <span class="o">*</span> <span class="mi">70</span><span class="p">)</span> <span class="k">for</span> <span class="n">result</span> <span class="ow">in</span> <span class="n">results</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">result</span><span class="p">[</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="o">&lt;</span><span class="mi">15</span><span class="si">}</span><span class="s"> </span><span class="si">{</span><span class="n">result</span><span class="p">[</span><span class="sh">'</span><span class="s">hostname</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="o">&lt;</span><span class="mi">20</span><span class="si">}</span><span class="s"> </span><span class="si">{</span><span class="n">result</span><span class="p">[</span><span class="sh">'</span><span class="s">port</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="o">&lt;</span><span class="mi">8</span><span class="si">}</span><span class="s"> </span><span class="si">{</span><span class="n">result</span><span class="p">[</span><span class="sh">'</span><span class="s">protocol</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="o">&lt;</span><span class="mi">10</span><span class="si">}</span><span class="s"> </span><span class="si">{</span><span class="n">result</span><span class="p">[</span><span class="sh">'</span><span class="s">service</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> Practical Reconnaissance Scenarios </h2> <h3> Internal Network Assessment </h3> <p><strong>Phase 1: Network Discovery</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Discover live hosts</span> nmap <span class="nt">-sn</span> 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 <span class="c"># ARP scan for local segment</span> nmap <span class="nt">-PR</span> 192.168.1.0/24 </code></pre> </div> <p><strong>Phase 2: Port Scanning</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Quick port scan of common services</span> nmap <span class="nt">-sS</span> <span class="nt">--top-ports</span> 1000 <span class="nt">-T4</span> <span class="nt">-oA</span> quick_scan target_list.txt <span class="c"># Comprehensive scan of discovered hosts</span> nmap <span class="nt">-sS</span> <span class="nt">-sU</span> <span class="nt">-p-</span> <span class="nt">-A</span> <span class="nt">-T4</span> <span class="nt">-oA</span> comprehensive_scan target_list.txt </code></pre> </div> <p><strong>Phase 3: Service Enumeration</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deep service analysis</span> nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-p-</span> <span class="nt">-A</span> <span class="nt">--script</span> <span class="s2">"not brute and not dos and not exploit"</span> <span class="se">\</span> <span class="nt">-oA</span> service_enum target_list.txt </code></pre> </div> <h3> External Perimeter Assessment </h3> <p><strong>Phase 1: Reconnaissance</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># DNS enumeration</span> nmap <span class="nt">-sL</span> target_domain.com <span class="c"># Subdomain discovery</span> nmap <span class="nt">--script</span> dns-brute target_domain.com </code></pre> </div> <p><strong>Phase 2: Port Scanning</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Stealthy external scan</span> nmap <span class="nt">-sS</span> <span class="nt">-T2</span> <span class="nt">-f</span> <span class="nt">--randomize-hosts</span> <span class="se">\</span> <span class="nt">--source-port</span> 53 <span class="nt">-oA</span> external_scan <span class="se">\</span> target_ranges.txt </code></pre> </div> <p><strong>Phase 3: Service Identification</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Web service enumeration</span> nmap <span class="nt">-p</span> 80,443,8080,8443 <span class="se">\</span> <span class="nt">--script</span> http-enum,http-headers,http-methods,ssl-enum-ciphers <span class="se">\</span> <span class="nt">-oA</span> web_services target_list.txt </code></pre> </div> <h3> Vulnerability Assessment Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Comprehensive vulnerability scan</span> nmap <span class="nt">-sV</span> <span class="nt">--script</span> <span class="s2">"vuln and not (dos or exploit or brute)"</span> <span class="se">\</span> <span class="nt">--script-args</span> vulns.showall <span class="se">\</span> <span class="nt">-oA</span> vuln_assessment target_list.txt <span class="c"># Specific vulnerability checks</span> nmap <span class="nt">--script</span> ms17-010,eternal-blue,heartbleed,poodle <span class="se">\</span> <span class="nt">-p</span> 445,443 target_list.txt </code></pre> </div> <h2> Integration with Other Tools </h2> <h3> Metasploit Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Export Nmap results to Metasploit</span> db_import scan_results.xml <span class="c"># Use Nmap from within Metasploit</span> db_nmap <span class="nt">-sS</span> <span class="nt">-A</span> 192.168.1.0/24 </code></pre> </div> <h3> Nessus Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Import Nmap results into Nessus</span> <span class="c"># Export as XML and import through Nessus interface</span> <span class="c"># Use Nmap for host discovery, Nessus for vulnerability assessment</span> nmap <span class="nt">-sn</span> 192.168.1.0/24 <span class="nt">-oG</span> live_hosts.txt </code></pre> </div> <h3> Custom Tool Integration </h3> <p><strong>Bash Script for Automated Reconnaissance</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># automated_recon.sh</span> <span class="nv">TARGET</span><span class="o">=</span><span class="nv">$1</span> <span class="nv">OUTPUT_DIR</span><span class="o">=</span><span class="s2">"recon_</span><span class="si">$(</span><span class="nb">date</span> +%Y%m%d_%H%M%S<span class="si">)</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$TARGET</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Usage: </span><span class="nv">$0</span><span class="s2"> &lt;target&gt;"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$OUTPUT_DIR</span><span class="s2">"</span> <span class="nb">cd</span> <span class="s2">"</span><span class="nv">$OUTPUT_DIR</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"[+] Starting reconnaissance of </span><span class="nv">$TARGET</span><span class="s2">"</span> <span class="c"># Phase 1: Host Discovery</span> <span class="nb">echo</span> <span class="s2">"[+] Phase 1: Host Discovery"</span> nmap <span class="nt">-sn</span> <span class="s2">"</span><span class="nv">$TARGET</span><span class="s2">"</span> <span class="nt">-oA</span> host_discovery <span class="c"># Extract live hosts</span> <span class="nb">grep</span> <span class="s2">"Status: Up"</span> host_discovery.gnmap | <span class="nb">cut</span> <span class="nt">-d</span><span class="s1">' '</span> <span class="nt">-f2</span> <span class="o">&gt;</span> live_hosts.txt <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-s</span> live_hosts.txt <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[-] No live hosts found"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"[+] Found </span><span class="si">$(</span><span class="nb">wc</span> <span class="nt">-l</span> &lt; live_hosts.txt<span class="si">)</span><span class="s2"> live hosts"</span> <span class="c"># Phase 2: Port Scanning</span> <span class="nb">echo</span> <span class="s2">"[+] Phase 2: Port Scanning"</span> nmap <span class="nt">-sS</span> <span class="nt">--top-ports</span> 1000 <span class="nt">-T4</span> <span class="nt">-iL</span> live_hosts.txt <span class="nt">-oA</span> port_scan <span class="c"># Phase 3: Service Detection</span> <span class="nb">echo</span> <span class="s2">"[+] Phase 3: Service Detection"</span> nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-iL</span> live_hosts.txt <span class="nt">-oA</span> service_detection <span class="c"># Phase 4: Vulnerability Assessment</span> <span class="nb">echo</span> <span class="s2">"[+] Phase 4: Vulnerability Assessment"</span> nmap <span class="nt">--script</span> vuln <span class="nt">-iL</span> live_hosts.txt <span class="nt">-oA</span> vulnerability_scan <span class="c"># Generate summary report</span> <span class="nb">echo</span> <span class="s2">"[+] Generating summary report"</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"Reconnaissance Summary Report"</span> <span class="nb">echo</span> <span class="s2">"============================="</span> <span class="nb">echo</span> <span class="s2">"Target: </span><span class="nv">$TARGET</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Date: </span><span class="si">$(</span><span class="nb">date</span><span class="si">)</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"Live Hosts: </span><span class="si">$(</span><span class="nb">wc</span> <span class="nt">-l</span> &lt; live_hosts.txt<span class="si">)</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"Open Ports Summary:"</span> <span class="nb">grep</span> <span class="s2">"open"</span> port_scan.gnmap | <span class="nb">cut</span> <span class="nt">-d</span><span class="s1">' '</span> <span class="nt">-f3</span> | <span class="nb">sort</span> | <span class="nb">uniq</span> <span class="nt">-c</span> | <span class="nb">sort</span> <span class="nt">-nr</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"Services Detected:"</span> <span class="nb">grep</span> <span class="nt">-oP</span> <span class="s1">'\d+/tcp\s+open\s+\K\S+'</span> service_detection.nmap | <span class="nb">sort</span> | <span class="nb">uniq</span> <span class="nt">-c</span> | <span class="nb">sort</span> <span class="nt">-nr</span> <span class="o">}</span> <span class="o">&gt;</span> summary_report.txt <span class="nb">echo</span> <span class="s2">"[+] Reconnaissance complete. Results saved in </span><span class="nv">$OUTPUT_DIR</span><span class="s2">/"</span> </code></pre> </div> <h2> Performance Optimization </h2> <h3> Timing Optimization </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Optimized scanning for different scenarios</span> <span class="c"># Fast internal network scan</span> nmap <span class="nt">-sS</span> <span class="nt">-T4</span> <span class="nt">--min-hostgroup</span> 50 <span class="nt">--max-rtt-timeout</span> 100ms <span class="se">\</span> <span class="nt">--initial-rtt-timeout</span> 50ms <span class="nt">--max-retries</span> 1 <span class="se">\</span> <span class="nt">--top-ports</span> 100 192.168.1.0/24 <span class="c"># Stealth external scan</span> nmap <span class="nt">-sS</span> <span class="nt">-T1</span> <span class="nt">--scan-delay</span> 5s <span class="nt">--max-scan-delay</span> 10s <span class="se">\</span> <span class="nt">--randomize-hosts</span> target_list.txt <span class="c"># Balanced comprehensive scan</span> nmap <span class="nt">-sS</span> <span class="nt">-T3</span> <span class="nt">--min-hostgroup</span> 10 <span class="nt">--max-rtt-timeout</span> 500ms <span class="se">\</span> <span class="nt">--max-retries</span> 2 <span class="nt">-p-</span> target_list.txt </code></pre> </div> <h3> Resource Management </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Memory optimization for large scans</span> <span class="nb">ulimit</span> <span class="nt">-n</span> 65536 <span class="c"># Increase file descriptor limit</span> <span class="c"># Parallel scanning with GNU parallel</span> parallel <span class="nt">-j</span> 4 <span class="s2">"nmap -sS -T4 --top-ports 1000 -oA scan_{} {}"</span> <span class="se">\</span> ::: 192.168.1.0/26 192.168.1.64/26 192.168.1.128/26 192.168.1.192/26 <span class="c"># Distributed scanning</span> nmap <span class="nt">--shard</span> 1/4 <span class="nt">-sS</span> target_range <span class="c"># Scanner 1 of 4</span> nmap <span class="nt">--shard</span> 2/4 <span class="nt">-sS</span> target_range <span class="c"># Scanner 2 of 4</span> </code></pre> </div> <h2> Security Considerations and Best Practices </h2> <h3> Legal and Ethical Guidelines </h3> <p><strong>Always Obtain Authorization</strong>: Never scan networks or systems without explicit written permission. This includes:</p> <ul> <li>Corporate networks (require written authorization from network owners)</li> <li>Cloud services (check terms of service)</li> <li>Educational environments (obtain permission from IT departments)</li> <li>Internet-facing services (ensure you have legal authority)</li> </ul> <p><strong>Responsible Disclosure</strong>: When vulnerabilities are discovered:</p> <ul> <li>Document findings professionally</li> <li>Report to appropriate parties</li> <li>Allow reasonable time for remediation</li> <li>Avoid public disclosure until patches are available</li> </ul> <p><strong>Rate Limiting and Impact Minimization</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Use conservative timing to avoid service disruption</span> nmap <span class="nt">-T2</span> <span class="nt">--scan-delay</span> 1s target <span class="c"># Limit concurrent connections</span> nmap <span class="nt">--max-parallelism</span> 10 target <span class="c"># Avoid DoS-prone scripts</span> nmap <span class="nt">--script</span> <span class="s2">"safe and not dos"</span> target </code></pre> </div> <h3> Operational Security (OpSec) </h3> <p><strong>Log Management</strong>: Nmap activities are typically logged by target systems:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Review local logs after scanning</span> <span class="nb">tail</span> <span class="nt">-f</span> /var/log/nmap.log <span class="c"># Use decoy scans to obscure origin</span> nmap <span class="nt">-D</span> RND:5 target </code></pre> </div> <p><strong>Network Segmentation</strong>: Conduct scans from appropriate network segments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Use jump boxes or dedicated scanning systems</span> ssh jump_box <span class="s2">"nmap -sS target_network"</span> </code></pre> </div> <p><strong>Data Protection</strong>: Secure scan results:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Encrypt sensitive scan results</span> gpg <span class="nt">--cipher-algo</span> AES256 <span class="nt">--compress-algo</span> 1 <span class="nt">--symmetric</span> scan_results.xml <span class="c"># Use secure file transfer</span> scp scan_results.xml.gpg secure_server:/encrypted_storage/ </code></pre> </div> <h2> Advanced Topics and Automation </h2> <h3> Custom NSE Script Development </h3> <p><strong>Advanced Script Example</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight lua"><code><span class="c1">-- Advanced service enumeration script</span> <span class="kd">local</span> <span class="n">nmap</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">"nmap"</span> <span class="kd">local</span> <span class="n">shortport</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">"shortport"</span> <span class="kd">local</span> <span class="n">http</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">"http"</span> <span class="kd">local</span> <span class="n">stdnse</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">"stdnse"</span> <span class="kd">local</span> <span class="n">json</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">"json"</span> <span class="n">description</span> <span class="o">=</span> <span class="s">[[ Advanced HTTP service fingerprinting with technology stack detection. ]]</span> <span class="n">author</span> <span class="o">=</span> <span class="s2">"Security Researcher"</span> <span class="n">license</span> <span class="o">=</span> <span class="s2">"Same as Nmap"</span> <span class="n">categories</span> <span class="o">=</span> <span class="p">{</span><span class="s2">"safe"</span><span class="p">,</span> <span class="s2">"discovery"</span><span class="p">,</span> <span class="s2">"version"</span><span class="p">}</span> <span class="n">portrule</span> <span class="o">=</span> <span class="n">shortport</span><span class="p">.</span><span class="n">http</span> <span class="n">action</span> <span class="o">=</span> <span class="k">function</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="kd">local</span> <span class="n">results</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1">-- Basic HTTP request</span> <span class="kd">local</span> <span class="n">response</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">,</span> <span class="s2">"/"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">response</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">response</span><span class="p">.</span><span class="n">status</span> <span class="k">then</span> <span class="k">return</span> <span class="kc">nil</span> <span class="k">end</span> <span class="n">results</span><span class="p">[</span><span class="s2">"status"</span><span class="p">]</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="n">status</span> <span class="c1">-- Server header analysis</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">header</span> <span class="ow">and</span> <span class="n">response</span><span class="p">.</span><span class="n">header</span><span class="p">[</span><span class="s2">"server"</span><span class="p">]</span> <span class="k">then</span> <span class="n">results</span><span class="p">[</span><span class="s2">"server"</span><span class="p">]</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="n">header</span><span class="p">[</span><span class="s2">"server"</span><span class="p">]</span> <span class="k">end</span> <span class="c1">-- Technology stack detection</span> <span class="kd">local</span> <span class="n">technologies</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1">-- Check for common frameworks</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">body</span> <span class="k">then</span> <span class="k">if</span> <span class="nb">string.match</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">body</span><span class="p">,</span> <span class="s2">"wp%-content"</span><span class="p">)</span> <span class="k">then</span> <span class="nb">table.insert</span><span class="p">(</span><span class="n">technologies</span><span class="p">,</span> <span class="s2">"WordPress"</span><span class="p">)</span> <span class="k">end</span> <span class="k">if</span> <span class="nb">string.match</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">body</span><span class="p">,</span> <span class="s2">"Powered by Drupal"</span><span class="p">)</span> <span class="k">then</span> <span class="nb">table.insert</span><span class="p">(</span><span class="n">technologies</span><span class="p">,</span> <span class="s2">"Drupal"</span><span class="p">)</span> <span class="k">end</span> <span class="k">if</span> <span class="nb">string.match</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">body</span><span class="p">,</span> <span class="s2">"X%-Powered%-By.*PHP"</span><span class="p">)</span> <span class="k">then</span> <span class="nb">table.insert</span><span class="p">(</span><span class="n">technologies</span><span class="p">,</span> <span class="s2">"PHP"</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> <span class="k">if</span> <span class="o">#</span><span class="n">technologies</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="k">then</span> <span class="n">results</span><span class="p">[</span><span class="s2">"technologies"</span><span class="p">]</span> <span class="o">=</span> <span class="n">technologies</span> <span class="k">end</span> <span class="c1">-- Security headers check</span> <span class="kd">local</span> <span class="n">security_headers</span> <span class="o">=</span> <span class="p">{}</span> <span class="kd">local</span> <span class="n">headers_to_check</span> <span class="o">=</span> <span class="p">{</span> <span class="s2">"x-frame-options"</span><span class="p">,</span> <span class="s2">"x-xss-protection"</span><span class="p">,</span> <span class="s2">"x-content-type-options"</span><span class="p">,</span> <span class="s2">"strict-transport-security"</span><span class="p">,</span> <span class="s2">"content-security-policy"</span> <span class="p">}</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">header</span> <span class="k">in</span> <span class="nb">ipairs</span><span class="p">(</span><span class="n">headers_to_check</span><span class="p">)</span> <span class="k">do</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">header</span><span class="p">[</span><span class="n">header</span><span class="p">]</span> <span class="k">then</span> <span class="n">security_headers</span><span class="p">[</span><span class="n">header</span><span class="p">]</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="n">header</span><span class="p">[</span><span class="n">header</span><span class="p">]</span> <span class="k">end</span> <span class="k">end</span> <span class="k">if</span> <span class="nb">next</span><span class="p">(</span><span class="n">security_headers</span><span class="p">)</span> <span class="k">then</span> <span class="n">results</span><span class="p">[</span><span class="s2">"security_headers"</span><span class="p">]</span> <span class="o">=</span> <span class="n">security_headers</span> <span class="k">end</span> <span class="k">return</span> <span class="n">stdnse</span><span class="p">.</span><span class="n">format_output</span><span class="p">(</span><span class="kc">true</span><span class="p">,</span> <span class="n">results</span><span class="p">)</span> <span class="k">end</span> </code></pre> </div> <h3> API Integration and Automation </h3> <p><strong>REST API Integration Script</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span><span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">xml.etree.ElementTree</span> <span class="k">as</span> <span class="n">ET</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="k">class</span> <span class="nc">NmapAPI</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">api_endpoint</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">api_key</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">api_endpoint</span> <span class="o">=</span> <span class="n">api_endpoint</span> <span class="n">self</span><span class="p">.</span><span class="n">api_key</span> <span class="o">=</span> <span class="n">api_key</span> <span class="k">def</span> <span class="nf">run_scan</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">targets</span><span class="p">,</span> <span class="n">scan_type</span><span class="o">=</span><span class="sh">"</span><span class="s">comprehensive</span><span class="sh">"</span><span class="p">,</span> <span class="n">output_format</span><span class="o">=</span><span class="sh">"</span><span class="s">json</span><span class="sh">"</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Execute Nmap scan and return structured results</span><span class="sh">"""</span> <span class="n">scan_configs</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">quick</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">-sS --top-ports 100 -T4</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">comprehensive</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">-sS -sV -sC -O -A --script </span><span class="sh">'</span><span class="s">not brute and not dos</span><span class="sh">'"</span><span class="p">,</span> <span class="sh">"</span><span class="s">stealth</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">-sS -T2 -f --source-port 53</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">vulnerability</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">--script vuln</span><span class="sh">"</span> <span class="p">}</span> <span class="n">nmap_args</span> <span class="o">=</span> <span class="n">scan_configs</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">scan_type</span><span class="p">,</span> <span class="n">scan_configs</span><span class="p">[</span><span class="sh">"</span><span class="s">comprehensive</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Construct Nmap command </span> <span class="n">cmd</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">nmap </span><span class="si">{</span><span class="n">nmap_args</span><span class="si">}</span><span class="s"> -oX - </span><span class="si">{</span><span class="n">targets</span><span class="si">}</span><span class="sh">"</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Execute scan </span> <span class="n">process</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nc">Popen</span><span class="p">(</span> <span class="n">cmd</span><span class="p">.</span><span class="nf">split</span><span class="p">(),</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">,</span> <span class="n">stderr</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="n">stdout</span><span class="p">,</span> <span class="n">stderr</span> <span class="o">=</span> <span class="n">process</span><span class="p">.</span><span class="nf">communicate</span><span class="p">()</span> <span class="k">if</span> <span class="n">process</span><span class="p">.</span><span class="n">returncode</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">Exception</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Nmap execution failed: </span><span class="si">{</span><span class="n">stderr</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Parse XML output </span> <span class="n">results</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">parse_xml_output</span><span class="p">(</span><span class="n">stdout</span><span class="p">)</span> <span class="c1"># Send to API if configured </span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">api_endpoint</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_to_api</span><span class="p">(</span><span class="n">results</span><span class="p">)</span> <span class="k">return</span> <span class="n">results</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Scan failed: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">def</span> <span class="nf">parse_xml_output</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">xml_output</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Parse Nmap XML output into structured format</span><span class="sh">"""</span> <span class="n">root</span> <span class="o">=</span> <span class="n">ET</span><span class="p">.</span><span class="nf">fromstring</span><span class="p">(</span><span class="n">xml_output</span><span class="p">)</span> <span class="n">scan_info</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">scan_time</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">"</span><span class="s">scanner_version</span><span class="sh">"</span><span class="p">:</span> <span class="n">root</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">hosts</span><span class="sh">"</span><span class="p">:</span> <span class="p">[]</span> <span class="p">}</span> <span class="k">for</span> <span class="n">host</span> <span class="ow">in</span> <span class="n">root</span><span class="p">.</span><span class="nf">findall</span><span class="p">(</span><span class="sh">"</span><span class="s">host</span><span class="sh">"</span><span class="p">):</span> <span class="n">host_info</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">ip</span><span class="sh">"</span><span class="p">:</span> <span class="n">host</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="sh">"</span><span class="s">address</span><span class="sh">"</span><span class="p">).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">addr</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="n">host</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">state</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">hostnames</span><span class="sh">"</span><span class="p">:</span> <span class="p">[],</span> <span class="sh">"</span><span class="s">ports</span><span class="sh">"</span><span class="p">:</span> <span class="p">[],</span> <span class="sh">"</span><span class="s">os_matches</span><span class="sh">"</span><span class="p">:</span> <span class="p">[]</span> <span class="p">}</span> <span class="c1"># Extract hostnames </span> <span class="n">hostnames_elem</span> <span class="o">=</span> <span class="n">host</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="sh">"</span><span class="s">hostnames</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">hostnames_elem</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="k">for</span> <span class="n">hostname</span> <span class="ow">in</span> <span class="n">hostnames_elem</span><span class="p">.</span><span class="nf">findall</span><span class="p">(</span><span class="sh">"</span><span class="s">hostname</span><span class="sh">"</span><span class="p">):</span> <span class="n">host_info</span><span class="p">[</span><span class="sh">"</span><span class="s">hostnames</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">hostname</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="n">hostname</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">)</span> <span class="p">})</span> <span class="c1"># Extract ports </span> <span class="n">ports_elem</span> <span class="o">=</span> <span class="n">host</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="sh">"</span><span class="s">ports</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">ports_elem</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="k">for</span> <span class="n">port</span> <span class="ow">in</span> <span class="n">ports_elem</span><span class="p">.</span><span class="nf">findall</span><span class="p">(</span><span class="sh">"</span><span class="s">port</span><span class="sh">"</span><span class="p">):</span> <span class="n">port_info</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">port</span><span class="sh">"</span><span class="p">:</span> <span class="nf">int</span><span class="p">(</span><span class="n">port</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">portid</span><span class="sh">"</span><span class="p">)),</span> <span class="sh">"</span><span class="s">protocol</span><span class="sh">"</span><span class="p">:</span> <span class="n">port</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">protocol</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">state</span><span class="sh">"</span><span class="p">:</span> <span class="n">port</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="sh">"</span><span class="s">state</span><span class="sh">"</span><span class="p">).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">state</span><span class="sh">"</span><span class="p">)</span> <span class="p">}</span> <span class="c1"># Service information </span> <span class="n">service_elem</span> <span class="o">=</span> <span class="n">port</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="sh">"</span><span class="s">service</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">service_elem</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="n">port_info</span><span class="p">[</span><span class="sh">"</span><span class="s">service</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">service_elem</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">product</span><span class="sh">"</span><span class="p">:</span> <span class="n">service_elem</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">product</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="n">service_elem</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">extrainfo</span><span class="sh">"</span><span class="p">:</span> <span class="n">service_elem</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">extrainfo</span><span class="sh">"</span><span class="p">)</span> <span class="p">}</span> <span class="c1"># Script results </span> <span class="n">scripts</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">script</span> <span class="ow">in</span> <span class="n">port</span><span class="p">.</span><span class="nf">findall</span><span class="p">(</span><span class="sh">"</span><span class="s">script</span><span class="sh">"</span><span class="p">):</span> <span class="n">scripts</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">script</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">output</span><span class="sh">"</span><span class="p">:</span> <span class="n">script</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">output</span><span class="sh">"</span><span class="p">)</span> <span class="p">})</span> <span class="k">if</span> <span class="n">scripts</span><span class="p">:</span> <span class="n">port_info</span><span class="p">[</span><span class="sh">"</span><span class="s">scripts</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">scripts</span> <span class="n">host_info</span><span class="p">[</span><span class="sh">"</span><span class="s">ports</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">port_info</span><span class="p">)</span> <span class="c1"># OS detection </span> <span class="n">os_elem</span> <span class="o">=</span> <span class="n">host</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="sh">"</span><span class="s">os</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">os_elem</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="k">for</span> <span class="n">osmatch</span> <span class="ow">in</span> <span class="n">os_elem</span><span class="p">.</span><span class="nf">findall</span><span class="p">(</span><span class="sh">"</span><span class="s">osmatch</span><span class="sh">"</span><span class="p">):</span> <span class="n">host_info</span><span class="p">[</span><span class="sh">"</span><span class="s">os_matches</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">osmatch</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">accuracy</span><span class="sh">"</span><span class="p">:</span> <span class="nf">int</span><span class="p">(</span><span class="n">osmatch</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">accuracy</span><span class="sh">"</span><span class="p">))</span> <span class="p">})</span> <span class="n">scan_info</span><span class="p">[</span><span class="sh">"</span><span class="s">hosts</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">host_info</span><span class="p">)</span> <span class="k">return</span> <span class="n">scan_info</span> <span class="k">def</span> <span class="nf">send_to_api</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">results</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Send results to external API</span><span class="sh">"""</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Bearer </span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">api_key</span><span class="si">}</span><span class="sh">"</span> <span class="p">}</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">api_endpoint</span><span class="si">}</span><span class="s">/scan-results</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">results</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">30</span> <span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Results successfully sent to API</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to send results to API: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">generate_report</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">results</span><span class="p">,</span> <span class="n">format_type</span><span class="o">=</span><span class="sh">"</span><span class="s">markdown</span><span class="sh">"</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Generate formatted report from scan results</span><span class="sh">"""</span> <span class="k">if</span> <span class="n">format_type</span> <span class="o">==</span> <span class="sh">"</span><span class="s">markdown</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="nf">_generate_markdown_report</span><span class="p">(</span><span class="n">results</span><span class="p">)</span> <span class="k">elif</span> <span class="n">format_type</span> <span class="o">==</span> <span class="sh">"</span><span class="s">html</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="nf">_generate_html_report</span><span class="p">(</span><span class="n">results</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">results</span><span class="p">,</span> <span class="n">indent</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_generate_markdown_report</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">results</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Generate Markdown report</span><span class="sh">"""</span> <span class="n">report</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s"># Network Scan Report **Scan Time:** </span><span class="si">{</span><span class="n">results</span><span class="p">[</span><span class="sh">'</span><span class="s">scan_time</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> **Scanner Version:** </span><span class="si">{</span><span class="n">results</span><span class="p">[</span><span class="sh">'</span><span class="s">scanner_version</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> **Total Hosts:** </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">results</span><span class="p">[</span><span class="sh">'</span><span class="s">hosts</span><span class="sh">'</span><span class="p">])</span><span class="si">}</span><span class="s"> ## Summary </span><span class="sh">"""</span> <span class="n">alive_hosts</span> <span class="o">=</span> <span class="p">[</span><span class="n">h</span> <span class="k">for</span> <span class="n">h</span> <span class="ow">in</span> <span class="n">results</span><span class="p">[</span><span class="sh">'</span><span class="s">hosts</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="n">h</span><span class="p">[</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">up</span><span class="sh">'</span><span class="p">]</span> <span class="n">report</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">- **Live Hosts:** </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">alive_hosts</span><span class="p">)</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="n">total_ports</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="nf">len</span><span class="p">(</span><span class="n">h</span><span class="p">[</span><span class="sh">'</span><span class="s">ports</span><span class="sh">'</span><span class="p">])</span> <span class="k">for</span> <span class="n">h</span> <span class="ow">in</span> <span class="n">alive_hosts</span><span class="p">)</span> <span class="n">open_ports</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="nf">len</span><span class="p">([</span><span class="n">p</span> <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">h</span><span class="p">[</span><span class="sh">'</span><span class="s">ports</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="n">p</span><span class="p">[</span><span class="sh">'</span><span class="s">state</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">open</span><span class="sh">'</span><span class="p">])</span> <span class="k">for</span> <span class="n">h</span> <span class="ow">in</span> <span class="n">alive_hosts</span><span class="p">)</span> <span class="n">report</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">- **Total Ports Scanned:** </span><span class="si">{</span><span class="n">total_ports</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="n">report</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">- **Open Ports Found:** </span><span class="si">{</span><span class="n">open_ports</span><span class="si">}</span><span class="se">\n\n</span><span class="sh">"</span> <span class="c1"># Host details </span> <span class="k">for</span> <span class="n">host</span> <span class="ow">in</span> <span class="n">alive_hosts</span><span class="p">:</span> <span class="n">report</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">## Host: </span><span class="si">{</span><span class="n">host</span><span class="p">[</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="se">\n\n</span><span class="sh">"</span> <span class="k">if</span> <span class="n">host</span><span class="p">[</span><span class="sh">'</span><span class="s">hostnames</span><span class="sh">'</span><span class="p">]:</span> <span class="n">report</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">**Hostnames:**</span><span class="se">\n</span><span class="sh">"</span> <span class="k">for</span> <span class="n">hostname</span> <span class="ow">in</span> <span class="n">host</span><span class="p">[</span><span class="sh">'</span><span class="s">hostnames</span><span class="sh">'</span><span class="p">]:</span> <span class="n">report</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">- </span><span class="si">{</span><span class="n">hostname</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> (</span><span class="si">{</span><span class="n">hostname</span><span class="p">[</span><span class="sh">'</span><span class="s">type</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">)</span><span class="se">\n</span><span class="sh">"</span> <span class="n">report</span> <span class="o">+=</span> <span class="sh">"</span><span class="se">\n</span><span class="sh">"</span> <span class="k">if</span> <span class="n">host</span><span class="p">[</span><span class="sh">'</span><span class="s">os_matches</span><span class="sh">'</span><span class="p">]:</span> <span class="n">report</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">**Operating System:**</span><span class="se">\n</span><span class="sh">"</span> <span class="k">for</span> <span class="n">os_match</span> <span class="ow">in</span> <span class="n">host</span><span class="p">[</span><span class="sh">'</span><span class="s">os_matches</span><span class="sh">'</span><span class="p">][:</span><span class="mi">3</span><span class="p">]:</span> <span class="c1"># Top 3 matches </span> <span class="n">report</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">- </span><span class="si">{</span><span class="n">os_match</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> (</span><span class="si">{</span><span class="n">os_match</span><span class="p">[</span><span class="sh">'</span><span class="s">accuracy</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">% accuracy)</span><span class="se">\n</span><span class="sh">"</span> <span class="n">report</span> <span class="o">+=</span> <span class="sh">"</span><span class="se">\n</span><span class="sh">"</span> <span class="n">open_ports</span> <span class="o">=</span> <span class="p">[</span><span class="n">p</span> <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">host</span><span class="p">[</span><span class="sh">'</span><span class="s">ports</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="n">p</span><span class="p">[</span><span class="sh">'</span><span class="s">state</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">open</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="n">open_ports</span><span class="p">:</span> <span class="n">report</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">**Open Ports:**</span><span class="se">\n\n</span><span class="sh">"</span> <span class="n">report</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">| Port | Protocol | Service | Version |</span><span class="se">\n</span><span class="sh">"</span> <span class="n">report</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">|------|----------|---------|----------|</span><span class="se">\n</span><span class="sh">"</span> <span class="k">for</span> <span class="n">port</span> <span class="ow">in</span> <span class="n">open_ports</span><span class="p">:</span> <span class="n">service_info</span> <span class="o">=</span> <span class="sh">""</span> <span class="k">if</span> <span class="sh">'</span><span class="s">service</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">port</span> <span class="ow">and</span> <span class="n">port</span><span class="p">[</span><span class="sh">'</span><span class="s">service</span><span class="sh">'</span><span class="p">]:</span> <span class="n">service</span> <span class="o">=</span> <span class="n">port</span><span class="p">[</span><span class="sh">'</span><span class="s">service</span><span class="sh">'</span><span class="p">]</span> <span class="n">service_info</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">service</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">unknown</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span> <span class="k">if</span> <span class="n">service</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">product</span><span class="sh">'</span><span class="p">):</span> <span class="n">service_info</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s"> (</span><span class="si">{</span><span class="n">service</span><span class="p">[</span><span class="sh">'</span><span class="s">product</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="k">if</span> <span class="n">service</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">version</span><span class="sh">'</span><span class="p">):</span> <span class="n">service_info</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s"> </span><span class="si">{</span><span class="n">service</span><span class="p">[</span><span class="sh">'</span><span class="s">version</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="n">service_info</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">)</span><span class="sh">"</span> <span class="n">report</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">| </span><span class="si">{</span><span class="n">port</span><span class="p">[</span><span class="sh">'</span><span class="s">port</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> | </span><span class="si">{</span><span class="n">port</span><span class="p">[</span><span class="sh">'</span><span class="s">protocol</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> | </span><span class="si">{</span><span class="n">service_info</span><span class="si">}</span><span class="s"> | |</span><span class="se">\n</span><span class="sh">"</span> <span class="n">report</span> <span class="o">+=</span> <span class="sh">"</span><span class="se">\n</span><span class="sh">"</span> <span class="c1"># Script results </span> <span class="n">scripts_found</span> <span class="o">=</span> <span class="bp">False</span> <span class="k">for</span> <span class="n">port</span> <span class="ow">in</span> <span class="n">open_ports</span><span class="p">:</span> <span class="k">if</span> <span class="sh">'</span><span class="s">scripts</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">port</span><span class="p">:</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">scripts_found</span><span class="p">:</span> <span class="n">report</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">**Script Results:**</span><span class="se">\n\n</span><span class="sh">"</span> <span class="n">scripts_found</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">report</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">### Port </span><span class="si">{</span><span class="n">port</span><span class="p">[</span><span class="sh">'</span><span class="s">port</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">port</span><span class="p">[</span><span class="sh">'</span><span class="s">protocol</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="se">\n\n</span><span class="sh">"</span> <span class="k">for</span> <span class="n">script</span> <span class="ow">in</span> <span class="n">port</span><span class="p">[</span><span class="sh">'</span><span class="s">scripts</span><span class="sh">'</span><span class="p">]:</span> <span class="n">report</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">**</span><span class="si">{</span><span class="n">script</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">:**</span><span class="se">\n</span><span class="s">``` </span><span class="si">{</span><span class="o">%</span> <span class="n">endraw</span> <span class="o">%</span><span class="si">}</span><span class="s"> </span><span class="se">\n</span><span class="si">{</span><span class="n">script</span><span class="p">[</span><span class="sh">'</span><span class="s">output</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="se">\n</span><span class="s"> </span><span class="si">{</span><span class="o">%</span> <span class="n">raw</span> <span class="o">%</span><span class="si">}</span><span class="s"> ```</span><span class="se">\n\n</span><span class="sh">"</span> <span class="k">return</span> <span class="n">report</span> <span class="k">def</span> <span class="nf">_generate_html_report</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">results</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Generate HTML report</span><span class="sh">"""</span> <span class="n">html_template</span> <span class="o">=</span> <span class="sh">"""</span><span class="s">&lt;!DOCTYPE html&gt; &lt;html&gt; &lt;head&gt; &lt;title&gt;Network Scan Report&lt;/title&gt; &lt;style&gt; body { font-family: Arial, sans-serif; margin: 20px; } .header { background-color: #f0f0f0; padding: 20px; border-radius: 5px; } .host { border: 1px solid #ddd; margin: 20px 0; padding: 15px; border-radius: 5px; } .port-table { width: 100%; border-collapse: collapse; margin: 10px 0; } .port-table th, .port-table td { border: 1px solid #ddd; padding: 8px; text-align: left; } .port-table th { background-color: #f2f2f2; } .script-output { background-color: #f8f8f8; padding: 10px; border-left: 4px solid #007cba; margin: 10px 0; } &lt;/style&gt; &lt;/head&gt; &lt;body&gt; &lt;div class=</span><span class="sh">"</span><span class="s">header</span><span class="sh">"</span><span class="s">&gt; &lt;h1&gt;Network Scan Report&lt;/h1&gt; &lt;p&gt;&lt;strong&gt;Scan Time:&lt;/strong&gt; {scan_time}&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Scanner Version:&lt;/strong&gt; {scanner_version}&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Total Hosts:&lt;/strong&gt; {total_hosts}&lt;/p&gt; &lt;/div&gt; </span><span class="sh">"""</span><span class="p">.</span><span class="nf">format</span><span class="p">(</span> <span class="n">scan_time</span><span class="o">=</span><span class="n">results</span><span class="p">[</span><span class="sh">'</span><span class="s">scan_time</span><span class="sh">'</span><span class="p">],</span> <span class="n">scanner_version</span><span class="o">=</span><span class="n">results</span><span class="p">[</span><span class="sh">'</span><span class="s">scanner_version</span><span class="sh">'</span><span class="p">],</span> <span class="n">total_hosts</span><span class="o">=</span><span class="nf">len</span><span class="p">(</span><span class="n">results</span><span class="p">[</span><span class="sh">'</span><span class="s">hosts</span><span class="sh">'</span><span class="p">])</span> <span class="p">)</span> <span class="n">alive_hosts</span> <span class="o">=</span> <span class="p">[</span><span class="n">h</span> <span class="k">for</span> <span class="n">h</span> <span class="ow">in</span> <span class="n">results</span><span class="p">[</span><span class="sh">'</span><span class="s">hosts</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="n">h</span><span class="p">[</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">up</span><span class="sh">'</span><span class="p">]</span> <span class="k">for</span> <span class="n">host</span> <span class="ow">in</span> <span class="n">alive_hosts</span><span class="p">:</span> <span class="n">html_template</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s"> &lt;div class=</span><span class="sh">"</span><span class="s">host</span><span class="sh">"</span><span class="s">&gt; &lt;h2&gt;Host: </span><span class="si">{</span><span class="n">host</span><span class="p">[</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">&lt;/h2&gt; </span><span class="sh">"""</span> <span class="k">if</span> <span class="n">host</span><span class="p">[</span><span class="sh">'</span><span class="s">hostnames</span><span class="sh">'</span><span class="p">]:</span> <span class="n">html_template</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">&lt;h3&gt;Hostnames:&lt;/h3&gt;&lt;ul&gt;</span><span class="sh">"</span> <span class="k">for</span> <span class="n">hostname</span> <span class="ow">in</span> <span class="n">host</span><span class="p">[</span><span class="sh">'</span><span class="s">hostnames</span><span class="sh">'</span><span class="p">]:</span> <span class="n">html_template</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">&lt;li&gt;</span><span class="si">{</span><span class="n">hostname</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> (</span><span class="si">{</span><span class="n">hostname</span><span class="p">[</span><span class="sh">'</span><span class="s">type</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">)&lt;/li&gt;</span><span class="sh">"</span> <span class="n">html_template</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">&lt;/ul&gt;</span><span class="sh">"</span> <span class="n">open_ports</span> <span class="o">=</span> <span class="p">[</span><span class="n">p</span> <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">host</span><span class="p">[</span><span class="sh">'</span><span class="s">ports</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="n">p</span><span class="p">[</span><span class="sh">'</span><span class="s">state</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">open</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="n">open_ports</span><span class="p">:</span> <span class="n">html_template</span> <span class="o">+=</span> <span class="sh">"""</span><span class="s"> &lt;h3&gt;Open Ports:&lt;/h3&gt; &lt;table class=</span><span class="sh">"</span><span class="s">port-table</span><span class="sh">"</span><span class="s">&gt; &lt;tr&gt;&lt;th&gt;Port&lt;/th&gt;&lt;th&gt;Protocol&lt;/th&gt;&lt;th&gt;Service&lt;/th&gt;&lt;th&gt;Version&lt;/th&gt;&lt;/tr&gt; </span><span class="sh">"""</span> <span class="k">for</span> <span class="n">port</span> <span class="ow">in</span> <span class="n">open_ports</span><span class="p">:</span> <span class="n">service_info</span> <span class="o">=</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span> <span class="n">version_info</span> <span class="o">=</span> <span class="sh">""</span> <span class="k">if</span> <span class="sh">'</span><span class="s">service</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">port</span> <span class="ow">and</span> <span class="n">port</span><span class="p">[</span><span class="sh">'</span><span class="s">service</span><span class="sh">'</span><span class="p">]:</span> <span class="n">service</span> <span class="o">=</span> <span class="n">port</span><span class="p">[</span><span class="sh">'</span><span class="s">service</span><span class="sh">'</span><span class="p">]</span> <span class="n">service_info</span> <span class="o">=</span> <span class="n">service</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">unknown</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">service</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">product</span><span class="sh">'</span><span class="p">):</span> <span class="n">version_info</span> <span class="o">=</span> <span class="n">service</span><span class="p">[</span><span class="sh">'</span><span class="s">product</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="n">service</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">version</span><span class="sh">'</span><span class="p">):</span> <span class="n">version_info</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"</span><span class="s"> </span><span class="si">{</span><span class="n">service</span><span class="p">[</span><span class="sh">'</span><span class="s">version</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="n">html_template</span> <span class="o">+=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s"> &lt;tr&gt; &lt;td&gt;</span><span class="si">{</span><span class="n">port</span><span class="p">[</span><span class="sh">'</span><span class="s">port</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">&lt;/td&gt; &lt;td&gt;</span><span class="si">{</span><span class="n">port</span><span class="p">[</span><span class="sh">'</span><span class="s">protocol</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">&lt;/td&gt; &lt;td&gt;</span><span class="si">{</span><span class="n">service_info</span><span class="si">}</span><span class="s">&lt;/td&gt; &lt;td&gt;</span><span class="si">{</span><span class="n">version_info</span><span class="si">}</span><span class="s">&lt;/td&gt; &lt;/tr&gt; </span><span class="sh">"""</span> <span class="n">html_template</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">&lt;/table&gt;</span><span class="sh">"</span> <span class="n">html_template</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">&lt;/div&gt;</span><span class="sh">"</span> <span class="n">html_template</span> <span class="o">+=</span> <span class="sh">"""</span><span class="s"> &lt;/body&gt; &lt;/html&gt; </span><span class="sh">"""</span> <span class="k">return</span> <span class="n">html_template</span> <span class="c1"># Usage example </span><span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="c1"># Initialize scanner </span> <span class="n">scanner</span> <span class="o">=</span> <span class="nc">NmapAPI</span><span class="p">(</span> <span class="n">api_endpoint</span><span class="o">=</span><span class="sh">"</span><span class="s">https://api.example.com</span><span class="sh">"</span><span class="p">,</span> <span class="n">api_key</span><span class="o">=</span><span class="sh">"</span><span class="s">your-api-key</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Run comprehensive scan </span> <span class="n">results</span> <span class="o">=</span> <span class="n">scanner</span><span class="p">.</span><span class="nf">run_scan</span><span class="p">(</span><span class="sh">"</span><span class="s">192.168.1.0/24</span><span class="sh">"</span><span class="p">,</span> <span class="n">scan_type</span><span class="o">=</span><span class="sh">"</span><span class="s">comprehensive</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">results</span><span class="p">:</span> <span class="c1"># Generate reports </span> <span class="n">markdown_report</span> <span class="o">=</span> <span class="n">scanner</span><span class="p">.</span><span class="nf">generate_report</span><span class="p">(</span><span class="n">results</span><span class="p">,</span> <span class="sh">"</span><span class="s">markdown</span><span class="sh">"</span><span class="p">)</span> <span class="n">html_report</span> <span class="o">=</span> <span class="n">scanner</span><span class="p">.</span><span class="nf">generate_report</span><span class="p">(</span><span class="n">results</span><span class="p">,</span> <span class="sh">"</span><span class="s">html</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Save reports </span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">scan_report.md</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">w</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">markdown_report</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">scan_report.html</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">w</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">html_report</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Scan completed and reports generated</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Continuous Monitoring and Alerting </h3> <p><strong>Automated Monitoring Script</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># continuous_monitoring.sh</span> <span class="c"># Configuration</span> <span class="nv">CONFIG_FILE</span><span class="o">=</span><span class="s2">"/etc/nmap-monitor/config.conf"</span> <span class="nv">STATE_DIR</span><span class="o">=</span><span class="s2">"/var/lib/nmap-monitor"</span> <span class="nv">LOG_FILE</span><span class="o">=</span><span class="s2">"/var/log/nmap-monitor.log"</span> <span class="nv">ALERT_WEBHOOK</span><span class="o">=</span><span class="s2">"https://hooks.slack.com/services/YOUR/WEBHOOK/URL"</span> <span class="c"># Load configuration</span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$CONFIG_FILE</span><span class="s2">"</span> 2&gt;/dev/null <span class="o">||</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"Configuration file not found. Creating default configuration..."</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">dirname</span> <span class="s2">"</span><span class="nv">$CONFIG_FILE</span><span class="s2">"</span><span class="si">)</span><span class="s2">"</span> <span class="nb">cat</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$CONFIG_FILE</span><span class="s2">"</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> MONITOR_TARGETS="192.168.1.0/24" SCAN_INTERVAL=3600 # 1 hour ALERT_ON_NEW_HOSTS=true ALERT_ON_NEW_PORTS=true ALERT_ON_SERVICE_CHANGES=true NMAP_OPTIONS="-sS --top-ports 1000 -sV" </span><span class="no">EOF </span> <span class="nb">source</span> <span class="s2">"</span><span class="nv">$CONFIG_FILE</span><span class="s2">"</span> <span class="o">}</span> <span class="c"># Create directories</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">dirname</span> <span class="s2">"</span><span class="nv">$LOG_FILE</span><span class="s2">"</span><span class="si">)</span><span class="s2">"</span> <span class="c"># Logging function</span> log<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"[</span><span class="si">$(</span><span class="nb">date</span> <span class="s1">'+%Y-%m-%d %H:%M:%S'</span><span class="si">)</span><span class="s2">] </span><span class="nv">$1</span><span class="s2">"</span> | <span class="nb">tee</span> <span class="nt">-a</span> <span class="s2">"</span><span class="nv">$LOG_FILE</span><span class="s2">"</span> <span class="o">}</span> <span class="c"># Send alert function</span> send_alert<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">message</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nb">local </span><span class="nv">severity</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">2</span><span class="k">:-</span><span class="nv">INFO</span><span class="k">}</span><span class="s2">"</span> <span class="c"># Log the alert</span> log <span class="s2">"ALERT [</span><span class="nv">$severity</span><span class="s2">]: </span><span class="nv">$message</span><span class="s2">"</span> <span class="c"># Send to webhook if configured</span> <span class="k">if</span> <span class="o">[[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$ALERT_WEBHOOK</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span>curl <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s1">'Content-type: application/json'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s2">"{</span><span class="se">\"</span><span class="s2">text</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">🚨 Network Monitor Alert [</span><span class="nv">$severity</span><span class="s2">]: </span><span class="nv">$message</span><span class="se">\"</span><span class="s2">}"</span> <span class="se">\</span> <span class="s2">"</span><span class="nv">$ALERT_WEBHOOK</span><span class="s2">"</span> 2&gt;/dev/null <span class="k">fi</span> <span class="c"># Send email if configured</span> <span class="k">if</span> <span class="o">[[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$ALERT_EMAIL</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$message</span><span class="s2">"</span> | mail <span class="nt">-s</span> <span class="s2">"Network Monitor Alert [</span><span class="nv">$severity</span><span class="s2">]"</span> <span class="s2">"</span><span class="nv">$ALERT_EMAIL</span><span class="s2">"</span> <span class="k">fi</span> <span class="o">}</span> <span class="c"># Compare scan results</span> compare_results<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">current_scan</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nb">local </span><span class="nv">previous_scan</span><span class="o">=</span><span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$previous_scan</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span>log <span class="s2">"No previous scan found. Saving current scan as baseline."</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$current_scan</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$previous_scan</span><span class="s2">"</span> <span class="k">return </span>0 <span class="k">fi</span> <span class="c"># Extract host and port information</span> <span class="nb">awk</span> <span class="s1">'/Host:/ {host=$2} /open/ {print host":"$1":"$3}'</span> <span class="s2">"</span><span class="nv">$current_scan</span><span class="s2">"</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/current_hosts_ports.tmp"</span> <span class="nb">awk</span> <span class="s1">'/Host:/ {host=$2} /open/ {print host":"$1":"$3}'</span> <span class="s2">"</span><span class="nv">$previous_scan</span><span class="s2">"</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/previous_hosts_ports.tmp"</span> <span class="c"># Check for new hosts</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$ALERT_ON_NEW_HOSTS</span><span class="s2">"</span> <span class="o">==</span> <span class="s2">"true"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">awk</span> <span class="nt">-F</span>: <span class="s1">'{print $1}'</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/current_hosts_ports.tmp"</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/current_hosts.tmp"</span> <span class="nb">awk</span> <span class="nt">-F</span>: <span class="s1">'{print $1}'</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/previous_hosts_ports.tmp"</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/previous_hosts.tmp"</span> <span class="nv">new_hosts</span><span class="o">=</span><span class="si">$(</span><span class="nb">comm</span> <span class="nt">-23</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/current_hosts.tmp"</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/previous_hosts.tmp"</span><span class="si">)</span> <span class="k">if</span> <span class="o">[[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$new_hosts</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span>send_alert <span class="s2">"New hosts detected: </span><span class="nv">$new_hosts</span><span class="s2">"</span> <span class="s2">"HIGH"</span> <span class="k">fi fi</span> <span class="c"># Check for new ports</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$ALERT_ON_NEW_PORTS</span><span class="s2">"</span> <span class="o">==</span> <span class="s2">"true"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nv">new_ports</span><span class="o">=</span><span class="si">$(</span><span class="nb">comm</span> <span class="nt">-23</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/current_hosts_ports.tmp"</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/previous_hosts_ports.tmp"</span><span class="si">)</span> <span class="k">if</span> <span class="o">[[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$new_ports</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span>send_alert <span class="s2">"New open ports detected: </span><span class="nv">$new_ports</span><span class="s2">"</span> <span class="s2">"MEDIUM"</span> <span class="k">fi fi</span> <span class="c"># Check for disappeared hosts/ports</span> <span class="nv">disappeared</span><span class="o">=</span><span class="si">$(</span><span class="nb">comm</span> <span class="nt">-13</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/current_hosts_ports.tmp"</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/previous_hosts_ports.tmp"</span><span class="si">)</span> <span class="k">if</span> <span class="o">[[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$disappeared</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span>send_alert <span class="s2">"Hosts or ports no longer accessible: </span><span class="nv">$disappeared</span><span class="s2">"</span> <span class="s2">"LOW"</span> <span class="k">fi</span> <span class="c"># Update baseline</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$current_scan</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$previous_scan</span><span class="s2">"</span> <span class="o">}</span> <span class="c"># Main monitoring function</span> run_monitor<span class="o">()</span> <span class="o">{</span> log <span class="s2">"Starting network monitoring scan"</span> <span class="nb">local </span><span class="nv">scan_output</span><span class="o">=</span><span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/current_scan.nmap"</span> <span class="nb">local </span><span class="nv">baseline_scan</span><span class="o">=</span><span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/baseline_scan.nmap"</span> <span class="c"># Run Nmap scan</span> <span class="k">if </span>nmap <span class="nv">$NMAP_OPTIONS</span> <span class="nv">$MONITOR_TARGETS</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$scan_output</span><span class="s2">"</span> 2&gt;&amp;1<span class="p">;</span> <span class="k">then </span>log <span class="s2">"Scan completed successfully"</span> <span class="c"># Compare with previous results</span> compare_results <span class="s2">"</span><span class="nv">$scan_output</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$baseline_scan</span><span class="s2">"</span> <span class="k">else </span>send_alert <span class="s2">"Nmap scan failed"</span> <span class="s2">"HIGH"</span> log <span class="s2">"Scan failed. Check configuration and network connectivity."</span> <span class="k">fi</span> <span class="o">}</span> <span class="c"># Service status monitoring</span> monitor_service_changes<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">current_services</span><span class="o">=</span><span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/current_services.txt"</span> <span class="nb">local </span><span class="nv">baseline_services</span><span class="o">=</span><span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/baseline_services.txt"</span> <span class="c"># Extract service information</span> <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"(open|filtered)"</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/current_scan.nmap"</span> | <span class="se">\</span> <span class="nb">awk</span> <span class="s1">'{print $1":"$3":"$5}'</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$current_services</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$baseline_services</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$ALERT_ON_SERVICE_CHANGES</span><span class="s2">"</span> <span class="o">==</span> <span class="s2">"true"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nv">service_changes</span><span class="o">=</span><span class="si">$(</span>diff <span class="s2">"</span><span class="nv">$baseline_services</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$current_services</span><span class="s2">"</span> 2&gt;/dev/null<span class="si">)</span> <span class="k">if</span> <span class="o">[[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$service_changes</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span>send_alert <span class="s2">"Service changes detected: </span><span class="nv">$service_changes</span><span class="s2">"</span> <span class="s2">"MEDIUM"</span> <span class="k">fi fi </span><span class="nb">cp</span> <span class="s2">"</span><span class="nv">$current_services</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$baseline_services</span><span class="s2">"</span> <span class="o">}</span> <span class="c"># Performance monitoring</span> monitor_performance<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">scan_start_time</span><span class="o">=</span><span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span> run_monitor <span class="nb">local </span><span class="nv">scan_end_time</span><span class="o">=</span><span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span> <span class="nb">local </span><span class="nv">scan_duration</span><span class="o">=</span><span class="k">$((</span>scan_end_time <span class="o">-</span> scan_start_time<span class="k">))</span> log <span class="s2">"Scan completed in </span><span class="k">${</span><span class="nv">scan_duration</span><span class="k">}</span><span class="s2"> seconds"</span> <span class="c"># Alert if scan takes too long (indicates potential issues)</span> <span class="k">if</span> <span class="o">[[</span> <span class="nv">$scan_duration</span> <span class="nt">-gt</span> 1800 <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> <span class="c"># 30 minutes</span> send_alert <span class="s2">"Scan taking longer than expected: </span><span class="k">${</span><span class="nv">scan_duration</span><span class="k">}</span><span class="s2"> seconds"</span> <span class="s2">"MEDIUM"</span> <span class="k">fi</span> <span class="o">}</span> <span class="c"># Main execution</span> <span class="k">case</span> <span class="s2">"</span><span class="k">${</span><span class="nv">1</span><span class="k">:-</span><span class="nv">monitor</span><span class="k">}</span><span class="s2">"</span> <span class="k">in</span> <span class="s2">"monitor"</span><span class="p">)</span> log <span class="s2">"Network monitoring started"</span> monitor_performance monitor_service_changes <span class="p">;;</span> <span class="s2">"daemon"</span><span class="p">)</span> log <span class="s2">"Starting continuous monitoring daemon"</span> <span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do </span>monitor_performance monitor_service_changes log <span class="s2">"Sleeping for </span><span class="k">${</span><span class="nv">SCAN_INTERVAL</span><span class="k">}</span><span class="s2"> seconds"</span> <span class="nb">sleep</span> <span class="s2">"</span><span class="nv">$SCAN_INTERVAL</span><span class="s2">"</span> <span class="k">done</span> <span class="p">;;</span> <span class="s2">"test-alert"</span><span class="p">)</span> send_alert <span class="s2">"Test alert from network monitor"</span> <span class="s2">"INFO"</span> <span class="p">;;</span> <span class="s2">"status"</span><span class="p">)</span> <span class="k">if</span> <span class="o">[[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/current_scan.nmap"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Last scan: </span><span class="si">$(</span><span class="nb">stat</span> <span class="nt">-c</span> %y <span class="s2">"</span><span class="nv">$STATE_DIR</span><span class="s2">/current_scan.nmap"</span><span class="si">)</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Monitored targets: </span><span class="nv">$MONITOR_TARGETS</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Scan interval: </span><span class="nv">$SCAN_INTERVAL</span><span class="s2"> seconds"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"No scans found"</span> <span class="k">fi</span> <span class="p">;;</span> <span class="k">*</span><span class="p">)</span> <span class="nb">echo</span> <span class="s2">"Usage: </span><span class="nv">$0</span><span class="s2"> {monitor|daemon|test-alert|status}"</span> <span class="nb">exit </span>1 <span class="p">;;</span> <span class="k">esac</span> </code></pre> </div> <h2> Defensive Perspectives and Countermeasures </h2> <p>Understanding reconnaissance techniques is equally important for defenders. This section covers detection and mitigation strategies.</p> <h3> Detection Methods </h3> <p><strong>Log Analysis for Nmap Detection</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># nmap_detection.sh</span> <span class="c"># Analyze firewall logs for scanning patterns</span> analyze_firewall_logs<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">log_file</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nb">local </span><span class="nv">time_window</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">2</span><span class="k">:-</span><span class="nv">300</span><span class="k">}</span><span class="s2">"</span> <span class="c"># 5 minutes</span> <span class="nb">echo</span> <span class="s2">"Analyzing firewall logs for potential Nmap scans..."</span> <span class="c"># Detect port scanning patterns</span> <span class="nb">awk</span> <span class="nt">-v</span> <span class="nv">window</span><span class="o">=</span><span class="s2">"</span><span class="nv">$time_window</span><span class="s2">"</span> <span class="s1">' BEGIN { print "Potential port scans detected:" print "===============================" } { # Extract timestamp, source IP, and destination port if (match($0, /([0-9]{1,3}\.){3}[0-9]{1,3}/)) { src_ip = substr($0, RSTART, RLENGTH) if (match($0, /DPT=([0-9]+)/)) { dst_port = substr($0, RSTART+4, RLENGTH-4) timestamp = $1 " " $2 " " $3 # Count connections per source IP connections[src_ip]++ ports[src_ip][dst_port] = 1 first_seen[src_ip] = (first_seen[src_ip] ? first_seen[src_ip] : timestamp) } } } END { for (ip in connections) { port_count = 0 for (port in ports[ip]) port_count++ # Flag IPs connecting to many ports if (port_count &gt; 10) { printf "Source: %s - %d connections to %d ports (First seen: %s)\n", ip, connections[ip], port_count, first_seen[ip] } } }'</span> <span class="s2">"</span><span class="nv">$log_file</span><span class="s2">"</span> <span class="o">}</span> <span class="c"># Detect SYN scan patterns</span> detect_syn_scans<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">log_file</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">SYN scan patterns:"</span> <span class="nb">echo</span> <span class="s2">"=================="</span> <span class="c"># Look for high frequency of SYN packets</span> <span class="nb">grep</span> <span class="s2">"SYN"</span> <span class="s2">"</span><span class="nv">$log_file</span><span class="s2">"</span> | <span class="se">\</span> <span class="nb">awk</span> <span class="s1">'{print $1 " " $2 " " $3, $(NF-1)}'</span> | <span class="se">\</span> <span class="nb">sort</span> | <span class="nb">uniq</span> <span class="nt">-c</span> | <span class="se">\</span> <span class="nb">awk</span> <span class="s1">'$1 &gt; 50 {print "High SYN frequency: " $0}'</span> <span class="o">}</span> <span class="c"># Main analysis</span> <span class="k">if</span> <span class="o">[[</span> <span class="nv">$# </span><span class="nt">-lt</span> 1 <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Usage: </span><span class="nv">$0</span><span class="s2"> &lt;firewall_log_file&gt;"</span> <span class="nb">exit </span>1 <span class="k">fi </span>analyze_firewall_logs <span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> detect_syn_scans <span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> </code></pre> </div> <h3> Honeypot Integration </h3> <p><strong>Simple Port Honeypot</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span><span class="kn">import</span> <span class="n">socket</span> <span class="kn">import</span> <span class="n">threading</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">defaultdict</span> <span class="k">class</span> <span class="nc">PortHoneypot</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ports</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">bind_ip</span><span class="o">=</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">ports</span> <span class="o">=</span> <span class="n">ports</span> <span class="ow">or</span> <span class="p">[</span><span class="mi">21</span><span class="p">,</span> <span class="mi">22</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">53</span><span class="p">,</span> <span class="mi">80</span><span class="p">,</span> <span class="mi">110</span><span class="p">,</span> <span class="mi">143</span><span class="p">,</span> <span class="mi">443</span><span class="p">,</span> <span class="mi">993</span><span class="p">,</span> <span class="mi">995</span><span class="p">]</span> <span class="n">self</span><span class="p">.</span><span class="n">bind_ip</span> <span class="o">=</span> <span class="n">bind_ip</span> <span class="n">self</span><span class="p">.</span><span class="n">connections</span> <span class="o">=</span> <span class="nf">defaultdict</span><span class="p">(</span><span class="nb">int</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">scan_attempts</span> <span class="o">=</span> <span class="nf">defaultdict</span><span class="p">(</span><span class="nb">list</span><span class="p">)</span> <span class="c1"># Configure logging </span> <span class="n">logging</span><span class="p">.</span><span class="nf">basicConfig</span><span class="p">(</span> <span class="n">level</span><span class="o">=</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">'</span><span class="s">%(asctime)s - %(levelname)s - %(message)s</span><span class="sh">'</span><span class="p">,</span> <span class="n">handlers</span><span class="o">=</span><span class="p">[</span> <span class="n">logging</span><span class="p">.</span><span class="nc">FileHandler</span><span class="p">(</span><span class="sh">'</span><span class="s">honeypot.log</span><span class="sh">'</span><span class="p">),</span> <span class="n">logging</span><span class="p">.</span><span class="nc">StreamHandler</span><span class="p">()</span> <span class="p">]</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="k">def</span> <span class="nf">handle_connection</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">client_socket</span><span class="p">,</span> <span class="n">client_address</span><span class="p">,</span> <span class="n">port</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Handle individual connection attempts</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">connections</span><span class="p">[</span><span class="n">client_address</span><span class="p">[</span><span class="mi">0</span><span class="p">]]</span> <span class="o">+=</span> <span class="mi">1</span> <span class="n">self</span><span class="p">.</span><span class="n">scan_attempts</span><span class="p">[</span><span class="n">client_address</span><span class="p">[</span><span class="mi">0</span><span class="p">]].</span><span class="nf">append</span><span class="p">({</span> <span class="sh">'</span><span class="s">port</span><span class="sh">'</span><span class="p">:</span> <span class="n">port</span><span class="p">,</span> <span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(),</span> <span class="sh">'</span><span class="s">source_port</span><span class="sh">'</span><span class="p">:</span> <span class="n">client_address</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="p">})</span> <span class="n">self</span><span class="p">.</span><span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Connection attempt from </span><span class="si">{</span><span class="n">client_address</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="si">}</span><span class="s">:</span><span class="si">{</span><span class="n">client_address</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="si">}</span><span class="s"> to port </span><span class="si">{</span><span class="n">port</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Send fake banner based on port </span> <span class="n">banners</span> <span class="o">=</span> <span class="p">{</span> <span class="mi">21</span><span class="p">:</span> <span class="sa">b</span><span class="sh">"</span><span class="s">220 FTP Server ready</span><span class="se">\r\n</span><span class="sh">"</span><span class="p">,</span> <span class="mi">22</span><span class="p">:</span> <span class="sa">b</span><span class="sh">"</span><span class="s">SSH-2.0-OpenSSH_8.0</span><span class="se">\r\n</span><span class="sh">"</span><span class="p">,</span> <span class="mi">23</span><span class="p">:</span> <span class="sa">b</span><span class="sh">"</span><span class="s">Telnet Server Ready</span><span class="se">\r\n</span><span class="sh">"</span><span class="p">,</span> <span class="mi">25</span><span class="p">:</span> <span class="sa">b</span><span class="sh">"</span><span class="s">220 SMTP Server Ready</span><span class="se">\r\n</span><span class="sh">"</span><span class="p">,</span> <span class="mi">80</span><span class="p">:</span> <span class="sa">b</span><span class="sh">"</span><span class="s">HTTP/1.1 200 OK</span><span class="se">\r\n</span><span class="s">Server: Apache/2.4.41</span><span class="se">\r\n\r\n</span><span class="s">&lt;html&gt;&lt;body&gt;Hello&lt;/body&gt;&lt;/html&gt;</span><span class="sh">"</span><span class="p">,</span> <span class="mi">443</span><span class="p">:</span> <span class="sa">b</span><span class="sh">"</span><span class="s">HTTP/1.1 400 Bad Request</span><span class="se">\r\n\r\n</span><span class="sh">"</span> <span class="p">}</span> <span class="k">if</span> <span class="n">port</span> <span class="ow">in</span> <span class="n">banners</span><span class="p">:</span> <span class="n">client_socket</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="n">banners</span><span class="p">[</span><span class="n">port</span><span class="p">])</span> <span class="c1"># Keep connection open briefly to appear real </span> <span class="n">client_socket</span><span class="p">.</span><span class="nf">settimeout</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">client_socket</span><span class="p">.</span><span class="nf">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="k">if</span> <span class="n">data</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Received data from </span><span class="si">{</span><span class="n">client_address</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">data</span><span class="p">[</span><span class="si">:</span><span class="mi">100</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">socket</span><span class="p">.</span><span class="n">timeout</span><span class="p">:</span> <span class="k">pass</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error handling connection: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">finally</span><span class="p">:</span> <span class="n">client_socket</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">def</span> <span class="nf">start_listener</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">port</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Start listener for specific port</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="n">server_socket</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="nf">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span> <span class="n">server_socket</span><span class="p">.</span><span class="nf">setsockopt</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">SOL_SOCKET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SO_REUSEADDR</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="n">server_socket</span><span class="p">.</span><span class="nf">bind</span><span class="p">((</span><span class="n">self</span><span class="p">.</span><span class="n">bind_ip</span><span class="p">,</span> <span class="n">port</span><span class="p">))</span> <span class="n">server_socket</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Honeypot listening on </span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">bind_ip</span><span class="si">}</span><span class="s">:</span><span class="si">{</span><span class="n">port</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">client_socket</span><span class="p">,</span> <span class="n">client_address</span> <span class="o">=</span> <span class="n">server_socket</span><span class="p">.</span><span class="nf">accept</span><span class="p">()</span> <span class="c1"># Handle connection in separate thread </span> <span class="n">handler</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Thread</span><span class="p">(</span> <span class="n">target</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">handle_connection</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">(</span><span class="n">client_socket</span><span class="p">,</span> <span class="n">client_address</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="p">)</span> <span class="n">handler</span><span class="p">.</span><span class="n">daemon</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">handler</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error on port </span><span class="si">{</span><span class="n">port</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">analyze_patterns</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Analyze connection patterns for scanning detection</span><span class="sh">"""</span> <span class="n">current_time</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="k">for</span> <span class="n">ip</span><span class="p">,</span> <span class="n">attempts</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">scan_attempts</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="c1"># Check for port scanning patterns </span> <span class="n">recent_attempts</span> <span class="o">=</span> <span class="p">[</span> <span class="n">a</span> <span class="k">for</span> <span class="n">a</span> <span class="ow">in</span> <span class="n">attempts</span> <span class="nf">if </span><span class="p">(</span><span class="n">current_time</span> <span class="o">-</span> <span class="n">a</span><span class="p">[</span><span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">]).</span><span class="n">seconds</span> <span class="o">&lt;</span> <span class="mi">300</span> <span class="c1"># Last 5 minutes </span> <span class="p">]</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">recent_attempts</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">5</span><span class="p">:</span> <span class="n">ports_scanned</span> <span class="o">=</span> <span class="nf">set</span><span class="p">(</span><span class="n">a</span><span class="p">[</span><span class="sh">'</span><span class="s">port</span><span class="sh">'</span><span class="p">]</span> <span class="k">for</span> <span class="n">a</span> <span class="ow">in</span> <span class="n">recent_attempts</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">logger</span><span class="p">.</span><span class="nf">critical</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Potential port scan from </span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="s">: </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">recent_attempts</span><span class="p">)</span><span class="si">}</span><span class="s"> attempts on </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">ports_scanned</span><span class="p">)</span><span class="si">}</span><span class="s"> ports</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Generate alert </span> <span class="n">self</span><span class="p">.</span><span class="nf">generate_alert</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">recent_attempts</span><span class="p">)</span> <span class="k">def</span> <span class="nf">generate_alert</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">source_ip</span><span class="p">,</span> <span class="n">attempts</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Generate security alert</span><span class="sh">"""</span> <span class="n">alert_data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">source_ip</span><span class="sh">'</span><span class="p">:</span> <span class="n">source_ip</span><span class="p">,</span> <span class="sh">'</span><span class="s">attempt_count</span><span class="sh">'</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">attempts</span><span class="p">),</span> <span class="sh">'</span><span class="s">ports_targeted</span><span class="sh">'</span><span class="p">:</span> <span class="nf">list</span><span class="p">(</span><span class="nf">set</span><span class="p">(</span><span class="n">a</span><span class="p">[</span><span class="sh">'</span><span class="s">port</span><span class="sh">'</span><span class="p">]</span> <span class="k">for</span> <span class="n">a</span> <span class="ow">in</span> <span class="n">attempts</span><span class="p">)),</span> <span class="sh">'</span><span class="s">time_span</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">attempts</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> to </span><span class="si">{</span><span class="n">attempts</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">][</span><span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">'</span><span class="s">total_connections</span><span class="sh">'</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">connections</span><span class="p">[</span><span class="n">source_ip</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Write to alert file </span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">security_alerts.json</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">a</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="kn">import</span> <span class="n">json</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">alert_data</span><span class="p">)</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Here you could integrate with SIEM, send emails, etc. </span> <span class="n">self</span><span class="p">.</span><span class="n">logger</span><span class="p">.</span><span class="nf">critical</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">SECURITY ALERT: </span><span class="si">{</span><span class="n">alert_data</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">start</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Start all honeypot listeners</span><span class="sh">"""</span> <span class="n">threads</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">port</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">ports</span><span class="p">:</span> <span class="n">thread</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Thread</span><span class="p">(</span><span class="n">target</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">start_listener</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">(</span><span class="n">port</span><span class="p">,))</span> <span class="n">thread</span><span class="p">.</span><span class="n">daemon</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">thread</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> <span class="n">threads</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">thread</span><span class="p">)</span> <span class="c1"># Start pattern analysis thread </span> <span class="k">def</span> <span class="nf">analyze_loop</span><span class="p">():</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="kn">import</span> <span class="n">time</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">60</span><span class="p">)</span> <span class="c1"># Analyze every minute </span> <span class="n">self</span><span class="p">.</span><span class="nf">analyze_patterns</span><span class="p">()</span> <span class="n">analysis_thread</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Thread</span><span class="p">(</span><span class="n">target</span><span class="o">=</span><span class="n">analyze_loop</span><span class="p">)</span> <span class="n">analysis_thread</span><span class="p">.</span><span class="n">daemon</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">analysis_thread</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> <span class="c1"># Keep main thread alive </span> <span class="k">try</span><span class="p">:</span> <span class="k">for</span> <span class="n">thread</span> <span class="ow">in</span> <span class="n">threads</span><span class="p">:</span> <span class="n">thread</span><span class="p">.</span><span class="nf">join</span><span class="p">()</span> <span class="k">except</span> <span class="nb">KeyboardInterrupt</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Honeypot shutting down...</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">honeypot</span> <span class="o">=</span> <span class="nc">PortHoneypot</span><span class="p">()</span> <span class="n">honeypot</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> </code></pre> </div> <h2> Conclusion and Future Directions </h2> <p>Network reconnaissance with Nmap represents both an art and a science, requiring technical expertise, methodical thinking, and ethical responsibility. As we've explored throughout this comprehensive guide, Nmap's capabilities extend far beyond simple port scanning to encompass sophisticated network discovery, service enumeration, vulnerability assessment, and automation frameworks.</p> <h3> Key Takeaways for Practitioners </h3> <p><strong>Master the Fundamentals</strong>: Understanding basic networking concepts, TCP/IP protocols, and common services forms the foundation for effective reconnaissance. Without this knowledge, even the most sophisticated Nmap techniques will yield limited value.</p> <p><strong>Develop Methodology</strong>: Successful reconnaissance follows structured approaches rather than random scanning. Establish clear phases, document findings systematically, and maintain consistent procedures across different environments.</p> <p><strong>Balance Speed and Stealth</strong>: The eternal trade-off between comprehensive coverage and detection avoidance requires careful consideration of timing, target prioritization, and evasion techniques based on the specific engagement context.</p> <p><strong>Embrace Automation</strong>: Manual reconnaissance doesn't scale. Developing scripted workflows, integrating with other tools, and building automated analysis capabilities multiplies effectiveness and consistency.</p> <p><strong>Practice Ethical Responsibility</strong>: With great power comes great responsibility. Always ensure proper authorization, minimize impact on target systems, and follow responsible disclosure practices when vulnerabilities are discovered.</p> <h3> Evolution of Network Reconnaissance </h3> <p>The reconnaissance landscape continues evolving rapidly:</p> <p><strong>Cloud-Native Environments</strong>: Traditional network boundaries are dissolving as organizations adopt cloud-first architectures. Modern reconnaissance must account for:</p> <ul> <li>Container orchestration platforms (Kubernetes, Docker Swarm)</li> <li>Serverless computing architectures</li> <li>Software-defined networking (SDN)</li> <li>Multi-cloud and hybrid deployments</li> <li>API-first application designs</li> </ul> <p><strong>IPv6 Adoption</strong>: As IPv6 deployment accelerates, reconnaissance techniques must adapt:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># IPv6-specific reconnaissance techniques</span> nmap <span class="nt">-6</span> 2001:db8::/32 <span class="c"># IPv6 neighbor discovery</span> nmap <span class="nt">-6</span> <span class="nt">--script</span> ipv6-node-info fe80::/64 <span class="c"># Dual-stack enumeration</span> nmap <span class="nt">-4</span> <span class="nt">-6</span> target_domain.com </code></pre> </div> <p><strong>Artificial Intelligence Integration</strong>: ML and AI are increasingly integrated into both offensive and defensive capabilities:</p> <ul> <li>Automated target prioritization based on vulnerability scoring</li> <li>Intelligent evasion technique selection</li> <li>Pattern recognition for anomaly detection</li> <li>Predictive modeling for security assessment</li> </ul> <p><strong>Zero Trust Architectures</strong>: The shift toward zero trust networking models creates new reconnaissance challenges and opportunities:</p> <ul> <li>Micro-segmentation discovery and mapping</li> <li>Identity and access management enumeration</li> <li>Certificate and encryption analysis</li> <li>API security assessment</li> </ul> <h3> Advanced Techniques and Emerging Trends </h3> <p><strong>Container and Orchestration Reconnaissance</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Kubernetes API discovery</span> nmap <span class="nt">-p</span> 6443,8080,10250,10255 <span class="nt">--script</span> kubernetes-<span class="k">*</span> target_range <span class="c"># Docker daemon enumeration</span> nmap <span class="nt">-p</span> 2375,2376 <span class="nt">--script</span> docker-<span class="k">*</span> target_range <span class="c"># Container registry scanning</span> nmap <span class="nt">-p</span> 5000 <span class="nt">--script</span> registry-<span class="k">*</span> target_range </code></pre> </div> <p><strong>IoT and Edge Device Discovery</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># IoT device identification</span> nmap <span class="nt">-sU</span> <span class="nt">-p</span> 161 <span class="nt">--script</span> snmp-info target_range <span class="c"># Industrial control system discovery</span> nmap <span class="nt">-p</span> 502,44818,1911,9600 <span class="nt">--script</span> modbus-<span class="k">*</span>,s7-<span class="k">*</span> target_range <span class="c"># Embedded device fingerprinting</span> nmap <span class="nt">--script</span> http-favicon,http-title,http-server-header target_range </code></pre> </div> <p><strong>API Security Assessment</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># API endpoint discovery</span> nmap <span class="nt">-p</span> 80,443,8080,8443 <span class="nt">--script</span> http-enum,http-methods target_range <span class="c"># GraphQL enumeration</span> nmap <span class="nt">-p</span> 80,443 <span class="nt">--script</span> graphql-<span class="k">*</span> target_range <span class="c"># REST API security testing</span> nmap <span class="nt">-p</span> 80,443 <span class="nt">--script</span> http-unsafe-output-escaping,http-sql-injection target_range </code></pre> </div> <h3> Building a Professional Reconnaissance Toolkit </h3> <p><strong>Essential Tools Integration</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># Professional reconnaissance workflow</span> <span class="c"># Phase 1: Intelligence Gathering</span> <span class="nb">echo</span> <span class="s2">"[+] Phase 1: Intelligence Gathering"</span> amass enum <span class="nt">-d</span> target.com <span class="nt">-o</span> amass_results.txt subfinder <span class="nt">-d</span> target.com <span class="nt">-o</span> subfinder_results.txt assetfinder target.com | <span class="nb">tee </span>assetfinder_results.txt <span class="c"># Combine and deduplicate results</span> <span class="nb">cat </span>amass_results.txt subfinder_results.txt assetfinder_results.txt | <span class="se">\</span> <span class="nb">sort</span> <span class="nt">-u</span> <span class="o">&gt;</span> all_subdomains.txt <span class="c"># Phase 2: Host Discovery with Nmap</span> <span class="nb">echo</span> <span class="s2">"[+] Phase 2: Host Discovery"</span> nmap <span class="nt">-sn</span> <span class="nt">-iL</span> all_subdomains.txt <span class="nt">-oA</span> host_discovery <span class="c"># Extract live hosts</span> <span class="nb">grep</span> <span class="s2">"Status: Up"</span> host_discovery.gnmap | <span class="nb">cut</span> <span class="nt">-d</span><span class="s1">' '</span> <span class="nt">-f2</span> <span class="o">&gt;</span> live_hosts.txt <span class="c"># Phase 3: Port Discovery</span> <span class="nb">echo</span> <span class="s2">"[+] Phase 3: Port Discovery"</span> nmap <span class="nt">-sS</span> <span class="nt">--top-ports</span> 1000 <span class="nt">-T4</span> <span class="nt">-iL</span> live_hosts.txt <span class="nt">-oA</span> port_discovery <span class="c"># Phase 4: Service Enumeration</span> <span class="nb">echo</span> <span class="s2">"[+] Phase 4: Service Enumeration"</span> nmap <span class="nt">-sC</span> <span class="nt">-sV</span> <span class="nt">-A</span> <span class="nt">-iL</span> live_hosts.txt <span class="nt">-oA</span> service_enum <span class="c"># Phase 5: Vulnerability Assessment</span> <span class="nb">echo</span> <span class="s2">"[+] Phase 5: Vulnerability Assessment"</span> nmap <span class="nt">--script</span> vuln <span class="nt">-iL</span> live_hosts.txt <span class="nt">-oA</span> vuln_assessment <span class="c"># Phase 6: Reporting</span> <span class="nb">echo</span> <span class="s2">"[+] Phase 6: Generating Reports"</span> python3 generate_report.py service_enum.xml vuln_assessment.xml </code></pre> </div> <p><strong>Custom NSE Scripts for Specialized Environments</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight lua"><code><span class="c1">-- Cloud service detection script</span> <span class="kd">local</span> <span class="n">nmap</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">"nmap"</span> <span class="kd">local</span> <span class="n">http</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">"http"</span> <span class="kd">local</span> <span class="n">shortport</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">"shortport"</span> <span class="kd">local</span> <span class="n">stdnse</span> <span class="o">=</span> <span class="nb">require</span> <span class="s2">"stdnse"</span> <span class="n">description</span> <span class="o">=</span> <span class="s">[[ Identifies cloud service providers and configurations. ]]</span> <span class="n">author</span> <span class="o">=</span> <span class="s2">"Security Researcher"</span> <span class="n">categories</span> <span class="o">=</span> <span class="p">{</span><span class="s2">"safe"</span><span class="p">,</span> <span class="s2">"discovery"</span><span class="p">,</span> <span class="s2">"cloud"</span><span class="p">}</span> <span class="n">portrule</span> <span class="o">=</span> <span class="k">function</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="k">return</span> <span class="n">shortport</span><span class="p">.</span><span class="n">http</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="ow">or</span> <span class="n">shortport</span><span class="p">.</span><span class="n">port_or_service</span><span class="p">({</span><span class="mi">80</span><span class="p">,</span> <span class="mi">443</span><span class="p">,</span> <span class="mi">8080</span><span class="p">,</span> <span class="mi">8443</span><span class="p">},</span> <span class="p">{</span><span class="s2">"http"</span><span class="p">,</span> <span class="s2">"https"</span><span class="p">})(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="k">end</span> <span class="n">action</span> <span class="o">=</span> <span class="k">function</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="kd">local</span> <span class="n">results</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1">-- Check for cloud provider indicators</span> <span class="kd">local</span> <span class="n">response</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">,</span> <span class="s2">"/"</span><span class="p">)</span> <span class="k">if</span> <span class="n">response</span> <span class="ow">and</span> <span class="n">response</span><span class="p">.</span><span class="n">header</span> <span class="k">then</span> <span class="c1">-- AWS indicators</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">header</span><span class="p">[</span><span class="s2">"server"</span><span class="p">]</span> <span class="ow">and</span> <span class="nb">string.match</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">header</span><span class="p">[</span><span class="s2">"server"</span><span class="p">],</span> <span class="s2">"AmazonS3"</span><span class="p">)</span> <span class="k">then</span> <span class="n">results</span><span class="p">[</span><span class="s2">"provider"</span><span class="p">]</span> <span class="o">=</span> <span class="s2">"AWS S3"</span> <span class="k">end</span> <span class="c1">-- Azure indicators</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">header</span><span class="p">[</span><span class="s2">"server"</span><span class="p">]</span> <span class="ow">and</span> <span class="nb">string.match</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">header</span><span class="p">[</span><span class="s2">"server"</span><span class="p">],</span> <span class="s2">"Microsoft-Azure"</span><span class="p">)</span> <span class="k">then</span> <span class="n">results</span><span class="p">[</span><span class="s2">"provider"</span><span class="p">]</span> <span class="o">=</span> <span class="s2">"Microsoft Azure"</span> <span class="k">end</span> <span class="c1">-- Google Cloud indicators</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">header</span><span class="p">[</span><span class="s2">"server"</span><span class="p">]</span> <span class="ow">and</span> <span class="nb">string.match</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">header</span><span class="p">[</span><span class="s2">"server"</span><span class="p">],</span> <span class="s2">"Google"</span><span class="p">)</span> <span class="k">then</span> <span class="n">results</span><span class="p">[</span><span class="s2">"provider"</span><span class="p">]</span> <span class="o">=</span> <span class="s2">"Google Cloud"</span> <span class="k">end</span> <span class="c1">-- Check for metadata endpoints</span> <span class="kd">local</span> <span class="n">metadata_paths</span> <span class="o">=</span> <span class="p">{</span> <span class="s2">"/latest/meta-data/"</span><span class="p">,</span> <span class="c1">-- AWS</span> <span class="s2">"/metadata/instance"</span><span class="p">,</span> <span class="c1">-- Azure</span> <span class="s2">"/computeMetadata/v1/"</span> <span class="c1">-- GCP</span> <span class="p">}</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">path</span> <span class="k">in</span> <span class="nb">ipairs</span><span class="p">(</span><span class="n">metadata_paths</span><span class="p">)</span> <span class="k">do</span> <span class="kd">local</span> <span class="n">meta_response</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">,</span> <span class="n">path</span><span class="p">)</span> <span class="k">if</span> <span class="n">meta_response</span> <span class="ow">and</span> <span class="n">meta_response</span><span class="p">.</span><span class="n">status</span> <span class="o">==</span> <span class="mi">200</span> <span class="k">then</span> <span class="n">results</span><span class="p">[</span><span class="s2">"metadata_accessible"</span><span class="p">]</span> <span class="o">=</span> <span class="kc">true</span> <span class="k">break</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="k">if</span> <span class="nb">next</span><span class="p">(</span><span class="n">results</span><span class="p">)</span> <span class="k">then</span> <span class="k">return</span> <span class="n">stdnse</span><span class="p">.</span><span class="n">format_output</span><span class="p">(</span><span class="kc">true</span><span class="p">,</span> <span class="n">results</span><span class="p">)</span> <span class="k">end</span> <span class="k">return</span> <span class="kc">nil</span> <span class="k">end</span> </code></pre> </div> <h3> Professional Development and Certification Paths </h3> <p><strong>Recommended Certifications</strong>:</p> <ul> <li> <strong>OSCP (Offensive Security Certified Professional)</strong>: Hands-on penetration testing with heavy Nmap usage</li> <li> <strong>GPEN (GIAC Penetration Tester)</strong>: Comprehensive penetration testing methodology</li> <li> <strong>CEH (Certified Ethical Hacker)</strong>: Broad security assessment coverage</li> <li> <strong>CISSP (Certified Information Systems Security Professional)</strong>: Strategic security perspective</li> <li> <strong>GSEC (GIAC Security Essentials)</strong>: Foundational security knowledge</li> </ul> <p><strong>Skill Development Areas</strong>:</p> <ul> <li> <strong>Scripting and Automation</strong>: Python, Bash, PowerShell for reconnaissance automation</li> <li> <strong>Network Protocols</strong>: Deep understanding of TCP/IP, HTTP/S, DNS, SNMP</li> <li> <strong>Operating Systems</strong>: Linux, Windows, and Unix system administration</li> <li> <strong>Cloud Technologies</strong>: AWS, Azure, GCP security models and APIs</li> <li> <strong>Vulnerability Management</strong>: CVE analysis, risk assessment, remediation prioritization</li> </ul> <h3> Legal and Compliance Considerations </h3> <p><strong>Regulatory Frameworks</strong>:</p> <ul> <li> <strong>GDPR</strong>: Data protection implications of reconnaissance activities</li> <li> <strong>HIPAA</strong>: Healthcare data security requirements</li> <li> <strong>PCI DSS</strong>: Payment card industry security standards</li> <li> <strong>SOX</strong>: Financial reporting and internal controls</li> <li> <strong>ISO 27001</strong>: Information security management systems</li> </ul> <p><strong>Documentation Requirements</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># Reconnaissance Rules of Engagement Template</span> <span class="gu">## Scope Definition</span> <span class="p">-</span> <span class="gs">**In-Scope Networks**</span>: [Define specific IP ranges, domains, applications] <span class="p">-</span> <span class="gs">**Out-of-Scope Systems**</span>: [Explicitly exclude systems/networks] <span class="p">-</span> <span class="gs">**Time Windows**</span>: [Specify approved scanning times] <span class="gu">## Technical Constraints</span> <span class="p">-</span> <span class="gs">**Scanning Intensity**</span>: Maximum timing template and rate limits <span class="p">-</span> <span class="gs">**Prohibited Techniques**</span>: DoS testing, exploitation attempts, brute forcing <span class="p">-</span> <span class="gs">**Detection Acceptance**</span>: Acknowledge scanning will generate security alerts <span class="gu">## Contact Information</span> <span class="p">-</span> <span class="gs">**Primary Contact**</span>: [Technical point of contact] <span class="p">-</span> <span class="gs">**Emergency Contact**</span>: [24/7 contact for issues] <span class="p">-</span> <span class="gs">**Escalation Path**</span>: [Management chain for critical issues] <span class="gu">## Deliverables</span> <span class="p">-</span> <span class="gs">**Raw Scan Data**</span>: XML/JSON format scan results <span class="p">-</span> <span class="gs">**Executive Summary**</span>: High-level findings and risk assessment <span class="p">-</span> <span class="gs">**Technical Report**</span>: Detailed findings with remediation recommendations <span class="p">-</span> <span class="gs">**Remediation Tracking**</span>: Follow-up testing and validation </code></pre> </div> <h3> Future-Proofing Reconnaissance Skills </h3> <p><strong>Emerging Technologies to Watch</strong>:</p> <p><strong>Quantum Computing Impact</strong>: While still emerging, quantum computing will eventually impact:</p> <ul> <li>Current encryption methods and their reconnaissance implications</li> <li>New network protocols and security models</li> <li>Reconnaissance technique evolution</li> </ul> <p><strong>5G and Edge Computing</strong>: Next-generation networking introduces:</p> <ul> <li>Network slicing and virtual network functions</li> <li>Edge computing node discovery and assessment</li> <li>New attack surfaces and reconnaissance opportunities</li> </ul> <p><strong>Artificial Intelligence and Machine Learning</strong>: AI/ML integration affects:</p> <ul> <li>Automated vulnerability discovery and exploitation</li> <li>Intelligent defense systems and evasion requirements</li> <li>Behavioral analysis and anomaly detection</li> </ul> <p><strong>Blockchain and Distributed Systems</strong>: Decentralized technologies create:</p> <ul> <li>New network topologies and discovery challenges</li> <li>Smart contract security assessment requirements</li> <li>Consensus mechanism analysis needs</li> </ul> <h3> Building a Reconnaissance Lab </h3> <p><strong>Virtual Lab Setup</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># Lab environment setup script</span> <span class="c"># Create isolated network segments</span> docker network create <span class="nt">--driver</span> bridge recon_lab_internal docker network create <span class="nt">--driver</span> bridge recon_lab_dmz docker network create <span class="nt">--driver</span> bridge recon_lab_external <span class="c"># Deploy vulnerable applications</span> docker run <span class="nt">-d</span> <span class="nt">--name</span> dvwa <span class="nt">--network</span> recon_lab_internal vulnerables/web-dvwa docker run <span class="nt">-d</span> <span class="nt">--name</span> metasploitable <span class="nt">--network</span> recon_lab_internal tleemcjr/metasploitable2 docker run <span class="nt">-d</span> <span class="nt">--name</span> juice-shop <span class="nt">--network</span> recon_lab_dmz bkimminich/juice-shop <span class="c"># Deploy monitoring and logging</span> docker run <span class="nt">-d</span> <span class="nt">--name</span> elk-stack <span class="se">\</span> <span class="nt">--network</span> recon_lab_internal <span class="se">\</span> <span class="nt">-p</span> 5601:5601 <span class="nt">-p</span> 9200:9200 <span class="nt">-p</span> 5044:5044 <span class="se">\</span> sebp/elk <span class="c"># Deploy honeypots</span> docker run <span class="nt">-d</span> <span class="nt">--name</span> cowrie-honeypot <span class="se">\</span> <span class="nt">--network</span> recon_lab_dmz <span class="se">\</span> <span class="nt">-p</span> 2222:2222 <span class="se">\</span> cowrie/cowrie <span class="c"># Create scanning targets with various operating systems</span> docker run <span class="nt">-d</span> <span class="nt">--name</span> ubuntu-target <span class="nt">--network</span> recon_lab_internal ubuntu:latest <span class="nb">sleep </span>infinity docker run <span class="nt">-d</span> <span class="nt">--name</span> centos-target <span class="nt">--network</span> recon_lab_internal centos:latest <span class="nb">sleep </span>infinity docker run <span class="nt">-d</span> <span class="nt">--name</span> windows-target <span class="nt">--network</span> recon_lab_internal mcr.microsoft.com/windows/servercore:ltsc2019 <span class="nb">echo</span> <span class="s2">"Lab environment deployed. Networks:"</span> docker network <span class="nb">ls</span> | <span class="nb">grep </span>recon_lab <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"Running containers:"</span> docker ps <span class="nt">--format</span> <span class="s2">"table {{.Names}}</span><span class="se">\t</span><span class="s2">{{.Image}}</span><span class="se">\t</span><span class="s2">{{.Status}}</span><span class="se">\t</span><span class="s2">{{.Ports}}"</span> </code></pre> </div> <h3> Community and Continuous Learning </h3> <p><strong>Professional Communities</strong>:</p> <ul> <li> <strong>OWASP</strong>: Web application security community</li> <li> <strong>SANS</strong>: Training and certification organization</li> <li> <strong>DEF CON Groups</strong>: Local security meetups and conferences</li> <li> <strong>2600</strong>: Hacker quarterly magazine and meetings</li> <li> <strong>BSides</strong>: Local security conferences worldwide</li> </ul> <p><strong>Online Resources</strong>:</p> <ul> <li> <strong>Nmap.org</strong>: Official documentation and updates</li> <li> <strong>Exploit-DB</strong>: Vulnerability database and exploits</li> <li> <strong>CVE Details</strong>: Comprehensive vulnerability information</li> <li> <strong>SecurityFocus</strong>: Security news and advisories</li> <li> <strong>Reddit r/netsec</strong>: Community discussions and news</li> </ul> <p><strong>Practice Platforms</strong>:</p> <ul> <li> <strong>HackTheBox</strong>: Realistic penetration testing scenarios</li> <li> <strong>TryHackMe</strong>: Guided learning paths and challenges</li> <li> <strong>VulnHub</strong>: Downloadable vulnerable virtual machines</li> <li> <strong>OverTheWire</strong>: Command-line security challenges</li> <li> <strong>PentesterLab</strong>: Web application security exercises</li> </ul> <h2> Final Recommendations </h2> <p>Network reconnaissance with Nmap is a journey rather than a destination. The field continuously evolves with new technologies, attack vectors, and defensive measures. Success requires:</p> <p><strong>Continuous Learning</strong>: Technology changes rapidly. Stay current with new Nmap releases, emerging protocols, and evolving attack techniques through regular training and practice.</p> <p><strong>Ethical Foundation</strong>: Always maintain the highest ethical standards. The skills learned through reconnaissance can be powerful tools for both protection and harm—use them responsibly.</p> <p><strong>Practical Application</strong>: Theory without practice is limited. Build lab environments, participate in capture-the-flag events, and seek hands-on experience through authorized testing.</p> <p><strong>Community Engagement</strong>: Join professional communities, attend conferences, and contribute to the security field through knowledge sharing and collaborative learning.</p> <p><strong>Documentation and Process</strong>: Develop systematic approaches to reconnaissance, maintain detailed documentation, and continuously refine methodologies based on experience and results.</p> <p>The mastery of network reconnaissance with Nmap opens doors to advanced cybersecurity roles, from penetration testing and security consulting to incident response and threat hunting. Whether you're defending organizational networks or conducting authorized security assessments, the knowledge and techniques covered in this guide provide a solid foundation for professional growth and contribution to the cybersecurity community.</p> <p>Remember that with knowledge comes responsibility. Use these powerful reconnaissance capabilities ethically, legally, and in service of improving security for organizations and individuals alike. The cybersecurity field needs skilled professionals who can both understand and defend against the techniques we've explored.</p> <p>As you continue your journey in network security, keep learning, keep practicing, and most importantly, keep contributing to making the digital world more secure for everyone.</p> <h2> Additional Resources and References </h2> <h3> Official Documentation </h3> <ul> <li><a href="https://nmap.org/book/" rel="noopener noreferrer">Nmap Official Documentation</a></li> <li><a href="https://nmap.org/book/nse.html" rel="noopener noreferrer">Nmap Scripting Engine Documentation</a></li> <li><a href="https://nmap.org/book/toc.html" rel="noopener noreferrer">Nmap Network Scanning Book</a></li> </ul> <h3> Advanced Learning Resources </h3> <ul> <li><a href="https://www.sans.org/cyber-security-courses/network-penetration-testing-ethical-hacking/" rel="noopener noreferrer">SANS SEC560: Network Penetration Testing</a></li> <li><a href="https://www.offensive-security.com/pwk-oscp/" rel="noopener noreferrer">Offensive Security OSCP Certification</a></li> <li><a href="https://elearnsecurity.com/product/ecppt-certification/" rel="noopener noreferrer">eLearnSecurity eCPPT Certification</a></li> </ul> <h3> Technical References </h3> <ul> <li><a href="https://tools.ietf.org/html/rfc793" rel="noopener noreferrer">RFC 793: Transmission Control Protocol</a></li> <li><a href="https://tools.ietf.org/html/rfc792" rel="noopener noreferrer">RFC 792: Internet Control Message Protocol</a></li> <li><a href="https://csrc.nist.gov/publications/detail/sp/800-115/final" rel="noopener noreferrer">NIST SP 800-115: Technical Guide to Information Security Testing</a></li> </ul> <h3> Community Resources </h3> <ul> <li><a href="https://nmap.org/mailman/listinfo/nmap-hackers" rel="noopener noreferrer">Nmap Users Mailing List</a></li> <li><a href="https://security.stackexchange.com/" rel="noopener noreferrer">Security Stack Exchange</a></li> <li><a href="https://www.reddit.com/r/netsec/" rel="noopener noreferrer">r/NetSec on Reddit</a></li> </ul> <p><em>Have you implemented advanced Nmap techniques in your security assessments? Share your experiences and favorite NSE scripts in the comments below!</em></p> nmap programming ethical guide Purushotam Adhikari Mon, 08 Sep 2025 05:32:09 +0000 https://forem.com/caffinecoder54/zero-downtime-deployments-with-kubernetes-and-istio-43mp https://forem.com/caffinecoder54/zero-downtime-deployments-with-kubernetes-and-istio-43mp <p>In today's always-on digital world, application downtime isn't just inconvenient—it's expensive. A single minute of downtime can cost enterprises thousands of dollars in lost revenue, damaged reputation, and customer churn. While Kubernetes provides excellent deployment primitives, achieving true zero-downtime deployments requires sophisticated traffic management, health checking, and rollback capabilities.</p> <p>Enter Istio, the service mesh that transforms Kubernetes networking into a powerful platform for zero-downtime deployments. By combining Kubernetes' orchestration capabilities with Istio's advanced traffic management, we can achieve deployment strategies that are not only zero-downtime but also safe, observable, and easily reversible.</p> <p>This comprehensive guide will walk you through implementing production-ready zero-downtime deployment patterns using Kubernetes and Istio, complete with real-world examples, monitoring strategies, and troubleshooting techniques.</p> <h2> Understanding Zero-Downtime Deployments </h2> <p>Before diving into implementation, let's clarify what zero-downtime really means and why it's challenging to achieve.</p> <h3> What Constitutes Zero-Downtime? </h3> <p>True zero-downtime deployment means:</p> <ul> <li> <strong>No service interruption</strong> during the deployment process</li> <li> <strong>No failed requests</strong> due to deployment activities </li> <li> <strong>Seamless user experience</strong> with no noticeable performance degradation</li> <li> <strong>Instant rollback capability</strong> if issues arise</li> <li> <strong>Minimal resource overhead</strong> during the transition</li> </ul> <h3> Traditional Deployment Challenges </h3> <p>Standard Kubernetes deployments face several challenges:</p> <p><strong>Race Conditions</strong>: New pods might receive traffic before they're fully ready<br> <strong>Connection Draining</strong>: Existing connections may be abruptly terminated<br> <strong>Health Check Delays</strong>: Kubernetes health checks may not catch application-specific issues<br> <strong>Traffic Distribution</strong>: Uneven load distribution during pod transitions<br> <strong>Rollback Complexity</strong>: Difficult to implement sophisticated rollback strategies</p> <h3> The Istio Advantage </h3> <p>Istio addresses these challenges through:</p> <ul> <li> <strong>Intelligent traffic routing</strong> with fine-grained control</li> <li> <strong>Advanced health checking</strong> beyond basic Kubernetes probes</li> <li> <strong>Gradual traffic shifting</strong> with percentage-based routing</li> <li> <strong>Circuit breaking</strong> and fault injection for resilience</li> <li> <strong>Rich observability</strong> for deployment monitoring</li> <li> <strong>Policy enforcement</strong> for security and compliance</li> </ul> <h2> Prerequisites and Environment Setup </h2> <h3> Cluster Requirements </h3> <p>For this tutorial, you'll need:</p> <ul> <li> <strong>Kubernetes cluster</strong> (1.20+) with at least 4GB RAM per node</li> <li> <strong>kubectl</strong> configured with cluster admin access</li> <li> <strong>Helm 3.x</strong> for package management</li> <li> <strong>curl</strong> and <strong>jq</strong> for testing and JSON processing</li> </ul> <h3> Installing Istio </h3> <p>We'll install Istio using the official Istio CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Download and install Istio</span> curl <span class="nt">-L</span> https://istio.io/downloadIstio | sh - <span class="nb">cd </span>istio-1.19.0 <span class="nb">export </span><span class="nv">PATH</span><span class="o">=</span><span class="nv">$PWD</span>/bin:<span class="nv">$PATH</span> <span class="c"># Install Istio with default configuration</span> istioctl <span class="nb">install</span> <span class="nt">--set</span> values.defaultRevision<span class="o">=</span>default <span class="c"># Enable automatic sidecar injection for default namespace</span> kubectl label namespace default istio-injection<span class="o">=</span>enabled <span class="c"># Verify installation</span> kubectl get pods <span class="nt">-n</span> istio-system istioctl verify-install </code></pre> </div> <h3> Installing Observability Tools </h3> <p>Deploy Istio's observability stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install Kiali, Prometheus, Grafana, and Jaeger</span> kubectl apply <span class="nt">-f</span> samples/addons/ <span class="c"># Verify all components are running</span> kubectl get pods <span class="nt">-n</span> istio-system </code></pre> </div> <h3> Sample Application Setup </h3> <p>We'll use a multi-tier application to demonstrate deployment strategies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># bookinfo-app.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">service</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9080</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bookinfo-productpage</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-v1</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">bookinfo-productpage</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.io/istio/examples-bookinfo-productpage-v1:1.17.0</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9080</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">100m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">128Mi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">200m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">256Mi</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9080</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9080</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> </code></pre> </div> <p>Deploy the application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> bookinfo-app.yaml kubectl get pods <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>productpage </code></pre> </div> <h2> Istio Traffic Management Fundamentals </h2> <h3> Virtual Services and Destination Rules </h3> <p>Istio uses Virtual Services and Destination Rules to control traffic routing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># traffic-management.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VirtualService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">productpage</span> <span class="na">http</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">headers</span><span class="pi">:</span> <span class="na">end-user</span><span class="pi">:</span> <span class="na">exact</span><span class="pi">:</span> <span class="s">jason</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v1</span> <span class="pi">-</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">100</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DestinationRule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subsets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">trafficPolicy</span><span class="pi">:</span> <span class="na">connectionPool</span><span class="pi">:</span> <span class="na">tcp</span><span class="pi">:</span> <span class="na">maxConnections</span><span class="pi">:</span> <span class="m">10</span> <span class="na">http</span><span class="pi">:</span> <span class="na">http1MaxPendingRequests</span><span class="pi">:</span> <span class="m">10</span> <span class="na">maxRequestsPerConnection</span><span class="pi">:</span> <span class="m">2</span> <span class="na">circuitBreaker</span><span class="pi">:</span> <span class="na">consecutiveGatewayErrors</span><span class="pi">:</span> <span class="m">5</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">baseEjectionTime</span><span class="pi">:</span> <span class="s">30s</span> </code></pre> </div> <h3> Gateway Configuration </h3> <p>Set up ingress traffic management:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># gateway.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Gateway</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bookinfo-gateway</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">istio</span><span class="pi">:</span> <span class="s">ingressgateway</span> <span class="na">servers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">*"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VirtualService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bookinfo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">gateways</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">bookinfo-gateway</span> <span class="na">http</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uri</span><span class="pi">:</span> <span class="na">exact</span><span class="pi">:</span> <span class="s">/productpage</span> <span class="pi">-</span> <span class="na">uri</span><span class="pi">:</span> <span class="na">prefix</span><span class="pi">:</span> <span class="s">/static</span> <span class="pi">-</span> <span class="na">uri</span><span class="pi">:</span> <span class="na">exact</span><span class="pi">:</span> <span class="s">/login</span> <span class="pi">-</span> <span class="na">uri</span><span class="pi">:</span> <span class="na">exact</span><span class="pi">:</span> <span class="s">/logout</span> <span class="pi">-</span> <span class="na">uri</span><span class="pi">:</span> <span class="na">prefix</span><span class="pi">:</span> <span class="s">/api/v1/products</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">9080</span> </code></pre> </div> <p>Apply the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> traffic-management.yaml kubectl apply <span class="nt">-f</span> gateway.yaml </code></pre> </div> <h2> Blue-Green Deployment Strategy </h2> <p>Blue-Green deployment maintains two identical production environments, switching traffic instantly between them.</p> <h3> Setting Up Blue-Green Infrastructure </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># blue-green-deployment.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-blue</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">version</span><span class="pi">:</span> <span class="s">blue</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">version</span><span class="pi">:</span> <span class="s">blue</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">version</span><span class="pi">:</span> <span class="s">blue</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.io/istio/examples-bookinfo-productpage-v1:1.17.0</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9080</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">100m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">128Mi</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9080</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9080</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-green</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">version</span><span class="pi">:</span> <span class="s">green</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">version</span><span class="pi">:</span> <span class="s">green</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">version</span><span class="pi">:</span> <span class="s">green</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.io/istio/examples-bookinfo-productpage-v2:1.17.0</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9080</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">100m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">128Mi</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9080</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9080</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> </code></pre> </div> <h3> Blue-Green Traffic Management </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># blue-green-virtual-service.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VirtualService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-bg</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">productpage</span> <span class="na">http</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">blue</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">100</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">green</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">0</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DestinationRule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-bg</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subsets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">blue</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">blue</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">green</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">green</span> </code></pre> </div> <h3> Automated Blue-Green Switching </h3> <p>Create a script for automated switching:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># blue-green-switch.sh</span> <span class="nv">CURRENT_COLOR</span><span class="o">=</span><span class="si">$(</span>kubectl get virtualservice productpage-bg <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.http[0].route[0].weight}'</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$CURRENT_COLOR</span><span class="s2">"</span> <span class="o">==</span> <span class="s2">"100"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Switching from Blue to Green..."</span> <span class="nv">NEW_BLUE_WEIGHT</span><span class="o">=</span>0 <span class="nv">NEW_GREEN_WEIGHT</span><span class="o">=</span>100 <span class="k">else </span><span class="nb">echo</span> <span class="s2">"Switching from Green to Blue..."</span> <span class="nv">NEW_BLUE_WEIGHT</span><span class="o">=</span>100 <span class="nv">NEW_GREEN_WEIGHT</span><span class="o">=</span>0 <span class="k">fi</span> <span class="c"># Update virtual service with new weights</span> kubectl patch virtualservice productpage-bg <span class="nt">--type</span><span class="o">=</span><span class="s1">'json'</span> <span class="nt">-p</span><span class="o">=</span><span class="s2">"[ {</span><span class="se">\"</span><span class="s2">op</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">replace</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">path</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">/spec/http/0/route/0/weight</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">value</span><span class="se">\"</span><span class="s2">: </span><span class="nv">$NEW_BLUE_WEIGHT</span><span class="s2">}, {</span><span class="se">\"</span><span class="s2">op</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">replace</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">path</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">/spec/http/0/route/1/weight</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">value</span><span class="se">\"</span><span class="s2">: </span><span class="nv">$NEW_GREEN_WEIGHT</span><span class="s2">} ]"</span> <span class="nb">echo</span> <span class="s2">"Traffic switched successfully!"</span> <span class="c"># Wait and verify health</span> <span class="nb">sleep </span>10 kubectl get virtualservice productpage-bg <span class="nt">-o</span> yaml </code></pre> </div> <h2> Canary Deployment Strategy </h2> <p>Canary deployments gradually shift traffic to new versions, allowing for safe testing with real user traffic.</p> <h3> Implementing Progressive Traffic Shifting </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># canary-deployment.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VirtualService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-canary</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">productpage</span> <span class="na">http</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">headers</span><span class="pi">:</span> <span class="na">canary</span><span class="pi">:</span> <span class="na">exact</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v2</span> <span class="pi">-</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">90</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">10</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DestinationRule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-canary</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subsets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">trafficPolicy</span><span class="pi">:</span> <span class="na">connectionPool</span><span class="pi">:</span> <span class="na">tcp</span><span class="pi">:</span> <span class="na">maxConnections</span><span class="pi">:</span> <span class="m">50</span> <span class="na">http</span><span class="pi">:</span> <span class="na">http1MaxPendingRequests</span><span class="pi">:</span> <span class="m">10</span> <span class="na">circuitBreaker</span><span class="pi">:</span> <span class="na">consecutiveGatewayErrors</span><span class="pi">:</span> <span class="m">3</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> </code></pre> </div> <h3> Automated Canary Progression </h3> <p>Create a progressive canary deployment script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># canary-progression.sh</span> <span class="nv">CANARY_STEPS</span><span class="o">=(</span>10 25 50 75 100<span class="o">)</span> <span class="nv">MONITOR_DURATION</span><span class="o">=</span>300 <span class="c"># 5 minutes between steps</span> <span class="k">for </span>WEIGHT <span class="k">in</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CANARY_STEPS</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> <span class="k">do </span><span class="nv">STABLE_WEIGHT</span><span class="o">=</span><span class="k">$((</span><span class="m">100</span> <span class="o">-</span> WEIGHT<span class="k">))</span> <span class="nb">echo</span> <span class="s2">"Setting canary traffic to </span><span class="k">${</span><span class="nv">WEIGHT</span><span class="k">}</span><span class="s2">%, stable to </span><span class="k">${</span><span class="nv">STABLE_WEIGHT</span><span class="k">}</span><span class="s2">%"</span> kubectl patch virtualservice productpage-canary <span class="nt">--type</span><span class="o">=</span><span class="s1">'json'</span> <span class="nt">-p</span><span class="o">=</span><span class="s2">"[ {</span><span class="se">\"</span><span class="s2">op</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">replace</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">path</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">/spec/http/1/route/0/weight</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">value</span><span class="se">\"</span><span class="s2">: </span><span class="nv">$STABLE_WEIGHT</span><span class="s2">}, {</span><span class="se">\"</span><span class="s2">op</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">replace</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">path</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">/spec/http/1/route/1/weight</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">value</span><span class="se">\"</span><span class="s2">: </span><span class="nv">$WEIGHT</span><span class="s2">} ]"</span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$WEIGHT</span> <span class="nt">-lt</span> 100 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Monitoring for </span><span class="nv">$MONITOR_DURATION</span><span class="s2"> seconds..."</span> <span class="nb">sleep</span> <span class="nv">$MONITOR_DURATION</span> <span class="c"># Check error rate</span> <span class="nv">ERROR_RATE</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="s2">"http://prometheus:9090/api/v1/query?query=sum(rate(istio_requests_total{destination_service_name=</span><span class="se">\"</span><span class="s2">productpage</span><span class="se">\"</span><span class="s2">,response_code!~</span><span class="se">\"</span><span class="s2">2.*</span><span class="se">\"</span><span class="s2">}[5m]))/sum(rate(istio_requests_total{destination_service_name=</span><span class="se">\"</span><span class="s2">productpage</span><span class="se">\"</span><span class="s2">}[5m]))"</span> | jq <span class="nt">-r</span> <span class="s1">'.data.result[0].value[1] // 0'</span><span class="si">)</span> <span class="k">if</span> <span class="o">((</span> <span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$ERROR_RATE</span><span class="s2"> &gt; 0.05"</span> | bc <span class="nt">-l</span><span class="si">)</span> <span class="o">))</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Error rate too high (</span><span class="nv">$ERROR_RATE</span><span class="s2">), rolling back!"</span> kubectl patch virtualservice productpage-canary <span class="nt">--type</span><span class="o">=</span><span class="s1">'json'</span> <span class="nt">-p</span><span class="o">=</span><span class="s2">"[ {</span><span class="se">\"</span><span class="s2">op</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">replace</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">path</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">/spec/http/1/route/0/weight</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">value</span><span class="se">\"</span><span class="s2">: 100}, {</span><span class="se">\"</span><span class="s2">op</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">replace</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">path</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">/spec/http/1/route/1/weight</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">value</span><span class="se">\"</span><span class="s2">: 0} ]"</span> <span class="nb">exit </span>1 <span class="k">fi fi done </span><span class="nb">echo</span> <span class="s2">"Canary deployment completed successfully!"</span> </code></pre> </div> <h2> Advanced Deployment Patterns </h2> <h3> A/B Testing with Header-Based Routing </h3> <p>Implement A/B testing using custom headers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ab-testing.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VirtualService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-ab</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">productpage</span> <span class="na">http</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">headers</span><span class="pi">:</span> <span class="na">user-group</span><span class="pi">:</span> <span class="na">exact</span><span class="pi">:</span> <span class="s2">"</span><span class="s">beta"</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v2</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">headers</span><span class="pi">:</span> <span class="na">user-agent</span><span class="pi">:</span> <span class="na">regex</span><span class="pi">:</span> <span class="s2">"</span><span class="s">.*Mobile.*"</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">70</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">30</span> <span class="pi">-</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">80</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">20</span> </code></pre> </div> <h3> Feature Flag Integration </h3> <p>Combine Istio routing with feature flags:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># feature-flag-routing.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VirtualService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-features</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">productpage</span> <span class="na">http</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">headers</span><span class="pi">:</span> <span class="na">x-feature-new-ui</span><span class="pi">:</span> <span class="na">exact</span><span class="pi">:</span> <span class="s2">"</span><span class="s">enabled"</span> <span class="na">fault</span><span class="pi">:</span> <span class="na">delay</span><span class="pi">:</span> <span class="na">percentage</span><span class="pi">:</span> <span class="na">value</span><span class="pi">:</span> <span class="m">0.1</span> <span class="na">fixedDelay</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v2</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uri</span><span class="pi">:</span> <span class="na">prefix</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/api/v2"</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v2</span> <span class="pi">-</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v1</span> </code></pre> </div> <h3> Geographic Routing </h3> <p>Implement region-based deployments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># geo-routing.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VirtualService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-geo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">productpage</span> <span class="na">http</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">headers</span><span class="pi">:</span> <span class="na">x-forwarded-for</span><span class="pi">:</span> <span class="na">regex</span><span class="pi">:</span> <span class="s2">"</span><span class="s">^10</span><span class="err">\</span><span class="s">.1</span><span class="err">\</span><span class="s">..*"</span> <span class="c1"># US East region</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">us-east</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">headers</span><span class="pi">:</span> <span class="na">x-forwarded-for</span><span class="pi">:</span> <span class="na">regex</span><span class="pi">:</span> <span class="s2">"</span><span class="s">^10</span><span class="err">\</span><span class="s">.2</span><span class="err">\</span><span class="s">..*"</span> <span class="c1"># US West region</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">us-west</span> <span class="pi">-</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">default</span> </code></pre> </div> <h2> Health Checks and Readiness </h2> <h3> Advanced Health Check Configuration </h3> <p>Configure comprehensive health checks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># advanced-health-checks.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-v2</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.io/istio/examples-bookinfo-productpage-v2:1.17.0</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9080</span> <span class="na">httpHeaders</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">X-Health-Check</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">readiness"</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="m">3</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">3</span> <span class="na">successThreshold</span><span class="pi">:</span> <span class="m">1</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9080</span> <span class="na">httpHeaders</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">X-Health-Check</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">liveness"</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">3</span> <span class="na">startupProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9080</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="m">3</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">30</span> </code></pre> </div> <h3> Custom Health Check Service </h3> <p>Implement application-specific health checking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># health-checker.py </span><span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">kubernetes</span> <span class="kn">import</span> <span class="n">client</span><span class="p">,</span> <span class="n">config</span> <span class="k">class</span> <span class="nc">HealthChecker</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">service_name</span><span class="p">,</span> <span class="n">namespace</span><span class="o">=</span><span class="sh">"</span><span class="s">default</span><span class="sh">"</span><span class="p">):</span> <span class="n">config</span><span class="p">.</span><span class="nf">load_incluster_config</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">v1</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nc">CoreV1Api</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">service_name</span> <span class="o">=</span> <span class="n">service_name</span> <span class="n">self</span><span class="p">.</span><span class="n">namespace</span> <span class="o">=</span> <span class="n">namespace</span> <span class="k">def</span> <span class="nf">check_pod_health</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">pod_ip</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Perform comprehensive health check</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Basic connectivity </span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">http://</span><span class="si">{</span><span class="n">pod_ip</span><span class="si">}</span><span class="s">:9080/health</span><span class="sh">"</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">5</span><span class="p">)</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">!=</span> <span class="mi">200</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="c1"># Application-specific checks </span> <span class="n">app_response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">http://</span><span class="si">{</span><span class="n">pod_ip</span><span class="si">}</span><span class="s">:9080/productpage</span><span class="sh">"</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="k">if</span> <span class="n">app_response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">!=</span> <span class="mi">200</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="c1"># Response time check </span> <span class="k">if</span> <span class="n">app_response</span><span class="p">.</span><span class="n">elapsed</span><span class="p">.</span><span class="nf">total_seconds</span><span class="p">()</span> <span class="o">&gt;</span> <span class="mf">2.0</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">def</span> <span class="nf">get_healthy_pods</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Return list of healthy pods</span><span class="sh">"""</span> <span class="n">pods</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">v1</span><span class="p">.</span><span class="nf">list_namespaced_pod</span><span class="p">(</span> <span class="n">namespace</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">namespace</span><span class="p">,</span> <span class="n">label_selector</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">app=</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">service_name</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">healthy_pods</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">pod</span> <span class="ow">in</span> <span class="n">pods</span><span class="p">.</span><span class="n">items</span><span class="p">:</span> <span class="k">if</span> <span class="n">pod</span><span class="p">.</span><span class="n">status</span><span class="p">.</span><span class="n">phase</span> <span class="o">==</span> <span class="sh">"</span><span class="s">Running</span><span class="sh">"</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="nf">check_pod_health</span><span class="p">(</span><span class="n">pod</span><span class="p">.</span><span class="n">status</span><span class="p">.</span><span class="n">pod_ip</span><span class="p">):</span> <span class="n">healthy_pods</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">pod</span><span class="p">)</span> <span class="k">return</span> <span class="n">healthy_pods</span> <span class="k">def</span> <span class="nf">wait_for_rollout</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">min_healthy</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">300</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Wait for deployment rollout to complete</span><span class="sh">"""</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">while</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">start_time</span> <span class="o">&lt;</span> <span class="n">timeout</span><span class="p">:</span> <span class="n">healthy</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">get_healthy_pods</span><span class="p">()</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">healthy</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="n">min_healthy</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> </code></pre> </div> <h2> Circuit Breaking and Fault Tolerance </h2> <h3> Implementing Circuit Breakers </h3> <p>Configure circuit breakers to prevent cascade failures:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># circuit-breaker.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DestinationRule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-circuit-breaker</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">trafficPolicy</span><span class="pi">:</span> <span class="na">connectionPool</span><span class="pi">:</span> <span class="na">tcp</span><span class="pi">:</span> <span class="na">maxConnections</span><span class="pi">:</span> <span class="m">10</span> <span class="na">http</span><span class="pi">:</span> <span class="na">http1MaxPendingRequests</span><span class="pi">:</span> <span class="m">10</span> <span class="na">http2MaxRequests</span><span class="pi">:</span> <span class="m">100</span> <span class="na">maxRequestsPerConnection</span><span class="pi">:</span> <span class="m">2</span> <span class="na">maxRetries</span><span class="pi">:</span> <span class="m">3</span> <span class="na">consecutiveGatewayErrors</span><span class="pi">:</span> <span class="m">5</span> <span class="na">h2UpgradePolicy</span><span class="pi">:</span> <span class="s">UPGRADE</span> <span class="na">circuitBreaker</span><span class="pi">:</span> <span class="na">consecutiveGatewayErrors</span><span class="pi">:</span> <span class="m">5</span> <span class="na">consecutiveServerErrors</span><span class="pi">:</span> <span class="m">5</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">baseEjectionTime</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">maxEjectionPercent</span><span class="pi">:</span> <span class="m">50</span> <span class="na">minHealthPercent</span><span class="pi">:</span> <span class="m">30</span> <span class="na">retryPolicy</span><span class="pi">:</span> <span class="na">attempts</span><span class="pi">:</span> <span class="m">3</span> <span class="na">perTryTimeout</span><span class="pi">:</span> <span class="s">2s</span> <span class="na">retryOn</span><span class="pi">:</span> <span class="s">gateway-error,connect-failure,refused-stream</span> <span class="na">subsets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">trafficPolicy</span><span class="pi">:</span> <span class="na">circuitBreaker</span><span class="pi">:</span> <span class="na">consecutiveGatewayErrors</span><span class="pi">:</span> <span class="m">3</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5s</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v2</span> </code></pre> </div> <h3> Fault Injection for Testing </h3> <p>Test deployment resilience with fault injection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># fault-injection.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VirtualService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-fault-test</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">productpage</span> <span class="na">http</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">headers</span><span class="pi">:</span> <span class="na">x-test-fault</span><span class="pi">:</span> <span class="na">exact</span><span class="pi">:</span> <span class="s2">"</span><span class="s">delay"</span> <span class="na">fault</span><span class="pi">:</span> <span class="na">delay</span><span class="pi">:</span> <span class="na">percentage</span><span class="pi">:</span> <span class="na">value</span><span class="pi">:</span> <span class="m">10</span> <span class="na">fixedDelay</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v2</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">headers</span><span class="pi">:</span> <span class="na">x-test-fault</span><span class="pi">:</span> <span class="na">exact</span><span class="pi">:</span> <span class="s2">"</span><span class="s">abort"</span> <span class="na">fault</span><span class="pi">:</span> <span class="na">abort</span><span class="pi">:</span> <span class="na">percentage</span><span class="pi">:</span> <span class="na">value</span><span class="pi">:</span> <span class="m">5</span> <span class="na">httpStatus</span><span class="pi">:</span> <span class="m">503</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v2</span> <span class="pi">-</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v1</span> </code></pre> </div> <h2> Monitoring and Observability </h2> <h3> Custom Metrics Collection </h3> <p>Define custom metrics for deployment monitoring:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># telemetry-config.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">telemetry.istio.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Telemetry</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">deployment-metrics</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">providers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prometheus</span> <span class="pi">-</span> <span class="na">overrides</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="na">metric</span><span class="pi">:</span> <span class="s">ALL_METRICS</span> <span class="na">tagOverrides</span><span class="pi">:</span> <span class="na">deployment_version</span><span class="pi">:</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">has(source.labels) ? source.labels["version"] : "unknown"</span> <span class="na">canary_weight</span><span class="pi">:</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">has(destination.labels) ? destination.labels["canary-weight"] : "0"</span> </code></pre> </div> <h3> Deployment Dashboard </h3> <p>Create a Grafana dashboard for deployment monitoring:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"dashboard"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Zero-Downtime Deployment Dashboard"</span><span class="p">,</span><span class="w"> </span><span class="nl">"panels"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Request Rate by Version"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"graph"</span><span class="p">,</span><span class="w"> </span><span class="nl">"targets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"expr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sum(rate(istio_requests_total{destination_service_name=</span><span class="se">\"</span><span class="s2">productpage</span><span class="se">\"</span><span class="s2">}[5m])) by (destination_version)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"legendFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Version {{destination_version}}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Error Rate by Version"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"graph"</span><span class="p">,</span><span class="w"> </span><span class="nl">"targets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"expr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sum(rate(istio_requests_total{destination_service_name=</span><span class="se">\"</span><span class="s2">productpage</span><span class="se">\"</span><span class="s2">,response_code!~</span><span class="se">\"</span><span class="s2">2.*</span><span class="se">\"</span><span class="s2">}[5m])) by (destination_version)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"legendFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Errors {{destination_version}}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Response Time Percentiles"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"graph"</span><span class="p">,</span><span class="w"> </span><span class="nl">"targets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"expr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"histogram_quantile(0.50, sum(rate(istio_request_duration_milliseconds_bucket{destination_service_name=</span><span class="se">\"</span><span class="s2">productpage</span><span class="se">\"</span><span class="s2">}[5m])) by (destination_version, le))"</span><span class="p">,</span><span class="w"> </span><span class="nl">"legendFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"P50 {{destination_version}}"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"expr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"histogram_quantile(0.95, sum(rate(istio_request_duration_milliseconds_bucket{destination_service_name=</span><span class="se">\"</span><span class="s2">productpage</span><span class="se">\"</span><span class="s2">}[5m])) by (destination_version, le))"</span><span class="p">,</span><span class="w"> </span><span class="nl">"legendFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"P95 {{destination_version}}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Automated Monitoring Scripts </h3> <p>Create monitoring automation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># deployment-monitor.sh</span> <span class="nv">PROMETHEUS_URL</span><span class="o">=</span><span class="s2">"http://prometheus:9090"</span> <span class="nv">ALERT_WEBHOOK</span><span class="o">=</span><span class="s2">"https://hooks.slack.com/your/webhook"</span> monitor_deployment<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">service_name</span><span class="o">=</span><span class="nv">$1</span> <span class="nb">local </span><span class="nv">error_threshold</span><span class="o">=</span><span class="k">${</span><span class="nv">2</span><span class="k">:-</span><span class="nv">0</span><span class="p">.05</span><span class="k">}</span> <span class="nb">local </span><span class="nv">latency_threshold</span><span class="o">=</span><span class="k">${</span><span class="nv">3</span><span class="k">:-</span><span class="nv">2000</span><span class="k">}</span> <span class="c"># Check error rate</span> <span class="nv">error_rate</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="s2">"</span><span class="k">${</span><span class="nv">PROMETHEUS_URL</span><span class="k">}</span><span class="s2">/api/v1/query?query=sum(rate(istio_requests_total{destination_service_name=</span><span class="se">\"</span><span class="k">${</span><span class="nv">service_name</span><span class="k">}</span><span class="se">\"</span><span class="s2">,response_code!~</span><span class="se">\"</span><span class="s2">2.*</span><span class="se">\"</span><span class="s2">}[5m]))/sum(rate(istio_requests_total{destination_service_name=</span><span class="se">\"</span><span class="k">${</span><span class="nv">service_name</span><span class="k">}</span><span class="se">\"</span><span class="s2">}[5m]))"</span> | jq <span class="nt">-r</span> <span class="s1">'.data.result[0].value[1] // 0'</span><span class="si">)</span> <span class="c"># Check P95 latency</span> <span class="nv">p95_latency</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="s2">"</span><span class="k">${</span><span class="nv">PROMETHEUS_URL</span><span class="k">}</span><span class="s2">/api/v1/query?query=histogram_quantile(0.95,sum(rate(istio_request_duration_milliseconds_bucket{destination_service_name=</span><span class="se">\"</span><span class="k">${</span><span class="nv">service_name</span><span class="k">}</span><span class="se">\"</span><span class="s2">}[5m]))by(le))"</span> | jq <span class="nt">-r</span> <span class="s1">'.data.result[0].value[1] // 0'</span><span class="si">)</span> <span class="c"># Alert if thresholds exceeded</span> <span class="k">if</span> <span class="o">((</span> <span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$error_rate</span><span class="s2"> &gt; </span><span class="nv">$error_threshold</span><span class="s2">"</span> | bc <span class="nt">-l</span><span class="si">)</span> <span class="o">))</span><span class="p">;</span> <span class="k">then </span>send_alert <span class="s2">"High error rate detected: </span><span class="nv">$error_rate</span><span class="s2"> for </span><span class="nv">$service_name</span><span class="s2">"</span> <span class="k">return </span>1 <span class="k">fi if</span> <span class="o">((</span> <span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$p95_latency</span><span class="s2"> &gt; </span><span class="nv">$latency_threshold</span><span class="s2">"</span> | bc <span class="nt">-l</span><span class="si">)</span> <span class="o">))</span><span class="p">;</span> <span class="k">then </span>send_alert <span class="s2">"High latency detected: </span><span class="k">${</span><span class="nv">p95_latency</span><span class="k">}</span><span class="s2">ms P95 for </span><span class="nv">$service_name</span><span class="s2">"</span> <span class="k">return </span>1 <span class="k">fi return </span>0 <span class="o">}</span> send_alert<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">message</span><span class="o">=</span><span class="nv">$1</span> curl <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s1">'Content-type: application/json'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s2">"{</span><span class="se">\"</span><span class="s2">text</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">🚨 Deployment Alert: </span><span class="nv">$message</span><span class="se">\"</span><span class="s2">}"</span> <span class="se">\</span> <span class="s2">"</span><span class="nv">$ALERT_WEBHOOK</span><span class="s2">"</span> <span class="o">}</span> <span class="c"># Monitor every 30 seconds</span> <span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do </span>monitor_deployment <span class="s2">"productpage"</span> <span class="nb">sleep </span>30 <span class="k">done</span> </code></pre> </div> <h2> Automated Rollback Strategies </h2> <h3> Prometheus-Based Automatic Rollback </h3> <p>Implement automatic rollback based on metrics:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># auto-rollback.sh</span> <span class="nv">PROMETHEUS_URL</span><span class="o">=</span><span class="s2">"http://prometheus:9090"</span> <span class="nv">SERVICE_NAME</span><span class="o">=</span><span class="s2">"productpage"</span> <span class="nv">ERROR_THRESHOLD</span><span class="o">=</span>0.05 <span class="nv">LATENCY_THRESHOLD</span><span class="o">=</span>2000 <span class="nv">CHECK_DURATION</span><span class="o">=</span>300 <span class="c"># 5 minutes</span> perform_rollback<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"Performing automatic rollback for </span><span class="nv">$SERVICE_NAME</span><span class="s2">"</span> <span class="c"># Get current virtual service</span> <span class="nv">CURRENT_VS</span><span class="o">=</span><span class="si">$(</span>kubectl get virtualservice <span class="k">${</span><span class="nv">SERVICE_NAME</span><span class="k">}</span><span class="nt">-canary</span> <span class="nt">-o</span> yaml<span class="si">)</span> <span class="c"># Reset to 100% stable version</span> kubectl patch virtualservice <span class="k">${</span><span class="nv">SERVICE_NAME</span><span class="k">}</span><span class="nt">-canary</span> <span class="nt">--type</span><span class="o">=</span><span class="s1">'json'</span> <span class="nt">-p</span><span class="o">=</span><span class="s1">'[ {"op": "replace", "path": "/spec/http/1/route/0/weight", "value": 100}, {"op": "replace", "path": "/spec/http/1/route/1/weight", "value": 0} ]'</span> <span class="c"># Scale down canary deployment</span> kubectl scale deployment <span class="k">${</span><span class="nv">SERVICE_NAME</span><span class="k">}</span><span class="nt">-v2</span> <span class="nt">--replicas</span><span class="o">=</span>0 <span class="nb">echo</span> <span class="s2">"Rollback completed successfully"</span> <span class="c"># Send notification</span> send_notification <span class="s2">"Automatic rollback performed for </span><span class="nv">$SERVICE_NAME</span><span class="s2"> due to metric threshold violation"</span> <span class="o">}</span> check_deployment_health<span class="o">()</span> <span class="o">{</span> <span class="c"># Query error rate</span> <span class="nv">error_rate</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="s2">"</span><span class="k">${</span><span class="nv">PROMETHEUS_URL</span><span class="k">}</span><span class="s2">/api/v1/query?query=sum(rate(istio_requests_total{destination_service_name=</span><span class="se">\"</span><span class="k">${</span><span class="nv">SERVICE_NAME</span><span class="k">}</span><span class="se">\"</span><span class="s2">,response_code!~</span><span class="se">\"</span><span class="s2">2.*</span><span class="se">\"</span><span class="s2">}[5m]))/sum(rate(istio_requests_total{destination_service_name=</span><span class="se">\"</span><span class="k">${</span><span class="nv">SERVICE_NAME</span><span class="k">}</span><span class="se">\"</span><span class="s2">}[5m]))"</span> | jq <span class="nt">-r</span> <span class="s1">'.data.result[0].value[1] // 0'</span><span class="si">)</span> <span class="c"># Query P95 latency</span> <span class="nv">p95_latency</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="s2">"</span><span class="k">${</span><span class="nv">PROMETHEUS_URL</span><span class="k">}</span><span class="s2">/api/v1/query?query=histogram_quantile(0.95,sum(rate(istio_request_duration_milliseconds_bucket{destination_service_name=</span><span class="se">\"</span><span class="k">${</span><span class="nv">SERVICE_NAME</span><span class="k">}</span><span class="se">\"</span><span class="s2">}[5m]))by(le))"</span> | jq <span class="nt">-r</span> <span class="s1">'.data.result[0].value[1] // 0'</span><span class="si">)</span> <span class="c"># Check thresholds</span> <span class="k">if</span> <span class="o">((</span> <span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$error_rate</span><span class="s2"> &gt; </span><span class="nv">$ERROR_THRESHOLD</span><span class="s2">"</span> | bc <span class="nt">-l</span><span class="si">)</span> <span class="o">))</span> <span class="o">||</span> <span class="o">((</span> <span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$p95_latency</span><span class="s2"> &gt; </span><span class="nv">$LATENCY_THRESHOLD</span><span class="s2">"</span> | bc <span class="nt">-l</span><span class="si">)</span> <span class="o">))</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Health check failed: Error rate=</span><span class="nv">$error_rate</span><span class="s2">, P95 latency=</span><span class="k">${</span><span class="nv">p95_latency</span><span class="k">}</span><span class="s2">ms"</span> <span class="k">return </span>1 <span class="k">fi return </span>0 <span class="o">}</span> <span class="c"># Monitor deployment for specified duration</span> <span class="nv">start_time</span><span class="o">=</span><span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span> <span class="k">while</span> <span class="o">[</span> <span class="k">$((</span><span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span> <span class="o">-</span> start_time<span class="k">))</span> <span class="nt">-lt</span> <span class="nv">$CHECK_DURATION</span> <span class="o">]</span><span class="p">;</span> <span class="k">do if</span> <span class="o">!</span> check_deployment_health<span class="p">;</span> <span class="k">then </span>perform_rollback <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">sleep </span>30 <span class="k">done </span><span class="nb">echo</span> <span class="s2">"Deployment monitoring completed successfully"</span> </code></pre> </div> <h3> GitOps Integration </h3> <p>Integrate with ArgoCD for GitOps-based rollbacks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># argocd-rollback.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rollout</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-rollout</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">5</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">canary</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">10</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">300s</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">25</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">300s</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">50</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">300s</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">75</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">300s</span> <span class="na">canaryService</span><span class="pi">:</span> <span class="s">productpage-canary</span> <span class="na">stableService</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">trafficRouting</span><span class="pi">:</span> <span class="na">istio</span><span class="pi">:</span> <span class="na">virtualService</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-rollout</span> <span class="na">destinationRule</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-rollout</span> <span class="na">canarySubsetName</span><span class="pi">:</span> <span class="s">canary</span> <span class="na">stableSubsetName</span><span class="pi">:</span> <span class="s">stable</span> <span class="na">analysis</span><span class="pi">:</span> <span class="na">templates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">templateName</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">service-name</span> <span class="na">value</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">startingStep</span><span class="pi">:</span> <span class="m">2</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">60s</span> <span class="na">count</span><span class="pi">:</span> <span class="m">5</span> <span class="na">successCondition</span><span class="pi">:</span> <span class="s">result[0] &gt;= </span><span class="m">0.95</span> <span class="na">failureLimit</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.io/istio/examples-bookinfo-productpage-v1:1.17.0</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9080</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AnalysisTemplate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">service-name</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">60s</span> <span class="na">count</span><span class="pi">:</span> <span class="m">5</span> <span class="na">successCondition</span><span class="pi">:</span> <span class="s">result[0] &gt;= </span><span class="m">0.95</span> <span class="na">failureLimit</span><span class="pi">:</span> <span class="m">3</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">http://prometheus.istio-system:9090</span> <span class="na">query</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sum(rate(</span> <span class="s">istio_requests_total{</span> <span class="s">destination_service_name="{{args.service-name}}",</span> <span class="s">response_code!~"5.*"</span> <span class="s">}[2m]</span> <span class="s">)) / </span> <span class="s">sum(rate(</span> <span class="s">istio_requests_total{</span> <span class="s">destination_service_name="{{args.service-name}}"</span> <span class="s">}[2m]</span> <span class="s">))</span> </code></pre> </div> <h2> Production Best Practices </h2> <h3> Resource Management </h3> <p>Proper resource allocation is crucial for zero-downtime deployments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># resource-management.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-optimized</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">200m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">JAVA_OPTS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-Xms256m</span><span class="nv"> </span><span class="s">-Xmx256m"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">istio-proxy</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">128Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">200m"</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="na">workload-type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">web-app"</span> <span class="na">affinity</span><span class="pi">:</span> <span class="na">podAntiAffinity</span><span class="pi">:</span> <span class="na">preferredDuringSchedulingIgnoredDuringExecution</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">100</span> <span class="na">podAffinityTerm</span><span class="pi">:</span> <span class="na">labelSelector</span><span class="pi">:</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">app</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">productpage</span> <span class="na">topologyKey</span><span class="pi">:</span> <span class="s">kubernetes.io/hostname</span> </code></pre> </div> <h3> Security Considerations </h3> <p>Implement security policies for production deployments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># security-policies.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">security.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PeerAuthentication</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-mtls</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">mtls</span><span class="pi">:</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">STRICT</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">security.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AuthorizationPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-authz</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">from</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">source</span><span class="pi">:</span> <span class="na">principals</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">cluster.local/ns/default/sa/bookinfo-reviews"</span><span class="pi">]</span> <span class="na">to</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">operation</span><span class="pi">:</span> <span class="na">methods</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">GET"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">from</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">source</span><span class="pi">:</span> <span class="na">namespaces</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">istio-system"</span><span class="pi">]</span> <span class="na">to</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">operation</span><span class="pi">:</span> <span class="na">methods</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">GET"</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/health"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">/metrics"</span><span class="pi">]</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Sidecar</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">productpage-sidecar</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">workloadSelector</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">egress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">./*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">istio-system/*"</span> </code></pre> </div> <h3> Performance Optimization </h3> <p>Optimize Istio configuration for production workloads:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># performance-optimization.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">istio-performance</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">istio-system</span> <span class="na">data</span><span class="pi">:</span> <span class="na">mesh</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">defaultConfig:</span> <span class="s">concurrency: 2</span> <span class="s">proxyStatsMatcher:</span> <span class="s">exclusionRegexps:</span> <span class="s">- ".*_cx_.*"</span> <span class="s">holdApplicationUntilProxyStarts: true</span> <span class="s">defaultProviders:</span> <span class="s">metrics:</span> <span class="s">- prometheus</span> <span class="s">extensionProviders:</span> <span class="s">- name: prometheus</span> <span class="s">prometheus:</span> <span class="s">configOverride:</span> <span class="s">metric_relabeling_configs:</span> <span class="s">- source_labels: [__name__]</span> <span class="s">regex: 'istio_build|pilot_k8s_cfg_events'</span> <span class="s">action: drop</span> </code></pre> </div> <h2> Testing Zero-Downtime Deployments </h2> <h3> Load Testing During Deployment </h3> <p>Create comprehensive load tests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># load-test.py </span><span class="kn">import</span> <span class="n">asyncio</span> <span class="kn">import</span> <span class="n">aiohttp</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="k">class</span> <span class="nc">DeploymentLoadTester</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">base_url</span><span class="p">,</span> <span class="n">concurrent_users</span><span class="o">=</span><span class="mi">50</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">base_url</span> <span class="o">=</span> <span class="n">base_url</span> <span class="n">self</span><span class="p">.</span><span class="n">concurrent_users</span> <span class="o">=</span> <span class="n">concurrent_users</span> <span class="n">self</span><span class="p">.</span><span class="n">results</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">self</span><span class="p">.</span><span class="n">errors</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">make_request</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">session</span><span class="p">,</span> <span class="n">url</span><span class="p">):</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="k">async</span> <span class="k">with</span> <span class="n">session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="k">as</span> <span class="n">response</span><span class="p">:</span> <span class="n">end_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">'</span><span class="s">status_code</span><span class="sh">'</span><span class="p">:</span> <span class="n">response</span><span class="p">.</span><span class="n">status</span><span class="p">,</span> <span class="sh">'</span><span class="s">response_time</span><span class="sh">'</span><span class="p">:</span> <span class="n">end_time</span> <span class="o">-</span> <span class="n">start_time</span><span class="p">,</span> <span class="sh">'</span><span class="s">success</span><span class="sh">'</span><span class="p">:</span> <span class="mi">200</span> <span class="o">&lt;=</span> <span class="n">response</span><span class="p">.</span><span class="n">status</span> <span class="o">&lt;</span> <span class="mi">300</span> <span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">end_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">'</span><span class="s">status_code</span><span class="sh">'</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="sh">'</span><span class="s">response_time</span><span class="sh">'</span><span class="p">:</span> <span class="n">end_time</span> <span class="o">-</span> <span class="n">start_time</span><span class="p">,</span> <span class="sh">'</span><span class="s">success</span><span class="sh">'</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">user_session</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">session</span><span class="p">,</span> <span class="n">user_id</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Simulate a user session with multiple requests</span><span class="sh">"""</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">100</span><span class="p">):</span> <span class="c1"># 100 requests per user </span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">make_request</span><span class="p">(</span><span class="n">session</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">base_url</span><span class="si">}</span><span class="s">/productpage</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">result</span><span class="p">[</span><span class="sh">'</span><span class="s">success</span><span class="sh">'</span><span class="p">]:</span> <span class="n">self</span><span class="p">.</span><span class="n">errors</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.1</span><span class="p">)</span> <span class="c1"># 100ms between requests </span> <span class="k">async</span> <span class="k">def</span> <span class="nf">run_load_test</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">duration_minutes</span><span class="o">=</span><span class="mi">10</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Run load test for specified duration</span><span class="sh">"""</span> <span class="n">connector</span> <span class="o">=</span> <span class="n">aiohttp</span><span class="p">.</span><span class="nc">TCPConnector</span><span class="p">(</span><span class="n">limit</span><span class="o">=</span><span class="mi">200</span><span class="p">)</span> <span class="n">timeout</span> <span class="o">=</span> <span class="n">aiohttp</span><span class="p">.</span><span class="nc">ClientTimeout</span><span class="p">(</span><span class="n">total</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="k">async</span> <span class="k">with</span> <span class="n">aiohttp</span><span class="p">.</span><span class="nc">ClientSession</span><span class="p">(</span><span class="n">connector</span><span class="o">=</span><span class="n">connector</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="n">timeout</span><span class="p">)</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="c1"># Create tasks for concurrent users </span> <span class="n">tasks</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">user_id</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">concurrent_users</span><span class="p">):</span> <span class="n">task</span> <span class="o">=</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">create_task</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="nf">user_session</span><span class="p">(</span><span class="n">session</span><span class="p">,</span> <span class="n">user_id</span><span class="p">))</span> <span class="n">tasks</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">task</span><span class="p">)</span> <span class="c1"># Run for specified duration </span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="n">duration_minutes</span> <span class="o">*</span> <span class="mi">60</span><span class="p">)</span> <span class="c1"># Cancel remaining tasks </span> <span class="k">for</span> <span class="n">task</span> <span class="ow">in</span> <span class="n">tasks</span><span class="p">:</span> <span class="n">task</span><span class="p">.</span><span class="nf">cancel</span><span class="p">()</span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">gather</span><span class="p">(</span><span class="o">*</span><span class="n">tasks</span><span class="p">,</span> <span class="n">return_exceptions</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">def</span> <span class="nf">generate_report</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Generate load test report</span><span class="sh">"""</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="n">results</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">No results to report</span><span class="sh">"</span> <span class="n">total_requests</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">results</span><span class="p">)</span> <span class="n">successful_requests</span> <span class="o">=</span> <span class="nf">len</span><span class="p">([</span><span class="n">r</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">results</span> <span class="k">if</span> <span class="n">r</span><span class="p">[</span><span class="sh">'</span><span class="s">success</span><span class="sh">'</span><span class="p">]])</span> <span class="n">error_rate</span> <span class="o">=</span> <span class="p">(</span><span class="n">total_requests</span> <span class="o">-</span> <span class="n">successful_requests</span><span class="p">)</span> <span class="o">/</span> <span class="n">total_requests</span> <span class="n">response_times</span> <span class="o">=</span> <span class="p">[</span><span class="n">r</span><span class="p">[</span><span class="sh">'</span><span class="s">response_time</span><span class="sh">'</span><span class="p">]</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">results</span> <span class="k">if</span> <span class="n">r</span><span class="p">[</span><span class="sh">'</span><span class="s">success</span><span class="sh">'</span><span class="p">]]</span> <span class="k">if</span> <span class="n">response_times</span><span class="p">:</span> <span class="n">avg_response_time</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">response_times</span><span class="p">)</span> <span class="o">/</span> <span class="nf">len</span><span class="p">(</span><span class="n">response_times</span><span class="p">)</span> <span class="n">p95_response_time</span> <span class="o">=</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">response_times</span><span class="p">)[</span><span class="nf">int</span><span class="p">(</span><span class="nf">len</span><span class="p">(</span><span class="n">response_times</span><span class="p">)</span> <span class="o">*</span> <span class="mf">0.95</span><span class="p">)]</span> <span class="k">else</span><span class="p">:</span> <span class="n">avg_response_time</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">p95_response_time</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">total_requests</span><span class="sh">'</span><span class="p">:</span> <span class="n">total_requests</span><span class="p">,</span> <span class="sh">'</span><span class="s">successful_requests</span><span class="sh">'</span><span class="p">:</span> <span class="n">successful_requests</span><span class="p">,</span> <span class="sh">'</span><span class="s">error_rate</span><span class="sh">'</span><span class="p">:</span> <span class="n">error_rate</span><span class="p">,</span> <span class="sh">'</span><span class="s">avg_response_time</span><span class="sh">'</span><span class="p">:</span> <span class="n">avg_response_time</span><span class="p">,</span> <span class="sh">'</span><span class="s">p95_response_time</span><span class="sh">'</span><span class="p">:</span> <span class="n">p95_response_time</span><span class="p">,</span> <span class="sh">'</span><span class="s">errors</span><span class="sh">'</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">errors</span><span class="p">[:</span><span class="mi">10</span><span class="p">]</span> <span class="c1"># First 10 errors </span> <span class="p">}</span> <span class="c1"># Usage example </span><span class="k">async</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">tester</span> <span class="o">=</span> <span class="nc">DeploymentLoadTester</span><span class="p">(</span><span class="sh">"</span><span class="s">http://your-ingress-gateway</span><span class="sh">"</span><span class="p">)</span> <span class="k">await</span> <span class="n">tester</span><span class="p">.</span><span class="nf">run_load_test</span><span class="p">(</span><span class="n">duration_minutes</span><span class="o">=</span><span class="mi">5</span><span class="p">)</span> <span class="n">report</span> <span class="o">=</span> <span class="n">tester</span><span class="p">.</span><span class="nf">generate_report</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">report</span><span class="p">,</span> <span class="n">indent</span><span class="o">=</span><span class="mi">2</span><span class="p">))</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="nf">main</span><span class="p">())</span> </code></pre> </div> <h3> Chaos Engineering </h3> <p>Implement chaos testing during deployments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># chaos-experiment.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">chaos-mesh.org/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PodChaos</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">deployment-chaos</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">action</span><span class="pi">:</span> <span class="s">pod-kill</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">fixed-percent</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">20"</span> <span class="na">duration</span><span class="pi">:</span> <span class="s2">"</span><span class="s">30s"</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">namespaces</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">default</span> <span class="na">labelSelectors</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">scheduler</span><span class="pi">:</span> <span class="na">cron</span><span class="pi">:</span> <span class="s2">"</span><span class="s">@every</span><span class="nv"> </span><span class="s">2m"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">chaos-mesh.org/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkChaos</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">network-delay-chaos</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">action</span><span class="pi">:</span> <span class="s">delay</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">all</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">namespaces</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">default</span> <span class="na">labelSelectors</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">productpage</span> <span class="na">delay</span><span class="pi">:</span> <span class="na">latency</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100ms"</span> <span class="na">correlation</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100"</span> <span class="na">jitter</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0ms"</span> <span class="na">duration</span><span class="pi">:</span> <span class="s2">"</span><span class="s">60s"</span> </code></pre> </div> <h2> Troubleshooting Common Issues </h2> <h3> Connection Draining Problems </h3> <p>Debug connection draining issues:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># debug-connection-draining.sh</span> check_connection_draining<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">pod_name</span><span class="o">=</span><span class="nv">$1</span> <span class="nb">echo</span> <span class="s2">"Checking connection draining for pod: </span><span class="nv">$pod_name</span><span class="s2">"</span> <span class="c"># Check pod termination grace period</span> <span class="nv">grace_period</span><span class="o">=</span><span class="si">$(</span>kubectl get pod <span class="nv">$pod_name</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.terminationGracePeriodSeconds}'</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Termination grace period: </span><span class="k">${</span><span class="nv">grace_period</span><span class="k">}</span><span class="s2">s"</span> <span class="c"># Check active connections</span> kubectl <span class="nb">exec</span> <span class="nv">$pod_name</span> <span class="nt">-c</span> istio-proxy <span class="nt">--</span> ss <span class="nt">-tuln</span> <span class="c"># Check Envoy admin stats</span> kubectl <span class="nb">exec</span> <span class="nv">$pod_name</span> <span class="nt">-c</span> istio-proxy <span class="nt">--</span> curl localhost:15000/stats | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"(cx_active|cx_destroy)"</span> <span class="c"># Check for connection draining configuration</span> kubectl <span class="nb">exec</span> <span class="nv">$pod_name</span> <span class="nt">-c</span> istio-proxy <span class="nt">--</span> curl localhost:15000/config_dump | jq <span class="s1">'.configs[] | select(.["@type"] | contains("Listener"))'</span> <span class="o">}</span> monitor_pod_termination<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">pod_name</span><span class="o">=</span><span class="nv">$1</span> <span class="nb">echo</span> <span class="s2">"Monitoring termination of pod: </span><span class="nv">$pod_name</span><span class="s2">"</span> <span class="c"># Watch pod events</span> kubectl get events <span class="nt">--field-selector</span> involvedObject.name<span class="o">=</span><span class="nv">$pod_name</span> <span class="nt">-w</span> &amp; <span class="nv">EVENTS_PID</span><span class="o">=</span><span class="nv">$!</span> <span class="c"># Monitor connection count</span> <span class="k">while </span>kubectl get pod <span class="nv">$pod_name</span> &amp;&gt;/dev/null<span class="p">;</span> <span class="k">do </span><span class="nv">connections</span><span class="o">=</span><span class="si">$(</span>kubectl <span class="nb">exec</span> <span class="nv">$pod_name</span> <span class="nt">-c</span> istio-proxy <span class="nt">--</span> ss <span class="nt">-tuln</span> | <span class="nb">wc</span> <span class="nt">-l</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">date</span><span class="si">)</span><span class="s2">: Active connections: </span><span class="nv">$connections</span><span class="s2">"</span> <span class="nb">sleep </span>5 <span class="k">done </span><span class="nb">kill</span> <span class="nv">$EVENTS_PID</span> <span class="o">}</span> </code></pre> </div> <h3> Traffic Routing Issues </h3> <p>Debug traffic routing problems:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># debug-traffic-routing.sh</span> debug_istio_routing<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">service_name</span><span class="o">=</span><span class="nv">$1</span> <span class="nb">echo</span> <span class="s2">"=== Virtual Services ==="</span> kubectl get virtualservice <span class="nt">-o</span> yaml | <span class="nb">grep</span> <span class="nt">-A</span> 20 <span class="nt">-B</span> 5 <span class="nv">$service_name</span> <span class="nb">echo</span> <span class="s2">"=== Destination Rules ==="</span> kubectl get destinationrule <span class="nt">-o</span> yaml | <span class="nb">grep</span> <span class="nt">-A</span> 20 <span class="nt">-B</span> 5 <span class="nv">$service_name</span> <span class="nb">echo</span> <span class="s2">"=== Service Endpoints ==="</span> kubectl get endpoints <span class="nv">$service_name</span> <span class="nt">-o</span> yaml <span class="nb">echo</span> <span class="s2">"=== Pod Labels ==="</span> kubectl get pods <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span><span class="nv">$service_name</span> <span class="nt">--show-labels</span> <span class="nb">echo</span> <span class="s2">"=== Envoy Configuration ==="</span> <span class="nb">local </span><span class="nv">pod</span><span class="o">=</span><span class="si">$(</span>kubectl get pods <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span><span class="nv">$service_name</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.items[0].metadata.name}'</span><span class="si">)</span> kubectl <span class="nb">exec</span> <span class="nv">$pod</span> <span class="nt">-c</span> istio-proxy <span class="nt">--</span> curl localhost:15000/config_dump <span class="o">&gt;</span> envoy-config.json <span class="nb">echo</span> <span class="s2">"=== Checking Route Configuration ==="</span> jq <span class="s1">'.configs[] | select(.["@type"] | contains("RouteConfiguration"))'</span> envoy-config.json <span class="o">}</span> test_traffic_distribution<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">service_url</span><span class="o">=</span><span class="nv">$1</span> <span class="nb">local </span><span class="nv">test_count</span><span class="o">=</span><span class="k">${</span><span class="nv">2</span><span class="k">:-</span><span class="nv">100</span><span class="k">}</span> <span class="nb">echo</span> <span class="s2">"Testing traffic distribution with </span><span class="nv">$test_count</span><span class="s2"> requests"</span> <span class="nb">declare</span> <span class="nt">-A</span> version_counts <span class="k">for </span>i <span class="k">in</span> <span class="si">$(</span><span class="nb">seq </span>1 <span class="nv">$test_count</span><span class="si">)</span><span class="p">;</span> <span class="k">do </span><span class="nv">version</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nv">$service_url</span> | <span class="nb">grep</span> <span class="nt">-o</span> <span class="s1">'version.*'</span> | <span class="nb">head</span> <span class="nt">-1</span> <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"unknown"</span><span class="si">)</span> version_counts[<span class="nv">$version</span><span class="o">]=</span><span class="k">$((${</span><span class="nv">version_counts</span><span class="p">[</span><span class="nv">$version</span><span class="p">]</span><span class="k">}</span> <span class="o">+</span> <span class="m">1</span><span class="k">))</span> <span class="k">done </span><span class="nb">echo</span> <span class="s2">"Traffic distribution:"</span> <span class="k">for </span>version <span class="k">in</span> <span class="s2">"</span><span class="k">${</span><span class="p">!version_counts[@]</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> <span class="k">do </span><span class="nv">percentage</span><span class="o">=</span><span class="k">$((</span>version_counts[<span class="nv">$version</span><span class="o">]</span> <span class="o">*</span> <span class="m">100</span> <span class="o">/</span> test_count<span class="k">))</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$version</span><span class="s2">: </span><span class="k">${</span><span class="nv">version_counts</span><span class="p">[</span><span class="nv">$version</span><span class="p">]</span><span class="k">}</span><span class="s2"> requests (</span><span class="k">${</span><span class="nv">percentage</span><span class="k">}</span><span class="s2">%)"</span> <span class="k">done</span> <span class="o">}</span> </code></pre> </div> <h3> Performance Debugging </h3> <p>Debug performance issues during deployments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># debug-performance.sh</span> collect_performance_metrics<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">namespace</span><span class="o">=</span><span class="k">${</span><span class="nv">1</span><span class="k">:-</span><span class="nv">default</span><span class="k">}</span> <span class="nb">local </span><span class="nv">service_name</span><span class="o">=</span><span class="nv">$2</span> <span class="nb">echo</span> <span class="s2">"Collecting performance metrics for </span><span class="nv">$service_name</span><span class="s2">"</span> <span class="c"># CPU and Memory usage</span> <span class="nb">echo</span> <span class="s2">"=== Resource Usage ==="</span> kubectl top pods <span class="nt">-n</span> <span class="nv">$namespace</span> <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span><span class="nv">$service_name</span> <span class="c"># Envoy proxy stats</span> <span class="nb">echo</span> <span class="s2">"=== Envoy Proxy Stats ==="</span> <span class="nb">local </span><span class="nv">pod</span><span class="o">=</span><span class="si">$(</span>kubectl get pods <span class="nt">-n</span> <span class="nv">$namespace</span> <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span><span class="nv">$service_name</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.items[0].metadata.name}'</span><span class="si">)</span> kubectl <span class="nb">exec</span> <span class="nt">-n</span> <span class="nv">$namespace</span> <span class="nv">$pod</span> <span class="nt">-c</span> istio-proxy <span class="nt">--</span> curl localhost:15000/stats | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"(response_time|cx_|rq_)"</span> <span class="c"># Istio metrics from Prometheus</span> <span class="nb">echo</span> <span class="s2">"=== Istio Metrics ==="</span> curl <span class="nt">-s</span> <span class="s2">"http://prometheus:9090/api/v1/query?query=histogram_quantile(0.95,sum(rate(istio_request_duration_milliseconds_bucket{destination_service_name=</span><span class="se">\"</span><span class="nv">$service_name</span><span class="se">\"</span><span class="s2">}[5m]))by(le))"</span> <span class="c"># Application metrics</span> <span class="nb">echo</span> <span class="s2">"=== Application Metrics ==="</span> kubectl <span class="nb">exec</span> <span class="nt">-n</span> <span class="nv">$namespace</span> <span class="nv">$pod</span> <span class="nt">--</span> curl localhost:8080/metrics 2&gt;/dev/null <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"No application metrics available"</span> <span class="o">}</span> analyze_request_flow<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">trace_id</span><span class="o">=</span><span class="nv">$1</span> <span class="nb">echo</span> <span class="s2">"Analyzing request flow for trace: </span><span class="nv">$trace_id</span><span class="s2">"</span> <span class="c"># Query Jaeger for trace details</span> curl <span class="nt">-s</span> <span class="s2">"http://jaeger-query:16686/api/traces/</span><span class="nv">$trace_id</span><span class="s2">"</span> | jq <span class="s1">'.data[0].spans[] | {operationName, duration, tags}'</span> <span class="o">}</span> </code></pre> </div> <h2> Advanced Patterns and Future Considerations </h2> <h3> Multi-Cluster Deployments </h3> <p>Implement cross-cluster zero-downtime deployments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># multi-cluster-deployment.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Gateway</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cross-cluster-gateway</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">istio</span><span class="pi">:</span> <span class="s">eastwestgateway</span> <span class="na">servers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">15443</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tls</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TLS</span> <span class="na">tls</span><span class="pi">:</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">ISTIO_MUTUAL</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">*.local"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DestinationRule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cross-cluster-productpage</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage.default.global</span> <span class="na">trafficPolicy</span><span class="pi">:</span> <span class="na">connectionPool</span><span class="pi">:</span> <span class="na">tcp</span><span class="pi">:</span> <span class="na">maxConnections</span><span class="pi">:</span> <span class="m">100</span> <span class="na">subsets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-1</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">cluster-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-2</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">cluster-2</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VirtualService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cross-cluster-routing</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">productpage.default.global</span> <span class="na">http</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">headers</span><span class="pi">:</span> <span class="na">cluster-preference</span><span class="pi">:</span> <span class="na">exact</span><span class="pi">:</span> <span class="s2">"</span><span class="s">cluster-2"</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage.default.global</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">cluster-2</span> <span class="pi">-</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage.default.global</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">cluster-1</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">80</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">productpage.default.global</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">cluster-2</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">20</span> </code></pre> </div> <h3> Machine Learning-Driven Deployments </h3> <p>Integrate ML for intelligent deployment decisions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ml-deployment-advisor.py </span><span class="kn">import</span> <span class="n">numpy</span> <span class="k">as</span> <span class="n">np</span> <span class="kn">from</span> <span class="n">sklearn.ensemble</span> <span class="kn">import</span> <span class="n">RandomForestClassifier</span> <span class="kn">from</span> <span class="n">sklearn.preprocessing</span> <span class="kn">import</span> <span class="n">StandardScaler</span> <span class="kn">import</span> <span class="n">joblib</span> <span class="kn">import</span> <span class="n">requests</span> <span class="k">class</span> <span class="nc">DeploymentAdvisor</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">model_path</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="k">if</span> <span class="n">model_path</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">model</span> <span class="o">=</span> <span class="n">joblib</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="n">model_path</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">scaler</span> <span class="o">=</span> <span class="n">joblib</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">model_path</span><span class="si">}</span><span class="s">_scaler.pkl</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">model</span> <span class="o">=</span> <span class="nc">RandomForestClassifier</span><span class="p">(</span><span class="n">n_estimators</span><span class="o">=</span><span class="mi">100</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">scaler</span> <span class="o">=</span> <span class="nc">StandardScaler</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">is_trained</span> <span class="o">=</span> <span class="bp">False</span> <span class="k">def</span> <span class="nf">collect_metrics</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">service_name</span><span class="p">,</span> <span class="n">duration_minutes</span><span class="o">=</span><span class="mi">5</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Collect deployment metrics from Prometheus</span><span class="sh">"""</span> <span class="n">metrics</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1"># Error rate </span> <span class="n">query</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">'</span><span class="s">sum(rate(istio_requests_total{{destination_service_name=</span><span class="sh">"</span><span class="si">{</span><span class="n">service_name</span><span class="si">}</span><span class="sh">"</span><span class="s">,response_code!~</span><span class="sh">"</span><span class="s">2.*</span><span class="sh">"</span><span class="s">}}[</span><span class="si">{</span><span class="n">duration_minutes</span><span class="si">}</span><span class="s">m]))/sum(rate(istio_requests_total{{destination_service_name=</span><span class="sh">"</span><span class="si">{</span><span class="n">service_name</span><span class="si">}</span><span class="sh">"</span><span class="s">}}[</span><span class="si">{</span><span class="n">duration_minutes</span><span class="si">}</span><span class="s">m]))</span><span class="sh">'</span> <span class="n">result</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">http://prometheus:9090/api/v1/query?query=</span><span class="si">{</span><span class="n">query</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">metrics</span><span class="p">[</span><span class="sh">'</span><span class="s">error_rate</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="nf">float</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">result</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">value</span><span class="sh">'</span><span class="p">][</span><span class="mi">1</span><span class="p">])</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">result</span><span class="sh">'</span><span class="p">]</span> <span class="k">else</span> <span class="mi">0</span> <span class="c1"># P95 latency </span> <span class="n">query</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">'</span><span class="s">histogram_quantile(0.95,sum(rate(istio_request_duration_milliseconds_bucket{{destination_service_name=</span><span class="sh">"</span><span class="si">{</span><span class="n">service_name</span><span class="si">}</span><span class="sh">"</span><span class="s">}}[</span><span class="si">{</span><span class="n">duration_minutes</span><span class="si">}</span><span class="s">m]))by(le))</span><span class="sh">'</span> <span class="n">result</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">http://prometheus:9090/api/v1/query?query=</span><span class="si">{</span><span class="n">query</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">metrics</span><span class="p">[</span><span class="sh">'</span><span class="s">p95_latency</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="nf">float</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">result</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">value</span><span class="sh">'</span><span class="p">][</span><span class="mi">1</span><span class="p">])</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">result</span><span class="sh">'</span><span class="p">]</span> <span class="k">else</span> <span class="mi">0</span> <span class="c1"># CPU usage </span> <span class="n">query</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">'</span><span class="s">sum(rate(container_cpu_usage_seconds_total{{pod=~</span><span class="sh">"</span><span class="si">{</span><span class="n">service_name</span><span class="si">}</span><span class="s">.*</span><span class="sh">"</span><span class="s">}}[</span><span class="si">{</span><span class="n">duration_minutes</span><span class="si">}</span><span class="s">m]))</span><span class="sh">'</span> <span class="n">result</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">http://prometheus:9090/api/v1/query?query=</span><span class="si">{</span><span class="n">query</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">metrics</span><span class="p">[</span><span class="sh">'</span><span class="s">cpu_usage</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="nf">float</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">result</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">value</span><span class="sh">'</span><span class="p">][</span><span class="mi">1</span><span class="p">])</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">result</span><span class="sh">'</span><span class="p">]</span> <span class="k">else</span> <span class="mi">0</span> <span class="c1"># Memory usage </span> <span class="n">query</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">'</span><span class="s">sum(container_memory_working_set_bytes{{pod=~</span><span class="sh">"</span><span class="si">{</span><span class="n">service_name</span><span class="si">}</span><span class="s">.*</span><span class="sh">"</span><span class="s">}})</span><span class="sh">'</span> <span class="n">result</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">http://prometheus:9090/api/v1/query?query=</span><span class="si">{</span><span class="n">query</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">metrics</span><span class="p">[</span><span class="sh">'</span><span class="s">memory_usage</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="nf">float</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">result</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">value</span><span class="sh">'</span><span class="p">][</span><span class="mi">1</span><span class="p">])</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">result</span><span class="sh">'</span><span class="p">]</span> <span class="k">else</span> <span class="mi">0</span> <span class="k">return</span> <span class="n">metrics</span> <span class="k">def</span> <span class="nf">should_proceed_with_canary</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">service_name</span><span class="p">,</span> <span class="n">current_weight</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Decide whether to proceed with canary deployment</span><span class="sh">"""</span> <span class="n">metrics</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">collect_metrics</span><span class="p">(</span><span class="n">service_name</span><span class="p">)</span> <span class="n">features</span> <span class="o">=</span> <span class="n">np</span><span class="p">.</span><span class="nf">array</span><span class="p">([</span> <span class="n">metrics</span><span class="p">[</span><span class="sh">'</span><span class="s">error_rate</span><span class="sh">'</span><span class="p">],</span> <span class="n">metrics</span><span class="p">[</span><span class="sh">'</span><span class="s">p95_latency</span><span class="sh">'</span><span class="p">],</span> <span class="n">metrics</span><span class="p">[</span><span class="sh">'</span><span class="s">cpu_usage</span><span class="sh">'</span><span class="p">],</span> <span class="n">metrics</span><span class="p">[</span><span class="sh">'</span><span class="s">memory_usage</span><span class="sh">'</span><span class="p">],</span> <span class="n">current_weight</span> <span class="p">]).</span><span class="nf">reshape</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="k">if</span> <span class="nf">hasattr</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">is_trained</span><span class="sh">'</span><span class="p">)</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="n">is_trained</span><span class="p">:</span> <span class="c1"># Default conservative approach </span> <span class="k">return</span> <span class="n">metrics</span><span class="p">[</span><span class="sh">'</span><span class="s">error_rate</span><span class="sh">'</span><span class="p">]</span> <span class="o">&lt;</span> <span class="mf">0.01</span> <span class="ow">and</span> <span class="n">metrics</span><span class="p">[</span><span class="sh">'</span><span class="s">p95_latency</span><span class="sh">'</span><span class="p">]</span> <span class="o">&lt;</span> <span class="mi">1000</span> <span class="n">scaled_features</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">scaler</span><span class="p">.</span><span class="nf">transform</span><span class="p">(</span><span class="n">features</span><span class="p">)</span> <span class="n">probability</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">model</span><span class="p">.</span><span class="nf">predict_proba</span><span class="p">(</span><span class="n">scaled_features</span><span class="p">)[</span><span class="mi">0</span><span class="p">][</span><span class="mi">1</span><span class="p">]</span> <span class="c1"># Probability of success </span> <span class="k">return</span> <span class="n">probability</span> <span class="o">&gt;</span> <span class="mf">0.8</span> <span class="c1"># 80% confidence threshold </span> <span class="k">def</span> <span class="nf">recommend_canary_weight</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">service_name</span><span class="p">,</span> <span class="n">current_weight</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Recommend next canary weight</span><span class="sh">"""</span> <span class="n">metrics</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">collect_metrics</span><span class="p">(</span><span class="n">service_name</span><span class="p">)</span> <span class="c1"># Conservative progression based on current health </span> <span class="k">if</span> <span class="n">metrics</span><span class="p">[</span><span class="sh">'</span><span class="s">error_rate</span><span class="sh">'</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mf">0.02</span><span class="p">:</span> <span class="k">return</span> <span class="nf">max</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">current_weight</span> <span class="o">-</span> <span class="mi">10</span><span class="p">)</span> <span class="c1"># Reduce traffic </span> <span class="k">elif</span> <span class="n">metrics</span><span class="p">[</span><span class="sh">'</span><span class="s">error_rate</span><span class="sh">'</span><span class="p">]</span> <span class="o">&lt;</span> <span class="mf">0.005</span> <span class="ow">and</span> <span class="n">metrics</span><span class="p">[</span><span class="sh">'</span><span class="s">p95_latency</span><span class="sh">'</span><span class="p">]</span> <span class="o">&lt;</span> <span class="mi">500</span><span class="p">:</span> <span class="k">return</span> <span class="nf">min</span><span class="p">(</span><span class="mi">100</span><span class="p">,</span> <span class="n">current_weight</span> <span class="o">+</span> <span class="mi">20</span><span class="p">)</span> <span class="c1"># Aggressive progression </span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="nf">min</span><span class="p">(</span><span class="mi">100</span><span class="p">,</span> <span class="n">current_weight</span> <span class="o">+</span> <span class="mi">10</span><span class="p">)</span> <span class="c1"># Normal progression </span></code></pre> </div> <h2> Conclusion and Best Practices Summary </h2> <p>Implementing zero-downtime deployments with Kubernetes and Istio requires careful planning, robust monitoring, and automated safeguards. Here are the key takeaways for successful production implementations:</p> <h3> Essential Success Factors </h3> <p><strong>Comprehensive Health Checking</strong>: Go beyond basic Kubernetes probes to implement application-specific health checks that verify business logic functionality.</p> <p><strong>Progressive Traffic Shifting</strong>: Never switch traffic instantly. Use gradual percentage-based routing to minimize blast radius and enable early problem detection.</p> <p><strong>Automated Monitoring and Rollback</strong>: Implement automated systems that can detect problems and perform rollbacks faster than human operators.</p> <p><strong>Resource Planning</strong>: Ensure adequate cluster resources to run both old and new versions simultaneously during deployment windows.</p> <p><strong>Security Integration</strong>: Maintain security policies and mTLS throughout the deployment process without compromising zero-downtime objectives.</p> <h3> Production Readiness Checklist </h3> <p>Before implementing zero-downtime deployments in production:</p> <ul> <li>[ ] <strong>Multi-region deployment capability</strong> for true high availability</li> <li>[ ] <strong>Comprehensive monitoring stack</strong> with custom SLIs and SLOs</li> <li>[ ] <strong>Automated rollback triggers</strong> based on business and technical metrics </li> <li>[ ] <strong>Load testing integration</strong> in CI/CD pipelines</li> <li>[ ] <strong>Chaos engineering practices</strong> to validate resilience</li> <li>[ ] <strong>Documentation and runbooks</strong> for troubleshooting deployment issues</li> <li>[ ] <strong>Team training</strong> on Istio concepts and troubleshooting techniques</li> <li>[ ] <strong>Disaster recovery procedures</strong> tested and validated</li> </ul> <h3> Performance Considerations </h3> <p>Zero-downtime deployments introduce overhead that must be managed:</p> <p><strong>Resource Overhead</strong>: Running multiple versions simultaneously requires 1.5-2x normal resources during deployment windows.</p> <p><strong>Network Complexity</strong>: Service mesh networking adds latency (typically 1-3ms) but provides sophisticated routing capabilities.</p> <p><strong>Observability Costs</strong>: Comprehensive monitoring generates significant metric volumes that require proper retention policies.</p> <p><strong>Operational Complexity</strong>: Teams need specialized knowledge of Istio concepts and troubleshooting techniques.</p> <h3> Future Trends and Evolution </h3> <p>The zero-downtime deployment landscape continues evolving:</p> <p><strong>WebAssembly Integration</strong>: Istio's WebAssembly support enables more sophisticated deployment logic and custom policies.</p> <p><strong>AI-Driven Deployment Decisions</strong>: Machine learning models will increasingly drive deployment progression and rollback decisions.</p> <p><strong>Edge Computing Integration</strong>: Zero-downtime patterns will extend to edge locations for global application deployments.</p> <p><strong>Serverless Integration</strong>: Knative and similar platforms will integrate zero-downtime patterns with serverless scaling.</p> <p><strong>GitOps Maturation</strong>: GitOps workflows will become more sophisticated with automated policy enforcement and compliance checking.</p> <h3> Cost-Benefit Analysis </h3> <p>While zero-downtime deployments require significant upfront investment in tooling, monitoring, and training, the benefits typically justify the costs:</p> <p><strong>Quantifiable Benefits</strong>:</p> <ul> <li>Elimination of maintenance windows (typically 4-8 hours monthly)</li> <li>Reduced customer churn from service interruptions</li> <li>Faster time-to-market for new features</li> <li>Improved developer confidence and deployment frequency</li> </ul> <p><strong>Risk Reduction</strong>:</p> <ul> <li>Lower blast radius for problematic deployments</li> <li>Faster recovery times when issues occur</li> <li>Better customer experience and satisfaction</li> <li>Improved competitive positioning</li> </ul> <p>Implementing zero-downtime deployments with Kubernetes and Istio transforms how organizations ship software. The combination of Kubernetes' orchestration capabilities with Istio's sophisticated traffic management creates a powerful platform for safe, observable, and automated deployments.</p> <p>The journey requires investment in tooling, processes, and skills, but the result is a deployment system that enables true continuous delivery while maintaining the reliability and performance that modern applications demand. As your team masters these patterns, you'll find that zero-downtime deployments become not just possible, but routine – enabling faster innovation cycles without compromising stability.</p> <p>Remember that zero-downtime deployment is not just a technical challenge but an organizational capability. Success requires alignment between development, operations, and business teams around shared objectives of reliability, velocity, and customer experience. With proper implementation of the patterns and practices outlined in this guide, your organization can achieve the holy grail of software delivery: shipping features continuously without ever impacting your users.</p> <h2> Additional Resources </h2> <ul> <li><a href="https://istio.io/latest/docs/" rel="noopener noreferrer">Istio Official Documentation</a></li> <li><a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/" rel="noopener noreferrer">Kubernetes Deployment Strategies</a></li> <li><a href="https://docs.flagger.app/" rel="noopener noreferrer">Flagger Progressive Delivery</a></li> <li><a href="https://argoproj.github.io/argo-rollouts/" rel="noopener noreferrer">Argo Rollouts Documentation</a></li> <li><a href="https://landscape.cncf.io/card-mode?category=service-mesh" rel="noopener noreferrer">CNCF Service Mesh Landscape</a></li> <li><a href="https://sre.google/books/" rel="noopener noreferrer">Google SRE Books</a></li> </ul> <p><em>Have you implemented zero-downtime deployments in your organization? Share your experiences with different deployment strategies and the challenges you've overcome in the comments below!</em></p> kubernetes istio deployments programming Purushotam Adhikari Mon, 01 Sep 2025 03:20:50 +0000 https://forem.com/caffinecoder54/building-a-kubernetes-cluster-on-raspberry-pi-for-home-lab-learning-39n3 https://forem.com/caffinecoder54/building-a-kubernetes-cluster-on-raspberry-pi-for-home-lab-learning-39n3 <p>Learning Kubernetes can be intimidating, especially when you're trying to understand concepts like container orchestration, networking, and distributed systems. While cloud platforms offer managed Kubernetes services, there's something powerful about building your own cluster from scratch. Enter the Raspberry Pi – an affordable, energy-efficient way to create a real Kubernetes cluster right on your desk.</p> <p>In this comprehensive guide, we'll walk through building a multi-node Kubernetes cluster using Raspberry Pi devices. You'll gain hands-on experience with cluster architecture, networking, and deployment patterns that directly translate to production environments.</p> <h2> Why Raspberry Pi for Kubernetes? </h2> <p>Before diving into the technical details, let's understand why Raspberry Pi makes an excellent platform for learning Kubernetes:</p> <p><strong>Cost-Effective</strong>: A 3-node cluster costs around $200-300, compared to thousands for equivalent server hardware.</p> <p><strong>Low Power Consumption</strong>: The entire cluster uses less power than a single laptop, making it perfect for 24/7 home lab operation.</p> <p><strong>Real Hardware Experience</strong>: Unlike virtual machines, you're working with actual network interfaces, storage, and distributed hardware challenges.</p> <p><strong>ARM Architecture Learning</strong>: Gain experience with ARM-based containers, which are increasingly important in edge computing and mobile deployments.</p> <p><strong>Physical Debugging</strong>: When things go wrong, you can see blinking LEDs, check physical connections, and understand infrastructure in a tangible way.</p> <h2> Hardware Requirements </h2> <p>For this project, you'll need the following components:</p> <h3> Essential Components </h3> <ul> <li> <strong>3-4 Raspberry Pi 4 (4GB RAM minimum)</strong>: These will serve as your cluster nodes</li> <li> <strong>High-quality microSD cards (32GB+, Class 10)</strong>: One per Pi for the operating system</li> <li> <strong>Network switch (5+ ports)</strong>: To connect all Pis to your home network</li> <li> <strong>Ethernet cables</strong>: One per Pi plus one for your router connection</li> <li> <strong>USB-C power supplies</strong>: One per Pi, or a multi-port USB charging station</li> <li> <strong>Raspberry Pi cases</strong>: Optional but recommended for protection and heat dissipation</li> </ul> <h3> Optional Enhancements </h3> <ul> <li> <strong>Cluster case or rack</strong>: Keeps everything organized and looks professional</li> <li> <strong>Cooling fans</strong>: Prevents thermal throttling during heavy workloads</li> <li> <strong>External USB storage</strong>: For persistent volumes and better I/O performance</li> <li> <strong>PoE HATs</strong>: If you have a PoE switch, eliminates individual power supplies</li> </ul> <h3> Total Investment </h3> <p>Expect to spend $200-400 depending on your choices. This might seem significant initially, but it's far less expensive than cloud costs for equivalent learning time, and you own the hardware permanently.</p> <h2> Network Architecture Planning </h2> <p>Before assembling hardware, let's plan our network topology. A typical home lab Kubernetes cluster follows this pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Internet → Router → Switch → Raspberry Pis ↓ Your Development Machine </code></pre> </div> <h3> IP Address Planning </h3> <p>Reserve a static IP range for your cluster. For example:</p> <ul> <li> <strong>pi-master</strong>: 192.168.1.100</li> <li> <strong>pi-worker-1</strong>: 192.168.1.101 </li> <li> <strong>pi-worker-2</strong>: 192.168.1.102</li> <li> <strong>pi-worker-3</strong>: 192.168.1.103 (if using 4 nodes)</li> </ul> <p>This static addressing simplifies cluster management and makes troubleshooting much easier.</p> <h3> Network Requirements </h3> <ul> <li>All nodes must be on the same subnet</li> <li>Each node needs internet access for pulling container images</li> <li>Consider VLAN isolation if you have advanced networking gear</li> </ul> <h2> Operating System Setup </h2> <p>We'll use Ubuntu Server 22.04 LTS for ARM64, which provides excellent Kubernetes support and regular security updates.</p> <h3> Flashing the OS </h3> <p>Download the Ubuntu Server 22.04 LTS ARM64 image and use the Raspberry Pi Imager:</p> <ol> <li> <strong>Install Raspberry Pi Imager</strong> from the official website</li> <li> <strong>Select Ubuntu Server 22.04 LTS (64-bit)</strong> as your OS</li> <li> <p><strong>Configure advanced options</strong>:</p> <ul> <li>Enable SSH with your public key</li> <li>Set username/password</li> <li>Configure WiFi (backup connectivity)</li> <li>Set hostname (pi-master, pi-worker-1, etc.)</li> </ul> </li> <li><p><strong>Flash each microSD card</strong> with the appropriate hostname</p></li> </ol> <h3> First Boot Configuration </h3> <p>After flashing, insert the microSD cards and power on each Pi. SSH into each node and perform initial setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update system packages</span> <span class="nb">sudo </span>apt update <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt upgrade <span class="nt">-y</span> <span class="c"># Install essential tools</span> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> curl wget git vim htop <span class="c"># Set up static IP (edit netplan configuration)</span> <span class="nb">sudo </span>nano /etc/netplan/50-cloud-init.yaml </code></pre> </div> <p>Configure the netplan file for static IP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">network</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="m">2</span> <span class="na">ethernets</span><span class="pi">:</span> <span class="na">eth0</span><span class="pi">:</span> <span class="na">dhcp4</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">addresses</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">192.168.1.100/24</span> <span class="c1"># Change per node</span> <span class="na">gateway4</span><span class="pi">:</span> <span class="s">192.168.1.1</span> <span class="na">nameservers</span><span class="pi">:</span> <span class="na">addresses</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">8.8.8.8</span><span class="pi">,</span> <span class="nv">1.1.1.1</span><span class="pi">]</span> </code></pre> </div> <p>Apply the network configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>netplan apply <span class="nb">sudo </span>reboot </code></pre> </div> <h3> System Optimization for Kubernetes </h3> <p>Kubernetes requires specific system configurations that aren't enabled by default:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable cgroup memory and cpu</span> <span class="nb">sudo </span>nano /boot/firmware/cmdline.txt <span class="c"># Add: cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory</span> <span class="c"># Disable swap (Kubernetes requirement)</span> <span class="nb">sudo </span>dphys-swapfile swapoff <span class="nb">sudo </span>dphys-swapfile uninstall <span class="nb">sudo </span>update-rc.d dphys-swapfile remove <span class="c"># Load required kernel modules</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> | sudo tee /etc/modules-load.d/k8s.conf overlay br_netfilter </span><span class="no">EOF </span><span class="nb">sudo </span>modprobe overlay <span class="nb">sudo </span>modprobe br_netfilter <span class="c"># Configure sysctl parameters</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> | sudo tee /etc/sysctl.d/k8s.conf net.bridge.bridge-nf-call-iptables = 1 net.bridge.bridge-nf-call-ip6tables = 1 net.ipv4.ip_forward = 1 </span><span class="no">EOF </span><span class="nb">sudo </span>sysctl <span class="nt">--system</span> <span class="nb">sudo </span>reboot </code></pre> </div> <h2> Container Runtime Installation </h2> <p>Kubernetes needs a container runtime. We'll use containerd, which is the current standard and provides excellent performance on ARM architecture.</p> <h3> Installing containerd </h3> <p>Run these commands on all nodes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Add Docker's official GPG key and repository</span> curl <span class="nt">-fsSL</span> https://download.docker.com/linux/ubuntu/gpg | <span class="nb">sudo </span>gpg <span class="nt">--dearmor</span> <span class="nt">-o</span> /usr/share/keyrings/docker-archive-keyring.gpg <span class="nb">echo</span> <span class="s2">"deb [arch=arm64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu </span><span class="si">$(</span>lsb_release <span class="nt">-cs</span><span class="si">)</span><span class="s2"> stable"</span> | <span class="nb">sudo tee</span> /etc/apt/sources.list.d/docker.list <span class="o">&gt;</span> /dev/null <span class="c"># Install containerd</span> <span class="nb">sudo </span>apt update <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> containerd.io <span class="c"># Configure containerd</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /etc/containerd containerd config default | <span class="nb">sudo tee</span> /etc/containerd/config.toml <span class="c"># Enable SystemdCgroup (required for Kubernetes)</span> <span class="nb">sudo sed</span> <span class="nt">-i</span> <span class="s1">'s/SystemdCgroup = false/SystemdCgroup = true/'</span> /etc/containerd/config.toml <span class="c"># Restart and enable containerd</span> <span class="nb">sudo </span>systemctl restart containerd <span class="nb">sudo </span>systemctl <span class="nb">enable </span>containerd </code></pre> </div> <h3> Verification </h3> <p>Verify containerd is running correctly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl status containerd <span class="nb">sudo </span>ctr version </code></pre> </div> <h2> Kubernetes Installation </h2> <p>Now we'll install Kubernetes components using kubeadm, kubelet, and kubectl.</p> <h3> Adding Kubernetes Repository </h3> <p>Execute on all nodes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Add Kubernetes signing key</span> curl <span class="nt">-fsSL</span> https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key | <span class="nb">sudo </span>gpg <span class="nt">--dearmor</span> <span class="nt">-o</span> /etc/apt/keyrings/kubernetes-apt-keyring.gpg <span class="c"># Add Kubernetes repository</span> <span class="nb">echo</span> <span class="s1">'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.28/deb/ /'</span> | <span class="nb">sudo tee</span> /etc/apt/sources.list.d/kubernetes.list <span class="c"># Install Kubernetes components</span> <span class="nb">sudo </span>apt update <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> kubelet kubeadm kubectl <span class="c"># Hold packages to prevent automatic updates</span> <span class="nb">sudo </span>apt-mark hold kubelet kubeadm kubectl </code></pre> </div> <h3> Initialize the Master Node </h3> <p>On your designated master node (pi-master), initialize the cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>kubeadm init <span class="se">\</span> <span class="nt">--apiserver-advertise-address</span><span class="o">=</span>192.168.1.100 <span class="se">\</span> <span class="nt">--pod-network-cidr</span><span class="o">=</span>10.244.0.0/16 <span class="se">\</span> <span class="nt">--service-cidr</span><span class="o">=</span>10.96.0.0/12 </code></pre> </div> <p>This process takes 5-10 minutes. Upon completion, you'll see a join command – save it! You'll need it to add worker nodes.</p> <h3> Configure kubectl Access </h3> <p>Set up kubectl for your user:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> <span class="nv">$HOME</span>/.kube <span class="nb">sudo cp</span> <span class="nt">-i</span> /etc/kubernetes/admin.conf <span class="nv">$HOME</span>/.kube/config <span class="nb">sudo chown</span> <span class="si">$(</span><span class="nb">id</span> <span class="nt">-u</span><span class="si">)</span>:<span class="si">$(</span><span class="nb">id</span> <span class="nt">-g</span><span class="si">)</span> <span class="nv">$HOME</span>/.kube/config </code></pre> </div> <p>Verify the master node is ready:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get nodes kubectl get pods <span class="nt">--all-namespaces</span> </code></pre> </div> <h2> Network Plugin Installation </h2> <p>Kubernetes requires a Container Network Interface (CNI) plugin for pod networking. We'll use Flannel, which works excellently on ARM architecture and is simple to configure.</p> <h3> Installing Flannel </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Download Flannel manifest</span> curl <span class="nt">-sSL</span> https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml <span class="nt">-o</span> kube-flannel.yml <span class="c"># Apply Flannel configuration</span> kubectl apply <span class="nt">-f</span> kube-flannel.yml <span class="c"># Verify Flannel pods are running</span> kubectl get pods <span class="nt">-n</span> kube-flannel </code></pre> </div> <p>Wait for all Flannel pods to reach "Running" status before proceeding.</p> <h2> Adding Worker Nodes </h2> <p>Now we'll join the worker nodes to our cluster using the join command from the master node initialization.</p> <h3> Joining Worker Nodes </h3> <p>On each worker node (pi-worker-1, pi-worker-2, etc.), run the join command you saved earlier:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>kubeadm <span class="nb">join </span>192.168.1.100:6443 <span class="nt">--token</span> &lt;token&gt; <span class="se">\</span> <span class="nt">--discovery-token-ca-cert-hash</span> sha256:&lt;<span class="nb">hash</span><span class="o">&gt;</span> </code></pre> </div> <p>If you lost the join command, generate a new one from the master:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubeadm token create <span class="nt">--print-join-command</span> </code></pre> </div> <h3> Verification </h3> <p>From the master node, verify all nodes joined successfully:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get nodes kubectl get pods <span class="nt">--all-namespaces</span> </code></pre> </div> <p>You should see all nodes in "Ready" status. If any nodes show "NotReady", check the logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl describe node &lt;node-name&gt; journalctl <span class="nt">-u</span> kubelet <span class="nt">-f</span> </code></pre> </div> <h2> Storage Configuration </h2> <p>Raspberry Pi clusters need proper storage configuration for persistent volumes. We'll set up both local storage and NFS options.</p> <h3> Local Storage Class </h3> <p>Create a local storage class for applications that need fast, local disk access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># local-storage.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">storage.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StorageClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">local-storage</span> <span class="na">provisioner</span><span class="pi">:</span> <span class="s">kubernetes.io/no-provisioner</span> <span class="na">volumeBindingMode</span><span class="pi">:</span> <span class="s">WaitForFirstConsumer</span> <span class="na">allowVolumeExpansion</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>Apply the storage class:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> local-storage.yaml kubectl get storageclass </code></pre> </div> <h3> Persistent Volume Example </h3> <p>Create a persistent volume on one of your worker nodes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># local-pv.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolume</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">local-pv-1</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">capacity</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">10Gi</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="na">persistentVolumeReclaimPolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">local-storage</span> <span class="na">local</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/mnt/local-storage</span> <span class="na">nodeAffinity</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="na">nodeSelectorTerms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">kubernetes.io/hostname</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pi-worker-1</span> </code></pre> </div> <h2> Deploying Your First Application </h2> <p>Let's deploy a sample application to verify everything works correctly. We'll use nginx with a persistent volume.</p> <h3> Nginx Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># nginx-deployment.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-deployment</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:alpine</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">64Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">50m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">128Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100m"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> </code></pre> </div> <p>Deploy the application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> nginx-deployment.yaml kubectl get deployments kubectl get pods <span class="nt">-o</span> wide kubectl get services </code></pre> </div> <h3> Testing the Deployment </h3> <p>Create a temporary pod to test connectivity:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl run test-pod <span class="nt">--image</span><span class="o">=</span>busybox <span class="nt">--rm</span> <span class="nt">-it</span> <span class="nt">--restart</span><span class="o">=</span>Never <span class="nt">--</span> sh <span class="c"># Inside the test pod:</span> wget <span class="nt">-qO-</span> http://nginx-service <span class="nb">exit</span> </code></pre> </div> <h2> Monitoring and Observability </h2> <p>A production-ready cluster needs monitoring. Let's set up basic monitoring with metrics-server and optional Prometheus.</p> <h3> Installing Metrics Server </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Download metrics-server manifest</span> curl <span class="nt">-sSL</span> https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml <span class="nt">-o</span> metrics-server.yaml <span class="c"># Edit to add --kubelet-insecure-tls flag for self-signed certificates</span> kubectl apply <span class="nt">-f</span> metrics-server.yaml <span class="c"># Verify installation</span> kubectl get pods <span class="nt">-n</span> kube-system | <span class="nb">grep </span>metrics-server kubectl top nodes kubectl top pods </code></pre> </div> <h3> Basic Monitoring Commands </h3> <p>Monitor your cluster health with these essential commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Node resource usage</span> kubectl top nodes <span class="c"># Pod resource usage across all namespaces</span> kubectl top pods <span class="nt">--all-namespaces</span> <span class="c"># Cluster events</span> kubectl get events <span class="nt">--sort-by</span><span class="o">=</span><span class="s1">'.lastTimestamp'</span> <span class="c"># Service status</span> kubectl get all <span class="nt">--all-namespaces</span> </code></pre> </div> <h2> Useful Management Tools </h2> <h3> Kubernetes Dashboard (Optional) </h3> <p>For a web-based management interface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy dashboard</span> kubectl apply <span class="nt">-f</span> https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml <span class="c"># Create admin user</span> kubectl create serviceaccount dashboard-admin-sa kubectl create clusterrolebinding dashboard-admin-sa <span class="nt">--clusterrole</span><span class="o">=</span>cluster-admin <span class="nt">--serviceaccount</span><span class="o">=</span>default:dashboard-admin-sa <span class="c"># Get access token</span> kubectl create token dashboard-admin-sa <span class="c"># Port forward to access dashboard</span> kubectl proxy <span class="nt">--address</span><span class="o">=</span><span class="s1">'0.0.0.0'</span> <span class="nt">--accept-hosts</span><span class="o">=</span><span class="s1">'^*$'</span> </code></pre> </div> <p>Access the dashboard at: <code>http://your-master-ip:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/</code></p> <h3> Helm Package Manager </h3> <p>Install Helm for easier application management:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash helm version </code></pre> </div> <h2> Troubleshooting Common Issues </h2> <h3> Node Not Ready </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check node status</span> kubectl describe node &lt;node-name&gt; <span class="c"># Check kubelet logs</span> <span class="nb">sudo </span>journalctl <span class="nt">-u</span> kubelet <span class="nt">-f</span> <span class="c"># Common fixes</span> <span class="nb">sudo </span>systemctl restart kubelet <span class="nb">sudo </span>systemctl restart containerd </code></pre> </div> <h3> Pod Scheduling Issues </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check resource constraints</span> kubectl describe pod &lt;pod-name&gt; <span class="c"># View node resources</span> kubectl describe nodes <span class="c"># Check for taints</span> kubectl get nodes <span class="nt">-o</span> json | jq <span class="s1">'.items[].spec.taints'</span> </code></pre> </div> <h3> Networking Problems </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verify Flannel is running</span> kubectl get pods <span class="nt">-n</span> kube-flannel <span class="c"># Check pod network connectivity</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> &lt;pod-name&gt; <span class="nt">--</span> ping &lt;another-pod-ip&gt; <span class="c"># Restart networking</span> kubectl delete pods <span class="nt">-n</span> kube-flannel <span class="nt">--all</span> </code></pre> </div> <h3> Performance Issues </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Monitor resource usage</span> kubectl top nodes kubectl top pods <span class="nt">--all-namespaces</span> <span class="c"># Check for thermal throttling</span> vcgencmd measure_temp vcgencmd get_throttled </code></pre> </div> <h2> Security Considerations </h2> <h3> Basic Security Hardening </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update RBAC permissions (remove default permissions)</span> kubectl delete clusterrolebinding cluster-admin <span class="c"># Create limited service accounts</span> kubectl create serviceaccount limited-user kubectl create rolebinding limited-user <span class="nt">--clusterrole</span><span class="o">=</span>view <span class="nt">--serviceaccount</span><span class="o">=</span>default:limited-user </code></pre> </div> <h3> Network Security </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Example Network Policy</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">deny-all</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">policyTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Ingress</span> <span class="pi">-</span> <span class="s">Egress</span> </code></pre> </div> <h2> Maintenance and Updates </h2> <h3> Regular Maintenance Tasks </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update system packages (monthly)</span> <span class="nb">sudo </span>apt update <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt upgrade <span class="nt">-y</span> <span class="c"># Clean up unused images</span> <span class="nb">sudo </span>crictl rmi <span class="nt">--prune</span> <span class="c"># Check cluster health</span> kubectl get componentstatuses kubectl get nodes kubectl get pods <span class="nt">--all-namespaces</span> </code></pre> </div> <h3> Kubernetes Updates </h3> <p>Plan for quarterly Kubernetes updates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check current version</span> kubectl version <span class="c"># Plan upgrade</span> <span class="nb">sudo </span>kubeadm upgrade plan <span class="c"># Upgrade master node</span> <span class="nb">sudo </span>kubeadm upgrade apply v1.28.x <span class="c"># Upgrade worker nodes</span> <span class="nb">sudo </span>kubeadm upgrade node <span class="nb">sudo </span>systemctl restart kubelet </code></pre> </div> <h2> Learning Exercises and Next Steps </h2> <p>Now that your cluster is running, try these hands-on exercises:</p> <h3> Beginner Exercises </h3> <ol> <li> <strong>Deploy a multi-tier application</strong> (web frontend, API backend, database)</li> <li> <strong>Configure resource limits and requests</strong> for different workloads</li> <li> <strong>Set up ingress controllers</strong> for external traffic management</li> <li> <strong>Implement secrets management</strong> for sensitive configuration data</li> <li> <strong>Create persistent volumes</strong> for stateful applications</li> </ol> <h3> Intermediate Challenges </h3> <ol> <li> <strong>Deploy Prometheus and Grafana</strong> for comprehensive monitoring</li> <li> <strong>Set up automated backups</strong> using Velero</li> <li> <strong>Implement GitOps workflows</strong> with ArgoCD or Flux</li> <li> <strong>Configure service mesh</strong> with Istio (resource intensive)</li> <li> <strong>Set up disaster recovery</strong> procedures</li> </ol> <h3> Advanced Projects </h3> <ol> <li> <strong>Multi-cluster management</strong> with cluster API</li> <li> <strong>Custom operators</strong> for application lifecycle management</li> <li> <strong>Edge computing scenarios</strong> with ARM-specific optimizations</li> <li> <strong>IoT data processing pipelines</strong> leveraging the Pi's GPIO capabilities</li> <li> <strong>Machine learning workloads</strong> using TensorFlow Lite</li> </ol> <h2> Cost Analysis and ROI </h2> <p>Let's break down the economics of your home lab investment:</p> <h3> Initial Investment </h3> <ul> <li>Hardware: $200-400</li> <li>Time setup: 8-16 hours</li> <li>Learning materials: $0-100</li> </ul> <h3> Ongoing Costs </h3> <ul> <li>Electricity: ~$30/year (24/7 operation)</li> <li>Internet bandwidth: minimal impact</li> <li>Maintenance time: 2-4 hours/month</li> </ul> <h3> Learning Value </h3> <ul> <li>Kubernetes certification prep: $300+ value</li> <li>Production experience: invaluable</li> <li>Interview preparation: significant career impact</li> <li>Side project platform: enables additional learning</li> </ul> <h2> Production Readiness Checklist </h2> <p>While this cluster is perfect for learning, consider these factors for production use:</p> <h3> High Availability </h3> <ul> <li>[ ] Multiple master nodes (3 or 5)</li> <li>[ ] External etcd cluster</li> <li>[ ] Load balancer for API server</li> <li>[ ] Backup and restore procedures</li> </ul> <h3> Security </h3> <ul> <li>[ ] Certificate management</li> <li>[ ] Network policies</li> <li>[ ] Pod security standards</li> <li>[ ] Regular security updates</li> </ul> <h3> Monitoring and Logging </h3> <ul> <li>[ ] Comprehensive monitoring stack</li> <li>[ ] Centralized logging</li> <li>[ ] Alerting configuration</li> <li>[ ] Performance baselines</li> </ul> <h2> Conclusion </h2> <p>Building a Kubernetes cluster on Raspberry Pi provides an unmatched learning experience that bridges the gap between theoretical knowledge and practical expertise. You've created a real distributed system that demonstrates core Kubernetes concepts while remaining affordable and manageable.</p> <p>The skills you've developed – cluster architecture, networking, troubleshooting, and application deployment – translate directly to production environments. Whether you're preparing for certifications, building portfolio projects, or simply satisfying curiosity about container orchestration, this cluster serves as an excellent foundation.</p> <p>Remember that learning Kubernetes is a journey, not a destination. Your Pi cluster will evolve as you experiment with new technologies, deploy different applications, and encounter real-world challenges. The hands-on experience you gain from managing physical infrastructure will make you a more well-rounded engineer.</p> <p>Keep experimenting, keep learning, and most importantly, have fun with your new Kubernetes cluster! The investment in time and hardware pays dividends in career growth and technical understanding.</p> <h2> Additional Resources </h2> <ul> <li><a href="https://kubernetes.io/docs/" rel="noopener noreferrer">Official Kubernetes Documentation</a></li> <li><a href="https://www.raspberrypi.org/" rel="noopener noreferrer">Raspberry Pi Foundation</a></li> <li><a href="https://github.com/containernetworking/cni" rel="noopener noreferrer">Container Networking Interface (CNI) Specification</a></li> <li><a href="https://github.com/kelseyhightower/kubernetes-the-hard-way" rel="noopener noreferrer">Kubernetes the Hard Way</a></li> <li><a href="https://landscape.cncf.io/" rel="noopener noreferrer">CNCF Landscape</a></li> </ul> <p><em>Have you built your own Raspberry Pi Kubernetes cluster? Share your experiences and challenges in the comments below! What applications are you running on your home lab cluster?</em></p> javascript raspberrypi docker containers Purushotam Adhikari Thu, 21 Aug 2025 05:03:18 +0000 https://forem.com/caffinecoder54/monitoring-infrastructure-with-prometheus-and-grafana-a-practical-guide-ch9 https://forem.com/caffinecoder54/monitoring-infrastructure-with-prometheus-and-grafana-a-practical-guide-ch9 <p>Monitoring is crucial for maintaining healthy, performant, and reliable infrastructure, especially as systems grow in complexity. Two tools—<strong>Prometheus</strong> and <strong>Grafana</strong>—have become industry standards for metrics collection and visualization. In this article, you'll learn how to set up Prometheus and Grafana from scratch, scrape targets, build dashboards, and apply best practices—all with practical steps and code snippets.</p> <h2> What Are Prometheus and Grafana? </h2> <ul> <li> <strong>Prometheus:</strong> Open-source systems monitoring and alerting toolkit, designed for reliability and scalability. It collects metrics via HTTP and stores time-series data.</li> <li> <strong>Grafana:</strong> Visualization and analytics platform that works seamlessly with time-series databases like Prometheus. It lets you build real-time, customizable dashboards.</li> </ul> <h2> Use Cases </h2> <ul> <li>Application and server monitoring</li> <li>Infrastructure and network health tracking</li> <li>Alerting for outages or anomalies</li> <li>Capacity planning</li> </ul> <h2> Prerequisites </h2> <ul> <li>Docker (recommended for local/testing)</li> <li>Basic Linux/Unix CLI knowledge</li> <li>Ports 9090 (Prometheus) and 3000 (Grafana) open</li> </ul> <h2> 1. Spin Up Prometheus &amp; Grafana with Docker Compose </h2> <p>Create a <code>docker-compose.yml</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">prom/prometheus</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./prometheus.yml:/etc/prometheus/prometheus.yml</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9090:9090"</span> <span class="na">grafana</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">grafana/grafana</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3000:3000"</span> </code></pre> </div> <p>Add <code>prometheus.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">global</span><span class="pi">:</span> <span class="na">scrape_interval</span><span class="pi">:</span> <span class="s">15s</span> <span class="na">scrape_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">job_name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">prometheus'</span> <span class="na">static_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">targets</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">localhost:9090'</span><span class="pi">]</span> </code></pre> </div> <p>Start both with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose up <span class="nt">-d</span> </code></pre> </div> <h2> 2. Expose Metrics From a Sample App </h2> <p>Use the popular Node.js <code>express-prometheus-middleware</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>express express-prometheus-middleware </code></pre> </div> <p>Sample <code>server.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">prometheus</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-prometheus-middleware</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">prometheus</span><span class="p">({</span> <span class="na">metricsPath</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/metrics</span><span class="dl">'</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello World!</span><span class="dl">'</span><span class="p">));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3001</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Running on 3001</span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <p>Add this target to your <code>prometheus.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">job_name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">node-app'</span> <span class="na">static_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">targets</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">host.docker.internal:3001'</span><span class="pi">]</span> </code></pre> </div> <p>Reload Prometheus or restart Docker Compose.</p> <h2> 3. Explore Prometheus </h2> <p>Visit <strong><a href="http://localhost:9090" rel="noopener noreferrer">http://localhost:9090</a></strong></p> <ul> <li>Try querying: <code>http_requests_total</code> </li> <li>Check <strong>Targets</strong>: Status → Targets</li> </ul> <h2> 4. Connect Grafana to Prometheus </h2> <ol> <li>Go to <strong><a href="http://localhost:3000" rel="noopener noreferrer">http://localhost:3000</a></strong> (default user: admin / admin)</li> <li>Add Prometheus as a data source (URL: <code>http://prometheus:9090</code> if inside Docker network or <code>http://localhost:9090</code> for local)</li> <li>Save and test.</li> </ol> <h2> 5. Build Dashboards in Grafana </h2> <ul> <li>Click "Create" → "Dashboard"</li> <li>Add a panel.</li> <li>Example PromQL query: <code>http_requests_total</code> </li> <li>Choose "Visualization" type (Graph, Stat, Gauge, etc.)</li> <li>Save dashboard.</li> </ul> <h2> 6. Set Up Alerts </h2> <p>Prometheus supports rules—edit or add a <code>alert.rules.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">example</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">HighErrorRate</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">rate(http_requests_total{status="500"}[5m]) &gt; </span><span class="m">0</span> <span class="na">for</span><span class="pi">:</span> <span class="s">2m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">High</span><span class="nv"> </span><span class="s">error</span><span class="nv"> </span><span class="s">rate</span><span class="nv"> </span><span class="s">detected"</span> </code></pre> </div> <p>Reference alert rules in your <code>prometheus.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rule_files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">alert.rules.yml"</span> </code></pre> </div> <p>To receive notifications, configure <a href="https://prometheus.io/docs/alerting/latest/alertmanager/" rel="noopener noreferrer">Alertmanager</a>.</p> <h2> 7. Practical Tips &amp; Best Practices </h2> <ul> <li> <strong>Label everything:</strong> Job, instance, and custom labels provide deep filtering power.</li> <li> <strong>Dashboards:</strong> Reuse or import community dashboards from <a href="https://grafana.com/grafana/dashboards/" rel="noopener noreferrer">Grafana.com</a>.</li> <li> <strong>Persistence:</strong> For production, mount persistent storage for Prometheus data.</li> <li> <strong>Security:</strong> Protect Grafana with strong passwords and enable HTTPS on both services.</li> <li> <strong>Automate:</strong> Deploy dashboards and configs as code for reproducibility (use Ansible, Terraform, etc.).</li> </ul> <h2> Sample Queries </h2> <ul> <li>Total requests: <code>sum(rate(http_requests_total[1m]))</code> </li> <li>99th percentile latency: <code>histogram_quantile(0.99, sum(rate(http_request_duration_seconds_bucket[5m])) by (le))</code> </li> </ul> <h2> Wrapping Up </h2> <p>Setting up <strong>Prometheus</strong> and <strong>Grafana</strong> is straightforward with Docker and an excellent starting point for robust, production-grade monitoring. From scraping custom metrics to real-time visualization and alerting, this duo forms the backbone of modern observability stacks. Try extending this setup by adding exporters for MySQL, Nginx, or node-level metrics for a full infrastructure view.</p> <p>Happy monitoring!</p> infrastructureascode prometheus grafana docker Purushotam Adhikari Tue, 15 Jul 2025 04:50:47 +0000 https://forem.com/caffinecoder54/creating-a-jenkins-pipeline-for-python-applications-a-complete-guide-35f6 https://forem.com/caffinecoder54/creating-a-jenkins-pipeline-for-python-applications-a-complete-guide-35f6 <p><em>Building robust CI/CD pipelines for Python applications with Jenkins</em></p> <h2> Introduction </h2> <p>Jenkins pipelines are the backbone of modern DevOps practices, providing automated build, test, and deployment processes for Python applications. Whether you're working on a Flask web app, a Django project, or a data science pipeline, having a well-designed Jenkins pipeline ensures code quality, automates repetitive tasks, and enables reliable deployments.</p> <p>In this comprehensive guide, we'll explore how to create robust Jenkins pipelines specifically tailored for Python applications, covering everything from basic setup to advanced deployment strategies.</p> <h2> Prerequisites </h2> <p>Before we dive in, make sure you have:</p> <ul> <li>✅ Jenkins server installed and configured</li> <li>✅ Python installed on Jenkins nodes</li> <li>✅ Git repository with your Python application</li> <li>✅ Basic understanding of Jenkins and Python development</li> <li>✅ Docker (optional, for containerized deployments)</li> </ul> <h3> Essential Jenkins Plugins </h3> <p>Install these plugins through Jenkins Plugin Manager:</p> <ul> <li>Pipeline plugin</li> <li>Git plugin</li> <li>Python plugin</li> <li>HTML Publisher plugin</li> <li>JUnit plugin</li> <li>Email Extension plugin</li> <li>Docker plugin (if using containers)</li> </ul> <h2> Understanding Pipeline Types </h2> <p>Jenkins offers two main pipeline approaches:</p> <p><strong>Declarative Pipeline</strong> - More structured and easier to read, with predefined sections and built-in error handling. <em>Recommended for Python applications.</em></p> <p><strong>Scripted Pipeline</strong> - More flexible but requires more Groovy knowledge and manual error handling.</p> <h2> Basic Pipeline Structure </h2> <p>Let's start with a fundamental structure for a Python application pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">pipeline</span> <span class="o">{</span> <span class="n">agent</span> <span class="n">any</span> <span class="n">environment</span> <span class="o">{</span> <span class="n">PYTHON_VERSION</span> <span class="o">=</span> <span class="s2">"3.9"</span> <span class="n">VIRTUAL_ENV</span> <span class="o">=</span> <span class="s2">"venv"</span> <span class="o">}</span> <span class="n">stages</span> <span class="o">{</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Checkout'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">checkout</span> <span class="n">scm</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Setup Environment'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' python${PYTHON_VERSION} -m venv ${VIRTUAL_ENV} source ${VIRTUAL_ENV}/bin/activate pip install --upgrade pip '''</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Install Dependencies'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source ${VIRTUAL_ENV}/bin/activate pip install -r requirements.txt '''</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Test'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source ${VIRTUAL_ENV}/bin/activate python -m pytest tests/ --junitxml=test-results.xml '''</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Deploy'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">echo</span> <span class="s1">'Deploying application...'</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">post</span> <span class="o">{</span> <span class="n">always</span> <span class="o">{</span> <span class="n">cleanWs</span><span class="o">()</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Setting Up the Development Environment </h2> <h3> Virtual Environment Management </h3> <p>Creating isolated Python environments is crucial for consistent builds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Setup Virtual Environment'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">isUnix</span><span class="o">())</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' python3 -m venv venv source venv/bin/activate pip install --upgrade pip setuptools wheel '''</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="n">bat</span> <span class="s1">''' python -m venv venv call venv\\Scripts\\activate.bat pip install --upgrade pip setuptools wheel '''</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Smart Dependency Management </h3> <p>Handle different types of Python dependencies intelligently:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Install Dependencies'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="kt">def</span> <span class="n">requirements</span> <span class="o">=</span> <span class="o">[</span> <span class="s1">'requirements.txt'</span><span class="o">,</span> <span class="s1">'requirements-dev.txt'</span><span class="o">,</span> <span class="s1">'requirements-test.txt'</span> <span class="o">]</span> <span class="k">for</span> <span class="o">(</span><span class="n">req</span> <span class="k">in</span> <span class="n">requirements</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">fileExists</span><span class="o">(</span><span class="n">req</span><span class="o">))</span> <span class="o">{</span> <span class="n">sh</span> <span class="s2">""" source venv/bin/activate pip install -r ${req} """</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Environment Variables </h3> <p>Manage configuration through environment variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">environment</span> <span class="o">{</span> <span class="n">DATABASE_URL</span> <span class="o">=</span> <span class="n">credentials</span><span class="o">(</span><span class="s1">'database-url'</span><span class="o">)</span> <span class="n">API_KEY</span> <span class="o">=</span> <span class="n">credentials</span><span class="o">(</span><span class="s1">'api-key'</span><span class="o">)</span> <span class="n">FLASK_ENV</span> <span class="o">=</span> <span class="s1">'testing'</span> <span class="n">PYTHONPATH</span> <span class="o">=</span> <span class="s2">"${WORKSPACE}"</span> <span class="o">}</span> </code></pre> </div> <h2> Testing and Quality Assurance </h2> <h3> Unit Testing with pytest </h3> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Unit Tests'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source venv/bin/activate python -m pytest tests/unit/ \ --junitxml=reports/unit-test-results.xml \ --cov=src \ --cov-report=xml:reports/coverage.xml \ --cov-report=html:reports/coverage-html '''</span> <span class="o">}</span> <span class="n">post</span> <span class="o">{</span> <span class="n">always</span> <span class="o">{</span> <span class="n">junit</span> <span class="s1">'reports/unit-test-results.xml'</span> <span class="n">publishHTML</span><span class="o">([</span> <span class="nl">allowMissing:</span> <span class="kc">false</span><span class="o">,</span> <span class="nl">alwaysLinkToLastBuild:</span> <span class="kc">true</span><span class="o">,</span> <span class="nl">keepAll:</span> <span class="kc">true</span><span class="o">,</span> <span class="nl">reportDir:</span> <span class="s1">'reports/coverage-html'</span><span class="o">,</span> <span class="nl">reportFiles:</span> <span class="s1">'index.html'</span><span class="o">,</span> <span class="nl">reportName:</span> <span class="s1">'Coverage Report'</span> <span class="o">])</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Integration Testing </h3> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Integration Tests'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source venv/bin/activate # Start test database or services docker-compose -f docker-compose.test.yml up -d # Wait for services to be ready sleep 30 # Run integration tests python -m pytest tests/integration/ \ --junitxml=reports/integration-test-results.xml '''</span> <span class="o">}</span> <span class="n">post</span> <span class="o">{</span> <span class="n">always</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'docker-compose -f docker-compose.test.yml down'</span> <span class="n">junit</span> <span class="s1">'reports/integration-test-results.xml'</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Code Quality Checks </h3> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Code Quality'</span><span class="o">)</span> <span class="o">{</span> <span class="n">parallel</span> <span class="o">{</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Lint'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source venv/bin/activate flake8 src/ tests/ --output-file=reports/flake8-report.txt pylint src/ --output-format=parseable --reports=no &gt; reports/pylint-report.txt || true '''</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Type Checking'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source venv/bin/activate mypy src/ --junit-xml reports/mypy-report.xml || true '''</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Security Scan'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source venv/bin/activate bandit -r src/ -f json -o reports/bandit-report.json || true '''</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Security Scanning </h2> <h3> Dependency Vulnerability Scanning </h3> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Security Scan'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source venv/bin/activate # Check for known vulnerabilities safety check --json --output reports/safety-report.json || true # License compliance check pip-licenses --format=json --output-file=reports/licenses.json '''</span> <span class="o">}</span> <span class="n">post</span> <span class="o">{</span> <span class="n">always</span> <span class="o">{</span> <span class="n">archiveArtifacts</span> <span class="nl">artifacts:</span> <span class="s1">'reports/safety-report.json'</span><span class="o">,</span> <span class="nl">allowEmptyArchive:</span> <span class="kc">true</span> <span class="n">archiveArtifacts</span> <span class="nl">artifacts:</span> <span class="s1">'reports/licenses.json'</span><span class="o">,</span> <span class="nl">allowEmptyArchive:</span> <span class="kc">true</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Build and Packaging </h2> <h3> Creating Distribution Packages </h3> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Build Package'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source venv/bin/activate python setup.py sdist bdist_wheel # Verify the package twine check dist/* '''</span> <span class="o">}</span> <span class="n">post</span> <span class="o">{</span> <span class="n">success</span> <span class="o">{</span> <span class="n">archiveArtifacts</span> <span class="nl">artifacts:</span> <span class="s1">'dist/*'</span><span class="o">,</span> <span class="nl">fingerprint:</span> <span class="kc">true</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Docker Image Building </h3> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Build Docker Image'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="kt">def</span> <span class="n">image</span> <span class="o">=</span> <span class="n">docker</span><span class="o">.</span><span class="na">build</span><span class="o">(</span><span class="s2">"myapp:${env.BUILD_NUMBER}"</span><span class="o">)</span> <span class="c1">// Tag with latest if on main branch</span> <span class="k">if</span> <span class="o">(</span><span class="n">env</span><span class="o">.</span><span class="na">BRANCH_NAME</span> <span class="o">==</span> <span class="s1">'main'</span><span class="o">)</span> <span class="o">{</span> <span class="n">image</span><span class="o">.</span><span class="na">tag</span><span class="o">(</span><span class="s1">'latest'</span><span class="o">)</span> <span class="o">}</span> <span class="c1">// Push to registry</span> <span class="n">docker</span><span class="o">.</span><span class="na">withRegistry</span><span class="o">(</span><span class="s1">'https://registry.example.com'</span><span class="o">,</span> <span class="s1">'registry-credentials'</span><span class="o">)</span> <span class="o">{</span> <span class="n">image</span><span class="o">.</span><span class="na">push</span><span class="o">(</span><span class="s2">"${env.BUILD_NUMBER}"</span><span class="o">)</span> <span class="k">if</span> <span class="o">(</span><span class="n">env</span><span class="o">.</span><span class="na">BRANCH_NAME</span> <span class="o">==</span> <span class="s1">'main'</span><span class="o">)</span> <span class="o">{</span> <span class="n">image</span><span class="o">.</span><span class="na">push</span><span class="o">(</span><span class="s1">'latest'</span><span class="o">)</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Deployment Strategies </h2> <h3> Blue-Green Deployment </h3> <p>Perfect for zero-downtime deployments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Blue-Green Deploy'</span><span class="o">)</span> <span class="o">{</span> <span class="n">when</span> <span class="o">{</span> <span class="n">branch</span> <span class="s1">'main'</span> <span class="o">}</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="c1">// Deploy to green environment</span> <span class="n">sh</span> <span class="s1">''' kubectl set image deployment/myapp-green \ myapp=registry.example.com/myapp:${BUILD_NUMBER} \ --namespace=production # Wait for rollout kubectl rollout status deployment/myapp-green --namespace=production '''</span> <span class="c1">// Health check</span> <span class="kt">def</span> <span class="n">healthCheck</span> <span class="o">=</span> <span class="n">sh</span><span class="o">(</span> <span class="nl">script:</span> <span class="s2">"curl -f http://green.myapp.com/health"</span><span class="o">,</span> <span class="nl">returnStatus:</span> <span class="kc">true</span> <span class="o">)</span> <span class="k">if</span> <span class="o">(</span><span class="n">healthCheck</span> <span class="o">==</span> <span class="mi">0</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// Switch traffic</span> <span class="n">sh</span> <span class="s1">''' kubectl patch service myapp-service \ -p '{"spec":{"selector":{"version":"green"}}}' \ --namespace=production '''</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="n">error</span> <span class="s2">"Health check failed on green environment"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Canary Deployment </h3> <p>Gradual rollout with monitoring:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Canary Deploy'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="c1">// Deploy to 10% of traffic</span> <span class="n">sh</span> <span class="s1">''' kubectl patch deployment myapp-canary \ -p '{"spec":{"template":{"spec":{"containers":[{"name":"myapp","image":"registry.example.com/myapp:${BUILD_NUMBER}"}]}}}}' \ --namespace=production kubectl scale deployment myapp-canary --replicas=1 --namespace=production '''</span> <span class="c1">// Monitor metrics for 5 minutes</span> <span class="n">sleep</span><span class="o">(</span><span class="mi">300</span><span class="o">)</span> <span class="c1">// Check error rate</span> <span class="kt">def</span> <span class="n">errorRate</span> <span class="o">=</span> <span class="n">sh</span><span class="o">(</span> <span class="nl">script:</span> <span class="s2">"curl -s http://monitoring.example.com/api/error-rate"</span><span class="o">,</span> <span class="nl">returnStdout:</span> <span class="kc">true</span> <span class="o">).</span><span class="na">trim</span><span class="o">()</span> <span class="k">as</span> <span class="n">Double</span> <span class="k">if</span> <span class="o">(</span><span class="n">errorRate</span> <span class="o">&lt;</span> <span class="mf">0.01</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// Promote to full deployment</span> <span class="n">sh</span> <span class="s1">''' kubectl set image deployment/myapp \ myapp=registry.example.com/myapp:${BUILD_NUMBER} \ --namespace=production '''</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="n">error</span> <span class="s2">"Error rate too high: ${errorRate}"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Advanced Pipeline Features </h2> <h3> Matrix Builds </h3> <p>Test across multiple Python versions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">pipeline</span> <span class="o">{</span> <span class="n">agent</span> <span class="n">none</span> <span class="n">stages</span> <span class="o">{</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Test Matrix'</span><span class="o">)</span> <span class="o">{</span> <span class="n">matrix</span> <span class="o">{</span> <span class="n">axes</span> <span class="o">{</span> <span class="n">axis</span> <span class="o">{</span> <span class="n">name</span> <span class="s1">'PYTHON_VERSION'</span> <span class="n">values</span> <span class="s1">'3.8'</span><span class="o">,</span> <span class="s1">'3.9'</span><span class="o">,</span> <span class="s1">'3.10'</span><span class="o">,</span> <span class="s1">'3.11'</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stages</span> <span class="o">{</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Test'</span><span class="o">)</span> <span class="o">{</span> <span class="n">agent</span> <span class="o">{</span> <span class="n">docker</span> <span class="o">{</span> <span class="n">image</span> <span class="s2">"python:${PYTHON_VERSION}"</span> <span class="o">}</span> <span class="o">}</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' python -m venv venv source venv/bin/activate pip install -r requirements.txt pytest tests/ '''</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Parallel Execution </h3> <p>Speed up your pipeline with parallel tasks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Parallel Tasks'</span><span class="o">)</span> <span class="o">{</span> <span class="n">parallel</span> <span class="o">{</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Unit Tests'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'python -m pytest tests/unit/'</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Integration Tests'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'python -m pytest tests/integration/'</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Security Scan'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'bandit -r src/'</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Conditional Execution </h3> <p>Smart deployment logic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Deploy to Production'</span><span class="o">)</span> <span class="o">{</span> <span class="n">when</span> <span class="o">{</span> <span class="n">allOf</span> <span class="o">{</span> <span class="n">branch</span> <span class="s1">'main'</span> <span class="n">environment</span> <span class="nl">name:</span> <span class="s1">'DEPLOY_PROD'</span><span class="o">,</span> <span class="nl">value:</span> <span class="s1">'true'</span> <span class="o">}</span> <span class="o">}</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="n">timeout</span><span class="o">(</span><span class="nl">time:</span> <span class="mi">5</span><span class="o">,</span> <span class="nl">unit:</span> <span class="s1">'MINUTES'</span><span class="o">)</span> <span class="o">{</span> <span class="n">input</span> <span class="nl">message:</span> <span class="s1">'Deploy to production?'</span><span class="o">,</span> <span class="nl">ok:</span> <span class="s1">'Deploy'</span> <span class="o">}</span> <span class="o">}</span> <span class="n">sh</span> <span class="s1">'kubectl apply -f k8s/production/'</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Monitoring and Notifications </h2> <h3> Email Notifications </h3> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">post</span> <span class="o">{</span> <span class="n">failure</span> <span class="o">{</span> <span class="n">emailext</span> <span class="o">(</span> <span class="nl">subject:</span> <span class="s2">"🚨 Build Failed: ${env.JOB_NAME} - ${env.BUILD_NUMBER}"</span><span class="o">,</span> <span class="nl">body:</span> <span class="s1">''' Build failed for ${env.JOB_NAME} - ${env.BUILD_NUMBER} Check console output: ${env.BUILD_URL}console Changes: ${env.CHANGE_LOG} '''</span><span class="o">,</span> <span class="nl">to:</span> <span class="s2">"${env.CHANGE_AUTHOR_EMAIL}"</span><span class="o">,</span> <span class="nl">cc:</span> <span class="s1">'team@example.com'</span> <span class="o">)</span> <span class="o">}</span> <span class="n">success</span> <span class="o">{</span> <span class="n">emailext</span> <span class="o">(</span> <span class="nl">subject:</span> <span class="s2">"✅ Build Successful: ${env.JOB_NAME} - ${env.BUILD_NUMBER}"</span><span class="o">,</span> <span class="nl">body:</span> <span class="s2">"Build completed successfully for ${env.JOB_NAME} - ${env.BUILD_NUMBER}"</span><span class="o">,</span> <span class="nl">to:</span> <span class="s2">"${env.CHANGE_AUTHOR_EMAIL}"</span> <span class="o">)</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Best Practices </h2> <h3> 1. <strong>Use Virtual Environments</strong> </h3> <p>Always isolate your Python dependencies to ensure consistent builds across different environments.</p> <h3> 2. <strong>Implement Proper Error Handling</strong> </h3> <p>Use try-catch blocks and proper exit codes to handle failures gracefully.</p> <h3> 3. <strong>Cache Dependencies</strong> </h3> <p>Cache pip installations to speed up subsequent builds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">stage</span><span class="o">(</span><span class="s1">'Cache Dependencies'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="kt">def</span> <span class="n">cacheKey</span> <span class="o">=</span> <span class="n">sh</span><span class="o">(</span> <span class="nl">script:</span> <span class="s2">"md5sum requirements.txt"</span><span class="o">,</span> <span class="nl">returnStdout:</span> <span class="kc">true</span> <span class="o">).</span><span class="na">trim</span><span class="o">()</span> <span class="k">if</span> <span class="o">(</span><span class="n">fileExists</span><span class="o">(</span><span class="s2">"cache/${cacheKey}"</span><span class="o">))</span> <span class="o">{</span> <span class="n">sh</span> <span class="s2">"cp -r cache/${cacheKey} venv"</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="n">sh</span> <span class="s2">"pip install -r requirements.txt"</span> <span class="n">sh</span> <span class="s2">"mkdir -p cache &amp;&amp; cp -r venv cache/${cacheKey}"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> 4. <strong>Version Everything</strong> </h3> <p>Tag your builds and docker images with meaningful versions.</p> <h3> 5. <strong>Monitor Pipeline Performance</strong> </h3> <p>Track build times and optimize bottlenecks.</p> <h2> Complete Example Pipeline </h2> <p>Here's a production-ready pipeline that combines all the concepts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">pipeline</span> <span class="o">{</span> <span class="n">agent</span> <span class="n">any</span> <span class="n">environment</span> <span class="o">{</span> <span class="n">PYTHON_VERSION</span> <span class="o">=</span> <span class="s2">"3.9"</span> <span class="n">VIRTUAL_ENV</span> <span class="o">=</span> <span class="s2">"venv"</span> <span class="n">REGISTRY</span> <span class="o">=</span> <span class="s2">"registry.example.com"</span> <span class="n">APP_NAME</span> <span class="o">=</span> <span class="s2">"myapp"</span> <span class="o">}</span> <span class="n">stages</span> <span class="o">{</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Checkout'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">checkout</span> <span class="n">scm</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Setup Environment'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' python${PYTHON_VERSION} -m venv ${VIRTUAL_ENV} source ${VIRTUAL_ENV}/bin/activate pip install --upgrade pip setuptools wheel '''</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Install Dependencies'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source ${VIRTUAL_ENV}/bin/activate pip install -r requirements.txt pip install -r requirements-dev.txt '''</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Quality &amp; Security'</span><span class="o">)</span> <span class="o">{</span> <span class="n">parallel</span> <span class="o">{</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Unit Tests'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source ${VIRTUAL_ENV}/bin/activate python -m pytest tests/unit/ \ --junitxml=reports/unit-tests.xml \ --cov=src \ --cov-report=xml:reports/coverage.xml '''</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Integration Tests'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source ${VIRTUAL_ENV}/bin/activate python -m pytest tests/integration/ \ --junitxml=reports/integration-tests.xml '''</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Code Quality'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source ${VIRTUAL_ENV}/bin/activate flake8 src/ tests/ pylint src/ mypy src/ '''</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Security Scan'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source ${VIRTUAL_ENV}/bin/activate bandit -r src/ safety check '''</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Build'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' source ${VIRTUAL_ENV}/bin/activate python setup.py sdist bdist_wheel '''</span> <span class="n">script</span> <span class="o">{</span> <span class="kt">def</span> <span class="n">image</span> <span class="o">=</span> <span class="n">docker</span><span class="o">.</span><span class="na">build</span><span class="o">(</span><span class="s2">"${REGISTRY}/${APP_NAME}:${env.BUILD_NUMBER}"</span><span class="o">)</span> <span class="k">if</span> <span class="o">(</span><span class="n">env</span><span class="o">.</span><span class="na">BRANCH_NAME</span> <span class="o">==</span> <span class="s1">'main'</span><span class="o">)</span> <span class="o">{</span> <span class="n">image</span><span class="o">.</span><span class="na">tag</span><span class="o">(</span><span class="s1">'latest'</span><span class="o">)</span> <span class="o">}</span> <span class="n">docker</span><span class="o">.</span><span class="na">withRegistry</span><span class="o">(</span><span class="s2">"https://${REGISTRY}"</span><span class="o">,</span> <span class="s1">'registry-credentials'</span><span class="o">)</span> <span class="o">{</span> <span class="n">image</span><span class="o">.</span><span class="na">push</span><span class="o">(</span><span class="s2">"${env.BUILD_NUMBER}"</span><span class="o">)</span> <span class="k">if</span> <span class="o">(</span><span class="n">env</span><span class="o">.</span><span class="na">BRANCH_NAME</span> <span class="o">==</span> <span class="s1">'main'</span><span class="o">)</span> <span class="o">{</span> <span class="n">image</span><span class="o">.</span><span class="na">push</span><span class="o">(</span><span class="s1">'latest'</span><span class="o">)</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Deploy'</span><span class="o">)</span> <span class="o">{</span> <span class="n">when</span> <span class="o">{</span> <span class="n">branch</span> <span class="s1">'main'</span> <span class="o">}</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="c1">// Deploy to staging first</span> <span class="n">sh</span> <span class="s1">''' kubectl set image deployment/${APP_NAME} \ ${APP_NAME}=${REGISTRY}/${APP_NAME}:${BUILD_NUMBER} \ --namespace=staging kubectl rollout status deployment/${APP_NAME} --namespace=staging '''</span> <span class="c1">// Health check</span> <span class="kt">def</span> <span class="n">healthCheck</span> <span class="o">=</span> <span class="n">sh</span><span class="o">(</span> <span class="nl">script:</span> <span class="s2">"curl -f http://staging.${APP_NAME}.com/health"</span><span class="o">,</span> <span class="nl">returnStatus:</span> <span class="kc">true</span> <span class="o">)</span> <span class="k">if</span> <span class="o">(</span><span class="n">healthCheck</span> <span class="o">==</span> <span class="mi">0</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// Manual approval for production</span> <span class="n">timeout</span><span class="o">(</span><span class="nl">time:</span> <span class="mi">10</span><span class="o">,</span> <span class="nl">unit:</span> <span class="s1">'MINUTES'</span><span class="o">)</span> <span class="o">{</span> <span class="n">input</span> <span class="nl">message:</span> <span class="s1">'Deploy to production?'</span><span class="o">,</span> <span class="nl">ok:</span> <span class="s1">'Deploy'</span> <span class="o">}</span> <span class="c1">// Deploy to production</span> <span class="n">sh</span> <span class="s1">''' kubectl set image deployment/${APP_NAME} \ ${APP_NAME}=${REGISTRY}/${APP_NAME}:${BUILD_NUMBER} \ --namespace=production kubectl rollout status deployment/${APP_NAME} --namespace=production '''</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="n">error</span> <span class="s2">"Staging health check failed"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">post</span> <span class="o">{</span> <span class="n">always</span> <span class="o">{</span> <span class="n">junit</span> <span class="s1">'reports/*.xml'</span> <span class="n">publishHTML</span><span class="o">([</span> <span class="nl">allowMissing:</span> <span class="kc">false</span><span class="o">,</span> <span class="nl">alwaysLinkToLastBuild:</span> <span class="kc">true</span><span class="o">,</span> <span class="nl">keepAll:</span> <span class="kc">true</span><span class="o">,</span> <span class="nl">reportDir:</span> <span class="s1">'reports'</span><span class="o">,</span> <span class="nl">reportFiles:</span> <span class="s1">'coverage.xml'</span><span class="o">,</span> <span class="nl">reportName:</span> <span class="s1">'Coverage Report'</span> <span class="o">])</span> <span class="n">archiveArtifacts</span> <span class="nl">artifacts:</span> <span class="s1">'dist/*'</span><span class="o">,</span> <span class="nl">fingerprint:</span> <span class="kc">true</span> <span class="n">cleanWs</span><span class="o">()</span> <span class="o">}</span> <span class="n">failure</span> <span class="o">{</span> <span class="n">emailext</span> <span class="o">(</span> <span class="nl">subject:</span> <span class="s2">"🚨 Build Failed: ${env.JOB_NAME} - ${env.BUILD_NUMBER}"</span><span class="o">,</span> <span class="nl">body:</span> <span class="s2">"Build failed. Check: ${env.BUILD_URL}console"</span><span class="o">,</span> <span class="nl">to:</span> <span class="s2">"${env.CHANGE_AUTHOR_EMAIL}"</span> <span class="o">)</span> <span class="o">}</span> <span class="n">success</span> <span class="o">{</span> <span class="n">emailext</span> <span class="o">(</span> <span class="nl">subject:</span> <span class="s2">"✅ Build Successful: ${env.JOB_NAME} - ${env.BUILD_NUMBER}"</span><span class="o">,</span> <span class="nl">body:</span> <span class="s2">"Build completed successfully!"</span><span class="o">,</span> <span class="nl">to:</span> <span class="s2">"${env.CHANGE_AUTHOR_EMAIL}"</span> <span class="o">)</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Troubleshooting Common Issues </h2> <h3> Virtual Environment Issues </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Fix permission issues</span> <span class="nb">sudo chown</span> <span class="nt">-R</span> jenkins:jenkins /var/lib/jenkins/workspace/ <span class="c"># Clear pip cache</span> pip cache purge </code></pre> </div> <h3> Docker Build Issues </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clean docker system</span> docker system prune <span class="nt">-f</span> <span class="c"># Check disk space</span> <span class="nb">df</span> <span class="nt">-h</span> </code></pre> </div> <h3> Test Failures </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run tests with verbose output</span> python <span class="nt">-m</span> pytest <span class="nt">-v</span> <span class="nt">--tb</span><span class="o">=</span>short <span class="c"># Check test environment</span> <span class="nb">echo</span> <span class="nv">$PYTHONPATH</span> </code></pre> </div> <h2> Conclusion </h2> <p>Building robust Jenkins pipelines for Python applications requires careful consideration of testing, security, and deployment strategies. The examples provided in this guide offer a solid foundation that you can adapt to your specific needs.</p> <p>Remember to:</p> <ul> <li>Start simple and gradually add complexity</li> <li>Monitor your pipeline performance</li> <li>Keep security at the forefront</li> <li>Maintain good documentation</li> <li>Regularly update your dependencies</li> </ul> <p>With these practices, you'll have a reliable CI/CD pipeline that enhances your development workflow and ensures high-quality Python applications.</p> <p><em>What's your experience with Jenkins pipelines? Share your tips and challenges in the comments below! 👇</em></p> jenkins cicd python programming