Forem: Tharun Shiv

What defines a good workplace/job? Here's what I think

Tharun Shiv — Wed, 26 Jan 2022 11:25:19 +0000

Here is what I think a good workplace is,

Teammates are supportive, transparent, give the credits you deserve and don't steal them
You are given opportunity to explore and learn
You are not blamed time and again for the mistakes you made
You are allowed to take part, however small or huge in any project of your team
Your time & health are valued
A good compensation
Your opinions are valued if it deserves them

What do you think makes a good workplace?

Tharun

Tharun ShivFollow

Site Reliability Engineer | Blogger | Podcasts | Youtube @ developertharun

[Solved] gpgkeys: protocol `https' not supported

Tharun Shiv — Wed, 26 Jan 2022 06:12:22 +0000

Problem:

sudo apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
Executing: /tmp/tmp.o2I4wt3O3r/gpg.1.sh --fetch-keys
https://mariadb.org/mariadb_release_signing_key.asc
gpgkeys: protocol `https' not supported
gpg: no handler for keyserver scheme `https'
gpg: WARNING: unable to fetch URI https://mariadb.org/mariadb_release_signing_key.asc: keyserver error

Method 1: Install gnupg-curl

apt-get update
apt-get install gnupg-curl

Method 2: If the above does not resolve the issue, then get the key using CURL and add it manually

curl 'https://mariadb.org/mariadb_release_signing_key.asc' | apt-key add -

Method 3: If you trust the server, then use -k option to skip CA cert verification

curl -k 'https://mariadb.org/mariadb_release_signing_key.asc' | apt-key add -

The method 2 worked for me on Ubuntu Xenial.

Comment if it helped you or if you are aware of a better solution.

Thanks.

[Solved] E: Unable to correct problems, you have held broken packages.

Tharun Shiv — Wed, 26 Jan 2022 06:07:28 +0000

$ apt-get install mariadb-server
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies.
 mariadb-server : Depends: mariadb-server-10.5 (>= 1:10.5.13+maria~focal) but it is not going to be installed
N: Ignoring file 'maria.key' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
N: Ignoring file 'apt-key' in directory '/etc/apt/sources.list.d/' as it has no filename extension
E: Unable to correct problems, you have held broken packages

Install aptitude

sudo apt-get install aptitude

Use aptitude to install packages

sudo aptitude install mariadb-server

Use the Yes or No options to find the right combinations of the packages and set them up.

Comment if you know any other efficient solutions.
thanks.

Here's a secret to get a promotion at work even with WFH

Tharun Shiv — Fri, 21 Jan 2022 17:04:47 +0000

Let us look at 8 ways in which you can become a better engineer at work. Engineering not just involves various technologies to deal with and keep them running, but also several non-technical characteristics.

1. Working as an Engineer is all about the right Mindset

a. No blame game

b. Thirst to solve

As an engineer we deal with multiple components and are a bridge between the users and the application. Even though the application is well written, a bigger responsibility falls upon Engineers to keep the applications and the services it uses up and running. In this process, there might be a few situations where one of the Engineers does a mistake that causes a disruption or even an outage. When this happens, the first thing to happen shouldn't be to blame anyone for the outage, but the following has to be performed.

i. Fix the issue

ii. Write an RCA ( Root Cause Analysis ) that mentions why the issue occurred in the first place, the names can be anonymous.

iii. Mention the first aid and the fix for the issue

iv. Discuss how the issue can be prevented the next time

v. Set an ETA for the fix

Another aspect is to have the right mindset to solve problems. As an Engineer you have the responsibility to optimize the infrastructure, fix issues, build automation tools, monitoring tools, and more, which requires a lot of problem-solving skills. Unless you have the thirst to solve the problems, you will only feel more stressed out, or even worse, would cause issues.

2. Communication

a. Overcommunication is not a problem

b. Be kind and show empathy

Are you performing a production activity or even a stage change that could affect other teams? Have you made progress in the project that you are working on? Make sure to keep the necessary stakeholders in sync always. Write emails, send slack messages well in advance before the production activity, just before and after the activity. It might sound like over-communication, but trust me, as the company scales, you need to keep everyone relevant to the component that you are working on in sync. This way, if they have to take any actions from their side, they will do it, or if they face any issues post-activity they'll know who the right person to get in touch with is.

One other important characteristic to have as a human being is to be kind and show empathy. This will apply to all levels of engineering on either side of the conversation, period. Whether someone asks a silly question, or does a mistake, or behaves rudely with you, you should never mirror that behavior.

3. Stay synced with the team

a. Do not miss team meetings

b. Prevent duplication of work

c. Do not compete, but contribute

In this work from home ( WFH ) period, the only time where you have an opportunity to speak to your teammates is during a team meet. The reason why this is special is, you get an opportunity to stay synced with your team on what they all are working on, whether they are blocked on any tasks, how you can contribute to their tasks and also you will be using this opportunity to convey on what you are working on and get help if necessary. This also prevents duplication of work.

4. Shadow teammates on tasks and issues

The best way to learn is by doing it hands-on and the best way to begin would be by watching how it is done. I also believe that the best way to retain the learned information is by performing it repeatedly. This also includes watching your teammates perform the activities. It ensures that the activity is done without any mistakes when there are several eyes to watch it.

5. No Spoon-feeding, do homework

Do not expect all details to be taught by your teammates and seniors. Read the documentation, watch tutorials, read engineering blogs, practice on your own, and suggest improvisations. Even a well-built system will have much more efficient solutions, that you can propose.

6. Be attentive and cautious on production

I've heard people pretending to work while watching web series. They might be proud of their multitasking skills, but as far as I know, there is no such thing as multitasking at work while watching a web series and I highly recommend one to not do that. If you are interested in watching a series, I would suggest you use that motivation to focus on the work, finish the tasks quickly and reward yourself with a couple of episodes later in the evening.

Attention is the core necessity of life, and the same holds true to an Engineer. Be attentive to the commands you run, the alerts you get, the trend the charts show, and the logs of the services and applications. Prepare for activities well in advance and let the actual activities be a no-brainer copy-paste so that you can pay attention to other indications during the activity.

7. Think before you hit enter

Do not underestimate sudo privilege. A lot of us have a habit to enter into the sudo mode as soon as we login into a machine, which is unnecessary. Even if the command you are running looks like a harmless command, make sure to get the process and commands reviewed by your teammates, seniors, or the subject experts, this will save you from outages.

8. Keep version control systems in sync

Whether it is NGINX config or any service config, make sure to keep the version control system that is isolated from the system in sync. No one hopes for the machine to become unresponsive, but when the machine becomes unusable all of a sudden, you have another opportunity to bring up alternate machines with the same configs as the previous ones. Keeping the version control system in sync also helps in automation.

This article was initially written for an SRE, but the more I read it, the more I felt that this is not just for an SRE but for any Engineer.

Check out my YouTube Channel here: Developer Tharun - YouTube

Thank you for reading the article.

Written by,

Tharun ShivFollow

Site Reliability Engineer | Blogger | Podcasts | Youtube @ developertharun

Thank you for reading, This is Tharun Shiv a.k.a Developer Tharun

MySQL MariaDB setup on Linux Ubuntu with SSL/TLS - 2022 - Video

Tharun Shiv — Thu, 20 Jan 2022 15:46:14 +0000

18 ways to ATTACK a Vault server | Production hardening | Tharun

Tharun Shiv — Sun, 16 Jan 2022 06:25:25 +0000

YouTube video

Podcast:

Episode

In this episode we will look at 18 ways in which your Hashicorp Vault server or any Linux server in general can be attacked. We will also discuss on how to prevent those and secure your server. This process is also known as production hardening.

Written by,

Tharun ShivFollow

Site Reliability Engineer | Blogger | Podcasts | Youtube @ developertharun

Thank you for reading, This is Tharun Shiv a.k.a Developer Tharun

System Architecture of WhatsApp end to end encryption of backup [2022]

Tharun Shiv — Sun, 16 Jan 2022 06:20:25 +0000

YouTube

Part 1:

Part 2:

Podcast:

Part 1:

Part 2:

Episode

In the above episodes we look at how WhatsApp encrypts the backups end to end. There are two flows involved here, one is based on password and the other without. We will look at the whitepaper of WhatsApp where they have mentioned about the entire process in detail.

Written by,

Tharun ShivFollow

Site Reliability Engineer | Blogger | Podcasts | Youtube @ developertharun

Thank you for reading, This is Tharun Shiv a.k.a Developer Tharun

Setup Vault in HA with MySQL backend in 10 minutes | Hashicorp | Tutorial | Tharun

Tharun Shiv — Sun, 16 Jan 2022 05:35:10 +0000

How to set up Vault in High Availability ( HA mode ) with MySQL as storage backend

In this tutorial we will look at how we can use MySQL as a backend to Vault. This setup will involve end to end TLS. We have already seen how to setup Vault with TLS frontend. We also saw how we can setup MySQL with TLS frontend. In this tutorial, we will look at how we can use TLS Enabled MySQL as a storage backend to Vault. This is a complete secure production setup.

Tutorial on how to setup Vault Dev & Production mode:

Hashicorp Vault | Dev and Prod server setup | Unseal | Policies | TLS setup | Tharun

Tharun Shiv ・ Jan 2 '22

#security #database #beginners #devops

Tutorial on how to setup TLS/SSL enabled MySQL/MariaDB:

Easiest way to setup MySQL/MariaDB with TLS/SSL in 10 minutes- v10.5 - Any OS - Ubuntu Focal | Developer Tharun

Tharun Shiv ・ Jan 15 '22

#mysql #beginners #tutorial #database

Create Vault user in MySQL

The Vault service needs credentials to login into MySQL server in order to store data and metadata in a backend. We will create this user in MySQL now.

mysql -uroot -p --ssl-ca=/etc/mysql/certs/ca.pem
<Enter password>

# create user
CREATE USER '<vault-mysql-username>'@'%' IDENTIFIED BY '<vault-mysql-password>';

# grant privileges
GRANT ALL PRIVILEGES ON vault.* TO '<vault-mysql-username>'@'%';

MySQL Bind Address

When setting up Vault, I came across difficulties bringing up the Vault server. I have listed the challenges and solution at the end of this post. One point I would like to address is the MySQL Bind address. This configuration of MySQL defines to which network interface the MySQL process binds to / listens on. The other clients such as Vault will be able to access MySQL by sending requests to this particular interface only.

We have seen where to set this in the below tutorial

Easiest way to setup MySQL/MariaDB with TLS/SSL in 10 minutes- v10.5 - Any OS - Ubuntu Focal | Developer Tharun

Tharun Shiv ・ Jan 15 '22

#mysql #beginners #tutorial #database

MySQL CA Pem file

Vault server needs the CA.pem of the MySQL server that we used in the MySQL TLS setup tutorial. Copy that to a directory that vault can access

cp ~/certs/ca.pem /opt/vault/tls/mysql-ca.pem

chown -R vault: /opt/vault/tls

Vault config

In the above tutorials we have setup Vault, now let us configure it to use MySQL Backend.

/etc/vault.d/vault.hcl:

ui = true ## or false

# MySQL backend config
storage "mysql" {
  ha_enabled = "true"
  address = "<mySQL-hostname>:3306"
  username = "<vault-mysql-username>"
  password = "<vault-mysql-password>"
  database = "<vault-mysql-database>"
  #plaintext_connection_allowed = "true" #non-TLS mysql
  #path to CA.pem to verify MySQL SSL
  tls_ca_file = "<path-to-mysql-ca-pem>" 
}

# Vault server listen configuration
listener "tcp" {
  address       = "<vault-hostname/IP>:8200"
  tls_cert_file = "<path-to-vault-tls-cert>"
  tls_key_file  = "<path-to-vault-tls-key>"
}

# the address to advertise for HA purpose
api_addr="https://<vault-hostname>:8200"

Restart Vault

Now we can go ahead export the Vault variables and restart the vault server

export VAULT_ADDR="https://<vault-server>:8200"
export VAULT_CACERT="<path-to-vault-tls-cert>"

# make sure MySQL is running and listening

# now restart / start Vault
service vault start 

# or
service vault restart

# check Vault server logs
journalctl -u vault.service 

# check Vault status
vault status

We have successfully setup Vault with TLS frontend, TLS MySQL backend, thereby securing Vault end to end making it a perfect Production setup.

Although there are 18 ways in which a Hashicorp Vault server can be attacked, and I have covered it in the below Video

Thank you for reading, This is Tharun Shiv a.k.a Developer Tharun

You can find more articles here: https://dev.to/developertharun

Roadrunners is a series that is aimed at delivering concepts as precisely as possible. Here, a roadrunner is referred to as a person who does things super fast & efficiently. Are you a roadrunner?

Thank you

Easiest way to setup MySQL/MariaDB with TLS/SSL in 10 minutes- v10.5 - Any OS - Ubuntu Focal | Developer Tharun

Tharun Shiv — Sat, 15 Jan 2022 16:58:40 +0000

MySQL/MariaDB setup

In this tutorial we will look at how to setup MariaDB/MySQL including SSL/TLS. This will enable the clients connecting with the MySQL server. We will add repository, install mariadb-server, generate certs, place them in the right folder, edit the configurations and test it.

Link to fetch the respective repository

Link to the MariaDB Downloads page

On the above page:

Choose a distribution
Choose a MariaDB Server version

Once you do this, you will be able to view the commands to install MariaDB Server on your system of any operating system ( OS ). In this tutorial I have chosen Ubuntu Focal ( 20.04 ) and a MariaDB Server version of 10.5

Add Apt Repositories



sudo apt-get install software-properties-common dirmngr apt-transport-https
sudo apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
sudo add-apt-repository 'deb [arch=amd64,arm64,ppc64el,s390x] https://mirrors.aliyun.com/mariadb/repo/10.5/ubuntu focal main'

sudo apt update

Install MariaDB server



sudo apt install mariadb-server-10.5

Setup root user



service mysql status

mysql_secure_installation # walk through the process with default options along with the new password when prompted

root@ubuntu-focal:/etc/mysql# mysql_secure_installation 

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

Switch to unix_socket authentication [Y/n] Y
Enabled successfully!
Reloading privilege tables..
 ... Success!

Change the root password? [Y/n] Y
New password: <enter-new-password-here>
Re-enter new password: <enter-new-password-here>
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Login into MySQL



mysql -uroot -p
Enter password: <enter-new-password-here>



Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 47
Server version: 10.5.13-MariaDB-1:10.5.13+maria~focal mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> select user,host from mysql.user;

+-------------+-----------+
| User        | Host      |
+-------------+-----------+
| root        | 127.0.0.1 |
| root        | ::1       |
| mariadb.sys | localhost |
| root        | localhost |
+-------------+-----------+
4 rows in set (0.004 sec)

MariaDB [(none)]> CREATE USER 'vault'@'192.%' IDENTIFIED BY '2%r3o0u8jf@e8owh*hfeu^8f0';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON vault.* TO 'vault'@'%';
Query OK, 0 rows affected (0.002 sec)

MariaDB [(none)]> select user,host from mysql.user;
----------+-----------+
| User        | Host      |
+-------------+-----------+
| vault       | %         |
| root        | 127.0.0.1 |
| root        | ::1       |
| mariadb.sys | localhost |
| root        | localhost |
+-------------+-----------+
5 rows in set (0.004 sec)

TLS Setup of MariaDB

We have setup MySQL/MariaDB above without TLS. For most of the setups the above would be sufficient. To take it to the next level, we will add TLS ability here such that the data transferred between the client and MySQL is encrypted and secure.

Generation of certificates

There are several ways to generate certificates. If you are at an organization, it probably has a standard way to generate a CA. You are free to go ahead and get the CA Cert, Server Cert and Server Key using that way. If not, follow the below steps. No Pre-requisites required.

Generate CA ( Certificate Authority ) Key and Certificates



mkdir ~/certs
cd ~/certs

# generate CA Key with 4096 bits
openssl genrsa -des3 -out ca.key 4096

# generate CA pem from the ca.key
openssl req -x509 -new -nodes -key ca.key -sha256 -days 900 -out ca.pem

How to make the operating system trust this self signed cert?



sudo apt-get install -y ca-certificates

#Convert the ca.pem certificate to a ca.crt certificate file.
openssl x509 -outform der -in ./ca.pem -out ./ca.crt

#Copy the ca.crt file to the /usr/local/share/ca-certificates directory.
sudo cp ./ca.crt /usr/local/share/ca-certificates

#Update the certificate store.
sudo update-ca-certificates

Generation of Server key and Server cert

We will generate server key and use it to generate a CSR ( Certificate Signing Request ). We will take this to the Certificate Authority and get it signed by the CA. Thus we will get the server cert. In this process we will also use the server extensions.



# Generate the server.key
openssl genrsa -out server.key 2048

# Generate the CSR and answer the questions
openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:KA
Locality Name (eg, city) []:Blr
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Developer Tharun
Organizational Unit Name (eg, section) []:Blog  
Common Name (e.g. server FQDN or YOUR name) []:server-fqdn.server.environment
Email Address []:sre@org.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <not mandatory, can be skipped, hit enter>
An optional company name []: <not mandatory, can be skipped, hit enter>

# Add the below to a file
# server.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = <mention the server FQDN>

# Create the cert using the Certificate Authority cert and key
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
-CAcreateserial -out server.crt -days 365 -sha256 -extfile server.ext

# Verify the cert generated using the ca
# This way you will be able to verify that the server cert was created using this CA
openssl verify -CAfile ca.pem server.crt
server.crt: OK

Place the certs in the MySQL folder



# Create mysql certs folder
mkdir /etc/mysql/certs

cp ~/certs/ca.pem ~/certs/server.crt ~/certs/server.key /etc/mysql/certs

chown -R mysql: /etc/mysql/certs

Configure MySQL Server



# Place the config in the below file
# to override the configs in my.cnf
vim /etc/mysql/mariadb.conf.d/50-server.cnf

[mysqld]
bind-address    = 0.0.0.0
ssl_ca=/etc/mysql/certs/ca.pem
ssl_cert=/etc/mysql/certs/server.crt
ssl_key=/etc/mysql/certs/server.key

Restart MySQL



service mysql restart

We will be able to login without certificate too, as a root user. When we do this, the connection will not use SSL connection, the data will not be encrypted. Let's confirm that



mysql -uroot -p  # without any SSL/TLS encryption
<Enter password>



MariaDB [(none)]> \s
--------------
mysql  Ver 15.1 Distrib 10.5.13-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Connection id:          48
Current database:
Current user:           root@localhost
SSL:                    Not in use  #<-----------------------
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.5.13-MariaDB-1:10.5.13+maria~focal mariadb.org binary distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /run/mysqld/mysqld.sock
Uptime:                 3 hours 43 min 54 sec

Threads: 3  Questions: 110  Slow queries: 0  Opens: 34  Open tables: 27  Queries per second avg: 0.008
--------------

We can see above that SSL is not in use. Let us login using SSL abilities



mysql -p --ssl-ca=/etc/mysql/certs/ca.pem



MariaDB [(none)]> \s
--------------
mysql  Ver 15.1 Distrib 10.5.13-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Connection id:          33
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.5.13-MariaDB-1:10.5.13+maria~focal mariadb.org binary distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /run/mysqld/mysqld.sock
Uptime:                 2 min 6 sec

Threads: 1  Questions: 68  Slow queries: 0  Opens: 32  Open tables: 25  Queries per second avg: 0.539
--------------

MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
+---------------------+-----------------------------+
| Variable_name       | Value                       |
+---------------------+-----------------------------+
| have_openssl        | YES                         |
| have_ssl            | YES                         |
| ssl_ca              | /etc/mysql/certs/ca.pem     |
| ssl_capath          |                             |
| ssl_cert            | /etc/mysql/certs/server.crt |
| ssl_cipher          |                             |
| ssl_crl             |                             |
| ssl_crlpath         |                             |
| ssl_key             | /etc/mysql/certs/server.key |
| version_ssl_library | OpenSSL 1.1.1f  31 Mar 2020 |
+---------------------+-----------------------------+
10 rows in set (0.001 sec)

How to Force users to use SSL?

We saw that the root user had a choice to choose between SSL and non-SSL connection. But what if we wanted to force a user and require SSL connection else drop the connection. This is possible by creating the user with REQUIRE SSL.



MariaDB [(none)]> create user 'tharun'@'%' identified by 'xr7y(#$&*ox8r7#Y$xo87n' REQUIRE SSL; 
Query OK, 0 rows affected (0.004 sec)

MariaDB [(none)]> show grants for 'tharun'@'%';
+-------------------------------------------------------------------------------------------------------------------+
| Grants for tharun@%
  |
+-------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `tharun`@`%` IDENTIFIED BY PASSWORD '*A5F8D7B95653CF24C6DC9628BC84B0B2FF89D9DF' REQUIRE SSL |
+-------------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

The user has been created. Now exit out of MySQL prompt and login using the tharun user



root@ubuntu-focal:~/certs# mysql -utharun -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'tharun'@'localhost' (using password: YES)

We see that the user is not able to login without the ca.pem file. Here onwards the client will need the ca.pem file in order to connect to MySQL Server.

More trending articles on Hashicorp Vault:

What is Vault? Why do we need it?

Hashicorp Vault | What & Why? | All you need to know about Vault | Secrets management for roadrunners

Tharun Shiv ・ Jan 2 '22

#security #beginners #tutorial #devops

Set up a Vault Dev and Production server in 5 minutes:

Hashicorp Vault | Dev and Prod server setup | Unseal | Policies | TLS setup | Tharun

Tharun Shiv ・ Jan 2 '22

#security #database #beginners #devops

Thank you for reading, This is Tharun Shiv a.k.a Developer Tharun

You can find more articles here: https://dev.to/developertharun

Roadrunners is a series that is aimed at delivering concepts as precisely as possible. Here, a roadrunner is referred to as a person who does things super fast & efficiently. Are you a roadrunner?

Thank you

What are Vault User Policies & how to create them? Hashicorp Vault

Tharun Shiv — Sat, 15 Jan 2022 14:43:01 +0000

Hashicorp Vault

Hashicorp Vault is an opensource software from Hashicorp. Vault is used to manage secrets.

What is a secret?

Secrets can be considered as anything that one uses to authenticate, authorize themselves. Secrets are also pieces of information that are private to any user.

What are policies?

Policies help you create rules that define access to various secrets. We can create policies that allow certain level access like create access, update access, read access, delete access and so on. We then assign this policy to a particular authentication mechanism of a user. This user will have only those access mentioned in the policies attached to his credentials. This way, Vault makes sure that we provide minimal and only necessary access to Vault stakeholders.



# export variables that will be used by Vault when commands 
# are run in the current terminal session
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='s.hfAJfADfj...'

# check Vault server status
vault status

# login into Vault
vault login

# view current logged in token information
vault token lookup

# create policies and respective tokens
vim secret-user-policy.hcl
path "secret/data/*" {  capabilities = ["read"] }

vim secret-admin-policy.hcl
path "secret/data/*" {  capabilities = ["read", "create", "update"] }

# command to write policy
vault policy write secret-user-policy secret-user-policy.hcl
vault policy write secret-admin-policy secret-admin-policy.hcl

# read policy
vault policy read secret-user-policy
vault policy read secret-admin-policy

# list policies
vault policy list

# create token
vault token create -format=json -policy="secret-user-policy"
vault token create -format=json -policy="secret-admin-policy"
#

The hcl file contains the path and capabilities mainly. The path is used to mention which capabilities the enclosed ones are applicable to. Paths allow us to use regular expressions in them to match various Vault paths. The capabilities include:

read: Similar to the GET HTTP method, allows reading the data at the given path.
create: Similar to the POST & PUT HTTP Method, allows creating data at the given path. Very few parts of Vault distinguish between create and update, so most operations require both create and update capabilities. Parts of Vault that provide such a distinction are noted in documentation.
update: Similar to the POST & PUT HTTP Method, allows changing the data at the given path. In most parts of Vault, this implicitly includes the ability to create the initial value at the path.
delete: Similar to the DELETE HTTP Method, allows deleting the data at the given path.
list: Allows listing values at the given path.
sudo: Allows access to paths that are root-protected. Tokens are not permitted to interact with these paths unless they have the sudo capability
deny: Disallows access. This always takes precedence regardless of any other defined capabilities, including sudo.

Source

Testing the policies

Now testing the policies



# now open two tmux sessions for each type of user to test policies
tmux new -s demo # and split screens for admin and user

# at each of the tmux window
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='s.hfAJfADfj...'

vault login # enter repective tokens
vault token lookup # to view current logged in token information

# on admin window & notice versions
vault kv put secret/data/mysql username=root

# add multiple keys in a single command 
vault kv put secret/data/mysql username=root password=root

# prevent recording the value of the token in terminal history
vault kv put secret/data/googlecloud token=-

# read from a json file
vault kv put secret/data/googlecloud @apitoken.json

# add multiple keys in a single command 
vault kv put secret/data/aerospike \
     username=root \
     password=root \
     tlsname=securecert \
     namespace=hashicorp

# read secret
vault kv get secret/data/mysql

# ON USER WINDOW
vault kv put secret/data/mysql username=root # Will not work since this user does not have privileges

vault kv get secret/data/mysql

Thus, we have seen what goes into creating a policy, how to create one, and have also tested the policies to see the difference between them.

More trending articles on Hashicorp Vault:

What is Vault? Why do we need it?

Hashicorp Vault | What & Why? | All you need to know about Vault | Secrets management for roadrunners

Tharun Shiv ・ Jan 2 '22

#security #beginners #tutorial #devops

Set up a Vault Dev and Production server in 5 minutes:

Hashicorp Vault | Dev and Prod server setup | Unseal | Policies | TLS setup | Tharun

Tharun Shiv ・ Jan 2 '22

#security #database #beginners #devops

Written by,

Tharun ShivFollow

Site Reliability Engineer | Blogger | Podcasts | Youtube @ developertharun

Thank you for reading, This is Tharun Shiv a.k.a Developer Tharun

You can find more articles here: https://dev.to/developertharun

Roadrunners is a series that is aimed at delivering concepts as precisely as possible. Here, a roadrunner is referred to as a person who does things super fast & efficiently. Are you a roadrunner?

Thank you

8 ways to become a BETTER SRE ( Right now! ) | 8 non-technical characteristics to have

Tharun Shiv — Fri, 14 Jan 2022 11:25:11 +0000

Site Reliability Engineering, also popularly referred to as the SRE, is a role in Computer Science Engineering where the main purpose is to provision, maintain, monitor, and manage the infrastructure to provide maximum application uptime and reliability. SRE is an emerging role, but the tasks that the SRE does were always there ever since the first application that was developed. The scope of the software developers ends where they write code to develop the application and right from setting up the infrastructure, the various services that run on them, the network connectivity that is required, providing a platform for the application to run and making sure every part of the application is up and running reliably 24x7 is the duty of an SRE. We can consider Site Reliability Engineers are the strong bridge between the users and a reliable application.

Let us look at 8 ways in which you can become a better SRE at work. SRE not just involves various technologies to deal with and keep them running, but also several non-technical characteristics.

1. SRE is all about the right Mindset

a. No blame game

b. Thirst to solve

As an SRE we deal with multiple components and are a bridge between the users and the application. Even though the application is well written, a bigger responsibility falls upon SRE to keep the applications and the services it uses up and running. In this process, there might be a few situations where one of the SRE does a mistake that causes a disruption or even an outage. When this happens, the first thing to happen shouldn't be to blame anyone for the outage, but the following has to be performed.

i. Fix the issue

ii. Write an RCA ( Root Cause Analysis ) that mentions why the issue occurred in the first place, the names can be anonymous.

iii. Mention the first aid and the fix for the issue

iv. Discuss how the issue can be prevented the next time

v. Set an ETA for the fix

Another aspect is to have the right mindset to solve problems. As an SRE you have the responsibility to optimize the infrastructure, fix issues, build automation tools, monitoring tools, and more, which requires a lot of problem-solving skills. Unless you have the thirst to solve the problems, you will only feel more stressed out, or even worse, would cause issues.

2. Communication

a. Overcommunication is not a problem

b. Be kind and show empathy

3. Stay synced with the team

a. Do not miss team meetings

b. Prevent duplication of work

c. Do not compete, but contribute

4. Shadow teammates on tasks and issues

5. No Spoon-feeding, do homework

6. Be attentive and cautious on production

Attention is the core necessity of life, and the same holds true to an SRE. Be attentive to the commands you run, the alerts you get, the trend the charts show, and the logs of the services and applications. Prepare for activities well in advance and let the actual activities be a no-brainer copy-paste so that you can pay attention to other indications during the activity.

7. Think before you hit enter

8. Keep version control systems in sync

Listen to the Podcast with more examples and explanation

Read about what Site Reliability Engineering is and what are the 4 main things that the Site Reliability Engineers take part in: Link to the Article

Check out my YouTube Channel here: Developer Tharun - YouTube

Thank you for reading the article.

Written by,

Tharun ShivFollow

Site Reliability Engineer | Blogger | Podcasts | Youtube @ developertharun

Thank you for reading, This is Tharun Shiv a.k.a Developer Tharun

#1 What's Site Reliability Engineering [SRE] | Roles & Responsibilities | Technologies involved

Tharun Shiv — Sat, 08 Jan 2022 12:30:04 +0000

Site reliability engineering

Site Reliability Engineering, also popularly referred to as the SRE, is a role in Computer Science Engineering where the main purpose is to provision, maintain, monitor, and manage the infrastructure in order to provide maximum application uptime and reliability. SRE is an emerging role, but the tasks that the SRE does were always there ever since the first application that was developed. The scope of the software developers ends where they write code to develop the application and right from setting up the infrastructure, the various services that run on them, the network connectivity that is required, providing a platform for the application to run and making sure every part of the application is up and running reliably 24x7 is the duty of an SRE. In fact, we can consider Site Reliability Engineers are the strong bridge between the users and a reliable application.

Now, in order to explain the different responsibilities of an SRE, I have divided it into 4 different categories. I have always seen SRE this way, and definitely not as some ad-hoc process. The four categories in which I would classify the tasks of a Site Reliability Engineer are:

Create
Monitor
Manage
Destroy

Let's dive deep into each one of them.

Create

1. Provision virtual machines / PXE Baremetals

SREs are responsible for provisioning the virtual machines with the requested resources in terms of CPU, memory, disks, network configurations, and operating system. In case a bare metal needs to be set up, it is also performed with the provided configurations. The SREs use Linux commands, automation scripts to provision the server as quickly as possible. They are also responsible to be rack aware during provisioning. Example operating systems involve Linux Ubuntu, CentOS, Windows.

2. Setup services

Once the machines are provisioned, the SRE also takes care of setting up the services on the machines. These services can be networking services, proxy or load balancing services, container or orchestration services, message queues, databases, caching systems, big data services, or more, along with the disk setup. In this way, the SRE are exposed to a variety of technology and play an important role in the components involved in an application. Example technologies involve NGINX, Apache, RabbitMQ, Kafka, Hadoop, Traefik, MySQL, PostgreSQL, Aerospike, MongoDB, Redis, MinIO, Kubernetes, Apache Mesos, Marathon, MariaDB, Galera.

3. Optimize the infrastructure

Since there are several components and services that are being used in the infrastructure, there is a scope for improvements in terms of performance, efficiency, and security. The SRE optimizes the components by keeping them up to date, choosing the right service for the right job, patching the servers.

4. Write monitoring scripts

When the SRE are involved in maintaining an infrastructure of any size, they never underestimate any component of the infrastructure and write a monitoring script to monitor the components and metrics of each and every one of them. This provides the ability to get real-time alerts on any of the components malfunctioning and also a better view of the infrastructure. The SRE uses programming languages like Bash, Python, Golang, Perl, and tools like daemon processes, Riemann, InfluxDB, OpenTSDB, Kafka, Grafana, Prometheus, and APIs to monitor the infrastructure.

5. Write automation scripts

If there are more than 10 steps to be performed and chances are that the task has to be performed more than once, the SRE never hesitate to automate the task. This saves time and also prevents human error. The SRE uses programming languages like Bash, Python, Golang, Perl, Ansible to automate the tasks.

6. Manage users on the machines

One of the main security precaution that the SRE take is to restrict user access to the components in the infrastructure. They use various technologies like VPN ( Virtual Private Network ), firewall, configuration files, user management on machines, LDAP, sudoer configuration, PAM, OTP, two-factor authentications, SSH keys, and more to avoid unauthorized access to any component of the infrastructure.

These are the create aspects of a Site Reliability Engineer. In the next article we will read about the Monitor aspect of a Site Reliability Engineer.

Complete Video:

Watch the video above or listen to the full podcast exclusively below

Podcast:

You can find more articles here: https://www.tharunshiv.com

Thank you

Check out my YouTube Channel here: Developer Tharun - YouTube

Written by,

Tharun ShivFollow

Site Reliability Engineer | Blogger | Podcasts | Youtube @ developertharun

Thank you for reading, This is Tharun Shiv a.k.a Developer Tharun