카테고리 보관물:  IT

K8S

CKAD Cronjob 문제 후기 – 20250618

댓글 남기기

출제 문제

※ 기억에 의존해 복기하는 문제라 오류가 있을 수 있습니다.
참고만 부탁 드립니다.

  • 30분 마다 job을 스케쥴 처리할 수 있는 cronjob 생성
  • cronjob 이름은 grep, namespace는 devops 사용할 것
  • 성공 history는 64개, 실패 history는 160개 보관
  • job이 실행되고 8초 이내에 완료 되지 못하면 중단할 것
  • pod가 중단 되더라도 재실행 되지 않을 것
  • container 이름: busybox
    image: busybox:stable,
    command: [“grep”, “-i”, “NAMESERVER”, “/etc/resolv.conf”]
  • cronjob 테스트를 위해 job을 별도로 생성해볼 것
    job 이름: grep-test
    namespace: devops

# Kubernetes 메뉴얼
https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs
https://kubernetes.io/docs/concepts/workloads/controllers/job/

# cronjob-grep.yaml 생성

apiVersion: batch/v1
kind: CronJob
metadata:
  name: grep
  namespace: devops
spec:
  schedule: "*/30 * * * *"
  successfulJobsHistoryLimit: 64
  failedJobsHistoryLimit: 160
  jobTemplate:
    spec:
      activeDeadlineSeconds: 8
      template:
        spec:
          containers:
          - name: busybox
            image: busybox:stable
            imagePullPolicy: IfNotPresent
            command: ["grep", "-i", "NAMESERVER", "/etc/resolv.conf"]
          restartPolicy: Never
# job-grep-test.yaml 생성

apiVersion: batch/v1
kind: Job
metadata:
  name: grep-test
  namespace: devops
spec:
  activeDeadlineSeconds: 8
  template:
    spec:
      containers:
      - name: busybox
        image: busybox:stable
        imagePullPolicy: IfNotPresent
        command: ["grep", "-i", "NAMESERVER", "/etc/resolv.conf"]
      restartPolicy: Never
# cronjob 생성 및 상태 확인
$ k apply -f cronjob-grep.yaml
$ k get cronjob -n devops
$ k describe cronjob -n devops grep

# job 생성 및 실행 상태 확인
$ k apply -f job-grep-test.yaml
$ k get job -n devops
$ k describe job -n devops grep-test
$ k get po -n devops # pod의 Completed 상태 확인
Certificate

Let’s Encrypt 인증서 생성 실패

댓글 남기기

certbot을 통해 Let’s Encrypt 인증서 생성을 진행할 때 인증서 생성이 실패하는 경우가 있습니다.

다양한 경우의 수가 있겠지만 이 경우는 selinux의 차단으로 인해 발생하는 경우입니다.

[root@test ~]# sudo certbot certonly --cert-name sierracloud.kro.kr -d www.sierracloud.kro.kr

2025-01-01 01:13:22,268:DEBUG:certbot._internal.main:certbot version: 2.11.0
2025-01-01 01:13:22,268:DEBUG:certbot._internal.main:Location of certbot entry point: /bin/certbot
2025-01-01 01:13:22,268:DEBUG:certbot._internal.main:Arguments: ['--cert-name', 'sierracloud.kro.kr', '-d', 'www.sierracloud.kro.kr', '-v']
2025-01-01 01:13:22,268:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-01-01 01:13:22,275:DEBUG:certbot._internal.log:Root logging level set at 20
2025-01-01 01:13:22,276:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2025-01-01 01:13:22,276:DEBUG:certbot._internal.plugins.selection:Multiple candidate plugins: * standalone
Description: Runs an HTTP server locally which serves the necessary validation files under the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP server already running. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='standalone', value='certbot._internal.plugins.standalone:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x7f1c2f226fa0>
Prep: True
......
2025-01-01 01:13:43,818:DEBUG:certbot.display.ops:Validator rejected "" when prompting for "Input the webroot for www.sierracloud.kro.kr:"
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/certbot/display/ops.py", line 339, in _get_validated
    validator(raw)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/webroot.py", line 343, in _validate_webroot
    raise errors.PluginError(webroot_path + " does not exist or is not a directory")
certbot.errors.PluginError:  does not exist or is not a directory
2025-01-01 01:13:43,820:DEBUG:certbot._internal.display.obj:Notifying user:  does not exist or is not a directory
2025-01-01 01:13:52,401:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/webroot.py", line 112, in perform
    self._set_webroots(achalls)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/webroot.py", line 129, in _set_webroots
    new_webroot = self._prompt_for_webroot(achall.domain,
  File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/webroot.py", line 151, in _prompt_for_webroot
    webroot = self._prompt_for_new_webroot(domain, True)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/webroot.py", line 178, in _prompt_for_new_webroot
    raise errors.PluginError(
certbot.errors.PluginError: Every requested domain must have a webroot when using the webroot plugin.

2025-01-01 01:13:52,401:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-01-01 01:13:52,401:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-01-01 01:13:52,402:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2025-01-01 01:13:52,402:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.9/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1600, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/webroot.py", line 112, in perform
    self._set_webroots(achalls)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/webroot.py", line 129, in _set_webroots
    new_webroot = self._prompt_for_webroot(achall.domain,
  File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/webroot.py", line 151, in _prompt_for_webroot
    webroot = self._prompt_for_new_webroot(domain, True)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/webroot.py", line 178, in _prompt_for_new_webroot
    raise errors.PluginError(
certbot.errors.PluginError: Every requested domain must have a webroot when using the webroot plugin.
2025-01-01 01:13:52,404:ERROR:certbot._internal.log:Every requested domain must have a webroot when using the webroot plugin.

사용중인 Apache의 경우 설치시 selinux의 정책에 자동으로 추가 되어 허용 되었지만 certbot이 도메인 인증시 사용되는 80, 443 포트용 프로세스는 selinux에 정책이 등록 되지 않아 차단 되는 것으로 보입니다.
정책 추가보다는 selinux를 통한 제어가 불필요 하기 때문에 비활성화 처리 하도록 하겠습니다.

[root@test ~]# vi /etc/sysconfig/selinux
SELINUX=disabled

[root@test ~]# init 6

# 재기동 이후 selinux 상태 확인
[root@test ~]# sestatus -v
SELinux status:                 disabled

certbot을 통해 Let’s Encrypt 인증서 재생성을 진행해보도록 하겠습니다.

[root@test ~]# sudo certbot certonly --cert-name sierracloud.kro.kr -d www.sierracloud.kro.kr

2025-01-01 01:15:55,925:DEBUG:certbot._internal.main:certbot version: 2.11.0
2025-01-01 01:15:55,926:DEBUG:certbot._internal.main:Location of certbot entry point: /bin/certbot
2025-01-01 01:15:55,926:DEBUG:certbot._internal.main:Arguments: ['--cert-name', 'sierracloud.kro.kr', '-d', 'www.sierracloud.kro.kr', '-v']
2025-01-01 01:15:55,926:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-01-01 01:15:55,932:DEBUG:certbot._internal.log:Root logging level set at 20
2025-01-01 01:15:55,933:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2025-01-01 01:15:55,933:DEBUG:certbot._internal.plugins.selection:Multiple candidate plugins: * standalone
Description: Runs an HTTP server locally which serves the necessary validation files under the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP server already running. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='standalone', value='certbot._internal.plugins.standalone:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x7fbbdcb02fa0>
Prep: True
......
2025-01-01 01:16:06,980:DEBUG:certbot._internal.display.obj:Notifying user:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/sierracloud.kro.kr/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/sierracloud.kro.kr/privkey.pem
This certificate expires on 2025-03-31.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
2025-01-01 01:16:06,982:DEBUG:certbot._internal.display.obj:Notifying user: If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
2025-01-01 01:16:36,715:DEBUG:certbot._internal.main:certbot version: 2.11.0
2025-01-01 01:16:36,715:DEBUG:certbot._internal.main:Location of certbot entry point: /bin/certbot
2025-01-01 01:16:36,715:DEBUG:certbot._internal.main:Arguments: []
2025-01-01 01:16:36,715:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-01-01 01:16:36,722:DEBUG:certbot._internal.log:Root logging level set at 30
2025-01-01 01:16:36,735:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): e5.o.lencr.org:80
2025-01-01 01:16:36,925:DEBUG:urllib3.connectionpool:http://e5.o.lencr.org:80 "POST / HTTP/1.1" 200 345
2025-01-01 01:16:36,926:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/live/sierracloud.kro.kr/cert.pem is signed by the certificate's issuer.
2025-01-01 01:16:36,927:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/sierracloud.kro.kr/cert.pem is: OCSPCertStatus.GOOD
2025-01-01 01:16:36,929:DEBUG:certbot._internal.display.obj:Notifying user: Found the following certs:
  Certificate Name: sierracloud.kro.kr
    Serial Number: 31398fee84f098d5790169b382cc7eb2878
    Key Type: ECDSA
    Domains: www.sierracloud.kro.kr
    Expiry Date: 2025-03-31 15:17:34+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/sierracloud.kro.kr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sierracloud.kro.kr/privkey.pem

실패 없이 완료 되었습니다!

Rocky

Rocky Linux 9.5 NIC IP Setting

댓글 남기기

과거의 RHEL/CentOS 계열 OS에서는 ifcfg-xxx 파일의 Manual한 IP 설정 후 Network Service 또는 ethernet 을 재기동 하여 수동 IP를 반영하였지만 아래와 같이 이제 더이상 network-scripts 하단의 설정 구성 방석은 지원하지 않습니다.

[root@localhost ~]# ll /etc/sysconfig/network-scripts/
total 4
-rw-r--r--. 1 root root 1244 Nov  7 13:30 readme-ifcfg-rh.txt

변경된 방식에 따라 system-connections 하단의 nmconnection 파일을 수정하여 [ipv4] 부분에 수동 IP를 설정하고 nmcli로 반영 하겠습니다.

[root@localhost ~]# ll /etc/NetworkManager/system-connections/
total 4
-rw-------. 1 root root 227 Dec 30 17:19 ens33.nmconnection

[root@localhost ~]# vi /etc/NetworkManager/system-connections/ens33.nmconnection

[ipv4]
method=manual
address1=192.168.0.100/24,192.168.0.1
dns=8.8.8.8

[root@localhost ~]# nmcli connection reload
[root@localhost ~]# nmcli connection up ens33
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)

[root@localhost ~]$ nmcli device show ens33
GENERAL.DEVICE:                         ens33
GENERAL.TYPE:                           ethernet
......
GENERAL.CONNECTION:                     ens33
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/2
WIRED-PROPERTIES.CARRIER:               on
IP4.ADDRESS[1]:                         192.168.0.100/24
IP4.GATEWAY:                            192.168.0.1
IP4.ROUTE[1]:                           dst = 192.168.0.0/24, nh = 0.0.0.0, mt = 100
IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 192.168.0.1, mt = 100
IP4.DNS[1]:                             8.8.8.8

실제 통신이 가능한지 ping 등을 통해 검증하면 끝입니다. 🙂