I have a simple script to deploy a pubsub application.
This script will run on every deploy of my Cloud Run service and I have a line with:
gcloud pubsub topics create some-topic
I want to improve my script if the topic already exist, currently if I run my script, the output will be:
ERROR: Failed to create topic [projects/project-id/topics/some-topic]: Resource already exists in the project (resource=some-topic).
ERROR: (gcloud.pubsub.topics.create) Failed to create the following: [some-topic].
I tried the flag --no-user-output-enabled but no success.
Is there a way to ignore if the resource already exists, or a way to check before create?
Yes.
You can repeat the operation knowing that, if the topic didn't exist beforehand, it will if the command succeeds.
You can swallow stderr (with 2>/dev/null) and then check whether the previous command ($?) succeeded (0):
gcloud pubsub topic create do-something 2>/dev/null
if [ $? -eq 0 ]
then
# Command succeeded, topic did not exist
echo "Topic ${TOPIC} did not exist, created."
else
# Command did not succeed, topic may (!) not have existed
echo "Failure"
fi
NOTE This approach misses the fact that, the command may fail and the topic didn't exist (i.e. some other issue).
Alternatively (more accurately and more expensively!) you can enumerate the topics first and then try (!) to create it if it doesn't exist:
TOPIC="some-topic"
RESULT=$(\
gcloud pubsub topics list \
--filter="name.scope(topics)=${TOPIC}" \
--format="value(name)" 2>/dev/null)
if [ "${RESULT}" == "" ]
then
echo "Topic ${TOPIC} does not exist, creating..."
gcloud pubsub topics create ${TOPIC}
if [ $? -eq 0 ]
then
# Command succeeded, topic created
else
# Command did not succeed, topic was not created
fi
fi
Depending on the complexity of your needs, you can automate using:
any of Google's (Pub/Sub) libraries which provide better error-handling and retry capabilities.
Terraform e.g. google_pubsub_topic
I had this same issue so I thought I'd try to give a full-fledged function to address this. Building on what #DazWilkin posted, below is a bash script that takes 2 inputs
Project you want to point to
Topic/Subscription Name (In this example the topic and subscription names are the same, however, it's quite straightforward to have an additional input be assigned to the subscription name)
The function will:
Check if the current working project is the same. If not it will set it
Check if the topic exists in the project. If not it will attempt to create it and wait for the response
Check if the subscription exists in the project. If not it will also attempt to create it and wait for a response
function create_pubsub() {
# Get Current Project
current_project=$(gcloud config get-value project)
echo "Current Project is: ${current_project}"
# Check if Current project matches the specified project
if [[ "$current_project" != "$1" ]]; then
gcloud config set project $1
else
echo "The project provided matches the current working project"
fi
# Check if topic exists in project
_topic=$(gcloud pubsub topics list \
--filter="name.scope(topics)=$2" \
--format="value(name)" 2>/dev/null)
# React accordingly
if [[ "${_topic}" != "" ]]; then
echo "Topic $2 already exists in project ${current_project}"
else
echo "The topic '$2' does not exist in project ${current_project}. Creating it now..."
gcloud pubsub topics create $2
# Check if command executed successfully
if [ $? -eq 0 ]; then
echo "Topic $2 was created successfully"
else
echo "An error occured. Topic was NOT created"
fi
fi
# Check if subscription exists in project
_subscription=$(gcloud pubsub subscriptions list \
--filter="name=projects/$1/subscriptions/$2" \
--format="value(name)" 2>/dev/null)
# React Accordingly
if [[ "${_subscription}" != "" ]]; then
echo "Subscription $2 already exists in project ${current_project}"
else
echo "The subscription '$2' does not exist in project ${current_project}. Creating it now..."
gcloud pubsub subscriptions create $2 --topic=$2
# Check if command executed successfully
if [ $? -eq 0 ]; then
echo "Subscription $2 was created successfully"
else
echo "An error occured. Subscription was NOT created"
fi
fi
}
After adding this function to your bashrc or zshrc file, the way you would call this function in the terminal would be create_pubsub <PROJECT_ID> <TOPIC_ID>
Hope this is helpful.
Related
I am using Dataproc with 1 job on 1 cluster.
I would like to start my job as soon as the cluster is created. I found that the best way to achieve this is to submit a job using an initialization script like below.
function submit_job() {
echo "Submitting job..."
gcloud dataproc jobs submit pyspark ...
}
export -f submit_job
function check_running() {
echo "checking..."
gcloud dataproc clusters list --region='asia-northeast1' --filter='clusterName = {{ cluster_name }}' |
tail -n 1 |
while read name platform worker_count preemptive_worker_count status others
do
if [ "$status" = "RUNNING" ]; then
return 0
fi
done
}
export -f check_running
function after_initialization() {
local role
role=$(/usr/share/google/get_metadata_value attributes/dataproc-role)
if [[ "${role}" == 'Master' ]]; then
echo "monitoring the cluster..."
while true; do
if check_running; then
submit_job
break
fi
sleep 5
done
fi
}
export -f after_initialization
echo "start monitoring..."
bash -c after_initialization & disown -h
is it possible? When I ran this on Dataproc, a job is not submitted...
Thank you!
Consider to use Dataproc Workflow, it is designed for workflows of multi-steps, creating cluster, submitting job, deleting cluster. It is better than init actions, because it is a first class feature of Dataproc, there will be a Dataproc job resource, and you can view the history.
Please consider to use cloud composer - then you can write a single script that creates the cluster, runs the job and terminates the cluster.
I found a way.
Put a shell script named await_cluster_and_run_command.sh on GCS. Then, add the following codes to the initialization script.
gsutil cp gs://...../await_cluster_and_run_command.sh /usr/local/bin/
chmod 750 /usr/local/bin/await_cluster_and_run_command.sh
nohup /usr/local/bin/await_cluster_and_run_command.sh &>>/var/log/master-post-init.log &
reference: https://github.com/GoogleCloudDataproc/initialization-actions/blob/master/post-init/master-post-init.sh
I am trying to create a TPM-based unlock script using tpm2-tools with instructions from Tevora Secure boot tpm2. I have set up the key, loaded it with cryptsetup luksAddKey secret.bin, then tested it using tpm2_unlock -c 0x81000000 --auth pci:sha1:0,2,3,7 and returns the value of secret.bin. For extra measures, to make sure it works, I loaded secret.bin into "/etc/crypttab", ran # update-initramfs -u -k all, and rebooted. Upon reboot, the system unlocked.
I copied over the following code into "/etc/initramfs-tools/hooks/tpm2"
#!/bin/sh -e
if [ "$1" = "prereqs" ]; then exit 0; fi
. /usr/share/initramfs-tools/hook-functions
copy_exec /usr/local/bin/tpm2_unseal
copy_exec /usr/local/lib/libtss2-tcti-device.so
I appended my etc/crypttab from cryptname UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks to cryptname UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks,keyscript=/usr/local/bin/passphrase-from-tpm
I rewrote the following script because the tpm2-tools command was outdated, edited in the new command, and stored it in /usr/local/bin/passphrase-from-tpm:
#!/bin/sh
set -e
echo "Unlocking via TPM" >&2
export TPM2TOOLS_TCTI="device:/dev/tpm0"
/usr/local/bin/tpm2_unseal -c 0x81000000 --auth pcr:sha1:0,2,3,7
if [ $? -eq 0 ]; then
exit
fi
/lib/cryptsetup/askpass "Unlocking the disk fallback $CRYPTTAB_SOURCE ($CRYPTTAB_NAME)\nEnter passphrase: "
I ran # update-initramfs -u -k all then rebooted. In reboot, I get the following error: /lib/cryptsetup/scripts/passphrase-from-tpm: line 5: /usr/local/bin/tpm2_unseal: not found
I have tried many times to edit passphrase-from-tpm unsuccessfully, including:
Moving both passphrase-from-tpm into "/boot/efi/EFI/BOOT/" and referencing crypttab to that file
Modifying passphrase-from-tpm to use a relative file path to tpm_unseal
Before I figured out how to create a backup linux boot using:
objcopy \
--add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
--add-section .cmdline=cmdline.txt --change-section-vma .cmdline=0x30000 \
--add-section .linux="/boot/vmlinuz" --change-section-vma .linux=0x40000 \
--add-section .initrd="/boot/initrd.img" --change-section-vma .initrd=0x3000000 \
/usr/lib/systemd/boot/efi/linuxx64.efi.stub /boot/EFI/BOOT/BOOT_RECX64.EFI
I would be locked out of the system completely because of the error and had to reinstall Ubuntu about 40 times. I have suffered a lot and want to quit but I am too stubborn to throw in the flag.
just copy tpm2_unseal to /usr/local/bin/
I'm trying to make a working setup following basically those instructions, plus a few others I have found. While not working 100% yet, check that both /etc/initramfs-tools/hooks/tpm2 and /usr/local/bin/passphrase-from-tpm are marked executable (sudo chmod ug+x $filename).
After making the initramfs, you can run the following to ensure that the TPM related files are actually in the image. Replace the path in the filename by whatever update-initramfs said it was generating:
$ lsinitramfs /boot/initrd.img-5.0.0-37-generic | egrep "(tpm|libtss)"
lib/cryptsetup/scripts/passphrase-from-tpm
lib/modules/5.0.0-37-generic/kernel/crypto/asymmetric_keys/tpm_key_parser.ko
lib/modules/5.0.0-37-generic/kernel/crypto/asymmetric_keys/asym_tpm.ko
lib/udev/rules.d/tpm-udev.rules
usr/local/lib/libtss2-sys.so.0
usr/local/lib/libtss2-mu.so.0
usr/local/lib/libtss2-sys.so.0.0.0
usr/local/lib/libtss2-tcti-device.so
usr/local/lib/libtss2-tcti-device.so.0
usr/local/lib/libtss2-tcti-device.so.0.0.0
usr/local/lib/libtss2-mu.so.0.0.0
usr/local/bin/tpm2_unseal
Additionally, I have modified /usr/local/bin/passphrase-from-tpm to the following:
#!/bin/sh
TPM_DEVICE=/dev/tpm0
TPM_REGISTER=0x81000001
TPM_SEAL_POLICY=sha256:0,2,4,7
export TPM2TOOLS_TCTI="device:$TPM_DEVICE"
if [ "$CRYPTTAB_TRIED" -eq 0 ]; then
echo "Unlocking via TPM" >&2
/usr/local/bin/tpm2_unseal -H $TPM_REGISTER -L $TPM_SEAL_POLICY
UNSEAL_STATUS=$?
echo "Unseal status $UNSEAL_STATUS" >&2
if [ $UNSEAL_STATUS -eq 0 ]; then
exit
fi
else
echo "TPM unlocking previously failed for $CRYPTTAB_SOURCE ($CRYPTTAB_NAME)" >&2
/lib/cryptsetup/askpass "Enter passphrase for $CRYPTTAB_SOURCE ($CRYPTTAB_NAME): "
fi
Note that the command line options to tpm2_unseal are for the 3.x versions of tpm2-tools. If you're using another version, you might need to update the options.
I pulled out various bits into variables at the top of the file. Modify TPM_REGISTER and TPM_SEAL_POLICY to match how you created the TPM object. set -e was removed since if any command failed, the whole script would exit, preventing the askpass fallback from ever running if tpm2_unseal failed.
Additionally, I noticed that if the script fails for some reason, systemd will attempt to run it again. If the secret in the TPM doesn't match the LUKS key, this will render the system unbootable, since the unseal succeeds, but unlocking fails, and systemd will run the script again.
Looking at the man page for crypttab, I discovered that one of the environment variables provided to the keyscript is CRYPTTAB_TRIED which is the number of tries it has attempted to unlock the volume. If CRYPTTAB_TRIED is 0, it'll attempt to use the TPM, as shown by this test (Running as non-root, so accessing the TPM device fails):
$ export CRYPTTAB_SOURCE=some_device
$ export CRYPTTAB_NAME=some_device_name
$ export CRYPTTAB_TRIED=0
$ ./passphrase-from-tpm
Unlocking via TPM
ERROR:tcti:src/tss2-tcti/tcti-device.c:440:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: Permission denied
ERROR: tcti init allocation routine failed for library: "device" options: "/dev/tpm0"
ERROR: Could not load tcti, got: "device"
Unseal status 1
When it tries running the script again, CRYPTTAB_TRIED will be greater than 0, making it display the password prompt instead:
$ export CRYPTTAB_TRIED=1
$ ./passphrase-from-tpm
TPM unlocking previously failed for some_device (some_device_name)
Enter passphrase for some_device (some_device_name):
Hopefully this is still of use to you, and helpful to anyone else trying to get the house of cards that is disk encryption with a TPM on Linux working.
I'm using the AWS CodeDeploy platform for automatic deployment of my REST services. The deployment script got a lot of steps that copy/configure/do other staff. If any of the steps fails - the entire deployment fails for this server and I got a clear notification about it. So, the last step I need is a health check - a validation that configuration was appropriate and all is up and running.
Of cause, I can make a couple curl POSTs, parse their results and use some extracted values within more curl POSTs to get some sanity coverage, but all this parsing sounds like a wheel invention.
Is there any convinient testing framework/tool that can be easily "packed" and invoked in scripts without installing a huge testing siutes on each of my production servers?
Given that you're doing REST you probably can rely on the status codes instead of parsing the body. If you get a code that's not in 2xx, then something is wrong.
If you want a more elaborate check you could add a special endpoint that does some DB queries and maybe sends some harmless queries to its integrations.
And the most complicated option would be to implement a smart post-deployment steps that follow some workflow procedure. You'd need either to use an elaborate bash-scripting, or use more advanced programming languages and frameworks (like RestAssured in Java or RestClient in Groovy).
Don't forget to introduce a loop with some timeout that does a health check since your first request may be sent too early while the app is still being deployed.
Here is an example of simple bash-script that checks the status and the version of the app:
#!/usr/bin/env bash
# Helps to define whether application deployment was successful by checking
# connection to HTTP resource. If the page is loaded and the response is 200
# or 201, then the script finishes successfully. In case connection refused
# is or Gateway Timeout (503) the script is trying to connect again within
# timeout period. Otherwise script finishes with fail.
# Needs required parameter url to application and optional parameters timeout
# (by default equals to 180) and artifact version. If artifact version
# parameter is given and the response is 200 or 201, then script also checks
# that # deployed version (gets from $url/version) equals to the passed
# version. If not, the script finishes with fail. Example of usage in bash
# script:
# sh post_deployment_test.sh http://blah.com/version 100 1.0.102-20160404.101644-5
# result=$?
#
# If $result value equals to 0, then connection is successfully established,
# otherwise, it is not established.
url=$1
timeout=$2
version=$3
if [ -z "$timeout" ]; then
timeout=180
fi
counter=0
delay=3
while [ $counter -le $timeout ]; do
command="curl -L -s -o /dev/null -w %{http_code} $url"
echo "Executing: $command"
status_code=$($command)
curl_code=$?
# Curl error code CURLE_COULDNT_CONNECT (7) means fail to connect to host or proxy.
# It occurs, in particular, in case when connection refused.
if [ $curl_code -ne 0 ] && [ $curl_code -ne 7 ]; then
echo "Connection is not established"
exit 1
fi
if [ $curl_code = 7 ] || [ $status_code = 503 ]; then
echo "Connection has not been established yet, because connection refused or service unavailable. Trying to connect again"
sleep $delay
let counter=$counter+$delay
continue
elif [ $status_code = 200 ] || [ $status_code = 201 ]; then
if [ -z "$version" ]; then
echo "Connection is successfully established"
exit 0
else
grep_result=`curl -L -s $url | grep $version`
if [ -z "$grep_result" ]; then
echo `curl -L -s $url`
echo "Deployed version doesn't equal to expected"
exit 1
else
echo "Connection is successfully established"
exit 0
fi
fi
else
echo "Connection is not established"
exit 1
fi
done
echo "Connection is not established"
exit 1
I've found something nice I was looking for: jasmine-node as a test runtime + frisby.js as a validation script tool.
It's both really portable (I just run npm install during the deployment) and really convenient in terms of scripting, e.g.(official example from frisby):
var frisby = require('frisby');
.get('https://api.twitter.com/1/statuses/user_timeline.json?screen_name=brightbit')
.expectStatus(200)
.expectHeaderContains('content-type', 'application/json')
.expectJSON('0', {
place: function(val) { expect(val).toMatchOrBeNull("Oklahoma City, OK"); }, // Custom matcher callback
user: {
verified: false,
location: "Oklahoma City, OK",
url: "http://brightb.it"
}
})
.expectJSONTypes('0', {
id_str: String,
retweeted: Boolean,
in_reply_to_screen_name: function(val) { expect(val).toBeTypeOrNull(String); }, // Custom matcher callback
user: {
verified: Boolean,
location: String,
url: String
}
})
.toss();
I am writing a plugin to check authentication to a https site and then search for a text in the response html,body to confirm successful login. I have created the following plugin
#!/bin/bash
add_uri='--no-check-certificate https://'
end_uri='/'
result=$(wget -O- $add_uri$1$end_uri --post-data=$2)
flag=`echo $result|awk '{print match($0,"QC Domain")}'`;
echo $flag
echo "Nagios refreshes properly1"
if [[ $flag -gt 0 ]] ; then
echo 'ALL SEEMS FINE!!'
exit 0
else
echo 'Some Problem'
exit 2
fi;
When I execute this plugin directly from command line
./check_nhttps <url here> '<very long post data with credential information>'
The plugin works as expected(For both + & - test cases) and there seems to be no issues.
But when the plugin runs from Nagios,
check_command check_nhttps! <url here> '<very long post data with credential information>'
It always shows critical error(Prints else condition text "Some Problem" too).
P.S : Tried sending the post data with double quotes also.
Please help!!!
I'd think its very probable that your post data contains some characters that confuse nagios, maybe a space, or even a !. Better put the post data into some file and use --post-file. Also, you might insert echo "$2" > /tmp/this_is_my_post_data_when_executed_by_nagios into your script and check if the post data is ok.
I have two VOD servers (RTSP) each on a different machine in a local network at home (vlc and Darwin streaming server).
What i am trying to do is a performance test that goes as follows:
* send in 10 requests, 50, then 100.
* redo the same but request multiple files instead of emulating multiple access to a single file.
* output statistics (speed, quality...etc).
What i have right now is OpenRstp which uses "-Q" to output Qos info but it is nowhere near what i need.
What i need is a free tool that can help me with this...all the ones i found (divesifeye and IxLoad) are not free.
Could anyone please suggest something useful?
I found a method that should do. It is based on openRTSP with "-Q" for Qos statistics.
the trick is how to redirect the data to a file as the Qos info only shows up after the feed is cut off. i wrote the following script to manage N-readings of a video feed/playlist. It will create a file that will contain the Qos info.
#!/bin/bash
f_rtsp(){
clear
echo -e "ENTER THE NUMBER OF STREAM USERS:"
echo -n "USER:"
read usr
for((i=1; i <= $usr;i++))
do
exec &> /$HOME/Desktop/results
echo -e "******************************* $i *****************************"
openRTSP -Q rtsp://<url>/<playlist-name>.sdp &
done
}
while : #Loop forever
do
cat <<!
Benchmark.RTSP
1.RTSP consumers
2.EXIT
!
echo -n "YOUR CHOICHE? :"
read choice
case $choice in
1|[rR]) f_rtsp ;;
2|[eE]) exit ;;
*) echo "\"$choice\"is not valid"; sleep 2 ;;
esac
done