devops-exercises

"...The organizational and cultural movement that aims to increase software delivery velocity, improve service reliability, and build shared ownership among software stakeholders"

• Collaboration
• Improved delivery
• Security
• Speed
• Scale
• Reliability

• One person is in charge of specific tasks. For example there is only one person who is allowed to merge the code of everyone else into the repository.
• Treating production differently from development environment. For example, not implementing security in development environment
• Not allowing someone to push to production on Friday ;)

• What DevOps teams or engineers should NOT focus on or do?
• Do DevOps teams or engineers have to be innovative or practice innovation as part of their role?

• mature/stable vs. cutting edge
• community size
• architecture aspects - agent vs. agentless, master vs. masterless, etc.
• learning curve

• CI/CD - Jenkins, Circle CI, Travis, Drone, Argo CD, Zuul
• Provisioning infrastructure - Terraform, CloudFormation
• Configuration Management - Ansible, Puppet, Chef
• Monitoring & alerting - Prometheus, Nagios
• Logging - Logstash, Graylog, Fluentd
• Code review - Gerrit, Review Board
• Code coverage - Cobertura, Clover, JaCoCo
• Issue tracking - Jira, Bugzilla
• Containers and Containers Orchestration - Docker, Podman, Kubernetes, Nomad
• Tests - Robot, Serenity, Gauge

• What we gain from doing so? Are there new features in the new platform? Does the new platform deals with some of the limitations presented in the current platform?
• What this suggestion is based on? In other words, did he/she tried out the new platform? Was there extensive technical research?
• What does the switch from one platform to another will require from the organization? For example, training users who use the platform? How much time the team has to invest in such move?

• Version control is the sytem of tracking and managing changes to software code.
• It helps software teams to manage changes to source code over time.
• Version control also helps developers move faster and allows software teams to preserve efficiency and agility as the team scales to include more developers.

• In Git, a commit is a snapshot of your repo at a specific point in time.
• The git commit command will save all staged changes, along with a brief description from the user, in a “commit” to the local repository.

• Merging is Git's way of putting a forked history back together again. The git merge command lets you take the independent lines of development created by git branch and integrate them into a single branch.

• A merge conflict is an event that occurs when Git is unable to automatically resolve differences in code between two commits. When all the changes in the code occur on different lines or in different files, Git will successfully merge commits without your help.

• Use a descriptive commit message
• Make each commit a logical unit
• Incorporate others' changes frequently
• Share your changes frequently
• Coordinate with your co-workers
• Don't commit generated files

Each piece of code (change/patch) is verified, to make the change is safe to merge. Today, it's a common practice to test the change using an automated build that makes sure the code can integrated. It can be one build which runs several tests in different levels (unit, functional, etc.) or several separate builds that all or some has to pass in order for the change to be merged into the repository.

For more info please read here

A complete different answer or CI process, can describe how a developer pushes code to a repository, a workflow then triggered to build a container image and push it to the registry. Once in the registry, the k8s cluster is applied with the new changes.

For more info please read here

• Commit and test often.
• Testing/Staging environment should be a clone of production environment.
• Clean up your environments (e.g. your CI/CD pipelines may create a lot of resources. They should also take care of cleaning up everything they create)
• The CI/CD pipelines should provide the same results when executed locally or remotely
• Treat CI/CD as another application in your organization. Not as a glue code.
• On demand environments instead of pre-allocated resources for CI/CD purposes
• Stages/Steps/Tasks of pipelines should be shared between applications or microservices (don't re-invent common tasks like "cloning a project")

1. App Repository - store them in the same repository of the application they are building or testing (perhaps the most popular one)
2. Central Repository - store all organization's/project's CI/CD pipelines in one separate repository (perhaps the best approach when multiple teams test the same set of projects and they end up having many pipelines)
3. CI repo for every app repo - you separate CI related code from app code but you don't put everything in one place (perhaps the worst option due to the maintenance)
4. The platform where the CI/CD pipelines are being executed (e.g. Kubernetes Cluster in case of Tekton/OpenShift Pipelines).

Both have advantages and disadvantages.With "configuration->deployment" model for example, where you build one image to be used by multiple deployments, there is less chance of deployments being different from one another, so it has a clear advantage of a consistent environment.

In immutable infrastructure paradigm, every change is actually a new infrastructure. So a changeto a server will result in a new server instead of updating it. Terraform is an example of technologywhich follows the immutable infrastructure paradigm.

From the article: "Thus, software distribution is about the mechanism and the community that takes the burden and decisions to build an assemblage of coherent software that can be shipped."

Different distributions can focus on different things like: focus on different environments (server vs. mobile vs. desktop), support specific hardware, specialize in different domains (security, multimedia, ...), etc. Basically, different aspects of the software and what it supports, get different priority in each distribution.

Read more here

• Source - Maintain build script within version control system so that user can build your app after cloning repository. Advantage: User can quickly checkout different versions of application. Disadvantage: requires build tools installed on users machine.
• Archive - collect all your app files into one archive (e.g. tar) and deliver it to the user. Advantage: User gets everything he needs in one file. Disadvantage: Requires repeating the same procedure when updating, not good if there are a lot of dependencies.
• Package - depends on the OS, you can use your OS package format (e.g. in RHEL/Fefodra it's RPM) to deliver your software with a way to install, uninstall and update it using the standard packager commands. Advantages: Package manager takes care of support for installation, uninstallation, updating and dependency management. Disadvantage: Requires managing package repository.
• Images - Either VM or container images where your package is included with everything it needs in order to run successfully. Advantage: everything is preinstalled, it has high degree of environment isolation. Disadvantage: Requires knowledge of building and optimizing images.

• Cathedral - source code released when software is released
• Bazaar - source code is always available publicly (e.g. Linux Kernel)

Caching is fast access to frequently used resources which are computationally expensive or IO intensive and do not change often. There can be several layers of cache that can start from CPU caches to distributed cache systems. Common ones are in memory caching and distributed caching.
Caches are typically data structures that contains some data, such as a hashtable or dictionary. However, any data structure can provide caching capabilities, like set, sorted set, sorted dictionary etc. While, caching is used in many applications, they can create subtle bugs if not implemented correctly or used correctly. For example,cache invalidation, expiration or updating is usually quite challenging and hard.

Stateless applications don't store any data in the host which makes it ideal for horizontal scaling and microservices.Stateful applications depend on the storage to save state and data, typically databases are stateful applications.

Reliability, when used in DevOps context, is the ability of a system to recover from infrastructure failure or disruption. Part of it is also being able to scale based on your organization or team demands.

You should be able to explain those that you mention.

• Simple cron job
• Pipeline with configuration management technology (such Puppet, Ansible, Chef, etc.)...

Read about Chaos Engineering here

IAC (infrastructure as code) is a declerative approach of defining infrastructure or architecture of a system. Some implementations are ARM templates for Azure and Terraform that can work across multiple cloud providers.

• fully automated process of provisioning, modifying and deleting your infrastructure
• version control for your infrastructure which allows you to quickly rollback to previous versions
• validate infrastructure quality and stability with automated tests and code reviews
• makes infrastructure tasks less repetitive

Build artifacts are usually stored in a repository. They can be used in release pipelines for deployment purposes. Usually there is retention period on the build artifacts.

This situation might lead to bugs which hard to identify and reproduce.

To better emphasize the difference, consider creating two virtual instances/servers.In declarative style, you would specify two servers and the tool will figure out how to reach that state.In procedural style, you need to specify the steps to reach the end state of two instances/servers - for example, create a loop and in each iteration of the loop create one instance (running the loop twice of course).

Note: cross-dependency is when you have two or more changes to separate projects and you would like to test them in mutual build instead of testing each change separately.

Read more here

Read more about it here

Read more about it here

Read more about it here

Wrong. No system can guarantee 100% availability as no system is safe from experiencing zero downtime.Many systems and services will fall somewhere between 99% and 100% uptime (or at least this is how most systems and services should be).

Read more about it here

• Old fashioned dashboards with not many options to customize it
• Containers readiness (this has improved with Jenkins X)
• By itself, it doesn't have many features. On the other hand, there many plugins created by the community to expand its abilities
• Managing Jenkins and its piplines as a code can be one hell of a nightmare

Each has its own disadvantages and advantages. Emails for example, if sent too often, can be eventually disregarded or ignored.

• Clone the project
• Install test dependencies (for example, if I need tox package to run the tests, I will install it in this stage)
• Run unit tests
• (Optional) report results (For example an email to the users)
• Archive the relevant logs/files

Jenkins documentation provides some basic intro for securing your Jenkins server.

You can describe the UI way to add new nodes but better to explain how to do in a way that scales like a script or using dynamic source for nodes like one of the existing clouds.

• Testing cross-dependencies (changes from multiple projects together)
• Starting builds from any stage (although Cloudbees implemented something called checkpoints)

Cloud service providers are companies that establish public clouds, manage private clouds, or offer on-demand cloud computing components (also known as cloud computing services) like Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service(SaaS). Cloud services can reduce business process costs when compared to on-premise IT.

• Pay as you go (or consumption-based payment) - you are paying only for what you are using. No upfront payments and payment stops when resources are no longer used.
• Scalable - resources are scaled down or up based on demand

IAAS - Infrastructure as a ServicePAAS - Platform as a ServiceSAAS - Software as a Service

• Public
• Hybrid
• Private

In On-Premise solution, it's quite the opposite. You need to take care of hardware, infrastructure teams and pay for everything which can be quite expensive. On the other hand it's tailored to your needs.

• Serverless Computing is still using servers. So saying there are no servers in serverless computing is completely wrong
• Serverless Computing allows you to have a different paying model. You basically pay only when your functions are running and not when the VM or containers are running as in other payment models

Read more about auto scaling here

False. Auto scaling adjusts capacity and this can mean removing some resources based on usage and performances.

Edge locations are basically content delivery network which caches data and insures lower latency and faster delivery to the users in any location. They are located in major cities in the world.

True.

1. Cost - regions vary in cost and AWS Price List API can assist in calculating the difference in cost between the different regions.
2. Speed
3. Features

Full explanation is hereIn short: it's used for managing users, groups, access policies & roles

True

• Set up MFA
• Delete root account access keys
• Create IAM users instead of using root for daily management

A way for allowing a service of AWS to use another service of AWS. You assign roles to AWS resources.For example, you can make use of a role which allows EC2 service to acesses s3 buckets (read and write).

Policies documents used to give permissions as to what a user, group or role are able to do. Their format is JSON.

There can be several reasons for that. One of them is lack of policy. To solve that, the admin has to attach the user with a policy what allows him to access the s3 bucket.

• Role
• Policy

Only a login access.

"a web service that provides secure, resizable compute capacity in the cloud".Read more here

Amazon Machine Images is "An Amazon Machine Image (AMI) provides the information required to launch an instance".Read more here

• Personal AMIs - AMIs you create
• AWS Marketplace for AMIs - Paid AMIs usually with bundled with licensed software
• Community AMIs - Free

"the instance type that you specify determines the hardware of the host computer used for your instance"Read more about instance types here

False. From the above list only compute optimized is available.

"provides block level storage volumes for use with EC2 instances. EBS volumes behave like raw, unformatted block devices."More on EBS here

On Demand - pay a fixed rate by the hour/second with no commitment. You can provision and terminate it at any given time.Reserved - you get capacity reservation, basically purchase an instance for a fixed time of period. The longer, the cheaper.Spot - Enables you to bid whatever price you want for instances or pay the spot price.Dedicated Hosts - physical EC2 server dedicated for your use.

"A security group acts as a virtual firewall that controls the traffic for one or more instances"More on this subject here

EBS

Learn more about EC2 RI here

AWS Lambda

Read more on it here

False. Charges are being made when the code is executed.

• Python, Ruby, Go

True

Learn more here

Learn more here

Learn more here

More on S3 here

An S3 bucket is a resource which is similar to folders in a file system and allows storing objects, which consist of data.

True

• Folder - any sub folder in an s3 bucket
• Object - The files which are stored in a bucket

• Object Lifecycles - Transfer objects between storage classes based on defined rules of time periods
• Object Sharing - Share objects via a URL link
• Object Versioning - Manage multiple versions of an object

Object Durability: The percent over a one-year time period that a file will not be lostObject Availability: The percent over a one-year time period that a file will be accessible

Glacier Deep Archive

Expedited, Standard and Bulk

False. Unlimited capacity.

"AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage".More on Storage Gateway here

Explained in detail here

Stored Volumes - Data is located at customer's data center and periodically backed up to AWSCached Volumes - Data is stored in AWS cloud and cached at customer's data center for quick access

Learn more here

Learn more here

Learn more here

RPO - The maximum acceptable length of time during which data might be lost from your application due to an incident.

• The Cold Method - Periodically backups and sending the backups off-site
  
• Pilot Light - Data is mirrored to an environment which is always running
• Warm Standby - Running scaled down version of production environment
• Multi-site - Duplicated environment that is always running

Lowest - Multi-siteHighest - The cold method

More on CloudFront here

True

A transport solution which was designed for transferring large amounts of data (petabyte-scale) into and out the AWS cloud.

More on ELB here

• Application LB - layer 7 traffic
• Network LB - ultra-high performances or static IP address
• Classic LB - low costs, good for test or dev environments

More on the shared responsibility model here

False. It is responsible for Hardware in its sites but not for security groups which created and managed by the users.

Learn more about it here

Read more about it here

Learn more here

AWS definition: "AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS."

Learn more here

True

AWS definition: "KMS makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications."More on KMS here

It describes prohibited uses of the web services offered by AWS.More on AWS Acceptable Use Policy here

False. On some services, like EC2, CloudFront and RDS, penetration testing is allowed.

False.

False. Security key is an example of an MFA device.

Learn more here

Learn more here

Learn more here

Learn more here

Learn more here

cloud data warehouse

• You can confirm your suspicion by going to AWS Redshift console and see running queries graph. This should tell you if there are any long-running queries.
• If confirmed, you can query for running queries and cancel the irrelevant queries
• Check for connection leaks (query for running connections and include their IP)
• Check for table locks and kill irrelevant locking sessions

Amazon Elasticache is a fully managed Redis or Memcached in-memory data store.It's great for use cases like two-tier web applications where the most frequently accesses data is stored in ElastiCache so response time is optimal.

A MySQL & Postgresql based relational database. Also, the default database proposed for the user when using RDS for creating a database.Great for use cases like two-tier web applications that has a MySQL or Postgresql database layer and you need automated backups for your application.

Learn more here

EBS

AWS definition: "Amazon RDS Read Replicas provide enhanced performance and durability for RDS database (DB) instances. They make it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads."Read more about here

"A logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define"Read more about it here.

False

True. Just to clarify, a single subnet resides entirely in one AZ.

"component that allows communication between instances in your VPC and the internet" (AWS docs).Read more about it here

True

docs.aws: "A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses."

False. Only one internet gateway can be attached to a single VPC.

False.

Read more about it here and here

Allows you to connect your corporate network to AWS network.

AWS CodeDeploy

CloudFormation

Cognito

Lightsail

Cost Explorer

Trusted Advisor

AWS Snowball

AWS RedShift

VPC

Amazon Aurora

AWS Database Migration Service (DMS)

AWS CloudTrail

AWS RDS

AWS DynamoDB

AWS Rekognition

AWS X-Ray

SNS

AWS Athena

AWS Glue

Amazon GuardDuty

AWS Organizations

AWS WAF

CloudWatch

AWS Inspector

Route 53

Amazon DocumentDB

AWS Cognito

Simple Queue Service (SQS)

AWS Shield

ElastiCache

Amazon S3 Transfer Acceleration

Route 53

Lambda - to define a function that gets an input and returns a certain string
API Gateway - to define the URL trigger (= when you insert the URL, the function is invoked).

Kinesis

More on Route 53 here

More on CloudWatch here

Read more on CloudTrail here

Read more about it here

• Topics - used for grouping multiple endpoints
• Subscribers - the endpoints where topics send messages to
• Publishers - the provider of the message (event, person, ...)

AWS definition: "AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS."More on Organizations here

Learn more here

More on AWS pricing model here

• TCO calculator
• AWS simple calculator
• Cost Explorer

• 24x7 customer service
• Trusted Advisor
• AWS personal Health Dashoard

Learn more here

Learn more here

• Basic, Developer, Business, Enterprise

True. You pay differently based on the chosen region.

AWS Definition: "AWS Infrastructure Event Management is a structured program available to Enterprise Support customers (and Business Support customers for an additional fee) that helps you plan for large-scale events such as product or application launches, infrastructure migrations, and marketing events."

Learn more here

AWS definition: "Lightsail is an easy-to-use cloud platform that offers you everything needed to build an application or website, plus a cost-effective, monthly plan."

Learn more here

Learn more here

Learn more here

Learn more here

AWS definition: "AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture."Learn more here

Learn more about it here

Learn more about AWS Athena here

Learn more here

Learn more about it here

Learn more on Amazon Simple Workflow Service here

Learn more here

Read more here

Learn more here

Learn more here

AWS definition: "AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a browser"

Learn more here

Learn more here

AWS LambdaAWS Athena

Learn more about it here

Ethernet simply refers to the most common type of Local Area Network (LAN) used today. A LAN—in contrast to a WAN (Wide Area Network), which spans a larger geographical area—is a connected network of computers in a small area, like your office, college campus, or even home.

A set of protocols that define how two or more devices can communicate with each other.To learn more about TCP/IP, read here

When a device sends a packet to the broadcast MAC address (FF:FF:FF:FF:FF:FF​), it is delivered to all stations on the local network. It needs to be used in order for all devices to receive your packet at the datalink layer.

An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.An IP address serves two main functions: host or network interface identification and location addressing.

You can read more about the OSI model in penguintutor.com

Multicast: Sending a message to a group of subscribers. It can be one-to-many or many-to-many.

1. Before sending a frame, it checks whether another host already transmitting a frame.
2. If no one transmitting, it starts transmitting the frame.
3. If two hosts transmitted at the same time, we have a collision.
4. Both hosts stop sending the frame and they send to everyone a 'jam signal' notifying everyone that a collision occurred
5. They are waiting for a random time before sending again
6. Once each host waited for a random time, they try to send the frame again and so the

• A client node sends a SYN data packet over an IP network to a server on the same or an external network. The objective of this packet is to ask/infer if the server is open for new connections.
• The target server must have open ports that can accept and initiate new connections. When the server receives the SYN packet from the client node, it responds and returns a confirmation receipt – the ACK packet or SYN/ACK packet.
• The client node receives the SYN/ACK from the server and responds with an ACK packet.

Bonus question: what is the RTT of LAN?

Penguintutor.com provides a good explanation.

A default gateway serves as an access point or IP router that a networked computer uses to send information to a computer in another network or the internet.

Systems keep an ARP look-up table where they store information about what IP addresses are associated with what MAC addresses. When trying to send a packet to an IP address, the system will first consult this table to see if it already knows the MAC address. If there is a value cached, ARP is not used.

Read more here

NAT stands for network address translation. It’s a way to map multiple local private addresses to a public one before transferring the information. Organizations that want multiple devices to employ a single IP address use NAT, as do most home routers.For example, your computer's private IP could be 192.168.1.100, but your router maps the traffic to it's public IP (e.g. 1.1.1.1). Any device on the internet would see the traffic coming from your public IP (1.1.1.1) instead of your private IP (192.168.1.100).

There is also "Management Plane" which refers to monitoring and management functions.

Latency. To have a good latency, a search query should be forwarded to the closest datacenter.

Throughput. To have a good throughput, the upload stream should be routed to an underutilized link.

• Keep caches updated (which means the request could be forwarded not to the closest datacenter)

00110011110100011101

• Hypertext Transfer Protocol (HTTP) - used for the webpages on the internet
• Simple Mail Transfer Protocol (SMTP) - email transmission
• Telecommunications Network - (TELNET) - terminal emulation to allow client access to telnet server
• File Transfer Protocol (FTP) - facilitates transfer of files between any two machines
• Domain Name System (DNS) - domain name translation
• Dynamic Host Configuration Protocol (DHCP) - allocates IP addresses, subnet masks and gateways to hosts
• Simple Network Management Protocol (SNMP) - gathers data of devices on the network

• Internet Protocol (IP) - assists in routing packets from one machine to another
• Internet Control Message Protocol (ICMP) - lets one know what is going such as error messages and debugging information

Read more [here](https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it#:~:text=HTTP%20Strict%20Transport%20Security%20(HSTS,and%20back%20to%20the%20browser.)

The internet refers to network of networks, transferring huge amounts of data around the globe.
The World Wide Web is an application running on millions of server, on top of the internet, accessed through what is know as the web browser

ISP (Internet Service Provider) is the local internet company provider.

• Administration
• Troubleshooting & Debugging
• Storage
• Networking
• Development
• Deployments

• touch - update file's timestamp. More commonly used for creating files
• ls - listing files and directories
• rm - remove files and directories
• cat - create, view and concatenate files
• cp - copy files and directories
• mkdir - create directories
• pwd - print current working directory (= at what path the user currently located)
• cd - change directory

• cd / -> change to the root directory
• cd ~ -> change to your home directory
• cd -> change to your home directory
• cd .. -> change to the directory above your current i.e parent directory
• cd . -> change to the directory you currently in
• cd - -> change to the last visited path

To list all the files, one can run ls -R /dir1

• file permissions, number of links, owner name, owner group, file size, timestamp of last modification and directory/file name

These are files directly not displayed after performing a standard ls direct listing. An example of these files are .bashrc which are used to execute some scripts. Some also store configuration about services on your host like .KUBECONFIG. The command used to list them is, ls -a

myProgram < input.txt > executionOutput.txt

• sed: a stream editor. Can be used for various purposes like replacing a word in a file: sed -i s/salad/burger/g

Using the mv command.

• rm -rf dir
• cat or less
• chmod 777 /tmp/x
• cd ~
• sed -i s/good/great/g /tmp/y

• whereis
• which

echo hello world
echo "hello world"

The echo command receives two separate arguments in the first execution and in the second execution it gets one argument which is the string "hello world". The output will be the same.

Using a pipe in Linux, allows you to send the output of one command to the input of another command. For example: cat /etc/services | wc -l

history command or .bash_history file

Most likely the default/generated $PATH was somehow modified or overridden thus not containing /bin/ where df would normally go.This issue could also happen if bash_profile or any configuration file of your interpreter was wrongly modified, causing erratics behaviours.You would solve this by fixing your $PATH variable:

As to fix it there are several options:

Note: There are many ways of getting errors like this: if bash_profile or any configuration file of your interpreter was wrongly modified; causing erratics behaviours,permissions issues, bad compiled software (if you compiled it by yourself)... there is no answer that will be true 100% of the time.

Alternatively if you are using a distro with systemd it's recommended to use systemd timers.

The root of the filesystem. The beginning of the tree.

• binaries
• configuration files
• home directories of the different users
• files that tend to change and be modified like logs
• temporary files

/tmp folder is cleaned automatically, usually upon reboot.

Using the chmod command.

• setuid is a linux file permission that permits a user to run a file or program with the permissions of the owner of that file. This is possible by elevation of current user privileges.
• setgid is a process when executed will run as the group that owns the file.

• chmod - changes access permissions to files system objects
• chown - changes the owner of file system files and directories
• chgrp - changes the group associated with a file system object

True

• No more disk space
• No more inodes
• No permissions

Depends on the language and settings used.When a script written in Bash fails to run a certain command it will keep running and will execute all other commands mentioned after the command which failed.Most of the time we would actually want the opposite to happen. In order to make Bash exist when a specific command fails, use 'set -e' in your script.

If Python, then using pdb is very useful.

Using the keyword read so for example read x will wait for user input and will store it in the variable x.

x = 2
echo $x

Should be x=2

shuf -i 9999999-99999999 -n 1

[[ $a = 1 ]] && b="yes, equal" || b="nope"

Hardware -> Kernel -> Daemons, System Libraries, Server Display.

journalctl

/var/log

tail -f <file_name>

dstat -t is great for identifying network and disk issues.netstat -tnlaup can be used to see which processes are running on which ports.lsof -i -P can be used for the same purpose as netstat.ngrep -d any metafilter for matching regex against payloads of packets.tcpdump for capturing packetswireshark same concept as tcpdump but with GUI (optional).

dstat -t is great for identifying network and disk issues.opensnoop can be used to see which files are being opened on the system (in real time).

strace is great for understanding what your program does. It prints every system call your program executed.

top will show you how much CPU percentage each process consumesperf is a great choice for sampling profiler and in general, figuring out what your CPU cycles are "wasted" onflamegraphs is great for CPU consumption visualization (http://www.brendangregg.com/flamegraphs.html)

• Check with top for anything unusual
• Run dstat -t to check if it's related to disk or network.
• Check if it's network related with sar
• Check I/O stats with iostat

• Allocating memory
• Schedule processes
• Control CPU

uname -a command

Applications can access system resources and indirectly the kernel space by making what is called "system calls".

An SSH server will have SSH daemon running. Depends on the distribution, you should be able to check whether the service is running (e.g. systemctl status sshd).

Telnet also allows you to connect to a remote host but as opposed to SSH where the communication is encrypted, in telnet, the data is sent in clear text, so it doesn't considered to be secured because anyone on the network can see what exactly is sent, including passwords.

It means that the key of the remote host was changed and doesn't match the one that stored on the machine (in ~/.ssh/known_hosts).

• The ? matches any single character
• The * matches zero or more characters

1. An IP address
2. The word "error" or "failure"
3. Lines which end with a number

lines 1 and 3.

I consider this as a good blog post to read more about it: https://shapeshed.com/unix-exit-codes

Another way to ask this: what happens from the moment you turned on the server until you get a prompt

For each file (and directory) in Linux there is an inode, a data structure which stores meta datarelated to the file like its size, owner, permissions, etc.

File name (it's part of the directory file)

Run mount

cat /proc/mounts

Hard link is the same file, using the same inode.Soft link is a shortcut to another file, using a different inode.

False

True

True.

There are many answers for this question. One way is running df -T

du -sh

False. /tmp is cleared upon system boot while /var/tmp is cleared every a couple of days or not cleared at all (depends on distro).

One can use uptime or top

This article summarizes the load average topic in a great way

pidstat

iostat -xz 1

You can use the commands top and free

sar -n TCP,ETCP 1

ps -ef

You can achieve that by specifying & at the end of the command.As to why, since some commands/processes can take a lot of time to finishexecution or run forever, you may want to run them in the background instead of waiting for them to finish before gaining control again in current session.

To view all available signals run kill -l

A background process. Most of these processes are waiting for requests or set of conditions to be met before actually running anything.Some examples: sshd, crond, rpcbind.

One reason it happens is when a parent process is programmed incorrectly. Every parent process should execute wait() to get the exit code from the child process which finished to run. But when the parent isn't checking for the child exit code, the child process can still exists although it finished to run.

You can also try closing/terminating the parent process. This will make the zombie process a child of init (1) which does periodic cleanups and will at some point clean up the zombie process.

If you mention at any point ps command with arugments, be familiar with what these arguments does exactly.

find /some_dir -iname *.yml -print0 | xargs -0 -r sed -i "s/1/2/g"

The ls executable is built for an incompatible architecture.

You can use the split command this way: split -l 25 some_file

This is a great article on the topic: https://www.computerhope.com/jargon/f/file-descriptor.htm

The loopback interface is a special, virtual network interface that your computer uses to communicate with itself. It is used mainly for diagnostics and troubleshooting, and to connect to servers running on the local machine.

False

Technically, yes.

• SSH - 22
• SMTP - 25
• HTTP - 80
• DNS - 53
• HTTPS - 443

Telnet is a type of client-server protocol that can be used to open a command line on a remote computer, typically a server.By default, all the data sent and received via telnet is transmitted in clear/plain text, therefore it should not be used as it does not encrypt any data between the client and the server.

One way would be ping6 ff02::1

• balance-rr: round robing bonding
• active-backup: a fault tolerance mode where only one is active
• balance-tlb: Adaptive transmit load balancing
• balance-alb: Adaptive load balancing

You can also run hostnamectl or hostname but that might print only a temporary hostname. The one in the file is the permanent one.

• dig
• host
• nslookup

In Fedora/CentOS/RHEL/Rocky it can be done with rpm or dnf commands.In Ubuntu it can be done with the apt command.

Package managers allow you to manage packages lifecycle as in installing, removing and updating the packages.
In addition, you can specify in a spec how a certain package will be installed - where to copy the files, which commands to run prior to the installation, post the installation, etc.

dnf provides /usr/bin/git

Systemd: systemctl enable [service_name] System V: update-rc.d [service_name] and add this line id:5678:respawn:/bin/sh /path/to/app to /etc/inittabUpstart: add Upstart init script at /etc/init/service.conf

1. SSH server is not installed
2. SSH server is not running

Nginx, Apache httpd.

adduser user_name --shell=/bin/false --no-create-homeYou can also add a user and then edit /etc/passwd.

su command.Use su - to switch to root

Re-install the OS IS NOT the right answer :)

Using the last command.

/proc/cpuinfo

dmidecoode

lsblk

True. Only in kernel space they have full access to hardware resources.

• Process ID namespaces: these namespaces include independent set of process IDs
• Mount namespaces: Isolation and control of mountpoints
• Network namespaces: Isolates system networking resources such as routing table, interfaces, ARP table, etc.
• UTS namespaces: Isolate host and domains
• IPC namespaces: Isolates interprocess communications
• User namespaces: Isolate user and group IDs
• Time namespaces: Isolates time machine

True. Inside the namespace it's PID 1 while to the parent namespace the PID is a different one.

False. The opposite is true. Parent PID namespace is aware and has visibility of processes in child PID namespace and child PID namespace has no visibility as to what is going on in the parent PID namespace.

False. Network namespace has its own interfaces and routing table. There is no way (without creating a bridge for example) for one network namespace to reach another.

True

False. In every child user namespace, it's possible to have a separate root user with uid of 0.

In time namespaces processes can use different system time.

From Wikipedia: "AWK is domain-specific language designed for text processing and typically used as a data extraction and reporting tool"

awk '{print $4}' file

awk 'length($0) > 79' file

Using system calls

• A program executes a trap instruction. The instruction jump into the kernel while raising the privileged level to kernel space.
• Once in kernel space, it can perform any privileged operation
• Once it's finished, it calls a "return-from-trap" instruction which returns to user space while reducing back the privilege level to user space.

fork() is used for creating a new process. It does so by cloning the calling process but the child process has its own PID and any memory locks, I/O operations and semaphores are not inherited.

• On success, the PID of the child process in parent and 0 in child process
• On error, -1 in the parent

Not enough memory to create a new process

wait() is used by a parent process to wait for the child process to finish execution.If wait is not used by a parent process then a child process might become a zombie process.

The kernel notifies the parent by sending the SIGCHLD to the parent.

The waitpid() is a non-blocking version of the wait() function.
It also supports using library routine (e.g. system()) to wait a child process without messing up with other children processes for which the process has not waited.

True in most cases though there are cases where wait() returns before the child exits.

It transforms the current running program into another program.
Given the name of an executable and some arguments, it loads the code and static data from the specified executable and overwrites its current code segment and current static code data. After initializing its memory space (like stack and heap) the OS runs the program passing any arguments as the argv of that process.

True
Since a succesful exec replace the current process, it can't return anything to the process that made the call.

fork(), exec() and the wait() system call is also included in this workflow.

Executes a program. The program is passed as a filename (or path) and must be a binary executable or a script.

"Pipes provide a unidirectional interprocess communication channel. A pipe has a read end and a write end. Data written to the write end of a pipe can be read from the read end of the pipe.A pipe is created using pipe(2), which returns two file descriptors, one referring to the read end of the pipe, the other referring to the write end."

• getline() originates in GNU C library and used to read lines from input stream and stores those lines in the buffer

This way provides a lot of flexibility. It allows the shell for example, to run code after the call to fork() but before the call to exec(). Such code can be used to alter the environment of the program it about to run.

The shell figures out, using the PATH variable, where the executable of the command resides in the filesystem. It then calls fork() to create a new child process for running the command. Once the fork was executed successfully, it calls a variant of exec() to execute the command and finally, waits the command to finish using wait(). When the child completes, the shell returns from wait() and prints out the prompt again.

• dd if=/dev/urandom of=new_file.txt bs=2MB count=1
• truncate -s 2M new_file.txt
• fallocate -l 2097152 new_file.txt

open("/my/file") = 5
read(5, "file content")

These system calls are reading the file /my/file and 5 is the file descriptor number.

From wikipedia: a context switch is the process of storing the state of a process or thread, so that it can be restored and resume execution at a later point

Another common way to task this questions is "what part of the tcp header does traceroute modify?"

This is a good article about the topic: https://ops.tips/blog/how-linux-creates-sockets

MemFree - The amount of unused physical RAM in your systemMemAvailable - The amount of available memory for new workloads (without pushing system to use swap) based on MemFree, Active(file), Inactive(file), and SReclaimable.

• Kernel
• Utilities
• Services
• Software/Packages Management

ls, wc, dd, df, du, ps, ip, cp, cd ...

• touch new_file
• echo "" > new_file

$OLDPWD

• ls
• find .
• echo *

A good answer can be found here

X=2 for example. But this will persist to new shells. To have it in new shells as well, use export X=2

It's used in commands to mark the end of commands options. One common example is when used with git to discard local changes: git checkout -- some_file

/dev

GPL v2

"responsible for making it easy to run programs (even allowing you to seemingly run many at the same time), allowing programs to share memory, enabling programs to interact with devices, and other fun stuff like that".

A process is a running program. A program is one or more instructions and the program (or process) is executed by the operating system.

• Create - allow to create new processes
• Delete - allow to remove/destroy processes
• State - allow to check the state of the process, whether it's running, stopped, waiting, etc.
• Stop - allow to stop a running process

• The OS is reading program's code and any additional relevant data
• Program's code is loaded into the memory or more specifically, into the address space of the process.
• Memory is allocated for program's stack (aka run-time stack). The stack also initialized by the OS with data like argv, argc and parameters to main()
• Memory is allocated for program's heap which is required for dynamically allocated data like the data structures linked lists and hash tables
• I/O initialization tasks are performed, like in Unix/Linux based systems where each process has 3 file descriptors (input, output and error)
• OS is running the program, starting from main()

False. It was true in the past but today's operating systems perform lazy loading which means only the relevant pieces required for the process to run are loaded first.

• Running - it's executing instructions
• Ready - it's ready to run but for different reasons it's on hold
• Blocked - it's waiting for some operation to complete. For example I/O disk request

• I/O operations (e.g. Reading from a disk)
• Waiting for a packet from a network

Even when using a system with one physical CPU, it's possible to allow multiple users to work on it and run programs. This is possible with time sharing where computing resources are shared in a way it seems to the user the system has multiple CPUs but in fact it's simply one CPU shared by applying multiprogramming and multi-tasking.

Somewhat the opposite of time sharing. While in time sharing a resource is used for a while by one entity and then the same resource can be used by another resource, in space sharing the space is shared by multiple entities but in a way where it's not being transferred between them.
It's used by one entity until this entity decides to get rid of it. Take for example storage. In storage, a file is yours until you decide to delete it.

CPU scheduler

• Allocating memory
• Schedule processes
• Control CPU

True

Buffer: Reserved place in RAM which is used to hold data for temporary purposesCache: Cache is usually used when processes reading and writing to the disk to make the process faster by making similar data used by different programs easily accessible.

Virtualization uses software to create an abstraction layer over computer hardware that allows the hardware elements of a single computer—processors, memory, storage and more - to be divided into multiple virtual computers, commonly called virtual machines (VMs).

Read more here

Hosted hypervisors and bare-metal hypervisors.

On the other hand, there will probably be some limitation regarding loading (any) drivers so a hosted hypervisor will usually benefit from having a better hardware compatibility.

Operating system virtualizationNetwork functions virtualizationDesktop virtualization

Yes, it's a operating-system-level virtualization, where the kernel is shared and allows to use multiple isolated user-spaces instances.

Role – Ansible roles allows you to group resources based on certain functionality/service such that they can be easily reused. In a role, you have directories for variables, defaults, files, templates, handlers, tasks, and metadata. You can then use the role by simply specifying it in your playbook.

• Agentless
• Minimal run requirements (Python & SSH) and simple to use
• Default mode is "push" (it supports also pull)
• Focus on simpleness and ease-of-use

True. In immutable infrastructure approach, you'll replace infrastructure instead of modifying it.
Ansible rather follows the mutable infrastructure paradigm where it allows you to change the configuration of different components, but this approach is not perfect and has its own disadvantges like "configuration drift" where different components may reach different state for different reasons.

False. It uses a procedural style.

While it's possible to provision resources with Ansible, some prefer to use tools that follow immutable infrastructure paradigm.Ansible doesn't saves state by default. So a task that creates 5 instances for example, when executed again will create additional 5 instances (unlessadditional check is implemented or explicit names are provided) while other tools might check if 5 instances exist. If only 4 exist (by checking the state file for example), one additional instance will be created to reach the end goal of 5 instances.

1. Ansible online docs
2. ansible-doc -l for list of modules and ansible-doc [module_name] for detailed information on a specific module

A dynamic inventory file tracks hosts from one or more sources like cloud providers and CMDB systems.

You should use one when using external sources and especially when the hosts in your environment are being automatically
spun up and shut down, without you tracking every change in these sources.

---
- name: Print information about my host
  hosts: localhost
  gather_facts: 'no'
  tasks:
      - name: Print hostname
        debug:
            msg: "It's me, {{ ansible_hostname }}"

When given a written code, always inspect it thoroughly. If your answer is “this will fail” then you are right. We are using a fact (ansible_hostname), which is a gathered piece of information from the host we are running on. But in this case, we disabled facts gathering (gather_facts: no) so the variable would be undefined which will result in failure.

when the environment variable 'BEST_YEAR' is empty or false.

{{ (certain_variable == 1) | ternary("one", "two") }}

{{ some_string_var | bool }}

A full list can be found at PlayBook Variables . Also, note there is a significant difference between Ansible 1.x and 2.x.

False. Ansible will execute a single task on all hosts before moving to the next task in a play. As for today, it uses 5 forks by default.
This behaviour is described as "strategy" in Ansible and it's configurable.

A strategy in Ansible describes how Ansible will execute the different tasks on the hosts. By default Ansible is using the "Linear strategy" which defines that each task will run on all hosts before proceeding to the next task.

• Linear: the default strategy in Ansible. Run each task on all hosts before proceeding.
• Free: For each host, run all the tasks until the end of the play as soon as possible
• Debug: Run tasks in an interactive way

- name: Some play
  hosts: databases
  serial: 4

If your group has 8 hosts. It will run the whole play on 4 hosts and then the same play on another 4 hosts.

"{{ some_var | type_debug }}"

Terraform.io: "Terraform is an infrastructure as code (IaC) tool that allows you to build, change, and version infrastructure safely and efficiently."

• It follows the immutable infrastructure approach which has benefits like avoiding a configuration drift over time
• Ansible and Puppet are more procedural (you mention what to execute in each step) and Terraform is declarative since you describe the overall desired state and not per resource or task. You can give the example of going from 1 to 2 servers in each tool. In Terraform you specify 2, in Ansible and puppet you have to only provision 1 additional server so you need to explicitly make sure you provision only another one server.

terraform_directoryproviders.tf -> List providers (source, version, etc.)variables.tf -> any variable used in other files such as main.tfmain.tf -> Lists the resources

False. Terraform follows immutable infrastructure paradigm.

A configuration is a root module along with a tree of child modules that are called as dependencies from the root module.

terraform init scans your code to figure which providers are you using and download them.terraform plan will let you see what terraform is about to do before actually doing it.terraform validate checks if configuration is syntactically valid and internally consistent within a directory.terraform apply will provision the resources specified in the .tf files.

HashiCorp: "Terraform uses resource blocks to manage infrastructure, such as virtual networks, compute instances, or higher-level components such as DNS records. Resource blocks represent one or more infrastructure objects in your Terraform configuration."

• resource: keyword for defining a resource
• "aws_instance": the type of the resource
• "web_server": the name of the resource

aws_instance.web_server

True

• Arguments: resource specific configurations
• Attributes: values exposed by the resource in a form of resource_type.resource_name.attribute_name. They are set by the provider or API usually.
• Meta-arguments: Functions of Terraform to change resource's behaviour

terraform.io: "Terraform relies on plugins called "providers" to interact with cloud providers, SaaS providers, and other APIs...Each provider adds a set of resource types and/or data sources that Terraform can manage. Every resource type is implemented by a provider; without providers, Terraform can't manage any kind of infrastructure."

libvirt

Input variables serve as parameters to the module in Terraform. They allow you for example to define once the value of a variable and use that variable in different places in the module so next time you would want to change the value, you will change it in one place instead of changing the value in different places in the module.

variable "app_id" {
  type = string
  description = "The id of application"
  default = "some_value"
}

Usually they are defined in their own file (vars.tf for example).

It doesn't show its value when you run terraform apply or terraform plan but eventually it's still recorded in the state file.

True

• Environment variable
• The file terraform.tfvars
• Using -var or -var-file

It keeps track of the IDs of created resources so that Terraform knows what it's managing.

terraform state mv

As such, tfstate shouldn't be stored in git repositories. secured storage such as secured buckets, is a better option.

• terraform apply file.terraform
• Above command will create tfstate file in the working folder.

• The state is stored by default in a local file named terraform.tfstate.

• Yes, It can also be stored remotely, which works better in a team environment. Given condition that remote location is not publicly accessible since tfstate file contain sensitive information as well. Access to this remote location must be only shared with team members.

• Don't edit it manually. tfstate was designed to be manipulated by terraform and not by users directly.
• Store it in secured location (since it can include credentials and sensitive data in general)
• Backup it regularly so you can roll-back easily when needed
• Store it in remote shared storage. This is especially needed when working in a team and the state can be updated by any of the team members
• Enabled versioning if the storage where you store the state file, supports it. Versioning is great for backups and roll-backs in case of an issue.

To avoid that, Terraform can apply state locking if the backend supports that. For example, AWS s3 supports state locking and consistency via DynamoDB. Often, if the backend support it, Terraform will make use of state locking automatically so nothing is required from the user to activate it.

There is no right or wrong here, but it seems that the overall preferred way is to have a dedicated state file per environment.

You use it this way: variable “my_var” {}

Provisioners

Provisioners used to execute actions on local or remote machine. It's extremely useful in case you provisioned an instance and you want to make a couple of changes in the machine you've created without manually ssh into it after Terraform finished to run and manually run them.

It's a resource which was successfully created but failed during provisioning. Terraform will fail and mark this resource as "tainted".

stringnumberboollist()set()map()object({<ATTR_NAME> = , ... })tuple([, ...])

• you want to reference resources not managed through terraform
• you want to reference resources managed by a different terraform module
• you want to cleanly compute a value with typechecking, such as with aws_iam_policy_document

A Terraform module is a set of Terraform configuration files in a single directory. Modules are small, reusable Terraform configurations that let you manage a group of related resources as if they were a single resource. Even a simple configuration consisting of a single directory with one or more .tf files is a module. When you run Terraform commands directly from such a directory, it is considered the root module. So in this sense, every Terraform configuration is part of a module.

The Terraform Registry provides a centralized location for official and community-managed providers and modules.

Terraform import is used to import existing infrastucture. It allows you to bring resources created by some other means (eg. manually launched cloud resources) and bring it under Terraform management.

resource "aws_instance" "tf_aws_instance" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.micro"

  tags = {
    Name = "import-me"
  }
}

3. Run terraform command terraform import aws_instance.tf_aws_instance i-12345678

Containers are a form of operating system virtualization. A single container might be used to run anything from a small microservice or software process to a larger application. Inside a container are all the necessary executables, binary code, libraries, and configuration files, making them easy to ship and run with same expected results on different machines.

• Containers don't require an entire guest operating system as VMs. Containers share the system's kernel as opposed to VMs. They isolate themselves via the use of namespaces and cgroups
• It usually takes a few seconds to set up a container as opposed to VMs which can take minutes or at least more time than containers as there is an entire OS to boot and initialize as opposed to containers which has share of the underlying OS
• Virtual machines considered to be more secured than containers

• you need a lightweight solution
• Running multiple versions or instances of a single application

• Process ID namespaces: these namespaces include independent set of process IDs
• Mount namespaces: Isolation and control of mountpoints
• Network namespaces: Isolates system networking resources such as routing table, interfaces, ARP table, etc.
• UTS namespaces: Isolate host and domains
• IPC namespaces: Isolates interprocess communications
• User namespaces: Isolate user and group IDs
• Time namespaces: Isolates time machine

Docker CLI passes your request to Docker daemon.Docker daemon downloads the image from Docker HubDocker daemon creates a new container by using the image it downloadedDocker daemon redirects output from container to Docker CLI which redirects it to the standard output

podman run or docker run

Create a new image from a container’s changes

1. To remove one or more Docker images use the docker container rm command followed by the ID of the containers you want to remove.
2. The docker system prune command will remove all stopped containers, all dangling images, and all unused networks
3. docker rm $(docker ps -a -q) - This command will delete all stopped containers. The command docker ps -a -q will return all existing container IDs and pass them to the rm command which will delete them. Any running containers will not be deleted.

Docker can build images automatically by reading the instructions from a Dockerfile. A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image.

COPY takes in a src and destination. It only lets you copy in a local file or directory from your host (the machine building the Docker image) into the Docker image itself.ADD lets you do that too, but it also supports 2 other sources. First, you can use a URL instead of a local file / directory. Secondly, you can extract a tar file from the source directly into the destination.Although ADD and COPY are functionally similar, generally speaking, COPY is preferred. That’s because it’s more transparent than ADD. COPY only supports the basic copying of local files into the container, while ADD has some features (like local-only tar extraction and remote URL support) that are not immediately obvious.

RUN lets you execute commands inside of your Docker image. These commands get executed once at build time and get written into your Docker image as a new layer.CMD is the command the container executes by default when you launch the built image. A Dockerfile can only have one CMD.You could say that CMD is a Docker run-time operation, meaning it’s not something that gets executed at build time. It happens when you run an image. A running image is called a container.

A common answer to this is to use hadolint project which is a linter based on Dockerfile best practices.

For example, you can use it to set up ELK stack where the services are: elasticsearch, logstash and kibana. Each running in its own container.

• Define the services you would like to run together in a docker-compose.yml file
• Run docker-compose up to run the services

Docker Cloud is built on top of the Docker Hub so Docker Cloud providesyou with more options/features compared to Docker Hub. One example isSwarm management which means you can create new swarms in Docker Cloud.

A Docker image is built up from a series of layers. Each layer represents an instruction in the image’s Dockerfile. Each layer except the very last one is read-only.Each layer is only a set of differences from the layer before it. The layers are stacked on top of each other. When you create a new container, you add a new writable layer on top of the underlying layers. This layer is often called the “container layer”. All changes made to the running container, such as writing new files, modifying existing files, and deleting files, are written to this thin writable container layer.The major difference between a container and an image is the top writable layer. All writes to the container that add new or modify existing data are stored in this writable layer. When the container is deleted, the writable layer is also deleted. The underlying image remains unchanged.Because each container has its own writable container layer, and all changes are stored in this container layer, multiple containers can share access to the same underlying image and yet have their own data state.

• You would like to run a certain application in a container on multiple different locations. Sure, if it's 2-3 servers/locations, you can do it by yourself but it can be challenging to scale it up to additional multiple location.
  
• Performing updates and changes across hundreds of containers
  
• Handle cases where the current load requires to scale up (or down)

Read more here

• If you deploy applications using containers and you need to manage scaling, rolling out updates, etc. You probably want to use Kubernetes
• If you manage low level infrastructure or baremetals, Kubernetes is probably not what you need or want

• Pod
• Service
• ReplicationController
• ReplicaSet
• DaemonSet
• Namespace
• ConfigMap...

metadata, kind and apiVersion

Kubectl is the Kubernetes command line tool that allows you to run commands against Kubernetes clusters. For example, you can use kubectl to deploy applications, inspect and manage cluster resources, and view logs.

A node is a virtual or a physical machine that serves as a worker for running the applications.
It's recommended to have at least 3 nodes in a production environment.

• Scheduling applications
• Managing desired state
• Rolling out new updates

kubectl get nodes

False. A Kubernetes cluster consists of at least 1 master and can have 0 workers (although that wouldn't be very useful...)

• API Server - the Kubernetes API. All cluster components communicate through it
• Scheduler - assigns an application with a worker node it can run on
• Controller Manager - cluster maintenance (replications, node failures, etc.)
• etcd - stores cluster configuration

• Kubelet - an agent responsible for node communication with the master.
• Kube-proxy - load balancing traffic between app components
• Container runtime - the engine runs the containers (Podman, Docker, ...)

A Pod is a group of one or more containers, with shared storage and network resources, and a specification for how to run the containers.
Pods are the smallest deployable units of computing that you can create and manage in Kubernetes.

If you are a Kubernetes beginner you should know that this is not a common way to run Pods. The common way is to run a Deployment which in turn runs Pod(s).
In addition, Pods and/or Deployments are usually defined in files rather than executed directly using only the CLI arguments.

Pods are usually indeed not created directly. You'll notice that Pods are usually created as part of another entities such as Deployments or ReplicaSets.
If a Pod dies, Kubernetes will not bring it back. This is why it's more useful for example to define ReplicaSets that will make sure that a given number of Pods will always run, even after a certain Pod dies.

A pod can include multiple containers but in most cases it would probably be one container per pod.

A web application with separate (= in their own containers) logging and monitoring components/adapters is one examples.
A CI/CD pipeline (using Tekton for example) can run multiple containers in one Pod if a Task contains multiple commands.

• Running - The Pod bound to a node and at least one container is running
• Failed - At least one container in the Pod terminated with a failure
• Succeeded - Every container in the Pod terminated with success
• Unknown - Pod's state could not be obtained
• Pending - Containers are not yet running (Perhaps images are still being downloaded or the pod wasn't scheduled yet)

False. By default, pods are non-isolated = pods accept traffic from any source.

False. "Pending" is after the Pod was accepted by the cluster, but the container can't run for different reasons like images not yet downloaded.

kubectl get po

kubectl get pods --all-namespaces

False. A single Pod can run on a single node.

kubectl delete pod pod_name

kubectl get po -o wide

Read more about it here

True.

1. Kubectl sends a request to the API server to create the Pod
2. The Scheduler detects that there is an unassigned Pod (by monitoring the API server)
3. The Scheduler chooses a node to assign the Pod to
4. The Scheduler updates the API server about which node it chose
5. Kubelet (which also monitors the API server) notices there is a Pod assigned to the same node on which it runs and that Pod isn't running
6. Kubelet sends request to the container engine (e.g. Docker) to create and run the containers
7. An update is sent by Kubelet to the API server (notifying it that the Pod is running)

• When you run kubectl describe pods <POD_NAME> it will tell whether the container is running:Status: Running
• Run a command inside the container: kubectl exec web -- ls

 Last State:     Terminated
   Reason:       Error
   Exit Code:    100

Another way to check what's going on, is to run kubectl logs <POD_NAME>. This will provide us with the logs from the containers running in that Pod.

livenessProbe:
  exec:
    command:
    - cat
    - /appStatus
  initialDelaySeconds: 10
  periodSeconds: 5

These lines make use of liveness probe. It's used to restart a container when it reaches a non-desired state.
In this case, if the command cat /appStatus fails, Kubernetes will kill the container and will apply the restart policy. The initialDelaySeconds: 10 means that Kubelet will wait 10 seconds before running the command/probe for the first time. From that point on, it will run it every 5 seconds, as defined with periodSeconds

readinessProbe:
      tcpSocket:
        port: 2017
      initialDelaySeconds: 15
      periodSeconds: 20

They define a readiness probe where the Pod will not be marked as "Ready" before it will be possible to connect to port 2017 of the container. The first check/probe will start after 15 seconds from the moment the container started to run and will continue to run the check/probe every 20 seconds until it will manage to connect to the defined port.

It wasn't able to pull the image specified for running the container(s). This can happen if the client didn't authenticated for example.
More details can be obtained with kubectl describe po <POD_NAME>.

1. The TERM signal is sent to kill the main processes inside the containers of the given Pod
2. Each container is given a period of 30 seconds to shut down the processes gracefully
3. If the grace period expires, the KILL signal is used to kill the processes forcefully and the containers as well

You can read more about it in kubernetes.io

You can read more about it in kubernetes.io

Only containers whose state set to Success will be able to receive requests sent to the Service.

A Deployment is a declarative statement for the desired state for Pods and Replica Sets.

kubectl edit deployment some-deployment

Also, when looking at the replicaset, you'll see the old replica doesn't have any pods and a new replicaset is created.

One way is by specifying the deployment name: kubectl delete deployment [deployment_name]Another way is using the deployment configuration file: kubectl delete -f deployment.yaml

The pod related to the deployment will terminate and the replicaset will be removed.

Using a Service.

"An abstract way to expose an application running on a set of Pods as a network service." - read more here
In simpler words, it allows you to add an internal or external connectivity to a certain application running in a container.

True

More on this topic here

The default is ClusterIP and it's used for exposing a port internally. It's useful when you want to enable internal communication between Pods and prevent any external access.

kubctl describe service <SERVICE_NAME>

kubectl expose rs some-replicaset --name=replicaset-svc --target-port=2017 --type=NodePort

It exposes a ReplicaSet by creating a service called 'replicaset-svc'. The exposed port is 2017 and the service type is NodePort which means it will be reachable externally.

Run kubectl describe service and if the IPs from "Endpoints" match any IPs from the output of kubectl get pod -o wide

Ingress

Read more here

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: someapp-ingress
spec:
  rules:
  - host: my.host
    http:
      paths:
      - backend:
          serviceName: someapp-internal-service
          servicePort: 8080

host is the entry point of the cluster so basically a valid domain address that maps to cluster's node IP address
the http line used for specifying that incoming requests will be forwarded to the internal service using http.
backend is referencing the internal service (serviceName is the name under metadata and servicePort is the port under the ports section).

There are multiple Ingress Controller implementations (the one from Kubernetes is Kubernetes Nginx Ingress Controller).

• Multiple sub-domains (multiple host entries, each with its own service)
• One domain with multiple services (multiple paths where each one is mapped to a different service/application)

kubectl get ingress

It specifies what do with an incoming request to the Kubernetes cluster that isn't mapped to any backend (= no rule to for mapping the request to a service). If the default backend service isn't defined, it's recommended to define so users still see some kind of message instead of nothing or unclear error.

Create Service resource that specifies the name of the default backend as reflected in kubectl desrcibe ingress ... and the port under the ports section.

True

Network Policies

spec:
  replicas: 2
  selector:
    matchLabels:
      type: backend
  template:
    metadata:
      labels:
        type: backend
    spec:
      containers:
      - name: httpd-yup
        image: httpd

It defines a replicaset for Pods whose type is set to "backend" so at any given point of time there will be 2 concurrent Pods running.

In simpler words, a ReplicaSet will ensure the specified number of Pods replicas is running for a selected Pod. If there are more Pods than defined in the ReplicaSet, some will be removed. If there are less than what is defined in the ReplicaSet then, then more replicas will be added.

The ReplicaSet will create a new Pod in order to reach the desired number of replicas.

False. It will terminate one of the Pods to reach the desired state of 2 replicas.

• The client (e.g. kubectl) sends a request to the API server to create a ReplicaSet
• The Controller detects there is a new event requesting for a ReplicaSet
• The controller creates new Pod definitions (the exact number depends on what is defined in the ReplicaSet definition)
• The scheduler detects unassigned Pods and decides to which nodes to assign the Pods. This information sent to the API server
• Kubelet detects that two Pods were assigned to the node it's running on (as it constantly watching the API server)
• Kubelet sends requests to the container engine, to create the containers that are part of the Pod
• Kubelet sends a request to the API server to notify it the Pods were created

kubectl get rs

kubectl delete -f rs.yaml --cascade=false

1

The replicaset web has 2 replicas. It seems that the containers inside the Pod(s) are not yet running since the value of READY is 0. It might be normal since it takes time for some containers to start running and it might be due to an error. Running kubectl describe po POD_NAME or kubectl logs POD_NAME can give us more information.

• Images are still being pulled
• There is an error and the containers can't reach the state "Running"

False. The Pods can be already running and initially they can be created by any object. It doesn't matter for the ReplicaSet and not a requirement for it to acquire and monitor them.

False. It will take care of running the missing Pods.

The field template in spec section is mandatory. It's used by the ReplicaSet to create new Pods when needed.

It will be visible under Events (the very last lines)

True (and not only the Pods but anything else it created).

True. When the label, used by a ReplicaSet in the selector field, removed from a Pod, that Pod no longer controlled by the ReplicaSet and the ReplicaSet will create a new Pod to compensate for the one it "lost".

In simpler words, Network Policies specify how pods are allowed/disallowed to communicate with each other and/or other network endpoints.

• Security: You want to prevent from everyone to communicate with a certain pod for security reasons
• Controling network traffic: You would like to deny network flow between two specific nodes

False. By default pods are non-isolated.

Denied. Both source and destination policies has to allow traffic for it to be allowed.

1. Metadata
2. Specification
3. Status (this automatically generated and added by Kubernetes)

YAML

kubectl get deployment [deployment_name] -o yaml

etcd

True

True

True

Namespaces allow you split your cluster into virtual clusters where you can group your applications in a way that makes sense and is completely separated from the other groups (so you can for example create an app with the same name in two different namespaces)

Another use case for namespaces is one cluster, multiple teams. When multiple teams use the same cluster, they might end up stepping on each others toes. For example if they end up creating an app with the same name it means one of the teams overriden the app of the other team because there can't be too apps in Kubernetes with the same name (in the same namespace).

False. When a namespace is deleted, the resources in that namespace are deleted as well.

• default
• kube-system
• kube-public
• kube-node-lease

• Master and Kubectl processes
• System processes

kubectl get namespaces

• A configmap, which contains cluster information
• Publicely accessible data

kubectl config view | grep namespace

It holds information on hearbeats of nodes. Each node gets an object which holds information about its availability.

Any resource you create while using Kubernetes.

True. With namespaces you can limit CPU, RAM and storage usage.

kubens some-namespace

kubectl create quota some-quota --hard-cpu=2,pods=2

Service.

No, you would have to create separate namespace in y namespace.

apiVersion: v1
kind: ConfigMap
metadata:
  name: some-configmap
data:
  some_url: samurai.jack

It's referencing the service "samurai" in the namespace called "jack".

Volume and Node.

kubectl api-resources --namespaced=true

apiVersion: v1
kind: ConfigMap
metadata:
  name: some-configmap
  namespace: some-namespace

and you can verify with: kubectl get configmap -n some-namespace

kubectl get all | grep [APP_NAME]

Lists the components that doesn't bound to a namespace.

kubectl describe pod pod_name

kubectl exec some-pod -it -- ls

kubectl expose deploy some-deployment --port=80 --target-port=8080

kubectl run nginx --image=nginx --restart=Never --port 80 --expose

kubectl scale deploy some-deployment --replicas=8

kubectl api-resources --namespaced=false

kubectl delete pods --field-selector=status.phase!='Running'

kubectl top pod

Outputs the status of each of the control plane components.

Minikube is a lightweight Kubernetes implementation. It create a local virtual machine and deploys a simple (single node) cluster.

Setting the replicas to 0 will shut down the process. Now start it with kubectl scale deployment [name] --replicas=1