Notes on provisioning, securing and maintaining cloud based resources at Digital Ocean, Google and AWS.

- dotool.sh: Bash functions for creating resources in the Digital Ocean ecosystem.
- nodeholder.sh: Bash functions for creating users and installing applications.
- tetra.sh.enc: personalized Bash functions for securely managing microservices.
The Twelve-Factor App by the Heroku team is a guiding philosophy.
Two methods of virtualization:
- hypervisor for virtual private servers.
- container for containers based off of LXD / LXC, e.g. Docker.
. | Hypervisor | Container |
---|---|---|
KVM | Containers | |
DigitalOcean | Droplets | Kubernetes |
AWS | EC2 | Fargate |

GCP | Digital Ocean | AWS |
---|---|---|
Devops Philosophy | CI/CD | AWS-CICD |
compute | droplet | EC2 |
bucket | spaces | S3/EBS |
images | images | AMI |
volumes | block storage | EFS |
snapshots | snapshots | EBS Snapshot |
network | virtual-network | VPC |
availability | availability | Regions |
HashiCorp was founded by Mitchell Hashimoto, the creator of Vagrant (a 2012 talk shows basic Vagrant usage with Puppet). HashiCorp's products now do the automation, so Puppet, Chef and Ansible are not necessary:
- Terraform: Infrastructure as code for provisioning, compliance, and management of any cloud, infrastructure, and service.
- Vault: Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
- Consul: A multi-cloud service networking platform to connect and secure services across any runtime platform and public or private cloud.
- Nomad: Deploy and Manage Any Containerized, Legacy, or Batch Application. Nomad is an easy-to-use, flexible, and performant workload orchestrator that enables organizations to deploy applications on any infrastructure at scale.
Hashicorp | tetra.sh |
---|---|
terraform | tetra-create-vm-{digocean,google} |
vault | tetra-keys-add-{digocean,google} |
consul | tetra-{start,stop,update} |
nomad | tetra-run |
- certbot for TLS: Instructions for certbot on 20.04.
- acme.sh: pure Bash alternative to certbot.
- Nginx docs cover reverse proxying and SSL certificates. A reverse proxy maps an HTTP/S URL with a domain name to a new domain name and port number.
- Why Docker? and What is a container at docker.com
- Get started Dockerfile: Dockerfile at Docker and best practices
- Glossary: worth a read, especially for layers and overlays.
- Docs on Volumes: the preferred mechanism for data persistence.
- Doc on services: Services are really just “containers in production.”
- Compose files: Run, and scale services with the Docker platform via docker-compose.yml
- Overlay network [driver (bridge, host, overlay, 3rd-party)](https://docs.docker.com/network/#network-drivers) creates a distributed network among multiple Docker daemon hosts.
- Networking: Docker container networking
- There are four major areas to consider when reviewing Docker security.
- remote procedure calls (as opposed to REST or GraphQL requests).
- One-click at digitalocean.com: note the iptables considerations, since Docker manipulates iptables rules to provide network isolation.
- Docker Engine FAQ: Docker frequently asked questions, 9 min read.
- ICANN - Internet Corporation for Assigned Names and Numbers. This is where domain names come from.
- git: Git is version control for software development, written by Linus Torvalds.
- Git From the Bits Up: Join GitHub trainer and evangelist Tim Berglund for a more advanced look at "weird internals stuff" and obscure commands.
- Git Tutorial for Beginners: Command-Line Fundamentals: videos by Corey Schafer.
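The reverse-proxy mapping from the Nginx item above, combined with the iptables point from the Docker one-click item, as an added example that is not part of these notes or of tetra.sh. It assumes a domain app.example.com, certbot's default certificate paths on Ubuntu 20.04, and a container started with `-p 127.0.0.1:3000:3000` so that Docker's iptables rules publish it only on loopback and the public entry point is Nginx on 443.

```nginx
# Added example (not from the page or tetra.sh). Assumed: domain app.example.com,
# certbot certificate layout, container published only on 127.0.0.1:3000.

# Plain HTTP only serves the ACME challenge for certbot and redirects to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name app.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# TLS is terminated here; the container never sees the public interface.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name app.example.com;

    # Paths follow certbot's default /etc/letsencrypt/live/<domain>/ layout.
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff always;

    location / {
        # Maps https://app.example.com/... to the container's port 3000.
        # Because the container is bound to 127.0.0.1, Docker's iptables
        # rules do not expose port 3000 to the internet behind the proxy's back.
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the file with `nginx -t` before reloading, and confirm with `ss -ltnp` that port 3000 is listening on 127.0.0.1 only.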