https://www.abarrak.com/ Wed, 04 Jun 2025 18:24:53 +0300 Wed, 04 Jun 2025 18:24:53 +0300 Jekyll v4.3.0 <p>     When I was writing <a href="https://github.com/abarrak/expiry_calculator">the expiry calculator</a> gem (extracted from a license management system), the library’s main logic has some sort of integration with <strong>ActiveRecord</strong>, and I needed to verify that the easy way.</p> <p>     Mocking the built-in active record connection pool and tables mapping showed to be cumbersome and may not ideally allow to validate the intended behaviour. Luckily, I found pieces in SO and Github to do the unit testing in few simple steps, with on the fly db (Sqlite). I have put it together in the following guide, polished for <strong>Rspec</strong> with ad-hoc migration methods.</p> <!-- post-excerpt --> <h2 id="steps">Steps</h2> <p><strong>1)</strong> Adding the required libraries in the dev group of our Gem spec file.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="no">Gem</span><span class="o">::</span><span class="no">Specification</span><span class="p">.</span><span class="nf">new</span> <span class="k">do</span> <span class="o">|</span><span class="n">spec</span><span class="o">|</span> <span class="c1"># ..</span> <span class="n">spec</span><span class="p">.</span><span class="nf">add_development_dependency</span> <span class="s2">"activerecord"</span><span class="p">,</span> <span class="s2">"~&gt; 7"</span> <span class="n">spec</span><span class="p">.</span><span class="nf">add_development_dependency</span> <span class="s2">"sqlite3"</span><span class="p">,</span> <span class="s2">"~&gt; 2"</span> <span class="k">end</span> </code></pre></div></div> <p><strong>2.</strong> The db setup logic is extracted in a helper.<br /> Replace <code class="language-plaintext highlighter-rouge">posts</code> with your intended model with the attributes (columns) you need.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># spec/support/db_helper.rb</span> <span class="k">module</span> <span class="nn">TestDbHelper</span> <span class="k">def</span> <span class="nf">establish_coonection</span> <span class="no">ActiveRecord</span><span class="o">::</span><span class="no">Base</span><span class="p">.</span><span class="nf">establish_connection</span> <span class="ss">adapter: </span><span class="s2">"sqlite3"</span><span class="p">,</span> <span class="ss">database: </span><span class="s2">":memory:"</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">up</span> <span class="no">ActiveRecord</span><span class="o">::</span><span class="no">Base</span><span class="p">.</span><span class="nf">connection</span><span class="p">.</span><span class="nf">create_table</span> <span class="ss">:posts</span> <span class="k">do</span> <span class="o">|</span><span class="n">t</span><span class="o">|</span> <span class="n">t</span><span class="p">.</span><span class="nf">integer</span> <span class="ss">:name</span> <span class="n">t</span><span class="p">.</span><span class="nf">date</span> <span class="ss">:ends_at</span> <span class="n">t</span><span class="p">.</span><span class="nf">timestamps</span> <span class="k">end</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">down</span> <span class="no">ActiveRecord</span><span class="o">::</span><span class="no">Base</span><span class="p">.</span><span class="nf">connection</span><span class="p">.</span><span class="nf">drop_table</span> <span class="ss">:posts</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div></div> <p><strong>3.</strong> For convenience, I mixed in the helper in the example and example group classes of <strong>rspec</strong>.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">require</span> <span class="s2">"support/db_helper"</span> <span class="no">RSpec</span><span class="p">.</span><span class="nf">configure</span> <span class="k">do</span> <span class="o">|</span><span class="n">config</span><span class="o">|</span> <span class="c1"># ...</span> <span class="n">config</span><span class="p">.</span><span class="nf">include</span> <span class="no">TestDbHelper</span> <span class="n">config</span><span class="p">.</span><span class="nf">extend</span> <span class="no">TestDbHelper</span> <span class="k">end</span> </code></pre></div></div> <p><strong>4.</strong> Then, we invoke the db functions.<br /> Also we build an anonymous model in <code class="language-plaintext highlighter-rouge">let</code> statements.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="no">RSpec</span><span class="p">.</span><span class="nf">describe</span> <span class="no">MyGemClass</span> <span class="k">do</span> <span class="c1"># ...</span> <span class="n">context</span> <span class="s2">"Arguments"</span> <span class="k">do</span> <span class="n">establish_coonection</span> <span class="n">before</span> <span class="p">{</span> <span class="n">up</span> <span class="p">}</span> <span class="n">after</span> <span class="p">{</span> <span class="n">down</span> <span class="p">}</span> <span class="n">let</span><span class="p">(</span><span class="ss">:model_class</span><span class="p">)</span> <span class="k">do</span> <span class="no">Class</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="no">ActiveRecord</span><span class="o">::</span><span class="no">Base</span><span class="p">)</span> <span class="p">{</span> <span class="nb">self</span><span class="p">.</span><span class="nf">table_name</span> <span class="o">=</span> <span class="s2">"posts"</span> <span class="p">}</span> <span class="k">end</span> <span class="n">let</span><span class="p">(</span><span class="ss">:model</span><span class="p">)</span> <span class="p">{</span> <span class="n">model_class</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="ss">ends_at: </span><span class="no">Date</span><span class="p">.</span><span class="nf">today</span> <span class="o">+</span> <span class="mi">10</span><span class="p">)</span> <span class="p">}</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div></div> <p><strong>5.</strong> Lastly, we use the model to test against in our case (<code class="language-plaintext highlighter-rouge">calculate</code> here).</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">it</span> <span class="s2">"supports active_record parameter with attr accessor"</span> <span class="k">do</span> <span class="n">expect</span><span class="p">(</span><span class="n">subject</span><span class="p">.</span><span class="nf">calculate</span><span class="p">(</span><span class="n">model</span><span class="p">,</span> <span class="ss">:ends_at</span><span class="p">)).</span><span class="nf">to</span> <span class="n">eq</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> <span class="k">end</span> </code></pre></div></div> <p>Done.</p> <p><img src="/public/images/respec-test-ar-models-in-gems.png" class="post-image resize-lg center-image" /></p> Mon, 07 Apr 2025 00:00:00 +0300 https://www.abarrak.com/2025/04/07/testing-active-record-integration-in-libs https://www.abarrak.com/2025/04/07/testing-active-record-integration-in-libs rails activerecord unit testing testing rspec Ruby Rails Active Record Unit Testing <p>This post reviews four main virtualization options in short.<br /></p> <blockquote> 💡 VM technologies are essentially considered by people when addressing on-premise use cases or when building DR for data centers. </blockquote> <h3 id="vmware-virtualization">VMware Virtualization</h3> <ul> <li> <p>Started at (2003).</p> </li> <li> <p>Offers type-1 hypervisor that runs on bare-metal called <span class="key-text">ESXi</span> with minimum disk image footprint (32MB), with resources, storage, and networking capabilities, and UI console <span class="key-text">(DCUI)</span>.</p> </li> </ul> <!-- post-excerpt --> <ul> <li> <p>Includes distributed management system <span class="key-text">(vCenter)</span> for managing ESXi hosts, access control, migration (vMotion), HA, and distrusted resource scheduler (DRS).</p> </li> <li> <p><span class="key-text">vSphere client</span> UI: A web client for managing multiple ESXi hosts and vCenter resources.</p> </li> </ul> <figure> <img src="/public/images/virtualization-1.png" class="post-image-2 resize-md center-image" /> <figcaption>Fig.1: Outline setup for VMware.</figcaption> </figure> <h3 id="kvm">KVM</h3> <ul> <li> <p>Started at (2007).</p> </li> <li> <p>Linux based kernel virtual machines.</p> </li> <li> <p>Free and open-source .</p> </li> <li> <p>Basically, it’s a kernel module that allows the kernel to function as a hypervisor.</p> </li> <li> <p>Originally designed for x86 processors then ported to others (ARM, ESA/390, PowerPC).</p> </li> <li> <p>Supports <span class="key-text">HAV</span> (hardware-assisted virtualization).</p> </li> <li> <p><a href="https://libvirt.org/">Libvirt</a> is an abstraction library which facilitates working with KVM toolchains and its adapters.</p> </li> <li> <p>License: GNU GPL v2.</p> </li> </ul> <figure> <img src="/public/images/virtualization-2.png" class="post-image-2 resize-md center-image" /> <figcaption>Fig.2: KVM Internal Design.</figcaption> </figure> <h3 id="red-hat-virtualization">Red Hat Virtualization</h3> <ul> <li> <p>Started at (2009).</p> </li> <li> <p>An enterprise solution based on Linux KVM.</p> </li> <li> <p>Has integrations with AD and FreeIPA for domain and access control.</p> </li> <li> <p>Servers management UI.</p> </li> <li> <p>Superseded by OpenShift, now in maintenance mode since 2020.</p> </li> </ul> <figure> <img src="/public/images/virtualization-3.png" class="post-image-2 resize-md center-image" /> <figcaption>Fig.3: RedHat virtual manager UI.</figcaption> </figure> <h3 id="hyper-v">Hyper-V</h3> <ul> <li> <p>Started at (2008) by Microsoft.</p> </li> <li> <p>A native hypervisor for x86-64 systems only.</p> </li> <li> <p>Separates VMs using isolated partitions running their guest OSs.</p> </li> <li> <p>A single hyper-v with command line (CMD) is free.</p> </li> <li> <p>Requires <span class="key-text">HAV</span> (hardware-assisted virtualization).</p> </li> </ul> <figure> <img src="/public/images/virtualization-4.png" class="post-image-2 resize-md center-image" /> <figcaption>Fig. 4: Hyper-V overview.</figcaption> </figure> <figure> <img src="/public/images/virtualization-5.png" class="post-image-2 resize-md center-image" /> <figcaption>Fig. 5: Installation screen for Hyper-V 2019.</figcaption> </figure> <h3 id="openstack">OpenStack</h3> <ul> <li>The largest open source cloud infrastructure solution.</li> <li>Split to multiple components such as: <a href="https://docs.openstack.org/cinder/latest/">Cinder</a> (storage), <a href="https://github.com/openstack/nova">Nova</a> (compute), and <a href="https://docs.openstack.org/neutron/latest/">Neutron</a> (networking).</li> <li>OpenStack requires dedicated review for it is own. <br /> <a href="https://www.openstack.org/software/">The main reference</a>, and here’s a <a href="https://blog.purestorage.com/purely-educational/hyper-v-vs-openstack-a-comprehensive-comparison-of-virtualization-platforms/">good comparision article between it and hyper-V</a> for virtualization cases.</li> </ul> <figure> <img src="/public/images/virtualization-6.png" class="post-image-2 resize-md center-image" /> <figcaption>Fig. 6: OpenStack.</figcaption> </figure> <h4 id="takeaway"><b>Takeaway:</b></h4> <p>VMware stands out as enterprise solution for corporate and regularity requirements, especially when the support is a must. Conversely, for small projects and applications, I find KVM-QEMU based setup a good option.</p> <p>Finally, for building on-premise solution on top of open technologies, <strong>OpenStack is the obviously viable option</strong>.</p> Tue, 12 Nov 2024 00:00:00 +0300 https://www.abarrak.com/2024/11/12/virtualization-overview https://www.abarrak.com/2024/11/12/virtualization-overview virtualization Virtualization Operating Systems <p><img src="/public/images/iac-reflections-2.png" class="post-image resize-sm center-image" /></p> <p>This post is a follow up on <a href="/2022/09/23/reflections-on-iac-with-terraform">the previous one</a> where I discussed the concept of infrastructure as code and Terraform. In this post, I will provide few useful notes I took while working on IaC projects, with examples to illustrate the techniques on two of the public providers (AWS / Oracle).</p> <!-- post-excerpt --> <blockquote> 🔖 &nbsp; <b>Note:</b> I'm using whitespace freely to break long lines, which is in most cases not allowed in HCL statements. </blockquote> <h2 id="tips-and-tricks">Tips and Tricks</h2> <ol> <li> <p>Collect informative and actionable details about your environment <a href="https://developer.hashicorp.com/terraform/language/data-sources">using <code class="language-plaintext highlighter-rouge">data</code> blocks</a>.<br /> Seriously no need to hardcode these ids or names, instead using <code class="language-plaintext highlighter-rouge">data</code> blocks is one way to query from the external providers, By that, the automation code quality and modularity increase a bit.</p> <p>Here are examples showing how to query for some network resources.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">data</span> <span class="s">"aws_vpc"</span> <span class="s">"apps"</span> <span class="o">{</span> <span class="n">filter</span> <span class="o">{</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"tag:Name"</span> <span class="n">values</span> <span class="o">=</span> <span class="o">[</span><span class="s">"apps-vpc"</span><span class="o">]</span> <span class="o">}</span> <span class="o">}</span> <span class="n">data</span> <span class="s">"aws_route_tables"</span> <span class="s">"apps"</span> <span class="o">{</span> <span class="n">filter</span> <span class="o">{</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"vpc-id"</span> <span class="n">values</span> <span class="o">=</span> <span class="o">[</span> <span class="n">data</span><span class="o">.</span><span class="na">aws_vpc</span><span class="o">.</span><span class="na">apps_vpc</span><span class="o">.</span><span class="na">id</span> <span class="o">]</span> <span class="o">}</span> <span class="n">filter</span> <span class="o">{</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"tag:Name"</span> <span class="n">values</span> <span class="o">=</span> <span class="o">[</span> <span class="s">"*rt-private-a"</span><span class="o">,</span> <span class="s">"*rt-private-b"</span><span class="o">,</span> <span class="s">"*rt-private-c"</span><span class="o">,</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div> </div> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> data <span class="s2">"oci_core_drgs"</span> <span class="s2">"my_drg"</span> <span class="o">{</span> compartment_id <span class="o">=</span> data.comp.id <span class="o">}</span> </code></pre></div> </div> </li> <li> <p>Introduce variables to dry up and factorize your environment settings.<br /> Conventionally, <code class="language-plaintext highlighter-rouge">variables.tf</code> file describes the specification of the configurable variables <em>(type, default, description)</em>. Then, the variables are set either in <code class="language-plaintext highlighter-rouge">terraform.tfvars</code> file, passed as command arguments, or environment variables.</p> <p>Reference the vars in your code blocks as follows<code class="language-plaintext highlighter-rouge">${vars.my_var}</code>:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="c"># variables.tf</span> variable <span class="s2">"c_id"</span> <span class="o">{</span> <span class="nb">type</span> <span class="o">=</span> string <span class="o">}</span> variable <span class="s2">"routes"</span> <span class="o">{</span> <span class="nb">type</span> <span class="o">=</span> list<span class="o">(</span>string<span class="o">)</span> description <span class="o">=</span> <span class="s2">"VPN routes."</span> default <span class="o">=</span> <span class="o">[]</span> <span class="o">}</span> <span class="c"># tunnel.tf</span> resource <span class="s2">"oci_core_ipsec"</span> <span class="s2">"vpn"</span> <span class="o">{</span> compartment_id <span class="o">=</span> var.c_id static_routes <span class="o">=</span> var.routes <span class="o">}</span> </code></pre></div> </div> </li> <li> <p>Use output to express and state unknown information till after the apply.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="c"># user input</span> output <span class="s2">"vpc_cidr_range"</span> <span class="o">{</span> value <span class="o">=</span> var.vpc_cidr_range description <span class="o">=</span> <span class="s2">"IPs CIDR."</span> <span class="o">}</span> <span class="c"># provisioned resource - aws</span> output <span class="s2">"main_zone_id"</span> <span class="o">{</span> value <span class="o">=</span> try<span class="o">(</span> aws_route53_zone.m.zone_id, <span class="s2">""</span> <span class="o">)</span> <span class="o">}</span> <span class="c"># provisioned resource - oci</span> output <span class="s2">"instances_details"</span> <span class="o">{</span> value <span class="o">=</span> module.i.instances_summary <span class="o">}</span> </code></pre></div> </div> </li> <li> <p>Declare a variable with sensitive flag for masking in logs and execution.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> output <span class="s2">"auth_token"</span> <span class="o">{</span> sensitive <span class="o">=</span> <span class="nb">true </span>value <span class="o">=</span> random_password.p.result <span class="o">}</span> </code></pre></div> </div> </li> <li> <p>Add locals to shorten long configuration parts or variables chain.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> locals <span class="o">{</span> az <span class="o">=</span> data. aws_availability_zone. main.name_suffix db_name <span class="o">=</span> <span class="s2">"</span><span class="k">${</span><span class="nv">var</span><span class="p">.prefix]</span><span class="k">}</span><span class="s2">-db"</span> db_admin_user <span class="o">=</span> <span class="s2">"postgres"</span> conf_id <span class="o">=</span> var.db_config_id tags <span class="o">=</span> merge<span class="o">(</span> tomap<span class="o">({</span> Env <span class="o">=</span> var.env <span class="o">})</span>, var.tags <span class="o">)</span> <span class="o">}</span> </code></pre></div> </div> </li> <li> <p>Revise the variable types: <code class="language-plaintext highlighter-rouge">string</code>, <code class="language-plaintext highlighter-rouge">number</code>, <code class="language-plaintext highlighter-rouge">boolean</code>, <code class="language-plaintext highlighter-rouge">list</code>, <code class="language-plaintext highlighter-rouge">map</code>, and <code class="language-plaintext highlighter-rouge">object</code>.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> variable <span class="s2">"db_ingress_ports"</span> <span class="o">{</span> <span class="nb">type</span> <span class="o">=</span> list<span class="o">(</span>object<span class="o">(</span> <span class="o">{</span> port <span class="o">=</span> string <span class="o">}</span> <span class="o">))</span> <span class="o">}</span> db_ingress_ports <span class="o">=</span> <span class="o">[</span> <span class="o">{</span> port <span class="o">=</span> <span class="s2">"5432"</span> <span class="o">}</span> <span class="o">]</span> </code></pre></div> </div> <p><a href="https://developer.hashicorp.com/terraform/language/expressions/types">Refer to the docs for more.</a></p> </li> <li> <p>Loop through repetitive resources using <code class="language-plaintext highlighter-rouge">count</code> and <code class="language-plaintext highlighter-rouge">count.index</code></p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> resource <span class="s2">"aws_eip"</span> <span class="s2">"eips"</span> <span class="o">{</span> count <span class="o">=</span> 1 tags <span class="o">=</span> merge<span class="o">({</span> <span class="s2">"Name"</span> <span class="o">=</span> <span class="s2">"lb_ip_</span><span class="k">${</span><span class="nv">count</span><span class="p">.index</span><span class="k">}</span><span class="s2">"</span> <span class="o">}</span>, local.tags<span class="o">)</span> <span class="o">}</span> </code></pre></div> </div> </li> <li> <p>Utilize <code class="language-plaintext highlighter-rouge">hashicorp/random</code> module to generate ids or credentials.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> resource <span class="s2">"random_password"</span> <span class="s2">"ec2"</span> <span class="o">{</span> length <span class="o">=</span> 20 special <span class="o">=</span> <span class="nb">true </span>override_special <span class="o">=</span> <span class="s2">"@!-=+"</span> <span class="o">}</span> </code></pre></div> </div> </li> <li> <p>Import child modules into the main module using <code class="language-plaintext highlighter-rouge">source</code> attribute from various sources: <br /> local FS, git repository, github, a url, or the public terraform registry.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="c"># redshift database deployment,</span> <span class="c"># via external module from the</span> <span class="c"># registry.</span> <span class="c">#</span> module <span class="s2">"redshift-db"</span> <span class="o">{</span> <span class="nb">source</span> <span class="o">=</span> <span class="s2">"terraform-aws-modules/redshift/aws"</span> version <span class="o">=</span> <span class="s2">"3.4.1"</span> cluster_identifier <span class="o">=</span> <span class="s2">"rd"</span> cluster_number_of_nodes <span class="o">=</span> 2 cluster_node_type <span class="o">=</span> <span class="s2">"dc2.large"</span> cluster_database_name <span class="o">=</span> <span class="s2">"rd"</span> cluster_master_username <span class="o">=</span> <span class="s2">"rd-user"</span> cluster_master_password <span class="o">=</span> random_password.pass.result encrypted <span class="o">=</span> <span class="nb">true </span>wlm_json_configuration <span class="o">=</span> jsonencode<span class="o">([</span> <span class="o">{</span> auto_wlm <span class="o">=</span> <span class="nb">true</span> <span class="o">}</span> <span class="o">])</span> cluster_iam_roles <span class="o">=</span> <span class="o">[</span> local.s3_role.iam_role_arn <span class="o">]</span> subnets <span class="o">=</span> data.aws_subnets.a enhanced_vpc_routing <span class="o">=</span> <span class="nb">true </span>publicly_accessible <span class="o">=</span> <span class="nb">true </span>vpc_security_group_ids <span class="o">=</span> <span class="o">[]</span> enable_logging <span class="o">=</span> <span class="nb">true </span>tags <span class="o">=</span> <span class="o">{}</span> <span class="o">}</span> </code></pre></div> </div> </li> <li> <p>When using multiple modules structure, variables can be passed around in <code class="language-plaintext highlighter-rouge">module</code> block.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>module <span class="s2">"postgres"</span> <span class="o">{</span> <span class="nb">source</span> <span class="o">=</span> <span class="s2">"../base/oci_pg"</span> tenancy_id <span class="o">=</span> var.tenancy_id db_name <span class="o">=</span> var.postgres_db_name tags <span class="o">=</span> var.tags <span class="c"># etc ...</span> <span class="o">}</span> </code></pre></div> </div> </li> <li> <p>Use <code class="language-plaintext highlighter-rouge">for_each</code> iteration primitives (<code class="language-plaintext highlighter-rouge">.key</code>, <code class="language-plaintext highlighter-rouge">value.*</code>) for granular data structure looping over sets.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># basic looping.</span> data <span class="s2">"aws_subnet"</span> <span class="s2">"subnet"</span> <span class="o">{</span> for_each <span class="o">=</span> toset<span class="o">(</span> data.aws_subnets.all.ids <span class="o">)</span> <span class="nb">id</span> <span class="o">=</span> each.value <span class="o">}</span> <span class="c"># basic looping with mapping.</span> resource <span class="s2">"aws_route53_record"</span> <span class="s2">"cns"</span> <span class="o">{</span> for_each <span class="o">=</span> <span class="o">{</span> <span class="k">for </span>r <span class="k">in </span>var.public_cnames : r[0] <span class="o">=&gt;</span> <span class="o">{</span> target : r[1], ttl : r[2] <span class="o">}</span> <span class="o">}</span> zone_id <span class="o">=</span> aws_route53_zone.main.id <span class="nb">type</span> <span class="o">=</span> <span class="s2">"CNAME"</span> name <span class="o">=</span> each.key ttl <span class="o">=</span> each.value.ttl records <span class="o">=</span> <span class="o">[</span>each.value.target] depends_on <span class="o">=</span> <span class="o">[</span> aws_route53_zone.main <span class="o">]</span> <span class="o">}</span> <span class="c"># advanced example.</span> resource <span class="s2">"aws_route"</span> <span class="s2">"vpn_routes"</span> <span class="o">{</span> for_each <span class="o">=</span> <span class="o">{</span> <span class="k">for </span>i <span class="k">in </span>setproduct<span class="o">(</span> data.aws_route_tables.p.ids, var.vpn_route<span class="o">)</span> : <span class="s2">"rt-entry.</span><span class="k">${</span><span class="nv">i</span><span class="p">[0]</span><span class="k">}</span><span class="s2">.</span><span class="k">${</span><span class="nv">i</span><span class="p">[1]</span><span class="k">}</span><span class="s2">"</span> <span class="o">=&gt;</span> <span class="o">{</span> rt_id <span class="o">=</span> i[0], cidr <span class="o">=</span> i[1] <span class="o">}</span> <span class="o">}</span> gateway_id <span class="o">=</span> aws_vpn_gateway.vgw.id route_table_id <span class="o">=</span> each.value.rt_id destination_cidr_block <span class="o">=</span> each.value.cidr <span class="o">}</span> </code></pre></div> </div> </li> <li> <p>review  the built-in functions of interest to your configurations: <br /> <code class="language-plaintext highlighter-rouge">tolist()</code>, <code class="language-plaintext highlighter-rouge">toset()</code>, <code class="language-plaintext highlighter-rouge">upper()</code>, <code class="language-plaintext highlighter-rouge">join()</code>, <code class="language-plaintext highlighter-rouge">lower()</code>, <code class="language-plaintext highlighter-rouge">max()</code>, <code class="language-plaintext highlighter-rouge">endswith()</code>, <code class="language-plaintext highlighter-rouge">chomp()</code>, <code class="language-plaintext highlighter-rouge">regex()</code>, <code class="language-plaintext highlighter-rouge">map()</code>, <code class="language-plaintext highlighter-rouge">reverse()</code>, <code class="language-plaintext highlighter-rouge">flatten()</code>, <code class="language-plaintext highlighter-rouge">file()</code>, <code class="language-plaintext highlighter-rouge">base64*()</code>, <code class="language-plaintext highlighter-rouge">timestamp()</code>, and much more.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>locals <span class="o">{</span> prefix <span class="o">=</span> lower<span class="o">(</span>var.acc_prefix<span class="o">)</span> <span class="o">}</span> </code></pre></div> </div> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>provider <span class="s2">"kubernetes"</span> <span class="o">{</span> cluster_ca_certificate <span class="o">=</span> base64decode<span class="o">(</span> data.aws_eks_cluster.main. certificate_authority. 0.data <span class="o">)</span> <span class="o">}</span> </code></pre></div> </div> <p>They come in handy and can help solving several problems. <br /><a href="https://developer.hashicorp.com/terraform/language/functions">Refer to the docs here.</a></p> </li> <li> <p>You can add validation rules and message to your module vars in <code class="language-plaintext highlighter-rouge">variables.tf</code>.<br /> Here’s an example:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>variable <span class="s2">"prefix"</span> <span class="o">{</span> <span class="nb">type</span> <span class="o">=</span> string validation <span class="o">{</span> condition <span class="o">=</span> length<span class="o">(</span>var.prefix<span class="o">)</span> &lt; 10 error_message <span class="o">=</span> <span class="s2">"only less than 10 chars."</span> <span class="o">}</span> <span class="o">}</span> variable <span class="s2">"db_storage_iops"</span> <span class="o">{</span> <span class="nb">type</span> <span class="o">=</span> string default <span class="o">=</span> <span class="s2">"300000"</span> validation <span class="o">{</span> condition <span class="o">=</span> contains<span class="o">(</span> <span class="o">[</span><span class="s2">"300000"</span>, <span class="s2">"750000"</span><span class="o">]</span>, var.db_storage_iops <span class="o">)</span> error_message <span class="o">=</span> <span class="s2">"Only IOPS: 300K / 750K."</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div> </div> </li> <li> <p>Use the state CLI command to show, list, or manipulate the state once needed <em>(e.g. checking existing values, importing directly modified items outside IaC, etc.)</em>.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># view the current state items.</span> terraform state list <span class="c"># clean outdated state.</span> terraform state <span class="nb">rm</span> <span class="se">\</span> <span class="s2">"aws_customer_gateway.main"</span> <span class="c"># importing drifted state.</span> terraform import <span class="se">\</span> <span class="s2">"aws_customer_gateway.main"</span> <span class="se">\</span> <span class="s2">"cgw-new-id-XXX"</span> </code></pre></div> </div> </li> <li> <p>Use <code class="language-plaintext highlighter-rouge">terraform console</code> to quickly experiment with <code class="language-plaintext highlighter-rouge">HCL</code> syntax and explore the current module data.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># testing sorting out lists.</span> ❯ terraform console <span class="o">&gt;</span> <span class="o">&gt;</span> tolist<span class="o">(</span>concat<span class="o">(</span><span class="nb">sort</span><span class="o">(</span> <span class="o">[</span><span class="s2">"10.200.18.0/24"</span>, <span class="s2">"10.34.150.0/24"</span>, <span class="s2">"10.10.100.0/25"</span><span class="o">]</span> <span class="o">)))</span> tolist<span class="o">([</span> <span class="s2">"10.10.100.0/25"</span>, <span class="s2">"10.200.18.0/24"</span>, <span class="s2">"10.34.150.0/24"</span>, <span class="o">])</span> <span class="o">&gt;</span> </code></pre></div> </div> </li> </ol> <h3 id="final-thought-">Final Thought ..</h3> <p>Although, terraform and <code class="language-plaintext highlighter-rouge">HCL</code> definition language may have limitation around dynamic behavior sometimes, you will find ways to structure and approach your automation code declaratively, most of the time.</p> Thu, 17 Oct 2024 00:00:00 +0300 https://www.abarrak.com/2024/10/17/reflections-on-iac-with-terraform-2 https://www.abarrak.com/2024/10/17/reflections-on-iac-with-terraform-2 Infrastructure as Code Cloud Computing Linux Automation Automation IaC Cloud <p><img src="/public/images/traefik-1.png" class="post-image resize-sm center-image" /></p> <p>An interesting usecase I have encountered recently is establishing a secure path (bridge) between <a href="https://doc.traefik.io/traefik/">Traefik</a> as ingress controller and its destination backends.</p> <p>The post addresses <code class="language-plaintext highlighter-rouge">traefik</code> usage within Kubernetes, however it is applicable to other setups.</p> <!-- post-excerpt --> <h2 id="case">Case</h2> <p>A flow diagram is probably the way to explain the setup.</p> <p><img src="/public/images/traefik-ingress-passthrough.png" class="post-image-2 resize-sm center-image" /></p> <p>The main routing resource is a CRD that resembles the following snippet.</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">traefik.containo.us/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">IngressRoute</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">web-ingressroute</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">web</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">entryPoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">websecure</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rule</span> <span class="na">match</span><span class="pi">:</span> <span class="s">Host(`web.example.com`)</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backend-svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">web</span> <span class="na">port</span><span class="pi">:</span> <span class="m">443</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">https</span> <span class="na">passHostHeader</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">web-ingressroute-tls</span> </code></pre></div></div> <p>The secret here <code class="language-plaintext highlighter-rouge">web-ingressroute-tls</code> is a standard <code class="language-plaintext highlighter-rouge">tls</code> secret for the external route containing the private key, certificate, and ca certificate. Let’s mark it as secret (1).</p> <p>The target backend is a classic <a href="https://hub.docker.com/_/nginx">sidecar container <strong>“nginx”</strong></a> fronting the main container.</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-conf</span> <span class="na">data</span><span class="pi">:</span> <span class="na">nginx.conf</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">user nginx;</span> <span class="s">worker_processes 3;</span> <span class="s">...</span> <span class="s">http {</span> <span class="s">server {</span> <span class="s">listen 443 ssl;</span> <span class="s">listen [::]:443 ssl;</span> <span class="s">server_name _;</span> <span class="s">ssl_certificate /etc/nginx/ssl/cert.pem;</span> <span class="s">ssl_certificate_key /etc/nginx/ssl/key.pem;</span> <span class="s">location / {</span> <span class="s">proxy_pass http://localhost:80;</span> <span class="s">proxy_http_version 1.1;</span> <span class="s">proxy_set_header X-Forwarded-Host $host;</span> <span class="s">proxy_set_header X-Forwarded-Server $host;</span> <span class="s">proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;</span> <span class="s">proxy_set_header Host $http_host;</span> <span class="s">proxy_set_header X-Forwarded-Proto $scheme;</span> <span class="s">}</span> <span class="s">}</span> <span class="s">}</span> </code></pre></div></div> <p>The pod is exposed using a cluster service <code class="language-plaintext highlighter-rouge">backend-svc</code> as denoted in the ingress-route.</p> <p><code class="language-plaintext highlighter-rouge">backend-tls</code> contains SSL certificate files that <code class="language-plaintext highlighter-rouge">nginx</code> uses and mounts. At the same time, it is intended for <code class="language-plaintext highlighter-rouge">traefik</code> to trust as the target certificate. As expected for internal services, this is an automatically rotated <em>self-signed certificate</em> by an internal issuer or “let’s encrypt”. Here is the second <code class="language-plaintext highlighter-rouge">tls</code> secret (2).</p> <h2 id="initial-approach">Initial Approach</h2> <p>First, most resources out there might guide you to explore setting the TLS options of the route:</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">tls</span><span class="pi">:</span> <span class="na">options</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backend-tls-opts</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">web</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">traefik.containo.us/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">TLSOption</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backend-tls-opts</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">web</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">cipherSuites</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">...</span><span class="pi">]</span> <span class="na">clientAuth</span><span class="pi">:</span> <span class="na">clientAuthType</span><span class="pi">:</span> <span class="s">RequireAndVerifyClientCert</span> <span class="na">secretNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">backend-tls</span> <span class="na">minVersion</span><span class="pi">:</span> <span class="s">VersionTLS12</span> </code></pre></div></div> <p>But that didn’t work. <br /> The router logs shows internal errors (500) when connecting to the upstream (pod IP).</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>traefikee-ingress-proxy-57.. 10.244.0.128 - - <span class="o">[</span>15/Mar/2023:10:45:50 +0000] <span class="s2">"GET / HTTP/2.0"</span> 500 21 <span class="s2">"-"</span> <span class="s2">"-"</span> 2987228 <span class="s2">"web-web-ingressroute-6cd908afc82ca51c00cf@kubernetescrd"</span> <span class="s2">"https://10.244.2.105:443"</span> 2ms </code></pre></div></div> <p>This is despite that <code class="language-plaintext highlighter-rouge">nginx</code> was functioning fine when forwarded locally.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl port-forward svc/backend-svc 8443:443 </code></pre></div></div> <p>Serving requests and SSL/TLS settings were correct. The logs emit success (200) when reached over https. Basically, the backend itself was browsable.</p> <p>After further review, it turns out that <code class="language-plaintext highlighter-rouge">TLSOptions</code> as implemented above was merely for client side certificate when reaching the ingress router, an implementation of <em>mTLS</em> and not our case of <em>TLS passing</em>.</p> <h2 id="solution">Solution</h2> <p><code class="language-plaintext highlighter-rouge">ServersTransport</code> was what is needed to let <code class="language-plaintext highlighter-rouge">traefik</code> trust the backend certificate instead of faulting.</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">ServersTransport</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">web-transport</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">web</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">certificatesSecrets</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">backend-tls</span> <span class="na">rootCAsSecrets</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">backend-tls</span> <span class="na">serverName</span><span class="pi">:</span> <span class="s">web.example.com</span> </code></pre></div></div> <p>And appending to the route:</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">serversTransport</span><span class="pi">:</span> <span class="s">web-transport</span> </code></pre></div></div> <p>Of course you may turn off the destination certificate check by setting <code class="language-plaintext highlighter-rouge">insecureSkipVerify: true</code> but that would defeat the purpose we aim for, an end to end TLS flow (bridging) !</p> Fri, 31 Mar 2023 00:00:00 +0300 https://www.abarrak.com/2023/03/31/e2e-treafik-tls-offloading https://www.abarrak.com/2023/03/31/e2e-treafik-tls-offloading Traefik Ingress Solutions Kubernetes SRE TLS Kubernetes SRE Traefik <p><img src="/public/images/aws-b-lib.png" class="post-image resize-sm center-image" /></p> <p>I have enjoyed reading <a href="https://aws.amazon.com/builders-library/reliability-and-constant-work/">this piece on stability and reliability by Colm MacCárthaigh</a>. It is part of a concise and valuable series by AWS about the art of system operations collected under the name “Amazon Builders’ Library”.</p> <p>The comparison between coffee urn and computers when building reliable operational model is perfect and up to the point. Then, three characteristics taken from this analogy are observed: 1. have a simple constant function that does not scale based on load stress solely, 2. no different modes or operational branching, 3. anti-fragility which is the preparations that hold systems reliable when most needed. The author mentions the coined term for these principles on reliability: <strong>“Constant Work Patterns”</strong>. Route 53 and S3 are presented as use cases that fit and demonstrate the model.</p> <!-- post-excerpt --> <p>The article has references to other content in the library. I would definitely check them out!</p> <p>Finally, thanks to whomever shared this recently <a href="https://news.ycombinator.com/item?id=34103426">on HN</a>!</p> Wed, 28 Dec 2022 00:00:00 +0300 https://www.abarrak.com/2022/12/28/on-aws-builder-lib https://www.abarrak.com/2022/12/28/on-aws-builder-lib Automation SRE System Design Cloud AWS Automation SRE System Design Cloud AWS <p><a href="https://github.com/roboll/helmfile">Helmfile is an orchestrator tool</a> for collecting, building, and deploying cloud-native apps. Basically it’s the packager for helm chart based applications.</p> <p>One of the interesting ideas I came along recently, is utilizing it for working in air-gapped environments, where access to the internet is not feasible.</p> <h2 id="use-case">Use Case</h2> <p>Let’s say you were deploying an application to a Kubernetes cluster. The idea is to package all dependencies and manifests beforehand in a local or control machine, then push the consolidated deployment directory to the offline machine.</p> <p>The diagram below depicts the flow.</p> <p><img src="/public/images/offline-deployment.png" class="post-image-2 resize-md center-image" /></p> <!-- post-excerpt --> <h2 id="example-deployment">Example Deployment</h2> <p>The script below is a custom version of deploying <a href="https://dexidp.io/">Dex</a> in offline mode, as an example.</p> <p>A simplified <code class="language-plaintext highlighter-rouge">helmfile</code> would look like this:</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># helmfile.yaml</span> <span class="na">repositories</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dex</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://charts.dexidp.io</span> <span class="na">helmDefaults</span><span class="pi">:</span> <span class="na">verify</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">wait</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">waitForJobs</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">timeout</span><span class="pi">:</span> <span class="m">600</span> <span class="na">releases</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dex</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">dex</span> <span class="na">createNamespace</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">chart</span><span class="pi">:</span> <span class="s">dex/dex</span> <span class="na">version</span><span class="pi">:</span> <span class="s">0.11.1</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">config</span><span class="pi">:</span> <span class="na">issuer</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">requiredEnv "OIDC_ISSUER"</span> <span class="pi">}}</span> <span class="na">storage</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">kubernetes</span> <span class="na">config</span><span class="pi">:</span> <span class="na">inCluster</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">skipApprovalScreen</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">staticClients</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">connectors</span><span class="pi">:</span> <span class="pi">[]</span> <span class="pi">-</span> <span class="na">ingress</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre></div></div> <p>The following script saves archived version of the chart’s assets inside <code class="language-plaintext highlighter-rouge">./output</code>.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># offline.sh</span> <span class="c">#!/bin/bash</span> <span class="nv">IMAGE_VERSION</span><span class="o">=</span>v2.34.0 <span class="nv">IMAGE</span><span class="o">=</span>ghcr.io/dexidp/dex <span class="nv">CHART_REPO</span><span class="o">=</span>https://charts.dexidp.io <span class="nv">CHART</span><span class="o">=</span>dex/dex <span class="nv">CHART_VERSION</span><span class="o">=</span>0.11.1 docker pull <span class="k">${</span><span class="nv">IMAGE</span><span class="k">}</span>:<span class="k">${</span><span class="nv">IMAGE_VERSION</span><span class="k">}</span> <span class="c"># tagging is optional</span> docker tag registry.local.lan/<span class="k">${</span><span class="nv">IMAGE</span><span class="k">}</span>:<span class="k">${</span><span class="nv">IMAGE_VERSION</span><span class="k">}</span> <span class="se">\</span> <span class="k">${</span><span class="nv">IMAGE</span><span class="k">}</span>:<span class="k">${</span><span class="nv">IMAGE_VERSION</span><span class="k">}</span> docker save registry.local.lan/<span class="o">{</span>IMAGE<span class="o">}</span>:<span class="k">${</span><span class="nv">IMAGE_VERSION</span><span class="k">}</span> <span class="se">\</span> <span class="nt">-o</span> ./output/images/<span class="o">{</span>IMAGE<span class="o">}</span>:<span class="k">${</span><span class="nv">IMAGE_VERSION</span><span class="k">}</span>.tar helm repo add <span class="k">${</span><span class="nv">CHART_REPO</span><span class="k">}</span> helm pull <span class="k">${</span><span class="nv">CHART</span><span class="k">}</span> <span class="nt">--version</span> <span class="k">${</span><span class="nv">CHART_VERSION</span><span class="k">}</span> <span class="nt">--destination</span> ./output/charts/ </code></pre></div></div> <p>Then, it should be a matter of executing the following sequence to prepare the final build directory:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ BUILD_TIME</span><span class="o">=</span><span class="si">$(</span><span class="nb">date</span> +%Y-%d-%m-at-%H-%M<span class="si">)</span> <span class="nv">$ </span>./offline.sh <span class="nv">$ </span><span class="nb">export</span> <span class="si">$(</span><span class="nb">cat</span> .env | xargs<span class="si">)</span> <span class="nv">$ </span>helmfile fetch <span class="nv">$ </span>helmfile build <span class="se">\</span> <span class="o">&gt;</span> ./output/final-<span class="nv">$BUILD_TIME</span>.yml </code></pre></div></div> <p>In case <code class="language-plaintext highlighter-rouge">helmfile</code> binary is not available in the target environment, just template plain manifests.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>helmfile template <span class="se">\</span> <span class="o">&gt;</span> ./output/final-<span class="k">${</span><span class="nv">BUILD_TIME</span><span class="k">}</span>.yml </code></pre></div></div> <p>Finally, on the production node you would run something similar to this:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>docker load <span class="nt">-i</span> ./output/<span class="k">*</span>.tar <span class="nv">$ </span>docker push <span class="nv">$ </span>helmfile <span class="nb">sync</span> <span class="nt">--skip-deps</span> <span class="se">\</span> <span class="nt">-f</span> ./output/final-<span class="k">*</span>.yml </code></pre></div></div> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># In case `helm` is not available:</span> <span class="nv">$ </span>kubectl apply <span class="nt">-f</span> ./output/final-<span class="k">*</span>.yml </code></pre></div></div> <p>As you can see, this method is extensible and can be generalized for any helm-based deployment. For the complete example listing, refer to <a href="https://github.com/abarrak/dex-helmfile-offline">the github repo here.</a></p> <h2 id="conclusion">Conclusion</h2> <p>Certain security or compliance challenges imposed in air-gapped environments can make it hard to deliver cloud native deployments. Luckily, several CNCF projects (<a href="https://goharbor.io/docs/2.1.0/install-config/download-installer/">harbor</a>, <a href="https://docs.ranchermanager.rancher.io/pages-for-subheaders/air-gapped-helm-cli-install">rancher</a>, <a href="https://docs.k3s.io/installation/airgap">k3s</a>, to name few) provide options to tackle such environments. Additionally, the presented approach above is generic for any helm application to be deployed properly in offline mode.</p> Sat, 08 Oct 2022 00:00:00 +0300 https://www.abarrak.com/2022/10/08/using-helmfile-for-offline-deployments https://www.abarrak.com/2022/10/08/using-helmfile-for-offline-deployments Helm Helmfile Kubernetes Air-Gapped Automation Automation Kubernetes Helm Cloud <p><img src="/public/images/iac-reflections.png" class="post-image resize-md center-image" /></p> <p>Terraform has emerged as one of the top open source infrastructure as code (IaC) tools, since its initial release by Hashicorp back in 2014.</p> <p>The design philosophy behind the tool is to have <strong>declarative</strong>, and <strong>stateful</strong> representation for the underlying IT infrastructure (whether it be on public, on-premise, or hybrid cloud), which in turns simplify the control, collaboration, and auditing of the cloud resources.</p> <p>The classical example to show the main idea creating a VM:</p> <!-- post-excerpt --> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>provider <span class="s2">"aws"</span> <span class="o">{</span> <span class="o">}</span> resource <span class="s2">"aws_vpc"</span> <span class="s2">"vpc"</span> <span class="o">{</span> cidr_block <span class="o">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="o">}</span> resource <span class="s2">"aws_instance"</span> <span class="s2">"this"</span> <span class="o">{</span> ami <span class="o">=</span> <span class="s2">"ami-026b57f3c383c2eec"</span> instance_type <span class="o">=</span> <span class="s2">"t2.micro"</span> tags <span class="o">=</span> <span class="o">{</span> Name <span class="o">=</span> <span class="s2">"New example instance"</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>This is not limited to only compute resources, <a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs">many of AWS services are available as well</a>.</p> <h2 id="simplified-workflow">Simplified Workflow</h2> <p>The main workflow is conventionally as follows:</p> <p><img src="/public/images/terraform-diagram.png" class="post-image-2 resize-md center-image" /></p> <p>The flow maps cleanly to CLI commands:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>terraform init terraform plan terraform apply terraform show </code></pre></div></div> <p>Additional linting commands available as well:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>terraform <span class="nb">fmt </span>terraform validate </code></pre></div></div> <p>Disposal of resources is simplified as well (without authoring <code class="language-plaintext highlighter-rouge">.tf</code> manifests):</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>terraform destroy </code></pre></div></div> <h2 id="structure">Structure</h2> <p>It is recommended to factorize input values across environments into <code class="language-plaintext highlighter-rouge">variable</code> blocks. <br /> This enhances for security posture as well, like protecting sensitive data.</p> <p>Moreover, <code class="language-plaintext highlighter-rouge">output</code> blocks provide a way to capture and log information after applying state changes.</p> <p>The minimal structure of managed resources in terraform is shown below:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>tree ├── main.tf ├── outputs.tf ├── terraform.tfstate ├── terraform.tfstate.backup └── variables.tf </code></pre></div></div> <p>The variables and output files are separated to organize things up.</p> <p>The state is tracked in <code class="language-plaintext highlighter-rouge">.tfstate</code> file, and managed internally by Terraform.</p> <h2 id="providers">Providers</h2> <p>The mechanism behind provisioning the intended state of an infrastructure or platform, is performed on by <strong>“providers”</strong>. They are terraform extensions written in <code class="language-plaintext highlighter-rouge">Go</code> language exposing the resource types they implement, and interfacing with the target infrastructure / platform APIs.</p> <pre><code class="language-apl">provider "aws" { region = "us-east-1" } </code></pre> <p>The major providers <a href="https://registry.terraform.io">are available on the public terraform registry</a>, along with many platform agnostic plugins, such as <code class="language-plaintext highlighter-rouge">Helm</code> and <code class="language-plaintext highlighter-rouge">Kubernetes</code>.</p> <p><img src="/public/images/providers-iac.png" class="post-image-2 resize-md center-image" /></p> <p>Here’s an example for a simple helm releasing technique:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>provider <span class="s2">"helm"</span> <span class="o">{</span> kubernetes <span class="o">{</span> <span class="o">}</span> <span class="o">}</span> resource <span class="s2">"helm_release"</span> <span class="s2">"redis"</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"redis-instance"</span> repository <span class="o">=</span> <span class="s2">"https://charts.bitnami.com/bitnami"</span> chart <span class="o">=</span> <span class="s2">"redis"</span> <span class="nb">set</span> <span class="o">{</span> name <span class="o">=</span> <span class="s2">"architecture"</span> value <span class="o">=</span> <span class="s2">"replication"</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <h2 id="terraform-vs-ansible">Terraform v.s. Ansible</h2> <p>Compared to Ansible as an orchestration tool on the infrastructure layer, I find that Terraform overall is more expressive and concise to enable building on modules in much elegant and feasible manner, with the excellent readability of HCL and dependency management of plugins.</p> <p>The state is a major difference to consider here.</p> <p>Ansible takes a stateless approach by always exchanging the desired state with the target resources in order to know the actual state then apply the delta, if needed. On the other hand, Terraform is stateful and manages the state in local or remote manner.</p> <h2 id="summary">Summary</h2> <p>All in all, codifying infra and platform layers <em>(e.g. using terraform)</em> can bring key benefits to organizations in adopting the DevOps practices, leading to operational excellence, eventually.</p> Fri, 23 Sep 2022 00:00:00 +0300 https://www.abarrak.com/2022/09/23/reflections-on-iac-with-terraform https://www.abarrak.com/2022/09/23/reflections-on-iac-with-terraform Infrastructure as Code Cloud Computing Linux Automation Automation IaC Cloud <p><br /> <img src="/public/images/dockerd-ddevmapper-pool-issue.png" class="post-image resize-md center-image" /></p> <h2 id="problem">Problem</h2> <p>Sometimes, when working with docker engine on CI systems, certain type of errors could arise from the challenging restrictions in the environment. This is typical due the inherent server-client architecture in docker.</p> <p>Here’s one of the problems that I’ve seen recently. When a client is connecting to <code class="language-plaintext highlighter-rouge">dockerd</code> in order to build an image or pull external images:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>failed to prepare a4mv4dh8qcq283c7x47a4nwpg: devmapper: Thin Pool has 161986 free data blocks which is less than minimum required 163840 free data blocks. Create more free space in thin pool or use dm.min_free_space option to change behavior </code></pre></div></div> <!-- post-excerpt --> <h2 id="analysis">Analysis</h2> <p>As the log suggests, clearly this is related to the storage limit incurred for the <a href="https://docs.docker.com/storage/storagedriver/device-mapper-driver/">device mapper driver</a>. Here, <code class="language-plaintext highlighter-rouge">Thin Pool</code> needs additional space to create and pull newer images but the limit is exceeded.</p> <p>To diagnose that, check disk usage on the daemon using <code class="language-plaintext highlighter-rouge">df -h</code> or <code class="language-plaintext highlighter-rouge">docker system</code> commands.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>docker system info <span class="nv">$ </span>docker system <span class="nb">df</span> </code></pre></div></div> <h2 id="resolutions">Resolutions</h2> <ol> <li> <p>A workaround is to increase the volume size if you can.</p> </li> <li> <p>Otherwise, you can run clean up procedure of outdated and unnecessary images.<br /> Periodically or through cron tab.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="c"># delete specific images by pattern:</span> <span class="nv">IMAGES</span><span class="o">=</span>my-apps docker images <span class="se">\</span> | <span class="nb">grep</span> <span class="nv">$IMAGES</span> <span class="se">\</span> | <span class="nb">awk</span> <span class="s1">'{print $1 ":" $2}'</span> <span class="se">\</span> | xargs docker rmi </code></pre></div> </div> <p>You can delete by <a href="https://docs.docker.com/engine/reference/commandline/image_prune/#filtering">label/date filtering</a>:</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="c"># delete 6 months old images:</span> docker image prune <span class="nt">-a</span> <span class="se">\</span> <span class="nt">--force</span> <span class="se">\</span> <span class="nt">--filter</span> <span class="s2">"until=4368h"</span> </code></pre></div> </div> <p>You may run <code class="language-plaintext highlighter-rouge">prune</code> to remove all dangling resources (images, containers, etc.)</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code> docker system prune <span class="c"># This will remove all unused images:</span> docker image prune <span class="nt">--all</span> </code></pre></div> </div> </li> </ol> Fri, 18 Feb 2022 00:00:00 +0300 https://www.abarrak.com/2022/02/18/resolving-dockerd-pool-size-less-than-minimum https://www.abarrak.com/2022/02/18/resolving-dockerd-pool-size-less-than-minimum cicd pipelines ddevmapper pool issue dockerd docker Software CICD Docker <p><img src="/public/images/uuids-db.png" class="post-image center-image" /></p> <p>Using universally unique identifiers (UUIDs) for exposed resource identifiers is <a href="https://github.com/eliotsykes/rails-security-checklist#ids">more secure</a>, and <a href="https://tomharrisonjr.com/uuid-or-guid-as-primary-keys-be-careful-7b2aa3dcb439">convenient for database distribution</a>. It is relatively simple to configure Active Record to generate <code class="language-plaintext highlighter-rouge">UUID</code> primary keys in migrations.</p> <h2 id="setup">Setup</h2> <p>Here are the steps:</p> <ol> <li> <p>Setup the default generation inside <code class="language-plaintext highlighter-rouge">config/application.rb</code>:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="c1"># config/application.rb</span> <span class="k">module</span> <span class="nn">SampleApp</span> <span class="k">class</span> <span class="nc">Application</span> <span class="o">&lt;</span> <span class="no">Rails</span><span class="o">::</span><span class="no">Application</span> <span class="o">...</span> <span class="c1"># Change the primary key</span> <span class="c1"># default type to UUIDs.</span> <span class="n">config</span><span class="p">.</span><span class="nf">generators</span> <span class="k">do</span> <span class="o">|</span><span class="n">g</span><span class="o">|</span> <span class="n">g</span><span class="p">.</span><span class="nf">orm</span> <span class="ss">:active_record</span><span class="p">,</span> <span class="ss">primary_key_type: :uuid</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div> </div> <p><!-- post-excerpt --></p> </li> <li> <p>Enable the database support:</p> </li> </ol> <ul> <li> <p>PostgresSQL:</p> <p>Enable <code class="language-plaintext highlighter-rouge">uuid-ossp</code> extension for random <code class="language-plaintext highlighter-rouge">:uuid</code> generation at the DB level.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="c1"># db/migrations/xxxxx_enable_uuid_ossp_extension.rb.rb</span> <span class="k">class</span> <span class="nc">EnableUuidOsspExtension</span> <span class="o">&lt;</span> <span class="no">ActiveRecord</span><span class="o">::</span><span class="no">Migration</span><span class="p">[</span><span class="mf">5.2</span><span class="p">]</span> <span class="k">def</span> <span class="nf">change</span> <span class="n">enable_extension</span> <span class="s1">'uuid-ossp'</span> <span class="k">unless</span> <span class="n">extension_enabled?</span><span class="p">(</span><span class="s2">"uuid-ossp"</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div> </div> <p>For new Postgres versions ( &gt;= 9.4), <code class="language-plaintext highlighter-rouge">pgcrypto</code> extension can be used alternatively.</p> </li> <li> <p>SQLite:</p> <p>As <code class="language-plaintext highlighter-rouge">UUID</code> is not naively available in SQLite.</p> <p>A workaround is to utilize generic <code class="language-plaintext highlighter-rouge">varchar</code> or <code class="language-plaintext highlighter-rouge">blob(16)</code> columns instead. <a href="https://stackoverflow.com/a/52032839">Some people have reported</a> they needed to load the adapter file in order for it to work.</p> </li> <li> <p>SQL Server:</p> <p>Has <code class="language-plaintext highlighter-rouge">:uuid</code> native support (through <code class="language-plaintext highlighter-rouge">uniqueidentifier</code> column type) with the generator.</p> </li> </ul> <p><br /> Now newly generated tables will use <code class="language-plaintext highlighter-rouge">:uuid</code> by default for primary keys.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># db/migrations/xxxxx_create_customers.rb</span> <span class="k">class</span> <span class="nc">CreateCustomers</span> <span class="o">&lt;</span> <span class="no">ActiveRecord</span><span class="o">::</span><span class="no">Migration</span><span class="p">[</span><span class="mf">5.2</span><span class="p">]</span> <span class="k">def</span> <span class="nf">change</span> <span class="n">create_table</span> <span class="ss">:customers</span><span class="p">,</span> <span class="ss">id: :uuid</span> <span class="k">do</span> <span class="o">|</span><span class="n">t</span><span class="o">|</span> <span class="n">t</span><span class="p">.</span><span class="nf">string</span> <span class="ss">:full_name</span><span class="p">,</span> <span class="ss">null: </span><span class="kp">false</span><span class="p">,</span> <span class="ss">index: </span><span class="kp">true</span> <span class="n">t</span><span class="p">.</span><span class="nf">string</span> <span class="ss">:email</span><span class="p">,</span> <span class="ss">index: </span><span class="kp">true</span> <span class="n">t</span><span class="p">.</span><span class="nf">uuid</span> <span class="ss">:ceeated_by</span><span class="p">,</span> <span class="ss">null: </span><span class="kp">false</span> <span class="n">t</span><span class="p">.</span><span class="nf">uuid</span> <span class="ss">:updated_by</span><span class="p">,</span> <span class="ss">null: </span><span class="kp">true</span> <span class="n">t</span><span class="p">.</span><span class="nf">timestamps</span> <span class="k">end</span> <span class="n">add_foreign_key</span> <span class="ss">:customers</span><span class="p">,</span> <span class="ss">:users</span><span class="p">,</span> <span class="ss">column: :created_by</span> <span class="n">add_foreign_key</span> <span class="ss">:customers</span><span class="p">,</span> <span class="ss">:users</span><span class="p">,</span> <span class="ss">column: :updated_by</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div></div> <p>The snippet above shows <code class="language-plaintext highlighter-rouge">:uuid</code> type usage for other non-primary key columns too.</p> <p>In case you don’t require <code class="language-plaintext highlighter-rouge">UUID</code> key type, it’s possible to get the <code class="language-plaintext highlighter-rouge">integer</code> or <code class="language-plaintext highlighter-rouge">bigint</code> types back again:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">create_table</span> <span class="ss">:cities</span><span class="p">,</span> <span class="ss">id: :integer</span> <span class="k">do</span> <span class="o">|</span><span class="n">t</span><span class="o">|</span> <span class="n">t</span><span class="p">.</span><span class="nf">string</span> <span class="ss">:name</span> <span class="n">t</span><span class="p">.</span><span class="nf">float</span> <span class="ss">:population</span> <span class="k">end</span> </code></pre></div></div> <h2 id="ordering-results">Ordering Results</h2> <p>A drawback of querying UUID-based tables is that ordering is not inferred as with the sequential keys. We have to set it up using default ordering scope, easily:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># app/models/customer.rb</span> <span class="k">class</span> <span class="nc">Customer</span> <span class="o">&lt;</span> <span class="no">ApplicationRecord</span> <span class="o">...</span> <span class="n">default_scope</span> <span class="o">-&gt;</span> <span class="p">{</span> <span class="n">order</span><span class="p">(</span><span class="ss">created_at: :asc</span><span class="p">)</span> <span class="p">}</span> <span class="k">end</span> </code></pre></div></div> <p>Ensure that indices on <code class="language-plaintext highlighter-rouge">created_at</code> columns already added for boosted performance.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># db/migrations/xxxxx_add_created_at_indices.rb</span> <span class="k">class</span> <span class="nc">AddCreatedAtIndices</span> <span class="o">&lt;</span> <span class="no">ActiveRecord</span><span class="o">::</span><span class="no">Migration</span><span class="p">[</span><span class="mf">5.2</span><span class="p">]</span> <span class="k">def</span> <span class="nf">change</span> <span class="n">add_index</span> <span class="ss">:customers</span><span class="p">,</span> <span class="ss">:created_at</span> <span class="n">add_index</span> <span class="ss">:surveys</span><span class="p">,</span> <span class="ss">:created_at</span> <span class="n">add_index</span> <span class="ss">:more_info</span><span class="p">,</span> <span class="ss">:created_at</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div></div> <p>Keep in mind the additional storage cost of <code class="language-plaintext highlighter-rouge">:uuid</code> keys compared to sequential ones, which requires balancing the trade-offs when designing your data models.</p> Fri, 24 May 2019 00:00:00 +0300 https://www.abarrak.com/2019/05/24/uuid-primary-key-for-active-record-models https://www.abarrak.com/2019/05/24/uuid-primary-key-for-active-record-models Active Record UUID Primary Key Postgres Ruby Rails Software Ruby Rails Active Record <p><img src="/public/images/opt-img.jpg" class="post-image resize-md center-image" /></p> <p>In many times you may need to optimze rapidly a bunch of images at your hands. There are handy utilities that can help you reduce image sizes with simple commands in the terminal. The following lists some of these tools:</p> <h3 id="1-optipng-advanced-png-optimizer"><a href="http://optipng.sourceforge.net/">1. OptiPNG: Advanced PNG Optimizer</a>:</h3> <p>Get it for Mac OS X:</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>brew <span class="nb">install </span>optipng </code></pre></div></div> <p>For Linux Ubuntu:</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt-get <span class="nb">install </span>optipng </code></pre></div></div> <p>To optimize an image, run:</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>optipng &lt;img-name&gt;.png </code></pre></div></div> <!-- post-excerpt --> <p>To wildcard all images recursively in the current directory and sub directories:</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>find <span class="nb">.</span> <span class="nt">-iname</span> <span class="s2">"*.png"</span> <span class="nt">-exec</span> optipng <span class="nt">-o7</span> <span class="o">{}</span> <span class="se">\;</span> </code></pre></div></div> <h3 id="2-jpegoptim"><a href="https://github.com/tjko/jpegoptim">2. jpegoptim</a>:</h3> <p>Install for Mac OS X:</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>brew <span class="nb">install </span>jpegoptim </code></pre></div></div> <p>Install for Linux Ubuntu:</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt-get <span class="nb">install </span>jpegoptim </code></pre></div></div> <p>Run the next command to optimize an image, <code class="language-plaintext highlighter-rouge">-m</code> controls the image quality (0-100):</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>jpegoptim <span class="nt">-m70</span> &lt;img-name&gt; </code></pre></div></div> <p>Or optimize all recursively:</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>find <span class="nb">.</span> <span class="nt">-iname</span> <span class="s2">"*.jpg"</span> <span class="nt">-exec</span> jpegoptim <span class="nt">-m80</span> <span class="nt">-o</span> <span class="nt">-p</span> <span class="o">{}</span> <span class="se">\;</span> </code></pre></div></div> <h3 id="3-gifsicle"><a href="https://www.lcdf.org/gifsicle/">3. gifsicle</a>:</h3> <p>Install for Mac OS X:</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>brew <span class="nb">install </span>gifsicle </code></pre></div></div> <p>For Linux Ubuntu:</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt-get <span class="nb">install </span>gifsicle </code></pre></div></div> <p>The commands for single image, and a group of images respectively, are:</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># for single image.</span> gifsicle <span class="nt">--batch</span> <span class="nt">-V</span> <span class="nt">-O2</span> &lt;image-name&gt;.gif <span class="c"># to start from cureent dir and go down.</span> find <span class="nb">.</span> <span class="nt">-iname</span> <span class="s2">"*.gif"</span> <span class="nt">-exec</span> gifsicle <span class="nt">--batch</span> <span class="nt">-V</span> <span class="nt">-O2</span> <span class="o">{}</span> <span class="se">\;</span> </code></pre></div></div> <h3 id="aliases"><strong>Aliases</strong></h3> <p>Here are some aliases to keep commands nearby for fast run on the active directory images.</p> <p>Be warn that those (also the previously mentioned commands) all alter the original images.</p> <div class="language-sh highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">alias </span><span class="nv">compress_png</span><span class="o">=</span><span class="s2">"optipng -o7 *.png"</span> <span class="nb">alias </span><span class="nv">compress_jpg</span><span class="o">=</span><span class="s2">"jpegoptim -m80 *.jpg"</span> <span class="nb">alias </span><span class="nv">compress_gif</span><span class="o">=</span><span class="s2">"gifsicle --batch -V -O2 *.gif"</span> </code></pre></div></div> <p>You can tweak the optimization level and other options to suit your needs.</p> <h3 id="imageoptim"><strong>ImageOptim</strong></h3> <p>If you’d like to use a GUI application, <a href="https://imageoptim.com/mac">ImageOptim</a> is a pretty open source one for Mac OS X that supports multiple image formats.</p> <p><img src="/public/images/imageoptim.png" alt="ImageOptim Screen Shot" /></p> <p>Happy mature optimization :) !</p> Tue, 30 Aug 2016 00:00:00 +0300 https://www.abarrak.com/2016/08/30/optimize-images-from-your-terminal https://www.abarrak.com/2016/08/30/optimize-images-from-your-terminal Image Processing optipng jpegoptim gifsicle ImageOptim Image Processing Productivity