Wednesday, January 24, 2024

Kubernetes/k8s development notes: installing kubeadm on Ubuntu 16.04 and dealing with outdated docker and containerd versions

I had already been using docker to package some very heavy jobs, such as firmware builds. Now I want to try the kubeadm tool and move the maintenance of the whole system from docker up to a Kubernetes cluster, so that k8s can manage compute resources from then on, for instance by allocating compute units dynamically. It feels a lot like what I did with autoscaling on AWS more than ten years ago: a familiar stranger.

This post only deals with the startup problems after installing kubeadm on Ubuntu 16.04; it does not cover other usage details, such as creating node servers or having them join the master server as soon as they connect.

Environment overview:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.6 LTS
Release:        16.04
Codename:       xenial

$ curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
$ echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee -a /etc/apt/sources.list.d/kubernetes.list
$ sudo apt update
$ sudo apt install kubeadm
$ sudo apt-mark hold kubelet kubeadm kubectl

$ dpkg -l  | grep kube
ii  kubeadm                 1.28.2-00          amd64        Kubernetes Cluster Bootstrapping Tool
ii  kubectl                 1.28.2-00          amd64        Kubernetes Command Line Tool
ii  kubelet                 1.28.2-00          amd64        Kubernetes Node Agent
ii  kubernetes-cni          1.2.0-00           amd64        Kubernetes CNI

Next:

$ sudo kubeadm init --v=5
...
validating the existence and emptiness of directory /var/lib/etcd
[preflight] Some fatal errors occurred:
[ERROR CRI]: container runtime is not running: output: level=fatal msg="validate service connection: CRI v1 runtime API is not implemented for endpoint \"unix:///var/run/containerd/containerd.sock\": rpc error: code = Unimplemented desc = unknown service runtime.v1.RuntimeService"

Something is wrong, so I started troubleshooting. Part of the information suggested this is closely tied to the docker and containerd versions, so the first step was to upgrade docker and containerd as far as possible:

$ dpkg -l | grep containerd
ii  containerd              1.2.6-0ubuntu1~16.04.6+esm1  amd64        daemon to control runC
$ dpkg -l | grep docker
rc  docker                                     1.5-1                                           amd64        System tray for KDE3/GNOME2 docklet applications
ii  docker.io                                  18.09.7-0ubuntu1~16.04.7                        amd64        Linux container runtime
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
$ echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
$ sudo apt update
$ sudo apt install docker-ce docker-ce-cli containerd.io

$ sudo docker version
Client: Docker Engine - Community
 Version:           20.10.7
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        f0df350
 Built:             Wed Jun  2 11:56:47 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.7
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       b0f5bc3
  Built:            Wed Jun  2 11:54:58 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.6
  GitCommit:        d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc:
  Version:          1.0.0-rc95
  GitCommit:        b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Next I traced the problem to what might be the cri plugin and tried to rule it out:

$ cat /etc/containerd/config.toml | grep cri
enabled_plugins = ["cri"]

No effect; keep going:

$ sudo mv /etc/containerd/config.toml /etc/containerd/config.toml.bak
$ containerd config default | sudo tee /etc/containerd/config.toml
$ sudo systemctl restart containerd
$ containerd config default | grep containerd.sock
  address = "/run/containerd/containerd.sock"

Running kubeadm init again gave the same problem. Looking into the details, it seemed quite likely that containerd was still too old; one key piece of information said that versions before 1.6 lack the required communication interface (the CRI v1 API named in the error above).

$ dpkg -L containerd.io | grep bin
/usr/bin
/usr/bin/containerd-shim-runc-v2
/usr/bin/containerd-shim
/usr/bin/containerd
/usr/bin/runc
/usr/bin/ctr
/usr/bin/containerd-shim-runc-v1

So I went straight to the containerd.io site and downloaded the latest binary release, version 1.7.11:

$ wget https://github.com/containerd/containerd/releases/download/v1.7.11/containerd-1.7.11-linux-amd64.tar.gz
$ tar xvf containerd-1.7.11-linux-amd64.tar.gz
$ tar -tzvf containerd-1.7.11-linux-amd64.tar.gz
drwxr-xr-x root/root         0 2023-12-09 07:41 bin/
-rwxr-xr-x root/root  12185600 2023-12-09 07:41 bin/containerd-shim-runc-v2
-rwxr-xr-x root/root  28330360 2023-12-09 07:41 bin/ctr
-rwxr-xr-x root/root   7061504 2023-12-09 07:41 bin/containerd-shim
-rwxr-xr-x root/root   8761344 2023-12-09 07:41 bin/containerd-shim-runc-v1
-rwxr-xr-x root/root  26184312 2023-12-09 07:41 bin/containerd-stress
-rwxr-xr-x root/root  55551616 2023-12-09 07:41 bin/containerd

Now deal with the copies already on the system:

$ sudo systemctl stop containerd
$ sudo mkdir -p /usr/bin/containerd-1.4.6
$ sudo mv /usr/bin/containerd* /usr/bin/containerd-1.4.6/
$ sudo mv /usr/bin/ctr /usr/bin/containerd-1.4.6/
$ tree /usr/bin/containerd-1.4.6/
/usr/bin/containerd-1.4.6/
├── containerd
├── containerd-shim
├── containerd-shim-runc-v1
├── containerd-shim-runc-v2
└── ctr

0 directories, 5 files

$ sudo cp ~/bin/c* /usr/bin/

Getting ready to restart:

$ containerd --version
containerd github.com/containerd/containerd v1.7.11 64b8a811b07ba6288238eefc14d898ee0b5b99ba
$ containerd config default | sudo tee /etc/containerd/config.toml
$ sudo systemctl stop containerd
$ sudo systemctl start containerd
$ sudo systemctl status containerd
● containerd.service - containerd container runtime
   Loaded: loaded (/lib/systemd/system/containerd.service; enabled; vendor preset: enabled)
   Active: active (running); 14min ago
     Docs: https://containerd.io
  Process: 19396 ExecStartPre=/sbin/modprobe overlay (code=exited, status=0/SUCCESS)
 Main PID: 19406 (containerd)
    Tasks: 32
   Memory: 24.5M
      CPU: 187ms
   CGroup: /system.slice/containerd.service
           └─19406 /usr/bin/containerd
$ sudo systemctl stop docker
$ sudo systemctl start docker
$ sudo docker version
Client: Docker Engine - Community
 Version:           20.10.7
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        f0df350
 Built:             Wed Jun  2 11:56:47 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.7
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       b0f5bc3
  Built:            Wed Jun  2 11:54:58 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.7.11
  GitCommit:        64b8a811b07ba6288238eefc14d898ee0b5b99ba
 runc:
  Version:          1.0.0-rc95
  GitCommit:        b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker version finally recognises containerd v1.7.11 as well, so now we can go back to kubeadm.

$ sudo kubeadm init  --v=5
....

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join ip:6443 --token ###### --discovery-token-ca-cert-hash sha256:###### 
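The check below is an added example, not code from the original post: it parses the line that `containerd --version` prints (both the apt-packaged and the hand-copied form shown above) and decides whether the runtime is new enough for the CRI v1 API that kubeadm 1.28 asks for, and whether config.toml disables the cri plugin. The 1.6.0 cut-off is taken from the post's research and is an assumption here.

```shell
#!/bin/sh
# Added example, not code from the original post: a preflight check that
# reads the line printed by `containerd --version` and decides whether the
# runtime is new enough for the CRI v1 API that kubeadm 1.28 expects.
# Assumption (from the post's research, not verified here): the cut-off is
# containerd 1.6.0.

MIN_MAJOR=1
MIN_MINOR=6

# parse_containerd_version LINE: print the bare X.Y.Z from a line such as
#   "containerd github.com/containerd/containerd v1.7.11 64b8a811b07b..."
# or "containerd containerd.io 1.4.6 d71fcd7d...". Returns 1 if no
# version field is present (a bare git hash has no dots and is skipped).
parse_containerd_version() {
    for _word in $1; do
        case "$_word" in
            v[0-9]*.[0-9]*.[0-9]*|[0-9]*.[0-9]*.[0-9]*)
                _word=${_word#v}
                printf '%s\n' "${_word%%[-+~]*}"
                return 0
                ;;
        esac
    done
    return 1
}

# cri_v1_version_ok LINE: 0 if the version meets the minimum, 1 if it is
# too old, 2 if the line could not be parsed.
cri_v1_version_ok() {
    _ver=$(parse_containerd_version "$1") || return 2
    _major=${_ver%%.*}
    _rest=${_ver#*.}
    _minor=${_rest%%.*}
    [ "$_major" -gt "$MIN_MAJOR" ] && return 0
    [ "$_major" -eq "$MIN_MAJOR" ] && [ "$_minor" -ge "$MIN_MINOR" ] && return 0
    return 1
}

# cri_plugin_disabled TEXT: 0 if the config.toml text carries a
# `disabled_plugins = ["cri"]` line, the form the containerd.io package ships
# and a common cause of the same "unknown service runtime.v1.RuntimeService"
# error.
cri_plugin_disabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*disabled_plugins[[:space:]]*=.*"cri"'
}

# preflight: run both checks against the live host (needs containerd on
# PATH; not exercised by the assertions, which only use the pure helpers).
preflight() {
    _line=$(containerd --version 2>/dev/null) || { echo "containerd not found on PATH"; return 1; }
    if cri_v1_version_ok "$_line"; then
        echo "containerd $(parse_containerd_version "$_line"): CRI v1 available"
    else
        echo "containerd too old for CRI v1 (need >= $MIN_MAJOR.$MIN_MINOR): $_line"
        return 1
    fi
    if [ -r /etc/containerd/config.toml ] && cri_plugin_disabled "$(cat /etc/containerd/config.toml)"; then
        echo "cri plugin is disabled in /etc/containerd/config.toml"
        return 1
    fi
    # A binary copied into /usr/bin by hand still belongs to the containerd.io
    # package as far as dpkg is concerned (`dpkg -S /usr/bin/containerd`), so a
    # later `apt upgrade` of that package will overwrite the manual copy.
    echo "preflight ok"
}
```

Run `preflight` before `kubeadm init`; the comment at the end is the caveat that comes with replacing the packaged binary by hand.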

Also, Kubernetes itself recommends disabling swap to guarantee overall performance. Since I am running on a machine that already has swap and cannot turn it off, I had to find a way to skip the swap check (by adding --fail-swap-on=false):

$ cat /etc/systemd/system/kubelet.service.d/10-kubeadm.conf | grep ExecStart
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS --fail-swap-on=false

Related information:

Tuesday, January 23, 2024

JavaScript development notes: using npm commands as much as possible to handle package security updates, in this case upgrading electron and electron-builder

An exercise project I wrote earlier sits on GitHub and keeps receiving package security upgrade notification e-mails (this is just one of them). In the past I handled these by editing package.json by hand; this time let me try the commands:

% git clone https://github.com/changyy/node-electron-based
% cd node-electron-based
% source env_nvm.sh 
Now using node v16.20.2 (npm v8.19.4)
% npm install
npm WARN deprecated asar@3.2.0: Please use @electron/asar moving forward.  There is no API change, just a package name change
npm WARN deprecated electron-osx-sign@0.6.0: Please use @electron/osx-sign moving forward. Be aware the API is slightly different

added 557 packages, and audited 558 packages in 10s

69 packages are looking for funding
  run `npm fund` for details

11 vulnerabilities (4 moderate, 7 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Next, as the output suggests, take a look with npm audit fix:

% npm audit fix

up to date, audited 558 packages in 860ms

69 packages are looking for funding
  run `npm fund` for details

# npm audit report

electron  <=22.3.24
Severity: high
Depends on vulnerable versions of @electron/get
Electron vulnerable to out-of-package code execution when launched with arbitrary cwd - https://github.com/advisories/GHSA-7x97-j373-85x5
Electron context isolation bypass via nested unserializable return value - https://github.com/advisories/GHSA-p7v2-p9m8-qqg7
Electron affected by libvpx's heap buffer overflow in vp8 encoding - https://github.com/advisories/GHSA-qqvq-6xgj-jw8g
ASAR Integrity bypass via filetype confusion in electron - https://github.com/advisories/GHSA-7m48-wc93-9g85
fix available via `npm audit fix --force`
Will install electron@28.1.4, which is a breaking change
node_modules/electron

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install electron@28.1.4, which is a breaking change
node_modules/got
  @electron/get  <=1.14.1
  Depends on vulnerable versions of got
  node_modules/@electron/get

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/dir-compare/node_modules/minimatch
  dir-compare  <=2.4.0
  Depends on vulnerable versions of minimatch
  node_modules/dir-compare
    @electron/universal  1.0.1 - 1.3.3
    Depends on vulnerable versions of dir-compare
    node_modules/@electron/universal
      app-builder-lib  22.10.4 - 24.0.0-alpha.13
      Depends on vulnerable versions of @electron/universal
      node_modules/app-builder-lib
        dmg-builder  22.10.4 - 24.0.0-alpha.13
        Depends on vulnerable versions of app-builder-lib
        node_modules/dmg-builder
          electron-builder  19.25.0 || 22.10.4 - 24.6.0
          Depends on vulnerable versions of app-builder-lib
          Depends on vulnerable versions of dmg-builder
          Depends on vulnerable versions of simple-update-notifier
          node_modules/electron-builder

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/simple-update-notifier/node_modules/semver
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier

11 vulnerabilities (4 moderate, 7 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Handle it with npm audit fix --force:

% npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating electron to 28.1.4, which is a SemVer major change.

added 10 packages, removed 13 packages, changed 15 packages, and audited 555 packages in 4s

76 packages are looking for funding
  run `npm fund` for details

# npm audit report

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/dir-compare/node_modules/minimatch
  dir-compare  <=2.4.0
  Depends on vulnerable versions of minimatch
  node_modules/dir-compare
    @electron/universal  1.0.1 - 1.3.3
    Depends on vulnerable versions of dir-compare
    node_modules/@electron/universal
      app-builder-lib  22.10.4 - 24.0.0-alpha.13
      Depends on vulnerable versions of @electron/universal
      node_modules/app-builder-lib
        dmg-builder  22.10.4 - 24.0.0-alpha.13
        Depends on vulnerable versions of app-builder-lib
        node_modules/dmg-builder
          electron-builder  19.25.0 || 22.10.4 - 24.6.0
          Depends on vulnerable versions of app-builder-lib
          Depends on vulnerable versions of dmg-builder
          Depends on vulnerable versions of simple-update-notifier
          node_modules/electron-builder

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/simple-update-notifier/node_modules/semver
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier

8 vulnerabilities (2 moderate, 6 high)

To address all issues, run:
  npm audit fix

% git diff
diff --git a/package.json b/package.json
index f470e2b..4b7ac3d 100644
--- a/package.json
+++ b/package.json
@@ -19,7 +19,7 @@
     "concurrently": "^7.4.0",
     "copy-webpack-plugin": "^11.0.0",
     "cross-env": "^7.0.3",
-    "electron": "^20.1.1",
+    "electron": "^28.1.4",
     "electron-builder": "^23.3.3",
     "webpack-cli": "^4.10.0",
     "webpack-dev-server": "^4.11.0"
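Review bot: electron-builder stays at "^23.3.3" two lines below the electron bump in this hunk, and the audit report directly above still lists electron-builder 19.25.0 || 22.10.4 - 24.6.0 as depending on vulnerable app-builder-lib, dmg-builder and simple-update-notifier, so the 8 remaining findings are not addressed here; bump it in the same change. Going from "^20.1.1" to "^28.1.4" is eight majors, and `npm audit fix --force` only proves the install resolves, so the main, preload and renderer code should be checked against the Electron breaking-changes notes for 21 through 28 before relying on the build below.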

That should count as one item updated; finally, let me check whether the earlier build code still works.

% npm install
% npm run build

> simple-electron-app@1.0.0 build
> webpack-cli && electron-builder -mwl

assets by path ../../ 2.47 KiB
  assets by path ../../renderer/*.js 958 bytes
    asset ../../renderer/mainRenederer.js 910 bytes [emitted] [from: src/renderer/mainRenederer.js] [copied] [minimized]
    asset ../../renderer/index.js 48 bytes [emitted] [from: src/renderer/index.js] [copied] [minimized]
  asset ../../main/index.js 1.26 KiB [emitted] [from: src/main/index.js] [copied] [minimized]
  asset ../../preload/mainRenderer.js 289 bytes [emitted] [from: src/preload/mainRenderer.js] [copied] [minimized]
asset index.html 495 bytes [emitted] [from: src/html/mainRenderer/index.html] [copied]
asset index.js 253 bytes [emitted] [minimized] (name: mainRendererHTML)
./src/html/mainRenderer/index.js 380 bytes [built] [code generated]

WARNING in configuration
The 'mode' option has not been set, webpack will fallback to 'production' for this value.
Set 'mode' option to 'development' or 'production' to enable defaults for each environment.
You can also set it to 'none' to disable any default behavior. Learn more: https://webpack.js.org/configuration/mode/

webpack 5.89.0 compiled with 1 warning in 146 ms
  • electron-builder  version=23.6.0 os=23.2.0
  • description is missed in the package.json  appPackageFile=/Volumes/Data/UserData/tmp/node-electron-based/package.json
  • writing effective config  file=dist/builder-effective-config.yaml
  • packaging       platform=darwin arch=arm64 electron=28.1.4 appOutDir=dist/mac-arm64
  • downloading     url=https://github.com/electron/electron/releases/download/v28.1.4/electron-v28.1.4-darwin-arm64.zip size=95 MB parts=8
  • downloaded      url=https://github.com/electron/electron/releases/download/v28.1.4/electron-v28.1.4-darwin-arm64.zip duration=36.971s
  • default Electron icon is used  reason=application icon is not set
  • skipped macOS application code signing  reason=cannot find valid "Developer ID Application" identity or custom non-Apple code signing certificate, it could cause some undefined behaviour, e.g. macOS localized description not visible, see https://electron.build/code-signing allIdentities=     0 identities found
                                                Valid identities only
     0 valid identities found
  • building        target=macOS zip arch=arm64 file=dist/simple-electron-app-1.0.0-arm64-mac.zip
  • building        target=DMG arch=arm64 file=dist/simple-electron-app-1.0.0-arm64.dmg
  • Detected arm64 process, HFS+ is unavailable. Creating dmg with APFS - supports Mac OSX 10.12+
  • packaging       platform=linux arch=x64 electron=28.1.4 appOutDir=dist/linux-unpacked
  • downloading     url=https://github.com/electron/electron/releases/download/v28.1.4/electron-v28.1.4-linux-x64.zip size=102 MB parts=8
  • building block map  blockMapFile=dist/simple-electron-app-1.0.0-arm64.dmg.blockmap
  • building block map  blockMapFile=dist/simple-electron-app-1.0.0-arm64-mac.zip.blockmap
  • downloaded      url=https://github.com/electron/electron/releases/download/v28.1.4/electron-v28.1.4-linux-x64.zip duration=30.749s
  • building        target=snap arch=x64 file=dist/simple-electron-app_1.0.0_amd64.snap
  • building        target=AppImage arch=x64 file=dist/simple-electron-app-1.0.0.AppImage
  • application Linux category is set to default "Utility"  reason=linux.category is not set and cannot map from macOS docs=https://www.electron.build/configuration/linux
  • default Electron icon is used  reason=application icon is not set
  • application Linux category is set to default "Utility"  reason=linux.category is not set and cannot map from macOS docs=https://www.electron.build/configuration/linux
  • packaging       platform=win32 arch=arm64 electron=28.1.4 appOutDir=dist/win-arm64-unpacked
  • downloading     url=https://github.com/electron/electron/releases/download/v28.1.4/electron-v28.1.4-win32-arm64.zip size=108 MB parts=8
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/snap-template-4.0-2/snap-template-electron-4.0-2-amd64.tar.7z size=1.5 MB parts=1
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/appimage-12.0.1/appimage-12.0.1.7z size=1.6 MB parts=1
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/appimage-12.0.1/appimage-12.0.1.7z duration=5.225s
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/snap-template-4.0-2/snap-template-electron-4.0-2-amd64.tar.7z duration=5.425s
  • downloaded      url=https://github.com/electron/electron/releases/download/v28.1.4/electron-v28.1.4-win32-arm64.zip duration=42.26s
  • default Electron icon is used  reason=application icon is not set
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z size=5.6 MB parts=1
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z duration=4.001s
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/wine-4.0.1-mac/wine-4.0.1-mac.7z size=19 MB parts=3
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/wine-4.0.1-mac/wine-4.0.1-mac.7z duration=13.249s
  • building        target=nsis file=dist/simple-electron-app Setup 1.0.0.exe archs=arm64 oneClick=true perMachine=false
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-3.0.4.1/nsis-3.0.4.1.7z size=1.3 MB parts=1
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-3.0.4.1/nsis-3.0.4.1.7z duration=5.637s
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-resources-3.4.1/nsis-resources-3.4.1.7z size=731 kB parts=1
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-resources-3.4.1/nsis-resources-3.4.1.7z duration=4.013s
  • building block map  blockMapFile=dist/simple-electron-app Setup 1.0.0.exe.blockmap

The build is fine, so on to the next item:

% npm audit fix

up to date, audited 555 packages in 730ms

76 packages are looking for funding
  run `npm fund` for details

# npm audit report

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/dir-compare/node_modules/minimatch
  dir-compare  <=2.4.0
  Depends on vulnerable versions of minimatch
  node_modules/dir-compare
    @electron/universal  1.0.1 - 1.3.3
    Depends on vulnerable versions of dir-compare
    node_modules/@electron/universal
      app-builder-lib  22.10.4 - 24.0.0-alpha.13
      Depends on vulnerable versions of @electron/universal
      node_modules/app-builder-lib
        dmg-builder  22.10.4 - 24.0.0-alpha.13
        Depends on vulnerable versions of app-builder-lib
        node_modules/dmg-builder
          electron-builder  19.25.0 || 22.10.4 - 24.6.0
          Depends on vulnerable versions of app-builder-lib
          Depends on vulnerable versions of dmg-builder
          Depends on vulnerable versions of simple-update-notifier
          node_modules/electron-builder

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/simple-update-notifier/node_modules/semver
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier

8 vulnerabilities (2 moderate, 6 high)

To address all issues, run:
  npm audit fix

The story apparently originates with electron-builder, so let me try upgrading it first:

% cat package.json | jq '.devDependencies["electron-builder"]'
"^23.3.3"
% npm update --dev electron-builder
% cat package.json | jq '.devDependencies["electron-builder"]'
"^23.3.3"

Looks like this is the only way:

% npm install electron-builder@latest --save-dev
% cat package.json | jq '.devDependencies["electron-builder"]'
"^24.9.1"
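Why `npm update` could not do the job and `npm install electron-builder@latest --save-dev` could: a caret range never crosses the next major, so 24.9.1 lies outside "^23.3.3" while the 23.6.0 that the build log shows is inside it. The helper below is an added example, not code from the post or the node-electron-based repo; it implements npm's caret rule for plain X.Y.Z versions (an assumption: no prerelease tags) and reads the range with jq the way the post does.

```shell
#!/bin/sh
# Added example, not code from the original post or the node-electron-based
# repo: why `npm update --dev electron-builder` left package.json at "^23.3.3".
# A caret range stops before the next major, so 24.9.1 is outside ^23.3.3
# (23.6.0, the version the build log shows, is inside) and only
# `npm install electron-builder@latest --save-dev` rewrites the range.
# Assumes plain X.Y.Z versions without prerelease tags.

# ver_cmp A B: print -1, 0 or 1 comparing two X.Y.Z versions numerically.
ver_cmp() {
    _a=$1; _b=$2
    for _i in 1 2 3; do
        _x=${_a%%.*}; _y=${_b%%.*}
        if [ "$_x" -lt "$_y" ]; then printf '%s\n' -1; return; fi
        if [ "$_x" -gt "$_y" ]; then printf '%s\n' 1; return; fi
        _a=${_a#*.}; _b=${_b#*.}
    done
    printf '%s\n' 0
}

# caret_upper_bound X.Y.Z: exclusive upper bound of ^X.Y.Z, following npm's
# rule that the left-most non-zero component may not change.
caret_upper_bound() {
    _v=$1
    _maj=${_v%%.*}; _v=${_v#*.}
    _min=${_v%%.*}; _pat=${_v#*.}
    if [ "$_maj" -gt 0 ]; then printf '%s\n' "$((_maj + 1)).0.0"
    elif [ "$_min" -gt 0 ]; then printf '%s\n' "0.$((_min + 1)).0"
    else printf '%s\n' "0.0.$((_pat + 1))"
    fi
}

# caret_satisfies '^X.Y.Z' V: 0 if V lies inside the caret range, 1 if not,
# 2 for a range that is not a caret range.
caret_satisfies() {
    case "$1" in
        ^*) _low=${1#^} ;;
        *)  echo "only caret ranges handled: $1" >&2; return 2 ;;
    esac
    [ "$(ver_cmp "$2" "$_low")" -ge 0 ] || return 1
    [ "$(ver_cmp "$2" "$(caret_upper_bound "$_low")")" -lt 0 ] || return 1
}

# upgrade_plan NAME RANGE TARGET: which npm command gets NAME to TARGET.
upgrade_plan() {
    if caret_satisfies "$2" "$3"; then
        echo "npm update --dev $1 can reach $3 (inside $2)"
    else
        echo "npm install $1@$3 --save-dev is needed ($3 is outside $2)"
    fi
}

# plan_from_package_json FILE NAME TARGET: read the range with jq, as the
# post does, then plan. Not exercised by the assertions (needs jq).
plan_from_package_json() {
    _range=$(jq -r ".devDependencies[\"$2\"]" "$1") || return 1
    upgrade_plan "$2" "$_range" "$3"
}
```

`plan_from_package_json package.json electron-builder 24.9.1` prints the `npm install` line for the ranges in this post.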

And this confirms everything is clean:

% npm audit
found 0 vulnerabilities

In the end, it was really just two lines changed in package.json XD

% git diff package.json 
diff --git a/package.json b/package.json
index f470e2b..4c830f1 100644
--- a/package.json
+++ b/package.json
@@ -19,8 +19,8 @@
     "concurrently": "^7.4.0",
     "copy-webpack-plugin": "^11.0.0",
     "cross-env": "^7.0.3",
-    "electron": "^20.1.1",
-    "electron-builder": "^23.3.3",
+    "electron": "^28.1.4",
+    "electron-builder": "^24.9.1",
     "webpack-cli": "^4.10.0",
     "webpack-dev-server": "^4.11.0"
   }
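Review bot: only package.json is shown here (`git diff package.json`); if the repository tracks package-lock.json, commit the lock entries that resolve electron to 28.1.4 and electron-builder to 24.9.1 in the same change, since `npm audit` reported 0 vulnerabilities against the installed tree, and a fresh install from the "^" ranges alone can resolve to newer versions that were never audited.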

Thursday, January 11, 2024

Synology NAS: using a private IP, a custom domain and a wildcard SSL certificate to serve HTTPS, with periodic certificate renewal and configuration @ DSM 7.2.1, DS723+

I handled the DS216play case before and wrote two notes about it:

This time, on the DS723+ / DSM 7.2.1, I dug a little deeper. Overall, the 2022 post only did half the job: it never got as far as automatic renewal, and I had not traced things clearly at the time either.

Brief procedure:
  1. Following the 2022 approach, first generate the certificate with acme.sh (for example, when Cloudflare maintains the DNS records, the Cloudflare API can easily be called to update the TXT record), then go to the Synology web admin -> Control Panel -> Connectivity -> Certificate -> Add -> Add a new certificate -> Import certificate.
  2. Once the import is done, the information can be seen at the system level. In the 2022 post I mistakenly took the location described in /usr/syno/etc/www/certificate/system_default/cert.conf to be the real one (because it is tied to the Nginx configuration); on closer inspection, the real location is a directory under /usr/syno/etc/certificate/_archive/.
    • cat /usr/syno/etc/certificate/_archive/INFO shows the certificate you uploaded yourself; suppose it lives in /usr/syno/etc/certificate/MySelf, which contains cert.pem, chain.pem, fullchain.pem and privkey.pem.
  3. If acme.sh is set up to run in the home directory of some user on the Synology NAS, that home directory will contain a location like ~/.acme.sh/*.YourDomain_ecc/ with ca.cer, '*.YourDomain.cer', '*.YourDomain.key', 'fullchain.cer' and '*.YourDomain.pkcs8'. The files in /usr/syno/etc/certificate/MySelf must then be kept in sync with these, for example with symbolic links.
  4. Afterwards, back in the Synology web interface -> Control Panel -> Task Scheduler -> create a task that runs with root privileges -> schedule it once a month -> in the user-defined script, call a script directly (for example wrapped as renew-ssl.sh) that completes the certificate renewal in the given user's home directory, then reload nginx.
    • sudo -u YourNASUser bash /var/services/homes/YourNASUser/renew-ssl.sh
    • sudo nginx -t && sudo synopkg restart --service nginx && sudo synosystemctl reload nginx
So far it looks like this: take the actual storage location found in (2) and point it, via symbolic links, at the data from (3); the certificate list in the Control Panel then immediately shows the extended expiry after an acme.sh renew. The '*.YourDomain.pkcs8' file format mentioned above relates to the format the Synology NAS uses; it can be generated by adding the --to-pkcs8 parameter when calling acme.sh renew.

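The renew-ssl.sh that the procedure above only describes in words, written out as an added example (not the post's own script). `setup`, run once as root, points the Synology certificate directory at acme.sh's output with symbolic links; `renew`, run as the NAS user from the scheduled task, lets acme.sh renew in place, after which the links already show the new files. The ACME_HOME, DOMAIN and SYNO_CERT_DIR values and the choice to link privkey.pem to the PKCS#8 key are assumptions not taken from the post.

```shell
#!/bin/sh
# Added example, not the post's own script: a concrete renew-ssl.sh for the
# procedure above. `setup` (run once, as root) points the Synology certificate
# directory at acme.sh's output with symbolic links; `renew` (run as the NAS
# user from the scheduled task) asks acme.sh to renew in place, after which
# the links already show the new files. Assumptions not in the post: the
# ACME_HOME / DOMAIN / SYNO_CERT_DIR values below, and that privkey.pem should
# point at the PKCS#8 key that --to-pkcs8 produces.
set -eu

ACME_HOME=${ACME_HOME:-${HOME:-/var/services/homes/YourNASUser}/.acme.sh}
DOMAIN=${DOMAIN:-*.YourDomain}
SYNO_CERT_DIR=${SYNO_CERT_DIR:-/usr/syno/etc/certificate/MySelf}

# link_cert_files SRC DST DOMAIN: replace the four files Synology reads with
# symlinks to acme.sh's names. Returns 1 if any source file is missing, so the
# scheduled task is reported as failed instead of silently linking nothing.
link_cert_files() {
    _src=$1; _dst=$2; _dom=$3
    mkdir -p "$_dst"
    for _pair in "$_dom.cer:cert.pem" "ca.cer:chain.pem" \
                 "fullchain.cer:fullchain.pem" "$_dom.pkcs8:privkey.pem"; do
        _from=$_src/${_pair%%:*}
        _to=$_dst/${_pair##*:}
        if [ ! -f "$_from" ]; then
            echo "missing $_from" >&2
            return 1
        fi
        ln -sfn "$_from" "$_to"
    done
}

# certs_linked DST: 0 when every expected name is a symlink to a readable
# file, i.e. the target acme.sh wrote really exists.
certs_linked() {
    for _f in cert.pem chain.pem fullchain.pem privkey.pem; do
        { [ -L "$1/$_f" ] && [ -r "$1/$_f" ]; } || return 1
    done
}

setup_links() {
    link_cert_files "$ACME_HOME/${DOMAIN}_ecc" "$SYNO_CERT_DIR" "$DOMAIN"
    certs_linked "$SYNO_CERT_DIR"
    echo "linked $SYNO_CERT_DIR to $ACME_HOME/${DOMAIN}_ecc"
}

renew_cert() {
    # --to-pkcs8 also writes the PKCS#8 key the post says Synology expects;
    # nginx is reloaded by the root part of the scheduled task, not here.
    "$ACME_HOME/acme.sh" --renew -d "$DOMAIN" --ecc --to-pkcs8
    certs_linked "$SYNO_CERT_DIR"
}

case "${1:-}" in
    setup) setup_links ;;
    renew) renew_cert ;;
    *) : ;;   # no argument: only define the functions (lets the file be sourced)
esac
```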
There is probably still one remaining concern: /usr/syno/etc/certificate/MySelf/*.pem can be renewed automatically, but will the certificate information nginx reads from its configuration be updated too? My current guess is that it is not synchronised, and the timing of that update is still unclear; I can only wait for the next renewal cycle and look again. The provisional conclusion is that the files are only copied from /usr/syno/etc/certificate/MySelf/*.pem to /usr/syno/etc/www/certificate/system_default/ when the certificate is set as the system default.

Monday, January 1, 2024

Using do-release-upgrade to upgrade Oracle Cloud Ubuntu 18.04 to 20.04 and then on to 22.04

After grabbing an Ubuntu 18.04 machine in 2019, it has been doing routine chores ever since. For about the last year apt upgrade could not upgrade much more and it just sat there, so I used the 2024-01-01 holiday to tidy it up.

Upgrading always carries risk; assess and accept it yourself. This is only a running log, and what worked for my VM does not mean everyone's machine can be upgraded.

Since a firewall had been set up earlier for some basic protection, port 1022 has to be opened for this upgrade as a precaution:

$ sudo iptables -I INPUT 1 -p tcp --dport 1022 -j ACCEPT
$ sudo service netfilter-persistent save

Start the operation:

$ sudo do-release-upgrade 
...
Calculating the changes

Could not calculate the upgrade

An unresolvable problem occurred while calculating the upgrade.

This was likely caused by:
* Unofficial software packages not provided by Ubuntu
Please use the tool 'ppa-purge' from the ppa-purge
package to remove software from a Launchpad PPA and
try the upgrade again.

If none of this applies, then please report this bug using the
command 'ubuntu-bug ubuntu-release-upgrader-core' in a terminal. If
you want to investigate this yourself the log files in
'/var/log/dist-upgrade' will contain details about the upgrade.
Specifically, look at 'main.log' and 'apt.log'.

So install it:

$ sudo apt-get install ppa-purge
$ sudo do-release-upgrade 
...

Another problem. After a quick look at bugs.launchpad.net/ubuntu/+source/llvm-toolchain-9/+bug/1886748, I took the lazy route and charged ahead:

$ sudo apt install clang-9
$ sudo do-release-upgrade 
...
Do you want to start the upgrade? 


17 packages are going to be removed. 209 new packages are going to be 
installed. 759 packages are going to be upgraded. 

You have to download a total of 886 M. This download will take about 
1 hour 52 minutes with a 1Mbit DSL connection and about 1 day 10 
hours with a 56k modem. 

Fetching and installing the upgrade can take several hours. Once the 
download has finished, the process cannot be canceled. 

 Continue [yN]  Details [d]Y

...
System upgrade is complete.

Restart required 

To finish the upgrade, a restart is required. 
If you select 'y' the system will be restarted. 

Continue [yN] Y

Fortunately... I can still connect XD. Looks like Ubuntu 20.04 is done.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal

Keep upgrading!

$ sudo do-release-upgrade 
...
Reading cache

Checking package manager

Continue running under SSH? 

This session appears to be running under ssh. It is not recommended 
to perform a upgrade over ssh currently because in case of failure it 
is harder to recover. 

If you continue, an additional ssh daemon will be started at port 
'1022'. 
Do you want to continue? 

Continue [yN] Y

Starting additional sshd 

To make recovery in case of failure easier, an additional sshd will 
be started on port '1022'. If anything goes wrong with the running 
ssh you can still connect to the additional one. 


To continue please press [ENTER]

Do you want to start the upgrade? 


12 packages are going to be removed. 128 new packages are going to be 
installed. 826 packages are going to be upgraded. 

You have to download a total of 746 M. This download will take about 
2 minutes with your connection. 

Installing the upgrade can take several hours. Once the download has 
finished, the process cannot be canceled. 

 Continue [yN]  Details [d] Y

done
Processing triggers for dbus (1.12.20-2ubuntu4.1) ...
Processing triggers for libgdk-pixbuf-2.0-0:amd64 (2.42.8+dfsg-1ubuntu0.2) ...
Reading package lists... Done    
Building dependency tree          
Reading state information... Done

Processing snap replacements

refreshing snap lxd

refreshing snap oracle-cloud-agent

Searching for obsolete software
Reading state information... Done

Remove obsolete packages? 


127 packages are going to be removed. 

Removing the packages can take several hours. 

 Continue [yN]  Details [d]Y

...

System upgrade is complete.

Restart required 

To finish the upgrade, a restart is required. 
If you select 'y' the system will be restarted. 

Continue [yN] Y

Log in again:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy