$30 off During Our Annual Pro Sale. View Details »

sacloudns

kazeburo
April 02, 2021
Technology
2
260

 sacloudns

#さくらのマイクロコミュニティ (CLI/APIユーザの会) vol.1

kazeburo

April 02, 2021
Tweet

More Decks by kazeburo

See All by kazeburo
DNS水責め攻撃と監視 / DNS water torture attack Monitoring and SLO
kazeburo
4
3k
DBやめてみた / DNS water torture attack and countermeasures
kazeburo
13
7.9k
IaaSにおけるPlatform Engineeringとこれから / Platform engineering in IaaS
kazeburo
2
870
高信頼IaaSを実現するDevOps / DevOps for Highly Reliable IaaS
kazeburo
1
360
権威DNSサービスへのDDoSと
ハイパフォーマンスなベンチマーカ / DNS Pseudo random subdomain attack and High performance Benchmarker
kazeburo
3
3.6k
DNS権威サーバのクラウドサービス向けに行われた攻撃および対策 / DNS Pseudo-Random Subdomain Attack and mitigations
kazeburo
6
9.5k
「orchestratorとGTID運用を支える監視」の勉強 / Monitoring orchestrator and GTID operation
kazeburo
2
1.1k
最近の監視(仮)/Recent system monitoring with mackerel
kazeburo
3
4.2k
Mercari Item Search: 
Behind The Scenes (20min)
kazeburo
3
2.8k

Other Decks in Technology

See All in Technology
cloudflare-workersを使ってslack上に匿名チャットを作った話
sugawani
0
130
イベント企画設計における「フロントエンド」な考え方とその魅力
kgsi
1
1.8k
Managing "side effect" in Frontend Development
shinyaigeek
3
1.7k
Honoが良さそう🔥
is_ryo
0
150
Podman with WebAssembly
utam0k
2
230
EventStormingとRDRA2.0で大規模レガシーシステムのフルリニューアルPJに挑む
leveragestech
0
430
APIテスト導入から2年。アジャイルな組織で見えてきたmabl活用の道
bengo4com
0
1.9k
DMMオンラインサロン エンジニア採用資料/ for-software-engineers
onlinesalon
0
3.6k
visionOSについてGlobeeが取り組んでいること
toshi0383
0
200
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
6
5.1k
RealSense T265とD415とUFACTORY Lite 6で模倣学習の実験
hygradme
0
290
Exploring Postgres VACUUM with the VACUUM Simulator
keiko713
5
600

Featured

See All Featured
A Modern Web Designer's Workflow
chriscoyier
688
190k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
4k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
Git: the NoSQL Database
bkeepers
PRO
420
62k
The Art of Programming - Codeland 2020
erikaheidi
39
12k
Testing 201, or: Great Expectations
jmmastey
26
6.1k
How to Ace a Technical Interview
jacobian
272
22k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.4k
Stop Working from a Prison Cell
hatefulcrawdad
265
18k
From Idea to $5000 a Month in 5 Months
shpigford
376
45k
Large-scale JavaScript Application Architecture
addyosmani
501
110k
How GitHub (no longer) Works
holman
299
140k

Transcript

  1. sacloudns
    Masahiro Nagano (kazeburo)
    2021/04/02 ͘͞ΒͷϚΠΫϩίϛϡχςΟ vol.1

    View Slide

  2. Who ?
    • Masahiro Nagano (kazeburo)
    • 2021/01/18 ͘͞ΒΠϯλʔωοτೖࣾ
    • ͘͞ΒͷΫϥ΢υͷDNSɺΤϯϋϯευLBɺγϯϓϧ؂ࢹ͋ͨΓΛΈͯ·͢

    View Slide

  3. the beginning
    • ೖࣾͯ͠·΋ͳ͘ɺ͘͞ΒͷΫϥ΢υ DNSͷϨίʔυ൓ө·Ͱʹ͔͔Δ࣌ؒ
    ͷ୹ॖ (1෼Ҏ্͔Β20ඵఔ౓) Λ΍ͬͨ
    • ΤϯϋϯευLBΛࢼ͢ʹ͋ͨΓɺSSLূ໌ॻͷऔಘ͕ඞཁʹ
    • lego (https://github.com/go-acme/lego) ͕ΠϚΠν࢖͍ʹ͍͘
    • ׳Ε͍ͯͨ dehydrated (https://dehydrated.io/) Λ࢖͍͍ͨͷͰɺDNSΛม
    ߋ͢ΔίϚϯυ͕ཉ͍͠

    View Slide

  4. sacloudns

    View Slide

  5. sacloudns
    • cli53 (Cli for Amazon Route53:https://github.com/barnybug/cli53) ͷΑ͏
    ͳDNSΛૢ࡞͢ΔίϚϯυϥΠϯπʔϧ
    • Goݴޠ
    • github.com/sacloud/libsacloud/v2 Λར༻ 🙇
    • GoogleͰHit͠ͳ͍

    View Slide

  6. Usage
    Usage:
    sacloudns [OPTIONS]
    Help Options:
    -h, --help Show this help message
    Available commands:
    fzone find zone for the record
    list list zones
    radd add a record
    rdelete delete a record
    rset replace records or add a record
    version display version
    zone describe zone

    View Slide

  7. Usage
    • Ϩίʔυͷ௥Ճ
    • Ϩίʔυͷ࡟আ
    • κʔϯͷݕࡧ
    • ࣮ߦʹ͸ SAKURACLOUD_ACCESS_TOKEN,
    SAKURACLOUD_ACCESS_TOKEN_SECRET ͕ඞཁ
    ./sacloudns radd --zone example.com --name www --type A --data 192.168.0.1 --ttl 30
    ./sacloudns rdelete --zone example.com --name test --type A --data 192.168.0.1
    ./sacloudns fzone foo.bar.example.com

    View Slide

  8. wait propagation
    ਁಁ଴ͪͩͳΜͯݴΘͤͳ͍
    • TXT ͱ CNAME ʹݶΓɺϨίʔυͷ൓өΛ଴ͭ —wait Φϓγϣϯ͕࢖͑Δ
    • κʔϯͷ NS ϨίʔυΛௐ΂ɺͦͷDNSαʔόʹ޲͔ͬͯ 2ඵ ͝ͱʹΫΤϦ
    Λඈ͹ͯ֬͠ೝ

    View Slide

  9. wait propagation
    % ./sacloudns radd --wait --zone kazeburo.work --name test --type TXT --data test-test-test --ttl 30
    2021/02/05 16:44:22 Checking DNS record propagation.
    2021/02/05 16:44:22 Waiting for DNS record propagation.
    2021/02/05 16:44:24 Waiting for DNS record propagation.
    2021/02/05 16:44:26 Waiting for DNS record propagation.
    2021/02/05 16:44:28 Waiting for DNS record propagation.
    2021/02/05 16:44:30 Waiting for DNS record propagation.
    2021/02/05 16:44:33 Waiting for DNS record propagation.
    2021/02/05 16:44:35 Waiting for DNS record propagation.
    2021/02/05 16:44:37 Waiting for DNS record propagation.
    2021/02/05 16:44:39 Waiting for DNS record propagation.
    2021/02/05 16:44:41 Waiting for DNS record propagation.
    2021/02/05 16:44:43 Waiting for DNS record propagation.
    2021/02/05 16:44:45 Waiting for DNS record propagation.
    {“ID”:113300144171,”Name”:”kazeburo.work","Description":"","Tags":
    [],"Availability":"available","IconID":0,"CreatedAt":"2021-01-19T11:59:31+09:00","ModifiedAt":"2021-01-19T11:59:31+
    09:00","Records":[{"Name":"*","Type":"CNAME","RData":"site-1etp19k.proxylb1.sakura.ne.jp.","TTL":10},....

    View Slide

  10. 100%ศར
    (౰ࣾൺ)

    View Slide

  11. GitHub Actions ͱ
    sacloudns ͱ
    ͘͞ΒͷΦϒδΣΫτετϨʔδ Ͱ
    ΤϯϋϯευLBͷূ໌ॻߋ৽ࣗಈԽ

    View Slide

  12. ଓ͖

    View Slide

  13. 1. GitHubͷrepoʹɺpush͢Δ͔͋Δ͍͸
    scheduleΛ͔ͭͬͯఆظతʹϫʔΫϑϩʔΛى
    ಈ͠·͢ɻ
    2. ΦϒδΣΫτετϨʔδ͔Βݱࡏͷূ໌ॻʗ
    Let's Encrypt ͷೝূ৘ใΛ Sync
    3. dehydratedΛىಈ͠
    4. sacloudnsΛ࢖ͬͯdns-01ೝূͯ͠ূ໌ॻऔಘ
    (ZeroSSLͰ΋Մ)
    5. ূ໌ॻɾೝূ৘ใΛΦϒδΣΫτετϨʔδʹ
    ॻ͖໭͢
    6. ূ໌ॻ͕ߋ৽͞Ε͍ͯΕ͹ɺΤϯϋϯευϩʔυ
    όϥϯαʔʹΞοϓϩʔυ

    View Slide

  14. name: release
    on:
    push:
    branches:
    - main
    schedule:
    - cron: '19 1 * * *'
    jobs:
    renew-cert:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
    uses: actions/checkout@v2
    with:
    fetch-depth: 0
    - name: install sacloudns
    run: |
    curl -s -LO https://github.com/kazeburo/sacloudns/releases/download/v0.0.4/
    sacloudns_linux_amd64.zip
    sudo unzip -d /usr/bin sacloudns_linux_amd64.zip sacloudns
    rm sacloudns_linux_amd64.zip
    - name: git pull dehydrated
    run: |
    git clone https://github.com/lukas2511/dehydrated.git -b v0.7.0 /opt/dehydrated
    cp -a ${GITHUB_WORKSPACE}/config /opt/dehydrated/config
    cp -a ${GITHUB_WORKSPACE}/hook.sh /opt/dehydrated/hook.sh
    cp -a ${GITHUB_WORKSPACE}/domains.txt /opt/dehydrated/domains.txt
    cp -a ${GITHUB_WORKSPACE}/template.jq /opt/dehydrated/template.jq
    - name: Sync accounts/certs from object storage
    env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    AWS_REGION: eu-west-1
    run: |
    cd /opt/dehydrated
    mkdir -p accounts
    mkdir -p certs
    aws --version
    aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 ls s3://bucket/ > dir-list
    if grep accounts/ dir-list > /dev/null; then
    aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 --only-show-errors --delete sync
    s3://bucket/accounts/ accounts
    fi
    if grep certs/ dir-list > /dev/null; then
    aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 --only-show-errors --delete sync
    s3://bucket/certs/ certs
    fi
    - name: Renew and generate certs
    env:
    SAKURACLOUD_ACCESS_TOKEN: ${{ secrets.SAKURACLOUD_ACCESS_TOKEN }}
    SAKURACLOUD_ACCESS_TOKEN_SECRET: ${{ secrets.SAKURACLOUD_ACCESS_TOKEN_SECRET }}
    run: |
    cd /opt/dehydrated
    ./dehydrated --register --accept-terms
    ./dehydrated -c -f config |& tee -a log
    - name: check suceeded
    run: |
    cd /opt/dehydrated
    if ! grep "dehydrated completed" log > /dev/null; then
    exit 1
    fi
    - name: sync to object storage
    env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    AWS_REGION: eu-west-1
    run: |
    cd /opt/dehydrated
    aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 --only-show-errors --delete sync
    accounts/ s3://bucket/accounts/
    aws --endpoint-url=https://s3.isk01.sakurastorage.jp s3 --only-show-errors --delete sync
    certs/ s3://bucket/certs/
    - name: run if new/renew
    env:
    SAKURACLOUD_ACCESS_TOKEN: ${{ secrets.SAKURACLOUD_ACCESS_TOKEN }}
    SAKURACLOUD_ACCESS_TOKEN_SECRET: ${{ secrets.SAKURACLOUD_ACCESS_TOKEN_SECRET }}
    run: |
    cd /opt/dehydrated
    if grep "Creating fullchain" log > /dev/null; then
    ELB_ID=$(curl -s --user $SAKURACLOUD_ACCESS_TOKEN:$SAKURACLOUD_ACCESS_TOKEN_SECRET
    https://secure.sakura.ad.jp/cloud/zone/is1a/api/cloud/1.1/commonserviceitem | jq -r
    ‘.CommonServiceItems[]|select(.Name==“MY-ELB" and .Provider.Class=="proxylb").ID'|head -1)
    jq -n -f template.jq --rawfile ServerCertificate certs/works/cert.pem --rawfile
    IntermediateCertificate certs/works/chain.pem --rawfile PrivateKey certs/works/privkey.pem |
    curl -d @- -X PUT -H "Content-Type: application/json" --user $SAKURACLOUD_ACCESS_TOKEN:
    $SAKURACLOUD_ACCESS_TOKEN_SECRET https://secure.sakura.ad.jp/cloud/zone/is1a/api/cloud/1.1/
    commonserviceitem/$ELB_ID/proxylb/sslcertificate
    fi
    ࢿྉ͸ެ։͠·͢

    View Slide

  15. ·ͱΊ
    • ΤϯϋϯευLB͸ 20ຕ·Ͱূ໌ॻొ࿥͕Մೳ͕ͩɺLet’s Encryptͷূ໌ॻ͸
    1ͭͷΈͰϫΠϧυΧʔυ ͕࢖͑ͳ͍
    • DNS-01ʹΑΔূ໌ॻऔಘͱɺAPIΛ࢖͏͜ͱͰΑΓॊೈͳSSLͱϩʔυόϥϯ
    αӡ༻͕ՄೳʹͳΓ·͢
    • ূ໌ॻ؅ཧͷϙϦγʔʹґΔͱ͜Ζ͸͋Γ·͕͢ɺGitHub ActionsͰߋ৽͸ָ

    View Slide

  16. ·ͱΊ2
    • sacloudns ศར
    • libsacloud ศར!!

    View Slide

  17. Ҏ্

    View Slide