GCP
GCP certifications:
- Google Cloud Certified Cloud Digital Leader
- Google Cloud Certified Associate Cloud Engineer
- Google Cloud Certified DevOps Engineer
- Google Cloud Certified Machine Learning Engineer
- Google Cloud Certified Professional Cloud Architect
- Google Cloud Certified Professional Data Engineer
- Google Cloud Certified Professional Network Engineer
- Google Cloud Certified Professional Security Engineer
Cloud SDK
https://cloud.google.com/sdk/docs/install
Components installed by default:
- bq
- bundled-python3-unix
- gsutil
- core
- gcloud-crc32c
- alpha
- beta
Install other components:
gcloud components install app-engine-go docker-credential-gcr kustomize log-streaming terraform-tools app-engine-python app-engine-python-extras gke-gcloud-auth-plugin kubectl kubectl-oidc
Remove a component:
gcloud components remove <component_id>
Update:
gcloud components update
GCP Command Line Interface
Usage:
gcloud --help
CLI credentials
Initialize:
gcloud init
gcloud init --no-launch-browser
gcloud init --console-only
Configuration:
Configuration storage location:
linux/unix: ~/.config/gcloud
windows: %APPDATA%\gcloud
Configuration management:
// create a configuration
gcloud config configurations create [name]
// list configurations
gcloud config configurations list
// show a configuration's properties
gcloud config configurations describe [name]
// activate a configuration
gcloud config configurations activate [name]
// delete a configuration
gcloud config configurations delete [name]
Property management:
// show the properties of the active configuration
gcloud config list
// switch account
gcloud config set account [account]
// switch project
gcloud config set project [project]
// help on the properties that can be set
gcloud config set --help
// list the available properties
gcloud topic configurations
Login:
// opens a browser for authorization by default
gcloud auth login
// for a machine without a browser:
// copy the `gcloud auth login --remote-bootstrap="..."` command it prints and run it on another machine that has a browser and the gcloud CLI installed,
// then paste that browser's output back into the machine without a browser.
gcloud auth login --no-browser
// for a machine without a browser: copy the HTTPS URL it prints and open it in a browser to authorize.
gcloud auth login --no-launch-browser
// list accounts.
gcloud auth list
// revoke the account's CLI credentials
gcloud auth revoke [account]
// find where the credential files are stored
gcloud info
Application Default Credentials(ADC):
// supply user credentials to ADC (used by SDK client libraries, Terraform and similar tools).
gcloud auth application-default login --no-launch-browser
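The credential files that `gcloud auth login` and `gcloud auth application-default login` leave under the configuration directory are long-lived refresh tokens, so their file permissions matter. The following script is an added example and not part of these notes or the gcloud CLI: it assumes the CLI's well-known file layout (credentials.db, access_tokens.db, application_default_credentials.json and legacy_credentials/<account>/adc.json) and flags any of those files that are readable by group or others. The directory is a parameter, so it runs against a constructed fixture here and against ~/.config/gcloud in practice.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a gcloud configuration
# directory for the files that cache user credentials and refresh tokens, and
# flag any that are not owner-only. The file names are the gcloud CLI's
# well-known layout; the directory is passed in so the check can run against
# a constructed fixture as well as the real ~/.config/gcloud.

# Print the path of every credential-bearing file that exists under "$1".
list_gcloud_credential_files() {
  dir="$1"
  for f in "$dir/credentials.db" \
           "$dir/access_tokens.db" \
           "$dir/application_default_credentials.json"; do
    [ -f "$f" ] && printf '%s\n' "$f"
  done
  # legacy_credentials/<account>/adc.json carries a per-account refresh token
  if [ -d "$dir/legacy_credentials" ]; then
    find "$dir/legacy_credentials" -type f -name adc.json
  fi
  return 0
}

# Return 0 when every credential file is accessible by its owner only
# (group and other bits all clear); otherwise print the offenders and
# return 1. Columns 5-10 of `ls -l` are the group/other bits, which avoids
# the GNU/BSD differences in stat(1) flags.
check_gcloud_credential_perms() {
  dir="$1"
  rc=0
  old_ifs=$IFS
  IFS='
'
  for f in $(list_gcloud_credential_files "$dir"); do
    IFS=$old_ifs
    bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$bits" != "------" ]; then
      printf 'insecure permissions on %s (%s)\n' "$f" "$(ls -ld "$f" | cut -c1-10)"
      rc=1
    fi
  done
  IFS=$old_ifs
  return $rc
}

# Constructed fixture: a fake config dir with one group/world-readable token cache.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/legacy_credentials/user@example.com"
: > "$demo_dir/credentials.db";  chmod 600 "$demo_dir/credentials.db"
: > "$demo_dir/access_tokens.db"; chmod 644 "$demo_dir/access_tokens.db"
: > "$demo_dir/legacy_credentials/user@example.com/adc.json"
chmod 600 "$demo_dir/legacy_credentials/user@example.com/adc.json"
if check_gcloud_credential_perms "$demo_dir"; then
  echo "OK: all gcloud credential files are owner-only"
else
  echo "FIX: chmod 600 the files listed above, or revoke them with gcloud auth revoke"
fi
rm -rf "$demo_dir"
```

On a real workstation run `check_gcloud_credential_perms "$HOME/.config/gcloud"`; the same files are what an attacker with read access to the home directory would copy, so a non-zero result is also the cue to run `gcloud auth revoke` for the affected account rather than only fixing the mode.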
Interactive shell:
gcloud beta interactive
compute
- Kubernetes: GKE(EKS)
- Compute engine(EC2): compute engine
- Batch
- workload manager
ServerLess
- cloud run
- cloud functions
- app engine
- api gateway
- endpoints
network
- VPC
- cloud router
- cloud DNS(route53)
- cloud domains(route53)
- cloud firewall(DNS firewall, network firewall, SG, ACL)
- cloud interconnect(direct connect)
- cloud VPN
- cloud NAT
- cloud CDN
- cloud load balancing
Cloud Load balancer
Application LB(http/https):
- external LB(gce): external global lb(gke-l7-global-external-managed), external classic global lb(gke-l7-gxlb), external regional lb(gke-l7-regional-external-managed).
- internal LB(gce-internal, gke-l7-rilb): internal regional lb.
Proxy LB(TCP/SSL):
- external
- internal
Passthrough LB(TCP/UDP):
- external
- internal
storage
- persistent disk(EBS): (balanced/extreme/ssd/standard) block storage created together with the VM.
- cloud storage(S3): (standard/nearline/coldline/archive) store and retrieve any amount of data at any time, worldwide.
- cloud storage for Firebase(S3): built for app developers who need to store and serve user-generated content such as photos or videos.
- filestore(EFS): file storage
Database
- Cloud SQL(RDS, Aurora): RDBMS
- Cloud Spanner(Aurora): RDBMS
- Cloud Bigtable(dynamoDB): NoSQL: Key-value
- datastore(dynamoDB): NoSQL: Indexed
- memorystore(elastiCache): In-memory data store, memcached/redis
- BigQuery
Security
- certificate authority service(ACM): Certificate management
- cloud identity(IAM):
- Identity and access management(IAM):
- Identity-Aware Proxy(IAM):
- cloud key management service(KMS):
IAM members:
- google account
- google service account
- google groups
- cloud identity domain
- google workspace domain
IAM basic roles:
- Owner
- Editor
- Viewer
- Billing Administrator
Service account types:
- user created
- built-in (compute engine or gke default SA)
- Google APIs SA
Operation
- Monitoring
- Debugger
- Logging
- Error reporting
- Trace
- Profiler
Analytics
- BigQuery
- Pub/Sub
CI/CD
- cloud build
- cloud deploy
- container registry
- artifact registry
- source repositories
how to ssh to vm
Metadata
Divided into project metadata and instance metadata.
ssh
Only for external IP (public IP).
- ssh key for vm: add ssh pub key to instance metadata.
- ssh key for project: add ssh pub key to project metadata.
ssh to vm
ssh username_from_metadata@external_IP
gcloud
The first run creates an SSH key pair named google_compute_engine; the username is the local machine's username.
The public key is automatically uploaded to project/instance metadata.
gcloud compute ssh public-instance \
--project=PJ \
--zone=RZ
OS Login
When OS Login metadata is set, Compute Engine deletes the VM's authorized_keys file and no longer accepts connections from SSH keys stored in project or instance metadata.
Username for canuxcheng@gmail.com => canuxcheng_gmail_com
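Two helpers for the key-handling steps in the metadata section and the OS Login section above, as an added example that is not part of these notes or of the gcloud CLI. `oslogin_username` applies the documented rule that every non-alphanumeric character of the Google account becomes an underscore (canuxcheng@gmail.com becomes canuxcheng_gmail_com); the "ext_" prefix OS Login adds for accounts outside the VM's organization is not modelled. `metadata_ssh_key_entry` builds the "USERNAME:PUBLIC_KEY" line that the project or instance ssh-keys metadata expects and refuses files that are not a single public-key line, since a private key pasted by mistake would end up in metadata readable by anyone with instance or project viewer access. The key material in the demo is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original notes).
#  - oslogin_username: the POSIX username OS Login derives from a Google
#    account: every non-alphanumeric character becomes "_", e.g.
#    canuxcheng@gmail.com -> canuxcheng_gmail_com. The "ext_" prefix used for
#    accounts outside the VM's organization is not modelled here.
#  - metadata_ssh_key_entry: the "USERNAME:PUBLIC_KEY" line for the ssh-keys
#    metadata. The username before the colon (not the key's comment) selects
#    the Linux user, and the file must be exactly one public-key line.

oslogin_username() {
  printf '%s' "$1" | tr -c '[:alnum:]' '_'
}

metadata_ssh_key_entry() {
  user="$1"
  keyfile="$2"
  if [ ! -f "$keyfile" ]; then
    echo "metadata_ssh_key_entry: no such file: $keyfile" >&2
    return 1
  fi
  # A public key file is a single line; private keys and bundles are longer.
  if [ "$(wc -l < "$keyfile" | tr -d ' ')" -gt 1 ]; then
    echo "metadata_ssh_key_entry: $keyfile is not a single-line public key" >&2
    return 1
  fi
  key=$(head -n 1 "$keyfile")
  case "$key" in
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
    *)
      echo "metadata_ssh_key_entry: $keyfile does not start with a public key type" >&2
      return 1 ;;
  esac
  printf '%s:%s\n' "$user" "$key"
}

# Constructed demo: a fake public key file whose key material is a placeholder.
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL laptop\n' \
  > "$demo_dir/id_ed25519.pub"
echo "OS Login username: $(oslogin_username canuxcheng@gmail.com)"
echo "ssh-keys entry:    $(metadata_ssh_key_entry alice "$demo_dir/id_ed25519.pub")"
rm -rf "$demo_dir"
```

The entry line is what goes into a file passed to `gcloud compute instances add-metadata INSTANCE --metadata-from-file ssh-keys=FILE` (or the `project-info` equivalent); the value replaces the existing ssh-keys value, so the file has to contain every key that should remain valid. With OS Login enabled these metadata entries stop being honoured, which is exactly the point of the section above.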
ssh
To use ssh, upload the public key to the OS Login profile (the username inside the key is ignored).
gcloud compute os-login ssh-keys add \
--key-file=public_KEY_FILE_PATH \
--project=PROJECT \
--ttl=EXPIRE_TIME
ssh
ssh canuxcheng_gmail_com@IP
gcloud
The first run creates an SSH key pair; the public key is automatically uploaded to the OS Login profile.
gcloud compute ssh instance --internal-ip --project=PJ --zone=RZ
IAP
Identity-Aware Proxy
use internal ip directly:
gcloud compute ssh private-instance --project=PJ --zone=europe-west4-a --internal-ip
use iap:
gcloud compute ssh private-instance \
--project=PJ \
--zone=RZ \
--tunnel-through-iap