Updates from penguin

  • penguin 09:50 on 2018-05-25
    Tags: helm, kubernetes, rbac   

    Helm in a kops cluster with RBAC 

    I created a K8S cluster on AWS with kops.

    I ran helm init to install tiller in the cluster.

    I ran helm list to see if it worked.

    I got this:

    That sucked. And google proved … reluctant. What I could figure out is:

    Causes

    • kops sets up the cluster with RBAC enabled (which is good)
    • helm (well, tiller) uses a standard role for doing things (which might be ok, at least it was with my stackpoint cluster), but in that case (for whatever reason) it did not have sufficient privileges
    • so we need to prepare some cluster admin roles for helm to use

    Fixes

    Just do exactly as it says in the helm docs 🙂 :

    • apply the RBAC yaml file which creates the kube-system/tiller service account, and binds this to the cluster-admin role.
    • install helm with: helm init --service-account tiller

    Is that secure? Not so much. With helm you can still do anything to the cluster at all. I might get to this in a later post.
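    The two fix steps above as an added example (not the post's own code, nor the Helm docs' file): the manifest that creates the kube-system/tiller service account bound to cluster-admin, the helm init call, and a kubectl auth can-i check that makes "anything to the cluster" concrete. It assumes kubectl, a Helm 2 client and a kubeconfig for the kops cluster are available; the function names are mine.

```shell
#!/bin/sh
# Added example (not the post's own code): the RBAC objects the Helm docs
# prescribe, a "tiller" ServiceAccount in kube-system bound to the cluster-admin
# ClusterRole, plus the "kubectl auth can-i" check that shows what the binding grants.
# Assumes kubectl and a Helm 2 client on PATH and a kubeconfig for the kops cluster.
set -eu

TILLER_SA="system:serviceaccount:kube-system:tiller"

# Emit the manifest as text so it can be reviewed before it is applied.
tiller_rbac_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
EOF
}

# Ask the API server whether tiller's service account may do VERB on RESOURCE
# in any namespace; prints "yes" or "no" and changes nothing.
tiller_can() {
  kubectl auth can-i "$1" "$2" --all-namespaces --as="$TILLER_SA" 2>/dev/null || true
}

install_tiller_with_rbac() {
  echo "before binding, tiller can list secrets cluster-wide: $(tiller_can list secrets)"
  tiller_rbac_manifest | kubectl apply -f -
  helm init --service-account tiller
  # cluster-admin is "*" on "*": this is the "anything to the cluster" the post means.
  echo "after binding, tiller can do anything: $(tiller_can '*' '*')"
}

# Only act when run as "sh tiller-rbac.sh install"; sourcing just defines the functions.
if [ "${1:-}" = "install" ]; then install_tiller_with_rbac; fi
```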

     
  • penguin 18:10 on 2018-04-24
    Tags: gitlab

    GitLab spot runners & Puppet 

    We are on AWS with GitLab. For ease of use, and because our build hosts degenerate for some reason (network issues), we decided to use spot instances with GitLab.

    The journey was all but easy. Here’s why.

    GitLab Runner configuration complaints

    First: The process

    To configure GitLab runner, you have to …

    • install GitLab,
    • write down the runner registration token,
    • start a runner,
    • manually run a registration command using the above token.

    That registration command will then modify the config file of the runner. That is important because you can’t just write a static, read-only config file and start the runner. This is not possible for two reasons:

    • when you execute the registration command, the runner wants to modify the config file to add yet another token (its “personal” token, not the general registration secret), so it must not be read-only
    • the runner has to be registered, so just starting it will do … nothing.

    That is in my eyes a huge design flaw, which undoubtedly has its reasons, but it still – sorry – sucks IMHO.

    Second: The configuration

    You can configure pretty much everything in the config file. But once the runner registers, the registration process for some reason appends a completely new config to any existing config file, so that … the state is weird. It works, but it looks fucked, and feels fucked.

    You can also set all configuration file entries using the gitlab-runner register command. Well, not all: the global parameters (like, for example, log_level or concurrent) cannot be set. Those have to be in a pre-existing config file, so you need both, the file and the registration command, which will look super ugly in a very short time.

    Especially if you still use Puppet to manage the runners, because then you can’t just restart the runner once the config file changes, because it will always change, for the reasons above.

    Third: The AWS permission documentation

    Another thing is that the list of AWS permissions the runner needs in order to create spot instances is nowhere to be found. Hint: EC2FullAccess and S3FullAccess are not enough. We are using admin permissions right now, until we have figured it out. Not nice.

    Our solution

    For this we’re still using Puppet (our K8S migration is still ongoing), and our solution so far looks like this:

    • Create a config file with puppet next to the designated config file location,
      • containing only global parameters.
      • The file has a puppet hook which triggers an exec that deletes the “final” config file if the puppet-created one has changed.
    • Start the GitLab runner.
    • Perform a “docker exec” which registers the runner in GitLab.
      • The “unless” contains a check that skips execution if the final config file is present.
      • The register command sets all configuration values except the global ones. As said above, the command appends all non-global config settings to any existing config file.
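    The solution above as an added plain-shell example rather than the post's Puppet code: it seeds the global parameters, registers only when no current final config exists, and re-registers (after deleting the final file) when the globals change. It assumes a gitlab-runner whose register command appends a [[runners]] section to the --config file, as described above, and uses the plain docker executor for brevity; the post's spot-instance setup would use the docker+machine executor instead. Paths, URL and token are placeholders.

```shell
#!/bin/sh
# Added example, not the post's Puppet code: the same logic ("seed the global
# parameters, register only when no current final config exists, re-register
# when the globals change") as a plain POSIX shell script. Assumes a gitlab-runner
# whose "register" appends a [[runners]] section to the --config file, as the
# post describes; URL, token and paths are placeholders.
set -eu

GITLAB_RUNNER_BIN="${GITLAB_RUNNER_BIN:-gitlab-runner}"
GLOBAL_CFG="${GLOBAL_CFG:-/etc/gitlab-runner/config.global.toml}"  # the puppet-managed file
FINAL_CFG="${FINAL_CFG:-/etc/gitlab-runner/config.toml}"           # the file register appends to
GITLAB_URL="${GITLAB_URL:-https://gitlab.example.invalid/}"
REG_TOKEN="${REG_TOKEN:-REGISTRATION_TOKEN_PLACEHOLDER}"
RUNNER_CONCURRENT="${RUNNER_CONCURRENT:-4}"

# Global parameters that "gitlab-runner register" cannot set; they have to be
# in the file before register appends its [[runners]] section.
write_global_config() {
  printf 'concurrent = %s\nlog_level = "info"\ncheck_interval = 0\n' \
    "$RUNNER_CONCURRENT" > "$GLOBAL_CFG"
}

global_checksum() { cksum < "$GLOBAL_CFG" | cut -d' ' -f1; }

# Stand-in for the puppet hook: the final config is current only if it exists
# and was produced from the globals we have right now.
final_config_is_current() {
  [ -f "$FINAL_CFG" ] && [ -f "$FINAL_CFG.globals.sum" ] &&
    [ "$(cat "$FINAL_CFG.globals.sum")" = "$(global_checksum)" ]
}

# The "unless": skip when a current final config is present; otherwise delete
# it, seed it with the globals and let register append everything else.
ensure_registered() {
  write_global_config
  if final_config_is_current; then
    echo "runner already registered with the current global settings"
    return 0
  fi
  rm -f "$FINAL_CFG"
  cp "$GLOBAL_CFG" "$FINAL_CFG"
  "$GITLAB_RUNNER_BIN" register --non-interactive --config "$FINAL_CFG" \
    --url "$GITLAB_URL" --registration-token "$REG_TOKEN" \
    --executor docker --docker-image "alpine:3.7" \
    --description "$(uname -n)-spot"
  global_checksum > "$FINAL_CFG.globals.sum"
}

if [ "${1:-}" = "register" ]; then ensure_registered; fi
```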

    Some code

    Does this look ugly? You bet.

    Should this be a puppet module? Most probably.

    Did I foresee this? Nope.

    Am I completely fed up? Yes.

    Is this stuff I want to do? No.

    Does it work?

    Yes (at least … 🙂 )

    Remarks

    If you wonder what all those create::THING entries are, it’s this:

    We have an awful lot of those, because then we can do a lot of stuff in the config YAMLs and don’t need to go into Puppet DSL code.

     
  • penguin 18:55 on 2018-04-18
    Tags: osx

    Mac three finger gestures in browsers 

    Well, I *love* my three-finger-jump-to-top gesture in Firefox. It was gone.

    It took me about 2h to get it back by googling. And I blog so I don’t forget.

    Here’s where I should look next time straight away: System setting – Trackpad – rightmost tab – first setting.

     
  • penguin 08:26 on 2018-04-18

    Arch followup actions 

    Once you’ve installed Arch Linux, a couple of things are … nice.

    Packages

     

    Configurations

    For network manager, I prefer dnsmasq as the tool of choice, especially when using VPN connections:

    Enable services

    To-be-updated

    … from time to time 😉

     
  • penguin 18:27 on 2018-04-12
    Tags: vscode

    Python & Visual Studio code 

    The official python plugin claims that the interpreters of Pipenv are automatically found.

    They are not.

    At least not on my machine.

    Here’s how you set them.

     
  • penguin 13:18 on 2018-03-28
    Tags: yubikey

    Arch linux + yubikeys 

    To use “ykman” for arch linux, you do this:

    Sounds easy? Still had to google the things.

     
  • penguin 08:07 on 2018-02-23
    Tags: font

    Ugly ligatures in Linux 

    Unfortunately bohoomil went off grid. I still haven’t replicated his config fully. And it still sucks.

    One more step was fixing those super-ugly ligatures in Linux. Works at least in LibreOffice (just restart the app to see changes).

     
  • penguin 08:55 on 2018-02-01
    Tags: commandline

    crontab and nano 

    Ever used update-alternatives to switch everything to vim and … crontab -e still used nano?

    Well, I had this. I found the answer:

     

     
  • penguin 11:55 on 2018-01-24

    Shutter can’t edit images on Arch 

    Unfortunately Shutter no longer works (or not yet, maybe, hopefully 😉) with Wayland on Arch. But I still use it for image editing, namely screenshot annotations, for which it is the best tool by far I have ever found. Not to mention the most private one, because everybody and his dog wants you to upload “to the cloud” nowadays.

    On a freshly installed system you will find the “Edit” button grayed out after you install Shutter. The reason is that a library it needs is not installed by default. This is how you install it:

    And the editing continues.

    (Original source: this one. Thanks!)

     
  • penguin 14:13 on 2018-01-20

    Install Arch with full disk encryption, btrfs and EFI 

    I recently had to re-install my beloved Arch Linux. For security I need (and use) full disk encryption. This is a cheatsheet for the whole procedure, because although the Arch Linux Wiki is excellent, it is also huge and sometimes you must pick your stuff together from many pages.

    This is what I am doing here 🙂

    NOTE: Usually you only have to follow the one subsection I link to!

    Overview

    One after another, we will do the following steps

    • Download and prepare Arch USB stick (skipped, you should know that 😉)
    • Prepare the hard disk
    • Prepare the disk partitions
    • Add LVM “inside” the crypted partition
    • Create filesystems & mount partitions
    • Install arch
    • Configure boot manager

    Prepare the hard disk

    Use parted to init the disk and …

    1. init the disk using a GPT partitioning scheme, then create
    2. a GPT boot partition and put 100% of the remaining space in another partition (the first two actions behind the link)

    Prepare the disk partitions

    Basically,

    1. use the cryptsetup command to encrypt the main (big) partition,
    2. and create a file system on the boot partition (remember: it must be FAT32 for EFI boot, and it must be unencrypted!)

    Add an LVM “inside” the encrypted partition

    Because we want “properly” encrypted swap (you can also encrypt swap using a /dev/random key every time, but then you will not persist data between reboots and you can’t do things like suspend-to-disk), we need at least two “partitions” “inside” the crypted volume. Sounds like LVM on LUKS? It does. We already used it 🙂 .

    1. Create LVM partitions inside the encrypted volume (Don’t forget to use cryptsetup luksOpen before, usually in step 1 in the last section 🙂)

    NOTE: Do not follow the above link down to “prepare the boot partition”, cause they use ext2 and we need FAT32 for EFI boot partitions. Just don’t.

    I use the name “secure” for the VG, and I use btrfs because I am so incredibly elite, and so we don’t need to set a specific size for the / and /home “partitions” and can just use btrfs subvolumes, while still being able to wipe the system without the home directories. That’s pretty neat if you need it (I never did, but now I can ;). So that’s the final setup:

    Create filesystems & mount partitions

    Of course, Arch has already a wiki page section for that. I did it 3 times in a different way until I found it and had to do it again. So here is my summary.

    NOTE: /boot is not on an encrypted partition 😉 , and the leading “@” is a convention for subvolumes which should be mounted somewhere. I also don’t use compress=... parameters, because I don’t need / want transparent compression.

    Install arch

    Then you follow up with the usual installation procedure, but you stop at the “Initramfs” section. Here we will pick up again.

    Configure boot manager

    We are using systemd-boot, or bootctl, as the binary is called. It should already be installed. The procedure is also outlined here. We also enable TRIM support; it seems to lessen security, but it raises SSD performance and lifetime.

    1. First, check if your system EFI is all right.
    2. Optionally install the Intel microcode updater package if you have an Intel CPU by doing pacman -S intel-ucode.
    3. Then run … bootctl --path=/boot install to install systemd-boot.

    Now create those files (all inside /mnt and relative to it, but of course you should be in a chroot right now :):

    You can get FS_UUID in the options line above by using the blkid command. If you don’t want to copy the UUID by hand, you can start console mouse support with copy-on-mark and paste-on-middleclick with gpm -m /dev/input/mice -t imps2. Note that the FS_UUID is the UUID of the encrypted luks partition, and not the filesystem within!

    The list of normal and dm-crypt related kernel parameters … well, is also in the Arch wiki.

    The key idea is to use the “systemd” parameters instead of the “normal” ones. The full list of hooks is of course also available, and the order is important.

    Now execute:

    … and actually, that should be it.
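    An added example (not the post's own files) that builds the systemd-boot entry for the layout above and picks FS_UUID the way the note requires, from the crypto_LUKS line of blkid rather than from the btrfs filesystem inside. It assumes the VG is called secure with LVs root and swap, that the opened LUKS mapping is also named secure, and a constructed blkid output; hook order and parameter names follow the Arch wiki's systemd variant, and resume= is included on the assumption that suspend-to-disk is wanted.

```shell
#!/bin/sh
# Added example (not the post's own files): build the systemd-boot loader entry
# for the LVM-on-LUKS + btrfs layout above, picking the UUID the way the note
# requires: the crypto_LUKS partition's UUID, never the btrfs filesystem's.
# Assumed names: VG "secure" with LVs "root" (btrfs, root subvolume @) and "swap",
# and "secure" as the name of the opened LUKS mapping. The blkid output is constructed.
set -eu

# Constructed blkid output as it looks after cryptsetup luksOpen and lvcreate.
SAMPLE_BLKID='/dev/sda1: UUID="1234-ABCD" TYPE="vfat" PARTUUID="0a0a0a0a-01"
/dev/sda2: UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" TYPE="crypto_LUKS" PARTUUID="0a0a0a0a-02"
/dev/mapper/secure-root: UUID="11111111-2222-3333-4444-555555555555" TYPE="btrfs"
/dev/mapper/secure-swap: UUID="22222222-3333-4444-5555-666666666666" TYPE="swap"'

# Print only the UUID of the crypto_LUKS line: the FS_UUID the post talks about.
luks_uuid() {
  printf '%s\n' "$1" | grep 'TYPE="crypto_LUKS"' | sed 's/.*[ :]UUID="\([^"]*\)".*/\1/'
}

# The "systemd" kernel parameters (for the sd-encrypt/sd-lvm2 hooks, not encrypt/lvm2):
# rd.luks.name opens the container, rd.luks.options=discard is the TRIM setting,
# rootflags selects the @ subvolume, resume= makes suspend-to-disk work (assumed wanted).
kernel_options() {
  printf 'rd.luks.name=%s=secure rd.luks.options=discard root=/dev/mapper/secure-root rootflags=subvol=@ resume=/dev/mapper/secure-swap rw\n' "$1"
}

# Contents of /boot/loader/entries/arch.conf; drop the intel-ucode line on non-Intel CPUs.
loader_entry() {
  printf 'title   Arch Linux\nlinux   /vmlinuz-linux\ninitrd  /intel-ucode.img\ninitrd  /initramfs-linux.img\noptions %s\n' "$(kernel_options "$1")"
}

# Matching HOOKS line for /etc/mkinitcpio.conf; the order matters (sd-encrypt before sd-lvm2).
MKINITCPIO_HOOKS='HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt sd-lvm2 filesystems fsck)'

# Write loader.conf and the entry below LOADER_DIR (/boot/loader in the chroot),
# refusing to continue when no LUKS partition is in the blkid output.
write_loader_files() {  # usage: write_loader_files "<blkid output>" LOADER_DIR
  uuid="$(luks_uuid "$1")"
  [ -n "$uuid" ] || { echo "no crypto_LUKS partition found in blkid output" >&2; return 1; }
  mkdir -p "$2/entries"
  printf 'default arch\ntimeout 3\n' > "$2/loader.conf"
  loader_entry "$uuid" > "$2/entries/arch.conf"
}

# Inside the chroot, after "bootctl --path=/boot install": sh loader-entry.sh write
if [ "${1:-}" = "write" ]; then write_loader_files "$(blkid)" /boot/loader; fi
```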

    Edits:

    • 2018-03-27 fixed a typo in the HOOKS documentation, clarified kernel boot parameters
     