The latest articles on DEV Community by Beppe (@beppe90). https://dev.to/beppe90 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F429500%2F916b7ec4-37ec-4b08-b9d3-443b43a30035.jpg https://dev.to/beppe90 en Beppe Tue, 08 Oct 2024 22:48:36 +0000 https://dev.to/beppe90/the-home-server-journey-6-your-new-blogging-career-4jp6 https://dev.to/beppe90/the-home-server-journey-6-your-new-blogging-career-4jp6 <p>Hello, folks!</p> <p>One thing that bothers me when writing about self-hosting, to have greater control of my data, is that I don't apply those principles to the articles themselves. I mean, there is no immediate risk of <strong>Minds</strong> or <strong>Dev.to</strong> taking down my publications, but the mere fact that they <em>could</em> do that leaves me concerned </p> <h3> The Right Tool for the Job </h3> <p>First I've looked at the tools I was already familiar with. I have some <a href="https://beppeinfo.github.io/" rel="noopener noreferrer">old blog</a> where I've posted updates during my <a href="https://summerofcode.withgoogle.com/" rel="noopener noreferrer"><strong>Google Summer of Code</strong></a> projects. It uses <a href="https://jekyllrb.com/" rel="noopener noreferrer"><strong>Jekyll</strong></a> to generate <a href="https://en.wikipedia.org/wiki/Static_web_page" rel="noopener noreferrer">static files</a>, automatically published by <a href="https://pages.github.com/" rel="noopener noreferrer"><strong>GitHub Pages</strong></a>. It works very well when you have the website tied to a <a href="https://www.atlassian.com/git/tutorials/what-is-version-control" rel="noopener noreferrer">version-controlled</a> repository, but it's cumbersome when you need to rebuild container images or replace files in a remote volume even for small changes</p> <p>When looking for something more dynamic, I initially though about using <a href="https://joinplu.me/" rel="noopener noreferrer"><strong>Plume</strong></a>, since it's easy to integrate with some applications I plan to deploy later, but unfortunately it's not well maintained anymore. As <strong>Ghost</strong> or <strong>Wordpress</strong> seem overkill, I ended up opting for the conveniences of <a href="https://writefreely.org/" rel="noopener noreferrer"><strong>WriteFreely</strong></a>: it lets me create and edit posts in-place, with <a href="https://www.markdownguide.org/" rel="noopener noreferrer"><strong>Markdown</strong></a> support and no need to upload new files. However, that comes with a cost: it requires a <a href="https://www.mysql.com/" rel="noopener noreferrer"><strong>MySQL</strong></a>[-compatible] database </p> <h3> Contrarian Vibes </h3> <p>It seems easy enough to just deploy a <strong>MySQL</strong> container and use it, right? Well... It seems that <a href="https://mariadb.org/en/#:~:text=MariaDB%20Server-,History,after%20his%20second%20daughter%2C%20Maria." rel="noopener noreferrer">there are some concerns about its licensing and development direction ever since the brand has been bought by <strong>Oracle</strong></a> (remember <a href="https://en.wikipedia.org/wiki/OpenOffice.org" rel="noopener noreferrer"><strong>OpenOffice</strong></a>?). That was the motivation for the <a href="https://mariadb.org/" rel="noopener noreferrer"><strong>MariaDB</strong></a> fork, distributed under the <strong>GPLv2</strong> license, which nowadays is not even a 100% drop-in replacement for <strong>MySQL</strong>, but still works for our case </p> <p>Reputation-related shenanigans aside, one great advantage of picking <strong>MariaDB</strong> is the ability to use a <a href="https://mariadb.com/kb/en/galera-cluster/" rel="noopener noreferrer"><strong>Galera</strong> Cluster</a>. Similarly to <a href="https://dev.to/beppe90/the-home-server-journey-5b-a-bridge-too-far-j0l">what we did for <strong>PostgreSQL</strong></a>, I wish to be able to scale it properly, and <strong>Galera</strong>'s replication works in an even more interesting manner, with multiple primary (read-write) instances and no need for a separate proxy!:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv2221vgcikcr05hmnj4v.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv2221vgcikcr05hmnj4v.png" alt="MariaDB-Galera topology" width="800" height="422"></a><br> (Man, I wish <strong>PostgreSQL</strong> had something similar...)</p> <p>Of course that requires a more complex setup for the database server itself, but thanks to <strong>Bitnami</strong>'s <strong>mariadb-galera</strong> <a href="https://github.com/bitnami/containers/tree/main/bitnami/mariadb-galera" rel="noopener noreferrer"><strong>Docker</strong> image</a> and <a href="https://github.com/bitnami/charts/tree/main/bitnami/mariadb-galera" rel="noopener noreferrer"><strong>Helm</strong> chart</a>, I've managed to get to something rather manageable for our purposes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-config</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">mariadb</span> <span class="na">data</span><span class="pi">:</span> <span class="na">BITNAMI_DEBUG</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="c1"># Set to "true" for more debug information</span> <span class="na">MARIADB_GALERA_CLUSTER_NAME</span><span class="pi">:</span> <span class="s">galera</span> <span class="c1"># All pods being synchronized (has to reflect the number of replicas)</span> <span class="na">MARIADB_GALERA_CLUSTER_ADDRESS</span><span class="pi">:</span> <span class="s">gcomm://mariadb-state-0.mariadb-replication-service.default.svc.cluster.local,mariadb-state-1.mariadb-replication-service.default.svc.cluster.local</span> <span class="na">MARIADB_DATABASE</span><span class="pi">:</span> <span class="s">main</span> <span class="c1"># Default database</span> <span class="na">MARIADB_GALERA_MARIABACKUP_USER</span><span class="pi">:</span> <span class="s">backup</span> <span class="c1"># Replication user</span> <span class="nn">---</span> <span class="c1"># Source: mariadb-galera/templates/secrets.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-secret</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">mariadb</span> <span class="na">data</span><span class="pi">:</span> <span class="na">MARIADB_ROOT_PASSWORD</span><span class="pi">:</span> <span class="s">bWFyaWFkYg==</span> <span class="c1"># Administrator password</span> <span class="na">MARIADB_GALERA_MARIABACKUP_PASSWORD</span><span class="pi">:</span> <span class="s">YmFja3Vw</span> <span class="c1"># Replication user password</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-cnf-config</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">mariadb</span> <span class="na">data</span><span class="pi">:</span> <span class="c1"># Database server configuration</span> <span class="na">my.cnf</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">[client]</span> <span class="s">port=3306</span> <span class="s">socket=/opt/bitnami/mariadb/tmp/mysql.sock</span> <span class="s">plugin_dir=/opt/bitnami/mariadb/plugin</span> <span class="s">[mysqld]</span> <span class="s">explicit_defaults_for_timestamp</span> <span class="s">default_storage_engine=InnoDB</span> <span class="s">basedir=/opt/bitnami/mariadb</span> <span class="s">datadir=/bitnami/mariadb/data</span> <span class="s">plugin_dir=/opt/bitnami/mariadb/plugin</span> <span class="s">tmpdir=/opt/bitnami/mariadb/tmp</span> <span class="s">socket=/opt/bitnami/mariadb/tmp/mysql.sock</span> <span class="s">pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid</span> <span class="s">bind_address=0.0.0.0</span> <span class="s">## Character set</span> <span class="s">##</span> <span class="s">collation_server=utf8_unicode_ci</span> <span class="s">init_connect='SET NAMES utf8'</span> <span class="s">character_set_server=utf8</span> <span class="s">## MyISAM</span> <span class="s">##</span> <span class="s">key_buffer_size=32M</span> <span class="s">myisam_recover_options=FORCE,BACKUP</span> <span class="s">## Safety</span> <span class="s">##</span> <span class="s">skip_host_cache</span> <span class="s">skip_name_resolve</span> <span class="s">max_allowed_packet=16M</span> <span class="s">max_connect_errors=1000000</span> <span class="s">sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY</span> <span class="s">sysdate_is_now=1</span> <span class="s">## Binary Logging</span> <span class="s">##</span> <span class="s">log_bin=mysql-bin</span> <span class="s">expire_logs_days=14</span> <span class="s"># Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql</span> <span class="s">sync_binlog=0</span> <span class="s"># Required for Galera</span> <span class="s">binlog_format=row</span> <span class="s">## Caches and Limits</span> <span class="s">##</span> <span class="s">tmp_table_size=32M</span> <span class="s">max_heap_table_size=32M</span> <span class="s"># Re-enabling as now works with Maria 10.1.2</span> <span class="s">query_cache_type=1</span> <span class="s">query_cache_limit=4M</span> <span class="s">query_cache_size=256M</span> <span class="s">max_connections=500</span> <span class="s">thread_cache_size=50</span> <span class="s">open_files_limit=65535</span> <span class="s">table_definition_cache=4096</span> <span class="s">table_open_cache=4096</span> <span class="s">## InnoDB</span> <span class="s">##</span> <span class="s">innodb=FORCE</span> <span class="s">innodb_strict_mode=1</span> <span class="s"># Mandatory per https://github.com/codership/documentation/issues/25</span> <span class="s">innodb_autoinc_lock_mode=2</span> <span class="s"># Per https://www.percona.com/blog/2006/08/04/innodb-double-write/</span> <span class="s">innodb_doublewrite=1</span> <span class="s">innodb_flush_method=O_DIRECT</span> <span class="s">innodb_log_files_in_group=2</span> <span class="s">innodb_log_file_size=128M</span> <span class="s">innodb_flush_log_at_trx_commit=1</span> <span class="s">innodb_file_per_table=1</span> <span class="s"># 80% Memory is default reco.</span> <span class="s"># Need to re-evaluate when DB size grows</span> <span class="s">innodb_buffer_pool_size=2G</span> <span class="s">innodb_file_format=Barracuda</span> <span class="s">[galera]</span> <span class="s">wsrep_on=ON</span> <span class="s">wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so</span> <span class="s">wsrep_sst_method=mariabackup</span> <span class="s">wsrep_slave_threads=4</span> <span class="s">wsrep_cluster_address=gcomm://</span> <span class="s">wsrep_cluster_name=galera</span> <span class="s">wsrep_sst_auth="root:"</span> <span class="s"># Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit</span> <span class="s">innodb_flush_log_at_trx_commit=2</span> <span class="s"># MYISAM REPLICATION SUPPORT #</span> <span class="s">wsrep_mode=REPLICATE_MYISAM</span> <span class="s">[mariadb]</span> <span class="s">plugin_load_add=auth_pam</span> <span class="s">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StatefulSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-state</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s">mariadb-replication-service</span> <span class="c1"># Use the internal/headless service name</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">mariadb</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">mariadb</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="c1"># Container is not run as root</span> <span class="na">fsGroup</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.io/bitnami/mariadb-galera:11.5.2</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">IfNotPresent"</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">bash</span> <span class="pi">-</span> <span class="s">-ec</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">exec /opt/bitnami/scripts/mariadb-galera/entrypoint.sh /opt/bitnami/scripts/mariadb-galera/run.sh</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mdb-mysql-port</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3306</span> <span class="c1"># External access port (MySQL's default)</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mdb-galera-port</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">4567</span> <span class="c1"># Internal process port</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mdb-ist-port</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">4568</span> <span class="c1"># Internal process port</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mdb-sst-port</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">4444</span> <span class="c1"># Internal process port</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">configMapRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-config</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">MARIADB_ROOT_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">MARIADB_ROOT_PASSWORD</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">MARIADB_GALERA_MARIABACKUP_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">MARIADB_GALERA_MARIABACKUP_PASSWORD</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">previous-boot</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/bitnami/mariadb/.bootstrap</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/bitnami/mariadb</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-cnf</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/bitnami/conf/my.cnf</span> <span class="c1"># Overwrite any present configuration</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">my.cnf</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">tmp-dir</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/bitnami/mariadb/conf</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">app-conf-dir</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/bitnami/mariadb/tmp</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">app-tmp-dir</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/bitnami/mariadb/logs</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">app-logs-dir</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">previous-boot</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="c1"># Use a fake directory for mounting unused but required paths</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-cnf</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-cnf-config</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="c1"># Use a fake directory for mounting unused but required paths</span> <span class="na">volumeClaimTemplates</span><span class="pi">:</span> <span class="c1"># Description of volume claim created for each replica</span> <span class="pi">-</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-data</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">nfs-small</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">8Gi</span> <span class="nn">---</span> <span class="c1"># Headless service for internal replication/backup processes</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-replication-service</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">mariadb</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">clusterIP</span><span class="pi">:</span> <span class="s">None</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-galera-service</span> <span class="na">port</span><span class="pi">:</span> <span class="m">4567</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">mdb-galera-port</span> <span class="na">appProtocol</span><span class="pi">:</span> <span class="s">mysql</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-ist-service</span> <span class="na">port</span><span class="pi">:</span> <span class="m">4568</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">mdb-ist-port</span> <span class="na">appProtocol</span><span class="pi">:</span> <span class="s">mysql</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-sst-service</span> <span class="na">port</span><span class="pi">:</span> <span class="m">4444</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">mdb-sst-port</span> <span class="na">appProtocol</span><span class="pi">:</span> <span class="s">mysql</span> <span class="na">publishNotReadyAddresses</span><span class="pi">:</span> <span class="kc">true</span> <span class="nn">---</span> <span class="c1"># Exposed service for external access</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mariadb-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="c1"># Let it be accessible inside the local network</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">mariadb</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3306</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">mdb-mysql-port</span> <span class="na">appProtocol</span><span class="pi">:</span> <span class="s">mysql</span> </code></pre> </div> <p>Incredibly, it works. My deployment has been running without issue for some time now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get all <span class="nt">-n</span> choppa <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>mariadb NAME READY STATUS RESTARTS AGE pod/mariadb-state-0 1/1 Running 2 <span class="o">(</span>3d1h ago<span class="o">)</span> 5d3h pod/mariadb-state-1 1/1 Running 2 <span class="o">(</span>3d1h ago<span class="o">)</span> 5d3h NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE service/mariadb-replication-service ClusterIP None &lt;none&gt; 4567/TCP,4568/TCP,4444/TCP 5d3h service/mariadb-service LoadBalancer 10.43.40.243 192.168.3.10,192.168.3.12 3306:31594/TCP 5d3h NAME READY AGE statefulset.apps/mariadb-state 2/2 5d3h </code></pre> </div> <p>(The 2 restarts were due to a power outage that exceeded the autonomy of my no-break's battery)</p> <h3> Solving one Problem to Reveal Another </h3> <p>I just started typing my first self-hosted blog post to realize something was missing: images. On <strong>Jekyll</strong> I had a folder for that, but on <strong>Minds</strong> and <strong>Dev.to</strong> they are hosted somewhere else, e.g. <code>https://dev-to-uploads.s3.amazonaws.com/uploads/articles/v2221vgcikcr05hmnj4v.png</code></p> <p>If complete self-hosting is a must, I now need some file server capable of generating shareable links, to be used in my <strong>Markdown</strong> image components. In summary, <a href="https://syncthing.net/" rel="noopener noreferrer"><strong>Syncthing</strong></a> is great for <strong>Dropbox</strong>-style backups, but can't share links, <a href="https://nextcloud.com/" rel="noopener noreferrer"><strong>NextCloud</strong></a> is too resource-heavy and <a href="https://www.seafile.com/en/home/" rel="noopener noreferrer"><strong>Seafile</strong></a> is interesting but apparently <a href="https://www.reddit.com/r/selfhosted/comments/151clya/comment/jsanslz/?utm_source=share&amp;utm_medium=web3x&amp;utm_name=web3xcss&amp;utm_term=1&amp;utm_content=share_button" rel="noopener noreferrer">has proprietary encryption</a>, which left me with the lightweight <a href="https://filebrowser.org/" rel="noopener noreferrer"><strong>Filebrowser</strong></a></p> <p>I don't expect or intend my file server to ever deal with a huge number of requests, so I've ran it as a simple deployment with a single pod:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="c1"># Storage requirements component</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">filebrowser-pv-claim</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">filebrowser</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">nfs-big</span> <span class="c1"># The used storage class (1TB drive)</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="c1">#- ReadWriteMany # For concurrent access (In case I try to use more replicas)</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">200Gi</span> <span class="c1"># Asking for a ~50 Gigabytes volume</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">filebrowser-config</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">filebrowser</span> <span class="na">data</span><span class="pi">:</span> <span class="c1"># Application settings file</span> <span class="na">.filebrowser.json</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">{</span> <span class="s">"port": 80,</span> <span class="s">"baseURL": "",</span> <span class="s">"address": "",</span> <span class="s">"log": "stdout",</span> <span class="s">"database": "/srv/filebrowser.db",</span> <span class="s">"root": "/srv"</span> <span class="s">}</span> <span class="s">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">filebrowser-deploy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="s">1</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Recreate</span> <span class="c1"># Wait for the old container to be terminated before creating a new one</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">filebrowser</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">filebrowser</span> <span class="na">spec</span><span class="pi">:</span> <span class="c1"># Run this initial container to make sure at least an empty </span> <span class="c1"># database file exists prior to the main container starting,</span> <span class="c1"># as a workaround for a know bug (https://filebrowser.org/installation#docker)</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">create-database</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/touch"</span><span class="pi">,</span><span class="s2">"</span><span class="s">/srv/filebrowser.db"</span><span class="pi">]</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">filebrowser-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/srv</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">filebrowser</span> <span class="na">image</span><span class="pi">:</span> <span class="s">filebrowser/filebrowser:latest</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">file-port</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="s">80</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">filebrowser-readonly</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/.filebrowser.json</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">.filebrowser.json</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">filebrowser-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/srv</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">filebrowser-readonly</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">filebrowser-config</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">filebrowser-data</span> <span class="c1"># Label the volume for this deployment</span> <span class="na">persistentVolumeClaim</span><span class="pi">:</span> <span class="na">claimName</span><span class="pi">:</span> <span class="s">filebrowser-pv-claim</span> <span class="c1"># Reference volumen create by the claim</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">filebrowser-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">NodePort</span> <span class="c1"># Expose the service outside the cluster with an specific port</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">filebrowser</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="s">8080</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">file-port</span> <span class="na">nodePort</span><span class="pi">:</span> <span class="m">30080</span> </code></pre> </div> <p>(That's what I did here, make it makes the <code>filebrowser.db</code> file end up visible inside the root folder. It's probably a good idea to use <a href="https://kubernetes.io/docs/concepts/storage/volumes/#using-subpath" rel="noopener noreferrer"><strong>subpaths</strong></a> and mount them separately e.g. <code>srv/filebrowser.db</code> and <code>srv/data</code> for root)</p> <p>We can't upload or access the files from the Internet yet, but using <a href="https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport" rel="noopener noreferrer"><strong>NodePort</strong></a> an external port in the range <code>30000-32767</code> can be used to reach it locally. Use the default username <code>admin</code> and password <code>admin</code> to login and then change it in the settings:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3bqfugum7nwenvmgbzc7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3bqfugum7nwenvmgbzc7.png" alt="Filebrowser screen" width="800" height="469"></a></p> <p>Click on each file you wish to share and the option to generate links will appear on the top. In <strong>Markdown</strong> syntax, shared images may be annexed with the statement <code></code> </p> <h3> One Step Forward. Two Steps Back </h3> <p>All set to deploy <strong>WriteFreely</strong>, right? As you might guess, no</p> <p>The application doesn't have an official <strong>Docker</strong> image, and the custom ones available are either too old or not available for the <strong>ARM64</strong> architecture. <a href="https://github.com/karlprieb/writefreely-docker" rel="noopener noreferrer">The repository provided by <strong>karlprieb</strong></a> is a good base to build your own, but it lead to crashes here when compiling the application itself. In the end, I found it easier to create one taking advantage of <strong>Alpine Linux</strong>'s packages:</p> <ul> <li>Dockerfile </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> alpine:3.20</span> <span class="k">LABEL</span><span class="s"> org.opencontainers.image.description="Simple WriteFreely image based on https://git.madhouse-project.org/algernon/writefreely-docker"</span> <span class="c"># Install the writefreely package</span> <span class="k">RUN </span>apk add <span class="nt">--no-cache</span> writefreely <span class="c"># Installation creates the writefreely user, so let's use it</span> <span class="c"># to run the application</span> <span class="k">RUN </span><span class="nb">mkdir</span> /opt/writefreely <span class="o">&amp;&amp;</span> <span class="nb">chown </span>writefreely <span class="nt">-R</span> /opt/writefreely <span class="k">COPY</span><span class="s"> --chown=writefreely:writefreely ./run.sh /opt/writefreely/</span> <span class="k">RUN </span><span class="nb">chmod</span> +x /opt/writefreely/run.sh <span class="c"># Base directory and exposed container port</span> <span class="k">WORKDIR</span><span class="s"> /opt/writefreely/</span> <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="c"># Set the default container user and group</span> <span class="k">USER</span><span class="s"> writefreely:writefreely</span> <span class="c"># Start script</span> <span class="k">ENTRYPOINT</span><span class="s"> ["/opt/writefreely/run.sh"]</span> </code></pre> </div> <ul> <li>Entrypoint script (run.sh) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#! /bin/sh</span> writefreely <span class="nt">-c</span> /data/config.ini <span class="nt">--init-db</span> writefreely <span class="nt">-c</span> /data/config.ini <span class="nt">--gen-keys</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="k">${</span><span class="nv">WRITEFREELY_ADMIN_USER</span><span class="k">}</span><span class="s2">"</span> <span class="o">]</span> <span class="o">&amp;&amp;</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="k">${</span><span class="nv">WRITEFREELY_ADMIN_PASSWORD</span><span class="k">}</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>writefreely <span class="nt">-c</span> /data/config.ini <span class="nt">--create-admin</span> <span class="s2">"</span><span class="k">${</span><span class="nv">WRITEFREELY_ADMIN_USER</span><span class="k">}</span><span class="s2">:</span><span class="k">${</span><span class="nv">WRITEFREELY_ADMIN_PASSWORD</span><span class="k">}</span><span class="s2">"</span> <span class="k">fi </span>writefreely <span class="nt">-c</span> /data/config.ini </code></pre> </div> <p>Here I've published the image to <code>ancapepe/writefreely:latest</code> <a href="https://hub.docker.com/repository/docker/ancapepe/writefreely/general" rel="noopener noreferrer">on <strong>DockerHub</strong></a>, so use it if you wish and have no desire for alternative themes or other custom stuff. One more thing to do before running our blog is to prepare the database to receive its content, so log into the <strong>MariaDB</strong> server on port <code>3306</code> using you root user and execute those commands, replacing username and password to your liking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">DATABASE</span> <span class="n">writefreely</span> <span class="nb">CHARACTER</span> <span class="k">SET</span> <span class="n">latin1</span> <span class="k">COLLATE</span> <span class="n">latin1_swedish_ci</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">USER</span> <span class="s1">'blog'</span> <span class="n">IDENTIFIED</span> <span class="k">BY</span> <span class="s1">'my_password'</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">ON</span> <span class="n">writefreely</span><span class="p">.</span><span class="o">*</span> <span class="k">TO</span> <span class="s1">'blog'</span><span class="p">;</span> </code></pre> </div> <p>Now apply a <strong>K8s</strong> manifest matching previous configurations and adjusting new ones to your liking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">writefreely-config</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">writefreely</span> <span class="na">data</span><span class="pi">:</span> <span class="na">WRITEFREELY_ADMIN_USER</span><span class="pi">:</span> <span class="s">my_user</span> <span class="na">config.ini</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">[server]</span> <span class="s">hidden_host =</span> <span class="s">port = 8080</span> <span class="s">bind = 0.0.0.0</span> <span class="s">tls_cert_path =</span> <span class="s">tls_key_path =</span> <span class="s">templates_parent_dir = /usr/share/writefreely</span> <span class="s">static_parent_dir = /usr/share/writefreely</span> <span class="s">pages_parent_dir = /usr/share/writefreely</span> <span class="s">keys_parent_dir = </span> <span class="s">[database]</span> <span class="s">type = mysql</span> <span class="s">username = blog</span> <span class="s">password = my_password</span> <span class="s">database = writefreely</span> <span class="s">host = mariadb-service</span> <span class="s">port = 3306</span> <span class="s">[app]</span> <span class="s">site_name = Get To The Choppa</span> <span class="s">site_description = Notes on Conscious Self-Ownership</span> <span class="s">host = https://blog.choppa.xyz</span> <span class="s">editor = </span> <span class="s">theme = write</span> <span class="s">disable_js = false</span> <span class="s">webfonts = true</span> <span class="s">landing = /login</span> <span class="s">single_user = true</span> <span class="s">open_registration = false</span> <span class="s">min_username_len = 3</span> <span class="s">max_blogs = 1</span> <span class="s">federation = true</span> <span class="s">public_stats = true</span> <span class="s">private = false</span> <span class="s">local_timeline = true</span> <span class="s">user_invites = admin</span> <span class="c1"># If you wish to change the shortcut icon for your blog without modifying the image itself, add here the configmap entry generated by running `kubectl create configmap favicon-config --from-file=&lt;your .ico image path&gt;`</span> <span class="na">binaryData</span><span class="pi">:</span> <span class="na">favicon.ico</span><span class="pi">:</span> <span class="s">&lt;binary dump here&gt;</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">writefreely-secret</span> <span class="na">data</span><span class="pi">:</span> <span class="na">WRITEFREELY_ADMIN_PASSWORD</span><span class="pi">:</span> <span class="s">bXlfcGFzc3dvcmQ=</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">writefreely-deploy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">writefreely</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">writefreely</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">writefreely</span> <span class="na">image</span><span class="pi">:</span> <span class="s">ancapepe/writefreely:latest</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">IfNotPresent"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">name</span><span class="pi">:</span> <span class="s">blog-port</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">WRITEFREELY_ADMIN_USER</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">writefreely-config</span> <span class="na">key</span><span class="pi">:</span> <span class="s">WRITEFREELY_ADMIN_USER</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">WRITEFREELY_ADMIN_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">writefreely-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">WRITEFREELY_ADMIN_PASSWORD</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">writefreely-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data/config.ini</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">config.ini</span> <span class="c1"># Use this if you set the custom favicon.ico image above</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">writefreely-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/usr/share/writefreely/static/favicon.ico</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">favicon.ico</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">writefreely-volume</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">writefreely-config</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">writefreely-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">publishNotReadyAddresses</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">writefreely</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">blog-port</span> </code></pre> </div> <p>(You may add your own <code>favicon.ico</code> to the image itself if you're building it)</p> <p>Almost there. Now we just have to expose both our blog pages and file server to the Internet by adding the corresponding entries to our ingress component:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="c1"># Component type</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">proxy</span> <span class="c1"># Component name</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">choppa</span> <span class="c1"># You may add the default namespace for components as a paramenter</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">cert-manager.io/cluster-issuer</span><span class="pi">:</span> <span class="s">letsencrypt</span> <span class="na">kubernetes.io/ingress.class</span><span class="pi">:</span> <span class="s">traefik</span> <span class="na">status</span><span class="pi">:</span> <span class="na">loadBalancer</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">traefik</span> <span class="c1"># Type of controller being used</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">choppa.xyz</span> <span class="pi">-</span> <span class="s">talk.choppa.xyz</span> <span class="pi">-</span> <span class="s">blog.choppa.xyz</span> <span class="pi">-</span> <span class="s">files.choppa.xyz</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">certificate</span> <span class="na">rules</span><span class="pi">:</span> <span class="c1"># Routing rules</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">choppa.xyz</span> <span class="c1"># Expected domain name of request, including subdomain</span> <span class="na">http</span><span class="pi">:</span> <span class="c1"># For HTTP or HTTPS requests</span> <span class="na">paths</span><span class="pi">:</span> <span class="c1"># Behavior for different base paths</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="c1"># For all request paths</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">welcome-service</span> <span class="c1"># Redirect to this service</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">8080</span> <span class="c1"># Redirect to this internal service port</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/.well-known/matrix/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">ImplementationSpecific</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">conduit-service</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">8448</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">talk.choppa.xyz</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">conduit-service</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">8448</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">test.choppa.xyz</span> <span class="c1"># Expected domain name of request, including subdomain</span> <span class="na">http</span><span class="pi">:</span> <span class="c1"># For HTTP or HTTPS requests</span> <span class="na">paths</span><span class="pi">:</span> <span class="c1"># Behavior for different base paths</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="c1"># For all request paths</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-service</span> <span class="c1"># Redirect to this service</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> <span class="c1"># Redirect to this internal service port</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">blog.choppa.xyz</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">writefreely-service</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">8080</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">files.choppa.xyz</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">filebrowser-service</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <p>If everything went accordingly, you now have everything in place to log into your blog and start publishing. To get an idea of how your self-hosted articles will look like, pay a visit to <a href="https://blog.choppa.xyz/the-home-server-journey-1" rel="noopener noreferrer">the first chapter of this series</a> that I'm starting to publish on my server as well:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F16o1at7nb73rim3ue2tm.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F16o1at7nb73rim3ue2tm.png" alt="Blog page" width="800" height="721"></a></p> <p>Thanks for following along. See you next time</p> selfhosting kubernetes decentralization censorship Beppe Mon, 07 Oct 2024 10:13:49 +0000 https://dev.to/beppe90/the-home-server-journey-5b-a-bridge-too-far-j0l https://dev.to/beppe90/the-home-server-journey-5b-a-bridge-too-far-j0l <p>Hi all. This is a late addendum to <a href="https://dev.to/ancapepe/the-home-server-journey-5-rebuilding-burned-bridges-6n7">my last post</a></p> <p>As I have found out, <a href="https://www.imdb.com/title/tt0075784/" rel="noopener noreferrer">like the Allies had for those river crossings at Operation Market Garden</a>, <strong>stateful sets</strong> are not as trivial as they initially appear: most guides will just tell you what's their purpose and how to get them running, which leaves a false impression that synchronized data replication across pods happens automagically (sic)</p> <p>Well, it doesn't</p> <h3> Crossing that River. No Matter the Costs </h3> <p>That special type of <strong>deployment</strong> will only give you guarantees regarding the order of pods creation and deletion, their naming scheme and which <strong>persistent volume</strong> they will be bound to. Anything else is on the application logic. You may even violate the principle of using only the first pod for writing and the other ones for reading</p> <p>When it comes to more niche applications like <strong>Conduit</strong>, I will probably have to code my own replication solution at some point, but for more widely used software like <strong>PostgreSQL</strong> there are solutions already available, thankfully</p> <p>I came across articles by <a href="https://devopscube.com/deploy-postgresql-statefulset/" rel="noopener noreferrer">Bibin Wilson &amp; Shishir Khandelwal</a> and <a href="https://weng-albert.medium.com/mastering-high-availability-postgresql-meets-kubernetes-929846f6cc88" rel="noopener noreferrer">Albert Weng</a> (<a href="https://weng-albert.medium.com/how-to-create-an-nfs-storageclass-en-fe962242f44e" rel="noopener noreferrer">we've seen him here before</a>) detailing how to use a special variant of the database image to get replication working. Although a bit outdated, due to the <a href="https://hub.docker.com/r/bitnami/postgresql-repmgr" rel="noopener noreferrer"><strong>Docker</strong> registry used</a> I'm pretty sure that's based on the <a href="https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha" rel="noopener noreferrer"><strong>PostgreSQL</strong> High Availability <strong>Helm</strong> chart</a></p> <p>I don't plan on covering <a href="https://helm.sh/" rel="noopener noreferrer"><strong>Helm</strong></a> here as I think it adds complexity over already quite complex <strong>K8s</strong> manifests. Surely it might be useful for large-scale stuff, but let's keep things simple here. I have combined knowledge from the articles with the updated charts in order to created a trimmed-down version of the required manifests (it would be good to add <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/" rel="noopener noreferrer">liveliness and readiness probes</a> though):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-config</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">data</span><span class="pi">:</span> <span class="na">BITNAMI_DEBUG</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="c1"># Set to "true" for more debug information</span> <span class="na">POSTGRESQL_VOLUME_DIR</span><span class="pi">:</span> <span class="s">/bitnami/postgresql</span> <span class="na">PGDATA</span><span class="pi">:</span> <span class="s">/bitnami/postgresql/data</span> <span class="na">POSTGRESQL_LOG_HOSTNAME</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="c1"># Set to "false" for less debug information</span> <span class="na">POSTGRESQL_LOG_CONNECTIONS</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="c1"># Set to "true" for more debug information</span> <span class="na">POSTGRESQL_CLIENT_MIN_MESSAGES</span><span class="pi">:</span> <span class="s2">"</span><span class="s">error"</span> <span class="na">POSTGRESQL_SHARED_PRELOAD_LIBRARIES</span><span class="pi">:</span> <span class="s2">"</span><span class="s">pgaudit,</span><span class="nv"> </span><span class="s">repmgr"</span> <span class="c1"># Modules being used for replication</span> <span class="na">REPMGR_LOG_LEVEL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">NOTICE"</span> <span class="na">REPMGR_USERNAME</span><span class="pi">:</span> <span class="s">repmgr</span> <span class="c1"># Replication user</span> <span class="na">REPMGR_DATABASE</span><span class="pi">:</span> <span class="s">repmgr</span> <span class="c1"># Replication information database</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-scripts-config</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">data</span><span class="pi">:</span> <span class="c1"># Script for pod termination</span> <span class="na">pre-stop.sh</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">#!/bin/bash</span> <span class="s">set -o errexit</span> <span class="s">set -o pipefail</span> <span class="s">set -o nounset</span> <span class="s"># Debug section</span> <span class="s">exec 3&gt;&amp;1</span> <span class="s">exec 4&gt;&amp;2</span> <span class="s"># Process input parameters</span> <span class="s">MIN_DELAY_AFTER_PG_STOP_SECONDS=$1</span> <span class="s"># Load Libraries</span> <span class="s">. /opt/bitnami/scripts/liblog.sh</span> <span class="s">. /opt/bitnami/scripts/libpostgresql.sh</span> <span class="s">. /opt/bitnami/scripts/librepmgr.sh</span> <span class="s"># Load PostgreSQL &amp; repmgr environment variables</span> <span class="s">. /opt/bitnami/scripts/postgresql-env.sh</span> <span class="s"># Auxiliary functions</span> <span class="s">is_new_primary_ready() {</span> <span class="s">return_value=1</span> <span class="s">currenty_primary_node="$(repmgr_get_primary_node)"</span> <span class="s">currenty_primary_host="$(echo $currenty_primary_node | awk '{print $1}')"</span> <span class="s">info "$currenty_primary_host != $REPMGR_NODE_NETWORK_NAME"</span> <span class="s">if [[ $(echo $currenty_primary_node | wc -w) -eq 2 ]] &amp;&amp; [[ "$currenty_primary_host" != "$REPMGR_NODE_NETWORK_NAME" ]]; then</span> <span class="s">info "New primary detected, leaving the cluster..."</span> <span class="s">return_value=0</span> <span class="s">else</span> <span class="s">info "Waiting for a new primary to be available..."</span> <span class="s">fi</span> <span class="s">return $return_value</span> <span class="s">}</span> <span class="s">export MODULE="pre-stop-hook"</span> <span class="s">if [[ "${BITNAMI_DEBUG}" == "true" ]]; then</span> <span class="s">info "Bash debug is on"</span> <span class="s">else</span> <span class="s">info "Bash debug is off"</span> <span class="s">exec 1&gt;/dev/null</span> <span class="s">exec 2&gt;/dev/null</span> <span class="s">fi</span> <span class="s">postgresql_enable_nss_wrapper</span> <span class="s"># Prepare env vars for managing roles</span> <span class="s">readarray -t primary_node &lt; &lt;(repmgr_get_upstream_node)</span> <span class="s">primary_host="${primary_node[0]}"</span> <span class="s"># Stop postgresql for graceful exit.</span> <span class="s">PG_STOP_TIME=$EPOCHSECONDS</span> <span class="s">postgresql_stop</span> <span class="s">if [[ -z "$primary_host" ]] || [[ "$primary_host" == "$REPMGR_NODE_NETWORK_NAME" ]]; then</span> <span class="s">info "Primary node need to wait for a new primary node before leaving the cluster"</span> <span class="s">retry_while is_new_primary_ready 10 5</span> <span class="s">else</span> <span class="s">info "Standby node doesn't need to wait for a new primary switchover. Leaving the cluster"</span> <span class="s">fi</span> <span class="s"># Make sure pre-stop hook waits at least 25 seconds after stop of PG to make sure PGPOOL detects node is down.</span> <span class="s"># default terminationGracePeriodSeconds=30 seconds</span> <span class="s">PG_STOP_DURATION=$(($EPOCHSECONDS - $PG_STOP_TIME))</span> <span class="s">if (( $PG_STOP_DURATION &lt; $MIN_DELAY_AFTER_PG_STOP_SECONDS )); then</span> <span class="s">WAIT_TO_PG_POOL_TIME=$(($MIN_DELAY_AFTER_PG_STOP_SECONDS - $PG_STOP_DURATION)) </span> <span class="s">info "PG stopped including primary switchover in $PG_STOP_DURATION. Waiting additional $WAIT_TO_PG_POOL_TIME seconds for PG pool"</span> <span class="s">sleep $WAIT_TO_PG_POOL_TIME</span> <span class="s">fi</span> <span class="s">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-secret</span> <span class="na">data</span><span class="pi">:</span> <span class="na">POSTGRES_PASSWORD</span><span class="pi">:</span> <span class="s">cG9zdGdyZXM=</span> <span class="c1"># Default user(postgres)'s password</span> <span class="na">REPMGR_PASSWORD</span><span class="pi">:</span> <span class="s">cmVwbWdy</span> <span class="c1"># Replication user's password</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StatefulSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-state</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s">postgres-service</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="c1"># Container is not run as root</span> <span class="na">fsGroup</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">lifecycle</span><span class="pi">:</span> <span class="na">preStop</span><span class="pi">:</span> <span class="c1"># Routines to run before pod termination</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/pre-stop.sh</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">25"</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.io/bitnami/postgresql-repmgr:16.2.0</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">IfNotPresent"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-port</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">configMapRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-config</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POSTGRES_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">POSTGRES_PASSWORD</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">REPMGR_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">REPMGR_PASSWORD</span> <span class="c1"># Write the pod name (from metadata field) to an environment variable in order to automatically generate replication addresses </span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POD_NAME</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">metadata.name</span> <span class="c1"># Repmgr configuration</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">REPMGR_NAMESPACE</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">metadata.namespace</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">REPMGR_PARTNER_NODES</span> <span class="c1"># All pods being synchronized (has to reflect the number of replicas)</span> <span class="na">value</span><span class="pi">:</span> <span class="s">postgres-state-0.postgres-service.$(REPMGR_NAMESPACE).svc.cluster.local,postgres-state-1.postgres-service.$(REPMGR_NAMESPACE).svc.cluster.local</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">REPMGR_PRIMARY_HOST</span> <span class="c1"># Pod with write access. Everybody else replicates it</span> <span class="na">value</span><span class="pi">:</span> <span class="s">postgres-state-0.postgres-service.$(REPMGR_NAMESPACE).svc.cluster.local</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">REPMGR_NODE_NAME</span> <span class="c1"># Current pod name</span> <span class="na">value</span><span class="pi">:</span> <span class="s">$(POD_NAME)</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">REPMGR_NODE_NETWORK_NAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s">$(POD_NAME).postgres-service.$(REPMGR_NAMESPACE).svc.cluster.local</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-db</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/bitnami/postgresql</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-scripts</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/pre-stop.sh</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">pre-stop.sh</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">tmp-dir</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/bitnami/postgresql/conf</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">app-conf-dir</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/bitnami/postgresql/tmp</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">app-tmp-dir</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/bitnami/repmgr/conf</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">repmgr-conf-dir</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/bitnami/repmgr/tmp</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">repmgr-tmp-dir</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/bitnami/repmgr/logs</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">repmgr-logs-dir</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-scripts</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-scripts-config</span> <span class="na">defaultMode</span><span class="pi">:</span> <span class="m">0755</span> <span class="c1"># Access permissions (owner can execute processes)</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="c1"># Use a fake directory for mounting unused but required paths</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">volumeClaimTemplates</span><span class="pi">:</span> <span class="c1"># Description of volume claim created for each replica</span> <span class="pi">-</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-db</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">nfs-small</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">8Gi</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-service</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="c1"># Default service type</span> <span class="na">clusterIP</span><span class="pi">:</span> <span class="s">None</span> <span class="c1"># Do not get a service-wide address</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">postgres-port</span> </code></pre> </div> <p>As the <a href="https://bitnami.com/" rel="noopener noreferrer"><strong>Bitnami</strong></a> container runs as a non-root user for <a href="https://github.com/bitnami/containers/tree/main/bitnami/postgresql-repmgr#why-use-a-non-root-container" rel="noopener noreferrer">security reasons</a>, requires a <em><strong>"postgres"</strong></em> administrator name for the database and uses a different path structure, you won't be able to mount the data from the original <strong>PostgreSQL</strong> deployment without messing around with some configuration. So, unless you absolutely need the data, just start from scratch by deleting the volumes, maybe doing a backup first </p> <p>Notice how our <strong>ClusterIP</strong> is set to not have an shared address, making it a <strong>headless</strong> service, so that it only serves the purpose of exposing the target port of each individual pod, still accessible via <code>&lt;pod name&gt;.&lt;service-name&gt;:&lt;container port number&gt;</code>. We do that as our containers here are not meant to be accessed in a random or load-balanced manner</p> <p>If you're writing your own application, it's easy to define different addresses for writing to and reading from a replicated database, respecting the role of each copy. But a lot of useful software already around assumes a single connection is needed, and there's no simple way to get around that. That's why you need specific intermediaries or proxies like <a href="https://github.com/bitnami/containers/tree/main/bitnami/pgpool" rel="noopener noreferrer"><strong>Pgpool-II</strong></a> for <strong>PostgreSQL</strong>, that can appear to applications as a single entity, redirecting queries to the appropriate backend database depending on it's contents:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdz3yl62xevf7j7plrdzy.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdz3yl62xevf7j7plrdzy.png" alt="Postgres vs Postgres-HA" width="800" height="450"></a><br> (From the <a href="https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/README.md#differences-between-the-postgresql-ha-and-postgresql-helm-charts" rel="noopener noreferrer">PostgreSQL-HA documentation</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-proxy-config</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres-proxy</span> <span class="na">data</span><span class="pi">:</span> <span class="na">BITNAMI_DEBUG</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">PGPOOL_BACKEND_NODES</span><span class="pi">:</span> <span class="s">0:postgres-state-0.postgres-service:5432,1:postgres-state-1.postgres-service:5432</span> <span class="na">PGPOOL_SR_CHECK_USER</span><span class="pi">:</span> <span class="s">repmgr</span> <span class="na">PGPOOL_SR_CHECK_DATABASE</span><span class="pi">:</span> <span class="s">repmgr</span> <span class="na">PGPOOL_POSTGRES_USERNAME</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">PGPOOL_ADMIN_USERNAME</span><span class="pi">:</span> <span class="s">pgpool</span> <span class="na">PGPOOL_AUTHENTICATION_METHOD</span><span class="pi">:</span> <span class="s">scram-sha-256</span> <span class="na">PGPOOL_ENABLE_LOAD_BALANCING</span><span class="pi">:</span> <span class="s2">"</span><span class="s">yes"</span> <span class="na">PGPOOL_DISABLE_LOAD_BALANCE_ON_WRITE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">transaction"</span> <span class="na">PGPOOL_ENABLE_LOG_CONNECTIONS</span><span class="pi">:</span> <span class="s2">"</span><span class="s">no"</span> <span class="na">PGPOOL_ENABLE_LOG_HOSTNAME</span><span class="pi">:</span> <span class="s2">"</span><span class="s">yes"</span> <span class="na">PGPOOL_NUM_INIT_CHILDREN</span><span class="pi">:</span> <span class="s2">"</span><span class="s">25"</span> <span class="na">PGPOOL_MAX_POOL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">8"</span> <span class="na">PGPOOL_RESERVED_CONNECTIONS</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="na">PGPOOL_HEALTH_CHECK_PSQL_TIMEOUT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">6"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-proxy-secret</span> <span class="na">data</span><span class="pi">:</span> <span class="na">PGPOOL_ADMIN_PASSWORD</span><span class="pi">:</span> <span class="s">cGdwb29s</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-users-secret</span> <span class="na">data</span><span class="pi">:</span> <span class="na">usernames</span><span class="pi">:</span> <span class="s">dXNlcjEsdXNlcjIsdXNlcjM=</span> <span class="na">passwords</span><span class="pi">:</span> <span class="s">cHN3ZDEscHN3ZDIscHN3ZDM=</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-proxy-deploy</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres-proxy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres-proxy</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres-proxy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">fsGroup</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-proxy</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.io/bitnami/pgpool:4</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">IfNotPresent"</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">configMapRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-proxy-config</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">PGPOOL_POSTGRES_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">POSTGRES_PASSWORD</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">PGPOOL_SR_CHECK_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">REPMGR_PASSWORD</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">PGPOOL_ADMIN_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-proxy-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">PGPOOL_ADMIN_PASSWORD</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">PGPOOL_POSTGRES_CUSTOM_USERS</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-users-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">usernames</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">PGPOOL_POSTGRES_CUSTOM_PASSWORDS</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-users-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">passwords</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pg-proxy-port</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">tmp-dir</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/bitnami/pgpool/etc</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">app-etc-dir</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/bitnami/pgpool/conf</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">app-conf-dir</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/bitnami/pgpool/tmp</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">app-tmp-dir</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/bitnami/pgpool/logs</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">app-logs-dir</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">empty-dir</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-proxy-service</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres-proxy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="c1"># Let it be accessible inside the local network</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres-proxy</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">pg-proxy-port</span> </code></pre> </div> <p>I bet most of it is self explanatory by now. Just pay extra attention to the <code>NUM_INIT_CHILDREN</code>, <code>MAX_POLL</code> and <code>RESERVED_CONNECTIONS</code> variables and <a href="https://www.pgpool.net/mediawiki/index.php/Relationship_between_max_pool,_num_init_children,_and_max_connections" rel="noopener noreferrer">the relationship between them</a>, as their default values may not be appropriate at all for your application and result in too many connection refusals (Been there. Done that). Moreover, users other than administrator and replicator are blocked from access unless you add them to the custom lists of usernames and passwords, in the format <code>user1,user2,user3,..</code> and <code>pswd1,pswd2,pswd3,...</code>, here provided as <strong>base64</strong>-encoded secrets</p> <p>With all that configured, we can finally (this time I really mean it) deploy a useful, stateful and replicated application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get all <span class="nt">-n</span> choppa <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>postgres NAME READY STATUS RESTARTS AGE pod/postgres-state-0 1/1 Running 0 40h pod/postgres-state-1 1/1 Running 0 40h NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE service/postgres-service ClusterIP None &lt;none&gt; 5432/TCP 40h <span class="nv">$ </span>kubectl get all <span class="nt">-n</span> choppa <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>postgres-proxy NAME READY STATUS RESTARTS AGE pod/postgres-proxy-deploy-74bbdd9b9d-j2tsn 1/1 Running 0 40h NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE service/postgres-proxy-service LoadBalancer 10.43.217.63 192.168.3.10,192.168.3.12 5432:30217/TCP 40h NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/postgres-proxy-deploy 1/1 1 1 40h NAME DESIRED CURRENT READY AGE replicaset.apps/postgres-proxy-deploy-74bbdd9b9d 1 1 1 40h </code></pre> </div> <p>(Some nice usage of component <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/" rel="noopener noreferrer">labels</a> for selection)</p> <h3> Into the Breach! </h3> <p>You should be able to view your database you the <code>postgres</code> user the same way we did last time. After informing the necessary custom users to <strong>Pgpoll</strong>, now not only I can get my <strong>Telegram</strong> bridge back running (using the proxy address for the connection string), but also install <strong>WhatsApp</strong> and <strong>Discord</strong> ones. Although they're written in <strong>Go</strong> rather than <strong>Python</strong>, configuration is very similar, with the relevant parts below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whatsapp-config</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">whatsapp</span> <span class="na">data</span><span class="pi">:</span> <span class="na">config.yaml</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Homeserver details.</span> <span class="s">homeserver:</span> <span class="s"># The address that this appservice can use to connect to the homeserver.</span> <span class="s">address: https://talk.choppa.xyz</span> <span class="s"># The domain of the homeserver (also known as server_name, used for MXIDs, etc).</span> <span class="s">domain: choppa.xyz</span> <span class="s"># ...</span> <span class="s"># Application service host/registration related details.</span> <span class="s"># Changing these values requires regeneration of the registration.</span> <span class="s">appservice:</span> <span class="s"># The address that the homeserver can use to connect to this appservice.</span> <span class="s">address: http://whatsapp-service:29318</span> <span class="s"># The hostname and port where this appservice should listen.</span> <span class="s">hostname: 0.0.0.0</span> <span class="s">port: 29318</span> <span class="s"># Database config.</span> <span class="s">database:</span> <span class="s"># The database type. "sqlite3-fk-wal" and "postgres" are supported.</span> <span class="s">type: postgres</span> <span class="s"># The database URI.</span> <span class="s"># SQLite: A raw file path is supported, but `file:&lt;path&gt;?_txlock=immediate` is recommended.</span> <span class="s"># https://github.com/mattn/go-sqlite3#connection-string</span> <span class="s"># Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable</span> <span class="s"># To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql</span> <span class="s">uri: postgres://whatsapp:mautrix@postgres-proxy-service/matrix_whatsapp?sslmode=disable</span> <span class="s"># Maximum number of connections. Mostly relevant for Postgres.</span> <span class="s">max_open_conns: 20</span> <span class="s">max_idle_conns: 2</span> <span class="s"># Maximum connection idle time and lifetime before they're closed. Disabled if null.</span> <span class="s"># Parsed with https://pkg.go.dev/time#ParseDuration</span> <span class="s">max_conn_idle_time: null</span> <span class="s">max_conn_lifetime: null</span> <span class="s"># The unique ID of this appservice.</span> <span class="s">id: whatsapp</span> <span class="s"># Appservice bot details.</span> <span class="s">bot:</span> <span class="s"># Username of the appservice bot.</span> <span class="s">username: whatsappbot</span> <span class="s"># Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty</span> <span class="s"># to leave display name/avatar as-is.</span> <span class="s">displayname: WhatsApp bridge bot</span> <span class="s">avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr</span> <span class="s"># Whether or not to receive ephemeral events via appservice transactions.</span> <span class="s"># Requires MSC2409 support (i.e. Synapse 1.22+).</span> <span class="s">ephemeral_events: true</span> <span class="s"># Should incoming events be handled asynchronously?</span> <span class="s"># This may be necessary for large public instances with lots of messages going through.</span> <span class="s"># However, messages will not be guaranteed to be bridged in the same order they were sent in.</span> <span class="s">async_transactions: false</span> <span class="s"># Authentication tokens for AS &lt;-&gt; HS communication. Autogenerated; do not modify.</span> <span class="s">as_token: &lt;same as token as in registration.yaml&gt;</span> <span class="s">hs_token: &lt;same hs token as in registration.yaml&gt;</span> <span class="s"># ...</span> <span class="s"># Config for things that are directly sent to WhatsApp.</span> <span class="s">whatsapp:</span> <span class="s"># Device name that's shown in the "WhatsApp Web" section in the mobile app.</span> <span class="s">os_name: Mautrix-WhatsApp bridge</span> <span class="s"># Browser name that determines the logo shown in the mobile app.</span> <span class="s"># Must be "unknown" for a generic icon or a valid browser name if you want a specific icon.</span> <span class="s"># List of valid browser names: https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64</span> <span class="s">browser_name: unknown</span> <span class="s"># Proxy to use for all WhatsApp connections.</span> <span class="s">proxy: null</span> <span class="s"># Alternative to proxy: an HTTP endpoint that returns the proxy URL to use for WhatsApp connections.</span> <span class="s">get_proxy_url: null</span> <span class="s"># Whether the proxy options should only apply to the login websocket and not to authenticated connections.</span> <span class="s">proxy_only_login: false</span> <span class="s"># Bridge config</span> <span class="s">bridge:</span> <span class="s"># ...</span> <span class="s"># Settings for handling history sync payloads.</span> <span class="s">history_sync:</span> <span class="s"># Enable backfilling history sync payloads from WhatsApp?</span> <span class="s">backfill: true</span> <span class="s"># ...</span> <span class="s"># Shared secret for authentication. If set to "generate", a random secret will be generated,</span> <span class="s"># or if set to "disable", the provisioning API will be disabled.</span> <span class="s">shared_secret: generate</span> <span class="s"># Enable debug API at /debug with provisioning authentication.</span> <span class="s">debug_endpoints: false</span> <span class="s"># Permissions for using the bridge.</span> <span class="s"># Permitted values:</span> <span class="s"># relay - Talk through the relaybot (if enabled), no access otherwise</span> <span class="s"># user - Access to use the bridge to chat with a WhatsApp account.</span> <span class="s"># admin - User level and some additional administration tools</span> <span class="s"># Permitted keys:</span> <span class="s"># * - All Matrix users</span> <span class="s"># domain - All users on that homeserver</span> <span class="s"># mxid - Specific user</span> <span class="s">permissions:</span> <span class="s">"*": relay</span> <span class="s">"@ancapepe:choppa.xyz": admin</span> <span class="s">"@ancompepe:choppa.xyz": user</span> <span class="s"># Settings for relay mode</span> <span class="s">relay:</span> <span class="s"># Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any</span> <span class="s"># authenticated user into a relaybot for that chat.</span> <span class="s">enabled: false</span> <span class="s"># Should only admins be allowed to set themselves as relay users?</span> <span class="s">admin_only: true</span> <span class="s"># ...</span> <span class="s"># Logging config. See https://github.com/tulir/zeroconfig for details.</span> <span class="s">logging:</span> <span class="s">min_level: debug</span> <span class="s">writers:</span> <span class="s">- type: stdout</span> <span class="s">format: pretty-colored</span> <span class="na">registration.yaml</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">id: whatsapp</span> <span class="s">url: http://whatsapp-service:29318</span> <span class="s">as_token: &lt;same as token as in config.yaml&gt;</span> <span class="s">hs_token: &lt;same hs token as in config.yaml&gt;</span> <span class="s">sender_localpart: SH98XxA4xvgFtlbx1NxJm9VYW6q3BdYg</span> <span class="s">rate_limited: false</span> <span class="s">namespaces:</span> <span class="s">users:</span> <span class="s">- regex: ^@whatsappbot:choppa\.xyz$</span> <span class="s">exclusive: true</span> <span class="s">- regex: ^@whatsapp_.*:choppa\.xyz$</span> <span class="s">exclusive: true</span> <span class="s">de.sorunome.msc2409.push_ephemeral: true</span> <span class="s">push_ephemeral: true</span> <span class="s">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whatsapp-deploy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">whatsapp</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">whatsapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whatsapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">dock.mau.dev/mautrix/whatsapp:latest</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">IfNotPresent"</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">/usr/bin/mautrix-whatsapp"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">/data/config.yaml"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-r"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">/data/registration.yaml"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--no-update"</span> <span class="pi">]</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">29318</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whatsapp-port</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whatsapp-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data/config.yaml</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">config.yaml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whatsapp-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data/registration.yaml</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">registration.yaml</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whatsapp-volume</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whatsapp-config</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whatsapp-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">publishNotReadyAddresses</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">whatsapp</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">29318</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">whatsapp-port</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">discord-config</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">discord</span> <span class="na">data</span><span class="pi">:</span> <span class="na">config.yaml</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Homeserver details.</span> <span class="s">homeserver:</span> <span class="s"># The address that this appservice can use to connect to the homeserver.</span> <span class="s">address: https://talk.choppa.xyz</span> <span class="s"># The domain of the homeserver (also known as server_name, used for MXIDs, etc).</span> <span class="s">domain: choppa.xyz</span> <span class="s"># What software is the homeserver running?</span> <span class="s"># Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.</span> <span class="s">software: standard</span> <span class="s"># The URL to push real-time bridge status to.</span> <span class="s"># If set, the bridge will make POST requests to this URL whenever a user's discord connection state changes.</span> <span class="s"># The bridge will use the appservice as_token to authorize requests.</span> <span class="s">status_endpoint: null</span> <span class="s"># Endpoint for reporting per-message status.</span> <span class="s">message_send_checkpoint_endpoint: null</span> <span class="s"># Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?</span> <span class="s">async_media: false</span> <span class="s"># Should the bridge use a websocket for connecting to the homeserver?</span> <span class="s"># The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,</span> <span class="s"># mautrix-asmux (deprecated), and hungryserv (proprietary).</span> <span class="s">websocket: false</span> <span class="s"># How often should the websocket be pinged? Pinging will be disabled if this is zero.</span> <span class="s">ping_interval_seconds: 0</span> <span class="s"># Application service host/registration related details.</span> <span class="s"># Changing these values requires regeneration of the registration.</span> <span class="s">appservice:</span> <span class="s"># The address that the homeserver can use to connect to this appservice.</span> <span class="s">address: http://discord-service:29334</span> <span class="s"># The hostname and port where this appservice should listen.</span> <span class="s">hostname: 0.0.0.0</span> <span class="s">port: 29334</span> <span class="s"># Database config.</span> <span class="s">database:</span> <span class="s"># The database type. "sqlite3-fk-wal" and "postgres" are supported.</span> <span class="s">type: postgres</span> <span class="s"># The database URI.</span> <span class="s"># SQLite: A raw file path is supported, but `file:&lt;path&gt;?_txlock=immediate` is recommended.</span> <span class="s"># https://github.com/mattn/go-sqlite3#connection-string</span> <span class="s"># Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable</span> <span class="s"># To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql</span> <span class="s">uri: postgres://discord:mautrix@postgres-proxy-service/matrix_discord?sslmode=disable</span> <span class="s"># Maximum number of connections. Mostly relevant for Postgres.</span> <span class="s">max_open_conns: 20</span> <span class="s">max_idle_conns: 2</span> <span class="s"># Maximum connection idle time and lifetime before they're closed. Disabled if null.</span> <span class="s"># Parsed with https://pkg.go.dev/time#ParseDuration</span> <span class="s">max_conn_idle_time: null</span> <span class="s">max_conn_lifetime: null</span> <span class="s"># The unique ID of this appservice.</span> <span class="s">id: discord</span> <span class="s"># Appservice bot details.</span> <span class="s">bot:</span> <span class="s"># Username of the appservice bot.</span> <span class="s">username: discordbot</span> <span class="s"># Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty</span> <span class="s"># to leave display name/avatar as-is.</span> <span class="s">displayname: Discord bridge bot</span> <span class="s">avatar: mxc://maunium.net/nIdEykemnwdisvHbpxflpDlC</span> <span class="s"># Whether or not to receive ephemeral events via appservice transactions.</span> <span class="s"># Requires MSC2409 support (i.e. Synapse 1.22+).</span> <span class="s">ephemeral_events: true</span> <span class="s"># Should incoming events be handled asynchronously?</span> <span class="s"># This may be necessary for large public instances with lots of messages going through.</span> <span class="s"># However, messages will not be guaranteed to be bridged in the same order they were sent in.</span> <span class="s">async_transactions: false</span> <span class="s"># Authentication tokens for AS &lt;-&gt; HS communication. Autogenerated; do not modify.</span> <span class="s">as_token: &lt;same as token as in registration.yaml&gt;</span> <span class="s">hs_token: &lt;same hs token as in registration.yaml&gt;</span> <span class="s"># Bridge config</span> <span class="s">bridge:</span> <span class="s"># ...</span> <span class="s"># The prefix for commands. Only required in non-management rooms.</span> <span class="s">command_prefix: '!discord'</span> <span class="s"># Permissions for using the bridge.</span> <span class="s"># Permitted values:</span> <span class="s"># relay - Talk through the relaybot (if enabled), no access otherwise</span> <span class="s"># user - Access to use the bridge to chat with a Discord account.</span> <span class="s"># admin - User level and some additional administration tools</span> <span class="s"># Permitted keys:</span> <span class="s"># * - All Matrix users</span> <span class="s"># domain - All users on that homeserver</span> <span class="s"># mxid - Specific user</span> <span class="s">permissions:</span> <span class="s">"*": relay</span> <span class="s">"@ancapepe:choppa.xyz": admin</span> <span class="s">"@ancompepe:choppa.xyz": user</span> <span class="s"># Logging config. See https://github.com/tulir/zeroconfig for details.</span> <span class="s">logging:</span> <span class="s">min_level: debug</span> <span class="s">writers:</span> <span class="s">- type: stdout</span> <span class="s">format: pretty-colored</span> <span class="na">registration.yaml</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">id: discord</span> <span class="s">url: http://discord-service:29334</span> <span class="s">as_token: &lt;same as token as in config.yaml&gt;</span> <span class="s">hs_token: &lt;same hs token as in config.yaml&gt;</span> <span class="s">sender_localpart: KYmI12PCMJuHvD9VZw1cUzMlV7nUezH2</span> <span class="s">rate_limited: false</span> <span class="s">namespaces:</span> <span class="s">users:</span> <span class="s">- regex: ^@discordbot:choppa\.xyz$</span> <span class="s">exclusive: true</span> <span class="s">- regex: ^@discord_.*:choppa\.xyz$</span> <span class="s">exclusive: true</span> <span class="s">de.sorunome.msc2409.push_ephemeral: true</span> <span class="s">push_ephemeral: true</span> <span class="s">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">discord-deploy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">discord</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">discord</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">discord</span> <span class="na">image</span><span class="pi">:</span> <span class="s">dock.mau.dev/mautrix/discord:latest</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">IfNotPresent"</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">/usr/bin/mautrix-discord"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">/data/config.yaml"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-r"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">/data/registration.yaml"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--no-update"</span> <span class="pi">]</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">29334</span> <span class="na">name</span><span class="pi">:</span> <span class="s">discord-port</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">discord-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data/config.yaml</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">config.yaml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">discord-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data/registration.yaml</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">registration.yaml</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">discord-volume</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">discord-config</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">discord-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">publishNotReadyAddresses</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">discord</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">29334</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">discord-port</span> </code></pre> </div> <blockquote> <p>Logging into your account will still change depending on the service being bridged. As always, consult <a href="https://docs.mau.fi/bridges/python/setup.html" rel="noopener noreferrer">the official documentation</a></p> </blockquote> <p>We may forget for a while the multiple opened messaging windows just to communicate with our peers. That river has been crossed!</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbr4n4spd2t4f0wg6kcsk.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbr4n4spd2t4f0wg6kcsk.png" alt="Nheko communities" width="410" height="474"></a></p> selfhosting kubernetes censorship decentralization Beppe Sun, 29 Sep 2024 16:34:21 +0000 https://dev.to/beppe90/the-home-server-journey-5-rebuilding-burned-bridges-6n7 https://dev.to/beppe90/the-home-server-journey-5-rebuilding-burned-bridges-6n7 <p>Hello again. It's been a while (in relative terms)</p> <p>Having our own <strong>Matrix</strong> rooms feels amazing indeed, but left us too isolated, at least until we manage to bring people in. I know that <a href="https://dev.to/ancapepe/the-home-server-journey-1-motivation-and-approach-5fhj">in the beginning</a> I've warned about making sacrifices, but it doesn't have to be that hard. In life some metaphorical burned bridges are better left unrepaired, but here let's try reconnecting to our old Internet life in an interesting way, right?</p> <h3> Notes on Infrastructure </h3> <p>I have waited a bit to resume publishing because there were 2 things bothering me about my setup: power reliability and storage coupling</p> <p>I don't live near a big urban center, and power oscillations or outages are pretty common here. Having those causing frequent downtime on my server would be quite annoying, so I went after a <strong>nobreak</strong> to ensure more energy stability for my devices</p> <p>With that out the way, as I have said on <a href="https://dev.to/ancapepe/the-home-server-journey-4-enter-the-matrix-55ki">the previous article</a>, ideally your <strong>K8s</strong> system would have an external and dedicated storage provider. I certainly wasn't satisfied with mixing <strong>K8s</strong> node and <strong>NFS</strong> server functionality in the same machines, but the ones I was using were the only units with high-bandwith <strong>USB 3.0</strong> ports, desirable for external drives. So I've decided to invest a bit more and acquire an extra <strong>Raspberry Pi 5</strong> for my cluster, leaving the <strong>RPi4</strong> for data management</p> <p>Not only the <strong>RPi5</strong> gives me more performance, but it also <a href="https://www.cnx-software.com/2023/11/05/raspberry-pi-5-review-raspberry-pi-os-bookworm-benchmarks-power-consumption/" rel="noopener noreferrer">is more equivalent to the <strong>Odroid N2+</strong></a>. As it comes with a beefier power supply (5V-5A), intended for video applications that I'm not doing, I've tried using it for the <strong>RPi4</strong> connected to the current-hungry hard drives. However, <a href="https://forums.raspberrypi.com/viewtopic.php?t=364252" rel="noopener noreferrer">its circuit is simply not made to use all that juice</a>, so as a last piece of the puzzle I had to get an externally powered <strong>USB3</strong> hub:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk3ejgeixz94tnphs3f9q.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk3ejgeixz94tnphs3f9q.png" alt="New server hardware"></a><br> (The resulting <em>Frankenstein</em> is not a pretty sight)</p> <p>If that mess of a wiring is too hard to understand (I bet it is), have a quick diagram of how it works below:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6f00k7gi4k9dw3o575y5.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6f00k7gi4k9dw3o575y5.png" alt="Server connections"></a></p> <blockquote> <p>At first I was worried that using a single <strong>USB</strong> port for 2 disks would be a bottleneck, but even in the best case, sequential reading, HDDs cannot saturate the 5Gbps bandwidth the <strong>RPi4</strong> can handle on that interface, and the 1Gbps Ethernet will be a greater constraint anyway</p> </blockquote> <h3> Keeping the State, Orchestrated Style </h3> <p>One thing that you notice when deploying all sorts of applications is how much they rely on databases, <a href="https://en.wikipedia.org/wiki/Relational_database" rel="noopener noreferrer"><strong>relational</strong></a> or <a href="https://en.wikipedia.org/wiki/NoSQL" rel="noopener noreferrer"><strong>non-relational</strong></a>, in order to delegate internal data management and remain <strong>stateless</strong>. That's true to the point that we can hardly progress here without having some <strong>DBMS</strong> running first</p> <p>It's common to have databases running as off-node services just like <strong>NFS</strong>, but the ability to escalate them horizontally is then lost. Here, we'll resort to <strong>Kubernetes</strong> <strong>stateful</strong> features in order to keep data management inside the cluster. For that, instead of a <strong>Deployment</strong> we require a <a href="https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/" rel="noopener noreferrer"><strong>StatefulSet</strong></a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-config</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">choppa</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">data</span><span class="pi">:</span> <span class="na">POSTGRES_DB</span><span class="pi">:</span> <span class="s">choppadb</span> <span class="c1"># Default database</span> <span class="na">POSTGRES_USER</span><span class="pi">:</span> <span class="s">admin</span> <span class="c1"># Default user</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-secret</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">choppa</span> <span class="na">data</span><span class="pi">:</span> <span class="na">POSTGRES_PASSWORD</span><span class="pi">:</span> <span class="s">Z290eW91</span> <span class="c1"># Default user's password</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StatefulSet</span> <span class="c1"># Component type</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-state</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">choppa</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s">postgres-service</span> <span class="c1"># Do not give a service name to each replica</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:16.4</span> <span class="c1"># Current stable version at 17.0, but let's be a bit conservative</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">IfNotPresent"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-port</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">configMapRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-config</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POSTGRES_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">POSTGRES_PASSWORD</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/var/lib/postgresql/data</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-db</span> <span class="na">volumeClaimTemplates</span><span class="pi">:</span> <span class="c1"># Description of volume claim created for each replica</span> <span class="pi">-</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-db</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">nfs-small</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">5Gi</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres-service</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">choppa</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="c1"># Let it be accessible inside the local network</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">postgres-port</span> </code></pre> </div> <p>(At first we're using a <a href="https://www.postgresql.org/" rel="noopener noreferrer"><strong>PostgreSQL</strong></a> image from <a href="https://hub.docker.com/_/postgres/" rel="noopener noreferrer">the official <strong>DockerHub</strong> repository</a>, but different databases such as <a href="https://www.mysql.com/" rel="noopener noreferrer"><strong>MySQL</strong></a>/<a href="https://mariadb.org/" rel="noopener noreferrer"><strong>MariaDB</strong></a> or <a href="https://www.mongodb.com/" rel="noopener noreferrer"><strong>MongoDB</strong></a> will follow a similar pattern)</p> <p>The biggest difference from previous deployments is that we don't explicitly define a <strong>Persistent Volume Claim</strong> to be referenced by all replicas, but give the <strong>StatefulSet</strong> a template on how to request a distinct storage area for each Pod. Moreover, the <code>serviceName</code> configuration defines how stateful pods will get their specific hostnames from the internal <strong>DNS</strong>, in the format <code>&lt;pod name&gt;.&lt;service-name&gt;:&lt;container port number&gt;</code></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpbvkrl9xvoq9fi966q74.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpbvkrl9xvoq9fi966q74.png" alt="Stateful pods"></a><br> (I have tried using a stateful configuration for <strong>Conduit</strong> as well, but also wasn't able to increase the number of replicas due to some authentication issues)</p> <p>Notice how those pods follow a different naming scheme. <a href="https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/" rel="noopener noreferrer"><strong>ReplicaSets</strong></a> with persisting data changes have to be created, deleted and updated/synchronized in a very particular order, therefore they cannot be as ephemeral as stateless ones, with asynchronously managed and randomly named containers. Those constraints are the reason we should avoid <strong>StatefulSets</strong> wherever possible </p> <h3> A Telegram from an Old Friend </h3> <p>As I've promised, today we're learning how to keep in touch with people in the centralized world from our new <strong>Matrix</strong> home. And that's achieved through the power of <a href="https://github.com/mautrix" rel="noopener noreferrer"><strong>Mautrix</strong> bridges</a>. As I'm a big user of <strong>Telegram</strong>, that's what I'll be using as an example, but the process is mostly the same for other services, like <strong>Discord</strong> or <strong>WhatsApp</strong></p> <p>Long story short, the bridge needs to be configured on 2 ends: how to interact with your third-party service account and how to register onto your <strong>Matrix</strong> server. The templates for those settings may be automatically generated using the same container image we'll me pulling into our <strong>K8s</strong> cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a directory for configuration files and enter it</span> <span class="nv">$ </span>docker run <span class="nt">--rm</span> <span class="nt">-v</span> <span class="sb">`</span><span class="nb">pwd</span><span class="sb">`</span>:/data:z dock.mau.dev/mautrix/telegram:latest Didn<span class="s1">'t find a config file. Copied default config file to /data/config.yaml Modify that config file to your liking. Start the container again after that to generate the registration file. # Change the configuration file to match your requirements and preferences $ docker run --rm -v `pwd`:/data:z dock.mau.dev/mautrix/telegram:latest Registration generated and saved to /data/registration.yaml Didn'</span>t find a registration file. Generated one <span class="k">for </span>you. See https://docs.mau.fi/bridges/general/registering-appservices.html on how to use it. </code></pre> </div> <p>Now you either manually add the contents of <code>config.yaml</code> and <code>registration.yaml</code> to a <strong>ConfigMap</strong> manifest file or automatically generate/print it with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>kubectl create configmap telegram-config <span class="nt">--from-file</span><span class="o">=</span>./config.yaml <span class="nt">--from-file</span><span class="o">=</span>./registration.yaml <span class="nt">--dry-run</span><span class="o">=</span>client <span class="nt">-o</span> yaml </code></pre> </div> <p>(Running as super user is required as the folder permissions are modified. <code>--dry-run</code> prevents the configuration from being directly applied, so that you may adjust possible mistakes, pipe the results to a <strong>YAML</strong> file or add the result to a bigger manifest)</p> <p>Bridge configuration is quite long, so I'll reduce it below to only the most relevant parts. For information on all options, consult <a href="https://docs.mau.fi/bridges/index.html" rel="noopener noreferrer">the official documentation</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">telegram-config</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">telegram</span> <span class="na">data</span><span class="pi">:</span> <span class="na">config.yaml</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Homeserver details</span> <span class="s">homeserver:</span> <span class="s"># The address that this appservice can use to connect to the homeserver.</span> <span class="s">address: http://conduit-service:8448</span> <span class="s"># The domain of the homeserver (for MXIDs, etc).</span> <span class="s">domain: choppa.xyz</span> <span class="s"># ...</span> <span class="s"># Application service host/registration related details</span> <span class="s"># Changing these values requires regeneration of the registration.</span> <span class="s">appservice:</span> <span class="s"># The address that the homeserver can use to connect to this appservice.</span> <span class="s">address: http://telegram-service:29317</span> <span class="s"># When using https:// the TLS certificate and key files for the address.</span> <span class="s">tls_cert: false</span> <span class="s">tls_key: false</span> <span class="s"># The hostname and port where this appservice should listen.</span> <span class="s">hostname: 0.0.0.0</span> <span class="s">port: 29317</span> <span class="s"># ...</span> <span class="s"># The full URI to the database. SQLite and Postgres are supported.</span> <span class="s"># Format examples:</span> <span class="s"># SQLite: sqlite:filename.db</span> <span class="s"># Postgres: postgres://username:password@hostname/dbname</span> <span class="s">database: postgres://telegram:mautrix@postgres-service/matrix_telegram</span> <span class="s"># ...</span> <span class="s"># Authentication tokens for AS &lt;-&gt; HS communication. Autogenerated; do not modify.</span> <span class="s">as_token: &lt;same as token from registration.yaml&gt;</span> <span class="s">hs_token: &lt;same hs token from registration.yaml&gt;</span> <span class="s"># ...</span> <span class="s"># Bridge config</span> <span class="s">bridge:</span> <span class="s"># ...</span> <span class="s"># Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth</span> <span class="s">#</span> <span class="s"># If set, custom puppets will be enabled automatically for local users</span> <span class="s"># instead of users having to find an access token and run `login-matrix`</span> <span class="s"># manually.</span> <span class="s"># If using this for other servers than the bridge's server,</span> <span class="s"># you must also set the URL in the double_puppet_server_map.</span> <span class="s">login_shared_secret_map:</span> <span class="s">choppa.xyz: &lt;your access token&gt;</span> <span class="s"># ...</span> <span class="s"># ...</span> <span class="s"># Telegram config</span> <span class="s">telegram:</span> <span class="s"># Get your own API keys at https://my.telegram.org/apps</span> <span class="s">api_id: &lt;id you have generated&gt;</span> <span class="s">api_hash: &lt;hash you have generated&gt;</span> <span class="s"># (Optional) Create your own bot at https://t.me/BotFather</span> <span class="s">bot_token: disabled</span> <span class="s"># ...</span> <span class="na">registration.yaml</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">id: telegram</span> <span class="s">as_token: &lt;same as token from config.yaml&gt;</span> <span class="s">hs_token: &lt;same hs token from config.yaml&gt;</span> <span class="s">namespaces:</span> <span class="s">users:</span> <span class="s">- exclusive: true</span> <span class="s">regex: '@telegram_.*:choppa\.xyz'</span> <span class="s">- exclusive: true</span> <span class="s">regex: '@telegrambot:choppa\.xyz'</span> <span class="s">aliases:</span> <span class="s">- exclusive: true</span> <span class="s">regex: \#telegram_.*:choppa\.xyz</span> <span class="s">url: http://telegram-service:29317</span> <span class="s">sender_localpart: HyMPlWT_552RAGkFtnuy_ZNNpkKrSSaHDndS_nmb9VIZ4RiJLH0uiSas3fi_IV_x</span> <span class="s">rate_limited: false</span> <span class="s">de.sorunome.msc2409.push_ephemeral: true</span> <span class="s">push_ephemeral: true</span> <span class="s">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">telegram-deploy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">telegram</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">telegram</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">telegram</span> <span class="na">image</span><span class="pi">:</span> <span class="s">dock.mau.dev/mautrix/telegram:latest</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">IfNotPresent"</span> <span class="c1"># Custom container initialization command (overrides the one defined in the image)</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">python3"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-m"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">mautrix_telegram"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">/data/config.yaml"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-r"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">/data/registration.yaml"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--no-update"</span> <span class="pi">]</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">29317</span> <span class="c1"># Has to match the appservice configuration</span> <span class="na">name</span><span class="pi">:</span> <span class="s">telegram-port</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">telegram-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data/config.yaml</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">config.yaml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">telegram-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data/registration.yaml</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">registration.yaml</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">telegram-volume</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">telegram-config</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">telegram-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">publishNotReadyAddresses</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">telegram</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">29317</span> <span class="c1"># Has to match the registration url</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">telegram-port</span> </code></pre> </div> <p>After applying the changes, the bridge pod is deployed, but it keeps failing and restarting... Why?</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmrb73989w9eeyykp2676.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmrb73989w9eeyykp2676.png" alt="Bridge failure"></a></p> <p>Visualizing the logs give us a clearer picture of what's happening:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl logs telegram-deploy-84489fb64d-srmrc <span class="nt">--namespace</span><span class="o">=</span>choppa  ✔  default ⎈ <span class="o">[</span>2024-09-29 15:28:34,871] <span class="o">[</span>INFO@mau.init] Initializing mautrix-telegram 0.15.2 <span class="o">[</span>2024-09-29 15:28:34,879] <span class="o">[</span>INFO@mau.init] Initialization <span class="nb">complete </span><span class="k">in </span>0.19 seconds <span class="o">[</span>2024-09-29 15:28:34,879] <span class="o">[</span>DEBUG@mau.init] Running startup actions... <span class="o">[</span>2024-09-29 15:28:34,879] <span class="o">[</span>DEBUG@mau.init] Starting database... <span class="o">[</span>2024-09-29 15:28:34,879] <span class="o">[</span>DEBUG@mau.db] Connecting to postgres://telegram:password-redacted@postgres-service/matrix_telegram <span class="o">[</span>2024-09-29 15:28:34,946] <span class="o">[</span>CRITICAL@mau.init] Failed to initialize database Traceback <span class="o">(</span>most recent call last<span class="o">)</span>: File <span class="s2">"/usr/lib/python3.11/site-packages/mautrix/bridge/bridge.py"</span>, line 216, <span class="k">in </span>start_db await self.db.start<span class="o">()</span> File <span class="s2">"/usr/lib/python3.11/site-packages/mautrix/util/async_db/asyncpg.py"</span>, line 71, <span class="k">in </span>start self._pool <span class="o">=</span> await asyncpg.create_pool<span class="o">(</span>str<span class="o">(</span>self.url<span class="o">)</span>, <span class="k">**</span>self._db_args<span class="o">)</span> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File <span class="s2">"/usr/lib/python3.11/site-packages/asyncpg/pool.py"</span>, line 403, <span class="k">in </span>_async__init__ await self._initialize<span class="o">()</span> File <span class="s2">"/usr/lib/python3.11/site-packages/asyncpg/pool.py"</span>, line 430, <span class="k">in </span>_initialize await first_ch.connect<span class="o">()</span> File <span class="s2">"/usr/lib/python3.11/site-packages/asyncpg/pool.py"</span>, line 128, <span class="k">in </span>connect self._con <span class="o">=</span> await self._pool._get_new_connection<span class="o">()</span> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File <span class="s2">"/usr/lib/python3.11/site-packages/asyncpg/pool.py"</span>, line 502, <span class="k">in </span>_get_new_connection con <span class="o">=</span> await connection.connect<span class="o">(</span> ^^^^^^^^^^^^^^^^^^^^^^^^^ File <span class="s2">"/usr/lib/python3.11/site-packages/asyncpg/connection.py"</span>, line 2329, <span class="k">in </span>connect <span class="k">return </span>await connect_utils._connect<span class="o">(</span> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File <span class="s2">"/usr/lib/python3.11/site-packages/asyncpg/connect_utils.py"</span>, line 991, <span class="k">in </span>_connect conn <span class="o">=</span> await _connect_addr<span class="o">(</span> ^^^^^^^^^^^^^^^^^^^^ File <span class="s2">"/usr/lib/python3.11/site-packages/asyncpg/connect_utils.py"</span>, line 828, <span class="k">in </span>_connect_addr <span class="k">return </span>await __connect_addr<span class="o">(</span>params, True, <span class="k">*</span>args<span class="o">)</span> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File <span class="s2">"/usr/lib/python3.11/site-packages/asyncpg/connect_utils.py"</span>, line 876, <span class="k">in </span>__connect_addr await connected asyncpg.exceptions.InvalidPasswordError: password authentication failed <span class="k">for </span>user <span class="s2">"telegram"</span> <span class="o">[</span>2024-09-29 15:28:34,950] <span class="o">[</span>DEBUG@mau.init] Stopping database due to SystemExit <span class="o">[</span>2024-09-29 15:28:34,950] <span class="o">[</span>DEBUG@mau.init] Database stopped </code></pre> </div> <p>If you pay attention to the configuration shown, there's a database section where you may either configure <a href="https://www.sqlite.org/" rel="noopener noreferrer"><strong>SQLite</strong></a> (local file, let's avoid that) or <strong>PostgreSQL</strong> usage, required by the bridge. I wouldn't go on a tangent about databases for nothing, right?</p> <p>The problem is that the connection string defined, which follows the format <code>postgres://&lt;user&gt;:&lt;password&gt;@&lt;server hostname&gt;/&lt;database name&gt;</code>, is referencing a user and a database that don't exist (I wouldn't use the administrator account for a simple bot). So let's fix that by logging as the main user into the <strong>DBMS</strong> with a <strong>PostgreSQL</strong>-compatible client of your choice. Here I'm using <a href="https://sqlectron.github.io/" rel="noopener noreferrer"><strong>SQLectron</strong></a>:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff5eos3bv8p9ra1f5860i.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff5eos3bv8p9ra1f5860i.png" alt="SQLectron"></a></p> <p>From there, use this sequence of <a href="https://www.w3schools.com/sql/sql_intro.asp" rel="noopener noreferrer"><strong>SQL</strong></a> commands that are pretty much self-explanatory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">DATABASE</span> <span class="n">matrix_telegram</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">USER</span> <span class="n">telegram</span> <span class="k">WITH</span> <span class="n">PASSWORD</span> <span class="s1">'mautrix'</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">CONNECT</span> <span class="k">ON</span> <span class="k">DATABASE</span> <span class="n">matrix_telegram</span> <span class="k">TO</span> <span class="n">telegram</span><span class="p">;</span> <span class="c1">-- Personal note: ENTER THE DATABASE !!</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">ON</span> <span class="k">SCHEMA</span> <span class="k">public</span> <span class="k">TO</span> <span class="n">telegram</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">ON</span> <span class="k">ALL</span> <span class="n">TABLES</span> <span class="k">IN</span> <span class="k">SCHEMA</span> <span class="k">public</span> <span class="k">TO</span> <span class="n">telegram</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">ON</span> <span class="k">ALL</span> <span class="n">SEQUENCES</span> <span class="k">IN</span> <span class="k">SCHEMA</span> <span class="k">public</span> <span class="k">TO</span> <span class="n">telegram</span><span class="p">;</span> <span class="c1">-- Give priveleges for all newly created tables as well</span> <span class="k">ALTER</span> <span class="k">DEFAULT</span> <span class="k">PRIVILEGES</span> <span class="k">FOR</span> <span class="k">USER</span> <span class="n">telegram</span> <span class="k">IN</span> <span class="k">SCHEMA</span> <span class="k">public</span> <span class="k">GRANT</span> <span class="k">SELECT</span><span class="p">,</span> <span class="k">INSERT</span><span class="p">,</span> <span class="k">UPDATE</span><span class="p">,</span> <span class="k">DELETE</span> <span class="k">ON</span> <span class="n">TABLES</span> <span class="k">TO</span> <span class="n">telegram</span><span class="p">;</span> </code></pre> </div> <p>(A bit overkill but, hey, works for me... If some commands fail you may need to wait a bit for the pods to synchronize or even reduce the number of replicas to 1 while making changes)</p> <blockquote> <p>Errata: Once again we cannot use stateful features to the fullest. Replicating data across pods is not done automatically by the <strong>K8s</strong> system and dependends on the application. It took me a while to figure that out and I'll have to study how to do it properly for each case. For now we'll keep it at only one instance and address proper replication later</p> </blockquote> <p>If you still get some log errors about an unknown token, go into the admin room of your <strong>Conduit</strong> server and send this message:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2gls98w1tzqhaouz25z1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2gls98w1tzqhaouz25z1.png" alt="Registering appservice"></a></p> <p>Finally, start a private chat with <code>@telegrambot&lt;your server name&gt;</code> (default name, may be changed in the config) and follow the login procedure:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffkswo9lah0f63lhn26rw.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffkswo9lah0f63lhn26rw.png" alt="Telegram bot login"></a></p> <p>Invites for your <strong>Telegram</strong> groups and private chats should start appearing, and now you can be happy again!</p> <p>Thanks for reading. See you next time</p> selfhosting kubernetes censorship decentralization Beppe Fri, 20 Sep 2024 23:24:25 +0000 https://dev.to/beppe90/the-home-server-journey-4-enter-the-matrix-55ki https://dev.to/beppe90/the-home-server-journey-4-enter-the-matrix-55ki <p>Hello</p> <p>Time to forget about <a href="https://dev.to/ancapepe/the-home-server-journey-3-an-actually-global-hello-2af6">simple demo containers</a> and struggle [not so much] with the configuration details of fully-featured applications. Today we not only put <strong>Kubernetes</strong> to production-level usage, but find out about some strengths and weaknesses of <a href="https://en.wikipedia.org/wiki/Distributed_computing" rel="noopener noreferrer"><strong>distributed computing</strong></a></p> <h3> Notes on storage </h3> <p>Code nowadays, more than ever, works consuming and producing huge amounts of data, that usually has (or "have", since "data" is plural for "datum"?) to be kept for later. It's no surprise then that the capacity to store information is one of the most valuable commodities in IT, always at risk of being depleted due to poor optimization</p> <p>In the containerized world, where application instances can be created and recreated dynamically, extra steps have to be taken for reusing disk space and avoiding duplication whenever possible. That's why <strong>K8s</strong> adopts a layered approach: deployments don't create <a href="https://kubernetes.io/docs/concepts/storage/persistent-volumes/" rel="noopener noreferrer"><strong>Persistent Volumes</strong></a>, roughly equivalent to root folders, on their own, but set their storage requirements via <a href="https://kubernetes.io/docs/concepts/storage/persistent-volumes/#binding" rel="noopener noreferrer"><strong>Persistent Volume Claims</strong></a> </p> <p>Long story short, administrators either create the necessary volumes manually or let the claims be managed by a <a href="https://kubernetes.io/docs/concepts/storage/storage-classes/" rel="noopener noreferrer"><strong>Storage Class</strong></a>, to provide volumes on demand. Like ingresses have multiple controller implementations, depending on the backend, storage classes allow for different providers, offering a variety of <strong>local</strong> and <strong>remote</strong> (including <strong>cloud</strong>) data resources:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqjeeybd47u8xrd0qiy5p.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqjeeybd47u8xrd0qiy5p.png" alt="Nana's tutorial" width="800" height="544"></a><br> (Screenshot from <a href="https://www.youtube.com/watch?v=X48VuDVv0do" rel="noopener noreferrer">Nana's tutorial</a>)</p> <p>Although local is an easy to use option, it quickly betrays the purpose of container orchestration: tying storage to a specific machine's disk path prevents multiple pod replicas from being distributed among multiple nodes for <a href="https://en.wikipedia.org/wiki/Load_balancing_(computing)" rel="noopener noreferrer">load balancing</a>. Besides, if we wish to avoid cloud providers (like <strong>Google</strong> or <strong>AWS</strong>) to have full control of our data, we're left with [local] network storage solutions like <a href="https://wiki.archlinux.org/title/NFS" rel="noopener noreferrer"><strong>NFS</strong></a></p> <p>If you remember <a href="https://dev.to/ancapepe/the-home-server-journey-1-motivation-and-approach-5fhj">the first article</a>, my setup consists of one <strong>USB</strong> hard disk (meant for persistent volumes) connected to each node board. That's not ideal for <strong>NFS</strong>, as decoupling storage from the <strong>K8s</strong> cluster, using a dedicated computer, would prevent node crashes compromising data availability to the rest. Still, I can at least make the devices share disks with each other</p> <p>In order to expose external drive's partition to the network, begin by ensuring that they're mounted during initialization by editing <code>/etc/fstab</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Finding the partition's UUID (assuming a EXT4-formatted disk)</span> <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span>lsblk <span class="nt">-f</span> NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS sda └─sda1 ext4 1.0 69c7df98-0349-4c47-84ce-514a1699ccf1 869.2G 0% mmcblk0 ├─mmcblk0p1 vfat FAT16 BOOT_MNJRO 42D4-5413 394.8M 14% /boot └─mmcblk0p2 ext4 1.0 ROOT_MNJRO 83982167-1add-4b6a-ad63-3479493a4510 44.4G 18% /var/lib/kubelet/pods/ae500dcf-b765-4f37-be8c-ee20fbb3ea1b/volume-subpaths/welcome-volume/welcome/0 / zram0 <span class="o">[</span>SWAP] <span class="c"># Creating the mount point for the external partition</span> <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">sudo mkdir</span> /storage <span class="c"># Adding line with mount configuration to fstab </span> <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">echo</span> <span class="s1">'UUID=69c7df98-0349-4c47-84ce-514a1699ccf1 /storage ext4 defaults,noatime 0 2'</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /etc/fstab <span class="c"># Check the contents</span> <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">cat</span> /etc/fstab <span class="c"># Static information about the filesystems.</span> <span class="c"># See fstab(5) for details.</span> <span class="c"># &lt;file system&gt; &lt;dir&gt; &lt;type&gt; &lt;options&gt; &lt;dump&gt; &lt;pass&gt;</span> <span class="nv">PARTUUID</span><span class="o">=</span>42045b6f-01 /boot vfat defaults,noexec,nodev,showexec 0 0 <span class="nv">PARTUUID</span><span class="o">=</span>42045b6f-02 / ext4 defaults 0 1 <span class="nv">UUID</span><span class="o">=</span>69c7df98-0349-4c47-84ce-514a1699ccf1 /storage ext4 defaults,noatime 0 2 </code></pre> </div> <p>Reboot and check if you can access the contents of the <code>/storage</code> folder (or whatever path you've chosen). Proceed by setting up the <strong>NFS</strong> server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install required packages (showing the ones for Manjaro Linux)</span> <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">sudo </span>pacman <span class="nt">-S</span> nfs-utils rpcbind <span class="c"># ...</span> <span class="c"># Installation process ...</span> <span class="c"># ...</span> <span class="c"># Add disk sharing configurations (Adapt to you local network address range)</span> <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">echo</span> <span class="s1">'/storage 192.168.3.0/24(rw,sync,no_wdelay,no_root_squash,insecure)'</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /etc/exports <span class="c"># Check the contents</span> <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">cat</span> /etc/exports <span class="c"># /etc/exports - exports(5) - directories exported to NFS clients</span> <span class="c">#</span> <span class="c"># Example for NFSv3:</span> <span class="c"># /srv/home hostname1(rw,sync) hostname2(ro,sync)</span> <span class="c"># Example for NFSv4:</span> <span class="c"># /srv/nfs4 hostname1(rw,sync,fsid=0)</span> <span class="c"># /srv/nfs4/home hostname1(rw,sync,nohide)</span> <span class="c"># Using Kerberos and integrity checking:</span> <span class="c"># /srv/nfs4 *(rw,sync,sec=krb5i,fsid=0)</span> <span class="c"># /srv/nfs4/home *(rw,sync,sec=krb5i,nohide)</span> <span class="c">#</span> <span class="c"># Use `exportfs -arv` to reload.</span> /storage 192.168.3.0/24<span class="o">(</span>rw,sync,no_wdelay,no_root_squash,insecure<span class="o">)</span> <span class="c"># Update exports based on configuration</span> <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">sudo </span>exportfs <span class="nt">-arv</span> <span class="c"># Enable and start related initialization services</span> <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span>systemctl <span class="nb">enable</span> <span class="nt">--now</span> rpcbind nfs-server <span class="c"># Check if shared folders are visible</span> <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span>showmount localhost <span class="nt">-e</span> Export list <span class="k">for </span>localhost: /storage 192.168.3.0/24 </code></pre> </div> <p>(Remember that your mileage may vary)</p> <p><em>Phew</em>, and that's just the first part of it! Not only you have to do the same process for every machine whose storage you wish to share, but afterwards it's necessary to install a <strong>NFS</strong> provisioner to the <strong>K8s</strong> cluster. Here I have used <a href="https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner" rel="noopener noreferrer"><strong>nfs-subdir-external-provisioner</strong></a>, not as-it-is, but modifying 2 manifest files to my liking:</p> <ul> <li>Modified <code>deploy/rbac.yaml</code> (Access permissions): </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nfs-client-provisioner</span> <span class="c1"># replace with namespace where provisioner is deployed</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">nfs-storage</span> <span class="nn">---</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nfs-client-provisioner-runner</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">nodes"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">persistentvolumes"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">create"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">delete"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">persistentvolumeclaims"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">update"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">storage.k8s.io"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">storageclasses"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">events"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">create"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">update"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">patch"</span><span class="pi">]</span> <span class="nn">---</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">run-nfs-client-provisioner</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nfs-client-provisioner</span> <span class="c1"># replace with namespace where provisioner is deployed</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">nfs-storage</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nfs-client-provisioner-runner</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="nn">---</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">leader-locking-nfs-client-provisioner</span> <span class="c1"># replace with namespace where provisioner is deployed</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">nfs-storage</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">endpoints"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">create"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">update"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">patch"</span><span class="pi">]</span> <span class="nn">---</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">leader-locking-nfs-client-provisioner</span> <span class="c1"># replace with namespace where provisioner is deployed</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">nfs-storage</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nfs-client-provisioner</span> <span class="c1"># replace with namespace where provisioner is deployed</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">nfs-storage</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">leader-locking-nfs-client-provisioner</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> </code></pre> </div> <p>(Here just set the namespace to your liking)</p> <ul> <li>Modified <code>deploy/deployment.yaml</code> (Storage classes): </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nfs-client-provisioner</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nfs-client-provisioner</span> <span class="c1"># replace with namespace where provisioner is deployed</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">nfs-storage</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Recreate</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nfs-client-provisioner</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nfs-client-provisioner</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">nfs-client-provisioner</span> <span class="na">containers</span><span class="pi">:</span> <span class="c1"># 1TB disk on Odroid N2+</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nfs-client-provisioner-big</span> <span class="na">image</span><span class="pi">:</span> <span class="s">registry.k8s.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nfs-root-big</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/persistentvolumes</span> <span class="c1"># CAN'T CHANGE THIS PATH</span> <span class="na">env</span><span class="pi">:</span> <span class="c1"># Environment variables</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">PROVISIONER_NAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s">nfs-provisioner-big</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">NFS_SERVER</span> <span class="c1"># Hostnames don't resolve in setting env vars</span> <span class="na">value</span><span class="pi">:</span> <span class="s">192.168.3.10</span> <span class="c1"># Looking for a way to make it more flexible</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">NFS_PATH</span> <span class="na">value</span><span class="pi">:</span> <span class="s">/storage</span> <span class="c1"># 500GB disk on Raspberry Pi 4B</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nfs-client-provisioner-small</span> <span class="na">image</span><span class="pi">:</span> <span class="s">registry.k8s.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nfs-root-small</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/persistentvolumes</span> <span class="c1"># CAN'T CHANGE THIS PATH</span> <span class="na">env</span><span class="pi">:</span> <span class="c1"># Environment variables</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">PROVISIONER_NAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s">nfs-provisioner-small</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">NFS_SERVER</span> <span class="na">value</span><span class="pi">:</span> <span class="s">192.168.3.11</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">NFS_PATH</span> <span class="na">value</span><span class="pi">:</span> <span class="s">/storage</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nfs-root-big</span> <span class="na">nfs</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">192.168.3.10</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/storage</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nfs-root-small</span> <span class="na">nfs</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">192.168.3.11</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/storage</span> <span class="nn">---</span> <span class="c1"># 1TB disk on Odroid N2+</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">storage.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StorageClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nfs-big</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">choppa</span> <span class="na">provisioner</span><span class="pi">:</span> <span class="s">nfs-provisioner-big</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">archiveOnDelete</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">reclaimPolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="nn">---</span> <span class="c1"># 500GB disk on Raspberry Pi 4B</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">storage.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StorageClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nfs-small</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">choppa</span> <span class="na">provisioner</span><span class="pi">:</span> <span class="s">nfs-provisioner-small</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">archiveOnDelete</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">reclaimPolicy</span><span class="pi">:</span> <span class="s">Retain</span> </code></pre> </div> <p>(Make sure that all namespace settings match the RBAC rules. Also notice that, the way the provisioner works, I had to create on storage class for each shared disk)</p> <p>If everything goes according to plan, applying a test like the one below will make volumes appear to meet the claims and the <code>SUCCESS</code> file to be written on each one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-claim-big</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">nfs-big</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteMany</span> <span class="c1"># Concurrent access</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">1Mi</span> <span class="nn">---</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-claim-small</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">nfs-small</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteMany</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">1Mi</span> <span class="nn">---</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-pod-big</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-pod-big</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:stable</span> <span class="na">command</span><span class="pi">:</span> <span class="c1"># Replace the default command for the image by this</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/bin/sh"</span> <span class="na">args</span><span class="pi">:</span> <span class="c1"># Custom command arguments</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-c"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">touch</span><span class="nv"> </span><span class="s">/mnt/SUCCESS</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">exit</span><span class="nv"> </span><span class="s">0</span><span class="nv"> </span><span class="s">||</span><span class="nv"> </span><span class="s">exit</span><span class="nv"> </span><span class="s">1"</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/mnt"</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Never"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-volume</span> <span class="na">persistentVolumeClaim</span><span class="pi">:</span> <span class="na">claimName</span><span class="pi">:</span> <span class="s">test-claim-big</span> <span class="nn">---</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-pod-small</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-pod-small</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:stable</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/bin/sh"</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-c"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">touch</span><span class="nv"> </span><span class="s">/mnt/SUCCESS</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">exit</span><span class="nv"> </span><span class="s">0</span><span class="nv"> </span><span class="s">||</span><span class="nv"> </span><span class="s">exit</span><span class="nv"> </span><span class="s">1"</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/mnt"</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Never"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-volume</span> <span class="na">persistentVolumeClaim</span><span class="pi">:</span> <span class="na">claimName</span><span class="pi">:</span> <span class="s">test-claim-small</span> </code></pre> </div> <p>(Thanks to Albert Weng for <a href="https://weng-albert.medium.com/how-to-create-an-nfs-storageclass-en-fe962242f44e" rel="noopener noreferrer">the very useful guide</a>)</p> <h3> Your Very Own Messaging Service </h3> <p>Now that we have real storage at our disposal, some real apps would be nice. One of the first things that come to mind when I think about data I'd like to protect is the history of my private conversations, where most spontaneous interactions happen and most ideas get forgotten</p> <p>If you're a old school person wishing to host your own messaging, I bet you'd go for <a href="https://en.wikipedia.org/wiki/IRC" rel="noopener noreferrer"><strong>IRC</strong></a> or <a href="https://xmpp.org/" rel="noopener noreferrer"><strong>XMPP</strong></a>. But I'm more of a late millennial, so it's easier to get drawn to fancy stuff like <a href="https://matrix.org/" rel="noopener noreferrer"><strong>Matrix</strong></a>, a protocol for federated communication</p> <p><strong><em>"And what's federation?"</em></strong>, you may ask. Well, to this day, the best video about it I've seen is the one from <a href="https://odysee.com/@SimplyExplained:4e" rel="noopener noreferrer"><strong>Simply Explained</strong></a>. Even though it's focused on <strong>Mastodon</strong> and the <strong>Fediverse</strong> (We'll get there eventually), the same concepts apply:</p> <p><iframe width="710" height="399" src="https://www.youtube.com/embed/S57uhCQBEk0"> </iframe> </p> <p>As any open protocol, the <a href="https://spec.matrix.org/latest/" rel="noopener noreferrer"><strong>Matrix</strong> specification</a> has a number of different implementations, most famously <a href="https://github.com/matrix-org/synapse" rel="noopener noreferrer"><strong>Synapse</strong></a> (Python) and <a href="https://github.com/matrix-org/dendrite" rel="noopener noreferrer"><strong>Dendrite</strong></a> (Go). I've been, however, particularly endeared to <a href="https://conduit.rs/" rel="noopener noreferrer"><strong>Conduit</strong></a>, a lightweight <strong>Matrix</strong> server written in <strong>Rust</strong>. Here I'll show the deployment configuration as recommended by its maintainer, <a href="https://gitlab.com/timokoesters" rel="noopener noreferrer"><strong>Timo Kösters</strong></a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="c1"># Storage requirements component</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">conduit-pv-claim</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">choppa</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">conduit</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">nfs-big</span> <span class="c1"># The used storage class (1TB drive)</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="c1"># For synchronous access, as we don't want data corruption</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">50Gi</span> <span class="c1"># Asking for a ~50 Gigabytes volume</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="c1"># Read-only data component</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">conduit-config</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">choppa</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">conduit</span> <span class="na">data</span><span class="pi">:</span> <span class="na">CONDUIT_CONFIG</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="c1"># Leave empty to inform that we're not using a configuration file</span> <span class="na">CONDUIT_SERVER_NAME</span><span class="pi">:</span> <span class="s1">'</span><span class="s">choppa.xyz'</span> <span class="c1"># The server name that will appear after registered usernames </span> <span class="na">CONDUIT_DATABASE_PATH</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/var/lib/matrix-conduit/'</span> <span class="c1"># Database directory path. Uses the permanent volume</span> <span class="na">CONDUIT_DATABASE_BACKEND</span><span class="pi">:</span> <span class="s1">'</span><span class="s">rocksdb'</span> <span class="c1"># Recommended for performance, sqlite alternative</span> <span class="na">CONDUIT_ADDRESS</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0.0.0.0'</span> <span class="c1"># Listen on all IP addresses/Network interfaces</span> <span class="na">CONDUIT_PORT</span><span class="pi">:</span> <span class="s1">'</span><span class="s">6167'</span> <span class="c1"># Listening port for the process inside the container</span> <span class="na">CONDUIT_MAX_CONCURRENT_REQUESTS</span><span class="pi">:</span> <span class="s1">'</span><span class="s">200'</span> <span class="c1"># Network usage limiting options</span> <span class="na">CONDUIT_MAX_REQUEST_SIZE</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20000000'</span> <span class="c1"># (in bytes, ~20 MB)</span> <span class="na">CONDUIT_ALLOW_REGISTRATION</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="c1"># Allow other people to register in the server (requires token)</span> <span class="na">CONDUIT_ALLOW_FEDERATION</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="c1"># Allow communication with other instances</span> <span class="na">CONDUIT_ALLOW_CHECK_FOR_UPDATES</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="na">CONDUIT_TRUSTED_SERVERS</span><span class="pi">:</span> <span class="s1">'</span><span class="s">["matrix.org"]'</span> <span class="na">CONDUIT_ALLOW_WELL_KNOWN</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="c1"># Generate "/.well-known/matrix/{client,server}" endpoints</span> <span class="na">CONDUIT_WELL_KNOWN_CLIENT</span><span class="pi">:</span> <span class="s1">'</span><span class="s">https://talk.choppa.xyz'</span> <span class="c1"># return value for "/.well-known/matrix/client"</span> <span class="na">CONDUIT_WELL_KNOWN_SERVER</span><span class="pi">:</span> <span class="s1">'</span><span class="s">talk.choppa.xyz:443'</span> <span class="c1"># return value for "/.well-known/matrix/server"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="c1"># Read-only encrypted data</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">conduit-secret</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">choppa</span> <span class="na">data</span><span class="pi">:</span> <span class="na">CONDUIT_REGISTRATION_TOKEN</span><span class="pi">:</span> <span class="s">bXlwYXNzd29yZG9yYWNjZXNzdG9rZW4=</span> <span class="c1"># Registration token/password in base64 format</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">conduit-deploy</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">choppa</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="c1"># Keep it at 1 as the database has an access lock</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Recreate</span> <span class="c1"># Wait for replica to be terminated completely befor creating a new one</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">conduit</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">conduit</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">conduit</span> <span class="na">image</span><span class="pi">:</span> <span class="s">ancapepe/conduit:next</span> <span class="c1"># fork of matrixconduit/matrix-conduit:next</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">IfNotPresent"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">6167</span> <span class="c1"># Has to match the configuration above</span> <span class="na">name</span><span class="pi">:</span> <span class="s">conduit-port</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="c1"># Take all data from a config file </span> <span class="pi">-</span> <span class="na">configMapRef</span><span class="pi">:</span> <span class="c1"># As environment variables</span> <span class="na">name</span><span class="pi">:</span> <span class="s">conduit-config</span> <span class="na">env</span><span class="pi">:</span> <span class="c1"># Set environment variables one by one</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CONDUIT_REGISTRATION_TOKEN</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="c1"># Take data from a secret</span> <span class="na">name</span><span class="pi">:</span> <span class="s">conduit-secret</span> <span class="c1"># Secret source</span> <span class="na">key</span><span class="pi">:</span> <span class="s">CONDUIT_REGISTRATION_TOKEN</span> <span class="c1"># Data entry key</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/var/lib/matrix-conduit/</span> <span class="c1"># Mount the referenced volume into this path (database)</span> <span class="na">name</span><span class="pi">:</span> <span class="s">rocksdb</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">rocksdb</span> <span class="c1"># Label the volume for this deployment</span> <span class="na">persistentVolumeClaim</span><span class="pi">:</span> <span class="na">claimName</span><span class="pi">:</span> <span class="s">conduit-pv-claim</span> <span class="c1"># Reference volumen create by the claim</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">conduit-service</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">choppa</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">conduit</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8448</span> <span class="c1"># Using the default port for federation (not required)</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">conduit-port</span> </code></pre> </div> <p>One thing you should know is that the K8s architecture is optimized for <a href="https://www.redhat.com/en/topics/cloud-native-apps/stateful-vs-stateless" rel="noopener noreferrer"><strong>stateless applications</strong></a>, which don't store changing information within themselves and whose output depend solely on input from the user or auxiliary processes. <strong>Conduit</strong>, on the contrary, is tightly coupled with its high-performance database, <a href="https://rocksdb.org/" rel="noopener noreferrer"><strong>RocksDB</strong></a>, and has <strong>stateful</strong> behavior. That's why we need to take extra care by not replicating our process in order to prevent <a href="https://www.mathworks.com/products/polyspace/static-analysis-notes/what-data-races-how-avoid-during-software-development.html" rel="noopener noreferrer">data races</a> when accessing storage</p> <blockquote> <p>There's actually a way to run multiple replicas of a stateful pod, that requires different component types to create one volume copy for each container and keep all them in sync. But let's keep it "simple" for now. More on that in a future chapter</p> </blockquote> <p>We introduce here a new component type, <a href="https://kubernetes.io/docs/concepts/configuration/secret/" rel="noopener noreferrer"><strong>Secret</strong></a>, intended for sensible information such as passwords and access tokens. It requires that all data is set in a <a href="https://www.base64encode.org/" rel="noopener noreferrer"><strong>Base64</strong>-encoded</a> format for obfuscation, which could be achieved with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">echo</span> <span class="nt">-n</span> mypasswordoraccesstoken | <span class="nb">base64 </span><span class="nv">bXlwYXNzd29yZG9yYWNjZXNzdG9rZW4</span><span class="o">=</span> </code></pre> </div> <p>You might also have noticed that I jumped the gun a bit and acquired a proper domain for myself (so that my <strong>Matrix</strong> server looks nice, of course). I've found one available at a promotional price on <a href="https://www.dynadot.com/" rel="noopener noreferrer"><strong>Dynadot</strong></a>, which now seems even more like a good decision, considering <a href="https://www.techdirt.com/2024/09/18/extwitters-brazil-ban-evasion-cloudflare-cdn-becomes-latest-battleground/" rel="noopener noreferrer">how easy is to bend Cloudflare</a>. Conveniently, the registrar also provides a DNS service, so... 2 for the price of one:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6xblncydbwyx78jqa9vp.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6xblncydbwyx78jqa9vp.png" alt="Dynadot DNS" width="670" height="487"></a></p> <p>The <a href="https://en.wikipedia.org/wiki/List_of_DNS_record_types" rel="noopener noreferrer"><strong>CNAME</strong></a> record is basically an alias: the subdomain <code>talk.choppa.xyz</code> is simply redirected to <code>choppa.xyz</code> and just works as a hint for our <strong>reverse proxy</strong> from the previous chapter:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="c1"># Component type</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">proxy</span> <span class="c1"># Component name</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">choppa</span> <span class="c1"># You may add the default namespace for components as a paramenter</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">cert-manager.io/cluster-issuer</span><span class="pi">:</span> <span class="s">letsencrypt</span> <span class="na">kubernetes.io/ingress.class</span><span class="pi">:</span> <span class="s">traefik</span> <span class="na">status</span><span class="pi">:</span> <span class="na">loadBalancer</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">traefik</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">choppa.xyz</span> <span class="pi">-</span> <span class="s">talk.choppa.xyz</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">certificate</span> <span class="na">rules</span><span class="pi">:</span> <span class="c1"># Routing rules</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">choppa.xyz</span> <span class="c1"># Expected domain name of request, including subdomain</span> <span class="na">http</span><span class="pi">:</span> <span class="c1"># For HTTP or HTTPS requests</span> <span class="na">paths</span><span class="pi">:</span> <span class="c1"># Behavior for different base paths</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="c1"># For all request paths</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">welcome-service</span> <span class="c1"># Redirect to this service</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">8080</span> <span class="c1"># Redirect to this internal service port</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/.well-known/matrix/</span> <span class="c1"># Paths for Conduit delegation</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">ImplementationSpecific</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">conduit-service</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">8448</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">talk.choppa.xyz</span> <span class="c1"># Conduit server subdomain</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">conduit-service</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">8448</span> </code></pre> </div> <p>If your <code>CONDUIT_SERVER_NAME</code> differs from the [sub]domain where your server is hosted, other <strong>Matrix</strong> federated instances will look for the actual address in <a href="https://en.wikipedia.org/wiki/Well-known_URI" rel="noopener noreferrer"><strong>Well-known URIs</strong></a>. Normally you'd have to serve them manually, but <strong>Conduit</strong> has a convenient <a href="https://docs.conduit.rs/delegation.html" rel="noopener noreferrer">automatic delegation</a> feature that helps your set it up with the <code>CONDUIT_WELL_KNOWN_*</code> env variables</p> <blockquote> <p>Currently, at version <code>0.8</code>, automatically delegation via env vars is not working properly. Timo has helped me debug it (Thanks!) at <a href="https://matrix.to/#/#conduit:fachschaften.org" rel="noopener noreferrer">Conduit's Matrix room</a> and I have submitted a <a href="https://gitlab.com/famedly/conduit/-/merge_requests/718" rel="noopener noreferrer">patch</a>. Let's hope it gets fixed for <code>0.9</code>. Meanwhile, you may use the custom image I'm referencing in the configuration example</p> <p>Update: Aaaaaand... it's merged!</p> </blockquote> <p>With ALL that said, let's apply the deployment and hope for the best:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzsrpv8wy6sbvepkg5wjf.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzsrpv8wy6sbvepkg5wjf.png" alt="Conduit running" width="800" height="663"></a><br> (Success !?)</p> <p>With your instance running, you can now use <strong>Matrix</strong> clients [that support registration tokens] like <a href="https://element.io/" rel="noopener noreferrer"><strong>Element</strong></a> or <a href="https://nheko-reborn.github.io/" rel="noopener noreferrer"><strong>Nheko</strong></a> to register your user, login and have fun!</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F18tteovs8d3pjzbddd9p.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F18tteovs8d3pjzbddd9p.png" alt="Element login" width="800" height="419"></a></p> <p>See you soon </p> selfhosting kubernetes censorship decentralization Beppe Wed, 18 Sep 2024 12:48:32 +0000 https://dev.to/beppe90/the-home-server-journey-3-an-actually-global-hello-2af6 https://dev.to/beppe90/the-home-server-journey-3-an-actually-global-hello-2af6 <p>Hi again</p> <p>For starters, I apologize for setting up the wrong expectations: <a href="https://dev.to/ancapepe/the-home-server-journey-1-motivation-and-approach-5fhj"><strong>chapter 1</strong></a> anticipated all that stuff about <strong>external IPs</strong> and <strong>name servers</strong> [like it would be immediately necessary], but event in <a href="https://dev.to/ancapepe/the-home-server-journey-2-the-control-room-fng"><strong>chapter 2</strong></a> we still only accessed applications inside the <strong>local network</strong></p> <p>In my defense, I wished to make all the prerequisites clear from the get-go, so that there where no surprises about what you were getting into. Anyway, let's address that today, sooner rather than later, shall we?</p> <h3> Your Virtual Home Receptionist </h3> <p>The reason why you can't simply type <code>http://&lt;my WAN IP&gt;:8080</code> or <code>http://mybeautifuldomain.com:8080</code> to view the test page you're running is due to <strong>K3s</strong> (and <strong>Kubernetes</strong> implementations in general) not exposing pods by default. And that's the sensible decision, considering that not every application is supposed to be reached from outside, like a <strong>database</strong> providing storage for your backend service</p> <blockquote> <p>Those access restrictions are created with the container runtime using <a href="https://en.wikipedia.org/wiki/Iptables" rel="noopener noreferrer"><strong>iptables</strong></a> to set network rules. I've learned it the hard way when <strong>K3s</strong> conflicted with the <a href="https://netfilter.org/projects/nftables/" rel="noopener noreferrer"><strong>nftables</strong></a> system service I had already running (fixed by disabling the latter). Time to update to new tools, <strong>containerd</strong>!</p> </blockquote> <p>Moreover, while it's obvious where external requests should go to when we have a single application, how to handle many containers exposed to Internet access? For instance, it's not practical or sometimes even possible to demand an explicit port to select different Web services (e.g. <code>mydomain.com:8081</code> and <code>mydomain.com:8082</code>), being the standard to use the default <code>80</code> and <code>443</code> ports for <strong>HTTP</strong> and <strong>HTTPS</strong>, respectively</p> <p>With such requirement, it's common to share a single IP address (<strong>host</strong> and <strong>port</strong>) using <strong>paths</strong> (e.g. <code>mydomain.com/app1</code> and <code>mydomain.com/app2</code>) or <strong>subdomains</strong> (e.g. <code>app1.mydomain.com</code> and <code>app2.mydomain.com</code>) to address a particular process. To achieve that, messages have to be interpreted for rerouting [to a local port] before reaching their intended target, a task performed by what is known as a <a href="https://www.cloudflare.com/learning/cdn/glossary/reverse-proxy/" rel="noopener noreferrer"><strong>reverse proxy</strong></a></p> <p>In <strong>K8s</strong> terminology, the component responsible for that functionality is called <a href="https://kubernetes.io/docs/concepts/services-networking/ingress/" rel="noopener noreferrer"><strong>Ingress</strong></a>. It's actually a common interface for different implementations named <strong>Ingress Controllers</strong>, of which it's <strong>usually</strong> recommended (if you're not doing anything fancy or advanced) to use the <a href="https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/" rel="noopener noreferrer"><strong>NGINX</strong></a>-based one, as it's <a href="https://github.com/kubernetes/ingress-nginx" rel="noopener noreferrer">officially maintained</a></p> <p>I emphasize <strong>usually</strong> because <strong>K3s</strong> is different and comes with a <a href="https://traefik.io/traefik/" rel="noopener noreferrer"><strong>Traefik</strong></a>-based ingress controller by default. Taking that into account, as much as I like <strong>NGINX</strong> outside the container's world, I'd rather keep things simple and use what's already in place</p> <blockquote> <p>It's totally fine to use <strong>Ingress-Nginx</strong>, tough. Just get into the <a href="https://github.com/kubernetes/ingress-nginx" rel="noopener noreferrer"><strong>GitHub</strong> repository</a> and follow the instructions. I've used it myself before running into problems with upgrades (but you're not that dumb, right?). Be aware that all components will be created in their own predefined namespace, valid system-wide</p> </blockquote> <p>Now we may use the provided controller to set our <strong>ingress</strong> rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="c1"># Component type</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">proxy</span> <span class="c1"># Component name</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">test</span> <span class="c1"># You may add the default namespace for components as a paramenter</span> <span class="na">status</span><span class="pi">:</span> <span class="na">loadBalancer</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">traefik</span> <span class="c1"># Type of controller being used </span> <span class="na">rules</span><span class="pi">:</span> <span class="c1"># Routing rules</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">choppaserver.dynv6.net</span> <span class="c1"># Expected domain name of request, including subdomain</span> <span class="na">http</span><span class="pi">:</span> <span class="c1"># For HTTP or HTTPS requests (standard ports)</span> <span class="na">paths</span><span class="pi">:</span> <span class="c1"># Behavior for different base paths</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="c1"># For all request paths</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">welcome-service</span> <span class="c1"># Redirect to this service</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">8080</span> <span class="c1"># Redirect to this internal service port</span> </code></pre> </div> <blockquote> <p>As now the ingress exposes the service to the external network, it's not required to set the configuration <code>type: LoadBalancer</code> for <code>welcome-service</code>, as done <a href="https://dev.to/ancapepe/the-home-server-journey-2-the-control-room-fng">on the previous chapter</a>, which changes its behavior to the default <a href="https://kubernetes.io/docs/concepts/services-networking/service/#type-clusterip" rel="noopener noreferrer"><strong>ClusterIP</strong></a></p> </blockquote> <p>Save it to a file, apply the manifest with <code>kubectl</code>, and in the case everything is correct (including the network instructions from the first article), the test page should be accessible via domain name <strong>OR</strong> you get something like this:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg0k7y0qiij5y1mt2grlt.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg0k7y0qiij5y1mt2grlt.png" alt="Image description" width="800" height="541"></a></p> <p>Which is just the browser being picky with non-secure access, using <code>http://</code> instead of <code>https://</code> or not having valid certificates (more on that later). If you want to check the contents of the page, just be a pro for now and use <code>curl</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="s2">"http://choppaserver.dynv6.net"</span> &lt;<span class="o">!</span>DOCTYPE HTML&gt; &lt;html <span class="nv">lang</span><span class="o">=</span><span class="s2">"en"</span><span class="o">&gt;</span> &lt;<span class="nb">head</span><span class="o">&gt;</span> &lt;meta <span class="nv">charset</span><span class="o">=</span><span class="s2">"utf-8"</span><span class="o">&gt;</span> &lt;title&gt;Directory listing <span class="k">for</span> /&lt;/title&gt; &lt;/head&gt; &lt;body&gt; &lt;h1&gt;Directory listing <span class="k">for</span> /&lt;/h1&gt; &lt;hr&gt; &lt;ul&gt; &lt;li&gt;&lt;a <span class="nv">href</span><span class="o">=</span><span class="s2">"welcome.txt"</span><span class="o">&gt;</span>welcome.txt&lt;/a&gt;&lt;/li&gt; &lt;/ul&gt; &lt;hr&gt; &lt;/body&gt; &lt;/html&gt; <span class="nv">$ </span>curl <span class="s2">"http://choppaserver.dynv6.net/welcome.txt"</span> Hello, world! </code></pre> </div> <p>(Almost the same... Who needs browsers anyway?)</p> <h3> Papers, please </h3> <p>Seriously, though, <a href="https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/" rel="noopener noreferrer"><strong>SSL certificates</strong></a> are important nowadays [with <strong>HTTPS</strong> being ubiquitous], and we need to get one. The easiest way is to let them be automatically generated by <a href="https://cert-manager.io/" rel="noopener noreferrer"><strong>cert-manager</strong></a>. To cut it short, <a href="https://github.com/cert-manager/cert-manager/releases" rel="noopener noreferrer">get the latest version of the manifest file from <strong>GitHub</strong></a> or simply install directly from the download link:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> https://github.com/jetstack/cert-manager/releases/download/&lt;desired version&gt;/cert-manager.yaml namespace/cert-manager created customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created serviceaccount/cert-manager-cainjector created serviceaccount/cert-manager created serviceaccount/cert-manager-webhook created clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created clusterrole.rbac.authorization.k8s.io/cert-manager-cluster-view created clusterrole.rbac.authorization.k8s.io/cert-manager-view created clusterrole.rbac.authorization.k8s.io/cert-manager-edit created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created role.rbac.authorization.k8s.io/cert-manager:leaderelection created role.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created service/cert-manager created service/cert-manager-webhook created deployment.apps/cert-manager-cainjector created deployment.apps/cert-manager created deployment.apps/cert-manager-webhook created mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created </code></pre> </div> <p>(Quite a few pieces, huh?)</p> <p>Wait for the manager pods to complete their initialization:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flhbz4tfuigh23q3vsch9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flhbz4tfuigh23q3vsch9.png" alt="Cert-manager pods" width="800" height="439"></a></p> <p>The manifest not only creates many standard <strong>K8s</strong> resources but also defines new custom ones, like the <strong>ClusterIssuer</strong> we have to manually add now for each environment (only one in our case):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cert-manager.io/v1</span> <span class="c1"># API service created by cert-manager</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterIssuer</span> <span class="c1"># Custom component type</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">letsencrypt</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">cert-manager</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">acme</span><span class="pi">:</span> <span class="c1"># The ACME server URL</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://acme-v02.api.letsencrypt.org/directory</span> <span class="c1"># Email address used for ACME registration</span> <span class="na">email</span><span class="pi">:</span> <span class="s">&lt;your e-mail here&gt;</span> <span class="c1"># Name of a secret used to store the ACME account private key</span> <span class="na">privateKeySecretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">letsencrypt</span> <span class="c1"># Enable the HTTP-01 challenge provider</span> <span class="na">solvers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">http01</span><span class="pi">:</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">class</span><span class="pi">:</span> <span class="s">traefik</span> <span class="c1"># Ingress controller type</span> </code></pre> </div> <p>(As always, save the <strong>.yaml</strong> and apply. A <strong>ClusterIssuer</strong> is not namespace-scoped and can be used by <strong>Certificate</strong> resources in any namespace)</p> <p>Here we're using the <strong>ACME</strong> challenge with an <strong>HTTP01</strong> solver to get a valid result from the <a href="https://letsencrypt.org/" rel="noopener noreferrer"><strong>Let's Encrypt</strong></a> certificate authority, and I honestly can't explain to you properly what all that means. However, one thing that I know is that this particular solver requires the ability to open port <code>80</code> to receive requests. It's common for <a href="https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers" rel="noopener noreferrer"><strong>system ports</strong></a> (below <code>1024</code>) to be restricted by your <strong>ISP</strong>, and if that's your case a <strong>DNS01</strong> solver might be useful. Please consult <a href="https://cert-manager.io/docs/configuration/acme/" rel="noopener noreferrer">the documentation</a> for more</p> <p>Finally, we can edit our ingress manifest to define the domains requiring a certificate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="c1"># Component type</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">proxy</span> <span class="c1"># Component name</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">test</span> <span class="c1"># You may add the default namespace for components as a paramenter</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">cert-manager.io/cluster-issuer</span><span class="pi">:</span> <span class="s">letsencrypt</span> <span class="c1"># Reference the utilized ClusterIssuer name </span> <span class="na">kubernetes.io/ingress.class</span><span class="pi">:</span> <span class="s">traefik</span> <span class="c1"># Ingress controller type (yes, again)</span> <span class="na">status</span><span class="pi">:</span> <span class="na">loadBalancer</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">traefik</span> <span class="c1"># Ingress controller type</span> <span class="na">tls</span><span class="pi">:</span> <span class="c1"># Certificate options</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="c1"># List of valid hosts</span> <span class="pi">-</span> <span class="s">choppaserver.dynv6.net</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">certificate</span> <span class="c1"># Secret component that will store the certificates </span> <span class="na">rules</span><span class="pi">:</span> <span class="c1"># Routing rules</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">choppaserver.dynv6.net</span> <span class="c1"># Expected domain name of request, including subdomain</span> <span class="na">http</span><span class="pi">:</span> <span class="c1"># For HTTP or HTTPS requests</span> <span class="na">paths</span><span class="pi">:</span> <span class="c1"># Behavior for different base paths</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="c1"># For all request paths</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">welcome-service</span> <span class="c1"># Redirect to this service</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">8080</span> <span class="c1"># Redirect to this internal service port</span> </code></pre> </div> <p>After a while, a secret with the name defined in <code>secretName</code> should appear in the namespace you're using:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsgkxo97p4yxlpgwkhfn9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsgkxo97p4yxlpgwkhfn9.png" alt="Certificate secret" width="800" height="442"></a></p> <p>And the browser should stop complaining about the lack of security in your Web page:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc0r15yi1f7m4dqwke9gg.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc0r15yi1f7m4dqwke9gg.png" alt="Secure access" width="694" height="492"></a></p> <p>Congrats! Now you the actual world can hear you say "hello". For more information on setting up <strong>cert-manager</strong>, see <a href="https://levelup.gitconnected.com/easy-steps-to-install-k3s-with-ssl-certificate-by-traefik-cert-manager-and-lets-encrypt-d74947fe7a8" rel="noopener noreferrer">this guide</a> (or <a href="https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes" rel="noopener noreferrer">this one</a> for <strong>Ingress-Nginx</strong>)</p> <p>See you next time</p> selfhosting kubernetes censorship decentralization Beppe Tue, 17 Sep 2024 00:47:49 +0000 https://dev.to/beppe90/the-home-server-journey-2-the-control-room-fng https://dev.to/beppe90/the-home-server-journey-2-the-control-room-fng <p>I confess that not adding some application deployment to <a href="https://dev.to/ancapepe/the-home-server-journey-1-motivation-and-approach-5fhj">our first article</a> left me a bit frustrated, but I was unsure about it's length, even more so for an author whose reputation alone wouldn't [yet] make people pay more attention that what's natural. But let's fix that right away and get something running. </p> <h3> Hello, World! </h3> <p>As we're talking about <strong>Internet</strong> servers, what better than a <strong>Web</strong> page? I've found a very fitting test container in <strong>jdkelley</strong>'s <a href="https://hub.docker.com/r/jdkelley/simple-http-server" rel="noopener noreferrer"><code>simple-http-server</code></a>, but there was an issue: no image available for the <strong>ARM</strong> architecture. That's the only reason why I had to build one and publish it to <a href="https://hub.docker.com/repository/docker/ancapepe/http-server/general" rel="noopener noreferrer">my own repository</a>, I swear</p> <p>If those concepts related to containers are still confusing to you, I recommend following <strong>Nana Janashia</strong>'s tutorials and crash courses. She's an amazing teacher and I wouldn't be able to quickly summarize all the knowledge she provides. Her <strong>Docker</strong> lectures compilation is linked below:</p> <p><iframe width="710" height="399" src="https://www.youtube.com/embed/3c-iBn73dDE"> </iframe> </p> <p>With that out of the way (thanks, Nana), let's use our test image in our first <strong>Kubernetes</strong> <a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/" rel="noopener noreferrer"><strong>deployment</strong></a>, where containers are encapsulated as <a href="https://kubernetes.io/docs/concepts/workloads/pods/" rel="noopener noreferrer"><strong>pods</strong></a>. From now on I'll be abusing comments inside the <a href="https://en.wikipedia.org/wiki/YAML" rel="noopener noreferrer"><strong>YAML</strong></a>-format <strong>manifest files</strong> as it's an easier and more compact way to describe each parameter:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="c1"># Specification version</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="c1"># Static/immutable data/information component</span> <span class="na">metadata</span><span class="pi">:</span> <span class="c1"># Identification attributes</span> <span class="na">name</span><span class="pi">:</span> <span class="s">welcome-config</span> <span class="c1"># Component name</span> <span class="na">data</span><span class="pi">:</span> <span class="c1"># Contents list</span> <span class="na">welcome.txt</span><span class="pi">:</span> <span class="pi">|</span> <span class="c1"># Data item name and contents</span> <span class="s">Hello, world!</span> <span class="s">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="c1"># Immutable application management component</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">welcome-deploy</span> <span class="c1"># Component name</span> <span class="na">labels</span><span class="pi">:</span> <span class="c1"># Markers used for identification by other components</span> <span class="na">app</span><span class="pi">:</span> <span class="s">welcome</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="c1"># Number of application pod instances</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="c1"># Markers searched for in other components</span> <span class="na">app</span><span class="pi">:</span> <span class="s">welcome</span> <span class="na">template</span><span class="pi">:</span> <span class="c1"># Settings for every pod that is part of this deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">welcome</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="c1"># List of deployed container in each pod replica</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">welcome</span> <span class="c1"># Container name</span> <span class="na">image</span><span class="pi">:</span> <span class="s">ancapepe/http-server:python-latest</span> <span class="c1"># Image used for this container</span> <span class="na">ports</span><span class="pi">:</span> <span class="c1"># List of exposed network ports for this container</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8000</span> <span class="c1"># Port number</span> <span class="na">name</span><span class="pi">:</span> <span class="s">welcome-http</span> <span class="c1"># Optional port label for reference </span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="c1"># Data storages accessible to this container</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">welcome-volume</span> <span class="c1"># Storage name</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/serve/welcome.txt</span> <span class="c1"># Storage path inside this container</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">welcome.txt</span> <span class="c1"># Storage path inside the original volume</span> <span class="na">volumes</span><span class="pi">:</span> <span class="c1"># List of volumes available for mounting</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">welcome-volume</span> <span class="c1"># Volume name</span> <span class="na">configMap</span><span class="pi">:</span> <span class="c1"># Use a ConfigMap component as data source</span> <span class="na">name</span><span class="pi">:</span> <span class="s">welcome-config</span> <span class="c1"># ConfigMap reference name</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="c1"># Internal network access component</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">welcome-service</span> <span class="c1"># Component name</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="c1"># Expose service to non-K8s processes</span> <span class="na">selector</span><span class="pi">:</span> <span class="c1"># Bind to deployments with those labels</span> <span class="na">app</span><span class="pi">:</span> <span class="s">welcome</span> <span class="na">ports</span><span class="pi">:</span> <span class="c1"># List of exposed ports</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="c1"># Use TCP Internet protocol</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="c1"># Listen on port 8080</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">welcome-http</span> <span class="c1"># Redirect trafic to this container port</span> </code></pre> </div> <p>(Copy it to a text editor and save it to something like <code>welcome.yaml</code>)</p> <p>Among other things, <strong>Kubernetes</strong> are a solution for <a href="https://www.nops.io/blog/horizontal-vs-vertical-scaling" rel="noopener noreferrer"><strong>horizontal scaling</strong></a>: if your application process is bogged down by many requests, you may instantiate extra copies of it (<strong>replicas</strong>) in order to server a larger demand, even dynamically, but here we'll work with a prefixed amount. Moreover, see how <a href="https://kubernetes.io/docs/concepts/services-networking/service/" rel="noopener noreferrer"><strong>services</strong></a> not only centralize access to all pods of a deployment, but allow us to use a different connection port than the one defined in the <strong>Docker</strong> image </p> <p>A concept you should have in mind when working with <strong>K8s</strong> is <a href="https://simple.wikipedia.org/wiki/Idempotence" rel="noopener noreferrer"><strong>idempotence</strong></a>: manifests such as above don't describe a sequence of operations to set up your pods and auxiliary components, but the <strong>desired final state</strong>, from which the operations (to either create or restore the deployment) are automatically defined. That way, trying to re-apply an already [successfully] applied configuration will result in no changes to the cluster</p> <p>The time has come to get our hands dirty. Surely you may submit your <strong>YAML</strong> files by copying each new version to one of your nodes and invoking <code>k3s kubectl</code> via <strong>SSH</strong>, but how about doing that from the comfort of your desktop, where you have originally edited and saved the manifests?</p> <p>It is possible to install <strong>kubectl</strong> independently of the <strong>K8s</strong> cluster (follow <a href="https://kubernetes.io/docs/tasks/tools/#kubectl" rel="noopener noreferrer">the instructions for each platform</a>), but it won't work out-of-the-box, as your local client doesn't know how to find the remote cluster yet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get nodes E0916 18:45:31.872817 11709 memcache.go:265] couldn<span class="s1">'t get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused E0916 18:45:31.873268 11709 memcache.go:265] couldn'</span>t get current server API group list: Get <span class="s2">"http://localhost:8080/api?timeout=32s"</span>: dial tcp <span class="o">[</span>::1]:8080: connect: connection refused E0916 18:45:31.875167 11709 memcache.go:265] couldn<span class="s1">'t get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused E0916 18:45:31.875837 11709 memcache.go:265] couldn'</span>t get current server API group list: Get <span class="s2">"http://localhost:8080/api?timeout=32s"</span>: dial tcp <span class="o">[</span>::1]:8080: connect: connection refused E0916 18:45:31.877524 11709 memcache.go:265] couldn<span class="s1">'t get current server API group list: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused The connection to the server localhost:8080 was refused - did you specify the right host or port? </span></code></pre> </div> <p>In order to get that information, log into one of your cluster machines and get the system configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span>k3s kubectl config view apiVersion: v1 clusters: - cluster: certificate-authority-data: DATA+OMITTED server: https://127.0.0.1:6443 name: default contexts: - context: cluster: default user: default name: default current-context: default kind: Config preferences: <span class="o">{}</span> <span class="nb">users</span>: - name: default user: client-certificate-data: DATA+OMITTED client-key-data: DATA+OMITTED </code></pre> </div> <p>(Here authentication data is omitted for safety reasons. in order to show the complete configuration, add the <code>--raw</code> option to the end of the command)</p> <p>Copy the <strong>raw</strong> output of the command, change the <code>server</code> IP (just the <code>127.0.0.1</code>) to match your master node's one, and overwrite your desktop's <strong>kubeconfig</strong> file (on Linux, the default location is <code>&lt;user home directory&gt;/.kube/confg</code>) with these modified contents. Now you should be able to use the control client successfully:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get nodes NAME STATUS ROLES AGE VERSION odroidn2-master Ready control-plane,master 9d v1.30.3+k3s1 rpi4-agent Ready &lt;none&gt; 9d v1.30.3+k3s1 </code></pre> </div> <p>Finally, apply our test deployment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> welcome.yaml configmap/welcome-config created deployment.apps/welcome-deploy created service/welcome-service created <span class="nv">$ </span>kubectl get pods NAME READY STATUS RESTARTS AGE welcome-deploy-5bd4cb78b-hvj9z 1/1 Running 0 75s welcome-deploy-5bd4cb78b-xb99p 1/1 Running 0 75s </code></pre> </div> <p>If you regret your decision (already?), that operation may be reverted using the same manifest:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl delete <span class="nt">-f</span> welcome.yaml configmap <span class="s2">"welcome-config"</span> deleted deployment.apps <span class="s2">"welcome-deploy"</span> deleted service <span class="s2">"welcome-service"</span> deleted <span class="nv">$ </span>kubectl get pods NAME READY STATUS RESTARTS AGE welcome-deploy-5bd4cb78b-hvj9z 1/1 Terminating 0 114s welcome-deploy-5bd4cb78b-xb99p 1/1 Terminating 0 114s <span class="c"># A little while later</span> <span class="nv">$ </span>kubectl get pods No resources found <span class="k">in </span>default namespace. </code></pre> </div> <p>As you can see, pods of a given deployment get a random suffix attached to their names, in order to differentiate them. Also, all <strong>Kubernetes</strong> are organized in <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" rel="noopener noreferrer"><strong>namespaces</strong></a> to help with resource management. If not informed as a <code>kubectl</code> command option or inside the file itself, the <code>default</code> namespace is used</p> <p>In order to perform the same operation with a particular namespace, create it first (if not created already):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create namespace <span class="nb">test </span>namespace/test created <span class="nv">$ </span>kubectl apply <span class="nt">-f</span> welcome.yaml <span class="nt">--namespace</span><span class="o">=</span><span class="nb">test </span>configmap/welcome-config created deployment.apps/welcome-deploy created service/welcome-service created <span class="nv">$ </span>kubectl get all <span class="nt">--namespace</span><span class="o">=</span><span class="nb">test </span>NAME READY STATUS RESTARTS AGE pod/welcome-deploy-5bd4cb78b-5df7d 1/1 Running 0 16s pod/welcome-deploy-5bd4cb78b-9cpdj 1/1 Running 0 16s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE service/welcome-service LoadBalancer 10.43.194.209 192.168.3.10,192.168.3.11 8080:31238/TCP 16s NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/welcome-deploy 2/2 2 2 16s NAME DESIRED CURRENT READY AGE replicaset.apps/welcome-deploy-5bd4cb78b 2 2 2 16s </code></pre> </div> <p>(See how namespaces allow to easily select all components that we wish to monitor)</p> <p>With a successful deployment, our Web page should be displayed by accessing one of the external IPs from the <a href="https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer" rel="noopener noreferrer"><strong>LoadBalancer</strong></a> service (which are the node IPs) on any browser (generally you have to make the usage of <strong>HTTP</strong> over <strong>HTTPS</strong> explicitly):</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhafgte4bzmsn1zb6x84c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhafgte4bzmsn1zb6x84c.png" alt="Accessing Web application from browser" width="785" height="889"></a><br> (Opening the listed file works too!)</p> <p>Congrats! Go add it to your list of <strong>LinkedIn</strong>'s skills (just kidding)</p> <p>Again, if you're interested in understanding all those concepts in more depth, in order to follow along this and the next chapters of our guide, Nana comes to the rescue again with her <strong>Kubernetes</strong> tutorial:</p> <p><iframe width="710" height="399" src="https://www.youtube.com/embed/X48VuDVv0do"> </iframe> </p> <h3> A nicer view </h3> <p>That's all well and good, but I bet you can imagine how, as you're developing and running more and more components, issuing commands and keeping track of stuff using <code>kubectl</code> gets quite repetitive. One may open multiple terminals running the <code>get</code> command with <code>--watch</code> as option for automatic updates, but switching between windows is not that great either</p> <p>Thankfully, for whoever likes that approach, there are friendlier <a href="https://en.wikipedia.org/wiki/Graphical_user_interface" rel="noopener noreferrer"><strong>GUI</strong></a>s to help manage yours clusters and deployments. <a href="https://ranchermanager.docs.rancher.com/" rel="noopener noreferrer"><strong>Rancher</strong></a>, developed by the same folks from <strong>K3s</strong>, is one of them, but honestly I've found too complicated to set up. In my previous job I came across an alternative that I consider much more practical: <a href="https://k8slens.dev/" rel="noopener noreferrer"><strong>Lens</strong></a></p> <p>After installing it, if you're interested, there's not much to do to get it running for your cluster. Select the option to add a new one from a <strong>kubeconfig</strong> and paste the contents from your local <strong>kubectl</strong> configuration:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd11l4t19tu3fedcmbotn.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd11l4t19tu3fedcmbotn.png" alt="Lens cluster configuration" width="800" height="381"></a></p> <p>If everything is correct, you'll be able to access it, visualize your resources, edit manifest files, and even use the integrate terminal to create new components with <code>kubectl</code> (There doesn't seem to be a widget for creation, only modification or deletion of existing components):</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc5eu8ejyfgrptvhnqx38.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc5eu8ejyfgrptvhnqx38.png" alt="Image description" width="800" height="428"></a><br> (I don't know about you, but that's what I'll be using from now on)</p> <p>That's it for now! Thanks for reading and let's start making some real-world stuff next time</p> <p><a href="https://dev.to/ancapepe/the-home-server-journey-3-an-actually-global-hello-2af6"><strong>Chapter 3</strong></a></p> kubernetes censorship decentralization selfhosting Beppe Sun, 15 Sep 2024 12:22:52 +0000 https://dev.to/beppe90/the-home-server-journey-1-motivation-and-approach-5fhj https://dev.to/beppe90/the-home-server-journey-1-motivation-and-approach-5fhj <p>Inspired by the recent <strong>Twitter</strong>/<strong>X</strong> situation here in Brazil (no strong opinions on Elon Musk and all this drama, but it surely sucks to lose access to an useful service) and by <a href="https://lettersfrommercia.substack.com/p/time-to-take-privacy-seriously" rel="noopener noreferrer">an important article by Ceadda of Mercia</a>, I've decided to set an old project of mine in motion.</p> <p>Truth is, we grow so used to many readily accessible (even if not completely free) platforms on the Internet that we end up taking this ability to communicate and inform ourselves for granted. We easily forget how liberty has to be conquered every day, and that has to be backed by power i.e. the capacity to do what we want to do</p> <p>Anyway, there are plenty of speeches and commentary around that would do a much better job than me in convincing you of that reality, not to mention the risks of providing all your data directly to third-parties. So here I intend to concentrate where I can add something meaningful: give you some ideas and guidance on how you may own your Internet life a bit more</p> <h3> <em>Living in reality is knowing where things come from and where they go to</em> </h3> <p>Social media, messaging, videos, photos, e-mail, blogs like this one and every other thing that we access on the Internet are all hosted out there, on <strong><em>The Cloud</em></strong>. However, as the saying goes, <strong><em>"'The Cloud' is just someone else's computer"</em></strong>. And why couldn't it be YOUR computer? Well, it could, if you're willing to make some sacrifices </p> <p>You won't be able to run e.g. a personal <strong>Facebook</strong> or <strong>Instagram</strong> server from home, but if you care more about the <em>functionality</em> they provide, well, you may be able to actually own something close to it. Of course your friends would have to come over to your place, and many probably won't. That's part of what I meant by "make some sacrifices": your personalized Web presence will be a bit lonely until it gets some traction</p> <p>But, let's be real, if you're looking into building homeservers having almost no friends is probably the case already... I say it from experience</p> <p>Ok, ok, maybe you DO have quite some friends [on the Internet] and don't want to give up interacting with them. You'd still find usefulness in having your own "cloud" storage/backup, or a less censorable place to publish your ideas </p> <p>I'll try to show a bit of everything. Pick whatever suits you </p> <h3> <em>The meat and potatoes of the issue</em> </h3> <p>I don't plan on being condescending to the point of assuming you don't know the distinction between hardware as software. You might have already figured out that those personal software services would need dedicated hardware to be run, and it would be a good thing to have a relatively low-cost solution, so that affording a brand new <strong>Intel x86</strong> PC (calm down, <strong>Apple M1</strong> users) to keep turned on 24/7 is not a requirement</p> <p>A common approach that I have adopted is resorting to <strong>ARM</strong>-based single board computers. They are cheaper, consume less power and take less space inside my modest house. Below I display my humble initial setup of an <strong>Hardkernel Odroid N2+</strong> and a well-know <strong>Raspberry Pi 4</strong>:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs5re7cpdkqy3pyy9wl9x.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs5re7cpdkqy3pyy9wl9x.png" alt="Odroid N2+ and Raspberry Pi 4 in a home cluster" width="800" height="522"></a><br> (Size doesn't matter if you know how to use it, or so they say)</p> <p>I have also attached one spare hard drive to each one of them using external <strong>USB 3.0</strong> to <strong>SATA</strong> adapter cases, so that we have larger and more reliable storage. Besides, as you might have noticed, there is no screen, keyboard or mouse there, because I'll be managing everything software-wise from my desktop, over the local network (<a href="https://www.cisco.com/c/en/us/products/switches/what-is-a-lan-local-area-network.html" rel="noopener noreferrer"><strong>LAN</strong></a>)</p> <blockquote> <p>Please make sure you have the correct/recommended power supply connected to each board, specially when using external devices powered through USB. I've just had some <strong>undervoltage</strong> issues with the Raspberri Pi for not using the ideal one</p> </blockquote> <p>Both machines are running <a href="https://manjaro.org/products/download/arm" rel="noopener noreferrer">the minimal <strong>ARM</strong> version of <strong>Manjaro Linux</strong></a>. As a long-time user of <strong>Manjaro</strong> on my PC, I found it easier to let <a href="https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer" rel="noopener noreferrer"><strong>manjaro-arm-installer</strong></a> choose the right configuration for each board, download the image and write it to its respective SD card. There are plenty of options for operating systems, with it's own installation instructions, but generally you'll be taking and <strong>.img</strong> file and flashing it to the card with some tool like <a href="https://etcher.balena.io/" rel="noopener noreferrer"><strong>Etcher</strong></a> or <strong>dd</strong>. Take a look at what you like the most (preferably some <strong>Linux <a href="https://en.wikipedia.org/wiki/Command-line_interface" rel="noopener noreferrer">CLI</a></strong> version) or just use the same I did, you'll have to consult extra documentation regardless, as I can't give you all the details without making this article too long for my taste</p> <p>Notes on networking</p> <p>Needless to say, your server machines need Internet connection, preferably <strong>Ethernet</strong>, so that it can be detected without logging into each one locally and configuring Wi-Fi. Another [not so obvious] requirement is that at least one of them (your master) has to be exposed outside of your LAN, so that external devices can reach it (and you can imagine why that's not possible by default). If you have access to your router configuration (I DO hope you have), usually your <a href="https://en.wikipedia.org/wiki/Network_address_translation" rel="noopener noreferrer"><strong>NAT</strong></a> or <a href="https://en.wikipedia.org/wiki/Firewall_(computing)" rel="noopener noreferrer"><strong>Firewall</strong></a> settings, that's achieved by forwarding the ports used by the services you got running e.g. port <strong>80/TCP</strong> for <strong>HTTP</strong> and <strong>443/TCP</strong> for <strong>HTTPS</strong> (Web pages):</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjc0kbviyaqj73wzo8i2j.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjc0kbviyaqj73wzo8i2j.png" alt="Port forwarding" width="800" height="706"></a><br> (If you're using standard <strong>IPv4</strong>, the machine's host address is valid exclusively inside your LAN, and only the router/gateway has also a global <a href="https://en.wikipedia.org/wiki/Wide_area_network" rel="noopener noreferrer"><strong>WAN</strong></a> IP. Even with all the <a href="https://en.wikipedia.org/wiki/IPv6" rel="noopener noreferrer"><strong>IPv6</strong></a> goodies enabled, reachability from outside might be limited for security reasons)</p> <p>I'd also recommend reserving static IPs for each one of your server's network interfaces, so that we don't get any unpleasant surprises with changing addresses:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqwmzw77rjjo7ip7te45f.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqwmzw77rjjo7ip7te45f.png" alt="Static IPs reservation" width="800" height="502"></a></p> <p>After redirecting incoming traffic from router <strong>WAN</strong> address to server machine <strong>LAN</strong> address on the given ports, it's time to make yourself easier to find. Passing your <strong>WAN</strong> IP around so that people may type it into the browser bar would already work, but that's both hard to remember and unreliable, as addresses attributed to your machine usually change from time to time (lucky you if a static global IP is available).</p> <p>Then why not give your virtual place a proper memorable name, like <strong><em>"mybeautifulsite.com"</em></strong>, that everybody could know? Well, that what name service (<a href="https://en.wikipedia.org/wiki/Domain_Name_System" rel="noopener noreferrer"><strong>DNS</strong></a>) is for.</p> <p>Sadly <strong>domains</strong> are one aspect of Internet centralization that still cannot be trivially avoided (I know about <a href="https://www.geeksforgeeks.org/top-best-blockchain-dns-software/" rel="noopener noreferrer"><strong>blockchain DNS</strong></a>, but who supports it?), so you have to rely on a third-party service (e.g. <strong>Cloudflare</strong>) in order to propagate your <strong>hostname</strong> across the Web. Generally you have to pay a <a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name-registrar/" rel="noopener noreferrer"><strong>registrar</strong></a> for the right to use a certain name (it's a way to prevent the ambiguity from 2 hosts using the same one), but for testing purposes you may rely on free DNS services (such as <strong>No-IP</strong> or <strong>Dynv6</strong>) that provide you a somewhat uglier subdomain alternative:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fna5wzugfv8f5xef3zwb9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fna5wzugfv8f5xef3zwb9.png" alt="DNS zone" width="800" height="272"></a><br> (They were so kind to tell the entire world my router's IP)</p> <p>If you don't manage to get your hands on a static <strong>WAN</strong> IP, it's important that your <strong>DNS</strong> service has support for being automatically updated about changes in your dynamic address. Your router itself might be able to notify the <a href="https://www.cloudflare.com/learning/dns/glossary/dynamic-dns/" rel="noopener noreferrer"><strong>DDNS</strong></a>, but if the proper protocol option is not available you may run a refresh client from one of your computers:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyao0l5tji3ypplwdfp0k.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyao0l5tji3ypplwdfp0k.png" alt="DDNS configuration" width="757" height="1024"></a><br> (Again, there's too much variation across routers and services for me to cover it here)</p> <p>Just don't go trying to reach your server via <strong>DNS</strong> right after naming it. Propagation takes a while, as many name servers across the world have to be informed. If getting anxious, you may try to check the state of that process using <a href="https://dnschecker.org/" rel="noopener noreferrer">some Web service</a> or <strong>nslookup</strong> command on your <strong>Linux</strong> system (also available under the same name on <strong>Windows</strong>, apparently, but who in his/her right mind still uses it?)</p> <h3> <em>Becoming the helmsman</em> </h3> <p>If you've ever tried using a non-mainstream <a href="https://en.wikipedia.org/wiki/Linux_distribution" rel="noopener noreferrer"><strong>Linux distro</strong></a>, you probably know the pain of looking for a package, not finding it even in a third-party repository, trying to compile it from source and failing miserably over and over (Been there. Done that). <strong>Manjaro</strong>, as an <a href="https://archlinux.org/" rel="noopener noreferrer"><strong>Arch</strong></a>-based OS, at least has the very welcome access to the <a href="https://aur.archlinux.org/" rel="noopener noreferrer"><strong>AUR</strong></a>, a community repository for compilation scripts that automate the process for us mere humans, but not all are regularly maintained and many still break, for a plethora of reasons that you eventually have to figure out and fix in a case-by-case basis</p> <p>A way to avoid those headaches would be welcome</p> <p>For a long time, I've been the kind of person that sees <strong>Linux</strong>'s <a href="https://en.wikipedia.org/wiki/Dependency_hell" rel="noopener noreferrer">Dependency Hell</a> as a feature rather than a bug: <em>"It's efficient for storage"</em>, <em>"It forces developers to keep their software updated and in sync with others"</em>, <em>"Library duplication is r*tarded"</em>, I've been telling myself. I still find it somewhat true, and don't see <a href="https://en.wikipedia.org/wiki/Sandbox_(computer_security)" rel="noopener noreferrer">sandboxed</a> solutions like <strong>Flatpak</strong>, <strong>Snap</strong> and <strong>AppImage</strong> with good eyes, or even <a href="https://realpython.com/python-virtual-environments-a-primer/" rel="noopener noreferrer">virtual environments</a> for more than prototyping... Ok, maybe I'm still THAT kind of person, but I've found <a href="https://en.wikipedia.org/wiki/OS-level_virtualization" rel="noopener noreferrer"><strong>containers</strong></a> to be pretty neat</p> <p>Having worked a bit with <a href="https://search.brave.com/search?q=docker&amp;source=desktop" rel="noopener noreferrer"><strong>Docker</strong></a> in a previous job, I was convinced of how useful this level of isolation is for automated testing and deployment of applications, being able to change system settings and replicate them across countless [physical or virtual] machines. You really start visualizing containers as loosely coupled independent entities exchanging messages, which in turn naturally evolves into the main focus of my approach here: <a href="https://www.vmware.com/topics/container-orchestration" rel="noopener noreferrer"><strong>orchestration</strong></a></p> <p>And to cut it short, I'd guess in 9 of 10 cases that word would mean using one of the many implementations of <a href="https://kubernetes.io/" rel="noopener noreferrer"><strong>Kubernetes</strong></a> (<strong>K8s</strong> for short). Not that there aren't other solutions, but I'm not knowledgeable enough to evaluate them properly and I went for what is more popular i.e. with more available documentation. Let me make it clear that this guide is a mish-mash of a number of tutorials and <strong>Stack Overflow</strong> threads, compiled, updated and adjusted by an amateur who is really stubborn about making all work together. So please bear in mind it might not be the most elegant solution</p> <p>For tiny single-board computers, there is a lightweight implementation of <strong>K8s</strong> called <a href="https://docs.k3s.io/" rel="noopener noreferrer"><strong>K3s</strong></a>, which has worked well for me. If you're using <strong>Arch</strong>-based systems (assuming that you have actually gotten the machines set up), keep following my steps for <strong>K3s</strong> installation. On <strong>Debian</strong>-based systems like <strong>Ubuntu</strong> or <strong>Raspbian</strong>, you'd be probably better off following <strong>NetworkChuck</strong>'s guide linked below. Otherwise, you'll have to do your own research:</p> <p><iframe width="710" height="399" src="https://www.youtube.com/embed/X9fSMGkjtug"> </iframe> </p> <p>As already mentioned, here I have accessed my servers from a desktop, via <a href="https://en.wikipedia.org/wiki/Secure_Shell" rel="noopener noreferrer"><strong>SSH</strong></a>, and installed <strong>K3s</strong> using <strong>yay</strong>, but you may use any other package manager with <strong>AUR</strong> access like <strong>pikaur</strong> or <strong>pamac</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>ssh ancapepe@192.168.3.10 ancapepe@192.168.3.10<span class="s1">'s password: Welcome to Manjaro ARM ~~Website: https://manjaro.org ~~Forum:  https://forum.manjaro.org/c/arm ~~Matrix: #manjaro-arm-public:matrix.org Last login: Wed Sep 11 18:41:48 2024 from 192.168.3.8 [ancapepe@ChoppaServer-1 ~]$ sudo pacman -S yay [sudo] password for ancapepe: resolving dependencies... looking for conflicting packages... Packages (1) yay-12.3.1-1 Total Download Size: 3.31 MiB Total Installed Size: 8.88 MiB :: Proceed with installation? [Y/n] y :: Retrieving packages... yay-12.3.1-1-aarch64 3.3 MiB 2.33 MiB/s 00:01 [#############################################################################] 100% (1/1) checking keys in keyring [#############################################################################] 100% (1/1) checking package integrity [#############################################################################] 100% (1/1) loading package files [#############################################################################] 100% (1/1) checking for file conflicts [#############################################################################] 100% (1/1) checking available disk space [#############################################################################] 100% :: Processing package changes... (1/1) installing yay [#############################################################################] 100% Optional dependencies for yay sudo: privilege elevation [installed] doas: privilege elevation :: Running post-transaction hooks... (1/1) Arming ConditionNeedsUpdate... [ancapepe@ChoppaServer-1 ~]$ sudo pacman -S containerd fakeroot ... (More of the same) ... [ancapepe@ChoppaServer-1 ~]$ yay -S k3s-bin AUR Explicit (1): k3s-bin-1.30.3+k3s1-1 ... (Too much to show here. Just follow along) ... </span></code></pre> </div> <p>(Do that for each board. Teaching how to use a terminal is outside the scope of this guide)</p> <p>Hopefully everything went well and you have <strong>K3s</strong> installed on all your servers, but it's still not doing anything. <strong>Kubernetes</strong> applies the concepts of <strong>master</strong> and <strong>worker</strong> nodes: masters coordinate workers so that all can work as a single system, namely a <a href="https://kubernetes.io/docs/concepts/architecture/" rel="noopener noreferrer"><strong>Cluster</strong></a>; both may dot the heavy lifting of running applications; <a href="https://kubernetes.io/docs/concepts/architecture/nodes/" rel="noopener noreferrer"><strong>Node</strong></a> is simply the abstraction used for each [physical or virtual] computer</p> <p>[AFAIK] With <strong>K3s</strong> things are kept simple and only your first node will run as a master, or <strong>[K3s] server</strong> in this case (yes, terminology gets confusing). In order to initialize it as such when your main machine boots, open your <strong>K3s</strong> <a href="https://en.wikipedia.org/wiki/Init" rel="noopener noreferrer"><strong>init</strong></a> file for modification with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">sudo </span>systemctl edit k3s <span class="nt">--full</span> </code></pre> </div> <p>(The file will be opened with the application defined in your <strong>$EDITOR</strong> <a href="https://en.wikipedia.org/wiki/Environment_variable" rel="noopener noreferrer">environment variable</a>, be it <strong>vim</strong>, <strong>emacs</strong> or even <strong>nano</strong>, a competition I don't want to be dragged into. Talking about undesired fights, I know <strong>systemd</strong> is not the only init system out there, but I haven't tried this with distros that use <strong>OpenRC</strong> or <strong>Upstart</strong>)</p> <p>Edit the line starting with <code>ExecStart</code> to look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">ExecStart</span><span class="o">=</span>/usr/bin/k3s server <span class="nt">--write-kubeconfig-mode</span><span class="o">=</span>644 <span class="nt">--node-name</span> &lt;your chosen master node name&gt; </code></pre> </div> <p>And finally enable the initialization service with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">sudo </span>systemctl <span class="nb">enable </span>containerd <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">sudo </span>systemctl <span class="nb">enable </span>k3s <span class="nt">--now</span> </code></pre> </div> <p>Not quite finally, actually. Before you restart your board to bring up <strong>K3s</strong>, you have to make sure that the <a href="https://en.wikipedia.org/wiki/Cgroups" rel="noopener noreferrer"><strong>cgroups</strong></a> feature, required by all <strong>containerized</strong> applications, is enabled and available in your system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">grep </span>cgroup /proc/mounts cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot 0 0 <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">cat</span> /proc/cgroups <span class="c">#subsys_name   hierarchy      num_cgroups    enabled </span> cpuset 0      51     1 cpu    0      51     1 cpuacct 0      51     1 blkio  0      51     1 memory 0      51     0 devices 0      51     1 freezer 0      51     1 net_cls 0      51     1 perf_event     0      51     1 net_prio       0      51     1 pids   0      51     1 rdma   0      51     1 </code></pre> </div> <p>(TL;DR: <strong>Cgroups</strong> system <strong>v2</strong> running, <strong>memory</strong> cgroup disabled)</p> <p>If <strong>v1</strong> system or none at all appears, you're probably using an old <a href="https://en.wikipedia.org/wiki/Kernel_(operating_system)" rel="noopener noreferrer"><strong>kernel</strong></a>, so update it. If the <strong>memory</strong> cgroup is not enabled, you have to find the particular way in which you switch it on for your device (for <strong>Raspberry Pi</strong>, that means adding <code>cgroup_enable=memory</code> at the end of the single line in the <code>/boot/cmdline.txt</code> file)</p> <p>Moreover, we must tell <strong>containerd</strong>, the <a href="https://en.wikipedia.org/wiki/Daemon_(computing)" rel="noopener noreferrer"><strong>daemon</strong></a> that manages your containers behind the curtains, to use the right cgroup for its main process, <strong>runc</strong>, by running the commands below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a containerd configuration directory</span> <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">sudo mkdir</span> <span class="nt">-p</span> /etc/containerd <span class="c"># Write the default settings to a configuration file</span> <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">sudo </span>containerd config default | <span class="nb">sudo tee</span> /etc/containerd/config.toml <span class="c"># Find and replace the given string inside the file</span> <span class="o">[</span>ancapepe@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">sudo sed</span> <span class="nt">-i</span> <span class="s1">'s/ SystemdCgroup = false/ SystemdCgroup = true/'</span> /etc/containerd/config.toml </code></pre> </div> <p>(The <code>#</code> character at the beginning of a line denotes a comment, which is not supposed to be typed. For more information on what you're doing there consult <a href="https://www.nocentino.com/posts/2021-12-27-installing-and-configuring-containerd-as-a-kubernetes-container-runtime/" rel="noopener noreferrer">this</a> article and the <a href="https://www.geeksforgeeks.org/sed-command-in-linux-unix-with-examples/" rel="noopener noreferrer"><strong>sed</strong></a> command documentation)</p> <p>Now you may reboot the <strong>master</strong> node, and hopefully everything will start running properly. Your <strong>SSH</strong> connection will be terminated so it should be established again when the device finishes starting up:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>leonardo@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">sudo </span>reboot <span class="o">[</span><span class="nb">sudo</span><span class="o">]</span> password <span class="k">for </span>leonardo: Broadcast message from root@ChoppaServer-1 on pts/1 <span class="o">(</span>Sat 2024-09-14 20:31:07 <span class="nt">-03</span><span class="o">)</span>: The system will reboot now! <span class="o">[</span>leonardo@ChoppaServer-1 ~]<span class="nv">$ </span>Read from remote host 192.168.3.10: Connection reset by peer Connection to 192.168.3.10 closed. client_loop: send disconnect: Broken pipe <span class="nv">$ </span>ssh leonardo@192.168.3.10 leonardo@192.168.3.10<span class="s1">'s password: Welcome to Manjaro ARM ~~Website: https://manjaro.org ~~Forum:  https://forum.manjaro.org/c/arm ~~Matrix: #manjaro-arm-public:matrix.org Last login: Sat Sep 14 17:30:32 2024 from 192.168.3.8 [leonardo@ChoppaServer-1 ~]$ </span></code></pre> </div> <p>(At this point you may check the status of the enabled services using <a href="https://www.freedesktop.org/software/systemd/man/latest/systemctl.html#status%20PATTERN%E2%80%A6%7CPID%E2%80%A6%5D" rel="noopener noreferrer"><strong>systemctl status</strong></a>)</p> <p>With the <strong>master</strong> system set up, let's try connecting our <strong>worker</strong> nodes to it. That connection is established by sharing a common key or <strong>token</strong> generated by master and stored in a predetermined file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Displays content of the token file</span> <span class="o">[</span>leonardo@ChoppaServer-1 ~]<span class="nv">$ </span><span class="nb">sudo cat</span> /var/lib/rancher/k3s/server/token <span class="o">[</span><span class="nb">sudo</span><span class="o">]</span> password <span class="k">for </span>leonardo: K10d4e8b232cbf03832752443a07cc6206e092733c8ae55c0e64407dcb2e1775f45::server:44a1a8b25c4a8f1d8a0d48164eff2303 </code></pre> </div> <p>Copy that file, guard it well, and repeat the same process (since the first ssh command) for each one of your workers, only changing the way the <strong>K3s</strong> service file is edited, as now it should contain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">ExecStart</span><span class="o">=</span>/usr/bin/k3s agent <span class="nt">--server</span> https://&lt;your master node IP&gt;:6443 <span class="nt">--token</span> &lt;your master token&gt; <span class="nt">--node-name</span> &lt;your chosen worker node name&gt; </code></pre> </div> <p>Take your time in repeating all that stuff, just make sure that you follow through. If everything works as intended, from any one of your nodes you'd be able to run the command below successfully:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>leonardo@ChoppaServer-2 ~]<span class="nv">$ </span>k3s kubectl get nodes NAME             STATUS  ROLES                 AGE   VERSION odroidn2-master  Ready   control-plane,master  7d5h  v1.30.3+k3s1 rpi4-agent       Ready   &lt;none&gt;                8d    v1.30.3+k3s1 </code></pre> </div> <p>(Yay!)</p> <p>That's it for now. I hope it wasn't very tiring</p> <p>Next time we'll actually deploy applications and get a proper way to manage them</p> <p><a href="https://dev.to/ancapepe/the-home-server-journey-2-the-control-room-fng"><strong>Chapter 2</strong></a></p> kubernetes censorship decentralization selfhosting