DEV Community: Raven Spencer

A Media Server on Steroids - Walkthrough

Raven Spencer — Sat, 14 Dec 2024 20:00:00 +0000

Introduction

Good day all, here is the section that keeps me engaged with the current-day readers while also never being more than an extra scroll to people who, also like me, have been looking up other people’s new builds all afternoon (or are interested in how someone creates “the thingamagiggy” to work with the “such-and-such”) and wants to get straight to the actual meat of the article: the experience, or steps.

For this reason, I will keep this brief. (... i.e. skip to the next section)

So, as some of you have seen me post about it on LinkedIn, yes, I got an old family laptop to run a K3S Cluster Jellyfin server application operating through Proxmox. Would I recommend the configuration to others? If they were into making a media server fail-tolerant, upgradeable, scalable, overkill, private (no unnecessary internet access), and cost-effective (practically free or relatively cheap)...

Then yes…

This proof-of-concept setup is for people like me who want the most scalable and future-proofed option, and enjoy their privacy. Also, this is a techie-made build which means it might gloss over some bits deemed unnecessary to go in full depth for brevity. Ha! You thought a full walkthrough meant I would write a 20-page paper with footnotes??

I’m not a masochist… most of the time…

Anyway, let’s talk parts.

Obtaining the hardware for a Home Server

In numbered fashion!

An old/unused Laptop or PC [ This will be the server ]. Most any device after 1999 will do, but here is a list of the minimum requirements:
- 64bit VT CPU (Virtualization-capable)
- Bare minimum 4 GB RAM
- Hard Drive - 256GB min → 1+ TB (I also added external storage for media/db files)
- And an Ethernet jack
An unused USB or removable drive [ This will be used to set up the server OS to Proxmox ].
Two or more Ethernet Cables, for the best connectivity
A home PC with an Ethernet port (the Bastion computer)
And a way to connect to the internet (either directly attaching to the router or using a router connected to an HTTP Proxy like Squid Proxy for passing HTTP requests like I did)
Pick up a router (an easy thrift store buy if one isn’t lying around) be sure it has more than one ethernet jack and can handle Wi-Fi.

Making a Proxy… Squid-like

— as of December 2024

This step details how to start up a forward proxy if you plan on creating a private network in your home (separate from your home network).

Setup your router and login to the admin page
Check that your computer (or the Bastion) is attached.
Set up your PC with a Static IP (Google ‘How to set up a Static IP... ’ with your specific router name). Remember the Static IP of your PC for later steps

This step involves opening up your private network to the internet when you need to update and operate Kubernetes (K3S).

Download and install Squid for Windows under ‘Console App’ (or Squid for Linux and Mac under ‘Current Squid Release Series → tar.gz’).
Google 'How to install Squid for...' if you need further help installing.

LATER you will configure the /Squid/etc/squid/squid.conf file to allow http_proxy access to the static IP address you configured on the router for your PC. This way, when your PC is hooked to both networks, it can act as a liaison (or the Bastion) between the server and the internet, and not the other way around.

Setting up Proxmox VE

— as of December 2024

This step entails how to create a bootable media to set up an OS, like Proxmox.

Go to the SourceForge Ventoy Download: Ventoy download | SourceForge.net and run the installer (with your USB drive plugged in)
- Set up and install Ventoy, ISO/Image files can be ‘dragged and dropped’ into the new directory easily without needing to be flashed individually and will run like it was flashed.
Go to the Proxmox website: Downloads - Proxmox Virtual Environment and download the Proxmox image to the Ventoy directory (or flash it)
Eject the USB Drive and plug it into your server (or "Laptop")
Turn the "Laptop" off and connect it to your private router via an ethernet cable.
Turn it on and for Ventoy it should bring you to a boot/GRUB screen with your image as an option. (Else, hit F12 and boot to the USB)
Select and let it boot into the Proxmox VE installation setup page.
Follow the step-by-step process, most of the default settings should be fine. Keep track of your password (the username will be ‘root’ when first logging in).

— (Proxy): When setting up your HTTP Proxy in step 4, put in the Static IP Address of your assigned Squid Proxy or Proxy Server you assigned at the private router step (e.g. 192.168.#.#:3128). Then go to your private router's admin page and set the newly attached server to a new Static IP address. You will also want to configure your /Squid/etc/squid/squid.conf file so that it can accept requests from the Server Static IP. Add acl localnet src <your-server-IP> in the file.

When done with the installation, make sure both your Proxy (or the Bastion) and the server are connected to your private router, then go to your browser and type in your server’s IP address and port 8006, like this: 192.168.#.#:8006. This should bring you to a login page for your Proxmox server.

— Sweet! You are ready for the magic of K3S now!

Booting up the Ubuntu Servers (VMs) in Proxmox

— as of December 2024

This section is for building the Nodes where K3S will deploy resources and run Jellyfin.

Boot up the 2 VMs [ The first will be the Controlplane Node and the Second will be the Worker Node where Jellyfin will be with the configured port. ].
Go under the server and select ‘Create a VM’ from the top right options, set the RAM to around 1024 - 2000+ and storage at 32 GB as this is all it needs to manage at minimum capacity, and set the image to ‘Ubuntu server’ or set the URL to the latest download link on the official website: Get Ubuntu Server | Download.

— TIP: Note that Proxmox can’t pull from the internet without a DNS server connection. To rectify this, download the image on your PC and go to the Proxmox server settings ‘Used Images’ to copy it to the server via “drag and drop”. This way it stores the image locally to create VMs.
Name the server something like “controlplane-node01” to keep track of it. Other than that, leave other settings as default and keep track of passwords.
Do the same with the second VM, except name it “worker-node01” and set the RAM limit to 4000 - 6000+ with 50GB.
- Any other VM made after this should copy step 4. Except, give it a name with a different number like ‘002’ or ‘013’.

— (Proxy): You should also set up your Squid/HTTP Proxy to accept requests from the server IPs which you will have to set as static IPs on your router. Once that is taken care of, you should be able to update your VMs and give Kubernetes access to HTTP by setting the environmental variables HTTP_PROXY and HTTPS_PROXY both to the URL of your PC Squid Proxy: http://192.168.#.#:3128

Adding External Storage to your VMs (MORE!!)

— as of December 2024

This step is for setting up the persistent shared storage and is needed if you plan on adding more storage space.

Attach your external storage to the server and mount it to the device using the command line. Google How to mount your storage option if needed.
In the Proxmox web GUI, go under your Proxmox server settings, and on the left panel, click 'Storage' then on the top click 'Add Storage'. Click on the storage type you attach and where it is mounted.
- Google if you need further instructions on your specific storage type, I used USB haha, but you can even just use space on your system.
After formatting the storage, go to your worker-node VM and click on 'Hardware'. Then click 'Add Hardware', select 'Storage', and add from your attached storage medium.
Afterward, go to your worker-node command line and mount the new storage like in step 1. BE SURE TO MAKE NOTE OF WHERE YOU MOUNT YOUR EXTRA STORAGE (This is important to set up persistent volumes across pods) on the attached storage, also create 2 new directories:
- One for your media files (/mnt/extra-storage/media)
- And one for your database and jellyfin configurations (/mnt/extra-storage/data)

Anytime you want to add media, just turn off the Proxmox server, detach the external storage if you went with that, and attach it to your PC to add your media, reattach to server, turn it back on and done! I use the sftp command to add media while the server is on and refresh the Jellyfin library within the admin web GUI. sftp -r <admin-username@worker-node-IP-address> <ON-PC-media-to-upload-folder> <ON-WORKER-NODE-persistent-media-directory>

— Now you are set to install K3S, your lightweight microservices architecture!

Installing Lightweight Kubernetes (K3S) on Proxmox

— as of December 2024

This is where the fun begins as K3S is installed on the VMs.

Using the K3S Quick-Start Guide (Quick-Start Guide | K3s), go into the Controlplane Node (VM) command line to install K3S (SSH to copy and paste). Make sure you are connected to the internet or proxy (export HTTP_PROXY="192.168.#.#:3128"). Run curl google.com to test.
Run sudo curl -sfL <https://get.k3s.io> | sh -
Link the Worker Node (VM) to the Controlplane via K3S by going into its command line (check if you have the proxy set up).
Replace SERVERIP with the controlplane node IP and CONTROLPLANENODETOKEN with the controlplane node Token (at /var/lib/rancher/k3s/server/node-token) and run sudo curl -sfL <https://get.k3s.io> | K3S_URL=<https://SERVERIP:6443> K3S_TOKEN=CONTROLPLANENODETOKEN sh -
Now verify by going to the Controlplan Node command line and run sudo kubectl get nodes and the worker VM/Node should be there along with the controlplane node.

Prepping the Jellyfin K3S Deployment

— as of December 2024

Time to start running the Kubernetes environment!

SSH into the controlplane node and clone this template on my GitHub git clone RavenEsc/jellyfin-k8s-deployment, or wget <my-repo> and inflate the tarball. Again, ensure you can connect to the internet: curl google.com. MAKE SURE YOU ARE RUNNING COMMANDS IN THE DIRECTORY, cd jellyfin-k8s-deployment.
If you want to easily set up the variables, install Helm and proceed to part “A”. If you want to run the K3S files directly with Kubectl, move to part “B”.

A.

Go to “./jellyfin-charts/values.yaml” and edit the following variables. (labeled as “# !!” in the file)
- nodeSelector.kubernetes.io/hostname, set to the name of your worker node
- dataVolumeConfig.storage, set this to “100Gi” minimum
- dataVolumeConfig.hostPath, set this to the path that you want to store the jellyfin data files (this is the same path where you store your data files on the mounted storage medium with Proxmox)
- mediaVolumeConfig.storage, set this to how much space you wanted for the media, I did “800Gi”
- mediaVolumeConfig.hostPath, set this to the path that you want to store your media files (this is the same path where you store your media files on the mounted storage medium with Proxmox)
Run helm install jellyfin ./jellyfin-charts --namespace jellyfin --create-namespace (You can use the --dry-run and --debug option to test before deploying)

B.

After setting these environmental variables with export:
- WNODENAME=<your-worker-node-name>
- DATASTORAGE=<your-data-path-storage-size>
- DATAPATH=<your-data-path>
- MEDIASTORAGE=<your-media-path-storage-size>
- MEDIAPATH=<your-media-path>
Run the custom bash script with: chmod +x ./jellyfin-k8s-deployment/ykvar.sh && ./ykvar.sh -nv (Be sure to check if the variables changed cat ./k8s/deploy/jellyfindeploy.yaml).
Then run sudo kubectl create -Rf ./k8s (You can use the --dry-run=client to test before deploying)
— TIP: The ykvar.sh script has options, so check them out with ./ykvar.sh -h help option.
Check that the deployments are running with sudo kubectl get deploy -n jellyfin-server ( Deployment should be 1/1 ).
Check that the service is up with sudo kubectl get svc -n jellyfin-server ( Service should be accessible by the configured port 30096 on the Static Worker Node/VM IP. You can check by typing in the IP and port number into your PC browser and a Jellyfin page should come up if the Pod is up ).
Check if the Persistent storage is up with sudo kubectl get pv -n jellyfin-server and if the Claim from the deployment is attached with sudo kubectl get pvc -n jellyfin-server (Look to see that both are up and they say, under the "STATE" field, “BOUND” )

Test the K3S Jellyfin Server running on Proxmox

— as of December 2024

Go into the Jellyfin Web GUI and set up the server with the quickstart (save passwords).
Add some media, if you do not have media on your server, simply add it to the persistent media storage path mounted before. Utilize a transfer tool like SFTP to send the media from your PC to your Worker-Node IP over the network.
Set the media directory up as a media library (organized however you want it) and try viewing the media and its impact on your worker node with the resource usage visualizer on Proxmox’s VM summary page.
After all goes well, it’s time to test durability. Delete the current deployment pod with 'sudo kubectl delete pod/jellyfin-deployment-##########-##### -n jellyfin' replacing the pod name with the current pod up which can be found with 'sudo kubectl get pod -n jellyfin'.
- After it is deleted, check if a new pod took its place with 'sudo kubectl get pod -n jellyfin'. (If not, check if your Proxy is up as it needs a connection to access the jellyfin image)
- If so, refresh the Jellyfin page on your PC and either a login page or a “select server” screen will pop up. Give the service inside the Pod time to reconfigure (at most 5 minutes) then either select the server and hit "connect", it should bring you to sign in, and/or log in with your username and password. After that, you will be greeted with the home page and all of your media where it was if it functioned properly.

If not, look below or ask in the comments section if needed. Running on limited resources or old hardware might have weird outcomes. When in doubt, Google or DuckDuckGo or whatever you use.

Done! General Challenges

— as of December 2024

As you may have noticed, Jellyfin is not built to be a multi-tier application. I ran into some roadblocks while developing this solution as I would need to change the Jellyfin source code and make my own container image (which would probably not be reasonable to upkeep without a high demand or a team). And although I want to make the best of the best before anyone sees it, I want to open this up to the world as a “look how far it's come”! I am also reminded not to let things go on too long before asking for criticism. The intention of this walkthrough was to share the work I have done and hopefully get to inspire others in their paths. Was making a K3S cluster on a single old laptop with limited resources overkill?

Yes, absolutely.

But I wanted to make a solution that was not only able to use our extra devices but also had the option to scale if someone wanted to. Proxmox is great at that, and K3S isn’t the end. You could add more devices and make a makeshift server rack. Make it even more secure by utilizing Jellyfin’s HTTPS port, or find some way to keep sessions and profile preferences persistent so you can run more than 1 pod at a time (trust me, I’m trying)! You could even turn this into a cloud-based or remote configuration with secure and accessible storage and viewing options! For now, I am happy with where it is, and so are my users!

Overall, I am glad to have tried and I hope you have found this as interesting as I have.

Oh, and to the people just here for the “How to…” and “Is it possible to make…” google searches,

sup.

Passing My CKA!

Raven Spencer — Tue, 18 Jun 2024 20:46:18 +0000

Introduction

Hello, fellow developing cloud architecture network administration engineering Kubernetes cyber security consultants! 😮‍💨
I'm excited to share my journey to becoming a Certified Kubernetes Administrator (CKA). It’s been a whirlwind of learning experiences and growth!

My Journey

08/2023: AWS Solutions Architect Associate and CSPM Development

In August, I successfully passed my AWS Solutions Architect Associate exam. This was a significant milestone for me, as it not only validated my cloud expertise but also sparked my interest in exploring more advanced cloud technologies. To build on this knowledge, I developed a Cloud Security Monitoring Tool (CSPM), which was fully deployable via Terraform and GitHub. This project was my first foray into the world of automation and infrastructure as code, laying the groundwork for my future Kubernetes journey.

10/2023: Diving into Kubernetes

After completing my AWS certification, I was eager to dive deeper into container technology. I asked my mentor about learning Kubernetes since I barely understood AWS ECS, ECR, and EKS. I started by learning Kubernetes (k8s) on the terminal, a hands-on approach that felt both exciting and challenging. This step marked the beginning of my deep dive into container orchestration.

11/2023: Starting with the Basics

To get a solid understanding of Kubernetes, I began with an introductory course on YouTube. This course provided a basic overview and was essential for building my foundational knowledge. It was a lighter introduction, but it gave me the intrigue to tackle more complex topics.

12/2023: Intensive Learning with KodeKloud Udemy Course

After completing the introductory course, I realized I needed more comprehensive training to truly master Kubernetes. I enrolled in the KodeKloud Udemy course specifically designed for the CKA exam. This course offered in-depth lessons and practical labs that significantly enhanced my understanding of Kubernetes. I spent countless hours working through exercises and scenarios, gradually building my competence.

01/2024 to 04/2024: The Learning Curve

Learning Kubernetes was not an overnight process. It required dedication and persistence. During these months, I immersed myself in various aspects of Kubernetes, from cluster architecture to deployment strategies. I also expanded my knowledge beyond Kubernetes, delving into computer networking, logging architecture, Linux commands, Secrets management, industry standards, ETCD, Kubeadm, Kubectl, YAML, JSONpath, updating clusters, Linux file system architecture, and backup and restore.

05/2024: Exam Preparation

With a solid foundation, I scheduled my exam and began rigorous preparation. I took numerous mock exams using resources like Killercoda, Killer.sh, and materials from the Linux Foundation. The PSI ‘at-home’ testing proved to be a stressful process. I had never been through such a rigid testing environment of that caliber. The stress of the testing environment was real, but I learned to control what I could and let go of the rest. And honestly, it went better than I expected.

05/30/2024: First Attempt

So I went into the PSI browser, followed the step they gave me and on my first attempt, I scored 60, just shy of the 66 needed to pass. I identified my weak areas, particularly in networking and cluster updates, and dedicated two more weeks to intensive study.

06/13/2024: The Final Attempt

Feeling confident, and after having gone through the process of PSI testing, I retook the exam and scored 78! The 6-month-long study was done, and I officially became a Certified Kubernetes Administrator. The journey had its ups and downs, but looking back every moment was worth it.

Conclusion

I’m incredibly excited to have achieved this milestone. The journey taught me the importance of persistence, continuous learning, and the value of a supportive community. I’m grateful to everyone who supported me along the way.
As I move forward, I plan to take a month to reset and reflect on my current skills. My goal is to continue learning and growing, building on the foundation I've established. I’m looking forward to connecting with others who are on a similar path and sharing our experiences. Maybe one day, I will get to see you at a conference when I can afford it. 😂
Until then, thank you for reading, and here’s to the next chapter!

How is Amazon Web Services ensuring AI is Securely handling Our Data?

Raven Spencer — Fri, 15 Mar 2024 01:35:07 +0000

(AWS Innovate GenerativeAI + Data 2024 Reflection)

I am continuously flabbergasted at the sheer amount of options when it comes to technology. Like, how many routers or phones are out there when it’s time to replace the old one? It’s because of all of these options that we have to consider the following:

Where do I save money?
How long until I replace it?

In the end, you will most often run into having to take a risk. To TRUST the developers, to TRUST the manufacturers, to TRUST the sellers. And while we can’t escape risk, we can mitigate it. We can lower the risk, by learning more about it, and acting responsibly!

This is precisely what Amazon Web Services (AWS) are pushing.

Now, this is not an AWS insider and not a comprehensive recap on AWS’s part. This article is intended for both people who want to learn about whether AWS is a safe option for their AI (Artificial Intelligence) apps and tools (at home and business), and people who want to learn from another perspective on AWS Innovate 2024: GenerativeAI + Data Conference.
With that in mind, grab your grain of salt and read!

Introduction

At the beginning of their 2024 conference, AWS Director of Enterprise Strategy, Tom Godden, spoke on AWS’s approach to handling DATA with their ML and AI services. And what I would consider a theme came from Godden’s phrasing from AWS:

Responsible AI

Now, as I went to the following sessions, I went to only 7 of them (out of the 35 they had going). I picked the ones that stood out to me, but also tried to get a general perspective, as some sessions overlapped in concepts. It was these concepts that led me to narrow down AWS their handling of Generative AI, AI that generates content from user input (or GenAI), with our DATA to three areas:

Transparency
Adaptability
&
Flexibility

Transparency

Now it comes as no surprise that this is one of the points. Because of course, you would want to market your business as trustworthy. And the biggest way to do that would be to set out what is expected of them and how they are doing it well.

So how do we take them at their word?

First, we see their claims on their GenAI Services. They don’t claim “nothing bad will happen to your DATA” In fact, Tom Godden spoke on behalf of AWS saying that if something DOES happen to your GenAI DATA, such as mishandling or violating customer DATA privacy because it is in AWS’s hands, AWS will assist in proving that their services are secure and private.

To my knowledge, AWS in general says that they cannot access a user’s data, as it is encrypted by the user’s account. So to summarize, AWS is not in control of our DATA, contrary to popular belief that if you have the hardware, you have the DATA. But, again, can we take their word for it? The next point shares more on GenAI’s DATA usage.

Adaptability

Now here’s the nitty-gritty, the coup-de-gras of AWS’s cloud resources and whether they are safe or not.

AWS has done quite a bit to showcase its ethics (compliance) with handling DATA, but even more so as the popularity of ML and GenAI rise.
At the conference sessions, I went to many demonstrations, as my focus was to see the bare-bones code and services used to make GenAI in the cloud possible. In those demos, I got to see many different test applications and Proof-of-Concepts. As I am only professionally curious about ML, LLMs, AI, and GenAI I can only speak on my knowledge, in hopes I am at a similar spot as most others in my curiosity.

But to summarize, AWS promotes Governance (giving privileged access permissions) and security in their infrastructure, tools, and our applications.

Their bottom layer, hardware, and infrastructure, provide updates, patches, and overall handles all of the tedious and time-consuming parts of security management.
This leads to giving you complete access to handle your DATA without worrying about the security of your servers.
Also, AWS gives tools for monitoring their tools and your apps.
Some examples they shared in their AI tools of pursuing security and privacy:

Amazon Bedrock, the Foundation Model (FM) ML template platform, now has Guardrails to keep sensitive and harmful DATA from both being accessed and produced.
Amazon SageMaker, the all-in-one ML model developer platform, utilizes Amazon's in-house services each with their own encryption, validation, and monitoring solutions (pursuing up-to-date security standards on all fronts)
AWS Glue, DataZone, LakeFormation, Clean Rooms, Aurora, RDS, DynamoDB, etc.. to name some similar services used for data storage and sharing (each with its own encryption in transit and at rest)

I would love to go into even more detail on the capabilities of some of these services and how each advancement has its relative security options, but for the sake of time and the long section, there is one more train of thought to consider.

Flexibility

The final point I would like to make springboards from an AWS value:

‘Learn and Be Curious’

They have put in their value system that learning and improving by being curious leads to innovation and challenges their services to become better. Objectively speaking, better includes security. So by looking at what AWS is doing, as mentioned throughout their Innovate Conference, we can see if they are holding themselves to this. And it not only applies to AWS, but to us as potential users of their tools and services. We should continue to learn and grow so that we are not blindsided by a TOS (terms of service) change or a lack of development and effort on Amazon’s side.
Funnily enough, AWS promotes this as they give users control over more and more security and privacy features in their ML and AI services and models.

So… What Now?

We have gone over some of the key points of this event. But it would be improper to end without something to take home or to work.

One way I heard it said in a session:

What do you do on Monday?

Mark Roy, AWS Principal ML Architect

No doubt putting your data in a place out of your reach is TRUSTING in that storage entity. And there isn’t a claim you can make against it either, as there is a good assortment of evidence that AWS has your best interest in mind as their business needs to stay afloat. But as a community, we all need to pitch in to push for better security to give AWS an incentive to keep up with our needs. I hope I have shed some light on what I have learned about using cloud services from the Innovate Conference: GenAI + DATA 2024, especially Generative AI.

With all of the hubbub on GenAI and the legalities and unethical behavior about it, I thought I could give some peace of mind to those who are worried about their data’s security when it is in an AWS server.

Cause, after all, the goal is to be:

Concerned, not Worried.

Hopefully, this allows you to make an informed decision on whether you can trust Amazon’s ML services with your DATA. And if you are still uncomfortable, that is fine, I wanted to give an assurance, but it will be different for each use case and business need.

So what do you take away from this?

DEV Community: Raven Spencer

A Media Server on Steroids - Walkthrough

Introduction

Obtaining the hardware for a Home Server

Making a Proxy… Squid-like

Setting up Proxmox VE

Booting up the Ubuntu Servers (VMs) in Proxmox

Adding External Storage to your VMs (MORE!!)

Installing Lightweight Kubernetes (K3S) on Proxmox

Prepping the Jellyfin K3S Deployment

A.

B.

Test the K3S Jellyfin Server running on Proxmox

Done! General Challenges

Passing My CKA!

Introduction

My Journey

08/2023: AWS Solutions Architect Associate and CSPM Development

10/2023: Diving into Kubernetes

11/2023: Starting with the Basics

12/2023: Intensive Learning with KodeKloud Udemy Course

01/2024 to 04/2024: The Learning Curve

05/2024: Exam Preparation

05/30/2024: First Attempt

06/13/2024: The Final Attempt

Conclusion

How is Amazon Web Services ensuring AI is Securely handling Our Data?

Introduction

Transparency

Adaptability

Flexibility

So… What Now?