rvs's questions

Resource Management for Pods and Containers describes how to set resource requets and limits for "regular" pods in Kubernetes. Is there a supported/reccomended way to set these limits for control plane components such as kube-apiserver?

Things I considered:

• Modifying static manifests, e.g. in /etc/kubernetes/manifests/kube-apiserver.yaml. This could work but it will be overwritten by kubeadm during next upgrade.
• Setting kube-reserved or system-reserved flags. This could work too however again - they are defined in just one ConfigMap (e.g. kubelet-config-1.21) and will be overwritten by kubeadm during node upgrade. The same limits will apply to control plane nodes and worker nodes and I don't want that.

I can overcome this with something like ansible but then ansible will be "figting" with kubeadm and I'd like to avoid that.

What problem am I trying to solve?

I have a small homelab kubernetes installation. I'd like to allow running regular pods on control plane node(s), but I'd like to be able to reserve some resources (primarily memory) for control plane components. I.e. I'd like to be able to set requests on things like kube-apiserver so that scheduler knows not to put any other pods (they will also have appropriate requests) in its place.

Is there a way to define hardlinks inside puppet manifest?

It seems file type can only define symbolic links, but I need it to be hard links in order to make some of my chrooted applications to work. For example, I need to hardlink

/etc/hosts -> $chroot/etc/hosts
/etc/resolvf.com -> $chroot/etc/resolv.conf

and so on.

What can be the simplest way to archive that?

Update: thanks, I've ended with following defines:

define hardlinkdir(source=$name, target) {                                                                                                                   
    exec {                                                                                                                                                   
        "hardlinkdir-$name":                                                                                                                                 
            command => "cp -r --link $target $source",                                                                                                       
            path    => "/usr/bin:/bin",                                                                                                                      
            creates => $source;                                                                                                                              
    }                                                                                                                                                        
}                                                                                                                                                            

define hardlink(source=$name, target) {                                                                                                                      
    exec {                                                                                                                                                   
        "hardlink-$name":                                                                                                                                    
            command => "ln --force $target $source",                                                                                                         
            path    => "/usr/bin:/bin",                                                                                                                      
            unless  => "test $source -ef $target";                                                                                                           
    }                                                                                                                                                        
}

Sure, they are not perfect, but they does the job and it's everything I need.

Thank you for your help!

I'm running ec2 debian instance and trying to get puppet working on it. I'd like my hostnames to be something more readable, so I've changed /etc/hostname, run /etc/init.d/hostname.sh start and I can see my human-readable hostname in the prompt. Every other app seems to be working fine with it, but not puppet (and actually it seems it's facter problem):

$ cat /etc/hostname 
service.XXX.com
$ hostname
service.XXX.com
$ facter | egrep '(host|domain)'
domain => compute-1.amazonaws.com
hostname => ec2-107-22-XXX-XXX
$ cat /etc/debian_version 
6.0.1

I've already cheched facter code and it seems it does not anything more than parsing hostname output. Where is this thing come from? I want my hostnames!

Recently we had a problem with our CDN service: one of edge locations cached incomplete version of javascript file and our customers from United Arab Emirates (and maybe some other nearby countries) were not able to use our service. This issue is resolved now, but we've realized that monitoring of our CDN network might be a good idea.

We need to monitor:

1. Resources are available.
2. They have correct content-type, content-encoding (gzip), expires and some other headers
3. They have same size on all geo locations.
4. Resources often change names (we are changing filename suffix when updating it with a new version), so we need to have ability to change monitored resource urls quickly and in best case automatically during deploys.

Since our CDN provider have a lot of servers in different locations, we need to track this from many different locations as well. I've seen a lot of services that can track website from many locations, but all of them seems to be focused on measuring availability and speed, while for this issue we are more focused on consistency.

So, I believe we have following options:

1. Find a hosted monitoring service which can do required. Does anyone know any?
2. Write a monitoring script using some list/network of proxy servers. Is there are any reliable list/service for this?
3. Write a script using tor exit node specification to track our resources from different locations.
4. Use some other CDN that have this functionality out of the box and guarantee that all copies of out resources on all locations are consistent. But we'd still like to have some 3rd-party monitoring.

What is better approach? Can you suggest something else to solve our problem?

Thanks.

I'm wondering what are best practices for overriding variables in puppet. I'd like to have all my nodes (which located in different places, some of them are qa, some live) with same classes. Now I have something like this:

class base_linux {
   <...> # something which requires $env and $relayhost variables
}

class linux_live {
   $relayhost="1.1.1.1"
   $env = "prod"

   include base_linux
}

class linux_qa {
   $relayhost="2.2.2.2" # override relayhost

   include base_linux
}

class linux_trunk {
   $env = "trunk" # override env

   inlude linux_qa
}

node "trunk01" {
   include linux_trunk
   include <something else>
}
node "trunk02" {
   $relayhost = "3.3.3.3" # override relayhost
   include linux_trunk
   include <something else>
}

node "prod01" {
   include linux_prod
}

So, I'd like to have some defaults in base_linux, which can be overrided by linux_qa/linux_live, which can be overrided in higher level classes and node definition.

Of course, it does not work (and not expected to work). It does not work with class inheritance as well. Probably, I'll be able to archive using global scope variables, but it does not seems like a good idea to me.

What is the best way to solve this problem?

I'm trying to write a single rpm spec for RHEL/CentOS/SL 5 and 6. This spec is for python app, so there is no differences in build process. But on RHEL/CentOS5 I need to add one additional dependency.

How would I define dependency only for el5? I've tried following:

%if 0%{?redhat} == 5 || 0%{?centos} == 5
Requires:   kmod-coretemp
%endif

Does not work (build on CentOS5 does not adds kmod-coretemp dependency).

I've tried also following:

%if %{?dist} == "el5"

It reports with syntax error. I'm sure dist macro is set and contains 'el5'. But I'm not sure what is the syntax of if conditionals in rpm? rpmguide does not have detailed answer.

We have a network 10.10.0.0/24, and one of the hosts (server0, 10.10.0.123) have puppetmaster installed. Others are connecting to it and everything seems fine.

Another one host (server1) is on another network and have openvpn connection to to puppetmaster host, openvpn network is 192.168.124.0/24 (192.168.124.1 - server0, 192.168.124.6 - server1).

Everything was working some time ago, but now when I'm trying to run puppet on server1 it fails with no message:

/usr/sbin/puppetd --no-daemonize --debug -o --server server0.fqdn
<...>
debug: Loaded state in 0.00 seconds
debug: Using cached certificate for ca
debug: Using cached certificate for server1
debug: Using cached certificate_revocation_list for ca
debug: catalog supports formats: b64_zlib_yaml marshal pson raw yaml; using pson
err: Could not retrieve catalog from remote server: 
info: Not using expired catalog for server1 from cache; expired at Fri May 27 15:56:15 +0300 2011
notice: Using cached catalog
err: Could not retrieve catalog; skipping run

Can't understand what am I missing. Telnet to puppet port works fine, as well as http. I've tried to connect to both 192.168.124.X and 10.10.0.X ips.

Here is the routing table to server1:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.124.1   192.168.124.5   255.255.255.255 UGH   0      0        0 tun0
192.168.124.5   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.10.0.0       192.168.124.5   255.255.255.0   UG    0      0        0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.10.X    0.0.0.0         UG    0      0        0 eth0

tcpdump of connection attempt:

15:44:17.556745 IP 192.168.124.6.59261 > 192.168.124.1.8140: S 3630206975:3630206975(0) win 5840 <mss 1460,sackOK,timestamp 333953908 0,nop,wscale 7>
15:44:17.938407 IP 192.168.124.1.8140 > 192.168.124.6.59261: S 3687729362:3687729362(0) ack 3630206976 win 5792 <mss 1366,sackOK,timestamp 3325304835 333953908,nop,wscale 7>
15:44:17.938417 IP 192.168.124.6.59261 > 192.168.124.1.8140: . ack 1 win 46 <nop,nop,timestamp 333954290 3325304835>
15:44:17.939187 IP 192.168.124.6.59261 > 192.168.124.1.8140: P 1:106(105) ack 1 win 46 <nop,nop,timestamp 333954291 3325304835>
15:44:18.274663 IP 192.168.124.1.8140 > 192.168.124.6.59261: F 1:1(0) ack 1 win 46 <nop,nop,timestamp 3325305329 333954290>
15:44:18.274893 IP 192.168.124.6.59261 > 192.168.124.1.8140: F 106:106(0) ack 2 win 46 <nop,nop,timestamp 333954626 3325305329>
15:44:18.533685 IP 192.168.124.1.8140 > 192.168.124.6.59261: R 3687729363:3687729363(0) win 0
15:44:18.753026 IP 192.168.124.1.8140 > 192.168.124.6.59261: R 3687729364:3687729364(0) win 0

Why does it resets connection?

There's nothing in puppetmaster log, even when running with -d switch.

Any ideas? Thanks.

We have number of CentOS/RHEL5 servers in datacenter, which are secured with border firewall (basically, only http/https and ssh are allowed). Sometimes me (as systems administrator) & selected developers are required to connect to some local services.

Currently we are doing this by ssh proxying or by mapping some external ip:ports to internal one (to protocols which are supports encryption). But it's not always convenient to use ssh and I'd like to remove all custom firewall rules (for security reasons). So I need to use some vpn solution. OpenVPN seems to be fine and I think I'll stick with it. But I'm wondering if there are some (may be better?) alternatives. Requirements are:

• Allow simulations connections for 2-5 users.
• Users should have separate accounts (username/password and/or cert)
• Total number of users: I believe not more than 10
• It should work perfectly under Windows XP/Vista/7 and any Linux
• Server should work perfectly on one of our CentOS servers
• I need to have ability to remove user account/invalidate cert
• It should be opensource or at least free
• (optional) user should have ability to re-issue cert and/or change password without my attention.

I'm trying to set up libvirtd on my headless gentoo server. I'd like to have remote control via tls. I've followed libvirt remote access guide, but it don't work for me: client virt-manager shows following error:

unable to connect to libvirtd at 'xxx.xxx.info': Connection refused

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/connection.py", line 1055, in _try_open
    None], flags)
  File "/usr/lib/python2.6/site-packages/libvirt.py", line 107, in openAuth
    if ret is None:raise libvirtError('virConnectOpenAuth() failed')
libvirtError: unable to connect to libvirtd at 'xxx.xxx.info': Connection refused

Here is my current server libvirtd config (comments stripped):

listen_tls = 1 
tls_port = "16514"
auth_tls = "none"
tls_no_verify_address = 1

And it does not listens to port 16514: lsof -i tcp:16514 prints nothing.

I also have following in my log just after libvirtd start:

Mar 30 14:46:02 fs dnsmasq[27523]: started, version 2.52 cachesize 150
Mar 30 14:46:02 fs dnsmasq[27523]: compile time options: no-IPv6 GNU-getopt DBus I18N DHCP no-TFTP
Mar 30 14:46:02 fs dnsmasq-dhcp[27523]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
Mar 30 14:46:02 fs dnsmasq[27523]: reading /etc/resolv.conf
Mar 30 14:46:02 fs dnsmasq[27523]: using nameserver 192.168.1.3#53
Mar 30 14:46:02 fs dnsmasq[27523]: bad address at /etc/hosts line 2
Mar 30 14:46:02 fs dnsmasq[27523]: read /etc/hosts - 15 addresses
Mar 30 14:46:10 fs kernel: IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:18:82:ed:d1:df:08:00 SRC=172.28.36.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=62606 PROTO=2 
Mar 30 14:46:33 fs kernel: IN=virbr0 OUT= MAC=01:00:5e:00:00:01:26:a8:55:dc:5f:05:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 

"kernel: IN=virbr0" are dropped packets logged by -j LOG rule in my iptables config. However, I've tried with all iptables rules allowed - nothing changed.

Certs seems to be fine as well (maybe not?):

# ls -R /etc/pki/
/etc/pki/:
CA  libvirt

/etc/pki/CA:
ca.info  cacert.pem  cakey.pem

/etc/pki/libvirt:
private  servercert.pem

/etc/pki/libvirt/private:
server.info  servercert.pem  serverkey.pem

I'm on gentoo running

[ebuild   R   ] app-emulation/libvirt-0.8.8-r1  USE="json libvirtd lvm lxc network nls parted python qemu udev virt-network -avahi -caps -debug -iscsi -macvtap -nfs -numa -openvz -pcap -phyp -policykit -sasl (-selinux) -uml -virtualbox -xen" 0 kB

libvirtd is running:

# ps ax | grep [v]irt
30484 ?        Sl     0:00 /usr/sbin/libvirtd -d
30735 ?        S      0:00 /usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid --conf-file=  --except-interface lo --listen-address 192.168.122.1 --dhcp-range 192.168.122.2,192.168.122.254 --dhcp-lease-max=253 --dhcp-no-override

Anything else I should check. How do I debug this issue?

SOLVED:

I'd run libvirtd with --lsiten flag. It's possible to specify it in /etc/conf.d/libvirtd file. Also, I've found another error in my configuration: when adding connection in virt-manager, you must specify an hypervisor, so url would look like quemu+tsl://user@host/system, not just quemu+tsl://user@host/