#nixos-kubernetes on 2018-09-06

08:00 johanot has joined #nixos-kubernetes

12:15 johanot has quit [Remote host closed the connection]

12:52 johanot has joined #nixos-kubernetes

13:45 ixxie has joined #nixos-kubernetes

13:46 <ixxie> yo

13:46 <ixxie> johanot: tried to build your branch and got https://gist.github.com/ixxie/65ea21e7158a3c657372c1b8742e4d6f

13:46 <ixxie> of course I might have made a mistake porting that configuration

14:11 <ixxie> https://github.com/fluxcraft/fluxcluster/blob/master/modules/kube.nix

14:12 <ixxie> https://github.com/fluxcraft/fluxcluster/blob/master/fluxcluster.nix

14:38 <johanot> ixxie: hmm.. looks strange. I'm gonna have to look at that later, will be off for 2-3 hrs now.

14:38 <ixxie> thanks johanot

14:43 <johanot> "signal: killed" .. OOM? :P

14:44 <srhb> Yeah that looks like OOM

14:46 johanot has quit [Quit: leaving]

14:57 <ixxie> srhb: what is OOM?

15:02 <srhb> ixxie: Out of memory

15:02 <srhb> ixxie: The build failed to allocate enough memory while doing something, so it barfed :)

15:41 <ixxie> aah

15:42 <ixxie> srhb: I was actually thinking to move the build process from my laptop to the master or something

15:42 <ixxie> but I guess a dedicate deployer may be wiser if the master runs stuff

16:06 <ixxie> srhb: any tips on how to manage the build without scaling up the build machine?

16:06 <srhb> More swap?

16:07 <ixxie> hmmm

16:07 <ixxie> gonna dig up an option for that

16:11 <ixxie> srhb: are you sure Nix can use swap?

16:12 <srhb> ixxie: Yup. It's completely transparent to Nix.

16:12 <srhb> It just appears as "moar rams"

16:12 <ixxie> so any clue to which setting to tweak?

16:12 <srhb> ixxie: On a NixOS machine?

16:12 <ixxie> yeah

16:13 <ixxie> oh

16:13 <ixxie> wait

16:13 <ixxie> I remember now I have a whole volume for swap on this machine

16:13 <ixxie> I just need to specify in swapDevices

16:13 <ixxie> that should do the trick :)

16:32 <ixxie> srhb: I guess there is a very good usecase for swap when you run Nix is a memory constrained environment xD

16:33 <srhb> ixxie: Oh yeah, bigtime. Especially with the 2.0.x memory leaks.

16:33 <srhb> Well, actually not leaks. But definitely not efficient memory usage.

16:37 <ixxie> does nixops already use 2.0?

16:39 <ixxie> it also seems Nix's memory usage on my machine is capped to about 4GB (I have 8)

16:44 <srhb> ixxie: iirc nixops just uses whichever Nix is on PATH

16:44 <srhb> And there's no cap, normally

16:46 <ixxie> hmm I see

17:15 <ixxie> srhb: speak of the devil: https://discourse.nixos.org/t/nix-2-1-released/875

17:17 <srhb> Yup, indeed. Not in any release yet (except as nixUnstable)

17:53 ixxie has quit [Ping timeout: 252 seconds]

17:57 ixxie has joined #nixos-kubernetes

18:01 johanot has joined #nixos-kubernetes

18:08 <ixxie> srhb: so with swap the build suceeded, but while it seems kubernetes is installed (I see k8s containers when I run `docker ps`) it seems I don't have a `kubectl` command available in my path

18:08 <ixxie> nor does the root user

18:13 <srhb> ixxie: You can just add it to environment.systemPackages

18:13 <srhb> It's funny that you expect that. I think we debated whether the module should do that. I lean towards "don't silently stick things on the global PATH"

18:13 <srhb> But good feedback.

18:15 <johanot> While testing something else today I realized that the etcd module sticks "etcdctl" on PATH, I thought I had to ask for it specifically. Apparently not :)

18:16 <johanot> my personal opinion is that the system PATH should be kept as clean as possible, but I'm not totally immune to the other argument still.

18:16 <ixxie> srhb: well, at the very least the current version on unstable DOES supply kubectl

18:16 <ixxie> because I haven't had to install it seperately

18:16 <ixxie> so if you remove it you better warn people somehow

18:17 <srhb> ixxie: Ah. My main concern is that it's easy to accidentally depend on things in /run/current-system in the actual module if you stick it on there automatically.

18:17 <ixxie> fair enough!

18:17 <srhb> ixxie: That's funny though, I don't see it being set automatically on unstable

18:17 <johanot> ixxie: kubectl is part of the outputs from the kubernetes package, also in stable.

18:17 <srhb> Oh, right, I see..

18:18 <johanot> but that doesn't put in in PATH :)

18:18 <srhb> It does...

18:18 <johanot> it in*

18:18 <srhb> environment.systemPackages = [ cfg.package ];

18:18 <johanot> damn, thought I removed that

18:19 <srhb> In current unstable?

18:19 <srhb> Jaka Hudoklin 2014-11-23 01:27:04 +0100 1147) environment.systemPackages = [ cfg.package ];

18:19 <johanot> Ah.. No, but in 1.11

18:19 <srhb> Right, I think you did

18:19 <ixxie> alrighty

18:20 <srhb> So either release notes or bring it back.

18:20 * srhb shrugs

18:20 <johanot> It didn't feel right to have all k8s thingies on global path

18:20 <srhb> I agree.

18:20 <johanot> but of course, relnotes.. aye aye :P

18:22 <ixxie> hmmm

18:22 <ixxie> [ixxie@flux-master:~]$ kubectl get pods --all-namespaces

18:22 <ixxie> The connection to the server localhost:8080 was refused - did you specify the right host or port?

18:22 <ixxie> what do I make of this?

18:23 <johanot> ixxie: export KUBECONFIG=/etc/kubernetes/cluster-admin.kubeconfig

18:25 <ixxie> [ixxie@flux-master:~]$ kubectl get pods --all-namespaces

18:25 <ixxie> error: unable to read client-key /var/lib/kubernetes/secrets/cluster-admin-key.pem for cluster-admin due to open /var/lib/kubernetes/secrets/cluster-admin-key.pem: permission denied

18:26 <johanot> ixxie: Sorry. Should have linked you here in the first place: https://github.com/NixOS/nixpkgs/pull/45670/files#diff-8c4e3a8a3bb211a53525fb97850e1fcfR115

18:26 <johanot> Basically, you need to be root to access the private key for the cluster-admin cert

18:27 <johanot> It's the reason why I made a wrapper for kubectl in my test cluster: https://github.com/johanot/machines-mirror/blob/master/configurations/nixos/nixos-1.nix#L5

18:28 <ixxie> oh right

18:28 <ixxie> you did this today right? I missed that yesterday

18:29 <ixxie> but I suppose there is a more permenant setup to be done where certain users get access to the cert?

18:29 <johanot> ixxie: nope. I added firewall ports today, because I wanted to demonstrate that the nixos firewall doesn't have to be disabled to use the k8s module. But the kubectl wrap was there yesterday as well

18:31 <johanot> The auto-generated cert and kubeconfig is a way of getting the same functionality as before, where an admin (having a console on the master-server) can obtain cluster-admin rights.

18:32 <johanot> Additional users/roles/rolebindings must be added manually, for now.

18:33 <ixxie> alrighty

18:33 <ixxie> I only dimly follow whats going on here, but I am sick and quite tired now; so I will try out the wrapper tomorrow and probably ask more questions at some point

18:34 <ixxie> thanks a bunch for all the info again!

18:34 <johanot> ixxie: any time :)

18:34 <ixxie> good night!

18:35 <johanot> Users that aren't up for a deeply granular access control scheme, are most welcome to just copy the admin cert and key around as needed. At least RBAC ensures that random people without any (or a self-signed) cert cannot access the cluster.

18:35 <johanot> Before, everyone could just access port 8080, no questions asked.

18:36 <johanot> ixxie: see ya. gn

18:37 <ixxie> right

18:37 <ixxie> see ya!

18:37 ixxie has quit [Quit: Lost terminal]

19:08 johanot has quit [Quit: leaving]