#nixos-kubernetes on 2019-09-05

05:34 <jybs> haha

05:34 <jybs> "not very active

05:34 <jybs> :P

05:34 <srhb> o/

05:35 <jybs> node is just rebuilding now on unstable

05:36 <srhb> jybs: We have some single node tests in the tree if you're curious

05:36 <srhb> jybs: eg. nix-build nixos/tests/kubernetes/dns.nix -A singlenode

05:43 <jybs> Man updating to unstable pushes a lot of data

05:43 <srhb> Oh, I forgot, current unstable is broken with vulkan-headers until next bump, I think..

05:44 <srhb> 8d1510a is the last that worked for me, until it bumps again.

05:44 <jybs> Oh dear

05:44 <srhb> But yeah, release bumps are big :P

05:44 <srhb> Not a big issue, it just fails to evaluate..

05:45 <srhb> Might only be in certain cases.. :)

05:45 <srhb> (Like, vulkan sounds graphics related.)

05:46 <jybs> On older versions kubectl just worked, but with newer ones I have to export KUBECONFIG=/etc/kubernetes/cluster-admin.kubeconfig

05:46 <jybs> Is that expected?

05:47 <srhb> jybs: Yeah, the tests wrap it to set the env var.

05:47 <srhb> jybs: Look in base.nix

05:47 <jybs> Yeah I can do it myself, just thought it was odd it changed

05:48 <srhb> I think it's not the only magical default to go away.

05:48 <jybs> Will i need to remove my current config?

05:49 <jybs> (/var/lib/...)

05:50 <srhb> jybs: Something you made by hand?

05:57 <srhb> Building a test node on master now. #yolo

05:57 <srhb> At least it has the latest fixes in. :P

06:08 <srhb> Maybe that was not a great idea. Sigh, release windows are always such a mess. :P

06:10 <jybs> OK here we go

06:12 <jybs> Now it seems to just not get anywhere :(

06:12 <jybs> /nix/store/dax0d72jklvln5i3f3m2ikbp7zpij0z5-bash-4.4-p23/bin/bash -e /nix/store/dgf2y7bv3f4znbqnkhpa8q60y1y0dv6b-unit-script-kubelet-online-sta

06:12 <jybs> seems to be hung

06:13 <srhb> No logs?

06:13 <jybs> : Condition check resulted in Kubernetes Kubelet Service being skipped.

06:13 <srhb> Yeah, those are the systemd deps we dropped in that PR.

06:14 <jybs> *sigh*

06:14 <srhb> Maybe unstable was bad advice, at least until next bump... I've been testing on master, so..

06:14 <srhb> Not that helpful :)

06:14 <jybs> :)

06:14 <jybs> Is fine

06:17 <jybs> Did your test off master work?

06:21 <srhb> Yeah! Trying to build a fresh one off 8d1510a + cherry-pick 11e72e547d013894dfce88e68d0ec80a8bf0b545 -m1

06:22 <srhb> Because meanwhile, master got broken on some other packages I need. :P

06:25 <srhb> Seems to work fine!

06:25 <srhb> coredns running happilly.

06:26 <jybs> Do you use nix to create your containers?

06:27 <jybs> (I ask as I wait for all of kubernetes to compile)

06:27 <srhb> jybs: Usually yes :)

06:27 <jybs> Oooh cool. Systemd in the containers?

06:27 <srhb> Nope. Barebones single executable stuff.

06:28 <srhb> If I need an init system I don't run it in docker.

06:28 <jybs> It's less needing an init system, more a system which already knows all about how to start things

06:29 <jybs> Do you use k8 on nixos in prod?

06:29 <srhb> Not until october. :P

06:29 <jybs> lol

06:29 <srhb> (I left that job a while back, but going back then :))

06:30 <srhb> They've been running k8s on NixOS in prod since.. What, january last year? Something like that.

06:30 <jybs> OK

06:30 <jybs> It seems like a pretty good combo (if I can get it to work)

06:31 <srhb> I'm sure we can work it out. fwiw my config was simply masterAddress = "myHostname" and roles = [ "master" "node" ]; with nothing else

06:31 <srhb> Though I prefer to run the explicit approach rather than the smarts, but for testing this is nice.

06:31 <jybs> And the hostname doesn't have to resolve via DNS right?

06:31 <jybs> It can be /etc/hosts only?

06:32 <srhb> jybs: Yeah.

06:32 <srhb> I'm just on my laptop now, so it was its own hostname.

06:32 <jybs> I don't suppose you'd be up for some random non nix k8 questions?

06:32 <jybs> :P

06:33 <srhb> You can try, but I'm rusty!

06:33 <srhb> until october, hopefully xP

06:33 <jybs> OK - so my main one is can you run a prod cluster with three machines. I've asked elsehwere but always get a full range of answers

06:33 <jybs> so 3 x master+node

06:33 <srhb> Yeah, absolutely.

06:33 <jybs> with stacked etcd

06:34 <srhb> I like to keep things separate, but without any further concerns like extreme resource usage or whatnot, it's fine.

06:35 <jybs> They are mid level machines. 28 core, half a terrabte ram, 6TB SSD

06:36 <srhb> That doesn't mean anything to me without a gauge of the workload.

06:36 <jybs> Hoping to get Prometheus + friends, Elastic + friends+ PostgreSQL + some random small containers on there

06:36 <jybs> So high capacity stuff, but not doing much

06:36 <srhb> Probably fine. You can always move the master components away to some laptops or whatnot if the need arises.

06:36 <srhb> :P

06:36 <srhb> Not like they need a lot.

06:36 <jybs> I don't so much *need* k8 as want it :P

06:37 <srhb> how strange!

06:37 <srhb> ;)

06:37 <jybs> ha

06:37 <jybs> 99% of the world I suppose

06:37 <srhb> I guess. I prefer to run everything off k8s basically

06:37 <srhb> But it's a good platform to allow people that are not opsy to deploy things on.

06:37 <srhb> Though it is fun, sure :P

06:38 <srhb> Maybe one day we get a distributed nix thing and I'll change my mind :P

06:38 <jybs> For us it's more about getting a foothold in a datacenter with something which we can extend

06:39 <jybs> gah master build didn't work

06:39 <srhb> What's up?

06:39 <srhb> Oh and yeah that's a good point

06:40 <jybs> systemd-timesyncd.service: Failed with result 'exit-code'.

06:40 <jybs> I see this every so often and never know what causes it

06:40 <srhb> That doesn't sound like a bad failure, probably just bad setup of that service.

06:41 <jybs> ooh k8 is up anyway

06:42 <jybs> Should kubectl get nodes show my node is a master?

06:42 <jybs> I get a role of <none>

06:42 <srhb> It should just say Ready

06:42 <srhb> That's fine

06:42 <jybs> Ok that's fine then

06:42 <jybs> I think I'm good

06:42 <srhb> You might want to do some more networking setup

06:42 <srhb> Because probably you don't have a lot of connectivity to services at this point

06:43 <jybs> Yeah I think I saw a section on that in the k8 section of the nixos docs?

06:43 <srhb> ie. I'm not sure you can curl https://10.0.0.1

06:43 <jybs> I'll have a look

06:44 <jybs> I can't

06:44 <srhb> fwiw I'm not very happy with flannel, but it's what we use in the tests

06:44 <jybs> But because unable to get local issuer certificate

06:44 <srhb> Ah that's fine

06:44 <srhb> just throw -k at it

06:44 <jybs> Forbidden

06:44 <srhb> That's also fine :P

06:45 <srhb> The keys and stuff are in /var/lib/kubernetes/secrets iirc

06:46 <jybs> And if I want to join three servers I just do it manually, not via nix right?

06:47 <srhb> jybs: Take a look at how the multinode tests do it

06:48 <srhb> jybs: It uses the easyCerts mechanism and makes it easy to do the joining.

06:48 <srhb> But you can also do it by hand of course.

06:48 <jybs> Hangon

06:49 <jybs> "Note: Multi-master (HA) clusters are not supported by the easyCerts module."

06:49 <jybs> Sorry this is why I assumed I couldn't

06:50 <srhb> Right, if you're building a prod cluster, I wouldn't do easyCerts anyway.

06:50 <jybs> Of course

06:50 <srhb> The test exchanges the token through the shared tmpfs of the vms

06:50 <srhb> Which is a bit cheaty, but nice for testing multinode functionality :P

06:52 <srhb> For a real setup, by far the most involved part is setting up proper PKI.

06:52 <jybs> Which ones are the MN tests? Are they in nixpkgs/nixos/tests/kubernetes/?

06:52 <srhb> Which goes for.. Well, anything, not just k8s :P

06:52 <srhb> jybs: They're in both dns and rbac, under the multinode name :)

06:52 <srhb> None of them are multi-master though

06:52 <srhb> iirc.

06:52 <jybs> That's fine

06:53 <srhb> What I would suggest you do if you want to do multimaster right away is get rid of roles = [ ... ]; and set it up manually through the low level interface

06:53 <srhb> From there it's basically following any k8s-the-hard-way guide.

06:53 <srhb> And working out errors in the journal as you go along :)

06:53 <srhb> The daemons are actually quite informative about what's wrong at any given point.

06:54 <jybs> the hard way sounds ominous, but cool

06:54 <srhb> It should be called "kubernetes, but you do all the PKI stuff" ;-)

06:54 <srhb> The rest is easy.

06:56 <jybs> Amazing

06:56 <jybs> helm deploying away

06:56 <jybs> Thanks so much for the help!

06:58 <srhb> You're welcome!

06:58 <srhb> Sorry about the so-so state of the module and stuff

06:59 <srhb> Hopefully we can fix that real soon, and definitely in time for 20.03

06:59 <jybs> To be fair it doesn't matter as long as it works in the end

06:59 <jybs> Once it's in it's in

06:59 <srhb> I hope you'll stick around or at least come back, more people means more feedback means better modules :)

06:59 <jybs> Oh I'll be back

06:59 <srhb> Great!

06:59 <jybs> most likely tomorrow when I can't work out the PKI

06:59 <srhb> xD

06:59 <jybs> Gotta go, thanks again

06:59 <srhb> See you :)