From 1009e24f1d709fd071497ad1e1911853b72f8030 Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Mon, 17 Aug 2020 10:47:28 -0400
Subject: [PATCH] add more details

---
 README.md | 103 ++++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 84 insertions(+), 19 deletions(-)

diff --git a/README.md b/README.md
index cc0bd95..93006fc 100644
--- a/README.md
+++ b/README.md
@@ -2,48 +2,69 @@
 ## Raspberry Pi
-Enable cgroups by adding the following to the end of /boot/cmdline.txt
+### Set static DNS
+
+For the love of god do this before anything else. Your pods depend on it.
 ```bash
-cgroup_memory=1 cgroup_enable=memory
+echo 'static domain_name_servers=1.1.1.1 1.0.0.1' >> /etc/dhcpcd.conf
+service dhcpcd restart
 ```
-Enable legacy iptables
+### Wait for network at boot
+
+Because so many services rely on proper mounting of nfs you should really wait for network at boot:
 ```bash
-sudo iptables -F
-sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
-sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
-sudo reboot
+raspi-config
+> boot
+> Wait for network
 ```
-Install k3s on our sacrificial server (assuming you have etcd configured)
+### Install K3s
+
+Enable cgroups and legacy iptables
 ```bash
-curl -sfL https://get.k3s.io | sh -s - server \
-  --datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.107:2379,https://3.14.3.103:2379 \
+echo "$(cat /boot/cmdline.txt) cgroup_memory=1 cgroup_enable=memory" > /boot/cmdline.txt
+iptables -F
+update-alternatives --set iptables /usr/sbin/iptables-legacy
+update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+reboot
+```
+
+Install k3s on our lead server (assuming you have etcd configured) to generate token and certs
+
+```bash
+curl -sfL https://get.k3s.io | sh -s -
+systemctl stop k3s
+export token=$(cat /var/lib/rancher/k3s/server/node-token)
+curl -sfL https://get.k3s.io | sh -s - \
+  --datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.103:2379,https://3.14.3.107:2379 \
  --datastore-cafile=/certs/ca.pem \
  --datastore-certfile=/certs/client.pem \
  --datastore-keyfile=/certs/client-key.pem \
+  --token $token
+journalctl -u k3s -f
 ```
 Join worker node (token located at /var/lib/rancher/k3s/server/node-token)
 ```bash
 export token=
-curl -sfL https://get.k3s.io | sh -s - server \
-  --datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.107:2379,https://3.14.3.103:2379 \
+curl -sfL https://get.k3s.io | sh -s - \
+  --datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.103:2379,https://3.14.3.107:2379 \
  --datastore-cafile=/certs/ca.pem \
  --datastore-certfile=/certs/client.pem \
  --datastore-keyfile=/certs/client-key.pem \
-  --token $token \
-  --server https://3.14.3.107
+  --token $token
 ```
 Generate certs for a new user
 ```bash
-export USER=
+export USER=
+
 mkdir $USER
 cd $USER
 openssl genrsa -out $USER.key 2048
@@ -51,13 +72,57 @@ openssl req -new -key $USER.key -out $USER.csr -subj "/CN=$USER/O=user"
 sudo openssl x509 -req -in $USER.csr -CA /var/lib/rancher/k3s/server/tls/client-ca.crt -CAkey /var/lib/rancher/k3s/server/tls/client-ca.key -CAcreateserial -out $USER.crt -days 5000
 sudo chown pi:pi $USER.crt
 sudo kubectl create namespace $USER
-sudo kubectl -n $USER create role $USER --verb=get,list,create,update,patch,watch,delete,deletecollection --resource=deployments,pods,pods/exec,pods/log,pods/attach,services,ingresses,secrets,configmaps,persistentvolumeclaims
-sudo kubectl -n $USER create rolebinding -n ducoterra $USER --role=$USER --user=$USER
+sudo kubectl -n $USER create role $USER --verb=get,list,create,update,patch,watch,delete,deletecollection --resource=deployments,daemonsets,pods,pods/exec,pods/log,pods/attach,services,secrets,configmaps,persistentvolumeclaims,endpoints,ingresses.extensions,ingresses.networking.k8s.io
+sudo kubectl -n $USER create rolebinding -n $USER $USER --role=$USER --user=$USER
+sudo kubectl create clusterrole volume --verb=get,list,create,update,patch,watch,delete,deletecollection --resource=persistentvolumes
+sudo kubectl create clusterrolebinding --role=volume --user=$USER
+```
+
+Copy certs
+
+```bash
+export SERVER=
+export USER=
+scp $SERVER:~/$USER/$USER.crt $SERVER:~/$USER/$USER.csr $SERVER:~/$USER/$USER.key certs/
 ```
 Test a bunch of deploys
 ```bash
-for i in {1..100}; do kubectl create deploy test$i --image=nginx; done;
-for i in {1..100}; do kubectl delete deploy test$i; done;
+for i in {1..10}; do kubectl create deploy test$i --image=nginx; done;
+for i in {1..10}; do kubectl delete deploy test$i; done;
 ```
+
+To uninstall
+
+```bash
+/usr/local/bin/k3s-uninstall.sh
+```
+
+### Install Docker
+
+```bash
+curl -sSL https://get.docker.com | sh
+sudo usermod -aG docker pi
+docker run hello-world
+sudo apt-get install -y libffi-dev libssl-dev
+sudo apt-get install -y python3 python3-pip
+sudo apt-get remove python-configparser
+sudo pip3 -v install docker-compose
+```
+
+### Add NFS for local-storage
+
+Disable local-path:
+
+```bash
+echo 'freenas:/mnt/enc0/pi /var/lib/rancher/k3s/storage nfs noexec,nosuid,nofail 0 0' >> /etc/fstab
+mkdir -p /var/lib/rancher/k3s/storage
+mount -a
+```
+
+### Pihole password
+
+```bash
+echo $(kubectl get secret pihole --output=jsonpath='{.data.WEBPASSWORD}' | base64 --decode)
+```
\ No newline at end of file