typos and formatting

feature/font
AtelierSnek 2022-11-08 19:37:08 +11:00
parent cc76809638
commit 45cdeba428
1 changed files with 35 additions and 30 deletions


@ -1,5 +1,5 @@
---
title: "Rootless Containers on Alpine"
title: "Rootless Containers on Alpine Part 1: Prep Work"
date: 2022-11-08T19:30:15+11:00
draft: false
showSummary: true
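Review bot: the new front-matter title uses the numeral ("Part 1: Prep Work") while the body heading in the next hunk reads "# Part One: Prep Work"; pick one form so the page title and the H1 match. Otherwise the title change is fine and agrees with `series_order: 1`.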
@ -13,12 +13,12 @@ series_order: 1
# Part One: Prep Work
## Background
**(Ashe)**
So. We recently murdered a server's terminal via `do_distro_upgrade`.
**(Tammy)** Was it really that bad?
**(Ashe)** Yes.
> **(Ashe)**
> So. We recently murdered a server's terminal via `do_distro_upgrade`.
>
> **(Tammy)** Was it really that bad?
>
> **(Ashe)** Yes.
```
% man 7z
@ -27,9 +27,10 @@ WARNING: terminal is not fully functional
```
It was in fact *that bad*. So we figured, well, we can spend a few hours, days, whatever fixing this...
**(Tammy)** Or we could just build a new server!
> **(Tammy)** Or we could just build a new server!
>
> **(Ashe)** Right.
**(Ashe)** Right.
So, after asking some friends about their opinions, we settled on Alpine Linux. And why not also migrate all of our
pm2 workloads to containers while we're at it? We've been meaning to learn more about containers for a while now.
@ -107,9 +108,10 @@ f.close()
```
This is probably overkill for our use-case, but that's also fine.
**(Doll)** So this one just runs script and copies to /etc/?
> **(Doll)** So this one just runs script and copies to /etc/?
>
> **(Ashe)** Yes Doll, that's right.
**(Ashe)** Yes Doll, that's right.
With that done, we can move onto the last prep step.
### CGroups V2
@ -133,11 +135,11 @@ From here, we can enable CGroups V2 by setting `rc_cgroup_mode` to `unified`
rc_cgroup_mode="unified"
```
**(Doll)** Doll confused.
**(Ashe)** So was I, for a bit. Despite what `rc.conf` says, cgroups V2 does *not* seem to be enabled on Alpine
unless `rc_cgroup_mode` is set to `unified`. The [Alpine Wiki](https://wiki.alpinelinux.org/wiki/OpenRC#cgroups\_v2)
seems to agree here, but isn't super clear. We'll find out if this is sufficient.
> **(Doll)** Doll confused.
>
> **(Ashe)** So was I, for a bit. Despite what `rc.conf` says, cgroups V2 does *not* seem to be enabled on Alpine
> unless `rc_cgroup_mode` is set to `unified`. The [Alpine Wiki](https://wiki.alpinelinux.org/wiki/OpenRC#cgroups\_v2)
> seems to agree here, but isn't super clear. We'll find out if this is sufficient.
Next step is configuring the controllers we want to use:
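Review bot: the wiki link's anchor is written as `#cgroups\_v2`; the backslash is unnecessary inside a link destination and, on a renderer that does not process escapes there, yields a broken anchor, so `#cgroups_v2` is the safer spelling. Separately, the paragraph hedges with "seems" and "We'll find out if this is sufficient"; since the rest of the rootless setup depends on cgroup v2 being active, a one-line confirmation that the unified hierarchy is actually mounted after the `rc_cgroup_mode="unified"` change (for example that `/sys/fs/cgroup/cgroup.controllers` exists) would turn the guess into a checked statement.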
@ -184,10 +186,10 @@ We spent some time trying to adapt the [install script](https://github.com/conta
nerdctl provides to our purposes, however this is a bit excessive for what we need,
so we'll just do it the "[hard way](https://github.com/containerd/containerd/blob/main/docs/rootless.md)".
**(Tammy)** Wait, this isn't the "hard way", is it?
**(Ashe)** Nope. Adapting a 500 line script would be hard and annoying. We're better served by just doing it manually,
and providing instructions for anyone following along. So in that vein:
> **(Tammy)** Wait, this isn't the "hard way", is it?
>
> **(Ashe)** Nope. Adapting a 500 line script would be hard and annoying. We're better served by just doing it manually,
> and providing instructions for anyone following along. So in that vein:
### Getting containerd running in rootlesskit
First, let's get containerd running at the CLI, and then we can make it into an OpenRC Script.
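Review bot: "500 line script" should be hyphenated as "500-line script". Also, the blockquote now ends with "So in that vein:" and the very next line is the `### Getting containerd running in rootlesskit` heading; a colon leading straight into a heading reads oddly, so either end that sentence with a period or let the colon introduce the "First, let's get containerd running at the CLI" sentence directly.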
@ -225,9 +227,10 @@ ip rule [list] | add|del SELECTOR ACTION
[rootlesskit:child ] error: parsing message from fd 3: EOF
```
**(Doll)** That looks like it broke, Miss.
**(Ashe)** *sigh*, yeah, that's broken alright. That output looks like ip didn't like the command supplied to it, so let's find out what that was.
> **(Doll)** That looks like it broke, Miss.
>
> **(Ashe)** *sigh*, yeah, that's broken alright. That output looks like ip didn't like the command supplied to it,
> so let's find out what that was.
Some troubleshooting later, it looks like this is to do with BusyBox's implementation of the ip commands. We've raised
[an issue](https://github.com/rootless-containers/slirp4netns/issues/304), and we'll see how that goes.
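Review bot: the diagnosis sentence ("it looks like this is to do with BusyBox's implementation of the ip commands") would be easier to follow if it named which `ip` invocation failed; the usage text carried in the hunk context (`ip rule [list] | add|del SELECTOR ACTION`) suggests it is `ip rule`, and saying so before pointing at the slirp4netns issue saves readers a trip to GitHub to learn what actually broke.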
@ -263,7 +266,9 @@ The error is more interesting. CRI here stands for [Container Runtime Interface]
it seems to be used for Kubernetes. Since we won't be using kubernetes here, we can just disable it by adding
`disabled_plugins = ["io.containerd.grpc.v1.cri"]` to our `config.toml`.
**(Tammy)** If you *are* interested in Kubernetes, make sure to check out our [Home Server Build-Out]({{< ref "home-server-build-out" >}}) series. We're planning on setting up an entire cloud environment there.
> **(Tammy)** If you *are* interested in Kubernetes, make sure to check out our
> [Home Server Build-Out]({{< ref "home-server-build-out" >}}) series.
> We're planning on setting up an entire cloud environment there.
Let's try that again (cutting out any info stuff):
```sh
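Review bot: "kubernetes" on the context line is lowercase while the same sentence and Tammy's reply write "Kubernetes"; make the capitalization consistent. The `disabled_plugins = ["io.containerd.grpc.v1.cri"]` instruction is fine as written; one clause noting that, beyond silencing the error, disabling a plugin the host does not use also keeps the daemon's exposed surface smaller would give readers the reason to do it even on a box where the error is absent.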
@ -280,7 +285,7 @@ and `containerd` couldn't find an OpenTelemetry endpoint.
We'll be skipping OpenTelemetry for now, but that sounds like a fun topic for a second blog post along side setting up
Grafana.
**(Doll)** Doll will remember! Will remind Miss' to make a post about this!
> **(Doll)** Doll will remember! Will remind Miss' to make a post about this!
### Setting up devmapper
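Review bot: "along side" on the context line should be "alongside", and "Miss'" in Doll's line carries a stray apostrophe (the other Doll lines use "Miss" with no possessive); both fall within this commit's "typos" scope even though the hunk only wraps the line into a blockquote.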
@ -448,8 +453,8 @@ nerdctl do that for it's mainline storage, and using our "persistent" pool for n
For this we'll need `device-mapper`, `lvm2-dmeventd`, and `thin-provisioning-tools`, so we'll `apk add` those in.
**(Ashe)** I'm going to skip showing the terminal output for installing packages from here on in to save space. I'm sure
you've gotten the idea by now.
> **(Ashe)** I'm going to skip showing the terminal output for installing packages from here on in to save space.
> I'm sure you've gotten the idea by now.
First up is creating a thin pool, which we'll do as follows:
```sh
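Review bot: the context text in the hunk header reads "for it's mainline storage"; that is the possessive and should be "its". The package list (`device-mapper`, `lvm2-dmeventd`, `thin-provisioning-tools`) and the blockquote wrap are fine as-is.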
@ -577,11 +582,11 @@ Command failed.
>
> **(Ashe)** No. It does not. Hmm. Let's investigate.
>
> **(Ashe)** Ah. Found it. Looks like devmapper isn't supported in rootless configs. Now we know.
> **(Ashe)** Ah. Found it. Looks like devmapper isn't supported in
> [rootless configs](https://github.com/containerd/containerd/tree/main/docs/snapshotters). Now we know.
{{< alert >}}
**(Ashe)** Rootless containerd [does **not** support the devmapper snapshotter]
(https://github.com/containerd/containerd/tree/main/docs/snapshotters).
**(Ashe)** Rootless containerd does **not** support the devmapper snapshotter!
{{< /alert >}}
> **(Octavia)** And on that bomb-shell, I think it's about time we wrapped this up. Looks like we'll have to make this
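Review bot: moving the docs link into Ashe's quoted line does fix the alert, where the old markup had the `]` and `(` of the link split across a line break and so would not have rendered as a link; but the alert now asserts the limitation with no source at all, and the alert is what a skimming reader sees, so keep the link inside it too, on a single line. Also "bomb-shell" on the trailing context line should be "bombshell".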