typos and formatting
parent
cc76809638
commit
45cdeba428
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
title: "Rootless Containers on Alpine"
|
title: "Rootless Containers on Alpine Part 1: Prep Work"
|
||||||
date: 2022-11-08T19:30:15+11:00
|
date: 2022-11-08T19:30:15+11:00
|
||||||
draft: false
|
draft: false
|
||||||
showSummary: true
|
showSummary: true
|
||||||
|
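Review bot: the new front-matter title spells the part number as "Part 1" while the body heading a few lines further down in this file still reads "# Part One: Prep Work", so the same post now carries two spellings of its own part number; pick one form (the front matter also carries `series_order: 1`, which is what the series index renders, so the numeral reads most consistently) and use it in both places.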
@ -13,12 +13,12 @@ series_order: 1
|
||||||
# Part One: Prep Work
|
# Part One: Prep Work
|
||||||
|
|
||||||
## Background
|
## Background
|
||||||
**(Ashe)**
|
> **(Ashe)**
|
||||||
So. We recently murdered a server's terminal via `do_distro_upgrade`.
|
> So. We recently murdered a server's terminal via `do_distro_upgrade`.
|
||||||
|
>
|
||||||
**(Tammy)** Was it really that bad?
|
> **(Tammy)** Was it really that bad?
|
||||||
|
>
|
||||||
**(Ashe)** Yes.
|
> **(Ashe)** Yes.
|
||||||
|
|
||||||
```
|
```
|
||||||
% man 7z
|
% man 7z
|
||||||
|
@ -27,9 +27,10 @@ WARNING: terminal is not fully functional
|
||||||
```
|
```
|
||||||
It was in fact *that bad*. So we figured, well, we can spend a few hours, days, whatever fixing this...
|
It was in fact *that bad*. So we figured, well, we can spend a few hours, days, whatever fixing this...
|
||||||
|
|
||||||
**(Tammy)** Or we could just build a new server!
|
> **(Tammy)** Or we could just build a new server!
|
||||||
|
>
|
||||||
|
> **(Ashe)** Right.
|
||||||
|
|
||||||
**(Ashe)** Right.
|
|
||||||
So, after asking some friends about their opinions, we settled on Alpine Linux. And why not also migrate all of our
|
So, after asking some friends about their opinions, we settled on Alpine Linux. And why not also migrate all of our
|
||||||
pm2 workloads to containers while we're at it? We've been meaning to learn more about containers for a while now.
|
pm2 workloads to containers while we're at it? We've been meaning to learn more about containers for a while now.
|
||||||
|
|
||||||
|
@ -107,9 +108,10 @@ f.close()
|
||||||
```
|
```
|
||||||
This is probably overkill for our use-case, but that's also fine.
|
This is probably overkill for our use-case, but that's also fine.
|
||||||
|
|
||||||
**(Doll)** So this one just runs script and copies to /etc/?
|
> **(Doll)** So this one just runs script and copies to /etc/?
|
||||||
|
>
|
||||||
|
> **(Ashe)** Yes Doll, that's right.
|
||||||
|
|
||||||
**(Ashe)** Yes Doll, that's right.
|
|
||||||
With that done, we can move onto the last prep step.
|
With that done, we can move onto the last prep step.
|
||||||
|
|
||||||
### CGroups V2
|
### CGroups V2
|
||||||
|
@ -133,11 +135,11 @@ From here, we can enable CGroups V2 by setting `rc_cgroup_mode` to `unified`
|
||||||
rc_cgroup_mode="unified"
|
rc_cgroup_mode="unified"
|
||||||
```
|
```
|
||||||
|
|
||||||
**(Doll)** Doll confused.
|
> **(Doll)** Doll confused.
|
||||||
|
>
|
||||||
**(Ashe)** So was I, for a bit. Despite what `rc.conf` says, cgroups V2 does *not* seem to be enabled on Alpine
|
> **(Ashe)** So was I, for a bit. Despite what `rc.conf` says, cgroups V2 does *not* seem to be enabled on Alpine
|
||||||
unless `rc_cgroup_mode` is set to `unified`. The [Alpine Wiki](https://wiki.alpinelinux.org/wiki/OpenRC#cgroups\_v2)
|
> unless `rc_cgroup_mode` is set to `unified`. The [Alpine Wiki](https://wiki.alpinelinux.org/wiki/OpenRC#cgroups\_v2)
|
||||||
seems to agree here, but isn't super clear. We'll find out if this is sufficient.
|
> seems to agree here, but isn't super clear. We'll find out if this is sufficient.
|
||||||
|
|
||||||
|
|
||||||
Next step is configuring the controllers we want to use:
|
Next step is configuring the controllers we want to use:
|
||||||
|
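Review bot: the Alpine Wiki link in Ashe's quoted line still carries a backslash-escaped underscore (`OpenRC#cgroups\_v2`); CommonMark does process backslash escapes inside link destinations, so Hugo will render it as `_`, but the escape is unnecessary and other Markdown tools may keep the backslash literally and break the anchor, so write the URL as `https://wiki.alpinelinux.org/wiki/OpenRC#cgroups_v2`. Separately, the quote ends on "We'll find out if this is sufficient" without documenting how to find out: after the reboot a reader can confirm the unified hierarchy is actually in use with `mount -t cgroup2` (a single `cgroup2` mount on `/sys/fs/cgroup`) or by checking that `/sys/fs/cgroup/cgroup.controllers` exists, and that check is worth a line here before the controller configuration that follows.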
@ -184,10 +186,10 @@ We spent some time trying to adapt the [install script](https://github.com/conta
|
||||||
nerdctl provides to our purposes, however this is a bit excessive for what we need,
|
nerdctl provides to our purposes, however this is a bit excessive for what we need,
|
||||||
so we'll just do it the "[hard way](https://github.com/containerd/containerd/blob/main/docs/rootless.md)".
|
so we'll just do it the "[hard way](https://github.com/containerd/containerd/blob/main/docs/rootless.md)".
|
||||||
|
|
||||||
**(Tammy)** Wait, this isn't the "hard way", is it?
|
> **(Tammy)** Wait, this isn't the "hard way", is it?
|
||||||
|
>
|
||||||
**(Ashe)** Nope. Adapting a 500 line script would be hard and annoying. We're better served by just doing it manually,
|
> **(Ashe)** Nope. Adapting a 500 line script would be hard and annoying. We're better served by just doing it manually,
|
||||||
and providing instructions for anyone following along. So in that vein:
|
> and providing instructions for anyone following along. So in that vein:
|
||||||
|
|
||||||
### Getting containerd running in rootlesskit
|
### Getting containerd running in rootlesskit
|
||||||
First, let's get containerd running at the CLI, and then we can make it into an OpenRC Script.
|
First, let's get containerd running at the CLI, and then we can make it into an OpenRC Script.
|
||||||
|
@ -225,9 +227,10 @@ ip rule [list] | add|del SELECTOR ACTION
|
||||||
[rootlesskit:child ] error: parsing message from fd 3: EOF
|
[rootlesskit:child ] error: parsing message from fd 3: EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
**(Doll)** That looks like it broke, Miss.
|
> **(Doll)** That looks like it broke, Miss.
|
||||||
|
>
|
||||||
**(Ashe)** *sigh*, yeah, that's broken alright. That output looks like ip didn't like the command supplied to it, so let's find out what that was.
|
> **(Ashe)** *sigh*, yeah, that's broken alright. That output looks like ip didn't like the command supplied to it,
|
||||||
|
> so let's find out what that was.
|
||||||
|
|
||||||
Some troubleshooting later, it looks like this is to do with BusyBox's implementation of the ip commands. We've raised
|
Some troubleshooting later, it looks like this is to do with BusyBox's implementation of the ip commands. We've raised
|
||||||
[an issue](https://github.com/rootless-containers/slirp4netns/issues/304), and we'll see how that goes.
|
[an issue](https://github.com/rootless-containers/slirp4netns/issues/304), and we'll see how that goes.
|
||||||
|
@ -263,7 +266,9 @@ The error is more interesting. CRI here stands for [Container Runtime Interface]
|
||||||
it seems to be used for Kubernetes. Since we won't be using kubernetes here, we can just disable it by adding
|
it seems to be used for Kubernetes. Since we won't be using kubernetes here, we can just disable it by adding
|
||||||
`disabled_plugins = ["io.containerd.grpc.v1.cri"]` to our `config.toml`.
|
`disabled_plugins = ["io.containerd.grpc.v1.cri"]` to our `config.toml`.
|
||||||
|
|
||||||
**(Tammy)** If you *are* interested in Kubernetes, make sure to check out our [Home Server Build-Out]({{< ref "home-server-build-out" >}}) series. We're planning on setting up an entire cloud environment there.
|
> **(Tammy)** If you *are* interested in Kubernetes, make sure to check out our
|
||||||
|
> [Home Server Build-Out]({{< ref "home-server-build-out" >}}) series.
|
||||||
|
> We're planning on setting up an entire cloud environment there.
|
||||||
|
|
||||||
Let's try that again (cutting out any info stuff):
|
Let's try that again (cutting out any info stuff):
|
||||||
```sh
|
```sh
|
||||||
|
@ -280,7 +285,7 @@ and `containerd` couldn't find an OpenTelemetry endpoint.
|
||||||
We'll be skipping OpenTelemetry for now, but that sounds like a fun topic for a second blog post along side setting up
|
We'll be skipping OpenTelemetry for now, but that sounds like a fun topic for a second blog post along side setting up
|
||||||
Grafana.
|
Grafana.
|
||||||
|
|
||||||
**(Doll)** Doll will remember! Will remind Miss' to make a post about this!
|
> **(Doll)** Doll will remember! Will remind Miss' to make a post about this!
|
||||||
|
|
||||||
### Setting up devmapper
|
### Setting up devmapper
|
||||||
|
|
||||||
|
@ -448,8 +453,8 @@ nerdctl do that for it's mainline storage, and using our "persistent" pool for n
|
||||||
|
|
||||||
For this we'll need `device-mapper`, `lvm2-dmeventd`, and `thin-provisioning-tools`, so we'll `apk add` those in.
|
For this we'll need `device-mapper`, `lvm2-dmeventd`, and `thin-provisioning-tools`, so we'll `apk add` those in.
|
||||||
|
|
||||||
**(Ashe)** I'm going to skip showing the terminal output for installing packages from here on in to save space. I'm sure
|
> **(Ashe)** I'm going to skip showing the terminal output for installing packages from here on in to save space.
|
||||||
you've gotten the idea by now.
|
> I'm sure you've gotten the idea by now.
|
||||||
|
|
||||||
First up is creating a thin pool, which we'll do as follows:
|
First up is creating a thin pool, which we'll do as follows:
|
||||||
```sh
|
```sh
|
||||||
|
@ -577,11 +582,11 @@ Command failed.
|
||||||
>
|
>
|
||||||
> **(Ashe)** No. It does not. Hmm. Let's investigate.
|
> **(Ashe)** No. It does not. Hmm. Let's investigate.
|
||||||
>
|
>
|
||||||
> **(Ashe)** Ah. Found it. Looks like devmapper isn't supported in rootless configs. Now we know.
|
> **(Ashe)** Ah. Found it. Looks like devmapper isn't supported in
|
||||||
|
> [rootless configs](https://github.com/containerd/containerd/tree/main/docs/snapshotters). Now we know.
|
||||||
|
|
||||||
{{< alert >}}
|
{{< alert >}}
|
||||||
**(Ashe)** Rootless containerd [does **not** support the devmapper snapshotter]
|
**(Ashe)** Rootless containerd does **not** support the devmapper snapshotter!
|
||||||
(https://github.com/containerd/containerd/tree/main/docs/snapshotters).
|
|
||||||
{{< /alert >}}
|
{{< /alert >}}
|
||||||
|
|
||||||
> **(Octavia)** And on that bomb-shell, I think it's about time we wrapped this up. Looks like we'll have to make this
|
> **(Octavia)** And on that bomb-shell, I think it's about time we wrapped this up. Looks like we'll have to make this
|
||||||
|
|
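Review bot: the link being removed from the alert was broken in the old text because the hard wrap put `[does **not** support the devmapper snapshotter]` and `(https://github.com/containerd/containerd/tree/main/docs/snapshotters)` on separate lines, which Markdown does not join into a link; rather than dropping the reference from the alert, join the two parts onto one line so the warning box itself still points at the snapshotter documentation. The new `> [rootless configs](...)` line in Ashe's quote does carry the same link, so the reference survives in the post, but the alert is the part readers skim, and it is now the only place the statement appears without its source.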