Rui Carmo
May 18^th 2019, in the evening · 3 min read

Five Less Than Kubernetes, But More Fun

Breaking stuff can be relaxing, and that’s what I’ve been doing this Saturday. And for the past month, really. Ever since k3s came out, I’ve been relishing having a minimal Kubernetes distribution whose internals I can tinker with trivially on ARM devices.

I now have three k3s clusters running: a “stable” cluster on Azure where I deploy test services based on publicly available containers, a test cluster where I iterate upon the Azure deployment template I built (yes, I’m reinventing AKS for fun), and my battered old ARM cluster at home, where I’m trying to sort out niggling details like private registry support.

Since that’s largely undocumented at this point, I decided to jot down some notes regarding it, as well as how to set up a trivial ingress using the built-in traefik (which is currently my favorite way to expose container services).

Private Insecure Registry (k3s v0.5.0)

I’ve long run my own instance of registry:2 at home (in fact, I even had my own build of it for older ARM CPUs).

Now that I have sorted out multiarch manifests and push my test images to it from the i7 where I cross-compile, I wanted to have k3s talk to it as well, but it is a royal pain to add TLS support to a private registry inside a LAN, so I prefer to run it via HTTP only.

As it happens, k3s primes CRI-O/containerd via a TOML template that lives in /var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl, and to add an insecure registry to it you need to fill out the plugins.cri.registry.mirrors section while preserving the other important bits (like CNI and Docker Hub):

[plugins.opt]
path = "{{ .NodeConfig.Containerd.Opt }}"

[plugins.cri]
stream_server_address = "{{ .NodeConfig.AgentConfig.NodeName }}"
stream_server_port = "10010"
  [plugins.cri.cni]
    bin_dir = "{{ .NodeConfig.AgentConfig.CNIBinDir }}"
    conf_dir = "{{ .NodeConfig.AgentConfig.CNIConfDir }}"

[plugins.cri.registry.mirrors]
  [plugins.cri.registry.mirrors."docker.io"]
    endpoint = ["https://registry-1.docker.io"]
  [plugins.cri.registry.mirrors."registry.lan:5000"]
    endpoint = ["http://registry.lan:5000"]

To deploy this, I have (as is usual for me) a Makefile target that iterates through all the nodes:

NODE_TOKEN:=$(shell sudo cat /var/lib/rancher/k3s/server/node-token)
NODES=node1 node2 node3 node4

debug:
    echo ${NODE_TOKEN}

add-%:
    echo "curl -sfL https://get.k3s.io | K3S_URL=https://master:6443 K3S_TOKEN=${NODE_TOKEN} sh -" | ssh $*

deploy-toml:
    $(foreach NODE, $(NODES), \
        cat config.toml.tmpl | ssh $(NODE) sudo tee /var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl;) 

reboot-nodes:
    -$(foreach NODE, $(NODES), \
        ssh $(NODE) sudo reboot;)

Deploying and Exposing a k3s Service

With the above configuration (and a fresh image in registry.lan), setting up a service with images from my private registry is as simple as this:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: node-red-deployment
  labels:
    app: node-red
spec:
  replicas: 1
  selector:
    matchLabels:
      app: node-red
  template:
    metadata:
      labels:
        app: node-red
    spec:
      containers:
      - name: node-red
        image: registry.lan:5000/node-red:slim # my WIP custom build of Node-RED
        imagePullPolicy: Always # grab from the registry every time 
        env:
        - name: PUID
          value: "1000"
        - name: PGID
          value: "1000"
        ports:
        - containerPort: 1880
        volumeMounts:
        - mountPath: /data
          name: data-volume
      volumes:
      - name: data-volume
        hostPath:
          path: /srv/state/node-red # /srv is a shared NFS mount in my home setup
          type: Directory
---
apiVersion: v1
kind: Service
metadata:
  name: node-red
spec:
  selector:
    app: node-red
  ports:
  - protocol: TCP
    port: 80
    targetPort: 1880
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: master.lan
spec:
  rules:
  - host: master.lan
    http:
      paths:
      - backend:
          serviceName: node-red
          servicePort: 80

Caveats

It’s still a bit of a mouthful, though. I find Kubernetes to be a bit overkill, and its manifests do little to assuage me in that regard.

More to the point, stitching together these stanzas is both error-prone and a chore, but I’ll grant that the end result is (marginally) better than docker-compose for playing around.

Also, things like kubectl --all-namespaces=true get all -o wide make it plain the CLI needs better ergonomics–I can never remember half the options. But I digress.

Obviously, that Ingress is a bit too simple. As it happens master.lan is the master node, which is the only cluster node that can talk to the outside directly, and since my home router does not allow me to define custom DNS entries (no CNAMEs, so I only get an A record for each IP) that limits my options a bit.

But traefik can do a lot more than just mapping hostnames, so I intend to make a few more tweaks.

Rui Carmo
May 15^th 2019, at lunchtime

Zebra Event Horizon

the inner courtyard of the EDP building, with its characteristic slats and shade patterns — A unique perspective at the entrance of EDP's new HQ building, just after lunch

Rui Carmo
May 11^th 2019, in the evening · 8 min read

The Surface Laptop

With Build 2019 come and gone, and even though I’m not really the target of most of the announcements and/or see them as logical consequences of the path Microsoft is currently taking, I thought it was time to dust off some notes I’ve left lingering around and never got around to post about something else – the Surface Laptop. But first, a little perspective.

Rui Carmo
May 4^th 2019, at breakfast · 1 min read

Remote Python Development in Visual Studio Code ※

I’ve been waiting for this ever since WSL came out (and then some). The SSH support is broken for me, but it seems fixable (hopefully soon), and even though I’m a bit sad that a) these things still come later in the game than “mainstream” features and b) that they appear to be tested in isolation, I’m glad that there are people working on it at all.

Rui Carmo
April 26^th 2019, in the afternoon

Alien Octopus Lovers

Rui Carmo
April 26^th 2019, at dawn · 1 min read

Samsung makes iFixit remove Galaxy Fold teardown ※

I’ve been following this unmitigated disaster for a few days now, and I just can’t wrap my head around how they actually thought the device was ready in any practical sense.

As much as I would love a WestWorld-style foldable tablet (hint: but not running Android), mechanically it makes exactly zero sense for the screen to be a single panel–aiming for that introduced fatal compromises to durability that will take a long while to fix at an acceptable price.

Rui Carmo
April 21^st 2019, at night · 4 min read

Notes on Continuous Integration and multi-architecture Docker Images

I spent most of the intervening week in a haze (mostly pondering a few personal matters), but decided to scratch a few personal itches regarding my DevOps pipeline, most of which have to do with the lack of updated versions of Docker base images that I rely on–not for Intel/AMD CPUs, but for ARM machines. And since I like dealing with lower-level stuff as a distraction from work, I decided to rebuild everything as multiarch Docker images.

Rui Carmo
April 15^th 2019, in the afternoon · 1 min read

K3s - Lightweight Kubernetes ※

Another thing I’ve been tinkering with for a while–in this case since the initial release. It is still a bit broken networking-wise but shows great promise for on-premises setups, and I’m currently trying to get it to work on my ARM cluster (which relies on oubound NAT through the master node, something that gets k3s quite confused).

Rui Carmo
April 15^th 2019, in the morning · 1 min read

Carnets - Jupyter for iOS ※

I’ve been beta-testing Carnets for a few weeks now, and it works beautifully as a local Jupyter (Python 3) notebook environment on the iPad.

The project section on Nicolas’ GitHub should give you an idea of how far it’s come.

Rui Carmo
April 14^th 2019, at night · 3 min read

The Armchair Sysadmin

I’m on vacation for a week, so I naturally went to town on all the stuff I’ve been neglecting due to work–including the menagerie of miscellaneous hardware around the house (and my office too, but that will likely be a topic for another post).

Rui Carmo
April 11^th 2019, at dawn · 1 min read

Next major macOS version will split up iTunes ※

It only took Apple what, ten years between realizing this needed to happen and actually getting around to doing it?

On the other hand, given the way macOS apps are being systematically dumbed down to match their iOS counterparts, I suspect this will be a severe pain for anyone who uses iTunes to locally manage iOS devices, and will likely kill iCloud Music Library (which is the only Apple “music” cloud service I actually use).

Rui Carmo
April 10^th 2019, in the morning

Open Skies

The view from the IST Alameda Campus — A visit to my old campus to plan for the 30th anniversary of our course.

Rui Carmo
April 7^th 2019, in the evening · 4 min read

Tinkerbells

The war against failed package deliveries continues, and although it’s been almost two months since it began, it’s still a work in progress. I’ve been doing a lot more stuff (including rebuilding my home infrastructure and running some cloud benchmarks), but a recent delivery miss bumped this back to the top of the order of business, so today I spent a couple of hours tinkering with electronics.

Rui Carmo
April 5^th 2019, at late afternoon

Long Sunset

A glimpse of the sunset through some trees — A fleeting moment as I walked back to Amoreiras.

Rui Carmo
March 27^th 2019, at dinnertime · 1 min read

Th Appl MacBook Kyboad Problm ※

Brilliant. Simply brilliant. Although I’m skeptical public shaming will actually fix the problem, Apple fully deserves this kind of (very) public feedback regarding the MacBook keyboard, and then some.

Rui Carmo
March 26^th 2019, at dawn · 1 min read

Regarding the ‘Show Time’ Apple Event ※

Like Gruber, I am not especially enthusiastic about yesterday’s announcements (largely because the most interesting are, as usual, US-centric). I’m more interested in News than anything else, but that’s just the core service, not the magazines–and I am expecting to be disappointed in terms of local sources.

Apple Pay in Portugal by end of this year would be nice, but that’s as far as my expectations go.

Rui Carmo
March 24^th 2019, at teatime · 6 min read

Pixels Camp 3.0

Wow, the past three days were a blast. In case you’re just tuning in, this year I was back at Pixels Camp (along with roughly 1600 other people) wearing many hats, and we all had an amazing time. And like last year, I decided to do a litte summary of what went on from my perspective–except that this time I’m doing it a little bit earlier.

Rui Carmo
March 19^th 2019, in the afternoon · 1 min read

Microsoft @ Pixels Camp ※

I really like how the copy turned out on this one–I miss writing for events, even though it can be a grind when you’re asked to do 20 posts a week.

And it’s a great challenge too, since the MxChip AZ3166 is an awesome piece of hardware–I’ve had one since last year to tinker with, and it’s just perfect for prototyping with Azure IoT Hub, as well as a great way to get started with Arduino in general.

Rui Carmo
March 18^th 2019, at night · 1 min read

Finally, a new iPad mini ※

At long last. The mini is (for me at least) the perfect size, and the mini 4 has been my “most personal” computer ever since it came out—it is still the first device I reach for in the mornings and often the last I put aside. Pretty much everything on this site (including the source code) was drafted on it.

That pencil, though. I really hate the way it charges…

Rui Carmo
March 16^th 2019, at late afternoon · 3 min read

Meanwhile, on my end...

The past month has gone by in a blur, but until I am able to fully catch up I decided to put some useful tidbits out there, since macOS is still my preferred platform and I have a lot of personal backlog to go through–so best to space it out and get started right away: