WIP Local prometheus to graph etcd
Ability to graph etcd metrics locally to identify issues
Prometheus
scrape_configs:
- job_name: etcd
static_configs:
superseb
/ rancher-extract-selfsigned-ca.sh
Created Nov 11, 2019
Extract self signed CA certificate from Rancher
View rancher-extract-selfsigned-ca.sh
| #!/usr/bin/env bash | |
| CONTID=$(docker ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }') | |
| docker exec $CONTID kubectl get listenconfigs cli-config -o jsonpath={.caCerts} > /tmp/cacerts | |
| curl --cacert /tmp/cacerts https://localhost |
View local-prom-graph-etcd.md
View eks-in-rancher-debug.md
EKS in Rancher debug
# Configure CLUSTERID (can be found in UI)
CLUSTERID=c-tc6mc
# Get service account token, endpoint and ca certificate
docker exec $(docker ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }') kubectl -n cattle-system get secret "c-${CLUSTERID}" -o json | docker run -i oildex/jq:1.6 jq -r '.data.cluster | @base64d' | docker run -i oildex/jq:1.6 jq -r '.rootCACert | @base64d' > ca.crt
docker exec $(docker ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }') kubectl -n cattle-system get secret "c-${CLUSTERID}" -o json | docker run -i oildex/jq:1.6 jq -r '.data.cluster | @base64d' | docker run -i oildex/jq:1.6 jq -r '.serviceAccountToken' > token
docker exec $(docker ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }') kubectl -n cattle-system get secret "c-${CLUSTERID}" -o json | docker run -i oildex/jq:1.6 jq -r '.data.clust
superseb
/ test-local-etcd-kube-apiserver-etcdservers-list.sh
Last active Sep 4, 2019
Test if local etcd is first in kube-apiserver etcd-server list
View test-local-etcd-kube-apiserver-etcdservers-list.sh
| #!/bin/bash | |
| if docker inspect kube-apiserver >/dev/null 2>&1; then | |
| if docker inspect etcd >/dev/null 2>&1; then | |
| # We are running on a etcd + controlplane node | |
| API_ADVERTISE_IP=$(docker inspect kube-apiserver --format='{{range .Args}}{{.}}{{"\n"}}{{end}}' | grep advertise-address | awk -F= '{ print $2 }') | |
| API_FIRST_ETCD_IP=$(docker inspect kube-apiserver --format='{{range .Args}}{{.}}{{"\n"}}{{end}}' | grep etcd-servers | awk -F= '{ print $2 }' | awk -F',' '{ print $1 }' | sed -e 's_https://__g' | sed -e 's_:2379__g') | |
| if [ "$API_ADVERTISE_IP" != "$API_FIRST_ETCD_IP" ]; then | |
| echo "FAIL: First etcd IP ($API_FIRST_ETCD_IP) if not equal to kube-apiserver advertise IP ($API_ADVERTISE_IP)" | |
| exit 1 | |
| else |
superseb
/ intermediate-certificate-rancher.md
Last active Sep 2, 2019
Generate CA, intermediate CA and server certificate with DNS alt names using Terraform in Docker and launch Rancher
View intermediate-certificate-rancher.md
Generate CA, intermediate CA and server certificate with DNS alt names using Terraform in Docker and launch Rancher
Generate CA, intermediate CA and server certificate
docker run --rm -v $PWD/testcerts:/tmp/certs/files -e TF_VAR_ip_addresses='["127.0.0.1"]' -e TF_VAR_dns_names='["yolo.seb.local"]' superseb/intermediate
Run Rancher
View test-pleg.md
PLEG tester
A few commands to run to test what triggers PLEG.
Docker response time
When using Docker, all container statuses are compared and it needs to happen within 3 minutes. Else the following log will be shown:
superseb
/ walkthrough-suse-docker-upgrade-kube-proxy.md
Created Aug 20, 2019
Walkthrough on debugging case regarding upgrading Docker on SLES (SuSE) and kube-proxy not starting
View walkthrough-suse-docker-upgrade-kube-proxy.md
Walkthrough on debugging case regarding upgrading Docker on SLES (SuSE) and kube-proxy not starting
Brief walkthrough of steps taken to debug issue seen when Docker was upgraded on a SLES (SuSE) and kube-proxy not being started automatically after the upgrade.
Error seen was:
starting container process caused \"process_linux.go:424: container init caused \\\"process_linux.go:390: setting cgroup config for procHooks process caused \\\\\\\"failed to write a *:* rwm to devices.allow: write /sys/fs/cgroup/devices/docker/8103ad3afeece25eda0d0f7799c35ee9f7986ebf80b36d28dad4472c3542953a/devices.allow: invalid argument\\\\\\\"\\\"\": unknown"
View rancher-rke-etcd-snapshot-intro.md
Rancher/RKE etcd snapshot intro
Brief description of what is done where/how/what etc
Repositories/tools involved:
- https://github.com/rancher/rke-tools The repository containing the the source for the rke-tools image which is used for all snapshot operations. See https://github.com/rancher/rke-tools/blob/master/main.go#L36 for available flags.
- https://github.com/rancher/rke RKE has an etcd subcommand to run operations on etcd. See https://github.com/rancher/rke/blob/master/cmd/etcd.go for options
View nginx.conf
| events { | |
| worker_connections 4096; ## Default: 1024 | |
| } | |
| http { | |
| upstream kubernetes { | |
| server ip_of_controlplane_node1:6443; | |
| server ip_of_controlplane_node2:6443; | |
| server ip_of_controlplane_node3:6443; |
View kubectl-diagnostic.sh
| #!/usr/bin/env bash | |
| if [ $# -eq 0 ]; then | |
| # Check if run on controlplane node, we can use that kubeconfig | |
| if [ -f /opt/rke/etc/kubernetes/ssl/kube-controller-manager.pem ]; then | |
| KUBECTLCERT=/opt/rke/etc/kubernetes/ssl/kube-controller-manager.pem | |
| elif [ -f /etc/kubernetes/ssl/kube-controller-manager.pem ]; then | |
| KUBECTLCERT=/etc/kubernetes/ssl/kube-controller-manager.pem | |
| fi | |
| if [ -f /opt/rke/etc/kubernetes/ssl/kube-controller-manager-key.pem ]; then | |
| KUBECTLKEY=/opt/rke/etc/kubernetes/ssl/kube-controller-manager-key.pem |
NewerOlder