Sebastiaan van Steenis superseb

  • Qdrant
  • Netherlands
@superseb
superseb / test-local-etcd-kube-apiserver-etcdservers-list.sh
Last active September 4, 2019 17:00
Test if local etcd is first in kube-apiserver etcd-server list
#!/bin/bash
if docker inspect kube-apiserver >/dev/null 2>&1; then
if docker inspect etcd >/dev/null 2>&1; then
# We are running on an etcd + controlplane node
API_ADVERTISE_IP=$(docker inspect kube-apiserver --format='{{range .Args}}{{.}}{{"\n"}}{{end}}' | grep advertise-address | awk -F= '{ print $2 }')
API_FIRST_ETCD_IP=$(docker inspect kube-apiserver --format='{{range .Args}}{{.}}{{"\n"}}{{end}}' | grep etcd-servers | awk -F= '{ print $2 }' | awk -F',' '{ print $1 }' | sed -e 's_https://__g' | sed -e 's_:2379__g')
if [ "$API_ADVERTISE_IP" != "$API_FIRST_ETCD_IP" ]; then
echo "FAIL: First etcd IP ($API_FIRST_ETCD_IP) is not equal to kube-apiserver advertise IP ($API_ADVERTISE_IP)"
exit 1
else
@superseb
superseb / intermediate-certificate-rancher.md
Last active October 26, 2020 14:15
Generate CA, intermediate CA and server certificate with DNS alt names using Terraform in Docker and launch Rancher

Generate CA, intermediate CA and server certificate

docker run --rm -v $PWD/testcerts:/tmp/certs/files -e TF_VAR_ip_addresses='["127.0.0.1"]' -e TF_VAR_dns_names='["yolo.seb.local"]' superseb/intermediate

Run Rancher

@superseb
superseb / test-pleg.md
Last active May 5, 2020 01:29
PLEG tester

A few commands to run to test what triggers PLEG.

Docker response time

When using Docker, all container statuses are compared, and this needs to happen within 3 minutes; otherwise the following log will be shown:

@superseb
superseb / walkthrough-suse-docker-upgrade-kube-proxy.md
Created August 20, 2019 10:11
Walkthrough on debugging case regarding upgrading Docker on SLES (SuSE) and kube-proxy not starting

Brief walkthrough of the steps taken to debug an issue seen when Docker was upgraded on SLES (SuSE) and kube-proxy was not started automatically after the upgrade.

Error seen was:

starting container process caused \"process_linux.go:424: container init caused \\\"process_linux.go:390: setting cgroup config for procHooks process caused \\\\\\\"failed to write a *:* rwm to devices.allow: write /sys/fs/cgroup/devices/docker/8103ad3afeece25eda0d0f7799c35ee9f7986ebf80b36d28dad4472c3542953a/devices.allow: invalid argument\\\\\\\"\\\"\": unknown"
@superseb
superseb / rancher-rke-etcd-snapshot-intro.md
Created August 20, 2019 09:20
Rancher/RKE etcd snapshot intro

Brief description of what is done where/how/what etc

Repositories/tools involved:

@superseb
superseb / nginx.conf
Created August 14, 2019 09:41
Authorized Cluster Endpoint NGINX example
events {
worker_connections 4096; ## Default: 1024
}
http {
upstream kubernetes {
server ip_of_controlplane_node1:6443;
server ip_of_controlplane_node2:6443;
server ip_of_controlplane_node3:6443;
@superseb
superseb / kubectl-diagnostic.sh
Last active September 10, 2021 21:35
kubectl cluster diagnostic
#!/usr/bin/env bash
if [ $# -eq 0 ]; then
# Check if run on controlplane node, we can use that kubeconfig
if [ -f /opt/rke/etc/kubernetes/ssl/kube-controller-manager.pem ]; then
KUBECTLCERT=/opt/rke/etc/kubernetes/ssl/kube-controller-manager.pem
elif [ -f /etc/kubernetes/ssl/kube-controller-manager.pem ]; then
KUBECTLCERT=/etc/kubernetes/ssl/kube-controller-manager.pem
fi
if [ -f /opt/rke/etc/kubernetes/ssl/kube-controller-manager-key.pem ]; then
KUBECTLKEY=/opt/rke/etc/kubernetes/ssl/kube-controller-manager-key.pem
@superseb
superseb / static-cacerts-rancher2.sh
Last active July 23, 2019 11:12
Configure wrong cacerts in Rancher 2 to simulate failure
# This script puts a static CA certificate which invalidates any certificate connections to Rancher
# Used for testing only
# Static CA certificate
CACERTS="-----BEGIN CERTIFICATE-----\nMIIDLzCCAhegAwIBAgIJAPRzXYsKEAGmMA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNV\nBAMMDk15IG93biByb290IENBMB4XDTE5MDcyMTEyMDU1N1oXDTI5MDcxODEyMDU1\nN1owGTEXMBUGA1UEAwwOTXkgb3duIHJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQDi1EiWf8mpCx/z+xA92efHcn1V12/Lv2le82mlvxX8kRL1\n8KZKw95K6TL3iAUT+p2fPPd3Gq33uXhqwlJN2Mrg4Qi0vH0bX/wN38uoY4lGXYhz\nHD8XwrurG32sHLHYrDyJIxZGrerZu0RoQ3sNxKKzkPf4wi3fYByVkXXkfmeSngEM\n2rTBMei6KPBlRxyzL1DAu0Hs3EzmKE65+Z3FgH75z1NUzZNtUcjZNt5ZSFx2/OuX\n059EVu+wlylbJ9iXMXUCcyr1UeWzPlivkktc37sX8IlQIfoi4PB05j7o+y80YmjD\nOdThuYRIJIuXxl1I4wE2lUbVP5GQk3vTGfUHtPmpAgMBAAGjejB4MB0GA1UdDgQW\nBBRcmI0PcldXvOSdYN6kJuB2pLkYWDBJBgNVHSMEQjBAgBRcmI0PcldXvOSdYN6k\nJuB2pLkYWKEdpBswGTEXMBUGA1UEAwwOTXkgb3duIHJvb3QgQ0GCCQD0c12LChAB\npjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBWJBHgsLwrrz2XOCbr\nsUCuzJWskW5W8c3hRieGptRnFoF//M/WmcvX9W/eBHg1l
@superseb
superseb / retrieve-clusterrkestate-from-rke-v02x-cluster.md
Last active June 7, 2020 03:29
Retrieve cluster.rkestate from RKE v0.2.x cluster

Run preferably on controlplane nodes; saves the state in cluster.rkestate.

docker run --rm --net=host -v $(docker inspect kubelet --format '{{ range .Mounts }}{{ if eq .Destination "/etc/kubernetes" }}{{ .Source }}{{ end }}{{ end }}')/ssl:/etc/kubernetes/ssl:ro --entrypoint bash $(docker inspect $(docker images -q --filter=label=org.label-schema.vcs-url=https://github.com/rancher/hyperkube.git) --format='{{index .RepoTags 0}}' | tail -1) -c 'kubectl --kubeconfig /etc/kubernetes/ssl/kubecfg-kube-node.yaml -n kube-system get configmap full-cluster-state -o json | jq -r .data.\"full-cluster-state\" | jq -r .' > cluster.rkestate
@superseb
superseb / retrieve-fullclusterstate-etcd.md
Last active November 12, 2020 19:21
Retrieve full-cluster-state from etcd directly

etcdctl

docker exec -e ETCDCTL_ENDPOINTS=$(docker exec etcd /bin/sh -c "etcdctl member list | cut -d, -f5 | sed -e 's/ //g' | paste -sd ','") etcd etcdctl get /registry/configmaps/kube-system/full-cluster-state | tail -n1 | tr -c '[:print:]\t\r\n' '[ *]' | sed 's/^.*{"desiredState/{"desiredState/'  | docker run -i oildex/jq:1.6 jq -r . > cluster.rkestate 2>/dev/null

curl