Migration from k3os to openSUSE MicroOS #35
Comments
mysticaltech
changed the title
|
@sysrich I saw your article here https://rootco.de/2020-12-09-microos-pi-network-monitor/. I know it does not explain how to run MicroOS on Hetzner, but it says that Hetzner has included the ISO, unfortunately running
Last but not least, if you have done this before or have any user-data example or general guidance, it would be very much appreciated. Am trying you move away from k3os as soon as possible, and I know that MicroOS is a much better solution (thanks to your hard work in part I would imagine)! 🙏 |
|
Watching for your progress, thanks for sharing! I also stuck with k3os and my bare metal setup. Seeking for similar functionality from another os. |
|
About installing MicroOS on Hetzner, did you see https://github.com/balta3/hetzner-microos? It could give some useful hints in the direction of an automated install ok MicroOS on hetzner.cloud |
|
Thanks, @mnencia, yes, thanks for sharing, I saw it too. It is interesting. But that method seems simpler https://major.io/2021/08/20/deploy-fedora-coreos-in-hetzner-cloud/. I believe OpenSuse MicroOS inspired itself a good deal from Fedora CoreOS, as it even supports "ignition", maybe it even shares some code, so that method should work! 🤞 Will keep you folks posted, ASAP. Hopefully this week. |
|
Folks, recap on the advances. Both methods above have failed.
However, the good news is that MicroOS has images already loaded with k3s, so we have this option https://downloadcontent.opensuse.org/tumbleweed/appliances/iso/openSUSE-MicroOS.x86_64-k3s-SelfInstall.iso For now, attempts to install it via kexec on the rescue env have failed, because of space limitations. Even when I load it on volumes. But there are still things to try and I have already requested Hetzner support to add it to their list of ISO (as a plan B), hopefully, they'll do so. Let's see! 🤞 If you can think of something, do not hesitate! |
I think that's by purpose. You can mark the filesystem as rw by running |
|
Oh wow, will try ASAP @mnencia! 🙏 |
|
I tried it, but Ignition does not read the configuration, probably because the partition is not labeled "ignition". What about trying to use cloud-init? It should not require modifying the image, but only defining the right user-data content. |
|
Awesome! Did you create a folder in That's the format of mine for instance: Also, with the Hetzner console, you can basically "plug a virtual monitor in the server' and see the boot process, which will tell you if the ignition is picked up or not, or what are the errors generated. If it goes too fast, just use screen recording software.
|
|
Also, if you are going to retry, do not forget to resize the Last but not least, this image is probably best, because it has k3s installed in it already, we just need to see how it's done and how it updates, with transactional updates too or not. If it uses transactional updates then great, if not we can just install the k3s tumbleweed package in the vanilla MicroOS (above), and have it update in a transactional manner along with other OS updates. Source: https://mirrorcache.opensuse.org/tumbleweed/appliances/ |
|
@mnencia About cloud-init, it could work and is worth a shot too. My initial attempts failed, but I did not try everything. About ignition, another thing worth a shot is creating |
|
Creating |
|
The docs are not great, but https://en.opensuse.org/Portal:MicroOS/Design reveals the proper ignition location! The above should work 🤞 |
|
I tried putting it under |
|
As documented here:
https://en.opensuse.org/Portal:MicroOS/Ignition
The only valid location for an ignition configuration is a seperate storage
device with a volume name of ignition and a subdirectory named ignition
…On Fri 4. Feb 2022 at 11:43, Marco Nenciarini ***@***.***> wrote:
I tried putting it under /boot/writable, mounted with the command mount
-o subvol=/@/boot/writable /dev/sda4 /mnt, but it doesn't work anyway.
Probably there is some subtle requirement that is missing.
—
Reply to this email directly, view it on GitHub
<#35 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAJENIDMI73FRHOO7SZSPXLUZOUT7ANCNFSM5NFVEL2A>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Thank you @sysrich, really appreciate the guidance! 🙏 I obviously had completely missed that! 🤦 Will attempt it with an attached volume. @mnencia If you are going to try this before me, just wanted to share this new finding of mine, the
|
|
If it's possible to resize the btrfs filesystem ourselves from hetzners rescue system, we could maybe just add a small, labeled partition at the end? That one wouldn't require an external volume. Going to test that :) |
|
I think the Looking in the system and initrd content it looks like there is no ignition handling code running in the SelfInstall flavor. |
|
I've tried with the volume and MicroOS based on Leap 15.3 (Experimental) and it works |
|
@mnencia Great find, and well done. If we can find the Default raw image for MicroOS based on Tumbleweed that works, that's it! Maybe the ignition logic for these is located somewhere else? And does not support volumes. @phaer Please let us know if you try with partioniong and it works with the k3s self install image, it would be ideal! Just FYI folks, when I ran Also, I believe it's important to rezize the btrfs to |
|
Hi, my approach did not work with the k3s self install image, but it did work with the one based on leap 15.3, as recommended by @mnencia. I did not yet succeed to install k3s on this, as the default repo seems unavailable after boot. Here's the terraform snippet I used to provision my test server. provisioner "remote-exec" {
inline = [
"set -ex",
"gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284",
"export MIRROR_URL='https://download.opensuse.org/repositories/openSUSE:/Leap:/Micro:/5.1/images'",
"export IMAGE_NAME='openSUSE-Leap-Micro.x86_64-Default.raw.xz'",
"export IMAGE_URL=$MIRROR_URL/$IMAGE_NAME",
"curl --progress-bar -L -o $IMAGE_NAME $IMAGE_URL",
"curl --progress-bar -L -o $IMAGE_NAME.sha256 $IMAGE_URL.sha256",
"curl --progress-bar -L -o $IMAGE_NAME.sha256.asc $IMAGE_URL.sha256.asc",
"gpg --verify $IMAGE_NAME.sha256.asc",
"sha256sum -c $IMAGE_NAME.sha256",
"cat $IMAGE_NAME | xz -d | dd of=/dev/sda status=progress",
"sgdisk -e /dev/sda",
"partprobe /dev/sda",
"parted -s /dev/sda resizepart 3 99%",
"parted -s /dev/sda mkpart primary ext2 99% 100%",
"mount /dev/sda3 /mnt/ && btrfs filesystem resize max /mnt && umount /mnt",
"mke2fs -L ignition /dev/sda4",
"mount /dev/sda4 /mnt",
"mkdir /mnt/ignition",
"cp /root/config.ign /mnt/ignition/config.ign",
"umount /mnt",
"shutdown -r +1",
"sleep 1",
"exit 0"
]
|
|
This works and the resulting system is executing ignition |
|
Wonderful! You made my day @mnencia! :-) Well done everyone. Now serious business can begin! |
|
Now the next steps are very clear:
I will definitely look at this as soon as I can but if you continue the work, please do not hesitate to share your success and failures, so we advance faster! The last step will be to configure the cluster with kured for automatic safe rebooting after upgrades, and also |
|
This list of commands works for me. I had to remove the gpg and sha256sum verification because they do not match. |
|
Beautiful! Yes, image verification is not a big issue for now. |
Interesting, I had the same problem when I tried that image, but just failed to reproduce it. Could be that those keys were just updated, or maybe there's inconsistent state between mirrors and we got different redirects. @mnencia Could you try if verification works if you use the following mirror for all 3 files (qcow, sha256sum, gpg signature)? If so, I would report that issue upstream. It is of course most important to get it to work at all, so great that it works without verification as a first step! 🎉 |
|
More good news team, someone was kind enough to reply and explain how to do this! 🍾
|
|
So this is the proper package to work with: https://build.opensuse.org/package/show/devel:kubic/k3s |
|
Was able to execute some of the commands, it re-packaged v1.23.3+k3s1, but the test build failed on my machine. Some weird errors, about failed DNS requests to proxy.golang.com (see screenshot). Tried to disable the proxy, was not successful yet. I suspect, that my environment itself must not be compatible, as I am on Fedora, and ideally, that build process is tuned for Tumbleweed machines. So maybe will try from a live openSUSE USB at some point. Anyways, there is a path forward to try to speed up releases, now we know what the flow is, and how to submit upgrade requests ourselves.
|
|
About Node upgrades, one came through, and the Have replaced the image with the one from openSUSE as initially suggested by @mnencia, this one
|
|
Something else we need to fix is SSH hardening. It seems that password auth is still active. And the ports that are hit, do not make sense to me, as those are supposed to be blocked by the firewall, just checked.
|
|
This is what happened on my control node: It looks like it is trying to execute That's weird as https://github.com/weaveworks/kured/blob/main/cmd/kured/main.go#L666 should correctly split it in subparts. |
|
The |
|
If you put quote around the command you get a similar error |
|
Can't contribute anything to the reboot command atm, but
Disabling password auth would definitely be a good idea. But those ports seem harmless. The logged ones are source ports, so the first log line means that 221.131.165.75 is connecting from port 56702 to our local port 22 (implicitly, because thats the only one our sshd listens to. |
|
@mnencia Good news, the
|
|
Just pushed created a new |
|
However, it rendered, my control-plane unaccessible. So I guess, Kured in more for worker nodes, also saw that in the docs yesterday. I will comb the k3s logs for more details.
|
|
@phaer About the SSH ports, thanks for explaining! Definitely we can remove password auth through ignition normally. |
|
FYI, when my first_control_plane stopped "correctly" it seems, to reboot. Accessing these logs through
|
|
And then, there is this error again and again! And also tried to re-run k3s-sever without the
|
|
My guess is that we first ban control-plane nodes from |
|
If we exhaust all avenues, maybe we could go back to https://github.com/rancher/system-upgrade-controller, like used in k3os! |
|
I found the initial issue with the restart command. Once you say it you cannot believe you missed it until then: diff --git a/kured/patch.yaml b/kured/patch.yaml
index bfec414..bf72a0c 100644
--- a/kured/patch.yaml
+++ b/kured/patch.yaml
@@ -17,4 +17,4 @@ spec:
- name: kured
command:
- /usr/bin/kured
- - --reboot-command="/usr/bin/systemctl reboot"
+ - --reboot-command=/usr/bin/systemctl rebootIn pr #51 |
|
Regarding the restart of control-plane nodes, the main issue here is the fact that there are only two nodes. Etcd does not work well with only two nodes because if one restart the other loses the quorum anyway, so the cluster is unusable until the restarted node works again. There are also other issues:
|
|
I have a cluster with 3 masters, let's see how it reacts to the restart. |
|
Perfect! Thanks for the explanations. |
|
Thanks for all that work on upgrades! Shall we consider to split the different topics in this thread (k3s packaging, ssh hardening and reboot-on-upgrades atm) into different issues? We could also use GitHubs project feature to keep discussion a bit more browseable. Another question I'd like to discuss is: Are there still benefits in using k3s? As we are using MicroOS, kubic with kubeadm seems to be comparable in setup complexity and according to k3s README the differences don't seem to big these days? |
|
Great suggestions @phaer! Was thinking along the same lines. Probably we need to close this issue and move on to other ones, as it's +100 comments long 😅 About projects on Github, I've never used those, but would be very curious to try, let me know what you think both. About Kubic, it's heavyweight because of kubeadm, and even the Kubic team seems to be exploring k3s, as a lightweight Kubernetes option, see https://build.opensuse.org/package/show/devel:kubic/k3s. Last but not least, as you know, the Rancher folks just joined SUSE and they are the core maintainers of k3s, especially Darren Sheppard, the "inventor" of k3s, who is now SUSE's Chief Architect! And yesterday have managed to inform him about our woes with the infrequent k3s version upgrades released via the "openSUSE Factory" channel. See here. So Kubic with kubeadm is definitely a plan B, but perhaps let's just give k3s another chance. As the upgrades, for instance, are a lot simpler! Just replace the binary... For kubeadm, oh my! |
|
This was just merged into master! |
Recently Rancher, the creators of k3s and k3os has been bought by SUSE. And in doing so, they've dropped official support for k3os (k3s on the other hand is thriving and has been separated from Rancher).
I went on to contact Jacob Blain Christen, the lead maintainer of k3os, and he told me that he'll continue to do releases on the weekends and that the project could live on if the community maintained it.
However, that is not a stable backing for this project, so I made my own research and concluded that OpenSuse MicroOS, has HUGE backing has it piggybacks on Tumbleweed, a major OpenSuse distro, and has stable and automated transactional updates, as such it's now the best OS to replace k3os.
The text was updated successfully, but these errors were encountered: