Add SSH Gateway instructions

c07c1389 · Frank Berghaus · 82a61b31 · c07c1389
Commit c07c1389 authored 2 years ago by Frank Berghaus
--- a/step-by-step/README.md
+++ b/step-by-step/README.md
@@ -21,6 +21,7 @@ CLUSTER_NAME="________" \
 WORKER_FLAVOR="mpcdf.large"
 NUM_WORKERS=3
 KUBERNETES_VERSION=1.26
+CLIENT_CIDR=130.183.0.0/16
 ```
 This is meant to ease the use of the instructions below. You can, of course,
 enter values in place of using the variables below.
@@ -121,8 +122,8 @@ openstack loadbalancer listener create k8s-control-plane \
    --protocol TCP \
    --protocol-port 6443 \
    --allowed-cidr 192.168.0.0/24 \
-    --allowed-cidr 130.183.0.0/16 \
+    --allowed-cidr 10.0.0.0/8 \
-    --allowed-cidr 10.0.0.0/8
+    --allowed-cidr $CLIENT_CIDR
 openstack loadbalancer pool create \
    --name k8s-control-plane-pool \
    --lb-algorithm ROUND_ROBIN \
@@ -151,6 +152,43 @@ openstack loadbalancer member create k8s-control-plane-pool \
 ### Get SSH access to your cluster
+#### Using a Gateway
+This option is simpler than using the loadbalancer, but means you require an
+additional floating IP. Setup a security group allowing SSH traffic from the
+machines you would like to connect from:
+```bash
+openstack security group create ssh-secgroup
+openstack security group rule create ssh-secgroup \
+    --dst-port 22 \
+    --protocol tcp \
+    --remote-ip $CLIENT_CIDR
+openstack port create k8s-ssh-gateway \
+    --network k8s-net \
+    --fixed-ip subnet=k8s-subnet,ip-address=192.168.0.255255 \
+    --security-group k8s-secgroup \
+    --security-group ssh-secgroup
+openstack floating ip create "${EXTERNAL_NETWORK}" \
+    --description "${CLUSTER_NAME}-gate" \
+    --port k8s-ssh-gateway
+openstack server create k8s-ssh-gateway \
+    --image "Debian 11" \
+    --flavor mpcdf.tiny \
+    --port k8s-ssh-gateway \
+    --security-group ssh-gateway-secgroup \
+    --key-name $KEYNAME
+```
+You can then connect to the gateway machine using it's floating IP. From there
+you can ssh onward to your k8s controllers and workers. If you administrate the
+Kubernetes cluster from the gateway machine you don't need to give the
+loadbalancer a floating-ip, just use the loadbalancers IP on the kubernetes
+network.
+Note that the campus firewall will not allow SSH connections from outside the
+campus networks. More information is in the [Connecting FAQ](https://docs.mpcdf
+.mpg.de/faq/connecting.html#how-can-i-log-into-the-machines-at-the-mpcdf).
 #### Using the loadbalancer
 This sets up the loadbalancer to distribute ssh traffic to the control plane
 nodes. Once you are on a control plane node you can reach the rest of the
@@ -187,6 +225,11 @@ openstack loadbalancer member create ssh-control-plane-pool \
    --address 192.168.0.6 \
    --protocol-port 22
 ```
+The timeout options in the listener are supposed to stop the loadbalancer from
+ending idle connections. This does not seem to work at the time of writing -
+meaning that idle SSH connectino will be cut after about a minute (50s). You can
+mitigate this by setting the SSH options `ServerAliveInterval` to something less
+than 50.
 ## Bootstrapping kubernetes
@@ -216,6 +259,8 @@ Wait a moment for the node to come up and run the base configuration script.
 #### Configuration
+*TL;DR:* Use the shell scripts in the root directory of this repository as guide.
 Use the provided `kubeadm.yaml` and fill in you *cluster name* and the *floating
 IP or DNS name of the load balancer*. Copy the resulting configuration to the
 control plane using scp.
@@ -329,7 +374,7 @@ curl https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/ca
    | kubectl apply -f -
 ```
-### Plug Kubernetes into OpenStack
+## Plug Kubernetes into OpenStack
 You can use the OpenStack cloud provider
 [integration](https://github.com/kubernetes/cloud-provider-openstack) to
 provision persistent storage and load balancers for external access to your
@@ -371,3 +416,26 @@ kubectl apply -f cloud-provider-openstack/manifests/controller-manager/openstack
 kubectl apply -f cloud-provider-openstack/manifests/cinder-csi-plugin
 kubectl apply -f cinder.yaml
 ```
+## Containerd root and state volumes
+Containerd has two directories where it stores `root` and `state` data, by
+default these are:
+```
+# persistent data location
+root = "/var/lib/containerd"
+# runtime state information
+state = "/run/containerd"
+```
+To avoid your operating system grinding to a halt when the root disk fills with
+container images it is wise to create volumes for both or each. Create the
+volumes, attach them to your instances, format them, mount them, and update the
+containerd configuration. Here are example command to create and attach a
+volume:
+```bash
+openstack volume create  k8s-worker-vol-1--size 50
+openstack server add volume k8s-worker-1 k8s-worker-vol-1
+```
+The output of the second command will tell you which device the (`/dev/vd?`) the
+volume is attached as.