postgres and kubernetes

I just noticed the official postgres docker images having a hard time when used in kubernetes pods in case that very kubernetes cluster is secured with pod security policies.

This took me a while to figure out. Just trying to instantiate a vanilla postgres pod would result in variations of permission denials.

So this is what needs to be done:

1. Patch the postgres container entry point to not mkdirs and chowns (especially remove the $PGDFLT shit)
2. If you actually use a persistent volume to contain the data directory, you have to use an init container to set the permissions right (UID/GID 999), like in this somewhat simplified example:

   ...
   spec:
     initContainers:
     - name: init-0
       image: busybox
       command:
       - /bin/chown
       - -R
       - '999'
       - "$PGDATA"
       volumeMounts:
       - name: persistent-volume
         mountPath: "$PGDATA"
   ...

3. If the data directory resides inside the container AUFS, choose a different location for it – especially something other than /var/something/… (as kubernetes does untimely volume initialization patterns below /var) and point $PGDATA there. Create that directory at build time and give it the proper permissions (for UID/GID 999)

 

Finally, add a security context for the pod to let the container processes run with the postgres user (which will skip the defunct user switch in the entry point)

TL;DR

 

Allright, here’s everything bound together for maximum convenience, for details check out the git repository :

apiVersion: apps/v1
kind: Deployment
metadata:
  name: db
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: postgres
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/component: postgres
    spec:
      securityContext:
        runAsUser: 999
      containers:
        - image: zerofudge/postgres:9.6
          name: db
          ports:
            - containerPort: 5432

 

Happy kubernauting!! 🙂

 

/kthxbye

Esoteric Code

Sometimes I notice how weirdly esoteric code can get when you choose proper abstractions. I just wrote this:

/**
 * will be emitted to ask for the death of an actor
 */
public final static class Decease extends Message<Void> {
    public Decease(Void nul) { super(nul); }
}

That made me chuckle…

Building Variations of Docker Images

This is no post on “best practices” on how to build or deploy customised versions of docker images. I don’t even know if this technique is advisable or not. Nevertheless, I came up with this when I was in dire need and out of time (so normal case).

The Problem

I faced the issue of having to set up an elasticsearch cluster along with all bells and whistles needed for an effective nolow-ops approach. I went with docker images which I built based on the officially provided ones. As I’m totally wild for automation, I made sure I had code for just about anything and my favourite tool to do so is gradle (of course).

At one point I decided to include extra “client” nodes (which hold no data and aren’t supposed to be ranked to master ever). As I didn’t want to spoil the nice gradle build with specialties while also abhorring anything unDRY I had to come up with some niftiness.

 

The Situation

The typical elasticsearch deployment comes also with related technologies to complement the use case. Normally there is logstash instances and a kibana host, monitoring stuff and backup, maybe an extra database or two. To ease the setup I put all resources for a specific docker image into dedicated sub folders, which would also determine the image tag.

So, having a folder like:

$base/awesome/elk/logstash/

would result in a docker image tagged like:

$registry/awesome/elk/logstash:$version

All those images would later be bound into a specific docker-compose based deployment.

All was well. Until I needed variations on that.

 

The Way Out

Build Configuration. That’s how I call it momentarily. I know.
Basically, its just a bunch of properties under an extra build (name) space. I’m bad at explaining. Maybe I come up with something better eventually.

Nevertheless, the existence of a specifically named property file in the current build context defines a variant of the very same build. So every resource is copied and filtered over using the key-value-pairs provided for the current variant.

Here is a build script dealing with that:

task build_elk(description: 'builds the ELK stack docker images') {
    doFirst {
        file("${projectDir}/etc/docker/elk").eachDir { File dir ->
            // iterate over build configs
            def cfgs = dir.listFiles().findAll {it.name =~ /build\.config/} ?: [null]

            cfgs.each { File cfg ->
                def cprops = new Properties()
                if (cfg) {
                    println ">>> Building config ${cfg.name - 'build.config.' - '.properties'}"
                    cfg?.withInputStream {cprops.load(it)}
                }

                def tag = "${registry}/${dir.name}${cprops['image_path'] ?: ''}:${AUX_IMG_VERSION}"

                copy {
                    from dir
                    into "${buildDir}/elk/$tag"
                    exclude 'build.config.**'
                    filter(ReplaceTokens, tokens: cprops)
                }

                exec {
                    workingDir "${buildDir}/elk/$tag"
                    commandLine 'docker', 'build', '--rm','--force-rm', '--no-cache', '-t', tag, '.'
                }
            }
        }
    }
}

The Way Forward

Lot’s of generification. Leveling this into the fabric of gradle itself. Maybe make a plugin. Maybe.

Development Bullshittery explained perfectly

perfectly analysed, couldn’t have said it better…
Awesome read!

[…] Sorry to say, but because of the short-sighted way in which management must think (again, likely due to the incentives provided by the larger economic environment), the integrity of your software system isn’t even on their radar. If they notice it at all, they’ll more likely see it as an obstacle to cut through rather than a constraint to respect. […]

read along behind the link

Playlisting..

My new thing is: creating playlists out of my huge music collection based on random keywords. Was kinda surprised about the athmospheric consistency created. But then, this might just be my taste of music. Anyways, this is for getting up, maybe:

Some Velvet Morning / Slowdive
Morning rise / Slowdive
Morning Star / Sea of Is
Good Morning Hypocrite / Electric President
Morning Life / Feeder
Morning Star / Fastball
Good Morning Good Morning / The Beatles
Another Morning Stoner / And You Will Know Us By The Trail Of Dead
August Morning Haze / Oneida
Till Morning Reputations / Songs: Ohia
Until The Morning Comes / Tindersticks
Cry Til The Morning / Richard Ashcroft
Good Morning Girl / The Brian Jonestown Massacre
In The Cold Light Of Morning / Placebo
Mourning This Morning / Dredg
Until The Morning / Thievery Corporation
II. Morning Breaks (And Roosters Complain) / The Apples In Stereo
in the morning / Built To Spill
Woke Up This Morning / Doug Martsch
Morning’s After Me / Lou Barlow
saturday morning / The Minders
the village in the morning / The Magnetic Fields
Good Morning Mr. Edminton / Of Montreal
Morning Rain / I Am Kloot
Scalpel Morning / The Summerlad
Industrial Morning / Guided By Voices
Butterfly Mornings / Hope Sandoval & The Warm Inventions
Wasted Early Sunday Morning / Sneaker Pimps
Good Morning / The Dandy Warhols
Velvet Morning / The Verve
Pure Morning / Placebo
Sail Of The Silver Morning / The Cotton Jones Basket Ride
By Morning Light / The Cotton Jones Basket Ride
Cool Morning Sun / Viva Voce
Monday Morning / Death Cab for Cutie
Morning After / Code Pie
Pierce the Morning Rain / Dinosaur Jr.
So Tired In The Morning / Erland & The Carnival
Morning Sun / The Wilderness of Manitoba
Faded In The Morning / Unknown Mortal Orchestra
When Sunday Morning Comes / Rogue Wave
The Sorid Light of Morning / Jessica Bailiff
Perfect Morning / Long Arm

Link

the modern developer, a sad tale

Full ACK to that!!

Link

XNA finally declared dead

this is bad news indeed, time to rush out my XBIG piece before the current console generation is left by indie lovers  

code review illustrated

via davidwalsh.name

good one!

Jetstrap – The Bootstrap Interface Builder

Meet your new favorite web tool.

Watch how easy it is to get a high fidelity, beautiful responsive web page up and running. Drag-and-drop a large set of official Bootstrap components right to your page. You’ll be pounding out awesomeness in no time.

Watch the video

via jetstrap.com

this is teh awesome! forget your wireframing, this is it! based on twitter’s bootstrap js lib

Where developers go to laugh and cry

via codecrap.com

omg, my eyes are bleeding! sad thing is, I see awful crap like that alot