kubernetes &mdash; LinuxPizza https://blogs.linux.pizza/tag:kubernetes Personal notes and occasional posts - 100% human, 0% AI generated Wed, 29 Apr 2026 12:02:56 +0000 Random stuff cheat-sheet https://blogs.linux.pizza/random-stuff-cheat-sheet <![CDATA[LVM stuff WARNING: PV /dev/sda2 in VG vg0 is using an old PV header, modify the VG to update. Update the metadata with the vgck command - where the "vg0" is your own pool. vgck --updatemetadata vg0 curl stuff Curl a specific IP with a another host-header curl -H "Host: subdomain.example.com" http://172.243.6.400/ git stuff tell git.exe to use the built-in CA-store in Windows git config --global http.sslBackend schannel random stuff See which process is using a file fuser file Import RootCert into Java-keystore example sudo /usr/lib/java/jdk8u292-b10-jre/bin/keytool -import -alias some-rootcert -keystore /usr/lib/java/jdk8u292-b10-jre/lib/security/cacerts -file /usr/share/ca-certificates/extra/someRoot.crt` Apache2 configs example Enable AD-authentication for web-resources Location / AuthName "AD authentication" AuthBasicProvider ldap AuthType Basic AuthLDAPGroupAttribute member AuthLDAPGroupAttributeIsDN On AuthLDAPURL ldap://IP:389/OU=Users,OU=pizza,DC=linux,DC=pizza? sAMAccountName?sub?(objectClass=) AuthLDAPBindDN cn=tomcat7,ou=ServiceAccounts,ou=Users,OU=pizza,dc=linux,dc=pizza AuthLDAPBindPassword "exec:/bin/cat /etc/apache2/ldap-password.conf" Require ldap-group CN=somegroup,OU=Groups,OU=pizza,DC=linux,DC=pizza ProxyPass "http://localhost:5601/" ProxyPassReverse "http://localhost:5601/" /Location Insert Matomo tracking script in Apache using modsubstitute AddOutputFilterByType SUBSTITUTE text/html Substitute "s-/head-script type=\"text/javascript\"var paq = paq || [];paq.push(['trackPageView']);paq.push(['enableLinkTracking']);(function() {var u=\"https://matomo.example.com/\";paq.push(['setTrackerUrl', u+'matomo.php']);paq.push(['setSiteId', '1']);var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);})();/script/head-n" Load balance backend-servers Proxy balancer://k3singress BalancerMember http://x.x.x.1:80 BalancerMember http://x.x.x.2:80 BalancerMember http://x.x.x.3:80 BalancerMember http://x.x.x.4:80 ProxySet lbmethod=bytraffic ProxySet connectiontimeout=5 timeout=30 SetEnv force-proxy-request-1.0 1 SetEnv proxy-nokeepalive 1 /Proxy ProxyPass "/" "balancer://k3singress/" ProxyPassReverse "/" "balancer://k3singress/" ProxyVia Full ProxyRequests On ProxyPreserveHost On Basic Apache-config for PHP-FPM VirtualHost :80 ServerName www.example.com DocumentRoot /srv/www.example.com/htdocs Directory /srv/www.example.com/htdocs AllowOverride All Require all granted DirectoryIndex index.html index.htm index.php FilesMatch "\.php$" SetHandler proxy:unix:/run/php/www.example.com.sock|fcgi://localhost /FilesMatch /Directory SetEnvIf x-forwarded-proto https HTTPS=on /VirtualHost Basic PHP-fpm pool [www.example.com] user = USER group = GROUP listen = /var/run/php/$pool.sock listen.owner = www-data listen.group = www-data pm = ondemand pm.processidletimeout = 10 pm.maxchildren = 1 chdir = / phpadminvalue[sendmailpath] = /usr/sbin/sendmail -t -i -f no-reply@ftp.selea.se phpadminvalue[mail.log] = /srv/ftp.selea.se/log/mail.log phpadminvalue[openbasedir] = /srv/ftp.selea.se:/tmp phpadminvalue[memorylimit] = 64M phpadminvalue[uploadmaxfilesize] = 64M phpadminvalue[postmaxsize] = 64M phpadminvalue[maxexecutiontime] = 180 phpadminvalue[maxinputvars] = 1000 phpadminvalue[disablefunctions] = passthru,exec,shellexec,system,procopen,popen,curlexec,curlmultiexec,parseinifile,showsource,mail Netplan - use device MAC instead of /etc/machine-id for DHCP network: ethernets: eth0: dhcp4: true dhcp-identifier: mac version: 2 HPs apt repo for various utilities for proliant machines deb http://downloads.linux.hpe.com/SDR/repo/mcp buster/current non-free psql stuff CREATE DATABASE yourdbname; CREATE USER youruser WITH ENCRYPTED PASSWORD 'yourpass'; GRANT ALL PRIVILEGES ON DATABASE yourdbname TO youruser; Get entity for AD/SMB based user so you can put it in getent passwd USERNAME Nicely shutdown NetApp cluster system node autosupport invoke -node -type all -message "MAINT=48h Power Maintenance" system node halt -node -skip-lif-migration-before-shutdown true -ignore-quorum-warnings true -inhibit-takeover true Allow a process to listen on ports 0-1000 in systemd.service file [Service] AmbientCapabilities=CAPNETBINDSERVICE #linux #kubernetes #netplan #php-fpm #apache #LVM ]]> LVM stuff 
WARNING: PV /dev/sda2 in VG vg0 is using an old PV header, modify the VG to update.

Update the metadata with the vgck command – where the “vg0” is your own pool.

vgck --updatemetadata vg0

curl stuff

Curl a specific IP with a another host-header

curl -H "Host: subdomain.example.com" http://172.243.6.400/

git stuff

tell git.exe to use the built-in CA-store in Windows

git config --global http.sslBackend schannel

random stuff

See which process is using a file

fuser file

Import RootCert into Java-keystore example

sudo /usr/lib/java/jdk8u292-b10-jre/bin/keytool -import -alias some-rootcert -keystore /usr/lib/java/jdk8u292-b10-jre/lib/security/cacerts -file /usr/share/ca-certificates/extra/someRoot.crt`

Apache2 configs example

Enable AD-authentication for web-resources

<Location />
   AuthName "AD authentication"
   AuthBasicProvider ldap
   AuthType Basic
   AuthLDAPGroupAttribute member
   AuthLDAPGroupAttributeIsDN On
   AuthLDAPURL ldap://IP:389/OU=Users,OU=pizza,DC=linux,DC=pizza? 
   sAMAccountName?sub?(objectClass=*)
   AuthLDAPBindDN cn=tomcat7,ou=ServiceAccounts,ou=Users,OU=pizza,dc=linux,dc=pizza
  AuthLDAPBindPassword "exec:/bin/cat /etc/apache2/ldap-password.conf"
  Require ldap-group 
  CN=some_group,OU=Groups,OU=pizza,DC=linux,DC=pizza
  ProxyPass "http://localhost:5601/"
  ProxyPassReverse "http://localhost:5601/"

</Location>

Insert Matomo tracking script in Apache using mod_substitute

AddOutputFilterByType SUBSTITUTE text/html
Substitute "s-</head>-<script type=\"text/javascript\">var _paq = _paq || [];_paq.push(['trackPageView']);_paq.push(['enableLinkTracking']);(function() {var u=\"https://matomo.example.com/\";_paq.push(['setTrackerUrl', u+'matomo.php']);_paq.push(['setSiteId', '1']);var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);})();</script></head>-n"

Load balance backend-servers

<Proxy balancer://k3singress>
	BalancerMember http://x.x.x.1:80
	BalancerMember http://x.x.x.2:80
	BalancerMember http://x.x.x.3:80
	BalancerMember http://x.x.x.4:80
	ProxySet lbmethod=bytraffic
	ProxySet connectiontimeout=5 timeout=30
	SetEnv force-proxy-request-1.0 1
	SetEnv proxy-nokeepalive 1
</Proxy>
       ProxyPass "/" "balancer://k3singress/"
       ProxyPassReverse "/" "balancer://k3singress/"
       ProxyVia Full
       ProxyRequests On
       ProxyPreserveHost On

Basic Apache-config for PHP-FPM

<VirtualHost *:80>
  ServerName www.example.com
  DocumentRoot /srv/www.example.com/htdocs
  <Directory /srv/www.example.com/htdocs>
    AllowOverride All
    Require all granted
    DirectoryIndex index.html index.htm index.php
    <FilesMatch "\.php$">
      SetHandler proxy:unix:/run/php/www.example.com.sock|fcgi://localhost
    </FilesMatch>
  </Directory>
  SetEnvIf x-forwarded-proto https HTTPS=on
</VirtualHost>

Basic PHP-fpm pool

[www.example.com]
user = USER
group = GROUP

listen = /var/run/php/$pool.sock

listen.owner = www-data
listen.group = www-data

pm = ondemand
pm.process_idle_timeout = 10
pm.max_children = 1

chdir = /

php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f no-reply@ftp.selea.se
php_admin_value[mail.log] = /srv/ftp.selea.se/log/mail.log
php_admin_value[open_basedir] = /srv/ftp.selea.se:/tmp
php_admin_value[memory_limit] = 64M
php_admin_value[upload_max_filesize] = 64M
php_admin_value[post_max_size] = 64M
php_admin_value[max_execution_time] = 180
php_admin_value[max_input_vars] = 1000

php_admin_value[disable_functions] = passthru,exec,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,mail

Netplan – use device MAC instead of /etc/machine-id for DHCP

network:
  ethernets:
    eth0:
      dhcp4: true
      dhcp-identifier: mac
  version: 2

HPs apt repo for various utilities for proliant machines

deb http://downloads.linux.hpe.com/SDR/repo/mcp buster/current non-free

psql stuff

CREATE DATABASE yourdbname;
CREATE USER youruser WITH ENCRYPTED PASSWORD 'yourpass';
GRANT ALL PRIVILEGES ON DATABASE yourdbname TO youruser;

Get entity for AD/SMB based user so you can put it in /etc/passwd:

getent passwd USERNAME

Nicely shutdown NetApp cluster

system node autosupport invoke -node * -type all -message "MAINT=48h Power Maintenance"
system node halt -node * -skip-lif-migration-before-shutdown true -ignore-quorum-warnings true -inhibit-takeover true

Allow a process to listen on ports 0-1000 in systemd.service file

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE

#linux #kubernetes #netplan #php-fpm #apache #LVM

]]> https://blogs.linux.pizza/random-stuff-cheat-sheet Fri, 30 Jun 2023 07:53:42 +0000 Kubectl cheat-sheet https://blogs.linux.pizza/kubectl-cheat-sheet <![CDATA[## Just some random #kubectl commands for myself. I have tested these on 1.20 1.25 Get all ingress logs (if your ingress is nginx) kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx Get all logs from Deployment kubectl logs deployment/deployment -n namespace --watch Why is the pod stuck in "ContainerCreating"? kubectl get events --sort-by=.metadata.creationTimestamp --watch Restart your deployment, nice and clean kubectl rollout restart deployment/deployment -n namespace Check which namespaces are using the most disk space kubectl get namespace --no-headers | xargs -I {} sh -c 'echo {}; kubectl get pods -n {} --no-headers | xargs -I {} sh -c "kubectl logs {} -n {} | wc -c"' | awk '{print $1" "($2/1024/1024)" MB"}' | sort -k2 -n -r | head Check if any pods are using a lot of disk space kubectl get pods --all-namespaces -o json | jq '.items[].spec.containers[].resources.requests.storage' | grep -v null Check the Kubernetes event logs for any disk-related errors kubectl get events --field-selector involvedObject.kind=Node,reason=OutOfDisk I'll add more when I find more usefull stuff #linux #k8s #kubernetes #kubectl #ingress #nginx #deployment #logs]]> Just some random #kubectl commands for myself. I have tested these on 1.20 <> 1.25

Get all ingress logs (if your ingress is nginx)

kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx

Get all logs from Deployment

kubectl logs deployment/<deployment> -n <namespace> --watch

Why is the pod stuck in “ContainerCreating”?

kubectl get events --sort-by=.metadata.creationTimestamp --watch

Restart your deployment, nice and clean

kubectl rollout restart deployment/<deployment> -n <namespace>

Check which namespaces are using the most disk space

kubectl get namespace --no-headers | xargs -I {} sh -c 'echo {}; kubectl get pods -n {} --no-headers | xargs -I {} sh -c "kubectl logs {} -n {} | wc -c"' | awk '{print $1" "($2/1024/1024)" MB"}' | sort -k2 -n -r | head

Check if any pods are using a lot of disk space

kubectl get pods --all-namespaces -o json | jq '.items[].spec.containers[].resources.requests.storage' | grep -v null

kubectl get events --field-selector involvedObject.kind=Node,reason=OutOfDisk

I'll add more when I find more usefull stuff

#linux #k8s #kubernetes #kubectl #ingress #nginx #deployment #logs

]]> https://blogs.linux.pizza/kubectl-cheat-sheet Tue, 28 Feb 2023 08:04:47 +0000 Creating a PV and PVC on NFS for K8s https://blogs.linux.pizza/creating-a-pv-and-pvc-on-nfs-for-k8s <![CDATA[Took myself ages to figure this out, so I am noting this down for my future self. Just a note - this is not the indented workflow, but rather a "getting started with kubernetes" step. First, we need to add NFS as a storage class: apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: managed-nfs-storage provisioner: k8s-sigs.io/nfs-subdir-external-provisioner # or choose another name, must match deployment's env PROVISIONERNAME' parameters: archiveOnDelete: "false" Then, we can add the actual storage: kind: PersistentVolume apiVersion: v1 metadata: name: nfs-persistentvolume spec: capacity: storage: 1Gi accessModes: ReadWriteMany storageClassName: "nfs" # Empty string must be explicitly set otherwise default StorageClass will be set / or custom storageClassName name nfs: path: "/path/to/share" server: "xxx.xxx.xxx.xxx" readOnly: false claimRef: name: nfs-persistentvolumeclaim namespace: default --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: nfs-persistentvolumeclaim namespace: default spec: accessModes: ReadWriteMany resources: requests: storage: 1Gi storageClassName: "nfs" # Empty string must be explicitly set otherwise default StorageClass will be set / or custom storageClassName name volumeName: nfs-persistentvolume Hope this helps Bonus - run a Minecraft Bedrock inside K8S using your newly created PVC as storage apiVersion: apps/v1 kind: Deployment metadata: name: mc-bedrock labels: app: mc-bedrock spec: replicas: 1 template: metadata: name: mc-bedrock labels: app: mc-bedrock spec: containers: name: mc-bedrock image: itzg/minecraft-bedrock-server imagePullPolicy: Always resources: requests: cpu: 500m memory: 4Gi env: name: EULA value: "TRUE" name: GAMEMODE value: survival name: DIFFICULTY value: normal name: WHITELIST value: "false" name: ONLINEMODE value: "true" name: ALLOWCHEATS value: "true" volumeMounts: mountPath: /data name: data volumes: name: data persistentVolumeClaim: claimName: nfs-persistentvolumeclaim selector: matchLabels: app: mc-bedrock --- apiVersion: v1 kind: Service metadata: name: mc-bedrock labels: app: mc-bedrock spec: selector: app: mc-bedrock ports: port: 19132 protocol: UDP type: LoadBalancer Get the IP assigned for the service kubectl get service mc-bedrock -o jsonpath='{.status.loadBalancer.ingress[0].ip}' Restart the pods in the deployment kubectl logs -f deployment/mc-bedrock #linux #k8s #kubernetes #pvc #pv #minecraft]]> Took myself ages to figure this out, so I am noting this down for my future self. Just a note – this is not the indented workflow, but rather a “getting started with kubernetes” step.

First, we need to add NFS as a storage class:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: managed-nfs-storage
provisioner: k8s-sigs.io/nfs-subdir-external-provisioner # or choose another name, must match deployment's env PROVISIONER_NAME'
parameters:
  archiveOnDelete: "false"

Then, we can add the actual storage:

kind: PersistentVolume
apiVersion: v1
metadata:
  name: nfs-persistentvolume
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  storageClassName: "nfs" # Empty string must be explicitly set otherwise default StorageClass will be set / or custom storageClassName name
  nfs:
    path: "/path/to/share"
    server: "xxx.xxx.xxx.xxx"
    readOnly: false
  claimRef:
    name: nfs-persistentvolumeclaim
    namespace: default
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-persistentvolumeclaim
  namespace: default
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: "nfs" # Empty string must be explicitly set otherwise default StorageClass will be set / or custom storageClassName name
  volumeName: nfs-persistentvolume

Hope this helps

Bonus – run a Minecraft Bedrock inside K8S using your newly created PVC as storage

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mc-bedrock
  labels:
    app: mc-bedrock
spec:
  replicas: 1
  template:
    metadata:
      name: mc-bedrock
      labels:
        app: mc-bedrock
    spec:
      containers:
        - name: mc-bedrock
          image: itzg/minecraft-bedrock-server
          imagePullPolicy: Always
          resources:
            requests:
              cpu: 500m
              memory: 4Gi
          env:
            - name: EULA
              value: "TRUE"
            - name: GAMEMODE
              value: survival
            - name: DIFFICULTY
              value: normal
            - name: WHITE_LIST
              value: "false"
            - name: ONLINE_MODE
              value: "true"
            - name: ALLOW_CHEATS
              value: "true"
          volumeMounts:
            - mountPath: /data
              name: data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: nfs-persistentvolumeclaim
  selector:
    matchLabels:
      app: mc-bedrock
---
apiVersion: v1
kind: Service
metadata:
  name: mc-bedrock
  labels:
    app: mc-bedrock
spec:
  selector:
    app: mc-bedrock
  ports:
    - port: 19132
      protocol: UDP
  type: LoadBalancer

Get the IP assigned for the service

kubectl get service mc-bedrock -o jsonpath='{.status.loadBalancer.ingress[0].ip}'

Restart the pods in the deployment

kubectl logs -f deployment/mc-bedrock

#linux #k8s #kubernetes #pvc #pv #minecraft

]]> https://blogs.linux.pizza/creating-a-pv-and-pvc-on-nfs-for-k8s Tue, 06 Jul 2021 14:18:39 +0000