jlh

joined 2 years ago
[–] jlh@lemmy.jlh.name 29 points 3 months ago

Can't have personnel costs if you get all your agents killed

[–] jlh@lemmy.jlh.name 18 points 3 months ago (1 children)

You know things are bad when they're arresting Quakers.

[–] jlh@lemmy.jlh.name 1 points 3 months ago* (last edited 3 months ago)

Kubernetes is more stable than docker compose. Docker compose is like fishing for containers after the ship has capsized. Frustrating, and nothing works out of the box.

[–] jlh@lemmy.jlh.name 3 points 3 months ago

Zed is great! Not as many features as IntelliJ, but insanely fast, and new features are being added all the time.

[–] jlh@lemmy.jlh.name 261 points 3 months ago (4 children)

Insane that GitHub blocked their entire development without discussing it with them, though. Ban the contributor, not the entire open source project.

[–] jlh@lemmy.jlh.name 2 points 3 months ago

Yeah, I think you pick up things from all over the place as a consultant. I see lots of different environments and learn from them.

Ah yeah, the external-dns operator is great! It's maybe a bit basic at times, but it's super convenient to just have A/AAAA records appear for all your LoadBalancer svcs and HTTPRoutes. Saves a ton of time.
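
For anyone who hasn't seen it, this is roughly all it takes — a minimal sketch, with a made-up hostname:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp
  annotations:
    # external-dns watches for this annotation and publishes
    # A/AAAA records pointing at the LoadBalancer address
    external-dns.alpha.kubernetes.io/hostname: myapp.example.com
spec:
  type: LoadBalancer
  selector:
    app: myapp
  ports:
    - port: 443
      targetPort: 8443
```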

That's super unfortunate that the certs are siloed off. Maybe they can give you an NS record for a subdomain so you can use ACME on it? I've seen that at some customers. Super important that all engineers have access to self-service certs, imo.

Rook is great! It definitely can be quite picky about hardware and balancing, as I've learned from trying to set it up with two nodes at home with spare HDDs and SSDs 😅 Very automated once it's all set up and you understand its needs, though. An NFS provisioner is also a good option for a StorageClass as a first step; that's what I used in my homelab from 2021 to 2023.

Here's my Rook config:
https://codeberg.org/jlh/h5b/src/branch/main/argo/external_applications/rook-ceph-helm.yaml
https://codeberg.org/jlh/h5b/src/branch/main/argo/custom_applications/rook-ceph

Up to 3 nodes and 120 TiB now, and I'm about to add 4 more nodes. I'd probably recommend just letting Rook add disks automatically instead of adding them manually; I'm only doing it by hand because I'm a bit more cautious with my homelab "pets".
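
The difference is just a few lines in the CephCluster spec — a rough sketch, with example node/device names:

```yaml
# excerpt of a Rook CephCluster spec
spec:
  storage:
    # hands-off: consume every empty disk on every node
    useAllNodes: true
    useAllDevices: true
    # cautious "pets" alternative: list nodes and devices explicitly
    # useAllNodes: false
    # useAllDevices: false
    # nodes:
    #   - name: node1
    #     devices:
    #       - name: sdb
    #       - name: nvme0n1
```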

I'm not very far along on my RHCE yet tbh 😅 Red Hat courses are a bit hard to follow 😅 But hopefully I'll make some progress before the summer.

The CKA and CKS certs are great! There are some really good courses for those on Udemy and A Cloud Guru, killer.sh has a good lab environment, and the practice exams are super useful. I definitely recommend those certs; you learn a lot, and it's a good way to demonstrate your expertise.

[–] jlh@lemmy.jlh.name 4 points 3 months ago

It's a classic anarchism-vs-centralization struggle; it happens a lot in federations historically. Sometimes you do need everyone to stop slacking off and fight off the invaders.

[–] jlh@lemmy.jlh.name 1 points 3 months ago (2 children)

Well, my point was to explain how Kubernetes simplifies devops to the point of being simpler than most Proxmox or Ansible setups. That's especially true if you have a platform/operations team managing the cluster for you.

Some details missed here: the external-dns and cert-manager operators usually handle the DNS records and certs for you in k8s; you just specify the hostname in the HTTPRoute/VirtualService and in the Certificate. For storage, Ansible probably simplifies some of this away, but LVM is likely more manual to set up and manage than pointing a PVC at a StorageClass and saying "100Gi".
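
That storage request really is the whole thing — a minimal sketch, with a made-up StorageClass name:

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
spec:
  storageClassName: rook-ceph-block  # whatever class the platform team provides
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
```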

Either way, I appreciate the discussion; it's always good to compare notes on production setups. No hard feelings even if we disagree on things. I'm a Red Hat OpenShift consultant myself these days, working on my RHCE, so maybe we'll cross paths some day in a Red Hat environment!

[–] jlh@lemmy.jlh.name 1 points 3 months ago (4 children)

On RHEL you're not using a reverse proxy, so you'll also need to make sure the ports you want are available, set up a DNS record, and set up certbot.

On k8s, I believe Istio Gateways are meant to be reused across services. You're going through a reverse proxy, so the ports are already open and there's no need for firewall-cmd. What would be wrong with the Service included in the Elasticsearch chart?
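
To show what I mean by reuse — a rough sketch, with placeholder hostnames and cert names:

```yaml
# one shared Gateway for the whole cluster...
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway        # the default ingress gateway pods
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "*.example.com"        # serves every app subdomain
      tls:
        mode: SIMPLE
        credentialName: wildcard-example-com
---
# ...and each app just attaches a VirtualService to it
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: elasticsearch
spec:
  hosts:
    - "es.example.com"
  gateways:
    - istio-system/shared-gateway
  http:
    - route:
        - destination:
            host: elasticsearch  # the chart's own Service
            port:
              number: 9200
```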

It's also worth looking at the day 2 implications.

For backups, you're looking at bespoke cron jobs to either rsync your database or clone your entire 100 GB disk image, compared to either using Velero or backing up your underlying storage.
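
A scheduled Velero backup is just a small manifest — a sketch, with an assumed namespace name:

```yaml
apiVersion: velero.io/v1
kind: Schedule
metadata:
  name: elasticsearch-nightly
  namespace: velero
spec:
  schedule: "0 2 * * *"      # every night at 02:00
  template:
    includedNamespaces:
      - elasticsearch        # example namespace
    ttl: 720h                # keep backups for 30 days
```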

For updates, you need to run system updates manually on RHEL, likely requiring a full reboot of the node, while in Kubernetes, Renovate can handle rolling updates in the background with minimal downtime. Not to mention the process required to find a new repo when RHEL 11 comes out.
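
The "minimal downtime" part is mostly just default Deployment behavior, which you can tighten with a couple of lines — an illustrative excerpt:

```yaml
# excerpt from a Deployment spec
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0   # never drop below desired capacity
      maxSurge: 1         # roll out one new pod at a time
```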

[–] jlh@lemmy.jlh.name 3 points 3 months ago (2 children)

There's much more tooling for containerd containers than there is for LXC.

[–] jlh@lemmy.jlh.name 1 points 3 months ago* (last edited 3 months ago) (1 children)

I have 33 database servers in my homelab across 11 Postgres clusters, all with automated Barman backups to S3.

Here is the entire config for the db cluster that runs my Lemmy instance

This stuff is all automated these days.
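
In case it's useful, this is the shape of it with a Postgres operator — a minimal sketch using CloudNativePG (which does its S3 backups via Barman); the names and bucket path are made up:

```yaml
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: lemmy-db
spec:
  instances: 3                   # one primary, two replicas
  storage:
    size: 50Gi
  backup:
    retentionPolicy: "30d"
    barmanObjectStore:           # Barman-driven WAL archiving + base backups
      destinationPath: s3://backups/lemmy-db   # hypothetical bucket
      s3Credentials:
        accessKeyId:
          name: s3-creds
          key: ACCESS_KEY_ID
        secretAccessKey:
          name: s3-creds
          key: SECRET_ACCESS_KEY
```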

[–] jlh@lemmy.jlh.name 1 points 3 months ago* (last edited 3 months ago) (6 children)

Yeah, I'm not saying everybody has to go and delete their infra; I just think that all new production environments should be k8s by default.

The production-scale Grafana LGTM stack only runs on Kubernetes, fwiw. Docker and VMs are not supported. I'm a bit surprised that Kubernetes wouldn't have enough availability to co-locate your general workloads and your observability stack, but it's totally fair to segment those workloads.

I've heard the argument that "Kubernetes has more moving parts" a lot, and I think that's a misunderstanding. At a base level, all computers have countless moving parts: QEMU has a lot of moving parts, containerd has a lot of moving parts. The reason people use Kubernetes is that all of those moving parts are automated and abstracted away to reduce the daily cognitive load for us operations folk.

As an example, I don't run manual updates for minor versions in my homelab. I have a k8s CronJob that runs Renovate, which goes and updates my Deployments in git, and ArgoCD automatically deploys the changes. Technically that's a lot of moving parts to use, but it saves me a lot of manual work and thinking, and turns my whole homelab into a sort of automated cloud service that I can go a month without thinking about.
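
That CronJob is less exotic than it sounds — a rough sketch, with the repo name and platform as assumptions:

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: renovate
spec:
  schedule: "0 4 * * *"                # look for updates nightly
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: renovate
              image: renovate/renovate:latest
              env:
                - name: RENOVATE_REPOSITORIES
                  value: "jlh/h5b"     # the gitops repo (example)
                - name: RENOVATE_PLATFORM
                  value: gitea         # assumption: Codeberg speaks the Gitea API
                - name: RENOVATE_TOKEN
                  valueFrom:
                    secretKeyRef:
                      name: renovate-token
                      key: token
```

Renovate opens PRs with the version bumps, and ArgoCD deploys whatever lands on main.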

I'm not sure if container break-out attacks are a reasonable concern for homelabs. See the relatively minor concern in the announcement I made as an Unraid employee last year when Leaky Vessels happened. Keep in mind that containerd uses cgroups under the hood.

Yeah, AppArmor/SELinux aren't very popular in the k8s space. I think they're easy enough to use, and there's plenty of documentation out there, but OpenShift/OKD is the only distribution that runs them out of the box.
