Falco pod initcontainer is not working. curl: (22) The requested URL returned error: 404 - ebpf

I am trying to install Falco on my Kubernetes cluster with the Helm chart. I am deploying it as a DaemonSet and using eBPF, but I am getting an error on my init containers. What should I do?
This is my values yaml

You are getting this error message due to not having the kernel headers installed so the eBPF driver can be compiled.
Before compiling the eBPF driver, the loader script tries to download it from https://download.falco.org, but it doesn't find it because the Oracle Linux distribution is not officially supported (it is not offered as a prebuilt driver, to be more precise).
The quickest solution would be to install the Kernel Drivers on each Kubernetes node, so Falco can compile the driver the next time it tries to start.
It is also possible to use the project Driverkit to build Falco drivers on your own (as the Falco project does) and make them available somewhere else, but then you'd need to pass the URL for the driver to the Helm Chart. This avoids polluting the system with packages you'd need only once.
You are also welcome to contribute to the project by adding support for the Oracle Linux distribution, which is relatively simple since it is quite similar to the Red Hat distribution. Once it is supported, the drivers will be available to anyone using the same kernel/distribution.
For further information, you can visit the Falco Slack channel and ask for help there, or ping anyone in the community.
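A preflight check for the situation the answer describes, where no prebuilt driver exists and the loader has to compile one against the node's kernel headers. This is an added example, not part of the original answer and not Falco project code; the header paths it checks are the conventional distribution locations, and the `NODE_ROOT` variable name is an assumption of this example.

```shell
#!/bin/sh
# Added example (not Falco code): report whether kernel headers for a given
# kernel release are present, so a driver build on the node can succeed.

# headers_dir ROOT KREL
# Prints the first usable header tree under ROOT for kernel release KREL.
# Returns 1 if none is found.
headers_dir() {
    root=$1
    krel=$2
    # /lib/modules/<krel>/build is usually an absolute symlink. When the node's
    # filesystem is mounted under ROOT inside a container, that link resolves
    # against the container instead, so the real trees are checked as well.
    for d in \
        "$root/lib/modules/$krel/build" \
        "$root/usr/src/kernels/$krel" \
        "$root/usr/src/linux-headers-$krel"
    do
        # A usable tree has at least a top-level Makefile.
        if [ -f "$d/Makefile" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# driver_build_status ROOT KREL
# Prints "headers-present" or "headers-missing".
driver_build_status() {
    if headers_dir "$1" "$2" >/dev/null; then
        echo "headers-present"
    else
        echo "headers-missing"
    fi
}

# Check the running kernel. NODE_ROOT (hypothetical name) is empty on the node
# itself, or the mount point of the node's root filesystem inside a container.
driver_build_status "${NODE_ROOT:-}" "$(uname -r)"
```

A result of `headers-missing` on a node means a local driver build cannot succeed there until the headers package matching that kernel release is installed.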

Related

ERROR: (gcloud.app.deploy) Error Response: [9] Flex operation projects/.../regions/us-central1/operations/... error [FAILED_PRECONDITION]

I'm pretty new on Google Cloud, and I just wanted to deploy my first streamlit webapp. I'm on Windows in command line. I already did the Google Cloud "Hello World" Example, which worked without any error.
When I deploy the streamlit webapp, I got after 3-4 minutes waiting "Updating Server" the following error:
ERROR: (gcloud.app.deploy) Error Response: [9] Flex operation projects/XXXX/regions/us-central1/operations/f0c89d22-2d09-410d-bf99-fc49ad337800 error [FAILED_PRECONDITION]: An internal error occurred while processing task /app-engine-flex/flex_await_healthy/flex_await_healthy>2021-05-27T06:13:50.278Z10796.jc.0: 2021-05-27 06:15:32.787 An update to the [server] config option section was detected. To have these changes be reflected, please restart streamlit.
That's my app.yaml file:
service: default
runtime: custom
env: flex
manual_scaling:
  instances: 1
resources:
  cpu: 1
  memory_gb: 0.5
  disk_size_gb: 10
Posting my comment as an answer for better visibility and to summarize.
In this particular case, the error was caused by a mistake in the Dockerfile.
Here are some steps you can follow to fix or narrow down the error:
Try to deploy a test app to see the differences in configuration. Example.
Try deploying your app after updating gcloud with the gcloud components update command.
Make sure you run the SDK as an Admin.
If the error recurs, run gcloud app deploy app.yaml --verbosity=debug to try to get a more specific error.
It's good practice to include references in questions for folks who aren't familiar with e.g. Streamlit. I assume it's this: https://streamlit.io/
I suspect (!) that Streamlit does not (by default) satisfy App Engine's requirements:
A web app on port 8080
No additional (apt get) dependencies
No C-based dependencies
The Streamlit wiki references various deployment alternatives and includes Google Kubernetes Engine (aka GKE) (see below) but not App Engine.
This doesn't mean that it won't work on App Engine (standard) just that it may not be trivial.
The GKE instructions reference installing Cython, an optimizing c-compiler, and that gives me pause about using App Engine standard. Unless you're familiar with Kubernetes, I'd discourage you from trying GKE as there's more complexity.
So, it would be helpful if others with experience with Streamlit weigh in but, until then, you may wish to consider using Streamlit sharing.
It would be helpful if someone who has deployed Streamlit to App Engine (flexible?) or perhaps Cloud Run can provide an overview.

APOC UUID support in Kubernetes

I'm running a Neo4j instance (version 4.2.2) in a pod within a Kubernetes cluster, in standalone mode. The server starts, I can create, find and update nodes and relationships, however, when trying to install a UUID using apoc.uuid.install, the procedure hangs and never seems to finish.
I'd also like to mention that apoc.uuid.enabled=true is set in neo4j.conf, I've set a constraint on the designated UUID field before running install and I can't find any errors in the logs. I've also tried this functionality in non-K8s environments and I have no problem using it there.
The helm charts used for this deployment are taken from https://github.com/neo4j-contrib/neo4j-helm.
Did anyone experience this behavior? If yes, how did you manage to solve it?

creating a proper kubeconfig file for a 2 node gentoo linux kubernetes cluster

I have two servers at my home with Gentoo Linux ~amd64. I would like to install Kubernetes on them to play with it a bit.
Gentoo now packages all the Kubernetes-related dependencies under one package called sys-cluster/kubernetes, and the latest version available at the moment is 1.18.3.
The last time I played with Kubernetes was several years ago, and I think I completely forgot everything.
So I installed Kubernetes on both servers. Since I use systemd and the package contains only the kubelet systemd service, I also created systemd init scripts for kube-apiserver, kube-controller-manager, kube-proxy and kube-scheduler.
Now, this package also comes with kubeadm, but I would like to know how to install and configure Kubernetes manually.
Now I want to create a kubeconfig file for my cluster configuration.
I googled and found the following URL: http://docs.shippable.com/deploy/tutorial/create-kubeconfig-for-self-hosted-kubernetes-cluster/
The first step is "Make sure you can access the cluster", but I thought I wanted to create a kubeconfig in order for the services to properly know how to access my cluster!
This website already talks about secrets that were already configured, which they aren't. I'm starting from scratch, and this is probably not the way to go.
In general, I want to know how to properly create a kubeconfig file for my setup; then I'll configure the services to use this kubeconfig file and go on from there.
So any information regarding this issue would be greatly appreciated.
So I also asked this in the Kubernetes Slack channel, and they pointed me to this project: https://github.com/kelseyhightower/kubernetes-the-hard-way
It's a documentation project on how to configure Kubernetes the hard way. In the documentation they set it up in Google Cloud, but it's easy to understand what they did in the cloud and how to configure the same on your network.

How to deploy kubernetes 1.6 without kubeadm?

I'm a bit confused about what version of kubernetes I need and what method to use to deploy it.
I have deployed 1.5 the manual way. But there is a fix we need (PR-41597). This fix doesn't seem to have been merged in 1.5 but it is in 1.6.
But I can't find any way to install 1.6 without kubeadm. The documentation clearly states that kubeadm should not be used in production. And the kubeadm way does not allow for upgrades anyway. So I would prefer to stay away from kubeadm.
So I either have to get that fix merged in 1.5 or find a way to install 1.6 without kubeadm. Am I missing something here? Any help would be much appreciated. Thanks.
There are plenty of ways to install Kubernetes 1.6:
https://kubernetes.io/docs/getting-started-guides
For example, CoreOS's CloudFormation installer supports 1.6: https://coreos.com/kubernetes/docs/latest/kubernetes-on-aws.html#announcement-to-regular-users-of-kube-aws
As does Canonical's Juju templates: https://jujucharms.com/canonical-kubernetes/
If you need more specific assistance, please share more about your target environment (cloud/bare metal, OS, etc.).
A fairly low-level set of instructions can be found in https://github.com/kelseyhightower/kubernetes-the-hard-way; this may help you to tailor your own setup process.
For CentOS specifically, your best bet might be Kargo. This doesn't yet support 1.6, but it is active, so it should receive a 1.6 patch soon.

haproxy and keepalived on ec2

I read about using haproxy and keepalived to avoid spof for haproxy. Is it possible to do this in ec2?
Say I have 2 instances. Each with haproxy and keepalived installed. The VIP shall be aws elastic IP.
In theory this should be possible, there are blog posts dotted around with instructions on how to do it. However I have been trying to test this over the past few days but not had any luck with it.
Amazon blocks multicast on EC2 (Classic), so the primary communication method for Keepalived will not work. You need to install the latest version (at the time of writing this is 1.2.13), which has unicast support built in. This should allow you to bypass the multicast restrictions that Amazon puts in place. I think the version of the keepalived package is 1.2.7 in the repos (yum install keepalived), which does not have the unicast patch included.
You should be able to use wget to download the latest TAR, unpackage it and build it from source (./configure prefix=/, make, make install). Make sure you have the GCC package and openssl-devel package installed before trying to configure as it will fail with errors otherwise.
If I get it working in the meantime I will come back and put a link to my blog with the exact steps needed :)