I'm trying to use the google sheets and gmail APIs, and I'd like to access the credentials file as a K8s secret (which seem to be mounted as symlinks).
However, the google oauth2 python client specifically says that credential files cannot be symbolic links.
Is there a workaround for this?
Is there a workaround for this?
There are at least two that I can think of off-hand: environment variables, or an initialization mechanism through which the symlinks are copied to files
Hopefully the first one is straightforward, using env: valueFrom: secretKeyRef: etc.
And for the second approach, I lumped them into "initialization mechanism" because it will depend on your preference between the 3 ways I can immediately think of to do this trick.
Using an initContainer: and a Pod-scoped volume: emptyDir: would enable you to copy the secret to a volume that is shared amongst your containers, and that directory will be cleaned up by kubernetes on the destruction of your Pod
Using an explicit command: to run some shell before launching your actual application:
command:
- bash
- -ec
- |
cp /path/to/my/secret/* ./my-secret-directory/
./bin/launch-my-actual-server
Or, finally (and I would guess you have already considered this), have the application actually read in the contents and then write them back to a file of your choice
Related
I am writing a shell script to delete Virtual machines in Azure. As part of that, I need to access a YAML file (as shown below) that has azure service principal for different subscriptions. Now I am not sure how to load this YAML file in my script.
123456-5897-1223357-7889:
subscription_id: "123456789"
client_id: "123456789"
secret: "123456789"
tenant: "1234567899"
azure_cloud_environment: "AzureCloud"
578945-5897-1223357-7889:
subscription_id: "987456123"
client_id: "987456123"
secret: "987456123"
tenant: "987456123"
azure_cloud_environment: "AzureCloud"
is there a way to source this file as we do in GCP or is there a way to load the file from YAML file
gcloud auth activate-service-account --key-file="/tmp/project1.json"
gcloud config set project project1
I dont think its possible to do that, the only auth option you can do (with a file) is replacing .azure/azureProfile.json (cant recall right now for sure, it might be another file under .azure folder) under users profile, but its format is completely different (not sure where you got these files).
I have a large set of read-only configuration files (around 4k) which is used by the microservice to process some XML files and supposed to be read via Apache Commons Configuration.
These files are of the following types:
Properties file
XML
dtd
xfo
xslt
5 of these files will need some environment variables to be substituted in their content, such as third party software location, or different services URL based on the environment the files are deployed in.
Now, I need to make these files available for 4 microservices at run time.
I'm using fabric8.io maven docker plugin with dockerfile for image generation.
Kubernetes, helm, Jenkinsfile, and ArgoCD for the spring-boot microservices CD/CI.
The 2 challenges that I'm facing is how to substitute the variables inside of these static files, and how to make these files available for each pod.
I have three solutions in mind but I would like to know what is the best/optimal 12-factor approach for this problem.
Solution 1: is to deploy the files as a separate pod and allow other pods to access to some volume mount that it provides.
Solution 2: Add the files to the microservice image during the docker image build.
Solution 3: Add the files as a container of each microservice pod.
You could upload this file to a kubernetes ConfigMap.
https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/
apiVersion: v1
kind: ConfigMap
data:
haproxy.cfg: "complete file contents"
It can contain entire file, and mount this file in a pod directory
volumeMounts:
- mountPath: /usr/local/etc/haproxy
name: config
volumes:
- name: config
configMap:
name: env-config-haproxy
items:
- key: haproxy.cfg
path: haproxy.cfg
There is another solution: mounting the files as a volume (backed by cloud storage) and substituting values on-access within the service and that's a solution I'd go with by default.
Solutions 1 and especially 3 add a lot of complexity. Solution 2 may be a good choice too, however to choose the best option you really need to answer another question - how are the config files and env substitutions changing with respect to the application container versions?
i.e. When you change the files, should all of the services get new versions?
Question
How can I see symlinks of docker linux-containers from a windows host? (Even if I have to place an intermediate linux machine exposing the filesystem via NFS or Samba)
Context
In a DEVEL environment, I have this structure in a certain remote filesystem in a Linux within the office:
/files/repos/app-1
/files/repos/app-2
/files/repos/lib-x
/files/repos/lib-y
both app-1 and app-2 use those libraries which are vendored and symlinked like this:
/files/repos/app-1/vendor/my-company/lib-x => /files/repos/lib-x
/files/repos/app-1/vendor/my-company/lib-y => /files/repos/lib-y
/files/repos/app-2/vendor/my-company/lib-x => /files/repos/lib-x
/files/repos/app-2/vendor/my-company/lib-y => /files/repos/lib-y
The developers need to be in Windows.
So the developers have their IDE pointing to some mounted unit, for example Z:\ where they see all the repos and projects.
This allows us the following:
Edit any of the projects from it's own folder, and run the unit-tests for that project, including running the lib-x and lib-y.
Develope any of the libraries and have them updated in the depending applications (note I say I am in DEVEL, not PRE or PROD).
From the IDE, pointing see the "complete structure" of any of the applications (for instance app-1) also see the classes of the lib-x and lib-y so the autocompletion and so works perfectly.
This has been working like this for nearly a decade and works perfectly.
Problems
The developers need the connection to the server to develop and we wanted to mutate to local dockers so we can make the devels work from home.
Going to docker
We now decided that we are not going to use anymore the office-servers and we are going to setup all the development within docker containers.
What does actually work
We just installed docker desktop in Windows and shared C:\repos from the host into the dockers.
We now have some devel machines FROM ubuntu:xxx and run them mounting the volumes.
We made the symlinks within the app-1 and app-2 to lib-x and lib-y from inside the linux containers.
This does work perfectly and also the repositories work fine if we run the applications in the local dockers
Problem with symlinks in linux container and windows host
The problem is now the IDE: While it reads the files in C:\repos\app-1, the symlink that has been created within the linux containers can't be seen from the host.
This makes the IDE to be unable to follow C:\repos\app-1\vendor\lib-x and all the code-completion helpers are broken.
I already know Windows does not support symlink compatible with linux symlinks.
This forces us to look for an alternate solution.
Solution we've though with Samba
Initially I thought that as well as in the old topology a linux server just shared the filesystem via samba and the windows could just read the symlinks contents as they were demapped at the serverside and not the clientside, I thought that I could run another docker machine with a samba server just to locally share the "things seen from the linux" into the Windows host again.
To do so, I setup this docker-compose:
version: "3.7"
services:
samba:
container_name: samba
hostname: samba
image: dperson/samba
volumes:
- //c/Users/xavi/Documents/repos/test_samba:/mount
ports:
- "139:139"
- "445:445"
command: samba.sh -s "test_samba;/mnt/repos/test_samba;yes;no;yes;all"
restart: always
But this conflicts as 445 is locally already used.
If I turn down the local SMB, then in the next reboot, docker is unable to share C:\ into docker (I was not consciuos it does this sharing via SMB, could it be turned into a NFS or so?)
If I map to another port, like 10445:445 then the client is unable to access it, as client samba ports in windows seem to be not configurable.
Mapping an IP
So I tried to map an IP:
version: "3.7"
services:
samba:
container_name: samba
hostname: samba
image: dperson/samba
volumes:
- //c/Users/xavi/Documents/repos/test_samba:/mount
ports:
- "139:139"
- "192.168.4.83:445:445"
command: samba.sh -s "test_samba;/mnt/repos/test_samba;yes;no;yes;all"
restart: always
networks:
samba:
ipv4_address: 192.168.4.83
networks:
samba:
ipam:
driver: default
config:
- subnet: "192.168.4.0/16"
But is seems that this still creates problems:
It seems the IP is only for internal docker networking but not seen from the host
It seems the original service still listens not to 127.0.0.1:445 but to 0.0.0.0:445 so still "blocking" the attachment to listen to 192.168.4.83:445
So question
How could I make a windows host to see the "demapped contents of symlinks" to make the IDE see the vendored content that is linked from inside docker linux containers?
TL;DR
Run git-bash as administrator.
Issue export MSYS=winsymlinks:nativestrict in git-bash.
From there on, ln -s works in windows.
Links are seen from inside the docker.
Details
We'll walk thru these steps:
Preparation: Prepare a temporary dir with some files within the abc directory.
See it fail: We'll try to make a symlink and see it fail.
Create symlink: We'll create the symlink in windows and see it. We'll point xyz to abc.
Run docker: We'll then run docker with ubuntu and change contents in xyz.
Check in ubuntu container: We'll see the changes also in abc from within the docker.
Check in windows host: Well check both abc and xyz from ouside the container.
1. Preparation
In a git-bash go to /c and create a temporary dir tmp.
Inside it, create an abc dir and throw some contents there.
cd /c
mkdir tmp
cd tmp/
mkdir abc
cd abc/
echo 1111 > old_1
echo 2222 > old_2
echo 3333 > old_3
Here's a sample session:
2. See it fail
First let's try the "normal" way and see it fail.
In a git-bash, navigate to /c/tmp
Then do a symlink making xyz to point to abc: ln -s abc xyz
See it fails, by ls-ing the tmpand see xyz is a regular dir.
To be sure, create new content in xyz and see it's not there in abc.
Try to create the link. It will not become a symlink, but rather create a copy of the directory.
cd /c/tmp/
ln -s abc xyz
Create new_bad in xyz and don't see it in abc.
cd xyz/
touch new_bad
cd ../abc/
ls -l
Clear the wrong xyz
rm -Rf xyz/
Here's a sample session:
3. Create symlink
Here it comes the real stuff. The inspiration comes from #Slayvin's answer here, as well as here Git Bash shell fails to create symbolic links and the official git-for-windows repo here https://github.com/git-for-windows/git/pull/156
First open a new git-bash in Administrator mode. The reason is that only admins can create links in windows.
Once you are a CLI admin, navigate to the destination and set this evironment variable:
export MSYS=winsymlinks:nativestrict
This will tell the runtime subsytem of git-bash to actually use the symlinks feature. As we are admins we'll succeed.
The do just "normal symlinks" as you would expect: ln -s abc xyz
It works!!! Now next move is to test within docker!
NOTE: As per Sebastian's answer here https://stackoverflow.com/a/40914277/1315009 you DON'T need to be administrator to create symlinks in git-bash if you enabled the developer tools. In the search-bar write for developers and enable it:
4. Run docker + 5. Check in docker
The bash with admin privileges is no longer needed. So we'll close it and re-instantiate a "normal" bash.
In it, run an ubuntu continainer with docker. Use -it to interact with the ubuntu's bash. Use winpty to allow -it to work.
Bind-mount the /c/tmp directory so both abc and xyz are reachable. I chose to mount it to /files.
From inside, cd /files and see that xyz is actually a symlink.
Create some new content in xyz
Run and see:
winpty docker run -it --rm --mount type=bind,source="c:\tmp",target=/files --name ubuntu-link ubuntu
cd /files/
ls -l
Create content:
cd xyz
echo "yeaaahh" > new_good
Check it's really a symlink by going to abc:
cd ..
cd abc/
cat new_good
Sample session:
6. Check in windows host
Step out from the docker. Stay in the git-bash.
Again: This git-bash does not need to be privileged. The only moment we had to be admin was to "create" the symlink in windows.
From the unprivileged bash, explore abc as well as xyz and see that there's the content we created from inside the docker, appearing in both the original directory and in the symlink.
Sample session:
Final check
We can finally go to a classical CMD to see how it looks like. We can see it's clearly indicated that it's a symlink for a directory and we also see the target there:
Golden touch
If you have the "developer tools" activates as stated above, the only missing thing is the ENV VAR.
We can set this by editing the .bashrc at your windows home:
By doing this we can just use git-bash completely normally and start creating the symlinks from windows without any overload.
Caution
The symlinks created this way work from windows and are seen from inside docker. But not the oposite. If you create symlinks inside the container they don't get created in windows.
Therefore, in mounted volumes, setup the symlinks always from git-bash and consume them from the container. If you create them from the container, they still can be consumed from the container. But won't be usable from windows.
Conclussion
It can be done fully from the linux flavour commands via git-bash. Only that you need to be admin to create the links and tell the git-bash runtime to use that feature. And that the link needs to be done from windows, instead from inside the ubuntu.
I encountered a similar problem with my setup: developing on Windows 10 (where both the IDE and Docker are running), and having the website running inside the container (Linux).
I used to work on a library that is required by the website, working on both projects in parallel. And to do so, the library directory was symlinked (in host/Windows) in the vendor path.
Something like:
+ my-website
↪ vendor
↪ company
↪ my-package (->symlink here)
↪ ...
↪ docker-compose.yml
+ external-packages
↪ company
↪ my-package (real files here)
But with Docker, that setup doesn't work anymore.
So the trick is to mount a volume in docker-compose like this:
volumes:
- ./:/my-app
- ../external-packages/company:/my-app/vendor/company
So the files in vendor are 'seen' by the web server (inside the container), and we can keep the symlink (made in windows) between the my-package folders, so the IDE sees them as well.
I hope this will help you.
I'm trying to set up a linux container with isolated mount namespace using unshare tool from util-linux package :
% sudo unshare -m -f /bin/bash
So I'm expecting that bash will be launched in a namespace, where the mount namespace, i.e. filesystems, will be completely isolated form the host one, however I still can modify the host FS (create/delete files on the host FS). What am I doing wrong here?
A mount namespace only creates a separate mount tree by copying the parent tree.
You still have to remount the file systems as read-only, unmount them, mount a tmpfs over them or pivot_root into a clean tree to prevent access. Switching to an umapped user via user namespaces can help to some extent but it won't prevent access to world-readable/writable files.
If you need to setup more complex namespace environments - containers basically - you can use firejail or runc to automate those tasks based on configuration files. systemd-nspawn provides some intermediate featureset between accessing the primitives directly, as unshare does, and container runtimes.
I assume that mount namespace is isolated because mount/unmount in the namespace does not have impact on the host FS. So I think modifying FS is another issue, probably related to userns, but not fully sure about this.
My company currently is using S3fs and Ec2 from AWS. We have been mounted our s3 buckets on our Ec2 instances, but after some time (a week, for example) some of the buckets unmount by themselves and our server instances become nearly useless. The error is "Transport endpoint not connected."
S3fs version: 1.61 build from source
FUSE version: 2.84.1 build from source
OS: Linux, Ubuntu 11.04
Is there some kind of safe mechanism for preventing (or at least detecting) these problems?
Great insight. Hadn't thought about this. But here are 3 precautionary steps we can take:
1) Create an auto-mount so that in the very unlikely event that EC2 is down, S3 gets mounted back on once EC2 comes back via /etc/fstab
2) or/and if you prefer, create a secondary auto-mount using cron:
echo "/usr/bin/s3fs [s3 bucket name] [mountpoint path] -o allow_other" >> automount-s3
sudo mv automount-s3 /usr/sbin
sudo chown root:ubuntu /usr/sbin/automount-s3
sudo chmod +x /usr/sbin/automount-s3
crontab -e
add this line
#reboot /usr/sbin/automount-s3
3) I would also create another hourly cron to check whether S3 is still mounted - this can be done by checking if a dummy file exists in your EC2 path. If the file doesn't exist, cron will do a manual mount by calling "/usr/bin/s3fs -o allow_other [s3 bucket name] [mountpoint path]". It would be good to trigger an email to the admin and log it in the system as well.
s3fs is a nice idea but keep in mind that even though the call to s3 might be somewhat internal (or let's say "on their network"), you're still mounting a filesystem over HTTP. That is not going to be stable in the long-run.
Maybe you can re-phrase your question to ask for alternatives and share what you're trying to accomplish by using any kind of (I'm guessing) shared network filesystem. I can see the appeal, but with Amazon EC2 people usually use a shared nothing approach and anything extra network-related should be avoided to be able to recycle instances easier, etc..
Happy to extend my answer.