gitlab-runner randomly runs as root rather than user gitlab-runner - gitlab-ci-runner

I have a simple gitlab-runner setup on its own ubuntu server. It was registered using:
sudo gitlab-runner register -n --url https://gitlab.com/ --registration-token {{GITLAB_REGISTRATION_TOKEN}} --executor shell --description "{{GITLAB_RUNNER_DESCRIPTION}}"
The only gitlab-runner process (ps -ef) that is running is:
/usr/bin/gitlab-runner run --working-directory /home/gitlab-runner --config /etc/gitlab-runner/config.toml --service gitlab-runner --syslog --user gitlab-runner
My /etc/gitlab-runner/config.toml config file contains:
concurrent = 1
check_interval = 0
[[runners]]
name = "iouze/landing"
url = "https://gitlab.com/"
token = "0530b.....6f9"
executor = "shell"
[runners.cache]
When my CI pipeline triggers, jobs sometimes get picked up as user gitlab-runner, in which case they run correctly (as a shell executor).
But sometimes a job runs as root, in which case it runs as a docker executor and then gives errors (because the script is running in an unexpected environment).
Why would it run sometimes as root when there is clearly a --user on the service?

I am running on gitlab.com and the pipeline jobs were sometimes getting picked up by the shared runners that are already configured there. I disabled the shared runners.
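As an added example (not from the original question or answer), here is a guard a shell-executor job can run before anything else, so that a job picked up by the wrong runner (the page describes gitlab.com shared runners running the job as root under a Docker executor) fails immediately with a clear message instead of later with confusing errors. The runner description "my-shell-runner" is a hypothetical value; CI and CI_RUNNER_DESCRIPTION are predefined GitLab CI variables.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Guard for the first step of a shell-executor job: refuse to continue when the
# job was picked up by a runner other than the one we registered, or is not
# running as the user the service was started with (--user gitlab-runner).
# Assumption: the registered runner's description is "my-shell-runner" (hypothetical).

EXPECTED_USER="gitlab-runner"
EXPECTED_RUNNER="my-shell-runner"

# runner_matches ACTUAL_USER RUNNER_DESCRIPTION
# Returns 0 when both values match what we expect, 1 otherwise.
runner_matches() {
  [ "$1" = "$EXPECTED_USER" ] && [ "$2" = "$EXPECTED_RUNNER" ]
}

# runner_mismatch_reason ACTUAL_USER RUNNER_DESCRIPTION
# Prints one line per mismatch so the job log states exactly what went wrong.
runner_mismatch_reason() {
  if [ "$1" != "$EXPECTED_USER" ]; then
    printf 'job is running as %s, expected %s\n' "$1" "$EXPECTED_USER"
  fi
  if [ "$2" != "$EXPECTED_RUNNER" ]; then
    printf 'job was picked up by runner "%s", expected "%s"\n' "$2" "$EXPECTED_RUNNER"
  fi
}

# enforce_runner_identity
# Reads the real values from the job environment (id -un for the user,
# CI_RUNNER_DESCRIPTION for the runner) and exits the job on a mismatch.
# Call this from before_script; it is a function so sourcing the file is a no-op.
enforce_runner_identity() {
  actual_user="$(id -un)"
  actual_runner="${CI_RUNNER_DESCRIPTION:-}"
  if ! runner_matches "$actual_user" "$actual_runner"; then
    runner_mismatch_reason "$actual_user" "$actual_runner" >&2
    exit 1
  fi
}
```

Call enforce_runner_identity as the first line of before_script in .gitlab-ci.yml. The guard only detects the problem; to prevent it, disable shared runners for the project (as the answer did) and give the registered runner a tag that the job selects with tags:, so that only that runner is eligible to pick the job up.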

Related

Error in running the shutdown-script for instance of google compute engine: gsutil failed to copy file to google cloud storage

I use a shutdown-script to backup the files on an instance before it is shutdown.
In this shutdown-script, the gsutil tool is used to send files to a bucket at google cloud storage.
/snap/bin/gsutil -m rsync -d -r /home/ganjin/notebook gs://ganjin-computing/XXXXXXXXXXX/TEST-202104/notebook
It worked well for a long time, but recently the error below occurs.
If I run the command manually, it works well. It seems that there is something wrong with systemd's job management.
Could anyone give me some hint?
INFO shutdown-script: /snap/bin/gsutil -m rsync -d -r /home/ganjin/notebook gs://ganjin-computing/XXXXXXXXXXX/TEST-202104/notebook
Apr 25 03:00:41 instance-XXXXXXXXXXX systemd[1]: Requested transaction contradicts existing jobs: Transaction for snap.google-cloud-sdk.gsutil.d027e14e-3905-4c96-9e42-c1f5ee9c6b1d.scope/start is destructive (poweroff.target has 'start' job queued, but 'stop' is included in transaction).
Apr 25 03:00:41 instance-XXXXXXXXXXX shutdown-script: INFO shutdown-script: internal error, please report: running "google-cloud-sdk.gsutil" failed: cannot create transient scope: DBus error "org.freedesktop.systemd1.TransactionIsDestructive": [Transaction for snap.google-cloud-sdk.gsutil.d027e14e-3905-4c96-9e42-c1f5ee9c6b1d.scope/start is destructive (poweroff.target has 'start' job queued, but 'stop' is included in transaction).]
Update gsutil with the -f option.
gsutil update -f
If the above command doesn’t work then try the command below:
sudo apt-get update && sudo apt-get --only-upgrade install google-cloud-sdk
Update the guest environment and try to shut down the instance. Use the link below as a reference to update the guest environment.
https://cloud.google.com/compute/docs/images/install-guest-environment#update-guest
If still facing issues do forceful shutdown:
sudo poweroff -f

OpenShift Login failed (401 Unauthorized)

I'm new to OpenShift and K8s. I have installed an OpenShift v3.11.0+bf985b1-463 cluster on my CentOS 7.
Running prerequisites.yml and deploy_cluster.yml finished with a successful status. And I have updated htpasswd and granted the cluster-admin role to my user.
htpasswd -b ${HTPASSWD_PATH}/htpasswd $OKD_USERNAME ${OKD_PASSWORD}
oc adm policy add-cluster-role-to-user cluster-admin $OKD_USERNAME
and I have created the user and identity with the commands below.
oc create user bob
oc create identity ldap_provider:bob
oc create useridentitymapping ldap_provider:bob bob
When I try to log in with oc login -u bob -p password it says:
Login failed (401 Unauthorized)
Verify you have provided correct credentials.
But I am able to log in with oc login -u system:admin
For your information: the okd deploy_cluster.yml ran successfully but the pod below is in an error state.
Is that causing the problem? Command: oc get pods
Please suggest how I can fix the issue. Thank you.
UPDATE:
I ran deploy_cluster.yml once again and the login issue is solved; I am able to log in. But it fails with the error below.
This phase can be restarted by running: playbooks/openshift-logging/config.yml
Node logging-es-data-master-ioblern6 in cluster logging-es was unable to rollout. Please see documentation regarding recovering during a rolling cluster restart
In the OpenShift console the logging pod has the event below.
But all the servers have enough memory; more than 65% is free.
And the Ansible version is 2.6.5.
1 Master node config:
4CPU, 16GB RAM, 50GB HDD
2 Slave and 1 infra node config:
4CPU, 16GB RAM, 20GB HDD
To create a new user try to follow these steps:
1 Create on each master node the password entry in the htpasswd file with:
$ htpasswd -b </path/to/htpasswd> <user_name> <password>
$ htpasswd -b /etc/origin/master/htpasswd myUser myPassword
2 Restart on each master node the master api and master controllers
$ master-restart controllers && master-restart api
or
$ /usr/local/bin/master-restart api && /usr/local/bin/master-restart controllers
3 Apply needed roles
$ oc adm policy add-cluster-role-to-user cluster-admin myUser
4 Login as myUser
$ oc login -u myUser -p myPassword
Running deploy_cluster.yml again after configuring the htpasswd file forces a restart of the master controllers and API, which is why you were then able to log in as your new user.
About the other problem, the registry-console and logging-es-data-master pods not running: that is because you cannot run deploy_cluster.yml again when your cluster is already up and running, so you have to uninstall OKD and then run the playbook again. This happens because the SDN is already working and all your nodes already own all the needed certificates.
$ ansible-playbook -i path/to/inventory /usr/share/ansible/openshift-ansible/playbooks/adhoc/uninstall.yml
and then again
$ ansible-playbook -i path/to/inventory /usr/share/ansible/openshift-ansible/playbooks/deploy_cluster.yml
More detailed information is here
If, after all this procedure, the logging-es-data-master pod still does not run, then uninstall the logging component with
$ ansible-playbook -i /path/to/inventory /usr/share/ansible/openshift-ansible/playbooks/openshift-logging/config.yml -e openshift_logging_install_logging=False -e openshift_logging_purge_logging=true
and then uninstall the whole OKD and install it again.
If your cluster is already working and you cannot perform the installation again, try only to uninstall and reinstall the logging component:
$ ansible-playbook -i /path/to/inventory /usr/share/ansible/openshift-ansible/playbooks/openshift-logging/config.yml -e openshift_logging_install_logging=False -e openshift_logging_purge_logging=true
$ ansible-playbook -i /path/to/inventory /usr/share/ansible/openshift-ansible/playbooks/openshift-logging/config.yml -e openshift_logging_install_logging=True
RH detailed instructions are here

Cannot `ssh` from container with `openvpn`

Basic setup
Using:
Fedora 30, fully upgraded (kernel 5.1.19)
Podman 1.4.4
I have this Dockerfile:
FROM fedora:30
ENV LANG C.UTF-8
RUN dnf upgrade -y \
&& dnf install -y \
openssh-clients \
openvpn \
slirp4netns \
&& dnf clean all
CMD ["openvpn", "--config", "/vpn/ovpn.config", "--auth-user-pass", "/vpn/ovpn.auth"]
Which I build with:
podman build -t peque/vpn .
Now, in order to be able to run it successfully, I have to take care of some SELinux issues (see Connect to VPN with Podman).
Fixing SELinux permission issues
sudo dnf install udica
I define this ovpn_container.cil custom policy for the VPN container:
(block ovpn_container
(blockinherit container)
(blockinherit restricted_net_container)
(allow process process (capability (chown dac_override fsetid fowner mknod net_raw setgid setuid setfcap setpcap net_bind_service sys_chroot kill audit_write net_admin)))
(allow process default_t (dir (open read getattr lock search ioctl add_name remove_name write)))
(allow process default_t (file (getattr read write append ioctl lock map open create)))
(allow process default_t (sock_file (getattr read write append open)))
(allow process tun_tap_device_t (chr_file (ioctl open read write)))
(allow process self (netlink_route_socket (nlmsg_write)))
(allow process unreserved_port_t (tcp_socket (name_connect)))
)
I apply the policy with:
sudo semodule -r ovpn_container
sudo semodule -i ovpn_container.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}
Running the container
Now I can successfully run the container with:
podman run -v $(pwd):/vpn:Z --cap-add=NET_ADMIN --device=/dev/net/tun --security-opt label=type:ovpn_container.process -it peque/vpn
Issues
Once the container is running, I open a terminal, within the container, from which I want to ssh to remote servers:
podman exec -it container_name bash
From the container I am able to ssh to remote servers successfully, but only if they are not within the VPN.
When I try to ssh to servers in the VPN, it gets stuck for a while and then throws this error:
$ ssh server.domain.com
ssh: connect to host server.domain.com port 22: Connection refused
kex_exchange_identification: Connection closed by remote host
What could I be missing?

Use short lived token to push docker image to GCP

I have a service account and key json file contents in my process. Trying to spawn "docker gcr.io/my-project/my-image" to upload images to container registry.
I tried docker login -u _json_key -p "$(cat keyfile.json)" https://[HOSTNAME] from the Advanced Authentication tutorial, which returns success during login, but docker push still returns an error:
You do not currently have an active account selected.
Please run:
$ gcloud auth login
Ideally, I would like to trigger docker push without configuring gcloud SDK. Also would not want to store key json contents to a file. I'd like to keep it in process memory.
The correct command to run for docker clients 18.03 and newer is gcloud auth configure-docker.
If you read the fine print for your command docker login -u _json_key -p "$(cat keyfile.json)" https://[HOSTNAME], it mentions that it is for older Docker clients, e.g. several years old. This is not the correct command to run today.
With the constant improvements, new features, Kubernetes, etc. you do not want to be running old commands or configurations.
gcloud auth configure-docker
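As an added example (not from the original question or answer), the login itself can be done with the credential passed over stdin rather than on the command line: docker login --password-stdin reads the secret from standard input, so the whole key no longer appears in the process list and shell history as it does with -p "$(cat keyfile.json)", and the credential can come straight from a variable in the calling process rather than from a file. GCR documents logging in with the username oauth2accesstoken and an OAuth2 access token as the password, which is the short-lived form the question asks for; the example assumes the token has already been obtained in-process and says nothing about how it was minted. The image name and the DOCKER_BIN override are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Log Docker in to a registry with a short-lived credential passed over stdin,
# so the secret never appears in `ps` output or in shell history (which it does
# with `-p "$(cat keyfile.json)"`).
# Assumptions: the credential (an OAuth2 access token for the user
# "oauth2accesstoken", or the JSON key text for "_json_key") is already held in
# a shell variable; how it was minted is outside this example.

# Overridable so the functions can be exercised without a Docker daemon.
DOCKER_BIN="${DOCKER_BIN:-docker}"

# registry_login HOST USERNAME CREDENTIAL
# HOST is e.g. gcr.io; USERNAME is oauth2accesstoken or _json_key.
# printf is a shell builtin, so the credential reaches docker through a pipe
# and never through any process's argv.
registry_login() {
  host="$1"; user="$2"; credential="$3"
  printf '%s' "$credential" | "$DOCKER_BIN" login -u "$user" --password-stdin "https://$host"
}

# push_with_token HOST USERNAME CREDENTIAL IMAGE
# Log in, push, then log out again: docker login stores the credential
# (base64, not encrypted) in ~/.docker/config.json unless a credential helper
# is configured, and a short-lived token should not outlive the job there.
push_with_token() {
  host="$1"; user="$2"; credential="$3"; image="$4"
  registry_login "$host" "$user" "$credential" || return 1
  "$DOCKER_BIN" push "$image" && status=0 || status=$?
  "$DOCKER_BIN" logout "$host" >/dev/null 2>&1
  return "$status"
}

# Usage (assumes $TOKEN holds an access token obtained in-process):
#   push_with_token gcr.io oauth2accesstoken "$TOKEN" gcr.io/my-project/my-image
```

The same function works with the _json_key username and the key's JSON text as the credential when an access token is not available; the point in both cases is that the secret travels over stdin and is removed from config.json once the push is done.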

dockerfile - Unable to connect error

So here's what I have to do: I need to set up some containers automatically using Docker. One of them is like this: Debian Squeeze with limited CPU shares and limited memory (1 CPU share and 512 MB memory), preinstalled apache2, build-essential, php5, mysql-server-5.5, openssh-server and with some ports opened (8000 for Apache and 1500 for MySQL). So I created the following Dockerfile:
FROM debian:squeeze
MAINTAINER Name < email : >
# Update the repository sources list
RUN apt-get update
# Install apache, PHP, and supplementary programs. curl and lynx-cur are for debugging the container.
RUN DEBIAN_FRONTEND=noninteractive apt-get -y install apache2 build-essential php5 mysql-server openssh-server libapache2-mod-php5 php5-mysql php5-gd php-pear php-apc php5-curl curl lynx-cur
# Enable apache mods.
RUN a2enmod php5
RUN a2enmod rewrite
# Manually set up the apache environment variables
ENV APACHE_RUN_USER www-data
ENV APACHE_RUN_GROUP www-data
ENV APACHE_LOG_DIR /var/log/apache2
ENV APACHE_LOCK_DIR /var/lock/apache2
ENV APACHE_PID_FILE /var/run/apache2.pid
EXPOSE 80
# Copy site into place.
ADD www /var/www/site
# Update the default apache site with the config we created.
ADD apache-config.conf /etc/apache2/sites-enabled/000-default.conf
# By default, simply start apache.
CMD /usr/sbin/apache2ctl -D FOREGROUND
#CMD [ "mysqladmin -u root password mysecretpasswordgoeshere"]
EXPOSE 3306
the content of apache-config.conf is this:
<VirtualHost *:80>
ServerAdmin me@mydomain.com
DocumentRoot /var/www/site
<Directory /var/www/site/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order deny,allow
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
and in the www folder I put a PHP file with this code:
<?php
$connect=mysql_connect("localhost:1500","root","") or die("Unable to Connect");
?>
to test the connection to the MySQL server.
Then I build all this into an image like this:
sudo docker build --rm --tag="tag_name" .
and then I run the image like this:
sudo docker run -c=1 -m="512m" --net=bridge -p 8000:80 -p 1500:3306 -d --name="container_name" tag_name
It seems to work: the Apache server works when I access localhost:8000/site in my browser, but it shows "Unable to connect". What am I doing wrong?
And another problem is that the container is running but I can't attach to it. I run this command
sudo docker attach CONTAINER_ID
and then nothing happens; I can't do anything else from there. What am I doing wrong?
I have to build a few more Dockerfiles similar to this to create containers. All those must be hosted on a ZFS file system and I have to configure a container repository of 50 GB based on it. What does this mean and how do I do that?
I'm sorry for my English, it's not my native language :(
Thank you in advance
MySQL issue
in the PHP code
$connect=mysql_connect("localhost:1500","root","") or die("Unable to Connect");
localhost refers to the container IP address. Since there is no MySQL server running in that container the connection will fail.
In this gist, I've changed your example a bit to have the container start both MySQL and Apache (I assume this was your first intent) using the following instruction: CMD bash -c '(mysqld &); /usr/sbin/apache2ctl -D FOREGROUND' and changed the PHP code to connect to the MySQL server on localhost:3306.
Docker attach
The docker attach command is meant to allow you to interact with the process currently running in the foreground of a container. Unless that process is a shell, it won't provide you with a shell in that container.
Take this example:
Start a container running a shell process
docker run -it --rm base bash
You are now in interactive mode in your container and can play around with the shell running in the foreground in that container:
root@de8f16a13571:/# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin selinux srv sys tmp usr var
if you now exit the shell by typing exit the shell process will end, and as that was the process running in the foreground in the container, that container will stop.
root@de8f16a13571:/# exit
exit
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Now start a new container named test running bash again:
docker run -it --name test base bash
Verify you can interact with it, then detach from it by hitting the keys Ctrl+p+q. You end up back in the docker host shell.
Verify that the container named test is still running:
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
81f0f1094f4a base:latest "bash" 6 seconds ago Up 5 seconds test
You can then use the docker attach command to attach to the bash program in the container:
docker attach test
root@81f0f1094f4a:/# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin selinux srv sys tmp usr var
ZSH
And regarding ZSH, I don't know what all that means either. Also note that having 3 questions at once makes it difficult for the community to come up with a single answer that would answer all 3; maybe consider posting a new question for those.
Please comment if my assumptions about how you run MySQL or what your intent is with docker attach are wrong.