From 9b9e914d500ea3f465459395a634ca29fdadf167 Mon Sep 17 00:00:00 2001 From: Dean Sheather Date: Tue, 15 Jun 2021 06:54:24 +1000 Subject: [PATCH 1/5] Avoid pulling full values file during install (#401) Co-authored-by: Katie Horne --- package.json | 2 +- setup/installation.md | 40 +++++++++++++++++++++++----------------- 2 files changed, 24 insertions(+), 18 deletions(-) diff --git a/package.json b/package.json index b7ec7e10f..a48211917 100644 --- a/package.json +++ b/package.json @@ -12,7 +12,7 @@ "format:check": "prettier --check '**/*.{css,html,js,json,jsx,ts,tsx,yaml,yml}'", "format:write": "prettier --write '**/*.{css,html,js,json,jsx,ts,tsx,yaml,yml}'", "lint": "markdownlint --config .markdownlint.jsonc --rules .markdownlint-rules '**/*.md'", - "lint:fix": "markdownlint --fix '**/*.md'" + "lint:fix": "markdownlint --config .markdownlint.jsonc --rules .markdownlint-rules --fix '**/*.md'" }, "devDependencies": { "@types/minimist": "^1.2.1", diff --git a/setup/installation.md b/setup/installation.md index f49c804fa..1b994c335 100644 --- a/setup/installation.md +++ b/setup/installation.md 
@@ -46,42 +46,40 @@ kubectl config set-context --current --namespace=coder `helm search repo coder -l`) ```console - helm install coder coder/coder --namespace coder + helm install coder coder/coder --namespace coder --version= ``` **Steps 3-5 are optional for non-production deployments.** -1. Get a copy of your Helm chart so that you can modify it; you'll need to - modify the Helm chart to update your PostgreSQL databases (step 4) and enable - dev URLs (step 5): +1. Get a copy of your Helm config values so that you can modify it; you'll need + to modify these values to update your PostgreSQL databases (step 4) and + enable dev URLs (step 5): - a. Get a copy of your existing Helm chart and save it as `current-values.yaml`: - `helm show values coder/coder > current-values.yaml` + a. Create an empty file called `values.yaml` which will contain your + deployment configuration options. - b. Edit the `current-values.yaml` file as needed. Be sure to remove the lines - that you are _not_ modifying, otherwise the contents of `current-values.yaml` - will override those in the default chart. + b. Edit the `values.yaml` file as needed. > View the > [configuration options available in the `values.yaml` file.](https://github.com/cdr/enterprise-helm#values) c. Upgrade/install your Coder deployment with the updated Helm chart (be sure - to replace the placeholder value with your Coder version). **This must be done - whenever you update the Helm chart:** + to replace the placeholder value with your Coder version). **This must be + done whenever you update the Helm chart:** ```console - helm upgrade coder coder/coder -n coder --version= --values current-values.yaml + helm upgrade coder coder/coder --namespace coder --version= --values values.yaml ``` > If you omit `--version`, you'll upgrade to the latest version, excluding > release candidates (RCs). To include RCs, provide the `--devel` flag. 
> > We do not provide documentation for RCs, and you should not use them unless - you've been instructed to do so by Coder. You can identify RCs by the - presence of `-rc` in the version number (e.g., `1.16.0-rc.1`). + > you've been instructed to do so by Coder. You can identify RCs by the + > presence of `-rc` in the version number (e.g., `1.16.0-rc.1`). 1. Ensure that you have superuser privileges to your PostgreSQL database. Add - the following to your Helm chart so that Coder uses your external PostgreSQL + the following to your Helm values so that Coder uses your external PostgreSQL databases: ```yaml @@ -96,14 +94,22 @@ kubectl config set-context --current --namespace=coder ``` To create the `passwordSecret`, run - `kubectl create secret generic --from-file=test=/dev/stdin` + `kubectl create secret generic --from-literal="password=UserDefinedPassword"` (be sure to replace `UserDefinedPassword` with your actual password). + > Put a space before the command to prevent it from being saved in your shell + > history. + > + > Running this command could potentially expose your database password to + > other users on your system through `/proc`. If this is a concern, you can + > use `--from-file=password=/dev/stdin` instead of `--from-literal=...` to + > enter your password and press `Ctrl+D` when you're done to submit it. + You can find/define these values in your [PostgreSQL server configuration file](https://www.postgresql.org/docs/current/config-setting.html). > For more information, [see our guide](../guides/deployments/postgres.md) on - setting up a PostgreSQL instance. + > setting up a PostgreSQL instance. 1. [Enable dev URL usage](../admin/devurls.md). Dev URLs allow users to access the web servers running in your workspace. To enable, provide a wildcard From 88fda0a393244e6df61a9baef741d72801295c49 Mon Sep 17 00:00:00 2001 
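Review bot: the terminology inside the first `setup/installation.md` hunk is inconsistent after this change. Step 1 is reworded to "Get a copy of your Helm config values" and the file becomes `values.yaml`, but step 1c in the same hunk still says "Upgrade/install your Coder deployment with the updated Helm chart" and "This must be done whenever you update the Helm chart"; suggest "with your updated values" and "whenever you change `values.yaml`". The `helm install coder coder/coder --namespace coder --version=` line also gains a bare `--version=` placeholder, yet the only reminder to replace the placeholder with a real Coder version sits next to the later `helm upgrade` command; repeat that reminder next to the install command, or make the placeholder visible as something like `--version=<version>` so a reader does not copy an empty flag.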
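Review bot: the second `setup/installation.md` hunk (`@@ -96,14 +94,22 @@`) still omits the secret name from `kubectl create secret generic --from-literal="password=UserDefinedPassword"`; `kubectl create secret generic` requires a NAME argument, and it is the name that must be referenced as `passwordSecret` in the values above, so as written the command fails. Suggest `kubectl create secret generic <secret-name> --from-literal=password=UserDefinedPassword`. The added advice "Put a space before the command to prevent it from being saved in your shell history" only holds when the shell is configured to drop space-prefixed commands (`HISTCONTROL=ignorespace` or `ignoreboth` in bash, `setopt HIST_IGNORE_SPACE` in zsh), which is not a universal default; state that condition. The `/proc` caveat is sound, since a running process's arguments are visible to other local users via `/proc/<pid>/cmdline`, and the `--from-file=password=/dev/stdin` alternative uses the same `password` key that PATCH 3 of this series settles on, which keeps the two pages consistent.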
From: Kyle Carberry Date: Tue, 15 Jun 2021 11:39:30 -0400 Subject: [PATCH 2/5] chore: Add solution for Docker problems (#369) * chore: Add solution for Docker problems Co-authored-by: Katie Horne Co-authored-by: Jonathan Yu --- guides/troubleshooting/docker-problems.md | 115 ++++++++++++++++++++++ manifest.json | 3 + 2 files changed, 118 insertions(+) create mode 100644 guides/troubleshooting/docker-problems.md diff --git a/guides/troubleshooting/docker-problems.md b/guides/troubleshooting/docker-problems.md new file mode 100644 index 000000000..6f7a4029d --- /dev/null +++ b/guides/troubleshooting/docker-problems.md 
@@ -0,0 +1,115 @@ +--- +title: Docker key storage issues +description: Learn how to solve Docker key storage issues inside Coder workspaces. +--- + +When using Coder, you may encounter the following error: + +```console +docker: Error response from daemon: OCI runtime create failed: +container_linux.go:370: starting container process caused: +process_linux.go:459: container init caused: join session keyring: +create session key: disk quota exceeded: unknown. +``` + +## Why this happens + +The kernel allocates a system key for each container created. When lots of +developers are sharing the same instance, you may run into limits on the number +and size of keys each user can have. + +## Resolution + +To fix this error, you can increase `maxkeys` and `maxbytes`. These are global +settings that apply to *all* users sharing the same system. You can modify this +by adding the following to the `sysctl` configuration file: + +```console +sudo sysctl -w kernel.keys.maxkeys=20000 +sudo sysctl -w kernel.keys.maxbytes=400000 +``` + +Alternatively, you can use a DaemonSet with `kubectl apply` to make changes to +`sysctl`: + +```yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: increase-limits + namespace: kube-system + labels: + app: increase-limits + k8s-app: increase-limits +spec: + selector: + matchLabels: + k8s-app: increase-limits + template: + metadata: + labels: + name: increase-limits + k8s-app: increase-limits + annotations: + seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + spec: + nodeSelector: + kubernetes.io/os: linux + initContainers: + - name: sysctl + image: alpine:3 + command: + - sysctl + - -w + - kernel.keys.maxkeys=20000 + - kernel.keys.maxbytes=400000 + resources: + requests: + cpu: 10m + memory: 1Mi + limits: + cpu: 100m + memory: 5Mi + securityContext: + # We need to run as root in a privileged container to modify + # /proc/sys on the host (for 
sysctl) + runAsUser: 0 + privileged: true + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + containers: + - name: pause + image: k8s.gcr.io/pause:3.5 + command: + - /pause + resources: + requests: + cpu: 10m + memory: 1Mi + limits: + cpu: 100m + memory: 5Mi + securityContext: + runAsNonRoot: true + runAsUser: 65535 + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + terminationGracePeriodSeconds: 5 +``` + +At a later point, you can delete the DaemonSet by running: + +```console +$ kubectl delete --namespace=kube-system daemonset increase-limits +daemonset.apps "increase-limits" deleted +``` + +However, note that the setting will persist until the node restarts or another +program sets the `kernel.keys.maxkeys` and `kernel.keys.maxkeys` settings. diff --git a/manifest.json b/manifest.json index 025f08d55..538c32120 100644 --- a/manifest.json +++ b/manifest.json @@ -354,6 +354,9 @@ "children": [ { "path": "./guides/troubleshooting/inotify-watch-limits.md" + }, + { + "path": "./guides/troubleshooting/docker-problems.md" } ] } From 9f4384e8df863ab9909e1199fc996b39791b9a82 Mon Sep 17 00:00:00 2001 From: Mike Terhar Date: Tue, 15 Jun 2021 15:37:51 -0400 Subject: [PATCH 3/5] Configuring external database validation (#352) * secret name can be anything, key must be password Co-authored-by: Katie Horne --- guides/deployments/postgres.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/deployments/postgres.md b/guides/deployments/postgres.md index d8fe9f8fa..d57631831 100644 --- a/guides/deployments/postgres.md +++ b/guides/deployments/postgres.md @@ -35,7 +35,7 @@ or cluster. Kubernetes Secret containing the password: ```console - kubectl create secret generic --from-file=test=/dev/stdin + kubectl create secret generic --from-file=password=/dev/stdin ``` We recommend using the syntax provided above, which reads credentials from 
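Review bot: the Resolution section of the new `guides/troubleshooting/docker-problems.md` says to add the settings "to the `sysctl` configuration file", but the block that follows shows `sudo sysctl -w kernel.keys.maxkeys=20000` / `sudo sysctl -w kernel.keys.maxbytes=400000`, which change the running kernel only and are lost on reboot (the closing paragraph of the same file admits this: "the setting will persist until the node restarts"). Either show the configuration-file form, `kernel.keys.maxkeys = 20000` and `kernel.keys.maxbytes = 400000` in `/etc/sysctl.conf` or a file under `/etc/sysctl.d/`, or reword the sentence to say the commands apply the change immediately. The closing paragraph also names `kernel.keys.maxkeys` twice; the second occurrence should be `kernel.keys.maxbytes`. For the DaemonSet, the init container runs as root in a privileged container, which the inline comment correctly justifies because `kernel.keys.*` are host-wide sysctls that cannot be set per pod; given that this grants write access to the node's `/proc/sys`, it is worth saying explicitly that the manifest belongs in a namespace with restricted access (it is placed in `kube-system` here) and that deleting it once the values are applied, as the page already suggests, removes the standing privileged workload.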
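Review bot: the `guides/deployments/postgres.md` hunk fixes the key (`test` becomes `password`, as the commit message says), but `kubectl create secret generic --from-file=password=/dev/stdin` still has no secret NAME argument and kubectl rejects the command without one. Since the commit message states that the secret name can be anything, show a placeholder such as `kubectl create secret generic <secret-name> --from-file=password=/dev/stdin` and note that the chosen name must match the `passwordSecret` value referenced in the installation page.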
From d51fed1ea280925beb6c701a9cb71f7d144cb290 Mon Sep 17 00:00:00 2001 From: Mike Terhar Date: Tue, 15 Jun 2021 15:38:24 -0400 Subject: [PATCH 4/5] Clarify that the quota counts running workspaces (#407) * Clarify that the quota counts running workspaces --- admin/organizations.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/admin/organizations.md b/admin/organizations.md index e3730f442..28361be24 100644 --- a/admin/organizations.md +++ b/admin/organizations.md @@ -42,7 +42,8 @@ organization. You can set the: Finally, you can set **Resource Quotas**. These are limits on the number of **CPUs** and **GPUs**, as well as the amount of **memory** and **disk space**, -each developer can use across *all* of their workspaces in this organization. +each developer can request concurrently for running workspaces in this +organization. When you've set your parameters, click **Create** to proceed. From a82bab83591e15a64d44198ab9c5943562585fc1 Mon Sep 17 00:00:00 2001 From: Katie Horne Date: Tue, 15 Jun 2021 16:02:58 -0500 Subject: [PATCH 5/5] Add CODER_RUNTIME var to docs --- workspaces/variables.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/workspaces/variables.md b/workspaces/variables.md index c4731e8f3..cf2ad4201 100644 --- a/workspaces/variables.md +++ b/workspaces/variables.md @@ -57,4 +57,8 @@ env | grep CODER_ CODER_WP_NAME The name of the workspace provider hosting the environment + + CODER_RUNTIME + Whether the workspace is a CVM or not +
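Review bot: the new `CODER_RUNTIME` row in `workspaces/variables.md` describes the variable only as "Whether the workspace is a CVM or not" and never states what values it takes, so a reader writing a startup script cannot test it reliably; document the exact value(s) the variable is set to, as the neighbouring `CODER_WP_NAME` entry is self-explanatory but this one is not.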