VMs in small ARM servers

2022-08-04 12:23

Background (I swear I get to VMs later)

I have been running a personal server at my office for a little while (See 1 and 2) where I run a number of containerized services.

Mi server "producción" Pinky, en su forma final. Radxa Zero con 4GB de RAM y 32GB de eMMC, 2 HDDs de 1TB en RAID1 con btrfs. pic.twitter.com/ckhPloQXPO
— Roberto H. Alsina (@ralsina) August 4, 2022

Since I had it, I wanted to add a way to easily deploy my own experimental code so I can do quick "servers" for things I am playing with.

I could just create my code as, say, a flask app and create containers for them and deploy them that way, and then add ingress rules in my gateway and ... it gets exhausting pretty fast.

What I wanted was a way to run my own Heroku, sorta. Just write a bit of code, run a command, have it be available.

After googling I found a solution that didn't require me to implement a k8s cluster: faasd. The promise is:

Run a shell script to install faasd
Write your code as a function
Run a command to deploy
It all runs out of a single ingress path (except CORS of course)

So, minimal config, ease of deployment, no need to constant tweaking of my gateway. All good!

Except ... faasd doesn't play along with Docker. Both use containerd and cni and other things as their backend, and faasd says that really, they like specific versions so they should install them, not the system, and then running docker gets pretty dicey.

So, I could just get a second server. It's not like I don't have more small computers.

Tengo un problema.

Pero también tengo soluciones! pic.twitter.com/u1qj5d21Cj
— Roberto H. Alsina (@ralsina) August 2, 2022

But my server has spare capacity! So I don't WANNA START A SECOND SERVER!

Also, this is going to often be toy code I have not carefully vetted for security, so it would be better if it ran in isolation.

So? I needed a VM.

Really, a VM inside a tiny ARM computer

My server is a Radxa Zero. It's smaller than a credit card. It has, however, 4 cores, and 4GB of RAM, so surely there must be a way to run a VM in it that can isolate Faasd and let it run its wonky versions of things while the rest of the system doesn´t care.

And yes, there is!

Firecracker claims that you can start a VM fast, that it has overhead comparable to a container, and that it provides isolation! It's what Amazon uses for Lambda, so it should be enough for me.

On the other hand, Firecracker is a pain if you aren't a freaking Amazon SRE, which I am really not, but ...

Ignite is a VM manager that has a "container UX" and can manage VMs declaratively!

So I set out to run ignite on my server. And guess what? It works!

It's packaged for Arch, which is what I am using, so I just installed it, run a couple of scripts to create a VM:

[ralsina@pinky faas]$ cat build.sh
#!/bin/sh -x
# Create and configure a VM with faasd in it
set -e

NAME=faas

waitport() {
    while ! nc -z $1 $2 ; do sleep 1 ; done
}

sudo ignite create weaveworks/ignite-ubuntu \
        --cpus 2 \
        --memory 1GB \
        --size 10GB \
        --ssh=id_rsa.pub \
        -p 8082:8081 \
        --name $NAME

sudo ignite vm start $NAME

IP=$(sudo ignite vm ls | grep faas | cut -f9 -d\        )
waitport $IP 22

ssh -o "StrictHostKeyChecking no" root@$IP mkdir -p /var/lib/faasd/secrets
ssh root@$IP "echo $(pass faas.ralsina.me) > /var/lib/faasd/secrets/basic-auth-password"
scp setup.sh root@$IP:
ssh root@$IP sh setup.sh

# Login
export OPENFAAS_URL=http://localhost:8082
ssh root@$IP cat /var/lib/faasd/secrets/basic-auth-password | faas-cli login --password-stdin

# Setup test function
faas-cli store deploy figlet

echo 'Success!' | faas-cli invoke figlet

[ralsina@pinky faas]$ cat setup.sh
#!/bin/sh -x

set -e
apt update
apt upgrade -y
apt install -y git

git clone https://github.com/openfaas/faasd
cd faasd
./hack/install.sh

If you run build.sh it will create a ubuntu-based VM with Faasd installed, start it, map a port to it, setup SSH keys so you can ssh into it, and configure authentication for Faasd so you can log into that too.

Does it work?

Indeed it does!

Are there any problems?

There is one and it's pretty bad.

If the server closes badly (and that means: without explicitly shutting down the VM), the VM gets corrupted, every time. It either ends in a "Running" state in ignite while it's dead in containerd, or the network allocation is somehow duplicated and denied, or one of half a dozen other failure states at which point it's easier to remove everything in /var/lib/firecracker and recreate it.

Is it easy to deploy stuff?

You betcha! Here's an example from https://nombres.ralsina.me, if I run build.sh it builds it, deploy.sh deploys it, the actual code is in the busqueda/ and historico/ folders.

It's very simple to write code, and it's very simple to deploy.

If I found a better way to handle the VMs I would consider this finished.

CORS config for FaaS

2022-07-21 13:05

Because I want to be able to deploy random python code easily to my own server, I have setup a "Function as a Service" thing, called faasd (think of it as poor people's AWS lambda). More details on how, why and how it turned out will come in the future. BUT: this explains how to fix the unavoidable headache CORS will give you.

Situation:

The Faasd server runs in some machine, which is proxied by a Nginx server available at https://faasd.ralsina.me
Apps are just HTML pages somewhere inside either https://ralsina.me or some other similar domain.

What will happen?

You will setup your function, test it out using curl, be happy it works, then set it up in your web app and get an error in the console about how CORS is not allowing the request.

What is CORS and why is it annoying me?

CORS is a way for a service living in a certain URL to say which other URLs are allowed to call it. So, if the app are in, say, https://nombres.ralsina.me and the function lives in https://faas.ralsina.me then the ORIGIN for the app is not the same as the ORIGIN for the function, so this is a "Cross Origin Request" and you are trying to do "Cross Origin Resource Sharing" (CORS) and the browser won't let you.

How do I fix it?

There are a number of fixes you can try, but they all come down to the same two basic approaches:

Option 1

Make it so the request is not cross-source. To do that, move the function somehow into the same URL as the page, and bob's your uncle.

So, just change the proxy config so nombres.ralsina.me/functions is proxied to the faasd server's /functions and change the page to use a request that is not cross-origin, and that's fixed.

I don't want to do this because I don't want to have to setup the proxy differently for each app.

Option 2

Have the function return a header that says "Access-Control-Allow-Origin: something". That "something" should be the origin of the request (in our example nombres.ralsina.me) or "*" to say "I don't care".

So, you may say "Fine, I'll just add that header in my response and it will work!". Oh sweet summer child. That will NOT work (at least not in the case of Faasd)

Why?

Because web browsers don't just make the request they want and then look at the headers. They do a special preflight request, which is something like "Hey, server, if I were to ask you to give me /functions/whatever from this origin, would you give me a CORS permission or not?"

That request is done using the OPTIONS HTTP method, and Faasd (and, to be honest, most web frameworks) will not process those by passing them to your code.

So, even if your function says CORS is allowed, you still will get CORS errors.

You can see this if you examine your browser's HTTP traffic using the developer tools. There will be an OPTIONS preflight request, and that one doesn't have the header.

So, the easiest thing is to add those in the proxy.

So, in my case, in the proxy's nginx.conf, I had to add this in "the right place":

  add_header 'Access-Control-Allow-Origin' '*';

What is the right place will vary depending on how you have configured things. But hey, there you go.

Mi solución de backup

2022-07-15 15:25

Intro

¿Los backups son importantes, ok? Yo lo sé, vos deberías saberlo. ¿Entonces, por qué la mayoría no tiene backups decentes de sus compus?

Porque la mayoría de las maneras de hacer backups son inconvenientes o inútiles.

Así que acá está la solución que yo implementé, que hace mis backups útiles y convenientes.

La herramienta de backup en sí

Uso restic porque está buena. Funciona, es rápida, es eficiente con el espacio, y es fácil.

Nada más hay que escribir un script como este:

#!/bin/bash -x

# Backup dónde?
MOUNTDIR=/backup
BACKUPDIR=$MOUNTDIR/backup-$HOSTNAME

if [ -d $BACKUPDIR ]
then
    # Backups con password
    export RESTIC_PASSWORD=passwordgoeshere

    # Backup qué cosa?
    restic -r $BACKUPDIR --verbose backup \
            /home/ralsina \
            --exclude ~ralsina/.cargo \
            --exclude ~ralsina/.local/share/Steam/ \
            --exclude ~ralsina/.cache \
            --exclude ~ralsina/.config/google-chrome/ \
            --exclude ~ralsina/.rustup \
            --exclude ~ralsina/.npm \
            --exclude ~ralsina/.gitbook \
            \
            /etc/systemd/system/backup.* \
            /usr/local/bin

    # Guardar un backup por día de los últimos 7 días que hay backups
    restic -r $MOUNTDIR/backup-pinky forget --prune --keep-daily=7
    # Limpieza
    restic -r $MOUNTDIR/backup-pinky prune
    # Asegurate que están en disco
    sync; sync; sync; sync
fi

La regla 3-2-1 de los backups

Dice la regla 3-2-1:

3 copias de los datos (1 backup primario, dos secundarios)
2 medios de almacenamiento distinto
1 remoto

En mi caso, es así:

Backup primario es en el disco
Backup secundario es a disco en otra máquina (un script similar, usando sftp)
Backup terciario a un pen drive (medio distinto) que después va en mi bolsillo (remoto)

Para hacer los backups primario y secondario son dos versiones de ese script (en realidad el mismo script, con argumentos).

El backup terciario es un poco más complicado, porque quiero que sea conveniente.

La manera conveniente de hacer backup a un medio removible

Esta es mi "user story":

Como persona que quiere un backup offsite pero no tiene ganas de transmitir todos esos datos, quiero enchufar un pen drive en la máquina a backupear y que AUTOMÁTICAMENTE se haga el backup de los datos al pen drive.

Entonces, cuando en algún momento el backup termine, lo puedo desenchufar y llevármelo.

Digamos que encontrar la forma de hacer eso me tomó varias horas y estoy bastante seguro que mi solución es más complicada de lo necesario. Pero bueno, funciona, así que está bien.

Siendo esto Linux en el año 2022 ... esta solución implica systemd. Y porque es systemd, es complicado.

Automount

Lo primero es montar el pen drive automáticamente en un lugar conocido. Para eso se necesitan dos cosas. Un servicio de automount, para que systemd monte algo en /backup:

/etc/systemd/system/backup.automount

[Unit]
Description=Automount Backup

[Automount]
Where=/backup
TimeoutIdleSec=5min

[Install]
WantedBy=multi-user.target

Y un servicio de mount, para que sepa qué se monta en /backup y cómo:

/etc/systemd/system/backup.mount

[Unit]
Description=Backup
Wants=backup.service
Before=backup.service

[Mount]
What=/dev/disk/by-uuid/74cac511-4d7a-4221-9c0f-e554de12fbf1
Where=/backup
Type=ext4
Options=auto

[Install]
WantedBy=multi-user.target

Las partes interesantes son:

Wants y Before: ese backup.service v a a ser un servicio systemd que efectivamente corre el script de backup. Queremos que lo haga, y que lo haga DESPUÉS de que el pen drive se haya montado.
Where y What: "Where" dónde se monta y "What" es el UUID del pen drive como lo muestra sudo blkid

Hay que habilitar e iniciar el servicio automount, no hace falta hacer nada con el de mount.

Por supuesto después viene el servicio de backup en sí. Es un "oneshot": cuando arranca ejecuta el script de backup:

/etc/systemd/system/backup.service

[Unit]
Description=Backup
Requires=backup.mount
After=backup.mount

[Service]
Type=oneshot
ExecStart=/usr/local/bin/backup.sh

[Install]
WantedBy=multi-user.target

Hay que habiliatarlo pero no hacer "start". Ya que está en el "Wanted" del mount, cuando el dispositivo se monta el backup se ejecuta.

O ASÍ SERÍA EN UN MUNDO EN EL QUE LAS COSAS TIENEN SENTIDO

Lamentablemente el dispositivo solo se monta cuando, después de ser insertado, alguien trata de usar el mountpoint. Así que con estos servicios nada pasa hasta que, después de enchufar el pen drive uno va y hace algo como ls /backup, lo que dispara el mount, que a su vez inicia el script de backup.

¿Y cómo se arregla? Ni idea. Mi workaround fue agregar OTROS DOS SERVICIOS, así ls /backup se ejecuta una vez por minuto.

/etc/systemd/system/backup_try.timer

[Unit]
Description=Try to run backup

[Timer]
OnUnitActiveSec=1min

[Install]
WantedBy=timers.target

/etc/systemd/system/backup_try.service

[Unit]
Description=Trigger Backup

[Service]
Type=oneshot
ExecStart=/bin/ls /backup

[Install]
WantedBy=multi-user.target

Y con eso, sí, puedo enchufar el pen drive cuando llego a la oficina a la mañana y desenchufarlo más tarde, sabiendo que tiene un backup de hoy adentro.

Radxa Zero!

2022-07-12 19:49

Lo qué?

Las Raspberry Pi son útiles, buenas y baratas. Excepto por un detalle: es imposible comprarlas.

No hay stock de Raspberry PI 4, no hay stock de Raspberry Pi Zero 2W, no hay stock de nada, excepto Pi Pico (que son microcontroladores) y Pi 400 (que no son lo que quiero).

Entonces busqué alternativas, y encontré la buena gente de Allnet China que vende la línea Rock Pi.

¿Cómo son las Rock Pi?

Son ... parecidas a las Raspberry
En hardware, en algunos casos, son mejores!
En software ... están un poco más crudas.
En compatibilidad son más complicadas.

Pero ... HAY STOCK y A BUEN PRECIO y MANDAN A ARGENTINA!

Así que me compre un par de Radxa Zeros. Son como una Pi Zero ... pero la CPU es mas o menos como la de una Pi 4????

Tuve un problemita inicialmente para pagarlo pero me lo resolvieron de inmediato y me upgradearon el shipping a FedEx, así que llegaron en dos semanas y no pagué aduana.

Eso sí, FedEx no te avisa que cuando te lo traen te van a cobrar "algo", y no te dicen cuánto ni que tenés que pagar cash.

En mi caso fueron $5400 y no me avisaron a tiempo asi que tuve que esperar un día extra.

Y qué tal andan?

Hermoso. La CPU es rápida. Manjaro anda 10 puntos (una vez que entendí como instalarlo).

Tiene eMMC así que no necesita tarjeta SD!

Un problema es que no he podido hacer andar mi display 1920x480 (hay solo una mención de otra persona en la Internet intentándolo, tampoco le anduvo)

Salvo eso? Excelente.

Estoy migrando mi server Pinky a una Radxa, ya que la tengo y consume lo mismo que la Pi 3

Si bien leí varias advertencias sobre que se pueden recalentar no parecen pasar de los 48 grados en uso normal.

En general, las recomiendo, pero cada uno tendrá que ver cuánto quiere gastar y para qué.

The cases I built for my mini servers

2022-07-04 23:23

I have written a couple posts about my raspberry-pi home servers. And people seem to like the cases I 3d-printed for them.

Well, if you liked them here they are.

For a Raspberry pi 3-based server you need:

The case itself
Caps to lock each disk in its slot: 1 and 2
Cap to lock the pi in its slot

For a Raspberry pi 4-based server you need:

The case itself
Caps to lock each disk in its slot: 1 and 2
Cap to lock the pi in its slot

All these are just the following designs from thingiverse slapped together:

Pi 3 sleeve case: here
Pi 4 sleeve case: here
HDD case: here

They work better (or at all!) if you use a powered USB hub. There is no room in the case for it, just buy one you like and glue it to the side :-)

Case with a USB server glued to it

Ralsina.Me — El sitio web de Roberto Alsina

Publicaciones sobre linux (publicaciones antiguas, página 21)