Ortelius Blog

Topics include Supply Chain Security, Microservice Management, Neat Tricks, and Contributor insights.

How to Bake an Ortelius Pi Part 2 | The Preparation

raspberry-pi-4b

Introduction

In part 1, of this series we installed Ubuntu Server 22.04.4 LTS on our Raspberry Pis. In Part 2 we will prepare our three Pis for DHCP, DNS, NFS (Network File System) storage with a Synology NAS and install MicroK8s.

Roadmap

networking --> orchestrator --> storage --> certificate store --> load balancer --> proxy/api gateway --> evidence store --> cloudflare --> observability --> secret store --> ZeroTier --> everything else

IP Addresses and DHCP

We need to give the Pis a home address so that they are contactable and this is where either a static IP addresse or DHCP comes in. Your home internet router generally comes with DHCP pre-configured. I use the tp-link | AX5400 Wi-Fi 6 Router and so I will use my router as the example here.

  • Login to your home router with your browser and look for your DHCP configuration
  • Mine is Network –> DHCP Server
18-dhcp-network-button

19-dhcp-server-button

  • Here you will see the IP pool range that your router is handing out to your device on your home network
  • I don’t want the entire range to be handed out as I need at least two static IP’s to be availble for the Metallb load balancer which will run in Kubernetes and one for the Synology NAS.
20-dhcp-server-range

  • My Pi’s have the following IPs which I have reserved with their mac addresses
  • You can get the mac addresses from the DHCP list of IPs handed out to your Pis
  • Reserving an IP means you tell DHCP to always give these devices the same IP and never to any other device so in a sense making sure they stay static
21-dhcp-server-reservation


DNS

Local.gd

If you don’t have something like NextDNS or similar you can use local.gd which works very well and is very easy to setup.

A easy way to serve localhost is to use DNS that always resolves to 127.0.0.1. For example you could use ortelius.local.gd when developing locally and it will resolve to 127.0.0.1. Any subdomain like *.local.gd will work. Its the easiest way to serve localhost as its DNS that always resolves to 127.0.0.1.

  • The use of subdomains and sub-sub-domains work too as in the example below
$ dig startup.local.gd
ortelius.local.gd.                  86400 IN A 127.0.0.1

$ dig www.startup.local.gd
www.ortelius.local.gd.              86400 IN A 127.0.0.1

$ dig my.project.company.local.gd
aliens.are.real.ortelius.local.gd.  86400 IN A 127.0.0.1

$ dig alderaan.local.gd
xrpl.local.gd.                      86400 IN A 127.0.0.10.0.1
  • Edit localhosts on Linux and Mac here with sudo rights sudo vi /etc/hosts
  • Edit Windows localhosts file here as administrator windows\System32\drivers\etc\hosts

NextDNS

For DNS I use NextDNS but this is not just DNS its complete protection for all your devices no matter where you go in the world for all your devices including your Pi MicroK8s nodes. It will use 127.0.0.1:53 to resolve your local IPs but to do that we need to do some configuration by logging into the NextDNS portal and installing the cli.

Take note

NextDNS is free up to 300,000 queries/month, once you reach that limit resolution stops.

  • Think of a domain name for your environment mine is pangarabbit.com
  • Go to the NextDNS Wiki here
  • Install the cli on each Pi and on your NAS so that you can SSH into your NAS and install NextDNS
  • Here is a doc on how to configure SSH for a Synology NAS
sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'
  • Run sudo nextdns config to view your config
  • Run sudo nextdns config edit to edit for each Pi and NAS and configure like this
debug false
cache-size 10MB
max-ttl 5s
mdns all
cache-max-age 0s
use-hosts true
auto-activate true
listen localhost:53
profile <your profile id goes here>
log-queries false
report-client-info true
discovery-dns
hardened-privacy false
timeout 5s
setup-router false
control /var/run/nextdns.sock
detect-captive-portals false
bogus-priv true
max-inflight-requests 256
  • Run sudo nextdns restart to restart the service
  • Run sudo nextdns status to check the service status
  • Then in your NextDNS portal go to Settings
nextdns settings

  • Then scroll down to Rewrites
nextdns rewrites

  • And add your private network DNS records like in this example for the Pis and your NAS
nextdns records

nextdns records nas

  • NextDNS will instantly auto refresh all your NextDNS agents with any configuration changes

Great DNS is done!

NFS Prep

Enable NFS on the Synology

  • Login to the Synology and go to File Services
synology file services

  • On the SMB/AFP/NFS tab and scroll until you see NFS and enable NFS and enable NFSv4 support
synology nfs services


synology nfs services

Configure Shared Folder

  • Go to File Sharing
synology file services

  • Click Create
synology file services

  • Create a name for your folder share, I used Pi8s
synology file services

  • Skip encryption
  • Apply your config

synology file services

  • Right click your newly created Shared Folder and select Edit
synology file services

  • Select Permissions tab
synology file services

  • Select Local usersdrop down and give the admin Read/Write permissions by checking the box
synology file services

synology file services

  • Select NFS Permissions and then Create
synology file services

synology file services

  • Configure like this then click OK
synology file services

  • This 192.168.0.0/24 indicates that only the devices on this subnet can access NFS

  • You would need to change it to your network subnet which you can get from your DHCP configuration

  • Congrats you just configured the Synology for NFS!

OS Prep

Pis | Ubuntu Server 22.04.4 LTS

  • Update all packages to the latest on each Pi with sudo apt update -y && sudo apt upgrade -y then go and make coffee

Kubectl | Your machine

  • Kubectl docs here
  • Kubectl quick reference here
  • Install Kubectl here on your local machine
  • Install and setup Kubectl on Mac here
  • Install and setup Kubectl on Windows here
  • Install and setup Kubectl on Linux here

Helm | Your machine

  • Helm docs here
  • Helm cheat sheet here
  • Install Helm here on your local machine
  • Install Helm with Homebrew package manager brew install helm generally used on Mac
  • Install Helm with Chocolatey windows package manager choco install kubernetes-helm

MicroK8s Prep

Microk8s Installation

  • SSH into each Pi and configure the Pi BIOS sudo vi /boot/firmware/cmdline.txt and add the following cgroup_enable=memory cgroup_memory=1
  • Below is the config from my Pi as an example
cgroup_enable=memory cgroup_memory=1 console=serial0,115200 dwc_otg.lpm_enable=0 console=tty1 root=LABEL=writable rootfstype=ext4 rootwait fixrtc quiet splash
  • Install Kernel Modules sudo apt install linux-modules-extra-raspi
  • Referenced from here
  • Install Microk8s on each Pi
sudo snap install microk8s --classic
  • This installs the latest version of Microk8s

Create highly available 3 node cluster with MicroK8s

MicroK8s uses Dqlite as a highly available SQLite database to store the Kubernetes logic without any configuration. In Canonicals own words High-availability SQLite Dqlite is a fast, embedded, persistent SQL database with Raft consensus that is perfect for fault-tolerant IoT and Edge devices.

  • Choose a Pi to start the process, I used pi01
  • SSH onto pi01 and run this command on pi01
sudo microk8s add-node
  • You will need to do this 3 times on the same node and each time you will need to copy the unique join instruction with the unique key for each node you wish to join
  • This will return some joining instructions which should be executed on the MicroK8s instance that you wish to join to the cluster (NOT THE NODE YOU RAN add-node FROM)
# EXAMPLE from Canonicals docs
From the node you wish to join to this cluster, run the following:
microk8s join 192.168.1.230:25000/92b2db237428470dc4fcfc4ebbd9dc81/2c0cb3284b05

Use the '--worker' flag to join a node as a worker not running the control plane, eg:
microk8s join 192.168.1.230:25000/92b2db237428470dc4fcfc4ebbd9dc81/2c0cb3284b05 --worker

If the node you are adding is not reachable through the default interface you can use one of the following:
microk8s join 192.168.1.230:25000/92b2db237428470dc4fcfc4ebbd9dc81/2c0cb3284b05
microk8s join 10.23.209.1:25000/92b2db237428470dc4fcfc4ebbd9dc81/2c0cb3284b05
microk8s join 172.17.0.1:25000/92b2db237428470dc4fcfc4ebbd9dc81/2c0cb3284b05
  • Referenced from here
  • On the same Pi run sudo microk8s config
  • This will return config you will need to access your Microk8s cluster
  • On your computer you will need to configure Kubectl by editing your kube config
  • My Kubectl configuration is here on my Mac /Users/<username>/.kube/config
- cluster:
    certificate-authority-data: <your certificate authority data goes here>
    server: https://<your local network IP for your Pi goes here>:16443
  name: microk8s-cluster
- context:
    cluster: microk8s-cluster
    namespace: default
    user: <your user goes here>
  name: microk8s
users:
- name: <your user goes here>
  user:
    client-certificate-data: <your client certificate data goes here>
  • Kubectl quick reference here
  • Use Kubectl to connect to your cluster
  • To view your current kube config
kubectl config view
  • Get your available contexts
kubectl config get-context
  • Switch context to Microk8s
kubectl config use-context microk8s
  • Run the following to see all namespaces
kubectl get ns
  • Run the following to see all pods
kubectl get pods --all-namespaces

Well done you have now setup your Microk8s Kubernetes cluster with DHCP, DNS and preparation for NFS.

Conclusion

By this stage you should have three Pi’s each with MicroK8s in an HA configuration and a Synology ready with NFS for centralised storage. Stay tuned for Part 3 where we will use GitOps using Gimlet as the UI to Fluxcd to deploy the following CSI Driver NFS for Kubernetes, Cert Manager, MetalLB Load Balancer, Traefik Proxy and Ortelius.

Next Steps

How to Bake an Ortelius Pi | Part 3 | The GitOps Configuration

Meet the Author


Learn More About:

Sachawharton