Kubernetes in rootless docker

gautaz · February 22, 2024, 2:58pm

Hello,

I am trying to use kind (kubernetes in docker) with my rootless docker installation on NixOS.

I am following this documentation: kind – Rootless

One step is to ensure that the file /etc/systemd/system/user@.service.d/delegate.conf contains the following:

[Service]
Delegate=yes

Is there any already existing NixOS option to ensure that?
I browsed the systemd options but I am not sure if any of it fulfills the need…

If no NixOS option works, what would be the best way to add this file to the system with nix flakes?

papanito · March 9, 2024, 4:32pm

I tried the following

  systemd.services."user@".serviceConfig.Delegate="cpu cpuset io memory pids";

  systemd.packages = [(
    pkgs.writeTextFile {
      name = "delegate.conf";
      text = ''
      [Service]
      Delegate=yes
      '';
      destination = "/etc/systemd/system/user@.service.d/delegate.conf";
    })];

Which actually creates the desired file, but even after daemon-reload I still get the error

ERROR: failed to create cluster: running kind with rootless provider requires setting systemd property “Delegate=yes”, see kind – Rootless

Remark: The first line also defines Delegate, as this is apparently for k3s

gautaz · March 10, 2024, 12:00pm

In the meantime, I have switch to podman for the following reasons:

it’s built to be rootless from the beginning
gpu access seem to work well (even in rootless mode)
I was able to create a kind cluster with it (but I didn’t have time to test a workload deployment on it)

I did not either test gpu access from within the kind cluster, that’s for a next step.

papanito · March 17, 2024, 12:37pm

I also use podman, still kind does not run .I can start a container using podman

podman run nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2024/03/17 13:09:26 [notice] 1#1: using the "epoll" event method
2024/03/17 13:09:26 [notice] 1#1: nginx/1.25.4
2024/03/17 13:09:26 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14)
2024/03/17 13:09:26 [notice] 1#1: OS: Linux 6.7.7
2024/03/17 13:09:26 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 524288:524288
2024/03/17 13:09:26 [notice] 1#1: start worker processes
2024/03/17 13:09:26 [notice] 1#1: start worker process 24
...

papanito · March 17, 2024, 1:26pm

I can do this, which actually starts a cluster

systemd-run --scope --user kind create cluster
Running as unit: run-rabf1207a1e7c478b9d077dd13535f895.scope; invocation ID: 52456500a8a04ef493ce903e5d2e430f
enabling experimental podman provider
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.29.2) 🖼
 ✓ Preparing nodes 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹
 ✓ Installing CNI 🔌
 ✓ Installing StorageClass 💾
Set kubectl context to "kind-kind"
You can now use your cluster with: