diff --git a/GPU_passthrough/readme.md b/GPU_passthrough/readme.md
index de3e54e..46c047b 100644
--- a/GPU_passthrough/readme.md
+++ b/GPU_passthrough/readme.md
@@ -4,39 +4,51 @@ Intel VT-d & VT-x – Intel Compatible list All AMD CPUs from Bulldozer onwards should be compatible. 2) Get device IDs: -lspci -nn +`lspci -nn` 3) Enable IOMMU in GRUB (check Intel or AMD commands below - choose the right one) nano /etc/default/grub -GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt" -GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on" -save and exit -5) run the command "update-grub" -now reboot +`GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt"` -6) Enable VFIO Modules -nano /etc/modules +`GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on"` + +Verify that IOMMU is enabled by running `dmesg | grep -e DMAR -e IOMMU` and looking for a line indicating it is enabled + +Save and exit + +4) run the command `"update-grub"` now reboot + +5) Enable VFIO Modules +`nano /etc/modules` Add the following modules: +``` vfio vfio_iommu_type1 vfio_pci vfio_virqfd +``` Then, save and exit -Next run: -update-initramfs -u -k all -and reboot +6) `update-initramfs -u -k all` and reboot -7) GPU Isolation From the Host (amend the below to include the IDs of the device you want to isolate) -echo "options vfio-pci ids=10de:1381,10de:0fbc disable_vga=1" > /etc/modprobe.d/vfio.conf +Verify the modules are enabled with `dmesg | grep -i vfio` and checking the driver version line is present + +8) GPU Isolation From the Host (amend the below to include the IDs of the device you want to isolate) + +`echo "options vfio-pci ids=10de:1381,10de:0fbc disable_vga=1" > /etc/modprobe.d/vfio.conf` 8) Blacklist GPU drivers (here are all that you would ever need) +``` echo "blacklist radeon" >> /etc/modprobe.d/blacklist.conf echo "blacklist nouveau" >> /etc/modprobe.d/blacklist.conf echo "blacklist nvidia" >> /etc/modprobe.d/blacklist.conf echo "blacklist nvidiafb" >> /etc/modprobe.d/blacklist.conf echo "blacklist nvidia_drm" >> /etc/modprobe.d/blacklist.conf +``` + +Reboot your machine, be sure to use the web gui because with the gpu passed through you will no 
longer get video out.
+The start up will begin but then appear to hang even though proxmox has started fine.
 9) Create a new VM and add the GPU via hardware menu You may need to set it as primary GPU
diff --git a/Immich/docker-compose.yaml b/Immich/docker-compose.yaml
index f1f2c53..83e44db 100644
--- a/Immich/docker-compose.yaml
+++ b/Immich/docker-compose.yaml
@@ -9,10 +9,11 @@ services: - /home/ubuntu/docker/immich/upload:/usr/src/app/upload env_file: - .env + ports: + - 2283:3001 depends_on: - redis - database - - typesense restart: always immich-microservices:
@@ -29,7 +30,6 @@ services: depends_on: - redis - database - - typesense restart: always immich-machine-learning:
@@ -41,25 +41,6 @@ services: - .env restart: always - immich-web: - container_name: immich_web - image: ghcr.io/immich-app/immich-web:${IMMICH_VERSION:-release} - env_file: - - .env - restart: always - - typesense: - container_name: immich_typesense - image: typesense/typesense:0.24.1@sha256:9bcff2b829f12074426ca044b56160ca9d777a0c488303469143dd9f8259d4dd - environment: - - TYPESENSE_API_KEY=${TYPESENSE_API_KEY} - - TYPESENSE_DATA_DIR=/data - # remove this to get debug messages - - GLOG_minloglevel=1 - volumes: - - /home/ubuntu/docker/immich/tsdata:/data - restart: always - redis: container_name: immich_redis image: redis:6.2-alpine@sha256:70a7a5b641117670beae0d80658430853896b5ef269ccf00d1827427e3263fa3
@@ -67,7 +48,7 @@ services: database: container_name: immich_postgres - image: postgres:14-alpine@sha256:28407a9961e76f2d285dc6991e8e48893503cc3836a4755bbc2d40bcc272a441 + image: tensorchord/pgvecto-rs:pg14-v0.1.11 env_file: - .env environment:
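Review bot: The new `ports: - 2283:3001` entry on the `immich-server` service publishes the container port on every host interface, and after this commit it is the only published port in the file, since the `immich-proxy` service that previously carried `2283:8080` is removed in the last hunk. If a reverse proxy on the same host still fronts Immich (the removed comment in the last hunk refers to Traefik), binding to loopback keeps the upstream reachable only through that proxy, e.g. `- "127.0.0.1:2283:3001"`; quoting the mapping is also the usual Compose convention for port strings. The `immich-server` service definition starts before this hunk.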
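Review bot: The replacement `image: tensorchord/pgvecto-rs:pg14-v0.1.11` on the `database` service drops the digest pin that the removed `postgres:14-alpine@sha256:…` line carried, while the `redis` service in this file stays digest-pinned, so the database container can now change under a mutable tag between pulls. Pin the new image the same way, `image: tensorchord/pgvecto-rs:pg14-v0.1.11@sha256:<DIGEST-OF-THE-PULLED-IMAGE>`, with the digest taken from the image that was actually pulled and tested. The existing `/home/ubuntu/docker/immich/pgdata` volume is reused by the new image; whether the on-disk cluster written by the previous image is compatible with it cannot be judged from this hunk.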
@@ -78,18 +59,4 @@ services: - /home/ubuntu/docker/immich/pgdata:/var/lib/postgresql/data restart: always - immich-proxy: - container_name: immich_proxy - image: ghcr.io/immich-app/immich-proxy:${IMMICH_VERSION:-release} - environment: - # Make sure these values get passed through from the env file - - IMMICH_SERVER_URL - - IMMICH_WEB_URL - ports: - - 2283:8080 - depends_on: - - immich-server - - immich-web - restart: always - ## there is a known issue with Traefik: see here https://github.com/immich-app/immich/discussions/437#discussioncomment-3609797
diff --git a/Kubernetes/Rancher-Deployment/readme.md b/Kubernetes/Rancher-Deployment/readme.md
index 17ec073..2df141f 100644
--- a/Kubernetes/Rancher-Deployment/readme.md
+++ b/Kubernetes/Rancher-Deployment/readme.md
@@ -42,3 +42,73 @@ kubectl get svc -n cattle-system # Go to Rancher GUI Hit the url… and create your account Be patient as it downloads and configures a number of pods in the background to support the UI (can be 5-10mins) + +# Bonus: Accessing Rancher through Ingress (Traefik) +Do you want that precious green lock in your URL bar? If you have Traefik (or another Kubernetes Ingress controller) +deployed and a Let's Encrypt issuer with Cert-Manager, the Rancher Helm chart offers support to automatically configure +an ingress route with TLS certificate injection to access the Rancher UI via the `rancher` Kubernetes Service created +by the Helm install (`kubectl -n cattle-system get service`). This can be configured retroactively after your initial +`helm install ...`, but is a bit simpler to set up as part of your initial Rancher installation if you have the +prerequisites in place. + +You first need to save the TLS certificate and key that you want Traefik to use for Rancher as a Kubernetes Secret +called `tls-rancher-ingress`. You can do this manually, or let Cert-Manager generate a certificate for you and +store it in a Secret, using `kubectl` to create a Kubernetes Certificate resource to generate the certificate and +populate the Secret for you: +```yaml +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: rancher-my-org + namespace: cattle-system +spec: + commonName: rancher.my.org + dnsNames: + - rancher.my.org + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + secretName: tls-rancher-ingress +``` +This can take anywhere from a few minutes to 15-20 minutes to generate, so sit tight. You'll know it is ready when +the certificate's `Ready` status shows `True` in the output of: +```bash +kubectl -n cattle-system get certificate rancher-my-org +``` +While you're waiting, make sure that your DNS record for `rancher.my.org` points to your Traefik deployment, +instead of a LoadBalancer IP from kubeVIP. 
+This can be an CNAME record using your Traefik FQDN, or an A record using the same IP address as Traefik. + +Once the certificate and DNS record are ready, you can run your Rancher installation with one extra value set to +configure your Ingress provider to use your custom certificate: +```bash +helm install rancher rancher-latest/rancher \ + --namespace cattle-system \ + --set hostname=rancher.my.org \ + --set bootstrapPassword=admin \ + --set ingress.tls.source=secret +``` +If you are doing this after already installing Rancher (with the default setting of `ingress.tls.source=rancher`), +you can overwrite the self-generated `tls-rancher-ingress` secret with your own certificate, then update your +deployment. You may want to get your current Rancher version using `helm ls -n cattle-system` and provide it +in your `helm upgrade` command so you don't unexpectedly upgrade your Rancher version. +```bash +helm upgrade rancher rancher-stable/rancher \ + --namespace cattle-system \ + --set hostname=rancher.my.org \ + --set ingress.tls.source=secret \ + --version +``` +## Ingress TLS Troubleshooting +You can validate the contents of your `tls-rancher-ingress` Secret using commands like this: +```bash +kubectl -n cattle-system get secret tls-rancher-ingress -o jsonpath='{.data}' | jq '."tls.crt"' | tr -d '"' | base64 --decode | openssl x509 -text +``` +If you previously had your `rancher.my.org` DNS record associated with your LoadBalancer IP, your browser may be caching +that old record. You may need to clear your browser's DNS cache, use an Incognito/Private window, etc. + +There are also helpful instructions covering a handful of situations in Rancher's documentation: +* [Adding TLS Secrets](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/resources/add-tls-secrets) +* [Update Rancher Certificate](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/resources/update-rancher-certificate) + 
diff --git a/Traefik-Secure/docker-compose.yaml b/Traefik-Secure/docker-compose.yaml
index 543404a..4cb674c 100644
--- a/Traefik-Secure/docker-compose.yaml
+++ b/Traefik-Secure/docker-compose.yaml
@@ -29,18 +29,20 @@ services: labels: - "traefik.enable=true" - "traefik.http.routers.traefik.entrypoints=http" # restricts dashboard to internal entrypoint - - "traefik.http.routers.traefik.rule=Host(`traefik-docker.yourdomain.com`)" + - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.yourdomain.co.uk`)" # if you want a internal domain, get the wildcard cert for it and then choos traefik-dashboard.home.yourdomain.co.uk or what you want - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:password-hash" - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https" - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https" - "traefik.http.routers.traefik.middlewares=traefik-https-redirect" - "traefik.http.routers.traefik-secure.entrypoints=https" - - "traefik.http.routers.traefik-secure.rule=Host(`traefik-docker.yourdomain.com`)" + - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.yourdomain.co.uk`)" # if you want a internal domain, get the wildcard cert for it and then choos traefik-dashboard.home.yourdomain.co.uk or what you want - "traefik.http.routers.traefik-secure.middlewares=traefik-auth" - "traefik.http.routers.traefik-secure.tls=true" - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare" - - "traefik.http.routers.traefik-secure.tls.domains[0].main=yourdomain.co.uk" - - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.yourdomain.co.uk" + #- "traefik.http.routers.traefik-secure.tls.domains[0].main=home.yourdomain.co.uk" # If you want *.home.yourdomain.co.uk subdomain or something else, you have to get the certifcates at first + #- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.home.yourdomain.co.uk" # get a wildcard certificat for your .home.yourdomain.co.uk + - "traefik.http.routers.traefik-secure.tls.domains[0].main=yourdomain.co.uk" #if you use the .home.yourdomain.co.uk entry you have to change the [0] into [1] + - 
"traefik.http.routers.traefik-secure.tls.domains[0].sans=*.yourdomain.co.uk" # same here, change 0 to 1 - "traefik.http.routers.traefik-secure.service=api@internal" networks:
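Review bot: The two commented-out `tls.domains[0]` lines and the live `tls.domains[0].main`/`.sans` lines share the same index, so uncommenting the first pair without also renumbering the live pair (the step the trailing comment asks for) leaves two labels with the same key, and which value Docker keeps is not obvious from here. Writing the optional pair with the next index removes that manual step: `#- "traefik.http.routers.traefik-secure.tls.domains[1].main=home.yourdomain.co.uk"` and `#- "traefik.http.routers.traefik-secure.tls.domains[1].sans=*.home.yourdomain.co.uk"`, with the live pair left at `[0]` and the "change the [0] into [1]" comments dropped. The long inline comment repeated verbatim on the two `Host()` rule lines has typos ("a internal", "choos", "certifcates") and would read better as one comment above the `labels:` block. The `traefik` service definition that owns these labels starts before this hunk.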