From 0a03c29c221d952ae36a7c695c49ba575accc608 Mon Sep 17 00:00:00 2001 From: Firef4rt <64369103+Firef4rt@users.noreply.github.com> Date: Wed, 3 Jan 2024 12:56:48 +0100 Subject: [PATCH 1/7] traefik-secure add *.home. yourdomain.co.uk entry Add to the config a .home subdomain and a wildcard cert for *.home. to separate the internally exposed services from the external ones in an easy way. --- Traefik-Secure/docker-compose.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/Traefik-Secure/docker-compose.yaml b/Traefik-Secure/docker-compose.yaml index 543404a..4cb674c 100644 --- a/Traefik-Secure/docker-compose.yaml +++ b/Traefik-Secure/docker-compose.yaml 
@@ -29,18 +29,20 @@ services: labels: - "traefik.enable=true" - "traefik.http.routers.traefik.entrypoints=http" # restricts dashboard to internal entrypoint - - "traefik.http.routers.traefik.rule=Host(`traefik-docker.yourdomain.com`)" + - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.yourdomain.co.uk`)" # if you want a internal domain, get the wildcard cert for it and then choos traefik-dashboard.home.yourdomain.co.uk or what you want - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:password-hash" - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https" - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https" - "traefik.http.routers.traefik.middlewares=traefik-https-redirect" - "traefik.http.routers.traefik-secure.entrypoints=https" - - "traefik.http.routers.traefik-secure.rule=Host(`traefik-docker.yourdomain.com`)" + - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.yourdomain.co.uk`)" # if you want a internal domain, get the wildcard cert for it and then choos traefik-dashboard.home.yourdomain.co.uk or what you want - "traefik.http.routers.traefik-secure.middlewares=traefik-auth" - "traefik.http.routers.traefik-secure.tls=true" - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare" - - "traefik.http.routers.traefik-secure.tls.domains[0].main=yourdomain.co.uk" - - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.yourdomain.co.uk" + #- "traefik.http.routers.traefik-secure.tls.domains[0].main=home.yourdomain.co.uk" # If you want *.home.yourdomain.co.uk subdomain or something else, you have to get the certifcates at first + #- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.home.yourdomain.co.uk" # get a wildcard certificat for your .home.yourdomain.co.uk + - "traefik.http.routers.traefik-secure.tls.domains[0].main=yourdomain.co.uk" #if you use the .home.yourdomain.co.uk entry you have to change the [0] into [1] + - 
"traefik.http.routers.traefik-secure.tls.domains[0].sans=*.yourdomain.co.uk" # same here, change 0 to 1 - "traefik.http.routers.traefik-secure.service=api@internal" networks: From f4c7a7983f2b9f0a7a0dc058c38a72127bc27cca Mon Sep 17 00:00:00 2001 From: StianJosok <82154520+StianJosok@users.noreply.github.com> Date: Tue, 16 Jan 2024 22:16:17 +0100 Subject: [PATCH 2/7] Update docker-compose.yaml Updated for v1.91.0 (no longer uses typesense) and v1.88.0 (no longer uses immich-web or immich-proxy, port - 2283:3001 exposed on immich-server). I'm not sure how to deal with Traefik labels or other URL stuff you had going on in there, but these are the changed made for it to function on the localhost:2283 Documentation: https://github.com/immich-app/immich/releases/tag/v1.91.0 https://github.com/immich-app/immich/discussions/5086 --- Immich/docker-compose.yaml | 39 +++----------------------------------- 1 file changed, 3 insertions(+), 36 deletions(-) diff --git a/Immich/docker-compose.yaml b/Immich/docker-compose.yaml index f1f2c53..83e44db 100644 --- a/Immich/docker-compose.yaml +++ b/Immich/docker-compose.yaml @@ -9,10 +9,11 @@ services: - /home/ubuntu/docker/immich/upload:/usr/src/app/upload env_file: - .env + ports: + - 2283:3001 depends_on: - redis - database - - typesense restart: always immich-microservices: @@ -29,7 +30,6 @@ services: depends_on: - redis - database - - typesense restart: always immich-machine-learning: 
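Review bot: The new `Host()` rules and the commented-out `*.home.yourdomain.co.uk` certificate entries only change which name and certificate a router answers for; they do not separate "internal" from "external" services as the added comments claim, because both routers still attach to the same `https` entrypoint and any client that can reach that entrypoint can simply send `Host: traefik-dashboard.home.yourdomain.co.uk`. If the `.home.` names are meant to be LAN-only, gate those routers with an IP allow-list middleware, e.g. `- "traefik.http.middlewares.internal-only.ipwhitelist.sourcerange=192.168.0.0/16,10.0.0.0/8"` and `- "traefik.http.routers.traefik-secure.middlewares=traefik-auth,internal-only"` (the middleware is spelled `ipallowlist` in Traefik v3; the Traefik version is not visible in this hunk), or bind them to a separate entrypoint that is not published to the internet. The "change the [0] into [1]" instruction is easy to get wrong; a clearer comment would be `# domains[] indices must be unique and start at 0: uncomment the home.* pair as [0] and renumber this pair to [1]`. The `traefik` service definition starts before and continues after this hunk.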
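Review bot: The added `ports: - 2283:3001` publishes the Immich server on every host interface (Docker's default bind address is 0.0.0.0), not only on `localhost:2283` as the commit message states, so the API is reachable directly from the network and bypasses anything Traefik would enforce in front of it, much as the removed `immich-proxy` mapping did. If host-local access is all that is needed, bind to loopback and quote the mapping, `- "127.0.0.1:2283:3001"`; if Traefik is the intended entry point, drop `ports:` entirely and reach the container over the shared Docker network with labels instead. Quoting the mapping also keeps it an unambiguous string for YAML 1.1 parsers. The service this hunk belongs to (presumably `immich-server`, per the commit message) starts before the hunk.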
@@ -41,25 +41,6 @@ services: - .env restart: always - immich-web: - container_name: immich_web - image: ghcr.io/immich-app/immich-web:${IMMICH_VERSION:-release} - env_file: - - .env - restart: always - - typesense: - container_name: immich_typesense - image: typesense/typesense:0.24.1@sha256:9bcff2b829f12074426ca044b56160ca9d777a0c488303469143dd9f8259d4dd - environment: - - TYPESENSE_API_KEY=${TYPESENSE_API_KEY} - - TYPESENSE_DATA_DIR=/data - # remove this to get debug messages - - GLOG_minloglevel=1 - volumes: - - /home/ubuntu/docker/immich/tsdata:/data - restart: always - redis: container_name: immich_redis image: redis:6.2-alpine@sha256:70a7a5b641117670beae0d80658430853896b5ef269ccf00d1827427e3263fa3 @@ -67,7 +48,7 @@ services: database: container_name: immich_postgres - image: postgres:14-alpine@sha256:28407a9961e76f2d285dc6991e8e48893503cc3836a4755bbc2d40bcc272a441 + image: tensorchord/pgvecto-rs:pg14-v0.1.11 env_file: - .env environment: @@ -78,18 +59,4 @@ services: - /home/ubuntu/docker/immich/pgdata:/var/lib/postgresql/data restart: always - immich-proxy: - container_name: immich_proxy - image: ghcr.io/immich-app/immich-proxy:${IMMICH_VERSION:-release} - environment: - # Make sure these values get passed through from the env file - - IMMICH_SERVER_URL - - IMMICH_WEB_URL - ports: - - 2283:8080 - depends_on: - - immich-server - - immich-web - restart: always - ## there is a known issue with Traefik: see here https://github.com/immich-app/immich/discussions/437#discussioncomment-3609797 From 9ca2135eb5255b1d26b759b13dd739a8452df192 Mon Sep 17 00:00:00 2001 From: cyberops7 <18562612+cyberops7@users.noreply.github.com> Date: Thu, 25 Jan 2024 21:59:02 -0700 Subject: [PATCH 3/7] Adding Ingress TLS notes to README --- Kubernetes/Rancher-Deployment/readme.md | 70 +++++++++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/Kubernetes/Rancher-Deployment/readme.md b/Kubernetes/Rancher-Deployment/readme.md index 17ec073..2df141f 100644 
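Review bot: The new `image: tensorchord/pgvecto-rs:pg14-v0.1.11` drops the `@sha256:` digest pin that the replaced `postgres:14-alpine` line carried and that the `redis` service in this file still uses, so the database image is now resolved by a mutable tag from a third-party namespace rather than by content digest. Pin it the same way, `image: tensorchord/pgvecto-rs:pg14-v0.1.11@sha256:<digest>`, taking the digest from the registry at review time (it is not visible here), and add a one-line comment such as `# pgvecto-rs is required by Immich >= v1.91.0 (see release notes)` so the image swap is not mistaken for an unrelated change; the exact version requirement is inferred from the commit message and should be confirmed against the linked release. The `database` service definition continues after this hunk (`environment:` and the volume mount follow).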
--- a/Kubernetes/Rancher-Deployment/readme.md +++ b/Kubernetes/Rancher-Deployment/readme.md 
@@ -42,3 +42,73 @@ kubectl get svc -n cattle-system # Go to Rancher GUI Hit the url… and create your account Be patient as it downloads and configures a number of pods in the background to support the UI (can be 5-10mins) + +# Bonus: Accessing Rancher through Ingress (Traefik) +Do you want that precious green lock in your URL bar? If you have Traefik (or another Kubernetes Ingress controller) +deployed and a Let's Encrypt issuer with Cert-Manager, the Rancher Helm chart offers support to automatically configure +an ingress route with TLS certificate injection to access the Rancher UI via the `rancher` Kubernetes Service created +by the Helm install (`kubectl -n cattle-system get service`). This can be configured retroactively after your initial +`helm install ...`, but is a bit simpler to set up as part of your initial Rancher installation if you have the +prerequisites in place. + +You first need to save the TLS certificate and key that you want Traefik to use for Rancher as a Kubernetes Secret +called `tls-rancher-ingress`. You can do this manually, or let Cert-Manager generate a certificate for you and +store it in a Secret, using `kubectl` to create a Kubernetes Certificate resource to generate the certificate and +populate the Secret for you: +```yaml +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: rancher-my-org + namespace: cattle-system +spec: + commonName: rancher.my.org + dnsNames: + - rancher.my.org + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + secretName: tls-rancher-ingress +``` +This can take anywhere from a few minutes to 15-20 minutes to generate, so sit tight. You'll know it is ready when +the certificate's `Ready` status shows `True` in the output of: +```bash +kubectl -n cattle-system get certificate rancher-my-org +``` +While you're waiting, make sure that your DNS record for `rancher.my.org` points to your Traefik deployment, +instead of a LoadBalancer IP from kubeVIP. 
+This can be an CNAME record using your Traefik FQDN, or an A record using the same IP address as Traefik. + +Once the certificate and DNS record are ready, you can run your Rancher installation with one extra value set to +configure your Ingress provider to use your custom certificate: +```bash +helm install rancher rancher-latest/rancher \ + --namespace cattle-system \ + --set hostname=rancher.my.org \ + --set bootstrapPassword=admin \ + --set ingress.tls.source=secret +``` +If you are doing this after already installing Rancher (with the default setting of `ingress.tls.source=rancher`), +you can overwrite the self-generated `tls-rancher-ingress` secret with your own certificate, then update your +deployment. You may want to get your current Rancher version using `helm ls -n cattle-system` and provide it +in your `helm upgrade` command so you don't unexpectedly upgrade your Rancher version. +```bash +helm upgrade rancher rancher-stable/rancher \ + --namespace cattle-system \ + --set hostname=rancher.my.org \ + --set ingress.tls.source=secret \ + --version +``` +## Ingress TLS Troubleshooting +You can validate the contents of your `tls-rancher-ingress` Secret using commands like this: +```bash +kubectl -n cattle-system get secret tls-rancher-ingress -o jsonpath='{.data}' | jq '."tls.crt"' | tr -d '"' | base64 --decode | openssl x509 -text +``` +If you previously had your `rancher.my.org` DNS record associated with your LoadBalancer IP, your browser may be caching +that old record. You may need to clear your browser's DNS cache, use an Incognito/Private window, etc. + +There are also helpful instructions covering a handful of situations in Rancher's documentation: +* [Adding TLS Secrets](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/resources/add-tls-secrets) +* [Update Rancher Certificate](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/resources/update-rancher-certificate) + 
From 49a531af244f1d5db97be913f651cd1dc9bbc417 Mon Sep 17 00:00:00 2001 From: rc14193 <62862738+rc14193@users.noreply.github.com> Date: Mon, 29 Jan 2024 22:03:51 -0500 Subject: [PATCH 4/7] Improve readme readability --- GPU_passthrough/readme.md | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/GPU_passthrough/readme.md b/GPU_passthrough/readme.md index de3e54e..0f3bbe8 100644 --- a/GPU_passthrough/readme.md +++ b/GPU_passthrough/readme.md 
@@ -4,39 +4,44 @@ Intel VT-d & VT-x – Intel Compatible list All AMD CPUs from Bulldozer onwards should be compatible. 2) Get device IDs: -lspci -nn +`lspci -nn` 3) Enable IOMMU in GRUB (check Intel or AMD commands below - choose the right one) nano /etc/default/grub -GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt" -GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on" -save and exit -5) run the command "update-grub" -now reboot +`GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt"` -6) Enable VFIO Modules -nano /etc/modules +`GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on"` + +Save and exit + +4) run the command `"update-grub"` now reboot + +5) Enable VFIO Modules +`nano /etc/modules` Add the following modules: +``` vfio vfio_iommu_type1 vfio_pci vfio_virqfd +``` Then, save and exit -Next run: -update-initramfs -u -k all -and reboot +6) `update-initramfs -u -k all` and reboot 7) GPU Isolation From the Host (amend the below to include the IDs of the device you want to isolate) -echo "options vfio-pci ids=10de:1381,10de:0fbc disable_vga=1" > /etc/modprobe.d/vfio.conf + +`echo "options vfio-pci ids=10de:1381,10de:0fbc disable_vga=1" > /etc/modprobe.d/vfio.conf` 8) Blacklist GPU drivers (here are all that you would ever need) +``` echo "blacklist radeon" >> /etc/modprobe.d/blacklist.conf echo "blacklist nouveau" >> /etc/modprobe.d/blacklist.conf echo "blacklist nvidia" >> /etc/modprobe.d/blacklist.conf echo "blacklist nvidiafb" >> /etc/modprobe.d/blacklist.conf echo "blacklist nvidia_drm" >> /etc/modprobe.d/blacklist.conf +``` 9) Create a new VM and add the GPU via hardware menu You may need to set it as primary GPU From 885ccf9ad4c55563f6aae88b7ed726b2e4640698 Mon Sep 17 00:00:00 2001 From: rc14193 <62862738+rc14193@users.noreply.github.com> Date: Mon, 29 Jan 2024 22:08:12 -0500 Subject: [PATCH 5/7] Add IOMMU verify line from video --- GPU_passthrough/readme.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/GPU_passthrough/readme.md b/GPU_passthrough/readme.md index 0f3bbe8..9265a90 100644 --- a/GPU_passthrough/readme.md +++ b/GPU_passthrough/readme.md @@ -13,6 +13,8 @@ nano /etc/default/grub `GRUB_CMDLINE_LINUX_DEFAULT="quiet amd_iommu=on"` +Verify that IOMMU is enabled by running `dmesg | grep -e DMAR -e IOMMU` and looking for a line indicating it is enabled + Save and exit 4) run the command `"update-grub"` now reboot From 4062f01df1d1e79619ed6ed79c15cf6cf85025cc Mon Sep 17 00:00:00 2001 From: rc14193 <62862738+rc14193@users.noreply.github.com> Date: Mon, 29 Jan 2024 22:10:25 -0500 Subject: [PATCH 6/7] Add modules verify line from video --- GPU_passthrough/readme.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/GPU_passthrough/readme.md b/GPU_passthrough/readme.md index 9265a90..b83220e 100644 --- a/GPU_passthrough/readme.md +++ b/GPU_passthrough/readme.md @@ -32,7 +32,9 @@ Then, save and exit 6) `update-initramfs -u -k all` and reboot -7) GPU Isolation From the Host (amend the below to include the IDs of the device you want to isolate) +Verify the modules are enabled with `dmesg | grep -i vfio` and checking the driver version line is present + +8) GPU Isolation From the Host (amend the below to include the IDs of the device you want to isolate) `echo "options vfio-pci ids=10de:1381,10de:0fbc disable_vga=1" > /etc/modprobe.d/vfio.conf` From e0fcbf354cbb4195c64bf1954cd7f72f272f7fda Mon Sep 17 00:00:00 2001 From: rc14193 <62862738+rc14193@users.noreply.github.com> Date: Mon, 29 Jan 2024 22:21:56 -0500 Subject: [PATCH 7/7] Add reboot note after blacklist --- GPU_passthrough/readme.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/GPU_passthrough/readme.md b/GPU_passthrough/readme.md index b83220e..46c047b 100644 --- a/GPU_passthrough/readme.md +++ b/GPU_passthrough/readme.md 
@@ -47,6 +47,9 @@ echo "blacklist nvidiafb" >> /etc/modprobe.d/blacklist.conf echo "blacklist nvidia_drm" >> /etc/modprobe.d/blacklist.conf ``` +Reboot your machine, be sure to use the web gui because with the gpu passed through you will no longer get video out. +The start up will begin but then appear to hang even though proxmox has started fine. + 9) Create a new VM and add the GPU via hardware menu You may need to set it as primary GPU You may need to add a ROM BAR