#rke2
wonderful-helicopter-16401

05/03/2022, 4:23 AM
Hi, I am doing my first install of Rancher on RKE2 (2.6) and am having some issues with accessing /var/lib/rancher/rke2/server/manifests to configure nginx as a daemonset as outlined in these docs. It appears the permissions for the server directory are not set properly on any of the nodes in this cluster. I'm seeing the steps were tested in 2.5.6. So, is this a bug or intended? Also, what permissions should I set on that directory to complete the final step in those docs?

creamy-pencil-82913

05/03/2022, 4:56 AM
What do you mean, not set properly? What permissions are you expecting, and what do you see?
You're intended to do that as root, since having a world-writable directory that gets deployed to your cluster would be a bad thing.

wonderful-helicopter-16401

05/03/2022, 11:58 AM
Here is what I am getting...
user@srv1:/var/lib/rancher/rke2$ cd server
-bash: cd: server: Permission denied
user@srv1:/var/lib/rancher/rke2$ sudo cd server
sudo: cd: command not found
Thank you for the reply. I found the answer. I used sudo bash instead of trying to cd down to that level. I ended up at the rke2 directory trying to figure out why I couldn't sudo cd down to the location required. I found an article that discussed permissions as the issue, hence my question. Your response had me search other forums. The fourth one said I needed to use either sudo bash or sudo su and then I would be able to cd to the full path.
I get why the permissions would need to be changed back after making a change. I couldn't work out how to get step 5 of the docs done. And, since I was also thinking that if it was a permissions issue, I'd like to know what they should ultimately be so I could document the changes/requirements. It's been many years, but I seem to recall having to make frequent permissions changes to ultimately get everything properly accessible and secure in websites of yesteryear. So, the notion was not completely foreign or made up. Hope this helps others that get the same issue as they learn.

rapid-helmet-86074

05/03/2022, 2:41 PM
If you did a recent RKE2 install you may not need to do the step of changing nginx ingress controller to a DaemonSet as when I did it several months ago (with RKE2 v1.21.6 if I recall correctly), I was able to run kubectl get daemonsets -A and see that it was already a DaemonSet.

wonderful-helicopter-16401

05/04/2022, 3:21 PM
Thank you for that observation. It has me curious about the docs. I will be setting up a second cluster in the next week or so and I'll take a look at that. I'm going to create my own set of documentation that cleans up the process for me. While doing this first install, I felt like I was jumping back and forth and trying to figure out which was the chicken and which was the egg at times. I'll either validate that experience and have some feedback on docs or I'll realize I was just getting confused.

rapid-helmet-86074

05/04/2022, 3:23 PM
A lot was slightly off/wrong on the docs for me using RKE2 v1.21 & Rancher 2.6 on the install. Sad to hear they're still that way.

creamy-pencil-82913

05/04/2022, 3:38 PM
Can you link to the docs page that you're looking at?

rapid-helmet-86074

05/04/2022, 4:39 PM
The ones that I recall quickly are all on https://rancher.com/docs/rancher/v2.6/en/installation/resources/k8s-tutorials/ha-rke2/ . When I was first using the page something in I think step 1 was malformed and I had to go back to the 2.5 install page to see the info but that looks fixed. Steps 4 & 5 are both incorrect if using RKE2 v1.21.x (and presumably higher), so noting what versions those are for and/or having a link or note about differences in the different supported versions would be good. I can't remember what it was from months ago past that.

creamy-pencil-82913

05/04/2022, 4:55 PM
Interesting, I’ll pass that along to the docs team. If you ever notice something like that, there’s an Edit This Page button at the bottom of every page, if you can take a moment to even just comment on what you’d like improved in the docs that helps close the loop better than just noting it on Slack.

wonderful-helicopter-16401

05/04/2022, 7:13 PM
I suspect the consistent problem I had is that I was installing my first RKE2 (v1.23) and my first Rancher (v2.6) and the references/notes had me going to other docs to figure out some detail that the main doc assumed I'd know. Then those second docs might have a step/action that was inconsistent with what I was originally trying to do. I've watched numerous videos, read several docs outside of Rancher to try and piece it all together so that the HA RKE2 Rancher install made sense. I'm just about there, I think. Of course, most resources in the wild pertain to docker, so it's been interesting. One area I had a lot of confusion on was setting up a load balancer. Looks like we need two load balancers? One for RKE2 and the other for Rancher. Anyway, the chicken/egg comment from above had a lot to do with documentation around load balancers and figuring out that I needed the RKE2 one in place before doing anything with the other one. When I write that it seems logical and simple, but when bouncing between several docs...

creamy-pencil-82913

05/04/2022, 7:15 PM
You don’t technically need two load-balancers, but if you are using dedicated agents to run the Rancher app to keep the server nodes free for running etcd+control-plane, then you would probably want that, since you won’t have the same nodes for the control-plane LB as you will for the ingress LB.

wonderful-helicopter-16401

05/04/2022, 7:20 PM
That makes sense. Separate LBs is what I prefer for our situation. The docs on the Rancher LB also emphasize not adding anything other than Rancher to its external LB.

rapid-helmet-86074

05/04/2022, 7:21 PM
I'm prototyping in small dev environments but trying to keep it moderately production-like. I have 3 nodes for Rancher HA RKE2 cluster, then a downstream RKE2 cluster with 3 control plane/etcd & 5 worker nodes. I have a DNS hostname pointing at the three Rancher RKE2 nodes (and if I set it up manually rather than with Rancher UI commands then another DNS hostname pointing at the three downstream RKE2 control plane nodes). I then have a single external HAProxy instance that points to port 443 on all 5 worker nodes that has a wildcard DNS entry for a subdomain and then I set up my Ingress objects to use that subdomain and go through that HAProxy (I expect the prod instance to put the HAProxy equivalent in a DMZ).