jailmaker/templates/k3s/config


startup=0
gpu_passthrough_intel=0
gpu_passthrough_nvidia=0
# seccomp=0 turns off systemd-nspawn's default system call filter for the jail.
# This improves performance at the expense of security: the jail then loses the
# syscall filtering that limits what it can ask the host kernel to do.
seccomp=1
# Use bridge (or macvlan) networking to give the jail its own network namespace,
# so kubernetes can manage firewall rules without touching the host's rules
# Alternatively use --network-macvlan=eno1 instead of --network-bridge
# Be sure to change eno1/br1 to the interface name you want to use
# You may want to add additional options here, e.g. bind mounts
# For k3s the default syscall filter is widened with add_key/keyctl (kernel
# keyrings) and bpf (used for cgroup device control). Note that allowing bpf
# lets code running in the jail load eBPF programs into the host kernel, so
# this is a deliberate widening of the host attack surface.
# Add the perf_event_open syscall to the filter for tools like intel_gpu_top.
# A bind mount gives k3s access to the kernel ring buffer (/dev/kmsg). This is
# the HOST kernel log: the jail can read it (host log contents) and, with a
# read-write bind, also write into it.
systemd_nspawn_user_args=--network-bridge=br1
--resolv-conf=bind-host
--system-call-filter='add_key keyctl bpf'
--bind=/dev/kmsg
# You can mount additional paths/devices like this:
# --bind=/dev/ttyUSB0
# Script to run on the HOST before starting the jail
# Load kernel module and config kernel settings required for k8s/containerd
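pre_start_hook=#!/usr/bin/bash
# Runs on the HOST (as root) before the jail starts. Loads the kernel modules
# and sets the sysctls that k3s/containerd need. Everything below changes
# host-wide kernel state, not just the jail.
set -euo pipefail
echo 'PRE_START_HOOK'
# Load modules first: some of the /proc/sys entries written further down only
# exist once the matching module is loaded (net/bridge/* needs br_netfilter,
# net/netfilter/nf_conntrack_max needs nf_conntrack). With set -e a missing
# entry would abort this hook and the jail would not start.
# required for bridging and filtering network traffic
modprobe br_netfilter
# used for container storage
modprobe overlay
# connection tracking, also pulled in by iptable_nat
modprobe nf_conntrack
# enable nat and packet filter modules
modprobe iptable_nat
modprobe iptable_filter
# Set kernel parameters
# Enable IP forwarding (host-wide, for all interfaces)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Ensure that bridge traffic is processed by iptables (if using br nw)
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
# Set memory overcommit - needed for k3s kubelet
echo 1 > /proc/sys/vm/overcommit_memory
# Optional, increase inotify instances and watches. May be needed when
# running many apps
echo 1280 > /proc/sys/fs/inotify/max_user_instances
echo 655360 > /proc/sys/fs/inotify/max_user_watches
# Increase max tracked connections in conntrack
echo 196608 > /proc/sys/net/netfilter/nf_conntrack_max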
# Only used while creating the jail
distro=debian
release=bookworm
# Install k3s, dependencies, helm inside jail
# https://docs.k3s.io/quick-start
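initial_setup=#!/usr/bin/bash
# Runs INSIDE the jail once, after it has been created: installs the
# dependencies, helm and k3s.
set -euo pipefail
# Install dependencies
apt-get update && apt-get install curl jq git -y
# Setup helm and k3s
# Both install scripts are fetched from the network and piped straight into a
# shell, so whatever is served at these URLs runs as root inside the jail.
# -f makes curl fail on an HTTP error instead of piping an error page into the
# shell (the k3s line already does this). Neither download is pinned or
# checksum-verified here; to pin instead of tracking the newest release, export
# DESIRED_VERSION=<helm version> and INSTALL_K3S_VERSION=<k3s version> before
# these lines (see the respective install scripts).
curl -sfL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
curl -sfL https://get.k3s.io | \
INSTALL_K3S_CHANNEL=latest sh -s - server --cluster-init
# --cluster-init initialises a new cluster with embedded etcd (per the k3s docs)
kubectl version
# Optional: Enable Intel HW Acceleration for Plex, Jellyfin, Frigate etc.
# Uncomment below line
# apt-get -y install {va-driver-all,ocl-icd-libopencl1,intel-opencl-icd,vainfo,intel-gpu-tools}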
# You generally will not need to change the options below
systemd_run_default_args=--property=KillMode=mixed
--property=Type=notify
--property=RestartForceExitStatus=133
--property=SuccessExitStatus=133
--property=Delegate=yes
--property=TasksMax=infinity
--collect
--setenv=SYSTEMD_NSPAWN_LOCK=0
systemd_nspawn_default_args=--keep-unit
--quiet
--boot
--bind-ro=/sys/module
--inaccessible=/sys/module/apparmor