zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
144 Commits
183 Branches
291 MiB
Tree: 571cebc826
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '571cebc826'
${ noResults }
tendermint/mintnet-kubernetes/README.md

229 lines
7.2 KiB
Raw Normal View History

copy mintnet-kubernetes from https://github.com/tendermint/mintnet-kubernetes
8 years ago
update minikube version
8 years ago
copy mintnet-kubernetes from https://github.com/tendermint/mintnet-kubernetes
8 years ago
[mintnet-kubernetes] join commands in the QuickStart examples
8 years ago
copy mintnet-kubernetes from https://github.com/tendermint/mintnet-kubernetes
8 years ago
update minikube version
8 years ago
copy mintnet-kubernetes from https://github.com/tendermint/mintnet-kubernetes
8 years ago
[mintnet-kubernetes] join commands in the QuickStart examples
8 years ago
copy mintnet-kubernetes from https://github.com/tendermint/mintnet-kubernetes
8 years ago
 
  1. # Tendermint network powered by Kubernetes

  2. 

  3. ![Tendermint plus Kubernetes](img/t_plus_k.png)
  4. 

  5. * [QuickStart (MacOS)](#quickstart-macos)
  6. * [QuickStart (Linux)](#quickstart-linux)
  7. * [Usage](#usage)
  8. * [Security](#security)
  9. * [Fault tolerance](#fault-tolerance)
  10. * [Starting process](#starting-process)
  11. 

  12. This should primarily be used for testing purposes or for tightly-defined
  13. chains operated by a single stakeholder (see [the security
  14. precautions](#security)). If your desire is to launch an application with many
  15. stakeholders, consider using our set of Ansible scripts.
  16. 

  17. ## QuickStart (MacOS)

  18. 

  19. [Requirements](https://github.com/kubernetes/minikube#requirements)
  20. 

  21. ```
  22. curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/darwin/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/kubectl
  23. curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.18.0/minikube-darwin-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/
  24. minikube start
  25. 

  26. git clone https://github.com/tendermint/tools.git && cd tools/mintnet-kubernetes/examples/basecoin && make create
  27. ```
  28. 

  29. ## QuickStart (Linux)

  30. 

  31. [Requirements](https://github.com/kubernetes/minikube#requirements)
  32. 

  33. ```
  34. curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/kubectl
  35. curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.18.0/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/
  36. minikube start
  37. 

  38. git clone https://github.com/tendermint/tools.git && cd tools/mintnet-kubernetes/examples/basecoin && make create
  39. ```
  40. 

  41. ### Verify everything works

  42. 

  43. **Using a shell:**
  44. 

  45. 1. wait until all the pods are `Running`.
  46. 

  47.    ```
  48.    kubectl get pods -w -o wide -L tm
  49.    ```
  50. 

  51. 2. query the Tendermint app logs from the first pod.
  52. 

  53.    ```
  54.    kubectl logs -c tm -f tm-0
  55.    ```
  56. 

  57. 3. use [Rest API](https://tendermint.com/docs/internals/rpc) to fetch the
  58.    status of the second pod's Tendermint app. Note we are using `kubectl exec`
  59.    because pods are not exposed (and should not be) to the outer network.
  60. 

  61.    ```
  62.    kubectl exec -c tm tm-0 -- curl -s http://tm-1.basecoin:46657/status | json_pp
  63.    ```
  64. 

  65. **Using the dashboard:**
  66. 

  67. ```
  68. minikube dashboard
  69. ```
  70. 

  71. ### Clean up

  72. 

  73. ```
  74. make destroy
  75. ```
  76. 

  77. ## Usage

  78. 

  79. ### (1/4) Setup a Kubernetes cluster

  80. 

  81. - locally using [Minikube](https://github.com/kubernetes/minikube)
  82. - on GCE with a single click in the web UI
  83. - on AWS using [Kubernetes Operations](https://github.com/kubernetes/kops/blob/master/docs/aws.md)
  84. - on Linux machines (Digital Ocean) using [kubeadm](https://kubernetes.io/docs/getting-started-guides/kubeadm/)
  85. - on AWS, Azure, GCE or bare metal using [Kargo (Ansible)](https://kubernetes.io/docs/getting-started-guides/kargo/)
  86. 

  87. Please refer to [the official
  88. documentation](https://kubernetes.io/docs/getting-started-guides/) for overview
  89. and comparison of different options. See our guides for [Google Cloud
  90. Engine](docs/SETUP_K8S_ON_GCE.md) or [Digital Ocean](docs/SETUP_K8S_ON_DO.md).
  91. 

  92. **Make sure you have Kubernetes >= 1.5, because you will be using StatefulSets,
  93. which is a beta feature in 1.5.**
  94. 

  95. ### (2/4) Create a configuration file

  96. 

  97. Download a template:
  98. 

  99. ```
  100. curl -Lo app.yaml https://github.com/tendermint/tools/raw/master/mintnet-kubernetes/app.template.yaml
  101. ```
  102. 

  103. Open `app.yaml` in your favorite editor and configure your app container
  104. (navigate to `- name: app`). Kubernetes DSL (Domain Specific Language) is very
  105. simple, so it should be easy. You will need to set Docker image, command and/or
  106. run arguments. Replace variables prefixed with `YOUR_APP` with corresponding
  107. values. Set genesis time to now and preferable chain ID in ConfigMap.
  108. 

  109. Please note if you are changing `replicas` number, do not forget to update
  110. `validators` set in ConfigMap. You will be able to scale the cluster up or down
  111. later, but new pods (nodes) won't become validators automatically.
  112. 

  113. ### (3/4) Deploy your application

  114. 

  115. ```
  116. kubectl create -f ./app.yaml
  117. ```
  118. 

  119. ### (4/4) Observe your cluster

  120. 

  121. **web UI** <-> https://github.com/kubernetes/dashboard
  122. 

  123. The easiest way to access Dashboard is to use kubectl. Run the following command in your desktop environment:
  124. 

  125. ```
  126. kubectl proxy
  127. ```
  128. 

  129. kubectl will handle authentication with apiserver and make Dashboard available at [http://localhost:8001/ui](http://localhost:8001/ui)
  130. 

  131. **shell**
  132. 

  133. List all the pods:
  134. 

  135. ```
  136. kubectl get pods -o wide -L tm
  137. ```
  138. 

  139. StatefulSet details:
  140. 

  141. ```
  142. kubectl describe statefulsets tm
  143. ```
  144. 

  145. First pod details:
  146. 

  147. ```
  148. kubectl describe pod tm-0
  149. ```
  150. 

  151. Tendermint app logs from the first pod:
  152. 

  153. ```
  154. kubectl logs tm-0 -c tm -f
  155. ```
  156. 

  157. App logs from the first pod:
  158. 

  159. ```
  160. kubectl logs tm-0 -c app -f
  161. ```
  162. 

  163. Status of the second pod's Tendermint app:
  164. 

  165. ```
  166. kubectl exec -c tm tm-0 -- curl -s http://tm-1.<YOUR_APP_NAME>:46657/status | json_pp
  167. ```
  168. 

  169. ## Security

  170. 

  171. Due to the nature of Kubernetes, where you typically have a single master, the
  172. master could be a SPOF (Single Point Of Failure). Therefore, you need to make
  173. sure only authorized people can access it. And these people themselves had
  174. taken basic measures in order not to get hacked.
  175. 

  176. These are the best practices:
  177. 

  178. - all access to the master is over TLS
  179. - access to the API Server is X.509 certificate or token based
  180. - etcd is not exposed directly to the cluster
  181. - ensure that images are free of vulnerabilities ([1](https://github.com/coreos/clair))
  182. - ensure that only authorized images are used in your environment
  183. - disable direct access to Kubernetes nodes (no SSH)
  184. - define resource quota
  185. 

  186. Resources:
  187. 

  188. - https://kubernetes.io/docs/admin/accessing-the-api/
  189. - http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html
  190. - https://blog.openshift.com/securing-kubernetes/
  191. 

  192. ## Fault tolerance

  193. 

  194. Having a single master (API server) is a bad thing also because if something
  195. happens to it, you risk being left without an access to the application.
  196. 

  197. To avoid that you can [run Kubernetes in multiple
  198. zones](https://kubernetes.io/docs/admin/multiple-zones/), each zone running an
  199. [API server](https://kubernetes.io/docs/admin/high-availability/) and load
  200. balance requests between them. Do not forget to make sure only one instance of
  201. scheduler and controller-manager are running at once.
  202. 

  203. Running in multiple zones is a lightweight version of a broader [Cluster
  204. Federation feature](https://kubernetes.io/docs/admin/federation/). Federated
  205. deployments could span across multiple regions (not zones). We haven't tried
  206. this feature yet, so any feedback is highly appreciated! Especially, related to
  207. additional latency and cost of exchanging data between the regions.
  208. 

  209. Resources:
  210. 

  211. - https://kubernetes.io/docs/admin/high-availability/
  212. 

  213. ## Starting process

  214. 

  215. ![StatefulSet](img/statefulset.png)
  216. 

  217. Init containers (`tm-gen-validator`) are run before all other containers,
  218. creating public-private key pair for each pod. Every `tm` container then asks
  219. other pods for their public keys, which are served with nginx (`pub-key`
  220. container). When `tm` container have all the keys, it forms a genesis file and
  221. starts Tendermint process.
  222. 

  223. ## TODO

  224. 

  225. - [ ] run tendermint from tmuser
  226.   ```
  227.   securityContext:
  228.     fsGroup: 999
  229.   ```