2024-07-19
Install MicroK8s

network policy:

https://minikube.sigs.k8s.io/docs/handbook/network_policy/

https://docs.tigera.io/calico/latest/network-policy/get-started/calico-policy/calico-network-policy

persistent volume:

https://minikube.sigs.k8s.io/docs/handbook/persistent_volumes/


sudo snap install --classic microk8s
sudo microk8s enable dns:<dns_ip>

config files are under /var/snap/microk8s/current, and you need to replace every docker.io reference in them with some docker mirror to prevent init errors.

run microk8s inspect to surface errors such as hostname casing problems or a missing file like /var/snap/microk8s/current/var/kubernetes/backend/localnode.yaml

you need to configure multiple registries for docker.io and registry.k8s.io under /var/snap/microk8s/current/args/certs.d (one hosts.toml per registry, in the containerd hosts.toml format).

in order to use a mirror site which does not support the /v2 url, you have to add override_path = true in the host section of that config.
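The two settings above written out as a script, as an added example that is not part of the original post: one hosts.toml per upstream registry under the certs.d directory, with override_path set. CERTS_DIR, MIRROR_URL and mirror.example.invalid are placeholders; a real mirror may need a different URL per upstream registry.

```bash
#!/bin/bash
# Added example, not from the original post: write one containerd
# hosts.toml per upstream registry so MicroK8s pulls through a mirror.
# CERTS_DIR defaults to the MicroK8s path named in the post; MIRROR_URL
# is a placeholder, replace it with a mirror you trust.

# $1 = certs.d directory, $2 = upstream registry, $3 = mirror base URL
write_mirror_hosts() {
    local certs_dir="$1" registry="$2" mirror="$3"
    mkdir -p "$certs_dir/$registry" || return 1
    cat > "$certs_dir/$registry/hosts.toml" <<EOF
# upstream registry, used when the mirror cannot serve the request
server = "https://$registry"

[host."$mirror"]
  capabilities = ["pull", "resolve"]
  # use the mirror URL as written instead of appending /v2, for mirrors
  # that do not expose the /v2 prefix
  override_path = true
EOF
}

# Return 0 when the written file names the registry and mirror and sets
# override_path, so a bad write is caught before restarting MicroK8s.
check_mirror_hosts() {
    local f="$1/$2/hosts.toml"
    grep -qF "server = \"https://$2\"" "$f" &&
        grep -qF "[host.\"$3\"]" "$f" &&
        grep -qF 'override_path = true' "$f"
}

main() {
    local certs_dir="${CERTS_DIR:-/var/snap/microk8s/current/args/certs.d}"
    local mirror="${MIRROR_URL:-https://mirror.example.invalid}"  # placeholder
    local reg
    for reg in docker.io registry.k8s.io; do
        write_mirror_hosts "$certs_dir" "$reg" "$mirror" || exit 1
        check_mirror_hosts "$certs_dir" "$reg" "$mirror" || exit 1
        echo "wrote $certs_dir/$reg/hosts.toml"
    done
}

# only touch the real config when asked, so sourcing this file is harmless
if [[ ${1:-} == --apply ]]; then main; fi
```

Run it with --apply as root on the MicroK8s host, then restart MicroK8s so containerd re-reads certs.d.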

mirror sites:

https://github.com/docker-mirrors/website

https://github.com/cmliu/CF-Workers-docker.io/issues/8

https://github.com/kubesre/docker-registry-mirrors

https://github.com/lawrenceching/gitbook/blob/master/docker-repositories-in-china.md

reference:

https://github.com/containerd/containerd/blob/main/docs/hosts.md

https://microk8s.io/docs/registry-private


install k3s

curl -sfL https://get.k3s.io > k3s_setup.sh
# replace the GITHUB_URL line with some github mirror before running the script
bash k3s_setup.sh

k3s mirror

curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn sh -

registry config:

https://docs.k3s.io/installation/private-registry


k0s install:

https://docs.k0sproject.io/stable/install/

curl -sSLf https://get.k0s.sh | sudo sh
sudo k0s install controller --single
sudo k0s start

config:

https://docs.k0sproject.io/stable/runtime/


2024-06-23
Intrinsic Sshd Configuration Errors

if you want to run ssh port forwarding as a systemd service, keep in mind that the default user for execution is root, so it is root's public key that has to be authorized for the login.

or you can change the user executing the task in the service config (User= belongs in the [Service] section of the unit):

[Service]
User=xxx


chisel can be used for port forwarding over http; compared with wstunnel, it is able to survive nginx (you still need to configure websocket upgrades).

# server, allowing reverse port forwarding
chisel server -p <port> --auth <user>:<pass> --reverse
# client
chisel client --auth <user>:<pass> <protocol>://<url> <local_addr>:<remote_addr> R:<remote_addr>:<local_addr>


if you want to have multiple hosts sharing the same ip because of proxy forwarding or different network locations, then you need to change the system host mapping file.

in linux and macos it is at /etc/hosts

in windows, C:\Windows\System32\drivers\etc\hosts

you need to configure the hosts file on the proxy machine if you want to avoid name clashes with proxies. these host names can be made less informative to hide their intent.


on the latest ubuntu 24.04 the sshd config includes the files under /etc/ssh/sshd_config.d, and one of them, named 50-cloud-init.conf, carries the following line, which overrides any other setting that comes afterwards (sshd keeps the first value it reads).

PasswordAuthentication yes

you need to change both /etc/ssh/sshd_config and this file to disable password authentication.
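An added audit script, not part of the original post, that walks sshd_config and its Include'd files in sshd's own order and reports every PasswordAuthentication line plus the value that wins; it is how you confirm the 50-cloud-init.conf override is really gone. It assumes whitespace-separated keyword/value lines and stops at a Match keyword, since settings after it are conditional.

```bash
#!/bin/bash
# Added example, not from the original post: audit which files set
# PasswordAuthentication and which value sshd will actually apply.
# sshd keeps the FIRST value it reads, and an Include line pulls the
# included files in at that point, so sshd_config.d/50-cloud-init.conf
# can win over a line written later in sshd_config. Simplifications:
# keyword and value are whitespace-separated, and lines after a Match
# keyword are skipped because they are conditional in sshd.

# Print "<file> <value>" for every PasswordAuthentication line, in the
# order sshd evaluates them. $1 = config file to start from.
list_password_auth() {
    local cfg="$1" line key val pat f
    while IFS= read -r line || [[ -n $line ]]; do
        line=${line%%#*}                        # drop comments
        read -r key val <<< "$line"             # keyword, then argument(s)
        [[ -n $key ]] || continue
        case ${key,,} in                        # keywords are case-insensitive
            match) break ;;                     # rest of this file is conditional
            include)
                for pat in $val; do             # one or more glob patterns
                    [[ $pat == /* ]] || pat="/etc/ssh/$pat"   # sshd's base dir
                    for f in $pat; do           # glob expands in sorted order
                        [[ -f $f ]] && list_password_auth "$f"
                    done
                done ;;
            passwordauthentication) printf '%s %s\n' "$cfg" "${val,,}" ;;
        esac
    done < "$cfg"
}

# The value sshd applies: the first one found, or the sshd default "yes".
effective_password_auth() {
    local first
    first=$(list_password_auth "$1" | head -n 1)
    if [[ -n $first ]]; then printf '%s\n' "${first##* }"; else echo yes; fi
}

main() {
    local root="${1:-/etc/ssh/sshd_config}"
    echo "PasswordAuthentication lines in sshd order:"
    list_password_auth "$root"
    echo "effective value: $(effective_password_auth "$root")"
}

if [[ $# -gt 0 ]]; then main "$@"; fi
```

Cross-check the result against sshd -T | grep -i passwordauthentication, which prints the daemon's own effective value.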


ssh -R will not let you bind 0.0.0.0 on the remote machine unless you configure something like the following in /etc/ssh/sshd_config.

AllowTcpForwarding yes
GatewayPorts clientspecified

if you cannot, use socat on the remote side to relay the forwarded local-only port to a public port.

socat TCP-LISTEN:<lport>,reuseaddr,fork TCP:<rhost>:<rport>


a port forwarding failure caused by the port already being taken can be corrected by freeing the port.

# get the pid of the process holding the port (without sudo, lsof only shows your own processes)
sudo lsof -i :<port>
# kill that process by its pid, not by the port number
kill <pid>
# rerun lsof to check if the port is freed


n2n can come in handy if you do not have many ports open to the internet but still want to access all ports between your local machines.


if the connection is unstable, use -o ServerAliveInterval=60 -o ServerAliveCountMax=3 to extend the timeout period.


2024-03-31
Notes on Extracting Electron Asar Files

When extracting an asar, do not move app.asar first; move it only after the extraction has finished.

# to prevent 'unable to find xxx in app.asar.unpacked' issue, do not move app.asar yet.
asar e app.asar app
mkdir asar
cp app.asar asar
rm app.asar


2022-12-11
Docker Usage Issues

use slim toolkit to shrink docker image size


with iptables, you can constrain the docker container network:

sudo iptables -I DOCKER-USER -d <ip_range> -j DROP

it does not work if you block all local ip ranges.


to use proxy servers provided by the host, one can set environment variables before running containers:

docker run -e http_proxy=<proxy_addr> -e https_proxy=<proxy_addr> -e all_proxy=<proxy_addr> -e no_proxy=<bypass_addrs>

or better, use tun2proxy (linux only)

run server:

docker run -d -v /dev/net/tun:/dev/net/tun --sysctl net.ipv6.conf.default.disable_ipv6=0 --cap-add NET_ADMIN --name tun2proxy tun2proxy --proxy <proto>://[username[:password]@]host:port

container forced to use the proxy:

docker run -it --network "container:tun2proxy" <image_name>[:tag]


with docker for mac, you can use the following domain names to get the host and gateway ip:

  • host.docker.internal

  • gateway.docker.internal

for podman:

  • host.containers.internal

  • gateway.containers.internal


latest docker mirror:

https://zhuanlan.zhihu.com/p/704011584


log in to mysql with an empty password, then execute a command to make it remotely available:

mysql -uroot --password= -e "grant all privileges on *.* to root@'%' identified by '' with grant option; commit;"

create a volume and attach it to the container, since containers will be reset after system restarts.

docker volume create <volume_name>
docker run -it -d --rm -v <volume_name>:<container_mountpoint> --name <container_name> <image_name>
docker volume inspect <volume_name> # get info on created volume

mindsdb is painful to use because of bad pypi mirrors.

set pip index url globally:

pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple

or pass it as environment variable:

docker run -it -d -e PIP_INDEX_URL=https://pypi.tuna.tsinghua.edu.cn/simple --name <container_name> <image_name>

if you want to save container state into an image, use docker commit <container_name> <image_name>[:image_tag]

Keep in mind that the docker commit command only saves the changes made to a container’s file system. It does not save any changes made to the container’s settings or network configurations. To save all changes made to a container, including settings and network configurations, you can use the docker export and docker import commands instead.

when publishing ports, if you do not specify the host ip, you cannot reach the service inside the container. do this instead: docker run -p 0.0.0.0:<host_port>:<container_port> <rest_commands>

it seems to be the proxy (fastgithub). disable the http proxy so we can connect to the container again, or use clash rules to let “localhost” or subnet requests pass through.

if you want to change ip routings or other configuration that was passed at docker run time, you need to edit the file hostconfig.json located in /var/lib/docker/containers/<container_id>, which has a PortBindings section. stop the container first, find and change the config file, then start it. tutorial

seems not working. fuck.

"PortBindings": {
  "80/tcp": [
    {
      "HostPort": "8080"
    }
  ]
}

containers can only contact each other if they share the same network. it is better to give each container a unique ip within that network. the container name can also be used as the host name instead of a static ip. tutorial

create a network (not overlapping with anything shown in ifconfig; mind the subnet mask):

docker network create --subnet=172.18.0.0/16 <network_name>

start a container on the given network (again, an address not overlapping with anything in ifconfig, and not the network's starting address):

docker run --rm -d -it --net <network_name> --ip <ipaddress> --name <container_name> <image_name>

to check what ip the container is at:

docker inspect <container_id/container_name> | grep IPAddress

now you should be able to talk to the container without port mappings.
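The "not overlapping with anything in ifconfig" check above, done by a script rather than by eye; an added example that is not part of the original post. It generalizes to any CIDR pair and also picks a free /16 from 172.16.0.0/12 when the requested subnet collides. SAMPLE_IFACES is a constructed interface list; on a real host feed it from ip -4 -o addr or ifconfig instead.

```bash
#!/bin/bash
# Added example, not from the original post: check that the subnet given
# to "docker network create --subnet" overlaps nothing an interface already
# uses, and pick a free 172.16.0.0/12 slice if it does. The interface list
# is constructed inline; on a live host feed it from "ip -4 -o addr" (or
# the ifconfig output the post refers to) instead.

# dotted quad -> unsigned 32-bit integer
ip_to_int() {
    local IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when two CIDRs share any address: compare both network
# addresses under the shorter of the two prefix lengths.
cidr_overlap() {
    local a=${1%/*} alen=${1#*/} b=${2%/*} blen=${2#*/}
    local len=$(( alen < blen ? alen : blen ))
    local mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [[ $(( $(ip_to_int "$a") & mask )) -eq $(( $(ip_to_int "$b") & mask )) ]]
}

# Return 0 when $1 overlaps none of the CIDRs in $2 (whitespace-separated).
subnet_is_free() {
    local used
    for used in $2; do
        cidr_overlap "$1" "$used" && return 1
    done
    return 0
}

# Print the first 172.X.0.0/16 (X in 16..31) that overlaps nothing in $1.
pick_free_subnet() {
    local x
    for x in {16..31}; do
        subnet_is_free "172.$x.0.0/16" "$1" && { echo "172.$x.0.0/16"; return 0; }
    done
    return 1
}

# constructed sample of what a host's interfaces might carry
SAMPLE_IFACES="127.0.0.1/8 192.168.1.10/24 172.17.0.1/16 172.18.0.1/16"

# usage: ./check_subnet.sh 172.18.0.0/16   (placeholder script name)
if [[ $# -gt 0 ]]; then
    subnet_is_free "$1" "$SAMPLE_IFACES" && echo "$1 is free" ||
        echo "$1 overlaps an interface; try $(pick_free_subnet "$SAMPLE_IFACES")"
fi
```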
