Cluster system
This is an idea dreamt up by @samp20 that may one day become a reality. The goals are to:
- Create a cluster management system for small clusters.
- Be simpler to setup and use than Kubernetes.
- Work across networks. For example between a cloud provider and self-hosted.
Parts list
Here are the parts that are proposed for this project:
- Python based core.
- PostgreSQL database for cluster configuration.
- runc (or other OCI compliant runtime) for container management.
- NFTables for firewall configuration.
- Python Flask for web UI/API.
- Caddy for HTTPS ingress proxy.
General architecture
RunC integration
RunC containers are created with a config.json and a rootfs. RunC can generate a base configuration. While we could technically include that in the cluster config directly, it probably makes more sense to use the RunC generated config and merge the cluster config into it. A Docker config (Docker uses RunC under the hood) is even more restricted, specifying what syscalls are allowed for example. We may want to add this in the future, but not initially.
Pulling the root filesystem
There exist a few tools that can help with this: Skopeo and Umoci. An example is below:
- `skopeo copy docker://busybox:latest oci:busybox:latest` will create a `busybox` folder.
- `umoci unpack --image busybox:latest bundle` unpacks the OCI image into an OCI runtime bundle in the `bundle` folder. This bundle also has a `config.json`. It'll be interesting to compare that with the RunC generated one.
It may be preferred to follow the OCI conversion spec directly instead of relying on a 3rd party tool such as Umoci.
Network and Wireguard
This will use the pyroute2 Python module. It has support for WireGuard and network namespaces (their example uses a veth pair).
NFTables
NFTables comes with its own Python interface that wraps around libnftables. There's a good tutorial to get started here: https://ral-arturo.org/2020/11/22/python-nftables-tutorial.html.
The scope of this will initially be to configure the forward chain to forward traffic between the container's virtual ethernet (veth) and the WireGuard tunnel. In the future this can be extended to implement firewall policies between containers.
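As an added example (not part of these design notes), this builds the libnftables JSON command list for that initial scope: a default-drop forward chain in its own table that only allows traffic between the container's veth and the WireGuard interface (plus established return traffic), logs everything else, and can be loaded through the `nftables` Python binding. The interface names `veth0` and `wg0` and the table name `cluster` are assumed.

```python
import json


def forward_ruleset(veth: str, wg: str, table: str = "cluster") -> dict:
    """Build a libnftables JSON command list (what `nft -j -f -` and
    nftables.Nftables().json_cmd() consume) for the initial scope: a
    default-drop forward chain that only lets traffic pass between the
    container's veth and the WireGuard interface, plus established
    return traffic. Only our own table is flushed, never the host ruleset.
    """
    fam = "inet"

    def iface(key: str, name: str) -> dict:
        return {"match": {"op": "==", "left": {"meta": {"key": key}},
                          "right": name}}

    def rule(*expr: dict) -> dict:
        return {"add": {"rule": {"family": fam, "table": table,
                                 "chain": "forward", "expr": list(expr)}}}

    established = {"match": {"op": "in", "left": {"ct": {"key": "state"}},
                             "right": ["established", "related"]}}
    return {"nftables": [
        {"add": {"table": {"family": fam, "name": table}}},
        {"flush": {"table": {"family": fam, "name": table}}},
        {"add": {"chain": {"family": fam, "table": table, "name": "forward",
                           "type": "filter", "hook": "forward", "prio": 0,
                           "policy": "drop"}}},
        rule(established, {"accept": None}),
        rule(iface("iifname", veth), iface("oifname", wg), {"accept": None}),
        rule(iface("iifname", wg), iface("oifname", veth), {"accept": None}),
        # Anything else falls through to the chain policy (drop); log it
        # first so unexpected forwarding attempts are visible in the kernel log.
        rule({"log": {"prefix": f"{table}-fwd-drop "}}),
    ]}


def apply_ruleset(cmds: dict) -> tuple:
    """Load the ruleset through the nftables Python binding (assumed to be
    installed alongside nftables). Needs root and libnftables; returns the
    (rc, output, error) tuple that json_cmd() gives back."""
    import nftables
    nft = nftables.Nftables()
    nft.set_json_output(True)
    return nft.json_cmd(cmds)


if __name__ == "__main__":
    # Print the JSON so it can be reviewed, or piped into `nft -j -f -`.
    print(json.dumps(forward_ruleset("veth0", "wg0"), indent=2))
```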
Caddy
Caddy can be configured directly through JSON.