Python logs within Kubernetes

By default, the Python logs won't print out from the Kubernetes pod. This is because Kubernetes would buffer stdin, stdout and stderr.

The way to sort this out is to set the environment variable

PYTHONUNBUFFERED

If this is set to a non-empty string it is equivalent to specifying the -u option

In the Helm chart, something like this:

kind: Service
apiVersion: v1
metadata:
  labels:
    app: example
  name: example
spec:
  ports:
  - port: 5000
    targetPort: 5000
  selector:
    app: example
---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    app: example
  name: example
spec:
  replicas: 1
  strategy: {}
  selector:
    matchLabels:
      app: example
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: example
    spec:
      containers:
      - image: example
        imagePullPolicy: IfNotPresent
        name: example
        ports:
        - containerPort: 443
        resources: {}
        env:
          - name: PYTHONUNBUFFERED
            value: "0"
      restartPolicy: Always
status: {}

docker privilege

The --privileged flag is powerful yet dangerous:

https://blog.trendmicro.com/trendlabs-security-intelligence/why-running-a-privileged-container-in-docker-is-a-bad-idea/

The alternative is just to mount the Docker socket:

docker run -v /var/run/docker.sock:/var/run/docker.sock 

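It's not strictly docker-in-docker, but it should be able to serve most use cases. Keep in mind that a container holding the socket can drive the host's Docker daemon, so it has to be trusted as much as the host itself.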
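A defender's check for both patterns above, as an added example that is not part of the original notes: it reads `docker inspect` JSON and flags containers that run privileged or have the Docker socket mounted. The sample data and container names are constructed; HostConfig.Privileged, HostConfig.Binds and Mounts[].Source are fields that `docker inspect` reports.

```python
import json

# Constructed sample shaped like `docker inspect` output, trimmed to the
# fields used below. Container names are made up for this example.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci-runner",
     "HostConfig": {"Privileged": False,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/dind",
     "HostConfig": {"Privileged": True, "Binds": None},
     "Mounts": []},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": ["/srv/data:/data:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/srv/data",
                 "Destination": "/data", "RW": False}]},
])


def audit_containers(inspect_json):
    """Return {container_name: [findings]} for risky host access."""
    report = {}
    for c in json.loads(inspect_json):
        findings = []
        host_cfg = c.get("HostConfig") or {}
        if host_cfg.get("Privileged"):
            findings.append("privileged")
        # Look at the resolved mounts and at the raw -v bind strings.
        sources = [m.get("Source") or "" for m in c.get("Mounts") or []]
        sources += [b.split(":", 1)[0] for b in host_cfg.get("Binds") or []]
        # /var/run is often a symlink to /run, so match on the file name.
        if any(s.endswith("/docker.sock") for s in sources):
            findings.append("docker-socket")
        if findings:
            report[c.get("Name", "?").lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_containers(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings)}")
```

For live use, pass the output of `docker inspect` for the running containers to audit_containers() instead of the sample.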

Options to configure the AWS provider in Terraform

provider "aws" {
  region     = "us-east-1"
  access_key = "your-access-key-here"
  secret_key = "your-secret-key-here"
}

or point to the profile

provider "aws" {
  region                  = "us-east-1"
  shared_credentials_file = "~/.aws/credentials" // default: "~/.aws/credentials"
  profile                 = "tf-admin"           // default: "default"
}

Set up container runtime variable

The Dockerfile instructions are only run at build time; however, while running the container, we might need to access some environment or configuration variable. Here is the workaround:

# Build time
ARG version=unknown
# Run time
ENV version=${version}

Then, to pass in the arg:

docker build --build-arg version=0.0.1 .

For docker-compose:

container:
  image: image
  restart: always
  build:
    context: dockerfile
    args:
      version: ${version} ## alternatively, default a value here

In the docker-compose file, ${version} can be used to retrieve the environment variable.