Installing Che on Minikube

This article explains how to create a single-node Kubernetes cluster with Minikube to deploy Che.

Remember that single-node Kubernetes clusters are suited only for testing or single-user development. Do NOT use such clusters to run Che for organizations or developer teams.

Using Minikube to configure Kubernetes

This section describes how to use Minikube to prepare a local single-node Kubernetes cluster.

Prerequisites
Procedure
  1. Start Minikube. Allocate at least 4 GB of RAM; 8 GB is recommended:

    $ minikube start --addons=ingress --vm=true --memory=8192

Installing Che on Minikube using chectl

This section describes how to install Che on Minikube using chectl.

Prerequisites
Procedure
  • Run the following command:

    $ chectl server:deploy --platform minikube

Add the --installer helm option to use the Helm chart and install a single-user instance of Che.

Importing certificates to browsers

This section describes how to import a root certificate authority into a web browser to use Che with self-signed TLS certificates.

When a TLS certificate is not trusted, the error message "Your Eclipse Che server may be using a self-signed certificate. To resolve the issue, import the server CA certificate in the browser." blocks the login process. To prevent this, add the public part of the self-signed CA certificate into the browser after installing Che.

Adding certificates to Google Chrome on Linux or Windows

Procedure
  1. Navigate to the URL where Che is deployed.

  2. Save the certificate:

    1. Click the warning or open lock icon on the left of the address bar.

    2. Click Certificates and navigate to the Details tab.

    3. Select the top-level certificate which is the Root certificate authority and export it:

      • On Linux, click the Export button.

      • On Windows, click the Save to file button.

  3. Go to Google Chrome Settings, then to the Authorities tab.

  4. In the left panel, select Advanced and continue to Privacy and security.

  5. At the center of the screen, click Manage certificates and navigate to the Authorities tab.

  6. Click the Import button and open the saved certificate file.

  7. Select Trust this certificate for identifying websites and click the OK button.

  8. After adding the Che certificate to the browser, the address bar displays the closed lock icon next to the URL, indicating a secure connection.

Adding certificates to Google Chrome and Safari on macOS

Procedure
  1. Navigate to the URL where Che is deployed.

  2. Save the certificate:

    1. Click the lock icon on the left of the address bar.

    2. Click Certificates.

    3. Select the certificate to use and drag its displayed large icon to the desktop.

  3. Open the Keychain Access application.

  4. Select the System keychain and drag the saved certificate file to it.

  5. Double-click the imported CA, then go to Trust and select When using this certificate: Always Trust.

  6. Restart the browser for the added certificate to take effect.

Adding certificates to Firefox

Procedure
  1. Navigate to the URL where Che is deployed.

  2. Save the certificate:

    1. Click the lock icon on the left of the address bar.

    2. Click the > button next to the Connection not secure warning.

    3. Click the More information button.

    4. Click the View Certificate button on the Security tab.

    5. Select the second certificate tab. The certificate Common Name should start with ingress-operator.

    6. Click the PEM (cert) link and save the certificate.

  3. Navigate to about:preferences, search for certificates, and click View Certificates.

  4. Go to the Authorities tab, click the Import button, and open the saved certificate file.

  5. Check Trust this CA to identify websites and click OK.

  6. Restart Firefox for the added certificate to take effect.

  7. After adding the Che certificate to the browser, the address bar displays the closed lock icon next to the URL, indicating a secure connection.

Running Minikube inside an LXC container

This section describes how to properly configure an LXC container for Minikube when the hypervisor uses ZFS, Btrfs, or LVM to provision the container storage.

Background

The chectl command-line tool requires the Minikube Ingress plug-in to be enabled in Minikube. At the same time, the Minikube Ingress plug-in requires the Docker daemon to be running with the overlay filesystem driver.

Problem

According to Docker storage drivers, the Docker overlay2 driver is only supported with the Ext4 and XFS file systems (with ftype=1).
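
A check for this requirement, added here as an example (it is not part of the original Che documentation). It reads the filesystem type from df and, for XFS, the ftype value from xfs_info; the function names and sample outputs are constructed for illustration, and xfs_info is assumed to be installed where the check runs.

```shell
#!/bin/sh
# Added example: can this directory back Docker's overlay2 driver?
# Rule from the text above: ext4, or XFS created with ftype=1.

# Constructed sample outputs (not captured from a real host).
SAMPLE_DF='Filesystem     Type 1024-blocks  Used Available Capacity Mounted on
/dev/zd0p1     xfs     52403200 86016  52317184       1% /var/lib/docker'
SAMPLE_XFS_INFO='naming   =version 2              bsize=4096   ascii-ci=0, ftype=1'

# Filesystem type from `df -PT <dir>` output on stdin (-P keeps one line per fs).
fs_type_from_df() { awk 'NR == 2 { print $2 }'; }

# ftype value (0 or 1) from `xfs_info <dir>` output on stdin.
xfs_ftype() { sed -n 's/.*ftype=\([01]\).*/\1/p' | head -n 1; }

# overlay2_verdict FSTYPE [FTYPE]: prints the verdict, returns 0 if supported.
overlay2_verdict() {
    case "$1" in
        ext4) echo "supported: ext4" ;;
        xfs)
            if [ "${2:-}" = "1" ]; then
                echo "supported: xfs with ftype=1"
            else
                echo "unsupported: xfs without ftype=1"; return 1
            fi ;;
        *) echo "unsupported: ${1:-unknown}"; return 1 ;;
    esac
}

# check_dir [DIR]: live check; needs df, and xfs_info (xfsprogs) for XFS.
check_dir() {
    dir=${1:-/var/lib/docker}
    fstype=$(df -PT "$dir" | fs_type_from_df)
    ftype=""
    if [ "$fstype" = "xfs" ]; then
        ftype=$(xfs_info "$dir" | xfs_ftype)
    fi
    overlay2_verdict "$fstype" "$ftype"
}

# Run the live check only when asked: sh check.sh --live [DIR]
if [ "${1:-}" = "--live" ]; then check_dir "${2:-}"; fi
```

Run it with --live inside the LXC container after attaching the storage device; a ZFS or Btrfs backing directory is reported as unsupported.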

Solution

Create a virtual block device inside a volume. In the case of Btrfs, this is impossible, and a file must be used as the virtual block device instead.

Procedure

In the following instructions, change the zfsPool or LVM volumegroup_name and the dockerstorage name according to your use case and preferences.

  1. Create a fixed size ZFS dataset or LVM volume on the hypervisor side:

    $ zfs create -V 50G zfsPool/dockerstorage           #USING ZFS
    $ lvcreate -L 50G -n dockerstorage volumegroup_name #USING LVM

  2. Use a partition tool to create a partition inside the virtual block device:

    $ parted /dev/zvol/zfsPool/dockerstorage --script mklabel gpt                      #USING ZFS
    $ parted /dev/zvol/zfsPool/dockerstorage --script mkpart primary 1 100%            #USING ZFS
    $ parted /dev/mapper/volumegroup_name-dockerstorage --script mklabel gpt           #USING LVM
    $ parted /dev/mapper/volumegroup_name-dockerstorage --script mkpart primary 1 100% #USING LVM

    Note the names of the resulting partition devices:

    • For ZFS: dockerstorage-part1 inside the /dev/zvol/zfsPool directory

    • For LVM: volumegroup_name-dockerstorage1 inside the /dev/mapper directory

    This is the partition of the virtual block device that stores /var/lib/docker for the LXC container.

  3. Format the virtual partition to XFS with the ftype flag set to 1:

    $ mkfs.xfs -n ftype=1 /dev/zvol/zfsPool/dockerstorage-part1       #FOR ZFS
    $ mkfs.xfs -n ftype=1 /dev/mapper/volumegroup_name-dockerstorage1 #FOR LVM

  4. Attach the virtual partition to the container (minikube is the name of the LXC container, dockerstorage is the name for the storage instance in LXC configuration):

    $ lxc config device add minikube dockerstorage disk path=/var/lib/docker \
      source=/dev/zvol/zfsPool/dockerstorage-part1       #FOR ZFS
    $ lxc config device add minikube dockerstorage disk path=/var/lib/docker \
      source=/dev/mapper/volumegroup_name-dockerstorage1 #FOR LVM

    Check the filesystem inside the container using the df command:

    $ df -T /var/lib/docker

  5. Use the following LXC configuration profile in the LXC container to allow it to run Minikube:

    config:
      linux.kernel_modules: ip_vs,ip_vs_rr,ip_vs_wrr,ip_vs_sh,ip_tables,ip6_tables,netlink_diag,nf_nat,overlay,br_netfilter
      raw.lxc: |
        lxc.apparmor.profile=unconfined
        lxc.mount.auto=proc:rw sys:rw
        lxc.cgroup.devices.allow=a
        lxc.cap.drop=
      security.nesting: "true"
      security.privileged: "true"
    description: Profile supporting minikube in containers
    devices:
      aadisable:
        path: /sys/module/apparmor/parameters/enabled
        source: /dev/null
        type: disk
      aadisable2:
        path: /sys/module/nf_conntrack/parameters/hashsize
        source: /sys/module/nf_conntrack/parameters/hashsize
        type: disk
      aadisable3:
        path: /dev/kmsg
        source: /dev/kmsg
        type: disk
    name: minikube

  6. After starting and setting up networking and the Docker service inside the container, start Minikube:

    $ minikube start --vm-driver=none --extra-config kubeadm.ignore-preflight-errors=SystemVerification
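
The profile in step 5 turns off most of the isolation LXC normally provides between the container and the hypervisor, so it helps to see exactly which settings do that before applying it. The following added example (not part of the original Che documentation) lists them for any profile YAML printed by lxc profile show; the function names are hypothetical, and the sample input is the config section and first device of the profile from step 5.

```shell
#!/bin/sh
# Added example: report which isolation-relevant settings an LXD profile relaxes.
# Feed it the YAML printed by `lxc profile show <name>`.

# audit_profile FILE: prints one line per finding; returns 1 if any were found.
audit_profile() {
    awk '
    function flag(msg) { print "FINDING: " msg; n++ }
    { gsub(/^[ \t]+|[ \t\r]+$/, "") }   # strip indentation and trailing space
    /^security\.privileged:[ \t]*"?true"?$/ { flag("privileged: no uid/gid mapping, container root is host root") }
    /^security\.nesting:[ \t]*"?true"?$/ { flag("nesting: container may run its own containers") }
    /^lxc\.apparmor\.profile[ \t]*=[ \t]*unconfined$/ { flag("AppArmor: container runs unconfined") }
    /^lxc\.cap\.drop[ \t]*=$/ { flag("capabilities: drop list cleared, nothing is dropped") }
    /^lxc\.cgroup2?\.devices\.allow[ \t]*=[ \t]*a$/ { flag("devices: cgroup allows access to every device") }
    /^lxc\.mount\.auto[ \t]*=.*(proc|sys):rw/ { flag("mounts: /proc or /sys mounted read-write") }
    /^path:[ \t]*\/sys\/module\/apparmor\/parameters\/enabled$/ { flag("AppArmor: status file masked inside the container") }
    END { exit (n > 0) }
    ' "$1"
}

# count_findings FILE: number of findings, for use in scripts and CI checks.
count_findings() {
    audit_profile "$1" | grep -c '^FINDING:'
}

# write_sample_profile FILE: config section and first device of the step 5
# profile, written out as sample input.
write_sample_profile() {
    cat > "$1" <<'EOF'
config:
  raw.lxc: |
    lxc.apparmor.profile=unconfined
    lxc.mount.auto=proc:rw sys:rw
    lxc.cgroup.devices.allow=a
    lxc.cap.drop=
  security.nesting: "true"
  security.privileged: "true"
devices:
  aadisable:
    path: /sys/module/apparmor/parameters/enabled
    source: /dev/null
    type: disk
EOF
}
```

On the step 5 profile the audit reports seven findings, which is why a container using it belongs only on a hypervisor dedicated to testing, in line with the single-node guidance at the top of this article.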