Considering I am the operations team, just goes to show how much I have left to learn. I didn’t know about the external-dns operator.

Unfortunately, my company is a bit strange with certs and won’t let me handle them myself. Something to check out at home I guess.

I agree with you about the LVM. I have been meaning to set up Rook forever but never got around to it. It might still take a while but thanks for the reminder.

Wow. That must have been some work. I don’t have these certs myself but I’m looking at the CKA and CKS (or whatever that’s called). For sure, I loved our discussion. Thanks for your help.

I am using a reverse proxy in production. I just didn’t mention it here.

I’d have to set up a DNS record for both. I’d also have to create and rotate certs for both.

We use LVM, I simply mounted a volume for /usr/share/elasticsearch. The VMWare team will handle the underlying storage.

I agree with manually dealing with the repo. I dont think I’d set up unattended upgrades for my k8s cluster either so that’s moot. Downtime is not a big deal: this is not external and I’ve got 5 nodes. I guess if I didn’t use Ansible it would be a bit more legwork but that’s about it.

Overall I think we missed each other here.

No idea. I personally use PVs and PVCs with k3s and it’s trivial there with some downtime

There’s a GUI for containerd?

By more moving parts I mean:

Running ElasticSearch on RHEL:

• add repo and dnf install elasticsearch.
• check SELinux
• write config
• firewall-cmd to open ports.

In k8s:

• grab elasticsearch container image
• edit variables in manifest (we use helm)
• depending on if the automatically configured SVC is good, leave it alone or edit it.
• write the VS and gateway (we use Istio)
• firewall-cmd to open ports

Maybe it’s just me but I find option 1 easier. Maybe I’m just lazy. That’s probably the overarching reason lol

Ah thanks, I’ll go through it!

I prefer some of my applications to be on VMs. For example, my observability stack (ELK + Grafana) which I like to keep separate from other environments. I suppose the argument could be made that I should spin up a separate k8s cluster if I want to do that but it’s faster to deploy directly on VMs, and there’s also less moving parts (I run two 50 node K8S clusters so I’m not averse to containers, just saying). Easier and relatively secure tool for the right job. Sure, I could mess with cgroups and play with kernel parameters and all of that jazz to secure k8s more but why bother when I can make my life easier by trusting Red Hat? Also I’m not yet running a k8s version that supports SELinux and I tend to keep it enabled.

Sometimes, VMs are simply the better solution.

I run a semi-production DB cluster at work. We have 17 VMs running and it’s resilient (a different team handles VMWare and hardware)

QEMU is legacy? Pray tell me how you’re running VMs on architectures other than x86 on modern computers without QEMU

Not calling you out specifically OP, but can someone tell me why this is a thing on the internet?

multiple 12GB drives

GB??? I assume TB automatically when people say this but it still is a speedbreaker when I’m thinking about the post.

Find me a car produced in 2024 or later which does this

Scalpers made it expensive though

Yeah unfortunately ROCM is shit last I heard

Deepseek 1.5B doesn’t exist. I don’t know why the Deepseek team named the models on Huggingface like this, but what is labelled as “Deepseek 1.5B” is actually not the OG Deepseek 70B model distilled to 1.5B, it’s a different model either trained or finetuned by the Deepseek team. My theory is some sort of intentional manipulation on their part so people stay confused on whether they are actually running the Deepseek model or not. There is a lot of commentary on this online, sorry I don’t have the links from the top of my head.

Obligatory: you’re not running deepseek 1.5B. You’re running some other distilled model which was finetuned by the deepseek folks

Spend $500, buy a beefy used GPU and run Whisper + Mistral small. It’ll be a bit slow but now you can maintain your privacy on your own hardware! Best of both worlds.

It sucks that other ROMs are not as up to par in terms of security. That and the US doesn’t have any other options either. Europe has Xiaomi and Fairphone at least, if anybody wants variety

Good plan. I’m balking at having to pay 500 for a mobile device which I know won’t last me for more than 4 years at maximum (unless I spend more and buy iFixit repair kits which isn’t my forté). If the FairPhone was available in the US I’d consider it but I guess running Graphene is probably a better idea given the price you got the device at. Thanks

Xe is insanely talented. If she is who I think she is, then I’ve watched her speak and her depth of knowledge across computer science topics is insane.

I look forward to TOR’s PoW coming out for FOSS WAFs