ops: tune crypto guardrails after rollout

2026-05-19 13:35:56 -03:00 · 2026-05-19 13:35:56 -03:00 · 0ae76bf1ca
commit 0ae76bf1ca
parent a3e14ce0f2
4 changed files with 52 additions and 17 deletions
--- a/services/crypto/xmr-miner/configmap-sources.yaml
+++ b/services/crypto/xmr-miner/configmap-sources.yaml
@ -10,11 +10,6 @@ data:
  # OPTIONAL: p2pool SHA256 (exact 64-hex chars). Leave blank to skip verification.
  P2POOL_SHA256: ""
  # REQUIRED: set to the official xmrig ARM64 tarball URL (static build preferred)
  XMRIG_URL: "https://github.com/xmrig/xmrig/releases/download/v6.21.3/xmrig-6.21.3-linux-static-arm64.tar.gz"
  # OPTIONAL: xmrig SHA256. Leave blank to skip verification.
  XMRIG_SHA256: ""
  # Threads for xmrig (default 1 to avoid RAM spikes; override after testing)
  XMRIG_THREADS: "1"
  # Extra args for xmrig if you want (space-separated)
--- a/services/crypto/xmr-miner/deployment.yaml
+++ b/services/crypto/xmr-miner/deployment.yaml
@ -6,7 +6,7 @@ metadata:
  namespace: crypto
  labels:
    app: monero-p2pool
-    atlas.bstein.dev/workload-profile: light
+    atlas.bstein.dev/workload-profile: heavy
 spec:
  replicas: 1
  selector:
@ -15,7 +15,7 @@ spec:
    metadata:
      labels:
        app: monero-p2pool
-        atlas.bstein.dev/workload-profile: light
+        atlas.bstein.dev/workload-profile: heavy
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "crypto"
@ -35,14 +35,14 @@ spec:
            - matchExpressions:
              - key: hardware
                operator: In
-                values: ["rpi4","rpi5"]
+                values: ["rpi5"]
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 50
              preference:
                matchExpressions:
                - key: hardware
                  operator: In
-                  values: ["rpi4"]
+                  values: ["rpi5"]
      initContainers:
        - name: fetch-p2pool
          image: alpine:3.20
@ -93,11 +93,11 @@ spec:
            periodSeconds: 10
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
-              memory: 512Mi
+              memory: 3Gi
            limits:
              cpu: 1500m
              memory: 4Gi
          volumeMounts:
            - { name: p2pool-bin, mountPath: /opt/p2pool }
      volumes:
--- a/services/crypto/xmr-miner/xmrig-daemonset.yaml
+++ b/services/crypto/xmr-miner/xmrig-daemonset.yaml
@ -30,7 +30,7 @@ spec:
                values: ["rpi4","rpi5"]
      containers:
        - name: xmrig
-          image: ghcr.io/tari-project/xmrig@sha256:80defbfd0b640d604c91cb5101d3642db7928e1e68ee3c6b011289b3565a39d9
+          image: ghcr.io/tari-project/xmrig@sha256:d590a41613fea974f155280920095ea10c3710f55ecf16fc38fd3a1c18718129
          imagePullPolicy: IfNotPresent
          env:
            - name: XMRIG_THREADS
@ -43,8 +43,12 @@ spec:
              set -eu
              THR="${XMRIG_THREADS:-1}"
              EXTRA="${XMRIG_EXTRA_ARGS:-}"
              IO_PREFIX=""
              if command -v ionice >/dev/null 2>&1; then
                IO_PREFIX="ionice -c3"
              fi
              # p2pool ignores wallet user; use 'x' or fixed difficulty with x+<diff>
-              exec nice -n 19 ionice -c3 xmrig \
+              exec nice -n 19 ${IO_PREFIX} xmrig \
                -o p2pool.crypto.svc.cluster.local:3333 \
                -u x \
                -k \
--- a/services/maintenance/scripts/rpi_resource_reservation.sh
+++ b/services/maintenance/scripts/rpi_resource_reservation.sh
@ -6,6 +6,8 @@ unit="k3s-agent"
 unit_file="${host_root}/etc/systemd/system/${unit}.service"
 config_dir="${host_root}/etc/rancher/k3s/config.yaml.d"
 config_file="${config_dir}/90-atlas-rpi-reservations.yaml"
 kubelet_config_dir="${host_root}/var/lib/rancher/k3s/agent/etc/kubelet.conf.d"
 kubelet_config_file="${kubelet_config_dir}/90-atlas-rpi-reservations.conf"
 if [ ! -f "${unit_file}" ]; then
  echo "k3s-agent unit not found; this guardrail only manages worker agents"
@ -17,7 +19,7 @@ cat > "${tmp_file}" <<'EOF'
 # Managed by Flux via services/maintenance/scripts/rpi_resource_reservation.sh.
 # Keep RPi workers below saturation so kubelet and the OS keep enough headroom
 # to evict or recover before the board wedges.
-kubelet-arg+:
+kubelet-arg:
  - "system-reserved=cpu=250m,memory=384Mi,ephemeral-storage=1Gi"
  - "kube-reserved=cpu=150m,memory=256Mi,ephemeral-storage=1Gi"
  - "eviction-hard=memory.available<512Mi,nodefs.available<10%,imagefs.available<10%"
@ -34,9 +36,43 @@ if [ ! -f "${config_file}" ] || ! cmp -s "${tmp_file}" "${config_file}"; then
 fi
 rm -f "${tmp_file}"
 kubelet_tmp_file="$(mktemp)"
 cat > "${kubelet_tmp_file}" <<'EOF'
 apiVersion: kubelet.config.k8s.io/v1beta1
 kind: KubeletConfiguration
 systemReserved:
  cpu: 250m
  memory: 384Mi
  ephemeral-storage: 1Gi
 kubeReserved:
  cpu: 150m
  memory: 256Mi
  ephemeral-storage: 1Gi
 evictionHard:
  memory.available: 512Mi
  nodefs.available: 10%
  imagefs.available: 10%
 evictionSoft:
  memory.available: 768Mi
  nodefs.available: 15%
  imagefs.available: 15%
 evictionSoftGracePeriod:
  memory.available: 1m
  nodefs.available: 2m
  imagefs.available: 2m
 evictionMaxPodGracePeriod: 60
 EOF
 if [ ! -f "${kubelet_config_file}" ] || ! cmp -s "${kubelet_tmp_file}" "${kubelet_config_file}"; then
  mkdir -p "${kubelet_config_dir}"
  install -m 0644 "${kubelet_tmp_file}" "${kubelet_config_file}"
  changed=1
 fi
 rm -f "${kubelet_tmp_file}"
 if [ "${changed}" -eq 1 ]; then
  delay="$(( (RANDOM % 420) + 30 ))"
-  echo "updated ${config_file}; restarting ${unit} after ${delay}s"
+  echo "updated RPi kubelet reservations; restarting ${unit} after ${delay}s"
  sleep "${delay}"
  chroot "${host_root}" /bin/systemctl daemon-reload
  chroot "${host_root}" /bin/systemctl restart "${unit}"