#refarch (2023-02)

Cloud Posse Reference Architecture

2023-02-03

Erik Osterman (Cloud Posse)

So I could use some assistance with understanding the whole “aws-teams”, “aws-teams-roles” and “aws-sso” components. Currently I have an account created in my org that I would like to enable a set of users access to create AWS resources in using atmos. I have set up this group with the AdministratorAccess permissions set tied to the account in question. My issue arises in how I configure them with the identity account’s roles, which is what is used by atmos. Now I only want this team to have Admin access for this one account only. Suggestions as to how I could go about this?

Erik Osterman (Cloud Posse)

@Ben Smith (Cloud Posse) @Dan Miller (Cloud Posse)

Andriy Knysh (Cloud Posse)

I chatted with him yesterday

Andriy Knysh (Cloud Posse)

@Christopher Pieper let us know if you need more help on this

2023-02-21

johncblandii

hey folks, i’m working through setting up the refarch and I have aws-teams, aws-team-roles, and aws-sso deployed. I’m unable to use my SSO creds to run Terraform, though.

All of my configs are basically straight from the module READMEs except the permission_sets in tfstate-backend and teams/team-roles. Any insight here would be great

```
√ . [xy-core-gbl-identity] (HOST) infrastructure ⨠ aws sts get-caller-identity
{
    "UserId": "AROXYZDFHBTIJLNHGWBBH:[email protected]",
    "Account": "0123456789",
    "Arn": "arn:aws:sts::0123456789:assumed-role/AWSReservedSSO_IdentityAdminRoleAccess_xzypdq/[email protected]"
}

√ . [xy-core-gbl-identity] (HOST) infrastructure ⨠ aws sts get-caller-identity --profile xy-core-gbl-identity-admin
{
    "UserId": "AROXYZDFHBTIKLO6H2Y6S:botocore-session-1677008620",
    "Account": "0123456789",
    "Arn": "arn:aws:sts::0123456789:assumed-role/xy-core-gbl-identity-admin/botocore-session-1677008620"
}

√ . [xy-core-gbl-identity] (HOST) infrastructure ⨠ aws sts get-caller-identity --profile xy-core-gbl-audit-admin

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::0123456789:assumed-role/AWSReservedSSO_IdentityAdminRoleAccess_xzypdq/[email protected] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::9876543210:role/xy-core-gbl-audit-admin

√ . [xy-core-gbl-identity] (HOST) infrastructure ⨠ aws sts get-caller-identity --profile xy-core-gbl-root-terraform

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::0123456789:assumed-role/AWSReservedSSO_IdentityAdminRoleAccess_xzypdq/[email protected] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::456789321:role/xy-core-gbl-root-terraform
```

Erik Osterman (Cloud Posse)

@Andriy Knysh (Cloud Posse) @RB @Jeremy White (Cloud Posse)

Andriy Knysh (Cloud Posse)

@johncblandii I believe to use SSO with terraform, you have to use AWS profiles, not roles

Andriy Knysh (Cloud Posse)

```hcl
provider "aws" {
  region = var.region

  profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null

  dynamic "assume_role" {
    for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
    content {
      role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
    }
  }
}

module "iam_roles" {
  source  = "../account-map/modules/iam-roles"
  context = module.this.context
}

variable "import_profile_name" {
  type        = string
  default     = null
  description = "AWS Profile name to use when importing a resource"
}

variable "import_role_arn" {
  type        = string
  default     = null
  description = "IAM Role ARN to use when importing a resource"
}
```

Andriy Knysh (Cloud Posse)

are you using profiles or roles?

johncblandii

I did set profiles_enabled: true on account map

johncblandii

let me make sure i ran everything with that in place

Andriy Knysh (Cloud Posse)

we are actually using IAM roles to work with TF in geodesic. I believe we did it with SSO and profiles a few times and encountered a lot of issues (I don’t remember all the details, it was a long time ago)

johncblandii

how would i use roles + ssm? it seems when i use assume-role it selects a profile, but assuming again always shows my SSO user

johncblandii

and would we have the same issue on spacelift?

johncblandii

nm…it wouldn’t use SSO…ignore last question

Andriy Knysh (Cloud Posse)

we use roles with Spacelift

Andriy Knysh (Cloud Posse)

for the same reason that the roles generated by SSO are dynamic

Andriy Knysh (Cloud Posse)
User: arn:aws:sts::0123456789:assumed-role/AWSReservedSSO_IdentityAdminRoleAccess_xzypdq/[email protected] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::9876543210:role/xy-core-gbl-audit-admin
Andriy Knysh (Cloud Posse)

the dynamic role above does not have the permissions b/c the aws-teams, aws-team-roles components don’t know anything about it - so the role arn:aws:iam::9876543210:role/xy-core-gbl-audit-admin does not have permissions for the dynamic roles to assume it

Andriy Knysh (Cloud Posse)

if you use profiles, you need to make sure you use profiles everywhere

Andriy Knysh (Cloud Posse)

for that reason, we don’t use profiles in geodesic and Spacelift

Andriy Knysh (Cloud Posse)

we provision the IAM roles which we use with Spacelift and to work with TF in geodesic

Andriy Knysh (Cloud Posse)

we can also provision SSO for access to AWS console

johncblandii

```json
    {
        "Sid": "RoleAssumeRole",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam:root",
                "arn:aws:iam:root"
            ]
        },
        "Action": [
            "sts:TagSession",
            "sts:AssumeRole"
        ],
        "Condition": {
            "StringEquals": {
                "aws:PrincipalType": "AssumedRole"
            },
            "ArnLike": {
                "aws:PrincipalArn": [
                    "arn:aws:iam:role/aws-reserved/sso.amazonaws.com*/AWSReservedSSO_AdministratorAccess_*",
                    "arn:aws:iam:role/aws-reserved/sso.amazonaws.com*/AWSReservedSSO_IdentityAdminRoleAccess_*",
                    "arn:aws:iam:role/xy-core-gbl-identity-admin",
                    "arn:aws:iam:role/xy-core-gbl-identity-spacelift"
                ]
            }
        }
    },
```

johncblandii

so this seems to say it can assume the role

johncblandii

console access w/ sso does work here

Andriy Knysh (Cloud Posse)

keep in mind that for cross-account access, you need to have permissions on both sides

johncblandii

just need to be able to run this locally to verify plans/create some infra for spacelift deploy

Andriy Knysh (Cloud Posse)

the primary role has to have a trust policy to allow the delegated (or dynamic from SSO) roles to assume it

Andriy Knysh (Cloud Posse)

the delegated (or dynamic SSO) roles need to have permission to assume the primary role

johncblandii

meaning the identity-admin, right?

johncblandii

if so, that works

johncblandii

or do you mean the [account]-admin?

Andriy Knysh (Cloud Posse)

identity-admin needs to have a trust policy to allow the dynamic SSO roles to assume it

johncblandii

yes, that’s there

johncblandii

same aws-reserved principal

Andriy Knysh (Cloud Posse)

the dynamic SSO roles need to have permissions to assume identity-admin

Andriy Knysh (Cloud Posse)

i would go to AWS console in the two accounts and check the trust policy in one and the permissions in the other (it’s also easier to manually change it until it works)

johncblandii

that’s what i was verifying and both sides look accurate

johncblandii

identity: trusts IdentityAdminRoleAccess assume + gbl-identity-admin

johncblandii

audit: trusts same from current account and identity

Andriy Knysh (Cloud Posse)

maybe you did not show everything, but this

```
aws:PrincipalArn": [
                        "arn:aws:iam::123456789:role/aws-reserved/sso.amazonaws.com*/AWSReservedSSO_AdministratorAccess_*",
                        "arn:aws:iam::123456789:role/aws-reserved/sso.amazonaws.com*/AWSReservedSSO_IdentityAdminRoleAccess_*",
                        "arn:aws:iam::987654321:role/xy-core-gbl-identity-admin",
                        "arn:aws:iam::987654321:role/xy-core-gbl-identity-spacelift"
                    ]
```

Andriy Knysh (Cloud Posse)

does not include anything about this

User: arn:aws:sts::0123456789:assumed-role/AWSReservedSSO_IdentityAdminRoleAccess_xzypdq/[email protected] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::9876543210:role/xy-core-gbl-audit-admin
johncblandii

identity sso -> xy-core-gbl-identity-admin -> audit

^ those assumes would take the last principal there, right?

johncblandii

but assume seems to ignore the 1st assume

Andriy Knysh (Cloud Posse)

i would just allow the account’s roots on both sides to assume and trust to check if it works in principle

johncblandii

ok. i’ll try that real quick

johncblandii

yeah, forcing the sso user on there from identity works so i’ll likely need to update this module to support that

johncblandii

there is aws_saml_login_enabled but not sso-specific.

johncblandii

so we basically need to duplicate this and set the account to the identity acct:

format("arn:%s:iam::%s:role/aws-reserved/sso.amazonaws.com*/AWSReservedSSO_%%s_*", local.aws_partition, module.account_map.outputs.full_account_map[acct]),
Andriy Knysh (Cloud Posse)

you can try it first in the AWS console. Once it’s working, update the component. (you can DM me or somebody else from CP to review the code together)

johncblandii

i did

johncblandii

i can upstream this as well

johncblandii

i have another PR i need to do as well to address aws-sso so it supports core-identity as an account name and still works

johncblandii

i will fill out the specifics in a little bit: https://github.com/cloudposse/terraform-aws-components/pull/567.

gotta handle a meeting

#567 SSO upgrades

johncblandii

updated description

johncblandii

oh and i’m SSO auth’d from Leapp, renamed role to the xy-core-gbl-identity which can assume role to xy-core-gbl-admin just fine

2023-02-22

Erik Osterman (Cloud Posse)

@Sean Nguyen @Christopher Pieper @Alex Siegman @mike186 @Amrutha Sunkara

2023-02-23

Sean Nguyen

We have a single administrative stack, but lately have found it takes a very long time to plan given that the # of our stacks has recently exploded (we’re at 1200+ Spacelift stacks currently).

Has anyone considered splitting their administrative stack into multiple admin stacks? Perhaps along tenant lines

Sean Nguyen

not sure if this is the right channel btw

RB

Yes, we’ve done this using context filters

RB

See the upstreamed spacelift component

Sean Nguyen

Cool! So if we’re going from a single admin stack to multiple admin stacks (per tenant), would we manually initialize the new admin stacks via the Spacelift UI?

Sean Nguyen

Or perhaps… the existing admin stack could create and manage child admin stacks??? e.g.

• infrastructure (original admin stack):
  ◦ tenant0-infrastructure
  ◦ tenant1-infrastructure
  ◦ . . .
  ◦ tenantN-infrastructure

RB

We’ve implemented the infra admin stack which creates a specific set of child stacks, policies, and spaces

We have discussed an admin stack of admin stacks which is probably the best way to do this

RB

Oh and you can also split up admin stacks by tags as well which is a recent feature added to the spacelift automation module

Erik Osterman (Cloud Posse)

(congrats on hitting 1200 stacks!)

Erik Osterman (Cloud Posse)

We have another customer up to 1500 stacks and we broke each space into its own admin stack, and organized spaces by team.

Erik Osterman (Cloud Posse)

@RB were you going to be working on creating a component for each spacelift-space? I think this was a new optimization we recently talked about. This way the spaces themselves have their own terraform state, which should further improve performance.

RB

I believe Sean mentioned he was working on one. I’d be happy to create one too

Sean Nguyen

Yeah, I wrote one which creates all of our spaces based on data out of our account-map remote-state

RB

Oh nice! I’d love to check it out. Have you considered upstreaming to terraform-aws-components?

Sean Nguyen

Yeah I definitely thought about it, but was afraid it might be too specific to our org since I also rolled in some Okta group management stuff into it as well

Sean Nguyen

Feel free to take a look (assuming y’all still have access to our monorepo)

Erik Osterman (Cloud Posse)

If you’re open to it @Sean Nguyen we can maybe generalize it. I think it relates to some work that @RB might be undertaking.

Sean Nguyen

That’s fine with me. None of what we’ve implemented is particularly fancy.

Sean Nguyen

FWIW, it might be a little more ergonomic to allow users to specify Space membership using the spacelift_space_by_path datasource (perhaps as an alternative rather than in lieu of space_id).

It seems that user-created spaces (not legacy and not root) have some suffix attached to them. For example, a user-created space with name core-dev might have a space_id which is called core-dev-01ABCDEF

Sean Nguyen
#587 Upstream `spacelift-spaces`

what

• Upstream spacelift-spaces

why

spacelift-spaces component creates Spacelift Spaces based on data from account-map remote-state.

references

https://docs.spacelift.io/concepts/spaces/

Erik Osterman (Cloud Posse)

Thanks a lot!

2023-02-24

2023-02-28

johncblandii

the only policy attached to an admin stack is TRIGGER Administrative Policy. shouldn’t it get the git push-specific policies too?

johncblandii

for context, we do not see PRs triggering admin stack runs

RB

It needs one more policy

RB

```rego
# https://spacelift.io/changelog/en/changing-the-default-stack-push-behavior
package spacelift

track {
  input.push.branch = input.stack.branch
}

propose { true }
```

johncblandii

ah, ok. i figured. the repo doesn’t have it referenced, though

johncblandii

testing it out

johncblandii

that worked. sweet. i’ll push a PR to have that updated in the README/etc (unless there is one already)

johncblandii

worker pools user-data.sh is failing to run after this log and before the next. Any ideas why this would fail to run?

```sh
  echo "Turning on swap" | tee -a /var/log/spacelift/info.log
  dd if=/dev/zero of=/swapfile bs=128M count=32 2>/var/log/spacelift/error.log
  chmod 600 /swapfile 2>/var/log/spacelift/error.log
  mkswap /swapfile 2>/var/log/spacelift/error.log
  swapon /swapfile 2>/var/log/spacelift/error.log
  swapon -s | tee -a /var/log/spacelift/info.log
```

johncblandii

```
[   92.483719] cloud-init[2707]: Turning on swap
[  115.488749] cloud-init[2707]: Feb 28 00:17:31 cloud-init[2707]: util.py[WARNING]: Failed running /var/lib/cloud/instance/scripts/user-data.sh [1]
[  115.522340] cloud-init[2707]: Feb 28 00:17:31 cloud-init[2707]: cc_scripts_user.py[WARNING]: Failed to run module scripts-user (scripts in /var/lib/cloud/instance/scripts)
[  115.526699] cloud-init[2707]: Feb 28 00:17:31 cloud-init[2707]: util.py[WARNING]: Running module scripts-user (<module 'cloudinit.config.cc_scripts_user' from '/usr/lib/python2.7/site-packages/cloudinit/config/cc_scripts_user.pyc'>) failed
```

johncblandii

pretty much a stock deploy here. nothing extra special done with it

johncblandii

yup. removed the swap lines and the worker starts up just fine

johncblandii

it seems like the first line is the culprit

dd if=/dev/zero of=/swapfile bs=128M count=32 2>/var/log/spacelift/error.log

Erik Osterman (Cloud Posse)

@Jeremy White (Cloud Posse) any ideas?

johncblandii

i tried adjusting the size of the swap and the size of the instance. neither worked

Erik Osterman (Cloud Posse)

If you ssh to the node, and run it manually what do you see?

Erik Osterman (Cloud Posse)

Maybe a small node type does not have 4GB of free space?

Erik Osterman (Cloud Posse)

(Oh disregard, I see you already tried that)

johncblandii

I haven’t set it up to ssh yet. I may do that today

johncblandii

permission error on the spacelift log file @Erik Osterman (Cloud Posse)

johncblandii

does user-data run in sudo mode by default?

johncblandii

well that didn’t work with sudo either.

```
sudo dd if=/dev/zero of=/swapfile bs=128M count=32 2>/var/log/spacelift/error.log
sh: /var/log/spacelift/error.log: Permission denied
```

johncblandii

took off the log and get this:

```
sh-4.2$ sudo dd if=/dev/zero of=/swapfile bs=128M count=32
dd: error writing '/swapfile': No space left on device
```

johncblandii

```
sh-4.2$ df
Filesystem     1K-blocks    Used Available Use% Mounted on
devtmpfs         3988388       0   3988388   0% /dev
tmpfs            3997176       0   3997176   0% /dev/shm
tmpfs            3997176     372   3996804   1% /run
tmpfs            3997176       0   3997176   0% /sys/fs/cgroup
/dev/nvme0n1p1   8376300 8375292      1008 100% /
```

johncblandii

(increasing the size, btw; should be good after)

Erik Osterman (Cloud Posse)

Ah! makes sense. Can you upstream any fixes?

johncblandii

no fix needed. it already supported a block device mapping so just added a bigger volume

johncblandii

well, i could update the README example so that’s clear. i’ll do that
