Use the -n CLI option with tmpfs mount in all sample Varnish manifests.

This is a best practice for Varnish and should be encouraged by the example configs.

Use the -n CLI option with tmpfs mount in all sample Varnish manifests.
This is a best practice for Varnish and should be encouraged by the example configs.
272ce32e · Geoff Simmons · 23bb6c6c · 272ce32e · 272ce32e · 272ce32e
Commit 272ce32e authored Mar 13, 2019 by Geoff Simmons
13 changed files
--- a/deploy/varnish.yaml
+++ b/deploy/varnish.yaml
@@ -27,6 +27,8 @@ spec:
        - name: adm-secret
          mountPath: "/var/run/varnish"
          readOnly: true
+        - name: varnish-home
+          mountPath: "/var/run/varnish-home"
        livenessProbe:
          exec:
            command:
@@ -38,6 +40,9 @@ spec:
          httpGet:
            path: /ready
            port: k8s
+        args:
+          - -n
+          - /var/run/varnish-home
      volumes:
      - name: adm-secret
        secret:
@@ -45,3 +50,6 @@ spec:
          items:
          - key: admin
            path: _.secret
+      - name: varnish-home
+        emptyDir:
+          medium: "Memory"
--- a/docs/varnish-pod-template.md
+++ b/docs/varnish-pod-template.md
@@ -44,6 +44,65 @@ for details about available options.
        - workspace_client=256k
 ```

+### Using ``-n`` to mount the Varnish home directory in tmpfs
+
+The [sample manifest](/deploy/varnish.yaml) shown in the
+[deployment instructions](/deploy/) uses the ``-n`` command-line
+option to set the Varnish home directory to a path mounted in
+tmpfs. The same configuration is used in all of the sample Varnish
+deployments shown in the [``examples/`` folder](/examples/).
+
+This is a best practice for Varnish, and is recommeneded for all
+deployments. Among other things, the home directory contains the files
+that are mapped to shared memory, used by Varnish for logging and
+statistics. The tmpfs mount ensures that there is no file I/O involved
+in any of the work that Varnish does for these purposes.
+
+The configuration for ``-n`` requires that an ``emptyDir`` volume is
+defined in the Pod template with ``medium:"Memory"`` specified in
+order to use tmpfs:
+
+```
+    spec:
+      # [...]
+      volumes:
+      # [...]
+      - name: varnish-home
+        emptyDir:
+          medium: "Memory"
+```
+
+In ``spec.container``, the path of the home directory is specified for
+the volume mount, and that path is used as the argument of the ``-n``
+option:
+
+```
+    spec:
+      containers:
+      - image: varnish-ingress/varnish
+        # [...]
+        volumeMounts:
+        # [...]
+        - name: varnish-home
+          mountPath: "/var/run/varnish-home"
+        # [...]
+        args:
+          - -n
+          - /var/run/varnish-home
+```
+
+You may of course choose a different path name. Note that this use of
+``-n`` means that other commands in the Varnish container that access
+shared memory, such as
+[``varnishlog``](https://varnish-cache.org/docs/6.1/reference/varnishlog.html),
+[``varnishstat``](https://varnish-cache.org/docs/6.1/reference/varnishstat.html)
+or
+[``varnishadm``](https://varnish-cache.org/docs/6.1/reference/varnishadm.html),
+must also be called with the ``-n`` option set to the Varnish home
+directory (for example when executed via ``kubectl exec``).
+
+### Restrictions on command-line arguments
+
 Because of the fact that the container starts with a number of options
 in order to implement the role of an Ingress, there are restrictions
 on the options that you can or should set. Some of them result in

--- a/examples/architectures/cluster-and-ns-wide/varnish-coffee.yaml
+++ b/examples/architectures/cluster-and-ns-wide/varnish-coffee.yaml
@@ -28,6 +28,8 @@ spec:
        - name: adm-secret
          mountPath: "/var/run/varnish"
          readOnly: true
+        - name: varnish-home
+          mountPath: "/var/run/varnish-home"
        livenessProbe:
          exec:
            command:
@@ -39,6 +41,9 @@ spec:
          httpGet:
            path: /ready
            port: k8s
+        args:
+          - -n
+          - /var/run/varnish-home
      volumes:
      - name: adm-secret
        secret:
@@ -46,3 +51,6 @@ spec:
          items:
          - key: admin
            path: _.secret
+      - name: varnish-home
+        emptyDir:
+          medium: "Memory"
--- a/examples/architectures/cluster-and-ns-wide/varnish-system.yaml
+++ b/examples/architectures/cluster-and-ns-wide/varnish-system.yaml
@@ -28,6 +28,8 @@ spec:
        - name: adm-secret
          mountPath: "/var/run/varnish"
          readOnly: true
+        - name: varnish-home
+          mountPath: "/var/run/varnish-home"
        livenessProbe:
          exec:
            command:
@@ -39,6 +41,9 @@ spec:
          httpGet:
            path: /ready
            port: k8s
+        args:
+          - -n
+          - /var/run/varnish-home
      volumes:
      - name: adm-secret
        secret:
@@ -46,3 +51,6 @@ spec:
          items:
          - key: admin
            path: _.secret
+      - name: varnish-home
+        emptyDir:
+          medium: "Memory"
--- a/examples/architectures/clusterwide/varnish.yaml
+++ b/examples/architectures/clusterwide/varnish.yaml
@@ -28,6 +28,8 @@ spec:
        - name: adm-secret
          mountPath: "/var/run/varnish"
          readOnly: true
+        - name: varnish-home
+          mountPath: "/var/run/varnish-home"
        livenessProbe:
          exec:
            command:
@@ -39,6 +41,9 @@ spec:
          httpGet:
            path: /ready
            port: k8s
+        args:
+          - -n
+          - /var/run/varnish-home
      volumes:
      - name: adm-secret
        secret:
@@ -46,3 +51,6 @@ spec:
          items:
          - key: admin
            path: _.secret
+      - name: varnish-home
+        emptyDir:
+          medium: "Memory"
--- a/examples/architectures/multi-controller/varnish-coffee.yaml
+++ b/examples/architectures/multi-controller/varnish-coffee.yaml
@@ -30,6 +30,8 @@ spec:
        - name: adm-secret
          mountPath: "/var/run/varnish"
          readOnly: true
+        - name: varnish-home
+          mountPath: "/var/run/varnish-home"
        livenessProbe:
          exec:
            command:
@@ -41,6 +43,9 @@ spec:
          httpGet:
            path: /ready
            port: k8s
+        args:
+          - -n
+          - /var/run/varnish-home
      volumes:
      - name: adm-secret
        secret:
@@ -48,3 +53,6 @@ spec:
          items:
          - key: admin
            path: _.secret
+      - name: varnish-home
+        emptyDir:
+          medium: "Memory"
--- a/examples/architectures/multi-controller/varnish-tea.yaml
+++ b/examples/architectures/multi-controller/varnish-tea.yaml
@@ -30,6 +30,8 @@ spec:
        - name: adm-secret
          mountPath: "/var/run/varnish"
          readOnly: true
+        - name: varnish-home
+          mountPath: "/var/run/varnish-home"
        livenessProbe:
          exec:
            command:
@@ -41,6 +43,9 @@ spec:
          httpGet:
            path: /ready
            port: k8s
+        args:
+          - -n
+          - /var/run/varnish-home
      volumes:
      - name: adm-secret
        secret:
@@ -48,3 +53,6 @@ spec:
          items:
          - key: admin
            path: _.secret
+      - name: varnish-home
+        emptyDir:
+          medium: "Memory"
--- a/examples/architectures/multi-varnish-ns/varnish-coffee.yaml
+++ b/examples/architectures/multi-varnish-ns/varnish-coffee.yaml
@@ -30,6 +30,8 @@ spec:
        - name: adm-secret
          mountPath: "/var/run/varnish"
          readOnly: true
+        - name: varnish-home
+          mountPath: "/var/run/varnish-home"
        livenessProbe:
          exec:
            command:
@@ -41,6 +43,9 @@ spec:
          httpGet:
            path: /ready
            port: k8s
+        args:
+          - -n
+          - /var/run/varnish-home
      volumes:
      - name: adm-secret
        secret:
@@ -48,3 +53,6 @@ spec:
          items:
          - key: admin
            path: _.secret
+      - name: varnish-home
+        emptyDir:
+          medium: "Memory"
--- a/examples/architectures/multi-varnish-ns/varnish-tea.yaml
+++ b/examples/architectures/multi-varnish-ns/varnish-tea.yaml
@@ -30,6 +30,8 @@ spec:
        - name: adm-secret
          mountPath: "/var/run/varnish"
          readOnly: true
+        - name: varnish-home
+          mountPath: "/var/run/varnish-home"
        livenessProbe:
          exec:
            command:
@@ -41,6 +43,9 @@ spec:
          httpGet:
            path: /ready
            port: k8s
+        args:
+          - -n
+          - /var/run/varnish-home
      volumes:
      - name: adm-secret
        secret:
@@ -48,3 +53,6 @@ spec:
          items:
          - key: admin
            path: _.secret
+      - name: varnish-home
+        emptyDir:
+          medium: "Memory"
--- a/examples/namespace/varnish.yaml
+++ b/examples/namespace/varnish.yaml
@@ -28,6 +28,8 @@ spec:
        - name: adm-secret
          mountPath: "/var/run/varnish"
          readOnly: true
+        - name: varnish-home
+          mountPath: "/var/run/varnish-home"
        livenessProbe:
          exec:
            command:
@@ -40,14 +42,8 @@ spec:
            path: /ready
            port: k8s
        args:
-        # varnishd command-line options
-        # In this example: varnishd -l 80M -p default_grace=10
-        # These are default values for the given options in Varnish 6.1.
-        # Shown here to demonstrate setting options for Varnish.
-        - -l
-        - 80M
-        - -p
-        - default_grace=10
+          - -n
+          - /var/run/varnish-home
      volumes:
      - name: adm-secret
        secret:
@@ -55,3 +51,6 @@ spec:
          items:
          - key: admin
            path: _.secret
+      - name: varnish-home
+        emptyDir:
+          medium: "Memory"
--- a/examples/varnish_pod_template/cli-args.yaml
+++ b/examples/varnish_pod_template/cli-args.yaml
@@ -27,6 +27,8 @@ spec:
        - name: adm-secret
          mountPath: "/var/run/varnish"
          readOnly: true
+        - name: varnish-home
+          mountPath: "/var/run/varnish-home"
        livenessProbe:
          exec:
            command:
@@ -42,12 +44,15 @@ spec:
        # varnishd command-line options
        # In this example:
        # varnishd -s malloc,256m -t 900 -p workspace_client=256k
-        - -s
-        - malloc,256m
-        - -t
-        - "900"
-        - -p
-        - workspace_client=256k
+        # in addition to the -n arg used for all deployments.
+          - -n
+          - /var/run/varnish-home
+          - -s
+          - malloc,256m
+          - -t
+          - "900"
+          - -p
+          - workspace_client=256k
      volumes:
      - name: adm-secret
        secret:
@@ -55,3 +60,6 @@ spec:
          items:
          - key: admin
            path: _.secret
+      - name: varnish-home
+        emptyDir:
+          medium: "Memory"
--- a/examples/varnish_pod_template/env.yaml
+++ b/examples/varnish_pod_template/env.yaml
@@ -27,6 +27,8 @@ spec:
        - name: adm-secret
          mountPath: "/var/secret"
          readOnly: true
+        - name: varnish-home
+          mountPath: "/var/run/varnish-home"
        livenessProbe:
          exec:
            command:
@@ -38,6 +40,9 @@ spec:
          httpGet:
            path: /ready
            port: k8s
+        args:
+          - -n
+          - /var/run/varnish-home
        env:
        # Use the PROXY protocol (cf. proxy.yaml).
        - name: PROTO
@@ -77,6 +82,9 @@ spec:
          items:
          - key: admin
            path: adm.secret
+      - name: varnish-home
+        emptyDir:
+          medium: "Memory"
 ---
 apiVersion: v1
 kind: Service

--- a/examples/varnish_pod_template/proxy.yaml
+++ b/examples/varnish_pod_template/proxy.yaml
@@ -27,6 +27,8 @@ spec:
        - name: adm-secret
          mountPath: "/var/run/varnish"
          readOnly: true
+        - name: varnish-home
+          mountPath: "/var/run/varnish-home"
        livenessProbe:
          exec:
            command:
@@ -38,6 +40,9 @@ spec:
          httpGet:
            path: /ready
            port: k8s
+        args:
+          - -n
+          - /var/run/varnish-home
        env:
        # PROTO=PROXY causes the listener at the http port to accept
        # the PROXY protocol (v1 or v2).
@@ -51,3 +56,6 @@ spec:
          items:
          - key: admin
            path: _.secret
+      - name: varnish-home
+        emptyDir:
+          medium: "Memory"