From 87638b868926d2ada0e0889269d1ad3017b7d934 Mon Sep 17 00:00:00 2001
From: Jason Brooks
Date: Mar 20 2018 20:15:27 +0000
Subject: * FROM f28 * Add ${STATE_DIR}/kubelet to tmpfiles * Add kubelet system-container ADDLT_MOUNTS * Update kubelet based openshift/node * Enable mount propagation in /var/lib/kubelet
---
diff --git a/Dockerfile b/Dockerfile
index a09ebf2..f7652f7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,25 +1,27 @@
-FROM registry.fedoraproject.org/kubernetes-node:rawhide
-MAINTAINER "Jason Brooks"
+FROM registry.fedoraproject.org/kubernetes-node:28
 ENV container=docker
 ENV NAME=kubernetes-kubelet VERSION=0 RELEASE=0 ARCH=x86_64
-LABEL BZComponent="$NAME" \
+LABEL bzcomponent="$NAME" \
 name="$FGC/$NAME" \
 version="$VERSION" \
 release="$RELEASE.$DISTTAG" \
 architecture="$ARCH" \
- atomic.type='system'
+ atomic.type='system' \
+ maintainer="Jason Brooks "
 # Containerized kubelet requires nsenter
-RUN dnf install -y util-linux ethtool && dnf clean all
+RUN dnf install -y --setopt=tsflags=nodocs util-linux ethtool systemd-udev e2fsprogs xfsprogs && dnf clean all
 LABEL RUN /usr/bin/docker run -d --privileged --net=host --pid=host -v /:/rootfs:ro -v /sys:/sys:rw -v /var/run:/var/run:rw -v /run:/run:rw -v /var/lib/docker:/var/lib/docker:rw -v /var/lib/kubelet:/var/lib/kubelet:slave -v /var/log/containers:/var/log/containers:rw
 COPY launch.sh /usr/bin/kubelet-docker.sh
-COPY service.template config.json.template /exports/
+COPY manifest.json tmpfiles.template service.template config.json.template /exports/
-RUN mkdir -p /exports/hostfs/etc/kubernetes && cp /etc/kubernetes/{config,kubelet} /exports/hostfs/etc/kubernetes
+RUN mkdir -p /exports/hostfs/etc/cni/net.d && \
+ mkdir -p /exports/hostfs/etc/kubernetes && \
+ cp /etc/kubernetes/{config,kubelet} /exports/hostfs/etc/kubernetes
 ENTRYPOINT ["/usr/bin/kubelet-docker.sh"]
diff --git a/config.json.template b/config.json.template
index 0e64af2..f6edd13 100644
--- a/config.json.template
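Review bot: The `LABEL RUN` line still mounts `-v /var/lib/kubelet:/var/lib/kubelet:slave`, while the new side of config.json.template in this same commit switches that mount from `rslave` to `rshared`; if mount propagation back to the host is also wanted on the `docker run` path, the flag should become `-v /var/lib/kubelet:/var/lib/kubelet:rshared`, and if the two paths are meant to differ, a one-line comment above the label should say so before someone "fixes" it. The extended `dnf install` adds `systemd-udev`, `e2fsprogs` and `xfsprogs` without version pins, and the only comment (`# Containerized kubelet requires nsenter`) explains `util-linux` alone; presumably the filesystem tools are for the kubelet formatting or checking block volumes, so extend the comment along the lines of `# util-linux: nsenter; e2fsprogs/xfsprogs: mkfs/fsck for block volumes (confirm); systemd-udev: udevadm`. The base image is now pinned to the `:28` tag rather than a digest, so rebuilds are reproducible only to the extent that tag stays immutable.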
+++ b/config.json.template
@@ -232,14 +232,12 @@
 "source": "proc"
 },
 {
+ "source": "/dev",
 "destination": "/dev",
- "type": "tmpfs",
- "source": "tmpfs",
+ "type": "bind",
 "options": [
- "nosuid",
- "strictatime",
- "mode=755",
- "size=65536k"
+ "rbind",
+ "rslave"
 ]
 },
 {
@@ -268,36 +266,24 @@
 ]
 },
 {
- "destination": "/dev/mqueue",
- "type": "mqueue",
- "source": "mqueue",
- "options": [
- "nosuid",
- "noexec",
- "nodev"
- ]
- },
- {
+ "type": "bind",
+ "source": "/sys",
 "destination": "/sys",
- "type": "sysfs",
- "source": "sysfs",
 "options": [
- "nosuid",
- "noexec",
- "nodev"
+ "rbind",
+ "rw"
 ]
 },
 {
- "destination": "/sys/fs/cgroup",
- "type": "cgroup",
- "source": "cgroup",
- "options": [
- "nosuid",
- "noexec",
- "nodev",
- "relatime",
- "ro"
- ]
+ "type": "bind",
+ "source": "/etc/cni/net.d",
+ "destination": "/etc/cni/net.d",
+ "options": [
+ "bind",
+ "slave",
+ "rw",
+ "mode=777"
+ ]
 },
 {
 "type": "bind",
@@ -310,13 +296,30 @@
 ]
 },
 {
+ "type": "bind",
+ "source": "/etc/localtime",
+ "destination": "/etc/localtime",
+ "options": [
+ "rbind",
+ "ro"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/etc/pki",
+ "destination": "/etc/pki",
+ "options": [
+ "bind",
+ "ro"
+ ]
+ },
+ {
 "destination": "/etc/resolv.conf",
 "type": "bind",
 "source": "/etc/resolv.conf",
 "options": [
 "ro",
- "rbind",
- "rprivate"
+ "bind"
 ]
 },
 {
@@ -331,8 +334,8 @@
 },
 {
 "type": "bind",
- "source": "/var/run/",
- "destination": "/var/run/",
+ "source": "/var/run/secrets",
+ "destination": "/var/run/secrets",
 "options": [
 "rbind",
 "rw",
@@ -341,7 +344,7 @@
 },
 {
 "type": "bind",
- "source": "/run",
+ "source": "${RUN_DIRECTORY}",
 "destination": "/run",
 "options": [
 "rbind",
@@ -351,7 +354,7 @@
 },
 {
 "type": "bind",
- "source": "/var/lib",
+ "source": "${STATE_DIRECTORY}",
 "destination": "/var/lib",
 "options": [
 "bind",
@@ -361,11 +364,11 @@
 },
 {
 "type": "bind",
- "source": "/var/lib/kubelet",
+ "source": "${STATE_DIRECTORY}/kubelet",
 "destination": "/var/lib/kubelet",
 "options": [
 "rbind",
- "rslave",
+ "rshared",
 "rw",
 "mode=755"
 ]
@@ -379,14 +382,24 @@
 "rw",
 "mode=755"
 ]
+ },
+ {
+ "destination": "/tmp",
+ "type": "tmpfs",
+ "source": "tmpfs",
+ "options": [
+ "mode=755",
+ "size=65536k"
+ ]
 }
+ $ADDTL_MOUNTS
 ],
 "linux": {
 "rootfsPropagation": "rslave",
 "resources": {
 "devices": [
 {
- "allow": false,
+ "allow": true,
 "access": "rwm"
 }
 ]
@@ -397,7 +410,6 @@
 }
 ],
 "devices": null,
- "apparmorProfile": "",
- "selinuxProcessLabel": ""
+ "apparmorProfile": ""
 }
 }
diff --git a/launch.sh b/launch.sh
index 4e8ea66..f7242e3 100755
--- a/launch.sh
+++ b/launch.sh
@@ -5,6 +5,6 @@ source /etc/kubernetes/config
 TEMP_KUBELET_ARGS='--cgroup-driver=systemd --cgroups-per-qos=false --enforce-node-allocatable='
-ARGS=$(echo "$@ $TEMP_KUBELET_ARGS $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBELET_API_SERVER $KUBELET_ADDRESS $KUBELET_PORT $KUBELET_HOSTNAME $KUBE_ALLOW_PRIV $KUBELET_ARGS" | xargs -n1 | sort -u -t = -k 1,1 | xargs)
+ARGS="$@ $TEMP_KUBELET_ARGS $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBELET_API_SERVER $KUBELET_ADDRESS $KUBELET_PORT $KUBELET_HOSTNAME $KUBE_ALLOW_PRIV $KUBELET_ARGS"
 exec /usr/bin/kubelet $ARGS --containerized
diff --git a/manifest.json b/manifest.json
new file mode 100644
index 0000000..1c8f6f4
--- /dev/null
+++ b/manifest.json
@@ -0,0 +1,6 @@
+{
+ "version": "1.0",
+ "defaultValues": {
+ "ADDTL_MOUNTS": ""
+ }
+}
diff --git a/tmpfiles.template b/tmpfiles.template
new file mode 100644
index 0000000..b15bfa8
--- /dev/null
+++ b/tmpfiles.template
@@ -0,0 +1,3 @@
+d ${STATE_DIRECTORY}/kubelet - - - - -
+d /var/lib/cni - - - - -
+d /var/run/secrets - - - - -
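Review bot: The device cgroup rule in the `"resources"` block becomes `"allow": true` with `"access": "rwm"` and no `type`/`major`/`minor`, which is the allow-every-device rule, and the same commit replaces the private tmpfs `/dev` and sysfs `/sys` (both previously `nosuid,noexec,nodev`) with recursive bind mounts of the host's `/dev` and a read-write `/sys`, and removes `selinuxProcessLabel`. These are presumably needed for the kubelet to attach and format block volumes (the Dockerfile adds e2fsprogs/xfsprogs in this commit), but each one widens what a compromised kubelet process can reach on the host, and since config.json has no comment syntax the rationale per item belongs in the commit body or README; if only block devices are needed, a rule with `"type": "b"` would be narrower than the unqualified allow. The new `/etc/cni/net.d` entry carries `"mode=777"` where its neighbours use `"mode=755"`; `mode=` is mount data that a bind mount does not honour, so this setting does not make the directory world-writable but does read as if that were intended, and should match its siblings unless a documented reason exists. The `${STATE_DIRECTORY}/kubelet` mount switching to `rshared` is the propagation change the subject announces and is consistent with `"rootfsPropagation": "rslave"`.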
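Review bot: The rewritten `ARGS=` line drops the `xargs -n1 | sort -u -t = -k 1,1 | xargs` pipeline, so a flag that appears both in `$@` and in `$KUBELET_ARGS` (or the fixed `TEMP_KUBELET_ARGS`) now reaches the kubelet twice; presumably the pipeline was removed because `sort -u` kept an arbitrary one of the duplicates and reordered all arguments, but the new behaviour deserves a comment, e.g. `# flags are passed verbatim; a flag repeated across $@ and $KUBELET_ARGS is passed twice (a later scalar flag normally wins; list-valued flags may accumulate — confirm against the kubelet version)`. The unchanged `exec /usr/bin/kubelet $ARGS --containerized` relies on word splitting of the unquoted variable, which also subjects it to pathname expansion, so a `set -f` before the `exec` keeps values containing `*` or `?` intact. `/etc/kubernetes/config`, which supplies the other variables, is sourced on a line outside the hunk.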