From d3dc36e1463106b7323a248441ff39914d1666e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?= Date: Mon, 31 Aug 2020 20:00:06 +0200 Subject: [PATCH 1/6] Clean up the docker installation Remove local things from kind, replace with packages. Use the "clean-install" script for a nicer Dockerfile. --- deploy/kicbase/Dockerfile | 46 ++++++++++++++++++++++++--------------- 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/deploy/kicbase/Dockerfile b/deploy/kicbase/Dockerfile index 776a03601397..eb5a355d5c8f 100644 --- a/deploy/kicbase/Dockerfile +++ b/deploy/kicbase/Dockerfile 
@@ -4,39 +4,54 @@ ARG COMMIT_SHA # could be changed to any debian that can run systemd FROM kindest/base:v20200430-2c0eee40 as base USER root -# specify version of everything explicitly using 'apt-cache policy' -RUN apt-get update && apt-get install -y --no-install-recommends \ + +# remove files that were installed by kind, replaced by packages +RUN rm \ + /etc/crictl.yaml \ + /etc/systemd/system/multi-user.target.wants/containerd.service \ + /opt/cni/bin/host-local \ + /opt/cni/bin/loopback \ + /opt/cni/bin/portmap \ + /opt/cni/bin/ptp \ + /usr/local/bin/containerd \ + /usr/local/bin/containerd-shim \ + /usr/local/bin/containerd-shim-runc-v2 \ + /usr/local/bin/crictl \ + /usr/local/bin/ctr \ + /usr/local/sbin/runc + +# install system requirements from the regular distro repositories +RUN clean-install \ lz4 \ gnupg \ sudo \ docker.io \ + containerd \ openssh-server \ dnsutils \ runc \ # libglib2.0-0 is required for conmon, which is required for podman - libglib2.0-0 \ - # removing kind's crictl config - && rm /etc/crictl.yaml + libglib2.0-0 # Install cri-o/podman dependencies: RUN sh -c "echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list" && \ curl -LO https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_20.04/Release.key && \ - apt-key add - < Release.key && apt-get update && \ - apt-get install -y --no-install-recommends containers-common catatonit conmon containernetworking-plugins podman-plugins varlink + apt-key add - < Release.key && \ + clean-install containers-common catatonit conmon containernetworking-plugins cri-tools podman-plugins varlink # install cri-o based on https://github.com/cri-o/cri-o/commit/96b0c34b31a9fc181e46d7d8e34fb8ee6c4dc4e1#diff-04c6e90faac2675aa89e2176d2eec7d8R128 RUN sh -c "echo 'deb 
http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.18:/1.18.3/xUbuntu_20.04/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list" && \ curl -LO https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.18:/1.18.3/xUbuntu_20.04/Release.key && \ - apt-key add - < Release.key && apt-get update && \ - apt-get install -y --no-install-recommends cri-o=1.18.3~3 + apt-key add - < Release.key && \ + clean-install cri-o=1.18.3~3 # install podman RUN sh -c "echo 'deb https://dl.bintray.com/afbjorklund/podman focal main' > /etc/apt/sources.list.d/podman.list" && \ curl -L https://bintray.com/user/downloadSubjectPublicKey?username=afbjorklund -o afbjorklund-public.key.asc && \ - apt-key add - < afbjorklund-public.key.asc && apt-get update && \ - apt-get install -y --no-install-recommends podman=1.9.3~1 + apt-key add - < afbjorklund-public.key.asc && \ + clean-install podman=1.9.3~1 -RUN mkdir -p /usr/lib/cri-o-runc/sbin && cp /usr/local/sbin/runc /usr/lib/cri-o-runc/sbin/runc +RUN mkdir -p /usr/lib/cri-o-runc/sbin && cp /usr/sbin/runc /usr/lib/cri-o-runc/sbin/runc COPY entrypoint /usr/local/bin/entrypoint # automount service @@ -71,12 +86,7 @@ USER root # https://github.com/kubernetes-sigs/kind/blob/master/images/base/files/usr/local/bin/entrypoint RUN mkdir -p /kind # Deleting leftovers -RUN apt-get clean -y && rm -rf \ - /var/cache/debconf/* \ - /var/lib/apt/lists/* \ - /var/log/* \ - /tmp/* \ - /var/tmp/* \ +RUN rm -rf \ /usr/share/doc/* \ /usr/share/man/* \ /usr/share/local/* \ From 90566878443ddcd90930638325228b3e5978ac37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?= Date: Sun, 27 Sep 2020 15:14:01 +0200 Subject: [PATCH 2/6] Also remove the extra containerd configuration --- deploy/kicbase/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy/kicbase/Dockerfile b/deploy/kicbase/Dockerfile index eb5a355d5c8f..f7045f1d7ab0 100644 
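Review bot: The new `clean-install` block installs `docker.io`, `containerd`, `runc` and `cri-tools` unpinned while the old comment demanding explicit versions from `apt-cache policy` is dropped; only `cri-o=1.18.3~3` and `podman=1.9.3~1` keep a version, so two builds of this Dockerfile can ship different runtimes, and the later `cp /usr/sbin/runc /usr/lib/cri-o-runc/sbin/runc` silently inherits whichever runc happened to be current. Either pin them the same way (`docker.io=<ver> containerd=<ver> runc=<ver> cri-tools=<ver>`) or keep a comment stating that these are meant to float with the distro. The three `apt-key add` lines on the new side still put third-party keys into the global trusted keyring, so the kubic key and the personal bintray key can sign any repository, not only their own; writing each key to `/usr/share/keyrings/<name>.gpg` and adding `[signed-by=/usr/share/keyrings/<name>.gpg]` to the matching sources.list line would scope that trust. The podman repository is a personal bintray account, which deserves a comment on why it is trusted for a base image.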
--- a/deploy/kicbase/Dockerfile +++ b/deploy/kicbase/Dockerfile @@ -8,6 +8,7 @@ USER root # remove files that were installed by kind, replaced by packages RUN rm \ /etc/crictl.yaml \ + /etc/systemd/system/containerd.service \ /etc/systemd/system/multi-user.target.wants/containerd.service \ /opt/cni/bin/host-local \ /opt/cni/bin/loopback \ From 85f8d057570eac829767615407f6dd9ba7209c31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?= Date: Sat, 12 Sep 2020 12:34:51 +0200 Subject: [PATCH 3/6] Fork all files needed for kindbase from upstream This is for reference, to be able to combine them --- Makefile | 11 +- deploy/kicbase/Dockerfile | 2 +- deploy/kindbase/Dockerfile | 122 +++++++++ deploy/kindbase/files/etc/crictl.yaml | 1 + .../etc/sysctl.d/10-network-security.conf | 4 + .../etc/systemd/system/containerd.service | 29 +++ .../files/usr/local/bin/clean-install | 39 +++ .../kindbase/files/usr/local/bin/entrypoint | 235 ++++++++++++++++++ 8 files changed, 441 insertions(+), 2 deletions(-) create mode 100644 deploy/kindbase/Dockerfile create mode 100644 deploy/kindbase/files/etc/crictl.yaml create mode 100644 deploy/kindbase/files/etc/sysctl.d/10-network-security.conf create mode 100644 deploy/kindbase/files/etc/systemd/system/containerd.service create mode 100755 deploy/kindbase/files/usr/local/bin/clean-install create mode 100755 deploy/kindbase/files/usr/local/bin/entrypoint diff --git a/Makefile b/Makefile index 2a87f19f67d6..98e4b3c1e092 100644 --- a/Makefile +++ b/Makefile @@ -20,6 +20,7 @@ RAW_VERSION=$(VERSION_MAJOR).$(VERSION_MINOR).$(VERSION_BUILD) VERSION ?= v$(RAW_VERSION) KUBERNETES_VERSION ?= $(shell egrep "DefaultKubernetesVersion =" pkg/minikube/constants/constants.go | cut -d \" -f2) +KIND_VERSION ?= v20200430-2c0eee40 KIC_VERSION ?= $(shell egrep "Version =" pkg/drivers/kic/types.go | cut -d \" -f2) # Default to .0 for higher cache hit rates, as build increments typically don't require new ISO versions 
@@ -47,6 +48,7 @@ BUILD_IMAGE ?= us.gcr.io/k8s-artifacts-prod/build-image/kube-cross:v$(GO_VERSIO ISO_BUILD_IMAGE ?= $(REGISTRY)/buildroot-image KVM_BUILD_IMAGE ?= $(REGISTRY)/kvm-build-image:$(GO_VERSION) +KIND_BASE_IMAGE_GCR ?= $(REGISTRY)/kindbase:$(KIND_VERSION) KIC_BASE_IMAGE_GCR ?= $(REGISTRY)/kicbase:$(KIC_VERSION) KIC_BASE_IMAGE_GH ?= $(REGISTRY_GH)/kicbase:$(KIC_VERSION) KIC_BASE_IMAGE_HUB ?= kicbase/stable:$(KIC_VERSION) @@ -576,8 +578,15 @@ endif storage-provisioner-image: out/storage-provisioner-$(GOARCH) ## Build storage-provisioner docker image docker build -t $(STORAGE_PROVISIONER_IMAGE) -f deploy/storage-provisioner/Dockerfile --build-arg arch=$(GOARCH) . +.PHONY: kind-base-image +kind-base-image: ## builds the base image used for kind. + docker rmi -f $(KIND_BASE_IMAGE_GCR)-snapshot || true + docker build -f ./deploy/kindbase/Dockerfile -t local/kindbase:$(KIND_VERSION)-snapshot ./deploy/kindbase + docker tag local/kindbase:$(KIND_VERSION)-snapshot $(KIND_BASE_IMAGE_GCR)-snapshot + docker tag local/kindbase:$(KIND_VERSION)-snapshot $(KIND_BASE_IMAGE_GCR) + .PHONY: kic-base-image -kic-base-image: ## builds the base image used for kic. +kic-base-image: kind-base-image ## builds the base image used for kic. docker rmi -f $(KIC_BASE_IMAGE_GCR)-snapshot || true docker build -f ./deploy/kicbase/Dockerfile -t local/kicbase:$(KIC_VERSION)-snapshot --build-arg COMMIT_SHA=${VERSION}-$(COMMIT) --cache-from $(KIC_BASE_IMAGE_GCR) --target base ./deploy/kicbase docker tag local/kicbase:$(KIC_VERSION)-snapshot $(KIC_BASE_IMAGE_GCR)-snapshot diff --git a/deploy/kicbase/Dockerfile b/deploy/kicbase/Dockerfile index f7045f1d7ab0..00ee69d6af5a 100644 --- a/deploy/kicbase/Dockerfile +++ b/deploy/kicbase/Dockerfile 
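Review bot: `kind-base-image` tags the local build as `$(KIND_BASE_IMAGE_GCR)`, the same `gcr.io/k8s-minikube/kindbase:$(KIND_VERSION)` name the kicbase `FROM` line pulls, so a stale or tampered local image under the registry name shadows whatever was actually published and also satisfies the `--cache-from` lookup in `kic-base-image`. `KIND_VERSION ?= v20200430-2c0eee40` reuses kind's upstream tag for a fork whose content differs, which makes it impossible to tell from an image name which Dockerfile produced it; a version derived from this repository (commit or date, the way `KIC_VERSION` already is) would avoid that. Patch 5/6 in this series deletes the target again, so this may be moot for the final state.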
@@ -2,7 +2,7 @@ ARG COMMIT_SHA
 # using base image created by kind https://github.com/kubernetes-sigs/kind/blob/v0.8.1/images/base/Dockerfile
 # which is an ubuntu 20.04 with an entry-point that helps running systemd
 # could be changed to any debian that can run systemd
-FROM kindest/base:v20200430-2c0eee40 as base
+FROM gcr.io/k8s-minikube/kindbase:v20200430-2c0eee40 as base
 USER root
 
 # remove files that were installed by kind, replaced by packages
diff --git a/deploy/kindbase/Dockerfile b/deploy/kindbase/Dockerfile
new file mode 100644
index 000000000000..d03bb0a62e4a
--- /dev/null
+++ b/deploy/kindbase/Dockerfile
@@ -0,0 +1,122 @@ +# Copyright 2018 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# kind node base image +# +# For systemd + docker configuration used below, see the following references: +# https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/ + +# start from ubuntu 19.10, this image is reasonably small as a starting point +# for a kubernetes node image, it doesn't contain much we don't need +FROM ubuntu:20.04 + +# Configure containerd and runc binaries from kind-ci/containerd-nightlies repository +# The repository contains latest stable releases and nightlies built for multiple architectures +ARG CONTAINERD_VERSION="v1.3.3-14-g449e9269" +# Configure CNI binaries from upstream +ARG CNI_VERSION="v0.8.5" +# Configure crictl binary from upstream +ARG CRICTL_VERSION="v1.18.0" + +# copy in static files (configs, scripts) +COPY files/ / + +# Install dependencies, first from apt, then from release tarballs. +# NOTE: we use one RUN to minimize layers. +# +# First we must ensure that our util scripts are executable. +# +# The base image already has: ssh, apt, snapd, but we need to install more packages. 
+# Packages installed are broken down into (each on a line): +# - packages needed to run services (systemd) +# - packages needed for kubernetes components +# - packages needed by the container runtime +# - misc packages kind uses itself +# After installing packages we cleanup by: +# - removing unwanted systemd services +# - disabling kmsg in journald (these log entries would be confusing) +# +# Then we install containerd from our nightly build infrastructure, as this +# build for multiple architectures and allows us to upgrade to patched releases +# more quickly. +# +# Next we download and extract crictl and CNI plugin binaries from upstream. +# +# Next we ensure the /etc/kubernetes/manifests directory exists. Normally +# a kubeadm debain / rpm package would ensure that this exists but we install +# freshly built binaries directly when we build the node image. +# +# Finally we adjust tempfiles cleanup to be 1 minute after "boot" instead of 15m +# This is plenty after we've done initial setup for a node, but before we are +# likely to try to export logs etc. +RUN echo "Ensuring scripts are executable ..." \ + && chmod +x /usr/local/bin/clean-install /usr/local/bin/entrypoint \ + && echo "Installing Packages ..." 
\ + && DEBIAN_FRONTEND=noninteractive clean-install \ + systemd \ + conntrack iptables iproute2 ethtool socat util-linux mount ebtables udev kmod \ + libseccomp2 \ + bash ca-certificates curl rsync \ + && find /lib/systemd/system/sysinit.target.wants/ -name "systemd-tmpfiles-setup.service" -delete \ + && rm -f /lib/systemd/system/multi-user.target.wants/* \ + && rm -f /etc/systemd/system/*.wants/* \ + && rm -f /lib/systemd/system/local-fs.target.wants/* \ + && rm -f /lib/systemd/system/sockets.target.wants/*udev* \ + && rm -f /lib/systemd/system/sockets.target.wants/*initctl* \ + && rm -f /lib/systemd/system/basic.target.wants/* \ + && echo "ReadKMsg=no" >> /etc/systemd/journald.conf \ + && ln -s "$(which systemd)" /sbin/init \ + && echo "Installing containerd ..." \ + && export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm/') \ + && export CONTAINERD_BASE_URL="https://github.com/kind-ci/containerd-nightlies/releases/download/containerd-${CONTAINERD_VERSION#v}" \ + && curl -sSL --retry 5 --output /tmp/containerd.tgz "${CONTAINERD_BASE_URL}/containerd-${CONTAINERD_VERSION#v}.linux-${ARCH}.tar.gz" \ + && tar -C /usr/local -xzvf /tmp/containerd.tgz \ + && rm -rf /tmp/containerd.tgz \ + && rm -f /usr/local/bin/containerd-stress /usr/local/bin/containerd-shim-runc-v1 \ + && curl -sSL --retry 5 --output /usr/local/sbin/runc "${CONTAINERD_BASE_URL}/runc.${ARCH}" \ + && chmod 755 /usr/local/sbin/runc \ + && containerd --version \ + && systemctl enable containerd \ + && echo "Installing crictl ..." \ + && curl -fSL "https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-${ARCH}.tar.gz" | tar xzC /usr/local/bin \ + && echo "Installing CNI binaries ..." 
\ + && export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm/') \ + && export CNI_TARBALL="${CNI_VERSION}/cni-plugins-linux-${ARCH}-${CNI_VERSION}.tgz" \ + && export CNI_URL="https://github.com/containernetworking/plugins/releases/download/${CNI_TARBALL}" \ + && curl -sSL --retry 5 --output /tmp/cni.tgz "${CNI_URL}" \ + && mkdir -p /opt/cni/bin \ + && tar -C /opt/cni/bin -xzf /tmp/cni.tgz \ + && rm -rf /tmp/cni.tgz \ + && find /opt/cni/bin -type f -not \( \ + -iname host-local \ + -o -iname ptp \ + -o -iname portmap \ + -o -iname loopback \ + \) \ + -delete \ + && echo "Ensuring /etc/kubernetes/manifests" \ + && mkdir -p /etc/kubernetes/manifests \ + && echo "Adjusting systemd-tmpfiles timer" \ + && sed -i /usr/lib/systemd/system/systemd-tmpfiles-clean.timer -e 's#OnBootSec=.*#OnBootSec=1min#' \ + && echo "Modifying /etc/nsswitch.conf to prefer hosts" \ + && sed -i /etc/nsswitch.conf -re 's#^(hosts:\s*).*#\1dns files#' + +# tell systemd that it is in docker (it will check for the container env) +# https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/ +ENV container docker +# systemd exits on SIGRTMIN+3, not SIGTERM (which re-executes it) +# https://bugzilla.redhat.com/show_bug.cgi?id=1201657 +STOPSIGNAL SIGRTMIN+3 +# NOTE: this is *only* for documentation, the entrypoint is overridden later +ENTRYPOINT [ "/usr/local/bin/entrypoint", "/sbin/init" ] diff --git a/deploy/kindbase/files/etc/crictl.yaml b/deploy/kindbase/files/etc/crictl.yaml new file mode 100644 index 000000000000..1a5daba3b929 --- /dev/null +++ b/deploy/kindbase/files/etc/crictl.yaml @@ -0,0 +1 @@ +runtime-endpoint: unix:///var/run/containerd/containerd.sock \ No newline at end of file diff --git a/deploy/kindbase/files/etc/sysctl.d/10-network-security.conf b/deploy/kindbase/files/etc/sysctl.d/10-network-security.conf new file mode 100644 index 000000000000..3d9c71c3e764 --- /dev/null +++ b/deploy/kindbase/files/etc/sysctl.d/10-network-security.conf 
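Review bot: The containerd, runc, crictl and CNI downloads in this RUN step are trusted on TLS alone: nothing compares them against a known SHA256, and the runc fetch `curl -sSL --retry 5 --output /usr/local/sbin/runc ...` lacks `-f`, so a 404 page would be written out and `chmod 755`'d as the runtime binary (the `containerd --version` check only covers containerd). Pass `-f` on every curl and verify each artefact, e.g. `echo "${RUNC_SHA256}  /usr/local/sbin/runc" | sha256sum -c -`, with the digests as build ARGs next to the versions. Patch 5/6 removes this file and replaces the downloads with distro packages in kicbase, so this matters for as long as the forked file is built.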
@@ -0,0 +1,4 @@ +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks. +net.ipv4.conf.default.rp_filter=1 +net.ipv4.conf.all.rp_filter=1 diff --git a/deploy/kindbase/files/etc/systemd/system/containerd.service b/deploy/kindbase/files/etc/systemd/system/containerd.service new file mode 100644 index 000000000000..fb97bf814ca6 --- /dev/null +++ b/deploy/kindbase/files/etc/systemd/system/containerd.service @@ -0,0 +1,29 @@ +# derived containerd systemd service file from the official: +# https://github.com/containerd/containerd/blob/master/containerd.service +[Unit] +Description=containerd container runtime +Documentation=https://containerd.io +After=network.target +# disable rate limiting +StartLimitIntervalSec=0 + +[Service] +ExecStartPre=-/sbin/modprobe overlay +ExecStart=/usr/local/bin/containerd +Restart=always +RestartSec=1 + +Delegate=yes +KillMode=process +Restart=always +# Having non-zero Limit*s causes performance problems due to accounting overhead +# in the kernel. We recommend using cgroups to do container-local accounting. +LimitNPROC=infinity +LimitCORE=infinity +LimitNOFILE=1048576 +# Comment TasksMax if your systemd version does not supports it. +# Only systemd 226 and above support this version. +TasksMax=infinity + +[Install] +WantedBy=multi-user.target diff --git a/deploy/kindbase/files/usr/local/bin/clean-install b/deploy/kindbase/files/usr/local/bin/clean-install new file mode 100755 index 000000000000..33b3238b7518 --- /dev/null +++ b/deploy/kindbase/files/usr/local/bin/clean-install 
@@ -0,0 +1,39 @@ +#!/bin/sh + +# Copyright 2017 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# A script encapsulating a common Dockerimage pattern for installing packages +# and then cleaning up the unnecessary install artifacts. +# e.g. clean-install iptables ebtables conntrack + +set -o errexit + +if [ $# = 0 ]; then + echo >&2 "No packages specified" + exit 1 +fi + +apt-get update +apt-get install -y --no-install-recommends "$@" +apt-get clean -y +rm -rf \ + /var/cache/debconf/* \ + /var/lib/apt/lists/* \ + /var/log/* \ + /tmp/* \ + /var/tmp/* \ + /usr/share/doc/* \ + /usr/share/man/* \ + /usr/share/local/* diff --git a/deploy/kindbase/files/usr/local/bin/entrypoint b/deploy/kindbase/files/usr/local/bin/entrypoint new file mode 100755 index 000000000000..98dc77022a5b --- /dev/null +++ b/deploy/kindbase/files/usr/local/bin/entrypoint 
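Review bot: `clean-install` is copied to `/usr/local/bin` and stays in the image, but every invocation wipes `/var/log/*`, `/tmp/*` and `/var/tmp/*` wholesale, which is only safe during image build; run on a live node it destroys logs and scratch files of running services. If nothing needs it at runtime, delete it after the last `RUN clean-install` in the Dockerfile, or guard the cleanup behind a build-only marker. `set -o errexit` stops on a failed `apt-get`, but `rm -rf` with an unmatched glob is silent, so the `/usr/share/local/*` entry copied from kind is presumably a no-op rather than a reference to `/usr/share/locale/*`; a comment saying which is intended would help.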
@@ -0,0 +1,235 @@ +#!/bin/bash + +# Copyright 2019 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit +set -o nounset +set -o pipefail + +fix_mount() { + echo 'INFO: ensuring we can execute /bin/mount even with userns-remap' + # necessary only when userns-remap is enabled on the host, but harmless + # The binary /bin/mount should be owned by root and have the setuid bit + chown root:root /bin/mount + chmod -s /bin/mount + + # This is a workaround to an AUFS bug that might cause `Text file + # busy` on `mount` command below. See more details in + # https://github.com/moby/moby/issues/9547 + if [[ "$(stat -f -c %T /bin/mount)" == 'aufs' ]]; then + echo 'INFO: detected aufs, calling sync' >&2 + sync + fi + + echo 'INFO: remounting /sys read-only' + # systemd-in-a-container should have read only /sys + # https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/ + # however, we need other things from `docker run --privileged` ... + # and this flag also happens to make /sys rw, amongst other things + mount -o remount,ro /sys + + echo 'INFO: making mounts shared' >&2 + # for mount propagation + mount --make-rshared / +} + +fix_cgroup() { + echo 'INFO: fix cgroup mounts for all subsystems' + # For each cgroup subsystem, Docker does a bind mount from the current + # cgroup to the root of the cgroup subsystem. 
For instance: + # /sys/fs/cgroup/memory/docker/ -> /sys/fs/cgroup/memory + # + # This will confuse Kubelet and cadvisor and will dump the following error + # messages in kubelet log: + # `summary_sys_containers.go:47] Failed to get system container stats for ".../kubelet.service"` + # + # This is because `/proc//cgroup` is not affected by the bind mount. + # The following is a workaround to recreate the original cgroup + # environment by doing another bind mount for each subsystem. + local docker_cgroup_mounts + docker_cgroup_mounts=$(grep /sys/fs/cgroup /proc/self/mountinfo | grep docker || true) + if [[ -n "${docker_cgroup_mounts}" ]]; then + local docker_cgroup cgroup_subsystems subsystem + docker_cgroup=$(echo "${docker_cgroup_mounts}" | head -n 1 | cut -d' ' -f 4) + cgroup_subsystems=$(echo "${docker_cgroup_mounts}" | cut -d' ' -f 5) + echo "${cgroup_subsystems}" | + while IFS= read -r subsystem; do + mkdir -p "${subsystem}${docker_cgroup}" + mount --bind "${subsystem}" "${subsystem}${docker_cgroup}" + done + fi +} + +fix_machine_id() { + # Deletes the machine-id embedded in the node image and generates a new one. + # This is necessary because both kubelet and other components like weave net + # use machine-id internally to distinguish nodes. + echo 'INFO: clearing and regenerating /etc/machine-id' >&2 + rm -f /etc/machine-id + systemd-machine-id-setup +} + +fix_product_name() { + # this is a small fix to hide the underlying hardware and fix issue #426 + # https://github.com/kubernetes-sigs/kind/issues/426 + if [[ -f /sys/class/dmi/id/product_name ]]; then + echo 'INFO: faking /sys/class/dmi/id/product_name to be "kind"' >&2 + echo 'kind' > /kind/product_name + mount -o ro,bind /kind/product_name /sys/class/dmi/id/product_name + fi +} + +fix_product_uuid() { + # The system UUID is usually read from DMI via sysfs, the problem is that + # in the kind case this means that all (container) nodes share the same + # system/product uuid, as they share the same DMI. 
+ # Note: The UUID is read from DMI, this tool is overwriting the sysfs files + # which should fix the attached issue, but this workaround does not address + # the issue if a tool is reading directly from DMI. + # https://github.com/kubernetes-sigs/kind/issues/1027 + [[ ! -f /kind/product_uuid ]] && cat /proc/sys/kernel/random/uuid > /kind/product_uuid + if [[ -f /sys/class/dmi/id/product_uuid ]]; then + echo 'INFO: faking /sys/class/dmi/id/product_uuid to be random' >&2 + mount -o ro,bind /kind/product_uuid /sys/class/dmi/id/product_uuid + fi + if [[ -f /sys/devices/virtual/dmi/id/product_uuid ]]; then + echo 'INFO: faking /sys/devices/virtual/dmi/id/product_uuid as well' >&2 + mount -o ro,bind /kind/product_uuid /sys/devices/virtual/dmi/id/product_uuid + fi +} + +fix_kmsg() { + # In environments where /dev/kmsg is not available, the kubelet (1.15+) won't + # start because it cannot open /dev/kmsg when starting the kmsgparser in the + # OOM parser. + # To support those environments, we link /dev/kmsg to /dev/console. + # https://github.com/kubernetes-sigs/kind/issues/662 + if [[ ! -e /dev/kmsg ]]; then + if [[ -e /dev/console ]]; then + echo 'WARN: /dev/kmsg does not exist, symlinking /dev/console' >&2 + ln -s /dev/console /dev/kmsg + else + echo 'WARN: /dev/kmsg does not exist, nor does /dev/console!' 
>&2 + fi + fi +} + +configure_proxy() { + # ensure all processes receive the proxy settings by default + # https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html + mkdir -p /etc/systemd/system.conf.d/ + cat </etc/systemd/system.conf.d/proxy-default-environment.conf +[Manager] +DefaultEnvironment="HTTP_PROXY=${HTTP_PROXY:-}" "HTTPS_PROXY=${HTTPS_PROXY:-}" "NO_PROXY=${NO_PROXY:-}" +EOF +} + +select_iptables() { + # based on: https://github.com/kubernetes/kubernetes/blob/ffe93b3979486feb41a0f85191bdd189cbd56ccc/build/debian-iptables/iptables-wrapper + local mode=nft + num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l || true) + if [ "${num_legacy_lines}" -ge 10 ]; then + mode=legacy + else + num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep '^-' | wc -l || true) + if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then + mode=legacy + fi + fi + + echo "INFO: setting iptables to detected mode: ${mode}" >&2 + update-alternatives --set iptables "/usr/sbin/iptables-${mode}" > /dev/null + update-alternatives --set ip6tables "/usr/sbin/ip6tables-${mode}" > /dev/null +} + +enable_network_magic(){ + # well-known docker embedded DNS is at 127.0.0.11:53 + local docker_embedded_dns_ip='127.0.0.11' + + # first we need to detect an IP to use for reaching the docker host + local docker_host_ip + docker_host_ip="$( (getent ahostsv4 'host.docker.internal' | head -n1 | cut -d' ' -f1) || true)" + if [[ -z "${docker_host_ip}" ]]; then + docker_host_ip=$(ip -4 route show default | cut -d' ' -f3) + fi + + # patch docker's iptables rules to switch out the DNS IP + iptables-save \ + | sed \ + `# switch docker DNS DNAT rules to our chosen IP` \ + -e "s/-d ${docker_embedded_dns_ip}/-d ${docker_host_ip}/g" \ + `# we need to also apply these rules to non-local traffic (from pods)` \ + -e 's/-A OUTPUT \(.*\) -j DOCKER_OUTPUT/\0\n-A PREROUTING \1 -j 
DOCKER_OUTPUT/' \ + `# switch docker DNS SNAT rules rules to our chosen IP` \ + -e "s/--to-source :53/--to-source ${docker_host_ip}:53/g"\ + | iptables-restore + + # now we can ensure that DNS is configured to use our IP + cp /etc/resolv.conf /etc/resolv.conf.original + sed -e "s/${docker_embedded_dns_ip}/${docker_host_ip}/g" /etc/resolv.conf.original >/etc/resolv.conf + + # fixup IPs in manifests ... + curr_ipv4="$( (getent ahostsv4 $(hostname) | head -n1 | cut -d' ' -f1) || true)" + echo "INFO: Detected IPv4 address: ${curr_ipv4}" >&2 + if [ -f /kind/old-ipv4 ]; then + old_ipv4=$(cat /kind/old-ipv4) + echo "INFO: Detected old IPv4 address: ${old_ipv4}" >&2 + # sanity check that we have a current address + if [[ -z $curr_ipv4 ]]; then + echo "ERROR: Have an old IPv4 address but no current IPv4 address (!)" >&2 + exit 1 + fi + # kubernetes manifests are only present on control-plane nodes + sed -i "s#${old_ipv4}#${curr_ipv4}#" /etc/kubernetes/manifests/*.yaml || true + # this is no longer required with autodiscovery + sed -i "s#${old_ipv4}#${curr_ipv4}#" /var/lib/kubelet/kubeadm-flags.env || true + fi + if [[ -n $curr_ipv4 ]]; then + echo -n "${curr_ipv4}" >/kind/old-ipv4 + fi + + # do IPv6 + curr_ipv6="$( (getent ahostsv6 $(hostname) | head -n1 | cut -d' ' -f1) || true)" + echo "INFO: Detected IPv6 address: ${curr_ipv6}" >&2 + if [ -f /kind/old-ipv6 ]; then + old_ipv6=$(cat /kind/old-ipv6) + echo "INFO: Detected old IPv6 address: ${old_ipv6}" >&2 + # sanity check that we have a current address + if [[ -z $curr_ipv6 ]]; then + echo "ERROR: Have an old IPv6 address but no current IPv6 address (!)" >&2 + fi + # kubernetes manifests are only present on control-plane nodes + sed -i "s#${old_ipv6}#${curr_ipv6}#" /etc/kubernetes/manifests/*.yaml || true + # this is no longer required with autodiscovery + sed -i "s#${old_ipv6}#${curr_ipv6}#" /var/lib/kubelet/kubeadm-flags.env || true + fi + if [[ -n $curr_ipv6 ]]; then + echo -n "${curr_ipv6}" >/kind/old-ipv6 + fi +} + +# 
run pre-init fixups +fix_kmsg +fix_mount +fix_cgroup +fix_machine_id +fix_product_name +fix_product_uuid +configure_proxy +select_iptables +enable_network_magic + +# we want the command (expected to be systemd) to be PID1, so exec to it +exec "$@" From a4e4a719ba3f775ba0563d7a12913ce3af367463 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?= Date: Sat, 12 Sep 2020 12:40:16 +0200 Subject: [PATCH 4/6] Specify snapshot version of ubuntu used for kind Also fix the 19.10 comment, it hadn't been updated --- deploy/kindbase/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/kindbase/Dockerfile b/deploy/kindbase/Dockerfile index d03bb0a62e4a..bdd3b38c846b 100644 --- a/deploy/kindbase/Dockerfile +++ b/deploy/kindbase/Dockerfile @@ -17,9 +17,9 @@ # For systemd + docker configuration used below, see the following references: # https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/ -# start from ubuntu 19.10, this image is reasonably small as a starting point +# start from ubuntu 20.04, this image is reasonably small as a starting point # for a kubernetes node image, it doesn't contain much we don't need -FROM ubuntu:20.04 +FROM ubuntu:focal-20200423 # Configure containerd and runc binaries from kind-ci/containerd-nightlies repository # The repository contains latest stable releases and nightlies built for multiple architectures From 8a18334cba52db1b960060dd0020f54b6e7c352d Mon Sep 17 00:00:00 2001 
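Review bot: In `enable_network_magic` the IPv6 branch logs `ERROR: Have an old IPv6 address but no current IPv6 address (!)` but, unlike the IPv4 branch, does not `exit 1`, so with `curr_ipv6` empty the following `sed -i "s#${old_ipv6}#${curr_ipv6}#"` strips the old address out of the manifests and `kubeadm-flags.env` instead of replacing it; add the `exit 1` (or a `return`) before the sed calls. The comment in `fix_mount` says `/bin/mount` should have the setuid bit while the next line runs `chmod -s /bin/mount`, which removes it; the comment should say the bit is dropped because everything here already runs as root. This is a verbatim fork of kind's entrypoint, so both points are inherited rather than introduced, but they now live in this repository.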
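Review bot: `FROM ubuntu:focal-20200423` pins a tag, and Docker Hub tags are mutable, so the build is still not reproducible against a retagged image; pinning by digest, `FROM ubuntu:focal-20200423@sha256:<digest>`, with the tag kept for readability, makes the base immutable. The 19.10 comment correction is fine.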
From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?= Date: Sun, 27 Sep 2020 15:00:33 +0200 Subject: [PATCH 5/6] Complete the fork of kindbase by copy/paste Base kicbase directly on ubuntu, without kindbase Move all the files that are still copied and used Avoid installing software only to be deleted later The entrypoint had already been forked since earlier --- Makefile | 11 +- .../10-network-security.conf | 0 deploy/kicbase/Dockerfile | 103 ++++++-- .../usr/local/bin => kicbase}/clean-install | 0 deploy/kindbase/Dockerfile | 122 --------- deploy/kindbase/files/etc/crictl.yaml | 1 - .../etc/systemd/system/containerd.service | 29 --- .../kindbase/files/usr/local/bin/entrypoint | 235 ------------------ 8 files changed, 85 insertions(+), 416 deletions(-) rename deploy/{kindbase/files/etc/sysctl.d => kicbase}/10-network-security.conf (100%) rename deploy/{kindbase/files/usr/local/bin => kicbase}/clean-install (100%) delete mode 100644 deploy/kindbase/Dockerfile delete mode 100644 deploy/kindbase/files/etc/crictl.yaml delete mode 100644 deploy/kindbase/files/etc/systemd/system/containerd.service delete mode 100755 deploy/kindbase/files/usr/local/bin/entrypoint diff --git a/Makefile b/Makefile index 98e4b3c1e092..2a87f19f67d6 100644 --- a/Makefile +++ b/Makefile @@ -20,7 +20,6 @@ RAW_VERSION=$(VERSION_MAJOR).$(VERSION_MINOR).$(VERSION_BUILD) VERSION ?= v$(RAW_VERSION) KUBERNETES_VERSION ?= $(shell egrep "DefaultKubernetesVersion =" pkg/minikube/constants/constants.go | cut -d \" -f2) -KIND_VERSION ?= v20200430-2c0eee40 KIC_VERSION ?= $(shell egrep "Version =" pkg/drivers/kic/types.go | cut -d \" -f2) # Default to .0 for higher cache hit rates, as build increments typically don't require new ISO versions 
@@ -48,7 +47,6 @@ BUILD_IMAGE ?= us.gcr.io/k8s-artifacts-prod/build-image/kube-cross:v$(GO_VERSIO ISO_BUILD_IMAGE ?= $(REGISTRY)/buildroot-image KVM_BUILD_IMAGE ?= $(REGISTRY)/kvm-build-image:$(GO_VERSION) -KIND_BASE_IMAGE_GCR ?= $(REGISTRY)/kindbase:$(KIND_VERSION) KIC_BASE_IMAGE_GCR ?= $(REGISTRY)/kicbase:$(KIC_VERSION) KIC_BASE_IMAGE_GH ?= $(REGISTRY_GH)/kicbase:$(KIC_VERSION) KIC_BASE_IMAGE_HUB ?= kicbase/stable:$(KIC_VERSION) @@ -578,15 +576,8 @@ endif storage-provisioner-image: out/storage-provisioner-$(GOARCH) ## Build storage-provisioner docker image docker build -t $(STORAGE_PROVISIONER_IMAGE) -f deploy/storage-provisioner/Dockerfile --build-arg arch=$(GOARCH) . -.PHONY: kind-base-image -kind-base-image: ## builds the base image used for kind. - docker rmi -f $(KIND_BASE_IMAGE_GCR)-snapshot || true - docker build -f ./deploy/kindbase/Dockerfile -t local/kindbase:$(KIND_VERSION)-snapshot ./deploy/kindbase - docker tag local/kindbase:$(KIND_VERSION)-snapshot $(KIND_BASE_IMAGE_GCR)-snapshot - docker tag local/kindbase:$(KIND_VERSION)-snapshot $(KIND_BASE_IMAGE_GCR) - .PHONY: kic-base-image -kic-base-image: kind-base-image ## builds the base image used for kic. +kic-base-image: ## builds the base image used for kic. docker rmi -f $(KIC_BASE_IMAGE_GCR)-snapshot || true docker build -f ./deploy/kicbase/Dockerfile -t local/kicbase:$(KIC_VERSION)-snapshot --build-arg COMMIT_SHA=${VERSION}-$(COMMIT) --cache-from $(KIC_BASE_IMAGE_GCR) --target base ./deploy/kicbase docker tag local/kicbase:$(KIC_VERSION)-snapshot $(KIC_BASE_IMAGE_GCR)-snapshot diff --git a/deploy/kindbase/files/etc/sysctl.d/10-network-security.conf b/deploy/kicbase/10-network-security.conf similarity index 100% rename from deploy/kindbase/files/etc/sysctl.d/10-network-security.conf rename to deploy/kicbase/10-network-security.conf diff --git a/deploy/kicbase/Dockerfile b/deploy/kicbase/Dockerfile index 00ee69d6af5a..13b32a36294b 100644 --- a/deploy/kicbase/Dockerfile +++ b/deploy/kicbase/Dockerfile 
@@ -1,26 +1,92 @@
+# Copyright 2018 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# kind node base image
+#
+# For systemd + docker configuration used below, see the following references:
+# https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
+
+# start from ubuntu 20.04, this image is reasonably small as a starting point
+# for a kubernetes node image, it doesn't contain much we don't need
+FROM ubuntu:focal-20200423
+
+# copy in static files (configs, scripts)
+COPY 10-network-security.conf /etc/sysctl.d/10-network-security.conf
+COPY clean-install /usr/local/bin/clean-install
+COPY entrypoint /usr/local/bin/entrypoint
+
+# Install dependencies, first from apt, then from release tarballs.
+# NOTE: we use one RUN to minimize layers.
+#
+# First we must ensure that our util scripts are executable.
+#
+# The base image already has: ssh, apt, snapd, but we need to install more packages.
+# Packages installed are broken down into (each on a line):
+# - packages needed to run services (systemd)
+# - packages needed for kubernetes components
+# - packages needed by the container runtime
+# - misc packages kind uses itself
+# After installing packages we cleanup by:
+# - removing unwanted systemd services
+# - disabling kmsg in journald (these log entries would be confusing)
+#
+# Next we ensure the /etc/kubernetes/manifests directory exists. Normally
+# a kubeadm debain / rpm package would ensure that this exists but we install
+# freshly built binaries directly when we build the node image.
+#
+# Finally we adjust tempfiles cleanup to be 1 minute after "boot" instead of 15m
+# This is plenty after we've done initial setup for a node, but before we are
+# likely to try to export logs etc.
+RUN echo "Ensuring scripts are executable ..." \
+ && chmod +x /usr/local/bin/clean-install /usr/local/bin/entrypoint \
+ && echo "Installing Packages ..." \
+ && DEBIAN_FRONTEND=noninteractive clean-install \
+ systemd \
+ conntrack iptables iproute2 ethtool socat util-linux mount ebtables udev kmod \
+ libseccomp2 \
+ bash ca-certificates curl rsync \
+ && find /lib/systemd/system/sysinit.target.wants/ -name "systemd-tmpfiles-setup.service" -delete \
+ && rm -f /lib/systemd/system/multi-user.target.wants/* \
+ && rm -f /etc/systemd/system/*.wants/* \
+ && rm -f /lib/systemd/system/local-fs.target.wants/* \
+ && rm -f /lib/systemd/system/sockets.target.wants/*udev* \
+ && rm -f /lib/systemd/system/sockets.target.wants/*initctl* \
+ && rm -f /lib/systemd/system/basic.target.wants/* \
+ && echo "ReadKMsg=no" >> /etc/systemd/journald.conf \
+ && ln -s "$(which systemd)" /sbin/init \
+ && echo "Ensuring /etc/kubernetes/manifests" \
+ && mkdir -p /etc/kubernetes/manifests \
+ && echo "Adjusting systemd-tmpfiles timer" \
+ && sed -i /usr/lib/systemd/system/systemd-tmpfiles-clean.timer -e 's#OnBootSec=.*#OnBootSec=1min#' \
+ && echo "Modifying /etc/nsswitch.conf to prefer hosts" \
+ && sed -i /etc/nsswitch.conf -re 's#^(hosts:\s*).*#\1dns files#'
+
+# tell systemd that it is in docker (it will check for the container env)
+# https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
+ENV container docker
+# systemd exits on SIGRTMIN+3, not SIGTERM (which re-executes it)
+# https://bugzilla.redhat.com/show_bug.cgi?id=1201657
+STOPSIGNAL SIGRTMIN+3
+# NOTE: this is *only* for documentation, the entrypoint is overridden later
+ENTRYPOINT [ "/usr/local/bin/entrypoint", "/sbin/init" ]
+
 ARG COMMIT_SHA
-# using base image created by kind https://github.com/kubernetes-sigs/kind/blob/v0.8.1/images/base/Dockerfile
+# using base image created by kind https://github.com/kubernetes-sigs/kind/blob/2c0eee40/images/base/Dockerfile
 # which is an ubuntu 20.04 with an entry-point that helps running systemd
 # could be changed to any debian that can run systemd
-FROM gcr.io/k8s-minikube/kindbase:v20200430-2c0eee40 as base
 USER root
-# remove files that were installed by kind, replaced by packages
-RUN rm \
- /etc/crictl.yaml \
- /etc/systemd/system/containerd.service \
- /etc/systemd/system/multi-user.target.wants/containerd.service \
- /opt/cni/bin/host-local \
- /opt/cni/bin/loopback \
- /opt/cni/bin/portmap \
- /opt/cni/bin/ptp \
- /usr/local/bin/containerd \
- /usr/local/bin/containerd-shim \
- /usr/local/bin/containerd-shim-runc-v2 \
- /usr/local/bin/crictl \
- /usr/local/bin/ctr \
- /usr/local/sbin/runc
-
 # install system requirements from the regular distro repositories
 RUN clean-install \
 lz4 \
@@ -54,7 +120,6 @@ RUN sh -c "echo 'deb https://dl.bintray.com/afbjorklund/podman focal main' > /et
 RUN mkdir -p /usr/lib/cri-o-runc/sbin && cp /usr/sbin/runc /usr/lib/cri-o-runc/sbin/runc
-COPY entrypoint /usr/local/bin/entrypoint
 # automount service
 COPY automount/minikube-automount /usr/sbin/minikube-automount
 COPY automount/minikube-automount.service /usr/lib/systemd/system/minikube-automount.service
diff --git a/deploy/kindbase/files/usr/local/bin/clean-install b/deploy/kicbase/clean-install
similarity index 100%
rename from deploy/kindbase/files/usr/local/bin/clean-install
rename to deploy/kicbase/clean-install
diff --git a/deploy/kindbase/Dockerfile b/deploy/kindbase/Dockerfile
deleted file mode 100644
index bdd3b38c846b..000000000000
--- a/deploy/kindbase/Dockerfile
+++ /dev/null
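Review bot: The header comment block moved in at the top of the file describes steps this Dockerfile no longer performs: it says dependencies come "first from apt, then from release tarballs" and lists packages "needed by the container runtime", yet the containerd, crictl and CNI tarball downloads of the deleted kindbase Dockerfile were not carried over (the distro-package `RUN clean-install` step that follows is presumably where the runtime comes from now), and `# kind node base image` now titles the kicbase image. Suggest rewriting the block to the steps actually in the RUN below it (chmod of the scripts, package install, systemd wants cleanup, `ReadKMsg=no`, manifests directory, tmpfiles timer, nsswitch) and retitling it. Separately, `echo "Modifying /etc/nsswitch.conf to prefer hosts"` is followed by a substitution that writes `dns files`, so DNS is consulted before /etc/hosts and an entry pinned in /etc/hosts no longer overrides a DNS answer; presumably intended for docker's embedded DNS, but the intent belongs in a comment such as `# query DNS before /etc/hosts so container names resolve via docker's embedded DNS`. `FROM ubuntu:focal-20200423` is pinned by a date tag only; `FROM ubuntu:focal-20200423@sha256:<base-image-digest>` would make the base immutable.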
@@ -1,122 +0,0 @@
-# Copyright 2018 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# kind node base image
-#
-# For systemd + docker configuration used below, see the following references:
-# https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
-
-# start from ubuntu 20.04, this image is reasonably small as a starting point
-# for a kubernetes node image, it doesn't contain much we don't need
-FROM ubuntu:focal-20200423
-
-# Configure containerd and runc binaries from kind-ci/containerd-nightlies repository
-# The repository contains latest stable releases and nightlies built for multiple architectures
-ARG CONTAINERD_VERSION="v1.3.3-14-g449e9269"
-# Configure CNI binaries from upstream
-ARG CNI_VERSION="v0.8.5"
-# Configure crictl binary from upstream
-ARG CRICTL_VERSION="v1.18.0"
-
-# copy in static files (configs, scripts)
-COPY files/ /
-
-# Install dependencies, first from apt, then from release tarballs.
-# NOTE: we use one RUN to minimize layers.
-#
-# First we must ensure that our util scripts are executable.
-#
-# The base image already has: ssh, apt, snapd, but we need to install more packages.
-# Packages installed are broken down into (each on a line):
-# - packages needed to run services (systemd)
-# - packages needed for kubernetes components
-# - packages needed by the container runtime
-# - misc packages kind uses itself
-# After installing packages we cleanup by:
-# - removing unwanted systemd services
-# - disabling kmsg in journald (these log entries would be confusing)
-#
-# Then we install containerd from our nightly build infrastructure, as this
-# build for multiple architectures and allows us to upgrade to patched releases
-# more quickly.
-#
-# Next we download and extract crictl and CNI plugin binaries from upstream.
-#
-# Next we ensure the /etc/kubernetes/manifests directory exists. Normally
-# a kubeadm debain / rpm package would ensure that this exists but we install
-# freshly built binaries directly when we build the node image.
-#
-# Finally we adjust tempfiles cleanup to be 1 minute after "boot" instead of 15m
-# This is plenty after we've done initial setup for a node, but before we are
-# likely to try to export logs etc.
-RUN echo "Ensuring scripts are executable ..." \
- && chmod +x /usr/local/bin/clean-install /usr/local/bin/entrypoint \
- && echo "Installing Packages ..." \
- && DEBIAN_FRONTEND=noninteractive clean-install \
- systemd \
- conntrack iptables iproute2 ethtool socat util-linux mount ebtables udev kmod \
- libseccomp2 \
- bash ca-certificates curl rsync \
- && find /lib/systemd/system/sysinit.target.wants/ -name "systemd-tmpfiles-setup.service" -delete \
- && rm -f /lib/systemd/system/multi-user.target.wants/* \
- && rm -f /etc/systemd/system/*.wants/* \
- && rm -f /lib/systemd/system/local-fs.target.wants/* \
- && rm -f /lib/systemd/system/sockets.target.wants/*udev* \
- && rm -f /lib/systemd/system/sockets.target.wants/*initctl* \
- && rm -f /lib/systemd/system/basic.target.wants/* \
- && echo "ReadKMsg=no" >> /etc/systemd/journald.conf \
- && ln -s "$(which systemd)" /sbin/init \
- && echo "Installing containerd ..." \
- && export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm/') \
- && export CONTAINERD_BASE_URL="https://github.com/kind-ci/containerd-nightlies/releases/download/containerd-${CONTAINERD_VERSION#v}" \
- && curl -sSL --retry 5 --output /tmp/containerd.tgz "${CONTAINERD_BASE_URL}/containerd-${CONTAINERD_VERSION#v}.linux-${ARCH}.tar.gz" \
- && tar -C /usr/local -xzvf /tmp/containerd.tgz \
- && rm -rf /tmp/containerd.tgz \
- && rm -f /usr/local/bin/containerd-stress /usr/local/bin/containerd-shim-runc-v1 \
- && curl -sSL --retry 5 --output /usr/local/sbin/runc "${CONTAINERD_BASE_URL}/runc.${ARCH}" \
- && chmod 755 /usr/local/sbin/runc \
- && containerd --version \
- && systemctl enable containerd \
- && echo "Installing crictl ..." \
- && curl -fSL "https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-${ARCH}.tar.gz" | tar xzC /usr/local/bin \
- && echo "Installing CNI binaries ..." \
- && export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm/') \
- && export CNI_TARBALL="${CNI_VERSION}/cni-plugins-linux-${ARCH}-${CNI_VERSION}.tgz" \
- && export CNI_URL="https://github.com/containernetworking/plugins/releases/download/${CNI_TARBALL}" \
- && curl -sSL --retry 5 --output /tmp/cni.tgz "${CNI_URL}" \
- && mkdir -p /opt/cni/bin \
- && tar -C /opt/cni/bin -xzf /tmp/cni.tgz \
- && rm -rf /tmp/cni.tgz \
- && find /opt/cni/bin -type f -not \( \
- -iname host-local \
- -o -iname ptp \
- -o -iname portmap \
- -o -iname loopback \
- \) \
- -delete \
- && echo "Ensuring /etc/kubernetes/manifests" \
- && mkdir -p /etc/kubernetes/manifests \
- && echo "Adjusting systemd-tmpfiles timer" \
- && sed -i /usr/lib/systemd/system/systemd-tmpfiles-clean.timer -e 's#OnBootSec=.*#OnBootSec=1min#' \
- && echo "Modifying /etc/nsswitch.conf to prefer hosts" \
- && sed -i /etc/nsswitch.conf -re 's#^(hosts:\s*).*#\1dns files#'
-
-# tell systemd that it is in docker (it will check for the container env)
-# https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
-ENV container docker
-# systemd exits on SIGRTMIN+3, not SIGTERM (which re-executes it)
-# https://bugzilla.redhat.com/show_bug.cgi?id=1201657
-STOPSIGNAL SIGRTMIN+3
-# NOTE: this is *only* for documentation, the entrypoint is overridden later
-ENTRYPOINT [ "/usr/local/bin/entrypoint", "/sbin/init" ]
diff --git a/deploy/kindbase/files/etc/crictl.yaml b/deploy/kindbase/files/etc/crictl.yaml
deleted file mode 100644
index 1a5daba3b929..000000000000
--- a/deploy/kindbase/files/etc/crictl.yaml
+++ /dev/null
@@ -1 +0,0 @@
-runtime-endpoint: unix:///var/run/containerd/containerd.sock
\ No newline at end of file
diff --git a/deploy/kindbase/files/etc/systemd/system/containerd.service b/deploy/kindbase/files/etc/systemd/system/containerd.service
deleted file mode 100644
index fb97bf814ca6..000000000000
--- a/deploy/kindbase/files/etc/systemd/system/containerd.service
+++ /dev/null
@@ -1,29 +0,0 @@
-# derived containerd systemd service file from the official:
-# https://github.com/containerd/containerd/blob/master/containerd.service
-[Unit]
-Description=containerd container runtime
-Documentation=https://containerd.io
-After=network.target
-# disable rate limiting
-StartLimitIntervalSec=0
-
-[Service]
-ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/containerd
-Restart=always
-RestartSec=1
-
-Delegate=yes
-KillMode=process
-Restart=always
-# Having non-zero Limit*s causes performance problems due to accounting overhead
-# in the kernel. We recommend using cgroups to do container-local accounting.
-LimitNPROC=infinity
-LimitCORE=infinity
-LimitNOFILE=1048576
-# Comment TasksMax if your systemd version does not supports it.
-# Only systemd 226 and above support this version.
-TasksMax=infinity
-
-[Install]
-WantedBy=multi-user.target
diff --git a/deploy/kindbase/files/usr/local/bin/entrypoint b/deploy/kindbase/files/usr/local/bin/entrypoint
deleted file mode 100755
index 98dc77022a5b..000000000000
--- a/deploy/kindbase/files/usr/local/bin/entrypoint
+++ /dev/null
@@ -1,235 +0,0 @@
-#!/bin/bash
-
-# Copyright 2019 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-fix_mount() {
- echo 'INFO: ensuring we can execute /bin/mount even with userns-remap'
- # necessary only when userns-remap is enabled on the host, but harmless
- # The binary /bin/mount should be owned by root and have the setuid bit
- chown root:root /bin/mount
- chmod -s /bin/mount
-
- # This is a workaround to an AUFS bug that might cause `Text file
- # busy` on `mount` command below. See more details in
- # https://github.com/moby/moby/issues/9547
- if [[ "$(stat -f -c %T /bin/mount)" == 'aufs' ]]; then
- echo 'INFO: detected aufs, calling sync' >&2
- sync
- fi
-
- echo 'INFO: remounting /sys read-only'
- # systemd-in-a-container should have read only /sys
- # https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
- # however, we need other things from `docker run --privileged` ...
- # and this flag also happens to make /sys rw, amongst other things
- mount -o remount,ro /sys
-
- echo 'INFO: making mounts shared' >&2
- # for mount propagation
- mount --make-rshared /
-}
-
-fix_cgroup() {
- echo 'INFO: fix cgroup mounts for all subsystems'
- # For each cgroup subsystem, Docker does a bind mount from the current
- # cgroup to the root of the cgroup subsystem. For instance:
- # /sys/fs/cgroup/memory/docker/ -> /sys/fs/cgroup/memory
- #
- # This will confuse Kubelet and cadvisor and will dump the following error
- # messages in kubelet log:
- # `summary_sys_containers.go:47] Failed to get system container stats for ".../kubelet.service"`
- #
- # This is because `/proc//cgroup` is not affected by the bind mount.
- # The following is a workaround to recreate the original cgroup
- # environment by doing another bind mount for each subsystem.
- local docker_cgroup_mounts
- docker_cgroup_mounts=$(grep /sys/fs/cgroup /proc/self/mountinfo | grep docker || true)
- if [[ -n "${docker_cgroup_mounts}" ]]; then
- local docker_cgroup cgroup_subsystems subsystem
- docker_cgroup=$(echo "${docker_cgroup_mounts}" | head -n 1 | cut -d' ' -f 4)
- cgroup_subsystems=$(echo "${docker_cgroup_mounts}" | cut -d' ' -f 5)
- echo "${cgroup_subsystems}" |
- while IFS= read -r subsystem; do
- mkdir -p "${subsystem}${docker_cgroup}"
- mount --bind "${subsystem}" "${subsystem}${docker_cgroup}"
- done
- fi
-}
-
-fix_machine_id() {
- # Deletes the machine-id embedded in the node image and generates a new one.
- # This is necessary because both kubelet and other components like weave net
- # use machine-id internally to distinguish nodes.
- echo 'INFO: clearing and regenerating /etc/machine-id' >&2
- rm -f /etc/machine-id
- systemd-machine-id-setup
-}
-
-fix_product_name() {
- # this is a small fix to hide the underlying hardware and fix issue #426
- # https://github.com/kubernetes-sigs/kind/issues/426
- if [[ -f /sys/class/dmi/id/product_name ]]; then
- echo 'INFO: faking /sys/class/dmi/id/product_name to be "kind"' >&2
- echo 'kind' > /kind/product_name
- mount -o ro,bind /kind/product_name /sys/class/dmi/id/product_name
- fi
-}
-
-fix_product_uuid() {
- # The system UUID is usually read from DMI via sysfs, the problem is that
- # in the kind case this means that all (container) nodes share the same
- # system/product uuid, as they share the same DMI.
- # Note: The UUID is read from DMI, this tool is overwriting the sysfs files
- # which should fix the attached issue, but this workaround does not address
- # the issue if a tool is reading directly from DMI.
- # https://github.com/kubernetes-sigs/kind/issues/1027
- [[ ! -f /kind/product_uuid ]] && cat /proc/sys/kernel/random/uuid > /kind/product_uuid
- if [[ -f /sys/class/dmi/id/product_uuid ]]; then
- echo 'INFO: faking /sys/class/dmi/id/product_uuid to be random' >&2
- mount -o ro,bind /kind/product_uuid /sys/class/dmi/id/product_uuid
- fi
- if [[ -f /sys/devices/virtual/dmi/id/product_uuid ]]; then
- echo 'INFO: faking /sys/devices/virtual/dmi/id/product_uuid as well' >&2
- mount -o ro,bind /kind/product_uuid /sys/devices/virtual/dmi/id/product_uuid
- fi
-}
-
-fix_kmsg() {
- # In environments where /dev/kmsg is not available, the kubelet (1.15+) won't
- # start because it cannot open /dev/kmsg when starting the kmsgparser in the
- # OOM parser.
- # To support those environments, we link /dev/kmsg to /dev/console.
- # https://github.com/kubernetes-sigs/kind/issues/662
- if [[ ! -e /dev/kmsg ]]; then
- if [[ -e /dev/console ]]; then
- echo 'WARN: /dev/kmsg does not exist, symlinking /dev/console' >&2
- ln -s /dev/console /dev/kmsg
- else
- echo 'WARN: /dev/kmsg does not exist, nor does /dev/console!' >&2
- fi
- fi
-}
-
-configure_proxy() {
- # ensure all processes receive the proxy settings by default
- # https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html
- mkdir -p /etc/systemd/system.conf.d/
- cat </etc/systemd/system.conf.d/proxy-default-environment.conf
-[Manager]
-DefaultEnvironment="HTTP_PROXY=${HTTP_PROXY:-}" "HTTPS_PROXY=${HTTPS_PROXY:-}" "NO_PROXY=${NO_PROXY:-}"
-EOF
-}
-
-select_iptables() {
- # based on: https://github.com/kubernetes/kubernetes/blob/ffe93b3979486feb41a0f85191bdd189cbd56ccc/build/debian-iptables/iptables-wrapper
- local mode=nft
- num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l || true)
- if [ "${num_legacy_lines}" -ge 10 ]; then
- mode=legacy
- else
- num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep '^-' | wc -l || true)
- if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
- mode=legacy
- fi
- fi
-
- echo "INFO: setting iptables to detected mode: ${mode}" >&2
- update-alternatives --set iptables "/usr/sbin/iptables-${mode}" > /dev/null
- update-alternatives --set ip6tables "/usr/sbin/ip6tables-${mode}" > /dev/null
-}
-
-enable_network_magic(){
- # well-known docker embedded DNS is at 127.0.0.11:53
- local docker_embedded_dns_ip='127.0.0.11'
-
- # first we need to detect an IP to use for reaching the docker host
- local docker_host_ip
- docker_host_ip="$( (getent ahostsv4 'host.docker.internal' | head -n1 | cut -d' ' -f1) || true)"
- if [[ -z "${docker_host_ip}" ]]; then
- docker_host_ip=$(ip -4 route show default | cut -d' ' -f3)
- fi
-
- # patch docker's iptables rules to switch out the DNS IP
- iptables-save \
- | sed \
- `# switch docker DNS DNAT rules to our chosen IP` \
- -e "s/-d ${docker_embedded_dns_ip}/-d ${docker_host_ip}/g" \
- `# we need to also apply these rules to non-local traffic (from pods)` \
- -e 's/-A OUTPUT \(.*\) -j DOCKER_OUTPUT/\0\n-A PREROUTING \1 -j DOCKER_OUTPUT/' \
- `# switch docker DNS SNAT rules rules to our chosen IP` \
- -e "s/--to-source :53/--to-source ${docker_host_ip}:53/g"\
- | iptables-restore
-
- # now we can ensure that DNS is configured to use our IP
- cp /etc/resolv.conf /etc/resolv.conf.original
- sed -e "s/${docker_embedded_dns_ip}/${docker_host_ip}/g" /etc/resolv.conf.original >/etc/resolv.conf
-
- # fixup IPs in manifests ...
- curr_ipv4="$( (getent ahostsv4 $(hostname) | head -n1 | cut -d' ' -f1) || true)"
- echo "INFO: Detected IPv4 address: ${curr_ipv4}" >&2
- if [ -f /kind/old-ipv4 ]; then
- old_ipv4=$(cat /kind/old-ipv4)
- echo "INFO: Detected old IPv4 address: ${old_ipv4}" >&2
- # sanity check that we have a current address
- if [[ -z $curr_ipv4 ]]; then
- echo "ERROR: Have an old IPv4 address but no current IPv4 address (!)" >&2
- exit 1
- fi
- # kubernetes manifests are only present on control-plane nodes
- sed -i "s#${old_ipv4}#${curr_ipv4}#" /etc/kubernetes/manifests/*.yaml || true
- # this is no longer required with autodiscovery
- sed -i "s#${old_ipv4}#${curr_ipv4}#" /var/lib/kubelet/kubeadm-flags.env || true
- fi
- if [[ -n $curr_ipv4 ]]; then
- echo -n "${curr_ipv4}" >/kind/old-ipv4
- fi
-
- # do IPv6
- curr_ipv6="$( (getent ahostsv6 $(hostname) | head -n1 | cut -d' ' -f1) || true)"
- echo "INFO: Detected IPv6 address: ${curr_ipv6}" >&2
- if [ -f /kind/old-ipv6 ]; then
- old_ipv6=$(cat /kind/old-ipv6)
- echo "INFO: Detected old IPv6 address: ${old_ipv6}" >&2
- # sanity check that we have a current address
- if [[ -z $curr_ipv6 ]]; then
- echo "ERROR: Have an old IPv6 address but no current IPv6 address (!)" >&2
- fi
- # kubernetes manifests are only present on control-plane nodes
- sed -i "s#${old_ipv6}#${curr_ipv6}#" /etc/kubernetes/manifests/*.yaml || true
- # this is no longer required with autodiscovery
- sed -i "s#${old_ipv6}#${curr_ipv6}#" /var/lib/kubelet/kubeadm-flags.env || true
- fi
- if [[ -n $curr_ipv6 ]]; then
- echo -n "${curr_ipv6}" >/kind/old-ipv6
- fi
-}
-
-# run pre-init fixups
-fix_kmsg
-fix_mount
-fix_cgroup
-fix_machine_id
-fix_product_name
-fix_product_uuid
-configure_proxy
-select_iptables
-enable_network_magic
-
-# we want the command (expected to be systemd) to be PID1, so exec to it
-exec "$@"
From 5ab4bc64fc2265a3f66915cb81088b61f0c90358 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?=
Date: Tue, 29 Sep 2020 20:13:05 +0200
Subject: [PATCH 6/6] Remove the base target from kicbase docker build
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 2a87f19f67d6..cf86209e3bab 100644
--- a/Makefile
+++ b/Makefile
@@ -579,7 +579,7 @@ storage-provisioner-image: out/storage-provisioner-$(GOARCH) ## Build storage-pr
 .PHONY: kic-base-image
 kic-base-image: ## builds the base image used for kic.
 docker rmi -f $(KIC_BASE_IMAGE_GCR)-snapshot || true
- docker build -f ./deploy/kicbase/Dockerfile -t local/kicbase:$(KIC_VERSION)-snapshot --build-arg COMMIT_SHA=${VERSION}-$(COMMIT) --cache-from $(KIC_BASE_IMAGE_GCR) --target base ./deploy/kicbase
+ docker build -f ./deploy/kicbase/Dockerfile -t local/kicbase:$(KIC_VERSION)-snapshot --build-arg COMMIT_SHA=${VERSION}-$(COMMIT) --cache-from $(KIC_BASE_IMAGE_GCR) ./deploy/kicbase
 docker tag local/kicbase:$(KIC_VERSION)-snapshot $(KIC_BASE_IMAGE_GCR)-snapshot
 docker tag local/kicbase:$(KIC_VERSION)-snapshot $(KIC_BASE_IMAGE_GCR)
 docker tag local/kicbase:$(KIC_VERSION)-snapshot $(KIC_BASE_IMAGE_HUB)
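Review bot: With `--target base` gone, `--cache-from $(KIC_BASE_IMAGE_GCR)` in the new `docker build` line governs every layer of the image, including the unpinned package-install layers of the Dockerfile: when that tag already exists in the registry, a rebuild of the same KIC_VERSION reuses the published layers and will not pick up package updates unless KIC_VERSION is bumped or `--no-cache` is passed. That is presumably the intended caching behaviour, but nothing in the recipe says so; a comment on the line above `docker build`, such as `# --cache-from reuses layers of the published image; bump KIC_VERSION (or add --no-cache) to rebuild the packages from scratch`, would record it. The kic-base-image recipe is shown in full in this hunk.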