[fcos] rebase on recent master

Makefile

@@ -19,11 +19,6 @@ export GOPROXY=https://proxy.golang.org
 
 GOTAGS = "containers_image_openpgp exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_ostree_stub"
 
-# grab the version from a dummy pkg in k8s.io/code-generator from vendor/modules.txt (read by go list)
-versionPath=$(shell GO111MODULE=on go list -f {{.Dir}} k8s.io/code-generator/cmd/client-gen)
-codegeneratorRoot=$(versionPath:/cmd/client-gen=)
-codegeneratorTarget:=./vendor/k8s.io/code-generator
-
 .PHONY: clean test test-unit test-e2e verify update install-tools
 # Remove build artifaces
 # Example:
@@ -60,14 +55,13 @@ go-deps:
 	go mod tidy
 	go mod vendor
 	go mod verify
-	# go mod does not vendor in scripts so we need to get them manually...
-	@mkdir -p $(codegeneratorRoot)
-	@cp $(codegeneratorRoot)/generate-groups.sh $(codegeneratorTarget) && chmod +x $(codegeneratorTarget)/generate-groups.sh
-	@cp $(codegeneratorRoot)/generate-internal-groups.sh $(codegeneratorTarget) && chmod +x $(codegeneratorTarget)/generate-internal-groups.sh
+	# make scripts executable
+	chmod +x ./vendor/k8s.io/code-generator/generate-groups.sh
+	chmod +x ./vendor/k8s.io/code-generator/generate-internal-groups.sh
 
 install-tools:
-	GO111MODULE=on go build -o $(GOPATH)/bin/golangci-lint -mod=vendor ./vendor/github.com/golangci/golangci-lint/cmd/golangci-lint
-	GO111MODULE=on go build -o $(GOPATH)/bin/gosec -mod=vendor ./vendor/github.com/securego/gosec/cmd/gosec
+	GO111MODULE=on go build -o $(GOPATH)/bin/golangci-lint ./vendor/github.com/golangci/golangci-lint/cmd/golangci-lint
+	GO111MODULE=on go build -o $(GOPATH)/bin/gosec ./vendor/github.com/securego/gosec/cmd/gosec
 
 # Run verification steps
 # Example:
@@ -77,8 +71,16 @@ verify: install-tools
 	# Remove once https://github.com/golangci/golangci-lint/issues/597 is
 	# addressed
 	gosec -severity high --confidence medium -exclude G204 -quiet ./...
+	# Remove the vendor/k8s.io/code-generator vendor hack
+	# once code-generator plays nice with go modules, see
+	# https://github.com/kubernetes/kubernetes/issues/82531 and
+	# https://github.com/kubernetes/kubernetes/pull/85559
+	pushd vendor/k8s.io/code-generator && cp go.mod go.mod.bak && go mod vendor && popd
 	hack/verify-codegen.sh
 	hack/verify-generated-bindata.sh
+	rm -f vendor/k8s.io/code-generator/go.mod
+	mv vendor/k8s.io/code-generator/go.mod.bak vendor/k8s.io/code-generator/go.mod
+	rm -rf vendor/k8s.io/code-generator/vendor
 
 # Template for defining build targets for binaries.
 define target_template =
@@ -105,6 +107,6 @@ Dockerfile.rhel7: Dockerfile Makefile
 	(echo '# THIS FILE IS GENERATED FROM '$<' DO NOT EDIT' && \
 	 sed -e s,org/openshift/release,org/ocp/builder, -e s,/openshift/origin-v4.0:base,/ocp/4.0:base, < $<) > $@.tmp && mv $@.tmp $@
 
-# This was copied from https://github.com/openshift/cluster-image-registry-operato
+# This was copied from https://github.com/openshift/cluster-image-registry-operator
 test-e2e:
 	go test -timeout 120m -v$${WHAT:+ -run="$$WHAT"} ./test/e2e/

OWNERS

@@ -10,3 +10,5 @@ approvers:
   - sinnykumari
   - yuqi-zhang
   - vrutkovs
+
+component: "Machine Config Operator"

pkg/controller/container-runtime-config/container_runtime_config_controller.go

@@ -552,9 +552,9 @@ func (ctrl *Controller) syncContainerRuntimeConfig(key string) error {
 				}
 			}
 
-			ctrRuntimeConfigIgn := createNewIgnition(map[string][]byte{
-				storageConfigPath: storageTOML,
-				crioConfigPath:    crioTOML,
+			ctrRuntimeConfigIgn := createNewIgnition([]ignitionConfig{
+				{filePath: storageConfigPath, data: storageTOML},
+				{filePath: crioConfigPath, data: crioTOML},
 			})
 			rawCtrRuntimeConfigIgn, err := json.Marshal(ctrRuntimeConfigIgn)
 			if err != nil {
@@ -766,9 +766,9 @@ func registriesConfigIgnition(templateDir string, controllerConfig *mcfgv1.Contr
 			return nil, fmt.Errorf("could not update policy json with new changes: %v", err)
 		}
 	}
-	registriesIgn := createNewIgnition(map[string][]byte{
-		registriesConfigPath: registriesTOML,
-		policyConfigPath:     policyJSON,
+	registriesIgn := createNewIgnition([]ignitionConfig{
+		{filePath: registriesConfigPath, data: registriesTOML},
+		{filePath: policyConfigPath, data: policyJSON},
 	})
 	return &registriesIgn, nil
 }

pkg/controller/container-runtime-config/helpers.go

@@ -60,27 +60,35 @@ type tomlConfigCRIO struct {
 	} `toml:"crio"`
 }
 
+// ignitionConfig is a struct that holds the filepath and date of the various configs
+// Using a struct array ensures that the order of the ignition files always stay the same
+// ensuring that double MCs are not created due to a change in the order
+type ignitionConfig struct {
+	filePath string
+	data     []byte
+}
+
 type updateConfigFunc func(data []byte, internal *mcfgv1.ContainerRuntimeConfiguration) ([]byte, error)
 
 // createNewIgnition takes a map where the key is the path of the file, and the value is the
 // new data in the form of a byte array. The function returns the ignition config with the
 // updated data.
-func createNewIgnition(configs map[string][]byte) ignTypes.Config {
+func createNewIgnition(configs []ignitionConfig) ignTypes.Config {
 	tempIgnConfig := ctrlcommon.NewIgnConfigSpecV3()
 	mode := 0644
 	overwrite := true
 	// Create ignitions
-	for filePath, data := range configs {
+	for _, ignConf := range configs {
 		// If the file is not included, the data will be nil so skip over
-		if data == nil {
+		if ignConf.data == nil {
 			continue
 		}
-		configdu := dataurl.New(data, "text/plain")
+		configdu := dataurl.New(ignConf.data, "text/plain")
 		configdu.Encoding = dataurl.EncodingASCII
 		strConfigdu := configdu.String()
 		configTempFile := ignTypes.File{
 			Node: ignTypes.Node{
-				Path:      filePath,
+				Path:      ignConf.filePath,
 				Overwrite: &overwrite,
 			},
 			FileEmbedded1: ignTypes.FileEmbedded1{

pkg/daemon/update.go

@@ -159,9 +159,11 @@ func (dn *Daemon) drain() error {
 		if err == wait.ErrWaitTimeout {
 			failMsg := fmt.Sprintf("%d tries: %v", backoff.Steps, lastErr)
 			MCDDrainErr.WithLabelValues(failTime, failMsg).SetToCurrentTime()
+			dn.recorder.Eventf(getNodeRef(dn.node), corev1.EventTypeWarning, "FailedToDrain", failMsg)
 			return errors.Wrapf(lastErr, "failed to drain node (%d tries): %v", backoff.Steps, err)
 		}
 		MCDDrainErr.WithLabelValues(failTime, err.Error()).SetToCurrentTime()
+		dn.recorder.Eventf(getNodeRef(dn.node), corev1.EventTypeWarning, "FailedToDrain", err.Error())
 		return errors.Wrap(err, "failed to drain node")
 	}
 

pkg/operator/status.go

@@ -163,6 +163,27 @@ const (
 	asExpectedReason = "AsExpected"
 )
 
+func (optr *Operator) clearDegradedStatus(task string) error {
+	co, err := optr.fetchClusterOperator()
+	if err != nil {
+		return err
+	}
+	if co == nil {
+		return nil
+	}
+	if cov1helpers.IsStatusConditionFalse(co.Status.Conditions, configv1.OperatorDegraded) {
+		return nil
+	}
+	degradedStatusCondition := cov1helpers.FindStatusCondition(co.Status.Conditions, configv1.OperatorDegraded)
+	if degradedStatusCondition == nil {
+		return nil
+	}
+	if degradedStatusCondition.Reason != task+"Failed" {
+		return nil
+	}
+	return optr.syncDegradedStatus(syncError{})
+}
+
 // syncDegradedStatus applies the new condition to the mco's ClusterOperator object.
 func (optr *Operator) syncDegradedStatus(ierr syncError) (err error) {
 	co, err := optr.fetchClusterOperator()

pkg/operator/sync.go

@@ -63,6 +63,9 @@ func (optr *Operator) syncAll(syncFuncs []syncFunc) error {
 		if syncErr.err != nil {
 			break
 		}
+		if err := optr.clearDegradedStatus(sf.name); err != nil {
+			return fmt.Errorf("error clearing degraded status: %v", err)
+		}
 	}
 
 	if err := optr.syncDegradedStatus(syncErr); err != nil {

templates/common/_base/files/nm-ignore-sdn.yaml

@@ -5,5 +5,5 @@ contents:
   inline: |
     # ignore known SDN-managed devices
     [device]
-    match-device=interface-name:br-int;interface-name:br-local;interface-name:br-nexthop,interface-name:k8s-*;interface-name:tun0;interface-name:br0;driver:veth
+    match-device=interface-name:br-int;interface-name:br-local;interface-name:br-nexthop,interface-name:ovn-k8s-*,interface-name:k8s-*;interface-name:tun0;interface-name:br0;driver:veth
     managed=0

templates/common/vsphere/files/vsphere-hostname.yaml

@@ -0,0 +1,14 @@
+filesystem: "root"
+mode: 0755
+path: "/usr/local/bin/vsphere-hostname.sh"
+contents:
+  inline: |
+    #!/usr/bin/env bash
+    set -e
+
+    if [ $(hostname -s) = "localhost" ]; then
+      if hostname=$(/bin/vmtoolsd --cmd 'info-get guestinfo.hostname'); then
+          /usr/bin/hostnamectl --transient --static set-hostname ${hostname}
+      fi
+    fi
+

templates/common/vsphere/units/vsphere-hostname.yaml

@@ -0,0 +1,16 @@
+name: "vsphere-hostname.service"
+enabled: true
+contents: |
+  [Unit]
+  Description=vSphere hostname
+  After=vmtoolsd.service
+  Before=kubelet.service
+
+  [Service]
+  ExecStart=/usr/local/bin/vsphere-hostname.sh
+  Restart=on-failure
+  RestartSec=15
+
+  [Install]
+  WantedBy=multi-user.target
+

templates/master/00-master/baremetal/files/NetworkManager-resolv-prepender.yaml

@@ -7,7 +7,7 @@ contents:
     IFACE=$1
     STATUS=$2
     # If $DHCP6_FQDN_FQDN is not empty and is not localhost.localdomain
-    [[ -n "$DHCP6_FQDN_FQDN" && "$DHCP6_FQDN_FQDN" != "localhost.localdomain" ]] && hostname $DHCP6_FQDN_FQDN
+    [[ -n "$DHCP6_FQDN_FQDN" && "$DHCP6_FQDN_FQDN" != "localhost.localdomain" && "$DHCP6_FQDN_FQDN" =~ "." ]] && hostnamectl set-hostname --static --transient $DHCP6_FQDN_FQDN
     case "$STATUS" in
         up|down|dhcp4-change|dhcp6-change)
         logger -s "NM resolv-prepender triggered by ${1} ${2}."

templates/master/00-master/baremetal/files/baremetal-haproxy.yaml

@@ -17,9 +17,9 @@ contents:
       - name: resource-dir
         hostPath:
           path: "/etc/kubernetes/static-pod-resources/haproxy"
-      - name: kubeconfig
+      - name: kubeconfigvarlib
         hostPath:
-          path: "/etc/kubernetes/kubeconfig"
+          path: "/var/lib/kubelet"
       - name: run-dir
         empty-dir: {}
       - name: conf-dir
@@ -111,7 +111,7 @@ contents:
         image: {{ .Images.baremetalRuntimeCfgImage }}
         command:
         - monitor
-        - "/etc/kubernetes/kubeconfig"
+        - "/var/lib/kubelet/kubeconfig"
         - "/config/haproxy.cfg.tmpl"
         - "/etc/haproxy/haproxy.cfg"
         - "--api-vip"
@@ -129,8 +129,8 @@ contents:
           mountPath: "/config"
         - name: chroot-host
           mountPath: "/host"
-        - name: kubeconfig
-          mountPath: "/etc/kubernetes/kubeconfig"
+        - name: kubeconfigvarlib
+          mountPath: "/var/lib/kubelet"
         terminationMessagePolicy: FallbackToLogsOnError
         imagePullPolicy: IfNotPresent
       hostNetwork: true

templates/master/01-master-container-runtime/_base/files/crio.yaml

@@ -155,7 +155,7 @@ contents:
     # Changes the verbosity of the logs based on the level it is set to. Options
     # are fatal, panic, error, warn, info, and debug. This option supports live
     # configuration reload.
-    log_level = "error"
+    log_level = "info"
 
     # The UID mappings for the user namespace of each container. A range is
     # specified in the form containerUID:HostUID:Size. Multiple ranges must be

templates/master/01-master-kubelet/_base/files/kubelet.yaml

@@ -20,7 +20,6 @@ contents:
     kubeAPIQPS: 50
     kubeAPIBurst: 100
     rotateCertificates: true
-    runtimeCgroups: /system.slice/crio.service
     serializeImagePulls: false
     staticPodPath: /etc/kubernetes/manifests
     systemCgroups: /system.slice

templates/master/01-master-kubelet/_base/units/kubelet.yaml

@@ -22,6 +22,7 @@ contents: |
         --kubeconfig=/var/lib/kubelet/kubeconfig \
         --container-runtime=remote \
         --container-runtime-endpoint=/var/run/crio/crio.sock \
+        --runtime-cgroups=/system.slice/crio.service \
         --node-labels=node-role.kubernetes.io/master,node.openshift.io/os_id=${ID} \
 {{- if .KubeletIPv6}}
         --node-ip :: \

templates/worker/00-worker/baremetal/files/NetworkManager-resolv-prepender.yaml

@@ -7,7 +7,7 @@ contents:
     IFACE=$1
     STATUS=$2
     # If $DHCP6_FQDN_FQDN is not empty and is not localhost.localdomain
-    [[ -n "$DHCP6_FQDN_FQDN" && "$DHCP6_FQDN_FQDN" != "localhost.localdomain" ]] && hostname $DHCP6_FQDN_FQDN
+    [[ -n "$DHCP6_FQDN_FQDN" && "$DHCP6_FQDN_FQDN" != "localhost.localdomain" && "$DHCP6_FQDN_FQDN" =~ "." ]] && hostnamectl set-hostname --static --transient $DHCP6_FQDN_FQDN
     case "$STATUS" in
         up|down|dhcp4-change|dhcp6-change)
         logger -s "NM resolv-prepender triggered by ${1} ${2}."

templates/worker/00-worker/openstack/files/openstack-disable-tx-checksum-offload.yaml

@@ -0,0 +1,10 @@
+filesystem: "root"
+mode: 0744
+path: "/etc/NetworkManager/dispatcher.d/pre-up.d/disable-tx-checksum-offload.sh"
+contents:
+  inline: |
+    #!/bin/bash
+    # This is a workaround for BZ#1794714
+    if [[ ! -e /var/lib/cni/bin/ovn-k8s-cni-overlay ]]; then
+      nmcli con modify ${CONNECTION_UUID} ethtool.feature-tx-checksum-ip-generic off;
+    fi

templates/worker/00-worker/ovirt/files/ovirt-disable-tx-checksum-offload.yaml

@@ -0,0 +1,10 @@
+filesystem: "root"
+mode: 0744
+path: "/etc/NetworkManager/dispatcher.d/pre-up.d/disable-tx-checksum-offload.sh"
+contents:
+  inline: |
+    #!/bin/bash
+    # This is a workaround for BZ#1794714
+    if [[ ! -e /var/lib/cni/bin/ovn-k8s-cni-overlay ]]; then
+      nmcli con modify ${CONNECTION_UUID} ethtool.feature-tx-checksum-ip-generic off;
+    fi

templates/worker/01-worker-container-runtime/_base/files/crio.yaml

@@ -155,7 +155,7 @@ contents:
     # Changes the verbosity of the logs based on the level it is set to. Options
     # are fatal, panic, error, warn, info, and debug. This option supports live
     # configuration reload.
-    log_level = "error"
+    log_level = "info"
 
     # The UID mappings for the user namespace of each container. A range is
     # specified in the form containerUID:HostUID:Size. Multiple ranges must be

templates/worker/01-worker-kubelet/_base/files/kubelet.yaml

@@ -20,7 +20,6 @@ contents:
     kubeAPIQPS: 50
     kubeAPIBurst: 100
     rotateCertificates: true
-    runtimeCgroups: /system.slice/crio.service
     serializeImagePulls: false
     staticPodPath: /etc/kubernetes/manifests
     systemCgroups: /system.slice

templates/worker/01-worker-kubelet/_base/units/kubelet.yaml

@@ -22,6 +22,7 @@ contents: |
         --kubeconfig=/var/lib/kubelet/kubeconfig \
         --container-runtime=remote \
         --container-runtime-endpoint=/var/run/crio/crio.sock \
+        --runtime-cgroups=/system.slice/crio.service \
         --node-labels=node-role.kubernetes.io/worker,node.openshift.io/os_id=${ID} \
 {{- if .KubeletIPv6}}
         --node-ip :: \