Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for Container Linux Config snippets #145

Merged
merged 3 commits into from
Mar 19, 2018
Merged

Add support for Container Linux Config snippets #145

merged 3 commits into from
Mar 19, 2018

Conversation

dghubble
Copy link
Member

@dghubble dghubble commented Feb 25, 2018
edited
Loading

Introduce the ability for users to supply Container Linux Config "snippets" for controllers or workers. Snippets are valid Container Linux Configs which are additively merged into the base Container Linux Configs that Typhoon uses to provision controllers and workers. Configs are validated, merged into a single config for use in instance user-data. Validation errors are shown with line numbers during terraform plan.

This is a major feature and has been long awaited.

  • Allows users to add custom systemd units, network configs, files, raid arrays, or other customizations related to on-host disk provisioning that is supported by Container Linux Configs (at Ignition v2.0.0).
  • Reduces user temptation to add a Terraform variable for every option. This helps keep Typhoon modules readable and maintainable over the long run.
  • See the Container Linux Config spec and examples

Examples

Suppose a user would like to enable the BBR congestion control algorithm (arbitrary example customization). That requires setting a /etc/sysctl.d/bbr.conf file on hosts and would previously have necessitated making a tiny fork of Typhoon with the change. Now:

# bbr-conf
storage:
  files:
    - path: /etc/sysctl.d/bbr.conf
      filesystem: root
      contents:
        inline: |
          net.core.default_qdisc=fq
          net.ipv4.tcp_congestion_control=bbr

module "digital-ocean-nemo" {
  source = "git::https://github.com/poseidon/typhoon//digital-ocean/container-linux/kubernetes?ref=v1.9.3"

  providers = {
    digitalocean = "digitalocean.default"
    local = "local.default"
    null = "null.default"
    template = "template.default"
    tls = "tls.default"
  }

  region   = "nyc3"
  dns_zone = "digital-ocean.example.com"

  cluster_name     = "nemo"
  image            = "coreos-stable"
  controller_count = 1
  controller_type  = "s-2vcpu-2gb"
  worker_count     = 2
  worker_type      = "s-1vcpu-1gb"
  ssh_fingerprints = ["d7:9d:79:ae:56:32:73:79:95:88:e3:a2:ab:5d:45:e7"]

  # output assets dir
  asset_dir = "/home/user/.secrets/clusters/nemo"

  # Container Linux Config custom snippets (NEW!)
  controller_clc_snippets = [
    "${file("./bbr-conf")}",
  ]
  worker_clc_snippets = [
    "${file("./bbr-conf")}"
  ]
}

Users may supply a list of valid Container Linux Config snippets to declare host disk provisioning details like systemd units, files, network configuration, etc.

Caveats

  • Requires terraform-provider-ct v0.2.1 plugin
  • There are limits to what additive merging (technically append) will allow. You cannot remove bits of the base config used by Typhoon. This reaffirms Typhoon's focus on minimalism.
  • Typhoon cannot make guarantees about different end-user customizations. We'll continue to design, build, and test clusters as usual, but will not entertain reports concerning end-user's customizations (e.g. "I customized X and now Y is broken").

Partially addresses #140

This was referenced Feb 25, 2018
Closed
Closed
dghubble added a commit that referenced this pull request Feb 26, 2018
@dghubble
Recommend installing terraform-provider-ct v0.2.1
983c7aa 
* Upcoming releases may begin to use features that require
the `terraform-provider-ct` plugin v0.2.1
* New users should use `terraform-provider-ct` v0.2.1. Existing
users can safely drop-in replace their v0.2.0 plugin with v0.2.1
as well (location referenced in ~/.terraformrc).
* See #145
@dghubble dghubble changed the title Add support for custom Container Linux Config snippets Add support for Container Linux Config snippets Mar 19, 2018
@dghubble
Add Container Linux Config snippets feature
f3730b2 
* Introduce the ability to support Container Linux Config
"snippets" for controllers and workers on cloud platforms.
This allows end-users to customize hosts by providing Container
Linux configs that are additively merged into the base configs
defined by Typhoon. Config snippets are validated, merged, and
show any errors during `terraform plan`
* Example uses include adding systemd units, network configs,
mounts, files, raid arrays, or other disk provisioning features
provided by Container Linux Configs (using Ignition low-level)
* Requires terraform-provider-ct v0.2.1 plugin
@dghubble
Add Container Linux Config snippet docs
18d08de
@dghubble
Improve changelog with migration links
29108fd
@dghubble dghubble merged commit 29108fd into poseidon:master Mar 19, 2018
@dghubble dghubble deleted the ct-snippets branch March 20, 2018 05:45
@bendrucker bendrucker mentioned this pull request Apr 10, 2018
Closed
bendrucker added a commit to TakeScoop/typhoon that referenced this pull request Apr 10, 2018
@bendrucker
Remove ability to set multiple authorized keys for "core" user
0091040 
* poseidon#145
* Additional users can be easily added upstream
@bendrucker bendrucker mentioned this pull request Apr 10, 2018
Merged
@bendrucker bendrucker mentioned this pull request Apr 23, 2018
Merged
@cjose3
Copy link

cjose3 commented May 2, 2018
edited
Loading

Hi @dghubble, I would like run kubelet with enable-controller-attach-detach = false.
can I use worker_clc_snippets|controller_clc_snippets to update the the systemd unit of kubelet.service?

I would like add another option to ExecStart:

ExecStart=/usr/lib/coreos/kubelet-wrapper \
          --allow-privileged \
          --anonymous-auth=false \
          --client-ca-file=/etc/kubernetes/ca.crt \
          --cluster_dns=${k8s_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --hostname-override=$${COREOS_DIGITALOCEAN_IPV4_PRIVATE_0} \
          --kubeconfig=/etc/kubernetes/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node-role.kubernetes.io/node \
          --pod-manifest-path=/etc/kubernetes/manifests \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins \
->        --enable-controller-attach-detach=false

Is it possible using this snippets?

I think that maybe could be I good idea add the option --config to to config kubelet via file

Like this:

ExecStart=/usr/lib/coreos/kubelet-wrapper \
          --allow-privileged \
          --anonymous-auth=false \
          --client-ca-file=/etc/kubernetes/ca.crt \
          --cluster_dns=${k8s_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --hostname-override=$${COREOS_DIGITALOCEAN_IPV4_PRIVATE_0} \
          --kubeconfig=/etc/kubernetes/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node-role.kubernetes.io/node \
          --pod-manifest-path=/etc/kubernetes/manifests \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins \
->        --config=/etc/kubernetes/kubeletconfig.yml

And create this file /etc/kubernetes/kubeletconfig.yml using ct

storage:
  files:
    - path: /etc/kubernetes/kubeletconfig.yml
      filesystem: root
      contents:
        inline: |
          ${kubelet_config_file}

And kubelet_config_file will be a new variable to typhoon.

Please let me know if it is possible and I will be the pr.
Regards!

@valer-cara
Copy link
Contributor

valer-cara commented Nov 29, 2019
edited
Loading

👍 @cjose3 - also encountered the need to customize the kubelet-wrapper params while trying to mount localvolumes via the local storage provisioner.

kubelet will fail to initialize local volumes located in a sane path on the system (eg: /mnt) because that path is not bound within the kubelet's container.

MountVolume.NewMounter initialization failed for volume "local-pv-7610af06" : path "/mnt/localstore" does not exist

I'd need to add another line to RKT_RUN_ARGS here, i'm guessing like:

--volume mnt,kind=host,source=/mnt
--mount volume=mnt,target=/mnt

Will fork for now, but I wish it was easier.

Side note, i found that out the hard way, stracing kubelet 🤦‍♀️ 😿

...
newfstatat(AT_FDCWD, "/mnt/localstore", 0xc001a046b8, 0) = -1 ENOENT 
...

ip-10-0-61-212 mnt # ls -l /proc/$(pgrep kubelet)/cwd
lrwxrwxrwx. 1 root root 0 Nov 29 20:55 /proc/971/cwd -> /var/lib/rkt/pods/run/33fc0b9d-4a38-45db-be49-e79fa051f009/stage1/rootfs/opt/stage2/hyperkube/rootfs

AT_FDCWD - "stat relative to the cwd of the process"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dghubble @cjose3 @valer-cara