Merge pull request #44359 from ncdc/var-lib-dockershim
Automatic merge from submit-queue Make the dockershim root directory configurable Make the dockershim root directory configurable so things like integration tests (e.g. in OpenShift) can run as non-root. cc @sttts @derekwaynecarr @yujuhong @Random-Liu @kubernetes/sig-node-pr-reviews @kubernetes/rh-cluster-infra
commit
06cdb02fca
@ -73,6 +73,10 @@ type KubeletFlags struct {
|
|||||||
// NodeIP is IP address of the node.
|
// NodeIP is IP address of the node.
|
||||||
// If set, kubelet will use this IP address for the node.
|
// If set, kubelet will use this IP address for the node.
|
||||||
NodeIP string
|
NodeIP string
|
||||||
|
|
||||||
|
// DockershimRootDirectory is the path to the dockershim root directory. Defaults to
|
||||||
|
// /var/lib/dockershim if unset. Exposed for integration testing (e.g. in OpenShift).
|
||||||
|
DockershimRootDirectory string
|
||||||
}
|
}
|
||||||
|
|
||||||
// KubeletServer encapsulates all of the parameters necessary for starting up
|
// KubeletServer encapsulates all of the parameters necessary for starting up
|
||||||
@ -92,6 +96,7 @@ func NewKubeletServer() *KubeletServer {
|
|||||||
KubeletFlags: KubeletFlags{
|
KubeletFlags: KubeletFlags{
|
||||||
KubeConfig: flag.NewStringFlag("/var/lib/kubelet/kubeconfig"),
|
KubeConfig: flag.NewStringFlag("/var/lib/kubelet/kubeconfig"),
|
||||||
RequireKubeConfig: false,
|
RequireKubeConfig: false,
|
||||||
|
DockershimRootDirectory: "/var/lib/dockershim",
|
||||||
},
|
},
|
||||||
KubeletConfiguration: config,
|
KubeletConfiguration: config,
|
||||||
}
|
}
|
||||||
@ -129,6 +134,9 @@ func (f *KubeletFlags) AddFlags(fs *pflag.FlagSet) {
|
|||||||
fs.StringVar(&f.HostnameOverride, "hostname-override", f.HostnameOverride, "If non-empty, will use this string as identification instead of the actual hostname.")
|
fs.StringVar(&f.HostnameOverride, "hostname-override", f.HostnameOverride, "If non-empty, will use this string as identification instead of the actual hostname.")
|
||||||
|
|
||||||
fs.StringVar(&f.NodeIP, "node-ip", f.NodeIP, "IP address of the node. If set, kubelet will use this IP address for the node")
|
fs.StringVar(&f.NodeIP, "node-ip", f.NodeIP, "IP address of the node. If set, kubelet will use this IP address for the node")
|
||||||
|
|
||||||
|
fs.StringVar(&f.DockershimRootDirectory, "experimental-dockershim-root-directory", f.DockershimRootDirectory, "Path to the dockershim root directory.")
|
||||||
|
fs.MarkHidden("experimental-dockershim-root-directory")
|
||||||
}
|
}
|
||||||
|
|
||||||
// addFlags adds flags for a specific componentconfig.KubeletConfiguration to the specified FlagSet
|
// addFlags adds flags for a specific componentconfig.KubeletConfiguration to the specified FlagSet
|
||||||
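Review bot: An explicitly empty `--experimental-dockershim-root-directory` is neither defaulted nor rejected anywhere in the visible change, although the field comment on `DockershimRootDirectory` says it defaults to /var/lib/dockershim if unset; the default is only applied through `NewKubeletServer`. In the `NewPersistentCheckpointHandler` hunk the value goes straight into `filepath.Join(dockershimRootDir, sandboxCheckpointDir)`, so an empty or relative value would place the checkpoint store relative to the process working directory. `NewMainKubelet` already rejects an empty `kubeCfg.RootDirectory`; a matching guard next to it, `if dockershimRootDir == "" { return nil, fmt.Errorf("invalid dockershim root directory %q", dockershimRootDir) }`, and the equivalent in `RunDockershim`, would make the documented contract hold. The result of `fs.MarkHidden("experimental-dockershim-root-directory")` in `AddFlags` is also discarded; a one-line comment stating that it can only fail for an unregistered flag name would make that deliberate.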
|
@ -812,7 +812,7 @@ func RunKubelet(kubeFlags *options.KubeletFlags, kubeCfg *componentconfig.Kubele
|
|||||||
if kubeDeps.OSInterface == nil {
|
if kubeDeps.OSInterface == nil {
|
||||||
kubeDeps.OSInterface = kubecontainer.RealOS{}
|
kubeDeps.OSInterface = kubecontainer.RealOS{}
|
||||||
}
|
}
|
||||||
k, err := builder(kubeCfg, kubeDeps, standaloneMode, kubeFlags.HostnameOverride, kubeFlags.NodeIP)
|
k, err := builder(kubeCfg, kubeDeps, standaloneMode, kubeFlags.HostnameOverride, kubeFlags.NodeIP, kubeFlags.DockershimRootDirectory)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to create kubelet: %v", err)
|
return fmt.Errorf("failed to create kubelet: %v", err)
|
||||||
}
|
}
|
||||||
@ -892,11 +892,11 @@ func startKubelet(k kubelet.KubeletBootstrap, podCfg *config.PodConfig, kubeCfg
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func CreateAndInitKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *kubelet.KubeletDeps, standaloneMode bool, hostnameOverride string, nodeIP string) (k kubelet.KubeletBootstrap, err error) {
|
func CreateAndInitKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *kubelet.KubeletDeps, standaloneMode bool, hostnameOverride, nodeIP, dockershimRootDir string) (k kubelet.KubeletBootstrap, err error) {
|
||||||
// TODO: block until all sources have delivered at least one update to the channel, or break the sync loop
|
// TODO: block until all sources have delivered at least one update to the channel, or break the sync loop
|
||||||
// up into "per source" synchronizations
|
// up into "per source" synchronizations
|
||||||
|
|
||||||
k, err = kubelet.NewMainKubelet(kubeCfg, kubeDeps, standaloneMode, hostnameOverride, nodeIP)
|
k, err = kubelet.NewMainKubelet(kubeCfg, kubeDeps, standaloneMode, hostnameOverride, nodeIP, dockershimRootDir)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -936,7 +936,7 @@ func parseResourceList(m componentconfig.ConfigurationMap) (v1.ResourceList, err
|
|||||||
|
|
||||||
// RunDockershim only starts the dockershim in current process. This is only used for cri validate testing purpose
|
// RunDockershim only starts the dockershim in current process. This is only used for cri validate testing purpose
|
||||||
// TODO(random-liu): Move this to a separate binary.
|
// TODO(random-liu): Move this to a separate binary.
|
||||||
func RunDockershim(c *componentconfig.KubeletConfiguration) error {
|
func RunDockershim(c *componentconfig.KubeletConfiguration, dockershimRootDir string) error {
|
||||||
// Create docker client.
|
// Create docker client.
|
||||||
dockerClient := dockertools.ConnectToDockerOrDie(c.DockerEndpoint, c.RuntimeRequestTimeout.Duration,
|
dockerClient := dockertools.ConnectToDockerOrDie(c.DockerEndpoint, c.RuntimeRequestTimeout.Duration,
|
||||||
c.ImagePullProgressDeadline.Duration)
|
c.ImagePullProgressDeadline.Duration)
|
||||||
@ -978,7 +978,7 @@ func RunDockershim(c *componentconfig.KubeletConfiguration) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
ds, err := dockershim.NewDockerService(dockerClient, c.SeccompProfileRoot, c.PodInfraContainerImage,
|
ds, err := dockershim.NewDockerService(dockerClient, c.SeccompProfileRoot, c.PodInfraContainerImage,
|
||||||
streamingConfig, &pluginSettings, c.RuntimeCgroups, c.CgroupDriver, dockerExecHandler)
|
streamingConfig, &pluginSettings, c.RuntimeCgroups, c.CgroupDriver, dockerExecHandler, dockershimRootDir)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
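Review bot: `CreateAndInitKubelet` now ends in three adjacent positional strings (`hostnameOverride, nodeIP, dockershimRootDir string`), and the same list is repeated in the `KubeletBuilder` type and in `NewMainKubelet`, so a transposed argument at any call site still compiles and would silently turn a hostname or IP string into a filesystem root. Neither `CreateAndInitKubelet` nor `RunDockershim` documents the new parameter; a comment such as `// dockershimRootDir is the directory under which dockershim keeps its on-disk state; it must be a non-empty path.` on each would record the expectation. If more flag-derived values are expected to follow, passing them as one small struct instead of further positional strings would remove the ordering hazard. Both function bodies continue outside the hunks shown.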
|
@ -46,7 +46,7 @@ func main() {
|
|||||||
verflag.PrintAndExitIfRequested()
|
verflag.PrintAndExitIfRequested()
|
||||||
|
|
||||||
if s.ExperimentalDockershim {
|
if s.ExperimentalDockershim {
|
||||||
if err := app.RunDockershim(&s.KubeletConfiguration); err != nil {
|
if err := app.RunDockershim(&s.KubeletConfiguration, s.DockershimRootDirectory); err != nil {
|
||||||
fmt.Fprintf(os.Stderr, "error: %v\n", err)
|
fmt.Fprintf(os.Stderr, "error: %v\n", err)
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
|
@ -242,6 +242,7 @@ experimental-bootstrap-token-auth
|
|||||||
experimental-check-node-capabilities-before-mount
|
experimental-check-node-capabilities-before-mount
|
||||||
experimental-cri
|
experimental-cri
|
||||||
experimental-dockershim
|
experimental-dockershim
|
||||||
|
experimental-dockershim-root-directory
|
||||||
experimental-fail-swap-on
|
experimental-fail-swap-on
|
||||||
experimental-kernel-memcg-notification
|
experimental-kernel-memcg-notification
|
||||||
experimental-keystone-ca-file
|
experimental-keystone-ca-file
|
||||||
|
@ -84,7 +84,7 @@ type PersistentCheckpointHandler struct {
|
|||||||
store CheckpointStore
|
store CheckpointStore
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewPersistentCheckpointHandler() (CheckpointHandler, error) {
|
func NewPersistentCheckpointHandler(dockershimRootDir string) (CheckpointHandler, error) {
|
||||||
fstore, err := NewFileStore(filepath.Join(dockershimRootDir, sandboxCheckpointDir))
|
fstore, err := NewFileStore(filepath.Join(dockershimRootDir, sandboxCheckpointDir))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
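Review bot: `NewPersistentCheckpointHandler` now builds its store under a caller-chosen root, and nothing visible here shows what permissions `NewFileStore` applies when it creates that directory. The stated purpose of the change is running as non-root from a non-default location, so it is worth confirming that the store directory is created with an owner-only mode rather than inheriting whatever the chosen parent allows; that code is outside this hunk, and the function body continues past it. The exported constructor also has no doc comment, and `// NewPersistentCheckpointHandler returns a CheckpointHandler that persists checkpoints under dockershimRootDir.` would describe the new parameter.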
|
@ -60,9 +60,6 @@ const (
|
|||||||
|
|
||||||
defaultSeccompProfile = "unconfined"
|
defaultSeccompProfile = "unconfined"
|
||||||
|
|
||||||
// dockershimRootDir is the root directory for dockershim
|
|
||||||
dockershimRootDir = "/var/lib/dockershim"
|
|
||||||
|
|
||||||
// Internal docker labels used to identify whether a container is a sandbox
|
// Internal docker labels used to identify whether a container is a sandbox
|
||||||
// or a regular container.
|
// or a regular container.
|
||||||
// TODO: This is not backward compatible with older containers. We will
|
// TODO: This is not backward compatible with older containers. We will
|
||||||
@ -150,9 +147,9 @@ var internalLabelKeys []string = []string{containerTypeLabelKey, containerLogPat
|
|||||||
|
|
||||||
// NOTE: Anything passed to DockerService should be eventually handled in another way when we switch to running the shim as a different process.
|
// NOTE: Anything passed to DockerService should be eventually handled in another way when we switch to running the shim as a different process.
|
||||||
func NewDockerService(client dockertools.DockerInterface, seccompProfileRoot string, podSandboxImage string, streamingConfig *streaming.Config,
|
func NewDockerService(client dockertools.DockerInterface, seccompProfileRoot string, podSandboxImage string, streamingConfig *streaming.Config,
|
||||||
pluginSettings *NetworkPluginSettings, cgroupsName string, kubeCgroupDriver string, execHandler dockertools.ExecHandler) (DockerService, error) {
|
pluginSettings *NetworkPluginSettings, cgroupsName string, kubeCgroupDriver string, execHandler dockertools.ExecHandler, dockershimRootDir string) (DockerService, error) {
|
||||||
c := dockertools.NewInstrumentedDockerInterface(client)
|
c := dockertools.NewInstrumentedDockerInterface(client)
|
||||||
checkpointHandler, err := NewPersistentCheckpointHandler()
|
checkpointHandler, err := NewPersistentCheckpointHandler(dockershimRootDir)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -187,7 +187,7 @@ type KubeletBootstrap interface {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// create and initialize a Kubelet instance
|
// create and initialize a Kubelet instance
|
||||||
type KubeletBuilder func(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *KubeletDeps, standaloneMode bool, hostnameOverride string, nodeIP string) (KubeletBootstrap, error)
|
type KubeletBuilder func(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *KubeletDeps, standaloneMode bool, hostnameOverride, nodeIP, dockershimRootDir string) (KubeletBootstrap, error)
|
||||||
|
|
||||||
// KubeletDeps is a bin for things we might consider "injected dependencies" -- objects constructed
|
// KubeletDeps is a bin for things we might consider "injected dependencies" -- objects constructed
|
||||||
// at runtime that are necessary for running the Kubelet. This is a temporary solution for grouping
|
// at runtime that are necessary for running the Kubelet. This is a temporary solution for grouping
|
||||||
@ -282,7 +282,7 @@ func getRuntimeAndImageServices(config *componentconfig.KubeletConfiguration) (i
|
|||||||
|
|
||||||
// NewMainKubelet instantiates a new Kubelet object along with all the required internal modules.
|
// NewMainKubelet instantiates a new Kubelet object along with all the required internal modules.
|
||||||
// No initialization of Kubelet and its modules should happen here.
|
// No initialization of Kubelet and its modules should happen here.
|
||||||
func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *KubeletDeps, standaloneMode bool, hostnameOverride string, nodeIP string) (*Kubelet, error) {
|
func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *KubeletDeps, standaloneMode bool, hostnameOverride, nodeIP, dockershimRootDir string) (*Kubelet, error) {
|
||||||
if kubeCfg.RootDirectory == "" {
|
if kubeCfg.RootDirectory == "" {
|
||||||
return nil, fmt.Errorf("invalid root directory %q", kubeCfg.RootDirectory)
|
return nil, fmt.Errorf("invalid root directory %q", kubeCfg.RootDirectory)
|
||||||
}
|
}
|
||||||
@ -553,7 +553,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Kub
|
|||||||
// Create and start the CRI shim running as a grpc server.
|
// Create and start the CRI shim running as a grpc server.
|
||||||
streamingConfig := getStreamingConfig(kubeCfg, kubeDeps)
|
streamingConfig := getStreamingConfig(kubeCfg, kubeDeps)
|
||||||
ds, err := dockershim.NewDockerService(klet.dockerClient, kubeCfg.SeccompProfileRoot, kubeCfg.PodInfraContainerImage,
|
ds, err := dockershim.NewDockerService(klet.dockerClient, kubeCfg.SeccompProfileRoot, kubeCfg.PodInfraContainerImage,
|
||||||
streamingConfig, &pluginSettings, kubeCfg.RuntimeCgroups, kubeCfg.CgroupDriver, dockerExecHandler)
|
streamingConfig, &pluginSettings, kubeCfg.RuntimeCgroups, kubeCfg.CgroupDriver, dockerExecHandler, dockershimRootDir)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|