From 42f566ae58c14b93112ec15636ba203fcf40cfb0 Mon Sep 17 00:00:00 2001 From: Naadir Jeewa Date: Wed, 3 Jul 2019 13:28:10 +0100 Subject: [PATCH 1/5] etcd: Ensure etcd binaries are world executable Signed-off-by: Naadir Jeewa --- cluster/images/etcd/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cluster/images/etcd/Dockerfile b/cluster/images/etcd/Dockerfile index d7ae7766cea..ee7886f515a 100644 --- a/cluster/images/etcd/Dockerfile +++ b/cluster/images/etcd/Dockerfile @@ -16,4 +16,6 @@ FROM BASEIMAGE EXPOSE 2379 2380 4001 7001 COPY etcd* etcdctl* /usr/local/bin/ +RUN chmod +x /usr/local/bin/etcd* /usr/local/bin/etcdctl* COPY migrate-if-needed.sh migrate /usr/local/bin/ +RUN chmod +x /usr/local/bin/migrate-if-needed.sh /usr/local/bin/migrate From 3783aa50511af21a13f175ace7de6dc3c6cf93cb Mon Sep 17 00:00:00 2001 From: Naadir Jeewa Date: Wed, 3 Jul 2019 13:28:20 +0100 Subject: [PATCH 2/5] etcd: Allow Makefile to be used on SELinux systems Adds check for SELinux and then adds the :z parameter to the volume mounts in order to work on SELinux enabled systems such as Fedora. Signed-off-by: Naadir Jeewa --- cluster/images/etcd/Makefile | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/cluster/images/etcd/Makefile b/cluster/images/etcd/Makefile index 874f3a86bd1..86ca41ca408 100644 --- a/cluster/images/etcd/Makefile +++ b/cluster/images/etcd/Makefile @@ -49,6 +49,12 @@ PUSH_REGISTRY?=staging-k8s.gcr.io MANIFEST_IMAGE := $(PUSH_REGISTRY)/etcd +SELINUX_ENABLED := $(shell cat /sys/fs/selinux/enforce 2> /dev/null || echo 0) + +ifeq ($(SELINUX_ENABLED),1) + DOCKER_VOL_OPTS?=:z +endif + # This option is for running docker manifest command export DOCKER_CLI_EXPERIMENTAL := enabled # golang version should match the golang version from https://github.com/coreos/etcd/releases for the current ETCD_VERSION. 
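Review bot: The `:z` selected under `ifeq ($(SELINUX_ENABLED),1)` is broader than the variable name suggests, because Docker relabels the bind-mounted host path itself with a shared container label and that label persists after the build. The later hunks of this patch apply it to `$(shell pwd)/../../../`, so on an enforcing host the whole repository checkout is relabelled, not just a scratch directory. `/sys/fs/selinux/enforce` also reports enforcing mode rather than whether SELinux is present, so `SELINUX_ENFORCING` would describe the value more accurately. I would add a comment above the `ifeq`, for example `# :z relabels the mounted host dirs (including the repo root) with a shared SELinux label; set DOCKER_VOL_OPTS= to opt out`.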
@@ -78,7 +84,7 @@ build: find ./ -maxdepth 1 -type f | xargs -I {} cp {} $(TEMP_DIR) # Compile migrate - docker run --interactive -v $(shell pwd)/../../../:/go/src/k8s.io/kubernetes -v $(TEMP_DIR):/build -e GOARCH=$(ARCH) golang:$(GOLANG_VERSION) \ + docker run --interactive -v $(shell pwd)/../../../:/go/src/k8s.io/kubernetes$(DOCKER_VOL_OPTS) -v $(TEMP_DIR):/build$(DOCKER_VOL_OPTS) -e GOARCH=$(ARCH) golang:$(GOLANG_VERSION) \ /bin/bash -c "CGO_ENABLED=0 go build -o /build/migrate k8s.io/kubernetes/cluster/images/etcd/migrate" @@ -99,7 +105,7 @@ else # For each release create a tmp dir 'etcd_release_tmp_dir' and unpack the release tar there. for version in $(BUNDLED_ETCD_VERSIONS); do \ etcd_release_tmp_dir=$(shell mktemp -d); \ - docker run --interactive -v $${etcd_release_tmp_dir}:/etcdbin golang:$(GOLANG_VERSION) /bin/bash -c \ + docker run --interactive -v $${etcd_release_tmp_dir}:/etcdbin golang:$(GOLANG_VERSION)$(DOCKER_VOL_OPTS) /bin/bash -c \ "git clone https://github.com/coreos/etcd /go/src/github.com/coreos/etcd \ && cd /go/src/github.com/coreos/etcd \ && git checkout v$${version} \ @@ -145,7 +151,7 @@ push-manifest: docker manifest push --purge ${MANIFEST_IMAGE}:${IMAGE_TAG} unit-test: - docker run --interactive -v $(shell pwd)/../../../:/go/src/k8s.io/kubernetes -e GOARCH=$(ARCH) golang:$(GOLANG_VERSION) \ + docker run --interactive -v $(shell pwd)/../../../:/go/src/k8s.io/kubernetes$(DOCKER_VOL_OPTS) -e GOARCH=$(ARCH) golang:$(GOLANG_VERSION) \ /bin/bash -c "CGO_ENABLED=0 go test -v k8s.io/kubernetes/cluster/images/etcd/migrate" # Integration tests require both a golang build environment and all the etcd binaries from a `k8s.gcr.io/etcd` image (`/usr/local/bin/etcd-`, ...). 
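Review bot: In the `@@ -99,7 +105,7 @@` hunk, `$(DOCKER_VOL_OPTS)` is appended to the image reference (`golang:$(GOLANG_VERSION)$(DOCKER_VOL_OPTS)`) instead of the `-v` argument. On an enforcing host the image name then ends in `:z`, which is not a valid reference, and the `/etcdbin` mount gets no relabel, so the non-amd64 build path would fail instead of gaining SELinux support. The line should read `docker run --interactive -v $${etcd_release_tmp_dir}:/etcdbin$(DOCKER_VOL_OPTS) golang:$(GOLANG_VERSION) /bin/bash -c \`. The enclosing `for` loop starts and ends outside the hunk.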
@@ -158,7 +164,7 @@ build-integration-test-image: build docker build --pull -t etcd-integration-test $(TEMP_DIR)_integration_test integration-test: - docker run --interactive -v $(shell pwd)/../../../:/go/src/k8s.io/kubernetes -e GOARCH=$(ARCH) etcd-integration-test \ + docker run --interactive -v $(shell pwd)/../../../:/go/src/k8s.io/kubernetes$(DOCKER_VOL_OPTS) -e GOARCH=$(ARCH) etcd-integration-test \ /bin/bash -c "CGO_ENABLED=0 go test -tags=integration k8s.io/kubernetes/cluster/images/etcd/migrate -args -v 10 -logtostderr true" integration-build-test: build-integration-test-image integration-test From bdcea67730055695714551f9fb464aa816d4521f Mon Sep 17 00:00:00 2001 From: Naadir Jeewa Date: Wed, 3 Jul 2019 13:28:10 +0100 Subject: [PATCH 3/5] etcd: Ensure etcd binaries are world executable Signed-off-by: Naadir Jeewa --- cluster/images/etcd/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/cluster/images/etcd/Makefile b/cluster/images/etcd/Makefile index 86ca41ca408..ec49e899805 100644 --- a/cluster/images/etcd/Makefile +++ b/cluster/images/etcd/Makefile @@ -97,6 +97,7 @@ ifeq ($(ARCH),amd64) curl -sSL --retry 5 https://github.com/coreos/etcd/releases/download/v$$version/etcd-v$$version-linux-amd64.tar.gz | tar -xz -C $$etcd_release_tmp_dir --strip-components=1; \ cp $$etcd_release_tmp_dir/etcd $$etcd_release_tmp_dir/etcdctl $(TEMP_DIR)/; \ cp $(TEMP_DIR)/etcd $(TEMP_DIR)/etcd-$$version; \ + chmod +x $(TEMP_DIR)/etcd-$$version; \ cp $(TEMP_DIR)/etcdctl $(TEMP_DIR)/etcdctl-$$version; \ done else From 8c27ac488a6b06ea35fd34ea8e1473353286b2fc Mon Sep 17 00:00:00 2001 From: Naadir Jeewa Date: Thu, 4 Jul 2019 10:03:55 +0100 Subject: [PATCH 4/5] etcd: Change perms in Makefile, not Dockerfile --- cluster/images/etcd/Dockerfile | 2 -- cluster/images/etcd/Makefile | 29 ++++++++++++++++------------- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/cluster/images/etcd/Dockerfile b/cluster/images/etcd/Dockerfile index ee7886f515a..d7ae7766cea 100644 
--- a/cluster/images/etcd/Dockerfile +++ b/cluster/images/etcd/Dockerfile @@ -16,6 +16,4 @@ FROM BASEIMAGE EXPOSE 2379 2380 4001 7001 COPY etcd* etcdctl* /usr/local/bin/ -RUN chmod +x /usr/local/bin/etcd* /usr/local/bin/etcdctl* COPY migrate-if-needed.sh migrate /usr/local/bin/ -RUN chmod +x /usr/local/bin/migrate-if-needed.sh /usr/local/bin/migrate diff --git a/cluster/images/etcd/Makefile b/cluster/images/etcd/Makefile index ec49e899805..4ec0e858904 100644 --- a/cluster/images/etcd/Makefile +++ b/cluster/images/etcd/Makefile @@ -51,6 +51,9 @@ MANIFEST_IMAGE := $(PUSH_REGISTRY)/etcd SELINUX_ENABLED := $(shell cat /sys/fs/selinux/enforce 2> /dev/null || echo 0) +# Install binaries matching base distro permissions +BIN_INSTALL := install -m 0555 + ifeq ($(SELINUX_ENABLED),1) DOCKER_VOL_OPTS?=:z endif @@ -79,14 +82,15 @@ ifeq ($(ARCH),s390x) endif build: - # Copy the content in this dir to the temp dir, - # without copying the subdirectories. - find ./ -maxdepth 1 -type f | xargs -I {} cp {} $(TEMP_DIR) + # Explicitly copy files to the temp directory + $(BIN_INSTALL) migrate-if-needed.sh $(TEMP_DIR) + install Dockerfile $(TEMP_DIR) # Compile migrate - docker run --interactive -v $(shell pwd)/../../../:/go/src/k8s.io/kubernetes$(DOCKER_VOL_OPTS) -v $(TEMP_DIR):/build$(DOCKER_VOL_OPTS) -e GOARCH=$(ARCH) golang:$(GOLANG_VERSION) \ - /bin/bash -c "CGO_ENABLED=0 go build -o /build/migrate k8s.io/kubernetes/cluster/images/etcd/migrate" - + migrate_tmp_dir=$(shell mktemp -d); \ + docker run --interactive -v $(shell pwd)/../../../:/go/src/k8s.io/kubernetes$(DOCKER_VOL_OPTS) -v $${migrate_tmp_dir}:/build$(DOCKER_VOL_OPTS) -e GOARCH=$(ARCH) golang:$(GOLANG_VERSION) \ + /bin/bash -c "CGO_ENABLED=0 go build -o /build/migrate k8s.io/kubernetes/cluster/images/etcd/migrate"; \ + $(BIN_INSTALL) $${migrate_tmp_dir}/migrate $(TEMP_DIR) ifeq ($(ARCH),amd64) 
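Review bot: In the `build` hunk, `install Dockerfile $(TEMP_DIR)` passes no `-m`, so the Dockerfile lands with install's default mode (executable), while the comment on `BIN_INSTALL` says permissions are being set deliberately. `install -m 0644 Dockerfile $(TEMP_DIR)` would state the intent. The directory from `migrate_tmp_dir=$(shell mktemp -d)` is also never removed, so every build leaves a copy of the compiled `migrate` under the temp root. Ending the recipe with `$(BIN_INSTALL) $${migrate_tmp_dir}/migrate $(TEMP_DIR) && rm -rf $${migrate_tmp_dir}` would clean it up without hiding an install failure. The `build` recipe continues past the end of this hunk.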
@@ -95,10 +99,9 @@ ifeq ($(ARCH),amd64) for version in $(BUNDLED_ETCD_VERSIONS); do \ etcd_release_tmp_dir=$(shell mktemp -d); \ curl -sSL --retry 5 https://github.com/coreos/etcd/releases/download/v$$version/etcd-v$$version-linux-amd64.tar.gz | tar -xz -C $$etcd_release_tmp_dir --strip-components=1; \ - cp $$etcd_release_tmp_dir/etcd $$etcd_release_tmp_dir/etcdctl $(TEMP_DIR)/; \ - cp $(TEMP_DIR)/etcd $(TEMP_DIR)/etcd-$$version; \ - chmod +x $(TEMP_DIR)/etcd-$$version; \ - cp $(TEMP_DIR)/etcdctl $(TEMP_DIR)/etcdctl-$$version; \ + $(BIN_INSTALL) $$etcd_release_tmp_dir/etcd $$etcd_release_tmp_dir/etcdctl $(TEMP_DIR)/; \ + $(BIN_INSTALL) $(TEMP_DIR)/etcd $(TEMP_DIR)/etcd-$$version; \ + $(BIN_INSTALL) $(TEMP_DIR)/etcdctl $(TEMP_DIR)/etcdctl-$$version; \ done else @@ -112,9 +115,9 @@ else && git checkout v$${version} \ && GOARM=$(GOARM) GOARCH=$(ARCH) ./build \ && cp -f bin/$(ARCH)/etcd* bin/etcd* /etcdbin; echo 'done'"; \ - cp $$etcd_release_tmp_dir/etcd $$etcd_release_tmp_dir/etcdctl $(TEMP_DIR)/; \ - cp $(TEMP_DIR)/etcd $(TEMP_DIR)/etcd-$$version; \ - cp $(TEMP_DIR)/etcdctl $(TEMP_DIR)/etcdctl-$$version; \ + $(BIN_INSTALL) $$etcd_release_tmp_dir/etcd $$etcd_release_tmp_dir/etcdctl $(TEMP_DIR)/; \ + $(BIN_INSTALL) $(TEMP_DIR)/etcd $(TEMP_DIR)/etcd-$$version; \ + $(BIN_INSTALL) $(TEMP_DIR)/etcdctl $(TEMP_DIR)/etcdctl-$$version; \ done # Add this ENV variable in order to workaround an unsupported arch blocker From b1b7ea3229008cc72a0ff8607f1112b989d125d4 Mon Sep 17 00:00:00 2001 From: Naadir Jeewa Date: Thu, 4 Jul 2019 10:13:37 +0100 Subject: [PATCH 5/5] etcd: Add comment re: SELinux Signed-off-by: Naadir Jeewa --- cluster/images/etcd/Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/cluster/images/etcd/Makefile b/cluster/images/etcd/Makefile index 4ec0e858904..4b863c4cf94 100644 --- a/cluster/images/etcd/Makefile +++ b/cluster/images/etcd/Makefile 
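Review bot: The new `$(BIN_INSTALL)` lines in the `@@ -95,10 +99,9 @@` loop are still joined with `;`, so a failed download, extract or install for one version does not stop the loop. Because `etcd_release_tmp_dir=$(shell mktemp -d)` is expanded once by make, every iteration reuses the same directory, and a failed fetch can leave the previous version's binaries there to be installed as `etcd-$$version` and `etcdctl-$$version`. The image would then ship a mislabelled binary without the build failing. Ending each step with `|| exit 1; \` would stop on the first error, e.g. `$(BIN_INSTALL) $$etcd_release_tmp_dir/etcd $$etcd_release_tmp_dir/etcdctl $(TEMP_DIR)/ || exit 1; \`. The `@@ -112,9 +115,9 @@` hunk has the same pattern, and there the in-container command also ends in `; echo 'done'`, which appears to hide a failed build. Both loops start outside their hunks.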
@@ -49,11 +49,12 @@ PUSH_REGISTRY?=staging-k8s.gcr.io MANIFEST_IMAGE := $(PUSH_REGISTRY)/etcd -SELINUX_ENABLED := $(shell cat /sys/fs/selinux/enforce 2> /dev/null || echo 0) - # Install binaries matching base distro permissions BIN_INSTALL := install -m 0555 +# Hosts running SELinux need :z added to volume mounts +SELINUX_ENABLED := $(shell cat /sys/fs/selinux/enforce 2> /dev/null || echo 0) + ifeq ($(SELINUX_ENABLED),1) DOCKER_VOL_OPTS?=:z endif