From ce90b83689f08cb5ebb6b632dab7f95a48060425 Mon Sep 17 00:00:00 2001
From: Brendan Burns
Date: Fri, 13 Nov 2015 20:03:15 +0000
Subject: [PATCH] Update some flags
---
 cluster/images/hyperkube/Dockerfile | 7 +++
 cluster/images/hyperkube/Makefile | 3 +-
 cluster/images/hyperkube/master-multi.json | 3 ++
 cluster/images/hyperkube/master.json | 48 +++++++++++++++++++--
 cluster/images/hyperkube/setup-files.sh | 43 +++++++++++++++++++
 cluster/images/hyperkube/teardown.sh | 31 ++++++++++++++
 cluster/images/hyperkube/turnup.sh | 50 ++++++++++++++++++++++
 docs/getting-started-guides/docker.md | 6 +--
 pkg/util/mount/nsenter_mount.go | 1 +
 9 files changed, 185 insertions(+), 7 deletions(-)
 create mode 100644 cluster/images/hyperkube/setup-files.sh
 create mode 100755 cluster/images/hyperkube/teardown.sh
 create mode 100755 cluster/images/hyperkube/turnup.sh
diff --git a/cluster/images/hyperkube/Dockerfile b/cluster/images/hyperkube/Dockerfile
index 8ea5bb63da8..853e7c7871e 100644
--- a/cluster/images/hyperkube/Dockerfile
+++ b/cluster/images/hyperkube/Dockerfile
@@ -8,6 +8,7 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update -y \
 file \
 util-linux \
 socat \
+ curl \
 && DEBIAN_FRONTEND=noninteractive apt-get autoremove -y \
 && DEBIAN_FRONTEND=noninteractive apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
@@ -21,3 +22,9 @@ COPY master.json /etc/kubernetes/manifests/master.json
 COPY safe_format_and_mount /usr/share/google/safe_format_and_mount
 RUN chmod a+rx /usr/share/google/safe_format_and_mount
+
+COPY setup-files.sh /setup-files.sh
+RUN chmod a+rx /setup-files.sh
+
+COPY make-ca-cert.sh /make-ca-cert.sh
+RUN chmod a+x /make-ca-cert.sh
diff --git a/cluster/images/hyperkube/Makefile b/cluster/images/hyperkube/Makefile
index 47304fc03a9..5b9c47282ea 100644
--- a/cluster/images/hyperkube/Makefile
+++ b/cluster/images/hyperkube/Makefile
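Review bot: `RUN chmod a+x /make-ca-cert.sh` at the end of the second Dockerfile hunk gives the new script a different mode from the `a+rx` used for /setup-files.sh and safe_format_and_mount just above it; `RUN chmod a+rx /make-ca-cert.sh` keeps the three consistent and lets non-root users read the script as well as execute it. The same hunk copies make-ca-cert.sh, which is not kept in this directory but fetched at build time by the Makefile, so a comment such as `# make-ca-cert.sh is copied into this directory by the Makefile from ../../saltbase/salt/generate-cert/` would save the next reader a search.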
@@ -1,9 +1,10 @@
 # build the hyperkube image.
-VERSION=v1.0.1
+VERSION=v1.1.1
 all:
 cp ../../saltbase/salt/helpers/safe_format_and_mount .
+ cp ../../saltbase/salt/generate-cert/make-ca-cert.sh .
 curl -O https://storage.googleapis.com/kubernetes-release/release/${VERSION}/bin/linux/amd64/hyperkube
 sed -i "s/VERSION/${VERSION}/g" master-multi.json master.json
 docker build -t gcr.io/google_containers/hyperkube:${VERSION} .
diff --git a/cluster/images/hyperkube/master-multi.json b/cluster/images/hyperkube/master-multi.json
index 53c1aec5431..17a555c749b 100644
--- a/cluster/images/hyperkube/master-multi.json
+++ b/cluster/images/hyperkube/master-multi.json
@@ -12,6 +12,8 @@
 "/hyperkube",
 "controller-manager",
 "--master=127.0.0.1:8080",
+ "--terminated-pod-gc-threshold=100",
+ "--min-resync-period=3m",
 "--v=2"
 ]
 },
@@ -25,6 +27,7 @@
 "--address=0.0.0.0",
 "--etcd-servers=http://127.0.0.1:4001",
 "--cluster-name=kubernetes",
+ "--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota",
 "--v=2"
 ]
 },
diff --git a/cluster/images/hyperkube/master.json b/cluster/images/hyperkube/master.json
index 9a89ee3ed97..0cd1b52ed64 100644
--- a/cluster/images/hyperkube/master.json
+++ b/cluster/images/hyperkube/master.json
@@ -12,8 +12,17 @@
 "/hyperkube",
 "controller-manager",
 "--master=127.0.0.1:8080",
+ "--min-resync-period=3m",
+ "--service-account-private-key-file=/srv/kubernetes/server.key",
+ "--root-ca-file=/srv/kubernetes/ca.crt",
 "--v=2"
- ]
+ ],
+ "volumeMounts": [
+ {
+ "name": "data",
+ "mountPath": "/srv/kubernetes"
+ }
+ ]
 },
 {
 "name": "apiserver",
@@ -25,8 +34,22 @@
 "--address=127.0.0.1",
 "--etcd-servers=http://127.0.0.1:4001",
 "--cluster-name=kubernetes",
- "--v=2"
- ]
+ "--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ResourceQuota",
+ "--client-ca-file=/srv/kubernetes/ca.crt",
+ "--basic-auth-file=/srv/kubernetes/basic_auth.csv",
+ "--min-request-timeout=300",
+ "--tls-cert-file=/srv/kubernetes/server.cert",
+ "--tls-private-key-file=/srv/kubernetes/server.key",
+ "--token-auth-file=/srv/kubernetes/known_tokens.csv",
+ "--allow-privileged=True",
+ "--v=4"
+ ],
+ "volumeMounts": [
+ {
+ "name": "data",
+ "mountPath": "/srv/kubernetes"
+ }
+ ]
 },
 {
 "name": "scheduler",
@@ -37,6 +60,25 @@
 "--master=127.0.0.1:8080",
 "--v=2"
 ]
+ },
+ {
+ "name": "setup",
+ "image": "gcr.io/google_containers/hyperkube:VERSION",
+ "command": [
+ "/setup-files.sh"
+ ],
+ "volumeMounts": [
+ {
+ "name": "data",
+ "mountPath": "/data"
+ }
+ ]
+ }
+ ],
+ "volumes": [
+ {
+ "name": "data",
+ "emptyDir": {}
 }
 ]
 }
diff --git a/cluster/images/hyperkube/setup-files.sh b/cluster/images/hyperkube/setup-files.sh
new file mode 100644
index 00000000000..a9d716a9a4c
--- /dev/null
+++ b/cluster/images/hyperkube/setup-files.sh
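Review bot: The apiserver's new `--admission-control` list in this hunk omits ServiceAccount, while the parallel hunk in master-multi.json enables `NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota`; since the controller-manager in this same file is now given `--service-account-private-key-file` and `--root-ca-file` precisely so it can mint service-account tokens, the omission looks accidental and would presumably leave pods on this single-node master without service-account tokens. Aligning the line with master-multi.json, `"--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota",`, closes the gap. The same hunk enables `--basic-auth-file` and `--token-auth-file` together with `--allow-privileged=True` on the TLS port, so whatever credentials end up in basic_auth.csv and known_tokens.csv grant privileged-capable API access to anyone who can reach the server and must be generated, not fixed.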
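Review bot: The `setup` container added in the last hunk runs concurrently with apiserver and controller-manager, which reference ca.crt, server.key, basic_auth.csv and known_tokens.csv under /srv/kubernetes from their very first start; until /setup-files.sh has written those files the two containers will presumably exit and depend on kubelet restarts to recover, and nothing in the manifest records that this crash-loop is expected. JSON has no comments, so the ordering assumption should be stated in setup-files.sh or docker.md, e.g. "apiserver and controller-manager restart until the setup container has populated the shared data volume". Because `data` is an `emptyDir`, each recreation of the pod also produces a fresh CA, server key and token set, invalidating any kubeconfig or token handed out earlier; acceptable for a throwaway test cluster, but worth documenting alongside.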
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is intended to set up the files necessary to run a master.
+# It currently creates:
+# * The basic auth file for access to the kubernetes api server
+# * Service tokens for accessing the kubernetes api server
+# * The CA cert and keys for HTTPS access to the kubernetes api server
+set -o errexit
+set -o nounset
+set -o pipefail
+
+create_token() {
+ echo $(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null)
+}
+
+# Create basic token authorization
+echo "admin,admin,admin" > /data/basic_auth.csv
+
+# Create HTTPS certificates
+CERT_DIR=/data /make-ca-cert.sh $(hostname -i)
+
+# Create known tokens for service accounts
+echo "$(create_token),admin,admin" >> /data/known_tokens.csv
+echo "$(create_token),kubelet,kubelet" >> /data/known_tokens.csv
+echo "$(create_token),kube_proxy,kube_proxy" >> /data/known_tokens.csv
+
+while true; do
+ sleep 3600
+done
diff --git a/cluster/images/hyperkube/teardown.sh b/cluster/images/hyperkube/teardown.sh
new file mode 100755
index 00000000000..f94a8a1041a
--- /dev/null
+++ b/cluster/images/hyperkube/teardown.sh
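Review bot: `echo "admin,admin,admin" > /data/basic_auth.csv` hard-codes the password `admin` for the admin user, and master.json hands this file to the apiserver's `--basic-auth-file` on the TLS port next to `--allow-privileged=True`, so anything that can reach the API server authenticates with a well-known credential; the script already has `create_token`, so `echo "$(create_token),admin,admin" > /data/basic_auth.csv` gives basic auth the same random secret as the tokens, and the operator reads the value back from the file. `create_token` is also not guaranteed to yield 32 characters: `dd bs=32 count=1` on a pipe performs one read() and returns whatever the pipe delivered, which may be shorter, so `head -c 32` is the dependable replacement. The header comment says the script creates "Service tokens", but the three known_tokens.csv entries are bearer tokens for the admin, kubelet and kube_proxy users, not pod service accounts (those are minted by the controller-manager key master.json now passes), so rewording that bullet to "Bearer tokens for the admin, kubelet and kube_proxy users" avoids confusion.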
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Tears down an existing cluster. Warning destroys _all_ docker containers on the machine
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+echo "Warning, this will delete all Docker containers on this machine."
+echo "Proceed? [Y/n]"
+
+read resp
+if [[ $resp == "n" || $resp == "N" ]]; then
+ exit 0
+fi
+
+docker ps -aq | xargs docker rm -f
diff --git a/cluster/images/hyperkube/turnup.sh b/cluster/images/hyperkube/turnup.sh
new file mode 100755
index 00000000000..14b1b520a7f
--- /dev/null
+++ b/cluster/images/hyperkube/turnup.sh
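Review bot: `read resp` followed by `if [[ $resp == "n" || $resp == "N" ]]` makes the destructive path the default: pressing Enter, or feeding the script an empty line from a pipe, proceeds to `docker rm -f` every container on the host, and the `[Y/n]` prompt advertises exactly that. For an action whose own comment warns it destroys all containers, defaulting to abort is the safer shape: `echo "Proceed? [y/N]"`, `read -r resp`, `if [[ $resp != "y" && $resp != "Y" ]]; then exit 0; fi`. The final `docker ps -aq | xargs docker rm -f` also invokes `docker rm -f` with no arguments when there are no containers, which fails and under `set -o errexit` makes the script exit non-zero; `xargs -r` (GNU) or collecting the ids first and testing `[[ -n "$ids" ]]` avoids the spurious failure.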
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Useful for testing images and changes, turns up a fresh single node cluster
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+docker run --net=host -d gcr.io/google_containers/etcd:2.2.1 \
+ /usr/local/bin/etcd \
+ --addr=127.0.0.1:4001 \
+ --bind-addr=0.0.0.0:4001 \
+ --data-dir=/var/etcd/data
+
+docker run --pid=host \
+ --volume=/:/rootfs:ro \
+ --volume=/sys:/sys:ro \
+ --volume=/dev:/dev \
+ --volume=/var/lib/docker/:/var/lib/docker:rw \
+ --volume=/var/lib/kubelet/:/var/lib/kubelet:rw \
+ --volume=/var/run:/var/run:rw \
+ --net=host \
+ --pid=host \
+ --privileged=true \
+ -d gcr.io/google_containers/hyperkube:v${K8S_VERSION} \
+ /hyperkube kubelet \
+ --containerized \
+ --hostname-override="127.0.0.1" \
+ --address="0.0.0.0" \
+ --api-servers=http://localhost:8080 \
+ --config=/etc/kubernetes/manifests --v=10
+
+docker run -d --net=host --privileged \
+ gcr.io/google_containers/hyperkube:v${K8S_VERSION} \
+ /hyperkube proxy \
+ --master=http://127.0.0.1:8080 --v=2
diff --git a/docs/getting-started-guides/docker.md b/docs/getting-started-guides/docker.md
index b320925de6a..e5e272c2bb2 100644
--- a/docs/getting-started-guides/docker.md
+++ b/docs/getting-started-guides/docker.md
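Review bot: `--bind-addr=0.0.0.0:4001` on the etcd container, combined with `--net=host`, exposes the unauthenticated etcd client port on every interface of the host, while the only consumer in this setup (the apiserver in master.json) reaches it via `--etcd-servers=http://127.0.0.1:4001`; `--bind-addr=127.0.0.1:4001` is sufficient for this single-node test script and keeps the cluster state off the network. `${K8S_VERSION}` is used twice but never checked; with `set -o nounset` an unset variable aborts with bash's generic error, so a guard after the `set -o` lines such as `: "${K8S_VERSION:?set K8S_VERSION to the release to run, e.g. 1.1.1}"` gives a usable message. The kubelet `docker run` also passes `--pid=host` twice (once on the first line, once before `--privileged=true`); one occurrence can go.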
@@ -84,7 +84,7 @@ parameters as follows:
 ```
 4. Decide what Kubernetes version to use. Set the `${K8S_VERSION}` variable to
- a value such as "1.0.7".
+ a value such as "1.1.1".
 ### Step One: Run etcd
@@ -124,8 +124,8 @@ At this point you should have a running Kubernetes cluster. You can test this by downloading the kubectl binary for `${K8S_VERSION}` (look at the URL in the following links) and make it available by editing your PATH environment variable.
-([OS X](http://storage.googleapis.com/kubernetes-release/release/v1.0.7/bin/darwin/amd64/kubectl))
-([linux](http://storage.googleapis.com/kubernetes-release/release/v1.0.7/bin/linux/amd64/kubectl))
+([OS X](http://storage.googleapis.com/kubernetes-release/release/v1.1.1/bin/darwin/amd64/kubectl))
+([linux](http://storage.googleapis.com/kubernetes-release/release/v1.1.1/bin/linux/amd64/kubectl))
 For example, OS X:
diff --git a/pkg/util/mount/nsenter_mount.go b/pkg/util/mount/nsenter_mount.go
index c22863971aa..6735c024cd3 100644
--- a/pkg/util/mount/nsenter_mount.go
+++ b/pkg/util/mount/nsenter_mount.go
@@ -176,6 +176,7 @@ func (n *NsenterMounter) IsLikelyNotMountPoint(file string) (bool, error) {
 exec := exec.New()
 out, err := exec.Command(nsenterPath, args...).CombinedOutput()
 if err != nil {
+ glog.Errorf("Failed to nsenter mount, return file doesn't exist: %v", err)
 // If the command itself is correct, then if we encountered error
 // then most likely this means that the directory does not exist.
 return true, os.ErrNotExist
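Review bot: The new `glog.Errorf` in the nsenter_mount.go hunk logs only `err` and drops `out`, the combined stdout/stderr that `CombinedOutput()` captured on the preceding line and the one piece of information that separates "directory does not exist" from a broken nsenter invocation; `glog.Errorf("Failed to nsenter mount, return file doesn't exist: %v, output: %q", err, string(out))` keeps the diagnostic. The comment directly below says a failure here most likely just means the path does not exist, which is a normal outcome for this function, so logging it at Error level is likely to be noisy on every probe of an absent path; `glog.V(2).Infof` with the same message matches the expected-case nature of the branch. IsLikelyNotMountPoint starts and ends outside the hunk.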