Update some flags

cluster/images/hyperkube/Dockerfile

@@ -8,6 +8,7 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update -y \
     file \
     util-linux \
     socat \
+    curl \
     && DEBIAN_FRONTEND=noninteractive apt-get autoremove -y \
     && DEBIAN_FRONTEND=noninteractive apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
@@ -21,3 +22,9 @@ COPY master.json /etc/kubernetes/manifests/master.json
 
 COPY safe_format_and_mount /usr/share/google/safe_format_and_mount
 RUN chmod a+rx /usr/share/google/safe_format_and_mount
+
+COPY setup-files.sh /setup-files.sh
+RUN chmod a+rx /setup-files.sh
+
+COPY make-ca-cert.sh /make-ca-cert.sh
+RUN chmod a+x /make-ca-cert.sh

cluster/images/hyperkube/Makefile

@@ -1,9 +1,10 @@
 # build the hyperkube image.
 
-VERSION=v1.0.1
+VERSION=v1.1.1
 
 all:
 	cp ../../saltbase/salt/helpers/safe_format_and_mount .
+	cp ../../saltbase/salt/generate-cert/make-ca-cert.sh  .
 	curl -O https://storage.googleapis.com/kubernetes-release/release/${VERSION}/bin/linux/amd64/hyperkube
 	sed -i "s/VERSION/${VERSION}/g" master-multi.json master.json
 	docker build -t gcr.io/google_containers/hyperkube:${VERSION} .

cluster/images/hyperkube/master-multi.json

@@ -12,6 +12,8 @@
               "/hyperkube",
               "controller-manager",
               "--master=127.0.0.1:8080",
+              "--terminated-pod-gc-threshold=100",
+              "--min-resync-period=3m",
               "--v=2"
         ]
     },
@@ -25,6 +27,7 @@
               "--address=0.0.0.0",
               "--etcd-servers=http://127.0.0.1:4001",
               "--cluster-name=kubernetes",
+              "--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota",
               "--v=2"
         ]
     },

cluster/images/hyperkube/master.json

@@ -12,8 +12,17 @@
               "/hyperkube",
               "controller-manager",
               "--master=127.0.0.1:8080",
+              "--min-resync-period=3m",
+              "--service-account-private-key-file=/srv/kubernetes/server.key",
+              "--root-ca-file=/srv/kubernetes/ca.crt",
               "--v=2"
-        ]
+        ],
+      "volumeMounts": [
+        {
+          "name": "data",
+          "mountPath": "/srv/kubernetes"
+        }
+      ]
     },
     {
       "name": "apiserver",
@@ -25,8 +34,22 @@
               "--address=127.0.0.1",
               "--etcd-servers=http://127.0.0.1:4001",
               "--cluster-name=kubernetes",
-              "--v=2"
+              "--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ResourceQuota",
-        ]
+              "--client-ca-file=/srv/kubernetes/ca.crt",
+              "--basic-auth-file=/srv/kubernetes/basic_auth.csv",
+              "--min-request-timeout=300",
+              "--tls-cert-file=/srv/kubernetes/server.cert",
+              "--tls-private-key-file=/srv/kubernetes/server.key",
+              "--token-auth-file=/srv/kubernetes/known_tokens.csv",
+              "--allow-privileged=True",
+              "--v=4"
+        ],
+      "volumeMounts": [
+        {
+          "name": "data",
+          "mountPath": "/srv/kubernetes"
+        }
+      ]
     },
     {
       "name": "scheduler",
@@ -37,6 +60,25 @@
               "--master=127.0.0.1:8080",
               "--v=2"
         ]
+    },
+    {
+      "name": "setup",
+      "image": "gcr.io/google_containers/hyperkube:VERSION",
+      "command": [
+              "/setup-files.sh"
+      ],
+      "volumeMounts": [
+        {
+          "name": "data",
+          "mountPath": "/data"
+        }
+      ]
+    }
+  ],
+  "volumes": [
+    {
+      "name": "data",
+      "emptyDir": {}
     }
   ]
  }

cluster/images/hyperkube/setup-files.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is intended to set up the files necessary to run a master.
+# It currently creates:
+#  * The basic auth file for access to the kubernetes api server
+#  * Service tokens for accessing the kubernetes api server
+#  * The CA cert and keys for HTTPS access to the kubernetes api server
+set -o errexit
+set -o nounset
+set -o pipefail
+
+create_token() {
+  echo $(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null)
+}
+
+# Create basic token authorization
+echo "admin,admin,admin" > /data/basic_auth.csv
+
+# Create HTTPS certificates
+CERT_DIR=/data /make-ca-cert.sh $(hostname -i)
+
+# Create known tokens for service accounts
+echo "$(create_token),admin,admin" >> /data/known_tokens.csv
+echo "$(create_token),kubelet,kubelet" >> /data/known_tokens.csv
+echo "$(create_token),kube_proxy,kube_proxy" >> /data/known_tokens.csv
+
+while true; do
+  sleep 3600
+done

cluster/images/hyperkube/teardown.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Tears down an existing cluster.  Warning destroys _all_ docker containers on the machine
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+echo "Warning, this will delete all Docker containers on this machine."
+echo "Proceed? [Y/n]"
+
+read resp
+if [[ $resp == "n" || $resp == "N" ]]; then
+  exit 0
+fi
+
+docker ps -aq | xargs docker rm -f

cluster/images/hyperkube/turnup.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Useful for testing images and changes, turns up a fresh single node cluster
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+docker run --net=host -d gcr.io/google_containers/etcd:2.2.1 \
+  /usr/local/bin/etcd \
+    --addr=127.0.0.1:4001 \
+    --bind-addr=0.0.0.0:4001 \
+    --data-dir=/var/etcd/data
+
+docker run --pid=host \
+  --volume=/:/rootfs:ro \
+  --volume=/sys:/sys:ro \
+  --volume=/dev:/dev \
+  --volume=/var/lib/docker/:/var/lib/docker:rw \
+  --volume=/var/lib/kubelet/:/var/lib/kubelet:rw \
+  --volume=/var/run:/var/run:rw \
+  --net=host \
+  --pid=host \
+  --privileged=true \
+  -d gcr.io/google_containers/hyperkube:v${K8S_VERSION} \
+  /hyperkube kubelet \
+    --containerized \
+    --hostname-override="127.0.0.1" \
+    --address="0.0.0.0" \
+    --api-servers=http://localhost:8080 \
+    --config=/etc/kubernetes/manifests --v=10
+
+docker run -d --net=host --privileged \
+  gcr.io/google_containers/hyperkube:v${K8S_VERSION} \
+  /hyperkube proxy \
+    --master=http://127.0.0.1:8080 --v=2

docs/getting-started-guides/docker.md

@@ -84,7 +84,7 @@ parameters as follows:
     ```
 
 4. Decide what Kubernetes version to use.  Set the `${K8S_VERSION}` variable to
-   a value such as "1.0.7".
+   a value such as "1.1.1".
 
 ### Step One: Run etcd
 
@@ -124,8 +124,8 @@ At this point you should have a running Kubernetes cluster.  You can test this
 by downloading the kubectl binary for `${K8S_VERSION}` (look at the URL in the
 following links) and make it available by editing your PATH environment
 variable.
-([OS X](http://storage.googleapis.com/kubernetes-release/release/v1.0.7/bin/darwin/amd64/kubectl))
+([OS X](http://storage.googleapis.com/kubernetes-release/release/v1.1.1/bin/darwin/amd64/kubectl))
-([linux](http://storage.googleapis.com/kubernetes-release/release/v1.0.7/bin/linux/amd64/kubectl))
+([linux](http://storage.googleapis.com/kubernetes-release/release/v1.1.1/bin/linux/amd64/kubectl))
 
 For example, OS X:
 

pkg/util/mount/nsenter_mount.go

@@ -176,6 +176,7 @@ func (n *NsenterMounter) IsLikelyNotMountPoint(file string) (bool, error) {
 	exec := exec.New()
 	out, err := exec.Command(nsenterPath, args...).CombinedOutput()
 	if err != nil {
+		glog.Errorf("Failed to nsenter mount, return file doesn't exist: %v", err)
 		// If the command itself is correct, then if we encountered error
 		// then most likely this means that the directory does not exist.
 		return true, os.ErrNotExist