From 8e90e67eea8547d804f912cd6f165ea08fd24c05 Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Thu, 6 Apr 2017 09:29:36 +0100 Subject: [PATCH 1/8] swarmd: host pid namespace for CNI access to /proc/PID/ns/net Since containers are spawned by containerd (which is in the host PID namespace) and not in the swarmd container's namespace. Signed-off-by: Ian Campbell --- projects/swarmd/swarmd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml index 2302ddb8e..fa4effbc6 100644 --- a/projects/swarmd/swarmd.yml +++ b/projects/swarmd/swarmd.yml @@ -48,6 +48,7 @@ services: - CAP_SYS_CHROOT - CAP_KILL - CAP_AUDIT_WRITE + pid: host net: host binds: - /run/containerd/containerd.sock:/run/containerd/containerd.sock From f5732b2cb55e65429b3e74fe68b705b621631fb1 Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Tue, 11 Apr 2017 10:57:30 +0100 Subject: [PATCH 2/8] swarmd: Add ntpd Follows https://github.com/docker/moby/pull/1576 Signed-off-by: Ian Campbell --- projects/swarmd/swarmd.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml index fa4effbc6..db98c6605 100644 --- a/projects/swarmd/swarmd.yml +++ b/projects/swarmd/swarmd.yml @@ -19,6 +19,15 @@ services: - CAP_SYS_ADMIN oomScoreAdj: -800 readonly: true + - name: ntpd + image: "linuxkit/openntpd:a38eabb308d0405f58894979f8b8031a6c7e1134" + capabilities: + - CAP_SYS_TIME + - CAP_SYS_NICE + - CAP_SYS_CHROOT + - CAP_SETUID + - CAP_SETGID + net: host - name: dhcpcd image: "linuxkit/dhcpcd:2def74ab3f9233b4c09ebb196ba47c27c08b0ed8" binds: From 5b0f92fb9eec3190657d267f4075c19646247214 Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Thu, 11 May 2017 19:00:40 +0100 Subject: [PATCH 3/8] swarmd: Update to latest images (from linuxkit.yml) Signed-off-by: Ian Campbell --- projects/swarmd/swarmd.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) 
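Review bot: `pid: host` lands next to `net: host` on a service that already holds CAP_KILL (two lines above in the hunk), so the service can now signal any process on the host instead of only those in its own namespace, and the YAML says nothing about why that widening is accepted. The justification exists only in the commit message, which is not visible to anyone reading the built configuration, so put it on the line itself: `pid: host  # CNI needs /proc/PID/ns/net of tasks spawned by containerd, which runs in the host PID namespace`. The swarmd service definition and the rest of its capabilities list start before this hunk.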
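Review bot: The new ntpd service sets neither `readonly: true` nor `oomScoreAdj`, whereas the sibling rngd service directly above it (context lines of the hunk) sets both. If openntpd does not need a writable root filesystem — not something the image reference alone confirms — adding `readonly: true` after `net: host` aligns it with its sibling and removes a runtime-modification path; if it does write somewhere, a comment naming that path stops a later reviewer from adding the flag blindly. The grant of CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT is also undocumented; presumably it is for openntpd's privilege separation, and once confirmed a comment such as `# privilege separation: chroot + drop to unprivileged user` above `capabilities:` should say so.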
diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml index db98c6605..aa1a19a1c 100644 --- a/projects/swarmd/swarmd.yml +++ b/projects/swarmd/swarmd.yml @@ -1,11 +1,14 @@ kernel: - image: "mobylinux/kernel:4.9.x" + image: "linuxkit/kernel:4.9.x" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - - "mobylinux/init:c0007f0cdf1ef821a981fcc676e3f1c2dd9ab5b1" + - linuxkit/init:b3740303f3d1e5689a84c87b7dfb48fd2a40a192 + - linuxkit/runc:2649198589ef0020d99f613adaeda45ce0093a38 + - linuxkit/containerd:cf2614f5a96c569a0bd4bd54e054a65ba17d167f + - linuxkit/ca-certificates:3344cdca1bc59fdfa17bd7f0fcbf491b9dbaa288 onboot: - name: sysctl - image: "mobylinux/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" + image: "linuxkit/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c" net: host pid: host ipc: host @@ -14,7 +17,7 @@ onboot: readonly: true services: - name: rngd - image: "mobylinux/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9" + image: "linuxkit/rngd:61a07ced77a9747708223ca16a4aec621eacf518" capabilities: - CAP_SYS_ADMIN oomScoreAdj: -800 From 6c87493ec5721021536198b8b2429cf6e530ebd7 Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Tue, 25 Apr 2017 13:48:09 +0100 Subject: [PATCH 4/8] swarmd: Add metadata service Also update other users of linuxkit/metadata to the newest build while I'm here. Signed-off-by: Ian Campbell --- examples/gcp.yml | 2 +- projects/etcd/etcd.yml | 2 +- projects/etcd/prom-us-central1-f.yml | 2 +- projects/swarmd/swarmd.yml | 9 +++++++++ 4 files changed, 12 insertions(+), 3 deletions(-) diff --git a/examples/gcp.yml b/examples/gcp.yml index 843a80ad1..f2b85b059 100644 --- a/examples/gcp.yml +++ b/examples/gcp.yml @@ -27,7 +27,7 @@ onboot: net: host command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] - name: metadata - image: "linuxkit/metadata:c5567e65e9125f0a4c4b8cb9d56a86377be62652" + image: "linuxkit/metadata:a810b68fec9c9282cf096eed50605ddd6b2f3142" binds: - /dev:/dev - /var:/var 
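Review bot: `image: "linuxkit/kernel:4.9.x"` is the only reference in the first hunk that uses a mutable tag; every init image beneath it is pinned to a content hash, so the kernel is the one component whose bytes can differ between two builds of the same YAML. Either pin it the same way or record the intent on the line, `image: "linuxkit/kernel:4.9.x"  # floating tag: picks up the latest 4.9 build, so rebuilds are not reproducible`. A smaller point of style: the new init entries are plain scalars while every `image:` value stays double-quoted; image references should use one quoting form file-wide.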
diff --git a/projects/etcd/etcd.yml b/projects/etcd/etcd.yml index 184f2371b..2a03210a7 100644 --- a/projects/etcd/etcd.yml +++ b/projects/etcd/etcd.yml @@ -43,7 +43,7 @@ onboot: net: host command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] - name: metadata - image: "linuxkit/metadata:c5567e65e9125f0a4c4b8cb9d56a86377be62652" + image: "linuxkit/metadata:a810b68fec9c9282cf096eed50605ddd6b2f3142" binds: - /dev:/dev - /var:/var diff --git a/projects/etcd/prom-us-central1-f.yml b/projects/etcd/prom-us-central1-f.yml index a4d12e6f3..788e99d4a 100644 --- a/projects/etcd/prom-us-central1-f.yml +++ b/projects/etcd/prom-us-central1-f.yml @@ -27,7 +27,7 @@ onboot: net: host command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] - name: metadata - image: "linuxkit/metadata:c5567e65e9125f0a4c4b8cb9d56a86377be62652" + image: "linuxkit/metadata:a810b68fec9c9282cf096eed50605ddd6b2f3142" binds: - /dev:/dev - /var:/var diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml index aa1a19a1c..69d013c85 100644 --- a/projects/swarmd/swarmd.yml +++ b/projects/swarmd/swarmd.yml @@ -15,6 +15,15 @@ onboot: capabilities: - CAP_SYS_ADMIN readonly: true + - name: metadata + image: "linuxkit/metadata:a810b68fec9c9282cf096eed50605ddd6b2f3142" + binds: + - /dev:/dev + - /var:/var + - /tmp/etc/resolv.conf:/etc/resolv.conf + net: host + capabilities: + - CAP_SYS_ADMIN services: - name: rngd image: "linuxkit/rngd:61a07ced77a9747708223ca16a4aec621eacf518" From 14b0c00133deff656a70b1811b8f4c4f9d0b614a Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Thu, 11 May 2017 19:05:04 +0100 Subject: [PATCH 5/8] swarmd: Switch to oneshot DHCP Signed-off-by: Ian Campbell --- projects/swarmd/swarmd.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml index 69d013c85..bca05be83 100644 --- a/projects/swarmd/swarmd.yml +++ b/projects/swarmd/swarmd.yml 
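Review bot: The metadata onboot container added to swarmd.yml (last hunk on this line) receives CAP_SYS_ADMIN and a `/dev:/dev` bind with no note on why, and it binds `/tmp/etc/resolv.conf`, whose producer is not part of this hunk — at this point in the file dhcpcd is still a `services:` entry, so the file does not show what is expected to have written that path before onboot runs. Suggested comments: above `capabilities:`, `# CAP_SYS_ADMIN + /dev: presumably needed to mount the metadata/config drive — confirm against the image`; on the resolv.conf bind, `# produced by dhcpcd; that step must have run first`. The three metadata image bumps in the other files of this commit are plain version changes and need nothing.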
@@ -15,6 +15,17 @@ onboot: capabilities: - CAP_SYS_ADMIN readonly: true + - name: dhcpcd + image: "linuxkit/dhcpcd:2def74ab3f9233b4c09ebb196ba47c27c08b0ed8" + binds: + - /var:/var + - /tmp/etc:/etc + capabilities: + - CAP_NET_ADMIN + - CAP_NET_BIND_SERVICE + - CAP_NET_RAW + net: host + command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] - name: metadata image: "linuxkit/metadata:a810b68fec9c9282cf096eed50605ddd6b2f3142" binds: @@ -40,17 +51,6 @@ services: - CAP_SETUID - CAP_SETGID net: host - - name: dhcpcd - image: "linuxkit/dhcpcd:2def74ab3f9233b4c09ebb196ba47c27c08b0ed8" - binds: - - /var:/var - - /tmp/etc:/etc - capabilities: - - CAP_NET_ADMIN - - CAP_NET_BIND_SERVICE - - CAP_NET_RAW - net: host - oomScoreAdj: -800 - name: swarmd image: "mobylinux/swarmd:cf11a7626278ebf17efe2780c138b4e626b02c73" command: ["/usr/bin/swarmd", "--containerd-addr=/run/containerd/containerd.sock", "--log-level=debug", "--state-dir=/var/lib/containerd/swarmd"] From 1b31a0ea3b56d0c1de149473473a5d7dbcaa039b Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Thu, 11 May 2017 19:08:48 +0100 Subject: [PATCH 6/8] swarmd: Mount persistent disk on /var/lib/swarmd Signed-off-by: Ian Campbell --- projects/swarmd/swarmd.yml | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml index bca05be83..762e191d2 100644 --- a/projects/swarmd/swarmd.yml +++ b/projects/swarmd/swarmd.yml 
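Review bot: With `-1` in the dhcpcd command the client exits once it holds a lease, and the second hunk removes the long-running dhcpcd service, so after boot nothing remains to renew that lease; the commit title says this is intended, but the assumption belongs in the YAML, e.g. `# oneshot (-1): lease is obtained at boot and never renewed — node lifetime must not exceed it`. The move also silently drops the `oomScoreAdj: -800` the service carried, which is harmless for a short-lived onboot step but deserves a word in the commit text. The `/tmp/etc:/etc` bind appears to be what produces the `/tmp/etc/resolv.conf` the metadata container below consumes, so dhcpcd preceding metadata in `onboot:` is load-bearing and a one-line comment on that ordering would protect it from a later reshuffle.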
@@ -26,6 +26,22 @@ onboot: - CAP_NET_RAW net: host command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] + - name: format + image: "linuxkit/format:d78093e943f9c88386e30c00353f9476d34fb551" + binds: + - /dev:/dev + capabilities: + - CAP_SYS_ADMIN + - CAP_MKNOD + - name: mount + image: "linuxkit/mount:fc7164d7c4e1fe5d1da395c7f949fb332cffe752" + binds: + - /dev:/dev + - /var:/var:rshared,rbind + capabilities: + - CAP_SYS_ADMIN + rootfsPropagation: shared + command: ["/mount.sh", "/var/lib/swarmd"] - name: metadata image: "linuxkit/metadata:a810b68fec9c9282cf096eed50605ddd6b2f3142" binds: @@ -53,7 +69,7 @@ services: net: host - name: swarmd image: "mobylinux/swarmd:cf11a7626278ebf17efe2780c138b4e626b02c73" - command: ["/usr/bin/swarmd", "--containerd-addr=/run/containerd/containerd.sock", "--log-level=debug", "--state-dir=/var/lib/containerd/swarmd"] + command: ["/usr/bin/swarmd", "--containerd-addr=/run/containerd/containerd.sock", "--log-level=debug", "--state-dir=/var/lib/swarmd"] capabilities: - CAP_CHOWN - CAP_DAC_OVERRIDE @@ -74,6 +90,7 @@ services: binds: - /run/containerd/containerd.sock:/run/containerd/containerd.sock - /var/lib/containerd:/var/lib/containerd + - /var/lib/swarmd:/var/lib/swarmd - /etc/resolv.conf:/etc/resolv.conf outputs: - format: kernel+initrd From a28d34f18c2bf1fca82c0d0db91eb61308c7fb3a Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Fri, 12 May 2017 19:37:43 +0100 Subject: [PATCH 7/8] Modernise swarmd pkg build Uses multi stage builds and the tree-sh as tag. Signed-off-by: Ian Campbell --- .../swarmd/{Dockerfile.build => Dockerfile} | 12 +++--- projects/swarmd/swarmd/Dockerfile.pkg | 4 -- projects/swarmd/swarmd/Makefile | 38 ++++--------------- 3 files changed, 13 insertions(+), 41 deletions(-) rename projects/swarmd/swarmd/{Dockerfile.build => Dockerfile} (80%) delete mode 100644 projects/swarmd/swarmd/Dockerfile.pkg 
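Review bot: The `format` container runs with no command or device argument, so which disk it writes to, and whether it leaves a disk that already holds a filesystem alone, is decided entirely by the image's defaults and is invisible in this YAML; on a node with more than one disk that is a destructive ambiguity. Record the intent beside it, e.g. `# formats the image's default target disk — TODO confirm it is a no-op when a filesystem is already present`, and on `mount` note that `/var/lib/swarmd` must match the bind the swarmd service gains in the last hunk of this commit. `rootfsPropagation: shared` together with `/var:/var:rshared,rbind` is what lets the mount become visible outside this container; that pairing is non-obvious enough to warrant its own comment.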
diff --git a/projects/swarmd/swarmd/Dockerfile.build b/projects/swarmd/swarmd/Dockerfile similarity index 80% rename from projects/swarmd/swarmd/Dockerfile.build rename to projects/swarmd/swarmd/Dockerfile index 006b0c6d6..8a86aa577 100644 --- a/projects/swarmd/swarmd/Dockerfile.build +++ b/projects/swarmd/swarmd/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.7-alpine3.5 +FROM golang:1.7-alpine3.5 AS build RUN \ apk update && apk upgrade && \ @@ -10,9 +10,6 @@ RUN \ make \ && true -WORKDIR / -COPY Dockerfile.build Dockerfile.pkg Makefile /build/ - # PR https://github.com/docker/swarmkit/pull/1965 from ijc25/containerd ENV SWARMKIT_PR=1965 ENV SWARMKIT_COMMIT=82e9f43d84e9a0586903392cbe5bbac15fdbf552 @@ -32,5 +29,8 @@ RUN strip /build/dist/usr/bin/swarmd /build/dist/usr/bin/swarmctl RUN cp -r /etc/ssl /build/dist/etc/ssl -WORKDIR /build -CMD ["/bin/tar", "cf", "-", "-C", "dist", "."] +FROM scratch +WORKDIR / +ENTRYPOINT [] +COPY --from=build /build/dist / +CMD ["/usr/bin/swarmd", "--containerd-addr=/run/containerd/containerd.sock", "--log-level=debug", "--state-dir=/var/lib/swarmd"] diff --git a/projects/swarmd/swarmd/Dockerfile.pkg b/projects/swarmd/swarmd/Dockerfile.pkg deleted file mode 100644 index 4af147f72..000000000 --- a/projects/swarmd/swarmd/Dockerfile.pkg +++ /dev/null @@ -1,4 +0,0 @@ -FROM scratch -WORKDIR / -ADD swarmd.tar . -CMD ["/usr/bin/swarmd", "--containerd-addr=/run/containerd/containerd.sock", "--log-level=debug", "--state-dir=/var/lib/swarmd"] diff --git a/projects/swarmd/swarmd/Makefile b/projects/swarmd/swarmd/Makefile index 76ded8798..5b4340b17 100644 --- a/projects/swarmd/swarmd/Makefile +++ b/projects/swarmd/swarmd/Makefile 
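Review bot: `FROM golang:1.7-alpine3.5 AS build` is a mutable tag and the stage runs `apk update && apk upgrade` (context at the top of the second hunk), so what ends up in `COPY --from=build /build/dist /` depends on when the build runs, yet the accompanying Makefile tags the result with the git tree hash of this directory; two builds of the same tree can therefore publish different bytes under the same tag. The swarmkit source is already pinned via `SWARMKIT_COMMIT`, which is the right idea — extend it to the base image, `FROM golang:1.7-alpine3.5@sha256:<DIGEST-placeholder> AS build`, or state in a comment that the tag is not meant to be reproducible. The final `FROM scratch` stage with only `/build/dist` copied in is a welcome reduction of the runtime image; the package-installing `RUN` it depends on begins before the second hunk.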
@@ -1,38 +1,14 @@ -.PHONY: tag push clean container +.PHONY: tag push all: push -SHASUM=alpine:3.5 IMAGE=swarmd -DEPS=Dockerfile.build Makefile -# Include Dockerfile.pkg here so hash works -swarmd.tag: $(DEPS) Dockerfile.pkg - BUILD=$$(tar cf - $^ | docker build -f $< -q -) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && echo "$$BUILD" > $@ +HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}') -swarmd.tar: swarmd.tag - docker run --rm --net=none --log-driver=none $(shell cat swarmd.tag) > $@ +default: push -container: Dockerfile.pkg swarmd.tar - tar cf - $^ | docker build --no-cache -f $< -t $(IMAGE):build - +tag: Dockerfile + docker build -t linuxkit/$(IMAGE):$(HASH) . -hash: $(DEPS) Dockerfile.pkg - find $^ -type f | xargs cat | DOCKER_CONTENT_TRUST=1 docker run --rm -i $(SHASUM) sha1sum | sed 's/ .*//' > $@ - -push: hash container - docker pull mobylinux/$(IMAGE):$(shell cat hash) || \ - (docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \ - docker push mobylinux/$(IMAGE):$(shell cat hash)) - docker rmi $(IMAGE):build - rm -f hash - -tag: hash container - docker pull mobylinux/$(IMAGE):$(shell cat hash) || \ - docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) - docker rmi $(IMAGE):build - rm -f hash - -clean: - rm -f hash - rm -f swarmd.tag swarmd.tar - -.DELETE_ON_ERROR: +push: tag + docker pull linuxkit/$(IMAGE):$(HASH) || docker push linuxkit/$(IMAGE):$(HASH) From 0fb3d1c6e9bc33a29e8e5602d80698faf0a15fb2 Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Fri, 12 May 2017 19:15:42 +0100 Subject: [PATCH 8/8] Updated swarmd commit Signed-off-by: Ian Campbell --- projects/swarmd/swarmd.yml | 2 +- projects/swarmd/swarmd/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml index 762e191d2..431c01654 100644 --- a/projects/swarmd/swarmd.yml +++ b/projects/swarmd/swarmd.yml 
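Review bot: `HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')` takes the tree hash from HEAD rather than the working tree, so an image built from uncommitted edits to the Dockerfile is tagged as if it were the committed tree, and because `push` only pushes when `docker pull` fails, whichever build is pushed first owns that tag permanently. At minimum document this above the assignment: `# tag = committed tree hash of this directory; commit before building or the tag will not describe what was built`. A cheap guard is to make `tag` fail when `git status --porcelain -- .` prints anything. Also, `default:` and `all:` both resolve to `push` but `.PHONY` lists only `tag push`; add `all default` to it.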
@@ -68,7 +68,7 @@ services: - CAP_SETGID net: host - name: swarmd - image: "mobylinux/swarmd:cf11a7626278ebf17efe2780c138b4e626b02c73" + image: "linuxkit/swarmd:a2f57f14f07fb6d7cded7832b2dabe878b28554e" command: ["/usr/bin/swarmd", "--containerd-addr=/run/containerd/containerd.sock", "--log-level=debug", "--state-dir=/var/lib/swarmd"] capabilities: - CAP_CHOWN diff --git a/projects/swarmd/swarmd/Dockerfile b/projects/swarmd/swarmd/Dockerfile index 8a86aa577..94c6d6605 100644 --- a/projects/swarmd/swarmd/Dockerfile +++ b/projects/swarmd/swarmd/Dockerfile @@ -12,7 +12,7 @@ RUN \ # PR https://github.com/docker/swarmkit/pull/1965 from ijc25/containerd ENV SWARMKIT_PR=1965 -ENV SWARMKIT_COMMIT=82e9f43d84e9a0586903392cbe5bbac15fdbf552 +ENV SWARMKIT_COMMIT=321b9c6600a9422c3245b277a1b3ae599244d4b7 RUN mkdir -p $GOPATH/src/github.com/docker && \ cd $GOPATH/src/github.com/docker && \