From 6d495fc92f12e37818901f95f0f0eac1a80c6a4a Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Wed, 5 Apr 2017 16:36:29 +0100
Subject: [PATCH 1/5] swarmd: allow all capabilities
The existing set was randomly rather than carefully chosen, lets just be honest and use "all" until the proper set can be determined.
Signed-off-by: Ian Campbell
---
 projects/swarmd/swarmd.yml | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml
index f5e164723..2548f0a3d 100644
--- a/projects/swarmd/swarmd.yml
+++ b/projects/swarmd/swarmd.yml
@@ -32,20 +32,7 @@ services:
 image: "linuxkit/swarmd:a2f57f14f07fb6d7cded7832b2dabe878b28554e"
 command: ["/usr/bin/swarmd", "--containerd-addr=/run/containerd/containerd.sock", "--log-level=debug", "--state-dir=/var/lib/swarmd"]
 capabilities:
- - CAP_CHOWN
- - CAP_DAC_OVERRIDE
- - CAP_FSETID
- - CAP_FOWNER
- - CAP_MKNOD
- - CAP_NET_RAW
- - CAP_SETGID
- - CAP_SETUID
- - CAP_SETFCAP
- - CAP_SETPCAP
- - CAP_NET_BIND_SERVICE
- - CAP_SYS_CHROOT
- - CAP_KILL
- - CAP_AUDIT_WRITE
+ - all
 pid: host
 net: host
 binds:
From 5cc219cf7227ef1be4aa5a0cbf50369e3ce1b691 Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Wed, 24 May 2017 15:14:42 +0100
Subject: [PATCH 2/5] swarmd: Modernize build
Uses the alpine base container. Networking is not disabled because we still clone at build time. No swarmd.yml update because the commit referenced here no longer exists in the upstream repo after a force push. This will change in the next commit.
Signed-off-by: Ian Campbell
---
 projects/swarmd/swarmd/Dockerfile | 22 ++++++++++++++++------
 projects/swarmd/swarmd/Makefile | 5 +++--
 2 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/projects/swarmd/swarmd/Dockerfile b/projects/swarmd/swarmd/Dockerfile
index 94c6d6605..404ef382a 100644
--- a/projects/swarmd/swarmd/Dockerfile
+++ b/projects/swarmd/swarmd/Dockerfile
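Review bot: The new `- all` entry carries no comment, so the rationale in the commit message (the old list was not carefully chosen and `all` is a stand-in until the real set is known) is invisible to anyone reading swarmd.yml later; combined with the `pid: host` and `net: host` context lines in the same hunk, this leaves the service with very little isolation and nothing in the file marking that as temporary. A comment above the entry would keep the intent and the follow-up visible, e.g. `# TODO: placeholder until the required capability set is determined; narrow this`. The list removed in this hunk is the natural starting point for that narrowing, so the comment could also point at commit 6d495fc where it was dropped.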
@@ -1,4 +1,4 @@
-FROM golang:1.7-alpine3.5 AS build
+FROM linuxkit/alpine:630ee558e4869672fae230c78364e367b8ea67a9 AS build
 RUN \
 apk update && apk upgrade && \
@@ -6,10 +6,13 @@ RUN \
 ca-certificates \
 gcc \
 git \
+ go \
 libc-dev \
 make \
 && true
+ENV GOPATH=/root/go
+
 # PR https://github.com/docker/swarmkit/pull/1965 from ijc25/containerd
 ENV SWARMKIT_PR=1965
 ENV SWARMKIT_COMMIT=321b9c6600a9422c3245b277a1b3ae599244d4b7
@@ -23,14 +26,21 @@ RUN git checkout $SWARMKIT_COMMIT
 RUN make binaries GO_GCFLAGS="-buildmode pie --ldflags '-extldflags \"-fno-PIC -static\"'"
-RUN mkdir -p /build/dist/usr/bin/ /build/dist/etc
-RUN cp bin/swarmd bin/swarmctl /build/dist/usr/bin/
-RUN strip /build/dist/usr/bin/swarmd /build/dist/usr/bin/swarmctl
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+ alpine-baselayout \
+ busybox \
+ ca-certificates \
+ iptables \
+ musl \
+ util-linux
-RUN cp -r /etc/ssl /build/dist/etc/ssl
+RUN mkdir -p /out/usr/bin/ /out/etc
+RUN cp bin/swarmd bin/swarmctl /out/usr/bin/
+RUN strip /out/usr/bin/swarmd /out/usr/bin/swarmctl
 FROM scratch
 WORKDIR /
 ENTRYPOINT []
-COPY --from=build /build/dist /
+COPY --from=build /out /
 CMD ["/usr/bin/swarmd", "--containerd-addr=/run/containerd/containerd.sock", "--log-level=debug", "--state-dir=/var/lib/swarmd"]
diff --git a/projects/swarmd/swarmd/Makefile b/projects/swarmd/swarmd/Makefile
index 5b4340b17..13ae4dd66 100644
--- a/projects/swarmd/swarmd/Makefile
+++ b/projects/swarmd/swarmd/Makefile
@@ -1,6 +1,7 @@
 .PHONY: tag push
 all: push
+ORG?=linuxkit
 IMAGE=swarmd
 HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
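Review bot: The packages installed into the runtime root in the third Dockerfile hunk (`apk add --no-cache --initdb -p /out alpine-baselayout busybox ca-certificates iptables musl util-linux`) are unpinned, so what ends up in the final `scratch` image depends on the repository state at build time even though the build stage itself is pinned to `linuxkit/alpine:630ee558…`; whether that base fixes the package set is not visible from the hunk. Either pin each package (`name=version-rN`) or record where the pin comes from, e.g. `# package versions are fixed by the pinned linuxkit/alpine base; bump the FROM hash to update them`. The `cp -r /etc/apk/* /out/etc/apk/` line just above also ships the build stage's repository configuration and signing keys in the runtime image; if nothing there runs apk afterwards, removing `/out/etc/apk` in the same `RUN` keeps them out. The following `RUN mkdir -p /out/usr/bin/ /out/etc` re-creates `/out/etc`, which the apk step already made, and the three trailing `RUN` lines could be one layer.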
@@ -8,7 +9,7 @@ HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
 default: push
 tag: Dockerfile
- docker build -t linuxkit/$(IMAGE):$(HASH) .
+ docker build --no-cache -t $(ORG)/$(IMAGE):$(HASH) .
 push: tag
- docker pull linuxkit/$(IMAGE):$(HASH) || docker push linuxkit/$(IMAGE):$(HASH)
+ docker pull $(ORG)/$(IMAGE):$(HASH) || docker push $(ORG)/$(IMAGE):$(HASH)
From 04c7bae77ed47314af88de5124fa2c9be8ca2a50 Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Wed, 24 May 2017 14:24:38 +0100
Subject: [PATCH 3/5] swarmd: Build from my WIP branch
This is much more functional (includes networking). Requires switching to an alpine base because CNI networking backends (such as weave) can expect iptables binaries to be present, or may want to shell out to scripts etc.
Signed-off-by: Ian Campbell
---
 projects/swarmd/swarmd.yml | 2 +-
 projects/swarmd/swarmd/Dockerfile | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml
index 2548f0a3d..e68ced597 100644
--- a/projects/swarmd/swarmd.yml
+++ b/projects/swarmd/swarmd.yml
@@ -29,7 +29,7 @@ services:
 - name: ntpd
 image: "linuxkit/openntpd:45deeb05f736162d941c9bf494983f655ab80aa5"
 - name: swarmd
- image: "linuxkit/swarmd:a2f57f14f07fb6d7cded7832b2dabe878b28554e"
+ image: "linuxkit/swarmd:1002422b78339a767559058d704b086889e90447"
 command: ["/usr/bin/swarmd", "--containerd-addr=/run/containerd/containerd.sock", "--log-level=debug", "--state-dir=/var/lib/swarmd"]
 capabilities:
 - all
diff --git a/projects/swarmd/swarmd/Dockerfile b/projects/swarmd/swarmd/Dockerfile
index 404ef382a..08d060f6a 100644
--- a/projects/swarmd/swarmd/Dockerfile
+++ b/projects/swarmd/swarmd/Dockerfile
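Review bot: `docker build --no-cache` in the `tag` rule has no comment explaining why caching is disabled, and a flag that forces every build to start from scratch is exactly the kind a later maintainer removes without knowing the cost. Presumably it is there because the Dockerfile clones swarmkit over the network at build time, as the commit message notes, so a cached layer could mask a moved branch; if so, `# --no-cache: the Dockerfile fetches swarmkit at build time, so cached layers may be stale` above the recipe would record it.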
@@ -13,15 +13,16 @@ RUN \
 ENV GOPATH=/root/go
-# PR https://github.com/docker/swarmkit/pull/1965 from ijc25/containerd
-ENV SWARMKIT_PR=1965
-ENV SWARMKIT_COMMIT=321b9c6600a9422c3245b277a1b3ae599244d4b7
+# https://github.com/ijc25/swarmkit/tree/containerd-wip
+ENV SWARMKIT_REPO=https://github.com/ijc25/swarmkit
+ENV SWARMKIT_BRANCH=containerd-wip
+ENV SWARMKIT_COMMIT=cb429323fa86df0c279a8d629e674f79a20e01e3
 RUN mkdir -p $GOPATH/src/github.com/docker && \
 cd $GOPATH/src/github.com/docker && \
- git clone https://github.com/docker/swarmkit.git
+ git clone $SWARMKIT_REPO
 WORKDIR $GOPATH/src/github.com/docker/swarmkit
-RUN [ -z "$SWARMKIT_PR" ] || git fetch origin pull/$SWARMKIT_PR/head
+RUN [ -z "$SWARMKIT_BRANCH" ] || git fetch origin $SWARMKIT_BRANCH
 RUN git checkout $SWARMKIT_COMMIT
 RUN make binaries GO_GCFLAGS="-buildmode pie --ldflags '-extldflags \"-fno-PIC -static\"'"
From 36d3445258086bec9a9e6c965d42e0a3902ae9cc Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Wed, 31 May 2017 17:59:35 +0100
Subject: [PATCH 4/5] swarmd: do not need explicit host net namespace anymore
Signed-off-by: Ian Campbell
---
 projects/swarmd/swarmd.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml
index e68ced597..cc61a28b9 100644
--- a/projects/swarmd/swarmd.yml
+++ b/projects/swarmd/swarmd.yml
@@ -34,7 +34,6 @@ services:
 capabilities:
 - all
 pid: host
-net: host
 binds:
 - /run/containerd/containerd.sock:/run/containerd/containerd.sock
 - /var/lib/containerd:/var/lib/containerd
From 183d692e0002d7697f2dd362095a9c26ebff6611 Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Fri, 12 May 2017 00:17:22 +0100
Subject: [PATCH 5/5] swarmd: Enable ip_forward
Signed-off-by: Ian Campbell
---
 projects/swarmd/swarmd.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/projects/swarmd/swarmd.yml b/projects/swarmd/swarmd.yml
index cc61a28b9..25eb41670 100644
--- a/projects/swarmd/swarmd.yml
+++ b/projects/swarmd/swarmd.yml
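Review bot: `SWARMKIT_COMMIT` is now the only thing that fixes which source is built, since `SWARMKIT_BRANCH` names a moving work-in-progress branch on a personal fork and is used only for the fetch, and the previous patch in this series records that a force push already made an earlier pinned commit vanish, so the pin is both the integrity anchor and the build's failure mode. A comment tying the three values together would help whoever next updates them, e.g. `# SWARMKIT_COMMIT must be reachable from SWARMKIT_BRANCH on SWARMKIT_REPO; bump both together after a force-push` above the `ENV SWARMKIT_REPO` line. The `[ -z "$SWARMKIT_BRANCH" ] || git fetch origin $SWARMKIT_BRANCH` guard can no longer be false with the branch set unconditionally two lines earlier; if it is meant as an override hook for `--build-arg`-style use, a word saying so would stop it being simplified away. Nothing in the hunk verifies the fetched commit beyond git's own object hashing, which is worth knowing when deciding how far to trust the fork as a source.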
@@ -9,6 +9,8 @@ init:
 onboot:
 - name: sysctl
 image: "linuxkit/sysctl:3aa6bc663c2849ef239be7d941d3eaf3e6fcc018"
+ binds:
+ - /etc/sysctl.d/01-swarmd.conf:/etc/sysctl.d/01-swarmd.conf
 - name: dhcpcd
 image: "linuxkit/dhcpcd:7d2b8aaaf20c24ad7d11a5ea2ea5b4a80dc966f1"
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
@@ -39,3 +41,6 @@ services:
 - /var/lib/containerd:/var/lib/containerd
 - /var/lib/swarmd:/var/lib/swarmd
 - /etc/resolv.conf:/etc/resolv.conf
+files:
+ - path: /etc/sysctl.d/01-swarmd.conf
+ contents: 'net.ipv4.ip_forward = 1'
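Review bot: The new `files:` entry in the second hunk enables `net.ipv4.ip_forward` for the whole host at boot, but nothing in swarmd.yml says why, and the setting only takes effect through the bind added to the `sysctl` onboot container in the first hunk, so the dependency between the two hunks is easy to miss when either is edited. A comment on the entry would record the intent, e.g. `# host-wide: needed for swarmd container networking (CNI backends, per patch 3); applied by the sysctl onboot step via its bind` above `- path: /etc/sysctl.d/01-swarmd.conf`. If the bind syntax in this yml accepts mount options, mounting the conf file read-only into the sysctl container would also keep that step from rewriting the policy it applies; whether the format supports that is not visible here.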