rke/services/services.go

package services

import (
	"context"
	"fmt"

	"github.com/docker/docker/api/types/container"
	"github.com/docker/go-connections/nat"
	"github.com/rancher/rke/docker"
	"github.com/rancher/rke/hosts"
	"github.com/rancher/rke/log"
	v3 "github.com/rancher/rke/types"
	"github.com/rancher/rke/util"
	"github.com/sirupsen/logrus"
)

const (
	ETCDRole    = "etcd"
	ControlRole = "controlplane"
	WorkerRole  = "worker"

	SidekickServiceName   = "sidekick"
	RBACAuthorizationMode = "rbac"

	KubeAPIContainerName                        = "kube-apiserver"
	KubeletContainerName                        = "kubelet"
	KubeproxyContainerName                      = "kube-proxy"
	KubeControllerContainerName                 = "kube-controller-manager"
	SchedulerContainerName                      = "kube-scheduler"
	EtcdContainerName                           = "etcd"
	EtcdSnapshotContainerName                   = "etcd-rolling-snapshots"
	EtcdSnapshotOnceContainerName               = "etcd-snapshot-once"
	EtcdSnapshotRemoveContainerName             = "etcd-remove-snapshot"
	EtcdRestoreContainerName                    = "etcd-restore"
	EtcdDownloadBackupContainerName             = "etcd-download-backup"
	EtcdServeBackupContainerName                = "etcd-Serve-backup"
	EtcdChecksumContainerName                   = "etcd-checksum-checker"
	EtcdStateFileContainerName                  = "etcd-extract-statefile"
	ControlPlaneConfigMapStateFileContainerName = "extract-statefile-configmap"
	NginxProxyContainerName                     = "nginx-proxy"
	SidekickContainerName                       = "service-sidekick"
	LogLinkContainerName                        = "rke-log-linker"
	LogCleanerContainerName                     = "rke-log-cleaner"

	KubeAPIPort        = 6443
	SchedulerPort      = 10251
	KubeControllerPort = 10252
	KubeletPort        = 10248
	KubeproxyPort      = 10256

	WorkerThreads = util.WorkerThreads

	ContainerNameLabel = "io.rancher.rke.container.name"
	MCSLabel           = "label=level:s0:c1000,c1001"
	SELinuxLabel       = "label=type:rke_container_t"
)

type RestartFunc func(context.Context, *hosts.Host) error

func runSidekick(ctx context.Context, host *hosts.Host, prsMap map[string]v3.PrivateRegistry, sidecarProcess v3.Process) error {
	isRunning, err := docker.IsContainerRunning(ctx, host.DClient, host.Address, SidekickContainerName, true)
	if err != nil {
		return err
	}
	imageCfg, hostCfg, _ := GetProcessConfig(sidecarProcess, host)
	isUpgradable := false
	if isRunning {
		isUpgradable, err = docker.IsContainerUpgradable(ctx, host.DClient, imageCfg, hostCfg, SidekickContainerName, host.Address, SidekickServiceName)
		if err != nil {
			return err
		}

		if !isUpgradable {
			log.Infof(ctx, "[%s] Sidekick container already created on host [%s]", SidekickServiceName, host.Address)
			return nil
		}
	}

	if err := docker.UseLocalOrPull(ctx, host.DClient, host.Address, sidecarProcess.Image, SidekickServiceName, prsMap); err != nil {
		return err
	}
	if isUpgradable {
		if err := docker.DoRemoveContainer(ctx, host.DClient, SidekickContainerName, host.Address); err != nil {
			return err
		}
	}
	if _, err := docker.CreateContainer(ctx, host.DClient, host.Address, SidekickContainerName, imageCfg, hostCfg); err != nil {
		return err
	}
	if host.DockerInfo.OSType == "windows" {
		// windows dockerfile VOLUME declaration must to satisfy one of them:
		//  - a non-existing or empty directory
		//  - a drive other than C:
		// so we could use a script to **start** the container to put expected resources into the "shared" directory,
		// like the action of `/usr/bin/sidecar.ps1` for windows rke-tools container
		return docker.StartContainer(ctx, host.DClient, host.Address, SidekickContainerName)
	}
	return nil
}

func removeSidekick(ctx context.Context, host *hosts.Host) error {
	return docker.DoRemoveContainer(ctx, host.DClient, SidekickContainerName, host.Address)
}

func GetProcessConfig(process v3.Process, host *hosts.Host) (*container.Config, *container.HostConfig, string) {
	imageCfg := &container.Config{
		Entrypoint: process.Command,
		Cmd:        process.Args,
		Env:        process.Env,
		Image:      process.Image,
		Labels:     process.Labels,
		User:       process.User,
	}
	// var pidMode container.PidMode
	// pidMode = process.PidMode
	_, portBindings, _ := nat.ParsePortSpecs(process.Publish)
	hostCfg := &container.HostConfig{
		VolumesFrom:  process.VolumesFrom,
		Binds:        process.Binds,
		NetworkMode:  container.NetworkMode(process.NetworkMode),
		PidMode:      container.PidMode(process.PidMode),
		Privileged:   process.Privileged,
		PortBindings: portBindings,
	}
	if len(process.RestartPolicy) > 0 {
		hostCfg.RestartPolicy = container.RestartPolicy{Name: process.RestartPolicy}
	}
	// The MCS label only needs to be applied when container is not running privileged, and running privileged negates need for applying the label
	// If Docker is configured with selinux-enabled:true, we need to specify MCS label to allow files from service-sidekick to be shared between containers
	if !process.Privileged && hosts.IsDockerSELinuxEnabled(host) {
		logrus.Debugf("Found selinux in DockerInfo.SecurityOptions on host [%s]", host.Address)
		// Check for containers having the sidekick container
		for _, volumeFrom := range hostCfg.VolumesFrom {
			if volumeFrom == SidekickContainerName {
				logrus.Debugf("Found [%s] in VolumesFrom on host [%s], applying MCSLabel [%s]", SidekickContainerName, host.Address, MCSLabel)
				hostCfg.SecurityOpt = []string{MCSLabel}
			}
		}
		// Check for sidekick container itself
		if value, ok := imageCfg.Labels[ContainerNameLabel]; ok {
			if value == SidekickContainerName {
				logrus.Debugf("Found [%s=%s] in Labels on host [%s], applying MCSLabel [%s]", ContainerNameLabel, SidekickContainerName, host.Address, MCSLabel)
				hostCfg.SecurityOpt = []string{MCSLabel}
			}
		}
		// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)
		logrus.Debugf("Applying security opt label [%s] for etcd container on host [%s]", SELinuxLabel, host.Address)
		hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)

	}
	return imageCfg, hostCfg, process.HealthCheck.URL
}

func GetHealthCheckURL(useTLS bool, port int) string {
	if useTLS {
		return fmt.Sprintf("%s%s:%d%s", HTTPSProtoPrefix, HealthzAddress, port, HealthzEndpoint)
	}
	return fmt.Sprintf("%s%s:%d%s", HTTPProtoPrefix, HealthzAddress, port, HealthzEndpoint)
}

func createLogLink(ctx context.Context, host *hosts.Host, containerName, plane, image string, prsMap map[string]v3.PrivateRegistry) error {
	logrus.Debugf("[%s] Creating log link for Container [%s] on host [%s]", plane, containerName, host.Address)
	containerInspect, err := docker.InspectContainer(ctx, host.DClient, host.Address, containerName)
	if err != nil {
		return err
	}
	containerID := containerInspect.ID
	containerLogPath := containerInspect.LogPath
	containerLogLink := fmt.Sprintf("%s/%s_%s.log", hosts.RKELogsPath, containerName, containerID)
	imageCfg := &container.Config{
		Image: image,
		Tty:   true,
		Cmd: []string{
			"sh",
			"-c",
			fmt.Sprintf("mkdir -p %s ; ln -s %s %s", hosts.RKELogsPath, containerLogPath, containerLogLink),
		},
	}
	hostCfg := &container.HostConfig{
		Binds: []string{
			"/var/lib:/var/lib",
		},
		Privileged: true,
	}
	if err := docker.DoRemoveContainer(ctx, host.DClient, LogLinkContainerName, host.Address); err != nil {
		return err
	}
	if err := docker.DoRunContainer(ctx, host.DClient, imageCfg, hostCfg, LogLinkContainerName, host.Address, plane, prsMap); err != nil {
		return err
	}
	if err := docker.DoRemoveContainer(ctx, host.DClient, LogLinkContainerName, host.Address); err != nil {
		return err
	}
	logrus.Debugf("[%s] Successfully created log link for Container [%s] on host [%s]", plane, containerName, host.Address)
	return nil
}
Set up kubernetes components 2017-10-29 11:45:21 +02:00			`package services`

			`import (`
Add context.Context to everything and also make logging pluggable 2018-01-09 15:10:56 -07:00			`"context"`
Add GenetatePlan() and use it internally 2018-02-13 02:47:56 +02:00			`"fmt"`
Add services sidekick container 2017-12-09 01:05:55 +02:00
			`"github.com/docker/docker/api/types/container"`
Extend rke to tolerate the Windows host 1. Support to configure Flannel as "host-gw" backend 2. Define the network component yaml and ingress controller yaml only schedule to non-Windows node 3. Support to configure Docker container's port publishing 2018-05-30 16:30:12 +08:00			`"github.com/docker/go-connections/nat"`
Add services sidekick container 2017-12-09 01:05:55 +02:00			`"github.com/rancher/rke/docker"`
			`"github.com/rancher/rke/hosts"`
Add context.Context to everything and also make logging pluggable 2018-01-09 15:10:56 -07:00			`"github.com/rancher/rke/log"`
Remove references to rancher/types 2020-07-11 09:24:19 -07:00			`v3 "github.com/rancher/rke/types"`
Switch all concurrent tasks to use worker pool 2018-10-18 00:26:54 +02:00			`"github.com/rancher/rke/util"`
Log RKE components to a specific location 2018-03-21 19:20:58 +02:00			`"github.com/sirupsen/logrus"`
Set up kubernetes components 2017-10-29 11:45:21 +02:00			`)`

			`const (`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 15:55:35 +02:00			`ETCDRole = "etcd"`
			`ControlRole = "controlplane"`
			`WorkerRole = "worker"`

Enable RBAC and needed addons/network plugin configuration 2017-12-14 23:56:19 +02:00			`SidekickServiceName = "sidekick"`
			`RBACAuthorizationMode = "rbac"`
Check image locally before pull 2017-12-13 01:29:24 +01:00
Add util command 2020-09-28 14:59:44 +02:00			`KubeAPIContainerName = "kube-apiserver"`
			`KubeletContainerName = "kubelet"`
			`KubeproxyContainerName = "kube-proxy"`
			`KubeControllerContainerName = "kube-controller-manager"`
			`SchedulerContainerName = "kube-scheduler"`
			`EtcdContainerName = "etcd"`
			`EtcdSnapshotContainerName = "etcd-rolling-snapshots"`
			`EtcdSnapshotOnceContainerName = "etcd-snapshot-once"`
			`EtcdSnapshotRemoveContainerName = "etcd-remove-snapshot"`
			`EtcdRestoreContainerName = "etcd-restore"`
			`EtcdDownloadBackupContainerName = "etcd-download-backup"`
			`EtcdServeBackupContainerName = "etcd-Serve-backup"`
			`EtcdChecksumContainerName = "etcd-checksum-checker"`
			`EtcdStateFileContainerName = "etcd-extract-statefile"`
			`ControlPlaneConfigMapStateFileContainerName = "extract-statefile-configmap"`
			`NginxProxyContainerName = "nginx-proxy"`
			`SidekickContainerName = "service-sidekick"`
			`LogLinkContainerName = "rke-log-linker"`
			`LogCleanerContainerName = "rke-log-cleaner"`
Add healtcheck for services components Integrate healthcheck with each service 2017-12-20 00:18:27 +02:00
Add local option to deploy/remove kubernetes on local machine Remove insecure port from kube-api Use cluster.yml config Pass config dir to cluster up/remove 2017-12-22 03:01:53 +02:00			`KubeAPIPort = 6443`
Add healtcheck for services components Integrate healthcheck with each service 2017-12-20 00:18:27 +02:00			`SchedulerPort = 10251`
			`KubeControllerPort = 10252`
use healthz endpoint for kubelet healthcheck 2019-07-18 22:42:01 +02:00			`KubeletPort = 10248`
Add healtcheck for services components Integrate healthcheck with each service 2017-12-20 00:18:27 +02:00			`KubeproxyPort = 10256`
Switch all concurrent tasks to use worker pool 2018-10-18 00:26:54 +02:00
			`WorkerThreads = util.WorkerThreads`
Configure MCS labels if selinux is enabled 2019-08-14 12:53:32 +02:00
			`ContainerNameLabel = "io.rancher.rke.container.name"`
			`MCSLabel = "label=level:s0:c1000,c1001"`
Do not rewrite SELinux labels on volume mounts 2021-03-16 10:54:01 +01:00			`SELinuxLabel = "label=type:rke_container_t"`
Set up kubernetes components 2017-10-29 11:45:21 +02:00			`)`

Add restart components to custom certs 2019-01-14 19:51:20 +02:00			`type RestartFunc func(context.Context, *hosts.Host) error`

Add GenetatePlan() and use it internally 2018-02-13 02:47:56 +02:00			`func runSidekick(ctx context.Context, host *hosts.Host, prsMap map[string]v3.PrivateRegistry, sidecarProcess v3.Process) error {`
Add context.Context to everything and also make logging pluggable 2018-01-09 15:10:56 -07:00			`isRunning, err := docker.IsContainerRunning(ctx, host.DClient, host.Address, SidekickContainerName, true)`
Add services sidekick container 2017-12-09 01:05:55 +02:00			`if err != nil {`
			`return err`
			`}`
Configure MCS labels if selinux is enabled 2019-08-14 12:53:32 +02:00			`imageCfg, hostCfg, _ := GetProcessConfig(sidecarProcess, host)`
Fix sidekick upgrade 2018-08-02 02:33:29 +02:00			`isUpgradable := false`
Add services sidekick container 2017-12-09 01:05:55 +02:00			`if isRunning {`
Fix sidekick upgrade 2018-08-02 02:33:29 +02:00			`isUpgradable, err = docker.IsContainerUpgradable(ctx, host.DClient, imageCfg, hostCfg, SidekickContainerName, host.Address, SidekickServiceName)`
			`if err != nil {`
			`return err`
			`}`

			`if !isUpgradable {`
			`log.Infof(ctx, "[%s] Sidekick container already created on host [%s]", SidekickServiceName, host.Address)`
			`return nil`
			`}`
Add services sidekick container 2017-12-09 01:05:55 +02:00			`}`
Add GenetatePlan() and use it internally 2018-02-13 02:47:56 +02:00
Fix sidekick upgrade 2018-08-02 02:33:29 +02:00			`if err := docker.UseLocalOrPull(ctx, host.DClient, host.Address, sidecarProcess.Image, SidekickServiceName, prsMap); err != nil {`
Add services sidekick container 2017-12-09 01:05:55 +02:00			`return err`
			`}`
Fix sidekick upgrade 2018-08-02 02:33:29 +02:00			`if isUpgradable {`
			`if err := docker.DoRemoveContainer(ctx, host.DClient, SidekickContainerName, host.Address); err != nil {`
			`return err`
			`}`
			`}`
Typos 2018-04-24 14:44:17 +02:00			`if _, err := docker.CreateContainer(ctx, host.DClient, host.Address, SidekickContainerName, imageCfg, hostCfg); err != nil {`
Add services sidekick container 2017-12-09 01:05:55 +02:00			`return err`
			`}`
Support to generate Windows worker plan - Put Windows worker plan generating back to reduce the changing from Windows on rancher/rancher - Prepare for rke bootstraps Windows cluster Issue: https://github.com/rancher/rancher/issues/16460 2019-07-05 12:23:48 +08:00			`if host.DockerInfo.OSType == "windows" {`
			`// windows dockerfile VOLUME declaration must to satisfy one of them:`
			`// - a non-existing or empty directory`
			`// - a drive other than C:`
			`// so we could use a script to start the container to put expected resources into the "shared" directory,`
			// like the action of `/usr/bin/sidecar.ps1` for windows rke-tools container
			`return docker.StartContainer(ctx, host.DClient, host.Address, SidekickContainerName)`
			`}`
Add services sidekick container 2017-12-09 01:05:55 +02:00			`return nil`
			`}`

Add context.Context to everything and also make logging pluggable 2018-01-09 15:10:56 -07:00			`func removeSidekick(ctx context.Context, host *hosts.Host) error {`
			`return docker.DoRemoveContainer(ctx, host.DClient, SidekickContainerName, host.Address)`
Add services sidekick container 2017-12-09 01:05:55 +02:00			`}`
Add GenetatePlan() and use it internally 2018-02-13 02:47:56 +02:00
Configure MCS labels if selinux is enabled 2019-08-14 12:53:32 +02:00			`func GetProcessConfig(process v3.Process, host hosts.Host) (container.Config, *container.HostConfig, string) {`
Add GenetatePlan() and use it internally 2018-02-13 02:47:56 +02:00			`imageCfg := &container.Config{`
			`Entrypoint: process.Command,`
			`Cmd: process.Args,`
			`Env: process.Env,`
			`Image: process.Image,`
Add container name labels 2018-05-03 22:07:41 +02:00			`Labels: process.Labels,`
support etcd custom uid/gid 2019-07-24 21:58:50 +02:00			`User: process.User,`
Add GenetatePlan() and use it internally 2018-02-13 02:47:56 +02:00			`}`
			`// var pidMode container.PidMode`
			`// pidMode = process.PidMode`
Extend rke to tolerate the Windows host 1. Support to configure Flannel as "host-gw" backend 2. Define the network component yaml and ingress controller yaml only schedule to non-Windows node 3. Support to configure Docker container's port publishing 2018-05-30 16:30:12 +08:00			`_, portBindings, _ := nat.ParsePortSpecs(process.Publish)`
Add GenetatePlan() and use it internally 2018-02-13 02:47:56 +02:00			`hostCfg := &container.HostConfig{`
Extend rke to tolerate the Windows host 1. Support to configure Flannel as "host-gw" backend 2. Define the network component yaml and ingress controller yaml only schedule to non-Windows node 3. Support to configure Docker container's port publishing 2018-05-30 16:30:12 +08:00			`VolumesFrom: process.VolumesFrom,`
			`Binds: process.Binds,`
			`NetworkMode: container.NetworkMode(process.NetworkMode),`
			`PidMode: container.PidMode(process.PidMode),`
			`Privileged: process.Privileged,`
			`PortBindings: portBindings,`
Add GenetatePlan() and use it internally 2018-02-13 02:47:56 +02:00			`}`
			`if len(process.RestartPolicy) > 0 {`
			`hostCfg.RestartPolicy = container.RestartPolicy{Name: process.RestartPolicy}`
			`}`
Apply MCS label when privileged is false 2019-08-30 16:33:22 +02:00			`// The MCS label only needs to be applied when container is not running privileged, and running privileged negates need for applying the label`
Dont relabel volumes on upstream Docker & SELinux 2020-05-19 21:50:24 +02:00			`// If Docker is configured with selinux-enabled:true, we need to specify MCS label to allow files from service-sidekick to be shared between containers`
			`if !process.Privileged && hosts.IsDockerSELinuxEnabled(host) {`
			`logrus.Debugf("Found selinux in DockerInfo.SecurityOptions on host [%s]", host.Address)`
			`// Check for containers having the sidekick container`
			`for _, volumeFrom := range hostCfg.VolumesFrom {`
			`if volumeFrom == SidekickContainerName {`
			`logrus.Debugf("Found [%s] in VolumesFrom on host [%s], applying MCSLabel [%s]", SidekickContainerName, host.Address, MCSLabel)`
			`hostCfg.SecurityOpt = []string{MCSLabel}`
			`}`
			`}`
			`// Check for sidekick container itself`
			`if value, ok := imageCfg.Labels[ContainerNameLabel]; ok {`
			`if value == SidekickContainerName {`
			`logrus.Debugf("Found [%s=%s] in Labels on host [%s], applying MCSLabel [%s]", ContainerNameLabel, SidekickContainerName, host.Address, MCSLabel)`
			`hostCfg.SecurityOpt = []string{MCSLabel}`
Configure MCS labels if selinux is enabled 2019-08-14 12:53:32 +02:00			`}`
			`}`
Do not rewrite SELinux labels on volume mounts 2021-03-16 10:54:01 +01:00			`// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)`
			`logrus.Debugf("Applying security opt label [%s] for etcd container on host [%s]", SELinuxLabel, host.Address)`
			`hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)`

Configure MCS labels if selinux is enabled 2019-08-14 12:53:32 +02:00			`}`
Add GenetatePlan() and use it internally 2018-02-13 02:47:56 +02:00			`return imageCfg, hostCfg, process.HealthCheck.URL`
			`}`

			`func GetHealthCheckURL(useTLS bool, port int) string {`
			`if useTLS {`
			`return fmt.Sprintf("%s%s:%d%s", HTTPSProtoPrefix, HealthzAddress, port, HealthzEndpoint)`
			`}`
			`return fmt.Sprintf("%s%s:%d%s", HTTPProtoPrefix, HealthzAddress, port, HealthzEndpoint)`
			`}`
Log RKE components to a specific location 2018-03-21 19:20:58 +02:00
			`func createLogLink(ctx context.Context, host *hosts.Host, containerName, plane, image string, prsMap map[string]v3.PrivateRegistry) error {`
			`logrus.Debugf("[%s] Creating log link for Container [%s] on host [%s]", plane, containerName, host.Address)`
			`containerInspect, err := docker.InspectContainer(ctx, host.DClient, host.Address, containerName)`
			`if err != nil {`
			`return err`
			`}`
			`containerID := containerInspect.ID`
			`containerLogPath := containerInspect.LogPath`
Remove container dead log links on cluster remove 2018-06-27 20:37:51 +02:00			`containerLogLink := fmt.Sprintf("%s/%s_%s.log", hosts.RKELogsPath, containerName, containerID)`
Log RKE components to a specific location 2018-03-21 19:20:58 +02:00			`imageCfg := &container.Config{`
			`Image: image,`
			`Tty: true,`
			`Cmd: []string{`
			`"sh",`
			`"-c",`
Remove container dead log links on cluster remove 2018-06-27 20:37:51 +02:00			`fmt.Sprintf("mkdir -p %s ; ln -s %s %s", hosts.RKELogsPath, containerLogPath, containerLogLink),`
Log RKE components to a specific location 2018-03-21 19:20:58 +02:00			`},`
			`}`
			`hostCfg := &container.HostConfig{`
			`Binds: []string{`
Fix container log location for ros 2018-06-25 20:40:51 +02:00			`"/var/lib:/var/lib",`
Log RKE components to a specific location 2018-03-21 19:20:58 +02:00			`},`
			`Privileged: true,`
			`}`
			`if err := docker.DoRemoveContainer(ctx, host.DClient, LogLinkContainerName, host.Address); err != nil {`
			`return err`
			`}`
			`if err := docker.DoRunContainer(ctx, host.DClient, imageCfg, hostCfg, LogLinkContainerName, host.Address, plane, prsMap); err != nil {`
			`return err`
			`}`
			`if err := docker.DoRemoveContainer(ctx, host.DClient, LogLinkContainerName, host.Address); err != nil {`
			`return err`
			`}`
			`logrus.Debugf("[%s] Successfully created log link for Container [%s] on host [%s]", plane, containerName, host.Address)`
			`return nil`
			`}`