Revert "Do not rewrite SELinux labels on volume mounts"
parent
e0b892247f
commit
51a6b50a84
@ -99,7 +99,6 @@ const (
|
|||||||
NameLabel = "name"
|
NameLabel = "name"
|
||||||
|
|
||||||
WorkerThreads = util.WorkerThreads
|
WorkerThreads = util.WorkerThreads
|
||||||
SELinuxLabel = services.SELinuxLabel
|
|
||||||
|
|
||||||
serviceAccountTokenFileParam = "service-account-key-file"
|
serviceAccountTokenFileParam = "service-account-key-file"
|
||||||
|
|
||||||
|
@ -60,15 +60,9 @@ func doDeployFile(ctx context.Context, host *hosts.Host, fileName, fileContents,
|
|||||||
}
|
}
|
||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
if hosts.IsDockerSELinuxEnabled(host) {
|
|
||||||
// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)
|
|
||||||
logrus.Debugf("Applying security opt label [%s] for [%s] container on host [%s]", SELinuxLabel, ContainerName, host.Address)
|
|
||||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := docker.DoRunOnetimeContainer(ctx, host.DClient, imageCfg, hostCfg, ContainerName, host.Address, ServiceName, prsMap); err != nil {
|
if err := docker.DoRunOnetimeContainer(ctx, host.DClient, imageCfg, hostCfg, ContainerName, host.Address, ServiceName, prsMap); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
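Review bot: The `:z` suffix restored on the `/etc/kubernetes` bind (the `hostCfg.Binds` entry at the top of this hunk) is a persistent, recursive relabel of the host directory holding the cluster's certificates and keys to the shared container type, and the commit title gives no reason for preferring it over the `rke_container_t` type label it removes just below. A shared (`z`) relabel means SELinux no longer separates that directory from any other container's content, so the choice deserves a comment at the bind, e.g. `// :z relabels the host dir as shared container content; needed because several RKE containers mount it, and the label persists on the host`. The same undocumented relabel is restored in every other `Binds` literal in this commit (the Build*Process functions, the pki deployers, the etcd snapshot helpers and buildCleanerConfig). doDeployFile starts and ends outside this hunk.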
|
@ -266,10 +266,10 @@ func (c *Cluster) BuildKubeAPIProcess(host *hosts.Host, serviceOptions v3.Kubern
|
|||||||
services.SidekickContainerName,
|
services.SidekickContainerName,
|
||||||
}
|
}
|
||||||
Binds := []string{
|
Binds := []string{
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||||
}
|
}
|
||||||
if c.Services.KubeAPI.AuditLog != nil && c.Services.KubeAPI.AuditLog.Enabled {
|
if c.Services.KubeAPI.AuditLog != nil && c.Services.KubeAPI.AuditLog.Enabled {
|
||||||
Binds = append(Binds, fmt.Sprintf("%s:/var/log/kube-audit", path.Join(host.PrefixPath, "/var/log/kube-audit")))
|
Binds = append(Binds, fmt.Sprintf("%s:/var/log/kube-audit:z", path.Join(host.PrefixPath, "/var/log/kube-audit")))
|
||||||
bytes, err := yaml.Marshal(c.Services.KubeAPI.AuditLog.Configuration.Policy)
|
bytes, err := yaml.Marshal(c.Services.KubeAPI.AuditLog.Configuration.Policy)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logrus.Warnf("Error while marshalling auditlog policy: %v", err)
|
logrus.Warnf("Error while marshalling auditlog policy: %v", err)
|
||||||
@ -358,7 +358,7 @@ func (c *Cluster) BuildKubeControllerProcess(host *hosts.Host, serviceOptions v3
|
|||||||
services.SidekickContainerName,
|
services.SidekickContainerName,
|
||||||
}
|
}
|
||||||
Binds := []string{
|
Binds := []string{
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||||
}
|
}
|
||||||
|
|
||||||
for arg, value := range c.Services.KubeController.ExtraArgs {
|
for arg, value := range c.Services.KubeController.ExtraArgs {
|
||||||
@ -485,29 +485,29 @@ func (c *Cluster) BuildKubeletProcess(host *hosts.Host, serviceOptions v3.Kubern
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
Binds = []string{
|
Binds = []string{
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||||
"/etc/cni:/etc/cni:rw",
|
"/etc/cni:/etc/cni:rw,z",
|
||||||
"/opt/cni:/opt/cni:rw",
|
"/opt/cni:/opt/cni:rw,z",
|
||||||
fmt.Sprintf("%s:/var/lib/cni", path.Join(host.PrefixPath, "/var/lib/cni")),
|
fmt.Sprintf("%s:/var/lib/cni:z", path.Join(host.PrefixPath, "/var/lib/cni")),
|
||||||
"/var/lib/calico:/var/lib/calico",
|
"/var/lib/calico:/var/lib/calico:z",
|
||||||
"/etc/resolv.conf:/etc/resolv.conf",
|
"/etc/resolv.conf:/etc/resolv.conf",
|
||||||
"/sys:/sys:rprivate",
|
"/sys:/sys:rprivate",
|
||||||
host.DockerInfo.DockerRootDir + ":" + host.DockerInfo.DockerRootDir + ":rw,rslave",
|
host.DockerInfo.DockerRootDir + ":" + host.DockerInfo.DockerRootDir + ":rw,rslave,z",
|
||||||
fmt.Sprintf("%s:%s:shared", path.Join(host.PrefixPath, "/var/lib/kubelet"), path.Join(host.PrefixPath, "/var/lib/kubelet")),
|
fmt.Sprintf("%s:%s:shared,z", path.Join(host.PrefixPath, "/var/lib/kubelet"), path.Join(host.PrefixPath, "/var/lib/kubelet")),
|
||||||
"/var/lib/rancher:/var/lib/rancher:shared",
|
"/var/lib/rancher:/var/lib/rancher:shared,z",
|
||||||
"/var/run:/var/run:rw,rprivate",
|
"/var/run:/var/run:rw,rprivate",
|
||||||
"/run:/run:rprivate",
|
"/run:/run:rprivate",
|
||||||
fmt.Sprintf("%s:/etc/ceph", path.Join(host.PrefixPath, "/etc/ceph")),
|
fmt.Sprintf("%s:/etc/ceph", path.Join(host.PrefixPath, "/etc/ceph")),
|
||||||
"/dev:/host/dev:rprivate",
|
"/dev:/host/dev:rprivate",
|
||||||
"/var/log/containers:/var/log/containers",
|
"/var/log/containers:/var/log/containers:z",
|
||||||
"/var/log/pods:/var/log/pods",
|
"/var/log/pods:/var/log/pods:z",
|
||||||
"/usr:/host/usr:ro",
|
"/usr:/host/usr:ro",
|
||||||
"/etc:/host/etc:ro",
|
"/etc:/host/etc:ro",
|
||||||
}
|
}
|
||||||
|
|
||||||
// Special case to simplify using flex volumes
|
// Special case to simplify using flex volumes
|
||||||
if path.Join(host.PrefixPath, "/var/lib/kubelet") != "/var/lib/kubelet" {
|
if path.Join(host.PrefixPath, "/var/lib/kubelet") != "/var/lib/kubelet" {
|
||||||
Binds = append(Binds, "/var/lib/kubelet/volumeplugins:/var/lib/kubelet/volumeplugins:shared")
|
Binds = append(Binds, "/var/lib/kubelet/volumeplugins:/var/lib/kubelet/volumeplugins:shared,z")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Binds = append(Binds, host.GetExtraBinds(kubelet.BaseService)...)
|
Binds = append(Binds, host.GetExtraBinds(kubelet.BaseService)...)
|
||||||
@ -622,7 +622,7 @@ func (c *Cluster) BuildKubeProxyProcess(host *hosts.Host, serviceOptions v3.Kube
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
Binds = []string{
|
Binds = []string{
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||||
"/run:/run",
|
"/run:/run",
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -740,7 +740,7 @@ func (c *Cluster) BuildSchedulerProcess(host *hosts.Host, serviceOptions v3.Kube
|
|||||||
services.SidekickContainerName,
|
services.SidekickContainerName,
|
||||||
}
|
}
|
||||||
Binds := []string{
|
Binds := []string{
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||||
}
|
}
|
||||||
|
|
||||||
for arg, value := range c.Services.Scheduler.ExtraArgs {
|
for arg, value := range c.Services.Scheduler.ExtraArgs {
|
||||||
@ -910,8 +910,8 @@ func (c *Cluster) BuildEtcdProcess(host *hosts.Host, etcdHosts []*hosts.Host, se
|
|||||||
}
|
}
|
||||||
|
|
||||||
Binds := []string{
|
Binds := []string{
|
||||||
fmt.Sprintf("%s:%s", path.Join(host.PrefixPath, "/var/lib/etcd"), services.EtcdDataDir),
|
fmt.Sprintf("%s:%s:z", path.Join(host.PrefixPath, "/var/lib/etcd"), services.EtcdDataDir),
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||||
}
|
}
|
||||||
|
|
||||||
if serviceOptions.Etcd != nil {
|
if serviceOptions.Etcd != nil {
|
||||||
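Review bot: In the BuildKubeletProcess hunk the `host.DockerInfo.DockerRootDir + ":rw,rslave,z"` bind asks Docker to recursively relabel its own data root, which holds the layers and volumes of every other container on the host, on each kubelet (re)start. That is a label change well outside RKE's own state and a full tree walk over what is usually the largest directory on a node; the other entries in the list relabel RKE- or CNI-owned paths, so this one stands out. If the kubelet only needs the mount propagation (`rslave`) on this entry, consider whether `,z` is required there at all, or document why relabeling the Docker root is intended. BuildKubeletProcess starts and ends outside this hunk, and the `/var/lib/kubelet` and `/var/lib/rancher` `shared,z` entries in the same list carry the same persistence caveat.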
|
@ -51,7 +51,6 @@ const (
|
|||||||
CleanerContainerName = "kube-cleaner"
|
CleanerContainerName = "kube-cleaner"
|
||||||
LogCleanerContainerName = "rke-log-cleaner"
|
LogCleanerContainerName = "rke-log-cleaner"
|
||||||
RKELogsPath = "/var/lib/rancher/rke/log"
|
RKELogsPath = "/var/lib/rancher/rke/log"
|
||||||
SELinuxLabel = "label=type:rke_container_t"
|
|
||||||
|
|
||||||
B2DOS = "Boot2Docker"
|
B2DOS = "Boot2Docker"
|
||||||
B2DPrefixPath = "/mnt/sda1/rke"
|
B2DPrefixPath = "/mnt/sda1/rke"
|
||||||
@ -307,14 +306,11 @@ func buildCleanerConfig(host *Host, toCleanDirs []string, cleanerImage string) (
|
|||||||
}
|
}
|
||||||
bindMounts := []string{}
|
bindMounts := []string{}
|
||||||
for _, vol := range toCleanDirs {
|
for _, vol := range toCleanDirs {
|
||||||
bindMounts = append(bindMounts, fmt.Sprintf("%s:%s", vol, vol))
|
bindMounts = append(bindMounts, fmt.Sprintf("%s:%s:z", vol, vol))
|
||||||
}
|
}
|
||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: bindMounts,
|
Binds: bindMounts,
|
||||||
}
|
}
|
||||||
if IsDockerSELinuxEnabled(host) {
|
|
||||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
|
||||||
}
|
|
||||||
return imageCfg, hostCfg
|
return imageCfg, hostCfg
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -86,7 +86,7 @@ func DeployStateOnPlaneHost(ctx context.Context, host *hosts.Host, stateDownload
|
|||||||
}
|
}
|
||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||||
},
|
},
|
||||||
Privileged: true,
|
Privileged: true,
|
||||||
}
|
}
|
||||||
@ -142,7 +142,7 @@ func doRunDeployer(ctx context.Context, host *hosts.Host, containerEnv []string,
|
|||||||
}
|
}
|
||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||||
},
|
},
|
||||||
Privileged: true,
|
Privileged: true,
|
||||||
}
|
}
|
||||||
@ -300,7 +300,7 @@ func FetchFileFromHost(ctx context.Context, filePath, image string, host *hosts.
|
|||||||
}
|
}
|
||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||||
},
|
},
|
||||||
Privileged: true,
|
Privileged: true,
|
||||||
}
|
}
|
||||||
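Review bot: The `:z` restored on the `/etc/kubernetes` bind in DeployStateOnPlaneHost sits next to `Privileged: true` in the same `container.HostConfig`, and since Docker disables SELinux label confinement for privileged containers the relabel is not what grants this helper access; its only lasting effect is to change the host directory's label. doRunDeployer and FetchFileFromHost in this section, and SaveBackupBundleOnHost and ExtractBackupBundleOnHost further down, carry the same `Privileged: true` plus `:z` pairing. If the shared label is still wanted here so that the unprivileged control-plane containers can read the directory, say so in a comment; otherwise `:z` on these privileged helpers looks redundant. Each of these functions starts and ends outside its hunk.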
|
@ -112,8 +112,8 @@ func SaveBackupBundleOnHost(ctx context.Context, host *hosts.Host, alpineSystemI
|
|||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
|
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||||
fmt.Sprintf("%s:/backup", etcdSnapshotPath),
|
fmt.Sprintf("%s:/backup:z", etcdSnapshotPath),
|
||||||
},
|
},
|
||||||
Privileged: true,
|
Privileged: true,
|
||||||
}
|
}
|
||||||
@ -149,8 +149,8 @@ func ExtractBackupBundleOnHost(ctx context.Context, host *hosts.Host, alpineSyst
|
|||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
|
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
|
||||||
fmt.Sprintf("%s:/backup", etcdSnapshotPath),
|
fmt.Sprintf("%s:/backup:z", etcdSnapshotPath),
|
||||||
},
|
},
|
||||||
Privileged: true,
|
Privileged: true,
|
||||||
}
|
}
|
||||||
|
@ -374,7 +374,7 @@ func RunGetStateFileFromConfigMap(ctx context.Context, controlPlaneHost *hosts.H
|
|||||||
}
|
}
|
||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(controlPlaneHost.PrefixPath, "/etc/kubernetes")),
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(controlPlaneHost.PrefixPath, "/etc/kubernetes")),
|
||||||
},
|
},
|
||||||
NetworkMode: container.NetworkMode("host"),
|
NetworkMode: container.NetworkMode("host"),
|
||||||
RestartPolicy: container.RestartPolicy{Name: "no"},
|
RestartPolicy: container.RestartPolicy{Name: "no"},
|
||||||
|
@ -346,16 +346,12 @@ func RunEtcdSnapshotSave(ctx context.Context, etcdHost *hosts.Host, prsMap map[s
|
|||||||
}
|
}
|
||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
|
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||||
NetworkMode: container.NetworkMode("host"),
|
NetworkMode: container.NetworkMode("host"),
|
||||||
RestartPolicy: container.RestartPolicy{Name: restartPolicy},
|
RestartPolicy: container.RestartPolicy{Name: restartPolicy},
|
||||||
}
|
}
|
||||||
|
|
||||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
|
||||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
|
||||||
}
|
|
||||||
|
|
||||||
if once {
|
if once {
|
||||||
log.Infof(ctx, "[etcd] Running snapshot save once on host [%s]", etcdHost.Address)
|
log.Infof(ctx, "[etcd] Running snapshot save once on host [%s]", etcdHost.Address)
|
||||||
logrus.Debugf("[etcd] Using command [%s] for snapshot save once container [%s] on host [%s]", getSanitizedSnapshotCmd(imageCfg, es.BackupConfig), EtcdSnapshotOnceContainerName, etcdHost.Address)
|
logrus.Debugf("[etcd] Using command [%s] for snapshot save once container [%s] on host [%s]", getSanitizedSnapshotCmd(imageCfg, es.BackupConfig), EtcdSnapshotOnceContainerName, etcdHost.Address)
|
||||||
@ -417,16 +413,12 @@ func RunGetStateFileFromSnapshot(ctx context.Context, etcdHost *hosts.Host, prsM
|
|||||||
}
|
}
|
||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
|
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
|
||||||
},
|
},
|
||||||
NetworkMode: container.NetworkMode("host"),
|
NetworkMode: container.NetworkMode("host"),
|
||||||
RestartPolicy: container.RestartPolicy{Name: "no"},
|
RestartPolicy: container.RestartPolicy{Name: "no"},
|
||||||
}
|
}
|
||||||
|
|
||||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
|
||||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdStateFileContainerName, etcdHost.Address); err != nil {
|
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdStateFileContainerName, etcdHost.Address); err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
@ -488,14 +480,11 @@ func DownloadEtcdSnapshotFromS3(ctx context.Context, etcdHost *hosts.Host, prsMa
|
|||||||
log.Infof(ctx, s3Logline)
|
log.Infof(ctx, s3Logline)
|
||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
|
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||||
NetworkMode: container.NetworkMode("host"),
|
NetworkMode: container.NetworkMode("host"),
|
||||||
RestartPolicy: container.RestartPolicy{Name: "no"},
|
RestartPolicy: container.RestartPolicy{Name: "no"},
|
||||||
}
|
}
|
||||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
|
||||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
|
||||||
}
|
|
||||||
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdDownloadBackupContainerName, etcdHost.Address); err != nil {
|
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdDownloadBackupContainerName, etcdHost.Address); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -547,14 +536,11 @@ func RestoreEtcdSnapshot(ctx context.Context, etcdHost *hosts.Host, prsMap map[s
|
|||||||
}
|
}
|
||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
"/opt/rke/:/opt/rke/",
|
"/opt/rke/:/opt/rke/:z",
|
||||||
fmt.Sprintf("%s:/var/lib/rancher/etcd", path.Join(etcdHost.PrefixPath, "/var/lib/etcd")),
|
fmt.Sprintf("%s:/var/lib/rancher/etcd:z", path.Join(etcdHost.PrefixPath, "/var/lib/etcd")),
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||||
NetworkMode: container.NetworkMode("host"),
|
NetworkMode: container.NetworkMode("host"),
|
||||||
}
|
}
|
||||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
|
||||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
|
||||||
}
|
|
||||||
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdRestoreContainerName, etcdHost.Address); err != nil {
|
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdRestoreContainerName, etcdHost.Address); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -624,13 +610,10 @@ func RunEtcdSnapshotRemove(ctx context.Context, etcdHost *hosts.Host, prsMap map
|
|||||||
|
|
||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
|
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
|
||||||
},
|
},
|
||||||
RestartPolicy: container.RestartPolicy{Name: "no"},
|
RestartPolicy: container.RestartPolicy{Name: "no"},
|
||||||
}
|
}
|
||||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
|
||||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
|
||||||
}
|
|
||||||
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdSnapshotRemoveContainerName, etcdHost.Address); err != nil {
|
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdSnapshotRemoveContainerName, etcdHost.Address); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -667,12 +650,9 @@ func GetEtcdSnapshotChecksum(ctx context.Context, etcdHost *hosts.Host, prsMap m
|
|||||||
}
|
}
|
||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
"/opt/rke/:/opt/rke/",
|
"/opt/rke/:/opt/rke/:z",
|
||||||
}}
|
}}
|
||||||
|
|
||||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
|
||||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
|
||||||
}
|
|
||||||
if err := docker.DoRunContainer(ctx, etcdHost.DClient, imageCfg, hostCfg, EtcdChecksumContainerName, etcdHost.Address, ETCDRole, prsMap); err != nil {
|
if err := docker.DoRunContainer(ctx, etcdHost.DClient, imageCfg, hostCfg, EtcdChecksumContainerName, etcdHost.Address, ETCDRole, prsMap); err != nil {
|
||||||
return checksum, err
|
return checksum, err
|
||||||
}
|
}
|
||||||
@ -751,14 +731,11 @@ func StartBackupServer(ctx context.Context, etcdHost *hosts.Host, prsMap map[str
|
|||||||
|
|
||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
|
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||||
NetworkMode: container.NetworkMode("host"),
|
NetworkMode: container.NetworkMode("host"),
|
||||||
RestartPolicy: container.RestartPolicy{Name: "no"},
|
RestartPolicy: container.RestartPolicy{Name: "no"},
|
||||||
}
|
}
|
||||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
|
||||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
|
||||||
}
|
|
||||||
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdServeBackupContainerName, etcdHost.Address); err != nil {
|
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdServeBackupContainerName, etcdHost.Address); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -802,14 +779,11 @@ func DownloadEtcdSnapshotFromBackupServer(ctx context.Context, etcdHost *hosts.H
|
|||||||
|
|
||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: []string{
|
Binds: []string{
|
||||||
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
|
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
|
||||||
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
|
||||||
NetworkMode: container.NetworkMode("host"),
|
NetworkMode: container.NetworkMode("host"),
|
||||||
RestartPolicy: container.RestartPolicy{Name: "on-failure"},
|
RestartPolicy: container.RestartPolicy{Name: "on-failure"},
|
||||||
}
|
}
|
||||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
|
||||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
|
||||||
}
|
|
||||||
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdDownloadBackupContainerName, etcdHost.Address); err != nil {
|
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdDownloadBackupContainerName, etcdHost.Address); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -852,13 +826,6 @@ func setEtcdPermissions(ctx context.Context, etcdHost *hosts.Host, prsMap map[st
|
|||||||
hostCfg := &container.HostConfig{
|
hostCfg := &container.HostConfig{
|
||||||
Binds: []string{dataBind},
|
Binds: []string{dataBind},
|
||||||
}
|
}
|
||||||
|
|
||||||
if hosts.IsDockerSELinuxEnabled(etcdHost) {
|
|
||||||
// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)
|
|
||||||
logrus.Debugf("Applying security opt label [%s] for [%s] container on host [%s]", SELinuxLabel, EtcdPermFixContainerName, etcdHost.Address)
|
|
||||||
hostCfg.SecurityOpt = []string{SELinuxLabel}
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := docker.DoRunOnetimeContainer(ctx, etcdHost.DClient, imageCfg, hostCfg, EtcdPermFixContainerName,
|
if err := docker.DoRunOnetimeContainer(ctx, etcdHost.DClient, imageCfg, hostCfg, EtcdPermFixContainerName,
|
||||||
etcdHost.Address, ETCDRole, prsMap); err != nil {
|
etcdHost.Address, ETCDRole, prsMap); err != nil {
|
||||||
return err
|
return err
|
||||||
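Review bot: The `:z` restored on the `EtcdSnapshotPath:/backup` bind in RunEtcdSnapshotSave moves the snapshot directory, which holds full copies of the etcd datastore including the cluster's Secrets, to the shared container label, so after this commit SELinux no longer separates those files from any other container's content and the `rke_container_t` confinement removed below is gone as well; protection of `/backup` then rests on file permissions alone. The same `/backup:z` bind is restored in RunGetStateFileFromSnapshot, DownloadEtcdSnapshotFromS3, RunEtcdSnapshotRemove, StartBackupServer and DownloadEtcdSnapshotFromBackupServer. A private relabel (`Z`) is presumably ruled out because the recurring snapshot container and the one-time backup helpers share this path, which is exactly the constraint worth recording at the bind, e.g. `// :z (shared relabel): the recurring snapshot container and the one-time backup helpers all use this path, so a private (:Z) relabel cannot be used`. RunEtcdSnapshotSave starts and ends outside this hunk.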
|
@ -52,7 +52,6 @@ const (
|
|||||||
|
|
||||||
ContainerNameLabel = "io.rancher.rke.container.name"
|
ContainerNameLabel = "io.rancher.rke.container.name"
|
||||||
MCSLabel = "label=level:s0:c1000,c1001"
|
MCSLabel = "label=level:s0:c1000,c1001"
|
||||||
SELinuxLabel = "label=type:rke_container_t"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type RestartFunc func(context.Context, *hosts.Host) error
|
type RestartFunc func(context.Context, *hosts.Host) error
|
||||||
@ -143,10 +142,6 @@ func GetProcessConfig(process v3.Process, host *hosts.Host) (*container.Config,
|
|||||||
hostCfg.SecurityOpt = []string{MCSLabel}
|
hostCfg.SecurityOpt = []string{MCSLabel}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)
|
|
||||||
logrus.Debugf("Applying security opt label [%s] for etcd container on host [%s]", SELinuxLabel, host.Address)
|
|
||||||
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
|
|
||||||
|
|
||||||
}
|
}
|
||||||
return imageCfg, hostCfg, process.HealthCheck.URL
|
return imageCfg, hostCfg, process.HealthCheck.URL
|
||||||
}
|
}
|
||||||
|