Add z option to volume binds

README.md

@@ -185,6 +185,25 @@ RKE will ask some questions around the cluster file like number of the hosts, ip
 More information about RKE design, configuration and usage can be found in this [blog post](http://rancher.com/an-introduction-to-rke/).
 
 
+## Operating Systems Notes
+
+### Atomic OS
+
+- Container volumes may have some issues in Atomic OS due to SELinux, most of volumes are mounted in rke with option `z`, however user still need to run the following commands before running rke:
+```
+# mkdir /opt/cni /etc/cni
+# chcon -Rt svirt_sandbox_file_t /etc/cni
+# chcon -Rt svirt_sandbox_file_t /opt/cni
+```
+- OpenSSH 6.4 shipped by default on Atomic CentOS which doesn't support SSH tunneling and therefore breaks rke, upgrading OpenSSH to the latest version supported by Atomic host will solve this problem:
+```
+# atomic host upgrade
+```
+- Atomic host doesn't come with docker group by default, you can change ownership of docker.sock to enable specific user to run rke:
+```
+# chown <user> /var/run/docker.sock
+```
+
 ## License
 Copyright (c) 2017 [Rancher Labs, Inc.](http://rancher.com)
 

hosts/hosts.go

@@ -216,7 +216,7 @@ func buildCleanerConfig(host *Host, toCleanDirs []string, cleanerImage string) (
 	}
 	bindMounts := []string{}
 	for _, vol := range toCleanDirs {
-		bindMounts = append(bindMounts, fmt.Sprintf("%s:%s", vol, vol))
+		bindMounts = append(bindMounts, fmt.Sprintf("%s:%s:z", vol, vol))
 	}
 	hostCfg := &container.HostConfig{
 		Binds: bindMounts,

services/etcd.go

@@ -89,8 +89,8 @@ func buildEtcdConfig(host *hosts.Host, etcdService v3.ETCDService, initCluster,
 	hostCfg := &container.HostConfig{
 		RestartPolicy: container.RestartPolicy{Name: "always"},
 		Binds: []string{
-			"/var/lib/etcd:/etcd-data",
-			"/etc/kubernetes:/etc/kubernetes",
+			"/var/lib/etcd:/etcd-data:z",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode: "host",
 	}

services/etcd_test.go

@@ -13,7 +13,7 @@ const (
 	TestInitEtcdClusterString = "etcd-etcd1=https://1.1.1.1:2380,etcd-etcd2=https://2.2.2.2:2380"
 	TestEtcdImage             = "etcd/etcdImage:latest"
 	TestEtcdNamePrefix        = "--name=etcd-"
-	TestEtcdVolumeBind        = "/var/lib/etcd:/etcd-data"
+	TestEtcdVolumeBind        = "/var/lib/etcd:/etcd-data:z"
 	TestEtcdExtraArgs         = "--foo=bar"
 )
 

services/kubeapi.go

@@ -62,7 +62,7 @@ func buildKubeAPIConfig(host *hosts.Host, kubeAPIService v3.KubeAPIService, etcd
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},

services/kubeapi_test.go

@@ -12,7 +12,7 @@ const (
 	TestEtcdConnString      = "https://1.1.1.1:2379,https://2.2.2.2:2379"
 	TestKubeAPIImage        = "rancher/k8s:latest"
 	TestInsecureBindAddress = "--insecure-bind-address=127.0.0.1"
-	TestKubeAPIVolumeBind   = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeAPIVolumeBind   = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeAPIExtraArgs    = "--foo=bar"
 )
 

services/kubecontroller.go

@@ -51,7 +51,7 @@ func buildKubeControllerConfig(kubeControllerService v3.KubeControllerService, a
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},

services/kubecontroller_test.go

@@ -11,7 +11,7 @@ const (
 	TestKubeControllerClusterCidr           = "10.0.0.0/16"
 	TestKubeControllerServiceClusterIPRange = "10.1.0.0/16"
 	TestKubeControllerImage                 = "rancher/k8s:latest"
-	TestKubeControllerVolumeBind            = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeControllerVolumeBind            = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeControllerExtraArgs             = "--foo=bar"
 	TestClusterCidrPrefix                   = "--cluster-cidr="
 	TestServiceIPRangePrefix                = "--service-cluster-ip-range="

services/kubelet.go

@@ -43,6 +43,7 @@ func buildKubeletConfig(host *hosts.Host, kubeletService v3.KubeletService, unsc
 			"--allow-privileged=true",
 			"--cloud-provider=",
 			"--kubeconfig=" + pki.GetConfigPath(pki.KubeNodeCertName),
+			"--volume-plugin-dir=/var/lib/kubelet/volumeplugins",
 			"--require-kubeconfig=True",
 		},
 	}
@@ -64,20 +65,19 @@ func buildKubeletConfig(host *hosts.Host, kubeletService v3.KubeletService, unsc
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
-			"/usr/libexec/kubernetes/kubelet-plugins:/usr/libexec/kubernetes/kubelet-plugins",
-			"/etc/cni:/etc/cni:ro",
-			"/opt/cni:/opt/cni:ro",
+			"/etc/kubernetes:/etc/kubernetes:z",
+			"/etc/cni:/etc/cni:ro,z",
+			"/opt/cni:/opt/cni:ro,z",
 			"/etc/resolv.conf:/etc/resolv.conf",
 			"/sys:/sys",
-			"/var/lib/docker:/var/lib/docker:rw",
-			"/var/lib/kubelet:/var/lib/kubelet:shared",
+			"/var/lib/docker:/var/lib/docker:rw,z",
+			"/var/lib/kubelet:/var/lib/kubelet:shared,z",
 			"/var/run:/var/run:rw",
 			"/run:/run",
 			"/etc/ceph:/etc/ceph",
 			"/dev:/host/dev",
-			"/var/log/containers:/var/log/containers",
-			"/var/log/pods:/var/log/pods"},
+			"/var/log/containers:/var/log/containers:z",
+			"/var/log/pods:/var/log/pods:z"},
 		NetworkMode:   "host",
 		PidMode:       "host",
 		Privileged:    true,

services/kubelet_test.go

@@ -13,7 +13,7 @@ const (
 	TestKubeletClusterDNSServer    = "10.1.0.3"
 	TestKubeletInfraContainerImage = "test/test:latest"
 	TestKubeletImage               = "rancher/k8s:latest"
-	TestKubeletVolumeBind          = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeletVolumeBind          = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeletExtraArgs           = "--foo=bar"
 	TestClusterDomainPrefix        = "--cluster-domain="
 	TestClusterDNSServerPrefix     = "--cluster-dns="

services/kubeproxy.go

@@ -38,7 +38,7 @@ func buildKubeproxyConfig(host *hosts.Host, kubeproxyService v3.KubeproxyService
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},

services/kubeproxy_test.go

@@ -9,7 +9,7 @@ import (
 
 const (
 	TestKubeproxyImage      = "rancher/k8s:latest"
-	TestKubeproxyVolumeBind = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeproxyVolumeBind = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeproxyExtraArgs  = "--foo=bar"
 )
 

services/scheduler.go

@@ -39,7 +39,7 @@ func buildSchedulerConfig(host *hosts.Host, schedulerService v3.SchedulerService
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},

services/scheduler_test.go

@@ -9,7 +9,7 @@ import (
 
 const (
 	TestSchedulerImage      = "rancher/k8s:latest"
-	TestSchedulerVolumeBind = "/etc/kubernetes:/etc/kubernetes"
+	TestSchedulerVolumeBind = "/etc/kubernetes:/etc/kubernetes:z"
 	TestSchedulerExtraArgs  = "--foo=bar"
 )