Merge pull request #268 from galal-hussein/atomic_centos

Add z option to volume binds
2025-08-18 06:47:13 +00:00 · 2018-02-06 16:22:05 -08:00 · 2018-02-06 16:22:05 -08:00 · c19059200b
commit c19059200b
parent 3538a7dab6 aed28bb44e
14 changed files with 40 additions and 21 deletions
--- a/README.md
+++ b/README.md
@ -222,6 +222,25 @@ ingress:

 RKE will deploy Nginx Ingress controller as a DaemonSet with `hostnetwork: true`, so ports `80`, and `443` will be opened on each node where the controller is deployed.

+## Operating Systems Notes
+
+### Atomic OS
+
+- Container volumes may have some issues in Atomic OS due to SELinux, most of volumes are mounted in rke with option `z`, however user still need to run the following commands before running rke:
+```
+# mkdir /opt/cni /etc/cni
+# chcon -Rt svirt_sandbox_file_t /etc/cni
+# chcon -Rt svirt_sandbox_file_t /opt/cni
+```
+- OpenSSH 6.4 shipped by default on Atomic CentOS which doesn't support SSH tunneling and therefore breaks rke, upgrading OpenSSH to the latest version supported by Atomic host will solve this problem:
+```
+# atomic host upgrade
+```
+- Atomic host doesn't come with docker group by default, you can change ownership of docker.sock to enable specific user to run rke:
+```
+# chown <user> /var/run/docker.sock
+```
+
 ## License

 Copyright (c) 2017 [Rancher Labs, Inc.](http://rancher.com)
--- a/hosts/hosts.go
+++ b/hosts/hosts.go
@ -220,7 +220,7 @@ func buildCleanerConfig(host *Host, toCleanDirs []string, cleanerImage string) (
 	}
 	bindMounts := []string{}
 	for _, vol := range toCleanDirs {
-		bindMounts = append(bindMounts, fmt.Sprintf("%s:%s", vol, vol))
+		bindMounts = append(bindMounts, fmt.Sprintf("%s:%s:z", vol, vol))
 	}
 	hostCfg := &container.HostConfig{
 		Binds: bindMounts,
--- a/services/etcd.go
+++ b/services/etcd.go
@ -90,8 +90,8 @@ func buildEtcdConfig(host *hosts.Host, etcdService v3.ETCDService, initCluster,
 	hostCfg := &container.HostConfig{
 		RestartPolicy: container.RestartPolicy{Name: "always"},
 		Binds: []string{
-			"/var/lib/etcd:/etcd-data",
-			"/etc/kubernetes:/etc/kubernetes",
+			"/var/lib/etcd:/etcd-data:z",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode: "host",
 	}
--- a/services/etcd_test.go
+++ b/services/etcd_test.go
@ -13,7 +13,7 @@ const (
 	TestInitEtcdClusterString = "etcd-etcd1=https://1.1.1.1:2380,etcd-etcd2=https://2.2.2.2:2380"
 	TestEtcdImage             = "etcd/etcdImage:latest"
 	TestEtcdNamePrefix        = "--name=etcd-"
-	TestEtcdVolumeBind        = "/var/lib/etcd:/etcd-data"
+	TestEtcdVolumeBind        = "/var/lib/etcd:/etcd-data:z"
 	TestEtcdExtraArgs         = "--foo=bar"
 )

--- a/services/kubeapi.go
+++ b/services/kubeapi.go
@ -62,7 +62,7 @@ func buildKubeAPIConfig(host *hosts.Host, kubeAPIService v3.KubeAPIService, etcd
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},
--- a/services/kubeapi_test.go
+++ b/services/kubeapi_test.go
@ -12,7 +12,7 @@ const (
 	TestEtcdConnString      = "https://1.1.1.1:2379,https://2.2.2.2:2379"
 	TestKubeAPIImage        = "rancher/k8s:latest"
 	TestInsecureBindAddress = "--insecure-bind-address=127.0.0.1"
-	TestKubeAPIVolumeBind   = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeAPIVolumeBind   = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeAPIExtraArgs    = "--foo=bar"
 )

--- a/services/kubecontroller.go
+++ b/services/kubecontroller.go
@ -51,7 +51,7 @@ func buildKubeControllerConfig(kubeControllerService v3.KubeControllerService, a
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},
--- a/services/kubecontroller_test.go
+++ b/services/kubecontroller_test.go
@ -11,7 +11,7 @@ const (
 	TestKubeControllerClusterCidr           = "10.0.0.0/16"
 	TestKubeControllerServiceClusterIPRange = "10.1.0.0/16"
 	TestKubeControllerImage                 = "rancher/k8s:latest"
-	TestKubeControllerVolumeBind            = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeControllerVolumeBind            = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeControllerExtraArgs             = "--foo=bar"
 	TestClusterCidrPrefix                   = "--cluster-cidr="
 	TestServiceIPRangePrefix                = "--service-cluster-ip-range="
--- a/services/kubelet.go
+++ b/services/kubelet.go
@ -44,6 +44,7 @@ func buildKubeletConfig(host *hosts.Host, kubeletService v3.KubeletService) (*co
 			"--allow-privileged=true",
 			"--cloud-provider=",
 			"--kubeconfig=" + pki.GetConfigPath(pki.KubeNodeCertName),
+			"--volume-plugin-dir=/var/lib/kubelet/volumeplugins",
 			"--require-kubeconfig=True",
 			"--fail-swap-on=" + strconv.FormatBool(kubeletService.FailSwapOn),
 		},
@ -53,20 +54,19 @@ func buildKubeletConfig(host *hosts.Host, kubeletService v3.KubeletService) (*co
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
-			"/usr/libexec/kubernetes/kubelet-plugins:/usr/libexec/kubernetes/kubelet-plugins",
-			"/etc/cni:/etc/cni:ro",
-			"/opt/cni:/opt/cni:ro",
+			"/etc/kubernetes:/etc/kubernetes:z",
+			"/etc/cni:/etc/cni:ro,z",
+			"/opt/cni:/opt/cni:ro,z",
 			"/etc/resolv.conf:/etc/resolv.conf",
 			"/sys:/sys",
-			"/var/lib/docker:/var/lib/docker:rw",
-			"/var/lib/kubelet:/var/lib/kubelet:shared",
+			"/var/lib/docker:/var/lib/docker:rw,z",
+			"/var/lib/kubelet:/var/lib/kubelet:shared,z",
 			"/var/run:/var/run:rw",
 			"/run:/run",
 			"/etc/ceph:/etc/ceph",
 			"/dev:/host/dev",
-			"/var/log/containers:/var/log/containers",
-			"/var/log/pods:/var/log/pods"},
+			"/var/log/containers:/var/log/containers:z",
+			"/var/log/pods:/var/log/pods:z"},
 		NetworkMode:   "host",
 		PidMode:       "host",
 		Privileged:    true,
--- a/services/kubelet_test.go
+++ b/services/kubelet_test.go
@ -13,7 +13,7 @@ const (
 	TestKubeletClusterDNSServer    = "10.1.0.3"
 	TestKubeletInfraContainerImage = "test/test:latest"
 	TestKubeletImage               = "rancher/k8s:latest"
-	TestKubeletVolumeBind          = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeletVolumeBind          = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeletExtraArgs           = "--foo=bar"
 	TestClusterDomainPrefix        = "--cluster-domain="
 	TestClusterDNSServerPrefix     = "--cluster-dns="
--- a/services/kubeproxy.go
+++ b/services/kubeproxy.go
@ -38,7 +38,7 @@ func buildKubeproxyConfig(host *hosts.Host, kubeproxyService v3.KubeproxyService
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},
--- a/services/kubeproxy_test.go
+++ b/services/kubeproxy_test.go
@ -9,7 +9,7 @@ import (

 const (
 	TestKubeproxyImage      = "rancher/k8s:latest"
-	TestKubeproxyVolumeBind = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeproxyVolumeBind = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeproxyExtraArgs  = "--foo=bar"
 )

--- a/services/scheduler.go
+++ b/services/scheduler.go
@ -39,7 +39,7 @@ func buildSchedulerConfig(host *hosts.Host, schedulerService v3.SchedulerService
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},
--- a/services/scheduler_test.go
+++ b/services/scheduler_test.go
@ -9,7 +9,7 @@ import (

 const (
 	TestSchedulerImage      = "rancher/k8s:latest"
-	TestSchedulerVolumeBind = "/etc/kubernetes:/etc/kubernetes"
+	TestSchedulerVolumeBind = "/etc/kubernetes:/etc/kubernetes:z"
 	TestSchedulerExtraArgs  = "--foo=bar"
 )