From aed28bb44e752711d9ed7c1a725314c12ef6d183 Mon Sep 17 00:00:00 2001
From: galal-hussein
Date: Thu, 25 Jan 2018 23:29:21 +0200
Subject: [PATCH] Add z option to volume binds

---
 README.md | 19 +++++++++++++++++++
 hosts/hosts.go | 2 +-
 services/etcd.go | 4 ++--
 services/etcd_test.go | 2 +-
 services/kubeapi.go | 2 +-
 services/kubeapi_test.go | 2 +-
 services/kubecontroller.go | 2 +-
 services/kubecontroller_test.go | 2 +-
 services/kubelet.go | 16 ++++++++--------
 services/kubelet_test.go | 2 +-
 services/kubeproxy.go | 2 +-
 services/kubeproxy_test.go | 2 +-
 services/scheduler.go | 2 +-
 services/scheduler_test.go | 2 +-
 14 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/README.md b/README.md
index 3559d272..ae1bf132 100644
--- a/README.md
+++ b/README.md
@@ -185,6 +185,25 @@ RKE will ask some questions around the cluster file like number of the hosts, ip
 More information about RKE design, configuration and usage can be found in this [blog post](http://rancher.com/an-introduction-to-rke/).
+## Operating Systems Notes
+
+### Atomic OS
+
+- Container volumes may have some issues in Atomic OS due to SELinux, most of volumes are mounted in rke with option `z`, however user still need to run the following commands before running rke:
+```
+# mkdir /opt/cni /etc/cni
+# chcon -Rt svirt_sandbox_file_t /etc/cni
+# chcon -Rt svirt_sandbox_file_t /opt/cni
+```
+- OpenSSH 6.4 shipped by default on Atomic CentOS which doesn't support SSH tunneling and therefore breaks rke, upgrading OpenSSH to the latest version supported by Atomic host will solve this problem:
+```
+# atomic host upgrade
+```
+- Atomic host doesn't come with docker group by default, you can change ownership of docker.sock to enable specific user to run rke:
+```
+# chown /var/run/docker.sock
+```
+
 ## License
 Copyright (c) 2017 [Rancher Labs, Inc.](http://rancher.com)
diff --git a/hosts/hosts.go b/hosts/hosts.go
index 75f348da..609e54c5 100644
--- a/hosts/hosts.go
+++ b/hosts/hosts.go
@@ -216,7 +216,7 @@ func buildCleanerConfig(host *Host, toCleanDirs []string, cleanerImage string) (
 }
 bindMounts := []string{}
 for _, vol := range toCleanDirs {
- bindMounts = append(bindMounts, fmt.Sprintf("%s:%s", vol, vol))
+ bindMounts = append(bindMounts, fmt.Sprintf("%s:%s:z", vol, vol))
 }
 hostCfg := &container.HostConfig{
 Binds: bindMounts,
diff --git a/services/etcd.go b/services/etcd.go
index 743d06e6..495d7484 100644
--- a/services/etcd.go
+++ b/services/etcd.go
@@ -89,8 +89,8 @@ func buildEtcdConfig(host *hosts.Host, etcdService v3.ETCDService, initCluster,
 hostCfg := &container.HostConfig{
 RestartPolicy: container.RestartPolicy{Name: "always"},
 Binds: []string{
- "/var/lib/etcd:/etcd-data",
- "/etc/kubernetes:/etc/kubernetes",
+ "/var/lib/etcd:/etcd-data:z",
+ "/etc/kubernetes:/etc/kubernetes:z",
 },
 NetworkMode: "host",
 }
diff --git a/services/etcd_test.go b/services/etcd_test.go
index 9639fdd6..cffb87ff 100644
--- a/services/etcd_test.go
+++ b/services/etcd_test.go
@@ -13,7 +13,7 @@ const (
 TestInitEtcdClusterString = "etcd-etcd1=https://1.1.1.1:2380,etcd-etcd2=https://2.2.2.2:2380"
 TestEtcdImage = "etcd/etcdImage:latest"
 TestEtcdNamePrefix = "--name=etcd-"
- TestEtcdVolumeBind = "/var/lib/etcd:/etcd-data"
+ TestEtcdVolumeBind = "/var/lib/etcd:/etcd-data:z"
 TestEtcdExtraArgs = "--foo=bar"
 )
diff --git a/services/kubeapi.go b/services/kubeapi.go
index a859a23d..bf15ccbe 100644
--- a/services/kubeapi.go
+++ b/services/kubeapi.go
@@ -62,7 +62,7 @@ func buildKubeAPIConfig(host *hosts.Host, kubeAPIService v3.KubeAPIService, etcd
 SidekickContainerName,
 },
 Binds: []string{
- "/etc/kubernetes:/etc/kubernetes",
+ "/etc/kubernetes:/etc/kubernetes:z",
 },
 NetworkMode: "host",
 RestartPolicy: container.RestartPolicy{Name: "always"},
diff --git a/services/kubeapi_test.go b/services/kubeapi_test.go
index 8e48124d..e9f823e5 100644
--- a/services/kubeapi_test.go
+++ b/services/kubeapi_test.go
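Review bot: The `:z` suffix in buildCleanerConfig is appended to every entry of toCleanDirs unconditionally, so on any SELinux-enforcing host the cleaner container now asks Docker for a recursive relabel of each directory right before its contents are deleted; Docker ignores the label where SELinux is disabled, but on enforcing hosts it is wasted work and, for any broad host path that ends up in toCleanDirs, a hazardous relabel of a system directory. A cleanup bind does not need the shared label to remove files, so consider leaving this call as `fmt.Sprintf("%s:%s", vol, vol)` or deriving the suffix once from a host-level setting rather than hard-coding it here. buildCleanerConfig starts before the hunk, and `vol` still goes into the bind spec unvalidated (a path containing `:` yields a malformed bind), which predates this change.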
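Review bot: `/var/lib/etcd:/etcd-data:z` puts the etcd data directory under the shared `z` label, which the SELinux policy makes accessible to every confined container process on the host, although only the etcd container mounts it in this hunk. Since the data store holds the cluster's secrets, the private `Z` label is the safer default for this bind, keeping `z` only for `/etc/kubernetes`, which the other services in this commit also mount: `"/var/lib/etcd:/etcd-data:Z",`. If another rke container (backup, restore or the cleaner in hosts.go) is expected to mount the same path, it would need to be reconciled with a private label, so confirm that before switching. buildEtcdConfig starts before the hunk.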
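Review bot: `/etc/kubernetes:/etc/kubernetes:z` in buildKubeAPIConfig stays a read-write bind, so nothing in the change limits a compromised API server process to reading the certificates and kubeconfigs it needs; the same line appears in the kubecontroller, kubeproxy and scheduler hunks of this commit. If these components only read from that directory, which the hunk cannot confirm, `"/etc/kubernetes:/etc/kubernetes:ro,z",` would combine the SELinux label with a read-only mount, matching how this commit already treats `/etc/cni` and `/opt/cni` for the kubelet. buildKubeAPIConfig begins before the hunk.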
@@ -12,7 +12,7 @@ const (
 TestEtcdConnString = "https://1.1.1.1:2379,https://2.2.2.2:2379"
 TestKubeAPIImage = "rancher/k8s:latest"
 TestInsecureBindAddress = "--insecure-bind-address=127.0.0.1"
- TestKubeAPIVolumeBind = "/etc/kubernetes:/etc/kubernetes"
+ TestKubeAPIVolumeBind = "/etc/kubernetes:/etc/kubernetes:z"
 TestKubeAPIExtraArgs = "--foo=bar"
 )
diff --git a/services/kubecontroller.go b/services/kubecontroller.go
index 1d81bb3d..56b53104 100644
--- a/services/kubecontroller.go
+++ b/services/kubecontroller.go
@@ -51,7 +51,7 @@ func buildKubeControllerConfig(kubeControllerService v3.KubeControllerService, a
 SidekickContainerName,
 },
 Binds: []string{
- "/etc/kubernetes:/etc/kubernetes",
+ "/etc/kubernetes:/etc/kubernetes:z",
 },
 NetworkMode: "host",
 RestartPolicy: container.RestartPolicy{Name: "always"},
diff --git a/services/kubecontroller_test.go b/services/kubecontroller_test.go
index dad1844b..ff828955 100644
--- a/services/kubecontroller_test.go
+++ b/services/kubecontroller_test.go
@@ -11,7 +11,7 @@ const (
 TestKubeControllerClusterCidr = "10.0.0.0/16"
 TestKubeControllerServiceClusterIPRange = "10.1.0.0/16"
 TestKubeControllerImage = "rancher/k8s:latest"
- TestKubeControllerVolumeBind = "/etc/kubernetes:/etc/kubernetes"
+ TestKubeControllerVolumeBind = "/etc/kubernetes:/etc/kubernetes:z"
 TestKubeControllerExtraArgs = "--foo=bar"
 TestClusterCidrPrefix = "--cluster-cidr="
 TestServiceIPRangePrefix = "--service-cluster-ip-range="
diff --git a/services/kubelet.go b/services/kubelet.go
index 3d68bbfa..85adf8b9 100644
--- a/services/kubelet.go
+++ b/services/kubelet.go
@@ -43,6 +43,7 @@ func buildKubeletConfig(host *hosts.Host, kubeletService v3.KubeletService, unsc
 "--allow-privileged=true",
 "--cloud-provider=",
 "--kubeconfig=" + pki.GetConfigPath(pki.KubeNodeCertName),
+ "--volume-plugin-dir=/var/lib/kubelet/volumeplugins",
 "--require-kubeconfig=True",
 },
 }
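Review bot: The added `--volume-plugin-dir=/var/lib/kubelet/volumeplugins` flag, together with the removal of the `/usr/libexec/kubernetes/kubelet-plugins` bind in the next hunk of kubelet.go, moves flex-volume plugin discovery to a new location, so plugins installed at the old default path are no longer found, and neither the subject line nor the README section mentions it. Add a comment next to the flag, for example `// flex volume plugins are discovered under /var/lib/kubelet/volumeplugins, reachable through the /var/lib/kubelet bind`, and call the move out in the commit message. buildKubeletConfig starts before this hunk.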
@@ -64,20 +65,19 @@ func buildKubeletConfig(host *hosts.Host, kubeletService v3.KubeletService, unsc
 SidekickContainerName,
 },
 Binds: []string{
- "/etc/kubernetes:/etc/kubernetes",
- "/usr/libexec/kubernetes/kubelet-plugins:/usr/libexec/kubernetes/kubelet-plugins",
- "/etc/cni:/etc/cni:ro",
- "/opt/cni:/opt/cni:ro",
+ "/etc/kubernetes:/etc/kubernetes:z",
+ "/etc/cni:/etc/cni:ro,z",
+ "/opt/cni:/opt/cni:ro,z",
 "/etc/resolv.conf:/etc/resolv.conf",
 "/sys:/sys",
- "/var/lib/docker:/var/lib/docker:rw",
- "/var/lib/kubelet:/var/lib/kubelet:shared",
+ "/var/lib/docker:/var/lib/docker:rw,z",
+ "/var/lib/kubelet:/var/lib/kubelet:shared,z",
 "/var/run:/var/run:rw",
 "/run:/run",
 "/etc/ceph:/etc/ceph",
 "/dev:/host/dev",
- "/var/log/containers:/var/log/containers",
- "/var/log/pods:/var/log/pods"},
+ "/var/log/containers:/var/log/containers:z",
+ "/var/log/pods:/var/log/pods:z"},
 NetworkMode: "host",
 PidMode: "host",
 Privileged: true,
diff --git a/services/kubelet_test.go b/services/kubelet_test.go
index fc7666e5..61b83f19 100644
--- a/services/kubelet_test.go
+++ b/services/kubelet_test.go
@@ -13,7 +13,7 @@ const (
 TestKubeletClusterDNSServer = "10.1.0.3"
 TestKubeletInfraContainerImage = "test/test:latest"
 TestKubeletImage = "rancher/k8s:latest"
- TestKubeletVolumeBind = "/etc/kubernetes:/etc/kubernetes"
+ TestKubeletVolumeBind = "/etc/kubernetes:/etc/kubernetes:z"
 TestKubeletExtraArgs = "--foo=bar"
 TestClusterDomainPrefix = "--cluster-domain="
 TestClusterDNSServerPrefix = "--cluster-dns="
diff --git a/services/kubeproxy.go b/services/kubeproxy.go
index cc823f96..43a27442 100644
--- a/services/kubeproxy.go
+++ b/services/kubeproxy.go
@@ -38,7 +38,7 @@ func buildKubeproxyConfig(host *hosts.Host, kubeproxyService v3.KubeproxyService
 SidekickContainerName,
 },
 Binds: []string{
- "/etc/kubernetes:/etc/kubernetes",
+ "/etc/kubernetes:/etc/kubernetes:z",
 },
 NetworkMode: "host",
 RestartPolicy: container.RestartPolicy{Name: "always"},
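Review bot: `/var/lib/docker:/var/lib/docker:rw,z` asks Docker to recursively relabel the whole image and container layer store to the shared container label each time the kubelet container is created, which is the kind of system-directory relabel Docker's documentation warns against, and it changes the label of every other container's root filesystem on the node; `/var/lib/kubelet:/var/lib/kubelet:shared,z` carries the same cost for all pod volumes. Because this container is `Privileged: true` (visible at the end of the hunk), which Docker runs without SELinux confinement, the label does nothing for the kubelet's own access and only widens what unprivileged containers can reach. Drop the label from the docker root bind, `"/var/lib/docker:/var/lib/docker:rw",`, and rely on per-volume labelling for pods rather than a blanket relabel. buildKubeletConfig starts before this hunk, and `/etc/resolv.conf`, `/etc/ceph`, `/var/run` and `/run` are left unlabelled, so the set of binds that receive `z` looks inconsistent and deserves a comment explaining the selection.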
diff --git a/services/kubeproxy_test.go b/services/kubeproxy_test.go
index cd66341d..6134d888 100644
--- a/services/kubeproxy_test.go
+++ b/services/kubeproxy_test.go
@@ -9,7 +9,7 @@ import (
 const (
 TestKubeproxyImage = "rancher/k8s:latest"
- TestKubeproxyVolumeBind = "/etc/kubernetes:/etc/kubernetes"
+ TestKubeproxyVolumeBind = "/etc/kubernetes:/etc/kubernetes:z"
 TestKubeproxyExtraArgs = "--foo=bar"
 )
diff --git a/services/scheduler.go b/services/scheduler.go
index 4d1ca669..671415fc 100644
--- a/services/scheduler.go
+++ b/services/scheduler.go
@@ -39,7 +39,7 @@ func buildSchedulerConfig(host *hosts.Host, schedulerService v3.SchedulerService
 SidekickContainerName,
 },
 Binds: []string{
- "/etc/kubernetes:/etc/kubernetes",
+ "/etc/kubernetes:/etc/kubernetes:z",
 },
 NetworkMode: "host",
 RestartPolicy: container.RestartPolicy{Name: "always"},
diff --git a/services/scheduler_test.go b/services/scheduler_test.go
index e69f9108..d2c2389e 100644
--- a/services/scheduler_test.go
+++ b/services/scheduler_test.go
@@ -9,7 +9,7 @@ import (
 const (
 TestSchedulerImage = "rancher/k8s:latest"
- TestSchedulerVolumeBind = "/etc/kubernetes:/etc/kubernetes"
+ TestSchedulerVolumeBind = "/etc/kubernetes:/etc/kubernetes:z"
 TestSchedulerExtraArgs = "--foo=bar"
 )