mirror of
https://github.com/rancher/rke.git
synced 2025-04-27 19:25:44 +00:00
192 lines
7.4 KiB
Go
192 lines
7.4 KiB
Go
package services
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
"github.com/docker/docker/api/types/container"
|
|
"github.com/docker/go-connections/nat"
|
|
"github.com/rancher/rke/docker"
|
|
"github.com/rancher/rke/hosts"
|
|
"github.com/rancher/rke/log"
|
|
v3 "github.com/rancher/rke/types"
|
|
"github.com/rancher/rke/util"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
const (
|
|
ETCDRole = "etcd"
|
|
ControlRole = "controlplane"
|
|
WorkerRole = "worker"
|
|
|
|
SidekickServiceName = "sidekick"
|
|
RBACAuthorizationMode = "rbac"
|
|
|
|
KubeAPIContainerName = "kube-apiserver"
|
|
KubeletContainerName = "kubelet"
|
|
KubeproxyContainerName = "kube-proxy"
|
|
KubeControllerContainerName = "kube-controller-manager"
|
|
SchedulerContainerName = "kube-scheduler"
|
|
EtcdContainerName = "etcd"
|
|
EtcdSnapshotContainerName = "etcd-rolling-snapshots"
|
|
EtcdSnapshotOnceContainerName = "etcd-snapshot-once"
|
|
EtcdSnapshotRemoveContainerName = "etcd-remove-snapshot"
|
|
EtcdRestoreContainerName = "etcd-restore"
|
|
EtcdDownloadBackupContainerName = "etcd-download-backup"
|
|
EtcdServeBackupContainerName = "etcd-Serve-backup"
|
|
EtcdChecksumContainerName = "etcd-checksum-checker"
|
|
EtcdStateFileContainerName = "etcd-extract-statefile"
|
|
ControlPlaneConfigMapStateFileContainerName = "extract-statefile-configmap"
|
|
NginxProxyContainerName = "nginx-proxy"
|
|
SidekickContainerName = "service-sidekick"
|
|
LogLinkContainerName = "rke-log-linker"
|
|
LogCleanerContainerName = "rke-log-cleaner"
|
|
|
|
KubeAPIPort = 6443
|
|
SchedulerPort = 10251
|
|
KubeControllerPort = 10252
|
|
KubeletPort = 10248
|
|
KubeproxyPort = 10256
|
|
|
|
WorkerThreads = util.WorkerThreads
|
|
|
|
ContainerNameLabel = "io.rancher.rke.container.name"
|
|
MCSLabel = "label=level:s0:c1000,c1001"
|
|
)
|
|
|
|
type RestartFunc func(context.Context, *hosts.Host) error
|
|
|
|
func runSidekick(ctx context.Context, host *hosts.Host, prsMap map[string]v3.PrivateRegistry, sidecarProcess v3.Process) error {
|
|
isRunning, err := docker.IsContainerRunning(ctx, host.DClient, host.Address, SidekickContainerName, true)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
imageCfg, hostCfg, _ := GetProcessConfig(sidecarProcess, host)
|
|
isUpgradable := false
|
|
if isRunning {
|
|
isUpgradable, err = docker.IsContainerUpgradable(ctx, host.DClient, imageCfg, hostCfg, SidekickContainerName, host.Address, SidekickServiceName)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !isUpgradable {
|
|
log.Infof(ctx, "[%s] Sidekick container already created on host [%s]", SidekickServiceName, host.Address)
|
|
return nil
|
|
}
|
|
}
|
|
|
|
if err := docker.UseLocalOrPull(ctx, host.DClient, host.Address, sidecarProcess.Image, SidekickServiceName, prsMap); err != nil {
|
|
return err
|
|
}
|
|
if isUpgradable {
|
|
if err := docker.DoRemoveContainer(ctx, host.DClient, SidekickContainerName, host.Address); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
if _, err := docker.CreateContainer(ctx, host.DClient, host.Address, SidekickContainerName, imageCfg, hostCfg); err != nil {
|
|
return err
|
|
}
|
|
if host.DockerInfo.OSType == "windows" {
|
|
// windows dockerfile VOLUME declaration must to satisfy one of them:
|
|
// - a non-existing or empty directory
|
|
// - a drive other than C:
|
|
// so we could use a script to **start** the container to put expected resources into the "shared" directory,
|
|
// like the action of `/usr/bin/sidecar.ps1` for windows rke-tools container
|
|
return docker.StartContainer(ctx, host.DClient, host.Address, SidekickContainerName)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func removeSidekick(ctx context.Context, host *hosts.Host) error {
|
|
return docker.DoRemoveContainer(ctx, host.DClient, SidekickContainerName, host.Address)
|
|
}
|
|
|
|
func GetProcessConfig(process v3.Process, host *hosts.Host) (*container.Config, *container.HostConfig, string) {
|
|
imageCfg := &container.Config{
|
|
Entrypoint: process.Command,
|
|
Cmd: process.Args,
|
|
Env: process.Env,
|
|
Image: process.Image,
|
|
Labels: process.Labels,
|
|
User: process.User,
|
|
}
|
|
// var pidMode container.PidMode
|
|
// pidMode = process.PidMode
|
|
_, portBindings, _ := nat.ParsePortSpecs(process.Publish)
|
|
hostCfg := &container.HostConfig{
|
|
VolumesFrom: process.VolumesFrom,
|
|
Binds: process.Binds,
|
|
NetworkMode: container.NetworkMode(process.NetworkMode),
|
|
PidMode: container.PidMode(process.PidMode),
|
|
Privileged: process.Privileged,
|
|
PortBindings: portBindings,
|
|
}
|
|
if len(process.RestartPolicy) > 0 {
|
|
hostCfg.RestartPolicy = container.RestartPolicy{Name: process.RestartPolicy}
|
|
}
|
|
// The MCS label only needs to be applied when container is not running privileged, and running privileged negates need for applying the label
|
|
// If Docker is configured with selinux-enabled:true, we need to specify MCS label to allow files from service-sidekick to be shared between containers
|
|
if !process.Privileged && hosts.IsDockerSELinuxEnabled(host) {
|
|
logrus.Debugf("Found selinux in DockerInfo.SecurityOptions on host [%s]", host.Address)
|
|
// Check for containers having the sidekick container
|
|
for _, volumeFrom := range hostCfg.VolumesFrom {
|
|
if volumeFrom == SidekickContainerName {
|
|
logrus.Debugf("Found [%s] in VolumesFrom on host [%s], applying MCSLabel [%s]", SidekickContainerName, host.Address, MCSLabel)
|
|
hostCfg.SecurityOpt = []string{MCSLabel}
|
|
}
|
|
}
|
|
// Check for sidekick container itself
|
|
if value, ok := imageCfg.Labels[ContainerNameLabel]; ok {
|
|
if value == SidekickContainerName {
|
|
logrus.Debugf("Found [%s=%s] in Labels on host [%s], applying MCSLabel [%s]", ContainerNameLabel, SidekickContainerName, host.Address, MCSLabel)
|
|
hostCfg.SecurityOpt = []string{MCSLabel}
|
|
}
|
|
}
|
|
}
|
|
return imageCfg, hostCfg, process.HealthCheck.URL
|
|
}
|
|
|
|
func GetHealthCheckURL(useTLS bool, port int) string {
|
|
if useTLS {
|
|
return fmt.Sprintf("%s%s:%d%s", HTTPSProtoPrefix, HealthzAddress, port, HealthzEndpoint)
|
|
}
|
|
return fmt.Sprintf("%s%s:%d%s", HTTPProtoPrefix, HealthzAddress, port, HealthzEndpoint)
|
|
}
|
|
|
|
func createLogLink(ctx context.Context, host *hosts.Host, containerName, plane, image string, prsMap map[string]v3.PrivateRegistry) error {
|
|
logrus.Debugf("[%s] Creating log link for Container [%s] on host [%s]", plane, containerName, host.Address)
|
|
containerInspect, err := docker.InspectContainer(ctx, host.DClient, host.Address, containerName)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
containerID := containerInspect.ID
|
|
containerLogPath := containerInspect.LogPath
|
|
containerLogLink := fmt.Sprintf("%s/%s_%s.log", hosts.RKELogsPath, containerName, containerID)
|
|
imageCfg := &container.Config{
|
|
Image: image,
|
|
Tty: true,
|
|
Cmd: []string{
|
|
"sh",
|
|
"-c",
|
|
fmt.Sprintf("mkdir -p %s ; ln -s %s %s", hosts.RKELogsPath, containerLogPath, containerLogLink),
|
|
},
|
|
}
|
|
hostCfg := &container.HostConfig{
|
|
Binds: []string{
|
|
"/var/lib:/var/lib",
|
|
},
|
|
Privileged: true,
|
|
}
|
|
if err := docker.DoRemoveContainer(ctx, host.DClient, LogLinkContainerName, host.Address); err != nil {
|
|
return err
|
|
}
|
|
if err := docker.DoRunContainer(ctx, host.DClient, imageCfg, hostCfg, LogLinkContainerName, host.Address, plane, prsMap); err != nil {
|
|
return err
|
|
}
|
|
if err := docker.DoRemoveContainer(ctx, host.DClient, LogLinkContainerName, host.Address); err != nil {
|
|
return err
|
|
}
|
|
logrus.Debugf("[%s] Successfully created log link for Container [%s] on host [%s]", plane, containerName, host.Address)
|
|
return nil
|
|
}
|