
MaaS: Slightly clean systemd and enable Stdout logging for journald

This PS updates the charts and images to run systemd in a more
Kubernetes-friendly way:
 - The hosts cgroupfs is mounted in read only
 - Required mounts are created (tmp tmp/lock)
 - A tty is created for the container
 - A unit is added to each image that streams journald to stdout

Follow up patches will improve the image builds, create cgroups in an
init container, and also drop unrequired privileges from the containers
in addition to compatibility with recent helm-toolkits.

Change-Id: If3b0df28fea967c5ff67df51e1e95bc74f906222
Signed-off-by: Pete Birley <pete@port.direct>
Pete Birley 10 months ago
parent
commit
426f8dacf3

+ 1
- 1
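--- a/charts/maas/templates/bin/_start.sh.tpl
+++ b/charts/maas/templates/bin/_start.sh.tpl
@@ -33,4 +33,4 @@ fi
 
 chsh -s /bin/bash maas
 
-exec /bin/systemd --system
+exec /sbin/init --log-target=console 3>&1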
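Review bot: The `3>&1` on the new exec line carries no explanation, and a later editor is likely to drop it as noise; a comment above it would help, e.g. `# fd 3 is duplicated onto stdout for systemd's console log target — presumably how the streamed journal reaches the container log; confirm against the systemd container interface docs`. The identical command is also placed in the CMD of both Dockerfiles in this commit, while the region statefulset runs /tmp/start.sh as its command, so the chart appears to override that CMD; the copies should at least reference each other so they do not drift. The surrounding script starts outside the hunk.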

+ 20
- 0
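--- a/charts/maas/templates/deployment-rack.yaml
+++ b/charts/maas/templates/deployment-rack.yaml
@@ -14,6 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
+
 {{- if .Values.manifests.rack_deployment }}
 {{- if empty .Values.conf.maas.url.maas_url -}}
 {{- tuple "maas_region_ui" "default" "region_ui" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.maas.url "maas_url" | quote | trunc 0 -}}
@@ -55,6 +56,7 @@ spec:
         - name: maas-rack
           image: {{ .Values.images.tags.maas_rack }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
+          tty: true
           env:
             - name: MAAS_ENDPOINT
               value: {{ .Values.conf.maas.url.maas_url }}
@@ -69,6 +71,15 @@ spec:
           securityContext:
             privileged: true
           volumeMounts:
+            - mountPath: /sys/fs/cgroup
+              name: host-sys-fs-cgroup
+              readOnly: true
+            - mountPath: /run
+              name: pod-run
+            - mountPath: /run/lock
+              name: pod-run-lock
+            - mountPath: /tmp
+              name: pod-tmp
 {{- if .Values.conf.maas.ntp.disable_ntpd_rack }}
             - name: maas-bin
               mountPath: /usr/sbin/ntpd
@@ -96,6 +107,15 @@ spec:
 {{- end }}
 {{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }}
       volumes:
+        - name: host-sys-fs-cgroup
+          hostPath:
+            path: /sys/fs/cgroup
+        - name: pod-run
+          emptyDir: {}
+        - name: pod-run-lock
+          emptyDir: {}
+        - name: pod-tmp
+          emptyDir: {}
 {{- if .Values.manifests.secret_ssh_key }}
         - name: maas-ssh
           emptyDir: {}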
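Review bot: The `readOnly: true` on the new /sys/fs/cgroup hostPath mount gives no real containment here, because the same container keeps `privileged: true` (visible in the third hunk) and a privileged process can simply remount the tree read-write; the host cgroup hierarchy is therefore fully exposed until the follow-up that drops privileges lands. That intent should be recorded on the volume so nobody reads the flag as a guarantee, e.g. `# host cgroupfs for the in-container systemd; readOnly is advisory while the container runs privileged`. The same mounts are added to statefulset-region.yaml in this commit, where the securityContext is outside the hunk, so the note applies there as well.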

+ 19
- 0
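--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@@ -52,6 +52,7 @@ spec:
         - name: maas-region
           image: {{ .Values.images.tags.maas_region }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
+          tty: true
 {{ tuple $envAll $envAll.Values.pod.resources.maas_region | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
           ports:
             - name: r-ui
@@ -64,6 +65,15 @@ spec:
           command:
             - /tmp/start.sh
           volumeMounts:
+            - mountPath: /sys/fs/cgroup
+              name: host-sys-fs-cgroup
+              readOnly: true
+            - mountPath: /run
+              name: pod-run
+            - mountPath: /run/lock
+              name: pod-run-lock
+            - mountPath: /tmp
+              name: pod-tmp
             - name: maas-region-secret
               mountPath: /var/lib/maas/secret
               subPath: REGION_SECRET
@@ -104,6 +114,15 @@ spec:
 {{- end }}
 {{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }}
       volumes:
+        - name: host-sys-fs-cgroup
+          hostPath:
+            path: /sys/fs/cgroup
+        - name: pod-run
+          emptyDir: {}
+        - name: pod-run-lock
+          emptyDir: {}
+        - name: pod-tmp
+          emptyDir: {}
         - name: maas-etc
           configMap:
             name: maas-etc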
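Review bot: The new pod-tmp emptyDir is mounted over /tmp in the second hunk while the container's command in the same hunk is /tmp/start.sh, so the script only stays reachable if it is itself a mount nested under /tmp that the kubelet applies after the emptyDir (presumably a subPath mount further down, outside the hunk — confirm). That ordering dependency is implicit and will break silently if someone later mounts the script into a directory under /tmp or reorders volumes; a comment on the mount would make it visible, e.g. `# emptyDir for systemd's /tmp; /tmp/start.sh is a separate mount layered on top of it`. The /run and /run/lock emptyDirs have the same nested relationship and could carry the same note.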

+ 5
- 1
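--- a/images/maas-rack-controller/Dockerfile
+++ b/images/maas-rack-controller/Dockerfile
@@ -45,5 +45,9 @@ RUN systemctl enable register-rack-controller.service
 RUN mv /usr/sbin/tcpdump /usr/bin/tcpdump
 RUN ln -s /usr/bin/tcpdump /usr/sbin/tcpdump
 
+COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
+RUN mkdir -p /etc/systemd/system/basic.target.wants ;\
+    ln -s /etc/systemd/system/journalctl-to-tty.service /etc/systemd/system/basic.target.wants/journalctl-to-tty.service
+
 # initalize systemd
-CMD ["/sbin/init"]
+CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]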
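Review bot: The hand-built wants symlink (`RUN mkdir -p ... ;\` followed by `ln -s ...`) duplicates what the unit's own `[Install]` section already declares, and the `;` means the `ln -s` still runs when `mkdir -p` fails; the hunk header shows this file already uses `systemctl enable` for register-rack-controller.service, so `RUN systemctl enable journalctl-to-tty.service` would be consistent and drop the fragile chaining. The same two lines appear in images/maas-region-controller/Dockerfile in this commit, which copies the unit from a different relative path (`journalctl-to-tty.service` rather than `scripts/journalctl-to-tty.service`), leaving two copies of one unit file that can drift. The new CMD also repeats the exec line from charts/maas/templates/bin/_start.sh.tpl; a comment on the CMD naming that file would keep the two in step.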

+ 13
- 0
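--- /dev/null
+++ b/images/maas-rack-controller/scripts/journalctl-to-tty.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Journald console log streamer
+Requires=systemd-journald.service
+After=systemd-journald.service
+
+[Service]
+Restart=always
+RestartSec=0
+ExecStart=/bin/journalctl -f
+StandardOutput=tty
+
+[Install]
+WantedBy=basic.target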
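Review bot: `ExecStart=/bin/journalctl -f` only replays the last few journal entries before it starts following, so whatever was logged between boot and basic.target beyond that tail never reaches the container's stdout — exactly the early-start failures an operator needs when a pod crash-loops; `ExecStart=/bin/journalctl -f -n all` would stream the whole journal from the start. `Restart=always` with `RestartSec=0` is also a tight loop: if journalctl exits repeatedly (for instance when no tty is allocated) the unit hits systemd's default start rate limit within seconds and is left failed, silently stopping the log stream; `RestartSec=1` would avoid that. `StandardOutput=tty` with no `TTYPath=` relies on the default console device, which is worth stating in a comment since the chart's `tty: true` is what makes it exist. The identical unit is added as images/maas-region-controller/journalctl-to-tty.service in this commit and needs the same changes.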

+ 5
- 1
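--- a/images/maas-region-controller/Dockerfile
+++ b/images/maas-region-controller/Dockerfile
@@ -62,5 +62,9 @@ RUN cd /usr/lib/python3/dist-packages/maasserver && patch compose_preseed.py < /
 RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.3_route.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver/models/signals && patch interfaces.py < /tmp/2.3_recursion_fix.patch
 
+COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
+RUN mkdir -p /etc/systemd/system/basic.target.wants ;\
+    ln -s /etc/systemd/system/journalctl-to-tty.service /etc/systemd/system/basic.target.wants/journalctl-to-tty.service
+
 # initalize systemd
-CMD ["/sbin/init"]
+CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]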

+ 13
- 0
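--- /dev/null
+++ b/images/maas-region-controller/journalctl-to-tty.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Journald console log streamer
+Requires=systemd-journald.service
+After=systemd-journald.service
+
+[Service]
+Restart=always
+RestartSec=0
+ExecStart=/bin/journalctl -f
+StandardOutput=tty
+
+[Install]
+WantedBy=basic.target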
