MaaS: Slightly clean systemd and enable Stdout logging for journald

This PS updates the charts and images for running systemd in a more
kubernetes friendly  way:
 - The hosts cgroupfs is mounted in read only
 - Required mounts are created (tmp tmp/lock)
 - A tty is created for the container
 - A unit is added to each image that streams journald to stdout

Follow up patches will improve the image builds, create cgroups in an
init container, and also drop unrequired privileges from the containers
in addition to compatibility with recent helm-toolkits.

Change-Id: If3b0df28fea967c5ff67df51e1e95bc74f906222
Signed-off-by: Pete Birley <pete@port.direct>

charts/maas/templates/bin/_start.sh.tpl

@@ -33,4 +33,4 @@ fi
 
 chsh -s /bin/bash maas
 
-exec /bin/systemd --system
+exec /sbin/init --log-target=console 3>&1

charts/maas/templates/deployment-rack.yaml

@@ -14,6 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
+
 {{- if .Values.manifests.rack_deployment }}
 {{- if empty .Values.conf.maas.url.maas_url -}}
 {{- tuple "maas_region_ui" "default" "region_ui" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.maas.url "maas_url" | quote | trunc 0 -}}
@@ -55,6 +56,7 @@ spec:
         - name: maas-rack
           image: {{ .Values.images.tags.maas_rack }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
+          tty: true
           env:
             - name: MAAS_ENDPOINT
               value: {{ .Values.conf.maas.url.maas_url }}
@@ -69,6 +71,15 @@ spec:
           securityContext:
             privileged: true
           volumeMounts:
+            - mountPath: /sys/fs/cgroup
+              name: host-sys-fs-cgroup
+              readOnly: true
+            - mountPath: /run
+              name: pod-run
+            - mountPath: /run/lock
+              name: pod-run-lock
+            - mountPath: /tmp
+              name: pod-tmp
 {{- if .Values.conf.maas.ntp.disable_ntpd_rack }}
             - name: maas-bin
               mountPath: /usr/sbin/ntpd
@@ -96,6 +107,15 @@ spec:
 {{- end }}
 {{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }}
       volumes:
+        - name: host-sys-fs-cgroup
+          hostPath:
+            path: /sys/fs/cgroup
+        - name: pod-run
+          emptyDir: {}
+        - name: pod-run-lock
+          emptyDir: {}
+        - name: pod-tmp
+          emptyDir: {}
 {{- if .Values.manifests.secret_ssh_key }}
         - name: maas-ssh
           emptyDir: {}

charts/maas/templates/statefulset-region.yaml

@@ -52,6 +52,7 @@ spec:
         - name: maas-region
           image: {{ .Values.images.tags.maas_region }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
+          tty: true
 {{ tuple $envAll $envAll.Values.pod.resources.maas_region | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
           ports:
             - name: r-ui
@@ -64,6 +65,15 @@ spec:
           command:
             - /tmp/start.sh
           volumeMounts:
+            - mountPath: /sys/fs/cgroup
+              name: host-sys-fs-cgroup
+              readOnly: true
+            - mountPath: /run
+              name: pod-run
+            - mountPath: /run/lock
+              name: pod-run-lock
+            - mountPath: /tmp
+              name: pod-tmp
             - name: maas-region-secret
               mountPath: /var/lib/maas/secret
               subPath: REGION_SECRET
@@ -104,6 +114,15 @@ spec:
 {{- end }}
 {{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }}
       volumes:
+        - name: host-sys-fs-cgroup
+          hostPath:
+            path: /sys/fs/cgroup
+        - name: pod-run
+          emptyDir: {}
+        - name: pod-run-lock
+          emptyDir: {}
+        - name: pod-tmp
+          emptyDir: {}
         - name: maas-etc
           configMap:
             name: maas-etc

images/maas-rack-controller/Dockerfile

@@ -45,5 +45,9 @@ RUN systemctl enable register-rack-controller.service
 RUN mv /usr/sbin/tcpdump /usr/bin/tcpdump
 RUN ln -s /usr/bin/tcpdump /usr/sbin/tcpdump
 
+COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
+RUN mkdir -p /etc/systemd/system/basic.target.wants ;\
+    ln -s /etc/systemd/system/journalctl-to-tty.service /etc/systemd/system/basic.target.wants/journalctl-to-tty.service
+
 # initalize systemd
-CMD ["/sbin/init"]
+CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]

images/maas-rack-controller/scripts/journalctl-to-tty.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Journald console log streamer
+Requires=systemd-journald.service
+After=systemd-journald.service
+
+[Service]
+Restart=always
+RestartSec=0
+ExecStart=/bin/journalctl -f
+StandardOutput=tty
+
+[Install]
+WantedBy=basic.target

images/maas-region-controller/Dockerfile

@@ -62,5 +62,9 @@ RUN cd /usr/lib/python3/dist-packages/maasserver && patch compose_preseed.py < /
 RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.3_route.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver/models/signals && patch interfaces.py < /tmp/2.3_recursion_fix.patch
 
+COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
+RUN mkdir -p /etc/systemd/system/basic.target.wants ;\
+    ln -s /etc/systemd/system/journalctl-to-tty.service /etc/systemd/system/basic.target.wants/journalctl-to-tty.service
+
 # initalize systemd
-CMD ["/sbin/init"]
+CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]

images/maas-region-controller/journalctl-to-tty.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Journald console log streamer
+Requires=systemd-journald.service
+After=systemd-journald.service
+
+[Service]
+Restart=always
+RestartSec=0
+ExecStart=/bin/journalctl -f
+StandardOutput=tty
+
+[Install]
+WantedBy=basic.target