MaaS: Slightly clean systemd and enable Stdout logging for journald
This PS updates the charts and images for running systemd in a more kubernetes friendly way: - The hosts cgroupfs is mounted in read only - Required mounts are created (tmp tmp/lock) - A tty is created for the container - A unit is added to each image that streams journald to stdout Follow up patches will improve the image builds, create cgroups in an init container, and also drop unrequired privileges from the containers in addition to compatibility with recent helm-toolkits. Change-Id: If3b0df28fea967c5ff67df51e1e95bc74f906222 Signed-off-by: Pete Birley <pete@port.direct>
This commit is contained in:
parent
8adc845af5
commit
426f8dacf3
@ -33,4 +33,4 @@ fi
|
||||
|
||||
chsh -s /bin/bash maas
|
||||
|
||||
exec /bin/systemd --system
|
||||
exec /sbin/init --log-target=console 3>&1
|
||||
|
@ -14,6 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.rack_deployment }}
|
||||
{{- if empty .Values.conf.maas.url.maas_url -}}
|
||||
{{- tuple "maas_region_ui" "default" "region_ui" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.maas.url "maas_url" | quote | trunc 0 -}}
|
||||
@ -55,6 +56,7 @@ spec:
|
||||
- name: maas-rack
|
||||
image: {{ .Values.images.tags.maas_rack }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
tty: true
|
||||
env:
|
||||
- name: MAAS_ENDPOINT
|
||||
value: {{ .Values.conf.maas.url.maas_url }}
|
||||
@ -69,6 +71,15 @@ spec:
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- mountPath: /sys/fs/cgroup
|
||||
name: host-sys-fs-cgroup
|
||||
readOnly: true
|
||||
- mountPath: /run
|
||||
name: pod-run
|
||||
- mountPath: /run/lock
|
||||
name: pod-run-lock
|
||||
- mountPath: /tmp
|
||||
name: pod-tmp
|
||||
{{- if .Values.conf.maas.ntp.disable_ntpd_rack }}
|
||||
- name: maas-bin
|
||||
mountPath: /usr/sbin/ntpd
|
||||
@ -96,6 +107,15 @@ spec:
|
||||
{{- end }}
|
||||
{{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: host-sys-fs-cgroup
|
||||
hostPath:
|
||||
path: /sys/fs/cgroup
|
||||
- name: pod-run
|
||||
emptyDir: {}
|
||||
- name: pod-run-lock
|
||||
emptyDir: {}
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
{{- if .Values.manifests.secret_ssh_key }}
|
||||
- name: maas-ssh
|
||||
emptyDir: {}
|
||||
|
@ -52,6 +52,7 @@ spec:
|
||||
- name: maas-region
|
||||
image: {{ .Values.images.tags.maas_region }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
tty: true
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.maas_region | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
ports:
|
||||
- name: r-ui
|
||||
@ -64,6 +65,15 @@ spec:
|
||||
command:
|
||||
- /tmp/start.sh
|
||||
volumeMounts:
|
||||
- mountPath: /sys/fs/cgroup
|
||||
name: host-sys-fs-cgroup
|
||||
readOnly: true
|
||||
- mountPath: /run
|
||||
name: pod-run
|
||||
- mountPath: /run/lock
|
||||
name: pod-run-lock
|
||||
- mountPath: /tmp
|
||||
name: pod-tmp
|
||||
- name: maas-region-secret
|
||||
mountPath: /var/lib/maas/secret
|
||||
subPath: REGION_SECRET
|
||||
@ -104,6 +114,15 @@ spec:
|
||||
{{- end }}
|
||||
{{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: host-sys-fs-cgroup
|
||||
hostPath:
|
||||
path: /sys/fs/cgroup
|
||||
- name: pod-run
|
||||
emptyDir: {}
|
||||
- name: pod-run-lock
|
||||
emptyDir: {}
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: maas-etc
|
||||
configMap:
|
||||
name: maas-etc
|
||||
|
@ -45,5 +45,9 @@ RUN systemctl enable register-rack-controller.service
|
||||
RUN mv /usr/sbin/tcpdump /usr/bin/tcpdump
|
||||
RUN ln -s /usr/bin/tcpdump /usr/sbin/tcpdump
|
||||
|
||||
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
|
||||
RUN mkdir -p /etc/systemd/system/basic.target.wants ;\
|
||||
ln -s /etc/systemd/system/journalctl-to-tty.service /etc/systemd/system/basic.target.wants/journalctl-to-tty.service
|
||||
|
||||
# initalize systemd
|
||||
CMD ["/sbin/init"]
|
||||
CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
|
||||
|
@ -0,0 +1,13 @@
|
||||
[Unit]
|
||||
Description=Journald console log streamer
|
||||
Requires=systemd-journald.service
|
||||
After=systemd-journald.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
RestartSec=0
|
||||
ExecStart=/bin/journalctl -f
|
||||
StandardOutput=tty
|
||||
|
||||
[Install]
|
||||
WantedBy=basic.target
|
@ -62,5 +62,9 @@ RUN cd /usr/lib/python3/dist-packages/maasserver && patch compose_preseed.py < /
|
||||
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.3_route.patch
|
||||
RUN cd /usr/lib/python3/dist-packages/maasserver/models/signals && patch interfaces.py < /tmp/2.3_recursion_fix.patch
|
||||
|
||||
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
|
||||
RUN mkdir -p /etc/systemd/system/basic.target.wants ;\
|
||||
ln -s /etc/systemd/system/journalctl-to-tty.service /etc/systemd/system/basic.target.wants/journalctl-to-tty.service
|
||||
|
||||
# initalize systemd
|
||||
CMD ["/sbin/init"]
|
||||
CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
|
||||
|
13
images/maas-region-controller/journalctl-to-tty.service
Normal file
13
images/maas-region-controller/journalctl-to-tty.service
Normal file
@ -0,0 +1,13 @@
|
||||
[Unit]
|
||||
Description=Journald console log streamer
|
||||
Requires=systemd-journald.service
|
||||
After=systemd-journald.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
RestartSec=0
|
||||
ExecStart=/bin/journalctl -f
|
||||
StandardOutput=tty
|
||||
|
||||
[Install]
|
||||
WantedBy=basic.target
|
Loading…
Reference in New Issue
Block a user