MaaS: Slightly clean systemd and enable Stdout logging for journald

This PS updates the charts and images for running systemd in a more
Kubernetes-friendly way:
 - The hosts cgroupfs is mounted in read only
 - Required mounts are created (tmp tmp/lock)
 - A tty is created for the container
 - A unit is added to each image that streams journald to stdout

Follow up patches will improve the image builds, create cgroups in an
init container, and also drop unrequired privileges from the containers
in addition to compatibility with recent helm-toolkits.

Change-Id: If3b0df28fea967c5ff67df51e1e95bc74f906222
Signed-off-by: Pete Birley <pete@port.direct>
Pete Birley 2018-06-14 22:02:23 -05:00
parent 8adc845af5
commit 426f8dacf3
7 changed files with 76 additions and 3 deletions


@ -33,4 +33,4 @@ fi
chsh -s /bin/bash maas
exec /bin/systemd --system
exec /sbin/init --log-target=console 3>&1
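Review bot: The new `exec /sbin/init --log-target=console 3>&1` line carries a `3>&1` redirect that the script does not explain, and what systemd does with an inherited fd 3 is version-specific, so a reader cannot tell whether it is required or what it is for. Presumably it is there so that PID 1's own console logging reaches the container's stdout rather than a node console; add a comment above the line, `# fd 3 is handed to systemd together with --log-target=console so its own log output lands on the container stdout; keep in sync with the image CMD`. The same command is duplicated verbatim as the `CMD` of both Dockerfiles in this change, so a drift between the three copies would be easy to miss. The script's enclosing body (the `fi` in the hunk header) continues outside the hunk.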


@ -14,6 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.rack_deployment }}
{{- if empty .Values.conf.maas.url.maas_url -}}
{{- tuple "maas_region_ui" "default" "region_ui" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.maas.url "maas_url" | quote | trunc 0 -}}
@ -55,6 +56,7 @@ spec:
- name: maas-rack
image: {{ .Values.images.tags.maas_rack }}
imagePullPolicy: {{ .Values.images.pull_policy }}
tty: true
env:
- name: MAAS_ENDPOINT
value: {{ .Values.conf.maas.url.maas_url }}
@ -69,6 +71,15 @@ spec:
securityContext:
privileged: true
volumeMounts:
- mountPath: /sys/fs/cgroup
name: host-sys-fs-cgroup
readOnly: true
- mountPath: /run
name: pod-run
- mountPath: /run/lock
name: pod-run-lock
- mountPath: /tmp
name: pod-tmp
{{- if .Values.conf.maas.ntp.disable_ntpd_rack }}
- name: maas-bin
mountPath: /usr/sbin/ntpd
@ -96,6 +107,15 @@ spec:
{{- end }}
{{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: host-sys-fs-cgroup
hostPath:
path: /sys/fs/cgroup
- name: pod-run
emptyDir: {}
- name: pod-run-lock
emptyDir: {}
- name: pod-tmp
emptyDir: {}
{{- if .Values.manifests.secret_ssh_key }}
- name: maas-ssh
emptyDir: {}
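Review bot: The new `host-sys-fs-cgroup` hostPath volume in the last hunk (and the identical one in the maas-region deployment) declares no `type`, so the kubelet performs no check on `/sys/fs/cgroup` and a node where the path is missing or not a directory only surfaces the problem as a container start failure inside a privileged pod; add `type: Directory` under `hostPath:` so the pod fails fast with a clear event. `readOnly: true` on the mount is the right default, but nothing in this hunk stops the `privileged: true` container from remounting it, so treat the flag as hygiene rather than a boundary and keep the follow-up privilege reduction mentioned in the description in view. The `maas_url` lookup added in the first hunk feeds the unchanged `value: {{ .Values.conf.maas.url.maas_url }}` line, which renders the URL as a plain scalar; `value: {{ .Values.conf.maas.url.maas_url | quote }}` would keep the env value a string regardless of what the endpoint lookup returns.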


@ -52,6 +52,7 @@ spec:
- name: maas-region
image: {{ .Values.images.tags.maas_region }}
imagePullPolicy: {{ .Values.images.pull_policy }}
tty: true
{{ tuple $envAll $envAll.Values.pod.resources.maas_region | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
ports:
- name: r-ui
@ -64,6 +65,15 @@ spec:
command:
- /tmp/start.sh
volumeMounts:
- mountPath: /sys/fs/cgroup
name: host-sys-fs-cgroup
readOnly: true
- mountPath: /run
name: pod-run
- mountPath: /run/lock
name: pod-run-lock
- mountPath: /tmp
name: pod-tmp
- name: maas-region-secret
mountPath: /var/lib/maas/secret
subPath: REGION_SECRET
@ -104,6 +114,15 @@ spec:
{{- end }}
{{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: host-sys-fs-cgroup
hostPath:
path: /sys/fs/cgroup
- name: pod-run
emptyDir: {}
- name: pod-run-lock
emptyDir: {}
- name: pod-tmp
emptyDir: {}
- name: maas-etc
configMap:
name: maas-etc


@ -45,5 +45,9 @@ RUN systemctl enable register-rack-controller.service
RUN mv /usr/sbin/tcpdump /usr/bin/tcpdump
RUN ln -s /usr/bin/tcpdump /usr/sbin/tcpdump
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
RUN mkdir -p /etc/systemd/system/basic.target.wants ;\
ln -s /etc/systemd/system/journalctl-to-tty.service /etc/systemd/system/basic.target.wants/journalctl-to-tty.service
# initalize systemd
CMD ["/sbin/init"]
CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
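Review bot: The new `RUN mkdir -p ... ;\ ln -s ...` chains the two commands with `;`, so the `mkdir` exit status is discarded and any failure is only reported indirectly by the following `ln`; the same line appears in the maas-region Dockerfile. Since the copied unit ships an `[Install]` section with `WantedBy=basic.target`, the cleanest fix is the mechanism this file already uses on the line above the hunk: `RUN systemctl enable journalctl-to-tty.service`. If the manual symlink is kept deliberately, chain with `RUN mkdir -p /etc/systemd/system/basic.target.wants && \` instead. The replacement `CMD` duplicates the `exec /sbin/init --log-target=console 3>&1` line of the chart's start script; a comment noting that the two must stay in sync would help the next maintainer.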


@ -0,0 +1,13 @@
[Unit]
Description=Journald console log streamer
Requires=systemd-journald.service
After=systemd-journald.service
[Service]
Restart=always
RestartSec=0
ExecStart=/bin/journalctl -f
StandardOutput=tty
[Install]
WantedBy=basic.target
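Review bot: `Restart=always` together with `RestartSec=0` means that if `journalctl -f` exits repeatedly (for example while the journal is not yet readable), the unit is likely to hit systemd's default start-rate limit within seconds and be left failed, after which nothing streams the journal and the container's stdout goes silent with no indication; the identical unit in the other image has the same issue. Add `StartLimitIntervalSec=0` to `[Unit]` (or `StartLimitInterval=0` under `[Service]` on older systemd) or use a nonzero `RestartSec=`. Separately, `journalctl -f` prints only the last ten entries before following, so messages logged before `basic.target` is reached are not forwarded; `ExecStart=/bin/journalctl -f --lines=all` would stream the whole boot if that is wanted, at the cost of repeating earlier lines after each restart.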


@ -62,5 +62,9 @@ RUN cd /usr/lib/python3/dist-packages/maasserver && patch compose_preseed.py < /
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.3_route.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/models/signals && patch interfaces.py < /tmp/2.3_recursion_fix.patch
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
RUN mkdir -p /etc/systemd/system/basic.target.wants ;\
ln -s /etc/systemd/system/journalctl-to-tty.service /etc/systemd/system/basic.target.wants/journalctl-to-tty.service
# initalize systemd
CMD ["/sbin/init"]
CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]


@ -0,0 +1,13 @@
[Unit]
Description=Journald console log streamer
Requires=systemd-journald.service
After=systemd-journald.service
[Service]
Restart=always
RestartSec=0
ExecStart=/bin/journalctl -f
StandardOutput=tty
[Install]
WantedBy=basic.target