Fetch CONTAINERID from Docker API in kuryr-cni

In Kuryr CNI container's entrypoint we were talking to K8s API to get the current container's CONTAINERID. This worked fine in most cases, but in more busy environments the value may be not saved into the K8s API yet and we end up with "null" as CONTAINERID. This obviously breaks kuryr-cni script that's being injected onto the host. Instead of implementing retries on "null" this commit uses another approach and fetches CONTAINERID from Docker API. Closes-Bug: 1777133 Change-Id: If0bbd55c4dc03077132b140a9a12cf6bd0f0cd03
2018-06-15 15:18:50 +02:00 · 2018-06-15 15:18:50 +02:00 · 8b7d695d43
parent 7e52b9ef3f
commit 8b7d695d43
1 changed files with 20 additions and 24 deletions
--- a/44
+++ b/44
@ -6,35 +6,31 @@ function cleanup() {
 }

 function deploy() {
-    local serviceaccount_path
-    serviceaccount_path="/var/run/secrets/kubernetes.io/serviceaccount"
-
-    # Prepare token.
-    KUBE_TOKEN=$(<${serviceaccount_path}/token)
-    POD_NAMESPACE=$(<${serviceaccount_path}/namespace)
-
-    CONTAINERID=""
-    x=0
-    while [ -z ${CONTAINERID} ] && [ $x -lt 9 ]; do
-        sleep 5
-
-        CONTAINERID=$(curl -vvv -H "Authorization: Bearer $KUBE_TOKEN" --cacert ${serviceaccount_path}/ca.crt \
-          https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/v1/namespaces/${POD_NAMESPACE}/pods/${KURYR_CNI_POD_NAME} | jq -r '.["status"]["containerStatuses"][0]["containerID"]')
-
-        CONTAINERID=${CONTAINERID#*//}
-        ((x++)) || true
-    done;
-
-    # There's no point to run if we cannot get CONTAINERID.
-    if [ -z ${CONTAINERID} ]; then
-        exit 1
-    fi
+    POD_NAMESPACE=$(</var/run/secrets/kubernetes.io/serviceaccount/namespace)

    # Write the script to a file.
    cat > /kuryr-cni << EOF
 #!/bin/bash -x
+
+finder="
+import json
+import sys
+
+containers=json.load(sys.stdin)
+for container in containers:
+    if ('Labels' in container and
+            container['Labels'].get('io.kubernetes.pod.name') == '${KURYR_CNI_POD_NAME}' and
+            container['Labels'].get('io.kubernetes.pod.namespace') == '${POD_NAMESPACE}' and
+            container['Labels'].get('io.kubernetes.docker.type') == 'container'):
+        print(container['Id'])
+        break
+"
+
+# TODO(dulek): We might want to fetch socket path from config.
+CONTAINERID=\`curl --unix-socket /var/run/docker.sock http://v1.24/containers/json 2> /dev/null | python -c "\${finder}"\`
+
 envs=(\$(env | grep ^CNI_))
-docker exec \${envs[@]/#/--env } -i "${CONTAINERID}" kuryr-cni --config-file /etc/kuryr/kuryr.conf
+docker exec \${envs[@]/#/--env } -i "\${CONTAINERID}" kuryr-cni --config-file /etc/kuryr/kuryr.conf
 EOF

    # Copy the script into the designated location