diff --git a/.zuul.yaml b/.zuul.yaml
index f7f37fca9e..f57b98d26d 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -1,3 +1,29 @@
+- secret:
+ name: magnum_docker_login
+ data:
+ user: !encrypted/pkcs1-oaep
+ - rxOFTiiWYyvD5fzSRM3uMXoLKAF9rUzgY3AhyLbIkQ5dUfKO8cJ5zasJG+3qVOyT6hjOO
+ sCkWC7Cta74cxDr7cMjH4m80R8hD5o6/Q7m3xMnwRz/6s12vpd1LXOMp6R7ahXCmH/Cxe
+ 2O7UeFUN7vX0JKIWw47ioitqqQ1GywFzBgiCN9f8Qg7sIdaner5MmQD+3x8XmqKMEqr88
+ /j2Nxc4UHvhK+zkjDMM21+7RH33vC2KVteA8hbnKLd621D+8ocPQRihdQ221xiXtij38C
+ hTSHvYYgphEbZK2G/iwbG+Ol+orc215UE+ZnDXrxI6f20rit2KVboaWrUkuKgwHqJJ8mx
+ SQ/QFFhe4gW2b3WkB18eDb1APob+sGFCxd6gjWO9DjOK2LTpioUQPfgMNDU1JJ4p0HlIl
+ mHI7PK4LrX5jZzguA+NRj+vg7+7R78wWD0U6kM/nhouIK19VMEfL1DslJ+nqvLoniod6u
+ sztgHJ7EEqrrUAsOE2PssGt5wRZpqx5w8+KiFFFrsVcOtHmGBh3DwUNTGMtMpcq5XTICx
+ +7/irRonpxElqsdCZNKtzv/zmAioiwHLaZZPyDrzk80QyIUc9ljCEuQgCLbDM0jVZjntY
+ c+S6EYqYuAUPymMZ9p/ctRIDIU1dzvwnlddOc4IF34iqUCmTrI527pRBStjqdU=
+ password: !encrypted/pkcs1-oaep
+ - Vcw08awGz2D3UAr2ceufpOJHAP9kkUqenjlChN2gSd1GIUpsehJY0fmAYQNZ4y6CH97Cu
+ 7Z4lGRf+UV0Ql/QlJXkdlEHhrmdzAE391y1bpzzP583R5zSJHlLqEFL12Wf4mM62LGGTw
+ HaJzWvwUzKxmHuJQddLNN+NvXsdU2he4gGViG5gmOmr9wKrxjp/T9hVhYcR8eLxGg9/Bo
+ JzGabDgl/PdtXVzCS9Xhg6RP1Vdq/JeVPNuERFYvZWM7YvxbTXMRp7/V83tLy7UtCXusi
+ ge8LaYgTMuBMioBaD7snmI08HZilo34hKg5fRHkf4ZRvbC+baJxEumSX5zfWoO10Jw8Dc
+ 4FK8d0O2+2erAwvyZIWSdj/EGlwUqPJ0qHIMbOl3ahMEHujQ42UHhtUpYS4kMEdBcdOOU
+ C3eruiqligGbClK3Mpf1MVlJC8jmkeRofseQmSt7arQ6RAlMn64k8kr1/biMs0saaGKbw
+ Nw7PhUQTf67yemJvB1zHOI4i9SEkApRNoBmtOe9UxeJxlsDnvOUUteOja3EnIrdIt8Qnk
+ N+yvPc0MhDVNU0SHJp+AiHJ6jk/tXDkKNnoZJH0BHGPDNp+/pC2ckLxzOrXLPGJkVglwA
+ 4gTl0N/3dRouxVITTmeVwGfffCo/jrdrr1gIr5FAzbiz2jQxF0OOXqRA1YRHn8=
+
 - job:
 name: magnum-functional-base
 parent: legacy-dsvm-base
@@ -25,6 +51,7 @@
 - ^specs/.*$
 - ^install-guide/.*$
 - ^releasenotes/.*$
+ - ^dockerfiles/.*$
 vars:
 ironic: 0
 ceilometer: 0
@@ -61,6 +88,7 @@
 - ^specs/.*$
 - ^install-guide/.*$
 - ^releasenotes/.*$
+ - ^dockerfiles/.*$
 vars:
 ironic: 0
 ceilometer: 0
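Review bot: The new `magnum_docker_login` secret carries no comment saying which registry account it is for or who owns its rotation, and `.zuul.yaml` is the first place an operator will look; a line above `- secret:` such as `# Registry credentials consumed by the container-publish job (post pipeline); rotation owner/procedure: <placeholder>` would cover that. The playbook that actually uses it, `playbooks/container-publish.yaml` (referenced further down in this file), is not part of this diff, so whether the login step runs with `no_log: true` cannot be checked here. The `- job:` stanza after the secret is context and continues outside the hunk.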
@@ -269,6 +297,29 @@
 vars:
 image_name: centos-dcos
+- job:
+ name: container-build
+ pre-run: playbooks/container-builder-setup-gate.yaml
+ run: playbooks/container-builder.yaml
+ post-run: playbooks/container-builder-copy-logs.yaml
+ timeout: 1200
+ irrelevant-files:
+ - ^.*\.rst$
+ - ^api-ref/.*$
+ - ^doc/.*$
+ - ^specs/.*$
+ - ^install-guide/.*$
+ - ^releasenotes/.*$
+ - ^magnum/.*$
+
+- job:
+ name: container-publish
+ parent: container-build
+ post-run: playbooks/container-publish.yaml
+ secrets:
+ - magnum_docker_login
+ timeout: 1200
+
 - project:
 templates:
 - openstack-cover-jobs
@@ -286,6 +337,7 @@
 - magnum-functional-swarm-mode
 - openstack-tox-cover:
 voting: false
+ - container-build
 gate:
 queue: magnum
 jobs:
@@ -304,3 +356,6 @@
 - magnum-dib-buildimage-fedora-atomic-25
 - magnum-dib-buildimage-ubuntu-mesos
 - magnum-dib-buildimage-centos-dcos
+ post:
+ jobs:
+ - container-publish
diff --git a/magnum/drivers/common/image/heat-container-agent/Dockerfile b/dockerfiles/heat-container-agent/Dockerfile
similarity index 100%
rename from magnum/drivers/common/image/heat-container-agent/Dockerfile
rename to dockerfiles/heat-container-agent/Dockerfile
diff --git a/magnum/drivers/common/image/heat-container-agent/config.json.template b/dockerfiles/heat-container-agent/config.json.template
similarity index 100%
rename from magnum/drivers/common/image/heat-container-agent/config.json.template
rename to dockerfiles/heat-container-agent/config.json.template
diff --git a/magnum/drivers/common/image/heat-container-agent/launch b/dockerfiles/heat-container-agent/launch
similarity index 100%
rename from magnum/drivers/common/image/heat-container-agent/launch
rename to dockerfiles/heat-container-agent/launch
diff --git a/magnum/drivers/common/image/heat-container-agent/manifest.json b/dockerfiles/heat-container-agent/manifest.json
similarity index 100%
rename from magnum/drivers/common/image/heat-container-agent/manifest.json
rename to dockerfiles/heat-container-agent/manifest.json
diff --git a/magnum/drivers/common/image/heat-container-agent/scripts/50-heat-config-docker-compose b/dockerfiles/heat-container-agent/scripts/50-heat-config-docker-compose
similarity index 100%
rename from magnum/drivers/common/image/heat-container-agent/scripts/50-heat-config-docker-compose
rename to dockerfiles/heat-container-agent/scripts/50-heat-config-docker-compose
diff --git a/magnum/drivers/common/image/heat-container-agent/scripts/55-heat-config b/dockerfiles/heat-container-agent/scripts/55-heat-config
similarity index 100%
rename from magnum/drivers/common/image/heat-container-agent/scripts/55-heat-config
rename to dockerfiles/heat-container-agent/scripts/55-heat-config
diff --git a/magnum/drivers/common/image/heat-container-agent/scripts/configure_container_agent.sh b/dockerfiles/heat-container-agent/scripts/configure_container_agent.sh
similarity index 100%
rename from magnum/drivers/common/image/heat-container-agent/scripts/configure_container_agent.sh
rename to dockerfiles/heat-container-agent/scripts/configure_container_agent.sh
diff --git a/magnum/drivers/common/image/heat-container-agent/scripts/heat-config-notify b/dockerfiles/heat-container-agent/scripts/heat-config-notify
similarity index 100%
rename from magnum/drivers/common/image/heat-container-agent/scripts/heat-config-notify
rename to dockerfiles/heat-container-agent/scripts/heat-config-notify
diff --git a/magnum/drivers/common/image/heat-container-agent/scripts/hooks/atomic b/dockerfiles/heat-container-agent/scripts/hooks/atomic
similarity index 100%
rename from magnum/drivers/common/image/heat-container-agent/scripts/hooks/atomic
rename to dockerfiles/heat-container-agent/scripts/hooks/atomic
diff --git a/magnum/drivers/common/image/heat-container-agent/scripts/hooks/docker-compose b/dockerfiles/heat-container-agent/scripts/hooks/docker-compose
similarity index 100%
rename from magnum/drivers/common/image/heat-container-agent/scripts/hooks/docker-compose
rename to dockerfiles/heat-container-agent/scripts/hooks/docker-compose
diff --git a/magnum/drivers/common/image/heat-container-agent/scripts/hooks/script b/dockerfiles/heat-container-agent/scripts/hooks/script
similarity index 100%
rename from magnum/drivers/common/image/heat-container-agent/scripts/hooks/script
rename to dockerfiles/heat-container-agent/scripts/hooks/script
diff --git a/magnum/drivers/common/image/heat-container-agent/scripts/write-os-apply-config-templates.sh b/dockerfiles/heat-container-agent/scripts/write-os-apply-config-templates.sh
similarity index 100%
rename from magnum/drivers/common/image/heat-container-agent/scripts/write-os-apply-config-templates.sh
rename to dockerfiles/heat-container-agent/scripts/write-os-apply-config-templates.sh
diff --git a/magnum/drivers/common/image/heat-container-agent/service.template b/dockerfiles/heat-container-agent/service.template
similarity index 100%
rename from magnum/drivers/common/image/heat-container-agent/service.template
rename to dockerfiles/heat-container-agent/service.template
diff --git a/magnum/drivers/common/image/heat-container-agent/tmpfiles.template b/dockerfiles/heat-container-agent/tmpfiles.template
similarity index 100%
rename from magnum/drivers/common/image/heat-container-agent/tmpfiles.template
rename to dockerfiles/heat-container-agent/tmpfiles.template
diff --git a/dockerfiles/kubernetes-apiserver/Dockerfile b/dockerfiles/kubernetes-apiserver/Dockerfile
new file mode 100644
index 0000000000..f44d1eddff
--- /dev/null
+++ b/dockerfiles/kubernetes-apiserver/Dockerfile
@@ -0,0 +1,39 @@
+ARG KUBE_VERSION=v1.13.0
+
+FROM registry.fedoraproject.org/fedora:rawhide
+RUN curl -o /root/kubectl -O https://storage.googleapis.com/kubernetes-release/release/${KUBE_VERSION}/bin/linux/amd64/kubectl
+
+FROM gcr.io/google-containers/kube-apiserver-amd64:${KUBE_VERSION}
+
+ENV container=docker
+
+ENV NAME=kubernetes-apiserver VERSION=0.1 RELEASE=8 ARCH=x86_64
+LABEL bzcomponent="$NAME" \
+ name="$FGC/$NAME" \
+ version="$VERSION" \
+ release="$RELEASE.$DISTTAG" \
+ architecture="$ARCH" \
+ atomic.type='system' \
+ maintainer="Jason Brooks "
+
+COPY launch.sh /usr/bin/kube-apiserver-docker.sh
+
+COPY service.template config.json.template /exports/
+
+# copy kubectl into the host, another way to do this would be:
+#
+# echo "runc exec -- kube-apiserver /usr/bin/kubectl \$@" \
+# > /exports/hostfs/usr/local/bin/kubectl && chmod +x \
+# /exports/hostfs/usr/local/bin/kubectl
+#
+# however, this would require hard-coding the container name
+
+COPY apiserver config /etc/kubernetes/
+RUN mkdir -p /exports/hostfs/usr/local/bin/
+COPY --from=0 /root/kubectl /exports/hostfs/usr/local/bin/
+RUN chmod +x /exports/hostfs/usr/local/bin/kubectl && \
+ mkdir -p /exports/hostfs/etc/kubernetes && \
+ cp /etc/kubernetes/config /exports/hostfs/etc/kubernetes/ && \
+ cp /etc/kubernetes/apiserver /exports/hostfs/etc/kubernetes/
+
+ENTRYPOINT ["/usr/bin/kube-apiserver-docker.sh"]
diff --git a/dockerfiles/kubernetes-apiserver/apiserver b/dockerfiles/kubernetes-apiserver/apiserver
new file mode 100644
index 0000000000..8d2a0062f4
--- /dev/null
+++ b/dockerfiles/kubernetes-apiserver/apiserver
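Review bot: `${KUBE_VERSION}` in the first stage's `RUN curl ...` line expands to an empty string, because an `ARG` declared before the first `FROM` is visible only to `FROM` lines; the stage needs its own `ARG KUBE_VERSION` directly after `FROM registry.fedoraproject.org/fedora:rawhide`. With the empty version the URL becomes `.../release//bin/linux/amd64/kubectl`, and since curl runs without `-f` the HTTP error body is saved as `/root/kubectl`, copied into `/exports/hostfs/usr/local/bin/` and made executable, so the build succeeds with a broken kubectl on the host; `RUN curl -fsSL -o /root/kubectl https://storage.googleapis.com/kubernetes-release/release/${KUBE_VERSION}/bin/linux/amd64/kubectl` fails the build instead (the `-O` beside `-o` appears redundant), and comparing the download against the release's published SHA-256 before the `COPY --from=0` would pin what ends up on the host. Separately, `$FGC` and `$DISTTAG` in the `LABEL` are never declared by `ARG` or `ENV`, so `name` and `release` render as `/kubernetes-apiserver` and `8.`; the controller-manager, kubelet and proxy Dockerfiles share that.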
@@ -0,0 +1,26 @@
+###
+# kubernetes system config
+#
+# The following values are used to configure the kube-apiserver
+#
+
+# The address on the local server to listen to.
+KUBE_API_ADDRESS="--insecure-bind-address=127.0.0.1"
+
+# The port on the local server to listen on.
+# KUBE_API_PORT="--port=8080"
+
+# Port minions listen on
+# KUBELET_PORT="--kubelet-port=10250"
+
+# Comma separated list of nodes in the etcd cluster
+KUBE_ETCD_SERVERS="--etcd-servers=http://127.0.0.1:2379,http://127.0.0.1:4001"
+
+# Address range to use for services
+KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
+
+# default admission control policies
+KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
+
+# Add your own!
+KUBE_API_ARGS=""
diff --git a/dockerfiles/kubernetes-apiserver/config b/dockerfiles/kubernetes-apiserver/config
new file mode 100644
index 0000000000..8c0a28493f
--- /dev/null
+++ b/dockerfiles/kubernetes-apiserver/config
@@ -0,0 +1,22 @@
+###
+# kubernetes system config
+#
+# The following values are used to configure various aspects of all
+# kubernetes services, including
+#
+# kube-apiserver.service
+# kube-controller-manager.service
+# kube-scheduler.service
+# kubelet.service
+# kube-proxy.service
+# logging to stderr means we get it in the systemd journal
+KUBE_LOGTOSTDERR="--logtostderr=true"
+
+# journal message level, 0 is debug
+KUBE_LOG_LEVEL="--v=0"
+
+# Should this cluster be allowed to run privileged docker containers
+KUBE_ALLOW_PRIV="--allow-privileged=false"
+
+# How the controller-manager, scheduler, and proxy find the apiserver
+KUBE_MASTER="--master=http://127.0.0.1:8080"
diff --git a/dockerfiles/kubernetes-apiserver/config.json.template b/dockerfiles/kubernetes-apiserver/config.json.template
new file mode 100644
index 0000000000..c08b958572
--- /dev/null
+++ b/dockerfiles/kubernetes-apiserver/config.json.template
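Review bot: `KUBE_ADMISSION_CONTROL` uses `--admission-control`, which kube-apiserver has deprecated since 1.10 in favour of `--enable-admission-plugins`; it still works with the `v1.13.0` pinned in the Dockerfile, but the launch will break once `KUBE_VERSION` is bumped past the flag's removal, so `KUBE_ADMISSION_CONTROL="--enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"` is the safer default to ship. This file and the `config` file in the hunk below are the defaults the Dockerfile copies to `/exports/hostfs/etc/kubernetes`, while `launch.sh` sources them from the host's `/etc/kubernetes` bind mount, so a header comment such as `# Defaults exported to the host; the copy under the host's /etc/kubernetes is what launch.sh actually sources` would spare readers a trip through the OCI template to work that out.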
@@ -0,0 +1,192 @@ +{ + "ociVersion": "1.0.0", + "platform": { + "os": "linux", + "arch": "amd64" + }, + "process": { + "terminal": false, + "user": { + "uid": 996, + "gid": 994 + }, + "args": [ + "/usr/bin/kube-apiserver-docker.sh" + ], + "env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "TERM=xterm" + ], + "cwd": "/", + "capabilities": { + "bounding": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ], + "permitted": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ], + "inheritable": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ], + "effective": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ], + "ambient": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ] + }, + "rlimits": [ + { + "type": "RLIMIT_NOFILE", + "hard": 131072, + "soft": 131072 + } + ] + }, + "root": { + "path": "rootfs", + "readonly": true + }, + "mounts": [ + { + "destination": "/proc", + "type": "proc", + "source": "proc" + }, + { + "destination": "/dev", + "type": "tmpfs", + "source": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "type": "devpts", + "source": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "type": "tmpfs", + "source": "shm", + "options": [ + "nosuid", + "noexec", + "nodev", + "mode=1777", + "size=65536k" + ] + }, + { + "destination": "/dev/mqueue", + "type": "mqueue", + "source": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "type": "sysfs", + "source": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys/fs/cgroup", + "type": "cgroup", + "source": "cgroup", + 
"options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "relatime",
+ "ro"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/etc/kubernetes",
+ "destination": "/etc/kubernetes",
+ "options": [
+ "rbind",
+ "ro",
+ "rprivate"
+ ]
+ },
+ {
+ "destination": "/etc/resolv.conf",
+ "type": "bind",
+ "source": "/etc/resolv.conf",
+ "options": [
+ "ro",
+ "rbind",
+ "rprivate"
+ ]
+ },
+ {
+ "destination": "/var/run/kubernetes",
+ "type": "bind",
+ "source": "/var/run/kubernetes",
+ "options": [
+ "rw",
+ "rbind"
+ ]
+ }
+ ],
+ "linux": {
+ "resources": {
+ "devices": [
+ {
+ "allow": false,
+ "access": "rwm"
+ }
+ ]
+ },
+ "namespaces": [
+ {
+ "type": "pid"
+ },
+ {
+ "type": "ipc"
+ },
+ {
+ "type": "mount"
+ }
+ ],
+ "devices": null,
+ "apparmorProfile": ""
+ }
+}
diff --git a/dockerfiles/kubernetes-apiserver/launch.sh b/dockerfiles/kubernetes-apiserver/launch.sh
new file mode 100755
index 0000000000..d2dcd3ecf6
--- /dev/null
+++ b/dockerfiles/kubernetes-apiserver/launch.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+. /etc/kubernetes/apiserver
+. /etc/kubernetes/config
+
+ARGS="$@ $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_ETCD_SERVERS $KUBE_API_ADDRESS $KUBE_API_PORT $KUBELET_PORT $KUBE_ALLOW_PRIV $KUBE_SERVICE_ADDRESSES $KUBE_ADMISSION_CONTROL $KUBE_API_ARGS"
+
+ARGS=$(echo $ARGS | sed s#--tls-ca-file=/etc/kubernetes/certs/ca.crt##)
+
+exec /usr/local/bin/kube-apiserver $ARGS
diff --git a/dockerfiles/kubernetes-apiserver/service.template b/dockerfiles/kubernetes-apiserver/service.template
new file mode 100644
index 0000000000..d895a99825
--- /dev/null
+++ b/dockerfiles/kubernetes-apiserver/service.template
@@ -0,0 +1,12 @@
+[Unit]
+Description=kubernetes-apiserver
+
+[Service]
+ExecStart=$EXEC_START
+ExecStop=$EXEC_STOP
+Restart=on-failure
+WorkingDirectory=$DESTDIR
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/dockerfiles/kubernetes-apiserver/sources b/dockerfiles/kubernetes-apiserver/sources
new file mode 100644
index 0000000000..e69de29bb2
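Review bot: The `process` block runs the apiserver as uid 996/gid 994 with a four-capability set but never sets `noNewPrivileges`, so it is left at the runtime's default; nothing in `launch.sh` needs setuid binaries or file capabilities, so adding `"noNewPrivileges": true,` after `"terminal": false,` closes off privilege re-acquisition cheaply (the kubelet template spells the field out explicitly, as `false`, so the project already relies on it). The controller-manager `config.json.template` has the same `process` block and the same gap. The `process` block itself begins in the earlier part of this hunk.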
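Review bot: The `sed s#--tls-ca-file=/etc/kubernetes/certs/ca.crt##` line silently rewrites whatever `KUBE_API_ARGS` the host config supplies, with no comment on why that one flag is removed (presumably because this kube-apiserver build no longer accepts `--tls-ca-file`); a line above it such as `# drop --tls-ca-file, not accepted by this kube-apiserver version -- TODO(review): confirm and cite the upstream change` would stop someone re-adding the flag in the host config and wondering why it has no effect. The pattern is also a literal path match, so a CA file configured at any other location passes straight through to the binary. The kubelet `launch.sh` strips `--cadvisor-port=0` the same undocumented way.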
diff --git a/dockerfiles/kubernetes-controller-manager/Dockerfile b/dockerfiles/kubernetes-controller-manager/Dockerfile
new file mode 100644
index 0000000000..2c7fd9b6d4
--- /dev/null
+++ b/dockerfiles/kubernetes-controller-manager/Dockerfile
@@ -0,0 +1,24 @@
+ARG KUBE_VERSION=v1.13.0
+FROM gcr.io/google-containers/kube-controller-manager-amd64:${KUBE_VERSION}
+
+ENV container=docker
+
+ENV NAME=kubernetes-controller-manager VERSION=0.1 RELEASE=8 ARCH=x86_64
+LABEL bzcomponent="$NAME" \
+ name="$FGC/$NAME" \
+ version="$VERSION" \
+ release="$RELEASE.$DISTTAG" \
+ architecture="$ARCH" \
+ atomic.type='system' \
+ maintainer="Jason Brooks "
+
+COPY launch.sh /usr/bin/kube-controller-manager-docker.sh
+
+COPY service.template config.json.template /exports/
+
+COPY controller-manager config /etc/kubernetes/
+RUN mkdir -p /exports/hostfs/etc/kubernetes && \
+ cp /etc/kubernetes/config /exports/hostfs/etc/kubernetes/ && \
+ cp /etc/kubernetes/controller-manager /exports/hostfs/etc/kubernetes/
+
+ENTRYPOINT ["/usr/bin/kube-controller-manager-docker.sh"]
diff --git a/dockerfiles/kubernetes-controller-manager/config b/dockerfiles/kubernetes-controller-manager/config
new file mode 100644
index 0000000000..8c0a28493f
--- /dev/null
+++ b/dockerfiles/kubernetes-controller-manager/config
@@ -0,0 +1,22 @@
+###
+# kubernetes system config
+#
+# The following values are used to configure various aspects of all
+# kubernetes services, including
+#
+# kube-apiserver.service
+# kube-controller-manager.service
+# kube-scheduler.service
+# kubelet.service
+# kube-proxy.service
+# logging to stderr means we get it in the systemd journal
+KUBE_LOGTOSTDERR="--logtostderr=true"
+
+# journal message level, 0 is debug
+KUBE_LOG_LEVEL="--v=0"
+
+# Should this cluster be allowed to run privileged docker containers
+KUBE_ALLOW_PRIV="--allow-privileged=false"
+
+# How the controller-manager, scheduler, and proxy find the apiserver
+KUBE_MASTER="--master=http://127.0.0.1:8080"
diff --git a/dockerfiles/kubernetes-controller-manager/config.json.template b/dockerfiles/kubernetes-controller-manager/config.json.template
new file mode 100644
index 0000000000..21f6eed080
--- /dev/null
+++ b/dockerfiles/kubernetes-controller-manager/config.json.template
@@ -0,0 +1,183 @@ +{ + "ociVersion": "1.0.0", + "platform": { + "os": "linux", + "arch": "amd64" + }, + "process": { + "terminal": false, + "user": { + "uid": 996, + "gid": 994 + }, + "args": [ + "/usr/bin/kube-controller-manager-docker.sh" + ], + "env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "TERM=xterm" + ], + "cwd": "/", + "capabilities": { + "bounding": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ], + "permitted": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ], + "inheritable": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ], + "effective": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ], + "ambient": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ] + }, + "rlimits": [ + { + "type": "RLIMIT_NOFILE", + "hard": 131072, + "soft": 131072 + } + ] + }, + "root": { + "path": "rootfs", + "readonly": true + }, + "mounts": [ + { + "destination": "/proc", + "type": "proc", + "source": "proc" + }, + { + "destination": "/dev", + "type": "tmpfs", + "source": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "type": "devpts", + "source": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "type": "tmpfs", + "source": "shm", + "options": [ + "nosuid", + "noexec", + "nodev", + "mode=1777", + "size=65536k" + ] + }, + { + "destination": "/dev/mqueue", + "type": "mqueue", + "source": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "type": "sysfs", + "source": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys/fs/cgroup", + "type": "cgroup", + "source": "cgroup", + 
"options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "relatime",
+ "ro"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/etc/kubernetes",
+ "destination": "/etc/kubernetes",
+ "options": [
+ "rbind",
+ "ro",
+ "rprivate"
+ ]
+ },
+ {
+ "destination": "/etc/resolv.conf",
+ "type": "bind",
+ "source": "/etc/resolv.conf",
+ "options": [
+ "ro",
+ "rbind",
+ "rprivate"
+ ]
+ }
+ ],
+ "linux": {
+ "resources": {
+ "devices": [
+ {
+ "allow": false,
+ "access": "rwm"
+ }
+ ]
+ },
+ "namespaces": [
+ {
+ "type": "pid"
+ },
+ {
+ "type": "ipc"
+ },
+ {
+ "type": "mount"
+ }
+ ],
+ "devices": null,
+ "apparmorProfile": ""
+ }
+}
diff --git a/dockerfiles/kubernetes-controller-manager/controller-manager b/dockerfiles/kubernetes-controller-manager/controller-manager
new file mode 100644
index 0000000000..1a9e3f204c
--- /dev/null
+++ b/dockerfiles/kubernetes-controller-manager/controller-manager
@@ -0,0 +1,7 @@
+###
+# The following values are used to configure the kubernetes controller-manager
+
+# defaults from config and apiserver should be adequate
+
+# Add your own!
+KUBE_CONTROLLER_MANAGER_ARGS=""
diff --git a/dockerfiles/kubernetes-controller-manager/launch.sh b/dockerfiles/kubernetes-controller-manager/launch.sh
new file mode 100755
index 0000000000..3cc2d38b0d
--- /dev/null
+++ b/dockerfiles/kubernetes-controller-manager/launch.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+. /etc/kubernetes/controller-manager
+. /etc/kubernetes/config
+
+ARGS="$@ $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUBE_CONTROLLER_MANAGER_ARGS"
+
+ARGS="${ARGS} --secure-port=0"
+
+exec /usr/local/bin/kube-controller-manager $ARGS
diff --git a/dockerfiles/kubernetes-controller-manager/service.template b/dockerfiles/kubernetes-controller-manager/service.template
new file mode 100644
index 0000000000..d73b0b35c8
--- /dev/null
+++ b/dockerfiles/kubernetes-controller-manager/service.template
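Review bot: `ARGS="${ARGS} --secure-port=0"` switches off the controller-manager's authenticated HTTPS endpoint and leaves only the unauthenticated insecure `--port` for healthz and metrics (in this release that port binds to `--address`, which defaults to 0.0.0.0 unless the host config sets it), with no comment explaining the choice; it deserves `# disable the HTTPS serving port: <reason>` and, unless something needs remote access, `--address=127.0.0.1` next to it so the remaining endpoint stays on loopback. Because the flag is appended after the host-supplied arguments, a `--secure-port` set in `/etc/kubernetes/controller-manager` is overridden rather than honoured, which the comment should also say.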
@@ -0,0 +1,12 @@
+[Unit]
+Description=kubernetes-controller-manager
+
+[Service]
+ExecStart=$EXEC_START
+ExecStop=$EXEC_STOP
+Restart=on-failure
+WorkingDirectory=$DESTDIR
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/dockerfiles/kubernetes-controller-manager/sources b/dockerfiles/kubernetes-controller-manager/sources
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/dockerfiles/kubernetes-kubelet/Dockerfile b/dockerfiles/kubernetes-kubelet/Dockerfile
new file mode 100644
index 0000000000..4b5c29c3c6
--- /dev/null
+++ b/dockerfiles/kubernetes-kubelet/Dockerfile
@@ -0,0 +1,24 @@
+ARG KUBE_VERSION=v1.13.0
+FROM gcr.io/google-containers/hyperkube-amd64:${KUBE_VERSION}
+
+ENV container=docker
+
+ENV NAME=kubernetes-kubelet VERSION=0 RELEASE=8 ARCH=x86_64
+LABEL bzcomponent="$NAME" \
+ name="$FGC/$NAME" \
+ version="$VERSION" \
+ release="$RELEASE.$DISTTAG" \
+ architecture="$ARCH" \
+ atomic.type='system' \
+ maintainer="Jason Brooks "
+
+COPY launch.sh /usr/bin/kubelet-docker.sh
+COPY kubelet config /etc/kubernetes/
+
+COPY manifest.json tmpfiles.template service.template config.json.template /exports/
+
+RUN mkdir -p /exports/hostfs/etc/cni/net.d && \
+ mkdir -p /exports/hostfs/etc/kubernetes && \
+ cp /etc/kubernetes/{config,kubelet} /exports/hostfs/etc/kubernetes
+
+ENTRYPOINT ["/usr/bin/kubelet-docker.sh"]
diff --git a/dockerfiles/kubernetes-kubelet/config b/dockerfiles/kubernetes-kubelet/config
new file mode 100644
index 0000000000..8c0a28493f
--- /dev/null
+++ b/dockerfiles/kubernetes-kubelet/config
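Review bot: `cp /etc/kubernetes/{config,kubelet} /exports/hostfs/etc/kubernetes` in the kubelet Dockerfile relies on brace expansion, which `RUN` does not provide because it executes through `/bin/sh -c`; if `/bin/sh` in the hyperkube base image is dash (as on Debian-based images), the literal path `/etc/kubernetes/{config,kubelet}` reaches `cp` and the build fails. Spell the sources out as the sibling Dockerfiles already do: `cp /etc/kubernetes/config /etc/kubernetes/kubelet /exports/hostfs/etc/kubernetes/`.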
@@ -0,0 +1,22 @@
+###
+# kubernetes system config
+#
+# The following values are used to configure various aspects of all
+# kubernetes services, including
+#
+# kube-apiserver.service
+# kube-controller-manager.service
+# kube-scheduler.service
+# kubelet.service
+# kube-proxy.service
+# logging to stderr means we get it in the systemd journal
+KUBE_LOGTOSTDERR="--logtostderr=true"
+
+# journal message level, 0 is debug
+KUBE_LOG_LEVEL="--v=0"
+
+# Should this cluster be allowed to run privileged docker containers
+KUBE_ALLOW_PRIV="--allow-privileged=false"
+
+# How the controller-manager, scheduler, and proxy find the apiserver
+KUBE_MASTER="--master=http://127.0.0.1:8080"
diff --git a/dockerfiles/kubernetes-kubelet/config.json.template b/dockerfiles/kubernetes-kubelet/config.json.template
new file mode 100644
index 0000000000..62ad4a5592
--- /dev/null
+++ b/dockerfiles/kubernetes-kubelet/config.json.template
@@ -0,0 +1,424 @@ +{ + "ociVersion": "1.0.0", + "platform": { + "os": "linux", + "arch": "amd64" + }, + "process": { + "terminal": false, + "user": {}, + "args": [ + "/usr/bin/kubelet-docker.sh" + ], + "env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "TERM=xterm" + ], + "noNewPrivileges": false, + "cwd": "/", + "capabilities": { + "bounding": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND" + ], + "permitted": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND" + ], + "inheritable": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + 
"CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND" + ], + "effective": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND" + ], + "ambient": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + 
"CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND" + ] + }, + "rlimits": [ + { + "type": "RLIMIT_NOFILE", + "hard": 131072, + "soft": 131072 + } + ] + }, + "root": { + "path": "rootfs", + "readonly": true + }, + "mounts": [ + { + "destination": "/proc", + "type": "proc", + "source": "proc" + }, + { + "source": "/dev", + "destination": "/dev", + "type": "bind", + "options": [ + "rbind", + "rslave" + ] + }, + { + "destination": "/dev/pts", + "type": "devpts", + "source": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "type": "tmpfs", + "source": "shm", + "options": [ + "nosuid", + "noexec", + "nodev", + "mode=1777", + "size=65536k" + ] + }, + { + "type": "bind", + "source": "/sys", + "destination": "/sys", + "options": [ + "rbind", + "rw" + ] + }, + { + "type": "bind", + "source": "/etc/cni/net.d", + "destination": "/etc/cni/net.d", + "options": [ + "bind", + "slave", + "rw", + "mode=777" + ] + }, + { + "type": "bind", + "source": "/etc/kubernetes", + "destination": "/etc/kubernetes", + "options": [ + "rbind", + "ro", + "rprivate" + ] + }, + { + "type": "bind", + "source": "/etc/localtime", + "destination": "/etc/localtime", + "options": [ + "rbind", + "ro" + ] + }, + { + "type": "bind", + "source": "/etc/hosts", + "destination": "/etc/hosts", + "options": [ + "rbind", + "ro" + ] + }, + { + "type": "bind", + "source": "/etc/pki", + "destination": "/etc/pki", + "options": [ + "bind", + "ro" + ] + }, + { + "destination": "/etc/resolv.conf", + "type": "bind", + "source": "/etc/resolv.conf", + "options": [ + "ro", + "bind" + ] + }, + { + "type": "bind", + "source": "/", + "destination": "/rootfs", + "options": [ + "rbind", + "rslave", + "ro" + ] + }, + { + "type": "bind", + "source": "/var/run/secrets", + "destination": "/var/run/secrets", + "options": [ + "rbind", + "rw", + "mode=755" + ] + }, + { + "type": "bind", + "source": "${RUN_DIRECTORY}", + "destination": "/run", + 
"options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "${STATE_DIRECTORY}",
+ "destination": "/var/lib",
+ "options": [
+ "bind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "${STATE_DIRECTORY}/kubelet",
+ "destination": "/var/lib/kubelet",
+ "options": [
+ "rbind",
+ "rshared",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/var/log",
+ "destination": "/var/log",
+ "options": [
+ "bind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "destination": "/tmp",
+ "type": "tmpfs",
+ "source": "tmpfs",
+ "options": [
+ "mode=755",
+ "size=65536k"
+ ]
+ }
+ $ADDTL_MOUNTS
+ ],
+ "linux": {
+ "rootfsPropagation": "rslave",
+ "resources": {
+ "devices": [
+ {
+ "allow": true,
+ "access": "rwm"
+ }
+ ]
+ },
+ "namespaces": [
+ {
+ "type": "mount"
+ }
+ ],
+ "devices": null,
+ "apparmorProfile": ""
+ }
+}
diff --git a/dockerfiles/kubernetes-kubelet/kubelet b/dockerfiles/kubernetes-kubelet/kubelet
new file mode 100644
index 0000000000..a623673960
--- /dev/null
+++ b/dockerfiles/kubernetes-kubelet/kubelet
@@ -0,0 +1,17 @@
+###
+# kubernetes kubelet (minion) config
+
+# The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
+KUBELET_ADDRESS="--address=127.0.0.1"
+
+# The port for the info server to serve on
+# KUBELET_PORT="--port=10250"
+
+# You may leave this blank to use the actual hostname
+KUBELET_HOSTNAME="--hostname-override=127.0.0.1"
+
+# Edit the kubelet.kubeconfig to have correct cluster server address
+KUBELET_KUBECONFIG=/etc/kubernetes/kubelet.kubeconfig
+
+# Add your own!
+KUBELET_ARGS="--cgroup-driver=systemd --fail-swap-on=false"
diff --git a/dockerfiles/kubernetes-kubelet/launch.sh b/dockerfiles/kubernetes-kubelet/launch.sh
new file mode 100755
index 0000000000..1b809ff721
--- /dev/null
+++ b/dockerfiles/kubernetes-kubelet/launch.sh
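Review bot: `$ADDTL_MOUNTS` is spliced in directly after the last mount object with no separating comma, so any non-empty value supplied at install time must itself begin with `,` or the rendered file is not valid JSON; the default of `""` in `manifest.json` hides this until someone adds a mount. Neither file admits a comment, so the constraint should be recorded in the image README next to the `ADDTL_MOUNTS` description. Also worth stating there: `mode=755` and `mode=777` are given as options on bind mounts (`/etc/cni/net.d`, `/var/run/secrets`, `/run`, `/var/lib`, `/var/log`), where mount(2) ignores mode data for `MS_BIND`, so they read as intent rather than taking effect — TODO confirm against the runtime in use. The `mounts` array begins in the earlier part of this hunk.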
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+. /etc/kubernetes/kubelet
+. /etc/kubernetes/config
+
+TEMP_KUBELET_ARGS='--cgroups-per-qos=false --enforce-node-allocatable='
+
+ARGS="$@ $TEMP_KUBELET_ARGS $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBELET_API_SERVER $KUBELET_ADDRESS $KUBELET_PORT $KUBELET_HOSTNAME $KUBE_ALLOW_PRIV $KUBELET_ARGS"
+
+ARGS=$(echo $ARGS | sed s/--cadvisor-port=0//)
+
+exec /hyperkube kubelet $ARGS --containerized
diff --git a/dockerfiles/kubernetes-kubelet/manifest.json b/dockerfiles/kubernetes-kubelet/manifest.json
new file mode 100644
index 0000000000..1c8f6f4008
--- /dev/null
+++ b/dockerfiles/kubernetes-kubelet/manifest.json
@@ -0,0 +1,6 @@
+{
+ "version": "1.0",
+ "defaultValues": {
+ "ADDTL_MOUNTS": ""
+ }
+}
diff --git a/dockerfiles/kubernetes-kubelet/service.template b/dockerfiles/kubernetes-kubelet/service.template
new file mode 100644
index 0000000000..54d70b0c0d
--- /dev/null
+++ b/dockerfiles/kubernetes-kubelet/service.template
@@ -0,0 +1,13 @@
+[Unit]
+Description=kubernetes-kubelet
+After=docker.service
+
+[Service]
+ExecStart=$EXEC_START
+ExecStop=$EXEC_STOP
+Restart=on-failure
+WorkingDirectory=$DESTDIR
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/dockerfiles/kubernetes-kubelet/sources b/dockerfiles/kubernetes-kubelet/sources
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/dockerfiles/kubernetes-kubelet/tmpfiles.template b/dockerfiles/kubernetes-kubelet/tmpfiles.template
new file mode 100644
index 0000000000..b15bfa8e15
--- /dev/null
+++ b/dockerfiles/kubernetes-kubelet/tmpfiles.template
@@ -0,0 +1,3 @@
+d ${STATE_DIRECTORY}/kubelet - - - - -
+d /var/lib/cni - - - - -
+d /var/run/secrets - - - - -
diff --git a/dockerfiles/kubernetes-proxy/Dockerfile b/dockerfiles/kubernetes-proxy/Dockerfile
new file mode 100644
index 0000000000..a4a16c7a69
--- /dev/null
+++ b/dockerfiles/kubernetes-proxy/Dockerfile
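Review bot: `ARGS` interpolates `$KUBELET_API_SERVER`, but the shipped `kubelet` config defines `KUBELET_KUBECONFIG=/etc/kubernetes/kubelet.kubeconfig` instead and nothing in this script turns that into a flag, so with the defaults as shipped the kubelet starts with neither `--kubeconfig` nor an apiserver address; either pass `--kubeconfig=$KUBELET_KUBECONFIG` or document that the host-provided `/etc/kubernetes/kubelet` is expected to set `KUBELET_API_SERVER`. `TEMP_KUBELET_ARGS` disables QoS cgroups and node-allocatable enforcement and the `sed` drops `--cadvisor-port=0`, all without a word on why; a comment such as `# containerized-under-atomic workarounds: no cgroups-per-qos / node-allocatable enforcement; --cadvisor-port is no longer accepted by this kubelet -- TODO(review): confirm and link the tracking bug` would let a later version bump remove them deliberately. Note that `--enforce-node-allocatable=` reserves nothing for system daemons, a capacity trade-off worth stating in that comment.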
@@ -0,0 +1,24 @@
+ARG KUBE_VERSION=v1.13.0
+FROM gcr.io/google-containers/kube-proxy-amd64:${KUBE_VERSION}
+ENV container=docker
+
+ENV NAME=kubernetes-proxy VERSION=0 RELEASE=8 ARCH=x86_64
+LABEL bzcomponent="$NAME" \
+ name="$FGC/$NAME" \
+ version="$VERSION" \
+ release="$RELEASE.$DISTTAG" \
+ architecture="$ARCH" \
+ atomic.type='system' \
+ maintainer="Jason Brooks "
+
+COPY launch.sh /usr/bin/kube-proxy-docker.sh
+
+COPY service.template config.json.template /exports/
+
+COPY proxy config /etc/kubernetes/
+RUN mkdir -p /exports/hostfs/etc/kubernetes && \
+ cp /etc/kubernetes/config /exports/hostfs/etc/kubernetes/ && \
+ cp /etc/kubernetes/proxy /exports/hostfs/etc/kubernetes/
+
+ENTRYPOINT ["/usr/bin/kube-proxy-docker.sh"]
+
diff --git a/dockerfiles/kubernetes-proxy/config b/dockerfiles/kubernetes-proxy/config
new file mode 100644
index 0000000000..8c0a28493f
--- /dev/null
+++ b/dockerfiles/kubernetes-proxy/config
@@ -0,0 +1,22 @@
+###
+# kubernetes system config
+#
+# The following values are used to configure various aspects of all
+# kubernetes services, including
+#
+# kube-apiserver.service
+# kube-controller-manager.service
+# kube-scheduler.service
+# kubelet.service
+# kube-proxy.service
+# logging to stderr means we get it in the systemd journal
+KUBE_LOGTOSTDERR="--logtostderr=true"
+
+# journal message level, 0 is debug
+KUBE_LOG_LEVEL="--v=0"
+
+# Should this cluster be allowed to run privileged docker containers
+KUBE_ALLOW_PRIV="--allow-privileged=false"
+
+# How the controller-manager, scheduler, and proxy find the apiserver
+KUBE_MASTER="--master=http://127.0.0.1:8080"
diff --git a/dockerfiles/kubernetes-proxy/config.json.template b/dockerfiles/kubernetes-proxy/config.json.template
new file mode 100644
index 0000000000..e8f7d83d59
--- /dev/null
+++ b/dockerfiles/kubernetes-proxy/config.json.template
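Review bot: `LABEL name="$FGC/$NAME"` and `release="$RELEASE.$DISTTAG"` reference `$FGC` and `$DISTTAG`, which no `ARG` or `ENV` in this Dockerfile declares, so the labels are stamped as `/kubernetes-proxy` and `8.`; the scheduler Dockerfile in this commit has the same gap. Declare them (`ARG FGC=<placeholder>` and `ARG DISTTAG=<placeholder>` before the `LABEL`) or drop the two labels, and fill in or remove the empty address in `maintainer="Jason Brooks "`. The base image is pinned only by the `${KUBE_VERSION}` tag; for images this commit also publishes, pinning by digest (`@sha256:<digest>`) — or at least recording the resolved digest in the build log — protects against a re-pushed tag silently changing what ships.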
@@ -0,0 +1,358 @@ +{ + "ociVersion": "1.0.0", + "platform": { + "os": "linux", + "arch": "amd64" + }, + "process": { + "terminal": false, + "user": { + "uid": 0, + "gid": 0 + }, + "args": [ + "/usr/bin/kube-proxy-docker.sh" + ], + "env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "TERM=xterm" + ], + "cwd": "/", + "capabilities": { + "bounding": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND" + ], + "permitted": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND" + ], + "inheritable": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + 
"CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND" + ], + "effective": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + "CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND" + ], + "ambient": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE", + "CAP_AUDIT_WRITE", + "CAP_AUDIT_CONTROL", + "CAP_SETFCAP", + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", + 
"CAP_WAKE_ALARM", + "CAP_BLOCK_SUSPEND" + ] + }, + "rlimits": [ + { + "type": "RLIMIT_NOFILE", + "hard": 131072, + "soft": 131072 + } + ] + }, + "root": { + "path": "rootfs", + "readonly": true + }, + "mounts": [ + { + "destination": "/proc", + "type": "proc", + "source": "proc" + }, + { + "destination": "/dev", + "type": "tmpfs", + "source": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "type": "devpts", + "source": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "type": "tmpfs", + "source": "shm", + "options": [ + "nosuid", + "noexec", + "nodev", + "mode=1777", + "size=65536k" + ] + }, + { + "destination": "/dev/mqueue", + "type": "mqueue", + "source": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "type": "sysfs", + "source": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys/fs/cgroup", + "type": "cgroup", + "source": "cgroup", + "options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + }, + { + "type": "bind", + "source": "/etc/kubernetes", + "destination": "/etc/kubernetes", + "options": [ + "rbind", + "ro", + "rprivate" + ] + }, + { + "destination": "/etc/resolv.conf", + "type": "bind", + "source": "/etc/resolv.conf", + "options": [ + "ro", + "rbind", + "rprivate" + ] + }, + { + "type": "bind", + "source": "/run", + "destination": "/run", + "options": [ + "rbind", + "rw", + "mode=755" + ] + } + ], + "linux": { + "resources": { + "devices": [ + { + "allow": false, + "access": "rwm" + } + ] + }, + "namespaces": [ + { + "type": "pid" + }, + { + "type": "ipc" + }, + { + "type": "mount" + } + ], + "devices": null, + "apparmorProfile": "" + } +} 
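Review bot: kube-proxy's container is granted the entire capability set in all five of bounding/permitted/inheritable/effective/ambient, as uid 0, including CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_PTRACE and CAP_MAC_ADMIN, while the scheduler template in this same commit shows the intended least-privilege shape (a non-root uid and four capabilities). kube-proxy does need host networking plus CAP_NET_ADMIN and CAP_NET_RAW to program iptables, and possibly CAP_SYS_MODULE if it must load netfilter/IPVS modules itself, but nothing visible in this template justifies the rest. Trim the five lists to that set, keep the read-only root, the `"allow": false` device rule and the `ro`/`rprivate` bind mounts, and record the justification for each remaining capability in a README beside the template, since the JSON cannot carry comments.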
diff --git a/dockerfiles/kubernetes-proxy/launch.sh b/dockerfiles/kubernetes-proxy/launch.sh
new file mode 100755
index 0000000000..ea865354ca
--- /dev/null
+++ b/dockerfiles/kubernetes-proxy/launch.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+. /etc/kubernetes/proxy
+. /etc/kubernetes/config
+
+ARGS="$@ $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUBE_PROXY_ARGS"
+
+exec /usr/local/bin/kube-proxy $ARGS
diff --git a/dockerfiles/kubernetes-proxy/proxy b/dockerfiles/kubernetes-proxy/proxy
new file mode 100644
index 0000000000..034276831b
--- /dev/null
+++ b/dockerfiles/kubernetes-proxy/proxy
@@ -0,0 +1,7 @@
+###
+# kubernetes proxy config
+
+# default config should be adequate
+
+# Add your own!
+KUBE_PROXY_ARGS=""
diff --git a/dockerfiles/kubernetes-proxy/service.template b/dockerfiles/kubernetes-proxy/service.template
new file mode 100644
index 0000000000..3abf07a4ff
--- /dev/null
+++ b/dockerfiles/kubernetes-proxy/service.template
@@ -0,0 +1,12 @@
+[Unit]
+Description=kubernetes-proxy
+
+[Service]
+ExecStart=$EXEC_START
+ExecStop=$EXEC_STOP
+Restart=on-failure
+WorkingDirectory=$DESTDIR
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/dockerfiles/kubernetes-proxy/sources b/dockerfiles/kubernetes-proxy/sources
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/dockerfiles/kubernetes-scheduler/Dockerfile b/dockerfiles/kubernetes-scheduler/Dockerfile
new file mode 100644
index 0000000000..6731c9d8cd
--- /dev/null
+++ b/dockerfiles/kubernetes-scheduler/Dockerfile
@@ -0,0 +1,23 @@
+ARG KUBE_VERSION=v1.13.0
+FROM gcr.io/google-containers/kube-scheduler-amd64:${KUBE_VERSION}
+ENV container=docker
+
+ENV NAME=kubernetes-scheduler VERSION=0.1 RELEASE=8 ARCH=x86_64
+LABEL bzcomponent="$NAME" \
+ name="$FGC/$NAME" \
+ version="$VERSION" \
+ release="$RELEASE.$DISTTAG" \
+ architecture="$ARCH" \
+ atomic.type='system' \
+ maintainer="Jason Brooks "
+
+COPY launch.sh /usr/bin/kube-scheduler-docker.sh
+
+COPY service.template config.json.template /exports/
+
+COPY scheduler config /etc/kubernetes/
+RUN mkdir -p /exports/hostfs/etc/kubernetes && \
+ cp /etc/kubernetes/config /exports/hostfs/etc/kubernetes/ && \
+ cp /etc/kubernetes/scheduler /exports/hostfs/etc/kubernetes/
+
+ENTRYPOINT ["/usr/bin/kube-scheduler-docker.sh"]
diff --git a/dockerfiles/kubernetes-scheduler/config b/dockerfiles/kubernetes-scheduler/config
new file mode 100644
index 0000000000..8c0a28493f
--- /dev/null
+++ b/dockerfiles/kubernetes-scheduler/config
@@ -0,0 +1,22 @@
+###
+# kubernetes system config
+#
+# The following values are used to configure various aspects of all
+# kubernetes services, including
+#
+# kube-apiserver.service
+# kube-controller-manager.service
+# kube-scheduler.service
+# kubelet.service
+# kube-proxy.service
+# logging to stderr means we get it in the systemd journal
+KUBE_LOGTOSTDERR="--logtostderr=true"
+
+# journal message level, 0 is debug
+KUBE_LOG_LEVEL="--v=0"
+
+# Should this cluster be allowed to run privileged docker containers
+KUBE_ALLOW_PRIV="--allow-privileged=false"
+
+# How the controller-manager, scheduler, and proxy find the apiserver
+KUBE_MASTER="--master=http://127.0.0.1:8080"
diff --git a/dockerfiles/kubernetes-scheduler/config.json.template b/dockerfiles/kubernetes-scheduler/config.json.template
new file mode 100644
index 0000000000..0af371c114
--- /dev/null
+++ b/dockerfiles/kubernetes-scheduler/config.json.template
@@ -0,0 +1,183 @@ +{ + "ociVersion": "1.0.0", + "platform": { + "os": "linux", + "arch": "amd64" + }, + "process": { + "terminal": false, + "user": { + "uid": 996, + "gid": 994 + }, + "args": [ + "/usr/bin/kube-scheduler-docker.sh" + ], + "env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "TERM=xterm" + ], + "cwd": "/", + "capabilities": { + "bounding": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ], + "permitted": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ], + "inheritable": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ], + "effective": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ], + "ambient": [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE", + "CAP_DAC_READ_SEARCH" + ] + }, + "rlimits": [ + { + "type": "RLIMIT_NOFILE", + "hard": 131072, + "soft": 131072 + } + ] + }, + "root": { + "path": "rootfs", + "readonly": true + }, + "mounts": [ + { + "destination": "/proc", + "type": "proc", + "source": "proc" + }, + { + "destination": "/dev", + "type": "tmpfs", + "source": "tmpfs", + "options": [ + "nosuid", + "strictatime", + "mode=755", + "size=65536k" + ] + }, + { + "destination": "/dev/pts", + "type": "devpts", + "source": "devpts", + "options": [ + "nosuid", + "noexec", + "newinstance", + "ptmxmode=0666", + "mode=0620", + "gid=5" + ] + }, + { + "destination": "/dev/shm", + "type": "tmpfs", + "source": "shm", + "options": [ + "nosuid", + "noexec", + "nodev", + "mode=1777", + "size=65536k" + ] + }, + { + "destination": "/dev/mqueue", + "type": "mqueue", + "source": "mqueue", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys", + "type": "sysfs", + "source": "sysfs", + "options": [ + "nosuid", + "noexec", + "nodev" + ] + }, + { + "destination": "/sys/fs/cgroup", + "type": "cgroup", + "source": "cgroup", + 
"options": [ + "nosuid", + "noexec", + "nodev", + "relatime", + "ro" + ] + }, + { + "type": "bind", + "source": "/etc/kubernetes", + "destination": "/etc/kubernetes", + "options": [ + "rbind", + "ro", + "rprivate" + ] + }, + { + "destination": "/etc/resolv.conf", + "type": "bind", + "source": "/etc/resolv.conf", + "options": [ + "ro", + "rbind", + "rprivate" + ] + } + ], + "linux": { + "resources": { + "devices": [ + { + "allow": false, + "access": "rwm" + } + ] + }, + "namespaces": [ + { + "type": "pid" + }, + { + "type": "ipc" + }, + { + "type": "mount" + } + ], + "devices": null, + "apparmorProfile": "" + } +} diff --git a/dockerfiles/kubernetes-scheduler/launch.sh b/dockerfiles/kubernetes-scheduler/launch.sh new file mode 100755 index 0000000000..bcc20f702d --- /dev/null +++ b/dockerfiles/kubernetes-scheduler/launch.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +. /etc/kubernetes/scheduler +. /etc/kubernetes/config + +ARGS="$@ $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUBE_SCHEDULER_ARGS" + +exec /usr/local/bin/kube-scheduler $ARGS diff --git a/dockerfiles/kubernetes-scheduler/scheduler b/dockerfiles/kubernetes-scheduler/scheduler new file mode 100644 index 0000000000..f6fc507b72 --- /dev/null +++ b/dockerfiles/kubernetes-scheduler/scheduler @@ -0,0 +1,7 @@ +### +# kubernetes scheduler config + +# default config should be adequate + +# Add your own! +KUBE_SCHEDULER_ARGS="" diff --git a/dockerfiles/kubernetes-scheduler/service.template b/dockerfiles/kubernetes-scheduler/service.template new file mode 100644 index 0000000000..d5a7e5e1e5 --- /dev/null +++ b/dockerfiles/kubernetes-scheduler/service.template @@ -0,0 +1,12 @@ +[Unit] +Description=kubernetes-scheduler + +[Service] +ExecStart=$EXEC_START +ExecStop=$EXEC_STOP +Restart=on-failure +WorkingDirectory=$DESTDIR + +[Install] +WantedBy=multi-user.target + diff --git a/playbooks/container-builder-copy-logs.yaml b/playbooks/container-builder-copy-logs.yaml new file mode 100644 index 0000000000..9bf7114dc7 --- /dev/null 
+++ b/playbooks/container-builder-copy-logs.yaml @@ -0,0 +1,54 @@ +- hosts: all + tasks: + - name: collect ansible_async logs + synchronize: + src: '/home/zuul/.ansible_async' + dest: '{{ zuul.executor.log_root }}' + mode: pull + copy_links: true + verify_host: true + + - shell: + cmd: | + set +o errexit + mkdir -p logs + # copy system log + sudo cp -r /var/log logs/system_log + if which journalctl ; then + # the journal gives us syslog() and kernel output, so is like + # a concatenation of the above. + sudo journalctl --no-pager | sudo tee logs/syslog.txt > /dev/null + sudo journalctl --no-pager -u docker.service | sudo tee logs/docker.log > /dev/null + fi + # sudo config + # final memory usage and process list + ps -eo user,pid,ppid,lwp,%cpu,%mem,size,rss,cmd > logs/ps.txt + # docker related information + (docker info && docker system df && docker system df -v) > logs/docker-info.txt + # fix the permissions for logs folder + sudo chmod -R 777 logs + # rename files to .txt; this is so that when displayed via + # logs.openstack.org clicking results in the browser shows the + # files, rather than trying to send it to another app or make you + # download it, etc. + # firstly, rename all .log files to .txt files + for f in $(find logs -name "*.log"); do + sudo mv $f ${f/.log/.txt} + done + # Update symlinks to new file names + for f in $(find logs -name "*FAILED*"); do + sudo mv ${f} ${f}.gz + sudo ln -sf ${f#*/000_FAILED_}.gz ${f}.gz + done + # Compress all text logs + find logs -iname '*.txt' -execdir gzip -9 {} \+ + find logs -iname '*.json' -execdir gzip -9 {} \+ + executable: /bin/bash + chdir: "{{ zuul.project.src_dir }}" + + - synchronize: + src: '{{ zuul.project.src_dir }}/logs' + dest: '{{ zuul.executor.log_root }}' + mode: pull + copy_links: true + verify_host: true diff --git a/playbooks/container-builder-setup-gate.yaml b/playbooks/container-builder-setup-gate.yaml new file mode 100644 index 0000000000..4c1815b70a --- /dev/null 
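Review bot: `for f in $(find logs -name "*.log")` word-splits paths and `${f/.log/.txt}` rewrites the first `.log` anywhere in the path rather than the extension, so a file under a directory whose name contains `.log` (constructed example: `logs/system_log/foo.log.d/x.log`) would be renamed in the wrong place; `find logs -name '*.log' -exec sh -c 'sudo mv "$1" "${1%.log}.txt"' _ {} \;` handles both. `sudo chmod -R 777 logs` is wider than the `synchronize` pull needs — `sudo chmod -R a+rX logs` is enough for a read-only copy. Everything under /var/log plus the full journal is shipped verbatim to the public log server; if this post-run is also chained behind a job that holds registry credentials — I cannot tell from this hunk — add a scrub step or narrow what is collected.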
+++ b/playbooks/container-builder-setup-gate.yaml
@@ -0,0 +1,37 @@
+- hosts: all
+ tasks:
+
+ - name: setup swap
+ block:
+ - command: fallocate -l20g /swap
+ - file:
+ path: /swap
+ mode: 0600
+ - command: mkswap /swap
+ - command: swapon /swap
+ become: True
+
+ - name: setup logging
+ shell:
+ cmd: |
+ mkdir logs
+ ln -s $(pwd)/logs /tmp/logs
+ mkdir -p /tmp/logs/{ansible,build}
+ executable: /bin/bash
+ chdir: "{{ zuul.project.src_dir }}"
+
+ - name: copy setup script
+ copy:
+ src: "{{ zuul.executor.work_root }}/{{ zuul.project.src_dir }}/tools/install_docker_UBUNTU.sh"
+ dest: /tmp/setup.sh
+ mode: 0755
+
+ - name: run node setup script
+ shell: /tmp/setup.sh
+ become: true
+
+ - name: changing permission of Docker socket to 666
+ file:
+ path: /run/docker.sock
+ mode: 666
+ become: true
diff --git a/playbooks/container-builder-vars.yaml b/playbooks/container-builder-vars.yaml
new file mode 100644
index 0000000000..832c7e70aa
--- /dev/null
+++ b/playbooks/container-builder-vars.yaml
@@ -0,0 +1,14 @@
+magnum_src_dir: "src/git.openstack.org/openstack/magnum"
+
+repository: docker.io/openstackmagnumtest
+kubernetes_version: v1.11.3
+kubernetes_images:
+ - name: kubernetes-apiserver
+ - name: kubernetes-controller-manager
+ - name: kubernetes-kubelet
+ - name: kubernetes-scheduler
+ - name: kubernetes-proxy
+
+magnum_images:
+ - name: heat-container-agent
+ tag: stein-dev
diff --git a/playbooks/container-builder.yaml b/playbooks/container-builder.yaml
new file mode 100644
index 0000000000..4e2a7857aa
--- /dev/null
+++ b/playbooks/container-builder.yaml
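Review bot: `mode: 666` on `/run/docker.sock` is read by the YAML parser as the decimal integer 666 (octal 01232), not the intended 0666; write it as `mode: "0666"` (and `"0600"`/`"0755"` for the other two `mode:` values, which only parse as octal thanks to their leading zero). Beyond the parse bug, a world-writable Docker socket lets any local account on the node drive the daemon as root; the node is a single-use gate worker, so the exposure is bounded, but the task should say so, e.g. `# single-use gate node: world-writable socket avoids a re-login for docker group membership`. If the Ansible user can be placed in the `docker` group before the tasks that need the socket run, `mode: "0660"` with `group: docker` is the tighter option.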
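Review bot: `kubernetes_version: v1.11.3` disagrees with the `ARG KUBE_VERSION=v1.13.0` default in the proxy and scheduler Dockerfiles of this commit; container-builder.yaml passes it as a build arg, so CI builds and publishes v1.11.3 while a plain `docker build` yields v1.13.0. Keep one source of truth, or at least note the override here: `kubernetes_version: v1.11.3  # overrides ARG KUBE_VERSION in dockerfiles/*/Dockerfile`.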
@@ -0,0 +1,34 @@
+- hosts: all
+ tasks:
+ - include_vars: container-builder-vars.yaml
+
+ - name: Build images
+ block:
+ - docker_image:
+ path: "{{ magnum_src_dir }}/dockerfiles/{{ item.name }}"
+ name: "{{ item.name }}"
+ repository: "{{ repository }}/{{ item.name }}"
+ tag: "{{ item.tag}}"
+ push: no
+ with_items: "{{ magnum_images }}"
+ - docker_image:
+ path: "{{ magnum_src_dir }}/dockerfiles/{{ item.name }}"
+ name: "{{ item.name }}"
+ repository: "{{ repository }}/{{ item.name }}"
+ tag: "{{ kubernetes_version }}"
+ buildargs:
+ KUBE_VERSION: "{{ kubernetes_version }}"
+ push: no
+ with_items: "{{ kubernetes_images }}"
+ async: 1000
+ poll: 0
+ register: pull
+ - async_status:
+ jid: "{{ item.ansible_job_id }}"
+ with_items: "{{ pull.results }}"
+ register: pull_result
+ until:
+ - pull_result.finished is defined
+ - pull_result.finished
+ retries: 1000
+ delay: 5
diff --git a/playbooks/container-publish.yaml b/playbooks/container-publish.yaml
new file mode 100644
index 0000000000..a313e08e43
--- /dev/null
+++ b/playbooks/container-publish.yaml
@@ -0,0 +1,12 @@
+- hosts: all
+ tasks:
+ - include_vars: container-builder-vars.yaml
+
+ - name: Push images to DockerHub
+ block:
+ - command: docker login -u {{ magnum_docker_login.user }} -p {{ magnum_docker_login.password }}
+ no_log: False
+ - command: docker push {{ repository }}/{{ item.name }}:{{ tag }}
+ with_items: "{{ magnum_images }}"
+ - command: docker push {{ repository }}/{{ item.name }}:{{ kubernetes_version }}
+ with_items: "{{ kubernetes_images }}"
diff --git a/tools/install_docker_UBUNTU.sh b/tools/install_docker_UBUNTU.sh
new file mode 100644
index 0000000000..290bfb35ca
--- /dev/null
+++ b/tools/install_docker_UBUNTU.sh
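Review bot: `push: no` uses the YAML 1.1 truthy spelling that yamllint flags; `push: false` is unambiguous, and `tag: "{{ item.tag}}"` is missing the space before `}}`. The result registered as `pull` is a list of build jobs, not pulls, so `register: build_jobs` / `with_items: "{{ build_jobs.results }}"` would read better. `async: 1000` already bounds each build to 1000 s, so the `retries: 1000` / `delay: 5` polling window (about 5000 s) is, as far as I can tell, never the limit that applies.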
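Review bot: `no_log: False` on the `docker login -u … -p …` task writes the registry password into the Ansible output that Zuul publishes with the job logs, and `-p` on the command line also exposes it in the process table while the login runs. Set `no_log: true` and feed the password over stdin with the command module's `stdin:` option, so it never appears in argv or the log. `{{ tag }}` in the first `docker push` is not defined anywhere in this commit — the vars file defines `magnum_images[].tag` — so it should be `{{ item.tag }}`. An `always:` with `docker logout` removes the credential that `docker login` leaves in the node's `~/.docker/config.json`.
```yaml
- name: Push images to DockerHub
  block:
    - name: Log in without putting the password in argv or the job log
      command: docker login -u {{ magnum_docker_login.user }} --password-stdin
      args:
        stdin: "{{ magnum_docker_login.password }}"
      no_log: true
    - command: docker push {{ repository }}/{{ item.name }}:{{ item.tag }}
      with_items: "{{ magnum_images }}"
    # … unchanged: kubernetes_images push …
  always:
    - command: docker logout
```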
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -o xtrace
+set -o errexit
+
+# Setup Docker repo and add signing key
+sudo apt-get update
+sudo apt-get install -y \
+ apt-transport-https \
+ ca-certificates \
+ curl \
+ software-properties-common
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt-get update
+sudo apt-get -y install --no-install-recommends docker-ce
+
+sudo systemctl start docker --now
+
+sudo docker info
+
+sudo apt-get install python-pip
+
+sudo pip install docker
+
+echo "Completed $0."
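Review bot: The Docker apt signing key is piped straight into `apt-key add -` with no fingerprint check, and `sudo pip install docker` installs an unpinned package as root, so the gate node trusts whatever the network delivers at run time. Docker's own install steps follow the import with `sudo apt-key fingerprint <DOCKER_KEY_ID>` compared against the published fingerprint; add that comparison (exit non-zero on mismatch) and pin the client library as `sudo pip install docker==<pinned-version>`. `sudo apt-get install python-pip` also lacks `-y`, so under `set -o errexit` it may abort when no tty answers the prompt, and `systemctl start docker --now` probably meant `systemctl enable --now docker`, since `--now` belongs to `enable`.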