Prepare Kubelet for multiple container runtime
This change introduces recommended default values for Kubelet on CoreOS: - Usage of CNI (Container Networking Interface) with Flannel - Update of the deprecated Kubelet argument (--config) - Bind mounts of the recommended CoreOS folders into Kubelet. It also introduces a new parameter, CONTAINER_RUNTIME, which will allow switching between rkt and docker as the container runtime. For now only docker is used. Partially-Implements: blueprint coreos-best-pratice Change-Id: I1db1c3c06198b41098472f5c28405c533b91b41e
parent
ed173776ca
commit
c270539b16
|
@ -31,27 +31,61 @@ write_files:
|
|||
INSECURE_REGISTRY_ARGS=""
|
||||
fi
|
||||
|
||||
uuid_file="/var/run/kubelet-pod.uuid"
|
||||
CONF_FILE=/etc/systemd/system/kubelet.service
|
||||
cat > $CONF_FILE <<EOF
|
||||
[Service]
|
||||
Environment=KUBELET_VERSION=${KUBE_VERSION}
|
||||
Environment=KUBELET_ACI=${HYPERKUBE_IMAGE_REPO}
|
||||
Environment="RKT_OPTS=--uuid-file-save=${uuid_file} \
|
||||
--volume dns,kind=host,source=/etc/resolv.conf \
|
||||
--mount volume=dns,target=/etc/resolv.conf \
|
||||
--volume rkt,kind=host,source=/opt/bin/host-rkt \
|
||||
--mount volume=rkt,target=/usr/bin/rkt \
|
||||
--volume var-lib-rkt,kind=host,source=/var/lib/rkt \
|
||||
--mount volume=var-lib-rkt,target=/var/lib/rkt \
|
||||
--volume stage,kind=host,source=/tmp \
|
||||
--mount volume=stage,target=/tmp \
|
||||
--volume var-log,kind=host,source=/var/log \
|
||||
--mount volume=var-log,target=/var/log"
|
||||
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
|
||||
ExecStartPre=/usr/bin/mkdir -p /opt/cni/bin
|
||||
ExecStartPre=/usr/bin/mkdir -p /var/log/containers
|
||||
ExecStartPre=-/usr/bin/rkt rm --uuid-file=${uuid_file}
|
||||
ExecStart=/usr/lib/coreos/kubelet-wrapper \
|
||||
--api-servers=http://127.0.0.1:8080 \
|
||||
--address=0.0.0.0 \
|
||||
--cni-conf-dir=/etc/kubernetes/cni/net.d \
|
||||
--network-plugin=cni \
|
||||
--register-node=true \
|
||||
--container-runtime=${CONTAINER_RUNTIME}
|
||||
--register-schedulable=false \
|
||||
--allow-privileged=true \
|
||||
--config=/etc/kubernetes/manifests \
|
||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||
--hostname-override=${KUBE_NODE_IP} \
|
||||
--logtostderr=true \
|
||||
--v=0 \
|
||||
${INSECURE_REGISTRY_ARGS}
|
||||
ExecStop=-/usr/bin/rkt stop --uuid-file=${uuid_file}
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
EOF
|
||||
|
||||
TEMPLATE=/opt/bin/host-rkt
|
||||
mkdir -p $(dirname $TEMPLATE)
|
||||
cat << EOF > $TEMPLATE
|
||||
#!/bin/sh
|
||||
# This is bind mounted into the kubelet rootfs and all rkt shell-outs go
|
||||
# through this rkt wrapper. It essentially enters the host mount namespace
|
||||
# (which it is already in) only for the purpose of breaking out of the chroot
|
||||
# before calling rkt. It makes things like rkt gc work and avoids bind mounting
|
||||
# in certain rkt filesystem dependancies into the kubelet rootfs. This can
|
||||
# eventually be obviated when the write-api stuff gets upstream and rkt gc is
|
||||
# through the api-server. Related issue:
|
||||
# https://github.com/coreos/rkt/issues/2878
|
||||
exec nsenter -m -u -i -n -p -t 1 -- /usr/bin/rkt "\$@"
|
||||
EOF
|
||||
|
||||
systemctl enable kubelet
|
||||
systemctl --no-block start kubelet
|
||||
|
|
|
@ -43,17 +43,35 @@ write_files:
|
|||
fi
|
||||
KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"
|
||||
|
||||
uuid_file="/var/run/kubelet-pod.uuid"
|
||||
CONF_FILE=/etc/systemd/system/kubelet.service
|
||||
cat > $CONF_FILE <<EOF
|
||||
[Service]
|
||||
Environment=KUBELET_VERSION=${KUBE_VERSION}
|
||||
Environment=KUBELET_ACI=${HYPERKUBE_IMAGE_REPO}
|
||||
Environment="RKT_OPTS=--uuid-file-save=${uuid_file} \
|
||||
--volume dns,kind=host,source=/etc/resolv.conf \
|
||||
--mount volume=dns,target=/etc/resolv.conf \
|
||||
--volume rkt,kind=host,source=/opt/bin/host-rkt \
|
||||
--mount volume=rkt,target=/usr/bin/rkt \
|
||||
--volume var-lib-rkt,kind=host,source=/var/lib/rkt \
|
||||
--mount volume=var-lib-rkt,target=/var/lib/rkt \
|
||||
--volume stage,kind=host,source=/tmp \
|
||||
--mount volume=stage,target=/tmp \
|
||||
--volume var-log,kind=host,source=/var/log \
|
||||
--mount volume=var-log,target=/var/log"
|
||||
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
|
||||
ExecStartPre=/usr/bin/mkdir -p /opt/cni/bin
|
||||
ExecStartPre=/usr/bin/mkdir -p /var/log/containers
|
||||
ExecStartPre=-/usr/bin/rkt rm --uuid-file=${uuid_file}
|
||||
ExecStart=/usr/lib/coreos/kubelet-wrapper \
|
||||
--api-servers=${KUBE_MASTER_URI} \
|
||||
--address=0.0.0.0 \
|
||||
--cni-conf-dir=/etc/kubernetes/cni/net.d \
|
||||
--network-plugin=cni \
|
||||
--container-runtime=${CONTAINER_RUNTIME} \
|
||||
--register-node=true \
|
||||
--allow-privileged=true \
|
||||
--config=/etc/kubernetes/manifests \
|
||||
--pod-manifest-path=/etc/kubernetes/manifests \
|
||||
--hostname-override=${KUBE_NODE_IP} \
|
||||
--logtostderr=true \
|
||||
--v=0 \
|
||||
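Review bot: The RKT_OPTS block bind-mounts host `/tmp`, `/var/log`, `/var/lib/rkt`, `/opt/bin/host-rkt` and `/etc/resolv.conf` into the kubelet rootfs without saying why each is needed, and a unit file accepts `#` comment lines inside this heredoc, so a comment above `Environment="RKT_OPTS=...` such as `# host mounts the kubelet needs under rkt: stage dir (/tmp, per the volume name), rkt state, host rkt wrapper, DNS config and container logs` would spare the next reader a trip to the CoreOS docs. Likewise `ExecStartPre=/usr/bin/mkdir -p /opt/cni/bin` creates the CNI plugin directory, but nothing on this page populates it; presumably the hyperkube image or kubelet-wrapper supplies the plugins, and a one-line comment naming that source would help, since `--network-plugin=cni` cannot start pods without them. The ExecStart= value and the heredoc continue past the end of this hunk.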
|
@ -64,9 +82,25 @@ write_files:
|
|||
${INSECURE_REGISTRY_ARGS}
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
ExecStop=-/usr/bin/rkt stop --uuid-file=${uuid_file}
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
EOF
|
||||
|
||||
TEMPLATE=/opt/bin/host-rkt
|
||||
mkdir -p $(dirname $TEMPLATE)
|
||||
cat << EOF > $TEMPLATE
|
||||
#!/bin/sh
|
||||
# This is bind mounted into the kubelet rootfs and all rkt shell-outs go
|
||||
# through this rkt wrapper. It essentially enters the host mount namespace
|
||||
# (which it is already in) only for the purpose of breaking out of the chroot
|
||||
# before calling rkt. It makes things like rkt gc work and avoids bind mounting
|
||||
# in certain rkt filesystem dependancies into the kubelet rootfs. This can
|
||||
# eventually be obviated when the write-api stuff gets upstream and rkt gc is
|
||||
# through the api-server. Related issue:
|
||||
# https://github.com/coreos/rkt/issues/2878
|
||||
exec nsenter -m -u -i -n -p -t 1 -- /usr/bin/rkt "\$@"
|
||||
EOF
|
||||
|
||||
systemctl enable kubelet
|
||||
systemctl --no-block start kubelet
|
||||
|
|
|
@ -68,5 +68,17 @@ write_files:
|
|||
After=flanneld.service
|
||||
EOF
|
||||
|
||||
CNI=/etc/kubernetes/cni/net.d/10-flannel.conf
|
||||
mkdir -p $(dirname $CNI)
|
||||
cat << EOF > $CNI
|
||||
{
|
||||
"name": "podnet",
|
||||
"type": "flannel",
|
||||
"delegate": {
|
||||
"isDefaultGateway": true
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
systemctl enable flanneld
|
||||
systemctl --no-block start flanneld
|
||||
|
|
|
@ -68,5 +68,17 @@ write_files:
|
|||
After=flanneld.service
|
||||
EOF
|
||||
|
||||
CNI=/etc/kubernetes/cni/net.d/10-flannel.conf
|
||||
mkdir -p $(dirname $CNI)
|
||||
cat << EOF > $CNI
|
||||
{
|
||||
"name": "podnet",
|
||||
"type": "flannel",
|
||||
"delegate": {
|
||||
"isDefaultGateway": true
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
systemctl enable flanneld
|
||||
systemctl --no-block start flanneld
|
||||
|
|
|
@ -42,3 +42,4 @@ write_files:
|
|||
KUBE_CERTS_PATH="$KUBE_CERTS_PATH"
|
||||
HOST_CERTS_PATH="$HOST_CERTS_PATH"
|
||||
HYPERKUBE_IMAGE_REPO="$HYPERKUBE_IMAGE_REPO"
|
||||
CONTAINER_RUNTIME="$CONTAINER_RUNTIME"
|
||||
|
|
|
@ -43,3 +43,4 @@ write_files:
|
|||
KUBE_CERTS_PATH="$KUBE_CERTS_PATH"
|
||||
HOST_CERTS_PATH="$HOST_CERTS_PATH"
|
||||
HYPERKUBE_IMAGE_REPO="$HYPERKUBE_IMAGE_REPO"
|
||||
CONTAINER_RUNTIME="$CONTAINER_RUNTIME"
|
||||
|
|
|
@ -242,6 +242,14 @@ parameters:
|
|||
- allowed_pattern: "^$|.*/"
|
||||
default: ""
|
||||
|
||||
container_runtime:
|
||||
type: string
|
||||
description: >
|
||||
Container runtime to use with Kubernetes.
|
||||
default: "docker"
|
||||
constraints:
|
||||
- allowed_values: ["docker"]
|
||||
|
||||
resources:
|
||||
|
||||
######################################################################
|
||||
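Review bot: `allowed_values: ["docker"]` here is the only check that pins `container_runtime` to a supported value; the same parameter in the kubemaster and kubeminion templates (the hunks at `@ -173,6 +173,11 @@` and `@ -128,6 +128,11 @@`) carries no constraint, and the value is interpolated straight into the kubelet `--container-runtime=` flag, so those nested templates are safe only when reached through this one. The description should say that, e.g. `description: > Container runtime to use with Kubernetes. Only "docker" is currently supported.`, so a later change that widens the allowed values or invokes the nested templates directly knows where the guard lives.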
|
@ -398,6 +406,7 @@ resources:
|
|||
auth_url: {get_param: auth_url}
|
||||
hyperkube_image: {get_param: hyperkube_image}
|
||||
insecure_registry_url: {get_param: insecure_registry_url}
|
||||
container_runtime: {get_param: container_runtime}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
|
@ -443,6 +452,7 @@ resources:
|
|||
auth_url: {get_param: auth_url}
|
||||
hyperkube_image: {get_param: hyperkube_image}
|
||||
insecure_registry_url: {get_param: insecure_registry_url}
|
||||
container_runtime: {get_param: container_runtime}
|
||||
|
||||
outputs:
|
||||
|
||||
|
|
|
@ -173,6 +173,11 @@ parameters:
|
|||
type: string
|
||||
description: insecure registry url
|
||||
|
||||
container_runtime:
|
||||
type: string
|
||||
description: >
|
||||
Container runtime to use with Kubernetes.
|
||||
|
||||
resources:
|
||||
|
||||
master_wait_handle:
|
||||
|
@ -250,6 +255,7 @@ resources:
|
|||
insecure_registry_url: { get_param: insecure_registry_url }
|
||||
hyperkube_image: { get_param: hyperkube_image }
|
||||
"$INSECURE_REGISTRY_URL": {get_param: insecure_registry_url}
|
||||
"$CONTAINER_RUNTIME": {get_param: container_runtime}
|
||||
|
||||
configure_etcd:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
|
|
|
@ -128,6 +128,11 @@ parameters:
|
|||
type: string
|
||||
description: insecure registry url
|
||||
|
||||
container_runtime:
|
||||
type: string
|
||||
description: >
|
||||
Container runtime to use with Kubernetes.
|
||||
|
||||
resources:
|
||||
|
||||
minion_wait_handle:
|
||||
|
@ -182,6 +187,7 @@ resources:
|
|||
insecure_registry_url: { get_param: insecure_registry_url }
|
||||
hyperkube_image: { get_param: hyperkube_image }
|
||||
"$INSECURE_REGISTRY_URL": {get_param: insecure_registry_url}
|
||||
"$CONTAINER_RUNTIME": {get_param: container_runtime}
|
||||
|
||||
write_kubeconfig:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
|
|