Without this, heat container agents using kubectl version
1.18.x (e.g. ussuri-dev) fail because they do not have the correct
KUBECONFIG in the environment.
Task: 39938
Story: 2007591
Change-Id: Ifc212478ae09c658adeb6ba4c8e8afc8943e3977
The tags on quay.io/coreos/etcd follow the same format as
https://github.com/etcd-io/etcd/releases compared to k8s.gcr.io which
modifies the canonical version tag by dropping the "v" prefix.
Story: 2007475
Task: 39184
Change-Id: If44eb55a68c13f8e1706242c099578ed1f264d62
Now Magnum is using podman and systemd to manage the etcd service
and start heat-container-agent. In cases where the nodes pull images
from docker.io or another mirror registry with high latency, the etcd
or heat container agent service takes a long time to start, which is
causing a timeout when bootstrapping the k8s cluster for the fedora atomic/coreos
drivers. This patch fixes it by adding TimeoutStartSec for the systemd
services.
Task: 37452
Story: 2006459
Change-Id: I89855983f45544f202fc94ede396d1b0c44d286e
Choose whether system containers etcd, kubernetes and the heat-agent will be
installed with podman or atomic. This label is relevant for k8s_fedora drivers.
k8s_fedora_atomic_v1 defaults to use_podman=false, meaning atomic will be used
pulling containers from docker.io/openstackmagnum. use_podman=true is accepted
as well, which will pull containers from k8s.gcr.io.
k8s_fedora_coreos_v1 defaults and accepts only use_podman=true.
Fix upgrade for k8s_fedora_coreos_v1 and magnum-cordon systemd unit.
Task: 37242
Story: 2005201
Change-Id: I0d5e4e059cd4f0458746df7c09d2fd47c389c6a0
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
Using the atomic cli to install kubelet breaks mount
propagation of secrets, configmaps and so on. Using podman
in a systemd unit works.
Additionally, with this change all atomic commands are dropped,
containers are pulled from gcr.io (official kubernetes containers).
Finally, after this patch only by starting the heat-agent with
ignition, we can use fedora coreos as a drop-in replacement.
* Drop del of docker0
This command to remove docker0 is carried from
earlier versions of docker. This is not an issue
anymore.
story: 2006459
task: 36871
Change-Id: I2ed8e02f5295e48d371ac9e1aff2ad5d30d0c2bd
Signed-off-by: Spyros Trigazis <spyridon.trigazi@cern.ch>
Rolling upgrade is an important feature for a managed k8s service,
at this stage, two use cases will be covered:
1. Upgrade base operating system
2. Upgrade k8s version
Known limitation: When doing operating system upgrade, there is no
chance to call kubectl drain to evict pods on that node.
Task: 30185
Story: 2002210
Change-Id: Ibbed59bc135969174a20e5243ff8464908801a23
This reverts commit e8d0ee1b14.
This commit is reverted for two reasons:
* It is undesirable that the end user can inject proxy config into
the magnum-conductor service via the cluster template.
* The proxy settings for the magnum-conductor service may not be
the same as those which are required in the cluster template for
the end user VM.
Systemd, docker and podman all include native mechanisms for setting
environment variables for processes, and this should be used by the
cloud operator / deployment tooling to configure the required proxy
settings for the magnum-conductor service.
In particular this patch makes it impossible for the cloud operator
to specify their own http_proxy via the environment, the user supplied
cluster template setting will always be used.
Change-Id: I33da19ad6764bedcf15f2a08381063e2471f8991
The scripts run by cloud-init for the master and minion nodes currently
write proxy environment variables into /bin/bashrc when they are defined.
These variables will only be introduced into the running environment
when a new bash shell is started. The /bin/sh used by the fragment
scripts will ignore /etc/bashrc, so the new shells invoked per fragment
will not have the http proxy variables present. This means that the
master/minion node deployment fails when behind an http proxy.
This patch adds explicit exports for HTTP_PROXY and HTTPS_PROXY when those
variables are defined, and not empty.
Task: 29863
Change-Id: Id05c90d5bf99d720ae6002b38d3291e364e1e0c4
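An added shell example (not code from the Magnum repository) that reproduces the failure mode described in the commit message above: a proxy setting written into a bashrc-style file never reaches the non-interactive `/bin/sh` that runs each cloud-init fragment, whereas an explicit export is inherited, and an empty value is left unset rather than exported as `http_proxy=`. The function names and the `mktemp` stand-in for `/etc/bashrc` are illustrative assumptions; the proxy URL in the usage note is a constructed value.

```sh
#!/bin/sh
# Added example, not Magnum code: shows why writing proxy variables into a
# bashrc-style file does not help /bin/sh fragments, and how an explicit,
# guarded export does. Function names and the mktemp stand-in for
# /etc/bashrc are illustrative assumptions.

# Start from a clean slate so the demonstration does not depend on proxy
# variables already present in the caller's environment.
unset HTTP_PROXY http_proxy HTTPS_PROXY https_proxy NO_PROXY no_proxy

# export_if_nonempty NAME VALUE
# Exports NAME, and its lower-case twin that curl/wget/pip honour, only when
# VALUE is defined and non-empty. An empty Heat parameter therefore does not
# produce "http_proxy=" in the environment, which some tools treat as a
# request to use a proxy rather than as "no proxy".
export_if_nonempty() {
    name=$1
    value=$2
    if [ -n "$value" ]; then
        export "$name=$value"
        lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        export "$lower=$value"
    fi
}

# configure_proxy HTTP HTTPS NO_PROXY
# The three settings a cluster template can carry, applied with the rule above.
configure_proxy() {
    export_if_nonempty HTTP_PROXY "$1"
    export_if_nonempty HTTPS_PROXY "$2"
    export_if_nonempty NO_PROXY "$3"
}

# child_sees NAME
# Spawns a fresh /bin/sh, the way each fragment is invoked, and prints the
# value NAME has there (empty when unset).
child_sees() {
    /bin/sh -c "printf '%s' \"\${$1:-}\""
}

# demo_bashrc_only VALUE
# Pre-patch behaviour: appending an export to a bashrc-style file is invisible
# to the child, because a non-interactive /bin/sh does not read that file.
demo_bashrc_only() {
    rc=$(mktemp)
    printf 'export HTTP_PROXY=%s\n' "$1" > "$rc"   # stands in for /etc/bashrc
    result=$(child_sees HTTP_PROXY)
    rm -f "$rc"
    printf '%s' "$result"
}

# demo_explicit_export VALUE
# Patched behaviour: an explicit export in the parent is inherited by the
# child. Runs in a subshell so the caller's environment stays untouched.
demo_explicit_export() {
    ( export_if_nonempty HTTP_PROXY "$1"; child_sees HTTP_PROXY )
}

# demo_lowercase VALUE
# Shows that the lower-case variant is exported alongside the upper-case one.
demo_lowercase() {
    ( configure_proxy "$1" "" ""; child_sees http_proxy )
}
```

Running `demo_bashrc_only http://proxy.example.org:3128` prints nothing, while `demo_explicit_export` with the same value prints it back from the child shell and `demo_explicit_export ""` again prints nothing, which is the "defined, and not empty" rule from the commit message.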
HTTP(S) proxy can be specified when creating the template.
https://docs.openstack.org/magnum/latest/admin/magnum-proxy.html
However, it is not being utilized when talking to a public etcd discovery
service, which results in failed cluster creation. We need to be able to
use HTTP(S) proxy when services are running behind a firewall.
Change-Id: I13d86b0dc7c232a51149107f0412219388d8c2cd
story: 2004664
- Start workers as soon as the master VM is created, rather than
  waiting for all the services to be ready.
- Move all the SoftwareDeployment outside of kubemaster stack.
- Tweak the scripts in SoftwareDeployment so that they can be combined
into a single script.
Story: 2004573
Task: 28347
Change-Id: Ie48861253615c8f60b34a2c1e9ad6b91d3ae685e
Co-Authored-By: Lingxian Kong <anlin.kong@gmail.com>
Set client and peer auth to true and add
trusted_ca configuration to enable authentication
via certs for both clients and other etcd members.
Change-Id: I1d0fbd6f89dc2e95e016299c5ce0c68eb4fe8e1a
Closes-Bug: #1759813
In Fedora Atomic 27 etcd and flanneld are removed from the base image.
Install them as system containers.
* update docker-storage configuration
* add etcd and flannel tags as labels
Change-Id: I2103c7c3d50f4b68ddc11abff72bc9e3f22839f3
Closes-Bug: #1735381
Kubernetes uses certificates, kubeconfig and the kubernetes openstack
cloud provider configuration from /srv/kubernetes and /etc/sysconfig.
The upstream kubernetes system containers used with atomic hosts
mount /etc/kubernetes, we can unify the location of all kubernetes
configuration and also be able to use the upstream containers
unmodified.
Implements: blueprint run-kube-as-container
Change-Id: I9b2da390745836d9a66b7c8fc995a35cb74993e9
Allow setting the size of a volume for etcd storage.
Default is 0 which matches the current behavior - no persistency.
Related-Bug: #1697655
Change-Id: I8a30df63684133a902ae209ba6c124da2a567d3f
With this patch the following are done:
- Configure Etcd with TLS support
Configure the following to communicate with TLS-enabled Etcd:
- Flannel
Etcd also listens at http://127.0.0.1:2379, so on master nodes
etcdctl and kube apiserver can communicate without using
certificates.
If TLS_DISABLED="True", then TLS is not enabled for etcd.
Change-Id: I2147b67c4e346a4415e1f76c19ac68e94cb0a0fa
Partially-Implements: blueprint secure-etcd-cluster-coe
Similarly to pep8 checks, this allows enforcing a consistent
style of the shell scripts across modifications. For now
only the indentation is enforced to reduce code churn.
Closes-Bug: 1648099
Change-Id: Ie66cbe1aea4bd01a8bba8833ef6cbd2cff6a7c6a
The 2 k8s atomic drivers we currently support are added to the
same driver. This breaks ironic support with the stevedore
work I'm currently doing.
With stevedore, we can choose only one driver based on the
server_type, os and coe. We won't be able to pick a driver and
then choose an implementation based on server_type.
Partially-Implements: blueprint magnum-baremetal-full-support
Co-Authored-By: Spyros Trigazis <strigazi@gmail.com>
Change-Id: Ic1b8103551f48f85baa2ed9ff32d5b70b1fab84e
This is workaround fix to support baremetal.
The following items remain to be supported.
* Documents
* Functional test
To test this template, there are some requirements and problems as below.
Requirements:
* `ephemeral_disk` on ironic baremetal flavor
`ephemeral_disk` is used for docker storage instead of cinder volume.
* `fixed_subnet` must be setup with dns_nameservers like following.
* `neutron subnet-update private-subnet --dns-nameserver 8.8.8.8`
* `fixed_subnet` must be IP version 4.
if you use devstack, please add following configuration.
* `IP_VERSION=4`
* Fedora 23 image including kubernetes, etcd, flannel.
Problem:
Ironic stores `instance_info` about the nova instance.
`instance_info` contains config_drive data, but this data can be
too large to store in the ironic.nodes table.
Magnum uses large config drive data to setup k8s.
It means we cannot start an ironic instance with Magnum.
Workaround fix is changing column type of ironic.nodes.instance_info.
The following SQL will help you.
`alter table ironic.nodes modify instance_info LONGTEXT;`
Partial-Implements: blueprint magnum-baremetal-full-support
Change-Id: Ica87610b9114bff4277b492de8fe528fe2860108
Closes-Bug: #1454895
Closes-Bug: #1472938
Co-Authored-By: Spyros Trigazis <strigazi@gmail.com>
Make scripts adaptable to different network interface.
Some scripts currently query eth0 directly to get the IP of
the node. This causes the script to fail if the node uses
a different network interface. The change passes in the
IP from Heat so that it is not susceptible to the particular
network interface being used.
This change is necessary to use the stock image from Atomic,
since eth0 is not used in this image.
This patch is broken out from the patch:
https://review.openstack.org/#/c/276232/
so that it can proceed independently.
Co-Authored-By: Corey O'Brien <coreypobrien@gmail.com>
Partially-Implements: blueprint atomic23
Change-Id: If8f972d8dabc8304484dfaff8d4e7f1f8755507b
Rename heat-kubernetes to kubernetes, heat-mesos to mesos,
docker-swarm to swarm in templates. We use heat templates and
no other methods, so I think it is unnecessary to add heat before
coe. kubernetes, mesos, swarm are better than
heat-kubernetes, heat-mesos, docker-swarm.
Change-Id: I257b35c1c4ef55d3172095736f550f2c55c8d81f
Closes-Bug: #1514682
This patch adds proxy settings in the following places:
1. etcd needs ETCD_DISCOVERY_PROXY when trying to do discovery
/etc/etcd/etcd.conf
2. the docker daemon needs the proxy set to allow downloading images
/etc/systemd/system/docker.service.d/proxy.conf
3. and at the OS level, we need to set http_proxy, https_proxy and no_proxy too
/etc/bashrc
Implements: blueprint discovery-proxy
Co-authored-by: Manjeet Singh Bhatia <manjeet.s.bhatia@intel.com>
Change-Id: I19c92dc9b4fe195037b5ad4ca49b529cf6be4cfb
* Configure etcd to use a discovery_url to bootstrap the cluster.
* Users can provide discovery_url for individual bay.
* If discovery_url is not provided, it will be generated at runtime
by using a discovery service.
* Admin can set the endpoint of the discovery service in config file.
Default is the public etcd discovery service.
Change-Id: I9dd3a47f6d50ebadf74c4ee65701183f18c9d629
Partially-Implements: blueprint make-master-ha
As described in [1], the line [cluster] in /etc/etcd/etcd.conf
is incorrect. It is interpreted as an environment variable
without a value and ignored, as stated by a systemd developer
on the #systemd IRC channel. The comment "# [member]" is not necessary.
[1] http://www.freedesktop.org/software/systemd/man/
systemd.exec.html#EnvironmentFile=
Change-Id: Iceb71540c04f93da16f9469f545c0b19a6cf58db
Closes-Bug: #1481269
Recent versions of etcd require one to explicitly set
ETCD_ADVERTISE_CLIENT_URLS when using ETCD_LISTEN_CLIENT_URLS.
See: 89bcc18d24
Change-Id: I948a5c842a6350d2b38834a63c2719287c9203ea
Partially-Implements: blueprint make-master-ha
Closes-Bug: #1477289
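An added shell example (not Magnum's own scripts) that ties together the etcd.conf points raised in several of the commit messages above: the TLS configuration gated on TLS_DISABLED with client and peer certificate auth enabled and the loopback client URL kept on plain http, the optional discovery URL and ETCD_DISCOVERY_PROXY, the rule that systemd's EnvironmentFile= accepts only KEY=VALUE lines (so a `[cluster]` header is silently ignored), and the requirement that ETCD_ADVERTISE_CLIENT_URLS accompanies ETCD_LISTEN_CLIENT_URLS. The certificate paths, data directory and function names are assumptions; the discovery URL and proxy used in the usage note are constructed values.

```sh
#!/bin/sh
# Added example, not Magnum code: generates an etcd.conf in the form
# systemd's EnvironmentFile= actually accepts and validates it against the
# two pitfalls named in the commit messages above (a "[section]" line and a
# listen URL without an advertise URL). Certificate paths, the data dir and
# the function names are assumptions.

# write_etcd_conf OUT NODE_IP TLS_DISABLED [DISCOVERY_URL] [DISCOVERY_PROXY]
write_etcd_conf() {
    out=$1
    ip=$2
    tls_disabled=$3
    discovery=${4:-}
    dproxy=${5:-}
    if [ "$tls_disabled" = "True" ]; then
        scheme=http
    else
        scheme=https
    fi
    {
        printf '# generated: KEY=VALUE lines only; a "[cluster]" line would be\n'
        printf '# parsed as an empty variable and silently ignored\n'
        printf 'ETCD_NAME=%s\n' "$ip"
        printf 'ETCD_DATA_DIR=/var/lib/etcd/default.etcd\n'
        # The loopback listener stays http so etcdctl and the apiserver on the
        # master can talk to etcd without client certificates.
        printf 'ETCD_LISTEN_CLIENT_URLS=%s://%s:2379,http://127.0.0.1:2379\n' "$scheme" "$ip"
        # Always emitted together with the listen URL: etcd refuses to start
        # with an explicit listen URL and no advertise URL.
        printf 'ETCD_ADVERTISE_CLIENT_URLS=%s://%s:2379\n' "$scheme" "$ip"
        printf 'ETCD_LISTEN_PEER_URLS=%s://%s:2380\n' "$scheme" "$ip"
        printf 'ETCD_INITIAL_ADVERTISE_PEER_URLS=%s://%s:2380\n' "$scheme" "$ip"
        if [ -n "$discovery" ]; then
            printf 'ETCD_DISCOVERY=%s\n' "$discovery"
        fi
        if [ -n "$dproxy" ]; then
            printf 'ETCD_DISCOVERY_PROXY=%s\n' "$dproxy"
        fi
        if [ "$tls_disabled" != "True" ]; then
            # Client and peer certificate auth both on, sharing one trusted CA.
            printf 'ETCD_CERT_FILE=/etc/etcd/certs/server.crt\n'
            printf 'ETCD_KEY_FILE=/etc/etcd/certs/server.key\n'
            printf 'ETCD_TRUSTED_CA_FILE=/etc/etcd/certs/ca.crt\n'
            printf 'ETCD_CLIENT_CERT_AUTH=true\n'
            printf 'ETCD_PEER_CERT_FILE=/etc/etcd/certs/server.crt\n'
            printf 'ETCD_PEER_KEY_FILE=/etc/etcd/certs/server.key\n'
            printf 'ETCD_PEER_TRUSTED_CA_FILE=/etc/etcd/certs/ca.crt\n'
            printf 'ETCD_PEER_CLIENT_CERT_AUTH=true\n'
        fi
    } > "$out"
}

# validate_env_file FILE
# Returns 1 if any non-blank, non-comment line is not KEY=VALUE (this is what
# catches a stray "[cluster]"), or if ETCD_LISTEN_CLIENT_URLS is present
# without ETCD_ADVERTISE_CLIENT_URLS.
validate_env_file() {
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ev '^[A-Za-z_][A-Za-z0-9_]*=' || true)
    if [ -n "$bad" ]; then
        printf 'invalid EnvironmentFile line(s):\n%s\n' "$bad" >&2
        return 1
    fi
    if grep -q '^ETCD_LISTEN_CLIENT_URLS=' "$1" && ! grep -q '^ETCD_ADVERTISE_CLIENT_URLS=' "$1"; then
        printf 'ETCD_LISTEN_CLIENT_URLS set without ETCD_ADVERTISE_CLIENT_URLS\n' >&2
        return 1
    fi
    return 0
}
```

`write_etcd_conf /etc/etcd/etcd.conf 10.0.0.5 False https://discovery.etcd.io/<token> http://proxy.example.org:3128` followed by `validate_env_file /etc/etcd/etcd.conf` produces a TLS-enabled member that still answers plain http on 127.0.0.1:2379; passing `True` as the third argument drops every ETCD_*CERT*/CA variable and switches the advertised URLs to http, and the validator rejects a hand-edited file that reintroduces `[cluster]` or loses the advertise URL.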