Reserve tiller ports as part of controller bootstrap
Ephemeral port reservation was taking place only after the initial controller unlock. This still allowed kubernetes-based services to claim the tiller ports in the ephemeral range after the initial bootstrap. Include tiller port reservation as part of the bootstrap manifests and add an explicit dependency with the platform::kubernetes::master class. Change-Id: I7540cdfdd13ded63d154ee8ea0b1c8c326491d63 Closes-Bug: #1856209 Signed-off-by: Robert Church <robert.church@windriver.com>
parent
04478ab209
commit
34f3c3ff41
|
@ -9,6 +9,7 @@ Exec {
|
|||
|
||||
include ::platform::config::bootstrap
|
||||
include ::platform::users::bootstrap
|
||||
include ::platform::sysctl::bootstrap
|
||||
include ::platform::ldap::bootstrap
|
||||
include ::platform::drbd::bootstrap
|
||||
include ::platform::postgresql::bootstrap
|
||||
|
|
|
@ -9,6 +9,7 @@ Exec {
|
|||
|
||||
include ::platform::config::bootstrap
|
||||
include ::platform::users::bootstrap
|
||||
include ::platform::sysctl::bootstrap
|
||||
include ::platform::ldap::bootstrap
|
||||
include ::platform::drbd::bootstrap
|
||||
include ::platform::postgresql::bootstrap
|
||||
|
|
|
@ -358,6 +358,7 @@ class platform::kubernetes::master
|
|||
contain ::platform::kubernetes::coredns
|
||||
contain ::platform::kubernetes::firewall
|
||||
|
||||
Class['::platform::sysctl::controller::reserve_ports'] -> Class[$name]
|
||||
Class['::platform::etcd'] -> Class[$name]
|
||||
Class['::platform::docker::config'] -> Class[$name]
|
||||
# Ensure DNS is configured as name resolution is required when
|
||||
|
|
|
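Review bot: The added relationship `Class['::platform::sysctl::controller::reserve_ports'] -> Class[$name]` only compiles when that class is already declared in the same catalog; a manifest that contains platform::kubernetes::master without also including ::platform::sysctl::controller or ::platform::sysctl::bootstrap will fail with a missing-resource error rather than silently losing the ordering. Adding `include ::platform::sysctl::controller::reserve_ports` directly above the arrow makes the dependency self-contained regardless of which top-level manifest pulls the class in. The body of platform::kubernetes::master starts and ends outside this hunk.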
@ -84,10 +84,30 @@ class platform::sysctl
|
|||
}
|
||||
|
||||
|
||||
class platform::sysctl::controller::reserve_ports
|
||||
inherits ::platform::sysctl::params {
|
||||
|
||||
# Reserve ports in the ephemeral port range:
|
||||
#
|
||||
# Incorporate the reserved keystone port (35357) from
|
||||
# /usr/lib/sysctl.d/openstack-keystone.conf
|
||||
#
|
||||
# Helm v2.13.1 hardcodes the following Tiller ports when installed in the
|
||||
# k8s cluster: 44134 (server), 44135 (probe), 44136 (trace). Reserve them
|
||||
# from the ephemeral port range. This will avoid potential port conflicts
|
||||
# that will cause the tiller pod to crash when the port is assigned to
|
||||
# another client/server
|
||||
sysctl::value { 'net.ipv4.ip_local_reserved_ports':
|
||||
value => '35357,44134-44136'
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class platform::sysctl::controller
|
||||
inherits ::platform::sysctl::params {
|
||||
|
||||
include ::platform::sysctl
|
||||
include ::platform::sysctl::controller::reserve_ports
|
||||
|
||||
# Engineer VM page cache tunables to prevent significant IO delays that may
|
||||
# occur if we flush a buildup of dirty pages. Engineer VM settings to make
|
||||
|
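Review bot: The comment block on the new reserve_ports class says what is reserved but not what the reservation guarantees: `net.ipv4.ip_local_reserved_ports` only removes the listed ports from automatic ephemeral allocation, so a process that explicitly binds 44134-44136 is not prevented and the setting protects Tiller from accidental collisions rather than from a deliberate bind. Worth a line such as `# Note: reserved ports remain explicitly bindable; this only excludes them from automatic ephemeral allocation`. The same sysctl appears to govern IPv6 ephemeral allocation as well, which is what the bootstrap path would need on dual-stack controllers — worth confirming. The class also inherits ::platform::sysctl::params yet hard-codes the list; a `$reserved_ports` parameter there would keep the Helm-version note and the value together in one place.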
@ -129,20 +149,6 @@ class platform::sysctl::controller
|
|||
sysctl::value { 'kernel.shmmax':
|
||||
value => '167772160'
|
||||
}
|
||||
|
||||
# Reserve ports in the ephemeral port range:
|
||||
#
|
||||
# Incorporate the reserved keystone port (35357) from
|
||||
# /usr/lib/sysctl.d/openstack-keystone.conf
|
||||
#
|
||||
# Helm v2.13.1 hardcodes the following Tiller ports when installed in the
|
||||
# k8s cluster: 44134 (server), 44135 (probe), 44136 (trace). Reserve them
|
||||
# from the ephemeral port range. This will avoid potential port conflicts
|
||||
# that will cause the tiller pod to crash when the port is assigned to
|
||||
# another client/server
|
||||
sysctl::value { 'net.ipv4.ip_local_reserved_ports':
|
||||
value => '35357,44134-44136'
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
@ -159,3 +165,8 @@ class platform::sysctl::storage {
|
|||
class platform::sysctl::controller::runtime {
|
||||
include ::platform::sysctl::controller
|
||||
}
|
||||
|
||||
|
||||
class platform::sysctl::bootstrap {
|
||||
include ::platform::sysctl::controller::reserve_ports
|
||||
}
|
||||
|
|