k3s/pkg/daemons/agent/agent.go

package agent

import (
	"bufio"
	"math/rand"
	"os"
	"path/filepath"
	"strings"
	"time"

	"github.com/opencontainers/runc/libcontainer/system"
	"github.com/rancher/k3s/pkg/daemons/config"
	"github.com/rancher/k3s/pkg/daemons/executor"
	"github.com/sirupsen/logrus"
	"k8s.io/apimachinery/pkg/util/net"
	"k8s.io/component-base/logs"
	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"

	_ "k8s.io/component-base/metrics/prometheus/restclient" // for client metric registration
	_ "k8s.io/component-base/metrics/prometheus/version"    // for version metric registration
)

func Agent(config *config.Agent) error {
	rand.Seed(time.Now().UTC().UnixNano())

	logs.InitLogs()
	defer logs.FlushLogs()

	if err := startKubelet(config); err != nil {
		return err
	}

	if !config.DisableKubeProxy {
		return startKubeProxy(config)
	}

	return nil
}

func startKubeProxy(cfg *config.Agent) error {
	argsMap := map[string]string{
		"proxy-mode":           "iptables",
		"healthz-bind-address": "127.0.0.1",
		"kubeconfig":           cfg.KubeConfigKubeProxy,
		"cluster-cidr":         cfg.ClusterCIDR.String(),
	}
	if cfg.NodeName != "" {
		argsMap["hostname-override"] = cfg.NodeName
	}

	args := config.GetArgsList(argsMap, cfg.ExtraKubeProxyArgs)
	logrus.Infof("Running kube-proxy %s", config.ArgString(args))
	return executor.KubeProxy(args)
}

func startKubelet(cfg *config.Agent) error {
	argsMap := map[string]string{
		"healthz-bind-address":     "127.0.0.1",
		"read-only-port":           "0",
		"cluster-domain":           cfg.ClusterDomain,
		"kubeconfig":               cfg.KubeConfigKubelet,
		"eviction-hard":            "imagefs.available<5%,nodefs.available<5%",
		"eviction-minimum-reclaim": "imagefs.available=10%,nodefs.available=10%",
		"fail-swap-on":             "false",
		//"cgroup-root": "/k3s",
		"cgroup-driver":                "cgroupfs",
		"authentication-token-webhook": "true",
		"anonymous-auth":               "false",
		"authorization-mode":           modes.ModeWebhook,
	}
	if cfg.PodManifests != "" && argsMap["pod-manifest-path"] == "" {
		argsMap["pod-manifest-path"] = cfg.PodManifests
	}
	if err := os.MkdirAll(argsMap["pod-manifest-path"], 0755); err != nil {
		logrus.Errorf("Failed to mkdir %s: %v", argsMap["pod-manifest-path"], err)
	}
	if cfg.RootDir != "" {
		argsMap["root-dir"] = cfg.RootDir
		argsMap["cert-dir"] = filepath.Join(cfg.RootDir, "pki")
		argsMap["seccomp-profile-root"] = filepath.Join(cfg.RootDir, "seccomp")
	}
	if cfg.CNIConfDir != "" {
		argsMap["cni-conf-dir"] = cfg.CNIConfDir
	}
	if cfg.CNIBinDir != "" {
		argsMap["cni-bin-dir"] = cfg.CNIBinDir
	}
	if cfg.CNIPlugin {
		argsMap["network-plugin"] = "cni"
	}
	if len(cfg.ClusterDNS) > 0 {
		argsMap["cluster-dns"] = cfg.ClusterDNS.String()
	}
	if cfg.ResolvConf != "" {
		argsMap["resolv-conf"] = cfg.ResolvConf
	}
	if cfg.RuntimeSocket != "" {
		argsMap["container-runtime"] = "remote"
		argsMap["container-runtime-endpoint"] = cfg.RuntimeSocket
		argsMap["containerd"] = cfg.RuntimeSocket
		argsMap["serialize-image-pulls"] = "false"
	} else if cfg.PauseImage != "" {
		argsMap["pod-infra-container-image"] = cfg.PauseImage
	}
	if cfg.ListenAddress != "" {
		argsMap["address"] = cfg.ListenAddress
	}
	if cfg.ClientCA != "" {
		argsMap["anonymous-auth"] = "false"
		argsMap["client-ca-file"] = cfg.ClientCA
	}
	if cfg.ServingKubeletCert != "" && cfg.ServingKubeletKey != "" {
		argsMap["tls-cert-file"] = cfg.ServingKubeletCert
		argsMap["tls-private-key-file"] = cfg.ServingKubeletKey
	}
	if cfg.NodeName != "" {
		argsMap["hostname-override"] = cfg.NodeName
	}
	defaultIP, err := net.ChooseHostInterface()
	if err != nil || defaultIP.String() != cfg.NodeIP {
		argsMap["node-ip"] = cfg.NodeIP
	}
	root, hasCFS, hasPIDs := checkCgroups()
	if !hasCFS {
		logrus.Warn("Disabling CPU quotas due to missing cpu.cfs_period_us")
		argsMap["cpu-cfs-quota"] = "false"
	}
	if !hasPIDs {
		logrus.Warn("Disabling pod PIDs limit feature due to missing cgroup pids support")
		argsMap["cgroups-per-qos"] = "false"
		argsMap["enforce-node-allocatable"] = ""
		argsMap["feature-gates"] = addFeatureGate(argsMap["feature-gates"], "SupportPodPidsLimit=false")
	}
	if root != "" {
		argsMap["runtime-cgroups"] = root
		argsMap["kubelet-cgroups"] = root
	}
	if system.RunningInUserNS() {
		argsMap["feature-gates"] = addFeatureGate(argsMap["feature-gates"], "DevicePlugins=false")
	}

	argsMap["node-labels"] = strings.Join(cfg.NodeLabels, ",")
	if len(cfg.NodeTaints) > 0 {
		argsMap["register-with-taints"] = strings.Join(cfg.NodeTaints, ",")
	}
	if !cfg.DisableCCM {
		argsMap["cloud-provider"] = "external"
	}

	if cfg.Rootless {
		// flags are from https://github.com/rootless-containers/usernetes/blob/v20190826.0/boot/kubelet.sh
		argsMap["cgroup-driver"] = "none"
		argsMap["feature-gates=SupportNoneCgroupDriver"] = "true"
		argsMap["cgroups-per-qos"] = "false"
		argsMap["enforce-node-allocatable"] = ""
	}

	if cfg.ProtectKernelDefaults {
		argsMap["protect-kernel-defaults"] = "true"
	}

	args := config.GetArgsList(argsMap, cfg.ExtraKubeletArgs)
	logrus.Infof("Running kubelet %s", config.ArgString(args))

	return executor.Kubelet(args)
}

func addFeatureGate(current, new string) string {
	if current == "" {
		return new
	}
	return current + "," + new
}

func checkCgroups() (root string, hasCFS bool, hasPIDs bool) {
	f, err := os.Open("/proc/self/cgroup")
	if err != nil {
		return "", false, false
	}
	defer f.Close()

	scan := bufio.NewScanner(f)
	for scan.Scan() {
		parts := strings.Split(scan.Text(), ":")
		if len(parts) < 3 {
			continue
		}
		systems := strings.Split(parts[1], ",")
		for _, system := range systems {
			if system == "pids" {
				hasPIDs = true
			} else if system == "cpu" {
				p := filepath.Join("/sys/fs/cgroup", parts[1], parts[2], "cpu.cfs_period_us")
				if _, err := os.Stat(p); err == nil {
					hasCFS = true
				}
			}
		}
	}

	// Examine process ID 1 to see if there is a cgroup assigned to it.
	// When we are not in a container, process 1 is likely to be systemd or some other service manager.
	// It either lives at `/` or `/init.scope` according to https://man7.org/linux/man-pages/man7/systemd.special.7.html
	// When containerized, process 1 will be generally be in a cgroup, otherwise, we may be running in
	// a host PID scenario but we don't support this.
	g, err := os.Open("/proc/1/cgroup")
	if err != nil {
		return "", false, false
	}
	defer g.Close()
	root = ""
	scan = bufio.NewScanner(g)
	for scan.Scan() {
		parts := strings.Split(scan.Text(), ":")
		if len(parts) < 3 {
			continue
		}
		systems := strings.Split(parts[1], ",")
		for _, system := range systems {
			if system == "name=systemd" {
				last := parts[len(parts)-1]
				if last != "/" && last != "/init.scope" {
					root = "/systemd"
				}
			}
		}
	}

	return root, hasCFS, hasPIDs
}
Initial Commit 2019-01-01 08:23:01 +00:00			`package agent`

			`import (`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`"bufio"`
Initial Commit 2019-01-01 08:23:01 +00:00			`"math/rand"`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`"os"`
Continued refactoring 2019-01-09 16:54:15 +00:00			`"path/filepath"`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`"strings"`
Initial Commit 2019-01-01 08:23:01 +00:00			`"time"`

Add rootless support 2019-03-08 22:47:44 +00:00			`"github.com/opencontainers/runc/libcontainer/system"`
Continued refactoring 2019-01-09 16:54:15 +00:00			`"github.com/rancher/k3s/pkg/daemons/config"`
Encapsulate execution logic This moves all the calls to cobra root commands to one package so that we can change the behavior of running components as embedded or external. 2020-04-27 17:09:58 +00:00			`"github.com/rancher/k3s/pkg/daemons/executor"`
Initial Commit 2019-01-01 08:23:01 +00:00			`"github.com/sirupsen/logrus"`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`"k8s.io/apimachinery/pkg/util/net"`
Updates for k8s 1.14 2019-04-08 17:53:52 +00:00			`"k8s.io/component-base/logs"`
Bind kubelet to all interfaces and use webhook auth 2019-04-26 22:02:30 +00:00			`"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"`
Add rootless support 2019-03-08 22:47:44 +00:00
Update k3s for k8s 1.17.0 2019-12-12 01:23:55 +00:00			`_ "k8s.io/component-base/metrics/prometheus/restclient" // for client metric registration`
			`_ "k8s.io/component-base/metrics/prometheus/version" // for version metric registration`
Initial Commit 2019-01-01 08:23:01 +00:00			`)`

			`func Agent(config *config.Agent) error {`
			`rand.Seed(time.Now().UTC().UnixNano())`

Refactor node password location 2019-11-05 09:45:07 +00:00			`logs.InitLogs()`
			`defer logs.FlushLogs()`

Encapsulate execution logic This moves all the calls to cobra root commands to one package so that we can change the behavior of running components as embedded or external. 2020-04-27 17:09:58 +00:00			`if err := startKubelet(config); err != nil {`
			`return err`
			`}`
Add ability to disable kubeproxy 2020-04-27 16:31:25 +00:00
			`if !config.DisableKubeProxy {`
			`return startKubeProxy(config)`
			`}`
Initial Commit 2019-01-01 08:23:01 +00:00
			`return nil`
			`}`

Add ability to disable kubeproxy 2020-04-27 16:31:25 +00:00			`func startKubeProxy(cfg *config.Agent) error {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap := map[string]string{`
			`"proxy-mode": "iptables",`
			`"healthz-bind-address": "127.0.0.1",`
Refactor certs 2019-05-29 18:53:51 +00:00			`"kubeconfig": cfg.KubeConfigKubeProxy,`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`"cluster-cidr": cfg.ClusterCIDR.String(),`
			`}`
Refactor node password location 2019-11-05 09:45:07 +00:00			`if cfg.NodeName != "" {`
			`argsMap["hostname-override"] = cfg.NodeName`
			`}`
Initial Commit 2019-01-01 08:23:01 +00:00
Refactor node password location 2019-11-05 09:45:07 +00:00			`args := config.GetArgsList(argsMap, cfg.ExtraKubeProxyArgs)`
Encapsulate execution logic This moves all the calls to cobra root commands to one package so that we can change the behavior of running components as embedded or external. 2020-04-27 17:09:58 +00:00			`logrus.Infof("Running kube-proxy %s", config.ArgString(args))`
			`return executor.KubeProxy(args)`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`

Encapsulate execution logic This moves all the calls to cobra root commands to one package so that we can change the behavior of running components as embedded or external. 2020-04-27 17:09:58 +00:00			`func startKubelet(cfg *config.Agent) error {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap := map[string]string{`
			`"healthz-bind-address": "127.0.0.1",`
			`"read-only-port": "0",`
Add --cluster-domain option 2019-04-12 06:06:35 +00:00			`"cluster-domain": cfg.ClusterDomain,`
Refactor certs 2019-05-29 18:53:51 +00:00			`"kubeconfig": cfg.KubeConfigKubelet,`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`"eviction-hard": "imagefs.available<5%,nodefs.available<5%",`
			`"eviction-minimum-reclaim": "imagefs.available=10%,nodefs.available=10%",`
			`"fail-swap-on": "false",`
			`//"cgroup-root": "/k3s",`
Enable aggregation layer Configure kube-apiserver, kubelets, and kube-proxy for use with aggregation layer in order for metrics-server deployment to function correctly. 2019-04-10 18:09:38 +00:00			`"cgroup-driver": "cgroupfs",`
			`"authentication-token-webhook": "true",`
Add anonymous-auth=false and remove NodeRestriction 2019-08-27 04:36:56 +00:00			`"anonymous-auth": "false",`
Bind kubelet to all interfaces and use webhook auth 2019-04-26 22:02:30 +00:00			`"authorization-mode": modes.ModeWebhook,`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
Suppport static pods at ${datadir}/agent/pod-manifests 2020-04-27 16:41:57 +00:00			`if cfg.PodManifests != "" && argsMap["pod-manifest-path"] == "" {`
			`argsMap["pod-manifest-path"] = cfg.PodManifests`
			`}`
			`if err := os.MkdirAll(argsMap["pod-manifest-path"], 0755); err != nil {`
			`logrus.Errorf("Failed to mkdir %s: %v", argsMap["pod-manifest-path"], err)`
			`}`
Continued refactoring 2019-01-09 16:54:15 +00:00			`if cfg.RootDir != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["root-dir"] = cfg.RootDir`
			`argsMap["cert-dir"] = filepath.Join(cfg.RootDir, "pki")`
			`argsMap["seccomp-profile-root"] = filepath.Join(cfg.RootDir, "seccomp")`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
Continued refactoring 2019-01-09 16:54:15 +00:00			`if cfg.CNIConfDir != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["cni-conf-dir"] = cfg.CNIConfDir`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
Continued refactoring 2019-01-09 16:54:15 +00:00			`if cfg.CNIBinDir != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["cni-bin-dir"] = cfg.CNIBinDir`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
Add cni plugin to kubelet if docker is used 2019-04-30 20:12:02 +00:00			`if cfg.CNIPlugin {`
			`argsMap["network-plugin"] = "cni"`
			`}`
Continued refactoring 2019-01-09 16:54:15 +00:00			`if len(cfg.ClusterDNS) > 0 {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["cluster-dns"] = cfg.ClusterDNS.String()`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
Kubelet resolv.conf DNS update Allow the kubelet resolv-conf flag to be set, or automatically discovered from /etc/resolv.conf & /run/systemd/resolve/resolv.conf if no loopback devices are present, or create our own which points to nameserver 8.8.8.8 2019-03-26 22:15:16 +00:00			`if cfg.ResolvConf != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["resolv-conf"] = cfg.ResolvConf`
Kubelet resolv.conf DNS update Allow the kubelet resolv-conf flag to be set, or automatically discovered from /etc/resolv.conf & /run/systemd/resolve/resolv.conf if no loopback devices are present, or create our own which points to nameserver 8.8.8.8 2019-03-26 22:15:16 +00:00			`}`
Continued refactoring 2019-01-09 16:54:15 +00:00			`if cfg.RuntimeSocket != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["container-runtime"] = "remote"`
			`argsMap["container-runtime-endpoint"] = cfg.RuntimeSocket`
Run kubelet with containerd flag The containerd flag was accidentally added to kubelet and is deprecated, but needed for cadvisor to properly connect with the k3s containerd socket, so adding for now. 2020-01-16 17:21:19 +00:00			`argsMap["containerd"] = cfg.RuntimeSocket`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["serialize-image-pulls"] = "false"`
Allow --pause-image to set docker sandbox image also 2019-12-10 23:16:26 +00:00			`} else if cfg.PauseImage != "" {`
			`argsMap["pod-infra-container-image"] = cfg.PauseImage`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
Continued refactoring 2019-01-09 16:54:15 +00:00			`if cfg.ListenAddress != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["address"] = cfg.ListenAddress`
Continued refactoring 2019-01-09 16:54:15 +00:00			`}`
Refactor certs 2019-05-29 18:53:51 +00:00			`if cfg.ClientCA != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["anonymous-auth"] = "false"`
Refactor certs 2019-05-29 18:53:51 +00:00			`argsMap["client-ca-file"] = cfg.ClientCA`
Add node name to node cert generation 2019-04-19 18:20:34 +00:00			`}`
Refactor certs 2019-05-29 18:53:51 +00:00			`if cfg.ServingKubeletCert != "" && cfg.ServingKubeletKey != "" {`
			`argsMap["tls-cert-file"] = cfg.ServingKubeletCert`
			`argsMap["tls-private-key-file"] = cfg.ServingKubeletKey`
Continued refactoring 2019-01-09 16:54:15 +00:00			`}`
			`if cfg.NodeName != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["hostname-override"] = cfg.NodeName`
Continued refactoring 2019-01-09 16:54:15 +00:00			`}`
			`defaultIP, err := net.ChooseHostInterface()`
			`if err != nil \|\| defaultIP.String() != cfg.NodeIP {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["node-ip"] = cfg.NodeIP`
Continued refactoring 2019-01-09 16:54:15 +00:00			`}`
Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`root, hasCFS, hasPIDs := checkCgroups()`
Cleanup docker cgroup errors in kubelet 2019-03-04 05:00:47 +00:00			`if !hasCFS {`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`logrus.Warn("Disabling CPU quotas due to missing cpu.cfs_period_us")`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["cpu-cfs-quota"] = "false"`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`}`
Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`if !hasPIDs {`
			`logrus.Warn("Disabling pod PIDs limit feature due to missing cgroup pids support")`
			`argsMap["cgroups-per-qos"] = "false"`
			`argsMap["enforce-node-allocatable"] = ""`
			`argsMap["feature-gates"] = addFeatureGate(argsMap["feature-gates"], "SupportPodPidsLimit=false")`
			`}`
Cleanup docker cgroup errors in kubelet 2019-03-04 05:00:47 +00:00			`if root != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["runtime-cgroups"] = root`
			`argsMap["kubelet-cgroups"] = root`
Cleanup docker cgroup errors in kubelet 2019-03-04 05:00:47 +00:00			`}`
Add rootless support 2019-03-08 22:47:44 +00:00			`if system.RunningInUserNS() {`
Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`argsMap["feature-gates"] = addFeatureGate(argsMap["feature-gates"], "DevicePlugins=false")`
Add rootless support 2019-03-08 22:47:44 +00:00			`}`
Initial Commit 2019-01-01 08:23:01 +00:00
Expose node labels and taints and add node roles 2019-05-07 23:47:07 +00:00			`argsMap["node-labels"] = strings.Join(cfg.NodeLabels, ",")`
			`if len(cfg.NodeTaints) > 0 {`
			`argsMap["register-with-taints"] = strings.Join(cfg.NodeTaints, ",")`
			`}`
Add k3s cloud provider 2019-10-15 21:17:26 +00:00			`if !cfg.DisableCCM {`
			`argsMap["cloud-provider"] = "external"`
			`}`

rootless: add kubelet flags automatically Fix https://github.com/rancher/k3s/issues/784 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> 2019-10-19 10:18:51 +00:00			`if cfg.Rootless {`
			`// flags are from https://github.com/rootless-containers/usernetes/blob/v20190826.0/boot/kubelet.sh`
			`argsMap["cgroup-driver"] = "none"`
			`argsMap["feature-gates=SupportNoneCgroupDriver"] = "true"`
			`argsMap["cgroups-per-qos"] = "false"`
			`argsMap["enforce-node-allocatable"] = ""`
			`}`

update cis flag implementation to propogate the rest of the way through to kubelet Signed-off-by: Brian Downs <brian.downs@gmail.com> 2020-07-20 23:31:56 +00:00			`if cfg.ProtectKernelDefaults {`
			`argsMap["protect-kernel-defaults"] = "true"`
			`}`

Add rootless support 2019-03-08 22:47:44 +00:00			`args := config.GetArgsList(argsMap, cfg.ExtraKubeletArgs)`
Encapsulate execution logic This moves all the calls to cobra root commands to one package so that we can change the behavior of running components as embedded or external. 2020-04-27 17:09:58 +00:00			`logrus.Infof("Running kubelet %s", config.ArgString(args))`
Initial Commit 2019-01-01 08:23:01 +00:00
Encapsulate execution logic This moves all the calls to cobra root commands to one package so that we can change the behavior of running components as embedded or external. 2020-04-27 17:09:58 +00:00			`return executor.Kubelet(args)`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
Prepare for initial release 2019-01-22 21:14:58 +00:00
Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`func addFeatureGate(current, new string) string {`
			`if current == "" {`
			`return new`
			`}`
			`return current + "," + new`
			`}`

			`func checkCgroups() (root string, hasCFS bool, hasPIDs bool) {`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`f, err := os.Open("/proc/self/cgroup")`
			`if err != nil {`
Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`return "", false, false`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`}`
			`defer f.Close()`

			`scan := bufio.NewScanner(f)`
			`for scan.Scan() {`
			`parts := strings.Split(scan.Text(), ":")`
			`if len(parts) < 3 {`
			`continue`
			`}`
			`systems := strings.Split(parts[1], ",")`
			`for _, system := range systems {`
Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`if system == "pids" {`
			`hasPIDs = true`
			`} else if system == "cpu" {`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`p := filepath.Join("/sys/fs/cgroup", parts[1], parts[2], "cpu.cfs_period_us")`
			`if _, err := os.Stat(p); err == nil {`
Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`hasCFS = true`
Cleanup docker cgroup errors in kubelet 2019-03-04 05:00:47 +00:00			`}`
When there is a defined cgroup for PID 1, assume we are containerized and set a root Signed-off-by: Chris Kim <oats87g@gmail.com> 2020-12-07 03:23:44 +00:00			`}`
			`}`
			`}`

			`// Examine process ID 1 to see if there is a cgroup assigned to it.`
			`// When we are not in a container, process 1 is likely to be systemd or some other service manager.`
Handle the case when systemd lives under `/init.scope` Signed-off-by: Chris Kim <oats87g@gmail.com> 2020-12-08 18:26:54 +00:00			// It either lives at `/` or `/init.scope` according to https://man7.org/linux/man-pages/man7/systemd.special.7.html
When there is a defined cgroup for PID 1, assume we are containerized and set a root Signed-off-by: Chris Kim <oats87g@gmail.com> 2020-12-07 03:23:44 +00:00			`// When containerized, process 1 will be generally be in a cgroup, otherwise, we may be running in`
			`// a host PID scenario but we don't support this.`
			`g, err := os.Open("/proc/1/cgroup")`
			`if err != nil {`
			`return "", false, false`
			`}`
			`defer g.Close()`
			`root = ""`
			`scan = bufio.NewScanner(g)`
			`for scan.Scan() {`
			`parts := strings.Split(scan.Text(), ":")`
			`if len(parts) < 3 {`
			`continue`
			`}`
			`systems := strings.Split(parts[1], ",")`
			`for _, system := range systems {`
			`if system == "name=systemd" {`
Cleanup docker cgroup errors in kubelet 2019-03-04 05:00:47 +00:00			`last := parts[len(parts)-1]`
Handle the case when systemd lives under `/init.scope` Signed-off-by: Chris Kim <oats87g@gmail.com> 2020-12-08 18:26:54 +00:00			`if last != "/" && last != "/init.scope" {`
Appease kubelet warnings on docker for mac On my environment, the name=systemd entry in /proc/self/cgroup looks like: 13:name=systemd:/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499 Kubelet periodically complains like: E0802 06:42:52.667123 1 summary_sys_containers.go:47] Failed to get system container stats for "/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499/kube-proxy": failed to get cgroup stats for "/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499/kube-proxy": failed to get container info for "/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499/kube-proxy": unknown container "/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499/kube-proxy" 2019-08-02 06:52:21 +00:00			`root = "/systemd"`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`}`
			`}`
			`}`
			`}`

Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`return root, hasCFS, hasPIDs`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`}`