Merge branch 'master' into selinux-install
commit
5753dbd6ae
@ -1,12 +1,7 @@
|
||||
./bin
|
||||
./etc
|
||||
./build/data
|
||||
./build/data.tar.gz
|
||||
./pkg/data/zz_generated_bindata.go
|
||||
./package/data.tar.gz
|
||||
./.vagrant
|
||||
./.cache
|
||||
./.dapper
|
||||
./data-dir
|
||||
./dist
|
||||
./.trash-cache
|
||||
|
92
.drone.yml
92
.drone.yml
@ -59,6 +59,31 @@ steps:
|
||||
event:
|
||||
- tag
|
||||
|
||||
- name: rpm-publish
|
||||
image: centos:7
|
||||
environment:
|
||||
PRIVATE_KEY:
|
||||
from_secret: private_key
|
||||
PRIVATE_KEY_PASS_PHRASE:
|
||||
from_secret: private_key_pass_phrase
|
||||
AWS_S3_BUCKET:
|
||||
from_secret: aws_s3_bucket
|
||||
AWS_ACCESS_KEY_ID:
|
||||
from_secret: aws_access_key_id
|
||||
AWS_SECRET_ACCESS_KEY:
|
||||
from_secret: aws_secret_access_key
|
||||
commands:
|
||||
- scripts/provision/generic/centos7/yum-install-rpm-tools
|
||||
- scripts/package-rpm
|
||||
when:
|
||||
instance:
|
||||
- drone-publish.rancher.io
|
||||
ref:
|
||||
- refs/head/master
|
||||
- refs/tags/*
|
||||
event:
|
||||
- tag
|
||||
|
||||
- name: test
|
||||
image: rancher/dapper:v0.4.2
|
||||
secrets: [ gcloud_auth ]
|
||||
@ -154,6 +179,31 @@ steps:
|
||||
event:
|
||||
- tag
|
||||
|
||||
- name: rpm-publish
|
||||
image: centos:7
|
||||
environment:
|
||||
PRIVATE_KEY:
|
||||
from_secret: private_key
|
||||
PRIVATE_KEY_PASS_PHRASE:
|
||||
from_secret: private_key_pass_phrase
|
||||
AWS_S3_BUCKET:
|
||||
from_secret: aws_s3_bucket
|
||||
AWS_ACCESS_KEY_ID:
|
||||
from_secret: aws_access_key_id
|
||||
AWS_SECRET_ACCESS_KEY:
|
||||
from_secret: aws_secret_access_key
|
||||
commands:
|
||||
- scripts/provision/generic/centos7/yum-install-rpm-tools
|
||||
- scripts/package-rpm
|
||||
when:
|
||||
instance:
|
||||
- drone-publish.rancher.io
|
||||
ref:
|
||||
- refs/head/master
|
||||
- refs/tags/*
|
||||
event:
|
||||
- tag
|
||||
|
||||
- name: test
|
||||
image: rancher/dapper:v0.4.2
|
||||
secrets: [ gcloud_auth ]
|
||||
@ -273,7 +323,8 @@ steps:
|
||||
- DOCKER_USERNAME
|
||||
- DOCKER_PASSWORD
|
||||
- DRONE_TAG
|
||||
when:
|
||||
|
||||
trigger:
|
||||
instance:
|
||||
- drone-publish.rancher.io
|
||||
ref:
|
||||
@ -286,3 +337,42 @@ depends_on:
|
||||
- amd64
|
||||
- arm64
|
||||
- arm
|
||||
|
||||
---
|
||||
kind: pipeline
|
||||
name: dispatch
|
||||
|
||||
platform:
|
||||
os: linux
|
||||
arch: amd64
|
||||
|
||||
steps:
|
||||
- name: dispatch
|
||||
image: rancher/dapper:v0.4.2
|
||||
environment:
|
||||
PAT_USERNAME:
|
||||
from_secret: pat_username
|
||||
PAT_TOKEN:
|
||||
from_secret: github_token
|
||||
commands:
|
||||
- dapper dispatch
|
||||
volumes:
|
||||
- name: docker
|
||||
path: /var/run/docker.sock
|
||||
|
||||
trigger:
|
||||
instance:
|
||||
- drone-publish.rancher.io
|
||||
ref:
|
||||
- refs/head/master
|
||||
- refs/tags/*
|
||||
event:
|
||||
- tag
|
||||
|
||||
volumes:
|
||||
- name: docker
|
||||
host:
|
||||
path: /var/run/docker.sock
|
||||
|
||||
depends_on:
|
||||
- manifest
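Review bot: The branch filter in the new rpm-publish and dispatch triggers is written as `- refs/head/master` (the `ref:` list under `when:` / `trigger:`), but Git branch refs live under `refs/heads/`, so that entry can never match; the same string appears in both rpm-publish copies and in the dispatch pipeline. Because each of these also restricts `event:` to `tag`, the typo is currently masked, but it will surface as soon as someone expects a master build to publish an RPM or dispatch. Replace it with `- refs/heads/master` in all three places, or drop the entry if only tags are meant to publish.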
|
1
.gitignore
vendored
1
.gitignore
vendored
@ -28,3 +28,4 @@ __pycache__
|
||||
/tests/.tox/
|
||||
/tests/.vscode
|
||||
/sonobuoy-output
|
||||
*.tmp
|
||||
|
@ -1,13 +1,13 @@
|
||||
FROM golang:1.13.8-alpine3.10
|
||||
|
||||
RUN apk -U --no-cache add bash git gcc musl-dev docker vim less file curl wget ca-certificates jq linux-headers zlib-dev tar zip squashfs-tools npm coreutils \
|
||||
python2 python3 py3-pip python3-dev openssl-dev libffi-dev libseccomp libseccomp-dev make libuv-static
|
||||
RUN pip3 install 'tox==3.6.0'
|
||||
RUN apk -U --no-cache --repository http://dl-3.alpinelinux.org/alpine/edge/main/ add sqlite-dev sqlite-static
|
||||
python2 openssl-dev libffi-dev libseccomp libseccomp-dev make libuv-static
|
||||
|
||||
RUN apk -U --no-cache --repository http://dl-3.alpinelinux.org/alpine/edge/main/ add sqlite-dev sqlite-static libselinux libselinux-dev
|
||||
RUN mkdir -p /go/src/golang.org/x && \
|
||||
cd /go/src/golang.org/x && git clone https://github.com/golang/tools && \
|
||||
git -C /go/src/golang.org/x/tools checkout -b current aa82965741a9fecd12b026fbb3d3c6ed3231b8f8 && \
|
||||
go install golang.org/x/tools/cmd/goimports
|
||||
cd /go/src/golang.org/x && git clone https://github.com/golang/tools && cd tools && \
|
||||
git checkout -b current aa82965741a9fecd12b026fbb3d3c6ed3231b8f8 && \
|
||||
go install golang.org/x/tools/cmd/goimports && cd
|
||||
RUN rm -rf /go/src /go/pkg
|
||||
|
||||
ARG DAPPER_HOST_ARCH
|
||||
@ -17,6 +17,9 @@ RUN if [ "${ARCH}" == "amd64" ]; then \
|
||||
curl -sL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s v1.15.0; \
|
||||
fi
|
||||
|
||||
ARG SELINUX=true
|
||||
ENV SELINUX $SELINUX
|
||||
|
||||
ARG DQLITE=true
|
||||
ENV DQLITE $DQLITE
|
||||
COPY --from=rancher/dqlite-build:v1.3.1-r1 /dist/artifacts /usr/src/
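Review bot: The rewritten `apk add` line that now also installs `libselinux libselinux-dev` takes them, like the sqlite packages before it, from the unpinned `edge/main` repository, so the build image can change whenever edge moves and an SELinux toolchain difference can appear without any edit to this file; pinning the versions (`libselinux=<version>`, placeholder) or recording the resolved versions in the image would keep builds reproducible. The repository URL itself is pre-existing and apk still verifies index signatures. The trailing `&& cd` on the rewritten `go install` line is a no-op at the end of a RUN step and can be dropped.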
|
||||
|
68
Vagrantfile
vendored
68
Vagrantfile
vendored
@ -1,12 +1,13 @@
|
||||
BOX = "generic/alpine310"
|
||||
OS = (ENV['OS'] || "alpine310")
|
||||
BOX_REPO = (ENV['BOX_REPO'] || "generic")
|
||||
HOME = File.dirname(__FILE__)
|
||||
PROJECT = File.basename(HOME)
|
||||
MOUNT_TYPE = ENV['MOUNT_TYPE'] || "nfs"
|
||||
NUM_NODES = (ENV['NUM_NODES'] || 0).to_i
|
||||
NODE_CPUS = (ENV['NODE_CPUS'] || 4).to_i
|
||||
NODE_MEMORY = (ENV['NODE_MEMORY'] || 8192).to_i
|
||||
NETWORK_PREFIX = ENV['NETWORK_PREFIX'] || "10.135.135"
|
||||
VAGRANT_PROVISION = ENV['VAGRANT_PROVISION'] || "./scripts/vagrant-provision"
|
||||
VAGRANT_PROVISION = ENV['VAGRANT_PROVISION'] || "./scripts/provision/vagrant"
|
||||
MOUNT_TYPE = ENV['MOUNT_TYPE'] || "nfs"
|
||||
|
||||
# --- Rules for /etc/sudoers to avoid password entry configuring NFS:
|
||||
# %admin ALL = (root) NOPASSWD: /usr/bin/sed -E -e * -ibak /etc/exports
|
||||
@ -14,61 +15,36 @@ VAGRANT_PROVISION = ENV['VAGRANT_PROVISION'] || "./scripts/vagrant-provision"
|
||||
# %admin ALL = (root) NOPASSWD: /sbin/nfsd restart
|
||||
# --- May need to add terminal to System Preferences -> Security & Privacy -> Privacy -> Full Disk Access
|
||||
|
||||
# --- Check for missing plugins
|
||||
required_plugins = %w( vagrant-alpine vagrant-timezone )
|
||||
plugin_installed = false
|
||||
required_plugins.each do |plugin|
|
||||
unless Vagrant.has_plugin?(plugin)
|
||||
system "vagrant plugin install #{plugin}"
|
||||
plugin_installed = true
|
||||
def provision(vm, node_num)
|
||||
node_os = (ENV["OS_#{node_num}"] || OS)
|
||||
vm.box = (ENV["BOX_#{node_num}"] || ENV["BOX"] || "#{BOX_REPO}/#{node_os}")
|
||||
vm.hostname = "#{PROJECT}-#{node_num}-#{node_os}"
|
||||
vm.network "private_network", ip: "#{NETWORK_PREFIX}.#{100+node_num}"
|
||||
vm.provision "shell",
|
||||
path: VAGRANT_PROVISION,
|
||||
env: { 'HOME' => HOME, 'GOPATH' => ENV['GOPATH'], 'BOX' => vm.box }
|
||||
end
|
||||
end
|
||||
# --- If new plugins installed, restart Vagrant process
|
||||
if plugin_installed === true
|
||||
exec "vagrant #{ARGV.join' '}"
|
||||
end
|
||||
|
||||
provision = <<SCRIPT
|
||||
# --- Use system gopath if available
|
||||
export GOPATH=#{ENV['GOPATH']}
|
||||
# --- Default to root user for vagrant ssh
|
||||
cat <<\\EOF >/etc/profile.d/root.sh
|
||||
[ $EUID -ne 0 ] && exec sudo -i
|
||||
EOF
|
||||
# --- Set home to current directory
|
||||
cat <<\\EOF >/etc/profile.d/home.sh
|
||||
export HOME="#{HOME}" && cd
|
||||
EOF
|
||||
. /etc/profile.d/home.sh
|
||||
# --- Run vagrant provision script if available
|
||||
if [ ! -x #{VAGRANT_PROVISION} ]; then
|
||||
echo 'WARNING: Unable to execute provision script "#{VAGRANT_PROVISION}"'
|
||||
exit
|
||||
fi
|
||||
echo "running '#{VAGRANT_PROVISION}'..." && \
|
||||
#{VAGRANT_PROVISION} && \
|
||||
echo "finished '#{VAGRANT_PROVISION}'!"
|
||||
SCRIPT
|
||||
|
||||
Vagrant.configure("2") do |config|
|
||||
|
||||
config.vm.provider "virtualbox" do |v|
|
||||
v.cpus = NODE_CPUS
|
||||
v.memory = NODE_MEMORY
|
||||
v.customize ["modifyvm", :id, "--audio", "none"]
|
||||
end
|
||||
|
||||
config.vm.box = BOX
|
||||
config.vm.hostname = PROJECT
|
||||
config.vm.synced_folder ".", HOME, type: MOUNT_TYPE
|
||||
config.vm.provision "shell", inline: provision
|
||||
if Vagrant.has_plugin?("vagrant-timezone")
|
||||
config.timezone.value = :host
|
||||
end
|
||||
config.vm.synced_folder ".", HOME, type: MOUNT_TYPE
|
||||
|
||||
config.vm.network "private_network", ip: "#{NETWORK_PREFIX}.100" if NUM_NODES==0
|
||||
|
||||
if NUM_NODES==0
|
||||
provision(config.vm, 0)
|
||||
else
|
||||
(1..NUM_NODES).each do |i|
|
||||
config.vm.define ".#{i}" do |node|
|
||||
node.vm.network "private_network", ip: "#{NETWORK_PREFIX}.#{100+i}"
|
||||
node.vm.hostname = "#{PROJECT}-#{i}"
|
||||
provision(node.vm, i)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
@ -2,7 +2,9 @@
|
||||
Description=Lightweight Kubernetes
|
||||
Documentation=https://k3s.io
|
||||
After=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
ExecStartPre=-/sbin/modprobe br_netfilter
|
||||
ExecStartPre=-/sbin/modprobe overlay
|
||||
ExecStart=/usr/local/bin/k3s server {{ extra_server_args | default("") }}
|
||||
@ -12,6 +14,7 @@ LimitNOFILE=infinity
|
||||
LimitNPROC=infinity
|
||||
LimitCORE=infinity
|
||||
TasksMax=infinity
|
||||
TimeoutStartSec=infinity
|
||||
Restart=always
|
||||
RestartSec=5s
|
||||
|
||||
|
@ -2,7 +2,11 @@
|
||||
Description=Lightweight Kubernetes
|
||||
Documentation=https://k3s.io
|
||||
After=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
ExecStartPre=-/sbin/modprobe br_netfilter
|
||||
ExecStartPre=-/sbin/modprobe overlay
|
||||
ExecStart=/usr/local/bin/k3s agent --server https://{{ master_ip }}:6443 --token {{ hostvars[groups['master'][0]]['token'] }}
|
||||
KillMode=process
|
||||
Delegate=yes
|
||||
@ -10,6 +14,7 @@ LimitNOFILE=infinity
|
||||
LimitNPROC=infinity
|
||||
LimitCORE=infinity
|
||||
TasksMax=infinity
|
||||
TimeoutStartSec=infinity
|
||||
Restart=always
|
||||
RestartSec=5s
|
||||
|
||||
|
6
go.mod
6
go.mod
@ -7,9 +7,9 @@ replace (
|
||||
github.com/containerd/btrfs => github.com/containerd/btrfs v0.0.0-20181101203652-af5082808c83
|
||||
github.com/containerd/cgroups => github.com/containerd/cgroups v0.0.0-20190717030353-c4b9ac5c7601
|
||||
github.com/containerd/console => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
|
||||
github.com/containerd/containerd => github.com/rancher/containerd v1.3.3-k3s1
|
||||
github.com/containerd/containerd => github.com/rancher/containerd v1.3.3-k3s2
|
||||
github.com/containerd/continuity => github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02
|
||||
github.com/containerd/cri => github.com/rancher/cri v1.3.0-k3s.3
|
||||
github.com/containerd/cri => github.com/rancher/cri v1.3.0-k3s.4
|
||||
github.com/containerd/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c
|
||||
github.com/containerd/go-runc => github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda
|
||||
github.com/containerd/typeurl => github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd
|
||||
@ -94,6 +94,7 @@ require (
|
||||
github.com/mattn/go-sqlite3 v1.13.0
|
||||
github.com/natefinch/lumberjack v2.0.0+incompatible
|
||||
github.com/opencontainers/runc v1.0.0-rc9
|
||||
github.com/opencontainers/selinux v1.3.1-0.20190929122143-5215b1806f52
|
||||
github.com/pkg/errors v0.8.1
|
||||
github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 // indirect
|
||||
github.com/rancher/dynamiclistener v0.2.0
|
||||
@ -122,6 +123,5 @@ require (
|
||||
k8s.io/component-base v0.0.0
|
||||
k8s.io/cri-api v0.0.0
|
||||
k8s.io/klog v1.0.0
|
||||
k8s.io/kubelet v0.0.0
|
||||
k8s.io/kubernetes v1.16.0
|
||||
)
|
||||
|
8
go.sum
8
go.sum
@ -708,10 +708,10 @@ github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:
|
||||
github.com/quobyte/api v0.1.2/go.mod h1:jL7lIHrmqQ7yh05OJ+eEEdHr0u/kmT1Ff9iHd+4H6VI=
|
||||
github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 h1:83l9gPhYtgxODlZKU0Odq4pQuDcMZEVgAh364+PV3OU=
|
||||
github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8/go.mod h1:4XHkfaUj+URzGO9sohoAgt2V9Y8nIW7fugpu0E6gShk=
|
||||
github.com/rancher/containerd v1.3.3-k3s1 h1:j8NGZdXKsZd2ne0XQg6OBfMJ/NkY/Qri6QhscGrJp2M=
|
||||
github.com/rancher/containerd v1.3.3-k3s1/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM=
|
||||
github.com/rancher/cri v1.3.0-k3s.3 h1:j/Sq2LMyg6gBn2MS1j5dEudpdL+UYVH7ubbewUCXkS0=
|
||||
github.com/rancher/cri v1.3.0-k3s.3/go.mod h1:Ht5T1dIKzm+4NExmb7wDVG6qR+j0xeXIjjhCv1d9geY=
|
||||
github.com/rancher/containerd v1.3.3-k3s2 h1:RZr+TqFt7+YsrSYkyytlhW4HmneWeFNM7IymNOoGW6A=
|
||||
github.com/rancher/containerd v1.3.3-k3s2/go.mod h1:ZMfzmqce2Z+QSEqdHMfeJs1TZ/UeJ1aDrazjpQT4ehM=
|
||||
github.com/rancher/cri v1.3.0-k3s.4 h1:BXER8109dxgNw4qq8HHOCJ+3sHO+9AA1cwZTOLlqoTo=
|
||||
github.com/rancher/cri v1.3.0-k3s.4/go.mod h1:Ht5T1dIKzm+4NExmb7wDVG6qR+j0xeXIjjhCv1d9geY=
|
||||
github.com/rancher/cri-tools v1.17.0-k3s1 h1:jfu97FowbraTDc7b6fxWtO+dq+DU2oW+ABBQSEFiRb0=
|
||||
github.com/rancher/cri-tools v1.17.0-k3s1/go.mod h1:bRTZttsvk+nCG8tSFs8D6UUx8CkMXR5TAsRLS0fXAqI=
|
||||
github.com/rancher/dynamiclistener v0.2.0 h1:KucYwJXVVGhZ/NndfMCeQoCafT/VN7kvqSGgmlX8Lxk=
|
||||
|
45
install.sh
45
install.sh
@ -26,6 +26,9 @@ set -e
|
||||
# If set to 'skip' will not create symlinks, 'force' will overwrite,
|
||||
# default will symlink if command does not exist in path.
|
||||
#
|
||||
# - INSTALL_K3S_SKIP_ENABLE
|
||||
# If set to true will not enable or start k3s service.
|
||||
#
|
||||
# - INSTALL_K3S_SKIP_START
|
||||
# If set to true will not start k3s service.
|
||||
#
|
||||
@ -166,11 +169,6 @@ setup_env() {
|
||||
${invalid_chars}"
|
||||
fi
|
||||
|
||||
# --- set related files from system name ---
|
||||
SERVICE_K3S=${SYSTEM_NAME}.service
|
||||
UNINSTALL_K3S_SH=${SYSTEM_NAME}-uninstall.sh
|
||||
KILLALL_K3S_SH=k3s-killall.sh
|
||||
|
||||
# --- use sudo if we are not already root ---
|
||||
SUDO=sudo
|
||||
if [ $(id -u) -eq 0 ]; then
|
||||
@ -202,6 +200,11 @@ setup_env() {
|
||||
SYSTEMD_DIR=/etc/systemd/system
|
||||
fi
|
||||
|
||||
# --- set related files from system name ---
|
||||
SERVICE_K3S=${SYSTEM_NAME}.service
|
||||
UNINSTALL_K3S_SH=${UNINSTALL_K3S_SH:-${BIN_DIR}/${SYSTEM_NAME}-uninstall.sh}
|
||||
KILLALL_K3S_SH=${KILLALL_K3S_SH:-${BIN_DIR}/k3s-killall.sh}
|
||||
|
||||
# --- use service or environment location depending on systemd/openrc ---
|
||||
if [ "${HAS_SYSTEMD}" = true ]; then
|
||||
FILE_K3S_SERVICE=${SYSTEMD_DIR}/${SERVICE_K3S}
|
||||
@ -389,7 +392,7 @@ setup_binary() {
|
||||
|
||||
if ! $SUDO chcon -u system_u -r object_r -t container_runtime_exec_t ${BIN_DIR}/k3s 2>/dev/null 2>&1; then
|
||||
if $SUDO grep SELINUX=enforcing /etc/selinux/config >/dev/null 2>&1; then
|
||||
fatal "Failed to apply container_runtime_exec_t to ${BIN_DIR}/k3s, please install k3s_selinux RPM"
|
||||
fatal "Failed to apply container_runtime_exec_t to ${BIN_DIR}/k3s, please install k3s-selinux RPM"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -425,7 +428,7 @@ create_symlinks() {
|
||||
|
||||
for cmd in kubectl crictl ctr; do
|
||||
if [ ! -e ${BIN_DIR}/${cmd} ] || [ "${INSTALL_K3S_SYMLINK}" = force ]; then
|
||||
which_cmd=$(which ${cmd} || true)
|
||||
which_cmd=$(which ${cmd} 2>/dev/null || true)
|
||||
if [ -z "${which_cmd}" ] || [ "${INSTALL_K3S_SYMLINK}" = force ]; then
|
||||
info "Creating ${BIN_DIR}/${cmd} symlink to k3s"
|
||||
$SUDO ln -sf k3s ${BIN_DIR}/${cmd}
|
||||
@ -441,13 +444,13 @@ create_symlinks() {
|
||||
# --- create killall script ---
|
||||
create_killall() {
|
||||
[ "${INSTALL_K3S_BIN_DIR_READ_ONLY}" = true ] && return
|
||||
info "Creating killall script ${BIN_DIR}/${KILLALL_K3S_SH}"
|
||||
$SUDO tee ${BIN_DIR}/${KILLALL_K3S_SH} >/dev/null << \EOF
|
||||
info "Creating killall script ${KILLALL_K3S_SH}"
|
||||
$SUDO tee ${KILLALL_K3S_SH} >/dev/null << \EOF
|
||||
#!/bin/sh
|
||||
[ $(id -u) -eq 0 ] || exec sudo $0 $@
|
||||
|
||||
for bin in /var/lib/rancher/k3s/data/**/bin/; do
|
||||
[ -d $bin ] && export PATH=$bin:$PATH
|
||||
[ -d $bin ] && export PATH=$PATH:$bin:$bin/aux
|
||||
done
|
||||
|
||||
set -x
|
||||
@ -485,7 +488,7 @@ killtree() {
|
||||
}
|
||||
|
||||
getshims() {
|
||||
lsof | sed -e 's/^[^0-9]*//g; s/ */\t/g' | grep -w 'k3s/data/[^/]*/bin/containerd-shim' | cut -f1 | sort -n -u
|
||||
ps -e -o pid= -o args= | sed -e 's/^ *//; s/\s\s*/\t/;' | grep -w 'k3s/data/[^/]*/bin/containerd-shim' | cut -f1
|
||||
}
|
||||
|
||||
killtree $({ set +x; } 2>/dev/null; getshims; set -x)
|
||||
@ -520,20 +523,20 @@ ip link delete flannel.1
|
||||
rm -rf /var/lib/cni/
|
||||
iptables-save | grep -v KUBE- | grep -v CNI- | iptables-restore
|
||||
EOF
|
||||
$SUDO chmod 755 ${BIN_DIR}/${KILLALL_K3S_SH}
|
||||
$SUDO chown root:root ${BIN_DIR}/${KILLALL_K3S_SH}
|
||||
$SUDO chmod 755 ${KILLALL_K3S_SH}
|
||||
$SUDO chown root:root ${KILLALL_K3S_SH}
|
||||
}
|
||||
|
||||
# --- create uninstall script ---
|
||||
create_uninstall() {
|
||||
[ "${INSTALL_K3S_BIN_DIR_READ_ONLY}" = true ] && return
|
||||
info "Creating uninstall script ${BIN_DIR}/${UNINSTALL_K3S_SH}"
|
||||
$SUDO tee ${BIN_DIR}/${UNINSTALL_K3S_SH} >/dev/null << EOF
|
||||
info "Creating uninstall script ${UNINSTALL_K3S_SH}"
|
||||
$SUDO tee ${UNINSTALL_K3S_SH} >/dev/null << EOF
|
||||
#!/bin/sh
|
||||
set -x
|
||||
[ \$(id -u) -eq 0 ] || exec sudo \$0 \$@
|
||||
|
||||
${BIN_DIR}/${KILLALL_K3S_SH}
|
||||
${KILLALL_K3S_SH}
|
||||
|
||||
if which systemctl; then
|
||||
systemctl disable ${SYSTEM_NAME}
|
||||
@ -548,7 +551,7 @@ rm -f ${FILE_K3S_SERVICE}
|
||||
rm -f ${FILE_K3S_ENV}
|
||||
|
||||
remove_uninstall() {
|
||||
rm -f ${BIN_DIR}/${UNINSTALL_K3S_SH}
|
||||
rm -f ${UNINSTALL_K3S_SH}
|
||||
}
|
||||
trap remove_uninstall EXIT
|
||||
|
||||
@ -567,10 +570,10 @@ rm -rf /etc/rancher/k3s
|
||||
rm -rf /var/lib/rancher/k3s
|
||||
rm -rf /var/lib/kubelet
|
||||
rm -f ${BIN_DIR}/k3s
|
||||
rm -f ${BIN_DIR}/${KILLALL_K3S_SH}
|
||||
rm -f ${KILLALL_K3S_SH}
|
||||
EOF
|
||||
$SUDO chmod 755 ${BIN_DIR}/${UNINSTALL_K3S_SH}
|
||||
$SUDO chown root:root ${BIN_DIR}/${UNINSTALL_K3S_SH}
|
||||
$SUDO chmod 755 ${UNINSTALL_K3S_SH}
|
||||
$SUDO chown root:root ${UNINSTALL_K3S_SH}
|
||||
}
|
||||
|
||||
# --- disable current service if loaded --
|
||||
@ -704,6 +707,8 @@ openrc_start() {
|
||||
|
||||
# --- startup systemd or openrc service ---
|
||||
service_enable_and_start() {
|
||||
[ "${INSTALL_K3S_SKIP_ENABLE}" = true ] && return
|
||||
|
||||
[ "${HAS_SYSTEMD}" = true ] && systemd_enable
|
||||
[ "${HAS_OPENRC}" = true ] && openrc_enable
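Review bot: The new `UNINSTALL_K3S_SH` and `KILLALL_K3S_SH` environment overrides introduced in setup_env are not documented in the variable reference at the top of the script, which this commit extends only with `INSTALL_K3S_SKIP_ENABLE`, even though the RPM spec in the same commit relies on the first of them. Suggest adding, next to the other entries, `# - UNINSTALL_K3S_SH` / `#   Path of the uninstall script to create, defaults to ${BIN_DIR}/${SYSTEM_NAME}-uninstall.sh.` and the matching pair for `KILLALL_K3S_SH`. Since these values are now full paths taken from the environment and are expanded unquoted into `$SUDO tee ${UNINSTALL_K3S_SH}`, the `chmod`/`chown` lines and the generated uninstall heredoc, a value containing whitespace would word-split; quoting the expansions (`"${UNINSTALL_K3S_SH}"`) is cheap insurance.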
|
||||
|
||||
|
57
package/k3s.spec
Normal file
57
package/k3s.spec
Normal file
@ -0,0 +1,57 @@
|
||||
# vim: sw=4:ts=4:et
|
||||
|
||||
%define install_path /usr/bin
|
||||
%define util_path %{_datadir}/k3s
|
||||
%define install_sh %{util_path}/.install.sh
|
||||
%define uninstall_sh %{util_path}/.uninstall.sh
|
||||
|
||||
Name: k3s
|
||||
Version: %{k3s_version}
|
||||
Release: %{k3s_release}%{?dist}
|
||||
Summary: Lightweight Kubernetes
|
||||
|
||||
Group: System Environment/Base
|
||||
License: ASL 2.0
|
||||
URL: http://k3s.io
|
||||
|
||||
BuildRequires: systemd
|
||||
Requires(post): k3s-selinux >= %{k3s_policyver}
|
||||
|
||||
%description
|
||||
The certified Kubernetes distribution built for IoT & Edge computing.
|
||||
|
||||
%install
|
||||
install -d %{buildroot}%{install_path}
|
||||
install dist/artifacts/%{k3s_binary} %{buildroot}%{install_path}/k3s
|
||||
install -d %{buildroot}%{util_path}
|
||||
install install.sh %{buildroot}%{install_sh}
|
||||
|
||||
%post
|
||||
# do not run install script on upgrade
|
||||
echo post-install args: $@
|
||||
if [ $1 == 1 ]; then
|
||||
INSTALL_K3S_BIN_DIR=%{install_path} \
|
||||
INSTALL_K3S_SKIP_DOWNLOAD=true \
|
||||
INSTALL_K3S_SKIP_ENABLE=true \
|
||||
UNINSTALL_K3S_SH=%{uninstall_sh} \
|
||||
%{install_sh}
|
||||
fi
|
||||
%systemd_post k3s.service
|
||||
exit 0
|
||||
|
||||
%postun
|
||||
echo post-uninstall args: $@
|
||||
# do not run uninstall script on upgrade
|
||||
if [ $1 == 0 ]; then
|
||||
%{uninstall_sh}
|
||||
rm -rf %{util_path}
|
||||
fi
|
||||
exit 0
|
||||
|
||||
%files
|
||||
%{install_path}/k3s
|
||||
%{install_sh}
|
||||
|
||||
%changelog
|
||||
* Mon Mar 2 2020 Erik Wilson <erik@rancher.com> 0.1-1
|
||||
- Initial version
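Review bot: The `%post` scriptlet tests the install count with `[ $1 == 1 ]`, a bash-only comparison; `[ "$1" -eq 1 ]` (and `[ "$1" -eq 0 ]` in `%postun`) is the portable form and also copes with the unquoted argument. The unconditional `exit 0` after each block means a failure of `%{install_sh}` or `%{uninstall_sh}` is never reported, and the `echo post-install args: $@` / `echo post-uninstall args: $@` lines read as leftover debugging output that will show up in every rpm transaction. `%systemd_post k3s.service` refers to a unit this package does not list in `%files`; presumably install.sh creates it in `%post`, which deserves a comment in the spec so the ordering is not accidentally broken.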
|
@ -397,6 +397,7 @@ func get(envInfo *cmds.Agent) (*config.Node, error) {
|
||||
|
||||
nodeConfig := &config.Node{
|
||||
Docker: envInfo.Docker,
|
||||
DisableSELinux: envInfo.DisableSELinux,
|
||||
ContainerRuntimeEndpoint: envInfo.ContainerRuntimeEndpoint,
|
||||
FlannelBackend: controlConfig.FlannelBackend,
|
||||
}
|
||||
@ -474,6 +475,7 @@ func get(envInfo *cmds.Agent) (*config.Node, error) {
|
||||
nodeConfig.AgentConfig.DisableCCM = controlConfig.DisableCCM
|
||||
nodeConfig.AgentConfig.DisableNPC = controlConfig.DisableNPC
|
||||
nodeConfig.AgentConfig.Rootless = envInfo.Rootless
|
||||
nodeConfig.DisableSELinux = envInfo.DisableSELinux
|
||||
|
||||
return nodeConfig, nil
|
||||
}
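Review bot: `DisableSELinux` is assigned twice in `get` from the same source: once in the `config.Node` literal (`DisableSELinux: envInfo.DisableSELinux,`) and again just before the return (`nodeConfig.DisableSELinux = envInfo.DisableSELinux`), so one of the two is redundant; keep the struct-literal initializer and drop the later assignment. The body of `get` between the two hunks is outside this view, so if something there is expected to override the field, the second assignment would silently undo it — worth a comment if that is intentional.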
|
||||
|
15
pkg/agent/containerd/command.go
Normal file
15
pkg/agent/containerd/command.go
Normal file
@ -0,0 +1,15 @@
|
||||
// +build !windows
|
||||
|
||||
package containerd
|
||||
|
||||
import (
|
||||
"os/exec"
|
||||
"syscall"
|
||||
)
|
||||
|
||||
func addDeathSig(cmd *exec.Cmd) {
|
||||
// not supported in this OS
|
||||
cmd.SysProcAttr = &syscall.SysProcAttr{
|
||||
Pdeathsig: syscall.SIGKILL,
|
||||
}
|
||||
}
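Review bot: The comment `// not supported in this OS` inside the non-Windows `addDeathSig` was copied from the Windows stub and is wrong here, where the death signal is actually installed; replace it with a doc comment such as `// addDeathSig asks the kernel to SIGKILL the child when the spawning k3s thread exits, so containerd does not outlive the agent.` `Pdeathsig` is a Linux (and FreeBSD) field of `syscall.SysProcAttr`, so the `// +build !windows` constraint admits GOOS values such as darwin where this file would not compile; `// +build linux` with the stub constrained to `!linux` would match where the field exists. Since Pdeathsig is tied to the parent thread rather than the process, which is usually harmless under the Go runtime but not guaranteed, stating that caveat in the comment would help the next reader.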
|
7
pkg/agent/containerd/command_windows.go
Normal file
7
pkg/agent/containerd/command_windows.go
Normal file
@ -0,0 +1,7 @@
|
||||
package containerd
|
||||
|
||||
import "os/exec"
|
||||
|
||||
func addDeathSig(_ *exec.Cmd) {
|
||||
// not supported in this OS
|
||||
}
|
@ -8,13 +8,13 @@ import (
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/namespaces"
|
||||
"github.com/natefinch/lumberjack"
|
||||
"github.com/opencontainers/runc/libcontainer/system"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/rancher/k3s/pkg/agent/templates"
|
||||
util2 "github.com/rancher/k3s/pkg/agent/util"
|
||||
"github.com/rancher/k3s/pkg/daemons/config"
|
||||
@ -66,9 +66,7 @@ func Run(ctx context.Context, cfg *config.Node) error {
|
||||
cmd := exec.Command(args[0], args[1:]...)
|
||||
cmd.Stdout = stdOut
|
||||
cmd.Stderr = stdErr
|
||||
cmd.SysProcAttr = &syscall.SysProcAttr{
|
||||
Pdeathsig: syscall.SIGKILL,
|
||||
}
|
||||
addDeathSig(cmd)
|
||||
if err := cmd.Run(); err != nil {
|
||||
fmt.Fprintf(os.Stderr, "containerd: %s\n", err)
|
||||
}
|
||||
@ -170,6 +168,22 @@ func setupContainerdConfig(ctx context.Context, cfg *config.Node) error {
|
||||
PrivateRegistryConfig: privRegistries,
|
||||
}
|
||||
|
||||
selEnabled, selConfigured, err := selinuxStatus()
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "failed to detect selinux")
|
||||
}
|
||||
if cfg.DisableSELinux {
|
||||
containerdConfig.SELinuxEnabled = false
|
||||
if selEnabled {
|
||||
logrus.Warn("SELinux is enabled for system but has been disabled for containerd by override")
|
||||
}
|
||||
} else {
|
||||
containerdConfig.SELinuxEnabled = selEnabled
|
||||
}
|
||||
if containerdConfig.SELinuxEnabled && !selConfigured {
|
||||
logrus.Warnf("SELinux is enabled for k3s but process is not running in context '%s', k3s-selinux policy may need to be applied", SELinuxContextType)
|
||||
}
|
||||
|
||||
containerdTemplateBytes, err := ioutil.ReadFile(cfg.Containerd.Template)
|
||||
if err == nil {
|
||||
logrus.Infof("Using containerd template at %s", cfg.Containerd.Template)
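Review bot: When `containerdConfig.SELinuxEnabled` is true but `selConfigured` is false, the new block in setupContainerdConfig only logs a warning and still renders `enable_selinux = true` into the containerd config, so on an enforcing host containerd keeps running in the wrong domain and container creation fails later with far less obvious errors than this message. If that is intended (install.sh in this commit points users at the k3s-selinux RPM), say so in a comment, e.g. `// Keep SELinux on even when our domain is wrong: the policy is expected to be installed separately, so only warn here.`; otherwise consider degrading `SELinuxEnabled` to false or returning an error. Note also that `selinux.GetEnabled()` is presumably true in permissive mode as well, so `selEnabled` does not imply enforcing — the warning text is accurate but readers may take "enabled" to mean enforcing. The rest of setupContainerdConfig lies outside this hunk.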
|
||||
|
27
pkg/agent/containerd/selinux.go
Normal file
27
pkg/agent/containerd/selinux.go
Normal file
@ -0,0 +1,27 @@
|
||||
package containerd
|
||||
|
||||
import (
|
||||
"github.com/opencontainers/selinux/go-selinux"
|
||||
)
|
||||
|
||||
const (
|
||||
SELinuxContextType = "container_runtime_t"
|
||||
)
|
||||
|
||||
func selinuxStatus() (bool, bool, error) {
|
||||
if !selinux.GetEnabled() {
|
||||
return false, false, nil
|
||||
}
|
||||
|
||||
label, err := selinux.CurrentLabel()
|
||||
if err != nil {
|
||||
return true, false, err
|
||||
}
|
||||
|
||||
ctx, err := selinux.NewContext(label)
|
||||
if err != nil {
|
||||
return true, false, err
|
||||
}
|
||||
|
||||
return true, ctx["type"] == SELinuxContextType, nil
|
||||
}
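Review bot: `selinuxStatus` returns two unnamed bools that callers have to keep straight by position, and neither it nor the exported `SELinuxContextType` has a doc comment. Suggest naming the results, `func selinuxStatus() (enabled, inContext bool, err error)`, and documenting them: `// selinuxStatus reports whether SELinux is enabled on this host and whether the current process already runs in the SELinuxContextType domain.` and `// SELinuxContextType is the SELinux domain the k3s-selinux policy assigns to the k3s/containerd process.`. It would also be worth stating that a label-parsing error is returned together with enabled=true, since callers treat that as fatal.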
|
10
pkg/agent/netpol/netpol_windows.go
Normal file
10
pkg/agent/netpol/netpol_windows.go
Normal file
@ -0,0 +1,10 @@
|
||||
package netpol
|
||||
|
||||
import (
|
||||
"context"
|
||||
daemonconfig "github.com/rancher/k3s/pkg/daemons/config"
|
||||
)
|
||||
|
||||
func Run(ctx context.Context, nodeConfig *daemonconfig.Node) error {
|
||||
panic("Netpol is not supported on windows ensure to pass --disable-network-policy")
|
||||
}
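Review bot: `Run` already returns an `error`, yet the Windows stub panics, which brings down the whole agent with a stack trace instead of letting the caller report a clean startup failure; `return errors.New("network policy is not supported on windows, pass --disable-network-policy")` (with an `errors` import) keeps the signature and lets the agent exit gracefully. The same applies to `Rootless` in pkg/rootless/rootless_windows.go and `Register` in pkg/rootlessports/controller_windows.go, both of which return error but panic. If a panic is deliberate as a must-never-be-reached guard, a comment on each stub saying that the caller is expected to gate on the corresponding flag would make that explicit.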
|
@ -1,3 +1,5 @@
|
||||
// +build !windows
|
||||
|
||||
package netpol
|
||||
|
||||
import (
|
||||
|
@ -1,6 +1,8 @@
|
||||
// Apache License v2.0 (copyright Cloud Native Labs & Rancher Labs)
|
||||
// - modified from https://github.com/cloudnativelabs/kube-router/blob/d6f9f31a7b/pkg/controllers/netpol/network_policy_controller.go
|
||||
|
||||
// +build !windows
|
||||
|
||||
package netpol
|
||||
|
||||
import (
|
||||
|
@ -1,6 +1,8 @@
|
||||
// Apache License v2.0 (copyright Cloud Native Labs & Rancher Labs)
|
||||
// - modified from https://github.com/cloudnativelabs/kube-router/tree/d6f9f31a7b/pkg/utils
|
||||
|
||||
// +build !windows
|
||||
|
||||
package netpol
|
||||
|
||||
import (
|
||||
|
@ -1,3 +1,5 @@
|
||||
// +build !windows
|
||||
|
||||
package syssetup
|
||||
|
||||
import (
|
||||
|
3
pkg/agent/syssetup/setup_windows.go
Normal file
3
pkg/agent/syssetup/setup_windows.go
Normal file
@ -0,0 +1,3 @@
|
||||
package syssetup
|
||||
|
||||
func Configure() {}
|
@ -10,6 +10,7 @@ import (
|
||||
type ContainerdConfig struct {
|
||||
NodeConfig *config.Node
|
||||
IsRunningInUserNS bool
|
||||
SELinuxEnabled bool
|
||||
PrivateRegistryConfig *Registry
|
||||
}
|
||||
|
||||
@ -20,6 +21,7 @@ const ContainerdConfigTemplate = `
|
||||
[plugins.cri]
|
||||
stream_server_address = "127.0.0.1"
|
||||
stream_server_port = "10010"
|
||||
enable_selinux = {{ .SELinuxEnabled }}
|
||||
|
||||
{{- if .IsRunningInUserNS }}
|
||||
disable_cgroup = true
|
||||
|
@ -28,6 +28,7 @@ type Agent struct {
|
||||
Rootless bool
|
||||
RootlessAlreadyUnshared bool
|
||||
WithNodeID bool
|
||||
DisableSELinux bool
|
||||
AgentShared
|
||||
ExtraKubeletArgs cli.StringSlice
|
||||
ExtraKubeProxyArgs cli.StringSlice
|
||||
@ -127,6 +128,12 @@ var (
|
||||
Usage: "(agent/node) Registering and starting kubelet with set of labels",
|
||||
Value: &AgentConfig.Labels,
|
||||
}
|
||||
DisableSELinuxFlag = cli.BoolFlag{
|
||||
Name: "disable-selinux",
|
||||
Usage: "(agent/node) Disable SELinux in containerd if currently enabled",
|
||||
Hidden: true,
|
||||
Destination: &AgentConfig.DisableSELinux,
|
||||
}
|
||||
)
|
||||
|
||||
func NewAgentCommand(action func(ctx *cli.Context) error) cli.Command {
|
||||
@ -169,6 +176,7 @@ func NewAgentCommand(action func(ctx *cli.Context) error) cli.Command {
|
||||
NodeLabels,
|
||||
NodeTaints,
|
||||
DockerFlag,
|
||||
DisableSELinuxFlag,
|
||||
CRIEndpointFlag,
|
||||
PauseImageFlag,
|
||||
PrivateRegistryFlag,
|
||||
|
@ -216,6 +216,7 @@ func NewServerCommand(action func(*cli.Context) error) cli.Command {
|
||||
NodeLabels,
|
||||
NodeTaints,
|
||||
DockerFlag,
|
||||
DisableSELinuxFlag,
|
||||
CRIEndpointFlag,
|
||||
PauseImageFlag,
|
||||
PrivateRegistryFlag,
|
||||
|
@ -25,6 +25,7 @@ type Node struct {
|
||||
Docker bool
|
||||
ContainerRuntimeEndpoint string
|
||||
NoFlannel bool
|
||||
DisableSELinux bool
|
||||
FlannelBackend string
|
||||
FlannelConf string
|
||||
FlannelConfOverride bool
|
||||
|
@ -16,6 +16,7 @@ const (
|
||||
NodeArgsAnnotation = "k3s.io/node-args"
|
||||
NodeEnvAnnotation = "k3s.io/node-env"
|
||||
NodeConfigHashAnnotation = "k3s.io/node-config-hash"
|
||||
OmittedValue = "********"
|
||||
)
|
||||
|
||||
func getNodeArgs() (string, error) {
|
||||
@ -31,7 +32,7 @@ func getNodeArgs() (string, error) {
|
||||
for i, arg := range nodeArgsList {
|
||||
if isSecret(arg) {
|
||||
if i+1 < len(nodeArgsList) {
|
||||
nodeArgsList[i+1] = ""
|
||||
nodeArgsList[i+1] = OmittedValue
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -52,7 +53,7 @@ func getNodeEnv() (string, error) {
|
||||
}
|
||||
for key := range k3sEnv {
|
||||
if isSecret(key) {
|
||||
k3sEnv[key] = ""
|
||||
k3sEnv[key] = OmittedValue
|
||||
}
|
||||
}
|
||||
k3sEnvJSON, err := json.Marshal(k3sEnv)
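Review bot: Replacing the empty string with `OmittedValue` makes redaction visible in the node annotation, but `getNodeArgs` still only blanks the element after a flag that `isSecret` matches (`nodeArgsList[i+1] = OmittedValue`); if `isSecret` compares the bare flag name, a secret passed as a single `--flag=value` argument would be written to the annotation unredacted. `isSecret` is outside this hunk, so this may already be handled — a test with the `=` form would settle it either way. A doc comment on the new constant, `// OmittedValue replaces secret flag values and environment variables in the node annotations.`, would also help.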
|
||||
|
@ -8,6 +8,7 @@ import (
|
||||
"strings"
|
||||
|
||||
"github.com/rancher/k3s/pkg/token"
|
||||
"github.com/rancher/k3s/pkg/util"
|
||||
)
|
||||
|
||||
type entry struct {
|
||||
@ -141,7 +142,7 @@ func writePasswords(passwdFile string, records [][]string) error {
|
||||
}
|
||||
defer out.Close()
|
||||
|
||||
if err := out.Chmod(0600); err != nil {
|
||||
if err := util.SetFileModeForFile(out, 0600); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
|
@ -1,3 +1,5 @@
|
||||
// +build !windows
|
||||
|
||||
package rootless
|
||||
|
||||
import (
|
||||
|
@ -1,3 +1,5 @@
|
||||
// +build !windows
|
||||
|
||||
package rootless
|
||||
|
||||
import (
|
||||
|
5
pkg/rootless/rootless_windows.go
Normal file
5
pkg/rootless/rootless_windows.go
Normal file
@ -0,0 +1,5 @@
|
||||
package rootless
|
||||
|
||||
func Rootless(stateDir string) error {
|
||||
panic("Rootless not supported on windows")
|
||||
}
|
@ -1,3 +1,5 @@
|
||||
// +build !windows
|
||||
|
||||
package rootlessports
|
||||
|
||||
import (
|
||||
|
10
pkg/rootlessports/controller_windows.go
Normal file
10
pkg/rootlessports/controller_windows.go
Normal file
@ -0,0 +1,10 @@
|
||||
package rootlessports
|
||||
|
||||
import (
|
||||
"context"
|
||||
coreClients "github.com/rancher/wrangler-api/pkg/generated/controllers/core/v1"
|
||||
)
|
||||
|
||||
func Register(ctx context.Context, serviceController coreClients.ServiceController, httpsPort int) error {
|
||||
panic("Rootless is not supported on windows")
|
||||
}
|
@ -24,6 +24,7 @@ import (
|
||||
"github.com/rancher/k3s/pkg/rootlessports"
|
||||
"github.com/rancher/k3s/pkg/servicelb"
|
||||
"github.com/rancher/k3s/pkg/static"
|
||||
"github.com/rancher/k3s/pkg/util"
|
||||
v1 "github.com/rancher/wrangler-api/pkg/generated/controllers/core/v1"
|
||||
"github.com/rancher/wrangler/pkg/leader"
|
||||
"github.com/rancher/wrangler/pkg/resolvehome"
|
||||
@ -263,12 +264,12 @@ func writeKubeConfig(certs string, config *Config) error {
|
||||
if config.ControlConfig.KubeConfigMode != "" {
|
||||
mode, err := strconv.ParseInt(config.ControlConfig.KubeConfigMode, 8, 0)
|
||||
if err == nil {
|
||||
os.Chmod(kubeConfig, os.FileMode(mode))
|
||||
util.SetFileModeForPath(kubeConfig, os.FileMode(mode))
|
||||
} else {
|
||||
logrus.Errorf("failed to set %s to mode %s: %v", kubeConfig, os.FileMode(mode), err)
|
||||
}
|
||||
} else {
|
||||
os.Chmod(kubeConfig, os.FileMode(0600))
|
||||
util.SetFileModeForPath(kubeConfig, os.FileMode(0600))
|
||||
}
|
||||
|
||||
if kubeConfigSymlink != kubeConfig {
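Review bot: Both new `util.SetFileModeForPath(kubeConfig, …)` calls in writeKubeConfig discard the returned error, so a failure to restrict the kubeconfig (which carries admin credentials) to 0600 passes silently; the replaced `os.Chmod` calls had the same gap, but the helper's error return is the point of introducing it. Suggest `if err := util.SetFileModeForPath(kubeConfig, os.FileMode(0600)); err != nil { logrus.Errorf("failed to set %s to mode 0600: %v", kubeConfig, err) }` and the equivalent in the parsed-mode branch. On Windows the helper is a no-op that returns nil, so a nil error must not be read as proof that the file is protected.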
|
||||
|
15
pkg/util/file.go
Normal file
15
pkg/util/file.go
Normal file
@ -0,0 +1,15 @@
|
||||
// +build !windows
|
||||
|
||||
package util
|
||||
|
||||
import (
|
||||
"os"
|
||||
)
|
||||
|
||||
func SetFileModeForPath(name string, mode os.FileMode) error {
|
||||
return os.Chmod(name, mode)
|
||||
}
|
||||
|
||||
func SetFileModeForFile(file *os.File, mode os.FileMode) error {
|
||||
return file.Chmod(mode)
|
||||
}
|
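--- a/pkg/util/file_windows.go
+++ b/pkg/util/file_windows.go
@@ -0,0 +1,13 @@
+package util
+
+import (
+	"os"
+)
+
+func SetFileModeForPath(name string, mode os.FileMode) error {
+	return nil
+}
+
+func SetFileModeForFile(file *os.File, mode os.FileMode) error {
+	return nil
+}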
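Review bot: Returning nil unconditionally from both functions makes the no-op indistinguishable from a successful chmod, so a caller such as writeKubeConfig will believe the kubeconfig has been restricted to 0600 when on Windows nothing was applied and the file keeps the ACL inherited from its directory. If the no-op is intentional, say so on each function (`// SetFileModeForPath is a no-op on Windows: POSIX permission bits are not applied and the file keeps its inherited ACL.`); otherwise consider returning a sentinel error the caller can log so the gap is at least visible. The `mode` parameter is unused in both bodies, which is fine for a stub but worth a `_ = mode`-style note or the comment above.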
@ -46,12 +46,20 @@ STATIC_SQLITE="
|
||||
-extldflags '-static -lm -ldl -lz -lpthread $DQLITE_STATIC_SQLITE'
|
||||
"
|
||||
TAGS="ctrd apparmor seccomp no_btrfs netcgo osusergo providerless $DQLITE_TAGS"
|
||||
RUNC_TAGS="apparmor seccomp"
|
||||
RUNC_STATIC="static"
|
||||
|
||||
if [ "$SELINUX" = "true" ]; then
|
||||
TAGS="$TAGS selinux"
|
||||
RUNC_TAGS="$RUNC_TAGS selinux"
|
||||
fi
|
||||
|
||||
if [ "$STATIC_BUILD" != "true" ]; then
|
||||
STATIC="
|
||||
"
|
||||
STATIC_SQLITE="
|
||||
"
|
||||
RUNC_STATIC=""
|
||||
else
|
||||
TAGS="static_build libsqlite3 $TAGS"
|
||||
fi
|
||||
@ -109,13 +117,16 @@ ln -s containerd ./bin/ctr
|
||||
# echo Building containerd
|
||||
# CGO_ENABLED=0 go build -tags "$TAGS" -ldflags "$VERSIONFLAGS $LDFLAGS $STATIC" -o bin/containerd ./cmd/containerd/
|
||||
echo Building runc
|
||||
make EXTRA_LDFLAGS="-w -s" BUILDTAGS="apparmor seccomp" -C ./vendor/github.com/opencontainers/runc static
|
||||
rm -f ./vendor/github.com/opencontainers/runc/runc
|
||||
make EXTRA_LDFLAGS="-w -s" BUILDTAGS="$RUNC_TAGS" -C ./vendor/github.com/opencontainers/runc $RUNC_STATIC
|
||||
cp -f ./vendor/github.com/opencontainers/runc/runc ./bin/runc
|
||||
|
||||
echo Building containerd-shim
|
||||
rm -f ./vendor/github.com/containerd/containerd/bin/containerd-shim
|
||||
make -C ./vendor/github.com/containerd/containerd bin/containerd-shim
|
||||
cp -f ./vendor/github.com/containerd/containerd/bin/containerd-shim ./bin/containerd-shim
|
||||
|
||||
echo Building containerd-shim-runc-v2
|
||||
rm -f ./vendor/github.com/containerd/containerd/bin/containerd-shim-runc-v2
|
||||
make -C ./vendor/github.com/containerd/containerd bin/containerd-shim-runc-v2
|
||||
cp -f ./vendor/github.com/containerd/containerd/bin/containerd-shim-runc-v2 ./bin/containerd-shim-runc-v2
|
||||
|
11
scripts/dispatch
Executable file
11
scripts/dispatch
Executable file
@ -0,0 +1,11 @@
|
||||
#!/bin/sh
|
||||
set -e
|
||||
set -x
|
||||
|
||||
REPO="https://api.github.com/repos/rancher/k3s-upgrade/dispatches"
|
||||
|
||||
# send dispatch event to REPO
|
||||
curl -XPOST -u "${PAT_USERNAME}:${PAT_TOKEN}" \
|
||||
-H "Accept: application/vnd.github.everest-preview+json" \
|
||||
-H "Content-Type: application/json" $REPO \
|
||||
--data '{"event_type": "create_tag", "client_payload": {"tag":"'"$DRONE_TAG"'"}}'
|
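Review bot: `set -x` at the top of the script echoes every command, so the curl line is written to the CI log with `-u "${PAT_USERNAME}:${PAT_TOKEN}"` fully expanded and the token ends up in the build output. Remove `set -x` here, or bracket the call with `set +x` / `set -x`, and prefer passing the credential via a curl config read from stdin (`curl -K -`) rather than on the command line. Separately, curl exits 0 on an HTTP 4xx/5xx, so `set -e` never sees a rejected dispatch; `curl -fsS -XPOST ...` makes the step fail when the API refuses the event.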
78
scripts/package-rpm
Executable file
78
scripts/package-rpm
Executable file
@ -0,0 +1,78 @@
|
||||
#!/bin/bash
|
||||
set -e -x
|
||||
|
||||
cd $(dirname $0)/..
|
||||
|
||||
ARCH=${DRONE_STAGE_ARCH:-$(arch)}
|
||||
. ./scripts/version.sh
|
||||
|
||||
if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(\-[^\+]*)?\+k3s.+$ ]]; then
|
||||
echo "k3s version $VERSION does not match regex for rpm upload"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
TMPDIR=$(mktemp -d)
|
||||
cleanup() {
|
||||
exit_code=$?
|
||||
trap - EXIT INT
|
||||
rm -rf ${TMPDIR}
|
||||
exit ${exit_code}
|
||||
}
|
||||
trap cleanup EXIT INT
|
||||
|
||||
export HOME=${TMPDIR}
|
||||
|
||||
BIN_SUFFIX=""
|
||||
if [ ${ARCH} = aarch64 ] || [ ${ARCH} = arm64 ]; then
|
||||
BIN_SUFFIX="-arm64"
|
||||
elif [ ${ARCH} = armv7l ] || [ ${ARCH} = arm ]; then
|
||||
BIN_SUFFIX="-armhf"
|
||||
fi
|
||||
|
||||
# capture version of k3s
|
||||
k3s_version=$(sed -E -e 's/^v([^-+]*).*$/\1/' <<< $VERSION)
|
||||
# capture pre-release and metadata information of k3s
|
||||
k3s_release=$(sed -E -e 's/\+k3s/+/; s/\+/-/g; s/^[^-]*//; s/^--/dev-/; s/-+/./g; s/^\.+//; s/\.+$//;' <<< $VERSION)
|
||||
# k3s-selinux policy version needed for functionality
|
||||
k3s_policyver=0.1-1
|
||||
|
||||
rpmbuild \
|
||||
--define "k3s_version ${k3s_version}" \
|
||||
--define "k3s_release ${k3s_release}" \
|
||||
--define "k3s_policyver ${k3s_policyver}" \
|
||||
--define "k3s_binary k3s${BIN_SUFFIX}" \
|
||||
--define "_sourcedir ${PWD}" \
|
||||
--define "_specdir ${PWD}" \
|
||||
--define "_builddir ${PWD}" \
|
||||
--define "_srcrpmdir ${PWD}" \
|
||||
--define "_rpmdir ${PWD}/dist/rpm" \
|
||||
--define "_buildrootdir ${PWD}/.rpm-build" \
|
||||
-bb package/k3s.spec
|
||||
|
||||
if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
|
||||
echo "PRIVATE_KEY not defined, skipping rpm sign and upload"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
cat <<\EOF >~/.rpmmacros
|
||||
%_signature gpg
|
||||
%_gpg_name ci@rancher.com
|
||||
EOF
|
||||
gpg --import - <<<"$PRIVATE_KEY"
|
||||
|
||||
expect <<EOF
|
||||
set timeout 60
|
||||
spawn sh -c "rpmsign --addsign dist/rpm/**/k3s-*.rpm"
|
||||
expect "Enter pass phrase:"
|
||||
send -- "$PRIVATE_KEY_PASS_PHRASE\r"
|
||||
expect eof
|
||||
lassign [wait] _ _ _ code
|
||||
exit \$code
|
||||
EOF
|
||||
|
||||
if [ -z "$AWS_S3_BUCKET" ]; then
|
||||
echo "AWS_S3_BUCKET skipping rpm upload"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
rpm-s3 --bucket $AWS_S3_BUCKET dist/rpm/**/k3s-*.rpm
|
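Review bot: The expect script is an unquoted heredoc, so `send -- "$PRIVATE_KEY_PASS_PHRASE\r"` is substituted by bash before Tcl parses it; a passphrase containing `"`, `$`, `[` or `\` either breaks the script or is sent mangled. Read it inside expect instead, `send -- "$env(PRIVATE_KEY_PASS_PHRASE)\r"`, and quote the delimiter (`expect <<'EOF'`, which also turns `exit \$code` into `exit $code`). The presence check `if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"` runs grep without `-q`, so the matched armor header line is printed to the log; `grep -q` is the intent. `rm -rf ${TMPDIR}` in cleanup should quote the variable.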
31
scripts/provision/generic/alpine310/vagrant
Executable file
31
scripts/provision/generic/alpine310/vagrant
Executable file
@ -0,0 +1,31 @@
|
||||
#!/bin/bash
|
||||
set -ve
|
||||
|
||||
apk add -q -f curl libc6-compat tzdata
|
||||
download_go
|
||||
download_dqlite
|
||||
# ---
|
||||
cat <<EOF >/etc/profile.d/build.sh
|
||||
export SELINUX=true
|
||||
export DQLITE=true
|
||||
export STATIC_BUILD=true
|
||||
EOF
|
||||
. /etc/profile.d/build.sh
|
||||
# ---
|
||||
. /tmp/docker-run
|
||||
# ---
|
||||
go get -u github.com/go-delve/delve/cmd/dlv
|
||||
# ---
|
||||
cat <<EOF >/etc/profile.d/docker.sh
|
||||
export DOCKER_HOST=tcp://10.0.2.2:2375
|
||||
EOF
|
||||
. /etc/profile.d/docker.sh
|
||||
# ---
|
||||
(
|
||||
if ! docker version --format '{{.Server.Version}}' >/tmp/docker-server-version; then
|
||||
echo "WARNING: Unable to connect to the docker socket, to enable docker in vagrant run the following command on the host:"
|
||||
echo "docker run -d -v /var/run/docker.sock:/var/run/docker.sock -p 127.0.0.1:2375:2375 alpine/socat TCP-LISTEN:2375,fork UNIX-CONNECT:/var/run/docker.sock"
|
||||
else
|
||||
echo "Using host docker server v$(cat /tmp/docker-server-version)"
|
||||
fi
|
||||
)
|
37
scripts/provision/generic/centos7/gen-gpg-keys
Executable file
37
scripts/provision/generic/centos7/gen-gpg-keys
Executable file
@ -0,0 +1,37 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e -x
|
||||
|
||||
TMPDIR=$(mktemp -d)
|
||||
cleanup() {
|
||||
exit_code=$?
|
||||
trap - EXIT INT
|
||||
rm -rf ${TMPDIR}
|
||||
exit ${exit_code}
|
||||
}
|
||||
trap cleanup EXIT INT
|
||||
|
||||
export HOME=${TMPDIR}
|
||||
|
||||
gpg --batch --gen-key - <<EOF
|
||||
%echo Generating a default key
|
||||
Key-Type: default
|
||||
Subkey-Type: default
|
||||
Name-Real: Rancher
|
||||
Name-Comment: CI
|
||||
Name-Email: ci@rancher.com
|
||||
Expire-Date: 0
|
||||
|
||||
# Key-Length: 4096
|
||||
# Subkey-Length: 4096
|
||||
Passphrase: $PRIVATE_KEY_PASS_PHRASE
|
||||
# %no-protection
|
||||
# %no-ask-passphrase
|
||||
|
||||
# Do a commit here, so that we can later print "done" :-)
|
||||
%commit
|
||||
%echo done
|
||||
EOF
|
||||
|
||||
gpg --armor --export ci@rancher.com >public.key
|
||||
gpg --armor --export-secret-key ci@rancher.com >private.key
|
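Review bot: `Expire-Date: 0` generates a package-signing key that never expires, and with `# Key-Length: 4096` commented out the size falls back to the gpg build's default (typically 2048-bit RSA on older gnupg2). For a key whose public half is distributed to every RPM consumer, set `Key-Length: 4096` explicitly and a finite `Expire-Date:` with a documented rotation plan, or add a comment stating why a non-expiring key was chosen. Note also that the heredoc is unquoted, so a passphrase containing `$` or backticks is expanded by the shell before gpg reads the `Passphrase:` line.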
46
scripts/provision/generic/centos7/vagrant
Executable file
46
scripts/provision/generic/centos7/vagrant
Executable file
@ -0,0 +1,46 @@
|
||||
#!/bin/bash
|
||||
set -ve
|
||||
|
||||
download_go
|
||||
# ---
|
||||
cat <<EOF >/etc/profile.d/build.sh
|
||||
export SELINUX=true
|
||||
# export DQLITE=true
|
||||
# export STATIC_BUILD=true
|
||||
EOF
|
||||
. /etc/profile.d/build.sh
|
||||
# ---
|
||||
sed -E 's|apk( -U)?( --no-cache)?( --repository [^ ]*)? add|yum install -y|g' -i /tmp/docker-run
|
||||
sed -E 's/-dev/-devel/g' -i /tmp/docker-run
|
||||
. /tmp/docker-run
|
||||
# ---
|
||||
go get -u github.com/go-delve/delve/cmd/dlv
|
||||
# ---
|
||||
# docker install instructions slightly changed from https://kubernetes.io/docs/setup/production-environment/container-runtimes/
|
||||
# default "exec-opts": ["native.cgroupdriver=cgroupfs"], and set "selinux-enabled": true
|
||||
yum remove -y docker docker-common
|
||||
yum install -y yum-utils device-mapper-persistent-data lvm2
|
||||
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
|
||||
yum update -y && yum install -y containerd.io-1.2.10 docker-ce-19.03.4 docker-ce-cli-19.03.4
|
||||
mkdir -p /etc/docker
|
||||
cat > /etc/docker/daemon.json <<EOF
|
||||
{
|
||||
"log-driver": "json-file",
|
||||
"log-opts": {
|
||||
"max-size": "100m"
|
||||
},
|
||||
"selinux-enabled": true,
|
||||
"storage-driver": "overlay2",
|
||||
"storage-opts": [
|
||||
"overlay2.override_kernel_check=true"
|
||||
]
|
||||
}
|
||||
EOF
|
||||
# ---
|
||||
systemctl daemon-reload
|
||||
systemctl disable --now firewalld
|
||||
systemctl disable --now docker
|
||||
# ---
|
||||
# set selinux to permissive for dev & testing purposes only
|
||||
setenforce 0
|
||||
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
|
7
scripts/provision/generic/centos7/yum-install-rpm-tools
Executable file
7
scripts/provision/generic/centos7/yum-install-rpm-tools
Executable file
@ -0,0 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e -x
|
||||
|
||||
yum install -y git expect yum-utils rpm-build rpm-sign python-deltarpm epel-release
|
||||
yum install -y python2-pip
|
||||
pip install git+git://github.com/Voronenko/rpm-s3.git@5695c6ad9a08548141d3713328e1bd3f533d137e
|
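Review bot: `pip install git+git://github.com/Voronenko/rpm-s3.git@...` fetches the upload tool over the unauthenticated, cleartext `git://` transport; the commit pin means a tampered clone would fail the object-hash check, but there is no reason not to use TLS for a tool that sits on the signing-and-publish path. Change the prefix to `git+https://github.com/Voronenko/rpm-s3.git@5695c6ad9a08548141d3713328e1bd3f533d137e`. The remaining packages come unpinned from base/EPEL, which is normal for a CI image but worth a one-line comment given what this step feeds.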
26
scripts/provision/generic/ubuntu1804/vagrant
Executable file
26
scripts/provision/generic/ubuntu1804/vagrant
Executable file
@ -0,0 +1,26 @@
|
||||
#!/bin/bash
|
||||
set -ve
|
||||
|
||||
download_go
|
||||
# ---
|
||||
cat <<EOF >/etc/profile.d/build.sh
|
||||
export SELINUX=true
|
||||
# export DQLITE=true
|
||||
# export STATIC_BUILD=true
|
||||
EOF
|
||||
. /etc/profile.d/build.sh
|
||||
# ---
|
||||
apt-get install -y \
|
||||
build-essential \
|
||||
pkg-config \
|
||||
libseccomp-dev \
|
||||
libsqlite3-dev \
|
||||
libselinux1-dev \
|
||||
zlib1g-dev \
|
||||
|
||||
# ---
|
||||
sed -E 's|apk( -U)?( --no-cache)?( --repository [^ ]*)? add|apt-get install -y|g' -i /tmp/docker-run
|
||||
. /tmp/docker-run
|
||||
# ---
|
||||
go get -u github.com/go-delve/delve/cmd/dlv
|
||||
# ---
|
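Review bot: The apt-get package list ends with `zlib1g-dev \` followed by an empty line, so the trailing backslash continues the command onto the blank line; it works by accident and will silently swallow whatever line is added after it. Drop the backslash on the last package. There is also no `apt-get update` before the install, so on a stale box image the package index may not resolve the requested names.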
101
scripts/provision/vagrant
Executable file
101
scripts/provision/vagrant
Executable file
@ -0,0 +1,101 @@
|
||||
#!/bin/bash
|
||||
set -ve
|
||||
|
||||
PROVISION="scripts/provision/$BOX/vagrant"
|
||||
|
||||
if [ ! -f /etc/vagrant_box_build_time ]; then
|
||||
echo "This script should only be called during vagrant provisioning"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ $HOME == /go/* ]]; then
|
||||
echo "Must not launch vagrant from /go/"
|
||||
exit 1
|
||||
fi
|
||||
cd
|
||||
|
||||
# --- Default to root user for vagrant ssh
|
||||
cat <<\EOF >/etc/profile.d/root.sh
|
||||
[ $EUID -ne 0 ] && exec sudo -i
|
||||
EOF
|
||||
|
||||
# --- Setup go version
|
||||
if [ -z "${GOPATH}" ]; then
|
||||
GOPATH=$(realpath $HOME/../../../..)
|
||||
echo "WARNING: Assuming GOPATH=$GOPATH"
|
||||
else
|
||||
echo "Using parent GOPATH=$GOPATH"
|
||||
fi
|
||||
|
||||
# --- Setup basic env
|
||||
cat <<EOF >/etc/profile.d/env.sh
|
||||
export ARCH=amd64
|
||||
export GO111MODULE=off
|
||||
export GOPATH="$GOPATH"
|
||||
export PATH=/usr/local/bin:$PATH:/usr/local/go/bin:$GOPATH/bin
|
||||
export HOME="$HOME" && cd
|
||||
EOF
|
||||
. /etc/profile.d/env.sh
|
||||
|
||||
# --- Clean go cache
|
||||
rm -rf .cache/go-build || true
|
||||
|
||||
# --- Set color prompt
|
||||
sed -i 's|:/bin/ash$|:/bin/bash|g' /etc/passwd
|
||||
cat <<\EOF >/etc/profile.d/color.sh
|
||||
alias ls='ls --color=auto'
|
||||
export PS1='\033[31m[ \033[90m\D{%F 🐮 %T}\033[31m ]\n\[\033[36m\]\u\[\033[m\]@\[\033[32m\]\h\[\033[35m\]:\[\033[33;1m\]\w\[\033[m\]\$ '
|
||||
EOF
|
||||
|
||||
# --- Setup install script from docker run commands
|
||||
mkdir -p ${GOPATH}/bin
|
||||
mkdir -p /go
|
||||
ln -sf $GOPATH/bin /go/bin
|
||||
sed ':a;N;$!ba;s/\\\n/ /g' <Dockerfile.dapper | grep '^RUN ' | sed -e 's/^RUN //' >/tmp/docker-run
|
||||
export BINDIR=/go/bin
|
||||
export GOPATH=/go
|
||||
export HOME=/tmp
|
||||
|
||||
# --- Add k3s motd
|
||||
cat <<\EOF >/etc/motd
|
||||
, ,
|
||||
,-----------|'------'| |\ ____
|
||||
/. '-'@ o|-' | | /___ \
|
||||
|/| | .. | | | __ __) | ____
|
||||
| .________.'----' | |/ /|__ < / __/
|
||||
| || | || | < ___) |\__ \
|
||||
\__|' \__|' |_|\_\_____/____/
|
||||
|
||||
EOF
|
||||
|
||||
# --- Utility function to download go
|
||||
download_go() {
|
||||
goversion=$(grep "^FROM " Dockerfile.dapper | sed -e 's/^FROM golang:\(.*\)-.*/\1/')
|
||||
if [ -z "$goversion" ]; then
|
||||
echo "Cannot find version of go to fetch"
|
||||
return 1
|
||||
fi
|
||||
echo "Installing go $goversion"
|
||||
curl -sL https://storage.googleapis.com/golang/go${goversion}.linux-${ARCH}.tar.gz | tar -xzf - -C /usr/local
|
||||
}
|
||||
|
||||
# --- Utility function to download dqlite
|
||||
download_dqlite() {
|
||||
dqliteURL="https://github.com/$(grep dqlite-build Dockerfile.dapper | sed -e 's/^.*--from=\([^ ]*\).*$/\1/' -e 's|:|/releases/download/|')/dqlite-$ARCH.tgz"
|
||||
if [ -z "$dqliteURL" ]; then
|
||||
echo "Cannot find dqlite URL to fetch"
|
||||
return 1
|
||||
fi
|
||||
mkdir -p /usr/src/
|
||||
echo "Downloading DQLITE from $dqliteURL"
|
||||
curl -sL $dqliteURL -o /usr/src/dqlite.tgz
|
||||
}
|
||||
|
||||
# --- Run vagrant provision script if available
|
||||
if [ ! -f "${PROVISION}" ]; then
|
||||
echo 'WARNING: Unable to execute provision script "${PROVISION}"'
|
||||
exit
|
||||
fi
|
||||
echo "running '${PROVISION}'..." && \
|
||||
. ${PROVISION} && \
|
||||
echo "finished '${PROVISION}'!"
|
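Review bot: `echo 'WARNING: Unable to execute provision script "${PROVISION}"'` is single-quoted, so the literal text `${PROVISION}` is printed instead of the path; use `echo "WARNING: Unable to execute provision script \"${PROVISION}\""`. The bare `exit` that follows returns the status of that echo, so a missing per-box script ends provisioning as success — if that is intended, a comment should say so. `download_go` and `download_dqlite` stream the tarballs from curl straight into tar and /usr/src with no integrity check; for a dev box that may be acceptable, but a `sha256sum -c` against the published Go checksum is cheap.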
15
scripts/test
15
scripts/test
@ -13,19 +13,18 @@ mkdir -p $artifacts
|
||||
|
||||
# ---
|
||||
|
||||
[ "$ARCH" = 'arm' ] && \
|
||||
early-exit "Skipping sonobuoy, images not available for $ARCH."
|
||||
|
||||
E2E_OUTPUT=$artifacts test-run-sonobuoy
|
||||
|
||||
# ---
|
||||
|
||||
if [ "$DRONE_BUILD_EVENT" = 'tag' ]; then
|
||||
printf "\033[33mSkipping remaining tests on tag.\033[m\n"
|
||||
exit 0
|
||||
fi
|
||||
[ "$DRONE_BUILD_EVENT" = 'tag' ] && \
|
||||
early-exit 'Skipping remaining tests on tag.'
|
||||
|
||||
if [ "$ARCH" != 'amd64' ]; then
|
||||
printf "\033[33mSkipping remaining tests, images not available for $ARCH.\033[m\n"
|
||||
exit 0
|
||||
fi
|
||||
[ "$ARCH" != 'amd64' ] && \
|
||||
early-exit "Skipping remaining tests, images not available for $ARCH."
|
||||
|
||||
# ---
|
||||
|
||||
|
@ -437,6 +437,14 @@ export -f provision-cluster
|
||||
|
||||
# ---
|
||||
|
||||
early-exit() {
|
||||
printf "\033[33m$1\033[m\n"
|
||||
exit $2
|
||||
}
|
||||
export -f early-exit
|
||||
|
||||
# ---
|
||||
|
||||
run-test() {
|
||||
export PROVISION_LOCK=$(mktemp)
|
||||
./scripts/test-runner $@ &
|
||||
|
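Review bot: `early-exit` uses its message as the printf format string (`printf "\033[33m$1\033[m\n"`), so any `%` in a message is treated as a conversion, and `exit $2` with no second argument exits with printf's status rather than an explicit code. Suggest `printf '\033[33m%s\033[m\n' "$1"` and `exit "${2:-0}"`. This also covers the callers in the first hunk, where `$ARCH` is interpolated into the message.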
@ -1,14 +1,38 @@
|
||||
#!/bin/bash
|
||||
|
||||
all_services=(
|
||||
coredns
|
||||
local-path-provisioner
|
||||
metrics-server
|
||||
traefik
|
||||
)
|
||||
|
||||
export NUM_SERVERS=1
|
||||
export NUM_AGENTS=1
|
||||
export SERVER_ARGS='--no-deploy=traefik,coredns,local-storage,metrics-server'
|
||||
export WAIT_SERVICES="${all_services[@]}"
|
||||
|
||||
start-test() {
|
||||
docker exec $(cat $TEST_DIR/servers/1/metadata/name) check-config || true
|
||||
verify-valid-versions $(cat $TEST_DIR/servers/1/metadata/name)
|
||||
verify-airgap-images $(cat $TEST_DIR/{servers,agents}/*/metadata/name)
|
||||
}
|
||||
export -f start-test
|
||||
|
||||
# -- check for changes to the airgap image list
|
||||
verify-airgap-images() {
|
||||
local airgap_image_list='scripts/airgap/image-list.txt'
|
||||
|
||||
for name in $@; do
|
||||
docker exec $name crictl images -o json \
|
||||
| jq -r '.images[].repoTags[0] | select(. != null)'
|
||||
done | sort -u >$airgap_image_list.tmp
|
||||
|
||||
if ! diff $airgap_image_list{,.tmp}; then
|
||||
echo '[ERROR] Failed airgap image check'
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
export -f verify-airgap-images
|
||||
|
||||
# --- create a basic cluster and check for valid versions
|
||||
LABEL=BASICS run-test
|
||||
|
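Review bot: `verify-airgap-images` compares `sort -u` output against a checked-in list, and sort order depends on the caller's locale, so the same image set can diff differently between a developer machine and CI; pin it with `LC_ALL=C sort -u` and generate the committed list the same way. `for name in $@` should be `for name in "$@"`, and the `$airgap_image_list.tmp` scratch file is left in the tree after the check. verify-airgap-images lies entirely within this hunk.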
@ -1,85 +0,0 @@
|
||||
#!/bin/bash
|
||||
set -ve
|
||||
|
||||
cd $(dirname $0)/..
|
||||
|
||||
if [ ! -f /etc/vagrant_box_build_time ]; then
|
||||
echo "This script should only be called during vagrant provisioning"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
ARCH=amd64
|
||||
if [[ $HOME == /go/* ]]; then
|
||||
echo "Must not launch vagrant from /go/"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "${GOPATH}" ]; then
|
||||
GOPATH=$(realpath $HOME/../../../..)
|
||||
echo "WARNING: Assuming GOPATH=$GOPATH"
|
||||
else
|
||||
echo "Using parent GOPATH=$GOPATH"
|
||||
fi
|
||||
goversion=$(grep "^FROM " Dockerfile.dapper | sed -e 's/^FROM golang:\(.*\)-.*/\1/')
|
||||
|
||||
if [ -z "$goversion" ]; then
|
||||
echo "Cannot find version of go to fetch"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Installing go $goversion"
|
||||
apk add -q -f curl libc6-compat tzdata
|
||||
curl -sL https://storage.googleapis.com/golang/go${goversion}.linux-${ARCH}.tar.gz | tar -xzf - -C /usr/local
|
||||
# ---
|
||||
cat <<EOF >/etc/profile.d/build.sh
|
||||
export STATIC_BUILD=true
|
||||
EOF
|
||||
# ---
|
||||
cat <<EOF >/etc/profile.d/go.sh
|
||||
export GOPATH=$GOPATH
|
||||
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
|
||||
EOF
|
||||
. /etc/profile.d/go.sh
|
||||
# ---
|
||||
sed -i 's|:/bin/ash$|:/bin/bash|g' /etc/passwd
|
||||
cat <<\EOF >/etc/profile.d/color.sh
|
||||
alias ls='ls --color=auto'
|
||||
export PS1='\033[31m[ \033[90m\D{%F %T}\033[31m ]\n\[\033[36m\]\u\[\033[m\]🐮\[\033[32m\]\h:\[\033[33;1m\]\w\[\033[m\]$ '
|
||||
EOF
|
||||
# ---
|
||||
mkdir -p ${GOPATH}/bin
|
||||
mkdir -p /go
|
||||
ln -s $GOPATH/bin /go/bin
|
||||
sed ':a;N;$!ba;s/\\\n/ /g' <Dockerfile.dapper | grep '^RUN ' | sed -e 's/^RUN //' >/tmp/docker-run
|
||||
export BINDIR=/go/bin
|
||||
export GOPATH=/go
|
||||
export HOME=/tmp && cd
|
||||
. /tmp/docker-run
|
||||
cd /go
|
||||
go get github.com/rancher/trash
|
||||
rm -rf /go
|
||||
cd
|
||||
# ---
|
||||
cat <<EOF >/etc/profile.d/docker.sh
|
||||
export DOCKER_HOST=tcp://10.0.2.2:2375
|
||||
EOF
|
||||
. /etc/profile.d/docker.sh
|
||||
# ---
|
||||
cat <<\EOF >>/etc/motd
|
||||
, ,
|
||||
,-----------|'------'| |\ ____
|
||||
/. '-'@ o|-' | | /___ \
|
||||
|/| | .. | | | __ __) | ____
|
||||
| .________.'----' | |/ /|__ < / __/
|
||||
| || | || | < ___) |\__ \
|
||||
\__|' \__|' |_|\_\_____/____/
|
||||
|
||||
EOF
|
||||
# ---
|
||||
set +v
|
||||
if ! docker version --format '{{.Server.Version}}' >/tmp/docker-server-version; then
|
||||
echo "WARNING: Unable to connect to the docker socket, to enable docker in vagrant run the following command on the host:"
|
||||
echo "docker run -d -v /var/run/docker.sock:/var/run/docker.sock -p 127.0.0.1:2375:2375 alpine/socat TCP-LISTEN:2375,fork UNIX-CONNECT:/var/run/docker.sock"
|
||||
else
|
||||
echo "Using host docker server v$(cat /tmp/docker-server-version)"
|
||||
fi
|
@ -1,6 +1,15 @@
|
||||
#!/bin/bash
|
||||
|
||||
ARCH=${ARCH:-$(go env GOARCH)}
|
||||
SUFFIX="-${ARCH}"
|
||||
GIT_TAG=$DRONE_TAG
|
||||
TREE_STATE=clean
|
||||
COMMIT=$DRONE_COMMIT
|
||||
|
||||
if [ -d .git ]; then
|
||||
if [ -z "$GIT_TAG" ]; then
|
||||
GIT_TAG=$(git tag -l --contains HEAD | head -n 1)
|
||||
fi
|
||||
if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
|
||||
DIRTY="-dirty"
|
||||
TREE_STATE=dirty
|
||||
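Review bot: `COMMIT=$DRONE_COMMIT` is set as a default, but inside the `if [ -d .git ]` block the existing `COMMIT=$(git log -n3 ... | head -1)` line in the second hunk overwrites it unconditionally, so unlike `GIT_TAG` the Drone-provided value is never honoured when a `.git` directory exists. Guard it the same way the tag is guarded, `if [ -z "$COMMIT" ]; then COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\  | head -1); fi`. The `if [ -d .git ]` block continues past the end of this hunk.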
@ -8,13 +17,9 @@ fi
|
||||
|
||||
COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1)
|
||||
if [ -z "${COMMIT}" ]; then
|
||||
COMMIT=$(git rev-parse HEAD)
|
||||
COMMIT=$(git rev-parse HEAD || true)
|
||||
fi
|
||||
fi
|
||||
|
||||
GIT_TAG=${DRONE_TAG:-$(git tag -l --contains HEAD | head -n 1)}
|
||||
|
||||
ARCH=$(go env GOARCH)
|
||||
SUFFIX="-${ARCH}"
|
||||
|
||||
VERSION_CONTAINERD=$(grep github.com/containerd/containerd go.mod | head -n1 | awk '{print $4}')
|
||||
if [ -z "$VERSION_CONTAINERD" ]; then
|
||||
|
11
vendor/github.com/containerd/containerd/container.go
generated
vendored
11
vendor/github.com/containerd/containerd/container.go
generated
vendored
@ -36,6 +36,7 @@ import (
|
||||
prototypes "github.com/gogo/protobuf/types"
|
||||
ver "github.com/opencontainers/image-spec/specs-go"
|
||||
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
@ -242,7 +243,17 @@ func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...N
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
spec, err := c.Spec(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
for _, m := range mounts {
|
||||
if spec.Linux != nil && spec.Linux.MountLabel != "" {
|
||||
context := label.FormatMountLabel("", spec.Linux.MountLabel)
|
||||
if context != "" {
|
||||
m.Options = append(m.Options, context)
|
||||
}
|
||||
}
|
||||
request.Rootfs = append(request.Rootfs, &types.Mount{
|
||||
Type: m.Type,
|
||||
Source: m.Source,
|
||||
|
35
vendor/github.com/containerd/cri/pkg/server/container_create.go
generated
vendored
35
vendor/github.com/containerd/cri/pkg/server/container_create.go
generated
vendored
@ -39,6 +39,7 @@ import (
|
||||
"github.com/davecgh/go-spew/spew"
|
||||
imagespec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
runtimespec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/pkg/errors"
|
||||
"golang.org/x/net/context"
|
||||
runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
|
||||
@ -173,6 +174,18 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
|
||||
return nil, errors.Wrapf(err, "failed to generate container %q spec", id)
|
||||
}
|
||||
|
||||
meta.ProcessLabel = spec.Process.SelinuxLabel
|
||||
if config.GetLinux().GetSecurityContext().GetPrivileged() {
|
||||
// If privileged don't set the SELinux label but still record it on the container so
|
||||
// the unused MCS label can be release later
|
||||
spec.Process.SelinuxLabel = ""
|
||||
}
|
||||
defer func() {
|
||||
if retErr != nil {
|
||||
_ = label.ReleaseLabel(spec.Process.SelinuxLabel)
|
||||
}
|
||||
}()
|
||||
|
||||
log.G(ctx).Debugf("Container %q spec: %#+v", id, spew.NewFormatter(spec))
|
||||
|
||||
// Set snapshotter before any other options.
|
||||
@ -324,7 +337,7 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta
|
||||
|
||||
func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxPid uint32, config *runtime.ContainerConfig,
|
||||
sandboxConfig *runtime.PodSandboxConfig, imageConfig *imagespec.ImageConfig, extraMounts []*runtime.Mount,
|
||||
ociRuntime config.Runtime) (*runtimespec.Spec, error) {
|
||||
ociRuntime config.Runtime) (retSpec *runtimespec.Spec, retErr error) {
|
||||
|
||||
specOpts := []oci.SpecOpts{
|
||||
customopts.WithoutRunMount,
|
||||
@ -366,11 +379,27 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
|
||||
specOpts = append(specOpts, oci.WithEnv(env))
|
||||
|
||||
securityContext := config.GetLinux().GetSecurityContext()
|
||||
selinuxOpt := securityContext.GetSelinuxOptions()
|
||||
processLabel, mountLabel, err := initSelinuxOpts(selinuxOpt)
|
||||
labelOptions := toLabel(securityContext.GetSelinuxOptions())
|
||||
if len(labelOptions) == 0 {
|
||||
// Use pod level SELinux config
|
||||
if sandbox, err := c.sandboxStore.Get(sandboxID); err == nil {
|
||||
labelOptions, err = label.DupSecOpt(sandbox.ProcessLabel)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
processLabel, mountLabel, err := label.InitLabels(labelOptions)
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "failed to init selinux options %+v", securityContext.GetSelinuxOptions())
|
||||
}
|
||||
defer func() {
|
||||
if retErr != nil {
|
||||
_ = label.ReleaseLabel(processLabel)
|
||||
}
|
||||
}()
|
||||
|
||||
specOpts = append(specOpts, customopts.WithMounts(c.os, config, extraMounts, mountLabel))
|
||||
|
||||
if !c.config.DisableProcMount {
|
||||
|
60
vendor/github.com/containerd/cri/pkg/server/helpers.go
generated
vendored
60
vendor/github.com/containerd/cri/pkg/server/helpers.go
generated
vendored
@ -298,47 +298,55 @@ func (c *criService) ensureImageExists(ctx context.Context, ref string, config *
|
||||
return &newImage, nil
|
||||
}
|
||||
|
||||
func initSelinuxOpts(selinuxOpt *runtime.SELinuxOption) (string, string, error) {
|
||||
if selinuxOpt == nil {
|
||||
return "", "", nil
|
||||
func toLabel(selinuxOptions *runtime.SELinuxOption) (labels []string) {
|
||||
if selinuxOptions == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Should ignored selinuxOpts if they are incomplete.
|
||||
if selinuxOpt.GetUser() == "" ||
|
||||
selinuxOpt.GetRole() == "" ||
|
||||
selinuxOpt.GetType() == "" {
|
||||
return "", "", nil
|
||||
if selinuxOptions.User != "" {
|
||||
labels = append(labels, "user:"+selinuxOptions.User)
|
||||
}
|
||||
if selinuxOptions.Role != "" {
|
||||
labels = append(labels, "role:"+selinuxOptions.Role)
|
||||
}
|
||||
if selinuxOptions.Type != "" {
|
||||
labels = append(labels, "type:"+selinuxOptions.Type)
|
||||
}
|
||||
if selinuxOptions.Level != "" {
|
||||
labels = append(labels, "level:"+selinuxOptions.Level)
|
||||
}
|
||||
|
||||
// make sure the format of "level" is correct.
|
||||
ok, err := checkSelinuxLevel(selinuxOpt.GetLevel())
|
||||
if err != nil || !ok {
|
||||
return
|
||||
}
|
||||
|
||||
func initLabelsFromOpt(selinuxOpts *runtime.SELinuxOption) (string, string, error) {
|
||||
return initLabels(toLabel(selinuxOpts))
|
||||
}
|
||||
|
||||
func initLabels(options []string) (string, string, error) {
|
||||
for _, opt := range options {
|
||||
if strings.HasPrefix(opt, "level:") {
|
||||
if err := checkSelinuxLevel(strings.TrimPrefix(opt, "level:")); err != nil {
|
||||
return "", "", err
|
||||
}
|
||||
|
||||
labelOpts := fmt.Sprintf("%s:%s:%s:%s",
|
||||
selinuxOpt.GetUser(),
|
||||
selinuxOpt.GetRole(),
|
||||
selinuxOpt.GetType(),
|
||||
selinuxOpt.GetLevel())
|
||||
|
||||
options, err := label.DupSecOpt(labelOpts)
|
||||
if err != nil {
|
||||
return "", "", err
|
||||
}
|
||||
}
|
||||
return label.InitLabels(options)
|
||||
}
|
||||
|
||||
func checkSelinuxLevel(level string) (bool, error) {
|
||||
func checkSelinuxLevel(level string) error {
|
||||
if len(level) == 0 {
|
||||
return true, nil
|
||||
return nil
|
||||
}
|
||||
|
||||
matched, err := regexp.MatchString(`^s\d(-s\d)??(:c\d{1,4}((.c\d{1,4})?,c\d{1,4})*(.c\d{1,4})?(,c\d{1,4}(.c\d{1,4})?)*)?$`, level)
|
||||
if err != nil || !matched {
|
||||
return false, errors.Wrapf(err, "the format of 'level' %q is not correct", level)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "the format of 'level' %q is not correct", level)
|
||||
}
|
||||
return true, nil
|
||||
if !matched {
|
||||
return fmt.Errorf("the format of 'level' %q is not correct", level)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// isInCRIMounts checks whether a destination is in CRI mount list.
|
||||
|
23
vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
generated
vendored
23
vendor/github.com/containerd/cri/pkg/server/sandbox_run.go
generated
vendored
@ -34,6 +34,7 @@ import (
|
||||
"github.com/davecgh/go-spew/spew"
|
||||
imagespec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
runtimespec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/sirupsen/logrus"
|
||||
"golang.org/x/net/context"
|
||||
@ -158,6 +159,18 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
|
||||
return nil, errors.Wrap(err, "failed to generate sandbox container spec")
|
||||
}
|
||||
log.G(ctx).Debugf("Sandbox container %q spec: %#+v", id, spew.NewFormatter(spec))
|
||||
sandbox.ProcessLabel = spec.Process.SelinuxLabel
|
||||
defer func() {
|
||||
if retErr != nil {
|
||||
_ = label.ReleaseLabel(sandbox.ProcessLabel)
|
||||
}
|
||||
}()
|
||||
|
||||
if securityContext.GetPrivileged() {
|
||||
// If privileged don't set selinux label, but we still record the MCS label so that
|
||||
// the unused label can be freed later.
|
||||
spec.Process.SelinuxLabel = ""
|
||||
}
|
||||
|
||||
var specOpts []oci.SpecOpts
|
||||
userstr, err := generateUserString(
|
||||
@ -328,7 +341,7 @@ func (c *criService) RunPodSandbox(ctx context.Context, r *runtime.RunPodSandbox
|
||||
}
|
||||
|
||||
func (c *criService) generateSandboxContainerSpec(id string, config *runtime.PodSandboxConfig,
|
||||
imageConfig *imagespec.ImageConfig, nsPath string, runtimePodAnnotations []string) (*runtimespec.Spec, error) {
|
||||
imageConfig *imagespec.ImageConfig, nsPath string, runtimePodAnnotations []string) (retSpec *runtimespec.Spec, retErr error) {
|
||||
// Creates a spec Generator with the default spec.
|
||||
// TODO(random-liu): [P1] Compare the default settings with docker and containerd default.
|
||||
specOpts := []oci.SpecOpts{
|
||||
@ -403,11 +416,15 @@ func (c *criService) generateSandboxContainerSpec(id string, config *runtime.Pod
|
||||
},
|
||||
}))
|
||||
|
||||
selinuxOpt := securityContext.GetSelinuxOptions()
|
||||
processLabel, mountLabel, err := initSelinuxOpts(selinuxOpt)
|
||||
processLabel, mountLabel, err := initLabelsFromOpt(securityContext.GetSelinuxOptions())
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "failed to init selinux options %+v", securityContext.GetSelinuxOptions())
|
||||
}
|
||||
defer func() {
|
||||
if retErr != nil && processLabel != "" {
|
||||
_ = label.ReleaseLabel(processLabel)
|
||||
}
|
||||
}()
|
||||
|
||||
supplementalGroups := securityContext.GetSupplementalGroups()
|
||||
specOpts = append(specOpts,
|
||||
|
6
vendor/github.com/containerd/cri/pkg/server/service.go
generated
vendored
6
vendor/github.com/containerd/cri/pkg/server/service.go
generated
vendored
@ -25,6 +25,7 @@ import (
|
||||
|
||||
"github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/plugin"
|
||||
"github.com/containerd/cri/pkg/store/label"
|
||||
cni "github.com/containerd/go-cni"
|
||||
runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor"
|
||||
runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp"
|
||||
@ -104,14 +105,15 @@ type criService struct {
|
||||
// NewCRIService returns a new instance of CRIService
|
||||
func NewCRIService(config criconfig.Config, client *containerd.Client) (CRIService, error) {
|
||||
var err error
|
||||
labels := label.NewStore()
|
||||
c := &criService{
|
||||
config: config,
|
||||
client: client,
|
||||
apparmorEnabled: runcapparmor.IsEnabled() && !config.DisableApparmor,
|
||||
seccompEnabled: runcseccomp.IsEnabled(),
|
||||
os: osinterface.RealOS{},
|
||||
sandboxStore: sandboxstore.NewStore(),
|
||||
containerStore: containerstore.NewStore(),
|
||||
sandboxStore: sandboxstore.NewStore(labels),
|
||||
containerStore: containerstore.NewStore(labels),
|
||||
imageStore: imagestore.NewStore(client),
|
||||
snapshotStore: snapshotstore.NewStore(),
|
||||
sandboxNameIndex: registrar.NewRegistrar(),
|
||||
|
9
vendor/github.com/containerd/cri/pkg/store/container/container.go
generated
vendored
9
vendor/github.com/containerd/cri/pkg/store/container/container.go
generated
vendored
@ -20,6 +20,7 @@ import (
|
||||
"sync"
|
||||
|
||||
"github.com/containerd/containerd"
|
||||
"github.com/containerd/cri/pkg/store/label"
|
||||
"github.com/docker/docker/pkg/truncindex"
|
||||
runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
|
||||
|
||||
@ -101,13 +102,15 @@ type Store struct {
|
||||
lock sync.RWMutex
|
||||
containers map[string]Container
|
||||
idIndex *truncindex.TruncIndex
|
||||
labels *label.Store
|
||||
}
|
||||
|
||||
// NewStore creates a container store.
func NewStore() *Store {
func NewStore(labels *label.Store) *Store {
return &Store{
containers: make(map[string]Container),
idIndex: truncindex.NewTruncIndex([]string{}),
labels: labels,
}
}
@ -119,6 +122,9 @@ func (s *Store) Add(c Container) error {
if _, ok := s.containers[c.ID]; ok {
return store.ErrAlreadyExist
}
if err := s.labels.Reserve(c.ProcessLabel); err != nil {
return err
}
if err := s.idIndex.Add(c.ID); err != nil {
return err
}
@ -165,6 +171,7 @@ func (s *Store) Delete(id string) {
// So we need to return if there are error.
return
}
s.labels.Release(s.containers[id].ProcessLabel)
s.idIndex.Delete(id) // nolint: errcheck
delete(s.containers, id)
}
2
vendor/github.com/containerd/cri/pkg/store/container/metadata.go
@ -61,6 +61,8 @@ type Metadata struct {
// StopSignal is the system call signal that will be sent to the container to exit.
// TODO(random-liu): Add integration test for stop signal.
StopSignal string
// ProcessLabel is the SELinux process label for the container
ProcessLabel string
}
// MarshalJSON encodes Metadata into bytes in json format.
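--- /dev/null
+++ b/vendor/github.com/containerd/cri/pkg/store/label/label.go
@@ -0,0 +1,90 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package label
+
+import (
+"sync"
+
+"github.com/opencontainers/selinux/go-selinux"
+)
+
+type Store struct {
+sync.Mutex
+levels map[string]int
+Releaser func(string)
+Reserver func(string)
+}
+
+func NewStore() *Store {
+return &Store{
+levels: map[string]int{},
+Releaser: selinux.ReleaseLabel,
+Reserver: selinux.ReserveLabel,
+}
+}
+
+func (s *Store) Reserve(label string) error {
+s.Lock()
+defer s.Unlock()
+
+context, err := selinux.NewContext(label)
+if err != nil {
+return err
+}
+
+level := context["level"]
+// no reason to count empty
+if level == "" {
+return nil
+}
+
+if _, ok := s.levels[level]; !ok {
+s.Reserver(label)
+}
+
+s.levels[level]++
+return nil
+}
+
+func (s *Store) Release(label string) {
+s.Lock()
+defer s.Unlock()
+
+context, err := selinux.NewContext(label)
+if err != nil {
+return
+}
+
+level := context["level"]
+if level == "" {
+return
+}
+
+count, ok := s.levels[level]
+if !ok {
+return
+}
+switch {
+case count == 1:
+s.Releaser(label)
+delete(s.levels, level)
+case count < 1:
+delete(s.levels, level)
+case count > 1:
+s.levels[level] = count - 1
+}
+}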
2
vendor/github.com/containerd/cri/pkg/store/sandbox/metadata.go
@ -61,6 +61,8 @@ type Metadata struct {
RuntimeHandler string
// CNIresult resulting configuration for attached network namespace interfaces
CNIResult *cni.CNIResult
// ProcessLabel is the SELinux process label for the container
ProcessLabel string
}
// MarshalJSON encodes Metadata into bytes in json format.
9
vendor/github.com/containerd/cri/pkg/store/sandbox/sandbox.go
@ -20,6 +20,7 @@ import (
"sync"
"github.com/containerd/containerd"
"github.com/containerd/cri/pkg/store/label"
"github.com/docker/docker/pkg/truncindex"
"github.com/containerd/cri/pkg/netns"
@ -62,13 +63,15 @@ type Store struct {
lock sync.RWMutex
sandboxes map[string]Sandbox
idIndex *truncindex.TruncIndex
labels *label.Store
}
// NewStore creates a sandbox store.
func NewStore() *Store {
func NewStore(labels *label.Store) *Store {
return &Store{
sandboxes: make(map[string]Sandbox),
idIndex: truncindex.NewTruncIndex([]string{}),
labels: labels,
}
}
@ -79,6 +82,9 @@ func (s *Store) Add(sb Sandbox) error {
if _, ok := s.sandboxes[sb.ID]; ok {
return store.ErrAlreadyExist
}
if err := s.labels.Reserve(sb.ProcessLabel); err != nil {
return err
}
if err := s.idIndex.Add(sb.ID); err != nil {
return err
}
@ -125,6 +131,7 @@ func (s *Store) Delete(id string) {
// So we need to return if there are error.
return
}
s.labels.Release(s.sandboxes[id].ProcessLabel)
s.idIndex.Delete(id) // nolint: errcheck
delete(s.sandboxes, id)
}
5
vendor/modules.txt
@ -151,7 +151,7 @@ github.com/container-storage-interface/spec/lib/go/csi
github.com/containerd/cgroups
# github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1 => github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
github.com/containerd/console
# github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69 => github.com/rancher/containerd v1.3.3-k3s1
# github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69 => github.com/rancher/containerd v1.3.3-k3s2
github.com/containerd/containerd
github.com/containerd/containerd/api/events
github.com/containerd/containerd/api/services/containers/v1
@ -288,7 +288,7 @@ github.com/containerd/continuity/pathdriver
github.com/containerd/continuity/proto
github.com/containerd/continuity/syscallx
github.com/containerd/continuity/sysx
# github.com/containerd/cri v0.0.0-00010101000000-000000000000 => github.com/rancher/cri v1.3.0-k3s.3
# github.com/containerd/cri v0.0.0-00010101000000-000000000000 => github.com/rancher/cri v1.3.0-k3s.4
github.com/containerd/cri
github.com/containerd/cri/pkg/annotations
github.com/containerd/cri/pkg/api/runtimeoptions/v1
@ -306,6 +306,7 @@ github.com/containerd/cri/pkg/server/io
github.com/containerd/cri/pkg/store
github.com/containerd/cri/pkg/store/container
github.com/containerd/cri/pkg/store/image
github.com/containerd/cri/pkg/store/label
github.com/containerd/cri/pkg/store/sandbox
github.com/containerd/cri/pkg/store/snapshot
github.com/containerd/cri/pkg/util