Commit Graph

1803 Commits

Author SHA1 Message Date
Akihiro Suda
cb73461a5b AkihiroSuda/containerd-fuse-overlayfs -> containerd/fuse-overlayfs-snapshotter
The repo has been moved.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 10:34:34 -07:00
Akihiro Suda
e672c988e4 rootless: allow kernel.dmesg_restrict=1
When `/dev/kmsg` is unreadable due to sysctl value `kernel.dmesg_restrict=1`,
bind-mount `/dev/null` into `/dev/kmsg`

Fix issue 3011

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 01:03:14 -07:00
Akihiro Suda
6e8284e3d4 rootless: enable resource limitation (requires cgroup v2, systemd)
Now rootless mode can be used with cgroup v2 resource limitations.
A pod is executed in a cgroup like "/user.slice/user-1001.slice/user@1001.service/k3s-rootless.service/kubepods/podd0eb6921-c81a-4214-b36c-d3b9bb212fac/63b5a253a1fd4627da16bfce9bec58d72144cf30fe833e0ca9a6d60ebf837475".

This is accomplished by running `kubelet` in a cgroup namespace, and enabling `cgroupfs` driver for the cgroup hierarchy delegated by systemd.

To enable cgroup v2 resource limitation, `k3s server --rootless` needs to be launched as `systemctl --user` service.
Please see the comment lines in `k3s-rootless.service` for the usage.

Running `k3s server --rootless` via a terminal is not supported.
When it really needs to be launched via a terminal, `systemd-run --user -p Delegate --tty` needs to be prepended to create a systemd scope.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 00:37:30 -07:00
Akihiro Suda
11ef43011a bump up RootlessKit
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 00:37:30 -07:00
Brian Downs
9bae285bfd
Merge pull request #3091 from briandowns/put_etcd_save_in_goroutine
put etcd bootstrap save call in goroutine and update comment
2021-03-17 15:51:17 -07:00
Jacob Blain Christen
59a39e9a3b
containerd: v1.4.4-k3s1 (#3090)
Addresses k3s-io/k3s#3066 and CVE-2021-21334

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2021-03-17 14:38:42 -07:00
Brian Downs
400a632666 put etcd bootstrap save call in goroutine and update comment
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-03-17 14:33:00 -07:00
Martin Norrsken
989b21a0da Remove unit files after disabling, instead of before
Signed-off-by: Martin Norrsken <martin.norrsken@gmail.com>
2021-03-17 10:08:50 -07:00
Hussein Galal
73df65d93a
remove etcd data dir when etcd is disabled (#3059)
* remove etcd data dir when etcd is disabled

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix comment

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* use debug instead of info logs

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-03-16 18:14:43 +02:00
Jacob Blain Christen
618b0f98bf
registry mirror repository rewrites (#3064)
Support repository regex rewrite rules when fetching image content.

Example configuration:
```yaml
# /etc/rancher/k3s/registries.yaml
mirrors:
  "docker.io":
    endpoint:
    - "https://registry-1.docker.io/v2"
    rewrite:
      "^library/alpine$": "my-org/alpine"
```

This will instruct k3s containerd to fetch content for `alpine` images
from `docker.io/my-org/alpine` instead of the default
`docker.io/library/alpine` locations.

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2021-03-15 16:17:27 -07:00
Brian Downs
7c99f8645d
Have Bootstrap Data Stored in etcd at Completed Start (#3038)
* have state stored in etcd at completed start and remove unneeded code
2021-03-11 13:07:40 -07:00
Chris Kim
69f96d6225
Define a Controllers and LeaderControllers on the server config (#3043)
Signed-off-by: Chris Kim <oats87g@gmail.com>
2021-03-11 10:39:00 -08:00
Brad Davidson
8ace8975d2 Don't start up multiple apiserver load balancers
get() is called in a loop until client configuration is successfully
retrieved. Each iteration will try to configure the apiserver proxy,
which will in turn create a new load balancer. Skip creating a new
load balancer if we already have one.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-08 17:05:25 -08:00
Brad Davidson
c0d129003b Handle loadbalancer port in TIME_WAIT
If the port wanted by the client load balancer is in TIME_WAIT, startup
will fail. Set SO_REUSEPORT so that it can be listened on again
immediately.

The configurable Listen call wants a context, so plumb that through as
well.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-08 17:05:25 -08:00
Brad Davidson
7cdfaad6ce
Always use static ports for client load-balancers (#3026)
* Always use static ports for the load-balancers

This fixes an issue where RKE2 kube-proxy daemonset pods were failing to
communicate with the apiserver when RKE2 was restarted because the
load-balancer used a different port every time it started up.

This also changes the apiserver load-balancer port to be 1 below the
supervisor port instead of 1 above it. This makes the apiserver port
consistent at 6443 across servers and agents on RKE2.

Additional fixes below were required to successfully test and use this change
on etcd-only nodes.

* Actually add lb-server-port flag to CLI
* Fix nil pointer when starting server with --disable-etcd but no --server
* Don't try to use full URI as initial load-balancer endpoint
* Fix etcd load-balancer pool updates
* Update dynamiclistener to fix cert updates on etcd-only nodes
* Handle recursive initial server URL in load balancer
* Don't run the deploy controller on etcd-only nodes
2021-03-06 02:29:57 -08:00
David Nuzik
58a2870e3b
Merge pull request #3002 from davidnuzik/docs-housekeeping
Docs housekeeping
2021-03-05 09:35:53 -07:00
David Nuzik
c171d4bb07 Update GITHUB_URL
Signed-off-by: David Nuzik <david.nuzik@rancher.com>
2021-03-05 09:34:18 -07:00
David Nuzik
4816d54caa Update .md files with url and email corrections
* BUILDING.md
* CODE_OF_CONDUCT.md
* CONTRIBUTING.md
* MAINTAINERS
* README.md

Signed-off-by: David Nuzik <david.nuzik@rancher.com>
2021-03-05 09:34:18 -07:00
Hussein Galal
c26b737b24
Mark disable components flags as experimental (#3018)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-03-05 00:05:20 +02:00
Brian Downs
4d1f9eda9d
Etcd Snapshot/Restore to/from S3 Compatible Backends (#2902)
* Add functionality for etcd snapshot/restore to and from S3 compatible backends.
* Update etcd restore functionality to extract and write certificates and configs from snapshot.
2021-03-03 11:14:12 -07:00
Hussein Galal
1bf04b6a50
Merge pull request #3003 from galal-hussein/fix_etcd_only_nodes
Fix etcd only nodes
2021-03-02 02:16:02 +02:00
Brad Davidson
66b9e9c4c8 Suppress test failure due to incompatible server
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-01 14:23:59 -08:00
Brad Davidson
4fb073e799 Log clearer error on startup if NPC cannot be started
Servers should always be upgraded before agents, but generally this
isn't required because things are compatible between versions. In this
case we're OK with failing closed if the user upgrades out of order, but
we should give a clearer message about what steps are required to fix
the issue.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-01 14:23:59 -08:00
Brad Davidson
7734015db7 Add script to test server/agent version compatibility
We have had a couple issues with newer agents not working with old
servers or vice versa. Add a CI test to test variations on
uplevel/downlevel server/agent against latest, stable, and the previous
branch.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-01 14:23:59 -08:00
galal-hussein
ef999f0b4f change error to warn when removing self from etcd members
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-03-02 00:19:57 +02:00
Erik Wilson
669d0c0e31
Merge pull request #2910 from erikwilson/traefik-v2
Traefik v2 integration
2021-03-01 15:18:46 -07:00
galal-hussein
885b7391a2 update dynamiclistener
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-03-01 23:51:07 +02:00
galal-hussein
d6124981d5 remove etcd member if disable etcd is passed
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-03-01 23:50:50 +02:00
Erik Wilson
4e5218b62c
Apply suggestions from code review
Logging cleanup

Co-authored-by: Brad Davidson <brad@oatmail.org>
2021-03-01 10:44:24 -07:00
Erik Wilson
4aac6b6bd0
Update to Traefik 2.4.2 and combine manifests 2021-03-01 10:44:24 -07:00
Erik Wilson
54a35505f0
Remove Traefik v1 migration 2021-03-01 10:44:24 -07:00
Chin-Ya Huang
cc96f8140a
Allow download traefik static file and rename
Allow writing static files regardless of the version.

Signed-off-by: Chin-Ya Huang <chin-ya.huang@suse.com>
2021-03-01 10:44:24 -07:00
Chin-Ya Huang
10e0328977
Traefik v2 integration
K3s upgrade via watch over file change of static file and manifest
and triggers helm-controller for change. It seems reasonable to
only allow upgrade traefik v1->v2 when there is no existing custom
traefik HelmChartConfig in the cluster to avoid any
incompatibility.

Here also separate the CRDs and put them into a different chart
to support CRD upgrade.

Signed-off-by: Chin-Ya Huang <chin-ya.huang@suse.com>
2021-03-01 10:44:23 -07:00
Brad Davidson
f970e49b7d Wait for apiserver to become healthy before starting agent controllers
It is possible that the apiserver may serve read requests but not allow
writes yet, in which case flannel will crash on startup when trying to
configure the subnet manager.

Fix this by waiting for the apiserver to become fully ready before
starting flannel and the network policy controller.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-26 19:28:53 -08:00
Brad Davidson
9b39c1c117 Hide the airgap-extra-registry flag
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-26 16:08:49 -08:00
galal-hussein
fad2a046c3 update master to 1.20.4
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-02-23 23:31:08 -08:00
David Nuzik
f9fdb94df2
Merge pull request #2972 from galal-hussein/update_stable
mark v1.20.4-k3s1 as stable
2021-02-23 12:44:30 -07:00
galal-hussein
236a2e3abe use v1.20.4-k3s1 as stable
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-02-23 20:24:25 +02:00
Brad Davidson
0f55f167fd Update k3s-root to v0.8.1
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-18 09:46:15 -08:00
Brad Davidson
88dd601941 Limit zstd decoder memory
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-17 11:48:03 -08:00
Brad Davidson
ae5b93a264 Use HasSuffixI utility function
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-17 11:48:03 -08:00
Brad Davidson
ec661c67d7 Add support for retagging images on load from tarball
Adds support for retagging images to appear to have been sourced from
one or more additional registries as they are imported from the tarball.
This is intended to support RKE2 use cases with system-default-registry
where the images need to appear to have been pulled from a registry
other than docker.io.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-17 11:48:03 -08:00
Hussein Galal
5749f66aa3
Add disable flags for control components (#2900)
* Add disable flags to control components

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* golint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fixes to disable flags

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add comments to functions

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix joining problem

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* golint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix ticker

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix role labels

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-02-12 17:35:57 +02:00
Brian Downs
21d1690d5d
update usage text (#2926)
update to the --cluster-init usage flag to indicate it's for Etcd
2021-02-10 15:54:04 -07:00
Brad Davidson
6e768c301e Use appropriate response codes for authn/authz failures
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-09 16:28:20 -08:00
Brad Davidson
374271e9a0
Collect IPs from all pods before deciding to use internal or external addresses (#2909)
* Collect IPs from all pods before deciding to use internal or external addresses

@Taloth correctly noted that the code that iterates over ServiceLB pods
to collect IP addresses was failing to add additional internal IPs once
the map contained ANY entry from a previous node. This may date back to
when ServiceLB used a Deployment instead of a DaemonSet, so there was
only ever a single pod.

The new behavior is to collect all internal and external IPs, and then
construct the address list of a single type - external if there are any,
otherwise internal.

https://github.com/k3s-io/k3s/issues/1652#issuecomment-774497788

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Co-authored-by: Brian Downs <brian.downs@gmail.com>
2021-02-09 16:26:57 -08:00
Brad Davidson
e06119729b
Improve handling of comounted cpu,cpuacct controllers (#2911)
* Improve handling of comounted cpu,cpuacct controllers

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-09 16:12:58 -08:00
Erik Wilson
41fd27ab56
Merge pull request #2913 from erikwilson/vagrant-opensuse15
Add opensuse 15 vagrant provision
2021-02-09 13:36:36 -07:00
Erik Wilson
473e340acd
Add opensuse 15 vagrant provision 2021-02-09 13:07:32 -07:00
Brad Davidson
ad5e504cf0
Allow joining clusters when the server CA is trusted by the OS CA bundle (#2743)
* Add tests to clientaccess/token
* Fix issues in clientaccess/token identified by tests
* Update tests to close coverage gaps
* Remove redundant check turned up by code coverage reports
* Add warnings if CA hash will not be validated

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-08 22:28:57 -08:00