From 8a3ca5eefa18f79999c3f1d098767803b6941007 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Mon, 26 Aug 2019 14:59:38 +0900
Subject: [PATCH] update components; enable slirp4netns-seccomp

Signed-off-by: Akihiro Suda
---
 Dockerfile | 34 +++++++++----------
 boot/rootlesskit.sh | 2 +-
 ...e-sysctl-error-when-running-in-usern.patch | 10 +++---
 ...2-kube-proxy-allow-running-in-userns.patch | 34 +++++++++----------
 ...feature-gate-SupportNoneCgroupDriver.patch | 28 +++++++-------
 5 files changed, 54 insertions(+), 54 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 24c5a43..2647cef 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,22 +4,22 @@
 ### Version definitions
 # use ./hack/show-latest-commits.sh to get the latest commits
-# 2019-07-28T04:55:48Z
-ARG ROOTLESSKIT_COMMIT=93164c4427c9c75aa3199b8baa5005ce9adfcd69
-# 2019-07-28T04:08:29Z
-ARG SLIRP4NETNS_COMMIT=96ff33cafc1dabf1437b87133850ed2324b2c640
-# 2019-07-27T01:26:32Z
-ARG RUNC_COMMIT=9ae790178ee4535e1afd865eed70a7f7cdb655ac
-# 2019-07-26T23:09:22Z
-ARG MOBY_COMMIT=917a8b42594317e4b547c4d34a6bc733f32a9974
-# 2019-07-26T21:13:02Z
-ARG CONTAINERD_COMMIT=eabb536b1f376a259e3450a9d8f6fc7e6a18367e
-# 2019-07-25T01:24:20Z
-ARG CRIO_COMMIT=b94a84cd6d126b12c837db3650fed546376c1f58
-# 2019-07-24T15:32:15Z
-ARG CNI_PLUGINS_COMMIT=ded2f1757770e8e2aa41f65687f8fc876f83048b
-# 2019-07-27T16:25:56Z
-ARG KUBERNETES_COMMIT=23649560c060ad6cd82da8da42302f8f7e38cf1e
+# 2019-08-26T05:55:14Z
+ARG ROOTLESSKIT_COMMIT=229dd40047cafffbc6489b30ed9105d64bebcc42
+# 2019-08-25T17:18:54Z
+ARG SLIRP4NETNS_COMMIT=29db6bd2d7297dfc1c556ab3801e7cd079291946
+# 2019-08-25T20:15:15Z
+ARG RUNC_COMMIT=3525eddec5418b1e12118fe9f40c9a1cb41e0fb6
+# 2019-08-25T01:46:46Z
+ARG MOBY_COMMIT=cd1356d9ea6307659add38d6689a5b2ecb214c90
+# 2019-08-23T19:06:03Z
+ARG CONTAINERD_COMMIT=4a2f61c4f2b43b0c6e6636e48de89b1cb4860408
+# 2019-08-22T21:06:18Z
+ARG CRIO_COMMIT=c9764ea645d79279a72e279a36c2172c5d2a3298
+# 2019-08-14T18:26:26Z
+ARG CNI_PLUGINS_COMMIT=485be65581341430f9106a194a98f0f2412245fb
+# 2019-08-26T04:40:21Z
+ARG KUBERNETES_COMMIT=36b2914207d50abba2eb9aa5a252a94224eb5037
 ## Version definitions (cont.)
 ARG DOCKER_CLI_RELEASE=19.03.0
@@ -55,7 +55,7 @@ RUN mkdir /out && \
 #### slirp4netns (slirp4netns-build)
 FROM alpine:3.10 AS slirp4netns-build
-RUN apk add --no-cache git build-base autoconf automake libtool linux-headers glib-dev glib-static libcap-static libcap-dev
+RUN apk add --no-cache git build-base autoconf automake libtool linux-headers glib-dev glib-static libcap-static libcap-dev libseccomp-dev
 RUN git clone https://github.com/rootless-containers/slirp4netns.git /slirp4netns
 WORKDIR /slirp4netns
 ARG SLIRP4NETNS_COMMIT
diff --git a/boot/rootlesskit.sh b/boot/rootlesskit.sh
index 0d1978e..49a63fc 100755
--- a/boot/rootlesskit.sh
+++ b/boot/rootlesskit.sh
@@ -33,7 +33,7 @@ if [[ $_U7S_CHILD == 0 ]]; then
 # * /opt: copy-up is required for mounting /opt/cni/bin
 rootlesskit \
 --state-dir $rk_state_dir \
- --net=slirp4netns --mtu=65520 --disable-host-loopback --slirp4netns-sandbox=true \
+ --net=slirp4netns --mtu=65520 --disable-host-loopback --slirp4netns-sandbox=true --slirp4netns-seccomp=true \
 --port-driver=builtin \
 --copy-up=/etc --copy-up=/run --copy-up=/var/lib --copy-up=/opt \
 --pidns \
diff --git a/src/patches/kubernetes/0001-kubelet-cm-ignore-sysctl-error-when-running-in-usern.patch b/src/patches/kubernetes/0001-kubelet-cm-ignore-sysctl-error-when-running-in-usern.patch
index 187df20..8de0e39 100644
--- a/src/patches/kubernetes/0001-kubelet-cm-ignore-sysctl-error-when-running-in-usern.patch
+++ b/src/patches/kubernetes/0001-kubelet-cm-ignore-sysctl-error-when-running-in-usern.patch
@@ -1,4 +1,4 @@
-From 446629d78a49ba7f830437cdad46cdc413bfd1d8 Mon Sep 17 00:00:00 2001
+From edc4f7664108c5739af6c5cc4b1af15ffa3149c0 Mon Sep 17 00:00:00 2001
 From: Akihiro Suda
 Date: Tue, 21 Aug 2018 16:45:04 +0900
 Subject: [PATCH 1/3] kubelet/cm: ignore sysctl error when running in userns
@@ -10,10 +10,10 @@ Signed-off-by: Akihiro Suda
 2 files changed, 7 insertions(+), 1 deletion(-)
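Review bot: Nothing in this stage verifies that the seccomp support this commit is meant to turn on actually ended up in the slirp4netns binary; the hunk only adds `libseccomp-dev` next to the `glib-static`/`libcap-static` build inputs, while the configure/make step that decides whether seccomp is compiled in lies outside the hunk. If the upstream build quietly disables seccomp when it cannot find the library, or a static link (if that is what the `-static` packages are for) cannot resolve libseccomp, the image would ship a binary that cannot honor the `--slirp4netns-seccomp=true` flag added to boot/rootlesskit.sh in the same commit, and that would surface only at cluster boot. A build-time assertion after the make step would catch it, e.g. `RUN ./slirp4netns --help 2>&1 | grep -q -- --enable-seccomp` (adjust to whatever the binary actually prints). It is also worth checking whether Alpine 3.10 ships the static libseccomp archive in `libseccomp-dev` or only in a separate `libseccomp-static` package, since the other static inputs here are pulled in explicitly.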
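Review bot: The new `--slirp4netns-seccomp=true` flag is the only option in this invocation whose rationale is not recorded in the comment block above it (that block documents each copy-up, e.g. `# * /opt: copy-up is required for mounting /opt/cni/bin`), and it introduces a hidden dependency on the slirp4netns binary having been built with libseccomp. A one-line note next to the existing ones would make that coupling visible: `# * --slirp4netns-seccomp: run slirp4netns under a seccomp filter; requires a slirp4netns built with libseccomp (see Dockerfile)`. If rootlesskit still marks this flag experimental upstream, saying so in the same comment tells the next maintainer that a boot failure here should be bisected to this line rather than to the userns setup. The enclosing `if [[ $_U7S_CHILD == 0 ]]` block begins and ends outside the hunk.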
 diff --git a/pkg/kubelet/cm/BUILD b/pkg/kubelet/cm/BUILD
-index 4ac55b4b30..a55ebba794 100644
+index 46f1c8fccd..8d65dfffa9 100644
 --- a/pkg/kubelet/cm/BUILD
 +++ b/pkg/kubelet/cm/BUILD
-@@ -89,6 +89,7 @@ go_library(
+@@ -90,6 +90,7 @@ go_library(
 "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs:go_default_library",
 "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd:go_default_library",
 "//vendor/github.com/opencontainers/runc/libcontainer/configs:go_default_library",
@@ -22,7 +22,7 @@ index 4ac55b4b30..a55ebba794 100644
 "//vendor/k8s.io/utils/path:go_default_library",
 ],
 diff --git a/pkg/kubelet/cm/container_manager_linux.go b/pkg/kubelet/cm/container_manager_linux.go
-index aa4cc8ac5a..a8de98330f 100644
+index da651b7842..a6b381153e 100644
 --- a/pkg/kubelet/cm/container_manager_linux.go
 +++ b/pkg/kubelet/cm/container_manager_linux.go
 @@ -32,6 +32,7 @@ import (
@@ -33,7 +33,7 @@ index aa4cc8ac5a..a8de98330f 100644
 "k8s.io/klog"
 v1 "k8s.io/api/core/v1"
-@@ -391,7 +392,11 @@ func setupKernelTunables(option KernelTunableBehavior) error {
+@@ -402,7 +403,11 @@ func setupKernelTunables(option KernelTunableBehavior) error {
 klog.V(2).Infof("Updating kernel flag: %v, expected value: %v, actual value: %v", flag, expectedValue, val)
 err = sysctl.SetSysctl(flag, expectedValue)
 if err != nil {
diff --git a/src/patches/kubernetes/0002-kube-proxy-allow-running-in-userns.patch b/src/patches/kubernetes/0002-kube-proxy-allow-running-in-userns.patch
index cb09237..8dabe31 100644
--- a/src/patches/kubernetes/0002-kube-proxy-allow-running-in-userns.patch
+++ b/src/patches/kubernetes/0002-kube-proxy-allow-running-in-userns.patch
@@ -1,4 +1,4 @@
-From 665f1772f32d9833ac0d08e18f45521269f999e1 Mon Sep 17 00:00:00 2001
+From 6e252338b3ac1b4fd34d0106e0138ab1a13d2113 Mon Sep 17 00:00:00 2001
 From: Akihiro Suda
 Date: Thu, 23 Aug 2018 14:14:44 +0900
 Subject: [PATCH 2/3] kube-proxy: allow running in userns
@@ -12,10 +12,10 @@ Signed-off-by: Akihiro Suda
 4 files changed, 24 insertions(+), 2 deletions(-)
 diff --git a/cmd/kube-proxy/app/BUILD b/cmd/kube-proxy/app/BUILD
-index 55a6768291..7fb0a9716c 100644
+index 86a69857cf..ee8ec0c8f7 100644
 --- a/cmd/kube-proxy/app/BUILD
 +++ b/cmd/kube-proxy/app/BUILD
-@@ -77,6 +77,7 @@ go_library(
+@@ -76,6 +76,7 @@ go_library(
 "//pkg/util/node:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
@@ -23,7 +23,7 @@ index 55a6768291..7fb0a9716c 100644
 ],
 "@io_bazel_rules_go//go/platform:darwin": [
 "//pkg/proxy/metrics:go_default_library",
-@@ -84,6 +85,7 @@ go_library(
+@@ -83,6 +84,7 @@ go_library(
 "//pkg/util/node:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
@@ -31,7 +31,7 @@ index 55a6768291..7fb0a9716c 100644
 ],
 "@io_bazel_rules_go//go/platform:dragonfly": [
 "//pkg/proxy/metrics:go_default_library",
-@@ -91,6 +93,7 @@ go_library(
+@@ -90,6 +92,7 @@ go_library(
 "//pkg/util/node:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
@@ -39,7 +39,7 @@ index 55a6768291..7fb0a9716c 100644
 ],
 "@io_bazel_rules_go//go/platform:freebsd": [
 "//pkg/proxy/metrics:go_default_library",
-@@ -98,6 +101,7 @@ go_library(
+@@ -97,6 +100,7 @@ go_library(
 "//pkg/util/node:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
@@ -47,7 +47,7 @@ index 55a6768291..7fb0a9716c 100644
 ],
 "@io_bazel_rules_go//go/platform:linux": [
 "//pkg/proxy/metrics:go_default_library",
-@@ -105,6 +109,7 @@ go_library(
+@@ -104,6 +108,7 @@ go_library(
 "//pkg/util/node:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
@@ -55,7 +55,7 @@ index 55a6768291..7fb0a9716c 100644
 ],
 "@io_bazel_rules_go//go/platform:nacl": [
 "//pkg/proxy/metrics:go_default_library",
-@@ -112,6 +117,7 @@ go_library(
+@@ -111,6 +116,7 @@ go_library(
 "//pkg/util/node:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
@@ -63,7 +63,7 @@ index 55a6768291..7fb0a9716c 100644
 ],
 "@io_bazel_rules_go//go/platform:netbsd": [
 "//pkg/proxy/metrics:go_default_library",
-@@ -119,6 +125,7 @@ go_library(
+@@ -118,6 +124,7 @@ go_library(
 "//pkg/util/node:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
@@ -71,7 +71,7 @@ index 55a6768291..7fb0a9716c 100644
 ],
 "@io_bazel_rules_go//go/platform:openbsd": [
 "//pkg/proxy/metrics:go_default_library",
-@@ -126,6 +133,7 @@ go_library(
+@@ -125,6 +132,7 @@ go_library(
 "//pkg/util/node:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
@@ -79,7 +79,7 @@ index 55a6768291..7fb0a9716c 100644
 ],
 "@io_bazel_rules_go//go/platform:plan9": [
 "//pkg/proxy/metrics:go_default_library",
-@@ -133,6 +141,7 @@ go_library(
+@@ -132,6 +140,7 @@ go_library(
 "//pkg/util/node:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
@@ -87,7 +87,7 @@ index 55a6768291..7fb0a9716c 100644
 ],
 "@io_bazel_rules_go//go/platform:solaris": [
 "//pkg/proxy/metrics:go_default_library",
-@@ -140,6 +149,7 @@ go_library(
+@@ -139,6 +148,7 @@ go_library(
 "//pkg/util/node:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
@@ -96,7 +96,7 @@ index 55a6768291..7fb0a9716c 100644
 "@io_bazel_rules_go//go/platform:windows": [
 "//pkg/proxy/winkernel:go_default_library",
 diff --git a/cmd/kube-proxy/app/server_others.go b/cmd/kube-proxy/app/server_others.go
-index a86a9593cf..da58bc0f5e 100644
+index ecd3427813..fcedc03cf4 100644
 --- a/cmd/kube-proxy/app/server_others.go
 +++ b/cmd/kube-proxy/app/server_others.go
 @@ -25,6 +25,7 @@ import (
@@ -105,9 +105,9 @@ index a86a9593cf..da58bc0f5e 100644
 + libcontainersystem "github.com/opencontainers/runc/libcontainer/system"
 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/types"
-@@ -214,6 +215,12 @@ func newProxyServer(
+ utilnet "k8s.io/apimachinery/pkg/util/net"
+@@ -216,6 +217,12 @@ func newProxyServer(
 iptInterface.AddReloadFunc(proxier.Sync)
@@ -120,7 +120,7 @@ index a86a9593cf..da58bc0f5e 100644
 return &ProxyServer{
 Client: client,
 EventClient: eventClient,
-@@ -225,7 +232,7 @@ func newProxyServer(
+@@ -227,7 +234,7 @@ func newProxyServer(
 Broadcaster: eventBroadcaster,
 Recorder: recorder,
 ConntrackConfiguration: config.Conntrack,
@@ -142,7 +142,7 @@ index 87e3da69e9..8f148a1470 100644
 "//vendor/k8s.io/utils/exec:go_default_library",
 ] + select({
 diff --git a/pkg/proxy/userspace/proxier.go b/pkg/proxy/userspace/proxier.go
-index ae55842b30..91d44fc13a 100644
+index 46d9e9c86c..c777eb91ee 100644
 --- a/pkg/proxy/userspace/proxier.go
 +++ b/pkg/proxy/userspace/proxier.go
 @@ -26,6 +26,7 @@ import (
diff --git a/src/patches/kubernetes/0003-kubelet-new-feature-gate-SupportNoneCgroupDriver.patch b/src/patches/kubernetes/0003-kubelet-new-feature-gate-SupportNoneCgroupDriver.patch
index c61b8cc..b8c5778 100644
--- a/src/patches/kubernetes/0003-kubelet-new-feature-gate-SupportNoneCgroupDriver.patch
+++ b/src/patches/kubernetes/0003-kubelet-new-feature-gate-SupportNoneCgroupDriver.patch
@@ -1,4 +1,4 @@
-From 33b6ed4c7b6fb424c5ac5972f3a5fb15da027985 Mon Sep 17 00:00:00 2001
+From 22d44422cf5ea191aff6370f777dc6b8f9a0618f Mon Sep 17 00:00:00 2001
 From: Akihiro Suda
 Date: Sun, 2 Jun 2019 18:39:05 +0900
 Subject: [PATCH 3/3] kubelet: new feature gate: SupportNoneCgroupDriver
@@ -25,10 +25,10 @@ Signed-off-by: Akihiro Suda
 11 files changed, 126 insertions(+), 30 deletions(-)
 diff --git a/cmd/kubeadm/app/phases/kubelet/flags.go b/cmd/kubeadm/app/phases/kubelet/flags.go
-index a6c5d1411e..dbdb95db10 100644
+index 14f7317be1..6bb02f6ef4 100644
 --- a/cmd/kubeadm/app/phases/kubelet/flags.go
 +++ b/cmd/kubeadm/app/phases/kubelet/flags.go
-@@ -85,6 +85,8 @@ func buildKubeletArgMap(opts kubeletFlagsOpts) map[string]string {
+@@ -86,6 +86,8 @@ func buildKubeletArgMap(opts kubeletFlagsOpts) map[string]string {
 if err != nil {
 klog.Warningf("cannot automatically assign a '--cgroup-driver' value when starting the Kubelet: %v\n", err)
 } else {
@@ -51,7 +51,7 @@ index 1a2b3263be..c718050aff 100644
 fs.StringVar(&c.CPUManagerPolicy, "cpu-manager-policy", c.CPUManagerPolicy, "CPU Manager policy to use. Possible values: 'none', 'static'. Default: 'none'")
 fs.DurationVar(&c.CPUManagerReconcilePeriod.Duration, "cpu-manager-reconcile-period", c.CPUManagerReconcilePeriod.Duration, " CPU Manager reconciliation period. Examples: '10s', or '1m'. If not supplied, defaults to `NodeStatusUpdateFrequency`")
 diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
-index 207893d8be..e83ab11616 100644
+index 46540e4760..7ac5a7d70e 100644
 --- a/cmd/kubelet/app/server.go
 +++ b/cmd/kubelet/app/server.go
 @@ -605,26 +605,28 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.Dependencies, stopCh <-chan
@@ -103,10 +103,10 @@ index 207893d8be..e83ab11616 100644
 if kubeDeps.CAdvisorInterface == nil {
 diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
-index 7ee1c8b195..36522ff9be 100644
+index 25eb7fedb8..1f93d33ca3 100644
 --- a/pkg/features/kube_features.go
 +++ b/pkg/features/kube_features.go
-@@ -477,6 +477,18 @@ const (
+@@ -468,6 +468,18 @@ const (
 //
 // Schedule pods evenly across available topology domains.
 EvenPodsSpread featuregate.Feature = "EvenPodsSpread"
@@ -125,7 +125,7 @@ index 7ee1c8b195..36522ff9be 100644
 )
 func init() {
-@@ -556,6 +568,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
+@@ -546,6 +558,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 PodOverhead: {Default: false, PreRelease: featuregate.Alpha},
 IPv6DualStack: {Default: false, PreRelease: featuregate.Alpha},
 EvenPodsSpread: {Default: false, PreRelease: featuregate.Alpha},
@@ -147,7 +147,7 @@ index bf99db85f0..93408248c2 100644
 // CPUManagerPolicy is the name of the policy to use.
 // Requires the CPUManager feature gate to be enabled.
 diff --git a/pkg/kubelet/cm/cgroup_manager_linux.go b/pkg/kubelet/cm/cgroup_manager_linux.go
-index 39aad1fb38..7612bba68d 100644
+index a653e67c79..c51ca75b79 100644
 --- a/pkg/kubelet/cm/cgroup_manager_linux.go
 +++ b/pkg/kubelet/cm/cgroup_manager_linux.go
 @@ -46,6 +46,9 @@ const (
@@ -260,10 +260,10 @@ index 5d77ed7a45..5654d737fd 100644
 func (m *unsupportedCgroupManager) Name(_ CgroupName) string {
 diff --git a/pkg/kubelet/cm/container_manager_linux.go b/pkg/kubelet/cm/container_manager_linux.go
-index a8de98330f..66a0350583 100644
+index a6b381153e..723752bfb4 100644
 --- a/pkg/kubelet/cm/container_manager_linux.go
 +++ b/pkg/kubelet/cm/container_manager_linux.go
-@@ -245,9 +245,15 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
+@@ -240,9 +240,15 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
 // Turn CgroupRoot from a string (in cgroupfs path format) to internal CgroupName
 cgroupRoot := ParseCgroupfsToCgroupName(nodeConfig.CgroupRoot)
@@ -280,7 +280,7 @@ index a8de98330f..66a0350583 100644
 // this does default to / when enabled, but this tests against regressions.
 if nodeConfig.CgroupRoot == "" {
 return nil, fmt.Errorf("invalid configuration: cgroups-per-qos was specified and cgroup-root was not specified. To enable the QoS cgroup hierarchy you need to specify a valid cgroup-root")
-@@ -257,7 +263,7 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
+@@ -252,7 +258,7 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
 // of note, we always use the cgroupfs driver when performing this check since
 // the input is provided in that format.
 // this is important because we do not want any name conversion to occur.
@@ -308,7 +308,7 @@ index 62c9f203a0..fda4177a05 100644
 qosContainersInfo: qosContainersInfo,
 }
 diff --git a/pkg/kubelet/dockershim/docker_service.go b/pkg/kubelet/dockershim/docker_service.go
-index 16cd9fda9b..ae4ea40ed0 100644
+index ce40e9ff5b..8962d35d94 100644
 --- a/pkg/kubelet/dockershim/docker_service.go
 +++ b/pkg/kubelet/dockershim/docker_service.go
 @@ -267,7 +267,8 @@ func NewDockerService(config *ClientConfig, podSandboxImage string, streamingCon
@@ -322,10 +322,10 @@ index 16cd9fda9b..ae4ea40ed0 100644
 }
 klog.Infof("Setting cgroupDriver to %s", cgroupDriver)
 diff --git a/test/e2e_node/node_container_manager_test.go b/test/e2e_node/node_container_manager_test.go
-index 2be3d1ed6f..0b6cec8560 100644
+index 98d9b39476..c03baf5181 100644
 --- a/test/e2e_node/node_container_manager_test.go
 +++ b/test/e2e_node/node_container_manager_test.go
-@@ -159,7 +159,10 @@ func runTest(f *framework.Framework) error {
+@@ -161,7 +161,10 @@ func runTest(f *framework.Framework) error {
 }
 // Create a cgroup manager object for manipulating cgroups.