Merge pull request #228 from AkihiroSuda/dev

Update k/k patches to follow the latest KEP
rootless-containers · May 24, 2021 · 7d22892 · 7d22892
2 parents 22803ca + 222ab26
commit 7d22892
Show file tree

Hide file tree

Showing 8 changed files with 137 additions and 33 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -10,8 +10,8 @@ ARG ROOTLESSKIT_COMMIT=e2839766a691861fe65c391c237c7adacad858ee
 ARG CONTAINERD_COMMIT=14316794ad0a33b8688078f770655c9203e4d80d
 # 2021-05-06T03:35:41Z
 ARG CRIO_COMMIT=4d40e65acb9639d167f78ac90e3691e1029934ea
-# 2021-05-06T07:45:15Z
-ARG KUBE_NODE_COMMIT=4e1432700e5df2295dd12451d80fa145f770d128
+# 2021-05-24T14:17:38Z
+ARG KUBE_NODE_COMMIT=3464112cf961485bdf95f1cdda36451f81af6984
 
 # Version definitions (cont.)
 ARG SLIRP4NETNS_RELEASE=v1.1.9

diff --git a/boot/kubelet.sh b/boot/kubelet.sh
@@ -30,6 +30,7 @@ failSwapOn: false
 featureGates:
   DevicePlugins: false
   LocalStorageCapacityIsolation: false
+  KubeletInUserNamespace: true
 evictionHard:
   nodefs.available: "3%"
 cgroupDriver: "${cgroup_driver}"

diff --git a/boot/rootlesskit.sh b/boot/rootlesskit.sh
@@ -85,13 +85,6 @@ else
 		mount --bind $src $f
 	done
 
-	# Allow reading /dev/kmsg with a fake content if we don't have permission
-	# (kernel.dmesg_restrict=1)
-	# https://github.com/rootless-containers/usernetes/issues/204
-	if ! head -n1 /dev/kmsg >/dev/null 2>&1; then
-		mount --bind /dev/null /dev/kmsg
-	fi
-
 	rk_pid=$(cat $rk_state_dir/child_pid)
 	# workaround for https://github.com/rootless-containers/rootlesskit/issues/37
 	# child_pid might be created before the child is ready

diff --git a/src/patches/kubernetes/0001-New-feature-gate-KubeletInUserNamespace.patch b/src/patches/kubernetes/0001-New-feature-gate-KubeletInUserNamespace.patch
@@ -0,0 +1,46 @@
+From c23b75f05c9959d48e0bf6579c35065018348547 Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Date: Mon, 24 May 2021 23:18:02 +0900
+Subject: [PATCH 1/5] New feature gate: KubeletInUserNamespace
+
+Enables support for running kubelet in a user namespace.
+The user namespace has to be created before running kubelet.
+All the node components such as CRI need to be running in the same user namespace.
+
+See kubernetes/enhancements PR 1371 (merged) and issue 2033.
+
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+---
+ pkg/features/kube_features.go | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
+index 589cb97c52b..eebd4d28de4 100644
+--- a/pkg/features/kube_features.go
++++ b/pkg/features/kube_features.go
+@@ -733,6 +733,14 @@ const (
+ 	//
+ 	// Enables support for 'HostProcess' containers on Windows nodes.
+ 	WindowsHostProcessContainers featuregate.Feature = "WindowsHostProcessContainers"
++
++	// owner: @AkihiroSuda
++	// alpha: v1.22
++	//
++	// Enables support for running kubelet in a user namespace.
++	// The user namespace has to be created before running kubelet.
++	// All the node components such as CRI need to be running in the same user namespace.
++	KubeletInUserNamespace featuregate.Feature = "KubeletInUserNamespace"
+ )
+
+ func init() {
+@@ -844,6 +852,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
+ 	CSIVolumeHealth:                                {Default: false, PreRelease: featuregate.Alpha},
+ 	WindowsHostProcessContainers:                   {Default: false, PreRelease: featuregate.Alpha},
+ 	DisableCloudProviders:                          {Default: false, PreRelease: featuregate.Alpha},
++	KubeletInUserNamespace:                         {Default: false, PreRelease: featuregate.Alpha},
+
+ 	// inherited features from generic apiserver, relisted here to get a conflict if it is changed
+ 	// unintentionally on either side:
+-- 
+2.30.2
+
diff --git a/...-sysctl-error-when-running-in-usern.patch → ...-sysctl-error-when-running-in-usern.patch b/...-sysctl-error-when-running-in-usern.patch → ...-sysctl-error-when-running-in-usern.patch
@@ -1,7 +1,7 @@
-From 8cf3dc19c78da076fb89945cdc25304dc2e1df7e Mon Sep 17 00:00:00 2001
+From 89fe19c5785575d40cbad196345d217d01560dcb Mon Sep 17 00:00:00 2001
 From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 Date: Tue, 21 Aug 2018 16:45:04 +0900
-Subject: [PATCH 1/3] kubelet/cm: ignore sysctl error when running in userns
+Subject: [PATCH 2/5] kubelet/cm: ignore sysctl error when running in userns
 
 Errors during setting the following sysctl values are ignored:
 - vm.overcommit_memory
@@ -13,11 +13,11 @@ Errors during setting the following sysctl values are ignored:
 
 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 ---
- pkg/kubelet/cm/container_manager_linux.go | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
+ pkg/kubelet/cm/container_manager_linux.go | 8 ++++++++
+ 1 file changed, 8 insertions(+)
 
 diff --git a/pkg/kubelet/cm/container_manager_linux.go b/pkg/kubelet/cm/container_manager_linux.go
-index 5e05d5eff82..50ed88660e0 100644
+index 6406e03fa3f..186f886ce47 100644
 --- a/pkg/kubelet/cm/container_manager_linux.go
 +++ b/pkg/kubelet/cm/container_manager_linux.go
 @@ -33,6 +33,7 @@ import (
@@ -28,19 +28,20 @@ index 5e05d5eff82..50ed88660e0 100644
  	"k8s.io/klog/v2"
  	"k8s.io/mount-utils"
  	utilio "k8s.io/utils/io"
-@@ -455,7 +456,11 @@ func setupKernelTunables(option KernelTunableBehavior) error {
+@@ -454,6 +455,13 @@ func setupKernelTunables(option KernelTunableBehavior) error {
  			klog.V(2).InfoS("Updating kernel flag", "flag", flag, "expectedValue", expectedValue, "actualValue", val)
  			err = sysctl.SetSysctl(flag, expectedValue)
  			if err != nil {
--				errList = append(errList, err)
 +				if libcontainersystem.RunningInUserNS() {
-+					klog.Warningf("Updating kernel flag failed: %v: %v (running in UserNS)", flag, err)
-+				} else {
-+					errList = append(errList, err)
++					if utilfeature.DefaultFeatureGate.Enabled(kubefeatures.KubeletInUserNamespace) {
++						klog.Warningf("Updating kernel flag failed: %v: %v (running in UserNS, ignoring)", flag, err)
++						continue
++					}
++					klog.Errorf("Updating kernel flag failed: %v: %v (Hint: enable KubeletInUserNamespace feature flag to ignore the error)", flag, err)
 +				}
+ 				errList = append(errList, err)
  			}
  		}
- 	}
 -- 
-2.27.0
+2.30.2
 
diff --git a/...-kube-proxy-allow-running-in-userns.patch → ...-kube-proxy-allow-running-in-userns.patch b/...-kube-proxy-allow-running-in-userns.patch → ...-kube-proxy-allow-running-in-userns.patch
@@ -1,7 +1,7 @@
-From 341823948c6f777ad264773cf0f7ffc1dcd92530 Mon Sep 17 00:00:00 2001
+From 99752c8ad58425a09d0816dea6ec46a5b50e1eab Mon Sep 17 00:00:00 2001
 From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 Date: Thu, 23 Aug 2018 14:14:44 +0900
-Subject: [PATCH 2/3] kube-proxy: allow running in userns
+Subject: [PATCH 3/5] kube-proxy: allow running in userns
 
 Ignore an error during setting RLIMIT_NOFILE.
 
@@ -35,5 +35,5 @@ index a2945f6fd08..d4f35de6d56 100644
 
  	proxyPorts := newPortAllocator(pr)
 -- 
-2.27.0
+2.30.2
 
diff --git a/src/patches/kubernetes/0004-kubelet-ignore-dev-kmsg-error-when-runnin-in-userns.patch b/src/patches/kubernetes/0004-kubelet-ignore-dev-kmsg-error-when-runnin-in-userns.patch
@@ -0,0 +1,63 @@
+From 926907649559db5d85c813cc123318c035e61c2e Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Date: Mon, 24 May 2021 23:35:22 +0900
+Subject: [PATCH 4/5] kubelet: ignore /dev/kmsg error when runnin in userns
+
+oomwatcher.NewWatcher returns "open /dev/kmsg: operation not permitted" error,
+when running with sysctl value `kernel.dmesg_restrict=1`.
+
+The error is negligible for KubeletInUserNamespace.
+
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+---
+ pkg/kubelet/kubelet.go | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go
+index 7f390290496..dfce93e34c9 100644
+--- a/pkg/kubelet/kubelet.go
++++ b/pkg/kubelet/kubelet.go
+@@ -37,6 +37,7 @@ import (
+ 	"k8s.io/mount-utils"
+ 	"k8s.io/utils/integer"
+
++	libcontainersystem "github.com/opencontainers/runc/libcontainer/system"
+ 	v1 "k8s.io/api/core/v1"
+ 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ 	"k8s.io/apimachinery/pkg/fields"
+@@ -479,7 +480,18 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
+
+ 	oomWatcher, err := oomwatcher.NewWatcher(kubeDeps.Recorder)
+ 	if err != nil {
+-		return nil, err
++		if !libcontainersystem.RunningInUserNS() {
++			return nil, err
++		}
++		// oomwatcher.NewWatcher returns "open /dev/kmsg: operation not permitted" error,
++		// when running with sysctl value `kernel.dmesg_restrict=1`.
++		if !utilfeature.DefaultFeatureGate.Enabled(features.KubeletInUserNamespace) {
++			klog.Errorf("Failed to create an oomWatcher: %v (running in UserNS, Hint: enable KubeletInUserNamespace feature flag to ignore the error)",
++				err)
++			return nil, err
++		}
++		klog.Warningf("Failed to create an oomWatcher: %v (running in UserNS, ignoring)", err)
++		oomWatcher = nil
+ 	}
+
+ 	clusterDNS := make([]net.IP, 0, len(kubeCfg.ClusterDNS))
+@@ -1356,8 +1368,10 @@ func (kl *Kubelet) initializeModules() error {
+ 	}
+
+ 	// Start out of memory watcher.
+-	if err := kl.oomWatcher.Start(kl.nodeRef); err != nil {
+-		return fmt.Errorf("failed to start OOM watcher %v", err)
++	if kl.oomWatcher != nil {
++		if err := kl.oomWatcher.Start(kl.nodeRef); err != nil {
++			return fmt.Errorf("failed to start OOM watcher %v", err)
++		}
+ 	}
+
+ 	// Start resource analyzer
+-- 
+2.30.2
+
diff --git a/...ream-kubelet-new-cgroup-driver-none.patch → ...ream-kubelet-new-cgroup-driver-none.patch b/...ream-kubelet-new-cgroup-driver-none.patch → ...ream-kubelet-new-cgroup-driver-none.patch
@@ -1,7 +1,7 @@
-From f6304fb2f22507d79f086acee450cf99e3d7eb46 Mon Sep 17 00:00:00 2001
+From ba728da0ea44e25c294991ff2ead6d653c786974 Mon Sep 17 00:00:00 2001
 From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 Date: Sun, 2 Jun 2019 18:39:05 +0900
-Subject: [PATCH 3/3] [Not for Upstream] kubelet: new cgroup driver: "none"
+Subject: [PATCH 5/5] [Not for Upstream] kubelet: new cgroup driver: "none"
 
 The "none" driver is used for running "rootless" mode on a host that does not support cgroup v2.
 
@@ -17,10 +17,10 @@ Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
  4 files changed, 88 insertions(+), 20 deletions(-)
 
 diff --git a/cmd/kubelet/app/options/options.go b/cmd/kubelet/app/options/options.go
-index 74226f8e3d8..2eed0f2d031 100644
+index 2cd28ac56b4..c23b3341483 100644
 --- a/cmd/kubelet/app/options/options.go
 +++ b/cmd/kubelet/app/options/options.go
-@@ -483,7 +483,7 @@ func AddKubeletConfigFlags(mainfs *pflag.FlagSet, c *kubeletconfig.KubeletConfig
+@@ -479,7 +479,7 @@ func AddKubeletConfigFlags(mainfs *pflag.FlagSet, c *kubeletconfig.KubeletConfig
  	fs.StringVar(&c.ProviderID, "provider-id", c.ProviderID, "Unique identifier for identifying the node in a machine database, i.e cloudprovider")
 
  	fs.BoolVar(&c.CgroupsPerQOS, "cgroups-per-qos", c.CgroupsPerQOS, "Enable creation of QoS cgroup hierarchy, if true top level QoS and pod cgroups are created.")
@@ -30,10 +30,10 @@ index 74226f8e3d8..2eed0f2d031 100644
  	fs.StringVar(&c.CPUManagerPolicy, "cpu-manager-policy", c.CPUManagerPolicy, "CPU Manager policy to use. Possible values: 'none', 'static'.")
  	fs.DurationVar(&c.CPUManagerReconcilePeriod.Duration, "cpu-manager-reconcile-period", c.CPUManagerReconcilePeriod.Duration, "<Warning: Alpha feature> CPU Manager reconciliation period. Examples: '10s', or '1m'. If not supplied, defaults to 'NodeStatusUpdateFrequency'")
 diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
-index 2dc10a512b3..1bdbcbd7f72 100644
+index bb52d49cf4c..546612a2003 100644
 --- a/cmd/kubelet/app/server.go
 +++ b/cmd/kubelet/app/server.go
-@@ -622,26 +622,30 @@ func run(ctx context.Context, s *options.KubeletServer, kubeDeps *kubelet.Depend
+@@ -646,26 +646,30 @@ func run(ctx context.Context, s *options.KubeletServer, kubeDeps *kubelet.Depend
  	}
 
  	var cgroupRoots []string
@@ -96,7 +96,7 @@ index fcc86830b5a..9eece47b26d 100644
  	// CPUManagerPolicy is the name of the policy to use.
  	// Requires the CPUManager feature gate to be enabled.
 diff --git a/pkg/kubelet/cm/cgroup_manager_linux.go b/pkg/kubelet/cm/cgroup_manager_linux.go
-index f598d466b0b..f320a77a6fa 100644
+index bd7415a945b..1bab12d7472 100644
 --- a/pkg/kubelet/cm/cgroup_manager_linux.go
 +++ b/pkg/kubelet/cm/cgroup_manager_linux.go
 @@ -49,6 +49,9 @@ const (
@@ -123,7 +123,7 @@ index f598d466b0b..f320a77a6fa 100644
  	managerType := libcontainerCgroupfs
  	if cgroupDriver == string(libcontainerSystemd) {
  		managerType = libcontainerSystemd
-@@ -768,3 +778,57 @@ func (m *cgroupManagerImpl) GetResourceStats(name CgroupName) (*ResourceStats, e
+@@ -719,3 +729,57 @@ func (m *cgroupManagerImpl) GetResourceStats(name CgroupName) (*ResourceStats, e
  	}
  	return toResourceStats(stats), nil
  }
@@ -182,5 +182,5 @@ index f598d466b0b..f320a77a6fa 100644
 +	}, nil
 +}
 -- 
-2.27.0
+2.30.2