Container Linux Config Transpiler does not support ETCD_SSL_DIR #2565

Open
devurandom opened this Issue Mar 12, 2019 · 1 comment

devurandom commented Mar 12, 2019

Issue Report

Bug

Container Linux Version

$ cat /etc/os-release
NAME="Container Linux by CoreOS"
ID=coreos
VERSION=2023.4.0
VERSION_ID=2023.4.0
BUILD_ID=2019-02-26-0032
PRETTY_NAME="Container Linux by CoreOS 2023.4.0 (Rhyolite)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"

Environment

What hardware/cloud provider/hypervisor is being used to run Container Linux?

Digital Ocean

Expected Behavior

Setting the etcd.ssl_dir Container Linux Config parameter should set the ETCD_SSL_DIR environment variable in /etc/systemd/system/etcd-member.service.d/20-clct-etcd-member.conf, so that there is a way to influence which host directory /usr/lib/coreos/etcd-wrapper will mount at /etc/ssl/certs in the container.

Actual Behavior

The etcd Container Linux Config structure offers no way of influencing the ETCD_SSL_DIR environment variable.

devurandom added a commit to devurandom/typhoon that referenced this issue Mar 12, 2019

Configure etcd on Digital Ocean to listen on private IPv4 address only
This is supposed to slightly improve security.

Since we do not yet know the IP address of the machine when rendering the
template in Terraform, we use Container Linux Config's support for CoreOS
Metadata to resolve it during installation.  This requires that we use the
Container Linux Config `etcd` structure instead of manipulating the
`etcd-member.service` directly, because the Container Linux Config transpiler
will only interpolate `{}` statements in that section, but not in `systemd`
units.

Since the Container Linux Config transpiler currently provides no way to set
the `ETCD_SSL_DIR` which `/usr/lib/coreos/etcd-wrapper` will mount into the
container, we still need to override this environment variable in
`etcd-member.service` ourselves.

See-Also: coreos/bugs#2565

devurandom added a commit to devurandom/typhoon that referenced this issue Mar 12, 2019

Configure etcd on Digital Ocean to listen on private IPv4 address only
This is supposed to slightly improve security.

Since we do not yet know the IP address of the machine when rendering the
template in Terraform, we use Container Linux Config's support for CoreOS
Metadata to resolve it during installation.  This requires that we use the
Container Linux Config `etcd` structure instead of manipulating the
`etcd-member.service` directly, because the Container Linux Config transpiler
will only interpolate `{}` statements in that section, but not in `systemd`
units.

Since the Container Linux Config transpiler currently provides no way to set
the `ETCD_SSL_DIR` which `/usr/lib/coreos/etcd-wrapper` will mount into the
container, we still need to override this environment variable in
`etcd-member.service` ourselves.

See-also: coreos/bugs#2565
Signed-off-by: Dennis Schridde <devurandom@gmx.net>
ajeddeloh commented Mar 12, 2019

As a workaround you can add a drop-in unit to the etcd-member.service unit setting that environment variable.

This is because we currently only support the command line options from etcd (which can be specified by env vars as well) but the ETCD_SSL_DIR env var is actually used by the etcd-wrapper script, not etcd itself. This was an oversight.

We're pretty bogged down with Fedora CoreOS work at the moment, but if you want to submit a PR I can definitely get that through review and cut a new release with it.
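The following Container Linux Config is an added example, not code from the issue, from Typhoon or from the Container Linux Config Transpiler project. It shows the two pieces the issue and the workaround above describe side by side: the `etcd` section, which ct renders into 20-clct-etcd-member.conf and in which `{PRIVATE_IPV4}` is substituted from CoreOS metadata at boot, and a second drop-in that sets `ETCD_SSL_DIR` for /usr/lib/coreos/etcd-wrapper, since the `etcd` section has no key for it. The etcd version, the member names and addresses, the host directory /etc/ssl/etcd and the certificate file names are assumptions made for the example.

```yaml
# Added example (not from the issue, Typhoon or ct). One etcd member on
# DigitalOcean. Everything under `etcd:` becomes ETCD_* environment variables
# in /etc/systemd/system/etcd-member.service.d/20-clct-etcd-member.conf, and
# {PRIVATE_IPV4} is resolved through coreos-metadata at boot when the config
# is transpiled with `ct --platform=digitalocean`.
etcd:
  version: 3.3.12                          # assumed etcd image tag
  name: etcd-0                             # assumed member name
  # Bind peer and client listeners to the private address only; nothing is
  # exposed on the public interface. 127.0.0.1 is kept for local etcdctl use.
  listen_peer_urls: "https://{PRIVATE_IPV4}:2380"
  listen_client_urls: "https://{PRIVATE_IPV4}:2379,https://127.0.0.1:2379"
  advertise_client_urls: "https://{PRIVATE_IPV4}:2379"
  initial_advertise_peer_urls: "https://{PRIVATE_IPV4}:2380"
  # Constructed cluster layout; the private IPs are placeholders.
  initial_cluster: "etcd-0=https://10.0.0.10:2380,etcd-1=https://10.0.0.11:2380,etcd-2=https://10.0.0.12:2380"
  initial_cluster_state: new
  # These paths are as seen INSIDE the rkt container: etcd-wrapper mounts the
  # host directory named by ETCD_SSL_DIR at /etc/ssl/certs, so host
  # /etc/ssl/etcd/server.crt appears here as /etc/ssl/certs/server.crt.
  cert_file: /etc/ssl/certs/server.crt
  key_file: /etc/ssl/certs/server.key
  trusted_ca_file: /etc/ssl/certs/ca.crt
  client_cert_auth: true
  peer_cert_file: /etc/ssl/certs/peer.crt
  peer_key_file: /etc/ssl/certs/peer.key
  peer_trusted_ca_file: /etc/ssl/certs/ca.crt
  peer_client_cert_auth: true

systemd:
  units:
    - name: etcd-member.service
      enabled: true
      dropins:
        # The workaround from the comment above. ETCD_SSL_DIR is consumed by
        # /usr/lib/coreos/etcd-wrapper, not by etcd, so it has to be set in a
        # drop-in of our own. The file sorts after 20-clct-etcd-member.conf.
        # Drop-in contents are plain text: ct does not interpolate {} metadata
        # variables here, only in the `etcd` section.
        - name: 30-etcd-ssl-dir.conf
          contents: |
            [Service]
            Environment="ETCD_SSL_DIR=/etc/ssl/etcd"

storage:
  directories:
    # Host directory the drop-in points at (assumed); the certificate and key
    # files named above are expected to be placed in it before etcd starts.
    - filesystem: root
      path: /etc/ssl/etcd
      mode: 0700
```

Transpile with `ct --platform=digitalocean`; without the platform flag the `{PRIVATE_IPV4}` reference is not substituted. After boot, `systemctl show etcd-member.service -p Environment` should list `ETCD_SSL_DIR=/etc/ssl/etcd` next to the `ETCD_*` variables written by 20-clct-etcd-member.conf. Note that the wrapper's mount replaces the container's /etc/ssl/certs wholesale, so only the files in the chosen host directory are visible there; that is sufficient for etcd, which trusts exactly the CA files named by `trusted_ca_file` and `peer_trusted_ca_file`.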
