This repository has been archived by the owner on Oct 16, 2020. It is now read-only.

Container Linux Config Transpiler does not support ETCD_SSL_DIR #2565

devurandom opened this issue Mar 12, 2019 · 1 comment

Comments

@devurandom

Issue Report

Bug

Container Linux Version

$ cat /etc/os-release
NAME="Container Linux by CoreOS"
ID=coreos
VERSION=2023.4.0
VERSION_ID=2023.4.0
BUILD_ID=2019-02-26-0032
PRETTY_NAME="Container Linux by CoreOS 2023.4.0 (Rhyolite)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"

Environment

What hardware/cloud provider/hypervisor is being used to run Container Linux?

Digital Ocean

Expected Behavior

Setting the etcd.ssl_dir Container Linux Config parameter should set the ETCD_SSL_DIR environment variable in /etc/systemd/system/etcd-member.service.d/20-clct-etcd-member.conf, so that there is a way to influence which host directory /usr/lib/coreos/etcd-wrapper will mount at /etc/ssl/certs in the container.

Actual Behavior

The etcd Container Linux Config structure offers no way of influencing the ETCD_SSL_DIR environment variable.

devurandom added a commit to devurandom/typhoon that referenced this issue Mar 12, 2019
This is supposed to slightly improve security.

Since we do not yet know the IP address of the machine when rendering the
template in Terraform, we use Container Linux Config's support for CoreOS
Metadata to resolve it during installation.  This requires that we use the
Container Linux Config `etcd` structure instead of manipulating the
`etcd-member.service` directly, because the Container Linux Config transpiler
will only interpolate `{}` statements in that section, but not in `systemd`
units.

Since the Container Linux Config transpiler currently provides no way to set
the `ETCD_SSL_DIR` which `/usr/lib/coreos/etcd-wrapper` will mount into the
container, we still need to override this environment variable in
`etcd-member.service` ourselves.

See-Also: coreos/bugs#2565
devurandom added a commit to devurandom/typhoon that referenced this issue Mar 12, 2019
This is supposed to slightly improve security.

Since we do not yet know the IP address of the machine when rendering the
template in Terraform, we use Container Linux Config's support for CoreOS
Metadata to resolve it during installation.  This requires that we use the
Container Linux Config `etcd` structure instead of manipulating the
`etcd-member.service` directly, because the Container Linux Config transpiler
will only interpolate `{}` statements in that section, but not in `systemd`
units.

Since the Container Linux Config transpiler currently provides no way to set
the `ETCD_SSL_DIR` which `/usr/lib/coreos/etcd-wrapper` will mount into the
container, we still need to override this environment variable in
`etcd-member.service` ourselves.

See-also: coreos/bugs#2565
Signed-off-by: Dennis Schridde <devurandom@gmx.net>
@ajeddeloh

As a workaround you can add a drop-in unit to the etcd-member.service unit setting that environment variable.

This is because we currently only support the command line options from etcd (which can be specified by env vars as well) but the ETCD_SSL_DIR env var is actually used by the etcd-wrapper script, not etcd itself. This was an oversight.

We're pretty bogged down with Fedora CoreOS work at the moment, but if you want to submit a PR I can definitely get that through review and cut a new release with it.
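An added example of the drop-in workaround described above, written as a Container Linux Config fragment; it is not code from the issue or from the project. The host directory /etc/ssl/etcd, the drop-in file name and the certificate file names are assumptions.

```yaml
# Container Linux Config (fed to ct). The transpiler renders the `etcd` section
# into /etc/systemd/system/etcd-member.service.d/20-clct-etcd-member.conf and
# interpolates {PRIVATE_IPV4} from CoreOS Metadata at boot, but it offers no
# key for ETCD_SSL_DIR, so the variable is set through a separate drop-in.
etcd:
  name: "{HOSTNAME}"
  advertise_client_urls: "https://{PRIVATE_IPV4}:2379"
  initial_advertise_peer_urls: "https://{PRIVATE_IPV4}:2380"
  listen_client_urls: "https://0.0.0.0:2379"
  listen_peer_urls: "https://{PRIVATE_IPV4}:2380"
  # Paths are inside the container: etcd-wrapper bind-mounts $ETCD_SSL_DIR
  # (host) at /etc/ssl/certs (container). File names are assumed.
  cert_file: "/etc/ssl/certs/server.crt"
  key_file: "/etc/ssl/certs/server.key"
  trusted_ca_file: "/etc/ssl/certs/ca.crt"
  client_cert_auth: true
  peer_cert_file: "/etc/ssl/certs/peer.crt"
  peer_key_file: "/etc/ssl/certs/peer.key"
  peer_trusted_ca_file: "/etc/ssl/certs/ca.crt"
  peer_client_cert_auth: true

systemd:
  units:
    - name: etcd-member.service
      enabled: true
      dropins:
        # Assumed drop-in name; sorts after 20-clct-etcd-member.conf so it
        # takes precedence. Overrides the wrapper's default ETCD_SSL_DIR so
        # only the dedicated, root-owned key directory is mounted into etcd.
        - name: 30-etcd-ssl-dir.conf
          contents: |
            [Service]
            Environment="ETCD_SSL_DIR=/etc/ssl/etcd"
```

After boot, `systemctl show -p Environment etcd-member.service` should list ETCD_SSL_DIR=/etc/ssl/etcd; keep that host directory mode 0700 and root-owned, since it holds the etcd private keys.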
