Install docker 17.03 via binary and configure logs rotation on all systems via daemon.json #382
Conversation
kubermatic-bot
added
release-note
| "log-driver": "json-file", | ||
| "log-opts": { | ||
| "max-size": "10m", | ||
| "max-file": "2" |
There was a problem hiding this comment.
Is this a per-container setting?
There was a problem hiding this comment.
Unfortunately yes.
There was a problem hiding this comment.
Do we already limit the overall journald size?
There was a problem hiding this comment.
Yes, on every system we set:
https://github.com/kubermatic/machine-controller/pull/382/files#diff-8e277877f731647a2f08ec1c985fb9abR16
|
Is there a way we can find out via the Kube api which storage driver docker uses? |
I don't think so. The Node Object does only container the container runtime version. The storage driver seems more an implementation detail, which should not even appear in the Node object. |
|
/lgtm |
kubermatic-bot
added
lgtm
|
/hold @mrIncompetent The issue with reading logs from the journald log driver only exists with the docker package from the built-in repo ( |
kubermatic-bot
added
the
do-not-merge/hold
docker-ce from the docker repositories only contains 18.03 (Only verified with kubernetes 1.12+). Though, the docker.io (from the ubuntu bionic repo) only has version 17.12: https://packages.ubuntu.com/bionic/docker.io Kubernetes 1.9 - 1.11 supports 17.03 as highest version. |
Sort-Of, 17.03 is the highest verified Docker version, that doesn't mean higher Docker versions won't work. E2Es do pass for all Kubernetes versions with Docker 1806 |
|
Maybe going with the kops way of doing it, could be a solution? Basically downloading the release & manually setting it up. It would decouple us from the operating system specific package management - which has up & downsides. |
|
Doesn't help here, the problem is that we need a dynamically linked version of Docker in order for docker logs to work with the journald driver. So we basically must use packages from the repo |
|
@alvaroaleman and me agreed on using json-file as log driver for Docker on all operating systems. We'll use the |
mrIncompetent
force-pushed
the
ubuntu-limit-docker-log-size
branch
from
1e69786 to
2b10b67
Compare
kubermatic-bot
removed
the
approved
mrIncompetent
changed the title
|
@alvaroaleman PTAL |
mrIncompetent
force-pushed
the
ubuntu-limit-docker-log-size
branch
from
2b10b67 to
7d9da33
Compare
kubermatic-bot
added
size/XXL
mrIncompetent
force-pushed
the
ubuntu-limit-docker-log-size
branch
from
5983c9c to
372b56d
Compare
kubermatic-bot
removed
the
needs-rebase
mrIncompetent
force-pushed
the
ubuntu-limit-docker-log-size
branch
from
899405a to
4c114d2
Compare
|
This works finally. PTAL @alvaroaleman |
pkg/userdata/ubuntu/userdata.go
Outdated
| # Never set the hostname on AWS nodes. Kubernetes(kube-proxy) requires the hostname to be the private dns name | ||
| {{ end }} | ||
| groups: |
There was a problem hiding this comment.
What for do we need this?
There was a problem hiding this comment.
I would like to stick as close as possible to "normal" setup of docker as possible.
Using a docker group is the common way of handling docker permission, no?
There was a problem hiding this comment.
Oh wait, i just realized that we don't actually use that group anywhere
There was a problem hiding this comment.
We did use it on the socket ;)
There was a problem hiding this comment.
Oh that explains a lot :D
| [Install] | ||
| WantedBy=multi-user.target | ||
|
|
||
| - path: /etc/systemd/system/docker.socket |
There was a problem hiding this comment.
Is there any reason to have a docker.socket and a containerd.service aside from "CoreOS does it that way"? The docker package on Ubuntu manages perfectly fine without a containerd.service and the socket is only useful to have socket activation which we don't need because we already explicitly declare docker as dependency of the Kubelet
There was a problem hiding this comment.
containerd.service:
Even though has a compiled in containerd, docker will look on the host for a /usr/bin/containerd first. If one is found, that binary will be started instead of the compiled in one.
On CoreOS /usr/bin/containerd exists - as it gets shipped with CoreOS, but does not work together with Docker 17.04. As Thus the way via the service is needed.
docker.socket
That is how CoreOS does it. I can remove it
There was a problem hiding this comment.
containerd.service:
Even though has a compiled in containerd, docker will look on the host for a /usr/bin/containerd first. If one is found, that binary will be started instead of the compiled in one.
Yeah but that would mean that we need it on coreos only, not on the rest. I'd really like to prefer all of this as simple as possible and right now IMHO the templates are extremely hard to read already, so I'd prefer to not put anything in them which we dont absolutely need
There was a problem hiding this comment.
So you prefer a special handling for CoreOS?
I'm not sure if that would improve readability, as we then would either have to introduce special templating inside the docker.service to support CoreOS and the rest or we would have a copy of the docker.service just for CoreOS.
I would prefer a unified handling of Docker, but as you prefer.
There was a problem hiding this comment.
We can use a drop-in to add the additional dependency without having to alter the main unit file
There was a problem hiding this comment.
Great idea, i'll adapt the pull!
…stems via daemon.json
mrIncompetent
force-pushed
the
ubuntu-limit-docker-log-size
branch
from
b4f71d6 to
44979bd
Compare
mrIncompetent
changed the title
|
@alvaroaleman PTAL |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alvaroaleman The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubermatic-bot
added
the
approved
|
/test pull-machine-controller-e2e |
2 similar comments
|
/test pull-machine-controller-e2e |
|
/test pull-machine-controller-e2e |
|
/hold cancel |
kubermatic-bot
removed
the
do-not-merge/hold
What this PR does / why we need it:
This PR will unify the docker installation on all operating systems.
Instead of installing the best(Or close to best) version via the individual OS repositories, docker will now be installed by simply downloading the release binary & creating the systemdunit.
This ensures that we always install the same version across all operating systems.
Additionally - and this was actually the initial idea - all operating systems now use the docker log-rotation via
daemon.jsonFixes #292