kubeadm: chroot to new --rootfs arg #54935
Conversation
k8s-ci-robot
added
release-note-none
| @@ -34,6 +34,7 @@ type MasterConfiguration struct { | |||
| CloudProvider string `json:"cloudProvider"` | |||
| NodeName string `json:"nodeName"` | |||
| AuthorizationModes []string `json:"authorizationModes,omitempty"` | |||
| Rootfs string `json:"rootfs"` | |||
There was a problem hiding this comment.
do we really need to expose it here ?
There was a problem hiding this comment.
Oh I see, I didn't realise how this differed from the other ../types.go. No, we don't need it exposed in this (persisted) version.
| @@ -103,6 +104,7 @@ type NodeConfiguration struct { | |||
| NodeName string `json:"nodeName"` | |||
| TLSBootstrapToken string `json:"tlsBootstrapToken"` | |||
| Token string `json:"token"` | |||
| Rootfs string `json:"rootfs"` | |||
|
For new flags, it would be good also to have release note. |
|
@kad: do you want me to duplicate this code for all these subcommands (and phases)? That seems to be the current pattern, but if I were writing kubeadm I would instead lift this (and perhaps other common options) up to a single I'm happy to do the cut+paste-everywhere version, I just want to be sure that is the direction you want me to go before doing it. |
k8s-ci-robot
added
release-note
|
About moving to root My point was purely about functionality: if we introduce functionality in some main commands (join/init), we should be able to do the same consistently in phases (if kubeadm is used as part of more complex solution which executes phases step-by-step) and in other main commands (reset, upgrade). |
cmd/kubeadm/app/cmd/init.go
Outdated
| if err := syscall.Chroot(cfg.Rootfs); err != nil { | ||
| return nil, fmt.Errorf("unable to chroot to %s: %v", cfg.Rootfs, err) | ||
| } | ||
| // NB: All file paths after here are relative to Rootfs |
There was a problem hiding this comment.
Note that chroot "does not change the current working directory, so that after the call '.' can be outside the tree rooted at '/'." See more info in man 2 chroot. It's advised to always explicitly invoke syscall.Chdir before or after the chroot.
There was a problem hiding this comment.
Good call - I should not just rely on kubeadm using only absolute paths. I'll add an explicit chdir(/).
anguslees
force-pushed
the
kubeadm-chroot
branch
from
c32f91f
to
373edad
Compare
|
PTAL. Moved into a Note that the chroot happens before reading the config file - so the |
anguslees
force-pushed
the
kubeadm-chroot
branch
2 times, most recently
from
69056be
to
eb1fe7f
Compare
k8s-github-robot
added
the
needs-rebase
anguslees
force-pushed
the
kubeadm-chroot
branch
from
eb1fe7f
to
93f2a81
Compare
k8s-github-robot
added
needs-rebase
|
(Given the release freeze, I'm going to wait until I get a review rather than just sit here rebasing this every day. Please don't misinterpret an outstanding conflict as an indication that I no longer care about this PR.) |
examples/kubeadm/Dockerfile
Outdated
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. |
There was a problem hiding this comment.
Maybe add here as a comment at least some "usage" for this image ? with example of docker run -it -v /:/rootfs kubeadm init ... /
There was a problem hiding this comment.
Done. Let me know if it doesn't makes sense.
anguslees
force-pushed
the
kubeadm-chroot
branch
2 times, most recently
from
f4bb01b
to
d134986
Compare
k8s-github-robot
removed
the
needs-rebase
|
In overall, looks good to me. @anguslees have you thought about looking at creating that kubeadm image as part of release artefacts ? If build scripts will be building this image and populating GCR at the same time as any other release images, it might be easier method for users to get kubeadm. |
Agreed 100% and that is my desire. As I said in the original PR comment, I have no idea how to go about getting this added/moved to the release images. Any pointers? (to docs or people/channels where I can ask again?) |
|
I think first place to look at is: |
k8s-github-robot
added
the
needs-rebase
|
@anguslees is this still of interest? If yes, please rebase. |
|
@anguslees I agree, all commands that require reading/writing any file should have |
|
@anguslees @kad thanks for the updates @anguslees and sorry for going back and forth with the reviews and also for this PR collecting dust for so long. i can do any further amends myself if you'd prefer. /lgtm |
k8s-ci-robot
added
the
lgtm
|
/test pull-kubernetes-e2e-kops-aws |
|
/test all |
|
/retest |
|
/assign @fabriziopandini |
There was a problem hiding this comment.
This is useful, but there are weird side effects that may occur on chroots. I'm ok with this so long as --experiment-rootfs is given
/assign @timothysc
|
/retest |
To be clear: Are you saying the change is ok as-is, or you want me to rename the flag to (You github-approved the change, but without an "/approve" for the k8s-bots to see) |
|
@anguslees @timothysc
WDYT? |
Happy to type whatever the latest approver wants to see, just need to know what that is. |
|
+1 to |
|
@anguslees ^^ also: in the release note will be nice to have. |
k8s-ci-robot
removed
the
lgtm
|
I have prepended |
|
@anguslees |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: anguslees, neolit123, timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/test pull-kubernetes-e2e-kops-aws |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
This change adds a new --rootfs=path option to kubeadm, and (if
provided) chroot()s to this path before performing file operations.
This makes it possible to run the kubeadm binary from a container, but
perform remaining file operations against the host filesystem using
something like:
(Assuming something like the included
examples/kubeadm/Dockerfilewhich sets CMD tokubeadm --rootfs=/rootfs- Edit: Dockerfile has been removed from this PR, but you get the idea)Fixes kubernetes/kubeadm#503
Special notes for your reviewer:
I'm not sure where is best to put the Dockerfile, or hook it up to the build process. Advice sought.
The kubeadm command line arg handling was less unified than I was expecting to find. I've implemented this arg for
initandjoin. I can add it to all the others too, if we're happy with the approach. An alternative would be to add the arg in the parentKubeadmCommand, possibly with aPersistantFlag- then it would automatically exist for all kubeadm subcommands.It would be slightly preferable if we could order
--rootfsbefore the subcommand so we could apply the arg automatically withENTRYPOINT ["kubeadm", "--rootfs=/rootfs"]. This would be the only such flag inkubeadmhowever, so I have not implemented it that way atm. (Another alternative would be an env var)Release note: