kubeadm: chroot to new --rootfs arg #54935
what about cmd/kubeadm/app/phases/* ?
@@ -34,6 +34,7 @@ type MasterConfiguration struct { | |||
CloudProvider string `json:"cloudProvider"` | |||
NodeName string `json:"nodeName"` | |||
AuthorizationModes []string `json:"authorizationModes,omitempty"` | |||
Rootfs string `json:"rootfs"` |
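Review bot: The Rootfs field added at the end of MasterConfiguration carries a json:"rootfs" tag, so a chroot path that only has meaning for one invocation on one host becomes part of the serialized configuration. Consider keeping it out of this JSON-tagged type and carrying it only as a command-line option; if it has to stay here, give it omitempty as AuthorizationModes has, so an unset value is not written out.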
do we really need to expose it here ?
Oh I see, I didn't realise how this differed from the other ../types.go. No, we don't need it exposed in this (persisted) version.
@@ -103,6 +104,7 @@ type NodeConfiguration struct { | |||
NodeName string `json:"nodeName"` | |||
TLSBootstrapToken string `json:"tlsBootstrapToken"` | |||
Token string `json:"token"` | |||
Rootfs string `json:"rootfs"` |
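Review bot: Rootfs is added to NodeConfiguration, directly after TLSBootstrapToken and Token, with no doc comment, and the name alone does not tell a reader of the type what the value is used for. Add a comment on the field saying which directory it names and whether the other path-valued settings are interpreted relative to it.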
same as above.
For new flags, it would be good also to have a release note.
@kad: do you want me to duplicate this code for all these subcommands (and phases)? That seems to be the current pattern, but if I were writing kubeadm I would instead lift this (and perhaps other common options) up to a single I'm happy to do the cut+paste-everywhere version, I just want to be sure that is the direction you want me to go before doing it.
About moving to root My point was purely about functionality: if we introduce functionality in some main commands (join/init), we should be able to do the same consistently in phases (if kubeadm is used as part of a more complex solution which executes phases step-by-step) and in other main commands (reset, upgrade).
cmd/kubeadm/app/cmd/init.go
Outdated
if err := syscall.Chroot(cfg.Rootfs); err != nil { | ||
return nil, fmt.Errorf("unable to chroot to %s: %v", cfg.Rootfs, err) | ||
} | ||
// NB: All file paths after here are relative to Rootfs |
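Review bot: The closing comment "All file paths after here are relative to Rootfs" only holds for absolute paths, because nothing in this hunk resets the working directory after syscall.Chroot(cfg.Rootfs). Follow the chroot with syscall.Chdir("/") and return its error in the same way as the chroot error, so that relative paths cannot resolve against a directory outside the new root.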
Note that chroot "does not change the current working directory, so that after the call '.' can be outside the tree rooted at '/'." See more info in man 2 chroot. It's advised to always explicitly invoke syscall.Chdir before or after the chroot.
Good call - I should not just rely on kubeadm using only absolute paths. I'll add an explicit chdir(/).
(Done)
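The chroot-then-chdir sequence discussed in this review thread, as an added example that is not code from the PR or from kubeadm. The rootSwitcher type and its enter method are hypothetical names, and the two syscalls are injected so the call order can be checked without root privileges.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// rootSwitcher holds the two syscalls as fields so tests can substitute
// fakes (hypothetical type for this example, not kubeadm's).
type rootSwitcher struct {
	chroot func(string) error
	chdir  func(string) error
}

// realSwitcher uses the real syscalls; chroot(2) needs CAP_SYS_CHROOT.
var realSwitcher = rootSwitcher{chroot: syscall.Chroot, chdir: syscall.Chdir}

// enter confines the process to rootfs. An empty rootfs means "no chroot".
func (s rootSwitcher) enter(rootfs string) error {
	if rootfs == "" {
		return nil
	}
	if !filepath.IsAbs(rootfs) {
		return fmt.Errorf("rootfs %q must be an absolute path", rootfs)
	}
	if err := s.chroot(rootfs); err != nil {
		return fmt.Errorf("unable to chroot to %s: %v", rootfs, err)
	}
	// chroot(2) leaves the working directory untouched, so "." can still
	// refer to a directory outside the new root until we chdir.
	if err := s.chdir("/"); err != nil {
		return fmt.Errorf("unable to chdir to new root: %v", err)
	}
	return nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: enter-rootfs <absolute-path>")
		os.Exit(2)
	}
	if err := realSwitcher.enter(os.Args[1]); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	wd, _ := os.Getwd()
	fmt.Println("working directory inside new root:", wd)
}
```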
PTAL. Moved into a Note that the chroot happens before reading the config file - so the
(Given the release freeze, I'm going to wait until I get a review rather than just sit here rebasing this every day. Please don't misinterpret an outstanding conflict as an indication that I no longer care about this PR.)
examples/kubeadm/Dockerfile
Outdated
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. |
Maybe add here as a comment at least some "usage" for this image ? with example of docker run -it -v /:/rootfs kubeadm init ...
/
Done. Let me know if it doesn't make sense.
Overall, looks good to me. @anguslees have you thought about looking at creating that kubeadm image as part of release artefacts? If build scripts will be building this image and populating GCR at the same time as any other release images, it might be an easier method for users to get kubeadm.
Agreed 100% and that is my desire. As I said in the original PR comment, I have no idea how to go about getting this added/moved to the release images. Any pointers? (to docs or people/channels where I can ask again?)
I think first place to look at is:
@anguslees is this still of interest? If yes, please rebase.
@anguslees I agree, all commands that require reading/writing any file should have
@anguslees @kad thanks for the updates @anguslees and sorry for going back and forth with the reviews and also for this PR collecting dust for so long. I can do any further amends myself if you'd prefer. /lgtm
/test pull-kubernetes-e2e-kops-aws
/test all
/retest
/assign @fabriziopandini
This is useful, but there are weird side effects that may occur on chroots. I'm ok with this so long as --experiment-rootfs is given
/assign @timothysc
/retest
To be clear: Are you saying the change is ok as-is, or you want me to rename the flag to (You github-approved the change, but without an "/approve" for the k8s-bots to see)
@anguslees @timothysc WDYT?
Happy to type whatever the latest approver wants to see, just need to know what that is.
+1 to
@anguslees ^^ also:
in the release note will be nice to have.
I have prepended
@anguslees
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: anguslees, neolit123, timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/test pull-kubernetes-e2e-kops-aws
/test all [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.
What this PR does / why we need it:
This change adds a new --rootfs=path option to kubeadm, and (if
provided) chroot()s to this path before performing file operations.
This makes it possible to run the kubeadm binary from a container, but
perform remaining file operations against the host filesystem using
something like:
(Assuming something like the included examples/kubeadm/Dockerfile which sets CMD to kubeadm --rootfs=/rootfs - Edit: Dockerfile has been removed from this PR, but you get the idea)
Fixes kubernetes/kubeadm#503
Special notes for your reviewer:
I'm not sure where is best to put the Dockerfile, or hook it up to the build process. Advice sought.
The kubeadm command line arg handling was less unified than I was expecting to find. I've implemented this arg for init and join. I can add it to all the others too, if we're happy with the approach. An alternative would be to add the arg in the parent KubeadmCommand, possibly with a PersistantFlag - then it would automatically exist for all kubeadm subcommands.
It would be slightly preferable if we could order --rootfs before the subcommand so we could apply the arg automatically with ENTRYPOINT ["kubeadm", "--rootfs=/rootfs"]. This would be the only such flag in kubeadm however, so I have not implemented it that way atm. (Another alternative would be an env var)
Release note: