Experimental support for running kubelet in container

[pmorie]

WIP for #6848

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project, in which case you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please let us know the company's name.

[pmorie]

So far this PR:

1. Injects mounters into volume plugins
2. Adds a new mounter that knows how to nsenter the host's mount namespace from a container
3. Runs a containerized flag to the kubelet
4. Turns off kubelet joining cgroup to use devices (will be handled with docker --privileged option) when kubelet is containerized
5. Injects an nsentering mounter into plugins when kubelet is containerized

It builds; tests are going to be broken.

Next up: make an image that has this kubelet binary and nsenter and test.

[pmorie]

@vmarmol @thockin @erictune @eparis @rootfs @vishh

[pmorie]

How could I forget @yifan-gu @dchen1107

[vishh]

This hack LGTM.

[pmorie]

@vishh Yep, this is 99% hack for POC purposes. The mounter injection would be the 1% that we can use.

[pmorie]

Now with more hacks. Tmpfs e2e runs locally with kubelet running in container; secrets doesn't. Next step will be to investigate secrets.

[pmorie]

Code in this branch works with docker 1.6. Currently, there's a dependency on 1.6 because it switches the mount propogation mode of bind mounts from MOUNT_PRIVATE to MOUNT_SLAVE, so mounts made to host fs volumes (made from the host's mount ns) bind-mounted into containers will be propagated to the bind-mounts. Docker 1.5 uses MOUNT_PRIVATE. I've tested by doing an e2e run locally. There are some cases that don't work, but they appear to be the usual suspects and most of them shouldn't be run anyway against local (will open PRs up to skip these).

One nit that I found: mounts for volumes are not currently cleaned up when the kubelet is run in a container (ie, umount fails with device or resource busy). Those mount points may show as busy because they're under the bind-mount of the kubelet root dir. Need to do more digging on this to follow up.

With that said, I'm curious about how folks feel about some of this code going in so that we can experiment further without carrying the patch. I would want to:

1. Rebase on top of Implement Mount interface using mount(8) and umount(8) #6400 when it goes in
2. Pull the mounter to use up to being a field of the kubelet that the creator of the kubelet can supply (instead of having the getMounter method that would introduce a dependency on `NsenterMounter)
3. Pull the NsenterMounter out for now or use some other special casing around it which is clearly marked as experimental

Unit and integration tests still broken; will fix those up next.

Thanks to @eparis and @vbatts again for support on getting this working.

Any thoughts @thockin @vishk @smarterclayton?

[eparis]

Would it be better to check for /.dockerenv or /.dockerinit instead of having to make the user remember on the command line?

[pmorie]

@eparis Eventually that seems sane.

[pmorie]

Rebased, will test later. Next up for this is fixing tests. Still waiting on #6400.

[pmorie]

I think I've got a handle on getting unmount to work correctly; I think I need to perform the unmount first in the kubelet container's mount ns, and then on the host.

[pmorie]

Sweet, more rebasing later.

[pmorie]

I ran emptyDir and secrets E2Es locally with SELinux enforcing against containerized kubelet, both passed.

[pmorie]

@vmarmol My rebase party is complete, I think this is ready for final review.

[pmorie]

I'm blocked at the moment from doing the E2E build because of the bug this commit fixes:

rhatdan/moby1@350a636

They're cutting a new 1.6 package for fedora but it will probably be a couple days before it shows up in repos. :-/

[pmorie]

@vmarmol If you are running docker 1.5 locally and could find it in your heart do kick off an e2e run, I would definitely owe you 🍻

[vmarmol]

Spoke to @pmorie on IRC and we're gonna split the PR into 4:

• Injecting mounter
• nsenter mounter
• Local Dockerized Kubelet
• Building Dockerized Kubelet

[vmarmol]

@pmorie the default Docker on GCE is still 1.5 so I'd be happy to test :D I'll kickoff an e2e with this branch

[pmorie]

Closing this out since we're splitting out separate PRs.