From 426f8dacf31f608f828dbd2c75c0dfdc5a52cc60 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Thu, 14 Jun 2018 22:02:23 -0500
Subject: [PATCH] MaaS: Slightly clean systemd and enable Stdout logging for journald

This PS updates the charts and images for running systemd in a more kubernetes friendly way:

- The hosts cgroupfs is mounted in read only
- Required mounts are created (tmp tmp/lock)
- A tty is created for the container
- A unit is added to each image that streams journald to stdout

Follow up patches will improve the image builds, create cgroups in an init container, and also drop unrequired privileges from the containers in addition to compatibility with recent helm-toolkits.

Change-Id: If3b0df28fea967c5ff67df51e1e95bc74f906222
Signed-off-by: Pete Birley
---
 charts/maas/templates/bin/_start.sh.tpl | 2 +-
 charts/maas/templates/deployment-rack.yaml | 20 +++++++++++++++++++
 charts/maas/templates/statefulset-region.yaml | 19 ++++++++++++++++++
 images/maas-rack-controller/Dockerfile | 6 +++++-
 .../scripts/journalctl-to-tty.service | 13 ++++++++++++
 images/maas-region-controller/Dockerfile | 6 +++++-
 .../journalctl-to-tty.service | 13 ++++++++++++
 7 files changed, 76 insertions(+), 3 deletions(-)
 create mode 100644 images/maas-rack-controller/scripts/journalctl-to-tty.service
 create mode 100644 images/maas-region-controller/journalctl-to-tty.service

diff --git a/charts/maas/templates/bin/_start.sh.tpl b/charts/maas/templates/bin/_start.sh.tpl
index 1292e82..0cee4c8 100644
--- a/charts/maas/templates/bin/_start.sh.tpl
+++ b/charts/maas/templates/bin/_start.sh.tpl
@@ -33,4 +33,4 @@ fi
 chsh -s /bin/bash maas
-exec /bin/systemd --system
+exec /sbin/init --log-target=console 3>&1
diff --git a/charts/maas/templates/deployment-rack.yaml b/charts/maas/templates/deployment-rack.yaml
index 802d76c..9b4690d 100644
--- a/charts/maas/templates/deployment-rack.yaml
+++ b/charts/maas/templates/deployment-rack.yaml
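Review bot: The `3>&1` on the new `exec /sbin/init --log-target=console 3>&1` line is the non-obvious part of this change and nothing says why file descriptor 3 is duplicated onto stdout, so a later reader cannot tell whether systemd depends on it or whether it is a leftover. A one-line comment above the exec, e.g. `# 3>&1 is intentional; keep in sync with the CMD in images/maas-*-controller/Dockerfile`, would keep the next maintainer from "cleaning" it away. The identical command line is repeated verbatim as the CMD of both image Dockerfiles, so any future change to it has to be mirrored in three places. The rest of _start.sh.tpl is outside the hunk.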
@@ -14,6 +14,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
+
 {{- if .Values.manifests.rack_deployment }}
 {{- if empty .Values.conf.maas.url.maas_url -}}
 {{- tuple "maas_region_ui" "default" "region_ui" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.maas.url "maas_url" | quote | trunc 0 -}}
@@ -55,6 +56,7 @@ spec:
 - name: maas-rack
 image: {{ .Values.images.tags.maas_rack }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
+ tty: true
 env:
 - name: MAAS_ENDPOINT
 value: {{ .Values.conf.maas.url.maas_url }}
@@ -69,6 +71,15 @@ spec:
 securityContext:
 privileged: true
 volumeMounts:
+ - mountPath: /sys/fs/cgroup
+ name: host-sys-fs-cgroup
+ readOnly: true
+ - mountPath: /run
+ name: pod-run
+ - mountPath: /run/lock
+ name: pod-run-lock
+ - mountPath: /tmp
+ name: pod-tmp
 {{- if .Values.conf.maas.ntp.disable_ntpd_rack }}
 - name: maas-bin
 mountPath: /usr/sbin/ntpd
@@ -96,6 +107,15 @@ spec:
 {{- end }}
 {{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }}
 volumes:
+ - name: host-sys-fs-cgroup
+ hostPath:
+ path: /sys/fs/cgroup
+ - name: pod-run
+ emptyDir: {}
+ - name: pod-run-lock
+ emptyDir: {}
+ - name: pod-tmp
+ emptyDir: {}
 {{- if .Values.manifests.secret_ssh_key }}
 - name: maas-ssh
 emptyDir: {}
diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml
index a258d4f..b1f5222 100644
--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@@ -52,6 +52,7 @@ spec:
 - name: maas-region
 image: {{ .Values.images.tags.maas_region }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
+ tty: true
 {{ tuple $envAll $envAll.Values.pod.resources.maas_region | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 ports:
 - name: r-ui
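Review bot: `tty: true` in the maas-rack container (and the same field added at statefulset-region.yaml @@ -52,6) carries no explanation of why a pseudo-terminal is needed, although the field only makes sense together with the `StandardOutput=tty` streamer unit shipped in the images. Because a pty's line discipline typically rewrites `\n` as `\r\n`, the journald lines that reach the pod log may each carry a trailing carriage return, which log shippers that split on `\n` will keep; that is worth knowing before the pipeline is built on this output. A comment such as `# tty: required by journalctl-to-tty.service (StandardOutput=tty) to reach the pod log` records the dependency in the chart.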
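Review bot: `readOnly: true` on the `/sys/fs/cgroup` hostPath mount is the right intent, but the same container still has `privileged: true` two lines above the mount list, so the flag is not a security boundary here — a privileged process can remount or reach the host cgroup tree through other paths — and it should be read as defence-in-depth until the follow-up that drops privileges lands. A comment on the mount, `# read-only is advisory while the container runs privileged`, keeps it from being mistaken for isolation. The same mount block is added in statefulset-region.yaml (@@ -64,6).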
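Review bot: `pod-run` and `pod-run-lock` are plain `emptyDir: {}` volumes, which are backed by the node's disk by default, whereas systemd is normally run with `/run` and `/run/lock` on tmpfs; runtime sockets, PID files and lock files will therefore be written to the kubelet's emptyDir directory on the node rather than kept in memory. `emptyDir: {medium: Memory}` (optionally with a `sizeLimit`) for those two volumes matches the tmpfs assumption and keeps transient runtime state off disk; `/tmp` can stay as it is. The same volume block is added in statefulset-region.yaml (@@ -104,6).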
@@ -64,6 +65,15 @@ spec:
 command:
 - /tmp/start.sh
 volumeMounts:
+ - mountPath: /sys/fs/cgroup
+ name: host-sys-fs-cgroup
+ readOnly: true
+ - mountPath: /run
+ name: pod-run
+ - mountPath: /run/lock
+ name: pod-run-lock
+ - mountPath: /tmp
+ name: pod-tmp
 - name: maas-region-secret
 mountPath: /var/lib/maas/secret
 subPath: REGION_SECRET
@@ -104,6 +114,15 @@ spec:
 {{- end }}
 {{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }}
 volumes:
+ - name: host-sys-fs-cgroup
+ hostPath:
+ path: /sys/fs/cgroup
+ - name: pod-run
+ emptyDir: {}
+ - name: pod-run-lock
+ emptyDir: {}
+ - name: pod-tmp
+ emptyDir: {}
 - name: maas-etc
 configMap:
 name: maas-etc
diff --git a/images/maas-rack-controller/Dockerfile b/images/maas-rack-controller/Dockerfile
index 9bdf0a5..12c8695 100644
--- a/images/maas-rack-controller/Dockerfile
+++ b/images/maas-rack-controller/Dockerfile
@@ -45,5 +45,9 @@ RUN systemctl enable register-rack-controller.service
 RUN mv /usr/sbin/tcpdump /usr/bin/tcpdump
 RUN ln -s /usr/bin/tcpdump /usr/sbin/tcpdump
+COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
+RUN mkdir -p /etc/systemd/system/basic.target.wants ;\
+ ln -s /etc/systemd/system/journalctl-to-tty.service /etc/systemd/system/basic.target.wants/journalctl-to-tty.service
+
 
 # initalize systemd
-CMD ["/sbin/init"]
+CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
diff --git a/images/maas-rack-controller/scripts/journalctl-to-tty.service b/images/maas-rack-controller/scripts/journalctl-to-tty.service
new file mode 100644
index 0000000..2725055
--- /dev/null
+++ b/images/maas-rack-controller/scripts/journalctl-to-tty.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Journald console log streamer
+Requires=systemd-journald.service
+After=systemd-journald.service
+
+[Service]
+Restart=always
+RestartSec=0
+ExecStart=/bin/journalctl -f
+StandardOutput=tty
+
+[Install]
+WantedBy=basic.target
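Review bot: The new wants symlink is created by hand (`RUN mkdir -p … ;\` followed by `ln -s …`) although this Dockerfile already enables units the systemd way, as the `RUN systemctl enable register-rack-controller.service` context line at the top of the hunk shows; `RUN systemctl enable journalctl-to-tty.service` after the COPY would honour the unit's `[Install] WantedBy=basic.target` and create the same link without hard-coding the target directory. The `;\` also means the `ln -s` runs even when `mkdir` fails, whereas `&& \` would fail the build at the first error. The region Dockerfile hunk (@@ -62,5) has the same two points.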
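Review bot: `Restart=always` together with `RestartSec=0` respawns `journalctl -f` with no delay whenever it exits (for example while the tty is not yet usable), so a persistent failure becomes a hot loop until systemd's start-rate limit marks the unit failed and the log stream silently stops; `RestartSec=1`, or simply omitting the line to take the default, keeps the restart without the spin. It is also worth recording, in a comment in the unit or in the commit message, that this deliberately widens the audience of the journal: everything any unit logs now reaches the pod log, which is readable by any principal with `pods/log` access, rather than staying in the container's journal, which by default only root and the journal groups can read. The same unit is committed twice with identical content (blob 2725055) at `images/maas-rack-controller/scripts/` and at the root of `images/maas-region-controller/`; one shared copy, or at least the same relative path, would keep the two from drifting apart.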
diff --git a/images/maas-region-controller/Dockerfile b/images/maas-region-controller/Dockerfile
index 4c26e87..66f6bd5 100644
--- a/images/maas-region-controller/Dockerfile
+++ b/images/maas-region-controller/Dockerfile
@@ -62,5 +62,9 @@ RUN cd /usr/lib/python3/dist-packages/maasserver && patch compose_preseed.py < /
 RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.3_route.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver/models/signals && patch interfaces.py < /tmp/2.3_recursion_fix.patch
+COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
+RUN mkdir -p /etc/systemd/system/basic.target.wants ;\
+ ln -s /etc/systemd/system/journalctl-to-tty.service /etc/systemd/system/basic.target.wants/journalctl-to-tty.service
+
 
 # initalize systemd
-CMD ["/sbin/init"]
+CMD ["/bin/bash", "-c", "exec /sbin/init --log-target=console 3>&1"]
diff --git a/images/maas-region-controller/journalctl-to-tty.service b/images/maas-region-controller/journalctl-to-tty.service
new file mode 100644
index 0000000..2725055
--- /dev/null
+++ b/images/maas-region-controller/journalctl-to-tty.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Journald console log streamer
+Requires=systemd-journald.service
+After=systemd-journald.service
+
+[Service]
+Restart=always
+RestartSec=0
+ExecStart=/bin/journalctl -f
+StandardOutput=tty
+
+[Install]
+WantedBy=basic.target