diff --git a/Vagrantfile b/Vagrantfile
index 8d3f2bbddf0296da3f7c861d22f1c8c3167f5c48..b769199b1836bea735d07d5d3dcf971c21eb9526 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -23,6 +23,7 @@ $etcd_instances = $num_instances
 $kube_master_instances = $num_instances == 1 ? $num_instances : ($num_instances - 1)
 # All nodes are kube nodes
 $kube_node_instances = $num_instances
+$local_release_dir = "/vagrant/temp"
 
 host_vars = {}
 
@@ -97,7 +98,7 @@ Vagrant.configure("2") do |config|
         "ip": ip,
         "flannel_interface": ip,
         "flannel_backend_type": "host-gw",
-        "local_release_dir": "/vagrant/temp",
+        "local_release_dir" => $local_release_dir,
         "download_run_once": "False",
         # Override the default 'calico' with flannel.
         # inventory/group_vars/k8s-cluster.yml
diff --git a/docs/atomic.md b/docs/atomic.md
new file mode 100644
index 0000000000000000000000000000000000000000..cb506a9f3d24b9244b698b980277cdb2d9f7c106
--- /dev/null
+++ b/docs/atomic.md
@@ -0,0 +1,22 @@
+Atomic host bootstrap
+=====================
+
+Atomic host testing has been done with the network plugin flannel. Change the inventory var `kube_network_plugin: flannel`.
+
+Note: Flannel is the only plugin that has currently been tested with atomic
+
+### Vagrant
+
+* For bootstrapping with Vagrant, use box centos/atomic-host
+* Update VagrantFile variable `local_release_dir` to `/var/vagrant/temp`.
+* Update `vm_memory = 2048` and `vm_cpus = 2`
+* Networking on vagrant hosts has to be brought up manually once they are booted.
+
+  ```
+  vagrant ssh
+  sudo /sbin/ifup enp0s8
+  ```
+
+* For users of vagrant-libvirt download qcow2 format from https://wiki.centos.org/SpecialInterestGroup/Atomic/Download/
+
+Then you can proceed to [cluster deployment](#run-deployment)
\ No newline at end of file
diff --git a/docs/vars.md b/docs/vars.md
index b763f6a34f82744d19569bed17e639de05221f13..966b3ffc831e77ec52f243efaaa14de9e4d12655 100644
--- a/docs/vars.md
+++ b/docs/vars.md
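Review bot: The rewritten host_vars entry changes key syntax: `"local_release_dir" => $local_release_dir` makes a String key, while the neighbouring `"ip": ip` and `"download_run_once": "False"` entries use the `"key":` form, which in Ruby produces a Symbol key, so the hash now mixes Symbol and String keys. It will presumably still be written into the generated inventory, but it reads as an accident; `"local_release_dir": $local_release_dir,` keeps it consistent with its siblings. The host_vars literal this line sits in starts and ends outside the hunk. Separately, the new docs/atomic.md tells users to set this variable to `/var/vagrant/temp` while the default introduced here is `/vagrant/temp`; either the two should agree or the doc should say why atomic differs.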
@@ -102,4 +102,3 @@ Stack](https://github.com/kubernetes-incubator/kargo/blob/master/docs/dns-stack.
 Kargo sets up two Kubernetes accounts by default: ``root`` and ``kube``. Their passwords default to changeme. You can set this by changing ``kube_api_pwd``.
-
diff --git a/roles/bootstrap-os/tasks/main.yml b/roles/bootstrap-os/tasks/main.yml
index 7f135557776f7c0004737761136a6ab8c3ab458a..4adefb39448bc5cd0392298960cd1236d8292a04 100644
--- a/roles/bootstrap-os/tasks/main.yml
+++ b/roles/bootstrap-os/tasks/main.yml
@@ -8,4 +8,12 @@
 - include: bootstrap-centos.yml
   when: bootstrap_os == "centos"
 
-- include: setup-pipelining.yml
\ No newline at end of file
+- include: setup-pipelining.yml
+
+- name: check if atomic host
+  stat:
+    path: /run/ostree-booted
+  register: ostree
+
+- set_fact:
+    is_atomic: "{{ ostree.stat.exists }}"
\ No newline at end of file
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 3e7b342f2248709045375b6d852122e009c4f47a..cdfae82421bd96cbe2fb04854efc5262ba52c0c5 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -38,7 +38,7 @@
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
   with_items: "{{ docker_repo_key_info.repo_keys }}"
-  when: not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic)
 
 - name: ensure docker repository is enabled
   action: "{{ docker_repo_info.pkg_repo }}"
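Review bot: `is_atomic` is only ever defined by this set_fact (and its copy in roles/kubernetes/preinstall/tasks/set_facts.yml), yet the new conditions in roles/docker/tasks/main.yml, roles/docker/tasks/systemd.yml, roles/etcd/meta/main.yml, roles/kernel-upgrade/tasks/main.yml and roles/kubernetes/preinstall/meta/main.yml reference it bare, so any run that does not execute bootstrap-os first (a tag selection, a playbook that omits the role) fails with an undefined-variable error instead of skipping. Either give the fact a role default (`is_atomic: false`) or write the consumers as `is_atomic | default(false)`. Detecting the host here and again in set_facts.yml is duplicated logic that will drift; one detection point plus defaulted lookups would be enough. The bare `- set_fact:` task should carry a `name:` like the stat task above it so it is identifiable in play output, and the file loses its trailing newline in this change.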
@@ -46,13 +46,13 @@
     repo: "{{item}}"
     state: present
   with_items: "{{ docker_repo_info.repos }}"
-  when: (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]) and (docker_repo_info.repos|length > 0)
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_repo_info.repos|length > 0)
 
 - name: Configure docker repository on RedHat/CentOS
   template:
     src: "rh_docker.repo.j2"
     dest: "/etc/yum.repos.d/docker.repo"
-  when: ansible_distribution in ["CentOS","RedHat"]
+  when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
 
 - name: ensure docker packages are installed
   action: "{{ docker_package_info.pkg_mgr }}"
@@ -66,7 +66,7 @@
   delay: "{{ retry_stagger | random + 3 }}"
   with_items: "{{ docker_package_info.pkgs }}"
   notify: restart docker
-  when: (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]) and (docker_package_info.pkgs|length > 0)
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0)
 
 - name: check minimum docker version for docker_dns mode. You need at least docker version >= 1.12 for resolvconf_mode=docker_dns
   command: "docker version -f '{{ '{{' }}.Client.Version{{ '}}' }}'"
diff --git a/roles/docker/tasks/systemd.yml b/roles/docker/tasks/systemd.yml
index 18710ac4983e280a5a16b655eab87afdc97a09bb..1275de5d73041c90eef0317d986773766bd616be 100644
--- a/roles/docker/tasks/systemd.yml
+++ b/roles/docker/tasks/systemd.yml
@@ -15,7 +15,14 @@
     src: docker.service.j2
     dest: /etc/systemd/system/docker.service
   register: docker_service_file
-  when: not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic)
+
+- name: Write docker.service systemd file for atomic
+  template:
+    src: docker_atomic.service.j2
+    dest: /etc/systemd/system/docker.service
+  notify: restart docker
+  when: is_atomic
 
 - name: Write docker options systemd drop-in
   template:
diff --git a/roles/docker/templates/docker-dns.conf.j2 b/roles/docker/templates/docker-dns.conf.j2
index 01dbd3b20b973782c46cf1b2e674921f86acfabb..d501a19c07e17854accc9b2312d7d455bd79a4b8 100644
--- a/roles/docker/templates/docker-dns.conf.j2
+++ b/roles/docker/templates/docker-dns.conf.j2
@@ -3,4 +3,4 @@ Environment="DOCKER_DNS_OPTIONS=\
 {% for d in docker_dns_servers %}--dns {{ d }} {% endfor %} \
 {% for d in docker_dns_search_domains %}--dns-search {{ d }} {% endfor %} \
 {% for o in docker_dns_options %}--dns-opt {{ o }} {% endfor %} \
-"
+"
\ No newline at end of file
diff --git a/roles/docker/templates/docker-options.conf.j2 b/roles/docker/templates/docker-options.conf.j2
index 50356a9f41f40bd678f6ee2091679977b805720f..01279589820d38cd893e5e8fa85c06b1499ca07c 100644
--- a/roles/docker/templates/docker-options.conf.j2
+++ b/roles/docker/templates/docker-options.conf.j2
@@ -1,2 +1,2 @@
 [Service]
-Environment="DOCKER_OPTS={% if docker_options is defined %}{{ docker_options }}{% endif %}"
+Environment="DOCKER_OPTS={% if docker_options is defined %}{{ docker_options }}{% endif %}"
\ No newline at end of file
diff --git a/roles/docker/templates/docker_atomic.service.j2 b/roles/docker/templates/docker_atomic.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..ba37bf4c338f00899746686b6d900245f80be27f
--- /dev/null
+++ b/roles/docker/templates/docker_atomic.service.j2
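Review bot: The new atomic task writes the same `/etc/systemd/system/docker.service` path as the task above it but omits `register: docker_service_file`, so anything later in this file that keys off `docker_service_file.changed` (the non-atomic task registers it for a reason) will only see the skipped result on atomic hosts and presumably never fire; add `register: docker_service_file` to the new task. The two tasks also differ in that only the atomic one carries `notify: restart docker`; if a unit change needs a restart, the non-atomic task needs the notify as well, otherwise a comment should say why the atomic path alone restarts. Whatever consumes docker_service_file lies outside this hunk.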
@@ -0,0 +1,38 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.com
+After=network.target
+Wants=docker-storage-setup.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+EnvironmentFile=-/etc/sysconfig/docker
+EnvironmentFile=-/etc/sysconfig/docker-storage
+EnvironmentFile=-/etc/sysconfig/docker-network
+Environment=GOTRACEBACK=crash
+Environment=DOCKER_HTTP_HOST_COMPAT=1
+Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
+ExecReload=/bin/kill -s HUP $MAINPID
+Delegate=yes
+KillMode=process
+ExecStart=/usr/bin/dockerd-current \
+          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
+          --default-runtime=docker-runc \
+          --exec-opt native.cgroupdriver=systemd \
+          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
+          $DOCKER_OPTS \
+          $DOCKER_STORAGE_OPTIONS \
+          $DOCKER_NETWORK_OPTIONS \
+          $DOCKER_DNS_OPTIONS \
+          $ADD_REGISTRY \
+          $BLOCK_REGISTRY \
+          $INSECURE_REGISTRY
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+TimeoutStartSec=1min
+Restart=on-abnormal
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml
index bff76a129b0c0aba8caa819e966276a41b751004..9bd6f02a31b044013db6f2d79f215a826be8c83a 100644
--- a/roles/etcd/meta/main.yml
+++ b/roles/etcd/meta/main.yml
@@ -2,7 +2,7 @@
 dependencies:
   - role: adduser
     user: "{{ addusers.etcd }}"
-    when: not ansible_os_family in ['CoreOS', 'Container Linux by CoreOS']
+    when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] or is_atomic)
   - role: download
     file: "{{ downloads.etcd }}"
     tags: download
diff --git a/roles/kernel-upgrade/tasks/main.yml b/roles/kernel-upgrade/tasks/main.yml
index 999eb94aeb6abcb68f50c30329b81b650aa3e195..a16f0f37bbd42261300f52148f91b7bbf8909e5e 100644
--- a/roles/kernel-upgrade/tasks/main.yml
+++ b/roles/kernel-upgrade/tasks/main.yml
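Review bot: The ExecStart line expands `$DOCKER_OPTS`, `$DOCKER_STORAGE_OPTIONS`, `$ADD_REGISTRY`, `$BLOCK_REGISTRY` and `$INSECURE_REGISTRY` but not `$OPTIONS`, which is the variable the stock `/etc/sysconfig/docker` on CentOS/RHEL conventionally uses for daemon flags such as `--selinux-enabled`; if atomic hosts ship that file, their SELinux and log-driver flags are silently dropped unless the operator re-adds them through `docker_options`, and docs/atomic.md should say so. The registry variables go the other way: they are read from sysconfig files this role never writes, so an insecure-registry entry already present on the host takes effect without being visible in the inventory, and because EnvironmentFile= settings override Environment=, a sysconfig file that happens to define `DOCKER_OPTS` or `DOCKER_DNS_OPTIONS` would also beat the Ansible-managed drop-ins. A header comment stating this split, e.g. `# storage/network/registry flags come from the host's /etc/sysconfig/docker*; kargo only sets DOCKER_OPTS and DOCKER_DNS_OPTIONS through its drop-ins`, would make the trust boundary explicit. The template also contains no Jinja despite the .j2 suffix and is written without a trailing newline.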
@@ -2,4 +2,4 @@
 
 - include: centos-7.yml
   when: ansible_distribution in ["CentOS","RedHat"] and
-        ansible_distribution_major_version >= 7
+        ansible_distribution_major_version >= 7 and not is_atomic
\ No newline at end of file
diff --git a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
index a965ef792ab49c230001e3ca6b0cecd8401ac2d0..2dbcf74d1e0cac10e9703e33a0513858bb158285 100644
--- a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
@@ -50,7 +50,11 @@ spec:
   volumes:
   - name: ssl-certs-host
     hostPath:
+{% if ansible_os_family == 'RedHat' %}
+      path: /etc/pki/tls
+{% else %}
       path: /usr/share/ca-certificates
+{% endif %}
   - name: "kubeconfig"
     hostPath:
       path: "{{kube_config_dir}}/node-kubeconfig.yaml"
diff --git a/roles/kubernetes/preinstall/meta/main.yml b/roles/kubernetes/preinstall/meta/main.yml
index cf440f5e222c33d9670142d4309c243fa0610bac..203d968a7f7470439b6a5b2516aa96129a416120 100644
--- a/roles/kubernetes/preinstall/meta/main.yml
+++ b/roles/kubernetes/preinstall/meta/main.yml
@@ -3,3 +3,4 @@ dependencies:
   - role: adduser
     user: "{{ addusers.kube }}"
     tags: kubelet
+    when: not is_atomic
\ No newline at end of file
diff --git a/roles/kubernetes/preinstall/tasks/main.yml b/roles/kubernetes/preinstall/tasks/main.yml
index 5b79c101d0ea9f5ccc1667502ec469147d2ed824..27e98949ddd239050e68b63b8dcf5168b533a25a 100644
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@@ -91,7 +91,7 @@
   yum:
     update_cache: yes
     name: '*'
-  when: ansible_pkg_mgr == 'yum'
+  when: ansible_pkg_mgr == 'yum' and not is_atomic
   tags: bootstrap-os
 
 - name: Install latest version of python-apt for Debian distribs
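Review bot: The rewritten continuation line keeps `ansible_distribution_major_version >= 7`, which compares the string fact with an integer: under a Python 2 Jinja that comparison is always true and under Python 3 it raises a TypeError, so the version gate does not actually gate. Since the line is being touched anyway, make it `ansible_distribution_major_version|int >= 7 and not is_atomic`. The file also loses its trailing newline in this change.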
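Review bot: On RedHat-family hosts the `ssl-certs-host` volume now exposes the whole of `/etc/pki/tls`, which on those systems also contains `private/` (host private keys), whereas the Debian path only exposes a certificate directory; the CA bundle kube-proxy needs lives under `/etc/pki/tls/certs`, so point the hostPath at `/etc/pki/tls/certs` (or the bundle file itself) and make sure the matching volumeMount, which is outside this hunk, is `readOnly: true`. Note the condition is `ansible_os_family == 'RedHat'` rather than `is_atomic`, so this changes every CentOS/RHEL deployment, not only atomic hosts, which deserves a mention in the docs or commit message.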
@@ -112,7 +112,7 @@
 
 - name: Install epel-release on RedHat/CentOS
   shell: rpm -qa | grep epel-release || rpm -ivh {{ epel_rpm_download_url }}
-  when: ansible_distribution in ["CentOS","RedHat"]
+  when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
   changed_when: False
   check_mode: no
   tags: bootstrap-os
@@ -127,7 +127,7 @@
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
   with_items: "{{required_pkgs | default([]) | union(common_required_pkgs|default([]))}}"
-  when: not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic)
   tags: bootstrap-os
 
 # Todo : selinux configuration
diff --git a/roles/kubernetes/preinstall/tasks/set_facts.yml b/roles/kubernetes/preinstall/tasks/set_facts.yml
index 2481fcd7fb0e2877a1a257cd75ea9be50826a9ab..6a25c785eed23f7ab1b263b1c8ce2104c5454527 100644
--- a/roles/kubernetes/preinstall/tasks/set_facts.yml
+++ b/roles/kubernetes/preinstall/tasks/set_facts.yml
@@ -83,5 +83,17 @@
 - set_fact:
     peer_with_calico_rr: "{{ 'calico-rr' in groups and groups['calico-rr']|length > 0 }}"
 
+- name: check if atomic host
+  stat:
+    path: /run/ostree-booted
+  register: ostree
+
+- set_fact:
+    is_atomic: "{{ ostree.stat.exists }}"
+
+- set_fact:
+    kube_cert_group: "kube"
+  when: is_atomic
+
 - include: set_resolv_facts.yml
   tags: [bootstrap-os, resolvconf, facts]
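Review bot: `kube_cert_group: "kube"` is forced with set_fact, which has the highest variable precedence, so on atomic hosts any inventory or group_vars value for kube_cert_group is silently overridden; if the intent is only a different default for atomic, a role default keyed on is_atomic, or a `default()` at the consumer, keeps the variable overridable. At the same time roles/kubernetes/preinstall/meta/main.yml now skips the adduser role for the kube user on atomic, so nothing in this change guarantees that a `kube` group exists before it is used as the certificate group; a comment here naming where that group is expected to come from (presumably the base image) would help the next reader. The `check if atomic host` stat and the is_atomic set_fact duplicate roles/bootstrap-os/tasks/main.yml, and both `- set_fact:` tasks lack a `name:`.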