Change Flatcar kubelet.service container from rkt to docker

* Use docker to run the `kubelet.service` container
* Update Kubelet mounts to match Fedora CoreOS
* Remove unused `/etc/ssl/certs` mount (see
  https://github.com/poseidon/typhoon/pull/810)
* Remove unused `/usr/share/ca-certificates` mount
* Remove `/etc/resolv.conf` mount, Docker default is ok
* Change `delete-node.service` to use docker instead of rkt
  and inline ExecStart, as was done on Fedora CoreOS
* Fix permission denied on shutdown `delete-node`, caused
  by the kubeconfig mount changing with the introduction of
  node TLS bootstrap

Background

* podman, rkt, and runc daemonless container process runners
  provide advantages over the docker daemon for system containers.
  Docker requires workarounds for use in systemd units where the
  ExecStart must tail logs so systemd can monitor the daemonized
  container. https://github.com/moby/moby/issues/6791
* Why switch then? On Flatcar Linux, podman isn't shipped. rkt
  works, but isn't developing while container standards continue
  to move forward. Typhoon has used runc for the Kubelet runner
  before in Fedora Atomic, but it's more low-level. So we're left
  with Docker, which is less than ideal, but shipped in Flatcar
* Flatcar Linux appears to be shifting system components to
  use docker, which does provide some limited guards against
  breakages (e.g. Flatcar cannot enable docker live restore)

2020-10-19 07:51:25 +02:00

---
systemd:
  units:
    - name: docker.service
      enabled: true
    - name: locksmithd.service
      mask: true
    - name: kubelet.path
      enabled: true
      contents: |
        [Unit]
        Description=Watch for kubeconfig
        [Path]
        PathExists=/etc/kubernetes/kubeconfig
        [Install]
        WantedBy=multi-user.target
    - name: wait-for-dns.service
      enabled: true
      contents: |
        [Unit]
        Description=Wait for DNS entries
        Wants=systemd-resolved.service
        Before=kubelet.service
        [Service]
        Type=oneshot
        RemainAfterExit=true
        ExecStart=/bin/sh -c 'while ! /usr/bin/grep '^[^#[:space:]]' /etc/resolv.conf > /dev/null; do sleep 1; done'
        [Install]
        RequiredBy=kubelet.service
    - name: kubelet.service
      contents: |
        [Unit]
        Description=Kubelet
        Requires=docker.service
        After=docker.service
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.20.5
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
        ExecStartPre=/bin/mkdir -p /var/lib/calico
        ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins
        ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt"
        # Podman, rkt, or runc run container processes, whereas docker run
        # is a client to a daemon and requires workarounds to use within a
        # systemd unit. https://github.com/moby/moby/issues/6791
        ExecStartPre=/usr/bin/docker run -d \
          --name kubelet \
          --privileged \
          --pid host \
          --network host \
          -v /etc/kubernetes:/etc/kubernetes:ro \
          -v /etc/machine-id:/etc/machine-id:ro \
          -v /usr/lib/os-release:/etc/os-release:ro \
          -v /lib/modules:/lib/modules:ro \
          -v /run:/run \
          -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
          -v /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd \
          -v /var/lib/calico:/var/lib/calico:ro \
          -v /var/lib/docker:/var/lib/docker \
          -v /var/lib/kubelet:/var/lib/kubelet:rshared \
          -v /var/log:/var/log \
          -v /opt/cni/bin:/opt/cni/bin \
          $${KUBELET_IMAGE} \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --client-ca-file=/etc/kubernetes/ca.crt \
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --healthz-port=0 \
          --hostname-override=${domain_name} \
          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/node \
          %{~ for label in compact(split(",", node_labels)) ~}
          --node-labels=${label} \
          %{~ endfor ~}
          %{~ for taint in compact(split(",", node_taints)) ~}
          --register-with-taints=${taint} \
          %{~ endfor ~}
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStart=docker logs -f kubelet
        ExecStop=docker stop kubelet
        ExecStopPost=docker rm kubelet
        Restart=always
        RestartSec=5
        [Install]
        WantedBy=multi-user.target

storage:
  directories:
    - path: /etc/kubernetes
      filesystem: root
      mode: 0755
  files:
    - path: /etc/hostname
      filesystem: root
      mode: 0644
      contents:
        inline:
          ${domain_name}
    - path: /etc/sysctl.d/max-user-watches.conf
      filesystem: root
      mode: 0644
      contents:
        inline: |
          fs.inotify.max_user_watches=16184

passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ${ssh_authorized_key}
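As an added example (not Typhoon's own code), the Python script below audits the docker-run line of the kubelet.service unit above: it joins the backslash-continued `ExecStartPre=/usr/bin/docker run -d` command, strips the Terraform `%{~ for ... ~}` / `%{~ endfor ~}` directives, separates the docker options and `-v` mounts from the image reference, and checks the kubelet hardening flags the unit sets (`--anonymous-auth=false`, `--authorization-mode=Webhook`, `--read-only-port=0`, `--healthz-port=0`, `--rotate-certificates`, plus the presence of `--client-ca-file`, `--bootstrap-kubeconfig` and `--kubeconfig`). The policy table, the `VALUE_OPTS` set of docker options that consume a value, the function names, the trimmed unit text embedded as input and the constructed weak variant are all assumptions of this example. It also lists host paths mounted into the container without `:ro`; with `--privileged` and `--pid host` those writable mounts are the parts of the host the kubelet container can change, so they are worth reviewing whenever the mount list is edited.

```python
"""Audit kubelet hardening flags and host mounts in a kubelet.service unit (added
example, not Typhoon's code): join the backslash-continued docker-run ExecStartPre,
drop the Terraform %{~ ... ~} directives, then check the flags after the image."""
import re
import shlex

# Constructed input: the docker-run part of the kubelet.service unit above,
# trimmed, with the Terraform directives left in as they appear in the source.
UNIT = r"""
ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt"
ExecStartPre=/usr/bin/docker run -d \
  --name kubelet \
  --privileged \
  --pid host \
  --network host \
  -v /etc/kubernetes:/etc/kubernetes:ro \
  -v /run:/run \
  -v /var/lib/kubelet:/var/lib/kubelet:rshared \
  $${KUBELET_IMAGE} \
  --anonymous-auth=false \
  --authorization-mode=Webhook \
  --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
  --client-ca-file=/etc/kubernetes/ca.crt \
  --healthz-port=0 \
  --kubeconfig=/var/lib/kubelet/kubeconfig \
  %{~ for label in compact(split(",", node_labels)) ~}
  --node-labels=${label} \
  %{~ endfor ~}
  --read-only-port=0 \
  --rotate-certificates \
  --volume-plugin-dir=/var/lib/kubelet/volumeplugins
ExecStart=docker logs -f kubelet
"""
TEMPLATE = re.compile(r"%\{.*?\}")  # Terraform %{~ for ... ~} / %{~ endfor ~} directives
VALUE_OPTS = {"--name", "--pid", "--network", "-v", "--volume", "-e", "--env"}
POLICY = {"anonymous-auth": "false", "authorization-mode": "Webhook",
          "read-only-port": "0", "healthz-port": "0", "rotate-certificates": "true"}
REQUIRED = ("client-ca-file", "bootstrap-kubeconfig", "kubeconfig")


def exec_directives(unit):
    """Return (key, value) for each Exec*= line, with backslash continuations joined."""
    out, buf = [], None
    for raw in unit.splitlines():
        line = TEMPLATE.sub("", raw).strip()
        if not line or line.startswith("#") or (buf is None and not line.startswith("Exec")):
            continue
        buf = line if buf is None else buf + " " + line
        if buf.endswith("\\"):
            buf = buf[:-1].rstrip()  # continuation: keep accumulating
        else:
            key, _, value = buf.partition("=")
            out.append((key, value))
            buf = None
    return out


def parse_docker_run(value):
    """Split `docker run ...` into (mounts, image, args after the image), else None."""
    argv = shlex.split(value)
    if "run" not in argv[:2]:
        return None
    mounts, i = [], argv.index("run") + 1
    while i < len(argv) and argv[i].startswith("-"):
        if argv[i] in ("-v", "--volume"):
            mounts.append(argv[i + 1])
        i += 2 if argv[i] in VALUE_OPTS else 1  # value-taking vs boolean docker option
    return (mounts, argv[i], argv[i + 1:]) if i < len(argv) else None


def audit(unit):
    """Return (policy findings, host paths mounted without :ro); [] findings = pass."""
    findings, writable = [], []
    for key, value in exec_directives(unit):
        parsed = parse_docker_run(value) if key == "ExecStartPre" else None
        if parsed is None:
            continue
        mounts, _image, args = parsed
        flags = {}  # --name=value / --name -> {name: [values]}; bare flags count as "true"
        for tok in args:
            if tok.startswith("--"):
                name, _, val = tok[2:].partition("=")
                flags.setdefault(name, []).append(val or "true")
        for name, want in POLICY.items():
            got = flags.get(name, [None])[-1]  # take the last occurrence
            if got != want:
                findings.append(f"--{name}: want {want}, got {got}")
        findings += [f"--{name}: missing" for name in REQUIRED if name not in flags]
        for m in mounts:  # -v src:dst[:opts]; writable unless opts include ro
            opts = m.split(":")[2].split(",") if m.count(":") == 2 else []
            if "ro" not in opts:
                writable.append(m)
    return findings, writable


# Constructed weak variant: anonymous auth on, read-only port left at its default.
WEAK_UNIT = UNIT.replace("--anonymous-auth=false", "--anonymous-auth=true") \
                .replace("  --read-only-port=0 \\\n", "")
```

`audit(UNIT)` returns an empty findings list and two mounts to review (`/run` and `/var/lib/kubelet`, both needed by the kubelet); `audit(WEAK_UNIT)` reports the re-enabled anonymous auth and the missing `--read-only-port=0`. The same parser works on the rendered unit on a node, where the Terraform directives are already gone.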