capi: support Flatcar Container Linux #248
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
@dongsupark: GitHub didn't allow me to request PR reviews from the following users: vbatts, t-lo. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Welcome @dongsupark! |
k8s-ci-robot
added
the
size/XL
|
/assign @vincepri |
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
cncf-cla: no
|
Signed. Can we re-evaluate please? |
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
the
needs-rebase
dongsupark
force-pushed
the
dongsu/capi-flatcar
branch
from
9e35bd9 to
15c3800
Compare
k8s-ci-robot
added
do-not-merge/invalid-commit-message
dongsupark
force-pushed
the
dongsu/capi-flatcar
branch
from
15c3800 to
9737ee3
Compare
k8s-ci-robot
removed
the
do-not-merge/invalid-commit-message
|
Rebased, and added AWS AMI support. |
images/capi/id_rsa
Outdated
| @@ -0,0 +1,27 @@ | |||
| -----BEGIN RSA PRIVATE KEY----- | |||
| MIIEogIBAAKCAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzI | |||
There was a problem hiding this comment.
@dongsupark was this checked in by mistake?
There was a problem hiding this comment.
No, the key is exactly the same key as the vagrant insecure ssh key.
It is needed for vagrant tests.
Now I am thinking, it might be better to rename the key to a descriptive name, e.g. vagrant-insecure-key.
| make FLATCAR_CHANNEL="$channel" FLATCAR_VERSION="$release" \ | ||
| build-${CAPI_PROVIDER}-flatcar | ||
| run_vagrant | ||
| elif [[ ${CAPI_PROVIDER} = "aws" ]] || [[ ${CAPI_PROVIDER} = "ami" ]]; then |
There was a problem hiding this comment.
any plans to add the same support for azure?
There was a problem hiding this comment.
Sure, we can add Azure support in the future.
Before that, I would like to get some feedback from maintainers about the current PR, to make sure we are doing in the right direction.
There was a problem hiding this comment.
Renamed the ssh key file to vagrant-insecure-key.
There was a problem hiding this comment.
Okay, a lot to go over here, so I'm sure it will take a few rounds and some experimentation...
This is exciting to see Flatcar come in, and I'm really happy to see it making progress. I think the main stumbling blocks i see is the stuff around setting gather_facts to False for Ansible, and trying to set some default facts directly. As this PR currently stands, it's going to break the majority of existing builds (it will break all OVAs, All AMIs, and basically everything but Flatcar as far as I can tell). So that's the big thing we'll have to sort out.
On the templating side, there are several that are copied with a flatcar specific version that I think can remain as a single template and just use conditional to avoid having to change things int wo places.
Seeing this work is making me raise the priority of some other changes that are planned, that will make adding additional OS's to the AMI and QEMU builders easier. Thanks for this!
images/capi/ansible/roles/containerd/templates/etc/containerd/config-flatcar.toml
Outdated
Show resolved
Hide resolved
| LimitNOFILE=1048576 | ||
| LimitNPROC=infinity | ||
| LimitCORE=infinity | ||
| TasksMax=infinity |
There was a problem hiding this comment.
I think you mentioned that Flatcar ships with containerd. Is there not already a unit file present for it? I'm concerned about there being confusion or conflicts between this and the additional drop-ins that are put in place today by
image-builder/images/capi/ansible/roles/containerd/tasks/main.yml
Lines 42 to 60 in 9cf00c9
I already see one example where a specific setting is set twice (TasksMax).
There was a problem hiding this comment.
I think you mentioned that Flatcar ships with containerd. Is there not already a unit file present for it? I'm concerned about there being confusion or conflicts between this and the additional drop-ins that are put in place today...
Right. Flatcar already has built-in containerd and docker provided by torcx. It basically means that after boots it is not possible to modify any torcx artifacts, including the containerd's systemd unit file as well as the containerd config. However, we need to download containerd binary files, modify its config, so the new containerd points to the built-in gRPC socket provided by Docker. To do that, we need to install a new containerd unit file that points to a new containerd config that has path to the new containerd socket.
I admit it could look ugly, but I was not able to find a better solution.
images/capi/ansible/roles/kubernetes/files/usr/lib/systemd/system/kubelet-flatcar.service
Outdated
Show resolved
Hide resolved
|
@codenrhoden Thanks a lot for your thorough review. |
k8s-ci-robot
added
the
needs-rebase
We should be able to configure path to containerd CRI socket file, `containerd_cri_socket`, for each distro. Its main use case is to support distros with different CRI socket path, for example, `/run/docker/libcontainerd/container.sock` for Flatcar. By default it is `/var/run/containerd/containerd.sock` as it has been in all other distros. This PR is split out from kubernetes-sigs#248, as suggested by codenrhoden.
dongsupark
force-pushed
the
dongsu/capi-flatcar
branch
2 times, most recently
from
037b956 to
d56f11b
Compare
|
@codenrhoden Rebased the PR. Please have a look. |
This is a cluster-API image builder for [Flatcar Container Linux](https://www.flatcar-linux.org). On the Packer side it includes `packer/qemu/flatcar.json` and `packer/qemu/packer.json`. In `packer/config/` it also includes some other JSON files with configuration for ansible and packages installed with Ansible. On the Ansible side there's some preliminary playbook in `ansible/`.
This change adds support for building all channels of Flatcar Container Linux. It also fixes an issue that made the build fail when make was called directly instead of using the wrapper script hack/image-build-flatcar.sh. Define an env variable `CAPI_PRIVIDER`, which is `aws`, `ami` or `qemu`. Default is `qemu`. Run vagrant commands only when the provider is qemu. If it is `aws` or `ami`, run `make build-ami-default`. Otherwise fail.
We do not need to necessarily install and unpack cri-containerd tarball, if we have containerd 1.3. Simply create symlinks to existing binaries from `/usr/bin` to `/opt/bin`, and set correct paths to them. Note, it only works for containerd 1.3, current Beta (2605.3.0) and Alpha (2605.1.0). OTOH stable (2512.4.0) with containerd 1.1 does not work with this approach yet.
In case of Flatcar, if the given containerd version does not match with the running containerd version, the image-builder should fail hard. A version mismatch with the current version. So it means we need to always set a correct version from Packer side, to make the containerd installation work for Flatcar.
Also unpack `containerd-shim-runc-v[12]` binaries from the
cri-containerd-cni tarball, because Flatcar by default does not
provide the runc shim binaries. Without the shims, containerd does not
work correctly.
Also We need to create {{sysusr_prefix}}/bin before unpacking containerd
tarballs, to avoid issues happening when unpacking containerd tarballs
into non-existent directories.
We should be able to set Flatcar channels and versions via `build_name`, `FLATCAR_CHANNEL`, or `FLATCAR_VERSION`, to use also non-default channels like alpha.
We should use `build_name` as-is, to avoid issues that can happen in builds for other distros.
Since we started simply using the `build_name` variable, we do not need to have `only` directives for checking for Flatcar. Simply remove the `only` directives.
We should run bootstrap-flatcar.sh only in case of Flatcar. We need to check the if clauses in `exec_command`. It is not possible to check for the `BUILD_NAME` in `inline` or `script`.
We should not embed vagrant insecure key in the PR. Instead we simply download the keypair from the official vagrant github repo, to use them for ignition config for Flatcar. Ignition template file `ignition-builder.json` will include a pre-defined string `BUILDERSSHAUTHKEY`, which will be then replaced with the ssh public key given by Packer.
dongsupark
force-pushed
the
dongsu/capi-flatcar
branch
from
d56f11b to
3d00a5d
Compare
|
/lgtm I think this is ready to go! I'll leave this for about 24 hours or so and see if anyone has anything else to say, but I'm happy to merge and iterate. Huge effort @dongsupark! |
k8s-ci-robot
added
the
lgtm
|
/approve 🎉 🚀 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: codenrhoden, dongsupark The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest |
|
@dongsupark: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
k8s-ci-robot
added
the
ok-to-test
This is a cluster-API image builder for Flatcar Container Linux.
On the Packer side it includes
packer/qemu/qemu-flatcar.jsonandpacker/qemu/packer.json. Inpacker/config/it also includes some other JSON files with configuration for ansible and packages installed with Ansible.On the Ansible side there's some preliminary playbook in
ansible/.notes
images/capi/ansible/roles/setup/tasks/bootstrap-flatcar.ymlinstalls python under/opt.images/capi/ansible/roles/kubernetes/tasks/url.ymlinstalls artificts of Kubernetes and CNI under/optand/etc, mainly because/usris read-only in Flatcar./run/docker/libcontainerd/docker-containerd.sock.kubeadm config images pull,/opt/bin/ctr images importas well as in/etc/crictl.yaml./etc/kubeadm.ymlfor Flatcar, because later steps runningkubeadm initrequire the config to be in place.TODOs
/cc @vbatts @t-lo @dims @detiber @codenrhoden