app-admin/etcd-wrapper: use docker for the etcd service

Since rkt is deprecated we need to run the etcd container with Docker or Podman. The etcd-wrapper script is based on rkt arguments and can't be used in a compatible way but we cannot remove it since ct explicitly uses it in the ExecStart directive when writing out a drop-in file once etcd settings are given in a Container Linux Config. A better way to run the Flannel/etcd container image is Podman because Flannel depends on etcd but wants to be run before Docker so that it can set up the Docker networking. Etcd and Flannel are part of the Container Linux Config specification and thus can't be removed easily. For now we have to resort to running these services with Docker and try to restart Docker for the Flannel options to take effect.
2025-08-18 21:11:08 +02:00 · 2021-02-22 12:42:03 +01:00 · 2021-02-22 12:42:03 +01:00 · a8f035c848
commit a8f035c848
parent 37309215b2
3 changed files with 28 additions and 88 deletions
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/etcd-wrapper/etcd-wrapper-3.3.25.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/etcd-wrapper/etcd-wrapper-3.3.25.ebuild
@ -14,7 +14,8 @@ IUSE=""
 SLOT=0

 DEPEND=""
-RDEPEND=">=app-emulation/rkt-1.9.1[rkt_stage1_fly]"
+
+RDEPEND=">=app-admin/sdnotify-proxy-0.1.0"

 S=${WORKDIR}

--- a/sdk_container/src/third_party/coreos-overlay/app-admin/etcd-wrapper/files/etcd-member.service
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/etcd-wrapper/files/etcd-member.service
@ -8,21 +8,22 @@ Conflicts=etcd2.service

 [Service]
 Type=notify
-Restart=on-failure
+NotifyAccess=all
+Restart=always
 RestartSec=10s
 TimeoutStartSec=0
 LimitNOFILE=40000

+Environment="ETCD_IMAGE_URL=quay.io/coreos/etcd"
 Environment="ETCD_IMAGE_TAG=@ETCD_IMAGE_TAG@"
 Environment="ETCD_NAME=%m"
 Environment="ETCD_USER=etcd"
 Environment="ETCD_DATA_DIR=/var/lib/etcd"
-Environment="RKT_RUN_ARGS=--uuid-file-save=/var/lib/flatcar/etcd-member-wrapper.uuid"
+Environment="ETCD_SSL_DIR=/etc/ssl/certs"

-ExecStartPre=/usr/bin/mkdir --parents /var/lib/flatcar
-ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/lib/flatcar/etcd-member-wrapper.uuid
 ExecStart=/usr/lib/flatcar/etcd-wrapper $ETCD_OPTS
-ExecStop=-/usr/bin/rkt stop --uuid-file=/var/lib/flatcar/etcd-member-wrapper.uuid
+ExecStop=/usr/bin/docker stop etcd-member
+ExecStopPost=/usr/bin/docker rm etcd-member

 [Install]
 WantedBy=multi-user.target
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/etcd-wrapper/files/etcd-wrapper
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/etcd-wrapper/files/etcd-wrapper
@ -1,87 +1,25 @@
-#!/usr/bin/bash -e
-# Wrapper for launching etcd via rkt.
-#
-# Make sure to set ETCD_IMAGE_TAG to an image tag published here:
-# https://quay.io/repository/coreos/etcd?tab=tags Alternatively,
-# override ETCD_IMAGE to a custom image.
-
-function require_ev_all() {
-	for rev in $@ ; do
-		if [[ -z "${!rev}" ]]; then
-			echo ${rev} is not set
-			exit 1
-		fi
-	done
-}
-
-function require_ev_one() {
-	for rev in $@ ; do
-		if [[ ! -z "${!rev}" ]]; then
-			return
-		fi
-	done
-	echo One of $@ must be set
-	exit 1
-}
-
-require_ev_one ETCD_IMAGE ETCD_IMAGE_TAG
-require_ev_all ETCD_USER ETCD_DATA_DIR
-
-ETCD_IMAGE_URL="${ETCD_IMAGE_URL:-docker://quay.io/coreos/etcd}"
-ETCD_IMAGE="${ETCD_IMAGE:-${ETCD_IMAGE_URL}:${ETCD_IMAGE_TAG}}"
-
-if [[ "${ETCD_IMAGE%%/*}" == "quay.io" ]] && ! (echo "${RKT_RUN_ARGS}" | grep -q trust-keys-from-https); then
-	RKT_RUN_ARGS="${RKT_RUN_ARGS} --trust-keys-from-https"
-elif [[ "${ETCD_IMAGE%%/*}" == "docker:" ]] && ! (echo "${RKT_RUN_ARGS}" | grep -q insecure-options); then
-	RKT_RUN_ARGS="${RKT_RUN_ARGS} --insecure-options=image"
-fi
-
-if [[ ! -e "${ETCD_DATA_DIR}" ]]; then
-	mkdir --parents "${ETCD_DATA_DIR}"
-	chown "${ETCD_USER}" "${ETCD_DATA_DIR}"
-fi
+#!/bin/bash
+# The "etcd-wrapper" script can't be deleted because ct overwrites
+# the ExecStart directive with etcd-wrapper. Do the new action of
+# ExecStart here.
+set -e

 # Do not pass ETCD_DATA_DIR through to the container. The default path,
 # /var/lib/etcd is always used inside the container.
 etcd_data_dir="${ETCD_DATA_DIR}"
 ETCD_DATA_DIR="/var/lib/etcd"
-
-ETCD_SSL_DIR="${ETCD_SSL_DIR:-/etc/ssl/certs}"
-
-SYSTEMD_SYSTEM_DIR_SRC="${SYSTEMD_SYSTEM_DIR_SRC:-/run/systemd/system}"
-if [[ -d "${SYSTEMD_SYSTEM_DIR_SRC}" ]]; then
-	RKT_RUN_ARGS="${RKT_RUN_ARGS} \
-		--mount volume=coreos-systemd-dir,target=/run/systemd/system \
-		--volume coreos-systemd-dir,kind=host,source=${SYSTEMD_SYSTEM_DIR_SRC},readOnly=true \
-	"
-fi
-
-if [[ -S "${NOTIFY_SOCKET}" ]]; then
-	RKT_RUN_ARGS="${RKT_RUN_ARGS} \
-		--mount volume=coreos-notify,target=/run/systemd/notify \
-		--volume coreos-notify,kind=host,source=${NOTIFY_SOCKET} \
-		--set-env=NOTIFY_SOCKET=/run/systemd/notify \
-	"
-fi
-
-RKT="${RKT:-/usr/bin/rkt}"
-RKT_STAGE1_ARG="${RKT_STAGE1_ARG:---stage1-from-dir=stage1-fly.aci}"
-set -x
-exec ${RKT} ${RKT_GLOBAL_ARGS} \
-	run ${RKT_RUN_ARGS} \
-	--volume coreos-data-dir,kind=host,source="${etcd_data_dir}",readOnly=false \
-	--volume coreos-etc-ssl-certs,kind=host,source="${ETCD_SSL_DIR}",readOnly=true \
-	--volume coreos-usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
-	--volume coreos-etc-hosts,kind=host,source=/etc/hosts,readOnly=true \
-	--volume coreos-etc-resolv,kind=host,source=/etc/resolv.conf,readOnly=true \
-	--mount volume=coreos-data-dir,target=/var/lib/etcd \
-	--mount volume=coreos-etc-ssl-certs,target=/etc/ssl/certs \
-	--mount volume=coreos-usr-share-certs,target=/usr/share/ca-certificates \
-	--mount volume=coreos-etc-hosts,target=/etc/hosts  \
-	--mount volume=coreos-etc-resolv,target=/etc/resolv.conf  \
-	--inherit-env \
-	${RKT_STAGE1_ARG} \
-	${ETCD_IMAGE} \
-		${ETCD_IMAGE_ARGS} \
-		--user=$(id -u "${ETCD_USER}") \
-		-- "$@"
+mkdir -p ${etcd_data_dir}
+chown -R etcd:etcd ${etcd_data_dir}
+chmod 700 ${etcd_data_dir}
+# A better way to run the Flannel/etcd container image is Podman because
+# Flannel depends on etcd but wants to be run before Docker so that it
+# can set up the Docker networking. Etcd and Flannel are part of the
+# Container Linux Config specification and thus can't be dropped easily.
+# For now we have to resort to running these services with Docker and try
+# to restart Docker for the Flannel options to take effect.
+/usr/bin/docker stop etcd-member || true
+/usr/bin/docker rm -f etcd-member || true
+# set umask so that sdnotify-proxy creates /run/etcd-notify with the same relaxed permissions as NOTIFY_SOCKET (/run/systemd/notify) normally has, to allow ETCD_USER to write to it
+umask 000
+# mapping only /run/etcd-notify does not work and we use the full /run, also we must set NOTIFY_SOCKET in the container but use the original for /usr/libexec/sdnotify-proxy
+/usr/libexec/sdnotify-proxy /run/etcd-notify /usr/bin/docker run --name etcd-member --network=host --ipc=host -u $(id -u ${ETCD_USER}):$(id -g ${ETCD_USER}) -v /run:/run -v /usr/share/ca-certificates:/usr/share/ca-certificates:ro -v ${etcd_data_dir}:/var/lib/etcd:rw -v ${ETCD_SSL_DIR}:/etc/ssl/certs:ro --env-file <(env; echo PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; echo NOTIFY_SOCKET=/run/etcd-notify) --entrypoint /usr/local/bin/etcd ${ETCD_IMAGE:-${ETCD_IMAGE_URL}:${ETCD_IMAGE_TAG}} "$@"