app-admin/flannel-wrapper: user docker for the flannel service

As rkt is deprecated, we need to run the Flannel container with Docker
or Podman. The flannel-wrapper script is based on rkt arguments and
can't be used in a compatible way but we cannot remove it since ct
explicitly uses it in the ExecStart directive when writing out a
drop-in file once flannel settings are given in a Container Linux
Config.
A better way to run the Flannel/etcd container image is Podman because
Flannel depends on etcd but wants to be run before Docker so that it
can set up the Docker networking. Etcd and Flannel are part of the
Container Linux Config specification and thus can't be removed easily.
For now we have to resort to running these services with Docker and try
to restart Docker for the Flannel options to take effect (but that also
terminates the etcd and flannel containers, causing the services to
restart).
This commit is contained in:
Kai Lüke 2021-02-24 12:13:04 +01:00
parent a8f035c848
commit f5612a8a95
4 changed files with 50 additions and 89 deletions


@ -4,18 +4,21 @@ Documentation=https://github.com/coreos/flannel
PartOf=flanneld.service PartOf=flanneld.service
Requires=flanneld.service Requires=flanneld.service
After=flanneld.service After=flanneld.service
Before=docker.service
[Service] [Service]
Type=oneshot Type=oneshot
RemainAfterExit=true
Restart=on-failure
RestartSec=5s
Environment="FLANNEL_IMAGE_URL=quay.io/coreos/flannel"
Environment="FLANNEL_IMAGE_TAG=@FLANNEL_IMAGE_TAG@" Environment="FLANNEL_IMAGE_TAG=@FLANNEL_IMAGE_TAG@"
Environment="RKT_RUN_ARGS=--uuid-file-save=/var/lib/flatcar/flannel-wrapper2.uuid" Environment="FLANNEL_CMD=/opt/bin/mk-docker-opts.sh"
Environment="FLANNEL_IMAGE_ARGS=--exec=/opt/bin/mk-docker-opts.sh" Environment="FLANNEL_CONTAINER=flannel-docker-opts"
ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/lib/flatcar/flannel-wrapper2.uuid
ExecStart=/usr/lib/flatcar/flannel-wrapper -d /run/flannel/flannel_docker_opts.env -i ExecStart=/usr/lib/flatcar/flannel-wrapper -d /run/flannel/flannel_docker_opts.env -i
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/lib/flatcar/flannel-wrapper2.uuid ExecStop=/usr/bin/docker stop flannel-docker-opts
ExecStopPost=/usr/bin/docker rm flannel-docker-opts
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
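Review bot: `ExecStop=/usr/bin/docker stop flannel-docker-opts` and `ExecStopPost=/usr/bin/docker rm flannel-docker-opts` drop the `-` prefix that the removed `rkt stop` line carried, so when the wrapper failed before reaching `docker run` (or the container was already removed) the stop action itself fails and can leave the unit in a failed state on every stop. Prefixing both with `-` (`ExecStop=-/usr/bin/docker stop flannel-docker-opts`, `ExecStopPost=-/usr/bin/docker rm flannel-docker-opts`) keeps the previous tolerance; the same applies to the two `docker stop`/`docker rm flannel` lines in flanneld.service below. The container name is also repeated literally here while the wrapper derives it from `FLANNEL_CONTAINER`, so writing `${FLANNEL_CONTAINER}` in these directives would keep the unit and the script from drifting apart.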


@ -1,86 +1,42 @@
#!/bin/bash -e #!/bin/bash
# Wrapper for launching flannel via rkt. # The "flannel-wrapper" script can't be deleted because ct overwrites
# # the ExecStart directive with flannel-wrapper. Do the new action of
# Make sure to set FLANNEL_IMAGE_TAG to an image tag published here: # ExecStart here.
# https://quay.io/repository/coreos/flannel?tab=tags Alternatively, set -e
# override FLANNEL_IMAGE to a custom image.
function require_ev_all() {
for rev in $@ ; do
if [[ -z "${!rev}" ]]; then
echo "${rev}" is not set
exit 1
fi
done
}
function require_ev_one() {
for rev in $@ ; do
if [[ ! -z "${!rev}" ]]; then
return
fi
done
echo One of $@ must be set
exit 1
}
if [[ -n "${FLANNEL_VER}" ]]; then
echo FLANNEL_VER environment variable is deprecated, please use FLANNEL_IMAGE_TAG instead
fi
if [[ -n "${FLANNEL_IMG}" ]]; then
echo FLANNEL_IMG environment variable is deprecated, please use FLANNEL_IMAGE_URL instead
fi
FLANNEL_IMAGE_TAG="${FLANNEL_IMAGE_TAG:-${FLANNEL_VER}}"
require_ev_one FLANNEL_IMAGE FLANNEL_IMAGE_TAG
FLANNEL_IMAGE_URL="${FLANNEL_IMAGE_URL:-${FLANNEL_IMG:-docker://quay.io/coreos/flannel}}"
FLANNEL_IMAGE="${FLANNEL_IMAGE:-${FLANNEL_IMAGE_URL}:${FLANNEL_IMAGE_TAG}}"
if [[ "${FLANNEL_IMAGE%%/*}" == "quay.io" ]] && ! (echo "${RKT_RUN_ARGS}" | grep -q trust-keys-from-https); then
RKT_RUN_ARGS="${RKT_RUN_ARGS} --trust-keys-from-https"
elif [[ "${FLANNEL_IMAGE%%/*}" == "docker:" ]] && ! (echo "${RKT_RUN_ARGS}" | grep -q insecure-options); then
RKT_RUN_ARGS="${RKT_RUN_ARGS} --insecure-options=image"
fi
ETCD_SSL_DIR="${ETCD_SSL_DIR:-/etc/ssl/etcd}" ETCD_SSL_DIR="${ETCD_SSL_DIR:-/etc/ssl/etcd}"
RUN_ARGS=""
if [[ -d "${ETCD_SSL_DIR}" ]]; then if [[ -d "${ETCD_SSL_DIR}" ]]; then
RKT_RUN_ARGS="${RKT_RUN_ARGS} \ RUN_ARGS="-v ${ETCD_SSL_DIR}:${ETCD_SSL_DIR}:ro"
--volume coreos-ssl,kind=host,source=${ETCD_SSL_DIR},readOnly=true \
--mount volume=coreos-ssl,target=${ETCD_SSL_DIR} \
"
fi
if [[ -S "${NOTIFY_SOCKET}" ]]; then
RKT_RUN_ARGS="${RKT_RUN_ARGS} \
--mount volume=coreos-notify,target=/run/systemd/notify \
--volume coreos-notify,kind=host,source=${NOTIFY_SOCKET} \
--set-env=NOTIFY_SOCKET=/run/systemd/notify \
"
fi fi
mkdir --parents /run/flannel mkdir --parents /run/flannel
RKT="${RKT:-/usr/bin/rkt}"
RKT_STAGE1_ARG="${RKT_STAGE1_ARG:---stage1-from-dir=stage1-fly.aci}" WRAP=""
set -x if [[ -S "${NOTIFY_SOCKET}" ]]; then
exec ${RKT} ${RKT_GLOBAL_ARGS} \ WRAP="/usr/libexec/sdnotify-proxy /run/${FLANNEL_CONTAINER}-notify"
run ${RKT_RUN_ARGS} \ fi
--net=host \
--volume coreos-run-flannel,kind=host,source=/run/flannel,readOnly=false \ # A better way to run the Flannel/etcd container image is Podman because
--volume coreos-etc-ssl-certs,kind=host,source=/etc/ssl/certs,readOnly=true \ # Flannel depends on etcd but wants to be run before Docker so that it
--volume coreos-usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \ # can set up the Docker networking. Etcd and Flannel are part of the
--volume coreos-etc-hosts,kind=host,source=/etc/hosts,readOnly=true \ # Container Linux Config specification and thus can't be dropped easily.
--volume coreos-etc-resolv,kind=host,source=/etc/resolv.conf,readOnly=true \ # For now we have to resort to running these services with Docker and try
--mount volume=coreos-run-flannel,target=/run/flannel \ # to restart Docker for the Flannel options to take effect (but that also
--mount volume=coreos-etc-ssl-certs,target=/etc/ssl/certs \ # terminates the etcd and flannel containers, causing the services to
--mount volume=coreos-usr-share-certs,target=/usr/share/ca-certificates \ # restart).
--mount volume=coreos-etc-hosts,target=/etc/hosts \ RESTART_DOCKER=0
--mount volume=coreos-etc-resolv,target=/etc/resolv.conf \ if [ "${FLANNEL_CMD}" = "/opt/bin/mk-docker-opts.sh" ] && [ "$1" = "-d" ] && [ ! -f "$2" ]; then
--inherit-env \ # only restart Docker only on first run, propagating updates on later runs was not done before in the rkt version, so keep the behavior
${RKT_STAGE1_ARG} \ # (which also helps to break the loop which otherwise exists because "restart docker" mentioned above)
${FLANNEL_IMAGE} \ RESTART_DOCKER=1
${FLANNEL_IMAGE_ARGS} \ fi
-- "$@" /usr/bin/docker stop ${FLANNEL_CONTAINER} || true
/usr/bin/docker rm -f ${FLANNEL_CONTAINER} || true
# mapping only /run/${FLANNEL_CONTAINER}-notify does not work and we map the full /run (using /run:/run covers /run/flannel, too), also we must set NOTIFY_SOCKET in the container but use the original for /usr/libexec/sdnotify-proxy
${WRAP} /usr/bin/docker run --name ${FLANNEL_CONTAINER} --privileged --network=host --ipc=host ${RUN_ARGS} -v /run:/run:rw -v /etc/ssl/certs:/etc/ssl/certs:ro -v /usr/share/ca-certificates:/usr/share/ca-certificates:ro --env-file <(env; echo PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; echo NOTIFY_SOCKET=/run/${FLANNEL_CONTAINER}-notify) --entrypoint ${FLANNEL_CMD} ${FLANNEL_IMAGE:-${FLANNEL_IMAGE_URL}:${FLANNEL_IMAGE_TAG}} "$@"
if [ "${RESTART_DOCKER}" = 1 ]; then
systemctl restart docker
echo "Restarted Docker to apply Flannel options"
fi
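Review bot: The rewritten script removes the `require_ev_one`/`require_ev_all` checks of the rkt version but reads `FLANNEL_CONTAINER`, `FLANNEL_CMD`, `FLANNEL_IMAGE_URL` and `FLANNEL_IMAGE_TAG` with no defaults and without `set -u`, so a run outside the unit reaches `docker stop`/`docker rm -f` with an empty name (masked by `|| true`) and then `docker run --name` with an empty argument. Adding `: "${FLANNEL_CONTAINER:?}" "${FLANNEL_CMD:?}"` right after `set -e` reports the missing variable by name instead. The same lines expand `${FLANNEL_CONTAINER}` and `${RUN_ARGS}` unquoted, and `RUN_ARGS` is a single string that depends on word-splitting, so an `ETCD_SSL_DIR` containing whitespace breaks the `-v` argument; an array (`RUN_ARGS=(-v "${ETCD_SSL_DIR}:${ETCD_SSL_DIR}:ro")`, expanded as `"${RUN_ARGS[@]}"`) avoids that. Note also that `--env-file <(env; …)` copies the entire service environment, including whatever `/run/flannel/options.env` loaded, into a `--privileged` container with `/run` mounted read-write; that mirrors the removed `--inherit-env`, but a variable whose value contains a newline is not valid env-file syntax and may be misparsed or rejected by `docker run`.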


@ -6,22 +6,24 @@ Requires=flannel-docker-opts.service
[Service] [Service]
Type=notify Type=notify
NotifyAccess=all
Restart=always Restart=always
RestartSec=10s RestartSec=10s
TimeoutStartSec=300 TimeoutStartSec=300
LimitNOFILE=40000 LimitNOFILE=40000
LimitNPROC=1048576 LimitNPROC=1048576
Environment="FLANNEL_IMAGE_URL=quay.io/coreos/flannel"
Environment="FLANNEL_IMAGE_TAG=@FLANNEL_IMAGE_TAG@" Environment="FLANNEL_IMAGE_TAG=@FLANNEL_IMAGE_TAG@"
Environment="FLANNEL_OPTS=--ip-masq=true" Environment="FLANNEL_OPTS=--ip-masq=true"
Environment="RKT_RUN_ARGS=--uuid-file-save=/var/lib/flatcar/flannel-wrapper.uuid" Environment="FLANNEL_CMD=/opt/bin/flanneld"
Environment="FLANNEL_CONTAINER=flannel"
EnvironmentFile=-/run/flannel/options.env EnvironmentFile=-/run/flannel/options.env
ExecStartPre=/sbin/modprobe ip_tables ExecStartPre=/sbin/modprobe ip_tables
ExecStartPre=/usr/bin/mkdir --parents /var/lib/flatcar /run/flannel
ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/lib/flatcar/flannel-wrapper.uuid
ExecStart=/usr/lib/flatcar/flannel-wrapper $FLANNEL_OPTS ExecStart=/usr/lib/flatcar/flannel-wrapper $FLANNEL_OPTS
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/lib/flatcar/flannel-wrapper.uuid ExecStop=/usr/bin/docker stop flannel
ExecStopPost=/usr/bin/docker rm flannel
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target


@ -17,7 +17,7 @@ IUSE=""
RDEPEND=" RDEPEND="
!app-admin/flannel !app-admin/flannel
>=app-emulation/rkt-1.9.1[rkt_stage1_fly] >=app-admin/sdnotify-proxy-0.1.0
" "
S="$WORKDIR" S="$WORKDIR"
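Review bot: RDEPEND gains `>=app-admin/sdnotify-proxy-0.1.0`, but the wrapper changed in this commit also calls `/usr/bin/docker` and `systemctl restart docker` unconditionally and nothing in this block declares a Docker runtime dependency. Unless Docker is guaranteed by the image's base package set, the overlay's Docker package belongs in RDEPEND alongside the proxy so the wrapper cannot be installed without the binary it execs. The rest of the ebuild is outside the hunk.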