Explicitly install conntrack

2018-09-03 23:10:53 +02:00 · 2018-09-03 23:10:53 +02:00 · 70ae068945
parent 767255e2ed
commit 70ae068945
6 changed files with 36 additions and 21 deletions
--- a/images/utils-builder/Dockerfile
+++ b/images/utils-builder/Dockerfile
@ -19,7 +19,7 @@ RUN echo "deb-src http://security.debian.org/ jessie/updates main" >> /etc/apt/s
 RUN echo "deb-src http://ftp.us.debian.org/debian/ jessie main" >> /etc/apt/sources.list

 RUN apt-get update && apt-get install --yes dpkg-dev bash \
-  && apt-get build-dep --yes socat \
+  && apt-get build-dep --yes socat conntrack \
  && apt-get clean

 RUN mkdir /socat
@ -30,4 +30,12 @@ RUN cd /socat; \
    LDFLAGS_APPEND=-static CPPFLAGS_APPEND=-static \
    apt-get source --build socat

+RUN mkdir /conntrack
+
+# Note that this approach does _not_ include libssl, but we don't need it for kubernetes anyway
+RUN cd /conntrack; \
+    CFLAGS=-static LDFLAGS=-static CPPFLAGS=-static CFLAGS_APPEND=-static \
+    LDFLAGS_APPEND=-static CPPFLAGS_APPEND=-static \
+    apt-get source --build conntrack
+
 COPY extract.sh /extract.sh
--- a/images/utils-builder/README.md
+++ b/images/utils-builder/README.md
@ -1 +1 @@
-This docker image builds statically linked binaries, in particular socat for use on CoreOS.
+This docker image builds statically linked binaries, in particular socat and conntrack for use on CoreOS.
--- a/images/utils-builder/extract.sh
+++ b/images/utils-builder/extract.sh
@ -19,6 +19,7 @@ rm -rf /utils

 mkdir -p /utils
 cp /socat/socat-*/debian/socat/usr/bin/socat /utils/socat
+cp /conntrack/conntrack-*/debian/conntrack/usr/sbin/conntrack /utils/conntrack
 #(sha1sum /utils/socat | cut -d' ' -f1) > /utils/socat.sha1

 tar cvfz /utils.tar.gz /utils
--- a/nodeup/pkg/model/kubelet.go
+++ b/nodeup/pkg/model/kubelet.go
@ -222,7 +222,7 @@ func (b *KubeletBuilder) buildSystemdService() *nodetasks.Service {
 	manifest.Set("Unit", "After", "docker.service")

 	if b.Distribution == distros.DistributionCoreOS {
-		// We add /opt/kubernetes/bin for our utilities (socat)
+		// We add /opt/kubernetes/bin for our utilities (socat, conntrack)
 		manifest.Set("Service", "Environment", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kubernetes/bin")
 	}
 	manifest.Set("Service", "EnvironmentFile", "/etc/sysconfig/kubelet")
@ -275,25 +275,27 @@ func (b *KubeletBuilder) buildKubeletConfig() (*kops.KubeletConfigSpec, error) {

 func (b *KubeletBuilder) addStaticUtils(c *fi.ModelBuilderContext) error {
 	if b.Distribution == distros.DistributionCoreOS {
-		// CoreOS does not ship with socat.  Install our own (statically linked) version
+		// CoreOS does not ship with socat or conntrack.  Install our own (statically linked) version
 		// TODO: Extract to common function?
-		assetName := "socat"
-		assetPath := ""
-		asset, err := b.Assets.Find(assetName, assetPath)
-		if err != nil {
-			return fmt.Errorf("error trying to locate asset %q: %v", assetName, err)
-		}
-		if asset == nil {
-			return fmt.Errorf("unable to locate asset %q", assetName)
-		}
+		for _, binary := range []string{"socat", "conntrack"} {
+			assetName := binary
+			assetPath := ""
+			asset, err := b.Assets.Find(assetName, assetPath)
+			if err != nil {
+				return fmt.Errorf("error trying to locate asset %q: %v", assetName, err)
+			}
+			if asset == nil {
+				return fmt.Errorf("unable to locate asset %q", assetName)
+			}

-		t := &nodetasks.File{
-			Path:     "/opt/kubernetes/bin/socat",
-			Contents: asset,
-			Type:     nodetasks.FileType_File,
-			Mode:     s("0755"),
+			t := &nodetasks.File{
+				Path:     "/opt/kubernetes/bin/" + binary,
+				Contents: asset,
+				Type:     nodetasks.FileType_File,
+				Mode:     s("0755"),
+			}
+			c.AddTask(t)
 		}
-		c.AddTask(t)
 	}

 	return nil
--- a/nodeup/pkg/model/packages.go
+++ b/nodeup/pkg/model/packages.go
@ -33,12 +33,15 @@ var _ fi.ModelBuilder = &DockerBuilder{}
 // Build is responsible for installing packages
 func (b *PackagesBuilder) Build(c *fi.ModelBuilderContext) error {
 	// kubelet needs:
+	//   conntrack  - kops #5671
 	//   ebtables - kops #1711
 	//   ethtool - kops #1830
 	if b.Distribution.IsDebianFamily() {
+		c.AddTask(&nodetasks.Package{Name: "conntrack"})
 		c.AddTask(&nodetasks.Package{Name: "ebtables"})
 		c.AddTask(&nodetasks.Package{Name: "ethtool"})
 	} else if b.Distribution.IsRHELFamily() {
+		c.AddTask(&nodetasks.Package{Name: "conntrack-tools"})
 		c.AddTask(&nodetasks.Package{Name: "ebtables"})
 		c.AddTask(&nodetasks.Package{Name: "ethtool"})
 		c.AddTask(&nodetasks.Package{Name: "socat"})
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@ -1081,8 +1081,9 @@ func (c *ApplyClusterCmd) AddFileAssets(assetBuilder *assets.AssetBuilder) error

 	// TODO figure out if we can only do this for CoreOS only and GCE Container OS
 	// TODO It is very difficult to pre-determine what OS an ami is, and if that OS needs socat
-	// At this time we just copy the socat binary to all distros.  Most distros will be there own
-	// socat binary.  Container operating systems like CoreOS need to have socat added to them.
+	// At this time we just copy the socat and conntrack binaries to all distros.
+	// Most distros will have there own socat and conntrack binary.
+	// Container operating systems like CoreOS need to have socat and conntrack added to them.
 	{
 		utilsLocation, hash, err := KopsFileUrl("linux/amd64/utils.tar.gz", assetBuilder)
 		if err != nil {