From 70ae068945d7a144447ecbc5871ddc390e1a2db9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johannes=20W=C3=BCrbach?=
Date: Mon, 3 Sep 2018 23:10:53 +0200
Subject: [PATCH] Explicitly install conntrack
---
 images/utils-builder/Dockerfile | 10 +++++++-
 images/utils-builder/README.md | 2 +-
 images/utils-builder/extract.sh | 1 +
 nodeup/pkg/model/kubelet.go | 36 +++++++++++++++-------------
 nodeup/pkg/model/packages.go | 3 +++
 upup/pkg/fi/cloudup/apply_cluster.go | 5 ++--
 6 files changed, 36 insertions(+), 21 deletions(-)
diff --git a/images/utils-builder/Dockerfile b/images/utils-builder/Dockerfile
index 6b95ca4b87..f04918c62f 100644
--- a/images/utils-builder/Dockerfile
+++ b/images/utils-builder/Dockerfile
@@ -19,7 +19,7 @@ RUN echo "deb-src http://security.debian.org/ jessie/updates main" >> /etc/apt/s
 RUN echo "deb-src http://ftp.us.debian.org/debian/ jessie main" >> /etc/apt/sources.list
 RUN apt-get update && apt-get install --yes dpkg-dev bash \
- && apt-get build-dep --yes socat \
+ && apt-get build-dep --yes socat conntrack \
 && apt-get clean
 RUN mkdir /socat
@@ -30,4 +30,12 @@ RUN cd /socat; \
 LDFLAGS_APPEND=-static CPPFLAGS_APPEND=-static \
 apt-get source --build socat
+RUN mkdir /conntrack
+
+# Note that this approach does _not_ include libssl, but we don't need it for kubernetes anyway
+RUN cd /conntrack; \
+ CFLAGS=-static LDFLAGS=-static CPPFLAGS=-static CFLAGS_APPEND=-static \
+ LDFLAGS_APPEND=-static CPPFLAGS_APPEND=-static \
+ apt-get source --build conntrack
+
 COPY extract.sh /extract.sh
diff --git a/images/utils-builder/README.md b/images/utils-builder/README.md
index a9a7f4f8ab..7839c3f039 100644
--- a/images/utils-builder/README.md
+++ b/images/utils-builder/README.md
@@ -1 +1 @@
-This docker image builds statically linked binaries, in particular socat for use on CoreOS.
+This docker image builds statically linked binaries, in particular socat and conntrack for use on CoreOS.
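Review bot: The comment above the new conntrack build step in the second Dockerfile hunk, `# Note that this approach does _not_ include libssl, ...`, is copied from the socat step and tells the reader nothing about conntrack. A comment that states the intent would serve better, for example `# Build conntrack statically so it runs on hosts that lack its shared libraries (CoreOS)`. The step also passes `-static` only through environment variables, and nothing visible here confirms that the Debian packaging honours them, so the image can build successfully while producing a dynamically linked binary.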
diff --git a/images/utils-builder/extract.sh b/images/utils-builder/extract.sh
index bbfb08dba7..a662b4c404 100755
--- a/images/utils-builder/extract.sh
+++ b/images/utils-builder/extract.sh
@@ -19,6 +19,7 @@ rm -rf /utils
 mkdir -p /utils
 cp /socat/socat-*/debian/socat/usr/bin/socat /utils/socat
+cp /conntrack/conntrack-*/debian/conntrack/usr/sbin/conntrack /utils/conntrack
 #(sha1sum /utils/socat | cut -d' ' -f1) > /utils/socat.sha1
 tar cvfz /utils.tar.gz /utils
diff --git a/nodeup/pkg/model/kubelet.go b/nodeup/pkg/model/kubelet.go
index c5c0544e69..7af53e8318 100644
--- a/nodeup/pkg/model/kubelet.go
+++ b/nodeup/pkg/model/kubelet.go
@@ -222,7 +222,7 @@ func (b *KubeletBuilder) buildSystemdService() *nodetasks.Service {
 manifest.Set("Unit", "After", "docker.service")
 if b.Distribution == distros.DistributionCoreOS {
- // We add /opt/kubernetes/bin for our utilities (socat)
+ // We add /opt/kubernetes/bin for our utilities (socat, conntrack)
 manifest.Set("Service", "Environment", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kubernetes/bin")
 }
 manifest.Set("Service", "EnvironmentFile", "/etc/sysconfig/kubelet")
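Review bot: The added `cp` line in extract.sh packs whatever the build left behind, with no check that the file exists, is executable or is statically linked, and the commented-out `sha1sum` line below it only ever covered socat. The kubelet.go change in this commit installs this binary with mode 0755 on CoreOS nodes, so a failed or dynamically linked build should stop the script instead of reaching the tarball. Whether the script runs under `set -e` is not visible in the hunk; if it does not, add `test -x /utils/conntrack` after the copy. Recording a SHA-256 for each binary next to the tarball would make the published bundle auditable. The glob `conntrack-*` also assumes exactly one unpacked source directory, which deserves a comment.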
@@ -275,25 +275,27 @@ func (b *KubeletBuilder) buildKubeletConfig() (*kops.KubeletConfigSpec, error) {
 func (b *KubeletBuilder) addStaticUtils(c *fi.ModelBuilderContext) error {
 if b.Distribution == distros.DistributionCoreOS {
- // CoreOS does not ship with socat. Install our own (statically linked) version
+ // CoreOS does not ship with socat or conntrack. Install our own (statically linked) version
 // TODO: Extract to common function?
- assetName := "socat"
- assetPath := ""
- asset, err := b.Assets.Find(assetName, assetPath)
- if err != nil {
- return fmt.Errorf("error trying to locate asset %q: %v", assetName, err)
- }
- if asset == nil {
- return fmt.Errorf("unable to locate asset %q", assetName)
- }
+ for _, binary := range []string{"socat", "conntrack"} {
+ assetName := binary
+ assetPath := ""
+ asset, err := b.Assets.Find(assetName, assetPath)
+ if err != nil {
+ return fmt.Errorf("error trying to locate asset %q: %v", assetName, err)
+ }
+ if asset == nil {
+ return fmt.Errorf("unable to locate asset %q", assetName)
+ }
- t := &nodetasks.File{
- Path: "/opt/kubernetes/bin/socat",
- Contents: asset,
- Type: nodetasks.FileType_File,
- Mode: s("0755"),
+ t := &nodetasks.File{
+ Path: "/opt/kubernetes/bin/" + binary,
+ Contents: asset,
+ Type: nodetasks.FileType_File,
+ Mode: s("0755"),
+ }
+ c.AddTask(t)
 }
- c.AddTask(t)
 }
 return nil
diff --git a/nodeup/pkg/model/packages.go b/nodeup/pkg/model/packages.go
index 1aa300121f..f8083bc6c1 100644
--- a/nodeup/pkg/model/packages.go
+++ b/nodeup/pkg/model/packages.go
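Review bot: In `addStaticUtils`, the new loop makes a missing `conntrack` asset a hard error on CoreOS (`unable to locate asset "conntrack"`). A cluster whose asset list still points at a utils.tar.gz built before this commit would therefore fail node bootstrap instead of coming up without conntrack. Confirm that the published bundle is rebuilt and its hash updated together with this change, and state that requirement in the comment above the loop. As a style point, `assetName := binary` and `assetPath := ""` are leftovers from the single-asset version; `asset, err := b.Assets.Find(binary, "")` reads more directly. The function's closing brace lies outside the hunk.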
@@ -33,12 +33,15 @@ var _ fi.ModelBuilder = &DockerBuilder{}
 // Build is responsible for installing packages
 func (b *PackagesBuilder) Build(c *fi.ModelBuilderContext) error {
 // kubelet needs:
+ // conntrack - kops #5671
 // ebtables - kops #1711
 // ethtool - kops #1830
 if b.Distribution.IsDebianFamily() {
+ c.AddTask(&nodetasks.Package{Name: "conntrack"})
 c.AddTask(&nodetasks.Package{Name: "ebtables"})
 c.AddTask(&nodetasks.Package{Name: "ethtool"})
 } else if b.Distribution.IsRHELFamily() {
+ c.AddTask(&nodetasks.Package{Name: "conntrack-tools"})
 c.AddTask(&nodetasks.Package{Name: "ebtables"})
 c.AddTask(&nodetasks.Package{Name: "ethtool"})
 c.AddTask(&nodetasks.Package{Name: "socat"})
diff --git a/upup/pkg/fi/cloudup/apply_cluster.go b/upup/pkg/fi/cloudup/apply_cluster.go
index 2d8d2fbe60..23b3bbeac6 100644
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@@ -1081,8 +1081,9 @@ func (c *ApplyClusterCmd) AddFileAssets(assetBuilder *assets.AssetBuilder) error
 // TODO figure out if we can only do this for CoreOS only and GCE Container OS
 // TODO It is very difficult to pre-determine what OS an ami is, and if that OS needs socat
- // At this time we just copy the socat binary to all distros. Most distros will be there own
- // socat binary. Container operating systems like CoreOS need to have socat added to them.
+ // At this time we just copy the socat and conntrack binaries to all distros.
+ // Most distros will have there own socat and conntrack binary.
+ // Container operating systems like CoreOS need to have socat and conntrack added to them.
 {
 utilsLocation, hash, err := KopsFileUrl("linux/amd64/utils.tar.gz", assetBuilder)
 if err != nil {
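Review bot: The two branches in `Build` install differently named packages for the same tool (`conntrack` for the Debian family, `conntrack-tools` for the RHEL family), while the header comment lists only `conntrack - kops #5671`. A comment on the RHEL line, such as `// conntrack-tools is the RHEL-family package that provides the conntrack binary`, would stop a later reader from "correcting" the name. The body of `Build` continues past the end of the hunk, so how other distributions are handled is not visible here.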
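Review bot: The rewritten comment in `AddFileAssets` carries over the typo `there own`; the line should read `// Most distros will have their own socat and conntrack binary.`. The TODO directly above still ends with `if that OS needs socat`, so it now disagrees with the text that follows and should mention conntrack as well. Because the comment says the bundle is copied to every distro, it would help to note that the `hash` returned by `KopsFileUrl` is what ties the downloaded utils.tar.gz to the built one, if that is how it is used past this hunk. The block opened by `{` continues outside the hunk.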