Docker Default Ulimits

The current implementation does not permit us to set the default ulimit on docker daemon (currently a requirement for our logstash). This PR add the DefaultUlimit option to the DockerConfig

nodeup/pkg/model/docker.go

@@ -20,14 +20,15 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/blang/semver"
-	"github.com/golang/glog"
 	"k8s.io/kops/nodeup/pkg/distros"
 	"k8s.io/kops/nodeup/pkg/model/resources"
 	"k8s.io/kops/pkg/flagbuilder"
 	"k8s.io/kops/pkg/systemd"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
+
+	"github.com/blang/semver"
+	"github.com/golang/glog"
 )
 
 // DockerBuilder install docker (just the packages at the moment)
@@ -293,7 +294,10 @@ func (d *dockerVersion) matches(arch Architecture, dockerVersion string, distro
 	return true
 }
 
+// Build is responsible for configuring the docker daemon
 func (b *DockerBuilder) Build(c *fi.ModelBuilderContext) error {
+
+	// @check: neither coreos or containeros need provision docker.service, just the docker daemon options
 	switch b.Distribution {
 	case distros.DistributionCoreOS:
 		glog.Infof("Detected CoreOS; won't install Docker")
@@ -466,6 +470,7 @@ func (b *DockerBuilder) buildSystemdService(dockerVersion semver.Version) *nodet
 	return service
 }
 
+// buildContainerOSConfigurationDropIn is responsible for configuring the docker daemon options
 func (b *DockerBuilder) buildContainerOSConfigurationDropIn(c *fi.ModelBuilderContext) error {
 	lines := []string{
 		"[Service]",
@@ -473,7 +478,7 @@ func (b *DockerBuilder) buildContainerOSConfigurationDropIn(c *fi.ModelBuilderCo
 	}
 	contents := strings.Join(lines, "\n")
 
-	t := &nodetasks.File{
+	c.AddTask(&nodetasks.File{
 		Path:     "/etc/systemd/system/docker.service.d/10-kops.conf",
 		Contents: fi.NewStringResource(contents),
 		Type:     nodetasks.FileType_File,
@@ -481,8 +486,7 @@ func (b *DockerBuilder) buildContainerOSConfigurationDropIn(c *fi.ModelBuilderCo
 			{"systemctl", "daemon-reload"},
 			{"systemctl", "restart", "docker.service"},
 		},
-	}
-	c.AddTask(t)
+	})
 
 	if err := b.buildSysconfig(c); err != nil {
 		return err
@@ -491,6 +495,7 @@ func (b *DockerBuilder) buildContainerOSConfigurationDropIn(c *fi.ModelBuilderCo
 	return nil
 }
 
+// buildSysconfig is responsible for extracting the docker configuration and writing the sysconfig file
 func (b *DockerBuilder) buildSysconfig(c *fi.ModelBuilderContext) error {
 	flagsString, err := flagbuilder.BuildFlags(b.Cluster.Spec.Docker)
 	if err != nil {
@@ -503,12 +508,11 @@ func (b *DockerBuilder) buildSysconfig(c *fi.ModelBuilderContext) error {
 	}
 	contents := strings.Join(lines, "\n")
 
-	t := &nodetasks.File{
+	c.AddTask(&nodetasks.File{
 		Path:     "/etc/sysconfig/docker",
 		Contents: fi.NewStringResource(contents),
 		Type:     nodetasks.FileType_File,
-	}
-	c.AddTask(t)
+	})
 
 	return nil
 }

pkg/apis/kops/dockerconfig.go

@@ -18,28 +18,34 @@ package kops
 
 // DockerConfig is the configuration for docker
 type DockerConfig struct {
-	Bridge   *string `json:"bridge,omitempty" flag:"bridge"`
-	LogLevel *string `json:"logLevel,omitempty" flag:"log-level"`
-	IPTables *bool   `json:"ipTables,omitempty" flag:"iptables"`
-	IPMasq   *bool   `json:"ipMasq,omitempty" flag:"ip-masq"`
-
-	LogDriver string   `json:"logDriver,omitempty" flag:"log-driver"`
-	LogOpt    []string `json:"logOpt,omitempty" flag:"log-opt,repeat"`
-
-	// Storage maps to the docker storage flag
-	// But nodeup will also process a comma-separate list, selecting the first supported option
-	Storage *string `json:"storage,omitempty" flag:"storage-driver"`
-
-	InsecureRegistry *string `json:"insecureRegistry,omitempty" flag:"insecure-registry"`
-
-	// Set mirrors for dockerd, benefiting cluster provisioning and image pulling
-	RegistryMirrors []string `json:"registryMirrors,omitempty" flag:"registry-mirror,repeat"`
-	MTU             *int32   `json:"mtu,omitempty" flag:"mtu"`
-
-	// The bridge cidr (--bip) flag
+	// AuthorizationPlugins is a list of authorization plugins
+	AuthorizationPlugins []string `json:"authorizationPlugins,omitempty" flag:"authorization-plugin,repeat"`
+	// Bridge is the network interface containers should bind onto
+	Bridge *string `json:"bridge,omitempty" flag:"bridge"`
+	// BridgeIP is a specific IP address and netmask for the docker0 bridge, using standard CIDR notation
 	BridgeIP *string `json:"bridgeIP,omitempty" flag:"bip"`
-
-	// The version of docker to install
-	// Be careful if changing this; not all docker versions are validated, and they will break in bad ways.
+	// DefaultUlimit is the ulimits for containers
+	DefaultUlimit []string `json:"defaultUlimit,omitempty" flag:"default-ulimit,repeat"`
+	// IPMasq enables ip masquerading for containers
+	IPMasq *bool `json:"ipMasq,omitempty" flag:"ip-masq"`
+	// IPtables enables addition of iptables rules
+	IPTables *bool `json:"ipTables,omitempty" flag:"iptables"`
+	// InsecureRegistry enable insecure registry communication @question according to dockers this a list??
+	InsecureRegistry *string `json:"insecureRegistry,omitempty" flag:"insecure-registry"`
+	// LogDriver is the defailt driver for container logs (default "json-file")
+	LogDriver string `json:"logDriver,omitempty" flag:"log-driver"`
+	// LogLevel is the logging level ("debug", "info", "warn", "error", "fatal") (default "info")
+	LogLevel *string `json:"logLevel,omitempty" flag:"log-level"`
+	// Logopt is a series of options given to the log driver options for containers
+	LogOpt []string `json:"logOpt,omitempty" flag:"log-opt,repeat"`
+	// MTU is the containers network MTU
+	MTU *int32 `json:"mtu,omitempty" flag:"mtu"`
+	// RegistryMirrors is a referred list of docker registry mirror
+	RegistryMirrors []string `json:"registryMirrors,omitempty" flag:"registry-mirror,repeat"`
+	// Storage is the docker storage driver to use
+	Storage *string `json:"storage,omitempty" flag:"storage-driver"`
+	// StorageOpts is a series of options passed to the storage driver
+	StorageOpts []string `json:"storageOpts,omitempty" flag:"storage-opt,repeat"`
+	// Version is consumed by the nodeup and used to pick the docker version
 	Version *string `json:"version,omitempty"`
 }

pkg/apis/kops/v1alpha1/dockerconfig.go

@@ -18,28 +18,34 @@ package v1alpha1
 
 // DockerConfig is the configuration for docker
 type DockerConfig struct {
-	Bridge   *string `json:"bridge,omitempty" flag:"bridge"`
-	LogLevel *string `json:"logLevel,omitempty" flag:"log-level"`
-	IPTables *bool   `json:"ipTables,omitempty" flag:"iptables"`
-	IPMasq   *bool   `json:"ipMasq,omitempty" flag:"ip-masq"`
-
-	LogDriver *string  `json:"logDriver,omitempty" flag:"log-driver"`
-	LogOpt    []string `json:"logOpt,omitempty" flag:"log-opt,repeat"`
-
-	// Storage maps to the docker storage flag
-	// But nodeup will also process a comma-separate list, selecting the first supported option
-	Storage *string `json:"storage,omitempty" flag:"storage-driver"`
-
-	InsecureRegistry *string `json:"insecureRegistry,omitempty" flag:"insecure-registry"`
-
-	// Set mirrors for dockerd, benefiting cluster provisioning and image pulling
-	RegistryMirrors []string `json:"registryMirrors,omitempty" flag:"registry-mirror,repeat"`
-	MTU             *int32   `json:"mtu,omitempty" flag:"mtu"`
-
-	// The bridge cidr (--bip) flag
+	// AuthorizationPlugins is a list of authorization plugins
+	AuthorizationPlugins []string `json:"authorizationPlugins,omitempty" flag:"authorization-plugin,repeat"`
+	// Bridge is the network interface containers should bind onto
+	Bridge *string `json:"bridge,omitempty" flag:"bridge"`
+	// BridgeIP is a specific IP address and netmask for the docker0 bridge, using standard CIDR notation
 	BridgeIP *string `json:"bridgeIP,omitempty" flag:"bip"`
-
-	// The version of docker to install
-	// Be careful if changing this; not all docker versions are validated, and they will break in bad ways.
+	// DefaultUlimit is the ulimits for containers
+	DefaultUlimit []string `json:"defaultUlimit,omitempty" flag:"default-ulimit,repeat"`
+	// IPMasq enables ip masquerading for containers
+	IPMasq *bool `json:"ipMasq,omitempty" flag:"ip-masq"`
+	// IPtables enables addition of iptables rules
+	IPTables *bool `json:"ipTables,omitempty" flag:"iptables"`
+	// InsecureRegistry enable insecure registry communication @question according to dockers this a list??
+	InsecureRegistry *string `json:"insecureRegistry,omitempty" flag:"insecure-registry"`
+	// LogDriver is the defailt driver for container logs (default "json-file")
+	LogDriver *string `json:"logDriver,omitempty" flag:"log-driver"`
+	// LogLevel is the logging level ("debug", "info", "warn", "error", "fatal") (default "info")
+	LogLevel *string `json:"logLevel,omitempty" flag:"log-level"`
+	// Logopt is a series of options given to the log driver options for containers
+	LogOpt []string `json:"logOpt,omitempty" flag:"log-opt,repeat"`
+	// MTU is the containers network MTU
+	MTU *int32 `json:"mtu,omitempty" flag:"mtu"`
+	// RegistryMirrors is a referred list of docker registry mirror
+	RegistryMirrors []string `json:"registryMirrors,omitempty" flag:"registry-mirror,repeat"`
+	// Storage is the docker storage driver to use
+	Storage *string `json:"storage,omitempty" flag:"storage-driver"`
+	// StorageOpts is a series of options passed to the storage driver
+	StorageOpts []string `json:"storageOpts,omitempty" flag:"storage-opt,repeat"`
+	// Version is consumed by the nodeup and used to pick the docker version
 	Version *string `json:"version,omitempty"`
 }

pkg/apis/kops/v1alpha1/zz_generated.conversion.go

@@ -967,19 +967,22 @@ func Convert_kops_DNSSpec_To_v1alpha1_DNSSpec(in *kops.DNSSpec, out *DNSSpec, s
 }
 
 func autoConvert_v1alpha1_DockerConfig_To_kops_DockerConfig(in *DockerConfig, out *kops.DockerConfig, s conversion.Scope) error {
+	out.AuthorizationPlugins = in.AuthorizationPlugins
 	out.Bridge = in.Bridge
-	out.LogLevel = in.LogLevel
-	out.IPTables = in.IPTables
+	out.BridgeIP = in.BridgeIP
+	out.DefaultUlimit = in.DefaultUlimit
 	out.IPMasq = in.IPMasq
+	out.IPTables = in.IPTables
+	out.InsecureRegistry = in.InsecureRegistry
 	if err := v1.Convert_Pointer_string_To_string(&in.LogDriver, &out.LogDriver, s); err != nil {
 		return err
 	}
+	out.LogLevel = in.LogLevel
 	out.LogOpt = in.LogOpt
-	out.Storage = in.Storage
-	out.InsecureRegistry = in.InsecureRegistry
-	out.RegistryMirrors = in.RegistryMirrors
 	out.MTU = in.MTU
-	out.BridgeIP = in.BridgeIP
+	out.RegistryMirrors = in.RegistryMirrors
+	out.Storage = in.Storage
+	out.StorageOpts = in.StorageOpts
 	out.Version = in.Version
 	return nil
 }
@@ -990,19 +993,22 @@ func Convert_v1alpha1_DockerConfig_To_kops_DockerConfig(in *DockerConfig, out *k
 }
 
 func autoConvert_kops_DockerConfig_To_v1alpha1_DockerConfig(in *kops.DockerConfig, out *DockerConfig, s conversion.Scope) error {
+	out.AuthorizationPlugins = in.AuthorizationPlugins
 	out.Bridge = in.Bridge
-	out.LogLevel = in.LogLevel
-	out.IPTables = in.IPTables
+	out.BridgeIP = in.BridgeIP
+	out.DefaultUlimit = in.DefaultUlimit
 	out.IPMasq = in.IPMasq
+	out.IPTables = in.IPTables
+	out.InsecureRegistry = in.InsecureRegistry
 	if err := v1.Convert_string_To_Pointer_string(&in.LogDriver, &out.LogDriver, s); err != nil {
 		return err
 	}
+	out.LogLevel = in.LogLevel
 	out.LogOpt = in.LogOpt
-	out.Storage = in.Storage
-	out.InsecureRegistry = in.InsecureRegistry
-	out.RegistryMirrors = in.RegistryMirrors
 	out.MTU = in.MTU
-	out.BridgeIP = in.BridgeIP
+	out.RegistryMirrors = in.RegistryMirrors
+	out.Storage = in.Storage
+	out.StorageOpts = in.StorageOpts
 	out.Version = in.Version
 	return nil
 }

pkg/apis/kops/v1alpha2/dockerconfig.go

@@ -18,28 +18,34 @@ package v1alpha2
 
 // DockerConfig is the configuration for docker
 type DockerConfig struct {
-	Bridge   *string `json:"bridge,omitempty" flag:"bridge"`
-	LogLevel *string `json:"logLevel,omitempty" flag:"log-level"`
-	IPTables *bool   `json:"ipTables,omitempty" flag:"iptables"`
-	IPMasq   *bool   `json:"ipMasq,omitempty" flag:"ip-masq"`
-
-	LogDriver *string  `json:"logDriver,omitempty" flag:"log-driver"`
-	LogOpt    []string `json:"logOpt,omitempty" flag:"log-opt,repeat"`
-
-	// Storage maps to the docker storage flag
-	// But nodeup will also process a comma-separate list, selecting the first supported option
-	Storage *string `json:"storage,omitempty" flag:"storage-driver"`
-
-	InsecureRegistry *string `json:"insecureRegistry,omitempty" flag:"insecure-registry"`
-
-	// Set mirrors for dockerd, benefiting cluster provisioning and image pulling
-	RegistryMirrors []string `json:"registryMirrors,omitempty" flag:"registry-mirror,repeat"`
-	MTU             *int32   `json:"mtu,omitempty" flag:"mtu"`
-
-	// The bridge cidr (--bip) flag
+	// AuthorizationPlugins is a list of authorization plugins
+	AuthorizationPlugins []string `json:"authorizationPlugins,omitempty" flag:"authorization-plugin,repeat"`
+	// Bridge is the network interface containers should bind onto
+	Bridge *string `json:"bridge,omitempty" flag:"bridge"`
+	// BridgeIP is a specific IP address and netmask for the docker0 bridge, using standard CIDR notation
 	BridgeIP *string `json:"bridgeIP,omitempty" flag:"bip"`
-
-	// The version of docker to install
-	// Be careful if changing this; not all docker versions are validated, and they will break in bad ways.
+	// DefaultUlimit is the ulimits for containers
+	DefaultUlimit []string `json:"defaultUlimit,omitempty" flag:"default-ulimit,repeat"`
+	// IPMasq enables ip masquerading for containers
+	IPMasq *bool `json:"ipMasq,omitempty" flag:"ip-masq"`
+	// IPtables enables addition of iptables rules
+	IPTables *bool `json:"ipTables,omitempty" flag:"iptables"`
+	// InsecureRegistry enable insecure registry communication @question according to dockers this a list??
+	InsecureRegistry *string `json:"insecureRegistry,omitempty" flag:"insecure-registry"`
+	// LogDriver is the defailt driver for container logs (default "json-file")
+	LogDriver *string `json:"logDriver,omitempty" flag:"log-driver"`
+	// LogLevel is the logging level ("debug", "info", "warn", "error", "fatal") (default "info")
+	LogLevel *string `json:"logLevel,omitempty" flag:"log-level"`
+	// Logopt is a series of options given to the log driver options for containers
+	LogOpt []string `json:"logOpt,omitempty" flag:"log-opt,repeat"`
+	// MTU is the containers network MTU
+	MTU *int32 `json:"mtu,omitempty" flag:"mtu"`
+	// RegistryMirrors is a referred list of docker registry mirror
+	RegistryMirrors []string `json:"registryMirrors,omitempty" flag:"registry-mirror,repeat"`
+	// Storage is the docker storage driver to use
+	Storage *string `json:"storage,omitempty" flag:"storage-driver"`
+	// StorageOpts is a series of options passed to the storage driver
+	StorageOpts []string `json:"storageOpts,omitempty" flag:"storage-opt,repeat"`
+	// Version is consumed by the nodeup and used to pick the docker version
 	Version *string `json:"version,omitempty"`
 }

pkg/apis/kops/v1alpha2/zz_generated.conversion.go

@@ -1055,19 +1055,22 @@ func Convert_kops_DNSSpec_To_v1alpha2_DNSSpec(in *kops.DNSSpec, out *DNSSpec, s
 }
 
 func autoConvert_v1alpha2_DockerConfig_To_kops_DockerConfig(in *DockerConfig, out *kops.DockerConfig, s conversion.Scope) error {
+	out.AuthorizationPlugins = in.AuthorizationPlugins
 	out.Bridge = in.Bridge
-	out.LogLevel = in.LogLevel
-	out.IPTables = in.IPTables
+	out.BridgeIP = in.BridgeIP
+	out.DefaultUlimit = in.DefaultUlimit
 	out.IPMasq = in.IPMasq
+	out.IPTables = in.IPTables
+	out.InsecureRegistry = in.InsecureRegistry
 	if err := v1.Convert_Pointer_string_To_string(&in.LogDriver, &out.LogDriver, s); err != nil {
 		return err
 	}
+	out.LogLevel = in.LogLevel
 	out.LogOpt = in.LogOpt
-	out.Storage = in.Storage
-	out.InsecureRegistry = in.InsecureRegistry
-	out.RegistryMirrors = in.RegistryMirrors
 	out.MTU = in.MTU
-	out.BridgeIP = in.BridgeIP
+	out.RegistryMirrors = in.RegistryMirrors
+	out.Storage = in.Storage
+	out.StorageOpts = in.StorageOpts
 	out.Version = in.Version
 	return nil
 }
@@ -1078,19 +1081,22 @@ func Convert_v1alpha2_DockerConfig_To_kops_DockerConfig(in *DockerConfig, out *k
 }
 
 func autoConvert_kops_DockerConfig_To_v1alpha2_DockerConfig(in *kops.DockerConfig, out *DockerConfig, s conversion.Scope) error {
+	out.AuthorizationPlugins = in.AuthorizationPlugins
 	out.Bridge = in.Bridge
-	out.LogLevel = in.LogLevel
-	out.IPTables = in.IPTables
+	out.BridgeIP = in.BridgeIP
+	out.DefaultUlimit = in.DefaultUlimit
 	out.IPMasq = in.IPMasq
+	out.IPTables = in.IPTables
+	out.InsecureRegistry = in.InsecureRegistry
 	if err := v1.Convert_string_To_Pointer_string(&in.LogDriver, &out.LogDriver, s); err != nil {
 		return err
 	}
+	out.LogLevel = in.LogLevel
 	out.LogOpt = in.LogOpt
-	out.Storage = in.Storage
-	out.InsecureRegistry = in.InsecureRegistry
-	out.RegistryMirrors = in.RegistryMirrors
 	out.MTU = in.MTU
-	out.BridgeIP = in.BridgeIP
+	out.RegistryMirrors = in.RegistryMirrors
+	out.Storage = in.Storage
+	out.StorageOpts = in.StorageOpts
 	out.Version = in.Version
 	return nil
 }