gvisor: Use chroot instead of LD_LIBRARY_PATH #5735

merged 5 commits into from
Oct 25, 2019
6 changes: 4 additions & 2 deletions Makefile
Expand Up @@ -62,6 +62,8 @@ GOLINT_OPTIONS = --timeout 4m \
--enable goimports,gocritic,golint,gocyclo,misspell,nakedret,stylecheck,unconvert,unparam,dogsled \
--exclude 'variable on range scope.*in function literal|ifElseChain'

# Major version of gvisor image. Increment when there are breaking changes.
GVISOR_IMAGE_VERSION ?= 2

export GO111MODULE := on

Expand Down Expand Up @@ -480,11 +482,11 @@ out/gvisor-addon: pkg/minikube/assets/assets.go pkg/minikube/translate/translati

.PHONY: gvisor-addon-image
gvisor-addon-image: out/gvisor-addon
docker build -t $(REGISTRY)/gvisor-addon:latest -f deploy/gvisor/Dockerfile .
docker build -t $(REGISTRY)/gvisor-addon:$(GVISOR_IMAGE_VERSION) -f deploy/gvisor/Dockerfile .

.PHONY: push-gvisor-addon-image
push-gvisor-addon-image: gvisor-addon-image
gcloud docker -- push $(REGISTRY)/gvisor-addon:latest
gcloud docker -- push $(REGISTRY)/gvisor-addon:$(GVISOR_IMAGE_VERSION)

.PHONY: release-iso
release-iso: minikube_iso checksum
40 changes: 9 additions & 31 deletions deploy/addons/gvisor/gvisor-pod.yaml.tmpl
Expand Up @@ -24,50 +24,28 @@ spec:
hostPID: true
containers:
- name: gvisor
image: {{default "gcr.io/k8s-minikube" .ImageRepository}}/gvisor-addon:latest
image: {{default "gcr.io/k8s-minikube" .ImageRepository}}/gvisor-addon:2
securityContext:
privileged: true
volumeMounts:
- mountPath: /node/
name: node
- mountPath: /usr/libexec/sudo
name: sudo
- mountPath: /var/run
name: varrun
- mountPath: /usr/bin
name: usrbin
- mountPath: /usr/lib
name: usrlib
- mountPath: /bin
name: bin
name: node-root
- mountPath: /node/run
name: node-run
- mountPath: /tmp/gvisor
name: gvisor
name: node-tmp
env:
- name: PATH
value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/node/bin
- name: SYSTEMD_IGNORE_CHROOT
value: "yes"
imagePullPolicy: IfNotPresent
volumes:
- name: node
- name: node-root
hostPath:
path: /
- name: sudo
- name: node-run
hostPath:
path: /usr/libexec/sudo
- name: varrun
hostPath:
path: /var/run
- name: usrlib
hostPath:
path: /usr/lib
- name: usrbin
hostPath:
path: /usr/bin
- name: bin
hostPath:
path: /bin
- name: gvisor
path: /run
- name: node-tmp
hostPath:
path: /tmp/gvisor
restartPolicy: Always
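Review bot: The pod this manifest creates is `privileged: true` with `hostPID: true` and bind-mounts the host root (`node-root` → `/`), so whoever can push to the `gvisor-addon:2` tag controls every node the addon is enabled on, and the new tag is still mutable where a digest would not be. For released manifests consider pinning by digest (`image: .../gvisor-addon:2@sha256:…`), or at least document the coupling so the three copies of the tag stay in sync, e.g. above the `image:` line: `# Tag must match GVISOR_IMAGE_VERSION in the Makefile and hack/jenkins/common.sh`. The `SYSTEMD_IGNORE_CHROOT` variable appears to be dropped here; if that is because systemctl is now invoked through a chroot into the host root, a one-line comment on the `env:` block saying so would stop the next reader from re-adding it.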
6 changes: 2 additions & 4 deletions deploy/gvisor/Dockerfile
Expand Up @@ -12,9 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

FROM ubuntu:18.04
RUN apt-get update && \
apt-get install -y kmod gcc wget xz-utils libc6-dev bc libelf-dev bison flex openssl libssl-dev libidn2-0 sudo libcap2 && \
rm -rf /var/lib/apt/lists/*
# Need an image with chroot
FROM alpine:3
COPY out/gvisor-addon /gvisor-addon
CMD ["/gvisor-addon"]
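Review bot: `FROM alpine:3` is a floating major tag, so the base image can change underneath a build that is then published under the fixed `gvisor-addon:2` version; pin it (`FROM alpine:3.10`, or better an `@sha256:` digest) so that version 2 of a privileged node-level addon is reproducible. The comment only mentions needing `chroot`, but moving from Ubuntu (glibc) to Alpine (musl) also requires `out/gvisor-addon` to be a static binary — if the build does not already run with `CGO_ENABLED=0`, the container will fail to start; worth stating next to the `FROM`: `# busybox provides /usr/sbin/chroot; the binary must be built with CGO_ENABLED=0 since Alpine has no glibc`.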
8 changes: 4 additions & 4 deletions hack/jenkins/common.sh
Expand Up @@ -245,13 +245,13 @@ mkdir -p "${TEST_HOME}"
export MINIKUBE_HOME="${TEST_HOME}/.minikube"
export KUBECONFIG="${TEST_HOME}/kubeconfig"

# Build the gvisor image. This will be copied into minikube and loaded by ctr.
# Used by TestContainerd for Gvisor Test.
# TODO: move this to integration test setup.

# Build the gvisor image so that we can integration test changes to pkg/gvisor
chmod +x ./testdata/gvisor-addon
# skipping gvisor mac because ofg https://github.com/kubernetes/minikube/issues/5137
if [ "$(uname)" != "Darwin" ]; then
docker build -t gcr.io/k8s-minikube/gvisor-addon:latest -f testdata/gvisor-addon-Dockerfile ./testdata
# Should match GVISOR_IMAGE_VERSION in Makefile
docker build -t gcr.io/k8s-minikube/gvisor-addon:2 -f testdata/gvisor-addon-Dockerfile ./testdata
fi

echo ""
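Review bot: The image version is hard-coded a second time in `docker build -t gcr.io/k8s-minikube/gvisor-addon:2`, and the comment above it relies on a human to keep it in sync with `GVISOR_IMAGE_VERSION` in the Makefile; if they drift, the manifest would reference a tag that was never built locally and the pod would presumably pull the published image instead of the one under test. Derive it instead: `GVISOR_IMAGE_VERSION=$(sed -n 's/^GVISOR_IMAGE_VERSION ?= *//p' Makefile)` followed by `docker build -t "gcr.io/k8s-minikube/gvisor-addon:${GVISOR_IMAGE_VERSION}" -f testdata/gvisor-addon-Dockerfile ./testdata`. This assumes the script runs from the repository root, which the relative `./testdata` path already presumes.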
25 changes: 14 additions & 11 deletions pkg/gvisor/enable.go
Expand Up @@ -157,7 +157,7 @@ func copyConfigFiles() error {
if err := mcnutils.CopyFile(filepath.Join(nodeDir, containerdConfigTomlPath), filepath.Join(nodeDir, storedContainerdConfigTomlPath)); err != nil {
return errors.Wrap(err, "copying default config.toml")
}
log.Print("Copying containerd config.toml with gvisor...")
log.Printf("Copying %s asset to %s", constants.GvisorConfigTomlTargetName, filepath.Join(nodeDir, containerdConfigTomlPath))
if err := copyAssetToDest(constants.GvisorConfigTomlTargetName, filepath.Join(nodeDir, containerdConfigTomlPath)); err != nil {
return errors.Wrap(err, "copying gvisor version of config.toml")
}
Expand All @@ -171,8 +171,13 @@ func copyAssetToDest(targetName, dest string) error {
asset = a
}
}
if asset == nil {
return fmt.Errorf("no asset matching target %s among %+v", targetName, assets.Addons["gvisor"])
}

// Now, copy the data from this asset to dest
src := filepath.Join(constants.GvisorFilesPath, asset.GetTargetName())
log.Printf("%s asset path: %s", targetName, src)
contents, err := ioutil.ReadFile(src)
if err != nil {
return errors.Wrapf(err, "getting contents of %s", asset.GetAssetName())
Expand All @@ -182,6 +187,8 @@ func copyAssetToDest(targetName, dest string) error {
return errors.Wrapf(err, "removing %s", dest)
}
}

log.Printf("creating %s", dest)
f, err := os.Create(dest)
if err != nil {
return errors.Wrapf(err, "creating %s", dest)
Expand All @@ -193,28 +200,24 @@ func copyAssetToDest(targetName, dest string) error {
}

func restartContainerd() error {
dir := filepath.Join(nodeDir, "usr/libexec/sudo")
if err := os.Setenv("LD_LIBRARY_PATH", dir); err != nil {
return errors.Wrap(err, dir)
}
log.Print("restartContainerd black magic happening")

log.Print("Stopping rpc-statd.service...")
// first, stop rpc-statd.service
cmd := exec.Command("sudo", "-E", "systemctl", "stop", "rpc-statd.service")
cmd := exec.Command("/usr/sbin/chroot", "/node", "sudo", "systemctl", "stop", "rpc-statd.service")
if out, err := cmd.CombinedOutput(); err != nil {
fmt.Println(string(out))
return errors.Wrap(err, "stopping rpc-statd.service")
}
// restart containerd

log.Print("Restarting containerd...")
cmd = exec.Command("sudo", "-E", "systemctl", "restart", "containerd")
cmd = exec.Command("/usr/sbin/chroot", "/node", "sudo", "systemctl", "restart", "containerd")
if out, err := cmd.CombinedOutput(); err != nil {
log.Print(string(out))
return errors.Wrap(err, "restarting containerd")
}
// start rpc-statd.service

log.Print("Starting rpc-statd...")
cmd = exec.Command("sudo", "-E", "systemctl", "start", "rpc-statd.service")
cmd = exec.Command("/usr/sbin/chroot", "/node", "sudo", "systemctl", "start", "rpc-statd.service")
if out, err := cmd.CombinedOutput(); err != nil {
log.Print(string(out))
return errors.Wrap(err, "restarting rpc-statd.service")
7 changes: 7 additions & 0 deletions test/integration/gvisor_addon_test.go
Expand Up @@ -35,6 +35,13 @@ func TestGvisorAddon(t *testing.T) {
profile := UniqueProfileName("gvisor")
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Minute)
defer func() {
if t.Failed() {
rr, err := Run(t, exec.CommandContext(ctx, "kubectl", "--context", profile, "logs", "gvisor", "-n", "kube-system"))
if err != nil {
t.Logf("failed to get gvisor post-mortem logs: %v", err)
}
t.Logf("gvisor post-mortem: %s:\n%s\n", rr.Command(), rr.Output())
}
CleanupWithLogs(t, profile, cancel)
}()

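Review bot: The post-mortem `kubectl logs` on the added lines runs under the same `ctx` that carries the test's 30-minute deadline, so in the failure mode where logs matter most — the test timing out — `exec.CommandContext` aborts immediately with a context error and nothing is collected. Give the post-mortem its own context: `pctx, pcancel := context.WithTimeout(context.Background(), 2*time.Minute)`, `defer pcancel()`, and pass `pctx` to `exec.CommandContext`. Also, if `Run` can return a nil `rr` on error, the unconditional `rr.Command()`/`rr.Output()` on the following line would panic inside the deferred function; if it always returns a result, as the current code seems to assume, a short comment saying so would help the next reader.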