Merge pull request #268 from galal-hussein/atomic_centos

Add z option to volume binds

README.md

@@ -222,6 +222,25 @@ ingress:
 
 RKE will deploy Nginx Ingress controller as a DaemonSet with `hostnetwork: true`, so ports `80`, and `443` will be opened on each node where the controller is deployed.
 
+## Operating Systems Notes
+
+### Atomic OS
+
+- Container volumes may have some issues in Atomic OS due to SELinux, most of volumes are mounted in rke with option `z`, however user still need to run the following commands before running rke:
+```
+# mkdir /opt/cni /etc/cni
+# chcon -Rt svirt_sandbox_file_t /etc/cni
+# chcon -Rt svirt_sandbox_file_t /opt/cni
+```
+- OpenSSH 6.4 shipped by default on Atomic CentOS which doesn't support SSH tunneling and therefore breaks rke, upgrading OpenSSH to the latest version supported by Atomic host will solve this problem:
+```
+# atomic host upgrade
+```
+- Atomic host doesn't come with docker group by default, you can change ownership of docker.sock to enable specific user to run rke:
+```
+# chown <user> /var/run/docker.sock
+```
+
 ## License
 
 Copyright (c) 2017 [Rancher Labs, Inc.](http://rancher.com)

hosts/hosts.go

@@ -220,7 +220,7 @@ func buildCleanerConfig(host *Host, toCleanDirs []string, cleanerImage string) (
 	}
 	bindMounts := []string{}
 	for _, vol := range toCleanDirs {
-		bindMounts = append(bindMounts, fmt.Sprintf("%s:%s", vol, vol))
+		bindMounts = append(bindMounts, fmt.Sprintf("%s:%s:z", vol, vol))
 	}
 	hostCfg := &container.HostConfig{
 		Binds: bindMounts,

services/etcd.go

@@ -90,8 +90,8 @@ func buildEtcdConfig(host *hosts.Host, etcdService v3.ETCDService, initCluster,
 	hostCfg := &container.HostConfig{
 		RestartPolicy: container.RestartPolicy{Name: "always"},
 		Binds: []string{
-			"/var/lib/etcd:/etcd-data",
-			"/etc/kubernetes:/etc/kubernetes",
+			"/var/lib/etcd:/etcd-data:z",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode: "host",
 	}

services/etcd_test.go

@@ -13,7 +13,7 @@ const (
 	TestInitEtcdClusterString = "etcd-etcd1=https://1.1.1.1:2380,etcd-etcd2=https://2.2.2.2:2380"
 	TestEtcdImage             = "etcd/etcdImage:latest"
 	TestEtcdNamePrefix        = "--name=etcd-"
-	TestEtcdVolumeBind        = "/var/lib/etcd:/etcd-data"
+	TestEtcdVolumeBind        = "/var/lib/etcd:/etcd-data:z"
 	TestEtcdExtraArgs         = "--foo=bar"
 )
 

services/kubeapi.go

@@ -62,7 +62,7 @@ func buildKubeAPIConfig(host *hosts.Host, kubeAPIService v3.KubeAPIService, etcd
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},

services/kubeapi_test.go

@@ -12,7 +12,7 @@ const (
 	TestEtcdConnString      = "https://1.1.1.1:2379,https://2.2.2.2:2379"
 	TestKubeAPIImage        = "rancher/k8s:latest"
 	TestInsecureBindAddress = "--insecure-bind-address=127.0.0.1"
-	TestKubeAPIVolumeBind   = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeAPIVolumeBind   = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeAPIExtraArgs    = "--foo=bar"
 )
 

services/kubecontroller.go

@@ -51,7 +51,7 @@ func buildKubeControllerConfig(kubeControllerService v3.KubeControllerService, a
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},

services/kubecontroller_test.go

@@ -11,7 +11,7 @@ const (
 	TestKubeControllerClusterCidr           = "10.0.0.0/16"
 	TestKubeControllerServiceClusterIPRange = "10.1.0.0/16"
 	TestKubeControllerImage                 = "rancher/k8s:latest"
-	TestKubeControllerVolumeBind            = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeControllerVolumeBind            = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeControllerExtraArgs             = "--foo=bar"
 	TestClusterCidrPrefix                   = "--cluster-cidr="
 	TestServiceIPRangePrefix                = "--service-cluster-ip-range="

services/kubelet.go

@@ -44,6 +44,7 @@ func buildKubeletConfig(host *hosts.Host, kubeletService v3.KubeletService) (*co
 			"--allow-privileged=true",
 			"--cloud-provider=",
 			"--kubeconfig=" + pki.GetConfigPath(pki.KubeNodeCertName),
+			"--volume-plugin-dir=/var/lib/kubelet/volumeplugins",
 			"--require-kubeconfig=True",
 			"--fail-swap-on=" + strconv.FormatBool(kubeletService.FailSwapOn),
 		},
@@ -53,20 +54,19 @@ func buildKubeletConfig(host *hosts.Host, kubeletService v3.KubeletService) (*co
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
-			"/usr/libexec/kubernetes/kubelet-plugins:/usr/libexec/kubernetes/kubelet-plugins",
-			"/etc/cni:/etc/cni:ro",
-			"/opt/cni:/opt/cni:ro",
+			"/etc/kubernetes:/etc/kubernetes:z",
+			"/etc/cni:/etc/cni:ro,z",
+			"/opt/cni:/opt/cni:ro,z",
 			"/etc/resolv.conf:/etc/resolv.conf",
 			"/sys:/sys",
-			"/var/lib/docker:/var/lib/docker:rw",
-			"/var/lib/kubelet:/var/lib/kubelet:shared",
+			"/var/lib/docker:/var/lib/docker:rw,z",
+			"/var/lib/kubelet:/var/lib/kubelet:shared,z",
 			"/var/run:/var/run:rw",
 			"/run:/run",
 			"/etc/ceph:/etc/ceph",
 			"/dev:/host/dev",
-			"/var/log/containers:/var/log/containers",
-			"/var/log/pods:/var/log/pods"},
+			"/var/log/containers:/var/log/containers:z",
+			"/var/log/pods:/var/log/pods:z"},
 		NetworkMode:   "host",
 		PidMode:       "host",
 		Privileged:    true,

services/kubelet_test.go

@@ -13,7 +13,7 @@ const (
 	TestKubeletClusterDNSServer    = "10.1.0.3"
 	TestKubeletInfraContainerImage = "test/test:latest"
 	TestKubeletImage               = "rancher/k8s:latest"
-	TestKubeletVolumeBind          = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeletVolumeBind          = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeletExtraArgs           = "--foo=bar"
 	TestClusterDomainPrefix        = "--cluster-domain="
 	TestClusterDNSServerPrefix     = "--cluster-dns="

services/kubeproxy.go

@@ -38,7 +38,7 @@ func buildKubeproxyConfig(host *hosts.Host, kubeproxyService v3.KubeproxyService
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},

services/kubeproxy_test.go

@@ -9,7 +9,7 @@ import (
 
 const (
 	TestKubeproxyImage      = "rancher/k8s:latest"
-	TestKubeproxyVolumeBind = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeproxyVolumeBind = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeproxyExtraArgs  = "--foo=bar"
 )
 

services/scheduler.go

@@ -39,7 +39,7 @@ func buildSchedulerConfig(host *hosts.Host, schedulerService v3.SchedulerService
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},

services/scheduler_test.go

@@ -9,7 +9,7 @@ import (
 
 const (
 	TestSchedulerImage      = "rancher/k8s:latest"
-	TestSchedulerVolumeBind = "/etc/kubernetes:/etc/kubernetes"
+	TestSchedulerVolumeBind = "/etc/kubernetes:/etc/kubernetes:z"
 	TestSchedulerExtraArgs  = "--foo=bar"
 )