packaging: Add post-installation fixup for systemd-resolved for kubelet #63632
/sig cluster-lifecycle
/assign luxas as the main discussant from kubeadm office hours on 2018-06-09
build/debs/postinst.sh
Outdated
@@ -0,0 +1,10 @@ | |||
#!/bin/sh | |||
|
|||
if [ -f "/run/systemd/resolve/resolv.conf" ]; then |
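Review bot: the file-existence test in the if line decides the kubelet DNS override once, at package install time, so a host where systemd-resolved is stopped, or is enabled or disabled after the package is installed, ends up with a resolver setting that no longer matches the system. Test the service state rather than the file, and say in a comment that the result only reflects the host as it was at installation. The lines shown also go from the #!/bin/sh shebang straight to the if with no set -e, so a failing command in the rest of the script would not abort the postinst; add set -e after the shebang.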
What if the systemd-resolved service is stopped, this file exists and contains old data? We should probably change this check to:
if systemctl is-active systemd-resolved; then
Agreed. Will update when I've got a moment
Resolved in newer commit. Will squash after approval.
8f3d5f2 to 8bb72e5
/ok-to-test
f1ce8f0 to d67dc06
/lgtm
/test pull-kubernetes-e2e-gce
/assign
Related to kubernetes/kubeadm#273
A couple comments/questions:
Fedora isn't currently using As far as k/release goes, I can't see package builds happening there, just the rule definition of
We use dpkg-buildpackage in k8s.io/release. See here
ad4d130 to c870d57
Check if systemd-resolved is active and if so place a systemd override to set up the DNS resolution correctly. Signed-off-by: Naadir Jeewa <naadir@randomvariable.co.uk>
c870d57 to 08af346
@mikedanese ah, thanks. as we have per distro builds there i would do it differently. will open issue
/test pull-kubernetes-integration
/test pull-kubernetes-e2e-gce
08af346 to 55de637
/test pull-kubernetes-e2e-kops-aws
/test pull-kubernetes-e2e-gce
/test pull-kubernetes-e2e-kops-aws
/test pull-kubernetes-e2e-kops-aws
/test pull-kubernetes-e2e-gce
/lgtm
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: detiber, randomvariable Assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/test pull-kubernetes-e2e-gce
/test pull-kubernetes-e2e-gce
/test pull-kubernetes-e2e-gce
/test pull-kubernetes-e2e-gce
/joke
@neolit123: I had a dream that I was a muffler last night. I woke up exhausted! In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
See kubernetes/kubeadm#845 for an alternative approach.
I think it makes a lot of sense to have all kubelet flags managed by the Kubernetes installer (kubeadm in this case) and keep any post-install logic out of the kubelet package.
I agree. Was initially worried about getting too close to release and not having something working out of the box on Ubuntu 18.04.
@randomvariable Please do work on implementing kubernetes/kubeadm#845 ;) I do agree with you both though that minimizing what the debs/rpms do, and letting the installer (in this case kubeadm) have full control over the env makes a lot of sense. We don't have any other post-install logic or preferred args for the kubelet as-is either. With default args the kubelet is kinda useless (no authn/authz for example), it really depends on getting all the bits in place. So I'm gonna close this for now, and say we're letting kubeadm control all the bits. If we can't get that to happen, we can always reopen this as a last resort to getting it fixed for the v1.11 release.
Yeah, defo treat this as last resort. Can start on kubernetes/kubeadm#845 later in the week.
What this PR does / why we need it:
On systemd-resolved based systems, /etc/resolv.conf gets rewritten such that the listed nameserver is not compatible with containers run by kubelet.
This PR adds a post-installation script to Debian packaging to check if /run/systemd/resolve/resolv.conf is available, and if so place a systemd override for kubelet to set up the DNS resolution correctly.
This is needed for at least all versions of Ubuntu 17.10 onwards.
Additionally, a small fix up to kubernetes-cni to ensure /opt/cni/bin exists, otherwise package doesn't install on minimal Ubuntu installs.
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Related to kubernetes/kubeadm#787
Not marking as fixed, as other tasks need to be considered:
Special notes for your reviewer:
This is still using the deprecated command line flags, but is a minimal change which should get these distros working out of the box. It may also be at odds to the dynamic kubelet configuration.
Release note:
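The selection described in this PR, as an added example that is not part of the PR or of the Kubernetes packaging: it chooses which resolv.conf to hand to kubelet (through its --resolv-conf flag) by checking whether the system file lists only loopback nameservers, such as the 127.0.0.53 stub that systemd-resolved writes, and whether the upstream file is actually usable. This goes beyond the PR's file-existence check; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the PR. Names and sample files are constructed.

# Print each nameserver address in a resolv.conf-style file.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed if the file lists nameservers and every one is loopback
# (127.0.0.0/8 or ::1), which a pod's network namespace cannot reach.
only_loopback() {
    [ -r "$1" ] || return 1
    ns=$(nameservers "$1")
    [ -n "$ns" ] || return 1
    for addr in $ns; do
        case "$addr" in
            127.*|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the file kubelet should read: $1 = system resolv.conf,
# $2 = upstream file maintained by systemd-resolved.
choose_resolv_conf() {
    if only_loopback "$1" && [ -r "$2" ] \
        && [ -n "$(nameservers "$2")" ] && ! only_loopback "$2"; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$1"
    fi
}

# Constructed stand-ins for /etc/resolv.conf and
# /run/systemd/resolve/resolv.conf; nothing on the host is read.
demo() {
    d=$(mktemp -d)
    printf 'nameserver 127.0.0.53\noptions edns0\n' > "$d/stub.conf"
    printf 'nameserver 192.0.2.53\nsearch example.test\n' > "$d/upstream.conf"
    printf 'nameserver 192.0.2.1\n' > "$d/static.conf"
    choose_resolv_conf "$d/stub.conf" "$d/upstream.conf"    # upstream file
    choose_resolv_conf "$d/static.conf" "$d/upstream.conf"  # system file kept
    choose_resolv_conf "$d/stub.conf" "$d/missing.conf"     # no upstream: system file
    rm -rf "$d"
}

demo
```

A missing, empty or loopback-only upstream file leaves the system file in place, which covers the stale-file case raised in the review comment above.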