From 6b40a7d85df324b8556c9e4f2916e444dc0ca0a6 Mon Sep 17 00:00:00 2001
From: Guo Ruijing
Date: Wed, 30 May 2018 19:03:03 +0800
Subject: enable kata 1.0 + containerd 1.1
Change-Id: Idbeda8b36d067a7bd27a8ef19184c5bb5a6daa04
Signed-off-by: Guo Ruijing
---
 ci/deploy.sh | 1 +
 src/vagrant/kubeadm_kata/examples/nginx-app.sh | 7 +++-
 src/vagrant/kubeadm_kata/examples/nginx-app.yaml | 2 ++
 src/vagrant/kubeadm_kata/kata_setup.sh | 42 ++++++++++++------------
 src/vagrant/kubeadm_kata/master_setup.sh | 12 +++----
 src/vagrant/kubeadm_kata/worker_setup.sh | 14 +-------
 6 files changed, 36 insertions(+), 42 deletions(-)
diff --git a/ci/deploy.sh b/ci/deploy.sh
index 58f8385..aa9e5fd 100755
--- a/ci/deploy.sh
+++ b/ci/deploy.sh
@@ -24,6 +24,7 @@ SCENARIOS="kubeadm_basic kubeadm_virtlet kubeadm_ovsdpdk kubeadm_istio + kubeadm_kata " DEFAULT_TIMEOUT=3600
diff --git a/src/vagrant/kubeadm_kata/examples/nginx-app.sh b/src/vagrant/kubeadm_kata/examples/nginx-app.sh
index 96d776c..a66b7ca 100755
--- a/src/vagrant/kubeadm_kata/examples/nginx-app.sh
+++ b/src/vagrant/kubeadm_kata/examples/nginx-app.sh
@@ -20,6 +20,11 @@ kubectl get nodes
 kubectl get services
 kubectl get pods
 kubectl get rc
-sleep 180
+r=0
+while [ "$r" -eq "0" ]
+do
+ sleep 30
+ r=$(kubectl get pods | grep Running | wc -l)
+done
 svcip=$(kubectl get services nginx -o json | grep clusterIP | cut -f4 -d'"')
 wget http://$svcip
diff --git a/src/vagrant/kubeadm_kata/examples/nginx-app.yaml b/src/vagrant/kubeadm_kata/examples/nginx-app.yaml
index f80881a..9de4ef4 100644
--- a/src/vagrant/kubeadm_kata/examples/nginx-app.yaml
+++ b/src/vagrant/kubeadm_kata/examples/nginx-app.yaml
@@ -23,6 +23,8 @@ spec:
 metadata:
 labels:
 app: nginx
+ annotations:
+ io.kubernetes.cri.untrusted-workload: "true"
 spec:
 containers:
 - name: nginx
diff --git a/src/vagrant/kubeadm_kata/kata_setup.sh b/src/vagrant/kubeadm_kata/kata_setup.sh
index c14d844..53a2bbf 100644
--- a/src/vagrant/kubeadm_kata/kata_setup.sh
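Review bot: In nginx-app.sh the new wait loop has no upper bound and no pod selector, so if the Kata-backed pod never reaches Running the script spins until the CI job timeout, and any other Running pod in the namespace ends the wait early. Running is also not the same as Ready, so the `wget` that follows can still race the container start. A bounded wait on the `app=nginx` label (the template label shown in nginx-app.yaml) that exits non-zero with a message would turn a broken runtime into a clear failure; a sketch follows.

```shell
# Wait up to 10 minutes for an nginx pod, then fail loudly.
tries=0
until kubectl get pods -l app=nginx --no-headers | grep -q Running
do
  tries=$((tries + 1))
  if [ "$tries" -gt 20 ]; then
    echo "nginx pods did not reach Running" >&2
    exit 1
  fi
  sleep 30
done
# … unchanged: svcip lookup and wget …
```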
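Review bot: In nginx-app.yaml the `io.kubernetes.cri.untrusted-workload` annotation is the only thing that routes this pod to the Kata runtime, and nothing in the example verifies that it took effect. The `sed` edits in kata_setup.sh that set `runtime_engine` change nothing and report no error if their pattern does not match, and this example would not obviously detect that (how cri-containerd then treats the pod should be confirmed). A comment above the annotation would help readers, e.g. `# run this pod with the untrusted_workload_runtime (kata-runtime) configured in kata_setup.sh`. The pod template continues outside the hunk.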
+++ b/src/vagrant/kubeadm_kata/kata_setup.sh 
@@ -17,27 +17,27 @@ set -ex
-cat << EOF | sudo tee /etc/apt/sources.list.d/cc-oci-runtime.list
-deb http://download.opensuse.org/repositories/home:/clearcontainers:/clear-containers-3/xUbuntu_16.04/ /
-EOF
-curl -fsSL http://download.opensuse.org/repositories/home:/clearcontainers:/clear-containers-3/xUbuntu_16.04/Release.key | sudo apt-key add -
-sudo apt-get update
-sudo apt-get install -y cc-oci-runtime
+sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/katacontainers:/release/xUbuntu_$(lsb_release -rs)/ /' > /etc/apt/sources.list.d/kata-containers.list"
+curl -sL http://download.opensuse.org/repositories/home:/katacontainers:/release/xUbuntu_$(lsb_release -rs)/Release.key | sudo apt-key add -
+sudo -E apt-get update
+sudo -E apt-get -y install kata-runtime kata-proxy kata-shim
+sudo -E apt-get -y install libseccomp2
-echo | sudo add-apt-repository ppa:projectatomic/ppa
-sudo apt-get update
-sudo apt-get install -y cri-o
-sudo sed -i 's,runtime_untrusted_workload.*,runtime_untrusted_workload = "/usr/bin/cc-runtime",' /etc/crio/crio.conf
-sudo sed -i 's,cgroup_manager.*,cgroup_manager = "cgroupfs",' /etc/crio/crio.conf
-sudo sed -i 's,default_workload_trust.*,default_workload_trust = "untrusted",' /etc/crio/crio.conf
-sudo sed -i 's,^registries.*,registries = [ "docker.io",' /etc/crio/crio.conf
-sudo systemctl enable crio
-sudo systemctl daemon-reload
-sudo systemctl restart crio
+wget http://storage.googleapis.com/cri-containerd-release/cri-containerd-1.1.0.linux-amd64.tar.gz >& /dev/null
+sudo tar -C / -xzf cri-containerd-1.1.0.linux-amd64.tar.gz
+sudo systemctl start containerd
+sudo mkdir -p /opt/cni/bin
+sudo mkdir -p /etc/cni/net.d
+sudo mkdir -p /etc/containerd
+containerd config default | sudo tee /etc/containerd/config.toml
+sudo sed -i "/.*untrusted_workload_runtime.*/,+5s/runtime_type.*/runtime_type=\"io.containerd.runtime.v1.linux\"/" /etc/containerd/config.toml
+sudo sed -i "/.*untrusted_workload_runtime.*/,+5s/runtime_engine.*/runtime_engine=\"kata-runtime\"/" /etc/containerd/config.toml
+sudo systemctl restart containerd
+
+cat << EOF | sudo tee /etc/systemd/system/kubelet.service.d/0-containerd.conf
+[Service]
+Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --runtime-request-timeout=15m --container-runtime-endpoint=unix:///run/containerd/containerd.sock"
+EOF
-sudo systemctl stop kubelet
-echo "Modify kubelet systemd configuration to use CRI-O"
-k8s_systemd_file="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
-sudo sed -i '/KUBELET_AUTHZ_ARGS/a Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --container-runtime-endpoint=/var/run/crio/crio.sock --runtime-request-timeout=30m"' "$k8s_systemd_file"
 sudo systemctl daemon-reload
-sudo systemctl start kubelet
+sudo systemctl restart kubelet
diff --git a/src/vagrant/kubeadm_kata/master_setup.sh b/src/vagrant/kubeadm_kata/master_setup.sh
index 41dadf0..3f1177e 100644
--- a/src/vagrant/kubeadm_kata/master_setup.sh
+++ b/src/vagrant/kubeadm_kata/master_setup.sh
@@ -17,18 +17,16 @@ set -ex
-sudo kubeadm init --skip-preflight-checks --apiserver-advertise-address=192.168.1.10 --service-cidr=10.96.0.0/16 --pod-network-cidr=10.32.0.0/12 --token 8c5adc.1cec8dbf339093f0
+sudo kubeadm init --skip-preflight-checks --apiserver-advertise-address=192.168.1.10 --service-cidr=10.96.0.0/16 --pod-network-cidr=10.244.0.0/16 --token 8c5adc.1cec8dbf339093f0
 mkdir ~/.kube
 sudo cp /etc/kubernetes/admin.conf .kube/config
 sudo chown $(id -u):$(id -g) ~/.kube/config
-kubectl apply -f http://git.io/weave-kube-1.6
+kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
-r=1
-while [ "$r" -ne "0" ]
+r=0
+while [ "$r" -ne "1" ]
 do
 sleep 30
- r=$(kubectl get pods -n kube-system | grep weave-net | grep -v Run | wc -l)
+ r=$(kubectl get pods -n kube-system | grep -v Running | wc -l)
 done
-
-sudo systemctl restart crio
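Review bot: In kata_setup.sh the added lines fetch the Kata apt repository, its `Release.key` and the cri-containerd 1.1.0 tarball over plain `http://` and then trust them as root: the key is piped to `apt-key add -` and the tarball is unpacked with `sudo tar -C /` without any digest check. Anything on the network path could substitute the key or the archive. The `curl` line also lost `-f` (the removed line used `-fsSL`), so an HTTP error body is handed to apt-key instead of stopping the script, and `>& /dev/null` hides wget's diagnostics. Suggest https URLs, `curl -fsSL`, and a pinned SHA-256 for the tarball, sketched below with a placeholder digest.

```shell
kata_repo="https://download.opensuse.org/repositories/home:/katacontainers:/release/xUbuntu_$(lsb_release -rs)"
sudo sh -c "echo 'deb ${kata_repo}/ /' > /etc/apt/sources.list.d/kata-containers.list"
curl -fsSL "${kata_repo}/Release.key" | sudo apt-key add -
# … unchanged: apt-get update and package installs …
cri_tarball="cri-containerd-1.1.0.linux-amd64.tar.gz"
# Placeholder: set to the digest published for this release.
cri_sha256="<EXPECTED_SHA256>"
wget -q "https://storage.googleapis.com/cri-containerd-release/${cri_tarball}"
echo "${cri_sha256}  ${cri_tarball}" | sha256sum -c -
sudo tar -C / -xzf "${cri_tarball}"
# … unchanged: containerd start, CNI dirs, config.toml edits, kubelet drop-in …
```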
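Review bot: In master_setup.sh the flannel manifest is applied from the mutable `master` branch, so each run applies whatever that branch holds at the time, using the admin kubeconfig copied just above; pin it to a release tag or commit, e.g. `kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/<PINNED_TAG_OR_COMMIT>/Documentation/kube-flannel.yml`. The rewritten wait loop exits when exactly one line of `kubectl get pods -n kube-system` lacks `Running`, which relies on the header row being that line. It has no retry cap, and it keeps looping if kubectl prints nothing. A bounded retry count and a comment such as `# r counts the header row, so r == 1 means every pod is Running` would make the intent explicit.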
diff --git a/src/vagrant/kubeadm_kata/worker_setup.sh b/src/vagrant/kubeadm_kata/worker_setup.sh
index 6145793..b717291 100644
--- a/src/vagrant/kubeadm_kata/worker_setup.sh
+++ b/src/vagrant/kubeadm_kata/worker_setup.sh
@@ -18,16 +18,4 @@ set -ex
 sudo kubeadm join --discovery-token-unsafe-skip-ca-verification \
 --token 8c5adc.1cec8dbf339093f0 192.168.1.10:6443 \
- --ignore-preflight-errors=SystemVerification,FileContent--proc-sys-net-bridge-bridge-nf-call-iptables
-
-sudo apt-get install -y putty-tools
-mkdir ~/.kube
-r=1
-while [ "$r" -ne "0" ]
-do
- sleep 30
- echo "y\n" | plink -ssh -pw vagrant vagrant@master "cat ~/.kube/config" > ~/.kube/config || true
- r=$(kubectl get pods -n kube-system | grep weave-net | grep -v Run | wc -l)
-done
-
-sudo systemctl restart crio
+ --ignore-preflight-errors=SystemVerification,CRI,FileContent--proc-sys-net-bridge-bridge-nf-call-iptables
-- cgit 1.2.3-korg
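Review bot: In worker_setup.sh the added `CRI` entry in `--ignore-preflight-errors` switches off kubeadm's check of the container runtime, so a worker whose containerd is not running would still attempt the join and fail later with a less direct error. If the check is skipped only because the preflight probe does not work against the containerd socket (an assumption; the commit does not say), a comment above the `sudo kubeadm join` line should record that, e.g. `# CRI preflight skipped: <reason>`. The unchanged lines of the same command still pair a fixed token with `--discovery-token-unsafe-skip-ca-verification`, which is tolerable only for a throwaway Vagrant lab; `--discovery-token-ca-cert-hash sha256:<HASH>` is the verified alternative.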