base for image stamping #25

Merged 1 commit, Aug 30, 2018

Conversation

@vincepri (Member) commented Aug 27, 2018

This is an initial port from wardroom adding support for containerd in Ubuntu (RHEL to follow).

Fixes #12

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 27, 2018
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 27, 2018
@chuckha (Contributor) commented Aug 27, 2018

Thoughts on purging the wardroom name in favor of something more descriptive like 'kubernetes-image', 'kubeadm-image', or 'cluster-api-provider-aws-image'?

images/README.md Outdated
| Variable | Default | Description |
|----------|---------|-------------|
| build_version | unset | A unique build version for the image |
| kubernetes_version | 1.9.5-00 | Kubernetes Version to install |
Review comment (Member):

We should probably default to the latest available stable version here, same with kubernetes_cni_version.

images/README.md Outdated
| kubernetes_version | 1.9.5-00 | Kubernetes Version to install |
| kubernetes_cni_version | 0.6.0-00 | CNI Version to install |

For exmaple, to build all images for use with Kubernetes 1.8.9 for build version 1:
Review comment (Member):

comment doesn't align with the snippet below.

images/README.md Outdated

- A Google Cloud account
- The gcloud CLI installed and configured
- A precreated service account json file
Review comment (Member):

We should remove any references to GCP image building here.

images/ansible/filter_plugins/kube.py (resolved thread, collapsed)
- name: install python
raw: bash -c "test -e /usr/bin/python || (apt-get -qqy update && apt-get install -qqy python python-pip)"
register: output
changed_when: output.stdout != ""
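Review bot: the idempotence check `changed_when: output.stdout != ""` treats any stdout as a change, so an apt warning or a locale message on a host that already has python will report the task as changed, and the inverse (a quiet install) reports it as unchanged; a deterministic signal is better, such as a separate `raw: test -e /usr/bin/python` step whose return code gates the install with `when`. Also, `python-pip` is not needed for Ansible to run its modules; dropping it keeps the base image smaller and avoids shipping an unpinned package tool in every AMI.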
Review comment (Member):

This is a bit of an ugly hack that we can most likely avoid by using a shell provisioner script in packer instead.

@@ -0,0 +1,9 @@
---
kubernetes_version: "{{ kubernetes.version if kubernetes_version_defined else '1.9.3-00' }}"
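Review bot: the fallback `'1.9.3-00'` disagrees with the README table, which documents the default `kubernetes_version` as `1.9.5-00`; keep one source of truth (the role default) and make the README read from it, or at least keep the two in step. The `-00` suffix is also a Debian package revision, so this default only makes sense on the apt path; the RHEL port mentioned in the description will need a distro-neutral version variable with the revision appended per package manager.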
Review comment (Member):

Kill all the backwards compat for kubernetes.* variables here and switch to simple defaults.

Default for versions should probably be an empty string or undefined, and the role should default to latest available release version if not specified.

At some point we may want to consider a way to handle alpha/beta/rc releases as well, but that isn't a priority for the MVP.

docker_image:
name: "{{ item }}"
with_items: kubernetes_cached_images
when: kubernetes_enable_cached_images | bool
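Review bot: `with_items: kubernetes_cached_images` uses the bare-variable loop form that Ansible has deprecated; if this block is kept, quote it as `with_items: "{{ kubernetes_cached_images }}"` so it keeps working on newer Ansible releases.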
Review comment (Member):

Let's kill the cached image handling for now, especially since it is docker specific.

RestartSec=10

[Install]
WantedBy=multi-user.target
Review comment (Member):

We shouldn't need this systemd unit file, it should be managed by the kubelet/kubeadm packages.

Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local"
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_EXTRA_ARGS
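Review bot: the drop-in hard-codes `--cluster-dns=10.96.0.10` and `--cluster-domain=cluster.local`, which only match kubeadm's default service CIDR (10.96.0.0/12) and DNS domain; a cluster created with a different `serviceSubnet` or `dnsDomain` will boot nodes whose kubelet points at a DNS address that does not exist. These are cluster-level values, not image-level ones, so let kubeadm write them at init/join time rather than baking them into the AMI.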
Review comment (Member):

For kubernetes v1.11+, we should be setting values in /var/lib/kubelet/kubeadm-flags.env instead of overriding the unit files here.

kubernetes_apt_key_url_defined: "{{ kubernetes is defined and 'apt_key_url' in kubernetes }}"
kubernetes_apt_repo_string_defined: "{{ kubernetes is defined and 'apt_repo_string' in kubernetes }}"
kubernetes_yum_baseurl_defined: "{{ kubernetes is defined and 'yum_baseurl' in kubernetes }}"
kubernetes_yum_gpgkey_defined: "{{ kubernetes is defined and 'yum_gpgkey' in kubernetes }}"
Review comment (Member):

This is all backward compat crud.

@detiber (Member) commented Aug 27, 2018

@chuckha good point on the naming. @vincepri we'll also need to migrate over the python tool for sync'ing images. I'm also thinking that it might be a good idea to use that python tool for wrapping the interaction with packer for common use cases as well.

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 27, 2018
@vincepri (Member, Author) commented:

@detiber thanks for the review! Fixed most comments and updated the PR. I didn't initially migrate the wardroom tool because we should be able to use packer directly to copy images to different regions; this line is a list of regions we want to copy the images to. Thoughts?

@detiber (Member) commented Aug 27, 2018

> @detiber thanks for the review! Fixed most comments and updated the PR. I didn't initially migrate the wardroom tool because we should be able to use packer directly to copy images to different regions; this line is a list of regions we want to copy the images to. Thoughts?

Nice, I think that would work for the general user use case, but we will still probably want some tooling for the community AMI building. The wardroom tool for example will sync to all available regions in the client config and ensure the images are public.

@@ -0,0 +1,3 @@
---
kubernetes_version: ""
kubernetes_cni_version: ""
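Review bot: an empty-string default for `kubernetes_version` and `kubernetes_cni_version` is handed straight to the `kube_platform_version` filter, so the intended "latest available" behaviour depends on that filter tolerating `""`; make the branch explicit (for example `when: kubernetes_version | length == 0` selects latest, otherwise the pinned value is installed). Because a floating default means two builds with the same `build_version` can contain different Kubernetes packages, record the resolved package versions in the AMI tags so an image can be traced back to what it actually shipped.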
Review comment (Member):

Does this behave correctly with the defaults here? It appears this may fail, since we are passing the value into the kube_platform_version filter.

images/packer/packer.json (two resolved threads, outdated, collapsed)
@detiber detiber added this to the Initial MVP milestone Aug 30, 2018
@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 30, 2018
@vincepri vincepri changed the title WIP: image stamping base for image stamping Aug 30, 2018
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 30, 2018
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Aug 30, 2018
images/README.md (two resolved threads, outdated, collapsed)
images/README.md Outdated
}
]
}
```
Review comment (Member):

Have you been able to test using these limited permissions? I'm wondering if the use of ami_groups or ami_regions adds additional requirements.

Review comment (Member, Author):

I've updated the permissions to match the official packer suggested ones, which include permissions to modify image attributes, needed for ami_groups to function. The ami_regions should be good too.

"ssh_username": "centos",
"tags": {
"build_version": "{{user `build_version`}}",
"source_ami": "{{user `centos_7_4_ami`}}",
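Review bot: if `source_ami` is ever replaced by a `source_ami_filter`, pin `owners` to the publisher's account ID alongside `most_recent: true`; a name-only filter across all public AMIs lets anyone who publishes a public image with a matching name become the base of the build. Recording the resolved `source_ami` in the tags, as this block does, is worth keeping either way, since it documents which base image each build actually started from.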
Review comment (Member):

I'm wondering if we can use source_ami_filter here instead to be able to automatically choose the newest base image rather than having to hard code it into a variable file like we are currently doing.

Thoughts?

Review comment (Member, Author):

Yeah. I was actually going to change it to use the official versions. The reason I left it untouched is that with the current behavior it's easier for folks to provide their own base image, which might contain different drivers/tweaks/security tools.
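A pre-flight check for two points raised in this review, pinning `owners` in `source_ami_filter` and the extra EC2 permissions that `ami_groups` and `ami_regions` need, as an added example; it is not code from this PR or from the project. The template, the IAM policy and the option-to-action mapping are constructed for illustration, and the owner account ID is a placeholder.

```python
"""Pre-flight checks for a Packer amazon-ebs template (added example).

check_template() flags two things discussed in this review:
  1. a source_ami_filter without `owners`, which lets any public AMI whose
     name matches become the base image;
  2. `ami_groups` / `ami_regions` set without the EC2 actions they need
     (ec2:ModifyImageAttribute / ec2:CopyImage) in the builder's IAM policy.
"""

# Option -> extra EC2 action it requires. Assumed from the Packer amazon-ebs
# docs; confirm against the docs for the Packer version in use.
EXTRA_ACTIONS = {
    "ami_groups": "ec2:ModifyImageAttribute",
    "ami_regions": "ec2:CopyImage",
}


def allowed_actions(policy):
    """Collect the actions granted by the Allow statements of an IAM policy."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def action_allowed(action, allowed):
    """True if `action` is covered, honouring `*` and trailing-`*` wildcards."""
    for pattern in allowed:
        if pattern == "*" or pattern == action:
            return True
        if pattern.endswith("*") and action.startswith(pattern[:-1]):
            return True
    return False


def check_template(template, policy):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    allowed = allowed_actions(policy)
    for index, builder in enumerate(template.get("builders", [])):
        if builder.get("type") != "amazon-ebs":
            continue
        name = builder.get("name", "builders[%d]" % index)
        flt = builder.get("source_ami_filter")
        if flt is not None and not flt.get("owners"):
            findings.append(
                "%s: source_ami_filter has no 'owners'; the newest public AMI "
                "matching the name filter, from any account, would be used" % name
            )
        if flt is None and "source_ami" not in builder:
            findings.append("%s: neither source_ami nor source_ami_filter is set" % name)
        for option, action in EXTRA_ACTIONS.items():
            if builder.get(option) and not action_allowed(action, allowed):
                findings.append(
                    "%s: '%s' is set but the IAM policy does not allow %s"
                    % (name, option, action)
                )
    return findings


# Constructed sample input: two builders and a deliberately incomplete policy.
# "123456789012" is a placeholder for the real publisher account ID.
SAMPLE_TEMPLATE = {
    "builders": [
        {
            "name": "ubuntu-1804",
            "type": "amazon-ebs",
            "source_ami_filter": {
                "filters": {"name": "ubuntu-bionic-18.04-amd64-server-*"},
                "owners": ["123456789012"],
                "most_recent": True,
            },
            "ami_regions": ["us-east-1", "us-west-2"],
        },
        {
            "name": "centos-7",
            "type": "amazon-ebs",
            "source_ami_filter": {
                "filters": {"name": "CentOS Linux 7 x86_64 HVM EBS*"},
                "most_recent": True,
            },
            "ami_groups": ["all"],
            "ami_regions": ["us-east-1"],
        },
    ]
}

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:RunInstances", "ec2:CreateImage",
                       "ec2:CopyImage", "ec2:Describe*"],
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE, SAMPLE_POLICY):
        print(finding)
```

Run against the real packer.json and the builder's IAM policy before a build: an empty result means base-image provenance and permissions are as intended, while a failing `ami_groups` check is exactly the symptom behind the question above about whether the limited policy works with ami_groups.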

@vincepri (Member, Author) commented:

@detiber Fixed / replied to the other comments. I think this is ready to be merged in. 😊

@chuckha (Contributor) commented Aug 30, 2018

Do these files need the licensing stanza at the top?

@vincepri (Member, Author) commented:

All done! Thanks @chuckha

@detiber (Member) left a review comment:

Let's get the licensing wrapped up and these commits squashed and get this merged :)

@@ -1,3 +1,17 @@
# Copyright 2018 Heptio Inc.
Review comment (Member):

s/Heptio/The Kubernetes Authors/

We should probably have this on all the Ansible yaml files as well.

Signed-off-by: Vince Prignano <vince@vincepri.com>
@vincepri (Member, Author) commented:

@detiber License notices added, squashed commits.

@detiber (Member) commented Aug 30, 2018

/ok-to-test
/lgtm

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 30, 2018
@detiber (Member) commented Aug 30, 2018

/approve

@k8s-ci-robot (Contributor) commented:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: detiber, vincepri

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 30, 2018
@k8s-ci-robot k8s-ci-robot merged commit f103494 into kubernetes-sigs:master Aug 30, 2018
enxebre pushed a commit to enxebre/cluster-api-provider-aws-2 that referenced this pull request Sep 28, 2018
…same-ami

Make all examples use ami-060f14ef82deddfc6
@vincepri vincepri deleted the aws-images branch October 15, 2018 19:56