diff --git a/images/base/entrypoint b/images/base/entrypoint
index 990009d4f6..8e1f5f5c52 100755
--- a/images/base/entrypoint
+++ b/images/base/entrypoint
@@ -37,12 +37,9 @@ fix_mount() {
 # and this flag also happens to make /sys rw, amongst other things
 mount -o remount,ro /sys
- echo 'INFO: making mounts shared for "/", "/run", "/var/lib/containerd"'
+ echo 'INFO: making mounts shared'
 # for mount propagation
- # TODO(bentheelder): determine which exact mounts we need to do this on
- mount --make-shared /
- mount --make-shared /run
- mount --make-shared /var/lib/containerd
+ mount --make-rshared /
 }
 fix_machine_id() {
diff --git a/pkg/build/node/node.go b/pkg/build/node/node.go
index d038e8e00f..7ca6953d4a 100644
--- a/pkg/build/node/node.go
+++ b/pkg/build/node/node.go
@@ -44,7 +44,7 @@ import (
 const DefaultImage = "kindest/node:latest"
 // DefaultBaseImage is the default base image used
-const DefaultBaseImage = "kindest/base:v20190708-022110d@sha256:8acfd3b9b8a3a42385a761f8c6aa3bdad4241cac220c12d3309f1b7a6d70af24"
+const DefaultBaseImage = "kindest/base:v20190819-26e1eb5@sha256:e609eaa7853289ef603db647ae9568b32093b2347f839a2117d98a08bfc7ab17"
 // DefaultMode is the default kubernetes build mode for the built image
 // see pkg/build/kube.Bits
@@ -320,15 +320,6 @@ func (c *BuildContext) buildImage(dir string) error {
 // Save the image changes to a new image
 cmd := exec.Command(
 "docker", "commit",
- /*
- The snapshot storage must be a volume to avoid overlay on overlay
-
- NOTE: we do this last because changing a volume with a docker image
- must occur before defining it.
-
- See: https://docs.docker.com/engine/reference/builder/#volume
- */
- "--change", `VOLUME [ "/var/lib/containerd" ]`,
 // we need to put this back after changing it when running the image
 "--change", `ENTRYPOINT [ "/usr/local/bin/entrypoint", "/sbin/init" ]`,
 containerID, c.image,
diff --git a/pkg/cluster/nodes/create.go b/pkg/cluster/nodes/create.go
index c3a8ddde6d..86c3d97072 100644
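Review bot: The surviving comment `# for mount propagation` no longer says why the propagation change is now recursive over the entire tree rather than the three explicit targets it replaced, so the next reader has to rediscover the reasoning. Suggest replacing it with `# recursively mark every mount under / shared; the nested runtime presumably depends on shared propagation for mounts it creates later — confirm which consumers need this`. Whether a failure of this single mount call aborts the script depends on a `set -e` that is outside the hunk; if the script does not exit on error, `mount --make-rshared / || exit 1` avoids continuing with broken propagation. fix_mount begins before the hunk.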
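Review bot: Nothing in buildImage now records that containerd's snapshot storage has to live outside the container filesystem; the requirement moved to the run-time `"--volume", "/var"` flag in pkg/cluster/nodes/create.go in this same commit, so anyone starting the node image without that flag silently gets the overlay-on-overlay layout the removed comment warned about. Suggest keeping a short note next to the remaining `--change`: `// NOTE: containerd/kubelet storage is kept off the container filesystem by the --volume /var run flag in pkg/cluster/nodes/create.go, not by a VOLUME baked into the image`. buildImage starts and ends outside the hunk.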
--- a/pkg/cluster/nodes/create.go
+++ b/pkg/cluster/nodes/create.go
@@ -133,8 +133,8 @@ func CreateWorkerNode(name, image, clusterLabel string, mounts []cri.Mount, port
 // effectively be paused until we call actuallyStartNode(...)
 func createNode(name, image, clusterLabel, role string, mounts []cri.Mount, portMappings []cri.PortMapping, extraArgs ...string) (handle *Node, err error) {
 runArgs := []string{
- "-d", // run the container detached
- "-t", // allocate a tty for entrypoint logs
+ "--detach", // run the container detached
+ "--tty", // allocate a tty for entrypoint logs
 // running containers in a container requires privileged
 // NOTE: we could try to replicate this with --cap-add, and use less
 // privileges, but this flag also changes some mounts that are necessary
@@ -142,14 +142,17 @@ func createNode(name, image, clusterLabel, role string, mounts []cri.Mount, port
 // for now this is what we want. in the future we may revisit this.
 "--privileged",
 "--security-opt", "seccomp=unconfined", // also ignore seccomp
+ // runtime temporary storage
 "--tmpfs", "/tmp", // various things depend on working /tmp
 "--tmpfs", "/run", // systemd wants a writable /run
- // some k8s things want /lib/modules
- "-v", "/lib/modules:/lib/modules:ro",
- // ensure pods etc. are not on container filesystem
- // TODO: we could do this in the image instead
- // However this would leave old images with this issue
- "-v", "/var/lib/kubelet",
+ // runtime persistent storage
+ // this ensures that E.G. pods, logs etc. are not on the container
+ // filesystem, which is not only better for performance, but allows
+ // running kind in kind for "party tricks"
+ // (please don't depend on doing this though!)
+ "--volume", "/var",
+ // some k8s things want to read /lib/modules
+ "--volume", "/lib/modules:/lib/modules:ro",
 "--hostname", name, // make hostname match container name
 "--name", name, // ... and set the container name
 // label the node with the cluster ID
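Review bot: `"--volume", "/var"` creates an anonymous Docker volume per node that now holds everything under /var (containerd image store, kubelet data, logs), and anonymous volumes are not removed by `docker rm` unless the removal passes `-v`/`--volumes`; the previous `/var/lib/kubelet` volume had the same lifetime but a far smaller footprint. The node deletion path is outside this diff, so confirm it removes volumes, otherwise repeated create/delete cycles leave growing orphaned data in the Docker volume store. A comment next to the flag would make the coupling visible: `// NOTE: anonymous volume — node deletion must remove it (docker rm -v) or the data is orphaned`. createNode's body continues past the hunk.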