fix: docker.service file

+ some work on flannel integration, not completed yet. See also flannel-io/flannel#799 for an issue why iptables rules need to be changed.
rhuss · Oct 12, 2017 · 99e0bf4 · 99e0bf4
1 parent 8bf6311
commit 99e0bf4
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 7 deletions.
diff --git a/roles/kubernetes/defaults/main.yml b/roles/kubernetes/defaults/main.yml
@@ -1,10 +1,10 @@
 reset: false
-overlay_network: weave
+overlay_network: flannel
 network:
   service_subnet: 10.200.100.0/24
   pod_subnet: 10.1.0.0/16
 images:
-  flannel: quay.io/coreos/flannel:v0.7.0-arm
+  flannel: quay.io/coreos/flannel:v0.9.0-arm
   weave: weaveworks/weave-kube:2.0.4
   weave_npc: weaveworks/weave-npc:2.0.4
 k8s:

diff --git a/roles/kubernetes/tasks/cni/flannel.yml b/roles/kubernetes/tasks/cni/flannel.yml
@@ -1,7 +1,32 @@
-- name: Create flannel resources
+# Please note, this is still work in progress
+# Especially saving of the iptables rules needs to be fixed
+
+- name: flannel | Install iptables support package
+  apt:
+    name: iptables-persistent
+    force: yes
+    state: present
+
+- name: flannel | Get iptables rules
+  shell: iptables -L
+  register: iptablesrules
+  check_mode: no
+
+- name: flannel | Add flannel iptable rules (in)
+  command: /sbin/iptables -A FORWARD -i cni0 -j ACCEPT -m comment --comment "Flannel"
+  when: iptablesrules.stdout.find("Flannel") == -1
+
+- name: flannel | Add flannel iptable rules (out)
+  command: /sbin/iptables -A FORWARD -o cni0 -j ACCEPT -m comment --comment "Flannel"
+  when: iptablesrules.stdout.find("Flannel") == -1
+
+- name: flannel | Save iptables
+  command: service iptables-persistent save
+
+- name: flannel | Create flannel resources
   template: src=cni/flannel.yml dest=/etc/kubernetes/kube-flannel.yml
 
-- name: Create flannel resources
+- name: flannel | Create flannel resources
   environment:
     KUBECONFIG: /etc/kubernetes/admin.conf
   command: kubectl create -f /etc/kubernetes/kube-flannel.yml
diff --git a/roles/kubernetes/tasks/docker.yml b/roles/kubernetes/tasks/docker.yml
@@ -13,7 +13,7 @@
     dockerd_extra_args: "{{ '-H tcp://' + inventory_hostname + ':2375' if docker.expose_tcp else '' }}"
 
 - name: Update docker service startup
-  template: src=docker.service dest=/etc/systemd/system/docker.service
+  template: src=docker.service dest=/lib/systemd/system/docker.service
   register: result
   notify:
     - restart docker

diff --git a/roles/kubernetes/templates/docker.service b/roles/kubernetes/templates/docker.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=Docker Application Container Engine
 Documentation=https://docs.docker.com
-After=network.target docker.socket
+After=network.target docker.socket firewalld.service
 Requires=docker.socket
 
 [Service]
@@ -14,11 +14,11 @@ Type=notify
 # - make the cluster accessible from the outside
 ExecStart=/usr/bin/dockerd -H fd:// {{ dockerd_extra_args }} -s {{ docker.storage_driver }}
 ExecReload=/bin/kill -s HUP $MAINPID
+LimitNOFILE=1048576
 # Having non-zero Limit*s causes performance problems due to accounting overhead
 # in the kernel. We recommend using cgroups to do container-local accounting.
 LimitNPROC=infinity
 LimitCORE=infinity
-LimitNOFILE=infinity
 # Uncomment TasksMax if your systemd version supports it.
 # Only systemd 226 and above support this version.
 #TasksMax=infinity