From 99e0bf40686d8ebd61f0eda0b49410ea249aa504 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roland=20Hu=C3=9F?=
Date: Thu, 12 Oct 2017 10:49:20 +0200
Subject: [PATCH] fix: docker.service file + some work on flannel integration, not completed yet. See also https://github.com/coreos/flannel/issues/799 for an issue why iptables rules need to be changed.
---
 roles/kubernetes/defaults/main.yml        |  4 ++--
 roles/kubernetes/tasks/cni/flannel.yml    | 29 +++++++++++++++++++++--
 roles/kubernetes/tasks/docker.yml         |  2 +-
 roles/kubernetes/templates/docker.service |  4 ++--
 4 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/roles/kubernetes/defaults/main.yml b/roles/kubernetes/defaults/main.yml
index 393de35..ef2f878 100644
--- a/roles/kubernetes/defaults/main.yml
+++ b/roles/kubernetes/defaults/main.yml
@@ -1,10 +1,10 @@
 reset: false
-overlay_network: weave
+overlay_network: flannel
 network:
   service_subnet: 10.200.100.0/24
   pod_subnet: 10.1.0.0/16
 images:
-  flannel: quay.io/coreos/flannel:v0.7.0-arm
+  flannel: quay.io/coreos/flannel:v0.9.0-arm
   weave: weaveworks/weave-kube:2.0.4
   weave_npc: weaveworks/weave-npc:2.0.4
 k8s:
diff --git a/roles/kubernetes/tasks/cni/flannel.yml b/roles/kubernetes/tasks/cni/flannel.yml
index e5bbf50..5dbf686 100644
--- a/roles/kubernetes/tasks/cni/flannel.yml
+++ b/roles/kubernetes/tasks/cni/flannel.yml
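Review bot: The `+overlay_network: flannel` line makes flannel the role default while the commit message itself says the flannel integration is not completed yet, so anyone consuming the defaults now gets the work-in-progress path (including the iptables tasks) without opting in; keeping `overlay_network: weave` until the flannel tasks are finished, or a comment on this line stating that flannel is experimental, would avoid that surprise. Separately, the `+  flannel:` image is referenced only by a mutable tag, so what `v0.9.0-arm` resolves to can change without any change in this file; pinning the digest as well (`flannel: quay.io/coreos/flannel:v0.9.0-arm@sha256:<DIGEST>`, digest to be looked up) makes the pull reproducible. The same applies to the unchanged weave images.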
@@ -1,7 +1,32 @@
-- name: Create flannel resources
+# Please note, this is still work in progress
+# Especially saving of the iptables rules needs to be fixed
+
+- name: flannel | Install iptables support package
+  apt:
+    name: iptables-persistent
+    force: yes
+    state: present
+
+- name: flannel | Get iptables rules
+  shell: iptables -L
+  register: iptablesrules
+  check_mode: no
+
+- name: flannel | Add flannel iptable rules (in)
+  command: /sbin/iptables -A FORWARD -i cni0 -j ACCEPT -m comment --comment "Flannel"
+  when: iptablesrules.stdout.find("Flannel") == -1
+
+- name: flannel | Add flannel iptable rules (out)
+  command: /sbin/iptables -A FORWARD -o cni0 -j ACCEPT -m comment --comment "Flannel"
+  when: iptablesrules.stdout.find("Flannel") == -1
+
+- name: flannel | Save iptables
+  command: service iptables-persistent save
+
+- name: flannel | Create flannel resources
+  template: src=cni/flannel.yml dest=/etc/kubernetes/kube-flannel.yml
-- name: Create flannel resources
+- name: flannel | Create flannel resources
+  environment:
     KUBECONFIG: /etc/kubernetes/admin.conf
   command: kubectl create -f /etc/kubernetes/kube-flannel.yml
diff --git a/roles/kubernetes/tasks/docker.yml b/roles/kubernetes/tasks/docker.yml
index 615cb69..cf08528 100644
--- a/roles/kubernetes/tasks/docker.yml
+++ b/roles/kubernetes/tasks/docker.yml
@@ -13,7 +13,7 @@
     dockerd_extra_args: "{{ '-H tcp://' + inventory_hostname + ':2375' if docker.expose_tcp else '' }}"
 
 - name: Update docker service startup
-  template: src=docker.service dest=/etc/systemd/system/docker.service
+  template: src=docker.service dest=/lib/systemd/system/docker.service
   register: result
   notify:
   - restart docker
diff --git a/roles/kubernetes/templates/docker.service b/roles/kubernetes/templates/docker.service
index aba631a..c662bb1 100644
--- a/roles/kubernetes/templates/docker.service
+++ b/roles/kubernetes/templates/docker.service
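Review bot: `force: yes` on the apt task that installs iptables-persistent corresponds to `apt-get --force-yes`, which lets apt install packages that fail signature verification, and nothing in this task needs it, so the line should simply be dropped (`state: present` is sufficient; the apt module already runs non-interactively, so the package's debconf prompt is not a reason to keep it). The detection task uses `shell: iptables -L` where `command: iptables -L -n` does the same without a shell and without a reverse-DNS lookup per rule, and because the output is registered once both add-tasks fire even when only one rule is missing — a per-rule check (`iptables -C FORWARD -i cni0 -j ACCEPT -m comment --comment "Flannel"`, with `failed_when: false`) would be exact. The `service iptables-persistent save` task reports changed on every run; `changed_when: false`, or running it only when one of the add-tasks changed, keeps the play idempotent. Finally, `yes`/`no` on the `force` and `check_mode` lines should be written `true`/`false`.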
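Review bot: The new destination `/lib/systemd/system/docker.service` is the unit file owned by the docker package, so the next package upgrade overwrites the templated unit (or dpkg stops on the conflict) and the customisation is not visible as a local override; the previous destination `/etc/systemd/system/docker.service` already takes precedence over `/lib`, and a drop-in under `/etc/systemd/system/docker.service.d/` would be the least intrusive option. If `/etc` was deliberately abandoned, a comment on the task explaining why (e.g. the packaged unit was masking it) would save the next reader the question. Note also that a changed unit file only takes effect after `systemctl daemon-reload`; whether the `restart docker` handler does that is outside this hunk.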
@@ -1,7 +1,7 @@
 [Unit]
 Description=Docker Application Container Engine
 Documentation=https://docs.docker.com
-After=network.target docker.socket
+After=network.target docker.socket firewalld.service
 Requires=docker.socket
 
 [Service]
@@ -14,11 +14,11 @@ Type=notify
 # - make the cluster accessible from the outside
 ExecStart=/usr/bin/dockerd -H fd:// {{ dockerd_extra_args }} -s {{ docker.storage_driver }}
 ExecReload=/bin/kill -s HUP $MAINPID
+LimitNOFILE=1048576
 # Having non-zero Limit*s causes performance problems due to accounting overhead
 # in the kernel. We recommend using cgroups to do container-local accounting.
 LimitNPROC=infinity
 LimitCORE=infinity
-LimitNOFILE=infinity
 # Uncomment TasksMax if your systemd version supports it.
 # Only systemd 226 and above support this version.
 #TasksMax=infinity
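Review bot: The `+After=` line orders dockerd after firewalld, but the rules this commit persists via iptables-persistent are restored at boot by a different unit (on Debian/Ubuntu that is netfilter-persistent.service, which iptables-persistent depends on — please confirm for the target distribution), and if that restore runs after dockerd starts, iptables-restore replaces the filter table including the chains dockerd just inserted. If that is the case here, `After=network.target docker.socket firewalld.service netfilter-persistent.service` is the ordering that matches the flannel change. In the second hunk, `+LimitNOFILE=1048576` now sits above the comment that justifies `infinity` for the other limits, so a one-line comment on why NOFILE alone is finite (`# LimitNOFILE kept finite: <reason>`) would keep the intent readable.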