Merge pull request #13828 from AkihiroSuda/drop-fuse-overlayfs

KIC rootless: drop fuse-overlayfs; bump kernel requirement to 5.11
Medya Ghazizadeh 2022-03-25 11:57:11 -07:00 committed by GitHub
commit 23841c4385
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 41 additions and 53 deletions


@ -126,9 +126,7 @@ RUN clean-install \
openssh-server \
dnsutils \
# libglib2.0-0 is required for conmon, which is required for podman
libglib2.0-0 \
# fuse3 is required for fuse-overlayfs
fuse3
libglib2.0-0
# install docker
# use the bionic packages for arm32
@ -139,19 +137,6 @@ RUN export ARCH=$(dpkg --print-architecture | sed 's/armhf/arm-v7/') && \
apt-key add - < docker.key && \
clean-install docker-ce docker-ce-cli containerd.io
# install fuse-overlayfs (used by rootless; apt-get version is old)
RUN curl -sSL --retry 5 --output /usr/local/bin/fuse-overlayfs https://github.com/containers/fuse-overlayfs/releases/download/${FUSE_OVERLAYFS_VERSION}/fuse-overlayfs-$(uname -m) \
&& chmod +x /usr/local/bin/fuse-overlayfs
# install containerd-fuse-overlayfs (used by rootless)
RUN export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm-v7/') \
&& echo "Installing containerd-fuse-overlayfs..." \
&& export CONTAINERD_FUSE_OVERLAYFS_BASE_URL="https://github.com/containerd/fuse-overlayfs-snapshotter/releases/download/v${CONTAINERD_FUSE_OVERLAYFS_VERSION}" \
&& curl -sSL --retry 5 --output /tmp/containerd-fuse-overlayfs.tgz "${CONTAINERD_FUSE_OVERLAYFS_BASE_URL}/containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION}-linux-${ARCH}.tar.gz" \
&& tar -C /usr/local/bin -xzvf /tmp/containerd-fuse-overlayfs.tgz \
&& rm -rf /tmp/containerd-fuse-overlayfs.tgz
COPY deploy/kicbase/containerd-fuse-overlayfs.service /etc/systemd/system/containerd-fuse-overlayfs.service
# install buildkit
RUN export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm-v7/') \
&& echo "Installing buildkit ..." \
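Review bot: The two removed `RUN` steps were the only visible consumers of `${FUSE_OVERLAYFS_VERSION}` and `${CONTAINERD_FUSE_OVERLAYFS_VERSION}`; if the Dockerfile still declares those `ARG`s earlier in the file (outside this hunk), or the build passes them as `--build-arg`, they are now dead and should be dropped in the same change so nobody keeps bumping a version that nothing installs. The `install buildkit` step that follows is cut off by the hunk, so whether it still relies on the same download-without-checksum pattern as the deleted steps cannot be judged here.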


@ -1,13 +0,0 @@
# From https://github.com/kubernetes-sigs/kind/blob/0d3780371091b2dc9ff6eea1b6054f14ff5d970a/images/base/files/etc/systemd/system/containerd-fuse-overlayfs.service
[Unit]
Description=containerd fuse-overlayfs snapshotter
PartOf=containerd.service
[Service]
ExecStart=/usr/local/bin/containerd-fuse-overlayfs-grpc /run/containerd-fuse-overlayfs.sock /var/lib/containerd-fuse-overlayfs
Type=notify
Restart=always
RestartSec=1
[Install]
WantedBy=multi-user.target


@ -162,9 +162,6 @@ func CreateContainerNode(p CreateParams) error {
// including some ones docker would otherwise do by default.
// for now this is what we want. in the future we may revisit this.
"--privileged",
// enable /dev/fuse explicitly for fuse-overlayfs
// (Rootless Docker does not automatically mount /dev/fuse with --privileged)
"--device", "/dev/fuse",
"--security-opt", "seccomp=unconfined", // ignore seccomp
"--tmpfs", "/tmp", // various things depend on working /tmp
"--tmpfs", "/run", // systemd wants a writable /run


@ -70,12 +70,6 @@ oom_score = 0
[cgroup]
path = ""
[proxy_plugins]
# fuse-overlayfs is used for rootless
[proxy_plugins."fuse-overlayfs"]
type = "snapshot"
address = "/run/containerd-fuse-overlayfs.sock"
[plugins]
[plugins."io.containerd.monitor.v1.cgroups"]
no_prometheus = false
@ -208,9 +202,6 @@ func generateContainerdConfig(cr CommandRunner, imageRepository string, kv semve
}
pauseImage := images.Pause(kv, imageRepository)
snapshotter := "overlayfs"
if inUserNamespace {
snapshotter = "fuse-overlayfs"
}
opts := struct {
PodInfraContainerImage string
SystemdCgroup bool
@ -239,6 +230,16 @@ func generateContainerdConfig(cr CommandRunner, imageRepository string, kv semve
// Enable idempotently enables containerd on a host
func (r *Containerd) Enable(disOthers, forceSystemd, inUserNamespace bool) error {
if inUserNamespace {
if err := CheckKernelCompatibility(r.Runner, 5, 11); err != nil {
// For using overlayfs
return fmt.Errorf("kernel >= 5.11 is required for rootless mode: %w", err)
}
if err := CheckKernelCompatibility(r.Runner, 5, 13); err != nil {
// For avoiding SELinux error with overlayfs
klog.Warningf("kernel >= 5.13 is recommended for rootless mode %v", err)
}
}
if disOthers {
if err := disableOthers(r, r.Runner); err != nil {
klog.Warningf("disableOthers: %v", err)
@ -254,12 +255,6 @@ func (r *Containerd) Enable(disOthers, forceSystemd, inUserNamespace bool) error
return err
}
if inUserNamespace {
if err := r.Init.EnableNow("containerd-fuse-overlayfs"); err != nil {
return err
}
}
// Otherwise, containerd will fail API requests with 'Unimplemented'
return r.Init.Restart("containerd")
}


@ -150,18 +150,13 @@ func enableIPForwarding(cr CommandRunner) error {
// enableRootless enables configurations for running CRI-O in Rootless Docker.
//
// 1. Create /etc/systemd/system/crio.service.d/10-rootless.conf to set _CRIO_ROOTLESS=1
// 2. Create /etc/crio/crio.conf.d/10-fuse-overlayfs.conf to enable fuse-overlayfs
// 3. Reload systemd
// 2. Reload systemd
//
// See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/#configuring-cri
func (r *CRIO) enableRootless() error {
files := map[string]string{
"/etc/systemd/system/crio.service.d/10-rootless.conf": `[Service]
Environment="_CRIO_ROOTLESS=1"
`,
"/etc/crio/crio.conf.d/10-fuse-overlayfs.conf": `[crio]
storage_driver = "overlay"
storage_option = ["overlay.mount_program=/usr/local/bin/fuse-overlayfs"]
`,
}
for target, content := range files {
@ -211,6 +206,14 @@ func (r *CRIO) Enable(disOthers, forceSystemd, inUserNamespace bool) error {
}
}
if inUserNamespace {
if err := CheckKernelCompatibility(r.Runner, 5, 11); err != nil {
// For using overlayfs
return fmt.Errorf("kernel >= 5.11 is required for rootless mode: %w", err)
}
if err := CheckKernelCompatibility(r.Runner, 5, 13); err != nil {
// For avoiding SELinux error with overlayfs
klog.Warningf("kernel >= 5.13 is recommended for rootless mode %v", err)
}
if err := r.enableRootless(); err != nil {
return err
}
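Review bot: In CRI-O the kernel gate sits after the closing braces at the top of this hunk, so if those braces close the `disOthers` handling (not visible here), an old kernel is only rejected after other runtimes have already been disabled, whereas `(*Containerd).Enable` performs the same check before doing anything. Moving the check to the first statement of `Enable` makes the rootless precondition fail before any side effect, and keeps the two runtimes' ordering consistent. `Enable` begins outside the hunk, so the exact statement to move it ahead of cannot be confirmed from this view.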


@ -20,6 +20,7 @@ package cruntime
import (
"fmt"
"os/exec"
"strings"
"github.com/blang/semver/v4"
"github.com/pkg/errors"
@ -316,3 +317,22 @@ func CheckCompatibility(cr Manager) error {
}
return compatibleWithVersion(cr.Name(), v)
}
// CheckKernelCompatibility returns an error when the kernel is older than the specified version.
func CheckKernelCompatibility(cr CommandRunner, major, minor int) error {
expected := fmt.Sprintf("%d.%d", major, minor)
unameRes, err := cr.RunCmd(exec.Command("uname", "-r"))
if err != nil {
return err
}
actual := strings.TrimSpace(unameRes.Stdout.String())
sortRes, err := cr.RunCmd(exec.Command("sh", "-euc", fmt.Sprintf(`(echo %s; echo %s) | sort -V | head -n1`, actual, expected)))
if err != nil {
return err
}
comparison := strings.TrimSpace(sortRes.Stdout.String())
if comparison != expected {
return NewErrServiceVersion("kernel", expected, actual)
}
return nil
}
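Review bot: `CheckKernelCompatibility` splices the raw `uname -r` output, unquoted, into a `sh -euc` command string, so any whitespace or shell metacharacter in the release string alters the command instead of being compared, and the result additionally depends on GNU `sort -V` being present on the node. The release string comes from the node's kernel rather than from a user, so this is a robustness and hygiene problem more than an exploitable one, but the second round-trip is unnecessary: the file already imports `strings`, and the major/minor pair can be parsed in Go and compared directly, which also makes the comparison unit-testable without a `CommandRunner`. The rewrite below needs a `strconv` import alongside the `strings` import this commit adds.
```go
func CheckKernelCompatibility(cr CommandRunner, major, minor int) error {
	// … unchanged: expected string and the uname -r invocation …
	actual := strings.TrimSpace(unameRes.Stdout.String())
	gotMajor, gotMinor, err := kernelMajorMinor(actual)
	if err != nil {
		return err
	}
	if gotMajor < major || (gotMajor == major && gotMinor < minor) {
		return NewErrServiceVersion("kernel", expected, actual)
	}
	return nil
}

// kernelMajorMinor extracts the leading major and minor numbers from a
// `uname -r` release such as "5.15.0-76-generic" or "5.11.0+"; everything
// after the minor field (patch level, rc tag, build suffix) is ignored.
func kernelMajorMinor(release string) (int, int, error) {
	fields := strings.FieldsFunc(release, func(r rune) bool { return r < '0' || r > '9' })
	if len(fields) < 2 {
		return 0, 0, fmt.Errorf("unexpected kernel release %q", release)
	}
	major, err := strconv.Atoi(fields[0])
	if err != nil {
		return 0, 0, fmt.Errorf("parsing kernel major version from %q: %w", release, err)
	}
	minor, err := strconv.Atoi(fields[1])
	if err != nil {
		return 0, 0, fmt.Errorf("parsing kernel minor version from %q: %w", release, err)
	}
	return major, minor, nil
}
```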


@ -34,6 +34,7 @@ minikube config set driver docker
## Requirements
- Docker 20.10 or higher, see https://rootlesscontaine.rs/getting-started/docker/
- Cgroup v2 delegation, see https://rootlesscontaine.rs/getting-started/common/cgroup2/
- Kernel 5.11 or later (5.13 or later is recommended when SELinux is enabled), see https://rootlesscontaine.rs/how-it-works/overlayfs/
## Usage