This PR adds the code for enabling gvisor in minikube. It adds the pod
that will run when the addon is enabled, and the code for the image
which will run when this happens.
When gvisor is enabled, the pod will download runsc and the
gvisor-containerd-shim. It will replace the containerd config.toml and
restart containerd.
When gvisor is disabled, the pod will be deleted by the addon manager.
This will trigger a pre-stop hook which will revert the config.toml to
it's original state and restart containerd.
* Only restart docker service if container runtime is docker
Only allow the buildroot provisioner to restart docker if the container
runtime is docker. This change should fix the bug in #3424, since now
docker will not be restarted if the container runtime is containerd.
* Added files to fix FileContent--proc-sys-net-bridge-bridge-nf-call-iptables precheck error
From this issue: https://github.com/kubernetes/kubeadm/issues/1062
these files need to be added to prevent this precheck error (which occurs when running any container runtime that isn't docker).
Also, save the machine config on the user's filesystem earlier so that the buildprovisioner can access it.
* Implement a check to see if an ISO URL is valid
* Use strings.TrimPrefix instead of []rune casting for 'file://' prefix removal
* Handle file permissions error with a user-friendly message
Small improvements to debugging and reducing integration test flakiness:
* added logging to kubeadm init in the SSHExecutor
* increasing timeout for RBAC creation via the kubernetes client set
* only log tunnel output to test logger
This change is a bit of a hack to make IP routing work over the virtio-net interface - it forces the virtio-net interface (bridge100) created by hyperkit/xhyve to reset via removing and readding the single member of the interface. Without this "reset" packets are just simply lost most of the time, despite a completely healthy IP route.
This error was also the reason for a large percentage of our integration test failures. While reducing the flakiness of tunnel related tests I also increased the timeout requirement and adding retries to the nginx request in TestTunnel.
After stopping any runtimes that aren't being used, if we're using
containerd then we need to restart it. This is because it competes with
cri-o to listen on port 10010, causing a necesary plugin to not be
installed. After stopping cri-o, we need to restart containerd so that
the plugin is installed.
I also added some preflight checks when using alternative runtimes.
kubeadm checks to make sure the Docker service is running, so I disabled
that. It also checks if a few ports are available; these are ports that
containerd uses, so I also added them to the ignore list.
This should finish the work started in #3211, which stopped alternative
runtimes but didn't restart containerd. I was able to run "minikube
start" with containerd locally with this change.
* Stop extra container runtimes, before bootstrapper
The minikube.iso starts every runtime, by default
* Disable docker-env output, if docker isn't running
Might be running an alternative container runtime
* Add config parameter for the cri socket path
Closes#3153
* Remove stray newline, when not using criSocket
* Add the --cri-socket parameter to configuration
Also fix the syntax for CRI-O, adding unix://
kubectl releases older than August 2017 don't include a newline, which
means there is effectively no hint that the output has completed. I
believe this is why tests have been failing on the macOS.
Should resolve test timeout panics such as #3203
This commit introduces a new command, `minikube tunnel`, a LoadBalancer emulator functionality, that must be run with root permissions.
This command:
* Establishes networking routes from the host into the VM for all IP ranges used by Kubernetes.
* Enables a cluster controller that allocates IPs to services external `LoadBalancer` IPs.
* Cleans up routes and IPs when stopped (Ctrl+C), when `minikube` stops, and when `minikube tunnel` is ran with the `--cleanup` flag
This provides an additional level of security, by enforcing host checking, applying port randomization, and requiring explicit user intent to expose the service to the host.
Previously we were mixed between the two forms. This commit picks %v,
which is consistent with the Kubernetes code base. They both effectively
do the same thing in this case, though %v works with any object, and %s
only with string objects.
Opt-in with `minikube config set embed-certs true`. Similar to the
behaviour of `kubectl config set-credentials --embed-certs`.
Enables Minikube on Windows to produce a .kube/config file that
can be shared directly with kubectl inside the Windows Subsystem
for Linux (WSL) without needing to perform additional translation
of the certificate paths within the configuration file.
Previously, files installed to /usr/local/bin/ would be owned by the
user executing the command, not root. This change makes these installed
files owned by root instead. Improving security is the goal.
priyawadhwa
Thomas Strömberg
Anders Björklund
Joey
Balint Pato
dlorenc
Bartel Sielski
Arijit Basu
Jason Stangroome
Asbjørn Apeland
dlorenc
Aaron Prindle
Dusty Rip
kairen
Rohit Agarwal
Peter Trotman