kubelet base environment fixes #3240
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| KUBELET_EXTRA_ARGS=--runtime-cgroups=/system.slice/containerd.service | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -181,8 +181,8 @@ fix_mount() { | |
| mount --make-rshared / | ||
| } | ||
|
|
||
| # helper used by mount_kubelet_cgroup_root | ||
| mount_kubelet_cgroup_root_subsystem() { | ||
| local cgroup_root=$1 | ||
| local subsystem=$2 | ||
| if [ -z "${cgroup_root}" ]; then | ||
|
|
@@ -201,6 +201,22 @@ mount_kubelet_cgroup_root() { | |
| mount --bind "${subsystem}/${cgroup_root}" "${subsystem}/${cgroup_root}" | ||
| } | ||
|
|
||
| # helper used by fix_cgroup | ||
| mount_kubelet_cgroup_root() { | ||
|
There was a problem hiding this comment. This is just pulled out from the end of fix_cgroup for re-use in v1 both with/without cgroupns. We're responsible for setting up the cgroup when we use --cgroup-root. We did that previously for the "v1 no cgroupns and nested in another cluster" reasons, but we'll need to keep |
||
| local cgroup_subsystems=$1 | ||
| echo "${cgroup_subsystems}" | | ||
| while IFS= read -r subsystem; do | ||
| mount_kubelet_cgroup_root_subsystem /kubelet "${subsystem}" | ||
| mount_kubelet_cgroup_root_subsystem /kubelet.slice "${subsystem}" | ||
| done | ||
| # workaround for hosts not running systemd | ||
| # we only do this for kubelet.slice because it's not relevant when not using | ||
| # the systemd cgroup driver | ||
| if [[ ! "${cgroup_subsystems}" = */sys/fs/cgroup/systemd* ]]; then | ||
| mount_kubelet_cgroup_root_subsystem /kubelet.slice /sys/fs/cgroup/systemd | ||
| fi | ||
| } | ||
|
|
||
| fix_cgroup() { | ||
| if [[ -f "/sys/fs/cgroup/cgroup.controllers" ]]; then | ||
| echo 'INFO: detected cgroup v2' | ||
|
|
@@ -226,8 +242,17 @@ fix_cgroup() { | |
| # current process. this tells us what cgroup-path the container is in. | ||
| local current_cgroup | ||
| current_cgroup=$(grep -E '^[^:]*:([^:]*,)?cpu(,[^,:]*)?:.*' /proc/self/cgroup | cut -d: -f3) | ||
| local cgroup_subsystems | ||
| cgroup_subsystems=$(findmnt -lun -o source,target -t cgroup | grep -F "${current_cgroup}" | awk '{print $2}') | ||
| if [ "$current_cgroup" = "/" ]; then | ||
| echo "INFO: detected cgroupns" | ||
| # kubelet will try to manage cgroups / pods that are not owned by it when | ||
| # "nesting" clusters, unless we instruct it to use a different cgroup root. | ||
| # We do this, and when doing so we must fixup this alternative root | ||
| # currently this is hardcoded to be /kubelet | ||
| # under systemd cgroup driver, kubelet appends .slice | ||
| mount --make-rprivate /sys/fs/cgroup | ||
| mount_kubelet_cgroup_root "${cgroup_subsystems}" | ||
| return | ||
| fi | ||
|
|
||
|
|
@@ -310,17 +335,7 @@ fix_cgroup() { | |
| # currently this is hardcoded to be /kubelet | ||
| # under systemd cgroup driver, kubelet appends .slice | ||
| mount --make-rprivate /sys/fs/cgroup | ||
| mount_kubelet_cgroup_root "${cgroup_subsystems}" | ||
| } | ||
|
|
||
| fix_machine_id() { | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the cgroup in which containerd operates (in kind, and in most cases since there's a standard in-tree service spec).
GKE nodes set this, noticed while debugging the runc issues, which reminded me that we aren't here.
So do the SIG node GCE containerd CI jobs.
https://github.com/kubernetes/test-infra/blob/6928f7825c26cd52dd2db97298db1882d6609584/config/jobs/kubernetes/sig-node/containerd.yaml#L20
https://github.com/kubernetes/kubernetes/blob/15a1f9a39db95a7f83ce5463a328566411d99d51/cluster/gce/util.sh#L823