From 27e4c5fa1db329f38502651a874df26e62b1aa21 Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Thu, 19 May 2016 12:43:47 -0700
Subject: [PATCH] create a chroot aci for docker and kubelet
---
node-aci/.gitignore | 3 +++
node-aci/build | 39 +++++++++++++++++++++++++++++++++++++++
node-aci/docker.service | 22 ++++++++++++++++++++++
node-aci/docker.socket | 12 ++++++++++++
node-aci/kubelet.service | 18 ++++++++++++++++++
node-aci/unpack | 27 +++++++++++++++++++++++++++
6 files changed, 121 insertions(+)
create mode 100644 node-aci/.gitignore
create mode 100755 node-aci/build
create mode 100644 node-aci/docker.service
create mode 100644 node-aci/docker.socket
create mode 100644 node-aci/kubelet.service
create mode 100755 node-aci/unpack
diff --git a/node-aci/.gitignore b/node-aci/.gitignore
new file mode 100644
index 000000000..1758e409e
--- /dev/null
+++ b/node-aci/.gitignore
@@ -0,0 +1,3 @@
+.acbuild
+library-debian-jessie.aci
+node.aci
diff --git a/node-aci/build b/node-aci/build
new file mode 100755
index 000000000..33a0007d9
--- /dev/null
+++ b/node-aci/build
@@ -0,0 +1,39 @@
+#! /bin/bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+set -o xtrace
+
+rm -f node.aci
+
+docker2aci docker://debian:jessie
+
+acbuild begin ./library-debian-jessie.aci
+
+acbuild run -- apt-get update
+acbuild run -- apt-get install -y -q apparmor curl iptables
+acbuild run -- apt-get autoremove
+acbuild run -- apt-get clean
+
+acbuild run -- \
+ curl -sSL --fail \
+ "https://get.docker.com/builds/Linux/x86_64/docker-1.11.1.tgz" \
+ -o /opt/docker.tgz
+acbuild run -- tar xzfv /opt/docker.tgz --strip=1 -C "/usr/local/bin"
+acbuild run -- rm /opt/docker.tgz
+
+acbuild run -- \
+ curl -sSL --fail \
+ "https://storage.googleapis.com/kubernetes-release/release/v1.3.0-alpha.4/bin/linux/amd64/kubectl" \
+ -o "/usr/local/bin/kubectl"
+acbuild run -- chmod +x "/usr/local/bin/kubectl"
+
+acbuild run -- \
+ curl -sSL --fail \
+ "https://storage.googleapis.com/kubernetes-release/release/v1.3.0-alpha.4/bin/linux/amd64/kubelet" \
+ -o "/usr/local/bin/kubelet"
+acbuild run -- chmod +x "/usr/local/bin/kubelet"
+
+acbuild write node.aci
+acbuild end
diff --git a/node-aci/docker.service b/node-aci/docker.service
new file mode 100644
index 000000000..fedc30be2
--- /dev/null
+++ b/node-aci/docker.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=https://docs.docker.com
+After=network.target docker.socket
+Requires=docker.socket
+
+[Service]
+Type=notify
+RootDirectory=/opt/kubelet/rootfs
+ExecStart=/usr/local/bin/docker daemon
+ExecReload=/bin/kill -s HUP $MAINPID
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+TimeoutStartSec=0
+# set delegate yes so that systemd does not reset the cgroups of docker containers
+Delegate=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/node-aci/docker.socket b/node-aci/docker.socket
new file mode 100644
index 000000000..7dd95098e
--- /dev/null
+++ b/node-aci/docker.socket
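Review bot: The three curl downloads in node-aci/build (docker-1.11.1.tgz, kubectl and kubelet) are placed straight into /usr/local/bin of the image with no integrity check, so what ends up executing as root on every node depends solely on the TLS connection to get.docker.com and storage.googleapis.com at build time. Pin a digest for each artifact and verify it before it is used, e.g. `acbuild run -- sh -c 'echo "<EXPECTED_SHA256>  /opt/docker.tgz" | sha256sum -c -'` after the first download and the equivalent line before each `chmod +x`; this matters doubly for the tarball, since `tar xzfv ... --strip=1 -C "/usr/local/bin"` extracts whatever the archive contains into a PATH directory. `docker2aci docker://debian:jessie` likewise pulls a floating tag, so the base layer is not reproducible either; referencing the image by digest would fix that. The version strings and expected digests would be easier to audit if hoisted into readonly variables at the top of the script.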
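Review bot: `RootDirectory=/opt/kubelet/rootfs` reads as if the daemon were sandboxed, but nothing in the unit limits it: it runs as root, and node-aci/unpack bind-mounts the host's /run, /var/run and /var/lib/docker into that root, so the chroot is a packaging device rather than a security boundary and the unit should say so, e.g. `# RootDirectory= only packages the docker binaries; the daemon still runs as root against host /run and /var/lib/docker (see node-aci/unpack).` Nothing orders this unit after that rootfs has been populated, and since systemd looks up the ExecStart/ExecReload binaries inside the chroot, a start on an unprepared node fails with an opaque exec error; `ConditionPathExists=/opt/kubelet/rootfs/usr/local/bin/docker` in [Unit] would make the requirement explicit. The unit also sets no `Restart=`, so a crashed daemon stays down. The same RootDirectory/ordering point applies to the kubelet.service hunk.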
@@ -0,0 +1,12 @@
+[Unit]
+Description=Docker Socket for the API
+PartOf=docker.service
+
+[Socket]
+ListenStream=/var/run/docker.sock
+SocketMode=0660
+SocketUser=root
+SocketGroup=docker
+
+[Install]
+WantedBy=sockets.target
diff --git a/node-aci/kubelet.service b/node-aci/kubelet.service
new file mode 100644
index 000000000..ab8923e0f
--- /dev/null
+++ b/node-aci/kubelet.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Kubernetes Kubelet Server
+Documentation=https://github.com/kubernetes/kubernetes
+After=network.target docker.socket
+
+[Service]
+RootDirectory=/opt/kubelet/rootfs
+ExecStart=/usr/local/bin/kubelet \
+ --address=0.0.0.0 \
+ --allow-privileged=true \
+ --enable-server \
+ --config=/etc/kubernetes/manifests \
+ --cluster-dns=10.0.0.10 \
+ --cluster-domain=cluster.local \
+ --v=2
+
+[Install]
+WantedBy=multi-user.target
diff --git a/node-aci/unpack b/node-aci/unpack
new file mode 100755
index 000000000..1fb03bbda
--- /dev/null
+++ b/node-aci/unpack
@@ -0,0 +1,27 @@
+#! /bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+ROOTFS=/opt/kubelet/rootfs
+
+mount_in() {
+ local path="${1}"
+ local shared="${2:-false}"
+ mkdir -p "${path}"
+ mkdir -p "${ROOTFS}${path}"
+ mkdir --rbind "${path}" "${ROOTFS}${path}"
+ if [[ "${shared}" == "true" ]]; then
+ mount --bind "${ROOTFS}${path}" "${ROOTFS}${path}"
+ mount --make-shared "${ROOTFS}${path}"
+ fi
+}
+
+tar xzvf node.aci -C /opt/kubelet
+
+mount_in /run
+mount_in /var/run
+mount_in /etc/kubernetes
+mount_in /var/lib/docker
+mount_in /var/lib/kubelet true
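Review bot: `SocketGroup=docker` with `SocketMode=0660` gives every member of the host's `docker` group full control of the daemon, which is root-equivalent on the node, and the unit does not record that; a line such as `# Members of the docker group can start privileged containers (root-equivalent); keep the group empty on nodes.` above it would. This socket unit carries no RootDirectory, so the group has to exist on the host rather than inside the ACI, otherwise systemd cannot apply the ownership and the socket fails to start. The socket itself lives at /var/run/docker.sock on the host and, as far as I can tell, is only reachable by the chrooted daemon because node-aci/unpack rbinds /var/run into the rootfs; that coupling is worth a comment here.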
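Review bot: `--address=0.0.0.0` together with `--enable-server` and `--allow-privileged=true` exposes the kubelet API on every interface of the node, and the pinned release (v1.3.0-alpha.4) predates the kubelet's own authentication and authorization flags, so anything that can reach the kubelet port can drive containers and, via privileged pods, the host; bind to the node's internal address (`--address=<NODE_INTERNAL_IP>`, supplied per node) or restrict the port at the host firewall, and add a comment stating why `--allow-privileged` is required here. The unit declares no `Restart=`, so a kubelet crash leaves the node unmanaged; `Restart=always` and `RestartSec=5` are the usual choice for this service. It also depends on node-aci/unpack having populated /opt/kubelet/rootfs first, which `ConditionPathExists=/opt/kubelet/rootfs/usr/local/bin/kubelet` in [Unit] would make explicit.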
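Review bot: `mkdir --rbind "${path}" "${ROOTFS}${path}"` in mount_in is a typo for `mount --rbind "${path}" "${ROOTFS}${path}"`; mkdir has no --rbind option, so under errexit the script aborts at the first `mount_in /run` call and nothing is ever bound into the rootfs. The script is also not idempotent or guarded: every run re-extracts node.aci and stacks another rbind on each path, and it neither checks that it runs as root nor that /opt/kubelet exists before `tar ... -C /opt/kubelet`; `(( EUID == 0 )) || { printf 'unpack: must run as root\n' >&2; exit 1; }` near the top, `mkdir -p /opt/kubelet` before the tar, and `mountpoint -q "${ROOTFS}${path}" && return 0` before the rbind would make reruns safe. Rbinding the host's /run and /var/run into the rootfs presumably exists so the chrooted Type=notify docker daemon can reach systemd's notify socket and its own API socket, but it also exposes everything else under /run to the chroot; that intent and trade-off deserve a comment on the `mount_in /run` line.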