From e0a1540cf1ff3624a907fc3d5c9446460a05d21f Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Thu, 11 Jun 2015 17:04:05 -0400 Subject: [PATCH 1/2] UPSTREAM: nsenter path should be relative --- .../kubernetes/pkg/util/mount/nsenter_mount.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Godeps/_workspace/src/github.com/GoogleCloudPlatform/kubernetes/pkg/util/mount/nsenter_mount.go b/Godeps/_workspace/src/github.com/GoogleCloudPlatform/kubernetes/pkg/util/mount/nsenter_mount.go index 0d5dae381fe1..b6671b523745 100644 --- a/Godeps/_workspace/src/github.com/GoogleCloudPlatform/kubernetes/pkg/util/mount/nsenter_mount.go +++ b/Godeps/_workspace/src/github.com/GoogleCloudPlatform/kubernetes/pkg/util/mount/nsenter_mount.go @@ -54,7 +54,7 @@ var _ = Interface(&NsenterMounter{}) const ( hostRootFsPath = "/rootfs" hostProcMountsPath = "/rootfs/proc/mounts" - nsenterPath = "/nsenter" + nsenterPath = "nsenter" ) // Mount runs mount(8) in the host's root mount namespace. Aside from this @@ -94,6 +94,7 @@ func doNsenterMount(source, target, fstype string, options []string) error { func makeNsenterArgs(source, target, fstype string, options []string) []string { nsenterArgs := []string{ "--mount=/rootfs/proc/1/ns/mnt", + "--", "/usr/bin/mount", } @@ -106,6 +107,7 @@ func makeNsenterArgs(source, target, fstype string, options []string) []string { func (*NsenterMounter) Unmount(target string) error { args := []string{ "--mount=/rootfs/proc/1/ns/mnt", + "--", "/usr/bin/umount", target, } @@ -133,7 +135,7 @@ func (*NsenterMounter) IsMountPoint(file string) (bool, error) { return false, err } - args := []string{"--mount=/rootfs/proc/1/ns/mnt", "/usr/bin/findmnt", "-o", "target", "--noheadings", "--target", file} + args := []string{"--mount=/rootfs/proc/1/ns/mnt", "--", "/usr/bin/findmnt", "-o", "target", "--noheadings", "--target", file} glog.V(5).Infof("findmnt command: %v %v", nsenterPath, args) exec := exec.New() 
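Review bot: Changing `nsenterPath` to the bare `"nsenter"` defers binary resolution to the kubelet process's `PATH` at exec time, so the first `nsenter` found on `PATH` is what gets handed `--mount=/rootfs/proc/1/ns/mnt`; in a privileged container that enters the host mount namespace, any writable directory that precedes the real one on `PATH` would let a planted binary run with host-root effect. Consider resolving it once at startup with `exec.LookPath("nsenter")` and logging the absolute path that will be used, or at minimum record the assumption next to the constant: `// nsenterPath is looked up via PATH; the node image must ship util-linux's nsenter.` The other two constants in the block stay absolute, so the asymmetry deserves a comment either way.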
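Review bot: The literal `--mount=/rootfs/proc/1/ns/mnt` is repeated in this findmnt argument list and again in the Mount and Unmount hunks, even though `hostRootFsPath` already names `/rootfs`; if the host root mount point ever changes, the three call sites drift independently. Define it once beside the other constants, `hostMountNsArg = "--mount=" + hostRootFsPath + "/proc/1/ns/mnt"`, and use it in all three slices. The added `--` correctly stops nsenter's own option parsing before `/usr/bin/findmnt`, and `file` is passed as the value of `--target`, so a leading-dash path is safe here. IsMountPoint's body continues past the end of this hunk.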
From e99b8e365a52440f17e657bada52ee77bc8571b1 Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Thu, 11 Jun 2015 17:04:18 -0400 Subject: [PATCH 2/2] Support a containerized node Add OPENSHIFT_CONTAINERIZED=true to trigger this mode, fixes docker config file. --- README.md | 39 +++++++++++------------- hack/build-images.sh | 2 +- hack/build-release.sh | 2 ++ images/base/Dockerfile | 2 +- images/origin/Dockerfile | 2 ++ pkg/cmd/server/kubernetes/node_config.go | 5 +++ 6 files changed, 29 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index d48ca69c8737..9715aad15928 100644 --- a/README.md +++ b/README.md 
@@ -11,60 +11,55 @@ easy deployment and scaling, and long-term lifecycle maintenance for small and l **Features:** -* Push source code to the platform and have deployments automatically occur +* Build web-scale applications with integrated service discovery, DNS, load balancing, failover, health checking, persistent storage, and fast scaling +* Push source code to your Git repository and have image builds and deployments automatically occur * Easy to use client tools for building web applications from source code * Templatize the components of your system, reuse them, and iteratively deploy them over time * Centralized administration and management of application component libraries * Roll out changes to software stacks to your entire organization in a controlled fashion * Team and user isolation of containers, builds, and network communication in an easy multi-tenancy system + * Allow developers to run containers securely by preventing root access and isolating containers with SELinux * Limit, track, and manage the resources teams are using **Learn More:** +* **[OpenShift Public Documentation](http://docs.openshift.org/latest/welcome/index.html)** +* The **[Trello Roadmap](https://ci.openshift.redhat.com/roadmap_overview.html)** covers the epics and stories being worked on (click through to individual items) * **[Technical Architecture Presentation](https://docs.google.com/presentation/d/1Isp5UeQZTo3gh6e59FMYmMs_V9QIQeBelmbyHIJ1H_g/pub?start=false&loop=false&delayms=3000)** * **[System Architecture](https://github.com/openshift/openshift-pep/blob/master/openshift-pep-013-openshift-3.md)** design document -* The **[Trello Roadmap](https://ci.openshift.redhat.com/roadmap_overview.html)** covers the epics and stories being worked on (click through to individual items) -* **[Public Documentation](http://docs.openshift.org/latest/welcome/index.html)** site For questions or feedback, reach us on [IRC on #openshift-dev](https://botbot.me/freenode/openshift-dev/) on 
Freenode or post to our [mailing list](https://lists.openshift.redhat.com/openshiftmm/listinfo/dev). NOTE: OpenShift release candidate 1 is available on the [releases page](https://github.com/openshift/origin/releases). Feedback, suggestions, and testing are all welcome! -Security Warning!!! +Security!!! ------------------- -OpenShift is a system that runs Docker containers on your machine. In some cases (build operations and the registry service) it does so using privileged containers. Those containers access your host's Docker daemon and perform `docker build` and `docker push` operations. As such, you should be aware of the inherent security risks associated with performing `docker run` operations on arbitrary images as they have effective root access. This is particularly relevant when running the OpenShift as a node directly on your laptop or primary workstation. Only run code you trust. +OpenShift is a system that runs Docker containers on your machine. In some cases (build operations) it does so using privileged containers. Those containers access your host's Docker daemon and perform `docker build` and `docker push` operations. As such, you should be aware of the inherent security risks associated with performing `docker build` operations on arbitrary images as they have effective root access. This is particularly relevant when running the OpenShift as a node directly on your laptop or primary workstation. Only build and run code you trust. For more information on the security of containers, see these articles: * http://opensource.com/business/14/7/docker-security-selinux * https://docs.docker.com/articles/security/ -Running untrusted containers will become less scary as improvements are made upstream to Docker and Kubernetes, but until then please be conscious of the images you run. Consider using images from trusted parties, building them yourself on OpenShift, or only running containers that run as non-root users. 
- - -Docker 1.6 ----------- -OpenShift now requires at least Docker 1.6. Here's how to get it: - -### Fedora 21 -RPMs for Docker 1.6 are available for Fedora 21 in the updates yum repository. - -### CentOS 7 -RPMs for Docker 1.6 are available for CentOS 7 in the extras yum repository. +Consider using images from trusted parties, building them yourself on OpenShift, or only running containers that run as non-root users. Getting Started --------------- -The simplest way to run OpenShift Origin is in a Docker container: +The easiest way to run OpenShift Origin is in a Docker container (OpenShift requires Docker 1.6 or higher or 1.6.2 on CentOS/RHEL): - $ sudo docker run -d --name "openshift-origin" --net=host --privileged \ - -v /var/run/docker.sock:/var/run/docker.sock \ + $ sudo docker run -d -name "origin" \ + --privileged --net=host \ + -v /:/rootfs:ro -v /var/run:/var/run:rw -v /sys:/sys:ro -v /var/lib/docker:/var/lib/docker:rw \ openshift/origin start +*Security!* Why do we need to mount your host, run privileged, and get access to your Docker directory? OpenShift runs as a host agent (like Docker) +and starts and stops Docker containers, mounts remote volumes, and monitors the system (/sys) to report performance and health info. You can strip all of these options off and OpenShift will still start, but you won't be able to run pods (which is kind of the point). + Once the container is started, you can jump into a console inside the container and run the CLI. - $ sudo docker exec -it openshift-origin bash + $ sudo docker exec -it origin bash $ oc --help $ oc login Username: test 
@@ -76,6 +71,8 @@ Any username and password are accepted by default (with no credential system con ![Web console overview](docs/screenshots/console_overview.png?raw=true) +You can also use the Docker container to run our CLI (`sudo docker exec -it origin cli --help`) or download the `oc` command-line client from the [releases](https://github.com/openshift/origin/releases) page for Mac, Windows, or Linux and login from your host with `oc login`. + ### Next Steps diff --git a/hack/build-images.sh b/hack/build-images.sh index f3c6a13d6533..64de861ef0fc 100755 --- a/hack/build-images.sh +++ b/hack/build-images.sh @@ -46,7 +46,7 @@ cp -f "${imagedir}/dockerregistry" images/dockerregistry/bin function image { echo "--- $1 ---" docker build -t $1:latest $2 - docker tag $1:latest $1:${OS_RELEASE_COMMIT} + docker tag -f $1:latest $1:${OS_RELEASE_COMMIT} } # images that depend on scratch diff --git a/hack/build-release.sh b/hack/build-release.sh index 82e6194a4bf3..ae16b7cb8a29 100755 --- a/hack/build-release.sh +++ b/hack/build-release.sh @@ -26,6 +26,8 @@ mkdir -p "${OS_ROOT}/_output/local" os::build::get_version_vars os::build::save_version_vars "${context}/os-version-defs" +echo "++ Building release ${OS_GIT_VERSION}" + # Create the input archive. git archive --format=tar -o "${context}/archive.tar" HEAD tar -rf "${context}/archive.tar" -C "${context}" os-version-defs diff --git a/images/base/Dockerfile b/images/base/Dockerfile index 4c6300d68ab8..dac609dcc9ed 100644 --- a/images/base/Dockerfile +++ b/images/base/Dockerfile @@ -7,5 +7,5 @@ FROM centos:centos7 # components from EPEL must be installed in a separate yum install step -RUN yum install -y git tar wget socat hostname epel-release && \ +RUN yum install -y git tar wget socat hostname sysvinit-tools util-linux epel-release && \ yum clean all diff --git a/images/origin/Dockerfile b/images/origin/Dockerfile index f975fdb2b029..dd108da5a3d9 100644 --- a/images/origin/Dockerfile +++ b/images/origin/Dockerfile 
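Review bot: The new `docker tag -f $1:latest $1:${OS_RELEASE_COMMIT}` line expands `$1` unquoted, as the `docker build -t $1:latest $2` context line above it does, and `-f` now silently replaces any existing `${OS_RELEASE_COMMIT}` tag. Quote both expansions, `docker tag -f "$1:latest" "$1:${OS_RELEASE_COMMIT}"`, and say why overwriting is intended with a comment such as `# -f: re-tag when the same commit is rebuilt`. Whether the script runs under `set -e` so a failed build or tag aborts the run is outside this hunk.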
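Review bot: The RUN line now installs `sysvinit-tools` and `util-linux` without recording why; `util-linux` appears to be what supplies the `nsenter`, `findmnt`, `mount` and `umount` binaries that patch 1 of this series invokes (with `nsenter` now looked up via PATH), and nothing ties the two together for a reader of the Dockerfile. Add a comment above the RUN, `# util-linux: nsenter/findmnt/mount used by the containerized node; sysvinit-tools: <state the consumer>`, since the reason for sysvinit-tools is not visible in this change. The packages are unpinned, so the exact versions are whatever the CentOS 7 and EPEL repositories serve at build time — worth noting if reproducible images matter.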
@@ -13,12 +13,14 @@ RUN ln -s /usr/bin/openshift /usr/bin/oc && \ ln -s /usr/bin/openshift /usr/bin/oadm && \ ln -s /usr/bin/openshift /usr/bin/osc && \ ln -s /usr/bin/openshift /usr/bin/osadm && \ + ln -s /usr/bin/openshift /usr/bin/kubectl && \ ln -s /usr/bin/openshift /usr/bin/openshift-deploy && \ ln -s /usr/bin/openshift /usr/bin/openshift-docker-build && \ ln -s /usr/bin/openshift /usr/bin/openshift-sti-build && \ ln -s /usr/bin/openshift /usr/bin/openshift-router ENV HOME /root +ENV OPENSHIFT_CONTAINERIZED true ENV KUBECONFIG /var/lib/openshift/openshift.local.config/master/admin.kubeconfig WORKDIR /var/lib/openshift ENTRYPOINT ["/usr/bin/openshift"] diff --git a/pkg/cmd/server/kubernetes/node_config.go b/pkg/cmd/server/kubernetes/node_config.go index 82d5a77ce05b..4a3370dbf715 100644 --- a/pkg/cmd/server/kubernetes/node_config.go +++ b/pkg/cmd/server/kubernetes/node_config.go @@ -17,6 +17,7 @@ import ( "github.com/golang/glog" configapi "github.com/openshift/origin/pkg/cmd/server/api" + cmdutil "github.com/openshift/origin/pkg/cmd/util" cmdflags "github.com/openshift/origin/pkg/cmd/util/flags" "github.com/openshift/origin/pkg/cmd/util/variable" ) @@ -120,6 +121,10 @@ func BuildKubernetesNodeConfig(options configapi.NodeConfig) (*NodeConfig, error server.TLSCertFile = options.ServingInfo.ServerCert.CertFile server.TLSPrivateKeyFile = options.ServingInfo.ServerCert.KeyFile + if value := cmdutil.Env("OPENSHIFT_CONTAINERIZED", ""); len(value) > 0 { + server.Containerized = value == "true" + } + // resolve extended arguments // TODO: this should be done in config validation (along with the above) so we can provide // proper errors
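Review bot: `ENV OPENSHIFT_CONTAINERIZED true` is baked into the image unconditionally and, per the node_config.go hunk in this same patch, switches the node into containerized mode, but a reader of the Dockerfile alone cannot tell what that implies. Add a comment above it along the lines of `# Marks the node as running inside a container: mount operations are executed in the host mount namespace via nsenter, which needs --privileged and the host root bind-mounted at /rootfs (see README).` The new `kubectl` symlink is consistent with the other aliases but, like them, is undocumented.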
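Review bot: The new block sets `server.Containerized` to `value == "true"`, so any other non-empty value (`True`, `1`, `yes`, a typo) silently forces the flag to false with no log, and a set-but-misspelled variable is indistinguishable from an explicit off. Since `BuildKubernetesNodeConfig` already returns an error (visible in the hunk header), parse the value with `strconv.ParseBool` and reject anything unparseable, and log when the mode is enabled so operators can see which mount path the node will use; `fmt` and `strconv` must be imported if the file does not already do so, which the earlier import hunk does not show. The function's body continues beyond this hunk.

```go
	// OPENSHIFT_CONTAINERIZED overrides whether this node treats itself as
	// running inside a container; reject non-boolean values instead of
	// silently treating them as false.
	if value := cmdutil.Env("OPENSHIFT_CONTAINERIZED", ""); len(value) > 0 {
		containerized, err := strconv.ParseBool(value)
		if err != nil {
			return nil, fmt.Errorf("OPENSHIFT_CONTAINERIZED must be a boolean, got %q: %v", value, err)
		}
		if containerized {
			glog.V(2).Infof("OPENSHIFT_CONTAINERIZED=%q: containerized node mode enabled", value)
		}
		server.Containerized = containerized
	}
	// … unchanged: extended argument resolution …
```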