diff --git a/Makefile b/Makefile index 1d9fd8a..f86445b 100644 --- a/Makefile +++ b/Makefile @@ -4,7 +4,7 @@ REGION := us-east-1 include .ci/podman.mk -BUILDER := v3.18.2 +BUILDER := v3.18.4 PKG := '*' CF_DIST := E11OFTOA3L8IVY diff --git a/kubezero/fluent-bit/APKBUILD b/kubezero/fluent-bit/APKBUILD index 6d2cd00..515fcd3 100644 --- a/kubezero/fluent-bit/APKBUILD +++ b/kubezero/fluent-bit/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Stefan Reimer # Maintainer: Stefan Reimer pkgname=fluent-bit -pkgver=2.1.5 +pkgver=2.1.10 pkgrel=0 pkgdesc="Fast and Lightweight Log processor and forwarder" url="https://fluentbit.io/" @@ -12,10 +12,10 @@ makedepends=" bison cmake flex + gtest-dev linux-headers musl-fts-dev openssl-dev - gtest-dev yaml-dev zlib-dev " @@ -27,8 +27,11 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/fluent/fluent-bit/archive/v$ fluent-bit.confd fluent-bit.initd chunkio-static-lib-fts.patch + exclude-luajit.patch + xsi-strerror.patch fluent-bit.conf zdt-parsers.conf + fluent-bit.logrotated " # enable check when this solved - https://github.com/fluent/fluent-bit/issues/2464#issuecomment-673280055 # Disable all things AWS to make tests pass @@ -50,15 +53,16 @@ build() { -DFLB_DEBUG=Off \ -DFLB_SHARED_LIB=Off \ -DFLB_JEMALLOC=Yes \ - -DFLB_LUAJIT=Yes \ -DFLB_IN_SYSTEMD=Off \ -DFLB_PROXY_GO=No \ + -DFLB_TLS=Yes \ -DFLB_HTTP_SERVER=Yes \ $CMAKE_CROSSOPTS . make -C build #-DCMAKE_FIND_LIBRARY_SUFFIXES=".a" \ #-DCMAKE_EXE_LINKER_FLAGS="-static" \ #-DFLB_STREAM_PROCESSOR=No \ + #-DFLB_LUAJIT=Yes \ #-DFLB_FILTER_LUA=Off \ #-DFLB_TESTS_INTERNAL=Yes \ #-DFLB_AWS=No \ 
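Review bot: The build() hunk of kubezero/fluent-bit/APKBUILD removes `-DFLB_LUAJIT=Yes` from the live cmake invocation and adds `#-DFLB_LUAJIT=Yes \` to the commented-out flag list after `make -C build`, so that list now mixes options that were tried and dropped with one that is deliberately handled by the new exclude-luajit.patch; a reader cannot tell which is which. Replace the commented line with a why-comment next to the cmake call, e.g. `# LuaJIT stays enabled by default; exclude-luajit.patch stops it from installing /usr/bin/luajit`, and consider pruning the rest of the dead flag block. The `-DFLB_TLS=Yes` addition is consistent with `tls on` in the forward output written by setup_fluentbit.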
@@ -90,14 +94,20 @@ package() { mkdir -p "$pkgdir"/var/spool/fluent-bit install -Dm644 "$srcdir/fluent-bit.conf" "$pkgdir/etc/fluent-bit/fluent-bit.conf" install -Dm644 "$srcdir/zdt-parsers.conf" "$pkgdir/etc/fluent-bit/zdt-parsers.conf" + + install -Dm644 "$srcdir"/fluent-bit.logrotated "$pkgdir"/etc/logrotate.d/fluentbit + touch "$pkgdir"/etc/fluent-bit/metadata.conf } sha512sums=" -de9c6a4744223ed0f6f401adeb95956c90524feba6f592459ed517e1058f7e1a21f1c42910d3ac721be639264979ba3ebb5503cd7dc5874e1f676bf32a7e7df0 fluent-bit-2.1.5.tar.gz +55caefa81cdeaf293b727829383c6eaa75bc2f8b8c61ebe15e1478c66033921fde6e50c39fc8c39a7d2d93d03892f709daf4d1b6caacf586133de5268de10299 fluent-bit-2.1.10.tar.gz f6431397c80a036980b5377b51e38aec25dfceeb8dbe4cd54dce1f6e77d669d9f8daf983fcc96d25332385888f1809ced5e8ab0e8ccfcd93d19494036e3dc949 fluent-bit.confd -8ba6c8e84dee90176f9b4375fb2c6444fa5d32fa601d9bcf3ea7960fec87f1ef664f175caf08bd0b052843e971efdbf08e2a5cd180ad9a8f23ff2c5cb233814f fluent-bit.initd +e17bad6abd597da620fdb930e3f18612a828dd956abf87ce850e2660b83db4d9ab7d373ab3a9bf1d07f605b5077998234ce4774007c0197cfbfdad465ca6b47a fluent-bit.initd 6bd7d8b4da93a17f29b6ea1e0286ea226d0e376024284741110936779b3229bd8d6cd03ffbdc5d3b4842294e7f32a888de0dd16b0851b65d91b062ca58530ea0 chunkio-static-lib-fts.patch -ea125b68825ae17bb6d08b1cbe7b3594d4844f7abb06465d7de0a39995dfa927087a28e592f40239792aee7f3494a8ba7a2d2373efc36f6ac712e802ace2f8a2 fluent-bit.conf +e3308a8377fb8ba496415b7a31e9e022e5aa9965d27a0c33ea5166a29049b72cb364bbcdf9d8611ef3407b0968f9bd4adff12cdb39728bbebd382710e5bc75d0 exclude-luajit.patch +d61f30344af997f126486fa5b34cd3fbfe88bfc9aea394a8c60d0206f4db8db998eadf637a3a581b89512411c1e7980c414e236e455d5e2b889d20a556ee6577 xsi-strerror.patch +52aba9d23584d64842bc967504701a10166a43a03ca0d31de9b6cbffaacdbaa7d99f0fd55a4b0194e3b65d456817cb1779b86d468d81c1d9681a6fa708e85449 fluent-bit.conf 
31899a3c68bbb43adb9025a3a46bad4ca0c740d5bca5c252c8667197575698d98ac4a3b6e11ee160c4bb8df0d0089b639bfd7d0ffa52391e6c4f8f734a6952a6 zdt-parsers.conf +e166b0ff11a1789599e93f86b72102ca6a06725c98553a8fdd48c8d6414bfa765c3958d07bfb4c4d99101d8cdf7d00db1a8506d48c2cbd6bd375ce43c43d2bf9 fluent-bit.logrotated " diff --git a/kubezero/fluent-bit/exclude-luajit.patch b/kubezero/fluent-bit/exclude-luajit.patch new file mode 100644 index 0000000..b4df338 --- /dev/null +++ b/kubezero/fluent-bit/exclude-luajit.patch @@ -0,0 +1,12 @@ +otherwise it installs an unused /usr/bin/luajit .... +-0 +diff --git a/cmake/luajit.cmake b/cmake/luajit.cmake +index b6774eb..f8042ae 100644 +--- a/cmake/luajit.cmake ++++ b/cmake/luajit.cmake +@@ -1,4 +1,4 @@ + # luajit cmake + option(LUAJIT_DIR "Path of LuaJIT 2.1 source dir" ON) + set(LUAJIT_DIR ${FLB_PATH_ROOT_SOURCE}/${FLB_PATH_LIB_LUAJIT}) +-add_subdirectory("lib/luajit-cmake") ++add_subdirectory("lib/luajit-cmake" EXCLUDE_FROM_ALL) diff --git a/kubezero/fluent-bit/fluent-bit.conf b/kubezero/fluent-bit/fluent-bit.conf index 3f0d808..0221515 100644 --- a/kubezero/fluent-bit/fluent-bit.conf +++ b/kubezero/fluent-bit/fluent-bit.conf @@ -30,12 +30,4 @@ @INCLUDE metadata.conf -[OUTPUT] - Match * - Name forward - Host fluentd - Port 24224 - Shared_Key cloudbender - tls on - Send_options true - Require_ack_response true +@INCLUDE output.conf diff --git a/kubezero/fluent-bit/fluent-bit.initd b/kubezero/fluent-bit/fluent-bit.initd index e1059d8..f0e5871 100644 --- a/kubezero/fluent-bit/fluent-bit.initd +++ b/kubezero/fluent-bit/fluent-bit.initd @@ -7,5 +7,5 @@ command_args="$fluentbit_opts" depend() { need net - after firewall + after firewall cloudbender } diff --git a/kubezero/fluent-bit/fluent-bit.logrotated b/kubezero/fluent-bit/fluent-bit.logrotated new file mode 100644 index 0000000..e1e7f88 --- /dev/null +++ b/kubezero/fluent-bit/fluent-bit.logrotated 
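Review bot: package() now creates an empty `metadata.conf` so the `@INCLUDE metadata.conf` in fluent-bit.conf resolves on a fresh install, but the fluent-bit.conf hunk on this page replaces the [OUTPUT] block with `@INCLUDE output.conf` and nothing in package() ships that file; until setup_fluentbit in common.sh writes it, fluent-bit will presumably fail to parse its configuration and the service cannot start (the `rc-update`/`rc-service` calls that used to run after writing it were removed from setup_fluentbit). Add `touch "$pkgdir"/etc/fluent-bit/output.conf` next to the metadata.conf line, or make the include conditional. The `after firewall cloudbender` ordering added in fluent-bit.initd only orders startup and does not help when cloudbender is disabled or logging is not enabled.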
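Review bot: The second line of the new exclude-luajit.patch, `-0`, looks like a leftover from editing rather than part of the description; patch(1) and abuild skip leading garbage so it is harmless, but it is confusing next to a real `-`-prefixed hunk line. Drop it so the file reads as the one-line rationale followed by the diff.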
@@ -0,0 +1,12 @@ +/var/log/fluentbit.log +{ + rotate 2 + missingok + notifempty + compress + maxsize 10M + daily + postrotate + rc-service fluent-bit restart + endscript +} diff --git a/kubezero/fluent-bit/xsi-strerror.patch b/kubezero/fluent-bit/xsi-strerror.patch new file mode 100644 index 0000000..527de20 --- /dev/null +++ b/kubezero/fluent-bit/xsi-strerror.patch @@ -0,0 +1,15 @@ +--- a/src/flb_network.c ++++ b/src/flb_network.c +@@ -523,9 +523,10 @@ + } + + /* Connection is broken, not much to do here */ +- str = strerror_r(error, so_error_buf, sizeof(so_error_buf)); ++ /* XXX: XSI */ ++ int _err = strerror_r(error, so_error_buf, sizeof(so_error_buf)); + flb_error("[net] TCP connection failed: %s:%i (%s)", +- u->tcp_host, u->tcp_port, str); ++ u->tcp_host, u->tcp_port, so_error_buf); + return -1; + } + } diff --git a/kubezero/kubernetes/APKBUILD b/kubezero/kubernetes/APKBUILD index ff4b6f9..f2e8334 100644 --- a/kubezero/kubernetes/APKBUILD +++ b/kubezero/kubernetes/APKBUILD @@ -5,7 +5,7 @@ # Contributor: Dave # Maintainer: Stefan Reimer pkgname=kubernetes -pkgver=1.26.7 +pkgver=1.26.8 pkgrel=0 pkgdesc="Container Cluster Manager" url="https://kubernetes.io/" 
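Review bot: In xsi-strerror.patch the new line `int _err = strerror_r(error, so_error_buf, sizeof(so_error_buf));` stores the XSI return value but never checks it, so `_err` is an unused variable (a warning under `-Wall`) and, when strerror_r fails with EINVAL or ERANGE, `so_error_buf` is logged regardless of whether it holds a terminated string. Check the result and fall back to an empty string, e.g. `if (strerror_r(error, so_error_buf, sizeof(so_error_buf)) != 0) so_error_buf[0] = '\0';`. Whether `str` is still declared earlier in the enclosing function of flb_network.c is not visible in this hunk; if it is, it becomes unused as well. The `/* XXX: XSI */` comment would serve readers better as `/* XSI strerror_r (musl): returns int and fills so_error_buf */`.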
@@ -208,7 +208,7 @@ _do_zshcomp() { } sha512sums=" -9069e653e87883e54df8e01edf2cce9d847a83d593f13e8281654653924586e73841d1ee302de4de93dadf2a2474e875cf350f03c2aec512c100cb3d4fb7d9c5 kubernetes-1.26.7.tar.gz +38649d4c8a85e236a8ceffe5bba5146cf1a4eb9191534707dd39443303f99d830e95dc4e9be0febfb2a8bd4d0b57f13b5cb883b51fea57306f1f2ceff2052d69 kubernetes-1.26.8.tar.gz 5427c2e653504cfd5b0bcaf195d4734ee40947ddfebc9f155cd96dddccfc27692c29d94af4ac99f1018925b52995c593b584c5d7a82df2f185ebce1a9e463c40 make-e2e_node-run-over-distro-bins.patch 94d07edfe7ca52b12e85dd9e29f4c9edcd144abc8d120fb71e2a0507f064afd4bac5dde30da7673a35bdd842b79a4770a03a1f3946bfae361c01dd4dc4903c64 make-test-cmd-run-over-hyperkube-based-kubectl.patch e690daff2adb1013c92124f32e71f8ed9a18c611ae6ae5fcb5ce9674768dbf9d911a05d7e4028488cda886e63b82e8ac0606d14389a05844c1b5538a33dd09d1 kube-apiserver.initd 
@@ -223,7 +223,7 @@ d7e022ee22da191bda7382f87cb293d9c9d115a3df0c2054bf918279eb866f99c6d5c21e4c98eae8 561bef5633ba4b9021720624443d9c279a561e5fabea76e5d0fbee2e7ad8999029a2511a45895fbec8448026212a3c5b4c197b248a6afa7f8bd945f705524ea7 kube-scheduler.initd af88b382ab75657d0ff13c3f8f6d924cef9f2df7807a9a27daa63495981801bc4b607998f65c0758c11a7e070e43c24f7184ba7720711109c74b1c4d57919e34 kube-scheduler.confd 3692da349dd6ed0f5acc09d7b95ac562ffecb103e2270bebdfe4a7808d48dada9d2debff262d85b11c47f9ca3f0c20000712d03629ed813ff08a3e02d69267e6 kube-scheduler.logrotated -73fdb0303e72c006f4570af28312ecee224beb1d6cc1e19003593af377436b4082f6d49bd25cd9cae258ffa01bc9f2f0624d11ef0ecc64c658761888923be812 kubelet.initd -887ee5b4c67198727407e74c92639b23674515d5f049938f8ce5f3ba2eabcf7f321c00c914b254a7b2baa5c2f45a9ae4a945c9c90f1968f1012dbd60245d1b81 kubelet.confd +7cb03bde52820c3ce8b10df1a16cf0b46b39d185e01b4d312400f70bba5875992ec71166539d3820cf59ddbabeb48dec7ae8185820646fae3f851c4cd144fe69 kubelet.initd +44eb973de8ee8e0c5a77d76ab0e105fe0ae892be1ff86c238a5449b43f83cab6f844575b6c3218f08c5ff077e9f828f5aef72425c1d77546cce2e0136e8a8da8 kubelet.confd 941f4a7579dcf78da2d323ac69195e95eba6600e6fcefe9231447f11c9867a7aa57b4189ee1fefb10eab19c89665ea2e7696b539c92e99fbcde905d2ff85be58 kubelet.logrotated " diff --git a/kubezero/kubernetes/kubelet.confd b/kubezero/kubernetes/kubelet.confd index b924610..79ced80 100644 --- a/kubezero/kubernetes/kubelet.confd +++ b/kubezero/kubernetes/kubelet.confd @@ -1,2 +1 @@ command_args="--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --image-credential-provider-bin-dir=/usr/libexec/kubernetes/kubelet-plugins --image-credential-provider-config=/etc/kubernetes/credential-provider.yaml" -rc_after="cloudbender" diff --git a/kubezero/kubernetes/kubelet.initd b/kubezero/kubernetes/kubelet.initd index 7cc9880..1c20029 100755 --- a/kubezero/kubernetes/kubelet.initd 
+++ b/kubezero/kubernetes/kubelet.initd @@ -7,7 +7,10 @@ description="Kubelet, a Kubernetes node agent" # do not start without kubezero node config in place required_files="/var/lib/kubelet/kubeadm-flags.env /var/lib/kubelet/config.yaml" + +# Restart forever just like systemd upstream respawn_max=0 +respawn_delay=5 if [ -e /var/lib/kubelet/kubeadm-flags.env ]; then . /var/lib/kubelet/kubeadm-flags.env; @@ -20,7 +23,6 @@ pidfile="${KUBELET_PIDFILE:-/run/${RC_SVCNAME}.pid}" : ${error_log:=/var/log/$RC_SVCNAME/$RC_SVCNAME.log} depend() { - after net - need cgroups - want containerd crio + after net cloudbender + need cgroups crio } diff --git a/kubezero/kubezero/APKBUILD b/kubezero/kubezero/APKBUILD index e02d579..f9c9f5e 100644 --- a/kubezero/kubezero/APKBUILD +++ b/kubezero/kubezero/APKBUILD @@ -55,7 +55,7 @@ package() { install -Dm644 "$srcdir"/kubelet.monit "$pkgdir/etc/monit.d/kubelet.conf" # crio settings - install -Dm644 "$srcdir"/crio.conf "$pkgdir/etc/crio.conf.d/01-kubezero.conf" + install -Dm644 "$srcdir"/crio.conf "$pkgdir/etc/crio/crio.conf.d/01-kubezero.conf" } # Preload container images all nodes need to speed up boot time and reduce data transfer 
@@ -72,6 +72,6 @@ sha512sums=" ecb33fc3a0ffc378723624858002f9f5e180e851b55b98ab6611ecc6a73d4719bc7de240f87683fc58de8bf577059e6f19b417655b5301ef8c32deff67a29dff shared-sys-fs.start fce1013f7b1bfa8ee526de62e642a37fda3168889723e873d3fb69e257f4caa1423b5a14b9343b12a87f3b6f93c7d3861b854efda67ef2d6a42a5ca8cf3d1593 evictLocalNode.sh 716ec3404d7016bce57d663f750a18db3ede07c1ba7a2908f9f01f41c5ca8fe4e7232ded27bc2bccd705b11ae5cd26574322a8eacefcf8c102bba0f8e4995e59 credential-provider.yaml -abf062fbb2b94831f5321265a648bd17ddbb198e446e763d64d0cc8e3b7320e1545376cfa57b1491bb296ace28f1623439807a4157a2f32984082e565e2edcba kubelet.monit +8b81eb0fb66e6a739965db6af6a31c443e8f612c06146bd51107372abd833b527423299ee11b27e011f46cfbee11415234b3fa0dea695dbbb06711e0ad58f08d kubelet.monit 064fc245b7ffd67834a2f5fd13cb0bcb5f4a5caf79b8113b3669bf1d0e1a4af2042e69f8f496991de76d621fd01bc7e67de37c59f034584d12622c6af96376ff crio.conf " diff --git a/kubezero/kubezero/kubelet.monit b/kubezero/kubezero/kubelet.monit index 4c09368..fc196a4 100644 --- a/kubezero/kubezero/kubelet.monit +++ b/kubezero/kubezero/kubelet.monit @@ -1,6 +1,7 @@ check process kubelet pidfile /run/kubelet.pid - start program = "/etc/init.d/kubelet start" - stop program = "/etc/init.d/kubelet stop" + start program = "/sbin/rc-service kubelet start" + stop program = "/sbin/rc-service kubelet stop" + restart program = "/sbin/rc-service kubelet restart" if failed port 10248 protocol http diff --git a/kubezero/nvidia-container-toolkit/APKBUILD b/kubezero/nvidia-container-toolkit/APKBUILD index 2d18039..a5c6763 100644 --- a/kubezero/nvidia-container-toolkit/APKBUILD +++ b/kubezero/nvidia-container-toolkit/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Stefan Reimer # Maintainer: Stefan Reimer pkgname=nvidia-container-toolkit -pkgver=1.13.2 +pkgver=1.13.5 pkgrel=0 pkgdesc="NVIDIA Container toolkit incl. cri hooks" url="https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/overview.html" 
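Review bot: The new `restart program = "/sbin/rc-service kubelet restart"` makes monit restart kubelet whenever port 10248 fails, while the kubelet.initd hunk on this page sets `respawn_max=0` / `respawn_delay=5` so the OpenRC supervisor also restarts it indefinitely; two supervisors acting on the same process can race, with monit issuing a restart while the supervisor is already respawning. If the monit check is meant to cover only a hung healthz endpoint that the supervisor cannot detect, say so, e.g. `# supervise-daemon handles crashes; this check covers a hung healthz endpoint`, and consider a `for N cycles` qualifier on the port check so an in-progress restart is not itself counted as a failure. Whether kubelet.initd actually runs under supervise-daemon is not visible in these hunks.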
@@ -68,11 +68,11 @@ package() { } sha512sums=" -0edd50e9d42d345bcc26410752ac50425a5806144b0fdd4f6eea07f62501a325a3f58e74d68b6bb2a834b33977ddcc86723b1d96c4ae9664827ad86b4756172b libnvidia-container1_1.13.2-1_amd64.deb -3d61c5e610402344411f40db7b9da090b4de467f170779eac7fd8787bd5c30035128196b265a55af5ddadee704056dbcdf30b5cfb0ed72e90ea307db25285b1d libnvidia-container-tools_1.13.2-1_amd64.deb -f15af5460823667476e8b788708d1b76e81b73e99e0c6c9a045c830160ab2bb78988de1b4ad1963656f590faa1c5ee415b951275704fd77849d16a0ef712ed4a nvidia-container-toolkit_1.13.2-1_amd64.deb +903155c63c7af83dbd431ba3e5bc0d8ca74cce38996bf944b80520b5838f9765bbc0cbe201122d8ccc21cbd01dd4c4e47d2b451bdab7fadc99a8d75b941fda67 libnvidia-container1_1.13.5-1_amd64.deb +2d4cbbdd80db2730b1ed9db8d4b36c5212ce5361350dcdfbc5795dac887136cecd40c13843e61350bad12b103cd1550030c76de35a2cbbca2a6df3850b6b68ca libnvidia-container-tools_1.13.5-1_amd64.deb +8614c2b436dab3886df6a2328b3753c27704dd3a78f0abe5c333c57fb4ee8deebb6fc03051931b3794bf152d947b721c160acf6614e5145b39bb7162d1ef45d8 nvidia-container-toolkit_1.13.5-1_amd64.deb 694a3ec64ef3056d5874ff03b889b868c294bccb16506468fdf1c289fe3aaadc2da25a5934de653af9633a5d993d2bb21491d84b3b2e2529e6b31d92c78a2228 libcap2_2.25-2_amd64.deb 5a4eaa96e6e774948889909d618a8ed44a82f649cbba11622dc7b4478098bea006995d5a5a60ca026a57b76ad866d1e2c6caebd154a26eb6bd7e15291b558057 libseccomp2_2.3.3-4_amd64.deb 040ac2e3f58549dc09e5bce0d694e4be2f6aae736014bf0ee90042646562d5f1ef1f5990eb9f2c2a2fdf504587b82f4aa0eb99d04c5d3e407670e4012e3edd4e config.toml -cf5673231d1862e3ec03f792cddf54ff27237656f762c3f42b6d7e1584de2201c487861ac399ab26951b5dbf3e3cd9b4451dbf61f02b55e0991889b507319764 oci-nvidia-hook.json +0f150ea59b2372bf3ef60e657142b19f46500d1c70cb179d37ce117d6b03e86427dbf356873affb7639e082a07f852a922ae3aea4a8f8885640e43675c4e4add oci-nvidia-hook.json " diff --git a/kubezero/nvidia-container-toolkit/oci-nvidia-hook.json b/kubezero/nvidia-container-toolkit/oci-nvidia-hook.json index c547dd7..ae3b651 100644 
--- a/kubezero/nvidia-container-toolkit/oci-nvidia-hook.json +++ b/kubezero/nvidia-container-toolkit/oci-nvidia-hook.json @@ -1,8 +1,8 @@ { "version": "1.0.0", "hook": { - "path": "/usr/bin/nvidia-container-toolkit", - "args": ["nvidia-container-toolkit", "prestart"] + "path": "/usr/bin/nvidia-container-runtime-hook", + "args": ["nvidia-container-runtime-hook", "prestart"] }, "when": { "always": true, diff --git a/kubezero/nvidia-drivers/APKBUILD b/kubezero/nvidia-drivers/APKBUILD index eea656a..0217f1f 100644 --- a/kubezero/nvidia-drivers/APKBUILD +++ b/kubezero/nvidia-drivers/APKBUILD 
@@ -39,7 +39,7 @@ package() { # which libs are from debug log at runtime # LIBS=$(grep "missing library" /var/log/nvidia-container-toolkit.log | awk '{print $7}' | sort | uniq) # cross checked via .manifest for targets and symlinks - LIBS="libEGL_nvidia.so libGLESv1_CM_nvidia.so libGLESv2_nvidia.so libGLX_nvidia.so libcuda.so libcudadebugger.so libnvcuvid.so libnvidia-allocator.so libnvidia-cbl.so libnvidia-cfg.so libnvidia-compiler.so libnvidia-eglcore.so libnvidia-encode.so libnvidia-fatbinaryloader.so libnvidia-fbc.so libnvidia-glcore.so libnvidia-glsi.so libnvidia-glvkspirv.so libnvidia-ifr.so libnvidia-ml.so libnvidia-ngx.so libnvidia-nscq.so libnvidia-opencl.so libnvidia-opticalflow.so libnvidia-pkcs11.so libnvidia-ptxjitcompiler.so libnvidia-rtcore.so libnvidia-tls.so libnvoptix.so libvdpau_nvidia.so" + LIBS="libEGL_nvidia.so libGLESv1_CM_nvidia.so libGLESv2_nvidia.so libGLX_nvidia.so libcuda.so libcudadebugger.so libnvcuvid.so libnvidia-allocator.so libnvidia-cbl.so libnvidia-cfg.so libnvidia-compiler.so libnvidia-eglcore.so libnvidia-encode.so libnvidia-fatbinaryloader.so libnvidia-fbc.so libnvidia-glcore.so libnvidia-glsi.so libnvidia-glvkspirv.so libnvidia-ifr.so libnvidia-ml.so libnvidia-ngx.so libnvidia-nscq.so libnvidia-opencl.so libnvidia-opticalflow.so libnvidia-pkcs11.so libnvidia-ptxjitcompiler.so libnvidia-rtcore.so libnvidia-tls.so libnvoptix.so libvdpau_nvidia.so libnvidia-gpucomp.so libnvidia-nvvm.so" # inspired from Gentoo x11-drivers/nvidia-drivers for lib in $LIBS; do diff --git a/kubezero/zdt-base/APKBUILD b/kubezero/zdt-base/APKBUILD index 6f869f6..30515eb 100644 --- a/kubezero/zdt-base/APKBUILD +++ b/kubezero/zdt-base/APKBUILD 
@@ -7,7 +7,7 @@ pkgdesc="ZeroDownTime Alpine additions and customizations" url="https://git.zero-downtime.net/ZeroDownTime/alpine-overlay/src/branch/master/kubezero/zdt-base" arch="noarch" license="AGPL-3.0" -depends="logrotate syslog-ng neofetch monit file tiny-cloud" +depends="logrotate syslog-ng neofetch monit file tiny-cloud dhcpcd" options="!check" subpackages="$pkgname-openrc $pkgname-aws" install="$pkgname.post-install" @@ -22,6 +22,7 @@ source=" syslog-ng.conf syslog-ng.logrotate.conf syslog-ng.apparmor + dhcpcd-mtu.hook monitrc monit_alert.sh.aws neofetch.conf @@ -45,6 +46,9 @@ package() { mkdir -p "$pkgdir/home/alpine" install -Dm644 "$srcdir/profile" "$pkgdir/home/alpine/.profile" + # set mtu on interface via dhcpcd + install -Dm644 "$srcdir/dhcpcd-mtu.hook" "$pkgdir/usr/lib/dhcpcd/dhcpcd-hooks/10-mtu" + # various sysctl tunings install -Dm644 "$srcdir"/zdt-sysctl.conf "$pkgdir"/etc/sysctl.d/60-zdt.conf 
@@ -85,15 +89,16 @@ aws() { } sha512sums=" -a99d8fada2ce90876abbd84d8f72c976d1363e0b1437952aee8b22983b7bc7492803950bcc4dfb9866fcf744b9b6056bdbd53c257780d26814f16c8b0983242f common.sh +a870cc7657757770fb573a0fb5df61887d1b9d2a6a57b3ee8be93a7dfb34df6a1d489cd5572ab273dfe896b97faad7e7479571f993a3e13cfefe24c4720bcbf4 common.sh 7f6a69a77d6a4a3c34928609108b7939cd43a892d72fb14bebc1d935cd66eda3bd625d15eebb4d6026715b36b12919fcaf863ed5f65ffdc0e2de9fc1b969cb3e boot.sh ee19dcc0b46bdff8581c2661cda69fd8a3fa2de4dd30d96a4ce438b2536043a9f0bc57a6b0d4056e2715a2663a89bc1b07ec33798d5430a2046a65069a327cda cloudbender-early.init -9ca46acc407ff6aa18beec02564c3822db215bd5dc0a94f9bd9258c9b99f85cc40f793e20618509ed7f1e8645407cffb8274d7838b46442ad44e64726e37e3a0 cloudbender.init +df610d896c6b2821925df8d65ab44a0008b31e5b738172076234ae7645e8ef7e25d710c43f9b3999fb3f0303ccd81b57327c2e7694e1fc3f790abdbc77e0a097 cloudbender.init b9479835d8667fa99f8b1b140f969f0464a9bb3c60c7d19b57e306cfe82357d453932791e446caded71fddd379161ae8328367f1ee75ae3afc1b85e12294b621 zdt-sysctl.conf 76e6a4f309f31bfa07de2d3b1faebe5670722752e18157b69d6e868cbe9e85eda393aed0728b0347a01a810eee442844c78259f86ff71e3136a013f4cbfaaea4 ps_mem.py 5376f4bf8356ce9249c45e78085073245181e8742c7b4be47c71dcd97a611ae125a7dfd3060502bdd591560af070334f89fe60dbc09c008926149c538ab0560a syslog-ng.conf 484bdcf001b71ce5feed26935db437c613c059790b99f3f5a3e788b129f3e22ba096843585309993446a88c0ab5d60fd0fa530ef3cfb6de1fd34ffc828172329 syslog-ng.logrotate.conf e86eed7dd2f4507b04050b869927b471e8de26bc7d97e7064850478323380a0580a92de302509901ea531d6e3fa79afcbf24997ef13cd0496bb3ee719ad674ee syslog-ng.apparmor +f8c052c7ec12c71937c7b8bc05d8374c588f345e303b30eda9c8612dff8f8f34a87a433648a3e9b85b278196ece198533b29680a303ff6478171d43f8e095189 dhcpcd-mtu.hook e00a8f296c76446fe1241bf804c0108f47a2676f377a413ee9fede0943362a6582cad30fe13edd93f3d0daab0e2d7696553fb9458dca62adc05572dce339021a monitrc 
c955dabe692c0a4a2fa2b09ab9096f6b14e83064b34ae8d22697096daf6551f00b590d837787d66ea1d0030a7cc30bef583cc4c936c980465663e73aec5fa2dc monit_alert.sh.aws 346b0170ada6cc1207ffb7b8ef138a1570a63c7df4d57618aa4b6b6c0d2df2197b0f5b23578ec83c641ee5e724865ac06985222e125809c990467426a0851b72 neofetch.conf diff --git a/kubezero/zdt-base/cloudbender.init b/kubezero/zdt-base/cloudbender.init index faca0c4..5917658 100755 --- a/kubezero/zdt-base/cloudbender.init +++ b/kubezero/zdt-base/cloudbender.init @@ -30,7 +30,16 @@ start() { # if fixed hostname use persistent sshd keys [ -n "$CUSTOMHOSTNAME" ] && persistent_sshd_hostkeys "/_ssh/${ARTIFACT}/${CONGLOMERATE}/${HOSTNAME}" - eend $? + associate_eip $INSTANCE_ID $ELASTICIP && PUBLIC_IP_ADDRESS=$ELASTICIP + + register_service_dns + + is_enabled $LOGGING_ENABLED && setup_fluentbit $LOGGING_HOST + + # cleanup previous reboot logs + rm -f /tmp/shutdown.log + + eend 0 } @@ -46,5 +55,5 @@ stop() { [ -n "$RC_REBOOT" ] && ACTION="rebooting" || ACTION="terminated" [ -z "$DISABLE_SCALING_EVENTS" ] && /var/lib/cloud/sns_alarm.sh "Instance $ACTION" "" Info "$SHUTDOWNLOG" - eend $? + eend 0 } diff --git a/kubezero/zdt-base/common.sh b/kubezero/zdt-base/common.sh index 5cad24c..bc2c2ab 100644 --- a/kubezero/zdt-base/common.sh +++ b/kubezero/zdt-base/common.sh @@ -105,6 +105,9 @@ setup_instance() { # Set system wide default region for boto3 echo "export AWS_DEFAULT_REGION=$REGION" > /etc/profile.d/aws.sh + # workaround for dhcpcd / openresolv to omit search domain if equal to domain breaking DNS resolution of shortnames for eg. etcd and kube-apiserver + add_once /etc/resolv.conf "search $DOMAIN_NAME" + case "$CLOUD" in aws) setup_sns_alarms 
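Review bot: `eend 0` at the end of start() in cloudbender.init reports success unconditionally, so failures in `associate_eip`, `register_service_dns` or `setup_fluentbit` are no longer visible to OpenRC, whereas the previous `eend $?` at least reflected the last command. Track a status instead, e.g. `local rc=0`, `register_service_dns || rc=1` for each step, then `eend $rc`; stop() replaces `eend $?` with `eend 0` in the same way. Separately, `/tmp/shutdown.log` is removed here and later appended to as root by the route53.stop hook written in common.sh; if /tmp is the usual world-writable directory, any local user can pre-create that path before root writes to it, so a root-owned location such as `/run/cloudbender/shutdown.log` is the safer choice. The rest of start() lies outside the hunk.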
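Review bot: In setup_instance, `add_once /etc/resolv.conf "search $DOMAIN_NAME"` runs even when `DOMAIN_NAME` is empty, which would append a bare `search ` line; guard it with `[ -n "$DOMAIN_NAME" ] && add_once /etc/resolv.conf "search $DOMAIN_NAME"`. The comment describes this as a workaround for dhcpcd/openresolv, and those tools regenerate resolv.conf on lease renewal, so the line may be lost again; if that matters, a resolvconf hook or dhcpcd's static domain_search configuration would be the durable fix (not verifiable from this hunk). setup_instance continues past the hunk.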
@@ -148,20 +151,26 @@ configure_sshd() { # Persist host keys +# has to run before sshd starts up first time ! persistent_sshd_hostkeys() { # Top level is artifact to be able to limit the SSM IAM permissions local ssm_path=$1 - local key_types="dsa ecdsa ed25519 rsa" + local key_types="ecdsa ed25519 rsa" - # If host keys exist on SSM try to download + # try to get none existing host keys from SSM RET=0 for key in $key_types; do + if [ ! -f /etc/ssh/ssh_host_${key}_key.pub -a ! -f /etc/ssh/ssh_host_${key}_key ]; then (aws ssm get-parameters --names "${ssm_path}/host_${key}.tgz" --with-decryption --query 'Parameters[0].Value' | base64 -d | tar xzf - --directory=/ 1>/dev/null 2>&1) \ && log -t user-data info "Restored ssh_host_${key}_key from SSM" || RET=1 + fi done # Update keys if any key couldn't be restored from SSM if [ $RET -eq 1 ]; then + # generate any missing keys + ssh-keygen -A + for key in $key_types; do if [ -r /etc/ssh/ssh_host_${key}_key -a -r /etc/ssh/ssh_host_${key}_key.pub ]; then (aws ssm put-parameter --name "${ssm_path}/host_${key}.tgz" --type SecureString --value \ @@ -302,6 +311,17 @@ unmount_volumes() { # msg used for sns event, last one wins msg() { MSG="$@"; log -t user-data info "$@"; } +# boolean flags +is_enabled() { + local flag=$(echo "$1" | tr '[:upper:]' '[:lower:]') + + [ "$flag" == 1 -o "$flag" == "true" ] && return 0 + [ "$flag" == 0 -o "$flag" == "false" -o -z "$flag" ] && return 1 + + log -t user-data warn "Unknown value for boolean option: $flag - assuming False" + return 1 +} + # Generic retry command wrapper, incl. timeout of 30s # $1 = number of tries; 0 = forever # $2 = number of seconds to sleep between tries @@ -313,7 +333,7 @@ retry() { while true; do # Only use timeout of $1 is an executable, call directly if function type -tf $1 >/dev/null && { timeout 30 $@ && return; } || { $@ && return; } - ((tries=tries-1)) + ((tries=tries-1)) || true [ $tries -eq 0 ] && return 1 sleep $waitfor done 
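Review bot: In persistent_sshd_hostkeys any failed `aws ssm get-parameters` sets `RET=1`, after which the new `ssh-keygen -A` plus the unchanged put-parameter loop upload whatever keys now exist locally; a transient SSM or IAM error on a host without local keys therefore generates a fresh key pair and overwrites the persisted one in SSM, silently changing the host identity that clients have pinned. Distinguish "parameter not found" from other failures before regenerating, or pass `--no-overwrite` to put-parameter so an existing parameter is never replaced by a newly generated key. The restore path still runs `tar xzf - --directory=/` on the parameter payload; extracting into `--directory=/etc/ssh` with relative member names would limit what a modified parameter can write (the archive producer is outside this hunk and may need the matching change). The comment `# try to get none existing host keys from SSM` should read `# restore host keys that do not yet exist locally from SSM`. The function continues past the hunk.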
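Review bot: is_enabled tests its flag with `[ "$flag" == 1 -o "$flag" == "true" ]`; `==` and the `-a`/`-o` operators inside `[` are not POSIX and are marked obsolescent, and since the file already relies on bash (`[[ ]]`, `${var//,/ }`) a `case` statement expresses the same three-way decision more plainly and drops the operators. `printf '%s' "$1"` instead of `echo "$1"` also avoids echo interpreting a flag value that starts with `-`. The rewritten function keeps the same return values and warning message.
```shell
is_enabled() {
    local flag
    flag=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')

    case "$flag" in
        1|true) return 0 ;;
        0|false|"") return 1 ;;
    esac

    log -t user-data warn "Unknown value for boolean option: $flag - assuming False"
    return 1
}
```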
@@ -519,14 +539,12 @@ check_lock() { # All things networking enable_ip_forwarding() { - local interface=$1 - modprobe nf_conntrack cat < /etc/sysctl.d/40-ip-forward.conf net.ipv4.ip_forward=1 net.ipv4.ip_local_port_range = 1024 65535 -net.ipv4.conf.$interface.send_redirects=0 +net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.all.accept_redirects = 0 net.ipv6.conf.default.forwarding = 1 @@ -548,6 +566,7 @@ register_service_dns() { [ -n "SERVICEPRIVATE" ] && _IP=$IP_ADDRESS route53.py --fqdn "${SERVICENAME}.${DNSZONE}" --record $_IP + # Register shutdown hook to remove DNS entry on terminate cat <> /etc/local.d/route53.stop echo "Deleting Route53 record for ${SERVICENAME}.${DNSZONE}" >> /tmp/shutdown.log route53.py --delete --fqdn "${SERVICENAME}.${DNSZONE}" --record ${PUBLIC_IP_ADDRESS:-$IP_ADDRESS} @@ -561,8 +580,8 @@ EOF # associate EIP -# return 0 if we attache EIP -# return 1 if we public did NOT change +# return 0 if we attached an EIP +# return 1 if we the public IP did NOT change or other error associate_eip() { local instance_id=$1 local eip=$(echo $2 | sed -e 's/\/32//' | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)") || true 
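Review bot: Replacing `net.ipv4.conf.$interface.send_redirects=0` with `net.ipv4.conf.all.send_redirects=0` does not disable ICMP redirects in practice: for send_redirects the kernel enables the feature when either conf/all or conf/<interface> is set, and the per-interface value defaults to 1, so the `all` line on its own is ineffective. Keep a per-interface line for interfaces that already exist and add `net.ipv4.conf.default.send_redirects=0` for interfaces created after the sysctl file is applied. Dropping `local interface=$1` means callers that still pass an interface argument have it silently ignored; the call sites are outside this hunk and worth checking.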
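Review bot: In register_service_dns the context line `[ -n "SERVICEPRIVATE" ] && _IP=$IP_ADDRESS` tests a literal string and is therefore always true, so `_IP` is always replaced by `$IP_ADDRESS` whatever `$SERVICEPRIVATE` holds; unless the `$` was lost in rendering, it should be `[ -n "$SERVICEPRIVATE" ] && _IP=$IP_ADDRESS`. The newly commented shutdown hook appends to `/tmp/shutdown.log` as root; a root-owned path such as `/run/cloudbender/shutdown.log` avoids depending on a world-writable directory (cloudbender.init removes the same file). The hook's heredoc continues past the hunk.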
@@ -609,16 +628,20 @@ disable_source_dest_check() { # Register ourself at route tables register_routes() { - local rtb_id_list=$1 - local route_cidr=${2:-"0.0.0.0/0"} + local rtb_id_list="$1" + local route_cidr="$2" for cidr in ${route_cidr//,/ }; do - for rt in ${rtb_id_list//,/ }; do - [[ "$rt" =~ ^rtb-[a-f0-9]*$ ]] || { log -t user-data warn "Invalid Route Table ID: $rt"; return 1; } - - aws ec2 create-route --route-table-id $rt --destination-cidr-block "${cidr}" --instance-id ${INSTANCE_ID} || \ - aws ec2 replace-route --route-table-id $rt --destination-cidr-block "${cidr}" --instance-id ${INSTANCE_ID} - done + if [ "$cidr" != "$VPC_CIDR_RANGE" ]; then + for rt in ${rtb_id_list//,/ }; do + if [[ "$rt" =~ ^rtb-[a-f0-9]*$ ]]; then + aws ec2 create-route --route-table-id $rt --destination-cidr-block "${cidr}" --instance-id ${INSTANCE_ID} || \ + aws ec2 replace-route --route-table-id $rt --destination-cidr-block "${cidr}" --instance-id ${INSTANCE_ID} + else + log -t user-data warn "Invalid Route Table ID: $rt" + fi + done + fi done } @@ -632,17 +655,16 @@ setup_nat() { setup_fluentbit() { - local token="cloudbender" + local key="cloudbender" + local host="$1" - if [[ $FLUENTDURL == *@* ]]; then - token=${FLUENTDURL%%@*} - FLUENTD_URL=${FLUENTDURL##*@} + if [[ "$host" =~ "@" ]]; then + key=${host%%@*} + host=${host##*@} fi - LOG_FILES=$FLUENTDLOGFILES - # Add a local file based syslog parser which does not require Priority + # add some AWS metadata cat < /etc/fluent-bit/metadata.conf -# add some AWS metadata [FILTER] Name record_modifier Match * 
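Review bot: register_routes drops the `${2:-"0.0.0.0/0"}` default, so a caller that passes only the route-table list now iterates over an empty `route_cidr` and registers nothing without any log line; either keep the default or fail loudly, e.g. `[ -z "$route_cidr" ] && { log -t user-data warn "register_routes: no CIDR given"; return 1; }`. An invalid route-table id is now logged and skipped instead of aborting with `return 1`, which also means the function's exit status is merely that of the last loop iteration; if callers check it, return a tracked failure status. Where `VPC_CIDR_RANGE` is set is not visible here; when it is unset the `!=` guard is always true.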
@@ -654,22 +676,21 @@ setup_fluentbit() { Record source.artifact $ARTIFACT EOF - # install logrotate fragment - cat < /etc/logrotate.d/fluentbit -/var/log/fluentbit.log -{ - rotate 3 - missingok - notifempty - compress - maxsize 10M - daily - postrotate - rc-service fluent-bit restart - endscript -} + # Configure output + cat < /etc/fluent-bit/output.conf +[OUTPUT] + Match * + Name forward + Host $host + Port 24224 + Shared_Key $key + tls on + Send_options true + Require_ack_response true EOF + + LOG_FILES=$LOGGING_FILES - rc-update add fluent-bit default - rc-service fluent-bit start + ## TODO: + # Add parameter parsing for custom logfile tailing } diff --git a/kubezero/zdt-base/dhcpcd-mtu.hook b/kubezero/zdt-base/dhcpcd-mtu.hook new file mode 100644 index 0000000..8282590 --- /dev/null +++ b/kubezero/zdt-base/dhcpcd-mtu.hook @@ -0,0 +1,36 @@ +# From https://chromium.googlesource.com/chromiumos/third_party/dhcpcd/+/refs/tags/dhcpcd-6.0.0/dhcpcd-hooks + +# Configure the MTU for the interface +mtu_dir="$state_dir/mtu" +set_mtu() +{ + local mtu=$1 + if [ -w /sys/class/net/$interface/mtu ]; then + echo "$mtu" >/sys/class/net/$interface/mtu + else + ifconfig "$interface" mtu "$mtu" + fi +} +if [ "$reason" = PREINIT -a -e "$mtu_dir/$interface" ]; then + rm "$mtu_dir/$interface" +elif [ -n "$new_interface_mtu" ] && $if_up; then + # The smalled MTU dhcpcd can work with is 576 + if [ "$new_interface_mtu" -ge 576 ]; then + if set_mtu "$new_interface_mtu"; then + syslog info "MTU set to $new_interface_mtu" + # Save the MTU so we can restore it later + if [ ! -e "$mtu_dir/$interface" ]; then + mkdir -p "$mtu_dir" + echo "$ifmtu" > "$mtu_dir/$interface" + fi + fi + fi +elif [ -e "$mtu_dir/$interface" ]; then + if $if_up || $if_down; then + # No MTU in this state, so restore the prior MTU + mtu=$(cat "$mtu_dir/$interface") + syslog info "MTU restored to $mtu" + set_mtu "$mtu" + rm "$mtu_dir/$interface" + fi +fi 
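Review bot: The new output.conf block writes `Shared_Key $key` with whatever umask the init script runs under, which typically leaves the forwarder secret world-readable under /etc/fluent-bit; write it with `( umask 077; cat > /etc/fluent-bit/output.conf <<EOF ... EOF )` or `chmod 600` it afterwards, and chown it to the account fluent-bit runs as if that is not root (not visible here). `LOG_FILES=$LOGGING_FILES` is assigned but, per the TODO that follows, nothing reads it yet, so either drop it or move it next to the TODO. The `rc-update add fluent-bit default` / `rc-service fluent-bit start` lines are gone; if enabling the service now happens elsewhere, a comment such as `# fluent-bit is enabled by the package and ordered after cloudbender by its initd` would save the next reader a search. In the earlier hunk of this function, `[[ "$host" =~ "@" ]]` works as a literal match but `[[ "$host" == *@* ]]` states the intent more plainly.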
diff --git a/kubezero/zdt-base/zdt-base.post-install b/kubezero/zdt-base/zdt-base.post-install index 615ecd0..8be7db2 100644 --- a/kubezero/zdt-base/zdt-base.post-install +++ b/kubezero/zdt-base/zdt-base.post-install @@ -28,6 +28,8 @@ echo 'syslog-ng: all to /var/log/messages as json, rotate hourly' echo ":2345:respawn:/usr/bin/monit -Ic /etc/monitrc.zdt" >> /etc/inittab echo 'Enable monit via inittab' -# QoL -[ -f /etc/profile.d/color_prompt.sh.disabled ] && mv /etc/profile.d/color_prompt.sh.disabled /etc/profile.d/color_prompt.sh || true +# QoL - color prompt even for doas bash +[ -f /etc/profile.d/color_prompt.sh.disabled ] && mv /etc/profile.d/color_prompt.sh.disabled /etc/profile.d/color_prompt.sh +ln -sf /etc/profile.d/color_prompt.sh /etc/bash/color_prompt.sh + echo 'alias rs="doas bash"' > /etc/profile.d/alias.sh
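Review bot: The new `ln -sf /etc/profile.d/color_prompt.sh /etc/bash/color_prompt.sh` creates a dangling link when the preceding `mv` did not run (no color_prompt.sh.disabled present) and fails outright if /etc/bash does not exist; guard it, e.g. `[ -f /etc/profile.d/color_prompt.sh ] && mkdir -p /etc/bash && ln -sf /etc/profile.d/color_prompt.sh /etc/bash/color_prompt.sh`. Dropping `|| true` from the `[ -f ... ] && mv ...` line is harmless only because the `echo` that follows sets the script's final exit status; worth a comment if that ordering is relied upon.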